How to configure Network Devices Protection Profile (NDPP) Compliance Checklist

07/02/2021


    Description

    NDPP describes security requirements for a network device that can be connected to a network. It is intended to provide a minimal, baseline set of requirements targeted at mitigating well-defined and described threats.

    SonicWall UTM appliances can be configured to adhere to the security requirements of NDPP.

    Resolution

    RESOLUTION FOR SONICOS 7.X

     

    This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

    To enable NDPP, perform the following steps:

    1. Log in to the SonicWall management GUI.
    2. Navigate to the Device| Firewall| Firmware and Settings| Settings page.
    3. Enable the NDPP check-box. If the appliance configuration does not meet the NDPP requirements, a pop-up window lists the configuration changes required on the SonicWall. The NDPP check-box cannot be enabled until these changes are made.


    The following steps describe how to configure the SonicWall UTM appliance to meet the NDPP requirements.

    Device| Firewall| Administration| Login/Multiple Administrators| Login Security

    1. Admin password lifetime is required.
    2. A new password must contain 4 characters different from the old password; this requirement must be applied in NDPP mode.
    3. The minimum length of an Admin or User password cannot be less than 8.
    4. Enforced password complexity must contain letters, numbers and symbols.
    5. The enforced password complexity requirement must contain at least 1 upper-case letter, 1 lower-case letter, 1 numeric character and 1 special character.
    6. The password constraints must be applied to the Administrator and other full administrators.

    Device| Diagnostics | Tech Support Report
    7. Passwords and pre-shared keys must not be printed in the TSR.

    Device| Users | Settings - Enable check-box Force relogin after password change

    8.    Require users to relogin after password change.

    Network| Firewall| Advanced| IPv6 
    9.    Must enable "Drop and log network packets whose source or destination address is reserved by RFC"

    VPN | Settings

    10. Group VPN must be disabled in NDPP mode.
    11. The VPN pre-shared key must be at least 22 characters long.
    12. The IPsec Phase 2 lifetime (kbytes) cannot be unlimited in NDPP mode.
    13. SHA-256 or higher is required in IPsec.
    14. AES-128 or AES-256 is required in IPsec.

    VPN | Advanced

    15.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
    16.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256

    Network | System| Interfaces

    17.    HTTP and SSH interface login is not allowed.
    18.    IPv6 HTTP and SSH interface login is not allowed.


    Manage| Logs and Reporting| Log Settings| Syslog

    19.    Must configure at least one Syslog Server.
    20. NDPP enforcement must be enabled for the Syslog Server.


    • NDPP enforcement for the Syslog server requires that Syslog traffic be sent over a VPN tunnel. Therefore, a site-to-site VPN, either policy-based or tunnel-interface-based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
    • With that requirement in place, if the Syslog configuration succeeds, a Network Monitor Policy is auto-created to probe the Syslog server.

    21. LDAP is not supported in NDPP mode. User Authentication must be set to Local Users.

    22.    SSL VPN is not allowed in NDPP mode.


    Manage| Policies| Rules| Access Rules.

    23.    Must set session quota for each management IP.
    24.    Must set session quota for each IPv6 management IP.

    To set session quota, perform the following steps:


    1. In the SonicWall management GUI, navigate to the Access Rules section.
    2. Change the view to LAN to LAN, WAN to WAN, etc.
    3. Click Configure on the auto-created management access rule.
    4. Click the Optional Settings tab.
    5. Enable the check box Enable connection limit for each Source IP Address.
    6. Enable the check box Enable connection limit for each Destination IP Address.
    7. The threshold can be left at the default 128 or set to a value of your choice.


    Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.

    This completes the configuration required by NDPP. To enable NDPP, perform the following steps:


    1. Navigate to Device| Firewall| Firmware and Settings| Settings.
    2. Enable the check box under NDPP. If any configuration is still pending, a pop-up window lists the pending configuration. If the stipulated configuration is complete, the following pop-up window is displayed.
    3. Click OK. A pop-up window with a warning is displayed.
    4. Click OK again.
    5. Click the restart message at the bottom of the screen, or restart from System | Restart.

    Once NDPP mode is enabled, the settings configured for NDPP mode cannot be undone. NDPP must first be disabled manually, by de-selecting the NDPP check box under System | Settings or via the CLI, before the configuration can be undone.

    RESOLUTION FOR SONICOS 6.5.


    This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.

    To enable NDPP, perform the following steps:

    1. Log in to the SonicWall management GUI.
    2. Navigate to the Firmware and Backup | Settings page.
    3. Enable the NDPP check-box. If the appliance configuration does not meet the NDPP requirements, a pop-up window lists the configuration changes required on the SonicWall. The NDPP check-box cannot be enabled until these changes are made.


    The following steps describe how to configure the SonicWall UTM appliance to meet the NDPP requirements.



    Manage| System Setup| Appliance| Base Settings| Login Security

    1. Admin password lifetime is required.
    2. A new password must contain 4 characters different from the old password; this requirement must be applied in NDPP mode.
    3. The minimum length of an Admin or User password cannot be less than 8.
    4. Enforced password complexity must contain letters, numbers and symbols.
    5. The enforced password complexity requirement must contain at least 1 upper-case letter, 1 lower-case letter, 1 numeric character and 1 special character.
    6. The password constraints must be applied to the Administrator and other full administrators.



    Investigate| Tools| System Diagnostics | Tech Support Report
    7. Passwords and pre-shared keys must not be printed in the TSR.


    Manage| System Setup| Users | Settings - Enable check-box Force relogin after password change

    8.    Require users to relogin after password change.

    Manage| Security Configuration| Advanced Settings| IPv6 Advanced Configurations

    9.    Must enable "Drop and log network packets whose source or destination address is reserved by RFC"

    VPN | Settings

    10. Group VPN must be disabled in NDPP mode.
    11. The VPN pre-shared key must be at least 22 characters long.
    12. The IPsec Phase 2 lifetime (kbytes) cannot be unlimited in NDPP mode.
    13. SHA-256 or higher is required in IPsec.
    14. AES-128 or AES-256 is required in IPsec.

    VPN | Advanced

    15.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
    16.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256


    Manage| Network | Interfaces

    17.    HTTP and SSH interface login is not allowed.
    18.    IPv6 HTTP and SSH interface login is not allowed.

    Manage| Logs and Reporting| Log Settings| Syslog

    19.    Must configure at least one Syslog Server.
    20. NDPP enforcement must be enabled for the Syslog Server.

    • NDPP enforcement for the Syslog server requires that Syslog traffic be sent over a VPN tunnel. Therefore, a site-to-site VPN, either policy-based or tunnel-interface-based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
    • With that requirement in place, if the Syslog configuration succeeds, a Network Monitor Policy is auto-created to probe the Syslog server.

    21. LDAP is not supported in NDPP mode. User Authentication must be set to Local Users.

    22.    SSL VPN is not allowed in NDPP mode.

    Manage| Policies| Rules| Access Rules.

    23.    Must set session quota for each management IP.
    24.    Must set session quota for each IPv6 management IP.

    To set session quota, perform the following steps:

    1. In the SonicWall management GUI, navigate to the Access Rules section.
    2. Change the view to LAN to LAN, WAN to WAN, etc.
    3. Click Configure on the auto-created management access rule.
    4. Click the Advanced tab.
    5. Enable the check box Enable connection limit for each Source IP Address.
    6. Enable the check box Enable connection limit for each Destination IP Address.
    7. The threshold can be left at the default 128 or set to a value of your choice.
    8. Click OK to save.

    Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.


    This completes the configuration required by NDPP. To enable NDPP, perform the following steps:

    1. Navigate to System | Settings.
    2. Enable the check box under NDPP. If any configuration is still pending, a pop-up window lists the pending configuration. If the stipulated configuration is complete, the following pop-up window is displayed.
    3. Click OK. A pop-up window with a warning is displayed.
    4. Click OK again.
    5. Click the restart message at the bottom of the screen, or restart from System | Restart.


    Once NDPP mode is enabled, the settings configured for NDPP mode cannot be undone. NDPP must first be disabled manually, by de-selecting the NDPP check box under System | Settings or via the CLI, before the configuration can be undone.
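    A pre-flight check that mirrors the 24-item checklist above (both the SonicOS 7.X and 6.5 lists), added here as an example; it is not SonicWall's code and the configuration dictionary it reads is a constructed, hypothetical abstraction of those settings, not a SonicOS export format. It reports which items would still block the NDPP check-box, so an operator can work through them before attempting to enable NDPP.

```python
"""Added example (not SonicWall code): a pre-flight check that mirrors the
24-item NDPP checklist. The config dict layout is a constructed, hypothetical
abstraction of those settings, not a SonicOS export format."""

ALLOWED_CIPHERS = {"AES-128", "AES-256"}            # items 14 and 16
ALLOWED_HASHES = {"SHA-256", "SHA-384", "SHA-512"}  # items 13 and 15: SHA-256 or higher
MGMT_NOT_ALLOWED = {"HTTP", "SSH"}                  # items 17 and 18

# (item number, requirement, predicate that is True when the config already complies)
CHECKS = [
    ("1", "admin password lifetime is set", lambda c: bool(c["login"]["password_lifetime_days"])),
    ("2", "new password differs from the old one in 4 characters", lambda c: c["login"]["new_password_diff_chars"] >= 4),
    ("3", "minimum admin/user password length is at least 8", lambda c: c["login"]["min_length"] >= 8),
    ("4/5", "complexity enforces letters, numbers, symbols and upper/lower/digit/special", lambda c: c["login"]["complexity"] == "upper+lower+digit+special"),
    ("6", "constraints apply to Administrator and other full administrators", lambda c: c["login"]["apply_to_full_admins"]),
    ("7", "TSR does not print passwords or pre-shared keys", lambda c: not c["tsr"]["print_secrets"]),
    ("8", "users must re-login after a password change", lambda c: c["users"]["force_relogin"]),
    ("9", "drop and log packets with RFC-reserved IPv6 addresses", lambda c: c["ipv6"]["drop_log_rfc_reserved"]),
    ("10", "Group VPN is disabled", lambda c: not c["vpn"]["group_vpn"]),
    ("11", "every VPN pre-shared key is at least 22 characters", lambda c: all(len(p["psk"]) >= 22 for p in c["vpn"]["policies"])),
    ("12", "no IPsec Phase 2 lifetime (kbytes) is unlimited", lambda c: all(p["phase2_kbytes"] is not None for p in c["vpn"]["policies"])),
    ("13", "IPsec hash is SHA-256 or higher", lambda c: all(p["hash"] in ALLOWED_HASHES for p in c["vpn"]["policies"])),
    ("14", "IPsec cipher is AES-128 or AES-256", lambda c: all(p["cipher"] in ALLOWED_CIPHERS for p in c["vpn"]["policies"])),
    ("15", "IKEv2 dynamic client proposal uses SHA-256", lambda c: c["vpn"]["ikev2_dyn"]["hash"] in ALLOWED_HASHES),
    ("16", "IKEv2 dynamic client proposal uses AES-128 or AES-256", lambda c: c["vpn"]["ikev2_dyn"]["cipher"] in ALLOWED_CIPHERS),
    ("17", "no HTTP/SSH management login on IPv4 interfaces", lambda c: not any(MGMT_NOT_ALLOWED & set(i["mgmt_v4"]) for i in c["interfaces"])),
    ("18", "no HTTP/SSH management login on IPv6 interfaces", lambda c: not any(MGMT_NOT_ALLOWED & set(i["mgmt_v6"]) for i in c["interfaces"])),
    ("19", "at least one Syslog server is configured", lambda c: bool(c["syslog"]["servers"])),
    ("20", "NDPP enforcement for Syslog (syslog over a site-to-site VPN) is enabled", lambda c: c["syslog"]["ndpp_enforcement"]),
    ("21", "user authentication is Local Users (LDAP unsupported)", lambda c: c["users"]["auth"] == "Local Users"),
    ("22", "SSL VPN is disabled", lambda c: not c["sslvpn"]),
    ("23/24", "session quota set on every management access rule (IPv4 and IPv6)", lambda c: all(r["src_limit"] and r["dst_limit"] for r in c["mgmt_rules"])),
]

def ndpp_findings(cfg):
    """Items that would still block the NDPP check-box; an empty list means it can be enabled."""
    return [f"{item}: {req}" for item, req, ok in CHECKS if not ok(cfg)]

# Constructed sample: compliant except for one legacy VPN policy and SSH management on X1 over IPv4.
SAMPLE = {
    "login": {"password_lifetime_days": 90, "new_password_diff_chars": 4, "min_length": 8,
              "complexity": "upper+lower+digit+special", "apply_to_full_admins": True},
    "tsr": {"print_secrets": False},
    "users": {"force_relogin": True, "auth": "Local Users"},
    "ipv6": {"drop_log_rfc_reserved": True},
    "vpn": {"group_vpn": False, "ikev2_dyn": {"hash": "SHA-256", "cipher": "AES-128"},
            "policies": [{"name": "HQ-to-Syslog", "psk": "x" * 22, "phase2_kbytes": 1000000, "hash": "SHA-256", "cipher": "AES-256"},
                         {"name": "Legacy-Branch", "psk": "short-key", "phase2_kbytes": None, "hash": "SHA-1", "cipher": "3DES"}]},
    "interfaces": [{"name": "X0", "mgmt_v4": ["HTTPS"], "mgmt_v6": ["HTTPS"]},
                   {"name": "X1", "mgmt_v4": ["HTTPS", "SSH"], "mgmt_v6": []}],
    "syslog": {"servers": ["10.0.0.5"], "ndpp_enforcement": True},
    "sslvpn": False,
    "mgmt_rules": [{"name": "LAN -> All X0 Management IP", "src_limit": 128, "dst_limit": 128}],
}

if __name__ == "__main__":
    for line in ndpp_findings(SAMPLE) or ["configuration meets the NDPP checklist"]:
        print(line)
```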


    Disabling NDPP from the console

    Enter the following commands in the CLI to disable NDPP. You must restart the SonicWall for the changes to take effect.

    config
    no ndpp
    commit best-effort
    exit
