W&T

 

Subject to error and alteration

6  Security & Maintenance

Security and operating notes

Firmware updates

Individual certificates

Emergency access via service button

Reset to factory defaults

Contents of Microwall Gigabit 55210

Page 1: ...Manual Startup and application Microwall Gigabit Valid for the following models 55210 Microwall Gigabit as of firmware version 1 52 Release 1 02 11 2020 W&T www.WuT.de...

Page 2: ...tructions completely Unauthorized action can cause dangers We are not liable for the consequences of arbitrary action In case of doubt please ask us or your dealer again This device contains software...

Page 3: ...000BaseT network connections and integrated whitelist based firewall It connects a network island e.g. with automation components to a higher level local network Suitable filter rules at TCP/IP level...

Page 4: ...System LED green 18 2 4 2 Service LED red 18 2 5 Service button 19 3 Start up 21 3 1 IP assignment via DHCP 22 3 2 Initial assignment of IP parameters with WuTility 23 3 3 Start up via the default IP...

Page 5: ...6 2 Up Download of configuration backups 54 6 3 Firmware updates 56 8 3 1 Where is the latest firmware available 56 6 3 2 Firmware update with WuTility 56 6 2 3 Firmware Update via Web Based Manageme...

Page 6: ...W&T...

Page 7: ...7 W&T Subject to error and alteration 1 Legal information and safety...

Page 8: ...e injury if no appropriate preventive actions are taken CAUTION Indicates a hazard that can result in slight injury if no appropriate preventive actions are taken NOTE Indicates a hazard which can r...

Page 9: ...ipment may not be disposed of with normal waste but rather must be brought to a proper electrical scrap processing facility The complete declarations of conformity for the devices described in the in...

Page 10: ...ts of the island network can be provided via the WireGuard VPN Suitable filter rules on TCP/IP level protect all networks from unauthorized undesired and harmful communication Any other use or modifi...

Page 11: ...s The power supply used for the Microwall must absolutely ensure safe isolation of the low voltage side from the supply mains according to EN62368-1 and must have LPS designation EMC NOTE Only shield...

Page 12: ...12 W&T...

Page 13: ...13 W&T Subject to error and alteration 2 Hardware interfaces and displays Hardware installation Power supply Network interfaces Service button...

Page 14: ...with alternative mounting methods the outlined air circulation must be guaranteed Air circulation The installation site must be adapted to the security requirements of the respective sy...

Page 15: ...2 2 External power supply As an alternative to the PoE supply the Microwall can be supplied externally via the pluggable screw terminal located on the underside of the housing The DC voltage used mu...

Page 16: ...ing with the factory settings and a possible supply via PoE is only possible via Network 1 yellow 2 3 1 Gigabit Ethernet Features Both Gigabit Ethernet connections have the following features RJ45 ja...

Page 17: ...nd that the connected devices are also operated in auto-negotiation mode 2 3 2 Link state The link status is indicated by LEDs integrated in the RJ45 sockets Pin 1 2 3 4 5 6 7 8 Direction Out Out In In...

Page 18: ...d 10s The emergency access of the Microwall is activated Further information on emergency access can be found in the chapter on emergency access The emergency access opens a non-password-protected HT...

Page 19: ...n both network connections via TCP port 446 Pressing the button again briefly performs a reset and ends the emergency access Further information on emergency access can be found in the chapter emergen...

Page 20: ...crowall continues with the standard operation of the current configuration A reset to the factory setting causes all settings filter rules IP parameters log files etc to be lost Recommissioning mus...

Page 21: ...ess required for initial access is assigned Subsequent browser access leads to the initial web page for configuration of the basic parameters required for operation including the system password IP...

Page 22: ...twork 1 is connected to the network the initial web page for assigning the system password is accessible via the default IP or the IP address assigned via WuTility or DHCP Make sure that no unauthoriz...

Page 23: ...until the password is assigned on the initial web page e.g. by commissioning with a direct connection to the respective PC To assign the IP address the PC and the Interface Network 1 of the Microwall m...

Page 24: ...IP address is 190.107.233.110 Select the desired Microwall and then press the IP address button Enter the desired values for IP address subnet mask gateway and DNS server When you click Next the netwo...

Page 25: ...error and alteration using standard web based management The additional parameters required for initial commissioning are set via an initial web page using a browser For more information refer to th...

Page 26: ...The commissioning of several Microwalls via their default IP can only take place one after the other Only after one Microwall has received a new IP address may the next Microwall be connected to the...

Page 27: ...ress assigned by WuTility Make sure that no unauthorized access to the Microwall occurs until the password is assigned on the initial web page e.g. by commissioning with a direct connection to the resp...

Page 28: ...28 W&T Start up...

Page 29: ...tained via DHCP In static operation assign the IP parameters for the Network 1 connection yellow For operational use of the Microwall we recommend operation with a static IP address Especially in th...

Page 30: ...ng and to reduce the attack surface we therefore recommend disabling this option in critical environments Configuration backup Allows you to upload a configuration backup previously secured by anot...

Page 31: ...agement The configuration of the Microwall is only possible encrypted via HTTPS The WBM Web-based management works session-oriented Changes made on the respective pages are immediately saved and valid...

Page 32: ...the IP address of the Microwall and if necessary the port number to be used https IP address Port no 4 1 1 Navigation concept of the Microwall The WBM of the Microwall works session-oriented via a pas...

Page 33: ...Login Enter the password and press the Log in button After successful login the extended navigation tree with all configuration options is available To protect against brute force attacks password...

Page 34: ...nfiguration items are not self-explanatory the assigned info symbols contain the necessary descriptions explanations and notes For detailed information on the operating modes release rules and VPN se...

Page 35: ...35 W&T Subject to error and alteration 5 Operating modes and rule configuration Mode NAT router Mode Standard router Rule configuration and labels IP inventories...

Page 36: ...twork by the local IP address of the Microwall and are therefore not visible in the intranet at any time The island IP range can be selected completely freely in NAT mode Even several islands with ide...

Page 37: ...static route If the island network is a marginal network without connection to further networks the local IP address of the Microwall VPN is configured as default gateway on the island hosts If furth...

Page 38: ...ways done from these address inventories Inventory entries can consist of individual IP addresses as well as areas or lists The following entries are permitted any Keyword for any IP address single IP...

Page 39: ...r and alteration 5 3 1 Scan of Network 2 Using the magnifying glass in the area of Network 2 it is possible to search the island network for participants Newly found stations found during a scan can t...

Page 40: ...rewall rules The overview contains information about the existing rules with the possibility to activate and deactivate them using the respective slide switch The Plus button at the upper right edge o...

Page 41: ...to create additional labels Direction Clicking on the direction arrow sets the direction for the rule from the point of view of establishing a TCP connection For UDP the direction is determined by t...

Page 42: ...d address ranges any Keyword for any IP address single IP address IP address in dot notation e.g. 10.20.0.4 Comma separated IP address list List of IP addresses in dot notation e.g. 10.10.10.1, 20.20.20...

Page 43: ...en works on a request/reply principle e.g. DNS In these cases the option Allow response in reverse direction must be activated The Microwall will automatically accept an incoming reply datagram within...

Page 44: ...re 10.110.0.1 and 10.20.0.55 For view filtering in the rule overview the rule is marked with the label Normal mode Network 1 Intranet Net ID 10.20.0.0/16 Standard Gateway 10.20.0.1 10.20.0.55 Network...

Page 45: ...45 W&T Operation modes and rule configuration Subject to error and alteration The rule dialog to be filled out for this example...

Page 46: ...of the Microwall is used as the destination address in the browser where it is usually replaced by the island IP 10.110.0.10 Network 1 Intranet Net ID 10.20.0.0/16 Standard Gateway 10.20.0.1 10.20.0...

Page 47: ...and rule configuration Subject to error and alteration The rule dialog to be filled out for this example Further control examples for many standard applications can be found on our website at https w...

Page 48: ...48 W&T Operation modes and rule configuration...

Page 49: ...49 W&T Subject to error and alteration 6 Security & Maintenance Security and operating notes Firmware updates Individual certificates Emergency access via service button Reset to factory defaults...

Page 50: ...N server 6 1 2 Installation location The installation location of the Microwall must ensure that no unauthorized physical access can occur e.g. suitably secured room or network cabinet Physical access...

Page 51: ...aracters consisting of upper and lower case letters numbers and special characters Registration for security-relevant information Devices can be registered with W&T via the inventory tool In case of s...

Page 52: ...be changed In environments with increased security requirements it may make sense to deactivate some or all of these services after the communication rules have been set up during operation For any...

Page 53: ...ser friendliness Only choose this method if you can guarantee a confidential transmission of this key to the VPN client For applications with increased protection requirements we recommend generating...

Page 54: ...nfiguration The Download configuration button starts the download of all current configuration parameters of the Microwall If the file is to receive an individual backup password this must be entered...

Page 55: ...t to error and alteration Backup files also contain the new IP address of the Microwall To avoid an IP conflict make sure that the original or a previously programmed Microwall is no longer connecte...

Page 56: ...ype number of your device in the input field If you do not know the type number you can find it on the sticker on the narrow side of the housing which also contains the Ethernet address Type number E...

Page 57: ...d and also the actual upload is encrypted and therefore confidential To transfer the new firmware to the Microwall select the desired Microwall in the WuTility inventory list and click on the Firmwa...

Page 58: ...ctivated for security reasons the firmware update can be performed from the Web-based management Switch to the Maintenance page in the menu tree of the Microwall The Upload File button starts the sel...

Page 59: ...n of a CSR Certificate Signing Request with associated private key in the Microwall Download the CSR and external signature to a certificate by a trusted certificate authority Upload and installation...

Page 60: ...rnal signature The download is in PEM format After the signature by a trustworthy certification authority CA the certificate and any certificate chain that may be required can be loaded into the Micr...

Page 61: ...The router firewall function is completely retained in this state The emergency access activates a non-password-protected web page on the Microwall with the possibility to overwrite the current passw...

Page 62: ...t of the Microwall should subsequently be accessible Terminating the emergency access Changes are applied with a click on Apply and the Microwall restarts the affected services Afterwards access to t...

Page 63: ...ED starts flashing slowly and after approx 10s it starts flashing fast After a total of approx 20s the device is reset to the factory settings If the service button is released while the service LED i...

Page 64: ...64 W&T Security & Maintenance...

Page 65: ...65 W&T Subject to error and alteration 7 Appendix Technical data and form factor Licenses...

Page 66: ...24V DC max 200mA 24V DC Galvanic isolation Network interfaces min 500V LAN Port Network 1 10 100 1000BaseT RJ45 autosensing autocrossing PoE LAN Port Network 2 10 100 1000BaseT RJ45 autosensing autoc...

Page 67: ...instead You can apply it to your programs too When we speak of free software we are referring to freedom not price Our General Public Licenses are designed to make sure that you have the freedom to di...

Page 68: ...ITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms...

Page 69: ...a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such inte...

Page 70: ...company it with a written offer valid for at least three years to give any third party for a charge no more than your cost of physically performing source distribution a complete machine readable copy...

Page 71: ...e the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indi...

Page 72: ...f that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make t...

Page 73: ...E LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO...

Page 74: ...orm factor 66 H Hardware installation 14 I IP inventories 38 L Licenses 67 Link state 17 Login 33 Logout 33 N NAT router 36 navigation concept 32 Network Interfaces 16 P PoE 15 Power supply 15 R Reset...

Page 75: ...75 W&T Index...
