
IEF-G9010 Series User Manual 

Version 1.2, February 2022 

www.moxa.com/product 


© 2022 Moxa Inc. All rights reserved. 


Contents of the IEF-G9010 Series manual

Page 1: ...IEF-G9010 Series User Manual. Version 1.2, February 2022. www.moxa.com/product. 2022 Moxa Inc. All rights reserved...

Page 2: ...hout warranty of any kind, either expressed or implied, including but not limited to its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual or to the products...

Page 3: ...s 27 NAT Rules 27 Configuring 1-to-1 NAT Rules 27 Configuring Multi 1-to-1 NAT Rules 28 Configuring Port Forwarding 29 Application-layer Gateways (ALG) 30 Configuring ALG Settings 31 7 The Routing Scree...

Page 4: ...iguring the Device Name and Device Location Information 80 Configuring the Management Client Access Control List 80 Configuring Management Protocols and Ports 81 The Sync Setting Screen 81 Enabling SD...

Page 5: ...vent Format; CIDR: Classless Inter-Domain Routing; DPI: Deep Packet Inspection; EWS: Engineering Workstation; HMI: Human Machine Interface; ICS: Industrial Control System; IT: Information Technology; NAT: Network A...

Page 6: ...and needs. In addition, industrial environments are equipped with tools and devices that are traditionally unable to interface with a corporate network, thus making provisioning security updates or patch...

Page 7: ...al exploits at the network level. Manufacturing personnel manage patching and updating, providing pre-emptive protection against critical production failures and additional protection for old or termina...

Page 8: ...interface. For more information, see The Network Screens. 6. Configure the system time. For more information, see Configuring System Time. 7. (Optional) Configure the Syslog settings. For more information, see Co...

Page 9: ...255.0. Before connecting a PC/laptop to the IEF-G9010 Series, the PC's IP address should be set to an IP address that is able to access the default IP address. After that, connect the PC and the IEF-G901...

Page 10: ...web browser, type the address of the IEF-G9010 Series in the following format: https://192.168.127.254. The login screen appears. 2. Log in as the administrator. 3. Click the admin account icon at the top rig...

Page 11: ...em resource usage on the system screen. Device Information: This widget shows the system boot time, device name, model, firmware version, and firmware build date and time. Secured Service Status: This widget...

Page 12: ...h time settings. Memory Utilization: Real-time memory utilization, based on the refresh time settings. WAN Interface Summary: This widget shows summary information for the WAN interface. LAN Interface Summa...

Page 13: ...es devices. NOTE: The term asset in this chapter refers to the devices or hosts that are protected by the IEF-G9010 Series. Enabling Active Query: Active Query can detect inactive or dormant assets or pas...

Page 14: ...Description. Vendor Name: The vendor name of the asset. Model Name: The model name of the asset. Asset Type: The asset type of the asset. Host Name: The name of the asset. Serial Number: The serial number of t...

Page 15: ...s a list of network traffic statistics of the asset. Field / Description. No.: Ordinal number of the application traffic. Application Name: The application type of the traffic. TX: The amount of traffic transmitte...

Page 16: ...d configure the port link speed. NOTE: The term Port in this document refers to the physical ports to which network cables are connected. Configuring Port Settings. Steps: 1. Go to Network > Port Settings. 2. Click...

Page 17: ...ing. The Port Mapping tab will appear. This tab shows the mapping between the physical ports and the WAN and LAN interfaces. Network Interface: Use the Network Interface tab to configure the following set...

Page 18: ...it Network Interface window will appear. 3. Use the toggle to enable or disable the interface. 4. (Optional) Enter a descriptive name for the interface. 5. In the Network Settings section, configure the follow...

Page 19: ...he gateway IP address that will be assigned to DHCP clients. iv. Lease Time: Specify the time in seconds that a client device can use the assigned IP address provided by the DHCP server. v. (Optional) DNS Se...

Page 20: ...appear. 3. Use the toggle to enable or disable the interface. 4. (Optional) Enter a descriptive name for the interface. 5. In the Network Settings section, configure the following settings for the interface: a...

Page 21: ...ay Address: Enter the gateway IP address that will be assigned to DHCP clients. iv. Lease Time: Specify the time in seconds that a client device can use the assigned IP address provided by the DHCP server...

Page 22: ...section, choose a Connection Type: a. Static IP: Configure a static IP address for this interface. Configure the following additional settings: i. IP Address: Enter a valid IP address. ii. Subnet Mask: Enter th...

Page 23: ...ii. (Optional) VLAN ID: If VLAN ID is enabled, specify a VLAN ID. 6. Click Ok. Device Operation Modes: The IEF-G9010 Series can function in one of two operation modes: Gateway Mode or Bridge Mode. Refer to the fol...

Page 24: ...ion Mode. From the Operation Mode screen, you can configure or view the following: the current operation mode of the device; the network settings for Bridge Mode; when the device is in Gateway Mode: IP Addr...

Page 25: ...gateway address. d. (Optional) DNS: Enter a DNS address. e. (Optional) VLAN ID: Use the toggle to enable or disable VLAN ID. If enabled, enter the VLAN ID. f. (Optional) STP: Use the toggle to enable or disable STP (Sp...

Page 26: ...Gateway Mode radio button. 3. When finished, click Save. NOTE: In Bridge Mode, the LAN1 network settings and LAN1 DHCP Service for Gateway Mode are view-only. NOTE: Policy enforcement rule configurations are...

Page 27: ...nslation for incoming traffic on the WAN interface. The following table describes the basic tasks you can perform from the NAT Rule tab. Task / Description. Add a NAT rule: Click Add to create a new NAT rul...

Page 28: ...ess the Original IP will be mapped to. This is usually a private IP address within your local network. h. (Optional) Enable NAT Loopback: Use the toggle to enable or disable NAT loopback. 4. Click Ok to close...

Page 29: ...g Interface, if the destination IP of the packet matches the Original IP, it will be changed to the Mapped IP. These IP addresses are usually assigned by the ISP (Internet Service Provider). g. Mapped IP: Ent...

Page 30: ...IP address and port range the Original IP will be mapped to. This is usually a private IP address within your local network. i. (Optional) Enable NAT Loopback: Use the toggle to enable or disable NAT loopb...

Page 31: ...IEF-G9010 Series User Manual 31. Configuring ALG Settings. Steps: 1. Go to NAT > ALG. The ALG Settings tab will appear. 2. Use the toggles to enable or disable the FTP, SIP, and H.323 ALG. 3. Click Save...

Page 32: ...ate new or edit existing static routes. The following table describes the basic tasks you can perform from the Static Route tab. Task / Description. Add a static route: Click Add to create a new static rout...

Page 33: ...subnet, enter the subnet mask to match the destination IP range, for example 255.255.255.0. f. Configure the Next Hop Type: i. Gateway IP Address: If the next hop is a gateway, enter the gateway's IP. The gat...

Page 34: ...fined here. IPS Profile: Contains the settings of IPS (Intrusion Prevention System) pattern rules that you can apply to a policy rule. The following table describes the tasks you can perform when you view...

Page 35: ...ustom protocol with a specified protocol number. NOTE: The term protocol number refers to the protocol number defined in the internet protocol suite. Steps: 1. Go to Object Profile > Service Object Profile. 2...

Page 36: ...phisticated and advanced protocol settings that you can apply to a policy rule. The following can be configured in a protocol filter profile: details of ICS protocols, including Modbus, CIP, S7COMM, S7COMM_...

Page 37: ...r profile. The Create Protocol Filter Profile screen will appear. 3. Configure the following settings: a. Protocol Filter Profile Name: Enter a name for the profile. b. (Optional) Description: Enter a descriptio...

Page 38: ...download commands sent from EWS to PLC, and administration/configuration-relevant commands from EWS to PLC. Others: Private commands, undocumented commands, or particular protocols provided by an ICS vend...

Page 39: ...rmat of the specified ICS protocol. If the packet format is incorrect, the IEF-G9010 will drop the packets of that ICS protocol. NOTE: In firmware 1.1, 4 protocols support the Drop Malformed option: Modbus...

Page 40: ...otocol and select one of the following: i. Any: Specify all available commands or function access in this protocol. ii. Basic: Select multiple commands from the following: Read Only: Read commands sent from H...

Page 41: ...tocol. iii. If you want to specify a function code by yourself, select Custom and enter a function code in the Function Code field. iv. Enter a unit ID in the Unit ID field. v. Enter the address or address r...

Page 42: ...Settings for the CIP Protocol. The device features more detailed configurations for the CIP ICS protocol. Through the Advanced Settings pane, you can further specify the Object Class ID and Service Code...

Page 43: ...ocol and select one of the following: i. Any: Specify all available commands or function access in this protocol. ii. Basic: Multiple selections of the following: Read Only: Read commands sent from HMI (Human...

Page 44: ...n to be applied, select Any Service Code. iv. If you want to specify one or more function codes, move the service code(s) from the Available Service Code field to the Selected Service Code field. v. If you w...

Page 45: ...s for S7Comm. The device features more detailed configurations for the S7Comm ICS protocol. Through the Advanced Settings pane, you can further specify the function code, function group code, and sub-funct...

Page 46: ...Manual 46. Steps: 1. Go to Object Profile > Protocol Filter Profile. 2. Do one of the following: a. Click Add to add a protocol filter profile. b. Click on the name of an existing profile to edit it. 2. Configure...

Page 47: ...ent from HMI (Human Machine Interface), EWS (Engineering Work Station), SCADA (Supervisory Control and Data Acquisition) to PLC (Programmable Logic Controller). Read Write: Read and write commands sent from HMI, E...

Page 48: ...ion group code to be applied, select Any Sub-function Code. v. If you want to specify one or more sub-function codes, select Preset Sub-function Code and move the sub-function code(s) from the Available Su...

Page 49: ...Advanced Settings for S7Comm Plus. The device features more detailed configurations for the S7Comm Plus ICS protocol. Through the Advanced Settings pane, you can further specify the function code against...

Page 50: ...tocol and select one of the following: i. Any: Specify all available commands or function access in this protocol. Basic: Multiple selections of the following: Read Only: Read commands sent from HMI (Human Ma...

Page 51: ...besides S7Comm Plus, and select Advanced Matching Criteria. ii. From the Function List drop-down menu, select a function for this protocol. iii. Click Add. Repeat the above steps to add more protocol defini...

Page 52: ...ual 52. Advanced Settings for SLMP. The device features more detailed configurations for the SLMP ICS protocol. Through the Advanced Settings pane, you can further specify the command code against which t...

Page 53: ...and select one of the following: i. Any: Specify all available commands or function access in this protocol. ii. Basic: Select multiple commands from the following: Read Only: Read commands sent from HMI (Hum...

Page 54: ...gs besides SLMP, and select Advanced Matching Criteria. ii. From the Command Code List drop-down menu, select a function for this protocol. iii. Click Add. Repeat the above steps to add more protocol definit...

Page 55: ...55. Advanced Settings for MELSOFT. The device features more detailed configurations for the MELSOFT ICS protocol. Through the Advanced Settings pane, you can further specify the command code against whic...

Page 56: ...and select one of the following: i. Any: Specify all available commands or function access in this protocol. ii. Basic: Select multiple commands from the following: Read Only: Read commands sent from HMI (Hum...

Page 57: ...esides MELSOFT, and select Advanced Matching Criteria. ii. From the Command Code List drop-down menu, select a function for this protocol. iii. Click Add. Repeat the above steps to add more protocol definiti...

Page 58: ...TOYOPUC. The device features more detailed configurations for the TOYOPUC ICS protocol. Through the Advanced Settings pane, you can further specify the command code, preset sub-command code, and custom sub...

Page 59: ...and select one of the following: i. Any: Specify all available commands or function access in this protocol. ii. Basic: Select multiple commands from the following: Read Only: Read commands sent from HMI (Hum...

Page 60: ...function for this protocol. iii. If you want to specify one or more sub-command codes, select Preset Sub-cmd Code and move the command code(s) from the Available Sub-cmd Code field to the Selected Sub-cmd...

Page 61: ...l filter. 6. Click OK. Configuring IPS Profiles: An IPS profile contains more sophisticated pattern rules for more granular control and can be applied to policy rules. The following items can be configured...

Page 62: ...rusion. Category: The threat category of the intrusion. Risk Level: The suggested security level for the intrusion. Impact: The expected impact the intrusion will have on the target network device if the in...

Page 63: ...he IPS Rule Details screen will appear. 5. Configure the following settings: a. Status: Enable or disable the pattern rule. b. Actions: Select the pattern rule's default action: i. Accept and Log: When an intrus...

Page 64: ...ure. 3. Select the default action if the feature is enabled: a. Monitoring and Log: The IEF-G9010 device will actively monitor and log DoS attacks but will not act. b. Prevention and Log: The IEF-G9010 device...

Page 65: ...ng the Policy Enforcement Default Rule Action radio buttons, select a default action for when no pattern is matched. The following table summarizes the settings: Mode / Policy Enforcement / Action Performed...

Page 66: ...the drop-down menu: i. Any; ii. WAN to LAN; iii. LAN to WAN; iv. WAN to DMZ; v. DMZ to WAN; vi. LAN to DMZ; vii. DMZ to LAN; viii. LAN to LAN. NOTE: The network interfaces listed in the drop-down menu do not correspon...

Page 67: ...ol suite. v. Service Object. NOTE: If you select Service Object, you will need to select the service object from a previously created service object profile. 7. In the Action section, configure the following...

Page 68: ...ttings: a. Status: Click the toggle to enable or disable the rule. b. Rule Name: Enter a name for the rule. c. (Optional) Description: Enter a description for the rule. 4. In the Source and Destination Selection s...

Page 69: ...NOTE: If you select Service Object, you will need to select the service object from a previously created service object profile. 6. Click the VLAN ID toggle to enable or disable VLAN ID tagging. If enable...

Page 70: ...nd click the Copy button. To edit a policy enforcement rule: Click the name of the rule and the Edit Policy Rule window will appear. To change the priority of a policy enforcement rule: Click the check b...

Page 71: ...el. Viewing Device Pattern Information. Steps: 1. Go to Pattern > Pattern Update. The Pattern Update screen will appear. 2. The Device Pattern Information pane will show the Current Pattern Version and Pattern...

Page 72: ...ignature. Direction: The direction flow of the connection. Interface: The network interface which received the connection. Attacker: The IP address of the host device that initiated the cyberattack. Source M...

Page 73: ...etwork interface which received the connection. Source MAC Address: The source MAC address of the connection. Source IP Address: The source IP address of the connection. Source Port: The source port of the...

Page 74: ...he destination IP address of the connection. Destination Port: The destination port of the connection if the selected protocol is TCP/UDP; the ICMP type if the selected protocol is ICMP. VLAN ID: The VLAN...

Page 75: ...cord details about system events occurring on the device. Steps: 1. Go to Logs > System Logs. The following table describes the log's fields. Field / Description. Time: The time the log entry was created. Severit...

Page 76: ...Account Management screen. Task / Description. Add account: Click Add to create a new user account. For more information, see Adding a User Account. Delete existing accounts: Select one or more existing user a...

Page 77: ...on > Account Management. 2. Click Add. The Add User Account screen will appear. 3. Configure the following settings: a. ID: Enter the user ID used to log in to the management console. b. Name: Enter the name of th...

Page 78: ...IEF-G9010 Series User Manual 78...

Page 79: ...er creates a new password, the system will determine if the password meets the specified requirements. While strict password policies improve security, they may sometimes increase the cost to an organiza...

Page 80: ...ng the Device Name and Device Location Information. Steps: 1. Go to Administration > System Management. 2. In the System Setting pane, enter the host name and location information for the device. Configuring t...

Page 81: ...re used for connecting to the web management console. The SSH and Telnet protocols are used for connecting to the command line interface (CLI). The Sync Setting Screen: The IEF-G9010 Series can be managed...

Page 82: ...a. Check Send logs to a syslog server to enable the syslog server. b. Server address: Enter the syslog server address. c. Port: Enter the syslog server port. d. Protocol: Select the communication protocol. e. Fa...

Page 83: ...ction to avoid errors. 5. Notice: Unusual events. Immediate action is not required. 6. Information: Normal operational messages useful for reporting, measuring throughput, and other purposes. No action is requi...

Page 84: ...2. In the Date and Time pane, do one of the following: a. Synchronize the system time with an NTP server: i. Check the Synchronize system time with an NTP server box. ii. Specify the domain name or IP addres...

Page 85: ...iguration file. Import or export configurations while the IEF-G9010 Series is idle, as this will affect the device's performance. Backing Up a Configuration. Steps: 1. Go to Administration > Back Up/Restore. T...

Page 86: ...g, which indicates it is the currently active firmware. The other partition will have the Standby status, acting as the standby partition. To make the standby firmware the running firmware, refer to Reboot...

Page 87: ...ration > Firmware Management. 2. Click the Reboot and Apply Firmware button in the Actions column of the Standby partition. NOTE: This function is only available if both partitions have a separate firmware...

Page 88: ...les can be downloaded at https://netsecuritylicense.moxa.com. NOTE: Given that this feature allows anyone with a supported USB device to update the pattern file, carefully consider the physical security of...

Page 89: ...Blinking green: Every second. 5. From the default state, press the reset button once to select Load/Restore Pattern from USB Disk Device. The IPS/IDS LED will start blinking green. 6. After ensuring the cor...

Page 90: ...ant system logs can be checked to verify whether an action was completed successfully or not. If an action was successful, the LEDs will be restored to their default state when the USB disk device was f...