1 FL MGUARD security appliance
Contents
1. Smart mode: Recovery procedure; Smart mode: Flash procedure; Smart mode: Customized default profile (table-of-contents fragment). 7612_en_02, PHOENIX CONTACT.

FL MGUARD: In the event of an error (Display / Meaning / Remedy):
- RAM test error: Perform a voltage reset.
- Flash test error: Perform a voltage reset.
- Error when executing the rollout script: Check the rollout script for errors.
- File transfer was completed successfully, but the file is not a valid firmware version for the device: Provide a valid firmware version with the previously specified file name; repeat the download.
- Device temperature too high or too low: The device has exited the temperature range set in the web interface.
- SFP module not supported or faulty: Replace the SFP module with a supported and/or fully functional SFP module.
- This MEM PLUG is not compatible with the device (e.g. a wireless ID plug or an MRP master): Use a suitable MEM PLUG.
- Firmware transfer via TFTP or Xmodem failed (display changes from 03 to 17): Check the physical connection; establish a point-to-point connection; make sure that the file with the specified file name exists and is in the correct directory; check the IP address of the TFTP server; activate the TFTP server; repeat the download.
The points under Remedy are recommendations; they do not all have to be carried out for every error.
2. DynDNS (example host name shown in the screenshot: host.example.com)
At least one partner IP address must be known in order to establish a VPN connection, so that they can contact each other. This condition is not met if both participants are assigned IP addresses dynamically by their respective Internet service providers. In this case a DynDNS service such as DynDNS.org or DNS4BIZ.com can be of assistance. The currently valid IP address is registered under a fixed name with a DynDNS service. If you have registered with one of the DynDNS services supported by the FL MGUARD, you can enter the corresponding information in this dialog box.
- Register this mGuard at a DynDNS Service: Select Yes if you have registered with a DynDNS provider and the FL MGUARD should use this service. The FL MGUARD reports its current IP address to the DynDNS service (i.e. the one assigned for Internet access by the Internet service provider).
- Refresh Interval (sec): Default: 420 seconds. The FL MGUARD informs the DynDNS service of its new IP address whenever the IP address of its Internet connection is changed. For additional reliability, the device also reports its IP address at the interval specified here. This setting has no effect for some DynDNS providers, such as DynDNS.org, as too many updates can cause the account to be closed.
- DynDNS Provider: The providers in this list support the same protocol as the FL MGUARD. Select the name of the provider with whom you are registered, e.g. DynDNS.org.
3. Requirements for configuration
For remote configuration: The FL MGUARD must be configured so that remote configuration is permitted. The FL MGUARD must be connected, i.e. the required connections must be working.
FL MGUARD SMART: The FL MGUARD SMART must be switched on, i.e. it must be connected via a USB cable to a computer or power supply unit that is switched on, in order for it to be supplied with power. For local configuration: The computer used for configuration must be connected to the LAN port of the FL MGUARD, or must be connected to the FL MGUARD via the local network. For remote configuration: The FL MGUARD must be configured so that remote configuration is permitted. The FL MGUARD must be connected, i.e. the required connections must be working.
FL MGUARD PCI: For local configuration: The computer used for configuration must meet the following requirements. FL MGUARD in driver mode: The FL MGUARD PCI driver must be installed on the computer. FL MGUARD in Power-over-PCI mode: The computer must be connected to the FL MGUARD via its LAN connection or via the local network. For remote configuration: The FL MGUARD must be configured so that remote configuration is permitted. The FL MGUARD must be connected, i.e. the required connections must be working.
FL MGUARD BLADE: The FL MGUARD BLA
4. The remote peer that implements remote access may have to specify the port number defined here after the IP address during entry of the address. Example: If this FL MGUARD can be accessed over the Internet via address 123.124.125.21 and port number 443 has been specified for remote access, you do not need to enter this port number after the address in the web browser of the remote peer. If a different port number is used, it should be entered after the IP address, e.g. https://123.124.125.21:442.
The FL MGUARD authenticates itself to the remote peer (in this case the browser of the user) using a self-signed machine certificate. This is a unique certificate issued by Innominate for each FL MGUARD. This means that every FL MGUARD device is delivered with a unique self-signed machine certificate.
[Screenshot: HTTPS remote access firewall rule table (log ID prefix fw-https-access, remainder of the ID unreadable); columns From IP, Interface, Action, Comment, Log; sample row 0.0.0.0/0, External, Accept.]
Lists the firewall rules that have been set up. These apply for incoming data packets of an HTTPS remote access attempt. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. The rules specified here only take effect if Enable HTTPS remote access is set to Yes.
5. ... at the start means that any directory is searched, even those at the top level (if this is empty). This cannot be combined with other characters, e.g. [wildcard]c is not permitted. Example: Name exe (separator and wildcard characters lost in the extraction) refers to all files with the extension exe that are located in the Name directory and any subdirectories.
- Missing files trigger an alarm: Missing files are files that were present during initialization. An alarm is also triggered if additional files are present.
- Include in check: Include: The files are included in the check. Each file name is compared with the templates in sequence. The first hit is decisive for the inclusion of the file in the integrity check. The file is not included if no hits are found. Exclude: The files are excluded from the check.
6.7.3 CIFS Integrity Monitoring >> CIFS Integrity Status
[Screenshot: CIFS Integrity Status page; example share "pc x7 scan", "Last check was OK", "Last check started 0 days and 0h 4m ago".]
- Checked CIFS Share: List with buttons for each individual network drive. Click on Show to see the result of the check or to carry out actions such as: start or cancel the check; update the integrity database (if the network drives to be checked have been intentionally changed). Click on Edit to revise the setting
6. Technical data, FL MGUARD GT/GT (values only; the row labels of this part of the table were not extracted):
- Contact discharge: 4 kV
- Air discharge: 8 kV
- 10 V/m, Criterion A
- 10 V, Criterion A
- Data lines: 1 kV, Criterion B
- Power supply lines: 0.5 kV, Criterion B
- Data lines: 1 kV asymmetrical, Criterion B
- Power supply lines: 0.5 kV symmetrical/asymmetrical, Criterion B
- Security appliance: firewall, routing, 1:1 NAT, VPN (optional)
- Conforms to standard IEEE 802.3, 802.3u, 802.3ab
- Stateful inspection
- Version 2c/3
- 128 x 110 x 69 (depth from top edge of DIN rail); 128 x 150 x 69 (depth from top edge of DIN rail, with FL MEM PLUG accessories)
- 20 °C to 60 °C; 40 °C to 85 °C (signs lost in the extraction)
- IP20 (IEC 60529)
- Class 3 (VDE 0106, IEC 60536)
- 5 % to 95 % (no condensation)
FL MGUARD General data (row labels only; the values were not extracted): Storage; Air pressure (Operation, Storage); Ambient compatibility; Mounting position; Connection to protective earth ground; Weight; Supply voltage US1/US2 (redundant): Connection, Nominal value, Permissible voltage range, Permissible ripple within the permissible voltage range, Test voltage, Maximum current consumption on US at 24 V DC, Maximum power consumption at nominal voltage; Interfaces: Number of Ethernet ports with Gigabit support; V.24 (RS-232) configuration interface: Connection format; Floating alarm contact: Voltage, Current carrying capacity; Ethernet interfaces, properties of RJ45 ports: Number, Connection format, Connection medium, Cable impedance, Transmission speed, Maximum network segment
7. [Screenshot: Dial-out settings with fields Idle timeout (Yes), Idle time (seconds) (0), Local IP, Remote IP, Netmask.]
Other common settings:
- Dial on demand: For both Yes and No: The telephone connection is always established by the FL MGUARD. Yes (default): This setting is useful for telephone connections where costs are calculated according to the connection time. The FL MGUARD only commands the modem to establish a telephone connection when network packets are to be transferred. It also instructs the modem to terminate the telephone connection as soon as no more network packets are to be transmitted for a specific time (see the value in the Idle timeout field). By doing this, the FL MGUARD is not constantly available externally, i.e. for incoming data packets.
Network >> Interfaces >> Dial-out (continued): The FL MGUARD also often or sporadically establishes a connection via the modem, or keeps a connection longer, if the following conditions apply. Often: The FL MGUARD is configured so that it synchronizes its system time (date and time) regularly with an external NTP server. Sporadically: The FL MGUARD acts as a DNS server and must perform a DNS request for a client. After a restart: An active VPN connection is set to initiate. If this is the case, the FL MGUARD establishes a connection a
8. Default setting: 100 percent.
- Keying tries (0 means unlimited tries): Number of attempts to negotiate new keys with the remote peer. The value 0 results in unlimited attempts for connections initiated by the FL MGUARD; otherwise it results in 5 attempts.
- Rekey (Yes/No): When set to Yes, the FL MGUARD will attempt to negotiate a new key when the old one expires.
- Dead Peer Detection: If the remote peer supports the Dead Peer Detection (DPD) protocol, the relevant partners can detect whether or not the IPsec connection is still valid and whether it needs to be established again.
IPsec VPN >> Connections >> Edit >> IKE Options (continued):
- Delay between requests for a sign of life: Period of time in seconds after which DPD Keep Alive requests should be sent. These requests test whether the partner is still available. Default setting: 30 seconds.
- Timeout for absent sign of life after which peer is assumed dead: Period of time in seconds after which the connection to the remote peer should be declared dead if there has been no response to the Keep Alive requests. Default setting: 120 seconds.
If the FL MGUARD finds that a connection is dead, it responds according to the setting under Connection startup (see the definition of this VPN connection under Connection startup on the General tab page).
10. Management >> System Settings >> Time and Date
[Screenshot: Time and Date page (tabs Time and Date, Signal Contact) with fields Current system time (UTC), Current system time (local), System time state, Hardware clock state, Local system time (example: 2009-09-18 15:46:08), Timezone in POSIX.1 notation, Time stamp in filesystem (2h granularity); NTP Server: Enable NTP time synchronization (Yes), NTP State, server 192.168.66.2.]
- Current system time (UTC): The current system time is displayed as Universal Time Coordinates (UTC). If NTP time synchronization is not yet activated (see below) and Time stamp in filesystem is deactivated, the clock will start at January 1, 2000.
- Current system time (local): Display. If the (sometimes different) current local time should be displayed, the corresponding entry must be made under Timezone in POSIX.1 notation (see below).
- System time state: Display. Indicates whether the FL MGUARD system time and run time have ever actually been synchronized with a valid time. If the FL MGUARD system time has not been synchronized, the FL MGUARD does not perform any time-controlled activities. These are as follows: Time-controlled pick-up of the configuration from a configuration server. This is the case when the Time Schedule setting is selected under the Management >> Central Management >> Configuration Pull menu item for the Pull Schedule setting (see Management >> Conf
11. The login parameters for SNMP v3 can only be changed using SNMPv3. If you wish to allow monitoring of the FL MGUARD via SNMP v1/v2, set this option to Yes. You must also enter the login data under SNMPv1/v2 Community. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the FL MGUARD.
- Port: Default: 161. If this port number is changed, the new port number only applies for access via the External, External 2, VPN and Dial-in interfaces. Port number 161 still applies for internal access. The remote peer that implements remote access may have to specify the port number defined here during entry of the address.
- Enter the required login data in this field.
- Read-Only Community: Enter the required login data in this field.
- Allowed Networks: Lists the firewall rules that have been set up. These apply for incoming data packets of an SNMP access attempt. The rules specified here only take effect if Enable SNMPv3 access or Enable SNMPv1/v2 access is set to Yes. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.
Management >> SNMP >> Query (continued): From IP
12. The mGuard incorporates certain free and open software. Some license terms associated with this software require that Innominate Security Technologies AG provides copyright and license information (see below for details). All the other components of the mGuard Firmware are Copyright 2001-2009 by Innominate Security Technologies AG. Last updated on 2009-07-31 for the mGuard 7.0.0 release.
License table (entries as far as readable in the extraction):
- busybox: GNU GPLv2
- bzip2: BSD style
- djbdns: Copyright 2001 D. J. Bernstein
- ebtables: GNU GPL
- EXT2 filesystem utilities (e2fsprogs): GNU GPLv2; lib/ext2fs: LGPLv2; lib/e2p: LGPLv2; lib/uuid: BSD style
- ez-ipupdate: GNU GPLv2
- fnord: GNU GPLv2
- freeradius: mostly GNU GPLv2/LGPLv2
- md2: Derived from the RSA Data Security, Inc. MD2 Message-Digest Algorithm
- md5: Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm
- libdes: BSD style
- FreeS/WAN
- libcrypto (Eric Young): BSD style
- OpenSSL: BSD style
- libaes: BSD style
- zlib: zlib license
- HTML Utilities: BSD style
(Further entries, e.g. atv and conntrack, are unreadable in the extraction.)
Lists the licenses of the external software used on the FL MGUARD. The software is usually open source software.
6.2.4 Management >> Update: With FL MGUARD firmware Version 5.0.0.0 or
13. [Screenshots of the Windows XP driver installation: (1) Found New Hardware Wizard with the options "Install the software automatically (Recommended)" and "Install from a list or specific location (Advanced)", and the note "Don't search. I will choose the driver to install. Choose this option to select the device driver from a list. Windows does not guarantee that the driver you choose will be the best match for your hardware." followed by "Click Next to continue"; (2) Hardware Installation warning: "The software you are installing for this hardware: Innominate mGuardPCI has not passed Windows Logo testing to verify its compatibility with Windows XP. (Tell me why this testing is important.) Continuing your installation of this software may impair or destabilize the correct operation of your system, either immediately or in the future. Microsoft strongly recommends that you stop this installation now and contact the hardware vendor for software that has passed Windows Logo testing." with the buttons Continue Anyway and STOP Installation; (3) Completing the Found New Hardware Wizard: "The wizard has finished installing the software for: Innominate mGuardPCI. Click Finish to close the wizard."]
Driver installation under Windows XP:
1. After inserting the data carrier, select the "Install from a list or specific location (Advanced)" option and click Next.
2. Click Next.
3. Click on Continue Anyway.
4. Click on Finish.
Under Window
14. ... of the entire network.
Under Windows: Install the program provided in the download area at www.innominate.com.
- If the Windows computer is connected to a network, disconnect it from the network.
- Copy the software to an empty folder on the Windows computer.
- Start the TFTPD32.EXE program. The host IP to be specified is 192.168.10.1. This must also be used as the address for the network card.
- Click on Browse to switch to the folder where the FL MGUARD image files are saved: install.p7s, jffs2.img.p7s.
- If a major release upgrade of the firmware is carried out by flashing, the license file purchased for the upgrade must also be stored here under the name licence.lic. Make sure that this is the correct license file for the device (see Management >> Update on page 6-32).
[Screenshot: Tftpd32 main window, Server interface 192.168.10.1, tabs Tftp Server / DHCP server, with the log:
Rcvd DHCP Discover Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.694]
DHCP: proposed address 192.168.10.200 [26/11 09:41:19.694]
Rcvd DHCP Rqst Msg for IP 0.0.0.0, Mac 00:0C:BE:01:00:EB [26/11 09:41:19.704]
Previously allocated address acked [26/11 09:41:19.714]
Connection received from 192.168.10.200 on port 1024 [26/11 09:41:19.774]
Read request for file <install.p7s>. Mode octet [26/11 09:41:19.774]
<install.p7s>: sent 4 blks, 2048 bytes in 1 s. 0 blk resent]
15. [Screenshot continued:
Connection received from 192.168.10.200 on port 1024 [26/11 09:41:20.786]
Read request for file <jffs2.img.p7s>. Mode octet [26/11 09:43:17.053]
<jffs2.img.p7s>: sent 14614 blks, 7482368 bytes in 11 s. 0 blk resent [26/11 09:43:28.008]]
Figure 7-2: Entering the host IP
7 Restart the recovery procedure and flashing the firmware
- Switch to the Tftp Server or DHCP server tab and click on Settings to set the parameters as follows:
[Screenshot: Tftpd32 Settings dialog. Base Directory. Global Settings: TFTP Server, Syslog Server (Save syslog message), TFTP Client, DHCP Server (checked). TFTP Security. TFTP configuration: Timeout (seconds) 3, Max Retransmit 6, Tftp port 69. DHCP: IP pool starting address 192.168.10.200, Size of pool 30, Boot File, WINS/DNS Server 0.0.0.0, Default router 0.0.0.0, Mask 255.255.255.0, Domain Name. Advanced TFTP Options: Option negotiation, Hide Window at startup, Show Progress bar, Create dir.txt files.]
16. [Screenshot residue of the Dial-out authentication page.]
- User name specified during Internet service provider login to access the Internet.
- Password specified during Internet service provider login to access the Internet.
- (Yes/No) The following two entry fields are shown when Yes is selected.
Network >> Interfaces >> Dial-out (continued):
- Server user name, Server password: User name and password that the FL MGUARD requests from the server. The FL MGUARD only allows the connection if the server returns the agreed user name/password combination.
- Subsequent fields: See under "If None is selected as the authentication method" on page 6-83.
If authentication is via CHAP: [Screenshot: Authentication: CHAP; fields Local name, Remote name, Secret for client authentication, CHAP server authentication, Password for server authentication, Dial on demand, Idle timeout, Idle time (seconds), Local IP, Remote IP, Netmask; a second screenshot shows the same page with "If None is selected as the authentication method".]
- Local name: A name for the FL MGUARD that it uses to log in to the Internet service provider. The service
17. Table of contents (fragment):
6.9.2 QoS >> [title unreadable] 6-198
6.9.3 Egress Queues (VPN) 6-199
6.9.4 Egress [title unreadable] 6-202
6.10 Redundancy 6-206
6.10.1 Ring/Network Coupling 6-206
6.11 Logging menu 6-207
6.11.1 Logging >> [title unreadable] 6-207
6.11.2 Logging >> Browse local logs 6-208
6.12 Support menu 6-212
6.12.1 Support >> Tools 6-212
6.12.2 Support >> Advanced 6-214
6.13 CIDR (Classless Inter-Domain Routing) 6-215
6.14 Network example diagram 6-216
7 Restart the recovery procedure and flashing the firmware 7-1
7.1 Performing a restart 7-1
7.2 Performing a recovery procedure 7-2
7.3 Flashi
18. Table of contents (fragment):
6.6.1 Network Security >> Packet Filter 6-130
6.6.2 Network Security >> DoS Protection 6-142
6.6.3 Network Security >> User Firewall 6-144
6.7 CIFS Integrity Monitoring menu 6-147
6.7.1 CIFS Integrity Monitoring >> Importable Shares 6-148
6.7.2 CIFS Integrity Monitoring >> CIFS Integrity Checking 6-149
6.7.3 CIFS Integrity Monitoring >> CIFS Integrity Status 6-155
6.7.4 CIFS Integrity Monitoring >> CIFS AV Scan Connector 6-158
6.8 IPsec VPN menu 6-161
6.8.1 IPsec VPN >> Global 6-161
6.8.2 IPsec VPN >> Connections 6-169
6.8.3 Defining a new VPN connection / VPN connection channels 6-170
6.8.4 IPsec VPN >> L2TP over IPsec 6-193
6.8.5 IPsec VPN >> IPsec Status 6-194
6.9 [title unreadable] 6-195
6.9.1 QoS >> [title unreadable]
19. A rule is defined by default that allows all outgoing connections. If no rule is defined, all outgoing connections are prohibited (excluding VPN).
- Protocol: TCP, UDP, ICMP, All.
- From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
- From Port / To Port (only evaluated for TCP and UDP protocols): any refers to any port. startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3 or pop3 for 110).
- Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts. Name of rule sets (if defined): When a name is specified for rule sets, the firewall rules saved under this name take effect (see the Sets of Rules tab page).
- Comment: Freely selectable comment for this rule.
Network Security >> Packet Filter >> Outgoing Rules (continued):
- Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes)
20. FL MGUARD GT/GT and FL MGUARD BLADE controller: If the FL MGUARD is in router mode, it acts as the gateway between various subnetworks and has both an external interface (WAN port) and an internal interface (LAN port) with at least one IP address.
The FL MGUARD is connected to the Internet or other external parts of the LAN via its WAN port. FL MGUARD SMART: The WAN port is the Ethernet female connector.
The FL MGUARD is connected to a local network or a single computer via its LAN port. FL MGUARD SMART: The LAN port is the Ethernet male connector. FL MGUARD PCI: In driver mode, the LAN port is represented by the network interface of the operating system that has the network card (operating system in this example). FL MGUARD PCI: In Power-over-PCI mode, the LAN port is the LAN female connector of the FL MGUARD PCI.
As in the other modes, firewall and VPN security functions are available.
If the FL MGUARD is operated in router mode, it must be set as the default gateway on the locally connected computers. This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway address on these computers.
NAT should be activated if the FL MGUARD is operated in router mode and establishes the connection to the Internet (see Network >> NAT on page 6-96). Only then can the computers in the connected local network access the Internet via the FL MGUARD. If NAT is not activated, it is possible that only VP
21. (Table columns: From IP, Interface, Action, Comment, Log.)
- From IP: Enter the address of the computer or network from which remote access is permitted or forbidden in this field. The following options are available: An IP address. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215). 0.0.0.0/0 means all addresses.
- Interface: External, Internal, External 2, VPN, Dial-in. Specifies to which interface the rules should apply. If no rules are set or if no rule applies, the following default settings apply: SNMP monitoring is permitted via Internal, VPN and Dial-in. Access via External and External 2 is refused. Specify the monitoring options according to your requirements.
NOTE: If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To prevent your own access being blocked, you may have to simultaneously permit access via another interface explicitly with Accept before the new setting takes effect by clicking on the Apply button. Otherwise, if your access is blocked, you must carry out the recovery procedure.
- Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop mea
22. Startup:
- Make any necessary network connections at the LAN port or WAN port (see Connecting to the network on page 4-6).
- Connect the corresponding device at the serial port as required (see Serial port on page 4-10).
Removal:
- Remove or disconnect the connections.
- To remove the FL MGUARD RS from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down (without tilting the screwdriver) and pull up the FL MGUARD RS.
4.3.2 Connecting the supply voltage
WARNING: The FL MGUARD RS is designed for operation with a DC voltage of 9 V DC ... 36 V DC SELV, 0.5 A maximum. Therefore only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the supply connections and the signal contact.
The supply voltage is connected via a terminal block with screw locking, which is located on the top of the device. [Figure: terminal block with the labels Supply voltage P1/P2, +24 V / 0 V, Modem, Fault.]
- Supply voltage: NEC Class 2 power source, 12 V DC or 24 V DC (25 % / 33 % tolerance; signs lost in the extraction), SELV/PELV, redundant inputs isolated, 5 A maximum.
- Buffer time: 10 ms minimum at 24 V DC.
Redundant power supply: A redundant supply voltage can be connected. Both inputs are isolated. The load is not distributed. With a redundant supply, the power supply unit with the higher output voltage supplies the FL MGUARD RS alo
23. ... should not be logged, set Log to No (default setting).
- Log entries for unknown connection attempts: When set to Yes, all connection attempts that are not covered by the rules defined above are logged (default setting: No).
6.6.1.3 Sets of Rules
[Screenshot: Network Security >> Packet Filter with the tabs Incoming Rules, Outgoing Rules, Sets of Rules, MAC Filtering; the Sets of Rules table contains an entry named "unnamed".]
Sets of rules can be defined and stored under a rule set name for structuring incoming and outgoing rules. A rule set can then be referenced in an incoming or outgoing rule, whereby the rules contained in the rule set are applied there. When defining a rule set, it is also possible to reference another defined rule set, i.e. using this rule set as a block in the current rule set.
Defining a new rule set:
- In the Sets of Rules table, click on Edit to the right of the "unnamed" entry under Name.
- If the "unnamed" entry cannot be seen, open another row in the table.
Editing a rule set:
- Click on Edit to the right of the relevant entry.
- If a firewall rule set comprises multiple firewall rules, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.
Network Security >> Packet Filter >> Sets of R
24. (Table header garbled in the extraction.) The remote peer shows the following: [certificate] signed by CA | [certificate] self-signed.
The FL MGUARD authenticates the remote peer using: All CA certificates that form the chain to the root CA certificate, together with the certificate shown by the remote peer, PLUS (if required) remote certificates, if used as a filter | Remote certificate.
The remote peer can additionally provide sub-CA certificates. In this case the FL MGUARD can form the set union for creating the chain from the CA certificates provided and the self-configured CA certificates. The corresponding root CA certificate must always be available on the FL MGUARD. See Management >> Web Settings on page 6-18 and Access on page 6-20.
Authentication for VPN: The remote peer shows the following: Machine certificate signed by CA | Machine certificate self-signed.
The FL MGUARD authenticates the remote peer using: Remote certificate, or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the remote peer | Remote certificate.
NOTE: It is not sufficient to simply install the certificates to be used on the FL MGUARD under Authentication >> Certificates. In addition, the FL MGUARD certificate imported from the pool that is to be used must be referenced in the relevant applications (VPN
25. ... are created from the responses, and these can be requested via SNMP.
Management >> SNMP >> LLDP
[Screenshot: LLDP page with the sections Internal (LAN interface) and External (WAN interface); columns Mode, Chassis ID, IP address, Port description, System name; Update button.]
- Mode (Enabled/Disabled): The LLDP service or agent can be globally enabled or disabled here. If the function is enabled, this is indicated by a green signal field on the tab at the top of the page. If the signal field is red, the function is disabled.
- Chassis ID: A unique ID of the computer found, typically one of its MAC addresses.
- IP address: IP address of the computer found, which can be used to perform administrative activities via SNMP.
- Port description: A textual description of the network interface where the computer was found.
- System name: Hostname of the computer found.
- Button Update: To update the displayed data if necessary, click on Update.
6.2.7 Management >> Central Management
6.2.7.1 Configuration Pull
[Screenshot: Configuration Pull page with the fields Pull Schedule (Never), Server (config.example.com), Directory, Filename ("When empty, VB0815.atv will be used"), Number of times a configuration profile is ignored after it was rolled back, Download timeout (seconds) (120), Login (anonymous), Password, Server Certificate.]
- Server Certificate: The server's certificate is needed here if
26. [Glossary, continued] ... concepts are available, enabling the complex additional administration of symmetrical keys to be avoided.
DES / 3DES: This symmetrical encryption algorithm (see Symmetrical encryption on page 8-6) was developed by IBM and checked by the NSA. DES was specified in 1977 by the American National Bureau of Standards, the predecessor of the National Institute of Standards and Technology (NIST), as the standard for American governmental institutions. As this was the very first standardized encryption algorithm, it quickly won acceptance in industrial circles both inside and outside America. DES uses a 56-bit key length, which is no longer considered secure, as the available processing power of computers has greatly increased since 1977. 3DES is a variant of DES. It uses keys that are three times as long, i.e., 168 bits in length. Still considered to be secure today, 3DES is included in the IPsec standard, for example.
AES: AES (Advanced Encryption Standard) was developed by NIST (National Institute of Standards and Technology) in cooperation with the industry. This symmetrical encryption standard was developed to replace the earlier DES standard. AES specifies three different key lengths: 128, 192 and 256 bits. In 1997, NIST started the AES initiative and published its conditions for the algorithm. From the many proposed encryption algorithms, NIST selected a total of five algorithms for closer examination: MARS, RC6, Rijndael, Serpent and Twofish. In ...
27. [Table of contents, continued]
      >> Configuration Profiles ........ 6-35
6.2.6 Management >> SNMP ........ 6-37
6.2.7 Management >> Central Management ........ 6-47
6.2.8 Management >> Restart ........ 6-51
6.3   Blade Control menu ........ 6-52
6.3.1 Blade Control >> Overview ........ 6-52
6.3.2 Blade Control >> Blade 01 to 12 ........ 6-53
6.4   Network menu ........ 6-55
6.4.1 Network >> Interfaces ........ 6-55
6.4.2 Network >> NAT ........ 6-96
6.4.3 Network >> DNS ........ 6-100
6.4.4 Network >> DHCP ........ 6-106
6.4.5 Network >> Proxy Settings ........ 6-110
6.5   Authentication menu ........ 6-111
6.5.1 Authentication >> Local Users ........ 6-111
6.5.2 Authentication >> Firewall Users ........ 6-113
6.5.3 Authentication >> Certificates ........ 6-116
6.6   Network Security menu ........ 6-130
28. [CIFS Integrity Monitoring, continued] ... >> CIFS Integrity Checking >> Settings >> Edit, so that the template is activated. Click on Edit to define a set of rules for the files to be checked and save this under the defined name.
CIFS Integrity Monitoring >> CIFS Integrity Checking (screenshot): Set of Filename Patterns: Windows executables. Rules for files to check (filename pattern / action):
pagefile.sys  Exclude
pagefile.sys  Exclude
*.exe  Include
(pattern illegible in the scan)  Include
(pattern illegible in the scan)  Include
*.bat  Include
*.cmd  Include
Each filename is matched against the list of patterns in sequence. The first match determines whether the file is to be guarded by the integrity check. If no match is found, the file is not included.
CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns >> Edit
Rules for files to check, Filename pattern: The following rules apply. *\*.exe means that the files located in a specific directory and with file extension .exe are checked or excluded. Only one placeholder (*) is permitted per directory or file name. Placeholders (*) represent characters, e.g., \win*\*.exe returns files with the extension .exe that are located in a directory that begins with "win".
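The first-match rule list described above, as an added example (not code from the manual or from the FL MGUARD): a share-relative path is walked against the pattern list in order, the first hit decides Include/Exclude, and no hit means "not checked". It assumes, since the page does not say, that a "*" placeholder never spans a "\" separator, and the rule set is constructed (two rows of the manual's table are illegible).

```python
"""Added example (not from the FL MGUARD manual): first-match evaluation of a
CIFS integrity-check filename-pattern list as the manual describes it."""
import re
from typing import List, Optional, Tuple

# A rule is (pattern, action); action is "Include" or "Exclude".
Rule = Tuple[str, str]

# Constructed rule set modelled on the manual's "Windows executables" table.
# Two rows of that table are illegible in the scan, so this list is our own.
WINDOWS_EXECUTABLES: List[Rule] = [
    (r"\pagefile.sys", "Exclude"),   # the swap file in the share root
    (r"*\pagefile.sys", "Exclude"),  # the swap file one directory down
    (r"*\*.exe", "Include"),
    (r"*\*.bat", "Include"),
    (r"*\*.cmd", "Include"),
]


def _components(path: str) -> List[str]:
    """Split a share-relative path on '\\'; a leading '\\' is ignored."""
    return path.lstrip("\\").split("\\")


def pattern_is_valid(pattern: str) -> bool:
    """The manual's rule: at most one placeholder per directory or file name."""
    return all(component.count("*") <= 1 for component in _components(pattern))


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a pattern into a regex.

    Assumption (not stated on the page): '*' stands for any run of characters
    within a single directory or file name and never spans a '\\' separator.
    Matching is case-insensitive, as Windows file names are.
    """
    if not pattern_is_valid(pattern):
        raise ValueError(f"more than one placeholder per component in {pattern!r}")
    regex_parts = []
    for component in _components(pattern):
        literals = (re.escape(piece) for piece in component.split("*"))
        regex_parts.append(r"[^\\]*".join(literals))
    return re.compile("^" + r"\\".join(regex_parts) + "$", re.IGNORECASE)


def matches(pattern: str, filename: str) -> bool:
    return compile_pattern(pattern).match(filename.lstrip("\\")) is not None


def first_match(rules: List[Rule], filename: str) -> Optional[str]:
    """Walk the list in sequence; the first matching rule decides. None = no match."""
    for pattern, action in rules:
        if matches(pattern, filename):
            return action
    return None


def is_guarded(rules: List[Rule], filename: str) -> bool:
    """A file is covered by the integrity check only when its first matching
    rule says Include; an Exclude match or no match at all leaves it unchecked."""
    return first_match(rules, filename) == "Include"


if __name__ == "__main__":
    # Constructed sample paths, relative to the CIFS share root.
    for name in (r"\pagefile.sys", r"windows\notepad.exe", r"temp\pagefile.sys",
                 r"windows\system32\cmd.exe", r"readme.txt"):
        print(f"{name:28} -> {first_match(WINDOWS_EXECUTABLES, name)}")
```

Note that with the single-component placeholder assumption, "windows\system32\cmd.exe" is reached by none of the rules above and therefore stays unchecked; a pattern per directory depth is needed to cover deeper trees.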
29. [Management >> Web Settings >> Access, continued] ... on the FL MGUARD (see Authentication >> Certificates on page 6-116). If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates, Certificate settings menu item, each certificate signed by a CA that is shown by the SSH client must be checked for revocations.
Management >> Web Settings >> Access, CA certificate: This configuration is only necessary if the user access via HTTPS shows a certificate signed by a CA. All CA certificates required by the FL MGUARD to form the chain to the relevant root CA certificate with the certificates shown by the user must be configured. If the browser of the remote user also provides CA certificates that contribute to forming the chain, then it is not necessary for these CA certificates to be installed on the FL MGUARD and referenced at this point. However, the corresponding root CA certificate must be installed on the FL MGUARD and made available (referenced) at all times. When selecting the CA certificates to be used, or when changing the selection or the filter settings, you must first select and test the "Login with X.509 client certificate or password" option as the user authentication method before enabling the new setting. Only switch to "Login restricted to X.509 client certificate" when you are sure that this setting works. Otherwise your access could be blocked. Always take this precautionary measure when mod...
30. [Ordering data, continued: patch cables and accessories. The descriptions of the first seven CAT6 cables follow the pattern of the rows that are legible in this excerpt.]
Description | Order designation | Order No. | Pcs./Pkt.
Patch cable, CAT6, pre-assembled, 1.0 m long | FL CAT6 PATCH 1,0 | 2891385 | 10
Patch cable, CAT6, pre-assembled, 1.5 m long | FL CAT6 PATCH 1,5 | 2891482 | 10
Patch cable, CAT6, pre-assembled, 2.0 m long | FL CAT6 PATCH 2,0 | 2891589 | 10
Patch cable, CAT6, pre-assembled, 3.0 m long | FL CAT6 PATCH 3,0 | 2891686 | 10
Patch cable, CAT6, pre-assembled, 5.0 m long | FL CAT6 PATCH 5,0 | 2891783 | 10
Patch cable, CAT6, pre-assembled, 7.5 m long | FL CAT6 PATCH 7,5 | 2891880 | 10
Patch cable, CAT6, pre-assembled, 10 m long | FL CAT6 PATCH 10 | 2891887 | 10
Patch cable, CAT6, pre-assembled, 12.5 m long | FL CAT6 PATCH 12,5 | 2891369 | 5
Patch cable, CAT6, pre-assembled, 15 m long | FL CAT6 PATCH 15 | 2891372 | 5
Patch cable, CAT6, pre-assembled, 20 m long | FL CAT6 PATCH 20 | 2891576 | 5
Patch cable, CAT5, pre-assembled, 0.3 m long | FL CAT5 PATCH 0,3 | 2832250 | 10
Patch cable, CAT5, pre-assembled, 0.5 m long | FL CAT5 PATCH 0,5 | 2832263 | 10
Patch cable, CAT5, pre-assembled, 1.0 m long | FL CAT5 PATCH 1,0 | 2832276 | 10
Patch cable, CAT5, pre-assembled, 1.5 m long | FL CAT5 PATCH 1,5 | 2832221 | 10
Patch cable, CAT5, pre-assembled, 2.0 m long | FL CAT5 PATCH 2,0 | 2832289 | 10
Patch cable, CAT5, pre-assembled, 3.0 m long | FL CAT5 PATCH 3,0 | 2832292 | 10
Patch cable, CAT5, pre-assembled, 5.0 m long | FL CAT5 PATCH 5,0 | 2832580 | 10
Patch cable, CAT5, pre-assembled, 7.5 m long | FL CAT5 PATCH 7,5 | 2832616 | 10
Patch cable, CAT5, pre-assembled, 10.0 m long | FL CAT5 PATCH 10 | 2832629 | 10
Color coding for FL CAT5/6 PATCH, black | FL PATCH CCODE BK | 2891194 | 20
Color coding for FL CAT5/6 PATCH, brown | FL PATCH CCODE BN | 2891495 | 20
Color coding for FL CAT5/6 PATCH, blue | FL PATCH CCODE BU | 2891291 | 20
Color coding for FL CAT5/6 PATCH, green | FL PATCH CCODE GN | 2891796 | 20
Color coding for FL CAT5/6 PATCH, gray | FL PATCH CCODE GY | 2891699 | 20
Color coding for FL CAT5/6 PATCH, red | FL PATCH CCODE RD | 2891893 | 20
Color coding for FL CAT5/6 PATCH, violet | FL PATCH CCODE VT | 2891990 | 20
Color coding for FL CAT5/6 PATCH, yellow | FL PATCH CCODE YE | 2891592 | 20
Lockable security element for FL CAT5/6 PATCH | FL PATCH GUARD | 2891424 | 20
Color coding for FL PATCH GUARD, black | FL PATCH GUARD CCODE BK | 2891136 | 12
Color coding for FL PATCH GUARD, blue | FL PATCH GUARD CCODE BU | 2891233 | 12
Color coding for FL PATCH GUARD, green | FL PATCH GUARD CCODE GN | 2891631 | 12
Color coding for FL PATCH GUARD, orange | FL PATCH GUARD CCODE OG | 2891330 | 12
Color coding for FL PATCH GUARD, red | FL PATCH GUARD CCODE RD | 2891738 | 12
Color coding for FL PATCH GUARD, turquoise | FL PATCH GUARD CCODE TQ | 2891534 | 12
Color coding for FL PATCH GUARD, violet | FL PATCH GUARD CCODE VT | 2891835 | 12
Color coding for FL PATCH GUARD, yellow | FL PATCH GUARD CCODE YE | 2891437 | 12
Key for FL PATCH GUARD | FL PATCH GUARD KEY | 2891521 | 1
Security element for FL CAT 5/6 PATCH | FL PATCH SAFE CLIP | 2891246 | 20
31. [Glossary: X.509 certificate, continued] ... the X.509 authentication method ensures that the correct partners communicate with each other. An incorrect communication partner is one who falsely identifies themselves as someone they are not (see glossary under X.509 Certificate).
Certificate: A certificate is used as proof of the identity of the certificate owner. The relevant authorizing body in this case is the CA (certification authority). The digital signature on the certificate is provided by the CA. By providing this signature, the CA confirms that the authorized certificate owner possesses a private key that corresponds to the public key in the certificate. The name of the certificate issuer appears under Issuer on the certificate, while the name of the certificate owner appears under Subject.
Self-signed certificates: A self-signed certificate is one that is signed by the certificate owner and not by a CA. In self-signed certificates the name of the certificate owner appears under both Issuer and Subject. Self-signed certificates are used if communication partners want to, or must, use the X.509 authentication method without having or using an official certificate. This type of authentication should only be used between communication partners that know and trust each other. Otherwise, from a security point of view, such certificates are as worthless as a home-made passport without the official stamp. Certificates are shown to all communication partners (users or machines) during ...
32. HOTLINE: Should problems occur that cannot be resolved with the help of this documentation, please contact our hotline: +49 52 81 94 62 88 8.
33. [IPsec VPN >> Connections >> Edit >> Authentication, continued] Installing the remote certificate: The remote certificate must be configured if the VPN remote peer should be authenticated using a remote certificate. To import a certificate, proceed as follows. Requirement: The certificate file (file name extension .pem, .cer or .crt) is saved on the connected computer.
- Click on Browse to select the file.
- Click on Upload. The contents of the certificate file are then displayed.
IPsec VPN >> Connections >> Edit >> Authentication: VPN Identifier, Authentication method, CA certificate. The following explanation applies if the VPN remote peer is authenticated using CA certificates. VPN gateways use the VPN identifier to determine which configurations belong to the same VPN connection. If the FL MGUARD consults CA certificates to authenticate a VPN remote peer, then it is possible to use the VPN Identifier as a filter.
- Make a corresponding entry in the Remote field.
Local (default: empty field): The local VPN identifier can be used to specify the name the FL MGUARD uses to identify itself to the remote peer. It must match the data in the machine certificate of the FL MGUARD. Valid values: Empty, i.e., no entry (default): the Subject entry (previously Distinguished Name) in the ...
34. [Support >> Advanced, continued] 6.12.2.1 Hardware: This page lists various hardware properties of the FL MGUARD. Support >> Advanced >> Hardware, Hardware Information: CPU, CPU Family, CPU Stepping, CPU Clock Speed, System Uptime, User Space Memory, MAC 1, MAC 2, Product Name, OEM Name, OEM Serial Number, Serial Number, Flash ID, Hardware Version, Version, Parameterset.
6.12.2.2 Snapshot: This function is used for support purposes. Support >> Advanced >> Snapshot, Support Snapshot: It creates a compressed file in tar.gz format containing all current configuration settings and log entries that could be relevant to error diagnostics. This file does not contain any private information such as private machine certificates or passwords. However, any pre-shared keys of VPN connections are contained in snapshots. To create a snapshot, proceed as follows:
- Click on Download.
- Save the file under the name snapshot.tar.gz.
Provide the file to the Support team if required.
6.13 CIDR (Classless Inter-Domain Routing): IP subnet masks and CIDR are methods of notation which combine several IP addresses to create a single address area. An area comprising consecutive addresses is handled like a network. To specify an area of IP addresses for the FL MGUARD, e.g., when configuring the firewall, it may be necessary to specify the a...
35. 3 Operating elements and indicators. The FL MGUARD RS (B) is a router which offers static routing, NAT, 1:1 NAT and port forwarding functions. Not all of the functions described in this user manual are supported by all device versions.
3.1 FL MGUARD RS
[Figure 3-1: Operating elements and indicators on the FL MGUARD RS. Labels: supply voltage US1 / US2; status and diagnostic indicators (P1, P2, Modem, Fault, State, Error, LAN, WAN); serial interface; unsecure WAN port; secure LAN port; rescue button; connection for signal contact. FL MGUARD RS, Ord. No. 2989310.]
Table 3-1 Indicators on the FL MGUARD RS:
P1: Power supply 1 is active.
P2: Power supply 2 is active.
Modem, green ON: Connection via modem established.
Fault, red ON: The signal contact is open due to an error (see Installing the FL MGUARD RS on page 4-4 and Signal contact on page 4-8). The signal contact is interrupted during a restart.
State, green flashing: Heartbe...
36. [IPsec VPN >> Connections >> Edit >> Firewall, continued. Screenshot: Incoming and Outgoing rule tables, each with a default rule "From IP 0.0.0.0/0, To IP 0.0.0.0/0, Action Accept, Comment: default rule (please adapt), Log: No", a Log ID of the form fw-vpn-out-<id>, and "Log entries for unknown connection attempts: No".]
Incoming / Outgoing: While the settings made under the Network Security menu item only relate to non-VPN connections (see above under Network Security menu on page 6-130), the settings here only relate to the VPN connection defined on these tab pages. If multiple VPN connections have been defined, you can limit the outgoing or incoming access individually for each connection. Any attempts to bypass these restrictions can be logged. The VPN firewall is set by default to allow all connections for this VPN connection. However, the extended firewall settings defined and explained above apply independently for each individual VPN connection (see Network Security menu on page 6-130, Network Security >> Packet Filter on page 6-130, Advanced on page 6-138). If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. In stealth mode, the actual IP address used by the client should be used in the firewall rules, or i...
37. [Blade Control, continued] 6.3.2.2 Configuration. Blade Control >> Blade 01 (screenshot): Blade in slot 01. Configuration: No configuration file. Configuration backup Blade 01 -> Controller. Reconfiguration if Blade 01 is replaced: Manual. Delete configuration backup of Blade 01: Delete. Upload configuration from client: Browse, Upload from client. Download configuration to client.
Blade Control >> Blade xx >> Configuration:
Configuration backup, Blade -> Controller: Automatic: The new configuration is stored automatically on the controller shortly after a configuration change on the FL MGUARD. Manual: The configuration can be stored on the controller by clicking on Backup. Click on Restore to transfer the configuration stored on the controller to the FL MGUARD.
Configuration: The status of the stored configuration is displayed for each blade: No configuration file; Obsolete; Current; File will be copied; Blade has been replaced. If the blade was reconfigured after a manual configuration backup but the new configuration was not saved, the configuration stored on the controller is out of date. This is indicated on the Configuration tab page by "Configuration: Obsolete" (see the above screenshot). This indicates that something has been overlooked; in this case you must back up the configuration on the controlle...
38. [Logging >> Browse local logs, continued. Screenshot: log categories (Network Security, CIFS AV Scan Connector, CIFS Integrity Checking, IPsec VPN) and the "Jump to firewall rule" field containing a rule ID of the form fw-https-access-<id>.]
2. Copy this section into the "Jump to firewall rule" field.
3. Click on Lookup. The configuration page containing the firewall rule that the log entry refers to is displayed.
Blade: In addition to error messages, the following messages are output on the blade controller. The areas enclosed by < and > are replaced by the relevant data in the log entries:
blade daemon <version> starting
Blade <bladenr> online
Blade <bladenr> is mute
Blade <bladenr> not running
Reading timestamp from blade <bladenr>
Push configuration to blade <bladenr>
reconfiguration of blade <bladenr> returned <returncode>
blade <bladenr>: <text>
Pull configuration from blade <bladenr>
Pull configuration from blade <bladenr> returned <returncode>
CIFS AV Scan Connector: In this log, CIFS server messages are displayed which are operated by the FL MGUARD for the enabling process. In addition, messages that occur when connecting the network drives, and that are grouped together and provided by the CIFS server, are also visible.
CIFS Integrity Checking: Messages relating to the int...
39. [Network Security >> Packet Filter >> Advanced, continued] Options: Allow forwarding of GVRP frames; Allow forwarding of STP frames; Allow forwarding of DHCP frames.
ICMP from external to the FL MGUARD: This option can be used to control the behavior of the FL MGUARD when ICMP messages are received from the external network via the primary/secondary interface. Regardless of the setting specified here, incoming ICMP packets are always accepted if SNMP access is activated. Drop: All ICMP messages to the FL MGUARD are dropped. Allow ping requests: Only ping messages (ICMP type 8) to the FL MGUARD are accepted. Allow all ICMPs: All ICMP messages to the FL MGUARD are accepted.
Allow forwarding of GVRP frames (Yes / No): The GARP VLAN Registration Protocol (GVRP) is used by GVRP-capable switches to exchange configuration information. If this option is set to Yes, GVRP packets are allowed to pass through the FL MGUARD in stealth mode.
Allow forwarding of STP frames (Yes / No): The Spanning Tree Protocol (STP, 802.1d) is used by bridges and switches to detect and consider loops in the cabling. If this option is set to Yes, STP packets are allowed to pass through the FL MGUARD in stealth mode.
Allow forwarding of DHCP frames (Yes / No): When set to Yes, the client is allowed to obtain an IP address via DHCP regardless of the firewall rules for outgoing data traffic. This option is set to Yes by default.
Network Security >> Packet Filter >> Advanced (continued), Connection Tracking, Maximum table size: This entry specifies an upp...
40. [Management >> Update, continued] Local Update, Filename: To install the packages, proceed as follows:
- Click on Browse, select the file and open it so that the file name or path is displayed in the Filename field. The file name must have the following format: update-a.b.c-d.e.f.default.tar.gz
- Then click on Install Packages.
Online Update: To perform an online update, proceed as follows:
- Make sure that there is at least one valid entry under Update Servers. You should have received the necessary details from your licenser.
- Enter the name of the package set, e.g., update-4.0.x-4.1.0.
- Then click on Install Package Set.
Automatic Updates: This is a version of the online update where the FL MGUARD independently determines the required package set.
Install the latest patch release x.y.Z: Patch releases resolve errors in previous versions and have a version number which only changes in the third digit position. For example, 4.0.1 is a patch release for version 4.0.0.
Install the latest minor release x.Y.z for the currently installed major version / Install the next major release X.y.z: Minor and major releases supplement the FL MGUARD with new properties or contain changes that affect the behavior of the FL MGUARD. Their version number changes in the first or second digit position. For example, 4.1.0 is a major or minor release for versions 3.1.0 or 4.0.1 respectively.
Update Servers: Specify fro...
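The three automatic-update choices above, as an added example (not the FL MGUARD's own update logic): given the installed version and a constructed list of package sets, each function selects what the manual's digit-position rules imply. Choosing the highest package set within the next major version is our own assumption.

```python
"""Added example (not the FL MGUARD's own code): which package set each of the
manual's three automatic-update options selects, following the numbering rules
it describes (patch = third digit, minor = second digit, major = first digit)."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'4.0.1' -> (4, 0, 1); raises ValueError on anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"not an x.y.z version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def _highest(candidates: List[Version]) -> Optional[str]:
    return format_version(max(candidates)) if candidates else None


def latest_patch(installed: str, available: List[str]) -> Optional[str]:
    """'Install the latest patch release x.y.Z': first two digits unchanged,
    third digit higher than the installed one."""
    cur = parse_version(installed)
    cands = [v for v in map(parse_version, available)
             if v[:2] == cur[:2] and v[2] > cur[2]]
    return _highest(cands)


def latest_minor(installed: str, available: List[str]) -> Optional[str]:
    """'Install the latest minor release x.Y.z for the currently installed major
    version': first digit unchanged, second digit higher."""
    cur = parse_version(installed)
    cands = [v for v in map(parse_version, available)
             if v[0] == cur[0] and v[1] > cur[1]]
    return _highest(cands)


def next_major(installed: str, available: List[str]) -> Optional[str]:
    """'Install the next major release X.y.z': first digit exactly one higher.
    Assumption (ours): among several X.y.z package sets the highest is chosen."""
    cur = parse_version(installed)
    cands = [v for v in map(parse_version, available) if v[0] == cur[0] + 1]
    return _highest(cands)


# Constructed list of package sets as an update server might offer them.
AVAILABLE = ["3.1.0", "4.0.0", "4.0.1", "4.0.3", "4.1.0", "4.2.1", "5.0.0", "5.0.2"]

if __name__ == "__main__":
    for installed in ("4.0.1", "3.1.0"):
        print(installed, "-> patch:", latest_patch(installed, AVAILABLE),
              "minor:", latest_minor(installed, AVAILABLE),
              "major:", next_major(installed, AVAILABLE))
```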
41. [Authentication >> Certificates >> Machine Certificates. Screenshot of an imported certificate: Subject: CN=VPN terminal machine 06, O=Sample Supplier, C=UK. Subject Alternative Names. Issuer: CN=VPN SubCA 01, O=Sample Supplier, C=UK. Valid from Jun 20 12:05:12 2007 GMT to Jun 20 12:05:12 2010 GMT. Fingerprint MD5 and SHA1 (values not reproduced here). Shortname: terminal machine 06. Upload: Filename, Browse; Import; PKCS#12 Password. Certificate: Current Certificate File.]
Authentication >> Certificates >> Machine Certificates, Machine Certificates: Shows the currently imported X.509 certificates that the FL MGUARD uses to authenticate itself to remote peers, e.g., other VPN gateways.
Importing a new machine certificate: To import a new certificate, proceed as follows. Requirement: The PKCS#12 file (file name extension .p12 or .pfx) is saved on the connected computer. Proceed as follows:
- Click on Browse to select the file.
- In the Password field, enter the password used to protect the private key of the PKCS#12 file.
- Click on Import. Once imported, the loaded certificate appears under Certificate.
- Remember to save the imported certificate along with the other entries by clicking on the Apply button.
Shortname: When importing a machine ce...
42. [Installation, continued] Lower area on front with terminal strip (FL MGUARD RS VPN ANALOG): Service (I, CMD, ACK); TIP / RING (telephone line, analog connection); functional earth ground; signal contact; service contacts (as above). Figure 4-4: FL MGUARD RS VPN ANALOG with modem.
Lower area on front with terminal strip (FL MGUARD RS VPN ISDN): Service (I, CMD, ACK); ISDN line (TX, TX, RX, RX); functional earth ground; signal contact; service contacts (as above). Figure 4-5: FL MGUARD RS VPN ISDN with ISDN terminal adapter.
Functional earth ground: The functional earth ground can be used by the operator. This connection is electrically connected to the back of the FL MGUARD RS. The FL MGUARD RS is grounded when it is mounted on a DIN rail with the metal clamp which connects the back of the device to the DIN rail. The DIN rail must be grounded.
Signal contact: WARNING: Only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the signal contact. The signal contact monitors the operation of the FL MGUARD RS and thus enables remote diagnostics. Interruption of the contact via the floating signal contact (relay contact, closed current circuit) indicates the following: failure of at least one of the two supply voltages; power supply of the FL MGUARD RS below the specified limit value (supply voltage 1 and/or 2 is less than 9 V); the faulty link status of at leas...
43. [Flashing the firmware, continued. Figure 7-3: Tftpd32 settings; screenshot options include "Translate Unix file names", "Beep for long transfer", "Use Tftpd32 only on this interface", "Use anticipation window of ... bytes", "Allow \ as virtual root".]
Under Linux: All current Linux distributions include DHCP and TFTP servers.
- Install the corresponding packages according to the instructions provided for the relevant distribution.
- Configure the DHCP server by making the following settings in the /etc/dhcpd.conf file (settings for ISC DHCP 2.0; braces and semicolons as required by the dhcpd.conf syntax):
    subnet 192.168.134.0 netmask 255.255.255.0 {
        range 192.168.134.100 192.168.134.119;
        option routers 192.168.134.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.134.255;
    }
This example configuration provides 20 IP addresses (.100 to .119). It is assumed that the DHCP server has the address 192.168.134.1.
The required TFTP server is configured in the following file: /etc/inetd.conf.
- In this file, insert the corresponding line or set the necessary parameters for the TFTP service (directory for data: /tftpboot):
    tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot
The FL MGUARD image files must be saved in the /tftpboot directory: install.p7s, jffs2.img.p7s.
- If a major release upgrade of the firmware is carried out by flashing, the license file purchased for the upgrade must also be stored here under the name licence.lic. Make sure that this is the correct license file for the device (see Mana...
44. [Glossary: IPsec, continued] ... IPsec header is inserted between the IP header and the TCP or UDP header, respectively, in each IP datagram. Since the IP header remains unchanged, this mode is only suitable for host-to-host connections. In tunnel mode, an IPsec header and a new IP header are prefixed to the entire IP datagram. This means the original datagram is encrypted in its entirety and stored in the payload of the new datagram. Tunnel mode is used in VPN applications. The devices at the ends of the tunnel ensure that the datagrams are encrypted before they pass through; in other words, the actual datagrams are completely protected during transfer over a public network.
NAT (Network Address Translation): Network Address Translation (NAT), also known as IP masquerading, hides an entire network behind a single device known as a NAT router. If you communicate externally via a NAT router, the internal computers in the local network and their IP addresses remain hidden. The remote communication partner will only see the NAT router with its own IP address. In order to allow internal computers to communicate directly with external computers on the Internet, the NAT router must modify the IP datagrams that are sent from internal computers to remote peers and received by internal computers from remote peers. If an IP datagram is sent from the internal network to a ...
45. [Figure 3-2: Operating elements and indicators on the FL MGUARD GT/GT. Labels: LAN diagnostic status indicators; X6, X7, X8; US1 GND, MC1 GND, R1 R2; MEM; MAC address per port; general diagnostic status indicators; supply voltage US1; Mini-DIN V.24 (RS-232) interface; connection for RJ45 ports; SFP slots; supply voltage US2; VPN enable button; floating signal contact; M12 female connector for parameterization memory.]
3.2.1 Connecting the supply voltage and the VPN enable button: The FL MGUARD GT/GT is operated with a 24 V DC voltage which is applied via COMBICON terminal blocks X5 (US1 and GND). COMBICON terminal blocks X6 (MC1 and GND) offer two functions: connection of the redundant supply voltage with monitoring by the device; connection of a VPN enable button for devices with VPN function.
3.2.1.1 Supplying the device using one voltage source [Figure 3-3: Supplying the device using one voltage source (terminals US1, GND, GND, R1, R2; OUT).]
3.2.1.2 Redundant 24 V DC supply [Figure 3-4: Supplying the device using two voltage sources (terminals US1, GND, GND, R1, R2).]
3.2.1.3 Supplying the devi...
46. [CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit, continued] Time schedule (Mondays, Tuesdays, etc., at xx h xxx m): You can start a check every day or on a specific weekday at a specific time (hours, minutes). The FL MGUARD system time must be set for the time schedule to work properly. Integrity checks cannot be performed if the system time is not synchronized. This can be carried out manually or via NTP (see Time and Date on page 6-7). A check is only started if the FL MGUARD is operating at the set time. If the FL MGUARD is not operating at the time, a check is not performed later when the FL MGUARD is started up again. The check can also be started manually (CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Actions on page 6-156).
Maximum time a check may take: Maximum duration of the check sequence in minutes. You can thus ensure that the check is completed in good time, e.g., before a shift starts.
Checksum Algorithm (SHA-1, MD5, SHA-256): Checksum algorithms such as MD5, SHA-1 or SHA-256 are used to check whether a file has been changed. SHA-256 is more secure than SHA-1, but it takes longer to process.
CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit (continued), To be stored on CIFS share: In order to perform the check, the FL MGUARD must be provided with a network drive for storing the files. The checksum memory can be accessed via the externa...
47. [Glossary, continued] ... October 2000, the Rijndael algorithm was adopted as the encryption algorithm.
CA certificate: How trustworthy is a CA certificate and the issuing CA (certification authority)? An X.509 v3 certificate thus comprises a public key, information about the key owner (the Distinguished Name (DN), authorized use, etc.) and the signature of the CA (see Subject certificate on page 8-7). A CA certificate can be consulted in order to check a certificate bearing this CA's signature. This check only makes sense if there is little doubt that the CA certificate originates from an authentic source, i.e., is authentic. In the event of doubt, the CA certificate itself can be checked. If, as is usually the case, the certificate is a sub-CA certificate, i.e., a CA certificate issued by a sub-certification authority, then the CA certificate of the superordinate CA can be used to check the CA certificate of the subordinate instance. If a superordinate CA certificate is in turn subordinate to a superordinate CA, then its CA certificate can be used to check the CA certificate of the subordinate instance, etc. This chain of trust continues down to the root instance, the root CA or certification authority. The root CA's CA file is necessarily self-signed, since this instance ...
48. Network Security >> Packet Filter >> Incoming Rules (continued):
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
Log entries for unknown connection attempts: When set to Yes, all connection attempts that are not covered by the rules defined above are logged (default setting: No).
External 2 and Any External are only for devices with a serial interface (see Network >> Interfaces on page 6-55).
6.6.1.2 Outgoing Rules. Network Security >> Packet Filter, tabs: Incoming Rules, Outgoing Rules, Sets of Rules, MAC Filtering. Outgoing (screenshot): default rule From IP 0.0.0.0/0, To IP 0.0.0.0/0, Action Accept, Comment "default rule", Log No. These rules specify which traffic from the inside is allowed to pass to the outside. Please note: port settings are only meaningful for TCP and UDP. Log entries for unknown connection attempts: No.
Network Security >> Packet Filter >> Outgoing Rules, Outgoing: Lists the firewall rules that have been set up. They apply for outgoing data connections that have been initiated internally in order to communicate with a remote peer. Default setting: ...
49. [Startup, continued: Stop bits 1, Flow control None; pin assignment RxD / TxD. Figure 4-12: Transmission parameters and assignment of the V.24 (RS-232) interface.]
4.5 Connecting the FL MGUARD SMART
LAN port: Ethernet connector for direct connection to the device or network to be protected (local device or network).
USB connector: For connection to the USB interface of a computer. Only for the power supply.
WAN port: Female connector for connection to the external network, e.g., WAN, Internet. Connections to the remote device or network are established via this network. Use a UTP cable (CAT5).
[Figure 4-13: FL MGUARD SMART connections. Figure 4-14: FL MGUARD BLADE connection in the network, before and after insertion; a LAN can also be on the left.]
If your computer is already connected to a network, insert the FL MGUARD SMART between the network interface of the computer (i.e., its network card) and the network. Driver installation is not required. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas, and the operator may be required to take appropriate measures.
50. SNMP v2 is used. SNMP v3 is significantly better in terms of security, but not all management consoles support this version.

If SNMPv3 or SNMPv1/v2 is activated, this is indicated by a green signal field on the tab at the top of the page. Otherwise, i.e. if SNMPv3 or SNMPv1/v2 is not active, the signal field is red.

It can take over a second to process SNMP Get or Walk requests. However, this value corresponds to the default timeout value of some SNMP management applications. If you experience timeout problems, set the timeout value of your management application to values between 3 and 5 seconds.

Management >> SNMP >> Query Settings

[Screenshot: Enable SNMPv3: Yes/No. Enable SNMPv1/v2 access: Yes/No. Port for SNMP connections. SNMPv1/v2 Community: Read Community, Write Community.]

Enable SNMPv3: If you wish to allow monitoring of the FL MGUARD via SNMP v3, set this option to Yes. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access and monitoring options on the FL MGUARD. Access via SNMP v3 requires authentication with a login and password. The default settings for the login parameters are: Login: admin; Password: SnmpAdmin (please note that the password is case-sensitive). MD5 is supported for the authentication process; DES is supported for encryption.
51. SSH, HTTPS.

The remote certificate for authentication of a VPN connection (or the channels of a VPN connection) is installed in the IPsec VPN >> Connections menu.

Configuration 6.5.3.1 Certificate settings

Authentication >> Certificates >> Certificate settings

[Screenshot: tabs Certificate settings / Machine Certificates / CA Certificates / Remote Certificates. Check the validity period of certificates and CRLs: No. Enable CRL checking: Yes. CRL download interval: Every 15 min.]

The settings made here relate to the certificates and certificate chains that are to be checked by the FL MGUARD. This usually excludes the following: self-signed certificates from remote peers; all remote certificates for VPN.

Check the validity period of certificates and CRLs: No / Wait for synchronization of the system time.

No: The validity period specified in certificates and CRLs is ignored by the FL MGUARD.

Wait for synchronization of the system time: The validity period specified in certificates and CRLs is only observed by the FL MGUARD if the current date and time are known by the FL MGUARD: by means of the built-in clock (for the FL MGUARD RS and FL MGUARD DELTA), or by synchronizing the system clock (see Time and Date on page 6-7). Until this point, all cert
52. Serial: Serial number of the FL MGUARD.
Version: Software version of the FL MGUARD.
B (Backup): Automatic configuration backup on the controller is activated/deactivated for this slot.
R (Restore): Automatic configuration restoration after replacing the FL MGUARD is activated/deactivated for this slot.

Configuration 6.3.2 Blade Control >> Blade 01 to 12

These pages display the status information for each installed FL MGUARD device and enable the configuration of the relevant FL MGUARD device to be backed up and restored.

6.3.2.1 Blade in slot

[Screenshot: Blade Control > Blade 01 > Blade in slot 01, tabs Configuration / Overview. Fields: Device type, ID bus controller ID, Serial number, Flash ID, Software version, MAC addresses; Status: LAN link status, WAN link status, Temperature.]

Blade Control >> Blade xx >> Blade in slot xx, Overview:
Device type: Device name, e.g. blade or blade XL.
ID bus controller ID: ID of this slot on the control bus of the bladeBase.
Serial number: Serial number of the FL MGUARD.
Flash ID: Flash ID of the Flash memory of the FL MGUARD.
Software version: Version of the software installed on the FL MGUARD.
MAC addresses: All MAC addresses used by the FL MGUARD.
Status: Status of the FL MGUARD.
LAN link status: Status of the LAN port.
WAN link status: Status of the WAN port.
53. URL for starting/stopping/querying the status of a VPN connection

The following URL can be used to start and stop VPN connections or query their connection status, independently of their Enabled setting:

https://server/nph-vpn.cgi?name=verbindung&cmd=(up|down|status)

Example: wget "https://admin:mGuard@192.168.1.1/nph-vpn.cgi?name=Athen&cmd=up"

A command like this relates to all connection channels that are summarized under the relevant name (in this example, Athen). This is the name entered under "A descriptive name for the connection" on the General tab page. In the event of ambiguity, the URL call only affects the first entry in the list of connections.

It is not possible to address the individual channels of a VPN connection. If individual channels are deactivated (Enabled: No), then these are not started. Starting and stopping in this way thus has no effect on the settings of the individual channels, i.e. the list under Transport and Tunnel Settings.

Starting and stopping a connection using a URL only makes sense if the connection is deactivated in the configuration (Enabled: No) or if Connection startup is set to Wait. Otherwise, the FL MGUARD connection is re-established automatically.

If the status of a VPN connection is queried using the URL specified above, then the following responses can be expected:

Table 6-1 Status of a VPN connection
Response | Meaning
(response text not recoverable) | A VPN connection with this name does not exi
54. VPN features / Additional features (1-2)

- Maximum firewall throughput of 99 Mbps
- Firewall throughput 200 Mbps (FL MGUARD GT/GT)
- VPN throughput 70 Mbps (FL MGUARD GT/GT)
- CIFS integrity check of network drives for changes to specific file types, e.g. executable files
- Anti-virus scan connector, which supports central monitoring of network drives with virus scanners
- Protocol: IPsec (tunnel and transport mode)
- IPsec encryption in hardware with DES (56 bits), 3DES (168 bits) and AES (128, 192, 256 bits)
- Packet authentication: MD5, SHA-1
- Internet Key Exchange (IKE) with main and quick mode
- Authentication via pre-shared key (PSK), X.509v3 certificates with public key infrastructure (PKI) with certification authority (CA), optional certificate revocation list (CRL) and the option of filtering by subject, or partner certificate (e.g. self-signed certificates)
- Recognition of changing partner IP addresses via DynDNS
- NAT traversal (NAT-T)
- Dead Peer Detection (DPD): detection of IPsec connection aborts
- IPsec/L2TP server: connection of IPsec/L2TP clients
- IPsec firewall and 1:1 NAT
- Default route over VPN
- Data forwarding between VPNs (hub and spoke)
- Up to 250 VPN tunnels (additional license required)
- Maximum VPN throughput of 35 Mbps at 266 MHz and 70 Mbps at 533 MHz (FL MGUARD)
- Remote logging
- Router/firewall redundancy (th
55. ...a CA certificate / using the corresponding remote certificate.

Authentication using a CA certificate: Only the CA certificate from the CA that signed the certificate shown by the VPN remote peer should be referenced here (selection from list). The additional CA certificates that form the chain to the root CA certificate together with the certificate shown by the remote peer must be installed on the FL MGUARD under the Authentication >> Certificates menu item. The selection list contains all the CA certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item.

The other option is "Signed by any trusted CA". With this setting, all VPN remote peers are accepted, providing that they log in with a signed CA certificate issued by a recognized certification authority (CA). The CA is recognized if the relevant CA certificate and all other CA certificates have been loaded on the FL MGUARD; these then form the chain to the root certificate together with the certificates shown.

Authentication using the corresponding remote certificate:
- Select the following entry from the selection list: "No CA certificate, but the Remote Certificate below".
- Install the remote certificate under Remote Certificate (see Installing the remote certificate on page 6-184). It is not possible to reference a remote certificate loaded under the Authentication >> Certificates menu item.
56. ...accessed.

If you have forgotten the configured address: If the address of the FL MGUARD in router, PPPoE or PPTP mode has been set to a different value and the current address is not known, the FL MGUARD must be restored to the default settings specified above for the IP address of the FL MGUARD by setting the device to stealth mode (or router mode for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller) using the Recovery button (see Performing a recovery procedure on page 7-2).

If the administrator web page is not displayed: If the web browser repeatedly reports that the page cannot be displayed, try the following:
- Check whether the default gateway of the connected configuration computer is initialized (see Local configuration on startup on page 5-3).
- Disable any active firewalls.
- Make sure that the browser does not use a proxy server. In MS Internet Explorer (Version 6.0), make the settings as follows: in the Tools menu, select Internet Options and click on the Connections tab. Click on Properties under LAN settings. Check that "Use a proxy server for your LAN" under Proxy server is not activated in the Local Area Network (LAN) Settings dialog box.
- If other LAN connections are active on the computer, deactivate them until the configuration has been completed. Under the Windows menu Start > Settings > Control Pa
57. ...active.

Re-build the integrity database: The FL MGUARD creates a database with checksums in order to check whether files have been changed. A change to executable files indicates a virus. However, if these files have been changed intentionally, a new database must be created by clicking on Initialize in order to prevent false alarms. The creation of an integrity database is also recommended if network drives have been newly set up. Otherwise, an integrity database is set up during the first scheduled check instead of a check being performed.

Configuration CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Actions (continued)

Cancel the creation of the integrity database (only while the database is being created): Click Cancel to stop the creation of the integrity database. The old database is no longer used. A new database must be created manually; otherwise it is created automatically on the next scheduled check of the drive. The contents of the network drive may be manipulated (e.g. infected) without being detected if no integrity database is in place.

Erase reports and the integrity database: Click on Erase to delete all existing reports and databases. A new integrity database must be created for any further integrity checks. This can be initiated by clicking on Initialize. Otherwise, a new integrity database is created automati
58. ...and only if it is self-signed. Otherwise, the root certificate of the CA which issued the server's certificate must be installed.

[Screenshot: Import, Download Test, Test Download buttons.]

The FL MGUARD can retrieve new configuration profiles from an HTTPS server in adjustable time intervals, provided that the server makes them available to the FL MGUARD as files (file extension .atv). If the FL MGUARD configuration provided differs from the active configuration, the new configuration is automatically downloaded and activated.

Management >> Central Management >> Configuration Pull

Pull Schedule: Here, specify whether and, if so, when and at what intervals the FL MGUARD should attempt to download and apply a new configuration from the server. To do this, open the selection list and select the desired value. A new field is shown when Time Schedule is selected. In this field, specify whether the new configuration should be downloaded from the server daily or regularly on a certain weekday, and at what time. Time-controlled download of a new configuration is only possible if the system time has been synchronized (see Management >> System Settings on page 6-4, Time and Date on page 6-7). Time control sets the selected time based on the configured time zone.

Server: IP address or host name of the server that provides the configurations.

Directory: The directory (folder) on the server where the configu
59. ...and the accompanying text provides additional information to the reader. It is also used as a reference to other sources of information (manuals, data sheets, literature on the subject matter, product, etc.).

UM EN FL MGUARD

General terms and conditions of use for technical documentation

Phoenix Contact reserves the right to alter, correct and/or improve the technical documentation and the products described in the technical documentation at its own discretion and without giving prior notice, insofar as this is reasonable for the user. The same applies to any technical changes that serve the purpose of technical progress. The receipt of technical documentation (in particular data sheets, installation instructions, manuals, etc.) does not constitute any further duty on the part of Phoenix Contact to furnish information on alterations to products and/or technical documentation. Any other agreement shall only apply if expressly confirmed in writing by Phoenix Contact. Please note that the supplied documentation is product-specific documentation only and that you are responsible for checking the suitability and intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations. Although Phoenix Contact makes every effort to ensure that the information content is accurate, up-to-date and state o
60. ...are retained, including passwords.

Possible reasons for performing the recovery procedure: The FL MGUARD is in router or PPPoE mode; the configured device address of the FL MGUARD differs from the default setting; the current IP address of the device is not known.

Action:
- Slowly press the Rescue button six times (not on the FL MGUARD GT/GT; for more detailed instructions for performing the recovery procedure on the FL MGUARD GT/GT, please refer to Section "Using Smart mode" on page 3-6). The FL MGUARD responds after around two seconds:
  FL MGUARD RS: If successful, the State LED lights up green.
  FL MGUARD SMART: If successful, the middle LED lights up green.
  FL MGUARD BLADE: If successful, the LAN LED lights up red.
  FL MGUARD DELTA: If successful, the status LED lights up green.
- Press the Rescue button slowly again six times.
- If successful, the device restarts after two seconds and switches to stealth mode (or router mode for FL MGUARD DELTA and FL MGUARD BLADE controller).
- The device can then be reached again at the following address: https://1.1.1.1 (FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller: https://192.168.1.1).

Restart: the recovery procedure and flashing the firmware

7.3 Flashing the firmware

Aim: The entire
61. ...are therefore ideal for use in industrial applications. VPN tunnels can be initiated using software or hardware switches. A redundant supply voltage can be connected (18 V DC to 32 V DC).

Figure 1-1 FL MGUARD RS

FL MGUARD SMART: The FL MGUARD SMART is the smallest device version. For example, it can be easily inserted between the computer or local network (at the LAN port of the FL MGUARD) and an available router (at the WAN port of the FL MGUARD) without having to change existing system configurations or driver installations. It is designed for instant use in the office or when traveling.

Figure 1-2 FL MGUARD SMART

FL MGUARD PCI: The FL MGUARD PCI is a card that can be used in a PCI slot. In driver mode, it provides the computer in which the card is installed with all FL MGUARD functions as well as acting as a normal network card. In power-over-PCI mode, an existing network card in the computer or another computer/network can be connected.

Figure 1-3 FL MGUARD PCI

FL MGUARD BLADE: The FL MGUARD BLADEPACK comprises the FL MGUARD BLADEBASE, which can be installed easily in standard 3 U racks (19 inches), and up to 12 FL MGUARD BLADE devices plus a blade controller. This device version is therefore ideal for use in industrial applications where several server systems can be prot
62. ...as an object identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a corresponding value.

Example: CN=John Smith, O=Smith and Co, C=US

If certain subject attributes have very specific values for the acceptance of the browser by the FL MGUARD, then these must be specified accordingly. The values of the other freely selectable attributes are entered using the asterisk wildcard (*).

Example: CN=*, O=*, C=US (with or without spaces between attributes)

In this example, the attribute C=US must be entered in the certificate under Subject. It is only then that the FL MGUARD would accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value.

If a subject filter is set, the number (but not the order) of the specified attributes must correspond to that of the certificates for which the filter is to be used. Please note that the filter is case-sensitive.

Several filters can be set and their sequence is irrelevant. However, please note the order of the specified attributes.

With HTTPS, the browser of the accessing user does not specify which user or administration rights it is using to log in. These access rights are assigned by setting filters here under "Authorized for access as". This has the following result: if there are several filters that let through a certain user, then the first filter applies. The user is assigned the access
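The matching rules stated above, as an added example in Python (not Phoenix Contact code): attributes are compared case-sensitively, `*` accepts any value, the filter must carry the same number of attributes as the subject (their order is irrelevant), and when several filters let a user through, the first one assigns the access rights. It assumes subjects and filters are comma-separated `ATTR=value` pairs without embedded commas; the role names in the demonstration table are constructed placeholders.

```python
"""Added example: X.509 subject-filter matching as described for FL MGUARD
HTTPS/SSH access filters. Not Phoenix Contact code; it assumes subjects and
filters are comma-separated ATTR=value pairs without embedded commas."""
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """'CN=John Smith, O=Smith and Co, C=US' -> {'CN': 'John Smith', ...}.
    Spaces around the commas are optional (the manual allows both forms)."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def subject_matches(subject: str, subject_filter: str) -> bool:
    """True if the certificate subject passes the filter.

    Rules from the manual: the number of attributes must correspond (their
    order does not), '*' stands for any value, and the comparison is
    case-sensitive (C=us does not match C=US)."""
    subj = parse_dn(subject)
    filt = parse_dn(subject_filter)
    if len(subj) != len(filt):
        return False
    for key, pattern in filt.items():
        if key not in subj:
            return False
        if pattern != "*" and subj[key] != pattern:
            return False
    return True


def authorized_as(subject: str, filters: List[Tuple[str, str]]) -> Optional[str]:
    """Return the role of the first filter that lets the subject through.

    filters: ordered (filter, role) pairs, as configured under
    'Authorized for access as'. None means the subject is not accepted."""
    for subject_filter, role in filters:
        if subject_matches(subject, subject_filter):
            return role
    return None


# Constructed demonstration table; the role names are placeholders.
FILTERS = [
    ("CN=*, O=Smith and Co, C=US", "admin"),
    ("CN=*,O=*,C=US", "netadmin"),
    ("CN=*, O=*, C=*", "audit"),
]

if __name__ == "__main__":
    for s in ("CN=John Smith, O=Smith and Co, C=US",
              "CN=Jane Doe, O=Other Corp, C=US",
              "CN=Jane Doe, O=Other Corp, C=DE",
              "CN=Jane Doe, C=US"):
        print(f"{s!r:45} -> {authorized_as(s, FILTERS)}")
```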
63. ...by clicking on the Apply button, you can restore the original values on the page by clicking the Reset button. This button only appears at the top of the page if the scope of validity of the Apply button is set to "Include all pages" (see Management >> Web Settings on page 6-18).

Apply (optional button): Has the same function as the Apply button, but is valid for all pages. This button only appears at the top of the page if the scope of validity of the Apply button is set to "Include all pages" (see Management >> Web Settings on page 6-18).

6.2 Management menu

For security reasons, we recommend you change the default root and administrator passwords during initial configuration (see Authentication >> Local Users on page 6-111). A message informing you of this will continue to be displayed at the top of the page until the passwords are changed.

6.2.1 Management >> System Settings

6.2.1.1 Host

[Screenshot: Management > System Settings, tabs Host / Time and Date / System Uptime / System DNS. Hostname: Hostname mode: User defined (from field below); Hostname: mguard; Domain search path: example.local. SNMP Information: System Name, Location, Contact. HiDiscovery: Local HiDiscovery Support: Enabled; HiDiscovery Frame Forwarding.]

Management >> System Settin
64. ...communicating VPN gateways. TRAFFIC refers to the computers and networks that communicate via the VPN gateways. (Refers to the subject of an X.509 certificate.)

ISAKMP State: Internet Security Association and Key Management Protocol. Is set to "established" if both VPN gateways involved have established a channel for key exchange. In this case, they have been able to contact one another, and all entries up to and including ISAKMP SA on the connection configuration page are correct.

IPsec State: Is set to "established" if IPsec encryption is activated for communication. In this case, all the data under IPsec SA and Tunnel Settings is correct.

In the event of problems, it is recommended that you check the VPN logs of the remote peer to which the connection was established. This is because detailed error messages are not forwarded to the initiating computer for security reasons.

This means that authentication was successful, but the other parameters did not match: does the connection type (tunnel/transport) correspond? If Tunnel is selected, do the network areas correspond on both sides?

The VPN connection is established successfully and can be used. However, if this is not possible, the VPN gateway is causing problems for the remote peer. In this case, deactivate and reactivate the connection to re-establish the connection.

Configuration 6.9 QoS menu

QoS (Quality of Se
65. ...confirmation message appears. This indicates that the new settings have taken effect. They also remain valid after a restart (reset). You can return to the previously accessed page by clicking on the Back button located at the bottom right of the page (if available).

Entry of impermissible values: If you enter an impermissible value (e.g. an impermissible number in an IP address) and then click on the Apply button, the relevant tab page title is displayed in red. This makes it easier to trace the error.

Working with sortable tables: Many settings are saved as data records. Accordingly, the adjustable parameters and their values are presented in the form of table rows. If several data records have been set (e.g. firewall rules), they will be queried or processed based on the order of the entries, from top to bottom. Therefore, note the order of the entries if necessary. The order can be changed by moving table rows up or down. With tables you can: insert rows to create a new data record with settings (e.g. the firewall settings for a specific connection); move rows, i.e. re-sort them; delete rows to delete the entire data record.

Inserting rows: 1. Click on the arrow below which you want to insert a new row. 2. The new row is inserted. You can now enter or specify values in the row.

Moving rows: 1. Select the row(s) you want to move. 2. Cli
66. ...connections that have been initiated externally. If no rule has been set, the data packets of all incoming connections (excluding VPN) are dropped (default setting).

Interface: External / External 2 / Any External. Specifies via which interface the data packets are received so that the rule applies to them. Any External refers to the External and External 2 interfaces. These interfaces are only available on FL MGUARD models that have a serial interface with external access.

Protocol: TCP / UDP / ICMP / All.

From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).

From Port / To Port: Only evaluated for TCP and UDP protocols. "any" refers to any port; "startport:endport" (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).

Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets (if defined): When a name is specified for rule sets, the firewall rules saved under this name take effect (see Set of Rules tab page).
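The rule fields and the top-to-bottom, first-match processing described above, modelled as an added Python example (not Phoenix Contact code). It assumes a packet is described by interface, protocol, addresses and ports; the service-name table is a constructed subset standing in for the device's own name resolution, and the rule table is constructed for the demonstration.

```python
"""Added example: first-match evaluation of FL MGUARD-style incoming firewall
rules. Not Phoenix Contact code; it models the rule fields the manual lists
(Interface, Protocol, From/To IP in CIDR form, From/To Port as number,
service name or 'startport:endport', Action Accept/Reject/Drop) and the
top-to-bottom order in which rule rows are processed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of service names (the device resolves names such as pop3).
SERVICES = {"pop3": 110, "http": 80, "https": 443, "ssh": 22, "snmp": 161}


def port_range(spec: str) -> Tuple[int, int]:
    """'any' -> 0..65535, '110' or 'pop3' -> single port, '110:120' -> range."""
    spec = spec.strip().lower()
    if spec == "any":
        return 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return port_range(lo)[0], port_range(hi)[1]
    if spec.isdigit():
        port = int(spec)
    elif spec in SERVICES:
        port = SERVICES[spec]
    else:
        raise ValueError(f"unknown port specification {spec!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port, port


@dataclass
class Rule:
    interface: str            # "External", "External 2" or "Any External"
    protocol: str             # "TCP", "UDP", "ICMP" or "All"
    from_ip: str              # CIDR; 0.0.0.0/0 means all addresses
    to_ip: str
    from_port: str = "any"    # only evaluated for TCP and UDP
    to_port: str = "any"
    action: str = "Drop"      # "Accept", "Reject" or "Drop"
    comment: str = ""


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _interface_matches(rule_if: str, pkt_if: str) -> bool:
    # "Any External" covers both External and External 2.
    if rule_if == "Any External":
        return pkt_if in ("External", "External 2")
    return rule_if == pkt_if


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not _interface_matches(rule.interface, pkt.interface):
        return False
    if rule.protocol != "All" and rule.protocol.upper() != pkt.protocol.upper():
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip, strict=False):
        return False
    if pkt.protocol.upper() in ("TCP", "UDP"):      # ports matter only here
        for spec, port in ((rule.from_port, pkt.sport), (rule.to_port, pkt.dport)):
            lo, hi = port_range(spec)
            if port is None or not lo <= port <= hi:
                return False
    return True


def evaluate_incoming(rules: List[Rule], pkt: Packet, stealth_mode: bool = False) -> str:
    """Walk the rule table top to bottom; the first matching row decides.

    No matching row means the packet is dropped (the manual's default for
    incoming connections). In stealth mode Reject behaves like Drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if stealth_mode and rule.action == "Reject":
                return "Drop"
            return rule.action
    return "Drop"


# Constructed rule table for the demonstration.
RULES = [
    Rule("Any External", "TCP", "0.0.0.0/0", "192.168.1.0/24", "any", "110:120", "Accept", "mail"),
    Rule("External", "UDP", "10.0.0.0/8", "0.0.0.0/0", "any", "snmp", "Reject", "snmp from intranet"),
]

if __name__ == "__main__":
    demo = Packet("External", "TCP", "203.0.113.5", "192.168.1.10", 40000, 110)
    print(evaluate_incoming(RULES, demo))  # Accept
```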
67. ...established via the serial interface using a modem. Alternatively, the serial interface can be used as follows: for PPP dial-in into the local network, or for configuration purposes. For devices with a built-in modem (analog modem or ISDN terminal adapter), the modem can be used additionally to combine access options. The details for this must be configured on the General, Ethernet, Dial-out, Dial-in and Modem/Console tab pages. For a more detailed explanation of the options for using the serial interface and a built-in modem, see Modem/Console on page 6-90.

6.4.1.1 General

[Screenshot: Network > Interfaces, tabs General / Dial-in / Modem/Console. Network Status: External IP address, Active Default route, Used DNS servers. Network Mode: Router; Router Mode: static. External Networks: External IPs: IP 10.1.66.17, Netmask 255.255.0.0, Use VLAN: No, VLAN ID (untrusted port). Additional External Routes: Network, Gateway. IP of default gateway. Internal Networks: Internal IPs: IP 192.168.66.17, Netmask 255.255.255.0, Use VLAN, VLAN ID (trusted port). Additional Internal Routes: Network, Gateway. Secondary External Interface.]

Network >> Interfaces >> General

Network Status: External IP address (display only): The addresses via which the FL MGUARD can (WAN port addres
68. ...etc.) and the signature of the CA -> subject certificate.

The signature is created as follows: the CA creates an individual bit sequence from the bit sequence of the public key, owner information and other data. This sequence can be up to 160 bits in length and is known as the HASH value. It then encrypts this with its own private key and then adds it to the certificate. The encryption with the CA's private key proves the authenticity of the certificate, i.e. the encrypted HASH string is the CA's digital signature. If the certificate data is tampered with, then this HASH value will no longer be correct and the certificate will be rendered worthless.

TCP/IP: Transmission Control Protocol/Internet Protocol
VLAN
VPN: Virtual Private Network

The HASH value is also known as the fingerprint. Since it is encrypted with the CA's private key, anyone who has the corresponding public key can decrypt the bit sequence and thus verify the authenticity of the fingerprint or signature. The involvement of a certification authority means it is not necessary for key owners to know each other. They only need to know the certification authority involved in the process. The additional key information further simplifies administration of the key. X.509 certificates can be used, e.g., for e-mail encryption with S/MIM
69. ...(*.exe, *.dll) have been changed. Changes to these files indicate a virus or unauthorized intervention.

Integrity database: If a network drive that is to be checked is reconfigured, an integrity database must be created. This integrity database is used as the basis for comparison when checking the network drive regularly. The checksums of all files to be monitored are recorded here. The integrity database is protected against manipulation. The database is either created explicitly due to a specific reason (see CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Actions on page 6-156) or on the first regular check of the drive. The integrity database must be created again following intentional manipulation of the relevant files of the network drive. Unauthorized manipulation of the relevant files cannot be detected if there is no valid integrity database.

6.7.2.1 Settings

[Screenshot: CIFS Integrity Monitoring > CIFS Integrity Checking, tabs Settings / Filename Patterns. General: Integrity certificate: "VPN terminal machine 06" (used to sign integrity databases). Send notifications via e-mail: (...) every check. Target address for e-mail notifications: cifs-integrity@example.com. Sender address of e-mail notifications: cifs-integrity@example.com. Subject prefix for e-mail notifications: "mGuard CIFS Integrity Ad
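The integrity-database life cycle described here and under the Actions page above (Initialize, first scheduled check creating the database instead of checking, later checks comparing against it, the database protected against manipulation), as an added Python example that is not the FL MGUARD's own implementation. It assumes a local directory in place of a CIFS network drive, constructs its sample files in a temporary folder, and uses an HMAC with a constructed key where the device signs its database with the configured integrity certificate.

```python
"""Added example: a minimal CIFS-style integrity database over a directory.
Not the FL MGUARD's own implementation. Checksums are recorded for files whose
names match the configured filename patterns, the database is created on
Initialize or on the first scheduled check, later checks compare against it,
and an HMAC with a constructed key stands in for the device's certificate
signing so that a manipulated baseline is rejected."""
import fnmatch, hashlib, hmac, json, os, tempfile
from typing import Dict, List, Optional


def _sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_database(root: str, patterns: List[str]) -> Dict[str, str]:
    """Checksum every file under root whose name matches one of the patterns."""
    db: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = _sha256_file(full)
    return db


def sign_database(db: Dict[str, str], key: bytes) -> bytes:
    """Serialize the database with an HMAC tag (stand-in for certificate signing)."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"db": db, "tag": tag}, sort_keys=True).encode()


def load_database(blob: bytes, key: bytes) -> Dict[str, str]:
    """Reject a stored database whose tag no longer matches its contents."""
    obj = json.loads(blob)
    body = json.dumps(obj["db"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["tag"]):
        raise ValueError("integrity database has been manipulated")
    return obj["db"]


def check_drive(root: str, patterns: List[str], baseline: Optional[Dict[str, str]]) -> dict:
    """Scheduled check: report changed/added/removed monitored files.
    With no baseline, a database is created instead of a check being performed,
    as the manual states for the first scheduled check."""
    current = build_database(root, patterns)
    if baseline is None:
        return {"initialized": True, "database": current,
                "changed": [], "added": [], "removed": []}
    return {
        "initialized": False,
        "database": baseline,
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: initialize, then modify a monitored executable,
    add a new DLL, and finally forge the stored database."""
    root = tempfile.mkdtemp(prefix="cifs_demo_")
    os.makedirs(os.path.join(root, "bin"))
    samples = {"bin/app.exe": b"MZ original", "bin/lib.dll": b"MZ library",
               "readme.txt": b"not monitored"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    patterns = ["*.exe", "*.dll"]
    key = b"constructed-demo-key"          # the device would use its certificate
    first = check_drive(root, patterns, None)  # acts as Initialize
    blob = sign_database(first["database"], key)
    with open(os.path.join(root, "bin/app.exe"), "wb") as fh:
        fh.write(b"MZ patched")
    with open(os.path.join(root, "bin/new.dll"), "wb") as fh:
        fh.write(b"MZ new")
    second = check_drive(root, patterns, load_database(blob, key))
    # Forge the baseline so the patched file would look legitimate; the tag
    # no longer matches, so the forged database must be rejected.
    forged = json.loads(blob)
    forged["db"]["bin/app.exe"] = _sha256_file(os.path.join(root, "bin/app.exe"))
    try:
        load_database(json.dumps(forged).encode(), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"monitored": sorted(first["database"]), "changed": second["changed"],
            "added": second["added"], "removed": second["removed"],
            "tamper_detected": tamper_detected}
```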
70. ...expansion. Properties of the SFP interfaces: Number; Connection format.

Technical data (continued; the row labels were lost in extraction, values listed in their original order): 5% to 95%, no condensation; 86 kPa to 108 kPa (1500 m above sea level); 66 kPa to 108 kPa (3500 m above sea level); free from substances that would hinder coating with paint or varnish according to VW specification; perpendicular to a standard DIN rail; snapped onto a grounded DIN rail; 660 g, typical; via COMBICON, conductor cross section 2.5 mm² maximum; 24 V DC (18.0 V DC to 32.0 V DC); 3.6 Vpp; 500 V DC for one minute; 270 mA; 6.5 W; 2 (should be operated as RJ45 port or SFP port); Mini-DIN female connector; 24 V DC, 100 mA; 2, with auto crossing and auto negotiation; 8-pos. RJ45 female connector on the switch; twisted-pair cable with a conductor cross section of 0.14 mm² to 0.22 mm², 100 Ohm; 10/100/1000 Mbps; 100 m; 2 Gigabit SFP slot modules.

Ethernet interfaces (continued): Connection medium; Connection; Data transmission rate; Maximum network expansion; Optical fiber type.

Mechanical tests: Shock test according to IEC 60068-2-27; Vibration resistance according to IEC 60068-2-6; Free fall according to IEC 60068-2-32.

Conformance with EMC Directives: Developed according to IEC 61000-6-2; Noise emission according to EN 55022:1998 + A1:2000 + A2:2003 (interference voltage); Noise emission according to EN 55011:1998 + A1:1999 + A2:2002 (electromagnetic interference); Noi
71. ...external interface for the mGuard: Drop. Please note: enabling SNMP access automatically accepts incoming ICMP packets.

[Screenshot residue: Stealth Mode: Allow forwarding of GVRP frames; Allow forwarding of STP frames; Allow forwarding of DHCP frames. Connection Tracking: Maximum table size; Allow TCP connections upon SYN only (after reboot, connections need to be re-established); Timeout for established TCP connections; Timeout for closed TCP connections; FTP; IRC.]

Consistency checks:

Maximum size of ping packets (ICMP Echo Request): Refers to the length of the entire packet, including the header. The packet length is normally 64 bytes, but it can be larger. If oversized packets should be blocked to prevent bottlenecks, a maximum value can be specified. This must be more than 64 bytes, as normal ICMP echo requests should not be blocked.

Enable TCP/UDP/ICMP consistency checks: When set to Yes, the FL MGUARD performs a range of tests to check for incorrect checksums, packet sizes, etc., and drops packets that fail these tests. This option is set to Yes by default.

Configuration Network Security >> Packet Filter >> Advanced (continued)

Network Modes: Router, PPTP, PPPoE, Stealth Mode.

ICMP via primary external interface for the mGuard; ICMP via secondary external interface for the mGuard
72. ...fields for specifying the modem connection parameters are displayed. For the further configuration of the built-in modem (modem network mode), see Router network mode: Modem / Built-in Modem (router mode) on page 6-78.

Network Mode: Stealth. Default setting for all devices except FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller. When Stealth is selected as the network mode and "static" is selected for the Stealth configuration:

[Screenshot: Network > Interfaces, tabs General / Dial-in / Modem/Console. Network Status: External IP address, Active Default route, Used DNS servers. Network Mode: Stealth; Stealth configuration: autodetect; Autodetect: ignore NetBIOS over TCP traffic (on TCP port 139): No. Stealth Management IP Address: IP address 0.0.0.0, Netmask 0.0.0.0, Default gateway 0.0.0.0, Use Management VLAN: No, Management VLAN ID. Static routes: Networks to be routed over alter...]

Stealth Management IP Address: Here you can specify an additional IP address to administrate the mGuard. If you have set Stealth configuration to "multiple clients", remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature. Note: using a management VLAN is not supported in Stealth autodetect mode.

Static routes: The following settings are applied to traffic generated by the mGuard. Networks to be routed over alter
73. [Screenshot residue: QoS egress rules, three default rules: (1) all, 0.0.0.0/0 -> 0.0.0.0/0, TOS Minimize-Delay, Unchanged, Urgent; (2) all, 0.0.0.0/0 -> 0.0.0.0/0, TOS Maximize-Reliability, Unchanged, Important; (3) all, 0.0.0.0/0 -> 0.0.0.0/0, TOS Minimize-Cost, Unchanged, Low Priority.]

Configuration 6.9.4.2 Egress Rules VPN

[Screenshot: QoS > Egress Rules VPN, tabs VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in.]

VPN via Internal: Setting for egress queue rules. Default Queue: Default. Rules: (1) all, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Minimize-Delay, Unchanged, Urgent; (2) all, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Maximize-Reliability, Unchanged, Important; (3) all, 0.0.0.0/0 (any), 0.0.0.0/0 (any), TOS Minimize-Cost, Unchanged, Low Priority.

VPN via External: Setting for egress queue rules. Default Queue: Default. Rules: (1) all, 0.0.0.0/0, 0.0.0.0/0, TOS Minimize-Delay, Unchanged, Urgent; (2) all, 0.0.0.0/0, 0.0.0.0/0, TOS Maximize-Reliability, Unchanged, Important; (3) all, 0.0.0.0/0, 0.0.0.0/0, TOS M
74. following IP address, then enter the following addresses, for example: IP address 192.168.1.2, subnet mask 255.255.255.0. Do not under any circumstances assign an address such as 1.1.1.2 to the configuration computer.

In DOS (Start, Programs, Accessories, Command Prompt) enter the following:

arp -s <IP address of the default gateway> 00-aa-aa-aa-aa-aa

Example: You have determined or specified the address of the default gateway as 192.168.1.1. The command should then be:

arp -s 192.168.1.1 00-aa-aa-aa-aa-aa

To proceed with the configuration, establish the configuration connection (see "Establishing a local configuration connection" on page 5-9). Following configuration, restore the original default gateway setting. To do this, either restart the configuration computer or enter the following command in DOS:

arp -d

Depending on the configuration of the FL MGUARD, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

Preparing the configuration. 5.2.2 FL MGUARD DELTA, FL MGUARD GT/GT

FL MGUARD DELTA: By default upon delivery, following reset to the default settings or after flashing the FL MGUARD, the FL MGUARD DELTA can be accessed within the network 192.168.1.0/24 via LAN interfaces 4 to 7 under IP address 192.168.1.1.

FL MGUARD GT/GT: By default upon delivery, following reset to
75. found to be faulty according to the checking procedure described above. When the FL MGUARD attempts to retrieve a new configuration profile periodically (according to the time defined in the Pull Schedule field and Time Schedule), it will only accept the profile subject to the following selection criterion: the configuration profile provided must differ from the configuration profile previously identified as faulty for the FL MGUARD, which resulted in the rollback. The FL MGUARD checks the MD5 total stored for the old, faulty and rejected configuration against the MD5 total of the new configuration profile offered.

If this selection criterion is met, i.e. a newer configuration profile is offered, the FL MGUARD retrieves this configuration profile, applies it and checks it according to the procedure described above. It also disables the configuration profile if the rollback check is unsuccessful.

Configuration: Management >> Central Management >> Configuration Pull (continued). If the selection criterion is not met, i.e. the same configuration profile is being offered, the selection criterion remains in force for all further cyclic requests for the period specified in the "Number of times" field. If the specified number of times elapses without a change of the configuration profile on the configuration server, the FL MGUARD applies the uncha
76. in the list of profiles already stored on the FL MGUARD.

Configuration: 6.2.6 Management >> SNMP
6.2.6.1 Query

[Screenshot: Management >> SNMP >> Query. Settings: Enable SNMPv3 access; Enable SNMPv1/v2 access; Port for incoming SNMP connections (remote access only); Run SNMP Agent under the permissions of the following user: admin. SNMPv1/v2 Community: Read-Write Community; Read-Only Community. Allowed Networks: From IP, Interface, Action, Comment, Log.]

These rules allow to enable SNMP access. Important: Make sure to set secure passwords for SNMPv3 before enabling remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: Enabling SNMP access automatically accepts incoming ICMP packets. Note: The SNMP access from the internal side and via dial-in or VPN is allowed by default and can be restricted by firewall rules.

The SNMP (Simple Network Management Protocol) is mainly used in more complex networks to monitor the status and operation of devices. SNMP is available in several releases: SNMPv1, SNMPv2 and SNMPv3. The older versions (SNMPv1, SNMPv2) do not use encryption and are not considered to be secure. It is therefore not recommended that SNMPv1
77. [Screenshot: QoS >> Egress Queues >> Internal. Enabling: Enable Egress QoS. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited. Queues (Name, Guaranteed, Upper limit, Priority, Comment):
1: Urgent, 20, unlimited, High
2: Important, 20, unlimited, Medium
3: Default, 10, unlimited, Medium
4: Low Priority, 10, unlimited, Low]

Configuration. External 2: Setting for egress queues at the secondary external interface. [Screenshot: QoS >> Egress Queues >> External 2. Enabling: Enable Egress QoS: No. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited kbit/s. Queues: Urgent, unlimited, High; Important, unlimited, Medium; Default, unlimited, Medium; Low Priority, unlimited, Low.]

Dial-in: Setting for egress queues for packets for a PPP dial-up connection (dial-in). [Screenshot: QoS >> Egress Queues >> Dial-in. Enabling. Total Bandwidth Rate: Bandwidth Rate Limit: unlimited kbit/s. Queues: Urgent, unlimited, High; Important, unlimited, Medium; Default, unlimited, Medium; Low Priority, unlimited, Low.]
78. later, a license must be obtained for the relevant device before a major release upgrade (e.g. from Version 4.x.y to Version 5.x.y, or from Version 5.x.y to Version 6.x.y) can be installed. The license must be installed on the device before updating the firmware (see "Management >> Licensing" on page 6-29 and "Install" on page 6-29). Minor release upgrades, i.e. within the same major version (e.g. within Version 5.x.y), can be installed without a license until further notice.

With FL MGUARD firmware Version 5.0 or later, licenses remain installed even after the firmware is flashed.

The Firewall Redundancy function is not available in firmware Version 7.0. Devices with an installed license for firewall redundancy reject firmware updates to Version 7.0 if the Firewall Redundancy function is activated.

6.2.4.1 Overview

[Screenshot: Management >> Update >> Overview. System Information: Version, Base, Updates. Package Versions (Name, Version, Flavour): the packages listed include bootloader, bridge-utils, busybox, bzip2, chat and conntrack, each with flavour "default".]

Management >> Update >> Overview. System Information: Version: The current software version of the FL MGUARD. Base: The software version that was originally used to flash this FL MGUARD. Updates: List of updates that have been installed on
79. lit continuously. To release the VPN connection, hold down the button for a few seconds until the signal LED flashes or goes out. Then release the button. As soon as the signal LED goes out, the VPN connection is released.

Operating a connected on/off switch: To establish the VPN connection, set the switch to the ON position. To release the VPN connection, set the switch to the OFF position.

Signal LED: If the signal LED is OFF, this generally indicates that the defined VPN connection is not present. Either the VPN connection was not established or it has failed due to an error. If the signal LED is ON, the VPN connection is present. If the signal LED is flashing, the VPN connection is being established or released.

Analog line for integrated modem. WARNING: The analog connections (TIP, RING) should only be connected to the telecommunications cable provided. The TIP and RING contacts are for connection to the fixed-line telephone network (analog connection). For the contact designations specified on the front plate, the following designations are usually used in Germany: TIP = a, RING = b.

ISDN line with integrated ISDN terminal adapter. WARNING: The ISDN connections (TX, TX, RX, RX) should only be connected to an ISDN S0 bus. Contacts TX, TX, RX and RX are designed for conne
80. machine certificate is then used: the Subject entry in the machine certificate, or one of the Subject Alternative Names, if they are listed in the certificate. If the certificate contains Subject Alternative Names, these are specified under "Valid values". These can include IP addresses, host names with prefix, or e-mail addresses.

Remote: Specifies what must be entered as a subject in the machine certificate of the VPN remote peer for the FL MGUARD to accept this VPN remote peer as a communication partner. It is then possible to limit or enable access by VPN remote peers which the FL MGUARD would accept in principle based on certificate checks: limited access to certain subjects (i.e. machines) and/or to subjects that have certain attributes; access enabled for all subjects. See "Subject, certificate" on page 8-6. ("Distinguished Name" was previously used instead of "Subject".)

IPsec VPN >> Connections >> Edit >> Authentication (continued). Access enabled for all subjects: If the Remote field is left empty, then any subject entries are permitted in the machine certificate shown by the VPN remote peer. It is then no longer necessary to identify or define the subject in the certificate. Limited access to certain subjects: In the certificate, the certificate owner is specified in
81. network at machine A, B or C and use the same host name in each of these networks to communicate with the corresponding machine control systems.

[Figure 6-1: Local resolving of host names. IP addresses and host names with domain:
Machine A (switch, 10.1.80.0/24): Control system A 10.1.30.1/24 fold.cell-a.example.com; Control system B 19.1.30.2/24 fill.cell-a.example.com; Control system C 10.1.30.3/24 pack.cell-a.example.com.
Machine B (switch, 10.1.81.0/24): Control system A 10.1.31.1/24 fold.cell-b.example.com; Control system B 10.1.31.2/24 fill.cell-b.example.com; Control system C 10.1.31.3/24 pack.cell-b.example.com.
Machine C (switch, 10.1.32.0/24): Control system A 10.1.32.1/24 fold.cell-c.example.com; Control system B 10.1.32.2/24 fill.cell-c.example.com; Control system C 10.1.32.3/24 pack.cell-c.example.com.
Plant network (Ethernet). The notebook can obtain the IP address to be used, the name server and the domain from the FL MGUARD via DHCP. Legend: Hostname, Domainname.]

6.4.3.2 DynDNS

[Screenshot: Network >> DNS >> DynDNS. DynDNS: Register this mGuard at a DynDNS Service; Status; Refresh Interval (sec); DynDNS Provider: DNS4BIZ; DynDNS Server; DynDNS Login; DynDNS Password; DynDNS Hostname: dyndns.example.com.]
82. number only applies for access via the External, External 2, VPN and Dial-in interface. Port number 22 still applies for internal access. The remote peer that implements remote access may have to specify the port number defined here during login.

Example: If this FL MGUARD can be accessed over the Internet via address 123.124.125.21 and default port number 22 has been specified for remote access, you may not need to enter this port number in the SSH client (e.g. PuTTY or OpenSSH) of the remote peer. If a different port number has been set, e.g. 2222, this must be specified, e.g. ssh -p 2222 123.124.125.21.

Allowed Networks: [Screenshot: rule table (Log ID fw-ssh-access) with columns From IP, Interface, Action, Comment, Log; the example rows use interface External, action Accept, Log No.]

Lists the firewall rules that have been set up. These apply for incoming data packets of an SSH remote access attempt. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored. The rules specified here only take effect if "Enable SSH remote access" is set to Yes. Internal access is also possible when this option is set to No. A firewall rule that would refuse internal access does therefore not apply in this case. The following options are available:
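The first-match evaluation described above (top of the list downwards, first applicable rule wins, later rules ignored, table only consulted when remote access is enabled, internal access unaffected) can be modelled as follows. This is an added example, not code from the manual or from the device's firewall; the rule fields, the drop default when no rule matches, and the sample rule table are assumptions made for the illustration.

```python
"""Added example: first-match evaluation of the SSH remote access rule table
(example code, not the device's own firewall implementation).

Behaviour taken from the text:
  * rules are tried from the top; the first matching rule is applied and
    the remaining rules are ignored;
  * the table only takes effect if "Enable SSH remote access" is Yes;
  * internal access is possible regardless of the table, so a rule that
    would refuse internal access never applies.
The rule fields, the "drop when nothing matches" default and the sample
rules are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    from_ip: str        # source network, e.g. "10.1.0.0/16" or "0.0.0.0/0"
    interface: str      # "External", "External 2", "VPN", "Dial-in"
    action: str         # "Accept" or "Drop"
    log: bool = False
    comment: str = ""


@dataclass(frozen=True)
class Decision:
    action: str
    matched: Optional[Rule]   # None when no table rule was applied
    logged: bool


def evaluate_ssh_access(rules: List[Rule], remote_access_enabled: bool,
                        src_ip: str, interface: str) -> Decision:
    """Decide whether an incoming SSH connection attempt is accepted."""
    # Internal access does not depend on the rule table at all.
    if interface == "Internal":
        return Decision("Accept", None, False)
    # With remote access disabled the table is not consulted and nothing
    # arriving on the remote-facing interfaces is accepted.
    if not remote_access_enabled:
        return Decision("Drop", None, False)
    addr = ip_address(src_ip)
    for rule in rules:
        if rule.interface != interface:
            continue
        if addr in ip_network(rule.from_ip, strict=False):
            # First match wins; later rules are never examined.
            return Decision(rule.action, rule, rule.log)
    # Assumption: an attempt that matches no rule is dropped.
    return Decision("Drop", None, False)


# Constructed sample table (not taken from the manual).
SAMPLE_RULES = [
    Rule("10.1.0.0/16", "External", "Accept", log=True, comment="admin LAN"),
    Rule("0.0.0.0/0", "External", "Drop", log=True, comment="everyone else"),
    Rule("0.0.0.0/0", "VPN", "Accept"),
]

if __name__ == "__main__":
    for ip, ifc in [("10.1.5.9", "External"), ("203.0.113.5", "External"),
                    ("203.0.113.5", "VPN"), ("192.168.1.7", "Internal")]:
        d = evaluate_ssh_access(SAMPLE_RULES, True, ip, ifc)
        print(ip, ifc, "->", d.action, "(rule: %s)" % (d.matched.comment if d.matched else "none"))
```

Because the second sample rule already covers 0.0.0.0/0 on External, any rule placed below it for that interface would be dead; the ordering of the table, not the number of rules, determines the outcome.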
83. on the FL MGUARD. The "Per Session" setting specifies that you only have to click on Apply once after making changes on a number of pages.

Only displayed when "Login with X.509 user certificate" is selected.

6.2.2.2 Access

[Screenshot: Management >> Web Settings >> Access. HTTPS Web Access: Allowed Networks (Log ID fw https access N0 3657839e a090 1937 a71a 080027e157fb): From IP 0.0.0.0/0, Interface External, Action Accept, Log Yes. User authentication: User authentication method: Login restricted to X.509 client certificate. CA certificate: Web RootCA, Web SubCA. X.509 Subject: Authorized for access as admin. X.509 Certificate: Authorized for access as root (example entry "Meyer Ralf").]

These rules allow to enable HTTPS remote access. Important: Make sure to set secure passwords before enabling remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: The table "Allowed Networks" is effective only if remote access is enabled. Note: The HTTPS access from the internal side is allowed for all networks when remote access is disabled. Note: Once remote access is enabled, the HTTPS access from the internal side and via dial-in or VPN is allowed by default and can be restricted by firewall r
84. other European countries. Otherwise, the ISDN protocol should be specified according to the country. If necessary, this must be requested from the relevant phone company.

Layer 2 protocol: The regulation used by the ISDN terminal adapter of the local FL MGUARD to communicate with its ISDN remote peer. This is generally the ISDN modem of the Internet service provider used to establish the connection to the Internet. This must be requested from the Internet service provider. PPP (ML-PPP) is often used.

6.4.2 Network >> NAT
6.4.2.1 Masquerading

[Screenshot: Network >> NAT >> Masquerading (tabs Masquerading, Port Forwarding). Network Address Translation / IP Masquerading: rule "External, 192.168.88.0/24". These rules let you specify which IP addresses (normally addresses within the private address space) are to be rewritten to the mGuard's IP address. Please note: These rules won't apply to the Stealth mode. 1:1 NAT: example rule with internal network 192.168.66.32, external network 193.99.144.84, netmask 30. Please note: These rules won't apply to the Stealth mode.]

Network >> NAT >> Masquerading. Network Address Translation / IP Masquerading: Lists the rules defined for NAT (Network Address Translation). For outgoing data packets, the device can rewrite the specified sender IP addresses from its internal network to its own external address, a technique referred to as NAT (Network Address Translation), see also NA
85. owner is specified in the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an object identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a corresponding value. Example: CN=John Smith, O=Smith and Co, C=US.

If certain subject attributes have very specific values for the acceptance of the SSH client by the FL MGUARD, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the asterisk (*) wildcard. Example: CN=*, O=*, C=US (with or without spaces between attributes). In this example, the attribute "C=US" must be entered in the certificate under Subject. It is only then that the FL MGUARD would accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value.

If a subject filter is set, the number, but not the order, of the specified attributes must correspond to that of the certificates for which the filter is to be used. Please note that the filter is case-sensitive. Several filters can be set, and their sequence is irrelevant.

Authorized for access as: All users, root, admin, netadmin, audit. Additional filter which defines that the SSH client has to be authorized for a specific administration level in order to gain access. When establishing a connection, the SSH client shows its certificate and also specifies the system u
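The matching rules stated above for a subject filter (attribute count must agree, order is irrelevant, "*" leaves a value free, comparison is case-sensitive) are small enough to write out in full. The following is an added example, not code from the manual or from the mGuard firmware; the comma-separated parsing of the filter string and the sample subjects are assumptions for the illustration, and the handling of repeated attribute types (exact values matched before wildcards) goes slightly beyond the single example in the text.

```python
"""Added example: X.509 subject filter matching as described for the mGuard
SSH client certificate filter (example code, not the manufacturer's
implementation).

Rules taken from the text:
  * a filter is a list of attribute=value pairs such as "CN=*, O=*, C=US";
  * "*" means the attribute value is freely selectable;
  * the number of attributes must match, their order does not;
  * comparison is case-sensitive.
Everything else (parsing of the comma-separated string, treatment of
repeated attribute types, the sample subjects) is an assumption.
"""
from typing import List, Tuple

Attr = Tuple[str, str]


def parse_subject(text: str) -> List[Attr]:
    """Split 'CN=John Smith, O=Smith and Co, C=US' into (type, value) pairs.

    Spaces around the separators are ignored, since the text says the filter
    may be written with or without spaces between attributes.
    """
    attrs: List[Attr] = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        typ, val = part.split("=", 1)
        attrs.append((typ.strip(), val.strip()))
    return attrs


def subject_matches(filter_text: str, subject_text: str) -> bool:
    """Return True if the certificate subject is accepted by the filter."""
    flt = parse_subject(filter_text)
    subj = parse_subject(subject_text)
    # The number of attributes must be identical; the order is irrelevant.
    if len(flt) != len(subj):
        return False
    # Each filter attribute must be satisfied by a distinct subject
    # attribute of the same type, with an exact (case-sensitive) value
    # unless the filter value is "*".  Exact values are matched first so a
    # wildcard never consumes the attribute an exact entry needed.
    remaining = list(subj)
    for ftyp, fval in sorted(flt, key=lambda a: a[1] == "*"):
        for i, (styp, sval) in enumerate(remaining):
            if styp == ftyp and (fval == "*" or fval == sval):
                del remaining[i]
                break
        else:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample subjects, not taken from the manual.
    for subj in ["CN=John Smith, O=Smith and Co, C=US",
                 "C=US, O=Smith and Co, CN=John Smith",
                 "CN=John Smith, O=Smith and Co, C=us",
                 "CN=John Smith, C=US"]:
        print(f"{subj!r:50} -> {subject_matches('CN=*, O=*, C=US', subj)}")
```

Note that a subject carrying an extra attribute (for example an added OU) is rejected even though every filtered attribute matches, which is exactly the "number of attributes must correspond" rule; a filter has to list a wildcard entry for every attribute the certificates actually contain.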
86. OK to the initialization sequence.

Some external modems, depending on their default settings, require a physical connection to the DTR cable of the serial interface in order to operate correctly. Because the FL MGUARD models do not provide this cable at the external serial interface, the character string "AT&D0 OK" (a space, followed by AT&D0, followed by a space, followed by OK) must be appended to the above initialization sequence. According to the extended HAYES command set, this sequence means that the modem does not use the DTR cable.

If the external modem is to be used for outgoing calls, it is connected to a private branch exchange, and this private branch exchange does not generate a dial tone after the connection is opened, then the modem must be instructed not to wait for a dial tone before dialing. In this case, append the character string "ATX3 OK" (a space, followed by ATX3, followed by a space, followed by OK) to the initialization sequence. In order to wait for the dial tone, the control character "w" should be inserted in the "Phone number to call" after the digit for dialing an outside line.

Primary External Interface; Secondary External Interface; PPP dial-in options.

Configuration. For the FL MGUARD RS with built-in modem (built-in ISDN modem / ISDN terminal adapter): The FL MGUARD RS is available wi
87. page 6-113. Each firewall user can be assigned a set of firewall rules, also referred to as a template.

6.6.3.1 User Firewall Templates

[Screenshot: Network Security >> User Firewall >> User Firewall Templates; one template named "office".]

All defined user firewall templates are listed here. A template can consist of several firewall rules. A template can be assigned to several users.

Defining a new template: In the template table, click on Edit to the right of the unnamed entry under Name. If the unnamed entry cannot be seen, open another row in the table.

Editing a rule set: Click on Edit to the right of the relevant entry.

Network Security >> User Firewall >> User Firewall Templates. General: Enabled: Activates/deactivates the relevant template. Name: Name of the template. The name is specified when the template is created.

The following tab page appears when you click on Edit: [Screenshot: Network Security >> User Firewall >> Office (tabs General, Template users). Options: A descriptive name for the template; Enabled; Comment; Timeout; Timeout type.]

Configuration: Network Security >> User Firewall >> User Firewall Templates (continued). Options: A descriptive name for the template: The user firewall template can be freely named and renamed. Enabled: Yes/No. When set to Yes, the user firewall template becomes active as soo
88. port to listen on, IPsec VPN >> Global >> Options menu item) if TCP Encapsulation is used (see "TCP Encapsulation" on page 6-165). If the FL MGUARD is to establish a VPN connection to a maintenance center and encapsulate the data traffic there, "Initiate" or "Initiate on traffic" must be specified. If the FL MGUARD is installed at a maintenance center to which FL MGUARD devices establish a VPN connection, "Wait" must be specified.

IPsec VPN >> Connections >> Edit >> General (continued). Transport and Tunnel Settings: Stealth mode: Click here to specify additional tunnel and transport paths. Router mode: [Screenshot: Transport and Tunnel Settings; VPN connection channels, for each individual VPN connection channel: Enabled, Comment, Type.]

Transport and Tunnel Settings: A VPN connection defined under a descriptive name can comprise several VPN connection channels. Multiple VPN connection channels can therefore be defined here. When you click on "More", another, partially overlapping page is displayed where connection parameters can be specified for the relevant transport path or tunnel.

VPN connection channels: For each individual VPN connection channel: Enabled: Yes/No. Specify whether the connection channel should be active (Yes) or not (No). Comment: Freely selectable comment text. Can be left empty. Type: The following can be selected: Tunnel network
89. qualified electricians or persons instructed by them who are familiar with applicable standards and other regulations regarding electrical engineering and, in particular, the relevant safety concepts; qualified application programmers and software engineers who are familiar with the safety concepts of automation technology and applicable standards.

Phoenix Contact accepts no liability for erroneous handling or damage to products from Phoenix Contact or third-party products resulting from disregard of information contained in this manual.

Explanation of symbols used and signal words: This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety messages that follow this symbol to avoid possible injury or death. DANGER: This indicates a hazardous situation which, if not avoided, will result in death or serious injury. WARNING: This indicates a hazardous situation which, if not avoided, could result in death or serious injury. CAUTION: This indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

The following types of messages provide information about possible property damage and general information concerning proper operation and ease of use. NOTE: This symbol and the accompanying text alerts the reader to a situation which may cause damage or malfunction to the device, either hardware or software, or surrounding property. This symbol
90. remote peer, the NAT router will modify the UDP and TCP headers of the datagram, replacing the source IP address and port with its own official IP address and a previously unused port. It does this using a table in which the original values are listed together with the corresponding new ones. When a response datagram is received, the NAT router will recognize that it is intended for an internal computer from the destination port of the datagram. Using the table, the NAT router will replace the destination IP address and port before forwarding the datagram via the internal network.

Port number: A port number is assigned to each participant in UDP and TCP protocol-based communication. This number makes it possible to differentiate multiple UDP or TCP connections between two computers and use them at the same time. Certain port numbers are reserved for specific purposes. For example, HTTP connections are usually assigned to TCP port 80 and POP3 connections to TCP port 110.

Proxy: A proxy is an intermediary service. A web proxy (e.g. Squid) is often connected upstream of a large network. For example, if 100 employees access a certain website at the same time over a web proxy, then the proxy only loads the relevant web pages once from the server and then distributes them as needed among the employees. Remote web traffic is reduced, which saves money.

PPPoE: Acronym for Point-to-Point Protocol over Ethernet. A protocol based on the PPP and Ethernet standard
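The translation table the glossary entry describes, and the masquerading rules of Network >> NAT >> Masquerading (which source networks get rewritten to the device's external address), can be illustrated together with a small simulation. This is an added example and not code from the manual or the device; the datagram representation, the port range used for new mappings, the decision to drop inbound datagrams whose sender does not match the recorded remote peer, and the sample traffic are all assumptions made for the illustration.

```python
"""Added example: the translation table kept by a masquerading NAT router,
as described in the glossary and in Network >> NAT >> Masquerading
(example code, not the device's own implementation).

From the text: for an outgoing datagram from a masqueraded network the
router replaces the internal source IP and port with its own external IP
and a previously unused port, records original and new values in a table,
and uses the destination port of a response to find the internal host.
The datagram representation, port range, peer check on inbound traffic
and the sample traffic are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingNat:
    def __init__(self, external_ip: str, masq_networks: Iterable[str],
                 first_port: int = 1024) -> None:
        self.external_ip = external_ip
        # Masquerading rules: source networks rewritten to the external IP.
        self.masq_networks = [ip_network(n) for n in masq_networks]
        self._next_port = first_port
        # (proto, external port) -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # Reverse index so an existing flow keeps its allocated port.
        self._by_flow: Dict[Tuple[str, str, int, str, int], int] = {}

    def _should_masquerade(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        return any(addr in net for net in self.masq_networks)

    def _allocate_port(self) -> int:
        # Assumption: ports are handed out sequentially and never reused here.
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite an internal -> external datagram; unchanged if no rule applies."""
        if not self._should_masquerade(d.src_ip):
            return d
        flow = (d.proto, d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = self._allocate_port()
            self.table[(d.proto, port)] = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
            self._by_flow[flow] = port
        return Datagram(d.proto, self.external_ip, port, d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Map a response back to the internal host using the destination port.

        Returns None when no table entry exists, i.e. unsolicited traffic,
        which the router does not forward.
        """
        if d.dst_ip != self.external_ip:
            return None
        entry = self.table.get((d.proto, d.dst_port))
        if entry is None:
            return None
        in_ip, in_port, remote_ip, remote_port = entry
        # Assumption: only the remote peer recorded for the flow may use it.
        if (d.src_ip, d.src_port) != (remote_ip, remote_port):
            return None
        return Datagram(d.proto, d.src_ip, d.src_port, in_ip, in_port)


if __name__ == "__main__":
    # Constructed sample traffic (addresses not taken from the manual).
    nat = MasqueradingNat("193.99.144.84", ["192.168.88.0/24"])
    out = nat.outbound(Datagram("tcp", "192.168.88.10", 40000, "198.51.100.7", 80))
    print("outbound rewritten to:", out)
    back = nat.inbound(Datagram("tcp", "198.51.100.7", 80, "193.99.144.84", out.src_port))
    print("response delivered to:", back)
    print("unsolicited:", nat.inbound(Datagram("tcp", "198.51.100.7", 80, "193.99.144.84", 5000)))
```

The table is what makes masquerading a one-way door: an inbound datagram is only forwarded if an internal host created the matching entry first, which is why the manual's port forwarding rules (the other tab of the same page) are needed for any service that must be reachable from outside.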
91. remove electrostatic discharge. The module contains components that can be damaged or destroyed by electrostatic discharge. When handling this module, observe the necessary safety precautions against electrostatic discharge (ESD) according to EN 61340-5-1 and EN 61340-5-2.

4.8.4 FL MGUARD PCI Setup

- Configure the FL MGUARD PCI for driver mode or Power-over-PCI mode (see "Selection of driver mode or Power-over-PCI mode" on page 4-21).
- To do this, set jumper 2 to the relevant position.

[Figure 4-21: Jumper for driver or Power-over-PCI mode (jumper positions shown for driver mode and for Power-over-PCI mode).]

Requirements:
- Switch off the computer and any other connected I/O devices.
- Observe the safety notes for electrostatic discharge.
- Unplug the power cable.
- Open the computer cover. Please refer to the description in the computer user manual for this step.
- Select a free PCI slot (3.3 V or 5 V) for the FL MGUARD PCI.
- Remove the corresponding slot plate by loosening the relevant screw and pulling out the slot plate. Keep the screw for securing the FL MGUARD PCI card.
- Carefully align the male connector of the FL MGUARD PCI card over the female connector of the PCI slot on the motherboard and then press the card evenly into the female connector.
- Tighten the card slot plate.
- Close
92. security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Startup. Lower terminal strip. Connection options on lower terminal block: The FL MGUARD RS is available in five versions which can be distinguished by their designation and order number as well as by the connection options on the lower terminal block.

[Figure 4-2: FL MGUARD RS, lower terminal block. Three variants are shown (each with P1, P2; Modem, Fault, State, Error LEDs; LAN, WAN; labelled "mGuard industrial RS"): with ISDN terminal adapter (ISDN Line: TX, TX, RX, RX; CMD/ACK), with analog modem (TIP, RING; CMD/ACK), and without modem / ISDN terminal adapter (CMD/ACK).]

[Figure 4-3: FL MGUARD RS without modem / ISDN terminal adapter. Lower area on front: service plate with terminal strip: functional earth ground; signal contact (interrupted in the event of an error); button or on/off switch; signal LED (20 mA); service contacts CMD/ACK for establishing a predefined VPN connection.]
93. select the General tab. Under "This connection uses the following items", select "Internet Protocol (TCP/IP)". Then click on Properties to display the following dialog box.

[Figure 5-2: Internet Protocol (TCP/IP) Properties (German Windows XP dialog). Fields: obtain an IP address automatically; IP address (192.168…), subnet mask (255.255…), default gateway (192.168…); use the following DNS server addresses: preferred DNS server, alternate DNS server.]

Default gateway: Once you have configured the network interface, it should be possible to access the configuration interface of the FL MGUARD using a web browser under the URL https://1.1.1.1. If this is not possible, the default gateway of your computer probably cannot be accessed. In this case, it should be simulated on your computer as follows.

Initializing the default gateway: Determine the currently valid default gateway address. Under Windows XP, carry out the steps described under "Configuring the network interface" on page 5-7 to open the Internet Protocol (TCP/IP) Properties
94. should be transmitted to the external log server specified below, set this option to Yes.

Log Server IP address: Specify the IP address of the log server to which the log entries should be transmitted via UDP. An IP address must be specified, not a host name. This function does not support name resolution because it would not be possible to make log entries if a DNS server failed.

Log Server port (normally 514): Specify the port of the log server to which the log entries should be transmitted via UDP. Default: 514.

If SysLog messages should be transmitted to a SysLog server via a VPN channel, the IP address of the SysLog server must be located in the network that is specified as the "Remote" network in the definition of the VPN connection. The internal IP address (in stealth mode: Stealth Management IP Address or Virtual IP) must be located in the network that is specified as "Local" in the definition of the VPN connection (see "Defining a VPN connection / VPN connection channels" on page 6-171).

Logging >> Remote Logging (continued). If the "Enable 1-to-1 NAT of the local network to an internal network" option is set to Yes (see "1:1 NAT" on page 6-178), the following applies: the internal IP address (in stealth mode: Stealth Management IP Address or Virtual IP) must be located in the network that is specified as the "Internal network add
95. software of the FL MGUARD should be reloaded on the device. All configured settings are deleted. The FL MGUARD is restored to the settings default upon delivery. In Version 5.0.0 or later of the FL MGUARD, the licenses installed in the FL MGUARD are retained after flashing the firmware. They therefore do not have to be installed again. For the FL MGUARD RS, only firmware Version 5.1.0 or later can be installed.

Possible reasons for flashing the firmware: The administrator and root password have been lost.

Requirements for flashing the firmware: DHCP and TFTP server. NOTE: To flash the firmware, a DHCP and TFTP server or a BOOTP and TFTP server must be installed on the locally connected computer. Install the DHCP and TFTP server if necessary (see "Installing the DHCP and TFTP server" on page 7-6). NOTE: If you install a second DHCP server in a network, this could affect the configuration of the entire network.

Action: To flash the firmware, proceed as follows. NOTE: Do not interrupt the power supply to the FL MGUARD during any stage of the flashing procedure. The device could be damaged and may have to be reactivated by the manufacturer.

Additional requirements: The FL MGUARD software has been obtained from the Innominate Support team or from www.innominate.com and has been saved on the configuration computer. If your current software version is newer than the version default upon delivery, a lic
96. specific conditions are met, and it is only then that the routing settings of the secondary external interface take effect. Network address 0.0.0.0/0 generally refers to the largest definable network, i.e. the Internet. In router network mode, the local network connected to the FL MGUARD can be accessed via the secondary external interface as long as the specified firewall settings allow this.

Configuration: Network >> Interfaces >> General (continued). Secondary External Interface (continued). Probes for Activation.

[Screenshot: Secondary External Interface: Network Mode: Modem network mode; Operation Mode: temporary. Secondary External Routes: Network, Gateway, Comment. Probes for Activation: Destination, Comment. The secondary external interface is activated only if all probes fail and if the operation mode is set to temporary. Probe Interval (seconds). Number of times all probes need to fail during subsequent runs before the secondary external interface is activated. DNS Mode: use primary DNS settings untouched. User-defined name servers: if they should be reachable via the secondary external interface, please configure a route for them.]

If the operating mode of the secondary external interface is set to "temporary", the follo
97. system time field. The administrator has set the "Time stamp in filesystem" setting to Yes and has either transmitted the current system time to the FL MGUARD via NTP (see below under "NTP Server") or has entered it under "Local system time". The system time of the FL MGUARD is then synchronized using the time stamp after a restart, even if it has no built-in clock, and is set exactly again afterwards via NTP.

The administrator has activated NTP time synchronization under "NTP Server", has entered the address of at least one NTP server, and the FL MGUARD has established a connection with at least one of the specified NTP servers. If the network is working correctly, then this occurs a few seconds after a restart. The display in the "NTP State" field may only change to "synchronized" much later (see the explanation below under "NTP State").

Hardware clock state (for FL MGUARD RS, FL MGUARD GT/GT and FL MGUARD DELTA): The state of the built-in clock is only visible if the FL MGUARD has a clock that also runs when the FL MGUARD is not supplied with power and is switched off. The display shows whether the clock has been synchronized with the current time. The built-in clock is only synchronized if the system time of the FL MGUARD has been synchronized. Once the clock has been synchronized, its status only returns to "not synchronized" if the firmware is reinstalled on the device (see Section 7.3, "Flashing the firmware") or if the capacitor (FL MGUARD R
98. ... table, the certificates that must be provided are the ones the FL MGUARD uses to authenticate the relevant VPN remote peer.

Requirements: The following instructions assume that the certificates have already been correctly installed on the FL MGUARD (see Authentication >> Certificates on page 6-116), apart from the remote certificate. If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates >> Certificate settings menu item, each certificate signed by a CA that is shown by the VPN remote peer must be checked for revocations. This excludes locally configured (imported) remote certificates.

Remote CA Certificate: Self-signed machine certificate: If the VPN remote peer authenticates itself with a self-signed machine certificate:
- Select the following entry from the selection list: "No CA certificate, but the Remote Certificate below".
- Install the remote certificate under Remote Certificate (see Installing the remote certificate on page 6-184). It is not possible to reference a remote certificate loaded under the Authentication >> Certificates menu item.
Machine certificate signed by the CA: If the VPN remote peer authenticates itself with a machine certificate signed by a CA, it is possible to authenticate the machine certificate shown by the remote peer as follows: Using
99. ... the connection process, providing the X.509 authentication method is used. In terms of the FL MGUARD, this could apply to the following applications:
- Authentication of communication partners when establishing VPN connections (see IPsec VPN >> Connections on page 6-169, Authentication on page 6-181).
- Management of the FL MGUARD via SSH (shell access) (see Management >> System Settings on page 6-4, Shell Access on page 6-11).
- Management of the FL MGUARD via HTTPS (see Management >> Web Settings on page 6-18, Access on page 6-20).

Certificate (machine certificate): Certificates can be used to identify/authenticate oneself to others. The certificate used by the FL MGUARD to identify itself to others shall be referred to as the machine certificate here, in line with Microsoft Windows terminology. A certificate specific to an individual (user certificate), showing a person, is one used by operators to authenticate themselves to remote peers, e.g. for an operator attempting to access the FL MGUARD remotely via HTTPS and a web browser. A certificate specific to an individual can be saved on a chip card and then inserted in the card reader of the relevant computer when prompted by a web browser, for example.

Remote certificate: A certificate is thus used by its owner (person or
100. ... the FL MGUARD is set to, the page will change together with its configuration parameters. See:
- Stealth (default setting except for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller) on page 6-58 and Network Mode: Stealth on page 6-62.
- Router (default setting for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller) on page 6-59 and Network Mode: Router on page 6-72.
- Router modes Static, DHCP, PPPoE, PPTP, Modem, Built-in Modem: see Router Mode: static on page 6-60 and Router network mode / PPTP router mode on page 6-77; Router Mode: DHCP on page 6-60 and Router network mode / DHCP router mode on page 6-75; Router Mode: PPPoE on page 6-60 and Router network mode / PPPoE router mode on page 6-76; Router Mode: PPTP on page 6-60 and Router network mode / PPTP router mode on page 6-77; Router Mode: Modem on page 6-61 and Router network mode / Modem (Built-in Modem) router mode on page 6-78; Router Mode: Built-in Modem on page 6-61 and Router network mode / Modem (Built-in Modem) router mode on page 6-78.
Modem (built-in modem) is not available for all FL MGUARD models. See Network >> Interfaces on page 6-55.

Stealth (default setting except for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller): Stea
101. ... the Subject field. The entry is comprised of several attributes. These attributes are either expressed as an object identifier (e.g. 132.3.7.32.1) or, more commonly, as an abbreviation with a corresponding value. Example: CN=VPN end point 01, O=Smith and Co, C=US. If certain subject attributes have very specific values for the acceptance of the VPN remote peer by the FL MGUARD, then these must be specified accordingly. The values of the other, freely selectable attributes are entered using the asterisk (*) wildcard. Example: CN=*, O=Smith and Co, C=US (with or without spaces between attributes). In this example, the attributes "O=Smith and Co" and "C=US" must be entered in the certificate that is shown under Subject. It is only then that the FL MGUARD would accept the certificate owner (Subject) as a communication partner. The other attributes in the certificates to be filtered can have any value. If a subject filter is set, the number and the order of the specified attributes must correspond to that of the certificates for which the filter is to be used. Please note: these are case-sensitive.

IPsec VPN >> Connections >> Edit >> Authentication (continued): VPN Identifier; Authentication method: Pre-Shared Secret (PSK). [screenshot residue: IPsec VPN > Connections > Berlin-London > Authentication; Authentication method: Pre-Shared Secr
102. ... the connection to the telephone network is connected to the serial port. The connection to the WAN or Internet is then established via the telephone network by means of the external modem. If the address of the FL MGUARD is changed, e.g. by changing the network mode from Stealth to Router, the device can only be accessed via the new address. If the configuration is changed via the LAN port, confirmation of the new address is displayed before the change is applied. If configuration changes are made via the WAN port, no confirmation is displayed. If the mode is set to Router, PPPoE or PPTP and you then change the IP address of the LAN port and/or the local subnet mask, make sure you specify the correct values. Otherwise the FL MGUARD may no longer be accessible under certain circumstances. For the further configuration of built-in modem / modem network mode, see Router network mode: Modem (Built-in Modem) router mode on page 6-78.

Router Mode: Built-in Modem: Only used for FL MGUARD RS devices with a built-in modem or ISDN terminal adapter. If built-in modem network mode is selected, the external Ethernet interface of the FL MGUARD is deactivated and data is transferred to and from the WAN via the built-in modem or built-in ISDN terminal adapter of the FL MGUARD. This must be connected to the telephone network. The connection to the Internet is then established via the telephone network. After selecting built-in modem, the
103. ... the empty handling plate with the suitable number from the FL MGUARD BLADEBASE accessories, or replace it with the plate from the old FL MGUARD BLADE. To do this, pull or push the plate sideways.

Control unit (CTRL slot): The CTRL slot is located right next to the two power supply units. An FL MGUARD BLADE operated in this slot acts as the controller for all other FL MGUARD BLADE devices. During initial installation of an FL MGUARD BLADE in the CTRL slot, the BLADE is reconfigured as a control unit as follows:
- The user interface is reconfigured for operation as a controller.
- It switches to router mode with local IP address 192.168.1.1.
- The firewall, CIFS integrity monitoring and VPN functions are reset and deactivated.

Connecting the FL MGUARD BLADE: [Figure 4-16: Connecting the FL MGUARD BLADE to the network; computer in the patch field, patch field, switch, FL MGUARD BLADE, before/after] NOTE: If your computer is already connected to a network, patch the FL MGUARD BLADE between the existing network connection. Please note that configuration can only be completed from the local computer via the LAN interface, and the firewall of the FL MGUARD prevents all IP data traffic from the WAN to the LAN interface. Driver installation is not required. For security reasons, we recommend you change the default root and adm
104. ... the superordinate CA, and so forth up to the root certificate. See glossary under CA certificate. Authentication using CA certificates enables the number of possible remote peers to be extended without any increased management effort, as the installation of a remote certificate for each possible remote peer is not compulsory.

Creation of certificates: To create a certificate, a private key and the corresponding public key are required. Programs are available with which the user can create these keys. A corresponding certificate with the corresponding public key can also be created, resulting in a self-signed certificate. Additional information about self-creation can be downloaded from www.innominate.com. It is available in the download area in an application note entitled "How to obtain X.509 certificates". A corresponding certificate signed by a CA must be requested from the CA. In order for the private key to be imported into the FL MGUARD with the corresponding certificate, these components must be packed into a PKCS#12 file (file name extension *.p12).

Authentication method: The FL MGUARD uses two principal methods of X.509 authentication. The authentication of a remote peer is carried out based on the certificate and remote certificate. In this case, the remote certificate that is to be co
105. ... unless the device was delivered accordingly. The device must be restarted in order to use this installed license.

Virtual IP address (only in stealth mode): [Figure 6-4: Virtual IP; virtual local network, IPsec tunnel, client's virtual IP, client's actual IP, Internet, remote VPN gateway, remote network] In stealth mode, the local network of the VPN is simulated by the FL MGUARD. Within this virtual network, the client is known as, and can be addressed by, the virtual IP address to be entered here.

IPsec VPN >> Connections >> Edit >> General: Further settings can be made by clicking on "More Options". [screenshot residue: IPsec VPN > Connections > Tunnel Settings; Enabled: Yes; Comment; Type: Tunnel; Local: 192.168.66.0/24; Remote: 172.16.66.0/24; NAT for IPsec tunnel connections: Enable 1:1 NAT of the local network to an internal network: Yes, Internal network address for local 1:1 NAT: 192.168.0.0; Enable 1:1 NAT of the remote network to a different network: Yes, Network address for remote 1:1 NAT: 192.168.1.0] Protocol: Enabled: Yes/No, as above. Comment: Freely selectable comment text; can be left empty. Type: Tunnel/Transport, as above. When you switch t
106. ... used in the configuration. Server: IP address of the authorized server. Share: Name of the network drive made available by the authorized server. Click on Edit to make the settings. [screenshot residue: CIFS Integrity Monitoring > Importable Shares > pc x7 scan; Identification for Reference: Name: pc x7 scan; Location of the Importable Share: IP address of the server: 192.168.66.2, Imported share's name: pc x7 scan; Authentication for mounting the Share: Workgroup: WORKGROUP, Login: pc x7 scan, Password: (masked)]

CIFS Integrity Monitoring >> Importable Shares >> Edit: Identification for Reference: Name: Name of the network drive that is to be checked (internal name used in the configuration). Location of the Importable Share: IP address of the server: IP address of the server whose network drive is to be checked. Imported share's name: Directory on the above authorized server that is to be checked. Authentication for mounting the Share: Workgroup: Name of the workgroup to which the network drive belongs. Login: Login for the server. Password: Password for login.

6.7.2 CIFS Integrity Monitoring >> CIFS Integrity Checking: When CIFS integrity checking is performed, the Windows network drives are checked to determine whether certain files (e.g.
107. ... using the new update must first be obtained so that the required license file is available for the flashing process. This applies to major release upgrades, e.g. from Version 4.x.y to Version 5.x.y to Version 6.x.y, etc. See Flashing the firmware on page 7-3.

Management >> Licensing >> Overview: General: Feature License: Shows which functions are included with the installed FL MGUARD license, e.g. the number of possible VPN tunnels, whether remote logging is supported, etc.

6.2.3.2 Install: More functions can be added later to the FL MGUARD license you have obtained. You will find a voucher serial number and a voucher key in the voucher included with the FL MGUARD. The voucher can also be purchased separately. It can be used to request the required feature license file and install the license file. [screenshot residue: Management > Licensing > Install; Automatic License Installation: Voucher Serial Number, Voucher Key, Online License Request; Reload Licenses: Online License Reload; Manual License Installation: Order License, Edit License Request Form, Filename, Install license file]

Management >> Licensing >> Install: Automatic License Installation: Voucher Serial Number: Enter the serial number printed on
108. ... when you attempt to establish a connection to the Internet. PPTP Login: The user name (login) that is required by the Internet service provider when you attempt to establish a connection to the Internet. PPTP Password: The password that is required by the Internet service provider when you attempt to establish a connection to the Internet. Local IP Mode: Via DHCP: If the address data for access to the PPTP server is provided by the Internet service provider via DHCP, select "Via DHCP". In this case no entry is required under Local IP. Static (from field below): If the address data for access to the PPTP server is not supplied by the Internet service provider via DHCP, the local IP address must be specified. Local IP: The IP address via which the FL MGUARD can be accessed by the PPTP server. Modem IP: The address of the PPTP server of the Internet service provider. Internal Networks: See Internal Networks on page 6-72. Secondary External Interface: See Secondary External Interface on page 6-66.

Router network mode: Modem (Built-in Modem) router mode (FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA only): [screenshot residue: Network > Interfaces > General / Dial-in / Modem / Console; Network Status: External IP address, Active Default route, Used DNS servers; Network Mode: Router] Network >> Interfaces >
109. ... with 172.16.1.x addresses was set up for the WLAN. To provide the annex with an Internet connection via the VPN, a default route was set up via the VPN.
Tunnel configuration in the annex: Connection type: Tunnel (network <-> network); Address of the local network: 192.168.2.0/24; Address of the remote network: 0.0.0.0/0.
In the main building, the corresponding counterpart is configured. Tunnel configuration in the main building: Connection type: Tunnel (network <-> network); Local network: 0.0.0.0; Address of the remote network: 192.168.2.0/24.
The default route of an FL MGUARD usually uses the WAN port. However, in this case the Internet can be accessed via the LAN port. Default gateway in the main building: IP address of the default gateway: 192.168.1.253.

2.6 Resolving network conflicts: [Figure residue: several FL MGUARD devices, each fronting a 10.0.0.0/16 network] In the example, the networks on the right-hand side should be accessible to the network or computer on the left-hand side. However, for historical or technical reasons, the networks on the right-hand side overlap. The 1:1 NAT feature of the FL MGUARD can be used to translate these networks to other networks, thus resolving the conflict. 1:1 NAT can be used in normal routing and in IPsec tunnels.
110. ... 0 b5 d7 e4 7a a5 4b 94 ef d9 5e 43 7f c1 64 80 fd 9f 50 41 6b 70 73 80 48 90 f3 58 bf f0 4c b9 90 32 81 59 18 16 3f 19 f4 5f 11 68 36 85 f6 1c a9 af fa a9 a8 7b 44 85 79 b5 f1 20 d3 25 7d 1c de 68 15 0c b6 bc 59 46 0a d8 99 4e 07 50 0a 5d 83 61 d4 db c9 7d c3 2e eb 0a 8f 62 8f 7e 00 e1 37 67 3f 36 d5 04 38 44 44 77 e9 f0 54 95 f5 f9 34 9f f8 43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: email:xyz@anywhere.com
Netscape Comment: mod_ssl generated test server certificate
Netscape Cert Type: SSL Server
Signature Algorithm: md5WithRSAEncryption
12 ed f7 03 5e a0 93 3f a0 1d 60 cb 47 19 7d 15 59 9b 3b 2 a8 a3 6a 03 43 d0 85 d3 86 86 2f e3 aa 79 39 e7 82 20 ed f4 11 85 a3 41 5e 5 8d 36 a2 71 06 6a 08 f9 cc 1e da c4 78 05 75 8f 9b 10 f0 15 f0 9e 67 a0 4e a1 4d 3f 16 4 9b 19 56 6a f2 af 89 54 52 4a 06 34 42 0d d5 40 25 6b b0 c0 a2 03 18 cd d1 07 20 b6 e5 c5 1e 21 44 e7 5 09 d2 d5 94 9d 6c 13 07 2f 3b 7 4c 64 90 bf ff 8e

Glossary: The subject distinguished name (or subject for short) clearly identifies the certificate owner. The entry consists of several components. These are known as attributes (see the example certificate above). The following table contains a list of possible attributes. The sequence of attributes in an X.509 certificate can vary. Table 8-1: X.509 certificate
111. ... 1:1 NAT and port forwarding functions. Not all of the functions described in this user manual are supported. Configurable firewall for protection against unauthorized access: The dynamic packet filter inspects data packets using the source and destination address and blocks undesired data traffic. The device can be configured easily using a web browser.

1.1 Device properties
- Stealth (auto, static, multi), router (static, DHCP client), PPPoE (for DSL), PPTP (for DSL) and modem mode
- VLAN
- DHCP server/relay on internal and external network interfaces
- DNS cache on the internal network interface
- Administration via HTTPS and SSH
- Optional conversion of DSCP/TOS values (Quality of Service)
- Quality of Service (QoS)
- LLDP, MAU management, SNMP
- Gigabit connectivity (FL MGUARD GT/GT): 10/100/1000 Mbps for copper ports in RJ45 format, 1000 Mbps for fiber optic ports in SFP format
- Replaceable configuration memory (FL MGUARD GT/GT)
- Stateful packet inspection
- Anti-spoofing
- IP filter
- L2 filter (only in stealth mode)
- NAT with FTP, IRC and PPTP support (only in router modes)
- 1:1 NAT (only in router network mode)
- Port forwarding (not in stealth network mode)
- Individual firewall rules for different users (user firewall)
- Individual rule sets as action (target) of firewall rules (apart from user firewall or VPN firewall)

Anti-virus features
112. ... 106.1. Remote IP range (start/end): If set as shown in the screenshot above, the FL MGUARD will assign the remote peer an IP address between 10.106.106.2 and 10.106.106.254. Status: Displays information about the L2TP status if this connection type has been selected.

6.8.5 IPsec VPN >> IPsec Status: [screenshot residue: IPsec VPN > IPsec Status; buttons Update, Restart, Edit; columns GATEWAY, TRAFFIC, ID, ISAKMP State, IPsec State; entries Berlin-Dublin (Gateway 10.1.66.17 / any; ID MAI0326492600_1; 192.168.77.0/24 <-> 172.16.77.0/24; C=UK, O=Sample Supplier, L=E, CN=VPN terminal machine 06) and Berlin-London (Gateway 10.1.66.17 / any; ID MAI0895913944_1; 192.168.66.0/24 <-> 172.16.66.0/24; C=UK, O=Sample Supplier, L=E, CN=VPN terminal machine 06); state values shown: "ISAKMP SA established", "WAITING", "IPsec SA established"] Displays information about the status of IPsec connections. The names of the VPN connections are listed on the left, while their current status is indicated on the right. Buttons: To update the displayed data if necessary, click on Update. If you want to release and then restart a connection, click on the corresponding Restart button. If you want to reconfigure a connection, click on the corresponding Edit button. Connection / ISAKMP Status / IPsec Status: GATEWAY indicates the IP addresses of the
113. ... [Table residue, reconstructed: subnet mask in binary (four octets) and the corresponding CIDR prefix length]
/32: 11111111 11111111 11111111 11111111
/31: 11111111 11111111 11111111 11111110
/30: 11111111 11111111 11111111 11111100
/29: 11111111 11111111 11111111 11111000
/28: 11111111 11111111 11111111 11110000
/27: 11111111 11111111 11111111 11100000
/26: 11111111 11111111 11111111 11000000
/25: 11111111 11111111 11111111 10000000
/24: 11111111 11111111 11111111 00000000
/23: 11111111 11111111 11111110 00000000
/22: 11111111 11111111 11111100 00000000
/21: 11111111 11111111 11111000 00000000
/20: 11111111 11111111 11110000 00000000
/19: 11111111 11111111 11100000 00000000
/18: 11111111 11111111 11000000 00000000
/17: 11111111 11111111 10000000 00000000
/16: 11111111 11111111 00000000 00000000
/15: 11111111 11111110 00000000 00000000
/14: 11111111 11111100 00000000 00000000
/13: 11111111 11111000 00000000 00000000
/12: 11111111 11110000 00000000 00000000
/11: 11111111 11100000 00000000 00000000
/10: 11111111 11000000 00000000 00000000
/9: 11111111 10000000 00000000 00000000
/8: 11111111 00000000 00000000 00000000
/7: 11111110 00000000 00000000 00000000
/6: 11111100 00000000 00000000 00000000
/5: 11111000 00000000 00000000 00000000
/4: 11110000 00000000 00000000 00000000
/3: 11100000 00000000 00000000 00000000
/2: 11000000 00000000 00000000 00000000
/1: 10000000 00000000 00000000 00000000
/0: 00000000 00000000 00000000 00000000
Example: 192.168.1.0 / 255.255.255.0 corresponds in CIDR format to 192.168.1.0/24.

6.14 Network example diagram: The following diagram shows how IP addresses can be distributed in a local network with subnetworks, which network addresses result, and how the details regarding additional internal routes may look for the FL MGUARD. [Figure residue: Router with external IP address 192.168.11.2, internal IP address 192.168.15.254, subnet mask 255.255.255.0; Router with external IP address 192.168.15.1, internal IP address 192.168.27.254, subnet mask 255.255.255.0; additional internal routes; Internet; A: External address, e.g. 123.456.789.21, assigned
114. ... 6.8.4 IPsec VPN >> L2TP over IPsec: Allows VPN connections to the FL MGUARD to be established using the IPsec/L2TP protocol. In doing so, the L2TP protocol is driven using an IPsec transport connection in order to establish a tunnel connection with a Point-to-Point Protocol (PPP). Clients are automatically assigned IP addresses by the PPP. In order to use IPsec/L2TP, the L2TP server must be activated and one or more IPsec connections with the following properties must be defined: Type: Transport; Protocol: UDP; Local port: all; Remote port: all; PFS: No. See also on page 6-177 and IKE Options on page 6-190.

6.8.4.1 L2TP Server: [screenshot residue: IPsec VPN > L2TP over IPsec > L2TP Server Settings; Start L2TP Server for IPsec/L2TP; Local IP for L2TP connections: 10.106.106.1; Remote IP range: start 10.106.106.2, end 10.106.106.254; "Please note: These settings don't apply to the Stealth mode"; Status: "The L2TP daemon isn't running"] IPsec VPN >> L2TP over IPsec >> L2TP Server Settings: Start L2TP Server for IPsec/L2TP: If you want to enable IPsec/L2TP connections, set this option to Yes. It is then possible to establish L2TP connections to the FL MGUARD via IPsec which dynamically assign IP addresses to the clients within the VPN. Local IP for L2TP connections: If set as shown in the screenshot above, the FL MGUARD will inform the remote peer that its address is 10.106
115. ... IPsec VPN >> Connections >> Edit >> IKE Options (continued): Encryption Algorithm: See above. Hash Algorithm: See above. Perfect Forward Secrecy (PFS): Method for providing increased security during data transmission. With IPsec, the keys for data exchange are renewed at defined intervals. With PFS, new random numbers are negotiated with the remote peer instead of being derived from previously agreed random numbers. Only select Yes if the remote peer supports PFS. Set Perfect Forward Secrecy (PFS) to No if the remote peer is an IPsec/L2TP client. Lifetimes: The keys of an IPsec connection are renewed at defined intervals in order to increase the difficulty of an attack on an IPsec connection. ISAKMP SA Lifetime: Lifetime in seconds of the keys agreed for the ISAKMP SA. Default setting: 3600 seconds (1 hour). The maximum permitted lifetime is 86,400 seconds (24 hours). IPsec SA Lifetime: Lifetime in seconds of the keys agreed for the IPsec SA. Default setting: 28,800 seconds (8 hours). The maximum permitted lifetime is 86,400 seconds (24 hours). Rekeymargin: Minimum time period before the old key expires during which a new key should be created. Default setting: 540 seconds (9 minutes). Rekeyfuzz: Maximum amount, as a percentage, by which the rekey margin should be randomly increased. This is used to delay key exchange on machines with multiple VPN connections
116. ... When data packets are transmitted, the LED goes out briefly. Recovery mode: After pressing the Rescue button (see Restart, the recovery procedure and flashing the firmware on page 7-1).

3.4 FL MGUARD PCI: [Figure 3-15: Operating elements and indicators on the FL MGUARD PCI; LEDs: LAN green, LAN red, WAN green, WAN red] Table 3-6: Indicators on the FL MGUARD PCI:
- WAN/LAN, Red, Flashing: Boot process, when the computer is started or restarted.
- WAN/LAN, Red, Flashing: System error. Restart the device: press the Rescue button for 1.5 seconds, or alternatively briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see Performing a recovery procedure on page 7-2) or contact the Support team.
- WAN/LAN, ON or flashing: Ethernet status. Indicates the status of the LAN or WAN interface. As soon as the device is connected, a continuous light indicates that there is a connection to the network partner. When data packets are transmitted, the LED goes out briefly.
- WAN, Red/Green, Various LED light codes: Recovery mode, after pressing the Rescue button. On the FL MGUARD PCI, the Rescue button is on the PCB (see Installing the hardware on page 4-25). See Restart, the recovery proce
117. ... 6-181. FL MGUARD RS and FL MGUARD GT/GT only: Start and stop the specified VPN connection with the CMD/MC1 contact: The FL MGUARD RS has connections to which an external button or on/off switch and a signal LED can be connected (on the FL MGUARD GT/GT, the internal INF LED). One of the configured VPN connections can be established and released via the button or on/off switch. The VPN connection name is specified here. If VPN connections are configured and listed under the IPsec VPN >> Connections menu item (see page 6-169), they are displayed in this selection list. If the connection is to be established or released manually by actuating the button or switch, then select this here. If starting and stopping the VPN connection via the CMD/MC1 contact is enabled, only the CMD/MC1 contact is authorized to do this. This means that if this option is set to Enabled for the entire VPN connection, this has no effect. If a button is connected to the CMD/MC1 contact instead of a switch (see below), the connection can also be established and released using the CGI script command nph-vpn.cgi, which has the same rights. Off: When set to Off, this function is disabled. If a button or on/off switch is connected to the FL MGUARD service contacts, then actuating it has no effect.

IPsec VPN >> Global >> Options
118. ... 754; FL SFP LX, Order No. 2891767; FL SFP LH, Order No. 2989912. Use of SFP slots: The SFP slots are used by SFP modules (fiber optic / glass fiber modules in SFP format). By selecting SFP modules, the user can specify whether the switch has multi-mode or single-mode fiber optic ports, for example. The SFP modules are available separately as accessories (see Ordering data on page 9-6). Elements of the SFP modules: [Figure 3-7: Elements of the SFP modules; mechanical interlock, fiber optic connection, release latch, electrical connection contacts]

3.2.4.3 Mounting the SFP modules: Inserting the SFP modules:
- Insert the SFP modules in the relevant slots on the switch.
- Ensure correct mechanical alignment of the SFP modules. [Figure 3-8: Inserting the SFP modules]
Connecting the fiber optic cable:
- Ensure correct mechanical alignment when inserting the fiber optic connectors.
Removing the fiber optic connectors:
- Press the arresting latch (A) and pull out the connector (B). [Figure 3-9: Removing the fiber optic connectors]
Removing the SFP modules:
- Remove the fiber optic connector before removing the SFP module.
Flip down the release latch (A) and
119. ... 8. To create a copy of a machine certificate imported in the FL MGUARD, proceed as follows:
- On the Machine Certificates tab page, click on "Current Certificate File" next to the "Download Certificate" row for the relevant machine certificate (see Machine Certificates on page 6-123).

CA certificates: The certificate shown by a remote peer can also be checked by the FL MGUARD in a different way, i.e. not by consulting the locally installed remote certificate on the FL MGUARD. To check the authenticity of remote peers in accordance with X.509, the method described below of consulting CA certificates can be used instead or as an additional measure. CA certificates provide a way of checking whether the certificate shown by the remote peer is really signed by the CA specified in the remote peer's certificate. A CA certificate is available as a file from the relevant CA (file name extension *.cer, *.pem or *.crt). For example, this file may be available to download from the website of the relevant CA. The FL MGUARD can then check if the certificate shown by the remote peer is authentic using the CA certificates loaded on the FL MGUARD. This requires that all CA certificates must be available to the FL MGUARD in order that a chain can be formed with the certificate shown by the remote peer. In addition to the CA certificate from the CA whose signature appears on the certificate shown by the remote peer to be checked, this includes the CA certificate of
120. ... A ping test is successful if the FL MGUARD receives a positive response to the sent ping request packet within 4 seconds. If the response is positive, the remote peer can be reached.

Network >> Interfaces >> General (continued), Secondary External Interface (continued): Probe Interval (seconds): Ping types: IKE ping: Determines whether a VPN gateway can be reached at the IP address specified. ICMP ping: Determines whether a device can be reached at the IP address specified. This is the most common ping test. However, the response to this ping test is disabled on some devices, so that they do not respond even though they can be reached. DNS ping: Determines whether a functioning DNS server can be reached at the IP address specified. A generic request is sent to the DNS server with the specified IP address, and every DNS server that can be reached responds to this request. Please note the following when programming ping tests: It is useful to program multiple ping tests. This is because it is possible that an individual tested service is currently undergoing maintenance. This type of scenario should not result in the secondary external interface being activated and an expensive dial-up connection being established via the telephone network. Because the ping tests generate network traffic, the number o
121. ... Abbreviation / Name / Explanation:
- CN: Common name: Identifies the person or object to whom or which the certificate belongs. Example: CN=server1.
- E-mail address: Specifies the e-mail address of the certificate owner.
- OU: Organizational unit: Specifies the department within an organization or company. Example: OU=Development.
- O: Organization: Specifies the organization or company. Example: O=Innominate.
- L: Locality: Specifies the place (locality).
- ST: State: Specifies the state or county.
- C: Country: Two-letter code that specifies the country. Example: Germany = DE.
A filter can be set for the subject, i.e. the certificate owner, during VPN connections and remote service access to the FL MGUARD using SSH or HTTPS. This would ensure that only certificates from remote peers that have certain attributes in the subject line are accepted.

SNMP: Simple Network Management Protocol is often used alongside other protocols, in particular on large networks. This UDP-based protocol is used for the central administration of network devices. For example, the configuration of a device can be requested using the GET command and changed using the SET command; the requested network device must simply be SNMP-compatible. An SNMP-compatible device can also send SNMP messages, e.g. should unexpected events occur. Messages of this type are known as SNMP traps.

X.509 certificate: An X.509 v3 certificate thus comprises a public key, information about the key owner (the Distinguished Name, DN), authorized use
122. FL MGUARD 4.6 Installing the FL MGUARD BLADE. (Figure 4-15: Installing the FL MGUARD BLADE: FL MGUARD BLADEBASE; FL MGUARD BLADE 1 to 12; power supply switch P1 and P2; handling plates; screws; control unit CTRL; power supply P1 and P2; power supply connection P1 and P2.) NOTE: Always ensure sufficient air circulation for the BladePack. If several BladePacks are stacked, one or more inches of fan trays must be installed to discharge the accumulated warm air. Installing the FL MGUARD BLADEBASE: Install the FL MGUARD BLADEBASE in the rack, e.g. close to the patch field. Fit the two power supply units and the control unit with the handling plates P1, P2 and Ctrl on the front from left to right. Connect both power supply units on the back of the FL MGUARD BLADEBASE with 100 V or 220-240 V. Switch on both power supply units. The LEDs on the front of the power supply units are now green. Installing the FL MGUARD BLADE: The FL MGUARD BLADEBASE does not have to be switched off when installing or removing an FL MGUARD BLADE. Loosen the top and bottom screw on the faceplate or on the FL MGUARD BLADE to be replaced. Remove the faceplate or pull out the old FL MGUARD BLADE. Insert the new FL MGUARD BLADE and PCB into the plastic guides and push it completely into the FL MGUARD BLADEBASE. Secure the FL MGUARD BLADE by tightening the screws slightly. Replace
123. Central European Summer Time applies in summer, which is UTC plus two hours. Duration of the last check: Duration of the check in hours and minutes. Only displayed if a check has been carried out. Start of the current check: See "Start of the last check" on page 6-156. Only displayed if a check has been carried out. Progress of the current check: Only displayed if a check is currently active. CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Actions. (Screenshot: CIFS Integrity Monitoring: CIFS Integrity Status: pc x7 scan: Actions. Possible Actions for pc x7 scan: Verify the validity of the recent check report; Start an integrity check right now; Cancel the currently running integrity check; Re-build the integrity database (perform this if the checked share's content has been changed intentionally); Cancel the creation of the integrity database; Erase reports and the integrity database.) Possible Actions for ...: Verify the validity of the recent check report: Click on "Validate the report" to check whether the report is unchanged from the definition in the FL MGUARD according to the signature and certificate. Start an integrity check right now: Click on "Start a check" to start the integrity check. Only displayed if a check is not currently active. Cancel the currently running integrity check: Click "Cancel" to stop the integrity check. Only displayed if a check is currently
124. DE must be mounted in the FL MGUARD BLADEBASE, and at least one of the BLADEBASE device's power supply units must be in operation. For local configuration: The computer used for configuration must be connected to the LAN female connector of the FL MGUARD, or the computer must be connected to the FL MGUARD via the network. For remote configuration: The FL MGUARD must be configured so that remote configuration is permitted. The FL MGUARD must be connected, i.e. the required connections must be working. FL MGUARD DELTA: The FL MGUARD DELTA must be connected to its power supply. For local configuration: The computer used for configuration must be connected to the LAN switch (Ethernet female connector 4 to 7) of the FL MGUARD, or must be connected to the FL MGUARD via the local network. For remote configuration: The FL MGUARD must be configured so that remote configuration is permitted. The FL MGUARD must be connected, i.e. the required connections must be working. Preparing the configuration. 5.2 Local configuration on startup: The FL MGUARD is configured using a web browser on the computer used for configuration, e.g. MS Internet Explorer Version 5.0 or later, Mozilla Firefox Version 1.5 or later, or Safari. NOTE: The web browser must support SSL, i.e. HTTPS. According to the default setting, the FL MGUARD can be accessed via the following addresses (Table 5-1)
125. Configuration 6.2.1.4 Shell Access. (Screenshot: Management >> System Settings: Host, Signal Contact, Time and Date, Shell Access. Shell Access: Session Timeout (seconds); Enable SSH remote access; Port for incoming SSH connections (remote administration only). Allowed Networks (Log ID fw-ssh-access N 3657835f-a090-1937-a71a-080027e157fb): From IP 10.1.0.0/16, Interface External, Action Accept; From IP 192.168.67.0/24, Interface External, Action Accept. X.509 Authentication: Enable X.509 certificates for SSH access; SSH server certificate; CA certificate: SSH RootCA, SSH SubCA. Authorized for access as (displayed when "Enable X.509 certificates for SSH access" is set to Yes): All users; Meyer Ralf: admin.) These rules allow to enable SSH remote access. Important: Make sure to set secure passwords before enabling remote access. Note: In Stealth mode, incoming traffic on the given port is no longer forwarded to the client. Note: In router mode with NAT or port forwarding, the port set here has priority over port forwarding. Note: The table "Allowed Networks" is effective only if remote access is enabled. Note: The SSH access from the internal side is allowed for all networks when remote access is disabled. Note: Once remote access is enabled, the SSH access from the internal side and via dia
126. E or IPsec: These are network protocols used to connect two computers on the Internet. IP is the base protocol. UDP is based on IP and sends individual packets. The packets may reach the recipient in a different order than that in which they were sent, or they may even be lost. TCP is used for connection security and ensures, for example, that data packets are forwarded to the application in the correct order. UDP and TCP add port numbers between 1 and 65535 to the IP addresses. These distinguish the various services offered by the protocols. A number of additional protocols are based on UDP and TCP. These include HTTP (Hyper Text Transfer Protocol), HTTPS (Secure Hyper Text Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol Version 3) and DNS (Domain Name Service). ICMP is based on IP and contains control messages. SMTP is an e-mail protocol based on TCP. IKE is an IPsec protocol based on UDP. ESP is an IPsec protocol based on IP. On a Windows PC, the WINSOCK.DLL or WSOCK32.DLL provides a common interface for both protocols. > Datagram on page 8-2. A VLAN (Virtual Local Area Network) divides a physical network into several independent logical networks which exist in parallel. Devices on different VLANs can only access devices within their own VLAN. Accordingly, assignment to a VLAN is no longer defined by the network topology alone, but also by the configured VLAN ID. VLAN settings ca
127. Configuration 6.6.1.4 MAC Filtering. (Screenshot: Network Security >> Packet Filter: Incoming Rules, Outgoing Rules, Sets of Rules, MAC Filtering. Incoming: xx:xx:xx:xx:xx:xx / xx:xx:xx:xx:xx:xx, Accept. Ethernet Protocol may be "any", "IPv4", "ARP", "Length" or a hexadecimal value. Please note: These rules only apply to the Stealth mode. Please note: Management access to 1.1.1.1 requires ARP resolution of the default gateway. Restricting ARP traffic to the default gateway may lead to management access problems. Outgoing: xx:xx:xx:xx:xx:xx / xx:xx:xx:xx:xx:xx, Accept.) The MAC filter is only applied to data packets that are received or sent via the Ethernet interface. Data packets that are received or sent via a modem connection (on FL MGUARD models with a serial interface) are not picked up by the MAC filter, because the Ethernet protocol is not used here. In stealth mode, in addition to the packet filter (Layer 3/4) that filters data traffic, e.g. according to ICMP messages or TCP/UDP connections, a MAC filter (Layer 2) can also be set. A MAC filter (Layer 2) filters according to MAC addresses and Ethernet protocols. In contrast to the packet filter, the MAC filter is stateless. This means that corresponding rules must also be created for the opposite direction where necessary. If no rules are set, all ARP and IP packets are allowed to pass through. When setting MAC filter rules, please note the information displayed on
128. Egress Rules >> Internal / External / External 2 / Dial-in; QoS >> Egress Rules (VPN) >> VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in. (Screenshot: Default: Default Queue. Rules: Protocol, From IP, From Port, To IP, To Port.) Default Queue: Name of the egress queue (user-defined). The names of the queues are displayed as listed or specified under Egress Queues on the Internal, External, VPN via External tab pages. The following default names are defined: Default, Urgent, Important, Low Priority. Traffic that is not assigned to a specific egress queue under Rules remains in the default queue. You can specify which egress queue should be used as the default queue in this selection list. Rules: The assignment of specific data traffic to an egress queue is based on a list of criteria. If the criteria in a row apply to a data packet, it is assigned to the egress queue specified in the row. Example: You have defined a queue with guaranteed bandwidth and priority for audio data to be transmitted under Egress Queues (see page 6-198) under the name Urgent. Define the rules for how audio data is detected and specify that this data should belong to the Urgent queue. Protocol: All / TCP / UDP / ICMP / ESP; protocols relating to the assignment. From IP: IP address of the network or device from which the data originates. 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on pa
129. FL MGUARD 6.4.3 Network >> DNS. 6.4.3.1 DNS server. (Screenshot: DNS server: DNS Servers to query: User defined servers listed below. User defined name servers: 10.1.0.253. In Stealth Mode only "User defined" and "DNS Root Servers" are supported. Other settings will be ignored. Local Resolving of Hostnames: example.local.) Network >> DNS >> DNS server. DNS: If the FL MGUARD should initiate a connection to a remote peer on its own (e.g. to a VPN gateway or NTP server) and it is specified in the form of a hostname (i.e. www.example.com), the FL MGUARD must determine which IP address belongs to the hostname. To do this, the FL MGUARD connects to a domain name server (DNS) to query the corresponding IP address there. The IP address determined for the host name is stored in the cache so that it can be found directly, i.e. more quickly, for other host name resolutions. With the Local Resolving of Hostnames function, the FL MGUARD can also be configured to respond to DNS requests for locally used host names itself, by accessing an internal, previously configured directory. The locally connected clients can be configured (manually or via DHCP) so that the local address of the FL MGUARD is used as the address of the DNS server to be used. If the FL MGUARD is operated in stealth mode, the management IP address of the FL MGUARD (if this is configured) must be used for the clients, or the IP address 1.1.1.1 must be entered as the
130. FL MGUARD will also answer ARP requests for IP addresses within the remote network. This allows access to a remote VPN using local IP addresses without changing the routing of locally connected clients. IPsec VPN >> Connections >> Edit >> General (continued). Further settings can be made by clicking on More. (Screenshot: Protocol: All / TCP / UDP / ICMP. Local Port: "all" for all ports, a number between 1 and 65535, or "any" to accept any proposal. Remote Port: "all" for all ports, a number between 1 and 65535, or "any" to accept any proposal.) Protocol: Select whether the VPN is restricted to a specific protocol or whether it is valid for all data traffic. When TCP or UDP is selected: Local Port: "all" (default) specifies that all ports can be used. If a specific port should be used, specify the port number. "any" specifies that port selection is made by the client. Remote Port: "all" (default) specifies that all ports can be used. If a specific port should be used, specify the port number. Tunnel settings IPsec/L2TP: If clients should connect to the FL MGUARD by IPsec/L2TP, activate the L2TP server and make the following entries in the fields specified below: Type: Transport; Protocol: UDP; Local Port: all; Remote Port: all.
131. FL MGUARD Network Security >> User Firewall >> User Firewall Templates >> Edit > Template users. (Screenshot: Network Security: User Firewall: Office: Template users, Firewall rules. Username.) Specify the names of users here. The names must correspond to those that have been defined under the Authentication >> Firewall Users menu (see page 6-113). Firewall rules: (Screenshot: Network Security: User Firewall: Office: Template users, Firewall rules. Source IP: authorized_ip. Log ID: ufw N 00000000-0000-0000-0000-000000000000. Protocol TCP, From Port any, To IP 0.0.0.0/0, To Port any, Log No.) Please note: If the template is configured with dynamic timeout, the logout timer will be reset to its initial value if TCP, UDP or any other network traffic except ICMP is passing the device due to a matching user firewall rule. For a more precise description of this feature, please see the user manual. Source IP: IP address from which connections are allowed to be established. If this is to be the address from which the user logged into the FL MGUARD, the placeholder authorized_ip should be used. If multiple firewall rules are defined and activated for a user, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignor
132. IP address of the FL MGUARD (by default upon delivery this is 192.168.1.1). This relationship is shown in the above diagram by two black spheres. A third IP address is used for the interface of the FL MGUARD to the WAN. It is used for connection to an external network, e.g. Internet. 4.8.2 Power-over-PCI mode. Stealth mode in Power-over-PCI mode. (Figure 4-19: Power-over-PCI mode, Stealth mode: Network card 192.168.1.1; FL MGUARD PCI, External IP 192.168.1.1.) Since the network card functions of the FL MGUARD PCI are switched off in Power-over-PCI mode, no driver software is installed for it. A previously installed network card is connected to the LAN port of the FL MGUARD PCI, which is located in the same computer or in another computer (see Installing the hardware on page 4-25). In stealth mode, the IP address configured for the network interface of the operating system (LAN port) is also used by the FL MGUARD for its WAN port. This means that the FL MGUARD does not appear as a separate device with its own address for data traffic to and from the computer. In stealth mode, PPPoE and PPTP cannot be used. Router mode in Power-over-PCI mode. (Figure: Network card 192.168.1.2; 192.168.1.1; FL MGUARD PCI.)
133. (Figure 4-22: Driver installation under Windows 2000. Found New Hardware Wizard: Innominate mGuardPCI. The wizard searches for suitable drivers in its driver database on your computer and in any of the following optional search locations that you specify. To start the search, click Next. If you are searching on a floppy disk or CD-ROM drive, insert the floppy disk or CD before clicking Next. Optional search locations: Floppy disk drives; CD-ROM drives; Specify a location; Microsoft Windows Update. Windows found a driver for this device. To install the driver Windows found, click Next. d:\windows\netmagpc.inf. Back, Cancel.) 1. Click Next. 2. Select "Search for a suitable driver for my device (recommended)" and click Next. 3. Select "Specify a location" and click Next. 4. Click Next. Startup. 5. (Digital Signature Not Found.) 6. (Found New Hardware Wizard: Completing the Found New Hardware Wizard. Innominate mGuardPCI. Windows has finished installing the software for this device.) The Microsoft digital signature affirms that software has been tested with Windows and that the software has not been altered since it was tested. The software you are about to install does not contain a Microsoft digital signature. Therefore there is no guarantee that this software works correctly with Windows. Innominate mGuar
134. Integrity Monitoring >> CIFS AV Scan Connector (continued). Consolidated / Imported / Enabled: No: This network drive is not mirrored. Yes: This network drive is mirrored and made available in this directory (Exported in Subdirectory). Several drives can be combined as one. CIFS Share: Name of the network drive to be imported, created under CIFS Integrity Monitoring >> Importable Shares >> Edit. External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 6-55). Configuration 6.8 IPsec VPN menu: This menu is not available on the FL MGUARD BLADE controller. 6.8.1 IPsec VPN >> Global. 6.8.1.1 Options. (Screenshot: IPsec VPN: Global: Options, DynDNS Monitoring. Options: Allow packet forwarding between VPN connections; Archive diagnostic messages for VPN connections: Only when started via nph-vpn.cgi or CMD contact; Archive diagnostic messages only upon failure: Yes. VPN Switch: Start and stop the specified VPN connection with an external contact and signal the status of the connection with the ACK contact. VPN connection: Berlin-London; Switch type connected to the contact: Push button. TCP Encapsulation: Listen for incoming VPN connections which are encapsulated; TCP port to listen on; Server ID (0-63); IP F
135. K If necessary, consult the modem manual for the initialization sequence. The initialization sequence is a sequence of character strings expected by the modem and commands that are then sent to the modem so that the modem can establish a connection. The preset initialization sequence has the following meaning: The empty character string inside the quotation marks ("") means that the FL MGUARD does not initially expect any information from the connected modem, but instead sends the following text directly to the modem. The FL MGUARD sends this character string to the modem in order to specify that the modem is ready to accept commands. Specifies that the FL MGUARD expects the OK character string from the modem as a response to d dATH. On many modem models, it is possible to save modem default settings to the modem itself. However, this option should not be used. Initialization sequences should be configured externally instead, i.e. on the FL MGUARD. In the event of a modem fault, the modem can then be replaced quickly without changing the modem default settings. If the external modem is to be used for incoming calls without the modem default settings being entered accordingly, then you have to inform the modem that it should accept incoming calls after it rings. If using the extended HAYES command set, append the character string "AT&S0=1 OK" (a space followed by AT&S0=1, followed by a space, followed by
136. Configuration Network >> Interfaces >> General, Stealth network mode (continued). Static routes: In stealth mode, the FL MGUARD adopts the default gateway of the computer connected to its LAN port. Alternative routes can be specified for data packets in the WAN created by the FL MGUARD. These include the following data traffic packets: Download of certificate revocation lists (CRLs); Download of a new configuration; Communication with an NTP server for time synchronization; Sending and receiving encrypted data packets from VPN connections; Requests to DNS servers; Syslog messages; Download of firmware updates; Download of configuration profiles from a central server (if configured); SNMP traps. If this option is used, make the relevant entries afterwards. If it is not used, the affected data packets are routed via the default gateway specified for the client. (Screenshot: Static routes: The following settings are applied to traffic generated by the mGuard. Gateways.) Network: Specify the network in CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215). Gateway: The gateway via which this network can be accessed. The routes specified here are mandatory routes for data packets created by the FL MGUARD. This setting has priority over other settings (see also Network example diagram on page 6-216). Internal Networks: See Internal Networks on page 6-72. St
137. N connections can be used. In router network mode, a secondary external interface can also be configured (see Secondary External Interface on page 6-66). There are several router modes, depending on the Internet connection: Static, DHCP, PPPoE, PPTP, Modem, Built-in modem. Router Mode "static": The IP address is fixed. Router Mode "DHCP": The IP address is assigned via DHCP. Router Mode "PPPoE": PPPoE mode corresponds to the router mode with DHCP, with one difference: The PPPoE protocol, which is used by many DSL modems for DSL Internet access, is used to connect to the external network (Internet, WAN). The external IP address, which the FL MGUARD uses for access from remote peers, is specified by the provider. If the FL MGUARD is operated in PPPoE mode, the FL MGUARD must be set as the default gateway on the locally connected computers. This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway address on these computers. If the FL MGUARD is operated in PPPoE mode, NAT must be activated in order to gain access to the Internet. If NAT is not activated, it is possible that only VPN connections can be used. For the further configuration of PPPoE network mode, see Router network mode, PPPoE router mode, on page 6-76. Router Mode "PPTP": Similar to PPPoE mode. Fo
138. FL MGUARD IPsec VPN >> Global >> Options (continued). Option "Only when started via nph-vpn.cgi or CMD/MC1 contact": If the option of diagnosing VPN connection problems using the FL MGUARD logging function is too impractical or insufficient, select this option. This may be the case if the following conditions apply: In certain application environments, e.g. when the FL MGUARD is operated by means of a machine control system via the CMD/MC1 contact (FL MGUARD RS, FL MGUARD GT/GT only), the option for a user to view the FL MGUARD log file via the web-based user interface of the FL MGUARD may not be available at all. If the FL MGUARD is being used remotely, it is possible that a VPN connection error can only be diagnosed after the FL MGUARD is temporarily disconnected from its power source, which causes all the log entries to be deleted. The relevant log entries of the FL MGUARD that could be useful may be deleted because the FL MGUARD regularly deletes older log entries on account of its limited memory space. If an FL MGUARD is being used as the central VPN remote peer, e.g. in a remote maintenance center as the gateway for the VPN connections of numerous machines, the messages regarding activity on the various VPN connections are logged in the same data stream. The resulting volume of the logging makes it time-consuming to find the information relevant to one error. After archiving is enabled, relevant l
139. FL MGUARD 6.8.1.2 DynDNS Monitoring. (Screenshot: IPsec VPN: Global: DynDNS Monitoring: Watch hostnames of remote VPN Gateways; Refresh Interval (sec).) For an explanation of DynDNS, see DynDNS on page 6-104. IPsec VPN >> Global >> Options: DynDNS Monitoring: Watch hostnames of remote VPN Gateways: Yes / No. If the FL MGUARD has been assigned the address of a VPN remote peer as its hostname (see Defining a VPN connection / VPN connection channels on page 6-171) and this hostname is registered with a DynDNS service, then the FL MGUARD can check the relevant DynDNS at regular intervals to determine whether any changes have occurred. If so, the VPN connection will be established to the new IP address. Refresh Interval (sec): Default: 300. Configuration 6.8.2 IPsec VPN >> Connections. Requirements for a VPN connection: A general requirement for a VPN connection is that the IP addresses of the VPN partners are known and can be accessed. In order to successfully establish an IPsec connection, the VPN remote peer must support IPsec with the following configuration: Authentication via pre-shared key (PSK) or X.509 certificate; ESP; Diffie-Hellman group 2 or 5; DES, 3DES or AES encryption; MD5 or SHA-1 hash algorithms; Tunnel or transport mode; Quick mode; Main mode; SA lifet
140. Options. (Screenshot: Connection startup: Initiate / Initiate on traffic / Wait. Encapsulate the VPN traffic in TCP. TCP Port of the server which accepts the encapsulated connection.) Initiate: The FL MGUARD initiates the connection to the remote peer. In the "Address of the remote site's VPN gateway" field (see above), the fixed IP address of the remote peer or its name must be entered. Initiate on traffic: The connection is initiated automatically when the FL MGUARD sees that the connection should be used. Can be selected for all operating modes of the FL MGUARD (stealth, router, etc.). Wait: The FL MGUARD is ready to accept the connection to the FL MGUARD that a remote peer actively initiates and establishes. If "%any" is entered under "Address of the remote site's VPN gateway", Wait must be selected. Encapsulate the VPN traffic in TCP: Yes / No. Default: No. If the TCP Encapsulation function is used (see TCP Encapsulation on page 6-165), only set this option to Yes if the FL MGUARD is to encapsulate its own outgoing data traffic for the VPN connection it initiated. In this case, the number of the port where the remote peer receives the encapsulated data packets must also be specified. TCP Port of the server which accepts the encapsulated connection: Default: 8080. Number of the port where the encapsulated data packets are received by the remote peer. The port number specified here must be the same as the one specified for the FL MGUARD of the remote peer under TCP
141. Preset addresses (default setting): Stealth mode: https://1.1.1.1 (default upon delivery for all devices excluding the FL MGUARD DELTA and FL MGUARD BLADE controller). Router mode: https://192.168.1.1 (default setting for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller). 5.2.1 Configuring the FL MGUARD RS, FL MGUARD SMART and FL MGUARD BLADE on startup. With a configured network interface: So that the FL MGUARD can be addressed via the address https://1.1.1.1, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection (see Figure 4-14 on page 4-17). In this case, the web browser establishes a connection to the FL MGUARD configuration interface after the address https://1.1.1.1 is entered (see Establishing a local configuration connection on page 5-9). Continue from this point. With a non-configured network interface: If the computer's network interface is not configured: If the configuration computer was not previously connected to a network, e.g. because the computer is new, its network interface is not usually configured. This means that the computer does not yet know that network traffic is routed via this interface. In this case, you must initialize the default gateway by assigning it a dummy value. To do this, proceed as follows: Initializing the default gateway: Determine the currently valid default gateway address. Under Windows XP, pro
142. Configuration 6.5.3.4 Remote Certificates. A remote certificate is a copy of the certificate that is used by a remote peer to authenticate itself to the FL MGUARD. Remote certificates are files (file name extension .cer, .pem or .crt) received from possible remote peers by trustworthy means. Load these files on the FL MGUARD so that reciprocal authentication can take place. The remote certificates of several possible remote peers can be loaded. The remote certificate for authentication of a VPN connection (or the channels of a VPN connection) is installed in the IPsec VPN >> Connections menu. For a more detailed explanation, see Authentication >> Certificates on page 6-116. Example for imported remote certificates: (Screenshot: Authentication: Certificates: Certificate settings, Machine Certificates, CA Certificates, Remote Certificates. Trusted remote Certificates: CN=Meyer Ralf, OU=Service, O=Sample Supplier, C=UK. Subject Alternative Names. CN=Web SubCA 01, O=Sample Web Securities Inc, C=UK. From Jun 20 11:27:08 2007 GMT to Jun 20 11:27:08 2010 GMT. Fingerprint: MD5 1D:EF:40:76:D1:52:F8:07:18:0B:6D:F7:85:93:37:6D; SHA1 C8:DC:97:2E:B7:1D:6A:94:EE:FE:6D:6B:71:58:F1:35:52:D3:BE:E1. Shortname: Meyer Ralf. Upload: Filename (Durchsuchen), Import Certificate; Current Certificate File.) Authentication >> Certificates >> Remote Certi
143. S or the battery (FL MGUARD DELTA) did not supply the built-in clock with sufficient voltage for a period when the device was switched off. Configuration Management >> System Settings >> Time and Date (continued). Local system time: Here you can set the FL MGUARD time if no NTP server has been set up (see below) or the NTP server cannot be accessed. The date and time are specified in the format YYYY MM DD hh mm ss (YYYY = Year, MM = Month, DD = Day, hh = Hour, mm = Minute, ss = Second). Timezone in POSIX.1 notation: If a current local time that differs from Greenwich Mean Time should be displayed under Current system time, you must enter the number of hours that your local time is ahead of or behind Greenwich Mean Time. Examples: In Berlin the time is one hour ahead of GMT. Therefore enter CET-1. In New York the time is five hours behind Greenwich Mean Time. Therefore enter CET+5. The only important thing is the -1, -2 or +1 etc. value, as only these are evaluated, not the preceding letters. They can be substituted with CET or any other designation, such as UTC. If you wish to display Central European Time (e.g. for Germany) and have it automatically switch to/from daylight saving time, enter CET-1CEST,M3.5.0,M10.5.0/3. Time stamp in ...: If this option is set to Yes, the FL MGUARD will write the filesystem Current system ti
144. S Egress Queues VPN VPN via Internal VPN via External VPN via External 2 VPN via Dial in Enabling Total Bandwidth Rate Bandwidth Rate Limit unlimited kbit s v Queues cet Sd inimted S d High gt important sid Cnimted iY Medium gt foerat lima F Medium gt aa inae o inimes o low ir All of the tab pages listed above for Egress Queues for Internal External External 2 and Dial in interfaces and for VPN connections routed via these interfaces offer the same Setting options In all cases the settings relate to the data that is sent externally into the network from the relevant FL MGUARD interface 6 200 PHOENIX CONTACT 7612_en_02 THE ONLINE DISTRIBUTOR OF ELECTRONIC COMPONENTS Configuration QoS gt gt Egress Queues gt gt Internal E xternal E xternal 2 Dial in QoS gt gt Egress Queues VPN gt gt VPN via Internal VPN via External VPN via External 2 VPN via Dial in Enabling Enable Egress QoS Total Bandwidth Rate Bandwidth Rate Limit Queues Name Guaranteed Upper Limit Priority Comment 7612_en_02 No default This feature is disabled Yes This feature is enabled This is recommended if the interface is connected to a network with low bandwidth This enables bandwidth allocation to be influenced in favor of particularly important data kbit s or Packet s Total maximum bandwidth that is physically available Specified in kbps or packets per second In orderto o
145. Service Name Yes No If Yes is selected specify the time in the Re connect daily at field This feature is used to schedule Internet disconnection and reconnection as required by many Internet service providers so that they do not interrupt normal business Operations When this function is enabled it only takes effect if synchronization with a time server has been carried out see Management gt gt System Settings on page 6 4 Time and Date on page 6 7 Specified time at which the Automatic Re connect function see above should be performed Internal Networks See Internal Networks on page 6 72 Secondary External See Secondary External Interface on page 6 66 Interface 6 76 PHOENIX CONTACT 7612_en_02 onlin components com THE ONLINE DISTRIBUTOR OF ELECTRONIC COMPONENTS Configuration Router network mode PPTP router mode Network Interfaces General Dial in Modem Console Network Status External IP address Active Defaultroute Used DNS servers Network Mode When Router is Modem IP 10 4 66 47 10 4 0 254 10 1 0 253 senna Router Mode ee m network mode and PPTP is selected as mis the router mode PPTP Login peor aeee na Network gt gt Interfaces gt gt General Router network mode PPTP router mode PPTP For access to the Internet the Internet service provider ISP provides the user with a user name login and password These are requested
146. T (Network Address Translation) in the glossary. This method is used if the internal addresses cannot or should not be routed externally, e.g. because a private address area such as 192.168.x.x or the internal network structure should be hidden. This method is also referred to as IP masquerading.
Default setting: NAT is not active.
If the FL MGUARD is operated in PPPoE/PPTP mode, NAT must be activated in order to gain access to the Internet. If NAT is not activated, only VPN connections can be used.
If multiple static IP addresses are used for the WAN port, the first IP address in the list is always used for IP masquerading.
These rules do not apply in stealth mode.
Outgoing on Interface: External / External 2 / Any External. Specifies via which interface the data packets are sent so that the rule applies to them. "Any External" refers to the External and External 2 interfaces.
From IP: 0.0.0.0/0 means that all internal IP addresses are subject to the NAT procedure. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
Comment: Can be filled with appropriate comments.
Network >> NAT >> Masquerading
1:1 NAT: Lists the rules defined for 1:1 NAT (Network Address Translation). With 1:1 NAT, the sender IP addresses are exchanged so that each individual address is ex
147. User manual UM EN FL MGUARD, Order No. 2910509
User manual for the hardware and software of FL MGUARD security appliances
PHOENIX CONTACT, INSPIRING INNOVATIONS
Designation: UM EN FL MGUARD
Revision: 02
Order No.: 2910509
This user manual is valid for:
  Designation                  Order No.
  FL MGUARD B                  2989899
  FL MGUARD RS                 2989310
  FL MGUARD RS VPN             2989611
  FL MGUARD RS VPN ANALOG      2989718
  FL MGUARD RS VPN ISDN        2989815
  FL MGUARD PCI 266            2989019
  FL MGUARD PCI 266 VPN        2989514
  FL MGUARD PCI 533            2989213
  FL MGUARD PCI 533 VPN        2989417
  FL MGUARD GT/GT              2700197
  FL MGUARD GT/GT VPN          2700198
  FL MGUARD B                  2989899
7612_en_02, 2009-12-14, PHOENIX CONTACT
Please observe the following notes
In order to ensure the safe use of the product described, you have to read and understand this manual. The following notes provide information on how to use this manual.
User group of this manual: The use of products described in this manual is oriented exclusively to
148. UARD is configured via a web browser (e.g. Firefox, MS Internet Explorer or Safari) that is executed on the configuration computer.
NOTE: The web browser must support SSL (i.e. HTTPS).
Depending on the model, the FL MGUARD is set to stealth or router network mode by default upon delivery and can be accessed accordingly using the following addresses.
Table 5-2 Preset addresses
  Default setting
    Stealth mode: https://1.1.1.1 (default upon delivery for all devices excluding the FL MGUARD DELTA and FL MGUARD BLADE controller)
    Router mode: https://192.168.1.1 (default setting for FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller)
  PPPoE or PPTP is always
Proceed as follows:
- Start a web browser, for example Firefox, MS Internet Explorer or Safari (the web browser must support SSL, i.e. HTTPS).
- Make sure that the browser does not automatically dial a connection when it is started, as this could make it more difficult to establish a connection to the FL MGUARD. In MS Internet Explorer, make the settings as follows:
  - In the Tools menu, select Internet Options and click on the Connections tab.
  - Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
- In the address line of the web browser, enter the full address of the FL MGUARD (see Table 5-2). The administrator web page of the FL MGUARD can then be accessed.
If the administrator web page of the FL MGUARD cannot be
149. UDP protocols: "any" refers to any port; startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through; they are discarded, which means that the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
When set to Yes, all connection attempts that are not covered by the rules defined above are logged.
6.8.3.4 IKE Options
[Screenshot: IPsec VPN >> Connections >> "Berlin-London" >> IKE Options. ISAKMP SA (Key Exchange): Encryption Algorithm 3DES, Hash Algorithm "All algorithms". IPsec SA (Data Exchange): Encryption Algorithm 3DES, Hash Algorithm "All algorithms". Perfect Forward Secrecy (PFS): "The remote site must have the same entry. Activation is recommended due to security reasons." Lifetimes: ISAKMP SA L]
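The rule fields described above (port notation, Accept/Reject/Drop, the stealth-mode Reject caveat and per-rule logging) can be checked against sample traffic. The following is an added example written for this page, not code from the manual or from the FL MGUARD firmware; the service name table, the rule set, the packets and the default action for uncovered packets are constructed assumptions.

```python
# Added example (not FL MGUARD code): evaluate firewall rules using the port
# notation and actions the manual describes. First matching rule wins.
import ipaddress
import socket
from dataclasses import dataclass

# Constructed minimal service table so the example runs without /etc/services;
# socket.getservbyname() is tried for names that are not listed here.
SERVICE_NAMES = {"pop3": 110, "ssh": 22, "http": 80, "https": 443, "smtp": 25}


def port_number(token):
    """Resolve one port token: a number or a service name such as 'pop3'."""
    token = token.strip().lower()
    if token.isdigit():
        n = int(token)
        if not 0 <= n <= 65535:
            raise ValueError(f"port out of range: {token}")
        return n
    if token in SERVICE_NAMES:
        return SERVICE_NAMES[token]
    try:
        return socket.getservbyname(token)
    except OSError as exc:
        raise ValueError(f"unknown service name: {token}") from exc


def parse_port_spec(spec):
    """'any' -> whole range, 'start:end' -> port area, otherwise one port."""
    spec = spec.strip().lower()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = (port_number(t) for t in spec.split(":", 1))
        if lo > hi:
            raise ValueError(f"invalid port area: {spec}")
        return (lo, hi)
    p = port_number(spec)
    return (p, p)


@dataclass
class Rule:
    protocol: str          # "tcp", "udp" or "any"
    from_ip: str           # CIDR; 0.0.0.0/0 means all addresses
    from_port: str         # port spec as above
    to_ip: str
    to_port: str
    action: str            # "Accept", "Reject" or "Drop"
    log: bool = False
    comment: str = ""

    def matches(self, pkt):
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        src_net = ipaddress.ip_network(self.from_ip, strict=False)
        dst_net = ipaddress.ip_network(self.to_ip, strict=False)
        if ipaddress.ip_address(pkt["src"]) not in src_net:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in dst_net:
            return False
        lo, hi = parse_port_spec(self.from_port)
        if not lo <= pkt["sport"] <= hi:
            return False
        lo, hi = parse_port_spec(self.to_port)
        return lo <= pkt["dport"] <= hi


def evaluate(rules, pkt, stealth_mode=False, log_unknown=False, default_action="Drop"):
    """Return (effective action, log lines). default_action is an assumption
    for packets that no rule covers; log_unknown mirrors the manual's option
    to log every connection attempt not covered by the rules."""
    logs = []
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            action = rule.action
            if stealth_mode and action == "Reject":
                action = "Drop"  # in stealth mode Reject has the same effect as Drop
            if rule.log:
                logs.append(f"rule {idx} ({rule.comment or 'no comment'}): {action} {pkt}")
            return action, logs
    if log_unknown:
        logs.append(f"unknown connection attempt: {pkt}")
    return default_action, logs


# Constructed sample rule set and packets (not taken from the manual).
RULES = [
    Rule("tcp", "192.168.1.0/24", "any", "0.0.0.0/0", "pop3", "Accept", log=True, comment="mail"),
    Rule("tcp", "0.0.0.0/0", "any", "0.0.0.0/0", "110:120", "Reject"),
    Rule("udp", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "Drop", log=True),
]
SAMPLE_PACKETS = [
    {"protocol": "tcp", "src": "192.168.1.5", "dst": "10.0.0.1", "sport": 40000, "dport": 110},
    {"protocol": "tcp", "src": "172.16.0.9", "dst": "10.0.0.1", "sport": 40001, "dport": 115},
    {"protocol": "tcp", "src": "172.16.0.9", "dst": "10.0.0.1", "sport": 40002, "dport": 443},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        for stealth in (False, True):
            print("stealth" if stealth else "router", evaluate(RULES, pkt, stealth_mode=stealth, log_unknown=True))
```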
150. What type of access is permitted: read or read/write access (see CIFS Integrity Monitoring >> CIFS AV Scan Connector on page 6-158).
6.7.1 CIFS Integrity Monitoring >> Importable Shares
Requirements: The network drives that the FL MGUARD should check regularly can be specified here. In order for the network drives to be checked, you must also refer to these network drives in one of the two methods, CIFS integrity checking or CIFS anti-virus scan connector. The references to the network drives can be set as follows:
  For CIFS integrity checking, see Checked CIFS Share on page 6-151.
  For CIFS anti-virus scan connector, see CIFS AV Scan Connector on page 6-158.
6.7.1.1 Importable Shares
[Screenshot: CIFS Integrity Monitoring >> Importable Shares >> Importable CIFS Shares. "Here you can specify the CIFS shares to which the mGuard has access." One example entry (pc x7 scan on server 192.168.66.2). "Please note: The shares listed here are only used if they are referenced from the CIFS Integrity Checking function or the CIFS AV Scan Connector function. The mGuard will either only read from the share or also write to it, depending on the function the share is referenced from."]
CIFS Integrity Monitoring >> Importable Shares
Importable CIFS Shares
  Name: Name of the network drive that is to be checked (internal name
151. Management >> System Settings >> Shell Access (continued)
  From IP: Enter the address of the computer or network from which remote access is permitted or forbidden in this field. The following options are available: an IP address; 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
  Interface: External / Internal / External 2 / VPN / Dial-in. (External 2 and Dial-in are only for devices with a serial interface, see Network >> Interfaces on page 6-55.) Specifies to which interface the rules should apply. If no rules are set, or if no rule applies, the following default settings apply: SSH access is permitted via Internal, VPN and Dial-in; access via External and External 2 is refused. Specify the access options according to your requirements.
  NOTE: If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To prevent your own access being blocked, you may have to simultaneously permit access via another interface explicitly with Accept before the new setting takes effect by clicking on the Apply button. Otherwise, if your access is blocked, you must carry out the recovery procedure.
  Action: Options: Accept means that the data packets may pa
152. ab, select Internet Protocol (TCP/IP) under "This connection uses the following items", then click on Properties.
- Make the appropriate entries and settings in the Internet Protocol (TCP/IP) Properties dialog box.
6.4.4.1 Internal/External DHCP
[Screenshot: Network >> DHCP (tabs Internal DHCP, External DHCP). DHCP Mode: DHCP mode "Disabled"]
Network >> DHCP >> Internal DHCP
DHCP Mode
  DHCP mode: Disabled / Server / Relay.
  Set this option to Server if the FL MGUARD is to operate as an independent DHCP server. The corresponding setting options are then displayed below on the tab page (see Server).
  Set this option to Relay if the FL MGUARD is to forward DHCP requests to another DHCP server. The corresponding setting options are then displayed below on the tab page (see Relay). In FL MGUARD stealth mode, relay DHCP mode is not supported. If the FL MGUARD is in stealth mode and relay DHCP mode is selected, this setting will be ignored. However, DHCP requests from the computer and the corresponding responses are forwarded due to the nature of stealth mode.
  If this option is set to Disabled, the FL MGUARD does not answer any DHCP requests.
Network >> DHCP >> Internal DHCP (continued)
  DHCP mode: Server. If DHCP mode is set to Server, the corresponding setting options are displayed below as follows: Ne
153. aker / Speaker control: These two settings specify which sounds should be emitted by the built-in FL MGUARD speaker and at what volume.
For the FL MGUARD RS with built-in ISDN terminal adapter
[Screenshot: External Modem: Modem init string (shown as d dATH OK). Additionally for the FL MGUARD RS with built-in ISDN terminal adapter, Built-in Modem (ISDN): ISDN protocol "EuroISDN (NET3)", Layer 2 protocol]
Network >> Interfaces >> Modem/Console (for the FL MGUARD RS with built-in ISDN terminal adapter)
  External Modem: As for the FL MGUARD RS without built-in modem, FL MGUARD BLADE and FL MGUARD DELTA. Configuration as above for External Modem (see External Modem on page 6-91).
Built-in Modem (ISDN)
  1st MSN: For outgoing calls, the FL MGUARD transmits the MSN (Multiple Subscriber Number) entered here to the called remote peer. In addition, the FL MGUARD can receive incoming calls via this MSN, provided dial-in operation is enabled (see General tab page). Maximum of 25 alphanumeric characters; the following special characters can be used: colon
  2nd MSN: If the FL MGUARD should also receive incoming calls via another number (for dial-in operation, if enabled), enter the second MSN here.
  ISDN protocol: The EuroISDN protocol, also known as NET3, is used in Germany and many
154. allLogoutReason. This trap is sent when a user logs out of the user firewall.
  enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapUserFirewallAuthError (TRAP-TYPE 3); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod. This trap is sent in the event of an authentication error.
Activate traps: Yes / No
  enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNIKEServerStatus (1); additional: mGuardTResVPNStatus. This trap is sent when the IPsec IKE server is started and stopped.
  enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNIPsecConnStatus (2); additional: mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPeer, mGuardTResVPNStatus, mGuardTResVPNType, mGuardTResVPNLocal, mGuardTResVPNRemote. This trap is sent when the status of an IPsec connection changes.
Management >> SNMP >> Trap (continued)
Trap destinations
L2TP connection status changes, Activate traps: Yes / No
  enterprise-oid: mGuardTrapVPN; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapVPNL2TPConnStatus (3); additional: mGuardTResVPNName, mGuardTResVPNIndex, mGuardTResVPNPe
155. ample: IP address 192.168.1.2, Subnet mask 255.255.255.0, Default gateway 192.168.1.1.
Depending on the configuration of the FL MGUARD, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.
Preparing the configuration
5.2.3 FL MGUARD PCI
Installing the PCI card
- If the PCI card has not yet been installed in your computer, first proceed as described under Installing the hardware on page 4-25.
Installing the driver
- If you have configured the FL MGUARD for driver mode, make sure that the driver is installed as described under Driver installation on page 4-26.
Configuring the network interface
If the FL MGUARD is operated in driver mode and the LAN interface (network interface) of the computer has not yet been configured, or is operated in Power-over-PCI mode and the network interface of the computer that is connected to the LAN interface of the FL MGUARD has not yet been configured, this network interface must be configured before the FL MGUARD can be configured.
Under Windows XP, configure the network interface as follows:
- Click on Start, Control Panel, Network Connections.
- Right-click on the LAN adapter icon to open the context menu. In the context menu, click on Properties.
- In the Properties of local network (LAN) connections dialog box
156. ap
Basic traps
  SNMP authentication, Activate traps: Yes / No. enterprise-oid: mGuardInfo; generic-trap: authenticationFailure; specific-trap: 0. Sent if an unauthorized station attempts to access the FL MGUARD SNMP agent.
  Link Up/Down, Activate traps: Yes / No. enterprise-oid: mGuardInfo; generic-trap: linkUp, linkDown; specific-trap: 0. Sent when the connection to a port is interrupted (linkDown) or restored (linkUp).
  Coldstart, Activate traps: Yes / No. enterprise-oid: mGuardInfo; generic-trap: coldStart; specific-trap: 0. Sent after a cold restart or warm start.
  Admin access (SSH, HTTPS), Activate traps: Yes / No. enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardHTTPSLoginTrap (1); additional: mGuardHTTPSLastAccessIP. This trap is sent if someone has tried unsuccessfully to open an HTTPS session, e.g. using an incorrect password. The trap contains the IP address of the last unsuccessful login attempt.
    enterprise-oid: mGuard; generic-trap: enterpriseSpecific; specific-trap: mGuardShellLoginTrap (2); additional: mGuardShellLastAccessIP. This trap is sent when someone opens the shell via SSH or the serial interface. The trap contains the IP address of the login request. If this request was sent via the serial port, the value is 0.0.0.0.
  new DHCP client: enterprise
157. asily.
Redundancy Port: Internal / External
  Internal: If the connection is lost (arrives) at the LAN port, the WAN port is also disabled (enabled).
  External: If the connection is lost (arrives) at the WAN port, the LAN port is also disabled (enabled).
6.11 Logging menu
Logging refers to the recording of event messages, e.g. regarding settings that have been made, the application of firewall rules, errors, etc. Log entries are recorded in various categories and can be displayed according to these categories. See Logging >> Browse local logs on page 6-208.
6.11.1 Logging >> Settings
6.11.1.1 Remote Logging
All log entries are recorded in the main memory of the FL MGUARD by default. Once the maximum memory space for log entries has been used up, the oldest log entries are automatically overwritten by new entries. In addition, all log entries are deleted when the FL MGUARD is switched off. To prevent this, log entries (SysLog messages) can be transmitted to an external computer (SysLog server). This is particularly useful if you wish to manage the logs of multiple FL MGUARD devices centrally.
[Screenshot: Remote Logging >> Settings: Activate remote UDP logging "Yes"; Log Server IP address 192.168.66.2; Log Server port (normally 514) 514]
Logging >> Remote Logging
Settings
  Activate remote UDP logging: Yes / No. If all log entries
158. at: The device is connected correctly and is operating.
  Red, flashing: System error. Restart the device: press the Rescue button for 1.5 seconds. Alternatively, briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see Performing a recovery procedure on page 7-2) or contact the Support team.
  State, flashing alternately green and red: Boot process, when the device has just been connected to the power supply. After a few seconds this display changes to the heartbeat state.
  Ethernet status, green ON: Indicates the status of the LAN or WAN port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN or WAN. When data packets are transmitted, the LED goes out briefly.
Operating elements and indicators
3.2 FL MGUARD GT/GT
By default upon delivery, the device is in router mode with the default IP address 192.168.1.1, subnet mask 255.255.255.0. The management interfaces can now be accessed via the LAN interface.
[Figure: FL MGUARD GT/GT front view with the MODE switch with LEDs, port labeling fields, device labeling and the port LEDs ACT, SPD, FD, LNK, MODE, INF]
159. ata (payload).
The IP header contains:
- The IP address of the sender (source IP address)
- The IP address of the recipient (destination IP address)
- The protocol number of the protocol on the superordinate protocol layer (according to the OSI layer model)
- The IP header checksum, used to check the integrity of the received header
The TCP/UDP header contains the following information:
- The sender's port (source port)
- The recipient's port (destination port)
- A checksum covering the TCP header and information from the IP header (e.g. source and destination IP addresses)
If a computer is connected to a network, the operating system creates a routing table internally. The table lists the IP addresses that the operating system has identified based on the connected computers and the routes available at that time. Accordingly, the routing table contains the possible routes (destinations) for sending IP packets. If IP packets are to be sent, the computer's operating system compares the IP addresses stated in the IP packets with the entries in the routing table in order to determine the correct route. If a router is connected to the computer and its internal IP address (i.e. the IP address of the router's LAN port) has been relayed to the operating system as the default gateway in the network card's TCP/IP configuration, then this IP address is used as the destination if all other IP addresses in the routing table are not suitab
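The routing-table lookup described above can be made concrete with a small model. This is an added example, not code from the manual; it assumes longest-prefix matching, a 0.0.0.0/0 entry standing for the default gateway, and uses the addresses of the routing example elsewhere in this manual (FL MGUARD 192.168.11.1, router 192.168.11.2, networks 192.168.11.0/24, 192.168.15.0/24 and 192.168.27.0/24) as a constructed table for a computer in network A.

```python
# Added example (not FL MGUARD code): a minimal routing table as the manual
# describes it. Each entry is (destination network, gateway, interface); a
# gateway of None means the network is directly connected, and the 0.0.0.0/0
# entry is the default gateway, used only when no more specific entry fits.
import ipaddress


class RoutingTable:
    def __init__(self):
        self.entries = []

    def add(self, network, gateway, interface):
        self.entries.append((
            ipaddress.ip_network(network, strict=False),
            None if gateway is None else ipaddress.ip_address(gateway),
            interface,
        ))

    def lookup(self, destination):
        """Most specific matching entry as (gateway, interface), or None when
        nothing (not even a default route) covers the destination."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw, iface in self.entries:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            return None
        return (best[1], best[2])

    def next_hop(self, destination):
        """Address the packet is actually handed to: the destination itself on
        a directly connected network, otherwise the gateway of the route."""
        found = self.lookup(destination)
        if found is None:
            return None
        gw, iface = found
        return (destination if gw is None else str(gw), iface)

    def unreachable_gateways(self):
        """Gateways that lie in no directly connected network; a route via such
        a gateway can never be used, a common misconfiguration to check for."""
        connected = [net for net, gw, _ in self.entries if gw is None]
        bad = []
        for _, gw, _ in self.entries:
            if gw is not None and not any(gw in net for net in connected):
                bad.append(str(gw))
        return bad


def build_example_table():
    """Constructed table for computer A1 in the manual's routing example."""
    rt = RoutingTable()
    rt.add("192.168.11.0/24", None, "eth0")           # network A, directly connected
    rt.add("192.168.15.0/24", "192.168.11.2", "eth0")  # network B via the router
    rt.add("192.168.27.0/24", "192.168.11.2", "eth0")  # network C via the router
    rt.add("0.0.0.0/0", "192.168.11.1", "eth0")        # default gateway: FL MGUARD LAN port
    return rt


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("192.168.11.5", "192.168.15.3", "192.168.27.4", "198.51.100.7"):
        print(dst, "->", table.next_hop(dst))
    print("unreachable gateways:", table.unreachable_gateways())
```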
160. atic Stealth Configuration
  Client's IP address: The IP address of the computer connected to the LAN port.
  Client's MAC address: The physical address of the network card of the local computer to which the FL MGUARD is connected. The MAC address can be determined as follows: in DOS (Start, Programs, Accessories, Command Prompt), enter the following command: ipconfig /all
  The MAC address does not necessarily have to be specified. The FL MGUARD can automatically obtain the MAC address from the client. The MAC address 0:0:0:0:0:0 must be set in order to do this. Please note that the FL MGUARD can only forward network packets to the client once the MAC address of the client has been determined.
  If no stealth management IP address or client MAC address is configured in static stealth mode, then DAD ARP requests are sent to the internal interface (see RFC 2131, Section 4.4.1).
Network >> Interfaces >> General, Stealth network mode (continued)
  Secondary External Interface: Only in router network mode with static router mode, or in stealth network mode. Only for FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA. In these network modes, the serial interface of the FL MGUARD can be configured as an additional secondary external interface. The secondary external interface can be used to transfer data permanently or temporarily to the external netw
161. ation enabled
IP Fragmentation
  IKE Fragmentation: UDP packets can be oversized if an IPsec connection is established between the participating devices via IKE and certificates are exchanged. Some routers are not capable of forwarding large UDP packets if they are fragmented over the transmission path (e.g. via DSL in 1500-byte segments). Some faulty devices forward the first fragment only, resulting in connection failure. If two FL MGUARD devices communicate with each other, then the transmission of small UDP packets should be agreed upon first. This prevents packets from being fragmented during transmission, which can result in incorrect routing by some routers. If you want to use this option, set it to Yes. If this option is set to Yes, this setting only takes effect if the remote peer is an FL MGUARD with installed firmware Version 5.1.0 or later. In all other cases the setting has no effect, negative or otherwise.
  IPsec MTU (default is 16260): The option for avoiding oversized IKE data packets, which cannot be routed correctly on the transmission path by faulty routers, can also be applied for IPsec data packets. In order to remain below the upper limit of 1500 bytes often set by DSL, it is recommended that a value of 1414 bytes be set. This also allows enough space for additional headers. If you want to use this option, specify a value lower than the default setting.
162. between the different IP addresses for the sender address in the data packets it sends. This applies to network packets that the computer sends to TCP port 139 (NetBIOS). As the FL MGUARD determines the address of the computer from the sender address, and thus the address via which the FL MGUARD can be accessed, the FL MGUARD would have to switch back and forth, and this would hinder operation considerably. To avoid this, set this option to Yes if the FL MGUARD has been connected to a computer that has these properties.
Network >> Interfaces >> General, Stealth network mode (continued)
Stealth Management IP Address
[Screenshot: Stealth Management IP Address. "Here you can specify an additional IP address to administrate the mGuard. If you have set Stealth configuration to multiple clients, remote access will only be possible using this IP address. An IP address of 0.0.0.0 disables this feature. Note: using management VLAN is not supported in Stealth autodetect mode." IP address 0.0.0.0; Netmask 0.0.0.0; Default gateway 0.0.0.0; Use Management VLAN "No"; Management VLAN ID]
An additional IP address can be specified here for the administration of the FL MGUARD. Remote access via HTTPS, SNMP and SSH is only possible using this address if the multiple clients option is selected under Stealth configu
163. bled
[Screenshot: Comment; Type "Tunnel"; Local 192.168.66.0/24; Remote 172.16.66.0/24. NAT (NAT for IPsec tunnel connections), 1:1 NAT: Enable 1-to-1 NAT of the local network to an internal network "Yes"; Internal network address for local 1-to-1 NAT 192.168.0.0; Enable 1-to-1 NAT of the remote network to a different network "Yes"; Network address for remote 1-to-1 NAT 192.168.1.0; Protocol]
NAT
  Enable 1-to-1 NAT of the local network to an internal network: Yes / No. Rewrites the local network specified under Local to an actual existing local network. This option is set to No by default.
  Internal network address for local 1-to-1 NAT: Only if Yes has been selected above. The actual network address of the system in the local network. The subnet mask is taken from the Local field.
  Enable 1-to-1 NAT of the remote network to a different network: Rewrites the remote network agreed by the VPN remote peer under Remote, as if the computers connected there and their addresses were located in another network. This option is set to No by default.
  Network address for remote 1-to-1 NAT: Only if Yes has been selected above. The remote network address actually addressed by the systems in the local network. The subnet mask is taken from the Remote field.
  If the remote network or the remote network for 1:1 NAT are within one of the networks directly connected to the LAN port of the FL MGUARD, the
164. by the Internet service provider.
[Figure: FL MGUARD in router network mode, internal address of the FL MGUARD 192.168.11.1. Network A (network address 192.168.11.0/24) is connected via a switch to the LAN port; a router at 192.168.11.2 connects Network B (network address 192.168.15.0/24, subnet mask 255.255.255.0) and Network C (network address 192.168.27.0/24, subnet mask 255.255.255.0) via a further switch.]
  Network A: computers A1, A2, A3, A4, A5 with IP addresses 192.168.11.3, 192.168.11.4, 192.168.11.5, 192.168.11.6, 192.168.11.7; subnet mask 255.255.255.0 in each case.
  Network B: computers with IP addresses 192.168.15.2, 192.168.15.3, 192.168.15.4, 192.168.15.5; subnet mask 255.255.255.0 in each case.
  Network C: computers with IP addresses 192.168.27.1, 192.168.27.2, 192.168.27.3, 192.168.27.4; subnet mask 255.255.255.0 in each case.
  Additional internal routes: Network 192.168.15.0/24, Gateway 192.168.11.2; Network 192.168.27.0/24, Gateway 192.168.11.2.
7 Restart, the recovery procedure and flashing the firmware
The Rescue button is used to set the device to one of the following states: performing a restart; performing a recovery procedure; flashing the firmwar
165. cally at the next scheduled check. This procedure cannot be seen
CIFS anti-virus scan connector
6.7.4 CIFS Integrity Monitoring >> CIFS AV Scan Connector
In stealth network mode, the CIFS server for the anti-virus scan is not supported without a management IP address.
The CIFS anti-virus scan connector enables the FL MGUARD to perform a virus scan on drives that are otherwise not externally accessible (e.g. production cells). The FL MGUARD mirrors a drive externally in order to perform the virus scan. Additional anti-virus software is required for this procedure. Set the necessary read or read/write access for your anti-virus software.
6.7.4.1 CIFS AV Scan Connector
[Screenshot: CIFS Integrity Monitoring >> CIFS AV Scan Connector >> CIFS Antivirus Scan Connector. CIFS Server: Enable the server "No"; Server's workgroup WORKGROUP; Login anonymous; Password; Exported share's name (exported av share); Allow write access "No". "Please note: To have the CIFS server enabled in the network mode Stealth, a management IP must be set." Allowed Networks: one rule with From IP 0.0.0.0/0, Interface External, Action Accept, Log No. "These rules allow to grant remote access to the CIFS server of the mGuard. Please note: In router mode with NAT or port forwarding the net"]
166. can be adjusted as accurately as possible. Only then can the FL MGUARD act as the NTP server for the computers connected to its LAN interface and provide them with the system time.
An initial time synchronization with the external time server is performed after every booting process, unless the FL MGUARD has a built-in clock (FL MGUARD RS and FL MGUARD DELTA). After the initial time synchronization, the FL MGUARD regularly compares the system time with the time servers. Fine adjustment of the time is usually only made in the second range.
Displays the current NTP status. Shows whether the NTP server running on the FL MGUARD has been synchronized with the configured NTP servers to a sufficient degree of accuracy. If the system clock of the FL MGUARD has never been synchronized prior to activation of NTP time synchronization, then synchronization can take up to 15 minutes. The NTP server still changes the FL MGUARD system clock to the current time after a few seconds, as soon as it has successfully contacted one of the configured NTP servers. The system time of the FL MGUARD is then regarded as synchronized. Fine adjustment of the time is usually only made in the second range.
Enter one or more time servers from which the FL MGUARD should obtain the current time. If several time servers are specified, the FL MGUARD will automatically connect to all of them to determine the current time.
167. cate can be selected from the selection list. The selection list contains the remote certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item.
  Authorized for access: root / admin / netadmin / audit / user. Specifies which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication >> Local Users on page 6-111. The netadmin and audit authorization levels relate to access rights with the Innominate Device Manager.
6.2.3 Management >> Licensing
6.2.3.1 Overview
[Screenshot: Management >> Licensing, showing the mGuard Flash ID and the installed Feature License ("License with priority 1235130572": licence_id 6, licence_date 2009-02-20T11:49:32, flash_id, serial_number VB0815, hardware_revision 00002000, product_code BD 601000, firmware_max_version 7, firmware_flavours default, vpn_channels 250, l2tp_server 1, licence_version 1, licence_type Innominate mGuard, auth_x509, nw_extended, nwsec_base)]
With FL MGUARD Version 5.0 or later, licenses remain installed even after the firmware is flashed. However, licenses are still deleted when devices with older firmware versions are flashed to Version 5.0.0 or later. Before flashing, the license for
168. cause radio interference in residential areas, and the operator may be required to take appropriate measures.
WARNING: Conditions of acceptability. The device is designed for installation in a PC in the secondary signal circuit, and therefore no tests have been performed. The user must evaluate any tests. The temperature of the PCB must not exceed 105 °C.
Selection of driver mode or Power-over-PCI mode
There are two operating modes: driver mode and Power-over-PCI mode.
- Before installing it in your PC, decide which mode will be used to operate the FL MGUARD PCI.
- The FL MGUARD is set to the desired mode using a jumper.
Driver mode: The FL MGUARD PCI can be used as a normal network card. This network card then also provides FL MGUARD functions. In this case, the supplied driver must be installed.
Power-over-PCI mode: If the network card functions of the FL MGUARD are not required or should not be used, the FL MGUARD PCI can be connected after an existing network card (on the same computer or on another) as an FL MGUARD stand-alone device. In this operating mode, the FL MGUARD PCI actually only uses the PCI slot of a computer in order to receive power and as housing. This operating mode of the FL MGUARD is referred to as Power-over-PCI mode. A driver is not installed.
4.8.1 Driver mode
In this mode, a driver for the PCI interface of the FL MGUARD PCI (available for Windows XP/2000 and Linux) must be installed later
169. ce using one voltage source and connecting the VPN enable button. Always supply the VPN enable button from the voltage source that supplies the FL MGUARD GT/GT VPN.
[Figure 3-5: Supplying the device and connecting the VPN enable button using one voltage source (terminals US1, GND, R1, R2)]
3.2.1.4 Redundant 24 V DC supply and connecting the VPN enable button
Always supply the VPN enable button from the voltage source that supplies the FL MGUARD GT/GT VPN.
NOTE: Risk of material damage. Only use power supplies that are suitable for parallel operation.
[Figure 3-6: Supplying the device using two voltage sources (terminals US1, GND, R1, R2)]
3.2.2 Using Smart mode
Smart mode enables the user to execute special functions without having to access the management interface. The FL MGUARD GT/GT offers the following setting options in Smart mode:
- Execute the recovery procedure
- Apply a customized default profile
- Start the flash procedure
- Exit Smart mode without changes
3.2.2.1 Activating Smart mode
The mode button is used to call/exit Smart mode and to select the desired function. The three mode LEDs indicate the mode that is curr
170. ceed as follows:
• Click on Start, Control Panel, Network Connections.
• Right-click on the LAN adapter icon to open the context menu.
• In the context menu, select Properties.
• In the Properties of local network (LAN) connections dialog box, switch to the General tab.
• Under "This connection uses the following items", select Internet Protocol (TCP/IP). Then click on Properties to display the following dialog box.

[Figure: Internet Protocol (TCP/IP) Properties dialog box, showing the fields IP address, Subnet mask, Default gateway, Preferred DNS server and Alternate DNS server.]

Look up or specify the IP address of the default gateway. If no IP address has been specified for the default gateway in this dialog box (e.g. because "Obtain an IP address automatically" has been activated), then enter the IP address manually: Subnet mask, Default gateway 192.168.1.1. To do so, first select "Use the
171. changed with another specific address and is not exchanged with the same address for all data packets, as in IP masquerading. This enables the FL MGUARD to mirror addresses from the internal network to the external network.

Example: The FL MGUARD is connected to network 192.168.0.0/24 via its LAN port and to network 10.0.0.0/24 via its WAN port. By using 1:1 NAT, the LAN computer with IP address 192.168.0.8 can be accessed via IP address 10.0.0.8 in the external network. [Figure: 192.168.0.8 in network 192.168.0.0/24 on the LAN side mapped to 10.0.0.8 in network 10.0.0.0/24 on the WAN side.]

Default setting: 1:1 NAT is not active. 1:1 NAT cannot be used on the External 2 interface. 1:1 NAT is only used in router network mode.

Local network: The address of the network at the LAN port. External network: The address of the network at the WAN port. Netmask: The subnet mask as a value between 1 and 32 for the local and external network address, see also CIDR (Classless Inter-Domain Routing) on page 6-215. Comment: Can be filled with appropriate comments. External 2 and All External are only for devices with a serial interface (FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA), see Secondary External Interface on page 6-66.

6.4.2.2 Port Forwarding. [Screenshot: Masquerading >> Port Forwarding table with the columns Log ID, Protocol (TCP), From IP (0.0.0.0/0) and From Port (any).]
172. cified as 10.0.0.0/8, while the external route of the secondary external interface is specified as 10.1.7.0/24. Data packets to network 10.1.7.0/24 are then routed via the secondary external interface, although the routing entry for the primary external interface also matches them. Reason: The routing entry for the secondary external interface refers to a smaller network (10.1.7.0/24 < 10.0.0.0/8). This rule does not apply in stealth network mode with regard to the stealth management IP address; see the note under Stealth Management IP Address on page 6-64.

If the routing entries for the primary and secondary external interfaces are identical, then the secondary external interface wins, i.e. the data packets with a matching destination address are routed via the secondary external interface.

The routing settings for the secondary external interface only take effect when the secondary external interface is activated. Particular attention must be paid to this if the routing entries for the primary and secondary external interfaces overlap or are identical, whereby the priority of the secondary external interface has a filter effect with the following result: Data packets whose destination matches both the primary and secondary external interfaces are always routed via the secondary external interface, but only if this is activated. In temporary mode, "activated" signifies the following: The secondary external interface is only activated when
173. ck on the arrow below which you want to move the selected rows. 3. The rows are moved.

Deleting rows: Select the rows you want to delete. Click on the delete symbol to delete the rows. The rows are deleted.

Working with non-sortable tables: Tables are non-sortable if the order of the data records contained within does not play any technical role. It is then not possible to insert or move rows. With these tables you can: Delete rows; Append rows to the end of the table in order to create a new data record with settings (e.g. user firewall templates). The symbols for inserting a new table row are therefore different.

Appending rows (non-sortable tables): 1. Click on the arrow to append a new row. 2. The new row is appended below the existing table. You can now enter or specify values in the row.

Buttons: The following buttons are located at the top of every page. Logout: For logging out after configuration access to the FL MGUARD. If the user does not log out, he/she is logged out automatically if there has been no further activity and the time period specified by the configuration has elapsed. Access can only be restored by logging in again. Optional button: Resets to the original values. If you have entered values on a configuration page and these have not yet taken effect
174. communicate with external computers by SIP via the FL MGUARD.

6.6.2 Network Security >> DoS Protection. 6.6.2.1 Flood Protection. [Screenshot: Network Security >> DoS Protection >> Flood Protection with the fields TCP: Maximum number of new outgoing TCP connections (SYN) per second, Maximum number of new incoming TCP connections (SYN) per second; ICMP: Maximum number of outgoing ping frames (ICMP Echo Request) per second, Maximum number of incoming ping frames (ICMP Echo Request) per second; Stealth Mode: Maximum number of outgoing ARP requests or ARP replies per second (each), Maximum number of incoming ARP requests or ARP replies per second (each).]

Network Security >> DoS Protection >> Flood Protection.
TCP: Maximum number of new incoming/outgoing TCP connections (SYN) per second. Outgoing: default setting 75. Incoming: default setting 25. Maximum values for the number of incoming and outgoing TCP connections allowed per second. These are set to a level that can never be reached during normal practical operation. However, it can be easily reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can b
ICMP: Maximum number of incoming/outgoing ping frames (ICMP Echo Request) per second.
175. connected to the RJ45 female connectors of the FL MGUARD.

LAN port: • Connect the local computer or the local network to the LAN port of the FL MGUARD using a UTP Ethernet cable (CAT5) or using SFP plug-in modules (optional, see Ordering data on page 9-6). If your computer is already connected to a network, patch the FL MGUARD between the existing network connection. Please note that configuration can only be completed via the LAN interface, and the firewall of the FL MGUARD GT/GT prevents all IP data traffic from the WAN to the LAN interface.

WAN port: • Use a UTP cable (CAT5) or establish the connection using SFP plug-in modules (optional, see Ordering data on page 9-6). • Connect the external network via the WAN female connector (e.g. WAN, Internet). Connections to the remote device or network are established via this network. Driver installation is not required. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Operating a connected button:

Functional earth ground: The FL MGUARD GT/GT is grounded via the metal housing when it is mounted on a DIN rail. The DIN rail must be grounded.

Signal contact: WARNING: Only SELV circuits with voltage limitations according to EN 60950-1 may be c
176. connections must not be positioned after a NAT router and must have its own IP address, which the client also uses to establish the encapsulated connection.

As participants in the TCP encapsulation, the FL MGUARD devices for the machine control systems initiate the VPN data traffic to the maintenance center and encapsulate the data packets sent to it. As soon as a connection is initiated, the maintenance center also automatically encapsulates the data packets sent to the relevant VPN remote peer. [Figure: Machine control systems 1, 2 and 3, each behind an FL MGUARD device, connected to the FL MGUARD of the maintenance center.]

Required basic settings:

FL MGUARD devices on machine control systems:
- IPsec VPN >> Global menu item, Options tab page: Listen for incoming VPN connections which are encapsulated: No.
- Connections submenu, General tab page: Address of the remote site's VPN gateway: fixed IP address or hostname. Connection startup: Initiate or Initiate on traffic. Encapsulate the VPN traffic in TCP: Yes. F

FL MGUARD of maintenance center:
- IPsec VPN >> Global menu item, Options tab page: Listen for incoming VPN connections which are encapsulated: Yes.
- Connections submenu, General tab page: Address of the remote site's VPN gateway: any. Connection startup: Wait.
177. continued.

Switch type connected to the CMD/MC1 contacts (Push button / On-off switch): The FL MGUARD RS and FL MGUARD GT/GT have connections to which an external button/switch and (FL MGUARD RS only) a signal contact/LED can be connected. Select the switch type that is connected to the corresponding service contacts of the FL MGUARD RS / FL MGUARD GT/GT. For additional information, see Installing the FL MGUARD RS on page 4-4 or Installing the FL MGUARD GT/GT on page 4-11 under Service Contacts; information about how to operate the different switch types is also described there. If a VPN connection is established by actuating the button or switch, the connection is maintained until it is released by actuating the button or switch again. If an on/off switch is used instead of a button and it is actuated to establish a VPN connection, this connection is reestablished automatically when the FL MGUARD is restarted.

Archive diagnostic messages for VPN connections (No / Only when started via nph-vpn.cgi or CMD/MC1 contact): If errors occur when establishing VPN connections, the FL MGUARD logging function can be used to find the source of the error based on corresponding entries; see the Logging >> Browse local logs menu item. This option for error diagnostics is used as standard. Set this option to No (default) if it is sufficient
178. cted to the front plate. WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas and the operator may be required to take appropriate measures. When installed in residential or office areas, the FL MGUARD RS may only be operated in control cabinets with fire protection properties according to EN 60950-1.

4.3.1 Mounting/removal. Mounting: The device is ready to operate when it is supplied. The recommended procedure for mounting and connection is as follows:
• Pull out the terminal block from the bottom of the FL MGUARD RS and wire the signal lines and other connections as required (see Connection options on lower terminal block on page 4-7).
• Tighten the screws on the screw terminal blocks with at least 0.22 Nm. Wait to insert the terminal block.
• Mount the FL MGUARD RS on a grounded 35 mm DIN rail according to DIN EN 60715. The device conducts the grounding provided by the DIN rail through the left-hand contact (ground connection) of the lower terminal strip. Figure 4-1: Mounting the FL MGUARD RS on a DIN rail.
• Attach the top snap-on foot of the FL MGUARD RS to the DIN rail and then press the FL MGUARD RS down towards the DIN rail so that it engages with a click.
• Insert the wired terminal block.
• Connect the supply voltage at the top of the terminal block (see Connecting the supply voltage on page 4-5).
179. ction to ISDN and identify the FL MGUARD RS VPN ISDN as a device in the ISDN network. The table below describes the assignment of contacts to 8-pos. connections, both for connectors and for sockets (for example RJ45). Table 4-2: Assignment of contacts to 8-pos. connections. [Table contents not recoverable apart from the TX entry.]

Serial port. WARNING: The serial interface (RJ12 female connector) must not be connected directly to the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with RJ12 connector. The maximum cable length of the serial cable is 30 m.

The serial port (serial interface) can be used as follows:
- To configure the FL MGUARD via the serial interface. There are two options: A PC is connected directly to the serial interface of the FL MGUARD via the serial interface of the PC. The PC user can then use a terminal program to configure the FL MGUARD via the command line. Or: a modem is connected to the serial interface of the FL MGUARD. This modem is connected to the telephone network (fixed line or GSM network). The user of a remote PC, which is also connected to the telephone network by a modem, can then establish a PPP (Point-to-Point Protocol) dial-up connection to the FL MGUARD and configure it via a web browser.
- To manage data traffic via the serial interface instead of via the WAN interface of the FL MGUARD. In this case a modem should be connected to the serial interface.

[Pin assignment of the serial interface, partially recoverable: Pin 6 CTS, Pin 5 TxD, Pin 4 RTS, one pin not used; remainder cut off.] P
180. cts. Description:
- Industrial router
- Industrial firewall router
- Industrial firewall router with VPN support
- Industrial firewall router with VPN support and integrated analog modem
- Industrial firewall router with VPN support and integrated ISDN terminal adapter
- Industrial firewall router in PCI card format, 266 MHz
- Industrial firewall router in PCI card format, 266 MHz, and VPN support
- Industrial firewall router in PCI card format, 533 MHz
- Industrial firewall router in PCI card format, 533 MHz, and VPN support
- Industrial firewall router with Gigabit
- Industrial firewall router with Gigabit and VPN
- Replaceable configuration memory
- SFP slot module in SFP format, multi-mode
- SFP slot module in SFP format, single mode
- SFP slot module in SFP format, single mode, long haul

9.3.2 Accessories. Description:
- Universal end clamp
- Network monitoring with HMI/SCADA systems
- Patchbox, 8 x RJ45, CAT5e, pre-assembled, can be retrofitted
- Patchbox, 6 x RJ45, CAT5e, and 4 SC-RJ glass, pre-assembled, can be retrofitted
- Angled patch connector with two RJ45 network connections, CAT5e, including Layer 1 security elements
- Angled patch connector with eight RJ45 network connections, CAT5e, including Layer 1 security elements
- Angled patch connector with two RJ45 network connections, CAT5e
- Angled patch connector with eight RJ45 network connections, CAT5e
- Angled patch connector with two RJ45 network connections, CAT6
- Angled patch connector with ei
181. d configure the FL MGUARD.

Login with X.509 client certificate or password: User authentication is by means of login with a password (see above), or the user's browser authenticates itself using an X.509 certificate and a corresponding private key. Additional details must be specified here. The use of either method depends on the web browser of the remote user. The second option is used when the web browser provides the FL MGUARD with a certificate.

Login restricted to X.509 client certificate: The user's browser must use an X.509 certificate and the corresponding private key to authenticate itself. Additional details must be specified here. Before enabling the Login restricted to X.509 client certificate option, you must first select and test the Login with X.509 client certificate or password option. Only switch to Login restricted to X.509 client certificate when you are sure that this setting works. Otherwise your access could be blocked. Always take this precautionary measure when modifying settings under User authentication.

X.509 authentication for HTTPS: If the following User authentication methods are defined (Login restricted to X.509 client certificate; Login with X.509 client certificate or password), you must then specify how the FL MGUARD authenticates t
182. d that are specified for this access type. For user firewall, see Network Security >> User Firewall on page 6-144.

Preparing the configuration. The following are set by default for administration (please note these settings are case-sensitive): Username: admin. Password: mGuard. To configure the device, make the desired or necessary settings on the individual pages of the FL MGUARD user interface; see Configuration on page 6-1. For security reasons, we recommend you change the default root and administrator passwords during initial configuration (see Authentication >> Local Users on page 6-111).

5.4 Remote configuration. Requirements: The FL MGUARD must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default. To enable remote configuration, see Management >> Web Settings on page 6-18 and Access on page 6-20, and proceed as follows.

Procedure: To configure the FL MGUARD from a remote computer via its web user interface, establish the connection to the FL MGUARD from there. Proceed as follows:
• Start the web browser on the remote computer (e.g. Firefox, MS Internet Explorer or Safari; the web browser must support HTTPS).
• Under address, enter the IP address where the FL MGUARD can be accessed externally over the Internet or WAN, together with
183. dPCI. [Screenshot residue: Windows 2000 digital signature warning. "If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available. Do you want to continue the installation?" (Yes / No / More Info), followed by "To close this wizard, click Finish."] Figure 4-23: Driver installation under Windows 2000 (2). 5. Click on Yes. 6. Click on Finish.

Under Linux: The Linux driver is available in the source code and must be compiled before use.
• First set up and compile the Linux kernel 2.4.25 in the directory /usr/src/linux.
• Extract the drivers from the ZIP to the directory /usr/src/pci-driver.
• Execute the following commands:
  cd /usr/src/pci-driver
  make LINUXDIR=/usr/src/linux
  install -m0644 mguard.o /lib/modules/2.4.25/kernel/drivers/net
  depmod -a
• The driver can now be loaded with the following command: modprobe mguard

5 Preparing the configuration. 5.1 Connection requirements. FL MGUARD RS / FL MGUARD GT/GT: The FL MGUARD RS / FL MGUARD GT/GT must be connected to at least one active power supply unit. For local configuration: The computer that is to be used for configuration must be connected to the LAN female connector on the FL MGUARD
184. ddress area in CIDR format. In the table below, the left-hand column shows the IP subnet mask while the right-hand column shows the corresponding CIDR format.

IP subnet mask     Binary                                 CIDR
255.255.255.255    11111111 11111111 11111111 11111111    32
255.255.255.254    11111111 11111111 11111111 11111110    31
255.255.255.252    11111111 11111111 11111111 11111100    30
255.255.255.248    11111111 11111111 11111111 11111000    29
255.255.255.240    11111111 11111111 11111111 11110000    28
255.255.255.224    11111111 11111111 11111111 11100000    27
255.255.255.192    11111111 11111111 11111111 11000000    26
255.255.255.128    11111111 11111111 11111111 10000000    25
255.255.255.0      11111111 11111111 11111111 00000000    24
255.255.254.0      11111111 11111111 11111110 00000000    23
255.255.252.0      11111111 11111111 11111100 00000000    22
255.255.248.0      11111111 11111111 11111000 00000000    21
255.255.240.0      11111111 11111111 11110000 00000000    20
255.255.224.0      11111111 11111111 11100000 00000000    19
255.255.192.0      11111111 11111111 11000000 00000000    18
255.255.128.0      11111111 11111111 10000000 00000000    17
255.255.0.0        11111111 11111111 00000000 00000000    16
255.254.0.0        11111111 11111110 00000000 00000000    15
255.252.0.0        11111111 11111100 00000000 00000000    14
255.248.0.0        11111111 11111000 00000000 00000000    13
255.240.0.0        11111111 11110000 00000000 00000000    12
255.224.0.0        11111111 11100000 00000000 00000000    11
255.192.0.0        11111111 11000000 00000000 00000000    10
255.128.0.0        11111111 10000000 00000000 00000000    9
255.0.0.0          11111111 00000000 00000000 00000000    8
254.0.0.0          11111110 00000000 00000000 00000000    7
252.0.0.0          11111100 00000000 00000000 00000000    6
248.0.0.0          11111000 00000000 00000000 00000000    5
240.0.0.0          11110000 00000000 00000000 00000000    4
224.0.0.0          11100000 00000000 00000000 00000000    3
192.0.0.0          11000000 00000000 00000000 00000000    2
128.0.0.0          10000000 00000000 00000000 00000000    1
0.0.0.0            00000000 00000000 00000000 00000000    0
185. dial tone (built-in modem, analog). Speaker volume (built-in speaker). Speaker control (built-in speaker): Speaker is on during call establishment but off when receiving carrier.

Network >> Interfaces >> Modem/Console for the FL MGUARD RS with built-in modem.

External Modem: As for the FL MGUARD RS without built-in modem, FL MGUARD BLADE and FL MGUARD DELTA. Configuration as above for External Modem, see External Modem on page 6-91.

Built-in Modem (analog). Country: The country where the FL MGUARD with built-in modem is operated must be specified here. This ensures that the built-in modem operates according to the applicable remote access guidelines in the respective country and that it recognizes and uses dial tones correctly, for example.

Extension line (Yes/No) regarding dial tone: When set to No, the FL MGUARD waits for the dial tone when the telephone network is accessed and the FL MGUARD is calling the remote peer. When set to Yes, the FL MGUARD does not wait for a dial tone. Instead, it begins dialing the remote peer immediately. This procedure may be necessary if the built-in modem of the FL MGUARD is connected to a private branch exchange that does not emit a dial tone when it is picked up. When a specific number must be dialed to access an external line (e.g. 0), this number should be added to the start of the desired remote peer phone number that is to be dialed.

Speaker volume (built-in spe
186. dialog box.
• If no IP address has been specified for the default gateway in this dialog box (e.g. because "Obtain an IP address automatically" has been activated), then enter an IP address manually. To do so, first select "Use the following IP address", then enter the following addresses, for example: IP address 192.168.1.2; Subnet mask 255.255.255.0; Default gateway 192.168.1.1. Do not under any circumstances assign an address such as 1.1.1.2 to the configuration computer.
• In DOS (Start, Programs, Accessories, Command Prompt), enter the following: arp -s <IP address of the default gateway> 00-aa-aa-aa-aa-aa. Example: You have determined or specified the address of the default gateway as 192.168.1.1. The command should then be: arp -s 192.168.1.1 00-aa-aa-aa-aa-aa
• To proceed with the configuration, establish the configuration connection (see Establishing a local configuration connection on page 5-9).
• Following configuration, restore the original default gateway setting. To do this, either restart the configuration computer or enter the following command in DOS: arp -d
Depending on the configuration of the FL MGUARD, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

5.3 Establishing a local configuration connection. Web-based administrator: The FL MG
187. dicators. [Figure 3-13: Example for status indicators on the FL MGUARD GT/GT, showing the LEDs LNK, MODE, INF, ACT, SPD, FD, US1, US2, FAIL, LAN and FA.]

3.3 Rescue button: Located in the opening. Can be pressed with a straightened paper clip, for example. Figure 3-14: Operating elements and indicators on the FL MGUARD SMART (LED 1, LED 2, LED 3, Rescue button).

Table 3-5: Indicators on the FL MGUARD SMART (LED, Color, Status, Meaning).
- Flashing red/green: Boot process. When the device has just been connected to the power supply. After a few seconds this display changes to the heartbeat state.
- Flashing: Heartbeat. The device is connected correctly and is operating.
- Flashing: System error. Restart the device: • Press the Rescue button for 1.5 seconds. • Alternatively, briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see Performing a recovery procedure on page 7-2) or contact the Support team.
- Green, ON or flashing: Ethernet status. LED 1 indicates the status of the LAN port, LED 3 the status of the WAN port. As soon as the device is connected to the network, a continuous light indicates that there is a connection to the network partner.
- Various LED light codes
188. ding to the option set under Measurement Unit (see above). This applies to the data stream that conforms to the rule set criteria specified on the left, i.e. that may pass through. The FL MGUARD will drop the excess number of data packets in the event of capacity bottlenecks if this data stream delivers more data packets per second than specified. Comment: Optional comment text.

6.9.2 Egress Queues. The services are assigned corresponding priority levels. In the event of connection bottlenecks, the outgoing data packets are placed in egress queues (i.e. queues for pending packets) according to the assigned priority level and are then processed according to their priority. Ideally, the assignment of priority levels and bandwidths should result in a sufficient bandwidth level always being available for the complete transmission of data packets in real time, while other packets (e.g. FTP downloads) are set to wait in critical cases. The main application of egress QoS is the optimal utilization of the available bandwidth on a connection. In certain cases a limitation of the packet rate can be useful, e.g. to protect a slow computer from overloading in the protected network. The Egress Queues feature can be used for all interfaces and for VPN connections.

6.9.2.1 External / Internal / External 2 / Dial-in. Internal: Setting for egress queues at the LAN
189. dress of the e-mail server: smtp.example.local. [Screenshot residue: Checking of Shares table with the columns Enabled, Checked CIFS Share, Checksum Memory (e.g. pc-x7-scan). Please note: To have checking of shares enabled in the network mode Stealth, a management IP must be set.]

CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings. General:

Integrity certificate (used to sign integrity databases): The FL MGUARD authenticates itself to the remote peer using a machine certificate loaded on the FL MGUARD. The machine certificate acts as an ID card for the FL MGUARD, which it shows to the relevant remote peer. For information about certificates, please refer to Machine Certificates on page 6-123.

Send notifications via e-mail: After every check: An e-mail is sent to the address specified below after every check. No: An e-mail is not sent to the address specified below. Only with faults and deviations: An e-mail is sent to the address specified below if a deviation is detected during CIFS integrity checking or if the check could not be carried out due to an access error.

Target address for e-mail notifications: An e-mail is sent to this address either after every check or only if a deviation is detected during CIFS integrity checking or if the check could not be carried out due to an access error.

Sender address of e-mail notifications: This address is entered as the sender in the e-mail.

Address of the e-mail server: IP address or host nam
190. dshake (Off/On, RTS/CTS): When set to On, flow is controlled by means of RTS and CTS signals.

External Modem. Hardware handshake (Off/On, RTS/CTS): When set to On, flow is controlled by means of RTS and CTS signals for PPP connections.

Baudrate (default 57600): Transmission speed for communication between the FL MGUARD and modem via the serial connecting cable between both devices. This value should be set to the highest value supported by the modem. If the value is set lower than the maximum possible speed that the modem can reach on the telephone line, the telephone line will not be used to its full potential.

Handle modem transparently for dial-in (Yes/No): If the external modem is used for dial-in (see page 6-87), Yes only means that the FL MGUARD does not initialize the modem. The subsequently configured modem initialization sequence is not observed. Thus either a modem is connected which can answer calls itself (the default profile of the modem contains auto-answer), or a null modem cable to a computer can be used instead of the modem and PPP is used over this.

Network >> Interfaces >> Modem/Console (continued).

Modem init string: Specifies the initialization sequence that the FL MGUARD sends to the connected modem. Default: "" \d\dATH OK (the entry begins with two simple quotation marks placed directly after one another). Default: "" \d\dATH O
191. dure and flashing the firmware on page 7-1.

3.5 FL MGUARD BLADE. Figure 3-16: Operating elements and indicators on the FL MGUARD BLADE (Serial, WAN red, WAN green, LAN red, LAN green, Rescue button).

Table 3-7: FL MGUARD BLADE (LEDs, Color, Status, Meaning).
- WAN/LAN, flashing: Boot process. When the computer is started or restarted.
- WAN/LAN, flashing: System error. Restart the device: • Press the Rescue button for 1.5 seconds. If the error is still present, start the recovery procedure (see Performing a recovery procedure on page 7-2) or contact the Support team.
- WAN/LAN, ON or flashing: Ethernet status. Indicates the status of the LAN or WAN interface. As soon as the device is connected, a continuous light indicates that there is a connection to the network partner. When data packets are transmitted, the LED goes out briefly.
- WAN green/red, LAN green/red, various LED light codes: Recovery mode. After pressing the Rescue button. See Restart, the recovery procedure and flashing the firmware on page 7-1.

3.6 FL MGUARD DELTA. Figure 3-17: Operating elemen [figure residue: Innominate mGuard, Status, LAN SWITCH, Power, Status, Reserved, Ethernet WAN, Ethernet LAN]
192. e FL MGUARD SMART, FL MGUARD PCI, FL MGUARD BLADE, FL MGUARD DELTA. Figure 7-1: Rescue button.

7.1 Performing a restart. Aim: The device is restarted with the configured settings. Action: Press the Rescue button for around 1.5 seconds.
• FL MGUARD RS: Until the Error LED lights up.
• FL MGUARD SMART: Until the middle LED lights up red.
• FL MGUARD BLADE / FL MGUARD PCI: Until both red LEDs light up red.
• FL MGUARD DELTA: Until the status LED stops flashing.
Alternatively:
• Temporarily disconnect the power supply.
• FL MGUARD PCI: Restart the computer that contains the FL MGUARD PCI card.

7.2 Performing a recovery procedure. Aim: The network configuration should be reset to the settings default upon delivery, as it is no longer possible to access the FL MGUARD. All FL MGUARD models, excluding the FL MGUARD DELTA and FL MGUARD BLADE controller, are reset to stealth mode automatically with address 1.1.1.1. For these FL MGUARD models, the CIFS integrity monitoring function is also disabled, as this only works when the management IP is active. The FL MGUARD DELTA, FL MGUARD GT/GT and FL MGUARD BLADE controller are reset to router mode with address 192.168.1.1. MAU management remains switched on for Ethernet connections. HTTPS is enabled via the local Ethernet connection (LAN). The settings configured for VPN connections and the firewall
193. e CIDR (Classless Inter-Domain Routing) on page 6-215.

To IP: Specifies that only data packets that should be forwarded to the specified IP address may pass through. Entries correspond to From IP as described above. 0.0.0.0/0 stands for all addresses, i.e. in this case no filtering is applied according to the IP address of the sender.

Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type of Service, DSCP stands for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP phone will write something different in this field for outgoing data packets compared to an FTP program. When a value is selected here, then only data packets with this value in the TOS or DSCP field may pass through. When set to All, no filtering according to the TOS/DSCP value is applied.

Guaranteed: The number entered specifies how many data packets per second or kbps can pass through at all times, according to the option set under Measurement Unit (see above). This applies to the data stream that conforms to the rule set criteria specified on the left, i.e. that may pass through. The FL MGUARD may drop the excess number of data packets in the event of capacity bottlenecks if this data stream delivers more data packets per second than specified.

Upper Limit: The number entered specifies the maximum number of data packets per second or kbps that can pass through accor
194. e Firewall Redundancy function is not available in firmware Version 7.0. Administration using SNMP v1-v3 and Innominate Device Manager (IDM). PKI support for HTTPS/SSH remote access. Can act as an NTP and DNS server via the LAN interface. FL MGUARD RS, FL MGUARD GT/GT. FL MGUARD security appliance.
1.2 Device versions. The FL MGUARD is available in the following device versions, which largely have identical functions. All devices can be used regardless of the processor technology and operating system used by the connected computers. The FL MGUARD RS is available in five device versions: as a router (FL MGUARD RS B); as a security appliance (FL MGUARD RS); as a security appliance with VPN support (FL MGUARD RS VPN); as a security appliance with VPN support and integrated analog modem (FL MGUARD RS VPN ANALOG); as a security appliance with VPN support and integrated ISDN modem/ISDN terminal adapter (FL MGUARD RS VPN ISDN). The FL MGUARD GT/GT is available in two device versions: as a security appliance (FL MGUARD GT/GT); as a security appliance with VPN support (FL MGUARD GT/GT VPN). The devices support hybrid use as a router, firewall, VPN router, both via Ethernet and for serial dial-up connections (not FL MGUARD GT/GT). The devices are designed for DIN rail mounting according to DIN EN 60715 and
195. e SSH client shows a certificate signed by a CA. All CA certificates required by the FL MGUARD to form the chain to the relevant root CA certificate with the certificates shown by the SSH client must be configured. The selection list contains the CA certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item. X.509 subject: Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the SSH client. It is then possible to limit or enable access for SSH clients which the FL MGUARD would accept based on certificate checks: limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes; access enabled for all subjects (see glossary under Subject, certificate on page 8-6). The X.509 subject field must not be left empty. Management >> System Settings >> Shell Access (continued). Access enabled for all subjects (i.e. individuals): An asterisk (*) in the X.509 subject field can be used to specify that all subject entries in the certificate shown by the SSH client are permitted. It is then no longer necessary to identify or define the subject in the certificate. Limited access to certain subjects (i.e. individuals) or to subjects that have certain attributes: In the certificate, the certificate
196. e a user has logged into the FL MGUARD via HTTP. As long as authentication is required, all HTTP connections are redirected to the FL MGUARD. Changes to this option only take effect after the next restart. User Password: There is no default user password. To set one, enter the desired password in both entry fields. Configuration
6.5.2 Authentication >> Firewall Users. For example, to prevent private surfing on the Internet, every outgoing connection is blocked under Network Security >> Packet Filter >> Sets of Rules (VPN is not affected by this). Under Network Security >> User Firewall, different firewall rules can be defined for certain users (e.g. outgoing connections are permitted). This user firewall rule takes effect as soon as the relevant firewall user to whom this user firewall rule applies has logged in (see Network Security >> User Firewall on page 6-144).
6.5.2.1 Firewall Users. [Screenshot: Authentication >> Firewall Users >> Firewall Users; tabs Firewall Users, RADIUS Servers; Enable user firewall: No; Enable group authentication: No.] Authentication >> Firewall Users >> Firewall Users. Users: Lists the firewall users by their assigned user names. Also specifies the authentication method. Enable user firewall: Under the Network Security >> User Firewall menu item, firewall rules can be defined a
197. e from the currently installed version to the next major release available. Therefore execute the minor release update first and repeat this step until you receive the message that there is no newer minor release available. Then install the next major release. [Screenshot: Update Servers, https update.innominate.com.] NOTE: Do not interrupt the power supply to the FL MGUARD during the update process. The device could be damaged and may have to be reactivated by the manufacturer. Depending on the size of the update, the process may take several minutes. A message is displayed if a restart is required after completion of the update. With FL MGUARD firmware Version 5.0.0 or later, a license must be obtained for the relevant device before a major release upgrade (e.g. from Version 4.x.y to Version 5.x.y, or from Version 5.x.y to Version 6.x.y) can be installed. The license must be installed on the device before updating the firmware (see Management >> Licensing on page 6-29 and Install on page 6-29). Minor release upgrades (i.e. the same major version, e.g. within Version 5.x.y) can be installed without a license until further notice. The Firewall Redundancy function is not available in firmware Version 7.0. Devices with an installed license for firewall redundancy reject firmware updates to Version 7.0 if the Firewall Redundancy function is activated.
198. e increased. Outgoing: Default setting 5. Incoming: Default setting 3. Maximum values for the number of incoming and outgoing ping packets allowed per second. These are set to a level that can never be reached during normal practical operation. However, it can be easily reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can be increased. The value 0 means that no ping packets are allowed in or out. Network Security >> DoS Protection >> Flood Protection (continued). Stealth Mode: Maximum number of incoming/outgoing ARP requests or ARP replies per second (each). Default setting 500. Maximum values for the number of incoming and outgoing ARP requests allowed per second. These are set to a level that can never be reached during normal practical operation. However, it can be easily reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, these values can be increased.
6.6.3 Network Security >> User Firewall. The user firewall is used exclusively by firewall users, i.e. users that are registered as firewall users (see Authentication >> Firewall Users on
199. e negative if none of the ping tests it contains were successful. (Secondary external interface activated.) The number specified here also indicates how many consecutive test runs must be successful after the secondary external interface has been activated before this interface is deactivated again. DNS Mode: Only relevant if the secondary external interface is activated in temporary mode. The DNS mode selected here specifies which DNS server the FL MGUARD uses for temporary connections established via the secondary external interface: Use primary DNS settings (untouched); DNS Root Servers; Provider defined (via PPP dial-up); User defined (servers listed below). Use primary DNS settings (untouched): The DNS servers defined under Network >> DNS Server (see Network >> NAT on page 6-96) are used. DNS Root Servers: Requests are sent to the root name servers on the Internet, whose IP addresses are stored on the FL MGUARD. These addresses rarely change. Provider defined (via PPP dial-up): The domain name servers of the Internet service provider that provide access to the Internet are used. User defined (servers listed below): If this setting is selected, the FL MGUARD will connect to the domain name servers listed under User defined name servers. User defined name servers: The IP addresses of domain name servers can be entered in this list. The FL MGUARD uses this list for communication via the secondary external int
200. e next section. Built-in Modem can also be selected for the FL MGUARD RS (only available as an option for the FL MGUARD RS with built-in modem or ISDN terminal adapter). Configuration
6.4.1.2 Ethernet. [Screenshot: Network >> Interfaces >> Ethernet; tabs Ethernet, Modem, Console. ARP Timeout. MTU Settings: MTU of the internal interface, MTU of the internal interface for VLAN, MTU of the external interface, MTU of the external interface for VLAN, MTU of the Management Interface, MTU of the Management Interface for VLAN (1500). MAU Configuration: columns Media Type, Link State, Automatic Configuration, Manual Configuration, Current Mode; External 10/100/1000 BASE-T RJ45, up, Yes, 1000 Mbit/s FDX, Yes; Internal 10/100/1000 BASE-T RJ45, up, Yes, 1000 Mbit/s FDX, Yes.] Network >> Interfaces >> Ethernet. ARP Timeout: Service life in seconds of entries in the ARP table. MTU Settings, MTU of the interface: The maximum transfer unit (MTU) defines the maximum IP packet length that may be used for the relevant interface. For a VLAN interface: As VLAN packets contain 4 bytes more than those without VLAN, certain drivers may have problems processing larger packets. Such problems can be solved by reducing the MTU to 1496. Configuratio
201. e of the e-mail server via which the e-mail is sent. Subject prefix for e-mail notifications: Text entered in the subject field of the e-mail. Configuration. CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings (continued). Checking of Shares, Enabled: No: A check is not triggered for this network drive. The FL MGUARD has not connected this drive. The status cannot be viewed. Yes: A check is triggered regularly for this network drive. Suspended: The check has been suspended until further notice. The status can be viewed. Checked CIFS Share: Name of the network drive to be checked (specified under CIFS Integrity Monitoring >> Importable Shares >> Edit). Checksum Memory: In order to perform the check, the FL MGUARD must be provided with a network drive for storing the files. The checksum memory can be accessed via the external network interface. Click on Edit to make further settings for checking network drives. [Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Checking, Checked Share Settings: Enabled; Checked CIFS Share: pc x7 scan; Patterns for filenames: Windows executables; Time Schedule: Everyday; Maximum time a check may take.] Please note: No regular check will happen unless the system time of the mGuard has been set eith
202. e operation. Display / Meaning: Extracting/starting firmware (boot). The device is in normal operating mode and tries to obtain network parameters from a BootP/DHCP server using DHCP requests. Downloading firmware via TFTP. Loading firmware in the Flash memory that was loaded via the network. The recently loaded firmware was successfully saved in the Flash memory. New firmware was successfully saved in the Flash memory; a rollout script was downloaded via TFTP and executed. The device is in rescue mode and tries to obtain network parameters from a BootP/DHCP server using DHCP requests in order to request a firmware image. Initializing firmware. Firmware running in normal mode. Device rebooting. Recovery procedure is triggered according to the installed customized default profile. Customized default profile cannot be applied (e.g. it is not installed). Messages during operation with the memory module, Display / Meaning: S: Save configuration data on the MEM PLUG. EC: Equal configuration, the configurations on the MEM PLUG and the device are the same. Different configuration, the configurations on the MEM PLUG and the device are different. The MEM PLUG is empty. Not enough memory on the memory module to save the configuration. This MEM PLUG is not compatible with the device (e.g. a wireless ID plug or an MRP master). Messages in Smart mode, Display / Meaning: Smart mode, No changes
203. e row. Delete domain with all assignment pairs: Delete the corresponding table entry. Configuration. Example: Local Resolving of Hostnames. The Local Resolving of Hostnames function is used in the following scenario, for example: A plant operates a number of identically structured machines, each one as a cell. The local networks of cells A, B and C are each connected to the plant network via the Internet using FL MGUARD. Each cell contains multiple control elements, which can be addressed via their IP addresses. Different address areas are used for each cell. A service technician should be able to use his notebook on site to connect to the local network for machine A, B or C and to communicate with the individual control systems. So that the technician does not have to know and enter the IP address for every single control system in machine A, B or C, host names are assigned to the IP addresses of the control systems in accordance with a standardized diagram that the service technician uses. The hostnames used for machines A, B and C are identical, i.e. the control system for the packing machine in all three machines has the hostname "pack", for example. However, each machine is assigned an individual domain name, e.g. cell-a.example.com. Notebook of service technician: The service technician can connect his notebook to the local
204. e rules. From IP: Enter the address of the computer/network from which remote access is permitted or forbidden in this field. IP address 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see page 6-215). Interface: External, Internal, External 2, VPN, Dial-in. Specifies to which interface the rules should apply. If no rules are set or if no rule applies, the following default settings apply: Remote access is permitted via Internal, VPN and Dial-in. Access via External and External 2 is refused. Specify the access options according to your requirements. If you want to refuse access via Internal, VPN or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts. Comment: Freely selectable comment for this rule. Log: For each individual rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). FL MGUARD CIFS
205. ected individually and independently of one another. An additional serial interface enables remote configuration via a telephone dial-up connection or a terminal. Figure 1-4: FL MGUARD BLADEBASE with FL MGUARD BLADE. FL MGUARD security appliance. FL MGUARD DELTA: As a compact LAN switch (Ethernet/Fast Ethernet), the FL MGUARD DELTA is designed for the connection of up to 4 LAN segments. This device is therefore ideal for use in logically segmented network environments where the locally connected computers/networks share the FL MGUARD functions. An additional serial interface enables configuration via a telephone dial-up connection or a terminal. With its rugged metal housing, the FL MGUARD DELTA is suitable for installation in distribution compartments as well as for use as a desktop device. Figure 1-5: FL MGUARD DELTA.
2 Typical application scenarios. This section describes various application scenarios for the FL MGUARD: Stealth mode; Network router; DMZ; VPN gateway; WLAN via VPN; Resolving network conflicts.
2.1 Stealth mode. In stealth mode (default setting), the FL MGUARD can be po
206. ecting the FL MGUARD DELTA on page 4-20. Installing the FL MGUARD PCI on page 4-21. Local configuration on startup on page 5-3. Startup
4.2 Checking the scope of supply. Before startup, check the scope of supply to ensure nothing is missing. The scope of supply includes: the FL MGUARD RS / FL MGUARD BLADE / FL MGUARD DELTA / FL MGUARD PCI / FL MGUARD SMART / FL MGUARD GT/GT; package slip. The FL MGUARD RS also includes: terminal block for the power supply connection (inserted); terminal block for the signal contact, button and optional ISDN or telephone connection. The FL MGUARD GT/GT also includes: terminal block for the power supply connection (inserted); terminal block for the signal contact, button. The FL MGUARD BLADEPACK also includes: 19" FL MGUARD BLADEBASE; one FL MGUARD BLADE as the controller; two power supply units; two mains cables; 12 place holders; 12 labeling plates (M1 to M12); screws for mounting the FL MGUARD BLADEBASE. The FL MGUARD DELTA also includes: one 5 V DC power supply unit; two UTP Ethernet cables. FL MGUARD
4.3 Installing the FL MGUARD RS. WARNING: The housing must not be opened. WARNING: The shielding ground of the connected twisted pair cables is electrically conne
207. ed. Protocol: All means TCP, UDP, ICMP and other IP protocols. From Port / To Port: Only evaluated for TCP and UDP protocols. "any" refers to any port; "startport:endport" (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110). To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215). Comment: Freely selectable comment for this rule. Log: For each firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). Configuration
6.7 CIFS Integrity Monitoring menu. This menu is not available on the FL MGUARD BLADE controller. In stealth network mode, CIFS integrity checking is not possible without a management IP address, and the CIFS server for the anti-virus scan is not supported. There are two options for checking network drives for viruses using CIFS integrity monitoring: CIFS integrity checking; CIFS anti-virus scan connector. CIFS integrity checking: When CIFS integrity checking is performed, the Windows network drives are checked to determine whether certain files (e.g. *.exe, *.dll) have been changed. Changes to these files ind
208. ed in the Hostname/IP Address field. If the points on the route are to be output with IP addresses and not host names (if applicable), activate the "Do not resolve IP addresses to hostnames" checkbox. Then click on Trace. A corresponding message is then displayed. Configuration
6.12.1.3 DNS Lookup. [Screenshot: Support >> Tools >> DNS Lookup: Hostname.] Support >> Tools >> Traceroute. Objective: To determine which host name belongs to a specific IP address or which IP address belongs to a specific host name. Procedure: Enter the IP address or hostname in the Hostname field. Click on Lookup. The response, which is determined by the FL MGUARD according to the DNS configuration, is then returned.
6.12.1.4 IKE Ping. [Screenshot: Support >> Tools >> IKE Ping: Hostname/IP Address.] Support >> Tools >> IKE Ping. Objective: To determine whether the VPN software for a VPN gateway is able to establish a VPN connection, or whether a firewall prevents this, for example. Procedure: Enter the name or IP address of the VPN gateway in the Hostname/IP Address field. Click on Ping. A corresponding message is then displayed. FL MGUARD
6.12.2 Support >> Advanced. 6.12
209. ed pair cable with a conductor cross section of 0.14 mm² to 0.22 mm², 100 Ohm, 10/100 Mbps, auto negotiation, 100 m. https://1.1.1.1. 6-pos. RJ-11 female connector on the device, 30 m. Bits per second: 57600; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None. Pin 1: GND; Pin 2: RxD; Pin 3: CTS; Pin 4: TxD; Pin 5: RTS; Pin 6: n.c. Mechanical tests: Shock test according to IEC 60068-2-27: operation 25g, 11 ms period, half-sine shock pulse; storage/transport 50g, 11 ms period, half-sine shock pulse. Vibration resistance according to IEC 60068-2-6: operation/storage/transport 5g, 10-150 Hz, Criterion 3. Free fall according to IEC 60068-2-32: 1 m. Approvals: FCC CFR 47 Part 15 (2005-4); ETS 300 328. Conformance with EMC Directives: Noise emission according to EN 55022 (Class A); Radio interference field strengths according to EN 55022 (Class B); Electrostatic discharge (ESD) according to EN 61000-4-2; Electromagnetic fields according to IEC 61000-4-3; Conducted interference according to IEC 61000-4-6; Fast transients (burst) according to IEC 61000-4-4; Surge voltages according to IEC 61000-4-5 (Class A).
9.2 General data: Function; Firewall principle; SNMP; Housing dimensions (width x height x depth in mm); Permissible operating temperature; Permissible storage temperature; Degree of protection; Protection class; Humidity (operation). Technical data
210. ed via the WAN port (Ethernet interface) but via the serial interface. Secondary External Interface: As a secondary external interface, if Secondary External Interface is activated and Modem is selected under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 6-55 and General on page 6-56). In this case, data traffic is processed permanently or temporarily via the serial interface. For dialing in to the LAN or for configuration purposes: Used for dialing in to the LAN or for configuration purposes (see also Dial-in on page 6-87). The following options are available: A modem is connected to the serial interface of the FL MGUARD. This modem is connected to the telephone network (fixed line or GSM network). The connection to the telephone network is established via the terminal strip on the bottom of the device for the FL MGUARD RS with built-in modem or ISDN terminal adapter. This enables a remote PC that is also connected to the telephone network to establish a PPP (Point-to-Point Protocol) dial-up connection to the FL MGUARD via a modem or ISDN adapter. This method is referred to as a PPP dial-in option. It can be used to access the LAN behind the FL MGUARD or to configure the FL MGUARD. Dial-in is the interface definition used for this connection type in firewall selection lists. In order to access the LAN with a Windows computer using the dial-up connection, a network connection must be set up on this compu
211. egrity check of network drives are displayed in this log. In addition, messages that occur when connecting the network drives and are required for the integrity check are also visible. DHCP Server/Relay: Messages from services defined under Network >> DHCP. SNMP/LLDP: Messages from services defined under Management >> SNMP. IPsec VPN: Lists all VPN events. The format corresponds to standard Linux format. It offers special evaluation programs that present information from the logged data in a more readable format. FL MGUARD
6.12 Support menu. 6.12.1 Support >> Tools. 6.12.1.1 Ping Check. [Screenshot: Support >> Tools >> Ping Check: Hostname/IP Address.] Support >> Tools >> Ping Check. Objective: To check that the remote peer can be accessed via a network. Procedure: Enter the IP address or host name of the remote peer in the Hostname/IP Address field. Then click on Ping. A corresponding message is then displayed.
6.12.1.2 Traceroute. [Screenshot: Support >> Tools >> Traceroute: "Do not resolve IP addresses to hostnames" checkbox.] Support >> Tools >> Traceroute. Objective: To determine which intermediate points or routers are located on the connection path to a remote peer. Procedure: Enter the IP address or hostname of the remote peer whose route is to be determin
212. en a licensed anti-virus system is active. SNMP traps are only sent if SNMP access is enabled. In certain cases the FL MGUARD can send SNMP traps. Traps correspond to SNMP v1. The trap information for each setting is listed below. A more detailed description can be found in the MIB that belongs to the FL MGUARD. If SNMP traps are sent to the remote peer via a VPN channel, the IP address of the remote peer must be located in the network that is specified as the Remote network in the definition of the VPN connection. The internal IP address (in stealth mode: Stealth Management IP Address or Virtual IP) must be located in the network that is specified as Local in the definition of the VPN connection (see Defining a VPN connection / VPN connection channels on page 6-171). If the "Enable 1-to-1 NAT of the local network to an internal network" option is set to Yes (see 1:1 NAT on page 6-178), the following applies: The internal IP address (in stealth mode: Stealth Management IP Address or Virtual IP) must be located in the network that is specified as the Internal network address for local 1-to-1 NAT. If the "Enable 1-to-1 NAT of the remote network to another network" option is set to Yes (see 1:1 NAT on page 6-178), the following applies: The IP address of the trap receiver must be located in the network that is specified as Remote in the definition of the VPN connection. Management >> SNMP >> Tr
213. en of proof to the detriment of the user. UM EN FL MGUARD. Internet / Subsidiaries. Published by PHOENIX CONTACT. Statement of legal authority: This manual, including all illustrations contained herein, is copyright protected. Use of this manual by any third party is forbidden. Reproduction, translation and public disclosure, as well as electronic and photographic archiving or alteration, requires the express written consent of Phoenix Contact. Violators are liable for damages. Phoenix Contact reserves all rights in the case of patent award or listing of a registered design, in as far as this concerns software of Phoenix Contact that meets the criteria of technicity or has technical relevance. Third-party products are always named without reference to patent rights. The existence of such rights shall not be excluded. Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP and Windows Vista are trademarks of the Microsoft Corporation. All other product names used are trademarks of the respective organizations. How to contact us: Up-to-date information on Phoenix Contact products and our Terms and Conditions can be found on the Internet at www.phoenixcontact.com. Make sure you always use the latest documentation. It can be downloaded at www.phoenixcontact.net/catalog. If there are any problems that ca
214. ends details of the IP address used by the computer to the Dynamic DNS provider. The domain name server registers the current assignment of host name to IP address and also informs the other domain name servers on the Internet accordingly. If a remote computer now wishes to establish a connection to a computer that is registered with the DynDNS provider, then the remote computer can use the hostname of the computer as its address. This will establish a connection to the responsible DNS in order to look up the IP address that is currently registered for this host name. The corresponding IP address is sent back from the DNS to the remote computer, which can then use this as the destination address. This now leads directly to the desired computer. In principle, all Internet addresses are based on this procedure: First, a connection to a DNS is established in order to determine the IP address assigned to the hostname. Once this has been accomplished, the established IP address is used to set up a connection to the required remote peer, which could be any site on the Internet. IP address: Every host or router on the Internet/Intranet has its own IP address (IP = Internet Protocol). An IP address is 32 bits (4 bytes) long and is written as four numbers, each between 0 and 255, which are separated by a dot. An IP address consists of two parts: the network address and the host address. Network address / Host address: All network hosts have the sa
215. ense must be obtained to use this update. This applies to major release upgrades, e.g. from Version 4.x.y to Version 5.x.y to Version 6.x.y, etc. DHCP and TFTP servers can be accessed under the same IP address. FL MGUARD PCI: If the FL MGUARD is operated in Power-over-PCI mode, the DHCP/TFTP server must be connected via the LAN female connector of the FL MGUARD. If the FL MGUARD is operated in PCI driver mode, the DHCP/TFTP server must be operated on the computer or operating system that the interface provides for the FL MGUARD. FL MGUARD. Procedure: Press and hold down the Rescue button until the device enters recovery status. For more detailed instructions for performing the rescue procedure on the FL MGUARD GT/GT, please refer to Section "Using Smart mode" on page 3-6. The FL MGUARD is restarted after around 1.5 seconds; after a further 1.5 seconds, the FL MGUARD enters recovery status. The reaction of the device depends on its type: FL MGUARD RS: The State, LAN and WAN LEDs light up green. FL MGUARD SMART: The LEDs light up green. FL MGUARD BLADE: The green LEDs and red LAN LED light up. FL MGUARD PCI, FL MGUARD DELTA: The status LED fades slowly. Release the Rescue button within a second of entering recovery status. If the Rescue button is not released, the FL MGUARD is restarted. The FL MGUARD now starts
216. ently set and the mode that is entered when exiting Smart mode. Calling Smart mode: Disconnect the device from the power supply, if necessary. As soon as the supply voltage is switched on, hold down the mode button for more than ten seconds. The three mode LEDs flash briefly three times and indicate that Smart mode is active. When Smart mode is started, the device is initially in the "Exit without changes" state (51 in the display). Selecting the desired setting: To select the different settings, press the mode button briefly and select the desired operating mode using a binary light pattern of the mode LEDs and a code on the 7-segment display. Exiting Smart mode and activating the selection: To exit, press and hold down the mode button for at least five seconds. The previously selected function is executed. Possible functions in Smart mode: The device supports the selection of the following functions in Smart mode (see also example below). Table 3-2: Functions in Smart mode (7-segment display; ACT LED 1; SPD LED 2; FD LED 3): Exit Smart mode without changes: 51; OFF; OFF; ON. Activate the recovery procedure: 55; ON; OFF; ON. Activate the flash procedure: 56; ON; ON; OFF. Apply customized default profile: 5; ON; ON; ON. Operating elements and indicators
3.2.3 Messages in the 7-segment display. During error-fre
217. er mGuardTResVPNStatus, mGuardTResVPNLocal, mGuardTResVPNRemote. This trap is sent when the status of an L2TP connection changes. Traps can be sent to multiple destinations. Destination IP: IP address to which the trap should be sent. Destination Port: Default 162. Destination port to which the trap should be sent. Destination Name: Optional name for the destination. Does not affect the generated traps. Destination Community: Name of the SNMP community to which the trap is assigned. FL MGUARD
6.2.6.3 LLDP. [Screenshot: Management >> SNMP >> LLDP; Mode: Enabled; tables for the Internal (LAN) interface and External (WAN) interface listing Chassis ID (MAC address), IP address, Port description and System name of the discovered neighbours; Update button.] LLDP (Link Layer Discovery Protocol, IEEE 802.1AB-D13) uses suitable request methods to automatically determine the Ethernet network infrastructure. LLDP-capable devices periodically send Ethernet multicasts (layer 2). Tables of systems connected to the network
218. er authorization level.
Authentication >> Local Users >> Passwords
To log into the corresponding authorization level, the user must enter the password assigned to the relevant authorization level (root, admin, or user).
Root Password (account: root): Grants full rights to all parameters of the FL MGUARD. Background: Only this authorization level allows unlimited access to the FL MGUARD file system. User name (cannot be modified): root. Default root password: root.
• To change the root password, enter the old password in the Old Password field, then the new password in the two corresponding fields below.
Administrator Password (account: admin): Grants the rights required for the configuration options accessed via the web-based administrator interface. User name (cannot be modified): admin. Default password: mGuard.
Authentication >> Local Users >> Passwords (continued)
Disable VPN until the user is authenticated via HTTP: If a user password has been specified and activated, the user must always enter this password after an FL MGUARD restart in order to enable FL MGUARD VPN connections when attempting to access any HTTP URL. To use this option, specify the new user password in the corresponding entry field. This option is set to No by default. If set to Yes, VPN connections can only be used onc
219. er limit. This is set to a level that can never be reached during normal practical operation. However, it can be easily reached in the event of attacks, thus providing additional protection. If there are special requirements in your operating environment, this value can be increased.
Allow TCP connections upon SYN only (Yes/No): SYN is a special data packet used in TCP/IP connection establishment that marks the beginning of the connection establishment process. No (default): The FL MGUARD also allows connections where the beginning is not specified. This means that the FL MGUARD can perform a restart when a connection is present without interrupting the connection. Yes: The FL MGUARD must register the SYN packet of an existing connection. Otherwise the connection is aborted. If the FL MGUARD performs a restart while a connection is present, this connection is disconnected. Attacks on and the hijacking of existing connections are thus prevented.
Timeout for established TCP connections: If a TCP connection is not used during the time period specified here, the connection data is deleted. A connection assigned by NAT (not 1:1 NAT) must then be reestablished. The default setting is 432000 seconds (5 days).
FTP (Yes/No): If an outgoing connection is established to call data for the FTP protocol, two methods of data transmission can be used. With active FTP, the called server establishes an additional (counter) connection to the caller in ord
220. er manually or with the help of NTP.
[Screenshot: Checksum Memory. Checksum Algorithm: SHA-1; To be stored on CIFS share: pc x7 scan; Basename of the checksum files: integrity check (may be prefixed with a directory)]
CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit
Settings
Enabled: No: A check is not triggered for this network drive. The FL MGUARD has not connected this drive. The status cannot be viewed. Yes: A check is triggered regularly for this network drive. Suspended: The check has been suspended until further notice. The status can be viewed.
Checked CIFS Share: Name of the network drive to be checked (specified under CIFS Integrity Monitoring >> Importable Shares >> Edit).
CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit (continued)
Checksum Memory
Patterns for filenames: Specific file types are checked, e.g. only executable files such as .exe and .dll. The rules can be defined under CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns. Do not check files that are changed in normal operation, as this could trigger false alarms. Do not check files that are simultaneously opened exclusively by other programs, as this can lead to access conflicts.
Time Schedule: Every day
221. er to transmit data over this connection. With passive FTP, the client establishes this additional connection to the server for data transmission. FTP must be set to Yes (default) so that additional connections can pass through the firewall.
IRC (Yes/No): Similar to FTP. For IRC chat over the Internet to work properly, incoming connections must be allowed following active connection establishment. IRC must be set to Yes (default) so these connections can pass through the firewall.
PPTP (Yes/No, default: No): Must be set to Yes if VPN connections are established using PPTP from local computers to external computers without the assistance of the FL MGUARD.
Configuration
Network Security >> Packet Filter >> Advanced (continued)
H.323 (Yes/No, default: No): Protocol used to establish communication sessions between two or more participants. Used for audio-visual transmission. This protocol is older than SIP.
SIP (Yes/No, default: No): SIP (Session Initiation Protocol) is used to establish communication sessions between two or more participants. Often used in IP telephony. When set to Yes, it is possible for the FL MGUARD to track the SIP and add any necessary firewall rules dynamically if further communication channels are established in the same session. When NAT is also activated, one or more locally connected computers can
222. erface, as long as the interface is activated (temporarily) and User defined is specified under DNS Mode (see above) in this case.
Network Mode: Router
Default setting for FL MGUARD DELTA, FL MGUARD GT/GT, and FL MGUARD BLADE controller.
[Screenshot: Network >> Interfaces >> General (Router network mode)]
Network Status: External IP address 10.14.66.17 (Active); Default route 10.1.0.254; Used DNS servers: (illegible)
Network Mode: Router; Router Mode: static
External Networks: External IPs (IP, Netmask, Use VLAN, VLAN ID), shown when Router is selected as the network mode and static is selected as the router mode (see page 6-74); Additional External Routes (Network, Gateway)
Internal Networks: Internal IPs (trusted port): IP 192.168.66.17, Netmask 255.255.255.0, Use VLAN: no; Additional Internal Routes (Network, Gateway)
Secondary External Interface
Network >> Interfaces >> General (Router network mode)
Internal Networks / Internal IPs (trusted port): The internal IP is the IP address via which the FL MGUARD can be accessed by devices in the locally connected network. The default settings in Router/PPPoE/PPTP/Modem mode are as follows: IP address 192.168.1.1, Netmask 255.255.255.0. You can also specify other addresses via which the FL MGUARD can be accessed by devices in the locally connected network. For
223. ernal Modem, the PPP dial-in option is available. An external modem must then be connected to the serial interface. The connection settings for the connected external modem should be made on the Modem/Console tab page.
If this option is set to Built-in Modem, the PPP dial-in option is available. In this case the modem connection is not established via the serial female connector on the front. Instead, it is established via the terminal strip on the bottom, where the built-in modem or ISDN terminal adapter is connected to the telephone network. The connection settings for the built-in modem should be made on the Modem/Console tab page. If the Built-in Modem option is used, the serial interface can also be used. For the options for using the serial interface, see Modem/Console on page 6-90.
Local IP: IP address of the FL MGUARD via which it can be accessed for a PPP connection.
Remote IP: IP address of the remote peer of the PPP connection.
PPP Login name: Login name that must be specified by the remote peer in order to access the FL MGUARD via a PPP connection.
PPP Password: The password that must be specified by the remote peer in order to access the FL MGUARD via a PPP connection.
Incoming Rules (PPP): Firewall rules for PPP connections to the LAN interface. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules c
224. es. Internal access is also possible when this option is set to No. A firewall rule that would refuse internal access does therefore not apply in this case.
The following options are available:
From IP: Enter the address of the computer or network from which remote access is permitted or forbidden in this field. IP address 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
Management >> Web Settings >> Access (continued)
[Rules table columns: Interface, Action, Comment, Log]
Interface (External / Internal / External 2 / VPN / Dial-in): Specifies to which interface the rules should apply. If no rules are set or if no rule applies, the following default settings apply: HTTPS access is permitted via Internal, VPN, and Dial-in. Access via External and External 2 is refused. Specify the access options according to your requirements. If you want to refuse access via Internal, VPN, or Dial-in, you must implement this explicitly by means of corresponding firewall rules, for example by specifying Drop as an action. To prevent your own access being blocked, you may have to simultaneously permit access via another interface explicitly with Accept before the new setting takes effect by clicking on the Apply button. Otherwise, if your access is blocked, you must carr
225. et PSK
[Screenshot: Pre-Shared Secret Key (PSK): complicated_like_SDy0qoD_and_long; VPN Identifier: Local]
Pre-Shared Secret Key (PSK): This method is mainly supported by older IPsec implementations. In this case both sides of the VPN authenticate themselves using the same PSK. To make the agreed key available to the FL MGUARD, proceed as follows: Enter the agreed string in the Pre-Shared Secret Key (PSK) entry field. To achieve security comparable to that of 3DES, the string should consist of around 30 randomly selected characters and should include upper and lower case characters and digits.
Pre-Shared Secret Key cannot be used with dynamic IP addresses. Only fixed IP addresses or host names on both sides are supported. However, changing IP addresses (DynDNS) can be hidden behind the host name. Pre-Shared Secret Key cannot be used if at least one or both of the communication partners is located after a NAT gateway.
VPN Identifier: VPN gateways use the VPN identifier to determine which configurations belong to the same VPN connection. The following entries are valid for PSK: Empty (IP address used as default); an IP address; a hostname with @ prefix, e.g. @vpn1138.example.com; an e-mail address, e.g. piepiorra@example.com.
6.8.3.3 Firewall
[Screenshot: IPsec VPN >> Connections, connection "Berlin London", tabs Authentication / Firewall; Incoming, Log ID fw vpn in N
226. etwork >> Interfaces >> Dial-in
PPP dial-in options (FL MGUARD RS, FL MGUARD BLADE, and FL MGUARD DELTA only): Should only be configured if the FL MGUARD should permit PPP dial-in via a modem connected to the serial interface, or via a built-in modem (available as an option for the FL MGUARD RS). PPP dial-in can be used to access the LAN or the FL MGUARD for configuration purposes (see Modem/Console on page 6-90). If the modem is used for dialing out, by acting as the primary external interface (modem network mode of the FL MGUARD) or as its secondary external interface (when activated in stealth or router network mode), it is not available for the PPP dial-in option.
Modem/PPP (FL MGUARD RS without built-in modem/ISDN TA, FL MGUARD BLADE, and FL MGUARD DELTA only) Off / On: This option must be set to Off if no serial interface should be used for the PPP dial-in option. If this option is set to On, the PPP dial-in option is available. The connection settings for the connected external modem should be made on the Modem/Console tab page.
Network >> Interfaces >> Dial-in (continued)
Modem/PPP (FL MGUARD RS with built-in modem/ISDN TA only) Off / Built-in Modem / External Modem: This option must be set to Off if no serial interface should be used for the PPP dial-in option. If this option is set to Ext
227. eues (see above), the priority with which it is transmitted and to which queue it is assigned. Rules can be defined separately for all interfaces and for VPN connections.
6.9.4.1 Internal / External / External 2 / Dial-in
Internal: Setting for egress queue rules.
[Screenshot: QoS >> Egress Rules >> Internal. Default Queue: Default. Rules: 0.0.0.0/0 any → 0.0.0.0/0 any, TOS Minimize Delay, Unchanged, Urgent; TOS Maximize Reliability, Unchanged, Important; TOS Minimize Cost, Unchanged, Low Priority]
[Screenshot: QoS >> Egress Rules >> External. Default Queue: Default. Rules: 1 All 0.0.0.0/0 any 0.0.0.0/0 any TOS Minimize Delay Unchanged Urgent; 2 All 0.0.0.0/0 any 0.0.0.0/0 any TOS Maximize Reliability Unchanged Important; 3 All 0.0.0.0/0 any 0.0.0.0/0 any TOS Minimize Cost Unchanged Low Priority]
External 2: Setting for egress queue rules.
[Screenshot: QoS >> Egress Rules >> External 2, same layout as above; remaining text illegible]
Dial-in: Setting for egress queue rules.
[Screenshot: QoS >> Egress Rules >> Dial-in. Default Queue: Default. Rules: 1 All 0.0.0.0/0
228. example, this can be useful if the locally connected network is divided into subnetworks. Multiple devices in different subnetworks can then access the FL MGUARD via different addresses.
IP: IP address with which the FL MGUARD can be accessed via its LAN port.
Netmask: The subnet mask of the network connected to the LAN port.
Use VLAN: If the IP address should be within a VLAN, set this option to Yes.
Configuration
Network >> Interfaces >> General (Router network mode, continued)
VLAN ID: A VLAN ID between 1 and 4095. For an explanation of the term VLAN, please refer to the glossary on page 8-8. If you want to delete entries from the list, please note that the first entry cannot be deleted.
Additional Internal Routes: Additional routes can be defined if further subnetworks are connected to the locally connected network.
Network: Specify the network in CIDR format. See CIDR (Classless Inter-Domain Routing) on page 6-215.
Gateway: The gateway via which this network can be accessed. See also Network example diagram on page 6-216.
Secondary External Interface: See Secondary External Interface on page 6-66.
Router network mode / static router mode
[Screenshot: Network >> Interfaces, tabs General, Dial-in, Modem Cons
229. [Table row residue: extern, http, 127.0.0.1, http, No]
Network >> NAT >> Port Forwarding
Port Forwarding: Lists the rules defined for port forwarding (DNAT, Destination NAT). Port forwarding includes the following: The header of incoming data packets from the network which are addressed to the external IP address (or one of the external IP addresses) of the FL MGUARD and to a specific port of the FL MGUARD are rewritten in order to forward them to a specific computer in the internal network and to a specific port on this computer, i.e. the IP address and port number in the header of incoming data packets are changed. This method is also referred to as Destination NAT. Port forwarding cannot be used for connections initiated via the External 2 interface (1). (1) External 2 is only for devices with a serial interface. The rules defined here have priority over the settings made under Network Security >> Packet Filter >> Incoming Rules.
Protocol (TCP / UDP): Specify the protocol to which the rule should apply.
From IP: The sender address for forwarding. 0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
From Port: The sender port for forwarding. any refers to any port. Either the port number or the corresponding service name can be specified here, e.g. pop3 for port 110 or http for port 80.
Incoming on IP: Specify the external IP address or one of the exter
230. f tests and their frequency should be kept within reasonable limits. You should also avoid activating the secondary external interface too early. The timeout time for the individual ping requests is 4 seconds. This means that after a ping test is started, the next ping test starts after 4 seconds if the previous one was unsuccessful. To take these considerations into account, make the following settings:
The ping tests defined above under Probes for Activation are performed one after the other. When the ping tests defined are performed once in sequence, this is known as a test run. Test runs are performed continuously at intervals. The interval entered in this field specifies how long the FL MGUARD waits after starting a test run before it starts the next test run. The test runs are not necessarily completed: as soon as one ping test in a test run is successful, the subsequent ping tests in this test run are omitted. If a test run takes longer than the interval specified, then the subsequent test run is started directly after it.
Configuration
Network >> Interfaces >> General (continued)
Secondary External Interface (continued)
Number of times all probes need to fail during subsequent runs before th: Specifies how many sequentially performed test runs must return a negative result before the FL MGUARD activates the secondary external interface. The result of a test run is
231. f VLANs have been set up. As the list of filter rules must be applied to each individual data packet, it should be kept as short as possible. Otherwise the time spent on filtering could be longer than the time actually saved by setting the filter. Please note that not all specified filter criteria should be combined. For example, it does not make sense to specify an additional IP protocol in the same rule set as the ARP Ethernet protocol. This also applies to the entry of a sender or recipient IP address under the hexadecimal IPX Ethernet protocol.
6.9.1.1 Internal / External
[Screenshot: QoS >> Ingress Filters >> Internal. Enabling; Filters: 0.0.0.0/0, 0.0.0.0/0, All, 100, unlimited]
Internal: Setting for the ingress filter at the LAN interface.
[Screenshot: QoS >> Ingress Filters >> External. Enabling: Enable Ingress QoS: No; Measurement Unit; Filters: 0.0.0.0/0, 0.0.0.0/0, All, 100, unlimited]
External: Setting for the ingress filter at the WAN interface.
QoS >> Ingress Filters >> Internal / External
Enabling / Enable Ingress QoS: No (default): This feature is disabled. If filter rules are defined, they are ignored. Yes: This feature is enabled. Data packets may only pass through and be forwarded to the FL MGUARD for further evaluation and processing if they comply with the filter rules defined below. Filters can be set f
232. f the art, technical inaccuracies and/or printing errors in the information cannot be ruled out. Phoenix Contact does not offer any guarantees as to the reliability, accuracy, or completeness of the information. All information made available in the technical data is supplied without any accompanying guarantee, whether expressly mentioned, implied, or tacitly assumed. This information does not include any guarantees regarding quality, does not describe any fair marketable quality, and does not make any claims as to quality guarantees or guarantees regarding the suitability for a special purpose. Phoenix Contact accepts no liability or responsibility for errors or omissions in the content of the technical documentation (in particular data sheets, installation instructions, manuals, etc.). The aforementioned limitations of liability and exemptions from liability do not apply in so far as liability must be assumed, e.g. according to product liability law, in cases of premeditation, gross negligence, on account of loss of life, physical injury or damage to health, or on account of the violation of important contractual obligations. Claims for damages for the violation of important contractual obligations are, however, limited to contract-typical, predictable damages, provided there is no premeditation or gross negligence, or that liability is assumed on account of loss of life, physical injury or damage to health. This ruling does not imply a change in the burd
233. ficates
Trusted Remote Certificates / Importing a new certificate: Displays the current imported remote certificates. Requirement: The file (file name extension .cer, .pem, or .crt) is saved on the connected computer. Proceed as follows:
• Click on Browse to select the file.
• Click on Import. Once imported, the loaded certificate appears under Certificate.
• Remember to save the imported certificate along with the other entries by clicking on the Apply button.
Shortname: When importing a remote certificate, the CN attribute from the certificate subject field is suggested as the short name here, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen.
• A name must be assigned, whether it is the suggested one or another. Names must be unique and must not be assigned more than once.
Use of the short name: During the configuration of SSH (Management >> System Settings, Shell Access menu) and HTTPS (Management >> Web Settings, Access menu), the certificates imported on the FL MGUARD are provided in a selection list. The certificates are displayed under the short name specified for each individual certificate on this page. Name assignment is not mandatory.
Creating a certificate copy: A copy can be created from
234. fter every restart.
After a restart: For an active VPN connection, the gateway of the remote peer is specified as the host name. After a restart, the FL MGUARD must request the IP address that corresponds to the host name from a DNS server.
Often: VPN connections are set up and DPD messages are sent regularly (see Dead Peer Detection on page 6-191).
Often: The FL MGUARD is configured to send its external IP address regularly to a DNS service (e.g. DynDNS) so that it can still be accessed via its host name.
Often: The IP addresses of remote peer VPN gateways must be requested from the DynDNS service, or they must be kept up to date by new queries.
Sporadically: The FL MGUARD is configured so that SNMP traps are sent to the remote server.
Sporadically: The FL MGUARD is configured to permit and accept remote access via HTTPS, SSH, or SNMP. The FL MGUARD then sends reply packets to every IP address from which an access attempt is made (if the firewall rules permit this access).
Often: The FL MGUARD is configured to connect to an HTTPS server at regular intervals in order to download any configuration profiles available there (see Management >> Central Management on page 6-47).
When No is selected, the FL MGUARD establishes a telephone connection using the connected modem as soon as possible after a restart or activation of modem network mode. This remains permanently in place, regardless of whether or not data is transmit
235. ge 6-215).
Assign the traffic from this source to the queue selected under Queue Name in this row.
Port used at the source from which data originates (only evaluated for TCP and UDP protocols). any refers to any port. startport:endport (e.g. 110:120) refers to a port area. Individual ports can be specified using the port number or the corresponding service name, e.g. 110 for pop3 or pop3 for 110.
IP address of the network or device to which the data is sent. Entries correspond to From IP as described above.
Port used at the source where the data is sent. Entries correspond to From Port as described above.
Configuration
QoS >> Egress Rules >> Internal / External / External 2 / Dial-in; QoS >> Egress Rules VPN >> VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in (continued)
Current TOS/DSCP: Each data packet contains a TOS or DSCP field. TOS stands for Type of Service; DSCP stands for Differentiated Services Code Point. The traffic type to which the data packet belongs is specified here. For example, an IP phone will write something different in this field for outgoing data packets compared to an FTP program that uploads data packets to a server. When you select a value here, only the data packets that have this TOS or DSCP value in the corresponding fields are chosen. These values are then set to a different value according
236. ge source that supplies the FL MGUARD GT/GT VPN. To enable a VPN enable button/switch connected externally to the device to establish/release a VPN tunnel, this switch/button should be connected to MC1 and GND.
[Figure 4-10: Simple connection of the supply voltage/signal contact with VPN enable button. Terminals shown: US1, MC1, GND, R1, R2; 24 V DC supply; VPN enable button/switch]
4.4.2.4 Redundant connection of the supply voltage/signal contact with VPN enable button
NOTE: Risk of material damage. Only use power supplies that are suitable for parallel operation. Always supply the VPN enable contact from the voltage source that supplies the FL MGUARD GT/GT VPN.
To enable a VPN enable button/switch connected externally to the device to establish/release a VPN tunnel, this switch/button should be connected to MC1 and GND.
[Figure 4-11: Redundant connection of the supply voltage/signal contact with VPN enable button. Terminals shown: US1, MC1, GND, R1, R2; VPN enable button/switch]
4.4.3 Connecting to the network
WARNING: Only connect the FL MGUARD network ports to LAN installations. When connecting to the network, use cables with bend protection on the connectors. Some telecommunications connections also use RJ-45 female connectors; these must not be
237. gement >> Update on page 6-32).
• Then restart the inetd process to apply the configuration changes.
• If a different mechanism should be used (e.g. xinetd), please consult the relevant documentation.
8 Glossary
Asymmetrical encryption: In asymmetrical encryption, data is encrypted with one key and decrypted with a second key. Both keys are suitable for encryption and decryption. One of the keys is kept secret by its owner (private key), while the other is made available to the public (public key), i.e. to potential communication partners. A message encrypted with the public key can only be decrypted and read by the owner of the associated private key. A message encrypted with the private key can be decrypted by any recipient in possession of the associated public key. Encryption using the private key shows that the message actually originated from the owner of the associated public key. Therefore the expression "digital signature" is also often used. However, asymmetrical encryption methods such as RSA are both slow and susceptible to certain types of attack. As a result, they are often combined with some form of symmetrical encryption (> Symmetrical encryption on page 8-6). On the other hand
238. ght RJ-45 network connections, CAT6
Patch cable CAT6, pre-assembled, 0.3 m long
Patch cable CAT6, pre-assembled, 0.5 m long
Ordering data
Order designation            Order No.
FL MGUARD RS B               2989899
FL MGUARD RS                 2989310
FL MGUARD RS VPN             2989611
FL MGUARD RS VPN ANALOG      2989718
FL MGUARD RS VPN ISDN        2989815
FL MGUARD PCI 266            2989019
FL MGUARD PCI 266 VPN        2989514
FL MGUARD PCI 533            2989213
FL MGUARD PCI 533 VPN        2989417
FL MGUARD GT/GT              2700197
FL MGUARD GT/GT VPN          2700198
FL MEM PLUG                  2891259
FL SFP SX                    2891754
FL SFP LX                    2891767
FL SFP LX LH                 2989912
Order designation            Order No.
E/NS 35 N                    0800886
FL SNMP OPC SERVER           2832166
FL PBX 8TX                   2832496
FL PBX 6TX 4FX               2832506
FL PF SEC 2TX                2832687
FL PF SEC 8TX                2832690
FL PF 2TX CAT5E              2891165
FL PF 8TX CAT5E              2891178
FL PF 2TX CAT 6              2891068
FL PF 8TX CAT 6              2891071
FL CAT6 PATCH 0,3            2891181
FL CAT6 PATCH 0,5            2891288
[Pcs./Pkt. column not recoverable from the scan]
Description (continued)
Patch cable CAT6, pre-assembled, 1.0 m long
Patch cable CAT6, pre-assembled, 1.5 m long
Patch cable CAT6, pre-assembled, 2.0 m long
Patch cable CAT6, pre-assembled, 3.0 m long
Patch cable CAT6, pre-assembled, 5.0 m long
Patch cable CAT6, pre-assembled, 7.5 m long
Patch cable CAT6, pre-assembled, 10 m long
Patch cable CAT6
239. gs >> Host
System: Power supply 1/2: State of both power supply units. Temperature (°C): An SNMP trap is triggered if the temperature exceeds or falls below the specified temperature range.
Configuration
Management >> System Settings >> Host (continued)
[Screenshot: System DNS Hostname (Hostname mode, Hostname, Domain search path); SNMP Information (System Name, Location, Contact); HiDiscovery (Local HiDiscovery support)]
System DNS Hostname: You can assign a name to the FL MGUARD using the Hostname mode and Hostname fields. For example, this name is then displayed when logging in via SSH (see Management >> System Settings on page 6-4, Shell Access on page 6-11). Assigning names simplifies the administration of multiple FL MGUARD devices.
Hostname mode: User defined (from field below) (default): The name entered in the Hostname field is the name used for the FL MGUARD. If the FL MGUARD is running in stealth mode, the User defined option must be selected under Hostname mode. Provider defined (e.g. via DHCP): If the selected network mode permits external setting of the host name (e.g. via DHCP), the name supplied by the provider is assigned to the FL MGUARD.
Hostname: If the User defined option is selected under Hostname mode, enter the name that should be assigned to the FL MGUARD here. Otherwise this entry will be ignored, i.e. if the P
240. >> Authentication
Local X.509 Certificate: Specifies which machine certificate the FL MGUARD uses as authentication to the VPN remote peer. Select one of the machine certificates from the selection list. The selection list contains the machine certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item (see page 6-116). If None is displayed, a certificate must be installed first. None must not be left in place, as this results in no X.509 authentication.
How the FL MGUARD authenticates the remote peer: The following definition relates to how the FL MGUARD verifies the authenticity of the VPN remote peer. The table below shows which certificates must be provided for the FL MGUARD to authenticate the VPN remote peer if the VPN remote peer shows one of the following certificate types when a connection is established: a machine certificate signed by a CA; a self-signed machine certificate. For additional information about the table, see Authentication >> Certificates on page 6-116.
Authentication for VPN
The remote peer shows the following:                   Machine certificate signed by CA                                                                                  Machine certificate self-signed
The FL MGUARD authenticates the remote peer using:     Remote certificate, or all CA certificates that form the chain to the root CA certificate together with the certificate shown by the remote peer     Remote certificate
According to this
241. >> General (Router network mode)
Modem / Built-in Modem (router mode)
Modem / Built-in Modem: Modem network mode is available for FL MGUARD RS, FL MGUARD BLADE, and FL MGUARD DELTA. Built-in modem network mode is available for FL MGUARD RS if this has a built-in modem or a built-in ISDN terminal adapter (optional). For all of the devices mentioned above, data traffic is routed via the serial interface and not via the FL MGUARD WAN port when in modem or built-in modem network mode. From there it is either (A) routed via the external serial interface (serial port to which an external modem must be connected), or (B) routed via the built-in modem / built-in ISDN terminal adapter (for FL MGUARD RS, if equipped accordingly). In both cases the connection to the Internet service provider, and therefore the Internet, is established via the telephone network using a modem or ISDN terminal adapter. In modem network mode, the serial interface of the FL MGUARD is not available for the PPP dial-in option or for configuration purposes (see Modem/Console on page 6-90). After selecting Modem as the network mode, specify the required parameters for the modem connection on the Dial-out and/or Dial-in tab pages (see Dial-out on page 6-81 and Dial-in on page 6-87). Enter the connection settings for an external modem on the Modem/Console tab page (see Modem/Console on page 6-90). The configuration of the internal networks is described in th
242. ...configuration. An application note is provided by Innominate; it describes how a rollback can be started using a configuration profile. Download timeout (default 120 seconds): Specifies the maximum timeout length (period of inactivity) when downloading the configuration file. The download is aborted if this time is exceeded. If and when a new download is attempted depends on the setting of Pull Schedule (see above). Login: Login user name that the HTTPS server requests. Password: Password that the HTTPS server requests. Server Certificate: The certificate that the FL MGUARD uses to check the authenticity of the certificate shown by the configuration server. It prevents an incorrect configuration from an unauthorized server from being installed on the FL MGUARD. Management >> Central Management >> Configuration Pull (continued). The following may be specified here: a self-signed certificate of the configuration server, or the root certificate of the CA (certification authority) that issued the server certificate; the latter applies when the configuration server certificate is signed by a CA instead of self-signed. If the stored configuration profiles also contain the private VPN key for the VPN connection(s) with PSK, the following conditions must be met: The password should consist of at least 30 random upper and lo
243. ...the FL MGUARD can then be called by a remote peer if this remote peer has been dynamically assigned its IP address by the Internet service provider, i.e. it has an IP address that changes. In this scenario you may only specify an IP address if the remote (calling) peer has a fixed and known IP address. "any" can only be used together with the authentication method using X.509 certificates. If locally stored CA certificates are to be used to authenticate the remote peer, the address of the VPN gateway of the remote peer can be specified explicitly by means of an IP address or host name, or by "any". If it is specified using an explicit address and not with "any", then a VPN identifier (see VPN Identifier on page 6-185) must be specified. "any" must be selected if the remote peer is located after a NAT gateway; otherwise the renegotiation of new connection keys will fail on initial contact. If TCP Encapsulation is used (see TCP Encapsulation on page 6-165): A fixed IP address or a hostname must be specified if this FL MGUARD is to initiate the VPN connection and encapsulate the VPN data traffic. If this FL MGUARD is installed before a maintenance center to which multiple remote FL MGUARD devices establish VPN connections and send encapsulated data packets, "any" must be specified for the VPN gateway of the remote peer. IPsec VPN >> Connections >> Edit >> General.
244. ...the remote user according to X.509. The table below shows which certificates must be provided for the FL MGUARD to authenticate the user access via HTTPS if the user (or their browser) shows one of the following certificate types when a connection is established: a certificate signed by a CA, or a self-signed certificate. For additional information about the table, see Authentication >> Certificates on page 6-116. If the remote peer shows a certificate specific to an individual and signed by a CA, the FL MGUARD authenticates the remote peer using the CA certificates that form the chain to the root CA certificate together with the certificate shown by the remote peer, plus, if required, remote certificates if used as a filter (1). If the remote peer shows a self-signed certificate specific to an individual, the FL MGUARD authenticates it using the remote certificate. (1) The remote peer can additionally provide sub-CA certificates. In this case the FL MGUARD can form the set union for creating the chain from the CA certificates provided and the self-configured CA certificates. The corresponding root certificate must always be available on the FL MGUARD. According to this table, the certificates that must be provided are the ones the FL MGUARD uses to authenticate a remote user access via HTTPS (or their browser). The following instructions assume that the certificates have already been correctly installed
245. ...Authentication (screenshot form fields): User name, Password, PAP server authentication (No/Yes); Dial on demand; Idle timeout (Idle time, seconds); Local IP, Remote IP, Netmask. Please note: On some platforms the serial port is not accessible. Network >> Interfaces >> Dial-out. PPP dial-out options: Should only be configured if the FL MGUARD should be able to establish a data connection (dial out) to the WAN/Internet, either via the primary external interface (modem or built-in modem network mode) or via the secondary external interface (also available in stealth or router network mode). Phone number to call: Phone number of the Internet service provider. The connection to the Internet is established after establishing the telephone connection. Command syntax: Together with the previously set modem command for dialing (ATD), the following dial sequence is created for the connected modem, for example ATD765432. A compatible pulse dialing procedure that works in all scenarios is used as standard. Special dial characters can be used in the dial sequence. Network >> Interfaces >> Dial-out (continued). HAYES special dial characters: W In
246. ...authority (CA). CA certificates are used to check whether the certificates shown by remote peers are authentic. The checking process is as follows: The certificate issuer (CA) is specified as the issuer in the certificate shown by the remote peer. These details can be verified by the same issuer using the local CA certificate. For a more detailed explanation, see Authentication >> Certificates on page 6-116. Example for imported CA certificates (screenshot, Authentication >> Certificates >> Trusted CA Certificates): Certificate CN=Web RootCA 01, O=Sample Web Securities Inc., C=UK; Subject Alternative Names: CN=Web RootCA 01, O=Sample Web Securities Inc., C=UK; Validity: from Jun 20 11:22:37 2007 GMT to Jun 20 11:22:37 2022 GMT; MD5 fingerprint 39:B5:DC:6F:EB:B5:C3:57:A7:4E:3D:DF:DE:71:3F:EA; SHA1 fingerprint 91:0C:57:A8:B5:4F:46:C9:F0:61:9F:1E:AD:10:6E:1B:06:64:7C:A9; Short name: web RootCA; Upload: Filename (Browse), Import Certificate. Authentication >> Certificates >> CA Certificates. Trusted CA Certificates: Displays the current imported CA certificates. To import a new certificate, proceed as follows. Importing a CA certificate. Requirement: The file (file name extension .cer, .pem or .crt) is saved on the connected computer. Proceed as follows: Click on Browse to select the file; click on Import. Once imported, the l
247. ...indicate a virus or unauthorized intervention. CIFS anti-virus scan connector: The CIFS anti-virus scan connector enables the FL MGUARD to perform a virus scan on drives that are otherwise not externally accessible (e.g. production cells). The FL MGUARD mirrors a drive externally in order to perform the virus scan. Additional anti-virus software is required for this procedure. Set the necessary read or read/write access for your anti-virus software. Setting options for CIFS integrity checking: which network drives are known to the FL MGUARD (see CIFS Integrity Monitoring >> Importable Shares on page 6-148); what type of access is permitted (read access) (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings on page 6-150); at what intervals the drives should be checked (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit on page 6-151); which file types should be checked (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns on page 6-153); warning method when a change is detected, e.g. via e-mail (see CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings on page 6-150) or via SNMP (see CIFS integrity traps on page 6-43). Setting options for CIFS anti-virus scan connector: which network drives are known to the FL MGUARD (see CIFS Integrity Monitoring >> Importable Shares on page 6-148)
248. ...icators (table of contents fragment): ... 3-1; 3.1 FL MGUARD RS ... 3-1; 3.2 FL MGUARD GT/GT ... 3-3; 3.2.1 Connecting the supply voltage and the VPN enable button ... 3-3; 3.2.2 Using smart mode ... 3-6; 3.2.3 Messages in the 7-segment display ... 3-7; 3.2.4 Interfaces on the FL MGUARD GT/GT ... 3-8; 3.2.5 [illegible] ... 3-11; 3.3 [illegible] ... 3-14; 3.4 [illegible] ... 3-15; 3.5 [illegible] ... 3-16; 3.6 FL MGUARD DELTA ... 3-17; 4 [illegible] ... 4-1; 4.1 [illegible] ... 4-1; 4.2 Checking the scope of supply ... 4-3; 4.3 Installing the FL MGUARD RS ... 4-4; 4.3.1 Mounting/removal ... 4-4; 4.3.2 Connecti
249. ...Lifetime (screenshot fields): IPsec SA Lifetime, Rekeymargin, Rekeyfuzz, Keying tries (0 means unlimited tries), Rekey; Dead Peer Detection: Delay between requests for a sign of life, Timeout for absent sign of life after which peer is assumed dead. IPsec VPN >> Connections >> Edit >> IKE Options. ISAKMP SA (Key Exchange), Encryption Algorithm: Decide on which encryption method should be used with the administrator of the remote peer. 3DES-168 is the most commonly used method and is therefore set by default. The following generally applies: the more bits an encryption algorithm has (specified by the appended number), the more secure it is. The relatively new AES-256 method is therefore the most secure; however, it is not used that widely yet. The longer the key, the more time consuming the encryption procedure. However, this does not affect the FL MGUARD, as it uses a hardware-based encryption technique. Nevertheless, this aspect may be of significance for the remote peer. The algorithm designated as "Null" contains no encryption. Hash Algorithm: Leave this set to "All algorithms". It then will not make a difference whether the remote peer is operating with MD5 or SHA-1. IPsec SA (Data Exchange): In contrast to ISAKMP SA (key exchange, see above), the procedure for data exchange is defined here. It does not necessarily have to differ from the procedure defined for key exchange.
250. ...certificates to be checked are considered invalid. Authentication >> Certificates >> Certificate settings (continued). Enable CRL checking: Yes. When CRL checking is enabled, the FL MGUARD consults the CRL (certificate revocation list) and checks whether or not the FL MGUARD certificates are blocked. CRLs are issued by the CAs and contain the serial numbers of blocked certificates, e.g. certificates that have been reported stolen. On the CRL tab page (see CRL on page 6-129), specify the origin of the FL MGUARD revocation lists. When CRL checking is enabled, a CRL must be configured for each issuer of certificates on the FL MGUARD. Missing CRLs result in certificates being considered invalid. Revocation lists are verified by the FL MGUARD using an appropriate CA certificate. Therefore all CA certificates that belong to a revocation list (all sub-CA certificates and the root certificate) must be imported on the FL MGUARD. If the validity of a revocation list cannot be proven, it is ignored by the FL MGUARD. If the use of revocation lists is activated together with the consideration of validity periods, revocation lists are ignored if, based on the system time, their validity has expired or has not yet started. CRL download interval: If Enable CRL checking is set to Yes (see above), select here the time period after which
251. ...ifying settings under User authentication. Management >> Web Settings >> Access (continued). X.509 Subject: Enables a filter to be set in relation to the contents of the Subject field in the certificate shown by the browser (HTTPS client). It is then possible to limit or enable access for the browser (HTTPS client) which the FL MGUARD would accept based on certificate checks: limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes, or access enabled for all subjects (see glossary under Subject, certificate on page 8-6). The X.509 Subject field must not be left empty. Access enabled for all subjects (i.e. individuals): An asterisk (*) in the X.509 Subject field can be used to specify that all subject entries in the certificate shown by the browser (HTTPS client) are permitted. It is then no longer necessary to identify or define the subject in the certificate. Management >> Web Settings >> Access (continued). Limited access to certain subjects (i.e. individuals) and/or to subjects that have certain attributes: In the certificate, the certificate owner is specified in the Subject field. The entry is comprised of several attributes. These attributes are either expressed
252. ...ignments; otherwise multiple MAC addresses will be assigned to this IP address. Only one DHCP server should be used per subnetwork. Network >> DHCP >> Internal DHCP (continued). DHCP Relay Options. DHCP mode: Relay. If DHCP mode is set to Relay, the corresponding setting options are displayed below as follows (screenshot: Network >> DHCP >> Internal DHCP; DHCP mode: DHCP Relay; DHCP Relay Options, DHCP Servers to relay to: 192.168.66.9). In FL MGUARD stealth mode, relay DHCP mode is not supported. If the FL MGUARD is in stealth mode and relay DHCP mode is selected, this setting will be ignored. However, DHCP requests from the computer and the corresponding responses are forwarded due to the nature of stealth mode. DHCP Servers to relay to: A list of one or more DHCP servers to which DHCP requests should be forwarded. Append Relay Agent Information: When forwarding, additional information for the DHCP server that is being forwarded to can be appended according to Option 82 (RFC 3046). 6.4.5 Network >> Proxy Settings. 6.4.5.1 HTTP(S) Proxy Settings. Network >> Proxy Settings >> HTTP(S) Proxy Settings. Use Proxy for HTTP and HTTPS: It is also used for VPN in TCP encapsulati
253. ...Configuration Profiles on page 6-35, Configuration Pull on page 6-47). Interruption of the connection at a certain time using PPPoE network mode: This is the case when Network Mode is set to PPPoE under the Network >> Interfaces, General menu item and Automatic Reconnect is set to Yes (see 6.4.1 Network >> Interfaces, Router network mode, PPPoE router mode on page 6-76). Acceptance of certificates when the system time has not yet been synchronized: This is the case when the "Wait for synchronization of the system time" setting is selected under the Authentication >> Certificates, Certificate settings menu item for the "Check the validity period of certificates and CRLs" option (see Section 6.5.3 and Certificate settings on page 6-121). Management >> System Settings >> Time and Date (continued). The system time can be synchronized by various events: The FL MGUARD has a built-in clock which has been synchronized with the current time at least once. (The FL MGUARD only has a built-in clock if the "Hardware clock state" option is visible. The display shows whether the clock is synchronized.) A synchronized built-in clock ensures that the FL MGUARD has a synchronized system time even after a restart. The administrator has defined the current time for the FL MGUARD run time by making a corresponding entry in the Local
254. ...Figure 6-2: TCP encapsulation in an application scenario with a maintenance center and machines maintained remotely via VPN connections. IPsec VPN >> Global >> Options. TCP Encapsulation. Listen for incoming VPN connections which are encapsulated: Default setting No. This option is only set to Yes if the TCP Encapsulation function is used. Only then can the FL MGUARD accept connection establishment with encapsulated packets. TCP port to listen on: Number of the TCP port where the encapsulated data packets to be received arrive. The port number specified here must be the same as the one specified for the FL MGUARD of the remote peer as the TCP port of the server which accepts the encapsulated connection (IPsec VPN >> Connections, Edit menu item, General tab page). The following restriction applies: The port to listen on must not be identical to a port that is being used for remote access (SSH, HTTPS or SEC-Stick). IPsec VPN >> Global >> Options (continued). Server ID (0-63): The default value 0 does not usually have to be changed. The numbers are used to differentiate between different centers. A different number should only be used in the following scenario: An FL MGUARD connected before a machine must establish connections to two or more different maintenance centers and their FL MGUARD devices with TCP encapsul
255. ...ime: 1 second to 24 hours. If the remote peer is a computer running Windows 2000, the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must be installed. If the remote peer is positioned after a NAT router, the remote peer must support NAT-T. Alternatively, the NAT router must support the IPsec protocol (IPsec VPN passthrough). For technical reasons, only IPsec tunnel connections are supported in both cases. 6.8.2.1 Connections: Lists all the VPN connections that have been defined. Each connection name listed here can refer to an individual VPN connection or a group of VPN connection channels. You have the option of defining several tunnels under the transport and/or tunnel settings of the relevant entry. You also have the option of defining, activating and deactivating new VPN connections, changing (editing) the VPN connection or connection group properties, and deleting connections. (Screenshot: IPsec VPN >> Connections, entries "Berlin-London" and "Berlin-Dublin", both enabled, each with an Edit button.) 6.8.3 Defining a new VPN connection / VPN connection channels: In the connections table, click on Edit to the right of the unnamed entry under Name. If the unnamed entry cannot be seen, open another row in the table. Editing a VPN connection / VPN connection channels: Click on Edit to the right of the relevant entry
256. ...Minimize Cost, Unchanged, Low Priority. (Screenshot residue: QoS >> Egress Rules >> VPN, tab pages VPN via Internal, VPN via External, VPN via External 2 and VPN via Dial-in; each with Default Queue "Default" and three rules matching all traffic (0.0.0.0/0 to 0.0.0.0/0): TOS Minimize Delay, Unchanged, Urgent; TOS Maximize Reliability, Unchanged, Important; TOS Minimize Cost, Unchanged, Low Priority.) All of the tab pages listed above for Egress Rules, for the Internal, External, External 2 and Dial-in interfaces and for VPN connections routed via these interfaces, offer the same setting options. In all cases the settings relate to the data that is sent externally into the network from the relevant FL MGUARD interface. QoS >>
257. ...administrator passwords during initial configuration. Serial port. NOTE: The serial interface (RJ12 female connector) must not be connected directly to the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with RJ12 connector. The maximum cable length of the serial cable is 30 m. The serial port (serial interface) can be used as described in Serial port on page 4-10. 4.7 Connecting the FL MGUARD DELTA. WARNING: The serial interface (DE-9 plug-in connection) must not be connected directly to the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with DE-9 connector. The maximum cable length of the serial cable is 30 m. (Figure: FL MGUARD DELTA connections: Console, DC 5V 3A, Serial console, Ethernet LAN, Ethernet WAN, Reserved, Power supply.) Connecting the FL MGUARD DELTA: Connect the power supply (5 V DC, 3 A) to the DC 5V 3A female connector of the FL MGUARD DELTA. Connect the local computer or the local network to one of the Ethernet LAN connections 4 to 7 of the FL MGUARD DELTA using a UTP Ethernet cable (CAT5). Startup. 4.8 Installing the FL MGUARD PCI. WARNING: This is a Class A item of equipment. This equipment can
258. ...session under the old IP address remains open. This login session could then be used by an intruder who uses this old IP address of the authorized user and accesses the FL MGUARD using this sender address. The same thing could also occur if an authorized firewall user forgets to log out at the end of a session. This hazard of logging in via an unsecure interface is not completely eliminated, but the time is limited by setting the configured timeout for the user firewall template used (see Timeout type on page 6-145). Interface (External, Internal, External 2, VPN, Dial-in): Specifies which FL MGUARD interfaces can be used by firewall users to log into the FL MGUARD. For the interface selected, web access via HTTPS must be enabled (Management >> Web Settings menu, Access tab page; see Access on page 6-20). In stealth network mode, both the internal and external interfaces must be enabled so that firewall users can log in to the FL MGUARD; two rows must be entered in the table for this. External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 6-55). 6.5.2.4 Status: When the user firewall is activated, its status is displayed here. 6.5.3 Authentication >> Certificates. Authentication is a fundamental element of secure communication. Using certificates
259. ...is specified as "any", it is possible that a number of different remote peers will connect to the FL MGUARD. Specifying a default route over the VPN: The address 0.0.0.0/0 specifies a default route over the VPN. In this case, all data traffic for which no other tunnel or route exists is routed through this VPN tunnel. A default route over the VPN should only be specified for a single tunnel. In stealth mode, a default route over the VPN cannot be used. Option following installation of a VPN tunnel group license: If "Address of the remote site's VPN gateway" is specified as "any", it is possible that there are many FL MGUARD devices or many networks on the remote side. A very large address area is then specified in the Remote field for the local FL MGUARD. A part of this address area is used on the remote FL MGUARD devices for the network specified for each of them under Local. This is illustrated as follows; the entries in the Local and Remote fields for the local and remote FL MGUARD devices could be made as follows. Local FL MGUARD: Local 10.0.0.0/8, Remote 10.0.0.0/8. Remote FL MGUARD A: Local 10.1.7.0/24, Remote 10.0.0.0/8. Remote FL MGUARD B: Local 10.3.9.0/24, Remote 10.0.0.0/8. Etc. In this way, by configuring a single tunnel, you can establish connections for a number of peers. To use this option, the VPN tunnel group license must be installed
260. ...is the highest available and is ultimately the basis of trust. No one else can certify that this instance is actually the instance in question. A root CA is therefore a state or a state-controlled organization. The FL MGUARD can use its imported CA certificates to check the validity of certificates shown by remote peers. In the case of VPN connections, for example, remote peers can only be authenticated using CA certificates. This requires that all CA certificates are installed on the FL MGUARD in order that a chain can be formed to the certificate shown by the remote peer: in addition to the CA certificate from the CA whose signature appears on the certificate shown by the remote peer to be checked, this includes the CA certificate of the superordinate CA, and so forth up to the root certificate. The more meticulously this chain of trust is checked in order to authenticate a remote peer, the higher the level of security will be. In a client/server environment, a server is a program or computer which accepts and responds to queries from client programs or computers. In data communication, the computer establishing a connection to a server (or host) is also called a client. In other words, the client is the calling computer and the server (or host) is the computer called. In the IP protocol, data is sent in the form of data packets. These are known as IP datagrams. An IP datagram is structured as follows: IP header, TCP/UDP/ESP etc. header, D
261. ...listed below have a log ID and number. This log ID and number can be used to trace the firewall rule to which the corresponding log entry relates and that led to the corresponding event. Firewall rules and their log ID: Packet filters (Network Security >> Packet Filter >> Incoming Rules menu, Network Security >> Packet Filter >> Outgoing Rules menu): Log ID fw-incoming or fw-outgoing. Firewall rules for VPN connections (IPsec VPN >> Connections >> Edit >> Firewall menu, Incoming/Outgoing): Log ID vpn-fw-in or vpn-fw-out. Firewall rules for web access to the FL MGUARD via HTTPS (Management >> Web Settings >> Access menu): Log ID fw-https-access. Firewall rules for access to the FL MGUARD via SNMP (Management >> SNMP >> Query menu): Log ID fw-snmp-access. Firewall rules for SSH remote access to the FL MGUARD (Management >> System Settings >> Shell Access menu): Log ID fw-ssh-access. Firewall rules for the user firewall (Network Security >> User Firewall menu, Firewall rules): Log ID ufw. Rules for NAT/port forwarding (Network >> NAT >> Port Forwarding menu): Log ID fw-portforwarding. Firewall rules for the serial interface (Network >> Interfaces >> Dial-in menu): Incoming Rules Log ID fw-serial-incoming, Outgoing Rules Log ID fw-serial-outgoing. General messages: When activating a c
262. ...l network interface. The same network drive can be used as the checksum memory for several different drives to be checked. The base name of the checksum files must then be chosen unambiguously in this case. The FL MGUARD recognizes which version the checksum files on the network drive must have. For example, if it is necessary to restore the contents of the network drive from a backup following a malfunction, old checksum files are provided in this case and the FL MGUARD would detect deviations. In this case the integrity database must be recreated (see CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Actions on page 6-156). Basename of the checksum files: The checksum files are stored on the network drive specified above. They can also be stored in a separate directory (the base name may be prefixed with a directory). The directory name must not start with a backslash. Example: Checksumdirectory\integrity-checksum, where Checksumdirectory is the directory and contains the files beginning with integrity-checksum. 6.7.2.2 Filename Patterns. CIFS Integrity Monitoring >> CIFS Integrity Checking >> Filename Patterns. Sets of Filename Patterns (e.g. Windows executables). Name: Freely definable name for a set of rules for the files to be checked. This name must be selected under CIFS Integrity Monitoring >
263. ...Dial-in or VPN is allowed by default and can be restricted by firewall rules. Management >> System Settings >> Shell Access. Shell Access: When SSH remote access is enabled, the FL MGUARD can be configured from remote computers using the command line. This option is disabled by default. NOTE: If remote access is enabled, ensure that secure passwords are defined for root and admin. Make the following settings for SSH remote access: Session Timeout (seconds): Specifies after what period of inactivity (in seconds) the session is automatically terminated, i.e. automatic logout. When set to 0 (default setting), the session is not terminated automatically. The specified value is also valid for shell access via the serial interface. Management >> System Settings >> Shell Access (continued). Enable SSH remote access (No/Yes): If you want to enable SSH remote access, set this option to Yes. Internal SSH access, i.e. from the directly connected LAN or from the directly connected computer, can be enabled independently of this setting. The firewall rules for the available interfaces must be defined on this page under Allowed Networks in order to specify differentiated access options on the FL MGUARD. Port for incoming SSH connections (remote administration only): Default 22. If this port number is changed, the new port
264. ...table. In this case the IP address of the router specifies the default route, because all IP packets whose IP address has no counterpart in the routing table (i.e. cannot find a route) are directed to this gateway. Glossary. DynDNS provider: Also known as Dynamic DNS provider. Every computer connected to the Internet has an IP address (IP = Internet Protocol). If the computer accesses the Internet via a dial-up modem, ISDN or ADSL, its ISP will assign it a dynamic IP address. In other words, the address changes for each online session. Even if a computer is online 24 hours a day without interruption (e.g. flat rate), the IP address will change during the session. If this computer needs to be accessible via the Internet, it must have an address that is known to the remote peer. This is the only way to establish a connection to the computer. However, if the address of the computer changes constantly, this will not be possible. This problem can be avoided if the operator of the computer has an account with a Dynamic DNS provider (DNS = Domain Name Server). In this case the operator can set a hostname with this provider via which the system should be accessible, e.g. www.example.com. The Dynamic DNS provider also provides a small program that must be installed and run on the computer concerned. Every time a new Internet session is launched on the local computer, this tool s
265. ...client if the SSH client shows one of the following certificate types when a connection is established: a certificate signed by a CA, or a self-signed certificate. For additional information about the table, see Section 6.5.3, Authentication >> Certificates. Authentication for SSH: If the remote peer shows a certificate specific to an individual and signed by a CA, the FL MGUARD authenticates the remote peer using the CA certificates that form the chain to the root CA certificate together with the certificate shown by the remote peer, plus, if required, remote certificates if used as a filter. If the remote peer shows a self-signed certificate specific to an individual, the FL MGUARD authenticates it using the remote certificate. According to this table, the certificates that must be provided are the ones the FL MGUARD uses to authenticate the relevant SSH client. The following instructions assume that the certificates have already been correctly installed on the FL MGUARD (see Section 6.5.3, Authentication >> Certificates). If the use of revocation lists (CRL checking) is activated under the Authentication >> Certificates, Certificate settings menu item, each certificate signed by a CA that is shown by the SSH client must be checked for revocations. Management >> System Settings >> Shell Access. CA certificate: This configuration is only necessary if th
ll incoming connections are rejected (excluding VPN). Data packets of all outgoing connections are allowed through. The firewall rules here have an effect on the firewall that is permanently active, with the exception of VPN connections. Individual firewall rules are defined for VPN connections (see IPsec VPN >> Connections on page 6-169, Firewall on page 6-188). User firewall: When a user logs on for whom user firewall rules are defined, these rules take priority (see Network Security >> User Firewall on page 6-144), followed by the permanently active firewall rules. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules contains further subsequent rules that could also apply, these rules are ignored.

6.6.1.1 Incoming Rules
Network Security >> Packet Filter >> Incoming Rules (tabs: Incoming Rules, Outgoing Rules, Sets of Rules, MAC Filtering)
Incoming: These rules specify which traffic from the outside is allowed to pass to the inside. Please note: port settings are only meaningful for TCP and UDP. Log entries for unknown connection attempts: No (default).
Incoming: Lists the firewall rules that have been set up. They apply for incoming data
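The first-match behaviour described above (rules queried from the top of the list; the first applicable rule decides and any later matching rules are ignored), as an added example that is not part of the manual or the device firmware. The rule fields, the default action and the sample traffic are constructed for this demonstration and use documentation addresses only.

```python
"""Added example (not the manual's or the device's code): first-match evaluation
of a packet-filter rule list. Rules are checked top-down; the first matching
rule decides and later matching rules are ignored. No match -> default action,
which for the incoming direction is to reject."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str            # "tcp", "udp", "icmp" or "all"
    from_ip: str             # CIDR; "0.0.0.0/0" means any source
    to_ip: str               # CIDR
    to_port: Optional[int]   # only meaningful for TCP and UDP; None = any port
    action: str              # "accept" or "drop"
    log: bool = False        # mirrors the per-rule Log: Yes/No setting


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True only if every field of the rule applies to the packet."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip):
        return False
    if rule.to_port is not None:
        # Port settings are only meaningful for TCP and UDP: a rule naming a
        # port can never match ICMP or other protocols.
        if pkt.protocol not in ("tcp", "udp") or pkt.dst_port != rule.to_port:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             default_action: str = "drop") -> Tuple[str, Optional[int], bool]:
    """Walk the list top-down; return (action, index of deciding rule, log flag).
    The index shows which rule fired, so shadowed rules become visible."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index, rule.log
    return default_action, None, False


# Constructed sample rule list. Rule 1 is shadowed for host .10 by rule 0;
# rule 2 is deliberately broad to show why ordering matters.
INCOMING_RULES = [
    Rule("tcp", "0.0.0.0/0", "192.168.1.10/32", 22, "accept", log=True),
    Rule("tcp", "0.0.0.0/0", "192.168.1.0/24", 22, "drop", log=True),
    Rule("all", "0.0.0.0/0", "192.168.1.0/24", None, "accept"),
]

if __name__ == "__main__":
    ssh_ok = Packet("tcp", "203.0.113.5", "192.168.1.10", 22)
    ssh_other = Packet("tcp", "203.0.113.5", "192.168.1.20", 22)
    ping = Packet("icmp", "203.0.113.5", "192.168.1.10")
    print(evaluate(INCOMING_RULES, ssh_ok))     # ('accept', 0, True)
    print(evaluate(INCOMING_RULES, ssh_other))  # ('drop', 1, True)
    print(evaluate(INCOMING_RULES, ping))       # ('accept', 2, False)
    print(evaluate(INCOMING_RULES[:2], ping))   # ('drop', None, False)
```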
local address of the FL MGUARD.
Servers to query:
  DNS Root Servers: Requests are sent to the root name servers on the Internet, whose IP addresses are stored on the FL MGUARD. These addresses rarely change.
  Provider defined (e.g., via PPPoE or DHCP): The domain name servers of the Internet service provider that provide access to the Internet are used. Only select this setting if the FL MGUARD operates in PPPoE, PPTP or modem mode, or in router mode with DHCP.
  User defined (servers listed below): If this setting is selected, the FL MGUARD will connect to the domain name servers listed under User defined name servers.

Network >> DNS >> DNS server (continued)
User defined name servers: The IP addresses of domain name servers can be entered in this list. If these should be used by the FL MGUARD, select the User defined (servers listed below) option under Servers to query.
Local Resolving of Hostnames: You can configure multiple entries with assignment pairs of hostnames and IP addresses for various domain names. You have the option to define, change (edit) and delete assignment pairs of host names and IP addresses. You can also activate or deactivate the resolving of host names for a domain. In addition, you can delete a domain with all its assignment pairs. Create a table with assignment pairs for a domain: Ope
Connection type: Tunnel (network <-> network) or Transport (host <-> host).
  Tunnel (network <-> network): This connection type is suitable in all cases and is also the most secure. In this mode, the IP datagrams are completely encrypted, are given a new header, and are sent to the VPN gateway of the remote peer (the tunnel end). The transmitted datagrams are then decrypted and the original datagrams are restored. These are then forwarded to the destination computer.
  Transport (host <-> host): For this type of connection, only the data of the IP packets is encrypted. The IP header information remains unencrypted. When you switch to Transport, the following fields, apart from Protocol, are hidden, as these parameters are omitted.

IPsec VPN >> Connections >> Edit >> General (continued)
Local / Remote (for connection type Tunnel): Define the network areas for both tunnel ends under Local (network) and Remote (network).
[Figure: IPsec tunnel from the local network through the Internet to the VPN gateway of the remote network.]
  Local: Here specify the address of the network or computer which is connected locally to the FL MGUARD.
  Remote: Here specify the address of the network or computer that is located after the remote VPN gateway. If
Address of the remote site's VPN gateway: see Address of the remote site's VPN gateway on page 6-171
lth mode is used to protect a single computer or a local network with the FL MGUARD. Important: If the FL MGUARD is in stealth network mode, it is inserted into the existing network (see figure) without changing the existing network configuration of the connected devices.
[Figure: Before / After: the FL MGUARD inserted between the computer and the network. A LAN can also be on the left.]
The FL MGUARD analyzes the active network traffic and configures its network connection accordingly. It then operates transparently, i.e., without the computers having to be reconfigured. As in the other modes, firewall and VPN security functions are available. Externally supplied DHCP data is allowed through to the connected computer. If the FL MGUARD is to provide services such as VPN, DNS, NTP, etc., a firewall installed on the computer must be configured to allow ICMP echo requests (ping). In stealth mode, the FL MGUARD uses the internal IP address 1.1.1.1. This can be accessed when the configured default gateway of the computer is also accessible. In stealth network mode, a secondary external interface can also be configured (see Secondary External Interface on page 6-66). For the further configuration of stealth network mode, see Network Mode: Stealth on page 6-62.
[Figure: WAN port / LAN port.]
Router (default setting for FL MGUARD DELTA)
m which servers an update may be performed. The list of servers is processed from top to bottom until an available server is found. The order of the entries therefore also specifies their priority. All configured update servers must provide the same updates. The following options are available:
  Protocol: The update can be performed via HTTPS or HTTP.
  Server: Host name of the server that provides the update files.
  Login: Login for the server.
  Password: Password for login.

6.2.5 Management >> Configuration Profiles
6.2.5.1 Configuration Profiles
[Screenshot: Management >> Configuration Profiles, listing the profiles Factory Default, Home office and Office, with Upload Configuration to Profile and external config storage.]
You can save the settings of the FL MGUARD as a configuration profile under any name on the FL MGUARD. It is possible to create multiple configuration profiles. You can then switch between different profiles, for example if the FL MGUARD is used in different environments. Furthermore, you can also save the configuration profiles as files on your configuration computer. Alternatively, these configuration files can be loaded onto the FL MGUARD and activated. In addition, you can restore the default settings at any time. When a c
machine as a form of ID in order to verify that they really are the individual they identify themselves as. As there are at least two communication partners, the process takes place alternately: partner A shows their certificate to their remote peer, partner B; partner B then shows their certificate to their remote peer, partner A. In order for A to accept the certificate shown by B (i.e., the certificate of the remote peer), thus allowing communication, there is the following option: A has previously received a copy of the certificate from B (e.g., by data carrier or e-mail) with which B will verify itself. A can then verify the certificate shown later by B by comparing it to this certificate. With regard to the FL MGUARD interface, the certificate copy given here by partner B to A is an example of a remote certificate. For reciprocal authentication to take place, both partners must thus provide the other with a copy of their certificate in advance in order to identify themselves: A installs the copy of the certificate from B as its remote certificate; B then installs the copy of the certificate from A as its remote certificate. Never provide the PKCS#12 file (file name extension *.p12) as a copy of the certificate to the remote peer in order to use X.509 authentication for communication at a later time. The PKCS#12 file contains a private key that must be kept secret and must not be given to a third party (see Creation of certificates on page 6-11).
me network address but different host addresses. The two parts of the address differ in length depending on the size of the respective network; networks are categorized as Class A, B or C.

          1st byte          2nd byte          3rd byte          4th byte
Class A   Network address   Host address      Host address      Host address
Class B   Network address   Network address   Host address      Host address
Class C   Network address   Network address   Network address   Host address

The first byte of the IP address determines whether the IP address of a network device belongs to Class A, B or C. The following has to be specified:

          Value of 1st byte   No. of bytes for the network address   No. of bytes for the host address
Class A   1 to 126            1                                      3
Class B   128 to 191          2                                      2
Class C   192 to 223          3                                      1

Based on the above figures, the number of Class A networks worldwide is limited to 126. Each of these networks can have a maximum of 256 x 256 x 256 hosts (3 bytes of address space). There can be 64 x 256 Class B networks, and each of these networks can have up to 65,536 hosts (2 bytes of address space: 256 x 256). There can be 32 x 256 x 256 Class C networks, and each of these networks can have up to 256 hosts (1 byte of address space).

Subnet mask: Normally, a company network with access to the Internet is only officially assigned a single IP address, e.g., 123.456.789.21. The first byte of this example address indicates that this company network is a Class B network, in o
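The classful split described in the two tables above, carried out in code as an added example that is not part of the manual: the first byte selects the class, which fixes how many bytes belong to the network address and how many to the host address, and the network counts follow from the first-byte ranges. The helper names are this example's own; octet validation (each octet in 0..255) is added as a practical check.

```python
"""Added example (not from the manual): classify an IPv4 address by its first
byte using the glossary's Class A/B/C table, split it into network and host
parts, and derive the number of networks and hosts per class."""
from typing import Dict, List, Optional

# class -> (lowest first byte, highest first byte, number of network bytes)
CLASS_RANGES = {
    "A": (1, 126, 1),
    "B": (128, 191, 2),
    "C": (192, 223, 3),
}


def parse_ipv4(address: str) -> List[int]:
    """Split a dotted-quad string into four octets, rejecting anything that is
    not four integers in 0..255 (e.g. 123.456.789.21 is not a valid address)."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"{address!r}: expected four dotted octets")
    values = []
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"{address!r}: octet {octet!r} is not in 0..255")
        values.append(int(octet))
    return values


def classify(address: str) -> Dict[str, Optional[object]]:
    """Return the class and the network/host split of an address. First bytes
    0, 127 and 224 or above fall outside Class A, B and C in the table, so the
    class is reported as None for them."""
    octets = parse_ipv4(address)
    first = octets[0]
    for cls, (low, high, net_bytes) in CLASS_RANGES.items():
        if low <= first <= high:
            host_bytes = 4 - net_bytes
            network = octets[:net_bytes] + [0] * host_bytes
            return {
                "class": cls,
                "network_bytes": net_bytes,
                "host_bytes": host_bytes,
                "network_address": ".".join(str(b) for b in network),
                "host_address": ".".join(str(b) for b in octets[net_bytes:]),
                "max_hosts": 256 ** host_bytes,   # 3 bytes -> 256 x 256 x 256
            }
    return {"class": None, "network_bytes": None, "host_bytes": None,
            "network_address": None, "host_address": None, "max_hosts": None}


def network_count(cls: str) -> int:
    """Number of networks of a class: first-byte range width times 256 for each
    further network byte (A: 126, B: 64 x 256, C: 32 x 256 x 256)."""
    low, high, net_bytes = CLASS_RANGES[cls]
    return (high - low + 1) * 256 ** (net_bytes - 1)


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.16.5.7", "192.0.2.9", "127.0.0.1"):
        print(addr, classify(addr))
    for cls in "ABC":
        print(cls, network_count(cls), "networks")
```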
me to its memory every two hours. If the FL MGUARD is switched off and then on again, a time from this two-hour period is displayed, not a time on January 1, 2000.
NTP Server: NTP (Network Time Protocol). The FL MGUARD can act as the NTP server for computers that are connected to its LAN port. In this case, the computers should be configured so that the local address of the FL MGUARD is specified as the NTP server address. If the FL MGUARD is operated in stealth mode, the management IP address of the FL MGUARD (if this is configured) must be used for the computers, or the IP address 1.1.1.1 must be entered as the local address of the FL MGUARD. So that the FL MGUARD can act as the NTP server, it must obtain the current date and the current time from an NTP server (time server). To do this, the address of at least one NTP server must be specified. This feature must also be activated.

Management >> System Settings >> Time and Date (continued)
Enable NTP time synchronization: Once NTP is activated, the FL MGUARD obtains the date and time from one or more time server(s) and synchronizes itself with it or them. Initial time synchronization can take up to 15 minutes. During this time, the FL MGUARD continuously compares the time data of the external time server and that of its own clock so that this
n a new row and click on Edit in this row. Change or delete assignment pairs belonging to a domain: Click on Edit in the relevant table row. After clicking on Edit, the DNS Records tab page is displayed.
[Screenshot: DNS Records, Local Resolving of Hostnames: Domain for the hosts = example.local; Enabled = Yes; Resolve IP Addresses also = Yes; Hostnames table with the columns Host, TTL (e.g., 3600) and IP (e.g., 192.168.1.1).]
  Domain for the hosts: The name can be freely assigned, but it must adhere to the rules for assigning domain names. It is assigned to every host name.
  Enabled: Yes / No. Switches the Local Resolving of Hostnames function on (Yes) or off (No) for the domain specified in the field above.
  Resolve IP Addresses: No: The FL MGUARD only resolves hostnames, i.e., it supplies the assigned IP address for hostnames. Yes: Same as for No; however, it is also possible to get the host name assigned to an IP address.
  Hostnames: The table can have any number of entries. A hostname may be assigned to multiple IP addresses. Multiple host names may be assigned to one IP address.

Network >> DNS >> DNS server (continued)
  TTL: Abbreviation for time to live. Value specified in seconds. Default: 3600 (1 hour). Specifies how long called assignment pairs may be stored in the cache of the calling computer.
  IP: The IP address assigned to the host name in this tabl
n and status display of the Ethernet connections.
  Port: Name of the Ethernet connection to which the row refers.
  Media Type: Media type of the Ethernet connection.
  Link State: Up: The connection is established. Down: The connection is not established.

Network >> Interfaces >> Ethernet
  Automatic Configuration: Yes: Try to determine the required operating mode automatically. No: Use the operating mode specified in the Manual Configuration column. When connecting the FL MGUARD RS to a hub, please note the following: when Automatic Configuration is deactivated, the Auto MDIX function is also deactivated. This means that the port of the FL MGUARD RS must either be connected to the uplink port of the hub or connected to the hub using a cross-link cable.
  Manual Configuration: The desired operating mode when Automatic Configuration is set to No.
  Current Mode: The current operating mode of the network connection.
  Port On: Yes / No (FL MGUARD RS and FL MGUARD SMART only). Switches the Ethernet connection on or off.

6.4.1.3 Dial-out
(FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA only)
Network >> Interfaces >> Dial-out (tabs: Modem, Console)
PPP dial-out options: Phone number to call; Aut
n as firewall users log into the FL MGUARD who are listed on the Template users tab page (see below) and who have been assigned this template. It does not matter from which computer and under what IP address the user logs in. The assignment of user firewall rules is based on the authentication data that the user enters during login (user name, password).
  Comment: Optional explanatory text.
  Timeout: Default: 28800. Specifies the time in seconds at which point the firewall rules are deactivated. If the user session lasts longer than the timeout time specified here, the user has to log in again.
  Timeout type: Static / dynamic. With a static timeout, users are logged out automatically as soon as the set timeout time has elapsed. With a dynamic timeout, users are logged out automatically after all the connections have been closed by the user or have expired on the FL MGUARD and the set timeout time has elapsed. An FL MGUARD connection is considered to have expired if no more data is sent for this connection over the following periods (connection expiration period after non-usage):
    TCP: 5 days (this value can be adjusted, see 6-140); 120 additional seconds after closure of the connection (this also applies to connections closed by the user).
    UDP: 30 seconds after data traffic in one direction; 180 seconds after data traffic in both directions.
    ICMP: 30 seconds.
    Others: 10 minutes.
n be used as optional settings for each IP. A VLAN is identified by its VLAN ID (1 to 4094). All devices with the same VLAN ID belong to the same VLAN and can therefore communicate with each other. The Ethernet packet for a VLAN based on IEEE 802.1Q is extended by 4 bytes, with 12 bits available for recording the VLAN ID. The VLAN IDs 0 and 4095 are reserved and cannot be used for VLAN identification.
VPN: A Virtual Private Network (VPN) connects several separate private networks (subnetworks) together via a public network (e.g., the Internet) to form a single common network. A cryptographic protocol is used to ensure confidentiality and authenticity. A VPN is thus a cost-effective alternative to using permanent lines to build a nationwide corporate network.
X.509 certificate: A type of seal that certifies the authenticity of a public key (see Asymmetrical encryption) and the associated data. It is possible to use certification to enable the user of the public key used to encrypt the data to ensure that the received public key is from its actual issuer, and thus from the instance that should later receive the data. A certification authority (CA) certifies the authenticity of the public key and the associated link between the identity of the issuer and its key. The certification authority verifies authenticity in accordance with it
[Figure 4-6: Pin assignment of the RJ12 female connector (serial port); pins include GND (pin 1).]
On the FL MGUARD RS with integrated modem or ISDN terminal adapter, data traffic can be transmitted via the analog line or ISDN line connections instead of via the WAN interface.

4.4 Installing the FL MGUARD GT/GT
WARNING: The housing must not be opened.
WARNING: The shielding ground of the connected twisted-pair cables is electrically connected to the front plate.
4.4.1 Mounting/removal
The device is ready to operate when it is supplied. The recommended procedure for mounting and connection is as follows:
  - Pull out the terminal block from the bottom of the FL MGUARD GT/GT and wire the connections as required (see Connection options on lower terminal block on page 4-7).
  - Tighten the screws on the screw terminal blocks with at least 0.22 Nm. Wait to insert the terminal block.
  - Mount the FL MGUARD GT/GT on a grounded 35 mm DIN rail according to DIN EN 60715. The device is grounded by snapping it onto a grounded DIN rail.
[Figure 4-7: Mounting the FL MGUARD GT/GT on a DIN rail.]
  - Attach the top snap-on foot of the FL MGUARD GT/GT to the DIN rail and then press the FL MGUARD GT/GT down towards the DIN rail so that it engages with a click.
  - Insert the required
nal IP addresses of the FL MGUARD here, or use the variable %extern if the external IP address of the FL MGUARD is changed dynamically so that the external IP address cannot be specified. If multiple static IP addresses are used for the WAN port, the variable %extern always refers to the first IP address in the list.

Network >> NAT >> Port Forwarding (continued)
  Incoming on Port: The original destination port specified in the incoming data packets. Either the port number or the corresponding service name can be specified here, e.g., pop3 for port 110 or http for port 80.
  Redirect to IP: The internal IP address to which the data packets should be forwarded. The original destination addresses will be overwritten with this address.
  Redirect to Port: The port to which the data packets should be forwarded. The original destination port will be overwritten with this port. Either the port number or the corresponding service name can be specified here, e.g., pop3 for port 110 or http for port 80.
  Comment: Freely selectable comment for this rule.
  Log: For each individual port forwarding rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
native gateways.
[Screenshot: Network >> Interfaces >> General: Network Mode = Stealth; Stealth Configuration = static; Client's IP address = 0.0.0.0; Client's MAC address = 00:00:00:00:00:00; further sections Network, Gateway, Secondary External Interface.]
Stealth network mode: Only applies if Stealth is selected as the network mode.
  Stealth configuration: autodetect / static / multiple clients.
    autodetect (default): The FL MGUARD analyzes the network traffic and independently configures its network connection accordingly. It operates transparently.
    static: If the FL MGUARD cannot analyze the network traffic (e.g., because the locally connected computer only receives data and does not send it), then Stealth configuration must be set to static. In this case, further entry fields are available for the static stealth configuration.
    multiple clients: As with autodetect, but it is possible to connect more than one computer to the LAN port (secure port), meaning that multiple IP addresses can be used at the LAN port (secure port) of the FL MGUARD.

Network >> Interfaces >> General, Stealth network mode (continued)
  Autodetect: ignore NetBIOS over TCP traffic on TCP port 139: Yes / No. Only with autodetect stealth configuration. If a Windows computer has more than one network card installed, it may alternate
nd assigned to specific firewall users. When set to Yes, the firewall rules assigned to the listed users are applied as soon as the corresponding user logs in.
  Enable group authentication: If activated, the FL MGUARD forwards login requests for unknown users to the RADIUS server. If successful, the response from the RADIUS server will contain a group name. The FL MGUARD then enables user firewall templates containing this group name as the template user. The RADIUS server must be configured to deliver this group name in the Access-Accept package as a Filter-Id: <groupname> attribute.
  User Name: Name the user must enter on login.
  Authentication Method: Local DB: When Local DB is selected, the password assigned to the user must be entered in the User Password column next to the user name that must be entered on login. RADIUS: If RADIUS is selected, the user password can be stored on the RADIUS server.
  User Password: Only active if Local DB is selected as the authentication method.

6.5.2.2 RADIUS Servers
Authentication >> Firewall Users >> RADIUS Servers
  RADIUS timeout: Specifies the time in seconds the FL MGUARD waits for a response from the RADIUS server. Default: 3 seconds.
  RADIUS retries: Specifies how often req
ne. The supply voltage is electrically isolated from the housing. If the supply voltage is not redundant, the FL MGUARD RS indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs.

4.3.3 Connecting to the network
WARNING: Only connect the FL MGUARD network ports to LAN installations. When connecting to the network, use cables with bend protection on the connectors. Cover unused female connectors with the dust protection caps provided. Some telecommunications connections also use RJ45 female connectors; these must not be connected to the RJ45 female connectors of the FL MGUARD.
LAN port: Connect the local computer or the local network to the LAN port of the FL MGUARD using a UTP Ethernet cable (CAT5). If your computer is already connected to a network, patch the FL MGUARD between the existing network connection. Please note that configuration can only be completed via the LAN interface, and the firewall of the FL MGUARD RS prevents all IP data traffic from the WAN to the LAN interface.
WAN port: Use a UTP cable (CAT5). Connect the external network (e.g., WAN, Internet) via the WAN female connector. Connections to the remote device or network are established via this network. Driver installation is not required. For
nel (Network Connections or Network and Dial-up Connections), right-click on the corresponding icon and select Disable in the context menu.
After a successful connection establishment: Once a connection has been established successfully, the following security alert is displayed.
[Figure 5-3: Security alert (Internet Explorer dialog stating that the site's security certificate was issued by a company not classified as trustworthy, that the certificate date is valid, and that the name on the certificate does not match the name of the site; buttons Yes, No, View certificate).]
Explanation: As administrative tasks can only be performed when secure, encrypted access to the device has been established, a self-signed certificate is supplied.
  - Click Yes to acknowledge the security alert. The login window is displayed.
[Figure 5-4: Login (mguard login): Username = admin; Password; Access Type = Administration / User Firewall.]
  - Select the access type (administration or user firewall) and enter your user name and passwor
ng We MIRAI VY cle 7-3
7.3.1 Installing the DHCP and TFTP server 7-6
8 EE EE Gemeente 8-1
9 Technical data 9-1
9.1 FL MGUARD RS, FL MGUARD PCI, FL MGUARD DELTA, FL MGUARD BLADE 9-1
9.2 FL MGUARD GT/GT 9-3
9.3 Ordering data 9-6
9.3.1 Products 9-6
9.3.2 Accessories 9-6

1 FL MGUARD security appliance
Network features / Firewall features
The FL MGUARD protects IP data connections by combining the following functions (by all device versions): Network card (FL MGUARD PCI) and Ethernet switch (FL MGUARD DELTA); VPN router (VPN = Virtual Private Network) for secure data transmission via public networks, with hardware-based DES, 3DES and AES encryption, IPsec protocol. The FL MGUARD RS ...B is a router which offers static routing, NAT
ng the supply voltage 4-5
4.3.3 Connecting to the network 4-6
4.4 Installing the FL MGUARD GT/GT 4-11
4.4.1 Mounting/removal 4-11
4.4.2 Connecting the supply voltage 4-12
4.4.3 Connecting to the network 4-14
4.5 Connecting the FL MGUARD SMART 4-17
4.6 Installing the FL MGUARD BLADE 4-18
4.7 Connecting the FL MGUARD DELTA 4-20
4.8 Installing the FL MGUARD PCI 4-21
4.8.1 PCI mode 4-21
4.8.2 Power-over-PCI mode 4-23
4.8.3 Installing the hardware 4-25
4.8.4 FL MGUARD 4-25
4.8.5 Driver installa
nged new (faulty) configuration profile again, despite it being faulty. This is to rule out the possibility that external factors (e.g., network failure) may have resulted in the check being unsuccessful. The FL MGUARD then attempts to connect to the configuration server again based on the new configuration and then downloads the newly applied configuration profile again. If this is unsuccessful, another rollback is performed. The selection criterion is enforced again for the further cycles for loading a new configuration, as often as is defined in the Number of times field. If the value in the Number of times field is specified as 0, the selection criterion will never be enforced (the offered configuration profile is ignored if it remains unchanged). As a result, the second of the following objectives can then no longer be met.
This mechanism has the following objectives:
  1. After applying a new configuration, it must be ensured that the FL MGUARD can still be configured from a remote location.
  2. When cycles are close together (e.g., Pull Schedule 15 minutes), the FL MGUARD must be prevented from testing a possibly faulty configuration profile over and over at intervals that are too short. This can block or prevent external administrative access, as the FL MGUARD is too busy dealing with its own processes.
  3. External factors (e.g., network failure) must be largely ruled out as a reason for the FL MGUARD rejecting the new confi
nnot be solved using the documentation, please contact your Phoenix Contact subsidiary. Subsidiary contact information is available at www.phoenixcontact.com.
PHOENIX CONTACT GmbH & Co. KG, Flachsmarktstraße 8, 32825 Blomberg, Germany; Phone +49 (0) 52 35 3 00; Fax +49 (0) 52 35 3 4 12 00
PHOENIX CONTACT, P.O. Box 4100, Harrisburg, PA 17111-0100, USA; Phone +1 717 944 1300
Should you have any suggestions or recommendations for improvement of the contents and layout of our manuals, please send your comments to tecdoc@phoenixcontact.com.

Table of Contents
1 FL MGUARD security appliance 1-1
1.1 Device properties 1-1
1.2 Device versions 1-3
2 Typical application scenarios 2-1
2.1 Stealth mode 2-1
2.2 Router mode 2-2
2.3 DMZ 2-3
2.4 VPN gateway 2-3
2.5 WLAN via VPN 2-4
2.6 Resolving network conflicts 2-5
3 Operating elements and ind
ns that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts.
  Comment: Freely selectable comment for this rule.
  Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting).
1) External 2 and Dial-in are only for devices with a serial interface (see Network >> Interfaces on page 6-55).

6.2.6.2 Trap
Management >> SNMP >> Trap
  Basic traps: SNMP authentication; Link Up/Down; Coldstart; Admin access (SSH, HTTPS); new DHCP client.
  Hardware-related traps: Chassis (power, signal relay); Agent (external config storage, temperature).
  CIFS integrity traps: Successful integrity check of a CIFS share; Failed integrity check of a CIFS share; Found a suspicious difference on a CIFS share.
  Userfirewall traps: Userfirewall traps.
  VPN traps: IPsec connection status changes; L2TP connection status changes.
  SEC-Stick traps: SEC-Stick connection status changes.
  Trap destinations.
Platform-specific configurations are only effective on the platform in question. Similarly, AV traps are only sent wh
nsation: FL MGUARD PCI, FL MGUARD BLADE, FL MGUARD SMART
Via grounded DIN rail, optional via COMBICON: FL MGUARD RS; via mounting plate: FL MGUARD PCI
250 g typical: FL MGUARD RS; 200 g: FL MGUARD PCI
Ethernet IEEE 802.3, 10/100 Mbps, RJ45; V.24 (RS-232)
FL MGUARD SMART: via USB interface (5 V, 500 mA) or by means of external power supply unit (110 to 230 V); FL MGUARD DELTA: 5 V DC, 3 A
Length of a 10Base-T/100Base-TX twisted-pair segment: 100 m approximately

Supply voltage US1/US2 (redundant), FL MGUARD RS
  Connection: Via COMBICON, conductor cross section 2.5 mm² maximum
  Nominal value: 24 V DC (SELV)
  Permissible voltage range: 9 V DC to 36 V DC
  Typical current consumption on US at 24 V DC: 170 mA
  Typical power consumption: 4 W at 24 V DC
  Overcurrent protection at the input: Non-replaceable fuse
  Potential difference between input voltage and housing: 36 V DC maximum
Supply voltage, FL MGUARD PCI
  Connection: Via PCI bus
  Nominal value: 5 V DC
Interfaces
  Number of Ethernet ports (LAN/WAN): 1/1
  Connection format: 8-pos. RJ45 female connector at the access point
  Connection medium: Twist
  Cable impedance
  Transmission speed
  Maximum network segment expansion
  Default IP address
Serial interface (FL MGUARD RS only)
  Connection format
  Maximum permissible cable length
  Transmission parameters
  Pin assignment
290. nsulted must be specified for each individual connection, e.g. for VPN connections. The FL MGUARD consults the CA certificate provided to check whether the certificate shown by the remote peer is authentic. This requires that all CA certificates are available to the FL MGUARD, so that a chain can be formed from the certificate shown by the remote peer through to the root certificate. "Available" means that the corresponding CA certificates must be installed on the FL MGUARD (see CA Certificates on page 6-125) and must also be made available during the configuration of the corresponding application (SSH, HTTPS, VPN).
Whether both methods are used alternatively or in combination varies depending on the application (VPN, SSH, HTTPS).

Authentication for SSH
The remote peer shows: a certificate specific to the individual, signed by a CA
  The FL MGUARD authenticates the remote peer using: all CA certificates that form the chain to the root CA certificate, together with the certificate shown by the remote peer; PLUS, if required, remote certificates if used as a filter (1)
The remote peer shows: a certificate specific to the individual, self-signed
  The FL MGUARD authenticates the remote peer using: the remote certificate
(1) See Management >> System Settings on page 6-4, Shell Access on page 6-11.

Authentication for HTTPS
The remote peer shows: a certificate specific to the individual, signed by a CA / a certificate specific to the individual, self-signed (remainder of the table not in this extract)
291. nternet address, a user can create the illusion of being an authorized user. Anti-spoofing is the term for mechanisms that detect or prevent spoofing.
Symmetrical encryption: In symmetrical encryption the same key is used to encrypt and decrypt data. Two examples of symmetrical encryption algorithms are DES and AES. They are fast, but also increasingly difficult to administer as the number of users increases, because every pair of communication partners needs its own shared key.
Subject certificate: In a certificate, the assignment of a public key to its owner is confirmed by a certification authority (CA). This takes the form of the confirmation of specific owner characteristics. Furthermore, the certificate owner must possess the private key that matches the public key in the certificate. An X.509 v3 certificate thus comprises a public key, information about the key owner (the Distinguished Name, DN, authorized use etc.) and the signature of the CA (see Subject certificate on page 8-7).
Example:
  Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: md5WithRSAEncryption
      Issuer: C=XY, ST=Austria, L=Graz, O=TrustMe Ltd, OU=Certification Authority, CN=CA, E-mail=ca@trustme.dom
      Validity
        Not Before: Oct 29 17:39:10 2000 GMT
      Subject: CN=anywhere.com, E=doctrans.de, C=DE, ST=Hamburg, L=Hamburg, O=Innominate, OU=Security
      Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
          Modulus (1024 bit): 00:c4:40:4c:6e:14:1b:61:36:84:24:b2:61:c
Note: the signature algorithm (md5WithRSAEncryption) and the 1024-bit key in this example are obsolete; certificates issued today use SHA-256 signatures and RSA keys of 2048 bits or longer.
292. o Transport, the following fields apart from Protocol are hidden, as these parameters are omitted.
Local: See Local on page 6-175
Remote: See Remote on page 6-175
Virtual IP for the client: See Virtual IP for the client on page 6-177
NAT
NAT for IPsec tunnel: Off / Local masquerading / 1:1 NAT connections. Default: Off.
Local masquerading: Can only be used for the Tunnel VPN type.
Example: A control center has one VPN tunnel each for a large number of branches. One local network with numerous computers is installed in each of the branches, and these computers are connected to the control center via the relevant VPN tunnel. In this case the address area could be too small to include all the computers at the various VPN tunnel ends. Local masquerading provides the solution: the computers connected in the network of a branch appear under a single IP address to the VPN gateway of the control center. In addition, this enables the local networks in the various branches to all use the same network address locally. Only the branch can establish VPN connections to the control center.
Internal network address for local masquerading: Specifies the network, i.e. the IP address area, for which local masquerading is used. The source address in the data packets sent by this computer via the VPN connection is only replaced by
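What local masquerading does to the packets of a branch, as an added example that is not part of the manual or of the mGuard firmware: two branches both numbered 192.168.1.0/24 are hidden behind one VPN-side address each, so the control center sees two distinct sources and can answer both, while a packet the control center sends on its own has no mapping and is discarded. The addresses, the per-branch masquerade IP and the port allocation scheme are assumptions of this example.

```python
# Added example, not from the FL MGUARD manual or firmware: source address
# translation as performed by "local masquerading" on the branch side of a
# VPN tunnel. Addresses, masquerade IPs and port numbers are made up.
import ipaddress


class LocalMasquerade:
    """Hides every host of one internal network behind a single VPN-side address."""

    def __init__(self, internal_net, masq_ip, first_port=10000):
        self.net = ipaddress.ip_network(internal_net, strict=False)
        self.masq_ip = masq_ip          # assumed: the address shown to the control center
        self.next_port = first_port     # assumed: ports handed out sequentially
        self.forward = {}               # (real_ip, real_port) -> masq_port
        self.reverse = {}               # masq_port -> (real_ip, real_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the branch into the tunnel; only sources inside the
        configured internal network are rewritten."""
        if ipaddress.ip_address(src_ip) not in self.net:
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.masq_ip, self.forward[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the control center. A reply maps back to the
        real host; a connection the center initiates has no mapping -> None."""
        if dst_ip != self.masq_ip or dst_port not in self.reverse:
            return None
        real_ip, real_port = self.reverse[dst_port]
        return (src_ip, src_port, real_ip, real_port)


def run_demo():
    # both branches use the same local network address, as the manual allows
    berlin = LocalMasquerade("192.168.1.0/24", "10.10.1.1")
    london = LocalMasquerade("192.168.1.0/24", "10.10.2.1")
    seen_at_center = [
        berlin.outbound("192.168.1.20", 5000, "10.0.0.5", 443),
        london.outbound("192.168.1.20", 5000, "10.0.0.5", 443),
    ]
    reply_to_berlin = berlin.inbound("10.0.0.5", 443, "10.10.1.1", 10000)
    unsolicited = berlin.inbound("10.0.0.5", 443, "10.10.1.1", 20000)
    return seen_at_center, reply_to_berlin, unsolicited


if __name__ == "__main__":
    print(run_demo())
```

The same host address 192.168.1.20 in both branches reaches the control center as 10.10.1.1 and 10.10.2.1 respectively, which is why overlapping branch networks do not collide behind the tunnel.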
293. o the entire set of VPN connection channels grouped under this name.
Similarities between VPN connection channels: the same authentication method as specified on the Authentication tab page (see Authentication on page 6-181); the same firewall settings; the same IKE options set.
Enabled: Yes / No. Specifies whether the VPN connection channels defined below should all be active (Yes) or not (No).
Address of the remote site's VPN gateway: An IP address, a host name, or "any" for several remote peers (or remote peers behind a NAT router).
Figure 6-3: Address of the remote site's VPN gateway (Internet, VPN gateway of the remote peer)
This is the address of the transition to the private network where the remote communication partner is located.
If the FL MGUARD should actively initiate and establish the connection to the remote peer, specify the IP address or host name of the remote peer here. If the VPN gateway of the remote peer does not have a fixed and known IP address, the DynDNS service (see glossary) can be used to simulate a fixed and known address.
If the FL MGUARD should be ready to accept a connection to the local FL MGUARD that was actively initiated and established by a remote peer with any IP address, specify "any". With "any", the source address is not a criterion at all; the remote peer is identified solely by the method configured on the Authentication tab page. This setting should also be selected for a VPN star configuration if the FL MGUARD is connected to the control center. T
294. oE router mode
Network >> Interfaces >> General, Router network mode, PPPoE router mode (screen: Network Status with External IP address, Active Default route, Used DNS servers; Network Mode: Router; Router Mode: PPPoE; PPPoE Login: user@provider.example.net; PPPoE Password; Request PPPoE Service Name: No; PPPoE Service Name; Automatic Re-connect: No; Re-connect daily at; tab pages Dial-in, Modem, Console)
PPPoE: For access to the Internet, the Internet service provider (ISP) provides the user with a user name (login) and password. These are requested when you attempt to establish a connection to the Internet.
PPPoE Login: The user name (login) that is required by the Internet service provider (ISP) when you attempt to establish a connection to the Internet.
PPPoE Password: The password that is required by the Internet service provider when you attempt to establish a connection to the Internet.
Request PPPoE Service Name: Yes / No. When Yes is selected, the PPPoE client of the FL MGUARD requests the service name specified below from the PPPoE server. Otherwise the PPPoE service name is not used.
PPPoE Service Name, Automatic Re-connect, Re-connect daily at: (descriptions continue in the next extract)
295. oaded certificate appears under Certificate.
- Remember to save the imported certificate along with the other entries by clicking on the Apply button.
Shortname: When importing a CA certificate, the CN attribute from the certificate's subject field is suggested as the short name here, provided the Shortname field is empty at this point. This name can be adopted or another name can be chosen.
- A name must be assigned, whether it is the suggested one or another. Names must be unique and must not be assigned more than once.
Use of the short name: During the configuration of SSH (Management >> System Settings, Shell Access menu), HTTPS (Management >> Web Settings, Access menu) and VPN connections (IPsec VPN >> Connections menu), the certificates imported on the FL MGUARD are provided in a selection list. The certificates are displayed under the short name specified for each individual certificate on this page. Name assignment is not mandatory.
Creating a certificate copy: A copy can be created from the imported CA certificate. To do this, proceed as follows:
- Click on Current Certificate File next to the Download Certificate row for the relevant CA certificate.
- Enter the desired information in the dialog box that opens.
296. og entries about the operations involved in establishing VPN connections are archived in the non-volatile memory of the FL MGUARD if the connections are established as follows:
- via the CMD/MC1 contact (1)
- via the CGI interface nph-vpn.cgi with the command synup (see the application note "Diagnosis of VPN connections"; application notes are available in the download area at www.innominate.com)
Archived log entries are not affected by a restart. They can be downloaded as part of the Support Snapshot (Support >> Advanced menu item, Snapshot tab page). A snapshot provides the Innominate Support team with additional options for more efficient troubleshooting than would be possible without archiving.
Archive diagnostic messages only upon failure: Yes / No. Only visible if archiving is enabled. If only log entries generated for failed connection attempts should be archived, set this option to Yes. If set to No, all log entries will be archived.
(1) The CMD/MC1 contact is only available on the FL MGUARD RS or FL MGUARD GT/GT.

TCP Encapsulation
This function is used to encapsulate data packets to be transmitted via a VPN connection in TCP packets. Without this encapsulation it is possible that, under certain circumstances, important data packets belonging to the VPN connection may not be correctly t
297. enterprise oid: mGuard; generic trap: enterpriseSpecific; specific trap: 3; additional: mGuardHTTPSLastAccessMAC
This trap is sent when a DHCP request is received from an unknown client.

Management >> SNMP >> Trap (continued)
Hardware related traps (FL MGUARD RS only)
Chassis (power, signal relay):
  Activate traps: Yes / No
  enterprise oid: mGuardTrapSenderIndustrial
  generic trap: enterpriseSpecific
  specific trap: mGuardTrapIndustrialPowerStatus (2)
  additional: mGuardTrapIndustrialPowerStatus
  Sent when the system registers a power failure.
  enterprise oid: mGuardTrapSenderIndustrial
  generic trap: enterpriseSpecific
  specific trap: mGuardTrapSignalRelais (3)
  additional: mGuardTResSignalRelaisState, mGuardTResSignalRelaisReason, mGuardTResSignalRelaisReasonIdx
  Sent after the signal contact is changed and indicates the current status (0 = Off, 1 = On).
Blade controller traps
Blade status change (blade only), Blade reconfiguration, Blade switch failure:
  Activate traps: Yes / No
  enterprise oid: mGuardTrapBladeCTRL
  generic trap: enterpriseSpecific
  specific trap: mGuardTrapBladeCtrlPowerStatus (2)
  additional: mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlPowerStatus
  This trap is sent when the power supply status of
298. ole (screen: Network Status with External IP address, Active Default route, Used DNS servers; Network Mode: Router; Router Mode: static; External Networks / External IPs (untrusted port) with IP, Netmask, Use VLAN, VLAN ID; Additional External Routes with Network, Gateway; IP of default gateway: 10.1.0.254)
Network >> Interfaces >> General, Router network mode, static router mode
External Networks / External IPs (untrusted port): The addresses on the WAN port side via which devices can access the FL MGUARD. If the transition to the Internet takes place here, the external IP address of the FL MGUARD is assigned by the Internet service provider (ISP).
IP / Netmask: IP address and subnet mask of the WAN port.
Use VLAN: Yes / No. If the IP address should be within a VLAN, set this option to Yes.
VLAN ID: A VLAN ID between 1 and 4095. An explanation can be found under VLAN on page 8-8.
If you want to delete entries from the list, please note that the first entry cannot be deleted.
Additional External Routes: In addition to the default route via the default gateway specified below, additional external routes (Network, Gateway) can be specified. See Network example diagram on page 6-216.
IP of default gatewa
299. 6.8.3.2 Authentication
IPsec VPN >> Connections >> Edit >> Authentication (screen for the connection "Berlin London": Authentication method: X.509 Certificate; Local X.509 Certificate: VPN terminal machine 06; Remote CA Certificate: VPN SubCA; Remote Certificate: VPN; Identifier: Local)
Authentication method: There are two options, X.509 Certificate (default) and Pre-Shared Secret (PSK). Depending on the chosen method, the page contains different setting options.
Authentication method X.509 Certificate: This method is supported by most modern IPsec implementations. With this option each VPN device has a private key and a public key in the form of an X.509 certificate, which contains additional information about the certificate's owner and the certification authority (CA).
The following must be specified:
- How the FL MGUARD authenticates itself to the remote peer
- How the FL MGUARD authenticates the remote peer
How the FL MGUARD authenticates itself to the remote peer: Local X.509 Certificate, selected from the machine certificates loaded on the FL MGUARD (e.g. VPN terminal machine 06).
IPsec VPN >> Connections >> Edit >>
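The authentication table (CA-signed peer certificate versus self-signed peer certificate), the short-name suggestion on CA import, and the "Remote CA Certificate: VPN SubCA" setting above, checked with OpenSSL. This is an added example, not taken from the manual or from the mGuard firmware: it builds a throw-away PKI (a root CA, a sub-CA named like the "VPN SubCA" in the screen, a machine certificate issued by that sub-CA, and one self-signed peer certificate), then verifies the machine certificate with and without the sub-CA available, pins the self-signed certificate as a remote certificate, and extracts the CN that the device would suggest as short name. All names and subjects are made up; the openssl command must be installed.

```shell
#!/bin/sh
# Added example, not from the FL MGUARD manual or firmware: a throw-away PKI
# (root CA -> "VPN SubCA" -> machine certificate, plus one self-signed peer
# certificate) built with OpenSSL, used to check the cases in the
# authentication table. All names and subjects are made up; needs openssl.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

if command -v openssl >/dev/null 2>&1; then HAVE_OPENSSL=1; else HAVE_OPENSSL=0; fi

# issue_cert NAME SUBJECT ISSUER EXTFILE: new key + CSR, signed with ISSUER's key
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
}

build_pki() {
  # "req -x509" produces self-signed certificates: the root CA, and a peer
  # that has no CA behind it at all (the "self-signed" column of the table)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout root.key -out root.pem -subj "/O=Example Corp/CN=Root CA" >/dev/null 2>&1 &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout peer.key -out peer.pem -subj "/O=Example Corp/CN=VPN terminal 07" >/dev/null 2>&1 &&
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > ee.ext &&
  issue_cert subca "/O=Example Corp/CN=VPN SubCA" root ca.ext &&
  issue_cert machine "/O=Example Corp/CN=VPN terminal 06" subca ee.ext
}

# verify CERT CAFILE [INTERMEDIATE]: CAFILE is the trust anchor the device has
# "installed"; INTERMEDIATE is the sub-CA certificate, when it is available
verify() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# The short name the device suggests when a CA certificate is imported:
# the CN attribute of the subject field
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

if [ "$HAVE_OPENSSL" = 1 ] && build_pki; then
  CHAIN_COMPLETE=$(verify machine.pem root.pem subca.pem) # root + SubCA available: OK
  CHAIN_MISSING=$(verify machine.pem root.pem)            # SubCA not installed, no chain: FAIL
  PINNED_SELF=$(verify peer.pem peer.pem)                 # self-signed peer as remote certificate: OK
  WRONG_PIN=$(verify machine.pem peer.pem)                # any other certificate is rejected: FAIL
  SHORTNAME=$(subject_cn subca.pem)                       # "VPN SubCA"
else
  CHAIN_COMPLETE=SKIP; CHAIN_MISSING=SKIP; PINNED_SELF=SKIP; WRONG_PIN=SKIP; SHORTNAME=SKIP
fi
printf 'full chain: %s\nSubCA missing: %s\npinned self-signed: %s\nwrong pin: %s\nsuggested short name: %s\n' \
  "$CHAIN_COMPLETE" "$CHAIN_MISSING" "$PINNED_SELF" "$WRONG_PIN" "$SHORTNAME"
```

The "SubCA missing" case is the one the manual warns about: a root certificate alone is not enough when the peer's certificate was issued by an intermediate CA, so every CA in the chain has to be imported and selected for the application. The "wrong pin" case shows the other column of the table: with a self-signed remote certificate there is no chain to build, and only that exact certificate is accepted.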
300. (screen: Use Proxy for HTTP and HTTPS; HTTP(S) Proxy Server: proxy.example.com; Port; Proxy Authentication: Login, Password)
A proxy server can be specified here for the following activities performed by the FL MGUARD itself: CRL download; firmware update; regular configuration profile retrieval from a central location; restoring of licenses.
Network >> Proxy Settings >> HTTP(S) Proxy Settings
Use Proxy for HTTP and HTTPS: When set to Yes, connections that use the HTTP or HTTPS protocol are transmitted via a proxy server whose address and port should be specified in the next two fields.
HTTP(S) Proxy Server: Host name or IP address of the proxy server.
Port: Number of the port to be used, e.g. 3128.
Proxy Authentication: Login: User name for proxy server login. Password: Password for proxy server login.

6.5 Authentication menu
6.5.1 Authentication >> Local Users
6.5.1.1 Passwords
Authentication >> Local Users >> Passwords (screen: Root Password, Account: root; Administrator Password, Account: admin; User Password, Account: user; Disable VPN until the user is authenticated via HTTP)
Local users refers to users who have the right, depending on their authorization level, to configure the FL MGUARD (root and administrator authorization levels) or to use it (us
301. (Table of contents, continued)
  ... 4-26
5 Preparing the configuration ... 5-1
  5.1 Connection requirements ... 5-1
  5.2 Local configuration on startup ... 5-3
    5.2.1 Configuring the FL MGUARD RS, FL MGUARD SMART and FL MGUARD BLADE on startup ... 5-3
    5.2.2 FL MGUARD DELTA, FL MGUARD GT/GT ... 5-5
    5.2.3 FL MGUARD PCI ... 5-7
  5.3 Establishing a local configuration connection ... 5-9
  5.4 Remote configuration ... 5-11
6 Configuration ... 6-1
  6.1 ... 6-1
  6.2 Management menu ... 6-4
    6.2.1 Management >> System Settings ... 6-4
    6.2.2 Management >> Web Settings ... 6-18
    6.2.3 Management >> Licensing ... 6-29
    6.2.4 Management >> Update ... 6-32
    6.2.5 Management >>
302. on read directly from the CRL by the FL MGUARD: the time and date when the CA will next issue a new CRL. This information is not influenced or considered by the CRL download interval.
URL: Specify the URL of the CA from which CRL downloads are obtained, if the CRL should be downloaded on a regular basis as defined under CRL download interval on the Certificate Settings tab page (see Certificate settings on page 6-121).
Upload: If the CRL is available as a file, it can also be loaded onto the FL MGUARD manually.
- To do this, click on Browse, select the file and click on Import.
- Remember to save the imported CRL along with the other entries by clicking on the Apply button.

6.6 Network Security menu
This menu is not available on the FL MGUARD BLADE controller.
6.6.1 Network Security >> Packet Filter
The FL MGUARD includes a Stateful Packet Inspection Firewall. The connection data of an active connection is recorded in a database (connection tracking). Rules therefore only need to be defined for one direction: the data from the other direction of the relevant connection, and only this data, is automatically allowed through. A side effect is that existing connections are not aborted during reconfiguration, even if a corresponding new connection can no longer be established; a rule tightened to block a service therefore takes effect for new connections only, and an already established connection continues until it is closed or times out.
Default firewall settings: A
303. on the computer. In driver mode no additional network card is required for the computer.
Stealth mode in driver mode (default setting)
In driver mode the LAN Ethernet female connector is switched off. The LAN interface of the FL MGUARD is occupied internally by the host computer.
Figure 4-17: Driver mode, stealth mode
In stealth mode the FL MGUARD behaves like a normal network card. The IP address that is configured for the network interface of the operating system (LAN port) is also used by the FL MGUARD for its WAN port. This means that the FL MGUARD does not appear as a separate device with its own address for data traffic to and from the computer. In stealth mode PPPoE and PPTP cannot be used.
Router mode in driver mode
Figure 4-18: Driver mode, router mode (operating system: 192.168.1.2; FL MGUARD PCI: 192.168.1.1 and external IP)
If the FL MGUARD is in router mode or in PPPoE or PPTP mode, it essentially creates its own network with the operating system of the computer in which the FL MGUARD is installed. For the IP configuration of the network interface of the operating system this means that an IP address must be assigned that differs from the internal
304. onfiguration profile is saved, the passwords used for authenticating administrative access to the FL MGUARD are not saved. Restoring a profile therefore never changes the root and admin passwords; on a replacement device they have to be set separately.
It is possible to load and activate a configuration profile that was created under an older firmware version of the FL MGUARD. However, the reverse is not true: a configuration profile created under a newer firmware version should not be loaded.
Management >> Update >> Configuration Profiles
Configuration Profiles: At the top of the Configuration Profiles page there is a list of the configuration profiles that are stored on the FL MGUARD, e.g. the Factory Default configuration profile. If any configuration profiles have been saved by the user (see below), they will be listed here.
Active configuration profile: The configuration profile that is currently enabled has an Active symbol at the start of the entry.
Configuration profiles that are stored on the FL MGUARD can be enabled, saved as a file on the connected configuration computer, deleted, or displayed.
Management >> Update >> Configuration Profiles (continued)
Displaying the configuration profile: Click on the name of the configuration profile in the list.
Enabling the default setting or a configuration profile saved on the FL MGUARD by the user: Click on Restore to the right of the name of the relevant configuration profile. The c
305. onfiguration profile on a blade / When retrieving a configuration profile from a blade (headings only; the text is not in this extract)
Searching for firewall rules on the basis of a network security log
If the Network Security checkbox is enabled so that the relevant log entries are displayed, the "Jump to firewall rule" search field is displayed below the Reload logs button.
Proceed as follows if you want to trace the firewall rule referenced by a log entry in the Network Security category that resulted in the corresponding event:
1. Select the section that contains the log ID and number in the relevant log entry, for example:
(Screenshot of the log view; the individual log lines are not legible in this extract.)
306. onnected to the signal contact. The signal contact monitors the operation of the FL MGUARD GT/GT and thus enables remote diagnostics. Interruption of the contact via the floating signal contact (relay contact, closed-circuit current) indicates the following:
- Failure of at least one of the two supply voltages
- Power supply of the FL MGUARD GT/GT below the specified limit value (supply voltage 1 and/or 2 is less than 18 V)
- The faulty link status of at least one port. The link status for each port can be masked on the FL MGUARD GT/GT via the management software. By default upon delivery there is no connection monitoring.
- Error during self-test
During a restart the signal contact is interrupted until the FL MGUARD has started up completely. This also applies when the signal contact is manually set to Closed in the software configuration.
VPN enable contact
Always supply the VPN enable button from the voltage source that supplies the FL MGUARD GT/GT VPN.
A button or an on/off switch (e.g. a key switch) can be connected to the VPN enable contacts MC1 and GND. The button or on/off switch is used to establish and release a predefined VPN connection. The INF LED indicates the status of the VPN connection (see IPsec VPN >> Global on page 6-161 under Options).
- To establish the VPN connection, hold down the button for a few seconds until the Signal LED flashes. Then release the button. The flashing indicates that
307. ontains further subsequent rules that could also apply, these rules are ignored.
The following options are available:
Protocol: All means TCP, UDP, ICMP and other IP protocols.
From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 6-215).
Network >> Interfaces >> Dial-in (continued)
From Port / To Port: Only evaluated for the TCP and UDP protocols. "any" refers to any port; "startport:endport" (e.g. 110:120) refers to a port range. Individual ports can be specified using the port number or the corresponding service name, e.g. 110 for pop3 or pop3 for 110.
Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back (typically as an ICMP error or a TCP reset), so the sender is informed of their rejection. Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts. Because Reject tells a sender that a filter exists, Drop is the usual choice towards untrusted networks.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, the default setting).
Log entries for unknown connection attempts: Yes / No. When set to Yes, all connection attempts that are not covered by the
Outgoing Rules:
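The rule evaluation described above (first match wins, CIDR address ranges, port numbers, ranges and service names, the three actions, per-rule logging) together with the connection tracking from Network Security >> Packet Filter (rules for one direction only, replies of accepted flows pass automatically, established connections survive a reconfiguration), as an added example that is not part of the manual or of the mGuard firmware. The rule representation, the default action and the small service-name table are assumptions of this example.

```python
# Added example, not from the FL MGUARD manual or firmware: a first-match
# packet filter with connection tracking, modelled on the rule fields
# described above (Protocol, From/To IP in CIDR notation, From/To Port as
# number, "start:end" range or service name, Action Accept/Reject/Drop, Log).
# The rule representation and the service table are assumptions.
import ipaddress
from dataclasses import dataclass

SERVICES = {"pop3": 110, "ssh": 22, "https": 443}   # assumed, stands in for /etc/services


def _port(token):
    """A single port given as number ("110") or service name ("pop3")."""
    return SERVICES[token] if token in SERVICES else int(token)


def parse_ports(spec):
    """'any' -> every port, 'lo:hi' -> inclusive range, '110'/'pop3' -> one port."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (_port(lo), _port(hi))
    p = _port(spec)
    return (p, p)


@dataclass
class Rule:
    proto: str                 # "all", "tcp", "udp" or "icmp"
    src: str                   # CIDR; 0.0.0.0/0 = all addresses
    dst: str
    sport: str = "any"
    dport: str = "any"
    action: str = "Accept"     # Accept, Reject or Drop
    log: bool = False
    comment: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if pkt.proto in ("tcp", "udp"):          # ports are only evaluated for TCP and UDP
        for spec, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
            lo, hi = parse_ports(spec)
            if not lo <= port <= hi:
                return False
    return True


class StatefulFilter:
    """Rules describe one direction; replies of accepted flows pass via connection tracking."""

    def __init__(self, rules, default="Drop", log_unknown=False):
        self.rules = list(rules)
        self.default = default               # assumed default when no rule matches
        self.log_unknown = log_unknown
        self.conntrack = set()               # 5-tuples of flows accepted so far
        self.log = []

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack:        # return traffic of a tracked connection
            return "Accept"
        for i, rule in enumerate(self.rules):
            if matches(rule, pkt):           # first match wins; later rules are ignored
                if rule.log:
                    self.log.append(f"rule {i} {rule.action} {flow} {rule.comment}")
                if rule.action == "Accept":
                    self.conntrack.add(flow)
                return rule.action
        if self.log_unknown:                 # "Log entries for unknown connection attempts"
            self.log.append(f"no rule {self.default} {flow}")
        return self.default

    def reconfigure(self, rules):
        """Replace the rule set; tracked connections are kept, as the manual notes."""
        self.rules = list(rules)


def run_demo():
    rules = [
        Rule("tcp", "192.168.1.0/24", "0.0.0.0/0", dport="pop3", log=True, comment="mail"),
        Rule("tcp", "192.168.1.0/24", "0.0.0.0/0", dport="110:120", action="Reject"),
        Rule("all", "0.0.0.0/0", "0.0.0.0/0", action="Drop"),
    ]
    fw = StatefulFilter(rules, log_unknown=True)
    request = Packet("tcp", "192.168.1.10", "203.0.113.5", sport=40000, dport=110)
    reply = Packet("tcp", "203.0.113.5", "192.168.1.10", sport=110, dport=40000)
    unsolicited = Packet("tcp", "203.0.113.5", "192.168.1.10", sport=110, dport=40001)
    results = [fw.filter(request), fw.filter(reply), fw.filter(unsolicited)]
    fw.reconfigure([Rule("all", "0.0.0.0/0", "0.0.0.0/0", action="Drop")])  # tighten everything
    results.append(fw.filter(reply))                                         # established flow survives
    results.append(fw.filter(Packet("tcp", "192.168.1.10", "203.0.113.5", sport=40002, dport=110)))
    return results, fw.log


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering effect in the demo: port 110 is caught by the first (Accept, logged) rule, so the second rule's Reject applies only to 111-120 even though its range includes 110. The last two results show the side effect the manual describes: after every rule is replaced by Drop, the reply to the already accepted connection still passes, while a new connection to the same service is dropped.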
308. or the LAN port (Internal tab page) and the WAN port (External tab page).
Measurement Unit: kbit/s or Packet/s. Specifies the unit of measurement for the numerical values entered under Guaranteed and Upper Limit.
Filters
Use VLAN: If a VLAN is set up, the relevant VLAN ID can be specified to allow the relevant data packets to pass through. This option must be set to Yes.
VLAN ID: Specifies that the VLAN data packets that have this VLAN ID may pass through. The Use VLAN option must be set to Yes.
Ethernet Protocol: Specifies that only data packets of the specified Ethernet protocol may pass through. Possible entries: ARP, IPv4 and any. Other entries must be in hexadecimal format (up to 4 digits): the ID of the relevant protocol in the Ethernet header (EtherType) is entered here. This can be found in the publication of the relevant standard.
IP Protocol: All, TCP, UDP, ICMP, ESP. Specifies that only data packets of the selected IP protocol may pass through. When set to All, no filtering is applied according to the IP protocol.
QoS >> Ingress Filters >> Internal/External (continued)
From IP: Specifies that only data packets from a specified IP address may pass through. 0.0.0.0/0 stands for all addresses, i.e. in this case no filtering is applied according to the IP address of the sender. To specify an address area, use CIDR format (se
309. ork
NOTE: Select suitable ambient conditions
Ambient temperature: 0 °C to 40 °C (FL MGUARD SMART, FL MGUARD BLADE, FL MGUARD DELTA); 70 °C maximum (FL MGUARD PCI); 55 °C maximum (FL MGUARD RS); 20 °C to 60 °C (FL MGUARD GT/GT, FL MGUARD GT/GT VPN)
Maximum humidity: 90 %, no condensation (FL MGUARD SMART, FL MGUARD BLADE, FL MGUARD DELTA, FL MGUARD PCI); 95 %, no condensation (FL MGUARD RS, FL MGUARD GT/GT, FL MGUARD GT/GT VPN)
To avoid overheating, do not expose to direct sunlight or other heat sources.
NOTE: Cleaning. Clean the device housing with a soft cloth. Do not use abrasive solvents.

Steps for startup
To start up the device, carry out the following steps in the specified order.
Table 4-1: Steps for startup
1. Check the scope of supply. Read the release notes. (Checking the scope of supply on page 4-3)
2. Connect the device. (Installing the FL MGUARD RS on page 4-4; Installing the FL MGUARD GT/GT on page 4-11; Connecting the FL MGUARD SMART on page 4-17; Installing the FL MGUARD BLADE on page 4-18; Conn
3. Configure the device if required. Work through the individual menu options offered by the FL MGUARD configuration interface. Read the explanations in this user manual in order to determine which settings are required for your operating environment.
310. ork (WAN).
If the secondary external interface is activated, the following applies:
In stealth network mode: Only the data traffic generated by the FL MGUARD is subject to the routing specified for the secondary external interface, not the data traffic from a locally connected computer. Locally connected computers cannot be accessed remotely either; only the FL MGUARD can be accessed remotely, if the configuration permits this. As in router network mode, VPN data traffic can flow to and from the locally connected computers. Because this traffic is encrypted by the FL MGUARD, it is seen as being generated by the FL MGUARD.
In router network mode: All data traffic, i.e. from and to locally connected computers, including the data traffic generated by the FL MGUARD, can be routed to the external network (WAN) via the secondary external interface.
Secondary External Interface
Network Mode: Off / Modem / Built-in Modem
Off (default): Select this setting if the operating environment of the FL MGUARD does not require a secondary external interface. You can then use the serial interface or the built-in modem (if present) for other purposes (see Modem/Console on page 6-90).
Modem / Built-in Modem: If you select one of these options, the secondary external interface will be used to route data permanently or temporarily to the external network (WAN). The secondary external interface is created via the serial interface of the FL MGUARD and an exte
311. orresponding configuration profile is activated.
Saving the configuration profile as a file on the configuration computer
- Click on Download to the right of the name of the relevant configuration profile.
- In the dialog box that is displayed, specify the file name and folder under which the configuration profile is to be saved. The file name can be freely selected.
Deleting a configuration profile
- Click on Delete to the right of the name of the relevant configuration profile.
The Factory Default profile cannot be deleted.
Saving the active configuration as a configuration profile on the FL MGUARD
- Enter the desired profile name in the "Name for the new profile" field next to "Save Current Configuration to Profile".
- Click on Save. The configuration profile is saved on the FL MGUARD and the name of the profile appears in the list of profiles already stored on the FL MGUARD.
Uploading a configuration profile that has been saved to a file on the configuration computer
Requirement: A configuration profile has been saved on the configuration computer as a file according to the procedure described above.
1. Enter the desired profile name in the "Name for the new profile" field next to "Upload Configuration to Profile".
2. Click on Browse, then select and open the relevant file in the dialog box that is displayed.
3. Click on Upload. The configuration profile is loaded onto the FL MGUARD and the name assigned in step 1 appears
312. 6.9.3 Egress Queues (VPN)
6.9.3.1 VPN via Internal / VPN via External / VPN via External 2 / VPN via Dial-in
Setting for egress queues, QoS >> Egress Queues (VPN). The tab pages VPN via Internal, VPN via External, VPN via External 2 and VPN via Dial-in all offer the same settings:
Enabling: Enable Egress QoS
Total Bandwidth Rate: Bandwidth Rate Limit: unlimited (kbit/s)
Queues:
  Urgent: unlimited, priority High
  Important: unlimited, priority Medium
  Default: unlimited, priority Medium
  Low Priority: unlimited, priority Low
313. owing must be specified:
- How the FL MGUARD authenticates itself to the SSH client according to X.509 (see SSH server certificate 1)
- How the FL MGUARD authenticates the remote SSH client according to X.509 (see SSH server certificate 2)
SSH server certificate 1: Specifies how the FL MGUARD identifies itself to the SSH client. Select one of the machine certificates from the list, or the None entry.
None: When None is selected, the SSH server of the FL MGUARD does not authenticate itself to the SSH client via an X.509 certificate. Instead it uses a server key and is thus compatible with older versions of the FL MGUARD.
If one of the machine certificates is selected, this is also offered to the SSH client. The client can then decide whether to use the conventional authentication method or the method according to X.509. The selection list contains the machine certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item (see page 6-116).
Management >> System Settings >> Shell Access (continued)
SSH server certificate 2: Specifies how the FL MGUARD authenticates the SSH client. The following definition relates to how the FL MGUARD verifies the authentication of the SSH client. The table below shows which certificates must be provided for the FL MGUARD to authenticate the SSH c
314. pe
FL MGUARD RS, FL MGUARD GT/GT: The State LED is lit continuously.
FL MGUARD SMART: The middle LED (Heartbeat) is lit continuously.
FL MGUARD BLADE, FL MGUARD PCI: The green LEDs flash while the red LAN LED is lit continuously.
FL MGUARD DELTA: The status LED is lit continuously.

The new software is extracted and configured. This takes around 1-3 minutes. As soon as the procedure has been completed, the following occurs:
FL MGUARD RS, FL MGUARD GT/GT: The Modem, State and LAN LEDs flash green simultaneously.
FL MGUARD SMART: All 3 LEDs flash green simultaneously.
FL MGUARD BLADE: The green WAN, green LAN and red WAN LEDs flash simultaneously.
FL MGUARD PCI: The FL MGUARD restarts.
FL MGUARD DELTA: The status LED flashes once per second.

• Restart the FL MGUARD. This is not necessary on the FL MGUARD BLADE and FL MGUARD PCI.
• To do this, briefly press the Rescue button. Alternatively, you can disconnect and reconnect the power supply. On the FL MGUARD SMART you can disconnect and insert the USB cable, as it is only used for the power supply.

The FL MGUARD is in the "default upon delivery" state. You can now configure it again (see "Establishing a local configuration connection" on page 5-9).

7.3.1 Installing the DHCP and TFTP server

NOTE: If you install a second DHCP server in a network, this could affect the configuration
315. pleted

Failed integrity check of a CIFS share: Activate traps (Yes/No).
enterprise-oid: mGuardTrapCIC; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapCICFail (2); additional: mGuardTrapCICShareName, mGuardTrapCICShareUNC.
This trap is sent if the CIFS integrity check has failed.

Found a suspicious difference on a CIFS share: Activate traps (Yes/No).
enterprise-oid: mGuardTrapCIC; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapCICFail (2); additional: mGuardTrapCICShareName, mGuardTrapCICShareUNC.
This trap is sent if the CIFS integrity check has detected a deviation.

Userfirewall traps: Activate traps (Yes/No).
enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapUserFirewallLogin (1); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirewallAuthenticationMethod.
This trap is sent when a user logs into the user firewall.

Management >> SNMP >> Trap (continued)

Userfirewall traps (continued):
enterprise-oid: mGuardTrapUserFirewall; generic-trap: enterpriseSpecific; specific-trap: mGuardTrapUserFirewallLogout (2); additional: mGuardTResUserFirewallUsername, mGuardTResUserFirewallSrcIP, mGuardTResUserFirew

VPN traps: IPsec connection status changes
316. porary mode.

Gateway: Specify the IP address (if known) of the gateway that is used for routing to the external network described above. When you dial into the Internet using the phone number of the Internet service provider, the address of the gateway is usually not known until you have dialed in. In this case, enter "gateway" in the field as a placeholder.

Operation Mode (permanent/temporary): In both permanent and temporary mode, the modem must be available to the FL MGUARD for the secondary external interface so that the FL MGUARD can establish a connection to the WAN (Internet) via the telephone network connected to the modem.

Which data packets are routed via the primary external interface (Ethernet interface) and which data packets are routed via the secondary external interface is determined by the routing settings that are applied for these two external interfaces. Therefore, an interface can only take a data packet if the routing setting for that interface matches the destination of the data packet.

The following rules apply for routing entries: If multiple routing entries for the destination of a data packet match, then the smallest network defined in the routing entries that matches the data packet determines which route this packet takes.

Example: The external route of the primary external interface is spe
317. pply connections and the signal contact

4.4.2.1 Simple connection of the supply voltage/signal contact without VPN enable button

The supply voltage is connected via a terminal block with screw locking, which is located under the front of the device.

[Figure 4-8: Simple connection of the supply voltage/signal contact without VPN enable button (terminal labels shown: US1, GND, R1, R2, OUT)]

4.4.2.2 Redundant connection of the supply voltage/signal contact without VPN enable button

A redundant supply voltage can be connected. Both inputs are isolated. The load is not distributed. With a redundant supply, the power supply unit with the higher output voltage supplies the FL MGUARD GT/GT alone. The supply voltage is electrically isolated from the housing.

If the supply voltage is not redundant, the FL MGUARD RS indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs.

[Figure 4-9: Redundant connection of the supply voltage/signal contact without VPN enable button (terminal labels shown: US1, GND, R1, R2, OUT; 24 V DC)]

4.4.2.3 Simple connection of the supply voltage/signal contact with VPN enable button

Always supply the VPN enable button from the volta
318. provider may have several customers, and it uses this name to identify who is attempting to dial in. After the FL MGUARD has logged in to the Internet service provider with this name, the service provider also compares the password specified for client authentication (see below). The connection can only be established successfully if the name is known to the service provider and the password matches.

A name assigned to the FL MGUARD by the Internet service provider for identification purposes. The FL MGUARD will not establish a connection to the service provider if the ISP does not assign the correct name.

Password that must be specified during Internet service provider login to access the Internet.

Yes/No: The following two entry fields are shown when Yes is selected.

Password that the FL MGUARD requests from the server. The FL MGUARD only allows the connection if the server returns the agreed password.

See under "If None is selected as the authentication method" on page 6-83. In this case, all fields that relate to the PAP or CHAP authentication methods are hidden.

Network >> Interfaces >> Dial-out (continued)

Network >> Interfaces >> Dial-out: PPP dial-out options

Only the fields that define further settings remain visible.

Authentication. Dial on demand: Yes
319. ptimize prioritization, the total bandwidth specified here should be slightly lower than the actual amount. This prevents a buffer overrun on the transferring devices, which would result in adverse effects.

The default name for the egress queues can be adopted, or another can be assigned. The name does not specify the priority level.

Guaranteed bandwidth: Bandwidth that should be available at all times for the relevant queue. To be specified based on the selection under Bandwidth Rate Limit (kbit/s or packets/s), but the unit of measurement does not have to be specified explicitly here. The total of all guaranteed bandwidths must be less than or equal to the total bandwidth.

Maximum bandwidth: Maximum bandwidth available that may be set for the relevant queue by the system. To be specified based on the selection under Bandwidth Rate Limit (kbit/s or packets/s), but the unit of measurement does not have to be specified explicitly here. The value must be greater than or equal to the guaranteed bandwidth. The value "unlimited" can also be specified, which means that there is no further restriction.

Priority (Low/Medium/High): Specifies with which priority the affected queue should be processed, providing the total available bandwidth has not been exhausted.

Comment: Optional comment text.

6.9.4 Egress Rules

This page defines the rules for which data is assigned to the defined egress qu
320. pull out the SFP module (B).

[Figure 3-10: Removing the SFP modules]

V.24 (RS-232) interface for external management

The interface is designed exclusively for configuration purposes and not for the connection of external devices such as modems.

The 6-pos. Mini-DIN female connector provides a serial interface to connect a local management station. It can be used to connect a VT-100 terminal or a PC with corresponding terminal emulation to the management interface (for an appropriate cable, please refer to page 9-6). Set the following transmission parameters:

RS-232 (V.24) interface: Bits per second: 38400; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None.

[Figure 3-11: Transmission parameters and assignment of the V.24 (RS-232) interface (connector pin assignment shown in the figure, including RTS and RD)]

3.2.5 Signal contact

The switch has a floating signal contact. An error is indicated when the contact is opened.

[Figure 3-12: Basic circuit diagram for the signal contact]

3.2.5.1 Local diagnostic and status indicators on the FL MGUARD GT/GT

Table 3-4: Indicators on the FL MGUARD RS
Green, ON: Supply voltage 1 in the tolerance range. OFF: Supply voltage 1 too low.
Green, ON: Supply voltage 2 in the tolerance range. OFF: Supply voltage 2 too low.
ON: Signal contact open, i.e. an e
321. r No blade available.

Reconfiguration if the FL MGUARD BLADE is replaced: After replacing an FL MGUARD in this slot, the configuration stored on the controller is automatically transferred to the new device in this slot.

Delete configuration backup of Blade: Deletes the configuration stored on the controller for the device in this slot.

Upload configuration from client: Uploads and saves the configuration profile for this slot onto the controller.

Download configuration to client: Downloads the configuration profile stored on the controller for this slot onto the configuration PC.

6.4 Network menu

6.4.1 Network >> Interfaces

The FL MGUARD has the following interfaces with external access. Please note that the serial interface of the FL MGUARD GT/GT should only be used for configuration purposes and should not be used to connect external devices such as modems.

[Table: Interfaces with external access. Columns: Ethernet (Internal LAN interface, External WAN), Serial, Built-in modem. Rows: FL MGUARD SMART, FL MGUARD GT/GT, FL MGUARD RS, FL MGUARD BLADE, FL MGUARD DELTA. Entries visible in the extracted text: Yes; Optional (FL MGUARD RS VPN ANALOG / ISDN)]

The LAN port is connected to a single computer or the local network (internal). The WAN port is used to connect to the external network. For devices with a serial interface, the connection to the external network can also or additionally be
322. r all other message codes that are not listed here, please contact Phoenix Contact.

3.2.4 Interfaces on the FL MGUARD GT/GT

3.2.4.1 RJ45 ports

The FL MGUARD GT/GT has two RJ45 ports, which support both 10/100 Mbps and 1000 Mbps and can be configured via web-based management. The LAN or WAN RJ45 ports are disabled after the next reboot of the device if an SFP module is inserted in the corresponding slot.

Assignment of the RJ45 Ethernet connectors

Please note that for operation with 1000 Mbps (Gigabit), cables with four twisted pairs (eight wires), which meet the requirements of CAT5e as a minimum, must be used.

Table 3-3: Pin assignment of RJ45 connectors (columns: Pin; 10Base-T (10 Mbps); 100Base-T (100 Mbps); 1000Base-T (1000 Mbps))
TD (transmit); TD (transmit); BI_DA (bidirectional)
TD (transmit); TD (transmit); BI_DA (bidirectional)
RD (receive); RD (receive); BI_DB (bidirectional)
-; -; BIDE (bidirectional)
6: RD (receive); RD (receive); BI_DB (bidirectional)

3.2.4.2 SFP slots

Inserted SFP modules are detected automatically when the device is switched on, and the corresponding RJ45 port is disabled. Configuration of the SFP modules is not required, because the modules are always operated at 1000 Mbps full duplex. Use of the following module types is recommended: FL SFP SX, Order No. 2891
323. r example, in Austria the PPTP protocol is used instead of the PPPoE protocol for DSL connections. PPTP is the protocol that was originally used by Microsoft for VPN connections.

If the FL MGUARD is operated in PPTP mode, the FL MGUARD must be set as the default gateway on the locally connected computers. This means that the IP address of the FL MGUARD LAN port must be specified as the default gateway on these computers.

If the FL MGUARD is operated in PPTP mode, NAT should be activated in order to gain access to the Internet from the local network (see Network >> NAT on page 6-96). If NAT is not activated, it is possible that only VPN connections can be used.

For the further configuration of PPTP network mode, see "Router network mode, PPTP router mode" on page 6-77.

Router Mode: Modem. Only used for FL MGUARD RS devices without a built-in modem, FL MGUARD BLADE and FL MGUARD DELTA. Please note that the serial interface of the FL MGUARD GT/GT should only be used for configuration purposes and should not be used to connect external devices such as modems.

If modem network mode is selected, the external Ethernet interface of the FL MGUARD is deactivated and data is transferred to and from the WAN via the serial interface (serial port) of the FL MGUARD. An external modem, which establishes
324. ragmentation: Some routers fail to forward large UDP packets, which may break the IPsec protocol. The following options allow you to reduce the size of the UDP packets generated by IPsec to traverse such routers: IKE Fragmentation; IPsec MTU (default is 16260).

IPsec VPN >> Global >> Options

Options: Allow packet forwarding between VPN connections. This option should only be set to Yes on an FL MGUARD communicating between two different VPN remote peers. To enable communication between two VPN remote peers, the local network of the communicating FL MGUARD must be configured so that the remote networks containing the VPN remote peers are included. The opposite setup (local and remote network swapped round) must also be implemented for the VPN remote peers (see Remote on page 6-175). Yes is not supported in stealth network mode.

IPsec VPN >> Global >> Options (continued)

No (default): VPN connections exist separately.
Yes: Hub and spoke feature enabled. A control center diverts VPN connections to several branches that can also communicate with each other. With a star VPN connection topology, FL MGUARD remote peers can also exchange data with one another. In this case, it is recommended that the local FL MGUARD consults CA certificates for the authentication of remote peers (see Authentication on page
325. ransmitted due to interconnected NAT routers, firewalls or proxy servers, for example. For example, firewalls may be set up to prevent any data packets of the UDP protocol from passing through, or incorrectly implemented NAT routers may not manage the port numbers correctly for UDP packets. TCP encapsulation avoids these problems because the packets belonging to the relevant VPN connection are encapsulated in TCP packets, i.e. they are hidden so that only TCP packets appear for the network infrastructure.

TCP encapsulation can only be used if an FL MGUARD Version 6.1 or later is used at both ends of the VPN tunnel.

TCP encapsulation should only be used if it is necessary, because connections are slowed down by the significant increase in the data packet overhead and by the correspondingly longer processing times.

If the FL MGUARD is configured to use a proxy for HTTP and HTTPS in the Network >> Proxy Settings menu item, then this proxy is also used for VPN connections that use TCP encapsulation. TCP encapsulation supports the basic authentication and NTLM authentication methods for the proxy. For the TCP encapsulation to work through an HTTP proxy, the proxy must be named explicitly in the proxy settings (Network >> Proxy Settings menu item), i.e. it must not be a transparent proxy, and this proxy must also understand and permit the HTTP method CONNECT.

An FL MGUARD used as a server in order to accept encapsulated VPN
326. ration: The client does not answer ARP requests. No client is available.

With static stealth configuration, the stealth management IP address can always be accessed, even if the network card of the client PC has not been activated.

If the secondary external interface is activated (see Secondary External Interface on page 6-66), the following applies: If the routing settings are such that data traffic to the stealth management IP address would be routed via the secondary external interface, this would be an exclusion situation, i.e. the FL MGUARD would no longer be administered locally. To prevent this, the FL MGUARD has a built-in mechanism that ensures that in such an event the stealth management IP address can still be accessed by the locally connected computer or network.

IP address: The additional IP address via which the FL MGUARD can be accessed and administered. The IP address 0.0.0.0 deactivates the management IP address.
Netmask: The subnet mask of the IP address above.
Default gateway: The default gateway of the network where the FL MGUARD is located.
Use Management VLAN (Yes/No): If the IP address should be within a VLAN, set this option to Yes.
Management VLAN ID: A VLAN ID between 1 and 4095. VLAN is not supported for the management IP address when autodetect stealth configuration is enabled. For an explanation of this term, please refer to the glossary under VLAN on page 8-8.
327. ration is located.

Management >> Central Management >> Configuration Pull (continued)

Filename: The name of the file in the directory defined above. If no file name is defined here, the serial number of the FL MGUARD is used, with the file extension .atv.

Number of times a configuration profile is ignored after it was rolled back (default 10): After retrieving a new configuration, it is possible that the FL MGUARD may no longer be accessible after applying the new configuration. It is then no longer possible to implement a new remote configuration to make corrections. In order to prevent this, the FL MGUARD performs the following check: As soon as the retrieved configuration is applied, the FL MGUARD tries to connect to the configuration server again based on the new configuration. The FL MGUARD then attempts to download the newly applied configuration profile again. If successful, the new configuration remains in effect. If this check is unsuccessful, for whatever reason, the FL MGUARD assumes that the newly applied configuration profile is faulty. The FL MGUARD memorizes the MD5 sum for identification purposes, then performs a rollback. Rollback means that the last working configuration is restored. This assumes that the new, non-functioning configuration contains an instruction to perform a rollback if a newly loaded configuration profile is
328. ress for local 1:1 NAT: If the "Enable 1:1 NAT of the remote network to another network" option is set to Yes (see 1:1 NAT on page 6-178), the following applies: The IP address of the SysLog server must be located in the network that is specified as Remote in the definition of the VPN connection.

6.11.2 Logging: Browse local logs

Logging >> Browse local logs

[Screenshot: local log view. The extracted lines show entries from the processes firestarter, userfwd, pluto[1862], cifsscand and iptables with the following messages: Copyright (C) 2009 Innominate Security Technologies AG; Whirlwind VPN Management Daemon 0.1; server startup; server shutdown; server not configured; Pluto initialized; Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES...); Setting NAT-Traversal port 4500 floating to on; port floating activation criteria nat_t 1 port_fload 1; including NAT-Traversal patch (Version 0.6c); ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0); ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0); ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0); no helpers will be started, all cryptographic operations will be done i...; Using NETKEY IPsec interface code on 2.6.27.20 mguard 5.4.48; INFO MAIO318209259 new share started; lock obtained; waiting for lock; fwrulese...]
329. rights as defined by this filter. This could differ from the access rights assigned to the user in the subsequent filters. If remote certificates are configured as filters in the X.509 Certificate table column, then these filters have priority over the filter settings here.

Management >> Web Settings >> Access (continued)

Authorized for access (All users, root, admin, netadmin, audit): Specifies which user or administrator rights are granted to the remote user. For a description of the root, admin and user authorization levels, see Authentication >> Local Users on page 6-111. The netadmin and audit authorization levels relate to access rights with the Innominate Device Manager.

X.509 Certificate: This configuration is required in the following cases:
• Remote users each show a self-signed certificate.
• Remote users each show a certificate signed by a CA. Filtering should take place: Access is only granted to a user whose certificate copy is installed on the FL MGUARD as the remote certificate and is provided to the FL MGUARD in this table as the X.509 Certificate.
If used, this filter has priority over the Subject filter in the table above. The entry in this field defines which remote certificate the FL MGUARD should adopt in order to authenticate the remote peer (browser of the remote user). The remote certifi
330. rnal modem connected to it.

Network >> Interfaces >> General, Stealth network mode (continued)

Operation Mode (permanent/temporary): After selecting modem or built-in modem network mode for the secondary external interface, the operating mode of the secondary external interface must be specified.

[Screenshot: Secondary External Interface: Network Mode; Operation Mode: permanent. Secondary External Routes: Network 192.168.3.0/24, Gateway "gateway"]

permanent: Data packets whose destination corresponds to the routing settings specified for the secondary external interface are always routed via this external interface. The secondary external interface is always activated.

temporary: Data packets whose destination corresponds to the routing settings specified for the secondary external interface are only routed via this external interface when additional, separately defined conditions are met. Only then is the secondary interface activated and the routing settings for the secondary external interface take effect (see Probes for Activation on page 6-69).

Secondary External Network Routes: Specify the routing to the external network here. Multiple routes can be specified. Data packets intended for these networks are then routed to the corresponding network via the secondary external interface in permanent or tem
331. rovider-defined option (e.g. via DHCP) is selected under Hostname mode.

Domain search path: This option makes it easier for the user to enter a domain name. If the user enters the domain name in an abbreviated form, the FL MGUARD completes the entry by appending the domain suffix that is defined here.

SNMP sysName: A name that can be freely assigned to the FL MGUARD for administration purposes, e.g. Hermes, Pluto.

SNMP sysLocation: A description of the installation location that can be freely assigned, e.g. Hall IV, Corridor 3, Broom closet.

SNMP sysContact: The name of the contact person responsible for the FL MGUARD; ideally includes the phone number.

HiDiscovery: A protocol that supports the initial startup of new network devices and is available in stealth mode for the local interface (LAN) of the FL MGUARD.
Enabled: The HiDiscovery protocol is activated.
Read-only: The HiDiscovery protocol is activated, but it cannot be used to configure the FL MGUARD.
Disabled: The HiDiscovery protocol is deactivated.

Management >> System Settings >> Host (continued)

HiDiscovery Frame Forwarding (Yes/No): If this option is set to Yes, then HiDiscovery frames are forwarded from the LAN port externally via the WAN port.

6.2.1.2 Signal Contact

Management >> System Settings >> Signal Contac
332. rror has occurred. OFF: Signal contact closed, i.e. an error has not occurred.

A Link LED is located on the front of the device for the LAN and WAN port.
LNK (Link), Green, ON: Link active. OFF: Link not active.

Another LED is located on the front of the device for the LAN and WAN port. The function of the second LED (MODE) for each port can be set using the MODE switch (see also the example below). There are three options; during the boot process, the mode and port LEDs are permanently on.
ACT (Activity), Green, ON: Receiving telegrams. OFF: Not receiving telegrams.
SPD (Speed), Green/orange, ON: 1000 Mbps; ON: 100 Mbps (for RJ45 ports only); OFF: 10 Mbps, if the Link LED is active (for RJ45 ports only).
FD (Duplex), Green, ON: Full duplex. OFF: Half duplex.
ACT, SPD, FD, Flashing: The device is in Smart mode (see Using Smart mode on page 3-6).
Green, ON: VPN tunnel established. Flashing: Initializing VPN tunnel. OFF: No VPN tunnel.

Example: In Figure 3-13, the LED indicators have the following meaning:
A: The MODE switch has been set to display the duplex mode (FD); the mode LEDs now indicate that the LAN port is in half duplex mode and the WAN port is in full duplex mode.
B: The switch has been set to display the activity (ACT); the mode LEDs now indicate that incoming data packets are detected on both ports.
333. rt (reboot) is necessary in the event of an error. It may also be necessary after a software update.

6.3 Blade Control menu

This menu is only available on the FL MGUARD BLADE controller.

6.3.1 Blade Control >> Overview

[Screenshot: Blade Control >> Overview with the columns Status, WAN, LAN, Serial, Version. Example rows show devices of type blade and blade XL with versions such as 4.2.0.default, 5.0.0.pre02.def, 2.3.0.default, 4.2.0.pre08.beta and 4.2.0.pre05.beta, and several Unknown entries]

B: Automatic configuration backup is enabled/disabled.
R: Automatic reconfiguration of a replaced blade is enabled/disabled.
Rack ID: The ID of the rack where the FL MGUARD is located. This value can be configured for all blades on the controller.
Power supply P1/P2: Status of power supply units P1 and P2: OK, Absent, Defect, Fatal error.
Blade: Number of the slot where the FL MGUARD blade is installed.
Device: Device name, e.g. blade or blade XL.
Status: Online: The device in the slot is operating correctly. Present: The device is present but not yet ready, e.g. because it is just starting up. Absent: No device found in the slot.
WAN: Status of the WAN port.
LAN: Status of the LAN port
334. rtificate, the CN attribute from the certificate subject field is suggested as the short name here, providing the Shortname field is empty at this point. This name can be adopted or another name can be chosen.

• A name must be assigned, whether it is the suggested one or another. Names must be unique and must not be assigned more than once.

Use of the short name: During the configuration of SSH (Management >> System Settings, Shell Access menu), HTTPS (Management >> Web Settings, Access menu) and VPN connections (IPsec VPN >> Connections menu), the certificates imported on the FL MGUARD are provided in a selection list. The certificates are displayed under the short name specified for each individual certificate on this page. For this reason, name assignment is mandatory.

Creating a certificate copy: You can create a copy of the imported machine certificate, e.g. for the remote peer, so that this can authenticate the FL MGUARD. This copy does not contain the private key and can be made public at any time. To do this, proceed as follows:
• Click on Current Certificate File next to the Download Certificate row for the relevant machine certificate.
• Enter the desired information in the dialog box that opens.

6.5.3.3 CA Certificates

CA certificates are certificates issued by a certification aut
335. rules defined above are logged.

Outgoing Rules (PPP): Firewall rules for outgoing PPP connections from the LAN interface. The parameters correspond to those under Incoming Rules (PPP). These outgoing rules apply to data packets that are sent out via a data connection initiated by PPP dial-in.

6.4.1.5 Modem/Console

FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA only.

Some FL MGUARD models have a serial interface that can be accessed externally, while the FL MGUARD RS is also available with a built-in modem as an option (see Network >> Interfaces on page 6-55).

[Screenshot: Network >> Interfaces >> Modem/Console. Serial Console: Baudrate 57600. Note shown on the page: On some platforms the serial port is not accessible. The settings above become effective only for administrative shell login via a console connected to the serial port. Such logins are impossible if dial-in or dial-out is configured via external modem. External Modem: Hardware handshake (RTS/CTS): off; Modem init string: d dATH OK]

Options for using the serial interface: Alternatively, the serial interface can be used as follows:

Primary External Interface: As a primary external interface, if the network mode is set to Modem under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 6-55 and General on page 6-56). In this case, data traffic is not process
336. rvice refers to the quality of individual transmission channels in IP networks. This relates to the allocation of specific resources to specific services or communication types so that they work correctly. For example, the necessary bandwidth must be provided to transmit audio or video data in real time in order to reach a satisfactory communication level. At the same time, slower data transfer by FTP or e-mail does not threaten the overall success of the transmission process (file or e-mail transfer).

6.9.1 Ingress Filters

An ingress filter prevents the processing of certain data packets by filtering and dropping them before they enter the FL MGUARD processing mechanism. The FL MGUARD can use an ingress filter to avoid processing data packets that are not needed in the network. This results in faster processing of the remaining, i.e. required, data packets. Using suitable filter rules, administrative access to the FL MGUARD can be ensured with high probability, for example.

Packet processing on the FL MGUARD is generally defined by the handling of individual data packets, so that the processing performance depends on the number of packets and not on bandwidth. Filtering is performed exclusively according to characteristics that are present or may be present in each data packet: the sender and recipient IP address specified in the header, the specified Ethernet protocol, the specified IP protocol, the specified TOS/DSCP value and/or the VLAN ID i
337. rvice provider, which is used to provide access to the Internet. As the Point-to-Point Protocol (PPP) is used for the connection, the IP address does not usually have to be specified. This means you can use the preset value 0.0.0.0.

Netmask: The subnet mask specified here belongs to both the local IP address and the remote IP address. Normally, all three values (Local IP, Remote IP and Netmask) are either fixed or remain set to 0.0.0.0.

Enter the connection settings for an external modem on the Modem/Console tab page (see Modem/Console on page 6-90).

6.4.1.4 Dial-in

FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA only.

[Screenshot: Network >> Interfaces, PPP dial-in options. Modem/PPP: Local IP 192.168.2.1; Remote IP 192.168.2.2; PPP Login name; PPP Password. Incoming Rules (PPP): Log ID fw serial incoming 00000000 0000 0000 000000000000; columns From, To, Action, Comment. Outgoing Rules (PPP): Log ID fw serial outgoing 00000000 0000 0000 0000 000000000000; columns From, To, Comment. Log entries for unknown connection attempts: No]

In addition to HTTPS, SSH and SNMP management access, the above rules regulate access to (Incoming) and from (Outgoing) the internal network via the PPP connection.

Please note: On some platforms the serial port is not accessible. N
338. s. PPPoE is a specification defining how to connect users to the Internet via Ethernet using a shared broadband medium such as DSL, wireless LAN or a cable modem.
PPTP: Acronym for Point-to-Point Tunneling Protocol. This protocol was developed by Microsoft and U.S. Robotics, among others, for secure data transfer between VPN nodes (see VPN) via a public network.
Protocol, transmission protocol: Devices that communicate with each other must follow the same rules. They have to "speak the same language". Rules and standards of this kind are called protocols or transmission protocols. Some of the more frequently used protocols are IP, TCP, PPP, HTTP and SMTP.
Router: A router is a device that is connected to different IP networks and communicates between them. To do this, the router has an interface for each network connected to it. A router must find the correct path to the destination for incoming data and define the appropriate interface for forwarding it. To do this, it takes data from a local routing table listing assignments between available networks and router connections or intermediary stations.
Service provider: Service providers are companies or institutions that enable users to access the Internet or online services.
Spoofing, anti-spoofing: In Internet terminology, spoofing means supplying a false address. Using this false I
339. s be accessed by devices from the external network. They form the interface to other parts of the LAN or to the Internet. If the transition to the Internet takes place here, the IP addresses are usually assigned by the Internet service provider (ISP). If an IP address is assigned dynamically to the FL MGUARD, the currently valid IP address can be found here. In stealth mode, the FL MGUARD adopts the address of the locally connected computer as its external IP.
Network Mode Status: Displays the status of the selected network mode (Active).
Default route (display only): The IP address that the FL MGUARD uses to try to reach unknown networks is displayed here. This field can contain "none" if the FL MGUARD is in stealth mode.
Used DNS servers (display only): The names of the DNS servers used by the FL MGUARD for name resolution are displayed here. This information can be useful, for example, if the FL MGUARD is using the DNS servers assigned to it by the Internet service provider.
Network >> Interfaces >> General (continued)
Network Mode (Stealth, Router): The FL MGUARD must be set to the network mode that corresponds to its connection to the network (see also Typical application scenarios on page 2-1). Router Mode: only used when Router is selected as the network mode. Depending on which network mode
340. s 2000:
• After installing the hardware, switch on the computer.
• Log on with administrator rights and wait until the following window appears.
[Screenshots: Found New Hardware Wizard dialogs (Welcome to the Found New Hardware Wizard; Install Hardware Device Drivers; Locate Driver Files; Driver Files Search Results) for the device Innominate mGuardPCI. The wizard asks where Windows should search for driver files and then reports that it has found a driver for the device.]
341. s for the check: Same as CIFS Integrity Monitoring >> CIFS Integrity Checking >> Settings >> Edit on page 6-151.
Status Summary: Result and time of the last checks. Click on Update to see a summary of the results of the latest checks. Update applies to all network drives.
[Screenshot: CIFS Integrity Monitoring >> CIFS Integrity Status, entry "pc-x7-scan": Status (of pc-x7-scan), Summary, Report (Download the report), UNC notation of the imported share, Start of the last check, Duration of the last check, Start of the current check, Progress of the current check.]
CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Status
Status of network drive, Summary: "Last check was OK" (no deviations found) or "Last check found x deviation(s)"; the exact deviations are listed in the check report.
Report: The check report is displayed here. It can be downloaded by clicking on Download the report.
UNC notation of the imported share: \\Servername\networkdrive
CIFS Integrity Monitoring >> CIFS Integrity Status >> Display >> Status (continued)
Start of the last check: Weekday, month, day, HH:MM:SS UTC. The local time may differ from this time. Example: the standard time in Germany is Central European Time (CET), which is UTC plus one hour.
342. s rules; for example, it may require the issuer of the public key to appear before it in person. Once successfully authenticated, the CA adds its digital signature to the issuer's public key. This results in a certificate.
9 Technical data
9.1 FL MGUARD RS, FL MGUARD PCI, FL MGUARD DELTA, FL MGUARD BLADE
General
CPU: Intel IXP42x with 266 MHz or 533 MHz
Memory: 16 MB Flash, 64 MB SDRAM (FL MGUARD DELTA: 128 MB)
Function monitoring: Watchdog and optical indication
Operating system: Innominate embedded Linux
Housing dimensions (width x height x depth in mm): 45 x 100 x 111 (FL MGUARD RS); according to PCI standard (FL MGUARD PCI)
Permissible operating temperature: 0 °C to 55 °C (FL MGUARD RS); 0 °C to 70 °C (FL MGUARD PCI); 0 °C to 40 °C (FL MGUARD SMART, FL MGUARD DELTA, FL MGUARD BLADE)
Degree of protection: IP20 (IEC 60529) (FL MGUARD RS); IP0 (FL MGUARD PCI)
Protection class: Class 3 (VDE 0106, IEC 60536) (FL MGUARD RS)
Pollution degree: 2 (FL MGUARD RS)
Humidity, operation/storage: 10 to 95, no condensation (FL MGUARD RS, FL MGUARD DELTA); 10 to 90, no conde
Further rows of this table (values not in this fragment): Connection to protective earth ground; Weight; LAN and WAN interfaces; Serial; Power supply; Network expansion (FL MGUARD RS).
343. s that the SSH client has to be authorized for a specific administration level in order to gain access. When establishing a connection, the SSH client shows its certificate and also specifies the system user for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted if the entries match those defined here. Access for all listed system users is possible when All users is set. The netadmin and audit setting options relate to access rights with the Innominate Device Manager.
6.2.2 Management >> Web Settings
6.2.2.1 General
[Screenshot: Management >> Web Settings >> General: Language automatic; Session Timeout (seconds) 1800; Scope of the Apply button Per Session.]
Management >> Web Settings >> General
Language: If "automatic" is selected in the list of languages, the device uses the language setting of the computer's browser.
Session Timeout (seconds): Specifies the period of inactivity in seconds after which the user will be automatically logged out of the FL MGUARD web interface. Possible values: 15 to 86400 (24 hours).
Scope of the Apply button: The "Per Page" setting specifies that you have to click on the Apply button on every page where you make changes in order for the settings to be applied and take effect.
344. screen. The rules defined here have priority over packet filter rules. The MAC filter does not support logging.
Network Security >> Packet Filter >> MAC Filtering
Incoming
Source MAC: Specification of the source MAC address. xx:xx:xx:xx:xx:xx stands for all MAC addresses.
Destination MAC: Specification of the destination MAC address. xx:xx:xx:xx:xx:xx stands for all MAC addresses; ff:ff:ff:ff:ff:ff stands for the broadcast MAC address, to which all ARP requests are sent, for example.
Ethernet Protocol: "any" stands for all Ethernet protocols. Additional protocols can be specified in name or hexadecimal format, for example IPv4 or 0800, ARP or 0806.
Action: Accept means that the data packets may pass through. Drop means that the data packets may not pass through (they are dropped).
Comment: Freely selectable comment for this rule.
1) FL MGUARD RS, FL MGUARD BLADE and FL MGUARD DELTA
6.6.1.5 Advanced
The following settings affect the basic behavior of the firewall.
[Screenshot: Network Security >> Packet Filter >> Advanced. Consistency checks: Maximum size of ping packets (ICMP Echo Request); Enable TCP/UDP/ICMP consistency checks: Yes. Network Modes Router/PPTP/PPPoE: ICMP via primary external interface for the mGuard: Allow ping requests; ICMP via secondary ...]
345. se immunity according to EN 61000-4-2 (IEC 1000-4-2), ESD (requirements according to DIN EN 61000-6-2): Contact discharge: test intensity 2, criterion B; Air discharge: test intensity 3, criterion B; Indirect discharge: test intensity 2, criterion B.
Noise immunity according to EN 61000-4-3 (IEC 1000-4-3), electromagnetic fields (requirements according to DIN EN 61000-6-2): test intensity 3, criterion A.
Noise immunity according to EN 61000-4-4 (IEC 1000-4-4), burst (requirements according to DIN EN 61000-6-2): Data cables: test intensity 2, criterion B; Power supply: test intensity 3, criterion B.
Noise immunity according to EN 61000-4-5 (IEC 1000-4-5), surge (requirements according to DIN EN 61000-6-2): Data cables: test intensity 2, criterion B; Power supply: test intensity 1, criterion B.
Noise immunity according to EN 61000-4-6 (IEC 1000-4-6), conducted (requirements according to DIN EN 61000-6-2): test intensity 3, criterion A.
Additional certifications: RoHS (EEE 2002/95/EC), WEEE 2002/96/EC.
Further values from the same table (their row labels are not in this fragment): Fiber optics: LC format, 1000 Mbps, depends on the SFP module used (two rows); Operation: 30g, 11 ms half-sine shock pulse; Storage/transport: 50g half-sine shock pulse; Operation/storage/transport: 5g, 57 to 150 Hz, 1m; Class B (residential), Class A (industrial area).
9.3
9.3.1 Produ
346. ser for which the SSH session is to be opened (root, admin, netadmin, audit). Access is only granted if the entries match those defined here. Access for all listed system users is possible when All users is set. The netadmin and audit setting options relate to access rights with the Innominate Device Manager.
Management >> System Settings >> Shell Access (continued)
Client certificate: This configuration is required in the following cases: the SSH clients each show a self-signed certificate; or the SSH clients each show a certificate signed by a CA and filtering should take place, i.e. access is only granted to a user whose certificate copy is installed on the FL MGUARD as the remote certificate and is provided to the FL MGUARD in this table as the client certificate. This filter is not subordinate to the Subject filter. It resides on the same level and is allocated a logical OR function with the Subject filter. The entry in this field defines which remote certificate the FL MGUARD should adopt in order to authenticate the remote peer (SSH client). The remote certificate can be selected from the selection list. The selection list contains the remote certificates that have been loaded on the FL MGUARD under the Authentication >> Certificates menu item.
Authorized for access as: All users, root, admin, netadmin, audit. Filter which define
347. sitioned between an individual computer and the rest of the network. The settings (e.g. for firewall and VPN) can be made using a web browser under the URL https://1.1.1.1. No configuration modifications are required on the computer itself.
Figure 2-1: Stealth mode (Firewall, VPN)
Network router
When used as a network router, the FL MGUARD can provide the Internet link for several computers and protect the company network with its firewall. One of the following network modes can be used on the FL MGUARD:
• Router: if the Internet connection is via e.g. a DSL router or a permanent line.
• PPPoE: if the Internet connection is via e.g. a DSL modem and the PPPoE protocol is used (e.g. in Germany).
• PPTP: if the Internet connection is via e.g. a DSL modem and the PPTP protocol is used (e.g. in Austria).
• Modem: if the Internet connection is via a serially connected modem compatible with the Hayes or AT command set.
For computers in the Intranet, the FL MGUARD must be specified as the default gateway.
Figure 2-2: Network router (Intranet, DSL modem or router, Internet, Firewall)
2.3 DMZ
A DMZ (demilitarized zone) is a protected network that is located between two other networks. For example, a compan
348. ss through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, the default setting).
[Screenshot: X.509 Authentication. Enable X.509 certificates for SSH access: Yes. SSH server certificate: None. CA certificate: SSH RootCA, SSH SubCA. X.509 subject: Authorized for access as All users. Client certificate: Authorized for access as admin.]
Management >> System Settings >> Shell Access >> X.509 Authentication
Enable X.509 certificates for SSH access (Yes/No): If No is selected, then only the conventional authentication methods (user name and password, or private and public keys) are permitted, not the X.509 authentication method. If Yes is selected, then the X.509 authentication method can be used in addition to the conventional authentication methods (as also used for No). If Yes is selected, the foll
349. ssless Inter-Domain Routing on page 6-215.
From Port / To Port: Only evaluated for the TCP and UDP protocols. "any" refers to any port; "startport:endport" (e.g. 110:120) refers to a port range. Individual ports can be specified using the port number or the corresponding service name (e.g. 110 for pop3, or pop3 for 110).
Action: Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts. Name of rule sets (if defined): In addition to Accept, Reject and Drop, the selection list also contains the names of previously defined rule sets. If a name is selected (referenced), the rules contained in this rule set are applied here. If the rules from the applied rule set cannot be used and implemented with Accept, Reject or Drop, rule processing continues with the rule following the one from which the rule set was referenced.
Comment: Freely selectable comment for this rule.
Log: For each individual firewall rule you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, the default setting).
350. st void: The connection is inactive due to an error, e.g. the external network is down or the host name of the remote peer could not be resolved to an IP address (DNS). ready: The connection is ready to establish channels or allow incoming queries regarding channel setup. active: At least one channel has already been established for the connection.
Defining a VPN connection / VPN connection channels
Depending on the network mode of the FL MGUARD, the following page appears after clicking on Edit.
6.8.3.1 General
[Screenshot: IPsec VPN >> Connections >> Berlin-London >> General. Options: A descriptive name for the connection: Berlin-London; Enabled: Yes; Address of the remote site's VPN gateway: vpn.london.example.com (either an IP address, a hostname, or "any" for any IP, multiple clients or clients behind a NAT gateway); Connection startup: Initiate; Encapsulate the VPN traffic in TCP: Yes; TCP Port of the server which accepts the encapsulated connection: 8080. Transport and Tunnel Settings: 192.168.0.1 (only in stealth mode).]
IPsec VPN >> Connections >> Edit >> General
Options, A descriptive name for the connection: The connection can be freely named and renamed. If several connection channels are defined under Transport and Tunnel Settings, then this name applies t
351. structs the modem to insert a dialing pause at this point until the dial tone can be heard. Used when the modem is connected to a private branch exchange: an external line must be obtained first for outgoing calls by dialing a specific number (e.g. 0) before the telephone number can be dialed. Example: ATD0W 765432
T: Switch to tone dialing. Insert the special dial character T before the phone number if the faster tone dialing procedure should be used (only with tone-compatible telephone connections). Example: ATDT 765432
PAP / CHAP / None: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol) are procedures for the secure transmission of authentication data using the Point-to-Point Protocol. If the Internet service provider requires the user to log in using a user name and password, then PAP or CHAP is used as the authentication method. The user name, password and any other data that must be specified by the user to establish a connection to the Internet are given to the user by the Internet service provider. The corresponding fields are displayed depending on whether PAP, CHAP or None is selected. Enter the corresponding data in these fields.
[Screenshot, fields shown if authentication is via PAP: Authentication, User name, Password, PAP server authentication, Dial on demand, Idle timeout, Idle time (seconds), Local IP, Remote IP, Netmask, User name, Password, PAP server authentication.]
352. t Time and Date
[Screenshot: Signal contact. Mode: Operation supervision. Operation supervision: Contact; Redundant power supply: Supervise; Link supervision: Ignore. Manual settings: Contact: Closed.]
The signal contact is a relay that is used by the FL MGUARD to signal error states (see also Signal contact on page 4-8).
Management >> System Settings >> Signal Contact (FL MGUARD RS, FL MGUARD GT/GT only)
Mode, Signal contact: The signal contact can be controlled automatically using Operation supervision (default) or using Manual settings. See also Installing the FL MGUARD RS on page 4-4 and Installing the FL MGUARD GT/GT on page 4-11.
Operation supervision, Contact: Displays the status of the signal contact, either Open (Error) or Closed (OK).
Redundant power supply: If set to Ignore, the power supply does not influence the signal contact. If set to Supervise, the signal contact is opened if one of the two power supply voltages fails.
Link supervision: Monitoring of the link status of the Ethernet connections. Possible settings are Ignore, Supervise internal only (trusted), Supervise external only (trusted), Supervise both.
Manual settings, Contact: If Signal contact has been set to Manual settings, the contact can be set to Closed or Open (Alarm) here.
6.2.1.3 Time and Date
353. t gateway: Specifies which IP address should be used by the computer as the default gateway. Usually this is the internal IP address of the FL MGUARD.
Network >> DHCP >> Internal DHCP (continued)
DNS server: Address of the server used by computers to resolve host names into IP addresses via the Domain Name Service (DNS). If the DNS service of the FL MGUARD should be used, enter the internal IP address of the FL MGUARD here.
WINS server: Address of the server used by the computer to resolve host names into addresses via the Windows Internet Naming Service (WINS).
Static Mapping (according to MAC address): To find out the MAC address of your computer, proceed as follows. Windows 95/98/ME: start winipcfg in a DOS box. Windows NT/2000/XP: start ipconfig /all in a prompt; the MAC address is displayed as the "Physical Address". Linux: call /sbin/ifconfig or ip link show in a shell. The following options are available: MAC address of the client computer (without spaces or hyphens); IP address of the client (Client IP address): the static IP address of the computer to be assigned to the MAC address. Static assignments take priority over the dynamic IP address pool. Static assignments must not overlap with the dynamic IP address pool. Do not use one IP address in multiple static ass
354. t one port. The link status for each port can be masked on the FL MGUARD RS via the management software. By default upon delivery there is no connection monitoring.
Error during selftest.
Startup: During a restart, the signal contact is interrupted until the FL MGUARD has started up completely. This also applies when the signal contact is manually set to Closed in the software configuration.
Service contacts: A button or an on/off switch (e.g. key switch) can be connected between service contacts CMD and _. A standard LED (up to 3.5 V) or a corresponding optocoupler can be connected between contacts ACK and _. The contact is short-circuit proof and supplies 20 mA maximum. The LED or optocoupler must be connected without a pre-resistor (for wiring, see Figure 4-3 to Figure 4-5). The button or on/off switch is used to establish and release a predefined VPN connection. The LED indicates the status of the VPN connection (see IPsec VPN >> Global on page 6-161 under Options).
Operating a connected button / signal LED:
• To establish the VPN connection, hold down the button for a few seconds until the signal LED flashes. Then release the button. The flashing indicates that the FL MGUARD has received the command to establish the VPN connection and is establishing the VPN connection. As soon as the VPN connection is established, the signal LED remains
355. [Screenshot: log display with entries such as fwruleset_dynipt and pluto[1862] messages (changing directory to /etc/ipsec.d/cacerts, /etc/ipsec.d/aacerts, /etc/ipsec.d/ocspcerts and /etc/ipsec.d/crls; loaded cert files and a CRL file). Category checkboxes: Common, IPsec VPN, Network Security, CIFS Integrity Checking, CIFS AV Scan Connector; buttons: Reload logs, Jump to firewall rule.]
The corresponding checkboxes for filtering entries according to their category are displayed below the log entries, depending on which FL MGUARD functions were active. To display one or more categories, enable the checkboxes for the desired categories and click on Reload logs.
6.11.2.1 Log entry categories
General: Log entries that cannot be assigned to other categories.
Network Security: Logged events are shown here if the logging of firewall events was selected when defining the firewall rules (Log = Yes). Log ID and number for tracing errors: Log entries that relate to the firewall rules l
356. ted. If the telephone connection is then interrupted, the FL MGUARD attempts to restore it immediately. Thus a permanent connection is created, like a permanent line. By doing this, the FL MGUARD is constantly available externally, i.e. for incoming data packets.
Network >> Interfaces >> Dial-out (continued)
Idle timeout (Yes/No): Only considered when Dial on demand is set to Yes. When set to Yes (default), the FL MGUARD terminates the telephone connection as soon as no data is transmitted over the time period specified under Idle time. The FL MGUARD gives the connected modem the relevant command for terminating the telephone connection. When set to No, the FL MGUARD does not give the connected modem a command for terminating the telephone connection.
Idle time (seconds): Default: 300. If there is still no data traffic after the time specified here has elapsed, the FL MGUARD can terminate the telephone connection. See above under Idle timeout.
Local IP: IP address of the serial interface of the FL MGUARD, which now acts as the WAN interface. If this IP address is assigned dynamically by the Internet service provider, use the preset value 0.0.0.0. Otherwise (e.g. for the assignment of a fixed IP address), enter it here.
Remote IP: IP address of the remote peer. When connecting to the Internet, this is the IP address of the Internet se
357. ter in which the dial-up connection to the FL MGUARD is defined. In addition, the IP address of the FL MGUARD or its host name must be defined as the gateway for this connection, so that the connections to the LAN can be routed via this address. To access the web configuration interface of the FL MGUARD, you must enter the IP address of the FL MGUARD or its host name in the address line of the web browser.
The serial interface of the FL MGUARD is connected to the serial interface of a PC. On the PC, the connection to the FL MGUARD is established using a terminal program, and the configuration is implemented using the command line of the FL MGUARD. If an external modem is connected to the serial interface, you may have to enter corresponding settings below under External Modem, regardless of the use of the serial port and the modem connected to it.
Network >> Interfaces >> Modem/Console
Serial Console: The following settings for the baud rate and hardware handshake are only valid for a configuration connection where a terminal, or a PC with a terminal program, is connected to the serial interface. The settings are not valid when an external modem is connected; settings for this are made further down under External Modem.
Baudrate: The transmission speed of the serial interface is specified via the selection list.
Hardware han
358. th a built-in analog modem (built-in ISDN terminal adapter as an option). The built-in modem or built-in ISDN terminal adapter can be used as follows:
• As a primary external interface, if the network mode is set to Built-in Modem under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 6-55 and General on page 6-56). In this case, data traffic is not processed via the WAN port (Ethernet interface) but via this modem.
• As a secondary external interface, if Secondary External Interface is activated and Built-in Modem is selected under Network >> Interfaces on the General tab page (see Network >> Interfaces on page 6-55 and General on page 6-56). In this case, data traffic is also processed via the serial interface.
• For the PPP dial-in option. See Options for using the serial interface on page 6-90.
Please note that the serial interface of the device also provides similar options for use (see above). Therefore, on an FL MGUARD RS with a built-in modem, normal data traffic can be routed via a modem connection (modem network mode) and a second modem connection can be used simultaneously for the PPP dial-in option, for example.
For the FL MGUARD RS with built-in modem
[Screenshot: External Modem settings; additionally, for the FL MGUARD RS with Built-in Modem (analog): Country, Extension line regarding ...]
359. the FL MGUARD has received the command to establish the VPN connection and is establishing the VPN connection. As soon as the VPN connection is established, the signal LED remains lit continuously.
• To release the VPN connection, hold down the button for a few seconds until the signal LED flashes or goes out. Then release the button. As soon as the signal LED goes out, the VPN connection is released.
Operating a connected on/off switch:
• To establish the VPN connection, set the switch to the ON position.
• To release the VPN connection, set the switch to the OFF position.
Signal LED: If the signal LED is OFF, this generally indicates that the defined VPN connection is not present: either the VPN connection was not established or it has failed due to an error. If the signal LED is ON, the VPN connection is present. If the signal LED is flashing, the VPN connection is being established or released.
V.24/RS-232 interface for external management: The 6-pos. Mini-DIN female connector provides a serial interface to connect a local management station. It can be used to connect a VT100 terminal, or a PC with corresponding terminal emulation, to the management interface. Set the following transmission parameters for the RS-232 (V.24) interface: Bits per second: 38400; Data bits: 8; Parity: None
360. the address specified in the Local field (see above) if a computer has an IP address from this address area. The address specified in the Local field must have the subnet mask /32, so that it signifies exactly one IP address. Local masquerading can be used in the following network modes: router, PPPoE, PPTP, modem, built-in modem and stealth (only "multiple clients" in stealth mode). Modem/built-in modem: not available for all FL MGUARD models (see Network >> Interfaces on page 6-55). For IP connections via a VPN connection with active local masquerading, the firewall rules for outgoing data in the VPN connection are used for the original source address of the connection.
1:1 NAT (only in router mode): With 1:1 NAT it is still possible to enter the network addresses actually used (local and/or remote) to specify the tunnel beginning and end independently of the tunnel parameters agreed with the remote peer.
Figure 6-5: 1:1 NAT (Local network; Internet network address for 1:1 NAT; Internet; Network address for 1:1 NAT, remote; Remote network)
IPsec VPN >> Connections >> Edit >> General: Further settings can be made by clicking on More Options.
[Screenshot: IPsec VPN >> Connections >> Tunnel Settings: Tunnel connection type; Options; Ena...]
361. the base. Lists the individual software modules of the FL MGUARD. Can be used for support purposes.
6.2.4.2 Update
There are two options for performing a firmware update:
1. You have the current package set file on your computer (the file name ends with .tar.gz) and you perform a local update.
2. You download the package set file via the Internet from the update server and then install the packages.
[Screenshot: Management >> Update. Local Update: Filename (Browse), Install Packages. Online Update: Package set name, Install Package Set. Automatic Update: Install the latest patch release (x.y.Z): Install latest patches; Install the latest minor release (x.Y.z) for the currently installed major version: Install latest minor release; Install the next major release (X.y.z): Install next major version.]
Local Update: The filename of the package set has the extension .tar.gz. The format of the filename you have to enter is update-a.b.c-d.e.f.tar.gz.
Automatic Update: Install the latest patch release (x.y.Z): Install latest patches. Install the latest minor release (x.Y.z) for the currently installed major version: Install latest minor release. Note: it might be possible that there is no direct update from the currently installed version to the latest published minor release available. Therefore, after updating the system to a new minor release, press this button again until you receive the message that there is no newer update available. Install the next major release (X.y.z): Install next major version. Note: it might be possible that there is no direct updat
362. the blade pack changes. Blade controller run status: enterprise oid mGuardTrapBladeCtrl; generic trap enterpriseSpecific; specific trap mGuardTrapBladeCtrlRunStatus (3); additional mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlRunStatus. This trap is sent when the blade run status changes. Backup/restore (Activate traps: Yes/No): enterprise oid mGuardTrapBladeCtrlCfg; generic trap enterpriseSpecific; specific trap mGuardTrapBladeCtrlCfgBackup (1); additional mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgBackup. This trap is sent when configuration backup is triggered for the blade controller. Management >> SNMP >> Trap (continued): enterprise oid mGuardTrapBladeCtrlCfg; generic trap enterpriseSpecific; specific trap mGuardTrapBladeCtrlCfgRestored (2); additional mGuardTrapBladeRackID, mGuardTrapBladeSlotNr, mGuardTrapBladeCtrlCfgRestored. This trap is sent when configuration restoration is triggered for the blade controller. CIFS integrity traps: Successful integrity check of a CIFS share (Activate traps: Yes/No): enterprise oid mGuardTrapCIC; generic trap enterpriseSpecific; specific trap mGuardTrapCICDone (1); additional mGuardTrapCICShareName, mGuardTrapCICShareUNC. This trap is sent if the CIFS integrity check has been successfully com
363. the computer cover again. Connect the computer power cable again and switch on the computer. 4.8.5 Driver installation: Driver installation is only required and supported if the FL MGUARD PCI is operating in driver mode (see "Driver mode" on page 4-21). First complete the steps described under "Installing the hardware" on page 4-25. You should have the driver files on a data carrier. If not: download the driver files from the download area at www.innominate.com; extract the files from the ZIP; copy the extracted files to a data carrier (e.g. CD-ROM, USB memory stick). Startup under Windows XP: After installing the hardware, switch on the computer. Log on with administrator rights and wait until the following window appears: Found New Hardware Wizard (the wizard helps you install software for "Ethernet Controller"; if your hardware came with an installation CD or floppy disk, insert it now; "Please choose your search and installation options": "Search for the best driver in these locations", "Search removable media (floppy, CD-ROM...)", "Include this location in the search"). What do you want the wizard to do
364. the default settings or after flashing the FL MGUARD, the FL MGUARD GT/GT can be accessed within the network 192.168.1.0/24 via the LAN interface under IP address 192.168.1.1. To access the configuration interface, it may be necessary to adapt the configuration of your computer. Under Windows XP, proceed as follows: Click on Start, Control Panel, Network Connections. Right-click on the LAN adapter icon to open the context menu. In the context menu, click on Properties. In the "Properties of local network (LAN) connections" dialog box, select the General tab. Under "This connection uses the following items", select "Internet Protocol (TCP/IP)". Then click on Properties to display the following dialog box. Figure 5-1: Internet Protocol (TCP/IP) Properties (German dialog with the fields: obtain an IP address automatically, IP address, subnet mask, default gateway, use the following DNS server addresses, preferred DNS server, alternate DNS server). First select "Use the following IP address", then enter the following addresses, for ex
365. the imported remote certificate. To do this, proceed as follows: Click on "Current Certificate File" next to the "Download Certificate" row for the relevant remote certificate. Enter the desired information in the dialog box that opens. 6.5.3.5 CRL: Authentication >> Certificates >> CRL (tabs: Certificate settings, Machine Certificates, CA Certificates, Remote Certificates, CRL; example issuer: CN=Test CA, OU=Research & Development, O=Innominate Security Technologies AG, C=DE, Sep 8 18:29:14 2009 GMT). CRL stands for certificate revocation list. The CRL is a list containing serial numbers of blocked certificates. This page is used for the configuration of sites where the FL MGUARD should download CRLs in order to use them. Certificates are only checked for revocations if the "Enable CRL checking" option is set to Yes (see "Certificate settings" on page 6-121). A CRL with the same issuer name must be present for each issuer name specified in the certificate to be checked. If a CRL is not present and CRL checking is enabled, the certificate is considered invalid. Issuer: Information read directly from the CRL by the FL MGUARD; shows the issuer of the relevant CRL. Last Update: Information read directly from the CRL by the FL MGUARD; time and date of issue of the current CRL on the FL MGUARD. Next Update: Informati
366. the port number if required. Example: If this FL MGUARD can be accessed over the Internet via address https://123.45.67.89 and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89. If a different port number is used, it should be entered after the IP address, e.g. https://123.45.67.89:442. Configuration: To configure the device, make the desired or necessary settings on the individual pages of the FL MGUARD user interface (see "Configuration" on page 6-1). 6 Configuration, 6.1 Operation: You can click on the desired configuration via the menu on the left-hand side, e.g. Management, Licensing. The page is then displayed in the main window, usually in the form of one or more tab pages where settings can be made. If the page is organized into several tab pages, you can switch between them using the tabs at the top. Working with tab pages: You can make the desired entries on the corresponding tab page. See also "Working with sortable tables" on page 6-1. To apply the settings on the device, you must click on the Apply button. Once the settings have been applied by the system, a
367. the recovery system. It searches for a DHCP server via the LAN interface in order to obtain an IP address. The reaction of the device depends on its type: FL MGUARD RS: the State LED flashes. FL MGUARD GT/GT, FL MGUARD SMART: the middle LED (Heartbeat) flashes. FL MGUARD BLADE: the red LAN LED flashes. FL MGUARD PCI, FL MGUARD DELTA: the status LED flashes. The install.p7s file is loaded from the TFTP server. This contains the electronically signed control procedure for the installation process. Only files signed by Innominate are executed. The control procedure now deletes the current contents of the Flash memory and prepares for a new software installation. The reaction of the device depends on its type: FL MGUARD RS, FL MGUARD GT/GT: the Modem, State and LAN LEDs form a light sequence. FL MGUARD SMART: the three green LEDs form a light sequence. FL MGUARD BLADE, FL MGUARD PCI: the green LEDs and the red LAN LED form a light sequence. FL MGUARD DELTA: the status LED flashes faster. The jffs2.img.p7s firmware file is downloaded from the TFTP server and written to the Flash memory. This file contains the actual FL MGUARD operating system and is signed electronically. Only files signed by Innominate are accepted. This process takes around 3 to 5 minutes. Restart the recovery procedure and flashing the firmware: The reaction of the device depends on its ty
368. the revocation lists should be downloaded and applied. On the CRL tab page (see "CRL" on page 6-129), specify the origin of the FL MGUARD revocation lists. If CRL checking is enabled but CRL download is set to Never, the CRL must be manually loaded on the FL MGUARD so that the CRL checking can be performed. 6.5.3.2 Machine Certificates: The FL MGUARD authenticates itself to the remote peer using a machine certificate loaded on the FL MGUARD. The machine certificate acts as an ID card for the FL MGUARD, which it shows to the relevant remote peer. For a more detailed explanation, see "Authentication >> Certificates" on page 6-116. By importing a PKCS#12 file, the FL MGUARD is provided with a private key and the corresponding machine certificate. Multiple PKCS#12 files can be loaded on the FL MGUARD, enabling the FL MGUARD to show the desired self-signed or CA-signed machine certificate to the remote peer for various connections. In order to use the installed machine certificate, at this point it must be referenced additionally during the configuration of applications (SSH, VPN) so that it can be used for the relevant connection or remote access type. Example for imported machine certificates: Authentication >> Certificates (tabs: Certificate settings, Machine Certificates, CA Certificates, Remote Certificates). Machine
369. the voucher and the corresponding voucher key, then click on "Online License Request". The FL MGUARD now establishes a connection via the Internet and installs the corresponding license on the FL MGUARD if the voucher is valid. This option can be used if the license installed on the FL MGUARD has been deleted: Click on "Online License Reload". The licenses that were previously issued for this FL MGUARD are then retrieved from the server via the Internet and installed. After clicking on "Edit License Request Form", an online form is displayed which can be used to order the desired license. Enter the following information in the form: Voucher Serial Number (the serial number printed on your voucher), Voucher Key (the voucher key on your voucher), Flash ID (this is entered automatically). After sending the form, the license file is made available for download and can be installed on the FL MGUARD in a separate step. Filename (installing the license file): To install a license, first save the license file as a separate file on your computer, then proceed as follows: Click on Browse next to the Filename field. Select the file and open it so that the file name or path is displayed in the Filename field. Then click on "Install license file". 6.2.3.3 Terms of License: Management >> Licensing >> mGuard Firmware License Information
370. ther words, the last two bytes are free to be used for host addresses. Accordingly, an address space for up to 65,536 possible hosts (256 x 256) can be computed. Such a huge network is not practical and generates a need for subnetworks to be built. The subnet mask can be used for this purpose. Like an IP address, the mask is 4 bytes long. The bytes representing the network address are each assigned the value 255. The primary purpose of doing this is to enable a portion of the host address area to be borrowed and used for addressing subnetworks. For example, if the subnet mask 255.255.255.0 is used on a Class B network (2 bytes for the network address, 2 bytes for the host address), the third byte, which was actually intended for host addressing, can now be used for subnetwork addressing. This computes to potential support for 256 subnetworks, each with 256 hosts. IPsec (IP security): IPsec is a standard that uses encryption to verify the authenticity of the sender and to ensure the confidentiality and integrity of the data in IP datagrams (see "Datagram" on page 8-2). The components of IPsec are the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA) and the Internet Key Exchange (IKE). At the start of the session, systems wishing to communicate must determine which technique should be used and the implications of this choice for the session, e.g. transport mode or tunnel mode. In transport mode, an
371. to the entry in the "New TOS/DSCP" field. New TOS/DSCP: If you want to change the TOS/DSCP values of the data packets that are selected using the defined rules, enter what should be written in the TOS/DSCP field here. For a more detailed explanation of the "Current TOS/DSCP" and "New TOS/DSCP" options, please refer to the following RFC documents: RFC 3260 "New Terminology and Clarifications for Diffserv"; RFC 3168 "The Addition of Explicit Congestion Notification (ECN) to IP"; RFC 2474 "Definition of the Differentiated Services Field (DS Field)"; RFC 1349 "Type of Service in the Internet Protocol Suite". Queue Name: Name of the egress queue to which traffic should be assigned. Comment: Optional comment text. 6.10 Redundancy menu, 6.10.1 Ring Network Coupling: The Ring Network Coupling function is only supported by the FL MGUARD SMART, FL MGUARD RS and FL MGUARD GT/GT. It is not supported by the FL MGUARD DELTA, FL MGUARD PCI and FL MGUARD BLADE. 6.10.1.1 Ring Network Coupling: Redundancy >> Ring Network Coupling >> Settings: Enable Ring Network Coupling (Yes/No). Dual Homing: When activated in stealth mode, the status of the Ethernet connection is transmitted from one port to another. This means that interruptions in the network can be traced e
372. ts and indicators on the FL MGUARD DELTA. Table 3-8: Indicators on the FL MGUARD DELTA: Power ON: the power supply is active. ON: the FL MGUARD is starting. Heartbeat: the FL MGUARD is ready. Flash, flash, pause, etc. 4 Startup, 4.1 Safety notes: To ensure correct operation and the safety of the environment and of personnel, the FL MGUARD must be installed, operated and maintained correctly. WARNING: Intended use. Only use the FL MGUARD in an appropriate way and for its intended purpose. WARNING: Only connect LAN installations to RJ45 female connectors. Only connect the FL MGUARD network ports to LAN installations. Some telecommunications connections also use RJ45 female connectors; these must not be connected to the RJ45 female connectors of the FL MGUARD. Please also note the additional safety notes for the device in the following sections. General notes regarding usage. NOTE: Connection notes. A free PCI slot (3.3 V or 5 V) must be available on your PC when using the FL MGUARD PCI. Do not bend connecting cables. Only use the network connector for connection to a netw
373. t should be left at 0.0.0.0/0, as only one client can be addressed through the tunnel. If the "Allow packet forwarding between VPN connections" option is set to Yes on the Global tab page, the rules under Incoming are used for the incoming data packets to the FL MGUARD and the rules under Outgoing are applied to the outgoing data packets. If the outgoing data packets are included in the same connection definition for a defined VPN connection group, then the firewall rules for Incoming and Outgoing for the same connection definition are used. If a different VPN connection definition applies to the outgoing data packets, the firewall rules for Outgoing for this other connection definition are used. IPsec VPN >> Connections >> Edit >> Firewall: Incoming (columns: Protocol, From IP, To IP, From Port, To Port, Action, Comment, Log); Log entries for unknown connection attempts. "All" means TCP, UDP, ICMP and other IP protocols. 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 6-215). Incoming: From IP is the IP address in the VPN tunnel; To IP is the 1:1 NAT address or the real address. Outgoing: From IP is the 1:1 NAT address or the real address; To IP is the IP address in the VPN tunnel. Only evaluated for TCP and
374. twork >> DHCP: Internal DHCP: DHCP Mode: DHCP mode: Server. DHCP Server Options (example values shown): Enable dynamic IP address pool: Yes; DHCP lease time: 14400; DHCP range start: 192.168.1.100; DHCP range end: 192.168.1.199; Local netmask: 255.255.255.0; Broadcast address: 192.168.1.255; Default gateway: 192.168.1.1; DNS server: 10.0.0.254; WINS server: 192.168.1.2; Static Mapping: Client MAC Address, Client IP Address. DHCP Server Options: Enable dynamic IP address pool: Set this option to Yes if you want to use the IP address pool specified under "DHCP range start" and "DHCP range end" (see below). Set this option to No if only static assignments should be made using the MAC addresses (see below). With enabled dynamic IP address pool: When the DHCP server and the dynamic IP address pool have been activated, you can specify the network parameters to be used by the computer. DHCP range start/end: The start and end of the address area from which the DHCP server of the FL MGUARD should assign IP addresses to locally connected computers. DHCP lease time: Time in seconds for which the network configuration assigned to the computer is valid. The client should renew its assigned configuration shortly before this time elapses. Otherwise it may be assigned to other computers. Local netmask: Specifies the subnet mask of the computers. Default: 255.255.255.0. Broadcast address: Specifies the broadcast address of the computers. Defaul
375. uests to the RADIUS server are repeated after the RADIUS timeout time has elapsed. Default: 3. Server: Name of the RADIUS server or its IP address. Port: The port number used by the RADIUS server. Secret: RADIUS server password. 6.5.2.3 Access: Authentication >> Firewall Users >> Access (tabs: Firewall Users, RADIUS Servers, Access): HTTPS Authentication via Interface: Internal, External, Dial-In. Please note: Login of firewall users is possible only via the interfaces listed above if HTTPS remote access is enabled therefor as well (see Management >> Web Settings). Authentication >> Firewall Users >> Access: Authentication via HTTPS. NOTE: For authentication via an external interface, please consider the following: If a firewall user can log in via an unsecure interface and the user leaves the session without logging out correctly, the login session remains open and could be misused by another unauthorized person. An interface is unsecure, for example, if a user logs in via the Internet from a location or a computer to which the IP address is assigned dynamically by the Internet service provider (this is usually the case for many Internet users). If such a connection is temporarily interrupted (e.g. because the user logged in is being assigned a different IP address), this user must log in again. However, the old login sess
376. ules. When web access via HTTPS protocol is enabled, the FL MGUARD can be configured from a remote computer using its web-based administrator interface. This means that a browser on the remote computer is used to configure the FL MGUARD. This option is disabled by default. NOTE: If remote access is enabled, ensure that secure passwords are defined for root and admin. To enable HTTPS remote access, make the following settings: Management >> Web Settings >> Access: HTTPS Web Access: Enable HTTPS remote access (Yes/No): If you want to enable HTTPS remote access, set this option to Yes. Internal HTTPS access (i.e. from the directly connected LAN or from the directly connected computer) can be enabled independently of this setting. The firewall rules for the available interfaces must be defined on this page under "Allowed Networks" in order to specify differentiated access options on the FL MGUARD. In addition, the authentication rules under "User authentication" must be set if necessary. Management >> Web Settings >> Access (continued): Allowed Networks. Remote HTTPS TCP Port: Default: 443. If this port number is changed, the new port number only applies for access via the External, External 2, VPN and Dial-in interface. Port number 443 still applies for internal access
377. ules. Sets of Rules: Lists all the defined firewall rule sets. Rule sets are only used if they are referenced on the Incoming Rules or Outgoing Rules tab page. A rule set that is referenced in a firewall rule is only used if it meets all the criteria of this firewall rule. Enabled: Activates/deactivates the relevant rule set. Name: Name of the rule set. The name is specified when the rule set is created. The Set of Rules page is displayed when you click on Edit: Network Security >> Packet Filter >> Set of Rules (example: "unnamed Set of Rules"; General: A descriptive name for the set; Enabled: Yes; Firewall rules with a generated Log ID; one rule: TCP, from 0.0.0.0/0 any, to 0.0.0.0/0 any, Accept, Log No). Network Security >> Packet Filter >> Sets of Rules (continued): General: A descriptive name for the set: A name that can be freely assigned. Although it can be freely selected, the name must clearly define the rule set. A rule set can be referenced from the list of incoming and outgoing rules using this name. To do this, the relevant rule set name is selected in the Action column. Enabled: Activates/deactivates the relevant rule set. Firewall rules: Protocol: TCP, UDP, ICMP, All. From IP / To IP: 0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Cla
378. wer case letters and numbers to prevent unauthorized access. The HTTPS server should only grant access to this individual FL MGUARD using the login and password specified. Otherwise users could access other FL MGUARD devices. The IP address or the host name specified under Server must be the same as the server certificate's common name (CN). Self-signed certificates should not use the key usage extension. To install a certificate, proceed as follows: Requirement: The certificate file must be saved on the connected computer. Click on Browse to select the file. Click on Import. Download Test: By clicking on "Test Download", you can test whether the specified parameters are correct without actually saving the modified parameters or activating the configuration profile. The result of the test is displayed in the right-hand column. Ensure that the profile on the server does not contain unwanted variables starting with GAI_PULL_, as these overwrite the applied configuration. 6.2.8 Management >> Restart, 6.2.8.1 Restart: Management >> Restart: Restart (Note: please give the device approximately 40 seconds to reboot). Restarts the FL MGUARD. Has the same effect as a temporary interruption in the power supply, whereby the FL MGUARD is switched off and on again. A resta
379. wing is checked using periodic ping tests: Can a specific destination (or destinations) be reached when data packets take the route based on all the routing settings specified for the FL MGUARD, apart from those specified for the secondary external interface? Only if none of the ping tests are successful does the FL MGUARD assume that it is currently not possible to reach the destination(s) via the primary external interface (Ethernet interface or WAN port of the FL MGUARD). In this case, the secondary external interface is activated, which results in the data packets being routed via this interface according to the routing setting for the secondary external interface. The secondary external interface remains activated until the FL MGUARD detects in subsequent ping tests that the destination(s) can be reached again. If this condition is met, the data packets are routed via the primary external interface again and the secondary external interface is deactivated. Therefore, the purpose of the ongoing ping tests is to check whether specific destinations can be reached via the primary external interface. When they cannot be reached, the secondary external interface is activated until they can be reached again. Type / Destination: Specify the ping. Type: Type of the ping request packet that the FL MGUARD is to send to the device with the IP address specified under Destination. Multiple ping tests can be configured for different destinations. Success/failure
380. wired terminal blocks. Make any necessary network connections at the LAN port or WAN port (see "Connecting to the network" on page 4-6). Connect the corresponding device at the serial port as required (see "Serial port" on page 4-10). Remove or disconnect connections: To remove the FL MGUARD GT/GT from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down without tilting the screwdriver, and pull up the FL MGUARD GT/GT. 4.4.2 Connecting the supply voltage: Please note that there are several options when connecting the supply voltage and the optional VPN enable button/signal contact: simple connection of the supply voltage/signal contact without VPN enable button; simple connection of the supply voltage/signal contact with VPN enable button; redundant connection of the supply voltage/signal contact without VPN enable button; redundant connection of the supply voltage/signal contact with VPN enable button. The MC1/GND connection terminal blocks can be used either for the connection of a redundant power supply or a VPN enable button. WARNING: The FL MGUARD GT/GT is designed for operation with a DC voltage of 18 V DC to 32 V DC (SELV), 0.5 A maximum. Therefore only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the su
381. work ports required for the CIFS server have priority over port forwarding. Please note: Access to the CIFS server is granted from the internal side, via dial-in and VPN by default and can be restricted by these firewall rules. Consolidated Imported Shares (export directory, scan). CIFS Integrity Monitoring >> CIFS AV Scan Connector: CIFS Server: Enable the server: No: CIFS server is not available; Yes: CIFS server is available. Server's workgroup: Name of the CIFS server workgroup. Login: Login for the server. Password: Password for login. Exported share's name: Name for the computers that should use the CIFS server to access the combined drives (the drives are connected under this name). Allow write access: No: read-only access; Yes: read and write access. CIFS Integrity Monitoring >> CIFS AV Scan Connector (continued): Allowed Networks: These rules allow external access to the CIFS server of the FL MGUARD. In router mode with NAT or port forwarding, the port numbers for the CIFS server have priority over the rules for port forwarding (port forwarding is set under Network >> NAT). Access to the CIFS server is approved internally, via incoming calls (dial-in) and VPN as standard, and can be restricted or expanded via the firewall rules. A different default setting can also be defined using thes
382. xternal IP. Figure 4-20: Power-over-PCI mode. Router mode: If the FL MGUARD is in router mode (or PPPoE or PPTP mode), the FL MGUARD and the network card connected to its LAN female connector (installed in the same computer or another computer) act as a separate network. For the IP configuration of the network interface of the operating system for the computer in which the network card is installed, this means that an IP address must be assigned to this network interface that differs from the internal IP address of the FL MGUARD (by default upon delivery this is 192.168.1.1). A third IP address is used for the interface of the FL MGUARD to the WAN. It is used for connection to an external network, e.g. Internet. 4.8.3 Installing the hardware: 1 Rescue button. 2 Jumper for activating/deactivating driver mode. 3 LAN port: Deactivated in driver mode. In Power-over-PCI mode, the network card of the same or another computer to be protected (or of the network to be protected) is connected here. 4 WAN port: Connections to the external network (e.g. Internet) are established via this interface. With the default firewall settings, incoming connections are blocked here. Use a UTP cable (CAT5). NOTE: Electrostatic discharge. Before installation, touch the metal frame of the PC in which the FL MGUARD PCI is to be installed in order to
383. y. The IP address of a device in the local network (connected to the LAN port) or the IP address of a device in the external network (connected to the WAN port) can be specified here. If the FL MGUARD establishes the transition to the Internet, this IP address is assigned by the Internet service provider (ISP). If the FL MGUARD is used within the LAN, the IP address of the default gateway is assigned by the network administrator. If the local network is not known to the external router (e.g. in the event of configuration via DHCP), specify your local network under Network >> NAT (see page 6-96). Internal Networks: See "Internal Networks" on page 6-72. Secondary External Interface: See "Secondary External Interface" on page 6-66. Router network mode: DHCP router mode: Network >> Interfaces (tabs: General, Dial-in, Modem, Console; Network Status: External IP address, Active Default route, Used DNS servers; Network Mode: Router; Router Mode). There are no additional setting options for Router network mode / DHCP router mode. Network >> Interfaces >> General: Router network mode / DHCP router mode: Internal Networks: See "Internal Networks" on page 6-72. Secondary External Interface: See "Secondary External Interface" on page 6-66. Router network mode: PPP
384. y out the recovery procedure. Accept means that the data packets may pass through. Reject means that the data packets are sent back, so the sender is informed of their rejection. (In stealth mode, Reject has the same effect as Drop.) Drop means that the data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts. Comment: Freely selectable comment for this rule. Log: For each individual firewall rule, you can specify whether the use of the rule should be logged (set Log to Yes) or should not be logged (set Log to No, default setting). External 2 and Dial-in are only for devices with a serial interface (see "Network >> Interfaces" on page 6-55). Management >> Web Settings >> Access: User authentication: User authentication method (example: "Login restricted to X.509 client certificate"; entries Web RootCA, Web SubCA, admin, Meyer Ralf, root). User authentication method: Defines how the FL MGUARD authenticates the remote peer. "Login with password" specifies that the remote FL MGUARD user must use a password to log in to the FL MGUARD. The password is specified under the Authentication >> Local Users menu (see page 6-111). Depending on which user ID is used (user or administrator password), the user has the corresponding rights to operate an
385. y's website may be in the DMZ so that new pages can only be copied to the server from the Intranet using FTP. However, the pages can be read from the Internet via HTTP. IP addresses within the DMZ can be public or private, and the FL MGUARD, which is connected to the Internet, forwards the connections to private addresses within the DMZ by means of port forwarding. Figure 2-3: DMZ (Intranet, firewall, DMZ server, firewall, Internet). 2.4 VPN gateway: The VPN gateway provides company employees with encrypted access to the company network from home or when traveling. The FL MGUARD performs the role of the VPN gateway. IPsec-capable VPN client software must be installed on the external computers and the operating system must support this function. For example, Windows 2000/XP can be used, or the computer can be equipped with an FL MGUARD. Figure 2-4: VPN gateway. 2.5 WLAN via VPN: WLAN via VPN is used to connect two company buildings via a WLAN path protected using IPsec. The annex should also be able to use the Internet connection of the main building. Figure 2-5: WLAN via VPN (main building, Internet, networks 192.168.1.0/24 and 192.168.2.0/24). In this example, the FL MGUARD devices were set to router mode and a separate network
386. yDynDNS, DNS4BIZ. DynDNS Server: Name of the server for the selected DynDNS provider. DynDNS Login / DynDNS Password: Enter the user name and password assigned by the DynDNS provider here. Network >> DNS >> DynDNS (continued): DynDNS Hostname: The hostname selected for this FL MGUARD at the DynDNS service, providing you use a DynDNS service and have entered the corresponding data above. The FL MGUARD can be accessed via this hostname. 6.4.4 Network >> DHCP: The Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign the network configuration set here to the computer connected directly to the FL MGUARD. Under Internal DHCP you can specify the DHCP settings for the internal interface (LAN port), and under External DHCP the DHCP settings for the external interface (WAN port). The DHCP server also operates in stealth mode. IP configuration for Windows computers: When you start the DHCP server of the FL MGUARD, you can configure the locally connected computers so that they obtain their IP addresses automatically. Under Windows XP: In the Start menu, select Control Panel, Network Connections. Right-click on the LAN adapter icon and select Properties from the context menu. On the General t