Security Settings

Password Change

The administrator password and user password can be changed.
When you change the password, be sure to remember the new password.

• Enter a password consisting of 1 to 255 characters (when the administrator password is changed: 5 to 255). Your setting is made valid only when the machine is turned On again.
The user-level authentication password is required to add, edit or delete the destination. When you log on, enter "users" as the user name. Then, enter the user password that you have registered with this option.
The administrator-level authentication password is required to select all settings and the same functions as those available with the user-level password. When you log on, enter "admin" as the user name. Then, enter the administrator password that you have registered with this option.

• If you tap the [Store] key without entering a password, the previously set value is assumed. Password protection is enabled by default.

Restrict Device Web Page Access Via Password

Use this setting to display the login screen and require login in order to access the Web server.

Administrator Password

Changes the setting of the administrator password.
When setting a password, make sure that it contains at least one or more numbers, uppercase and lowercase letters of the alphabet, and symbols.
The characters that can be entered are as follows.

• Numbers: 0 to 9
• Upper case alphabet: A to Z
• Lower case alphabet: a to z
• Symbols: ! @ # $ % ^ & * ( ) “ ‘ + , - . / : ; < = > ? [ \ ] _ ` { | } ~ and spaces

User Password

Changes the setting of the user password.
When setting a password, make sure that it contains at least one or more numbers, uppercase and lowercase letters of the alphabet, and symbols.
The characters that can be entered are as follows.

• Numbers: 0 to 9
• Upper case alphabet: A to Z
• Lower case alphabet: a to z
• Symbols: ! @ # $ % ^ & * ( ) “ ‘ + , - . / : ; < = > ? [ \ ] _ ` { | } ~ and spaces

Password Setting

The administrator password and user password can be changed.
When you change the password, be sure to remember the new password.

• Enter a password consisting of 5 to 255 characters and tap the [Store] key. Your setting is made valid only when the machine is turned on again.
The administrator-level authentication password is required to select all settings and the same functions as those available with the user-level password. When you log on, enter "admin" as the user name. Then, enter the administrator password that you have registered with this option.

The characters that can be entered are as follows.

• Numbers: 0 to 9
• Upper case alphabet: A to Z
• Lower case alphabet: a to z
• Symbols: ! @ # $ % ^ & * ( ) “ ‘ + , - . / : ; < = > ? [ \ ] _ ` { | } ~ and spaces

Condition Settings

Restrict Print Jobs

You can select settings to cancel print jobs that are not print hold jobs, or force all print jobs to be held.
When [Restrict Print Jobs] is turned ON, the settings below can be selected.

Item	Description
Force Retention	This setting forcibly sets all print jobs as print hold jobs, even jobs for which print hold is not selected.
Disable Job	Prohibit all print jobs other than print hold jobs.

Factory default settings:

Force Retention

Automatic Deletion of Suspended Print Jobs

If the print job is interrupted due to a paper jam, etc., the job is automatically deleted after the time set in "Time until Suspended Print Jobs are Automatically Deleted" has elapsed.

Factory default settings:

Disable

Time until Suspended Print Jobs are Automatically Deleted

Set the time after stopping a job to automatically deleting the job.

Factory default settings:

5 minutes

Clear All Data When the Jobs are Completed

Completely deletes the data from the memory of the machine when the job is completed.

Factory default settings:

Disable

Reject Requests from External Sites

You can reject the request from external sites.

Factory default settings:

Enabled

Mandatory Access Control

Set whether to perform forced access control. Once set, access to all files inside the machine will be forcibly controlled.

Factory default settings:

Disable

Port Control

For the various major ports used in the system, set the prohibition/permission and port number, and tap the [Store] key.
The ports that can be set are as follows.

Server Port	Factory default settings		Client Port	Factory default settings
	Port Control	Enable / Disable		Port Control	Enable / Disable
HTTP*	80	Enabled	HTTP*		Enabled
HTTPS	443	Enabled	HTTPS		Enabled
FTP Print*	21	Enabled	FTP*		Enabled
Raw Print*	9100	Enabled	FTPS		Enabled
LPD*	515	Enabled	SMTP*		Enabled
IPP*	631	Enabled	SMTP-SSL/TLS		Enabled
IPP-SSL/TLS	443	Disabled	POP3*		Enabled
Remote Operation Panel*	5900	Enabled	SNMP-TRAP*	162	Enabled
SNMPD	161	Enabled	Notify Job End*		Enabled
WSD*		Enabled	LDAP*		Enabled
			LDAP-SSL/TLS		Enabled
			mDNS*		Enabled
			syslog*	514	Enabled
			syslog-SSL/TLS	6514	Enabled

* If these settings are set to [Enable], insecure communication will be possible, and there is a risk that data that may include personal information/private information may be intercepted.

Filter Setting

You can set the filter by an IP or MAC address to prevent an unauthorised access to the machine via a network.
Set the IP or MAC address filter and tap the [Store] key.

Factory default settings:

Disable

IP Address Filter Settings

This option sets an IP address.
You can specify whether to allow or prohibit access to the machine from the IP address you set.

Factory default settings:

Enable

MAC Address Filter Settings

This option sets a MAC address.
It allows access to the machine from the MAC address you set.

Enable Filter

Enable the settings made in [System Settings] → [Security Settings] → [Filter Setting] on the Web page.

Factory default settings:

Disable

SSL/TLS Settings

SSL/TLS can be used for data transmission over a network.
SSL/TLS is a protocol that enables the encryption of information communicated over a network. Encrypting data makes it possible to transmit and receive sensitive information safely.
Data encryption can be set by the following protocols.

Setting of SSL/TLS

Server Port

• HTTPS: Apply SSL/TLS encryption to HTTP communication.

Factory default settings:

Enable

• IPP-SSL/TLS: Apply SSL/TLS encryption to IPP communication.

Factory default settings:

Disable

• Redirect HTTP to HTTPS in Device Web Page Access: When this setting is enabled, all communication that attempts to access the machine by HTTP is redirected to HTTPS.

Factory default settings:

Disable

Client Port

• HTTPS:
  Apply SSL/TLS encryption to HTTP communication.

Factory default settings:

Enable

• FTPS: Apply FTP encryption to HTTP communication.

Factory default settings:

Enable

• SMTP-SSL/TLS:
  Apply SMTP encryption to HTTP communication.

Factory default settings:

Enable

• LDAP-SSL/TLS:
  Apply SSL/TLS encryption to communication using LDAP.

Factory default settings:

Enable

• syslog-SSL/TLS:
  Apply SSL/TLS encryption when sending audit logs.

Factory default settings:

Enable

• Verify Signature of Server Certificate of the Other Party:
  Validate the certificate of the server you are communicating with.

Factory default settings:

Disable

Even if "Verify Signature of Server Certificate of the Other Party" is enabled, when "Global Address Search" or "My Address Search" is performed only when the search destination is an LDAP server, the server certificate of the destination is not validated.
If "Verify Signature of Server Certificate of the Other Party" is disabled, you may connect to an unintended server and data that may include personal or private information may be transmitted to that server.

• TLS1.2: Use only TLS1.2.

Factory default settings:

Enable

• TLS1.3: Use only TLS1.3.

Factory default settings:

Enable

Device Certificate

Certificate Status

Displays the status of the certificate required for SSL/TLS communication. Click the [Select] key to install the certificate.

Certificate Information

If the device certificate is installed, click the [Show] key to display the certificate information.

Select Device Certificate

Click the [Select] key to display the device certificates that have already been registered. Select from them.

IPsec Settings

IPsec can be used for data transmission/reception on a network.
When IPsec is used, data can be sent and received safely without the need to configure settings for IP packet encryption in a Web browser or other higher-level application.
When enabling this settings, take the following notes.

• It may take some time to reflect on the machine settings, and you cannot connect to the machine during this time.
• If the settings in the Web page are not correctly selected, connection to the machine may not be allowed, or the settings may not allow printing, or Setting mode (Web version) display. In this case, deselect this setting and change the System Settings (on Web pages).

Condition Settings

IPsec Settings

Sets whether to use IPsec for transmission.

Factory default settings:

Disable

IKEv1 Settings

Pre-Shared Key

Enter the Pre-Shared Key to be used for IKEv1.

SA Lifetime (time)

Set the SA lifetime.

Factory default settings:

28800 seconds

IKE Lifetime

Set the IKE lifetime.

Factory default settings:

30 seconds

IPsec Rules

The registered IPsec rules are displayed.
To add a new rule, click the [Add] key.
To delete a rule, select the rule you want to delete and click the [Delete] key.

IPsec Rule Registration

Rule Name

Enter a name for the IPsec rule.

Priority

Set the priority level.

Factory default settings:

1

Select the Rule Name to be the Registration Model

If there is a previously registered rule that is similar to the rule you want to create, you can create the new rule based on the registered rule.

Device Address

Set the type of IP address to be used on the machine and the port number (for IPv6, set the port number / prefix length).

Client Address

Set the destination IP address type and port number (for IPv6, set the port number / prefix length).

Protocol

Set the protocol to be used.

Factory default settings:

TCP

Filter Mode

Configure settings for the authentication method used for IPsec.

Factory default settings:

IPsec

IPsec Encryption

Configure settings for the authentication method used for IPsec.

ESP

Select to use ESP authentication.

Factory default settings:

Enable

Allow Communication not using ESP

Specify whether or not communication that does not use ESP is allowed.

Factory default settings:

Enable

AH

Select to use AH authentication.

Factory default settings:

Disable

Allow Communication not using AH

Specify whether or not communication that does not use AH is allowed.

Factory default settings:

Disable

Audit Log

Logs are created and saved for various events relating to security functions and settings.
Audit logs are created and saved in English. However, setting values such as filenames which are input from external sources are saved as-is.
Audit logs which have been saved in the internal memory can be exported by an administrator to a PC as TSV files.
You can select either the internal memory or an external server as the destination for saving audit logs.

Audit Log

"Audit Log" can be carried out as follows.
In the Web page, select [System Settings] → [Security Settings] → [Audit Log]
Select "Security Control", "Storage/Send Settings" or "Save/Delete Audit Log".

Factory default settings:

Disable

Storage/Send Settings

"Storage/Send Settings" can be carried as follows.
In the Web page, select [System Settings] → [Security Settings] → [Audit Log]→ [Storage/Send Settings]
Then make the storage and transmission settings.

Factory default settings:

Server Send:Disable, Enable SSL/TLS:Disable, Port Number:514, Port Number (Use SSL/TLS):6514

Save/Delete Audit Log

"Save/Delete Audit Log" can be carried out as follows.
In the Web page, select [System Settings] → [Security Settings] → [Audit Log]→ [Save/Delete Audit Log]
Select "Save Audit Log" or "Delete Audit Log".

Audit Log specifications

If the audit log is saved to an external server, the audit log is temporarily saved in the buffer area reserved in the internal memory until the transmission to the external server is successful.

• Audit logs that are successfully sent to the external server are cleared from the buffer area.
• If the transmission to the external server fails, a warning message will be displayed on the operation panel and the screen of the Web page, and the transmission will be periodically retransmitted to the external server until the transmission is successful.

The audit events and information stored in the audit log are as shown in the following table.

Event name	Date & Time *1	Operation I/F *2	Login Name	Result *3	Additional Information
Audit Start	Yes	N/A	N/A	Yes	Reasons for starting Other: security erase
Audit End	Yes	N/A	N/A	Yes	N/A
Job Completion	Yes	Yes	Job owner (SYSTEM)	Yes	Finished job name
I&A Success	Yes	Yes	The string entered as your login name	N/A	IP address of the login source 127.0.0.1 for the operation panel
I&A Failure	Yes	Yes	The string entered as the login name	N/A	IP address of the login source 127.0.0.1 for the operation panel
Add User	Yes	Yes	User who added	Yes	Added login name
Login Terminated	Yes	Yes	The string entered as your login name	N/A	Active termination/ Timeout
Change Password	Yes	Yes	The user who made the change	Yes	Login name of the user whose password has been changed
Change Login Name	Yes	Yes	The user who made the change	Yes	Login name after change
Delete user	Yes	Yes	User who deleted	Yes	Deleted login name (ALL if all users are deleted)
Add Auth Group	Yes	Yes	User who added	Yes	Added authority group name
Change Role	Yes	Yes	The user who made the change	Yes	Login name of the user whose authority group has been changed Changed authority group name
Change Auth Group Setting	Yes	Yes	The user who made the change	Yes	Privilege changed settings Group Name
Add Page Limit Group	Yes	Yes	Users with additional functions	Yes	Name of the additional page limit group
Delete Page Limit Group	Yes	Yes	Users whose functions are deleted	Yes	Name of the deleted page limit group
Change Page Limit Group Setting	Yes	Yes	Users who have changed the settings	Yes	Name of the changed page limit group
Change Time Setting	Yes	Yes	The user who made the change	Yes	N/A
Change Setting	Yes	Yes	User who made the change (“ByPolicy” when applying AD policy)	Yes	Setting items whose setting values have been changed Set value after change
Firm Recovery	Yes	N/A	N/A	Yes	Firmware name Firmware version after recovery
Exec Rejection	Yes	N/A	N/A	Yes	Distinguished name of firmware or embedded OSA app
TLS, IPsec communication failure (Comm Failure) * Communication partner is other than the audit server	Yes	N/A	Users who are communicating	N/A	IP address of the communication starter IP address of the communication partner Communication direction Reason for failure
Modify AddrBook	Yes	Yes	User who updated	Yes	At the time of addition: Internal management ID and destination name of the added entry When deleting / changing: Internal management ID of deleted / changed entry
Firm Update	Yes	Yes	User who updated	Yes	Firmware name Firmware version before update Firmware version after update
Release Denied Addr	Yes	Yes	Users who have been released	Yes	Released IP address
Send External Dest	Yes	Yes	Users who sent	Yes	Destination e-mail address/IP address/SMB folder path
Web Push Print	Yes	Yes	Users of the function	Yes	IP address from which the file was downloaded
Change Service Setting	Yes	Yes	Users who have changed the settings	Yes	Changed settings and their values
Switch to service mode	Yes	Yes	Service	Yes	N/A
Running in service mode	Yes	Yes	Service	Yes	Changed setting values

*1 The date and time when the event occurred is displayed in the extended format of ISO 8601.

*2 Either Ope/Web/sNet is displayed as the operation interface. However, if it is "N / A" in the table, it will be written as "N / A".

*3 Either Success / Failure will be displayed as the result of the event.

Certificate Management

Device Certificate Management

Import

Import the certificate/private key.

Export

Export the certificate/private key.

Certificate Information

Shows the status of the certificate.

Creation of Certificate and Private Key

Common Name (Required)

Enter the name to be used.

Organization

Enter the name of the organization.

Organizational Unit

Enter the name of the unit within the organization.

City/Locality

Enter the city or locality.

State/Province

Enter the state or province.

Country/Region (Required)

Enter the country code.

Certificate Start Date

Enter the start date and time for the certificate.

Certificate Validity Period

Enter the expiration date of the certificate.

Certificate Information

Enter the Certificate Information.

Certificate Signing Request (CSR) Management

Installation of Certificate

Install the certificate.

Certificate Information

Shows the status of the certificate.

Make of Certificate Signing Request(CSR)

Common Name (Required)

Enter the name to be used.

Organization

Enter the name of the organization.

Organizational Unit

Enter the name of the unit within the organization.

City/Locality

Enter the city or locality.

State/Province

Enter the state or province.

Country/Region (Required)

Enter the country code.

Key Length of Certificate

Specify the key length of the certificate.

Factory default settings:

1024bit

CA Certificate Management

Import

Import the certificate.

Certificate Information

Shows the status of the certificate.

Initialize Data in Machine

Press the [OK] key to initialise the following personal information and data in the machine.

• All user information data
• All job data in this machine
• Log information
• Data and areas for internal processing
• Data in the machine registered/stored by the user