Expanding support for Palo Alto and Panorama

Palo Alto

The latest release of Nipper expands our support for Palo Alto devices running operating systems up to and including PAN-OS 9.1, as well as enabling remote auditing of Panorama devices. Tech support files remotely retrieved from Panorama devices are now correctly unzipped, allowing Panorama devices to be remotely audited.

  • The existing Palo Alto Firewall Plugin has been extended to support HIP profiles and objects; with reports displaying a range of information about each, as well as a link to the security policy rule(s) that they are applied to.

Cisco PSIRT

The latest release of Nipper improves the interactivity for Cisco PSIRT audits via Nipper's CLI. When multiple devices are audited through Nipper's CLI, if any of the devices are detected to be auditable by PSIRT the user will be prompted to enter their exact device OS versions to enable an accurate PSIRT report.

Additional Fixes

Nipper 2.10.2 also fixes several bugs across the software delivering enhanced accuracy in reports, as well as improving the overall stability and usability of the software:

Cisco
  • Cisco ISR 4331 devices are now correctly identified as such, not as Cisco Catalyst
  • Not having a privileged password set on Cisco IOS 15 devices will no longer cause CIS audits to hang during report generation
  • Auditing local Cisco configuration files via Nipper's CLI on CentOS 7 now generates a report as expected
  • Accuracy in a number of findings across multiple report types for Cisco devices has been enhanced:
    • Not setting an auxiliary password on Cisco Catalyst devices will now raise an associated Security Audit finding
    • Not fully configuring SNMP on Cisco devices is now flagged as a Security Audit finding
    • Unicast RPF verification on tunnel interfaces is no longer flagged as a Security Audit finding as it is not configurable by a user o Router OSPF interfaces that are set to passive are now displayed as such
    • "Any to Any" rules on Cisco ASA devices are now correctly reported in the Security Audit
    • ACL rules managing SNMP access no longer raises STIG check V-3021 o Switch port security is now correctly identified on Cisco Nexus devices, and noted in reports as expected
    • VPNs configured with aggressive mode enabled on Cisco IOS devices are now correctly identified in reports
Check Point
  • Unknown passwords in Check Point configurations are now correctly referenced in reports
  • Manually setting your Check Point R80 version number will now correctly report on all related NVD vulnerabilities
  • Having hidden passwords in Check Point R80 configurations now sets STIG check NET0240 as a manual check to be assessed by the user

    Fortinet
    • The help text displayed in Nipper's CLI now combines FortiOS 6 with the rest of the FortiOS versions
    • Remotely auditing FortiOS devices with Nipper's CLI no longer incorrectly states that you are missing command parameters
    • Some Security Audit checks for Fortinet UTM devices now have improved accuracy to help prevent false negatives
    • SSH is now correctly detected on all FortiOS 6 devices
    Juniper
    • The device OS version for Juniper Pulse devices is now correctly identified and noted in reports.
    Palo Alto
    • Increased clarity in how DHCP clients are displayed for PAN-OS 9 devices
    • Error messages displayed while auditing Panorama devices now have device passwords redacted
    • Not setting an NTP no longer causes Virtual Systems to be skipped on Panorama 8 devices
    SonicWall
    • The Filtering Differences report no longer detects changes between identical rules on SonicWall devices
    Stability
    • Importing a settings profile that contains an email server password no longer causes a serious error
    • Resolved error that occurred when running a report against specific FortiOS 6 and Check Point R80 configurations
    Usability
    • Disabling interactive mode on Nipper's CLI now disables all interactive user prompts
    • Amended spelling in the Filtering Complexity check's title
    • Help text in Nipper's CLI now informs when specific command ordering is required in some remote device connections
    • Nipper's internal NVD processor now looks past the initial CPE match in each CPE list, therefore correctly identifying when multiple CPEs are found to match.