Down - Digi-Key
Contents
1. f Several filters can be set and their sequence is irrelevant 8334_en_01 PHOENIX CONTACT 6 19 FL MGUARD 2 Management gt gt System Settings gt gt Shell Access Authorized for access as Client certificate Authorized for access as All users root admin netadmin audit Additional filter which specifies that the SSH client has to be authorized for a specific administration level in order to gain access When establishing a connection the SSH client shows its certificate and also specifies the system user for which the SSH session is to be opened root admin netadmin audit Access is only granted if the entries match those defined here Access for all listed system users is possible when All users is set i This configuration is required in the following cases The netadmin and audit setting options relate to access rights with the device manager software FL MGUARD DM SSH clients each show a self signed certificate SSH clients each show a certificate signed by a CA Filtering should take place Access is only granted to a user whose certificate copy is installed on the FL MGUARD as the remote certificate and is provided to the FL MGUARD in this table as the Client certificate This filter is not subordinate to the Subject filter It resides on the same level and is allocated a logical OR function with the Subject filter The entry in this field defi2. Dial in Settings for egress queue rules QoS ae Rules Internal External internat Externat externar iain Default Default Queue Default X Rules pEi a v 00000 ay Jooo any TOS Minimize Delay w Unchanged v Urgent v 7 SO a1 v 00000 any 0 0 0 0 0 any TOS Maximize Reliability v Unchanged v Important v pE a v 00000 any 0 0 0 070 any TOS Minimize Cost w Unchanged v Low Priority w 8334_en_01 PHOENIX CONTACT 6 213 FL MGUARD 2 6 8 4 2 Egress Rules VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in VPN via Internal Settings for egress queue rules QoS Egress Rules VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in Default Defaut Queue Defaut v Rules C 1 Al 00 0 0 070 any 0 0 0 010 any TOS Minimize Delay v Unchanged v Urgent v E 2 Al v 0 0 0 0 0 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged v Important v 341 00000 any 0 0 0 010 any TOS Minimize Cost w Unchanged v LowPriorty w VPN via External Settings for egress queue rules QoS Egress Rules VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in Default Rules 1 a v 000 00 any 0 0 0 0 0 any TOS Minimize Delay v Unchanged v Urgent v p C 2 Al v 0 0 0 0 0 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged v import
3. Internal LAN interface External WAN interface MAC 00 40 45 08 61 69 192 168 0 12 Port 5 MAC 00 OC BE 04 1B DB 192 168 42 22 WAN port LLDP Link Layer Discovery Protocol IEEE 802 1AB D13 uses suitable request methods to automatically determine the Ethernet network infrastructure LLDP capable devices periodically send Ethernet multicasts layer 2 Tables of systems connected to the network are created from the responses and these can be requested via SNMP Management gt gt SNMP gt gt LLDP LLDP Internal LAN interface External WAN interface Mode Enabled Disabled The LLDP service or agent can be globally enabled or disabled here If the function is enabled this is indicated by a green signal field on the tab at the top of the page If the signal field is red the function is disabled Device ID A unique ID of the computer found typically one of its MAC addresses IP address IP address of the computer found This can be used to perform administrative activities on the computer via SNMP Port description A textual description of the network interface where the computer was found System name Host name of the computer found Button Update To update the displayed data if necessary click on Update 8334_en_01 PHOENIX CONTACT 6 51 FL MGUARD 2 6 2 7 Management gt gt Central Management 6 2 7 1 Management Central Management Configuration Pull Configuration Pull Pull Schedule Se
4. Installing the FL MGUARD RS4000 RS2000 on page 4 3 under Service contacts Information about how to operate the different switch types is also provided Ifa VPN connection is established by pressing the button or switch the connection is maintained until it is released by pressing the button or switch again If an on off switch is used instead of a button and it is pressed to establish a VPN connection this connection is reestablished automatically when the FL MGUARD is restarted 6 166 PHOENIX CONTACT 8334_en_01 Configuration re me te ee oe TCP Encapsulation This function is used to encapsulate data packets to be transmitted via a VPN connection in TCP packets In the case of VPN connections this encapsulation is essential Otherwise important data packets belonging to the VPN connection may not always be correctly transmitted due to interconnected NAT routers firewalls or proxy servers for example Firewalls for example may be set up to prevent any data packets of the UDP protocol from passing through or incorrectly implemented NAT routers may not manage the port numbers correctly for UDP packets TCP encapsulation avoids these problems because the packets belonging to the relevant VPN connection are encapsulated in TCP packets i e they are hidden so that only TCP packets appear for the network infrastructure The FL MGUARD can allow VPN connections encapsulated in
5. 6 10 2 1 Log entry categories Common Log entries that cannot be assigned to other categories Network Security In the case of the FL MGUARD RS2000 access via its firewall is not logged Logged events are shown here if the logging of firewall events was selected when defining the firewall rules Log Yes Log ID and number for tracing errors Log entries that relate to the firewall rules listed below have a log ID and number This log ID and number can be used to trace the firewall rule to which the corresponding log entry relates and that led to the corresponding event Firewall rules and their log ID Packet filters Network Security gt gt Packet Filter gt gt Incoming Rules menu Network Security gt gt Packet Filter gt gt Outgoing Rules menu Log ID w incoming or Ew outgoing Firewall rules for VPN connections IPsec VPN gt gt Connections gt gt Edit gt gt Firewall menu Incoming Outgoing Log ID vpn w in or vpn fw out Firewall rules for web access to the FL MGUARD via HTTPS Management gt gt Web Settings gt gt Access menu Log ID w https access Firewall rules for access to the FL MGUARD via SNMP Management gt gt SNMP gt gt Query menu Log ID w snmp access Firewall rules for SSH remote access to the FL MGUARD Management gt gt System Settings gt gt Shell Access menu Log ID fw ssh access Firewall rules for the user firewall Network Security
6. D8 II i Yes v Mannheim Leipzig FE Yes v MA Techniker Zentrale E No 8334_en_01 PHOENIX CONTACT 6 171 FL MGUARD 2 Example 6 7 3 Defining a new VPN connection VPN connection channels e Inthe connections table click on Edit to the right of the unnamed entry under Name e Ifthe unnamed entry cannot be seen open another row in the table Editing a VPN connection VPN connection channels e Click on Edit to the right of the relevant entry URL for starting stopping querying the status of a VPN connection The following URL can be used to start and stop VPN connections or query their connection status independently of their Enabled setting https server nph vpn cgi name verbindung amp cmd up down status wget no check certificate https admin FL MGUARD 192 168 1 1 nph vpn cgi name Athen amp cmd up The no check certificate option ensures that the HTTPS certificate on the FL MGUARD does not undergo any further checking It may also be necessary to encode the password for the URL if it contains special characters A command like this relates to all connection channels that are grouped together under the respective name in this example Athen This is the name entered under A descriptive name for the connection on the General tab page In the event of ambiguity the URL call only affects the first entry in the list of connections It is not possible to communicate with the
7. 6 22 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Web Settings gt gt Access Allowed Networks Remote HTTPS TCP Port Default 443 If this port number is changed the new port number only applies for access via the External External 2 VPN and Dial in interface Port number 443 still applies for internal access The remote partner that implements remote access may have to specify the port number defined here after the IP address during entry of the address Example If this FL MGUARD can be accessed over the Internet via address 123 124 125 21 and port number 443 has been specified for remote access you do not need to enter this port number after the address in the web browser of the remote partner If a different port number is used it should be entered after the IP address e g https 123 124 125 21 442 The FL MGUARD authenticates itself to the partner in this case the browser of the user using a self signed machine certificate This isa unique certificate issued by Innominate for each FL MGUARD This means that every FL MGUARD device is delivered with a unique self signed machine certificate Sef romi inertas ction comment tog p 1 0 0 0 0 0 External w Accept v No v Lists the firewall rules that have been set up These apply for incoming data packets of an HTTPS remote access attempt If multiple firewall rules are defined these are queried starting from
8. 8334_en_01 Configuration 6 6 4 CIFS Integrity Monitoring gt gt CIFS AV Scan Connector This function is optional and can only be activated by purchasing the FL MGUARD LIC CIM Order No 2701083 accessory CIFS integrity monitoring is not available on the FL MGUARD RS2000 It must not be used on the FL MGUARD BLADE controller In Stealth network mode without management IP address the CIFS server for the anti virus scan is not supported CIFS Antivirus Scan The CIFS anti virus scan connector enables the FL MGUARD to perform a virus scan on Connector drives that are otherwise not externally accessible e g production cells The FL MGUARD mirrors a drive externally in order to perform the virus scan Additional anti virus software is required for this procedure Set the necessary read access for your anti virus software 6 6 4 1 CIFS Antivirus Scan Connector CIFS Integrity Monitoring CIFS AV Scan Connector CIFS Antivirus Scan Connector CIFS Server Enable the server Yes v Accessible as 172 16 66 49 exported av share External 192 168 66 49 exported av share Internal Server s workgroup WORKGROUP Login virus scanner Password eeccccccccces Exported share s name exported av share Allow write access No v Please note To have the CIFS server enabled in the network mode Stealth a management IP must be set Allowed Networks Log 1D 1w olfs 200258 2627200 2140 1402 907
9. Requirement A configuration profile has been saved on the configuration computer as a file according to the procedure described above e Enter the desired profile name in the Name for the new profile field next to Upload Configuration to Profile e Click on Browse select and open the relevant file in the dialog box that is displayed e Click on Upload The configuration profile is loaded on the FL MGUARD and the name assigned in step 1 appears in the list of profiles already stored on the FL MGUARD 8334_en_01 PHOENIX CONTACT 6 39 FL MGUARD 2 Management gt gt Configuration Profiles External Config Storage ECS i Save the active FL MGUARD RS4000 RS2000 only configuration to an external memory SD card When replacing the original device with a replacement device the configuration profile of the original device can be applied using the SD card To do so the replacement device must still use root as the password for the root user If the root password on the replacement device is not root this password must be entered in the The root password to save to the ECS field Automatically save FL MGUARD RS4000 RS2000 only configuration changes to an SD card When set to Yes the configuration changes are automatically saved to the SD card i e the SD card always stores the profile that is currently in use The FL MGUARD only uses the automatically stored configuration profiles u
10. The Stealth network mode is currently not supported For further restrictions see Requirements for firewall redundancy on page 1 4 and Limits of firewall redundancy on page 1 14 8334_en_01 PHOENIX CONTACT 7 1 FL MGUARD 2 7 1 1 Components in firewall redundancy Firewall redundancy is comprised of several components Connectivity check Checks whether the necessary network connections have been established Availability check Checks whether an active FL MGUARD is available and whether this should remain active State synchronization of the firewall The FL MGUARD on standby receives a copy of the current firewall database state Virtual network interface Provides virtual IP addresses and MAC addresses that can be used by other devices as routes and default gateways State monitoring Coordinates all components Status indicator Shows the user the state of the FL MGUARD Connectivity check On each FL MGUARD in a redundant pair checks are constantly made as to whether a connection is established through which the network packets can be forwarded Each FL MGUARD checks its own internal and external network interfaces independently of each other Both interfaces are tested for a continuous connection This connection must be in place otherwise the connectivity check will fail ICMP echo requests can also be sent optional The ICMP echo requests can be set using the Redundancy gt gt Fir
11. 5 2 PHOENIX CONTACT 8334_en_01 Preparing the configuration 5 2 1 Configuring the FL MGUARD on startup with stealth mode by default On initial startup of devices provided in stealth mode the FL MGUARD can be accessed via two addresses https 192 168 1 1 see page 1 3 https 1 1 1 1 see page 1 4 Alternatively an IP address can be assigned via BootP e g using IPAssign exe see Assigning the IP address via BootP on page 1 5 The FL MGUARD can be accessed via https 192 168 1 1 if the external network interface is not connected on startup Computers can access the FL MGUARD via https 1 1 1 1 if they are directly or indirectly connected to the LAN port of the FL MGUARD For this purpose the FLMGUARD with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port After access via IP address 192 168 1 1 and successful login IP address 192 168 1 1 is set as a fixed management IP address After access via IP address 1 1 1 1 or after IP address assignment via BootP the FL MGUARD can no longer be accessed via IP address 192 168 1 1 5 2 1 1 IP address 192 168 1 1 For devices provided in stealth mode the FL MGUARD can be accessed via the LAN interface via IP address 192 168 1 1 within network 192 168 1 0 24 if one of the following conditions applies The FL MGUARD is in the delivery state
12. If locally stored CA certificates are to be used to authenticate the partner the address of the VPN gateway of the partner can be specified explicitly by means of an IP address or host name or by any If it is specified using an explicit address and not with any then a VPN identifier see VPN Identifier on page 6 189 must be specified any must be selected if the partner is located downstream of a NAT gateway Otherwise the renegotiation of new connection keys will fail on initial contact If TCP Encapsulation is used see TCP Encapsulation on page 6 167 A fixed IP address or a host name must be specified if this FL MGUARD is to initiate the VPN connection and encapsulate the VPN data traffic If this FL MGUARD is installed upstream of a maintenance center to which multiple remote FL MGUARD devices establish VPN connections and transmit encapsulated data packets any must be specified for the VPN gateway of the partner 6 174 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt General Options Interface used for the Internal External External 2 Dial in no a gateway External 2 and Dial in only apply to the FL MGUARD RS4000 g see Network gt gt Interfaces on page 6 56 Selection of the Internal option is not permitted in Stealth mode This interface setting is only considered when any is entered as the address of t
13. Network Address Translation IP Masquerading Lists the rules established for NAT Network Address Translation For outgoing data packets the device can translate the specified sender IP addresses from its internal network into its own external address a technique referred to as NAT Network Address Translation see also NAT Network Address Translation in the glossary This method is used if the internal addresses cannot or should not be routed externally e g because a private address area such as 192 168 x x or the internal network structure should be hidden The method can also be used to hide external network structures from the internal devices To do so set the Internal option under Outgoing on Interface The Internal setting allows for communication between two separate IP networks where the IP devices have not configured a useful default route or differentiated routing settings e g PLCs without the corresponding settings The corresponding settings must be made under 1 1 NAT This method is also referred to as IP masquerading Default settings NAT is not active If the FL MGUARD is operated in PPPoE PPTP mode NAT must be activated in order to gain access to the Internet If NAT is not activated only VPN connections can be used in the list is always used for IP masquerading These rules do not apply in Stealth mode A If multiple static IP addresses are used for the WAN port the
14. Redundancy FW Redundancy Status External Interface Summarized result Ethernet link status Number of check intervals Kind of check Check interval Timeout per interval and set of targets Results of the last 16 intervals youngest first Results of the primary targets Internal Interface Summarized result Ethernet link status Number of check intervals Kind of check Check interval Timeout per interval and set of targets Results of the last 16 intervals youngest first Redundancy Status Connectivity Status success connected N 65536 32456 at least one target must respond 300 milliseconds 420 milliseconds Ftttttttttttttt e o Resu 172 16 66 18 sRsRsRsRsRsRsksRsksksksksRsksksR Legend ICMP echo request sent R ICMP echo response received 7 missing ICMP echo response _ no ICMP echo request sent success connected N 65536 32456 Ethernet link detection only 300 milliseconds 420 milliseconds tttttttttt ttt Redundancy gt gt FW Redundancy Status gt gt Connectivity Status External interface Summarized result Ethernet link status Number of check intervals Kind of check Check interval success fail Result of the connectivity check for the external interface The fail result is also displayed until the specific result of the connectivity check is known The last two intervals of the connectivity check are taken into consideration for the combin
15. Se Co Co 8334_en_01 PHOENIX CONTACT 6 105 FL MGUARD 2 Network gt gt DHCP gt gt Internal DHCP DHCP mode Relay If DHCP mode is set to Relay the corresponding setting options are displayed below as follows Network DHCP Internal DHCP External DHCP Mode DHCP mode Relay v DHCP Relay Options OvcP Severe to rey Append Relay Agent Information Option 82 Nov DHCP Relay Options In FL MGUARD Stealth mode relay DHCP mode is not supported If the FL MGUARD is in Stealth mode and relay DHCP mode is selected this setting will be ignored However DHCP requests from the computer and the corresponding responses are forwarded due to the nature of Stealth mode DHCP Servers to relay A list of one or more DHCP servers to which DHCP requests to should be forwarded Append Relay Agent When forwarding additional information for the DHCP servers Information to which information is being forwarded can be appended Option 82 according to RFC 3046 6 106 PHOENIX CONTACT 8334_en_01 Configuration 6 3 5 Network gt gt Proxy Settings 6 3 5 1 HTTP S Proxy Settings HTTP S Proxy Settings HTTP S Proxy Settings Use Proxy for ue pani It is also used for VPN in TCP encapsulation No v HTTP S Proxy Server proxy example com Port 3128 Proxy Authentication Login Password A proxy server can be specified here for the following activities performed
16. X 509 certificates for SSH clients The FL MGUARD supports the authentication of SSH clients using X 509 certificates It is sufficient to configure CA certificates that are required for the establishment and validity check of a certificate chain This certificate chain must exist between the CA certificate on the FL MGUARD and the X 509 certificate shown to the SSH client see Shell Access on page 6 11 If the validity period of the client certificate is checked by the FL MGUARD see Certificate settings on page 6 120 new CA certificates must be configured on the FL MGUARD at some point This must take place before the SSH clients use their new client certificates If the CRL check is activated under Authentication gt gt Certificates gt gt Certificate settings one URL where the corresponding CRL is available must be maintained for each CA certificate The URL and CRL must be published before the FL MGUARD uses the CA certificates in order to confirm the validity of the certificates shown by the VPN partners 7 12 PHOENIX CONTACT 8334_en_01 Redundancy 7 1 9 Transmission capacity with firewall redundancy These values apply to Router network mode when the data traffic for state synchronization is transmitted without encryption If the transmission capacity described here is exceeded in the event of errors the switching time may be longer than that set Platform Transmission capacity with firewall redundancy FL
17. ham vic INFO INFO transitioned to state faulty disabled IP forwarding and other conditions ham ac extl AC INFO ham ac 3417 eth0 listening to CARP messages ham ac syncif AC INFO ham ac 3432 eth2 listening to CARP messages ham ac int AC INFO ham ac 3399 eth1 listening to CARP messages ham vic ham vic ham vic ham ssv ham ssv ham vic ham ssv ham ac syncif INFO INFO INFO INFO INFO INFO INFO disabled virtual interface eth0 vif disabled virtual interface ethl vif disabled ARP daemon 0 transitioned to state outdated transitioned to state on_standby enabled IP forwarding and other conditions transitioned to state becomes_active AC INFO ham ac 3432 eth2 sending CARP messages and listening t ham ac exti AC INFO ham ac 3417 eth0 sending CARP messages and listening to ham ac int AC INFO ham ac 3399 eth1 sending CARP messages and listening to t ham ssv ham ssv ham vic ham vic ham vic ham uer INFO sigalrm timeout transitioned to state active enabled virtual interface eth0 vif enabled virtual interface ethl vif enabled ARP daemon 0 tarminsting The corresponding checkboxes for filtering entries according to their category are displayed below the log entries depending on which FL MGUARD functions were active To display one or more categories enable the checkboxes for the desired categories and click on Reload logs 6 234 PHOENIX CONTACT 8334_en_01 Configuration
18. on page 6 177 See Remote on page 6 177 Virtual IP for the client See Virtual IP for the client on page 6 180 NAT With NAT Network Address Translation addresses in data packets are replaced by other addresses It is possible to translate the IP addresses of devices located at the local end of the VPN tunnel local NAT or the addresses of devices located at the remote end remote NAT 6 180 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt General Further settings can be made by clicking on More Local NAT for IPsec Off 1 1 NAT Local masquerading tunnel connections Default Off Here you can define which type of address translation is to be used for the destination address of the packets being received and for the source address of the packets being transmitted Off NAT is not performed 1 1 NAT Local NAT Local NAT for IPsec tunnel 1 1 NAT connections Internal network address for local 1to 1 NAT 92 1662 1 With 1 1 NAT the IP addresses of devices at the local end of the tunnel are exchanged so that each individual address is translated into another specific address It is not translated into an address that is identical for all devices as is the case with IP masquerading If local devices transmit data packets only those data packets are considered which Are actually encrypted by the FL MGUARD the FL MGUARD only forwards p
19. 7 1 3 Accepting the firewall redundancy settings from previous versions Existing configuration profiles on firmware version 6 1 x and earlier can be imported with certain restrictions However we recommend using a new configuration for the devices 7 1 4 Requirements for firewall redundancy The firewall redundancy function can only be activated when a suitable license key is installed See under Redundancy gt gt Firewall Redundancy gt gt Redundancy gt gt Enable redundancy Redundancy gt gt Firewall Redundancy gt gt Redundancy gt gt Interface used for synchronizing the state Each set of targets for the connectivity check can contain more than ten targets a fail over time cannot be guaranteed without an upper limit Redundancy gt gt Firewall Redundancy gt gt Redundancy gt gt External interface gt gt Primary targets for ICMP echo requests gt gt External interface gt gt Secondary targets for ICMP echo requests gt gt Internal interface gt gt Primary targets for ICMP echo requests gt gt Internal interface gt gt Secondary targets for ICMP echo requests If at least one target must respond or all targets of one set must respond is selected under External interface gt gt Kind of check then External interface gt gt Primary targets for ICMP echo requests cannot be left empty This also applies to the internal interface In Router network mode at least one external
20. A Flag indicating the summarized state of all Availability Check components 8334_en_01 PHOENIX CONTACT 6 227 FL MGUARD 2 Redundancy gt gt FW Redundancy Status gt gt Redundancy Status Current State Status of the Components Availability Check Connectivity Check State Replication Virtual Interface Controller Possible states booting The FL MGUARD is starting faulty The FL MGUARD is not yet connected properly outdated State synchronization of the databases is not yet up to date on_standby The FL MGUARD is ready for activation if the other FL MGUARD fails becomes_active The FL MGUARD is becoming active because the other FL MGUARD has failed active The FL MGUARD is active becomes_standby The FL MGUARD is switching from the active state to standby mode The state is changed to outdated since the status database has to be updated first Relates to the status of the availability check for the internal or external interface The availability check has three possible results Presence notifications CARP are not received from any other FL MGUARD device Another FL MGUARD is available which is to become or remain active Another FL MGUARD is available which is active but is to go on_standby Indicates whether the check was successful Each interface is checked separately When synchronizing the state various databases are checked to see whether e
21. If a different VPN connection definition applies to the outgoing data packets the firewall rules for Outgoing for this other connection definition are used If the FL MGUARD has been configured to forward SSH connection packets e g by permitting a SEC Stick hub amp spoke connection existing VPN firewall rules are not applied This means for example that packets of an SSH connection are sent via a VPN tunnel despite the fact that this is prohibited by its firewall rules IPsec VPN gt gt Connections gt gt Edit gt gt Firewall Incoming General firewall Allow all incoming connections The data packets of all setting incoming connections are allowed Drop all incoming connections The data packets of all incoming connections are discarded Use the set of rules specified below Displays further setting options This menu item is not included in the scope of functions for the FL MGUARD RS2000 The following settings are only visible if Use the set of rules specified below is set Protocol All means TCP UDP ICMP GRE and other IP protocols From IP To IP 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Incoming From IP The IP address in the VPN tunnel TolP The 1 1 NAT address or the real address Outgoing From IP The 1 1 NAT address or the real address TolP The IP address in the VPN
22. OU Development O Organization Specifies the organization or company Example O Phoenix Contact L Locality Specifies the place locality Example L Hamburg ST State Specifies the state or county Example ST Bavaria C Country Two letter code that specifies the country Germany DE Example C DE A filter can be set for the subject i e the certificate owner during VPN connections and remote service access to the FL MGUARD using SSH or HTTPS This would ensure that only certificates from partners are accepted that have certain attributes in the subject line In symmetrical encryption the same key is used to encrypt and decrypt data Two examples of symmetrical encryption algorithms are DES and AES They are fast but also increasingly difficult to administrate as the number of users increases These are network protocols used to connect two computers on the Internet IP is the base protocol UDP is based on IP and sends individual packets The packets may reach the recipient in an different order than that in which they were sent or they may even be lost TCP is used for connection security and ensures for example that data packets are forwarded to the application in the correct order UDP and TCP add port numbers between 1 and 65535 to the IP addresses These distinguish the various services offered by the protocols 8334_en_01 PHOENIX CONTACT 9 7 FL MGUARD 2 VLAN VPN Virtual Private Networ
23. Restart recovery procedure and flashing the firmware 8 3 1 Installing the DHCP and TFTP server Installing a second DHCP server in a network could affect the configuration of the entire network In Windows Install the program provided in the download area at www innominate com e f the Windows computer is connected to a network disconnect it from the network e Copy the firmware to an empty folder of your choice on the Windows computer e Start the TFTPD32 EXE program The host IP to be specified is 192 168 10 1 It must also be used as the address for the network card e Click on Browse to switch to the folder where the FL MGUARD image files are saved install p7s jffs2 img p7s e Ifa major release upgrade of the firmware is carried out by means of flashing the license file purchased for the upgrade must also be stored here under the name licence lic Make sure that this is the correct license file for the device see Management gt gt Update on page 6 34 gt Tftpd32 by Ph Jounin la x Current Directory JEAmy Browse Server interface 192 168 10 1 Show Dir Tftp Server DHCP server Revd DHCP Discover Msg for IP 0 0 0 0 Mac 00 0C BE 01 00 EB 26 11 09 41 19 694 DHCP proposed address 192 168 10 200 26 11 09 41 19 694 Revd DHCP Rast Msg for IP 0 0 0 0 Mac 00 00 BE 01 00 EB 26 11 09 41 19 704 Previously allocated address acked 26 11 09 41 19 714 Connection received from 192 168 10 20
24. The same network drive can be used as the checksum memory for several different drives to be checked The base name of the checksum files must then be clearly selected in this case The FL MGUARD recognizes which version the checksum files on the network drive must have For example if it is necessary to restore the contents of the network drive from a backup following a malfunction old checksum files are provided in this case and the FL MGUARD would detect the deviations In this case the integrity database must be recreated see CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Actions on page 6 157 Basename of the The checksum files are stored on the network drive specified checksum files May above They can also be stored in a separate directory The be prefixed with a directory name must not start with a backslash directory Example Checksumdirectory integrity checksum Checksumdirectory is the directory and contains the files beginning with integrity checksum 6 6 2 2 Patterns for filenames CIFS Integrity Monitoring CIFS Integrity Checking Settings Filename Patterns Sets of Filename Patterns PE ame aeon me p executables CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Filename Patterns Sets of Filename Patterns Name Freely definable name for a set of rules for the files to be checked This name must be selected under CIFS Integrity
25. connection to the Internet is established after establishing the telephone connection Command syntax Together with the previously set ATD modem command for dialing the following dial sequence for example is created for the connected modem ATD765432 A compatible pulse dialing procedure that works in all scenarios is used as standard Special dial characters can be used in the dial sequence 8334_en_01 PHOENIX CONTACT 6 81 FL MGUARD 2 Network gt gt Interfaces gt gt Dial out Authentication HAYES special dial characters W Instructs the modem to insert a dialing pause at this point until the dial tone can be heard Used when the modem is connected to a private branch exchange An external line must be obtained first for outgoing calls by dialing a specific number e g 0 before the phone number of the relevant subscriber can be dialed Example ATDOW765432 T Switch to tone dialing Insert the special dial character T before the phone number if the faster tone dialing procedure is to be used with tone compatible telephone connections Example ATDT765432 PAP CHAP None PAP Password Authentication Protocol CHAP Challenge Handshake Authentication Protocol These terms describe procedures for the secure transmission of authentication data using the Point to Point Protocol If the Internet service provider requires the user to login using a user name and password then PAP
26. gt gt Global 6 7 1 1 Options IPsec VPN Global Options DynDNS Monitoring Options Allow packet forwarding No Archive diagnostic messages for VPN connections VPN Switch Switch type connected to the contact TCP Encapsulation Listen for incoming VPN connections which are No encapsulated TCP port to listen on 8080 Server ID 0 63 0 IP Fragmentation such routers IPsec VPN gt gt Global gt gt Options Options Allow packet forwarding between VPN connections v VPN connection Mannheim Leipzig wv On off switch w i i between VPN connections The value Yes will not be applied to the network mode Stealth v Start and stop the specified VPN connection with an external contact and signal the status of the connection with the ACK contact Some routers fail to forward large UDP packets which may break the IPsec protocol The following options allow you to reduce the size of the UDP packets generated by IPsec to traverse IKE Fragmentation The IKE Main Mode with X 509 certificates usually generates large UDP packets With this option enabled IKE Main Mode packets will be fragmented within the IKE protocol itself and thereby avoid large UDP packets Yes v IPsec MTU default is 16260 The internal IPsec MTU is usually set to a large value like 16260 to avoid fragmentation of IP packets within IPsec When IPsec has to traverse NAT routers encrypted IP packets will be transfered v
27. high probability for example Packet processing on the FL MGUARD is generally defined by the handling of individual data packets This means that the processing performance depends on the number of packets to be processed and not on the bandwidth Filtering is performed exclusively according to features that are present or may be present in each data packet The sender and recipient IP address specified in the header the specified Ethernet protocol the specified IP protocol the specified TOS DSCP value and or the VLAN ID if VLANs have been set up As the list of filter rules must be applied to each individual data packet it should be kept as short as possible Otherwise the time spent on filtering could be longer than the time actually saved by setting the filter Please note that not all specified filter criteria should be combined For example it does not make sense to specify an additional IP protocol in the same rule that contains the ARP Ethernet protocol Nor does it make sense to specify a transmitter or sender IP address if the IPX Ethernet protocol is specified in hexadecimal format 6 8 1 1 Internal External QoS Ingress Filters Internal External Enabling Filters 1 No _v 1 a p ARP All Enable ingress QoS No v Measurement Unit Packets w All 0 0 0 0 0 0 0 0 0 0 v 100 unlimited Internal Settings for the ingress filter at the LAN interface 6 206 PHOENIX CONTACT 8334_en_01 Config
28. if a user logs in via the Internet from a location or a computer to which the IP address is assigned dynamically by the Internet service provider this is usually the case for many Internet users If such a connection is temporarily interrupted e g because the user logged in is being assigned a different IP address this user must log in again However the old login session under the old IP address remains open This login session could then be used by an intruder who uses this old IP address of the authorized user and accesses the FL MGUARD using this sender address The same thing could also occur if an authorized firewall user forgets to log out at the end of a session This hazard of logging in via an unsecure interface is not completely eliminated but the time is limited by setting the configured timeout for the user firewall template used See Timeout type on page 6 146 Interface External Internal External 2 Dial in Specifies which FL MGUARD interfaces can be used by firewall users to log into the FL MGUARD For the interface selected web access via HTTPS must be enabled Management Web Settings menu Access tab page see Access on page 6 22 In Stealth network mode both the Internal and External interfaces must be enabled so that firewall users can log into the FL MGUARD Two rows must be entered in the table for this 1 External 2 and Dial in are only for devices with a serial int
29. indicates a cycle during which ICMP echo requests have been correctly transmitted and received Missing answers are indicated by a and requests that have not been transmitted are indicated bya _ Only visible when a secondary target is set see Secondary targets for ICMP echo requests on page 6 225 See External interface See External interface See External interface See External interface See External interface See External interface 8334_en_01 PHOENIX CONTACT 6 231 FL MGUARD 2 6 9 3 Ring Network Coupling The ring network coupling function is not supported on FLMGUARD centerport Ring network coupling with restrictions FLMGUARD DELTA The internal side switch ports cannot be switched off FLMGUARD PCI In driver mode the internal network interface cannot be switched off however this is possible in power over PCI mode 6 9 3 1 Ring Network Coupling Redundancy Ring Network Coupling Ring Network Coupling Settings Enable Ring Network Coupling Dual Homing Yes v Redundancy Port Internal w Redundancy gt gt Firewall Redundancy gt gt Ring Network Coupling Settings Enable Ring Network Yes No Coupling Dual Homing When activated the status of the Ethernet connection is transmitted from one port to another in Stealth mode This means that interruptions in the network can be traced easily Redundancy Port Internal External Internal If the connection
30. 151 or via SNMP see CIFS integrity traps on page 6 47 Setting options for CIFS anti virus scan connector Which network drives are known to the FL MGUARD see CIFS Integrity Monitoring gt gt Importable Shares on page 6 149 What type of access is permitted read or read write access see CIFS Integrity Monitoring gt gt CIFS AV Scan Connector on page 6 159 6 148 PHOENIX CONTACT 8334_en_01 Configuration Requirements i 6 6 1 CIFS Integrity Monitoring gt gt Importable Shares The network drives that the FL MGUARD should check regularly can be specified here In order for the network drives to be checked you must also refer to these network drives in one of the two methods CIFS integrity checking or CIFS anti virus scan connector The references to the network drives can be set as follows For CIFS integrity checking see Checked CIFS Share on page 6 152 For CIFS anti virus scan connector see CIFS Antivirus Scan Connector on page 6 159 6 6 1 1 Importable Shares Importable Shares Importable CIFS Shares Here you can specify the CIFS shares to which the mGuard has access SS r e E E o pc x7 scan 10 1 66 127 c Please note The shares listed here are only used if they are referenced from the CIFS Integrity Checking function or the CIFS AV Scan Connector function The mGuard will either only read from the share or also write to it
31. 2 VPN and Dial in interface Port number 22 still applies for internal access The remote partner that implements remote access may have to specify the port number defined here during login Example If this FL MGUARD can be accessed over the Internet via address 123 124 125 21 and default port number 22 has been specified for remote access you may not need to enter this port number in the SSH client e g PUTTY or OpenSSH of the remote partner If a different port number has been set e g 2222 this must be specified e g ssh p 2222 123 124 125 21 6 12 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Shell Access Delay between Default 120 seconds requests for a sign of life Values from 0 to 3600 seconds can be set Positive values indicate that the FL MGUARD is sending a query to the partner within the encrypted SSH connection to find out whether it can still be accessed The query is sent if no activity was detected from the partner for the specified number of seconds e g due to network traffic within the encrypted connection The value entered relates to the functionality of the encrypted SSH connection As long as the functions are working properly the SSH connection is not terminated by the FL MGUARD as a result of this setting even when the user does not perform any actions during this time Because the number of simultaneously open sessions is
32. 255 254 0 0 11111111 11111110 00000000 00000000 15 255 252 0 0 11111111 11111100 00000000 00000000 14 255 248 0 0 11111111 11111000 00000000 00000000 13 255 240 0 0 11111111 11110000 00000000 00000000 12 255 224 0 0 11111111 11100000 00000000 00000000 11 255 192 0 0 11111111 11000000 00000000 00000000 10 255 128 0 0 11111111 10000000 00000000 00000000 9 255 0 0 0 11111111 00000000 00000000 00000000 8 254 0 0 0 11111110 00000000 00000000 00000000 7 252 0 0 0 11111100 00000000 00000000 00000000 6 248 0 0 0 11111000 00000000 00000000 00000000 5 240 0 0 0 11110000 00000000 00000000 00000000 4 224 0 0 0 11100000 00000000 00000000 00000000 3 192 0 0 0 11000000 00000000 00000000 00000000 2 128 0 0 0 10000000 00000000 00000000 00000000 1 0 0 0 0 00000000 00000000 00000000 00000000 0 Example 192 168 1 0 255 255 255 0 corresponds to CIDR 192 168 1 0 24 8334_en_01 PHOENIX CONTACT 6 241 FL MGUARD 2 Router External IP address 192 168 11 2 Internal IP address 192 168 15 254 Subnet mask 255 255 255 0 Router External IP address 192 168 15 1 Internal IP address 192 168 27 254 Subnet mask 255 255 255 0 6 13 Network example diagram The following diagram shows how IP addresses can be distributed in a local network with subnetworks which network addresses result from this and how the details regarding additional internal routes may look for the FL MGUARD Internet External address e g 123 456 789 21 assigned
33. 6 26 PHOENIX CONTACT 8334_en_01 Configuration If the following User authentication methods are defined Login restricted to X 509 client certificate Login with X 509 client certificate or password You must then specify how the FL MGUARD authenticates the remote user according to X 509 The table below shows which certificates must be provided for the FL MGUARD to authenticate the user access via HTTPS if the user or their browser shows one of the following certificate types when a connection is established A certificate signed by a CA A self signed certificate For additional information about the table see Authentication gt gt Certificates on page 6 115 X 509 authentication Tor HTTPS The partner shows Certificate specific to Certificate specific to the following individual signed by CA individual self signed The FL MGUARD authenticates the T partner using All CA certificates that form Remote certificate the chain to the root CA certificate together with the certificate shown by the partner PLUS if required Remote certificates if used as a filter The partner can additionally provide sub CA certificates In this case the FL MGUARD can form the set union for creating the chain from the CA certificates provided and the self configured CA certificates The corresponding root certificate must always be available on the FL MGUARD According to this table the ce
34. A B or C and use the same hostnames in each of these networks to communicate with the corresponding machine controllers Notebook of service technician IP addresses and host names with domain ontroller A 10 1 30 1 24 fold cell a example com 10 1 30 2 24 fill cell a example com The notebook can obtain the IP address to be used the name 10 1 30 3 24 server and the domain from the i ontroller C FL MGUARD via DHOP j oo pack cell a example com Switch 10 1 80 0 24 Machine B ontroller A 10 1 31 1 24 fold cell b example com 10 1 31 2 24 ontroller B fill cell b example com Plant network Ethernet 10 1 31 3 24 ontroller C pack cell b example com Switch 10 1 81 0 24 10 1 32 1 24 P ontroller A Machine e Contolera fold cell c example com 10 1 32 2 24 ontroller B fill cell c example com 10 1 32 3 24 ontroller C pack cell c example com Switch 10 1 32 0 24 ia Host name Domain name Figure 6 1 Local Resolving of Hostnames 8334_en_01 PHOENIX CONTACT 6 101 FL MGUARD 2 6 3 3 2 DynDNS Network DNS DNS server DynDNS DynDNS Register this mGuard at a No w DynDNS Service Status Refresh Interval sec 420 DynDNS Provider DNS4BIZ v DynDNS Server dyndns example com DynDNS Login DynDNS Password DynDNS Hostname host example com Network gt gt DNS gt gt DynDNS DynDNS In order for a VPN c
35. Aname must be assigned whether it is the suggested one or another Names must be unique and must not be assigned more than once During the configuration of SSH Management gt gt System Settings Shell Access menu HTTPS Management gt gt Web Settings Access menu VPN connections IPsec VPN gt gt Connections menu 6 124 PHOENIX CONTACT 8334_en_01 Configuration the certificates imported on the FL MGUARD are provided in a selection list The certificates are displayed under the short name specified for each individual certificate on this page For this reason name assignment is mandatory Creating a certificate copy A copy can be created from the imported CA certificate To do that e Click on Current Certificate File next to the Download Certificate row for the relevant CA certificate Enter the desired information in the dialog box that opens 8334_en_01 PHOENIX CONTACT 6 125 FL MGUARD 2 6 4 4 4 Remote Certificates A remote certificate is a copy of the certificate that is used by a partner to authenticate itself to the FL MGUARD Remote certificates are files file name extension cer pem or crt received from possible partners by trustworthy means You load these files on the FL MGUARD so that reciprocal authentication can take place The remote certificates of several possible partners can be loaded The remote certificate for authentication of a VPN connection or the channels
36. Authentication using the corresponding remote certificate e Select the following entry from the selection list No CA certificate but the Remote Certificate below e Install the remote certificate under Remote Certificate see Installing the remote certificate on page 6 188 It is not possible to reference a remote certificate loaded under the Authentication gt gt Certificates menu item Installing the remote certificate The remote certificate must be configured if the VPN partner is to be authenticated using a remote certificate To import a certificate proceed as follows 6 188 PHOENIX CONTACT 8334_en_01 Configuration Requirement IPsec VPN gt gt Connections gt gt Edit gt gt Authentication VPN Identifier The certificate file file name extension pem cer or crt is saved on the connected computer e Click on Browse to select the file e Click on Upload The contents of the certificate file are then displayed Authentication method CA certificate The following explanation applies if the VPN partner is authenticated using CA certificates VPN gateways use the VPN identifier to detect which configurations belong to the same VPN connection If the FL MGUARD consults CA certificates to authenticate a VPN partner then it is possible to use the VPN identifier as a filter e Make a corresponding entry in the Remote field Local Remote Default Em
37. CA certification authority that issued the server certificate This is valid when the configuration server certificate is signed by a CA instead of self signed If the stored configuration profiles also contain the private VPN key for the VPN connection s with PSK the following conditions must be met The password should consist of at least 30 random upper and lower case letters and numbers to prevent unauthorized access The HTTPS server should only grant access to the configuration of this individual FL MGUARD using the login and password specified Otherwise users of other FL MGUARD devices could access this individual FL MGUARD The IP address or the host name specified under Server must be the same as the server certificate s common name CN Self signed certificates should not use the key usage extension To install a certificate proceed as follows Requirement The certificate file must be saved on the connected computer e Click on Browse to select the file e Click on Import Download Test e By clicking on Test Download you can test whether the specified parameters are correct without actually saving the modified parameters or activating the configuration profile The result of the test is displayed in the right hand column a Ensure that the profile on the server does not contain unwanted variables starting with GAI_PULL_ as these overwrite the applied confi
38. General firewall Allow all incoming connections The data packets of all setting incoming connections are allowed Drop all incoming connections The data packets of all incoming connections are discarded Use the set of rules specified below Displays further setting options This menu item is not included in the scope of functions for the FL MGUARD RS2000 The following settings are only visible if Use the set of rules specified below is set Interface External External 2 Any External Specifies via which interface the data packets are received so that the rule applies to them Any External refers to the External and External 2 interfaces These interfaces are only available on FL MGUARD models that have a serial interface with external access Protocol TCP UDP ICMP GRE All From IP To IP 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 From Port To Port Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 6 130 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt Packet Filter gt gt Incoming Rules 1 Action Comment Log Log entries for unknown connection attempts Accept mean
39. IP addresses ooo ee ee o usevian vian AX 192 168 11 1 255 255 255 0 No v 1 r 192 168 5 1 255 255 255 0 No v 1 Default gateway 192 168 11 10 An additional IP address can be specified here for the administration of the FL MGUARD Remote access via HTTPS SNMP and SSH is only possible using this address if one of the following applies The multiple clients option is selected under Stealth configuration The client does not answer ARP requests Noclientis available With static Stealth configuration the Stealth management IP address can always be accessed even if the network card of the client PC has not been activated If the secondary external interface is activated see Secondary External Interface on page 6 67 the following applies If the routing settings are such that data traffic to the Stealth management IP address would be routed via the secondary external interface this would be an exclusion situation i e the FL MGUARD could no longer be administered locally To prevent this the FL MGUARD has a built in mechanism that ensures that in such an event the Stealth management IP address can still be accessed by the locally connected computer or network 8334_en_01 PHOENIX CONTACT 6 65 FL MGUARD 2 Network gt gt Interfaces gt gt General Stealth network mode Static routes Management IP IP addresses IP address via which the FL MGUARD can be accessed and administere
40. Mode Network Mode Stealth w Stealth configuration autodetect v Autodetect ignore NetBIOS overTCPtrafficonTCPport No v 139 Stealth Management IP Address Here you can specify additional IP addresses to administrate the mGuard If you have set Stealth configuration to multiple clients remote access will only be possible using this IP address An IP address of 0 0 0 0 disables this feature Note using management VLAN is not supported in Stealth autodetect mode Management P accresses EE TTT T HX 192 168 11 1 255 255 255 0 No v 1 192 168 5 1 255 255 255 0 No v 1 Default gateway 192 168 11 10 Static routes The following settings are applied to traffic generated by the mGuard Networs tobe routed over X alternative W oraig al 192 168 101 0 24 10 1 0 253 Secondary External Interface Network Mode Off v Static Stealth Configuration Client s IP address 192 68 11 1 Client s MAC address 00 00 00 00 00 00 Network gt gt Interfaces gt gt General Stealth network mode Network mode Only applies if Stealth is selected as the network mode Stealth configuration autodetect static multiple clients autodetect The FL MGUARD analyzes the network traffic and independently configures its network connection accordingly It operates transparently 8334_en_01 PHOENIX CONTACT 6 63 FL MGUARD 2 Network gt gt Interfaces gt gt General Stealth network
41. Mode PPTP on page 6 61 and Router network mode PPTP router mode on page 6 78 Router Mode Modem on page 6 62 and Router network mode Modem router mode on page 6 79 Network Mode Stealth on page 6 63 and Router network mode Modem router mode on page 6 79 Modem Built in Modem is not available for all FL MGUARD models see Network gt gt Interfaces on page 6 56 6 58 PHOENIX CONTACT 8334_en_01 Configuration Stealth default settings for FL MGUARD RS4000 RS2000 FL MGUARD SMART2 Stealth mode is used to protect a single computer or a local network with the FL MGUARD Important If the FL MGUARD is in Stealth network mode it is inserted into the existing network see figure without changing the existing network configuration of the connected devices Before gQ Q C piz ewo ye LE i O Q oS ano daa After ER m Cp n a AATE Ta Cd A LAN can also be on the left The FL MGUARD analyzes the active network traffic and independently configures its network connection accordingly It then operates transparently i e without the computers having to be reconfigured As in the other modes firewall and VPN security functions are available Externally supplied DHCP data is allowed through to the connected computer If the FL MGUARD is to provide services such as VPN DNS NTP etc a firewall installed on
42. SD card slot VPN intelligent firewall with full scope of functions for maximum security and ease of configuration router with NAT 1 1 NAT optional CIFS integrity monitoring Router with intelligent firewall stateful inspection firewall for maximum security and ease of configuration Router with intelligent firewall stateful inspection firewall for maximum security and ease of configuration VPN according to IPsec standard hardware encryption with up to 40 Mbps Security appliance in metal housing SD card slot intelligent firewall with full scope of functions for maximum security and ease of configuration router with NAT 1 1 NAT optional VPN CIFS integrity monitoring 10 4 2 Description Universal end clamp Program and configuration memory plug in 256 MB Network monitoring with HMI SCADA systems Patch cable CAT6 pre assembled 0 3 m long Patch cable CAT6 pre assembled 0 5 m long Patch cable CAT6 pre assembled 1 0 m long Patch cable CAT6 pre assembled 1 5 m long Patch cable CAT6 pre assembled 2 0 m long Patch cable CAT6 pre assembled 3 0 m long Patch cable CAT6 pre assembled 5 0 m long Patch cable CAT6 pre assembled 7 5 m long Patch cable CAT 6 pre assembled 10 m long Patch cable CAT6 pre assembled 12 5 m long Patch cable CAT6 pre assembled 15 m long Patch cable CAT6 pre assembled 20 m long Patch cable CAT5 pre assembled 0 3 m long Patch cable CAT5 pre assembled 0 5 m long Patch ca
43. System Settings gt gt Shell Access X 509 Authentication Enable X 509 If No is selected then only conventional authentication This menu item is not included in the scope of functions for certificates for methods user name and password or private and public SSH access keys are permitted not the X 509 authentication method the FL MGUARD RS2000 If Yes is selected then the X 509 authentication method can be used in addition to conventional authentication methods as also used for No If Yes is selected the following must be specified How the FLMGUARD authenticates itself to the SSH client according to X 509 see SSH server certificate 1 Howthe FLMGUARD authenticates the remote SSH client according to X 509 see SSH server certificate 2 SSH server certificate Specifies how the FL MGUARD identifies itself to the 1 SSH client Select one of the machine certificates from the list or the None entry None When None is selected the SSH server of the FL MGUARD does not authenticate itself to the SSH client via the X 509 certificate Instead it uses a server key and thus behaves in the same way as older versions of the FL MGUARD If one of the machine certificates is selected this is also offered to the SSH client The client can then decide whether to use the conventional authentication method or the method according to X 509 The selection list contains the machine certificates that have been loaded
44. TCP even when the FL MGUARD is positioned behind a NAT gateway in the network and thus cannot be reached by the VPN partner under its primary external IP address To do this the NAT gateway must forward the corresponding TCP port to the FL MGUARD see Listen for incoming VPN connections which are encapsulated on page 6 168 TCP encapsulation can only be used if an FL MGUARD Version 6 1 or later is used at both ends of the VPN tunnel TCP encapsulation should only be used if required because connections are slowed down by the significant increase in the data packet overhead and by the correspondingly longer processing times If the FL MGUARD is configured to use a proxy for HTTP and HTTPS in the Network gt gt Proxy Settings menu item then this proxy is also used for VPN connections that use TCP encapsulation TCP encapsulation supports the basic authentication and NTLM authentication methods for the proxy For the TCP encapsulation to work through an HTTP proxy the proxy must be named explicitly in the proxy settings Network gt gt Proxy Settings menu item i e it must not be a transparent proxy and this proxy must also understand and permit the HTTP method CONNECT 8334_en_01 PHOENIX CONTACT 6 167 FL MGUARD 2 As devices in the TCP encapsulation the FL MGUARD devices for the machine controllers initiate VPN data traffic to the maintenance center and encapsulate
45. The FLMGUARD was reset to the default settings via the web interface see Configuration Profiles on page 6 38 and restarted The rescue procedure flashing of the FL MGUARD or the recovery procedure have been performed see Section 8 To access the configuration interface it may be necessary to adapt the network configuration of your computer Under Windows XP proceed as follows e Click on Start Control Panel Network Connections e Right click on the LAN adapter icon to open the context menu e Inthe context menu click on Properties e Inthe Properties of local network LAN connections dialog box select the General tab e Under This connection uses the following items select Internet Protocol TCP IP 8334_en_01 PHOENIX CONTACT 5 3 FL MGUARD 2 e Then click on Properties to display the following dialog box Internet Protocol TCP IP Properties General You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings Obtain an IP address automatically Use the following IP address IP address 192 168 Subnet mask 255 255 Default gateway 192 168 Use the following DNS server addresses Preferred DNS server Altemate DNS server Figure 5 1 Internet Protocol TCP IP Properties e First select Use the following IP address then ente
46. VPNs hub and spoke Dependent on the license Up to 250 VPN channels hardware acceleration for encryption in VPN additional features Remote logging Router firewall redundancy optional Administration using SNMP v1 v3 and device manager software FL MGUARD DM PKI support for HTTPS SSH remote access Can act as an NTP and DNS server via the LAN interface In the event of problems with your FL MGUARD please contact your dealer Additional information on the device as well as on release notes and software updates can be found on the Internet at www phoenixcontact com 1 2 PHOENIX CONTACT 8334_en_01 Introduction 1 1 Device versions The FL MGUARD is available in the following device versions which largely have identical functions All devices can be used regardless of the processor technology and operating system used by the connected computers FL MGUARD SMART2 The FL MGUARD SMART2 is the smallest device version For example it can be easily inserted between the computer or local network at the LAN port of the FL MGUARD and an available router at the WAN port of the FL MGUARD without having to make configuration changes or perform driver installations on the existing system It is designed for instant use in the office or when traveling Figure 1 1 FL MGUARD SMART2 8334_en_01 PHOENIX CONTACT 1 3 FL MGUARD 2 FL MGUARD RS4000 The FL MGUARD RS4000 is a security appliance with intelli
47. a failure of the internal network connection the FL MGUARD may contain an obsolete copy of the firewall database This database must therefore be updated before the connection is reestablished The primary FL MGUARD ensures that it receives an up to date copy before becoming active 7 1 8 Interaction with other devices Virtual and actual IP addresses With firewall redundancy in Router network mode the FL MGUARD uses actual IP addresses to communicate with other network devices Virtual IP addresses are used in the following two cases Virtual IP addresses are used when establishing and operating VPN connections If DNS and NTP services are used according to the configuration they are offered to internal virtual IP addresses The usage of actual management IP addresses is especially important for the connectivity check and availability check Therefore the actual management IP address must be configured so that the FL MGUARD can establish the required connections The following are examples of how and why FL MGUARD communication takes place Communication with NTP servers to synchronize the time Communication with DNS servers to resolve host names especially those from VPN partners To register its IP address with a DynDNS service To send SNMP traps To forward log messages to a SysLog server To download a CRL from an HTTP S server To authenticate a user through a RADIUS server To download a
48. and any subdirectories Missing files trigger an alarm Missing files are files that were present during initialization An alarm is also triggered if additional files are present Include The files are included in the check Each file name is compared with the samples one after the other The first hit determines whether the file is to be included in the integrity check The file is not included if no hits are found Exclude The files are excluded from the check 8334_en_01 PHOENIX CONTACT 6 155 FL MGUARD 2 6 6 3 CIFS Integrity Monitoring gt gt CIFS Integrity Status CIFS Integrity Monitoring CIFS Integrity Status Last check was OK pc x7 scan Last check started 0 days and 13h 43m ago CIFS Integrity Monitoring gt gt CIFS Integrity Status List with buttons for each individual network drive Checked CIFS Share Click on Show to see the result of the check or to carry out actions such as start or cancel check update integrity database if the network drives to be checked have been intentionally changed Click on Edit to revise the settings for the check same as CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit on page 6 152 Status Summary Result and time of the last checks Click on Update to see a summary of the results of the latest checks Update applies to all network drives CIFS Integrity Monitoring CIFS Integrity Stat
49. are to be forwarded from the internal area to the external area Yes No default No Protocol used to establish communication sessions between two or more devices Used for audio visual transmission This protocol is older than SIP Yes No default No SIP Session Initiation Protocol is used to establish communication sessions between two or more devices Often used in IP telephony When set to Yes it is possible for the FL MGUARD to track the SIP and add any necessary firewall rules dynamically if further PCP channels are established to the same session When NAT is also activated one or more locally connected computers can communicate with external computers by SIP via the FL MGUARD 8334_en_01 PHOENIX CONTACT 6 141 FL MGUARD 2 i 6 5 1 6 Firewall on FL MGUARD RS2000 The FL MGUARD RS2000 has a straightforward 2 click firewall This either permits or rejects all incoming and outgoing connections No advanced settings are provided Furthermore access via this firewall is not logged see Section 6 10 2 Logging gt gt Browse local logs The following firewall functionality is available when using the FL MGUARD RS2000 Incoming Rules Outgoing Rules Incoming General firewall setting Accept all incoming connections Accept all incoming connections Drop all incoming connections Network Security Packet Filter Incoming Rules Outgoing Rules Outgoi
50. attributes are defined by the actual external IP address For each virtual IP address an actual IP address must be configured whose IP network accommodates the virtual address The FL MGUARD transmits the subnet mask and VLAN setting from the actual external IP address to the corresponding virtual IP address The applied VLAN settings define whether standard MTU settings or VLAN MTU settings are used for the virtual IP address a 1 2 3 255 default 51 Firewall redundancy cannot function correctly if no actual IP address and subnet mask are available Only in Router network mode This ID is sent by the redundant pair with each presence notification CARP via the external and internal interface and is used to identify the redundant pair This ID must be set so it is the same for both FL MGUARD devices It is used to differentiate the redundant pair from other Ethernet devices that are connected to the same Ethernet segment through their external internal interface Please note that CARP uses the same protocol and port as VRRR Virtual Router Redundancy Protocol The ID set here must be different to the IDs on other devices which use VRRR or CARP and are located in the same Ethernet segment 6 222 PHOENIX CONTACT 8334_en_01 Configuration Redundancy gt gt Firewall Redundancy gt gt Redundancy Encrypted state synchronization Internal virtual IP As described under External virtual IP ad
51. be deleted Additional External In addition to the default route via the default gateway Routes specified below additional external routes can be specified Network Gateway See Network example diagram on page 6 242 8334_en_01 PHOENIX CONTACT 6 75 FL MGUARD 2 Network gt gt Interfaces gt gt General Router network mode static router mode IP of default gateway The IP address of a device in the local network connected to the LAN port or the IP address of a device in the external network connected to the WAN port can be specified here If the FL MGUARD establishes the transition to the Internet this IP address is assigned by the Internet service provider ISP If the FL MGUARD is used within the LAN the IP address of the default gateway is assigned by the network administrator If the local network is not known to the external router e g in the event of configuration via DHCP specify your local network under Network gt gt NAT see page 6 94 Internal Networks See Internal Networks on page 6 73 Secondary External See Secondary External Interface on page 6 67 Interface Router network mode DHCP router mode Network Interfaces General Ethernet Dial out Dial in Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v Router Mode DHCP
52. be used to check the CA certificate of the subordinate instance etc This chain of trust continues down to the root instance the root CA or certification authority The root CA s CA file is necessarily self signed since this instance is the highest available and is ultimately the basis of trust No one else can certify that this instance is actually the instance in question A root CA therefore is a state or a state controlled organization The FL MGUARD can use its imported CA certificates to check the authenticity of certificates shown by partners In the case of VPN connections for example partners can only be authenticated using CA certificates This requires all CA certificates to be installed on the FL MGUARD in order to form a chain with the certificate shown by the partner In addition to the CA certificate from the CA whose signature appears on the certificate shown by the VPN partner to be checked this also includes the CA certificate of the superordinate CA and so forth up to the root certificate The more meticulously this chain of trust is checked in order to authenticate a partner the higher the level of security will be 8334_en_01 PHOENIX CONTACT 9 1 FL MGUARD 2 Client server Datagram Default route DES 3DES In a client server environment a server is a program or computer which accepts and responds to queries from client programs or client computers In data communication the computer establishi
53. case the fields that relate to the PAP or CHAP authentication methods are hidden 8334_en_01 PHOENIX CONTACT 6 83 FL MGUARD 2 Network gt gt Interfaces gt gt Dial out Only the fields that define further settings remain visible below Authentication None w Dialondemand Yes v idle timeout Yes v idle time seconds 300 LocaliP 0 0 0 0 Remote IP 0 0 0 0 Netmask 0 0 0 0 Other common settings Network gt gt Interfaces gt gt Dial out PPP dial out options Dial on demand Yes No a If set to Yes default This setting is useful for telephone connections where costs are calculated according to the connection time Whether Yes or No The telephone connection is always established by the FL MGUARD The FL MGUARD only commands the modem to establish a telephone connection when network packets are actually to be transferred It also instructs the modem to terminate the telephone connection as soon as no more network packets are to be transmitted for a specific time see value in Idle timeout field By doing this however the FL MGUARD is not constantly available externally i e for incoming data packets 6 84 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt Dial out The FL MGUARD also often or sporadically establishes a connection via the modem or keeps a connection longer if the following conditions apply Often The
54. checking or if the check could not be carried out due to an access error This address is entered as the sender in the e mail IP address or host name of the e mail server via which the e mail is sent Text entered in the subject field of the e mail No A check is not triggered for this network drive The FL MGUARD has not connected this drive The status cannot be viewed Yes A check is triggered regularly for this network drive Suspended The check has been suspended until further notice The status can be viewed 8334_en_01 PHOENIX CONTACT 6 151 FL MGUARD 2 CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings Checked CIFS Share Checksum Memory Name of the network drive to be checked specified under CIFS Integrity Monitoring gt gt Importable Shares gt gt Edit In order to perform the check the FL MGUARD must be provided with a network drive for storing the files The checksum memory can be accessed via the external network interface Click on Edit to make further settings for checking network drives CIFS Integrity Monitoring CIFS Integrity Checking pc x7 scan Checked Share Settings Enabled Yes Time Schedule Everyday Maximum time a check may take Checksum Memory Checksum Algorithm SHA 1 Basename of the checksum files May be prefixed with a directory Checked CIFS Share pc x7 scan v Patterns for filenames executables
55. configuration profile through an HTTPS server To download a firmware update from an HTTPS server With firewall redundancy in Router network mode devices connected to the same LAN segment as the redundant pair must use their respective virtual IP addresses as gateways for their routes If these devices were to use the actual IP address of either of the MGUARD devices this would work until that particular MGUARD failed However the other FL MGUARD would then not be able to take over 7 10 PHOENIX CONTACT 8334_en_01 Redundancy Targets for the connectivity check If a target is set for ICMP echo requests as part of the connectivity check these requests must be answered within a certain time even if the network is busy with other data The network path between the redundant pair and these targets must be set so that it is also able to forward the ICMP responses when under heavy load Otherwise the connectivity check for an FL MGUARD could erroneously fail Targets can be configured for the internal and external interface in the connectivity check see Connectivity Checks on page 6 225 It is important that these targets are actually connected to the specified interface An ICMP echo reply cannot be received by an external interface when the target is connected to the internal interface and vice versa When the static routes are changed it is easy to forget to adjust the configuration of the targets accordingly The tar
56. connection to a maintenance center and encapsulate the data traffic there Initiate or Initiate on traffic must be specified Ifthe FL MGUARD is installed at a maintenance center to which FL MGUARD devices establish a VPN connection Wait must be specified Settings Transport and Tunnel Settings x Click here to f Yes v Tunnel v 192 168 1 1 32 192 168 254 1 32 192 168 1 1 oren specify additional tunnel and Router mode transport paths Transport and Tunnel Settings Dx F Yes v Tunnel v 192 168 1 1 32 192 168 254 1 32 oren VPN connection channels For each individual VPN connection channel Enabled Comment A VPN connection defined under a descriptive name can comprise several VPN connection channels Multiple VPN connection channels can therefore be defined here When you click on More another partially overlapping page is displayed where connection parameters can be specified for the relevant transport path or tunnel Yes No Specify whether the connection channel should be active Yes or not No Freely selectable comment text Can be left empty 6 176 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt General Type Local Remote for Tunnel network lt gt network connection type m _ bal fa baal Local network Local Remote The following can be selected Tunnel network lt network Transport host lt h
57. depending on the function the share is referenced from CIFS Integrity Monitoring gt gt Importable Shares Importable CIFS Shares Name Name of the network drive to be checked internal name used in the configuration Server IP address of the authorizing server CIFS Share Name of the network drive made available by the authorizing server Click on Edit to make the settings Importable Share Identification for Reference Name pc x7 scan Location of the Importable Share IP address ofthe server 10 1 66 127 Imported share s name C Authentication for mounting the Share Workgroup WORKGROUP Login mguard scan Password eeccesces CIFS Integrity Monitoring gt gt Importable Shares gt gt Edit Identification for Reference Name Name of the network drive to be checked internal name used in the configuration Location of the Importable IP address of the IP address of the server whose network drive is to be checked Share server 8334_en_01 PHOENIX CONTACT 6 149 FL MGUARD 2 CIFS Integrity Monitoring gt gt Importable Shares gt gt Edit Authentication for mounting the Share Integrity database Imported share s Directory on the above authorized server that is to be name checked Workgroup Name of the workgroup to which the network drive belongs Login Login for the server Password Password for login 6 6 2 CIFS Integrity Monitoring gt gt CIFS Integrity Checking When CIF
58. e Then click on Install license file 6 32 PHOENIX CONTACT 8334_en_01 Configuration 6 2 3 3 Terms of License Management Licensing Overview Install Terms of License mGuard Firmware License Information The mGuard incorporates certain free and open software Some license terms associated with this software require that Innominate Security Technologies AG Provides copyright and license information see below for details All the other components of the mGuard Firmware are Copyright 2001 2010 by innominate Security Technologies AG Last reviewed on 2011 05 11 for the mGuard 7 4 0 release atv BSD stvie beron enu Gpiv2 bots GNU GPiv2 bridge utiis Gnu Geiv2 busybox enu GPiv2 MIT derivate license lcares BSD style and GNU GPLv2 divans Copyright 2001 D J Bernstein conntrack enu GPLv2 curi MTX derivate license Ebtabies enu Gpiv2 EXT2 filesystem utilities GNU GPLv2 tore joo Lora lib uuid BSD style ezipupaate enu GPiv2 inora Gnu Gpiv2 GNU GPLv2 LGPLw2 md2 Derived from the RSA Data Security Inc MD2 Message Digest Algorithm mdS Derived from the RSA Data Security Inc MDS Message Digest Algorithm F VOoSANAN Openness mapaa Eric Young BSD style OpenSSL libaes BSD style zlib zlib license rai BSD style HTML Utilities BSD stvie hdparm ESD stvie HECI ibrary ESD
59. entry refers to is displayed BLADE In addition to error messages the following messages are output on the FL MGUARD BLADE controller The areas enclosed by lt and gt are replaced by the relevant data in the log entries a AD Enr gt online AD E lt B Enr gt is mute B B B B DI ADE lt B D D E lt B AD Reading Push configuration to BLADE reconfigura timestamp from BLA Enr gt not running E daemon lt version gt starting DE lt BLADEnr gt lt BLADEnr gt tion of BLADE lt B ADEnr gt returned lt returncode gt BLADE lt BLAD Enr gt lt text gt Pull configuration from BLA DE lt B AADEnr gt Pull configuration from BLA DE lt B AADEnr gt returned lt returncode gt 6 236 PHOENIX CONTACT 8334_en_01 Configuration CIFS AV Scan Connector This log contains CIFS server messages This server is used by the FL MGUARD itself for enabling purposes In addition messages that occur when connecting the network drives and are grouped together and provided by the CIFS server are also visible CIFS Integrity Checking Messages relating to the integrity check of network drives are displayed in this log In addition messages that occur when connecting the network drives and are required for the integrity check ar
60. for SSH access to Yes the X 509 authentication procedure can be used as an alternative Which procedure is actually used by the user depends on how the user uses the SSH client When setting up a RADIUS authentication for the first time select Yes You should only select As only method for password authentication if you are an experienced user as doing so could result in all access to the FL MGUARD being blocked If you do intend to use the As only method for password authentication option when setting up RADIUS authentication we recommend that you create a Customized Default Profile which resets the authentication method The predefined users root admin netadmin and audit are then no longer able to log in to the FL MGUARD via SSH or serial console There is one exception It it still possible to perform authentication via an externally accessible serial console by correctly entering the local password for the root user name 6 16 PHOENIX CONTACT 8334_en_01 Configuration X 509 Authentication X 509 Authentication Enable X 509 certificates for SSH Yes ow access SSH server certificate mguard hh kunde de v E CAeentiieate f f 9 x 4 gt f f x SSH RootCA 01 w SSH SubCA 01 w X 509 subject Authorized for access as CN OU Admin O admin v Client certificate Authorized for access as Kraft Herbert v root v Findig Petra v root v Management gt gt
61. from the external network via the primary secondary external interface B Regardless of the setting specified here incoming ICMP packets are always accepted if SNMP access is activated Drop All ICMP messages to the FL MGUARD are dropped Allow ping requests Only ping messages ICMP type 8 to the FL MGUARD are accepted Allow all ICMPs All ICMP message types to the FL MGUARD are accepted Yes No The GARP VLAN Registration Protocol GVRP is used by GVRP capable switches to exchange configuration information If this option is set to Yes GVRP packets are allowed to pass through the FL MGUARD in Stealth mode 8334_en_01 PHOENIX CONTACT 6 139 FL MGUARD 2 Network Security gt gt Packet Filter gt gt Advanced Allow forwarding of STP frames Allow forwarding of DHCP frames Connection Tracking Maximum table size Allow TCP connections upon SYN only Timeout for established TCP connections Yes No The Spanning Tree Protocol STP 802 1d is used by bridges and switches to detect and consider loops in the cabling If this option is set to Yes STP packets are allowed to pass through the FL MGUARD in Stealth mode Yes No When set to Yes the client is allowed to obtain an IP address via DHCP regardless of the firewall rules for outgoing data traffic This option is set to Yes by default This entry specifies an upper limit This is set to a level that can never b
62. full duplex mode is also used here The time for transmission of the ICMP echo reply to the FL MGUARD Table 7 1 Frequency of the ICMP echo requests Fail over ICMP echo Timeout on the Bandwidth per switching time requests per target FL MGUARD after target transmission 1s 10 per second 100 ms 6560 bps 3s 3 3 per second 300 ms 2187 bps 10s 1 per second 1s 656 bps If secondary targets are configured then additional ICMP echo requests may occasionally be sent to these targets This must be taken into account when calculating the ICMP echo request rate The timeout for a single ICMP echo request is displayed in Table 7 1 This does not indicate how many of the responses can be missed before the connectivity check fails The check tolerates a negative result for one of two back to back intervals Availability check Presence notifications CARP measure up to 76 bytes on layer 3 of the Internet protocol When VLAN is not used 18 bytes for the MAC header and checksum are added to this with the Ethernet on layer 2 The ICMP echo reply is the same size 8334_en_01 PHOENIX CONTACT 7 5 FL MGUARD 2 Table 7 2 shows the maximum frequency at which the presence notifications CARP are sent from the active FL MGUARD It also shows the bandwidth used in the process The frequency depends on the FL MGUARD priority and the Fail over switching time Table 7 2 also shows the maximum latency tolerated by
63. gt gt User Firewall menu Firewall rules Log ID ufw Rules for NAT port forwarding Network gt gt NAT gt gt Port Forwarding menu Log ID w portforwarding Firewall rules for the serial interface Network gt gt Interfaces gt gt Dial in menu Incoming rules Log ID w serial incoming Outgoing rules Log ID w serial outgoing 8334_en_01 PHOENIX CONTACT 6 235 FL MGUARD 2 General messages When activating a configuration profile ona BLADE When retrieving a configuration profile from a BLADE Searching for firewall rules on the basis of a network security log If the Network Security checkbox is enabled so that the relevant log entries are displayed the Jump to firewall rule search field is displayed below the Reload logs button Proceed as follows if you want to trace the firewall rule referenced by a log entry in the Network Security category and which resulted in the corresponding event 1 Select the section that contains the log ID and number in the relevant log entry Copy Common 7 SNMPILLDP CFS integrity Checking V Psec VPN Jump to frewall rule CERT INSeth0 OUT CEPT INseth0 OUT ICCEPT IN etno OUT CEPT IN ethO OUT CEPT IN eth0 OUT CEPT IN ethO OUT 7 Network Securty 7 CIFS AV Scan Connector 7 n 2 Copy this section into the Jump to firewall rule field 3 Click on Lookup The configuration page containing the firewall rule that the log
64. host names and IP addresses You can also activate or deactivate the resolution of host names for a domain In addition you can delete a domain with all its assignment pairs Creating a table with assignment pairs for a domain e Open anew row and click on Edit in this row Changing or deleting assignment pairs belonging to a domain e Click on Edit in the relevant table row After clicking on Edit the DNS Records tab page is displayed DNS Records Local Resolving of Hostnames Domain for the hosts example local Enabled Yes v Resolve IP Addresses also Yes v TE A m cc host 3600 192 168 1 1 Domain for the hosts The name can be freely assigned but it must adhere to the rules for assigning domain names It is assigned to every host name Enabled Yes No Switches the Local Resolving of Hostnames function on Yes or off No for the domain specified in the field above Resolve IP Addresses No The FL MGUARD only resolves host names i e it also supplies the assigned IP address for host names Yes Same as for No It is also possible to determine the host names assigned to an IP address Hostnames The table can have any number of entries A host name may be assigned to multiple IP addresses Multiple host names may be assigned to one IP address TTL Abbreviation for Time To Live Value specified in seconds Default 3600 1 hour Specifies how long called assignment pairs may be stored in th
65. ies ilies 6 108 6 5 Network Security menu cceecceeeeeeceeeeeeeceeeeesaeeeeeecaeeeeaeeeaeessaeseeeesneeeeaaneeeeees 6 129 6 6 CIFS Integrity Monitoring Menu oo cee eeececeeeeeeeeeeeeenaeceeeeeeaeesaaeeeeeenaeeteeeenaees 6 148 6 7 IPsec VPN MONU nran eee os ee 6 164 6 8 QOS MeN k essed deel aise E a a a a a a eo ee eae Ree iat 6 207 6 9 Redundancy siana e hid e door kee ie haat te 6 218 6 10 Logging Meni iia ee ee 6 234 GTI Support Men s aian dA eel a ei ani ae aes 6 239 8334_en_01 PHOENIX CONTACT 1 FL MGUARD FW 7 4 6 12 CIDR Classless Inter Domain Routing ecceeceeeeeeeeeeeeeeneeeeeeeseeeneeennees 6 242 6 13 Network example GiaQram eeeccesseeeeeeeeeeneeeeeeeeeeeeeeeeaeeeeenaeeeeneeeeeneeeeenaes 6 243 7 SROGUAGANCY seciccceicee i reecctceee tect tiaaias etlaieet AE E EEEn o AEEA ERE AEEA EEEE tain E 7 1 7 1 Firewallred ndanCys iari a o ana aa a a a ei a Eaa 7 1 7 2 VPN redunda y r ai T ache a e a aana a T a a a ai aada eai 7 15 8 Restart recovery procedure and flashing the firmware ee ceeeeeeeeee eee eeeneeeeeeeeeeeeeeneeeeeeeees 8 1 8 1 Pefforming a resla fo cccks ere are ere re apare rao epera aeaaee raae SEDA Peada dees ERa TESE AEREE 8 1 8 2 Performing a recovery procedure sssserssriiesiiserissriirsrintriinntirnstinesrinetinnrennnnt 8 2 8 3 Flashing the firmware rescue procedure esseeeeeeeeeieeiesireireerssissrrnsrsernerrnens 8 3 9r GOSSA E ge O T eg eae age E OR ae a 9 1 TO g
66. in order to determine the correct route If arouter is connected to the computer and its internal IP address i e the IP address of the router s LAN port has been relayed to the operating system as the default gateway in the network card s TCP IP configuration then this IP address is used as the destination if all other IP addresses in the routing table are not suitable In this case the IP address of the router specifies the default route because all IP packets whose IP address has no counterpart in the routing table i e cannot find a route are directed to this gateway This symmetrical encryption algorithm gt Symmetrical encryption on page 1 7 was developed by IBM and checked by the NSA DES was specified in 1977 by the American National Bureau of Standards the predecessor of the National Institute of Standards and Technology NIST as the standard for American governmental institutions As this was the very first standardized encryption algorithm it quickly won acceptance in industrial circles both inside and outside America DES uses a 56 bit key length which is no longer considered secure as the available processing power of computers has greatly increased since 1977 3DES is a version of DES It uses keys that are three times as long i e 168 bits in length Still considered to be secure today 3DES is included in the IPsec standard for example 9 2 PHOENIX CONTACT 8334_en_01 Glossary DynDNS prov
67. individual channels of a VPN connection If individual channels are deactivated Enabled No they are not started Starting and stopping in this way thus have no effect on the settings of the individual channels i e the list under Transport and Tunnel Settings Starting and stopping a connection using a URL only makes sense if the connection is deactivated in the configuration Enabled No or if Connection startup is set to Wait Otherwise the FL MGUARD re establishes the connection automatically If the status of a VPN connection is queried using the URL specified above then the following responses can be expected Table 6 1 Status of a VPN connection Answer Meaning unknown A VPN connection with this name does not exist void The connection is inactive due to an error e g the external network is down or the host name of the partner could not be resolved in an IP address DNS void is also issued by the CGI interface even if no error occurred if for example the VPN connection is deactivated according to the configuration No set in column and has not been enabled temporarily using the CGI interface or CMD contact ready The connection is ready to establish channels or allow incoming queries regarding channel setup active At least one channel has already been established for the connection 6 172 PHOENIX CONTACT 8334_en_01 Configuration Defining a VPN connection VPN co
68. is required all HTTP connections are redirected to the FL MGUARD Changes to this option only take effect after the next restart User Password There is no default user password To set one enter the desired password in both entry fields 6 4 1 2 RADIUS Filters Authentication Administrative Users Passwords RADIUS Filters RADIUS Filters for Administrative Access gt x Group Filter ID Authorized for access as mGuard admin admin v F mGuard audit audit v Group names can be created here for administrative users whose password is checked using a RADIUS server when accessing the FL MGUARD Each of these groups can be assigned an administrative role Authentication gt gt Administrative Users gt gt RADIUS Filters This menu item is not included The FL MGUARD only checks passwords using RADIUS servers if you have activated in the scope of functions for RADIUS authentication the FL MGUARD RS2000 cy 22000 For shell access see menu Management gt gt System Settings gt gt Shell Access For web access see menu Management gt gt Web Settings gt gt Access The RADIUS filters are searched consecutively When the first match is found access is granted with the corresponding role admin netadmin audit 8334_en_01 PHOENIX CONTACT 6 109 FL MGUARD 2 Authentication gt gt Administrative Users gt gt RADIUS Filters RADIUS Filters for Administrative Access After a RADIUS
69. light Table 4 3 Service 2 plug pin assignment Designation Function Use CMD V Not used None at present CMD Not used None at present GND Not used None at present ACK Not used None at present 4 4 PHOENIX CONTACT 8334_en_01 Startup Operating a connected button Operating a connected on off switch INFO LED Table 4 4 Contact plug pin assignment Designation Function Use GND Not used None at present OFF Not used None at present GND Alarm contact E g as error light FAULT Alarm contact 9 to 36 V E g as error light Voltage present when operating correctly disconnected in the event of a fault A button or an on off switch e g key switch can be connected between service contacts CMD and CMD V A standard lamp 24 V can be connected between contacts ACK and GND The contact is short circuit proof and supplies a maximum of 250 mA The button or on off switch is used to establish and release a predefined VPN connection The output indicates the status of the VPN connection see IPsec VPN gt gt Global on page 6 163 under Options e To establish the VPN connection hold down the button for a few seconds until the signal output flashes Then release the button Flashing indicates that the FL MGUARD has received the command to establish the VPN connection and is establishing the VPN connection As soon as the VPN connection is established t
70. limited see Limitation of simultaneous sessions it is important to terminate sessions that have expired Therefore the request for a sign of life is preset to 120 seconds in the case of Version 7 4 0 or later Ifa maximum of three requests for a sign of life are issued this causes an expired session to be detected and removed after six minutes In previous versions the preset was 0 This means that no requests for a sign of life are sent If it is important not to generate additional traffic you can adjust the value When the setting 0 is made in conjunction with Limitation of simultaneous sessions subsequent access may be blocked if too many sessions are interrupted but not closed as a result of network errors Maximum number of Specifies the maximum number of times a sign of life request missing signs of life to the partner may remain unanswered For example if a sign of life request should be made every 15 seconds and this value is set to 3 the SSH connection is deleted if a sign of life is still not detected after approximately 45 seconds Limitation of simultaneous In the case of administrative access to the FL MGUARD via SSH the number of sessions simultaneous sessions is limited depending on the predefined user Approximately 0 5 MB of memory space is required for each session The root user has unrestricted access In the case of administrative access via another user admin netadmin and audit the numbe
71. manually or via DHCP so that the local address of the FL MGUARD is used as the address of the DNS server to be used If the FL MGUARD is operated in Stealth mode the management IP address of the FL MGUARD if this is configured must be used for the clients or the IP address 1 1 1 1 must be entered as the local address of the FL MGUARD Servers to query DNS Root Servers Requests are sent to the root name servers on the Internet whose IP addresses are stored on the FL MGUARD These addresses rarely change Provider defined e g via PPPoE or DHCP The domain name servers of the Internet service provider that provide access to the Internet are used Only select this setting if the FL MGUARD operates in PPPoE PPTP Modem mode or in Router mode with DHCP User defined servers listed below If this setting is selected the FL MGUARD will connect to the domain name servers listed under User defined name servers User defined name The IP addresses of domain name servers can be entered in servers this list If these should be used by the FL MGUARD select the User defined servers listed below option under Servers to query 8334_en_01 PHOENIX CONTACT 6 99 FL MGUARD 2 Network gt gt DNS gt gt DNS server Local Resolving of Hostnames You can configure multiple entries with assignment pairs of host names and IP addresses for various domain names You have the option to define change edit and delete assignment pairs of
72. mode Autodetect ignore NetBIOS over TCP traffic on TCP port 139 static If the FL MGUARD cannot analyze the network traffic e g because the locally connected computer only receives data and does not send it then Stealth configuration must be set to static In this case further entry fields are available for the static Stealth configuration at the bottom of the page multiple clients Default As with autodetect but it is possible to connect more than one computer to the LAN port secure port of the FL MGUARD meaning that multiple IP addresses can be used at the LAN port secure port of the FL MGUARD No Yes Only with autodetect Stealth configuration If a Windows computer has more than one network card installed it may alternate between the different IP addresses for the sender address in the data packets it sends This applies to network packets that the computer sends to TCP port 139 NetBIOS As the FL MGUARD determines the address of the computer from the sender address and thus the address via which the FLMGUARD can be accessed the FL MGUARD would have to switch back and forth and this would hinder operation considerably To avoid this set this option to Yes if the FL MGUARD has been connected to a computer that has these properties 6 64 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt General Stealth network mode Stealth Management IP Address Management
73. of a VPN connection is installed in the Psec VPN gt gt Connections menu For a more detailed explanation see Authentication gt gt Certificates on page 6 115 Example of imported remote certificates Authentication Certificates Certificate settings Machine Certificates CA Certificates Remote Certificates CRL z Trusted remote Certificates gt x Subject CN Battaglia Mauro L KS OU Spezialwartung O Beispiel Lieferant C DE Subject Alternative Names Issuer CN SSH SubCA 01 0 Secure Access GmbH C DE Validity From Mar 20 19 37 46 2007 GMT to Mar 20 19 37 46 2010 GMT Fingerprint MOS 52 E5 2D BE 00 88 0B F8 39 1E BF 92 9F 2E B9 7C SHA1 68 52 FB FF E2 0D 8A 7A 69 D8 B3 D6 CB 7E 82 4E CD DE SA CE W Shortname Battaglia Mauro Upload Certificate Filename Durchsuchen import Coven cee Authentication gt gt Certificates gt gt Remote Certificates Trusted remote Certificates Displays the current imported remote certificates Importing a new certificate Requirement The file file name extension cer pem or crt is saved on the connected computer Proceed as follows e Click on Browse to select the file e Click on Import Once imported the loaded certificate appears under Certificate e Remember to save the imported certificate along with the other entries by clicking on the Apply button Shortname When importing a remote certificate the CN attribute from
74. publication of extracts of this document is prohibited Phoenix Contact reserves the right to register its own intellectual property rights for the product identifications of Phoenix Contact products that are used here Registration of such intellectual property rights by third parties is prohibited Other product identifications may be afforded legal protection even where they may not be indicated as such PHOENIX CONTACT Table of contents 1O MATWOGUCTION renerion iiaeia EEEE TEENEKS EEE EEE pads nd tees edna 1 1 1 1 Device VASO S ra l ra a aa e a foneditotestiadesd 1 3 2 Preliminary user manualTypical application scenarios 0 0 eee cette eee eeeeeeeeeeeeeeeeeeeeeeeeaaaaes 2 1 2 1 Stealth Modes s 3 2 neste eats Ube halite cia io ene ee 2 1 2 2 NG tWOrk POUTGR sie cnccccseccsads cebscecztasesesduats cassehiehdssavasdestseseava di cpdscercatacesvavads dobesanaib ees 2 2 2 3 DMZteveusiceeates a ae oe i A ee A 2 3 2 4 VPN gateways non e a BSG a ee ee 2 3 2 5 WLAN via VPN gt cscs csccdceeit sscedastedeocevadcdacice cantsachhesegidadeisseyadedal fiaztatdatdeaseaneed ceesvanes 2 4 2 6 Resolving network conflicts eee cceeceeeeneeeceneeeeeeeeeenaeeeeenaeeeeneeeeenaeeseeneeeenneeeees 2 5 3 Operating elements and LEDS cc ecccccceeeeececeeeeeeeeeeeeeaeeeeeaaeeeeeeeaaaeeeesaaaeeesesneeeeeeeeaaaeeees 3 1 3 1 FL MGUARD RS4000 RS2000 2 cccececceeeseececeeceeseaeeeseeaeeseneeeeseaeesseeeeeseneeeees 3 1 3 2 FL MG
75. self signed certificate A corresponding certificate signed by a CA must be requested from the CA In order for the private key to be imported into the FL MGUARD with the corresponding certificate these components must be packed into a PKCS 12 file file name extension p12 The FL MGUARD uses two methods of X 509 authentication that are fundamentally different The authentication of a partner is carried out based on the certificate and remote certificate In this case the remote certificate that is to be consulted must be specified for each individual connection e g for VPN connections The FLMGUARD consults the CA certificate provided to check whether the certificate shown by the partner is authentic This requires all CA certificates to be made available to the FL MGUARD in order to form a chain with the certificate shown by the partner through to the root certificate Available means that the relevant CA certificates must be installed on the FL MGUARD see CA certificates on page 6 124 and must also be referenced during the configuration of the relevant application SSH HTTPS and VPN Whether both methods are used alternatively or in combination varies depending on the application VPN SSH and HTTPS 8334_en_01 PHOENIX CONTACT 6 117 FL MGUARD 2 Authentication for SSH The partner shows the following Certificate specific to individual signed by CA Certificate specific to individu
76. server has checked and accepted a user s password it sends the FL MGUARD a list of filter IDs in its response These filter IDs are assigned to the user in a server database They are used by the FL MGUARD for assigning the group and hence the authorization level as admin netadmin or audit If authentication is successful this is noted as part of the FL MGUARD s logging process Other user actions are logged here using the original name of the user The log messages are forwarded to a SysLog server provided a SysLog server has been approved by the FL MGUARD The following actions are recorded Login Logout Start of a firmware update Changes to the configuration Password changes for one of the predefined users root admin netadmin audit and user Group Filter ID Authorized for access as The group name may only be used once Two lines may not have the same value Answers from the RADIUS server with a notification of successful authentication must have this group name in their filter ID attribute Up to 50 characters are allowed printable UTF 8 characters only without spaces Each group is assigned an administrative role admin Administrator netadmin Administrator for the network audit Auditor 6 110 PHOENIX CONTACT 8334_en_01 Configuration 6 4 2 Authentication gt gt Firewall Users To prevent private surfing on the Internet for example every outgoing connection i
77. specified in certificates and CRLs is ignored by the FL MGUARD Wait for synchronization of the system time The validity period specified in certificates and CRLs is only observed by the FL MGUARD if the current date and time are known to the FL MGUARD Through the built in clock or By synchronizing the system time see Time and Date on page 6 7 Until this point all certificates to be checked are considered invalid for security reasons 6 120 PHOENIX CONTACT 8334_en_01 Configuration Authentication gt gt Certificates gt gt Certificate settings Enable CRL checking Yes When CRL checking is enabled the FL MGUARD consults the CRL certificate revocation list and checks whether or not the certificates that are available to the FL MGUARD are blocked CRLs are issued by the CAs and contain the serial numbers of blocked certificates e g certificates that have been reported stolen On the CRL tab page see CRL on page 6 128 specify the origin of the FL MGUARD revocation lists When CRL checking is enabled a CRL must be configured for each issuer of certificates on the FL MGUARD Missing CRLs result in certificates being considered invalid Revocation lists are verified by the FL MGUARD using an appropriate CA certificate Therefore all CA certificates that belong to a revocation list all sub CA certificates and the root certificate must be imported on the FL MGUARD
78. switching time can be set to 1 3 or 10 seconds in the event of errors 7 22 PHOENIX CONTACT 8334_en_01 Redundancy 7 2 9 Limits of VPN redundancy The limits documented above for firewall redundancy also apply to VPN redundancy see Limits of firewall redundancy on page 1 14 Further restrictions also apply The redundant pair must be configured in exactly the same way with respect to the following General VPN settings Each individual VPN connection The FL MGUARD only accepts VPN connections to the first virtual IP address In Router network mode this means the first internal IP address and the first external IP address The following features cannot be used with VPN redundancy Dynamic activation of the VPN connections using a VPN switch or the CGI script command nph vpn cgi only on FL MGUARD industrial rs Archiving of diagnostic messages for VPN connections VPN connections are only supported in Tunnel mode Transport mode does not take sufficient account of VPN connections The upper limit of the fail over switching time does not apply to connections which are encapsulated with TCP Connections of this type are interrupted for a prolonged period during a fail over The encapsulated TCP connections must be reestablished by the initiating side after each fail over If the fail over occurred on the initiating side they can start immediately after the transfer However if the fail over occurre
79. the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Name of rule sets if defined In addition to Accept Reject and Drop the selection list also contains the names of previously defined sets of rules If a name is selected referenced the rules contained in this set of rules are applied here If the rules from the applied set of rules cannot be used and implemented with Accept Reject or Drop rule processing continues with the rule following the one from which the set of rules was referenced Freely selectable comment for this rule For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings 8334_en_01 PHOENIX CONTACT 6 135 FL MGUARD 2 6 5 1 4 MAC Filtering Network Security Packet Filter Incoming Rules 1 Outgoing Rules Rule Records MAC Filtering i Advanced l Incoming x Source MAC Destination MAC Ethernet Protocol OCC AK YOCXX XK OCKK AK any Accept v Ethernet Protocol may be any IPv4 ARP Length or a hexadecimal value Please note These rules only apply to the Stealth mode Please note Management access to 1 1 1 1 requires ARP resol
80. the FL MGUARD RS4000 RS2000 on page 4 3 Connecting the FL MGUARD SMART on page 4 7 Displays the state of the alarm contact Either Open Error or Closed OK If set to Ignore the state of the power supply does not influence the alarm contact If set to Supervise the alarm contact is opened if one of the two supply voltages fails 6 6 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Alarm Contact Manual settings Link monitoring Monitoring of the link status of the Ethernet connections Possible settings are Ignore Supervise internal only trusted Supervise external only untrusted Supervise both Contact If Alarm contact has been set to Manual settings the contact can be set to Closed or Open Alarm here 6 2 1 3 Time and Date Set the time and date correctly Otherwise certain time dependent activities cannot be started by the FL MGUARD see Time controlled activities on page 6 8 Host Time and Date Shell Access Time and Date Current system time UTC Mon Nov 21 08 05 58 UTC 2011 Current system time local Mon Nov 21 09 05 58 CET 2011 System time state synchronized by NTP Hardware clock state synchronized Local system time 2011 11 21 09 05 58 yYYY MM DD HH MM SS Timezone in POSIX 1 notation CET 1CEST M3 5 0 M10 5 Eg CET 1 for the EU or CET 1CEST M3 5 0 M10 5 0 3 with automatic daylight saving ti
81. the FL MGUARD for the network that is used to transmit the presence notifications CARP If this latency is exceeded the redundant pair can exhibit undefined behavior Table 7 2 Frequency of the presence notifications CARP Fail over Presence notifications CARP per Maximum Bandwidth on switching second latency layer 2 for the time High priority Low priority high priority 1s 50 per second 25 per second 20 ms 37 600 bps 3s 16 6 per second 8 3 per second 60 ms 12 533 bps 10s 5 per second 2 5 per second 200 ms 3760 bps 7 6 PHOENIX CONTACT 8334_en_01 Redundancy 7 1 6 Error compensation through firewall redundancy Firewall redundancy is used to compensate for hardware failures Primary MGUARD N 1 mee i 3 A1 A2 ie lt n External Internal network network Pa ioe Secondary MGUARD Figure 7 2 Possible error locations 1 8 Figure 7 2 shows a diagram containing various error locations not related to the network mode Each of the FLMGUARD devices in a redundant pair is located in a different area A and B The FL MGUARD in area A is connected to switch A1 through its external Ethernet interface and to switch A2 through its internal Ethernet interface FL MGUARD B is connected accordingly to switches B1 and B2 In this way the switches and FL MGUARD devices connect an external Ethernet network to an internal Ethernet network The connection i
82. the HASH value The CA then encrypts this with its own private key and then adds it to the certificate The encryption with the CA s private key proves the 9 8 PHOENIX CONTACT 8334_en_01 Glossary authenticity of the certificate i e the encrypted HASH string is the CA s digital signature If the certificate data is tampered with then this HASH value will no longer be correct and the certificate will be rendered worthless The HASH value is also known as the fingerprint Since it is encrypted with the CA s private key anyone who has the corresponding public key can decrypt the bit string and thus verify the authenticity of the fingerprint or signature The involvement of a certification authority means that it is not necessary for key owners to know each other They only need to know the certification authority involved in the process The additional key information also simplifies administration of the key X 509 certificates can for example be used for e mail encryption by means of S MIME or IPsec 8334_en_01 PHOENIX CONTACT 9 9 FL MGUARD 2 9 10 PHOENIX CONTACT 8334_en_01 Technical data 10 Technical data 10 1 Hardware properties Platform Network interfaces Other interfaces Memory High availability Power supply unit Power consumption Humidity range Degree of protection Temperature range Dimensions H x W x D Weight Firmware and power values Firmware compatib
83. the data packets sent to it As soon as a connection is initiated the maintenance center also automatically encapsulates the data packets EL GU sent to the relevant VPN partner g initiate on nnec VPN ARD Machine gewices 0 controller 1 _ Machine controller 2 Maintenance center A 4 Machine FL MGUARD of maintenance center Required basic settings IPsec VPN menu item Global Options tab page Listen for incoming VPN connections which are encapsulated Yes Connections submenu General tab page Address of the partner s VPN gateway any Connection startup Wait controller 3 FL MGUARD devices on machine controllers Required basic settings IPsec VPN menu item Global Options tab page Listen for incoming VPN connections which are encapsulated No Connections submenu General tab page Address of the partner s VPN gateway Fixed IP address or host name Connection startup Initiate or Initiate on traffic Encapsulate the VPN traffic in TCP Yes Figure 6 2 TCP encapsulation in an application scenario with a maintenance center and machines maintained remotely via VPN connections IPsec VPN gt gt Global gt gt Options TCP Encapsulation Listen for incoming VPN connections which are encapsulated Default setting No Only set this option to Yes if the TCP Encapsulation function is used Only then can the FL MGUARD allo
84. the networks on the right hand side should be accessible to the network or computer on the left hand side However for historical or technical reasons the networks on the right hand side overlap The 1 1 NAT feature of the FL MGUARD can be used to translate these networks to other networks thus resolving the conflict 1 1 NAT can be used in normal routing and in IPsec tunnels 8334_en_01 PHOENIX CONTACT 2 5 FL MGUARD 2 2 6 PHOENIX CONTACT 8334_en_01 Operating elements and LEDs 3 Operating elements and LEDs 3 1 FL MGUARD RS4000 RS2000 _ COMBICON plug in connector for assignment see page 4 4 Connections at bottom 9 pos serial interface console LEDs see Table 3 1 Configuration SD card ae Figure 3 1 Operating elements and LEDs on the FL MGUARD RS4000 Table 3 1 LEDs on the FL MGUARD RS4000 and RS2000 LED State Meaning P1 Green ON Power supply 1 is active P2 Green ON Power supply 2 is active FL MGUARD RS2000 not used STAT Flashing green Heartbeat The device is connected correctly and is operating ERR Flashing red System error Restart the device Press the Rescue button for 1 5 seconds Alternatively briefly disconnect the device power supply and then connect it again If the error is still present start the recovery procedure see Performing a recovery procedure on page 8 2 or contact the Support team SIG Not used FAULT Red ON T
85. there are any problems that cannot be solved with the help of this documentation please contact our hotline 49 5281 9 462888 10 6 PHOENIX CONTACT 8334_en_01
86. this will continue to be displayed at the top of the page until the passwords are changed 6 2 1 Management gt gt System Settings 6 2 1 1 Host Management System Settings Host Signal Contact TimeandDate Shell Access System Uptime 4min Power supply 1 2 ok failure System Temperature C min 0 C current 29 2 C max 60 T System DNS Hostname Hostname mode User defined from field below w Hostname mguard Domain search path example local SNMP Information System Name Location Contact Management gt gt System Settings gt gt Host System Uptime Device operating time since the last restart FL MGUARD RS4000 RS2000 only Power supply 1 2 State of both power supply units does not apply to FL MGUARD RS2000 Temperature C An SNMP trap is triggered if the temperature exceeds or falls below the specified temperature range FL MGUARD SMART2 only CPU temperature C An SNMP trap is triggered if the temperature exceeds or falls below the specified temperature range 6 4 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Host System DNS Hostname Hostname mode Hostname Domain search path SNMP Information System name Location Contact HiDiscovery You can assign a name to the FL MGUARD using the Hostname mode and Hostname fields This name is then displayed for example when logging in via SSH see Managem
87. through a certain user then the first filter applies The user is assigned the access rights as defined by this filter This could differ from the access rights assigned to the user in the subsequent filters If remote certificates are configured as filters in the X 509 Certificate table column then these filters have priority over the filter settings here 8334_en_01 PHOENIX CONTACT 6 29 FL MGUARD 2 Management gt gt Web Settings gt gt Access Authorized for access as X 509 Certificate Authorized for access as All users root admin netadmin audit Specifies which user or administrator rights are granted to the remote user For a description of the root admin and user authorization levels see Authentication gt gt Administrative Users on page 6 108 The netadmin and audit authorization levels relate to access rights in the case of access with the device manager software FL MGUARD DM This configuration is required in the following cases Remote users each show a self signed certificate Remote users each show a certificate signed by a CA Filtering should take place Access is only granted to a user whose certificate copy is installed on the FL MGUARD as the remote certificate and is provided to the FL MGUARD in this table as the X 509 Certificate If used this filter has priority over the Subject filter in the table above The entry in this field defines which
88. tunnel From Port To Port Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 8334_en_01 PHOENIX CONTACT 6 193 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt Firewall Outgoing Action Comment Log Log entries for unknown connection attempts Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Freely selectable comment for this rule For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings When set to Yes all connection attempts that are not covered by the rules defined above are logged The explanation provided under Incoming also applies to Outgoing 6 194 PHOENIX CONTACT 8334_en_01 Configuration 6 7 3 4 IKE Options Firewall IKE Options General Authentication ISAKMP SA Key Exchange Algorithms This preference list sta
89. user You should only select As only method for password authentication if you are an experienced user as doing so could result in all access to the FL MGUARD being blocked When setting up a RADIUS authentication for the first time select Yes If you do intend to use the As only method for password authentication option when setting up RADIUS authentication we recommend that you create a Customized Default Profile which resets the authentication method If you have selected RADIUS authentication as the only method for checking the password it may no longer be possible to access the FL MGUARD For example this may be the case if you set up the wrong RADIUS server or convert the FL MGUARD The predefined users root admin netadmin audit and user are then no longer accepted External 2 and Dial in are only for devices with a serial interface see Network gt gt Interfaces on page 6 56 8334_en_01 PHOENIX CONTACT 6 25 FL MGUARD 2 Management gt gt Web Settings gt gt Access User authentication User authentication This menu item is not included User authentication method Login with X 509 client certificate or password w in the scope of functions for p x the FL MGUARD RS2000 VPN RootCA01 v gt x F a root v gt x er Battaglia Mauro w root X Defines how the local User authentication Login with password FL MGUARD authenticates method the remote partner Specifies that th
90. value should be set to the highest value supported by the modem If the value is set lower than the maximum possible speed that the modem can reach on the telephone line the telephone line will not be used to its full potential 8334_en_01 PHOENIX CONTACT 6 91 FL MGUARD 2 Network gt gt Interfaces gt gt Modem Console rr two simple quotation marks placed directly after one another d dATH OK Li Handle modem Yes No reer Cordial If the external modem is used for dial in see page 6 87 Yes means that the FL MGUARD does not initialize the modem The subsequently configured modem initialization sequence is not observed Thus either a modem is connected which can answer calls itself default profile of the modem contains auto answer or a null modem cable to a computer can be used instead of the modem and PPP protocol is used over this Modem init string Specifies the initialization sequence that the FL MGUARD sends to the connected modem Default d dATH OK If necessary consult the modem user manual for the initialization sequence for this modem The initialization sequence is a sequence of character strings expected by the modem and commands that are then sent to the modem so that the modem can establish a connection The preset initialization sequence has the following meaning The empty character string inside the quotation marks means that the FL MGUARD does not initially expec
91. w There are no additional setting options for Router network mode DHCP router mode Network gt gt Interfaces gt gt General Router network mode DHCP router mode Internal Networks See Internal Networks on page 6 73 Secondary External See Secondary External Interface on page 6 67 Interface 6 76 PHOENIX CONTACT 8334_en_01 Configuration Router network mode PPPoE router mode Network Interfaces General Ethernet Dial out Dialin Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v Router Mode PPPoE w PPPoE PPPoE Login user provider example n When Router is PPPoE Password selected as the Request PPPoE Service W v network mode and Name PPPoE is selected PEEVE Service ee as the router mode a e T Re connect daily at 0 ho m Network gt gt Interfaces gt gt General Router network mode PPPoE router mode PPPoE For access to the Internet the Internet service provider ISP provides the user with a user name login and password These are requested when you attempt to establish a connection to the Internet PPPoE Login The user name login that is required by the Internet service provider ISP when you attempt to establish a connection to the Internet PPPoE Password The password that is required by the Internet service provider when you attempt
92. 0 on port 1024 26 11 09 41 19 774 Read request for file lt install p s gt Mode octet 26 11 09 41 19 774 lt install p s gt sent 4 blks 2048 bytes in 1 s 0 blk resent 26 11 09 41 20 786 Connection received from 192 168 10 200 on port 1024 26 11 09 43 17 053 Read request for file lt jffs2 img p7s gt Mode octet 26 11 09 43 17 053 lt jffs2 img p s gt sent 14614 blks 7482368 bytes in 11 s 0 blk resent 26 11 09 43 28 008 Current Action eiffs2ima p7s gt sent 14614 biks 7482368 bytes in 11 s D blk resent moa he Figure 8 2 Entering the host IP 8334_en_01 PHOENIX CONTACT 8 5 FL MGUARD 2 Switch to the TFTP Server or DHCP server tab page and click on Settings to set the parameters as follows Tftpd32 Settings xj r Base Directory E Amy Browse gt Tftpd32 by Ph Jounin F lol x noel eel Current Directory Em Browse IV TFTP Server Syslog Server I Save syslog message I TFTP Client I DHCP Server File aa Server interface 192168 1 0 1 7 Show Dit r TFTP Security r TFTP configuration Titp Server DHCP server C None E Standard Tineo isecondsi f3 IP pool starting address 192 168 10 200 7 Max Retransmit 6 3 f High Thppot Size of pool J30 g C Read Ony Boot File DO Y O r Advanced TFTP Options WINS DNS Server 0 0 0 0 v IV Option negotiation T Hide Window at startup Default router 0 0 0 0 3 M Show Progre
93. 1 0 24 Figure 2 5 WLAN via VPN 4 Yace 89i 26k Vv ZL OL LL In this example the FL MGUARD devices were set to router mode and a separate network with 172 16 1 x addresses was set up for the WLAN To provide the annex with an Internet connection via the VPN a default route is set up via the VPN Tunnel configuration in the annex Connection type Tunnel network lt gt network Address of the local network 192 168 2 0 24 Address of the remote network 0 0 0 0 0 In the main building the corresponding counterpart is configured Tunnel configuration in the main building Connection type Tunnel network lt gt network Local network 0 0 0 0 Address of the remote network 192 168 2 0 24 The default route of an FL MGUARD usually uses the WAN port However in this case the Internet can be accessed via the LAN port Default gateway in the main building IP address of the default gateway 192 168 1 253 2 4 PHOENIX CONTACT 8334_en_01 Preliminary user manualTypical application scenarios 2 6 Resolving network conflicts Li gt 10 0 0 0 16 o z gt 10 0 0 0 16 oo Ci W gt 10 0 0 0 16 ill oo Resolving network conflicts In the example
94. 334_en_01 Configuration 6 5 3 Network Security gt gt User Firewall This menu is not available on the FL MGUARD RS2000 The user firewall is used exclusively by firewall users i e users that are registered as firewall users see Authentication gt gt Firewall Users on page 6 111 Each firewall user can be assigned a set of firewall rules also referred to as a template 6 5 3 1 User Firewall Templates Network Security User Firewall User Firewall Templates cx m a E so me Yes v BluePrint All defined user firewall templates are listed here A template can consist of several firewall rules A template can be assigned to several users Defining a new template e Inthe template table click on Edit to the right of the unnamed entry under Name e Ifthe unnamed entry cannot be seen open another row in the table Editing a set of rules e Click on Edit to the right of the relevant entry Network Security gt gt User Firewall gt gt User Firewall Templates General Enabled Activates deactivates the relevant template Name Name of the template The name is specified when the template is created The following tab page appears when you click on Edit Network Security User Firewall BluePrint General Template users Firewall rules Options A descriptive name for the template Enabled Yes v BluePrint Comment Timeout 28800 Timeouttype stat
95. 36 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Update Online Update Automatic Update Update Servers To perform an online update proceed as follows e Make sure that there is at least one valid entry under Update Servers You should have received the necessary details from your licenser e Enter the name of the package set e g update 6 1 x 7 2 0 e Then click on Install Package Set This is a version of the online update where the FL MGUARD independently determines the required package set Install the latest patch Patch releases resolve errors in previous versions and have a release x y Z version number which only changes in the third digit position For example 4 0 1 is a patch release for Version 4 0 0 Install the latest minor Minor and major releases supplement the FL MGUARD with release x Y z forthe new properties or contain changes that affect the behavior of currently installed the FL MGUARD Their version number changes in the first or major version second digit position Install the next major For example 4 1 0 is a major or minor release for versions release X y z 3 1 0 or 4 0 1 respectively Specify from which servers an update may be performed The list of servers is processed from top to bottom until an available server is found The order of the entries therefore also specifies their priority A All configured update servers must provide the same updat
96. 4000 indicates the failure of the supply voltage via the alarm contact This message can be prevented by feeding the supply voltage via both inputs 4 6 PHOENIX CONTACT 8334_en_01 Startup 4 4 Connecting the FL MGUARD SMART2 LAN port Ethernet connector for direct connection to the device or network to be protected local device or network USB connector For connection to the USB interface of a computer For the power supply default settings The FL MGUARD SMART2 not the FL MGUARD SMART can be configured such that a serial console is available via the USB connector see Section 6 3 1 5 WAN port Socket for connection to the external network e g WAN Internet Connections to the remote device or network are established via this network Use a UTP cable CATS Before C j E Cp g a After A LAN can also be on the left eas i we 3 s Ch S LD Figure 4 3 FL MGUARD SMART2 Connection to the network If your computer is already connected to a network insert the FL MGUARD SMART2 between the network interface of the computer i e its network card and the network Driver installation is not required For security reasons we recommend you change the default root and administrator passwords during initial configuration WARNING This is a Class A item of equipment This equipment can cause radio interference i
97. 6 00000206000 NY B 10 0 0 0 8 External v Accept No v These rules allow to grant remote access to the CIFS server of the mGuard Please note In router mode with NAT or portforwarding the network ports required for the CIFS server have priority over portforwarding Please note Access to the CIFS server is granted from the internal side via dial in and VPN by default and can be restricted by these firewall rules Consolidated Imported Shares AX Enabled Exported in Subdirectory CIFS Share p F Yes v pc x7 pce x7 scan v CIFS Integrity Monitoring gt gt CIFS AV Scan Connector CIFS Server Enable the server No CIFS server is not available Yes CIFS server is available 8334_en_01 PHOENIX CONTACT 6 159 FL MGUARD 2 CIFS Integrity Monitoring gt gt CIFS AV Scan Connector Allowed Networks Accessible as Displays the virtual network drive provided by the FL MGUARD for the CIFS Antivirus Scan Connector function This path is displayed with UNC notation By means of copy and paste it can be directly used on the PC which is to use the virtual network drive see Accessing the virtual network CIFS Antivirus Scan Connector on page 6 162 Two UNC addresses for the internal and external interface are displayed in Router network mode while one UNC address is displayed in Stealth network mode Access to the virtual network drive can be prevented as a result of the settings in the Allowed Netwo
98. 6 185 the following applies The IP address of the SysLog server must be located in the network that is specified as Remote in the definition of the VPN connection 6 10 2 Logging Browse local logs Logging gt gt Browse local logs i2011 10 26_15 63338 63338 77216 77241 77251 77278 77298 77323 77562 79624 79689 79736 80633 80690 80744 80880 17574 27016 27019 27023 66814 67108 67138 67154 67175 67319 67553 67593 17281 17361 17412 17464 17517 17561 17583 54001 54021 54395 54415 54515 12224 i2011 10 27_11 2011 10 27_11 2011 10 27_11 2011 10 27_11 2011 10 27_11 2011 10 27_11 2011 10 27_11 2011 10 27_11 i2011 10 27_11 Bnin 11 ham ssv ham vsr ham ssv ham ssv ham ssv ham vsr ham fsr ham fsr ham fsr ham fsr ham fsr ham vsr ham vsr ham vsr ham ssv beron beron exec INFO INFO transitioned to state active terminating NOTICE EOF from component INFO transitioned to state active_waiting NOTICE EOF from component INFO ham vsr 2877 terminated terminating ham fsr 2922 terminated ham fsr 3453 starting started entering sending mode ham vsr 3459 starting started entering sending mode transitioned to state active root CMD cifsscan start_scan r MAI2011736741 beron Subject Cron lt root mguard cessmann gt cifsscan start_scan r MAI20117367 beron beron OK ham ssv
99. 6 67 6 78 PHOENIX CONTACT 8334_en_01 Configuration Router network mode Modem router mode FL MGUARD RS4000 only General Ethernet Dial out Dial in Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v Router Mode Modem v Network gt gt Interfaces gt gt General Router network mode Modem router mode Modem Built in Modem Modem network mode is available for FL MGUARD RS4000 For all the devices mentioned above data traffic is routed via the serial interface and not via the FL MGUARD WAN port when in Modem network mode From there itis routed via the externally accessible serial interface serial port to which an external modem must be connected The connection to the Internet service provider and therefore the Internet is established via the telephone network using a modem In Modem network mode the serial interface of the FL MGUARD is not available for the PPP dial in option or for configuration purposes see Modem Console on page 6 90 After selecting Modem as the network mode specify the required parameters for the modem connection on the Dial out and or Dial in tab pages see Dial out on page 6 81 and Dial in on page 6 87 Enter the connection settings for an external modem on the Modem Console tab page see Modem Console on
100. 8 43 Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Alternative Name email xyz anywhere com Netscape Comment mod_ssl generated test server certificate Netscape Cert Type SSL Server Signature Algorithm md5WithRSAEncryption 12 ed f7 b3 5 a0 93 3f a0 1d 60 cb 47 19 7d 15 59 9b 3b 2c a8 a3 6a 03 43 d0 85 d3 86 86 2f e3 aa 79 39 e7 82 20 ed f4 11 85 a3 41 5e 5c 8d 36 a2 7 1 b6 6a 08 f9 cc 1e da c4 78 05 75 8f 9b 10 f00 15 f0 9e 67 a0 4e a1 4d 3f 16 4c 9b 19 56 6a f2 af 89 54 52 4a 06 34 42 0d d5 40 25 6b b0 c0 a2 03 18 cd d1 07 20 b6 e5 c5 1e 21 44 e7 c5 09 d2 d5 94 9d 6c 13 07 2f 3b 7c 4c 64 90 bf ff 8e 9 6 PHOENIX CONTACT 8334_en_01 Glossary Symmetrical encryption TCP IP Transmission Control Protocol Internet Protocol The subject distinguished name or subject for short uniquely identifies the certificate owner The entry consists of several components These are known as attributes see the example certificate above The following table contains a list of possible attributes The sequence of attributes in an X 509 certificate can vary Table 9 1 X 509 certificate Abbreviation Name Explanation CN Common name Identifies the person or object to whom or which the certificate belongs Example CN server1 E E mail address Specifies the e mail address of the certificate owner OU Organizational unit Specifies the department within an organization or company Example
101. ARD RS2000 Access via the SEC Stick requires a license This access function can only be used if the corresponding license has been purchased and installed Enable SEC Stick Set this option to Yes to specify that the SEC Stick being used service at a remote location or its owner is able to log in In this case SEC Stick remote access must also be enabled next option Enable SEC Stick Set this option to Yes to enable SEC Stick remote access remote access Remote SEC Stick Default 22002 TCP Port If this port number is changed the new port number only applies for access via the External External 2 or VPN interface Port number 22002 still applies for internal access 8334_en_01 PHOENIX CONTACT 6 201 FL MGUARD 2 SEC Stick gt gt Global gt gt Access Delay between requests for a sign of life Maximum number of missing signs of life Default 120 seconds Values from 0 to 3600 seconds can be set Positive values indicate that the FL MGUARD is sending a query to the partner within the encrypted SSH connection to find out whether it can still be accessed The request is sent if no activity was detected from the partner for the specified number of seconds e g due to network traffic within the encrypted connection The value entered relates to the functionality of the encrypted SSH connection As long as the functions are working properly the SSH connection is not terminated by the FL MG
102. ARD v7 4 or later Phoenix Contact recommends using firmware Version 7 x with the respective current patch releases For the scope of functions please refer to the relevant firmware data sheet Router mode default firewall ruls bidirectional throughput max 124 Mbps Stealth mode default firewall rules bidirectional throughput max 58 Mbps DES 3DES AES 128 192 256 Router mode default firewall ruls bidirectional throughput max 40 Mbps Stealth mode default firewall rules bidirectional throughput max 26 Mbps Web GUI HTTPS command line interface SSH SNMP v1 2 3 central device management software LEDs 3 LEDs in combination for boot process heartbeat system error Ethernet status recovery mode log file remote SysLog CE FCC Realtime clock Trusted Platform Module TPM temperature sensor 10 4 PHOENIX CONTACT 8334_en_01 Technical data 10 4 Ordering data 10 4 1 Products Description Security appliance in metal housing with extended temperature range SD card slot up to 2 VPN tunnels 2 click firewall for maximum ease of configuration router with NAT 1 1 NAT Security appliance in metal housing with extended temperature range SD card slot intelligent firewall with full scope of functions for maximum security and ease of configuration router with NAT 1 1 NAT optional VPN CIFS integrity monitoring Security appliance in metal housing with extended temperature range
103. AUTOMATION S 7 300 e 30 9 X1 WAN 1 Xi WAN 1 X2 LAN 1 LJ X2 LAN 1 eA i mle TETE EZ lMGuard rs2000 User manual UM EN FL MGUARD2 Order No User manual for the hardware and software of FL MGUARD security appliances OO GD GD OGD OO GD conc OGD INSPIRING INNOVATIONS AUTOMATION User manual User manual for the hardware and software of FL MGUARD security appliances 2012 06 27 Designation UM EN FL MGUARD2 Revision 01 Order No This user manual is valid for Designation Revision FL MGUARD RS2000 TX TX VPN FL MGUARD RS4000 TX TX FL MGUARD RS4000 TX TX VPN FL MGUARD SMART2 FL MGUARD SMART2 VPN FL MGUARD DELTA TX TX Order No 2700642 2700634 2200515 2700640 2700639 2700967 8334_en_01 PHOENIX CONTACT Internet Subsidiaries Published by Please observe the following notes User group of this manual The use of products described in this manual is oriented exclusively to Qualified electricians or persons instructed by them who are familiar with applicable standards and other regulations regarding electrical engineering and in particular the relevant safety concepts Qualified application programmers and software engineers who are familiar with the safety concepts of automation technology and applicable standards Explanation of symbols used and signal words hazards Obey all safety measures that follow this s
104. Antivirus Scan Connector CIFS Integrity Checking When CIFS integrity checking is performed the Windows network drives are checked to determine whether certain files e g exe dll have been changed Changes to these files indicate a possible virus or unauthorized intervention CIFS Antivirus Scan The CIFS anti virus scan connector enables the FL MGUARD to perform a virus scan on Connector drives that are otherwise not externally accessible e g production cells The FL MGUARD mirrors a drive externally in order to perform the virus scan Additional anti virus software is required for this procedure Set the necessary read access for your anti virus software Setting options for CIFS integrity checking Which network drives are known to the FL MGUARD see CIFS Integrity Monitoring gt gt Importable Shares on page 6 149 What type of access is permitted see CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings on page 6 151 Atwhatintervals the drives should be checked see CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit on page 6 152 Which file types should be checked see CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Filename Patterns on page 6 154 Warning method when a change is detected e g via e mail see CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings on page 6
105. As and IPsec SAs 7 2 6 Handling VPN redundancy in extreme situations The conditions listed under Handling firewall redundancy in extreme situations on page 1 8 also apply to VPN redundancy They also apply when the FL MGUARD is used exclusively for forwarding VPN connections The FL MGUARD forwards the data flows via the VPN channels and rejects incorrect packets regardless of whether firewall rules have been defined for the VPN connections or not An error interrupts the flow of data traffic An error that interrupts the data traffic running via the VPN channels represents an extreme situation In this case the IPsec data traffic is briefly vulnerable to replay attacks A replay attack is the repetition of previously sent encrypted data packets using copies which have been saved by the attacker The data traffic is protected by sequential numbers Independent sequential numbers are used for each direction in an IPsec channel The FL MGUARD drops ESP packets which have the same sequential number as a packet that has already been decrypted for a specific IPsec channel by the FL MGUARD This mechanism is known as the IPsec replay window The IPsec replay window is only replicated sporadically during state synchronization as it is very resource intensive Therefore the active FL MGUARD may have an obsolete IPsec replay window following a fail over An attack is then possible until the real VPN partner has sent the next ESP packet for th
106. Beispiel Lieferant C DE Validity From Mar 20 18 38 09 2007 GMT to Mar 20 18 38 09 2010 GMT Fingerprint MDS 11 73 7D 98 89 6F AB DB 23 A1 22 06 A2 68 79 EC SHA1 E9 14 0A 50 84 36 62 C5 B0 2F 1F A7 FB 1E 89 47 30 53 BC B8 Filename pem Durchsuchen apean VPN Identifier Local Valid values are e the certificates distinguished name same as no entry Remote Valid values are e the certificates distingushed name same as no entry IPsec VPN gt gt Connections gt gt Edit gt gt Authentication Authentication Authentication There are two options method X 509 Certificate default Pre Shared Key PSK Depending on the chosen method the page contains different setting options Authentication method X 509 Certificate This method is supported by most modern IPsec implementations With this option each VPN device has a secret private key and a public key in the form of an X 509 certificate which contains further information about the certificate s owner and the certification authority CA The following must be specified How the FL MGUARD authenticates itself to the partner How the FL MGUARD authenticates the remote partner How the FL MGUARD authenticates itself to the remote partner Authentication method X 509 Certificate X Local X 509 Certificate VPN Endpunkt Kundendienst MA w Remote CA Certificate No CA certificate but the Remote Certificate below w Remote Certificate Subject CN VPN Endp
107. C Stick gt gt Connections gt gt SEC Stick connections SEC Stick connections General List of defined SEC Stick connections Click on the down arrow at the top left of the screen if you want to add a new connection An existing connection can be edited by clicking on Edit a Not all of the SEC Stick functions can be configured via the web interface of the FL MGUARD Enabled To use a defined SEC Stick connection the Enabled option must be set to Yes User Name An SEC Stick connection with a uniquely assigned user name must be defined for every owner of a SEC Stick who has authorized access This user name is used to uniquely identify the defined connections Name Name of the person Company Name of the company The following page appears when you click on Edit SEC Stick connections General Enabled No w UserName nobody Comment Contact Adescriptive name of the user Company myCompany SSH public key including ssh dss or ssh rsa SSH Port Forwarding cx Ee Port 192 168 47 11 3389 Enabled As above User Name As above Comment Optional comment text Contact Optional comment text A descriptive name of Optional name of the person repeated the user Company Optional As above 6 204 PHOENIX CONTACT 8334_en_01 Configuration SEC Stick gt gt Connections gt gt SEC Stick connections SSH Port Forwarding SSH public key Enter the SSH public key belonging
108. CH blue Color coding for FL CAT5 6 PATCH green Color coding for FL CAT5 6 PATCH gray Color coding for FL CAT5 6 PATCH red Color coding for FL CAT5 6 PATCH violet Color coding for FL CAT5 6 PATCH yellow Lockable security element for FL CAT5 6 PATCH Color coding for FL PATCH GUARD black Color coding for FL PATCH GUARD blue Color coding for FL PATCH GUARD green Color coding for FL PATCH GUARD orange Color coding for FL PATCH GUARD red Color coding for FL PATCH GUARD turquoise Color coding for FL PATCH GUARD violet Color coding for FL PATCH GUARD yellow Key for FL PATCH GUARD Security element for FL CAT5 6 PATCH HOTLINE Order designation FL CAT5 PATCH 5 0 FL CAT5 PATCH 7 5 FL CAT5 PATCH 10 FL PATCH CCODE BK FL PATCH CCODE BN FL PATCH CCODE BU FL PATCH CCODE GN FL PATCH CCODE GY FL PATCH CCODE RD FL PATCH CCODE VT FL PATCH CCODE YE FL PATCH GUARD FL PATCH GUARD CCODE BK FL PATCH GUARD CCODE BU FL PATCH GUARD CCODE GN FL PATCH GUARD CCODE OG FL PATCH GUARD CCODE RD FL PATCH GUARD CCODE TQ FL PATCH GUARD CCODE VT FL PATCH GUARD CCODE YE FL PATCH GUARD KEY FL PATCH SAFE CLIP Order No 2832580 2832616 2832629 2891194 2891495 2891291 2891796 2891699 2891893 2891990 2891592 2891424 2891136 2891233 2891631 2891330 2891738 2891534 2891835 2891437 2891521 2891246 Pcs Pkt 10 10 10 20 20 20 20 20 20 20 20 20 12 12 12 12 12 12 12 12 1 20 If
109. D on which the incorrect password was entered so that it uses the old password Wait until the FL MGUARD indicates that the old password is being used Then enter the correct password If you have forgotten the old password proceed as follows Check whether you can read the old password out from the other FL MGUARD Ifthe other FL MGUARD is disabled or missing you can simply enter the correct new password on the active FL MGUARD on which you inadvertently set the incorrect password Make sure that the other FL MGUARD is assigned the same password before operating it again If the other FLMGUARD is already using the new password you must make sure that the FL MGUARD with the incorrect password is not active or able to be activated e g by removing the cable at the LAN or WAN interface In the case of remote access you can enter a destination for the availability check that will not respond Check beforehand that there is no redundancy error on any of the FL MGUARD devices One FL MGUARD must be active and the other must be on standby If applicable rectify any errors displayed Replace the incorrect password with a different one Enter this password on the active FL MGUARD too Restart the FL MGUARD that is not active You can do this for example by reconnecting the Ethernet cable or restoring the old settings for the availability check External virtual 1 2 3 255 default 51 Router ID Only in Router n
110. D uses the first external virtual IP address as the address from which it sends and receives IKE messages The external virtual IP address is used instead of the actual primary IP address of the external network interface The FL MGUARD no longer uses the actual IP address to send or answer IKE messages ESP data traffic is handled similarly but is also accepted and processed by the actual IP address As described under External virtual IP addresses but for internal virtual IP addresses 8334_en_01 PHOENIX CONTACT 7 17 FL MGUARD 2 7 2 5 Requirements for VPN redundancy VPN redundancy can only be activated if a license key is installed for VPN redundancy and a VPN connection is activated FL MGUARD RS4000 only If a VPN connection is controlled via a VPN switch then VPN redundancy cannot be activated See under Psec VPN gt gt Global gt gt Options gt gt VPN Switch During VPN state synchronization the state of the VPN connection is sent continuously from the active FL MGUARD to the FL MGUARD on standby so that it always has an up to date copy in the event of errors The only exception is the state of the IPsec replay window Changes there are only transmitted sporadically The volume of the data traffic for state synchronization does not depend on the data traffic sent over the VPN channels The data volumes for state synchronization are defined by a range of parameters that are assigned to the ISAKMP S
111. Destination Name Destination Community so 192 168 10 10 162 Platfom specific configurations are only effective on the platfom in question Similarily AV traps are only sent when a licensed anti virus system is active SNMP traps only are sent if SNMP access is enabled X In certain cases the FL MGUARD can send SNMP traps SNMP traps are only sent if the SNMP request is activated The traps correspond to SNMPv1 The trap information for each setting is listed below A more detailed description can be found in the MIB that belongs to the FL MGUARD If SNMP traps are sent to the partner via a VPN channel the IP address of the partner must be located in the network that is specified as the Remote network in the definition of the VPN connection The internal IP address in Stealth mode Stealth Management IP Address or Virtual IP must be located in the network that is specified as Local in the definition of the VPN connection see Defining a VPN connection VPN connection channels on page 6 173 6 44 PHOENIX CONTACT 8334_en_01 Configuration Ifthe Enable 1 to 1 NAT of the local network to an internal network option is set to Yes see 1 1 NAT on page 6 185 the following applies The internal IP address in Stealth mode Stealth Management IP Address or Virtual IP must be located in the network that is specified as the Internal network address for local 1 to 1 NAT Ifthe En
112. ELEI FL MGUARD RS4000 FL MGUARD RS2000 Figure 4 2 FL MGUARD RS4000 FL MGUARD RS2000 The FL MGUARD RS4000 has a redundant supply voltage If you only connect one supply voltage you will get an error message e Take off the COMBICON connectors for the power supply and the service contacts e Do not connect service contacts to an external voltage source e Wire the supply voltage lines to the corresponding COMBICON connector P1 P2 of the FL MGUARD Tighten the screws on the screw terminal blocks with 0 22 Nm e Insert the COMBICON male connectors in the intended COMBICON female connectors on the top of the FL MGUARD see figure 1 2 The status LED P1 lights up green when the supply voltage is connected properly On the FL MGUARD RS4000 status LED P2 also lights up if there is a redundant supply voltage connection The FL MGUARD boots the firmware The status LED STAT flashes green The FL MGUARD is ready for operation as soon as the Ethernet socket LEDs light up Additionally status LEDs P1 P2 light up green and the status LED STAT flashes green at heartbeat Redundant power supply FL MGUARD RS4000 A redundant supply voltage can be connected Both inputs are isolated The load is not distributed With a redundant supply the power supply unit with the higher output voltage supplies the FLMGUARD RS4000 alone The supply voltage is electrically isolated from the housing If the supply voltage is not redundant the FL MGUARD RS
113. FL MGUARD authenticates the partner using 2 2 Remote certificate Or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner Remote certificate HTTPS NOTE It is not sufficient to simply install the certificates to be used on the FL MGUARD under Authentication gt gt Certificates In addition the FL MGUARD certificate imported from the pool that is to be used must be referenced in the relevant applications VPN SSH The remote certificate for authentication of a VPN connection or the channels of a VPN connection is installed in the IPsec VPN gt gt Connections menu 8334_en_01 PHOENIX CONTACT 6 119 FL MGUARD 2 Authentication gt gt Certificates gt gt Certificate settings Certificate settings 6 4 4 1 Certificate settings Authentication Certificates Certificate settings Check the validity period of No certificates and CRLs CRL download interval Never Certificate settings Machine Certificates CA Certificates Remote Certificates CRL Enable CRL checking No v The settings made here relate to all certificates and certificate chains that are to be checked by the FL MGUARD This generally excludes the following Self signed certificates from partners Allremote certificates for VPN Check the validity period of certificates and CRLs No The validity period
114. FL MGUARD devices It does not matter which order you do this in but the same password must be used in both cases If you inadvertently enter an incorrect password follow the instructions under How to proceed in the event of an incorrect password on page 6 221 As soon as a redundant pair has been assigned a new password it automatically negotiates when it can switch to the new password without interruption The status is displayed using symbols We recommend observing this status for security reasons A red cross indicates that the FL MGUARD has a new password that it wants to use However the old password is still in use A yellow check mark indicates that the new password is already in use but that the old password can still be accepted in case the other FL MGUARD still uses it If no symbol is shown it means that no password is being used For example this may be because redundancy has not been activated or the firmware is booting up 8334_en_01 PHOENIX CONTACT 6 219 FL MGUARD 2 Redundancy gt gt Firewall Redundancy gt gt Redundancy If an FL MGUARD fails while the password is being changed the following scenarios apply Password replacement has been started on all FL MGUARD devices and then interrupted because of a network error for example This situation is rectified automatically Password replacement has been started on all FL MGUARD devices However an FL MGUARD then fails and must be replaced E
115. FL MGUARD is configured so that it synchronizes its system time date and time regularly with an external NTP server Sporadically The FL MGUARD acts as a DNS server and must perform a DNS request for a client After a restart An active VPN connection is set to initiate If this is the case the FL MGUARD establishes a connection after every restart After a restart For an active VPN connection the gateway of the partner is specified as the host name After a restart the FL MGUARD must request the IP address that corresponds to the host name from a DNS server Often VPN connections are set up and DPD messages are sent regularly see Dead Peer Detection on page 6 198 Often The FL MGUARD is configured to send its external IP address regularly to a DNS service e g DynDNS so that it can still be accessed via its host name Often The IP addresses of partner VPN gateways must be requested from the DynDNS service or they must be kept up to date by new queries Sporadically The FL MGUARD is configured so that SNMP traps are sent to the remote server Sporadically The FL MGUARD is configured to permit and accept remote access via HTTPS SSH or SNMP The FL MGUARD then sends reply packets to every IP address from which an access attempt is made if the firewall rules permit this access Often The FL MGUARD is configured to connect to an HTTPS server at regular intervals in order to download an
116. HAP server authentication No Dialondemand Yes idle timeout Yes idle time Seconds 300 LocalIP 0 0 0 0 Remote IP 0 0 0 0 Netmask 0 0 0 0 Local name Remote name Secret for client authentication CHAP server authentication Password for server authentication Subsequent fields If None is selected as the authentication method Aname for the FL MGUARD that it uses to log into the Internet service provider The service provider may have several customers and it uses this name to identify who is attempting to dial in After the FL MGUARD has logged into the Internet service provider with this name the service provider also compares the password specified for client authentication see below The connection can only be established successfully if the name is known to the service provider and the password matches A name assigned to the FL MGUARD by the Internet service provider for identification purposes The FL MGUARD will not establish a connection to the service provider if the ISP does not assign the correct name Password that must be specified during Internet service provider login to access the Internet Yes No The following two entry fields are shown when Yes is selected Password that the FLMGUARD requests from the server The FL MGUARD only allows the connection if the server returns the agreed password See under If None is selected as the authentication method on page 6 83 In this
117. If the validity of a revocation list cannot be proven it is ignored by the FL MGUARD If the use of revocation lists is activated together with the consideration of validity periods revocation lists are ignored if based on the system time their validity has expired or has not yet started CRL download interval If Enable CRL checking is set to Yes See above select the time period after which the revocation lists should be downloaded and applied On the CRL tab page see CRL on page 6 128 specify the origin of the FL MGUARD revocation lists If CRL checking is enabled but CRL download is set to Never the CRL must be manually loaded on the FL MGUARD so that CRL checking can be performed 8334_en_01 PHOENIX CONTACT 6 121 FL MGUARD 2 6 4 4 2 Machine certificates The FL MGUARD authenticates itself to the partner using a machine certificate loaded on the FL MGUARD The machine certificate acts as an ID card for the FL MGUARD which it shows to the relevant partner For a more detailed explanation see Authentication gt gt Certificates on page 6 115 By importing a PKCS 12 file the FL MGUARD is provided with a private key and the corresponding machine certificate Multiple PKCS 12 files can be loaded on the FL MGUARD enabling the FL MGUARD to show the desired self signed or CA signed machine certificate to the partner for various connections In order to use the machine certificate inst
118. L MGUARD Freely selectable comment for this rule For each individual port forwarding rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings 6 98 PHOENIX CONTACT 8334_en_01 Configuration 6 3 3 Network gt gt DNS 6 3 3 1 DNS server DNS server DynDNS DNS Servers to query User defined servers listed below v User dened ame servers XE 10 1 0 253 In Stealth Mode only User defined and DNS Root Servers are supported Other settings will be ignored Local Resolving of Hostnames p Yes v example local Ew Network gt gt DNS gt gt DNS server DNS If the FL MGUARD is to initiate a connection to a partner on its own e g to a VPN gateway or NTP server and it is specified in the form of a host name i e www example com the FL MGUARD must determine which IP address belongs to the host name To do this the FL MGUARD connects to a domain name server DNS to query the corresponding IP address there The IP address determined for the host name is stored in the cache so that it can be found directly i e more quickly for other host name resolutions With the Local Resolving of Hostnames function the FL MGUARD can also be configured to respond to DNS requests for locally used host names itself by accessing an internal previously configured directory The locally connected clients can be configured
119. L MGUARD can be set to authenticate VPN partners directly using the X 509 certificates shown by these VPN partners For this to happen the relevant X 509 certificate must be set on the FL MGUARD This is known as the Remote CA Certificate If aremote certificate is renewed for a brief period only one of the FL MGUARD devices will have a new certificate We therefore recommend authenticating the VPN partners using CA certificates instead of remote certificates in VPN redundancy 7 24 PHOENIX CONTACT 8334_en_01 Redundancy Adding a new CA certificate to identify VPN partners The FL MGUARD can be set to authenticate VPN partners using CA certificates see CA certificates on page 6 124 and Authentication on page 6 186 To do this select Signed by any trusted CA under Psec VPN gt gt Connections gt gt Edit gt gt Authentication Remote CA Certificate With this setting a new CA certificate can be added without affecting the established VPN connections However the new CA certificates are used immediately The X 509 certificate used by the VPN partner to authenticate itself to the FL MGUARD can then be replaced with minimal interruption The only requirement is ensuring that the new CA certificate is available first The FL MGUARD can be set to check the validity period of the certificates provided by the VPN partner see Certificate settings on page 6 120 In this case new trusted CA certificates mus
120. L MGUARD that now acts as the WAN interface If this IP address is assigned dynamically by the Internet service provider use the preset value 0 0 0 0 Otherwise e g for the assignment of a fixed IP address enter this here IP address of the partner When connecting to the Internet this is the IP address of the Internet service provider which is used to provide access to the Internet As the Point to Point Protocol PPP is used for the connection the IP address does not usually have to be specified This means you can use the preset value 0 0 0 0 The subnet mask specified here belongs to both the local IP address and the remote IP address Normally all three values Local IP Remote IP and Netmask are either fixed or remain set to 0 0 0 0 Enter the connection settings for an external modem on the Modem Console tab page see Modem Console on page 6 90 6 86 PHOENIX CONTACT 8334_en_01 Configuration 6 3 1 4 Dial in FL MGUARD RS4000 only Network Interfaces General Ethernet Dialout Dialin Modem Console PPP dial in options Modem PPP Off v LocaliP 192 168 2 1 Remote IP 192 168 2 2 PPP Login name admin PPP Password eeccsce Incoming Rules PPP Log 10 Si seriat incoming MN 99000000 0000 0000 0000 000000000000 PET ae Troco frome romot tor Toron asson comment toa Log entries for unknown p connection attempts Outgoing Rules PPP Log ID fu se
121. MGUARD SMART2 up to 62 Mbps bidirectional FL MGUARD RS4000 not more than 5250 frames s Fail over switching time The fail over switching time can be set to 1 3 or 10 seconds in the event of errors 8334_en_01 PHOENIX CONTACT 7 13 FL MGUARD 2 7 1 10 Limits of firewall redundancy In Router network mode firewall redundancy is only supported with the static mode Access to the FL MGUARD via the HTTPS SNMP and SSH management protocols is only possible with an actual IP address from each FL MGUARD Access attempts to virtual addresses are rejected The following features cannot be used with firewall redundancy A secondary external Ethernet interface ADHCP server ADHCP relay ASEC Stick server A user firewall CIFS Integrity Monitoring The redundant pair must have the same configuration Take this into account when making the following settings NAT settings masquerading port forwarding and 1 1 NAT Flood protection Packet filter firewall rules MAC filter advanced settings Queues and rules for QoS Some network connections may be interrupted following a network lobotomy See Restoration in the event of a network lobotomy on page 1 8 After a fail over semi unidirectional or complex connections that were established in the second before the fail over may be interrupted See Fail over when establishing complex connections on page 1 8 and Fail over when establishing sem
122. MGUARD is in Stealth mode Display only The names of the DNS servers used by the FL MGUARD for name resolution are displayed here This information can be useful for example if the FL MGUARD is using the DNS servers assigned to it by the Internet service provider Network Status External IP address WAN port address Network Mode Status Active Defaultroute Used DNS servers 8334_en_01 PHOENIX CONTACT 6 57 FL MGUARD 2 Network gt gt Interfaces gt gt General Network mode Router Mode 1 Network mode Only used when Router is selected as the network mode Stealth Router The FL MGUARD must be set to the network mode that corresponds to its connection to the network see also Preliminary user manualTypical application scenarios on page 2 1 Depending on which network mode the FL MGUARD is set to the page will change together with its configuration parameters See Stealth default settings for FL MGUARD RS4000 RS2000 FL MGUARD SMART2 on page 6 59 and Network Mode Stealth on page 6 63 Static DHCP PPPoE PPTP Modem Built in Modem See Router Mode static on page 6 61 and Router network mode PPTP router mode on page 6 78 Router Mode DHCP on page 6 61 and Router network mode DHCP router mode on page 6 76 Router Mode PPPoE on page 6 61 and Router network mode PPPoE router mode on page 6 77 Router
123. MP sysContact HiDiscovery is a protocol that supports the initial startup of new network devices and is available in Stealth mode for the local interface LAN of the FL MGUARD 8334_en_01 PHOENIX CONTACT 6 5 FL MGUARD 2 Management gt gt System Settings gt gt Host Local HiDiscovery support HiDiscovery Frame Forwarding Yes No 6 2 1 2 Alarm contact Enabled The HiDiscovery protocol is activated Read only The HiDiscovery protocol is activated but it cannot be used to configure the FL MGUARD Disabled The HiDiscovery protocol is deactivated If this option is set to Yes then HiDiscovery frames are forwarded from the LAN port externally via the WAN port Management System Settings Mode Operation supervision Manual settings Host Signal Contact Time and Date 2 Shell Access Signal contact Operation supervision w Contact Closed Ok Redundant power supply Supervise v Link supervision Supervise both ports v Contact Closed v The alarm contact is a relay that is used by the FL MGUARD to signal error states see also Alarm contact on page 6 6 Management gt gt System Settings gt gt Alarm Contact Mode FL MGUARD RS2000 FL MGUARD RS4000 only Alarm contact Operation supervision Contact Redundant power supply The alarm contact can be controlled automatically using Operation supervision default or Manual settings See also Installing
124. Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit in order for the sample to be activated Click on Edit to define a set of rules for the files to be checked and save this under the defined name 6 154 PHOENIX CONTACT 8334_en_01 Configuration CIFS Integrity Monitoring CIF S Integrity Checking executables Set of Filename Patterns Rules for files to check sx E System Volume Information Exclude v F System Volume Information Exclude w E pagefile sys Exclude v pagefile sys Exclude v F t exe include v Fi com include v f dll Include v Fi bat include v p t cmd include v CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Filename Patterns gt gt Edit Rules for files to check Filename pattern Include in check The following rules apply exe means that the files located in a specific directory and with file extension exe are checked or excluded Only one wildcard is permitted per directory or file name Wildcards represent characters e g win exe returns files with the extension exe that are located in a directory that begins with win atthe start means that any directory is searched even those at the top level if this is empty This cannot be combined with other characters e g c is not permitted Example Name exe refers to all files with the extension exe that are located in the Name directory
125. NTACT 6 9 FL MGUARD 2 Management gt gt System Settings gt gt Time and Date NTP Server NTP Network Time Protocol The FL MGUARD can act as the NTP server for computers that are connected to its LAN port In this case the computers should be configured so that the local address of the FL MGUARD is specified as the NTP server address If the FL MGUARD is operated in Stealth mode the management IP address of the FL MGUARD if this is configured must be used for the computers or the IP address 1 1 1 1 must be entered as the local address of the FL MGUARD In order for the FL MGUARD to act as the NTP server it must obtain the current date and the current time from an NTP server time server To do this the address of at least one NTP server must be specified This feature must also be activated Enable NTP time Once the NTP is activated the FL MGUARD obtains the date synchronization and time from one or more time server s and synchronizes Yes No itself with it or them Initial time synchronization can take up to 15 minutes During this time the FL MGUARD continuously compares the time data of the external time server and that of its own clock so that this can be adjusted as accurately as possible Only then the FL MGUARD can act as the NTP server for the computers connected to its LAN interface and provide them with the system time Initial time synchronization is performed with the external time server after ev
126. Options Delay between requests for a sign of life Otherwise the VPN partners may think that the redundant pair is dead even though it is only dealing with a fail over Data traffic In the event of a high latency in a network used for state synchronization updates the FL MGUARD on standby is assigned the outdated state The same thing also happens in the event of serious data losses on this network This does not occur however as long as no more than two back to back updates are lost This is because the FL MGUARD on standby automatically requests a repeat of the update The latency requirements are the same as those detailed under Fail over switching time on page 1 5 Actual IP addresses VPN partners may not send ESP traffic to the actual IP address of the redundant pair VPN partners must always use the virtual IP address of the redundant pair to send IKE messages or ESP traffic 8334_en_01 PHOENIX CONTACT 7 21 FL MGUARD 2 7 2 8 Transmission capacity with VPN redundancy These values apply to Router network mode when the data traffic for state synchronization is transmitted without encryption If the transmission capacity described here is exceeded in the event of errors the switching time may be longer than that set Platform Transmission capacity with VPN redundancy FL MGUARD SMART2 up to 17 Mbps bidirectional FL MGUARD RS4000 not more than 2300 frames s Fail over switching time The fail over
127. Otherwise if your access is blocked you must carry out the recovery procedure Action Options Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Comment Freely selectable comment for this rule Log For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default setting 8334_en_01 PHOENIX CONTACT 6 15 FL MGUARD 2 Management gt gt System Settings gt gt Shell Access RADIUS authentication This menu item is not included in the scope of functions for the FL MGUARD RS2000 Use RADIUS authentication for shell access If set to No the passwords of users who log in via shell access are checked via the local database on the FL MGUARD Select Yes to enable users to be authenticated via a RADIUS server This also applies for users who want to access the FL MGUARD via shell access using SSH or a serial console The password is only checked locally in the case of predefined users root admin netadmin and audit Under X 509 Authentication if you set Enable X 509 certificates
128. S integrity checking is performed the Windows network drives are checked to determine whether certain files e g exe dll have been changed Changes to these files indicate a possible virus or unauthorized intervention If a network drive that is to be checked is reconfigured an integrity database must be created This integrity database is used as the basis for comparison when checking the network drive regularly The checksums of all files to be monitored are recorded here The integrity database is protected against manipulation The database is either created explicitly due to a specific reason see CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Actions on page 6 157 or on the first regular check of the drive The integrity database must be created again following intentional manipulation of the relevant files of the network drive Unauthorized manipulation of the relevant files cannot be detected if there is no valid integrity database 6 150 PHOENIX CONTACT 8334_en_01 Configuration 6 6 2 1 Settings CIFS Integrity Monitoring CIFS integrity Checking General Integrity certificate Used to sign integrity databases Send notifications via e mail Target address for e mail Notifications Sender address of e mail notifications Subject prefix for e mail Notifications Address of the e mail server Settings Filename Patterns Checking o
129. This connection uses the following items then click on Properties e Make the appropriate entries and settings in the Internet Protocol Properties TCP IP dialog box 6 3 4 1 Internal External DHCP Network DHCP Internal DHCP External DHCP Mode mores Jools Network gt gt DHCP gt gt Internal DHCP Mode DHCP mode Disabled Server Relay Set this option to Server if the FL MGUARD is to operate as an independent DHCP server The corresponding setting options are then displayed below on the tab page see Server Set this option to Relay if the FLMGUARD is to forward DHCP requests to another DHCP server The corresponding setting options are then displayed below on the tab page see Relay la In FL MGUARD Stealth mode relay DHCP mode is not supported If the FL MGUARD is in Stealth mode and relay DHCP mode is selected this setting will be ignored However DHCP requests from the computer and the corresponding responses are forwarded due to the nature of Stealth mode If this option is set to Disabled the FL MGUARD does not answer any DHCP requests 8334_en_01 PHOENIX CONTACT 6 103 FL MGUARD 2 Network gt gt DHCP gt gt Internal DHCP DHCP mode Server If DHCP mode is set to Server the corresponding setting options are displayed below as follows Network DHCP Internal DHCP External DHCP Mode DHCP mode Server v DHCP Server Opti
130. TraPCIFSScanInfo 1 additional FL MGUARDTResCIFSShare FL MGUARDTResCIFSScanError FL MGUARDTResCIFSNumDiffs This trap is sent if the CIFS integrity check has been successfully completed 8334_en_01 PHOENIX CONTACT 6 47 FL MGUARD 2 Management gt gt SNMP gt gt Trap Failed integrity check of a CIFS share Found a suspicious difference on a CIFS share Userfirewall traps Userfirewall traps This menu item is not included in the scope of functions for the FL MGUARD RS2000 Activate traps Yes No enterprise oid FLMGUARDTraPCIFSScan generic trap enterpriseSpecific specific trap FL MGUARDTraPCIFSScanFailure 2 additional FL MGUARDTResCIFSShare FL MGUARDTResCIFSScanError FL MGUARDTResCIFSNumDiffs This trap is sent if the CIFS integrity check has failed Activate traps Yes No enterprise oid FLMGUARDTraPCIFSScan generic trap enterpriseSpecific specific trap FLMGUARDTraPCIFSScanDetection 3 additional FL MGUARDTResCIFSShare FL MGUARDTResCIFSScanError FL MGUARDTResCIFSNumDiffs This trap is sent if the CIFS integrity check has detected a deviation Activate traps Yes No FL MGUARDTrapUserFirewall enterpriseSpecific FL MGUARDTrapUserFirewallLogin 1 FL MGUARDTResUserFirewallUser name FL MGUARDTResUserFirewallSrclP FL MGUARDTResUserFirewallAuthent icationMethod enterprise oid generic trap speci
131. Trap Hardware related traps FL MGUARD RS2 4000 only Chassis power signal relay enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap FL MGUARDShellLoginTrap 2 additional FL MGUARDShellLastAccessIP This trap is sent when someone opens the shell via SSH or the serial interface The trap contains the IP address of the login request If this request was sent via the serial interface the value is 0 0 0 0 enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap 13 additional FL MGUARDDHCPLastAccessMAC This trap is sent when a DHCP request is received from an unknown client enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap FL MGUARDTrapSSHLogin additional FL MGUARDTResSSHUsername FL MGUARDTResSSHRemotelP This trap is sent when someone accesses the FL MGUARD via SSH enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap FL MGUARDTrapSSHLogout additional FL MGUARDTResSSHUsername FL MGUARDTResSSHRemotelP This trap is sent when access to the FL MGUARD via SSH is terminated Activate traps Yes No enterprise oid FL MGUARDTrapSenderlndustrial generic trap enterpriseSpecific specific trap FL MGUARDTraplndustrialPower Status 2 additional FL MGUARDTraplndustrialPower Status Sent when the system registers a pow
132. UARD SMART 2 cs csce cescce tgececcgenseeeasetecedgeciegedetiethededaetetecdeceestiecteeneeetecs 3 3 4 VVGIAU Py Bas coh Sack ae Sh eae ena keine taeda Ree Ree a ol Dabo A e Ria da aN adh cae mY 4 1 4 1 SAISTV NOLES A chs asctagcctlis Raat hitter thi EET 4 1 4 2 Checking the scope Of SUPPIY eeeceeeeeeeceeeceneeceeeeceeeeeneeeeeeeaeetaeeeneestaeeeneenaes 4 2 4 3 Installing the FL MGUARD RS4000 RS2000 ccecceeeeeeeeeeeeeeeeeeeeeeeseaeeeeenaees 4 3 4 4 Connecting the FL MGUARD SMART 2 ccceecececceeeeeeeeeeeeeeeeaeeeeeeeeaeeeaeenereeaes 4 7 5 Preparing the configuration a 2easareesacrczcrieeseigsacsthedeexaievucodndeasedentactudictvdecuenadatsedcetsaiamnsaeseneee nities 5 1 5 1 Connection requirements ceccececceeseeeseeceeeceaaeceeeecaeeeeaeeseeeeaeseaeesnaeeeuaeeeaeenaes 5 1 5 2 Local configuration on startup EIS ecceecceceeeeeeeceeeeeeeeseeeecneeeeaeeeeeeeteeeeeeenaees 5 2 5 3 Establishing a local configuration CONNECTION ce eeteeeeeeeeeeeeeeereeeeeeneeeenaeeeeens 5 9 5 4 Remote Configuration ccccessececesceceeeeceseeeeeeseneeseseeenseneeeeeseaeeseaeesseneeesneaeess 5 11 6 CONTGUPATION espen setae aac cat Legian as Aaa tease ace a deca tet as ate ta 6 1 6 1 Operationy insides e renk C S etn vr ee nist ie 6 1 6 2 Management Menu ensena ae ar a Aedes esti etude ees 6 4 6 3 Network MOM vcess cette ccueteaseedsapnacidize dctishan Acti a eaaa aaa 6 56 6 4 Authentication Menu isc eek ade e
133. UARD as a result of this setting even when the user does not perform any actions during this time Because the number of simultaneously open sessions is limited see Maximum number of simultaneous sessions for all users it is important to terminate sessions that have expired Therefore the request for a sign of life is preset to 120 seconds in the case of Version 7 4 0 or later Ifa maximum of three requests for a sign of life are issued this causes an expired session to be detected and removed after six minutes In previous versions the preset was 0 This means that no requests for a sign of life are sent Please note that sign of life requests generate additional traffic Specifies the maximum number of times a sign of life request to the partner may remain unanswered For example if a sign of life request should be made every 15 seconds and this value is set to 3 then the SEC Stick client connection is deleted if a sign of life is not detected after approximately 45 seconds Limitation of simultaneous In the case of administrative access to the FL MGUARD via SEC Stick the number of sessions simultaneous sessions is limited Approximately 0 5 MB of memory space is required for each session to ensure the maximum level of security The restriction does not affect existing sessions it only affects newly established access instances Maximum number of simultaneous sessions for all users Maximum number of simultaneo
134. UARDTResVPNType FL MGUARDTResVPNLocal FL MGUARDTResVPNRemote This trap is sent when the status of an IPsec connection changes enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap FL MGUARDTrapVPNIPsecConn Status This trap is sent when a connection is established or aborted It is not sent when the FL MGUARD is about to accept a connection request for this connection 8334_en_01 PHOENIX CONTACT 6 49 FL MGUARD 2 Management gt gt SNMP gt gt Trap L2TP connection Activate traps Yes No status changes enterprise oid FL MGUARDTrapVPN genericTrap enterpriseSpecific specific trap FL MGUARDTrapVPNL2TPConn Status 3 additional FL MGUARDTResVPNName FL MGUARDTResVPNIndex FL MGUARDTResVPNPeer FL MGUARDTResVPNStatus FL MGUARDTResVPNLocal FL MGUARDTResVPNRemote This trap is sent when the status of an L2TP connection changes Trap destinations Traps can be sent to multiple destinations Destination IP IP address to which the trap should be sent Destination Port Default 162 Destination port to which the trap should be sent Destination Name Optional name for the destination Does not affect the generated traps Destination Name of the SNMP community to which the trap is assigned Community 6 50 PHOENIX CONTACT 8334_en_01 Configuration 6 2 6 3 LLDP Management SNMP 2 Query i Trap ICA LLDP LLDP Mode Enabled
135. X CONTACT 8334_en_01 Technical data 10 2 Hardware properties Platform Network interfaces Other interfaces Drives High availability Power supply unit Power consumption Temperature range Humidity range Degree of protection Dimensions H x W x D Weight Firmware and power values Firmware compatibility Data throughput router firewall Hardware based encryption Encrypted VPN throughput AES 256 Management support Diagnostics Other Conformity Special features FL MGUARD SMART2 Freescale network processor with 330 MHz clocking 1 LAN port 1 WAN port Ethernet IEEE 802 3 10 100 Base TX RJ 45 full duplex auto MDIX Serial via USB connection Depending on the firmware used Via USB interface 5 V at 500 mA Optional External power supply unit 110 V 230 V 2 5 W maximum 0 C 40 C operation 20 C 60 C storage 20 90 during operation non condensing IP30 27x77x115mm 1319 FL MGUARD v7 2 or later Phoenix Contact recommends using firmware Version 7 x with the respective current patch releases For the scope of functions please refer to the relevant firmware data sheet Router mode default firewall ruls bidirectional throughput max 124 Mbps Stealth mode default firewall rules bidirectional throughput max 58 Mbps DES 3DES AES 128 192 256 Router mode default firewall ruls bidirectional throughput max 40 Mbps Steal
136. a OnE ae ICMP via sekundarem externen Interface f r den Verwerfen v mGuard LLLI Bitte beachten Sie Bei aktiviertem SNMP Zugniff werden automatisch eingehende ICMP Pakete angenommmen Stealth Modus Erlaube Weiterleitung von GVRP Paketen ead Erfaube Weiterleitung von sTP Paketen Nein v Erfaube Weiterleitung von DHCP Paketen Connection Tracking Maximale Zahl gleichzeitiger Verbindungen W Erlaube TCP Verbindungen nur mit SYN nach einem Neustart m ssen Verbindungen neu aufgebaut werden Nein v Timeout f r aufgebaute TCP Verbindungen Sekunden 432000 Timeout f r geschlossene TCP Verbindungen Sekunden 3600 FTP IRC PPTP Nein v H 323 Nein v SIP Nein w Network Security gt gt Packet Filter gt gt Advanced Consistency checks This menu item is not included in the scope of functions for the FL MGUARD RS2000 Maximum size of ping packets ICMP Echo Request Refers to the length of the entire packet including the header The packet length is normally 64 bytes but it can be larger If oversized packets are to be blocked to prevent bottlenecks a maximum value can be specified This value should be more than 64 bytes in order not to block normal ICMP echo requests When set to Yes the FL MGUARD performs a range of tests to check for incorrect checksums packet sizes etc and drops packets that fail these tests Enable TCP UDP ICMP consistency checks This op
137. able 1 to 1 NAT of the remote network to a different network option is set to Yes see 1 1 NAT on page 6 185 the following applies The IP address of the trap receiver must be located in the network that is specified as Remote in the definition of the VPN connection Management gt gt SNMP gt gt Trap Basic traps SNMP authentication Link Up Down Coldstart Admin access SSH HTTPS new DHCP client Activate traps Yes No enterprise oid FLMGUARDInfo generic trap authenticationFailure specific trap 0 Sent if an unauthorized station attempts to access the FL MGUARD SNMP agent Activate traps Yes No enterprise oid FLMGUARDInfo generic trap linkUp linkDown specific trap 0 Sent when the connection to a portis interrupted linkDown or restored linkUp Activate traps Yes No enterprise oid FLMGUARDInfo generic trap coldStart specific trap 0 Sent after a cold restart or warm start Activate traps Yes No enterprise oid FLMGUARD generic trap enterpriseSpecific specific trap FL MGUARDHTTPSLoginTrap 1 additional FL MGUARDHTTPSLastAccessIP This trap is sent if someone has tried successfully or unsuccessfully e g using an incorrect password to open an HTTPS session The trap contains the IP address from which the attempt was issued 8334_en_01 PHOENIX CONTACT 6 45 FL MGUARD 2 Management gt gt SNMP gt gt
138. ackets via the VPN tunnel if they originate from a trustworthy source Originate from a source address within the network which is defined in conjunction with the subnet mask under Local under Internal network address for local 1 1 NAT Have their destination address in the Remote network see Remote on page 6 177 if 1 1 NAT is not set for remote NAT Have their destination address in the area corresponding to the Network address for remote 1 1 NAT if 1 1 NAT is set for remote NAT The data packets of local devices are assigned a source address according to the address set under Local see Local on page 6 177 and are transmitted via the VPN tunnel Internal network Data packets received via the VPN tunnel are mapped the address for local other way around Destination addresses that belong to the 1 1 NAT Local network are translated into the corresponding address under Internal networkaddress for local 1 1 NAT 8334_en_01 PHOENIX CONTACT 6 181 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt General Further settings can be made by clicking on More Local NAT for IPsec tunnel connections Remote NAT Remote NAT for IPsec tunnel connections Local masquerading Local NAT Local NAT for IPsec tunnel ieee Local masquerading v Internal network address for 192 168 1 0 24 local masquerading If local devices transmit data packets only those data packets are considere
139. al self signed The FL MGUARD authenticates the partner using 2 2 4 page 6 11 Authentication for HTTPS All CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner PLUS if required Remote certificates if used as a filter Remote certificate See Management gt gt System Settings on page 6 4 Shell Access on The partner shows the following Certificate specific to individual signed by CA Certificate specific to individual self signed The FL MGUARD authenticates the partner using 2 2 All CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner PLUS if required Remote certificates if used as a filter Remote certificate The partner can additionally provide sub CA certificates In this case the FL MGUARD can form the set union for creating the chain from the CA certificates provided and the self configured CA certificates The corresponding root CA certificate must always be available on the FL MGUARD See Management gt gt Web Settings on page 6 21 Access on page 6 22 6 118 PHOENIX CONTACT 8334_en_01 Configuration Authentication for VPN The partner shows the following Machine certificate signed by CA Machine certificate self signed The
140. al information about the table see Authentication gt gt Certificates on page 6 115 Authentication for VPN The partner shows the Machine certificate signed Machine certificate self following by CA signed The FL MGUARD authenticates the partner using Remote certificate Remote certificate Or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner According to this table the certificates that must be provided are the ones the FLMGUARD uses to authenticate the relevant VPN partner The following instructions assume that the certificates have already been correctly installed on the FL MGUARD see Authentication gt gt Certificates on page 6 115 apart from the remote certificate If the use of revocation lists CRL checking is activated under the Authentication gt gt Certificates Certificate settings menu item each certificate signed by a CA that is shown by the VPN partner must be checked for revocations This excludes locally configured imported remote certificates 8334_en_01 PHOENIX CONTACT 6 187 FL MGUARD 2 Self signed machine certificate i Machine certificate signed by the CA Remote CA Certificate If the VPN partner authenticates itself with a self signed machine certificate e Select the following entry from the selection list No CA certificate but the Remote Certific
141. alled at this point it must be referenced additionally during the configuration of applications SSH VPN so that it can be used for the relevant connection or remote access type Example of imported machine certificates Authentication Certificates a Certificate settings Machine Certificates CA Certificates Remote Certificates i crt Machine Certificates SS a Cerean Subject CN VPN Endpunkt Kundendienst L KS O Beispiel Lieferant C DE Subject Alternative Names Issuer CN VPN SubCA 01 0 Beispiel Lieferant C DE Validity From Mar 20 18 37 57 2007 GMT to Mar 20 18 37 57 2010 GMT Fingerprint MDS 17 0C 51 54 98 88 BC 13 63 A9 89 F2 63 0B 18 32 SHA1 AF DC D1 F6 18 CD A7 6F 25 B5 1A 54 2D FE 95 AA 1E 6B 8E 29 Shortname VPN Endpunkt Kundendienst KS Upad PKCSH2Flename Password P oowoo comrae AED 7 Subject CN VPN Endpunkt Kundendienst L MA O Beispiel Lieferant C DE Subject Alternative Names Issuer CN VPN SubCA 01 0 Beispiel Lieferant C DE Validity From Mar 20 18 37 55 2007 GMT to Mar 20 18 37 55 2010 GMT C Fingerprint MDS 58 A1 17 55 4A BF B4 CA DB 54 7C BD 75 AB A3 EB SHA1 64 BD 83 0B 11 77 02 43 DD C4 1A 68 DF 52 33 DD BD 07 0E AB Shortname VPN Endpunkt Kundendienst MA Upload PKCS 12 Filename Durchsuchen import Password P aed ENCES FI Subject CN mguard hh kunde de L HH O Beispiel Kunde C DE Subject Alternative Names Issuer CN SSH SubCA 01 0 Secure Access GmbH C DE Validity From M
142. als An asterisk in the X 509 subject field can be used to specify that all subject entries in the certificate shown by the SSH client are permitted It is then no longer necessary to identify or define the subject in the certificate Limited access to certain subjects i e individuals or to subjects that have certain attributes In the certificate the certificate owner is specified in the Subject field The entry is comprised of several attributes These attributes are either expressed as an object identifier e g 132 3 7 32 1 or more commonly as an abbreviation with a corresponding value Example CN John Smith O Smith and Co C US If certain subject attributes have very specific values for the acceptance of the SSH client by the FL MGUARD then these must be specified accordingly The values of the other freely selectable attributes are entered using the asterisk wildcard Example CN O C US_ with or without spaces between attributes In this example the attribute C US must be entered in the certificate under Subject It is only then that the FL MGUARD would accept the certificate owner subject as a communication partner The other attributes in the certificates to be filtered can have any value If a subject filter is set the number but not the order of the specified attributes must correspond to that of the certificates for which the filter is to be used Please note that the text is case sensitive
143. and one internal virtual IP address must be set A virtual IP address cannot be listed twice 7 4 PHOENIX CONTACT 8334_en_01 Redundancy 7 1 5 Fail over switching time The FL MGUARD calculates the intervals for the connectivity check and availability check automatically according to the variables under Fail over switching time Connectivity check The factors which define the intervals for the connectivity check are specified in Table 7 1 on page 1 5 64 kbyte ICMP echo requests are sent for the connectivity check They are sent on layer 3 of the Internet protocol When VLAN is not used 18 bytes for the MAC header and checksum are added to this with the Ethernet on layer 2 The ICMP echo reply is the same size The bandwidth is also shown in Table 7 1 This takes into account the values specified for a single target and adds up the bytes for the ICMP echo request and reply The timeout on the FL MGUARD following transmission includes the following The time required by the FL MGUARD to transmit an ICMP echo reply If other data traffic is expected the half duplex mode is not suitable here The time required for the transmission of the ICMP echo request to a target Consider the latency during periods of high capacity utilization This applies especially when routers forward the request The time required on each target for processing the request and transmitting the reply to the Ethernet layer Please note that the
144. ant pairs can be connected within a LAN segment redundant group You define a value as an identifier through the router ID for each virtual instance of the redundant pair As long as these identifiers are different the redundant pairs do not come into conflict with each other Data traffic In the event of a high latency in a network used for state synchronization updates or a serious data loss on this network the FL MGUARD on standby is assigned the outdated state This does not occur however as long as no more than two back to back updates are lost This is because the FL MGUARD on standby automatically requests a repeat of the update The latency requirements are the same as those detailed under Fail over switching time on page 1 5 8334_en_01 PHOENIX CONTACT 7 11 FL MGUARD 2 Sufficient bandwidth The data traffic generated as a result of the connectivity check availability check and state synchronization uses bandwidth on the network The connectivity check also generates complicated calculations There are several ways to limit this or stop it completely If the influence on other devices is unacceptable The connectivity check must either be deactivated or must only relate to the actual IP address of the other FL MGUARD The data traffic generated by the availability check and state synchronization must be moved to a separate VLAN Switches must then be used which allow separation of the VLANs
145. ant v Ppa v 000 00 any 0 0 0 00 any TOS Minimize Cost v Unchanged v Low Priority v VPN via External 2 Settings for egress queue rules QoS Egress Rules VPN VPN via Internal VPN via External i VPN via External 2 If VPN via Dialin Default Default Queue Default v Rules ESE eooo rome romen e orot curentTosmsce_ newrosnsce cuove tame Comment f F 1 Aa v 0 0 0 0 0 any 0 0 0 0 0 any TOS Minimize Delay wv Unchanged v Urgent v p F 2 Al v 0 0 0 0 0 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged wv Important v M3 a1 v 00000 any 0 0 0 00 any TOS Minimize Cost v Unchanged w Low Priority v VPN via Dial in Settings for egress queue rules QoS Egress Rules VPN VPN via internat VPN via External If VPN via External 2 VPN via Dakin Default Default Queue Default Rules n PET eroico rom z Current TOSDSCP New TOSDSCP pE ai aly 00000 any 0 0 0 010 any y TOS Minimize Delay w Unchanged w Urgent v f F 2 Al v 00 0 00 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged v important v Ppa v 0000 any 0 0 0 0 0 any TOS Minimize Cost v Unchanged v Low Priority Y All of the tab pages listed above for Egress Rules for the Internal External External 2 and Dial in interfaces and for VPN connections routed via these interfaces have the same setting options In all c
146. any suggestions or recommendations for improvement of the contents and layout of our manuals please send your comments to t hoenixcontact com PHOENIX CONTACT Please observe the following notes General terms and conditions of use for technical documentation Phoenix Contact reserves the right to alter correct and or improve the technical documen tation and the products described in the technical documentation at its own discretion and without giving prior notice insofar as this is reasonable for the user The same applies to any technical changes that serve the purpose of technical progress The receipt of technical documentation in particular user documentation does not consti tute any further duty on the part of Phoenix Contact to furnish information on modifications to products and or technical documentation You are responsible to verify the suitability and intended use of the products in your specific application in particular with regard to observ ing the applicable standards and regulations All information made available in the technical data is supplied without any accompanying guarantee whether expressly mentioned im plied or tacitly assumed In general the provisions of the current standard Terms and Conditions of Phoenix Contact apply exclusively in particular as concerns any warranty liability This manual including all illustrations contained herein is copyright protected Any changes to the contents or the
147. ar 20 19 37 44 2007 GMT to Mar 20 19 37 44 2010 GMT Fingerprint MDS 66 71 8E 73 E3 F7 90 SE 26 7B 9D C7 03 64 85 D8 a SHA1 93 7D 51 60 C0 C0 75 28 5E 46 E9 44 80 09 72 8F AF 89 46 AF Shortname mguard hh kunde de Authentication gt gt Certificates gt gt Machine Certificates Machine Certificates Shows the currently imported X 509 certificates that the FL MGUARD uses to authenticate itself to partners e g other VPN gateways 6 122 PHOENIX CONTACT 8334_en_01 Configuration Importing a new machine certificate Using the short name To import a new certificate proceed as follows Requirement The PKCS 12 file file name extension p12 or pfx is saved on the connected computer Proceed as follows e Click on Browse to select the file e Inthe Password field enter the password used to protect the private key of the PKCS 12 file e Click on Import Once imported the loaded certificate appears under Certificate e Remember to save the imported certificate along with the other entries by clicking on the Apply button Shortname When importing a machine certificate the CN attribute from the certificate subject field is suggested as the short name here providing the Shortname field is empty at this point This name can be adopted or another name can be chosen e A name must be assigned whether it is the suggested one or another Names must be unique and must not be assigned mor
148. ases the settings relate to the data that is sent externally into the network from the relevant FL MGUARD interface 6 214 PHOENIX CONTACT 8334_en_01 Configuration QoS gt gt Egress Rules gt gt Internal External External 2 Dial in QoS gt gt Egress Rules VPN gt gt VPN via Internal VPN via External VPN via External 2 VPN via Dial in Default Default Queue Rules Protocol From IP From Port To IP To Port Name of the egress queue user defined The names of the queues are displayed as listed or specified under Egress Queues on the nternal External VPN via External tab pages The following default names are defined Default Urgent Important Low Priority Traffic that is not assigned to a specific egress queue under Rules remains in the default queue You can specify which egress queue should be used as the default queue in this selection list The assignment of specific data traffic to an egress queue is based on a list of criteria If the criteria in a row apply to a data packet it is assigned to the egress queue specified in the row Example For audio data to be transmitted you have defined a queue with guaranteed bandwidth and priority under Egress Queues see page 6 209 under the name Urgent You then define the rules here for how audio data is detected and specify that this data should belong to the Urgent queue All TCP UDP ICMP ESP Protocol s relating to the rule IP address of the net
149. ate below e Install the remote certificate under Remote Certificate see Installing the remote certificate on page 6 188 It is not possible to reference a remote certificate loaded under the Authentication gt gt Certificates menu item If the VPN partner authenticates itself with a machine certificate signed by a CA It is possible to authenticate the machine certificate shown by the partner as follows Using CA certificates Using the corresponding remote certificate Authentication using a CA certificate Only the CA certificate from the CA that signed the certificate shown by the VPN partner should be referenced here selection from list The additional CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner must be installed on the FL MGUARD under the Authentication gt gt Certificates menu item The selection list contains all the CA certificates that have been loaded on the FL MGUARD under the Authentication gt gt Certificates menu item The other option is Signed by any trusted CA With this setting all VPN partners are accepted providing that they log in with a signed CA certificate issued by a recognized certification authority CA The CA is recognized if the relevant CA certificate and all other CA certificates have been loaded on the FL MGUARD These then form the chain to the root certificate together with the certificates shown
150. ations in this user manual in order to determine which settings are necessary or desirable for your operating environment 4 2 Checking the scope of supply Before startup check the scope of supply to ensure nothing is missing The scope of supply includes The FL MGUARD SMART2 FL MGUARD RS4000 or FL MGUARD RS2000 device Package slip The FL MGUARD RS4000 and FL MGUARD RS2000 also include COMBICON plug in connector for the power supply connection and inputs outputs inserted 4 2 PHOENIX CONTACT 8334_en_01 Startup 4 3 Installing the FL MGUARD RS4000 RS2000 4 3 1 Mounting removal Mounting The device is ready to operate when it is supplied The recommended sequence for mounting and connection is as follows e Mount the FL MGUARD RS4000 RS2000 on a grounded 35 mm DIN rail according to DIN EN 60715 Ja AB Figure 4 1 Mounting the FL MGUARD RS4000 RS2000 on a DIN rail e Attach the top snap on foot of the FL MGUARD RS4000 RS2000 to the DIN rail and then press the FL MGUARD RS4000 RS2000 down towards the DIN rail until it engages with a click Removal e Remove or disconnect the connections e To remove the FL MGUARD RS4000 RS2000 from the DIN rail insert a screwdriver horizontally in the locking slide under the housing pull it down without tilting the screwdriver and pull up the FL MGUARD RS4000 RS2000 8334_en_01 PHOENIX CONTACT 4 3 FL MGUARD 2 D 4 3 2 Connecting to the network WARNING Onl
151. be used However if this is not established possible the VPN gateway of the partner is causing problems In this case deactivate and reactivate the connection to reestablish the connection 6 200 PHOENIX CONTACT 8334_en_01 Configuration 6 7 6 Global Access SEC Stick Access Enable SEC Stick service No w Enable SEC Stick remote access No v Remote SEC Stick TCP Port 22002 Delay between requests for a sign of life The value 0 indicates that 120 seconds these messages will not be sent Maximum number of missing signs of life Allow SEC Stick forwarding into VPN tunnel Concurrent Session Limits Maximum number of cumulative concurrent sessions forall 10 users Maximum number of concurrent sessions for one 2 user Allowed Networks Log ID M secstiok 200255 V 00000000 0000 0000 0000 000009000000 PES romi O o o interra Action O comme fo oa F E a 0 0 0 0 0 External v Accept No v These rules allow to enable SEC Stick remote access Note In Stealth mode incoming traffic on the given port is no longer forwarded to the client Note In router mode with NAT or portforwarding the port set here has priority over portforwarding Note The SEC Stick access from the internal side and via dial in is enabled by default and can be restricted by firewall rules SEC Stick gt gt Global gt gt Access SEC Stick Access This menu item is not included in the scope of functions for the FL MGU
152. ble CAT5 pre assembled 1 0 m long Patch cable CAT5 pre assembled 1 5 m long Patch cable CAT5 pre assembled 2 0 m long Patch cable CAT5 pre assembled 3 0 m long Accessories Order designation FL MGUARD RS2000 TX TX VPN FL MGUARD RS4000 TX TX FL MGUARD RS4000 TX TX VPN FL MGUARD SMART2 FL MGUARD SMART2 VPN FL MGUARD DELTA TX TX Order designation E NS 35 N SD FLASH 256MB FL SMNP OPC SERVER V3 FL CAT6 PATCH 0 3 FL CAT6 PATCH 0 5 FL CAT6 PATCH 1 0 FL CAT6 PATCH 1 5 FL CAT6 PATCH 2 0 FL CAT6 PATCH 3 0 FL CAT6 PATCH 5 0 FL CAT6 PATCH 7 5 FL CAT6 PATCH 10 FL CAT6 PATCH 12 5 FL CAT6 PATCH 15 FL CAT6 PATCH 20 FL CAT5 PATCH 0 3 FL CAT5 PATCH 0 5 FL CAT5 PATCH 1 0 FL CATS PATCH 1 5 FL CAT5 PATCH 2 0 FL CAT5 PATCH 3 0 Order No 2700642 2700634 2200515 2700640 2700639 2700967 Order No 0800886 2988120 2701139 2891181 2891288 2891385 2891482 2891589 2891686 2891783 2891880 2891887 2891369 2891372 2891576 2832250 2832263 2832276 2832221 2832289 2832292 Pcs Pkt 1 Pcs Pkt 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 8334_en_01 PHOENIX CONTACT 10 5 FL MGUARD 2 Description Patch cable CAT5 pre assembled 5 0 m long Patch cable CAT5 pre assembled 7 5 m long Patch cable CAT5 pre assembled 10 0 m long Color coding for FL CAT5 6 PATCH black Color coding for FL CAT5 6 PATCH brown Color coding for FL CAT5 6 PAT
153. blishes the connection to the telephone network is connected to the serial port The connection to the WAN or Internet is then established via the telephone network by means of the external modem Stealth to Router the device can only be accessed via the new address If the configuration is changed via the LAN port confirmation of the new address is displayed before the change is applied If configuration changes are made via the WAN port no confirmation is displayed If the address of the FL MGUARD is changed e g by changing the network mode from LAN port and or the local subnet mask make sure you specify the correct values Otherwise the FL MGUARD may no longer be accessible under certain circumstances For the further configuration of Built in Modem Modem network mode see Router network mode Modem router mode on page 6 79 l If the mode is set to Router PPPoE or PPTP and you then change the IP address of the 6 62 PHOENIX CONTACT 8334_en_01 Configuration When Stealth is selected as the network mode and static is selected for the Stealth configuration Network Mode Stealth Default settings for FL MGUARD RS4000 RS2000 FL MGUARD SMART2 Network Interfaces General Ethernet Dialout Dialin Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network
154. by the FL MGUARD itself CRL download Firmware update Regular configuration profile retrieval from a central location Restoring of licenses Network gt gt Proxy Settings gt gt HTTP S Proxy Settings HTTP S Proxy Settings Proxy Authentication Use Proxy for HTTP When set to Yes connections that use the HTTP or HTTPS and HTTPS protocol are transmitted via a proxy server whose address and port should be specified in the next two fields HTTP S Proxy Server Hostname or IP address of the proxy server Port Number of the port to be used e g 3128 Login User name for proxy server login Password Password for proxy server login 8334_en_01 PHOENIX CONTACT 6 107 FL MGUARD 2 6 4 Authentication menu 6 4 1 Authentication gt gt Administrative Users 6 4 1 1 Passwords Authentication Administrative Users Passwords RADIUS Filters root Root Password Old Password Account root New Password eeccee New Password again eeseecee admin Administrator Password New Password Account admin New Password again user Disable VPN until the user is No authenticated via HTTP Yes User Password word New Password again Administrative users refers to users who have the right depending on their authorization level to configure the FL MGUARD root and administrator authorization levels or to use it user authorization level Authentication gt gt Administrative U
155. by the FL MGUARD In addition the FL MGUARD also masks data with virtual IP addresses when masquerading rules are set up State monitoring State monitoring is used to determine whether the FL MGUARD is active on standby or has an error Each FL MGUARD determines its own state independently depending on the information provided by other components State monitoring ensures that two FL MGUARD devices are not active at the same time Status indicator The status indicator contains detailed information on the firewall redundancy state A summary of the state can be called up using the Redundancy gt gt Firewall Redundancy gt gt Redundancy or Redundancy gt gt Firewall Redundancy gt gt Connectivity Checks menus 8334_en_01 PHOENIX CONTACT 7 3 FL MGUARD 2 7 1 2 Interaction of the firewall redundancy components During operation the components work together as follows Both FL MGUARD devices perform ongoing connectivity checks for both of their network interfaces internal and external In addition an ongoing availability check is performed Each FL MGUARD listens continuously for presence notifications CARP and the active FL MGUARD also sends them Based on the information from the connectivity and availability checks the state monitoring function is made aware of the state of the FL MGUARD devices State monitoring ensures that the active FL MGUARD mirrors its data onto the other FL MGUARD state synchronization
156. by the Internet service provider FL MGUARD in Router network mode Internal address of the FL MGUARD 192 168 11 1 Switch Network A Network address 192 168 11 0 24 Network B Network address 192 168 15 0 24 Subnet mask 255 255 255 0 Network C Network address 192 168 27 0 24 Additional internal routes Q Subnet mask 255 255 255 0 Network A Computer Al A2 A3 A4 A5 IP address 192 168 11 3 192 168 11 4 192 168 11 5 192 168 11 6 192 168 11 7 Subnet mask 255 255 255 0 255 255 255 0 255 255 255 0 255 255 255 0 255 255 255 0 NetworkB Computer B1 B2 B3 B4 Additional internal routes IP address 192 168 15 2 192 168 15 3 192 168 15 4 192 168 15 5 Network Subnetmask 255 255 255 0 255 255 255 0 255 255 255 0 255 255 255 0 a 192 168 11 2 Network C Computer C1 C2 c3 c4 Network IP address 192 168 27 1 192 168 27 2 192 168 27 3 192 168 27 4 192 168 27 0 24 Gateway Subnet mask 255 255 255 0 255 255 255 0 255 255 255 0 255 255 255 0 192168112 6 242 PHOENIX CONTACT 8334_en_01 Redundancy 7 Redundancy i This menu is only made available if the relevant license is used for operation and is not supplied as standard with the devices This function is not supported by the FL MGUARD RS2000 There are several different ways of compensating for errors using the FL MGUARD so that an existing connection
157. can cope with the loss of one of two back to back update packets If more data packets are lost this can result in a longer switching time in the event of errors The FL MGUARD on standby has an obsolete machine certificate X 509 certificates and private keys used by a redundant pair to authenticate itself as a VPN partner may need to be changed The combination of a private key and certificate is hereafter referred to as a machine certificate Each FL MGUARD in a redundant pair must be reconfigured in order to switch the machine certificate Both FL MGUARD devices also require the same certificate so that their VPN partners view them as one and the same virtual VPN appliance 8334_en_01 PHOENIX CONTACT 7 19 FL MGUARD 2 As each FL MGUARD has to be reconfigured individually it may be the case that the FL MGUARD on standby has an obsolete machine certificate for a brief period If the FL MGUARD on standby becomes active at the exact moment when the ISAKMP SAs are being established this procedure cannot be continued with an obsolete machine certificate As a countermeasure VPN state synchronization replicates the machine certificate from the active FL MGUARD to the FL MGUARD on standby In the event of a fail over the FL MGUARD on standby will only use this to complete the process of establishing the ISAKMP SAs where this has already been started If the FL MGUARD on standby establishes new ISAKMP SAs after a fail over it uses t
158. ce connections No Only of the error based on corresponding entries see Logging gt gt when started vianph Browse local logs menu item This option for error vpn cgi or CMD diagnostics is used as standard Set this option to No default contact if itis sufficient The CMD contact is only available on the FL MGUARD industrial rs Only when started via nph vpn cgi or CMD contact If the option of diagnosing VPN connection problems using the FL MGUARD logging function is too impractical or insufficient select this option This may be the case if the following conditions apply In certain application environments e g when the FL MGUARD is operated by means of a machine controller via the CMD contact FL MGUARD RS2000 4000 only the option for a user to view the FL MGUARD log file via the web based user interface of the FL MGUARD may not be available at all If the FL MGUARD is being used remotely it is possible that a VPN connection error can only be diagnosed after the FL MGUARD is temporarily disconnected from its power source which causes all the log entries to be deleted The relevant log entries of the FL MGUARD that could be useful may be deleted because the FL MGUARD regularly deletes older log entries on account of its limited memory space If an FL MGUARD is being used as the central VPN partner e g in a remote maintenance center as the gateway for the VPN connections of numerous machines the messages regarding ac
159. cket inspection Anti spoofing IP filter L2 filter only in stealth mode NAT with FTP IRC and PPTP support only in router modes 1 1 NAT only in router network mode Port forwarding not in stealth network mode Individual firewall rules for different users user firewall Individual rule sets as action target of firewall rules apart from user firewall or VPN firewall CIFS integrity check of network drives for changes to specific file types e g executable files Anti virus scan connector which supports central monitoring of network drives with virus scanners 8334_en_01 PHOENIX CONTACT 1 1 FL MGUARD 2 VPN features Support Protocol IPsec tunnel and transport mode IPsec encryption in hardware with DES 56 bits 3DES 168 bits and AES 128 192 256 bits Packet authentication MD5 SHA 1 Internet Key Exchange IKE with main and quick mode Authentication via Pre shared key PSK X 509v3 certificates with public key infrastructure PKI with certification authority CA optional certificate revocation list CRL and the option of filtering by subject or Partner certificate e g self signed certificates Detection of changing partner IP addresses via DynDNS NAT traversal NAT T Dead Peer Detection DPD detection of IPsec connection aborts IPsec L2TP server connection of IPsec L2TP clients IPsec firewall and 1 1 NAT Default route over VPN Data forwarding between
160. cket to a server When you select a value here only the data packets that have this TOS or DSCP value in the corresponding fields are chosen These values are then set to a different value according to the entry in the New TOS DSCP field If you want to change the TOS DSCP values of the data packets that are selected using the defined rules enter the text that should be written in the TOS DSCP field here For a more detailed explanation of the Current TOS DSCP and New TOS DSCP options please refer to the following RFC documents RFC 3260 New Terminology and Clarifications for Diffserv RFC 3168 The Addition of Explicit Congestion Notification ECN to IP RFC 2474 Definition of the Differentiated Services Field DS Field RFC 1349 Type of Service in the Internet Protocol Suite Name of the egress queue to which traffic should be assigned Optional comment text 6 216 PHOENIX CONTACT 8334_en_01 Configuration 6 9 Redundancy Redundancy is described in detail in Section 7 Redundancy 6 9 1 Redundancy gt gt Firewall Redundancy This menu is only made available if the relevant license is used for operation It is not included in the scope of supply of the devices This function is not supported by the FL MGUARD RS2000 6 9 1 1 Redundancy General ees Toma is actively forwarding and filtering network traffic Enable redundancy Yes v FaiLover switching ti
161. coming access individually for each connection Any attempts to bypass these restrictions can be logged B By default the VPN firewall is set to allow all connections for this VPN connection However the extended firewall settings defined and explained above apply independently for each individual VPN connection see Network Security menu on page 6 129 Network Security gt gt Packet Filter on page 6 129 Advanced on page 6 138 If multiple firewall rules are defined these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored In Stealth mode the actual IP address used by the client should be used in the firewall rules or it should be left at 0 0 0 0 0 as only one client can be addressed through the tunnel ee me 6 192 PHOENIX CONTACT 8334_en_01 Configuration If the Allow packet forwarding between VPN connections option is set to Yes on the Global tab page the rules under Incoming are used for the incoming data packets to the FL MGUARD and the rules under Outgoing are applied to the outgoing data packets If the outgoing data packets are included in the same connection definition for a defined VPN connection group then the firewall rules for Incoming and Outgoing for the same connection definition are used
162. configuration connection where a terminal or PC with terminal program is connected to the serial interface as described above The settings are not valid when an external modem is connected Settings for this are made further down under External Modem Baud rate Hardware handshake RTS CTS Serial console via USB FL MGUARD SMART2 only External Modem Hardware handshake RTS CTS Baud rate The transmission speed of the serial interface is specified via the selection list Off On When set to On flow is controlled by means of RTS and CTS signals No Yes When No is selected the FL MGUARD SMART 2 uses the USB connection solely as a power supply When Yes is selected the FL MGUARD SMART 2 provides an additional serial interface for the connected computer through the USB interface The serial interface can be accessed on the computer using a terminal program The FL MGUARD SMART 2 provides a console through the serial interface which can then be used in the terminal program Windows requires a special driver This can be directly downloaded from the FL MGUARD The relevant link is located on the right hand side next to the Serial console via USB drop down menu Off On When set to On flow is controlled by means of RTS and CTS signals for PPP connections Default 57600 Transmission speed for communication between the FL MGUARD and modem via the serial connecting cable between both devices This
163. containing this group name as the template user The RADIUS server must be configured to deliver this group name in the Access Accept packet as a Filter ID lt groupname gt attribute User Name Name specified by the user during login Authentication Method Local DB When Local DB is selected the password assigned to the user must be entered in the User Password column in addition to the User Name that must be entered on login RADIUS If RADIUS is selected the user password can be stored on the RADIUS server User Password Only active if Local DB is selected as the authentication method 8334_en_01 PHOENIX CONTACT 6 111 FL MGUARD 2 6 4 2 2 Access Authentication Firewall Users Firewall Users Access Status HTTPS Authentication via D x Interface F Internal v p External v FE Diskin v Please note Firewall users can only log into the web interface if HTTPS remote access for the corresponding network interface is enabled as well see Management Web Settings Authentication gt gt Firewall Users gt gt Access Authentication via HTTPS NOTE For authentication via an external interface please consider the following If a firewall user can log in via an unsecure interface and the user leaves the session without logging out correctly the login session may remain open and could be misused by another unauthorized person An interface is unsecure for example
164. corresponding target is connected to the internal interface and vice versa When the static routes are changed it is easy for the targets not to be checked properly Redundancy Firewall Redundancy Redundancy Connectivity Checks External interface Kindof check atleast one target must respond v requests O ee Recommended are the IPs of F 172 16 66 18 routers in particular of a default gateway or the realIP gt 10 0 0 31 of the other mGuard of this redundancy pair Secondary targets for ICMP fs echo requests Used only if the check failed for the primary targets r O 10 0 0 31 10 0 0 31 0O x Internal interface Kindof check atleast one target must respond v Redundancy gt gt Firewall Redundancy gt gt Connectivity Checks External interface Recommended are the IPs of A routers in particular of a f 192 168 1 1 default gateway or the reallP 4 192 168 1 31 of the other mGuard of this a redundancy pair Secondary targets or MP D X echo requests Used only if the check failed 192 168 1 31 ater p F 192 168 1 31 Kind of check Specifies whether a connectivity check is performed on the external interface and if so how If at least one target must respond is selected it does not matter whether the ICMP echo request is answered by the primary or secondary target The request is only sent to the secondary target if the primary target did not off
165. ction to a computer that is registered with the DynDNS provider then the remote computer can use the host name of the computer as the address This establishes a connection to the responsible DNS in order to look up the IP address that is currently registered for this host name The corresponding IP address is sent back from the DNS to the remote computer which can then use it as the destination address This now leads directly to the desired computer In principle all Internet addresses are based on this procedure First a connection toa DNS is established in order to determine the IP address assigned to the host name Once this has been accomplished the established IP address is used to set up a connection to the required partner which could be any site on the Internet Every host or router on the Internet Intranet has its own unique IP address IP Internet Protocol An IP address is 32 bits 4 bytes long and is written as four numbers each between 0 and 255 which are separated by a dot An IP address consists of two parts The network address and the host address Network address Host address All network hosts have the same network address but different host addresses The two parts of the address differ in length depending on the size of the respective network networks are categorized as Class A B or Byte 1 Byte 2 Byte 3 Byte 4 Class A Network Host address address Class B Network address H
166. curity gt gt Packet Filter gt gt Advanced Timeout for closed TCP connections FTP IRC PPTP H 323 SIP The timeout blocks a TCP port to port connection for an extended period after the connection is closed This is necessary as packets belonging to the closed TCP connection may still arrive in a packet based network after the connection is closed Without time controlled blocking old packets could be assigned to a new connection accidentally The default setting is 3600 seconds 1 hour Yes No If an outgoing connection is established to call data for the FTP protocol two methods of data transmission can be used With active FTP the called server establishes an additional counter connection to the caller in order to transmit data over this connection With passive FTP the client establishes this additional connection to the server for data transmission FTP must be set to Yes default so that additional connections can pass through the firewall Yes No Similar to FTP For IRC chat over the Internet to work properly incoming connections must be allowed following active connection establishment IRC must be set to Yes default in order for these connections to pass through the firewall Yes No default No Must be set to Yes if VPN connections are to be established using PPTP from local computers to external computers without the assistance of the FL MGUARD Must be set to Yes if GRE packets
167. d The IP address 0 0 0 0 deactivates the management IP address Change the management IP address first before specifying any additional addresses Netmask The subnet mask of the IP address above Use VLAN Yes No IP address and subnet mask of the VLAN port If the IP address should be within a VLAN set this option to Yes VLAN ID AVLAN ID between 1 and 4095 An explanation can be found under VLAN on page 9 8 Ifyou want to delete entries from the list please note that the first entry cannot be deleted Default gateway The default gateway of the network where the FL MGUARD is located In Stealth modes autodetect and static the FL MGUARD adopts the default gateway of the computer connected to its LAN port This does not apply if a management IP address is configured with the default gateway Alternative routes can be specified for data packets destined for the WAN that have been created by the FL MGUARD These include the packets from the following types of data traffic Download of certificate revocation lists CRLs Download of a new configuration Communication with an NTP server for time synchronization Sending and receiving encrypted data packets from VPN connections Requests to DNS servers Syslog messages Download of firmware updates Download of configuration profiles from a central server if configured SNMP traps If this option is used make the r
168. d on the answering side the initiator must first detect the interruption and then reestablish the connection VPN redundancy supports masquerading in the same way as without VPN redundancy This applies when a redundant pair is masked by a NAT gateway with a dynamic IP address For example a redundant pair can be hidden behind a DSL router which masks the redundant pair with an official IP address This DSL router forwards the IPsec data traffic IKE and ESP UDP ports 500 and 4500 to the virtual IP addresses If the dynamic IP address changes all active VPN connections which run via the NAT gateway are reestablished The connections are reestablished by means of Dead Peer Detection DPD using the relevant configured time This effect is beyond the influence of the FL MGUARD The redundancy function on the FL MGUARD does not support path redundancy Path redundancy can be achieved using other methods e g by using a router pair This router pair is seen on the virtual side of the FL MGUARD devices By contrast on the other side each of the routers has different connections Path redundancy must not use NAT mechanisms such as masquerading to hide the virtual IP addresses of the FLMGUARD devices Otherwise a migration from one path to another would change the IP addresses used to mask the redundant pair This would mean that all VPN connections all ISAKMP SAs and all IPsec SAs would have to be reestablished The connectio
169. d which Are actually encrypted by the FL MGUARD the FL MGUARD only forwards packets via the VPN tunnel if they originate from a trustworthy source Originate from a source address within the network which is defined under Internal network address for local masquerading Have their destination address in the Remote network see Remote on page 6 177 if 1 1 NAT is not set for remote NAT Have their destination address in the area corresponding to the Network address for remote 1 1 NAT if 1 1 NAT is set for remote NAT The source address of such data packets is masked under Local using the lowest IP address of the network The data packets are then transmitted via the VPN tunnel Masking changes the source address and source port The original addresses are recorded Where response packets are received via the VPN tunnel and there is a matching entry these packets have their destination address and destination port written back to them Off 1 1 NAT Masquerading of remote network Here you can define which type of address translation is to be used for the source address of the packets being received and for the destination address of the packets being transmitted Default Off 6 182 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt General Further settings can be made by clicking on More Remote NAT Remote NAT for IPsec 1 1 NAT tunnel co
170. dby the active FL MGUARD sends a complete record of all state information Establishing VPN connections In VPN redundancy the virtual network interface is used for an additional purpose to establish accept and operate the VPN connections The FL MGUARD only listens for the first virtual IP address In Router network mode the FL MGUARD listens to the first external and internal virtual IP addresses 8334_en_01 PHOENIX CONTACT 7 15 FL MGUARD 2 State monitoring State monitoring is used to monitor state synchronization on both the VPN and firewall Status indicator The status indicator shows additional detailed information on the status of VPN state synchronization This is located directly next to the information for firewall state synchronization As an ancillary effect the status indicator of the VPN connection can also be seen on the FL MGUARD on standby You can therefore find the contents of the VPN state database replicated under the normal status indicator for the VPN connection under Psec VPN gt gt IPsec Status Only the state of the synchronization process is shown in the status indicator for firewall redundancy Redundancy gt gt FW Redundancy Status gt gt Redundancy Status 7 2 2 Interaction of the VPN redundancy components The individual components interact in the same way as described for firewall redundancy VPN state synchronization is also controlled by state monitoring The state i
171. ded to the above initialization sequence According to the extended HAYES command set this sequence means that the modem does not use the DTR cable 6 92 PHOENIX CONTACT 8334_en_01 Configuration If the external modem is to be used for outgoing calls it is connected to a private branch exchange and if this private branch exchange does not generate a dial tone after the connection is opened then the modem must be instructed not to wait for a dial tone before dialing In this case append the character string ATX3 OK a space followed by ATX3 followed by a space followed by OK to the initialization sequence In order to wait for the dial tone the control character w should be inserted in the Phone number to call after the digit for dialing an outside line 8334_en_01 PHOENIX CONTACT 6 93 FL MGUARD 2 6 3 2 Network gt gt NAT 6 3 2 1 Masquerading Network NAT Masquerading IP and Port Forwarding Network Address Translation IP Masquerading o External X 0 0 0 0 0 These rules let you specify which IP addresses normally addresses within the private address space are to be rewritten to the mGuard s IP address Please note These rules won t apply to the Stealth mode 1 1 NAT p 0 0 0 0 0 0 0 0 24 Yes v Please note These rules only apply to the network mode Router and if the router mode is set to static or DHCP Network gt gt NAT gt gt Masquerading
172. defined for root and admin Make the following settings for SSH remote access 8334_en_01 PHOENIX CONTACT 6 11 FL MGUARD 2 Management gt gt System Settings gt gt Shell Access Session Timeout seconds Enable SSH remote access Yes No Port for incoming SSH connections remote administration only Specifies after what period of inactivity in seconds the session is automatically terminated i e automatic logout When set to 0 default settings the session is not terminated automatically The specified value is also valid for shell access via the serial interface instead of via the SSH protocol The effects of the Session Timeout field settings are temporarily ineffective if processing of a shell command exceeds the number of seconds set In contrast the connection can also be aborted if it is no longer able to function correctly see Delay between requests for a sign of life on page 6 13 If you want to enable SSH remote access set this option to Yes Internal SSH access i e from the directly connected LAN or from the directly connected computer can be enabled independently of this setting The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access options on the FL MGUARD Default 22 If this port number is changed the new port number only applies for access via the External External
173. ditional headers If you want to use this option specify a value lower than the default setting 8334_en_01 PHOENIX CONTACT 6 169 FL MGUARD 2 6 7 1 2 DynDNS Monitoring IPsec VPN Global Options DynDNS Monitoring DynDNS Monitoring Watch hostnames of remote VPN Gateways tlie Refresh Interval sec 300 For an explanation of DynDNS see DynDNS on page 6 102 IPsec VPN gt gt Global gt gt Options DynDNS Monitoring Watch hostnames of Yes No remote VPN Gateways If the FL MGUARD knows the address of a VPN partner in the form of a host name see Defining a VPN connection VPN connection channels on page 6 173 and this host name is registered with a DynDNS service then the FL MGUARD can check the relevant DynDNS at regular intervals to determine whether any changes have occurred If so the VPN connection will be established to the new IP address Refresh Interval sec Default 300 6 170 PHOENIX CONTACT 8334_en_01 Configuration 6 7 2 IPsec VPN gt gt Connections Requirements for a VPN connection A general requirement for a VPN connection is that the IP addresses of the VPN partners are known and can be accessed FLMGUARDs provided in Stealth network mode are preset to the multiple clients Stealth configuration In this mode you need to configure a management IP address and default gateway if you want to use VPN connections see page 6 66 Alternatively yo
174. dresses but with two addresses exceptions Under Internal virtual IP addresses IP addresses are defined for devices which belong to the internal Ethernet segment These devices must use the IP address as their default gateway These addresses can be used as a DNS or NTP server when the FL MGUARD is configured as a server for the protocols For each virtual IP address an actual IP address must be configured whose IP network accommodates the virtual address The response to ICMP queries with internal virtual IP addresses is independent from the settings made under Network Security gt gt Packet Filter gt gt Advanced Encrypt the state Yes No messages If Yes is selected the presence notifications for state synchronization are encrypted Passphrase The password is changed as described under Passphrase for availability checks on page 6 219 Only deviate from the prescribed approach if an incorrect password has been inadvertently entered How to proceed in the event of an incorrect password a If you have inadvertently entered an incorrect password on an FL MGUARD you cannot simply reenter the password using the correct one Otherwise in the event of adverse circumstances this may result in both FL MGUARD devices being active Case 1 Only one FL MGUARD has an incorrect password The process of changing the password has not yet begun on the other FL MGUARD e Reconfigure the FL MGUARD on which th
175. ds Enable SSH remote access Yes w remote administration only Delay between requests for a sign of life The value 0 indicates that these 7 senais messages will not be sent Maximum number of missing signs 3 of life Concurrent Session Limits Maximum number of concurrent 4 sessions for role admin Maximum number of concurrent 2 sessions for role netadmin Maximum number of concurrent 2 sessions for role audit Allowed Networks Lg 1D Prratraccemn VP nena asi 240 1430 Toae SN Frome interface tction Comment Tc sh 10 1 0 0 16 External w Accept w 5 No v 2 192 168 67 0 24 Extemal ow Accept w No v RADIUS Authentication Use RADIUS authentication for Shell No access Please note Even if RADIUS is the only method for password authentication root is stil able to authenticate with the local password at the serial console X 509 Authentication Enable X 509 certificates for SSH Ye ew access SSH server certificate mguard hh kunde de v gt x O SSH RootCA 01 w f SSH SubCA01 w sx e CN OU Admin O admin v gt x Krafti Herbet w root v sO Findig Petra v root v Management gt gt System Settings gt gt Shell Access Shell Access When SSH remote access is enabled the FL MGUARD can be configured from remote computers using the command line This option is disabled by default NOTE If remote access is enabled ensure that secure passwords are
176. e Snapshot Hardware Information Hardware Innominate mGuard rs2000 CPU 300c3 CPU Family mpc83xx CPU Stepping 1 0 CPU Clock Speed 330 MHz System Temperature 34 5 C System Uptime 4 min User Space Memory 126532 kB MAC 1 00 0c be 04 10 3a MAC 2 00 0c be 04 10 3b MAC 3 00 0c be 04 10 3c MAC 4 00 0c be 04 10 3d Product Name mGuard rs2000 TX TX OEM Name innominate OEM SerialNumber 2030749866 Serial Number 2030749866 Flash ID N205d28323633151c1aa2d7cdcScceae3eS Hardware Version 00003200 Version Parameterset 4 Version of the bootloader BootLoader 2 3 5 default Version of the rescue system MGUARD2 Rescue 1 8 1 default Current root filesystem rootfs2 6 11 2 2 Snapshot This function is used for support purposes Support Advanced Haraware Snapshot Support Snapshot This will create a snapshot of the mGuard for support purposes It creates a compressed file in tar gz format containing all active configuration settings and log entries that could be relevant for error diagnostics This file does not contain any private information such as private machine certificates or passwords However any pre shared keys of VPN connections are contained in the snapshots To create a snapshot proceed as follows e Click on Download e Save the file under the name snapshot tar gz Provide the file to the support team if required 6 240 PHOENIX CONTACT 8334_en_01 Configuratio
177. e and if so how The settings are the same as those for the external interface See above Factory default 192 168 1 30 192 168 1 31 for new addresses See above Factory default 192 168 1 30 192 168 1 31 for new addresses 6 226 PHOENIX CONTACT 8334_en_01 Configuration 6 9 2 Redundancy gt gt FW Redundancy Status 6 9 2 1 Redundancy Status Current State e a G sue dis dy fe ding and fih k traffic t s u Wed Nov 9 11 59 13 CET 2011 Status of the Components Availability Check Received no CARP announcements from another mGuard Wed Oct 28 15 49 20 CEST 2011 Availability Check papery Received no CARP announcements from another mGuard Wed Oct 26 15 49 19 CEST 2011 Availability Check Interface for State Synchronization Received no CARP announcements from another mGuard Wed Oct 26 15 49 20 CEST 2011 Connectivity Check External Interface The check is successful Wed Nov 9 11 59 06 CET 2011 Connectivity Check Internal Interface The check is successful Wed Oct 26 15 49 17 CEST 2011 Phrase Swap Controller Availability Check s Phrase The configured phrase is in use Wed Oct 26 15 49 20 CEST 2011 Phrase Swap Controller Phrase of the Encrypted State Synchronization The configured phrase is in use 5 State Replication Connection Tracking Table The database is up to date State Replication IPsec VPN Connections The database is up to date Virtual Interface Controller Virtual Interface s Forwardin
178. e licence lic Make sure that this is the correct license file for the device see Management gt gt Update on page 6 34 Then restart the inetd process to apply the configuration changes If a different mechanism should be used e g xinetd please consult the relevant documentation 8 6 PHOENIX CONTACT 8334_en_01 Glossary 9 Glossary AES Asymmetrical encryption CA certificate AES Advanced Encryption Standard has been developed by NIST National Institute of Standards and Technology over the course of many years of cooperation with industry This symmetrical encryption standard has been developed to replace the earlier DES standard AES specifies three different key lengths 128 192 and 256 bits In 1997 NIST started the AES initiative and published its conditions for the algorithm From the many proposed encryption algorithms NIST selected a total of five algorithms for closer examination MARS RC6 Rijndael Serpent and Twofish In October 2000 the Rijndael algorithm was adopted as the encryption algorithm In asymmetrical encryption data is encrypted with one key and decrypted with a second key Both keys are suitable for encryption and decryption One of the keys is kept secret by its owner private key while the other is made available to the public public key i e to potential communication partners A message encrypted with the public key can only be decrypted and read by the owner
179. e FL MGUARD interface the certificate copy given here by partner B to A is an example of a remote certificate For reciprocal authentication to take place both partners must thus provide the other with a copy of their certificate in advance in order to identify themselves A installs the copy of the certificate from B as its remote certificate B then installs the copy of the certificate from A as its remote certificate Never provide the PKCS 12 file file name extension p12 as a copy of the certificate to the partner in order to use X 509 authentication for communication at a later time The PKCS 12 file also contains the private key that must be kept secret and must not be given to a third party see Creation of certificates on page 6 117 To create a copy of a machine certificate imported in the FL MGUARD proceed as follows e Onthe Machine Certificates tab page click on Current Certificate File next to the Download Certificate row for the relevant machine certificate see Machine certificates on page 6 122 6 116 PHOENIX CONTACT 8334_en_01 Configuration CA certificates Creation of certificates Authentication methods The certificate shown by a partner can also be checked by the FL MGUARD in a different way i e not by consulting the locally installed remote certificate on the FL MGUARD To check the authenticity of possible partners in accordance with X 509 the method described below of consulti
180. e also visible DHCP server relay Messages from the services defined under Network gt DHCP SNMP LLDP Messages from services defined under Management gt SNMP IPsec VPN Lists all VPN events The format corresponds to standard Linux format There are special evaluation programs that present information from the logged data ina more easily readable format 8334_en_01 PHOENIX CONTACT 6 237 FL MGUARD 2 6 11 Support menu 6 11 1 Support gt gt Tools 6 11 1 1 Ping Check Support Tools Ping Check Traceroute DNS Lookup IKE Ping Ping Check Hostname IP Address myWebserver aid Support gt gt Tools gt gt Ping Check Ping Check Aim To check whether a partner can be accessed via a network How to proceed e Enter the IP address or host name of the partner in the Hostname IP Address field Then click on Ping A corresponding message is then displayed 6 11 1 2 Traceroute Support Tools PingCheck Traceroute DNS Lookup IKE Ping Traceroute Hostname P Address myWebServer Do not resolve IP addressesto gt hostnames Support gt gt Tools gt gt Traceroute Traceroute Aim To determine which intermediate points or routers are located on the connection path to a partner How to proceed e Enter the host name or IP address of the partner whose route is to be determined in the Hostname IP Address field e Ifthe points on the route are to be outpu
181. e any of these programs for address assignment This section explains IP address assignment using the IP assignment tool Windows software IPAssign exe This software can be downloaded free of charge at www phoenixcontact net catalog Notes for BootP During initial startup the FL MGUARD transmits BootP requests without interruption until it receives a valid IP address After receiving a valid IP address the FL MGUARD no longer sends BootP requests The FL MGUARD can then no longer be accessed via IP address 192 168 1 1 After receiving a BootP reply the FL MGUARD no longer sends BootP requests not even after it has been restarted For the FL MGUARD to send BootP requests again it must either be set to the default settings or one of the procedures recovery or flash must be performed Requirements The FL MGUARD is connected to a computer using a Microsoft Windows operating system IP address assignment using IPAssign exe Step 1 Downloading and executing the program e On the Internet select the link www phoenixcontact net catalog e Enter Order No 2832700 in the search field for example The BootP IP addressing tool can be found under Configuration file e Double click on IPAssign exe e Inthe window that opens click on Run Step 2 IP Assignment Wizard The program opens and the start screen of the addressing tool appears The program is mostly in English for international purposes However the program button
182. e cache of the calling computer IP The IP address assigned to the host name in this table row Delete domain with all Delete the corresponding table entry assignment pairs 6 100 PHOENIX CONTACT 8334_en_01 Configuration Example Local Resolving The Local Resolving of Hostnames function is used in the following scenario of Hostnames for example A plant operates a number of identically structured machines each one as a cell The local networks of cells A B and C are each connected to the plant network via the Internet using the FL MGUARD Each cell contains multiple control elements which can be addressed via their IP addresses Different address areas are used for each cell A service technician should be able to use his notebook on site to connect to the local network for machine A B or C and to communicate with the individual controllers So that the technician does not have to know and enter the IP address for every single controller in machine A B or C host names are assigned to the IP addresses of the controllers in accordance with a standardized diagram that the service technician uses The host names used for machines A B and C are identical i e the controller for the packing machine in all three machines has the host name pack for example However each machine is assigned an individual domain name e g cell a example com The service technician can connect his notebook to the local network at machine
183. e corresponding IPsec SA or until the IPsec SA has been renewed To avoid having an insufficient sequential number for the outgoing IPsec SA VPN redundancy adds a constant value to the sequential number for each outgoing IPsec SA before the FL MGUARD becomes active This value is calculated so that it corresponds to the maximum number of data packets which can be sent through the VPN channel during the maximum fail over switching time In the worst case 1 Gigabit Ethernet and a switching time of 10 seconds this is 0 5 of an IPsec sequence At best this is only a per thousand value 7 18 PHOENIX CONTACT 8334_en_01 Redundancy Adding a constant value to the sequential number prevents the accidental reuse of a sequence number already used by the other FL MGUARD shortly before it failed Another effect is that ESP packets sent from the previously active FL MGUARD are dropped by the VPN partner if new ESP packets are received earlier from the FL MGUARD that is currently active To do this the latency on the network must differ from the fail over switching time An error interrupts the initial establishment of the ISAKMP SA or IPsec SA If an error interrupts the initial establishment of the ISAKMP SA or IPsec SA the FL MGUARD on standby can continue the process seamlessly as the state of the SA is replicated synchronously The response to an IKE message is only sent from the active FL MGUARD after the FL MGUARD on standby has confi
184. e default gateway Usually this is the internal IP address of the FL MGUARD Address of the server used by the computer to resolve host names in IP addresses via the Domain Name Service DNS If the DNS service of the FL MGUARD is to be used enter the internal IP address of the FL MGUARD here 6 104 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt DHCP gt gt Internal DHCP WINS server Static Mapping according to MAC address Address of the server used by the computer to resolve host names in addresses via the Windows Internet Naming Service WINS To find out the MAC address of your computer proceed as follows Windows 95 98 ME e Start winipcfg in a DOS box Windows NT 2000 XP e Start ipconfig all in a prompt The MAC address is displayed as the Physical Address Linux Call sbin ifconfig or ip link show in a shell The following options are available MAC address of the client computer without spaces or hyphens Client s IP address Client IP Address The static IP address of the computer to be assigned to the MAC address Static assignments take priority over the dynamic IP address pool Static assignments must not overlap with the dynamic IP address pool Do not use one IP address in multiple static assignments otherwise multiple MAC addresses will be assigned to this IP address Only one DHCP server should be used per subnetwork
185. e incorrect password was entered so that it uses the old password e Wait until the FL MGUARD indicates that the old password is being used e Then enter the correct password Case 2 The other FL MGUARD is already using the new password e The status of both FL MGUARD devices must be such that they are using an old password but expecting a new one red cross To ensure that this is the case enter random passwords successively e Finally generate a secure password and enter it on both FL MGUARD devices This password is used immediately without any coordination During this process the state of the FL MGUARD on standby may briefly switch to outdated However this situation resolves itself automatically Encryption Algorithm DES 3DES AES 128 AES 192 AES 256 See Algorithms on page 6 196 8334_en_01 PHOENIX CONTACT 6 223 FL MGUARD 2 Redundancy gt gt Firewall Redundancy gt gt Redundancy Checksum Algorithm Hash Algorithm Interface used for synchronizing the state Interface for state synchronization IP of the dedicated interface Disable the availability check at the external interface MD5 SH1 SHA 256 SHA 512 See Algorithms on page 6 196 Internal Interface Dedicated Interface The redundant pair can be connected through an additional dedicated Ethernet interface or an interconnected switch On a Dedicated Interface presence notifications CARP are also listened for on t
186. e number of VPN connections affected the performance of the FL MGUARD and VPN partners and the latency of the FL MGUARD devices on the network If this is not feasible for redundancy the VPN partners of a redundant pair must be configured so that they accept all certificates whose validity is confirmed by a set of specific CA certificates see CA certificates on page 6 124 and Authentication on page 6 186 To do this select Signed by any trusted CA under Psec VPN gt gt Connections gt gt Edit gt gt Authentication Remote CA Certificate If the new machine certificate is issued from a different sub CA certificate the VPN partner must be able to recognize this before the redundant pair can use the new machine certificate The machine certificate must be replaced on both FL MGUARD devices in a redundant pair However this is not always possible if one cannot be reached This might be the case in the event of a network failure for example The FL MGUARD on standby may then have an obsolete machine certificate when it becomes active This is another reason for setting the VPN partners so that they use both machine certificates The machine certificate is normally also replicated with the corresponding key during VPN state synchronization In the event of a fail over the other FL MGUARD can take over and even continue establishing incomplete ISAKMP SAs Switching the remote certificates for a VPN connection The F
187. e ongoing ping tests is to check whether specific destinations can be reached via the primary external interface When they cannot be reached the secondary external interface is activated until they can be reached again Type Destination Specify the ping Type of the ping request packet that the FL MGUARD is to send to the device with the IP address specified under Destination Multiple ping tests can be configured for different destinations Success failure A ping test is successful if the FL MGUARD receives a positive response to the sent ping request packet within 4 seconds If the response is positive the partner can be reached 6 70 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt General continued Secondary External Interface continued Probe Interval seconds Ping types IKE ping Determines whether a VPN gateway can be reached at the IP address specified ICMP ping Determines whether a device can be reached at the IP address specified This is the most common ping test However the response to this ping test is disabled on some devices This means that they do not respond even though they can be reached DNS ping Determines whether an operational DNS server can be reached at the IP address specified A generic request is sent to the DNS server with the specified IP address and every DNS server that can be reached responds to this request Please note the
188. e reached during normal practical operation However it can be easily reached in the event of attacks thus providing additional protection If there are special requirements in your operating environment this value can be increased Connections established from the FL MGUARD are also counted This value must therefore not be set too low as this will otherwise cause malfunctions Yes No default No SYN is a special data packet used in TCP IP connection establishment that marks the beginning of the connection establishment process No default The FLMGUARD also allows connections where the beginning has not been registered This means that the FL MGUARD can perform a restart when a connection is present without interrupting the connection Yes The FL MGUARD must have registered the SYN packet of an existing connection Otherwise the connection is aborted If the FL MGUARD performs a restart while a connection is present this connection is interrupted Attacks on and the hijacking of existing connections are thus prevented If a TCP connection is not used during the time period specified here the connection data is deleted A connection translated by NAT not 1 1 NAT must then be reestablished If Yes is set under Allow TCP connections upon SYN only all expired connections must be reestablished The default setting is 432000 seconds 5 days 6 140 PHOENIX CONTACT 8334_en_01 Configuration Network Se
189. e remote FL MGUARD user must use a password to log into the FL MGUARD The password is specified under the Authentication gt gt Administrative Users menu see page 6 108 The option of RADIUS authentication is also available See page 6 113 Depending on which user ID is used to log in user or administrator password the user has the right to operate and or configure the FL MGUARD accordingly Login with X 509 client certificate or password User authentication is by means of login with a password see above The user s browser authenticates itself using an X 509 certificate and a corresponding private key Additional details must be specified here The use of either method depends on the web browser of the remote user The second option is used when the web browser provides the FL MGUARD with a certificate Login restricted to X 509 client certificate The user s browser must use an X 509 certificate and the corresponding private key to authenticate itself Additional details must be specified here Before enabling the Login restricted to X 509 client certificate setting you must first select and test the Login with X 509 client certificate or password setting Only switch to Login restricted to X 509 client certificate when you are sure that this setting works Otherwise your access could be blocked Always take this safety precaution when modifying settings under User authentication
190. e than once During the configuration of SSH Management gt gt System Settings Shell Access menu HTTPS Management gt gt Web Settings Access menu VPN connections IPsec VPN gt gt Connections menu the certificates imported on the FL MGUARD are provided in a selection list The certificates are displayed under the short name specified for each individual certificate on this page For this reason name assignment is mandatory Creating a certificate copy You can create a copy of the imported machine certificate e g for the partner in order to authenticate the FL MGUARD This copy does not contain the private key and can therefore be made public at any time To do that e Click on Current Certificate File next to the Download Certificate row for the relevant machine certificate e Enter the desired information in the dialog box that opens 8334_en_01 PHOENIX CONTACT 6 123 FL MGUARD 2 6 4 4 3 CA certificates CA certificates are certificates issued by a certification authority CA CA certificates are used to check whether the certificates shown by partners are authentic The checking process is as follows The certificate issuer CA is specified as the issuer in the certificate transmitted by the partner These details can be verified by the same issuer using the local CA certificate For a more detailed explanation see Authentication gt gt Certificates on page 6 115 Example of i
191. e to be imported created under C FS Integrity Monitoring gt gt Importable Shares gt gt Edit 1 External 2 and Dial in only apply to the FL MGUARD RS4000 see Network gt gt Interfaces on page 6 56 8334_en_01 PHOENIX CONTACT 6 161 FL MGUARD 2 Accessing the virtual network CIFS Antivirus Scan Connector The virtual network drive provided by the FL MGUARD for the CIFS Antivirus Scan Connector can be integrated in Windows Explorer To do this open the Tools Map Network Drive menu in Windows Explorer and enter the path using UNC notation This path is displayed under CIFS Integrity Monitoring gt gt CIFS AV Scan Connector gt gt Accessible as lt External IP of FL MGUARD gt lt Name of the exported share gt lt Internal IP of FL MGUARD gt lt Name of the exported share gt Example 10 1 66 49 exported av share 192 168 66 49 exported av share Alternatively you can enter the net use command in the command line For further information please refer to the Microsoft product information Notes DNS names can also be used instead of the IP address The authorized network cannot be found using the browse or search function The Exported share s name must always be added Windows does not automatically display the authorized network drive upon connection of the FL MGUARD 6 162 PHOENIX CONTACT 8334_en_01 Configuration 6 7 IPsec VPN menu 6 7 1 IPsec VPN
192. e top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored From IP Interface Action Comment Log 1 Enter the address of the computer or network from which remote access is permitted or forbidden in this field The following options are available An IP address To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 0 0 0 0 0 means all addresses External Internal External 2 VPN Dial in Specifies to which interface the rule should apply If no rules are set or if no rule applies the following default settings apply SNMP monitoring is permitted via Internal VPN and Dial in Access via External and External 2 is refused Specify the monitoring options according to your requirements NOTE If you want to refuse access via nternal VPN or Dial in you must implement this explicitly by means of corresponding firewall rules for example by specifying Drop as an action To prevent your own access being blocked you may have to permit access simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting Otherwise if your access is blocked you must carry out the recovery procedure Accept means that the data packets may pass through Rejec
193. eartbeat state Green Flashing Heartbeat The device is connected correctly and is operating Red Flashing System error Restart the device e Press the Rescue button for 1 5 seconds e Alternatively briefly disconnect the device power supply and then connect it again If the error is still present start the recovery procedure see Performing a recovery procedure on page 8 2 or contact the Support team 1and3 Green ON or flashing Ethernet status LED 1 indicates the status of the LAN port LED 3 the status of the WAN port As soon as the device is connected to the network a continuous light indicates that there is a connection to the network partner When data packets are transmitted the LED goes out briefly 1 2 3 Various LED light codes Recovery mode After pressing the Rescue button See Restart recovery procedure and flashing the firmware on page 8 1 8334_en_01 PHOENIX CONTACT 3 3 FL MGUARD 2 3 4 PHOENIX CONTACT 8334_en_01 Startup 4 Startup gt D 4 1 Safety notes To ensure correct operation and the safety of the environment and of personnel the FL MGUARD must be installed operated and maintained correctly WARNING Intended use Only use the FL MGUARD in an appropriate way and for its intended purpose WARNING Only connect LAN installations to RJ45 female connectors Only connect the FL MGUARD network ports to LAN installations S
194. ect 8334_en_01 PHOENIX CONTACT 6 115 FL MGUARD 2 Self signed certificates Certificate machine certificate Remote certificate A self signed certificate is one that is signed by the certificate owner and not by a CA In self signed certificates the name of the certificate owner appears under both ssuer and Subject Self signed certificates are used if communication partners want to or must use the X 509 authentication method without having or using an official certificate This type of authentication should only be used between communication partners that know and trust each other Otherwise from a security point of view such certificates are as worthless as for example a home made passport without the official stamp Certificates are shown to all communication partners users or machines during the connection process providing the X 509 authentication method is used In terms of the FL MGUARD this could apply to the following applications Authentication of communication partners when establishing VPN connections see IPsec VPN gt gt Connections on page 6 171 Authentication on page 6 186 Management of the FL MGUARD via SSH shell access see Management gt gt System Settings on page 6 4 Shell Access on page 6 11 Management of the FL MGUARD via HTTPS see Management gt gt Web Settings on page 6 21 Access on page 6 22 Certificates can be used to ident
195. ect Yes Log Server IP address Specify the IP address of the log server to which the log entries should be transmitted via UDP An IP address must be specified not a host name This function does not support name resolution because it might not be possible to make log entries if a DNS server failed Log Server port Specify the port of the log server to which the log entries normally 514 should be transmitted via UDP Default 514 If SysLog messages should be transmitted to a SysLog server via a VPN channel the IP address of the SysLog server must be located in the network that is specified as the Remote network in the definition of the VPN connection The internal IP address in Stealth mode Stealth Management IP Address or Virtual IP must be located in the network that is specified as Local in the definition of the VPN connection see Defining a VPN connection VPN connection channels on page 6 173 8334_en_01 PHOENIX CONTACT 6 233 FL MGUARD 2 Logging gt gt Remote Logging If the Enable 1 to 1 NAT of the local network to an internal network option is set to Yes see 1 1 NAT on page 6 185 the following applies The internal IP address in Stealth mode Stealth Management IP Address or Virtual IP must be located in the network that is specified as the Internal network address for local 1 to 1 NAT If the Enable 1 to 1 NAT of the remote network to a different network option is set to Yes see 1 1 NAT on page
196. ection to the FL MGUARD that a remote partner actively initiates and establishes If Yany is entered under Address of the remote site s VPN gateway Wait must be selected 8334_en_01 PHOENIX CONTACT 6 175 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt General Encapsulate the VPN traffic in TCP TCP Port of the server which accepts the encapsulated connection Only visible if Encapsulate the VPN traffic in TCP is set to Yes Transport and Tunnel Stealth mode Yes No default No If the TCP Encapsulation function is used see TCP Encapsulation on page 6 167 only set this option to Yes if the FL MGUARD is to encapsulate its own outgoing data traffic for the VPN connection it initiated In this case the number of the port where the partner receives the encapsulated data packets must also be specified When Yes is selected the FL MGUARD will not attempt to establish the VPN connection using standard IKE encryption UDP port 500 and 4500 Instead the connection is always encapsulated using TCP Default 8080 Number of the port where the encapsulated data packets are received by the partner The port number specified here must be the same as the one specified for the FL MGUARD of the partner under TCP port to listen on IPsec VPN gt gt Global gt gt Options menu item If TCP Encapsulation is used see page 6 167 Ifthe FL MGUARD is to establish a VPN
197. ed even after the firmware is flashed However licenses are still deleted when devices with older firmware versions are flashed to Version 5 0 0 or later Before flashing the license for using the new update must first be obtained so that the required license file is available for the flashing process 7 default 10 1 1 Innominate mGuard This applies to major release upgrades e g from Version 4 x y to Version 5 x y to Version 6 x y etc see Flashing the firmware rescue procedure on page 8 3 Management gt gt Licensing gt gt Overview General i Feature License Shows which functions are included with the installed FL MGUARD licenses e g the number of possible VPN tunnels whether remote logging is supported etc 6 2 3 2 Install This function is not available on the FL MGUARD RS2000 8334_en_01 PHOENIX CONTACT 6 31 FL MGUARD 2 More functions can be added later to the FL MGUARD license you have obtained You will Management Licensing Overview Install Terms of License Automatic License Installation SS Number Voucher Key fons Lenses Manual License Installation Order License D mos Durchsuchen Sua find a voucher serial number and a voucher key in the voucher included with the FL MGUARD The voucher can also be purchased separately It can be used to Request the required feature license file _ Install the license file that you receive fol
198. ed result success is only displayed if both were successful Shows whether the Ethernet connection has been established Number of completed check intervals When the counter is full a message is displayed in front of the number Repeats the setting for the connectivity check see Kind of check on page 6 225 Shows the time in milliseconds between the starts of the checks This value is calculated from the set fail over switching time 6 230 PHOENIX CONTACT 8334_en_01 Configuration Redundancy gt gt FW Redundancy Status gt gt Connectivity Status Internal Interface Timeout per interval and set of targets Results of the last 16 intervals youngest first Results of the primary targets Results of the secondary targets Summarized result Ethernet link status Number of check intervals Check interval Timeout per interval and set of targets Results of the last 16 intervals youngest first Shows the time in milliseconds after which a target is classed as no response if no response to the ICMP echo request has been received This value is calculated from the set fail over switching time A green plus indicates a successful check Ared minus indicates a failed check Only visible when a primary target is set see Primary targets for ICMP echo requests on page 6 225 Shows the results of the ICMP echo requests in chronological order The most recent result is at the top sR
199. een carried out Progress of the Only displayed if a check is currently active current check CIFS Integrity Monitoring CIFS Integrity Status pc x7 scan Status Actions Possible Actions for pc x7 scan eames check report een es Ga now Cancel the currently running tegrty ene Mall Re Build the integrity Perform this ifthe checked pease note This will erase an already existing integrity database shares content has been changed intentionally Cancel the creation of the integrity database plssse note Unless appointed otherwise the creation will be started at the time of the next regular check Erase reports and the integrity Please note Unless appointed otherwise the integrity database will be re created at the time of the next regular check CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Actions Possible Actions for Verify the validity of Click on Validate the report to check whether the report is the recent check unchanged from the definition in the FL MGUARD according report to the signature and certificate Start an integrity Click on Start a check to start the integrity check heck right n F ATRE Meneses Only displayed if a check is not currently active Cancel the currently Click on Cancel to stop the integrity check running integrity check Only displayed if a check is currently active 8334_en_01 PHOENIX CONTACT 6 157 FL MGUARD 2 CIFS Inte
200. einstalled on the device see Section 8 3 Flashing the firmware rescue procedure or if the battery did not supply the built in clock with sufficient voltage for a period when the device was switched off Here you can set the FL MGUARD time if no NTP server has been set up see below or the NTP server cannot be accessed The date and time are specified in the format YYYY MM DD HH MM SS YYYY Year MM Month DD Day HH Hour MM Minute SS Second If a current local time that differs from Greenwich Mean Time is to be displayed under Current system time you must enter the number of hours that your local time is ahead of or behind Greenwich Mean Time Example In Berlin the time is one hour ahead of GMT Therefore enter CET 1 In New York the time is five hours behind Greenwich Mean Time Therefore enter CET 5 The only important thing is the 1 2 or 1 etc value as only these values are evaluated not the preceding letters They can be CET or any other designation such as UTC If you wish to display Central European Time e g for Germany and have it automatically switch to from daylight saving time enter CET 1CEST M3 5 0 M10 5 0 3 If this option is set to Yes the FL MGUARD writes the current system time to its memory every two hours If the FL MGUARD is switched off and then on again a time from this two hour time slot is displayed not a time on January 1 2000 8334_en_01 PHOENIX CO
201. elevant entries afterwards If it is not used the affected data packets are routed via the default gateway specified for the client Networks tobe routed over A T e alternative gateways Network Specify the network in CIDR format see CIDR Classless Inter Domain Routing on page 6 241 6 66 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt General Stealth network mode Static Stealth Configuration Secondary External Interface This menu item is not included in the scope of functions for the FL MGUARD RS2000 Gateway The gateway via which this network can be accessed The routes specified here are mandatory routes for data packets created by the FL MGUARD This setting has priority over other settings see also Network example diagram on page 6 242 Client s IP address The IP address of the computer connected to the LAN port Client s MAC address The physical address of the network card of the local computer to which FL MGUARD is connected e The MAC address can be determined as follows In DOS Start Programs Accessories Command Prompt enter the following command ipconfig all The MAC address does not necessarily have to be specified The FL MGUARD can automatically obtain the MAC address from the client The MAC address 0 0 0 0 0 0 must be set in order to do this Please note that the FL MGUARD can only forward network packets to the client once the MAC addre
202. en no response to the peer is assumed dead Keep Alive requests Default setting 120 seconds a Ifthe FL MGUARD finds that a connection is dead it responds according to the setting under Connection startup see definition of this VPN connection under Connection startup on the General tab page 6 198 PHOENIX CONTACT 8334_en_01 Configuration 6 7 4 IPsec VPN gt gt L2TP over IPsec These settings are not applied in Stealth mode Allows VPN connections to the FL MGUARD to be established using the IPsec L2TP protocol In doing so the L2TP protocol is driven using an IPsec transport connection in order to establish a tunnel connection to a Point to Point Protocol PPP Clients are automatically assigned IP addresses by the PPP In order to use IPsec L2TP the L2TP server must be activated and one or more IPsec connections with the following properties must be defined Type Transport Protocol UDP Local Port all Remote Port all PFS No See also Further settings can be made by clicking on More on page 6 180 and IKE Options on page 6 195 6 7 4 1 L2TP Server L2TP Server Settings Start L2TP Server for No wv IPsec L2TP Local IP for L2TP connections 10 106 106 1 Remote IP range start 10 106 106 2 Remote IP rangeend 10 106 106 254 Please note These settings don t apply to the Stealth mode Status The L2TP daemon isn t running IPsec VPN
203. ent gt gt System Settings on page 6 4 Shell Access on page 6 11 Assigning names simplifies the administration of multiple FL MGUARD devices User defined from field below Default The name entered in the Hostname field is the name used for the FL MGUARD If the FL MGUARD is running in Stealth mode the User defined option must be selected under Hostname mode Provider defined e g via DHCP If the selected network mode permits external setting of the host name e g via DHCP the name supplied by the provider is assigned to the FL MGUARD If the User defined option is selected under Hostname mode enter the name that should be assigned to the FL MGUARD here Otherwise this entry will be ignored i e if the Provider defined option e g via DHCP is selected under Hostname mode This option makes it easier for the user to enter a domain name If the user enters the domain name in an abbreviated form the FL MGUARD completes the entry by appending the domain suffix that is defined here under Domain search path Aname that can be freely assigned to the FL MGUARD for administration purposes e g Hermes Pluto Under SNMP sysName A description of the installation location that can be freely assigned e g Hall IV Corridor 3 Control cabinet Under SNMP sysLocation The name of the contact person responsible for the FL MGUARD ideally including the phone number Under SN
204. ent contents of the Flash memory and prepares for a new firmware installation The reaction of the device depends on its type FL MGUARD RS4000 2000 The STAT MOD and SIG LEDs form a light sequence FL MGUARD SMART2 The three green LEDs form a light sequence The jffs2 img p7s firmware file is downloaded from the TFTP server or SD card and written to the Flash memory This file contains the actual FL MGUARD operating system and is signed electronically This process takes approximately 3 to 5 minutes The reaction of the device depends on its type FL MGUARD RS4000 2000 The STAT LED is lit continuously FL MGUARD SMART2 The middle LED Heartbeat is lit continuously The new firmware is extracted and configured This takes approximately 1 to 3 minutes As soon as the procedure has been completed the following occurs FL MGUARD RS4000 2000 The STAT MOD and SIG LEDs flash green simultaneously FL MGUARD SMART2 All 3 LEDs flash green simultaneously e Restart the FL MGUARD e Briefly press the Rescue button Alternatively you can disconnect and reconnect the power supply On the FL MGUARD SMART2 you can disconnect and insert the USB cable as it is only used for power supply The FL MGUARD is in the delivery state You can now reconfigure it see Establishing a local configuration connection on page 5 9 8 4 PHOENIX CONTACT 8334_en_01
205. er Via VPN then the FL MGUARD supports queries from a RADIUS server through its VPN connection This happens automatically whenever the RADIUS server belongs to the remote network of a configured VPN tunnel and the FL MGUARD has an internal IP address belonging to the local network of the same VPN tunnel This makes the authentication query dependent on the availability of a VPN tunnel During configuration ensure that the failure of a single VPN tunnel does not prevent administrative access to the FL MGUARD Port The port number used by the RADIUS server 6 114 PHOENIX CONTACT 8334_en_01 Configuration Authentication gt gt RADIUS Servers Certificate Secret RADIUS server password This password must be the same as on the FL MGUARD The FL MGUARD uses this password to exchange messages with the RADIUS server and to encrypt the user password The RADIUS server password is not transmitted in the network The password is important for security since the FL MGUARD can be rendered vulnerable to attack at this point if passwords are too weak We recommend a password with at least 32 characters and several special characters It must be changed on a regular basis If the RADIUS secret is discovered an attacker can read the user password for the RADIUS authentication queries An attacker can also falsify RADIUS responses and gain access to the FL MGUARD if they know the user names These user names are
206. er a suitable answer In this way configurations can be supported where the devices are only optionally equipped with ICMP echo requests If all targets of one set must respond is selected then both targets must answer If no secondary target is specified then only the primary target must answer If Ethernet link detection only is selected then only the state of the Ethernet connection is checked 8334_en_01 PHOENIX CONTACT 6 225 FL MGUARD 2 Redundancy gt gt Firewall Redundancy gt gt Connectivity Checks Internal interface Primary targets for ICMP echo requests Secondary targets for ICMP echo requests Kind of check Primary targets for ICMP echo requests Secondary targets for ICMP echo requests This is an unsorted list of IP addresses used as targets for ICMP echo requests We recommend using the IP addresses of routers especially the IP addresses of default gateways or the actual IP address of the other FL MGUARD Default 10 0 0 30 10 0 0 31 for new addresses Each set of targets for state synchronization can contain a maximum of ten targets See above Only used if the check of the primary targets has failed Failure of a secondary target is not detected in normal operation Default 10 0 0 30 10 0 0 31 for new addresses Each set of targets for state synchronization can contain a maximum of ten targets Specifies whether a connectivity check is performed on the internal interfac
207. er failure 6 46 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt SNMP gt gt Trap Agent external config storage temperature CIFS integrity traps Successful integrity This menu item is not included check of a CIFS share in the scope of functions for the FL MGUARD RS2000 FL MGUARDTrapSenderlndustrial enterpriseSpecific FL MGUARDTrapSignalRelais 3 FL MGUARDTResSignalRelaisState FL MGUARDTEsSignlalRelaisRea son FL MGUARDTResSignal RelaisReasonldx enterprise oid generic trap specific trap additional Sent after the alarm contact is changed and indicates the current status 0 Off 1 On Activate traps Yes No enterprise oid FL MGUARDTrapindustrial generic trap enterpriseSpecific specific trap FL MGUARDTrapIndustrialTempera ture 1 additional FL MGUARDSystemTemperature FL MGUARDTrapIndustrialTempHi Limit FL MGUARDTrapIndustrialLowLimit The trap indicates the temperature in the event of the temperature exceeding the specified limit values enterprise oid FLMGUARDTrap Industrial genericTrap enterpriseSpecific specific trap FL MGUARDTrapAutoConfigAdapter State 4 additional FL MGUARDTrapAutoConfigAdapter Change This trap is sent after access to the ECS Activate traps Yes No enterprise oid FLMGUARDTraPCIFSScan generic trap enterpriseSpecific specific trap FL MGUARD
208. er the partner is operating with MD5 SHA 1 SHA 256 SHA 384 or SHA 512 The encryption algorithms SHA 256 and SHA 512 are supported by all FL MGUARD devices However not all FL MGUARD devices accelerate the algorithms via hardware On the other FL MGUARD devices MD5 and SHA1 are accelerated with hardware Only the FL MGUARD SMART2 and FL MGUARD RS4000 2000 also accelerate SHA 256 via hardware IPsec SA Data Exchange In contrast to ISAKMP SA key exchange see above the procedure for data exchange is defined here It does not necessarily have to differ from the procedure defined for key exchange Algorithms See above 6 196 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt IKE Options Perfect Forward Method for providing increased security during data Secrecy PFS transmission With IPsec the keys for data exchange are renewed at defined intervals With PFS new random numbers are negotiated with the partner instead of being derived from previously agreed random numbers The partner must have the same entry We recommend activation for security reasons Select Yes if the partner supports PFS partner is an IPsec L2TP client B Set Perfect Forward Secrecy PFS to No if the Lifetimes and Limits The keys of an IPsec connection are renewed at defined intervals in order to increase the difficulty of an attack on an IPsec connection ISAKMP SA L
209. erface see Network gt gt Interfaces on page 6 56 6 112 PHOENIX CONTACT 8334_en_01 Configuration 6 4 2 3 Status When the user firewall is activated its status is displayed here Authentication Firewall Users Firewall Users i Access i Status Status No users are logged in 6 4 3 Authentication gt gt RADIUS Servers RADIUS Servers RADIUS Servers RADIUS timeout 3 seconds RADIUS retries 3 F i radius1 example com No v 1812 secret i radius2 example com Yes v 1812 secret A RADIUS server is a central authentication server used by devices and services for checking user passwords The password is not known to these devices and services Only one or a number of RADIUS servers know the password The RADIUS server also provides the device or service that a user wishes to access with further information about the user e g the group to which the user belongs In this way all user settings can be managed centrally In order to activate RADIUS authentication Yes must be set under Authentication gt gt Firewall Users Enable group authentication sub item and RADIUS selected as the Authentication Method Under Authentication gt gt RADIUS Servers a list of RADIUS servers is generated for use by the FL MGUARD This list is also used when RADIUS authentication is activated for administrative access SSH HTTPS When RADIUS authentication is active the login attempt is forwarded
210. ery booting process unless the FL MGUARD has a built in clock FL MGUARD RS2000 FL MGUARD RS4000 and FL MGUARD SMART2 but not FL MGUARD SMART After initial time synchronization the FL MGUARD regularly compares the system time with the time servers Fine adjustment of the time is usually only made in the second range NTP State Displays the current NTP status Shows whether the NTP server running on the FL MGUARD has been synchronized with the configured NTP servers to a sufficient degree of accuracy If the system clock of the FL MGUARD has never been synchronized prior to activation of NTP time synchronization then synchronization can take up to 15 minutes The NTP server still changes the FL MGUARD system clock to the current time after a few seconds as soon as it has successfully contacted one of the configured NTP servers The system time of the FL MGUARD is then regarded as synchronized Fine adjustment of the time is usually only made in the second range NTP Server Enter one or more time servers from which the FL MGUARD should obtain the current time If several time servers are specified the FL MGUARD will automatically connect to all of them to determine the current time 6 10 PHOENIX CONTACT 8334_en_01 Configuration Displayed when Enable X 509 certificates for SSH access is set to Yes 6 2 1 4 Shell Access Host Time and Date shett access Shell Access Session Timeout 0 secon
211. ery procedure The FL MGUARD is in Router or PPPoE mode The configured device address of the FL MGUARD differs from the default setting The current IP address of the device is not known e Slowly press the Rescue button six times The FL MGUARD responds after around two seconds FL MGUARD RS4000 2000 The State LED lights up green FL MGUARD SMART2 The middle LED lights up green e Slowly press the Rescue button again six times FL MGUARD RS4000 2000 If successful the State LED lights up green If unsuccessful the Error LED lights up red FL MGUARD SMART2 If successful the middle LED lights up green If unsuccessful the middle LED lights up red e f successful the device restarts after two seconds and switches to Stealth or Router mode The device can then be reached again at the corresponding addresses see Table Preset addresses on page 1 2 8 2 PHOENIX CONTACT 8334_en_01 Restart recovery procedure and flashing the firmware 8 3 Flashing the firmware rescue procedure Aim The entire firmware of the FL MGUARD should be reloaded on the device All configured settings are deleted The FL MGUARD is set to the delivery state In Version 5 0 0 or later of the FL MGUARD the licenses installed on the FL MGUARD are retained after flashing the firmware Therefore they do not have to be installed again Only firmware Version 5 1 0 or later can be installed
212. es The following options are available Protocol The update can be performed via HTTPS or HTTP Server Host name of the server that provides the update files Via VPN The update is performed via the VPN tunnel Default No B Updates via VPN are not supported if the relevant VPN tunnel has been disabled in the configuration see Section 6 7 2 IPsec VPN gt gt Connections and has only been temporarily opened via the service contact or CGI interface Login Login for the server Password Password for login 8334_en_01 PHOENIX CONTACT 6 37 FL MGUARD 2 es oe 6 2 5 Management gt gt Configuration Profiles 6 2 5 1 Configuration Profiles Management Configuration Profiles Configuration Profiles Configuration Profiles sero ae Stone Se Se ae omer un SRE STOTT HEE Seve Cosvert coneasetion ie Name for the new profile Upload Configuration to Profile Name for the new profile sdmin Filename Durchsuchen External Config Storage ECS The root password to save to the ECS eeeeeeee esa No w Save the current configuration to an ECS Automatically save configuration changes to sn ECS You can save the settings of the FL MGUARD as a configuration profile under any name on the FL MGUARD Itis possible to create multiple configuration profiles You can then switch between different profiles as required for example if the FL MGUARD is used in different e
213. es per se This happens regardless of whether or not a relevant firewall rule is available A scenario is conceivable in which the FL MGUARD allows the initiating data packet to pass through and then fails before the relevant connection entry has been made in the other FL MGUARD The other FLMGUARD may then reject the responses as soon as it becomes the active FL MGUARD The FL MGUARD cannot correct this situation due to the single sided connection As a countermeasure the firewall can be configured so that the connection can be established in both directions This is normally already handled via the protocol layer and no additional assignment is required Loss of data packets during state synchronization If data packets are lost during state synchronization this is detected automatically by the FL MGUARD which then requests the active FL MGUARD to send the data again This request must be answered within a certain time otherwise the FL MGUARD on standby is assigned the outdated state and asks the active FL MGUARD for a complete copy of all state information The response time is calculated automatically from the fail over switching time This is longer than the time for presence notifications CARP but shorter than the upper limit of the fail over switching time Loss of presence notifications CARP during transmission A one off loss of presence notifications CARP is tolerated by the FL MGUARD but it does not tolerate the los
214. ess or one of the external IP addresses of the FL MGUARD and to a specific port of the FL MGUARD are rewritten in order to forward them to a specific computer in the internal network and to a specific port on this computer In other words the IP address and port number in the header of incoming data packets are changed This method is also referred to as Destination NAT Port forwarding cannot be used for connections initiated via the External 21 interface 4 a os The rules defined here have priority over the settings made under Network Security gt gt Packet Filter gt gt Incoming Rules Protocol Specify the protocol to which the rule should apply TCP UDP GRE GRE GRE protocol IP packets can be forwarded However only one GRE connection is supported at any given time If more than one device sends GRE packets to the same external IP address the FL MGUARD may not be able to feed back reply packets correctly We recommend only forwarding GRE packets from specific transmitters These could be ones that have had a forwarding rule set up for their source address by entering the transmitter address in the From IP field e g 193 194 195 196 32 From IP The sender address for forwarding 0 0 0 0 0 means all addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 From Port The sender port for forwarding any refers to any port Either the po
215. ess are each assigned the value 255 The primary purpose of doing this is to enable a portion of the host address area to be borrowed and used for addressing subnetworks For example if the subnet mask 255 255 255 0 is used on a Class B network 2 bytes for the network address 2 bytes for the host address the third byte which was actually intended for host addressing can now be used for subnetwork addressing This computes to potential support for 256 subnetworks each with 256 hosts IP Security IPsec is a standard that uses encryption to verify the authenticity of the sender and to ensure the confidentiality and integrity of the data in IP datagrams gt Datagram on page 1 2 The components of IPsec are the Authentication Header AH the Encapsulating Security Payload ESP the Security Association SA and the Internet Key Exchange IKE At the start of the session the computers involved in the communication must determine which technique to use and the implications of this choice e g Transport mode or Tunnel mode In Transport mode an IPsec header is inserted between the IP header and the TCP or UDP header respectively in each IP datagram Since the IP header remains unchanged this mode is only suitable for host to host connections In Tunnel mode an IPsec header and a new IP header are prefixed to the entire IP datagram This means the original datagram is encrypted in its entirety and stored in the payload of the
216. et to temporary Probe Interval seconds 20 gt e Number of times all probes need to fail during subsequent runs before the secondary external interface is activated 2 DNS Mode use primary DNS settings untouched w ee ee User defined name servers if they should be reachable via the secondary external interface please configure a route for them If the operating mode of the secondary external interface is set to temporary the following is checked using periodic ping tests Can a specific destination or destinations be reached when data packets take the route based on all the routing settings specified for the FL MGUARD apart from those specified for the secondary external interface Only if none of the ping tests are successful does the FL MGUARD assume that it is currently not possible to reach the destination s via the primary external interface Ethernet interface or WAN port of the FL MGUARD In this case the secondary external interface is activated which results in the data packets being routed via this interface according to the routing setting for the secondary external interface The secondary external interface remains activated until the FL MGUARD detects in subsequent ping tests that the destination s can be reached again If this condition is met the data packets are routed via the primary external interface again and the secondary external interface is deactivated Therefore the purpose of th
217. ettings Each FL MGUARD is active during a network lobotomy The following occurs after the network lobotomy has been rectified If the FL MGUARD devices have different priorities the FL MGUARD with the higher priority becomes active and the other switches to standby If both FL MGUARD devices have the same priority an identifier sent with the presence notifications CARP determines which FL MGUARD becomes active Both FL MGUARD devices manage their own firewall state during the network lobotomy The active FL MGUARD retains its state Connections on the other FL MGUARD which were established during the lobotomy are dropped Fail over when establishing complex connections Complex connections are network protocols which are based on different IP connections One example of this is the FTP protocol In an FTP protocol the client establishes a control channel for a TCP connection The server is then expected to open another TCP connection over which the client can then transmit data The data channel on port 20 of the server is set up while the control channel on port 21 of the server is being established If the relevant connection tracking function is activated on the FL MGUARD see Advanced on page 6 138 complex connections of this type are tracked In this case the administrator only needs to create a firewall rule on the FL MGUARD which allows the client to establish a control channel to the FTP server The FL MGUARD enables the serve
218. etwork mode This ID is sent by the redundant pair with each presence notification CARP via the external interface and is used to identify the redundant pair This ID must be the same for both FL MGUARD devices It is used to differentiate the redundant pair from other redundant pairs that are connected to the same Ethernet segment through their external interface Please note that CARP uses the same protocol and port as VRRR Virtual Router Redundancy Protocol The ID set here must be different to the IDs on other devices which use VRRR or CARP and are located in the same Ethernet segment 8334_en_01 PHOENIX CONTACT 6 221 FL MGUARD 2 Redundancy gt gt Firewall Redundancy gt gt Redundancy External virtual IP addresses Internal virtual Router ID Default 10 0 0 100 Only in Router network mode These are IP addresses which are shared by both FL MGUARD devices as virtual IP addresses of the external interface These IP addresses must be the same for both FL MGUARD devices These addresses are used as a gateway for explicit static routes for devices located in the same Ethernet segment as the external network interface of the FL MGUARD The active FL MGUARD can receive ICMP queries via this IP address It reacts to these ICMP requests depending on the menu settings underNetwork Security gt gt Packet Filter gt gt Advanced No subnet masks or VLAN IDs are set up for the virtual IP addresses as these
219. ewall Redundancy gt gt Connectivity Checks menu Availability check On each FL MGUARD in a redundant pair checks are also constantly performed to determine whether an active FL MGUARD is available and whether it should remain active A variation of the CARP Common Address Redundancy Protocol is used here The active FL MGUARD constantly sends presence notifications through its internal and external network interface while both FL MGUARD devices listen If a dedicated Ethernet link for state synchronization of the firewall is available the presence notification is also sent via this link In this case the presence notification for the external network interface can also be suppressed The availability check fails if an FL MGUARD does not receive any presence notifications within a certain time The check also fails if an FL MGUARD receives presence notifications with a lower priority than its own The data is always transmitted through the physical network interface and never through the virtual network interface 7 2 PHOENIX CONTACT 8334_en_01 Redundancy State synchronization The FL MGUARD on standby receives a copy of the state of the FL MGUARD that is currently active This includes a database containing the forwarded network connections This database is filled and updated constantly by the forwarded network packets It is protected against unauthorized access The data is transmitted through the physical LAN inter
220. f Shares gt x Enabled Checked CIFS Share Checksum Memory Action Yes pc x7 scan v pc x7 scan v ED VPN Endpunkt Kundendienst KS v After every check v cifs integrity example com cifs integrity example com mGuard CIFS Integrity ssmtp example com Please note To have checking of shares enabled in the network mode Stealth a management IP must be set CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings General Checking of Shares Integrity certificate Used to sign integrity databases Send notifications via e mail Target address for e mail notifications Sender address of e mail notifications Address of the e mail server Subject prefix for e mail notifications Enabled Used for signing and checking the integrity database so that it cannot be replaced or manipulated by an intruder without being detected For information about certificates please refer to Machine certificates on page 6 122 After every check An e mail is sent to the address specified below after every check No An e mail is not sent to the address specified below Only with faults and deviations An e mail is sent to the address specified below if a deviation is detected during CIFS integrity checking or if the check could not be carried out due to an access error An e mail is sent to this address either after every check or only if a deviation is detected during CIFS integrity
221. f the Ethernet connection Link status Up The connection is established Down The connection is not established Automatic Yes Try to determine the required operating mode configuration automatically No Use the operating mode specified in the Manual Configuration column Manual Configuration The desired operating mode when Automatic Configuration is set to No Current Mode The current operating mode of the network connection Port On Yes No Switches the Ethernet connection on or off 6 80 PHOENIX CONTACT 8334_en_01 Configuration 6 3 1 3 Dial out FL MGUARD RS4000 only Network Interfaces General Ethernet Dial out i Dial in Modem Console PPP dial out options Phone number to call ATD Authentication PAP v User name Password PAP server authentication No w Dialon demand Yes v idie timeout Yes v idle time seconds 300 LocaliP 0 0 0 0 Remote IP 0 0 0 0 Netmask 0 0 0 0 Please note On some platforms the serial port is not accessible Network gt gt Interfaces gt gt Dial out PPP dial out options Should only be configured if the FL MGUARD is to be able to establish a data connection dial out to the WAN Internet Via the primary external interface Modem network mode or Viathe secondary external interface also available in Stealth or Router network mode Phone number to call Phone number of the Internet service provider The
222. face and never through the virtual network interface To keep internal data traffic to a minimum a VLAN can be configured to store the synchronization data in a separate multicast and broadcast domain Virtual IP addresses Each FL MGUARD is configured with virtual IP addresses The number of virtual IP addresses depends on the network mode used Both FL MGUARD devices in a redundant pair must be assigned the same virtual IP addresses The virtual IP addresses are required by the FL MGUARD to establish virtual network interfaces Two virtual IP addresses are required in Router network mode while others can be created One virtual IP address is required for the external network interface and the other for the internal network interface These IP addresses are used as a gateway for routing devices located in the external or internal LAN In this way the devices can benefit from the high availability resulting from the use of both redundant FL MGUARD devices The redundant pair automatically defines MAC addresses for the virtual network interface These MAC addresses are identical for the redundant pair In Router network mode both FL MGUARD devices share a MAC address for the virtual network interface connected to the external and internal Ethernet segment In Router network mode the FL MGUARD devices support forwarding of special UDP TCP ports from a virtual IP address to other IP addresses provided the other IP addresses can be reached
223. fferent entry in this field for outgoing data packets compared to an FTP program When a value is selected here only data packets with this value in the TOS or DSCP field may pass through When set to All no filtering according to the TOS DSCP value is applied The number entered specifies how many data packets per second or kbps can pass through at all times according to the option set under Measurement Unit see above This applies to the data stream that conforms to the rule set criteria specified on the left i e that may pass through The FL MGUARD may drop the excess number of data packets in the event of capacity bottlenecks if this data stream delivers more data packets per second than specified The number entered specifies the maximum number of data packets per second or kbps that can pass through according to the option set under Measurement Unit see above This applies to the data stream that conforms to the rule set criteria specified on the left i e that may pass through The FL MGUARD discards the excess number of data packets if this data stream delivers more data packets per second than specified Optional comment text 6 208 PHOENIX CONTACT 8334_en_01 Configuration 6 8 2 Egress Queues The services are assigned corresponding priority levels In the event of connection bottlenecks the outgoing data packets are placed in egress queues i e queues for pending packets according to the as
224. fic trap additional This trap is sent when a user logs into the user firewall FL MGUARDTrapUserFirewall enterpriseSpecific FL MGUARDTrapUserFirewallLogout 2 FL MGUARDTResUserFirewallUser name FL MGUARDTResUserFirewallSrclP FL MGUARDTResUserFirewallLogout Reason enterprise oid generic trap specific trap additional This trap is sent when a user logs out of the user firewall 6 48 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt SNMP gt gt Trap VPN traps IPsec connection status changes enterprise oid FLMGUARDTrapUserFirewall generic trap enterpriseSpecific specific trap FL MGUARDTrapUserFirewallAuth Error TRAP TYPE 3 additional FL MGUARDTResUserFirewallUser name FL MGUARDTResUserFirewallSrclP FL MGUARDTResUserFirewallAuthent icationMethod This trap is sent in the event of an authentication error Activate traps Yes No enterprise oid FLMGUARDTrapVPN genericTrap enterpriseSpecific specific trap FL MGUARDTrapVPNIKEServer Status 1 additional FL MGUARDTResVPNStatus This trap is sent when the IPsec IKE server is started or stopped enterprise oid FLMGUARDTrapVPN genericTrap enterpriseSpecific specific trap FL MGUARDTrapVPNIPsecConn Status 2 additional FL MGUARDTResVPNName FL MGUARDTResVPNIndex FL MGUARDTResVPhPeer FL MGUARDTResVPNStatus FL MG
225. first IP address Outgoing on Interface External External 2 Any External Internal Specifies via which interface the data packets are sent so that the rule applies to them Any External refers to the External and External 2 interfaces 6 94 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt NAT gt gt Masquerading 1 1 NAT Example A masking is defined which applies for network data flows in Router mode These data flows are initiated so that they lead to a destination device which can be accessed over the selected network interface on the FL MGUARD To do this the FL MGUARD replaces the IP address of the initiator with a suitable IP address of the selected network interface in all associated data packets The effect is the same as for the other values of the same variables The IP address of the initiator is hidden from the destination of the data flow In particular the destination does not require any routes in order to respond in a data flow of this type not even a default route default gateway i Set the firewall in order for the desired connections to be allowed For incoming and outgoing rules the source address must still correspond to the original sender if the firewall rules are used Please observe the outgoing rules when using the External External 2 Any External settings see Outgoing Rules on page 6 132 Please observe the incoming rules when using the Internal
226. folders on the SD card Firmware install ubi mpc83xx p7s Firmware ubifs img mpc83xx p7s Action To flash the firmware or to perform the rescue procedure proceed as follows NOTE Do not interrupt the power supply to the FL MGUARD during any stage of the flashing procedure Otherwise the device could be damaged and may have to be reactivated by the manufacturer e Press and hold down the Rescue button until the device enters recovery status The FL MGUARD is restarted after around 1 5 seconds after a further 1 5 seconds the FL MGUARD enters recovery status 8334_en_01 PHOENIX CONTACT 8 3 FL MGUARD 2 The reaction of the device depends on its type FL MGUARD RS4000 2000 The STAT MOD and SIG LEDs light up green FL MGUARD SMART2 The LEDs light up green e Release the Rescue button within a second of entering recovery status If the Rescue button is not released the FL MGUARD is restarted The FL MGUARD now starts the recovery system It searches fora DHCP server via the LAN interface in order to obtain an IP address The reaction of the device depends on its type FL MGUARD RS4000 2000 The STAT LED flashes FL MGUARD SMART2 The middle LED Heartbeat flashes The install p7s file is loaded from the TFTP server or SD card It contains the electronically signed control procedure for the installation process The control procedure now deletes the curr
227. following when programming ping tests It is useful to program multiple ping tests This is because it is possible that an individual tested service is currently undergoing maintenance This type of scenario should not result in the secondary external interface being activated and an expensive dial up line connection being established via the telephone network Because the ping tests generate network traffic the number of tests and their frequency should be kept within reasonable limits You should also avoid activating the secondary external interface too early The timeout time for the individual ping requests is 4 seconds This means that after a ping test is started the next ping test starts after 4 seconds if the previous one was unsuccessful To take these considerations into account make the following settings The ping tests defined above under Probes for Activation are performed one after the other When the ping tests defined are performed once in sequence this is known as a test run Test runs are continuously repeated at intervals The interval entered in this field specifies how long the FL MGUARD waits after starting a test run before it starts the next test run The test runs are not necessarily completed As soon as one ping test in a test run is successful the subsequent ping tests in this test run are omitted If a test run takes longer than the interval specified then the subsequent test run is started directly afte
228. follows e Start a web browser For example Mozilla Firefox MS Internet Explorer Google Chrome or Apple Safari the web browser must support SSL encryption i e HTTPS e Make sure that the browser does not automatically dial a connection when it is started as this could make it more difficult to establish a connection to the FL MGUARD In MS Internet Explorer make the following settings e Inthe Tools menu select Internet Options and click on the Connections tab e Under Dial up and Virtual Private Network settings select Never dial a connection e Inthe address line of the web browser enter the full address of the FL MGUARD see Table 5 2 The administrator web page of the FL MGUARD can then be accessed If the administrator web page of the FL MGUARD cannot be accessed If the address of the FL MGUARD in router PPPoE or PPTP mode has been set to a different value and the current address is not known the FL MGUARD must be reset to the default settings specified above for the IP address of the FL MGUARD using the Recovery procedure see Performing a recovery procedure on page 8 2 If the web browser repeatedly reports that the page cannot be displayed try the following e Check whether the default gateway of the connected configuration computer is initialized see Local configuration on startup EIS on page 1 2 e Disable any active firewalls e Make sure that the browser does not use a proxy server I
229. from a non predefined user not root admin netadmin audit or user to all RADIUS servers listed here The first response received by the FL MGUARD from one of the RADIUS servers determines whether or not the authentication attempt is successful Authentication gt gt RADIUS Servers RADIUS Servers RADIUS timeout Specifies the time in seconds the FL MGUARD waits for a Tic monuiteriener included response from the RADIUS server Default 3 seconds in the scope of functions for RADIUS retries Specifies how often requests to the RADIUS server are the FL MGUARD RS2000 repeated after the RADIUS timeout time has elapsed Default 3 8334_en_01 PHOENIX CONTACT 6 113 FL MGUARD 2 Authentication gt gt RADIUS Servers Server Name of the RADIUS server or its IP address We recommend entering IP addresses as servers instead of names where possible Otherwise the FL MGUARD must first resolve the names before it can send authentication queries to the RADIUS server This takes time when logging in Also it may not always be possible to perform authentication if name resolution fails e g because the DNS is not available or the name was deleted from the DNS Via VPN If Yes is selected the FLMGUARD authentication query is always sent via an encrypted VPN tunnel if a suitable one is available If No is selected a query of this type is always sent unencrypted outside the VPN If Yes has been selected und
230. g of traffic is allowed Wed Nov 9 59 08 CET 2011 State History active_waiting The mGuard is actively forwarding and filtering network traffic t s Wed Nov 9 11 59 13 CET 2011 gg ep icy Sung Sk nl cok t s u Wed Now 9 11 59 08 CET 2011 en bay oad a eee t s u Wed Nov 9 11 59 08 CET 2011 ee rae tie t s u Wed Now 9 11 59 06 CET 2011 eee t s u Wed Nov 9 11 59 08 CET 2011 A eke aiid wane o oo ticaw ance bene esa t s u Wed Nov 9 11 59 00 CET 2011 ee nnn an E er eee t f u Wed Nov 9 11 59 06 CET 2011 O N OA t s u Thu Oct 27 11 33 40 CEST 2011 e y loerde and ekg ate bat t s Thu Oct 27 11 33 39 CEST 201 Additionally the mGuard waits for a restarting component Tar races N E t s u Thu Oct 27 1 33 33 CEST 2011 a eu meee t s u Thu Oct 27 11 33 33 CEST 2011 TROD as oh t s u Thu Oct 27 11 33 32 CEST 2011 eee t s u Thu Oct 27 11 33 32 CEST 2011 Sst T oaks sc VN ais sn wan wands bs noe t s u Thu Oot 27 11 33 22 CEST 201 fep E a es nae ny ee oe t f u Thu Oct 27 11 33 32 CEST 201 FIE t s u Thu Oct 27 1 31 53 CEST 2011 The mGuard is actively forwarding and filtering network traffic Please note The table is sorted chronologically starting with the youngest former state for column headers B Flag indicating the booting state of the firmware T Flag indicating the validity of the system time O Flag indicating the timeout of the former state
231. ge 6 38 Configuration Pull on page 6 52 Interruption of the connection at a certain time using PPPoE network mode This is the case when Network Mode is set to PPPoE under the Network gt gt Interfaces General menu item and Automatic Reconnect is set to Yes see 6 3 1 Network gt gt Interfaces Router network mode PPPoE router mode on page 6 77 Acceptance of certificates when the system time has not yet been synchronized This is the case when the Wait for synchronization of the system time setting is selected under the Authentication gt gt Certificates Certificate settings menu item for the Check the validity period of certificates and CRLs option see Section 6 4 4 and Certificate settings on page 6 120 CIFS integrity checking The regular automatic check of the network drives is only started when the FL MGUARD has a valid time and date see the following section The system time can be set or synchronized by various events The FL MGUARD has a built in clock which has been synchronized with the current time at least once The FL MGUARD only has a built in clock if the Hardware clock state field is visible The display shows whether the clock is synchronized A synchronized built in clock ensures that the FL MGUARD has a synchronized system time even after a restart The administrator has defined the current time for the FL MGUARD runtime by making a corresponding entry in the Local system ti
232. gent firewall and optional IPsec FL MGUARD RS2000 VPN 10 to 250 tunnels It has been designed for use in industry to accommodate strict distributed security and high availability requirements The FL MGUARD RS2000 is a security router with basic firewall and integrated IPsec VPN maximum of two tunnels Its scope of functions is reduced to the essentials It is suitable for secure remote maintenance applications in industry and enables the quick startup of robust field devices for industrial use thereby facilitating error free independent operation Both versions have a replaceable configuration memory SD card The fanless metal housing is mounted on a DIN rail The following connectivity options are available FL MGUARD RS4000 LAN WAN FL MGUARD RS2000 LAN WAN TX TX Ethernet Ethernet TX TX VPN Ethernet Ethernet VPN TX TX VPN Ethernet Ethernet VPN MGuard rs4000 _ ere Figure 1 2 FL MGUARD RS4000 FL MGUARD RS2000 1 4 PHOENIX CONTACT 8334_en_01 Preliminary user manualTypical application scenarios 2 Preliminary user manualTypical application scenarios This section describes various application scenarios for the FL MGUARD Stealth mode Network router DMZ VPN gateway WLAN via VPN Resolving network conflicts 2 1 Stealth mode In stealth mode the FL MGUARD can be positioned between an individual computer and the rest of the network The settings e g for firewall and VPN ca
233. gets for the connectivity check should be well thought out Without a connectivity check all it takes are two errors for a network lobotomy to occur A network lobotomy is prevented if the targets for both FL MGUARD devices are identical and all targets have to answer the request However the disadvantage of this method is that the connectivity check fails more often if one of the targets does not offer high availability In Router network mode we recommend defining a readily available device as the target on the external interface This can be the default gateway for the redundant pair e g a virtual router comprised of two independent devices In this case either no targets ora selection of targets should be defined on the internal interface Please also note the following information when using a virtual router consisting of two independent devices as the default gateway for a redundant pair If these devices use VRRP to synchronize their virtual IP then a network lobotomy could split the virtual IP of this router into two identical copies These routers could use a dynamic routing protocol and only one may be selected for the data flows of the network being monitored by the FL MGUARD Only this router should keep the virtual IP Otherwise you can define targets which are accessible via this route in the connectivity check In this case the virtual IP address of the router would not be a sensible target Redundant group Several redund
234. gned certificate is supplied with the device e Click Yes to acknowledge the security alert The login window is displayed mguard login Username admin Password bdaiasalea Access Type f Admini User Firewall Figure 5 7 Login The User firewall access type is not available on the FL MGUARD RS2000 e Select the access type administration or user firewall and enter your user name and password which are specified for this access type For user firewall see Network Security gt gt User Firewall on page 6 145 5 10 PHOENIX CONTACT 8334_en_01 Preparing the configuration Requirement How to proceed Example Configuration The following is set by default for administration please note these settings are case sensitive User name admin Password mGuard To configure the device make the desired or necessary settings on the individual pages of the FL MGUARD user interface see Configuration on page 6 1 For security reasons we recommend you change the default root and administrator passwords during initial configuration see Authentication gt gt Administrative Users on page 6 108 5 4 Remote configuration The FL MGUARD must be configured so that remote configuration is permitted The option for remote configuration is disabled by default To enable remote configuration see Management gt gt Web Settings on page 6 21 and Access on page 6 22
235. grity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Actions Re Build the integrity database Cancel the creation of the integrity database Only displayed when a database is being created Erase reports and the integrity database The FL MGUARD creates a database with checksums in order to check whether files have been changed A change to executable files indicates a virus However if these files have been changed intentionally anew database must be created by clicking on Initialize in order to prevent false alarms The creation of an integrity database is also recommended if network drives have been newly set up Otherwise an integrity database is set up during the first scheduled check instead of a check being performed Click Cancel to stop the creation of the integrity database The old database is no longer used A new database must be created manually otherwise it is created automatically on the next scheduled check of the drive The contents of the drive may be manipulated e g infected without being detected if no integrity database is in place Click on Erase to delete all existing reports databases A new integrity database must be created for any further integrity checks This can be initiated by clicking on Initialize Otherwise a new integrity database is created automatically upon the next scheduled check This procedure cannot be seen 6 158 PHOENIX CONTACT
236. gt CIFS AV Scan Connector Consolidated Imported Shares Interface Action Comment Log Enabled Exported in Subdirectory CIFS Share External Internal External 2 VPN Dial in Specifies to which interface the rule should apply If no rules are set or if no rule applies the following default settings apply Remote access is permitted via Internal VPN and Dial in Access via External and External 2 is refused Specify the access options according to your requirements If you want to refuse access via Internal VPN or Dial in you must implement this explicitly by means of corresponding firewall rules for example by specifying Drop as an action Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Freely selectable comment for this rule For each individual rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings No This network drive is not mirrored Yes This network drive is mirrored and made available Several drives can be combined as one in this directory Name of the network driv
237. gt gt Edit gt gt Authentication VPN Identifier Authentication method Pre Shared Secret PSK General Authentication Firewall IKE Options Authentication Authentication method Pre Shared Secret PSK v Pre Shared Secret Key PSK complicated_like_SDy0qoD_and_long VPN Identifier Local By default the IP address of the peer is used Other possible settings are a hostname hostname or an e mail address name hostname Remote By default the IP address of the peer is used Other possible settings are a hostname hostname or an e mail address name hostname This method is mainly supported by older IPsec implementations In this case both sides of the VPN authenticate themselves using the same PSK To make the agreed key available to the FL MGUARD proceed as follows e Enter the agreed string in the Pre Shared Secret Key PSK entry field To achieve security comparable to that of 3DES the string should consist of around 30 randomly selected characters and should include upper and lower case characters and digits Pre Shared Secret Key cannot be used with dynamic any IP addresses Only fixed IP addresses or host names on both sides are supported However changing IP addresses DynDNS can be hidden behind the host name Pre Shared Secret Key cannot be used if at least one or both of the communication partners is located downstream of a NAT gateway VPN gateway
238. gt gt L2TP over IPsec gt gt L2TP Server Settings Start L2TP Server for If you want to enable IPsec L2TP connections set this option IPsec L2TP to Yes It is then possible to establish L2TP connections to the FL MGUARD via IPsec which dynamically assign IP addresses to the clients within the VPN Local IP for L2TP If set as shown in the screenshot above the FL MGUARD will connections inform the partner that its address is 10 106 106 1 Remote IP range If set as shown in the screenshot above the FL MGUARD will start end assign the partner an IP address between 10 106 106 2 and 10 106 106 254 Status Displays information about the L2TP status if this connection type has been selected 8334_en_01 PHOENIX CONTACT 6 199 FL MGUARD 2 6 7 5 IPsec VPN gt gt IPsec Status IPsec VPN IPsec Status Connection eet ISAKMP IPsec Name State State Mannheim Leipzig Gateway 172 16 66 48 any MAI0097829638_1 Traffic 192 168 1 1 32 192 168 254 1 32 C DE O Beispiel Lieferant L MA CN VPN Endpunkt C DE O Beispiel Lieferant L L CN VPN Endpunkt 1D mesa Kundendienst Maschine 06 Displays information about the status of IPsec connections The names of the VPN connections are listed on the left while their current status is indicated on the right Buttons Update To update the displayed data if necessary click on Update Restart If you want to disconnect and then restart a connection click on the correspo
239. guration 8334_en_01 PHOENIX CONTACT 6 55 FL MGUARD 2 6 2 8 Management gt gt Restart 6 2 8 1 Restart Management Restart Restart Restart inns Note please give the device approximately 40 seconds to reboot Restarts the FL MGUARD Has the same effect as a temporary interruption in the power supply whereby the FL MGUARD is switched off and on again A restart reboot is necessary in the event of an error It may also be necessary after a software update 6 3 Network menu 6 3 1 Network gt gt Interfaces The FL MGUARD has the following interfaces with external access Ethernet Serial Built in Serial Internal LAN interface modem console External via USB WAN FL MGUARD SMART2 Yes No No Yes FL MGUARD Yes Yes No No RS4000 RS2000 1 See Serial console via USB on page 6 91 The LAN port is connected to a single computer or the local network internal The WAN port is used to connect to the external network In the case of FL MGUARD RS4000 devices only the connection to the external network can also or additionally be established via the serial interface using a modem Alternatively the serial interface can also be used as follows For PPP dial in into the local network or for configuration purposes The details for this must be configured on the General Ethernet Dial out Dial in and Modem Console tab pages For a more detailed explanation of t
240. hat is located between two other networks For example a company s website may be in the DMZ so that new pages can only be copied to the server from the Intranet using FTP However the pages can be read from the Internet via HTTP IP addresses within the DMZ can be public or private and the FL MGUARD which is connected to the Internet forwards the connections to private addresses within the DMZ by means of port forwarding is Figure 2 3 MZ 2 4 VPN gateway The VPN gateway provides company employees with encrypted access to the company network from home or when traveling The FL MGUARD performs the role of the VPN gateway IPsec capable VPN client software must be installed on the external computers and the operating system must support this functionality For example Windows 2000 XP can be used or the computer can be equipped with an FL MGUARD Figure 2 4 VPN gateway 8334_en_01 PHOENIX CONTACT 2 3 FL MGUARD 2 2 5 WLAN via VPN WLAN via VPN is used to connect two company buildings via a WLAN path protected using IPsec The annex should also be able to use the Internet connection of the main building 4 Gel 89l c6L vSe o 89l c6lL VL OL CZLL GOL CLL O z Pas 192 168 2 0 24 192 168
241. hat only one IP address is signified Local masquerading can be used in the following network modes Router PPPoE PPTP Modem Built in Modem and Stealth only multiple clients in Stealth mode Modem Built in Modem is not available for all FL MGUARD models see Network gt gt Interfaces on page 6 56 For IP connections via a VPN connection with active local masquerading the firewall rules for outgoing data in the VPN connection are used for the original source address of the connection CoG 1 1 NAT B Only in Router mode With 1 1 NAT it is still possible to enter the network addresses actually used local and or remote to specify the tunnel beginning and end independently of the tunnel parameters agreed with the remote partner Local network Remote network bal 2a E l oo IPsec tunnel EP ir ao Se pige Internet Internet network address for Network address for remote 1 1 NAT 1 1 NAT Figure 6 5 1 1 NAT 8334_en_01 PHOENIX CONTACT 6 185 FL MGUARD 2 6 7 3 2 Authentication General Authentication Firewall IKE Options Authentication Authentication method X 509 Certificate v Local X 509 Certificate VPN Endpunkt Kundendienst MA w Remote CA Certificate No CA certificate but the Remote Certificate below w Remote Certificate Subject CN VPN Endpunkt Maschine 06 L L O Beispiel Lieferant C DE Subject Alternative Names Issuer CN VPN SubCA 01 0
242. he machine certificate that has already been configured VPN state synchronization therefore ensures that the currently used machine certificates are replicated However it does not replicate the configuration itself The FL MGUARD on standby has an obsolete Pre Shared Key PSK Pre Shared Keys PSK also need to be renewed on occasion in order to authenticate VPN partners The redundant FL MGUARD devices may then have a different PSK for a brief period In this case only one of the FL MGUARD devices can establish a VPN connection as most VPN partners only accept one PSK The FL MGUARD does not offer any countermeasures for this We therefore recommend using X 509 certificates instead of PSKs If VPN state synchronization replicates the PSKs being sent to the FL MGUARD on standby for a prolonged period an incorrect configuration remains concealed during this period making it difficult to detect 7 2 7 Interaction with other devices Resolving host names If host names are configured as VPN gateways the FL MGUARD devices in a redundant pair must be able to resolve the host names for the same IP address This applies especially when DynDNS Monitoring see page 6 170 is activated If the host names are resolved from the FL MGUARD on standby to another IP address the VPN connection to this host is interrupted following a fail over The VPN connection is reestablished through another IP address This takes place directly afte
243. he FL MGUARD assumes that the newly applied configuration profile is faulty The FL MGUARD remembers the MD5 total for identification purposes It then performs a rollback Rollback means that the last working configuration is restored This assumes that the new non functioning configuration contains an instruction to perform a rollback if a newly loaded configuration profile is found to be faulty according to the checking procedure described above When the FL MGUARD makes subsequent attempts to retrieve a new configuration profile periodically according to the time defined in the Pull Schedule field and Time Schedule it will only accept the profile subject to the following selection criterion The configuration profile provided must differ from the configuration profile previously identified as faulty for the FL MGUARD and which resulted in the rollback The FL MGUARD checks the MDS total stored for the old faulty and rejected configuration against the MD5 total of the new configuration profile offered If this selection criterion is met i e a newer configuration profile is offered the FL MGUARD retrieves this configuration profile applies it and checks it according to the procedure described above It also disables the configuration profile by means of rollback if the check is unsuccessful 8334_en_01 PHOENIX CONTACT 6 53 FL MGUARD 2 Management gt gt Central Management gt gt Configuration Pull If the
244. he IP Address to be used below Selected MAC Address 00 a0 45 04 08 83 IP Address Subnet Mask Gateway Address WARNING this address is in a different Subnet Once you have entered a valid IP address click Next lt Zur ck Abbrechen Figure 5 3 Set IP Address window with incorrect settings e Adjust the IP parameters according to your requirements If inconsistencies are no longer detected a message appears indicating that a valid IP address has been set e Click on Next 5 6 PHOENIX CONTACT 8334_en_01 Preparing the configuration Step 5 Assign IP Address The program attempts to transmit the IP parameters set to the FL MGUARD Phoenix Contact IP Assignment Tool Assign IP Address Attempting to Assign IP Address The wizard is attempting to Assign the specified IP Address Attempting to assign MAC Address catni e 00 a0 45 04 08 a3 Tf it has been more than a minute or two and the IP is still not assigned please try rebooting or power the following cycling your device IP Address 192 168 1 21 IP Mask 255 255 255 0 IP Gateway 0 0 0 0 Once your device has received it s IP Address this wizard will automatically go to the next page Abbrechen Figure 5 4 Assign IP Address window Following successful transmission the next window opens Step 6 Finishing IP address assignment The window that opens informs you that IP address assignment has been successfully pe
245. he VPN gateway on the partner In this case the interface of the FL MGUARD through which the FL MGUARD answers and permits requests for the establishment of this VPN connection is set here The VPN connection can be established through the LAN and WAN port in all Stealth modes when External is selected The interface setting allows encrypted communication to take place over a specific interface for VPN partners without a known IP address If an IP address or host name is entered for the partner then this is used for the implicit assignment to an interface The FL MGUARD can be used as a single leg router in Router mode when Internal is selected as both encrypted and decrypted VPN traffic for this VPN connection is transferred over the internal interface IKE and IPsec data traffic is only possible through the primary IP address of the individual assigned interface This also applies to VPN connections with a specific partner Connection startup Initiate Initiate Initiate on traffic Wait The FL MGUARD initiates the connection to the partner In the Address of the remote site s VPN gateway field see above the fixed IP address of the partner or its name must be entered Initiate on traffic The connection is initiated automatically when the FL MGUARD sees that the connection should be used Can be selected for all operating modes of the FL MGUARD Stealth Router etc Wait The FL MGUARD is ready to allow the conn
246. he alarm output is open due to an error see Installing the FL MGUARD RS4000 RS2000 on page 4 3 The alarm output is interrupted during a restart MOD Green ON Connection via modem established INFO Not used 8334_en_01 PHOENIX CONTACT 3 1 FL MGUARD 2 Table 3 1 LEDs on the FL MGUARD RS4000 and RS2000 LED State Meaning STAT ERR Flashing Boot process When the device has just been connected to the power supply After alternately green a few seconds this LED changes to the heartbeat state and red LAN Green ON The LAN WAN LEDs are located in the LAN WAN sockets 10 100 and duplex LED WAN Green ON Ethernet status Indicates the status of the LAN or WAN port As soon as the device is connected to the relevant network a continuous light indicates that there is a connection to the network partner in the LAN or WAN When data packets are transmitted the LED goes out briefly 3 2 PHOENIX CONTACT 8334_en_01 Operating elements and LEDs 3 2 FL MGUARD SMART2 Rescue button Located in the opening Can be pressed with a straightened paper clip for example LED1 LED2 LED3 Figure 3 2 Operating elements and LEDs on the FL MGUARD SMART2 Table 3 2 LEDs on the FL MGUARD SMART2 LEDs Color State Meaning 2 Red green Flashing red green Boot process When the device has just been connected to the power supply After a few seconds this LED changes to the h
247. he options for using the serial interface and a built in modem see Modem Console on page 6 90 6 56 PHOENIX CONTACT 8334_en_01 Configuration 6 3 1 1 General General Ethernet Dial out Dial in Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v Router Mode static v External Networks 6 eS T feeble Se 172 16 66 49 255 255 255 0 No v Ational External Routes 2 IP of default gateway 172 16 66 18 Internal Networks ra aS T port Hx 192 168 66 49 255 255 255 0 No v Aatioat tera Raves I atow Secondary External Interface Network Mode Off F Network gt gt Interfaces gt gt General Display only The addresses via which the FL MGUARD can be accessed by devices from the external network They form the interface to other parts of the LAN or to the Internet If the transition to the Internet takes place here the IP addresses are usually assigned by the Internet service provider ISP If an IP address is assigned dynamically to the FL MGUARD the currently valid IP address can be found here In Stealth mode the FL MGUARD adopts the address of the locally connected computer as its external IP Displays the status of the selected network mode Display only The IP address that the FL MGUARD uses to try to reach unknown networks is displayed here This field can contain none if the FL
248. he signal output remains lit continuously e Torelease the VPN connection hold down the button for a few seconds until the signal output flashes or goes out Then release the button As soon as the signal output goes out the VPN connection is released e To establish the VPN connection set the switch to the ON position e To release the VPN connection set the switch to the OFF position If the signal output is OFF this generally indicates that the defined VPN connection is not present Either the VPN connection was not established or it has failed due to an error If the INFO LED is ON the VPN connection is present If the INFO LED is flashing the VPN connection is being established or released 4 3 4 Connecting the supply voltage WARNING The FL MGUARD RS4000 RS2000 is designed for operation with a DC voltage of 9 V DC 36 V DC SELV 1 5 A maximum Therefore only SELV circuits with voltage limitations according to EN 60950 1 may be connected to the supply connections and the alarm contact 8334_en_01 PHOENIX CONTACT 4 5 FL MGUARD 2 The supply voltage is connected via a COMBICON plug in connector which is located on the top of the device Supply voltage Supply voltage P1 P2 P1 24 V 0V 24V J 24 V 0V PPa n SA CEA EEA Oooo E i F d ee c e j oe d 8 P sr Y Y YN 3 s 3 LEL JBGGE poo L
249. he third Ethernet interface Presence notifications CARP are also transmitted when the FL MGUARD is active However no additional routing is supported for this interface Frames received on this interface are not forwarded for security reasons The connection status of the third Ethernet interface can be queried via SNMP Only available when Dedicated Interface is selected IP IP address used on the third network interface of the FL MGUARD centerport for state synchronization with the other FL MGUARD Default 192 168 68 29 Netmask Subnet mask used on the third network interface of the FL MGUARD centerport for state synchronization with the other FL MGUARD Default 255 255 255 0 Use VLAN When Yes is selected a VLAN ID is used for the third network interface VLAN ID 1 2 3 4094 default 1 VLAN ID when this setting is activated Only available when Dedicated Interface is selected When Yes is selected no presence notifications CARP are transmitted or received via the external interface This can make sense in some scenarios for protection against external attacks 6 224 PHOENIX CONTACT 8334_en_01 Configuration 6 9 1 2 Connectivity Checks Targets can be configured for the internal and external interface in the connectivity check It is important that these targets are actually connected to the specified interface An ICMP echo reply cannot be received by an external interface when the
250. i unidirectional connections on page 1 9 Firewall redundancy does not support the FL MGUARD PCI in Driver mode State synchronization does not replicate the connection tracking entries for ICMP echo requests forwarded by the FL MGUARD Therefore ICMP echo replies can be dropped according to the firewall rules if they only reach the FL MGUARD after the fail over is completed Please note that ICMP echo replies are not suitable for measuring the fail over switching time Masquerading involves hiding the transmitter behind the first virtual IP address or the first internal IP address This is different to masquerading on the FL MGUARD without firewall redundancy When firewall redundancy is not activated the external or internal IP address hiding the transmitter is specified in a routing table 7 14 PHOENIX CONTACT 8334_en_01 Redundancy 7 2 VPN redundancy VPN redundancy can only be used together with firewall redundancy The concept is the same as for firewall redundancy In order to detect an error in the system environment the activity is transmitted from the active FL MGUARD to the FL MGUARD on standby At any given point in time at least one FL MGUARD in the redundant pair is operating the VPN connection except in the event of a network lobotomy Basic requirements for VPN redundancy VPN redundancy does not have any of its own variables It currently does not have its own menu in the user interface it is act
251. ia UDP By reducing the IPsec MTU the IP packets will be fragmented before they are encapsulated in UDP and thereby avoid large UDP packets A recommended value in such situations is 1414 or smaller 16260 Note This applies to VPN tunnels only This option should only be set to Yes on an FL MGUARD communicating between two different VPN partners To enable communication between two VPN partners the local network of the communicating FL MGUARD must be configured so that the remote networks containing the VPN partners are included The opposite setup local and remote network swapped round must also be implemented for VPN partners see Remote on page 6 177 Yes is not supported in Stealth network mode 8334_en_01 PHOENIX CONTACT 6 163 FL MGUARD 2 IPsec VPN gt gt Global gt gt Options Option No default VPN connections exist separately Yes Hub and spoke feature enabled A control center diverts VPN connections to several branches that can also communicate with each other With a star VPN connection topology FL MGUARD partners can also exchange data with one another In this case it is recommended that the local FL MGUARD consults CA certificates for the authentication of partners see Authentication on page 6 186 Archive diagnostic If errors occur when establishing VPN connections the messages for VPN FL MGUARD logging function can be used to find the sour
252. iated for the IPsec SA A further amount is subtracted when a Re key Fuzz see below above 0 is entered This is a percentage of the re key margin The percentage is entered under Re key Fuzz The re key margin value must be lower than the Hard Limit It must be significantly lower when a Re key Fuzz is also added If the Psec SA Lifetime is reached earlier the Soft Limit is ignored Re key Fuzz Maximum percentage by which Re key Margin is to be increased at random This is used to delay key exchange on machines with multiple VPN connections Default setting 100 percent Keying tries Number of attempts to negotiate new keys with the partner The value 0 results in unlimited attempts for connections initiated by the FL MGUARD otherwise it results in 5 attempts Rekey Yes No When set to Yes the FL MGUARD will attempt to negotiate a new key when the old one expires Dead Peer Detection If the partner supports the Dead Peer Detection DPD protocol the relevant partners can detect whether or not the IPsec connection is still valid and whether it needs to be established again Delay between Duration in seconds after which DPD Keep Alive requests requests for a sign of should be transmitted These requests test whether the life partner is still available Default setting 30 seconds Timeout for absent Duration in seconds after which the connection to the partner sign of life after which should be declared dead if there has be
253. ible when this option is set to No A firewall rule that would refuse nternal access therefore does not apply in this case The following options are available From IP Enter the address of the computer or network from which remote access is permitted or forbidden in this field The following options are available IP address 0 0 0 0 0 means all addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 6 14 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Shell Access Interface External Internal External 2 VPN Dial in External 2 and Dial in are only for devices with a serial interface see Network gt gt Interfaces on page 6 56 Specifies to which interface the rule should apply If no rules are set or if no rule applies the following default settings apply SSH access is permitted via Internal VPN and Dial in Access via External and External 2 is refused Specify the access options according to your requirements NOTE If you want to refuse access via Internal VPN or Dial in you must implement this explicitly by means of corresponding firewall rules for example by specifying Drop as an action To prevent your own access being blocked you may have to permit access simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting
254. ic 8334_en_01 PHOENIX CONTACT 6 145 FL MGUARD 2 Network Security gt gt User Firewall gt gt User Firewall Templates Options A descriptive name for the template Enabled Comment Timeout Timeout type The user firewall template can be freely named and renamed Yes No When set to Yes the user firewall template becomes active as soon as firewall users log into the FL MGUARD who are listed on the Template users tab page see below and who have been assigned this template It does not matter from which computer and under what IP address the user logs in The assignment of user firewall rules is based on the authentication data that the user enters during login user name password Optional explanatory text Default 28800 Specifies the time in seconds at which point the firewall rules are deactivated If the user session lasts longer than the timeout time specified here the user has to log in again static dynamic With a static timeout users are logged out automatically as soon as the set timeout time has elapsed With dynamic timeout users are logged out automatically after all the connections have been closed by the user or have expired on the FL MGUARD and the set timeout time has elapsed An FL MGUARD connection is considered to have expired if no more data is sent for this connection over the following periods Connection expiration period after non usage TCP 5 days th
255. ider IP address Also known as Dynamic DNS provider Every computer connected to the Internet has an IP address IP Internet Protocol If the computer accesses the Internet via a dial up modem ISDN or ADSL its Internet service provider will assign it a dynamic IP address In other words the address changes for each online session Even if a computer is online 24 hours a day without interruption e g flat rate the IP address will change during the session If this computer needs to be accessible via the Internet it must have an address that is known to the remote partner This is the only way to establish a connection to the computer However if the address of the computer changes constantly this will not be possible This problem can be avoided if the operator of the computer has an account with a DynDNS provider DNS Domain Name Server In this case the operator can set a host name with this provider via which the computer should be accessible e g www example com The DynDNS provider also provides a small program that must be installed and run on the computer concerned Every time a new Internet session is launched on the local computer this tool sends the IP address used by the computer to the DynDNS provider The domain name server registers the current assignment of the host name to the IP address and also informs the other domain name servers on the Internet accordingly If a remote computer now wishes to establish a conne
256. ied for these two external interfaces Therefore an interface can only take a data packet if the routing setting for that interface matches the destination of the data packet The following rules apply for routing entries If multiple routing entries for the destination of a data packet match then the smallest network defined in the routing entries that matches the data packet destination determines which route this packet takes Example The external route of the primary external interface is specified as 10 0 0 0 8 while the external route of the secondary external interface is specified as 10 1 7 0 24 Data packets to network 10 1 7 0 24 are then routed via the secondary external interface although the routing entry for the primary external interface also matches them Explanation The routing entry for the secondary external interface refers to a smaller network 10 1 7 0 24 lt 10 0 0 0 8 This rule does not apply in Stealth network mode with regard to the Stealth management IP address see note under Stealth Management IP Address on page 6 65 If the routing entries for the primary and secondary external interfaces are identical then the secondary external interface wins i e the data packets with a matching destination address are routed via the secondary external interface The routing settings for the secondary external interface only take effect when the secondary external interface is activated Particula
257. ient certificate or password setting as the User authentication method before enabling the new setting Only switch to Login restricted to X 509 client certificate when you are sure that this setting works Otherwise your access could be blocked Always take this safety precaution when modifying settings under User authentication Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the browser HTTPS client It is then possible to limit or enable access for the browser HTTPS client which the FL MGUARD would accept based on certificate checks Limited access to certain subjects i e individuals and or to subjects that have certain attributes Access enabled for all subjects see glossary under NAT Network Address Translation on page 9 5 i Access enabled for all subjects i e individuals The X 509 subject field must not be left empty An asterisk in the X 509 subject field can be used to specify that all subject entries in the certificate shown by the browser HTTPS client are permitted It is then no longer necessary to identify or define the subject in the certificate 6 28 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Web Settings gt gt Access Limited access to certain subjects i e individuals and or to subjects that have certain attributes In the certificate the certificate
258. ifetime Lifetime in seconds of the keys agreed for the ISAKMP SA Default setting 3600 seconds 1 hour The maximum permitted lifetime is 86400 seconds 24 hours IPsec SA Lifetime Lifetime in seconds of the keys agreed for IPsec SA Default setting 28800 seconds 8 hours The maximum permitted lifetime is 86400 seconds 24 hours IPsec SA Traffic Limit 0 to 2147483647 bytes The value 0 indicates that there is no traffic limit for the IPsec SAs on this VPN connection All other values indicate the maximum number of bytes which are encrypted by the IPsec SA for this VPN connection Hard Limit Re key Margin for Applies to ISAKMP SAs and IPsec SAs ENeHnics Minimum duration before the old key expires and during which a new key should be created Default setting 540 seconds 9 minutes 8334_en_01 PHOENIX CONTACT 6 197 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt IKE Options Re key Margin for the Only applies to IPsec SAs Tratte Limit The value 0 indicates that the traffic limit is not used O must be set here when 0 is also set under IPsec SA Traffic Limit If a value above 0 is entered then a new limit is calculated from two values The number of bytes entered here is subtracted from the value specified under Psec SA Traffic Limit i e Hard Limit The calculated value is then known as the Soft Limit This specifies the number of bytes which must be encrypted for a new key to be negot
259. ified here should be slightly lower than the actual amount This prevents a buffer overrun on the transferring devices which would result in adverse effects The default name for the egress queue can be adopted or another can be assigned The name does not specify the priority level Bandwidth that should be available at all times for the relevant queue Based on the selection under Bandwidth Rate Limit kbit s OR Packet s meaning that the unit of measurement does not have to be specified explicitly here The total of all guaranteed bandwidths must be less than or equal to the total bandwidth Maximum bandwidth available that may be set for the relevant queue by the system Based on the selection under Bandwidth Rate Limit kbit s OR Packet s meaning that the unit of measurement does not have to be specified explicitly here The value must be greater than or equal to the guaranteed bandwidth The value unlimited can also be specified which means that there is no further restriction Low Medium High Specifies with which priority the affected queue should be processed providing the total available bandwidth has not been exhausted Optional comment text 6 212 PHOENIX CONTACT 8334_en_01 Configuration 6 8 4 Egress Rules This page defines the rules for the data that is assigned to the defined egress queues see above in order for the data to be transmitted with the priority assigned to the relevant queue Ru
260. ify authenticate oneself to others The certificate used by the FL MGUARD to identify itself to others shall be referred to as the machine certificate here in line with Microsoft Windows terminology A certificate certificate specific to an individual or user certificate showing a person is one used by operators to authenticate themselves to partners e g an operator attempting to access the FL MGUARD via HTTPS and a web browser for the purpose of remote configuration A certificate specific to an individual can also be saved on a chip card and then inserted by its owner in the card reader of their computer when prompted by a web browser during establishment of the connection for example A certificate is thus used by its owner person or machine as a form of ID in order to verify that they really are the individual they identify themselves as As there are at least two communication partners the process takes place alternately partner A shows their certificate to partner B partner B then shows their certificate to partner A Provision is made for the following so that A can accept the certificate shown by B i e the certificate of its partner thus allowing communication with B A has previously received a copy of the certificate from B e g by data carrier or e mail which B will use to identify itself to A Acan then verify that the certificate shown by B actually belongs to B by comparing it with this copy With regard to th
261. iguration profiles that are stored on the FL MGUARD can be Enabled Saved as a file on the connected configuration computer Deleted Displayed Displaying the configuration profile e Click on the name of the configuration profile in the list Enabling the default setting or a configuration profile saved on the FL MGUARD by the user e Click on Restore to the right of the name of the relevant configuration profile The corresponding configuration profile is activated Saving the configuration profile as a file on the configuration computer e Click on Download to the right of the name of the relevant configuration profile e Inthe dialog box that is displayed specify the file name and folder under which the configuration profile is to be saved as a file The file name can be freely selected Deleting a configuration profile e Click on Delete to the right of the name of the relevant configuration profile A The Factory Default profile cannot be deleted Saving the active configuration as a configuration profile on the FL MGUARD e Enter the desired profile name in the Name for the new profile field next to Save Current Configuration to Profile e Click on Save The configuration profile is saved on the FL MGUARD and the name of the profile appears in the list of profiles already stored on the FL MGUARD Uploading a configuration profile that has been saved to a file on the configuration computer
262. ility Data throughput router firewall Virtual Private Network VPN Hardware based encryption Encrypted VPN throughput AES 256 Management support Diagnostics FL MGUARD RS4000 RS2000 FL MGUARD RS4000 Freescale network processor with 330 MHz clocking 1 LAN port 1 WAN port Ethernet IEEE 802 3 10 100 Base TX RJ 45 full duplex auto MDIX Serial RS 232 9 pos D SUB connector 2 digital inputs and 2 digital outputs 128 MB RAM 128 MB Flash SD card Replaceable configuration memory Optional VPN router and firewall Voltage range 11 36 V DC redundant 2 2 W typical 5 95 operation storage non condensing IP20 20 C 60 C operation 20 C 60 C storage 130 x 45 x 114 mm from the top edge of the DIN rail 725 g TX TX FL MGUARD v7 4 0 or later FL MGUARD RS2000 Freescale network processor with 330 MHz clocking 1 LAN port 1 WAN port Ethernet IEEE 802 3 10 100 Base TX RJ 45 full duplex auto MDIX Serial RS 232 9 pos D SUB connector 2 digital inputs and 2 digital outputs 128 MB RAM 128 MB Flash SD card Replaceable configuration memory Not available Voltage range 11 36 VDC 2 2 W typical 5 95 operation storage non condensing IP20 20 C 60 C operation 20 C 60 C storage 130 x 45 x 114 mm from the top edge of the DIN rail 725 g TX TX Phoenix Contact recommends the use of the late
263. is available in several releases SNMPv1 SNMPv2 and SNMPvs The older versions SGNMPv1 SNMPvz2 do not use encryption and are not considered to be secure The use of SNMPv1 SNMPva2 is therefore not recommended SNMPV3 is significantly better in terms of security but not all management consoles support this version yet If SNMPv3 or SNMPv1 v2 is activated this is indicated by a green signal field on the tab at the top of the page Otherwise i e if SNMPv3 or SNMPv1 v2 is not active the signal field is red Processing an SNMP request may take more than one second However this value corresponds to the default timeout value of some SNMP management applications e Ifyou experience timeout problems set the timeout value of your management application to values between 3 and 5 seconds 8334_en_01 PHOENIX CONTACT 6 41 FL MGUARD 2 Management gt gt SNMP gt gt Query Seitings Enable SNMPv3 access Yes No Enable SNMPv1 v2 access Yes No Port for incoming SNMP connections SNMPv1 v2 Community Read and write Read Only Community If you wish to allow monitoring of the FL MGUARD via SNMPVv3 set this option to Yes B The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the FL MGUARD Access via SNMPv3 requires authentication with a login and password The default settings fo
264. is lost established on the LAN port the WAN port is also disabled enabled External If the connection is lost established on the WAN port the LAN port is also disabled enabled 6 232 PHOENIX CONTACT 8334_en_01 Configuration Logging gt gt Remote Logging 6 10 Logging menu Logging refers to the recording of event messages e g regarding settings that have been made the application of firewall rules errors etc Log entries are recorded in various categories and can be sorted and displayed according to these categories see Logging gt gt Browse local logs on page 6 234 6 10 1 Logging gt gt Settings 6 10 1 1 Remote Logging All log entries are recorded in the main memory of the FL MGUARD by default Once the maximum memory space for log entries has been used up the oldest log entries are automatically overwritten by new entries In addition all log entries are deleted when the FL MGUARD is switched off To prevent this log entries SysLog messages can be transmitted to an external computer SysLog server This is particularly useful if you wish to manage the logs of multiple FL MGUARD devices centrally Remote Logging Settings Activate remote UDP logging Yes v Log Server IP address 10 1 66 2 Log Server port normally 514 514 Settings Activate remote UDP Yes No logging If you want all log entries to be transmitted to the external log server specified below sel
265. is not interrupted Firewall redundancy Two identical FL MGUARD devices can be combined to form a redundant pair meaning one takes over the functions of the other if an error occurs VPN redundancy An existing firewall redundancy forms the basis for VPN redundancy In addition the VPN connections are designed so that at least one FL MGUARD in a redundant pair operates the VPN connections Ring network coupling In ring network coupling another method is used Parts of a network are designed as redundant In the event of errors the alternative path is selected 7 1 Firewall redundancy Using firewall redundancy it is possible to combine two identical FL MGUARD devices into a redundant pair single virtual router One FL MGUARD takes over the functions of the other if an error occurs Both FL MGUARD devices run synchronously meaning an existing connection is not interrupted when the FL MGUARD is switched Primary MGUARD Guard n vw a External a Internal T network ees Secondary MGUARD Figure 7 1 Firewall redundancy example Basic requirements for firewall redundancy A license is required for the firewall redundancy function It can only be used if the corresponding license has been purchased and installed Only identical FL MGUARD devices can be used together in a redundant pair In Router network mode firewall redundancy is only supported with the static Router mode
266. is value can be set see 6 140 120 seconds are added after closing the connection This also applies to connections closed by the user UDP 30 seconds after data traffic in one direction 180 seconds after data traffic in both directions ICMP 30 seconds Others 10 minutes 6 146 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt User Firewall gt gt User Firewall Templates Edit gt Template users Network Security User Firewall BluePrint General Template users Firewall rules J l Users S 5 n T O Service_1 Specify the names of the users here The names must correspond to those that have been defined under the Authentication gt gt Firewall Users menu see page 6 111 Firewall rules Network Security User Firewall BluePrint General Template users Firewall rules Firewall rules Source P authorized_ip Log ID wtw NV 240 322 3648 14 0385 00000206000 gt x Proc tromrot fro E E 1 TR v any 0 0 0 0 0 any important Yes v Source IP IP address from which connections are allowed to be established If this should be the address from which the user logged into the FL MGUARD the wildcard authorized_ip should be used If multiple firewall rules are defined and activated for a user these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the lis
267. isting table You can now enter or specify values in the row Buttons The following buttons are located at the top of every page Logout 5 Reset Apply Apply For logging out after configuration access to the FL MGUARD If the user does not log out he she is logged out automatically if there has been no further activity and the time period specified by the configuration has elapsed Access can only be restored by logging in again Optional button Resets to the original values If you have entered values on a configuration page and these have not yet taken effect by clicking on the Apply button you can restore the original values on the page by clicking the Reset button This button only appears at the top of the page if the scope of validity of the Apply button is set to nclude all pages see Management gt gt Web Settings on page 6 21 Optional button Has the same function as the Apply button but is valid for all pages This button only appears at the top of the page if the scope of validity of the Apply button is set to nclude all pages see Management gt gt Web Settings on page 6 21 8334_en_01 PHOENIX CONTACT 6 3 FL MGUARD 2 6 2 Management menu For security reasons we recommend you change the default root and administrator passwords during initial configuration see Authentication gt gt Administrative Users on page 6 108 A message informing you of
268. itted in the machine certificate shown by the VPN partner It is then no longer necessary to identify or define the subject in the certificate Limited access to certain subjects In the certificate the certificate owner is specified in the Subject field The entry is comprised of several attributes These attributes are either expressed as an object identifier e g 132 3 7 32 1 or more commonly as an abbreviation with a corresponding value Example CN VPN end point 01 O Smith and Co C US If certain subject attributes have very specific values for the acceptance of the VPN partner by the FL MGUARD then these must be specified accordingly The values of the other freely selectable attributes are entered using the asterisk wildcard Example CN O Smith and Co C US with or without spaces between attributes In this example the attributes O Smith and Co and C US should be entered in the certificate that is shown under Subject It is only then that the FL MGUARD would accept the certificate owner subject as a communication partner The other attributes in the certificates to be filtered can have any value If a subject filter is set the number and the order of the specified attributes must correspond to that of the certificates for which the filter is to be used Please note that the text is case sensitive 6 190 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections
269. ivated together with firewall redundancy instead VPN redundancy can only be used if the corresponding license has been purchased and installed on the FL MGUARD As VPN connections must be established for VPN redundancy a corresponding VPN license is also necessary If you only have the license for firewall redundancy and VPN connections are installed VPN redundancy cannot be activated An error message is displayed as soon as an attempt is made to use firewall redundancy Only identical FL MGUARD devices can be used together in a redundant pair 7 2 1 Components in VPN redundancy The components used in VPN redundancy are the same as described under firewall redundancy One additional component is available here VPN state synchronization A small number of components are slightly expanded for VPN redundancy However the connectivity check availability check and firewall state synchronization are all performed in the same way as before VPN state synchronization The FL MGUARD supports the configuration of firewall rules for the VPN connection VPN state synchronization monitors the state of the different VPN connections on the active FL MGUARD It ensures that the FL MGUARD on standby receives a valid up to date copy of the VPN state database As with state synchronization of the firewall VPN state synchronization sends updates from the active FL MGUARD to the FL MGUARD on standby If requested to do so by the FL MGUARD on stan
270. k X 509 certificate A number of additional protocols are based on UDP and TCP These include HTTP Hyper Text Transfer Protocol HTTPS Secure Hyper Text Transfer Protocol SMTP Simple Mail Transfer Protocol POP3 Post Office Protocol Version 3 and DNS Domain Name Service ICMP is based on IP and contains control messages SMTP is an e mail protocol based on TCP IKE is an IPsec protocol based on UDP ESP is an IPsec protocol based on IP On a Windows PC the WINSOCK DLL or WSOCK32 DLL provides a common interface for both protocols See Datagram on page 1 2 A VLAN Virtual Local Area Network divides a physical network into several independent logical networks which exist in parallel Devices on different VLANs can only access devices within their own VLAN Accordingly assignment to a VLAN is no longer defined by the network topology alone but also by the configured VLAN ID VLAN settings can be used as optional settings for each IP A VLAN is identified by its VLAN ID 1 4094 All devices with the same VLAN ID belong to the same VLAN and can therefore communicate with each other The Ethernet packet for a VLAN according to IEEE 802 1Q is extended by 4 bytes with 12 bits available for recording the VLAN ID VLAN IDs 0 and 4095 are reserved and cannot be used for VLAN identification A Virtual Private Network VPN connects several separate private networks Subnetworks together via a public ne
271. ksum Algorithm Everyday Mondays Tuesdays etc at xx h xx m You can start a check every day or on a specific weekday ata specific time hours minutes The FL MGUARD system time must be set for the time schedule to work properly Integrity checks are not performed if the system time is not synchronized This can be carried out manually or via NTP see Time and Date on page 6 7 A check is only started if the FL MGUARD is operating at the set time If the FL MGUARD is not operating at the time a check is not performed later when the FL MGUARD is started up again The check can also be started manually CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Actions on page 6 157 Maximum duration of the check sequence in minutes You can thus ensure that the check is completed in good time e g before a shift starts SHA 1 MD5 SHA 256 Checksum algorithms such as MD5 SHA 1 or SHA 256 are used to check whether a file has been changed SHA 256 is more secure than SHA 1 but it takes longer to process 8334_en_01 PHOENIX CONTACT 6 153 FL MGUARD 2 CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit To be stored on CIFS In order to perform the check the FL MGUARD must be share provided with a network drive for storing the files The checksum memory can be accessed via the external network interface
272. l External 2 VPN Dial in Specifies to which interface the rule should apply If no rules are set or if no rule applies the following default settings apply Remote SEC Stick access is permitted via Internal VPN and Dial in Access via External and External 2 is refused Specify the access options according to your requirements If you want to refuse access via Internal VPN or Dial in you must implement this explicitly by means of corresponding firewall rules for example by specifying Drop as an action Action Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Comment Freely selectable comment for this rule Log For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default setting 1 External 2 and Dial in only apply to the FL MGUARD RS4000 see Network gt gt Interfaces on page 6 56 8334_en_01 PHOENIX CONTACT 6 203 FL MGUARD 2 6 7 7 Connections SEC Stick Connections SEC Stick connections SEC Stick connections D x LL oe E Nv nobody myCompany Ea SE
273. large network For example if 100 employees access a certain website at the same time over a web proxy then the proxy only loads the relevant web pages from the server once and then distributes them as needed among the employees Remote web traffic is reduced which saves money A router is a device that is connected to different IP networks and communicates between them To do this the router has an interface for each network connected to it A router must find the correct path to the destination for incoming data and define the appropriate interface for forwarding it To do this it takes data from a local routing table listing assignments between available networks and router connections or intermediate stations 8334_en_01 PHOENIX CONTACT 9 5 FL MGUARD 2 Trap Service provider Spoofing anti spoofing Subject certificate SNMP Simple Network Management Protocol is often used alongside other protocols in particular on large networks This UDP based protocol is used for central administration of network devices For example the configuration of a device can be requested using the GET command and changed using the SET command the requested network device must simply be SNMP compatible An SNMP compatible device can also send SNMP messages e g should unexpected events occur Messages of this type are known as SNMP traps Service providers are companies or institutions that enable users to access the Internet or o
274. le Egress QoS No v Total Bandwidth Rate Bandwidth Rate Limit unlimited kbit s v Queues tame Guaranteed O Uppert o Prior Comment O01 Urgent 0 unlimted High v i stl 2 Important 10 unlimited Medium v H s Default 10 unlimited Medium v toe Low Priority 10 unlimited Low v All of the tab pages listed above for Egress Queues for the Internal External External 2 and Dial in interfaces and for VPN connections routed via these interfaces have the same setting options In all cases the settings relate to the data that is sent externally into the network from the relevant FL MGUARD interface 8334_en_01 PHOENIX CONTACT 6 211 FL MGUARD 2 QoS gt gt Egress Queues gt gt Internal External External 2 Dial in QoS gt gt Egress Queues VPN gt gt VPN via Internal VPN via External VPN via External 2 VPN via Dial in Enabling Enable Egress QoS Total Bandwidth Rate Bandwidth Rate Limit Queues Name Guaranteed Upper Limit Priority Comment No default This feature is disabled Yes This feature is enabled This option is recommended if the interface is connected to a network with low bandwidth This enables bandwidth allocation to be influenced in favor of particularly important data kbit s or Packet s Total maximum bandwidth that is physically available specified in kbps or packets per second In order to optimize prioritization the total bandwidth spec
275. les can be defined separately for all interfaces and for VPN connections 6 8 4 1 Internal External External 2 Dial in Internal Settings for egress queue rules QoS Egress Rules Default Default Queue Default v Rules ESF eroiccat rrome romen ror orot CurrentTosmsce NewTosmsce Queue tame Comment pia v 00000 any 0 0 0 00 any TOS Minimize Delay wv Unchanged v Urgent v a 2 Al v 0 0 0 0 0 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged v Important v P3 ar v 00000 any 0 0 0 00 any TOS Minimize Cost v Unchanged v Low Priority v External Settings for egress queue rules QoS Een T Rules internat externat Externar2 iatin Default Rules PET Protocol p1 a v 00000 any 0 0 0 0 0 any TOS Minimize Delay Unchanged v Urgent v F L 2 Al v 00 0 00 any 0 0 0 0 0 any TOS Maximize Reliability w Unchanged v Important v p F 3 Al w 00 0 00 any 0 0 0 0 0 any TOS Minimize Cost wv Unchanged wv Low Priority w External 2 Settings for egress queue rules Internal External External 2 Dial in Default Default Queue Defaut v Rules E 1 Al w 0 0 0 0 0 any 0 0 0 0 0 o y TOS Minimize Delay v Unchanged v Urgent v f E 2 Al v 00 0 00 any 0 0 0 070 any TOS Maximize Reliability w Unchanged v Important v pE 3 a v 00000 any 0 0 0 00 any TOS Minimize Cost w Unchanged wv Low Priority Y
276. lete the entire data record 8334_en_01 PHOENIX CONTACT 6 1 FL MGUARD 2 Inserting rows gt lt i gt lt i n m G e L 2 L 1 Click on the F L 2 arrow below which you want to insert a new row 2 The new row is inserted You can now enter or specify values in the row Moving rows ONO i sO i E 2 l 3 sL 4 N O sO 2 3 Fm 4 1 Select the row s you want to move 2 Click on the F 3 The rows are moved Deleting rows ERJ O O rm i L rm sL 2 lt ii 0l l rja 2 ra E gL 1 Select the rows you want to delete 2 Click on x to delete the rows h 3 The rows are deleted Working with non sortable tables NO O sO i rm 3 re 2 sL arrow below which you want to move the selected rows gt lt O O i O sUL__ _ rm 4 Tables are non sortable if the order of the data records contained within them does not play any technical role It is then not possible to insert or move rows With these tables you can Delete rows Append rows to the end of the table in order to create a new data record with settings e g user firewall templates The symbols for inserting a new table row are therefore different F to insert rows in a sortable table 6 2 PHOENIX CONTACT 8334_en_01 Configuration Appending rows non sortable tables x E E z E 1 Click on the arrow to append a new row 2 The new row is appended below the ex
277. limited kbit s v Queues PE e name OO O Guaranteed OO OO eH 1 Urgent 10 unlimited High v daj Important 10 unlimited Medium v 5 z i unl ited ium v rl 3 Default 10 limited Mediu e illi4 Low Priority 10 unlimited low wv 6 210 PHOENIX CONTACT 8334_en_01 Configuration VPN via External Settings for egress queues QoS Egress Queues VPN VPN via Internal VPN via External If VPN via External 2 I VPN via Dialin Enabling Enable Egress QoS No v Total Bandwidth Rate Bandwidth Rate Limit unlimited kots 5 kbit s Queues Packet s gt x OH Urgent io oS i unimted Hih v o e she Important 0 unimted Medium w Hi 3 Defaut 10 unlimited Medium w som Low Priorty mo tt unlimited Low v VPN via External 2 Settings for egress queues QoS Egress Queues VPN VPN via Internal ii VPN via External iil VPN via External 2 If VPN via Dial in Enabling Enable Egress QoS No v Total Bandwidth Rate No Bandwidth Rate Limit unlimited kbs v Queues oxo name E Urgent 10 unlimited High v rim Important 10 unlimited Medium v B 3 Default 10 unlimited Medium v rim Low Priority 10 unlimited low v VPN via Dial in Settings for egress queues QoS Egress Queues VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in Enabling Enab
278. ll Schedule 15 minutes the FL MGUARD must be prevented from repeatedly testing a configuration profile that might be faulty at intervals that are too short This can hinder or prevent external administrative access as the FL MGUARD might be too busy dealing with its own processes 3 External factors e g network failure must be largely ruled out as a reason why the FL MGUARD considers the new configuration to be faulty An application note is provided by Innominate It describes how a rollback can be started using a configuration profile Download timeout Default 120 seconds Specifies the maximum timeout length period of inactivity when downloading the configuration file The download is aborted if this time is exceeded If and when a new download is attempted depends on the setting of Pull Schedule see above Login Login user name that the HTTPS server requests Password Password that the HTTPS server requests Server Certificate The certificate that the FL MGUARD uses to check the authenticity of the certificate shown by the configuration server It prevents an incorrect configuration from an unauthorized server from being installed on the FL MGUARD 6 54 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Central Management gt gt Configuration Pull The following may be specified here A self signed certificate of the configuration server The root certificate of the
279. lled on the FL MGUARD see Section 6 4 4 Authentication gt gt Certificates If the use of revocation lists CRL checking is activated under the Authentication gt gt Certificates Certificate settings menu item each certificate signed by a CA that is shown by the SSH client is checked for revocations 6 18 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Shell Access CA certificate This configuration is only necessary if the SSH client shows a certificate signed by a CA All CA certificates required by the FL MGUARD to form the chain to the relevant root CA certificate with the certificates shown by the SSH client must be configured The selection list contains the CA certificates that have been loaded on the FL MGUARD under the Authentication gt gt Certificates menu item X 509 Subject Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the SSH client It is then possible to limit or enable access for SSH clients which the FL MGUARD would accept based on certificate checks Limited access to certain subjects i e individuals and or to subjects that have certain attributes Access enabled for all subjects see glossary under NAT Network Address Translation on page 9 5 l The X 509 subject field must not be left empty Access enabled for all subjects i e individu
280. lled download of a new configuration is only possible if the system time has been synchronized see Management gt gt System Settings on page 6 4 Time and Date on page 6 7 Time control sets the selected time based on the configured time zone 6 52 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Central Management gt gt Configuration Pull Server IP address or host name of the server that provides the configurations Directory The directory folder on the server where the configuration is located Filename The name of the file in the directory defined above If no file name is defined here the serial number of the FL MGUARD is used with file extension atv Number of times a Default 10 configuration profile is ignored after it was rolled back After retrieving a new configuration it is possible that the FL MGUARD may no longer be accessible after applying the new configuration It is then no longer possible to implement a new remote configuration to make corrections In order to prevent this the FL MGUARD performs the following check As soon as the retrieved configuration is applied the FL MGUARD tries to connect to the configuration server again based on the new configuration The FL MGUARD then attempts to download the newly applied configuration profile again If successful the new configuration remains in effect If this check is unsuccessful for whatever reason t
281. lowing this request Management gt gt Licensing gt gt Install Automatic License Installation Manual License Installation Voucher Serial Enter the serial number printed on the voucher and the Number Voucher Key corresponding voucher key then click on Online License Request The FL MGUARD now establishes a connection via the Internet and installs the corresponding license on the FL MGUARD if the voucher is valid Reload Licenses This option can be used if the license installed on the FL MGUARD has been deleted Click on Online License Reload The licenses that were previously issued for this FL MGUARD are then retrieved from the server via the Internet and installed Order License After clicking on Edit License Request Form an online form is displayed which can be used to order the desired license Enter the following information in the form Voucher Serial Number The serial number printed on your voucher Voucher Key The voucher key on your voucher Flash ID This is entered automatically Filename After sending the form the license file is made available for download and can be installed on the FL MGUARD in a further step Install license file To install a license first save the license file as a separate file on your computer then proceed as follows e Click on Browse next to the Filename field Select the file and open it so that the file name or path is displayed in the Filename field
282. m is received the NAT router uses the specified destination port to recognize that the datagram is intended for an internal computer Using the table the NAT router replaces the destination IP address and port before forwarding the datagram via the internal network A port number is assigned to each device in UDP and TCP protocol based communication This number makes it possible to differentiate multiple UDP or TCP connections between two computers and use them simultaneously Certain port numbers are reserved for specific purposes For example HTTP connections are usually assigned to TCP port 80 and POP3 connections to TCP port 110 Acronym for Point to Point Protocol over Ethernet A protocol based on the PPP and Ethernet standards PPPoE is a specification defining how to connect users to the Internet via Ethernet using a shared broadband medium such as DSL wireless LAN or a cable modem Acronym for Point to Point Tunneling Protocol This protocol was developed by Microsoft and U S Robotics among others for secure data transfer between two VPN nodes a VPN via a public network Devices that communicate with each other must follow the same rules They have to speak the same language Rules and standards of this kind are called protocols or transmission protocols Some of the more frequently used protocols are IP TCP PPP HTTP and SMTP A proxy is an intermediary service A web proxy e g Squid is often connected upstream of a
283. me 3 w second s Priority of this device high v Eher bi ere aitheeweesoomdyocoh7jail skaono7phae3Nah q Virtual interfaces External virtual Router ID 190 External vitua P addresses gt A 172 16 66 48 Internal virtual Router ID 190 OOTTE FO 192 168 66 48 Encrypted state synchronisation Encryptthe state messages Yes v Passphrase da3ooNaihaiWeuc8wu4bo4voh7ugiiQuoolaifs ov Encryption Algorithm 3DES v Hash Algorithm SHA 1 v Interface for state synchronisation Interface which is used for Dedicated Interface w state synchronization Pottedescatesntertece TAS NTT eT TTI 192 168 68 29 255 255 255 0 No v 1 Disable the availablity check at gt q the external interface 8334_en_01 PHOENIX CONTACT 6 217 FL MGUARD 2 Redundancy gt gt Firewall Redundancy gt gt Redundancy General Redundancy state Enable redundancy Fail over switching time Priority of this device Shows the current status No default Firewall redundancy is disabled Yes Firewall redundancy is enabled This function can only be activated when a suitable license key is installed Further conditions apply if VPN redundancy is to be enabled at the same time see VPN redundancy on page 7 15 Maximum time that is allowed to elapse in the event of errors before switching to the other FL MGUARD high low Specifies the priority associated with the presence notifications CARP Set the p
284. me field The administrator has set the Time stamp in filesystem setting to Yes and has either transmitted the current system time to the FL MGUARD via NTP see below under NTP Server or has entered it under Local system time The system time of the FL MGUARD is then synchronized using the time stamp after a restart even if it has no built in clock and is set exactly again afterwards via NTP The administrator has activated NTP time synchronization under NTP Server has entered the address of at least one NTP server and the FL MGUARD has established a connection with at least one of the specified NTP servers If the network is working correctly this occurs a few seconds after a restart The display in the NTP State field may only change to synchronized much later see the explanation below under NTP State 6 8 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt System Settings gt gt Time and Date Hardware clock state Local system time Timezone in POSIX 1 notation Time stamp in filesystem 2h granularity Yes No for FL MGUARD RS2000 FL MGUARD RS4000 and for FL MGUARD SMART2 but not for FL MGUARD SMART The display shows whether the clock has been synchronized with the current time The built in clock is always synchronized when the system time of the FL MGUARD has been synchronized Once the clock has been synchronized its state only returns to not synchronized if the firmware is r
285. me switching Time stamp in filesystem 2h granularity Y NTP Server Enable NTP time Yeu synchronization NTP State synchronized iy Sie 10 1 66 2 Management gt gt System Settings gt gt Time and Date Time and Date Current system time The current system time is displayed as Universal Time UTC Coordinates UTCs If NTP time synchronization is not yet activated see below and Time stamp in filesystem is deactivated the clock will start at January 1 2000 Current system time Display If the sometimes different current local time is to be local displayed the corresponding entry must be made under Timezone in POSIX 1 notation see below System time state Display Indicates whether the FL MGUARD system time has ever been synchronized with a currently valid time during FL MGUARD runtime If the display indicates that the FL MGUARD system time has not been synchronized the FL MGUARD does not perform any time controlled activities These are as follows 8334_en_01 PHOENIX CONTACT 6 7 FL MGUARD 2 Management gt gt System Settings gt gt Time and Date Time controlled activities Time controlled pick up of configuration from a configuration server This is the case when the Time Schedule setting is selected under the Management gt gt Central Management Configuration Pull menu item for the Pull Schedule setting see Management gt gt Configuration Profiles on pa
286. mported CA certificates Authentication Certificates Certificate settings Machine Certificates CA Certificates Remote Certificates CRL Trusted CA Certificates sx Subject CN VPN RootCA 01 0 Beispiel Lieferant C DE Subject Alternative Names Issuer CN VPN RootCA 01 0 Beispiel Lieferant C DE W Validity From Mar 20 15 56 38 2007 GMT to Mar 20 15 56 38 2022 GMT Fingerprint MDS 49 13 FB 16 C8 3A DE C3 F7 70 AB F9 SB 76 BD 40 SHA1 12 C2 4C 53 7B 60 62 FA C0 83 61 C4 92 98 03 82 75 1D 29 75 Shortname VPN RootCA 01 Upload Certificate Filename Durchsuchen Import P Downs Crt Authentication gt gt Certificates gt gt CA Certificates Trusted CA Certificates Importing a CA certificate Using the short name Displays the current imported CA certificates To import a new certificate proceed as follows Requirement The file file name extension cer pem or crt is saved on the connected computer Proceed as follows e Click on Browse to select the file e Click on Import Once imported the loaded certificate appears under Certificate e Remember to save the imported certificate along with the other entries by clicking on the Apply button Shortname When importing a CA certificate the CN attribute from the certificate subject field is suggested as the short name here providing the Shortname field is empty at this point This name can be adopted or another name can be chosen e
287. n 6 12 CIDR Classless Inter Domain Routing IP subnet masks and CIDR are methods of notation that combine several IP addresses to create a single address area An area comprising consecutive addresses is handled like a network To specify an area of IP addresses for the FL MGUARD e g when configuring the firewall it may be necessary to specify the address area in CIDR format In the table below the left hand column shows the IP subnet mask while the right hand column shows the corresponding CIDR format IP subnet mask Binary CIDR 255 255 255 255 11111111 11111111 11111111 11111111 32 255 255 255 254 11111111 11111111 11111111 11111110 31 255 255 255 252 11111111 11111111 11111111 11111100 30 255 255 255 248 11111111 11111111 11111111 11111000 29 255 255 255 240 11111111 11111111 11111111 11110000 28 255 255 255 224 11111111 11111111 11111111 11100000 27 255 255 255 192 11111111 11111111 11111111 11000000 26 255 255 255 128 11111111 11111111 11111111 10000000 25 255 255 255 0 11111111 11111111 11111111 00000000 24 255 255 254 0 11111111 11111111 11111110 00000000 23 255 255 252 0 11111111 11111111 11111100 00000000 22 255 255 248 0 11111111 11111111 11111000 00000000 21 255 255 240 0 11111111 11111111 11110000 00000000 20 255 255 224 0 11111111 11111111 11100000 00000000 19 255 255 192 0 11111111 11111111 11000000 00000000 18 255 255 128 0 11111111 11111111 10000000 00000000 17 255 255 0 0 11111111 11111111 00000000 00000000 16
288. n MS Internet Explorer Version 8 make the following settings Tools menu Internet Options Connections tab Click on Properties under LAN settings Check that Use a proxy server for your LAN under Proxy server is not activated in the Local Area Network LAN Settings dialog box 8334_en_01 PHOENIX CONTACT 5 9 FL MGUARD 2 Explanation e f other LAN connections are active on the computer deactivate them until the configuration has been completed Under the Windows menu Start Settings Control Panel Network Connections or Network and Dial up Connections right click on the corresponding icon and select Disable in the context menu After a successful connection establishment Once a connection has been established successfully the following security alert is displayed MS Internet Explorer Security Alert Information you exchange with this site cannot be viewed or changed by others However there is a problem with the site s security certificate The security certificate was issued by a company you have not chosen to trust View the certificate to determine whether you want to trust the certifying authority The security certificate has expired or is not yet valid The name on the security certificate is invalid or does not match the name of the site Do you want to proceed Figure 5 6 Security alert As administrative tasks can only be performed using encrypted access a self si
289. n be made using a web browser under the URL https 1 1 1 1 No configuration modifications are required on the computer itself ill EI ll Mi ULI ll ilil oo ca iili oo a ilil oo Figure 2 1 Stealth mode 8334_en_01 PHOENIX CONTACT 2 1 FL MGUARD 2 2 2 Network router When used as a network router the FL MGUARD can provide the Internet link for several computers and protect the company network with its firewall One of the following network modes can be used on the FL MGUARD Router if the Internet connection is for example via a DSL router or a permanent line PPPOE if the Internet connection is for example via a DSL modem and the PPPoE protocol is used e g in Germany PPTP if the Internet connection is for example via a DSL modem and the PPTP protocol is used e g in Austria Modem if the Internet connection is via a serial connected modem compatible with Hayes or AT command set For computers in the Intranet the FL MGUARD must be specified as the default gateway DSL Modem Router Cons lt Figure 2 2 Network router 2 2 PHOENIX CONTACT 8334_en_01 Preliminary user manualTypical application scenarios 2 3 DMZ A DMZ demilitarized zone is a protected network t
290. n residential areas and the operator may be required to take appropriate measures 8334_en_01 PHOENIX CONTACT 4 7 FL MGUARD 2 4 8 PHOENIX CONTACT 8334_en_01 Preparing the configuration 5 Preparing the configuration 5 1 Connection requirements FL MGUARD SMART2 The FL MGUARD SMART2 must be switched on i e it must be connected to a computer or power supply unit that is switched on via a USB cable in order for it to be supplied with power For local configuration The computer used for configuration Must be connected to the LAN port of the FL MGUARD Ormust be connected to the FL MGUARD via the local network For remote configuration The FL MGUARD must be configured so that remote configuration is permitted The FL MGUARD must be connected i e the required connections must be working FL MGUARD RS4000 RS2000 The FL MGUARD RS4000 RS2000 must be connected to at least one active power supply unit For local configuration The computer that is to be used for configuration must be connected to the LAN female connector on the FL MGUARD For remote configuration The FL MGUARD must be configured so that remote configuration is permitted The FL MGUARD must be connected i e the required connections must be working 8334_en_01 PHOENIX CONTACT 5 1 FL MGUARD 2 5 2 Local configuration on startup EIS As of firmware version 7 2 initial startup of FL MGUARD products provided in s
291. nder Remote This address is translated using the Network address for remote 1 1 NAT 8334_en_01 PHOENIX CONTACT 6 183 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt General Further settings can be made by clicking on More Remote NAT Remote NAT for IPsec Masquerading of the remote network tunnel connections Remote NAT ae NATI Pene Eea Masquerading of remote net v IP add sed for gh chs saat a The source addresses of data packets received by the FL MGUARD via the VPN tunnel are masked using the IP address defined under Internal IP address for masking the remote network The original and translated source address and source port are recorded This means that responses can have their original destination restored if a matching record is found for them If necessary the destination address is also translated see Local NAT Protocol Protocol All TCP UDP ICMP Select whether the VPN is restricted to a specific protocol or whether it is valid for all data traffic When TCP or UDP is selected Protocol Protocol TCP w Local Port all for all ports a number between 1 and 65535 or all eany to accept any proposal Remote Port all for all ports a number between 1 and65535 or all any to accept any proposal Local Port all default specifies that all ports can be used If a specific port should be used specify the port number any specifies that port
292. nder a rule set name for structuring incoming and outgoing rules A rule set can then be referenced in an incoming or outgoing rule whereby the rules contained in the rule set are applied there When defining a rule set itis also possible to reference another defined rule set i e using this rule set as a block in the current rule set Defining a new rule set e Inthe set of rules table click on Edit to the right of the unnamed entry under Name e Ifthe unnamed entry cannot be seen open another row in the table Editing a rule set e Click on Edit to the right of the relevant entry e Ifa firewall rule set comprises multiple firewall rules these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored Network Security gt gt Packet Filter gt gt Sets of Rules Sets of Rules Lists all the defined firewall sets of rules Sets of rules are only used if they are referenced on the Incoming Rules or Outgoing Rules tab page A set of rules that is referenced in a firewall rule is only used if it meets all the criteria of this firewall rule Enabled Activates deactivates the relevant set of rules Name Name of the set or rules The name is specified when the set or rules is created The Set of Rules page is displayed when you click on Edi
293. nding Restart button Edit If you want to reconfigure a connection click on the corresponding Edit button Connection ISAKAMP State IPsec State Gateway Gateway indicates the IP addresses of the communicating VPN gateways Traffic Traffic refers to the computers and networks that communicate via the VPN gateways ID Refers to the subject of an X 509 certificate ISAKMP State ISAKMP State Internet Security Association and Key Management Protocol is set to established if both VPN gateways involved have established a channel for key exchange In this case they have been able to contact one another and all entries up to and including ISAKMP SA on the connection configuration page are correct IPsec State IPsec State is set to established if IPsec encryption is activated for communication In this case the data under IPsec SA and Tunnel Settings is also correct In the event of problems it is recommended that you check the VPN logs of the partner to which the connection was established This is because detailed error messages are not forwarded to the initiating computer for security reasons If displayed This means that ISAKMP SA established Authentication was successful but the other parameters did not match Does the IPsec State WAITING connection type tunnel transport match If Tunnel is selected do the network areas match on both sides IPsec State IPsec SA The VPN connection is established successfully and can
294. nels defined below should all be active Yes or not No An IP address host name or any for several partners or partners downstream of a NAT router 8334_en_01 PHOENIX CONTACT 6 173 FL MGUARD 2 me De ee Address of the remote site s VPN gateway 5 e Cone 3 VPN gateway of the partner Figure 6 3 The address of the transition to the private network where the remote communication partner is located Ifthe FLMGUARD should actively initiate and establish the connection to the remote partner specify the IP address or host name of the partner here If the VPN gateway of the partner does not have a fixed and known IP address the DynDNS service see glossary can be used to simulate a fixed and known address Ifthe FLMGUARD should be ready to allow a connection to the local FL MGUARD that was actively initiated and established by a remote partner with any IP address specify any This setting should also be selected for a VPN star configuration if the FL MGUARD is connected to the control center The FL MGUARD can then be called by a remote partner if this partner has been dynamically assigned its IP address by the Internet service provider i e it has an IP address that changes In this scenario you may only specify an IP address if the remote calling partner has a fixed and known IP address any can only be used together with the authentication method using X 509 certificates
295. nes which remote certificate the FL MGUARD should adopt in order to authenticate the partner SSH client The remote certificate can be selected from the selection list The selection list contains the remote certificates that have been loaded on the FL MGUARD under the Authentication gt gt Certificates menu item All users root admin netadmin audit Filter which specifies that the SSH client has to be authorized for a specific administration level in order to gain access When establishing a connection the SSH client shows its certificate and also specifies the system user for which the SSH session is to be opened root admin netadmin audit Access is only granted if the entries match those defined here Access for all listed system users is possible when All users is set i The netadmin and audit setting options relate to access rights with the device manager software FL MGUARD DM 6 20 PHOENIX CONTACT 8334_en_01 Configuration 6 2 2 Management gt gt Web Settings 6 2 2 1 General Management Web Settings General 2 Access General Language English Session Timeout seconds 1800 Scope of the Apply button Per Session v Management gt gt Web Settings gt gt General General Language Session Timeout seconds Scope of the Apply button If automatic is selected in the list of languages the device uses the language setting of the computer s br
296. new datagram Tunnel mode is used in VPN applications The devices at the ends of the tunnel ensure that the datagrams are encrypted and decrypted in other words the actual datagrams are completely protected on the tunnel path i e during transfer over a public network 9 4 PHOENIX CONTACT 8334_en_01 Glossary NAT Network Address Translation Port number PPPoE PPTP Protocol transmission protocol Proxy Router Network Address Translation NAT also known as P masquerading hides an entire network behind a single device known as a NAT router If you communicate externally via a NAT router the internal computers in the local network and their IP addresses remain hidden The remote communication partner will only see the NAT router with its IP address In order to allow internal computers to communicate directly with external computers on the Internet the NAT router must modify the IP datagrams that are sent from internal computers to remote partners and received by internal computers from remote partners If an IP datagram is sent from the internal network to a remote partner the NAT router modifies the UDP and TCP headers of the datagram replacing the source IP address and source port with its own official IP address and a previously unused port For this purpose the NAT router uses a table in which the original values are listed together with the corresponding new ones When a response datagra
297. ng General firewall setting Drop all outgoing connections v Accept all outgoing connections Drop all outgoing connections D These variables are also available on other devices However other devices also have advanced settings see Incoming Rules on page 6 130 and Outgoing Rules on page 6 132 6 142 PHOENIX CONTACT 8334_en_01 Configuration 6 5 2 Network Security gt gt DoS Protection 6 5 2 1 Flood Protection This menu is not available on the FL MGUARD RS2000 Network Security DoS Protection Flood Protection TCP Maximum number of new outgoing TCP connections 75 SYN per second Maximum number of new incoming TCP connections 25 SYN per second ICMP Maximum number of outgoing ping frames ICMP Echo 5 Request per second Maximum number of incoming ping frames ICMP Echo 3 Request per second Stealth Mode Maximum number of outgoing ARP requests or ARP replies 500 per second each Maximum number of incoming ARP requests or ARP replies 500 per second each Network Security gt gt DoS Protection gt gt Flood Protection TCP Maximum number of Outgoing Default setting 75 new incoming a rae outgoing TCP Incoming Default setting 25 connections SYN Maximum values for the number of incoming and outgoing per second TCP connections allowed per second These values are set to a level that can never be reached during normal p
298. ng CA certificates can be used instead or as an additional measure depending on the application CA certificates provide a way of checking whether the certificate shown by the partner is really signed by the CA specified in the partner s certificate ACA certificate is available as a file from the relevant CA file name extension cer pem or crt For example this file may be available to download from the website of the relevant CA The FL MGUARD can then check if the certificate shown by the partner is authentic using the CA certificates loaded on the FL MGUARD However this requires all CA certificates to be made available to the FL MGUARD in order to form a chain with the certificate shown by the partner In addition to the CA certificate from the CA whose signature appears on the certificate shown by the partner to be checked this also includes the CA certificate of the superordinate CA and so forth up to the root certificate see glossary under CA certificate Authentication using CA certificates enables the number of possible partners to be extended without any increased management effort because it is not compulsory to install a remote certificate for each possible partner To create a certificate a private key and the corresponding public key are required Programs are available so that any user can create these keys Similarly a corresponding certificate with the corresponding public key can also be created resulting in a
299. ng a connection to a server or host is also called a client In other words the client is the calling computer and the server or host is the computer called In the IP transmission protocol data is sent in the form of data packets These are known as IP datagrams An IP datagram is structured as follows IP header TCP UDP ESP etc header Data payload The IP header contains The IP address of the sender source IP address The IP address of the recipient destination IP address The protocol number of the protocol on the superordinate protocol layer according to the OSI layer model The IP header checksum used to check the integrity of the received header The TCP UDP header contains the following information The port of the sender source port The port of the recipient destination port A checksum covering the TCP header and information from the IP header e g source and destination IP addresses If a computer is connected to a network the operating system creates a routing table internally The table lists the IP addresses that the operating system has identified based on the connected computers and the routes available at that time Accordingly the routing table contains the possible routes destinations for sending IP packets If IP packets are to be sent the computer s operating system compares the IP addresses stated in the IP packets with the entries in the routing table
300. nline services In Internet terminology spoofing means supplying a false address Using this false Internet address a user can create the illusion of being an authorized user Anti spoofing is the term for mechanisms that detect or prevent spoofing In a certificate confirmation is provided by a certification authority CA that the certificate does actually belong to its owner This is done by confirming specific owner properties Furthermore the certificate owner must possess the private key that matches the public key in the certificate gt Service provider on page 1 6 Example Certificate Data Version 3 0x2 Serial Number 1 0x1 Signature Algorithm md5WithRSAEncryption Issuer C XY ST Austria L Graz O TrustMe Ltd OU Certificate Authority CN CA Email ca trustme dom Validity Not Before Oct 29 17 39 10 2000 GMT gt Subject CN anywhere com E doctrans de C DE ST Hamburg L Hamburg O Innominate OU Security Subject Public Key Info Public Key Algorithm rsaEncryption RSA Public Key 1024 bit Modulus 1024 bit 00 c4 40 4c 6e 14 1b 61 36 84 24 b2 61 c0 b5 d7 e4 7a a5 4b 94 ef d9 5e 43 7f c1 64 80 fd 9f 50 41 6b 70 73 80 48 90 f3 58 bf f0 4c b9 90 32 81 59 18 16 3f 19 4 5f 1 1 68 36 85 f6 1c a9 af fa a9 a8 7b 44 85 79 b5 f1 20 d3 25 7d 1 de 68 15 0c b6 bc 59 46 0a d8 99 4e 07 50 0a 5d 83 61 d4 db c9 7d c3 2e eb 0a 8F 62 8f 7 00 1 37 67 3f 36 d5 04 38 44 44 77 e9 0 b4 95 f5 f9 34 9F f
301. nnection channels Depending on the network mode of the FL MGUARD the following page appears after clicking on Edit 6 7 3 1 General Options A descriptive name for the connection Enabled Address of the remote site s VPN gateway Either an IP address a hostname or any for any IP multiple clients or clients behind a NAT gateway Interface to use for gateway setting any Connection startup Encapsulate the VPN traffic in TCP TCP Port of the server which accepts the encapsulated connection Sl Yes v Tunnel IPsec VPN gt gt Connections gt gt Edit gt gt General Options A descriptive name for the connection Enabled Address of the remote site s VPN gateway General Authentication Firewall IKE Options Mannheim Leipzig Yes v any External v Wait v Yes v 8080 Transport and Tunnel Settings v 192 168 1 1 32 192 168 254 1 32 192 168 1 1 Only in Stealth mode asi The connection can be freely named and renamed If several connection channels are defined under Transport and Tunnel Settings then this name applies to the entire set of VPN connection channels grouped under this name Similarities between VPN connection channels Same authentication method as specified on the Authentication tab page see Authentication on page 6 186 Same firewall settings Same IKE options set Yes No Specifies whether the VPN connection chan
302. nnections Remote NAT Remote NAT for IPsec tunnel eon 1 1 NAT v Network address for remote 1 t0 1 NAT 192 168 2 1 With 1 1 NAT the IP addresses of the remote devices are exchanged so that each individual address is swapped for another specific address and is not swapped for an address that is identical for all devices as is the case with IP masquerading If local devices transmit data packets only those data packets are considered which Are actually encrypted by the FL MGUARD the FL MGUARD only forwards packets via the VPN tunnel if they originate from a trustworthy source Have their source address within the network defined under Local NAT under Local on page 6 177 under 1 1 NAT or under Local masquerading or have their source address within the Local network if Local NAT is not defined Have a destination address which belongs to the Network address for remote 1 1 NAT if the Remote network subnet mask is applied to it The data packets are assigned a corresponding destination address from the network that is set under Remote see Remote on page 6 177 If necessary the source address is also replaced see Local NAT The data packets are then transmitted via the VPN tunnel Network address for The source addresses of packets received by the remote 1 1 NAT FL MGUARD via the VPN tunnel are translated the other way around These packets arrive with a source address from the network defined u
303. ns are reestablished by means of Dead Peer Detection DPD using the relevant configured time This effect is beyond the influence of the FL MGUARD In the event of path redundancy caused by a network lobotomy the VPN connections are no longer supported A network lobotomy must be prevented whenever possible 8334_en_01 PHOENIX CONTACT 7 23 FL MGUARD 2 X 509 certificates for VPN authentication The FL MGUARD supports the use of X 509 certificates when establishing VPN connections This is described in detail under Authentication on page 6 186 However there are some special points to note when X 509 certificates are used for authenticating VPN connections in conjunction with firewall redundancy and VPN redundancy Switching machine certificates A redundant pair can be configured so that it uses an X 509 certificate and the corresponding private key together to identify itself to a remote VPN partner as an individual virtual VPN instance These X 509 certificates must be renewed regularly If the VPN partner is set to check the validity period of the certificates these certificates must be renewed before their validity expires see Certificate settings on page 6 120 If a machine certificate is replaced all VPN connections which use it are restarted by the FL MGUARD While this is taking place the FL MGUARD cannot forward any data via the affected VPN connections for a certain period of time This period depends on th
304. nvironments Furthermore you can also save the configuration profiles as files on your configuration computer Alternatively these configuration files can be loaded onto the FL MGUARD and activated In addition you can restore the Factory Default settings at any time With the FL MGUARD RS4000 RS2000 configuration profiles can be stored on an SD card see FL MGUARD RS4000 RS2000 Configuration profiles can also be stored on an SD card up to 2 GB capacity on page 6 40 When a configuration profile is saved the passwords used for authenticating administrative access to the FL MGUARD are not saved It is possible to load and activate a configuration profile that was created under an older firmware version However the reverse is not true a configuration profile created under a newer firmware version should not be loaded 6 38 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Configuration Profiles Configuration Profiles Save Current Configuration to Profile Upload Configuration to Profile At the top of the page there is a list of the configuration profiles that are stored on the FL MGUARD e g the Factory Default configuration profile If any configuration profiles have been saved by the user see below they will be listed here BI Active configuration profile The configuration profile that is currently enabled has an Active symbol at the start of the entry Conf
305. of the associated private key A message encrypted with the private key can be decrypted by any recipient in possession of the associated public key Encryption using the private key shows that the message actually originated from the owner of the associated public key Therefore the expression digital signature is also often used However asymmetrical encryption methods such as RSA are both slow and susceptible to certain types of attack As a result they are often combined with some form of symmetrical encryption see Symmetrical encryption on page 1 7 On the other hand concepts are available enabling the complex additional administration of symmetrical keys to be avoided How trustworthy is a certificate and the issuing CA certification authority gt Service provider on page 1 6 A CA certificate can be consulted in order to check a certificate bearing this CA s signature This check only makes sense if there is little doubt that the CA certificate originates from an authentic source i e is authentic In the event of doubt the CA certificate itself can be checked If as is usually the case the certificate is a sub CA certificate i e a CA certificate issued by a sub certification authority then the CA certificate of the superordinate CA can be used to check the CA certificate of the subordinate instance If a superordinate CA certificate is in turn subordinate to another superordinate CA then its CA certificate can
306. of the partner of the PPP connection Login name that must be specified by the PPP partner in order to access the FL MGUARD via a PPP connection The password that must be specified by the PPP partner in order to access the FL MGUARD via a PPP connection Incoming Rules PPP Firewall rules for PPP connections to the LAN interface If multiple firewall rules are defined these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored The following options are available Protocol From To IP From To Port Action Comment All means TCP UDP ICMP GRE and other IP protocols 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabout
307. of the provider with whom you are registered e g DynDNS org TinyDynDNS DNS4BIZ Name of the server for the selected DynDNS provider Enter the user name and password assigned by the DynDNS provider here The host name selected for this FL MGUARD at the DynDNS service providing you use a DynDNS service and have entered the corresponding data above The FL MGUARD can then be accessed via this host name 6 102 PHOENIX CONTACT 8334_en_01 Configuration Under Windows XP i i 6 3 4 Network gt gt DHCP The Dynamic Host Configuration Protocol DHCP can be used to automatically assign the network configuration set here to the computer connected directly to the FL MGUARD Under Internal DHCP you can specify the DHCP settings for the internal interface LAN port and under External DHCP the DHCP settings for the external interface WAN port The External DHCP menu item is not included in the scope of functions for the FL MGUARD RS2000 The DHCP server also operates in Stealth mode IP configuration for Windows computers When you start the DHCP server of the FL MGUARD you can configure the locally connected computers so that they obtain their IP addresses automatically e Inthe Start menu select Control Panel Network Connections e Right click on the LAN adapter icon and select Properties from the context menu e Onthe General tab select Internet Protocol TCP IP under
308. of the source MAC address XX XX XX XX XX XX stands for all MAC addresses Destination MAC Specification of the destination MAC address XX XX XX XX XX XX Stands for all MAC addresses ff ff ff ff ff ff stands for the broadcast MAC address to which all ARP requests for example are sent 1 FLMGUARD RS4000 6 136 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt Packet Filter gt gt MAC Filtering Ethernet Protocol any stands for all Ethernet protocols Additional protocols can be specified in name or hexadecimal format for example IPv4 or 0800 ARP or 0806 Action Accept means that the data packets may pass through Drop means that the data packets are not permitted to pass through they are dropped Comment Freely selectable comment for this rule Outgoing The explanation provided under Incoming also applies to Outgoing 8334_en_01 PHOENIX CONTACT 6 137 FL MGUARD 2 6 5 1 5 The following settings affect the basic behavior of the firewall Netzwerksicherheit Paketfilter a Advanced Eingangsregein Ausgangsregein Regetsatze MAC Filter Erweiterte Einstellungen Konsistenzpr fungen Maximale L nge f r Ping Pakete ICMP Echo Request 7535 Aktiviere TCP UDP ICMP Ja Konsistenzprifungen Erlaube TCP Keepalive Pakete ohne TCP Flags Meny Netzwerkmodi Router PPTP PPPoE ICMP via primarem externen Interface f r den mGuard Aan
309. ome telecommunications connections also use RJ45 female connectors these must not be connected to the RJ45 female connectors of the FL MGUARD Please also note the additional safety notes for the device in the following sections General notes regarding usage NOTE Select suitable ambient conditions Ambient temperature 0 C to 40 C FL MGUARD SMART2 20 C to 60 C FL MGUARD RS4000 FL MGUARD RS2000 0 C to 40 C FL MGUARD DELTA TX TX Maximum humidity 90 non condensing FL MGUARD SMART2 Maximum humidity 95 non condensing FL MGUARD RS4000 FL MGUARD RS2000 FL MGUARD DELTA TX TX To avoid overheating do not expose to direct sunlight or other heat sources NOTE Cleaning Clean the device housing with a soft cloth Do not use abrasive solvents 8334_en_01 PHOENIX CONTACT 4 1 FL MGUARD 2 Steps for startup To start up the device carry out the following steps in the specified order Table 4 1 Steps for startup Step Aim Page 1 Check the scope of supply Checking the scope of supply on page 4 2 Read the release notes 2 Connect the device Connecting the FL MGUARD SMART on page 4 7 Installing the FL MGUARD RS4000 RS2000 on page 4 3 3 Configure the device if required Local configuration on startup EIS on Work through the individual menu options offered by the FL page 5 2 MGUARD configuration interface Read the explan
310. on the FL MGUARD industrial rs Possible reasons The administrator and root password have been lost Requirements Requirements for the DHCP and TFTP server NOTE To flash the firmware a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer Install the DHCP and TFTP server if necessary see Installing the DHCP and TFTP server on page 1 5 No such server is required for the FL MGUARD RS4000 RS2000 if the firmware is to be loaded from an SD card During flashing the firmware is always loaded from an SD card first The firmware is only loaded from a TFTP server if no SD card is found The following requirements apply when loading the firmware from an SD card All necessary firmware files must be located in a common directory on the first partition of the SD card This partition must use a VFAT file system standard type for SD cards NOTE Installing a second DHCP server in a network could affect the configuration of the entire network Additional requirements FL MGUARD RS4000 RS2000 The FLMGUARD firmware has been obtained from the www phoenixcontact com website and has been saved on a compatible SD card This SD card has been inserted into the FL MGUARD The relevant firmware files are available for download from the download page of www phoenixcontact com The files must be located under the following path names or in the following
311. on the FL MGUARD under the Authentication gt gt Certificates menu item see page 6 115 8334_en_01 PHOENIX CONTACT 6 17 FL MGUARD 2 Management gt gt System Settings gt gt Shell Access SSH server certificate 2 Authentication for SSH Specifies how the FL MGUARD authenticates the SSH client The following definition relates to how the FL MGUARD verifies the authenticity of the SSH client The table below shows which certificates must be provided for the FL MGUARD to authenticate the SSH client if the SSH client shows one of the following certificate types when a connection is established A certificate signed by aCA A self signed certificate For additional information about the table see Section 6 4 4 Authentication gt gt Certificates The partner shows the following Certificate specific to individual signed by CA Certificate specific to individual self signed The FL MGUARD authenticates the partner using 2 2 All CA certificates that form the chain to the root CA certificate together with the certificate shown by the partner PLUS if required Remote certificates if used as a filter Remote certificate According to this table the certificates that must be provided are the ones the FL MGUARD uses to authenticate the relevant SSH client The following instructions assume that the certificates have already been correctly insta
312. onnection to be established at least one partner IP address must be known so that the partners can contact each other This condition is not met if both participants are assigned IP addresses dynamically by their respective Internet service providers In this case a DynDNS service such as DynDNS org or DNS4BIZ com can be of assistance With a DynDNS service the currently valid IP address is registered under a fixed name If you have registered with one of the DynDNS services supported by FL MGUARD you can enter the corresponding information in this dialog box Register this mGuard at a DynDNS Service Refresh Interval sec DynDNS provider DynDNS Server DynDNS Login DynDNS Password DynDNS Hostname Select Yes if you have registered with a DynDNS provider and if the FL MGUARD is to use this service The FL MGUARD then reports its current IP address to the DynDNS service i e the one assigned for its Internet connection by the Internet service provider Default 420 seconds The FL MGUARD informs the DynDNS service of its new IP address whenever the IP address of its Internet connection is changed For additional reliability the device also reports its IP address at the interval specified here This setting has no effect for some DynDNS providers such as DynDNS org as too many updates can cause the account to be closed The providers in this list support the same protocol as the FL MGUARD Select the name
313. ons Enable dynamic IP address Yes v pool DHCP lease time 14400 DHCP range stat 192 168 1 100 DHCPrangeend 192 168 1 199 Localnetmask 255 255 255 0 Broadcast address 9 192 168 1 255 Default gateway 192 168 1 1 DNS serwer 10 0 0 254 WINS serwer 192 168 1 2 Static Mapping DHCP Server Options Enable dynamic IP address pool DHCP lease time Local netmask Broadcast address Default gateway DNS server Hx Client MAC Address Client IP Address Set this option to Yes if you want to use the IP address pool specified under DHCP range start and DHCP range end see below Set this option to No if only static assignments should be made using the MAC addresses see below With enabled dynamic IP address pool When the DHCP server and the dynamic IP address pool have been activated you can specify the network parameters to be used by the computer DHCP range start end The start and end of the address area from which the DHCP server of the FL MGUARD should assign IP addresses to locally connected computers Time in seconds for which the network configuration assigned to the computer is valid The client should renew its assigned configuration shortly before this time elapses Otherwise it may be assigned to other computers Specifies the subnet mask of the computers Default 255 255 255 0 Specifies the broadcast address of the computers Specifies which IP address should be used by the computer as th
314. or CHAP is used as the authentication method The user name password and any other data that must be specified by the user to establish a connection to the Internet are given to the user by the Internet service provider The corresponding fields are displayed depending on whether PAP CHAP or None is selected Enter the corresponding data in these fields If authentication is via PAP Authentication User name Password PAP server authentication Dial on demand idle timeout idle time seconds Local IP Remote IP Netmask User Name Password PAP server authentication PAP No w Yes v Yes v 300 0 0 0 0 0 0 0 0 0 0 0 0 v User name specified during Internet service provider login to access the Internet Password specified during Internet service provider login to access the Internet Yes No The following two entry fields are shown when Yes is selected 6 82 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt Dial out Server user name Server password Subsequent fields User name and password that the FL MGUARD requests from the server The FL MGUARD only allows the connection if the server returns the agreed user name password combination See under If None is selected as the authentication method on page 6 83 If authentication is via CHAP Authentication CHAP w Local name Remote name Secret for client authentication C
315. or the secondary external interface are only routed via this external interface when additional separately defined conditions are met Only then is the secondary external interface activated and the routing settings for the secondary external interface take effect see Probes for Activation on page 6 70 Network Specify the routing to the external network here Multiple routes can be specified Data packets intended for these networks are then routed to the corresponding network via the secondary external interface in permanent or temporary mode Gateway Specify the IP address if known of the gateway that is used for routing to the external network described above When you dial into the Internet using the phone number of the Internet service provider the address of the gateway is usually not known until you have dialed in In this case enter gateway in the field as a wildcard 6 68 PHOENIX CONTACT 8334_en_01 Configuration Operation Mode permanent temporary In both permanent and temporary operating mode the modem must be available to the FL MGUARD for the secondary external interface so that the FL MGUARD can establish a connection to the WAN Internet via the telephone network connected to the modem Which data packets are routed via the primary external interface Ethernet interface and which data packets are routed via the secondary external interface is determined by the routing settings that are appl
316. orwarded via a VPN tunnel Upload If the CRL is available as a file it can also be loaded on the FL MGUARD manually e Todo this click on Browse select the file and click on Import e Remember to save the imported CRL along with the other entries by clicking on the Apply button 6 128 PHOENIX CONTACT 8334_en_01 Configuration 6 5 Network Security menu A reduced version of the menu is available on the FL MGUARD RS2000 6 5 1 Network Security gt gt Packet Filter The FL MGUARD includes a Stateful Packet Inspection Firewall The connection data of an active connection is recorded in a database connection tracking Rules can thus only be defined for one direction This means that data from the other direction of the relevant connection and only this data is automatically allowed through A side effect is that existing connections are not aborted during reconfiguration even if a corresponding new connection can no longer be established Default firewall settings All incoming connections are rejected excluding VPN Data packets of all outgoing connections are allowed through The firewall rules here have an effect on the firewall that is permanently active with the exception of VPN connections Individual firewall rules are defined for VPN connections see IPsec VPN gt gt Connections on page 6 171 Firewall on page 6 192 User firewall When a user for whom user fi
317. ost Tunnel network network This connection type is suitable in all cases and is also the most secure In this mode the IP datagrams are completely encrypted and are with a new header transmitted to the VPN gateway of the partner the tunnel end The transmitted datagrams are then decrypted and the original datagrams are restored These are then forwarded to the destination computer Transport host host For this type of connection only the data of the IP packets is encrypted The IP header information remains unencrypted When you switch to Transport the following fields apart from Protocol are hidden as these parameters are omitted Define the network areas for both tunnel ends under Local and Remote m m eS e SS e IPsec tunnel A ee Ad bad A C 4 ZN DPE r Remote VPN Remote Internet gateway network Here specify the address of the network or computer which is connected locally to the FL MGUARD Here specify the address of the network or computer which is located downstream of the remote VPN gateway If Address of the remote site s VPN gateway see Address of the remote site s VPN gateway on page 6 173 is specified as any it is possible that a number of different partners will connect to the FL MGUARD 8334_en_01 PHOENIX CONTACT 6 177 FL MGUARD 2 Tunnel settings IPsec L2TP If clients should connect via the FL MGUARD by IPsec L2TP activa
318. ost address Class C Network address Host address 8334_en_01 PHOENIX CONTACT 9 3 FL MGUARD 2 IPsec The first byte of the IP address determines whether the IP address of a network device belongs to Class A B or C The following is specified Value of byte 1 Bytes for the network Bytes for the host address address Class A 1 126 1 3 Class B 128 191 2 2 Class C 192 223 3 1 Based on the above figures the number of Class A networks worldwide is limited to 126 Each of these networks can have a maximum of 256 x 256 x 256 hosts 3 bytes of address area There can be 64 x 256 Class B networks and each of these networks can have up to 65 536 hosts 2 bytes of address area 256 x 256 There can be 32 x 256 x 256 Class C networks and each of these networks can have up to 256 hosts 1 byte of address area Subnet mask Normally a company network with access to the Internet is only officially assigned a single IP address e g 123 456 789 21 The first byte of this example address indicates that this company network is a Class B network in other words the last two bytes are free to be used for host addressing Accordingly an address area for up to 65 536 possible hosts 256 x 256 can be computed Such a huge network is not practical and generates a need for subnetworks to be built The subnet mask can be used for this purpose Like an IP address the mask is 4 bytes long The bytes representing the network addr
319. owner is specified in the Subject field The entry is comprised of several attributes These attributes are either expressed as an object identifier e g 132 3 7 32 1 or more commonly as an abbreviation with a corresponding value Example CN John Smith O Smith and Co C US If certain subject attributes have very specific values for the acceptance of the browser by the FL MGUARD then these must be specified accordingly The values of the other freely selectable attributes are entered using the asterisk wildcard Example CN O C US with or without spaces between attributes In this example the attribute C US must be entered in the certificate under Subject It is only then that the FLMGUARD would accept the certificate owner subject as a communication partner The other attributes in the certificates to be filtered can have any value If a subject filter is set the number but not the order of the specified attributes must correspond to that of the certificates for which the filter is to be used Please note that the text is case sensitive irrelevant la Several filters can be set and their sequence is With HTTPS the browser of the accessing user does not specify which user or administration rights it is using to log in These access rights are assigned by setting filters here under Authorized for access as This has the following result If there are several filters that let
320. owser Specifies the period of inactivity in seconds after which the user will be automatically logged out of the FL MGUARD web interface Possible values 15 to 86400 24 hours The Per Page setting specifies that you have to click on the Apply button on every page where you make changes in order for the settings to be applied and take effect on the FL MGUARD The Per Session setting specifies that you only have to click on Apply once after making changes on a number of pages 8334_en_01 PHOENIX CONTACT 6 21 FL MGUARD 2 Only displayed when Login with X 509 user certificate is selected 6 2 2 2 Access 7 aces HTTPS Web Access Enable HTTPS remote access Yes v Remote HTTPS TCP Port 443 Allowed Networks Log ID tw nitas aocees W 26227202 240 140e S070 000e206000 PES Frome O interece Acton O comment f io r 0 0 0 0 0 External v Accept v No v 0 0 0 0 0 External v Accept v No v RADIUS Authentication Enable RADIUS authentication No v User authentication User authentication method Login with X 509 client certificate or password w sx F VPN RootCA01 w gt x 1509 sunject root v x FO Battaglia Mauro X root v These rules allow to enable HTTPS remote access important Make sure to set secure passwords before enabling remote access Note In Stealth mode incoming traffic on the given port is no longer forwarded to the client Note In
321. p The domain name servers of the Internet service provider that provide access to the Internet are used User defined servers listed below If this setting is selected the FL MGUARD will connect to the domain name servers listed under User defined name servers The IP addresses of domain name servers can be entered in this list The FL MGUARD uses this list for communication via the secondary external interface as long as the interface is activated temporarily and User defined is specified under DNS Mode see above in this case 6 72 PHOENIX CONTACT 8334_en_01 Configuration When Router is selected as the network mode and static is selected as the Router mode see page 6 75 Network Mode Router Network Interfaces Network Status External IP address Active Defaultroute Used DNS servers Network Mode Network Mode Router Mode External Networks External IPs untrusted port Additional External Routes PP of default gateway Internal Networks Internal IPs trusted port Additional Internal Routes Network Mode General Ethernet Dialout Dialin Modem Console Secondary External Interface 172 16 66 49 172 16 66 18 10 1 0 253 Router v static v p Netmask se vuan vian HX 172 16 66 49 255 255 255 0 No v E ewon Gawar 172 16 66 18 o e O emas O f usevi viano DX 192 168 65 49 255 255 255 0 No v ner Sate off v Network gt gt In
322. page 6 90 The configuration of the internal networks is described in the next section 8334_en_01 PHOENIX CONTACT 6 79 FL MGUARD 2 6 3 1 2 Ethernet General Ethernet Dia out f Dialin modem Console ARP Timeout ARP Timeout 30 MTU Settings MTU of the internal interface 1500 MTU of the internal interface forvian 500 MTU of the external interface 1500 MTU of the external interface forvian 500 MTU of the Management Interface MTU of the Management interface for vlan 1500 MAU Configuration Ea Media Type Link State Automatic Configuration Manual Current Mode External 10 100 1000 BASE T RJ45 up Yes v v 1000 Mbit s FDX Yes v Internal 10 100 1000 BASE T RJ45 up Yes v X w 1000 Mbit s FDX Yes v Network gt gt Interfaces gt gt Ethernet ARP Timeout MTU Settings MAU Configuration ARP Timeout Service life in seconds of entries in the ARP table MTU of the Interface The maximum transfer unit MTU defines the maximum IP packet length that may be used for the relevant interface For a VLAN interface As VLAN packets contain 4 bytes more than those without VLAN certain drivers may have problems processing these larger packets Such problems can be solved by reducing the MTU to 1496 Configuration and status indicator of the Ethernet connections Port Name of the Ethernet connection to which the row refers Media Type Media type o
323. pon startup if the original password root is still set on the FL MGUARD for the root user see Loading a profile from an external storage medium on page 6 40 Configuration changes are also made if the SD card is disconnected full or defective The corresponding error messages are displayed in the Logging menu see Section 6 10 2 Activation of the new settings extends the response time of the user interface when changing any settings FL MGUARD RS4000 RS2000 Configuration profiles can also be stored on an SD card up to 2 GB capacity Saving a profile to an external storage medium e FL MGUARD RS4000 RS2000 Insert the SD card into the SD slot at the front e Ifthe root password on the FL MGUARD onto which the profile is going to be subsequently loaded is not root this password must be entered in the The root password to save to the ECS field e Click on Save Loading a profile from an external storage medium e FL MGUARD RS4000 RS2000 Insert the SD card into the SD slot at the front e Once the storage medium has been inserted start the FL MGUARD e The FL MGUARD root password must either be root or correspond to the password that was specified while the profile was being saved The configuration profile loaded from the storage medium is loaded onto the FL MGUARD and applied The loaded configuration profile does not appear in the list of configuration profiles stored on the FL MGUARD The configu
324. proceed as follows To configure the FL MGUARD via its web user interface from a remote computer establish the connection to the FL MGUARD from there Proceed as follows e Start the web browser on the remote computer e g Mozilla Firefox MS Internet Explorer Google Chrome or Apple Safari the web browser must support HTTPS e Under address enter the IP address where the FL MGUARD can be accessed externally over the Internet or WAN together with the port number if required If this FL MGUARD can be accessed over the Internet via address https 123 45 67 89 and port number 443 has been specified for remote access the following address must be entered in the web browser of the remote partner https 123 45 67 89 If a different port number is used it should be entered after the IP address e g https 123 45 67 89 442 e To configure the device make the desired or necessary settings on the individual pages of the FL MGUARD user interface see Configuration on page 6 1 8334_en_01 PHOENIX CONTACT 5 11 FL MGUARD 2 5 12 PHOENIX CONTACT 8334_en_01 Configuration 6 Configuration 6 1 Operation You can click on the desired configuration via the menu on the left hand side e g Management Licensing The page is then displayed in the main window usually in the form of one or more tab pages where settings can be made If the page is organized into several tab pages you can switch bet
325. pty field The local VPN identifier can be used to specify the name the FL MGUARD uses to identify itself to the partner It must match the data in the machine certificate of the FL MGUARD Valid values Empty i e no entry default The Subject entry previously Distinguished Name in the machine certificate is then used The Subject entry in the machine certificate One ofthe Subject Alternative Names if they are listed in the certificate If the certificate contains Subject Alternative Names these are specified under Valid values These can include IP addresses host names with prefix or e mail addresses Specifies what must be entered as a subject in the machine certificate of the VPN partner for the FL MGUARD to accept this VPN partner as a communication partner It is then possible to limit or enable access by VPN partners which the FL MGUARD would accept in principle based on certificate checks Limited access to certain subjects i e machines and or to subjects that have certain attributes Access enabled for all subjects See NAT Network Address Translation on page 9 5 Distinguished Name was previously used instead of Subject 8334_en_01 PHOENIX CONTACT 6 189 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt Authentication Access enabled for all subjects If the Remote field is left empty then any subject entries are perm
326. r it 8334_en_01 PHOENIX CONTACT 6 71 FL MGUARD 2 Network gt gt Interfaces gt gt General continued Secondary External Interface continued Number of times all probes need to fail during subsequent runs before the secondary external interface is activated DNS Mode User defined name servers Specifies how many sequentially performed test runs must return a negative result before the FL MGUARD activates the secondary external interface The result of a test run is negative if none of the ping tests it contains were successful The number specified here also indicates how many consecutive test runs must be successful after the secondary external interface has been activated before this interface is deactivated again Only relevant if the secondary external interface is activated in temporary mode The DNS mode selected here specifies which DNS server the FL MGUARD uses for temporary connections established via the secondary external interface Use primary DNS settings untouched DNS Root Servers Provider defined via PPP dial up User defined servers listed below Use primary DNS settings untouched The DNS servers defined under Network gt DNS Server see Network gt gt NAT on page 6 94 are used DNS Root Servers Requests are sent to the root name servers on the Internet whose IP addresses are stored on the FL MGUARD These addresses rarely change Provider defined via PPP dial u
327. r on off switch The VPN connection is specified here If VPN connections are configured and listed under the Psec VPN gt gt Connections menu item see page 6 171 they are displayed in this selection list Select here if the connection is to be established or released manually by pressing the button or switch If starting and stopping the VPN connection via the CMD contact is enabled only the CMD contact is authorized to do this This means that setting this option to Enabled for the entire VPN connection has no effect If a button is connected to the CMD contact instead of a switch see below the connection can also be established and released using the CGI script command nph vpn cgi which has the same rights When set to Off this function is disabled If a button or on off switch is connected to the FLMGUARD service contacts then pressing it has no effect If a VPN connection is controlled via a VPN switch then VPN redundancy cannot be activated 8334_en_01 PHOENIX CONTACT 6 165 FL MGUARD 2 IPsec VPN gt gt Global gt gt Options FL MGUARD RS4 2000 only Switchtype connected Push button or on off switch to the contact The FL MGUARD RS4000 RS2000 devices have connections to which an external button switch and a signal LED can be connected Select the switch type that is connected to the corresponding service contacts of the FL MGUARD For more information see
328. r attention must be paid to this if the routing entries for the primary and secondary external interfaces overlap or are identical whereby the priority of the secondary external interface has a filter effect with the following result Data packets whose destination matches both the primary and secondary external interfaces are always routed via the secondary external interface but only if this is activated In temporary mode activated signifies the following The secondary external interface is only activated when specific conditions are met and it is only then that the routing settings of the secondary external interface take effect Network address 0 0 0 0 0 generally refers to the largest definable network i e the Internet In Router network mode the local network connected to the FL MGUARD can be accessed via the secondary external interface as long as the specified firewall settings allow this 8334_en_01 PHOENIX CONTACT 6 69 FL MGUARD 2 Network gt gt Interfaces gt gt General continued Secondary External Interface continued Secondary External Interface continued Network Mode Modem Operation Mode temporary Probes for Activation Network Mode Operation Mode Secondary External Routes Modem v temporary v SX a is 192 168 3 0 24 gateway Probes for Activation The secondary external interface is activated only if all probes fail and if the operation mode is s
329. r of peers To use this option the VPN tunnel group license must be installed first unless the device was delivered accordingly The device must be restarted in order to use this installed license Virtual IP address only in Stealth mode Virtual local network Client s virtual IP Dg eae Internet l we Client s actual IP Remote VPN Remote gateway network Figure 6 4 Virtual IP In Stealth mode the local network of the VPN is simulated by the FL MGUARD Within this virtual network the client is known as and can be addressed by the virtual IP address to be entered here 8334_en_01 PHOENIX CONTACT 6 179 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt General Further settings can be made by clicking on More Options Tunnel connection type Local NAT IPsec VPN Connections Tunnel Settings General Options Enabled Comment Type Local Remote Local NAT Local NAT for IPsec tunnel connections Remote NAT Remote NAT for IPsec tunnel connections Protocol Protocol st Enabled Comment Type Local Remote Yes v Tunnel v 192 168 1 1 32 192 168 254 1 32 Off v off a All ow Yes No As above Freely selectable comment text Can be left empty Tunnel Transport As above When you switch to Transport the following fields apart from Protocol are hidden as these parameters are omitted See Local
330. r of simultaneous sessions is restricted You can specify the number here The restriction does not affect existing sessions it only affects newly established access instances 8334_en_01 PHOENIX CONTACT 6 13 FL MGUARD 2 Management gt gt System Settings gt gt Shell Access Maximum number of 2 to 2147483647 simultaneous sessions for the admin role Maximum number of 0 to 2147483647 simultaneous sessions for the netadmin role Maximum number of 0 to 2147483647 simultaneous sessions for the At least two simultaneously permitted sessions are required for admin to prevent it from having its access blocked When 0 is set no session is permitted The netadmin user is not necessarily used When 0 is set no session is permitted The netadmin user is not necessarily used audit role Allowed Networks p ex a p 1 10 1 0 016 External v Accept v No v oe 192 168 67 0 24 External v Accept v No v Lists the firewall rules that have been set up These apply for incoming data packets of an SSH remote access attempt If multiple firewall rules are defined these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored The rules specified here only take effect if Enable SSH remote access is set to Yes nternal access is also poss
331. r the fail over However a short delay may occur depending among other things on what value is entered under DynDNS Monitoring for the Refresh Interval sec Obsolete IPsec replay window IPsec data traffic is protected against unauthorized access To this end each IPsec channel is assigned an independent sequential number The FL MGUARD drops ESP packets which have the same sequential number as a packet that has already been decrypted for a specific IPsec channel by the FL MGUARD This mechanism is known as the IPsec replay window It prevents replay attacks where an attacker sends previously recorded data to simulate someone else s identity 7 20 PHOENIX CONTACT 8334_en_01 Redundancy The IPsec replay window is only replicated sporadically during state synchronization as it is very resource intensive Therefore the active FL MGUARD may have an obsolete IPsec replay window following a fail over This means that a replay attack is possible for a brief period until the real VPN partner has sent the next ESP packet for the corresponding IPsec SA or until the IPsec SA has been renewed However the traffic must be captured completely for this to occur Dead Peer Detection Please note the following point for Dead Peer Detection With Dead Peer Detection set a higher timeout than the upper limit for the Fail over switching time on the redundant pair See under IPsec VPN gt gt Connections gt gt Edit gt gt IKE
332. r the following addresses for example IP address 192 168 1 2 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 Depending on the configuration of the FL MGUARD it may then be necessary to adapt the network interface of the locally connected computer or network accordingly 5 2 1 2 IP address hitps 1 1 1 1 With a configured network In order for the FL MGUARD to be addressed via address https 1 1 1 1 it must be interface connected to a configured network interface This is the case if it is connected in an existing network connection see Figure 4 3 on page 4 7 and if the default gateway can be accessed via the WAN port of the FL MGUARD at the same time In this case the web browser establishes a connection to the FL MGUARD configuration interface after the address https 1 1 1 1 is entered see Establishing a local configuration connection on page 1 9 Continue from this point After access via IP address 1 1 1 1 the FL MGUARD can no longer be accessed via IP address 192 168 1 1 5 4 PHOENIX CONTACT 8334_en_01 Preparing the configuration 5 2 1 3 Assigning the IP address via BootP After assigning an IP address via BootP the FL MGUARD can no longer be accessed via IP address 192 168 1 1 For IP address assignment the FL MGUARD uses the BootP protocol The IP address can also be assigned via BootP On the Internet numerous BootP servers are available You can us
333. r the login parameters are Login admin Password SnmpAdmin please note that the password is case sensitive MD5 is supported for the authentication process DES is supported for encryption The login parameters for SNMPv3 can only be changed using SNMPvs If you wish to allow monitoring of the FL MGUARD via SNMPv1 v2 set this option to Yes You must also enter the login data under SNMPv1 v2 Community B The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the FL MGUARD Default 161 If this port number is changed the new port number only applies for access via the External External 2 VPN and Dial in interface Port number 161 still applies for internal access The remote partner that implements remote access may have to specify the port number defined here during entry of the address Enter the required login data in this field Enter the required login data in this field 6 42 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt SNMP gt gt Query Allowed Networks Lists the firewall rules that have been set up These apply for incoming data packets of an SNMP access attempt The rules specified here only take effect if Enable SNMPv3 access or Enable SNMPv1 v2 access is set to Yes If multiple firewall rules are defined these are queried starting from th
334. r to establish a data channel automatically regardless of whether the firewall rules allow for this The tracking of complex connections is part of the firewall state synchronization process However to keep the latency short the FL MGUARD forwards the network packets independently from the firewall state synchronization update that has been triggered by the network packets themselves Therefore it may be the case for a very brief period that a state change for the complex connection is not forwarded to the FL MGUARD on standby if the active FL MGUARD fails In this case tracking of the connection to the FL MGUARD which is active after the fail over is not continued correctly This cannot be corrected by the FL MGUARD The data link is then reset or interrupted 7 8 PHOENIX CONTACT 8334_en_01 Redundancy Fail over when establishing semi unidirectional connections A semi unidirectional connection refers to a single IP connection such as UDP connections where the data only travels in one direction after the connection is established with a bidirectional handshake The data flows from the responder to the initiator The initiator only sends data packets at the very start The following applies only to certain protocols which are based on UDP Data always flows in both directions on TCP connections If the firewall of the FL MGUARD is set up to only accept data packets from the initiator the firewall accepts all related respons
335. ractical operation However they can be easily reached in the event of attacks thus providing additional protection If there are special requirements in your operating environment these values can be increased 8334_en_01 PHOENIX CONTACT 6 143 FL MGUARD 2 Network Security gt gt DoS Protection gt gt Flood Protection ICMP Maximum number of Outgoing Default setting 5 incoming outgoing ping frames ICMP Echo Request per Maximum values for the number of incoming and outgoing second ping packets allowed per second Incoming Default setting 3 These values are set to a level that can never be reached during normal practical operation However they can be easily reached in the event of attacks thus providing additional protection If there are special requirements in your operating environment these values can be increased Value 0 means that no ping packets are allowed in or out Stealth Mode Maximum number of Default setting 500 incoming outgoing ARP requests or ARP replies per second each These values are set to a level that can never be reached during normal practical operation However they can be easily reached in the event of attacks thus providing additional protection Maximum values for the number of incoming and outgoing ARP requests allowed per second If there are special requirements in your operating environment these values can be increased 6 144 PHOENIX CONTACT 8
336. ration on the external storage medium also contains the passwords for the root admin netadmin audit and user users These passwords are also loaded when loading from an external storage medium 6 40 PHOENIX CONTACT 8334_en_01 Configuration 6 2 6 Management gt gt SNMP 6 2 6 1 Query Management SNMP Vv Query Trap V ue Settings Enable SNMPv3 access Yes v Enable SNMPv1 v2 access Yes v Port for incoming SNMP connections 161 remote access only Run SNMP Agent under the permissions of the following admin v user SNMPv1 v2 Community Read Write Community private Read Only Community public Allowed Networks Log ID M enmp access M 262e7a83 2840 140e 9076 000c0206000 SX o rome O o o r 10 0 0 0 8 External v Accept v No v These rules allow to enable SNMP access Important Make sure to set secure passwords for SNMPv3 before enabling remote access Note In Stealth mode incoming traffic on the given port is no longer forwarded to the client Note In router mode with NAT or portforwarding the port set here has priority over portforwarding Note Enabling SNMP access automatically accepts incoming ICMP packets Note The SNMP access from the internal side and via dial in or VPN is allowed by default and can be restricted by firewall rules The SNMP Simple Network Management Protocol is mainly used in more complex networks to monitor the state and operation of devices SNMP
337. re impossible if dial in or dial out is configured via external modem External Modem Hardware handshake off v RTSICTS Baudrate 57600 Handle modem transparently for diatin ony S Y Modem init string d dATH OK Options for using the serial interface The serial interface can be used alternatively as follows As a primary external interface if the network mode is set to Modem under Network gt gt Interfaces on the General tab page see Network gt gt Interfaces on page 6 56 and General on page 6 57 In this case data traffic is not processed via the WAN port Ethernet interface but via the serial interface As a secondary external interface if Secondary External Interface is activated and Modem is selected under Network gt gt Interfaces on the General tab page see Network gt gt Interfaces on page 6 56 and General on page 6 57 In this case data traffic is processed permanently or temporarily via the serial interface Used for dialing in to the LAN or for configuration purposes see also Dial in on page 6 87 The following options are available A modem is connected to the serial interface of the FL MGUARD This modem is connected to the telephone network fixed line or GSM network This enables a remote PC that is also connected to the telephone network to establish a PPP Point to Point Protocol dial up line connection to the FLMGUARD via a modem or ISDN adap
338. remote certificate the FL MGUARD should adopt in order to authenticate the partner browser of the remote user The remote certificate can be selected from the selection list The selection list contains the remote certificates that have been loaded on the FL MGUARD under the Authentication gt gt Certificates menu item root admin netadmin audit user Specifies which user or administrator rights are granted to the remote user For a description of the root admin and user authorization levels see Authentication gt gt Administrative Users on page 6 108 The netadmin and audit authorization levels relate to access rights with the device manager software FL MGUARD DM 6 30 PHOENIX CONTACT 8334_en_01 Configuration 6 2 3 Management gt gt Licensing 6 2 3 1 Overview Management Licensing Overview Install Terms of License mGuard Flash ID U3DDD33F8 0867 1A85 8E4B 027ABDA00853 0568 Feature License License with priority 1279215535 0 licence_id 2010 07 15T17 38 55 licence_date flash_id U3DDD33F8 0B67 1A8S 8E4B 027ABDA00853 serial_number 1A715030 hardware_revision 00002001 product_code BD 970010 BD 970010 pxc_product_code firmware_max_version firmware_flavours vpn_channels 2tp_server licence_version licence_type auth_extended nw_extended nwsec_base firewall_type additional_if dhcp_ext hub and spoke With FL MGUARD Version 5 0 or later licenses remain install
339. rewall rules are defined logs in these rules take priority see Network Security gt gt User Firewall on page 6 145 followed by the permanently active firewall rules If multiple firewall rules are defined these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored 8334_en_01 PHOENIX CONTACT 6 129 FL MGUARD 2 6 5 1 1 Incoming Rules Network Security Packet Filter Incoming Rules Outgoing Rules Rule Records MAC Filtering paiva Incoming General firewall setting Use the firewall ruleset below v Log ID tw nooming M 240833 10 3649 14 0 0355 000002060000 ESP tcroce Protocol trome romp tor fO eror Acton comment tog 1 External v TCP v 0 0 0 0 0 any 0 0 0 0 0 any Accept v Yes v These rules specify which traffic from the outside is allowed to pass to the inside Please note Port settings are only meaningful for TCP and UDP Log entries for unknown connection attempts Yes v Network Security gt gt Packet Filter gt gt Incoming Rules Incoming Lists the firewall rules that have been set up They apply for incoming data links that have been initiated externally If no rule has been set the data packets of all incoming connections excluding VPN are dropped default settings
340. rformed It gives an overview of the IP parameters that have been transmitted to the device with the MAC address shown For assigning IP parameters for additional devices e Click on Back For finishing IP address assignment e Click on Finish If required the IP parameters set here can be changed on the FL MGUARD web interface under Network gt gt Interfaces see page 6 80 8334_en_01 PHOENIX CONTACT 5 7 FL MGUARD 2 5 2 2 Configuring the FL MGUARD on startup with router mode by default To access the configuration interface it may be necessary to adapt the network configuration of your computer Under Windows XP proceed as follows e Click on Start Control Panel Network Connections e Right click on the LAN adapter icon to open the context menu e Inthe context menu click on Properties e Inthe Properties of local network LAN connections dialog box select the General tab e Under This connection uses the following items select Internet Protocol TCP IP e Then click on Properties to display the following dialog box Internet Protocol TCP IP Properties General You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings Obtain an IP address automatically Use the following IP address IP address Le ee Subnet mask 5 255 255 0 Default gate
341. riority to high on the FL MGUARD that you want to be active The FL MGUARD on standby is set to low Both FL MGUARDS in a redundant pair may either be set to different priorities or be assigned the high priority Never set both FL MGUARD devices in a redundant pair to low priority 6 218 PHOENIX CONTACT 8334_en_01 Configuration Redundancy gt gt Firewall Redundancy gt gt Redundancy Passphrase for On an FL MGUARD which is part of a redundant pair checks availability checks are constantly performed to determine whether an active FL MGUARD is available and whether it should remain active A variation of the CARP Common Address Redundancy Protocol is used here CARP uses SHA 1 HMAC encryption together with a password This password must be the same for both FL MGUARD devices It is used for encryption and is never transmitted in plain text The password is important for security since the B FL MGUARD is vulnerable at this point We recommend a password with at least 20 characters and numerous special characters printable UTF 8 characters It must be changed on a regular basis When changing the password proceed as follows A Check the status of the set password before you enter a new one There is only a valid password available and you are only permitted to enter a new I password if you can see a green check mark to the right of the entry field Set the new password on both
342. rks section Enter arule here accordingly especially if access via the external interface is required Depending on the FL MGUARD configuration further access options can be established over other IP addresses such as access via VPN channels or via incoming calls for dial in see Dial in on page 6 87 Server s workgroup Name of the CIFS server workgroup Login Login for the server Password Password for login Exported share s Name for the computers that are to use the CIFS server to name access the combined drives the drives are connected under this name Allow write access No Read only access Yes Read and write access These rules allow external access to the CIFS server of the FL MGUARD In Router mode with NAT or port forwarding the port numbers for the CIFS server have priority over the rules for port forwarding port forwarding is set under Network gt gt NAT Access to the CIFS server is approved internally via incoming calls dial in and VPN as standard and can be restricted or expanded via the firewall rules A different default setting can also be defined using these rules From IP Enter the address of the computer network from which remote access is permitted or forbidden in this field IP address 0 0 0 0 0 means all addresses To specify an address area use CIDR format see 6 241 6 160 PHOENIX CONTACT 8334_en_01 Configuration CIFS Integrity Monitoring gt
343. rmed receipt of the corresponding VPN state synchronization update When an FL MGUARD becomes active it immediately repeats the last IKE message which should have been sent from the previously active FL MGUARD This compensates for cases where the previously active FL MGUARD has sent the state synchronization but has failed before it could send the corresponding IKE message In this way the establishment of the ISAKMP SA or IPsec SA is only delayed by the switching time during a fail over An error interrupts the renewal of an ISAKMP SA If an error interrupts the renewal of an ISAKMP SA this is compensated in the same way as during the initial establishment of the SA The old ISAKMP SA is also kept for Dead Peer Detection until the renewal of the ISAKMP SA is complete An error interrupts the renewal of an IPsec SA If an error interrupts the renewal of an IPsec SA this is compensated in the same way as during the initial establishment of the SA Until renewal of the ISAKMP SA is complete the old outgoing and incoming IPsec SAs are retained until the VPN partner notices the change VPN state synchronization ensures that the old IPsec SAs are retained throughout the entire time that the FL MGUARD remains on standby When the FL MGUARD becomes active it can then continue with the encryption and decryption of the data traffic without the need for further action Loss of data packets during VPN state synchronization State synchronization
344. router mode with NAT or portforwarding the port set here has priority over portforwarding Note The table Allowed Networks is effective only if remote access is enabled Note The HTTPS access from the internal side is allowed for all networks when remote access is disabled Note Once remote access is enabled the HTTPS access from the internal side and via dial in or VPN is allowed by default and can be restricted by firewall rules When web access via HTTPS protocol is enabled the FL MGUARD can be configured from a remote computer using its web based administrator interface This means that a browser on the remote computer is used to configure the FL MGUARD This option is disabled by default NOTE If remote access is enabled ensure that secure passwords are defined for root and admin To enable HTTPS remote access make the following settings Management gt gt Web Settings gt gt Access HTTPS Web Access Enable HTTPS remote If you want to enable HTTPS remote access set this option to access Yes No Yes Internal HTTPS access i e from the directly connected LAN or from the directly connected computer can be enabled independently of this setting The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access options on the FL MGUARD In addition the authentication rules under User authentication must be set if necessary
345. rt number or the corresponding service name can be specified here e g 0003 for port 110 or http for port 80 8334_en_01 PHOENIX CONTACT 6 97 FL MGUARD 2 Network gt gt NAT gt gt Port Forwarding Incoming on IP Incoming on Port Redirect to IP Redirect to Port Comment Log Specify the external IP address or one of the external IP addresses of the FL MGUARD here or Usethe variable extern if the external IP address of the FL MGUARD is changed dynamically so that the external IP address cannot be specified If multiple static IP addresses are used for the WAN port the extern variable always refers to the first IP address in the list The original destination port specified in the incoming data packets Either the port number or the corresponding service name can be specified here e g 0003 for port 110 or http for port 80 This information is not relevant for the GRE protocol It is ignored by the FL MGUARD The internal IP address to which the data packets should be forwarded This is the address into which the original destination addresses are translated The port to which the data packets should be forwarded This is the port into which the original port data is translated Either the port number or the corresponding service name can be specified here e g 0003 for port 110 or http for port 80 This information is not relevant for the GRE protocol It is ignored by the F
346. rtal outgoing MN 00000000 0000 0000 0000 000000000000 ES row rromi f Frompo tor toro Acton comment toa Log entries for unknown connection attempts No v Network gt gt Interfaces gt gt Dial in PPP dial in options A FL MGUARD RS4000 only Should only be configured if the FL MGUARD is to permit PPP dial in via one of the following A modem connected to the serial interface A built in modem available as an option for the FL MGUARD industrial rs PPP dial in can be used to access the LAN or the FL MGUARD for configuration purposes see Modem Console on page 6 90 If the modem is used for dialing out by acting as the primary external interface Modem network mode of the FL MGUARD or as its secondary external interface when activated in Stealth or Router network mode it is not available for the PPP dial in option 8334_en_01 PHOENIX CONTACT 6 87 FL MGUARD 2 Network gt gt Interfaces gt gt Dial in Modem PPP Local IP Remote IP PPP Login name PPP Password FL MGUARD RS4000 only Off On This option must be set to Off if no serial interface is to be used for the PPP dial in option If this option is set to On the PPP dial in option is available The connection settings for the connected external modem should be made on the Modem Console tab page IP address of the FL MGUARD via which it can be accessed for a PPP connection IP address
347. rtificates that must be provided are the ones the FL MGUARD uses to authenticate a remote user access via HTTPS or their browser The following instructions assume that the certificates have already been correctly installed on the FL MGUARD see Authentication gt gt Certificates on page 6 115 If the use of revocation lists CRL checking is activated under the Authentication gt gt Certificates Certificate settings menu item each certificate signed by a CA that is shown by the HTTPS client must be checked for revocations 8334_en_01 PHOENIX CONTACT 6 27 FL MGUARD 2 Management gt gt Web Settings gt gt Access CA certificate X 509 Subject This configuration is only necessary if the user access via HTTPS shows a certificate signed by a CA All CA certificates required by the FL MGUARD to form the chain to the relevant root CA certificate with the certificates shown by the user must be configured If the browser of the remote user also provides CA certificates that contribute to forming the chain then itis not necessary for these CA certificates to be installed on the FL MGUARD and referenced at this point However the corresponding root CA certificate must be installed onthe FLMGUARD and made available referenced in any case When selecting the CA certificates to be used or B when changing the selection or the filter settings you must first select and test the Login with X 509 cl
348. rts with the most preferred pair of algorithms IPsec SA Data Exchange Algorithms This preference list starts with the most preferred pair of Dead Peer Detection Delay between requests for a sign of life Timeout for sbsent sign of life after which peer is assumed 3600 seconds 28800 seconds 0 bytes 120 seconds a 3DES 3DES gt lt En F o x Eoma All algorithms Y 8334_en_01 PHOENIX CONTACT 6 195 FL MGUARD 2 IPsec VPN gt gt Connections gt gt Edit gt gt IKE Options ISAKMP SA Key Algorithms Exchange Decide on which encryption method should be used with the administrator of the partner Encryption 3DES 168 is the most commonly used method and is therefore set by default Fundamentally the following applies The more bits an encryption algorithm has specified by the appended number the more secure it is The relatively new AES 256 method is therefore the most secure however it is still not used that widely The longer the key the more time consuming the encryption procedure However this does not affect the FL MGUARD as it uses a hardware based encryption technique Nevertheless this aspect may be of significance for the partner The algorithm designated as Null does not contain encryption Hash Leave this set to All algorithms It then does not matter wheth
349. rver Port Directory Filename If empty 1A715030 atv will be used Number of times a configuration profile is ignored after it was rolled back Download timeout seconds Login Password Server Certificate The server s certificate is needed here if and only if it is self signed Otherwise the root certificate of the CA which issued the server s certificate must be installed Download Test Configuration Pull Never v config example com 443 2 120 anonymous No Certificate installed Durchsuchen GSES The FL MGUARD can retrieve new configuration profiles from an HTTPS server in adjustable time intervals provided that the server makes them available to the FL MGUARD as files file extension atv If the configuration provided differs from the active configuration of the FL MGUARD the available configuration is automatically downloaded and activated Management gt gt Central Management gt gt Configuration Pull Configuration Pull Pull Schedule Here specify whether and if so when and at what intervals the FL MGUARD should attempt to download and apply anew configuration from the server To do this open the selection list and select the desired value A new field appears underneath when Time Schedule is selected In this field specify whether the new configuration should be downloaded from the server daily or regularly ona certain weekday and at what time Time contro
350. s Freely selectable comment for this rule 6 88 PHOENIX CONTACT 8334_en_01 Configuration Network gt gt Interfaces gt gt Dial in Log Log entries for unknown connection attempts Outgoing Rules Port For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings Yes No When set to Yes all connection attempts that are not covered by the rules defined above are logged Firewall rules for outgoing PPP connections from the LAN interface The parameters correspond to those under Incoming Rules PPP These outgoing rules apply to data packets that are sent out via a data link initiated by PPP dial in 8334_en_01 PHOENIX CONTACT 6 89 FL MGUARD 2 Primary External Interface Secondary External Interface For dialing in to the LAN or for configuration purposes 6 3 1 5 Modem Console Some FL MGUARD models have a serial interface that can be accessed externally see Network gt gt Interfaces on page 6 56 Network Interfaces General Ethernet Dial out Dial in Modem Console Serial Console Baudrate 57600 w Hardware handshake R TSICTS Off v Please note On some platforms the serial port is not accessible The settings above become effective only for administrative shell login via a console connected to the serial port Such logins a
351. s blocked under Network Security gt gt Packet Filter gt gt Sets of Rules VPN is not affected by this Under Network Security gt gt User Firewall different firewall rules can be defined for specific firewall users For example all outgoing connections can be permitted for a given user This user firewall rule takes effect as soon as the relevant firewall user s to whom this user firewall rule applies has or have logged in see Network Security gt gt User Firewall on page 6 145 6 4 2 1 Firewall Users This menu is not available on the FL MGUARD RS2000 Authentication Firewall Users Firewall Users Access Status Users Enable user firewall Yes v Enable group authentication No w Service_1 LocalDB v Authentication gt gt Firewall Users gt gt Firewall Users Users Lists the firewall users by their assigned user names Also specifies the authentication method Enable user firewall Under the Network Security gt gt User Firewall menu item firewall rules can be defined and assigned to specific firewall users When set to Yes the firewall rules assigned to the listed users are applied as soon as the corresponding user logs in Enable group If activated the FL MGUARD forwards login requests for authentication unknown users to the RADIUS server If successful the response from the RADIUS server will contain a group name The FL MGUARD then enables user firewall templates
352. s change according to the country specific settings The start screen displays the IP address of the PC This helps when addressing the FL MGUARD in the following steps e Click on Next Step 3 IP Address Request Listener All devices sending a BootP request are listed in the window which opens These devices are waiting for a new IP address 8334_en_01 PHOENIX CONTACT 5 5 FL MGUARD 2 Phoenix Contact IP Assignment Tool IP Address Request Listener Please select a MAC Address The list box below displays all MAC Addresses that we have received BOOTP requests from MAC Address Count Last Request Time 00 a0 45 04 08 a3 2 14 33 06 If you do not see the Mac address of the device you are looking for try cycling power to that device Show Only Phoenix Contact Devices abbrehen Figure 5 2 IP Address Request Listener window In this example the FL MGUARD has MAC ID 00 A0 45 04 08 A3 e Select the device to which you would like to assign an IP address e Click on Next Step 4 SET IP Address The following information is displayed in the window which opens IP address of the PC MAC address of the selected device IP parameters of the selected device IP address subnet mask and gateway address Any incorrect settings Phoenix Contact IP Assignment Tool Set IP Address Please specify an IP Address to use This PC s IP Address 192 168 1 100 Please specify t
353. s established by forwarding network packets in Router network mode Firewall redundancy compensates for errors displayed in Figure 7 2 if only one occurs at any given time If two errors occur simultaneously they are only compensated if they occur in the same area A or B For example if one of the FL MGUARD devices fails completely due to a power outage then this is detected A connection failure is compensated if the connection fails completely or partially When the connectivity check is set correctly a faulty connection caused by the loss of data packets or an excessive latency is detected and compensated Without the connectivity check the FL MGUARD cannot determine which area caused the error A connection failure between switches on a network side internal external is not compensated for 7 and 8 in Figure 7 2 8334_en_01 PHOENIX CONTACT 7 7 FL MGUARD 2 7 1 7 Handling firewall redundancy in extreme situations The situations described here only occur rarely Restoration in the event of a network lobotomy A network lobotomy occurs if a redundant pair is separated into two FL MGUARD devices operating independently of one another In this case each FL MGUARD deals with its own tracking information as the two FL MGUARD devices can no longer communicate via layer 2 A network lobotomy can be triggered by a rare and unfortunate combination of network settings network failures and firewall redundancy s
354. s of subsequent presence notifications CARP This applies to the availability check on each individual network interface even when these are checked simultaneously It is therefore very unlikely that the availability check will fail as a result of a very brief network interruption Loss of ICMP echo requests replies during transmission ICMP echo requests or replies are important for the connectivity check Losses are always observed but are tolerated under certain circumstances The following measures can be used to increase the tolerance level on ICMP echo requests Select at least one target must respond under Kind of check in the Redundancy gt gt Firewall Redundancy gt gt Connectivity Checks menu 8334_en_01 PHOENIX CONTACT 7 9 FL MGUARD 2 Also define a secondary set of targets here The tolerance level for the loss of ICMP echo requests can be further increased by entering the targets of unreliable connections under both sets primary and secondary or listing them several times within a set Restoring the primary FL MGUARD following a failure If a redundant pair is defined with different priorities the secondary FL MGUARD becomes active if the connection fails The primary FL MGUARD becomes active again after the failure has been rectified The secondary FL MGUARD receives a presence notification CARP and returns to standby mode State synchronization If the primary FL MGUARD becomes active again after
355. s or used in any way as an IP address conflict would otherwise occur in the external network This even applies when no device exists in the Internal network for one or more IP addresses from the specified External network Default settings 1 1 NAT is not active A 1 1 NAT cannot be applied to the External 2 interface 1 1 NAT is only used in Router network mode Local network The address of the network on the LAN port External network The address of the network on the WAN port Netmask The subnet mask as a value between 1 and 32 for the local and external network address see also CIDR Classless Inter Domain Routing on page 6 241 Comment Can be filled with appropriate comments 1 External 2 and Any External are only for devices with a serial interface FL MGUARD RS4000 6 96 PHOENIX CONTACT 8334_en_01 Configuration 6 3 2 2 Port Forwarding Masquerading IP and Port Forwarding IP and Port Forwarding Log ID mw portorwarding N 2402310 3649 1410 0355 00000206000 ERP eoo rrome o o romot ncomngont incomngonort Rearectioir Rearectio Por 1 TCP w 0 0 0 0 0 any extern http 127 0 0 1 http No v Network gt gt NAT gt gt Port Forwarding Port Forwarding Lists the rules defined for port forwarding DNAT Destination NAT Port forwarding performs the following The headers of incoming data packets from the external network which are addressed to the external IP addr
356. s recorded and updates are sent Certain conditions must be met for the states to occur VPN state synchronization is taken into account here 7 2 3 Error compensation through VPN redundancy VPN redundancy compensates for the exact same errors as firewall redundancy see Error compensation through firewall redundancy on page 1 7 However the VPN section can hinder the other VPN gateways in the event of a network lobotomy The independent FL MGUARD devices then have the same virtual IP address for communicating with the VPN partners This can result in VPN connections being established and disconnected in quick succession 7 16 PHOENIX CONTACT 8334_en_01 Redundancy 7 2 4 Setting the variables for VPN redundancy If the required license keys are installed VPN redundancy is automatically activated at the same time as firewall redundancy This occurs as soon as Enable redundancy is set to Yes in the Redundancy gt gt Firewall Redundancy gt gt Redundancy menu There is no separate menu for VPN redundancy The existing firewall redundancy variables are expanded Table 7 3 Expanded functions with VPN redundancy activated Redundancy gt gt Firewall Redundancy gt gt Redundancy General Virtual interfaces Enable redundancy External virtual IP addresses Internal virtual IP addresses Firewall redundancy and VPN redundancy are activated or deactivated Only in Router network mode The FL MGUAR
357. s simultaneously via another interface explicitly with Accept before clicking on the Apply button to activate the new setting Otherwise if your access is blocked you must carry out the recovery procedure Action Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Comment Freely selectable comment for this rule Log For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default setting 6 24 PHOENIX CONTACT 8334_en_01 Configuration Management gt gt Web Settings gt gt Access RADIUS authentication Enable RADIUS This menu item is not included authentication in the scope of functions for the FL MGUARD RS2000 1 If set to No the passwords of users who log in via HTTPS are checked via the local database The User authentication method can only be set to Login restricted to X 509 client certificate if No is selected Select Yes to enable users to be authenticated via the RADIUS server The password is only checked locally in the case of predefined users root admin netadmin audit and
358. s that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection a Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts In Stealth mode Reject has the same effect as Drop Name of rule sets if defined When a name is specified for rule sets the firewall rules saved under this name take effect see Sets of Rules tab page Freely selectable comment for this rule For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings When set to Yes all connection attempts that are not covered by the rules defined above are logged Default settings No External 2 and Any External are only for devices with a serial interface see Network gt gt Interfaces on page 6 56 8334_en_01 PHOENIX CONTACT 6 131 FL MGUARD 2 6 5 1 2 Outgoing Rules Network Security Packet Filter BE Outgoing Rules i Rule Records MAC Filtering Advanced Outgoing General firewall setting Use the firewall ruleset below Accept all outgoing connections Log lO tw autgolng NV 262e7ac1 2tu0 140e 907e 00deD 080000 Drop all outgoing connections gt X OR ser Mi a v 0 0 0 0 0 any 0 0 0 0 0 any Accept v default rule No v These r
359. s use the VPN Identifier to detect which configurations belong to the same VPN connection The following entries are valid for PSK Empty IP address used by default An IP address A host name with prefix e g vpn1138 example com An e mail address e g piepiorra example com 8334_en_01 PHOENIX CONTACT 6 191 FL MGUARD 2 6 7 3 3 Firewall IPsec VPN Connections Mannheim Leipzig General Authentication 1 Firewall IKE Options Incoming General firewall setting Use the firewall ruleset below w Log 10 twain N 26287206 240 1402 9076 000002080000 a eroto rromi f romeo O ror o O rorot acion comment f to E 1 All v 0 0 0 0 0 any 0 0 0 0 0 any Accept w default rule please adap No wv Log entries for unknown 5 Yes v Outgoing General firewall setting Use the firewall ruleset below v Log ID w pn ot MN 26227207 2840 1402 9070 00000206000 Pe erotocoi Eromi From Pot Toa aalo portaaton comment Lea a 1 All v 0 0 0 0 0 any 0 0 0 0 0 any Accept w default rule please adap No wv Log entries for unknown i No w Incoming Outgoing While the settings made under the Network Security menu item only relate to non VPN connections see above under Network Security menu on page 6 129 the settings here only relate to the VPN connection defined on these tab pages If multiple VPN connections have been defined you can limit the outgoing or in
360. selection criterion is not met i e the same configuration profile is being offered the selection criterion remains in force for all further polling for the period specified in the Number of times field If the specified number of times elapses without a change of the configuration profile on the configuration server the FL MGUARD applies the unchanged new faulty configuration profile again despite it being faulty This is to rule out the possibility that external factors e g network failure may have resulted in the check being unsuccessful The FL MGUARD then attempts to connect to the configuration server again based on the new configuration that has been reapplied It then attempts to download the newly applied configuration profile again If this is unsuccessful another rollback is performed The selection criterion is enforced again for the further cycles for loading a new configuration as often as is defined in the Number of times field If the value in the Number of times field is specified as 0 the selection criterion will never be enforced the offered configuration profile is ignored if it remains unchanged This means it would no longer be possible to meet the second of the following objectives This mechanism has the following objectives 1 After applying a new configuration it must be ensured that the FL MGUARD can still be configured from a remote location 2 When cycles are close together e g Pu
361. selection is made by the client Remote Port all default specifies that all ports can be used If a specific port should be used specify the port number Local masquerading Can only be used for Tunnel VPN type Example A control center has one VPN tunnel each for a large number of branches One local network with numerous computers is installed in each of the branches and these computers are connected to the control center via the relevant VPN tunnel In this case the address area could be too small to include all the computers at the various VPN tunnel ends Local masquerading provides the solution The computers connected in the network of a branch appear under a single IP address by means of local masquerading for the VPN gateway of the control center In addition this enables the local networks in the various branches to all use the same network address locally Only the branch can establish VPN connections to the control center 6 184 PHOENIX CONTACT 8334_en_01 Configuration Internal network address for local masquerading Specifies the network i e the IP address area for which local masquerading is used The sender address in the data packets sent by a computer via the VPN connection is only replaced by the address specified in the Local field see above if this computer has an IP address from this address area The address specified in the Local field must have the subnet mask 32 to ensure t
362. serial numbers of blocked certificates This page is used for the configuration of sites from which the FL MGUARD should download CRLs in order to use them Certificates are only checked for revocations if the Enable CRL checking option is set to Yes see Certificate settings on page 6 120 A CRL with the same issuer name must be present for each issuer name specified in the certificates to be checked If a CRL is not present and CRL checking is enabled the certificate is considered invalid Issuer Information read directly from the CRL by the FL MGUARD Shows the issuer of the relevant CRL Last Update Information read directly from the CRL by the FL MGUARD Time and date of issue of the current CRL on the FL MGUARD Next Update Information read directly from the CRL by the FL MGUARD Time and date when the CA will next issue a new CRL This information is not influenced or considered by the CRL download interval URL Specify the URL of the CA where CRL downloads are obtained if the CRL should be downloaded on a regular basis as defined under CRL download interval on the Certificate settings tab page see Certificate settings on page 6 120 Download via VPN if If set to Yes the FL MGUARD uses a VPN tunnel to access possible the URL that the CRL makes available for download For this to happen a suitable VPN tunnel must be configured activated and allow access Otherwise the CRL downloads from this URL will not be f
363. sers gt gt Passwords To log into the corresponding authorization level the user must enter the password assigned to the relevant authorization level root admin or user root Root Password Grants full rights to all parameters of the FL MGUARD Account root PIOR Ee Background Only this authorization level allows unlimited access to the FL MGUARD file system User name cannot be modified root Default root password root e Tochange the root password enter the old password in the Old Password field then the new password in the two corresponding fields below admin Administrator Grants the rights required for the configuration options Password accessed via the web based administrator interface Account admin PA z User name cannot be modified admin Default password mGuard 6 108 PHOENIX CONTACT 8334_en_01 Configuration Authentication gt gt Administrative Users gt gt Passwords user Disable VPN until the If a user password has been specified and activated the user user is authenticated must always enter this password after an FL MGUARD restart via HTTP in order to enable FL MGUARD VPN connections when attempting to access any HTTP URL To use this option specify the new user password in the corresponding entry field This option is set to No by default If set to Yes VPN connections can only be used once a user has logged into the FL MGUARD via HTTP As long as authentication
364. setting see Incoming Rules on page 6 130 From IP Comment 0 0 0 0 0 means that all internal IP addresses are subject to the NAT procedure To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Can be filled with appropriate comments Lists the rules established for 1 1 NAT Network Address Translation With 1 1 NAT the sender IP addresses are exchanged so that each individual address is exchanged with another specific address and is not exchanged with the same address for all data packets as in IP masquerading This enables the FL MGUARD to mirror addresses from the internal network to the external network The FL MGUARD is connected to network 192 168 0 0 24 via its LAN port and to network 10 0 0 0 24 via its WAN port By using 1 1 NAT the LAN computer with IP address 192 168 0 8 can be accessed via IP address 10 0 0 8 in the external network a mGuard z D 192 168 0 0 24 10 0 0 0 24 8334_en_01 PHOENIX CONTACT 6 95 FL MGUARD 2 Network gt gt NAT gt gt Masquerading The FL MGUARD claims the IP addresses entered for the External network for the devices in its Local network The FL MGUARD returns ARP answers for all addresses from the specified External network on behalf of the devices in the Local network Therefore the IP addresses entered under External network must not be used They must not be assigned to other device
365. signed priority level and are then processed according to their priority Ideally the assignment of priority levels and bandwidths should result in a sufficient bandwidth level always being available for the real time transmission of data packets while other packets e g FTP downloads are temporarily set to wait in critical cases The main application of egress QoS is the optimal utilization of the available bandwidth on a connection In certain cases a limitation of the packet rate can be useful e g to protect a slow computer from overloading in the protected network The Egress Queues feature can be used for all interfaces and for VPN connections 6 8 2 1 Internal External External 2 Dial in Internal Settings for egress queues on the LAN interface QoS Egress Queues stort iecere ea Fem Enabling EnableEgressQoS No w Total Bandwidth Rate Bandwidth Rate Limit unlimited kbs v Queues game Guaranteed o operem l Pror comment 1 Urgent 10 unlimited High v 2 Important 10 unlimited Medium v 3 Default 10 unlimited Medium v 4 Low Priority 10 unlimited Low v External Settings for egress queues on the external WAN interface QoS Egress Queues ESS n cee ee Enabling Enable Egress QoS No v Total Bandwidth Rate Bandwidth Rate Limit unlimited kos w Queues Packets PE ame O Carane O fH Urgent 10 unlimited High v shi2 Impor
366. ss bar I Create dir txt files Mask 255 255 255 0 I Translate Unix file names I Beep for long tranfer Doman Name IV Use Tftpd32 only on this interface TEZAIEEATY I Use anticipation window of 0 Bytes About Help I Allow S As virtual root Default Help Cancel Figure 8 3 Settings In Linux All current Linux distributions include DHCP and TFTP servers Install the corresponding packages according to the instructions provided for the relevant distribution Configure the DHCP server by making the following settings in the etc dhcpd conf file subnet 192 168 134 0 netmask 255 255 255 0 range 192 168 134 100 192 168 134 119 option routers 192 168 134 1 option subnet mask 255 255 255 0 option broadcast address 192 168 134 255 This example configuration provides 20 IP addresses 100 to 119 It is assumed that the DHCP server has the address 192 168 134 1 settings for ISC DHCP 2 0 The required TFTP server is configured in the following file etc inetd conf In this file insert the corresponding line or set the necessary parameters for the TFTP service Directory for data tftpboot tftp dgram udp wait root usr sbin in tftpd s tftpboot The FL MGUARD image files must be saved in the tftpboot directory install p7s jffs2 img p7s If a major release upgrade of the firmware is carried out by means of flashing the license file purchased for the upgrade must also be stored here under the nam
367. ss of the client has been determined If no Stealth management IP address or client s MAC address is configured in static Stealth mode then DAD ARP requests are sent to the internal interface see RFC 2131 Section 4 4 1 Only in Router network mode with static router mode or Stealth network mode FL MGUARD RS4000 only In these network modes the serial interface of the FL MGUARD can be configured as an additional secondary external interface The secondary external interface can be used to transfer data traffic permanently or temporarily to the external network WAN If the secondary external interface is activated the following applies In Stealth network mode Only the data traffic generated by the FL MGUARD is subject to the routing specified for the secondary external interface not the data traffic from a locally connected computer Locally connected computers cannot be accessed remotely either only the FL MGUARD itself can be accessed remotely if the configuration permits this As in Router network mode VPN data traffic can flow to and from the locally connected computers Because this traffic is encrypted by the FL MGUARD it is seen as being generated by the FL MGUARD In Router network mode All data traffic i e from and to locally connected computers including data traffic generated by the FL MGUARD can be routed to the external network WAN via the secondary external interface Secondary External In
368. st firmware version and patch releases in each case For the scope of functions please refer to the relevant release notes Router mode default firewall ruls bidirectional throughput max 124 Mbps Stealth mode default firewall rules bidirectional throughput max 58 Mbps IPsec IETF standard up to 250 VPN tunnels DES 3DES AES 128 192 256 Router mode default firewall ruls bidirectional throughput max 40 Mbps Stealth mode default firewall rules bidirectional throughput max 26 Mbps Router mode default firewall ruls bidirectional throughput max 124 Mbps Stealth mode default firewall rules bidirectional throughput max 58 Mbps IPsec IETF standard up to 2 VPN tunnels DES 3DES AES 128 192 256 Router mode default firewall ruls bidirectional throughput max 40 Mbps Stealth mode default firewall rules bidirectional throughput max 26 Mbps Web GUI HTTPS command line interface SSH SNMP v1 2 3 central device management software LEDs Power 1 2 State Error Signal Fault Modem Info alarm contacts service contacts log file remote SysLog LEDs Power State Error Signal Fault Modem Info alarm contacts service contacts log file remote SysLog 8334_en_01 PHOENIX CONTACT 10 1 FL MGUARD 2 Other FL MGUARD RS4000 FL MGUARD RS2000 Special features Realtime clock Trusted Platform Module TPM temperature sensor 10 2 PHOENI
369. stvie fiproute2 enu GPLv2 ipset enu Gpiv2 iptabies enu GPiv2 koa enu GPLv2 ibcap BSD stve ibfuse enu GPLv2 LGPLv2 litomp GNU GPLv2 LGPLv2 lionetfitter_conntrack GNU GPLv2 lion fnettink GNU GPLiv2 Lists the licenses of the external software used on the FL MGUARD The software is usually open source software 8334_en_01 PHOENIX CONTACT 6 33 FL MGUARD 2 6 2 4 Management gt gt Update 6 2 4 1 Overview Management Update overview upate System Information Version 7 4 0 default Base 7 4 0 default Updates none Package Versions Management gt gt Update gt gt Overview authdaemon 0 0 2 2 default beron 0 1 3 0 default bridge utils 0 1 4 0 default brnetlink 0 0 1 0 default busybox 0 174 default chat 0 2 7 0 default conntrack 0 1 0 6 default mnt a nan datni pu System information Version The current software version of the FL MGUARD Base The software version that was originally used to flash this FL MGUARD Updates List of updates that have been installed on the base Package Versions Lists the individual software modules of the FL MGUARD Can be used for support purposes 6 34 PHOENIX CONTACT 8334_en_01 Configuration 6 2 4 2 Update Firmware updates with firewall redundancy enabled Updates of Version 7 3 1 or later can be performed while an FL MGUARD redundant pair is connected and operating This does not appl
370. t If NAT is not activated it is possible that only VPN connections can be used For the further configuration of PPPoE network mode see Router network mode PPPoE router mode on page 6 77 Router Mode PPTP Similar to PPPoE mode For example in Austria the PPTP protocol is used instead of the PPPoE protocol for DSL connections PPTP is the protocol that was originally used by Microsoft for VPN connections Ifthe FL MGUARD is operated in PPTP mode the FL MGUARD must be set as the default gateway on the locally connected computers This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway on these computers e If the FL MGUARD is operated in PPTP mode NAT should be activated in order to gain access to the Internet from the local network see Network gt gt NAT on page 6 94 If NAT is not activated it is possible that only VPN connections can be used For the further configuration of PPTP network mode see Router network mode PPTP router mode on page 6 78 8334_en_01 PHOENIX CONTACT 6 61 FL MGUARD 2 Router Mode Modem FL MGUARD RS4000 only If Modem network mode is selected the external Ethernet interface of the FL MGUARD is deactivated and data traffic is transferred to and from the WAN via the externally accessible serial interface serial port of the FL MGUARD An external modem which esta
371. t General Network Security Packet Filter Rule Record Generic Rule Record General A descriptive name for the set Generic Enabled Yes v Firewall rules Log 1D wA 9 2483 11 3649 1490 0355 0000006000 D x DET T E T T comment tog Log p 1 Tce v 0 0 0 00 any 0 0 0 0 0 any Accept v No v A descriptive name for A name that can be freely assigned Although it can be freely the set selected the name must clearly define the set of rules A set of rules can be referenced from the list of incoming and outgoing rules using this name To do this the relevant rule set name is selected in the Action column Enabled Activates deactivates the relevant set of rules 6 134 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt Packet Filter gt gt Sets of Rules Firewall rules Protocol From IP To IP From Port To Port Action Comment Log TCP UDP ICMP GRE All 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 Accept means that the data packets may pass through Reject means that the data packets are sent back and
372. t TECHNICA ate snper apane A E KE EE EEEE AEA Sede tne 10 1 10 1 FL MGUARD RS4000 RS2000 0 00 ec eeee cece eeeeeeeeeeeeeeeeeeeeeesaeeeeeeeneeesaeeeeeeenas 10 1 10 2 FL MGUARD SMART2 PPP Ere rere er rere eer er rer reer errr rrr errr er errr rr er rere errr rer rere rere errr reer e rr eter errr errr trey 10 2 10 3 Ordering data s irni ia eae ae aE E E snared 10 3 2 PHOENIX CONTACT 8334_en_01 Introduction 1 Introduction Network features Firewall features Anti virus features optional The FL MGUARD protects IP data links by combining the following functions VPN router VPN Virtual Private Network for secure data transmission via public networks hardware based DES 3DES and AES encryption IPsec protocol Configurable firewall for protection against unauthorized access The dynamic packet filter inspects data packets using the source and destination address and blocks undesired data traffic The device can be configured easily using a web browser Further information can be found on our website at www phoenixcontact com Stealth auto static multi router static DHCP client PPPoE for DSL PPTP for DSL and modem mode VLAN DHCP server relay on internal and external network interfaces DNS cache on the internal network interface Administration via HTTPS and SSH Optional conversion of DSCP TOS values Quality of Service Quality of Service QoS LLDP MAU management SNMP Stateful pa
373. t any information from the connected modem but instead sends the following text directly to the modem The FL MGUARD sends this character string to the modem in order to establish whether the modem is ready to accept commands Specifies that the FL MGUARD expects the OK character string from the modem as a response to d dATH On many modem models it is possible to save modem default settings to the modem itself However this option should not be used Initialization sequences should be configured externally instead i e on the FL MGUARD In the event of a modem fault the modem can then be replaced quickly and smoothly without changing the modem default settings If the external modem is to be used for incoming calls without the modem default settings being entered accordingly then you have to inform the modem that it should accept incoming calls after it rings If using the extended HAYES command set append the character string AT amp SO 1 OK a space followed by AT amp S0 1 followed by a space followed by OK to the initialization sequence Some external modems depending on their default settings require a physical connection to the DTR cable of the serial interface in order to operate correctly Because the FLMGUARD models do not provide this cable at the external serial interface the character string AT amp DO OK a space followed by AT amp DO followed by a space followed by OK must be appen
374. t be added to the FL MGUARD configuration These certificates should also have a validity period If the CRL check is activated under Authentication gt gt Certificates gt gt Certificate settings one URL where the corresponding CRL is available must be maintained for each CA certificate The URL and CRL must be published before the FL MGUARD uses the CA certificates in order to confirm the validity of the certificates shown by the VPN partners Using X 509 certificates with limited validity periods and CRL checks The use of X 509 certificates is described under Certificate settings on page 6 120 Authentication gt gt Certificates gt gt Certificate settings menu If X 509 certificates are used and Check the validity period of certificates and CRLs is set the system time has to be correct We recommend synchronizing the system time using a trusted NTP server Each FL MGUARD in a redundant pair can use the other as an additional NTP server but not as the only NTP server 8334_en_01 PHOENIX CONTACT 7 25 FL MGUARD 2 7 26 PHOENIX CONTACT 8334_en_01 Restart recovery procedure and flashing the firmware 8 Restart recovery procedure and flashing the firmware Aim Action The Rescue button see red arrow is used to perform the following procedures on the devices shown in Figure 1 1 Performing a restart Performing a recovery procedure Flashing the firmware rescue procedure 01 Fig
375. t means that the data packets are sent back and the sender is informed of their rejection In Stealth mode Reject has the same effect as Drop Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts Freely selectable comment for this rule For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default setting External 2 and Dial in are only for devices with a serial interface see Network gt gt Interfaces on page 6 56 8334_en_01 PHOENIX CONTACT 6 43 FL MGUARD 2 6 2 6 2 Trap A amy a 7 use Basic traps SNMP authentication Yes v Link Up Down Yes v Coldstat Yes v Admin access SSH HTTPS Ye v new DHCP client Hardware related traps Chassis power signal relay Yes v Agent external config storage tempersture bled CIFS integrity traps Successful integrity check of a CirSshere Y Failed integrity check of a CIFS Ye v share Found a suspicious difference onaClFSshare Y W Redundancy traps Ststus change Yes v Userfirewall traps Userfirewall traps Yes v VPN traps IPsec connection status changes Yes v L2TP connection status changes Yes v SEC Stick Traps SEC Stick connection status changes Ye v Trap destinations 5 x Destination IP Destination Port
376. t of rules contains further subsequent rules that could also apply these rules are ignored Protocol All means TCP UDP ICMP GRE and other IP protocols From Port To Port Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 gt port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 To IP 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Comment Freely selectable comment for this rule Log For each firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default setting 8334_en_01 PHOENIX CONTACT 6 147 FL MGUARD 2 6 6 CIFS Integrity Monitoring menu This function is optional and can only be activated by purchasing the FL MGUARD LIC CIM Order No 2701083 accessory CIFS integrity monitoring is not available on the FL MGUARD RS2000 It must not be used on the FL MGUARD BLADE controller In Stealth network mode CIFS integrity checking is not possible without a management IP address and the CIFS server for the anti virus scan is not supported There are two options for checking network drives for viruses using CIFS integrity monitoring CIFS Integrity Checking CIFS
377. t with IP addresses instead of host names if applicable activate the Do not resolve IP addresses to hostnames checkbox e Then click on Trace A corresponding message is then displayed 6 238 PHOENIX CONTACT 8334_en_01 Configuration 6 11 1 3 DNS Lookup Support Tools PingCheck Traceroute DNS Lookup IKE Ping DNS Lookup esas Support gt gt Tools gt gt DNS Lookup DNS Lookup Aim To determine which host name belongs to a specific IP address or which IP address belongs to a specific host name How to proceed e Enter the IP address or host name in the Hostname field e Click on Lookup The response which is determined by the FL MGUARD according to the DNS configuration is then returned 6 11 1 4 IKE Ping Support Tools Ping Check Traceroute DNS Lookup IKE Ping IKE Ping Hostname IP Address myWebserver Support gt gt Tools gt gt IKE Ping IKE Ping Aim To determine whether the VPN software for a VPN gateway is able to establish a VPN connection or whether a firewall prevents this for example How to proceed e Enterthe name or IP address of the VPN gateway in the Hostname IP Address field e Click on Ping e A corresponding message is then displayed 8334_en_01 PHOENIX CONTACT 6 239 FL MGUARD 2 6 11 2 Support gt gt Advanced 6 11 2 1 Hardware This page lists various hardware properties of the FL MGUARD Support Advanced Hardwar
378. tant 10 unlimited Medium v FH 3 Default 10 unlimited Medium v e ii4 Low Priority 10 unlimited Low v 8334_en_01 PHOENIX CONTACT 6 209 FL MGUARD 2 External 2 Settings for egress queues on the secondary external interface QoS Egress Queues Internal External External 2 Dial in Enabling EnableEgressQoS No w Total Bandwidth Rate Bandwidth Rate Limit unlimited kbs v Queues SY SY TL comme OO f E 1 Urgent 10 So unimtes High v e soe important oC unimted Medium v Lal FH 3 Defaut mw o SSS E united Medium v eo Low Priority fe eT unlimited low v Dial in Settings for egress queues for packets for a PPP dial up line connection dial in Internal External External 2 Dial in Enabling Enable Egress QoS No v Total Bandwidth Rate Bandwidth Rate Limit unlimited koitis v Queues cx r a comment r Urgent 10 unlimited High v toe Important 10 unlimited Medium v SH 3 Defautt 10 unlimited Medium v eo Low Priority 10 unlimited Low v 6 8 3 Egress Queues VPN 6 8 3 1 VPN via Internal VPN via External VPN via External 2 VPN via Dial in VPN via Internal Settings for egress queues QoS Egress Queues VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in Enabling Enable Egress QoS No v Total Bandwidth Rate Bandwidth Rate Limit un
379. te the L2TP server and make the following entries in the fields specified below Type Transport Protocol UDP Local Port all Remote Port all Specifying a default route over the VPN Address 0 0 0 0 0 specifies a default route over the VPN In this case all data traffic where no other tunnel or route exists is routed through this VPN tunnel A default route over the VPN should only be specified for a single tunnel In Stealth mode a default route over the VPN cannot be used Option following installation of a VPN tunnel group license If Address of the remote site s VPN gateway is specified as any it is possible that there are many FL MGUARD devices or many networks on the remote side A very large address area is then specified in the Remote field for the local FL MGUARD A part of this address area is used on the remote FL MGUARD devices for the network specified for each of them under Local This is illustrated as follows The entries in the Local and Remote fields for the local and remote FL MGUARD devices could be made as follows 6 178 PHOENIX CONTACT 8334_en_01 Configuration Local Remote FL MGUARD A FL MGUARD Local Remote Local Remote 10 0 0 0 8 10 0 0 0 8 gt 10 1 7 0 24 10 0 0 0 8 Remote FL MGUARD B Local Remote gt 10 3 9 0 24 10 0 0 0 8 etc In this way by configuring a single tunnel you can establish connections for a numbe
380. tealth mode is considerably easier From this version onwards the EIS Easy Initial Setup procedure enables startup to be performed via preset or user defined management addresses without actually having to connect to an external network The FL MGUARD is configured using a web browser on the computer used for configuration e g MS Internet Explorer Version 8 or later Mozilla Firefox Version 1 5 or later Google Chrome or Apple Safari NOTE The web browser used must support SSL encryption i e HTTPS According to the default settings the FL MGUARD can be accessed via the following addresses Table 5 1 Preset addresses Default settings Network Management IP 1 Management IP 2 mode FL MGUARD SMART2 Stealth https 1 1 1 1 https 192 168 1 1 FL MGUARD Stealth https 1 1 1 1 https 192 168 1 1 RS4000 RS2000 FL MGUARDs provided in stealth network mode are preset to the multiple clients stealth configuration In this mode you must configure a management IP address and default gateway if you want to use VPN connections see page 6 66 Alternatively you can select a different stealth configuration to the multiple clients configuration or use another network mode The configuration on startup is described in two sections For devices provided in the stealth network mode in Section 5 2 1 from page 1 3 For devices provided in the router network mode in Section 5 2 2 on page 1 8
381. ted if the FL MGUARD is operated in Router mode and establishes the connection to the Internet see Network gt gt NAT on page 6 94 Only then can the computers in the connected local network access the Internet via the FL MGUARD If NAT is not activated it is possible that only VPN connections can be used In Router network mode a secondary external interface can also be configured see Secondary External Interface on page 6 67 There are several Router modes depending on the Internet connection static DHCP PPPoE PPPT Modem 6 60 PHOENIX CONTACT 8334_en_01 Configuration Router Mode static The IP address is fixed Router Mode DHCP The IP address is assigned via DHCP Router Mode PPPoE PPPoE mode corresponds to Router mode with DHCP but with one difference The PPPoE protocol which is used by many DSL modems for DSL Internet access is used to connect to the external network Internet WAN The external IP address which the FL MGUARD uses for access from remote partners is specified by the provider If the FL MGUARD is operated in PPPoE mode the FL MGUARD must be set as the default gateway on the locally connected computers This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway address on these computers l If the FL MGUARD is operated in PPPoE mode NAT must be activated in order to gain access to the Interne
382. ter This method is referred to as a PPP dial in option It can be used to access the LAN behind the FL MGUARD or to configure the FL MGUARD Dial in is the interface definition used for this connection type in firewall selection lists In order to access the LAN with a Windows computer using the dial up line connection a network connection must be set up on this computer in which the dial up line connection to the FL MGUARD is defined In addition the IP address of the FL MGUARD or its host name must be defined as the gateway for this connection so that the connections to the LAN can be routed via this address To access the web configuration interface of the FL MGUARD you must enter the IP address of the FL MGUARD or its host name in the address line of the web browser The serial interface of the FL MGUARD is connected to the serial interface of a PC 6 90 PHOENIX CONTACT 8334_en_01 Configuration On the PC the connection to the FL MGUARD is established using a terminal program and the configuration is implemented using the command line of the FL MGUARD If an external modem is connected to the serial interface you may have to enter corresponding settings below under External Modem regardless of how you are using the serial interface and the modem connected to it Network gt gt Interfaces gt gt Modem Console Serial Console The following settings for the baud rate and hardware handshake are only valid for a
383. terface Network Mode Off v 8334_en_01 PHOENIX CONTACT 6 67 FL MGUARD 2 Network gt gt Interfaces gt gt General Stealth network mode Operation Mode Secondary External Interface Network Mode Modem v Network Mode Off Modem Off Default Select this setting if the operating environment of the FL MGUARD does not require a secondary external interface You can then use the serial interface or the built in modem if present for other purposes see Modem Console on page 6 90 Modem Built in Modem If you select one of these options the secondary external interface will be used to route data traffic permanently or temporarily to the external network WAN The secondary external interface is created via the serial interface of the FL MGUARD and an external modem connected to it permanent temporary After selecting Modem or Built in Modem network mode for the secondary external interface the operating mode of the secondary external interface must be specified Operation Mode permanent v Secondary External Routes P gt X F 192 168 3 0 24 gateway permanent Secondary External Routes Data packets whose destination corresponds to the routing settings specified for the secondary external interface are al ways routed via this external interface The secondary exter nal interface is always activated temporary Data packets whose destination corresponds to the routing settings specified f
384. terfaces gt gt General Router network mode Internal Networks Internal IPs trusted port IP Netmask Use VLAN The internal IP is the IP address via which the FL MGUARD can be accessed by devices in the locally connected network The default settings in Router PPPoE PPTP Modem mode are as follows 192 168 1 1 255 255 255 0 You can also specify other addresses via which the FL MGUARD can be accessed by devices in the locally connected network For example this can be useful if the locally connected network is divided into subnetworks Multiple devices in different subnetworks can then access the FL MGUARD via different addresses IP address via which the FL MGUARD can be accessed via its LAN port The subnet mask of the network connected to the LAN port IP address Netmask If the IP address is within a VLAN set this option to Yes 8334_en_01 PHOENIX CONTACT 6 73 FL MGUARD 2 Network gt gt Interfaces gt gt General Router network mode VLAN ID AVLAN ID between 1 and 4095 Foran explanation of the term VLAN please refer to the glossary on page 9 8 Ifyou want to delete entries from the list please note that the first entry cannot be deleted Additional Internal Additional routes can be defined if further subnetworks are Routes connected to the locally connected network Network Specify the network in CIDR format see CIDR Classless Inter Domain Ro
385. th mode default firewall rules bidirectional throughput max 26 Mbps Web GUI HTTPS command line interface SSH SNMP v1 2 3 central device management software LEDs 3 LEDs in combination for boot process heartbeat system error Ethernet status recovery mode log file remote SysLog CE FCC Realtime clock Trusted Platform Module TPM temperature sensor 8334_en_01 PHOENIX CONTACT 10 3 FL MGUARD 2 10 3 Hardware properties Platform Network interfaces Other interfaces Memory High availability Power supply unit Power consumption Temperature range Humidity range Degree of protection Dimensions H x W x D Weight Firmware and power values Firmware compatibility Data throughput router firewall Hardware based encryption Encrypted VPN throughput AES 256 Management support Diagnostics Other Conformity Special features FL MGUARD DELTA TX TX Freescale network processor with 330 MHz clocking 1 LAN port 1 WAN port Ethernet IEEE 802 3 10 100 Base TX RJ 45 full duplex auto MDIX Serial RS 232 9 pos D SUB connector 128 MB RAM 128 MB Flash SD card Replaceable configuration memory Depending on the firmware used External power supply unit 12V 850 mA DC 100 V 240 V 400 mA AC 2 5 W maximum 0 C 40 C operation 20 C 70 C storage 5 95 during operation non condensing IP20 45 x 130 x 114mm 630 g FL MGU
386. the certificate subject field is suggested as the short name here providing the Shortname field is empty at this point This name can be adopted or another name can be chosen e Aname must be assigned whether it is the suggested one or another Names must be unique and must not be assigned more than once 6 126 PHOENIX CONTACT 8334_en_01 Configuration Using the short name During the configuration of SSH Management gt gt System Settings Shell Access menu HTTPS Management gt gt Web Settings Access menu the certificates imported on the FL MGUARD are provided in a selection list The certificates are displayed under the short name specified for each individual certificate on this page For this reason name assignment is mandatory Creating a certificate copy A copy can be created from the imported remote certificate To do that e Click on Current Certificate File next to the Download Certificate row for the relevant remote certificate Enter the desired information in the dialog box that opens 8334_en_01 PHOENIX CONTACT 6 127 FL MGUARD 2 6 4 4 5 CRL Certificate settings Machine Certificates CA Certificates Remote Certificates CRL CRL DX CRL Issuer Last Update Next Update URL Do ia VPN if wnload n te No v F Upload Durchsuchen I Import Authentication gt gt Certificates gt gt CRL CRL CRL stands for certificate revocation list The CRL is a list containing
387. the computer must be configured to allow ICMP echo requests ping In Stealth mode the FL MGUARD uses internal IP address 1 1 1 1 This can be accessed from the computer if the default gateway configured on the computer is accessible me me In Stealth network mode a secondary external interface can also be configured see Secondary External Interface on page 6 67 For the further configuration of Stealth network mode see Network Mode Stealth on page 6 63 8334_en_01 PHOENIX CONTACT 6 59 FL MGUARD 2 WAN port LAN port Router If the FL MGUARD is in Router mode it acts as the gateway between various subnetworks and has both an external interface WAN port and an internal interface LAN port with at least one IP address each The FL MGUARD is connected to the Internet or other external parts of the LAN via its WAN port FLMGUARD SMART2 The WAN port is the Ethernet female connector The FL MGUARD is connected to a local network or a single computer via its LAN port FLMGUARD SMART2 The LAN port is the Ethernet male connector As in the other modes firewall and VPN security functions are available If the FL MGUARD is operated in Router mode it must be set as the default gateway on the locally connected computers This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway address on these computers NAT should be activa
388. the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored The rules specified here only take effect if Enable HTTPS remote access is set to Yes Internal access is also possible when this option is set to No A firewall rule that would refuse Internal access therefore does not apply in this case The following options are available From IP Enter the address of the computer or network from which remote access is permitted or forbidden in this field IP address 0 0 0 0 0 means all addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 8334_en_01 PHOENIX CONTACT 6 23 FL MGUARD 2 Management gt gt Web Settings gt gt Access Interface External Internal External 2 VPN Dial in Specifies to which interface the rule should apply If no rules are set or if no rule applies the following default settings apply HTTPS access is permitted via Internal VPN and Dial in Access via External and External 2 is refused Specify the access options according to your requirements If you want to refuse access via Internal VPN or Dial in you must implement this explicitly by means of corresponding firewall rules for example by specifying Drop as an action To prevent your own access being blocked you may have to permit acces
389. tion is set to Yes by default 6 138 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt Packet Filter gt gt Advanced Allow TCP keepalive packets without TCP flags Network Modes ICMP via primary Router PPTP PPPoE external interface for the mGuard ICMP via secondary external interface for the mGuard Stealth Mode Allow forwarding of GVRP frames TCP packets without flags set in their TCP header are normally rejected by firewalls At least one type of Siemens controller with older firmware sends TCP keepalive packets without TCP flags set These are therefore discarded as invalid by the FL MGUARD When set to Yes forwarding of TCP packets where no TCP flags are set in the header is enabled This only applies when TCP packets of this type are sent within an existing TCP connection with a regular structure TCP packets without TCP flags do not result in a new entry in the connection table see Connection Tracking on page 6 140 If the connection is already established when the FL MGUARD is restarted the corresponding packets are still rejected and connection problems can be observed as long as no packets with flags belonging to the connection are sent These settings affect all the TCP packets without flags The Yes option thus weakens the security functions provided by the FL MGUARD This option can be used to control the behavior of the FL MGUARD when ICMP messages are received
390. tivity on the various VPN connections are logged in the same data stream The resulting volume of the logging makes it time consuming to find the information relevant to one error After archiving is enabled relevant log entries about the operations involved in establishing VPN connections are archived in the non volatile memory of the FL MGUARD if the connections are established as follows Via the CMD contact Via the CGI interface nph vpn cgi using the synup command see Application Note Diagnosis of VPN connections Archived log entries are not affected by a restart They can be downloaded as part of the support snapshot Support gt gt Advanced menu item Snapshot tab page A snapshot provides the support team with additional options for more efficient troubleshooting than would be possible without archiving 6 164 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Global gt gt Options Archive diagnostic messages only upon failure Yes No VPN Switch VPN connection FL MGUARD RS4 2000 only Only visible if archiving is enabled If only log entries generated for failed connection attempts are to be archived set this option to Yes If set to No all log entries will be archived The FL MGUARD RS4000 RS2000 devices have connections to which an external button or on off switch and a signal LED can be connected One of the configured VPN connections can be established and released via the button o
391. to be used in the following scenario An FL MGUARD connected upstream of a machine must establish connections to two or more different maintenance centers and their FL MGUARD devices with TCP encapsulation enabled UDP packets can be oversized if an IPsec connection is established between the participating devices via IKE and certificates are exchanged Some routers are not capable of forwarding large UDP packets if they are fragmented over the transmission path e g via DSL in 1500 byte segments Some faulty devices forward the first fragment only resulting in connection failure If two FL MGUARD devices communicate with each other itis possible to ensure at the outset that only small UDP packets are to be transmitted This prevents packets from being fragmented during transmission which can result in incorrect routing by some routers If you want to use this option set it to Yes If this option is set to Yes the setting only takes ef fect if the partner is an FL MGUARD with firmware Version 5 1 0 or later installed In all other cases the setting has no effect negative or otherwise The option for avoiding oversized IKE data packets which cannot be routed correctly on the transmission path by faulty routers can also be applied for IPsec data packets In order to remain below the upper limit of 1500 bytes often set by DSL it is recommended that a value of 1414 bytes be set This also allows enough space for ad
392. to establish a connection to the Internet Request PPPoE When Yes is selected the PPPoE client of the FL MGUARD Service Name requests the service name specified below from the PPPoE server Otherwise the PPPoE service name is not used PPPoE Service Name PPPoE Service Name Automatic If Yes is selected specify the time in the Re connect daily at Re connect field This feature is used to schedule Internet disconnection and reconnection as required by many Internet service providers so that they do not interrupt normal business operations When this function is enabled it only takes effect if synchronization with a time server has been carried out see Management gt gt System Settings on page 6 4 Time and Date on page 6 7 Re connect daily at Specified time at which the Automatic Re connect function see above should be performed Internal Networks See Internal Networks on page 6 73 Secondary External See Secondary External Interface on page 6 67 Interface 8334_en_01 PHOENIX CONTACT 6 77 FL MGUARD 2 When Router is selected as the network mode and PPTP is selected as the router mode Router network mode PPTP router mode General Ethernet Dial out Dialin Modem Console Network Status External IP address 172 16 66 49 Active Defauttroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v Router Mode PPTP w PPIP PPTP Login user provider e
393. to the SEC Stick in ASCII including ssh dss or formatin this field The secret equivalent is stored on the SEC ssh rsa Stick List of allowed access and SSH port forwarding relating to the SEC Stick of the corresponding user IP IP address of the computer to which access is enabled Port Port number to be used when accessing the computer 8334_en_01 PHOENIX CONTACT 6 205 FL MGUARD 2 6 8 QoS menu This menu is not available on the FL MGUARD RS2000 QoS Quality of Service refers to the quality of individual transmission channels in IP networks This relates to the allocation of specific resources to specific services or communication types so that they work correctly The necessary bandwidth for example must be provided to transmit audio or video data in realtime in order to reach a satisfactory communication level At the same time slower data transfer by FTP or e mail does not threaten the overall success of the transmission process file or e mail transfer 6 8 1 Ingress Filters An ingress filter prevents the processing of certain data packets by filtering and dropping them before they enter the FLMGUARD processing mechanism The FLMGUARD can use an ingress filter to avoid processing data packets that are not needed in the network This results in a faster processing of the remaining i e required data packets Using suitable filter rules administrative access to the FL MGUARD can be ensured with
394. transmitted as plain text with the RADIUS request The attacker can thus simulate RADIUS queries and thereby find out user names and the corresponding passwords Administrative access to the FL MGUARD should remain possible while the RADIUS server password is being changed Proceed as follows to ensure this e Setup the RADIUS server for the FL MGUARD a second time with a new password e Also set this new password on the RADIUS server e Onthe FL MGUARD delete the line containing the old password 6 4 4 Authentication gt gt Certificates Authentication is a fundamental element of secure communication The X 509 authentication method relies on certificates to ensure that the correct partners communicate with each other and that no incorrect partner is involved in communication An incorrect communication partner is one who falsely identifies themselves as someone they are not see glossary under X 509 Certificate A certificate is used as proof of the identity of the certificate owner The relevant authorizing body in this case is the CA certification authority The digital signature on the certificate is provided by the CA By providing this signature the CA confirms that the authorized certificate owner possesses a private key that corresponds to the public key in the certificate The name of the certificate issuer appears under ssuer on the certificate while the name of the certificate owner appears under Subj
395. twork e g the Internet to form a single common network Cryptographic protocols are used to ensure confidentiality and authenticity A VPN is therefore a cost effective alternative to the use of permanent lines for building a nationwide corporate network A type of seal that certifies the authenticity of a public key gt Asymmetrical encryption and the associated data It is possible to use certification to enable the user of the public key used to encrypt the data to ensure that the received public key is indeed from its actual issuer and thus from the instance that should later receive the data A certification authority CA certifies the authenticity of the public key and the associated link between the identity of the issuer and its key The certification authority verifies authenticity in accordance with its rules for example it may require the issuer of the public key to appear before it in person After successful authentication the CA adds its digital signature to the issuer s public key This results in a certificate An X 509 v3 certificate thus comprises a public key information about the key owner the Distinguished Name DN authorized use etc and the signature of the CA gt Subject certificate The signature is created as follows The CA creates an individual bit string from the bit string of the public key owner information and other data This bit string can be up to 160 bits in length and is known as
396. u can select a different Stealth configuration to the multiple clients configuration or use another network mode In order to successfully establish an IPsec connection the VPN partner must support IPsec with the following configuration Authentication via pre shared key PSK or X 509 certificates ESP Diffie Hellman group 2 or 5 DES 3DES or AES encryption MD5 SHA 1 or SHA 2 hash algorithms Tunnel or transport mode Quick mode Main mode SA lifetime 1 second to 24 hours If the partner is a computer running Windows 2000 the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must be installed Ifthe partner is positioned downstream of a NAT router the partner must support NAT T Alternatively the NAT router must know the IPsec protocol IPsec VPN passthrough For technical reasons only IPsec tunnel connections are supported in both cases 6 7 2 1 Connections Lists all the VPN connections that have been defined Each connection name listed here can refer to an individual VPN connection or a group of VPN connection channels You have the option of defining several tunnels under the transport and or tunnel settings of the relevant entry You also have the option of defining new VPN connections activating and deactivating VPN connections changing editing the VPN connection or connection group properties and deleting connections IPsec VPN Connections Connections
397. ules specify which traffic from the inside is allowed to pass to the outside Please note Port settings are only meaningful for TCP and UDP Log entries for unknown connection attempts Y Network Security gt gt Packet Filter gt gt Outgoing Rules Outgoing Lists the firewall rules that have been set up They apply for outgoing data links that have been initiated internally in order to communicate with a remote partner Default settings A rule is defined by default that allows all outgoing connections If no rule is defined all outgoing connections are prohibited excluding VPN General firewall Allow all outgoing connections The data packets of all setting outgoing connections are allowed Drop all outgoing connections The data packets of all outgoing connections are discarded Use the set of rules specified below Displays further setting options This menu item is not included in the scope of functions for the FL MGUARD RS2000 The following settings are only visible if Use the set of rules specified below is set Protocol TCP UDP ICMP GRE All From IP To IP 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 From Port To Port Only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port n
398. umber or the corresponding service name e g 110 for pop3 or pops for 110 6 132 PHOENIX CONTACT 8334_en_01 Configuration Network Security gt gt Packet Filter gt gt Outgoing Rules Action Comment Log Log entries for unknown connection attempts Accept means that the data packets may pass through Reject means that the data packets are sent back and the sender is informed of their rejection a Drop means that the data packets are not permitted to pass through They are discarded which means that the sender is not informed of their whereabouts In Stealth mode Reject has the same effect as Drop Name of rule sets if defined When a name is specified for rule sets the firewall rules saved under this name take effect see Sets of Rules tab page Freely selectable comment for this rule For each individual firewall rule you can specify whether the use of the rule Should be logged set Log to Yes Should not be logged set Log to No default settings When set to Yes all connection attempts that are not covered by the rules defined above are logged Default settings No 8334_en_01 PHOENIX CONTACT 6 133 FL MGUARD 2 6 5 1 3 Sets of Rules Network Security Packet Filter Incoming Rules Outgoing Rules Rule Records MAC Filtering i Advanced Rule Records 2 a ED Aa Yes v Generic Sets of rules can be defined and stored u
399. unkt Maschine 06 L L O Beispiel Lieferant C DE Subject Alternative Names issuer CN VPN SubCA 01 0 Beispiel Lieferant C DE Validity From Mar 20 18 38 09 2007 GMT to Mar 20 18 38 09 2010 GMT Fingerprint MDS 11 73 7D 98 89 6F AB DB 23 A1 22 06 A2 68 79 EC SHA1 E9 14 0A 50 84 36 62 C5 B0 2F 1F A7 FB 1E 89 47 30 53 BC B8 Filename pem C Durehsuchen 6 186 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Connections gt gt Edit gt gt Authentication Requirement Local X 509 Certificate Specifies which machine certificate the FL MGUARD uses as authentication to the VPN partner Select one of the machine certificates from the selection list The selection list contains the machine certificates that have been loaded on the FL MGUARD under the Authentication gt gt Certificates menu item see page 6 115 If None is displayed a certificate must be installed first None must not be left in place as this results in no X 509 authentication How the FL MGUARD authenticates the remote partner The following definition relates to how the FL MGUARD verifies the authenticity of the VPN remote partner The table below shows which certificates must be provided for the FL MGUARD to authenticate the VPN partner if the VPN partner shows one of the following certificate types when a connection is established A machine certificate signed by a CA A self signed machine certificate For addition
400. uration QoS Ingress Filters internal External Enabling Enable Ingress QoS No v Measurement Unit Packets v Filters x Use VLAN VLAN ID Ethernet Protocol H From IP To IP Current TOS DSCP Guaranteed Upper Limit Comment gt A Protocol f ARP All i No vf Al w 0 0 0 0 0 0 0 0 0 0 v 100 unlimited el No wv 1 ipv4 Al 0 0 0 0 0 0 0 0 0 0 All v1 unlimited External Settings for the ingress filter at the WAN interface QoS gt gt Ingress Filters gt gt Internal External Enabling Enable Ingress QoS No default This feature is disabled If filter rules are defined they are ignored Yes This feature is enabled Data packets may only pass through and be forwarded to the FL MGUARD for further evaluation and processing if they comply with the filter rules defined below Filters can be set for the LAN port Internal tab page and the WAN port External tab page Measurement Unit kbit s or Packet s Specifies the unit of measurement for the numerical values entered under Guaranteed and Upper Limit Filters Use VLAN If a VLAN is set up the relevant VLAN ID can be specified to allow the relevant data packets to pass through To do this this option must be set to Yes VLAN ID Specifies that the VLAN data packets that have this VLAN ID may pass through To do this the Use VLAN option must be set to Yes Ethernet Protocol Specifies that only data packets of the specified Ethernet protocol ma
401. ure 8 1 Rescue button 8 1 Performing a restart The device is restarted with the configured settings Press the Rescue button on the other FL MGUARD devices for around 1 5 seconds e FL MGUARD RS4000 RS2000 Until the error LED lights up e FL MGUARD SMART2 Until the middle LED lights up red 8334_en_01 PHOENIX CONTACT 8 1 FL MGUARD 2 Aim Action 8 2 Performing a recovery procedure The network configuration but not the rest of the configuration is to be reset to the delivery state because it is no longer possible to access the FL MGUARD When performing the recovery procedure the default settings are established for all FL MGUARD models according to the following table Table 8 1 Preset addresses Default settings Network Management IP 1 Management IP 2 mode FL MGUARD Stealth https 1 1 1 1 https 192 168 1 1 RS4000 2000 FL MGUARD SMART2 Stealth https 1 1 1 1 https 192 168 1 1 The following applies to FL MGUARD models that are reset to Stealth mode with the multiple clients default settings The CIFS integrity monitoring function is also disabled because this only works when the management IP is active MAU management remains switched on for Ethernet connections HTTPS access is enabled via the local Ethernet connection LAN The settings configured for VPN connections and the firewall are retained including passwords Possible reasons for performing the recov
402. us pc x7 scan Status Actions Status of pc x7 scan Summary Last check was OK Report The location of the report is 10 1 66 127 C cim pce x7 c log txt UNC notation of the imported 10 1 66 127 C share Start of the last check Mon Nov 28 04 17 00 CET 2011 Duration of the last check 0 hour s 48 minute s and 12 second s CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Status Status of network drive Summary Last check was OK No deviations found name according to configuration Last check found x deviation s The exact deviations are listed in the check report Report The check report is displayed here It can be downloaded by clicking on Download the report UNC notation of the Servername networkdrive imported share 6 156 PHOENIX CONTACT 8334_en_01 Configuration CIFS Integrity Monitoring gt gt CIFS Integrity Status gt gt Show gt gt Status Start of the last check Weekday month day HH MM SS UTC The local time may differ from this time Example The standard time in Germany is Central European Time CET which is UTC plus one hour Central European Summer Time applies in summer which is UTC plus two hours Duration of the last Duration of the check in hours and minutes check Only displayed if a check has been carried out Start of the current See Start of the last check on page 6 157 check Only displayed if a check has b
403. us sessions for one user 0 to 2147483647 Specifies the number of administrative access instances that are permitted for all users simultaneously When 0 is set no session is permitted 0 to 2147483647 Specifies the number of administrative access instances that are permitted for one user simultaneously When 0 is set no session is permitted 6 202 PHOENIX CONTACT 8334_en_01 Configuration SEC Stick gt gt Global gt gt Access Allowed Networks Lists the firewall rules that have been set up These apply for remote SEC Stick access i gt lt L romi o l interface oo Action ooo comment o ooo ooo 0 0 0 0 0 Extemal v Accept v No v If multiple firewall rules are defined these are queried starting from the top of the list of entries until an appropriate rule is found This rule is then applied If the list of rules contains further subsequent rules that could also apply these rules are ignored The rules specified here only take effect if Enable SEC Stick remote access is set to Yes Internal access is also possible when this option is set to No A firewall rule that would refuse nternal access does therefore not apply in this case Multiple rules can be specified From IP Enter the address of the computer network from which remote access is permitted or forbidden in this field IP address 0 0 0 0 0 means all addresses To specify an address area use CIDR format see 6 241 Interface External Interna
404. uting on page 6 241 Gateway The gateway via which this network can be accessed See also Network example diagram on page 6 242 Secondary External See Secondary External Interface on page 6 67 Interface 6 74 PHOENIX CONTACT 8334_en_01 Configuration Router network mode static router mode Network Interfaces General Ethernet Dial out Diatin Modem Console Network Status External IP address 172 16 66 49 Active Defaultroute 172 16 66 18 Used DNS servers 10 1 0 253 Network Mode Network Mode Router v RouterMode static w External Networks etna T via 1 untrusted port px 172 16 66 49 255 255 255 0 No w Adatonl External utes I e IP of default gateway 172 16 66 18 Network gt gt Interfaces gt gt General Router network mode static router mode External Networks External IPs The addresses via which the FL MGUARD can be accessed untrusted port by devices on the WAN port side If the transition to the Internet takes place here the external IP address of the FL MGUARD is assigned by the Internet service provider ISP IP Netmask P address and subnet mask of the WAN port Use VLAN Yes No Ifthe IP address is within a VLAN set this option to Yes VLAN ID AVLAN ID between 1 and 4095 An explanation can be found under VLAN on page 9 8 Ifyou want to delete entries from the list please note that the first entry cannot
405. ution of the default gateway Restricting ARP traffic to the default gateway may lead to management access problems Outgoing A x Source MAC Destination MAC Ethernet Protocol f E XK XK XK XK AK XK XX XKIXK XK XK XK any Accept Nran The Incoming MAC filter is applied to frames that the FL MGUARD receives at the WAN interface The Outgoing MAC filter is applied to frames that the FL MGUARD receives at the LAN interface Data packets that are received or sent via a modem connection on FL MGUARD models with a serial interface are not picked up by the MAC filter because the Ethernet protocol is not used here In Stealth mode in addition to the packet filter Layer 3 4 that filters data traffic e g according to ICMP messages or TCP UDP connections a MAC filter Layer 2 can also be set A MAC filter Layer 2 filters according to MAC addresses and Ethernet protocols In contrast to the packet filter the MAC filter is stateless This means that if rules are introduced corresponding rules must also be created for the opposite direction where necessary If no rules are set all ARP and IP packets are allowed to pass through When setting MAC filter rules please note the information displayed on the screen The rules defined here have priority over packet filter rules The MAC filter does not support logging Network Security gt gt Packet Filter gt gt MAC Filtering Incoming Source MAC Specification
406. verything is up to date With one redundant pair only one database is active while the other is on standby Any change made to this state is also displayed The Connection Tracking Table relates to the firewall state database IPsec VPN Connections with activated VPN redundancy All virtual interfaces are checked together to see whether the forwarding of packets is allowed 6 228 PHOENIX CONTACT 8334_en_01 Configuration Redundancy gt gt FW Redundancy Status gt gt Redundancy Status State History Firmware status System time Timeout of the previous state Availability check Connectivity check State synchronization The table starts with the most recent state The abbreviations are as follows Firmware started up completely Firmware not yet started up completely Valid system time Invalid system time Timeout No timeout Unknown state Another FL MGUARD is available This FL MGUARD is active or is currently being enabled Another FL MGUARD is available This FL MGUARD is on standby or is currently switching to standby No other FL MGUARD available Unknown state Check of all components was successful Check of at least one component has failed Unknown state Database is up to date Database is obsolete Database switching to on_standby Database switching to active 8334_en_01 PHOENIX CONTACT 6 229 FL MGUARD 2 6 9 2 2 Connectivity Status
407. w 180 m Please note No regular check will happen unless the system time of the mGuard has been set either manually or with the help of NTP To be stored on CiFS share pc x7 scan w cim pc x7 c v v at4 h 17 m CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit Settings Enabled Checked CIFS Share Patterns for filenames No A check is not triggered for this network drive The FL MGUARD has not connected this drive The status cannot be viewed Yes A check is triggered regularly for this network drive Suspended The check has been suspended until further notice The status can be viewed Name of the network drive to be checked specified under CIFS Integrity Monitoring gt gt Importable Shares gt gt Edit Specific file types are checked e g only executable files such as exe and dll The rules can be defined under CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Filename Patterns Do not check files that are changed in normal operation as this could trigger false alarms Do not check files that are simultaneously opened exclusively by other programs as this can lead to access conflicts 6 152 PHOENIX CONTACT 8334_en_01 Configuration CIFS Integrity Monitoring gt gt CIFS Integrity Checking gt gt Settings gt gt Edit Checksum Memory Time Schedule Maximum time a check may take Chec
408. w connection establishment with encapsulated packets i For technical reasons the main memory RAM requirements increase with each interface that is used to listen out for VPN connections encapsulated in TCP If multiple interfaces need to be used for listening then the device must have at least 64 Mbytes RAM The interfaces to be used for listening are determined by the FL MGUARD according to the settings on the active VPN connections that have any configured as the partner The decisive setting is specified under Interface to use for gateway setting any 6 168 PHOENIX CONTACT 8334_en_01 Configuration IPsec VPN gt gt Global gt gt Options IP Fragmentation TCP port to listen on Server ID 0 63 IKE Fragmentation IPsec MTU default is 16260 Number of the TCP port where the encapsulated data packets to be received arrive The port number specified here must be the same as the one specified for the FL MGUARD of the partner as the TCP port of the server which accepts the encapsulated connection Psec VPN gt gt Connections Edit menu item General tab page The following restriction applies The port to be used for listening must not be identical to a port that is being used for remote access SSH HTTPS Usually the default value 0 does not have to be changed The numbers are used to differentiate between different control centers A different number is only
409. way 1 1 Use the following DNS server addresses Prefered DNS server Altemate DNS server Figure 5 5 Internet Protocol TCP IP Properties e First select Use the following IP address then enter the following addresses for example IP address 192 168 1 2 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 Depending on the configuration of the FL MGUARD it may then be necessary to adapt the network interface of the locally connected computer or network accordingly 5 8 PHOENIX CONTACT 8334_en_01 Preparing the configuration Web based administrator interface If you have forgotten the configured address If the administrator web page is not displayed 5 3 Establishing a local configuration connection The FL MGUARD is configured via a web browser e g Mozilla Firefox MS Internet Explorer Google Chrome or Apple Safari that is executed on the configuration computer NOTE The web browser used must support SSL encryption i e HTTPS Depending on the model the FL MGUARD is set to stealth or router network mode by default upon delivery and can be accessed accordingly using one of the following addresses Table 5 2 Preset addresses Default settings Network Management IP 1 Management IP 2 mode FL MGUARD SMART2 Stealth https 1 1 1 1 https 192 168 1 1 FL MGUARD Stealth https 1 1 1 1 https 192 168 1 1 RS4000 RS2000 Proceed as
410. ween them using the tabs at the top Working with tab pages You can make the desired entries on the corresponding tab page see also Working with sortable tables on page 6 1 App To apply the settings on the device you must click on the Apply button Once the settings have been applied by the system a confirmation message appears This indicates that the new settings have taken effect They also remain valid after a restart reset Back You can return to the previously accessed page by clicking on the Back button located at the bottom right of the page if available Entry of impermissible values If you enter an impermissible value e g an impermissible number in an IP address and then click on the Apply button the relevant tab page title is displayed in red This makes it easier to trace the error Working with sortable tables Many settings are saved as data records Accordingly the adjustable parameters and their values are presented in the form of table rows If several data records have been set e g firewall rules they will be queried or processed based on the order of the entries from top to bottom Therefore note the order of the entries if necessary The order can be changed by moving table rows up or down With tables you can Insert rows to create a new data record with settings e g the firewall settings for a specific connection Move rows i e resort them Delete rows to de
411. work or device from which the data originates 0 0 0 0 0 means all IP addresses To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 Assign the traffic from this source to the queue selected under Queue Name in this row Port used at the source from which data originates only evaluated for TCP and UDP protocols any refers to any port startport endport e g 110 120 refers to a port area Individual ports can be specified using the port number or the corresponding service name e g 110 for pop3 or pops for 110 IP address of the network or device to which the data is sent Entries correspond to From IP as described above Port used at the source where the data is sent Entries correspond to From Port as described above 8334_en_01 PHOENIX CONTACT 6 215 FL MGUARD 2 QoS gt gt Egress Rules gt gt Internal External External 2 Dial in QoS gt gt Egress Rules VPN gt gt VPN via Internal VPN via External VPN via External 2 VPN via Dial in Current TOS DSCP New TOS DSCP Queue Name Comment Each data packet contains a TOS or DSCP field TOS stands for Type of Service DSCP stands for Differentiated Services Code Point The traffic type to which the data packet belongs is specified here For example an IP phone will write a different entry in this field for outgoing data packets compared to an FTP program that uploads data pa
412. x Y z for the currently installed major version Note It might be possible that there is no direct update from the currently installed version to the latest published minor release available Therefore after updating the system to a new minor release press this button again until you receive the message that there is no newer update available Sa Xy z Note It might be possible that there is no direct update from the currently installed version to the next major release available Therefore execute the minor release update first and repeat this step until you receive the message that there is no newer minor release available Then install the next major release Update Servers f m https v update innominate com No v NOTE Do not interrupt the power supply to the FL MGUARD during the update process Otherwise the device could be damaged and may have to be reactivated by the manufacturer Depending on the size of the update the process may take several minutes A message is displayed if a restart is required after completion of the update Filename To install the packages proceed as follows e Click on Browse select the file and open it so that the file name or path is displayed in the Filename field The file name must have the following format update a b c d e f default lt platform gt tar gz Example update 7 0 0 7 0 1 default ixp4xx_be tar gz e Then click on Install Packages 6
413. xamine the remaining FL MGUARD to determine whether the process of changing the password has been completed If you can see a green check mark you must set the new password directly on the FL MGUARD that is being replaced If you cannot see a green check mark it means that the password has not yet been changed on the remaining FL MGUARD In this case you must change the password again on the FL MGUARD that is still in operation Wait until the green check mark appears Only then should you replace the FL MGUARD that has failed Configure the replacement FL MGUARD with the new password immediately on setting up redundancy Password replacement has been started but not performed on all FL MGUARD devices because they have failed Password replacement must be started as soon as a faulty FL MGUARD is back online If an FL MGUARD has been replaced it must first be configured with the old password before it is connected 6 220 PHOENIX CONTACT 8334_en_01 Configuration Redundancy gt gt Firewall Redundancy gt gt Redundancy Virtual interfaces How to proceed in the event of an incorrect password A If you have inadvertently entered an incorrect password on an FL MGUARD you cannot simply reenter the password using the correct one Otherwise in the event of adverse circumstances this may result in both FL MGUARD devices being active If you can still remember the old password proceed as follows Reconfigure the FL MGUAR
414. xample n PPTP Password Local iP Mode Static from field below w LocaliP 10 0 0 140 ModemiP 10 0 0 138 Network gt gt Interfaces gt gt General Router network mode PPTP router mode PPTP Internal Networks Secondary External Interface This menu item is not included in the scope of functions for the FL MGUARD RS2000 For access to the Internet the Internet service provider ISP provides the user with a user name login and password These are requested when you attempt to establish a connection to the Internet PPTP Login The user name login that is required by the Internet service provider when you attempt to establish a connection to the Internet PPTP Password The password that is required by the Internet service provider when you attempt to establish a connection to the Internet Local IP Mode Via DHCP If the address data for access to the PPTP server is provided by the Internet service provider via DHCP select Via DHCP In this case no entry is required under Local IP Static from field below If the address data for access to the PPTP server is not supplied by the Internet service provider via DHCP the local IP address must be specified Local IP The IP address via which the FL MGUARD can be accessed by the PPTP server Modem IP The address of the PPTP server of the Internet service provider See Internal Networks on page 6 73 See Secondary External Interface on page
415. y configuration profiles available there see Management gt gt Central Management on page 6 52 When No is selected the FL MGUARD establishes a telephone connection using the connected modem as soon as possible after a restart or activation of Modem network mode This remains permanently in place regardless of whether or not data is transmitted If the telephone connection is then interrupted the FL MGUARD attempts to restore it immediately Thus a permanent connection is created like a permanent line By doing this the FL MGUARD is constantly available externally i e for incoming data packets 8334_en_01 PHOENIX CONTACT 6 85 FL MGUARD 2 Network gt gt Interfaces gt gt Dial out Idle timeout Idle time seconds Local IP Remote IP Netmask Yes No Only considered when Dial on demand is set to Yes When set to Yes default the FL MGUARD terminates the telephone connection as soon as no data traffic is transmitted over the time period specified under Idle time The FL MGUARD gives the connected modem the relevant command for terminating the telephone connection When set to No the FL MGUARD does not give the connected modem a command for terminating the telephone connection Default 300 If there is still no data traffic after the time specified here has elapsed the FL MGUARD can terminate the telephone connection see above under Idle timeout IP address of the serial interface of the F
416. y connect the FL MGUARD network ports to LAN installations Some telecommunications connections also use RJ45 female connectors these must not be connected to the RJ45 female connectors of the FL MGUARD e Connect the FL MGUARD to the network To do this you need a suitable UTP cable CAT5 which is not included in the scope of supply e Connect the internal network interface LAN 1 of the FL MGUARD to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network LAN 4 3 3 Service contacts WARNING The service contacts GND CMD CMD V ACK must not be connected to an external voltage source they should always be connected as described here Please note that only the Service 1 contacts are used with firmware version 7 4 The Service 2 contacts shall be made available with a later firmware version 0 a aa a a elelele felefele ee 3 sh yy yy st yY N NN nra a a a a YY Y S ejeoejojo IOOOC Telelefe fefefe s 8 8 8 f K 8 8 amp S FL MGUARD RS4000 FL MGUARD RS2000 Table 4 2 Service 1 plug pin assignment Designation Function Use CMD V Switch contact pin 1 VPN enable switch CMD Switch contact pin 2 VPN enable switch GND Signal contact VPN status light ACK Signal contact 9 to 36 V VPN status
417. y pass through Possible entries ARP IPV4 any Other entries must be in hexadecimal format up to 4 digits The ID of the relevant protocol in the Ethernet header is entered here It can be found in the publication of the relevant standard IP Protocol All TCP UDP ICMP ESP Specifies that only data packets of the selected IP protocol may pass through When set to All no filtering is applied according to the IP protocol From IP Specifies that only data packets from a specified IP address may pass through 0 0 0 0 0 stands for all addresses i e in this case no filtering is applied according to the IP address of the sender To specify an address area use CIDR format see CIDR Classless Inter Domain Routing on page 6 241 8334_en_01 PHOENIX CONTACT 6 207 FL MGUARD 2 QoS gt gt Ingress Filters gt gt Internal External To IP Current TOS DSCP Guaranteed Upper Limit Comment Specifies that only data packets that should be forwarded to the specified IP address may pass through Entries correspond to From IP as described above 0 0 0 0 0 stands for all addresses i e in this case no filtering is applied according to the IP address of the sender Each data packet contains a TOS or DSCP field TOS stands for Type of Service DSCP stands for Differentiated Services Code Point The traffic type to which the data packet belongs is specified here For example an IP phone will write a di
418. y to the following devices FLMGUARD RS FLMGUARD SMART FLMGUARD PCI FLMGUARD BLADE FLMGUARD DELTA These devices must be updated successively while the relevant redundant device is disconnected If firewall redundancy is activated the two FL MGUARD devices of a redundant pair can be updated at the same time FL MGUARD devices that form a pair automatically decide which FL MGUARD is to perform the update first while the other FLM MGUARD remains active If the active FL MGUARD is unable to boot within 25 minutes of receiving the update command because the other FLMGUARD has not yet taken over it aborts the update and continues to run using the existing firmware version Updating firmware There are two options for performing a firmware update 8334_en_01 PHOENIX CONTACT 6 35 FL MGUARD 2 Psy Management gt gt Update Local Update 1 You have the current package set file on your computer the file name ends with tar gz and you perform a local update 2 The FLMGUARD downloads a firmware update of your choice from the update server via the Internet and installs it Management Update Overview Update Local Update Fleneme Durchsuchen gas The filename of the package set has the extension tar gz The format of the filename you have to enter is update a b c d e f tar gz Online Update Paap strane Automatic Update TE xyZ Install the latest minor release
419. ymbol to avoid possible in i This is the safety alert symbol It is used to alert you to potential personal injury jury or death There are three different categories of personal injury that are indicated with a signal word DANGER This indicates a hazardous situation which if not avoided will re sult in death or serious injury WARNING This indicates a hazardous situation which if not avoided could result in death or serious injury CAUTION This indicates a hazardous situation which if not avoided could result in minor or moderate injury This symbol together with the signal word NOTE and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device hardware software or surrounding property formation or refer to detailed sources of information B This symbol and the accompanying text provide the reader with additional in How to contact us Up to date information on Phoenix Contact products and our Terms and Conditions can be found on the Internet at www phoenixcontact com Make sure you always use the latest documentation It can be downloaded at www phoenixcontact net catalog If there are any problems that cannot be solved using the documentation please contact your Phoenix Contact subsidiary Subsidiary contact information is available at www phoenixcontact com PHOENIX CONTACT GmbH amp Co KG FlachsmarktstraBe 8 32825 Blomberg GERMANY Should you have
Download Pdf Manuals
Related Search