Industrial ETHERNET Firewall EAGLE 20, User Manual Configuration
Contents
1. CIDR notation: 149.218.112.0/25, where the number after the slash is the number of mask bits. The combination of a number of class C address ranges is known as supernetting. This enables you to subdivide class B address ranges to a very fine degree. (EAGLE Konfiguration, Release 5.0, 09/2010)

Entering the IP Parameters, 3.2 Entering IP parameters via CLI
If you do not configure the system via DHCP, the HiDiscovery protocol or the ACA (AutoConfiguration Adapter), then you perform the configuration via the V.24 interface using the CLI.

Figure 9: Flow chart for entering IP addresses
- Connect the PC, with the terminal program started, to the RJ11 socket.
- The Command Line Interface starts after a key press.
- Log in and change to the Privileged EXEC mode.
- Select the operating mode: Transparent, Router or PPPoE.
- Enter and save the IP parameters.

Note: If there is no terminal or PC with terminal emulation available in the vicinity of the installation location, you can configure the device at your own workstation, then take it to its final installation location.

- Set up a connection to the device (see "Opening the Command Line Interface" on page 27). The start screen appears.

NOTE: Enter "?" for Command Help. Command help displays all options that are valid for the particular…
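The CIDR arithmetic behind that paragraph, as an added example that is not part of the manual: converting mask bits to a netmask and back, the supernetting operation that collapses adjacent class C ranges into one prefix, and the subdivision count for a class B range. It uses only the Python standard library; the addresses are the manual's 149.218.112.0/25 and two further ranges chosen for illustration.

```python
import ipaddress


def prefix_to_netmask(prefix_len: int) -> str:
    """Dotted-decimal netmask for a CIDR prefix length (the 'mask bits' after the slash)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def netmask_to_prefix(netmask: str) -> int:
    """Inverse of prefix_to_netmask; rejects masks whose one bits are not contiguous."""
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF != value:
        raise ValueError(f"{netmask} is not a valid contiguous netmask")
    return ones


def smallest_covering_prefix(cidrs):
    """Supernetting: the longest prefix that still covers every given network.

    Two adjacent /24s (old class C ranges) collapse into one /23, and so on.
    Networks that are not aligned still get covered, just by a wider prefix.
    """
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Walk from the longest prefix down; the first one that spans low..high is the answer.
    for plen in range(32, -1, -1):
        candidate = ipaddress.IPv4Network((low, plen), strict=False)
        if int(candidate.network_address) <= low and int(candidate.broadcast_address) >= high:
            return candidate
    raise AssertionError("unreachable: /0 covers everything")


def subnet_count(cidr: str, new_prefix: int) -> int:
    """How many /new_prefix subnets fit into cidr (e.g. a class B split into /25s)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the network's own prefix")
    return 2 ** (new_prefix - net.prefixlen)


def contains(cidr: str, address: str) -> bool:
    """True if address lies inside the CIDR range (the test a packet filter rule performs)."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(cidr, strict=True)


if __name__ == "__main__":
    print("149.218.112.0/25 netmask:", prefix_to_netmask(25))
    print("two /25 halves supernetted:", smallest_covering_prefix(["149.218.112.0/25", "149.218.112.128/25"]))
    print("149.218.0.0/16 split into /25s:", subnet_count("149.218.0.0/16", 25))
```

Note that `netmask_to_prefix` deliberately rejects masks such as 255.0.255.0: the CIDR prefix length only describes masks whose one bits are contiguous, and a non-contiguous mask typed into a dialog is almost always a mistake.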
2. [Figure 64: Static address input; the DHCP server is listening on port 67.] Click New.

Setting up the Configuration Environment, A.1 Setting up the DHCP Server Environment
[Figure 65: Adding static addresses in haneWIN DHCP Server 2.7.3 ("Observed MAC addresses" window with the columns static / dynamic / ignored, listening on port 67).]
- Enter the MAC address of the device.
- Enter the IP address of the device.
- Select the configuration profile of the device.
- Click Apply and then OK.

Add static entries: With static entries you can assign clients with a known hardware address or identifier a fixed IP address and a configuration profile. The assigned IP addresses must not overlap with the dynamic address ranges. Identifiers or hardware addresses must be specified byte by byte in hexadecimal notation. For MAC (hardware) addresses the bytes must be separated by a dash or a colon.

[Figure 66: Entries for static addresses. The dialog offers Client Identifier, Circuit Identifier, Remote Identifier or Hardware address (example value 00-20-63-51-74-00), IP Address (example value 149.218.112.105), an optional Configuration Profile (example PowerMICE1.05), a Remark field and the option "Redundant entry: allow entry with an existing IP address".]
- Add an entry for each device that will get its parameters from the DHCP server.
3. - Select the IP Networks tab page. The device shows an empty table.
- Click on Create entry to create a new line. In the 1st line enter: Source address (CIDR) 10.0.1.0/24, Destination address (CIDR) 10.0.4.0/24, Description "FW 1 to FW 3".
- Click on Create entry to create a new line. In the 2nd line enter: Source address (CIDR) 10.0.4.0/24, Destination address (CIDR) 10.0.3.0/24, Description "FW 2 to FW 3".
- Click on Write to temporarily save the data.
- Click on Back to return to the Virtual Private Network: Connections dialog.

Controlling the Data Traffic, 7.5 VPN (Virtual Private Network)
- Save your settings: click on Write to temporarily save the data, then select the dialog Basic Settings: Load/Save to save the example configuration permanently and click on Save to NVM + ACA. This writes the data permanently to the non-volatile memory (not temporarily, as the temporary save above does).
- Create the routing on Firewall 2: select the dialog Virtual Private Network: Connections, select the connection with the name "Production control production hall 1" and click on Edit. Select the IP Networks tab page; the device shows an empty table. Click on Create entry to create a new line. In the 1st line enter: Source address (CIDR) 10.0.3.0/24, Destination address (CIDR) 10.0.1.0/24, Description "FW 2 to FW 1". Click on Write to tem…
4. … if you want the device to evaluate the VLAN tag of the data packets received. When this function is active, the device drops all received data packets whose VLAN tag contains a VLAN ID different from the one entered in this dialog.
- The VLAN ID line enables you to allocate a VLAN to the interface.

Entering local IP parameters
- Enter the IP address of the device in the IP Address field.
- Enter the netmask in the Netmask field.
- In the Gateway IP Address field, enter the IP address of the gateway to which the device is to forward data packets whose destination address is outside its own subnetwork.
- If you want to allocate more than one IP address to an interface, press Create to enter additional IP parameters in the table below. You require multiple IP addresses on an interface if you want to connect large flat networks with different subnetworks at one port.

Getting IP parameters via DHCP
- You enter the name applicable to the DHCP protocol in the Name line of the System dialog of the Web-based interface.

Entering the IP Parameters, 3.6 Web-based IP Configuration
Entering PPPoE connection parameters
- Enter the connection parameters that you got from your provider for the connection: Username, Password and MTU (Maximum Transmission Unit). The MTU specifies the maximum frame size that this connection can transmit. If larger data pack…
5. Contents (continued)
8.4.1 Controlling the Signal Contact 213
8.4.2 Monitoring Correct Operation via the Signal Contact 215
8.4.3 Monitoring the Device Status via the Signal Contact 216
8.5 Port Status Indication 217
8.6 Network Load and Event Counter at Port Level 218
8.6.1 Network Load 218
8.6.2 Port Statistics 219
8.7 Topology Discovery 221
8.7.1 Description of Topology Discovery 221
8.7.2 Displaying the Topology Discovery Results 223
8.8 Configuration Check 226
8.9 Reports 227
A Setting up the Configuration Environment 229
B General Information 239
C Readers' Comments 245
D Index 247
E Further Support 253

About this Manual
The Configuration user manual contains all the information you need to start operating the Industrial ETHERNET Firewall EAGLE. It takes you step by step from the first startup operation through to the basic settings for operation in your environment. The following steps should be performed to install and configure the device:
- Select the operating mode depending on the area of application: Transparent (bridging), Router (different subnets) or PPPoE (Internet access via DSL).
- Configure the operating mode selected.
- Create firewall rules and set up the VPN.
The Installation user manual contains a device description, safety instructions, a description of the display and the other information that you…
6. 7.3.2 Application example for the User Firewall function
The figure shows a typical application case: a service technician wants to download a software update from a server for the maintenance of a robot. The following is known:

  Parameter                    Firewall      Service PC    Server
  IP address of internal port  10.0.1.201    -             -
  External port                PPPoE         -             -
  IP address                   -             10.0.1.51     10.149.1.51
  Gateway                      -             10.0.1.201    -

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
- The gateway and the IP address of the PC are configured.
- The packet filters are configured according to the example (see "Application Example for Packet Filter" on page 132).
- The external authentication for the service is configured (see "Application example for external Authentication" on page 123).

[Figure 43: User firewall application example]

Controlling the Data Traffic, 7.3 User Firewall
- Create a user firewall entry: select the dialog Network Security: User Firewall Entries. Click on Create Entry; you thus add a new entry to the table. Select the entry and click on Edit. Select the tab page Basic Settings and enter the data: Name "Service User" (this is the name for this user…
7. Table 14: Interface settings for Hirschmann Address Mapping on the participating firewalls

  Parameter                                      Firewall 1     Firewall 2     Firewall 3
  IP address of internal port                    10.0.1.201     10.0.3.201     10.0.3.201
  IP address of external port                    10.0.2.1       10.0.2.2       10.0.2.3
  Pre-shared key                                 456789defghi   456789defghi   456789defghi
  Start IKE mode as                              Initiator      Responder      Responder
  IP parameters of the networks to be connected  10.0.1.0/24    10.0.3.0/24    10.0.3.0/24
  Mapped IP parameter from the network           -              10.0.4.0/24    10.0.5.0/24

The pre-shared key shown is the example's placeholder. In production, use a long, randomly generated key and do not reuse it across unrelated tunnels, since anyone who obtains it can authenticate as either peer.

For the routing of Firewall 1, set the IP networks for every VPN connection in the dialog VPN: Connections, tab page IP Networks, according to the following table.

Table 15: VPN routing settings for Hirschmann Address Mapping on the firewall of the production control

  VPN name                               Index  Source address (CIDR)  Destination address (CIDR)  Description
  Production control production hall 1   1      10.0.1.0/24            10.0.4.0/24                 FW 1 to FW 2
  Production control production hall 2   1      10.0.1.0/24            10.0.5.0/24                 FW 1 to FW 3

For the address mapping of Firewalls 2 and 3, set the IP networks in the dialog VPN: Connections, tab page IP Networks, according to the following table.

Table 16: VPN routing settings for Hirschmann Address Mapping on th…

  Firewall  Index  Source address (CIDR)  Destination address (CIDR)  Mapped source address (CIDR)  Description
  2         1      10.0.3.0/24            10.0.1.0/24                 10.0.4.0/24                   FW 2 to FW 1
  3         1      10.0.3.0/24            10.0.1.0/24                 10.0.5.0/24                   FW 3 to FW 1
8. Entering the IP Parameters, 3.2 Entering IP parameters via CLI (page 48)

  enable                                          Switch to the Privileged EXEC mode.
  network mode pppoe                              Select the PPPoE mode (state on delivery: Transparent mode).
  network router proto int none                   Deactivate DHCP on the internal interface (state on delivery: disabled).
  network router param int ip 172.17.1.100        Allocate the IP address 172.17.1.100 to the internal interface.
  network router param int netmask 255.255.255.0  Allocate the netmask 255.255.255.0 to the internal interface.
  copy config running-config nv                   Save the current configuration to the non-volatile memory.

After entering the IP parameters you can easily configure the device via the Web-based interface (see the Web-based Interface reference manual).

External interface
- Enter the connection parameters that you got from your provider for the connection: Username, Password and MTU (Maximum Transmission Unit). The MTU specifies the maximum frame size that this connection can transmit. If larger data packets are to be transmitted, the Firewall fragments the larger data packet into multiple smaller data packets.
- Save the configuration entered with "copy config running-config nv" or Save.

  enable                              Switch to the Privileged EXEC mode.
  network pppoe username Peter        Enter the user name "Peter".
  network pppoe password Holidays     Enter the password "Holidays".
  network pppoe mtu size 1492         Enter the maximum frame size as 1492.
  copy c…

Note that the PPPoE password is typed in cleartext as a command argument; anyone who can see the screen or the terminal program's session log can read it, so treat that log as confidential.
9. - Open the Command Line Interface (see "Opening the Command Line Interface" on page 27).

  enable                                       Switch to the Privileged EXEC mode.
  copy firmware aca filename eagleSDV.bin nv   Load the firmware with the file name eagleSDV.bin from the ACA into the non-volatile memory.
  Are you sure (Y/N)? Y                        Confirm the operation with Y.

Performing a cold start

  enable                                       Switch to the Privileged EXEC mode.
  reboot                                       Perform a cold start.

In the System Monitor, the menu item "End (reset and reboot)" of the system monitor allows you to reset the hardware of the device and perform a restart.

Basic Settings, 4.2 Loading Software Updates, 4.2.4 Loading the Software via File Selection
For an HTTPS update via a file selection window, the device software must reside on a location that is accessible from your workstation.
- Select the Basics: Software dialog.
- In the file selection frame, click on "…".
- In the file selection window, select the device software eagleSDV.bin and click on Open.
- Click on HTTPS Update to transfer the software to the device. The end of the update is indicated by one of the following messages: "Update completed successfully", "Update failed. Reason: incorrect file", "Update failed. Reason: error when saving".
- After successfully loading it, you activate the new software: select the Basic Settings: Restart dialog and perform a cold start. In a cold start the device r…
10. Controlling the Data Traffic, 7.2 NAT (Network Address Translation), 7.2.4 NAT Application Examples

Connecting a production cell with the company network via 1:1 NAT
You have multiple identical production cells and want to connect them with your company network. As even the IP addresses used in the production cells are identical, you convert the IP addresses using the 1:1 NAT function. The following is known:

  Parameter         Firewall Number 1   Firewall Number 2
  Internal Network  10.0.1.192/28       10.0.1.192/28
  External Network  10.0.2.192/28       10.0.2.208/28

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the router interface are configured.
- The gateway and the IP address of the devices in the production cells are configured.
- The devices in the production cells have the IP address of the internal interface (port 1) of the Firewall as their gateway.

[Figure 39: Connecting one of multiple identical production cells with the company network via 1:1 NAT. Addresses shown in the figure: 10.0.1.194 and 10.0.1.193 on the internal side of each cell, 10.0.2.1, 10.0.2.17 and 10.0.2.33 on the external side.]

- First you configure Firewall number 1. Enter the parameters for converting the IP addresses: select the dialog Network Security: NAT: 1:1 NAT, then click on Create Entr…
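How 1:1 NAT and the Hirschmann Address Mapping of item 7 actually rewrite addresses, as an added example that is not part of the manual: the host part of an address is kept and only the network part is swapped, so two cells that both use 10.0.1.192/28 appear on the company network as 10.0.2.192/28 and 10.0.2.208/28, and two production halls that both use 10.0.3.0/24 appear to the production control as 10.0.4.0/24 and 10.0.5.0/24. The network values are the manual's; the `resolve_cell` helper and the overlap check are additions.

```python
import ipaddress


class OneToOneNat:
    """1:1 NAT between two equally sized networks: host part kept, network part swapped."""

    def __init__(self, internal_cidr: str, external_cidr: str):
        self.internal = ipaddress.IPv4Network(internal_cidr, strict=True)
        self.external = ipaddress.IPv4Network(external_cidr, strict=True)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT requires networks of the same size")

    @staticmethod
    def _translate(addr, src_net, dst_net):
        a = ipaddress.IPv4Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        host_part = int(a) - int(src_net.network_address)
        return ipaddress.IPv4Address(int(dst_net.network_address) + host_part)

    def outbound(self, internal_addr):
        """Packets leaving the cell: internal source address -> external address."""
        return self._translate(internal_addr, self.internal, self.external)

    def inbound(self, external_addr):
        """Packets entering the cell: external destination address -> internal address."""
        return self._translate(external_addr, self.external, self.internal)


def resolve_cell(external_addr, firewalls):
    """Given an address seen on the company network, return (firewall name, real internal
    address). Two firewalls claiming the same external range is a configuration error,
    so that case raises instead of silently picking one."""
    hits = [(name, nat) for name, nat in firewalls.items()
            if ipaddress.IPv4Address(external_addr) in nat.external]
    if len(hits) > 1:
        raise ValueError("external ranges overlap: " + ", ".join(name for name, _ in hits))
    if not hits:
        return None
    name, nat = hits[0]
    return name, str(nat.inbound(external_addr))


# Values from the 1:1 NAT example above: two identical production cells.
CELL_FIREWALLS = {
    "Firewall 1": OneToOneNat("10.0.1.192/28", "10.0.2.192/28"),
    "Firewall 2": OneToOneNat("10.0.1.192/28", "10.0.2.208/28"),
}

# Values from the Hirschmann Address Mapping tables: identical 10.0.3.0/24 behind FW 2 and FW 3.
MAPPED_FIREWALLS = {
    "Firewall 2": OneToOneNat("10.0.3.0/24", "10.0.4.0/24"),
    "Firewall 3": OneToOneNat("10.0.3.0/24", "10.0.5.0/24"),
}

if __name__ == "__main__":
    for name, nat in CELL_FIREWALLS.items():
        print(name, "device 10.0.1.194 is reachable from the company network as", nat.outbound("10.0.1.194"))
    print("10.0.2.210 belongs to", resolve_cell("10.0.2.210", CELL_FIREWALLS))
```

The overlap check is the part worth keeping: with many identical cells it is easy to assign two firewalls overlapping external ranges, and then packets from the company network reach a cell other than the intended one without any error being reported.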
11. Testing the newly created packet filter rules
- Click on Release for Test.
- Select the FLM Control tab page.
- Click on Start test mode. The Web-based interface sets the number of IP entries learned in the test mode so far to 0.
- On your configuration computer, once again load the Web-based interface of the switch in the production cell in another browser window. To test the new packet filter rules, access dialog pages and HTML pages again. You thus create the desired SNMP and HTTP traffic.
- Go back to the assistant for the firewall learn mode.
- Click on Stop test mode. The Web-based interface refreshes its display and shows the number of new IP entries that the device has learned in the test mode.
- Select the External interface tab page. During the learning, the device has now ignored the HTTP and SNMP traffic that you previously permitted. If you discover in the learned data additional traffic that you want to permit, you have the option to derive additional rules from this traffic. Afterwards, repeat the test.

Controlling the Data Traffic, 7.1 Packet Filter
Closing the assistant for the firewall learn mode and saving the new packet filter rules
- Select the FLM Control tab page.
- In the Operation frame, click Off.
- To close the assistant for the firewall learn mode, click on Write. The…
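The logic of that test cycle, as an added example that is not the device's own code: flows already covered by a permitted rule are ignored, everything else is collapsed into host-to-host candidate rules with a hit count, and the number of candidates is the "entries learned" counter the assistant displays. The flow records, the addresses (configuration computer 10.0.1.51, switch in the cell 10.0.1.194) and the two already-permitted rules are constructed for the example; the manual only says that HTTP and SNMP were permitted earlier.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR
    dst: str       # CIDR
    proto: str     # "tcp", "udp", "icmp" or "any"
    dport: object  # integer port or "any"

    def matches(self, flow) -> bool:
        return (ipaddress.IPv4Address(flow["src"]) in ipaddress.IPv4Network(self.src)
                and ipaddress.IPv4Address(flow["dst"]) in ipaddress.IPv4Network(self.dst)
                and self.proto in ("any", flow["proto"])
                and self.dport in ("any", flow["dport"]))


def learn(flows, permitted_rules):
    """Test-mode learning: skip flows a permitted rule already covers, collapse the rest
    into host-to-host candidate rules and count hits, so the administrator sees exactly
    what would be opened by accepting each candidate."""
    candidates = Counter()
    for flow in flows:
        if any(rule.matches(flow) for rule in permitted_rules):
            continue  # already permitted: ignored, as in the device's test mode
        candidates[Rule(flow["src"] + "/32", flow["dst"] + "/32", flow["proto"], flow["dport"])] += 1
    return candidates


def learned_ip_entries(flows, permitted_rules) -> int:
    """The counter the assistant shows after Stop test mode."""
    return len(learn(flows, permitted_rules))


# Rules derived in the earlier run of the assistant (HTTP and SNMP from the configuration
# computer to the switch in the production cell); addresses are assumptions for the example.
PERMITTED = [
    Rule("10.0.1.51/32", "10.0.1.194/32", "tcp", 80),
    Rule("10.0.1.51/32", "10.0.1.194/32", "udp", 161),
]

# Constructed flow records standing in for what the device observes during the test.
OBSERVED = [
    {"src": "10.0.1.51", "dst": "10.0.1.194", "proto": "tcp", "dport": 80},
    {"src": "10.0.1.51", "dst": "10.0.1.194", "proto": "tcp", "dport": 80},
    {"src": "10.0.1.51", "dst": "10.0.1.194", "proto": "udp", "dport": 161},
    {"src": "10.0.1.51", "dst": "10.0.1.194", "proto": "tcp", "dport": 443},  # not yet permitted
    {"src": "10.0.1.51", "dst": "10.0.1.194", "proto": "tcp", "dport": 443},
    {"src": "10.0.1.60", "dst": "10.0.1.194", "proto": "tcp", "dport": 22},   # a different host
]

if __name__ == "__main__":
    print("new IP entries learned:", learned_ip_entries(OBSERVED, PERMITTED))
    for rule, hits in learn(OBSERVED, PERMITTED).items():
        print(f"{hits:3d}x  {rule.src} -> {rule.dst} {rule.proto}/{rule.dport}")
```

Candidates are kept as /32 to /32 on purpose: a learn mode that generalised to whole subnets would turn one stray connection during the test window into a broad permit, which defeats the point of deriving rules from observed traffic.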
12. … displays the status of the SNTP client as one or more text messages, e.g. "Server 2 not responding".

Configuration SNTP Client
- In External server address, you enter the IP address of the SNTP server from which the device periodically requests the system time.
- In Redundant server address, you enter the IP address of an additional SNTP server. The device periodically requests the system time from this server if it does not receive a response from the server at the External server address within 1 second.
  Note: If you are receiving the system time from an external or redundant server address, do not accept any SNTP broadcast packets (see below). You thus ensure that the device uses the time of the server entered.
- In Server request interval, you specify the interval at which the device requests SNTP packets (valid entries 1 s to 3 600 s, on delivery 30 s).
- With Accept SNTP Broadcasts, the device takes the system time from SNTP broadcast/multicast packets that it receives.

Configuration SNTP Server
- In Anycast destination address, you enter the IP address to which the SNTP server of the device sends its SNTP packets (see table 6).
- In Anycast send interval, you specify the interval at which the device sends SNTP packets (valid entries 1 s to 3 600 s, on delivery 120 s).
- With Disable Server at local time source, the device disables the SNTP server function i…
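The client side of that behaviour, as an added example that is not the device's code: a minimal SNTP request/reply with the 1-second timeout and the fall-back to the redundant server described above. The reply parser rejects anything that is not a server reply (mode 4 or 5) or that carries stratum 0, which is how a server signals that it is unsynchronised. The transport is injectable so the example runs offline against a constructed reply; the server addresses 10.0.1.10 and 10.0.1.11 are assumptions.

```python
import socket
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
SNTP_PORT = 123


def build_request() -> bytes:
    """48-byte SNTP request: LI=0, VN=4, Mode=3 (client); every other field zero."""
    return bytes([0x23]) + bytes(47)


def parse_reply(data: bytes) -> float:
    """Return the server's Transmit Timestamp as Unix time, or raise ValueError."""
    if len(data) < 48:
        raise ValueError("reply shorter than 48 bytes")
    mode = data[0] & 0x07
    if mode not in (4, 5):  # 4 = server reply to a unicast request, 5 = broadcast
        raise ValueError(f"unexpected mode {mode}")
    if data[1] == 0:        # stratum 0: kiss-o'-death / server not synchronised
        raise ValueError("server reports stratum 0")
    seconds, fraction = struct.unpack("!II", data[40:48])
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def udp_transport(server: str, payload: bytes, timeout: float) -> bytes:
    """Real network path: one UDP datagram out, one reply back, or socket.timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, SNTP_PORT))
        return sock.recv(512)


def get_time(primary: str, redundant: str, timeout: float = 1.0, transport=udp_transport):
    """Ask the external server first; if it does not answer within `timeout` (the device
    uses 1 second) or answers with garbage, ask the redundant server. Returns (server, time)."""
    errors = []
    for server in (primary, redundant):
        if not server:
            continue
        try:
            return server, parse_reply(transport(server, build_request(), timeout))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
            errors.append(f"{server}: {exc}")
    raise RuntimeError("no SNTP server responded: " + "; ".join(errors))


# Constructed reply: LI=0, VN=4, Mode=4, stratum 2, transmit timestamp 3800000000.5 (NTP seconds).
CONSTRUCTED_REPLY = bytes([0x24, 2]) + bytes(38) + struct.pack("!II", 3800000000, 0x80000000)


def constructed_transport(server: str, payload: bytes, timeout: float) -> bytes:
    """Offline stand-in for udp_transport: the primary never answers, the redundant one does."""
    if server == "10.0.1.10":
        raise socket.timeout("no reply within %.1f s" % timeout)
    return CONSTRUCTED_REPLY


if __name__ == "__main__":
    print(get_time("10.0.1.10", "10.0.1.11", transport=constructed_transport))
```

SNTP as shown here has no authentication: whoever can answer first on UDP port 123 sets the device's clock, and with it the timestamps of every log entry the firewall writes. That is the reason the manual's note about not accepting broadcasts while a configured server is in use matters.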
13. [Figure legend: bridge, hub, random computer, configuration computer, server, PLC (programmable logic controller), I/O, robot]

Introduction, 1 Introduction
Today, machines and production units such as printing machines or robotic lines require the real-time transfer of production information. This absolutely necessitates the option to access the machine directly from the office level, and it exposes the production plant to the risk of deliberate or accidental manipulation. With the Hirschmann Industrial ETHERNET Firewall EAGLE you have chosen the secure option for anywhere that process and production data flows into cross-area data recording systems, or where systems are aligned. The segmentation of individual production cells and the securing of remote maintenance access protects against manipulation and provides the required data security and the smooth operation of the plant.
In these times, in which ETHERNET is being used beyond office applications and increasingly on the machine level, the security requirements are increasing: protection of sensitive subareas of production, and long-term integration of office IT and industrial IT networks as a comprehensive solution. In addition, the Hirschmann Industrial ETHERNET Firewall EAGLE provides you with three access options for remote maintenance: modem access with firewall rules, Internet access with firewall rules, and access via a virtua…
14. … key that is exclusively available to the authorized communication subscribers.

Traffic flow confidentiality: Traffic flow confidentiality ensures that no unauthorized person can gain knowledge of the actual recipient and sender of a data packet. IPsec achieves this in tunnel mode by encrypting the complete IP packet.

For negotiating the security parameters to be used between the two endpoints of a VPN connection, IPsec provides two modes: transport mode and tunnel mode.

Transport mode: In transport mode, two terminal devices authenticate themselves to each other, then they set up the parameters required for signing and encryption. As the communication takes place between two defined terminal devices, the recipient and sender addresses remain visible.

Tunnel mode: In tunnel mode, two routers (gateways) authenticate themselves to each other, then they set up the parameters required for signing and encryption. With the two routers (gateways), the VPN connection has two addressable endpoints, but the communication takes place between the subscribers of the networks connected to the routers (gateways). This enables the encryption of all the communication data to be transmitted, including the recipient and sender addresses. The addresses of the routers (gateways) are used to address the endpoints of the VPN connection. Tunnel mode can also be used for the VPN connection between a terminal device and a router (gateway).
15. Setting up the Redundancy, 5.2 Router Redundancy, 5.2.1 Description of the Router Redundancy Function
In Router mode, the Router Redundancy function lets you install a substitute line and a substitute Firewall for an existing connection between two networks. Terminal devices usually give you the option of entering a default gateway for transmitting data packets to external subnetworks. Here the term "gateway" applies to a router by means of which the terminal device can communicate with other subnetworks. If this router fails, the terminal device cannot send any more data to external subnetworks. In this case the Router Redundancy function helps, with the Firewall providing a virtual IP address.
This function provides a type of gateway redundancy. It describes a process that groups two routers into one virtual router. Terminal devices always address the virtual router, and the Router Redundancy function ensures that a physical router belonging to the virtual router takes over the data transmission. The two Firewalls continuously exchange information via the internal interface and also via the external interface; thus they check each other's accessibility at the same time. If the Firewall which currently assumes the virtual router function discovers a line interruption on one of its ports, it informs its partner Firewall, which then takes over the virtual router function. The Firewall also offers…
16. … Netmask in the configuration profile.
- Select the Boot tab page.
- Enter the IP address of your TFTP server.
- Enter the path and the file name for the configuration file.
- Click Apply and then OK.

[Figure 62: Configuration file on the TFTP server. Profile "RS2_7_103", Boot tab: Boot Server / Next Server IP Address 149.218.112.159, File "switch…config.dat", Boot File Size in 512-byte blocks, options "Always use option 66/67 for Name and File" and "Alternate File if Vendor Class Id is", Root Path, and the substitutions for host name and IP address available in File and Root Path.]

Setting up the Configuration Environment, A.1 Setting up the DHCP Server Environment
- Add a profile for each device type. If devices of the same type have different configurations, then you add a profile for each configuration. To complete the addition of the configuration profiles, click OK.

[Figure 63: Managing configuration profiles (Profile / Type: Default Client Profile, RS2_7_103; buttons Add, Edit, Remove).]

- To enter the static addresses, click Static in the main window.

[haneWIN DHCP Server main window: "Observed MAC addresses" with the columns MAC Address, Id, IP Address, TFTP; button "New static".]
17. … Client are the endpoints of the VPN connection.

Controlling the Data Traffic, 7.5 VPN (Virtual Private Network)
- Enter the IPsec data exchange parameters: select the IPsec Data Exchange tab page.
- In the Mode frame you enter: Encapsulation "tunnel" (with this the Firewall encrypts the entire data packet, including the IP addresses of the communication partners); Force NAT-T "No"; Lifetime 3600.
- In the Algorithms frame you enter: Key Agreement modp1024; Integrity hmacmd5; Encryption aes128.
  These are the values of the 2010 example. Current guidance no longer recommends the 1024-bit MODP group or HMAC-MD5; if the device and the client both offer a larger Diffie-Hellman group and an SHA-2 based integrity algorithm, prefer those.
- Enter the parameters for the IP networks whose data is to be transmitted via the VPN connection: select the IP Networks tab page and click on Create entry. After you double-click on a cell of the entry, you can edit the cell. Enter: Source address 10.0.1.0/24; Source port any; Destination address 10.0.2.92/32; Destination port any; Protocol any; Description "Free data traffic between Production Manager and Production Hall"; Active On.
- Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory: select the dialog Basic Settings: Load/Save and click on Save to NVM + ACA to permanently save the configuration in the active configuration.

Settings on the notebook with the LANCOM Advanced VPN Client
Requirement: The LANCOM Advanced VPN Client software is inst…
18. HIRSCHMANN, A BELDEN BRAND
User Manual, Configuration: Industrial ETHERNET Firewall EAGLE 20
EAGLE Konfiguration, Release 5.0, 09/2010
Technische Unterstützung (Technical Support): HAC.Support@Belden.com

The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and trade name protection law and hence that they may be freely used by anyone.
© 2010 Hirschmann Automation and Control GmbH
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine-scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end user license agreement on the enclosed CD applies.
The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document. Hirschmann can accept no responsibility for damages resulting from the use of the network components or the associated…
19. [Figure 19: Transparent Redundancy application example (one firewall active, one in stand-by).]

Setting up the Redundancy, 5.1 Transparent Redundancy
- First you configure Firewall number 1. Enter the parameters for the Transparent Redundancy and activate the function:
  - Select the dialog Redundancy: Transparent.
  - In the Function line of the Configuration frame, click On to activate the function.
  - In the Transparent Mode frame, select "internal main line" as the Master/Slave port.
  - In the Firewall state table synchronization frame, enter the IP address of the redundancy partner. In this case this is the IP address of Firewall number 2, 10.0.0.202.
  - Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory: select the dialog Basic Settings: Load/Save and click on Save to NVM + ACA to permanently save the configuration in the active configuration.
- Now you configure Firewall number 2. Enter the parameters for the Transparent Redundancy and activate the function:
  - Select the dialog Redundancy: Transparent.
  - In the Function line of the Configuration frame, click On to activate the function.
  - In the Transparent Mode frame, select "internal redundant line" as the Master/Slave port.
  - In…
20. You thus quit the assistant for the configuration of the profile.
- Select the new profile and click on Configure.
- Click on IPsec settings in the left field. Under Guideline you enter: IKE guideline "Pre-shared Key"; IPsec guideline "ESP-AES128-MD5".
- Click on Validity. In the IPsec guideline frame, under Duration, enter the same value as the Lifetime (3600 s) in the EAGLE settings under IPsec Data Exchange; the two sides must agree on it.
- Click on OK to close the input window.

Controlling the Data Traffic, 7.5 VPN (Virtual Private Network)
- Click on OK to finish the profile setting.
- On the LANCOM client main screen, select the profile created and click on Connect to set up the VPN connection to the EAGLE. If the LANCOM Client cannot set up the connection, restart the PC with the LANCOM Client. After the restart, click on Connect to set up the VPN connection to the EAGLE.

Activating a VPN connection automatically and displaying the activation via the STATUS LED
The EAGLE device provides you with a service mode function. In service mode the device automatically activates one or more VPN connections that you have pre-configured if the redundant power supply PS2 of the EAGLE device fails. If you switch off the redundant power supply PS2 of the EAGLE device for this purpose, in order to automatically activate one or more VP…
21. … address 172.16.1.100 to the device in transparent mode.

  network transparent netmask 255.255.255.0   Allocate the netmask 255.255.255.0 to the device in transparent mode.
  network transparent gateway 172.16.1.1      Allocate the gateway address 172.16.1.1 to the device in transparent mode (the gateway must lie in the device's own subnetwork, here 172.16.1.0/24).
  copy config running-config nv               Save the current configuration to the non-volatile memory.

Entering the IP Parameters, 3.2 Entering IP parameters via CLI (page 44)
After entering the IP parameters you can easily configure the device via the Web-based interface (see the Web-based Interface reference manual).

3.2.2 IP Parameters in Router Mode
Internal interface
- Activate the router mode (state on delivery: transparent mode).
- If DHCP is switched on, switch it off (state on delivery: DHCP is switched off).
- Enter the IP parameters:
  Internal IP address: on delivery the device has the local IP address 192.168.1.3.
  Netmask: if your network has been divided up into subnetworks and if these are identified with a netmask, then the netmask is to be entered here. The default setting of the netmask is 255.255.255.0.
- Save the configuration entered with "copy config running-config nv" or Save.

  enable                 Switch to the Privileged EXEC mode.
  network mode router    Select the Router mode (sta…
22. … the device displays connection errors via the signal contact and the LED display. The device allows you to suppress this display, because you do not want to interpret a switched-off device as an interrupted connection, for example.
- Select the Basics: Port Configuration dialog.
- In the Propagate connection error column, select the ports for which you want to have link monitoring.

Basic Settings, 4.4 Synchronizing the System Time in the Network
The device allows you to synchronize the time in your network. The actual meaning of the term "real time" depends on the time requirements of the application. The Simple Network Time Protocol (SNTP) is accurate to the order of milliseconds; the accuracy depends on the signal running time. The Network Time Protocol (NTP) is accurate to the order of sub-milliseconds. Examples of application areas include log entries, time stamping of production data, production control, etc.

4.4.1 Entering the Time
If no reference clock is available, you have the option of adopting the system time from the PC. The device resets the time during a restart.
Note: When setting the time in zones with summer and winter times, make an adjustment for the local offset if applicable. The SNTP client can also get the SNTP server IP address and the local offset from a DHCP server. The NTP client gets its NTP server…
23. … entered, then the device will allow access. In the delivery state the device is accessible via the password "public" (read only) and "private" (read and write) from every computer. To protect your device from unwanted access:
- First define a new password with which you can access from your computer with all rights.
- Treat this password as confidential, because everyone who knows the password can access the MIB of the device with the IP address of your computer.
- Check which SNMP version your network management software communicates with. If necessary, activate SNMPv1 or SNMPv2.
- Enter the SNMP access rules.

Protection from Unauthorized Access, 6.4 HiDiscovery Access, 6.4.1 Description of the HiDiscovery Protocol
The HiDiscovery protocol allows you to allocate an IP address to the device in transparent mode on the basis of its MAC address (see "Entering the IP Parameters via HiDiscovery" on page 50). HiDiscovery is a layer 2 protocol.
Note: For security reasons, restrict the HiDiscovery function for the device, or disable it after you have assigned the IP parameters to the device.

6.4.2 Enabling/disabling the HiDiscovery Function
- Select the Basic Settings: Network: Transparent Mode dialog.
- Disable the HiDiscovery functio…
24. … firewall entry.
  Timeout 7200: maximal duration of access in seconds.
  Timeout Type "static": the countdown of the timeout begins when the user logs on.
  Source Address 10.0.1.51: this is the IP address of the service PC.
  Description: "Open the access to the production cell for the service operation".
- Select the Accounts tab page. Click on Create Entry. A dialog gives you the option to select an existing account, e.g. "Service" (see "Application example for external Authentication" on page 123). Select an account and click on OK.

Controlling the Data Traffic, 7.3 User Firewall
- Select the Rules tab page. Click on Create Entry; you thus add a new entry to the table. Select the entry and click on Edit. Enter the data:
  Source port "any": since the port through which the browser of the notebook communicates is normally not a fixed port, the setting "any" is required.
  Destination network 10.149.1.51/32: IP address of the server on which the software for the robot is located.
  Destination port "http": with the http setting, the service technician downloads the software via his browser.
  Description "Software Download": a meaningful description of the rule.
  Protocol "tcp".
  Log: if you want to log the accesses, you select this function.
- Click Set to temporarily save the entry in the configuration.
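The semantics of that user firewall entry and of the application example in item 6, as an added example that is not the device's code: an entry only becomes active after a logon with one of its attached accounts, a "static" timeout counts down from the logon regardless of traffic, and a packet is permitted only if it comes from the entry's source address and matches one of the entry's rules. The values (service PC 10.0.1.51, server 10.149.1.51, http over tcp, timeout 7200 s, account "Service") are the manual's; the packet records and the clock are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserRule:
    source_port: object          # "any" or a port number
    destination_network: str     # CIDR
    destination_port: object     # "any" or a port number (http = 80)
    protocol: str                # "tcp", "udp" or "any"
    description: str = ""
    log: bool = False

    def matches(self, pkt) -> bool:
        return (self.source_port in ("any", pkt["sport"])
                and ipaddress.IPv4Address(pkt["dst"]) in ipaddress.IPv4Network(self.destination_network)
                and self.destination_port in ("any", pkt["dport"])
                and self.protocol in ("any", pkt["proto"]))


@dataclass
class UserFirewallEntry:
    name: str
    timeout: int                 # seconds, timeout type "static"
    source_address: str          # the service PC
    accounts: set
    rules: list = field(default_factory=list)
    logged_on_at: Optional[float] = None

    def logon(self, account: str, now: float) -> bool:
        """Only accounts attached to the entry may activate it. The static countdown
        starts here and is not extended by traffic."""
        if account not in self.accounts:
            return False
        self.logged_on_at = now
        return True

    def active(self, now: float) -> bool:
        return self.logged_on_at is not None and now - self.logged_on_at < self.timeout

    def permits(self, pkt, now: float) -> bool:
        """Entry active, packet from the logged-on source address, and some rule matches."""
        if not self.active(now):
            return False
        if ipaddress.IPv4Address(pkt["src"]) != ipaddress.IPv4Address(self.source_address):
            return False
        return any(rule.matches(pkt) for rule in self.rules)


def decide(entry: UserFirewallEntry, pkt, now: float) -> str:
    return "permit" if entry.permits(pkt, now) else "deny"


# Values from the application example.
SERVICE_ENTRY = UserFirewallEntry(
    name="Service User", timeout=7200, source_address="10.0.1.51", accounts={"Service"},
    rules=[UserRule("any", "10.149.1.51/32", 80, "tcp", "Software Download", log=True)],
)

# Constructed packet: the technician's browser fetching the update over http.
DOWNLOAD = {"src": "10.0.1.51", "sport": 49152, "dst": "10.149.1.51", "dport": 80, "proto": "tcp"}

if __name__ == "__main__":
    print("before logon:", decide(SERVICE_ENTRY, DOWNLOAD, 0))
    SERVICE_ENTRY.logon("Service", 0)
    print("t=100 s:", decide(SERVICE_ENTRY, DOWNLOAD, 100))
    print("t=7200 s:", decide(SERVICE_ENTRY, DOWNLOAD, 7200))
```

The check on the source address is what ties the opened rule to the authenticated technician: the rule itself says nothing about the source, so without that check any host in the internal network could use the window while it is open.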
[Figure 11: HiDiscovery, assigning IP parameters (dialog with IP Address, Subnet Mask and Default Gateway fields, Use Default, Set As Default, OK, Cancel)]

3.4 Loading the System Configuration from the ACA
The AutoConfiguration Adapter (ACA) is a device for storing the configuration data of a device and storing the device software. In the case of a device becoming inoperative, the ACA makes it possible to easily transfer the configuration data by means of a substitute device of the same type.
When you start the device, it checks for an ACA. If it finds an ACA with a valid password and valid software, the device loads the configuration data from the ACA. The password is valid if the password in the device matches the password in the ACA, or the preset password is entered in the device.
To save the configuration data in the ACA, see page 68 "Saving the Configuration".
Figure 12: Flow chart of loading configuration data from the ACA
1. Device start-up
2. ACA plugged in?
3. Password in device and ACA identical?
3a. Default password in device?
4. Load configuration from ACA (ACA LEDs flashing synchronously)
4a. Load configuration from local memory (ACA LEDs
from the following sources:
- from its non-volatile memory (NVM)
- from the AutoConfiguration Adapter. If an ACA is connected to the device, the device loads its configuration from the ACA if the configuration saved on the ACA differs from the configuration saved locally.
The device saves configuration settings such as the IP parameters and the port configuration in the temporary memory. These settings are lost when you switch off or reboot the device.
The device allows you to do the following with configuration settings:
- activate them
- save them
- reset them to the state on delivery
- load them from the non-volatile memory (NVM)
- copy them
- display them
- delete them
If you change the current configuration (for example, by switching a port off), the Web-based interface changes the load/save symbol in the navigation tree from a disk symbol to a yellow triangle. After saving the configuration, the Web-based interface displays the load/save symbol as a disk again.

4.1 Editing and managing Configurations
[Figure: Basic Settings:Load/Save dialog with the frames Undo Modifications of Configuration, Non-volatile memory (NVM) status, AutoConfig Adapter (ACA) status and Configuration in non-volatile memory (NVM)]
if you create and activate for your PC a rule for the Web access and the SNMP access.
First open the Web-based Interface via the internal port (see on page 29 "Opening the Web-based Interface via the internal port"). After creating the access rules at the external port, you can open the Web-based interface via the external port in the same way as via the internal port.
□ In the Security:Web Access menu, create a new entry with the IP address of your PC as the source address. Select Accept in the Action column and activate the table entry.
□ In the Security:SNMP Access menu, create a new entry with the IP address of your PC as the source address. Select Accept in the Action column and activate the table entry.
□ Proceed in the same way as for opening the internal port.

3 Entering the IP Parameters

Choosing the operating mode
The entries for the IP parameters depend on the operating mode selected. In Transparent Mode, the local IP address is also the IP address of the management of the Industrial ETHERNET Firewall. In Router/PPPoE Mode, the IP address of the internal interface is also the IP address of the management of the Industrial ETHERNET Firewall. Depending on the firewall settings, you can also access the management via the IP address of the external interface.
□ Choose an operating mode that meets your requirements. In the st
installed device using DHCP. You need a DHCP server for this. The DHCP server assigns the IP parameters to the device using its MAC address or its system name (see page 55 "System Configuration via DHCP").

Configuration via the Web-based interface
If the device already has an IP address and can be reached via the network, then the Web-based interface provides you with another option for configuring the IP parameters.

3.1 IP Parameter Basics

3.1.1 IP address (version 4)
The IP addresses consist of 4 bytes. These 4 bytes are written in decimal notation, separated by a decimal point. Since 1992, five classes of IP address have been defined in RFC 1340.

Class | Network address | Host address | Address range
A     | 1 byte          | 3 bytes      | 1.0.0.0 to 126.255.255.255
B     | 2 bytes         | 2 bytes      | 128.0.0.0 to 191.255.255.255
C     | 3 bytes         | 1 byte       | 192.0.0.0 to 223.255.255.255
D     |                 |              | 224.0.0.0 to 239.255.255.255
E     |                 |              | 240.0.0.0 to 255.255.255.255
Table 3: IP address classes

The network address is the fixed part of the IP address. The worldwide leading regulatory board for assigning network addresses is the IANA (Internet Assigned Numbers Authority). If you require an IP address block, contact your Internet service provider. Internet service providers should contact their local higher-level organization:
- APNIC (Asia Pacific Network Information Center): Asia/Pacific Region
- ARIN (A
interface via Ethernet (in-band).

2.1 System Monitor
The system monitor enables you to
- select the software to be loaded,
- perform a software update,
- start the selected software,
- shut down the system monitor,
- delete the configuration saved, and
- display the boot code information.

Opening the system monitor
□ Use the terminal cable (see accessories) to connect the V.24 socket (RJ11) to a terminal or a COM port of a PC with terminal emulation based on VT100 (for the physical connection, see the Installation user manual).

Speed     | 9,600 Baud
Data      | 8 bit
Parity    | none
Stopbit   | 1 bit
Handshake | off
Table 2: Data transfer parameters

□ Start the terminal program on the PC and set up a connection with the device.
When you boot the device, the message "Press <1> to enter System Monitor 1" appears on the terminal.

<Eagle Boot Release 04.4.00 Build 2009-09-09 09:09 HW 1.00>
Press <1> to enter System Monitor 1 ...
Figure 1: Screen display during the boot process

□ Press the <1> key within one second to start system monitor 1.

System Monitor 1
(Selected OS: SDV-04.4.00 (2009-09-09 09:09))
Select Boot Operating System
Update Operating System
Start Selected Operating System
End (reset an
on the PKCS#12 standard is .p12. You can also find the information contained in a PKCS#12 file separately in individual files with the file name extension .pem.

Encryption
To protect the data, IKE uses various cryptographic algorithms to encrypt the data. The endpoints of the VPN connection require the key to code and decode the data.
In a first step, to set up the IKE security arrangement between the endpoints of the VPN connection,
- they agree on a cryptographic algorithm which will subsequently use the key for coding and decoding the IKE protocol messages,
- they specify the time periods during which the key exchange takes place, and
- they communicate the endpoints at which the coding and decoding takes place. The administrator defines the endpoints beforehand in the settings of the endpoints of the VPN connection.
In the second step, the endpoints of the VPN connection agree on the key to code and decode the data.

7.5.3 Application Examples
The following examples consider the special features of frequently occurring application cases, including the connection of an EAGLE with an earlier version of an EAGLE.

Connecting two subnetworks
In a large company network, all the subnetworks are connected to eac
on their IP addressing information and protocol information.
- Incoming MAC packets: This group gives you the option to filter incoming MAC packets at the external port based on their MAC addressing information. In router mode, the Firewall only transmits IP packets.
- Outgoing MAC packets: This group gives you the option to filter incoming MAC packets at the internal port based on their MAC addressing information. In router mode, the Firewall only transmits IP packets.
- Incoming PPP packets: This group gives you the option to filter incoming PPP packets at the external port based on their IP addressing information.
You can define filter rules which, when they apply, cause the firewall to either drop, reject or accept the packets.

Action | Meaning
Drop   | Delete data packet
Reject | Delete data packet and inform the sender
Accept | Forward data packet in accordance with the address information
Table 8: Handling filtered data packets

The firewall checks each data packet starting with the first rule. The first rule that applies determines how the firewall handles the data packet. To ensure that the Firewall really is an insurmountable obstacle for undesired data packets, the last rule is "Drop everything".
Note: If you insert packet filter entries that deny traffic, or edit existing ones to deny traffic, note that the status table
production cell with the office network via a public network: The IP address ranges before and after the Firewall are located in different subnetworks. Data transfer in a protected tunnel through the public Internet (VPN).
Providing protected service access via the public telephone network: PPPoE (service access).
Table 1: Choosing the operating mode

Depending on the operating mode you choose, there are different procedures for the further configuration of the Industrial ETHERNET Firewall.

1.3 Configuring the application

1.3.1 Configuration steps in the transparent mode
In the state on delivery, the Industrial ETHERNET Firewall is in the transparent mode. The default settings enable you to start operating the Industrial ETHERNET Firewall immediately. In the state on delivery, the Industrial ETHERNET Firewall prevents a communication link from being set up if it is initiated externally. Internal devices can set up a communication link to the outside.
To protect the access to the Industrial ETHERNET Firewall and make further settings, you proceed as follows:
□ Make a connection to the Firewall (see on page 23 "Access to the user interfaces").
□ Select the transparent operating mode (see on page 44 "IP parameters in Transparent Mode").
□ Enter the IP parameters for the device (see on page 44 "IP parameters in Transparent Mode").
□ Protect the Industrial ETHERNET Firewall
production cells are located in the same layer 2 network. The EAGLE works like a switch with an integrated firewall.

Protecting individual production cells in a routed company network
Individual production cells exchange information with devices in the company network. The company network and the production cells are located in different subnetworks. The EAGLE works like a router with an integrated firewall.

Coupling identical production cells to a company network
Individual, identically structured production cells exchange information with devices in the company network. The company network and the production cells are located in different subnetworks. The EAGLE works like a router with an integrated firewall. The NAT function enables the identically structured production cells to communicate with the company network, even though the devices have the same IP address in the different production cells.

Connecting a production cell with the office network via a public network
A production cell exchanges information with devices in the company network via the public Internet. A virtual information tunnel (virtual private network, VPN) through the public Internet protects the communication.
reference model. Finally, Romeo puts the entire data packet into the mailbox. This is comparable to going from layer 2 to layer 1, i.e. to sending the data packet over the Ethernet.
Lorenzo receives the letter and removes the outer envelope. From the inner envelope he recognizes that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his address list, the ARP table, for Juliet's MAC address. He writes her MAC address on the outer envelope as the destination address and his own MAC address as the source address. He then places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's IP address. Opening the inner envelope and reading its contents corresponds to transferring the message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's IP address as destination and her own IP address as source. But where is she to send the answer? For she did not receive Romeo's MAC address. It was lost when Lorenzo replaced the outer envelope. In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of communicating with Romeo. She therefore puts the envelope with the IP addresses in a further envelop
status can be masked via the management for each port (see on page 83 "Displaying connection error messages"). On delivery, there is no link monitoring.
The management setting specifies which events switch a contact.
Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. You can prevent this message by feeding the supply voltage via both inputs or by switching off the monitoring (see on page 215 "Monitoring Correct Operation via the Signal Contact").

8.4.1 Controlling the Signal Contact
With this mode you can remotely control every signal contact individually.
Application options:
- Simulation of an error as an input for process control monitoring equipment
- Remote control of a device via SNMP, such as switching on a camera
□ Select the Diagnostics:Signal Contact dialog.
□ In the "Mode Signal contact" frame, you select the "Manual setting" mode to switch the contact manually.
□ Select "Opened" in the "Manual setting" frame to open the contact.
□ Select "Closed" in the "Manual setting" frame to close the contact.

enable                      | Switch to the Privileged EXEC mode.
configure                   | Switch to the Configuration mode.
signal-contact mode manual  | Select the manual setting mode for the signal contact.
signal-contact state open   | Open the signal contact.
signal-contact state closed | Clo
the "Firewall state table synchronization" frame, enter the IP address of the redundancy partner. In this case, this is the IP address of firewall number 1: 10.0.0.201.
□ Click Set to temporarily save the entry in the configuration.
□ Save the settings in the non-volatile memory:
□ Select the dialog Basic Settings:Load/Save.
□ Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
Note: In the display field behind "Communication" in the Redundancy:Transparent dialog window, the Web-based interface shows you the Layer 2 status of your redundancy connection.
- Behind the "Communication" parameter, the "Active" display field is checkmarked: The communication via the main line of your redundancy configuration is active.
- Behind the "Communication" parameter, the "Inactive" display field is checkmarked: There is currently no communication via the main line of your redundancy configuration.
□ Check whether a data line or a network component in your redundancy configuration may have failed. Check the redundancy status using the switches in the path of the redundant ring/network coupling in which you have incorporated the firewall (see the user manual for the redundancy configuration of your Hirschmann device that supports redundant coupling).
to DHCP queries.
□ Open the window for the program settings in the menu bar Options:Preferences and select the DHCP tab page.
□ Enter the settings shown in the illustration and click OK.
[Figure 59: DHCP setting (Preferences dialog, DHCP tab, with the options Accept DHCP Client Identifier (Option 61), Accept Relay Agent Information (Option 82), Disable Client Auto Configuration (Option 116), Respond to DHCP requests only, Vary dynamic IP address of clients, Check that a selected dynamic IP address is not in use)]
□ To enter the configuration profiles, select Options:Configuration Profiles in the menu bar.
□ Enter the name of the new configuration profile and click Add.
[Figure 60: Adding configuration profiles (Configuration profiles dialog with the profiles Default Client Profile and Rs27_103)]
□ Enter the netmask and click Apply.
[Figure: configuration profile RS2_7_103, Basic Profile tab (Dynamic IP Addresses From/Until, Lease time (s): 36000, Subnet mask: 255.255.255.0, Gateway Address, Backup Gateway 1, Backup Gateway 2)]
to speak. With IP Masquerading, the Firewall replaces the source IP address of a data packet from the internal network with the external IP address of the Firewall. To identify the different internal IP addresses, NAT adds the logical port number of the connection to the address information. Adding the port information also gave IP Masquerading the name Network Address Port Translation (NAPT).
By converting the IP addresses using port information, devices can set up communication connections to the outside from the internal network. However, as devices in the external network only know the external IP address of the Firewall, they are unable to set up a communication connection to a device in the internal network.
Figure 36: Setting up a communication connection with IP Masquerading

7.2.2 1:1 NAT
You use 1:1 NAT when you are setting up identical production cells with the same IP addresses and want to connect them with the external network. The Firewall then allocates to the devices in the internal network a different IP address in the external network. With 1:1 NAT, the Firewall replaces the source IP address of a data packet from the internal network with an IP address of the external network. Through the 1:1 conversion of the IP addresses, devices can set up communication connections to the outsid
typical application case: A production controller wants to request data from a production robot. The production robot is located in a production cell which a Firewall keeps separate from the company network. The Firewall is to prevent all data traffic between the production cell and the rest of the company network. Only the data traffic between the robot and the production controller's PC is allowed to flow freely.
The following is known:

Parameter                   | Robot      | Firewall   | PC
IP address of internal port |            | 10.0.1.201 |
IP address of external port |            | 10.0.2.1   |
IP address                  | 10.0.1.5   |            | 10.0.2.17
Gateway                     | 10.0.1.201 |            | 10.0.2.1

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
- The gateway and the IP address of the PC and the robot are configured.
Figure 32: Application example for packet filter (int: 10.0.1.201, ext: 10.0.2.1, PC: 10.0.2.17)

□ Enter the filter data for incoming IP packets:
□ Select the dialog Network Security:Packet Filter:Incoming IP Packets. In the state on delivery, the EAGLE already has an invisible entry that prevents all data traffic from the external network to the internal network.
□ Click on Create Entry. Yo
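The first-match evaluation described under "Handling filtered data packets" and the PC/robot rules of this application example, as an added simulation that is not part of the manual: the rule table is walked from the top, the first applicable entry decides, and anything that reaches the end hits the invisible "drop everything" entry. The sample packets and the robot's TCP port 502 are constructed values.

```python
"""First-match evaluation of a packet filter table, as a small simulation.

The rules are the ones from the manual's application example: the PC
10.0.2.17 and the robot 10.0.1.5 may talk to each other; everything else is
caught by the device's invisible final "drop everything" entry.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    description: str
    source: str            # CIDR or "any"
    source_port: str       # port number as text or "any"
    destination: str       # CIDR or "any"
    destination_port: str  # port number as text or "any"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    action: str            # "accept", "reject" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_ok(rule.source, pkt.src)
            and _addr_ok(rule.destination, pkt.dst)
            and _port_ok(rule.source_port, pkt.sport)
            and _port_ok(rule.destination_port, pkt.dport)
            and rule.protocol in ("any", pkt.protocol))


# The entry the EAGLE carries in the delivery state; it is not shown in the table.
IMPLICIT_DROP = Rule("drop everything (implicit)", "any", "any", "any", "any", "any", "drop")


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the table from the top; the first rule that applies decides.
    Returns (action, description of the deciding rule)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return IMPLICIT_DROP.action, IMPLICIT_DROP.description


# Incoming IP packets (external -> internal) and outgoing (internal -> external),
# as entered in the Network Security:Packet Filter dialogs of the example.
INCOMING_IP = [Rule("free access for PC", "10.0.2.17/32", "any", "10.0.1.5/32", "any", "any", "accept")]
OUTGOING_IP = [Rule("free access for robot", "10.0.1.5/32", "any", "10.0.2.17/32", "any", "any", "accept")]


def run_example() -> dict:
    """Constructed sample traffic; TCP port 502 stands in for the robot's data service."""
    pc_to_robot = Packet("10.0.2.17", "10.0.1.5", "tcp", 40000, 502)
    other_to_robot = Packet("10.0.2.5", "10.0.1.5", "tcp", 40001, 502)
    robot_to_pc = Packet("10.0.1.5", "10.0.2.17", "tcp", 502, 40000)
    robot_to_other = Packet("10.0.1.5", "10.0.2.99", "tcp", 502, 40001)
    return {
        "pc_to_robot": evaluate(INCOMING_IP, pc_to_robot)[0],
        "other_to_robot": evaluate(INCOMING_IP, other_to_robot)[0],
        "robot_to_pc": evaluate(OUTGOING_IP, robot_to_pc)[0],
        "robot_to_other": evaluate(OUTGOING_IP, robot_to_other)[0],
        # Order matters: a "drop everything" entry placed above the accept rule
        # is the first match, so the accept rule below it is never reached.
        "drop_first": evaluate([IMPLICIT_DROP] + INCOMING_IP, pc_to_robot)[0],
    }


if __name__ == "__main__":
    for name, action in run_example().items():
        print(f"{name:15s} -> {action}")
```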
you the ICMP host check function for monitoring lines in the connected network. As soon as one Firewall loses the connection to the other Firewall at one port, both Firewalls send ping requests to the IP addresses entered in the ICMP Host Check table. After the evaluation of the ping responses, the two Firewalls decide which Firewall takes over the active transmission function. By entering important IP addresses, such as those of servers, routers, controllers (PLC), in the ICMP Host Check table, you ensure the high availability of the connection to these devices in the internal and external networks.
If the main connection fails, the substitute Firewall completely takes over the tasks of the main Firewall.
You can combine 1:1 NAT with the router redundancy. You thus obtain a high-availability 1:1 NAT router (see page 148 "NAT (Network Address Translation)").
Note: With 1:1 NAT, the Firewall responds to ARP requests from the external network to addresses which it maps from the internal network. This is also the case when no device with the IP address exists in the internal network. Therefore, in the external network, only allocate to devices IP addresses located outside the area which 1:1 NAT maps from the internal network to the external network.
Figure 20: Router Redundancy
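IP Masquerading (NAPT) next to 1:1 NAT, as an added simulation that is not part of the manual, covering both the description under "7.2 NAT" (why masquerading lets only the internal side open connections) and the note above (the firewall answers ARP for every address in the mapped range, device or not). The cell 10.0.1.0/24, robot 10.0.1.5, firewall external address 10.0.2.1 and PC 10.0.2.17 are the manual's values; the external range 10.0.10.0/24 used for the 1:1 mapping is a constructed value.

```python
"""IP Masquerading (NAPT) beside 1:1 NAT, as a small simulation.

Constructed example: the external network 10.0.10.0/24 onto which 1:1 NAT
maps the production cell is not taken from the manual.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a connection: src:sport -> dst:dport."""
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """IP Masquerading: every internal flow leaves with the firewall's external
    address as source and a port that identifies the internal host.  The mapping
    is kept so replies can be translated back; a packet from outside that hits
    no table entry has no internal destination and is dropped."""

    def __init__(self, external_ip: str, first_port: int = 1024) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # external port -> (internal ip, internal port)
        self.table: Dict[int, Tuple[str, int]] = {}
        # (src, sport, dst, dport) -> external port, so a flow keeps its port
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, f: Flow) -> Flow:
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = (f.src, f.sport)
            self.next_port += 1
        return Flow(self.external_ip, self.reverse[key], f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a packet arriving at the external port; None means dropped."""
        if f.dst != self.external_ip or f.dport not in self.table:
            return None
        int_ip, int_port = self.table[f.dport]
        return Flow(f.src, f.sport, int_ip, int_port)


class OneToOneNat:
    """1:1 NAT: the internal network is mapped host-for-host onto an external
    network of the same size, so each internal device has a fixed external
    address and connections can be opened from either side."""

    def __init__(self, internal_net: str, external_net: str) -> None:
        self.internal = ip_network(internal_net)
        self.external = ip_network(external_net)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs networks of equal size")

    def _map(self, ip: str, src, dst) -> Optional[str]:
        a = ip_address(ip)
        if a not in src:
            return None
        host = int(a) & int(src.hostmask)          # keep the host part
        return str(ip_address(int(dst.network_address) | host))

    def to_external(self, ip: str) -> Optional[str]:
        return self._map(ip, self.internal, self.external)

    def to_internal(self, ip: str) -> Optional[str]:
        return self._map(ip, self.external, self.internal)

    def outbound(self, f: Flow) -> Optional[Flow]:
        ext = self.to_external(f.src)
        return None if ext is None else Flow(ext, f.sport, f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """A packet from outside addressed to a mapped address is delivered."""
        internal = self.to_internal(f.dst)
        return None if internal is None else Flow(f.src, f.sport, internal, f.dport)

    def answers_arp(self, ip: str) -> bool:
        """The firewall answers ARP for the whole mapped range, whether or not
        an internal device with that address exists; hence the manual's advice
        to keep other external devices out of that range."""
        return ip_address(ip) in self.external
```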
0. When the source address is 0.0.0.0, the EAGLE uses the IP address of the interface at which the pings are sent. The Firewall determines the interface from the destination address and the routing table.

8.2 Sending Traps
If unusual events occur during normal operation of the device, they are reported immediately to the management station. This is done by means of what are called traps: alarm messages that bypass the polling procedure ("polling" means querying the data stations at regular intervals). Traps make it possible to react quickly to critical situations.
Examples of such events are:
- a hardware reset
- changes to the configuration
- segmentation of a port
Traps can be sent to various hosts to increase the transmission reliability for the messages. A trap message consists of a packet that is not acknowledged.
The device sends traps to those hosts that are entered in the trap destination table. The trap destination table can be configured with the management station via SNMP.

8.2.1 SNMP trap listing
You can find a list of the traps the device can send in the Web-based Interface reference manual.

8.2.2 SNMP Traps during Boot
The device sends the ColdStart trap every time it boots.
The device uses the Address Resolution Protocol (ARP) to determine the MAC address relating to the IP address of a device, and it saves this allocation in the ARP table.
□ Select the Diagnostics:Ports:ARP dialog.
□ To reset the counters, click on "Reset ARP table" in the Basic Settings:Restart dialog.
[Figure 56: Example of ARP entries (columns Port, IP Address, MAC Address, Last Updated)]

enable                  | Switch to the Privileged EXEC mode.
show network statistics | Display the network statistics for port 1 (internal) and port 2 (external), including the ARP entries.

8.7 Topology Discovery

8.7.1 Description of Topology Discovery
IEEE 802.1AB describes the Link Layer Discovery Protocol (LLDP). LLDP enables the user to have automatic topology recognition for his LAN.
A device with active LLDP
- sends its own connection and management information to neighboring devices of the shared LAN. This can be evaluated there once these devices have also activated LLDP.
- receives connection and management information from neighboring devices of the shared LAN, once these devices have also activated LLDP.
- sets
01         | 456789defghi | Responder | 10.0.3.0/24
Firewall 3 | 10.0.4.201 | 10.0.2.3 | 456789defghi | Responder | 10.0.4.0/24
Table 11: Interface settings for hub and spoke on the participating firewalls

For the routing of firewall 1, set the IP networks for every VPN connection in the dialog VPN Connections, tab page IP Networks, according to the following table:

VPN name                               | Index | Source Address (CIDR) | Destination Address (CIDR) | Description
Production control - production hall 1 | 1     | 10.0.1.0/24           | 10.0.3.0/24                |
                                       | 2     | 10.0.4.0/24           | 10.0.3.0/24                | FW 3 to FW 2
Production control - production hall 2 | 1     | 10.0.1.0/24           | 10.0.4.0/24                |
                                       | 2     | 10.0.3.0/24           | 10.0.4.0/24                | FW 2 to FW 3
Table 12: VPN routing settings for hub and spoke on the hub firewall

Note: The lines with the index 1 allow the communication of the subnetwork of the production control (10.0.1.0/24) directly with the subnetworks of the production halls 1 and 2 (10.0.3.0/24 or 10.0.4.0/24).

For the routing of firewalls 2 and 3, set the IP networks for the VPN connection in the dialog VPN Connections, tab page IP Networks, according to the following table:

Firewall No. | Index | Source Address (CIDR) | Destination Address (CIDR) | Description
2            | 1     | 10.0.3.0/24           | 10.0.1.0/24                | FW 2 to FW 1
3            | 1     | 10.0.4.0/24           | 10.0.1.0/24                | FW 3 to FW 1
Table 13: VPN routing settings for hub and spoke on the spoke firewalls

Prerequisites for further config
the host name registered at DynDNS.org from the logon at DynDNS.org (e.g. gerhardsFW.dyndns.org).
□ Select the Enhanced:DNS:DynDNS dialog.
□ Activate Register so that EAGLE No. 6 passes its current IP address to the DynDNS server as soon as it changes.
□ Enter the name of the DynDNS server: members.dyndns.org.
□ In Login, you enter your DynDNS user name: hugo.
□ In Password, you enter your DynDNS password: oguh.
□ In Host name, you enter your DynDNS host name: gerhardsFW.dyndns.org.
□ Configure the DNS server on EAGLE No. 5. To configure the DynDNS, you require
- the name of the DynDNS server (at DynDNS.org, the host name of the HTTP server for the DynDNS service is members.dyndns.org),
- the user name from the logon at DynDNS.org (e.g. hugo),
- the password from the logon at DynDNS.org (e.g. oguh),
- the host name registered at DynDNS.org from the logon at DynDNS.org (e.g. gerhardsFW.dyndns.org).
□ Select the Enhanced:DNS:DynDNS dialog.
□ Activate Register so that EAGLE No. 5 passes its current IP address to the DynDNS server as soon as it changes.
□ Enter the name of the DynDNS server: members.dyndns.org.
□ In Login, you enter your DynDNS user name: hugo.
□ In Password, you enter your DynDNS password: oguh.
□ In Host name, you enter your D
6 Protection from Unauthorized Access
Protect your device from unauthorized access. The device provides you with the following functions for protecting against unauthorized access:
- Password-protected Web access (can be disabled)
- Password-protected CLI access (can be disabled)
- Password-protected network management access (can be disabled)
- HiDiscovery function (can be disabled)
- User authentication
Note: For security reasons, change the factory setting password to prevent the device from being accessed with this password. If the password is the factory setting password, the device displays the message "Default Password" in every dialog's header line.
Note: Choose your password so that you can also remember it. To have a secure password, avoid
- short words and character sequences,
- words and character sequences that have a meaning (e.g. names, years, birthdays, quotations),
- sequences of simple words.
To have a secure password, use
- long words and character sequences,
- words and character sequences that do not seem to have a meaning (e.g. first letters of the words in a sentence, unusual words, invented words),
- combinations of letters, numbers and special characters (when selecting special characters, note that these may not be available on foreign keyboards),
- altered and corrupted spelling (e.g. "pLue PiRD" instead of "Blue bird").
[Figure 10: HiDiscovery (device list with the columns No., MAC Address, writable, IP Address, Subnet Mask, Default Gateway and Product; toolbar with Signal, Properties, WWW, Telnet, Ping, Rescan, Preferences)]
When HiDiscovery is started, it automatically se
1_1 (instead of 10.0.1.5/32)
Destination port: any
Protocol: any
Action: accept
Log: disable
□ Click Set to temporarily save the entry in the configuration.
□ Transfer the variables to the filter data for outgoing IP packets:
□ Select the dialog Network Security:Packet Filter:Outgoing IP Packets.
□ Select the entry "free access for robot".
□ Replace the source address in the entry "free access for PC" with the variable:
Description: free access for robot
Source address (CIDR): robo_cell_1 (instead of 10.0.1.5/32)
Source port: any
Destination address (CIDR): 10.0.2.17/32
Destination port: any
Protocol: any
Action: accept
Log: disable
□ Click Set to temporarily save the entry in the configuration.
□ Save the settings in the non-volatile memory:
□ Select the dialog Basic Settings:Load/Save.
□ Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.

7.1.3 Application Example for the Firewall Learn Mode (FLM)
The figure shows a typical application case: A production controller sets up a new production cell. A Firewall is to separate the production cell from the company network. It is to permit only the des
6.3 Network Management Access
6.4 HiDiscovery Access
  6.4.1 Description of the HiDiscovery Protocol
  6.4.2 Enabling/disabling the HiDiscovery Function
6.5 External Authentication
  6.5.1 Description of the external Authentication
  6.5.2 Application example for external Authentication
7 Controlling the Data Traffic
7.1 Packet Filter
  7.1.1 Description of the Packet Filter Function
  7.1.2 Application Example for Packet Filter
  7.1.3 Application Example for the Firewall Learn Mode (FLM)
7.2 NAT (Network Address Translation)
  7.2.1 IP Masquerading
  7.2.2 1:1 NAT
  7.2.3 Port Forwarding
  7.2.4 NAT Application Examples
7.3 User Firewall
  7.3.1 Description of the User Firewall Function
  7.3.2 Application example for the User Firewall Function
7.4 Service Request Limitation
  7.4.1 Description of Denial of Service
7.5 VPN (Virtual Private Network)
  7.5.1 IPsec (Internet Protocol Security)
  7.5.2 IKE (Internet Key Exchange)
  7.5.3 Application Examples
8 Operation Diagnosis
8.1 Reachability Test (Ping)
8.2 Sending Traps
  8.2.1 SNMP trap listing
  8.2.2 SNMP Traps during Boot
  8.2.3 Configuring Traps
8.3 Monitoring the Device Status
  8.3.1 Configuring the Device Status
  8.3.2 Displaying the Device Status
8.4 Out-of-band Signaling
Contents (continued)

3.7 Faulty Device Replacement
4 Basic Settings
4.1 Editing and managing Configurations
  4.1.1 Activating a Configuration
  4.1.2 Saving the Configuration
  4.1.3 Resetting the Configuration to the State on Delivery
  4.1.4 Loading the active Configuration
  4.1.5 Copying Configuration Files
  4.1.6 Displaying a Configuration File
  4.1.7 Deleting a Configuration File
  4.1.8 SFTP Access to Device Files
  4.1.9 Cancelling a Configuration Change
4.2 Loading Software Updates
  4.2.1 Checking the installed Software Release
  4.2.2 Loading the Software
  4.2.3 Loading the Software from the ACA
  4.2.4 Loading the Software via File Selection
4.3 Configuring the Ports
4.4 Synchronizing the System Time in the Network
  4.4.1 Entering the Time
  4.4.2 SNTP
  4.4.3 NTP
5 Setting up the Redundancy
5.1 Transparent Redundancy
  5.1.1 Description of the Transparent Redundancy function
  5.1.2 Application Example for the Transparent Redundancy
5.2 Router Redundancy
  5.2.1 Description of the Router Redundancy Function
  5.2.2 Application Example for the Router Redundancy
6 Protection from Unauthorized Access
6.1 Web-based Interface Access
  6.1.1 Description of Web-based Interface Access
  6.1.2 Configuring the Web-based Interface Access
6.2 CLI Access
  6.2.1 Description of CLI Access
  6.2.2 Configuring the CLI Access
7.5 VPN - Virtual Private Network

Connecting multiple subnetworks via a public network (hub and spoke architecture)

A newly formed department in the 2nd production hall carries out maintenance work not only locally but also for the 1st production hall. The devices also access the 1st production network via the existing VPN connection. To implement this, the administrator selects the hub and spoke architecture, since it is easy to set up and does not require any additional hardware. Firewall 1 in the production control thereby assumes the function of the central node (hub). The VPN connections perform the function of the spokes.

If the Firewall is working as a hub, it sends out the routed packets at the same interface at which it received them. This is also called hub and spoke routing.

Figure 47: Connecting several subnetworks via a public network (hub and spoke routing). The hub and the two spokes each have an internal and an external port; the external ports are connected via the transfer network 10.0.2.0/24.

The following is known:

Parameter                                        Firewall 1       Firewall 2
IP address of internal port                      10.0.1.201
IP address of external port
Pre-shared key                                   456789defghi
Start IKE mode as
IP parameters of the networks to be connected    10.0.1.0/24

The remaining cells of this table (the values 10.0.2.2 and 10.0.3.2 appear in it) are cut off here.
Access

Enter new passwords:
- Select the Security: Password dialog.
- Select "Modify Read-Only Password (User)" to enter the read password. Use the Modify Read Password (User) input fields to enter a new read password. Enter the new read password in the New Password line and repeat your entry in the Please retype line.
- Select "Modify Read-Write Password (Admin)" to enter the read/write password. Use the Modify Read-Write Password (Admin) input fields to enter the read/write password. Enter the read/write password and repeat your entry.

Important: If you do not know a password with read/write access, you will have no write access to the device.

Note: For security reasons the dialog shows the passwords as asterisks. Make a note of every change. You cannot access the device without a valid password.

Note: In SNMP version 3, use between 5 and 32 characters for the password, because many applications do not accept shorter passwords. Five characters is the lower bound many applications enforce, not a recommendation; choose passwords well towards the upper end of that range.

Figure 28: Password dialog

- Click Set to temporarily save the entry in the configuration.

6.2 CLI Access

Configure the SSH access:
- Select the Security: SSH Access dialog.
- Change the SSH port, to 9243 for example. Moving the port away from 22 does not hide the service from a port scanner; the source address restriction in the next step is the effective access control.
- Restrict the IP addre
- Click on Back. This returns you to the Rules tab page.
- Click on the Active field of this entry to activate the entry.
- Click on Back. This returns you to the table view.
- Click on the Active field of this entry to activate the entry.
- Click Set to temporarily save the entry in the configuration.

Save the settings in the non-volatile memory:
- Select the dialog Basic Settings: Load/Save.
- Click on Save to NVM + ACA to permanently save the configuration in the active configuration.

7.4 Service Request Limitation

7.4.1 Description of Denial of Service

With the Denial of Service function you protect your network from being excessively flooded with service requests to subscribers in the protected network. The EAGLE supports the monitoring of the following service requests:
- incoming TCP connections
- outgoing TCP connections
- incoming ping packets
- outgoing ping packets
- incoming ARP connections
- outgoing ARP connections

The values set in the state on delivery for the maximum number of connections/packets are sufficient for normal data traffic. However, attacks easily exceed this maximum permitted number. Thus the Firewall provides you with protection from excessive flooding of your network and overloading of your devices through requests for countless services. A rate limit caps volume without telling an attacker apart from a legitimate burst (for example many controllers reconnecting after a power cycle, or your own monitoring system scanning the cell), so measure the normal peak before lowering the delivered values.
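The limiter behaviour described above, as an added example that is not code from the manual or the device: a per-category sliding-window counter over the six request types the EAGLE monitors. The limits (5 per category per second) and the window length are assumptions for this example; the manual gives no figures for the delivered defaults. The event list is constructed.

```python
from collections import defaultdict, deque

# Request categories the manual says the EAGLE monitors.
CATEGORIES = ("tcp_in", "tcp_out", "ping_in", "ping_out", "arp_in", "arp_out")


class RequestLimiter:
    """Per-category sliding-window limiter.

    An event is admitted if fewer than limits[category] events of that category
    were admitted in the preceding `window` seconds; otherwise it is rejected
    (the device would drop the packet). Rejected events do not extend the window,
    so a sustained flood still lets `limit` requests per window through. The
    limits and the window length are assumptions for this example.
    """

    def __init__(self, limits, window=1.0):
        self.limits = limits
        self.window = window
        self._admitted = defaultdict(deque)   # category -> timestamps still in window

    def observe(self, t, category):
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        q = self._admitted[category]
        while q and t - q[0] >= self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.limits[category]:
            return False                       # over limit: drop
        q.append(t)
        return True


def replay(events, limits, window=1.0):
    """Run a sorted (t, category) event list through the limiter; return the rejected ones."""
    limiter = RequestLimiter(limits, window)
    return [(t, c) for t, c in events if not limiter.observe(t, c)]


# Constructed sample: eight TCP connection attempts from outside within 0.7 s
# (a SYN burst), three pings in between, then one more SYN after the window
# has moved on.
SAMPLE_EVENTS = sorted(
    [(i / 10, "tcp_in") for i in range(8)]
    + [(0.25, "ping_in"), (0.35, "ping_in"), (0.45, "ping_in")]
    + [(1.5, "tcp_in")]
)
SAMPLE_LIMITS = {c: 5 for c in CATEGORIES}   # assumed: at most 5 per category per second


def flooded():
    """The events the limiter would drop from SAMPLE_EVENTS."""
    return replay(SAMPLE_EVENTS, SAMPLE_LIMITS)


if __name__ == "__main__":
    for t, c in flooded():
        print(f"t={t:.2f}s {c}: over limit, dropped")
```

The sixth, seventh and eighth SYN within the first second are dropped, the pings are untouched because each category is counted on its own, and the SYN at 1.5 s is admitted again because the window has slid past the burst.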
7.5 VPN - Virtual Private Network

Enter the IKE key exchange parameters:
- Select the IKE Key Exchange tab page.
- In the Mode frame you enter:
  Protocol: auto. With this the Firewall selects the protocol version automatically, depending on the VPN remote terminal.
  Startup as: initiator. With this, this Firewall initiates the VPN connection to the remote terminal.
  DPD Timeout: 120. With this the Firewall terminates the VPN connection if it does not receive a sign of life from the remote terminal within 120 seconds.
  Lifetime: 28800. After this lifetime has elapsed, the two participating Firewalls agree on new keys for the IKE security association (IKE SA). The lifetime is there to effect a periodic key change for the IKE SA.
  Compatibility Mode: Off
- In the Algorithms frame, enter the encryption procedures you wish to use for the various applications:
  Key Agreement: modp1024
  Hash: e.g. md5
  Integrity: hmacsha1
  Encryption: aes128
- In the Peers/Endpoints frame you enter:
  Local IP Address: 10.149.112.92
  Remote IP Address: gerhardsFW.dyndns.org

The algorithm values above are the manual's 2010 examples. MD5 and SHA-1 as IKE hash, HMAC-SHA1 integrity and the 1024-bit modp group (DH group 2) are no longer considered adequate; where the remote terminal supports it, choose sha256, hmacsha256 and modp2048 or stronger.

In the current example the external ports of the two Firewalls are the endpoints of the VPN connection. While the local IP address is known, the remote IP address is subject to being changed by the DSL provider. In this case the Firewall determines the remote IP address using DynDNS. Resolving the peer by name means a DNS answer decides which address the tunnel is built to; it is the IKE authentication (pre-shared key or certificate), not the address, that proves the right peer was reached.
LLDP support discard LLDP packets. Thus a non-LLDP-capable device between two LLDP-capable devices prevents LLDP information exchange between these two devices. To get around this, Hirschmann devices send and receive additional LLDP packets with the Hirschmann multicast MAC address 01:80:63:2F:FF:0B. Hirschmann devices with the LLDP function are thus also able to exchange LLDP information with each other via devices that are not LLDP capable.

The Management Information Base (MIB) of an LLDP-capable Hirschmann device holds the LLDP information in the LLDP MIB and in the private hmLLDP MIB. The MIB of an LLDP-capable device holds the LLDP information in the LLDP MIB.

8.7.2 Displaying the Topology Discovery Results

- Select the Diagnostics: Topology Discovery dialog.

This dialog allows you to switch the topology discovery function (LLDP) on/off. The topology table shows you the collected information for neighboring devices. This information enables the network management station to map the structure of your network. The same information (device names, management addresses, port identities) serves an attacker doing reconnaissance; leave LLDP off on an interface that faces an untrusted network.

Figure 57: Topology Discovery dialog (Operation on/off; Set, Reload, Help)

If seve
Firewall initiates the VPN connection to the remote terminal.
  DPD Timeout: 120. With this the Firewall terminates the VPN connection if it does not receive a sign of life from the remote terminal within 120 seconds.
  Lifetime: 28800. After this lifetime has elapsed, the two participating Firewalls agree on new keys for the IKE security association (IKE SA). The lifetime is there to effect a periodic key change for the IKE SA.
  Compatibility Mode: Off
- In the Algorithms frame, enter the encryption procedures you wish to use for the various applications:
  Key Agreement: modp1024
  Hash: e.g. md5
  Integrity: hmacsha1
  Encryption: aes128
- In the Peers/Endpoints frame you enter:
  Local IP Address: 10.0.2.1
  Remote IP Address: 10.0.2.2

In the current example the external ports of the two Firewalls are the endpoints of the VPN connection.

Enter the IPsec data exchange parameters:
- Select the IPsec Data Exchange tab page.
- In the Mode frame you enter:
  Encapsulation: tunnel. With this the Firewall encrypts the entire data packet, including the IP addresses of the communication partners.
  Force NAT-T: No
  Lifetime: 3600
- In the Algorithms frame you enter:
  Key Agreement: modp1024 (the PFS group; modp1024 is DH group 2)
  Integrity: hmacsha1
  Encryption: aes128
- Enter the parameters for t
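The two IKE timers described in both application examples above (DPD timeout and IKE SA lifetime), simulated over a constructed timeline, together with a policy check of the example algorithm choices. This is an added example, not code from the manual or the device; the "weak" and "replacement" tables are assumptions reflecting common current guidance, not anything the EAGLE enforces.

```python
# Values from the manual's IKE example (DPD 120 s, lifetime 28800 s, modp1024/md5/hmacsha1/aes128).
MANUAL_PROPOSAL = {
    "key_agreement": "modp1024",
    "hash": "md5",
    "integrity": "hmacsha1",
    "encryption": "aes128",
    "dpd_timeout": 120,      # seconds without a sign of life before teardown
    "lifetime": 28800,       # seconds until the IKE SA is rekeyed
}

# Assumed policy for this check: SHA-2 PRF and integrity, DH group of at least
# 2048 bits, AES. The device itself enforces none of this.
WEAK = {
    "key_agreement": {"modp768", "modp1024", "modp1536"},
    "hash": {"md5", "sha1"},
    "integrity": {"hmacmd5", "hmacsha1"},
    "encryption": {"des", "3des"},
}
REPLACEMENT = {
    "key_agreement": "modp2048 or stronger",
    "hash": "sha256",
    "integrity": "hmacsha256",
    "encryption": "aes128 or aes256",
}


def check_proposal(proposal):
    """Return one finding per weak choice; an empty list means the proposal passes."""
    findings = []
    for field, weak in WEAK.items():
        if proposal[field] in weak:
            findings.append(f"{field}={proposal[field]} is weak, use {REPLACEMENT[field]}")
    if proposal["dpd_timeout"] <= 0:
        findings.append("dpd_timeout disabled: a dead peer is never detected")
    return findings


def sa_timeline(alive_at, dpd_timeout, lifetime, horizon):
    """Simulate one IKE SA from t=0 (seconds).

    alive_at: sorted times at which a DPD sign of life arrived from the peer.
    Returns events in time order: ("rekey", t) each time the lifetime elapses
    while the SA is still up, and ("down", t) once dpd_timeout seconds pass
    without a sign of life. Observation stops at `horizon`.
    """
    events = []
    last_alive = 0            # the SA coming up counts as the first sign of life
    down_at = None
    for t in alive_at:
        if t - last_alive > dpd_timeout:
            down_at = last_alive + dpd_timeout
            break
        last_alive = t
    if down_at is None and horizon - last_alive > dpd_timeout:
        down_at = last_alive + dpd_timeout
    end = horizon if down_at is None else down_at
    t = lifetime
    while t <= end:           # rekeys only happen while the SA is still up
        events.append(("rekey", t))
        t += lifetime
    if down_at is not None:
        events.append(("down", down_at))
    return sorted(events, key=lambda e: e[1])


if __name__ == "__main__":
    for finding in check_proposal(MANUAL_PROPOSAL):
        print("finding:", finding)
    # Peer answers every 60 s: only the periodic rekeys happen.
    print(sa_timeline(list(range(60, 100000, 60)), 120, 28800, 100000))
    # Peer falls silent after t=150: torn down 120 s later, at t=270.
    print(sa_timeline([30, 90, 150, 400], 120, 28800, 1000))
```

With the manual's values the check reports the key agreement group, the hash and the integrity algorithm; the timeline shows why a short DPD timeout matters more than the lifetime for noticing a dead peer: the SA is torn down 120 s after the last reply, long before the 8-hour rekey.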
IP address exclusively from the configuration that you set.

4.4 Synchronizing the System Time in the Network

- Select the Time: Basic Settings dialog.

With this dialog you can enter time-related settings.

The System time (UTC) displays the time with reference to the coordinated world time scale UTC (Universal Time Coordinated). The display is the same worldwide; local time differences are not taken into account. Possible sources of the system time (UTC) are local, sntp and ntp (see Time source).

The device calculates the System time from the System time (UTC) and the Local offset (the local time difference from UTC):

  System time = System time (UTC) + Local offset

Time source displays the source of the following time data. The device automatically selects the source with the greatest accuracy. Possible sources are local and sntp. The source is initially local. If SNTP is activated and a valid SNTP packet is received, the device sets its time source to sntp.

- With Set time from PC, the device takes the PC time as the system time and calculates the IEEE 1588/SNTP time using the local time difference:

  IEEE 1588/SNTP time = System time - Local offset

- The Local Offset is for displaying/entering the time difference between the local time and the IEEE 1588/SNTP time. With Set o
Interface Access

Configure the SNMP access:
- Select the Security: SNMP Access dialog.
- Change the SNMP port, to 9223 for example.
- Restrict the IP addresses which are permitted access via SNMP:
  - Click on Create Entry.
  - In the Port cell of the new entry in the table, select int.
  - Double-click in the Source IP (CIDR) cell and enter the source address, e.g. 10.0.1.17. If this is the only active entry in this table, then only the PC with this IP address can access via this protocol.
  - Click on the Active field of this entry to activate the entry.
  - Click Set to temporarily save the entry in the configuration.

Selecting int confines management of the protocol to the internal port. Make the entry from a station that matches it (port and source address) before you activate it and click Set; otherwise you lock yourself out of the very protocol you are editing.

Figure 24: SNMP Access dialog (Network: SNMP Port 161)

6.1 Web-based Interface Access

Configure the Web access:
- Select the Security: Web Access dialog.
- Change the HTTPS port, to 9027 for example.
- Restrict the IP addresses which are permitted access via HTTPS:
  - Click on Create Entry.
  - In the Port cell of the new entry in the table, select int.
  - Double-click in the Source IP (CIDR) cell and enter the source address, e.g. 10.0.1.17. If this is the only active entry in this table, then only the PC with this IP address can access via this protocol.
  - Click on the Active field of this entry to activate the entry.
  - Click Set to temporarily save the entry in th
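The access-table semantics of the SNMP and HTTPS dialogs above, as an added example that is not code from the manual or the device. It models the entries (port int/ext, source CIDR, active flag) and adds the lock-out check a practitioner wants before clicking Set. The rule "with no active entry the table imposes no restriction" is an assumption for this example; the manual only states what happens once an entry is active. The tables and port numbers are constructed from the manual's example values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AccessEntry:
    port: str       # "int" or "ext": the Firewall interface the request arrives on
    source: str     # permitted source address or network in CIDR notation
    active: bool = False


def is_allowed(entries, ingress_port, src_ip):
    """Assumed semantics (not stated in full by the manual): once any entry is
    active, a request is admitted only if an active entry matches both its
    ingress port and its source address; with no active entry there is no
    restriction."""
    active = [e for e in entries if e.active]
    if not active:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(e.port == ingress_port and ip in ipaddress.ip_network(e.source)
               for e in active)


def locks_out(entries, admin_port, admin_ip):
    """True if activating `entries` would cut off the session used to configure them."""
    return not is_allowed(entries, admin_port, admin_ip)


# Constructed table from the manual's example: one active entry, int port, 10.0.1.17.
SNMP_ENTRIES = [AccessEntry("int", "10.0.1.17", active=True)]

# Constructed per-service view: the non-default ports from the manual plus a table each.
MANAGEMENT = {
    "snmp": {"port": 9223, "entries": SNMP_ENTRIES},
    "https": {"port": 9027, "entries": [AccessEntry("int", "10.0.1.0/24", active=True)]},
}


def reachable(service, ingress_port, src_ip):
    """Can a station at src_ip on the given port reach the management service?"""
    return is_allowed(MANAGEMENT[service]["entries"], ingress_port, src_ip)


if __name__ == "__main__":
    print("SNMP from 10.0.1.17 via int:", reachable("snmp", "int", "10.0.1.17"))
    print("SNMP from 10.0.1.17 via ext:", reachable("snmp", "ext", "10.0.1.17"))
    # An administrator working from the external side while activating the SNMP table:
    print("would lock out 10.0.2.5/ext:", locks_out(SNMP_ENTRIES, "ext", "10.0.2.5"))
```

Run the lock-out check with the address and port of the session you are currently using; if it returns True, add a matching entry first or finish the change from a station that matches the table.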
MM-SC/TX-FW 2: 943011015010201044; EAGLE MM-SC/MM-SC-FW: 943011016010201070. EAGLE devices with smaller serial numbers have 32 MB RAM.

The device gives you two options for loading the software:
- from the ACA 21-USB (out-of-band)
- via a file selection dialog from your PC

Note: The existing configuration of the device is kept after the new software is installed.

4.2.3 Loading the Software from the ACA

You can connect the ACA 21-USB to a USB port of your PC like a conventional USB stick and copy the device software into the main directory of the ACA 21-USB.
- Connect the ACA 21-USB with the device software to the device's USB port.

Anyone with physical access to the USB port and the console can load software this way, so control access to the cabinet, and compare the image you copy to the ACA with the checksum published with the release before loading it.

Loading with the system monitor:
- Open the system monitor (see page 24, Opening the system monitor).
- Select 2 and press the Enter key to copy the software from the ACA 21-USB into the local memory of the device.
- Enter the file name of the firmware and confirm your entry with the Enter key.
- Press the Enter key to start the loading procedure. At the end of the loading procedure the system monitor asks you to press any key to continue.
- Select 3 to start the new software on the device.

The system monitor offers you additional options in connection with the software on your device:
- Select the software to be loaded
- Start the software
- Perform a cold start

Loading with the Command Line Interface
VPN connections

Create a new VPN connection and configure the connection:
- Select the dialog Virtual Private Network: Connections.
- Click on Create Entry.
- Enter a name for the connection in the Name field, for example EAGLE_PS2.
- Select the Active field.
- In the Exchange Mode field choose the entry main/aggressive.
- Select the Service Mode field to activate the service mode for this connection.
- Click on Write to temporarily save the entry in the configuration.
- Repeat these steps for additional VPN connections.

Aggressive mode sends the identity hash before the exchange is protected, which exposes a pre-shared key to offline guessing by anyone who captures the exchange. Accept it only for a peer that cannot do main mode, and then only with a long random pre-shared key.

The Status field shows you the status for each VPN connection. If the service mode is activated, the entry is "servicemode up".

The EAGLE device allows you to use the STATUS LED to display active VPN connections. To activate this function you proceed as follows:
- Select the dialog Virtual Private Network: Connections.
- Select the Status LED Indication field.
- Click on Write to temporarily save the entry in the configuration.

The STATUS LED of the EAGLE device blinks once a second, alternately yellow and green, if one or more VPN connections are active.

Note: Displaying flash and ACA access has a higher priority than displaying active VPN connections. If the EAGLE device performs a flash or ACA access and an active VPN
NTP if you are sure that you require this increased accuracy.

The NTP server makes the UTC (Universal Time Coordinated) available. UTC is the time relating to the coordinated world time measurement. The time displayed is the same worldwide; local time differences are not taken into account. The NTP client obtains the UTC from one or more external NTP servers.

Note: To obtain as accurate a system time distribution as possible, use multiple NTP servers for an NTP client. Several servers also limit what a single faulty or spoofed server can do to the device clock, which the Firewall relies on for certificate validity checks and for usable log timestamps.

Note: If you switch NTP on (set any value other than off) when SNTP is already active on the device, the device reports an error. To switch NTP on, first deactivate SNTP. On delivery, SNTP is switched off.

5 Setting up the Redundancy

The Redundancy function of the Firewall allows you to operate the Firewall and its supply lines redundantly. If a Firewall or a supply line to the Firewall fails, the other Firewall and its supply lines take over the function of the first Firewall. For this purpose the two Firewalls continuously synchronize the state of the stateful firewall. Thus when there is a switch from one Firewall to the other, the existing connections are maintained.

Figure 17: Redundant Firewall connection
Figure 14: Load/Save dialog (NVM configuration table with Name, Modification Date and Active columns; buttons Show, Delete, Activate, New, Copy from PC, Copy to PC; table "Configuration in AutoConfiguration Adapter (ACA)")

4.1.1 Activating a Configuration

The device allows you to activate a stored configuration from the table "Configuration in the non-volatile memory (NVM)".
- Select the Basics: Load/Save dialog.
- Select a non-active configuration file in the NVM configuration table.
- Click on Activate.

In the Active column the device shows you the active configuration. If an ACA with the same configuration file is connected, the device activates the configuration file on the ACA and grays out the display of the activation in the NVM table.

  enable                                         Switch to the Privileged EXEC mode.
  show config profiles nv                        Display the configurations stored in the NVM.
  copy config nv profile <name> running-config   The device loads the configuration data <name> from the local non-volatile memory.

Note: If you mark a configuration as active using the alternative CLI command "profile activate nv <id>", it will only take effect after you issue the CLI command "copy config nv running-config".

Note: When loading/activating a configuration, do not access the device until it has loaded the configuration file and has made the new configuration settings. Depending on the complexity of th
Further Support

Technical Questions and Training Courses

In the event of technical queries, please contact your local Hirschmann distributor or Hirschmann office. You can find the addresses of our distributors on the Internet: www.beldensolutions.com

Our support line is also at your disposal:
Tel.: +49 1805 14-1538
Fax: +49 7127 14-1551

Answers to Frequently Asked Questions can be found on the Hirschmann internet site (www.beldensolutions.com) at the end of the product sites, in the FAQ category.

The current training courses on technology and products can be found under http://www.hicomcenter.com

Hirschmann Competence Center

In the long term, excellent products alone do not guarantee a successful customer relationship. Only comprehensive service makes a difference worldwide. In the current global competition scenario, the Hirschmann Competence Center is ahead of its competitors on three counts with its complete range of innovative services:
- Consulting incorporates comprehensive technical advice, from system evaluation throug
Restore from NVM

  enable                          Switch to the Privileged EXEC mode.
  copy config running-config nv   The device saves the current configuration data in the local non-volatile memory and, if an ACA is connected, also on the ACA.

4.1.3 Resetting the Configuration to the State on Delivery

The device allows you to reset the configuration to the state on delivery.
- Select the Basic Settings: Restart dialog.
- Click on Reset to factory.

  enable          Switch to the Privileged EXEC mode.
  clear factory   Reset NVM and ACA to the factory settings.
  clear config    Delete the current configuration, including the IP parameters.

Setting in the system monitor:
- Select 5, "Erase main configuration file". This menu item allows you to reset the configuration of the device to its state on delivery.
- Press the Enter key to restore the configuration of the state on delivery.

Note: The device deletes all tables, settings and files on the device and on a connected ACA. Remove the ACA first if you want to keep the configuration stored on it as a backup. The state on delivery includes the default passwords and the default address 192.168.1.1 (see 3.2.1), so perform the reset only where the device is not reachable from an untrusted network until it has been reconfigured.

4.1.4 Loading the active Configuration

The device allows you to load the active configuration.
- Select the Basics: Load/Save dialog.
- Click on Restore from NVM if you want to load the active configuration file from the non-volatile memory.

  enable   Switch to the Privil
SNTP. When planning, bear in mind that the accuracy of the time depends on the signal runtime.

Figure 16: Example of an SNTP cascade (a PLC as client; three switches in a row at 192.168.1.1, 192.168.1.2 and 192.168.1.3, each acting as SNTP client towards the previous device and as SNTP server towards the next)

- Enable the SNTP function on all devices whose time you want to set using SNTP. The SNTP server of the device responds to unicast requests as soon as it is enabled.
- If no reference clock is available, specify a device as the reference clock and set its system time as accurately as possible.

Note: For the most accurate system time distribution possible with cascaded SNTP servers and clients, only use network components (routers, switches, hubs) in the signal path between the SNTP server and the SNTP client which forward SNTP packets with a minimized delay.

Configuring SNTP
- Select the Time: SNTP dialog.

Operation
- In this frame you switch the SNTP function on/off globally.

Note: If you switch SNTP on when NTP is already active on the device, the device reports an error. To switch SNTP on, first deactivate NTP. On delivery, NTP is switched off.

SNTP Status
- The Status message
HTML file in the Web-based interface.

A Setting up the Configuration Environment

A.1 Setting up the DHCP Server

On the CD-ROM supplied with the device you will find the software for a DHCP server from the software development company IT-Consulting Dr. Herbert Hanewinkel. You can test the software for 30 calendar days from the date of the first installation and then decide whether you want to purchase a license.
- To install the DHCP server on your PC, put the CD-ROM in the CD drive of your PC and under Additional Software select haneWIN DHCP Server. To carry out the installation, follow the installation assistant.
- Start the DHCP Server program.

Figure 58: Start window of the DHCP server (haneWIN DHCP Server 2.1.2; Observed MAC addresses table with Id, MAC Address, IP Address and TFTP columns; static/dynamic/ignored; Listening on Port 67)

Note: The installation procedure includes a service that is automatically started in the basic configuration when Windows is activated. This service is also active if the program itself has not been started. A DHCP server that starts with the PC answers every client on whatever LAN the PC is attached to, so use it only on an isolated staging network and stop the service when the devices have been provisioned. When started, the service responds
Thus the address data within the network connected to the router/gateway remains hidden.

7.5.2 IKE - Internet Key Exchange

IPsec uses the Internet Key Exchange protocol for authentication, for exchanging keys, and for agreeing on further parameters for the security association of a VPN connection.

Authentication

Authentication is an important part of the security association. During authentication the connection partners show each other their ID cards, so to speak. This ID card can consist of:
- what is known as a pre-shared key, a character string previously exchanged via a different communication channel
- a digital certificate issued by a certification authority (CA)

A pre-shared key is only as good as its length, its randomness and its exclusivity: give each peer its own key, because one key shared by all spokes means the compromise of one spoke exposes every tunnel to the hub.

Certificates based on the X.509 standard contain, for example:
- information on the certification authority itself
- the validity period of the certificate
- information on the permitted usage
- the identity of the person to whom the certificate is assigned (X.500 DN)
- the public key belonging to this identity
- the digital signature for verifying the connection between this identity and this related public key

Larger companies and authorities usually have their own certification authority. You can also obtain certificates from the Hirschmann Automation and Control GmbH company. A commonly used file name extension for a certificate based
Typical applications

Providing protected service access: A service technician exchanges information with devices in the production cell via the public Internet. A virtual information tunnel (virtual private network, VPN) through the public Internet protects the communication.

1.3 Configuring the application

The Industrial ETHERNET Firewall has 3 operating modes:
- Transparent mode
- Router mode
- PPPoE mode

Your choice of operating mode depends on your application case. The table below helps you when choosing the operating mode.

Application | Characteristic | Operating mode
Protecting individual production cells in a flat company network | Transmission on level 2 of the ISO/OSI layer model. The IP address ranges before and after the Firewall are located in the same subnetwork. | Transparent
Protecting individual production cells in a routed company network | Transmission on level 3 of the ISO/OSI layer model. The IP address ranges before and after the Firewall are located in different subnetworks. | Router
Coupling identical production cells to a company network | Transmission on level 3 of the ISO/OSI layer model. The IP address ranges before and after the Firewall are located in different subnetworks. The NAT function is used to map IP addresses onto a different IP address range. | Router
Connecting a | Transmission on level 3 of the ISO/OSI layer model | Router
VPN connection directly between his notebook and the EAGLE.

Parameter | Firewall | LANCOM Client
IP address of internal port | 10.0.1.201 |
IP address of external port | 10.0.2.1 |
Pre-shared key | 123456abcdef | 123456abcdef
Start IKE mode as | Responder | Initiator
IP parameters of the networks to be connected | 10.0.1.0/24 | 10.0.2.92/32

The pre-shared key 123456abcdef is a documentation placeholder; use a long random key for a real connection.

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.

Figure 50: Connecting a LANCOM Client with a private network via a public network (the client reaches the external port 10.0.2.1 of the Firewall across the transfer network)

Settings on the EAGLE

Create a new VPN connection:
- Select the dialog Virtual Private Network: Connections.
- Click on Create Entry. In the Basic Settings tab page, the dialog for editing the entries gives you the option to give this connection any name you want.
- Give the connection a name, e.g. "Production Manager Production Hall".

Enter the authentication parameters:
- Select the Authentication tab page.
- In the Key Information frame you enter:
  Method: psk
  Pre-shared key: e.g. 123456abcdef
- In the Identities frame you enter:
  Local Type: default
  Remote ty
Web-based interface informs you that you are leaving the firewall learn mode and asks you whether you want to save the current configuration of the device or restore the previous configuration.
- Click on Write. The Web-based interface asks you to enter a file name. The default file name has the format nnnnnnnnnnnnn_afterFLM.
- Enter Example01_after_FLM and click on OK. The device saves the current configuration with the new packet filter rules permanently in the NVRAM under the specified name and sets it to the status active. The Web-based interface then deactivates the control elements for the firewall learn mode and the External interface tab page.

Additional options

If you are adding new devices to the production cell, or also want to manage the devices in the production cell from other configuration computers, you have the option:
- to execute the assistant for the firewall learn mode again and create additional rules for new desired traffic, e.g. for controlling a robot
- to change existing rules manually in the Incoming IP Packets dialog, e.g.:
  - To permit the entire production cell as a destination for desired http and snmp data traffic, change the entries for Destination address (CIDR) to 10.0.1.0/24.
  - To permit the entire production cell as a destination for desired http and snmp data traffic, change the entries for Destination address (CIDR) to 172.17.255.0/24.
  Widening a learned /32 destination to the whole cell trades precision for convenience; keep the source side of such a rule as narrow as the learned value.
- To quickly hide the W
packet filters as the existing devices, you can update the corresponding packet filter entries by changing a single address template.

Note: The number of packet filter entries created through variables, together with the number of other packet filter entries, is limited to 1024. In the state on delivery no address templates are defined.

Firewall Learn Mode (FLM)

The Firewall learn mode is a set-up assistant. It helps you analyze the traffic and create suitable rules for permitting the traffic you desire. The assistant for the Firewall learn mode allows you to:
- automatically determine, in an easy way, the traffic which your existing rules do not permit yet (actual learn mode)
- analyze this traffic based on various criteria
- automatically create new rule defaults from the desired traffic
- modify these rules if required and automatically visualize their traffic coverage
- test the new rules for the desired coverage

Note: The assistant for the Firewall learn mode still requires specialized knowledge of data networks, as the user is responsible for the rules created. The learn mode records whatever actually crossed the Firewall during the learning window, including traffic from a misconfigured or already compromised host, so compare each proposed rule with what the cell is supposed to do instead of accepting the set as learned. The FLM only applies to packets that want to pass through the device (the Firewall). It does not apply to packets that are sent to the device itself and those that the device itself creates.

Perform the following steps to create the rules supported by FLM:
- Implement the Firewall at the desired position in your network.
- Activate the FLM assistant on the d
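The address-template mechanism described here and in the packet filter application example earlier (the "free access for robot" rule written against robo_cell_1 instead of 10.0.1.5/32), as an added example that is not code from the manual or the device. It expands template references into concrete entries, enforces the 1024-entry limit the manual states, and evaluates constructed packets first-match-wins; the "no match means drop" default and the second rule ("http to cell from PC") are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Limit stated in the manual: template-expanded entries plus ordinary entries <= 1024.
MAX_ENTRIES = 1024


@dataclass(frozen=True)
class Rule:
    description: str
    src: str              # CIDR literal, "any", or an address-template name
    dst: str
    src_port: str = "any"
    dst_port: str = "any"
    proto: str = "any"    # "any", "tcp", "udp", "icmp"
    action: str = "accept"
    log: bool = False


def resolve(addr, templates):
    """A template name expands to every network stored in it; a literal to itself."""
    if addr == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if addr in templates:
        return [ipaddress.ip_network(n) for n in templates[addr]]
    return [ipaddress.ip_network(addr)]


def expand(rules, templates):
    """Expand template references into concrete (rule, src_net, dst_net) entries.

    Raises ValueError if the expanded table exceeds the device's 1024-entry limit.
    """
    entries = []
    for rule in rules:
        for s in resolve(rule.src, templates):
            for d in resolve(rule.dst, templates):
                entries.append((rule, s, d))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def evaluate(entries, pkt):
    """First matching entry wins. A packet matching nothing is dropped (assumed default)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for rule, s, d in entries:
        if (src in s and dst in d
                and rule.proto in ("any", pkt["proto"])
                and _port_ok(rule.src_port, pkt.get("sport", 0))
                and _port_ok(rule.dst_port, pkt.get("dport", 0))):
            return rule.action, rule.description
    return "drop", "implicit default"


# Constructed rule set: the manual's "free access for robot" rule written once
# against the template, plus an assumed HTTP rule in the other direction.
RULES = [
    Rule("free access for robot", src="robo_cell_1", dst="10.0.2.17/32"),
    Rule("http to cell from PC", src="10.0.2.17/32", dst="robo_cell_1",
         dst_port="80", proto="tcp"),
]


def decisions(templates, packets):
    """Actions for a list of constructed packets under the given templates."""
    entries = expand(RULES, templates)
    return [evaluate(entries, p)[0] for p in packets]


if __name__ == "__main__":
    packets = [
        {"src": "10.0.1.5", "dst": "10.0.2.17", "proto": "udp", "sport": 5000, "dport": 5000},
        {"src": "10.0.1.6", "dst": "10.0.2.17", "proto": "udp", "sport": 5000, "dport": 5000},
        {"src": "10.0.2.17", "dst": "10.0.1.6", "proto": "tcp", "sport": 40000, "dport": 80},
    ]
    # One robot in the template: only 10.0.1.5 gets through.
    print(decisions({"robo_cell_1": ["10.0.1.5/32"]}, packets))
    # A second robot is added to the template: both rules pick it up, nothing else is touched.
    print(decisions({"robo_cell_1": ["10.0.1.5/32", "10.0.1.6/32"]}, packets))
```

Adding the second robot changes one template and no rule, which is the point of the mechanism; the expansion step is also where the 1024-entry limit bites, because a template with many addresses multiplies every rule that references it.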
73. alled on the notebook.
- Start the LANCOM Client software on your PC.
EAGLE Konfiguration 200, Release 5.0 09/2010. Controlling the Data Traffic, 7.5 VPN (Virtual Private Network)
- Create a new profile with "Configuration: Profile Settings". Click on "New Entry". An assistant takes you through the configuration of the new profile.
- Select the connection type "Connection to company network via IPsec". Click on "Continue".
- Enter a name for the profile. Click on "Continue".
- Select the connection medium "LAN (over IP)". Click on "Continue".
- For the gateway address you enter the IP address of the external interface of the Firewall, e.g. 10.0.2.1. Click on "Continue".
- Select the exchange mode "Main Mode". Select the PFS group "DH group 2 (1024 Bit)". Click on "Continue".
- Under "Shared Secret" you enter the pre-shared key 123456abcdef. Repeat the entry for the pre-shared key. Select the local identity type "Fully Qualified Domain Name". Enter the local identity (ID) www.hirschmann-ac.com. Click on "Continue".
- For the IP address assignment, select the manual assignment "Use local IP address". Click on "Continue".
- To select the IP network for the communication, click on "New". Enter the IP address and the network mask of the network in the production hall, e.g. 10.0.1.0 and 255.255.255.0. Click on "OK". Click on "Finish".
74. ar mode. For the syntax of a particular command, consult the documentation.
(Hirschmann Eagle) >
3.2.1 IP parameters in Transparent Mode
- Activate the transparent mode (state on delivery: transparent mode).
- If DHCP is switched on, switch it off (state on delivery: DHCP is switched off).
- Enter the IP parameters:
  Local IP Address: On delivery, the device has the local IP address 192.168.1.1.
  Netmask: If your network has been divided up into subnetworks, and if these are identified with a netmask, then the netmask is to be entered here. The default setting of the netmask is 255.255.255.0.
  IP address of the gateway: This entry is required if the device and the management station (or the DHCP server) are located in different subnetworks (see page 39, "Example of how the network mask is used"). Enter the IP address of the gateway that connects the local subnet with the management station's subnet. The default setting of the IP address is 0.0.0.0.
- Save the configuration entered.
enable                           Switch to the Privileged EXEC mode.
network mode transparent         Select the Transparent Mode (state on delivery: Transparent Mode).
network transparent proto none   Deactivate DHCP (state on delivery: disabled).
network transparent              Allocate the IP address 172.16.1.100 to the ip
75. arameters 3.1 IP Parameter Basics
Example of IP addresses with subnetwork assignment when the above subnet mask is applied:
Decimal notation: 129.218.65.17 (128 <= 129 <= 191: Class B)
Binary notation:  10000001 11011010 01000001 00010001 (subnetwork 1, network address)
Decimal notation: 129.218.129.17 (128 <= 129 <= 191: Class B)
Binary notation:  10000001 11011010 10000001 00010001 (subnetwork 2, network address)
Example of how the network mask is used
In a large network it is possible that gateways and routers separate the management agent from its management station. How does addressing work in such a case?
[Figure 8: Management agent that is separated from its management station by a router (Romeo, Lorenzo, Juliet)]
The management station "Romeo" wants to send data to the management agent "Juliet". Romeo knows Juliet's IP address and also knows that the router "Lorenzo" knows the way to Juliet. Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination address; for the source address he writes his own IP address on the envelope. Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination and his own MAC address as the source. This process is comparable to going from layer 3 to layer 2 of the ISO/OSI base
76. arches the network for those devices which support the HiDiscovery protocol. HiDiscovery uses the first PC network card found. If your computer has several network cards, you can select these in HiDiscovery on the toolbar.
HiDiscovery displays a line for every device which reacts to the HiDiscovery protocol.
Note: When the IP address is entered, the device copies the local configuration settings (see on page 66, "Editing and managing Configurations").
Note: For security reasons, switch off the HiDiscovery function for the device in the Web based interface after you have assigned the IP parameters to the device (see on page 59, "Web based IP Configuration").
Note: Save the settings so that you will still have the entries after a restart (see on page 66, "Editing and managing Configurations").
HiDiscovery enables you to identify the devices displayed:
- Select a device line.
- Click on the signal symbol in the tool bar to set the LEDs for the selected device flashing. To switch off the flashing, click on the symbol again.
- By double clicking a line, you open a window in which you can enter the device name and the IP parameters.
[Figure: HiDiscovery "Properties" dialog for MAC address 00:80:63:51:82:80 (Name: PowerMICE-518280) with the IP Configuration fields IP Address, Use Default and Subnet Mask]
77. at you may find a more up-to-date release of the device software on the Hirschmann Internet site (www.hirschmann.com) than the release saved on your device.
4.2.1 Checking the installed Software Release
- Select the "Basics: Software" dialog.
- This dialog shows you the variant, the release number and the date of the software saved on the device:
  Stored Version: the software in the non-volatile memory
  Running Version: the software currently being used
  Backup Version: the backup software in the non-volatile memory
enable              Switch to the Privileged EXEC mode.
show system info    Display the system information.
  System information
  System Description.....................Hirschmann EAGLE Security Device
  System Name............................EAGLE-574C67
  System Location........................Hirschmann EAGLE
  System Contact.........................Hirschmann Automation and Control GmbH
  System Uptime..........................0 days 5 hours 0 minutes 0 seconds
  System Date and Time (local time zone).SUN AUG 08 09:09:09 2010
  OS Software Release....................SDV-05.5.00 2010-08-08 08:08
  OS Software Release (ROM)..............SDV-05.5.00 2010-08-08 08:08
  Software Release (BAK).................SDV-04.4.00 2009-09-09 09:09
  Device Hardware Revision...............1
  Device Hardware Description............EAGLE 20 TX/TX Ser
78. ate on delivery, the Transparent Mode is active.
Options for entering the IP parameters for the management of the Industrial ETHERNET Firewall
The IP parameters must be entered when the device is installed for the first time so that you can access the device management for further configuration. During the first installation, the device provides you with 5 options for entering the local IP parameters (in Transparent Mode) or the IP parameters of the internal interface (in the Router/PPPoE mode):
- Entry using the Command Line Interface (CLI). You choose this out-of-band method if you preconfigure your device outside its operating environment, or if you do not have network access (in-band) to the device (see page 42, "Entering IP parameters via CLI").
- Entry using the HiDiscovery protocol. You choose this in-band method if the device is already installed in the network, or if you have another Ethernet connection between your PC and the device (see page 50, "Entering the IP Parameters via HiDiscovery").
- Configuration using the AutoConfiguration Adapter (ACA). You choose this method if you are replacing a device with a device of the same type and have already saved the configuration on an ACA (see page 53, "Loading the System Configuration from the ACA").
- Configuration via DHCP. You choose this in-band method if you want to configure the
79. ated in light green.
- To permit the random source ports of the snmp requests, change the source port of the rule to "any". In the "Captured Data" frame, the Web based interface now displays the rows that the new rule covers in dark green.
From the desired traffic you have now created new rules which the Firewall will use to permit this traffic after you have closed the assistant for the firewall learn mode. The Firewall shall drop the other learned traffic during operation; therefore you ignore this traffic when creating the rules. In the "Captured Data" frame, the Web based interface displays these rows unmarked, with a white background.
[Figure 35: Firewall Learn Mode dialog, "External interface" tab page: FLM Control (internal interface / External Interface); the "Captured Data" frame with the columns Source IP, Source Port, Destination IP, Destination Port (learned udp traffic from 10.115.x.x hosts to 10.115.63.255, ports 137 and 138); the buttons "Add to Rule Set" and "Hide Connections matching the learned Rules"; the "Rules" table (Index, Description, Active, Source IP (CIDR), Destination IP (CIDR), Dest. Port) with entries "learned by FLM" such as 172.17.255.134/32 to 10.0.1.116/32; the buttons "Release for Test", "Remove Rule" and "Help"]
80. ation, Release 5.0 09/2010. 7.1 Packet Filter
- Select the entry. Click on the up arrow. Repeat the operation until the entry represents the first row of the table.
- Click "Set" to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory: Select the dialog "Basic Settings: Load/Save". Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
Application Example for Address Templates
A production controller wants to request data from a second production robot. As additional robots will be added, he decides to create the addresses of the robots in an address template and use the template as a variable in the existing packet filter entries.
The following is known:
Parameter                     Robot 1      Robot 2      Firewall     PC
IP address of internal port   -            -            10.0.1.201   -
IP address of external port   -            -            10.0.2.1     -
IP address                    10.0.1.5     10.0.1.6     -            10.0.2.17
Gateway                       10.0.1.201   10.0.1.201   -            10.0.2.1
Prerequisites for further configuration: The previous "Application Example for Packet Filter" is already configured.
[Figure 33: Packet filter with address template, application example (10.0.1.5, 10.0.1.6, 10.0.1.201 | 10.0.2.1, 10.0.2.17)]
- Create the a
81. ation, Release 5.0 09/2010. 7.5 VPN (Virtual Private Network)
- Enter the parameters for the IP networks whose data is to be transmitted via the VPN connection:
  Select the "IP Networks" tab page. Click on "Create entry". After you double click on a cell of the entry, you can edit the cell.
  Source address: 10.0.1.0/24
  Source port: any
  Destination address: gerhardsFW.dyndns.org
  Destination port: any
  Protocol: any
  Description: Free data traffic between Home and Production Hall
  Active: On
- Click "Set" to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory: Select the dialog "Basic Settings: Load/Save". Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
- Make exactly the same settings on both Firewalls. For the second Firewall, in the settings for the authentication, the IKE key exchange and the IP networks, you merely swap the IP addresses for the endpoints or networks.
Connecting a LANCOM Advanced VPN Client with a private network
In this case a production manager wants to access his production data from any location within the company via a VPN connection. To do so he uses a notebook with installed LANCOM Client software. He can thus set up the
82. based interface access.
6.1 Web based Interface Access
- Enter new passwords:
  Select the "Security: Password" dialog.
  Select "Modify Read-Only Password (User)" to enter the read password. Use the "Modify Read Password (User)" input fields to enter a new read password. Enter the new read password in the "New Password" line and repeat your entry in the "Please retype" line.
  Select "Modify Read-Write Password (Admin)" to enter the read-write password. Use the "Modify Read-Write Password (Admin)" input fields to enter the read-write password. Enter the read-write password and repeat your entry.
Important: If you do not know a password with read-write access, you will have no write access to the device.
Note: For security reasons, the dialog shows the passwords as asterisks. Make a note of every change. You cannot access the device without a valid password.
Note: In SNMP version 3, use between 5 and 32 characters for the password, because many applications do not accept shorter passwords.
[Figure 23: Password dialog]
- Click "Set" to temporarily save the entry in the configuration.
83. c Settings: Load/Save" to save the example configuration permanently. Click on "Save to NVM + ACA" to temporarily save the data in the non-volatile memory.
- Create the routing for Firewall 3:
  Select the dialog "Virtual Private Network: Connections". Select the connection with the name "Production control - production hall 2" and click on "Edit". Select the "IP Networks" tab page. The device shows an empty table. Click on "Create entry" to create a new line. In the 1st line enter:
  Source address (CIDR): 10.0.3.0/24
  Source address (CIDR): 10.0.1.0/24
  Mapping source address (CIDR): 10.0.5.0/24
  Description: FW 3 to FW 1
  Click on "Write" to temporarily save the data. Click on "Back" to return to the "Virtual Private Network: Connections" dialog. Click on "Write" to temporarily save the data. Select the dialog "Basic Settings: Load/Save" to save the example configuration permanently. Click on "Save to NVM + ACA" to temporarily save the data in the non-volatile memory.
Connecting a PC with a subnetwork
The production manager wants to be able to view the current production data from home. For this purpose he sets up a VPN connec
84. connection at the same time, the LED indicates the flash/ACA access by blinking green.
8 Operation Diagnosis
The device provides you with the following diagnostic tools for the operation diagnosis:
- Reachability Test (Ping)
- Sending traps
- Monitoring the device status
- Out-of-band signaling via signal contact
- Port status indication
- Topology Discovery
- Configuration Check
- Reports
- MAC Firewall List
- IP Firewall List
8.1 Reachability Test (Ping)
The Firewall allows you to test the reachability of any network node directly from the device, including through a VPN tunnel. Thus, in the case of problems with the network, you quickly receive information from the device about the accessibility of a particular network node, e.g. a server. The Reachability Test sends out a series of ICMP echo requests and checks if the responses arrive within a set time limit. You can see the test result a few seconds later in the same dialog window.
Note: The Reachability Test requires that the network node that you want to test supports ICMP and that the existing firewalls in the path allow through ICMP echo requests and responses.
State on delivery: deactivated, source address 0.0.0
85. d EXEC mode.
configure                          Switch to the Configuration mode.
device-status monitor all enable   Include all the possible events in the device status determination.
device-status trap enable          Enable a trap to be sent if the device status changes.
8.3.2 Displaying the Device Status
- Select the "Basics: System" dialog.
[Figure 52: Device status and display of detected alarms (Device status, Alarm start time, Alarm reason)]
1 Symbol indicates the Device Status
2 Cause of the oldest existing alarm detected
3 Time of the oldest existing alarm detected
show device-status                 Display the device status and the setting for the device status determination.
8.4 Out-of-band Signaling
The signal contact is used to control external devices and monitor the operation of the device, thus enabling remote diagnostics. A break in contact is reported by the device via the potential-free signal contact (relay contact, closed circuit) in these cases:
- Incorrect supply voltage: the failure of at least one of the two supply voltages, or a permanent fault in the device (internal supply voltage).
- The temperature threshold has been exceeded or has not been reached.
- The removal of the ACA.
- The defective link status of at least one port. With the device, the indication of link
86. d interface uses the Java software version 6 (Java Runtime Environment, Version 1.6.x). Install the software from the enclosed CD-ROM. To do this, you go to "Additional Software", select "Java Runtime Environment" and click "Installation".
[Figure 5: Installing Java (CD menu: Device Software, Device Info, AddOn Software, AddOn Info, Imprint, Exit; EAGLE 20 Software 04.4.00, Java Runtime Environment 6 (Java 2 Platform Standard Edition), Industrial HiVision 3.1, Adobe Acrobat Reader)]
- Start your Web browser.
- Make sure that you have activated JavaScript and Java in the security settings of your browser.
- Establish the connection by entering the IP address of the device which you want to administer via the Web based management in the address field of the Web browser. Enter the address in the following form: https://XXX.XXX.XXX.XXX. On delivery, the device has the IP address 192.168.1.1.
The login window appears on the screen. The EAGLE is a Security Device with VPN function (SDV).
[Figure 6: Login window (EagleSDV; language selection, "Login", "Login Type: Administration")]
- Select the desired language.
- In the "Login" drop
87. d reboot
  Erase main configuration file
  Show Bootcode information
  sysMon1>
[Figure 2: System monitor 1, screen display]
- Select a menu item by entering the number.
- To leave a submenu and return to the main menu of system monitor 1, press the <ESC> key.
2.2 Command Line Interface
The Command Line Interface enables you to use all the functions of the device via a local or remote connection. The Command Line Interface provides IT specialists with a familiar environment for configuring IT devices. You will find a detailed description of the Command Line Interface in the "Command Line Interface" reference manual.
You can access the Command Line Interface via
- the V.24 port (out-of-band),
- SSH (in-band).
In the state on delivery, the firewall setting allows SSH access via the secure port; the firewall setting prevents SSH access via the non-secure port for security reasons.
Note: To facilitate making entries, CLI gives you the option of abbreviating keywords. Type in the beginning of a keyword. If the characters entered identify a keyword, CLI will complete the keyword when you press the tab key or the space key.
Note: You can configure the V.24 interface either as a modem interface or a terminal/CLI interface. However, to be able to have at least limited access to the CLI interface
88. ddress template for the robots in the production cell:
  Select the dialog "Network Security: Packet Filters: Address Templates". Click on "Create Entry". Enter the first address of the address template in the dialog. Optionally, you can enter an individual address with the address mask /32.
  List Name: robo_cell_1
  IP address (CIDR): 10.0.1.5/32
  Click on "OK" to create the entry in the address template table. Click on the "Active" field of this entry to activate the entry.
  Click on "Create Entry" again. Enter the second address of the address template in the dialog. Use the same name again.
  List Name: robo_cell_1
  IP address (CIDR): 10.0.1.6/32
  Click on "OK" to create the entry in the address template table. Click on the "Active" field of this entry to activate the entry.
  Click on "Write" to temporarily save the entries in the configuration.
- Transfer the variables to the filter data for incoming IP packets:
  Select the dialog "Network Security: Packet Filter: Incoming IP Packets". Select the entry "free access for PC". Replace the destination address in the entry "free access for PC" with the variable. Put a dollar sign in front of the variable name to indicate that it is a variable.
  Description: free access for PC
  Source address (CIDR): 10.0.2.17/32
  Source port: any
  Destination address (CIDR): $robo_cell_1
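How a packet filter entry that names an address template as a $variable behaves, worked through in Python for the robo_cell_1 example above and for the 1024-entry note on variables (item 72): each active template entry becomes one concrete rule, so adding a robot means editing only the template. This is an added example, not code from the manual or the device; the data structures, the function names and the assumption that every rule here is a permit rule are mine.

```python
"""Added example, not code from the EAGLE manual or firmware: expansion of
$address-template variables in packet filter rules (application example
'robo_cell_1'). Field names follow the dialog; the data structures, the
function names and the permit-only semantics are assumptions."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Limit stated in the manual: entries created through variables plus all
# other packet filter entries may not exceed 1024.
MAX_FILTER_ENTRIES = 1024

# Address templates: name -> [(CIDR, active)], as entered in
# "Network Security: Packet Filters: Address Templates" (constructed sample).
TEMPLATES: Dict[str, List[Tuple[str, bool]]] = {
    "robo_cell_1": [("10.0.1.5/32", True), ("10.0.1.6/32", True)],
}


@dataclass(frozen=True)
class Rule:
    description: str
    src: str        # CIDR or "$template"
    src_port: str   # "any" or a port number as text
    dst: str        # CIDR or "$template"
    dst_port: str
    protocol: str   # "any", "tcp", "udp", ...
    active: bool = True


# The "free access for PC" entry after its destination was replaced by the variable.
RULES: List[Rule] = [
    Rule("free access for PC", "10.0.2.17/32", "any", "$robo_cell_1", "any", "any"),
]


def expand_address(field: str, templates: Dict[str, List[Tuple[str, bool]]]) -> List[str]:
    """A literal CIDR stays one entry; '$name' yields the template's active entries only."""
    if not field.startswith("$"):
        return [field]
    name = field[1:]
    if name not in templates:
        raise KeyError(f"address template '{name}' is not defined")
    return [cidr for cidr, active in templates[name] if active]


def expand_rules(rules: List[Rule], templates) -> List[Rule]:
    """Concrete rule set the device has to evaluate; enforces the 1024-entry limit."""
    expanded: List[Rule] = []
    for rule in rules:
        for src in expand_address(rule.src, templates):
            for dst in expand_address(rule.dst, templates):
                expanded.append(replace(rule, src=src, dst=dst))
    if len(expanded) > MAX_FILTER_ENTRIES:
        raise ValueError(f"{len(expanded)} packet filter entries exceed the limit of {MAX_FILTER_ENTRIES}")
    return expanded


def _port_ok(rule_port: str, port: int) -> bool:
    return rule_port == "any" or int(rule_port) == port


def _addr_ok(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(expanded: List[Rule], src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, protocol: str) -> Optional[Rule]:
    """First active rule, in table order, that covers the packet (None if no rule does)."""
    for rule in expanded:
        if (rule.active and rule.protocol in ("any", protocol)
                and _addr_ok(rule.src, src_ip) and _port_ok(rule.src_port, src_port)
                and _addr_ok(rule.dst, dst_ip) and _port_ok(rule.dst_port, dst_port)):
            return rule
    return None


def is_permitted(rules, templates, src_ip, src_port, dst_ip, dst_port, protocol="tcp") -> bool:
    """Assumption: all rules are permit rules, so unmatched traffic is dropped."""
    expanded = expand_rules(rules, templates)
    return first_match(expanded, src_ip, src_port, dst_ip, dst_port, protocol) is not None


def with_robot(templates, cidr: str, active: bool = True):
    """Copy of the templates with one more entry in robo_cell_1; the rule table is untouched."""
    new = {name: list(entries) for name, entries in templates.items()}
    new.setdefault("robo_cell_1", []).append((cidr, active))
    return new


if __name__ == "__main__":
    for dst in ("10.0.1.5", "10.0.1.6", "10.0.1.7"):
        print(dst, is_permitted(RULES, TEMPLATES, "10.0.2.17", 40000, dst, 80))
```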
89. down menu, select
- "user" to have read access to the device,
- "admin" to have read-write access to the device.
The password "public", with which you have read access, appears in the password field. If you wish to have write access to the device, then highlight the contents of the password field and overwrite it with the password "private" (default setting).
In the "Login Type" drop-down menu, select "Administration" if you want to manage the device, or "User Firewall" if you want to login for the user firewall function (prerequisite: the user selected in the "Login" drop-down menu has already been created in the user firewall).
Click on "OK". The website of the device appears on the screen.
Note: For security reasons, change the factory setting password to prevent the device from being accessed with this password. If the password is the factory setting password, the device displays the message "Default Password" in every dialog's header line.
Note: The changes you make in the dialogs are copied to the volatile memory of the device when you click on "Write". Click on "Load" to update the display.
Opening the Web based Interface via the external port
In the state on delivery, the firewall setting prevents Web access via the external port for security reasons. You can access the device via the external port
90. dress ranges in RFC 1918. Each of the three ranges is located in a different class. Internet routers block data packets with private IP addresses; thus the private addresses are only intended for use in internal networks. The Network Address Translation Protocol (see on page 148, "NAT, Network Address Translation") enables devices with a private IP address in an internal network to communicate with devices in other networks.
IP address range                    CIDR notation     Network class
10.0.0.0 to 10.255.255.255          10.0.0.0/8        A
172.16.0.0 to 172.31.255.255        172.16.0.0/12     B
192.168.0.0 to 192.168.255.255      192.168.0.0/16    C
Table 4: Private address ranges
3.1.3 Netmask
Routers and gateways subdivide large networks into subnetworks. The netmask assigns the IP addresses of the individual devices to a particular subnetwork. The division into subnetworks with the aid of the netmask is performed in much the same way as the division of the network addresses (net id) into classes A to C. The bits of the host address (host id) that represent the mask are set to one. The remaining bits of the host address in the netmask are set to zero (see the following examples).
Example of a netmask:
Decimal notation: 255.255.192.0
Binary notation:  11111111 11111111 11000000 00000000 (the first 16 bits are the Class B network part, the two bits that follow are the subnetwork mask bits)
91. e with Lorenzo's MAC destination address. The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo to Juliet.
3.1.4 Classless Inter-Domain Routing
Class C, with a maximum of 254 addresses, was too small, and class B, with a maximum of 65534 addresses, was too large for most users, as they would never require so many addresses. This resulted in ineffective usage of the class B addresses available. Class D contains reserved multicast addresses. Class E is reserved for experimental purposes. A gateway not participating in these experiments ignores datagrams with these destination addresses.
Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a solution to get around these problems. CIDR overcomes these class boundaries and supports classless address ranges. With CIDR you enter the number of bits that designate the IP address range. You represent the IP address range in binary form and count the mask bits that designate the netmask. The netmask indicates the number of bits that are identical to the network part for all IP addresses in a given address range.
Example:
IP address (decimal)   Network mask        IP address (binary)
149.218.112.1          255.255.255.128     10010101 11011010 01110000 00000001
149.218.112.127                            10010101 11011010 01110000 01111111
(the first 25 bits, identical in both addresses, are the mask bits)
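The netmask and CIDR arithmetic of sections 3.1.3 and 3.1.4, worked through on the manual's own sample addresses: classful classification, the binary notation, counting mask bits, the subnetwork an address falls into, the address range of a CIDR block, the RFC 1918 check of Table 4 and the supernetting of several class C ranges. This is an added example, not code from the manual or the device; the function names are mine and only the Python standard library is used.

```python
"""Added example, not code from the EAGLE manual or firmware: netmask and
CIDR arithmetic from sections 3.1.3/3.1.4, standard library only."""
import ipaddress
from typing import List, Tuple

# RFC 1918 private ranges as listed in Table 4 of the manual.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(ip: str) -> str:
    """Classful class A..E from the first octet (A: 0-127, B: 128-191, C: 192-223, D, E)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def to_binary(ip: str) -> str:
    """Dotted decimal -> the 'Binary notation' of the manual (four 8-bit groups)."""
    return " ".join(f"{int(octet):08b}" for octet in ip.split("."))


def mask_bits(netmask: str) -> int:
    """Number of mask bits (the CIDR prefix length) of a dotted-decimal netmask.
    A netmask must be a run of ones followed by zeros; anything else is rejected."""
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"netmask {netmask} is not contiguous")
    return ones


def subnet_of(ip: str, netmask: str) -> str:
    """Network address (CIDR) of the subnetwork that 'ip' belongs to under 'netmask'."""
    return str(ipaddress.ip_network(f"{ip}/{mask_bits(netmask)}", strict=False))


def cidr_range(cidr: str) -> Tuple[str, str, int]:
    """First address, last address and number of mask bits of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.prefixlen


def is_private(ip: str) -> bool:
    """True if 'ip' lies in one of the RFC 1918 ranges (Table 4)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def supernet(cidrs: List[str]) -> str:
    """Smallest single CIDR block that covers all given blocks (supernetting)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # widen by one bit at a time
    return str(candidate)


if __name__ == "__main__":
    for ip in ("129.218.65.17", "129.218.129.17"):
        print(ip, address_class(ip), to_binary(ip), subnet_of(ip, "255.255.192.0"))
    print(cidr_range("149.218.112.0/25"), supernet(["192.168.0.0/24", "192.168.1.0/24"]))
```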
92. e Firewall is in router mode. The IP parameters of the router interface are configured. The IP addresses of the devices are configured.
[Figure 40: Connecting 2 devices via double NAT (internal side: 10.0.1.194, 10.0.1.193; external side: 10.0.2.1, 10.0.2.195)]
- Enter the parameters for converting the IP addresses: Select the dialog "Network Security: NAT: 1:1 NAT".
- Click on "Create Entry". You thus add a new entry to the table.
- Enter the parameters for converting the IP address of the robot:
  Description: Robot production hall (test)
  Internal network: 10.0.1.194
  External network: 10.0.2.194
  Netmask: 32
- Click on the "Output double NAT" field of this entry to activate double NAT for the entry.
- Click on the "Active" field of this entry to activate the entry.
- Click on "Create Entry". You thus add a new entry to the table.
- Enter the parameters for converting the IP address of the work station:
  Description: Work station company network (test)
  Internal network: 10.0.1.195
  External network: 10.0.2.195
  Netmask: 32
- Click on the "Output double NAT" field of this entry to activate double NAT for the entry.
- Click on the "Inverted" field of this entry to select the entry as an inverted 1:1 NAT entry.
- Click on the "Active" field of th
93. e an SFTP client such as WinSCP. For the SFTP access, you must have SSH access to the device. To do this, enable the SSH access to the device (see on page 113, "Configuring the CLI Access").
4.1.9 Cancelling a Configuration Change
The device allows you to automatically cancel a configuration change if the device loses its network connection with the management station from which you configure the device. An example is the inadvertent changing of the device's IP address. You can use this function during remote maintenance.
When the function is active, the device constantly checks if it is periodically accessed from the management station's IP address. If these accesses are not received within a certain time, the device replaces its current configuration with the most recently saved configuration. This function is useful for administrators when the device is far removed or difficult to access.
State on delivery: Operation: Off; Waiting time: 600 s.
Note: Deactivate the function after you have successfully saved the configuration. In this way you prevent the device from reloading the configuration after you close the web interface.
- Select the "Basics: Load/Save" dialog.
- To activate the function, select "Function" in the "Configuration change" frame.
- Enter the waiting time at "Period until cancellation when connection
94. e configuration.
[Figure 25: Web Access dialog (Web Server active, HTTPS Port 443; buttons Set, Reload, Create Entry, Certificates, Help)]
- Configure the automatic logout: Select the "Logout" dialog. In the "Automatically" line in the "Web based Interface" frame, click "On". In the "After [min]" line, enter the number of minutes of inactivity after which the device automatically terminates the HTTPS connection. Click "Set" to temporarily save the entry in the configuration.
[Figure 26: Logout dialog (Logout of the Web Interface: Automatically On/Off, After [min]; Automatic Logout of a SSH Connection: After [min]; Automatic Logout of the CLI Connection: On/Off, After [min]; buttons Set, Reload, Help)]
- Save the settings in the non-volatile memory: Select the dialog "Basic Settings: Load/Save". Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
6.2 CLI Access
To access the Command Line Interface (CLI), you need a direct connection from your PC to the serial port or a Secure Shell (SSH) connection to your device (see on page 236, "Access via SSH").
6.2.1 Descripti
95. e configuration settings, this procedure can take several seconds. Wait until the device selects the new configuration in the "Active" column.
4.1.2 Saving the Configuration
The device allows you to do the following with the current configuration setting on the device and the ACA:
- save it in a new configuration file
- save it in the active configuration file
Saving a configuration in a new configuration file
- Select the "Basics: Load/Save" dialog.
- Click on "Create" to open a window for entering a new row in the table.
- Enter a name in "Configuration name" in the file window.
- Click on "OK". The device saves the configuration in a new file in the NVM and on the ACA.
Note: File names must not contain space characters, and the maximum length is 32 characters.
Saving a configuration in an active configuration file
The device allows you to replace the active configuration with the current configuration.
Note that you overwrite the active configuration file when you save the current configuration in it.
- Select the "Basics: Load/Save" dialog.
- Click on "Save to NVM + ACA" when you want to replace the active configuration with the current configuration in the non-volatile memory and on the ACA.
Note: If you want to load the active configuration file from the local non-volatile memory, click on
96. e device is activated at the internal port, deactivated at the external port.
Note: The device offers the configuration with HiDiscovery exclusively in and for transparent mode. The transparent mode is activated in the as-delivered condition.
Install the HiDiscovery software on your PC. The software is on the CD supplied with the device.
- To install it, you start the installation program on the CD.
- Start the HiDiscovery program.
[Figure: HiDiscovery main window (network card selection 149.218.18.67, Intel(R) PRO/1000 PL Network Connection; toolbar Signal, Properties, WWW, Telnet, Ping, Rescan, Preferences) listing the discovered devices in the columns No., MAC Address, writable, IP Address, Subnet Mask, Default Gateway, Product Name and Name (PowerMICE, RS20, EAGLE, RS2 and MICE devices in 10.0.1.0/24)]
97. ...e firewall of the production networks. Note: In the "Mapping destination address (CIDR)" column, no entry is required.
Prerequisites for further configuration: The VPN parameters are configured on all 3 devices. The IP parameters of the Firewall router interface are configured. The devices in the internal network have the IP address of the internal interface (port 1) of the respective Firewall as their gateway. All Firewalls run software version 4.4 or higher.
- Create the routing for Firewall 2 on Firewall 1:
  - Select the dialog Virtual Private Network: Connections.
  - Select the connection with the name "Production control - production hall 1" and click on Edit.
  - Select the IP Networks tab page. The device shows an empty table.
  - Click on "Create entry" to create a new line.
  - In the 1st line enter: Source address (CIDR) 10.0.1.0/24; Destination address (CIDR) 10.0.4.0/24 (mapped network); Description "FW 1 to FW 2".
  - Click on Write to temporarily save the data.
  - Click on Back to return to the Virtual Private Network: Connections dialog.
- Create the routing for Firewall 3 on Firewall 1:
  - Select the connection with the name "Production control - production hall 2" and click on Edit.
  - Select the IP Networks tab page. The device sho...
98. ...e from the internal network, and devices in the external network can set up communication connections to a device in the internal network. This is why 1:1 NAT is also called bi-directional NAT. You have the option to combine 1:1 NAT with the router redundancy. In the process, 2 physical devices form a virtual high-availability 1:1 NAT router (see on page 97, Router Redundancy).
[Figure 37: Setting up a communication connection with 1:1 NAT]
Note: 1:1 NAT only changes IP addresses in the IP header of the packets. For FTP, the device provides an Application Layer Gateway.
Note: With 1:1 NAT, the Firewall responds to ARP requests from the external network to addresses which it maps from the internal network. This is also the case when no device with the IP address exists in the internal network. Therefore, in the external network only allocate to devices IP addresses located outside the area which 1:1 NAT maps from the internal network to the external network.
Inverse 1:1 NAT: You use inverse 1:1 NAT if you want the devices in the internal network to communicate with the devices in the external network as if the devices in the external network were in the internal network. The Firewall then allocates to the devices in the external network a different IP address in the internal network. With inverse 1:1 NAT the Firewal...
99. ...e user is logged in and can thus use the user firewall function.
- Configure the user firewall account:
  - Select the dialog Security: External Authentication: User Firewall Accounts.
  - Click on "Create Entry". You thus open a dialog for entering the name for this user firewall account.
  - Enter the name for this account, e.g. "Service". Click on OK. You thus add a new entry to the table.
  - Double-click on the cell "Password for local authentication" for this entry and enter the password.
  - Click on the Active field of this entry to activate the entry.
  - Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory:
  - Select the dialog Basic Settings: Load/Save.
  - Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
On delivery, the authentication lists contain the list userFirewallDefaultList. The example has been selected so that you can keep the parameters of this list.

7 Controlling the Data Traffic
This chapter describes the main task of a firewall. A firewall checks the data to be forwarded...
100. ...eb servers of all the devices in the production cell, change the action to "drop" for the entry with destination port 80 and protocol tcp. The Firewall still allows the management of the devices via snmp. To access a robot for test purposes using a currently unknown proprietary TCP-based protocol, temporarily change the entry for Destination port from 80 to "any" and set the action to "accept". You also have the option to manually add new rules in the "Incoming IP packets" dialog:
- for desired traffic, e.g. for controlling a robot that uses a proprietary protocol with the Layer 4 protocol No. 141: Description "Robot IP 141"; active: on; Source address 172.17.255.0/24; Source port any; Destination address (CIDR) 10.0.1.5/32; Destination port any; Protocol 141; Action accept;
- if applicable, also for undesired traffic, e.g. to explicitly ignore NetBIOS traffic to the network broadcast address of the company network during the learning: Description "Drop NetBIOS Broadcasts"; active: on; Source address 10.115.0.0/19; Source port any; Destination address (CIDR) any; Destination port 136 > < 140; Protocol any; Action drop.
Note: When you are learning traffic at an interface for which you have configured an active drop rule, the firewall ignores the traffic to which the rule applies du...
101. ...ection from Unauthorized Access. Note: In the state on delivery, SNMPv1 and SNMPv2 access is deactivated. As SNMPv1 and SNMPv2 transfer data unencrypted, using SNMPv1 and SNMPv2 creates a security risk. Only allow SNMPv1 or SNMPv2 access if you want to use an application that requires this. Note: In the state on delivery, the device allows SSH, SNMPv3 and HTTPS access.

6.1 Web-based Interface Access
You access the Web-based interface with the Hypertext Transfer Protocol Secure (HTTPS). HTTPS contains an authentication and an encryption of the data to be transmitted. Both are based on a certificate. In the state on delivery, the device provides a Hirschmann certificate. When you start the Web-based interface via the browser, your browser will ask you whether you trust the certificate, no matter what the browser's default settings are. In the Security: Web Access dialog you can load a different certificate from your PC onto the device.

6.1.1 Description of Web-based Interface Access
The device allows you to protect the access to the Web-based interface in a number of ways: Password; Selection of the SNMP port. To access the Web-based interface, your browser uses a Java application that it downloads from the de...
102. ...eged EXEC mode. copy config nv running-config: Load the active configuration.

4.1.5 Copying Configuration Files
Copying from a PC to the device: The device allows you to copy a configuration file from a PC to the device.
- Select the Basics: Load/Save dialog.
- Click on "Copy from PC" beside the NVM configuration table.
- In the file selection frame, click on the button that opens the file selection window.
- In the file selection window, select the configuration file (*.cfg) and click on Set.
- In the file selection frame, click on "Copy from PC". The end of the upload is indicated by one of the following messages: "Update completed successfully"; "File not found. Reason: File name not found or does not exist".
Copying from a PC to the ACA: The device allows you to copy a configuration file from a PC to the ACA.
- Select the Basics: Load/Save dialog.
- Click on "Copy from PC" beside the ACA configuration table.
- In the file selection frame, click on the button that opens the file selection window.
- In the file selection window, select the configuration file (*.cfg) and click on Set.
- In the file selection frame, click on "Copy from PC". The end of the upload is indicated by one of the following messages: "Update completed successfully"; "File not found. Reason: File name not found or does not exist".
When you restart, the device adopts the configuration data of t...
103. ...eloads the software from the non-volatile memory, restarts and performs a self-test.
- In your browser, click on Reload so that you can access the device again after it is booted.

4.3 Configuring the Ports
The port configuration consists of: Entering the port name; Switching the port on and off; Selecting the operating mode; Activating the display of connection error messages.
Entering the port name: The Name table column allows you to give the port any name you want.
Switching the port on and off: In the state on delivery, all the ports are switched on.
- Select the Basics: Port Configuration dialog.
- In the "Port on" column, select the ports that are connected to another device.
Selecting the operating mode: In the state on delivery, all the ports are set to the Automatic configuration operating mode. Note: The active automatic configuration has priority over the manual configuration.
- Select the Basics: Port Configuration dialog.
- If the device connected to this port requires a fixed setting, select the operating mode (transmission rate, duplex mode) in the Manual configuration column and deactivate the port in the Automatic configuration column.
Displaying connection error messages: In the state on delivery, the...
104. ...ending a trap when the device status changes; detect the device status in the Web-based interface on the system side; query the device status in the Command Line Interface. The device status of the device includes: Incorrect supply voltage (the failure of at least one of the two supply voltages; a permanent fault in the device-internal supply voltage); The temperature threshold has been exceeded or has not been reached; The removal of the ACA; The defective link status of at least one port. With the device, the indication of link status can be masked via the management for each port (see on page 83, Displaying connection error messages). On delivery there is no link monitoring. The management setting specifies which events determine the device status. Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. If you do not want this message to be displayed, feed the supply voltage over both inputs or switch off the monitoring (see on page 211, Configuring the Device Status).

8.3.1 Configuring the Device Status
- Select the Diagnostics: Device Status dialog.
- In the Monitoring field, you select the events you want to monitor.
- To monitor the temperature, you set the temperature thresholds in the Basics: System dialog at the end of the system data.
enable: Switch to the Privilege...
105. ...enter where the device is to obtain its IP parameters. Select DHCP if the configuration is to be performed by a DHCP server on the basis of the MAC address or the name of the device (see page 55, System Configuration via DHCP). If DHCP is not selected, the device uses the network parameters in its local memory.
- Select "Use VLAN Tag" if you want the device to evaluate the VLAN tag of the data packets received. If this function is active, you can only access the management of the device via the VLAN entered in Management VLAN ID (see below).
- The Management VLAN ID line enables you to assign a VLAN to the interface for the management of the device (see "Use VLAN Tag" above).
Entering local IP parameters:
- Enter the IP address of the device in the IP Address field.
- In the Gateway IP Address field, enter the IP address of the gateway to which the device is to forward data packets whose destination address is outside its own subnetwork.
- Enter the netmask in the Netmask field.
Getting IP Parameters via DHCP:
- You enter the name applicable to the DHCP protocol in the Name line in the system dialog of the Web-based interface.
Configuring the HiDiscovery protocol:
- The HiDiscovery protocol allows you to allocate an IP address to the device on the basis of its MAC address. Ac...
106. ...er the number of minutes of inactivity after which the device automatically terminates the HTTPS connection.
- Click Set to temporarily save the entry in the configuration.
[Figure 30: Logout dialog (Logout of the Web Interface: Logout Automatically On/Off, After [min] 5; Automatic Logout of a SSH Connection; Automatic Logout of the CLI Connection)]
- Save the settings in the non-volatile memory:
  - Select the dialog Basic Settings: Load/Save.
  - Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.

6.3 Network Management Access
A network management station communicates with the device via the Simple Network Management Protocol (SNMP). Every SNMP packet contains the IP address of the sending computer and the password with which the sender of the packet wants to access the MIB of the device. The device receives the SNMP packet and compares the IP address of the sending computer and the password with the entries in the MIB of the device (see on page 242, Management Information Base (MIB)). If the password has the appropriate access right and if the IP address of the sending computer has been...
107. ...escr: Description; Fan: Fan; ID: Identifier; Lwr: Lower (e.g. threshold value); PS: Power supply; Pwr: Power supply; sys: System; UI: User interface; Upr: Upper (e.g. threshold value); ven: Vendor (manufacturer, Hirschmann).
Definition of the syntax terms used:
- Integer: An integer in the range 2 27 1
- IP Address: xxx.xxx.xxx.xxx (xxx: integer in the range 0-255)
- MAC Address: 12-digit hexadecimal number in accordance with ISO/IEC 8802-3
- Object identifier: x.x.x.x... (e.g. 1.3.6.1.1.4.1.248)
- Octet string: ASCII character string
- PSID: Power supply identifier (number of the power supply unit)
- TimeTicks: Stopwatch. Elapsed time in seconds = numerical value / 100. Numerical value: integer in the range 0 to 2^32-1
- Timeout: Time value in hundredths of a second. Time value: integer in the range 0 to 2^32-1
- Type field: 4-digit hexadecimal number in accordance with ISO/IEC 8802-3
- Counter: Integer (0 to 2^32) whose value is increased by 1 when certain events occur
[Figure 69: Tree structure of the Hirschmann MIB (snmpV2, hmConfiguration, hmPlatform4, hmSecurity2, snmpDot3MauMGT)]
A complete description of the MIB can be found on the CD-ROM included with the device.

C Readers' Comments
What is yo...
108. ...esired interfaces of the Firewall, typically on both interfaces.
- Start the actual learn mode.
- Operate the devices in your network for a while so that the Firewall learns the desired traffic.
- Start the learn mode.
- Display the learned traffic on the selected interface.
- If the Firewall has learned too little traffic, continue with the learn mode in order to learn more traffic.
- If the Firewall has learned enough traffic, inspect the recorded data.
- Select desired entries from the recorded data and add them to the temporary set of rules. If necessary, modify the added rules.
- Ignore undesired entries in the recorded data, i.e. do not create any rules for them. Thus the Firewall blocks this traffic after the learn and test mode has ended.
- Release the desired rules for testing.
- Start the test mode.
- If the devices in your network are working as desired, write the temporary rules to your rule base.
- If the devices in your network are not working as desired, modify the rules released for testing. Alternatively, restart the learn mode in order to learn more traffic.
- End the assistant for the Firewall learn mode.
- Permanently save the rules in the configuration.

7.1.2 Application Example for Packet Filter
The figure shows a...
109. ...ets are to be transmitted, the Firewall fragments the larger data packet into multiple small data packets.
Save IP configuration: Save the settings so that you will still have the entries after a restart (see page 66, Editing and managing Configurations).

3.7 Faulty Device Replacement
The device provides a plug-and-play solution for replacing a faulty device with a device of the same type (faulty device replacement): Configuring the new device using an AutoConfiguration Adapter (see on page 53, Loading the System Configuration from the ACA). When the new device is started, it is given the same configuration data that the faulty device had.

4 Basic Settings
The basic settings of the device include: Editing and managing configurations (device settings); Loading the latest device software; Configuring the ports of the device; Synchronizing the system time in the network.

4.1 Editing and managing Configurations
When it is restarted, the device loads its configuration settings from its non-volatile memory, provided you have not activated DHCP and no ACA is connected to the device. During operation, the device allows you to load configuration settings...
110. ...ewall is in the transparent mode. To protect the access to the Industrial ETHERNET Firewall and make further settings, you proceed as follows:
- Make connection to Firewall (see on page 23, Access to the user interfaces).
- Select the PPPoE operating mode (see on page 47, Connection parameters in PPPoE Mode).
- Enter IP parameter for the internal port (see on page 47, Internal interface).
- Enter connection parameters for the external port (see on page 48, External Interface).
- Switch the automatic interruption of the PPPoE connection on or off (see page 46, External Interface).
- Protect Industrial ETHERNET Firewall from unauthorized access (see on page 103, Protection from Unauthorized Access).
- Create rules for unauthorized and forbidden data traffic (see on page 127, Controlling the Data Traffic).
- Make NAT settings (see on page 148, NAT (Network Address Translation)).
- Set up VPN connection (see on page 166, VPN (Virtual Private Network)).

2 Access to the user interfaces
The device has three user interfaces, which you can access via different interfaces: System monitor via the V.24 interface (out-of-band); Command Line Interface (CLI) via the V.24 connection (out-of-band) or via SSH (in-band); Web-based...
111. ...f the source of the time is local (see Time: Basic Settings dialog).

Table 6: Destination address classes for (S)NTP packets
IP destination address                          Send SNTP packet to
0.0.0.0                                         Nobody
Unicast address 0.0.0.1 - 223.255.255.254       Unicast address
Multicast address 224.0.0.0 - 239.255.255.254   Multicast address (especially 224.0.1.1: NTP address)
255.255.255.255                                 Broadcast address

Table 7: Settings for the example (see fig. 16)
Device                           192.168.1.1   192.168.1.2   192.168.1.3
Operation                        On            On            On
Server destination address       0.0.0.0       0.0.0.0       0.0.0.0
Server VLAN ID                   1             1             1
Send interval                    120           120           120
Client external server address   192.168.1.0   192.168.1.1   192.168.1.2
Request interval                 30            30            30
Accept Broadcasts                No            No            No

4.4.3 NTP
The Network Time Protocol (NTP) enables you to synchronize the system time in your network. The device supports the NTP client and the NTP server function. With NTP, the device can determine the time more accurately than with SNTP. Thus, as an NTP server, it can also provide a more accurate time. The NTP and SNTP packet formats are identical. In contrast to the SNTP client, the NTP client uses multiple NTP servers and a more complex algorithm for the synchronization. It can thus determine the time more accurately. Therefore, the synchronization of the NTP client can take longer than an SNTP client. Only use...
112. ...ffset from PC, the device determines the time zone on your PC and uses it to calculate the local time difference.
enable: Switch to the Privileged EXEC mode
configure: Switch to the Configuration mode
sntp time <YYYY-MM-DD HH:MM:SS>: Set the system time of the device
sntp client offset <-1000 to 1000>: Enter the time difference between the local time and the SNTP time

4.4.2 SNTP
Description of SNTP: The Simple Network Time Protocol (SNTP) enables you to synchronize the system time in your network. The device supports the SNTP client and the SNTP server function. The SNTP server makes the UTC (Universal Time Coordinated) available. UTC is the time relating to the coordinated world time measurement. The time displayed is the same worldwide. Local time differences are not taken into account. SNTP uses the same packet format as NTP. In this way, an SNTP client can receive the time from an SNTP server as well as from an NTP server.
[Figure 15: SNTP cascade (GPS, NTP server, PLC as client; switches 192.168.1.1, 192.168.1.2 and 192.168.1.3 each acting as client and server)]
Preparing the SNTP Configuration:
- To get an overview of how the time is passed on, draw a network plan with all the devices participating in...
113. ...flashing alternately; 5: Configuration data loaded.

3.5 System Configuration via DHCP
When it is started up via DHCP (dynamic host configuration protocol), a device receives its configuration data in accordance with the flow chart. DHCP enables the configuration of the device (DHCP Client) via a name. For the DHCP, this name is known as the client identifier in accordance with RFC 2131. The device uses the name entered under sysName in the system group of the MIB II as the client identifier. You can enter this system name directly via SNMP, the Web-based management (see system dialog) or the Command Line Interface. During startup operation, a device receives its IP parameters according to the DHCP process flowchart (see fig. 13).
[Figure 13: Flow chart for the DHCP process (start-up; load default configuration; device in initialization; send DHCP requests; if a reply from the DHCP server arrives, save IP parameters locally and initialize the IP stack with them, otherwise the device runs with the settings from local flash; device is manageable)]
The device sends its system name to the DHCP server. The DHCP server can then use the system name to allocate an IP address as an alternative to the MAC addres...
114. ...from unauthorized access (see on page 103, Protection from Unauthorized Access).
- Create rules for unauthorized and forbidden data traffic (see on page 127, Controlling the Data Traffic).

1.3.2 Configuration steps in router mode
In the state on delivery, the Industrial ETHERNET Firewall is in the transparent mode. To protect the access to the Industrial ETHERNET Firewall and make further settings, you proceed as follows:
- Make connection to Firewall (see on page 23, Access to the user interfaces).
- Select the router operating mode (see on page 45, IP Parameters in Router Mode).
- Enter IP parameter for the internal port (see on page 33, Entering the IP Parameters).
- Enter IP parameter for the external port (see on page 46, External Interface).
- Protect Industrial ETHERNET Firewall from unauthorized access (see on page 103, Protection from Unauthorized Access).
- Create rules for unauthorized and forbidden data traffic (see on page 127, Controlling the Data Traffic).
- Make NAT settings (see page 148, NAT (Network Address Translation)).
- Set up VPN connection (see on page 166, VPN (Virtual Private Network)).

1.3.3 Configuration steps in PPPoE mode
In the state on delivery, the Industrial ETHERNET Fir...
115. ...g running-config nv" or "Save".
enable: Switch to the Privileged EXEC mode
network router proto ext none: Deactivate the DHCP on the external router interface (state on delivery: disabled)
network router param ext ip address 10.0.1.100: Allocate the IP address 10.0.1.100 to the external router interface
network router param ext netmask 255.255.240.0: Allocate the netmask 255.255.240.0 to the external router interface
network router gateway 10.0.1.1: Allocate the gateway address 10.0.1.1 to the device. The gateway must be located in the network of one of the router interfaces
copy config running-config nv: Save the current configuration to the non-volatile memory

3.2.3 Connection parameters in PPPoE Mode
Internal interface:
- Activate the PPPoE mode (state on delivery: transparent mode).
- If DHCP is switched on, switch it off (state on delivery: DHCP is switched off).
- Enter the IP parameters. Internal IP address: On delivery, the device has the local IP address 192.168.1.3. Netmask: If your network has been divided up into subnetworks and if these are identified with a netmask, then the netmask is to be entered here. The default setting of the netmask is 255.255.255.0.
- Save the configuration entered with "copy config running-config nv" or "Save".
116. ...guration Environment.
[Figure 67: DHCP server with entries (haneWIN DHCP Server window; "Observed MAC addresses" list with MAC address, name, IP address and timestamp columns; static/dynamic/ignored views; Listening on Port 67)]

A.2 Access via SSH
The program PuTTY enables you to access your device via SSH. This program is located on the product CD.
- Start the program by double-clicking on it.
- Enter the IP address of your device.
- Select SSH.
- Click Open to set up the connection to your device.
Depending on the device and the time at which SSH was configured, it can take up to a minute to set up the connection. Shortly before the connection is set up, PuTTY displays a security alert message and gives you the option of checking the fingerprint of the key:
"WARNING - POTENTIAL SECURITY BREACH! The server's host key does not match the one PuTTY has cached in the registry. This means that either the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server. The new rsa key fingerpr...
117. ...h other via a transfer network. Two of these subnetworks, e.g. the production control and the production hall, are to be connected via a VPN. As the internal IP addresses are to remain hidden, the VPN is to be operated in tunnel mode. The following is known:
Parameter                                       Firewall Number 1   Firewall Number 2
IP address of internal port                     10.0.1.201          10.0.3.201
IP address of external port                     10.0.2.1            10.0.2.2
Pre-shared key                                  123456abcdef        123456abcdef
Start IKE mode as                               Initiator           Responder
IP parameters of the networks to be connected   10.0.1.0/24         10.0.3.0/24
Prerequisites for further configuration:
- Both Firewalls are in router mode.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
[Figure 45: Connecting two subnetworks via a transfer network (transfer network 10.0.2.0/24 between the external ports of the two Firewalls; the internal networks behind the internal ports)]
- Create a new VPN connection:
  - Select the dialog Virtual Private Network: Connections.
  - Click on "Create Entry". In the Basic Settings tab page, the dialog for editing the entries gives you the option to give this connection any name you want.
  - Give the connection a name, e.g. "Production Control - Production Hall 1". The Firewall allows you to activate/deac...
118. ...h network planning to project planning. Training offers you an introduction to the basics, product briefing and user training with certification. Support ranges from the first installation through the standby service to maintenance concepts. With the Hirschmann Competence Center, you have decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use. Internet: http://www.hicomcenter.com
119. ...he ACA and saves it permanently in the flash memory. If the connected ACA does not contain any valid data (for example if it is in the delivery state), the device loads the data from the flash memory. Before loading the configuration data from the ACA, the device compares the password in the device with the password in the ACA configuration data. The device loads the configuration data if the admin password matches, or there is no password stored locally, or the local password is the delivery-state password, or no configuration is saved locally.
Copying from the device or the ACA to a PC: The device allows you to save a configuration file of the device or the ACA on a PC.
- Select the Basics: Load/Save dialog.
- Select a table entry of the device configuration in the non-volatile memory (NVM) or of the ACA configuration on the AutoConfig Adapter (ACA).
- Click on "Copy to PC".
- In the file selection window, select the desired directory and click on Set.
Copying from the ACA to the device: The device allows you to store a configuration file from the ACA on the device.
- Select the Basics: Load/Save dialog.
- Select a table entry of the ACA configuration on the AutoConfig Adapter (ACA).
- Click on "Copy to NVM".
enable: Switch to the Privileged EXEC mode
copy config aca profile: Load configurat...
120. ...he IP networks whose data is to be transmitted via the VPN connection.
- Select the IP Networks tab page.
- Click on "Create entry".
- After you double-click on a cell of the entry, you can edit the cell: Source address 10.0.1.0/24; Source port any; Destination address 10.0.3.0/24; Destination port any; Protocol any; Description "Free data traffic between the two networks Production Control and Production Hall"; Active On.
- Click Set to temporarily save the entry in the configuration.
- Activate the connection:
  - Click on Back to return to the connection overview.
  - Select Active in the entry for the connection to activate the connection.
  - Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory:
  - Select the dialog Basic Settings: Load/Save.
  - Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.
- Make exactly the same settings on both Firewalls. For the second Firewall, in the settings for the authentication, the IKE key exchange and the IP networks, you merely swap the IP addresses for the endpoints or networks.
Connecting two subnetworks with ano...
...this connection any name you want.
- Give the connection a name, e.g. "Production Control - Production Hall 2".

Enter the authentication parameters
- Select the "Authentication" tab page.
- In the "Key Information" frame you enter:
    Method           psk
    Pre-shared key   e.g. 456789defghi
  The example value is for illustration only; in production use a long, randomly generated pre-shared key.
- In the "Identities" frame you enter:
    Local type    ipaddr      With this you specify that the local IP address is part of the identification.
    Local ID      e.g. 10.0.2.1
    Remote type   ipaddr      With this you specify that the remote IP address is part of the identification.
    Remote ID     e.g. 10.0.2.4

Enter the IKE key exchange parameters
- Select the "IKE Key Exchange" tab page.
- In the "Mode" frame you enter:
    Protocol             auto           The Firewall selects the protocol version automatically, depending on the VPN remote terminal.
    Startup              as initiator   This Firewall initiates the VPN connection to the remote terminal.
    DPD Timeout          120            The Firewall terminates the VPN connection if it does not receive a sign of life from the remote terminal within 120 seconds.
    Lifetime             28800          The security association is valid for 28800 seconds after the VPN connection starts; after that the Firewall renegotiates it.
    Compatibility Mode   On
- In the "Algorithms" frame, enter the encryption procedures you wish to
    Serial Number                              943011301020201679
    Network Operation Mode                     Transparent Mode
    IP address (management)                    10.0.1.203
    MAC address (management)                   00:80:63:57:4c:67
    Configuration state (running to NV)        ok
    Configuration state (NV to ACA)            In sync
    Auto Configuration Adapter, Serial Num.    9432710010101254
    Power Supply P1, State                     ok
    Power Supply P2, State                     ok
    Temperature                                47

4.2.2 Loading the Software

Note: You can install the EAGLE firmware from software release 05.0.00 onwards on EAGLE devices with 64 MB hardware. Earlier EAGLE devices with 32 MB hardware support firmware up to release 04.4.00. To check which hardware your EAGLE device has, proceed as follows:

    enable              Switch to the Privileged EXEC mode.
    show system info    Display the system information.

4.2 Loading Software Updates
- In the "Serial Number" row, the CLI displays the serial number of your EAGLE device. Compare this serial number with the serial number of your EAGLE device type displayed in the following table. EAGLE devices with the following serial numbers have 64 MB RAM:

    EAGLE device type       Serial number
    EAGLE TX TX             943011001010201323
    EAGLE TX MM SC 2        943011002010201084
    EAGLE MM SC TX          943011005010201038
    EAGLE TX TX FW 2        943011011010201255
    EAGLE TX MM SC FW 2     943011012010201122
    EAGLE
...in modem mode, you connect your terminal (terminal setting: 9,600 baud) to the V.24 interface. Press any key on your terminal keyboard a number of times until the login screen indicates the CLI mode.

2.2 Command Line Interface

Opening the Command Line Interface
- Connect the device to a terminal or to a COM port of a PC using terminal emulation based on VT100 and press any key (see "Opening the system monitor" on page 24), or call up the Command Line Interface via SSH. A window for entering the user name appears on the screen. Up to five users can access the Command Line Interface.

    The EAGLE is a Security Device with VPN function (SDV)
    Copyright (c) 2007-2010 Hirschmann Automation and Control GmbH
    All rights reserved
    Eagle Release SDV-05.0.00
    (Build date 2010-08-08 08:08)
    System Name : EAGLE-000000
    Netw. Mode  : transparent
    Mgmt-IP     : a.b.c.d
    Base-MAC    : 00:11:22:33:44:55
    System Time : SUN AUG 08 08:08:08 2010

    Hirschmann Eagle
    User:

    Figure 3: Logging in to the Command Line Interface program

- Enter a user name. The default setting for the user name is "admin". Press the Enter key.
- Enter the password. The default setting for the password is "private". Press the Enter key.

You can change the user name and the password later in the Command Line Interface. The default credentials are printed in this manual and therefore known to everyone; change the password before you connect the device to a production network. Please note that these entries a
...in accordance with defined rules. Data to which the rules apply is either forwarded by the firewall or blocked. For data to which no rules apply, the Firewall is an insurmountable obstacle.

The EAGLE provides the following functions for controlling the data traffic:
- Packet-content-related data traffic control (packet filter)
- NAT (Network Address Translation)
- User-related data traffic control (user firewall)
- Service request control (Denial of Service, DoS)
- VPN (Virtual Private Network)

The firewall observes and monitors the data traffic. It combines the results of this observation and monitoring with the rules for network security to create what are known as state tables. Based on these state tables, the firewall decides whether to accept, drop or reject data. "Drop" discards a packet silently; "reject" additionally notifies the sender that the packet was refused.

7.1 Packet Filter

7.1.1 Description of the Packet Filter Function

With packet-content-related data traffic control, the firewall checks the content of the data packets to be transmitted. Here the firewall provides various packet groups which define the checking criteria:
- Incoming IP packets: This group gives you the option to filter IP packets received at the external port (incoming traffic) based on their IP addressing information and protocol information.
- Outgoing IP packets: This group gives you the option to filter IP packets received at the internal port (outgoing traffic) based
    Figure 68: Security alert prompt for the fingerprint (PuTTY dialog showing the server host key fingerprint. "Yes" updates PuTTY's cache and connects, "No" connects without updating the cache, "Cancel" abandons the connection; hitting "Cancel" is the only guaranteed safe choice.)

- Check the fingerprint to protect yourself from unwelcome guests.
- If the fingerprint matches that of the device key, click "Yes".

Note: Hirschmann delivers the device with a unique, permanently stored SSH RSA/DSA device key. This unique key allows you to identify the device in the case of SSH access. The check only has value if the reference fingerprint was obtained over a trusted path (for example, read from the device via the V.24 console) before the first SSH connection; accepting whatever fingerprint the network presents defeats it.

A.2 Access via SSH

The OpenSSH suite offers experienced network administrators a further option to access your device via SSH. To set up the connection, enter the following command:

    ssh admin@10.149.112.53

"admin" represents the user name; 10.149.112.53 is the IP address of your device.

B General Information

B.1 Abbreviations used
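The fingerprint check described in A.2 compares the key presented by the device against a reference recorded out of band. The following added example (not Hirschmann code and not part of the manual) shows how that reference is derived from an OpenSSH public key line: the legacy colon-separated MD5 form that the PuTTY prompt displays, the SHA256 form that current ssh-keygen prints, and a pinned comparison that rejects a different key. The RSA key used here is constructed in the code with a toy modulus for illustration; the fingerprint of a real EAGLE must be read from the device itself.

```python
"""Pin and verify an SSH host key fingerprint (added example, not Hirschmann code)."""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (big-endian, sign bit clear)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # adds a leading 0x00 if the high bit is set
    return _ssh_string(raw)


def make_rsa_public_key_line(e: int, n: int, comment: str = "sample") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from the public exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_blob(public_key_line: str) -> bytes:
    """Extract the raw key blob (the part that is fingerprinted) from a public key line."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return base64.b64decode(parts[1])


def fingerprint_md5(public_key_line: str) -> str:
    """Legacy colon-separated MD5 fingerprint, as PuTTY and older ssh-keygen display it."""
    digest = hashlib.md5(key_blob(public_key_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(public_key_line: str) -> str:
    """'SHA256:<unpadded base64>' fingerprint, as current 'ssh-keygen -lf' displays it."""
    digest = hashlib.sha256(key_blob(public_key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_pinned(public_key_line: str, pinned: str) -> bool:
    """Compare the presented key against a fingerprint recorded over a trusted path.

    Either fingerprint form is accepted. The hex form is compared case-insensitively
    because PuTTY shows lower case while some tools show upper case.
    """
    if pinned.startswith("SHA256:"):
        return fingerprint_sha256(public_key_line) == pinned
    return fingerprint_md5(public_key_line) == pinned.lower()


# Constructed sample key: a toy 64-bit modulus, NOT a usable RSA key.
SAMPLE_KEY = make_rsa_public_key_line(65537, 0xC3A5_8B01_7F2D_9E61, "eagle-sample")

if __name__ == "__main__":
    # First contact: note the fingerprint from the device console, store it, then pin it.
    pinned = fingerprint_md5(SAMPLE_KEY)
    print(pinned)
    print(fingerprint_sha256(SAMPLE_KEY))
    print(verify_pinned(SAMPLE_KEY, pinned))
```

In practice the pinned value lives in the SSH client's host database (PuTTY's registry cache, OpenSSH's known_hosts); the functions above show what that database compares, and why a changed fingerprint on a device you did not re-key deserves the "Cancel" the PuTTY prompt recommends.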
4.1.6 Displaying a Configuration File

The device allows you to display a configuration file on the device and on the ACA.
- Select the Basics:Load/Save dialog.
- Select a table entry of the device configuration in the non-volatile memory (NVM) or of the ACA configuration on the AutoConfig Adapter (ACA).
- Click on "Show".

4.1.7 Deleting a Configuration File

The device allows you to delete a non-active configuration file on the device and on the ACA.
- Select the Basics:Load/Save dialog.
- Select a non-active table entry of the device configuration in the non-volatile memory (NVM) or of the ACA configuration on the AutoConfig Adapter (ACA).
- Click on "Delete".

    enable                        Switch to the Privileged EXEC mode.
    show config profiles nv       Display the configurations stored in the NVM.
    profile delete nv <index>     Delete the configuration with the specified index in the NVM.
    show config profiles aca      Display the configurations stored in the ACA.
    profile delete aca <index>    Delete the configuration with the specified index in the ACA.

4.1.8 SFTP Access to Device Files

The device allows you to use SFTP to access device files, such as configuration files or the ACA, or to load a firmware update or VPN certificates onto the device. To do this, us
...ired traffic from the configuration computer in the company network to the devices in the production cell, and to drop the other traffic, especially the traffic from the transfer network. In the opposite direction, from the production cell to the company network, the data traffic is to flow freely. To begin with, the user wants to access the switch in the production cell from his configuration computer in the company network and configure this switch.

    Figure 34: Firewall Learn Mode (FLM) application example (robot and switch in the production cell behind the internal port of the Firewall; configuration computer in the company network behind the external port)

The following IP addresses are known:

    Parameter                      Robot        Switch       Firewall      Configuration computer
    IP address of internal port                              10.0.1.1
    IP address of external port                              10.115.0.2
    IP address                     10.0.1.115   10.0.1.116                 172.17.255.134
    Default gateway                10.0.1.1     10.0.1.1

In the state on delivery, the Firewall permits all traffic from the internal to the external interface; the user wants to keep this configuration. The Firewall drops all traffic from the external to the internal interface; the user wants to change this configuration.

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the Firewall router interface are configured.
- The packet filter rules at the external interface of the Firewall are in the state on delivery.
- The de
8.2 Sending Traps

8.2.3 Configuring Traps
- Select the Diagnostics:Alarms (Traps) dialog. This dialog allows you to determine which events trigger an alarm (trap) and where these alarms should be sent.
- Click "Create entry" to create a new table entry.
- In the "Name" column, enter a name for the recipient to whom the traps should be sent.
- In the "IP Address" column, enter the IP address of the recipient to whom the traps should be sent.
- Click on "OK".
- In the "Active" column, select the entries which should be taken into account when traps are being sent.
- In the "Selection" frame, select the trap categories from which you want to send traps (Chassis, Cold Start, Link Status, Redundancy, Firewall, VPN).

    Figure 51: Alarms dialog

8.3 Monitoring the Device Status

The device status provides an overview of the overall condition of the device. Many process visualization systems record the device status for a device in order to present its condition in graphic form. The device enables you to
- signal the device status out-of-band via a signal contact (see "Monitoring the Device Status via the Signal Contact" on page 216),
- signal the device status by s
...is entry to activate the entry.
- Click on "Write" to temporarily save the entries in the configuration.
- Save the settings in the non-volatile memory:
  - Select the Basic Settings:Load/Save dialog.
  - Click on "Save to NVM + ACA" to permanently save the configuration in the active configuration.

7.2 NAT (Network Address Translation)

Managing a switch in a production cell from a PC outside the production cell (Port Forwarding)

You have used a Firewall to connect to your company network a production cell with its own IP addresses, which should not be visible in the company network. You configure the port forwarding function so that an administrator in the company network can manage a switch within the production cell.

The following is known:

    Parameter                      Switch        Firewall      PC
    IP address of internal port                  10.0.1.201
    IP address of external port                  10.0.2.1
    IP address                     10.0.1.193                  10.0.2.17
    Gateway                        10.0.1.201                  10.0.2.1

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters of the router interface are configured.
- The gateway and the IP address of the devices in the production cell are configured. The devices in the production cell have the IP address of the internal interface (port 1) of the Firewall as their gateway.

    Figure 41: Managing a switch within the production cell from outside (switch 10.0.1.193 behind the internal port 10.0.1.201; PC 10.0.2.17 reaches the external port 10.0.2.1)
...is interrupted.
- Click "Set" to temporarily save the entry in the configuration.
- Click "Load" to display the IP address of your management station in the "Watchdog IP address" field.
- To deactivate the function, deselect "Function" in the "Configuration change" frame. Click "Set" to temporarily save the entry in the configuration. Then click on "Load". The "Watchdog IP address" field now shows 0.0.0.0.

4.1 Editing and managing Configurations

    enable                                 Switch to the Privileged EXEC mode.
    show config watchdog                   Display the settings for the automatic cancellation of a configuration change during a connection interruption.
    configure                              Switch to the Configuration mode.
    config watchdog admin-state enable     Activate the automatic cancellation of a configuration change during a connection interruption.
    config watchdog admin-state disable    Deactivate the automatic cancellation of a configuration change during a connection interruption.
    config watchdog timeout 300            Set the timeout for the automatic cancellation of a configuration change during a connection interruption to 300 s.

4.2 Loading Software Updates

Hirschmann never stops working on improving the performance of its products. So it is possible th
Configure the firewall: enter the parameters for converting the IP addresses.
- Select the dialog Network Security:NAT:Port Forwarding.
- Click on "Create Entry". You thus add a new entry to the table.
- Enter the parameters for the HTTP transmission:
    Source Address (CIDR)   10.0.2.17/24   The network of the administrator's PC. Where only this PC needs access, use 10.0.2.17/32 instead of the whole /24.
    Source Port             any
    Incoming Address        10.0.2.1
    Incoming Port           8080           You can freely allocate port numbers higher than 1024.
    Forwarding address      10.0.1.193
    Forwarding port         http           Web server of the switch.
    Protocol                tcp
- Click on the "Active" field of this entry to activate the entry.
- Click on "Create Entry". You thus add a new entry to the table.
- Enter the parameters for the SNMP transmission:
    Source Address (CIDR)   10.0.2.17/24
    Source Port             any
    Incoming Address        10.0.2.1
    Incoming Port           8081           You can freely allocate port numbers higher than 1024.
    Forwarding address      10.0.1.193
    Forwarding port         snmp           For the communication of the applet with the website of the switch.
    Protocol                udp
- Click on the "Active" field of this entry to activate the entry.
- Click on "Write" to temporarily save the entries in the configuration.
- Save the settings in the non-volatile memory:
  - Select the dialog Ba
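To make the matching behaviour of the two port forwarding entries concrete, the following added example (not Hirschmann code and not part of the manual) models the table as it is described above: a packet arriving on the external interface is forwarded only if an active entry agrees on source network, incoming address, incoming port and protocol, and the destination is then rewritten to the forwarding address and port. The rule values are the manual's (PC network 10.0.2.0/24, external port 10.0.2.1, switch 10.0.1.193); the data structures and the first-match semantics are this example's assumptions, not a description of the device's internals.

```python
"""Model of a port-forwarding (destination NAT) rule table (added example, not Hirschmann code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Service names accepted in the "Forwarding port" field, as the dialog allows names or numbers.
WELL_KNOWN = {"http": 80, "snmp": 161, "https": 443, "ssh": 22}


def port_number(spec) -> Optional[int]:
    """'any' -> None (wildcard); a service name or a numeric string/int -> int."""
    if spec == "any":
        return None
    if isinstance(spec, int):
        return spec
    return WELL_KNOWN[spec] if spec in WELL_KNOWN else int(spec)


@dataclass(frozen=True)
class ForwardRule:
    source_cidr: str          # e.g. "10.0.2.17/24"; host bits are ignored, as in the dialog
    source_port: object       # "any" or a port
    incoming_address: str     # address on the external interface the client connects to
    incoming_port: int        # freely chosen port above 1024
    forwarding_address: str   # real address of the device inside the production cell
    forwarding_port: object   # service name or number on that device
    protocol: str             # "tcp" or "udp"
    active: bool = True

    def matches(self, src: str, sport: int, dst: str, dport: int, proto: str) -> bool:
        """True if this rule applies to the packet (src:sport -> dst:dport, proto)."""
        if not self.active or proto != self.protocol:
            return False
        network = IPv4Network(self.source_cidr, strict=False)  # 10.0.2.17/24 -> 10.0.2.0/24
        if IPv4Address(src) not in network:
            return False
        sp = port_number(self.source_port)
        if sp is not None and sp != sport:
            return False
        return IPv4Address(dst) == IPv4Address(self.incoming_address) and dport == self.incoming_port


def forward(rules, src, sport, dst, dport, proto) -> Optional[Tuple[str, int]]:
    """Rewritten (address, port) from the first active matching rule, or None if nothing forwards the packet."""
    for rule in rules:
        if rule.matches(src, sport, dst, dport, proto):
            return rule.forwarding_address, port_number(rule.forwarding_port)
    return None


# The two entries from the example above (source network: the PC's network 10.0.2.0/24).
RULES = [
    ForwardRule("10.0.2.17/24", "any", "10.0.2.1", 8080, "10.0.1.193", "http", "tcp"),
    ForwardRule("10.0.2.17/24", "any", "10.0.2.1", 8081, "10.0.1.193", "snmp", "udp"),
]

if __name__ == "__main__":
    print(forward(RULES, "10.0.2.17", 50000, "10.0.2.1", 8080, "tcp"))  # web server of the switch
    print(forward(RULES, "10.0.2.17", 50000, "10.0.2.1", 8081, "udp"))  # SNMP on the switch
    print(forward(RULES, "10.0.3.5", 50000, "10.0.2.1", 8080, "tcp"))   # other network: not forwarded
    print(forward(RULES, "10.0.2.17", 50000, "10.0.2.1", 8080, "udp"))  # wrong protocol: not forwarded
```

The protocol field is part of the match: the HTTP entry forwards only TCP and the SNMP entry only UDP, so a probe to 8080/udp or 8081/tcp is not forwarded. The same holds for the source network, which is why a /32 for a single administrator's PC is the tighter choice where it suffices.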
    ...mask 255.255.240.0;
    option routers 10.1.112.96;

3.5 System Configuration via DHCP

    # Host berta requests IP configuration with her MAC address
    host berta {
      hardware ethernet 00:80:63:08:65:42;
      fixed-address 10.1.112.82;
    }

    # Host hugo requests IP configuration with his client identifier
    host hugo {
      # option dhcp-client-identifier "hugo";
      option dhcp-client-identifier 00:68:75:67:6f;
      fixed-address 10.1.112.83;
      server-name "10.1.112.11";
      filename "/agent/config.dat";
    }

Lines that start with a "#" character are comment lines. The lines preceding the individually listed devices refer to settings that apply to all the following devices. The fixed-address line assigns a permanent IP address to the device. For further information, please refer to the DHCP server manual.

3.6 Web-based IP Configuration

With the Basic Settings:Network dialog you define the source from which the device gets its IP parameters after starting, you assign the IP parameters, define the handling of the VLAN ID and configure the HiDiscovery access.
- Choose the operating mode (see "Configuring the application" on page 18).

3.6.1 IP configuration in Transparent Mode
- In the "Protocol" frame you
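The two host entries above differ in how the DHCP server recognizes the device: by hardware address, or by a client identifier derived from the device's name. For a name, the identifier is the type byte 0x00 followed by the ASCII bytes of the name, which is why "hugo" appears as 00:68:75:67:6f. The following added example (not Hirschmann code and not part of the manual) encodes and decodes that identifier and renders host blocks in the ISC dhcpd syntax shown above, with a check that no two static entries claim the same address. The host data are the manual's berta and hugo; the helper names are this example's own.

```python
"""Render ISC dhcpd host entries for devices configured by name or MAC (added example, not Hirschmann code)."""
from dataclasses import dataclass
from typing import List, Optional


def client_identifier_hex(name: str) -> str:
    """Device name -> dhcpd hex notation of the client identifier: type byte 0x00, then ASCII."""
    raw = bytes([0x00]) + name.encode("ascii")
    return ":".join(f"{b:02x}" for b in raw)


def client_identifier_name(hexid: str) -> str:
    """Inverse of client_identifier_hex; rejects identifiers that are not type 0 (e.g. type 1 = Ethernet MAC)."""
    raw = bytes(int(b, 16) for b in hexid.split(":"))
    if not raw or raw[0] != 0x00:
        raise ValueError("not a type-0 (non-hardware) client identifier")
    return raw[1:].decode("ascii")


@dataclass
class DhcpHost:
    name: str
    fixed_address: str
    mac: Optional[str] = None           # select the device by hardware address ...
    by_name: bool = False               # ... or by the client identifier derived from its name
    server_name: Optional[str] = None   # server holding the configuration file
    filename: Optional[str] = None      # configuration file the device should load


def render_host(h: DhcpHost) -> str:
    """One 'host { ... }' block in ISC dhcpd syntax."""
    lines = [f"host {h.name} {{"]
    if h.mac:
        lines.append(f"  hardware ethernet {h.mac};")
    if h.by_name:
        lines.append(f"  option dhcp-client-identifier {client_identifier_hex(h.name)};")
    lines.append(f"  fixed-address {h.fixed_address};")
    if h.server_name:
        lines.append(f'  server-name "{h.server_name}";')
    if h.filename:
        lines.append(f'  filename "{h.filename}";')
    lines.append("}")
    return "\n".join(lines)


def duplicate_addresses(hosts: List[DhcpHost]) -> List[str]:
    """Static entries must be unique; returns every fixed address that appears more than once."""
    seen, dupes = set(), []
    for h in hosts:
        if h.fixed_address in seen and h.fixed_address not in dupes:
            dupes.append(h.fixed_address)
        seen.add(h.fixed_address)
    return dupes


# The manual's two hosts (constructed here from the values in the text above).
HOSTS = [
    DhcpHost("berta", "10.1.112.82", mac="00:80:63:08:65:42"),
    DhcpHost("hugo", "10.1.112.83", by_name=True,
             server_name="10.1.112.11", filename="/agent/config.dat"),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(render_host(h))
    print(duplicate_addresses(HOSTS))
```

Selecting by name rather than MAC lets a replacement device receive the same address and configuration file without editing the server, which is useful when a failed unit is swapped in the field; it also means any host that presents that name gets the entry, so the DHCP server should only be reachable from the cell it serves.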
...l private network (VPN). To increase availability, the Hirschmann Industrial ETHERNET Firewall EAGLE provides you with two redundancy mechanisms:
- virtual router redundancy
- layer 2 redundancy for redundant ring network coupling

1 Introduction

1.1 Security Concept

The primary function of a Firewall is to provide security for a closed local network. A number of factors affect this security.

Access within the local network
The risks within a local network are often underestimated. Usually unintentionally, malware is introduced into the internal local network by the company's own employees or by service providers who connect to the network with their own computers. USB sticks or other storage media can also carry malware. Once they are connected to a computer within the network, they can do their damage from there.

Access to the Firewall
Protect the access to the management of the Firewall yourself, because whoever has access to the Firewall determines which data can pass through the Firewall and which cannot.

Firewall settings
The quintessential task of a Firewall is to protect the internal network from unpermitted data traffic across the dividing line between internal and external network. You use the Firewall rules to define which data is permitted to cross this dividing line.

Protection from viruses
The best way to protect your network fro
...l replaces the destination IP address of a data packet from the internal network with an IP address of the external network. To do this, you create an inverse 1:1 NAT entry for the devices in the external network.

Note: With inverse 1:1 NAT, the Firewall responds to ARP requests from the internal network for the addresses which it maps from the external network. This is also the case when no device with that IP address exists in the external network. Therefore, in the internal network, only allocate to devices IP addresses located outside the range which the inverse 1:1 NAT entry maps from the external network into the internal network; otherwise the Firewall answers ARP requests meant for those devices.

7.2 NAT (Network Address Translation)

Double NAT
You use Double NAT, also known as Twice NAT, if you want the devices in the internal network to communicate with the devices in the external network as if the devices in the external network were in the internal network, and vice versa. In the process the Firewall allocates to the devices in the internal network a different IP address in the external network (1:1 NAT function) and to the devices in the external network a different IP address in the internal network (inverse 1:1 NAT function). With Double NAT, for a data packet from the internal network the Firewall replaces the source IP address with an IP address from the external network and the destination IP address with an IP addre
...ld enter the IP address of the gateway to which the device is to forward data packets whose destination address is outside its own subnetwork.
- If you want to allocate more than one IP address to an interface, you can press "Create" to enter additional IP parameters in the table below. You require multiple IP addresses on an interface if you want to connect large flat networks with different subnetworks at one port.

Getting IP Parameters via DHCP
- You enter the name applicable to the DHCP protocol in the "Name" line in the system dialog of the Web-based interface.

Save IP configuration
- Save the settings so that you will still have the entries after a restart (see "Editing and managing Configurations" on page 66).

3.6 Web-based IP Configuration

3.6.3 IP configuration in PPPoE Mode

In PPPoE Mode the device requires the IP parameters to be entered on the internal interface. The device gets the IP parameters for the external interface from the connection provider.
- In the "Protocol" frame you enter where the device is to obtain its IP parameters. Select "DHCP" if the configuration is to be performed by a DHCP server on the basis of the MAC address or the name of the device (see "System Configuration via DHCP" on page 55). If DHCP is not selected, the device uses the network parameters in its local memory.
- Select "Use VLAN Tag"
...m viruses is to prevent communication with unsafe devices. This is the most effective type of virus protection, because it removes the need for the work-intensive checking of data packet contents; note that it does not inspect the content of the traffic that is permitted. Another advantage of this method is that you define exactly who may communicate with whom.

1.2 Typical applications

The Industrial ETHERNET Firewall is used everywhere that security-sensitive network cells require a connection out of the cell in a harsh environment. The Industrial ETHERNET Firewall is the link between the secure network cells and the unsecured outside world. In its function as a link, the Industrial ETHERNET Firewall protects the security-sensitive cell from undesired data traffic along the connection to the outside world. Typical uses are:
- Protecting individual production cells in a flat company network
- Protecting individual production cells in a routed company network
- Coupling identical production cells to a company network
- Connecting a production cell with the office network via a public network
- Providing protected service access
- Separation of common machine parts

Protecting individual production cells in a flat company network
Individual production cells exchange information with devices in the company network. The company network and the
...merican Registry for Internet Numbers (Americas and Sub-Saharan Africa)
- LACNIC: Regional Latin American and Caribbean IP Address Registry (Latin America and some Caribbean islands)
- RIPE NCC: Réseaux IP Européens (Europe and surrounding regions)

3.1 IP Parameter Basics

    Class A   0    | Net ID (7 bits)               | Host ID (24 bits)
    Class B   10   | Net ID (14 bits)              | Host ID (16 bits)
    Class C   110  | Net ID (21 bits)              | Host ID (8 bits)
    Class D   1110 | Multicast Group ID (28 bits)
    Class E   1111 | reserved for future use (28 bits)

    Figure 7: Bit representation of the IP address

All IP addresses belong to class A when their first bit is a zero, i.e. the first decimal number is less than 128. The IP address belongs to class B if the first bit is a one and the second bit is a zero, i.e. the first decimal number is between 128 and 191. The IP address belongs to class C if the first two bits are one and the third is zero, i.e. the first decimal number is between 192 and 223.

Assigning the host address (host ID) is the responsibility of the network operator. He alone is responsible for the uniqueness of the IP addresses he assigns.

3.1.2 Private IP addresses

If the IP address range assigned to you is not large enough for your requirements, or for whatever other reason, you can use the IP addresses of the private IP address range. IANA has defined three private IP ad
...n Procedure
    PSK (Pre-shared secret key)   e.g. 456789defghi
- In the "VPN Identifier" frame you enter:
    Remote Terminal         10.0.2.1        With this you specify that the IP address of the remote terminal is part of the identification.
    Local VPN identifier    e.g. 10.0.2.4

Enter the IKE key and data exchange parameters
- Select the "IKE Options" tab page.
- In the "ISAKMP SA (Key Exchange)" frame you enter:
    Encryption Algorithm    3DES
    Checksum Algorithm      MD5
- In the "IPsec SA (Data Exchange)" frame you enter which encryption procedures you want to use for the different applications:
    Encryption Algorithm          3DES
    Checksum Algorithm (Hash)     e.g. MD5
    PFS                           Yes
- In the "SA Lifetime" frame you enter:
    ISAKMP SA Lifetime    28800
    IPsec SA Lifetime     3600
    Rekey Margin          540     Rekeying starts this many seconds before an SA expires.
    Rekey Fuzz            100     Percentage by which the margin is randomly extended, to avoid both sides rekeying simultaneously.
    Rekey Attempts        0       0 = unlimited attempts.
    Rekey                 Yes
- In the "Dead Peer Detection" frame you enter:
    Action    Hold
    Delay     30
    Timeout   120

Note: 3DES and MD5 are shown here because this example documents EAGLE Rel. 4.2. Both are legacy algorithms; where the remote terminal supports it, prefer AES for encryption and a SHA-2 hash.

7.5 VPN (Virtual Private Network)
- Enter the parameters for the firewall rules for the data to be transmitted via the VPN connection. In the default setting, the EAGLE Rel. 4.2 has rules that allow all data to be transmitted.
- Activate the connection.
- Save the settings in the non-volatile memory.
- Click on "Accept" to activate the entry and save it permanently in the configuration.
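Both VPN examples in this chapter (the Rel. 5.0 "Authentication" / "IKE Key Exchange" dialogs and the Rel. 4.2 "IKE Options" dialog above) end with the same requirement: both Firewalls carry identical settings, with only the endpoint and network addresses swapped. The following added example (not Hirschmann code and not part of the manual) derives the peer's side from one configured side, reports every field on which a second side deviates, flags the legacy algorithms, and works out the rekey window that the Rekey Margin and Rekey Fuzz values define (the margin is extended by a random 0..fuzz% before SA expiry, the semantics these parameter names carry in the Openswan/strongSwan family). The values are taken from the manual's two examples; the field names and helper functions are this example's own.

```python
"""Consistency and parameter checks for a pair of IPsec VPN endpoints (added example, not Hirschmann code)."""
from dataclasses import dataclass, replace, asdict
from typing import List, Tuple

LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_HASH = {"MD5"}


@dataclass(frozen=True)
class VpnSide:
    local_id: str
    remote_id: str
    local_network: str
    remote_network: str
    psk: str
    ike_encryption: str
    ike_hash: str
    esp_encryption: str
    esp_hash: str
    pfs: bool
    isakmp_lifetime: int   # seconds
    ipsec_lifetime: int    # seconds
    rekey_margin: int      # seconds before expiry at which rekeying starts
    rekey_fuzz: int        # percent of the margin added at random
    rekey_attempts: int    # 0 = unlimited
    dpd_delay: int         # seconds between DPD probes
    dpd_timeout: int       # seconds without a reply before the peer counts as dead


def mirror(side: VpnSide) -> VpnSide:
    """The peer's configuration: identical parameters, local and remote swapped."""
    return replace(side,
                   local_id=side.remote_id, remote_id=side.local_id,
                   local_network=side.remote_network, remote_network=side.local_network)


def variant(side: VpnSide, **changes) -> VpnSide:
    """Copy of a side with some fields changed (used to probe mismatches)."""
    return replace(side, **changes)


def mismatches(a: VpnSide, b: VpnSide) -> List[str]:
    """Fields on which b differs from what a's peer must look like; an empty list means the pair is consistent."""
    expected, actual = asdict(mirror(a)), asdict(b)
    return sorted(k for k in expected if expected[k] != actual[k])


def legacy_algorithms(side: VpnSide) -> List[str]:
    """Algorithm settings a practitioner should replace (AES / SHA-2) where the remote terminal allows."""
    found = []
    for label, value, weak in (("ike_encryption", side.ike_encryption, LEGACY_ENCRYPTION),
                               ("esp_encryption", side.esp_encryption, LEGACY_ENCRYPTION),
                               ("ike_hash", side.ike_hash, LEGACY_HASH),
                               ("esp_hash", side.esp_hash, LEGACY_HASH)):
        if value.upper() in weak:
            found.append(f"{label}={value}")
    return found


def rekey_window(lifetime: int, margin: int, fuzz_percent: int) -> Tuple[int, int]:
    """Earliest and latest second (after SA establishment) at which rekeying begins.

    Rekeying starts margin * (1 + r) seconds before expiry, with r uniform in [0, fuzz%].
    """
    earliest = lifetime - margin * (100 + fuzz_percent) // 100
    latest = lifetime - margin
    if earliest <= 0:
        raise ValueError("rekey margin (with fuzz) exceeds the SA lifetime")
    return earliest, latest


def dpd_sane(side: VpnSide) -> bool:
    """A DPD timeout that is not longer than the probe delay can never observe a missed reply."""
    return side.dpd_timeout > side.dpd_delay > 0


# One side, assembled from the manual's example values.
SIDE_A = VpnSide(local_id="10.0.2.1", remote_id="10.0.2.4",
                 local_network="10.0.1.0/24", remote_network="10.0.3.0/24",
                 psk="456789defghi", ike_encryption="3DES", ike_hash="MD5",
                 esp_encryption="3DES", esp_hash="MD5", pfs=True,
                 isakmp_lifetime=28800, ipsec_lifetime=3600,
                 rekey_margin=540, rekey_fuzz=100, rekey_attempts=0,
                 dpd_delay=30, dpd_timeout=120)

if __name__ == "__main__":
    side_b = mirror(SIDE_A)
    print(mismatches(SIDE_A, side_b))
    print(legacy_algorithms(SIDE_A))
    print(rekey_window(SIDE_A.ipsec_lifetime, SIDE_A.rekey_margin, SIDE_A.rekey_fuzz))
    print(dpd_sane(SIDE_A))
```

With the manual's values, the IPsec SA is rekeyed somewhere between 2520 s and 3060 s after it was established, i.e. well before the 3600 s lifetime, and the ISAKMP SA between 27720 s and 28260 s; the randomized margin is what keeps the two Firewalls from both initiating a rekey at the same instant. Running mismatches() against a second side typed in by hand catches the swapped-address and mistyped-PSK errors that otherwise surface only as a tunnel that never comes up.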
...n in the "HiDiscovery Protocol" frame, or limit the access to read-only. HiDiscovery with read-write access lets any host on the attached network change the IP parameters of the device; after commissioning, switch it to read-only or off.

    enable                                     Switch to the Privileged EXEC mode.
    network protocol hidiscovery off           Disable the HiDiscovery function.
    network protocol hidiscovery read-only     Enable the HiDiscovery function with read-only access.
    network protocol hidiscovery read-write    Enable the HiDiscovery function with read-write access.

6.5 External Authentication

6.5.1 Description of the external Authentication

External Authentication of the device allows you to create user firewall accounts with corresponding passwords in order to authenticate a user. For each account you can select an authentication list that defines up to three authentication methods, which the device uses in sequence for access via this account name. The device allows authentication by means of its user database (local) or via a RADIUS server. You must create accounts (users) in order to use the user firewall function (see "User Firewall" on page 160).

6.5.2 Application example for external Authentication

In a typical case, a service technician wants to log in to the Firewall in the login window of the Web-based interface under the "user firewall" login type. After he successfully logs in, the user firewall function (see page 160) provides him with access to the internal and e
...need to install the device. The Command Line Interface user manual contains all the information you need to configure the device using the Command Line Interface. The Web-based Interface reference manual contains detailed information on using the Web interface to operate the individual functions of the device.

About this Manual

The Network Management Software HiVision / Industrial HiVision provides you with additional options for smooth configuration and monitoring:
- Configuration of multiple devices simultaneously
- Graphical interface with network layouts
- Auto-topology discovery
- Event log
- Event handling
- Client/Server structure
- Browser interface
- ActiveX control for SCADA integration
- SNMP/OPC gateway

Key

The designations used in this manual have the following meanings:
- List
- Work step
- Subheading
- Link: indicates a cross-reference with a stored link
- Note: a note emphasizes an important fact or draws your attention to a dependency
- Courier: ASCII representation in the user interface
- Execution in the Web-based Interface user interface
- Execution in the Command Line Interface user interface

Symbols used: WLAN access point, Router with firewall, Switch with firewall, Router, Switch.
...ns used

    ACA     AutoConfiguration Adapter
    ACL     Access Control List
    AES     Advanced Encryption Standard
    BOOTP   Bootstrap Protocol
    CIDR    Classless Inter-Domain Routing
    CLI     Command Line Interface
    DHCP    Dynamic Host Configuration Protocol
    DES     Data Encryption Standard
    DN      Distinguished Name
    GARP    General Attribute Registration Protocol
    FDB     Forwarding Database
    FQDN    Fully Qualified Domain Name
    GMRP    GARP Multicast Registration Protocol
    HMAC    Hashed Message Authentication Code
    HTTP    Hypertext Transfer Protocol
    ICMP    Internet Control Message Protocol
    IGMP    Internet Group Management Protocol
    IKE     Internet Key Exchange
    IP      Internet Protocol
    IPsec   IP Security
    LED     Light Emitting Diode
    LLDP    Link Layer Discovery Protocol
    MAC     Media Access Control
    MD5     Message Digest 5
    MODP    Modular Exponentiation
    NTP     Network Time Protocol
    PC      Personal Computer
    PTP     Precision Time Protocol
    QoS     Quality of Service
    RFC     Request For Comment
    RM      Redundancy Manager
    RS      Rail Switch
    RSTP    Rapid Spanning Tree Protocol
    SA      Security Association
    SFP     Small Form-factor Pluggable
    SHA     Secure Hash Algorithm
    SNMP    Simple Network Management Protocol
    SNTP    Simple Network Time Protocol
    TCP     Transmission Control Protocol
    TFTP    Trivial File Transfer Protocol
    TP      Twisted Pair
    UDP     User Datagram Protocol
    URL     Uniform Resource Locator
    UTC     Coordinated Universal Time
    VLAN    Virtual Local Area Network

B.2 Management Information Base (MIB)

The Managemen
...on of CLI Access

The device allows you to protect the access to the CLI in a number of ways:
- Password
- Activate/deactivate SSH: After the SSH server has been deactivated, the device prevents renewed access via a new SSH connection. If an SSH connection already exists, it is kept.
- Selection of the SSH port: Applications use the standard port 22 for an SSH connection. The device allows you to use a different port. A non-standard port hides the service from casual scans but is no substitute for the source address restriction and strong passwords.
- Restrictions for the IP addresses permitted access, for each port: In the state on delivery, you can access the device from every IP address via the internal port. The device allows you to specify, for each port, from which IP addresses the device allows or denies access.
- Automatic logout after inactivity

6.2.2 Configuring the CLI Access

To optimize the access protection, use all the options the device provides you with.

6.2 CLI Access

The figure shows a typical example for accessing the internal port of the Firewall. The following table contains examples of all the parameters for the subsequent configuration example (the passwords are short example values; choose long ones in production):

    Parameter                              Value
    Read password                          Heinrich5
    Write/read password                    Ludwig14
    SSH access active                      Yes
    SSH port                               9234
    SSH source address of internal port    10.0.1.17/24

    Figure 27: Application example of Command Line Interface access (management station 10.0.1.17 connected to the internal port 10.0.1.201 of the Firewall)
    copy config running-config nv    Save the current configuration to the non-volatile memory.

3.2 Entering IP parameters via CLI

Note: Normally you can skip the setting of the maximum frame size. Set the maximum frame size if you know that your Internet Service Provider uses a different value.

The external interface gets its IP address from the connection provider via PPPoE. The EAGLE device allows you to automatically interrupt the PPPoE connection every day. To activate this function, you proceed as follows:

    enable                                        Switch to the Privileged EXEC mode.
    network pppoe disconnect admin-state enable   Specify that the device automatically interrupts the PPPoE connection at the specified time every day.
    network pppoe disconnect hour 2               Set the time (hour) at which the device automatically interrupts the PPPoE connection every day. Value range: 0 to 23.
    copy config running-config nv                 Save the current configuration to the non-volatile memory.

3.3 Entering the IP Parameters via HiDiscovery

The HiDiscovery protocol enables you to assign IP parameters to the device via the Ethernet. You can easily configure other parameters via the Web-based interface (see the Web-based Interface reference manual). In the state on delivery, the HiDiscovery function of th
7.5 VPN (Virtual Private Network)

A virtual private network (VPN) refers to the part of a public network that someone uses for their private purposes. The special feature of a VPN, as the name "private" suggests, is that it is closed off from the public network. Different measures protect the data of the virtual private network from spying, data falsification and other attacks by external subscribers. In the industrial environment, for example, a VPN serves to connect two plant sections with each other via the public Internet.

    Figure 44: VPN for connecting two plant sections

7.5.1 IPsec (Internet Protocol Security)

IPsec (Internet Protocol Security) is the most commonly used VPN protocol. IPsec regulates the setting up of a VPN connection and the measures for secure data transmission in the virtual private network. Secure data transmission in a VPN involves:
- Integrity protection: ensures that the data transmitted is genuine, i.e. that it comes from a trustworthy sender (is authentic) and that the recipient receives the data in an unfalsified form.
- Encryption: ensures that nobody without authorization can view the data. Encryption procedures code the data to be transmitted using a code
operating software. In addition, we refer to the conditions of use specified in the license contract. You can get the latest version of this manual on the Internet at the Hirschmann product site (www.beldensolutions.com). Printed in Germany. Hirschmann Automation and Control GmbH, Stuttgarter Str. 45-51, 72654 Neckartenzlingen, Germany, Tel. +49 1805 141538. EAGLE Configuration, Release 5.0 09/2010.

Contents
About this Manual
Key
1 Introduction
1.1 Security Concept
1.2 Typical applications
1.3 Configuring the application
  1.3.1 Configuration steps in the transparent mode
  1.3.2 Configuration steps in router mode
  1.3.3 Configuration steps in PPPoE mode
2 Access to the user interfaces
2.1 System Monitor
2.2 Command Line Interface
2.3 Web-based Interface
3 Entering the IP Parameters
3.1 IP Parameter Basics
  3.1.1 IP address (version 4)
  3.1.2 Private IP addresses
  3.1.3 Netmask
  3.1.4 Classless Inter-Domain Routing
3.2 Entering IP parameters via CLI
  3.2.1 IP parameters in Transparent Mode
  3.2.2 IP Parameters in Router Mode
  3.2.3 Connection parameters in PPPoE Mode
3.3 Entering the IP Parameters via HiDiscovery
3.4 Loading the System Configuration from the ACA
3.5 System Configuration via DHCP
3.6 Web-based IP Configuration
  3.6.1 IP configuration in Transparent Mode
  3.6.2 IP configuration in Router Mode
  3.6.3 IP configuration in PPPoE Mode
for a long period, you should re-dimension the network and, for example, ensure that the network has a higher data transmission rate or that the network load is split up (see the Basic Configuration User Manual for your Hirschmann switch).
To display the network load for each port, proceed as follows:
- Select the Diagnostics:Ports:Network Load dialog.

  enable
    Switch to the Privileged EXEC mode.
  show interfaces utilization
    Display the network load as a percentage for port 1 (internal) and port 2 (external).

8.6.2 Port Statistics
The port statistics table enables experienced network administrators to identify possible problems detected in the network. This table shows you the contents of various event counters. In the Restart menu item you can reset all the event counters to zero using Warm start, Cold start or Reset port counter. The packet counters add up the events sent and the events received.
- Select the Diagnostics:Ports:Statistics dialog.
- To reset the counters, click on Reset port counters in the Basic Settings:Restart dialog.
Figure 55: Displaying port statistics

  enable
    Switch to the Privileged EXEC mode.
  show interfaces counters
    Display the statistic counters for port 1 (internal) and port 2 (external).
  Remote type: fqdn. With this you specify that the remote key identification is part of the identification.
  Remote ID: e.g. www.hirschmann.ac.com

- Enter the IKE key exchange parameters:
- Select the IKE Key Exchange tab page.
- In the Mode frame you enter:
  Protocol: auto. With this the Firewall selects the protocol version automatically, depending on the VPN remote terminal.
  Startup as: responder. With this the Firewall responds to the request from the remote terminal to set up a VPN connection.
  DPD Timeout: 120. With this the Firewall terminates the VPN connection if it does not receive a sign of life from the remote terminal within 120 seconds.
  Lifetime: 28800. After this lifetime has elapsed, the two participating Firewalls agree on new keys for the IKE security association (IKE SA). The lifetime is there to effect a periodic key change for the IKE SA.
  Compatibility Mode: Off
- In the Algorithms frame you enter which encryption procedures you want to use for the different applications:
  Key Agreement: modp1024
  Hash: e.g. md5
  Integrity: hmacmd5
  Encryption: aes128
- In the Peers/Endpoints frame you enter:
  Local IP Address: 10.0.2.1
  Remote IP Address: 10.0.2.92
  In the current example, the external port of the Firewall and the Ethernet interface of the LANCOM
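The algorithm values in the example above (md5, hmacmd5, modp1024) are what the dialog shows, but a practitioner configuring this today should treat MD5/SHA-1 and Diffie-Hellman groups below 2048 bits as deprecated and pick stronger values wherever the remote terminal supports them. The following is an added example, not Hirschmann code: it models the fields of the IKE Key Exchange tab as a small record and flags weak settings. The ratings, the 24-hour lifetime threshold, and the hardened values (ikev2, modp2048, sha256, hmacsha256, aes256) are the editor's assumptions; whether a given firmware release offers each value must be checked in the dialog itself.

```python
"""Flag weak settings in an IKE proposal as entered in the IKE Key Exchange tab.

Added example, not device code. Ratings follow current guidance:
MD5/SHA-1 and DH groups below 2048 bits are deprecated.
"""
from dataclasses import dataclass

WEAK_DH = {"modp768", "modp1024"}            # IKE groups 1 and 2
WEAK_HASH = {"md5", "sha1"}
WEAK_INTEGRITY = {"hmacmd5", "hmacsha1"}
WEAK_ENCRYPTION = {"des", "3des"}
MAX_IKE_LIFETIME = 86400                     # editor's threshold, seconds


@dataclass(frozen=True)
class IkeProposal:
    protocol: str        # "auto", "ikev1" or "ikev2"
    startup_as: str      # "initiator" or "responder"
    dpd_timeout: int     # seconds; 0 is taken to mean DPD off (assumption)
    lifetime: int        # IKE SA lifetime in seconds
    key_agreement: str   # Diffie-Hellman group
    hash_alg: str
    integrity: str
    encryption: str


def check_proposal(p: IkeProposal) -> list:
    """Return one human-readable finding per weak or risky setting."""
    findings = []
    if p.key_agreement in WEAK_DH:
        findings.append(f"key agreement {p.key_agreement}: group too small, use modp2048 or larger")
    if p.hash_alg in WEAK_HASH:
        findings.append(f"hash {p.hash_alg}: deprecated, use sha256 or stronger")
    if p.integrity in WEAK_INTEGRITY:
        findings.append(f"integrity {p.integrity}: deprecated, use hmacsha256 or stronger")
    if p.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {p.encryption}: deprecated, use aes128 or aes256")
    if p.protocol == "auto":
        findings.append("protocol auto: version is chosen by the peer; pin ikev2 if the remote terminal supports it")
    if p.dpd_timeout <= 0:
        findings.append("DPD timeout off: a dead peer is never detected and the SA is never torn down")
    if p.lifetime > MAX_IKE_LIFETIME:
        findings.append(f"IKE SA lifetime {p.lifetime}s: longer than 24h, rekey more often")
    return findings


# The proposal exactly as the manual's example enters it.
MANUAL_EXAMPLE = IkeProposal("auto", "responder", 120, 28800, "modp1024", "md5", "hmacmd5", "aes128")
# A hardened variant (values are the editor's suggestion, check the dialog offers them).
HARDENED = IkeProposal("ikev2", "responder", 120, 28800, "modp2048", "sha256", "hmacsha256", "aes256")

if __name__ == "__main__":
    for label, prop in (("manual example", MANUAL_EXAMPLE), ("hardened", HARDENED)):
        print(label, check_proposal(prop) or ["no findings"])
```

Run it against the proposal you intend to enter before saving the connection; the same check applies to the peer's side, since the weakest algorithm both ends accept is the one that will be negotiated.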
- Click on Write to temporarily save the routing and mapping data.
- Click on Back to return to the Virtual Private Network:Connections dialog.
- Click on Write to temporarily save the data.
- Select the dialog Basic Settings:Load/Save to save the example configuration permanently.
- Click on Save to NVM + ACA to save the data permanently in the non-volatile memory.

Create the routing on Firewall 3:
- Select the dialog Virtual Private Network:Connections.
- Select the connection with the name "Production control production hall 2" and click on Edit.
- Select the IP Networks tab page. The device shows an empty table.
- Click on Create entry to create a new line. In the 1st line enter:
  Source address (CIDR): 10.0.4.0/24
  Destination address (CIDR): 10.0.1.0/24
  Description: FW 3 to FW 1
- Click on Write to temporarily save the routing and mapping data.
- Click on Back to return to the Virtual Private Network:Connections dialog.
- Click on Write to temporarily save the data.
- Select the dialog Basic Settings:Load/Save to save the example configuration permanently.
- Click on Save to NVM + ACA to save the data permanently in the non-volatile memory.
If several devices are connected to one port (for example via a hub), the table will contain one line for each connected device. If devices with active topology discovery function and devices without active topology discovery function are connected to a port, the topology table hides the devices without active topology discovery. If only devices without active topology discovery are connected to a port, the table will contain one line for this port to represent all devices; this line contains the number of connected devices. IP addresses of devices that the topology table hides for the sake of clarity are located in the configuration check table (see "Configuration Check" on page 226).

8.8 Configuration Check
This function allows you to check your configuration after the installation and the configuration. The configuration check also includes the configuration of the neighboring device in the check. By clicking on a line you will find details of the result of a check on a port in the lower part of the dialog.

8.9 Reports
The following reports are available for the diagnostics:
System information: The system information is an HTML file containing all system-relevant data.
- Select the Diagnostics:Report dialog.
- Click System Information to open the H
are case sensitive. The start screen appears:

  NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the particular mode. For the syntax of a particular command, please consult the documentation.
  (Hirschmann Eagle) >

Figure 4: CLI screen after login

2.3 Web-based Interface
The user-friendly Web-based interface gives you the option of operating the device from any location in the network via a standard browser such as Mozilla Firefox or Microsoft Internet Explorer. As a universal access tool, the Web browser uses an applet which communicates with the device via the Simple Network Management Protocol (SNMP). The Web-based interface allows you to graphically configure the device. In the state on delivery, the firewall setting allows Web access via the internal interface; the firewall setting prevents Web access via the external interface for security reasons.

Opening the Web-based Interface via the internal port
To open the Web-based interface, you need a Web browser (a program that can read hypertext), for example Mozilla Firefox version 1 or later or Microsoft Internet Explorer version 6 or later.
Note: The Web-base
re FLM. Enter Example01_before_FLM and click on OK. The device saves the current configuration permanently in the NVRAM under the specified name and sets it to the status "active". The Web-based interface then activates the control elements for the firewall learn mode.

The learning starts:
- Select the external interface for the learning.
- To start the actual learning process on the Firewall, click on Start learn mode.
- On your configuration computer, load the Web-based interface of the switch in the production cell in another browser window. The Web-based interface accesses the switch via http and snmp. This is the data traffic you want in order to configure the switch.
- Go back to the assistant for the firewall learn mode and click on Load. The device refreshes its display in the Information frame and displays the number of learned IP connections.
- To stop the learn mode, click on Stop learn mode. The Web-based interface activates the External interface tab page.

Inspect traffic data and use the assistant to derive rules for desired traffic:
- Select the External interface tab page.
- In the Captured Data frame, sort the table in ascending order based on the Source IP column.
- Search for the first row with the IP address of the configuration computer. From this row onwards
Industrial ETHERNET Firewall EAGLE 20 reference manual.
- Click on Write to temporarily save the entry in the configuration.

Enter the filter data for outgoing IP packets:
- Select the dialog Network Security:Packet Filter:Outgoing IP Packets. In the state on delivery the EAGLE already has an entry that allows all data traffic from the internal network to the external network.
- Select the entry. Enter the filter data for "drop everything":
  Description: drop everything
  Source address (CIDR): any
  Source port: any
  Destination address (CIDR): any
  Destination port: any
  Protocol: any
  Action: drop
  Log: disable
- Click on the Active field of this entry to activate the entry.
- Select the entry. Click on the up arrow. Repeat the operation until the entry represents the first row of the table.
- Click on Create Entry. You thus add a new entry to the table.
- Select the entry. Enter the filter data for "free access for robot":
  Description: free access for robot
  Source address (CIDR): 10.0.1.5/32
  Source port: any
  Destination address (CIDR): 10.0.2.17/32
  Destination port: any
  Protocol: any
  Action: accept
  Log: disable
- Click on the Active field of this entry to activate the entry.
during the learning. To learn and inspect this traffic, deactivate the drop rule before the learning.

7.2 NAT (Network Address Translation)
The Network Address Translation (NAT) protocol describes a procedure for automatically and transparently changing IP address information in data packets while still transmitting the data packets to their precise destination. NAT is used when you do not want IP addresses of an internal network to be visible from outside. The reasons for this can include, for example:
- Keeping the structure of the internal network hidden from the outside world
- Keeping private IP addresses hidden (see "Private IP addresses" on page 36)
- Using IP addresses multiple times, for example by forming identical production cells
Depending on your reason for using NAT, it offers you various procedures for using the IP address information.

Table 9: Comparison of the individual NAT procedures
  Properties                                     IP Masquerading   1:1 NAT   Port Forwarding
  Initialization of a connection from within     Yes               Yes       No
  Initialization of a connection from outside    No                Yes       Yes

7.2.1 IP Masquerading
You use IP Masquerading to hide the internal network structure from outside, concealing it behind a mask, so
s. The device accepts this data as configuration parameters (see "Web-based IP Configuration" on page 59). If an IP address was assigned by a DHCP server, it will be permanently saved locally.

Table 5: DHCP Options requested by the device
  Option   Meaning
  1        Subnet Mask
  2        Time Offset
  3        Router
  4        Time server
  12       Host Name
  61       Client Identifier
  66       TFTP Server Name
  67       Bootfile Name

The DHCP server provides ("leases") the configuration parameters for a specific time period, so the address a client holds may change when its lease expires. To avoid this, most DHCP servers provide the explicit configuration option of always assigning a specific client the same IP address based on a unique hardware ID (known as static address allocation). On delivery DHCP is inactive. If DHCP is activated, the device attempts to obtain an IP address. If it cannot find a DHCP server after restarting, it will not have an IP address. To activate/deactivate DHCP, see "Web-based IP Configuration" on page 59.
Note: When using HiVision network management, ensure that DHCP always allocates the original IP address to each device.
In the appendix you will find an example for the configuration of a BOOTP/DHCP server (see "Setting up the DHCP Server" on page 230).
Example of a DHCP configuration file (/etc/dhcpd.conf) for the DHCP daemon:
  subnet 10.1.112.0 netmask 255.255.240.0 {
    option subnet-mas
s Authority 35
Internet Key Exchange protocol 168
Internet Protocol Security 166
Internet Protocol Security (IPsec) 166
Internet Router 36
Internet service provider 35
Inverse 1:1 NAT 151
J
Java Runtime Environment 29
JavaScript 30
L
LACNIC 35
LLDP 224
Learn mode 130
Link monitoring 210, 213
Login 30
Login Type 31
M
MAC destination address 40
MTU 48, 63
Management VLAN ID 59
Maximum Transmission Unit 48, 63
Message 207
N
NAPT 149
NAT 127, 148
NTP 84, 86, 89
NTP client 89
NTP server 89
Netmask 37, 44, 45, 46, 47, 48, 63
Network Address Translation 127, 148
Network Address Translation Protocol 36
Network Management 57
Network Management Software 8
Network Time Protocol 84
Network address 35
Network management station 224
Non-volatile memory 67
O
Object ID 242
Object classes 242
Object description 242
OpenSSH Suite 237
Operating mode 33, 82
Operation monitoring 213, 248
P
PPPoE Mode 33, 47, 62
PPPoE mode 21
Packet Filter 128
Packet filter 127, 128
Password 27, 31, 106, 113
Ping 165, 206
Polling 207
Port Configuration 82
Port Forwarding 153
Pre-shared key 168
Private IP address 36
Private IP addresses 36
R
RIPE NCC 35
Reachability Test 206
Read access 31
Real time 84
Reboot 80
Redundancy 91, 97
Reference clock 84, 87
Relay contact 213
Release 77
Remote diagnostics 213
Report 227
Request interval (SNTP) 88
Reset 80
Restart 80
Router 37
Router Mode 33, 60, 97
Router Redundancy 97
s may contain entries that nevertheless allow the traffic until they expire. If you delete a packet filter entry, the device clears the entire status table.

Address Templates
You can use address templates to create and modify IP packet filter entries quickly and more easily. If you use the same IP address ranges for the source or destination addresses in multiple rules, you have the option to define these addresses as an address template. An address template consists of 1 or more address entries with the same name. Optionally, you can enter an individual address with the address mask /32. You can activate or deactivate the individual addresses of the address template separately.
In your packet filter entries, use an address template in the form of a variable. You indicate a variable by putting a dollar sign ($) before its name. You can use variables for source and destination addresses. The device automatically creates the suitable packet filter entries from a packet filter entry with variables. If you change the address template for a variable, the device automatically modifies the packet filter entries it created.
For example, you can create an address template for the addresses in your internal network and use it as a variable in your packet filter entries. When you add an additional device to your internal network which is to have the same p
use the signal contact.

8.4.2 Monitoring Correct Operation via the Signal Contact
Configuring the operation monitoring:
- Select the Diagnostics:Signal Contact dialog.
- Select "Monitoring correct operation" in the "Mode signal contact" frame to use the contact for operation monitoring.
- In the "Monitoring correct operation" frame, select the events you want to monitor.
- To monitor the temperature, set the temperature thresholds in the Basics:System dialog at the end of the system data.

  enable
    Switch to the Privileged EXEC mode.
  configure
    Switch to the Configuration mode.
  signal contact monitor temperature enable
    Includes the temperature in the operation monitoring.
  signal contact trap enable
    Enables a trap to be sent if the status of the operation monitoring changes.

Displaying the signal contact's status
The device gives you 3 additional options for displaying the status of the signal contact:
- LED display on the device
- display in the Web-based interface
- query in the Command Line Interface
Figure 53: Signal contact dialog

  show signal contact
- Search for the http traffic data between the configuration computer and the switch (tcp, port 80). This is the first row with the destination address of the switch, destination port 80 and the tcp protocol.
- Select this row.
- Click on Add to Rule Set. The device transfers the learned data of the selected row into a new rule. In the Captured Data frame, the Web-based interface displays the row that the new rule covers in dark green.
- To permit the random source ports of the http requests, change the source port of the rule to "any". In the Captured Data frame, the Web-based interface now displays the rows that the new rule covers in dark green.
- In the Captured Data frame, search again for the first row with the IP address of the configuration computer.
- From this row onwards, search for the snmp traffic data between the configuration computer and the switch (udp, port 161). This is the first row with the destination address of the switch, destination port 161 and the udp protocol.
- Select this row.
- Click on Add to Rule Set. The device transfers the learned data of the selected row into a new rule. The Web-based interface displays the row that the new rule covers in dark green. The Web-based interface displays the rows covered by the rule previously cre
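The packet filter passages on this page (the "drop everything" and "free access for robot" entries, the address templates with $-variables, and the learn-mode rows turned into rules with the source port widened to "any") all rest on the same mechanism: a table of rules evaluated top to bottom, first active match wins, with template variables expanded into concrete entries first. The following added example, which is not EAGLE firmware code, models that mechanism so the effect of rule order can be checked before entries are written to the device. It assumes first-match evaluation and places the specific accept rules above the catch-all drop; the template entries, the configuration PC 10.0.1.17, the switch 10.0.2.20 and the captured rows are constructed.

```python
"""Packet filter model: address templates, first-match evaluation, learn-mode rules.

Added example, not EAGLE firmware code. First-active-match, top-to-bottom
evaluation is an assumption about the device; addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    description: str
    src: str        # CIDR, "any", or "$template"
    sport: str      # port number as text, or "any"
    dst: str        # CIDR, "any", or "$template"
    dport: str
    proto: str      # "tcp", "udp", "icmp" or "any"
    action: str     # "accept" or "drop"
    active: bool = True


# Address template: one name, several entries, each individually (de)activatable.
TEMPLATES = {
    "internal": [("10.0.1.0/24", True), ("10.0.3.7/32", False)],   # constructed
}


def resolve(spec, templates):
    """Turn a '$name' variable into its active addresses; pass other specs through."""
    if not spec.startswith("$"):
        return [spec]
    return [cidr for cidr, active in templates[spec[1:]] if active]


def expand(rules, templates):
    """The device creates one concrete entry per active template address."""
    out = []
    for r in rules:
        for s in resolve(r.src, templates):
            for d in resolve(r.dst, templates):
                out.append(replace(r, src=s, dst=d))
    return out


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def decide(rules, pkt, default="accept"):
    """First active matching rule wins. pkt has src, sport, dst, dport, proto."""
    for r in rules:
        if not r.active:
            continue
        if (_addr_ok(r.src, pkt["src"]) and _port_ok(r.sport, pkt["sport"])
                and _addr_ok(r.dst, pkt["dst"]) and _port_ok(r.dport, pkt["dport"])
                and r.proto in ("any", pkt["proto"])):
            return r.action, r.description
    return default, "(no rule matched)"


def rule_from_capture(row, description):
    """Learn mode 'Add to Rule Set': a captured row becomes an accept rule.
    The client's random source port is widened to 'any', as the manual advises."""
    return Rule(description, f"{row['src']}/32", "any", f"{row['dst']}/32",
                str(row["dport"]), row["proto"], "accept")


# Constructed learn-mode rows: configuration PC 10.0.1.17 talking to switch 10.0.2.20.
CAPTURED = [
    {"src": "10.0.1.17", "sport": 49152, "dst": "10.0.2.20", "dport": 80, "proto": "tcp"},
    {"src": "10.0.1.17", "sport": 49153, "dst": "10.0.2.20", "dport": 161, "proto": "udp"},
]

ROBOT = Rule("free access for robot", "10.0.1.5/32", "any", "10.0.2.17/32", "any", "any", "accept")
TEMPLATED = Rule("internal ping", "$internal", "any", "any", "any", "icmp", "accept")
DROP_ALL = Rule("drop everything", "any", "any", "any", "any", "any", "drop")

# Specific accepts first, the catch-all drop last.
RULESET = expand([rule_from_capture(CAPTURED[0], "config PC http to switch"),
                  rule_from_capture(CAPTURED[1], "config PC snmp to switch"),
                  ROBOT, TEMPLATED, DROP_ALL], TEMPLATES)

if __name__ == "__main__":
    telnet = {"src": "10.0.1.17", "sport": 40000, "dst": "10.0.2.20", "dport": 23, "proto": "tcp"}
    for pkt in CAPTURED + [telnet]:
        print(pkt["proto"], pkt["dport"], decide(RULESET, pkt))
    print("drop rule on top:", decide([DROP_ALL] + RULESET, CAPTURED[0]))
```

The last print shows why the position of "drop everything" matters: with the catch-all in the first row, the learned http rule below it is never reached.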
Basic Settings:Load/Save.
- Click on Save to NVM + ACA to permanently save the configuration in the active configuration.

7.3 User Firewall
7.3.1 Description of the User Firewall Function
With the user-related data traffic control, the firewall checks the data of a user previously defined by you (see "Description of the external Authentication" on page 123). The firewall allows you to define multiple users. For every user defined, you can create different rules on the basis of which the firewall handles the data packets of that user. After a user has registered for the user firewall on the firewall's website (see fig. 6), the firewall checks all data packets for this user on the basis of the rules defined for him. If none of these rules apply, the firewall checks these data packets on the basis of the general packet filters (see "Packet Filter" on page 128).
Figure 42: IP firewall list
You use the user firewall function if you want to provide certain users with access to the internal or external network for a limited period of time, whereby this access is governed by rules.
    Displays the status of the operation monitoring and the setting for the status determination.

8.4.3 Monitoring the Device Status via the Signal Contact
The Device Status option enables you, as in the operation monitoring, to monitor the device state (see "Monitoring the Device Status via the signal contact" on page 210).

8.5 Port Status Indication
- Select the Basics:System dialog. The device view shows the device. Symbols on the ports represent the status of the individual ports.
Figure 54: Device View
Meaning of the symbols:
- The port (10/100 Mbit/s) is enabled and the link has been established.
- The port is disabled by the management and it has a link.
- The port is disabled by the management and it has no link.
- The port is in autonegotiation mode.
- The port is in HDX mode.

8.6 Network Load and Event Counter at Port Level
8.6.1 Network Load
The network load indicates what percentage of the actual data transmission rate available in your network is currently being used. You can use the network load as a simple indicator for the dimensioning of your network. If the average network load is very high
access from the external network. To do this, you create a 1:1 NAT entry for the devices in the internal network and also an inverse 1:1 NAT entry for the devices in the external network.

7.2.3 Port Forwarding
You use port forwarding when you want to hide the internal network structure from the outside but want to allow a communication connection to be set up from the outside in. With port forwarding, one or more external devices set up a communication connection to the internal network. In doing so, an external device addresses data packets to a specific port at the external IP address of the Firewall. Data packets with a permitted source IP address that the Firewall receives at this port are forwarded by the Firewall to the port of the internal device entered in the NAT table, hence the name "Port Forwarding". As a dedicated destination is addressed in this case, this procedure is also known as Destination NAT. By converting the IP addresses and the port information using the incoming port addressing, devices can set up network communication connections to the inside from the external network.
Figure 38: Setting up a communication connection with Port Forwarding
A typical application in the industrial sector is port 5631 for the remote maintenance of a PC in a production cell.
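Table 9 summarizes the three NAT procedures by which side may initiate a connection. The following added example (not EAGLE code) models each procedure just far enough to make those properties checkable: masquerading drops any inbound packet that does not answer an existing outbound entry, 1:1 NAT translates in both directions (the same kind of static mapping that Hirschmann Address Mapping applies inside a VPN connection), and port forwarding admits an inbound connection to one internal host only from permitted sources and offers no outbound initiation at all. The 40000+ masquerading port range, the external address 10.0.2.1, the internal hosts and the permitted source network are constructed values.

```python
"""The three NAT procedures of Table 9 as a small, checkable model.

Added example, not EAGLE firmware. The masquerading port range, the sample
addresses and the permitted source network are constructed.
"""
import ipaddress


class Masquerading:
    """Hides the internal network behind the external address. Connections can
    only be initiated from inside; an inbound packet with no matching entry is dropped."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}   # external port -> (int_ip, int_port, remote_ip, remote_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (src_ip, src_port, dst_ip, dst_port)
        return self.external_ip, ext_port, dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_port):
        entry = self.table.get(dst_port)
        if entry is None or (src_ip, src_port) != entry[2:]:
            return None                      # unsolicited or spoofed reply: drop
        return src_ip, src_port, entry[0], entry[1]


class OneToOneNat:
    """Static bidirectional mapping; either side may initiate. An 'inverse' entry
    is simply the same pair read from the external side."""

    def __init__(self, pairs):
        self.int_to_ext = dict(pairs)
        self.ext_to_int = {ext: internal for internal, ext in pairs}

    def outbound(self, internal_ip):
        return self.int_to_ext.get(internal_ip)

    def inbound(self, external_ip):
        return self.ext_to_int.get(external_ip)


class PortForwarding:
    """Destination NAT: traffic to <external_ip>:<port> goes to one internal host,
    only from permitted sources. Nothing is initiated from inside through it."""

    def __init__(self, external_ip, entries):
        # entries: {(proto, ext_port): (int_ip, int_port, permitted_src_cidr)}
        self.external_ip = external_ip
        self.entries = {key: (ip, port, ipaddress.ip_network(src))
                        for key, (ip, port, src) in entries.items()}

    def inbound(self, proto, src_ip, dst_ip, dst_port):
        if dst_ip != self.external_ip:
            return None
        entry = self.entries.get((proto, dst_port))
        if entry is None or ipaddress.ip_address(src_ip) not in entry[2]:
            return None                      # wrong port, protocol or source: drop
        return entry[0], entry[1]


if __name__ == "__main__":
    masq = Masquerading("10.0.2.1")
    print(masq.outbound("10.0.1.5", 5000, "10.0.2.17", 80))
    print(masq.inbound("10.0.2.17", 80, 40000), masq.inbound("10.0.2.99", 80, 40000))
    nat = OneToOneNat([("10.0.1.5", "10.0.2.105")])
    print(nat.outbound("10.0.1.5"), nat.inbound("10.0.2.105"))
    pf = PortForwarding("10.0.2.1", {("tcp", 5631): ("10.0.1.20", 5631, "10.0.2.0/24")})
    print(pf.inbound("tcp", "10.0.2.50", "10.0.2.1", 5631), pf.inbound("tcp", "192.168.9.9", "10.0.2.1", 5631))
```

The permitted-source check in PortForwarding is the part worth mirroring on the device: the manual's phrase "data packets with a permitted source IP address" is the only thing standing between the forwarded port and every host on the external network.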
addresses which are permitted access via SSH.
- Click on Create Entry.
- In the Port cell of the new entry in the table, select "int".
- Double-click in the Source IP (CIDR) cell and enter the source address, e.g. 10.0.1.17. If this is the only active entry in this table, then only the PC with this IP address can access the device via this protocol.
- Click on the Active field of this entry to activate the entry.
- Click Set to temporarily save the entry in the configuration.
Note: The device allows you to use SFTP to access device files such as configuration files or the ACA, or to load a firmware update or VPN certificates onto the device. To do this, use an SFTP client such as WinSCP. For the SFTP access you must have SSH access to the device.
Figure 29: SSH Access dialog (SSH Server: active; SSH Port; DSA Fingerprint; RSA Fingerprint, e.g. 31 fc 96 34 cc 4f 1a eb 80 69 ee 10 f8 35 78 5e; Set, Reload, Create entry, Delete entry)

6.2 CLI Access
Configure the automatic logout:
- Select the Logout dialog.
- In the SSH connection frame, in the "After [min]" line, enter the number of minutes of inactivity after which the device automatically terminates the SSH connection.
- In the "Automatic" line in the Command Line Interface frame, click On.
- In the "After [min]" line, ent
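The RSA fingerprint in the SSH Access dialog is what lets you confirm, on the first connection, that the host key your SSH client is about to trust belongs to this device and not to something in between. The dialog shows the fingerprint as 16 space-separated hex bytes, which is the MD5 fingerprint format; current OpenSSH prints SHA256 by default, so compare with `ssh -o FingerprintHash=md5 ...` or convert as below. The following is an added example, not Hirschmann code: it encodes an ssh-rsa public key the way OpenSSH hashes it (RFC 4253), computes both fingerprint forms, normalizes the dialog's spacing, and checks a recorded known_hosts entry against the displayed value. The RSA modulus is a constructed toy value, not a real device key.

```python
"""Check the host key fingerprint shown in the SSH Access dialog against the key your client sees.

Added example, not device code. The RSA modulus below is a constructed toy value.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    # RFC 4251 mpint: big endian, with a leading 0x00 when the high bit is set
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def rsa_public_blob(e, n):
    """RFC 4253 wire encoding of an ssh-rsa public key; this is what gets hashed."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob):
    """Dialog / old OpenSSH style: 16 hex bytes, colon separated."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Current OpenSSH default: 'SHA256:' plus unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def normalize_md5(text):
    """Accept '31 fc 96 ...', '31:fc:96:...' or 'MD5:31:fc:...'; return the colon form."""
    digits = text.strip().lower()
    if digits.startswith("md5:"):
        digits = digits[4:]
    digits = digits.replace(":", "").replace(" ", "")
    if len(digits) != 32 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not an MD5 fingerprint: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(line):
    """Plain (unhashed) known_hosts line: '<host> <type> <base64 blob> [comment]'."""
    host, keytype, b64 = line.split()[:3]
    return host, keytype, base64.b64decode(b64)


def matches_dialog(known_hosts_line, dialog_fingerprint):
    """True when the key the client recorded hashes to the fingerprint the device displays."""
    _, _, blob = parse_known_hosts(known_hosts_line)
    return md5_fingerprint(blob) == normalize_md5(dialog_fingerprint)


# Constructed toy key: e = 65537 and a short odd modulus. Real keys are 2048 bits or more.
TOY_BLOB = rsa_public_blob(65537, 0xC3D1F2A7B4E8091D6F35A2C4B7D9E1F3A5C7E9B1D3F5A7C9E1B3D5F7A9CBEDF1)
KNOWN_HOSTS_LINE = "10.0.1.201 ssh-rsa " + base64.b64encode(TOY_BLOB).decode()

if __name__ == "__main__":
    print(md5_fingerprint(TOY_BLOB))
    print(sha256_fingerprint(TOY_BLOB))
    print(matches_dialog(KNOWN_HOSTS_LINE, md5_fingerprint(TOY_BLOB).replace(":", " ")))
```

Read the fingerprint from the dialog over the internal interface (or the serial console) before the first SSH connection, and treat a later mismatch as a reason to stop, not to edit known_hosts.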
Management Information Base (MIB) is designed in the form of an abstract tree structure. The branching points are the object classes. The leaves of the MIB are called generic object classes. If this is required for unique identification, the generic object classes are instantiated, i.e. the abstract structure is mapped onto reality by specifying the port or the source address. Values (integers, time ticks, counters or octet strings) are assigned to these instances; these values can be read and, in some cases, modified. The object description, or object ID (OID), identifies the object class. The subidentifier (SID) is used to instantiate it.
Example: The generic object class hmPSState (OID = 1.3.6.1.4.1.248.14.1.2.1.3) is the description of the abstract information "power supply status". However, it is not possible to read any information from this, as the system does not know which power supply is meant. Specifying the subidentifier 2 maps this abstract information onto reality (instantiates it), thus indicating the operating status of power supply 2. A value is assigned to this instance and can then be read. The instance get 1.3.6.1.4.1.248.14.1.2.1.3.2 returns the response 1, which means that the power supply is ready for operation.

B.2 Management Information Base (MIB)
The following abbreviations are used in the MIB:
  Comm   Group access rights
  con    Configuration
  D
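The hmPSState example shows the two halves of every instance OID: the object class (a prefix found in the MIB) and the subidentifier that names the instance. A manager resolves an OID from a GET response the same way, by longest-prefix match against the classes it knows, and reading the bare class OID without a subidentifier yields no value. The following added example, not from Hirschmann's MIB files, implements that resolution over a three-entry table: hmPSState and the meaning of value 1 are taken from the text above, while sysDescr and ifOperStatus are standard MIB-II objects added for contrast. Other hmPSState values are reported as undocumented rather than guessed.

```python
"""Resolve instance OIDs against a small MIB table (added example, not Hirschmann MIB code).

hmPSState and the meaning of its value 1 come from the manual; sysDescr and
ifOperStatus are standard MIB-II objects. Undocumented values are not guessed.
"""

MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1): ("sysDescr", {}),
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8): ("ifOperStatus", {1: "up", 2: "down", 3: "testing"}),
    (1, 3, 6, 1, 4, 1, 248, 14, 1, 2, 1, 3): ("hmPSState", {1: "ready for operation"}),
}


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(parts):
    return ".".join(str(p) for p in parts)


def resolve(oid_text):
    """Longest-prefix match: (object name, subidentifier tuple), or None if unknown."""
    oid = parse_oid(oid_text)
    best = None
    for class_oid, (name, _) in MIB.items():
        if oid[:len(class_oid)] == class_oid and (best is None or len(class_oid) > len(best[0])):
            best = (class_oid, name)
    if best is None:
        return None
    return best[1], oid[len(best[0]):]


def instantiate(class_oid_text, *subids):
    """Append subidentifiers to a class OID, e.g. hmPSState + 2 -> power supply 2."""
    return format_oid(parse_oid(class_oid_text) + tuple(subids))


def interpret(name, value):
    """Map an integer response to its documented meaning; never invent one."""
    for _, (n, enum) in MIB.items():
        if n == name:
            return enum.get(value, f"value {value} (not documented here)")
    raise KeyError(name)


def describe_get_response(instance_oid_text, value):
    """What a manager does with a GET response: name the object, instance and value."""
    resolved = resolve(instance_oid_text)
    if resolved is None:
        return f"{instance_oid_text} = {value} (unknown object)"
    name, sub = resolved
    if not sub:
        return f"{name} without subidentifier: class OID, no instance to read"
    return f"{name}.{format_oid(sub)} = {value} ({interpret(name, value)})"


if __name__ == "__main__":
    oid = instantiate("1.3.6.1.4.1.248.14.1.2.1.3", 2)
    print(oid)
    print(describe_get_response(oid, 1))
    print(describe_get_response("1.3.6.1.2.1.2.2.1.8.2", 2))
```

Because the Web-based interface itself speaks SNMP to the device (see 2.3), the same OIDs are reachable from any host the packet filter lets through to the internal interface; keep that reachability as narrow as the SSH access table above.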
Hirschmann Address Mapping
Hirschmann Address Mapping allows you to establish an unlimited number of networks with identical IP address ranges which are connected via VPN with a public network and are clearly distinguishable from the public network. The identical address ranges of the individual networks simplify the porting of their configuration. Their distinguishability from the common network facilitates unambiguous administration. Hirschmann Address Mapping can be used to centrally administer several production cells.
The Firewall with Hirschmann Address Mapping allows you to replace the internal IP addresses with externally valid and distinct IP addresses for the VPN connection. Hirschmann Address Mapping works like a 1:1 NAT router integrated in the VPN connection. The Firewall provides outgoing data packets from a definable address range with a new return address; the Firewall thus maps the internal return address to a valid external address. The Firewall automatically supplies incoming data packets with the valid internal destination address. This assignment is reversibly unique.
Figure 48: Addressing several identical subnetworks from a public network (Hirschmann Address Mapping); transfer network 10.0.2.0/24
The following is known:
state of delivery: Transparent Mode.

  network router proto int none
    Deactivate DHCP on the internal router interface (state on delivery: disabled).
  network router param int ip address 172.17.1.100
    Allocate the IP address 172.17.1.100 to the internal router interface.
  network router param int netmask 255.255.255.0
    Allocate the netmask 255.255.255.0 to the internal router interface.
  copy config running-config nv
    Save the current configuration to the non-volatile memory.

After entering the IP parameters, you can easily configure the device via the Web-based interface (see the Web-based Interface reference manual).

External Interface
- If DHCP is switched on, switch it off (state on delivery: DHCP is switched off).
- Enter the IP parameters:
  External IP Address: On delivery the device has the local IP address 10.0.0.10.
  Netmask: If your network has been divided up into subnetworks and if these are identified with a netmask, then the netmask is to be entered here. The default setting of the netmask is 255.255.255.0.
  IP address of the gateway: This entry is required if the device and the management station or the DHCP server are located in different subnetworks (see "Example of how the network mask is used" on page 39). Enter the IP address of the gateway that connects the local subnet with the management station's subnet. The default setting of the IP address is 0.0.0.0.
- Save the configuration entered with copy confi
Note: When using multiple redundant routers in your network, make sure the VRIDs used are unique. You thus prevent virtual router applications that use VRRP from having a negative influence on each other.
Figure 21: Router Redundancy application example (company network; virtual router; production cell with IP 10.0.1.121 and IP 10.0.1.124, each using GW 10.0.1.200)

First you configure firewall number 1. Enter the parameters for the Router Redundancy and activate the function:
- Select the dialog Redundancy:Router.
- Select the tab page Basic Settings.
- In the Function line in the Configuration frame, click On to activate the function.
- Enter the parameters in accordance with the above table.
- Click Set to temporarily save the entry in the configuration.
Save the settings in the non-volatile memory:
- Select the dialog Basic Settings:Load/Save.
- Click on Save to NVM + ACA to permanently save the configuration in the active configuration.
Now you configure firewall number 2:
- Enter the parameters for the Router Redundancy and activate the function.
- Save the settings in the non-volatile memory.
another subnetwork. Increasing sales require the doubling of the production capacity in the previous example. For this reason the company management decides to set up a second production hall. As the administrator has found another EAGLE (version 4.2) in stock, he wants to use this now.
The following is known:
  Parameter                                        Firewall Number 1   Firewall Number 3
  IP address of internal port                      10.0.1.201          10.0.4.201
  IP address of external port                      10.0.2.1            10.0.2.4
  Pre-shared key                                   456789defghi        456789defghi
  Start IKE mode as                                Initiator           Responder
  IP parameters of the networks to be connected    10.0.1.0/24         10.0.4.0/24
Prerequisites for further configuration:
- The EAGLE version 4.2 is also in router mode.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
Figure 46: Connecting two identical subnetworks with another subnetwork via a transfer network (transfer network 10.0.2.0/24)

On EAGLE No. 1 you create a new VPN connection to EAGLE No. 3 (version 4.2):
- Select the dialog Virtual Private Network:Connections.
- Click on Create Entry. In the Basic Settings tab page, the dialog for editing the entries gives you the option to give t
connection via a DSL port. As his DSL connection does not have a fixed IP address, he uses DynDNS to determine his IP address. Increased security requirements make it a good idea to use X.509 key information.
  Parameter                                        Firewall Number 5   Firewall Number 6
  IP address of internal port                      10.0.1.202          10.0.3.202
  IP address of external port                      10.149.112.92       DynDNS
  Key information                                  PKCS#12 file        PKCS#12 file
  Start IKE mode as                                Initiator           Responder
  IP parameters of the networks to be connected    10.0.1.0/24         10.0.5.25/32
Prerequisites for further configuration:
- Both Firewalls are in PPPoE mode.
- The logon data for the DS provider is configured.
- The IP parameters of the internal interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
- You have an account at www.DynDNS.org.
- The PKCS#12 files (machine certificates with the key information) are provided by the same certification authority.
Figure 49: Connecting a PC with a subnetwork via a public network (Firewall 5, Firewall 6, PC 10.0.5.25/32)

Configure the DynDNS client on EAGLE No. 6. To configure the DynDNS you require:
- the name of the DynDNS server. At DynDNS.org, the host name of the HTTP server for the DynDNS service is members.dyndns.org;
- the user name from the logon at DynDNS.org, e.g. hugo;
- the password from the logon at DynDNS.org, e.g. oguh.
169. ...tivate a connection remotely

In the command for activating/deactivating remotely, you enter the name of the connection as a parameter. The command is:

https://vpn-user:passwort@host/nph-vpn.cgi?name=verbindung&cmd=up|down

Example: https://vpn:helen25miller@10.0.2.1/nph-vpn.cgi?name=Fertigungssteuerung Produktionshalle&cmd=up

Depending on your browser, you can alternatively select the syntax without vpn-user:passwort@ and enter the VPN user with the password in the dialog.

- Enter the authentication parameters.
- Select the Authentication tab page.
- In the Key Information frame you enter:
  Method: psk
  Pre-shared key: e.g. 123456abcdef
- In the Identities frame you enter:
  Local type: ipaddr. With this you specify that the entry in Local ID is an IP address.
  Local ID: e.g. 10.0.2.1. Value for identification within the authentication on the opposite side.
  Remote type: ipaddr. With this you specify that the remote IP address is part of the identification.
  Remote ID: e.g. 10.0.2.2
- Enter the IKE key exchange parameters.
- Select the IKE Key Exchange tab page.
- In the Mode frame you enter:
  Protocol: auto. With this the Firewall selects the protocol version automatically, depending on the VPN remote terminal.
  Startup as: initiator. With this, this...
170. ...tivate the HiDiscovery protocol if you want to transfer an IP address to the device from your PC with the enclosed HiDiscovery software (setting on delivery: active).
- Save IP configuration: save the settings so that you will still have the entries after a restart (see page 66, Editing and managing Configurations).

3.6.2 IP configuration in Router Mode

In Router Mode the device requires the IP parameters to be entered on the internal and external interfaces.
- In the Protocol frame you enter where the device is to obtain its IP parameters. Select DHCP if the configuration is to be performed by a DHCP server on the basis of the MAC address or the name of the device (see page 55, System Configuration via DHCP). If DHCP is not selected, the device uses the network parameters in its local memory.
- Select Use VLAN Tag if you want the device to evaluate the VLAN tag of the data packets received. When this function is active, the device drops all data packets received whose VLAN tag contains a VLAN ID different to the one entered in this dialog.
- The VLAN ID line enables you to allocate a VLAN to the interface.

Entering local IP parameters:
- Enter the IP address of the device in the IP Address field.
- Enter the netmask in the Netmask field.
- In the Gateway IP Address fie...
171. ...u thus add a new entry to the table.
- Enter the filter data for free access for PC:
  Description: free access for PC
  Source address (CIDR): 10.0.2.17/32
  Source Port: any
  Destination address (CIDR): 10.0.1.5/32
  Destination port: any
  Protocol: any
  Action: accept
  Log: disable
- Click on the Active field of this entry to activate the entry.
- Click Set to temporarily save the entry in the configuration.

The device allows you to selectively check incoming IP packets for specific ICMP traffic criteria. To activate this function for an existing or new packet filter, you proceed as follows:
- Select the dialog Network Security: Packet Filter: Incoming IP Packets.
- As required, add a new entry to the table and enter the filter data as described in the previous table (see chapter Application Example for Packet Filter).
- In the Protocol selection field choose the entry icmp.
- In the Source port input field enter the ICMP type and code, e.g. "type 3 code 1" means Destination Unreachable (ICMP type 3), Host Unreachable (ICMP code 1). The values behind type and code are 1 to 3 digit decimal values. Entering an ICMP code is optional. You will find the possible values for the ICMP types and codes in the ICMP types and codes table in the Web-based Interface (Indust...
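As an added example (not code from the EAGLE manual or from Hirschmann), the following models how incoming-IP-packet filter entries of the kind configured above can be evaluated, including the ICMP case where the Source port field carries "type <t> code <c>" with an optional code. The packet dict layout, top-down evaluation with first active match winning, and a default drop for unmatched packets are assumptions of this example.

```python
"""Added example, not from the EAGLE manual: evaluating incoming-IP-packet
filter entries, including the ICMP special case of the Source port field."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass
class Rule:
    description: str
    source: str            # Source address (CIDR), e.g. "10.0.2.17/32"
    source_port: str       # "any", a port number, or for icmp "type 3 code 1"
    destination: str       # Destination address (CIDR)
    destination_port: str  # "any" or a port number
    protocol: str          # "any", "tcp", "udp" or "icmp"
    action: str            # "accept", "drop" or "reject"
    active: bool = True


# "type 3 code 1" as written in the manual; type and code are 1-3 digit decimals
_ICMP_FIELD = re.compile(r"^type\s+(\d{1,3})(?:\s+code\s+(\d{1,3}))?$")


def parse_icmp_field(field):
    """Return (icmp_type, icmp_code); icmp_code is None when it was not entered."""
    m = _ICMP_FIELD.match(field.strip().lower())
    if m is None:
        raise ValueError(f"not an ICMP type/code field: {field!r}")
    code = int(m.group(2)) if m.group(2) is not None else None
    return int(m.group(1)), code


def _port_matches(field, port):
    return field == "any" or (port is not None and int(field) == port)


def rule_matches(rule, pkt):
    """True when every field of an active rule matches the packet (assumed layout)."""
    if not rule.active:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule.source, strict=False):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule.destination, strict=False):
        return False
    if rule.protocol != "any" and rule.protocol != pkt["proto"]:
        return False
    if rule.protocol == "icmp":
        # For icmp the Source port field holds the ICMP type and optional code
        want_type, want_code = parse_icmp_field(rule.source_port)
        if pkt.get("icmp_type") != want_type:
            return False
        return want_code is None or pkt.get("icmp_code") == want_code
    return (_port_matches(rule.source_port, pkt.get("sport"))
            and _port_matches(rule.destination_port, pkt.get("dport")))


def filter_decision(rules, pkt, default="drop"):
    """Top-down evaluation: (action, description) of the first matching rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description
    return default, "default policy"


# Constructed rule table: the "free access for PC" entry from the text plus an
# ICMP entry that only admits Destination Unreachable / Host Unreachable.
RULES = [
    Rule("free access for PC", "10.0.2.17/32", "any", "10.0.1.5/32", "any", "any", "accept"),
    Rule("host unreachable to cell", "10.0.2.0/24", "type 3 code 1", "10.0.1.0/24",
         "any", "icmp", "accept"),
]

if __name__ == "__main__":
    pc_to_plc = {"src": "10.0.2.17", "dst": "10.0.1.5", "proto": "tcp", "sport": 40000, "dport": 502}
    print(filter_decision(RULES, pc_to_plc))  # ('accept', 'free access for PC')
```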
172. ...undancy

5.2 Router Redundancy
5.2.2 Application Example for the Router Redundancy

You use Router Redundancy when you are operating the Firewall in Router mode. For availability reasons you have connected a production cell that continuously requires current production data to the company network via a substitute line with a substitute Firewall.

The following is known:

| Parameter | Firewall 1 | Firewall 2 |
|---|---|---|
| Priority | 100 | 90 |
| Internal IP Address | 10.0.1.201/24 | 10.0.1.202/24 |
| Virtual IP Address (VR IP) of the internal interface | 10.0.1.200/24 | 10.0.1.200/24 |
| Virtual Router ID (VRID) of the internal interface | 1 | 1 |
| Redundancy Partner IP Address, internal interface | 10.0.1.202/24 | 10.0.1.201/24 |
| External IP Address | 10.0.2.201/24 | 10.0.2.202/24 |
| Virtual IP Address (VR IP) of the external interface | 10.0.2.200/24 | 10.0.2.200/24 |
| Virtual Router ID (VRID) of the external interface | 2 | 2 |
| Redundancy Partner IP Address, external interface | 10.0.2.202/24 | 10.0.2.201/24 |

Prerequisites for further configuration:
- The Firewall is in router mode.
- The IP parameters in Router mode are configured.
- The devices in the internal network (production cell) have the VR IP address of the internal interface as their gateway.
- The devices in the external network (company network) have the VR IP address of the external interface as their gateway.
173. ...up a management information schema and object definition for saving information of neighboring devices with active LLDP. A central element of the connection information is the exact, unique ID of a connection point (MSAP, MAC Service Access Point). This is made up of a device ID unique within the network and a port ID unique for this device.

Content of the connection and management information:
- Chassis ID (its MAC address)
- Port ID (its port MAC address)
- Description of the port
- System Name
- System description
- Supported system capabilities
- Currently activated system capabilities
- Interface ID of the management address
- Port VLAN ID of the port
- Status of the autonegotiation at the port
- Medium, half and full duplex settings and speed setting of the port
- Information about whether a redundancy protocol is switched on at the port, and which one (for example RSTP, HIPER Ring, Fast HIPER Ring, MRP, Ring Coupling)
- Information about the VLANs which are set up in the switch (VLAN ID and VLAN name, regardless of whether the port is a VLAN member)

A network management station can call up this information from a device with LLDP activated. This information enables the network management station to map the topology of the network. To exchange information, LLDP uses an IEEE MAC address which devices do not usually send. For this reason, devices without LL...
174. ...ur opinion of this manual

We are always striving to provide as comprehensive a description of our product as possible, as well as important information that will ensure trouble-free operation. Your comments and suggestions help us to further improve the quality of our documentation.

Your assessment of this manual (Very good / Good / Satisfactory / Mediocre / Poor):
- Precise description
- Readability
- Understandability
- Examples
- Structure
- Completeness
- Graphics
- Drawings
- Tables

Did you discover any errors in this manual? If so, on what page?

Suggestions for improvement and additional information:

General comments:

Sender: Company, Department, Name, Telephone number, Street, Zip code, City, E-mail, Date, Signature

Dear User, please fill out and return this page as a fax to the number +49 (0)7127 14-1600 or by mail to Hirschmann Automation and Control GmbH, Department AED, Stuttgarter Str. 45-51, 72654 Neckartenzlingen.

Index (excerpt): 1 to 1 NAT; ACA; ACA 21-USB; APNIC; ARIN; ARP; Accept SNTP Broadcasts; Access rights; Accessibility; Address templates; Administration login type; Alarm; Alarm messages; Authentication; AutoConfiguration Adapter; Automatic configuration; Automatic logout; B...
175. ...uration
- The VPN parameters are configured on all 3 devices.
- The IP parameters of the Firewall router interface are configured.
- The devices in the internal network have the IP address of the internal interface (port 1) of the respective Firewall as their gateway.
- All Firewalls run software version 4.4 or higher.

(figure labels: FW 1 to FW 2, FW 1 to FW 3)

- Create the routing for Firewall 2 on Firewall 1:
  - Select the dialog Virtual Private Network: Connections.
  - Select the connection with the name "Production control production hall 1" and click on Edit.
  - Select the IP Networks tab page. The device shows an empty table.
  - Click on Create entry to create a new line. In the 1st line enter:
    Source address (CIDR): 10.0.1.0/24
    Destination address (CIDR): 10.0.3.0/24
    Description: FW 1 to FW 2
  - Click on Create entry to create a new line. In the 2nd line enter:
    Source address (CIDR): 10.0.4.0/24
    Destination address (CIDR): 10.0.3.0/24
    Description: FW 3 to FW 2
  - Click on Write to temporarily save the data.
  - Click on Back to return to the Virtual Private Network: Connections dialog.
- Create the routing for Firewall 3 on Firewall 1:
  - Select the connection with the name "Production control production hall 2" and click on Edit...
176. ...use for the various applications.
  Key Agreement: modp1024
  Hash: e.g. md5
  Integrity: hmacsha1
  Encryption: aes128
- In the Peers/Endpoints frame you enter:
  Local IP Address: 10.0.2.1
  Remote IP Address: 10.0.2.2
  In the current example the external ports of the two Firewalls are the endpoints of the VPN connection.
- Enter the IPsec data exchange parameters.
- Select the IKE Key Exchange tab page.
- In the Mode frame you enter:
  Encapsulation: tunnel. With this the Firewall encrypts the entire data packet, including the IP addresses of the communication partners.
  Force NAT-T: No
  Lifetime: 3600
- In the Algorithms frame you enter:
  Key Agreement: modp1024
  Integrity: hmacsha1
  Encryption: aes128
- Enter the parameters for the IP networks whose data is to be transmitted via the VPN connection.
- Select the IP Networks tab page.
- Click on Create entry.
- After you double-click on a cell of the entry, you can edit the cell:
  Source address: 10.0.1.0/24
  Source port: any
  Destination address: 10.0.3.0/24
  Destination port: any
  Protocol: any
  Description: Free data traffic between the two networks Production Control and Production Hall
  Active: On
- Click Set to temporarily save the entry in the configuration.
- Acti...
177. ...vate the connection.
- Click on Back to return to the connection overview.
- Select Active in the entry for the connection to activate the connection.
- Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory:
- Select the dialog Basic Settings: Load/Save.
- Click on Save to NVM + ACA to permanently save the configuration in the active configuration.
- On EAGLE No. 3 (version 4.2) you create a new VPN connection to EAGLE No. 1.
- Select the dialog IPsec VPN: Connections.
- Give the connection a name, e.g. Production Control Production Hall number 2.
- Click on Edit.
- Enter the VPN connection parameters.
- Select the General tab page.
- In the Options frame you enter:
  Active: Yes
  Address of the VPN gateway of the remote terminal: 10.0.2.1
  Connection Initialization: Wait
- In the Tunnel Settings frame you enter:
  Connection Type: Tunnel
  Local Network: 10.0.4.0/24, 1 to 1 NAT: No
  Opposite Network: 10.0.4.0/24, 1 to 1 NAT: No
- Enter the authentication parameters.
- Select the Authentication tab page.
- In the Authentication frame you enter: Authenticatio...
178. ...vice. This Java application communicates with the device via SNMPv3. Applications use the standard port 161 for an SNMP connection. The device allows you to use a different port.
- Activate/deactivate
- Selection of the HTTPS port: To access the Web-based interface, your browser sets up an HTTPS connection to the device. Applications use the standard port 443 for an HTTPS connection. The device allows you to use a different port.
- Restrictions for IP addresses permitted access for each port: In the state on delivery you can access the device with every IP address via the internal port. The device allows you to specify for each port from which IP address the device allows or denies access.
- Automatic logout after inactivity

6.1.2 Configuring the Web-based Interface Access

To optimize the access protection, use all the options the device provides you with. The figure shows a typical example for accessing the internal port of the Firewall. The following table contains examples of all the parameters for the subsequent configuration example.

| Parameter | Value |
|---|---|
| Read password | Heinrich5 |
| Write/read password | Ludwig14 |
| SNMP port | 9223 |
| SNMP source address of internal port | 10.0.1.17/24 |
| Web server active | Yes |
| HTTPS port | 9027 |
| HTTPS source address of internal port | 10.0.1.17/24 |

Figure 22: Application example of Web... (figure labels: 10.0.1.17, 10.0.1.201)
179. ...vices in the internal network have the IP address of the internal interface (port 1) of the Firewall as their gateway.
- The IP parameters of the configuration computer and the router in the company network are configured.

Special features of the learn mode

In the learn mode the device only learns the traffic that is not covered by the current rules. This is the traffic for which you have configured neither specific discard rules (drop, reject) nor accept rules (accept). Thus during the learning phase the device ignores the traffic for which you have already configured explicit drop or accept rules. The assistant for the firewall learn mode only creates accept rules. During operation, the stateful Firewall permits the traffic that it has captured with an accept rule for this communication relationship afterwards.

Opening the assistant for the firewall learn mode
- Select the dialog Network Security: Packet Filters: Firewall Learn Mode.
- In the Operation frame click On.
- To activate the assistant for the firewall learn mode, click on Write. The Web-based interface informs you that the firewall learn mode has started and it asks you whether you want to save the current configuration of the device.
- Click on Yes. The Web-based interface asks you to enter a file name. The default file name has the format nnnnnnnnnnnnn_befo...
180. ...ws an empty table.
  - Click on Create entry to create a new line. In the 1st line enter:
    Source address (CIDR): 10.0.1.0/24
    Destination address (CIDR): 10.0.5.0/24 (mapped network)
    Description: FW 1 to FW 3
  - Click on Write to temporarily save the data.
  - Click on Back to return to the Virtual Private Network: Connections dialog.
- Save your settings:
  - Click on Write to temporarily save the data.
  - Select the dialog Basic Settings: Load/Save to save the example configuration permanently.
  - Click on Save to NVM + ACA to temporarily save the data in the non-volatile memory.
- Create the address mapping for the Firewall 2:
  - Select the dialog Virtual Private Network: Connections.
  - Select the connection with the name "Production control production hall 1" and click on Edit.
  - Select the IP Networks tab page. The device shows an empty table.
  - Click on Create entry to create a new line. In the 1st line enter:
    Source address (CIDR): 10.0.3.0/24
    Source address (CIDR): 10.0.1.0/24
    Mapping source address (CIDR): 10.0.4.0/24
    Description: FW 2 to FW 1
  - Click on Write to temporarily save the data.
  - Click on Back to return to the Virtual Private Network: Connections dialog.
  - Click on Write to temporarily save the data.
  - Select the dialog Basi...
181. ...xternal networks for a limited time and defined by additional rules, so that he can, for example, download a software update from a server to maintain a robot. Parameter for the application example for the user firewall function: see page 160.

| Parameter | Value |
|---|---|
| Account Name | Service |
| Authentication List | userFirewallLoginDefaultList |

Figure 31: Application example for external authentication (figure label: RADIUS Server)

Authentication procedure:
- The user logs in to the device in the login window of the Web-based interface under the user firewall login type with a user name and password.
- The device checks whether there is an entry under External Authentication: User Firewall Accounts for this user with this password.
  - If there is an entry and if this entry is active, the device uses the authentication method in accordance with the authentication list for this entry.
  - If there is no entry and if an authentication list is entered in Authentication list for unknown users, the device uses the authentication method in accordance with the authentication list for this entry.
  - If there is no entry and if there is no authentication list entered in Authentication list for unknown users, the device denies the authentication.
- If one of the authentication methods on the authentication lists leads to authentication, th...
182. ...y. You thus add a new entry to the table.
- Enter the parameters for converting the IP addresses:
  Description: Production hall 1
  Internal network: 10.0.1.193
  External network: 10.0.2.1
  Netmask: 28
- Click on the Active field of this entry to activate the entry.
- Click Set to temporarily save the entry in the configuration.
- Save the settings in the non-volatile memory:
- Select the dialog Basic Settings: Load/Save.
- Click on Save to NVM + ACA to permanently save the configuration in the active configuration.
- Configure firewall number 2 in the same way. Use the values for firewall number 2 from the table on the previous page.

Connecting 2 Devices via Double NAT

For test purposes you want to connect a work station in your company network with a robot in a production cell. As the test set-up requires the two devices to be logically located in the same network, you convert the IP addresses using the double NAT function.

The following is known:

Table 10: The IP addresses of the test devices

| Parameter | Robot | Work station |
|---|---|---|
| IP address in the production network (internal) | 10.0.1.194 | 10.0.1.195 (a) |
| IP address in the company network (external) | 10.0.2.194 | 10.0.2.195 |

(a) This IP address is created using NAT.

Prerequisites for further configuration: Th...
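As an added example (not code from the EAGLE manual or from Hirschmann), the following models the 1:1 NAT entry configured above (Internal network 10.0.1.193, External network 10.0.2.1, Netmask 28) and the double NAT set-up from Table 10. It assumes that an entry maps the block of Netmask bits containing the internal address onto the block containing the external address while keeping the host bits (so 10.0.1.193 <-> 10.0.2.1, 10.0.1.194 <-> 10.0.2.2, up to 10.0.1.207 <-> 10.0.2.15), and it models the double NAT case as two such entries with netmask 32; all class and function names are mine.

```python
"""Added example, not from the EAGLE manual: a model of 1:1 NAT entries
(internal block <-> external block, host bits preserved) and of double NAT."""
from ipaddress import IPv4Address, IPv4Network


class OneToOneNat:
    """One row of the 1:1 NAT table: internal block <-> external block."""

    def __init__(self, description, internal, external, netmask):
        self.description = description
        # strict=False keeps the block that contains the entered address
        self.internal_net = IPv4Network(f"{internal}/{netmask}", strict=False)
        self.external_net = IPv4Network(f"{external}/{netmask}", strict=False)
        self.host_mask = (1 << (32 - netmask)) - 1  # host bits are preserved

    def _map(self, addr, src_net, dst_net):
        ip = IPv4Address(addr)
        if ip not in src_net:
            return None  # this entry does not apply to the address
        host = int(ip) & self.host_mask
        return str(IPv4Address(int(dst_net.network_address) | host))

    def to_external(self, addr):
        return self._map(addr, self.internal_net, self.external_net)

    def to_internal(self, addr):
        return self._map(addr, self.external_net, self.internal_net)


def translate(entries, addr, inbound):
    """Apply the first matching entry; addresses without an entry pass unchanged."""
    for entry in entries:
        mapped = entry.to_internal(addr) if inbound else entry.to_external(addr)
        if mapped is not None:
            return mapped
    return addr


def translate_packet(entries, src, dst, inbound):
    """Rewrite both addresses of a packet; with one entry per device this is
    double NAT. inbound=True: the packet enters from the external (company) side."""
    return translate(entries, src, inbound), translate(entries, dst, inbound)


# Entry from the text: production hall 1 behind firewall number 1
HALL1 = OneToOneNat("Production hall 1", "10.0.1.193", "10.0.2.1", 28)

# Table 10 modelled as two host entries (constructed from the table values)
DOUBLE_NAT = [
    OneToOneNat("Robot", "10.0.1.194", "10.0.2.194", 32),
    OneToOneNat("Work station", "10.0.1.195", "10.0.2.195", 32),
]

if __name__ == "__main__":
    print(HALL1.to_external("10.0.1.193"))  # 10.0.2.1
    # The work station (10.0.2.195) addresses the robot under 10.0.2.194 ...
    print(translate_packet(DOUBLE_NAT, "10.0.2.195", "10.0.2.194", inbound=True))
    # ... and inside the production cell the packet reads 10.0.1.195 -> 10.0.1.194
```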
183. ...y

5.1 Transparent Redundancy
5.1.1 Description of the Transparent Redundancy function

In the Network Transparent mode the Firewall allows you to incorporate one Firewall each into the paths of two redundantly coupled networks (see the user manual for the redundancy configuration of your Hirschmann device that supports redundant coupling). If the main connection fails, the substitute Firewall completely takes over the tasks of the main Firewall.

Figure 18: Transparent Redundancy (figure label: STAND-BY)

5.1.2 Application Example for the Transparent Redundancy

You are using Transparent Redundancy in a flat network. For availability reasons you have connected a production cell that continuously requires current production data to the company network via redundant coupling. To make the production cell secure, you install a Firewall in every path to the company network.

The following is known:

| Parameter | Firewall 1 | Firewall 2 |
|---|---|---|
| Own IP Address | 10.0.0.201/16 | 10.0.0.202/16 |
| Redundancy Partner IP Address | 10.0.0.202/16 | 10.0.0.201/16 |

Prerequisites for further configuration:
- The Firewall is in transparent mode.
- The IP parameters in transparent mode are configured.

(figure labels: Redundancy Manager, Company network, external, Production cell)
184. ...ynDNS host name: gerhardsFW.dyndns.org

- On EAGLE No. 5 you create a new VPN connection to EAGLE No. 6.
- Select the dialog Virtual Private Network: Connections.
- Click on Create Entry. In the Basic Settings tab page the dialog for editing the entries gives you the option to give this connection any name you want.
- Give the connection a name, e.g. Home Production Hall number 3.
- Enter the authentication parameters.
- Select the Authentication tab page.
- In the Key Information frame you enter:
  Method: x509rsa
- In the Identities frame you enter:
  Local type: asn1dn. With this you specify that the local Firewall identifies itself with the Distinguished Name from the certificate.
  Remote type: asn1dn. With this you specify that the remote Firewall identifies itself with the Distinguished Name from the certificate.
- Enter the certificate parameters.
- Select the Certificates tab page.
- Click on Load PKCS#12 file from PC. The Copy from PC dialog enables you to select the PKCS#12 file, enter the password belonging to the certificate and load the PKCS#12 file onto the Firewall by clicking on Copy from PC. After loading the PKCS#12 file, you can see the individual certificate shares in the dialog.