Reference Manual
GUI Graphical User Interface Industrial Ethernet Firewall EAGLE One
RM GUI EAGLE One Release 5.3.0 09/2013
Technical Support: https://hirschmann-support.belden.eu.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone.
© 2013 Hirschmann Automation and Control GmbH Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end-user license agreement on the enclosed CD/DVD applies.
The performance features described here are binding only if they have been expressly agreed when the contract was made. This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated operating software. In addition, we refer to the conditions of use specified in the license contract.
You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).
Printed in Germany Hirschmann Automation and Control GmbH Stuttgarter Str. 45-51 72654 Neckartenzlingen Germany Tel.: +49 1805 141538 Rel. 5.3.0 09/2013 – 24.10.13
Contents
1.5.1 Configuration as a Terminal/CLI interface
1.5.2 Configuration as a Modem interface
1.6.2 Configuration in the non-volatile memory (NVM) 41
1.6.3 Configuration on the AutoConfiguration Adapter (ACA) 42
1.6.4 Saving and Loading a Configuration 43
1.6.5 Cancelling a configuration change
External Authentication
2.6.1 User Firewall Accounts
4.1.2 Firewall Learning Mode (FLM)
4.1.3 Incoming and outgoing IP packets
4.1.4 Incoming and outgoing MAC packets
NAT – Network Address Translation
4.2.1 General NAT settings
4.2.2 IP Masquerading
4.2.3 1:1 NAT
Helping protect against Denial of Service (DoS)
Signal contact
7.5.1 Function Monitoring
7.5.3 Device Status
7.5.4 Configuring Traps
Report
7.7.1 System Information
Maintenance
A.4.1 Service-Shell
Copyright of Integrated Software
A.5.1 Bouncy Castle Crypto APIs (Java)
A.5.2 Network Time Protocol Version 4 Distribution
About this Manual
The “GUI Graphical User Interface” reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device.
The “Installation” user manual contains a device description, safety instructions, a description of the display, and the other information that you need to install the device.
The “Configuration“ user manual contains the information you need to start operating the device. It takes you step by step from the first startup operation through to the basic settings for operation in your environment.
The Industrial HiVision Network Management Software provides you with additional options for smooth configuration and monitoring:
– Simultaneous configuration of multiple devices
– Graphical user interface with network layout
– Auto-topology discovery
– Event log
– Event handling
– Client/server structure
– Browser interface
– ActiveX control for SCADA integration
– SNMP/OPC gateway
Key
The designations used in this manual have the following meanings:
– List
– Work step
– Subheading
– Link: Cross-reference with link
– Note: A note emphasizes an important fact or draws your attention to a dependency.
– Courier: ASCII representation in the graphical user interface

Symbols used: WLAN access point, Router with firewall, Switch with firewall, Router, Switch, Bridge, Hub, A random computer, Configuration Computer, Server, PLC (Programmable logic controller), I/O Robot
Graphical User Interface
System requirements Use HiView to open the graphical user interface. This application offers you the possibility to use the graphical user interface without other applications such as a Web browser or an installed Java Runtime Environment (JRE).
Alternatively you have the option to open the graphical user interface in a Web browser, e.g. in Mozilla Firefox version 3.5 or higher or Microsoft Internet Explorer version 6 or higher. You need to install the Java Runtime Environment (JRE) in the most recently released version. You can find installation packages for your operating system at http://java.com.
Starting the graphical user interface
Before you start the graphical user interface, configure the IP parameters of the device correctly. The “Basic Configuration” user manual contains the detailed information you need to define the IP parameters.
Start the graphical user interface in HiView:
– Start HiView.
– In the URL field of the start window, enter the IP address of your device.
– Click "Open".
– HiView sets up the connection to the device and shows the login window.
Start the graphical user interface in the Web browser (this requires that Java is enabled in the security settings of your Web browser):
– Start your Web browser.
– Write the IP address of the device in the address field of the Web browser. Use the following form: https://xxx.xxx.xxx.xxx
– The Web browser sets up the connection to the device and shows the login window.
Figure 1: Login window
Select the desired language.
In the Login drop-down menu, select
– user to have read access to the device, or
– admin to have read/write access to the device.
The password “public”, with which you have read access, appears in the password field. If you wish to have write access to the device, then highlight the contents of the password field and overwrite it with the password “private” (default setting).
In the Login Type drop-down menu, select
– Administration if you want to manage the device, or
– User Firewall if you want to log in for the user firewall function (prerequisite: the user selected in the Login drop-down menu has already been created in the user firewall).
Click "OK".
The screen shows the graphical user interface of the device.
Note:
The changes you make in the dialogs will be copied to the volatile memory of the device (RAM) when you click “Set”. Click “Reload” to update the display. To save any changes made so that they will be retained after a power cycle or reboot of the device, use the save option in the "Load/Save" dialog (see on page 41 “Configuration in the non-volatile memory (NVM)”).
Figure 2: Graphical user interface of the device
Menu bar
The menu section displays the menu items. By placing the mouse pointer in the menu section and clicking the right mouse button, you can use “Back” to return to a menu item you selected previously, or “Forward” to jump forward again to a menu item you have already selected.
1 Basic Settings
The Basic Settings menu contains the dialogs, displays and tables for the basic configuration:
– System
– Network
– Software
– Port Configuration
– Serial Port
– Load/Save
– Restart
1.1 System
The “System” submenu in the basic settings menu is structured as follows:
– Device Status
– System Data
– Device View
– Reloading
Figure 3: “System” submenu
Device Status This section of the graphical user interface provides information on the device status and the alarm states the device has detected.
Figure 4: Device status and alarm display
1 – The symbol displays the device status
2 – Cause of the oldest existing alarm
3 – Start of the oldest existing alarm
System Data The fields in this frame show operating data and information on the location of the device.
– the system name,
– the location description,
– the name of the contact person for this device,
– the temperature threshold values.
Table 1: System Data

Name              Meaning
Name              System name of this device
Location          Location of this device
Contact           The contact for this device
Basic module      Hardware version of the device
Power Supply 1/2  Status of power units (P1/P2)
Temperature       Temperature of the device. Lower/upper temperature threshold values. If the temperature goes outside this range, the device generates an alarm.
Uptime            Time that has elapsed since this device was last restarted.
Device View The device view shows the device. Symbols on the ports represent the status of the individual ports.
Figure 5: Device View
Meaning of the symbols:
– The port (10, 100 Mbit/s) is enabled and the link has been established.
– The port is disabled by the management and it has a link.
– The port is disabled by the management and it has no link.
– The port is in autonegotiation mode.
– The port is in HDX mode.

Reloading
This area of the user interface (Web-based Interface) at the bottom left displays the countdown time until the applet requests the current data of this dialog again. Clicking the “Reload” button calls up the current dialog data immediately. The applet automatically calls up the current data of the device every 100 seconds.
Figure 6: Time to next Reload
1.2 Network
The “Network” submenu in the Basic Settings menu allows you to configure and select the network mode, and to create static routes:
– Global
– Transparent Mode
– Router Mode
– PPPoE Mode
– Routes
1.2.1 Global
With this dialog you can select the network mode and enter settings for forwarding packets.
Table 2: Global network configuration, mode and forwarding settings

Name                             Meaning
Mode                             Select the mode in which you want to operate the device: transparent for transparent mode, router for router mode, or pppoe for PPPoE mode. Default setting: transparent.
Forward IP fragments             Sets whether the device forwards IP fragments. Default setting: on.
Forward net-directed Broadcasts  Sets whether the device forwards net-directed Broadcasts. Default setting: off.
Send ICMP redirects              Specifies whether the device additionally sends an ICMP redirect packet when the device routes a received packet back into the same subnetwork at the receiving interface. Default setting: on.

Note:
You configure the details for the respective network modes in the dialogs for those modes.

Note:
The setting for “Forward IP fragments” is applied by the device in the Transparent, Router and PPPoE modes.
The settings for “Forward net-directed Broadcasts” and “Send ICMP redirects” are only applied by the device in the Router and PPPoE modes.
Note:
Before switching to another mode, verify that the device can still be accessed with the configuration of the other mode.
1.2.2 Transparent Mode
This dialog allows you to configure the transparent mode.
In transparent mode, the device behaves like a switch and transmits on layer 2 of the ISO/OSI layer model.
Table 3: Network: Protocol in transparent mode

Name      Meaning
Protocol  Activate/deactivate the DHCP protocol. Activate the DHCP protocol if the device is to get its IP parameters from a DHCP server on the basis of the MAC address or the name of the device.

Note:
An EAGLE One device only supports standard DHCP. Therefore, if you are using a Hirschmann DHCP server, deactivate the “Hirschmann Device” setting for the EAGLE One device in its pool entry.
Table 4: Network: Locally in transparent mode

Name             Meaning
IP Address       Enter the IP address via which you can access the device.
MAC Address      Display the MAC address.
Gateway Address  Enter the gateway address.
Netmask          Enter the netmask.
Use VLAN Tag     By selecting this you specify that the device evaluates the VLAN tag of the data packets that are addressed to the device (management). Thus the management of the device can only be accessed from the VLAN with the management VLAN ID.
VLAN ID          Define the VLAN ID (1-4,094) of the VLAN.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
Table 5: Network: HiDiscovery-Protocol in transparent mode

Name      Meaning
Function  Activate/deactivate the HiDiscovery protocol. The HiDiscovery protocol allows you to allocate an IP address to the device on the basis of its MAC address. Activate the HiDiscovery protocol if you want to allocate an IP address to the device from your PC with the supplied HiDiscovery software (default setting: "Operation" on, "Access" read-write).
Access    read-write: read and allocate IP addresses; read-only: read IP addresses
Table 6: Network: HiDiscovery-Relay in transparent mode

Name   Meaning
Relay  By selecting this you specify that the device forwards the HiDiscovery protocol (setting on delivery: deactivated).
Note:
The device displays the currently active network mode in the Network submenu.
Note:
The Advanced:Packet Forwarding dialog allows you to activate and deactivate the forwarding of RSTP, GMRP and DHCP data packets. Default setting: no forwarding of these packets.
Note:
The device offers the configuration with HiDiscovery exclusively in and for transparent mode. The transparent mode is activated in the as-delivered condition.
1.2.3 Router Mode
This dialog allows you to configure the router mode.
In the router mode, the device behaves like a router and transmits on layer 3 of the ISO/OSI layer model.

Internal Interface (Port 1)
Table 7: Network: Protocol in router mode at internal interface

Name      Meaning
Protocol  Activate/deactivate the DHCP protocol. Activate the DHCP protocol if the device is to get its IP parameters from a DHCP server on the basis of the MAC address or the name of the device.

Note:
An EAGLE One device only supports standard DHCP. Therefore, if you are using a Hirschmann DHCP server, deactivate the “Hirschmann Device” setting for the EAGLE One device in its pool entry.
Table 8: Network: Locally in router mode at internal interface

Name          Meaning
IP Address    Enter the IP address via which you can access the device.
Netmask       Enter the netmask.
Use VLAN Tag  When the function is switched on, the device accepts data packets with the VLAN ID entered in the field VLAN ID exclusively. The NAT functions are disabled.
VLAN ID       Define the VLAN ID (1-4,094) of the VLAN.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
External Interface (Port 2)
Table 9: Network: Protocol in router mode at external interface

Name      Meaning
Protocol  Activate/deactivate the DHCP protocol. Activate the DHCP protocol if the device is to get its IP parameters from a DHCP server on the basis of the MAC address or the name of the device.

Note:
An EAGLE One device only supports standard DHCP. Therefore, if you are using a Hirschmann DHCP server, deactivate the “Hirschmann Device” setting for the EAGLE One device in its pool entry.
Table 10: Network: Locally in router mode at external interface

Name             Meaning
IP Address       Enter the IP address via which you can access the device.
Netmask          Enter the netmask.
Use VLAN Tag     When the function is switched on, the device accepts data packets with the VLAN ID entered in the field VLAN ID exclusively. The NAT functions are disabled.
VLAN ID          Define the VLAN ID (1-4,094) of the VLAN.
Default Gateway  Define the standard gateway. Whether the subnetwork containing the gateway is assigned to the internal or the external interface is of no concern. The purpose of a gateway is to reach nodes outside the subnetworks that are assigned directly to an interface: the device sends packets whose destination address lies outside the subnetworks assigned to the interfaces to this gateway. The IP address of the gateway needs to be in one of the subnetworks which are assigned to an interface.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
Secondary IP Interfaces
This part of the dialog allows you to connect several subnetworks to a router interface (multinetting) and to create VLAN interfaces on a router interface. This allows you to route between VLANs.
– Click on “New...” to open a window for entering a new row in the table.
– Select “Internal Interface” or “External Interface”.
– After entering the IP address, the netmask, Use VLAN Tag and the VLAN ID, click on “Set” to transfer the entry into the table.
– Click on “Back” to return to the table.
– If additional entries in the table are required, you create these by clicking on “Create...”.
– In the “Active” column, you can activate/deactivate the individual entries in the table.
– You can change the entries directly in the table.
– To delete a row, select the row and click on “Delete Entry”.
Table 11: Network: Table for secondary IP address entries

Name          Meaning
IP Address    Enter the IP address.
Netmask       Enter the netmask.
Use VLAN Tag  When the function is switched on, the device accepts data packets with the VLAN ID entered in the field VLAN ID exclusively. The NAT functions are disabled.
VLAN ID       Define the VLAN ID (1-4,094) of the VLAN.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
Note:
The device displays the currently active network mode in the Network submenu.
1.2.4 PPPoE Mode
This dialog enables you to configure PPPoE (Point to Point Protocol over Ethernet) mode. In PPPoE network mode, the device creates a point-to-point connection to a dial-in node.
Note:
In the PPPoE Mode, use the NAT function if you are using private IP addresses in the internal network and want to communicate with the public network. In the state on delivery, the device transmits from the internal network to the external network, even if NAT is deactivated. You can help prevent this by creating a packet filter.
Internal Interface (Port 1)
Table 12: Network: Protocol in PPPoE mode at internal interface

Name      Meaning
Protocol  Activate/deactivate the DHCP protocol. Activate the DHCP protocol if the device is to get its IP parameters from a DHCP server on the basis of the MAC address or the name of the device.

Note:
An EAGLE One device only supports standard DHCP. Therefore, if you are using a Hirschmann DHCP server, deactivate the “Hirschmann Device” setting for the EAGLE One device in its pool entry.
Table 13: Network: Locally in PPPoE mode at internal interface

Name          Meaning
IP Address    Enter the IP address via which you can access the device.
Netmask       Enter the netmask.
Use VLAN Tag  When the function is switched on, the device accepts data packets with the VLAN ID entered in the field VLAN ID exclusively. The NAT functions are disabled.
VLAN ID       Define the VLAN ID (1-4,094) of the VLAN.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
External Interface (Port 2)
Table 14: Network: User identification and MTU in PPPoE mode at external interface

Name           Meaning
User Name      Enter the user name allocated by the provider.
Password       Enter the password allocated by the provider.
Interface MTU  Enter the maximum packet size allocated by the provider for which the data packets are not fragmented yet (Maximum Transmission Unit). Permitted values: 60-1,500 bytes, default setting: 1,492 bytes.
Table 15: Network: the PPPoE connection is interrupted automatically

Name                              Meaning
Switch on automatic interruption  By selecting this you specify that the device automatically interrupts the PPPoE connection at the specified time every day. Before activating this function, check whether the system time of your EAGLE One device is set correctly.
Time (hours) until interruption   Set the time (hour) at which the device automatically interrupts the PPPoE connection every day. Value range: 0 to 23.
Table 16: Network: Local parameters in PPPoE mode at external interface

Name        Meaning
IP Address  Display the IP address allocated by the provider.
Netmask     Display the netmask allocated by the provider.
Gateway     Display the gateway allocated by the provider.
Status      Display the connection status.
Creating secondary IP addresses
Entries for secondary IP addresses allow you to connect multiple subnetworks to one router interface (multinetting).
– Click on “Create...” to open a window for entering a new row in the table.
– After entering the IP address, the netmask, Use VLAN Tag and the VLAN ID, click on “Set” to transfer the entry into the table.
– Click on “Back” to return to the table.
– If additional entries in the table are required, you create these by clicking on “Create...”.
– In the “Active” column, you can activate/deactivate the individual entries in the table.
– You can change the entries directly in the table.
– To delete a row, select the row and click on “Delete Entry”.
Table 17: Network: Table for secondary IP address entries

Name          Meaning
IP Address    Enter the IP address.
Netmask       Enter the netmask.
Use VLAN Tag  When the function is switched on, the device accepts data packets with the VLAN ID entered in the field VLAN ID exclusively. The NAT functions are disabled.
VLAN ID       Define the VLAN ID (1-4,094) of the VLAN.

Note:
The device uses the VLAN ID entered in this field exclusively if "Use VLAN Tag" is marked.
Note:
The device displays the currently active network mode in the Network submenu.
1.2.5 Routes
The route table allows you to enter static routes.

Creating a route entry in the table
– Click on “New...” to open a window for entering a new row in the table.
– Select “Internal Interface” or “External Interface”.
– After entering the destination network, the destination netmask and the next hop‘s IP address, click on “Set” to transfer the entry into the table.
– Click on “Back” to return to the table.
– If additional entries in the table are required, you create these by clicking on “Create...”.
– In the “Active” column, you can activate/deactivate the individual entries in the table.
– You can change the entries directly in the table.
– To delete a row, select the row and click on “Delete Entry”.
Table 18: Table for Routes

Name                 Meaning
Destination Network  First IP address of the destination subnetwork
Destination Mask     Netmask of the destination subnetwork
Next Hop             The next hop‘s gateway IP address
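The router-mode interface tables (1.2.3) and the route table (1.2.5) above share one consistency rule that the device itself does not check before you click “Set”: a next hop or default gateway is only reachable if its address lies in a subnetwork assigned to one of the router interfaces, and a VLAN ID is only valid in the range 1-4,094. The following Python script is an added example, not code from Hirschmann or from the EAGLE One; it validates a planned router-mode configuration offline before the values are typed into the dialogs. The field names mirror the table columns; the sample interface and route values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Hirschmann code): offline consistency check for a planned
# EAGLE One router-mode configuration, mirroring Tables 8, 10, 11 and 18.


@dataclass
class Interface:
    """One row of the router-mode interface tables (internal, external, secondary)."""
    name: str                       # e.g. "Internal Interface", "External Interface"
    ip_address: str
    netmask: str
    use_vlan_tag: bool = False
    vlan_id: Optional[int] = None   # only meaningful when use_vlan_tag is set


@dataclass
class Route:
    """One row of the route table (Table 18)."""
    destination_network: str
    destination_mask: str
    next_hop: str


def attached_networks(interfaces: List[Interface]) -> List[ipaddress.IPv4Network]:
    """Subnetworks assigned directly to an interface; invalid rows are skipped here
    and reported by check_interfaces()."""
    nets = []
    for itf in interfaces:
        try:
            nets.append(ipaddress.IPv4Interface(f"{itf.ip_address}/{itf.netmask}").network)
        except ValueError:
            pass
    return nets


def check_interfaces(interfaces: List[Interface]) -> List[str]:
    """Validate address/netmask pairs, the 1-4094 VLAN ID range, and detect overlapping
    subnetworks (which would make next-hop selection ambiguous)."""
    problems = []
    for itf in interfaces:
        try:
            ipaddress.IPv4Interface(f"{itf.ip_address}/{itf.netmask}")
        except ValueError as exc:
            problems.append(f"{itf.name}: invalid IP address/netmask ({exc})")
            continue
        if itf.use_vlan_tag and not (itf.vlan_id is not None and 1 <= itf.vlan_id <= 4094):
            problems.append(f"{itf.name}: VLAN ID must be 1-4094 when Use VLAN Tag is set")
    nets = attached_networks(interfaces)
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnetworks {nets[a]} and {nets[b]} overlap")
    return problems


def check_routes(routes: List[Route], default_gateway: Optional[str],
                 interfaces: List[Interface]) -> List[str]:
    """Each next hop and the default gateway must lie in a directly attached subnetwork
    (the rule Table 10 states for the default gateway); destinations must be network
    addresses, not host addresses."""
    nets = attached_networks(interfaces)
    problems = []
    for r in routes:
        try:
            dest = ipaddress.IPv4Network(
                f"{r.destination_network}/{r.destination_mask}", strict=True)
        except ValueError as exc:
            problems.append(f"route to {r.destination_network}/{r.destination_mask}: "
                            f"invalid destination ({exc})")
            continue
        try:
            hop = ipaddress.IPv4Address(r.next_hop)
        except ValueError:
            problems.append(f"route to {dest}: next hop {r.next_hop!r} is not an IPv4 address")
            continue
        if not any(hop in n for n in nets):
            problems.append(f"route to {dest}: next hop {hop} is not in any attached subnetwork")
    if default_gateway:
        gw = ipaddress.IPv4Address(default_gateway)
        if not any(gw in n for n in nets):
            problems.append(f"default gateway {gw} is not in any attached subnetwork")
    return problems


# Constructed sample configuration (not from the manual).
INTERFACES = [
    Interface("Internal Interface", "10.0.1.1", "255.255.255.0", use_vlan_tag=True, vlan_id=10),
    Interface("External Interface", "192.168.1.2", "255.255.255.0"),
]
ROUTES_OK = [Route("172.16.0.0", "255.255.0.0", "10.0.1.254")]
ROUTES_BAD = [
    Route("172.17.0.0", "255.255.0.0", "10.0.9.1"),      # next hop in no attached subnet
    Route("172.18.0.1", "255.255.0.0", "10.0.1.254"),    # host address given as network
]

if __name__ == "__main__":
    for p in check_interfaces(INTERFACES) + check_routes(ROUTES_OK, "192.168.1.1", INTERFACES):
        print("problem:", p)
    for p in check_routes(ROUTES_BAD, "203.0.113.1", INTERFACES):
        print("problem:", p)
```

Running the script reports nothing for the first interface/route set and three findings for the second: the unreachable next hop, the destination with host bits set, and the default gateway outside both attached subnetworks. Each of these would otherwise be accepted by the dialog and discovered only when traffic fails to route.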
1.3 Software
The software dialog enables you to display the software versions in the device and to carry out a software update of the device via file selection.
Figure 7: Software Dialog
For an HTTPS software update (via the file selection window), the device software has to reside on a drive that you can access from your PC.
Table 19: Software Version Display and Update

Frame “Version”
Name             Meaning
Stored Version   Show the version of the software stored in the flash memory.
Running Version  Show the version of the software running on the device.
Backup Version   Show the version of the backup software stored in the flash memory.

Frame “https-Software-Update”
Name              Meaning
“File” input row  Show the device software selected (*.bin).
“...” button      Open a file selection window.
“Update” button   Transfer the selected device software to the device.
The end of the update is indicated by one of the following messages:
– Update completed successfully.
– Update failed. Reason: refer to the text string of the message.
After successfully loading it, you activate the new software: Select the Basic Settings:Restart dialog and perform a cold start.
On a cold start, the device reloads the software from the non-volatile memory, restarts, and performs a self-test.
In your browser, click on “Reload” so that you can access the device again after it is booted.
1.4 Port Configuration
This configuration table allows you to configure every port of the device.
Table 20: Setting options per port

Port
  Meaning: Port designation (int: 1, ext: 2)
  Possible values: –

Name
  Meaning: Enter a name of your choice for each port.
  Possible values: ASCII characters, max. 64 characters

Port on
  Meaning: Activate the port by checkmarking it.
  Possible values: on/off

Propagate Connection Error
  Meaning: When you checkmark this, you specify that a connection error detected at this port is propagated to the device status and signal contact.
  Possible values: on/off

Automatic Configuration
  Meaning: Activate automatic selection of the operating mode of a port by checkmarking the corresponding field. After autonegotiation has been switched on, it takes a few seconds for the operating mode to be set.
  Possible values: –

Manual Configuration
  Meaning: Set the operating mode for this port.
  Possible values: 10 Mbit/s half-duplex (HDX) a, 10 Mbit/s full-duplex (FDX) a, 100 Mbit/s half-duplex (HDX), 100 Mbit/s full-duplex (FDX) a

Link/Current settings
  Meaning: Display the current operating mode and thus display an existing connection.

a For TX ports only

State on Delivery column, in table order as extracted: –, –, on, on, 100 Mbit/s full-duplex (FDX)
Note:
The active automatic configuration takes precedence over the manual configuration.
Figure 8: Port configuration table dialog
1.5 Serial Port
This dialog allows you to configure the serial port of the device as a Terminal/CLI interface (default setting) or as a Modem interface.
Figure 9: Serial Port dialog
1.5.1 Configuration as a Terminal/CLI interface
In the “Interface” frame, select Terminal/CLI interface. In Terminal/CLI interface mode, the following parameters are fixed for the interface: 9,600 bits/s, 8 data bits, no parity, 1 stop bit, no flow control.

Figure 10: Terminal Cable Pin Assignment (RJ11 to DB9; signals CTS, TX, GND, RX; n.c. = not connected)
1.5.2 Configuration as a Modem interface
In the “Interface” frame, select Modem interface.
The device displays the “Settings” frame.

Figure 11: Pin assignment of modem cable (RJ11 to DB9; signals CTS, TX, GND, RX, RTS)
Table 21: Settings for Modem Mode

Name               Meaning
Username           Enter the PPP user name for accessing a remote device on the EAGLE One (PAP, CHAP).
Password           Enter the PPP password for accessing a remote device on the EAGLE One (PAP, CHAP).
Interface MTU      Enter the maximum packet size for the PPP connection (Maximum Transmission Unit). The device fragments data packets if they are larger than the value entered. Permitted values: 60-1,500 bytes. Default setting: 1,500 bytes. Select a smaller value if you know that your Internet service provider uses a smaller value or no connection can be made.
Local IP Address   Enter the IP address of the serial port. Select an IP address for the serial port that belongs to a different subnetwork than the IP addresses allocated under the Network settings.
Remote IP Address  Enter the IP address of the remote device. Select an IP address that belongs to a different subnetwork than the IP addresses allocated under the Network settings.
Flow Control       Enable/Disable Flow Control.
Baud rate          Select the baud rate. Select the same baud rate (typically: 57,600 baud) on your modem and on the EAGLE One‘s serial port.
Status             Status of the serial interface in modem mode. Possible messages: “not connected” or “peer connected”. In terminal/CLI mode, the message is “serial CLI mode”.
Note:
When you select the mode “Terminal/CLI Interface”, the device reduces the adjustable parameters to those for the Terminal/CLI Interface.
Note:
Configure the filter rules in the “Incoming PPP packets” dialog in the Network Security:Packet Filter menu so that the Firewall enables data traffic between the remote and local IP addresses.
1.6 Load/Save
With this dialog you can:
– load a configuration,
– save a configuration,
– display a configuration,
– delete a configuration,
– activate a configuration,
– create a configuration,
– use the ACA for configuring,
– cancel a configuration change.
Figure 12: Load/Save dialog
1.6.1 Status display

Table 22: Status of the non-volatile memory (NVM)

Name         Meaning
OK           The configuration data from the NVM and the device is consistent.
out-of-sync  The configuration data from the NVM and the device is not consistent.
Table 23: Status of the AutoConfiguration Adapter (ACA)

Name         Meaning
OK           AutoConfiguration Adapter connected. The configuration data on the ACA and the device matches.
out-of-sync  The current configuration‘s data on the ACA and the NVM do not match.
Absent       No AutoConfiguration Adapter is connected.
1.6.2 Configuration in the non-volatile memory (NVM)
The table lists the individual configuration files of the non-volatile memory.

Table 24: Configuration in the Non-Volatile Memory (NVM)

Name               Meaning
Name               Name of the configuration file
Modification date  Date saved (YYYY-MM-DD HH:MM:SS)
Active             Display the active configuration
Note:
The device allows you to use up to 32 characters for the name of a configuration file. Allowed are alphanumeric characters ("A" to "Z", "a" to "z", "0" to "9") as well as the underline "_" and the hyphen "-".
Table 25: Editing the Table Entries

Name          Meaning
Copy from PC  Load a configuration file from a PC to the device. The configuration file appears in a new table entry.
Copy to PC    Save a configuration file from the device to a PC.
Show          Display a configuration file.
Delete        Delete a configuration file.
Activate      Activate a configuration file. In the “Active” column, the device shows you the active configuration.
New           Save the current configuration in a configuration file on the device (and the ACA).
If you change the current configuration (for example, by switching a port off), the graphical user interface changes the “load/save” symbol in the navigation tree from a disk symbol to a yellow triangle. After saving the configuration, the graphical user interface displays the “load/save” symbol as a disk again.
Note:
You can reset to the state on delivery with Restart:Reset to Factory. Note that the device deletes all tables, settings and files on the device and on a connected ACA.
1.6.3 Configuration on the AutoConfiguration Adapter (ACA)
An ACA is a means for saving the configuration data of a device. In the case of a detected failure, an ACA enables the configuration data to be transferred easily to a substitute device of the same type. The table lists the individual configuration files of an AutoConfiguration Adapter (ACA).
Name: Name of the configuration file.
Modification date: Date saved (YYYY-MM-DD HH:MM:SS).
Active: Displays the active configuration.
Table 26: Configuration on the AutoConfiguration Adapter (ACA)
Copy from PC: Load a configuration file from a PC to the ACA. The configuration file appears in a new table entry.
Copy to PC: Save a configuration file from the ACA to a PC.
Show: Display a configuration file.
Delete: Delete a configuration file.
Copy to NVM: Save a configuration file from the ACA to the device.
Table 27: Editing the Table Entries
If you change the current configuration (for example, by switching a port off), the graphical user interface changes the “load/save” symbol in the navigation tree from a disk symbol to a yellow triangle. After saving the configuration, the graphical user interface displays the “load/save” symbol as a disk again.
Note:
You can reset the device to the state on delivery with Restart:Reset to Factory. Note that the device deletes all tables, settings and files on the device and on a connected ACA.
1.6.4 Saving and Loading a Configuration
Set: Write the selection of which configuration is marked as active to the non-volatile memory and to the ACA.
Reload: Update the table display in case it has been changed by another SNMP access.
Save to NVM + ACA: Replace the active configuration with the current configuration in the non-volatile memory and on the ACA.
Restore from NVM: Reload the active configuration from the local non-volatile memory.
Table 28: Saving and loading
1.6.5 Cancelling a configuration change
Operation
If the function is activated and the connection to the device is interrupted for longer than the time specified in the field “Period to undo while connection is lost [s]”, the device then loads the last configuration saved.
Activate the function before you configure the device so that you will then be reconnected if an incorrect configuration interrupts your connection to the device. Enter the “Period to undo while the connection is lost [s]” in seconds. Possible values: 10-600 seconds.
Default setting: 600 seconds.
Note:
Deactivate the function after you have successfully saved the configuration. In this way you help prevent the device from reloading the configuration after you close the web interface.
Note:
When accessing the device via SSH, also note the TCP connection timeouts for the cancellation of the configuration.
Watchdog IP address
“Watchdog IP address” shows you the IP address of the PC from which you have activated the (watchdog) function. The device monitors the link to the PC with this IP address, checking for interruptions.
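The timing of this function, as an added example that is not part of the manual or of Hirschmann's software: a small Python model of the undo watchdog described in 1.6.5. The class and method names are assumptions, and treating any packet from the watchdog PC as proof that the link is up is a simplification of what the device monitors. The two scenarios show the lock-out case the function is meant for, and why the note above says to deactivate it after saving.

```python
"""Added example, not code from the EAGLE One manual or from Hirschmann:
a model of the "cancel configuration change" watchdog (section 1.6.5).
Names are assumptions made for this illustration; the configurations
and timestamps used in the scenarios are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_PERIOD, MAX_PERIOD, DEFAULT_PERIOD = 10, 600, 600   # seconds, as documented


@dataclass
class ConfigWatchdog:
    saved_config: Dict[str, str]                  # last configuration saved to NVM
    period: int = DEFAULT_PERIOD                  # "Period to undo while connection is lost [s]"
    running_config: Optional[Dict[str, str]] = None
    armed: bool = False
    watchdog_ip: str = ""                         # "Watchdog IP address" shown in the dialog
    last_seen: float = 0.0                        # last traffic from the watchdog PC
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not MIN_PERIOD <= self.period <= MAX_PERIOD:
            raise ValueError(f"period must be {MIN_PERIOD}-{MAX_PERIOD} s, got {self.period}")
        if self.running_config is None:
            self.running_config = dict(self.saved_config)

    def arm(self, client_ip: str, now: float) -> None:
        """Activate the function from the management PC at client_ip."""
        self.armed, self.watchdog_ip, self.last_seen = True, client_ip, now

    def disarm(self) -> None:
        self.armed, self.watchdog_ip = False, ""

    def heartbeat(self, client_ip: str, now: float) -> None:
        """Assumption: any traffic from the watchdog PC counts as 'link not interrupted'."""
        if self.armed and client_ip == self.watchdog_ip:
            self.last_seen = now

    def change(self, key: str, value: str) -> None:
        """An unsaved change to the running configuration."""
        self.running_config[key] = value

    def save(self) -> None:
        self.saved_config = dict(self.running_config)

    def tick(self, now: float) -> bool:
        """Called periodically by the device; True when a rollback happened."""
        if self.armed and now - self.last_seen > self.period:
            self.running_config = dict(self.saved_config)
            self.events.append(f"t={now:.0f}s: no traffic from {self.watchdog_ip} for more "
                               f"than {self.period}s, last saved configuration reloaded")
            return True
        return False


def lockout_scenario() -> Dict[str, str]:
    """Armed watchdog rescues an administrator who switched off the port they use."""
    wd = ConfigWatchdog({"port1": "on"}, period=60)
    wd.arm("192.168.1.10", now=0)
    wd.change("port1", "off")          # cuts the administrator's own link
    assert not wd.tick(now=30)         # still inside the period, nothing happens
    wd.tick(now=61)                    # link silent for more than 60 s: rollback
    return wd.running_config


def forgot_to_disarm_scenario() -> Dict[str, str]:
    """Saved but left armed: after the GUI is closed, later unsaved edits are lost."""
    wd = ConfigWatchdog({"port1": "on"}, period=60)
    wd.arm("192.168.1.10", now=0)
    wd.change("port1", "off")
    wd.heartbeat("192.168.1.10", now=20)
    wd.save()                          # the change is now the saved configuration
    # the web interface is closed without deactivating the function;
    # a second administrator edits over SSH from another PC at t=40
    wd.change("port2", "off")
    wd.tick(now=90)                    # 70 s since the watchdog PC was last seen
    return wd.running_config
```

The second scenario is the case the note warns about: the rollback does not know which connection made the later change, it only knows that the watchdog PC has gone quiet.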
1.7 Restart
With this dialog you can:
– coldstart the device,
– reset the MAC address table,
– reset the ARP table,
– reset the firewall and NAT connections,
– reset the port counters,
– delete the log file,
– reset the device to the state on delivery.
Coldstart...: The device reloads the software from the non-volatile memory, restarts, and performs a self-test.
Reset MAC Address table: The device resets the entries with the status “learned” in the filter table.
Reset ARP table: The device empties the ARP table.
Reset firewall and NAT connections: The device resets the state tables (see on page 83 “Network Security”).
Reset port counter: The device resets the port counter.
Delete logfile: The device deletes the internal log file. The persistent files remain.
Reset to factory: The device resets all tables, settings and files on the device (and on a connected ACA) to the state on delivery.
Table 29: Restart
Note:
During the restart, the device temporarily does not transfer any data, and it cannot be accessed via the graphical user interface or other management systems such as Industrial HiVision.
Figure 13: Restart Dialog
2 Security
The security menu contains the dialogs, displays and tables for configuring the security settings: Password, SNMP Access, Web Access, SSH Access, External Authentication, Login Banner.
2.1 Password
This dialog gives you the option of changing the read and read/write passwords for access to the device via the graphical user interface (GUI), via the CLI, and via SNMPv3 (SNMP version 3). Set different passwords for the read password and the read/write password so that a user that only has read access (user name “user”) does not know, or cannot guess, the password for read/write access (user name “admin”).
The graphical user interface (GUI) communicates via SNMPv3, and the command line interface (CLI) via SSH.
Note:
Passwords are case-sensitive.
Note:
For security reasons, change the factory setting password. You thus help prevent the device from being accessed with this password. If the password is the factory setting password, the device displays the message “Default Password” in every dialog's header line.
Select “Modify Read-Only Password (User)” to enter the read password.
Enter the new read password in the “New Password” line and repeat your entry in the “Please retype” line.
Select “Modify Read-Write Password (Admin)” to enter the read/write password.
Enter the read/write password and repeat your entry.
Figure 14: Password Dialog
Note:
If you do not know a password with “read/write” access, you will have no write access to the device.
Note:
For security reasons, the dialog shows the passwords as asterisks. Make a note of every change. You cannot access the device without a valid password.
Note:
In SNMP version 3, use between 5 and 32 characters for the password, because many applications do not accept shorter passwords.
Access via a Web browser can be disabled in a separate dialog (see on …).
2.2 SNMP Access
With this dialog you can:
– enter an SNMP port. The factory setting for the port is 161. Enter a different UDP port number if, for administration or security reasons, you want to use a different port number. The graphical user interface will automatically use the new port number after a restart.
– manage, create and delete entries for accessing the device via SNMP. Click on “↑” or “↓” to move a selected entry up or down.
– tunnel the SNMP access of the graphical user interface to the device via HTTPS. Thus only HTTPS connections to the device are necessary. With this function you can also perform a RADIUS authentication for SNMP users.
The factory setting for the function SNMP over HTTPS (Tunnel) is inactive.
Note:
A change to the setting SNMP over HTTPS (Tunnel) only takes effect after reloading the graphical user interface. Access via SNMP is still possible.
Figure 15: SNMP Access dialog
Index: Sequential number to which the access restriction refers. Possible values: automatically generated.
Port: Select the port. Possible values: int (settings refer to the internal port), ext (settings refer to the external port), ppp (settings refer to the V.24 port configured as a modem).
Source IP (CIDR): Enter an IP address or a group of IP addresses in mask form that can access the device, or “any”. When you enter an IP address without a mask, the device changes the IP address to the mask form with a 32-bit network mask (x.x.x.x becomes x.x.x.x/32). Possible values: any IP address in mask form, i.e. the IP address or the group of IP addresses that can access the device; any (access to this device is permitted for computers with any IP address).
Action: Select the action the device takes if (one of) the IP addresses entered under “Source Address (CIDR)” accesses the device. Possible values: accept (access allowed), drop (access not allowed, no message to sender), reject (access not allowed, message to sender).
Log: When the device applies the rule of a table entry, it writes this as an event in the event log. Possible values: enable, disable, logAndTrap.
Note:
The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
Description: Enter a description of your choice for this entry, e.g. the name or location of the PC that has the IP address entered. Possible values: maximum 128 characters.
Active: Activate/deactivate the table entry. Possible values: on/off.
Error: Shows the last detected error for an attempt to activate the table entry (usually a detected syntax error). Possible values: -
Table 30: SNMP access table
The “Create” button enables you to create a new row in the table. With “Remove” you delete the selected rows in the table.
Note:
If no row is selected,
– there are no access restrictions at the internal port,
– there is no access option to the external port via SNMP.
Note:
In the state on delivery, the firewall allows the outgoing IP traffic and the management access (SNMP, HTTPS and SSH) to the device at the internal port. If you want to deactivate the management access, you have the following options:
– Define explicit drop rules for the management access.
– Change the corresponding firewall rules for the outgoing IP traffic.
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List, you find the summary of the active rules.
2.3 SNMPv1/v2
With this dialog you can:
– select the access via SNMPv1 or SNMPv2. In the state on delivery, both protocols are deactivated, so SNMP access is only possible via SNMPv3, for security reasons.
– change the read and read/write passwords for access to the device via SNMPv1/v2. The passwords are case-sensitive. For security reasons, create unique passwords for read and read/write access.
Note:
In the state on delivery, SNMPv1 and SNMPv2 access is deactivated. As SNMPv1 and SNMPv2 transfer data unencrypted, using SNMPv1 and SNMPv2 creates a potential security risk. Only allow SNMPv1 or SNMPv2 access if you want to use an application that requires this.
Note:
For security reasons, change the factory setting password. You thus help prevent the device from being accessed with this password. If the password is the factory setting password, the device displays the message “Default Password” in every dialog's header line.
Select “Modify Read-Only Password (User)” to enter the read password.
Enter the new read password in the “New Password” line and repeat your entry in the “Please retype” line.
Select “Modify Read-Write Password (Admin)” to enter the read/write password.
Enter the read/write password and repeat your entry.
Figure 16: SNMPv1/v2 dialog
Note:
For security reasons, the dialog shows the passwords as asterisks. Make a note of every change. You cannot access the device without a valid password.
Access via a Web browser can be disabled in a separate dialog (see on …).
2.4 Web Access
With this dialog you can:
– activate/deactivate the Web server on the device. In the delivery state, the Web server on the internal port is activated. The Web server of the device allows you to configure the device by using the graphical user interface. Deactivating the Web server helps prevent Web access to the device.
– enter an HTTPS port (the TCP port number that the device uses for the Web server). Possible values: 1 - 65,535. Default setting: Well Known Port for HTTPS (443). This port change becomes effective when the device is restarted. When changing the port for access to the device, add the port number to the URL, e.g. https://192.168.1.1:444.
– manage, create and delete entries for accessing the device via the graphical user interface.
– upload certificates to the device.
In its delivery state, the device includes a certificate.
After the Web server has been switched off, it is no longer possible to log in via a Web browser. The login in the open browser window remains active.
Note:
The graphical user interface communicates with the device via SNMP. If you want to access the graphical user interface via the external port and the function SNMP over HTTPS (Tunnel) is inactive, you create an SNMP access rule (see on page 50 “SNMP Access”).
Figure 17: Web Access dialog
Index: Sequential number to which the access restriction refers. Possible values: automatically generated.
Port: Select the port. Possible values: int (settings refer to the internal port), ext (settings refer to the external port), ppp (settings refer to the V.24 port configured as a modem).
Source IP (CIDR): Enter an IP address or a group of IP addresses in mask form that can access the device, or “any”. When you enter an IP address without a mask, the device changes the IP address to the mask form with a 32-bit network mask (x.x.x.x becomes x.x.x.x/32). Possible values: any IP address in mask form, i.e. the IP address or the group of IP addresses that can access the device; any (access to this device is permitted for computers with any IP address).
Action: Select the action the device takes if (one of) the IP addresses entered under “Source Address (CIDR)” accesses the device. Possible values: accept (access allowed), drop (access not allowed, no message to sender), reject (access not allowed, message to sender).
Log: When the device applies the rule of a table entry, it writes this as an event in the event log. Possible values: enable, disable, logAndTrap.
Note:
The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
Description: Enter a description of your choice for this entry, e.g. the name or location of the PC that has the IP address entered. Possible values: maximum 128 characters.
Active: Activate/deactivate the table entry. Possible values: on/off.
Error: Shows the last detected error for an attempt to activate the table entry (usually a detected syntax error). Possible values: -
Table 31: Web access table
The “Create Entry” button enables you to create a new row in the table. The device displays a dialog to remind you to create an additional SNMP rule where necessary if you want to use the graphical user interface. With “Delete Entry” you delete the selected rows in the table.
With “↑” or “↓” you move a selected entry up or down.
To upload a certificate, the file has to reside on a drive that you can access from your PC.
Click on “Certificates”.
In the file selection frame, click on “...”.
In the file selection window, select the certificate file (e.g. certificate.p12) and click on “Open”.
Click on “Copy from PC” to transfer the file to the device.
The end of the upload is indicated by one of the following messages:
– Update completed successfully.
– Update failed. Reason: file copy failed.
Note:
In the state on delivery, the firewall allows the outgoing IP traffic and the management access (SNMP, HTTPS and SSH) to the device at the internal port. If you want to deactivate the management access, you have the following options:
– Define explicit drop rules for the management access.
– Change the corresponding firewall rules for the outgoing IP traffic.
Note:
The device accepts HTTPS server certificates with a key length of between 512 and 2048 bits (RSA key in PEM format with non-encrypted private key).
Encryption algorithms supported by the server:
– SSLv3: AES128-SHA
– TLSv1: AES256-SHA, AES128-SHA, DES-CBC3-SHA
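A pre-upload check for the constraints in the note above, as an added example (not the manual's or Hirschmann's code): it reads the RSA modulus from a PKCS#1 “RSA PRIVATE KEY” PEM block with a minimal DER reader and refuses encrypted keys and sizes outside 512 to 2048 bits. The function names and the `min_bits` parameter are assumptions; the sample PEM files it builds are constructed structures with placeholder integers, not usable keys. The device's lower limit of 512 bits is far below current key-size guidance, so the check lets you raise the minimum locally while still rejecting what the device would reject.

```python
"""Added example, not code from the manual or from Hirschmann: a check that
a PEM file meets what the note states the device accepts for the HTTPS
server certificate (RSA key, unencrypted, modulus 512 to 2048 bits).
Sample keys built here are constructed structures, not usable keys."""
import base64
import re
from typing import Tuple

DEVICE_MIN_BITS, DEVICE_MAX_BITS = 512, 2048   # as documented for the device
PEM_RE = re.compile(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    # one spare byte keeps a set high bit from reading as a negative number
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem: str) -> int:
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey PEM block."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no 'RSA PRIVATE KEY' block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must start with a SEQUENCE")
    _, _version, pos = _read_tlv(seq, 0)       # version INTEGER
    tag, modulus, _ = _read_tlv(seq, pos)      # modulus INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_server_key(pem: str, min_bits: int = DEVICE_MIN_BITS) -> Tuple[bool, str]:
    """Accept only what the device accepts; raise min_bits for a stricter local policy."""
    if "ENCRYPTED" in pem:                     # PKCS#8 header or OpenSSL Proc-Type line
        return False, "private key is encrypted; the device needs the unencrypted key"
    try:
        bits = rsa_modulus_bits(pem)
    except ValueError as exc:
        return False, f"not an RSA key in PEM format: {exc}"
    if bits < min_bits or bits > DEVICE_MAX_BITS:
        return False, f"RSA key is {bits} bits; accepted range is {min_bits}-{DEVICE_MAX_BITS}"
    return True, f"RSA key is {bits} bits"


def make_sample_pem(bits: int, encrypted: bool = False) -> str:
    """Constructed fixture: PKCS#1 layout with a modulus of exactly `bits` bits
    and placeholder values for the other integers (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    body = _der_int(0) + _der_int(modulus) + _der_int(65537) + _der_int(1) * 6
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    header = "-----BEGIN RSA PRIVATE KEY-----"
    if encrypted:
        header += "\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,<constructed IV placeholder>\n"
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return header + "\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"
```

Run `check_server_key(open("server.key").read())` on the file you intend to upload; a `.p12` bundle as in the procedure above would first have to be converted to PEM with the private key unencrypted, which is exactly the property this check confirms.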
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List, you find the summary of the active rules.
2.5 SSH Access
With this dialog you can:
– activate/deactivate the SSH server on the device. In the state on delivery, the SSH server is activated on the internal port. The SSH server of the device allows you to configure the device using the Command Line Interface (in-band). Deactivating the SSH server helps prevent SSH access to the device.
– enter an SSH port. Possible values are 1 - 65,535. The state on delivery is 22.
– view the DSA and RSA fingerprints. The fingerprints are used to identify the key used to log in.
– manage, create and delete entries for accessing the device via SSH.
After the SSH server has been deactivated, you will no longer be able to access the device via a new SSH connection. If a SSH connection already exists, it is maintained.
Note:
The Command Line Interface (out-of-band) and the Security:Web Access dialog in the graphical user interface (or another SNMP administration tool) allow you to reactivate the SSH server.
Note:
The device allows you to use SFTP to access device files such as configuration files or the ACA, or to load a firmware update or VPN certificates onto the device. To do this, use an SFTP client, such as WinSCP. For the SFTP access, you must have SSH access to the device.
Figure 18: SSH Access dialog
Index: Sequential number to which the access restriction refers. Possible values: automatically generated.
Port: Select the port. Possible values: int (settings refer to the internal port), ext (settings refer to the external port), ppp (settings refer to the V.24 port configured as a modem).
Source IP (CIDR): Enter an IP address or a group of IP addresses in mask form that can access the device, or “any”. When you enter an IP address without a mask, the device changes the IP address to the mask form with a 32-bit network mask (x.x.x.x becomes x.x.x.x/32). Possible values: any IP address in mask form, i.e. the IP address or the group of IP addresses that can access the device; any (access to this device is permitted for computers with any IP address).
Action: Select the action the device takes if (one of) the IP addresses entered under “Source Address (CIDR)” accesses the device. Possible values: accept (access allowed), drop (access not allowed, no message to sender), reject (access not allowed, message to sender).
Log: When the device applies the rule of a table entry, it writes this as an event in the event log. Possible values: enable, disable, logAndTrap.
Note:
The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
Description: Enter a description of your choice for this entry, e.g. the name or location of the PC that has the IP address entered. Possible values: maximum 128 characters.
Active: Activate/deactivate the table entry. Possible values: on/off.
Error: Shows the last detected error for an attempt to activate the table entry (usually a detected syntax error). Possible values: -
Table 32: SSH Access Table
The “Create” button enables you to create a new row in the table. With “Remove” you delete the selected rows in the table.
Note:
In the state on delivery, the firewall allows the outgoing IP traffic and the management access (SNMP, HTTPS and SSH) to the device at the internal port. If you want to deactivate the management access, you have the following options:
– Define explicit drop rules for the management access.
– Change the corresponding firewall rules for the outgoing IP traffic.
Note:
Deactivating an entry helps prevent logging in again via SSH. However, an existing SSH connection to which the deactivation criteria apply remains in place until it is logged out.
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List, you find the summary of the active rules.
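The access tables for SNMP, Web and SSH access (Tables 30 to 32) share one rule format, so one added example serves all three; it is not code from the manual or from the device. The Python model below normalises a bare address to /32 as the dialog does, validates the fields the way the “Error” column would reject them, evaluates the rules in table order (the order the arrow buttons change), and applies the documented empty-table default. The class and function names are assumptions, as is the behaviour for a non-empty table in which no rule matches, which the manual does not state; the sample table in `demo()` is constructed.

```python
"""Added example, not code from the manual or the device: a model of the
SNMP/Web/SSH access rule tables (Tables 30 to 32). Names are assumptions;
the sample rules and client addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORTS = {"int", "ext", "ppp"}                 # internal port, external port, V.24 modem port
ACTIONS = {"accept", "drop", "reject"}
LOG_MODES = {"enable", "disable", "logAndTrap"}


def normalize_source(text: str) -> str:
    """'any', or an address/network in CIDR form; x.x.x.x becomes x.x.x.x/32."""
    if text == "any":
        return "any"
    return str(ipaddress.ip_network(text, strict=False))


@dataclass
class AccessRule:
    port: str
    source: str
    action: str
    log: str = "disable"
    description: str = ""
    active: bool = True

    def __post_init__(self) -> None:
        # Anything rejected here is what the dialog's "Error" column would report.
        if self.port not in PORTS:
            raise ValueError(f"port must be one of {sorted(PORTS)}")
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {sorted(ACTIONS)}")
        if self.log not in LOG_MODES:
            raise ValueError(f"log must be one of {sorted(LOG_MODES)}")
        if len(self.description) > 128:
            raise ValueError("description longer than 128 characters")
        self.source = normalize_source(self.source)    # ValueError on a bad address

    def matches(self, port: str, client_ip: str) -> bool:
        if not self.active or port != self.port:
            return False
        return self.source == "any" or \
            ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.source)


def default_action(port: str) -> str:
    """Documented behaviour with no rule configured: no restriction on the
    internal port, no access on the external port. Whether the device drops
    or rejects in the latter case is not stated; 'drop' is an assumption."""
    return "accept" if port == "int" else "drop"


def evaluate(rules: List[AccessRule], port: str, client_ip: str,
             event_log: Optional[List[str]] = None) -> str:
    """The first active rule that matches decides, so rule order matters."""
    for index, rule in enumerate(rules, start=1):
        if rule.matches(port, client_ip):
            if rule.log in ("enable", "logAndTrap") and event_log is not None:
                event_log.append(f"rule {index} ({rule.description or rule.source}) "
                                 f"{rule.action} {client_ip} on {port}")
            return rule.action
    # Assumption: a request that no configured rule matches falls back to the
    # empty-table default; the manual only documents the empty table.
    return default_action(port)


def demo() -> List[str]:
    """Constructed sample table; returns the decisions and the log lines."""
    rules = [
        AccessRule("int", "192.168.1.10", "accept", log="enable", description="admin PC"),
        AccessRule("int", "192.168.1.0/24", "drop", description="rest of office LAN"),
        AccessRule("ext", "any", "reject", log="logAndTrap", description="no mgmt from WAN"),
    ]
    log: List[str] = []
    checks = [("int", "192.168.1.10"), ("int", "192.168.1.77"), ("ext", "203.0.113.5")]
    return [f"{p} {ip}: {evaluate(rules, p, ip, log)}" for p, ip in checks] + log
```

Swapping the first two rules of the sample table locks the admin PC out, because the /24 drop then matches first; that is the property to check after using the arrow buttons.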
2.6 External Authentication
This dialog allows you to create up to 5 firewall user accounts. With the account name and the corresponding password, a user can log into the device on the login screen using the “user firewall” login type (see on page 11 “Graphical User Interface”). For each user firewall account, an authentication list is stored on the basis of which the device authenticates the account during the login. You must have a user firewall account to be able to create an entry in the Network Security:User Firewall Entries dialog.
2.6.1 User Firewall Accounts
This dialog allows you to create, configure and delete users that can log in to the device under the “user firewall” login type.
Figure 19: User Firewall Accounts Dialog
Account Name: Enter the name of a user (account name) that can log in in the login window under the “user firewall” login type. Possible values: 1-128 ASCII characters.
Password for Local Authentication: Enter the password for this user. Possible values: 5-32 characters.
Authentication list: Select an authentication list (see on page 66 “Authentication Lists”). Possible values: userFirewallLoginDefaultList, systemLoginDefaultList, or lists that you created under Security:External Authentication:Authentication Lists.
Logged in: Shows whether this user is logged into the user firewall. If this user is logged in, the administrator can log him off the user firewall by clicking on the checkmark, then on “Set”. Possible values: on/off.
Active: Activate/deactivate the table entry. Possible values: on/off.
Table 33: User Access table
The “Create” button enables you to create a new row in the table. With “Remove” you delete the selected rows in the table.
2.6.2 Authentication Lists
This dialog allows you to create, configure and delete authentication lists.
In an authentication list, you define which authentication methods the device uses when a user allocated to this authentication list logs in, and in which sequence the device uses these authentication methods.
In the delivery state, this dialog already offers you the authentication lists “userFirewallLoginDefaultList” and “systemLoginDefaultList” to simplify the configuration.
Figure 20: Authentication lists
If required, in “Authentication List for unknown System Login Users”, you select one of the authentication lists that the device uses when an unknown user accesses it as administrator. If you do not make a selection, the result is that no unknown users can access the device as administrator.
If required, in “Authentication List for unknown Firewall Users”, you select one of the authentication lists that the device shall use when an unknown user accesses it. If you do not make a selection, no unknown users are able to access the device.
Name: Name of the authentication list. “userFirewallLoginDefaultList” and “systemLoginDefaultList” are already created in the state on delivery. Possible values: any ASCII characters.
First method: Define the authentication method that the device uses first. Possible values: none (access to the device without authentication), local (authentication of user and password by the device), radius (authentication of user and password by the RADIUS server), deny (reject authentication).
Second method: Define the authentication method that the device uses if the first authentication method was not successful. Possible values: as for “First method”.
Third method: Define the authentication method that the device uses if the first and second authentication methods were not successful. Possible values: as for “First method”.
Active: Activate/deactivate the table entry. Possible values: on/off.
Table 34: Authentication lists
The “Create” button enables you to create a new row in the table. With “Remove” you delete the selected rows in the table.
2.6.3 RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol for the central authentication of users and terminal devices (AAA system).
This dialog allows you to enter the data for 1 to 3 RADIUS servers. If “radius” is selected as the authentication method in External Authentication:Authentication Lists, the device contacts the RADIUS servers one after the other in the case of authentication queries.
Figure 21: RADIUS Server Dialog
Retries: Enter how often the device resubmits an unanswered request to the RADIUS server before the device sends the request to another RADIUS server. Possible values: 1 - 15.
Timeout: Enter how long (in seconds) the device waits for a response after a request to the RADIUS server before the device resubmits the request. Possible values: 1 - 30.
Table
Address: Enter the IP address of a RADIUS server.
UDP Port: Enter the UDP port of the RADIUS server. Possible values: 0 - 65,535 (default setting 1,812).
Shared Secret: Enter the character string which you get as a key from the administrator of your RADIUS server. Possible values: maximum 20 characters.
Active: Activate/deactivate the table entry. Possible values: on/off.
Table 35: RADIUS Server
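The method fallthrough of the authentication lists (2.6.2), the handling of unknown users, and the retries/timeout/failover behaviour of the RADIUS servers (2.6.3) are shown together in one added example below; it is not code from the manual or from the device. The RADIUS exchange is replaced by a callable so the model runs offline, and the accounts, lists and server answers are constructed test data. The manual only says that the next method is used when the previous one “was not successful”; the model takes that literally (a RADIUS reject or a “deny” entry moves on to the next method, and a list that ends without a success rejects the login), and it counts `retries` as resends after an initial attempt. Both readings are assumptions, as are all names.

```python
"""Added example, not code from the manual or the device: a model of the
authentication-list fallthrough (2.6.2) and of the RADIUS server handling
(2.6.3). The RADIUS exchange is a callable so the model runs offline; the
accounts, lists and server answers below are constructed test data."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional

RadiusAnswer = Optional[str]   # "accept", "reject", or None when a server stays silent
RadiusServer = NamedTuple("RadiusServer", [("address", str), ("udp_port", int)])
Account = NamedTuple("Account", [("password", str), ("auth_list", str)])
AuthList = NamedTuple("AuthList", [("name", str), ("methods", List[str]), ("active", bool)])
Transport = Callable[[RadiusServer, str, str, int], RadiusAnswer]


@dataclass
class RadiusConfig:
    servers: List[RadiusServer]   # 1 to 3 entries (dialog default UDP port 1,812)
    retries: int = 3              # 1-15: resends of an unanswered request
    timeout: int = 5              # 1-30 s to wait for each answer

    def __post_init__(self) -> None:
        ok = 1 <= len(self.servers) <= 3 and 1 <= self.retries <= 15 and 1 <= self.timeout <= 30
        if not ok:
            raise ValueError("RADIUS settings outside the documented ranges")


def radius_authenticate(cfg, user, password, transport, trace) -> RadiusAnswer:
    """Servers are asked one after the other; an unanswered request is resent
    `retries` times (initial try plus retries: an assumption) before the next
    server is tried. The first answer of any kind ends the search."""
    for server in cfg.servers:
        for attempt in range(1 + cfg.retries):
            trace.append(f"radius {server.address}:{server.udp_port} attempt {attempt + 1}")
            answer = transport(server, user, password, cfg.timeout)
            if answer is not None:
                return answer
    return None


def authenticate(auth_list, user, password, accounts, radius_cfg, transport, trace) -> bool:
    """Methods run in order; the next is tried only when the previous one was
    not successful (the manual's wording taken literally, so a RADIUS reject
    also falls through: an assumption). 'none' always succeeds, 'deny' never
    does, and a list that ends without a success rejects the login."""
    if not auth_list.active:
        return False
    for method in auth_list.methods:
        ok = False
        if method == "none":
            ok = True
        elif method == "local":
            acct = accounts.get(user)
            ok = acct is not None and hmac.compare_digest(acct.password, password)
        elif method == "radius" and radius_cfg is not None:
            ok = radius_authenticate(radius_cfg, user, password, transport, trace) == "accept"
        trace.append(f"{method}: {'accepted' if ok else 'not successful'}")
        if ok:
            return True
    return False


def login(user, password, accounts, lists, unknown_user_list, radius_cfg, transport, trace) -> bool:
    """A known user gets the list of the account; an unknown user gets the list
    selected for unknown users, and with no selection cannot access the device."""
    if user in accounts:
        list_name = accounts[user].auth_list
    elif unknown_user_list is not None:
        list_name = unknown_user_list
    else:
        return False
    return authenticate(lists[list_name], user, password, accounts, radius_cfg, transport, trace)


def sample_transport(server, user, password, timeout) -> RadiusAnswer:
    """Constructed stand-in for the network: 10.0.0.1 never answers, 10.0.0.2
    accepts one constructed credential pair and rejects everything else."""
    if server.address == "10.0.0.1":
        return None
    return "accept" if (user, password) == ("bob", "radius-pw") else "reject"


def sample_setup():
    """Constructed accounts, lists and RADIUS configuration for trying it out."""
    cfg = RadiusConfig([RadiusServer("10.0.0.1", 1812), RadiusServer("10.0.0.2", 1812)],
                       retries=2, timeout=3)
    accounts = {"alice": Account("alice-pw", "localOnly"), "bob": Account("unused", "radiusFirst")}
    lists = {"localOnly": AuthList("localOnly", ["local", "deny"], True),
             "radiusFirst": AuthList("radiusFirst", ["radius", "local", "deny"], True),
             "open": AuthList("open", ["none"], True)}
    return accounts, lists, cfg
```

The trace of a login for `bob` shows the cost of an unreachable first server: with retries set to 2 the device spends three attempts on 10.0.0.1 before 10.0.0.2 is asked at all, so a silent server delays every login by roughly (1 + retries) × timeout seconds.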
2.7 Login Banner
This dialog allows you to enter a login banner.
The device displays the login banner when a user logs in to the user interface (graphical user interface or CLI).
The login banner is up to 255 characters long. The characters in the ASCII code range 0x20 (space character, “ ”) to ASCII code 0x7E (tilde “~”) are allowed with the exception of percent signs (%, 0x25).
3 Time
3.1 Basic Settings
With this dialog you can enter general time-related settings.
Figure 22: Time:Basic Settings dialog
The “System time (UTC)” displays the time with reference to the coordinated world time scale UTC (Universal Time Coordinated).
The display is the same worldwide. Local time differences are not taken into account. Possible sources of the system time (UTC) are: local, sntp and ntp, see “Time source”.
The device calculates the “system time” from the “system time (UTC)” and the “local offset” (the local time difference from UTC).
“System time” = “System time (UTC)” + “Local offset”.
“Time Source” displays the source of the system time (UTC). The device automatically selects the available source based on accuracy. Possible sources are: local, sntp and ntp.
– The source is initially local. This is the system clock of the device.
– If you have activated the SNTP client and if the device receives a valid SNTP packet, the device sets its time source to sntp.
– If you have activated the NTP client and if the client has synchronized itself, the device sets its time source to ntp.
With the “Set Time from PC” button, the device takes the local time from the work station on which you are running the graphical user interface. It calculates the system time (UTC) using the local time difference:
“System time (UTC)” = “System time” - “Local offset”
The “Local Offset” is for displaying/entering the time difference between the local time and the “System time (UTC)”.
With the “Set offset from PC” button, the device determines the time zone on your PC, uses it to calculate the local time difference, and takes this over.
Note:
When setting the time in zones with summer and winter times, make an adjustment for the local offset, if applicable. The SNTP client can also get the SNTP server IP address and the local offset from a DHCP server. The NTP client gets its NTP server IP address exclusively from the configuration that you set.
3.2 SNTP configuration
The Simple Network Time Protocol (SNTP) enables you to synchronize the system time in your network. The device supports the SNTP client and the SNTP server function.
The SNTP server makes the UTC (Universal Time Coordinated) available. UTC is the time relating to the coordinated world time measurement. The time displayed is the same worldwide. Local time differences are not taken into account.
SNTP uses the same packet format as NTP. In this way, an SNTP client can receive the time from an SNTP server as well as from an NTP server.
Note:
For accurate system time distribution with cascaded SNTP servers and clients, use only network components (routers, switches, hubs) in the signal path between the SNTP server and the SNTP client which forward SNTP packets with a minimized delay.
Operation
In this frame you switch the SNTP function on/off globally.
Note:
If you switch SNTP on when NTP is already active on the device, the device reports a detected error. To switch SNTP on, first deactivate NTP. On delivery, NTP is switched off.
SNTP Status
The “Status message” displays statuses of the SNTP client as one or more text messages, e.g. “Server 2 not responding”.
Configuration SNTP Client
In “External server address” you enter the IP address of the SNTP server from which the device periodically requests the system time.
In “Redundant server address” you enter the IP address of an additional SNTP server. The device periodically requests from this server the system time if it does not receive a response from the server to a request from the “External server address” within 1 second.
Note:
If you are receiving the system time from an external/redundant server address, you do not accept any SNTP Broadcast packets (see below). You thus help ensure that the device uses the time of the server entered.
In “Server request interval” you specify the interval at which the device requests SNTP packets (valid entries: 1 s to 3,600 s, on delivery: 30 s).
With “Accept SNTP Broadcasts” the device takes the system time from SNTP Broadcast/Multicast packets that it receives.
Configuration SNTP Server
In “Anycast destination address” you enter the IP address to which the SNTP server of the device sends its SNTP packets.
In “Anycast send interval” you specify the interval at which the device sends SNTP packets (valid entries: 1 s to 3,600 s, on delivery: 120 s).
With “Disable Server at local time source” the device disables the SNTP server function if the source of the time is local (see Time:Basic Settings dialog).
78 RM GUI EAGLE One Release 5.3.0 09/2013
Time 3.2 SNTP configuration
IP destination address | Send SNTP packet to
0.0.0.0 | Nobody
Unicast address (0.0.0.1 - 223.255.255.254) | Unicast address
Multicast address (224.0.0.0 - 239.255.255.254), especially 224.0.1.1 (NTP address) | Multicast address
255.255.255.255 | Broadcast address
Table 36: Destination address classes for SNTP and NTP packets
Figure 23: SNTP Dialog
3.3 NTP Configuration
The Network Time Protocol (NTP) enables you to synchronize the system time in your network. The device supports the NTP client and the NTP server function.
With NTP, the device can determine the time more accurately than with SNTP. Thus, as an NTP server it can also provide a more accurate time.
The NTP and SNTP packet formats are identical. In contrast to the SNTP client, the NTP client uses multiple NTP servers and a more complex algorithm for the synchronization. It can thus determine the time more accurately. Therefore, the synchronization of the NTP client can take longer than an SNTP client. Only use NTP if you require this increased accuracy.
The NTP server makes the UTC (Universal Time Coordinated) available. UTC is the time relating to the coordinated world time measurement. The time displayed is the same worldwide. Local time differences are not taken into account.
The NTP client obtains the UTC from one or more external NTP servers.
Note:
To obtain as accurate a system time distribution as possible, use multiple NTP servers for an NTP client.
Operation
In this frame you select the NTP operation mode globally. Possible values:
- off: The NTP client and the NTP server are switched off (default setting)
- symmetric-active: The NTP client and the NTP server are active, and the association mode is “Symmetric active” (mode 1)
- symmetric-passive: The NTP client and the NTP server are active, and the association mode is “Symmetric passive” (mode 2)
- client: Only the NTP client is active, and the association mode is “Client” (mode 3)
- server: Only the NTP server is active, and the association mode is “Server” (mode 4)
- client-server: The NTP client and the NTP server are active. The association mode of the client is “Client” (mode 3, sends request packets with mode 4). The association mode of the server is “Server” (mode 4, sends reply packets with mode 3).
- broadcast-client: Only the NTP client is active and accepting NTP Broadcast packets (mode 5)
Note:
If you switch NTP on (set any value other than off) when SNTP is already active on the device, the device reports a detected error. To switch NTP on, first deactivate SNTP. On delivery, SNTP is switched off.
NTP status
The “Status message” displays statuses of the NTP client as one or more text messages, e.g. Server 1 not responding.
Configuration NTP Client
In “External server address” you enter the IP address of the first NTP server from which the device obtains the system time.
In “Redundant server address” you enter the IP address of an additional NTP server from which the device obtains the system time.
In “Server request interval” you specify the interval at which the device requests NTP packets (valid entries: 1 s to 3,600 s, on delivery: 64 s).
Configuration NTP Server
In “Anycast destination address” you enter the IP address to which the NTP server of the device sends its NTP packets.
In “Anycast send interval” you specify the interval at which the device sends NTP packets (valid entries: 1 s to 3,600 s, on delivery: 128 s).
Figure 24: NTP dialog
Note:
If you change a parameter for NTP, the NTP service is restarted.
4 Network Security
To help you establish network security, the Firewall provides you with:
- Packet filters with address templates and Firewall learn mode
- NAT - Network Address Translation
- DoS - Helping protect against Denial of Service (DoS)
- User Firewall
The Firewall observes and monitors the data traffic. The Firewall takes the results of the observation and the monitoring and combines them with the rules for the network security to create so-called status tables. Based on these status tables, the Firewall decides whether to accept, drop or reject the data.
You can use address templates to create and modify IP packet filter entries quickly and more easily.
As a special feature, the Firewall has an innovative set-up assistant, the Firewall learn mode. It helps you analyze the traffic and create suitable rules for permitting the traffic you desire.
4.1 Packet Filter
In the Packet Filter submenu, you can create rules on the basis of which the Firewall handles received data packets. The Firewall can accept data packets, i.e. forward them, or it can drop or reject them.
Here you are able to:
- create rules yourself
- define address templates and use them in your rules
- analyze the traffic through the Firewall using an innovative assistant for the Firewall learn mode (FLM), and accept the proposed rules and modify them if necessary.
The Firewall allows you to create rules for the following groups:
- Incoming IP packets (received at the external port)
- Outgoing IP packets (received at the internal port)
- Incoming MAC packets (received at the external port)
- Outgoing MAC packets (received at the internal port)
- Incoming PPP packets (received at the serial port)
The Firewall initially checks every data packet based on the first rule in the table. If the conditions of this rule apply, the Firewall performs the corresponding action (accept, reject, drop). If the first rule does not apply, the Firewall checks the data packets on the basis of the second rule in the table, etc., down to the last rule in the table.
The last default rule of the device is “drop everything”. This rule is not visible in the tables and cannot be deleted.
With IP and PPP packets you have the option of creating a log entry if none of the rules applies.
You can create, delete and edit rules, and you can change their order. Select one or more sequential rows to be moved and move your selection with the “↑” and “↓” buttons. You can also duplicate (clone) a rule and then edit it.
Settings in the state on delivery:
- In the state on delivery, no address templates are defined.
- The assistant for the Firewall learn mode is switched off.
- The Firewall is asymmetrical. This means:
  – It transmits the data packets from the internal network to the external network. The table also contains a visible “accept all” rule for the internal interface.
  – The Firewall transmits data packets from the external network to the internal network only if a subscriber to the internal network requested these data packets. This behavior corresponds to the Stateful Packet Inspection (SPI), a dynamic packet filter technique that allocates every data packet to a certain active communication connection. The Firewall drops the other data packets. The table for the external interface also contains a “drop everything” rule.
- For IP or PPP packets, the Firewall does not create a log entry if no rule applies.
Note:
Firewall rules can also apply to the CPU of the device. In this case, you can enter the IP target address of the device with the symbolic entry me. For the CPU of the device to be reachable in the state on delivery, it uses default rules that accept SSH, SNMP and HTTPS traffic. These rules are invisible in the tables and cannot be deleted.
4.1.1 Address Templates
This dialog allows you to create address templates, which you can then use to create and modify IP packet filter entries quickly and more easily. An address template consists of 1 or more address entries with the same name.
The device automatically creates the suitable packet filter entries from a packet filter entry with variables. If you change the address template for a variable, the device automatically modifies the packet filter entries created.
Parameter: Template Name
  Meaning: Name of an entry for an address template.
  Note: The active entries with the same name make up an address template.
  Value range: 1-19 ASCII characters; recommendation: in the range 0x21 (“!”) to 0x7e (“~”).
Parameter: Index
  Meaning: Sequential line index.
Parameter: IP-Address (CIDR)
  Meaning: IP address range of the entry in CIDR notation. The device automatically adds the netmask /32 to an entry for a host address. To edit an existing address entry, click on the table row.
  Value range: Valid IPv4 address range
Parameter: Active
  Meaning: Activates or deactivates a single entry of an address template.
  Value range: On, Off
  Default setting: on
Parameter: “Create” button
  Meaning: Open a subdialog with the input fields “List name” and “IP address (CIDR)” to create a new entry for an address template.
  Note: If you want to add an address entry to an existing address template, select the existing name for the “List name” field in the subdialog.
Parameter: “Remove” button
  Meaning: Deletes the selected entries for one or more address templates.
  Default setting: -
Table 37: Description of the Address Templates dialog
Note:
After adding entries, re-sort the list on the basis of the “Template Name” column. You thus help ensure that the graphical user interface displays the entries that belong to one and the same address template underneath each other.
Note:
The maximum number of active entries in the address templates is restricted by the maximum number of IP packet filter entries (see on page 105 “Incoming and outgoing IP packets”).
4.1.2 Firewall Learning Mode (FLM)
The Firewall learn mode is an innovative set-up assistant. It helps you analyze the traffic and create suitable rules for permitting the traffic you desire.
The assistant for the Firewall learn mode allows you to:
- automatically determine in an easy way the traffic which your existing rules do not permit yet (actual learn mode)
- analyze this traffic based on various criteria
- automatically create new rule defaults from the desired traffic
- modify these rules if required and automatically visualize their traffic coverage, and
- test the new rules for the desired coverage.
Note:
However, the assistant for the Firewall learn mode still requires specialized knowledge of data networks, as the user is responsible for the rules created.
The FLM only applies to packets that want to pass through the device (the Firewall). It does not apply to packets that are sent to the device itself, and those that the device itself creates.
Perform the following steps to create the rules supported by FLM:
- Implement the Firewall at the desired position in your network.
- Activate the FLM assistant on the desired interfaces of the Firewall (typically on both interfaces).
- Start the actual learn mode.
- Operate the devices in your network for a while, so that the Firewall learns the desired traffic.
- Start the learn mode.
- Display the learned traffic on the selected interface:
  – If the Firewall has learned too little traffic, continue with the learn mode in order to learn more traffic.
  – When the Firewall has learned enough traffic, inspect the captured data.
- Select desired entries from the captured data and add them to the temporary rule set.
- If necessary, modify the added rules.
- Ignore undesired entries in the captured data, i.e. do not create any rules for them. Thus, the Firewall blocks this traffic after the learn and test mode has ended.
- Release the desired rules for testing.
- Start the test mode:
  – If the devices in your network are working as desired, write the temporary rules to your rule base.
  – If the devices in your network are not working as desired, modify the rules released for testing. Alternatively, restart the learn mode in order to learn more traffic.
- End the assistant for the Firewall learn mode.
- Save the rules in the configuration.
Note:
While learning, the Firewall observes and learns only the traffic that it has not permitted up to now based on the existing rules. The Firewall deactivates the packet filter entry “drop everything” on the external interface. As a result of this, it is possible that the Firewall also accepts undesired traffic when in the learn mode. Therefore, during the learning period, only create desired traffic via the Firewall. If you still find undesired entries when evaluating the learned traffic, do not create any rules for this, and if necessary delete any rules already created.
After the learn and test phase is complete, if you accept the temporary rules derived from the learned data, the Firewall generally does not behave asymmetrically any more.
Note:
Switching the device between the router and transparent modes during the learn phase can have unpredictable results.
Manually adding, deleting or changing packet filter entries during the learn phase can reduce the efficiency of the rules that you derive from the learned data.
Frame “Operation”
  Meaning: Switches the assistant for the Firewall learn mode on or off.
  Value range: On, Off
  Default setting: Off
Frame “Configuration”
Parameter: Learning on interfaces
  Meaning: Select the interfaces of the Firewall on which you want the Firewall to learn traffic.
  Value range: Both, Internal, External
  Default setting: Both
Parameter: Adjustment of the “accept-any” rule
  Meaning:
  Automatic: The Firewall automatically deactivates the “accept-any” rules on the interfaces before the learn and test phases. If such a rule is active during the learning or the testing, it applies to the traffic for the relevant interface. This situation disables new traffic from being learned. The automatic deactivation of these rules during the learning and testing enables new traffic to be learned easily. During the traffic analysis and the rule creation, the Firewall activates these rules again or inserts such a rule. This helps make your productive environment secure. If you take over the newly created, temporary rules, the device deactivates the “accept-any” rules on the relevant interfaces.
  Manual: Manually deactivate the “accept-any” rules on the relevant interfaces before the learn and test phases. During the traffic analysis and the rule creation, activate these rules again. If you take over the newly created, temporary rules, deactivate the “accept-any” rules on the relevant interfaces.
  Value range: Automatic, Manual
  Default setting: Automatic
Table 38: Firewall Learning Mode, “FLM Control” tab page, Operation and Configuration frames
Buttons
Parameter: “Start learning mode” / “Stop learning mode” / “Continue learning mode” buttons
  Meaning:
  Start learning mode: Starts the learning of traffic data when there is no data there yet.
  Stop learning mode: Interrupts the learning of traffic data.
  Continue learning mode: Continue the learning of traffic data when data is already there.
  Value range: Start learning mode, Stop learning mode, Continue learning mode
  Default setting: Start learning mode (deactivated)
Parameter: “Start testing mode” / “Stop testing mode” buttons
  Meaning:
  Start testing mode: Temporarily enters the rules released for testing for the relevant interface in the set of rules.
  Stop testing mode: Ends the test mode.
  Value range: Start testing mode, Stop testing mode
  Default setting: Start testing mode (deactivated)
Parameter: “Delete data” button
  Meaning: Interrupts the learning and deletes the learned traffic data. You have the option to restart the learning.
Table 39: Firewall Learning Mode, “FLM control” tab page, buttons
Note:
This dialog only provides you with the tab pages that you can use in the current status of the learn or test mode. If it is not possible to operate them, the “Internal interface” or “External interface” dialog tabs display their text as deactivated (grayed out).
The buttons in the dialog can display different names. They only provide the actions that you can perform in the current status of the FLM assistant. If no action is possible, the text on the button is displayed as deactivated (grayed out).
Frame “Information”
Parameter: State
  Meaning:
  Off: The learning is not active.
  No data present. Select interface and start learning: The learning is inactive and the Firewall has not learned any data yet.
  Stopped. Check interface data and release for test: You have interrupted the learning. You now have the option to check the learned data in the “Internal interface” or “External interface” dialog, derive rules from it, modify these rules, and release them for testing.
  Learning: You have started the learning. The device is collecting traffic data.
  Testing: You have started the test mode.
  Currently busy. Please wait: The device is currently busy processing data, or the graphical user interface is exchanging data with the device.
Parameter: Additional Information
  Meaning:
  (No display): The learning is not active.
  Normal operation: The learning is active. The device still has enough memory for traffic data.
  Stopped! No free memory: The available memory for learning connections is exhausted. The Firewall has stopped recording traffic data.
  Some connections have not been recorded: During the internal processing of the connections to be learned, the Firewall has detected too many hash collisions. This means that the Firewall has not recorded a number of connections. It is possible that the rules thus determined are incomplete and do not permit the desired traffic. Test the rules created from this learning procedure thoroughly.
Table 40: Firewall Learning Mode, “FLM control” tab page, “Information” frame
Parameter: IP Entries
  Meaning: Number of Layer 3 connections learned up to now that have been received at the selected interfaces. For TCP packets, the Firewall only counts the setting up of the connection. For other Layer 4 protocols, it only counts the first packet of a connection. A connection is a unique combination of source and destination addresses, source and destination ports, and the Layer 4 protocol number of the IP header. In ICMP packets, the Firewall ignores the codes. The Firewall allocates ICMP packets for which only the code differs to a single connection. To update the display while the learning is running, press the “Reload” button.
Parameter: Free memory for learning Data [%]
  Meaning: Displays the memory remaining for the connections to be learned. The Firewall can learn up to 65,536 different connections. To update the display while the learning is running, press the “Reload” button.
Table 40: Firewall Learning Mode, “FLM control” tab page, “Information” frame (continued)
Figure 25: Firewall Learning Mode dialog, “FLM control” tab page
Frame “Captured Data”
Parameter: Index
  Meaning: Sequential line index.
Parameter: Source IP
  Meaning: Learned IP source address
  Value range: IPv4 address
Parameter: Source port
  Meaning: Learned UDP or TCP source port
  Value range: 0-65535
Parameter: Destination IP
  Meaning: Learned IP destination address
  Value range: IPv4 address
Parameter: Destination Port
  Meaning: Learned UDP or TCP destination port.
  Value range: 0-65535
Parameter: Protocol
  Meaning: Learned Layer 4 protocol number from the IP header. The device displays known protocol numbers with their name.
  Value range: 0-255, icmp, tcp, udp
Parameter: “Add to Rule Set” button
  Meaning: Adds the selected rows of the learned data to the temporary set of rules. If you have selected multiple rows, the device takes over the first row as a rule. Afterwards you have the option to edit the rule.
  Note: The learned entries that are covered by the entire temporary set of rules are displayed in bright green by the device. The entries that are covered by the currently selected rules are displayed in dark green by the device. When you change a rule, e.g. shorten a netmask, the device automatically adjusts the dark green marking. This enables you to recognize quickly and easily how a changed rule covers the learned entries.
  Note: When you create a rule from an ICMP entry, the device allocates the destination port any to the rule.
Parameter: Hide Connections matching the learned Rules
  Meaning: When you activate this function, the device hides the learned entries that are covered by one of the rules instead of displaying them in green. You activate this function if you only want to display the entries not yet covered by rules.
Table 41: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Recorded data” frame
Parameter: Connections covered by Rule Set
  Meaning: Displays the number of learned connections that are covered by the entire temporary set of rules. In addition, after the forward slash, the device displays the total number of the learned connections.
  Value range: Format: covered / total
  Default setting: -
Parameter: Connections covered by Selected
  Meaning: Displays the number of learned connections that are covered by the entire temporary set of rules. In addition, after the forward slash, the device displays the total number of the learned connections.
  Value range: Format: covered / total
  Default setting: -
Table 41: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Recorded data” frame (continued)
Protocol | Port number
FTP (data, control) | 20, 21
SSH | 22
Telnet | 23
SMTP | 25
DHCP/BOOTP (Server, Client) | 67, 68
TFTP | 69
HTTP (www) | 80
POP3 | 110
NTP | 123
NetBIOS (Name, Datagram, Session Service) | 137, 138, 139
SNMP, SNMP Trap | 161, 162
HTTPS | 443
EtherNet/IP I/O | 2222
EtherNet/IP Messaging | 44818
Foundation Fieldbus Annunciation | 1089
Foundation Fieldbus Message Specification | 1090
Foundation Fieldbus System Management | 1091
Foundation Fieldbus LAN Redundancy Port | 3622
LonWorks | 2540
LonWorks2 | 2541
Modbus/TCP | 502
Profinet RT Unicast | 34962
Profinet RT Multicast | 34963
Profinet Context Manager | 34964
IEC 60870-5-104 | 2404
DNP | 20000
Ethercat | 34980
Table 42: Examples for registered port numbers
Note:
At http://www.iana.org/assignments/port-numbers you can find a list of the registered port numbers.
Frame “Rules”
Note:
Most of the columns in this table are identical to those in the Incoming IP packets and Outgoing IP packets dialogs.
Parameter: Index
  Meaning: Sequential line index.
Parameter: Description
  Meaning: Description of this entry. If the Firewall created the entry from the learned data of the Firewall Learning Mode (FLM), the device enters the text “learned by FLM”.
  Value range: 0-128 ASCII characters
Parameter: Active
  Meaning: Activate/deactivate the rule.
  Note: If you created the rule in the Firewall learn mode, the rule is active. This setting cannot be changed within the FLM dialog. You can modify the rule later in the Incoming IP Packets or Outgoing IP packets dialog.
  Value range: On
  Default setting: On
Parameter: Source IP (CIDR)
  Meaning: IP Address with Netmask (CIDR) of the actual source of the data packet.
  Note: If you want to use an address template, enter the name of the address template. Put a dollar sign (“$”) in front of the name to indicate that it is a variable name.
  Note: If you are using address templates in the rules that you have derived from the learned data, these rules will then function correctly. However, the device ignores these rules when marking and hiding the learned data.
  Value range: IP Address with Netmask, any = all, me = own IP address, $<template name> = address template
  Default setting: any
Table 43: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Rules” frame
Parameter: Source Port
  Meaning: Logical source port of the data packet. You can also use operators (op) to select multiple ports:
  = equal to
  != not equal to
  < less than
  <= less than or equal to
  > greater than
  >= greater than or equal to
  >< within
  <> outside of
  Use decimal numbers for the port ID. You can also enter the following known ports as ASCII characters:
  7 tcp/udp: echo
  9 tcp/udp: discard
  20 tcp: ftp-data
  21 tcp: ftp
  22 tcp/udp: ssh
  23 tcp: telnet
  53 tcp/udp: domain
  67 tcp/udp: bootps
  68 tcp/udp: bootpc
  69 udp: tftp
  80 tcp/udp: www, http
  88 tcp/udp: kerberos
  115 tcp: sftp
  123 tcp: ntp
  161 udp: snmp
  162 udp: snmp-trap
  179 tcp/udp: bgp
  389 tcp/udp: ldap
  443 tcp/udp: https
  To selectively check incoming IP packets for specific ICMP traffic criteria, use:
  - the entry icmp for the parameter “Protocol”
  - for the parameter “Source Port” the following definition for the ICMP type and code: type
  Value range: any = all, op port, port 1 op port 2, type
  Default setting: any
Table 43: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Rules” frame (continued)
Parameter: Destination IP (CIDR)
  Meaning: IP Address with Netmask (CIDR) of the actual destination of the data packet.
  Note: If you want to use an address template, enter the name of the address template. Put a dollar sign (“$”) in front of the name to indicate that it is a variable name.
  Note: If you are using address templates in the rules that you have derived from the learned data, these rules will then function correctly. However, the device ignores these rules when marking and hiding the learned data.
  Value range: IP Address with Netmask, any = all, me = own IP address, $<template name> = address template
Parameter: Destination Port
  Meaning: Logical destination port of the data packet. To select multiple ports, you can use the same operators as for the source port. Use decimal numbers for the port ID. You can also enter the same known ports, as with the source port, as ASCII characters.
  Value range: any = all, op port, port 1 op port 2
  Default setting: any
Table 43: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Rules” frame (continued)
Parameter: Protocol
  Meaning: You can enter the following protocols as ASCII characters:
  any: Any Layer 4 protocol
  tcp: Transmission Control Protocol (RFC 793)
  udp: User Datagram Protocol (RFC 768)
  icmp: Internet Control Message Protocol (RFC 792)
  igmp: Internet Group Management Protocol (RFCs 1112 (v1), 2236 (v2), 3376 (v3))
  ipip: IP in IP Tunneling (RFC 1853)
  esp: IPsec Encapsulated Security Payload (RFC 2406)
  ah: IPsec Authentication Header (RFC 2402)
  ipv6-icmp: Internet Control Message Protocol for IPv6 (RFC 4443)
  <0 - 255>: Number of the Layer 4 protocol in the IP header
  Note: With the udp and tcp protocols, you have the option to enter the protocol ports in the “Source port” and “Destination Port” columns. For other protocols you enter any for “Source port” and “Destination Port”.
  Note: You can select the protocols any, tcp, udp and icmp from the list. Manually enter the protocols igmp, ipip, esp, ah, ipv6-icmp and <0 - 255>.
  Note: The stateful firewall supports the protocols tcp, udp and icmp.
  Value range: any = all, tcp, udp, icmp (additionally: igmp, ipip, esp, ah, ipv6-icmp, <0 - 255>)
  Default setting: any
Parameter: Action
  Meaning: Action that the Firewall performs if the rule applies.
  Note: If you created the rule in the Firewall learn mode, the action is accept. This setting cannot be changed within the FLM dialog. You can modify the rule later in the Incoming IP Packets or Outgoing IP packets dialog.
  Value range: accept
  Default setting: accept
Table 43: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Rules” frame (continued)
Parameter: Log
  Meaning: Entry in the event list if the Firewall uses the rule. If applicable, the device also sends a trap.
  Note: The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the Firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
  Value range: enable, disable, logAndTrap
  Default setting: disable
Parameter: Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).
Table 43: Firewall Learning Mode, “Internal interface” and “External interface” tab pages, “Rules” frame (continued)
Buttons
Parameter: “Release for Test” / “Unrelease” buttons
  Meaning:
  Release for Test: Adds the rules of the temporary set of rules to the provisional productive rule base for testing. In the process, the device helps prevent the released rules from being changed in the productive rule base.
  Unrelease: Removes the rules of the temporary set of rules from the productive rule base again. The device unblocks the rules for editing in the Firewall learn mode.
Parameter: “Remove Rule” button
  Meaning: Deletes the selected rules from the temporary set of rules.
Table 44: Firewall learn mode, “Internal interface” and “External interface” tab pages, buttons
Note:
The buttons in the dialog can display different names. A button enables the action that is possible in the current status.
Figure 26: Firewall Learn Mode dialog, “External interface” tab page
Details of the Example Screenshot
Figure 26 displays the “External interface” dialog tab page after the following steps. The user has:
- started the learning mode,
- accessed the graphical user interface of a switch in the internal network from a work station (has loaded the graphical user interface and opened dialogs),
- interrupted the learning mode again,
- selected the “External Interface” dialog tab page,
- sorted the data entered in ascending order based on the IP source address,
- derived 2 rules from the desired traffic and modified these.
Figure 26 shows the following details:
- The white rows of the recorded data show that the Firewall at the external interface has learned NetBIOS traffic from different hosts at the network Broadcast address 10.115.63.255. This traffic is undesired, so the user has not created any rules for this.
- The green rows show that the Firewall has also learned SNMP and HTTP traffic from work station 172.17.255.134 to switch 10.0.1.116. This traffic is desired, so the user has created rules for this.
- From the data item with the index 3, the user has added a rule to the temporary set of rules (the rule with the index 2) in order to permit the HTTP traffic between the work station and the switch.
  – The Firewall has initially taken TCP source port 1643 into the rule.
  – The user has changed the source port of the rule to any (displayed in dark gray) so that the randomly selected source ports are permitted for HTTP traffic.
- From the data item with the index 1, the user has added a rule to the temporary set of rules (the rule with the index 3) in order to permit the SNMP traffic between the work station and the switch.
  – The Firewall has initially taken UDP source port 1623 into the rule.
  – The user has changed the source port of the rule to any so that the randomly selected source ports are permitted for SNMP traffic.
- The green rows in the recorded data show that now the outgoing HTTP and SNMP traffic from the work station to the switch would be permitted by the rules.
  – The dark green row displays the traffic permitted by rule 3. This rule is currently selected.
  – The light green rows of the recorded data display the traffic permitted by the other rules of the temporary set of rules (here only rule 2). These rules are de-selected.
The user can now:
- select rules 2 and 3 and use the “Release for Test” button to add them to the set of rules to be tested,
- click the “Start Testing Mode” button in the “FLM control” dialog tab page,
- create additional network traffic.
The Firewall will now:
- permit the SNMP and HTTP traffic from the work station to the switch. The Firewall now ignores this traffic when learning.
- only learn the traffic not yet permitted. It thus helps the user to detect and analyze any additional desired traffic. It thus assists the user in improving the rules.
4.1.3 Incoming and outgoing IP packets

The Firewall allows you to check the incoming IP packets at the external and internal ports based on:
– the logical source port
– the source IP address
– the logical destination port
– the destination IP address
– the transmission protocol
For every packet that does not match any of the rules in the table, but only the invisible default rule “drop everything”, you have the option of creating a log entry. To do this, activate the setting “Log if non-matching”.
You can create, delete and edit rules, and you can change their order. Select one or more sequential rows to be moved and move your selection with the “ ↑ ” and “ ↓ ” buttons. You can also duplicate (clone) a rule and then edit it.
Index
  Meaning: Sequential line index.

Description
  Meaning: Description of this entry. If the Firewall created the entry from the learned data of the Firewall Learning Mode (FLM), the device enters the text “learned by FLM”.
  Value range: 0-128 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Source IP (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual source of the data packet.
  Note: If you want to use an address template, enter the name of the address template. Put a dollar sign (“$”) in front of the name to indicate that it is a variable name.
  Value range: IP address with netmask; any = all; me = own IP address; $<template name> = address template
  Default setting: any

Source Port
  Meaning: Logical source port of the data packet. You can also use operators (op) to select multiple ports:
    =   equal to
    !=  not equal to
    <   less than
    <=  less than or equal to
    >   greater than
    >=  greater than or equal to
    ><  within
    <>  outside of
  Use decimal numbers for the port ID. You can also enter the following known ports as ASCII characters:
    7    tcp/udp  echo
    9    tcp/udp  discard
    20   tcp      ftp-data
    21   tcp      ftp
    22   tcp/udp  ssh
    23   tcp      telnet
    53   tcp/udp  domain
    67   tcp/udp  bootps
    68   tcp/udp  bootpc
    69   udp      tftp
    80   tcp/udp  www, http
    88   tcp/udp  kerberos
    115  tcp      sftp (the Simple File Transfer Protocol of IANA port 115, not file transfer over SSH, which uses port 22)
    123  tcp      ntp
    161  udp      snmp
    162  udp      snmp-trap
    179  tcp/udp  bgp
    389  tcp/udp  ldap
    443  tcp/udp  https
  To selectively check incoming IP packets for specific ICMP traffic criteria, use the entry icmp for the parameter “Protocol” and, for the parameter “Source Port”, the ICMP type and code as listed in Table 46.
  Value range: any = all; op port; port 1 op port 2; ICMP type (with the protocol icmp)
  Default setting: any

Destination IP (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual destination of the data packet.
  Note: If you want to use an address template, enter the name of the address template. Put a dollar sign (“$”) in front of the name to indicate that it is a variable name.
  Value range: IP address with netmask; any = all; me = own IP address; $<template name> = address template
  Default setting: any

Destination Port
  Meaning: Logical destination port of the data packet. To select multiple ports, you can use the same operators as for the source port. Use decimal numbers for the port ID. You can also enter the same known ports, as with the source port, as ASCII characters.
  Value range: any = all; op port; port 1 op port 2
  Default setting: any

Protocol
  Meaning: You can enter the following protocols as ASCII characters:
    any        any Layer 4 protocol
    tcp        Transmission Control Protocol (RFC 793)
    udp        User Datagram Protocol (RFC 768)
    icmp       Internet Control Message Protocol (RFC 792)
    igmp       Internet Group Management Protocol (RFCs 1112 (v1), 2236 (v2), 3376 (v3))
    ipip       IP in IP Tunneling (RFC 1853)
    esp        IPsec Encapsulating Security Payload (RFC 2406)
    ah         IPsec Authentication Header (RFC 2402)
    ipv6-icmp  Internet Control Message Protocol for IPv6 (RFC 4443)
    <0-255>    number of the Layer 4 protocol in the IP header
  Note: You can select the protocols any, tcp, udp and icmp from the list. Manually enter the protocols igmp, ipip, esp, ah, ipv6-icmp and <0-255>.
  Note: With the udp and tcp protocols, you have the option to enter the protocol ports in the “Source port” and “Destination Port” columns. For other protocols you enter any for “Source port” and “Destination Port”.
  Note: The stateful firewall supports the protocols tcp, udp and icmp.
  Value range: any = all; tcp; udp; icmp (additionally: igmp, ipip, esp, ah, ipv6-icmp, <0-255>)
  Default setting: any

Action
  Meaning: Action that the Firewall performs if the rule applies.
  Value range: accept, drop, reject
  Default setting: drop (incoming), accept (outgoing)

Log
  Meaning: Entry in the event list if the Firewall uses the rule. If applicable, the device also sends a trap.
  Note: The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the Firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
  Value range: enable, disable, logAndTrap
  Default setting: disable

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 45: Incoming/outgoing IP packets at the external/internal port
ICMP Type  Name                     ICMP Code  Name                                                                    Reference
0          Echo Reply               0          No Code                                                                 RFC 792
3          Destination Unreachable  0          Net Unreachable                                                         RFC 792
                                    1          Host Unreachable                                                        RFC 792
                                    2          Protocol Unreachable                                                    RFC 792
                                    3          Port Unreachable                                                        RFC 792
                                    4          Fragmentation Needed and Don't Fragment was Set                         RFC 792
                                    5          Source Route Failed                                                     RFC 792
                                    6          Destination Network Unknown                                             RFC 1122
                                    7          Destination Host Unknown                                                RFC 1122
                                    8          Source Host Isolated                                                    RFC 1122
                                    9          Communication with Destination Network is Administratively Prohibited   RFC 1122
                                    10         Communication with Destination Host is Administratively Prohibited      RFC 1122
5          Redirect                 0          Redirect Datagram for the Network (or subnet)                           RFC 792
                                    1          Redirect Datagram for the Host                                          RFC 792
                                    2          Redirect Datagram for the Type of Service and Network                   RFC 792
                                    3          Redirect Datagram for the Type of Service and Host                      RFC 792
8          Echo                     0          No Code                                                                 RFC 792
9          Router Advertisement     0          Normal router advertisement                                             RFC 1256
                                    16         Does not route common traffic                                           RFC 3344
10         Router Solicitation      0          No Code                                                                 RFC 1256
11         Time Exceeded            0          Time to Live exceeded in Transit                                        RFC 792
                                    1          Fragment Reassembly Time Exceeded                                       RFC 792

Table 46: ICMP types and codes
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List , you find the summary of the active rules.
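The rule table above is evaluated top-down and the first matching active rule decides; a packet that matches nothing falls through to the invisible “drop everything” rule. The following script is an added example, not Hirschmann code: it models the columns of Table 45 (CIDR addresses with any and me, port expressions with the operators and known-port names listed above, protocol, action, log) and runs a constructed rule set modelled on the FLM example against a few constructed packets. The NetBIOS ports 137 to 139, the Firewall address 10.0.1.1 and all function and class names are assumptions; address templates ($name) are not resolved.

```python
"""First-match evaluation of IP packet filter rules in the style of Table 45.

Added example, not Hirschmann code. Models Source/Destination IP (CIDR, any,
me), Source/Destination Port with the operators = != < <= > >= >< <> and the
known-port names of Table 45, Protocol, Action, Log, and the invisible
default rule "drop everything" with the "Log if non-matching" option.
All names are hypothetical; address templates ($name) are not resolved.
"""
import ipaddress
import re
from dataclasses import dataclass

# Known port names as listed in Table 45 (the manual's "ASCII characters").
KNOWN_PORTS = {
    "echo": 7, "discard": 9, "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
    "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80, "http": 80,
    "kerberos": 88, "sftp": 115, "ntp": 123, "snmp": 161, "snmp-trap": 162,
    "bgp": 179, "ldap": 389, "https": 443,
}

# "op port" or "port1 op port2"; the first operand may not itself be an operator.
_PORT_EXPR = re.compile(
    r"^\s*(?:(?P<p1>[A-Za-z0-9-]+)\s*)?(?P<op>><|<>|<=|>=|!=|=|<|>)\s*(?P<p2>\S+)\s*$"
)

def _port_value(token: str) -> int:
    token = token.strip().lower()
    if token in KNOWN_PORTS:
        return KNOWN_PORTS[token]
    if not token.isdigit() or not 0 <= int(token) <= 65535:
        raise ValueError(f"bad port {token!r}")
    return int(token)

def port_matches(expr: str, port: int) -> bool:
    """Evaluate a Source/Destination Port expression against a port number."""
    expr = expr.strip()
    if expr.lower() == "any":
        return True
    m = _PORT_EXPR.match(expr)
    if not m:
        return port == _port_value(expr)  # a bare number or name means "= port"
    op, p1, p2 = m.group("op"), m.group("p1"), _port_value(m.group("p2"))
    if p1 is not None:  # two operands: only the range operators are allowed
        lo = _port_value(p1)
        if op == "><":
            return lo <= port <= p2          # within (assumed inclusive)
        if op == "<>":
            return port < lo or port > p2    # outside of
        raise ValueError(f"operator {op} takes a single port")
    if op in ("><", "<>"):
        raise ValueError(f"operator {op} needs two ports")
    return {"=": port == p2, "!=": port != p2, "<": port < p2,
            "<=": port <= p2, ">": port > p2, ">=": port >= p2}[op]

def addr_matches(spec: str, addr: str, own_ip: str) -> bool:
    """Source IP / Destination IP column: CIDR, any (all) or me (own address)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    if spec.lower() == "me":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(own_ip)
    if spec.startswith("$"):
        raise ValueError("address templates are not resolved in this example")
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Rule:
    src: str
    src_port: str
    dst: str
    dst_port: str
    protocol: str         # any | tcp | udp | icmp | ...
    action: str           # accept | drop | reject
    active: bool = True
    log: str = "disable"  # enable | disable | logAndTrap
    description: str = ""

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int = 0  # for icmp this carries the ICMP type, as the manual uses "Source Port"
    dst_port: int = 0

def rule_matches(rule: Rule, pkt: Packet, own_ip: str) -> bool:
    if not rule.active or rule.protocol.lower() not in ("any", pkt.protocol.lower()):
        return False
    return (addr_matches(rule.src, pkt.src, own_ip) and addr_matches(rule.dst, pkt.dst, own_ip)
            and port_matches(rule.src_port, pkt.src_port) and port_matches(rule.dst_port, pkt.dst_port))

def evaluate(rules, pkt: Packet, own_ip: str, log_if_non_matching: bool = False):
    """Return (action, 1-based index of the first matching rule or None, log entry or None).

    A packet matching no rule falls through to the invisible default rule "drop everything".
    """
    flow = f"{pkt.protocol} {pkt.src}:{pkt.src_port} -> {pkt.dst}:{pkt.dst_port}"
    for idx, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt, own_ip):
            entry = f"rule {idx} ({rule.description}) {rule.action} {flow}" if rule.log != "disable" else None
            return rule.action, idx, entry
    return "drop", None, (f"default drop {flow}" if log_if_non_matching else None)

# Constructed rule set modelled on the FLM example: rule 2 (HTTP) and rule 3 (SNMP)
# with the source port widened to any, preceded by a logged drop of the unwanted
# NetBIOS traffic to the broadcast address (ports 137-139 assumed).
EXAMPLE_RULES = [
    Rule("any", "any", "10.115.63.255/32", "137 >< 139", "udp", "drop",
         log="enable", description="NetBIOS to broadcast"),
    Rule("172.17.255.134/32", "any", "10.0.1.116/32", "= http", "tcp", "accept",
         description="learned by FLM"),
    Rule("172.17.255.134/32", "any", "10.0.1.116/32", "= snmp", "udp", "accept",
         description="learned by FLM"),
]

if __name__ == "__main__":
    own = "10.0.1.1"  # assumed own address of the Firewall
    print(evaluate(EXAMPLE_RULES, Packet("172.17.255.134", "10.0.1.116", "tcp", 1643, 80), own))
    print(evaluate(EXAMPLE_RULES, Packet("172.17.255.134", "10.0.1.116", "tcp", 40000, 22), own, True))
```

Because the match is first-hit, the order of the learned rules matters as much as their content: a broad accept placed above a narrow drop silently disables the drop, which is why the manual lets you move rows with the arrow buttons.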
4.1.4 Incoming and outgoing MAC packets

The Firewall allows you to check the incoming MAC packets at the external and internal ports based on:
– the source MAC address
– the destination MAC address
– the type field of the MAC data packet

Transparent Mode

In the transparent mode, the following settings have priority above the entries in the MAC packet filters:
– “HiDiscovery Relay” in the Basic Settings:Network:Transparent Mode dialog,
– “RSTP” in the Enhanced:Packet Forwarding dialog,
– “GMRP” in the Enhanced:Packet Forwarding dialog,
– “DHCP” in the Enhanced:Packet Forwarding dialog.
This property saves you from having to create special MAC packet filter rules for these application cases.
Router Mode
In router mode, the Firewall only transmits IP packets. Other packets are dropped, with the exception of Broadcast and Multicast packets. The rules for MAC packets still apply if an IP packet is addressed to an interface of the Firewall. To improve the transmission performance of the Firewall, you can deactivate the rules for MAC packets in router mode.
You can create, delete and edit rules, and you can change their order. Select one or more sequential rows to be moved and move your selection with the “ ↑ ” and “ ↓ ” buttons. You can also duplicate (clone) a rule and then edit it.
Index
  Meaning: Sequential line index.

Description
  Meaning: Description of this entry.
  Value range: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Source Address
  Meaning: MAC address of the actual source of the data packet. Entry format: 11:22:33:44:55:66. Entering “?” enables wildcards to be used. Example: 1?:22:??:44:55:6?
  Default setting: any

Destination Address
  Meaning: MAC address of the actual destination of the data packet. Entry format: 11:22:33:44:55:66. Entering “?” enables wildcards to be used. Example: 1?:22:??:44:55:6?

Protocol
  Meaning: Protocol in the type field of the MAC data packet.

Action
  Meaning: Action that the Firewall performs if the rule applies.
  Value range: accept, drop
  Default setting: drop (outgoing), accept (incoming)

Log
  Meaning: Entry in the event list if the Firewall uses the rule. If applicable, the device also sends a trap.
  Note: The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the Firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
  Value range: enable, disable, logAndTrap
  Default setting: disable

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 47: Incoming/outgoing MAC packets at the external/internal port
Note:
The Firewall supports up to 256 MAC rules. In the dialog Diagnostics:MAC Firewall List , you find the summary of the active rules.
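The “?” wildcard in Table 47 stands for one hexadecimal digit, so a pattern like 1?:22:??:44:55:6? selects a range of addresses within a vendor prefix rather than one station. The following added example (not Hirschmann code) validates such a pattern, matches addresses against it case-insensitively and runs a first-match pass over a constructed rule list. The Protocol column is modelled as an EtherType number or any, since this page does not state how the device encodes the type field; that encoding and all names are assumptions.

```python
"""Wildcard matching for MAC filter rules in the style of Table 47.

Added example, not Hirschmann code. Table 47 gives the entry format
11:22:33:44:55:66 and lets "?" stand for any single hex digit, e.g.
1?:22:??:44:55:6?. The value any matches every address. The Protocol
column is modelled as an EtherType number or "any" (assumption).
All names are hypothetical.
"""
import re

_PATTERN = re.compile(r"^(?:[0-9A-Fa-f?]{2}:){5}[0-9A-Fa-f?]{2}$")
_ADDRESS = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def mac_pattern_to_regex(pattern: str):
    """Validate a filter pattern and compile it, one hex digit per "?"."""
    if pattern.lower() == "any":
        return re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
    if not _PATTERN.match(pattern):
        raise ValueError(f"invalid MAC pattern {pattern!r}")
    # After validation the pattern contains only hex digits, ":" and "?",
    # so the replacement cannot introduce unintended regex metacharacters.
    return re.compile("^" + pattern.lower().replace("?", "[0-9a-f]") + "$")

def mac_matches(pattern: str, mac: str) -> bool:
    """True if the address falls under the pattern; hex digit case is ignored."""
    if not _ADDRESS.match(mac):
        raise ValueError(f"invalid MAC address {mac!r}")
    return mac_pattern_to_regex(pattern).match(mac.lower()) is not None

def first_match(rules, src: str, dst: str, ethertype: int, default_action: str):
    """First-match evaluation over (source pattern, destination pattern, protocol,
    action) rules. default_action is the table's per-direction default (accept for
    incoming, drop for outgoing). Returns (action, 1-based rule index or None)."""
    for idx, (src_pat, dst_pat, proto, action) in enumerate(rules, start=1):
        if proto != "any" and proto != ethertype:
            continue
        if mac_matches(src_pat, src) and mac_matches(dst_pat, dst):
            return action, idx
    return default_action, None

# Constructed rules: drop broadcasts from one (assumed) vendor prefix, accept
# only ARP frames (EtherType 0x0806) from a second prefix, everything else
# falls back to the direction's default action.
EXAMPLE_RULES = [
    ("00:1A:2B:??:??:??", "FF:FF:FF:FF:FF:FF", "any", "drop"),
    ("64:60:38:??:??:??", "any", 0x0806, "accept"),
]

if __name__ == "__main__":
    print(mac_matches("1?:22:??:44:55:6?", "1A:22:FF:44:55:6B"))
    print(first_match(EXAMPLE_RULES, "00:1A:2B:01:02:03", "FF:FF:FF:FF:FF:FF", 0x0800, "accept"))
```

Note that the wildcard works on single hex digits, not on octets: 1?:... covers 10 to 1F only, so a whole OUI needs “??” in each of the three trailing octets, as in the constructed rules.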
4.1.5 Incoming PPP packets

The Firewall allows you to check the incoming PPP packets at the external port based on:
– the logical source port
– the source IP address
– the logical destination port
– the destination IP address
– the transmission protocol
For every packet that does not match any of the rules in the table, but only the invisible default rule “drop everything”, you have the option of creating a log entry. To do this, activate the setting “Log if non-matching”.
Index
  Meaning: Sequential line index.

Description
  Meaning: Description of this entry.
  Possible values: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Possible values: on/off
  Default setting: off

Source IP (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual source of the data packet.
  Possible values: IP address with netmask; any = all; me = own IP address
  Default setting: any

Source Port
  Meaning: Logical source port of the data packet. You can also use the operators (=, !=, <, <=, >, >=, >< within, <> outside of) to select multiple ports. Use decimal numbers for the port ID. You can also enter the known ports listed for the Source Port in Table 45 as ASCII characters.
  Possible values: any = all; op port; port 1 op port 2
  Default setting: any

Destination Net
  Meaning: IP address with netmask (CIDR) of the actual destination of the data packet.
  Possible values: IP address with netmask; any = all; me = own IP address

Destination Port
  Meaning: Logical destination port of the data packet. To select multiple ports, you can use the same operators as for the source port. Use decimal numbers for the port ID. You can also enter the same known ports, as with the source port, as ASCII characters.
  Possible values: any = all; op port; port 1 op port 2
  Default setting: any

Protocol
  Meaning: You can enter the following protocols as ASCII characters:
    any        any Layer 4 protocol
    tcp        Transmission Control Protocol (RFC 793)
    udp        User Datagram Protocol (RFC 768)
    icmp       Internet Control Message Protocol (RFC 792)
    igmp       Internet Group Management Protocol (RFCs 1112 (v1), 2236 (v2), 3376 (v3))
    ipip       IP in IP Tunneling (RFC 1853)
    esp        IPsec Encapsulating Security Payload (RFC 2406)
    ah         IPsec Authentication Header (RFC 2402)
    ipv6-icmp  Internet Control Message Protocol for IPv6 (RFC 4443)
    <0-255>    number of the Layer 4 protocol in the IP header
  Note: You can select the protocols any, tcp, udp and icmp from the list. Manually enter the protocols igmp, ipip, esp, ah, ipv6-icmp and <0-255>.
  Note: With the udp and tcp protocols, you have the option to enter the protocol ports in the “Source port” and “Destination Port” columns. For other protocols you enter any for “Source port” and “Destination Port”.
  Note: The stateful firewall supports the protocols tcp, udp and icmp.
  Possible values: any = all; tcp; udp; icmp (additionally: igmp, ipip, esp, ah, ipv6-icmp, <0-255>)
  Default setting: any

Action
  Meaning: Action that the Firewall performs if the rule applies.
  Possible values: accept, drop, reject
  Default setting: accept

Log
  Meaning: Entry in the event list if the Firewall uses the rule. If applicable, the device also sends a trap.
  Note: The logAndTrap setting can generate large quantities of trap data traffic. This is especially the case when sending the trap triggers a match in the Firewall rule again (e.g. if the trap host cannot be reached and a router responds with an ICMP message).
  Possible values: enable, disable, logAndTrap
  Default setting: disable

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 48: Incoming PPP packets at the external port
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List , you find the summary of the active rules.
4.2 NAT – Network Address Translation
The Firewall provides you with the following functions of the Network Address Translation protocol:
– IP Masquerading
– 1:1 NAT
– Port Forwarding
1:1 NAT allows you to set up communication connections in both directions.
4.2.1 General NAT settings

The settings in this dialog apply to all NAT procedures.

Maximum Connection Mappings
  Meaning: Maximum for the sum of the assigned connections of all NAT procedures that the Firewall permits.
  Value range: 0-4,096
  Default setting: 1,024

Timeout for Established TCP Connections
  Meaning: Time period in seconds for how long an active TCP connection is allowed to exist before the Firewall interrupts the TCP connection.
  Value range: 0-2,147,483,647 s
  Default setting: 3,600 s

Send packet on receiving interface allowed
  Meaning: Activate this setting if you want to permit the Firewall to resend a received packet after the NAT processing at the same interface. This setting is only necessary in certain special cases.
  Value range: on/off
  Default setting: off

Table 49: General NAT Settings
4.2.2 IP Masquerading

This dialog allows you to include up to 128 internal networks in the Network Address Translation.
Index
  Meaning: Sequential line index.

Description
  Meaning: Description of this entry.
  Value range: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Internal Network (CIDR)
  Meaning: IP address with netmask (CIDR) of the internal network, e.g. 10.1.2.0/24
  Value range: IP address with netmask
  Default setting: 192.168.1.0/24

FTP
  Meaning: Allow active FTP from the internal network.
  Value range: on/off
  Default setting: off

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 50: IP Masquerading
4.2.3 1:1 NAT This dialog allows you to enter, edit or delete up to 128 entries for a 1:1 address translation. You can create entries for individual terminal devices with a netmask 32 bits long, and entries for entire network areas with a correspondingly shorter netmask.
With 1:1 NAT, the device operates as a router and allocates an additional IP address in the external network for a terminal device in the internal network. In addition, as a proxy the device answers the ARP queries for the additional IP address in the external network. For outgoing data packets, the device replaces the internal source IP address of the terminal device with its external IP address. For incoming data packets, it replaces the external destination IP address with the internal IP address.
Note:
Before setting up 1:1 NAT, make sure that the IP address in the external (invert direction: internal) network is unused.
Index
  Meaning: Sequential line index.

Description
  Meaning: Description of this entry.
  Value range: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Internal Network
  Meaning: IP address of the internal network or the smallest IP address of the network area of the inner network.
  Value range: IP address
  Default setting: 192.168.1.1

External Network
  Meaning: IP address of the external network or the smallest IP address of the network area of the external network.
  Value range: IP address
  Default setting: 10.0.1.1

Netmask
  Meaning: Netmask for the area to be translated.
  Value range: 1-32
  Default setting: 32

FTP
  Meaning: Allow active FTP from the internal network.
  Value range: on/off
  Default setting: off

Invert Direction
  Meaning: Allocate an additional IP address (via proxy ARP) for an external terminal device at the internal interface, instead of for an internal terminal device at the external interface. Thus terminal devices in the internal network can communicate with external terminal devices without gateway entries.
  Note: Before setting up inverse 1:1 NAT, make sure that the IP address in the internal network is unused.
  Value range: on/off
  Default setting: off

Double-NAT
  Meaning: With Double NAT, when the source address is replaced in the packets, the device also replaces the destination address if there is a corresponding rule. Thus terminal devices in both the internal and external networks can communicate with terminal devices in the other network without gateway entries.
  Note: For the replacement of the destination address, enter an additional rule for the address conversion of the external terminal device. Activate “Output” (Double NAT). In addition, activate the inversion for this second rule.
  Value range: on/off
  Default setting: off

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 51: 1:1 NAT
The device allows you to combine 1:1 NAT with router redundancy (see on …).
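The translation described in 4.2.3 keeps the host bits of an address and swaps only the network bits, which is what lets one entry with a short netmask cover a whole network area, and the proxy-ARP answer is what makes the alias reachable without gateway entries. The following added example (not Hirschmann code) models a 1:1 NAT table with “Invert Direction” and “Double NAT” and computes both translation directions for constructed entries; it also checks the one part of the “address must be unused” notes that can be verified offline, namely that no two entries claim overlapping alias areas. How the device decides that Double NAT applies is not spelled out on this page, so the rule used here (a second translation in the same packet happens when either involved entry has double_nat set) and all names are assumptions.

```python
"""1:1 NAT address translation as described in section 4.2.3.

Added example, not Hirschmann code. An entry pairs an internal address (or
the lowest address of an internal area) with an external one of the same
size; the host bits are kept and only the network bits are exchanged. With
"Invert Direction" the extra address is allocated in the internal network
for an external device instead of in the external network for an internal
one. Double NAT semantics are an assumption (see translate()). All names
are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OneToOneNat:
    internal: str            # "Internal Network" column
    external: str            # "External Network" column
    netmask: int = 32        # "Netmask" column, 1-32
    invert: bool = False     # "Invert Direction"
    double_nat: bool = False # "Double-NAT"

    def area(self, side: str):
        base = self.internal if side == "internal" else self.external
        return ipaddress.ip_network(f"{base}/{self.netmask}", strict=False)

    def contains(self, addr: str, side: str) -> bool:
        return ipaddress.ip_address(addr) in self.area(side)

    def map(self, addr: str, from_side: str, to_side: str) -> str:
        """Keep the host bits of addr, swap the network bits of from_side for to_side."""
        src_net, dst_net = self.area(from_side), self.area(to_side)
        host = int(ipaddress.ip_address(addr)) & int(src_net.hostmask)
        return str(ipaddress.ip_address(int(dst_net.network_address) | host))

    def alias_area(self):
        """Addresses the Firewall answers ARP for on behalf of this entry."""
        return self.area("internal" if self.invert else "external")

def _first(entries, predicate):
    return next((e for e in entries if predicate(e)), None)

def translate(entries, direction: str, src: str, dst: str):
    """Apply 1:1 NAT to one packet; returns (new_src, new_dst).

    "out" (internal -> external): a regular entry replaces an internal source by
    its external alias; an inverted entry replaces an internal alias used as
    destination by the real external address.
    "in" (external -> internal): an inverted entry replaces an external source by
    its internal alias; a regular entry replaces an external alias used as
    destination by the internal address.
    Assumption: the destination is also rewritten in a packet whose source was
    rewritten (Double NAT) only if either involved entry has double_nat set.
    """
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    near, far = ("internal", "external") if direction == "out" else ("external", "internal")
    inverted = direction == "in"  # kind of entry that translates the source
    src_entry = _first(entries, lambda e: e.invert == inverted and e.contains(src, near))
    dst_entry = _first(entries, lambda e: e.invert != inverted and e.contains(dst, near))
    new_src = src_entry.map(src, near, far) if src_entry else src
    new_dst = dst
    if dst_entry and (src_entry is None or src_entry.double_nat or dst_entry.double_nat):
        new_dst = dst_entry.map(dst, near, far)
    return new_src, new_dst

def overlapping_aliases(entries):
    """Pairs of entries whose proxy-ARP areas overlap. The notes require every
    alias address to be unused; two entries allocating the same address is the
    part of that requirement that can be checked without looking at the network."""
    return [(a, b) for i, a in enumerate(entries) for b in entries[i + 1:]
            if a.alias_area().overlaps(b.alias_area())]

# Constructed configuration: the whole internal /24 gets external aliases in
# 10.0.1.0/24, and the external host 172.16.5.7 gets the internal alias
# 192.168.1.200 (inverted entry with Double NAT) so internal hosts reach it
# without a gateway entry.
EXAMPLE_ENTRIES = [
    OneToOneNat("192.168.1.0", "10.0.1.0", netmask=24),
    OneToOneNat("192.168.1.200", "172.16.5.7", netmask=32, invert=True, double_nat=True),
]

if __name__ == "__main__":
    print(translate(EXAMPLE_ENTRIES, "out", "192.168.1.10", "192.168.1.200"))
    print(translate(EXAMPLE_ENTRIES, "in", "172.16.5.7", "10.0.1.10"))
    print(overlapping_aliases(EXAMPLE_ENTRIES))
```

The overlap check only covers clashes between NAT entries; an alias that collides with a real host on the external (or, inverted, internal) segment still has to be ruled out by hand, as the notes in Table 51 demand.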
4.2.4 Port forwarding

A device can set up communication with a device in the internal network from the external network if you have previously entered the forwarding conditions in the table.
Index
  Meaning: Sequential line index.

Source IP (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual source of the data packet.
  Value range: IP address with netmask; any = all
  Default setting: any

Source Port
  Meaning: Logical source port of the data packet. You can optionally use the operator “=” (equal to). Use decimal numbers for the port ID. You can also enter the known ports listed for the Source Port in Table 45 as ASCII characters.
  Value range: 0..65,535; syntax: = port-no. or = port id, e.g. = http
  Default setting: any

Incoming Address
  Meaning: Destination address of the data packet that is received at the external port for forwarding. %extern indicates the IP address of the external port.
  Value range: %extern or IP address
  Default setting: %extern

Incoming Port
  Meaning: Logical port at which the data packet at the external port is received for forwarding. Use decimal numbers for the port ID. You can also enter the known ports listed for the Source Port in Table 45 as ASCII characters.
  Value range: 0..65,535
  Default setting: 80

Forward Address
  Meaning: IP address of the device in the internal network for which the data packet is intended.
  Default setting: 127.0.0.1

Forward Port
  Meaning: Logical port of the device in the internal network for which the data packet is intended. You can also enter the same known ports, as with the incoming port, as ASCII characters.
  Value range: 0..65,535
  Default setting: 80

Protocol
  Meaning:
    tcp   Transmission Control Protocol (RFC 793)
    udp   User Datagram Protocol (RFC 768)
    icmp  Internet Control Message Protocol (RFC 792)
  Value range: tcp, udp, icmp
  Default setting: tcp

Log
  Meaning: Entry in the event list if the Firewall uses the rule.
  Value range: Yes, No
  Default setting: No

Description
  Meaning: Description of this entry.
  Value range: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Error
  Meaning: Shows the last message for an unsuccessful attempt to activate the table entry (usually a detected syntax error).

Table 52: Port Forwarding
Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List , you find the summary of the active rules.
4.3 Helping protect against Denial of Service (DoS)
This function helps you to protect your network and your server from unauthorized access via excessive flooding with TCP connections, ping packets or ARP packets.
Note:
Adjust the values defined by the default settings to the TCP connections, ping packets and ARP packets actually required in your network. The device allows you to generate a log entry when a threshold has been exceeded. You can set this specifically for each threshold.
Max. incoming TCP Connections per s
  Meaning: Maximum number of new (SYN flag set) incoming TCP connections per second at the external port.
  Value range: 1-999,999
  Default setting: 25

Max. outgoing TCP Connections per s
  Meaning: Maximum number of new (SYN flag set) TCP connections per second arriving at the internal port.
  Value range: 1-999,999
  Default setting: 75

Max. incoming Ping Frames per s
  Meaning: Maximum number of incoming ping frames per second at the external port.
  Value range: 1-999,999
  Default setting: 3

Max. outgoing Ping Frames per s
  Meaning: Maximum number of ping frames per second arriving at the internal port.
  Value range: 1-999,999
  Default setting: 5

Max. incoming ARP Frames per s
  Meaning: Maximum number of incoming ARP frames per second at the external port.
  Value range: 1-999,999
  Default setting: 500

Max. outgoing ARP Frames per s
  Meaning: Maximum number of ARP frames per second arriving at the internal port.
  Value range: 1-999,999
  Default setting: 500

Table 53: Settings to help protect against Denial of Service
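The thresholds in Table 53 are per second and per port, and only new connections (SYN set) count towards the TCP limit, so the first step in tuning them is to measure the same counters on your own traffic. The following added example (not Hirschmann code) applies the default limits to a constructed frame trace and emits one log entry per threshold and second the first time a count exceeds its maximum, which is the logging behaviour the note above describes. The manual does not say how the device counts internally; the fixed one-second window and all names are assumptions.

```python
"""Per-second thresholds in the style of Table 53, applied to a frame trace.

Added example, not Hirschmann code. Counts new TCP connections (SYN set,
ACK clear), ping frames (ICMP echo request) and ARP frames per second on
the port they arrive at and logs the first frame in a second that exceeds
the configured maximum. The fixed one-second window is an assumption, as
are all names.
"""
from dataclasses import dataclass, field

# (counter, arrival port) -> maximum frames per second; defaults from Table 53.
# "outgoing" in the table means arriving at the internal port.
DEFAULT_LIMITS = {
    ("tcp_syn", "external"): 25, ("tcp_syn", "internal"): 75,
    ("ping", "external"): 3,     ("ping", "internal"): 5,
    ("arp", "external"): 500,    ("arp", "internal"): 500,
}

@dataclass
class Frame:
    ts: float           # arrival time in seconds
    port: str           # "external" or "internal": the port the frame arrives at
    kind: str           # "tcp", "icmp" or "arp"
    flags: str = ""     # TCP flags, e.g. "S" or "SA"
    icmp_type: int = -1

def classify(f: Frame):
    """Name of the counter a frame belongs to, or None if no threshold applies."""
    if f.kind == "tcp" and "S" in f.flags and "A" not in f.flags:
        return "tcp_syn"   # new connection attempt; SYN/ACK replies are not counted
    if f.kind == "icmp" and f.icmp_type == 8:
        return "ping"      # echo request only; echo replies are not counted
    if f.kind == "arp":
        return "arp"
    return None

@dataclass
class RateGuard:
    limits: dict = field(default_factory=lambda: dict(DEFAULT_LIMITS))
    log_enabled: dict = field(default_factory=dict)  # (counter, port) -> bool, default True
    log: list = field(default_factory=list)
    _second: dict = field(default_factory=dict)      # key -> the second currently counted
    _count: dict = field(default_factory=dict)
    _alerted: set = field(default_factory=set)

    def observe(self, f: Frame) -> bool:
        """Count one frame; True if it is the first in its second to exceed the limit."""
        counter = classify(f)
        if counter is None:
            return False
        key, second = (counter, f.port), int(f.ts)
        if self._second.get(key) != second:   # new window: reset this counter
            self._second[key], self._count[key] = second, 0
            self._alerted.discard(key)
        self._count[key] += 1
        if self._count[key] <= self.limits[key] or key in self._alerted:
            return False
        self._alerted.add(key)
        if self.log_enabled.get(key, True):   # per-threshold logging, as the note allows
            self.log.append(f"t={second}s {counter} on {f.port} port: "
                            f"{self._count[key]} > {self.limits[key]}/s")
        return True

def detect(frames, limits=None):
    """Run a trace through a fresh RateGuard and return its log entries."""
    guard = RateGuard(limits=dict(limits or DEFAULT_LIMITS))
    for f in sorted(frames, key=lambda fr: fr.ts):
        guard.observe(f)
    return guard.log

# Constructed trace: a 30-frame SYN burst and a 4-frame ping burst at the
# external port (both over the default limits), one SYN/ACK that is not a
# new connection, and 4 pings at the internal port (under its limit of 5).
SAMPLE_FRAMES = (
    [Frame(10.0 + i * 0.03, "external", "tcp", flags="S") for i in range(30)]
    + [Frame(10.5, "external", "tcp", flags="SA")]
    + [Frame(11.0 + i * 0.2, "external", "icmp", icmp_type=8) for i in range(4)]
    + [Frame(12.0 + i * 0.1, "internal", "icmp", icmp_type=8) for i in range(4)]
)

if __name__ == "__main__":
    for line in detect(SAMPLE_FRAMES):
        print(line)
```

Running the same counters over a capture of normal traffic before lowering the defaults shows whether, for instance, a monitoring system that pings the external port more than three times a second would trip the ping threshold.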
4.4 User Firewall
The user firewall allows you to create up to 32 firewall user entries. Every user firewall entry contains:
– a set of rules that defines which data packets the Firewall may forward or not,
– a list of the users to which the Firewall should apply these rules,
– a timeout to limit the usage period.
In the “Configuration” frame of the dialog you can activate or deactivate the user firewall globally and activate or deactivate the group authentication for users.
Group Authentication:
Group authentication allows you to organize multiple users into groups via a RADIUS server. If group authentication is active and an unknown person logs in to the user firewall, the Firewall checks the authenticity via the RADIUS server (see “Authentication Lists” on page 66). If the authentication is successful, the RADIUS server sends an “Accept” data packet with the attribute “Filter-ID=…” and the Firewall gives the user access.
To have a clear assignment of “user to user firewall entry”, you can assign exactly one entry to each user. You can assign multiple users to a firewall user entry.
You can create, delete and edit rules, and you can change their order. Select one or more sequential rows to be moved and move your selection with the “ ↑ ” and “ ↓ ” buttons. You can also duplicate (clone) a rule and then edit it.
Name
  Meaning: Unique name to identify this entry.
  Value range: 0-32 ASCII characters

Timeout Type
  Meaning: Defines the start of the timeout countdown:
    static   The countdown of the timeout begins when the user logs on.
    dynamic  The countdown of the timeout begins after the user logs off.
  Value range: static, dynamic
  Default setting: static

Source Address (CIDR)
  Meaning: IP address with netmask (CIDR) of the user.
  Value range: Unicast IP address
  Default setting: %authorized_ip

Description
  Meaning: Description of this entry.
  Value range: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Value range: on/off
  Default setting: off

Table 54: User Firewall Entries

Editing a user firewall entry

The Basic Settings tab page enables you to enter general specifications for this user firewall entry.
Name
  Meaning: Any name for this entry.
  Possible values: 0-32 ASCII characters

Timeout [s]
  Meaning: Maximum time for the duration of the user access.
  Possible values: 1-604,800 (7 days)
  Default setting: 28,800 (8 h)

Timeout Type
  Meaning: Defines the start of the timeout countdown:
    static   The countdown of the timeout begins when the user logs on.
    dynamic  The countdown of the timeout begins after the user logs off.
  Possible values: static, dynamic
  Default setting: static

Source Address
  Meaning: IP address of the user. If the user does not have a fixed IP address, the expression %authorized_ip allows you to take over the IP address from the user logon as the source address.
  Possible values: IP address, %authorized_ip
  Default setting: %authorized_ip

Description
  Meaning: Description of this entry.
  Possible values: 0-127 ASCII characters

Table 55: Basic Settings
The Users tab page allows you to name the user(s) to whom this user firewall entry applies. You define the users beforehand in the dialog Security:External Authentication:Users.
Account Name
  Meaning: Name of a user from the table Security:External Authentication:User-Firewall Accounts.

Active
  Meaning: Activate/deactivate the rule.
  Possible values: on/off
  Default setting: off

Table 56: Accounts
The Rules tab page enables you to create rules for this user firewall entry.
Source Port
  Meaning: Logical source port of the data packet. You can also use the operators (=, !=, <, <=, >, >=, >< within, <> outside of) to select multiple ports. Use decimal numbers for the port ID. You can also enter the known ports listed for the Source Port in Table 45 as ASCII characters.
  Possible values: any = all; op port; port 1 op port 2
  Default setting: any

Destination Network
  Meaning: IP address with netmask (CIDR) of the destination network, e.g. 10.1.2.0/24
  Possible values: IP address with netmask; any = all; me = own IP address

Destination Port
  Meaning: Logical destination port of the data packet. To select multiple ports, you can use the same operators as for the source port. Use decimal numbers for the port ID. You can also enter the same known ports, as with the source port, as ASCII characters.
  Possible values: any = all; op port; port 1 op port 2
  Default setting: any

Protocol
  Meaning: You can also enter the following known protocols as ASCII characters:
    tcp   Transmission Control Protocol (RFC 793)
    udp   User Datagram Protocol (RFC 768)
    icmp  Internet Control Message Protocol (RFC 792)
  Possible values: any, tcp, udp, icmp
  Default setting: tcp

Log
  Meaning: Entry in the event list if the Firewall uses the rule.
  Possible values: Yes, No
  Default setting: No

Description
  Meaning: Description of this entry.
  Possible values: 0-127 ASCII characters

Active
  Meaning: Activate/deactivate the rule.
  Possible values: on/off
  Default setting: off

Table 57: Rules

Note:
The Firewall supports up to 1024 IP rules. In the dialog Diagnostics:IP Firewall List, you find the summary of the active rules.
5 VPN – Virtual Private Network
The device provides you with an assistant for setting up a VPN connection.
This assistant takes you through the configuration of a VPN connection step by step. The assistant selects the next step for you, depending on the settings you have already made. The device also gives you the option of making or editing the settings independently of the assistant in the individual dialogs.
5.1 Device connection
With this dialog you can:
– create up to 256 VPN connections on the external port and give them names. Each row (entry) in the list represents a VPN connection. Up to 64 of the configured connections can be active and in the status up at the same time.
– enter a password for the remote controlled activation/deactivation of a connection.
– instruct the device to validate received and local certificates before using them (default setting: "Certification validation" activated).
– use the "VPN" LED of the EAGLE One device to display active VPN connections (default setting: "VPN LED Indication" deactivated).
– define an IP address range from which the EAGLE One allocates an address to the clients of VPN connections that request an address.
– define the source for the activation of the service mode.
You can select a VPN entry and:
– delete it
– edit it
For a selected entry, you can:
– display information
– load a PKCS#12 file from the PC.
You need the name of a VPN connection together with the password in order to activate or deactivate a VPN connection remotely. To do this, you access the following URL of the device, using vpn as the user name and the password entered in this dialog:
https://vpn:<password>@<IP address of the device>/nph-vpn.cgi?name=<connection name>&cmd=<up|down>
Examples:
https://vpn:<password>@<IP address of the device>/nph-vpn.cgi?name=test1&cmd=up
https://vpn:<password>@<IP address of the device>/nph-vpn.cgi?name=two&cmd=down
Because the password is part of the URL, it is stored in browser histories and may appear in proxy logs; use a dedicated password for this function and keep the URL out of scripts that are shared.
The "VPN LED Indication" field enables you to use the "VPN" LED of the EAGLE One device to display active VPN connections. The values that can be entered have the following meanings:
Setting
off on
LED VPN Meaning
Not Glowing Use the "VPN" LED of the EAGLE One device to display active VPN connections. Not glowing One of the following cases applies: No VPN connection is active.
No active VPN connection is in up status.
Glowing green The LED glows green when one or more active VPN connections are in up status..
Table 58: Meaning of the values in the "VPN LED Indication" field.
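The remote activation URL above can be driven from a script. The following is an added example, not code from this manual or from Hirschmann; it assumes only what the text states (HTTP basic authentication with user name "vpn" and the password from this dialog, the path /nph-vpn.cgi, and the name and cmd parameters). The device address 10.0.1.2 and the CA file name eagle-one-ca.pem are placeholders. The device's TLS certificate is verified against that CA file so the password is not handed to a host impersonating the firewall, and the credentials travel in an Authorization header instead of the URL, so they do not land in shell history or proxy logs.

```python
"""Remote activation/deactivation of an EAGLE One VPN connection.

Added example, not part of the EAGLE One manual.  Assumptions: the device
checks HTTP basic authentication with user name "vpn" and the password set
in the "Device connection" dialog (that is what "https://vpn:<password>@host/"
in the manual's URL form means), and accepts name=<connection>&cmd=up|down.
"""
import base64
import ssl
import urllib.parse
import urllib.request

VPN_CGI = "/nph-vpn.cgi"
VALID_CMDS = ("up", "down")


def is_valid_cmd(cmd: str) -> bool:
    return cmd in VALID_CMDS


def build_vpn_url(host: str, name: str, cmd: str) -> str:
    """Control URL without credentials; they are sent as a header instead."""
    if not is_valid_cmd(cmd):
        raise ValueError(f"cmd must be one of {VALID_CMDS}, got {cmd!r}")
    # The dialog allows 0-128 ASCII characters; an empty name cannot be addressed.
    if not (0 < len(name) <= 128) or not name.isascii():
        raise ValueError("connection name must be 1-128 ASCII characters")
    query = urllib.parse.urlencode({"name": name, "cmd": cmd})
    return f"https://{host}{VPN_CGI}?{query}"


def basic_auth_header(password: str) -> str:
    """Same credentials as "vpn:<password>@" in the URL, as an Authorization header."""
    token = base64.b64encode(f"vpn:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def vpn_control(host: str, password: str, name: str, cmd: str,
                ca_file: str, timeout: float = 10.0):
    """Send the request and return (HTTP status, response body).

    ca_file is the CA certificate the device's HTTPS certificate chains to;
    without verification the password could be sent to an impostor.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        build_vpn_url(host, name, cmd),
        headers={"Authorization": basic_auth_header(password)},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import getpass
    import sys
    # usage: vpn_ctl.py <device-ip> <connection-name> up|down   (placeholders)
    dev_host, conn_name, action = sys.argv[1:4]
    status, body = vpn_control(dev_host, getpass.getpass("VPN password: "),
                               conn_name, action, ca_file="eagle-one-ca.pem")
    print(status, body)
```

Run it as `python3 vpn_ctl.py 10.0.1.2 test1 up`; the password is read from the terminal rather than from the command line. Whatever the device returns in the body is printed unchanged, since the manual does not specify the response format.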
The "Client IP address allocation" input field allows you to define an IP address range. If a client of a VPN connection requests an address, the EAGLE One dynamically allocates the client an address from this range. The values that can be entered have the following meanings:

Client IP address allocation
  Meaning: IPv4 address range in CIDR notation.
  Possible values: valid IPv4 address range in CIDR notation.
  Default setting: -
Table 59: IP address range for VPN clients (CIDR)
Note:
When defining the address range, verify that the addresses are compatible with the traffic selectors of the VPNs from which clients request addresses. You thus help ensure that a client that receives such an address can also communicate via the VPN.
The "Source for service mode" field enables you to determine the source which starts the service mode. The values that can be entered have the following meanings:

Source for service mode
  Meaning: Selecting the source which starts the service mode.
  Possible values:
  - powersupply: The service mode starts if the redundant power supply of the device is inoperable. You switch off the redundant power supply of the device for this purpose.
  - digitalinput-low: The service mode starts if the low-level input voltage (state "0") is connected to the digital input.
  - digitalinput-high: The service mode starts if the high-level input voltage (state "1") is connected to the digital input.
  Default setting: powersupply
Table 60: Meaning of the values in the "Source for service mode" field.
Index
  Meaning: Row index for the unique identification of a connection.
  Default setting: -
Name
  Meaning: Any name for this connection. You also use this name in the URL to remotely activate/deactivate the connection.
  Possible values: 0-128 ASCII characters
  Default setting: -
Startup as
  Meaning: Starting role for mediating the key exchange.
  Possible values: responder, initiator
  Default setting: responder
Service Mode
  Meaning: Activate/deactivate the service mode. In service mode, the device automatically activates one or more pre-configured VPN connections. You define the source which starts the service mode in the Virtual Private Network:Connection dialog in the "Source for service mode" field (see Table 60).
  - Service mode on: Select the "Service Mode" field for one or more VPN connections to switch on the service mode of the device for these connection(s). First configure the selected VPN connection(s) as described in "Editing a connection" on page 138. The device indicates that the service mode is activated as follows: when the service mode is active, the "Status" field contains the value servicemode-up; if you have activated the "VPN LED Indication" function, the "VPN" LED glows as described in Table 58 once the device has activated the VPN connection(s). The device indicates that it has left the service mode with an event log entry: "System service mode is not active".
  - Service mode off: Remove the checkmark from the "Service Mode" field to deactivate the service mode of the device.
  Possible values: On/Off
  Default setting: Off
Active
  Meaning: Activate/deactivate the connection.
  Possible values: On/Off
  Default setting: Off
Table 61: Connections
Status
  Meaning: State of the connection.
  Possible values: up, down, negotiation, constructing, dormant, servicemode-up
  Default setting: -
Exchange Mode
  Meaning:
  - mainaggressive: as the initiator, the device uses the main mode when setting up a connection, and as the responder it accepts both the main and the aggressive modes.
  - main: as initiator or responder, the device only uses the main mode when setting up a connection.
  - aggressive: as initiator or responder, the device only uses the aggressive mode when setting up a connection.
  Possible values: mainaggressive, main, aggressive
  Default setting: mainaggressive
Table 61: Connections
Editing a connection

The Basic Settings tab page enables you to give the connection any name you want.

Name
  Meaning: Any name for this connection. You also use this name in the URL to remotely activate/deactivate the connection.
  Possible values: 0-128 ASCII characters
  Default setting: -
Table 62: Basic Settings
The Authentication tab page enables you to set the parameters that the device needs to authenticate itself at the other end of the VPN connection.

Frame "Key Info": Parameters for the key to be used.
Method
  Meaning: Method for selecting and transferring the key.
  Possible values: psk, x509rsa
  Default setting: psk
Pre-shared key (PSK)
  Meaning: Key that both ends of a VPN connection require to set up the connection and transfer data. When you open a connection to edit it, the Firewall shows the PSK as eight asterisks.
  Possible values: 6-128 random ASCII characters
  Default setting: -

Note:
The Web interface uses the UTF-8 character encoding to exchange the PSK with the device. For the PSK, only use characters and character encodings that the participating devices can interpret immediately. If necessary, restrict the character set used to ASCII (character codes 32 to 127).

Load PKCS#12 file from the PC
  Meaning: A PKCS#12 file is a file container that contains the CA certificate, the local certificate and the private key (PEM files).

Frame "Identities": Type of information that an endpoint of the VPN connection uses for identification.
Local Type
  Meaning: Select the local identification type.
  Possible values: default, ipaddr, keyid, fqdn, email, asn1dn
  Default setting: default
Local ID
  Meaning: Identification for the key exchange with the remote terminal in accordance with the local type selected above.
Table 63: Authentication
Remote Type
  Meaning: Select the remote identification type.
  Possible values: any, ipaddr, keyid, fqdn, email, asn1dn
  Default setting: any
Remote ID
  Meaning: Accepted identification for the key exchange from the remote terminal in accordance with the remote type selected above.
Table 63: Authentication

The identity types that can be selected in the fields "Local type" and "Remote type" have the following meaning:

default: Default setting (for PSK: ipaddr; for x509rsa: asn1dn)
any: One of the available options
psk: Pre-shared key
x509rsa: X.509 RSA certificate
ipaddr: IP address of the other end of the VPN connection
keyid: Key identification
fqdn: Fully-qualified domain name
email: E-mail address of a trustworthy person
asn1dn: X.500 Distinguished Name (DN). If the "Local ID" field is empty in this case, then the Firewall uses the DN from the certificate.
Table 64: Meaning of the values during the authentication
The Certificates tab page provides you with three options for entering certificates that you may need for the authentication:
- Load PKCS#12 file: A PKCS#12 file is a file container that contains the CA certificate, the local certificate and the private key.
- Load PEM files: A certificate consists of the CA certificate, the local certificate and the private key. One PEM file contains one of these parts.
- Enter the CA certificate, the local certificate and the private key manually.
Load PKCS#12 file from the PC
  Meaning: A PKCS#12 file is a data container that contains the individual certificate parts. As an alternative to the PKCS#12 file, you can load the individual certificate parts in the form of PEM files below.

Frame "Local": Entries for the local certificate.
Certificate
  Meaning: The local certificate for authentication at the other end of the VPN connection.
Password
  Meaning: The password for the private key, if the key is in encrypted form. When you open a connection to edit it, the Firewall shows the password as eight asterisks.
Private key
  Meaning: The private key assigned to the certificate.

Frame "Certification Authority (CA)": Entry for the certificate of the certification authority.
Certificate
  Meaning: Certificate of the certification authority.

Frame "Remote": Entry for the certificate of the other end of the VPN connection.
Certificate (optional)
  Meaning: Certificate of the other end of the VPN connection (if desired). For a connection to an EAGLE One mGuard, you enter the certificate of the EAGLE One mGuard.
Table 65: Certificates
The IKE - Key Exchange tab page allows you to set the parameters for the key exchange.

Frame "Mode"
Protocol
  Meaning: Protocol version to be used for the key exchange.
  Possible values: auto, v1, v2
  Default setting: auto
Startup as
  Meaning: Starting role for mediating the key exchange.
  Possible values: responder, initiator
  Default setting: responder
DPD Timeout
  Meaning: Dead Peer Detection. Period after which the connection becomes invalid if the other end of the connection does not send a sign of life.
  Possible values: 0-86,400 seconds, whereby the value "0" switches off the DPD.
  Default setting: 120 seconds
Lifetime
  Meaning: Usage period for the key used to help protect IKE protocol messages, and therefore the maximum lifetime of the IKE security association (IKE SA) itself. Select the lifetime of the initiator as less than or equal to the lifetime of the responder.
  Possible values: 1-86,400 seconds (= 24 hours)
  Default setting: 28,800 seconds (8 hours)
Compatibility Mode
  Meaning: For LANCOM Client and Hirschmann EAGLE One mGuard.
  Possible values: on/off
  Default setting: off

Frame "Algorithms": Select the encryption and hash algorithms to be used for the key exchange.
Key agreement
  Meaning: Algorithm for the key agreement. The Firewall allows you to enter "any" when it has the starting role "responder". Group assignment: modp768 = DH group 1, modp1024 = DH group 2, modp1536 = DH group 5, modp2048 = DH group 14, modp3072 = DH group 15, modp4096 = DH group 16.
  Possible values: any, modp768, modp1024, modp1536, modp2048, modp3072, modp4096
  Default setting: modp1024
Hash
  Meaning: Hash algorithm. The Firewall allows you to enter "any" when it has the starting role "responder".
  Possible values: any, md5, sha1
  Default setting: sha1
Table 66: IKE Key Exchange
Integrity
  Meaning: Authentication algorithm for IKE protocol messages. The Firewall allows you to enter "any" when it has the starting role "responder".
  Possible values: any, hmacmd5, hmacsha1
  Default setting: hmacsha1
Encryption
  Meaning: Algorithm for encryption of IKE protocol messages. The Firewall allows you to enter "any" when it has the starting role "responder".
  Possible values: any, des, des3, aes128, aes192, aes256
  Default setting: aes128

Frame "Endpoints (Peers)": IP addresses of the two endpoints of the VPN connection.
Local IP Address
  Meaning: Host name (FQDN) or IP address of the local security gateway. If the value is "any", the Firewall uses the first IP address of the external interface. If this address is assigned via DHCP, the setting up of the VPN connection is delayed until a valid IP address is assigned. If a host name is used, the setting up of the VPN connection is delayed until the host name is resolved.
  Possible values: IP address, any
  Default setting: any
Remote IP Address
  Meaning: Host name (FQDN) or IP address of the remote security gateway. If the value is "any", the Firewall accepts every IP address when setting up an IKE security association as responder. The Firewall also accepts a network in CIDR notation when setting up an IKE security association as responder. As initiator, the Firewall does not accept such values. If a host name is used, the setting up of the VPN connection is delayed until the host name is resolved.
  Possible values: IP address, any
  Default setting: any
Table 66: IKE Key Exchange
The values that can be selected in the fields "Protocol", "Start as", "Key agreement", "Hash", "Integrity" and "Encryption" have the following meanings:

auto: Automatic selection
v1: IKE protocol version 1
v2: IKE protocol version 2
responder: IKE responder
initiator: IKE initiator
modp: Modular Exponentiation Group, modulus used for the Diffie-Hellman key exchange
md5: Message Digest Algorithm 5, cryptographic hash function
sha1: Secure Hash Algorithm 1, cryptographic hash function
hmacmd5: Hash Message Authentication Code, based on MD5
hmacsha1: Hash Message Authentication Code, based on SHA1
des: DES (Data Encryption Standard)
aes: AES (Advanced Encryption Standard)
Table 67: Meaning of the values for the IKE Key Exchange.
The IPsec - Data Exchange tab page allows you to set the parameters for the data exchange.

Frame "Mode"
Encapsulation
  Meaning: Selection of the VPN operating mode.
  Possible values: transport, tunnel
  Default setting: transport
Force NAT-T
  Meaning: Network Address Translation Traversal. If there are NAT routers in the transmission path, corresponding actions are taken by IPsec. In this case, IPsec addresses IKE and IPsec data packets to port 4500 in accordance with RFC 3948. If "Force NAT-T" is activated, the Firewall always addresses the packets to port 4500.
  Possible values: on/off
  Default setting: off
Lifetime
  Meaning: Usage period for the key used to help protect data packets, and therefore the maximum lifetime of the IPsec security association (IPsec SA) itself.
  Possible values: 1-28,800 seconds (8 h)
  Default setting: 3,600 seconds (1 h)

Frame "Algorithms": Select the encryption and hash algorithms to be used for the data exchange.
Key Agreement
  Meaning: Selection of an algorithm for the key agreement. The Firewall allows you to enter "any" when it has the starting role "responder". Group assignment: modp768 = DH group 1, modp1024 = DH group 2, modp1536 = DH group 5, modp2048 = DH group 14, modp3072 = DH group 15, modp4096 = DH group 16.
  Possible values: none, any, modp768, modp1024, modp1536, modp2048, modp3072, modp4096
  Default setting: modp1024
Integrity
  Meaning: Selection of an algorithm for the integrity protection.
  Possible values: any, hmacmd5, hmacsha1
  Default setting: hmacsha1
Encryption
  Meaning: Selection of an algorithm for the data encryption.
  Possible values: any, des, des3, aes128, aes192, aes256
  Default setting: aes128
Table 68: IPsec - Data Exchange
The values that can be selected in the fields "Encapsulation", "Key agreement", "Integrity" and "Encryption" have the following meanings:

modp: Modular Exponentiation Group, modulus used for the Diffie-Hellman key exchange
hmacmd5: Hash Message Authentication Code, based on MD5
hmacsha1: Hash Message Authentication Code, based on SHA1
des: DES (Data Encryption Standard)
aes: AES (Advanced Encryption Standard)
Table 69: Meaning of the values for the IPsec data exchange
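Several of the choices in Tables 66 and 68 are weak by today's standards: DES and 3DES, MD5-based hashes, DH groups 1, 2 and 5, "none" for the IPsec key agreement (no perfect forward secrecy), and aggressive mode together with a pre-shared key, where the identity hash is exchanged unprotected and can be cracked offline. "mainaggressive", the default, accepts aggressive mode as responder and so falls under the same point. The manual also states two constraints: the initiator's lifetime must not exceed the responder's, and an initiator cannot use "any" or a CIDR network as Remote IP Address. The following is an added example, not code from the manual or from Hirschmann, that audits one connection's settings against those rules. The dict keys mirror the dialog labels; the thresholds (DH group of at least 2048 bits, PSK of at least 20 characters) are the author's, and the two profiles are constructed (the first reproduces the dialog defaults).

```python
"""Policy check for one EAGLE One VPN connection (IKE + IPsec tabs).

Added example, not from the manual.  The settings dict mirrors the dialog
labels; the weakness rules are the author's, except the two constraints
the manual itself states (initiator lifetime <= responder lifetime; an
initiator cannot use "any"/CIDR as remote address).
"""
WEAK_DH = {"modp768": "DH group 1 (768 bit)",
           "modp1024": "DH group 2 (1024 bit)",
           "modp1536": "DH group 5 (1536 bit)"}
WEAK_HASH = {"md5", "hmacmd5"}
WEAK_CIPHERS = {"des", "des3"}
MIN_PSK_LEN = 20   # author's threshold; the dialog itself only enforces 6


def audit_connection(c: dict) -> list:
    """Return a list of findings; an empty list means the settings pass."""
    f = []
    ike, ipsec = c["ike"], c["ipsec"]

    # IKEv1 aggressive mode with PSK: the identity hash is sent unencrypted
    # and can be brute-forced offline. "mainaggressive" accepts aggressive
    # mode as responder, so it counts as well.
    if c["method"] == "psk" and c["exchange_mode"] in ("aggressive", "mainaggressive"):
        f.append("PSK with aggressive mode allowed: set Exchange Mode to main")
    if c["method"] == "psk" and len(c.get("psk", "")) < MIN_PSK_LEN:
        f.append(f"PSK shorter than {MIN_PSK_LEN} characters")

    for tab, s in (("IKE", ike), ("IPsec", ipsec)):
        ka = s["key_agreement"]
        if ka in WEAK_DH:
            f.append(f"{tab}: key agreement {ka} = {WEAK_DH[ka]}; use modp2048 or larger")
        if ka == "any":
            f.append(f"{tab}: key agreement 'any' lets the peer pick the weakest group")
        if s["integrity"] in WEAK_HASH:
            f.append(f"{tab}: integrity {s['integrity']} is MD5-based")
        if s["integrity"] == "any":
            f.append(f"{tab}: integrity 'any' lets the peer pick MD5")
        if s["encryption"] in WEAK_CIPHERS:
            f.append(f"{tab}: encryption {s['encryption']}; use aes128 or stronger")
        if s["encryption"] == "any":
            f.append(f"{tab}: encryption 'any' lets the peer pick DES")
    if ike["hash"] in ("md5", "any"):
        f.append(f"IKE: hash {ike['hash']}; use sha1")
    if ipsec["key_agreement"] == "none":
        f.append("IPsec: key agreement 'none' disables perfect forward secrecy")
    if ike["dpd_timeout"] == 0:
        f.append("IKE: DPD switched off; dead peers keep their SAs")

    # Constraint stated in the manual (Remote IP Address).
    if ike["startup_as"] == "initiator" and (ike["remote_ip"] == "any" or "/" in ike["remote_ip"]):
        f.append("IKE: an initiator cannot use 'any' or a CIDR network as Remote IP Address")
    return f


def lifetimes_compatible(initiator_lifetime: int, responder_lifetime: int) -> bool:
    """Manual: select the initiator's lifetime <= the responder's lifetime
    (both within the 1-86,400 s range of the dialog)."""
    return 1 <= initiator_lifetime <= responder_lifetime <= 86_400


# Constructed profiles: the dialog defaults (with a short PSK) and a hardened variant.
DEFAULT_PROFILE = {
    "method": "psk", "psk": "s3cretPSK!", "exchange_mode": "mainaggressive",
    "ike": {"startup_as": "responder", "dpd_timeout": 120, "lifetime": 28_800,
            "key_agreement": "modp1024", "hash": "sha1", "integrity": "hmacsha1",
            "encryption": "aes128", "remote_ip": "any"},
    "ipsec": {"key_agreement": "modp1024", "integrity": "hmacsha1",
              "encryption": "aes128", "lifetime": 3_600},
}
HARDENED_PROFILE = {
    "method": "x509rsa", "exchange_mode": "main",
    "ike": {"startup_as": "initiator", "dpd_timeout": 120, "lifetime": 28_800,
            "key_agreement": "modp2048", "hash": "sha1", "integrity": "hmacsha1",
            "encryption": "aes256", "remote_ip": "203.0.113.10"},
    "ipsec": {"key_agreement": "modp2048", "integrity": "hmacsha1",
              "encryption": "aes256", "lifetime": 3_600},
}

if __name__ == "__main__":
    for label, profile in (("defaults", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_connection(profile) or ["OK"])
```

Run against the dialog defaults the check reports four findings (aggressive mode with PSK, short PSK, and modp1024 on both tabs); the hardened profile passes. The remaining choice the device offers for the hash, sha1, is the strongest it has and is therefore not flagged.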
The IP Networks tab page enables you to set the parameters for the IP networks at the internal port whose data is to be transferred via the VPN connection. The firewall only transmits and encrypts through the tunnel that data which corresponds to an entry in this table. The firewall routes the other data according to the existing entries in the packet filters.

Index
  Meaning: Sequential line index.
Source Address (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual source of the data packet.
  Possible values: IP address with netmask, any = all
  Default setting: any

Note:
If you connect 2 devices via VPN, network addresses are accepted as local source addresses even if they are not identical with the destination addresses entered at the opposite end but are a subset of these destination addresses.
Example: If you enter 192.168.2.0/24 as the source address in the local device and 192.168.1.0/20 as the destination address at the opposite end, this is a valid combination.
Table 70: IP Networks at Internal Port
Source Port
  Meaning: Logical source port of the data packet. Use decimal numbers for the port ID. You can also enter the following known ports as ASCII characters:
  7 tcp/udp: echo
  9 tcp/udp: discard, sink, null
  20 tcp: ftp-data
  21 tcp: ftp
  22 tcp/udp: ssh
  23 tcp: telnet
  53 tcp/udp: dns
  67 tcp/udp: bootps
  68 tcp/udp: bootpc
  69 udp: tftp
  80 tcp/udp: www, http
  88 tcp/udp: kerberos, krb5
  115 tcp: sftp
  123 tcp/udp: ntp
  161 udp: snmp
  162 udp: snmp-trap, snmptrap
  179 tcp/udp: bgp
  389 tcp/udp: ldap
  443 tcp/udp: https
  Possible values: any = all, op port, op port1 op port2
  Default setting: any
Destination Address (CIDR)
  Meaning: IP address with netmask (CIDR) of the actual destination of the data packet.
  Possible values: IP address with netmask, any = all
  Default setting: any
Destination Port
  Meaning: Logical destination port of the data packet. Use decimal numbers for the port ID. You can also enter the same known ports, as with the source port, as ASCII characters.
  Possible values: any = all, op port, op port1 op port2
  Default setting: any
Policy
  Meaning: The EAGLE One uses these security specifications for traffic via a VPN connection. The EAGLE One supports the following security specifications:
  - require: To set up a VPN connection, the EAGLE One requires the data to be encrypted.
  - use: To set up a VPN connection, the EAGLE One uses the encryption, if you have selected an encryption. Otherwise the EAGLE One forwards the data unencrypted. Keep require unless a cleartext fallback is intended.
  Possible values: require, use
  Default setting: require
Table 70: IP Networks at Internal Port
Protocol
  Meaning:
  - tcp: Transmission Control Protocol (RFC 793)
  - udp: User Datagram Protocol (RFC 768)
  - icmp: Internet Control Message Protocol (RFC 792)
  Possible values: any = all, tcp, udp, icmp
  Default setting: any

Note:
If you use a protocol setting other than the default setting any and connect the EAGLE One to a remote terminal that supports only an outdated implementation of IKEv1, then you also activate the compatibility mode on the EAGLE One in the IKE - Key Exchange tab so that the devices can set up a connection. The conditions set on the EAGLE One for the traffic selector are also retained in compatibility mode.

Description
  Meaning: Description of this entry.
  Possible values: 0-127 ASCII characters
Mapped Source Address (CIDR)
  Meaning: The EAGLE One replaces the IP source address of the data sent into the VPN connection with an IP address from this address range. Prerequisite: Protocol = any
Mapped Destination Address (CIDR)
  Meaning: The EAGLE One replaces the IP destination address of the data received out of the VPN connection with an IP address from this address range. Prerequisite: Protocol = any
Active
  Meaning: Activate/deactivate the rule.
  Possible values: on/off
  Default setting: off
Table 70: IP Networks at Internal Port

Deleting a connection

The firewall helps protect an active connection from being deleted. Select the deactivated entry for a connection to be deleted. Click "Delete entry".
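The subset rule in the note to Table 70, the "Client IP address allocation" note (addresses handed to clients must fit the traffic selectors of the connection), and the statement that only traffic matching an active entry goes through the tunnel can all be checked with a few lines of Python's ipaddress module. The following is an added example, not code from the manual or from Hirschmann. Ports are modelled as "any" or a single number (the op/port forms of the dialog are left out), and all addresses and the sample rules are constructed.

```python
"""Helpers for the "IP Networks" rules of an EAGLE One VPN connection.

Added example, not from the manual.  selector_compatible() implements the
subset rule of the note to Table 70, pool_covered() checks a "Client IP
address allocation" range against the selectors of the remote end, and
select_tunnel_rule() reproduces which active rule a packet matches.
Ports are "any" or a single number; the op/port forms of the dialog are
not modelled.  All addresses are constructed sample values.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    """Dialog value -> network; "any" means all addresses.  strict=False
    accepts host-bit forms such as 192.168.1.0/20, as the dialog does."""
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def selector_compatible(local_source: str, remote_destination: str) -> bool:
    """True if the local source network lies within the destination network
    configured at the opposite end (equal networks count as within)."""
    return net(local_source).subnet_of(net(remote_destination))


def pool_covered(pool: str, remote_destinations: list) -> bool:
    """True if every address the firewall could hand to a client from `pool`
    falls inside at least one selector of the remote end."""
    p = net(pool)
    return any(p.subnet_of(net(d)) for d in remote_destinations)


def _port_matches(rule_port, packet_port) -> bool:
    return rule_port == "any" or (packet_port is not None and int(rule_port) == packet_port)


def select_tunnel_rule(rules: list, pkt: dict):
    """Index of the first active rule the packet matches, or None.
    None means the firewall does not send the packet through the tunnel but
    routes it according to the packet filters."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for i, r in enumerate(rules):
        if not r["active"]:
            continue
        if r["protocol"] != "any" and r["protocol"] != pkt["protocol"]:
            continue
        if src not in net(r["source"]) or dst not in net(r["destination"]):
            continue
        if not _port_matches(r["sport"], pkt.get("sport")):
            continue
        if not _port_matches(r["dport"], pkt.get("dport")):
            continue
        return i
    return None


# Constructed sample rules in the layout of Table 70.
SAMPLE_RULES = [
    {"source": "192.168.2.0/24", "destination": "192.168.1.0/20", "protocol": "tcp",
     "sport": "any", "dport": "443", "policy": "require", "active": True},
    {"source": "192.168.2.0/24", "destination": "192.168.1.0/20", "protocol": "any",
     "sport": "any", "dport": "any", "policy": "require", "active": False},
]

if __name__ == "__main__":
    print(selector_compatible("192.168.2.0/24", "192.168.1.0/20"))   # True
    print(select_tunnel_rule(SAMPLE_RULES, {"src": "192.168.2.10", "dst": "192.168.5.1",
                                            "protocol": "tcp", "sport": 51000, "dport": 443}))  # 0
```

With the sample rules, HTTPS from 192.168.2.10 to 192.168.5.1 matches rule 0 and is tunnelled, while HTTP to the same host matches nothing (rule 1 would, but it is inactive) and is therefore routed by the packet filters, not encrypted.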
6 Redundancy
The redundancy functions allow you to provide redundant paths via a redundant Firewall. If the Firewall that is currently transmitting detects a loss of communication (e.g. a disconnected link), it sends the information to its partner Firewall, which then takes over the transmission.

Depending on the network operating mode setting, the Firewall offers you:
- Transparent Redundancy
- Router Redundancy
6.1 Transparent Redundancy
The Transparent Redundancy function allows you to incorporate the Firewall into the path of the redundant ring/network coupling (see the user manual for the redundancy configuration of your Hirschmann device that supports redundant coupling). You can use the Transparent Redundancy function when you are operating the Firewall in the transparent mode.
Operation
  Meaning: Switch the Transparent Redundancy on/off. Prerequisite: In the Basic Settings:Network:Global dialog, the Transparent mode is selected.
  Possible values: on/off
  Default setting: off

Frame "Transparent Redundancy"
Master or Slave Port
  Meaning: The port of the EAGLE One that is connected to the master (via the main line) or the slave (via the redundant line) of the ring coupling. The other port of the EAGLE One is connected to the remote ring or network, which contains neither a ring coupling master nor slave.
  - With the external setting: If the connection at the internal port is inoperable, the Firewall deactivates the external port.
  - With the internal setting: If the connection at the external port is inoperable, the Firewall deactivates the internal port.
  Possible values: internal, external
  Default setting: external

Frame "Firewall State Table Synchronisation"
Table 71: Transparent Redundancy
Redundancy Partner IP Address
  Meaning: The IP address identifies the redundancy partner with which the Firewall synchronizes its state table, so that the redundancy partner can take over all tasks at any time.
  Possible values: IPv4 address
  Default setting: 0.0.0.0
Communication
  Meaning: The communication between the redundant partners is active/inactive.
  - Active: The communication between master and slave is active. The master sends synchronization packets to the slave and receives its confirmation packets when traffic is going over the device.
  - Inactive: There is no communication at the moment. Make sure that no data line or network component is down: check the Layer 2 redundancy status using the switches in the path of the redundant ring/network coupling in which you have incorporated the firewall (see the user manual for the redundancy configuration of your Hirschmann device that supports redundant coupling).
  Possible values: Active, Inactive
  Default setting: Inactive
Table 71: Transparent Redundancy
Note:
Immediately after the main connection is reinstated, the redundant coupling switches the transmission from the redundant line to the main line. If both lines of the main Firewall were previously interrupted, then the two Firewalls were unable to synchronize their state tables.

Note:
If no packets are received from the other system, there can be various reasons, including:
- No data transfer via the device is taking place at this moment.
- A data line or network component is inoperable.
The real Layer 2 redundancy state can only be checked on the switches.
6.2 Router Redundancy
The Router Redundancy function enables you to provide a redundant Firewall for the Firewall itself in the network. In this case, the Router Redundancy function combines two Firewalls into a virtual Firewall. Both Firewalls share a virtual interface, which is served by whichever Firewall is currently active. In the case of a detected error, the redundant Firewall takes over the functions of the first Firewall.

Requirements for using the Router Redundancy function:
- The Router Mode is active.
- The packet filter and NAT settings of the Firewall and the redundant Firewall are identical.
- The Router Redundancy configuration of the Firewall and the redundant Firewall correspond.
- The entries for the destinations of the ICMP Host Check function are identical and have the same sequence.
- All VPN connections are deactivated.
- All devices that have the Firewall entered as a gateway use the virtual IP address of the Router Redundancy function.
Frame "Configuration"
Function
  Meaning: Switch the Router Redundancy on/off. Requirement: In the Basic Settings:Network:Global dialog in the "Configuration" frame, the router mode is selected.
  Possible values: On, Off
  Default setting: Off
Priority
  Meaning: The priority is used to specify which device takes over the redundant function. The device with the lower priority (lower number) takes over the redundant function. If the priority is the same, the devices automatically decide which takes over the redundant function.
  Possible values: 1-255
  Default setting: 100
Status
  Meaning: Displays the redundancy state.

Frame "Internal Interface (Port 1)"
IP Address
  Meaning: Displays the IP address of the internal interface (port 1).
  Default setting: 192.168.3.1
Virtual IP Address
  Meaning: IP address of the virtual router on the internal interface.
  Possible values: IP address
  Default setting: 192.168.3.100
VRID
  Meaning: The VRID (virtual router ID) uniquely identifies a virtual router. Select different VRIDs for the internal and external interfaces.
  Possible values: 1-255
  Default setting: 1
Redundancy Partner IP Address
  Meaning: IP address of the physical redundancy partner that is part of the virtual router.
  Possible values: IP address
  Default setting: 192.168.3.153

Frame "External Interface (Port 2)"
IP Address
  Meaning: Displays the IP address of the external interface (port 2).
  Default setting: 10.0.0.10
Virtual IP Address
  Meaning: IP address of the virtual router on the external interface.
  Possible values: IP address
  Default setting: 10.0.0.100
VRID
  Meaning: The VRID (virtual router ID) uniquely identifies a virtual router. Select different VRIDs for the internal and external interfaces.
  Possible values: 1-255
  Default setting: 2
Redundancy Partner IP Address
  Meaning: Physical IP address of the redundancy partner that is part of the virtual router.
  Possible values: IP address
  Default setting: 10.0.0.153
Table 72: Basic Settings

The device allows you to combine the router redundancy with 1:1 NAT.
The ICMP Host Check function allows you to get the Firewall to check the accessibility of devices in the network in the case of individual connection interruptions. The Firewalls use the check's result to decide which Firewall takes over the active transmission function. To use this function effectively, configure at least one host for checking at each port of the two Firewalls.

How the ICMP Host Check works:
If the firewalls' router redundancy protocol detects that they can no longer access each other on all interfaces, the Firewalls start the ICMP Host Check. In the process, the Firewalls go through the affected interface's host list in ascending order of host indices until they find a difference in accessibility for a host. If the current master router cannot access a certain host even though it can be accessed by the backup router, the firewalls swap over their redundancy roles. The current backup router then takes over the master role and the current master router becomes the backup router.

Requirements for using the ICMP Host Check function:
- Connect at least one host to every interface of the Firewall that can normally be reached by both Firewalls.
- These hosts are entered in the list for both Firewalls, and the host lists of the Firewalls are identical.
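The role decision described above is small enough to be written down exactly, which makes it easier to reason about what a partially reachable host list does to the redundancy pair. The following is an added example, not code from the manual or from Hirschmann: ping results are supplied as dicts instead of being measured, the host list is constructed in the layout of Table 73, and the second function checks the requirement that both firewalls hold identical lists in the same sequence. The manual only defines the swap case (master fails, backup succeeds); treating the opposite difference as "keep" is the author's reading.

```python
"""Role decision of the ICMP Host Check (EAGLE One router redundancy).

Added example, not from the manual.  Ping results are supplied as dicts
instead of being measured, so the decision logic can be run on its own.
The manual defines only the swap case (master fails, backup succeeds);
treating the opposite difference as "keep" is the author's reading.
"""


def host_check_decision(host_list: list, master_reach: dict, backup_reach: dict) -> str:
    """host_list: Table 73 rows of the affected interface.  Walk them in
    ascending index order until the first host whose reachability differs."""
    for row in sorted(host_list, key=lambda r: r["index"]):
        if not row["active"]:
            continue
        m = master_reach.get(row["ip"], False)
        b = backup_reach.get(row["ip"], False)
        if m == b:
            continue                     # no difference: look at the next host
        return "swap" if (b and not m) else "keep"
    return "keep"                        # no difference on any host


def host_lists_identical(list_a: list, list_b: list) -> bool:
    """Requirement from the manual: both firewalls hold the same entries in
    the same sequence (compared on index, port, address and active flag)."""
    def key(rows):
        return [(r["index"], r["port"], r["ip"], r["active"]) for r in rows]
    return key(list_a) == key(list_b)


# Constructed host list for the internal interface of both firewalls.
INTERNAL_HOSTS = [
    {"index": 1, "port": "internal", "ip": "192.168.3.20", "active": True},
    {"index": 2, "port": "internal", "ip": "192.168.3.21", "active": True},
    {"index": 3, "port": "internal", "ip": "192.168.3.22", "active": False},
]

if __name__ == "__main__":
    master = {"192.168.3.20": False, "192.168.3.21": True}
    backup = {"192.168.3.20": True, "192.168.3.21": True}
    print(host_check_decision(INTERNAL_HOSTS, master, backup))   # swap
```

Note that the walk stops at the first host whose reachability differs: if the master reaches host 1 but the backup does not, the roles stay as they are even when the backup alone reaches host 2. Order the list so that the hosts that matter most come first, and keep the order identical on both firewalls.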
Operation
  Meaning: Switches the ICMP Host Check on/off.
  Possible values: on, off
  Default setting: off
Status
  Meaning: Displays the state of the check on the reachability of the ping devices entered in the table.
  Possible values: out of service, service enabled, host check running
Index
  Meaning: Sequential line index.
Port
  Meaning: Port to which the Firewall sends the ping request for checking the reachability.
  Possible values: internal, external
  Default setting: internal
IP Address
  Meaning: IP address of the device to which the Firewall sends the ping request for checking the reachability.
  Possible values: valid IPv4 host address
Active
  Meaning: Activate/deactivate the entry.
  Possible values: on, off
  Default setting: on
Table 73: ICMP Host Check
The meanings of the displayed status values are as follows:
- out of service: The ICMP Host Check function is switched off.
- not in router mode: The Firewall is not in router mode.
- service enabled: The function is switched on and is currently not needed, as the router redundancy has not detected any problem.
- host check running: The function is switched on and the firewall is currently working through the host list, because the router redundancy has detected a problem.
7 Diagnostics
The diagnostics menu contains the following tables and dialogs:
- Events: Event Log, Syslog Server, Event Settings, Advanced Settings
- Ports
- Utilization
- Statistics table
- ARP entries
- Topology Discovery
- Device Status
- Signal Contact
- Alarms (Traps)
- Report
- System Information
- MAC Firewall List
- IP Firewall List
- Configuration Check
- Reachability Test (Ping)
In service situations, they provide the technician with the necessary information for diagnosis.
7.1 Events
The dialogs provide you with the following options:
- Event Log: select the events to be logged; display and save the event log file.
- Syslog Server: configuration of the syslog server to transfer event messages to a syslog server.
- Event Settings: select the minimum level to report from which the device transfers events into the event log, and which of them it writes to a connected ACA.
7.1.1 Event Log

This function allows you to filter the display of the event log so that it only contains events relevant for you. In the Event Log dialog, you specify which categories of events in the log you want the device to list in the display. The device then does not display the events of other known categories. The event log itself is not changed by the filtering. You specify in the event settings (see "Event Settings" on page 163) which events the device writes to the event log.
Figure 27: Event Log dialog
Select the event categories that you want the device to list in the display. See the Event Settings dialog for the meaning of the categories.
- Click on "Set" to save the selected categories on your workstation (not on the device itself!). They are saved in a file in the home directory of the current user. They are automatically loaded from there the first time the dialog is opened.
- Click on "Show Events" to display the event log file as an HTML file.
- Click on "Back" to return to the event log window.
- Click on "Reload" to update the display.
- Click on "Search" to search through the event log file for a key word or a regular expression.
- Click on "Save" if you will need the event log file again. In the file selection window, you now select the desired directory, enter a name for the file, and click on "Set".
Note:
The log file has the following properties: – The maximum number of log entries is 4,143.
– If the maximum number of log entries has been reached, the oldest entries will be overwritten by the newer ones.
– Entries that repeat contiguously will be summarized.
– If entries that repeat contiguously are summarized, the log file update may take up to 20 seconds after the last event logged.
7.1.2 Syslog Server

This dialog allows you to enter a syslog server. If a syslog server is entered, then when an event occurs the device transfers an event message via the syslog protocol to this server, which for example displays the event messages or triggers an alarm for certain event messages. If you want to deactivate the sending of event messages via the syslog protocol, enter the IP address 0.0.0.0.
Figure 28: Syslog Server dialog
Enter the IP address of the syslog server in “IP Address”.
In “Port” you enter the port number. Default setting: 514 (syslog protocol). Enter the same port number on the device and the syslog server.
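On the receiving side, the server named in this dialog gets one UDP datagram per event on port 514. The following is an added example, not code from the manual or from Hirschmann: a minimal receiver whose parse_pri() decodes the <PRI> prefix of a syslog datagram into facility and severity (the numbering shared by RFC 3164 and RFC 5424) and maps the severity onto the names of Table 74, so that a "level to report" threshold can be applied on the server as well as on the device. The sample messages are constructed, not captured from an EAGLE One; the manual does not specify the text format the device sends. UDP syslog carries no authentication, so the receiver accepts datagrams only from the addresses you list, and the port should also be restricted at the host firewall.

```python
"""Minimal UDP syslog receiver for the EAGLE One "Syslog Server" setting.

Added example, not from the manual.  parse_pri() decodes the <PRI> prefix
of a syslog datagram into facility and severity (the numbering used by
RFC 3164 and RFC 5424); the severity names are those of Table 74 so a
"level to report" threshold can be applied on the receiving side too.
Sample messages are constructed, not captured from a device.
"""
import socket

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]


def parse_pri(msg: str):
    """Return (facility, severity_name, rest) or None if <PRI> is missing/invalid."""
    if not msg.startswith("<"):
        return None
    end = msg.find(">", 1, 5)            # PRI is at most three digits
    digits = msg[1:end] if end != -1 else ""
    if not digits.isdigit() or (len(digits) > 1 and digits[0] == "0"):
        return None
    pri = int(digits)
    if pri > 191:                        # facility 0..23, severity 0..7
        return None
    return pri // 8, SEVERITIES[pri % 8], msg[end + 1:]


def at_least(severity: str, threshold: str) -> bool:
    """True if `severity` is as severe as `threshold` or more (lower index)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def filter_messages(messages: list, threshold: str = "warning") -> list:
    """Keep (severity, text) of well-formed messages at or above threshold."""
    kept = []
    for m in messages:
        parsed = parse_pri(m)
        if parsed is not None and at_least(parsed[1], threshold):
            kept.append((parsed[1], parsed[2]))
    return kept


def serve(bind_addr: str = "0.0.0.0", port: int = 514, threshold: str = "warning",
          allowed_sources: tuple = ()):
    """Receive datagrams and print those at or above threshold.  Port 514
    needs root or CAP_NET_BIND_SERVICE.  UDP syslog has no authentication,
    so accept only the firewall's address(es) and filter the port at the
    host firewall as well; anyone else could inject fake events."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            if allowed_sources and src not in allowed_sources:
                continue
            for sev, text in filter_messages([data.decode("utf-8", "replace")], threshold):
                print(src, sev, text)


# Constructed samples: PRI 34 = facility 4 (auth), severity 2 (critical).
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 eagle-one vpn: connection test1 down",
    "<38>Oct 11 22:14:16 eagle-one vpn: connection test1 up",           # facility 4, info
    "<12>Oct 11 22:14:17 eagle-one redundancy: partner not reachable",  # facility 1, warning
    "garbage without a PRI",
]

if __name__ == "__main__":
    print(filter_messages(SAMPLE_MESSAGES, "warning"))
```

Start the receiver with `serve(allowed_sources=("10.0.1.2",))`, using the firewall's address; with the threshold "warning" the samples above yield the critical and warning entries and drop the info line and the malformed one. If the device's "level to report" is already set per category, the server-side threshold only needs to be as strict or looser, otherwise events the device forwarded are silently discarded here.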
7.1.3 Event Settings This dialog allows you to select a minimum level to report for the logging for each event category. The device logs events with the selected level or higher.
You also have the option to select specifically for each event category whether the device writes these events in the persistent log memory on the ACA.
Figure 29: Event Settings dialog
Under "Level to report" you select for each category the event attribute starting from which the device logs the events. By making multiple selections you can assign the same level to report to multiple categories in one step. For each category whose events the device is to write to the log file on the ACA, select the "Write in persistent log file" checkbox.
Name and meaning of the event attributes:
emergency: The function is no longer available. This affects other functions. The device usually performs a restart.
alert: The function is no longer available. This can affect other functions. Find the cause of the detected error and remove the detected error.
critical: The function was temporarily not available. This may have affected other functions. Find the cause of the detected error and remove the detected error.
error: An error has been detected with this function. This does not affect other functions. The detected error has been handled by the device. Find out whether the detected error was caused by an incorrect configuration or by a temporary event (e.g. an overload) in the network.
warning: An error may have been detected with this function. This does not affect this function or other functions. Find out whether this message resulted from an incorrect configuration or a temporary event (e.g. an overload) in the network.
notice: The function is available. This message is only for information purposes (e.g. reboot, certain configuration changes).
info: The function is available. The message means normal operation, and it can be used for reports or messages. No action is necessary.
debug: The function is available. The message is useful when looking for a detected error, but not for normal operation.
Table 74: Meaning of the event attributes
Note:
The info and debug levels have been prepared for use in a future software version - while they can be selected in the current software version, they cannot be saved.
7.1.4 Advanced Settings
SNMP Logging
In the “SNMP Logging” frame, the device gives you the option to treat the SNMP requests to the device as events. Here you have the option of treating GET and SET requests separately, and of assigning a “level to report” to the event log entries created.
Frame “SNMP Logging”: Settings for treating SNMP requests to the device as events.
Log SNMP Get Requests: Creates events for SNMP Get requests with the specified “level to report”. Possible values: active, inactive. Default setting: inactive.
Level to Report (for logs of SNMP Get Requests): Specifies the level for which the device creates the event “SNMP Get Request received”. Possible values: notice, warning, error, critical, alert, emergency. Default setting: notice.
Log SNMP Set Requests: Creates events for SNMP Set requests with the specified “level to report”. Possible values: active, inactive. Default setting: inactive.
Level to Report (for logs of SNMP Set Requests): Specifies the level for which the device creates the event “SNMP Set Request received”. Possible values: notice, warning, error, critical, alert, emergency. Default setting: notice.
Table 75: SNMP logging settings
Write in persistent log file
In the “Write in persistent log file” frame, you have the option to configure the maximum size and the maximum number of the persistent log files. In addition, you can stop the current log file. This enables you to replace the ACA while the device is operating, so that the persistent log files remain consistent.
The device writes the persistent log files in the “/log” directory of the ACA. The current log file has the file name “messages”, while older log files in the archive have the names “messages.0” to “messages.97”. When the current log file attains its maximum size, the device renames it to archive file “messages.0” and opens a new current log file. The device renames the previous archive file “messages.0” to “messages.1”, “messages.1” to “messages.2”, etc. When the maximum number for persistent log files has been exceeded, the device deletes the oldest file.
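The rotation scheme just described, as an added Python simulation (not Hirschmann code) that runs against a temporary directory: “messages” is the current file, archives run “messages.0” to “messages.97”, a full file is rotated, and files beyond the maximum count are deleted. The assumption that “maximum number of files” counts the current file together with the archives is marked in the code.

```python
import os
import tempfile

CURRENT_NAME = "messages"   # name of the current log file in /log on the ACA
HIGHEST_ARCHIVE = 97        # archives run messages.0 .. messages.97


class PersistentLog:
    """Simulation of the persistent log directory. Assumption (the page does
    not say): 'maximum number of files' counts the current file plus the
    archives, which gives 1 + 98 = 99 for the largest allowed value."""

    def __init__(self, log_dir, max_size_kb, max_files):
        self.log_dir = log_dir
        self.max_size = max_size_kb * 1024
        self.max_files = max_files
        self.stopped = False        # "Stop persistent Logging (to remove ACA)"

    def _path(self, index=None):
        name = CURRENT_NAME if index is None else f"{CURRENT_NAME}.{index}"
        return os.path.join(self.log_dir, name)

    def archive_indices(self):
        """Indices N of the existing archive files messages.N, ascending."""
        prefix = CURRENT_NAME + "."
        found = [int(n[len(prefix):]) for n in os.listdir(self.log_dir)
                 if n.startswith(prefix) and n[len(prefix):].isdigit()]
        return sorted(found)

    def files(self):
        """Names of all persistent log files present, newest first."""
        names = [CURRENT_NAME] if os.path.exists(self._path()) else []
        return names + [f"{CURRENT_NAME}.{i}" for i in self.archive_indices()]

    def enabled(self):
        # Both values must be > 0 for persistent logging (note on the page).
        return self.max_size > 0 and self.max_files > 0 and not self.stopped

    def write(self, line):
        """Append one event. Returns True if it reached the persistent file;
        False means it went only to the normal event log (stopped/disabled)."""
        if not self.enabled():
            return False
        with open(self._path(), "a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\n") + "\n")
        if os.path.getsize(self._path()) >= self.max_size:
            self.rotate()
        return True

    def rotate(self):
        """messages -> messages.0, messages.N -> messages.N+1, oldest deleted,
        then a fresh current file is opened while logging is enabled."""
        for i in reversed(self.archive_indices()):       # shift highest first
            if i + 1 > HIGHEST_ARCHIVE:
                os.remove(self._path(i))
            else:
                os.replace(self._path(i), self._path(i + 1))
        if os.path.exists(self._path()):
            os.replace(self._path(), self._path(0))
        for i in self.archive_indices():                 # enforce the count
            if i > self.max_files - 2:                   # room for max_files-1 archives
                os.remove(self._path(i))
        if self.enabled():
            open(self._path(), "a", encoding="utf-8").close()

    def set_max_size_kb(self, kb):
        """Size 0 closes and archives the current file and ends writing."""
        self.max_size = kb * 1024
        if kb == 0:
            self.rotate()

    def set_max_files(self, n):
        """Count 0 deletes the existing log files and ends writing."""
        self.max_files = n
        if n == 0:
            for name in self.files():
                os.remove(os.path.join(self.log_dir, name))

    def stop_logging(self, stop):
        """Lock the current file before pulling the ACA, unlock afterwards."""
        self.stopped = stop
        if not stop and self.max_size > 0 and self.max_files > 0:
            open(self._path(), "a", encoding="utf-8").close()   # new current file


def demo(max_size_kb=1, max_files=3, events=12, stop_after=None):
    """Constructed run in a temporary directory: 260-byte event lines, so a
    1 KByte file rotates every four events. Returns (file names, number of
    events that reached the persistent file)."""
    with tempfile.TemporaryDirectory() as d:
        log = PersistentLog(d, max_size_kb, max_files)
        persisted = 0
        for n in range(events):
            if stop_after is not None and n == stop_after:
                log.stop_logging(True)            # ACA is being replaced
            if log.write(f"{n:03d} <13> {'x' * 250}"):
                persisted += 1
        return log.files(), persisted
```

With the defaults, demo() ends with “messages”, “messages.0” and “messages.1” on the simulated ACA; events written while the file is stopped are counted as reaching only the normal event log.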
To replace the ACA while the device is operating, the device gives you the option of locking and stopping the current log file. Afterwards, the device closes the current log file. You can now remove the ACA - the log files on the ACA remain consistent. Connect another ACA and remove the lock. The device creates a new current log file on the ACA and writes the new events in this file.
Frame “Store Log persistently”: Settings for persistent log files.
Maximum size of one file in KByte: Displays the maximum size of a log file in KBytes. A maximum size of 0 closes the current log file, archives it, and ends the writing of persistent log files. Possible values: 0 - 4,096 KBytes. Default setting: 0 KByte.
Maximum number of files: Defines the maximum number of log files on the ACA. The number 0 deletes the existing log files and ends the writing of persistent log files. Possible values: 0 - 99. Default setting: 0.
Stop persistent Logging (to remove ACA): Lock and stop the current persistent log file. Activate the lock to replace the ACA, and deactivate the lock again afterwards. Possible values: active, inactive. Default setting: inactive.
Table 76: Settings for persistent log files
Note:
To activate persistent log files, set both the maximum size and the maximum number of log files to values > 0.
Note:
Only select the events you require to be written in the log file, as the data write rate of the ACA is limited.
Note:
To replace the ACA while the device is operating, first stop the logging in the persistent log file and click on “Write”. Now replace the ACA. Afterwards, remove the lock on the log file and click “Write” again.
Note:
Log events that occur while the persistent log file is stopped are only written to the normal event log by the device.
7.2 Ports
The port menu contains displays and tables for the individual ports:
– Utilization
– Statistics table
– ARP entries
7.2.1 Network Load
This table displays the network load at the individual ports.
Figure 30: Network load dialog
7.2.2 Statistics table
This table shows you the contents of various port event counters. In the Basic Settings:Restart menu item, the device allows you to reset the event counters to 0 using “Cold start” or “Reset port counters”.
Port: ifIndex
Received packets: Sum of ifInUcastPkts, ifInMulticastPkts and ifInBroadcastPkts
Received Unicast packets: ifInUcastPkts
Received Multicast packets: ifInMulticastPkts
Received Broadcast packets: ifInBroadcastPkts
Received octets: ifInOctets
Packets discarded on the receiving side: ifInDiscards
Received packets with detected errors: ifInErrors
Received unknown protocols: ifInUnknownProtos
Sent Unicast packets: ifOutUcastPkts
Sent Multicast packets: ifOutMulticastPkts
Sent Broadcast packets: ifOutBroadcastPkts
Sent octets: ifOutOctets
Packets discarded on the sending side: ifOutDiscards
Sent packets with detected errors: ifOutErrors
Table 77: MIB variables in the statistics table
Note:
In PPPoE mode not all PPPoE packets are counted in the external interface counter statistics.
Figure 31: Example of a port statistic table
7.2.3 ARP
This table shows you the ARP entries for each port. The device uses the Address Resolution Protocol (ARP) to determine the MAC address relating to the IP address of a device, and it saves this allocation in the ARP table.
Port: Displays the port to which this entry applies.
IP Address: Displays the IP address of a device that responded to an ARP query to this port.
MAC Address: Displays the MAC address of a device that responded to an ARP query to this port.
Last Updated: Display of the system uptime when this entry was last updated (in days, hours, minutes and seconds).
Type: Displays the type of the entry:
– static: static ARP entry that remains even after the ARP table is deleted.
– dynamic: dynamic entry. If the device does not receive any data during the “Aging Time”, it deletes the entry from the table after the time has elapsed.
– local: IP and MAC address of the device's own port
Active: Displays the status of the entry:
– Checkmark: ARP active
– No checkmark: ARP inactive
Table 78: ARP table
Figure 32: Example of ARP entries.
7.3 Topology Discovery
This dialog allows you to switch on/off the Topology Discovery function (Link Layer Discovery Protocol, LLDP). The topology table shows you the collected information for neighboring devices. This information enables the network management station to map the structure of your network.
Figure 33: Topology Discovery dialog
If several devices are connected to one port, for example via a hub, the table will contain one line for each connected device.
When devices both with and without an active topology discovery function are connected to a port, the topology table hides the devices without active topology discovery.
When only devices without active topology discovery are connected to a port, the table will contain one line for this port to represent all devices. This line contains the number of connected devices.
7.4 Device Status
The device status provides an overview of the overall condition of the device. Many process visualization systems record the device status for a device in order to present its condition in graphic form.
The device displays its current status as "Error" or "OK" in the "Device Status" frame. The device determines this status from the individual monitoring results.
Figure 34: Device Status Dialog
The events which can be selected are:
Power Supply ...: Monitor/ignore supply voltage(s).
Temperature: Monitor/ignore the temperature threshold setting for temperatures that are too high/too low.
ACA Removal: Monitor/ignore the removal of the ACA.
ACA not in sync: Monitor/ignore non-matching of the configuration on the device and on the ACA (a).
Connection Error: Monitor/ignore the link status of at least one port. The reporting of the link status can be masked for each port by the management. Link status is not monitored in the state on delivery. In order to monitor connection errors, you also need to select the box for each required port in the “Propagate connection error” column of the Basic settings:Port configuration dialog (see on page 33 “Port Configuration”).
Table 79: Device Status
a. The configurations are non-matching if only one file exists or the two files do not have the same content.
Select "Generate Trap" in the "Trap Configuration" field to activate the sending of a trap if the device state changes.
Note:
With a non-redundant voltage supply, the device reports the absence of a supply voltage. If you do not want this message to be displayed, feed the supply voltage over both inputs or switch off the monitoring (see on page 176 “Signal contact”).
7.5 Signal contact
The signal contacts are used for
– monitoring the functions of the device,
– controlling external devices by manually setting the signal contacts,
– reporting the device state of the device (default setting).
7.5.1 Function Monitoring
In the “Mode Signal contact” box, you select the “Monitoring correct operation” mode. In this mode, the signal contact is used to monitor the operation of the device, thus enabling remote diagnostics. The device uses the potential-free signal contacts (relay contact, closed circuit) to report a break in contact:
– detected outage of power supply 1/2 or detected continuous device malfunction (internal voltage). Select “Monitor” for power supply 1/2 if the signal contact should report the detected outage of a power supply or the internal 3.3 V voltage.
– the temperature thresholds set have been exceeded or have not been reached (see on page 17 “System Data”). Select “Monitor” for the temperature if the signal contact should report an impermissible temperature.
– the removal of the ACA. Select “Monitor” for the ACA removal if the signal contact should report the removal of the ACA.
– the current configuration on the device and the ACA do not match. Select “Monitor” for a non-synchronous ACA if the signal contact should report this non-matching.
– the interrupted connection to at least one port. In its delivery state, the device ignores the link status. In order to monitor detected connection errors, you also need to select the box for each required port in the Propagate connection error table column in the Basic settings: Port configuration dialog.
7.5.2 Manual Setting
In the “Signal Contact Mode” field, you select the “Manual setting” mode. With this mode you can control this signal contact remotely. Select “Opened” in the “Manual setting” field to open the contact.
Select “Closed” in the “Manual setting” field to close the contact.
Application options:
– Simulation of a detected error during SPS error monitoring.
– Remote control of a device via SNMP, such as switching on a camera.
7.5.3 Device Status
In the “Signal Contact Mode” field, you select the “Device Status” mode. In this mode, the signal contact is used to monitor the device status of the device (see on page 174 “Device Status”) and thereby makes remote diagnosis possible.
A break in contact is reported with the device status “Error” via the potential-free signal contact (relay contact, closed circuit).
7.5.4 Configuring Traps
Select “Generate Trap” if the device is to create a trap as soon as the position of a signal contact changes when function monitoring is active.
Figure 35: Signal Contact Dialog
7.6 Alarms (Traps)
This dialog allows you to determine which events trigger an alarm (trap) and where these alarms should be sent.
Click “Create Entry...” to open the dialog window for entering a name and the IP address of the recipient to whom the traps are to be sent.
Confirm the entries with “OK”. You thus create a new row in the table for this recipient.
In the “Enabled” column, you mark the entries that the device should take into account when it sends traps. Default setting: inactive.
In the “Configuration” frame, select the trap categories from which you want to send traps. Default setting: all trap categories are active.
The events which can be selected are:
Login: An access or an access attempt to the device has been made via the serial interface or via the network (SSH).
Authentication: The device has rejected an unauthorized access attempt.
Chassis: Summarizes the following events:
– The status of a supply voltage has changed.
– The status of the signal contact (see on page 176 “Signal contact”) has changed. To take this event into account, you activate “Create trap when status changes” in the Diagnostics:Signal Contact dialog.
– The device status has changed. To take this event into account, you activate “Create trap when status changes” in the dialog “Device Status”.
– If the SNTP function is active: the synchronization with the SNTP server (see on page 77 “SNTP configuration”) was created or interrupted.
– If the NTP function is active: the synchronization with the NTP server (see on page 80 “NTP Configuration”) was created or interrupted.
– The AutoConfiguration Adapter, ACA, has been added or removed.
– The temperature threshold has been exceeded/not reached.
Cold Start: The device has been powered on and can be managed.
Link Status: At one port of the device, the link to a device connected there has been established/interrupted.
Redundancy: If router redundancy is active: the router redundancy status (master router/backup router) (see on page 155 “Router Redundancy”) of the device has changed.
Firewall: A user of the firewall (see on page 64 “User Firewall Accounts”) has logged in, logged off, or the login has been unsuccessful.
VPN: A VPN connection was created or interrupted.
Table 80: Trap categories
Figure 36: Alarms (Traps) Dialog
7.7 Report
The following reports are available for the diagnostics:
– System Information
7.7.1 System Information
The system information is an HTML file containing the relevant data about the system.
Figure 37: System Information Dialog
Click on “Show System Info”. The device displays the system information as an HTML file. Click on
– “Back” to return to the system information window.
– “Reload” to update the display.
– “Search...” to search the system information file for a keyword or a regular expression.
– “Save...” if you need the system information as an external file. In the file selection window, select the desired directory, enter a name for the file, and click on “Save”.
7.8 MAC Firewall List
The MAC Firewall List shows the rules created by the user, together with the implicit rules of the Layer 2 (MAC) Firewall entered by the system. This list can help you to understand event log entries, and it enhances your overview of the Firewall configuration.
Index: Sequential line index.
Rule Group: Internal classification of the rules. Possible values:
– Default Rules
– Miscellaneous
– Rate Limits (DoS)
– Special Traffic
Reference: Internal information for the service technician.
Interface: Interface to which this rule applies. Possible values:
– any = all
– egress = device-specific data
– external = external port
– internal = internal port
– mirror = bridge interface in Transparent Mode
Source Address: MAC address of the actual source of the data packet. Entry format: 11:22:33:44:55:66. Entering “?” enables wildcards to be used. Example: 1?:22:??:44:55:6?
Destination Address: MAC address of the actual destination of the data packet. Entry format: 11:22:33:44:55:66. Entering “?” enables wildcards to be used. Example: 1?:22:??:44:55:6?
Protocol: Protocol in the type field of the MAC data packet.
Action: Action that the Firewall performs if the rule applies. Possible values: accept, drop.
Table 81: MAC Firewall List
Log: Entry in the event list if the rule applies. Possible values: Yes, No.
Match Count: Counter that records how often the rule has already applied. Possible values: 0 - 4,294,967,295 (2^32 - 1).
Table 81: MAC Firewall List (continued)
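As an added example (not Hirschmann code), the following Python models how MAC Firewall List entries written in the format above, including “?” wildcards, are matched against a frame, for instance when reconstructing why a logged frame hit a particular rule. The first-match order, the catch-all entry “??:??:??:??:??:??” and the constructed rule set are assumptions, not taken from a device.

```python
import re

HEX = "0123456789abcdef"


def mac_pattern_to_regex(pattern):
    """Compile a list entry such as '1?:22:??:44:55:6?' into an anchored
    regex: '?' stands for exactly one hex digit, every other digit is literal."""
    octets = pattern.strip().lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"MAC entry must have six two-digit octets: {pattern!r}")
    pieces = []
    for octet in octets:
        for ch in octet:
            if ch == "?":
                pieces.append("[0-9a-f]")
            elif ch in HEX:
                pieces.append(ch)
            else:
                raise ValueError(f"invalid character {ch!r} in {pattern!r}")
        pieces.append(":")
    return re.compile("^" + "".join(pieces[:-1]) + "$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the colon form used by the list."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacRule:
    """One line of the MAC Firewall List, restricted to the columns the
    page documents; ``log`` and ``match_count`` mirror the columns."""

    def __init__(self, index, interface, source, destination, action, log=False):
        if interface not in ("any", "egress", "external", "internal", "mirror"):
            raise ValueError(f"unknown interface {interface!r}")
        if action not in ("accept", "drop"):
            raise ValueError(f"unknown action {action!r}")
        self.index = index
        self.interface = interface
        self.source = mac_pattern_to_regex(source)
        self.destination = mac_pattern_to_regex(destination)
        self.action = action
        self.log = log
        self.match_count = 0

    def matches(self, interface, src_mac, dst_mac):
        if self.interface != "any" and self.interface != interface:
            return False
        return bool(self.source.match(src_mac) and self.destination.match(dst_mac))


def evaluate(rules, interface, src_mac, dst_mac):
    """Walk the list in index order; the first matching rule decides
    (assumption: the page does not state the evaluation order). Returns
    (action, index, log_line); log_line is None when the Log column is No,
    and (None, None, None) means no rule matched."""
    src = normalize_mac(src_mac)
    dst = normalize_mac(dst_mac)
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(interface, src, dst):
            rule.match_count += 1
            log_line = None
            if rule.log:
                log_line = (f"MAC rule {rule.index} ({rule.action}) matched on "
                            f"{interface}: {src} -> {dst}")
            return rule.action, rule.index, log_line
    return None, None, None


def demo_rules():
    """Constructed rule set: drop and log frames from one wildcard source
    block on the external port, accept everything else."""
    return [
        MacRule(1, "external", "1?:22:??:44:55:6?", "??:??:??:??:??:??", "drop", log=True),
        MacRule(2, "any", "??:??:??:??:??:??", "??:??:??:??:??:??", "accept"),
    ]


def run_demo():
    """Three constructed frames through demo_rules(); returns the decisions
    and the final Match Count of each rule."""
    rules = demo_rules()
    decisions = [
        evaluate(rules, "external", "1A:22:0F:44:55:6B", "ff:ff:ff:ff:ff:ff")[:2],
        evaluate(rules, "internal", "1a:22:0f:44:55:6b", "ff:ff:ff:ff:ff:ff")[:2],
        evaluate(rules, "external", "1a:23:0f:44:55:6b", "00:11:22:33:44:55")[:2],
    ]
    return decisions, [r.match_count for r in rules]
```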
7.9 IP Firewall List
The IP Firewall List shows the rules created by the user, together with the implicit rules of the Layer 3 (IP) Firewall entered by the system. This list can help you to understand event log entries, and it enhances your overview of the Firewall configuration.
Index: Sequential line index.
Rule Group: Internal classification of the rules. Possible values:
– Special Traffic
– Miscellaneous
– Rate Limits
– VPN
– HTTPS Access
– SSH Access
– SNMP Access
– PPP Packet Filter
– Packet Filter IP Outgoing
– Packet Filter IP Incoming
– Default Rules
Reference: Internal information for the service technician.
Interface: Interface to which this rule applies. Possible values:
– any = all
– egress = device-specific data
– external = external port
– internal = internal port
– mirror = bridge interface in Transparent Mode
– loopback
– ppp (serial) = V.24 port
Source Network: IP Address with Netmask (CIDR) of the actual source of the data packet. Possible values: IP Address with Netmask, any = all, me = own IP address.
Source Port: Logical source port of the data packet. Possible values: any = all, op port, port 1 op port 2.
Destination Network: IP Address with Netmask (CIDR) of the actual destination of the data packet. Possible values: IP Address with Netmask, any = all, me = own IP address.
Table 82: IP Firewall List
Destination Port: Logical destination port of the data packet. Possible values: any = all, op port, port 1 op port 2.
Protocol: IP protocol. Possible values: any = all, tcp, udp, icmp.
Action: Action that the Firewall performs if the rule applies. Possible values: accept, drop, reject.
Log: Entry in the event list if the rule applies. Possible values: Yes, No.
Match Count: Counter that records how often the rule has already applied. Possible values: 0 - 4,294,967,295 (2^32 - 1).
Table 82: IP Firewall List (continued)
7.10 Configuration Check
The device enables you to compare its configuration with those of its neighboring devices. For this purpose, it uses the data that it received from its neighboring devices via topology recognition (LLDP). The dialog lists the deviations detected which affect the performance of the communication between the device and the recognized neighboring devices. You update the table's content via the "Reload" button. If the table remains empty, the configuration check was successful and the device's configuration is compatible with the recognized neighboring devices.
Note:
A neighboring device without LLDP support, which forwards LLDP packets, may be the cause of equivocal messages in the dialog. This occurs if the neighboring device is a hub or a switch without management, which ignores the IEEE 802.1D-2004 standard. In this case, the dialog displays the devices recognized and connected to the neighboring device as connected to the switch port, even though they are connected to the neighboring device.
Figure 38: Configuration Check
Port: Port to which this entry applies.
Neighbour System Name: System name of the neighboring device (see on page 17 “System Data”).
Neighbour IP Address: IP address of the neighboring device with LLDP function.
Neighbour Port: Displays information on the neighboring device.
Neighbour Type: Displays the type of the neighboring device. Written in
– Capital letters: The device has this function, and the function is activated.
– Lower-case letters: The device has this function, and the function is deactivated.
Status: Displays the configuration status:
– Green circle with checkmark: The configuration of this device and the configuration of the neighboring device are compatible. Communication between the two devices is okay.
– Yellow triangle: The configuration of this device and the configuration of the neighboring device do not match. The performance of the communication between the two devices could be endangered. Select this row to obtain further information in the window below.
– Red square with X: The configuration of this device and the configuration of the neighboring device are not compatible. Communication between the two devices is endangered. Select this row to obtain further information in the window below.
– Blue circle with question mark: Configuration data is not available for the neighboring device. Select this row to obtain further information in the window below.
Reason: If a reason is entered in a row, selecting this row displays more detailed information on this reason in the window below.
Table 83: Configuration Check table
7.11 Reachability Test (Ping)
This dialog allows you to perform a reachability test (ping) for any IP address directly from the device.
For special cases, such as a reachability test through a VPN tunnel, you can specify the source address of the pings manually.
Figure 39: Ping dialog (reachability test)
Source Address: Sending address for the ICMP Echo requests (pings), normally 0.0.0.0. When the source address is 0.0.0.0, the Firewall uses the IP address of the interface at which the pings are sent. The Firewall determines the interface from the destination address and the routing table. For special cases (e.g. to help ensure that the reachability test uses a specific VPN tunnel), use a different IP address. State on delivery: 0.0.0.0. Possible values: IPv4 address, normally 0.0.0.0.
Destination Address: Destination address for the ICMP Echo requests (pings). State on delivery: 0.0.0.0. Possible values: any IPv4 address to be tested, not 0.0.0.0.
Start Ping: Click “Start Ping” to start the reachability test. After some seconds, the device displays the result as a text in a new dialog window.
Table 84: Ping dialog table
8 Advanced
The Advanced menu contains the dialogs:
– DNS
– Packet Forwarding
– DHCP Relay Agent
– DHCP Server
8.1 DNS
The Domain Name System (DNS) allows names (e.g. www.example.de) to be used on the Internet instead of IP addresses. When entering host names, e.g. to create a connection with a remote terminal, a device (e.g. a PC) starts a DNS request on one or more DNS servers for the related IP address (name resolution). The DNS server that knows the requested name resolution passes the related IP address to the requesting device (DNS client). The DNS servers can be reached via the Internet service provider, or they can be installed in the local network.
The EAGLE One device provides you with a DNS cache function. It saves the result of the name resolution for a specific period - the maximum period is until a restart - in the temporary memory (cache). Thus the EAGLE One device can reply to additional DNS requests for which the result is already stored in the cache, without requiring a repeat DNS request at a DNS server. This reduces the workload of the responsible DNS server, and you receive the reply faster.
A DynDNS service enables you to have a name (DynDNS host name) registered there, by means of which a device (e.g. PC for administering the Firewall) can also determine dynamically allocated IP addresses.
8.1.1 DNS Server
This dialog allows you to enter one or more DNS servers on which the device searches for a name resolution. Thus, when a device is setting up a connection to a remote terminal via a host name (e.g. VPN gateway), the device can determine the related IP address for this host name as a DNS client.
In the “DNS Client Configuration” field, select the DNS server which the device accesses for a name resolution.
Provider: The DNS client of the device sends DNS requests to the DNS servers that were allocated to the device by the Internet service provider (e.g. via DHCP Client or PPPoE).
User: The DNS client of the device sends DNS requests to the DNS (root) servers entered in the four fields by the user, in the sequence of the entries. If a DNS (root) server is not available, then entering more than one DNS (root) server enables the device to switch to another DNS (root) server. In user mode, the device ignores the DNS servers allocated by an Internet service provider.
Figure 40: DNS server
8.1.2 DynDNS
Register with the DynDNS service before using the DynDNS function. The device allows you to register on the www.DynDNS.org website or on another website of your choice. This dialog allows you to enter the registration data from this registration at the DynDNS service. Via the registered host name, the device can also be accessed via the Internet under this name in the case of dynamically allocated IP addresses (in PPPoE mode).
Provider: Select the website of the DynDNS provider:
– dyndns-org: website www.DynDNS.org
– other: your choice for another DynDNS provider
If you reset the provider from “other” to “dyndns-org”, the device resets the settings for “Server” and “CheckIP Server” to the default settings of DynDNS.org.
Register: Checkmarked: The DynDNS service is activated. At the intervals entered under “Refresh”, the device checks its IP address, and if this changes it passes the new address to the DynDNS service for registration. Not checkmarked: The DynDNS service is deactivated.
Server: Enter the DNS server. Use the default settings of the DynDNS provider you have selected under “Provider”. Default setting: DNS server “members.dyndns.org” proposed by DynDNS.org.
CheckIP Server: Enter the CheckIP server for checking the IP address of a device. Use the default settings of the DynDNS provider you have selected under “Provider”. Default setting: CheckIP server “checkip.dyndns.org” proposed by DynDNS.org.
Login: Enter the login name from the registration at the DynDNS provider selected by you, e.g. at DynDNS.org.
Password: Enter the password from the registration at the DynDNS provider selected by you, e.g. at DynDNS.org.
Hostname: Enter the host name from the registration at the DynDNS provider selected by you, e.g. at DynDNS.org.
Refresh: Refresh interval in minutes. Possible values: 1-6000, default setting 10.
Status: Displays the status of the DynDNS client (see on page 199 “DynDNS - Status of DynDNS Client”).
Table 85: DynDNS
Inactive: DynDNS is not active (e.g. “Register” is not selected, or the DNS server is not configured).
No change / in progress: DynDNS is active and checks whether the IP address has changed, and thus whether the device has to refresh the IP address stored in the DynDNS service.
Good / update done: The device has successfully updated the IP address stored in the DynDNS service.
Bad user / bad password: The DNS server of the DynDNS service has rejected the login of the user (login and/or password incorrect).
No such host in system: The DynDNS service does not recognize the host name entered.
Invalid hostname format: The host name entered does not have a valid format (FQDN = Fully Qualified Domain Name).
Host not in this account: The host name entered is not known for this DynDNS account (the host name does not belong to this user).
No change: The DynDNS service has registered the same host name/IP address pair twice.
Host has been blocked: The DynDNS service has registered the same host name/IP address pair multiple times (the entry on the DynDNS service was thus blocked).
Table 86: DynDNS - Status of DynDNS Client
Figure 41: DynDNS
8.2 Packet Forwarding
This dialog allows you to activate and deactivate the forwarding of RSTP, GMRP and DHCP data packets in the Transparent Mode (see on page 22 “Transparent Mode”). If packet forwarding is activated, then the device is transparent for these packets. In Router mode, these settings have no effect, because the device does not forward any packets on layer 2 in Router mode.
RSTP: Activate/deactivate the forwarding of Rapid Spanning Tree Protocol (RSTP) data packets. The RSTP enables redundancy by interrupting loops in multiple, redundant connections between subnetworks. Default setting: On.
GMRP: Activate/deactivate the forwarding of GMRP data packets. The GMRP (GARP Multicast Registration Protocol) controls the forwarding of multicasts. The network load is reduced by the device only forwarding the multicasts to the devices registered using GMRP. Default setting: Off.
DHCP: Activate/deactivate the forwarding of DHCP data packets. Devices with DHCP as the configuration mode get their configuration data from a DHCP server. Thus they can be very easily incorporated or replaced. Default setting: Off.
Table 87: Packet Forwarding
Note:
Forwarding of DHCP data packets only works in Transparent mode. If you are operating the device in Router mode, the device allows you to enable DHCP traffic via the DHCP relay (see on page 202 “DHCP Relay Agent”).
Figure 42: Packet Forwarding
8.3 DHCP Relay Agent
This dialog allows you to configure the DHCP relay agent.
Note:
The DHCP relay agent only works in router mode. If you are running the device in transparent mode, you can enable DHCP traffic via the “Packet forwarding” setting (see on page 200 “Packet Forwarding”).
Note:
The DHCP relay agent enters the IP address of the interface at which the packet was received as the source address when forwarding DHCP packets to the server. Enter a route for this interface address in the configuration of your DHCP server to help ensure communication.

Parameter: Server IP address
Meaning: Enter the DHCP server IP address. If one DHCP server is not available, then you can enter up to three additional DHCP server IP addresses, so that the device can change to another DHCP server.

Parameter: DHCP Relay Status
Meaning: Display the DHCP relay status. The DHCP relay function is active if
– at least one IP address is entered in “Server IP Address” and
– the DHCP server is not active on either of the two interfaces.

Parameter: Hirschmann Device
Meaning: Checkmark the interfaces to which a Hirschmann device is connected. You thus help ensure that the DHCP server allocates the same IP address to a replacement Hirschmann device.
Note: Because the Firewall is a security device, it only supports standard DHCP. For this reason, do not checkmark the interfaces to which an EAGLE One is connected.

Table 88: DHCP Relay Agent
Figure 43: DHCP Relay Agent dialog
Note:
In the Enhanced:Packet Forwarding dialog, deactivate the forwarding of DHCP packets.
8.4 DHCP Server
The DHCP Server dialogs allow you to very easily include new devices (clients) in your network or exchange them in your network: When you select DHCP as the configuration mode for the client, the client gets the configuration data from the DHCP server.
The DHCP server assigns to the client:
– a fixed IP address (static) or an address from an address range (dynamic),
– the netmask,
– the gateway address,
– the DNS server address,
– the WINS server address and
– the lease time.
You can also specify for each port a URL for transferring additional configuration parameters to the client.
8.4.1 Pool
This dialog allows you to closely control the allocation of IP addresses. You can activate or deactivate the DHCP server for each port or for each VLAN. For this purpose, the DHCP server provides what is known as an IP address pool (in short “pool”) from which it allocates IP addresses to clients. The pool consists of a list of entries. An entry can define a specific IP address or a connected IP address range. You can choose between dynamic and static allocation.
An entry for dynamic allocation applies to the port of the device for which you activate the DHCP server. If a client makes contact at this port, the DHCP server allocates a free IP address from the pool entry for this port.
For dynamic allocation, create a pool entry for a port and enter the first and last IP addresses for the IP address range. Leave the MAC Address, Client ID, Remote ID and Circuit ID fields empty. You have the option to create 1 pool entry for each port.
With static allocation, the DHCP server each time allocates the same IP address to a client. The DHCP server identifies the client using a unique hardware ID. A static address entry can only contain 1 IP address and applies to the related port of the device.
For static allocation, create a pool entry for the port, enter the IP address, and leave the “Last IP Address” field empty. Enter a hardware ID with which the DHCP server uniquely identifies the client. This ID can be a MAC address, a client ID, a remote ID or a circuit ID. If a client makes contact with a known hardware ID, the DHCP server allocates the static IP address.
The table shows you the configured entries of the DHCP server pool. You have the option to create a new entry, edit an existing entry or delete entries.
You have the option to create 1 pool entry for each port of the device. The pools can contain up to 64 entries altogether.
Click “Create entry” to create a new entry. The device displays a new dialog. Fill in the fields you require, then click “Write”. Click on “Back” to return to the “Pool” dialog.
Parameter: Port
Meaning: Port to which this entry applies.
Value range: internal (port 1), external (port 2)
Default setting: internal (port 1)

Parameter: Active
Meaning: Activates or deactivates the pool entry.
Value range: On, Off
Default setting: Off

Parameter: IP Address
Meaning: For a dynamic address entry: the 1st address of the IP address pool that the DHCP server allocates to a client. For a static address entry: the IP address that the server each time allocates to the same client.
Value range: Valid IPv4 address
Default setting: -

Parameter: Last IP Address
Meaning: For a dynamic address entry: the last address of the IP address pool that the DHCP server allocates to a client.
Value range: Valid IPv4 address

Table 89: DHCP server pool settings, IP address basic settings
Parameter: Lease time [s]
Meaning: Time in s for which the DHCP server allocates the address to the client. Within the lease time, the client can apply for an extension. If the client does not apply for an extension, after it has elapsed the DHCP server takes the IP address back into the pool and allocates it to any client that requires it.
Value range: 1 s - 4294967295 s (2^32 - 1 s)
Default setting: 86400 s (1 day)

Parameter: MAC Address
Meaning: For a static address entry: MAC address with which the client identifies itself.
Value range: MAC address of the client that contains the static IP address

Parameter: Gateway
Meaning: IP address of the DHCP relay via which the client makes its request. If the DHCP server receives a request via another DHCP relay, it ignores this. If there is no DHCP relay between the client and the DHCP server, leave these fields empty.
Value range: IPv4 address of the DHCP relay

Parameter: Client ID
Meaning: For a static address entry: Client ID with which the client identifies itself.
Value range: Client ID of the client that contains the static IP address (a)

Parameter: Remote ID
Meaning: For a static address entry: Remote ID with which the client identifies itself.
Value range: Remote ID of the client that contains the static IP address (a)

Parameter: Circuit ID
Meaning: For a static address entry: Circuit ID with which the client identifies itself.
Value range: Circuit ID of the client that contains the static IP address (a)

Parameter: Hirschmann Device
Meaning: Checkmark the rows in which a Hirschmann device is entered as a client. You thus help ensure that the DHCP server allocates the same IP address to a replacement Hirschmann device.
Note: Because an EAGLE One device is a security device, it only supports standard DHCP. For this reason, do not checkmark the rows in which an EAGLE One device is entered.
Note: When replacing a client device, change the MAC address to that of the new client.
Value range: On, Off
Default setting: Off

Table 90: DHCP server pool settings, mode of address allocation

(a) A client, remote or circuit ID consists of 1 - 255 bytes in hexadecimal form (00 - ff), separated by spaces.
Parameter: Configuration URL
Meaning: TFTP URL, from which the client can obtain additional configuration information. Enter the URL in the form tftp://server name or ip address/directory/file.
Value range: Valid TFTP URL

Parameter: Default gateway
Meaning: Default gateway entry for the client.
Value range: Valid IPv4 address

Parameter: Netmask
Meaning: Netmask entry for the client.
Value range: Valid IPv4 netmask

Parameter: WINS Server
Meaning: WINS (Windows Internet Name Service) entry for the client.
Value range: Valid IPv4 address

Parameter: DNS Server
Meaning: DNS server entry for the client.
Value range: Valid IPv4 address

Parameter: Hostname
Meaning: Host name for the client. If this name is entered, it overwrites the system name of the client.
Value range: Max. 64 ASCII characters in the range 0x21 (!) - 0x7e (~).
Default setting: - (no host name)

Table 91: DHCP server pool settings, option allocation to the client
Figure 44: DHCP Server Pool per Port dialog
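The pool rules described in this section (a static entry carries one IP address plus a hardware ID, a dynamic entry carries a range and no IDs, IDs are 1-255 space-separated hex bytes, a Gateway entry makes the server ignore requests relayed via any other relay), as an added Python model that is not the device's firmware. The port names, field names and the reading that a static entry needs at least one hardware ID are assumptions taken from the tables above, and the pool below is constructed sample data.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PORTS = ("internal", "external")   # port 1 and port 2 of the EAGLE One
MAX_POOL_ENTRIES = 64              # pool limit stated in the manual
MAX_LEASE_TIME = 2**32 - 1         # upper end of the lease time range
# client, remote and circuit IDs: 1-255 bytes in hex (00-ff), separated by spaces
HEX_ID = re.compile(r"[0-9a-f]{2}( [0-9a-f]{2}){0,254}", re.IGNORECASE)
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


@dataclass
class PoolEntry:
    port: str
    ip: str
    last_ip: Optional[str] = None       # set only for a dynamic (range) entry
    mac: Optional[str] = None
    client_id: Optional[str] = None
    remote_id: Optional[str] = None
    circuit_id: Optional[str] = None
    gateway: Optional[str] = None       # relay address requests must arrive through
    lease_time: int = 86400
    hostname: Optional[str] = None
    active: bool = True

    def is_static(self) -> bool:
        return self.last_ip is None

    def hardware_ids(self) -> dict:
        ids = {"mac": self.mac, "client_id": self.client_id,
               "remote_id": self.remote_id, "circuit_id": self.circuit_id}
        return {k: v.lower() for k, v in ids.items() if v}


def validate_entry(e: PoolEntry) -> List[str]:
    """Return the rule violations for one pool entry; an empty list means it is acceptable."""
    errs = []
    if e.port not in PORTS:
        errs.append("unknown port")
    try:
        first = ipaddress.IPv4Address(e.ip)
        last = ipaddress.IPv4Address(e.last_ip) if e.last_ip else first
    except ValueError:
        return errs + ["invalid IPv4 address"]
    ids = e.hardware_ids()
    if e.is_static() and not ids:   # assumed reading: a static entry needs an ID
        errs.append("static entry needs a hardware ID (MAC, client, remote or circuit ID)")
    if not e.is_static() and ids:
        errs.append("dynamic entry must leave the hardware ID fields empty")
    if last < first:
        errs.append("last IP address lies below the first IP address")
    if e.mac and not MAC_RE.fullmatch(e.mac):
        errs.append("MAC address must have the form xx:xx:xx:xx:xx:xx")
    for name in ("client_id", "remote_id", "circuit_id"):
        if name in ids and not HEX_ID.fullmatch(ids[name]):
            errs.append(f"{name} must be 1-255 hex bytes separated by spaces")
    if not 1 <= e.lease_time <= MAX_LEASE_TIME:
        errs.append("lease time must be 1 s .. 4294967295 s")
    if e.hostname and (len(e.hostname) > 64 or not all(0x21 <= ord(c) <= 0x7E for c in e.hostname)):
        errs.append("hostname must be at most 64 ASCII characters in 0x21..0x7e")
    return errs


def validate_pool(pool: List[PoolEntry]) -> List[str]:
    errs = ["pool exceeds 64 entries"] if len(pool) > MAX_POOL_ENTRIES else []
    return errs + [f"entry {i}: {m}" for i, e in enumerate(pool) for m in validate_entry(e)]


def select_entry(pool, port, giaddr=None, **request_ids) -> Optional[PoolEntry]:
    """Pick the entry serving a request on `port`: static ID match first, else the port's range."""
    req = {k: v.lower() for k, v in request_ids.items() if v}
    usable = [e for e in pool if e.active and e.port == port and not validate_entry(e)
              and (e.gateway is None or e.gateway == giaddr)]   # ignore other relays
    for e in usable:   # static: the configured ID must equal what the client presented
        if e.is_static() and any(req.get(k) == v for k, v in e.hardware_ids().items()):
            return e
    return next((e for e in usable if not e.is_static()), None)
```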
8.4.2 Lease Table
The lease table shows you the IP addresses that the DHCP server has currently allocated.
The device displays the related details for every IP address allocated.
The device allows you to allocate up to 1,024 addresses.
Parameter: Port
Meaning: Port to which this entry applies.
Value range: internal (port 1), external (port 2)

Parameter: IP address
Meaning: IP address that the DHCP server has allocated to the device with the specified MAC address.
Value range: An IPv4 address from the pool.

Parameter: Status
Meaning: Status of the DHCP address allocation according to the Dynamic Host Configuration Protocol.
Value range: bootp, offering, requesting, bound, renewing, rebinding, declined, released

Parameter: Remaining Lifetime [s]
Meaning: Time remaining in seconds until the validity of the IP address elapses, unless the client applies for an extension.

Parameter: Leased MAC Address
Meaning: MAC address of the client that is currently leasing the IP address.
Value range: Format xx:xx:xx:xx:xx:xx

Parameter: Gateway
Meaning: IP address of the DHCP relay via which the client has made the request.
Value range: IPv4 address or empty

Parameter: Local (client) ID
Meaning: The client ID that the client submitted for the DHCP request.
Value range: (a)

Parameter: Remote ID
Meaning: The remote ID that the client submitted for the DHCP request.
Value range: (a)

Parameter: Circuit ID
Meaning: The circuit ID that the client submitted for the DHCP request.
Value range: (a)

Table 92: DHCP lease table

(a) A client, remote or circuit ID consists of 1 - 255 bytes in hexadecimal form (00 - ff), separated by spaces.
Figure 45: DHCP Server Lease Table dialog
9 Logout
This dialog allows you to configure automatic logging out for the various user interfaces. In addition, you can also log out from the graphical user interface immediately.
Graphical user interface: activate/deactivate the automatic logging out and set the time period for automatic logging out. Also immediate logging out from the graphical user interface.
SSH connection: time period for automatic logging out.
Command Line Interface (V.24): activate/deactivate the automatic logging out and set the time period for automatic logging out.
Graphical user interface

Parameter: Log out now
Meaning: Immediate logout by clicking on “Log out now”.

Parameter: Automatically
Meaning: Switch the automatic logout function on/off.
Possible values: On/Off
Default setting: On

Parameter: After [min]
Meaning: Enter the time in minutes after which the device ends the connection if you have not made any entries.
Possible values: 0-120 (0: Off)
Default setting: 5 (On)

SSH Connection

Parameter: Automatically after [min]
Meaning: Enter the time in minutes after which the device ends the connection if you have not made any entries.
Possible values: 1-120
Default setting: 5

Command Line Interface

Parameter: Automatically
Meaning: Switch the automatic logout function on/off.
Possible values: On/Off
Default setting: On

Parameter: After [min]
Meaning: Enter the time in minutes after which the device ends the connection if you have not made any entries.
Possible values: 0-120 (0: Off)
Default setting: 5 (On)

Table 93: Logout
Note:
To get access to the device via the graphical user interface again after a logout, restart the graphical user interface and log in.
Figure 46: Logout
A General Information
A.1 List of RFCs

RFC 768: UDP
RFC 791: IP
RFC 792: ICMP
RFC 793: TCP
RFC 826: ARP
RFC 1157: SNMPv1
RFC 1155: SMIv1
RFC 1212: Concise MIB Definitions
RFC 1213: MIB2
RFC 1769: SNTP
RFC 1867: Form-Based File Upload in HTML
RFC 1901: Community based SNMP v2
RFC 1905: Protocol Operations for SNMP v2
RFC 1906: Transport Mappings for SNMP v2
RFC 1907: Management Information Base for SNMP v2
RFC 1908: Coexistence between SNMP v1 and SNMP v2
RFC 1918: Address Allocation for Private Internets
RFC 1945: HTTP/1.0
RFC 2068: HTTP/1.1 protocol as updated by draft-ietf-http-v11-spec-rev-03
RFC 2131: DHCP
RFC 2132: DHCP-Options
RFC 2233: The Interfaces Group MIB using SMI v2
RFC 2246: The TLS Protocol, Version 1.0
RFC 2271: SNMP Framework MIB
RFC 2346: AES Ciphersuites for Transport Layer Security
RFC 24xx: IPsec, IKEv1 - there are several RFCs that apply to IPsec, IKEv1
RFC 2570: Introduction to SNMP v3
RFC 2571: Architecture for Describing SNMP Management Frameworks
RFC 2572: Message Processing and Dispatching for SNMP
RFC 2573: SNMP v3 Applications
RFC 2574: User Based Security Model for SNMP v3
RFC 2575: View Based Access Control Model for SNMP
RFC 2576: Coexistence between SNMP v1, v2 & v3
RFC 2578: SMIv2
RFC 2579: Textual Conventions for SMI v2
RFC 2580: Conformance statements for SMI v2
RFC 2618: RADIUS Authentication Client MIB
RFC 2663: IP Network Address Translator (NAT) Terminology and Considerations
RFC 2818: HTTP over TLS
RFC 2851: Internet Addresses MIB
RFC 2865: RADIUS Client
RFC 2868: RADIUS Attributes for Tunnel Protocol Support
RFC 2869: RADIUS Extensions
RFC 3022: Traditional IP Network Address Translator
RFC 3164: The BSD syslog Protocol
RFC 3947: Negotiation of NAT-Traversal in the IKE
RFC 3948: UDP Encapsulation of IPsec ESP Packets
RFC 43xx: IPsec, IKEv2 - there are several RFCs that apply to IPsec, IKEv2
RFC 5905: NTPv4
A.2 Underlying IEEE Standards
IEEE 802.1AB: Link aggregation
IEEE 802.1D: Switching, GARP, GMRP, Spanning Tree (the device supports packet forwarding only)
IEEE 802.1D-1998, IEEE 802.1D-2004: Media access control (MAC) bridges (includes IEEE 802.1p Priority and Dynamic Multicast Filtering, GARP, GMRP)
IEEE 802.3-2002: Ethernet
IEEE 802.3ac: VLAN Tagging
A.3 Technical Data
VLAN
VLAN ID: 1 to 4094

Routing/Switching
Number of additional IP addresses: 32
Maximum number of static routing entries: 64

Firewall
Maximum number of IP rules (in total): 1024
Maximum number of MAC rules (in total): 256
Maximum number of SPI (Stateful Packet Inspection) entries: 4096

NAT
Maximum number of NAT rules: up to 512, depending on NAT type
Maximum number of 1:1 NAT address translation entries (mapping table): 4096 (adjustable), default setting: 1024

VPN
Maximum number of configurable connections: 256
Maximum number of simultaneously active connections: 64

DHCP Server
Maximum number of configurable IP addresses that can be leased out: 1024
Lease Time: Configurable per pool entry, default 86,400 s (1 day)
A.4 Maintenance
Hirschmann is continually working to improve and develop our software. You should regularly check whether there is a new version of the software that provides you with additional benefits. You will find software information and downloads on the product pages of the Hirschmann website.
A.4.1 Service-Shell
A service technician uses the Service Shell function for maintenance of your functioning device. If you need service support, this function allows the service technician to access internal functions of your device from an external location.
Note:
The Service Shell function is for service purposes exclusively. It gives access to internal functions of the device. Never execute internal functions without instructions from a service technician. Executing internal functions such as deleting the content of the NVM (non-volatile memory) can render your device inoperable.
Note:
Disabling the Service Shell function produces a permanent effect.
To reactivate the Service Shell function, send the device back to the manufacturer.
A.5 Copyright of Integrated Software
A.5.1 Bouncy Castle Crypto APIs (Java)
The Legion Of The Bouncy Castle
Copyright (c) 2000 - 2004 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
A.5.2 Network Time Protocol Version 4 Distribution
Copyright © David L. Mills 1992-2007
Permission to use, copy, modify, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty.
The following individuals contributed in part to the Network Time Protocol Distribution Version 4 and are acknowledged as authors of this work.
– Mark Andrews
– Michael Barone
– Marc Brett
– John A. Dundas III
– Mike Iglesias
– Harlan Stenn
B Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a description of our product as possible, as well as important information to assist you in the operation of this product. Your comments and suggestions help us to further improve the quality of our documentation.
Your assessment of this manual (Very Good / Good / Satisfactory / Mediocre / Poor):
– Precise description
– Readability
– Understandability
– Examples
– Structure
– Comprehensive
– Graphics
– Drawings
– Tables

Did you discover any errors in this manual? If so, on what page?

Suggestions for improvement and additional information:

General comments:

Sender:
Company / Department:
Name / Telephone number:
Street:
Zip code / City:
E-mail:
Date / Signature:

Dear User,
Please fill out and return this page as a fax to the number +49 (0)7127/14-1600 or per mail to Hirschmann Automation and Control GmbH, Department 01RD-NT, Stuttgarter Str. 45-51, 72654 Neckartenzlingen
D Further Support
Technical Questions For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You will find the addresses of our partners on the Internet at http://www.hirschmann.com
Contact our support at https://hirschmann-support.belden.eu.com
You can contact us
– in the EMEA region at Tel.: +49 (0)1805 14-1538, E-mail: [email protected]
– in the America region at Tel.: +1 (717) 217-2270, E-mail: [email protected]
– in the Asia-Pacific region at Tel.: +65 6854 9860, E-mail: [email protected]
Hirschmann Competence Center
The Hirschmann Competence Center is ahead of its competitors: Consulting incorporates comprehensive technical advice, from system evaluation through network planning to project planning.
Training offers you an introduction to the basics, product briefing and user training with certification.
The current technology and product training courses can be found at http://www.hicomcenter.com
Support ranges from the first installation through the standby service to maintenance concepts.
With the Hirschmann Competence Center, you have decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use.
Internet: http://www.hicomcenter.com