- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to configure Network Devices Protection Profile (NDPP) Compliance Checklist
07/02/2021 
15 People found this article helpful
45,303 Views
Description
NDPP describes security requirements for a network device that can be connected to a network and is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats.
SonicWall UTM appliances can be configured to adhere to the security requirements of NDPP.
Resolution
RESOLUTION FOR SONICOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
To enable NDPP, perform the following steps:
- Login to the SonicWall management GUI
- Navigate to the Device| Firewall| Firmware and Settings| Settings page.
3. Enable check- box NDPP. If the appliance configuration is not as per NDPP requirements, a pop-up window with the list of configuration changes required in the SonicWall is displayed. Until these changes are made the NDPP check-box cannot be enabled.
The below steps describes how to configure the SonicWall UTM appliance to meet NDPP requirements.
Device| Firewall| Administration| Login/Multiple Administrators| Login Security
1. Admin password life time is required
2. New password must contain 4 characters different from the old password must be applied in NDPP mode:
3. Minimum length of Admin or User password can not be less than 8
4. Enforced password complexity must contain letters, numbers and symbols
5. Enforced password complexity requirement must contain at least 1 upper case letter, 1 lower case letter, 1 numeric character, and 1 special character
6. Must apply the password constraints for Administrator and Other full administrators
Device| Diagnostics | Tech Support Report
7. Not allowed to print password or pre-shared keys in TSR.
Device| Users | Settings - Enable check-box Force relogin after password change
8. Require users to relogin after password change.
Network| Firewall| Advanced| IPv6
9. Must enable "Drop and log network packets whose source or destination address is reserved by RFC"
VPN | Settings
10. Group VPN must set to disable in NDPP mode.
11. The length of VPN pre-shared key should be at least 22
12. IPsec Phase 2 lifetime(kbytes) not allowed to be unlimited in NDPP mode.
13. SHA-256 or higher is required in IPsec.
14. AES-128 or AES-256 is required in IPsec.
VPN | Advanced
15. IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
16. IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256
Network | System| Interfaces
17. HTTP and SSH interface login is not allowed.
18. IPv6 HTTP and SSH interface login is not allowed.
Manage| Logs and Reporting| Log Settings| Syslog
19. Must configure at least one Syslog Server.
20. Required to enable NDPP enforcement for Syslog Server.
- NDPP enforcement for Syslog server warrants the Syslog traffic be sent over a VPN tunnel. Therefore, a site to site VPN, either policy based or tunnel interface based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
- With the above requirement in place if the Syslog configuration is successful, a Network Monitor Policy is auto-created to probe the Syslog server.
21. LDAP is not supported in NDPP mode.
User Authentication must be set to Local Users.
22. SSL VPN is not allowed in NDPP mode.
Manage| Policies| Rules| Access Rules.
23. Must set session quota for each management IP.
24. Must set session quota for each IPv6 management IP.
To set session quota, perform the following steps:
- In the SonicWall management GUI, navigate to access rule section
- Change the page to LAN to LAN or WAN to WAN etc.
- Click on Configure on the auto-created management access rule.
- Click on the Optional Settings tab.
- Enable check box under Enable connection limit for each Source IP Address
- Enable check box under Enable connection limit for each Destination IP Address.
- The threshold counter could be either the default 128 or a figure of your choice.
Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.
This completes the configuration as required by NDPP. To enable NDPP perform the following steps:
- Navigate to Device| Firewall| Firmware and Settings| Settings
- Enable the check box under NDPP. If a configuration is pending, a pop-up window with the pending configuration is listed. If the stipulated configuration is completed, the following pop-up window will be displayed.
- Click on OK. A pop-window with a warning will be displayed.
- Click on OK again.
- Click on the restart message at the bottom of the screen or restart from System | Restart.
Subsequent to enabling NDPP mode, the settings configured for NDPP mode cannot be undone. NDPP must be manually disabled by de-selecting the NDPP check box under System | Settings or in the CLI before the configuration can be undone.
RESOLUTION FOR SONICOS 6.5.
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
To enable NDPP, perform the following steps:
- Login to the SonicWall management GUI
- Navigate to the Firmware and Backup | Settings page.
3. Enable check- box NDPP. If the appliance configuration is not as per NDPP requirements, a pop-up window with the list of configuration changes required in the SonicWall is displayed. Until these changes are made the NDPP check-box cannot be enabled.
The below steps describes how to configure the SonicWall UTM appliance to meet NDPP requirements.
Manage| System Setup| Appliance| Base Settings| Login Security
1. Admin password life time is required
2. New password must contain 4 characters different from the old password must be applied in NDPP mode:
3. Minimum length of Admin or User password can not be less than 8
4. Enforced password complexity must contain letters, numbers and symbols
5. Enforced password complexity requirement must contain at least 1 upper case letter, 1 lower case letter, 1 numeric character, and 1 special character
6. Must apply the password constraints for Administrator and Other full administrators
Investigate| Tools| System Diagnostics | Tech Support Report
7. Not allowed to print password or pre-shared keys in TSR.
Manage| System Setup| Users | Settings - Enable check-box Force relogin after password change
8. Require users to relogin after password change.
Manage| Security Configuration| Advanced Settings| IPv6 Advanced Configurations
9. Must enable "Drop and log network packets whose source or destination address is reserved by RFC"
VPN | Settings
10. Group VPN must set to disable in NDPP mode.
11. The length of VPN pre-shared key should be at least 22
12. IPsec Phase 2 lifetime(kbytes) not allowed to be unlimited in NDPP mode.
13. SHA-256 or higher is required in IPsec.
14. AES-128 or AES-256 is required in IPsec.
VPN | Advanced
15. IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
16. IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256
Mange| Network | Interfaces
17. HTTP and SSH interface login is not allowed.
18. IPv6 HTTP and SSH interface login is not allowed.
Manage| Logs and Reporting| Log Settings| Syslog
19. Must configure at least one Syslog Server.
20. Required to enable NDPP enforcement for Syslog Server.
- NDPP enforcement for Syslog server warrants the Syslog traffic be sent over a VPN tunnel. Therefore, a site to site VPN, either policy based or tunnel interface based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
- With the above requirement in place if the Syslog configuration is successful, a Network Monitor Policy is auto-created to probe the Syslog server.
21. LDAP is not supported in NDPP mode.
User Authentication must be set to Local Users.
22. SSL VPN is not allowed in NDPP mode.
Manage| Policies| Rules| Access Rules.
23. Must set session quota for each management IP.
24. Must set session quota for each IPv6 management IP.
To set session quota, perform the following steps:
- In the SonicWall management GUI, navigate to access rule section
- Change the page to LAN to LAN or WAN to WAN etc.
- Click on Configure on the auto-created management access rule.
- Click on the Advanced tab.
- Enable check box under Enable connection limit for each Source IP Address
- Enable check box under Enable connection limit for each Destination IP Address.
- The threshold counter could be either the default 128 or a figure of your choice.
- Click on OK to save.
Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.
This completes the configuration as required by NDPP. To enable NDPP perform the following steps:
- Navigate to System | Settings
- Enable the check box under NDPP. If a configuration is pending, a pop-up window with the pending configuration is listed. If the stipulated configuration is completed, the following pop-up window will be displayed.
- Click on OK. A pop-window with a warning will be displayed.
- Click on OK again.
- Click on the restart message at the bottom of the screen or restart from System | Restart.
Subsequent to enabling NDPP mode, the settings configured for NDPP mode cannot be undone. NDPP must be manually disabled by de-selecting the NDPP check box under System | Settings or in the CLI before the configuration can be undone.
Disabling NDPP from console
Enter the following commands in the CLI to disable NDPP. You must restart the SonicWall for the changes to take effect.
|config
|no ndpp
|commit best-effort
|exit
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO