HP DesignJet and PageWide XL User Manual

HP DesignJet and PageWide XL Printers

Security features

HP DesignJet and PageWide XL Printers Security Features

Company, L.P.

Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

September 2021 Edition

HP DesignJet and PageWide XL Printers Security Features

Table of Contents

1. Introduction & Overview ........................................................................................................................................ 5

2. Security concepts explanation.............................................................................................................................. 5

2.1 Device security ........................................................................................................................................................ 5

UEFI secure boot......................................................................................................................................................... 5

Firmware protection .................................................................................................................................................. 6

Integration with SIEM tools ....................................................................................................................................... 6

2.2 Device configuration protection ........................................................................................................................... 6

Disable protocols ........................................................................................................................................................ 6

SNMP compatibility .................................................................................................................................................... 8

Disable connectivity interfaces ................................................................................................................................. 9

Control Panel Access .............................................................................................................................................. 11

SCL certificates ........................................................................................................................................................ 17

Embedded Web Server (EWS) access control ...................................................................................................... 18

USB drive control ..................................................................................................................................................... 26

Jetdirect Security Wizard (HP T9x0-T15x0-T25x0-T3500-PageWide XL) ...................................................... 28

Hide IP from front panel ......................................................................................................................................... 28

2.3 Data security: encrypted communications ...................................................................................................... 28

IPSec 28

Encrypt web communications ............................................................................................................................... 29

Access control list .................................................................................................................................................... 29

802.1X authentication ............................................................................................................................................ 30

2.4 Authentication ..................................................................................................................................................... 30

2.5 Protected data in storage .................................................................................................................................. 30

Self-encrypted hard disk ........................................................................................................................................ 30

Secure File Erase (SFE) ........................................................................................................................................... 30

Secure Disk Erase (SDE).......................................................................................................................................... 31

Scan to network (HP DesignJet T2500, T2530, T3500, T2600, XL3600 eMFP Series) ................................. 33

Scan to FTP folder ................................................................................................................................................... 41

Exclude personal info from accounting ................................................................................................................ 43

Disable internet connection ................................................................................................................................... 44

2.6 Document security .............................................................................................................................................. 44

Job storage and PIN printing .................................................................................................................................. 44

ePrint center connection ........................................................................................................................................ 46

3. Advanced workflows ........................................................................................................................................... 48

3.1 Printing using LPR protocol. .............................................................................................................................. 48

How to use the LPR command in Windows. ........................................................................................................ 48

3.2 Printing using FTP protocol. ............................................................................................................................... 48

How to use FTP in Windows ................................................................................................................................... 49

How to use FTP from DOS command ................................................................................................................... 49

How to use FTP combined with DMS server ........................................................................................................ 49

Possible issue .......................................................................................................................................................... 50

3.3 Printing with PJLs ................................................................................................................................................ 50

How to use PJLs....................................................................................................................................................... 52

4. Large Format printers: security features summary ....................................................................................... 53

5. Large Format scanners: security features summary ..................................................................................... 63

6. Ports used in HP printers .................................................................................................................................... 65

Appendix 1 – Web Jetadmin .......................................................................................................................................... 71

HP DesignJet and PageWide XL Printers Security Features

Manageability contract for Large Format Printers ..................................................................................................... 71

MC DJA 1.0 ................................................................................................................................................................ 72

MC DJA 2.0 - Only additions are shown ............................................................................................................... 72

Appendix 2 – JetAdvantage Security Manager ............................................................................................................ 73

Policy compatibility features (HP DesignJet T1700/Z6/Z9+ Printer Series) ................................................... 73

Appendix 3 - Security Manager ..................................................................................................................................... 75

Plug-in modules: ............................................................................................................................................................. 75

Appendix 4 - Netgard overview .................................................................................................................................... 77

Introduction ..................................................................................................................................................................... 77

User account .................................................................................................................................................................... 77

FP settings ....................................................................................................................................................................... 77

EWS settings .................................................................................................................................................................... 79

Netgard MFD configuration ........................................................................................................................................... 80

Basic configuration of Netgard MFD for HP printers ........................................................................................... 80

Netgard MFD user interface access ...................................................................................................................... 80

Additional information ................................................................................................................................................... 86

Security Glossary ............................................................................................................................................................ 87

Device protection related .............................................................................................................................................. 88

Data protection related .................................................................................................................................................. 90

Document protection related ........................................................................................................................................ 93

HP DesignJet and PageWide XL Printers Security Features

1. Introduction & Overview

This document provides an overview of the security and connectivity features supported by HP DesignJet and PageWide XL printers as of October 2018.

The security features described in this document make the HP DesignJet and PageWide XL printer series particularly well suited for

In this document, you will find:

• The description of the features, where to configure them and some recommended values (Section 2,

• Description of the advanced printing workflows that can be used with the HP DesignJet (only

• The tables summarizing the new and existing security features of the HP DesignJet and PageWide XL

deployment in environments where network, data, and access control security are important.

Security concepts explanation

T1700/Z6/Z9+/Z6 Pro/Z9+ Pro) and PageWide XL printers (Section 3, Advanced workflows

printer series and how they are configured using the control panel, Embedded Web Server and/or HP Web Jetadmin (WJA). Please make sure that your printer has the latest firmware version to benefit from all the security features (Section 4, Large Format printers: security features summary

• The table summarizing the new and existing security features of the HP Scanners compatible with the HP DesignJet and PageWide XL printers (Section 5, Large Format scanners: security features summary

• The list of ports used by the printer and the effect of keep them blocked (Section 5, Ports used in HP

printers).

NOTE: If your printer is not listed in the table, then these features are not implemented.

2. Security concepts explanation

2.1 Device security

UEFI secure boot

It prevents the loading of unauthorized operating systems (OS) during system startup. This feature is compliant with the UEFI specification. Non-configurable feature.

HP Secure Boot

HP Secure Boot is another security feature that further protects the printer during boot process by making the BIOS validate its own integrity at the very start before continues execution. Secure Boot ensures a clean bootup to avoid any usage of external software installed in the printer and blocking backdoors to prevent hacking of the BIOS of the device.

To achieve this, file whitelisting ensures that the firmware and datafiles are originals and not modified or replaced files by unknown sources.

Security Event Logging (Sysslog)

Security Event Logging ensures the device can register all the security-related events. It is achieved through integration with Splunk and McAfee’s SIEMS.

All sensitive information, such as keys and passwords, are stored in an independent hardware item. To access this hardware, the system uses different keys, protecting the printer’s identity when authenticating.

HP DesignJet and PageWide XL Printers Security Features

Integration with SIEM tools

SIEM tools are software products and services that result from the combination of Security Information Management and Security Event Management. They provide real-time analysis and recording of security alerts generated by applications and network hardware.

Connection Inspector

Connection Inspector monitors the printer connections to the internet, detecting patterns from malicious software connections and acts on them. It can display 3 different system errors, based on severity:

• Warning

• Severe Continuable

• Severe not Continuable (requires printer restart). By restarting the printer, during the disk check, traces and

injected malware will be cleared.

Firmware protection

All HP portfolio use signed firmware package, that means firmware packages are digitally signed by the HP Code Signing group.

The printer is able to check the authenticity of any firmware and install only those signed by HP.

It is really important to keep the printer updated with the latest firmware, that provides you the highest security and new features.

The firmware can be updated in various ways, although not all them are available in all the printers:

• Plugging a USB drive with the firmware file in the root folder.

• Sending the firmware file through EWS.

• Sending the firmware file through the port 9100, as any other job.

• Activating the Automatic Firmware Upgrade (AFU): This function connects the printer with the HP server,

checks if there is a new firmware and downloads it. The installation should always be launched from EWS or printer control panel.

Despite the signature system, the recommendation is to protect the printer from unauthorized firmware upgrades:

• Protect the EWS access with an admin account (see section 2.2.6,

Embedded Web Server (EWS) access

control).

• Disable the firmware upgrade from USB (see section 2.2.7, USB drive control)

• Use the Automatic Firmware Upgrade to download the firmware.

2.2 Device configuration protection

Disable protocols

In some cases, you might want to disable all protocols that you do not plan to use to access your printer. For example, you might prevent users from sending files via ftp or connecting through telnet to manage the printer network settings. You can disable unused protocols through the Mgmt. Protocols option in the Embedded Web Server, or

the

HP DesignJet and PageWide XL Printers Security Features

Network Enable Features in Web Jetadmin.

In the HP DesignJet T830 MFP/T730 printer and HP DesignJet T200/600/Studio Printer, the network Management Protocols can be configured from the

Network > Advanced Settings menu.

HP DesignJet and PageWide XL Printers Security Features

SNMP compatibility

SNMP is a protocol to get printer information and to configure it. SNMPv3 is its encrypted version. Enabling it, only the client applications knowing the keys will be able to access the printer using this protocol.

The main benefits of using SNMPv3 are:

• Integrity: protects data flowing from side-to-side from being modified by a third party.

• Authentication: verifies the data source.

• Encryption: protects data from being accessed by a third party.

• Access control: restricts the Managed Device data that can be accessed by each Network Management

System.

You can enable and disable the SNMPv3 agent from your printer. You may set up an account that allows a management application to access the SNMPv3 agent.

The recommendation is to work with SNMPv3 and keep SNMPv1/v2 disabled if your system allows it.

HP DesignJet and PageWide XL Printers Security Features

Disable connectivity interfaces

Depending on the printer series, there are some USB network interfaces that can be disabled to restrict access to the printer through these interfaces.

In some products, you can install a Jetdirect card to add extra security features, in this case, you might want to disable the onboard Ethernet.

The HP Jetdirect 640n is a print networking device that offers high-speed wired functionality, easy set-up, full manageability, backward compatibility and enterprise-class security features.

Ideal for enterprise and workgroup SMBs requiring full-featured, secure, and backward-compatible print management of printers and MFPs over shared, wired networks.

HP DesignJet and PageWide XL Printers Security Features

Features: Print at high speed over gigabit networks

• Quickly connect to shared printers and MFPs throughout your office, over a gigabit network.

• Maintain rigorous standards through IPv6 network features: more IP addresses than IPv4 and IPsec security.

• Help reduce administration and operation costs with off-the-shelf functionality and backward compatibility.

See http://www8.hp.com/emea_africa/en/products/print-servers/product-detail.html?oid=5305778

for more

information about the Jetdirect card.

If you enable or disable a connectivity option, the printer will automatically restart. Keep in mind that disabling a connectivity option could cut off network access to the printer. As a security measure, you cannot disable the connection that you use to access the Embedded Web server.

HP DesignJet and PageWide XL Printers Security Features

Control Panel Access

The DesignJet and PageWide technologies allow the printer administrator to lock some features in the control panel of the device. Currently, there are two modes of control access “

Control Panel Access Lock” and “Access Control”,

depending on the model. To use these features, it is compulsory to define an administrator account and password.

In some printers, when setting an Embedded Web Server admin password, you also restrict access to certain front panel features by default. The protected features on the front panel are:

• Network connectivity & Internet connectivity

• Control firmware upgrades

• Reset factory defaults

• External hard disk connection

• Security

2.2.1.1 Control Panel Access lock

The control panel access lock is a feature intended for IT administrators, which enables them to lock the device’s control panel by using either the HP Web Jetadmin or the printer’s Embedded Web Server (depending on the printer model). This feature prevents unauthorized users from accessing some features on the control panel. Administrators can specify the level of access as follows:

• Unlock

• Minimum lock

• Moderate lock

• Intermediate lock

• Maximum lock

This option can be enabled from the HP Web Jetadmin as shown below:

HP DesignJet and PageWide XL Printers Security Features

Lock level

Functionality locked when the Lock level is set

0 – Unlock

1 – Minimum Lock

Resets, CIP config, Security, Service Menu 1

2 – Moderate Lock

Resets, CIP config, Security config

3 – Intermediate Lock

Resets, CIP config, Security

Media mgmt. workflows, Pause printer, Maintenance & IQ workflows

4 – Maximum Lock

Resets, CIP config, Security

Any settings, Connectivity info, IDS info, Paper Info, Cancel jobs, Calibration info

This option can also be enabled from the T1200 Embedded Web Server as shown below:

The following table shows the features enabled or disabled for each lock level:

Connectivity, AFU, IDS workflows, System info, Job Queue

Connectivity config, AFU, IDS workflows, System info, Job Queue

Connectivity config, AFU, IDS workflows, System info, Job Queue Media mgmt. workflows, Pause printer, Maintenance & IQ workflows

HP DesignJet and PageWide XL Printers Security Features

Actions

Permission denied if FP lock level is at least:

Settings App Access

4 - Maximum

Connectivity App Access

4 - Maximum

Connectivity App Details Access

2 - Moderate

Settings App Internet connectivity

2 - Moderate

Settings App Connectivity Troubleshooting

2 - Moderate

IDS App Access

4 - Maximum

IDS App Actions i.e. replacement, alignment, etc.

2 - Moderate

IDS Widget – Access to IDS App

4 - Maximum

IDS Widget – Cartridge Replacement

3 - Intermediate

Settings App Inks Entry Access

3 - Intermediate

Paper App Access

4 - Maximum

Paper App Load Media

3 - Intermediate

Paper App Unload Media

3 - Intermediate

Paper App Change Paper Type

3 - Intermediate

Paper Widget – Access to Paper App

4 - Maximum

Settings App Paper Entry Access

4 - Maximum

Printer Information App Access

4 - Maximum

Printer Information App AFU Access

2 - Moderate

Job Queue App Access

2 - Moderate

Pause printing

3 - Intermediate

Cancel printing

4 - Maximum

Settings App Calibration Info Entry Access

4 - Maximum

Settings App IQ maintenance Entry Access: Test plots, Align PH, IQ

Settings App Maintenance Entry Access

3 - Intermediate

Settings App System Entry Access

2 - Moderate

Settings App CIP Entry Access

1 - Minimum

Settings App Restore Factory Settings

1 - Minimum

Settings App FW Update

2 - Moderate

Settings App Printer Logs

3 - Intermediate

Settings App Allow SNMP

1 - Minimum

Settings App Service Level 1

1 - Minimum – PIN needs to be provided

Grouped by categories:

NOTE: When the Intermediate or Maximum locks are set, you will not able to load/unload paper or replace

printheads/ink cartridges without first unlocking the front panel. These options should only be set in specific circumstances

where the implications are known and understood.

NOTE: None of these levels locks the copy, scan, or print applications.

3 - Intermediate

HP DesignJet and PageWide XL Printers Security Features

When the control panel is locked, the applicable menus show a ‘lock’ symbol in the front panel. If a user attempts to access a “locked” menu entry, a warning message is displayed.

NOTE: In PageWide XL, when the user attempts to access a “locked” menu, the printer asks for the User password

that is not available when the Control Panel Access Lock is used. To insert the Admin password, click on the top left corner.

2.2.1.2 Access Control

The Access Control page is placed in the Setup tab, in the subsection called Access Control.

This function allows you to manage at least three roles of use (depending on the firmware version), defining which applications are available for each of them.

The Control Panel Access Lock (Setup > Security) should be set to unlocked (see 3.5.1. Control Panel Access Lock).

How to configure Access Control

The Access Control page has three main sections for the three main actions that can be performed:

• Sign-in methods: this section shows the enabled sign-in methods that can be used to sign in to the device.

• Device user accounts: in this section you can create, edit or delete the user accounts that are available on

the printer.

• Sign-in and permission policies: here you can set up the sign-in requirements for specific tasks and restrict user access by role.

HP DesignJet and PageWide XL Printers Security Features

Figure 1 - Access Control page

a. Sign-in methods

This section shows the enabled sign-in methods that can be used to sign in on the device.

Currently, sign-in methods are Local device, LDAP and Windows Sign-in (Kerberos).

Figure 2 - Sign-in methods

b. Device user accounts

In this section, there are four actions available:

• New: to add a new user account.

• Edit: to edit the selected user account.

• Delete: to delete the selected user account.

• Delete all: to delete all the user accounts.

HP DesignJet and PageWide XL Printers Security Features

User type

Role details

Admin user

This role has all the access privileges granted to it and cannot be edited.

Device user

This role has some access privileges granted to it that can be edited in the Access Control page.

Guest user

This role has some access privileges granted to it that can be edited in the Access Control

Figure 3 - Empty user accounts list

To add a new user:

• Click the New button; a section is expanded. It is required to fill in the name and password fields.

• It is possible to change the User access code and the Permission that is set. You can select from the following permission roles.

page.

Figure 4 - Creating a user account

After adding the user, you will see the following screen.

Figure 5 - User accounts list

c. Sign-in and permissions policies

You can change the permissions for the roles guest and user. Select the permissions and click Apply.

HP DesignJet and PageWide XL Printers Security Features

Figure 6 - Defining permissions

NOTE: Users have at least the Guest permission.

NOTE: Any app that forces the user to log in will cause the Guest column to be disabled.

Front Panel log in

When the user clicks on any blocked function for the first time, a window appears. The user must enter in his/her password. Session expiration can be managed in

Settings.

To log in as Admin, click the menu in the corner.

2.2.1.3 Deadlock: Front Panel locked + EWS password forgotten

Under certain circumstances, a printer might become inaccessible if the control panel has been locked and the administrator has lost the password needed to unlock it. This could happen if the front panel is locked through the printer’s Embedded Web Server and the Administrative password for the EWS is lost. In this situation, it would not be possible to unlock the front panel from the Embedded Web Server and it would not be possible to reset the Embedded

Web Server from the front panel.

NOTE: If the printer’s front panel becomes locked and you are unable to unlock it, then you should contact HP support

as soon as possible.

SCL certificates

• Jetdirect identity certificate

You can request, install, and manage digital certificates on the HP Jetdirect print server. Certificates are used to

identify the Jetdirect print server both as a valid web server for network clients, and as a valid client requesting access installed certificate.

on a secure network. By default, the Jetdirect print server contains a self-signed, pre-

HP DesignJet and PageWide XL Printers Security Features

• Certificate Authority certificate

You can install and manage a CA certificates in the printer. The CA certificate is used to validate the identity of the network servers you may connect to, such as SSL or LDAP servers secured with SSL.

Unique Admin password for EWS access control

New regulatory policies in some states worldwide state that governmental devices should have a non-blank default administrative password and that all printer administration/configuration resources should be protected by an admin password.

For this reason and to increase HP LFP Printers default security level, HP DesignJet and PageWide Printer Series now come with a new Security feature, the default unique admin password. This feature is currently only present in DesignJet and PageWide printers listed in the below table

but will be extended to further products. A default admin password will be assigned at manufacturing stage to all HP DesignJet and PageWide Printer Series printers going forwards that is unique for every printer.

HP DesignJet and PageWide XL Printers Security Features

DesignJet and PageWide Printer Series

Location of default Admin password

Settings Menu --> Security --> Administrator password:

Similarly, to other technical devices, this default admin password is already set when the user purchases the product. Depending on the printer model the default admin password may be found in different places. In some models this password can be located on a sticker on the rear of the printer. In other models the user will have a front panel menu option to obtain this default admin password. By referencing the below table, you can see where to find your printer’s unique default password and steps on how it can be changed/customized in each case.

PageWide XL 3920 MFP

PageWide XL 4200 Printer/MFP

PageWide XL 4700 Printer/MFP

PageWide XL 5200 Printer/MFP

PageWide XL 5200 Printer

PageWide XL Pro 5200 Printer/MFP

PageWide XL 8200 Printer/MFP

PageWide XL 8200 Printer

PageWide XL Pro 8200 Printer/MFP

PageWide XL Pro10000 Printer

DesignJet Z6 Pro Printer

DesignJet Z9+ Pro Printer

HP DesignJet T200/600/Studio Printer On the serial number label located on the back of printer

Using the Front Panel to discover the default admin password.

Front panel of the printer

Using the Front Panel, navigate to Settings Menu > Security > Administrator password:

It can also be discovered from the Front Panel through Printer Information:

HP DesignJet and PageWide XL Printers Security Features

When the default admin password is modified, under these menu paths you will see: Administrator password “Your password has been modified by the administrator, in case you lost it and need to recover, please contact your HP Service Representative”

NOTE: This is only an example. In every LFP printer the default admin password will be different.

2.2.1.4 How to change my printer’s default admin password

The printer’s admin password can be changed for any of your own (except a blank password). The process to change admin password can be performed in different ways.

Printer users can change the admin password through the web browser going to:

Settings > Security > Administrator password > Click on the Pen Icon:

HP DesignJet and PageWide XL Printers Security Features

A new window will ask both the default admin password and the new admin password. Note that the new admin password will have no constraint except that blank passwords are not allowed.

The admin password will remain between reboots.

NOTE: Default User name: admin

2.2.1.5 Reset admin password to default

In printers where the Unique Admin Password can be found on the printer front panel, users cannot reset the admin password to the default without assistance. If, for any reason, the customer admin password of the printer is not known, it is necessary to call a service representative to reset this password.

Only developers and servicing personnel will be allowed to reset admin password.

Unique Admin Password on printer label

Some Printer models are not able to display the unique admin password on the printer front panel and are therefore shipped with the default unique admin password on the printer label. These models can be identified from the above table. In these printer models there are 2 ways to find the default EWS password:

1. A label on the back of printer.

2. “Printer PIN” on “Printer Status Report”. Printable from front panel if it has not been changed from the default. If you change the PIN, the status report will no longer show it. It will show “Custom user password set” in the report instead.

NOTE: Default User name: admin

HP DesignJet and PageWide XL Printers Security Features

In printer models where the default admin password is found on the printer label it is possible to reset the admin password to its default through a factory rest of the printer.

Perform Setup > Printer Maintenance > Restore > Reset Factory Default

HP DesignJet and PageWide XL Printers Security Features

Embedded Web Server (EWS) access control

The Embedded Web Server is a powerful tool which enables direct management of devices such as the HP LaserJet or the HP DesignJet printers. With no security in place, however, this tool also has the potential to have a negative effect on many features, as they can be configured using just a web browser and knowing the IP address printer. To solve this situation, we have implemented two levels of access to our compatible HP DesignJet

of the

printers.

The Security page enables users to:

• Restrict access to the printer by setting an administrator user account.

• Define two levels of access: Administrator and Guest (Guest account not available in HP PageWide).

If the two levels of access have been set, and you have neither of the passwords, then you will not be able to gain access to the EWS information, as in the image below.

2.2.1.6 Administrator password

Access control is enabled by setting the Admin account password, i.e. specifying a password for the user account at admin level. You must then provide the admin password to perform any of the following restricted operations:

• Cancel, delete or preview a job in the job queue.

• Delete a stored job.

• Clear accounting information and configure cost assignment, in some models.

• Change printer settings on the Device Setup page.

• Access the setup tab to configure the printer.

• View protected printer information pages.

• Access the Customer Involvement Program page.

• Access the Service Support.

HP DesignJet and PageWide XL Printers Security Features

If there is no administrator account, then the restricted operations can be accessed without a password.

2.2.1.7 Guest password

Once the administrator user account has been set, the administrator can also set up a guest user account by specifying a password for the guest.

If the guest user account is set up, a username and password are required for all EWS operations: users identified as guests have access to restricted operations, whilst users identified as administrators have access to all operations.

If the guest account is not set up, a username and password are not required for unrestricted operations.

HP DesignJet and PageWide XL Printers Security Features

Notes:

• Some printers only have 1-level password access to the Embedded Web Server.

• The networking tab of the Embedded Web Server asks for another admin account and password. This

password is synchronized with the admin password for the complete EWS.

• For most printers that have EWS password capability, it is also possible to setup the admin password through Web Jetadmin. Only one level can be set in this way, however, so the guest password cannot be set up from Web Jetadmin.

• Passwords have no minimum complexity requirements; the maximum length is 16 characters.

• Printers with touchscreen front panels only allow the use of the limited set of characters shown below

(capital letters are also supported).

• These limitations do not apply to printers without touchscreen front panels, as the password can be set using EWS.

• Some printer drivers rely on the EWS for creating the preview. In cases where an administrator password is set, the administrator password will be required to access job preview.

USB drive control

All printers allow you to control the USB use, in two ways:

• USB drive: enable or disable the use of the USB to print or scan.

• Firmware upgrade from USB: enable or disable the possibility of upgrading the firmware from a USB.

These features are available in the control panel, the Embedded Web Server and Web Jetadmin.

HP DesignJet and PageWide XL Printers Security Features

Security level

Details

Basic

is shared on other tools such as Telnet and

Enhanced

Custom

Jetdirect Security Wizard (HP T9x0-T15x0-T25x0-T3500-PageWide XL)

The HP Jetdirect Security Configuration Wizard enables you to configure security settings for HP Jetdirect print server management. There are 3 levels of Network Security that can be set:

Configure an admin password that SNMPv1/v2.

Disable unsecure management protocols (FTP, Telnet, RCFG, SNMP v1/v2c).

Enable SNMPv3.

Enable SNMPv1/v2 read only access.

Manually adjust all the settings.

Hide IP from front panel

Some printers include an option in the Service Menu, accessible with the help of an HP Support agent only, that enables you to hide all IP information from the printer’s front panel. This prevents that people physically around the printer could obtain the IP and connect to it.

2.3 Data security: encrypted communications

IPSec

A Firewall or IP Security (IPsec) policy enables you to control traffic to or from the device by using network-layer protocols. Either a firewall or IPsec/firewall pages will appear, depending on whether IPsec is supported by the print server and device. If IPsec is not supported, firewall pages will be displayed and a firewall policy can be configured.

NOTE: Before you enable a firewall or IPsec policy, you should make sure that access to your configuration

management settings is secured (for example, through an administrator password). This will ensure that your policy is

not easily disabled through Telnet, control panel menus, or other management tools.

Firewall. Use this page to view or configure a firewall policy. A firewall policy consists of up to 10 rules, where each

HP DesignJet and PageWide XL Printers Security Features

rule specifies the IP addresses and services that are allowed by the print server and device. To add a rule, click Add Rule. This setting runs a wizard that will help you to configure each rule.

IPsec/Firewall. Use this page to view or configure an IPsec/firewall policy. An IPsec/firewall policy consists of up to 10 rules. As with a firewall policy, each rule specifies the IP addresses and services that are allowed by the print server

and device. With IPsec support, you can apply IPsec authentication and encryption protocols for those

addresses and

services. To add a rule, click Add Rule. This runs a wizard that will help you to configure each rule.

For a detailed description of wizard settings and additional help, visit Jetdirect IPsec/Firewall Help.

Encrypt web communications

You can securely manage your network-connected printers using a web browser and the HTTPS protocol. To authenticate the HP Jetdirect web server when HTTPS is used, you may configure a certificate, or you may use the pre-installed, self-signed X.509 Certificate. The encryption strength specifies what ciphers the web server will use for secure communications. SSL/TLS Protocols used in the communications can be configured in the printer’s EWS. Supported cipher suites can also be checked at EWS.

When you enable encryption, the web server encrypts all web communication, forcing all connections to use HTTPS. You can also configure encryption options to allow both HTTP (unencrypted) and HTTPS connections. In secure environments, you should choose to encrypt all web communications. Otherwise, sensitive management data (administrator password, SNMP community names, and secret keys) may be compromised.

Access control list

This feature lets you determine the access control list (ACL), which is used to specify the IP addresses on your network entries. access. By regardless (NATs) are

that are allowed access to the device. The ACL is normally used for security purposes and supports up to 10

The device blocks communications from all other addresses. If the list is empty, any system is allowed

default, host systems with HTTP connections (such as web browser or IPP connections) are allowed access

of ACL entries. This allows hosts to access the device when proxy servers or Network Address Translators

used. However, unfiltered access by HTTP hosts may be disabled by clearing the Check ACL for HTTP

checkbox.

Host systems that have access are specified by their IP host or network address. If the network contains subnets, an address mask may be used to specify whether the IP address entry is for an individual host system or a group of host systems. For an individual host system, the mask “255.255.255.255” is assumed and is not required.

HP DesignJet and PageWide XL Printers Security Features

CAUTION! You may lose your ability to communicate with the device if your system is not properly specified in the

list, or access through HTTP is disabled. If communication with the device is lost, then it may be necessary to restore the

network settings to their factory-default values.

802.1X authentication

802.1X is an IEEE Standard for port-based Network Access Control. It provides an authentication mechanism for devices that want to connect to a LAN.

For most 802.1X networks, the infrastructure components (such as LAN switches) must use 802.1X protocols to control a port's access to the network. If these ports do not allow partial or guest access, then the print server may need to be configured with your 802.1X parameters prior to connection.

To configure initial 802.1X settings before connecting to your network, you can use an isolated LAN, or a direct computer connection via a cross-over cable.

The supported 802.1X authentication protocols and associated configuration depend on the print server model and firmware version.

2.4 Authentication

2.5 Protected data in storage

Self-encrypted hard disk

The Self Encrypted hard disk ensures data is automatically encrypted every time data is sent to the printer and is written to the drive. This is achieved using AES 256-bit encryption.

Secure File Erase (SFE)

Secure File Erase is a feature that manages how files are deleted from the printer’s hard disk.

There are three security modes in the Secure Files Erase feature. These settings can be changed via Web Jetadmin, EWS and control panel (via the Service Menu with the HP support representative help).

• Non-Secure Fast Erase: In this mode, all file pointers to the data (table indexes) are erased. Temporary data remains on the Hard Disk Drive until the disk space it occupies is needed for another purpose, and is then overwritten. This is the fastest mode of operation and is the default for all printers.

• Secure Fast Erase: In this mode of operation, file pointers are erased and the disk space where the temporary job was stored is also overwritten with a fixed character pattern. This mode of operation is slower than Non-Secure Fast Erase, but all data is overwritten.

• Secure Sanitizing Erase: In this mode of operation, file pointers are erased and the disk space where the temporary job was stored is repeatedly overwritten using an algorithm that prevents any residual data. This mode of operation may affect product performance. The Secure Sanitizing Erase mode of operation meets the US Department of Defense 5220.22-M requirements for clearing and sanitization of disk media. When the Secure Sanitizing Erase feature is enabled, all temporary files that might contain sensitive data are erased with this method. No temporary files are left after a job has been completed (scan, copy, or print).

Furthermore, if you do not want to store jobs in the printer, you can set the number of jobs to be stored in the printer’s queue to 0. To configure this setting, perform the following steps:

HP DesignJet and PageWide XL Printers Security Features

• Go to the printer’s front panel,

• Select the Setup menu.

• Select Job management setup.

For further information, refer to the printer’s user manual, as the actual menu options may differ for a specific printer. The following is an example of how to change the Secure File Erase setting for the HP DesignJet T1100 printer.

Secure Disk Erase (SDE)

In either of the two secure methods described above (Secure Fast Erase and Secure Sanitizing Erase), there is also the

option to sanitize the whole disk. The sanitizing method removes any user data in a secure manner, so that the

device

can safely be moved from a secure location to an unsecure location. All disk erasing will be carried out via the

same

level of security erase.

This setting can be used via Web Jetadmin, EWS or the Control Panel’s Service menu, which is only accessible with the

help of an HP Support representative.

• HP Web Jetadmin access: The user interface that manages the Secure File Erase and Secure Disk Erase functionality is the HP Web Jetadmin. This is the same functionality that is used in the Web Jetadmin device plug-ins for LaserJet printers, which enables you to set the same global options across your fleet LaserJets and HP DesignJets. The following example shows how to configure the HP using the Web Jetadmin. Note that in the Web Jetadmin this option is called

Secure Storage Erase.

DesignJet T2300

of HP

HP DesignJet and PageWide XL Printers Security Features

• Printer Front Panel access: Once you have entered the Service Menu with the help of an HP Support representative, you can perform the Jetadmin. Note that the name of the feature in the front panel is

Secure Disk Erase using the same 3 options that you have in Web

Disk Wipe DoD 5220.220M, and that the

three options are called Insecure Mode, 1-pass mode and 5-pass mode.

Before you start the erase operation, you must first select the security level (sometimes referred to as sanity level). The printer will then warn you that the erase operation is a process which deletes all data and takes a long time. Once

you accept, the printer will begin the process, and will display a progress bar until complete. All data will be

wiped using

the selected method, and the printer’s firmware will be restored to the latest version installed before

this operation.

The time that this action will take depends on the amount of information stored on the HDD, the printer model and the option selected to perform it. The average time is:

Insecure Mode: 1 minute 1-pass mode: 2 days 5-pass mode: 2 weeks

The following screens show how to perform a secure hard disk erase on the HP DesignJet T2300 printer.

HP DesignJet and PageWide XL Printers Security Features

Scan to network (HP DesignJet T2500, T2530, T3500, T2600, XL3600 eMFP Series)

A scanned image may be saved on a USB flash drive or in a network folder. The USB flash drive option requires no preparation, but the network folder option will not work until it has been set up in the following way.

1. Create a folder on a computer that the scanner can access through the network.

2. Create a user account on the same computer for the printer (scanner user).

3. Change the sharing options of the folder, so that it is shared with the scanner user, and assign full control of

HP DesignJet and PageWide XL Printers Security Features

the folder to that user.

4. Create a share name for the folder.

NOTE: It is important to complete the above steps before starting the remaining steps below.

5. In the printer's Embedded Web Server, select the Setup tab and then Scan to network.

6. On the Scan to network page, click Add folder details, and fill in the various fields.

• The Server name should contain the network name of the remote computer. This remote computer must be connected in the local network to the printer.

• The Folder name should contain the share name of the folder.

• The User name should contain the name of the scanner user.

• The User password should contain the password of the scanner user.

• The Domain name should contain the name of the domain in which the user name exists. If the

scanner user does not belong to any domain, leave this field empty.

The server and folder names are used to connect to the shared folder by building a network folder path as follows: \\

SERVER NAME\FOLDER NAME

7. Click Apply to save the configuration.

The printer automatically checks that it can access the network folder.

EXAMPLE: CREATE A SCAN-TO-NETWORK FOLDER USING WINDOWS

1. Create a new user account for the scanner user on the remote computer. You can use an existing user account for this purpose, but it is not recommended.

2. Create a new folder on the remote computer (unless you want to use an existing folder).

3. Right-click the folder and select Properties.

4. In the Sharing tab, click the Advanced Sharing button.

HP DesignJet and PageWide XL Printers Security Features

5. Check the Share this folder box.

6. You need to ensure that the scanner user has full read/write control over the shared folder. To do this, click Permissions and grant Full Control to the user (or to any suitable group that includes that user).

7. If there is a Security tab in the Properties window for your folder, then you must also grant the same user Full Control over the folder in the Security tab. Only some file systems such as NTFS require this.

HP DesignJet and PageWide XL Printers Security Features

The scanner user can now access the folder and write files to it. Next, you must configure the printer to send scans to the folder.

8. In the Home screen of the printer's Embedded Web Server, select the Scan to network tab.

9. On the Scan to Network page, click Add folder details:

If the printer has already been configured for scanning to the network and you now want to use a different shared folder, click

Modify.

HP DesignJet and PageWide XL Printers Security Features

Enter the Host name or IP address of the remote computer, the name of the shared folder, and the user name and password of the scanner user that you have already created on the remote computer.

Leave the user domain field empty unless the user is a member of a Windows domain. If the user is only a local user of the remote computer, leave the field empty.

You can use the host name (instead of the IP address) in the server name field only if the shared folder is on a Windows computer in the same local network. This must be a simple name (up to 16 characters long) without a domain suffix (i.e. without any dots in the name). Fully qualified DNS domain names are supported, except for T2300.

10. Click Apply to save the configuration.

The printer automatically checks that it can access the network folder.

You can check at any later time that the shared folder remains accessible by clicking Verify in the Embedded Web Server. A correctly configured shared folder can become inaccessible if the user’s password is changed, or if the shared folder is moved or deleted.

EXAMPLE: CREATE A SCAN-TO-NETWORK FOLDER USING MAC OS

NOTE: Scan to Network is currently supported on Mac OS 10.9 (Maverick) and previous versions.

1. Create a new user account for the scanner user on the remote computer. You can use an existing user account for this purpose, but it is not recommended.

2. Create or choose a folder on the remote computer. By default, Mac OS users have a “Public Folder” that can easily be used for this purpose.

3. Open System Preferences and select the Sharing icon.

HP DesignJet and PageWide XL Printers Security Features

4. Make sure the scanner user has Read & Write access to the folder.

5. Click Options.

6. Check the Share files and folder using SMB box, and make sure that the scanner user is checked in the On column.

7. Click Done. You will now see file sharing enabled and Windows sharing: On.

HP DesignJet and PageWide XL Printers Security Features

The scanner user can now access the folder and write files to it. Next, you must configure the printer to send scans to the folder.

8. From the Home screen of the printer's Embedded Web Server, select the Setup tab and then Scan to network.

9. On the Scan to network page, click Add folder details.

If the printer has already been configured for scanning to the network and you now want to use a different shared folder, click Modify.

Enter the IP address of the remote computer, the name of the shared folder, and the user name and password of the scanner user that you have already created on the remote computer.

You cannot use the remote computer’s host name as the server name, as this is only supported for computers running Windows. You must use the IPv4 or IPv6 address.

Leave the user domain field empty.

10. Click Apply to save the configuration.

The printer automatically checks that it can access the network folder.

HP DesignJet and PageWide XL Printers Security Features

Printer model

Product Number

Scan to Cluster Server environment supported

HP DesignJet T2600 36-in Multifunction Printer

3XB77A

Yes

HP DesignJet T2600 36-in PostScript Multifunction Printer

3XB78A

Yes

HP DesignJet T2600dr 36-in Multifunction Printer

Y3T75A

Yes

HP DesignJet T2600dr 36-in PostScript Multifunction Printer

3EK15A

3EK15F

Yes

HP DesignJet XL 3600 36-in Multifunction Printer

6KD23A

Yes

2.5.1.1 Troubleshooting scan to network connectivity issues

If you are unable set the Scan to network, try the following:

• Check that you have filled in each field correctly.

• Check that the printer is connected to the network.

• Check that the folder is shared.

• Check that you can put files into the same folder from a different computer on the network, using the

printer's logon credentials.

• Check that the printer and the remote computer are on the same network subnet.

• Check that the Firewall does not block de CIFS/SMB ports.

• Try a basic network configuration, connect the printer directly to the computer.

Notes:

• Direct hosted SMB traffic (not using NetBIOS) uses port 445 (TCP and UDP).

• NetBIOS over TCP uses the following ports: UDP ports 137,138; TCP ports 137,139.

• Scan to network is not supported within the following environments/protocols: Active Directory, Kerberos,

NFS and SSPI protocols.

• Scan to Cluster Server environment is supported in newer printers regardless if DFS is installed or not. Previous MFP series do not support scan to cluster server environment. You can check the current models that support this feature in the following table.

3XB78F

3EK15B

6KD23G 6KD23H 6KD23F

6KD23L 6KD23M 6KD23N

HP DesignJet and PageWide XL Printers Security Features

HP DesignJet XL 3600 36-in Multifunction Printer PS

6KD24A

Yes

HP DesignJet XL 3600dr 36-in Multifunction Printer

6KD25A

6KD25N

Yes

HP DesignJet XL 3600dr 36-in Multifunction Printer PS

6KD26A

Yes

HP PageWide XL 3920 Multifunction Printer

HP PageWide XL 4200 Multifunction Printer

HP PageWide XL 4700 Multifunction Printer

HP PageWide XL 5200 Multifunction Printer

HP PageWide XL Pro 5200 MFP Printer

HP PageWide XL Pro 8200 MFP Printer

4VW11A

Yes

6KD24G 6KD24H

6KD24F

6KD24L 6KD24M 6KD24N

6KD25G 6KD25H

6KD25F

6KD25L 6KD25M

6KD26G 6KD26H

6KD26F

6KD26L 6KD26M 6KD26N

4VW13A 4VW15A 4VW17A 4VW19A 4VW20A

Scan to FTP folder

1. Create a folder on an FTP server.

2. Ensure that you know the server name, user name, and password for the FTP server.

NOTE: You must complete the above steps for one option or the other before starting the remaining steps

below.

3. In the printer's Embedded Web Server, select the Setup tab and then Scan to network. See Access the Embedded Web Server.

HP DesignJet and PageWide XL Printers Security Features

Alternatively, in the HP Utility, select the Settings tab and then Scan to network. See Access the HP Utility.

4. On the Scan to network page, click Add folder details, and fill in the various fields.

• Protocol may be FTP or CIFS (Windows).

• Folder type may be public or private. The folder type is displayed in both the Embedded Web Server

and the front panel with an icon. When you select a private folder, you must enter a password in the front panel.

• Alias name is displayed in the front panel when you are choosing the scan destination. It may be different from the network or FTP folder name.

• Set this network destination as a default. If you have installed HP DesignJet SmartStream, the option to set it as a destination appears. For more information, see HP SmartStream user guide.

• Server name should contain the network name of the remote computer.

• Folder name should contain the share name of the folder.

• User name should contain the name of the scanner user.

• User password should contain the password of the scanner user.

• Domain name should contain the name of the domain in which the user name exists. If the scanner

user does not belong to any domain, leave this field empty.

The server and folder names are used to connect to the shared folder by building a network folder path as follows: \\server name\folder name.

HP DesignJet and PageWide XL Printers Security Features

For a network folder, enter the name or IP address of the remote computer, the name of the shared folder, and the user name and password of the scanner user that you have already created on the remote computer. Leave the user domain field empty unless the user is a member of a Windows domain. If the user is only a local user of the remote computer, leave the field empty. You can use the name (instead of the IP address) in the server name field only if the shared folder is on a Windows computer in the same local network. This must be a simple name (up to 16 characters long) without a domain suffix (without any dots in the name). Fully qualified DNS domain names are also supported.

For an FTP folder, enter the server name, folder name, user name, and password. Leave the user domain empty.

5. Click Add to save the configuration.

NOTE: If the product has already been configured for scanning to the network and you now want to use a

different shared folder, click Modify.

6. The printer automatically checks that it can access the network folder. If not, see the User Guide of the printer.

Exclude personal info from accounting

You can enable or disable the option for the printer to send an e-mail containing accounting information. If you enable this setting, you also need to fill in the destination of the report by using the Send accounting files to setting. Please note that you also have to configure the e-mail server on the Setup Page.

In some cases, customers prefer not to send personal data from the printers via e-mail, and so the option to Exclude Personal information from accounting e-mail is now available in the Embedded Web server. If this option is selected, accounting e-mails will not contain personal information (user name, job name, and account ID will be left blank in the

accounting file sent by e-mail from the printer).

This option is typically used for managed print or pay-per-use contracts to ensure that only the data (counters) relevant for billing are being sent by the printer. Personal information about who printed which file is not required for

billing purposes, and can be excluded from the accounting e-mail. This personal information is typically used for

cost

allocation within a company.

HP DesignJet and PageWide XL Printers Security Features

Disable internet connection

Disable the direct connection of the printer to the internet. This option also prevents the printer from automatically performing firmware upgrades.

2.6 Document security

Job storage and PIN printing

Job storage allows jobs to be stored and then printed when required, it also provides features for setting print jobs as

“private”, with a personal identification number (PIN).

To access job storage features, open the printer’s Properties, and then select Printing Preferences. Click on the Job Storage tab where the following job-storage features are available:

HP DesignJet and PageWide XL Printers Security Features

Print and Store

• After a job has been printed, it is stored in the printer and more copies can then be printed from the front panel.

Print and Delete

• Once printed, the job is automatically removed from the printer.

Retrieve from front panel (Personal Job)

• Use the personal job printing feature to specify that a job cannot be printed until you release it from the printer's front panel.

• To preview it in the Embedded Web Server, you will need to enter the PIN.

Retrieve from front panel (Private Job)

• Use the private job printing feature to specify that a job cannot be printed until you release it with a PIN. First, select

Retrieve from front panel (Private Job), then the PIN to print checkbox will be available. If checked, a 4-digit personal identification number must be set. The PIN is sent to the device as part of the print job. After sending the print job to the device, use the PIN to print the job. Once printed, it is automatically removed from the printer.

• To preview it in the Embedded Web Server or in the front panel, you will need to enter the PIN.

HP DesignJet and PageWide XL Printers Security Features

NOTE: Some Multifunction devices include the Scan job storage feature that has two options: Scan and delete (the

job is not stored in the scan job queue) and Scan and store (the job is kept in the scan job queue).

ePrint center connection

The ePrint feature allows the user to print any supported file sending an email. It is available in the front panel and the EWS.

This feature can be disabled, so that users are unable to remotely send items to print.

HP DesignJet and PageWide XL Printers Security Features

This functionality is disabled by default.

In PageWide XL, the route to enable it is Settings > Connectivity > HP Connected > HP ePrint connectivity. In the same window, you can set the behavior of the printer for this kind of job.

If you want to control the job sent with this path, you can use Hold the job and block the control panel with a password.

You can also configure who can use this path (which e-mail addresses are allowed or forbidden). This is configured in https://www.hpconnected.com/

, an account is needed to do it.

HP DesignJet and PageWide XL Printers Security Features

3. Advanced workflows

This section describes some advanced printing workflows that can be used to interact with the HP PageWide XL, DesignJet T1700, DesignJet Z6, Z6 Pro and DesignJet Z9+ and Z9+Pro printers.

3.1 Printing using LPR protocol.

This feature allows you to print any supported file without drivers or other programs.

It can be useful to develop internal programs to manage production or to develop programs for operating systems without a driver.

The job sent using this method will be printed with the default settings, some options can be managed using PJLs. (See section 3.3, Print with PJLs

This protocol must be enabled in the EWS or Web Jetadmin. If you do not use it, keep it disabled for security.

How to use the LPR command in Windows.

• Turn on the windows feature

)

a. Go to Control Panel > Programs > Programs and

Features > Turn Windows features on or off.

b. Select the LPR Port Monitor from the list.

• Open a command window (search cmd in the Start menu).

• Use the command: Lpr -S IP –P printer File name

a. IP Format: xx.xxx.xx.xxx

b. Printer: any name you want to use.

c. File name: including complete route.

*In this example, the file is located in C:\.

3.2 Printing using FTP protocol.

This feature allows you to print any supported file without drivers or other programs. It can be used through command line or as a drag and drop system, combined with any FTP client program.

As with the LPR command, it can be used for developing specific tools to simplify your workflow.

The job sent using this method will be printed with the default settings, some options could be managed using PJLs. (See section 3.3, Print with PJLs

This protocol must be enabled in the EWS or Web Jetadmin. If you do not use it, keep it disabled for security.

)

HP DesignJet and PageWide XL Printers Security Features

Operator’s PC is running a

and selects the printer, a request

Once the request reaches the server,

save it locally.

Finally, the files will be sent to the

How to use FTP in Windows

1. Open the Windows Explorer.

2. Write in the route box: “ftp:\\IP”.

3. Now you have a window with one folder (Port).

4. Open the folder.

5. Use Drag and Drop. (Any file added to this folder will be printed.)

How to use FTP from DOS command

This example uses the ftp command in a similar way to that of LPR. You only have to connect the Printer with the FTP command and use any command, such as “put” or “send” (see the FTP help for the command format), to add the files to the printer FTP.

If you have an admin password defined, the printer will ask for it to approve the connection.

How to use FTP combined with DMS server

printing interface with DMS. The PC and the printer need to be in the same intranet. List all the jobs from DMS that need to be printed. When the operator clicks print,

the second PC (PC2) will download the printing file from the server and

printer by FTP command. The FTP command is generated by PC2, so there is no need for the operator to type the code in CMD. The file will be printed with default

HP DesignJet and PageWide XL Printers Security Features

PJL Name

Description

Accepted values

Example

STRINGCODESET

Indicates the string's

them).

UTF8

@PJL SET

JOBNAME (also set via @PJL JOB NAME)

Sets the localized version of

@PJL SET JOBNAME="My Job"

USERNAME

Sets the localized version of

@PJL SET

Wrong printing order

It is possible that the files

Possible issue

If the printing files downloaded from the server are temporally stored in a folder,…

were sorted by name or any other rule, then sent to print in the wrong order

3.3 Printing with PJLs

PJL commands allow you to add print settings to a PDF file (not compatible with other files). This means that you can use a direct print mode (send the file directly to the printer without a driver or software) modifying some properties.

The following table contains the list of PJLs that are currently supported in the supported printers.

This list is still in development, more commands could be added in future releases.

codification type used for the "@PJL JOB NAME, @PJL SET JOBNAME and @PJL SET USERNAME" commands (therefore, it comes before

the job name. It requires specification of the string's codification type. This value has precedence over the "@PJL JOB NAME=jobname". Maximum length is 128 bytes.

the user name. It requires

UTF8URL ROMAN8 KAN8

STRINGCODESET=UTF8

@PJL JOB NAME="My Job"

USERNAME="wintest"

HP DesignJet and PageWide XL Printers Security Features

specification of the string's codification type.

MARGINLAYOUT

Selects how the margins will

STANDARD

@PJL SET

PRINTQUALITY

Specifies the desired print

NOTE

DRAFT

@PJL SET

RENDERINTENT

Indicates which color

which can be modified.

PERCEPTUAL

SATURATION

@PJL SET

RENDERMODE

Sets the printing mode for

COLOR

@PJL SET

RESOLUTION

The value depends on the

@PJL SET RESOLUTION=300

MEDIASOURCE

Selects the input media

ROLL1

AUTO

@PJL SET

MEDIADESTINATION

Chooses the output

DEFAULT

@PJL SET

FOLDINGMETHODTYPE

Specifies the folding method type.

USER STANDARD

@PJL FOLDINGMETHODTYPE=USER

FOLDINGMETHODENUM

Specifies the folding method

Use

@PJL SET

be applied.

quality for a page. This command affects the entire page. Once data has been sent to the printer, any subsequent print quality change will not take effect until the following page.

: HP PageWide XL Print

Quality mapping: * Lines/Fast = DRAFT * Uniform areas = NORMAL * High Detail = HIGH

properties must be kept and

your plot to color or grayscale.

OVERSIZE CLIPINSIDE

NORMAL HIGH

COLORIMETRIC

GRAYSCALE

MARGINLAYOUT=CLIPINSIDE

PRINTQUALITY=DRAFT

RENDERINTENT=PERCEPTUAL

RENDERMODE=COLOR

data format and print quality.

source.

destination for the job.

value: 0: Do not fold 1: User Defined 2: Folder Selected 3: Stack 4 - 255: Reserved, Do Not

ROLL2 … ROLL6

BIN STACKER FOLDER ACCESSORY_STACKER

MEDIASOURCE=ROLL4

MEDIADESTINATION=BIN

FOLDINGMETHODENUM=0

HP DesignJet and PageWide XL Printers Security Features

256 - 65535: Use freely

FOLDEROUTPUTBIN

Specifies the folder output

@PJL FOLDEROUTPUTBIN=0

AUTOROTATE

Specifies whether

ON OFF

@PJL SET AUTOROTATE = ON

SCALE

Specifies scaling of the job.

@PJL SET SCALE = 50

COPIES

Specifies the number of copies of the job.

@PJL SET COPIES =2

ENTER LANGUAGE

Specifies the language of the

PDF

@PJL ENTER

%PDF-1.5 %âãÏÓ

[ESC]%-12345X@PJL JOB

bin number for the job.

Autorotate is enabled or not.

job encapsulated.

TIFF

LANGUAGE="PDF" JPEG HPGL2

How to use PJLs

In order for PJL values to be applied to a job when sending it to the HP PageWide XL, the submitted file needs to be modified.

The first line [ESC]%-12345X@PJL JOB is pointing out that a PJL Job is beginning. Please note that [ESC] references to the ASCII escape character.

The following lines contain the PJLs supported by HP PageWide XL, as shown in the example.

The last line in the header references the language of the file encapsulated, for instance PDF.

Finally, a last line closing the job is needed.

@PJL SET STRINGCODESET=UTF8 @PJL JOBNAME = “My Job" @PJL USERNAME = “User_01" @PJL MARGINLAYOUT = “OVERSIZE" @PJL MEDIASOURCE = “ROLL6"

10 0 obj <</Linearized 1/L 93026/O 12/E 88610/N 1/T 92722/H [ 456 153]>> endobj … %%EOF

HP DesignJet and PageWide XL Printers Security Features

Model

Z6XX0

D5800

Z5400

Z3200

Z2100/Z5200

Z2600/Z5600

Z6/Z9+

Pro/Z9+Pro

Device security - Device integrity

SNMPv3

UEFI Secure Boot

Whitelisting

Disable firmware

update through

USB

Automatic

Firmware

Upgrade (AFU)

HP Secure Boot

Connection

Inspector

Device security - Device configuration protection

Disable protocols

Disable physical

ports

Control panel

lock

Hide IP from

Front Panel (FP)

EWS multilevel

Guest Account

Printer access

control

Disable USB drive

Wizard setup configuration

CA/JD

Certificates

SIEM tools

Security event

logging (Sysslog)

4. Large Format printers: security features summary

GRAPHIC PRINTERS

EWS EWS EWS

N/A N/A N/A N/A N/A N/A Yes Yes

N/A N/A EWS/FP N/A N/A EWS/FP EWS/FP

No EWS EWS EWS EWS Yes Yes Yes

No No No No No No No Yes

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

EWS EWS

EWS/FP

(USB Printing)

EWS/WJA +

Jetdirect

N/A N/A

EWS/WJA +

Jetdirect

EWS EWS/FP

EWS/FP

(USB printing)

EWS/FP/WJA

EWS/WJA

FP/EWS/WJA

EWS EWS EWS/WJA N/A N/A EWS/WJA EWS/WJA

FP FP EWS/FP N/A N/A EWS/FP FP No

EWS EWS EWS

Yes Yes Yes Yes Yes Yes Yes Yes

N/A N/A EWS/FP N/A N/A EWS/FP EWS/FP/WJA

N/A N/A EWS/FP N/A N/A EWS/FP EWS EWS/FP/WJA

N/A N/A N/A N/A N/A N/A Yes Yes

EWS/WJA EWS/WJA EWS/WJA

N/A N/A N/A N/A N/A N/A N/A

EWS (1

level)

EWS +

Jetdirect

N/A EWS EWS/FP/WJA

EWS +

Jetdirect

EWS/WJA EWS/WJA

EWS/WJA

Yes (1 level)

EWS/FP/WJA

EWS/WJA

Yes

HP DesignJet and PageWide XL Printers Security Features

Model

Z6XX0

D5800

Z5400

Z3200

Z2100/Z5200

Z2600/Z5600

Z6/Z9+

Pro/Z9+Pro

Data security - Encrypted communications

IPSec

Compatibility

TLS/SSL

Encrypt web

communications

Data security – Authentication

802.1X

Authentication

JD640

NTLM

Data security - Protected data in storage

External HDD

Removable HDD

Self-Encrypted

HDD

Secure file erase

Secure disk erase

Exclude personal

info. from

(Z5200ps

Disable internet

connection

Disable ePrint

Center

TPM

Secure Storage

Document security – PIN printing

Job Storage

Mode and PIN

EWS EWS EWS/WJA

SSL1.0 and

SSL/TLS with

JD640

EWS/WJA EWS/WJA EWS/WJA

Only with

N/A N/A N/A N/A

Yes Yes N/A N/A N/A N/A N/A No

N/A N/A Yes N/A N/A Yes Yes No

Only Rev B N/A N/A N/A N/A N/A Yes Yes

SSL1.0 and

SSL/TLS

with JD640

Only with

Yes

Only with

EWS/WJA +

Jetdirect

Only with

JD640

EWS/WJA +

Jetdirect

Only with

EWS/WJA +

Jetdirect

Only with

JD640

EWS/WJA +

Jetdirect

Only with

JD640

N/A N/A N/A V2

EWS/WJA EWS/WJA EWS/WJA

Only with

JD640

Yes Yes

WJA WJA WJA/FP WJA

WJA/FP WJA/FP WJA/FP WJA/FP N/A WJA/FP EWS/FP/WJA EWS/FP/WJA

EWS EWS EWS EWS

N/A N/A EWS/FP N/A N/A EWS/FP EWS/FP/WJA EWS/FP/WJA

N/A N/A EWS/FP N/A N/A EWS/FP EWS/FP N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A Yes Yes

WJA (Z2100

only)

EWS

WJA/FP EWS/FP/WJA EWS/FP/WJA

EWS EWS/FP EWS/FP

EWS: Embedded Web Server, WJA: Web Jet Admin, FP: Front Panel., N/A: Not available.

HP DesignJet and PageWide XL Printers Security Features

Model

T7X00

T3500

T2500/ T1500/

T920

T2530/

T1530/T930

T2300/

T1300

T790/T795

T120/T520/

T100/T500

T200/600/

Studio

T730/

T830

T830 24

inch

T1700

T1600/

T2600

XL3600

Device security - Device integrity

SNMP configurability

EWS

UEFI Secure Boot

Whitelisting

Disable firmware

update through USB

Automatic Firmware

Upgrade (AFU)

Device security - Device configuration protection

Disable protocols

Disable interfaces

Control panel lock

Hide IP from FP

SMB 2/3

EWS multilevel

Printer access

control

Disable USB drive

TECHNICAL PRINTERS

EWS EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS EWS

N/A Yes N/A Yes N/A N/A N/A N/A N/A N/A Yes Yes Yes

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Yes Yes Yes

N/A EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP N/A N/A EWS EWS EWS/FP EWS/FP EWS/FP

No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJ

EWS EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA N/A N/A N/A N/A EWS/WJA EWS/WJA EWS/WJA

EWS/FP (USB printing only)

Only SNMPv1

EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

EWS EWS EWS EWS/FP EWS/FP EWS/FP

EWS/WJA EWS/WJA EWS/WJA

FP FP FP FP FP FP N/A N/A N/A N/A FP FP FP

N/A Yes

EWS EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/FP

N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/FP EWS/FP N/A N/A N/A N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/FP EWS/FP N/A N/A EWS EWS EWS EWS EWS

Yes (Only

T2500)

Yes (Only

T2530)

No No No No

EWS/FP (1

EWS (1 level)

EWS (1

Yes (Only

T830)

EWS (1

Yes N/A N/A YES

EWS (1

EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

HP DesignJet and PageWide XL Printers Security Features

Model

T7X00

T3500

T2500/ T1500/

T920

T2530/

T1530/T930

T2300/

T1300

T790/T795

T120/T520/

T100/T500

T200/600/

Studio

T730/

T830

T830 24

inch

T1700

T1600/

T2600

XL3600

SIEM tools

Splunk

Security event

logging (Sysslog)

Wizard setup configuration

CA/JD Certificates

Data security – Encrypted communications

IPSec

TLS/SSL

Encrypt web

communications

Data security – Authentications

802.1X

Authentication

NTLM

Data security – Protected data in storage

External HDD

Removable HDD

Self-Encrypted HDD

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Yes Yes

N/A EWS EWS EWS N/A N/A N/A N/A N/A N/A EWS/WJA EWS/WJA EWS/WJA

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS N/A EWS EWS EWS EWS/WJA EWS/WJA EWS/WJA

EWS EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/WJA EWS/WJA N/A N/A N/A N/A EWS/WJA EWS/WJA EWS/WJA

SSL1.0 and

SSL/TLS with

JD640

EWS/WJA EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/WJA EWS/WJA EWS EWS EWS EWS EWS/WJA EWS/WJA EWS/WJA

Yes Yes Yes Yes

Yes

N/A Yes Yes

McAfee

Yes Yes Yes Yes

Yes (Only

with JD640)

N/A

Yes N/A N/A N/A Yes PS only N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A Yes Yes N/A N/A N/A N/A Yes Yes Yes

N/A Yes Rev B Rev B Rev B Rev B (only

Yes Yes Yes

V2 (only

T2500)

V2 (only

T2530)

Yes (Only

with JD640)

V1 (only

T2300)

Yes (Only

with JD640)

N/A N/A N/A

N/A EWS EWS EWS Yes Yes Yes

N/A N/A N/A N/A Yes Yes Yes

V2 (only

T830)

N/A N/A N/A

HP DesignJet and PageWide XL Printers Security Features

Model

T7X00

T3500

T2500/ T1500/

T920

T2530/

T1530/T930

T2300/

T1300

T790/T795

T120/T520/

T100/T500

T200/600/

Studio

T730/

T830

T830 24

inch

T1700

T1600/

T2600

XL3600

Secure file erase

Secure disk erase

Exclude personal

info. from accounting

Disable internet

connection

Disable ePrint Center

connectivity

TPM

Secure Storage

Document security – PIN printing

Job storage and PIN

printing (Job

retention)

WJA EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA WJA WJA N/A N/A N/A N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

WJA/FP EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA WJA/FP WJA/FP (PS

N/A N/A N/A N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

EWS EWS/WJA EWS/WJA EWS/WJA EWS EWS N/A N/A N/A N/A EWS/FP EWS/FP EWS/FP

N/A EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP/WJA EWS/FP/WJA EWS/FP/WJA

N/A EWS/FP EWS/FP EWS/FP FP FP EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP EWS/FP

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Yes Yes

No Yes No Yes No No No No No No Yes Yes Yes

HP DesignJet and PageWide XL Printers Security Features

Model

T1200

T770

Z3100

Z3100ps

4020/4520

T1100/T1120

Z6100

T620

Device security - Device integrity

SNMPv3

Jetdirect

UEFI Secure Boot

Whitelisting

Disable Firmware

Automatic Firmware

Upgrade (AFU)

Device security – Device configuration protection

Disable protocols

Disable interfaces

Control panel lock

EWS multilevel

Printer access control

Disable USB drive

Wizard setup configuration

CA/JD Certificates

Jetdirect

Data security – Encrypted communications

IPSec

Encrypt web

communications

Jetdirect

Data security – Authentication

NTLM

Data security – Protected data in storage

External HDD

Removable HDD

Self-Encrypted hard disk

OLDER TECHNICAL AND GRAPHIC PRINTERS

EWS EWS EWS +

N/A N/A N/A N/A N/A N/A N/A N/A

No No No No No No No No

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

EWS EWS EWS N/A EWS EWS EWS N/A

EWS/WJA WJA N/A N/A WJA EWS EWS N/A

EWS N/A N/A EWS

N/A N/A N/A N/A N/A N/A N/A N/A

EWS +

EWS EWS EWS N/A

EWS +

N/A N/A N/A N/A N/A N/A N/A N/A

EWS EWS EWS +

EWS/WJA EWS/WJA EWS/WJA +

Jetdirect

EWS EWS EWS/WJA +

N/A N/A N/A N/A N/A N/A N/A N/A

Yes HD ver

(from F/W

6.0.0.6)

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

EWS +

EWS/WJA +

Jetdirect

EWS/WJA +

EWS +

EWS/WJA +

Jetdirect t

EWS/WJA +

EWS +

EWS/WJA +

Jetdirect

EWS/WJA +

EWS +

EWS/WJA +

Jetdirect

EWS/WJA +

EWS +

EWS/WJA +

Jetdirect

EWS/WJA +

N/A N/A N/A N/A N/A N/A N/A N/A

HP DesignJet and PageWide XL Printers Security Features

Model

T1200

T770

Z3100

Z3100ps

4020/4520

T1100/T1120

Z6100

T620

Secure file erase

Secure disk erase

Exclude personal info.

from accounting

Disable internet

connection

Disable ePrint Center

connectivity

Secure Storage

Document security – PIN printing

PIN Printing

WJA WJA WJA WJA WJA WJA WJA N/A

WJA/FP WJA/FP

(HD)

EWS EWS N/A N/A EWS EWS EWS N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A FP FP WJA/FP WJA/FP WJA/FP

HP DesignJet and PageWide XL Printers Security Features

Model

HP PageWide XL

4200/4700/5200/

Pro 5200 /8200/ Pro

8200 Multifunction

Printer

HP PageWide XL

3920/4200/4700/5200/8200/

Pro10000 Printer

HP PageWide XL

8000/5000/4500/4000

Printer

HP PageWide XL

5000/4500/4000

Multifunction Printer

HP PageWide

XL 4500

Printer and

Multifunction

Printer TAA

Compliant (US

Only)

Device security- Device integrity

SNMPv3

UEFI Secure

Boot

HP Secure Boot

Whitelisting

Disable

firmware (F/W)

update through

USB

Automatic

Firmware

Upgrade (AFU)

Connection

Inspector

Device security - Device configuration protection

Disable

protocols

Disable

interfaces

Control panel

lock

Hide IP from

Front Panel

(FP)

SMB2/3

EWS multilevel

PAGEWIDE XL PRINTERS

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

Yes Yes Yes Yes Yes

Yes Yes No No No

FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA

Yes Yes Yes Yes Yes

Yes Yes No No No

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

No No No No No

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

No No No No No

Yes Yes Yes Yes Yes

Yes (one level) Yes (one level) Yes (one level) Yes (one level) Yes (one level)

HP DesignJet and PageWide XL Printers Security Features

Model

HP PageWide XL

4200/4700/5200/

Pro 5200 /8200/ Pro

8200 Multifunction

Printer

HP PageWide XL

3920/4200/4700/5200/8200/

Pro10000 Printer

HP PageWide XL

8000/5000/4500/4000

Printer

HP PageWide XL

5000/4500/4000

Multifunction Printer

HP PageWide

XL 4500

Printer and

Multifunction

Printer TAA

Compliant (US

Only)

Printer access

control

Disable USB

drive

Job Storage

Mode and PIN

printing

Wizard setup configuration

CA/JD

Certificates

SIEM tools

Security event

logging

(Sysslog)

IPSec

TLS/SSL

Encrypt web

comms

FIPS-140

TPM

Data security – Authentication

802.1X

Authentication

NTLM

Data security - Protected data in storage

External HDD

Removable HDD

EWS EWS EWS EWS EWS

FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA FP/EWS/WJA

Yes Yes Yes Yes Yes

EWS//WJA EWS//WJA EWS//WJA EWS//WJA EWS//WJA

YES YES NO NO NO

NO NO NO

YES YES

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

Yes Yes Yes Yes Yes

EWS//WJA EWS//WJA EWS//WJA EWS//WJA EWS//WJA

Yes, only using SED Yes, only using SED Yes, only using SED Yes, only using SED Yes, only using SED

Yes Yes No No No

Yes Yes Yes Yes Yes

V2 V2 V2 V2 V2

No No No No No

No No No No Yes

HP DesignJet and PageWide XL Printers Security Features

Self-encrypted

hard disk

Secure file

erase

Secure disk

erase

Disable internet

connection

Exclude

personal info.

from accounting

Disable ePrint

Center

connectivity

Document security – PIN printing

Job Storage

Mode and PIN

printing

Yes Yes Yes Yes Yes

EWS/WJA EWS/WJA EWS/WJA EWS/WJA EWS/WJA

No No No No No

Yes Yes Yes Yes Yes

FP/EWS FP/EWS FP/EWS FP/EWS FP/EWS

Yes Yes Yes Yes Yes

HP DesignJet and PageWide XL Printers Security Features

Model

DJ 4500 MFP/T1100 MFP, HD-MFP Series

DJ 4520 Scanner

DJ 4500 Scanner

HP HD/SD Pro

Scanner*

HP HD Pro 2

Scanner*

PageWide XL

MFP series

T1120 SD-

MFP

T2300 MFP

T2500 MFP

T2530 MFP

T3500 MFP

T830 MFP

T2600 MFP

XL3600

MFP

Firewall

Disable FTP &

Web Access

Access to images in

scanner through

network

Security patches

Install scanner

software into a

separate PC

NTLM

5. Large Format scanners: security features summary

Multi-function printers (MFPs) consist of two main parts: the printer and the scanner. For the scanner, refer to the table below.

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes N/A Yes Yes Yes Yes Yes Yes Yes

* HD/SD Pro Scanners are standalone scanners, meaning they are not attached to a printer by default. They include a Panel PC to operate them, which is running a custom version of Windows IoT. This is a closed operating system that prevents software installations and settings changes that can affect system performance or security. This also implies that it is not possible to install third-party software or third-party printer drivers. Different Windows OS are used depending on the model:

• Windows 10 IoT Enterprise LTSC®

Yes, by default (FTP

& EWS - Read only)

Yes, by default

(FTP & EWS -

N/A N/A N/A N/A N/A N/A N/A N/A N/A

Read only)

Through scanner SW update Through FW update

Possible but not

official process

Possible but not

official process

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A V2 V2 N/A V1 V2 V2 V2 V2 V2 V2

- Includes a firewall that cannot be disabled.

- The scanner cannot be pinged from the network to increase security.

HP DesignJet and PageWide XL Printers Security Features

• Windows 7 Embedded Standard®

- The scanner can be pinged from the network.

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

FTP Printing

TCP 20,21

In/Out

Printing. It will be impossible to send documents to

[EWS] > Network > Other

Yes

Yes Scan to Network (FTP)

TCP 21

Out

Scan to network folder. MFPs will not be able to

[EWS] > Setup > Scan to network

Yes

Telnet

TCP 23

This port can be used for remote configuration of

[EWS] > Network > Other

Yes

Email sending (alerts & job scanned)

TCP 25,

Out

Email. Newer HP Printers and Multi-Function

and others could be selected instead.

[EWS] > Settings > Email Server

Yes

IPsec/Firewall

TCP

In/Out

It will become impossible to use encrypted secure

[EWS] > Network > TCP/IP

Yes

LLMNR

UDP 5355

Resolving device name. The device will not be able

[EWS] > Network > Other

Yes

6. Ports used in HP printers

Below you can find a list with the ports used by HP printers. Some connection problems are caused by a firewall blocking the needed port. They are ordered by protocol or function.

NOTE: Ports may change as HP products develop and evolve; these changes will be communicated to the official channel and the documentation will be updated.

465, 587

50/51,

UDP 500

the device via FTP protocol. Rarely used. It depends on connection tracking (firewall feature).

send scanned date to an ftp server.

the HP Jetdirect device when there is no other configuration method, or it can be used to check the current configuration.

Devices have the capability of sending e-mail alerts directly from the device. The port is configurable,

connection to the device over the Internet or LAN. It would also become impossible to set up ports/services mapping/forwarding.

to introduce itself in local network when DNS name resolving is inaccessible. It should have no impact for OS X. Mostly used in Windows.

Settings > FTP Printing

Settings > Telnet Config

Settings

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

DNS

TCP, UDP

Out

DNS. Allows devices to resolve hostnames used by

[EWS] > Network > TCP/IP

Yes

DHCPv4 and BOOTP

UDP 67,

In/Out

DHCPv4 and BOOTP.

[EWS] > Network > TCP/IP

Yes

TFTP (Trivial File Transfer Protocol) configuration file

UDP 69

In/Out

This port is used for configuration and upgrading of

[EWS] > Network > Other

Yes

HP Jetdirect XML services

TCP 80,

Some HP software utilities may perform web

[telnet] > TCP/IP Menu > Other

& Management

Yes

AFU, Connectivity Test

TCP 80

Out

Access to the Automatic Firmware Upgrade host

[EWS] > About printer >

Yes

Kerberos

TCP, UDP

In/Out

Used by HP Large Format devices for Kerberos

[EWS] > Security > Access

Yes

NetBIOS, SMB (Scan to network)

TCP 139,

Out

Scan to network folder (to SMB destination). If

data to networks folders.

[EWS] > Setup > Scan to network

Yes

8080

any feature that requires outgoing connections.

the Jetdirect firmware. Only in the case that the Jetdirect card is used: configuration through this protocol cannot be used. Rarely used.

service requests to this port to retrieve device status information. If disabled, the printer EWS would not be reachable, and HP Web Jetadmin and other utilities might not work.

(under hp.com), performing connectivity tests. If disabled, the printer will not be able to automatically receive the latest FW upgrades and the connectivity test will always fail.

Settings > Network Identification

Settings > TCP/IP(v4)

Settings > TFTP Configuration File

Settings > EWS Config [Control Panel] > Settings > Security > Embedded Web Server [Control Panel] > Settings > Security > Web Services Printing

Firmware Update [EWS] > Connectivity > Services > Settings > Services > Printer Data Sharing Agreement

445

authentication.

disabled, MFPs will not be able to send scanned

Control > Windows Sign In Configuration [EWS] > Network > Security > IPsec/Firewall

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

SDK (SNMP)

UDP 161

This port can be accessed by any SNMP

configure and query the status of a printer.

[EWS] > Network > Security >

Yes

SDK (SNMP traps)

UDP 162

In/Out

This port can be used when the network is

traps.

[EWS] > Network > Security >

Yes

Yes LDAP

TCP 389

Out

LDAP client. Allows Large Format devices to

[EWS] > Security > Access

Yes

SLP (Service Location Protocol)

UDP 427

In/Out

Devices use SLP for advertising their services. Some

enabled (SLP is treated as legacy technology).

[EWS] > Network > Other

Yes

EWS, Web Services (Fibonacci, RIO, ePrint)

TCP 443

In/Out

The printer connects through HTTP over TLS/SSL to

[EWS] > Network > Mgmt.

& Management

Yes

Syslog

UDP 514

Out

Allows the device to send syslog events to a syslog

[EWS] > Network > TCP/IP

Yes

Management utility. HP Web Jetadmin use SNMP to

configured to capture trap information. Many SNMP Management utilities can be configured to capture

perform address lookups and authentication. Host and Port can be configured.

HP software utilities use SLP to automatically discover and automatically install a printer on the network. The device will not be discoverable over SLP from DMF - impact is minimal if Bonjour is

several cloud services. IPP Jobs that include HTTPS references may also require downloading the print job using HTTPS. If disabled, it will not be possible to use the HP Connected service or to send usage data to the HP usage server (Fibonacci) or to the supplies reordering service (RIO).

Mgmt. Protocols > SNMP

Control > LDAP Sign in server [EWS] > Setup > Address Book

Settings > SLP

Protocols > Web Mgmt. [telnet] > TCP/IP Menu > Other Settings > EWS Config [Control Panel] > Settings > Security > Embedded Web Server [Control Panel] > Settings > Security > Web Services Printing

server. Host and Port can be configured.

Settings > Advanced

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

LPD (Line Printer Daemon protocol/Line Printer Remote protocol) printing

TCP 515

LPD Print Protocol. It will disable LPD printing from

[EWS] > Network > Other

Yes

DHCPv6

UDP 547

In/Out

DHCPv6

[EWS] > Network > TCP/IP Settings > TCP/IP(v6)

Yes

IPP (Internet Printing Protocol) printing

TCP 631

IPP Printing Protocol. This protocol is used by

[EWS] > Network > Other

Yes

LDAP over TLS

TCP 636

Out

LDAP over TLS client. Allows Large Format devices

[EWS] > Security > Access

Yes

Certificate management service

TCP 829

Used for certificate management. If disabled, the HP

[EWS] > Networking > Security >

Yes

WS-Discovery

UDP 3702

In/Out

Multicast discovery protocol to locate services on a

Windows hosts.

[EWS] > Network > Other

Yes

Web Services for Devices

TCP, UDP

Web Services for Devices, Usually for Windows

[EWS] > Network > Other

Yes

HP ePrint

TCP 5222

Out

Used by HP ePrint to connect to HP cloud services

[Control Panel] > Connectivity >

Yes

Windows or OS X, which is almost never used by end users as it is a legacy protocol.

AirPrint and some HP Software utilities. In the HP DesignJet T790/795/T1300, this feature is only available with the Jetdirect accessory. It can be manually used from Windows or Mac.

to perform address lookups and authentication. Host and Port can be configured.

WJA fleet management tool might not work.

local network. If disabled, the Windows HP Installer will not work, and Windows will not automatically choose WS-Print as path to print. Usually for

Settings > LPD [EWS] > Network > Other Settings > LPD Queues

Settings > IPP Printing

Control > LDAP Sign in server [EWS] > Setup > Address Book

Mgmt. Protocols

Settings > WS-Discovery

3910,

3911

hosts.

(email printing).

Settings > WS-Print

Services > Settings > Services > HP Connected

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

[EWS] > Setup > HP ePrint

Bonjour

UDP 5353

In/Out

Used for IP address and name resolution. It will

[EWS] > Network > Other

Yes

Web Services

TCP 7627

HP Web Jetadmin software may perform web

[Control Panel] > Settings>

Yes

SDK (Scanner)

TCP 8076

Sending scanned data out of the MFP. If disabled,

scanner SDK will not work.

[Control Panel] > Settings>

& Management

Yes

SDK (Paper management)

TCP 8085

Some HP software utilities and HP SDK for RIPs may

[Control Panel] > Settings>

Yes

Yes SDK (Remote management)

TCP 8086

Some HP software utilities and HP SDK for RIPs may

monitor and calibrate the device.

[Control Panel] > Settings >

& Management

Yes

SDK (XDM status)

TCP 8090

Some HP software utilities may perform web

[EWS] > Network > Other

Old devices

9100 printing

TCP 9100

Default printing port for HP driver and HP SDK. If

[EWS] > Network > Other

Yes

Connectivity

disable advertising of services supported by the device including 9100 printing, LPD printing and IPP/IPPS printing used on OS X for device discovery. AirPrint, printing from Android and HP Smart App will not work.

service requests to this port to retrieve device status information and manage the device.

software applications getting data using the

perform web service requests to this port to retrieve and configure paper preset information.

perform web service requests to this port to

Settings > Bonjour

Security > Web Services Printing & Management

Security > Web Services Printing

Security > Web Services Printing & Management

Security > Web Services Printing

service requests to this port to retrieve device status.

disabled, it will become impossible to print RAW documents (plain text/JPEG/PNG) on remote devices in the local network or internet, using port

Settings > XDM

Settings > 9100 Printing

HP DesignJet and PageWide XL Printers Security Features

Protocol/Function

Port

In/

Out

Purpose and consequences of disabling it

Configuration

DesignJet &

PageWide XL

SFP

DesignJet &

PageWide XL

MFP

9100. This is one of the main printing ports for

9101 printing

TCP 9101

Alternative printing port for HP SDK. If disabled, it

[EWS] > Network > Other

Mode

PageWide XL

9102 printing

TCP 9102

Alternative printing port for HP Smart Stream.

[EWS] > Network > Other

PageWide XL

Windows & Mac.

will become impossible to print using RIP applications based on LFP SDK.

Settings > 9100 Printing [EWS] > Network > Other

only

Settings > Enable High Speed

Settings > 9100 Printing

only

only [EWS] > Network > Other Settings > Enable High Speed Mode

HP DesignJet and PageWide XL Printers Security Features

MC DJA Version

1.0

2.0

Products implementing it

PageWide XL

Z6, Z6 Pro, Z9+, Z9+ Pro and T1700

Configuration features

Basic device identification

Access control

Enable printer firmware update

Supply status

Yes

Device status & alerts

Yes

Firmware upgrade

Yes

Appendix 1 – Web Jetadmin

HP Web Jetadmin is a printer management solution capable of performing different functions on a fleet of devices. This includes device configuration, alerts subscription, and printer status information. The tool allows the user to set up a configuration template and send it to a list of printers. For instance, HP Web Jetadmin can be used to carry out the following operations (assuming they are supported on the device):

• Disable protocols.

• Control panel access lock.

• Setup Admin password.

• USB drive control. (Enable or disable the use of the USB to print or scan, enable or disable the possibility of

upgrading the firmware from a USB.)

• Change the settings of Secure File Erase.

• Schedule a Secure Hard Disk Wipe.

• Remote firmware upgrade.

Please refer to Web Jetadmin documentation for updated information on supported features.

HP Web Jetadmin can be downloaded at the following link:

http://www8.hp.com/us/en/solutions/business-solutions/printingsolutions/wja.html

Manageability contract for Large Format Printers

Since the introduction of HP PageWide XL printers, the list of features supported by HP Web Jetadmin is included in a Manageability Contract (MC DJA) that is periodically updated. Each version of the Manageability Contract builds on the features of the previous version and adds support for additional functionalities. This means that MCA DJA 2.0 includes all the features of MC DJA 1.0, and some extra ones.

Currently, two versions of the MC DJA exist:

Basic device settings

Basic security settings

JD J8022E settings

Permissions by role User role mappings

Device user accounts

Common email server settings

Enable Scan to email

HP DesignJet and PageWide XL Printers Security Features

Device identification

Device settings

Security settings

J8022E networking settings

J8022E security settings

System Contact

Control Panel Language

Color Copy Option

DNS Server

8021X

Device identification

Device settings & Digital sending

Security settings

J8022E networking settings

J8022E security settings

Common email server

Enable firmware update

Device user accounts

MC DJA 1.0

System Location

Asset Number

Company Name

Contact Person

Device Name

Printer Wakeup

Sleep Delay Time

Control Panel Access

EWS Password

Enable Host USB

Enable Save to Network Folder

ePrint Settings

HTTP Idle Timeout

IPv4 Information IPv6 Information

Link Setting

mDNS Service Name

Network Enable Feature

SNMP Trap Destination Table

TCP Idle Timeout

TCP/IP Configuration Method

WINS Server

DHCPv4FQDNCompliance

Error Handling

IPP Printer Install Wizard

mDNS Service Name

Locally Administered Address

System Log Server Info

Webservice Print TCP\IP Domain Suffix Upload CA Certificate

Upload JetDirect Certificate

Proxy Server

Access Control List

Encrypt all web communication

Encryption Strength

SNMP Community Name

SNMP Version Access Control

IPsec/Firewall Policy

MC DJA 2.0 - Only additions are shown

Enable Scan to email

ePrint settings

File system password

Erase all stored files

Access control for device

functions

HP DesignJet and PageWide XL Printers Security Features

Authentication

Authentication Services

802.1x Authentication Y

802.1x EAP-TLS

Certificate Management

Identity Certificate Y

CA Certificate

Credentials

Admin (EWS) Password

Minimum Password Length

Admin (EWS) Password

Password Complexity

Account lockout

SNMPv1/v2

Read only enabled

Read Community Name

Read/Write community Name

Default SNMPv1/v2 Credentials

SNMPv3

SNMPv3 User Name

Minimum Password Length

Password Complexity

Authentication Passphrase

Privacy Passphrase

Encryption algorithms

Account lockout

Device Control

I/O Timeout

Control Panel

CP Lock

Device Security Checks

Check for Latest Firmware

Check for Latest Jetdirect Firmware

External Connections

Host USB Plug and Play

Logging

Appendix 2 – JetAdvantage Security Manager

The HP JetAdvantage Security Manager is a fleet security management tool, which allows the user to apply a security policy across a fleet of devices, monitor the security of these devices, and secure new devices as soon as they are added to the network. This tool can generate security reports to monitor compliance with user defined security policies.

HP JetAdvantage Security Manager can be downloaded at the following link:

http://www8.hp.com/us/en/solutions/business-solutions/printingsolutions/security_manager.html

Please refer to HP JetAdvantage Security Manager documentation for updated information on how to use the tool and supported features.

Policy compatibility features (HP DesignJet T1700/Z6/Z9+/ Z6 Pro/Z9+ Pro Printer Series)

Access

HP DesignJet and PageWide XL Printers Security Features

System Logging

Stored Data

File Erase Mode

Device Discovery

Service Location Protocol (SLP)

IPv4 Multicast

LLMNR

WS-Discovery

Bonjour

Network Security

Internet Protocol Security (IPsec)/Firewall

FIPS 140 Compliance Library

Windows

Verify Certificate for IPP/IPPS Pull Printing

Enable WINS Port

WINS Registration

Access Control

Allow Web Access

Access control List

Network Services

Novell Remote Config (RCFG)

Telnet

TFTP Configuration File

HP Jetdirect XML Services

Certificate Management Service

FTP Firmware Update

Web

Require HTTPS redirect

HTTPS

Web Encryption Strength

Ciphers

TLS 1.2

TLS 1.1

TLS 1.0

Embedded Web Server Access

Printing

Standard TCP/IP Printing (P9100)

AirPrint

LPD/LPR

Secure Internet Print Protocol (IPPS)

Web Services Print (WS-Print)

File Transfer Protocol (FTP)

AppleTalk

DLC/LLC

Novell (IPX/SPX)

Web Encryption Settings

SSL 3.0 - Insecure Protocol N

Internet Print Protocol (IPP) Y

HP DesignJet and PageWide XL Printers Security Features

Appendix 3 - Security Manager

The HP ProtectTools Security Manager can be configured to prevent unauthorized access using Smart Cards, TPM Embedded security chips, USB tokens and other security technologies.

HP ProtectTools Security Manager is completely customizable, which gives business customers the flexibility to choose the level of security that best meets their needs. The optional integrated Smart Card Reader on select notebook families provides simple deployment and management of this solution. In addition, HP ProtectTools Security Manager is now available on a wide array of Business Notebooks and select Business Desktops and Workstations. Built on open standards and HP intellectual property.

Plug-in modules:

• Smart Card security for HP ProtectTools

• Initialization and configuration of the Smart Card

• Manage Smart Card accounts and security settings

• Integration with supporting notebook BIOS requiring Smart Card to continue pre-boot process

• Embedded Security for HP ProtectTools

• TPM Embedded Security Chip configuration and management

• Credential Manager for HP ProtectTools

• Multifactor Windows Authentication

• Single sign-on

• BIOS configuration for HP ProtectTools

• BIOS configuration and security settings from within the HP ProtectTools Security Manager console

Benefits:

• Smart Card-based solution is based on open standards, meaning easy implementation, integration, and maintenance.

• Same Smart Card can be used for multiple devices, including notebooks and handhelds, and multiple applications, such as user authentication and building access.

• HP ProtectTools Security Manager can complement other layers of authentications, such as TPM encrypted passwords, fingerprint ID, biometrics and USB Tokens.

• Console design can grow to incorporate new functionality from within the same user interface.

Find attached the links where you can find further information about it:

• User guide: http://h10032.www1.hp.com/ctg/Manual/c03564719

• Installation guide: http://h10032.www1.hp.com/ctg/Manual/c03564723

• Supported printers: http://h10032.www1.hp.com/ctg/Manual/c03601723

HP DesignJet and PageWide XL Printers Security Features

• Licensing: http://h10032.www1.hp.com/ctg/Manual/c04677865

NOTE: To obtain an update for your solution or to renew your license, send an email to e-sw-ops-

support@hp.com with “Software Updates Portal” in the Subject line and include the name of the solution in the body

of the email.

HP DesignJet and PageWide XL Printers Security Features

Appendix 4 - Netgard overview

Introduction

API’s Netgard™ MFD product is a network access control device that is used for authenticating users who use multifunction devices (MFDs) and peripherals to access the network. Through the use of a Common Access Card (CAC) or Personal Identification Verification (PIV), this device prevents users from performing USB’ operations without authenticating. Moreover, the ‘Job queue’ application is also protected.

When this feature is configured in the printer, the following “stand-up workflows” are restricted to unknown users:

• Scan (‘Scan to USB’, ‘Scan to Email’, ‘Scan to HP Smart Stream’ and ‘Scan to Network folder’).

• Copy

• Print from USB

• Job queue

A user must be authenticated by inserting a Smartcard into the API Netgard card reader to gain access to those workflows. A user who is not previously authenticated would not have access to those workflows.

‘Scan’, ‘Copy’ and ‘Print from

The rest of the workflows such as “Print from Skylon” and “Print from Driver” are not protected (authentication is not required to launch them) and, therefore,

they are supposed to work normally.

User account

The user account that will be used for testing purposes is the following one:

Smartcard:

• PIN: 123456

FP settings

To enable Netgard, it will be necessary to configure the following setting at the Front Panel:

Settings > Partner menu > (…) User password > Extended workflows > API Technologies > Enable Netgard MFD

To configure the network and the Netgard appliance, it will be necessary to follow the next steps:

1. Select the “Connectivity” icon.

HP DesignJet and PageWide XL Printers Security Features

2. Select this icon:

3. Select the IPV4 SETTINGS option and set the Config Method as DHCP.

HP DesignJet and PageWide XL Printers Security Features

4. Afterwards, select this icon in the FP:

5. Finally, select OK to confirm the settings.

EWS settings

1. Access to the EWS through this IP @: 15.196.22.211

2. Go to Setup > Security and apply the following configuration:

HP DesignJet and PageWide XL Printers Security Features

3. Go to Networking > Authorization and set a password for the ‘Administrator’ account.

Netgard MFD configuration

Basic configuration of Netgard MFD for HP printers

Netgard MFD user interface access

1. Connect your computer to the MGMT port of the Netgard MFD and assign to your computer an IP address in the same subnet than the MGMT port. It is recommended to use the following details:

• IP: 192.168.20.20

• Subnet: 255.255.255.0

HP DesignJet and PageWide XL Printers Security Features

• Gateway: 192.168.20.1

2. Open a Firefox window and enter the default address (https://192.168.20.1.8080/) of the Netgard MFD in the Firefox web browser address bar. After entering this address, the Netgard MFD will display the login screen. The login page authenticates users and ensures that only the ones who are authorized can view or modify the device settings.

You have to insert the User Name and Password to log in:

User Name: admin

Password: password

3. When the user is logged in, select the Network tab.

HP DesignJet and PageWide XL Printers Security Features

For HP printers the user has to apply some changes in the default Netgard MFD configuration:

Netgard IP Address: 192.168.245.1

Subnet Mask: 255.255.255.0

Copier IP Address: 192.168.245.30

4. Go to Advance Configuration and check that the DHCP server is enabled.

HP DesignJet and PageWide XL Printers Security Features

Set the following fields:

Domain Name: bchp.com

Primary DNS Server: This information is specified under the Network > Configuration section.

Secondary DNS Server: This information is specified under the Network > Configuration section.

5. Go to Scan/Prt Setup > Scan to Network.

HP DesignJet and PageWide XL Printers Security Features

Scan Setup

Enabled/disabled

Port

Scan to Email

Enabled

Depending on the server:

Scan to FTP

Enabled

Scan to File Server

Enabled

139

Scan to Home

Disabled

---

Apply the following settings:

SMTP 25 or 465

IMAP 143 or 993

The Firewall has to be enabled while scanning (we have to make sure that the “No” option is selected at the Firewall section). Moreover, the Integration with Third Party Document Management Application section must be set as “

No”.

6. Go to Scan/Prt Setup > CAC Settings.

In the Integration with MFP section, set the Use MFP LCD Panel for PIN Entry parameter to “Yes” and the Encrypt Data to/from MFP parameter to “No”.

7. Go to Admin > Management.

HP DesignJet and PageWide XL Printers Security Features

Change the Port Number field to “8081”. Then, the address to access to Netgard MFD Configuration will be “

https://192.168.20.1:8081”.

Additional information

• When the Netgard feature is configured in a specific printer, in the case of changing the printer by a different

one, it will be necessary to disconnect the appliance (unplug the power supply cable from the appliance) before connecting the Netgard HW to the new printer; otherwise, it will not be possible to configure the Netgard feature.

• Netgard is not compatible with other features such as “Abacus”, “Planwell”, etc. Therefore, it’s necessary to

make sure that all those features are disabled in Front Panel.

• For further information, please, refer to the documents below:

o CAC readers.pptx

o APINETGARD with DHCP (Faltan logos y ultima revision).docx

DesignJet Printers supported:

• HP DesignJet T2500 and T3500 MFP

• HP DesignJet T795, T920, T930, T1530, T2530 and T1500 printer series

PageWide Printers supported:

• HP PageWide XL 8000 Printer series

• HP PageWide XL 5000 Printer series

• HP PageWide XL 4000/4500 Printer series

HP DesignJet and PageWide XL Printers Security Features

Security Glossary

HP DesignJet & PageWide XL printers

This glossary lists words and features you might hear or read in a security document.

Please note that the features and protocols listed are not all integrated into the HP DesignJet or PageWide XL printers.

HP DesignJet and PageWide XL Printers Security Features

Device protection related

BIOS

The BIOS (basic input/output system) is the program used to get the printer system started after it is turned on.

HP Sure Start

It validates the integrity of the BIOS at every boot cycle. If a compromised version is discovered, the device reboots using a safe, “golden copy” of the BIOS.

UEFI Secure Boot

Method to prevent the loading of unauthorized operating systems during the system startup. Based on the UEFI Forum specification (www.uefi.org).

CONFIGURATION

Disable ports and protocols

It allows the administrator to select which protocols and services are enabled. Restricting the enabled protocols to only those that are actually needed means the administrator can reduce the risk of vulnerability.

Instant-On Security

Devices supporting Instant-On Security features can be automatically added into the Security Manager as soon as they are connected to the network or from reset without any intervention. Instant-On Security immediately configures the device to be compliant with the corporate security policy.

SNMPv3

SNMP is a protocol to get and configure printer information. SNMPv3 is the encrypted version. When enabled, only the client applications knowing the keys will be able to access the printer using this protocol.

FIRMWARE

HP signed firmware packages

Firmware packages are digitally signed by the HP Code Signing group. The printer uses the public key of this group to verify the signature before installing the new firmware, thus ensuring that only legitimate firmware from HP can be installed in the printer.

Only forward firmware security upgrades

Behavior of the firmware that prevents installation of older firmware releases that have known security vulnerabilities.

RD only file system

HP DesignJet and PageWide XL Printers Security Features

Solution to guarantee that the firmware cannot be altered. It is based on configuring the filesystem where the printer firmware is located as a read only partition.

Remote firmware upgrade

This service allows an administrator to configure the printer to check for availability of new firmware versions and prepare them to be installed. For the administration of large networks with several printers, HP recommends using the HP Web Jetadmin software to

upgrade the printer or multi-function printer firmware.

Whitelisting

Feature that ensures at startup integrity of all the code and data used to control the printer, guaranteeing that no malicious code is executed.

FRONT PANEL

Front Panel access lock

This feature allows the printer administrator to define which Front Panel menus and applications are available for non-administrator users.

Hide IP address from front panel

An option in the Service Utilities menu of the front panel to show/hide the Internet Protocol (IP) address of your printer. If the address is hidden, only registered users submit jobs to the

printer.

or network administrators will know the correct address to

PASSWORDS

File system password

The File system password feature helps protect the printer’s data storage system options from unauthorized access. With the File system password configured, the configuration changes to

features that affect the data storage system. Some of these features are the Secure

printer requires the password before it will allow

disk erase mode, the Secure storage erase feature, and the File system access options.

Individual passwords

Each user that wants to interact with the printer must have a different password.

SECURITY EVENTS

Logging and auditing

System to monitor the security of the printers. It requires that the printer logs all the security events and uploads them to a server. It also requires a tool to generate reports using server data. This feature is part of the Common Criteria requirements.

HP DesignJet and PageWide XL Printers Security Features

Data protection related

AUTHENTICATION

802.1X

Protocol that the printer uses for its authentication in some networks.

Access control list

It allows the administrator to specify which IPv4 addresses on the network are allowed access to the device.

Authentication & authorization workflows with card readers

Users authenticate themselves using an ID card and a card reader before they can scan/copy/print.

Authentication & authorization walk-up workflows based on Argos OnBoard, ABC Imaging, HP Cost recovery

The users authenticate themselves by providing their identification and passwords through the printer Front Panel. The printer connects to the specific server to get authorization for the required workflow. The user information is then stored in the job accounting, thereby enabling cost recovery solutions.

HP Access Control

HP solution based on the OXP interface that offers secure workflows through authentication with LDAP, secure pull printing and job accounting/cost allocation.

LDAP

Protocol used to access directory services to get information about users, devices, printers, etc. The most used directory service is the Windows Active Directory.

LDAP authentication

The device requires a username and password from an LDAP directory. Currently using the LDAP directory as the authentication source through an LDAP authentication.

LDAP Bind. If users have LDAP Bind rights, they will be able to authenticate via

Authenticated scan & copy w/ LDAP

Users identify themselves in the Front Panel and the MFP authenticates them against the LDAP server before proceeding with the scan or copy. The MFP can then access the folder required by the user from the LDAP server to store the scanned/copied file.

Authenticated scan & copy w/ Kerberos and LDAP

In some enterprise environments, devices can only copy files in a server using the ticket provided by Kerberos. In this workflow, the users identify themselves in the Front Panel and the MFP authenticates them against the Kerberos server before proceeding with the scan or copy. The MFP then gets the folder where the copied/scanned file needs to be stored from the LDAP server.

HP DesignJet and PageWide XL Printers Security Features

Active directory

An advanced, hierarchical directory service that comes with Microsoft Windows servers (version 2000 or later). It is LDAP-compliant and built on the domain domain names,

exactly like Web sites, and any LDAP-compliant client – such as Windows, Mac, or Unix – can gain

naming system (DNS) used on the Internet. Workgroups are given

access.

Kerberos

Authentication protocol that enables two devices in a network to demonstrate their identities in a secure way. Kerberos is the authentication service in Windows networks.

NTLMv2

The authentication protocol used, among other cases, to access to SMB servers. The multi-function printers use it to be allowed to write the scanned data into the network folders.

Role based access control

Different and dynamic roles can be defined in the printer and have different permissions about which functionalities they are allowed to run. Users can be linked to a role. In this way, administrators will have a better control over what they allow each user to do.

User authentication

The user is requested to authenticate at the device.

COMMUNICATIONS

Encrypted e-mail

It encrypts all e-mails sent by multi-function printers (i.e. scanned data) to protect the content from being read by anyone that is not the intended recipient.

HTTPS

The standard secure (with authentication and encryption) version of the HTTP protocol. Printers and multifunction printers can be configured to use HTTPS when accessing the printer through the Embedded Web Server, or printing through solutions that use HTTPS.

Protocol

A protocol is a set of rules and guidelines for communicating data. Rules are defined for each step and process during the communication between two or more devices. Networks must follow these rules to successfully transmit data.

SSL

A cryptographic protocol for internet secure communications. It is used, for example, by HTTPS.

X.509

A standard for certificates using public keys. The certificates are the base to encrypt data for secure data transmission between devices connected to the internet.

STORAGE

ATA password protected disks

The disk of the printer is functional only after the printer BIOS authenticates itself by providing a password. It protects information on the disk even if the disk is removed from the printer and installed in a PC.

HP DesignJet and PageWide XL Printers Security Features

Encrypted hard disk

Hard disk in which the data is stored applying an encryption method. This ensures that disk contents cannot be read if the disk is removed from the printer and connected to a computer.

Secure file erase and disk erase

Procedures to ensure that actual data in storage systems is removed, avoiding any possibility of data recovery. They are based on repeatedly writing multiple patterns in the areas were the original data was located.

Secure sanitizing erase

It conforms to the U.S. Department of Defense 5220-22.M specification for deleting magnetically stored data. Secure sanitizing erase uses multiple data overwrites to eliminate trace magnetic data and also prevents subsequent analysis of the hard disk drive’s physical platters for the retrieval of data.

Secure storage

A solution to storage critical information encrypting it (using hardware such as TPM or a virtual TPM). It is a way to add another protection barrier to protect information as certificates even access to the HDD would have been done.

TPM

Hardware component used to securely store cryptographic keys and perform cryptographic operations. The TPM capabilities are used to add additional security protection to data stored in the system, such as certificates, and to enable secure cryptographic operations to identify and communicate with the printer.

Domain Naming system (DNS)

Converts host names and domain names into IP addresses on the internet or on local networks that use the TCP/IP protocol.

Firewall

Provides a simple way to configure which IP addresses can be accessed to/from the printer.

IPsec

Suite of protocols for securing communications over Internet Protocol (IP). It authenticates and/or encrypts every IP package. It is a way to secure data transmission without using upper protocols such as SSL, TLS or SSH.

VULNERABILITIES

TLS

The successor of SSL, which solves some of its vulnerabilities. It is used, for example, by HTTPS.

HP DesignJet and PageWide XL Printers Security Features

Document protection related

On-demand document retrieval

It allows print jobs to be saved electronically in the device, or on an external server, until the authorized user is ready to print them. The user provides a simple PIN code, or uses an authentication method supported for other HP multi-function printers in walk-up operations, to release the print job.

Job held timeout

This feature is part of the Job retention feature. It limits a held job to the selected time, and then the printer deletes it. You should select a reasonable timeout value to the printer to print a job

or to allow time for jobs to print in a queue.

for this setting to allow enough time for a user to walk

Job retention

This feature provides job retention options such as private job and hold job. You will be able to make sure that they are present during printing to provide privacy for

documents in the printer output bins.

Private job recovery

When configured in this mode, the printer holds the jobs in the queue with a user identifier. User must identify themselves in the FP. After the authentication, the users can see their jobs in the queue and trigger the printing. Users can only see their own jobs in the queue.

Private printing

The job is retrieved from a specific printer, which has been selected prior to sending the job.

Pull printing

Documents can be retrieved from a pool of printers.

Secure PIN printing

Method to protect user printout from others to access. It works by holding the job in the printer queue until the intended recipient of the printed output provides his/her PIN through the printer Front Panel.

Secure print

An end-to-end workflow in which the data is secured by encrypting it just from the submission point (i.e. in the driver).

Smart card

A smart card will be required by the device to access a certain function.

Encrypted PIN printing

The data sent to the printer when using the PIN printing feature is encrypted.

HP DesignJet and PageWide XL Printers Security Features

Authentication Manager (LJ feature)

This feature enables administrators to secure Device functions by requiring users to log in with a specific log in method for each function. For example, users may be required to log in with an Access Code or PIN to make copies, yet be required to log in with a username and password to send e-mails.

• Group 1 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code entered by the walk-up user is compared to the first of two PINs stored on the device by the Administrator. When the PIN is entered correctly, the user can proceed.

• Group 2 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code is compared to the second of two PINs stored on the device by the Administrator.

• LDAP (Lightweight Directory Access Protocol): Requires users to input a username and password that are verified by an LDAP server.

• HP Digital Send Service (if available): Also known as DSS. Requires users to enter credentials that are verified by the HP Digital Send Service software. (HP Digital Send Service software must be available to use

this Log in method. If no DSS server is associated with this device, walk-up users will not be required to authenticate before using the device.)

• Kerberos: Requires users to enter a username and password to be verified by a Windows Server.

For more information: About HP DesignJet printers: About HP Web Jetadmin:

and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

www.hp.com/go/designjet

www.hp.com/go/webjetadmin

Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

Adobe™ and PostScript™ are trademarks of Adobe Systems Incorporated, which may be registered in certain jurisdictions.

January 2021

HP DesignJet and PageWide XL User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual