Home
/
Siemens
/
SIMATIC NET SCALANCE SC-600
/
Configuration Manual

Siemens SIMATIC NET SCALANCE SC-600, Configuration Manual

Share

Page: 57 / 372

Siemens SIMATIC NET SCALANCE SC-600 Configuration Manual Download Page 57

Technical basics

3.8 Security functions

SCALANCE SC-600 Web Based Management (WBM)
Configuration Manual, 10/2021, C79000-G8976-C475-03

57

Service

Access

IPsec VPN

No

yes

SSH

yes

No

DHCP

yes

yes (for the DHCP client

function)

Ping

yes

No

System time

yes

No

VRRP

No

No

3.8.4

NAT

NAT (Network Address Translation) is a method of translating IP addresses in data

packets. With this, two different networks (internal and external) can be connected

together.
A distinction is made between source NAT in which the source IP address is translated

and destination NAT in which the destination IP address is translated.
You will find information on NAT scenarios that are implemented with the device at the

following address: (

https://support.industry.siemens.com/cs/en/view/109744660

IP masquerading

IP masquerading is a simplified source NAT. With each outgoing data packet sent via

this interface, the source IP address is replaced by the IP address of the interface. The

adapted data packet is sent to the destination IP address. For the destination host it

appears as if the queries always came from the same sender. The internal nodes cannot

be reached directly from the external network. By using NAPT, the services of the

internal nodes can be made reachable via the external IP address of the device.
IP masquerading can be used if the internal IP addresses cannot or should not be

forwarded externally, for example because the internal network structure should remain

hidden.
You configure masquerading in "Layer 3" > "NAT" > "IP Masquerading (Page 264)".

NAPT

NAPT (Network Address and Port Translation) is a form of destination NAT and is often

called port forwarding. This allows the services of the internal nodes to be reached from

external that are hidden by IP masquerading or source NAT.
Incoming data packets are translated that come from the external network and are

intended for an external IP address of the device (destination IP address). The

destination IP address is replaced by the IP address of the internal node. In addition to

address translation, port translation is also possible.

«
...
55
56
57
58
59
...
»

Summary of Contents for SIMATIC NET SCALANCE SC-600

Page 1: ...CALANCE SC 600 Web Based Management WBM Configuration Manual 10 2021 C79000 G8976 C475 03 Introduction Security recommendations 1 Description 2 Technical basics 3 Configuring with Web Based Management 4 Upkeep and maintenance 5 Exchange of configuration data with STEP7 6 Appendix A A ...

Page 2: ... only by personnel qualified for the specific task in accordance with the relevant documentation in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING Siemens p...

Page 3: ...NCE SC636 2C SCALANCE SC642 2C SCALANCE SC646 2C This Configuration Manual applies to the following software version Firmware as of version V2 2 Purpose of the Configuration Manual This Configuration Manual is intended to provide you with the information you require to install commission and operate the security appliances SCALANCE SC 600 It provides you with the information you require to configu...

Page 4: ...SC646 2C SCALANCE SC632 2C and SCALANCE SC636 2C SCALANCE SC642 2C and SCALANCE SC646 2C SC62x 2C SC6x2 2C SC6x6 2C SC63x 2C SC64x 2C Device If information relates to a specific device the device name is used SCALANCE SC622 2C SCALANCE SC626 2C SCALANCE SC632 2C SCALANCE SC636 2C SCALANCE SC642 2C SCALANCE SC646 2C New in this edition Support of SCALANCE SC626 2C Protection against brute force att...

Page 5: ...se documents explain the configuration of the SCALANCE S615 and can also be used for the Security Appliances SCALANCE SC 600 You will find the documentation here On the data medium that ships with some products Product CD product DVD SIMATIC NET Manual Collection On the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en ps 15327 man Further documenta...

Page 6: ...84922825 SIMATIC NET manuals You will find the SIMATIC NET manuals here On the data medium that ships with some products Product CD product DVD SIMATIC NET Manual Collection On the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en ps 15247 License conditions Note Open source software Read the license conditions for open source software carefully bef...

Page 7: ...ay be implemented please visit https www siemens com industrialsecurity https www siemens com industrialsecurity Siemens products and solutions undergo continuous development to make them more secure Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used Use of product versions that are no longer supported and failur...

Page 8: ...sposal of your old device contact a certified disposal company for electronic scrap or your Siemens contact Keep to the local regulations You will find information on returning the product on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en view 109479891 SIMATIC NET glossary Explanations of many of the specialist terms used in this documentati...

Page 9: ...ress 33 3 1 1 Structure of an IPv4 address 33 3 1 2 IPv4 35 3 1 3 Initial assignment of an IP address 36 3 1 4 Address assignment with DHCP 36 3 2 MAC address 37 3 3 ICMP 38 3 4 VLAN 40 3 4 1 VLAN tagging 41 3 5 SNMP 43 3 6 Redundancy 45 3 6 1 HRP 45 3 6 2 MRP 46 3 6 3 Spanning Tree 48 3 6 4 RSTP 49 3 7 Routing function 50 3 7 1 Routing 50 3 7 2 VRRPv3 50 3 7 3 Static routing 51 3 8 Security funct...

Page 10: ... 90 4 3 8 LLDP 91 4 3 9 Fiber Monitoring Protocol 93 4 3 10 Routing 94 4 3 11 Redundancy 95 4 3 11 1 Spanning Tree 95 4 3 11 2 VRRPv3 Statistics 98 4 3 11 3 Sync Firewall State 101 4 3 11 4 Ring redundancy 102 4 3 12 Unicast 103 4 3 13 Multicast 104 4 3 14 SNMP 105 4 3 15 Security 105 4 3 15 1 Overview 105 4 3 15 2 Supported Function Rights 108 4 3 15 3 Roles 109 4 3 15 4 Groups 110 4 3 15 5 802 1...

Page 11: ...MPv3 Users 167 4 4 9 3 SNMPv3 User to Group mapping 170 4 4 9 4 SNMPv3 Access 171 4 4 9 5 SNMPv3 Views 173 4 4 9 6 Notifications 175 4 4 10 System time 177 4 4 10 1 Manual Setting 178 4 4 10 2 DST Overview 180 4 4 10 3 DST Configuration 182 4 4 10 4 SNTP Client 185 4 4 10 5 NTP Client 189 4 4 10 6 SIMATIC Time Client 193 4 4 10 7 NTP server 194 4 4 11 Auto logout 196 4 4 12 Button 197 4 4 13 Syslo...

Page 12: ...Ports 250 4 5 8 3 Blocking 252 4 5 9 Multicast 253 4 5 9 1 Groups 253 4 5 9 2 Blocking 255 4 5 10 Inter VLAN Bridge SC63x SC64x 256 4 5 10 1 Overview 256 4 5 10 2 Configuration 258 4 6 Layer 3 menu 259 4 6 1 Subnets 259 4 6 1 1 Overview 259 4 6 1 2 Configuration 262 4 6 2 NAT 263 4 6 2 1 NAT General 263 4 6 2 2 Masquerading 264 4 6 2 3 NAPT 264 4 6 2 4 Source NAT 266 4 6 2 5 NETMAP 268 4 6 3 Stati...

Page 13: ...ec VPN SC64x 2C 324 4 7 6 1 General 324 4 7 6 2 Remote End 325 4 7 6 3 Connections 327 4 7 6 4 Authentication 330 4 7 6 5 Phase 1 332 4 7 6 6 Phase 2 334 4 7 7 OpenVPN 337 4 7 7 1 General 337 4 7 7 2 Connections 338 4 7 7 3 Client 340 4 7 7 4 Authentication 341 4 7 7 5 Server 342 4 7 8 Brute Force Prevention 343 5 Upkeep and maintenance 347 5 1 Device configuration with PRESET PLUG 347 5 2 Firmwar...

Page 14: ...Table of contents SCALANCE SC 600 Web Based Management WBM 14 Configuration Manual 10 2021 C79000 G8976 C475 03 ...

Page 15: ...Check regularly for news on the Siemens Internet pages You can find information on Industrial Security here Link http www siemens com industrialsecurity You can find information on security in industrial communication here Link http w3 siemens com mcms industrial communication de ie industrial ethernet security Seiten industrial security aspx Keep the software up to date Always use the latest soft...

Page 16: ...and subsequent interception of the data traffic Appropriate security measures must be taken for non secure layer 2 protocols to prevent unauthorized access to the network Physical access to the local network can be secured or secure higher layer protocols can be used among other things Certificates and keys This section deals with the security keys and certificates you require to set up TLS VPN IP...

Page 17: ...ion Page 343 For data transmission via a non secure network use an encrypted VPN tunnel IPsec OpenVPN to encrypt and authenticate communication When you establish a secure connection to a server for example for an upgrade make sure that strong encryption methods and protocols are configured for the server Terminate management connections correctly WBM SSH etc Using remote logging ensure that the s...

Page 18: ... on the WBM page System Load Save Passwords When using SNMP Simple Network Management Protocol Configure SNMP to generate a notification when authentication errors occur For more information see WBM System SNMP Notifications Ensure that the default values of the community strings are changed Use SNMPv3 whenever possible SNMPv1 and SNMPv2c are considered non secure and should only be used when abso...

Page 19: ... for a protocol use it The following protocols provide secure alternatives SNMPv1 v2 SNMPv3 Check whether use of SNMPv1 v2c is necessary SNMPv1 v2c are classified as non secure Use the option of preventing write access The device provides you with suitable setting options If SNMP is enabled change the community names If no unrestricted access is necessary restrict access with SNMP Use the authenti...

Page 20: ...otocol is authenticated Encryption Specifies whether or not the transfer is encrypted List of available services The following is a list of all available protocols and services as well as their ports through which the device can be accessed The table includes the following columns Service Protocol The services protocols that the device supports Protocol Port number Port number assigned to the prot...

Page 21: ... TCP 53 UDP 53 Open Closed DDNS TCP 80 UDP 80 TCP 443 UDP 443 Outgoing only Outgoing only Firewall State Sync UDP 3780 Closed Closed HTTP TCP 80 Open Closed HTTP Proxy TCP 3128 TCP 8080 Outgoing only Outgoing only Optional HTTPS TCP 443 Open Closed IPsec IKE UDP 500 UDP 4500 Closed Closed NTP Client UDP 123 Outgoing only Outgoing only NTP Server UDP 123 Closed Closed NTP Server secure UDP 123 Clos...

Page 22: ...al SNMP Traps UDP 162 Outgoing only Outgoing only SNTP Client UDP 123 Closed Closed SSH SFTP TCP 22 Open Closed Syslog Client UDP 514 Outgoing only Outgoing only Syslog Client TLS TCP 6514 Outgoing only Outgoing only TFTP UDP 69 Outgoing only Outgoing only VRRP IP 112 Closed Closed Depending on the device type VLAN1 and VLAN2 are on different physical ports SC6x2 2C VLAN1 port 1 VLAN2 port 2 SC6x6...

Page 23: ...rity functions Router with NAT function IP masquerading NAPT Source NAT NETMAP Password protection Firewall function Port forwarding MAC firewall layer 2 IP firewall with stateful packet inspection layer 3 and 4 Global and user defined firewall rules VPN functions To establish a VPN Virtual Private Network the following functions are available IPsec VPN SC64x 2C OpenVPN SINEMA RC client Use of pro...

Page 24: ...ure NTP server SIMATIC Time Client SNTP DHCP DHCP Server DHCP Client Virtual networks VLAN To structure Industrial Ethernet networks with a fast growing number of nodes a physical network can be divided into several virtual subnets Digital input digital output via signaling contact DDNS client DNS client DNS proxy SMTP client Combo ports Combo port is the name for two communication ports A combo p...

Page 25: ...ollowing parameters for the connection Bits per second 115200 Data bits 8 Parity None Stop bits 1 Flow control None Power supply A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current You will find further information on this in the device specific operating instructions Configuration In the factory settings the SCALANCE SC 600 can be reached as follows for ini...

Page 26: ...age 71 2 2 1 Use in a PROFINET environment Configuration information When using the device in a PROFINET environment follow the following configuration instructions Set the Aging Time s to 45 seconds under Layer 2 Dynamic MAC Aging Disable the function Spanning Tree under Layer 2 and enable the function Passive Listening under Layer 2 Configuration 2 3 System functions Availability of the system f...

Page 27: ...lient DHCP SNMP System time Auto logout Button Syslog client Ports Fault Monitoring PLUG Ping DCP Discovery Port diagnostics cRSP SRS SC64x 2C Proxy server SINEMA RC Layer 2 Configuration Port Based VLAN Dynamic MAC Aging Ring redundancy Spanning Tree LLDP Unicast Multicast Inter VLAN Bridge Layer 3 Subnets NAT Static routes VRRPv3 Security Users Passwords AAA Certificates Firewall IPsec VPN SC64x...

Page 28: ...aracters Syslog server 3 SNMPv1 trap receiver 10 SNTP server 1 NTP server 4 NTP secure server 4 DHCP pools 8 IPv4 addresses managed by the DHCP server dynamic static 100 Static assignments per DHCP pool 128 DHCP options 3 6 12 15 66 67 5 SINEMA RC 1 Proxy server 5 Layer 2 Virtual LANs port based including VLAN 1 257 Layer 3 IP interfaces 32 Static routes 100 Possible routes to the same destination...

Page 29: ...646 2C restriction You can create a maximum of 20 phase 2 connections per phase 1 Remote End 2 5 PLUG The PLUG is a removable medium and is used to transfer the configuration of the old device to the new device when a device is replaced The PLUG is available in the following variants C PLUG The removable data storage medium only saves the configuration data of the device How it works NOTICE Do not...

Page 30: ...uses the configuration data of the PLUG automatically when it starts up The requirement for acceptance is that the data was written by a compatible device type If there is configuration data in the internal memory of the device this is overwritten This mode is active as soon as a written C PLUG KEY PLUG is inserted Response to errors Inserting a C PLUG KEY PLUG that does not contain the configurat...

Page 31: ...ou assign fixed IP addresses extra following the basic installation In a PLUG that was configured as a PRESET PLUG the device configuration user accounts certificates and the firmware are stored Note Restore factory defaults and restart with a PRESET PLUG inserted If you reset a device to the factory defaults when the device restarts an inserted PRESET PLUG is formatted and the PRESET PLUG functio...

Page 32: ...Description 2 5 PLUG SCALANCE SC 600 Web Based Management WBM 32 Configuration Manual 10 2021 C79000 G8976 C475 03 ...

Page 33: ... The binary representation of the 4 subnet mask decimal numbers must contain a series of consecutive 1s from the left and a series of consecutive 0s from the right The 1 values determine the network address within the IPv4 address The 0 values determine the device address within the IPv4 address Example Correct values 255 255 0 0 D 1111 1111 1111 1111 0000 0000 0000 0000 B 255 255 128 0 D 1111 111...

Page 34: ...esentation in other words 24 bits This results in the CIDR notation 192 168 0 0 24 The host part covers 1 x 8 bits in binary notation This results in an address range of 2 to the power 8 in other words 256 possible addresses Masking additional subnets Using the subnet mask you can further structure a subnet assigned to one of the address classes A B or C and form private subnets by setting further...

Page 35: ...t at the points where the subnet mask is set to 0 3 1 2 IPv4 IPv4 IP configuration DHCP Server Manual Available IP addresses 32 bit 4 29 109 addresses Address format Decimal 192 168 1 1 with port 192 168 1 1 20 Loopback 127 0 0 1 IP addresses of the interface 4 IP addresses Header Checksum Variable length Fragmentation in the header No security Fragmentation Host and router Quality of service Type...

Page 36: ...be able to assign an IP address to the device with SINEC PNI it must be possible to reach the device via Ethernet You can find SINEC PNI on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en ps 26672 dl For additional information about assigning the IP address with SINEC PNI refer to the online help or the SINEC PNI network management operating i...

Page 37: ...DHCP option 15 DNS domain name DHCP option 12 Assignment of a host name DHCP option 66 Assignment of a dynamic TFTP server name DHCP option 67 Assignment of a dynamic boot file name Note DHCP uses a mechanism with which the IP address is assigned for only a short time lease time If the device does not reach the DHCP server with a new request on expiry of the lease time the assigned IP address the ...

Page 38: ...ket type Type of message Code Further details of the message Checksum Data optional ICMP packet type The most important ICMP packet types are as follows Redirect The router informs the host in one of its subnets that there is a better route to the destination This ICMP packet type is dealt with in more detail in the following description Destination Unreachable IP frame cannot be delivered Time Ex...

Page 39: ... subnet C Router A sends a redirect message to host A In this router A instructs host A in future to send IP frames to host C via router B whose IP address is contained in the redirect message The initial IP frame is sent by router A directly to router B that forwards it to Host C Conditions for sending redirect messages The IP frame is received and sent via the same interface of router A The sour...

Page 40: ...nded by 4 bytes refer to VLAN tagging Page 41 This expansion includes not only the VLAN ID but also priority information Options for the VLAN assignment There are various options for the assignment to VLANs Port based VLAN Each port of a device is assigned a VLAN ID You configure port based VLAN in Layer 2 VLAN Port based VLAN Page 234 VLAN assignment on the device In the factory settings the foll...

Page 41: ... length this frame type If this is not the case only frames of the standard length may be sent to these nodes The additional 4 bytes are located in the header of the Ethernet frame between the source address and the Ethernet type length field Figure 3 1 Structure of the expanded Ethernet frame The additional bytes contain the tag protocol identifier TPID and the tag control information TCI Tag pro...

Page 42: ...h different priorities can be processed As default first the frames with the highest priority are processed This method ensures that the frames with the highest priority are sent even if there is heavy data traffic Canonical Format Identifier CFI The CFI is required for compatibility between Ethernet and the token Ring The values have the following meaning Value Meaning 0 The format of the MAC add...

Page 43: ...ing is correct the SNMP agent responds and sends the requested data If the community string is not correct the SNMP agent discards the query Define different community strings for read and write permissions The community strings are transferred in plain text Standard values of the community strings public has only read permissions private has read and write permissions Note Because the SNMP commun...

Page 44: ... user authentication Encryption of the entire data traffic Access control of the MIB objects at the user group level With the introduction of SNMPv3 you can no longer transfer user configurations to other devices without taking special action e g by loading a configuration file or replacing the C PLUG According to the standard the SNMPv3 protocol uses a unique SNMP engine ID as an internal identif...

Page 45: ...ring port due to an interruption the RM switches through its two ring ports and informs the redundancy clients of the change immediately The reconfiguration time after an interruption of the ring is a maximum of 300 ms Requirements HRP HRP is supported in ring topologies with up to 50 devices Exceeding this number of devices can lead to a loss of data traffic For HRP only devices that support this...

Page 46: ... Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en view 109739600 3 6 2 MRP The MRP method conforms to the Media Redundancy Protocol MRP specified in the following standard IEC 62439 2 Release 1 0 2010 02 Industrial communication networks High availability automation networks Part 2 Media Redundancy Protocol MRP The reconfiguration time after an int...

Page 47: ...ample some of the Industrial Ethernet SCALANCE X switches some of the communications processors CPs for SIMATIC S7 and PG PC and non Siemens devices that support this function All devices must be interconnected via their ring ports Multimode connections up to 3 km and single mode connections up to 26 km between two SCALANCE X IE switches are possible At greater distances the specified reconfigurat...

Page 48: ...g about the status change of the root ports The root bridge is the bridge that controls the spanning tree algorithm for all involved components Once the root bridge has been specified each device sets a root port The root port is the port with the lowest path costs to the root bridge Response to changes in the network topology If nodes are added to a network or drop out of the network this can aff...

Page 49: ... role as edge port and it takes part in R STP again If no further BPDU is received after a certain time has elapsed 3 x hello time the port returns to the edge port status Point to point direct communication between two neighboring devices By directly linking the devices a status change reconfiguration of the ports can be made without any delays Alternate port substitute for the root port A substi...

Page 50: ...aces Several VRRP routers in a network segment are put together as a logical group representing a virtual router VR The group is defined using the virtual ID VRID Within the group the VRID must be the same The VRID can no longer be used for other groups in the same L2 Ethernet segment The virtual router is assigned a virtual IP address and a virtual MAC address One of the VRRP routers within the g...

Page 51: ...e original data packet becomes larger as a result of the additional header information and may need to be segmented for further transfer This depends on the MTU specifications in the connected network However a necessary segmentation may lead to noticeable losses in performance or cancelation of the data transfer Avoid this by adapting the MTU format on the terminal device which means reducing it ...

Page 52: ... Standard If you have set the authorization mode conventional the authentication of users via a RADIUS server runs as follows 1 The user logs on with user name and password on the device 2 The device sends an authentication request with the login data to the RADIUS server 3 The RADIUS server runs a check and signals the result back to the device The RADIUS server reports a successful authenticatio...

Page 53: ...up The group is known on the device and the user is entered in the table External User Accounts The user is assigned the role with the higher rights and logged in with these rights The group is not known on the device and the user is entered in the table External User Accounts The user is logged in with the rights of the role linked to the user account The group is not known on the device and the ...

Page 54: ...tions The automatically created firewall rules allow packets in the following direction From To SINEMA RC IPsec VPN OpenVPN Internal External External Internal Device External External Device Predefined IPv4 rules When the connection is created the following IPv4 services are enabled HTTP HTTPS SSH Ping Ping Ping Predefined firewall rules The firewall contains predefined IPv4 rules that enable spe...

Page 55: ...ted protocols IP addresses and ports of the permitted sources IP addresses and ports of the permitted destinations If an IP packet fits the specified parameters it is allowed to pass through the firewall The rules also specify what is done with IP packets that are not allowed to pass through the firewall Simple packet filter techniques require two firewall rules per connection One rule for the que...

Page 56: ...onnections all or via a certain VPN connection Connection Name Device vlan x Access from the device to the IP subnet SINEMA RC Access from the device to the SINEMA RC connection IPsec all IPsec Connection Name Access from the device to the VPN tunnel partners that can be reached via all VPN connections all or via a certain VPN connection Connection Name SINEMA RC vlan x Access from SINEMA RC conne...

Page 57: ... the interface The adapted data packet is sent to the destination IP address For the destination host it appears as if the queries always came from the same sender The internal nodes cannot be reached directly from the external network By using NAPT the services of the internal nodes can be made reachable via the external IP address of the device IP masquerading can be used if the internal IP addr...

Page 58: ...dresses cannot or should not be forwarded externally for example because a private address range such as 192 168 x x is used You configure source NAT in Layer 3 NAT Source NAT Page 266 NETMAP With NETMAP it is possible to translate complex subnets to a different subnet In this translation the subnet part of the IP address is changed and the host part remains For translation with NETMAP only one ru...

Page 59: ...ec VPN Page 330 Server certificate Server certificates are required to establish secure communication e g HTTPS VPN between the device and another network participant The server certificate is an encrypted SSL certificate The server certificate is derived from the oldest valid CA even if this is out of service The crucial thing is the validity date of the CA SINEMA RC Device certificate Certificat...

Page 60: ...dress of the partner is either entered manually or any is selected If you select any a connection establishment from every address is accepted The device learns the reachable remote subnets from the partner Standard mode In this mode the address of the partner and the remote subnet is entered permanently The device can either establish the connection actively as a VPN client or wait passively for ...

Page 61: ... are therefore secure Phase 2 Phase 2 serves to negotiate the required IPsec SA Similar to phase 1 exchanging offers achieves agreement about the authentication methods the algorithms and the encryption method to protect the IP packets with IPsec AH and IPsec ESP The exchange of messages is protected by the ISAKMP SA negotiated in phase 1 Due to the ISAKMP SA negotiated in phase 1 the identity of ...

Page 62: ... transferred to the VPN connection partners The list contains combinations of the three algorithms Encryption Authentication Key Derivation To establish a VPN connection the VPN connection partner must support at least one of these combinations The combinations depend on the phase und the key exchange method IKE Combination Phase 1 Phase 2 Encryption Authenticati on Key derivation IKEv1 IKEv2 IKEv...

Page 63: ...ecks whether the connection is still operating problem free or whether there has been an interruption on the line Without DPD and depending on the configuration it may be necessary to wait until the SA lifetime has expired or the connection must be reinitiated manually To check whether the IPsec connection is still problem free the device itself sends DPD queries to the VPN partner station If the ...

Page 64: ...ce to authenticate itself and to generate digital signatures User name Password Access is restricted by a user name and a password Encryption methods The device also supports the following methods BF CBC AES128 CBC AES192 CBC AES256 CBC DES EDE3 3 8 7 3 VPN connection establishment The device supports the following options for establishing a VPN connection IPsec VPN Security IPsec VPN Connections ...

Page 65: ...f the SINEMA RC server You configure the settings on the SINEMA RC Server in Remote Connections Devices You can find additional information on this topic in the operating instructions SINEMA RC Server Permanent x The device establishes a VPN connection to the SINEMA RC Server The VPN tunnel is established permanently Digital input DI The establishment of the VPN tunnel can also be controlled via t...

Page 66: ...he device provides several options for notification on the Events page Type of notification Digital In VPN tunnel Behavior if there is a status change E mail x x The device sends an e mail The e mail contains the identification of the sending device a description of the cause of the alarm in plain language and a time stamp Requirement An SMTP server is set up In System SMTP Client the function is ...

Page 67: ...e private MIB variable snMspsDigitalInputLevel you can read out the status of the digital input OID of the private MIB variable snMspsDigitalInputLevel iso 1 org 3 dod 6 internet 1 private 4 enterprises 1 siemens 4329 industrialComProducts 20 iComPlatforms 1 simaticNet 1 snMsps 1 snMspsCommon 1 snMspsDigita lIO 39 snMspsDigitalIOObjects 1 snMspsDigitalInputTabl e 2 snMspsDigitalInputEntry 1 snMsps...

Page 68: ......

Page 69: ...via an HTTP connection you need to select HTTP HTTPS for HTTP Services in System Configuration Requirements WBM display The device has an IP address There is a connection between the device and the Admin PC With the Windows ping command you can check whether or not a connection exists If the device has the factory settings refer to Requirements for operation Page 25 Access via HTTPS is enabled Jav...

Page 70: ...access using HTTPS TCP port 443 The display of the WBM was tested with the following desktop Web browsers Microsoft Internet Explorer Note Compatibility view In Microsoft Internet Explorer disable the compatibility view to ensure correct display and to allow problem free configuration using WBM Microsoft Edge Firefox Quantum Google Chrome Recommendation Use the latest available version of the Web ...

Page 71: ...be administered using encrypted access it is delivered with a self signed certificate If certificates with signatures that the operating system does not know are used a security message is displayed You can display the certificate A message relating to the security certificate appears Acknowledge this message and continue loading the page If you use a port other than the standard port enter a colo...

Page 72: ...79000 G8976 C475 03 Default Login Page Under System Configuration Default Login Page you can define which login page is opened by default You can change the type of login via the Switch to links To log in you have the following options Login option in the center of the browser window Login option in the upper left area of the browser window ...

Page 73: ...nerally not permitted The characters coded with the ASCII value as of 128 extended ASCII code The characters for Space and Delete Logging in to WBM To log in via HTTPS HTTP you have the following options Login option in the center of the browser window Login option in the upper left area of the browser window Procedure 1 Name input box When you log in for the first time or following a Restore Fact...

Page 74: ...he changes take immediate effect Access via DCP is write protected after the admin password is changed The network parameters can be read with the Primary Setup Tool or with DCP Discovery but can no longer be changed Once you have logged in successfully the start page appears Logging into the dynamic firewall Requirement The user has the right to remote access You configure the setting Security Us...

Page 75: ...opens The current ruleset and the remaining time are displayed If needed the user can extend the access time via the Reset Timeout button 4 3 Information menu 4 3 1 Start page View of the Start page When you enter the IP address of the device the start page is displayed after a successful login General layout of the WBM page The following areas are available on every WBM page Selection area 1 Top ...

Page 76: ...guring with Web Based Management 4 3 Information menu SCALANCE SC 600 Web Based Management WBM 76 Configuration Manual 10 2021 C79000 G8976 C475 03 Navigation area 3 Left hand area Content area 4 Middle area ...

Page 77: ...s set and or can be synchronized the status is Display area 2 In the left hand part of the display area the full title of the currently selected menu item is always displayed LED simulation Each device has one or more LEDs that provide information on the operating state of the device Depending on its location direct access to the device may not always be possible Web Based Management therefore dis...

Page 78: ...update click On Instead of On Off is displayed As default updating is always enabled on the WBM page Navigation area 3 In the navigation area you have various menus available Click the individual menus to display the submenus The submenus contain pages on which information is available or with which you can create configurations These pages are always displayed in the content area Content area 4 I...

Page 79: ... deleted and the previous configuration will be loaded from the device and displayed here Save entries with Set Values WBM pages in which you can make configuration settings have a Set Values button at the lower edge The button only becomes active if you change at least one value on the page Click this button to save the configuration data you have entered on the device Once you have saved the but...

Page 80: ...n pages with a large number of data records Click Show all to display all entries on the page Note that displaying all messages can take some time Drop down list to change page In pages with a large number of data records you can navigate to the desired page From the drop down list select the relevant page to display it Reset Counters button Click Reset Counters to reset all counters The counters ...

Page 81: ...ot Name Shows the name of the device or module Revision Shows the hardware version of the device Order ID Shows the article number of the device or described module Software Firmware Shows the current firmware version If a new firmware file was downloaded and the device has not yet restarted the firmware version of the downloaded firmware file is displayed here After the next restart the loaded fi...

Page 82: ... 4 3 3 Identification Maintenance Identification and Maintenance data This page contains information about device specific vendor and maintenance data such as the order number serial number version number etc You cannot configure anything on this page Description of the displayed values The table has the following rows Manufacturer ID Shows the manufacturer ID Order ID Shows the order ID Serial Nu...

Page 83: ...t supported Location designation is not supported Date is not supported Descriptor is not supported 4 3 4 ARP Table Assignment of MAC address and IP address With the Address Resolution Protocol ARP there is a unique assignment of MAC address to IP address This assignment is kept by each network node in its own separate ARP table The WBM page shows the ARP table of the device Description The table ...

Page 84: ...recognized the address data automatically Static The addresses were entered as static addresses 4 3 5 Log Tables 4 3 5 1 Event Log Logging events The WBM page shows the system events that have occurred in the form of a table Some of the system events can be configured in System Events for example if the connection status of a port has changed The content of the table is retained even when the devi...

Page 85: ...ll entries of the category Critical are displayed Warning warning When this parameter is enabled all entries of the category Warning are displayed Info Informative When this parameter is enabled all entries of the category Info are displayed The table has the following columns Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which th...

Page 86: ...nformation menu SCALANCE SC 600 Web Based Management WBM 86 Configuration Manual 10 2021 C79000 G8976 C475 03 4 3 5 2 Security Log The WBM page shows the events that occurred during communication via a secure VPN tunnel in the form of the table ...

Page 87: ...ll entries of the category Critical are displayed Warning warning When this parameter is enabled all entries of the category Warning are displayed Info Informative When this parameter is enabled all entries of the category Info are displayed The table has the following columns Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which th...

Page 88: ...ng to severity To display all the entries enable or disable all parameters Note For each severity a maximum of 400 entries in the table are possible If the maximum number of entries is reached for a severity the oldest entries of this severity are overwritten in the table The table remains permanently in the memory Critical Critical When this parameter is enabled all entries of the category Critic...

Page 89: ...stem Time Shows the date and time when the described event occurred If no system time is set the box displays Date time not set Severity Sorts the entry into the categories above Log Message Displays a brief description of the event that has occurred 4 3 6 Faults Fault status If a fault occurs it is shown on this page On the device faults are indicated by the red fault LED lighting up Internal fau...

Page 90: ...hows the time the device has been running since the last system restart when the described fault occurred Fault Description Displays a brief description of the error that has occurred Clear Fault State Some faults can be acknowledged and thus removed from the fault list e g a fault of the event Cold Warm Start If the Clear Fault State button is enabled you can delete the error 4 3 7 DHCP Server Th...

Page 91: ...State Shows the status of the assignment Associated The assignment is used not used The assignment is not used probing The assignment is being checked unknown The status of the assignment is unknown Expire Time Shows how long the assigned IPv4 address is still valid When half the period of validity has elapsed the DHCP client can extend the period of the assigned IPv4 address When the entire time ...

Page 92: ...me assigned via SINEC PNI STEP 7 If no device name is assigned the MAC address of the device is displayed Local Interface Port at which the device received the information Hold Time An entry remains stored on the device for the time specified here If the device does not receive any new information from the connected device during this time the entry is deleted Capability Shows the properties of th...

Page 93: ...Fiber Monitoring This depends on the transceivers Rx Power State disabled Fiber monitoring is disabled ok The value for the received power of the optical link is within the set limits maint req Check the link A warning is signaled maint dem The link needs to be checked An alarm is signaled and the fault LED is lit link down The connection to the communications partner is down No link is detected R...

Page 94: ...ing is signaled maint dem The link needs to be checked An alarm is signaled and the fault LED is lit idle The port has no connection to another port with fiber monitoring enabled If no diagnostics information is received from the optical port of the connection partner for 5 cycles the fiber monitoring connection is assumed to be interrupted A cycle lasts 5 seconds Power Loss dB Shows the current v...

Page 95: ... the gateway for this route Interface Shows the interface for this route Metric Shows the metric of the route The higher value the longer packets require to their destination Routing Protocol Shows the routing protocol from which the entry in the routing table originates The following entries are possible Connected Connected routes Static Static routes DHCP Routes via DHCP 4 3 11 Redundancy 4 3 11...

Page 96: ... becomes the root bridge If several devices in a network have the same priority the device whose MAC address has the lowest numeric value will become the root bridge Both parameters bridge priority and MAC address together form the bridge identifier Since the root bridge manages all path changes it should be located as centrally as possible due to the delay of the frames The value for the bridge p...

Page 97: ... The parameter depends on the configured protocol Discarding The port receives BPDU frames Other incoming or outgoing frames are discarded Listening The port receives and sends BPDU frames The port is involved in the spanning tree algorithm Other outgoing and incoming frames are discarded Learning The port actively learns the topology in other words the node addresses Other outgoing and incoming f...

Page 98: ...mission speed is the lower the value of the path costs Typical values for path costs with rapid spanning tree 10 000 Mbps 2 000 1000 Mbps 20 000 100 Mbps 200 000 10 Mbps 2 000 000 Edge Type Shows the type of the connection The following values are possible Edge Port There is an end device at this port No Edge Port There is a spanning tree or rapid spanning tree device at this port P t P Type Shows...

Page 99: ...ow many VRRPv3 packets containing an invalid version number were received Checksum Errors Shows how many VRRPv3 packets containing an invalid checksum were received The table has the following columns Interfaces Interface to which the settings relate VRID Shows the ID of the virtual router Valid values are 1 255 Address Type Shows the version of the IP protocol Become Master Shows how often this v...

Page 100: ...RPv3 packets with priority 0 are sent when a master router is shut down These packets allow a fast handover to the relevant backup router Prio 0 sent Shows how many VRRPv3 packets with priority 0 were sent Packets with priority 0 are sent when a master router is shut down These packets allow a fast handover to the relevant backup router Invalid Type Shows how many bad VRRPv3 packets were received ...

Page 101: ...layed values The table has the following columns Sync State Shows the status of the Firewall State Sync running Valid messages from the synchronization partner are being received no receive No messages were received from the synchronization partner during the valid period 5 seconds error The message could not be sent due to an internal error disabled The function is disabled Sent Messages Number o...

Page 102: ...you obtain information about the status of the device in terms of ring redundancy The text boxes on this page are read only Description of the displayed values The table has the following columns Redundancy Function The Redundancy Function column shows the role of the device within the ring No Ring Redundancy The device is operating without redundancy function HRP Client The device is operating as...

Page 103: ...yed values The table contains the following columns VLAN ID Shows the VLAN ID assigned to this MAC address MAC Address Shows the MAC address of the node that the device has learned or the user has configured Status Shows the status of each address entry Static Configured by the user Static addresses are stored permanently in other words they are not deleted when the aging time expires or on a rest...

Page 104: ...user Description of the displayed values The table contains the following columns VLAN ID Shows VLAN ID of the VLAN to which the MAC multicast address is assigned MAC Address Shows the MAC multicast address that the device has learned or the user has configured Status Shows the status of each address entry The following information is possible Static The address was entered statically by the user ...

Page 105: ...he created SNMPv3 groups You configure the SNMPv3 groups in System SNMP Description The table has the following columns Group Name Shows the group name User Name Shows the user that is assigned to the group 4 3 15 Security 4 3 15 1 Overview Note The values displayed depend on the rights of the logged in user This page shows the security settings and the local and external user accounts ...

Page 106: ... configure the setting in System Configuration Enabled Encrypted access to the CLI Disabled No encrypted access to the CLI SSH Fingerprint x The following SSH fingerprints are displayed MD5 SH256 You can uniquely identify the device with the fingerprint shown Web Server You configure the setting in System Configuration HTTP HTTPS Access to the WBM is possible with HTTP and HTTPS HTTPS Access to th...

Page 107: ...be handled via a RADIUS server Local and RADIUS The authentication is possible both with the users that exist on the device user name and password and via a RADIUS server The user is first searched for in the local database If the user does not exist there a RADIUS query is sent RADIUS and fallback local The authentication must be handled via a RADIUS server A local authentication is performed onl...

Page 108: ...ts the user is logged in with the rights of the associated role If the corresponding group is known on the device both tables are evaluated The user is assigned the role with the higher rights Note The table External User Accounts is only evaluated if you have set SiemensVSA in the RADIUS Authorization Mode With CLI you can access external user accounts The Local User Accounts and External User Ac...

Page 109: ...the function right 4 3 15 3 Roles Note The values displayed depend on the role of the logged on user The page shows the roles valid locally on the device Description The table contains the following columns Role Shows the name of the role Function Right Shows the function right of the role 1 Users with this role can read device parameters but cannot change them 15 Users with this role can both rea...

Page 110: ...e role of the logged on user This page shows which group is linked to which role The group is defined on a RADIUS server The role is defined locally on the device Description of the displayed values The table has the following columns Group Shows the name of the group The name matches the group on the RADIUS server Role Shows the name of the role Users who are authenticated with the linked group o...

Page 111: ...dual ports Description The table has the following columns Port All ports of the device are displayed in this column 802 1X Auth Status The authentication status of the node The following options are possible Authorized Data traffic via the port is possible after successful authentication with the 802 1X method Unauthorized Data traffic via the port is not possible because no authentication has ta...

Page 112: ...not authenticated individually The first client that is authenticated opens the port for all clients No client is authenticated yet Open MAC authentication is configured for the port Clients are not authenticated individually The first client that is authenticated opens the port for all clients The port was opened after successful authentication of a client MAC Auth Actual Allowed Addresses Shows ...

Page 113: ...Authorized Data traffic via the port is possible after successful authentication with the MAC Authentication method Unauthorized Data traffic via the port is not possible because no authentication has taken place with the MAC Authentication method yet or the authentication method was not successful Port Shows the port via which the node with the specified address can be reached 4 3 16 IPSec VPN SC...

Page 114: ...ion establishment The entry is adopted from the Local ID box the device certificate or the IP address of the device Local Subnet Shows the local subnet Remote Host Shows the IP address or the host name of the remote device Remote DN Shows the Distinguished Name DN signaled by the remote device during connection establishment Remote Subnet Shows the remote subnet Rekey Time Shows when the validity ...

Page 115: ... RC Server Description of the displayed values Status Shows the status of the connection to SINEMA RC Server Device Name If configured the name of the device is displayed Device Location If configured the location of the device is displayed GSM Number If configured the phone number of the device is displayed Vendor If configured the entry is displayed Comment If configured the comment is displayed...

Page 116: ...subnets Is only displayed when the option Connected local subnets is enabled on the SINEMA RC Server You will find further information on this in the Operating Instructions of the SINEMA RC Server Connected Local Host s Shows the destination IP address of the hosts that can be reached Tunnel Interface Address Shows the IP address of the virtual tunnel interface Connected Remote Subnet s Shows the ...

Page 117: ... Exported Subnets Shows the IP address of the local subnets Routed Subnets Shows the subnets of the OpenVPN server Status Shows the status of the OpenVPN connection 4 3 18 2 Server The WBM page shows the status of the activated OpenVPN server Description of the displayed values The table contains the following columns Name Shows the name of the OpenVPN server Server Port Shows the port via which t...

Page 118: ...ith some services there are further configuration pages on which more detailed settings can be made The standard port can also be changed for some services Note Changing the standard port Some programs can only access the service over the standard port e g TIA Portal accesses HTTPS over standard port 443 Before you change the port check which port the program uses When you change the standard port...

Page 119: ...d Management WBM Configuration Manual 10 2021 C79000 G8976 C475 03 119 Description of the displayed boxes The page contains the following boxes SSH Server Enable or disable the SSH Server service for encrypted access to the CLI SSH Port Specify the port for SSH access to the CLI ...

Page 120: ...p18 sha512 Low Curve25519 sha256 Curve25519 sha256 libssh org Ecdh sha2 nistp256 Ecdh sha2 nistp384 Ecdh sha2 nistp521 Diffie hellman group16 sha512 Diffie hellman group18 sha512 Diffie hellman group14 sha256 Diffie hellman group14 sha1 HTTP Server Enable or disable HTTP access to the WBM HTTP Port Specify the port for HTTP access to the WBM HTTPS Server Enable or disable HTTP access to the WBM HT...

Page 121: ...essed with DCP Discovery and Configuration Protocol disabled DCP is disabled Device parameters can neither be read nor modified Read Write With DCP device parameters can be both read and modified Read Only With DCP device parameters can be read but cannot be modified Time Select the setting from the drop down list The following settings are possible Manual The system time is set manually You can c...

Page 122: ... sending of SNMPv1 traps alarm frames You can configure other settings in System SNMP Traps SINEMA Configuration Interface If the SINEMA configuration interface is enabled you can download configurations to the device using STEP 7 Basic Professional DUID Type Specify which DUID type will be used The DUID types are defined in RFC 3315 DUID LLT DUID is based on the link layer address of the interfac...

Page 123: ...e Saving starts only after the timer in the message has elapsed How long saving takes depends on the device During the save the message Saving configuration data in progress Please do not switch off the device is displayed Do not switch off the device immediately after the timer has elapsed Trial Trial mode In Trial mode although changes are adopted they are not saved in the configuration file sta...

Page 124: ...stem time is either set by the user or by a time of day frame either SIMATIC time of day frame NTP or SNTP System Up Time Shows the operating time of the device since the last restart Device Type Shows the type designation of the device System Name You can enter the name of the device The entered name is displayed in the selection area A maximum of 255 characters are possible The system name is al...

Page 125: ...ontact input box 2 Enter the identifier for the location at which the device is installed in the System Location input box 3 Enter the name of the device in the System Name input box 4 Click the Set Values button Note Steps 1 to 3 can also be performed with the SNMP Management Tool 4 4 2 2 Coordinates Information on geographic coordinates In the Geographic Coordinates window you can enter informat...

Page 126: ...1 31 67 N Longitude input box Geographic longitude Here you enter the value of the eastern or western longitude of the location of the device The value 8 20 58 73 means that the device is located at 8 degrees 20 minutes and 58 73 seconds east A western longitude is indicated by a preceding minus sign You can also add the letter E easterly longitude or W westerly longitude to the numeric informatio...

Page 127: ...ble or disable depending on whether the device should operate as a DNS client Used DNS Servers Specify which DNS server the device uses learned only The device uses only the DNS servers assigned by DHCP manual only The device uses only the manually configured DNS servers The DNS servers must be connected to the Internet A maximum of two DNS servers can be configured all The device uses all availab...

Page 128: ...vice keeps a domain address in the cache depends on the host being addressed In addition to the IP address a DNS request to an external DNS server also supplies the life span of this information Description The page contains the following boxes Enable DNS Proxy Enable or disable the proxy of the DNS server Cache Name Errors NXDOMAIN Enable or disable the caching of NXDOMAIN replies If you enable t...

Page 129: ...ser Name Enter the user name with which the device logs on to the DDNS server Password Enter the password assigned to the user Password Confirmation Confirm the password Procedure Requirement User name and password that gives you the right to use the DDNS service Registered hostname e g example no ip com UDP port 53 for DNS is enabled and is not used for NAPT 1 In Host enter the hostname that you ...

Page 130: ...d with an FQDN The device checks if there is an entry for DNS requests and converts the URL into the corresponding IPv4 address Description The page contains the following boxes Enable DNS Records When this is enabled the address directory is used The table has the following columns Select Select the check box in the row to be deleted Domain Enter the FQDN Fully Qualified Domain Name IP Address En...

Page 131: ... Note the following points about restarting a device You can only restart the device with administrator privileges A device should only be restarted with the buttons of this menu and not by a power cycle on the device If the device is in Trial mode configuration modifications must be saved manually before a restart Any modifications you have made only become active on the device after clicking the...

Page 132: ...ou can leave the browser window open while the device restarts After the restart you will need to log in again Restore Memory Defaults and Restart Click this button to restore the factory defaults of the device with the exception of the following parameters and to restart the device IP addresses Subnet mask IP address of the default gateway DHCP client ID DHCP System name System location System co...

Page 133: ...quirements for operation Page 25 4 4 5 Load Save 4 4 5 1 File list Overview of the file types File type Description Config This file contains the start configuration The file can be supplied with a password before download To load the file into the device successfully use the specified password You enter the password on the WBM page Passwords Page 146 ConfigPack ZIP file consisting of the Config U...

Page 134: ...commands Passwords are masked in this file as follows PASSWORD You can download the text file The file is not intended to be uploaded again unchanged Script Text file with CLI commands You can upload a script file in a device The CLI commands it contains are executed accordingly CLI commands for saving and loading files cannot be executed with the CLI script file SSHPrivateKeyECD SA Private SSH ke...

Page 135: ...In Trial mode although the changes are adopted they are not saved in the configuration files ConfigPack and Config Use the Write Startup Config button on the System Configuration WBM page to save changes in the configuration files CLI script file You can download existing CLI configurations RunningCLI Note The downloadable CLI script is not intended to be uploaded again unchanged CLI commands for ...

Page 136: ...igure a device in STEP 7 Basic Professional You can export the configuration and load it as SINEMAConfig to the real device using the WBM X509 certificates The following file types can be loaded into the device crt pem zip Maximum file name length 255 characters p12 Maximum file name length 248 characters Description The table has the following columns Type Shows the file type Description Shows th...

Page 137: ...the device successfully you need to enter the password specified for the file in System Load Save Passwords A dialog for uploading a file opens 2 Select the required file and confirm the upload The file is uploaded 3 If a restart is necessary a message to this effect will be output Click the OK button and run the restart If you click the Abort button there is no device restart The changes only tak...

Page 138: ...BM also allows you to store device data in an external file on your client PC or to load such data from an external file from the PC to the devices This means for example that you can also load new firmware from a file located on your Admin PC On this page the certificates required to establish a secure VPN connection can also be loaded Firmware The firmware is signed and encrypted This ensures th...

Page 139: ...rements Same article number Same firmware version Password You assign the password in the WBM under System Load Save Passwords You can use the file types as follows For offline diagnostics You can save the faulty configuration of a device as RunningSINEMAConfig via the WBM and import it in STEP 7 Basic Professional No connection to a real device is required for the diagnostics in STEP 7 Basic Prof...

Page 140: ...Server Address Enter the IP address or the FQDN Fully Qualified Domain Name of the TFTP server with which you exchange data TFTP Server Port Enter the port of the TFTP server via which data exchange will be handled If necessary you can change the default value 69 to your own requirements The table has the following columns Type Shows the file type Description Shows the short description of the fil...

Page 141: ... TFTP server in TFTP server address 2 Enter the port of the TFTP server to be used in TFTP Server Port 3 If applicable enter the name of a file in which you want to save the data or take the data from in Filename Note Files whose access is password protected To be able to load these files on the device successfully you need to enter the password specified for the file in System Load Save Passwords...

Page 142: ...ccess data for the SFTP server You can also store device data in an external file on your client PC or load such data from an external file from the PC to the devices This means for example that you can also load new firmware from a file located on your Admin PC On this page the certificates required to establish a secure VPN connection can also be loaded Firmware The firmware is signed and encryp...

Page 143: ...rements Same article number Same firmware version Password You assign the password in the WBM under System Load Save Passwords You can use the file types as follows For offline diagnostics You can save the faulty configuration of a device as RunningSINEMAConfig via the WBM and import it in STEP 7 Basic Professional No connection to a real device is required for the diagnostics in STEP 7 Basic Prof...

Page 144: ...r Port Enter the port of the SFTP server via which data exchange will be handled If necessary you can change the default value 22 to your own requirements SFTP User Enter the user for access to the SFTP server This assumes that a user with the corresponding rights has been created on the SFTP server SFTP Password Enter the password for the user SFTP Password Confirmation Confirm the password The t...

Page 145: ...r the port of the SFTP server to be used in SFTP Server Port 3 Enter the user data user name and password required for access to the SFTP server 4 If applicable enter the name of a file in which you want to save the data or take the data from in Filename Note Files whose access is password protected To be able to load these files on the device successfully you need to enter the password specified ...

Page 146: ...ngs are necessary for specific devices these must be made online on the relevant device Note Configuration data has a checksum If you change the data you can no longer upload it to the device 4 4 5 5 Passwords There are files to which access is password protected To load the file on the device enter the password specified for the file on the WBM page Description The table has the following columns...

Page 147: ...To confirm the password enter the password again in Password Confirmation 3 Select the Enabled option 4 Click the Set Values button 4 4 6 Events 4 4 6 1 Configuration Selecting system events On the WBM page you define which system events are reported and how or execute a follow up reaction The following messages are always entered in the event log table and cannot be deselected Changing the admin ...

Page 148: ...able 2 at once Table 1 has the following columns All Events Shows that the settings are valid for all events of table 2 E mail Trap Log Table Syslog Fault Digital Out VPN Tunnel Firewall Enable or disable the required type of notification for all events If No Change is selected the entries of the corresponding column in table 2 remain unchanged Copy To Table If you click the button the setting is ...

Page 149: ...contact When a fault occurs at the signaling contact the signaling contact opens and the error LED F lights up When the error fault status is no longer pending the fault LED goes out and the signaling contact is closed Fault at digital output If you have configured the signaling contact as digital output For an error to also be signaled by the fault LED F you must enable Fault State Change for the...

Page 150: ...The device sends an e mail This is only possible if the SMTP server is set up and the SMTP Client function is enabled Trap The device sends an SNMP trap This is only possible if SNMPv1 Traps is enabled in System Configuration Log Table The device writes an entry in the event log table see Information Log Table Syslog The device writes an entry to the system log server This is only possible if the ...

Page 151: ...ating a VPN tunnel via the digital input 1 For the Digital In event activate the VPN Tunnel entry 2 Configure the VPN connection IPsec In Operation set wait on DI or start on DI You can find more information on this in IPsec VPN Connections and in VPN connection establishment SINEMA RC For Type of connection set Auto or Digital In For Auto type of connection you must set the Digital In type of con...

Page 152: ...following settings are possible Info The messages of all Severity are sent or logged Warning The message of this Severity and the Critical level are sent or logged Critical Only the messages of this Severity are sent or logged 4 4 7 SMTP client 4 4 7 1 General Network monitoring with e mails If events occur the device can automatically send an e mail e g to the service technician The e mail contai...

Page 153: ...nter the IP address or the FQDN Fully Qualified Domain Name of the SMTP server The table contains the following columns Select Select the check box in a row to be deleted Status Specify whether this SMTP server will be used SMTP Server Address Shows the IP address or the FQDN Fully Qualified Domain Name of the SMTP server Sender Email Address Enter the e mail address of the sender that is specifie...

Page 154: ...sending was not successful the message contains possible causes Procedure Configuring the SMTP server 1 Enable the SMTP Client function 2 Enter the IP address or the FQDN of the SMTP server for SMTP Server Address 3 Click the Create button A new entry is generated in the table 4 Enter the name of the sender that will be included in the e mail for Sender Email Address 5 Enter the user name and pass...

Page 155: ... is generated in the table The setting Send is activated by default 2 Send test e mail Click the General tab Click the Test button next to the SMTP server entry The device sends to every configured receiver Check the test result If sending was not successful the message contains possible causes 4 4 7 2 Receiver On this page you specify who receives an e mail when an event occurs Description The pa...

Page 156: ...ich the device sends an e mail if a fault occurs Procedure Configuring an SMTP receiver 1 Select the required SMTP Server 2 Enter the SMTP receiver email address 3 Click the Create button A new entry is generated in the table 4 Activate the Send option for the entry 5 Click the Set Values button 4 4 8 DHCP 4 4 8 1 DHCP Client If the device is configured as a DHCP client it starts a DHCP request As...

Page 157: ...sed on the MAC address via DHCP Client ID Identification is based on a freely defined DHCP client ID via System Name Identification is based on the Device Name If the device name is 255 characters long the last character is not used for identification via IAID and DUID With this the DHCP client can log on with DHCP servers that support parallel operation of IPv4 and IPv6 The identification is via ...

Page 158: ...able 4 Click the Set Values button Note If a configuration file is downloaded this can trigger a system restart If the currently running configuration and the configuration in the downloaded configuration file differ the system restarts Make sure that the option DHCP Client Configuration Request Opt 66 67 is no longer set 4 4 8 2 DHCP Server You can operate the device as a DHCP server This allows ...

Page 159: ... there may be conflicts with the IPv4 addresses To avoid this assign these devices an IPv4 address outside the IPv4 address band The table has the following columns Select Select the check box in the row to be deleted Pool ID Shows the number of the IPv4 address band If you click the Create button a new row with a unique number is created pool ID Interface Select a VLAN IP interface The IPv4 addre...

Page 160: ...ddress that specifies the end of the dynamic IPv4 address band The IPv4 address must be within the network address range you configured for Subnet Lease Time sec Specify for how many seconds the assigned IPv4 address remains valid When half the period of validity has elapsed the DHCP client can extend the period of the assigned IPv4 address When the entire time has elapsed the DHCP client needs to...

Page 161: ...of the required DHCP option Note DHCP options supported The DHCP options 1 3 6 12 15 66 67 are supported The DHCP options are created automatically when the IPv4 address band is created With the exception of option 1 the options can be deleted The table has the following columns Select Select the check box in the row to be deleted Pool ID Shows the number of the address band Option Value Shows the...

Page 162: ...bnet of the DHCP client If the device itself is the router the IPv4 address of the interface is used You can specify several IPv4 addresses separated by commas 6 DNS Server The IPv4 address of the DNS server available to the DHCP client If the device itself is the DNS server the IPv4 address of the interface is used 12 Host name Enter the host name in the string format 15 DNS domain name Assign th...

Page 163: ...ent Identification Method Select the method according to which a client is identified Ethernet MAC Identification is based on the MAC address Enter the MAC address in Value A MAC address consists of six byes separated by hyphens in hexadecimal notation e g 00 ab 1d df b4 1d Client ID Identification is based on a freely defined DHCP client ID Enter the required designation in Value DUID Identificat...

Page 164: ... box in the row to be deleted Pool ID Shows the number of the address band Identification Method Shows the method with which the client identifies itself with the DHCP server Value Shows the MAC address or client ID or DUID of the client IP Address Specify the IPv4 address that will be assigned to the client The IPv4 address must be within the address band Comment Enter a description for the addre...

Page 165: ... make the basic settings for SNMP Enable the check boxes according to the function you want to use Description The page contains the following boxes SNMP Select the SNMP protocol from the drop down list The following settings are possible Disabled SNMP is disabled SNMPv1 v2c v3 SNMPv1 v2c v3 is supported Note Note that SNMP in versions 1 and 2c does not have any security mechanisms SNMPv3 Only SNM...

Page 166: ...NMPv1 v2c Read Write Community String Enter the community string for read and write access of the SNMP protocol SNMPv3 User Migration Enabled If the function is enabled an SNMP engine ID is generated that can be migrated You can transfer configured SNMPv3 users to a different device If you enable this function and load the configuration of the device on another device configured SNMPv3 users are r...

Page 167: ...character string in the SNMPv1 v2c Read Write Community String input box 5 If necessary enable the SNMPv3 User Migration 6 Click the Set Values button 4 4 9 2 SNMPv3 Users User specific security settings On the WBM page you can create new SNMPv3 users and modify or delete existing users The user based security model works with the concept of the user name in other words a user ID is added to every...

Page 168: ...ion protocol for which a password will be stored This drop down list is only enabled when an authentication protocol has been selected The following settings are available None DES AES Authentication Password Enter the authentication password in the first input box This password must have at least 1 character the maximum length is 32 characters Note Length of the password As an important measure t...

Page 169: ...umbers Privacy Password Confirmation Confirm the encryption password by repeating the entry Procedure Create a new user 1 Enter the name of the new user in the User Name input box 2 Click the Create button A new entry is generated in the table 3 Select the authentication algorithm for Authentication Protocol In the relevant input boxes enter the authentication password and the confirmation 4 Selec...

Page 170: ...escription The page contains the following boxes Group Name Enter the group that will be assigned to the user User Name Select the user to be a member of the specified group The drop down list only contains users that are not yet assigned to a group The table has the following columns Select Select the row you want to delete Group Name Displays the SNMPv3 group A group name can only be changed lat...

Page 171: ... of a group Note Different access permissions for different security levels can be assigned to a group If no access permission is defined for a security level no access to the device is possible for members of the group using this security level Description The page contains the following boxes Group Name Select the name of the group Security Level Select the security level authentication encrypti...

Page 172: ...group with the defined security level should be used Procedure Creating a new group 1 Select the name of the group for which you are configuring SNMP access 2 Select the required security level from the Security Level drop down list 3 Click the Create button to create a new entry 4 In the Read View Name field enter the SNMPv3 view for read access 5 In the Write View Name field enter the SNMPv3 vie...

Page 173: ... and SNMPv2c access The preconfigured SIMATICNETRD and SIMATICNETWR views are used internally to control the SNMPv1 and SNMPv2c access If you delete or change these views this directly affects the SNMPv1 and SNMPv2c access Description The page contains the following boxes View Name Select the name of the view that you want to configure An SNMPv3 view always needs to be assigned to an SNMPv3 access...

Page 174: ...t is not listed is necessary you can configure this via the CLI with the snmp view command This OID is then also displayed in the WBM in the overview table The table has the following columns Select Select the row you want to delete View Name The name of the SNMPv3 view MIB Tree The OID of the MIB area for the SNMPv3 view View Type The available options are as follows Included The MIB OID and its ...

Page 175: ...g boxes SNMPv1 Traps Enable or disable sending of SNMPv1 traps This setting affects all receivers of SNMPv1 traps and has no effects on receivers of SNMPv2c or SNMPv3 notifications SNMPv1 v2c Trap Community String Enter the community string for sending SNMPv1 v2c notifications SNMPv3 Notify User Select the user to which SNMPv3 notifications are to be sent SNMPv3 Notify Security Level Select the se...

Page 176: ...nds SNMP notifications You can specify up to ten different receivers servers The table has the following columns Select Select the row you want to delete Notification Receiver Address If necessary change the IP address of the stations Notification Receiver Type Shows the defined receiver type SNMP Engine ID The ID of the SNMP engine to which SNMPv3 inform notifications are sent You can only config...

Page 177: ...Receiver Type drop down list 4 In Notification Receiver Address enter the IP address of the station to which the device should send traps or notifications 5 Click the Create button to create a new trap entry 6 Activate Notification in the required row 7 Click the Set Values button Deleting a trap entry 1 Enable Select in the row to be deleted 2 Click the Delete button The entry is deleted 4 4 10 S...

Page 178: ...ption The page contains the following boxes Time Manually Enable or disable the manual time setting If you enable the option the System Time input box can be edited System Time Enter the date and time in the format MM DD YYYY HH MM SS After a restart the time of day begins at 01 01 2000 00 00 00 Use PC Time Click the button to use the time setting of the PC Last Synchronization Time Shows when the...

Page 179: ...ght Saving Time Shows whether the daylight saving time changeover is active active offset 1 h The system time was changed to daylight saving time in other words an hour was added You can see the current system time at the top right in the selection area of the WBM The set time continues to be displayed in the System Time box inactive offset 0 h The current system time is not changed Procedure 1 En...

Page 180: ...elect Select the row you want to delete DST No Shows the number of the entry If you create a new entry a new line with a unique number is created Name Shows the name of the entry Year Shows the year for which the entry was created Start Date Shows the month day and time for the start of daylight saving time End Date Shows the month day and time for the end of daylight saving time Recurring Date Wi...

Page 181: ...er Procedure Creating an entry 1 Click the Create button A new entry is created in the table 2 Click on the required entry in the DST No column You change to the DST Configuration page 3 Select the required type in the Type drop down list Depending on the selected type various settings are available 4 Enter a name in the Name box 5 If you have selected the type Date fill in the following boxes Yea...

Page 182: ...or the daylight saving time changeover or specify a fixed date Settings Note The content of this page depends on the selection in the Type box The boxes DST No Type and Name are always shown DST No Select the type of the entry Type Select how the daylight saving time changeover is made Date You can enter a fixed date for the daylight saving time changeover This setting is suitable for regions in w...

Page 183: ... for the start and end of daylight saving time Year Enter the year for the daylight saving time changeover Start Date Enter the following values for the start of daylight saving time Day Enter the day Hour Enter the hour Month Enter the month End Date Enter the following values for the end of daylight saving time Day Enter the day Hour Enter the hour Month Enter the month ...

Page 184: ...Recurring selected You can create a rule for the daylight saving time changeover Year Enter the year for the daylight saving time changeover Start Date Enter the following values for the start of daylight saving time Hour Enter the hour Month Enter the month Week Enter the week You can select the first to fourth or the last week of the month Day Enter the weekday ...

Page 185: ...he hour Month Enter the month Week Enter the week You can select the first to fourth or the last week of the month Day Enter the weekday 4 4 10 4 SNTP Client Time of day synchronization in the network SNTP Simple Network Time Protocol is used for synchronizing the time in the network The appropriate frames are sent by an SNTP server in the network Note To avoid time jumps make sure that there is o...

Page 186: ...er Security Firewall Predefined IPv4 rules Description The page contains the following boxes SNTP Client When enabled the device receives the system time from an SNTP server Current System Time Shows the current date and current normal time received by the IE switch If you specify a time zone the time information is adapted accordingly Last Synchronization Time Shows when the last time of day sync...

Page 187: ...anged to daylight saving time in other words an hour was added You can see the current system time at the top right in the selection area of the WBM The set time continues to be displayed in the System Time box inactive offset 0 h The current system time is not changed SNTP Mode Select the synchronization mode from the drop down list The following types are possible Poll If you select this mode th...

Page 188: ...st If several SNTP servers have been created the primary server is queried first Procedure 1 Click the SNTP Client check box to enable the automatic time setting 2 In Time Zone enter the local time difference to world time UTC The input format is HH MM because the NTP server always sends UTC time for example 02 00 for CEST the Central European Summer Time This time is recalculated and displayed as...

Page 189: ...ed 6 In Poll Interval s enter the time in seconds after which a new time query is sent to the time server 7 Click the Set Values button 4 4 10 5 NTP Client Automatic time of day setting with NTP If time synchronization is to take place via NTP define the time server that is used to synchronize the time Note To avoid time jumps make sure that there is only one time server in the network Requirement...

Page 190: ...t normal time received by the device If you specify a time zone the time information is adapted accordingly Last Synchronization Time Shows when the last time of day synchronization took place Last Synchronization Mechanism Shows how the last time synchronization was performed The following methods are possible Not set The time was not set Manual Manual time setting SNTP Automatic time of day sync...

Page 191: ...r with a smaller stratum value are received this time is applied The switchover to the time with the smaller stratum takes about 30 minutes In the table configure the NTP server Select Select the row you want to delete NTP Server Index Number corresponding to a specific NTP server entry NTP Server Address Enter the IP address the FQDN Fully Qualified Domain Name or the host name of the NTP server ...

Page 192: ...ow is inserted in the table for the NTP server 5 In NTP Server Address enter the address of the NTP server whose frames are used to synchronize the time of day 6 In NTP Server Port enter the port via which the NTP server is available The port can only be modified if the address of the NTP server is entered 7 In the Poll Interval column enter the interval in seconds after which a new time of day qu...

Page 193: ...3 193 4 4 10 6 SIMATIC Time Client Time setting via SIMATIC time client Note To avoid time jumps make sure that there is only one time server in the network Description The page contains the following boxes SIMATIC Time Client Select this check box to enable the device as a SIMATIC time client Current System Time Shows the current system time ...

Page 194: ... Client 2 Click the Set Values button 4 4 10 7 NTP server On this WBM page you configure the device as an NTP server or as an NTP server of the type NTP secure The other devices can call up the time made available by the device via this NTP server This means that the supplied devices are not dependent on a connection to an external time server Note Time synchronization Also configure the device as...

Page 195: ...Note SNTP Client in Listen mode and NTP Server cannot be enabled at the same time Interface Specify the interface via which the time is transferred using NTP The table has the following columns Select Select the row you want to delete Interface Via this interface the time is transferred using NTP Listen When enabled the other devices can call up the time via this interface Server Port Enter the po...

Page 196: ...ash algorithm DES ASCII 8 characters MD5 ASCII 16 characters SHA1 ASCII 20 characters Key Confirmation Enter the authentication key for confirmation 4 4 11 Auto logout Setting the automatic logout On this page set the times after which there is an automatic logout from WBM or the CLI following user in activity If you have been logged out automatically you will need to log in again Procedure 1 Ente...

Page 197: ...y Defaults When disabled the SET button cannot be used to restore factory defaults CAUTION Button function Restore Factory Defaults active during startup If you have disabled this function in your configuration disabling is only valid during operation When restarting for example after power down the function is active until the configuration is loaded so that the device can inadvertently be reset ...

Page 198: ...ent to the Syslog server unencrypted or encrypted Requirements for sending Syslog messages The Syslog client is enabled In System Events Configuration Syslog is activated for the relevant event There is a Syslog server in your network that receives the Syslog messages The IP address or the FQDN Fully Qualified Domain Name of the Syslog server is entered in the device Description The page contains ...

Page 199: ...g messages are sent unencrypted over UDP Procedure Enabling function 1 Select the Syslog Client check box 2 Click the Set Values button Creating a new entry 1 In the Syslog Server Address input box enter the address of the Syslog server to which the Syslog messages are sent 2 Click the Create button A new row is inserted in the table 3 In the Server Port input box enter the number of the server po...

Page 200: ...ports The entry is a link If you click on the link the corresponding configuration page is opened The port is made up of the module number and the port number for example port 0 1 is module 0 port 1 Port Name Shows the name of the port Port Type only with routing Shows the type of the port The following types are possible Switch Port VLAN Hybrid Switch Port VLAN Trunk Combo Port Media Type This co...

Page 201: ...alid link to the network a link integrity signal is being received Down The link is down for example because the connected device is turned off Mode Shows the transfer parameters of the port Negotiation Shows whether the automatic configuration is enabled or disabled Flow Ctrl Type Shows whether flow control is enabled or disabled for the port Flow Ctrl Shows whether or not flow control is working...

Page 202: ... not match the actual values of the combo port In the connection status up the correct values are displayed Initial situation A pluggable transceiver is plugged into the combo port with the following settings Combo Port Media Type auto Status enabled Link down Display of the transmission parameters With 100 Mbps pluggable transceivers Actual response Mode 100M HD Expected response Mode 100M FD Wit...

Page 203: ...figuring ports With this page you can configure all the ports of the device Description Port Select the port to be configured from the drop down list Status Specify whether the port is enabled or disabled enabled The port is enabled Data traffic is possible only over an enabled port disabled The port is disabled but the connection remains Note Turn off unused ports Link down ...

Page 204: ...s must match at both ends Note Mode Type with combo ports To be able to set the Mode Type of a combo port change the Combo Port Media Type to rj45 If auto is set for the Combo Port Media Type and the RJ 45 port is used you cannot set the Mode Type Mode Shows the transmission speed and the transmission mode of the port The following settings are possible 10 Mbps full duplex FD or half duplex HD 100...

Page 205: ...nsistent system state Combo Port Media Type Specify the mode of the combo port auto If you select this mode the pluggable transceiver port has priority As soon as a pluggable transceiver is plugged in an existing connection at the fixed RJ 45 port is terminated If no pluggable transceiver is plugged in a connection can be established via the fixed RJ 45 port rj45 If you select this mode the fixed ...

Page 206: ...gure the combo port media type accordingly using the WBM or CLI OperState Displays the current operational status The operational status depends on the configured Status and the Link The following options are possible Up You have configured the enabled status for the port and the port has a valid connection to the network Down You have configured the disabled status or Link down for the port or th...

Page 207: ...ation Click the appropriate box to change the configuration Note Optical ports only work with the full duplex mode and at maximum transmission rate As a result the following settings cannot be made for optical ports Automatic configuration Transmission speed Transmission mode Note With various automatic functions the device prevents or reduces the effect on other ports and priority classes Class o...

Page 208: ...al feed in line A fault is then signaled by the message system when there is no power on one of the monitored lines line 1 or line 2 or when the voltage is too low Note You will find the permitted operating voltage limits in the compact operating instructions of the device A fault causes the signaling contact to trigger and the fault LED on the device to light up and depending on the configuration...

Page 209: ... when there should be a link on a port and this is missing or when there should not be a link on a port and a link is detected A fault causes the fault LED on the device to light up and depending on the configuration can trigger a trap or an entry in the event log table Description Table 1 has the following columns 1st column Shows that the settings are valid for all ports Setting Select the setti...

Page 210: ...the port changes to the active status From Link down to Link up Down Error handling is triggered when the port changes to the inactive status From Link up to Link down disabled The error handling is not triggered Procedure Configure error monitoring for a port 1 From the relevant drop down list select the options of the slots ports whose connection status you want to monitor 2 Click the Set Values...

Page 211: ...on about the configuration stored on the C PLUG It is also possible to reset the PLUG to factory defaults or to load it with new contents Note Incompatibility with older firmware versions with PLUG inserted During the installation of an older firmware version the configuration data can be lost In this case reset the device to the factory settings after the firmware has been installed In this situa...

Page 212: ...able configuration in the device NOT ACCEPTED Invalid or incompatible configuration on the inserted PLUG NOT PRESENT There is no C PLUG or KEY PLUG inserted in the device FACTORY PLUG is inserted and does not contain a configuration This status is also displayed when the PLUG was formatted during operation MISSING There is no PLUG inserted Functions are configured on the device for which a license...

Page 213: ... PLUG The Info box shows whether or not the firmware is stored on the PLUG Note C PLUG 256 MB V2 2 and higher As of firmware version 2 2 you can only save the firmware on a C PLUG with 256 MB Info String Shows additional information about the device that used the PLUG previously for example article number type designation and the versions of the hardware and software The displayed software version...

Page 214: ... with a PLUG the device can no longer be used without this PLUG To be able to use the device again reset the device to the factory settings Note Incompatibility with previous versions with PLUG inserted During the installation of a previous version the configuration data can be lost In this case the device starts up with the factory settings after the firmware has been installed In this situation ...

Page 215: ...he license of the inserted KEY PLUG is not valid NOT PRESENT No KEY PLUG is inserted in the device MISSING There is no KEY PLUG inserted with the FACTORY status Functions are configured on the device for which a license is required WRONG The inserted KEY PLUG is not suitable for the device UNKNOWN Unknown content of the KEY PLUG DEFECTIVE The content of the KEY PLUG contains errors Order ID Shows ...

Page 216: ...e The displayed software version corresponds to the version in which the configuration was last changed With the NOT ACCEPTED status further information on the cause of the problem is displayed Note When you save the configuration the information about whether or not a KEY PLUG was inserted in the device at the time is also saved This configuration can then only work if a KEY PLUG with the same or...

Page 217: ...utton to empty the Ping Output box 4 4 18 DCP Discovery On this page you can select an interface and search for devices that are reachable via the interface and support DCP DCP Discovery only searches for devices located in the same subnet as the interface The reachable devices are listed in a table In the table you can check and adapt the network parameters of the devices To identify and configur...

Page 218: ...e On completion of the search the reachable devices are listed in the table The table is limited to 100 entries The table has the following columns Port Shows the port via which the device can be reached MAC Address Shows the MAC address of the device Device Type Shows the product line or product group to which the device belongs Device Name Adapt the PROFINET device name if necessary The device n...

Page 219: ...P server Configured The device was assigned a new IPv4 address Timeout s Specify the time for flashing When the time elapses flashing stops Flash Makes the port LEDs of the selected device flash Configuration procedure 1 Select the TIA interface 2 To show all devices that can be reached via the TIA interface click the Browse button 3 Adapt the desired properties 4 Click the Set Values button The s...

Page 220: ...s can be localized to within a few meters Note Please note that this test is permitted only when no data connection is established on the port to be tested If however there is a data connection to the port to be tested this is briefly interrupted Automatic re establishment of the connection can fail in this case the connection needs to be re established manually To run a cable test at the combo po...

Page 221: ...lays the distance to the open cable end cable break or short circuit in meters The value for the distance has a tolerance of 1 m If the status is OK the length is specified with unknown 4 4 19 2 SFP diagnostics On this page you run independent error diagnostics for each individual SFP port This test is performed without needing to remove the cable connect a cable tester or install a loopback modul...

Page 222: ...ect the required port from the drop down list Refresh Refreshes the display of the values of the set port The result is shown in the table The values are shown in the following boxes Name Shows the name of the interface Model Shows the type of interface Revision Shows the hardware version of the SFP Serial Shows the serial number of the SFP Nominal Bit Rate Mbps Shows the nominal bit rate of the i...

Page 223: ...r dBm Shows the receive power of the interface in microwatts decibel milliwatts Tx Power μW Tx Power dBm Shows the transmit power of the interface in microwatts decibel milliwatts Current column Shows the current value Low column Shows the lowest value High column Shows the highest value 4 4 20 cRSP SRS Note Common Remote Service Platform cRSP Siemens Remote Service SRS is a remote maintenance pla...

Page 224: ...te Server Certificate When enabled the device checks the validity of the received server certificate The table has the following columns Index The number of the entry Select Select the check box in the row to be deleted Click Delete to delete the entry Scheme Identifies the access method and the resource type https Secure access to a Web page Authority Contains the address of the destination serve...

Page 225: ...ocal parts of the resource e g the anchor attribute of a Web page Status Shows the status of the last cRSP SRS access of the entry Enabled When enabled this entry is used 4 4 21 Proxy server On this WBM page you configure the proxy server that is used by various components for example SINEMA RC Description Proxy Name Enter a name for the proxy server The table has the following columns Select Sele...

Page 226: ...er Port Enter the port on which the proxy service runs Auth Method Specify the authentication method None No authentication Basic Standard authentication User name and password are sent unencrypted NTML NT LAN Manager Authentication according to the NTML standard Windows user logon User Name Enter the user name for access to the proxy server Password Enter the password for access to the proxy serv...

Page 227: ... G8976 C475 03 227 4 4 22 SINEMA RC On the WBM page you configure the access to the SINEMA RC server Description The page contains the following Enable SINEMA RC Enabled A connection to the configured SINEMA RC Server is established These boxes cannot be edited Disabled The boxes can be edited Any existing connection is terminated ...

Page 228: ...ver Based on the fingerprint the device checks whether the correct SINEMA RC Server is involved You will find further information on this in the Operating Instructions of the SINEMA RC Server CA Certificate Only necessary with the setting CA Certificate Select the CA certificate of the server used to sign the server certificate Only loaded CA certificates can be selected Device Credentials area De...

Page 229: ...urther information on this topic in the SINEMA RC Server operating instructions Permanent The settings of the SINEMA RC server are ignored The device establishes a VPN connection to the SINEMA RC Server The VPN tunnel is established permanently Digital In The settings of the SINEMA RC server are ignored If the Digital In event occurs the device attempts to establish a VPN connection to the SINEMA ...

Page 230: ...ngs under Layer 2 Dynamic MAC Aging Redundancy Type The following settings are available disabled The redundancy function is disabled Ring If you select this option you specify the required redundancy mode in the Redundancy Mode drop down list Spanning Tree If you select this option you specify the required redundancy mode in the Redundancy Mode drop down list Redundancy Mode If you select Ring in...

Page 231: ...d at a port this port reverts from RSTP to spanning tree You can configure other settings in Layer 2 Spanning Tree Note When using RSTP Rapid Spanning Tree Protocol loops involving duplication of frames or frames being overtaken may occur briefly If this is not acceptable in your particular application use the slower standard spanning tree mechanism Passive Listening Enable or disable the Passive ...

Page 232: ... VLAN ID Enter the VLAN ID in the VLAN ID input box Range of values 1 4094 The table has the following columns Select Select the row you want to delete VLAN ID Shows the VLAN ID The VLAN ID a number between 1 and 4094 can only be assigned once when creating a new data record and can then no longer be changed To make a change the entire data record must be deleted and created again Name Enter a nam...

Page 233: ...ithout a VLAN tag are sent from this port u lowercase The port is an untagged member of the VLAN but the VLAN is not configured as a port VLAN Frames sent in this VLAN are forwarded without the VLAN tag F The port is not a member of the specified VLAN and cannot become a member of this VLAN even if it is configured as a trunk port T This option is only displayed and cannot be selected in the WBM T...

Page 234: ...ist select the setting for all ports If No Change is selected the entries of the corresponding column in table 2 remain unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Table 2 has the following columns Port Shows the available ports Priority Select the required priority assigned to untagged frames The CoS priority Class of Service used in the VLAN ta...

Page 235: ...agged frames The device forwards all untagged frames and frames with a priority Priority Tagged Frames Otherwise the forwarding rules apply according to the configuration If you have configured the Bridge mode Provider this means that the device treats all incoming frames like untagged frames Ingress Filtering Specify whether the VID of received frames is evaluated You have the following options E...

Page 236: ...evice for example a programming device is connected to a different port If the check box is not enabled a device does not delete learnt addresses automatically Description The page contains the following boxes Dynamic MAC Aging Enable or disable the function for automatic aging of learned MAC addresses Aging Time s Enter the time in seconds in steps of 15 After this time a learned address is delet...

Page 237: ...ncy You can enable ring redundancy as follows using the WBM using the CLI Configuration of ring redundancy Ring Redundancy If you enable the Ring Redundancy check box you turn ring redundancy on The Ring Ports set on this page are used Ring redundancy mode Here you set the mode of the ring redundancy The following modes are available MRP Client The device adopts the role of MRP client HRP Client T...

Page 238: ... previous configuration 4 5 5 Spanning Tree 4 5 5 1 General General settings of the Spanning Tree protocol On this page you can enable Spanning Tree and select the protocol compatibility By default the Spanning Tree Protocol STP is enabled Description of the displayed boxes The page contains the following boxes Spanning Tree Enable or disable Spanning Tree Note No operation of Spanning Tree with e...

Page 239: ...ing Tree check box 2 From the Protocol Compatibility drop down list select the type of compatibility 3 Click the Set Values button 4 5 5 2 ST general The page consists of the following parts The left hand side of the page shows the configuration of the device The right hand part shows the configuration of the root bridge that can be derived from the spanning tree frames received by a device ...

Page 240: ...oot bridge Root port Shows the port via which the switch communicates with the root bridge Root Cost The path costs from this device to the root bridge Topology Changes Last Topology Change The entry for the device shows the number of reconfiguration actions due to the spanning tree mechanism since the last startup For the root bridge the time since the last reconfiguration is displayed as follows...

Page 241: ...ble 2 Spanning Tree Status In the drop down list select the setting for all ports If No Change is selected the entries of the corresponding column in table 2 remain unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Table 2 has the following columns Port Shows the available ports Spanning Tree Status Specify whether the port is integrated in the spannin...

Page 242: ...s largely based on the transmission speed The higher the achievable transmission speed is the lower the value of the path costs Typical values for path costs with RSTP 10 000 Mbps 2 000 1000 Mbps 20 000 100 Mbps 200 000 10 Mbps 2 000 000 The values can however also be set individually Status Displays the current status of the port The values are only displayed and cannot be configured The Status p...

Page 243: ...stablished the first time the port is treated as an Edge Port Edge Shows the status of the port Enabled An end device is connected to this port Disabled There is a Spanning Tree or Rapid Spanning Tree device at this port With an end device a switch can change over the port faster without taking into account spanning tree frames If a Spanning Tree frame is received despite this setting the port aut...

Page 244: ...he network topology LLDP Link Layer Discovery Protocol is defined in the IEEE 802 AB standard LLDP is a method used to discover the network topology Network components exchange information with their neighbor devices using LLDP Network components that support LLDP have an LLDP agent The LLDP agent sends information about itself and receives information from connected devices at periodic intervals ...

Page 245: ...2 remains unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Table 2 has the following columns Port Shows the available ports Setting Specify the LLDP functionality The following options are available Rx This port can only receive LLDP frames Tx This port can only send LLDP frames Rx Tx This port can receive and send LLDP frames disabled This port can n...

Page 246: ...ics information from its connection partner it monitors the received power measured at the optical port for the set limit values If Fiber Monitoring is enabled on the connection partner the connection partner transfers the current value for the transmit power of the port to the device The device compares the value it has received for the transmit power with the actually received power The differen...

Page 247: ...Fiber Monitoring As default the function is disabled Rx Power dBm Maintenance Required Warning Specify the value at which you are informed of the deterioration of the received power by a message of the severity level Warning If you enter the value 0 the received power is not monitored The default value depends on the relevant transceiver Rx Power dBm Maintenance Demanded Critical Specify the value...

Page 248: ...ng fiber monitoring Follow the steps below to activate the monitoring of a port 1 Select the appropriate check box in the Status column 2 For your setup enter practical values value at which you want to be informed of deterioration of the received power and the power loss of the connection 3 Click the Set Values button Deactivating fiber monitoring Follow the steps below to deactivate the monitori...

Page 249: ...to delete VLAN ID Shows the VLAN ID assigned to this MAC address MAC Address Shows the MAC address of the node that the device has learned or the user has configured Status Shows the status of each address entry Static Configured by the user Static addresses are stored permanently in other words they are not deleted when the Aging Time expires or when the switch is restarted Invalid These values a...

Page 250: ... row to be deleted Repeat this for all entries you want to delete 2 Click the Delete button to delete the selected entries from the filter table 3 Click the Refresh button 4 5 8 2 Locked Ports Activating the access control On this page you can block individual ports for unknown nodes If the Port Lock function is enabled packets arriving at this port from unknown MAC addresses are discarded immedia...

Page 251: ... following setting options Enabled Enables the port lock function Disabled Disables the port lock function No change Table 2 remains unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Table 2 has the following columns Port This column lists all the ports available on this device Setting Enable or disable access control for the port Configuration procedu...

Page 252: ... 8 3 Blocking Blocking forwarding of unknown unicast frames On this page you can block the forwarding of unknown unicast frames for individual ports Description of the displayed values Table 1 has the following columns 1st column Shows that the settings are valid for all ports of table 2 Setting Select the setting from the drop down list You have the following setting options Enabled Blocking of u...

Page 253: ... in table 2 2 To apply the changes click the Set Values button Enabling blocking for all ports 1 In the Setting drop down list select the Enabled entry 2 Click the Copy to Table button The check box is enabled for all ports in table 2 3 To apply the changes click the Set Values button 4 5 9 Multicast 4 5 9 1 Groups Multicast applications In the majority of cases a frame is sent with a unicast addr...

Page 254: ...he row you want to delete MAC address Here the multicast address is displayed that the device has learned or the user has configured Status Static Shows the status of each address entry The address was entered statically by the user Static addresses are stored permanently in other words they are not deleted when the Aging Time expires or when the device is restarted These must be deleted by the us...

Page 255: ...columns 1st column Shows that the settings are valid for all ports of table 2 Setting Select the setting from the drop down list You have the following setting options Enabled Blocking of multicast frames is enabled Disabled Blocking of unknown multicast frames is disabled No change Table 2 remains unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Tabl...

Page 256: ...ed entry 2 Click the Copy to Table button The check box is enabled for all ports in table 2 3 To apply the changes click the Set Values button 4 5 10 Inter VLAN Bridge SC63x SC64x 4 5 10 1 Overview Overview You can create one bridge per device and add a maximum of six VLANs to the bridge Description The page contains the following boxes Bridge ID Enter the bridge ID in the Bridge ID text box The B...

Page 257: ...N bridge Untagged frames that are received at these ports are also forwarded to all other ports of the Inter VLAN bridge without tag As long as the transparent bridge is enabled you cannot change the port associations of the affected VLANs The prerequisite for this is that the port VLAN ID of all ports belonging to the VLAN is set to the VLAN ID If you disable this option the VLAN tags are evaluat...

Page 258: ...face VLAN to which the setting relates The list of VLANs is dynamic and is based on the settings from Layer 3 Subnets Bridge ID Select the ID of the bridge that is to be used for the selected VLAN Type Select the type of the interface Member The IP address configuration of the VLAN is not used for the bridge Master The IP address configuration of the VLAN is used for the bridge Use this setting fo...

Page 259: ...e Configuration tab Description The page contains the following box Interface Select the interface on which you want to configure another subnet The table has the following columns Select Select the row you want to delete Interface Shows the interface TIA Interface Shows the selected TIA interface Status Shows whether or not the interface is enabled Interface Name Shows the name of the interface M...

Page 260: ...agement WBM 260 Configuration Manual 10 2021 C79000 G8976 C475 03 Address Type Shows the address type The following values are possible Primary The first IPv4 address that was configured on an IPv4 interface Secondary All other IPv4 addresses that were configured on the IPv4 interface ...

Page 261: ... a cyclic check This column shows the current status of the function The following values are possible Idle The interface is not enabled and does not have an IPv4 address Starting This status indicates the start up phase In this phase the device initially sends a query as to whether the planned IPv4 address already exists If the address is not yet been assigned the device sends the message that it...

Page 262: ...Status Enable or disable the interface Interface Name Enter the name of the interface MAC Address Displays the MAC address of the selected interface DHCP Enable or disable the DHCP client for this IPv4 interface Note If you want to operate the device as a router with several interfaces disable DHCP on all interfaces IP Address Enter the IPv4 address of the interface The IPv4 addresses must not be ...

Page 263: ...ines the VLAN on which the PROFINET functionalities are available This mainly affects the device search with or via DCP 4 6 2 NAT 4 6 2 1 NAT General On this WBM page you enable Gratuitous ARP for alias IP addresses Description On this page you can enable the following option Announce alias IP addresses When the option is enabled a Gratuitous ARP is sent for each alias IP address This announces th...

Page 264: ... this interface the source IP address is replaced by the IP address of the interface 4 6 2 3 NAPT On this WBM page you can configure a port translation in addition to the address translation The following port translations are possible From a single port to the same port If the ports are the same the frames will be forwarded without port translation From a single port to a single port The frames a...

Page 265: ...stination IP address The frames are received at this IP address Can only be edited if Use Interface IP from Source Interface is disabled Destination Port Enter the destination port Incoming frames with this port as the destination port are forwarded If the setting is intended to apply to a port range enter the range with start port end port for example 30 40 Translated Destination IP Enter the IP ...

Page 266: ...he protocol for which the address assignment applies Interface IP Shows whether the IP address of the interface is used Destination IP Shows the destination IP address The frames are received at this IP address Destination Port Shows the destination port Incoming frames with this port as the destination port are forwarded Translated Destination IP Shows the IP address of the node to which the pack...

Page 267: ...sec Either all IPsec VPN connections all or a specific IPsec VPN connection Note When you configure a NAT address translation to or from the direction of the VPN tunnel only the IP addresses involved in the NAT address translation rules can be reached via the VPN tunnel Source IP Address es Specify the source IP addresses for which this source NAT rule is valid Only the packets that correspond to ...

Page 268: ...veral IPv4 addresses grouped together to form an IP address range IP address number of bits of the network part CIDR notation The table has the following columns Select Activate the check box in the row to be deleted Source Interface Shows the source interface Destination Interface Shows the destination interface Source IP Address es Shows the IP addresses of the senders for which address translat...

Page 269: ...e with destination NAT Address translation with NAT was already performed before the firewall the translated addresses are therefore used in the firewall Security Firewall IP rules Source Range Input from Source IP Subnet Destination Range Input from Translated Destination IP Subnet Description Type Specify the type of address translation Source Replacement of the source IP address Destination Rep...

Page 270: ...the Source settings The subnet can also be a single PC or another subset of the subnet Use the CIDR notation for example 192 168 10 10 32 You can also specify the IP range with the start address end address e g 192 168 100 10 192 168 100 20 For the entire IP range enter Destination IP Subnet Enter the subnet of the receiver The subnet can also be a single PC or another subset of the subnet Use the...

Page 271: ...AP rule is created These firewall rules are displayed under Security Firewall IP rules If you change or delete the NETMAP rules the corresponding firewall rules are adjusted or deleted The table has the following columns Select Select the check box in the row to be deleted Type Shows the direction of the address translation Source Interface Shows the source interface Destination Interface Shows th...

Page 272: ...bination with network or address range When you enable the option in combination with a network or address range the Alias IP addresses are reserved for the entire network or address range This can lead to network problems VRRP Interface VRID Selection is only possible when the Alias IP option is enabled Shows all configured routers of the type VRRPv3 that are created in the Layer 3 VRRPv3 Router ...

Page 273: ...ter anything not used is entered automatically The metric can be changed later Range of values 1 255 or 1 for not used Here 1 is the value for the best possible route The higher value the longer packets require to their destination The table has the following columns Select Select the row you want to delete Destination Network Shows the network address of the destination Subnet Mask Shows the corr...

Page 274: ...nter the gateway in the Gateway input box 5 Enter the weighting of the route in Administrative Distance 6 Click the Create button A new entry is generated in the table 7 Click the Set Values button 4 6 4 VRRPv3 4 6 4 1 Router Introduction Using the Create button you can create new virtual routers A maximum of 16 virtual routers can be configured You can configure other parameters on the Configurat...

Page 275: ... all VRRP instances is restored Interface Select the VLAN Interface that functions as the virtual router from the drop down list VRID Enter the ID of the virtual router in the input box This ID defines the group of routers that form a virtual router VR In the group this is the same It can no longer be used for other groups Valid values are 1 255 The table has the following columns Select Select th...

Page 276: ...ally All other priorities can be distributed freely among the VRRP routers The higher the priority the earlier the VRRP router becomes Master Advert Interval Shows the interval at which the master router sends VRRP packets Preempt Shows the precedence of a router when changing roles between backup and master yes This router has precedence when changing roles no This router does not have precedence...

Page 277: ...IPv4 address If the router becomes master router the router uses this IPv4 address Note If you only configure one subnet on this VLAN no entry is necessary The entry is then 0 0 0 0 If you configure more than one subnet on the VLAN and you want a specific IPv4 address to be used as the source address for VRRP packets select the IPv4 address from the drop down list Otherwise the numerically lowest ...

Page 278: ... ID Decrement Priority Enter the value by which the priority of the VRRP interface will be reduced Current Priority Shows the priority of the VRRP interface after the monitored interface has changed to the down status Steps in configuration To configure a virtual router as the master router follow the steps below 1 Select the ID of the virtual router you want to configure from the Interface VRID d...

Page 279: ...nitor one IPv4 address Description of the displayed boxes The table has the following columns Interface Shows the interface that functions as the virtual router VRID Shows the ID of this virtual router Number of addresses Shows the number of IPv4 addresses Assigned IP address 1 Assigned IP address 4 Shows the router IPv4 addresses monitored by this virtual router If a router takes over the role of...

Page 280: ...played values The page contains the following boxes Interface VRID Select the virtual router from the drop down list Associated IP address Enter the IPv4 address that the virtual router will monitor The table has the following columns Select Select the row you want to delete Associated IP Address Shows the IPv4 addresses that the virtual router monitors Configuration procedure 1 Select the ID of t...

Page 281: ...face is reduced You configure the value by which the priority is reduced on the page Layer 3 VRRPv3 Configuration When the link of the interface changes back from down to up the original priority of the VRRP interface is restored Description of the displayed values The page contains the following boxes Interface From the drop down list select the interface to be monitored Track ID Enter a track ID...

Page 282: ...op down list 2 In the Track ID box enter the required ID 3 Click the Create button 4 Select an ID from the Track ID drop down list 5 In the Track Interface Count enter the number of interfaces 6 Click the Set Values button 7 Link the monitoring to a VRRP interface in the Configuration tab 4 6 4 6 Address tracking You configure the monitoring of IPv4 addresses on this page The router sends a ping r...

Page 283: ...following columns Select Select the row you want to delete Track ID Shows the track ID IP Address Show the IPv4 address to be monitored Ping Period Shows the cycle time in seconds between two ping requests Ping Timeout Shows the time in seconds that the router waits for a ping response The minimum duration is three times the ping period Procedure 1 In the Track ID box enter the required ID 2 In th...

Page 284: ...ers User accounts On this page you create local user accounts with the corresponding rights To be able to create a user account the logged in user must have the admin role Note You can create up to 30 additional user accounts Restrictions The following characters are generally not permitted The characters coded with the ASCII value as of 128 extended ASCII code The characters for Space and Delete ...

Page 285: ...e device with this user name When you log in for the first time or log in after a Restore Factory Defaults and Restart you are prompted to change the pre defined password admin You can also rename the admin user preset in the factory once Afterwards renaming admin is no longer possible Password Policy Shows which password policy is being used High Password length at least 8 characters maximum 128 ...

Page 286: ...in users cannot be deleted or changed Account Shows the user name Role Shows the role of the user Description Displays a description of the user account The description text can be up to 100 characters long Remote access Only Only remote access which means no rights other than logging into the WBM page for user specific firewall None No remote access The user cannot log in to the user specific fir...

Page 287: ... Enter a description of the user 7 Click the Set Values button Deleting users 1 Select the check box in the row to be deleted 2 Click the Delete button The entries are deleted and the page is updated 4 7 1 2 Roles Roles On this page you create roles that are valid locally on the device Note The values displayed depend on the rights of the logged in user Restrictions The following characters are ge...

Page 288: ...wing conditions It must be unique It must be between 1 and 64 characters long Note Role name cannot be changed After creating a role the name of the role can no longer be changed If a name of a role needs to be changed the role must be deleted and a new role created The table contains the following columns Select Select the check box in the row to be deleted Note Predefined roles and assigned role...

Page 289: ...ned a role you can no longer change the function right of the role If you want to change the function right of a role follow the steps outlined below 1 Delete all assigned users 2 Change the function right of the role 3 Assign the role again Description Enter a description for the role With predefined roles a description is displayed The description text can be up to 100 characters long Procedure ...

Page 290: ...he admin role Note The values displayed depend on the rights of the logged in user Restrictions The following characters are generally not permitted The characters coded with the ASCII value as of 128 extended ASCII code The characters for Space and Delete Description The page contains the following Group Name Enter the name of the group The name must match the group on the RADIUS server The name ...

Page 291: ...self defined roles refer to the page Security Users Roles Description Enter a description for the link of the group to a role The description text can be up to 100 characters long Procedure Linking a group to a role 1 Enter the name of a group 2 Click the Create button 3 Select a role 4 Enter a description for the link of a group to a role 5 Click the Set Values button Deleting the link between a ...

Page 292: ...age contains the following Current User Shows the user that is currently logged in Current User Password Enter the password for the currently logged in user Account Select the user whose password you want to change Password Policy Shows which password policy is being used when assigning new passwords High Password length at least 8 characters maximum 128 characters At least 1 uppercase letter At l...

Page 293: ...user preset in the factory once Afterwards renaming admin is no longer possible The factory setting for the password when the devices ship is as follows admin admin Note Changing the password in Trial mode Even if you change the password in Trial mode this change is saved immediately Password Confirmation Enter the new password again to confirm it 4 7 3 AAA 4 7 3 1 General Login of network nodes T...

Page 294: ...ssible both with the users that exist on the device user name and password and via a RADIUS server The user is first searched for in the local database If the user does not exist there a RADIUS request is sent RADIUS and fallback Local The authentication must be handled via a RADIUS server A local authentication is performed only when the RADIUS server cannot be reached in the network 4 7 3 2 RADI...

Page 295: ... returns for the user and whether or not there is an entry for the user in the table External User Accounts The table has the following columns Select Select the row you want to delete RADIUS Server Address Enter the IP address or the FQDN Fully Qualified Domain Name of the RADIUS server Server Port Here enter the input port on the RADIUS server As default input port 1812 is set The range of value...

Page 296: ...RADIUS server is however not running Reachable key not accepted The IP address is reachable the RADIUS server does not however accept the shared secret Reachable key accepted The IP address is reachable the RADIUS server accepts the specified shared secret Procedure Entering a new server 1 Click the Create button A new entry is generated in the table The following default values are entered in the...

Page 297: ...ant to modify Deleting servers 1 Click the check box in the first column before the row you want to delete to select the entry for deletion Repeat this for all entries you want to delete 2 Click the Delete button The data is deleted from the memory of the device and the page is updated 4 7 3 3 802 1X Authenticator Setting up network access An end device can only access the network after the device...

Page 298: ...1 C79000 G8976 C475 03 Enabling authentication for individual ports By enabling the relevant options you specify for each port whether or not network access protection according to IEEE 802 1X is enabled on this port Figure 4 1 802 1x Authenticator first part of the table Figure 4 2 802 1X Authenticator second part of the table ...

Page 299: ... 1X Auth Control Select the required setting If No Change is selected the entry in table 2 remains unchanged 802 1X Re Authentication Select the required setting If No Change is selected the entry in table 2 remains unchanged Re Authentication Timeout Specify the time interval in seconds after which the device is reauthenticated at the relevant port The default value is 3600 seconds If No Change i...

Page 300: ...umn lists all the ports available on this device 802 1X Auth Control Specify the authentication of the port Force Unauthorized Data traffic via the port is blocked Force Authorized Data traffic via the port is allowed without any restrictions Default setting Auto End devices are authenticated on the port with the 802 1X method The data traffic via the port is permitted or blocked depending on the ...

Page 301: ...hen the check box is not selected MAC authentication is possible both after an 802 1X timeout and after a failed 802 1X authentication Adopt RADIUS VLAN Assignment The RADIUS server informs the IE switch of the VLAN to which the port will belong Enable this option if you want the information of the server to be taken into account The port can only be assigned to the VLAN if the VLAN has been creat...

Page 302: ... configured in this column as if it had been transmitted by the RADIUS server In all cases a changed PVID is reset to the originally configured value after the device logs out Any Port membership that has been set up is deleted again This applies to both 802 1X authentication and MAC authentication MAC Auth Max Allowed Addresses 1 200 Specify how many MAC addresses can communicate on the port at t...

Page 303: ...Load Save HTTP System Load Save TFTP System Load Save SFTP Description Select Select the check box in the row to be deleted Only unused certificates can be deleted Type Shows the type of the loaded file CA Cert The CA certificate is signed by a CA Certification Authority Machine certificate Key File Remote Cert Partner certificate Filename Shows the file name Status Shows whether the certificate i...

Page 304: ...4 7 4 2 Certificates The format of the certificate is based on X 509 a standard of the ITU T for creating digital certificates This standard describes the schematic structure of X 509 certificates You will find further information on this on the Internet at http www itu int On this WBM page the content of the following structure elements can be displayed If the structure element does not exist or ...

Page 305: ... Shows the name of the applicant Issuer DN Shows the name of the certificate issuer Subject Alternate Name If it exists an alternative name of the applicant is displayed Issue Date Shows the start of the period of validity of the certificate Expiry Date Shows the end of the period of validity of the certificate Serial Number Shows the serial number of the certificate Used Shows which function uses...

Page 306: ...tive URL If the revocation list cannot be called up using the 1st URL the alternative URL is used Can only be edited if supported by the certificate Certificate Shows the name of the certificate Passphrase Enter the password for the certificate Can only be edited if the encrypted file is password protected Passphrase Confirmation Enter the password again Can only be edited if the encrypted file is...

Page 307: ...ion is terminated automatically when this time has elapsed The range of values is 1 to 2147483 Default setting 300 seconds TCP State Check When enabled the firewall only forwards TCP packets to the communication partner that can be assigned to a connection TCP packets that cannot be assigned to a connection are discarded To this end the firewall checks the status of the TCP connection for example ...

Page 308: ...gs from Layer 3 Subnets VLANx Allows access from the IP subnet to the device VLANs with configured IP subnet are available SINEMARC Allows access from the SINEMA RC server to the device IPsec Allows IKE Internet Key Exchange data traffic from the external network to the device Access over the firewall is permitted to the following IPv4 services of the device All All predefined IPv4 services HTTP F...

Page 309: ...eeds to establish a connection to this device SSH For encrypted access to the CLI DHCP Access to the DHCP server or the DHCP client Ping Access to the ping function System time Access to NTP and SNTP VRRP Activates VRRP in the firewall and thus incoming VRRP frames Enable the function if VRRP is also active on the device because otherwise no operation of router redundancy VRRPv3 is possible 4 7 5 ...

Page 310: ...nique number is created The table contains the following columns Select Select the check box in the row to be deleted No Shows the unique number of the entry Name Name of the rule set The name can be changed if required Comment Comment that describes the rule set in more detail Timeout min Access is time limited Specify the duration of the access If needed the user can extend the access time via t...

Page 311: ...d through a RADIUS user Time triggered Enforcement of the rule set is time triggered The User Account table contains the following columns Account Only users with the remote access only or additional are displayed Role Shows the role of the user Rule set Define the rule set that is valid for this user Combined with Combines the user login with an event e g the Digital Input event To log in to the ...

Page 312: ...Input event To log in to the WBM page for the dynamic firewall voltage must be present at the digital input and login must be successful Quantity After successful login the number of users active via RADIUS that are assigned to the RADIUS role is displayed Force Deactivate A user with administrator rights can log out the RADIUS role with this button The RADIUS User table contains the following col...

Page 313: ...ices You select a name and assign the service parameters to it When you configure the IP rules you simply use this name Description The page contains the following Service Name Enter the name of the IP service The name must be unique This table contains the following columns Select Activate the check box in the row to be deleted Service Name Shows the name of the IP service Transport Specify the p...

Page 314: ...cified port If the rule is intended to apply to a port range enter the range with start port end port for example 30 40 If the rule is intended to apply to all ports enter 4 7 5 5 ICMP services On this WBM page you define ICMP services Using the ICMP service definitions you can define firewall rules for specific services You select a name and assign the service parameters to it When you configure ...

Page 315: ...quest Echo request better known as ping Code The code describes the ICMP packet type in greater detail The selection depends on the selected ICMP packet type With Destination Unreachable for example Code 1 host cannot be reached 4 7 5 6 IP protocols On this WBM page you can configure user defined protocols e g IGMP for multicast groups You select a protocol name and assign the service parameters t...

Page 316: ...You will find list of the protocol numbers on the Internet pages of iana org Procedure Create IGMP protocol 1 Enter IGMP for Protocol Name 2 Click the Set Values button A new entry is generated in the table 3 Enter 2 for Protocol Number 4 7 5 7 IP rules On this WBM page you specify your own IP packet filter rules for the firewall The IP packet filer rules set here have priority over the pre define...

Page 317: ...he table contains the following columns Select Activate the check box in the row to be deleted Protocol Shows the version of the IP protocol Action Select how incoming IP packets are handled Accept The data packets can pass through Reject The data packets are rejected and the sender receives a corresponding message Drop The data packets are discarded without any notification to the sender From To ...

Page 318: ... placeholder DYNAMIC is replaced by the setting for Dynamic Source Range You configure the setting in Security Firewall User Specific Destination Range Enter the IP address or an IP range that is allowed to receive IP packets Individual IP address Enter the IPv4 address IP range Specify the range with the start address end address e g 192 168 100 10 192 168 100 20 All IP addresses Specify 0 0 0 0 ...

Page 319: ... 8 Pre defined MAC rules The WBM page contains pre defined MAC packet filter rules Select which incoming services the interface accepts and also forwards If you create your own MAC packet filter rules these have a higher priority than the pre defined MAC packet filter rules Description Interface Interface to which the settings relate The list of interfaces subnets is dynamic and is based on the se...

Page 320: ...l Selection of the protocol type Protocol Description ARP Frames with the following property Ethertype 0x0806 DCP The DCP protocol is used by SINEC PNI to set the IP parameters node initialization of SIMATIC NET network components PNIO Frames with the following property Ethertype 0x8892 ISO Frames with the following properties Lengthfield 05DC hex DSAP userdefined SSAP userdefined CTRL userdefined...

Page 321: ...rce Service Access Point LLC sender address CTRL LLC Control Field For SNAP OUI Organizationally Unique Identifier the first three bytes of the MAC address Manufacturer identification OUI Type Protocol type identification 4 7 5 10 MAC rules By default MAC packet filter rules exist on the device that permit the exchange of ARP frames between device and vlan1 or vlan2 You can define your own ARP rul...

Page 322: ...address of the MAC packets Service Select the service or the protocol name for which this rule is valid Log Specify whether or not there should be a log entry every time the rule comes into effect and specify the severity of the event The following settings are available none The rule coming into effect is not logged info warning critical The rule coming into effect is logged with the selected eve...

Page 323: ...s being used The outgoing queries are logged by the firewall in dynamic state tables Direct queries from the external network without previous query that is without corresponding entry in the state table are automatically blocked Note Protect connections to the Firewall State Sync The Firewall State Sync does not use any encryption or authentication The connection to the synchronization between th...

Page 324: ...ge contains the following Activate IPsec VPN Enable or disable the IPsec protocol for VPN Enforce strict CRL Policy When enabled the validity of the certificates is checked based on the CRL Certificate Revocation List The certificate revocation list lists the certificates issued by the certification authority that have lost their validity before the set expiry date You configure the certificate re...

Page 325: ...2 Remote End On this WBM page you configure the partner VPN end point Description The page contains the following Remote End Name Enter the name of the remote station and click Create to create a new remote station The table contains the following columns Select Select the check box in the row to be deleted Name Shows the name of the partner Remote Mode Specify the role the remote stations will ad...

Page 326: ...partner or enter an IP range from which connections will be accepted Remote Subnet In standard mode enter the remote subnet of the remote station Use the CIDR notation Multiple subnets can be used only with IKEv2 In this case enter the subnets separated by a comma In Roadwarrior mode the remote station informs the device of its accessible subnets and the device learns them Virtual IP Mode Specify ...

Page 327: ...gure the basic settings for the VPN connection With these settings the device local endpoint can establish a secure VPN tunnel to the partner You specify the security settings on the WBM page Authentication Note Several IPsec VPN connections via the same VPN endpoint If you have created IPsec VPN connections to different remote subnets via the same VPN endpoint the first configured VPN connection ...

Page 328: ...only auto firewall rules are supported For Operation the setting on demand cannot be selected Description The page contains the following boxes Connection name Enter a name for the VPN connection and click Create to create a new connection The table contains the following columns Select Select the check box in the row to be deleted Name Shows the name of the VPN connection ...

Page 329: ...se enable VPN tunnel for the Digital In event under System Events Configuration wait on DI If the event Digital In occurs the device waits for the partner to initiate connection establishment This is on condition that the event Digital In is forwarded to the VPN connection This is on condition that the event Digital In is forwarded to the VPN connection For this purpose enable VPN tunnel for the D...

Page 330: ...matically terminated 4 7 6 4 Authentication On this WBM page you specify how the VPN connection partners authenticate themselves with each other Description The table contains the following columns Name Shows the name of the VPN connection to which the settings relate TLS Auth Key Select the key file used to sign the TLS packets If the incoming TLS packets are not signed with this key they are dis...

Page 331: ...on is established only if both operations are successful Note For the PSK authentication method specify the Local ID and Remote ID If the entries remain empty IPsec uses the IP address of the interface as the ID and prevents the VPN tunnel from being set up CA Certificate Select the certificate Only loaded certificates can be selected You load the certificates into the device with System Load Save...

Page 332: ...ist contains combinations of the three algorithms Encryption Authentication Key Derivation To establish a VPN connection the VPN connection partner must support at least one of these combinations The selection depends on the key exchange method Additional information can be found in the section IPsec VPN Page 60 Encryption For phase 1 select the required encryption algorithm Can only be selected i...

Page 333: ...roup 17 DH group 18 Keying Tries Enter the number of repetitions for a failed connection establishment If you enter the value 0 the connection establishment will be attempted endlessly Lifetime min Enter a period in minutes to specify the lifetime of the authentication When the time has elapsed the VPN endpoints involved must authenticate themselves with each other again and generate a new key DPD...

Page 334: ...utes longer than the DPD period Aggressive Mode disabled Main Mode is used enabled Aggressive Mode is used The difference between main and aggressive mode is the identity protection used in main mode The identity is transferred encrypted in main mode but not in aggressive mode 4 7 6 6 Phase 2 Phase 2 Data exchange ESP Encapsulating Security Payload On this WBM page you set the parameters for the p...

Page 335: ...must support at least one of these combinations Additional information can be found in the section IPsec VPN Page 60 Encryption For phase 2 select the required encryption algorithm Can only be selected if Default Ciphers is disabled Additional information can be found in the section IPsec VPN Page 60 Note The AES modes CCM and GCM contain separate mechanisms for authenticating data If you use a mo...

Page 336: ...abled DH group 1 DH group 2 DH group 5 DH group 14 DH group 15 DH group 16 DH group 17 DH group 18 Note So that a VPN connection can be established all devices need to use the same settings or provide compatible key procedures Lifetime min Enter a period in minutes to specify the lifetime of the agreed keys When the time expires the key is renegotiated Lifebytes Enter the data limit in bytes that ...

Page 337: ...g is intended to apply to all ports enter The setting is only effective for port based protocols Auto Firewall Rules enabled For the VPN connection the firewall rules for access from External to Internal and vice versa are created automatically You can enable access to specific services of the device under Security Firewall Predefined IPv4 Ping is enabled by default disabled You will need to creat...

Page 338: ...to create a new connection The table contains the following columns Select Select the check box in the row to be deleted Name Shows the name of the OpenVPN connection Operation Specify how the connection is established start The device attempts to establish a VPN connection to the partner start on DI If the event Digital In occurs the device attempts to establish a VPN connection to the partner Th...

Page 339: ...efault The server can disable the compression Self adjusting As default compression is activated adaptively Compression is only used when the data is good to compress otherwise compression is deactivated for a certain time Bridged Select the bridge ID with the IP address with which the OpenVPN connection should run One bridge ID can be used for multiple connections Auto Firewall Rules Enabled For ...

Page 340: ...tically terminated 4 7 7 3 Client On this WBM page you can create multiple OpenVPN clients per connection The device attempts to establish a connection to the individual clients Description The page contains the following Client Name Enter a name for the OpenVPN client and click Create The table contains the following columns Select Select the check box in the row to be deleted Name Shows the name...

Page 341: ... following columns Name Shows the name of the VPN connection to which the settings relate TLS Auth Key Select the key file used to sign the TLS packets If the incoming TLS packets are not signed with this key they are discarded Method Select the authentication method For the VPN connection it is essential that the partner uses the same authentication method Disabled No authentication method is sel...

Page 342: ...icate Only loaded certificates can be selected You load the certificates into the device with System Load Save The loaded certificates and key files are shown on the WBM page Security Certificates User Name Specify the user name Password Specify the password Password Confirmation Confirm the password 4 7 7 5 Server On this WBM page you can create multiple OpenVPN servers per connection Description...

Page 343: ...nts to which the server can establish a connection at the same time Port Specify the port via which the OpenVPN tunnel can communicate The setting applies specifically to the specified port Protocol Specify the protocol for which the OpenVPN connection will be used 4 7 8 Brute Force Prevention Brute Force Prevention BFP refers to the protection of the device from unauthorized access by trying a su...

Page 344: ...or a specific time The users that are not configured as local users for the device are summarized under the user name UnknownUser 0 User Specific BFP is Disabled IP Specific BFP is Enabled IP Specific BFP is Disabled Shows whether the IP specific Brute Force Prevention is enabled Acceptable Invalid Login Attempts Per IP The maximum number of invalid login attempts for an IP address accepted by the...

Page 345: ...nt value click the Refresh button When a blocked user attempts to log in before the timer expires the timer restarts Delete Ends blocking for the user and resets the displays in the Last Failed s and Blocked s boxes The IP Specific BFP table has the following columns IP The IP address of the device for the login attempt Failed Logins The current number of failed login attempts Last Failed s Time i...

Page 346: ...Configuring with Web Based Management 4 7 Security menu SCALANCE SC 600 Web Based Management WBM 346 Configuration Manual 10 2021 C79000 G8976 C475 03 ...

Page 347: ...Command Line Interface CLI You can create a PRESET PLUG from any PLUG To do this follow the steps outlined below Note Using configurations with DHCP Create a PRESET PLUG only from device configurations that use DHCP Otherwise disruptions will occur in network operation due to multiple identical IP addresses You assign fixed IP addresses extra following the basic installation Requirement A PLUG is ...

Page 348: ...device and does not jut out of the slot 4 Turn on the power to the device again If there is a different firmware version on the device to be installed compared with that on the PRESET PLUG an upgrade downgrade of the firmware is performed You can recognize this by the red F LED flashing flashing interval 2 sec on 0 2 sec off Afterwards the device is restarted and the device configuration incl user...

Page 349: ... the preset function To do this follow the steps outlined below 1 Start the remote configuration using Telnet CLI and log on with a user with the admin role 2 Switch to the global configuration mode with the command configure terminal 3 You change to the PLUG configuration mode with the plug command 4 Enter the command factoryclean The PRESET PLUG is formatted and the preset function is reset 5 Wr...

Page 350: ...der without making changes press the SET button briefly The device restarts with the loaded configuration 4 Connect a PC to the device over the Ethernet interface P0 1 P0 6 5 Open a DOS box change to the directory where the new firmware file is located and then execute the command tftp i ip address PUT firmware As an alternative you can use a different TFTP client If you are not sure that the IP a...

Page 351: ... in the TFTP Server Port input box 4 Select the action Load file in the Firmware table row Make sure that the file name is correct 5 Click the Set Values button The file is uploaded Firmware update via SFTP 1 Click System Load Save in the navigation area Click the SFTP tab 2 Enter the IP address of the SFTP server in the SFTP Server Address input box 3 Enter the server port in the SFTP Server Port...

Page 352: ...ton in the operating instructions Follow the steps below to reset the device parameters to the factory settings 1 Turn off the power to the device 2 Now press the Reset button and reconnect the power to the device while holding down the button 3 Hold down the button until the red fault LED F stops flashing after approximately 10 seconds and is permanently lit 4 Now release the button and wait unti...

Page 353: ...work view or the topology view 4 Open the Hardware catalog 5 In the hardware catalog navigate to the device with the relevant article number 6 Select the desired device with a mouse click 7 Set the matching firmware version via the drop down list of the hardware catalog 8 Drag and drop the device to the network view or to the topology view 9 Select the device in the network view on in the topology...

Page 354: ...t the device in the network view on in the topology view 10 In the Inspector window navigate to the Management parameter under Properties General 11 In the parameter group Load save file click the Load from file button 12 Select the desired file 13 Click the Open button The Load configuration file dialog opens 14 Enter the password for the decryption of the file Note You assign this password in th...

Page 355: ...the project view 3 Select the device in the project tree 4 Select the Go to network view command in the shortcut menu 5 Select the device in the network view 6 In the shortcut menu of the selected device select the command SCALANCE configuration Save as start configuration Result The configuration is saved on the device The message is no longer visible in the display area A configuration change di...

Page 356: ...Exchange of configuration data with STEP7 6 2 Message SINEMA configuration not yet accepted SCALANCE SC 600 Web Based Management WBM 356 Configuration Manual 10 2021 C79000 G8976 C475 03 ...

Page 357: ...ss according to RFC1035 Bytes in decimal representation XXX XXX XXX XXX IPv6 address according to RFC4291 Section 2 2 is output if information is missing Example in the product The station name configured in the System tab for the RTU APP NAME Device or application from which the message originates is output if information is missing PROCID The process ID serves to clearly identify the individual ...

Page 358: ...Section 2 2 d d d d XXX XXX XXX XXX 192 168 1 105 2001 DB8 8 800 200C 41 7A Src port Dest port Port number decimal d 0 65535 Dest mac Src mac MAC address 02x 02x 02x 02 x 02x 02x 00 0C 29 2F 09 B3 Protocol Layer 4 protocol or service used that generated the event s UDP TCP WBM Telnet SSH Console TFTP SFTP Group Name for identification of the group string s it service User name String without space...

Page 359: ... Network interface Symbolic name of a network interface s vlan 1 A 3 Syslog messages This section describes the Syslog messages The structure of the messages is based on IEC 62443 3 3 Note Severity Some severities are grouped in the firmware Info Notice Info Warning Error Warning Critical Emergency Critical Identification and authentication of human users Message text protocol User User name has l...

Page 360: ... text firewall action accept 1 in network interface out network interface len length s mac src mac d mac dest mac s ip ip address d ip ip address protocol src port dest port Example ACCEPT 1 in vlan1 out ppp0 len 52 s mac 58 EF 68 B3 FA CE d mac 00 1B 1B A7 5B D8 s ip 172 23 1 6 d ip 158 85 11 68 tcp 53788 443 Explanation A known device requested a connection Severity Info or Warning or Error conf...

Page 361: ...ion The user has created an account Severity Notice Facility local0 Standard IEC 62443 3 3 Reference SR1 3 Message text protocol User user name deleted user account action user name Example WBM User admin deleted user account service Explanation The administrator deleted an existing account Severity Notice Facility local0 Standard IEC 62443 3 3 Reference SR1 3 Management of the identifiers Message...

Page 362: ...shed between ip address config detail ip address config detail Example IKE c1 3 IKE_SA c1 1 established between 192 168 55 210 lokal 192 168 55 211 remote Explanation VPN connection is established IPsec Severity Info Facility local0 Standard IEC 62443 3 3 Reference n a NERC CIP 005 R1 Message text IKE connection name config detail deleting IKE_SA connection name config detail between ip address co...

Page 363: ...NEMA RC State of Digital Input changed to HIGH SINEMA RC OpenVPN connection established Explanation Remote access is permitted SINEMA RC Digital Input Severity Info Facility local0 Standard IEC 62443 3 3 Reference SR 1 13 Message text JOB connection name config detail deleting CHILD_SA after time second seconds of inactivity Example JOB to_Baugruppe1 21 deleting CHILD_SA after 20 seconds of inacti...

Page 364: ...ll USF Digital Input Login Severity Info Facility local0 Standard IEC 62443 3 3 Reference n a NERC CIP 005 R2 4820486 Message text User specific firewall user user name ruleset firewall rule time expired Example User specific firewall user usf ruleset rs1 time expired Explanation The access to the user specific firewall was denied The access time is expired USF User Logout Severity Error Facility ...

Page 365: ...r admin was closed after 60 seconds of inactivity Explanation The current session was ended due to inactivity Severity Warning Facility local0 Standard IEC 62443 3 3 Reference SR 2 5 Closing a remote access session Message text Protocol Remote session Config detail was closed after Time second seconds of inactivity Example WBM UDP TCP Telnet SSH Console PNIO PB OPC Remote session OpenVPN was close...

Page 366: ...ge text OVPN_ connection name config detail Authenticate Decrypt packet error packet HMAC authentication failed Example OVPN_c1 25409 Authenticate Decrypt packet error packet HMAC authentication failed Explanation Integrity check failed OpenVPN Severity Error Facility local0 Standard IEC 62443 3 3 Reference SR 3 1 Restoration of the automation system Message text protocol Loaded file type Firmware...

Page 367: ...ce SR7 4 Message text protocol Loaded file type ConfigPack restart required Example TFTP Loaded file type ConfigPack restart required Explanation The configuration is applied Severity Notice Facility local0 Standard IEC 62443 3 3 Reference SR7 4 Message text protocol User user name loaded file type Config restart required Example WBM User admin loaded file type Config restart required Explanation ...

Page 368: ...Appendix A A 3 Syslog messages SCALANCE SC 600 Web Based Management WBM 368 Configuration Manual 10 2021 C79000 G8976 C475 03 ...

Page 369: ...e configuration 213 D DCP Discovery 217 DCP server 121 Dead peer detection 63 Default VLAN ID 297 Device certificate 59 DHCP Client 157 Disposal 8 DST Daylight saving time 180 182 Dynamic MAC Aging 236 E Ethernet interface 25 F Factory defaults 352 Factory setting 352 Fault monitoring Connection status change 209 Fault status 89 Filter Filter configuration 250 Forward Delay 240 G Geographic coordi...

Page 370: ...table Event log 84 Firewall log 88 Security log 86 Login 343 Logout Automatic 196 M MAC address 37 Maintenance data 82 Manufacturer 82 Manufacturer ID 82 Multicast 253 N NAPT Configuring 265 NAT 1 to 1 NAT 269 Configuring 264 Masquerading 57 NAPT 57 NAT traversal 63 NETMAP 58 Source NAT 58 NAT traversal 63 NTP 253 Client 189 Server 195 O Order ID 82 P Password 26 284 292 Ping 216 PLUG 214 214 C PL...

Page 371: ...SNMP 43 122 165 171 Groups 170 Overview 105 SNMPv1 43 SNMPv2c 43 SNMPv3 43 Trap 175 SNMPv3 Access 171 Groups 170 Notifications 175 Users 167 Views 173 Software version 83 Source NAT Masquerading 57 Spanning Tree Information 95 Rapid Spanning Tree 49 RSTP 238 SSH 25 Server 119 Standard mode 60 Start page 75 Stateful Inspection Firewall 55 STP 238 Subnet Configuration 262 Overview 259 Sync Firewall ...

Page 372: ... VLAN ID 42 VLAN tag 41 VPN connection OpenVPN server 117 Status 113 Status OpenVPN client 116 VRRP Interface Tracking 281 VRRP address configuration IPv4 280 VRRP address overview IPv4 279 VRRP configuration IPv4 277 VRRP routers IPv4 274 VRRPv3 Backup router 50 Master router 50 Virtual router 50 VRRPv3 router 50 VRRPv3 Statistics 98 W Web Based Management 69 Requirement 69 ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands