Siemens SIMATIC NET SCALANCE SC-600 Configuration Manual

Industrial Ethernet Security, Web Based Management (WBM)
SCALANCE SC-600 Web Based Management (WBM)
SIMATIC NET
Industrial Ethernet Security
SCALANCE SC-600 Web Based Management (WBM)
Configuration Manual
10/2021
C79000-G8976-C475-03

Contents (cover listing):
Introduction
1 Security recommendations
2 Description
3 Technical basics
4 Configuring with Web Based Management
5 Upkeep and maintenance
6 Exchange of configuration data with STEP7
A Appendix A


Summary of Contents for Siemens SIMATIC NET SCALANCE SC-600

  • Page 1 (cover) SCALANCE SC-600 Web Based Management (WBM); SIMATIC NET, Industrial Ethernet Security; Configuration Manual, 10/2021, C79000-G8976-C475-03. Chapters: Introduction; 1 Security recommendations; 2 Description; 3 Technical basics; 4 Configuring with Web Based Management; 5 Upkeep and maintenance; 6 Exchange of configuration data with STEP7; A Appendix A...
  • Page 2 Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
  • Page 3: Introduction

    Introduction Validity of the configuration manual This Configuration Manual covers the following products: • SCALANCE SC622-2C • SCALANCE SC632-2C • SCALANCE SC636-2C • SCALANCE SC642-2C • SCALANCE SC646-2C This Configuration Manual applies to the following software version: • Firmware as of version V2.2 Purpose of the Configuration Manual This Configuration Manual is intended to provide you with the information you require to install, commission and operate the security appliances SCALANCE SC-600.
  • Page 4 Introduction Designations used (table with the columns Classification, Description, Term): Product line: if information applies to all product groups within the SCALANCE SC-600 product line, the term "SCALANCE SC-600" is used. Product group: if information applies to all devices of a product group, a suitable term is used. •...
  • Page 5 • On the data medium that ships with some products: – Product CD / product DVD – SIMATIC NET Manual Collection • On the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15327/man) Further documentation In the system manuals "Industrial Ethernet / PROFINET Industrial Ethernet" and "Industrial Ethernet / PROFINET passive network components", you will find information...
  • Page 6 • On the data medium that ships with some products: – Product CD / product DVD – SIMATIC NET Manual Collection • On the Internet pages of Siemens Industry Online Support: – Industrial Ethernet / PROFINET Industrial Ethernet System Manual Link: (https://support.industry.siemens.com/cs/ww/en/view/27069465) –...
  • Page 7 The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Device defective If a fault develops, please send the device to your Siemens representative for repair. Repairs on-site are not possible. Decommissioning Shut down the device properly to prevent unauthorized persons from accessing confidential data in the device memory.
  • Page 8 Siemens contact. Keep to the local regulations. You will find information on returning the product on the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/view/109479891)
  • Page 9: Table Of Contents

    Table of contents: Introduction 3; 1 Security recommendations 15; 2 Description 23; 2.1 Function 23; 2.2 Requirements for operation 25; 2.2.1 Use in a PROFINET environment 26; 2.3 System functions 26; 2.4 Configuration limits for WBM and CLI 28; 2.5 PLUG ...
  • Page 10 Table of contents: 3.8.7 VPN 60; 3.8.7.1 IPsec VPN 60; 3.8.7.2 OpenVPN 63; 3.8.7.3 VPN connection establishment 64; 4 Configuring with Web Based Management 69; 4.1 Web Based Management 69; 4.2 Starting and logging in 71; 4.3 "Information" menu 75; 4.3.1 Start page ...
  • Page 11 Table of contents: 4.4.3.4 DNS Records 130; 4.4.4 Restart 131; 4.4.5 Load&Save 133; 4.4.5.1 File list 133; 4.4.5.2 HTTP 135; 4.4.5.3 TFTP 138; 4.4.5.4 SFTP 142; 4.4.5.5 Passwords 146; 4.4.6 Events 147; 4.4.6.1 Configuration ...
  • Page 12 Table of contents: 4.4.21 Proxy server 225; 4.4.22 SINEMA RC 227; 4.5 "Layer 2" menu 230; 4.5.1 Configuration 230; 4.5.2 VLAN 231; 4.5.2.1 General 231; 4.5.2.2 Port Based VLAN 234; 4.5.3 Dynamic MAC Aging 236; 4.5.4 Ring redundancy (SC6x6-2C) ...
  • Page 13 Table of contents: 4.7.3 AAA 293; 4.7.3.1 General 293; 4.7.3.2 RADIUS client 294; 4.7.3.3 802.1X Authenticator 297; 4.7.4 Certificates 303; 4.7.4.1 Overview 303; 4.7.4.2 Certificates 304; 4.7.5 Firewall 306; 4.7.5.1 General 306; 4.7.5.2 Predefined ...
  • Page 15: Security Recommendations

    • Check regularly for security updates of the products and use them. • Check the user documentation of other Siemens products that are used together with the device for additional security recommendations. • Check regularly for news on the Siemens Internet pages.
  • Page 16 Security recommendations • Use passwords with a high password strength. Avoid weak passwords (e.g. password1, 123456789, abcdefgh) and recurring character blocks (e.g. abcabc). This recommendation also applies to the symmetric passwords/keys configured on the device, such as VPN pre-shared keys and SNMP community strings. • Make sure that passwords are protected and only disclosed to authorized personnel. •...
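A small policy check that rejects the weak patterns named above: deny-listed words, ascending or descending character sequences (abcdefgh, 123456789) and recurring blocks (abcabc). This is added example code, not Siemens code and not something the device runs. The manual gives no numbers, so the minimum length of 12, the three required character classes and the tolerated run length of 4 are assumed values, and the deny-list is a constructed stand-in for a real breached-password list.

```python
import re
import string

# Assumed thresholds: the manual names weak patterns but gives no numeric policy.
MIN_LENGTH = 12
MIN_CLASSES = 3          # out of: lower, upper, digit, punctuation
MAX_SEQUENCE = 4         # longest run such as "abcd" or "4321" still tolerated
# Constructed deny-list standing in for a breached-password list.
DENY_LIST = {"password", "password1", "admin", "123456789", "abcdefgh", "qwerty", "siemens"}


def longest_sequence(pw):
    """Length of the longest run of consecutive code points in one direction
    (catches abcdefgh and 123456789 as well as zyxw or 9876)."""
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def character_classes(pw):
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def recurring_block(pw):
    """A block of two or more characters immediately repeated (abcabc, 1212, xyxy)."""
    return re.search(r"(.{2,})\1", pw) is not None


def check_password(pw):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(pw) < MIN_CLASSES:
        problems.append("too few character classes")
    if pw.lower() in DENY_LIST:
        problems.append("deny-listed")
    if longest_sequence(pw) > MAX_SEQUENCE:
        problems.append("sequence")
    if recurring_block(pw):
        problems.append("recurring block")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "123456789", "abcdefgh", "abcabc", "Tq7!mR2#vLp9"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Run the same check over pre-shared keys and community strings before they are entered on the device; the sequence and recurring-block tests are the ones that catch keys typed in a hurry.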
  • Page 17 • Verify certificates based on the fingerprint on the server and client side to prevent "man in the middle" attacks. Use a second, secure transmission path for this: obtain the expected fingerprint out of band (for example from the person who generated the certificate, or by running `openssl x509 -noout -fingerprint -sha256 -in <exported certificate>` on a trusted machine) and compare it with the value shown at the other end before accepting the connection. • Before sending the device to Siemens for repair, replace the current certificates and keys with temporary disposable certificates and keys, which can be destroyed when the device is returned.
  • Page 18 Security recommendations • Ensure that the latest firmware version is installed, including all security-related patches. You can find the latest information on security patches for Siemens products at the Industrial Security (https://www.siemens.com/industrialsecurity) or ProductCERT Security Advisories website. For updates on Siemens product security advisories, subscribe to the RSS feed on the ProductCERT Security Advisories website or follow @ProductCert on Twitter.
  • Page 19 Security recommendations • If non-secure protocols and services are required, ensure that the device is operated in a protected network area. • Check whether use of the following protocols and services is necessary: – Non-authenticated and unencrypted ports – MRP, HRP –...
  • Page 20 Security recommendations Available protocols The following list provides you with an overview of the open protocol ports. The table has the following columns: • Protocol • Port • Factory setting: "Open" (the port is open in the factory setting), –...
  • Page 21 (table continued; columns: Service/Protocol, Protocol/Port, Default status, Configurable, Authentication, Encryption) ... UDP/1813: Outgoing only; Outgoing only; ✓ ✓ ✓. SFTP, TCP/22: Outgoing only; Outgoing only; ✓ ✓ ✓ ✓. Siemens Remote Service (cRSP/SRS), TCP/443: Outgoing only; Outgoing only; ✓ Optional ✓. SINEMA RC, HTTPS/443 and ...: Outgoing only; Outgoing only; ✓ ✓ ✓...
  • Page 22 Security recommendations (table continued; columns: Service/Protocol, Protocol/Port, Default status, Configurable, Authentication, Encryption) SMTP client, TCP/25: Outgoing only; Outgoing only; ✓ ✓ Optional. SMTP (secure), TCP/465 and TCP/587: Outgoing only; Outgoing only; ✓ ✓ Optional ✓. SNMPv1/v2c, UDP/161: Open; Closed; ✓ ✓. SNMPv3, UDP/161: Open; Closed; ✓... Note that SNMPv1/v2c is open in the factory setting and sends its community strings in clear text; close it, or restrict management to SNMPv3, unless a monitoring system actually needs it.
  • Page 23: Description

    To establish a VPN (Virtual Private Network), the following functions are available: – IPsec VPN (SC64x-2C) – OpenVPN • SINEMA RC client • Use of proxy servers • Siemens Remote Service cRSP/SRS (SC64x-2C) • Brute Force Prevention
  • Page 24 Description 2.1 Function Monitoring / diagnostics / maintenance • LEDs Display of operating statuses via an LED display. You will find further information on this in the Operating Instructions of the device. • Logging For monitoring have the events logged. •...
  • Page 25: Requirements For Operation

    Description 2.2 Requirements for operation Requirements for operation Requirements for installation and operation A PG/PC with a network connection must be available in order to configure the devices. If no DHCP server is available, a PG/PC on which SINEC PNI is installed is necessary for the initial assignment of an IP address to the device.
  • Page 26: Use In A Profinet Environment

    Description 2.3 System functions Default values set in the factory User name admin The user name can be changed after the first login or after a "Restore Factory Defaults and Restart". Afterwards, renaming "admin" is no longer possible. Password admin The password needs to be changed after the first login or after a "Restore Factory Defaults and Restart".
  • Page 27 Description 2.3 System functions (WBM menu overview): SINEMA RC, OpenVPN; System: Configuration, General, Restart, Load&Save, Events, SMTP client, DHCP, SNMP, System time, Auto logout, Button, Syslog client, Ports, Fault Monitoring, PLUG, Ping, DCP Discovery, Port diagnostics, cRSP/SRS (SC64x-2C), Proxy server, SINEMA RC; Layer 2: Configuration, Port Based VLAN, Dynamic MAC Aging...
  • Page 28: Configuration Limits For Wbm And Cli

    Description 2.4 Configuration limits for WBM and CLI Configuration limits of the device The following table lists the configuration limits for Web Based Management and the Command Line Interface of the device (columns: Configurable function, Maximum number). System: DNS Server...
  • Page 29: Plug

    Description 2.5 PLUG (configuration limits, continued; columns: Configurable function, Maximum number) Firewall rules: IP protocols 16; IP services 128; ICMP services 16; IP rules 1000; MAC rules 1000. Dynamic firewall: maximum of 8 rule sets; 4 parallel user accesses; maximum of 128 IP rules per firewall rule set. IPsec VPN: 200 tunnels...
  • Page 30 Description 2.5 PLUG The device supports the following modes of operation: • Without C-PLUG/KEY-PLUG The device stores the configuration in internal memory. This mode is active if no C-PLUG/KEY-PLUG is inserted. • With unwritten C-PLUG/KEY-PLUG If an unwritten C-PLUG/KEY-PLUG (factory status or deleted with Clean function) is used, the local configuration already existing on the device is automatically stored on the inserted C-PLUG/KEY-PLUG during startup.
  • Page 31: Preset Plug

    Description 2.5 PLUG 2.5.1 PRESET PLUG PLUG with preset function (PRESET-PLUG) With PRESET-PLUG it is possible to install the same configuration and the firmware belonging to it on several devices. Note Using configurations with DHCP Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise disruptions will occur in network operation due to multiple identical IP addresses.
  • Page 33: Technical Basics

    Technical basics 3.1 IP address 3.1.1 Structure of an IPv4 address The IPv4 address consists of 4 decimal numbers separated by a dot. Each decimal number can have a value from 0 to 255. Example: 192.168.16.2 The IPv4 address is composed of: •...
  • Page 34 Technical basics 3.1 IP address The following applies in general: • The network address results from the AND combination of IPv4 address and subnet mask. • The device address results from the AND-NOT combination of IPv4 address and subnet mask. Classless Inter-Domain Routing (CIDR) CIDR is a method that groups several IPv4 addresses into an address range by representing an IPv4 address combined with its subnet mask.
  • Page 35: Ipv4

    Technical basics 3.1 IP address Network gateway (router) The task of the network gateways (routers) is to connect the IP subnets. If an IP datagram is to be sent to another network, it must first be sent to a router. To make this possible, you need to enter the router address for each member of the IP subnet.
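The AND and AND-NOT combinations from 3.1, the CIDR notation and the "same subnet or via router" decision from the gateway paragraph, carried out with plain integer arithmetic so the bit operations are visible. This is an added example, not Siemens code; the addresses and the gateway are constructed, and the subnet-mask check (a valid mask must be a contiguous run of ones) is an extra check the manual does not spell out.

```python
def to_int(dotted):
    """'192.168.16.2' -> 32-bit integer, rejecting anything that is not four octets 0..255."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """CIDR prefix length -> mask integer, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask):
    """Dotted mask -> prefix length; a mask must be ones followed by zeros."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if mask_from_prefix(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def split_cidr(cidr):
    """'192.168.16.2/24' -> (address integer, mask integer)."""
    ip, _, prefix = cidr.partition("/")
    return to_int(ip), mask_from_prefix(int(prefix))


def network_address(ip, mask):
    """Network part: AND of address and mask."""
    return to_dotted(to_int(ip) & to_int(mask))


def device_address(ip, mask):
    """Device (host) part: AND-NOT of address and mask."""
    return to_dotted(to_int(ip) & ~to_int(mask) & 0xFFFFFFFF)


def next_hop(src_cidr, dst_ip, gateway):
    """Where the sender hands the datagram: the destination itself when both share
    the network part, otherwise the configured router, which must itself be local."""
    src, mask = split_cidr(src_cidr)
    dst = to_int(dst_ip)
    if (src & mask) == (dst & mask):
        return ("direct", dst_ip)
    if (to_int(gateway) & mask) != (src & mask):
        raise ValueError(f"gateway {gateway} is not in the sender's subnet")
    return ("via-router", gateway)


if __name__ == "__main__":
    print(network_address("192.168.16.2", "255.255.255.0"), device_address("192.168.16.2", "255.255.255.0"))
    print(next_hop("192.168.16.2/24", "10.0.0.5", "192.168.16.1"))
```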
  • Page 36: Initial Assignment Of An Ip Address

    – To be able to assign an IP address to the device with SINEC PNI, it must be possible to reach the device via Ethernet. – You can find SINEC PNI on the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/ps/26672/dl) –...
  • Page 37: Mac Address

    The MAC address consists of a fixed and a variable part. The fixed part ("basic MAC address") identifies the manufacturer (Siemens, 3COM, ...). The variable part of the MAC address distinguishes the various Ethernet nodes.
  • Page 38: Icmp

    Technical basics 3.3 ICMP ICMP The acronym ICMP stands for Internet Control Message Protocol (RFC792) and is used to exchange error and information messages. • Error message Informs the sender of the IP frame that when forwarding the frame an error or a parameter problem occurred.
  • Page 39 Technical basics 3.3 ICMP ICMP packet type 5 - Redirect Host A wants to send an IP frame to host C. Host C is not located in the same subnet as host A. For this reason host A sends the IP frame to its default gateway. The default gateway of host A is interface 1 of router A. (A redirect changes the sender's routing decision and can be forged by any node on the same segment, so hosts should accept redirects only on networks where every node is trusted.)
  • Page 40: Vlan

    Technical basics 3.4 VLAN VLAN Network definition regardless of the spatial location of the nodes VLAN (Virtual Local Area Network) divides a physical network into several logical networks that are shielded from each other. Here, devices are grouped together to form logical groups.
  • Page 41: Vlan Tagging

    Technical basics 3.4 VLAN 3.4.1 VLAN tagging Expansion of the Ethernet frames by four bytes For CoS (Class of Service, frame priority) and VLAN (virtual network), the IEEE 802.1Q standard defines the expansion of Ethernet frames by adding the VLAN tag. Note The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.
  • Page 42 Technical basics 3.4 VLAN The tagged frame has 3 bits for the priority, also known as Class of Service (CoS), see also IEEE 802.1Q. Table (columns: CoS bits, Priority, Type of the data traffic), rows in ascending order: 0 (lowest): Background; Best Effort; Excellent Effort; Critical Applications; Video, <...
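Inserting and parsing the four-byte tag described above: TPID 0x8100 followed by the TCI with 3 PCP (CoS) bits, 1 DEI bit and a 12-bit VID, placed between the source MAC and the original EtherType. This is an added example, not Siemens code; the frame contents are constructed. Lengths here exclude the 4-byte FCS, which is why the code reports 1514/1518 where the manual counts 1518/1522.

```python
import struct

TPID_8021Q = 0x8100


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame without FCS."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert TPID + TCI after the source MAC. VID 0 is 'priority tagged only'
    and 4095 is reserved, so both are rejected here as a safe default."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad tag field")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return header fields; tagged frames yield vid/pcp/dei and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def strip_vlan_tag(frame):
    """Remove the tag again (what an untagged access port does on egress)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed sample: multicast destination, 1500-byte IPv4 payload of zeros.
    frame = build_frame(bytes.fromhex("01005e000001"), bytes.fromhex("001b1b000001"), 0x0800, b"\x00" * 1500)
    tagged = add_vlan_tag(frame, vid=100, pcp=5)
    print(len(frame), len(tagged), parse_frame(tagged)["vid"])
```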
  • Page 43: Snmp

    Technical basics 3.5 SNMP SNMP Introduction With the aid of the Simple Network Management Protocol (SNMP), you monitor and control network components from a central station, for example routers or switches. SNMP controls the communication between the monitored devices and the monitoring station.
  • Page 44 Technical basics 3.5 SNMP The management station sends data packets of the following type: • GET Request for a data record from the SNMP agent • GETNEXT Calls up the next data record. • GETBULK (available as of SNMPv2c) Requests multiple data records at one time, for example several rows of a table. •...
  • Page 45: Redundancy

    Technical basics 3.6 Redundancy Compatibility with predecessor products You can only transfer SNMPv3 users to a different device if you have created the users as migratable users. To create a migratable user the "SNMPv3 User Migration" function must be activated when you create the user. Redundancy 3.6.1 HRP - High Speed Redundancy Protocol...
  • Page 46: Mrp

    ... interface or using SNMP. Example for configuration You can find an example for configuration of HRP rings with standby coupling on the Internet pages of Siemens Industry Online Support. Link: (https://support.industry.siemens.com/cs/ww/en/view/109739600) 3.6.2 MRP The "MRP" method conforms to the Media Redundancy Protocol (MRP) specified in the following standard: IEC 62439-2 Release 1.0 (2010-02) Industrial communication networks - High availability...
  • Page 47 Example for configuration You can find an example for configuration of a ring topology based on "MRP" on the Internet pages of Siemens Industry Online Support. Link: (https://support.industry.siemens.com/cs/ww/en/view/109739614)
  • Page 48: Spanning Tree

    Technical basics 3.6 Redundancy 3.6.3 Spanning Tree Avoiding loops on redundant connections The spanning tree algorithm allows network structures to be created in which there are several connections between two IE switches / bridges. Spanning tree prevents loops being formed in the network by allowing only one path and disabling the other (redundant) ports for data traffic.
  • Page 49: Rstp

    Example for configuration You can find an example for configuration of a mesh network based on "RSTP" on the Internet pages of Siemens Industry Online Support. Link: (https://support.industry.siemens.com/cs/ww/en/view/109742120)
  • Page 50: Routing Function

    Technical basics 3.7 Routing function Routing function 3.7.1 Routing Introduction The term routing describes the specification of routes for communication between different networks; in other words, how does a data packet from subnet A get to subnet B? SCALANCE SC-600 supports the following routing functions: •...
  • Page 51: Static Routing

    Technical basics 3.8 Security functions The new virtual master router adopts the virtual MAC and IP address. This means that no routing tables or ARP tables need to be updated. The consequences of a device failure are therefore minimized. You configure VRRP in "Layer 3 > VRRPv3". 3.7.3 Static routing The route is entered manually in the routing table.
  • Page 52 – The RADIUS server reports a failed authentication to the device: → The user is denied access. RADIUS authorization mode "SiemensVSA" Requirement For the RADIUS authorization mode "Siemens VSA" the following needs to be set on the RADIUS server: • Manufacturer code: 4196 • Attribute number: 1 •...
  • Page 53 Technical basics 3.8 Security functions If you have set the authorization mode "SiemensVSA", the authentication of users via a RADIUS server runs as follows: 1. The user logs on with user name and password on the device. 2. The device sends an authentication request with the login data to the RADIUS server. 3.
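The RADIUS exchange from steps 1 and 2 above, in bytes: the Access-Request the device sends with User-Name and the RFC 2865 hidden User-Password, and the Vendor-Specific attribute (type 26) layout a server uses to return the "SiemensVSA" attribute with manufacturer code 4196 and attribute number 1. This is an added, standard-library-only example, not Siemens code or a copy of the device's RADIUS client. The shared secret, request authenticator, credentials and the VSA value "admin" are constructed test data; the page does not state what value the Siemens attribute carries, so treat that string as a placeholder.

```python
import hashlib
import os
import struct

SIEMENS_VENDOR_ID = 4196      # "Manufacturer code" from the manual
SIEMENS_VSA_TYPE = 1          # "Attribute number" from the manual

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_REQUEST = 1


def attribute(attr_type, value):
    """RFC 2865 attribute: Type(1) Length(1, includes the two header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def siemens_vsa(value, vendor_type=SIEMENS_VSA_TYPE):
    """Vendor-Specific attribute in the RFC 2865 recommended sub-format:
    Vendor-Id(4, big endian) then Vendor-Type(1) Vendor-Length(1) value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", SIEMENS_VENDOR_ID) + inner)


def parse_siemens_vsa(attr):
    """(vendor_type, value) if attr is a well-formed Siemens VSA, otherwise None."""
    if len(attr) < 8 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    if struct.unpack("!I", attr[2:6])[0] != SIEMENS_VENDOR_ID:
        return None
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or 6 + vendor_len > len(attr):
        return None
    return vendor_type, attr[8:6 + vendor_len]


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does)."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def access_request(username, password, secret, nas_ip, authenticator=None, identifier=0):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    print(siemens_vsa(b"admin").hex())
    print(access_request(b"admin", b"MyPassw0rd!", b"s3cret-shared", "192.168.16.1").hex())
```

The password hiding is an MD5 stream keyed by the shared secret, which only withstands casual observation; together with the manual's advice to operate non-secure protocols inside a protected network, the RADIUS server should sit on the management segment or be reached through the VPN.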
  • Page 54: Firewall

    Technical basics 3.8 Security functions 3.8.3 Firewall 3.8.3.1 Firewall rules Firewall rules on the SC-600 are automatically created, predefined or specially configured IP rules for data traffic. Automatic firewall rules The "Auto firewall rules" setting is available for the following functions: • System > SINEMA RC •...
  • Page 55 Technical basics 3.8 Security functions The firewall is enabled by default. In the delivery state (factory setting), the configuration of the predefined IPv4 rules is as follows (columns: Service, Local access (vlan1) to the device, External access (vlan2) to the device): DHCP ✓...
  • Page 56 Technical basics 3.8 Security functions You configure the firewall in "Security > Firewall". Note IP packets via layer 2 (within the same VLAN) If IP packets are forwarded between switch ports of the device within the same VLAN (layer 2), these IP packets are not checked against the firewall rules. The firewall only sees traffic that is routed between VLANs/interfaces, so nodes that must be filtered from each other have to be placed in different VLANs.
  • Page 57: Nat

    NAT in which the destination IP address is translated. You will find information on NAT scenarios that are implemented with the device at the following address: (https://support.industry.siemens.com/cs/en/view/109744660) IP masquerading IP masquerading is a simplified source NAT. With each outgoing data packet sent via this interface, the source IP address is replaced by the IP address of the interface.
  • Page 58: Nat And Firewall

    Technical basics 3.8 Security functions The following options are available for port translation (columns: from, to, Response): from a single port to the same port: if the ports are the same, the frames are forwarded without port translation. From a single port to a single port: the frames are translated to the configured port.
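A connection-tracking model of the two mechanisms described on the NAT pages: IP masquerading, where every outgoing packet gets the external interface address as source and replies are mapped back to the originating node, and port forwarding with the two options above (a single port to the same port, a single port to a single port). This is an added example, not Siemens code and not the device's NAT implementation; the addresses, ports and port pool are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """One external interface doing masquerading for outbound flows and static
    port forwarding (destination NAT) for inbound connections."""

    def __init__(self, external_ip, port_range=(1024, 65535)):
        self.external_ip = external_ip
        self.next_port, self.last_port = port_range
        self.outbound = {}   # (proto, internal ip, internal port) -> external port
        self.inbound = {}    # (proto, external port) -> (internal ip, internal port), masqueraded flows
        self.forwards = {}   # (proto, external port) -> (internal ip, internal port), static rules
        self.in_use = set()  # (proto, external port) already taken

    def add_port_forward(self, proto, external_port, internal_ip, internal_port=None):
        """internal_port=None is 'a single port to the same port',
        an explicit internal_port is 'a single port to a single port'."""
        key = (proto, external_port)
        if key in self.in_use:
            raise ValueError(f"external port {proto}/{external_port} already in use")
        self.forwards[key] = (internal_ip, external_port if internal_port is None else internal_port)
        self.in_use.add(key)

    def _allocate_port(self, proto, wanted):
        """Keep the node's own source port when it is free, otherwise take the next free one."""
        if (proto, wanted) not in self.in_use:
            port = wanted
        else:
            while (proto, self.next_port) in self.in_use:
                self.next_port += 1
            if self.next_port > self.last_port:
                raise RuntimeError("port pool exhausted")
            port = self.next_port
            self.next_port += 1
        self.in_use.add((proto, port))
        return port

    def outbound_translate(self, pkt):
        """Masquerading: rewrite the source to the external address, remembering the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.external_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        """Packet arriving at the external interface: a forwarding rule wins, then a
        remembered masqueraded flow; anything else has no translation and is dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.forwards.get(key) or self.inbound.get(key)
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")
    gw.add_port_forward("tcp", 8443, "192.168.16.10", 443)
    print(gw.outbound_translate(Packet("tcp", "192.168.16.2", 40000, "198.51.100.9", 443)))
    print(gw.inbound_translate(Packet("tcp", "198.51.100.9", 51000, "203.0.113.5", 8443)))
```

A forwarded port is reachable from the external network independently of the masquerading table, which is why the manual's next section pairs NAT with firewall rules: each forward should be accompanied by a rule that restricts the permitted external sources.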
  • Page 59: Certificates

    Technical basics 3.8 Security functions NAT translation and firewall rules You will find an example of NAT translations on the Internet pages of Siemens Industry Online Support. Link: (https://support.industry.siemens.com/cs/ww/en/view/109744660) 3.8.6 Certificates Certificate types The device uses different certificates to authenticate the various nodes.
  • Page 60: Vpn

    Technical basics 3.8 Security functions 3.8.7 VPN The device supports the following VPN systems: • IPsec VPN (SC64x-2C) • OpenVPN 3.8.7.1 IPsec VPN You configure the IPsec connections in "Security > IPsec VPN". With IPsec VPN, the frames are transferred in tunnel mode. To allow the device to establish a VPN tunnel, the remote network must have a VPN gateway as the partner.
  • Page 61 Technical basics 3.8 Security functions To provide security, the IPsec protocol suite uses various protocols: • The Encapsulation Security Payload (ESP) encrypts the data. • The Security Association (SA) contains the specifications negotiated between the partners, e.g. about the lifetime of the key, the encryption algorithm, the period for new authentication etc.
  • Page 62 Technical basics 3.8 Security functions Encryption methods The following encryption methods are supported. The selection depends on the phase and the key exchange method (IKEv1 or IKEv2). Table columns: Phase 1 (IKEv1, IKEv2), Phase 2 (IKEv1, IKEv2); rows: 3DES, AES128 CBC, AES192 CBC, AES256 CBC, AES128 CTR, AES192 CTR, AES256 CTR... Of these, 3DES is deprecated by NIST and has only a 64-bit block; configure AES on both VPN partners and leave 3DES out of the proposal unless a legacy peer forces it.
  • Page 63: Openvpn

    Technical basics 3.8 Security functions Requirements of the VPN partner The VPN partner must support IPsec with the following configuration to be able to establish an IPsec connection successfully: • Authentication with partner certificate, CA certificates or pre-shared key • IKEv1 or IKEv2 •...
  • Page 64: Vpn Connection Establishment

    Technical basics 3.8 Security functions subnet by the OpenVPN server. The IP packets (layer 3) are routed between the virtual tunnel interface and the LAN interface. • TAP device: Bridge Mode For operation in flat networks. External and internal interface are in the same IP subnet.
  • Page 65 Technical basics 3.8 Security functions Options Description on demand The device attempts to establish a connection to a partner when necessary. The receipt of requests for VPN connection establishment is also possible. For the configured local and remote subnets, an entry is created in the routing table.
  • Page 66 Technical basics 3.8 Security functions Options The device supports the following options for controlling the VPN tunnel via the digital input: • start on DI If the event "Digital Input" occurs, the device becomes "active". The device attempts to establish a VPN connection (IPsec) to a partner. •...
  • Page 67 Using the private MIB variable snMspsDigitalInputLevel, you can read out the status of the digital input. MIB variable • OID of the private MIB variable snMspsDigitalInputLevel: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDigitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2).snMspsDigitalInputEntry(1).snMspsDigitalInputLevel( • Values of the MIB variable: 1: Signal 0 at the digital input (DI) –...
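Reading such a variable over SNMP means encoding the OID in BER and wrapping it in one of the request PDUs listed on page 44 (GET, GETNEXT, GETBULK). The following minimal encoder, an added example and not Siemens code or an SNMP library, builds those SNMPv2c messages and decodes an OID back to dotted form. Only the OID prefix that is legible above is used, up to snMspsDigitalInputEntry(1); the final arc of snMspsDigitalInputLevel and the instance index are cut off in the excerpt, so no value is assumed for them. The community string and request IDs are constructed test data.

```python
# Prefix legible on the page, through snMspsDigitalInputEntry(1); the trailing arcs are not.
SIEMENS_DI_ENTRY_OID = "1.3.6.1.4.1.4329.20.1.1.1.1.39.1.2.1"

# SNMPv2c request PDU tags (context-specific, constructed)
PDU_GET, PDU_GETNEXT, PDU_GETBULK = 0xA0, 0xA1, 0xA5
PDU_NAMES = {PDU_GET: "GET", PDU_GETNEXT: "GETNEXT", PDU_GETBULK: "GETBULK"}


def ber_length(n):
    """Short form below 128, otherwise 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf, offset):
    """(length, offset of the content) for the length field starting at offset."""
    first = buf[offset]
    if first < 0x80:
        return first, offset + 1
    count = first & 0x7F
    return int.from_bytes(buf[offset + 1:offset + 1 + count], "big"), offset + 1 + count


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(value):
    """INTEGER in minimal two's complement, at least one byte (128 -> 02 02 00 80)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_octets(data):
    return tlv(0x04, data)


def ber_null():
    return b"\x05\x00"


def ber_seq(*items):
    return tlv(0x30, b"".join(items))


def encode_oid(dotted):
    """First two arcs share one byte (1.3 -> 0x2B); later arcs are base-128 with a
    continuation bit, most significant group first (siemens 4329 -> A1 69)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"bad OID: {dotted}")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return tlv(0x06, bytes(body))


def decode_oid(encoded):
    if encoded[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, offset = _read_length(encoded, 1)
    body = encoded[offset:offset + length]
    first_arc = min(body[0] // 40, 2)
    arcs = [first_arc, body[0] - 40 * first_arc]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated sub-identifier")
    return ".".join(map(str, arcs))


def snmp_request(community, pdu_tag, request_id, oids, non_repeaters=0, max_repetitions=10):
    """SNMPv2c message: SEQUENCE { version INTEGER 1, community OCTET STRING, PDU }.
    GET/GETNEXT carry error-status and error-index (both 0 in a request);
    GETBULK carries non-repeaters and max-repetitions in those two slots instead."""
    varbinds = ber_seq(*(ber_seq(encode_oid(o), ber_null()) for o in oids))
    if pdu_tag == PDU_GETBULK:
        fields = ber_int(request_id) + ber_int(non_repeaters) + ber_int(max_repetitions)
    else:
        fields = ber_int(request_id) + ber_int(0) + ber_int(0)
    return ber_seq(ber_int(1), ber_octets(community), tlv(pdu_tag, fields + varbinds))


def request_pdu_type(message):
    """Walk past version and community to the PDU tag and name it."""
    if message[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, offset = _read_length(message, 1)
    for _ in range(2):
        length, content = _read_length(message, offset + 1)
        offset = content + length
    return PDU_NAMES.get(message[offset], f"unknown(0x{message[offset]:02x})")


if __name__ == "__main__":
    msg = snmp_request(b"public", PDU_GETBULK, 42, [SIEMENS_DI_ENTRY_OID], max_repetitions=5)
    print(request_pdu_type(msg), msg.hex())
```

The message can be sent as one UDP datagram to port 161; note that the community string travels in clear text in it, which is the reason the manual lists SNMPv1/v2c among the non-authenticated, unencrypted services to close or confine to a protected network.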
  • Page 69: Configuring With Web Based Management

    Configuring with Web Based Management Web Based Management How it works The device has an integrated HTTP server for Web Based Management (WBM). If a device is addressed with a Web browser, it returns HTML pages to the Admin PC depending on the user input.
  • Page 70 Configuring with Web Based Management 4.1 Web Based Management • If a firewall is used, the relevant ports must be opened. – For access using HTTPS: TCP port 443 • The display of the WBM was tested with the following desktop Web browsers: –...
  • Page 71: Starting And Logging In

    Configuring with Web Based Management 4.2 Starting and logging in Starting and logging in Establishing a connection to a device Follow the steps below to establish a connection to a device using an Internet browser: 1. There is a connection between the device and the Admin PC. With the ping command, you can check whether or not a device can be reached.
  • Page 72 Configuring with Web Based Management 4.2 Starting and logging in Default Login Page Under "System > Configuration > Default Login Page", you can define which login page is opened by default. You can change the type of login via the "Switch to..." links. To log in, you have the following options: •...
  • Page 73 You can show an additional text on the login page. 1. Create a txt file that contains the desired text or the ASCII type. With ASCII type, pictograms, e.g. the Siemens company logo, are displayed based on the available characters.
  • Page 74 Configuring with Web Based Management 4.2 Starting and logging in 3. Click the "Login" button or confirm your input with "Enter". Note When you log in for the first time or following a "Restore Factory Defaults and Restart", you can rename the "admin" user preset in the factory once. Afterwards, renaming "admin"...
  • Page 75: Information" Menu

    Configuring with Web Based Management 4.3 "Information" menu After successful login, the WBM page "Information on dynamic firewall rules" opens. The current ruleset and the remaining time are displayed. If needed, the user can extend the access time via the "Reset Timeout" button. "Information"...
  • Page 76 Configuring with Web Based Management 4.3 "Information" menu • Navigation area (3): Left-hand area • Content area (4): Middle area
  • Page 77 • Logo of Siemens AG When you click on the logo, you arrive at the Internet page of the corresponding basic device in Siemens Industry Online Support. • Display of: "System Location / System Name" – "System Location" contains the location of the device.
  • Page 78 Configuring with Web Based Management 4.3 "Information" menu menus as previously. The second tab "Favorites" contains all the pages/tabs that you selected as favorites. On the "Favorites" tab the pages/tabs are arranged according to the structure in the "Menu" tab. To do this, click the button on the relevant pages/tabs.
  • Page 79 Configuring with Web Based Management 4.3 "Information" menu • DDNS Status If a dynamic DNS service is used, the host name of the device is displayed, e.g. example.no-ip.com. The status of the update is also displayed. – update successful Update successful –...
  • Page 80 Configuring with Web Based Management 4.3 "Information" menu displayed on a page is limited. Click the "Next" button to page down through the data records. Page back with "Prev" On WBM pages with a lot of data records, the number of data records that can be displayed on a page is limited.
  • Page 81: Versions

    Configuring with Web Based Management 4.3 "Information" menu 4.3.2 Versions This WBM page shows the versions of the hardware and software of the device. Description Table 1 has the following columns: • Hardware – Basic Device Shows the basic device –...
  • Page 82: Identification & Maintenance

    Configuring with Web Based Management 4.3 "Information" menu • Version Shows the version number of the software version. • Date Shows the date on which the software version was created. 4.3.3 Identification & Maintenance Identification and Maintenance data This page contains information about device-specific vendor and maintenance data such as the order number, serial number, version number etc.
  • Page 83: Arp Table

    Configuring with Web Based Management 4.3 "Information" menu • Software Revision Shows the software version. • Revision Counter Regardless of a version change, this box always displays the value "0". • Revision Date Date and time of the last revision •...
  • Page 84: Log Tables

    Configuring with Web Based Management 4.3 "Information" menu • IP Address Shows the IPv4 address of the destination device. • Media Type Shows the type of connection. – Dynamic The device recognized the address data automatically. – Static The addresses were entered as static addresses. 4.3.5 Log Tables 4.3.5.1...
  • Page 85 Configuring with Web Based Management 4.3 "Information" menu Description • Severity Filters You can filter the entries in the table according to severity. To display all the entries, enable or disable all parameters. Note For each severity, a maximum of 400 entries in the table are possible. If the maximum number of entries is reached for a severity, the oldest entries of this severity are overwritten in the table. Events that must be retained beyond this limit should therefore also be forwarded to an external server via the Syslog client.
  • Page 86: Security Log

    Configuring with Web Based Management 4.3 "Information" menu 4.3.5.2 Security Log The WBM page shows the events that occurred during communication via a secure VPN tunnel in the form of a table.
  • Page 87 Configuring with Web Based Management 4.3 "Information" menu Description • Severity Filters You can filter the entries in the table according to severity. To display all the entries, enable or disable all parameters. Note For each severity, a maximum of 400 entries in the table are possible. If the maximum number of entries is reached for a severity, the oldest entries of this severity are overwritten in the table.
  • Page 88: Firewall Log

    Configuring with Web Based Management 4.3 "Information" menu 4.3.5.3 Firewall Log The firewall log logs the events that occurred on the firewall. When you create firewall rules, you can specify the event severity with which they are logged. Description • Severity Filters You can filter the entries in the table according to severity.
  • Page 89: Faults

    Configuring with Web Based Management 4.3 "Information" menu The table has the following columns: • Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which the corresponding event occurred. • System Up Time Shows the time the device has been running since the last restart when the described event occurred.
  • Page 90: Dhcp Server

    Configuring with Web Based Management 4.3 "Information" menu Description The page contains the following boxes: • No. of Signaled Faults Number of faults displayed since the last startup. • Reset Counters The number is reset with this button. The counter is reset when there is a restart. The table contains the following columns: •...
  • Page 91: Lldp

    Configuring with Web Based Management 4.3 "Information" menu • Identification Method Shows the method with which the DHCP client is identified. – Remote ID Shows the remote ID of the DHCP client. – Circuit ID Shows the circuit ID of the DHCP client. •...
  • Page 92 Configuring with Web Based Management 4.3 "Information" menu Description of the displayed values The table contains the following columns: • System Name System name of the connected device. • Device ID Device ID of the connected device. The device ID corresponds to the device name assigned via SINEC PNI (STEP 7).
  • Page 93: Fiber Monitoring Protocol

    Configuring with Web Based Management 4.3 "Information" menu 4.3.9 Fiber Monitoring Protocol Monitoring optical links With Fiber Monitoring, you can monitor optical links. The table shows the current status of the ports. You set the values to be monitored on the following page: "Layer 2 > FMP". Description of the displayed values • Port Shows the optical ports that support Fiber Monitoring.
  • Page 94: Routing

    Configuring with Web Based Management 4.3 "Information" menu Power Loss State To be able to monitor the power loss of the connection, the Fiber Monitoring function must be enabled for the optical port of the connection partner. • disabled Fiber monitoring is disabled. •...
  • Page 95: Redundancy

    Configuring with Web Based Management 4.3 "Information" menu Description The table has the following columns: • Destination Network Shows the destination address of this route. • Subnet Mask Shows the subnet mask of this route. • Gateway Shows the gateway for this route. •...
  • Page 96 Configuring with Web Based Management 4.3 "Information" menu Description of the displayed values The following fields are displayed: • Spanning Tree Mode Shows the set mode. You specify the mode in "Layer 2 > Configuration" and in "Layer 2 > Spanning Tree > General". The following values are possible: –...
  • Page 97 Configuring with Web Based Management 4.3 "Information" menu The table has the following columns: • Port Shows the interfaces via which the device communicates. • Role Shows the status of the port. The following values are possible: – Disabled The port was removed manually from the spanning tree and will no longer be taken into account by the spanning tree.
  • Page 98: Vrrpv3 Statistics

    Configuring with Web Based Management 4.3 "Information" menu lowest value is selected. If several ports of a device have the same value, the port with the lowest port number is selected. If the value in the "Cost Calc" field is "0", the automatically calculated value is displayed.
  • Page 99 Configuring with Web Based Management 4.3 "Information" menu Description The following fields are displayed: • VRID Errors Shows how many VRRPv3 packets containing an unsupported VRID were received. • Version Errors Shows how many VRRPv3 packets containing an invalid version number were received.
  • Page 100 Configuring with Web Based Management 4.3 "Information" menu • Advertisement Interval Errors Shows how many bad VRRPv3 packets were received whose interval does not match the value set locally. • IP TTL Errors Shows how many bad VRRPv3 packets were received whose TTL (Time to live) value in the IP header is incorrect.
  • Page 101: Sync Firewall State

    Configuring with Web Based Management 4.3 "Information" menu 4.3.11.3 Sync Firewall State Information on the Firewall State Sync On this page, you obtain the following information about the Firewall State Sync. Description of the displayed values The table has the following columns: •...
  • Page 102: Ring Redundancy

    Configuring with Web Based Management 4.3 "Information" menu • Invalid Messages Number of invalid messages that were transferred by the synchronization partner. • Reset Counters Click this button to reset the counters on this page. • Refresh Refreshes the display of the values. The result is shown in the table. 4.3.11.4 Ring redundancy Information on ring redundancy...
  • Page 103: Unicast

    Configuring with Web Based Management 4.3 "Information" menu 4.3.12 Unicast Status of the unicast filter table This page shows the current content of the unicast filter table. This table lists the source addresses of unicast address frames. The entries are made statically through parameter assignment by the user.
  • Page 104: Multicast

    Configuring with Web Based Management 4.3 "Information" menu 4.3.13 Multicast Status of the multicast filter table This table shows the multicast frames currently entered in the multicast filter table and their destination ports. The entries are configured statically by the user. Description of the displayed values The table contains the following columns: •...
  • Page 105: Snmp

    Configuring with Web Based Management 4.3 "Information" menu 4.3.14 SNMP This page displays the created SNMPv3 groups. You configure the SNMPv3 groups in "System > SNMP". Description The table has the following columns: • Group Name Shows the group name. •...
  • Page 106 Configuring with Web Based Management 4.3 "Information" menu Description Services The "Services" list shows the security settings. • SSH Server You configure the setting in "System > Configuration". – Enabled: Encrypted access to the CLI. – Disabled: No encrypted access to the CLI. •...
  • Page 107 Configuring with Web Based Management 4.3 "Information" menu • SNMP You configure the setting in "System > SNMP > General". – "-" (SNMP disabled) Access to device parameters via SNMP is not possible. – SNMPv1/v2c/v3 Access to device parameters is possible with SNMP versions 1, 2c or 3. –...
  • Page 108: Supported Function Rights

    Configuring with Web Based Management 4.3 "Information" menu In the table "External User Accounts" a user is linked to a role. In this example the user "Observer" is linked to the "user" role. The user is defined on a RADIUS server. The role is defined locally on the device.
  • Page 109: Roles

    Configuring with Web Based Management 4.3 "Information" menu Description of the displayed values • Function Right Shows the number of the function right. Different rights relating to the device parameters are assigned to the numbers. • Description Shows the description of the function right. 4.3.15.3 Roles Note...
  • Page 110: Groups

    Configuring with Web Based Management 4.3 "Information" menu • Description Shows a description of the role. • Remote Access Shows which remote access is currently being used. 4.3.15.4 Groups Note The values displayed depend on the role of the logged-on user. This page shows which group is linked to which role.
  • Page 111: Port Status

    Configuring with Web Based Management 4.3 "Information" menu 4.3.15.5 802.1X Port Status This page shows the status of 802.1X authentication as well as the MAC authentication for the individual ports. Description The table has the following columns: • Port All ports of the device are displayed in this column. •...
  • Page 112: Mac Authentication

    Configuring with Web Based Management 4.3 "Information" menu • MAC Auth. Port Status Shows the status of the MAC authentication for the port. The following options are possible: – "-" MAC authentication is disabled for the port. – Individual MAC authentication is configured for the port. Clients can be authenticated individually with their MAC address.
  • Page 113: Ipsec Vpn (Sc64X-2C)

    Configuring with Web Based Management 4.3 "Information" menu Description The table has the following columns: • VLAN ID Shows the VLAN ID assigned to this MAC address. • MAC Address Shows the MAC address of the node for which the authentication status is displayed. •...
  • Page 114 Configuring with Web Based Management 4.3 "Information" menu • Local DN Shows the Distinguished Name (DN) of the device that was signaled to the remote station during connection establishment. The entry is adopted from the "Local ID" box, the device certificate or the IP address of the device. •...
  • Page 115: Sinema Rc

    Configuring with Web Based Management 4.3 "Information" menu 4.3.17 SINEMA RC Shows information on SINEMA RC Server Description of the displayed values • Status Shows the status of the connection to SINEMA RC Server. • Device Name If configured, the name of the device is displayed. •...
  • Page 116: Openvpn

    Configuring with Web Based Management 4.3 "Information" menu • Type of Connection (Server) Shows which type of connection is set on the SINEMA RC Server. • Type of Connection (Device) Shows which type of connection is set on the device. •...
  • Page 117: Server

    Configuring with Web Based Management 4.3 "Information" menu Description of the displayed values The table contains the following columns: • Name Shows the name of the OpenVPN connection. • Remote Server Shows the IP address or the hostname of the OpenVPN server. •...
  • Page 118: System" Menu

    Configuring with Web Based Management 4.4 "System" menu • Received bytes Shows how many bytes were received. • Sent bytes Shows how many bytes were sent. • Connected since Shows how long a connection has been present. "System" menu 4.4.1 Configuration System configuration The WBM page contains the configuration overview of the access options of the device.
  • Page 119 Configuring with Web Based Management 4.4 "System" menu Description of the displayed boxes The page contains the following boxes: • SSH Server Enable or disable the "SSH Server" service for encrypted access to the CLI. • SSH Port Specify the port for SSH access to the CLI.
  • Page 120 Configuring with Web Based Management 4.4 "System" menu • SSH key exchange algorithm level Configure the level of the SSH key exchange algorithms for SSH access to the CLI. High (default) – curve25519-sha256 – curve25519-sha256@libssh.org – ecdh-sha2-nistp256 – ecdh-sha2-nistp384 – ecdh-sha2-nistp521 –...
  • Page 121 Configuring with Web Based Management 4.4 "System" menu • Min. TLS version Specify the minimum TLS version to be used. • Default Login Page Specify the login page with which the WBM starts by default. – Firewall Logging into the WBM page for dynamic firewall. –...
  • Page 122 Configuring with Web Based Management 4.4 "System" menu • SNMP Select the protocol from the drop-down list. The following settings are possible: – "-" (SNMP disabled) Access to device parameters via SNMP is not possible. – SNMPv1/v2c/v3 Access to device parameters is possible with SNMP versions 1, 2c or 3. You can configure other settings in "System >...
  • Page 123 Configuring with Web Based Management 4.4 "System" menu • Link-layer address (LL) The link-layer address is based on the MAC address. The value is regenerated each time the factory settings are restored. • Configuration mode Select the mode from the drop-down list. The following modes are possible: –...
  • Page 124: General

    Configuring with Web Based Management 4.4 "System" menu 4.4.2 General 4.4.2.1 Devices This WBM page contains the general device information. Description The WBM page contains the following boxes: • Current System Time Shows the current system time. The system time is either set by the user or by a time-of-day frame: either SIMATIC time-of-day frame, NTP or SNTP.
  • Page 125: Coordinates

    Configuring with Web Based Management 4.4 "System" menu • System Contact You can enter the name of a contact person responsible for managing the device. A maximum of 255 characters are possible. • System Location You can enter the location where the device is installed. The entered installation location is displayed in the selection area.
  • Page 126 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes. These are purely information boxes with a maximum length of 32 characters. • "Latitude" input box Geographical latitude: Here, enter the value for the northerly or southerly latitude of the location of the device.
  • Page 127: Dns

    Configuring with Web Based Management 4.4 "System" menu 4.4.3 DNS 4.4.3.1 DNS client On this WBM page you specify whether the device uses the DNS server of the network provider or another DNS server. Description The page contains the following boxes: •...
  • Page 128: Dns Proxy

    Configuring with Web Based Management 4.4 "System" menu • DNS Server Address Shows the IP address of the DNS server. • Origin Shows whether the DNS server was configured manually or was assigned by DHCP. 4.4.3.2 DNS proxy The device provides a DNS server for the local network. If you enter the IP address of the device in the local application as a DNS server, then the device answers the DNS requests from its cache.
  • Page 129 Configuring with Web Based Management 4.4 "System" menu Description The table has the following columns: • Service Shows which providers are supported. • Enabled When enabled, the device logs on to the DDNS server. • Host Enter the host name that you have agreed with your DDNS provider for the device, e.g.
  • Page 130: Dns Records

    Configuring with Web Based Management 4.4 "System" menu 4.4.3.4 DNS Records You configure a DNS address directory on this WBM page. To do this, enter the IPv4 address associated with an FQDN. The device checks incoming DNS requests for a matching entry and converts the URL into the corresponding IPv4 address.
  • Page 131: Restart

    Configuring with Web Based Management 4.4 "System" menu 4.4.4 Restart Resetting to the defaults Using the WBM page, you can restart the device manually or as scheduled. In addition, there are various options for resetting to the device defaults. Note Note the following points about restarting a device: •...
  • Page 132 Configuring with Web Based Management 4.4 "System" menu Description To restart the device, the buttons on this page provide you with the following options: • Restart Click this button to restart the system. You must confirm the restart in a dialog box. During a restart, the device is reinitialized, the internal firmware is reloaded, and the device runs a self-test.
  • Page 133: Load&Save

    ZIP file with the open source software license conditions. Debug This file contains information for Siemens Support. It is encrypted and can be sent by e-mail to Siemens Support without any security risk. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.
  • Page 134 Configuring with Web Based Management 4.4 "System" menu File type: HTTPSCert. Description: Default HTTPS certificates including key. The preset and automatically created HTTPS certificates are self-signed. We strongly recommend that you create your own HTTPS certificates and make them available. We recommend that you use HTTPS certificates signed either by a reliable external or by an internal certification authority.
  • Page 135: Http

    VPN connection can also be loaded. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Configuration files Note Configuration files and Trial mode/Automatic Save In "Automatic Save"...
  • Page 136 Configuring with Web Based Management 4.4 "System" menu required for the diagnostics in STEP 7 Basic/Professional. You can export a corrected configuration and load it as "SINEMAConfig" again using the WBM. • For configuration No connection to a real device is required to configure a device in STEP 7 Basic/Professional.
  • Page 137 Configuring with Web Based Management 4.4 "System" menu • Save With this button, you can download files from the device. The button can only be enabled if this function is supported by the file type and the file exists on the device. •...
  • Page 138: Tftp

    On this page, the certificates required to establish a secure VPN connection can also be loaded. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Configuration files Note Configuration files and Trial mode/Automatic Save In "Automatic Save"...
  • Page 139 Configuring with Web Based Management 4.4 "System" menu CLI script file You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts (Script). Note The downloadable CLI script is not intended to be uploaded again unchanged. CLI commands for saving and loading files cannot be executed with the CLI script file (Script).
  • Page 140 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • TFTP Server Address Enter the IP address or the FQDN (Fully Qualified Domain Name) of the TFTP server with which you exchange data. • TFTP Server Port Enter the port of the TFTP server via which data exchange will be handled.
  • Page 141 Configuring with Web Based Management 4.4 "System" menu • Filename A file name is preset here for every file type. Note Changing the file name You can change the file name preset in this column. After loading on the device, the changed file name can also be used with the Command Line Interface.
  • Page 142: Sftp

    On this page, the certificates required to establish a secure VPN connection can also be loaded. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Configuration files Note Configuration files and Trial mode/Automatic Save In "Automatic Save"...
  • Page 143 Configuring with Web Based Management 4.4 "System" menu CLI script file You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts (Script). Note The downloadable CLI script is not intended to be uploaded again unchanged. CLI commands for saving and loading files cannot be executed with the CLI script file (Script).
  • Page 144 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • SFTP Server Address Enter the IP address or the FQDN of the SFTP server with which you exchange data. • SFTP Server Port Enter the port of the SFTP server via which data exchange will be handled. If necessary, you can change the default value 22 to suit your requirements.
  • Page 145 Configuring with Web Based Management 4.4 "System" menu • Filename A file name is preset here for every file type. Note Changing the file name You can change the file name preset in this column. After loading on the device, the changed file name can also be used with the Command Line Interface.
  • Page 146: Passwords

    Configuring with Web Based Management 4.4 "System" menu Follow the steps below to reuse configuration data: 1. Save the configuration data of a configured device on your PC. 2. Load these configuration files on all other devices you want to configure in this way. 3.
  • Page 147: Events

    Configuring with Web Based Management 4.4 "System" menu • Password Enter the password for the file. • Password Confirmation Confirm the new password. • Status Shows whether the current settings for the file match the device. – Valid The settings are valid. –...
  • Page 148 Configuring with Web Based Management 4.4 "System" menu Description With Table 1, you can enable or disable all check boxes of a column of Table 2 at once. Table 1 has the following columns: • All Events Shows that the settings are valid for all events of table 2. •...
  • Page 149 Configuring with Web Based Management 4.4 "System" menu Table 2 has the following columns: • Event The "Event" column contains the following: – Cold/Warm Start The device was turned on or restarted by the user. In the error memory of the device a new entry is generated with the type of restart performed.
  • Page 150 Configuring with Web Based Management 4.4 "System" menu – FMP Status Change The value of the received power or the power loss has exceeded or fallen below a certain limit. Note You can only configure this event in devices that support FMP. –...
  • Page 151: Severity Filters

    Configuring with Web Based Management 4.4 "System" menu • VPN Tunnel Controls the forwarding of an event to a VPN connection (IPsec, SINEMA RC). As long as the event is present, the VPN connection is switched to active. • Firewall Controls application of the user-defined rule set.
  • Page 152: Smtp Client

    Configuring with Web Based Management 4.4 "System" menu Description The table has the following columns: • Client Type Select the client type for which you want to make settings: – Log Table Entry of system events in the log table. –...
  • Page 153 Configuring with Web Based Management 4.4 "System" menu Requirements for sending e-mails • "E-mail" is activated for the relevant event in "System > Events > Configuration". • The desired severity is configured under "System > Events > Severity level". • At least one entry exists under "System > SMTP Client > Receiver" and the setting "Send"...
  • Page 154 Configuring with Web Based Management 4.4 "System" menu • Security Specify whether transfer of the e-mail from the device to the SMTP server is encrypted. This is only possible when the SMTP server supports the selected setting. Note 2-factor authentication (2FA) 2-factor authentication is not supported.
  • Page 155: Receiver

    Configuring with Web Based Management 4.4 "System" menu Testing the configuration of the SMTP server 1. Configure receivers – Click the "Receiver" tab. – Select the desired SMTP server under "SMTP server". – Enter the desired address under "SMTP Receiver Email Address". –...
  • Page 156: Dhcp

    Configuring with Web Based Management 4.4 "System" menu The table contains the following columns: • Select Select the check box in a row to be deleted. • SMTP Server Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server to which the entry relates.
  • Page 157 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • Keep Alive When this is enabled, the IP address is retained in the event of a connection breakdown and is not reset to 0.0.0.0. Keep Alive is enabled by default. When Keep Alive is disabled, the IP address is reset to 0.0.0.0 in the event of a communication breakdown.
  • Page 158: Dhcp Server

    Configuring with Web Based Management 4.4 "System" menu Procedure Follow the steps below to configure the IP address using the DHCP client ID: 1. Select the identification method in the "DHCP Mode" drop-down list. If you select the DHCP mode "via DHCP Client ID" an input box appears. In the enabled input box "DHCP client ID"...
  • Page 159 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • DHCP Server Enable or disable the DHCP server on the device. Note To avoid conflicts with IPv4 addresses, only one device may be configured as a DHCP server in the network.
  • Page 160: Dhcp Options

    Configuring with Web Based Management 4.4 "System" menu • Lower IP Address Enter the IPv4 address that specifies the start of the dynamic IPv4 address band. The IPv4 address must be within the network address range you configured for "Subnet". •...
  • Page 161 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • Pool ID Select the required address band. • Option Value Enter the number of the required DHCP option. Note DHCP options supported The DHCP options 1, 3, 6, 12, 15, 66, 67 are supported. The DHCP options are created automatically when the IPv4 address band is created.
  • Page 162 Configuring with Web Based Management 4.4 "System" menu • Use Interface IP Specify whether or not the internal IP address of the device will be used. • Value Enter the DHCP parameter that is transferred to the DHCP client. The content depends on the DHCP option.
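The DHCP option set listed above (options 1, 3, 6, 12, 15, 66 and 67), as an added example that is not Siemens code and not from the manual: it shows what the readable "Value" box becomes on the wire as an RFC 2132 code/length/payload triple, and parses it back while rejecting truncated or unsupported options. The handling of "Use Interface IP" (value `None` on an address option substitutes an assumed interface address) is an assumption about the device's behaviour, not documented.

```python
"""Wire encoding of the DHCP options the SC-600 DHCP server supports.

Added example (not Siemens code). Each WBM "Value" becomes an RFC 2132
option TLV; the decoder checks the field on the way back.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Union

# Option codes from the manual, with their RFC 2132 names and payload kinds:
# "ip" = exactly one IPv4 address, "iplist" = one or more IPv4 addresses,
# "str" = non-empty ASCII text.
SUPPORTED = {
    1: ("subnet-mask", "ip"),
    3: ("router", "iplist"),
    6: ("domain-name-server", "iplist"),
    12: ("host-name", "str"),
    15: ("domain-name", "str"),
    66: ("tftp-server-name", "str"),
    67: ("bootfile-name", "str"),
}
PAD, END = 0, 255
Value = Union[str, Sequence[str], None]


def encode_option(code: int, value: Value, interface_ip: Optional[str] = None) -> bytes:
    """Return one option as code || length || payload.

    value=None on an address-list option models the "Use Interface IP"
    setting (assumption): the device's own interface address is handed out.
    """
    if code not in SUPPORTED:
        raise ValueError(f"option {code} is not supported by this DHCP server")
    name, kind = SUPPORTED[code]
    if kind == "ip":
        payload = ipaddress.IPv4Address(value).packed
    elif kind == "iplist":
        if value is None:
            if interface_ip is None:
                raise ValueError(f"{name}: Use Interface IP set but no interface IP given")
            value = [interface_ip]
        addrs = [value] if isinstance(value, str) else list(value)
        if not addrs:
            raise ValueError(f"{name}: at least one address is required")
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    else:
        if not value:
            raise ValueError(f"{name}: value must not be empty")
        payload = str(value).encode("ascii")
    if len(payload) > 255:
        raise ValueError(f"{name}: payload exceeds the one-byte DHCP length field")
    return bytes([code, len(payload)]) + payload


def encode_options(options: Dict[int, Value], interface_ip: Optional[str] = None) -> bytes:
    """Encode a whole option set in ascending code order, terminated by END."""
    body = b"".join(encode_option(c, options[c], interface_ip) for c in sorted(options))
    return body + bytes([END])


def decode_options(data: bytes) -> Dict[int, Union[str, List[str]]]:
    """Parse a TLV option field back into readable values; reject malformed input."""
    out: Dict[int, Union[str, List[str]]] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == END:
            return out
        if i + 2 > len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: truncated payload")
        if code not in SUPPORTED:
            raise ValueError(f"option {code} is not supported")
        name, kind = SUPPORTED[code]
        if kind == "ip":
            if length != 4:
                raise ValueError(f"{name}: expected 4 bytes, got {length}")
            out[code] = str(ipaddress.IPv4Address(payload))
        elif kind == "iplist":
            if length == 0 or length % 4:
                raise ValueError(f"{name}: length {length} is not a multiple of 4")
            out[code] = [str(ipaddress.IPv4Address(payload[j:j + 4])) for j in range(0, length, 4)]
        else:
            if length == 0:
                raise ValueError(f"{name}: empty string")
            out[code] = payload.decode("ascii")
        i += 2 + length
    raise ValueError("option field has no END (255) marker")


# Constructed sample: an address band on 192.0.2.0/24 where the device itself
# (assumed interface IP 192.0.2.1) is handed out as the router via "Use Interface IP".
SAMPLE = {1: "255.255.255.0", 3: None, 6: ["192.0.2.1", "192.0.2.53"],
          12: "plc-01", 15: "plant.example", 66: "192.0.2.10", 67: "boot.bin"}

if __name__ == "__main__":
    wire = encode_options(SAMPLE, interface_ip="192.0.2.1")
    print(wire.hex())
    print(decode_options(wire))
```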
  • Page 163: Static Leases

    Configuring with Web Based Management 4.4 "System" menu 4.4.8.4 Static Leases On this page you specify that certain devices will be assigned a certain IP address. The address assignment is made based on the MAC address, the client ID or the DUID. Description The page contains the following boxes: •...
  • Page 164 Configuring with Web Based Management 4.4 "System" menu Note The maximum is 128 entries. The table has the following columns: • Select Select the check box in the row to be deleted. • Pool ID Shows the number of the address band. •...
  • Page 165: Snmp

    Configuring with Web Based Management 4.4 "System" menu 4.4.9 SNMP 4.4.9.1 General Configuration of SNMP On this page, you make the basic settings for SNMP. Enable the check boxes according to the function you want to use. Description The page contains the following boxes: •...
  • Page 166 Configuring with Web Based Management 4.4 "System" menu • SNMPv1/v2c Read-Only If you enable this option, SNMPv1/v2c can only read the SNMP variables. Note Community String For security reasons, do not use the standard values "public" or "private". Change the community strings following the initial installation.
  • Page 167: Snmpv3 Users

    Configuring with Web Based Management 4.4 "System" menu Procedure 1. Select the required option from the "SNMP" drop-down list: – "-" (disabled) – SNMPv1/v2c/v3 – SNMPv3 2. Enable the "SNMPv1/v2c Read Only" check box if you only want read access to SNMP variables with SNMPv1/v2c.
  • Page 168 Configuring with Web Based Management 4.4 "System" menu The table has the following columns: • Select Select the row you want to delete. • User Name Shows the created users. • Authentication Protocol Specify the authentication protocol for which a password will be stored. The following settings are available: –...
  • Page 169 Configuring with Web Based Management 4.4 "System" menu • Privacy Password Enter your encryption password. This password must have at least 1 character; the maximum length is 32 characters. Note Length of the password As an important measure to maximize security, we recommend that the password has a minimum length of 6 characters and that it contains special characters, uppercase/lowercase letters and numbers.
  • Page 170: Snmpv3 User To Group Mapping

    Configuring with Web Based Management 4.4 "System" menu 4.4.9.3 SNMPv3 User to Group mapping Configuration of group members You assign users to SNMPv3 groups on this WBM page. Each user can only be a member of one group. Description The page contains the following boxes: •...
  • Page 171: Snmpv3 Access

    Configuring with Web Based Management 4.4 "System" menu 4.4.9.4 SNMPv3 Access Security settings and assigning permissions SNMP version 3 allows permissions to be assigned and provides authentication and encryption at protocol level. The security level and read/write permissions are assigned according to groups.
  • Page 172 Configuring with Web Based Management 4.4 "System" menu The table has the following columns: • Select Select the row you want to delete. • Group Name Shows the name of the SNMPv3 group. • Security Level Shows the security level to which this access permission applies. •...
  • Page 173: Snmpv3 Views

    Configuring with Web Based Management 4.4 "System" menu 4.4.9.5 SNMPv3 Views Configuration of SNMPv3 views You configure the parameters of SNMP views on this WBM page. Note Controlling the SNMPv1 and SNMPv2c access The preconfigured SIMATICNETRD and SIMATICNETWR views are used internally to control the SNMPv1 and SNMPv2c access.
  • Page 174 Configuring with Web Based Management 4.4 "System" menu • MIB Tree Select the Object Identifier (OID) of the MIB area that is to be used for the SNMPv3 view. The following options are possible: – iso – std – member-body –...
  • Page 175: Notifications

    Configuring with Web Based Management 4.4 "System" menu 4.4.9.6 Notifications SNMP traps and SNMPv3 notifications If an alarm event occurs, a device can send SNMP notifications (traps and inform notifications) to up to ten different management stations at the same time. Notifications are only sent for events that were specified in the "Events"...
  • Page 176 Configuring with Web Based Management 4.4 "System" menu • Notification Receiver Type The receiver type defines the SNMP version and the type of notification. SNMP inform notifications must be acknowledged by the receiver; SNMP traps are not acknowledged. The following options are possible: –...
  • Page 177: System Time

    Configuring with Web Based Management 4.4 "System" menu Procedure Configuring a notification 1. Select the receiver for SNMPv3 notifications in the "SNMPv3 Notify User" drop-down list. 2. Select the security level for SNMPv3 notifications in the "SNMPv3 Notify Security Level" drop-down list. 3.
  • Page 178: Manual Setting

    Configuring with Web Based Management 4.4 "System" menu 4.4.10.1 Manual Setting Manual setting of the system time On this page, you set the date and time of the system yourself. For this setting to be used, enable "Time Manually". Description The page contains the following boxes: •...
  • Page 179 Configuring with Web Based Management 4.4 "System" menu • Last Synchronization Mechanism Shows how the last time synchronization was performed. – Not set The time was not set. – Manual Manual time setting – SNTP Automatic time-of-day synchronization with SNTP –...
  • Page 180: Dst Overview

    Configuring with Web Based Management 4.4 "System" menu 4.4.10.2 DST Overview Daylight saving time switchover On this page, you can create new entries for the daylight saving time changeover. The table provides an overview of the existing entries. Settings The page contains the following boxes: •...
  • Page 181 Configuring with Web Based Management 4.4 "System" menu • Status Shows the status of the entry: – Enabled The entry was created correctly. – Invalid The entry was created new and the start and end date are identical. • Type Shows how the daylight saving time changeover is made: –...
  • Page 182: Dst Configuration

    Configuring with Web Based Management 4.4 "System" menu Deleting an entry 1. Enable "Select" in the row to be deleted. 2. Click the "Delete" button. The entry is deleted. 4.4.10.3 DST Configuration Configuring the daylight saving time switchover On this page, you can configure the entries for the daylight saving time changeover. As a result of the changeover to daylight saving or standard time, the system time for the local time zone is correctly set.
  • Page 183 Configuring with Web Based Management 4.4 "System" menu You can set a fixed date for the start and end of daylight saving time. • Year Enter the year for the daylight saving time changeover. • Start Date Enter the following values for the start of daylight saving time: –...
  • Page 184 Configuring with Web Based Management 4.4 "System" menu Settings with "Recurring" selected You can create a rule for the daylight saving time changeover. • Year Enter the year for the daylight saving time changeover. • Start Date Enter the following values for the start of daylight saving time: –...
  • Page 185: Sntp Client

    Configuring with Web Based Management 4.4 "System" menu • End Date Enter the following values for the end of daylight saving time: – Hour Enter the hour. – Month Enter the month. – Week Enter the week. You can select the first to fourth or the last week of the month. –...
  • Page 186 Configuring with Web Based Management 4.4 "System" menu Requirement To receive the SNTP frames, enable the entry "System Time" under "Security > Firewall > Predefined IPv4 rules". Description The page contains the following boxes: • SNTP Client When enabled, the device receives the system time from an SNTP server. •...
  • Page 187 Configuring with Web Based Management 4.4 "System" menu • Last Synchronization Mechanism Shows how the last time synchronization was performed. The following types are possible: – Not set The time was not set. – Manual Manual time setting – SNTP Automatic time-of-day synchronization with SNTP –...
  • Page 188 Configuring with Web Based Management 4.4 "System" menu • Poll Interval[s] Enter the interval between two time queries in seconds. Possible values are 16 to 16284 seconds. • SNTP Server Address Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the SNTP server.
  • Page 189: Ntp Client

    Configuring with Web Based Management 4.4 "System" menu 5. In "SNTP Server Port", enter the port via which the SNTP server is available. The port can only be modified if the IP address of the SNTP server is entered. 6. In "Poll Interval[s]", enter the time in seconds after which a new time query is sent to the time server.
  • Page 190 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • NTP client When enabled, the device receives the system time from an NTP server. • Secure NTP Client only When enabled, the device receives the system time from a secure NTP server. The setting applies to all server entries.
  • Page 191 Configuring with Web Based Management 4.4 "System" menu • Daylight Saving Time Shows whether the daylight saving time changeover is active. – active (offset +1 h) The system time was changed to daylight saving time; in other words, an hour was added.
  • Page 192 Configuring with Web Based Management 4.4 "System" menu • Key Enter the authentication key. The length depends on the hash algorithm. – DES: ASCII 8 characters – MD5: ASCII 16 – 128 characters – SHA1: ASCII 20 – 128 characters •...
  • Page 193: Simatic Time Client

    Configuring with Web Based Management 4.4 "System" menu 4.4.10.6 SIMATIC Time Client Time setting via SIMATIC time client Note To avoid time jumps, make sure that there is only one time server in the network. Description The page contains the following boxes: •...
  • Page 194: Ntp Server

    Configuring with Web Based Management 4.4 "System" menu • Last Synchronization Time Shows when the last time-of-day synchronization took place. • Last Synchronization Mechanism Shows how the last time synchronization was performed. The following methods are possible: – Not set The time was not set.
  • Page 195 Configuring with Web Based Management 4.4 "System" menu Requirement • To receive the NTP frames, enable the entry "System Time" under "Security > Firewall > Predefined IPv4 rules". Description The page contains the following boxes: • NTP Server Enable or disable the service of the NTP server. Note SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.
  • Page 196: Auto Logout

    Configuring with Web Based Management 4.4 "System" menu The following columns are only relevant for "NTP (secure)". Otherwise, these boxes cannot be edited: • Key ID Enter the ID of the authentication key. • Hash Algorithm Specify the format for the authentication key. •...
  • Page 197: Button

    Configuring with Web Based Management 4.4 "System" menu 4.4.12 Button Functionality The SET button is used for: • Resetting to factory settings. • Defining the fault mask and the LED display. You will find a detailed description of the functions in the operating instructions for the device.
  • Page 198: Syslog Client

    Configuring with Web Based Management 4.4 "System" menu Configuration procedure 1. To use the functionality, select the corresponding check box. 2. Click the "Set Values" button. See also Upkeep and maintenance (Page 347) 4.4.13 Syslog client On this page, you configure the Syslog client. The Syslog messages can be sent to the Syslog server unencrypted or encrypted.
  • Page 199 Configuring with Web Based Management 4.4 "System" menu This table contains the following columns • Select Select the row you want to delete. • Syslog Server Address Shows the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the Syslog server.
  • Page 200: Ports

    Configuring with Web Based Management 4.4 "System" menu 4.4.14 Ports 4.4.14.1 Overview The page shows the configuration for the data transfer for all ports of the device. You cannot configure anything on this page. Description The table has the following columns: •...
  • Page 201 Configuring with Web Based Management 4.4 "System" menu • OperState Displays the current operational status. The operational status depends on the configured "Status" and the "Link". The following options are possible: – Up You have configured the status "enabled" for the port and the port has a valid connection to the network.
  • Page 202 Configuring with Web Based Management 4.4 "System" menu Deviating display of the transmission parameters with combo ports In the connection status "down", the displayed transmission parameters do not match the actual values of the combo port. In the connection status "up", the correct values are displayed.
  • Page 203: Configuration

    Configuring with Web Based Management 4.4 "System" menu 4.4.14.2 Configuration Configuring ports With this page, you can configure all the ports of the device. Description • Port Select the port to be configured from the drop-down list. • Status Specify whether the port is enabled or disabled. –...
  • Page 204 Configuring with Web Based Management 4.4 "System" menu The port is disabled and the connection to the partner device is terminated. • Port Name Here, enter a name for the port. • MAC Address Shows the MAC address of the port. •...
  • Page 205 Configuring with Web Based Management 4.4 "System" menu • Port Type Select the type of port from the drop-down list. – Switch-Port VLAN Hybrid The port sends tagged and untagged frames. It is not automatically a member of a VLAN. –...
  • Page 206 Configuring with Web Based Management 4.4 "System" menu Note Automatic adaptation due to PROFINET configuration When establishing a PROFINET connection, the setting of the combo port media type is adapted automatically: • If a pluggable transceiver is configured, the combo port media type will be set to "sfp".
  • Page 207 Configuring with Web Based Management 4.4 "System" menu • Blocked by • Shows why the port is in the "blocked" status: – - The port is not blocked. – Admin down The status "disabled" is configured for the port, see "System > Ports > Configuration".
  • Page 208: Fault Monitoring

    Configuring with Web Based Management 4.4 "System" menu 4.4.15 Fault monitoring 4.4.15.1 Power supply Settings for monitoring the power supply Configure whether or not the power supply should be monitored by the messaging system. With a redundant power supply, configure the monitoring separately for each individual feed-in line.
  • Page 209: Link Change

    Configuring with Web Based Management 4.4 "System" menu 4.4.15.2 Link Change Configuration of fault monitoring of status changes on connections On this page, you configure whether or not an error message is triggered if there is a status change on a network connection. If connection monitoring is enabled, an error is signaled •...
  • Page 210 Configuring with Web Based Management 4.4 "System" menu Table 2 has the following columns: • Port Shows the available ports. The port is made up of the module number and the port number, for example port 0.1 is module 0, port 1. •...
  • Page 211: Plug

    Configuring with Web Based Management 4.4 "System" menu 4.4.16 PLUG 4.4.16.1 Configuration NOTICE Do not remove or insert a C-PLUG / KEY-PLUG during operation! A PLUG may only be removed or inserted when the device is turned off. The device checks whether a PLUG is present at one second intervals. If it is detected that the PLUG was removed, there is a restart.
  • Page 212 Configuring with Web Based Management 4.4 "System" menu Description The table has the following rows: • Status Shows the status of the PLUG. The following are possible: – ACCEPTED There is a PLUG with a valid and suitable configuration in the device. –...
  • Page 213 Configuring with Web Based Management 4.4 "System" menu • Device Type Shows the device type within the product line that used the C-PLUG or KEY-PLUG previously. • Configuration Revision The version of the configuration structure. This information relates to the configuration options supported by the device and has nothing to do with the concrete hardware configuration.
  • Page 214: License

    Configuring with Web Based Management 4.4 "System" menu Procedure 1. You can only make settings in this box if you are logged on as "Administrator". Here, you decide how you want to change the content of the PLUG. 2. Select the required option from the "Modify PLUG" drop-down list. 3.
  • Page 215 Configuring with Web Based Management 4.4 "System" menu Description • Status Shows the status of the KEY-PLUG. The following are possible: – ACCEPTED There is a KEY-PLUG with a valid and matching license in the device. – NOT ACCEPTED The license of the inserted KEY-PLUG is not valid. –...
  • Page 216: Ping

    Configuring with Web Based Management 4.4 "System" menu • Serial Number Shows the serial number of the KEY-PLUG. • Info String Shows additional information about the device that used the KEY-PLUG previously, for example, article number, type designation, and the versions of the hardware and software.
  • Page 217: Dcp Discovery

    Configuring with Web Based Management 4.4 "System" menu Description The table has the following columns: • Destination Address Enter the IPv4 address or FQDN of the device. • Repeat Enter the number of ping requests. • Ping Click this button to start the ping function. •...
  • Page 218 Configuring with Web Based Management 4.4 "System" menu Requirement: To adapt network parameters, DCP requires write access to the device. If access is write-protected, the network parameters cannot be configured. On devices, you configure access under "System > Configuration". Description The page contains the following boxes: •...
  • Page 219 Configuring with Web Based Management 4.4 "System" menu • Status Device Name – Discovered: The set device name is used. – Configured: The device was assigned a new device name. • Status IP Address – Discovered/IP: The device uses a static IPv4 address. –...
  • Page 220: Port Diagnostics

    Configuring with Web Based Management 4.4 "System" menu 4.4.19 Port diagnostics 4.4.19.1 Cable tester With this page, each individual Ethernet port can run independent fault diagnostics on the cable. This test is performed without needing to remove the cable, connect a cable tester and install a loopback module at the other end.
  • Page 221: Sfp Diagnostics

    Configuring with Web Based Management 4.4 "System" menu The table contains the following columns: • Pair Shows the wire pair in the cable. Note Wire pairs Wire pairs 4-5 and 7-8 of 10/100 Mbps network cables are not used. 1000 Mbps or gigabit Ethernet uses all 4 wire pairs. The wire pair assignment - pin assignment is as follows (DIN 50173): Pair 1 = pin 4-5 Pair 2 = pin 1-2...
  • Page 222 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • Port Select the required port from the drop-down list. • Refresh Refreshes the display of the values of the set port. The result is shown in the table. The values are shown in the following boxes: •...
  • Page 223: Crsp / Srs

    To use the platform, additional service contracts are necessary and certain constraints must be kept to. If you are interested in cRSP / SRS, call your local Siemens contact or visit Web page (https://support.industry.siemens.com/cs/de/en/sc/2281).
  • Page 224 Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: • Enable DDNS for cRSP / SRS Enable or disable the use of cRSP / SRS. • Update Interval [s] Enter the time interval. • Validate Server Certificate When enabled, the device checks the validity of the received server certificate.
  • Page 225: Proxy Server

    Configuring with Web Based Management 4.4 "System" menu • Query A query can contain parameter values for an application. – WAN_IP (keyword): Replaces WAN_IP with current external IP address of the device to the destination server. • Frag. Addresses local parts of the resource, e.g. the anchor attribute of a Web page. •...
  • Page 226 Configuring with Web Based Management 4.4 "System" menu • Type Specify the type of the proxy server. – HTTP: Proxy server only for access using HTTP. – SOCKS: Universal proxy server • Port Enter the port on which the proxy service runs. •...
  • Page 227: Sinema Rc

    Configuring with Web Based Management 4.4 "System" menu 4.4.22 SINEMA RC On the WBM page, you configure the access to the SINEMA RC server. Description The page contains the following: • Enable SINEMA RC – Enabled A connection to the configured SINEMA RC Server is established. These boxes cannot be edited.
  • Page 228 Configuring with Web Based Management 4.4 "System" menu "Server settings" area • SINEMA RC Address Enter the IP address or the FQDN (Fully Qualified Domain Name) of the SINEMA RC Server. • SINEMA RC Port Enter the port via which the SINEMA RC Server can be reached. "Server Verification"...
  • Page 229 Configuring with Web Based Management 4.4 "System" menu "Optional Settings" area • Auto Firewall/NAT Rules – Enabled The firewall and NAT rules are created automatically for the VPN connection. The connections between the configured exported subnets and the subnets that can be reached via the SINEMA RC Server are allowed.
  • Page 230: "Layer 2" Menu
    Configuring with Web Based Management 4.5 "Layer 2" menu "Layer 2" menu 4.5.1 Configuration Configuring layer 2 On this page, you create a basic configuration for the functions of layer 2. Description • Dynamic MAC Aging Enable or disable the "Aging" mechanism. You can configure other settings under "Layer 2 >...
  • Page 231: VLAN
    If you select "Spanning Tree" in the "Redundancy Type" drop-down list, the following options are then available: • STP Enabled Spanning Tree Protocol. Typical reconfiguration times with spanning tree are between 20 and 30 seconds. You can configure other settings in "Layer 2 > Spanning Tree".
  • Page 232 Description The page contains the following boxes: • Base Bridge Mode – 802.1Q VLAN Bridge Sets the mode "VLAN-aware" for the device. In this mode, VLAN information is taken into account. •...
  • Page 233 • Status Shows the status type of the entry in the internal port filter table. Here, "Static" means that the VLAN was entered statically by the user. • List of ports Specify the use of the port.
  • Page 234: Port Based VLAN
    4.5.2.2 Port Based VLAN Processing received frames On this WBM page, you specify the configuration of the port properties for receiving frames. Description Table 1 has the following columns: • All ports Shows that the settings are valid for all ports of table 2.
  • Page 235 • Port VID Select the required VLAN ID. Only VLAN IDs defined in "VLAN > General" can be selected. If a received frame does not have a VLAN tag, it has a tag with the VLAN ID specified here added to it and is sent according to the rules at the port.
  • Page 236: Dynamic MAC Aging
    4.5.3 Dynamic MAC Aging Protocol settings and switch functionality The device automatically learns the source addresses of the connected nodes. This information is used to forward frames to the nodes specifically involved. This reduces the network load for the other nodes.
  • Page 237: Ring Redundancy (SC6x6-2C)
    4.5.4 Ring redundancy (SC6x6-2C) 4.5.4.1 Ring Rules for ring redundancy Factory settings • The factory setting defines ports P0.1 and P0.2 as ring ports. Enabling redundancy You can enable ring redundancy as follows: •...
  • Page 238: Spanning Tree
    Restoring factory settings If you have restored the factory defaults, ring redundancy is disabled and the default ports are used as the ring ports. This can lead to circulating frames and failure of the data traffic if other settings were used in a previous configuration.
  • Page 239: ST General
    Configuration procedure 1. Select the "Spanning Tree" check box. 2. From the "Protocol Compatibility" drop-down list, select the type of compatibility. 3. Click the "Set Values" button. 4.5.5.2 ST general The page consists of the following parts. •...
  • Page 240 Description The page contains the following boxes: • Bridge Priority / Root Priority Which device becomes the root bridge is decided by the bridge priority. The bridge with the highest priority (in other words, with the lowest value for this parameter) becomes the root bridge.
  • Page 241: ST Port
    4.5.5.3 ST Port When the page is called, the table displays the current status of the configuration of the port parameters. To configure them, click the relevant cells in the port table. Description Table 1 has the following columns: •...
  • Page 242 the same. The value must be divisible by 16. If the value cannot be divided by 16, the value is automatically adapted. Range of values: 0 - 240. The default is 128. •...
  • Page 243 • Edge Type Specify the type of the "Edge Port". You have the following options: – "-" Edge port is disabled. The port is treated as a "no Edge Port". – Admin Select this option when there is always an end device on this port.
  • Page 244: LLDP
    • Restr. Role If this check box is selected, the corresponding port is not selected as root port, regardless of the priority value. If the check box is selected, the port with the lowest priority also does not become the root port.
  • Page 245 Description Table 1 has the following columns: • All Ports Shows that the settings are valid for all ports. • Setting Select the setting from the drop-down list. If "No Change" is selected, the entry in table 2 remains unchanged.
  • Page 246: Fiber Monitoring Protocol
    4.5.7 Fiber Monitoring Protocol Requirements • You can only use Fiber Monitoring with transceivers capable of diagnostics. Note the documentation of the devices. • To be able to use the Fiber Monitoring function, enable LLDP. The Fiber Monitoring information is appended to the LLDP packets.
  • Page 247 Description of the displayed boxes In the table you can specify the limit values for the measured received power to be monitored and the calculated power loss. • Port Shows the optical ports that support Fiber Monitoring. This depends on the transceivers.
  • Page 248: Unicast
    • Power Loss [dB] Maintenance Required (Warning) Specify the value at which you are informed of the power loss of the connection by a message of the severity level "Warning". If you enter the value "0", the power loss is not monitored. Default: -50 dB •...
  • Page 249 Description of the displayed boxes The page contains the following boxes: • VLAN ID Select the VLAN ID in which you configure a new static MAC address. If nothing is set, "VLAN1" is set as the basic setting. •...
  • Page 250: Locked Ports
    Configuration procedure To edit the entries, follow the steps below. Creating a new entry 1. Select the relevant VLAN ID. 2. Enter the MAC address in the "MAC address" input box. 3.
  • Page 251 Description of the displayed boxes Table 1 has the following columns: • 1st column Shows that the settings are valid for all ports of table 2. • Setting Select the setting from the drop-down list. You have the following setting options: –...
  • Page 252: Blocking
    Enabling access control for all ports 1. In the "Setting" drop-down list in Table 1, select the "Enabled" entry. 2. Click the "Copy to Table" button. The check box is enabled for all ports in table 2. 3.
  • Page 253: Multicast
    Table 2 has the following columns: • Port All available ports are listed in this column. Unavailable ports are not displayed. • Setting Enable or disable the blocking of unicast frames. Steps in configuration Enabling blocking for an individual port 1.
  • Page 254 Description of the displayed boxes The page contains the following boxes: • VLAN ID If you click on this text box, a drop-down list is displayed. Here you can select the VLAN ID of a new MAC address you want to configure.
  • Page 255: Blocking
    4.5.9.2 Blocking Disabling the forwarding of unknown multicast frames On this page, you can block the forwarding of unknown multicast frames for individual ports. Description of the displayed values Table 1 has the following columns: •...
  • Page 256: Inter-VLAN Bridge (SC63x/SC64x)
    Steps in configuration Enabling blocking for an individual port 1. Select the check box in the relevant row in table 2. 2. To apply the changes, click the "Set Values" button. Enabling blocking for all ports 1.
  • Page 257 The table has the following columns: • Select Select the row you want to delete. • Bridge-ID Shows the bridge ID. • Transparent When you enable this option, the Inter-VLAN Bridge and the associated VLANs are switched to transparent mode when the bridge is activated.
  • Page 258: Configuration
    4.5.10.2 Configuration Configuration On this page you specify the VLANs between which a bridge is to be set up and which VLAN is to be used as master VLAN. You select the bridge you want to use by using its Bridge-ID that was created in the "Overview"...
  • Page 259: "Layer 3" Menu
    Configuring with Web Based Management 4.6 "Layer 3" menu "Layer 3" menu 4.6.1 Subnets 4.6.1.1 Overview The page shows the subnets for the selected interface. A subnet always relates to an interface and is created in the "Configuration" tab. Description The page contains the following box: •...
  • Page 260 • Address Type Shows the address type. The following values are possible: – Primary The first IPv4 address that was configured on an IPv4 interface. – Secondary All other IPv4 addresses that were configured on the IPv4 interface.
  • Page 261 • IP Assignment Method Shows how the IPv4 address is assigned. The following values are possible: – Static The IPv4 address is static. You enter the settings in "IP Address" and "Subnet Mask".
  • Page 262: Configuration
    4.6.1.2 Configuration On this page, you configure the subnet for the interface. Description The page contains the following: • Interface (Name) Select the interface from the drop-down list. • Status Enable or disable the interface. •...
  • Page 263: NAT
    • Address Type Shows the address type. The following values are possible: – Primary The first subnet of the interface. – Secondary All further subnets of the interface. • TIA Interface Select whether or not this interface should become the TIA Interface.
  • Page 264: Masquerading
    4.6.2.2 Masquerading On this WBM page, you enable the rules for IP masquerading. Description The table has the following columns: • Interface Interface to which the setting relates. Only interfaces with configured subnets are available.
  • Page 265 Description The page contains the following boxes: • Source Interface Select the interface at which the queries will arrive. • Traffic Type Specify the protocol for which the address assignment is valid. •...
  • Page 266: Source NAT
    The table has the following columns: • Select Select the check box in the row to be deleted. • Source Interface Shows the interface from which the packets need to come. Only these packets are considered for port forwarding.
  • Page 267 Note Firewall rule with source NAT Address translation with source NAT is only performed after the firewall; the non-translated addresses are therefore used. Security > Firewall > IP rules • Source (Range): Input from "Source IP Addresses" •...
  • Page 268: NETMAP
    • Translated Source IP Address Enter the IP address with which the IP address of the sender is replaced. Can only be edited if "Use Interface IP from Destination Interface" is disabled. •...
  • Page 269 Note Firewall rule with source NAT Address translation with source NAT is only performed after the firewall; the non-translated addresses are therefore used. Security > Firewall > IP rules • Source (Range): Input from "Source IP Subnet" •...
  • Page 270 • Destination Interface Specify the destination interface. – VLANx: VLANs with configured subnet – SINEMA RC: Connection to SINEMA RC Server – IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection •...
  • Page 271 • Bidirectional rule When this is enabled, the NETMAP rule for the opposite direction is automatically created when the NETMAP rule is created. The NETMAP rules are not connected to one another after creation. This means no synchronization of the NETMAP rules when they are changed or deleted.
  • Page 272: Static Routes
    • Alias IP When enabled, Alias IP addresses are created for the implemented address range. Enabled automatically when a /32 address is entered. – Source: For all IP addresses entered in the "Translated Source IP Subnet" field, Alias IP addresses are created at the "Destination Interface".
  • Page 273 Description The page contains the following boxes: • Destination Network Enter the network address of the destination that can be reached via this route. • Subnet Mask Enter the corresponding subnet mask. •...
  • Page 274: VRRPv3
    Procedure 1. Enter the network address of the destination in the "Destination Network" input box. 2. Enter the corresponding subnet mask in the "Subnet Mask" input box. 3. For "Interface", select the entry "auto". 4.
  • Page 275 Description of the displayed values The page contains the following boxes: • VRRPv3 Enable or disable routing using VRRPv3. • Reply to pings on virtual interfaces When enabled, the virtual IPv4 addresses also reply to the ping. •...
  • Page 276 • Router State Shows the current status of the virtual router. Possible values are: – Master The router is the Master router and handles the routing functionality for all assigned IP addresses. –...
  • Page 277: Configuration
    6. Select the "VRID Tracking" check box to monitor the VRID. 7. Click the "Set Values" button. To configure the virtual router, click on the "Configuration" tab. 4.6.4.2 Configuration Introduction On this page, you configure the virtual router. Description of the displayed values The page contains the following boxes: •...
  • Page 278 • Advertisement Interval Enter the interval in seconds after which a master router sends a VRRP packet again. • Preempt lower priority Master Allow the precedence when changing roles between backup and master based on the selection process.
  • Page 279: Addresses Overview
    4.6.4.3 Addresses Overview Overview This page shows which IPv4 addresses are monitored by the virtual router. Each virtual router can monitor one IPv4 address. Description of the displayed boxes: The table has the following columns: •...
  • Page 280: Address Configuration
    4.6.4.4 Address Configuration Creating or changing the assigned IPv4 addresses On this page, you can create, modify or delete the IPv4 addresses to be monitored. Each virtual router can monitor one IPv4 address. Description of the displayed values The page contains the following boxes: •...
  • Page 281: Interface Tracking
    4.6.4.5 Interface Tracking Introduction On this page, you configure the monitoring of interfaces. When the link of a monitored interface changes from "up" to "down", the priority of the assigned VRRP interface is reduced. You configure the value by which the priority is reduced on the page "Layer 3 >...
  • Page 282: Address Tracking
    The table has the following columns: • Select Select the check box in the row to be deleted. • Track ID Shows the track ID. • Interface Shows the interface that is being monitored. Steps in configuration 1.
  • Page 283 Description The page contains the following boxes: • Track ID Enter the track ID. • IP Address Enter the IPv4 address to be monitored. You can enter a maximum of five IPv4 addresses.
  • Page 284: "Security" Menu
    Configuring with Web Based Management 4.7 "Security" menu "Security" menu 4.7.1 Users 4.7.1.1 Local Users User accounts On this page, you create local user accounts with the corresponding rights. To be able to create a user account, the logged-in user must have the "admin" role. Note You can create up to 30 additional user accounts.
  • Page 285 Description The page contains the following: • Account Enter the name for the user. The name must meet the following conditions: – It must be unique. – It must be between 1 and 250 characters long. Note User name cannot be changed After creating a user, the user name can no longer be modified.
  • Page 286 • Password Confirmation Enter the password again to confirm it. • Role Select a role. You can choose between system-defined and self-defined roles, refer to the page "Security > Users > Roles". The table contains the following columns: •...
  • Page 287: Roles
    Creating users 1. Enter the name for the user. 2. Enter the password for the user. 3. Enter the password again to confirm it. 4. Select the role of the user. 5. Click the "Create" button. 6.
  • Page 288 Description The page contains the following: • Role Name Enter the name for the role. The name must meet the following conditions: – It must be unique. – It must be between 1 and 64 characters long. Note Role name cannot be changed After creating a role, the name of the role can no longer be changed.
  • Page 289: Groups
    • Function Right Select the function rights of the role: – 1 Users with this role can read device parameters but cannot change them. Users with this role can change their own password. –...
  • Page 290 In this example the group "Administrators" is linked to the "admin" role: The group is defined on a RADIUS server. The role is defined locally on the device. When a RADIUS server authenticates a user and assigns the user to the "Administrators" group, this user is given rights of the "admin"...
  • Page 291 • Role Select a role. Users who are authenticated with the linked group on the RADIUS server receive the rights of this role locally on the device. You can choose between system-defined and self-defined roles, refer to the page "Security >...
  • Page 292: Passwords
    4.7.2 Passwords 4.7.2.1 Passwords Configuration of the passwords A user with the "admin" role can change the password of already created users. With the "user" role, users can only change their own password. Description The page contains the following: •...
  • Page 293: AAA
    • New Password Enter the new password for the selected user. It must not contain any of the following characters: | § ? " ; : ß \ Note When you log in for the first time or log in after a "Restore Factory Defaults and Restart", you are prompted to change the pre-defined password "admin".
  • Page 294: RADIUS Client
    Description The page contains the following boxes: Note To be able to use the login authentication "RADIUS", "Local and RADIUS" or "RADIUS and fallback Local", a RADIUS server must be stored and configured for user authentication.
  • Page 295 Description The page contains the following boxes: • RADIUS Authorization Mode For the login authentication, the RADIUS authorization mode specifies how the rights are assigned to the user with a successful authentication. –...
  • Page 296 Configuring with Web Based Management 4.7 "Security" menu • Primary Server Using the options in the drop-down list, specify whether or not this server is the primary server. You can select one of the options "yes" or "no". • Test With this button, you can test whether or not the specified RADIUS server is available.
  • Page 297: 802.1X Authenticator

    Configuring with Web Based Management 4.7 "Security" menu Modifying servers 1. In the relevant row, enter the following data in the input boxes: – RADIUS Server Address – Server Port – Shared Secret – Shared Secret Conf – Max. Retrans. –...
  • Page 298 Configuring with Web Based Management 4.7 "Security" menu Enabling authentication for individual ports By enabling the relevant options, you specify for each port whether or not network access protection according to IEEE 802.1X is enabled on this port. Figure 4-1 802.1x Authenticator - first part of the table Figure 4-2 802.1X Authenticator - second part of the table...
  • Page 299 Configuring with Web Based Management 4.7 "Security" menu Description of the displayed boxes The page contains the following boxes: • MAC Authentication Enable or disable MAC Authentication for the device. • 802.1X Fallback Timeout [s] Specify the time interval in seconds after which the device is reinitialized for 802.1X authentication at the relevant port after MAC authentication fails.
  • Page 300 Configuring with Web Based Management 4.7 "Security" menu • RADIUS VLAN Assignment Allowed Select the required setting. If "No Change" is selected, the entry in table 2 remains unchanged. Note The VLAN assignment of RADIUS is only applied if the port has not already been configured for this VLAN.
  • Page 301 Configuring with Web Based Management 4.7 "Security" menu • MAC Authentication Enable this option if you want end devices to be authenticated with the "MAC Authentication" method. If "Auto" is configured for "802.1x Auth. Control" and the "MAC Authentication" is enabled, the timeout for the "802.1X"...
  • Page 302 Configuring with Web Based Management 4.7 "Security" menu • Default VLAN ID If a VLAN ID is transmitted to the RADIUS server during a successful authentication and the "RADIUS VLAN Assignment Allowed" check box is selected, the current PVID of the port is changed to the value transmitted by the RADIUS server. Otherwise, an "Untagged membership"...
  • Page 303: Certificates

    Configuring with Web Based Management 4.7 "Security" menu 4.7.4 Certificates 4.7.4.1 Overview All loaded files (certificates and keys) are shown on this WBM page. You have the following options for loading files on the device: • System > Load&Save > HTTP •...
  • Page 304: Certificates

    Configuring with Web Based Management 4.7 "Security" menu • Issue Date Shows the start of the period of validity of the certificate. • Expiry Date Shows the end of the period of validity of the certificate. • Used Shows which function uses the certificate. 4.7.4.2 Certificates The format of the certificate is based on X.509, a standard of the ITU-T for creating...
  • Page 305 Configuring with Web Based Management 4.7 "Security" menu Description • Information Shows whether a certificate is loaded; if this is the case, the information on the respective certificate is displayed. • Filename Select the required certificate. • Type Shows the type of the loaded file. –...
  • Page 306: Firewall

    Configuring with Web Based Management 4.7 "Security" menu • Key File Shows the key file. • Certificate Revocation List 1st URL Enter the URL with which the revocation list can be called up. Can only be edited if supported by the certificate. •...
  • Page 307: Predefined

    Configuring with Web Based Management 4.7 "Security" menu Description The page contains the following: • Activate Firewall When enabled, the firewall is active. • TCP Idle Timeout [s] Enter the required time in seconds. If no data exchange takes place, the TCP connection is terminated automatically when this time has elapsed.
  • Page 308 Configuring with Web Based Management 4.7 "Security" menu Description • Interface Interface to which the setting relates. The list of interfaces/subnets is dynamic and is based on the settings from "Layer 3 > Subnets". – VLANx: Allows access from the IP subnet to the device. VLANs with configured IP subnet are available.
  • Page 309: Dynamic Rules

    Configuring with Web Based Management 4.7 "Security" menu Note HTTPS disabled If you disable HTTPS, the WBM of the device can no longer be reached. – DNS DNS queries to the device. Only necessary if the "Enable DNS Proxy" function is enabled on the device.
  • Page 310 Configuring with Web Based Management 4.7 "Security" menu Description "Rule set" area • Name Define a unique name for the rule set. If you click the "Create" button, a new row with a unique number is created. The table contains the following columns: •...
  • Page 311 Configuring with Web Based Management 4.7 "Security" menu "Rule Set Assignment" area • Type Specify which rule set will be assigned to whom. The display of the following table depends on the selection for "Type". – Account The rule set is activated through a local user account. –...
  • Page 312 Configuring with Web Based Management 4.7 "Security" menu • Dynamic Source (Range) Enter the IP address or an IP range that is allowed to send IP packets. • Status Shows the remaining time for access. The "RADIUS Role" table contains the following columns: •...
  • Page 313: Ip Services

    Configuring with Web Based Management 4.7 "Security" menu 4.7.5.4 IP services On this WBM page, you define IP services. Using the IP service definitions, you can define firewall rules for specific services. You select a name and assign the service parameters to it.
  • Page 314: Icmp Services

    Configuring with Web Based Management 4.7 "Security" menu • Source Port (Range) Enter the source port. The rule applies specifically to the specified port. – If the rule is intended to apply to a port range, enter the range with start port "-" end port, for example 30 - 40.
  • Page 315: Ip Protocols

    Configuring with Web Based Management 4.7 "Security" menu • Protocol Shows the version of the ICMP protocol. • Type Specify the ICMP packet type. A few examples are shown below: – Destination Unreachable IP frame cannot be delivered. – Time Exceeded Time limit exceeded –...
  • Page 316: Ip Rules

    Configuring with Web Based Management 4.7 "Security" menu The page contains the following check boxes: • Select Select the check box in the row to be deleted. • Protocol Name Shows the protocol name. • Protocol Number Enter the protocol number, for example "2". You will find a list of the protocol numbers on the Internet pages of iana.org. Procedure Create IGMP protocol...
  • Page 317 Configuring with Web Based Management 4.7 "Security" menu Description • IP Version The version of the IP protocol. • Rule set Select the required rule set. Only the IP rules that are assigned to this rule set will then be displayed in the table. Requirement: "Show all"...
  • Page 318 Configuring with Web Based Management 4.7 "Security" menu • Source (Range) Enter the IP address or an IP range that is allowed to receive IP packets. – Individual IP address Enter the IPv4 address. – IP range Specify the range with the start address "-" end address, e.g. 192.168.100.10 - 192.168.100.20.
  • Page 319: Pre-Defined Mac Rules

    Configuring with Web Based Management 4.7 "Security" menu • Precedence Define the sequence in which the IP rules of the firewall are processed (ascending from 0 ... 999). • Assign To assign the IP rules to the selected rule set, activate the setting for the desired IP rules and click the "Set Values"...
  • Page 320: Mac Services

    Configuring with Web Based Management 4.7 "Security" menu 4.7.5.9 MAC services You define MAC services on this WBM page. Using the MAC service definitions, you can define firewall rules for specific services. You select a name and assign the service parameters to it.
  • Page 321: Mac Rules

    Configuring with Web Based Management 4.7 "Security" menu The table contains the following columns: • Select Select the check box in the row to be deleted. • Name Shows the name of the MAC service. • Protocol Shows the name of the MAC protocol. Depending on the protocol, the following inputs are necessary: •...
  • Page 322 Configuring with Web Based Management 4.7 "Security" menu Description of the displayed boxes The table contains the following columns: • Select Activate the check box in the row to be deleted. • Protocol Shows the version of the MAC protocol. •...
  • Page 323: Firewall State Sync

    Configuring with Web Based Management 4.7 "Security" menu 4.7.5.11 Firewall State Sync On this WBM page, you configure the synchronization of the firewall states of two SC600 devices with each other via the network. When the firewall permits passage of a network packet, a firewall state is created for this event.
  • Page 324: Ipsec Vpn (Sc64X-2C)

    Configuring with Web Based Management 4.7 "Security" menu • Local IP Address Enter the IP address of the node in the local network. • Sync Partner IP Enter the IP address of the synchronization partner. • Port Number Sync Partner Enter the port of the synchronization partner.
  • Page 325: Remote End

    Configuring with Web Based Management 4.7 "Security" menu • IKEv2 DPD retries Specify the number of allowed failed attempts after which the IKEv2 connection is considered disrupted. The setting applies to all IKEv2 connections. • IKEv2 DPD Retry Interval[s] Specify the interval at which the failed attempts are sent. 4.7.6.2 Remote End On this WBM page, you configure the partner (VPN end point).
  • Page 326 Configuring with Web Based Management 4.7 "Security" menu • Remote Type Specify the type of remote station address. – Manual The address of the partner is known. The device can establish the VPN connection at this remote end either actively as a VPN client or wait passively for connection establishment by the partner.
  • Page 327: Connections

    Configuring with Web Based Management 4.7 "Security" menu 3. For "Remote Mode", select "Standard". 4. For "Remote Type", select "manual". 5. In "Remote Address", enter the WAN IP address and in "Remote Subnet" the subnet of the remote station. 6. Click the "Set Values" button. Configure VPN Roadwarrior mode 1.
  • Page 328 Configuring with Web Based Management 4.7 "Security" menu Note If you use "NETMAP" • only auto firewall rules are supported • For "Operation" the setting "on demand" cannot be selected. Description The page contains the following boxes: • Connection name Enter a name for the VPN connection and click "Create"...
  • Page 329 Configuring with Web Based Management 4.7 "Security" menu • Operation Specify who establishes the VPN connection. You will find more detailed information in "Technical basics > VPN connection establishment (Page 64)". – Disabled The VPN connection is disabled. – start The device attempts to establish a VPN connection to the partner.
  • Page 330: Authentication

    Configuring with Web Based Management 4.7 "Security" menu • Request Virtual IP When enabled, a virtual IP address is requested from the remote station during connection establishment. • Timeout [s] Only necessary with the "on demand" setting. Enter the interval after which the VPN connection will be terminated.
  • Page 331 Configuring with Web Based Management 4.7 "Security" menu • Method Select the authentication method. For the VPN connection, it is essential that the partner uses the same authentication method. – Disabled No authentication method is selected. Connection establishment is not possible. –...
  • Page 332: Phase 1

    Configuring with Web Based Management 4.7 "Security" menu 4.7.6.5 Phase 1 Phase 1: Encryption agreement and authentication (IKE = Internet Key Exchange) On this WBM page, you set the parameters for the protocol of the IPsec key management. The key exchange uses the standardized IKE method for which you can set the following protocol parameters.
  • Page 333 Configuring with Web Based Management 4.7 "Security" menu • Authentication Specify the method for calculating the checksum. Can only be selected if "Default Ciphers" is disabled. The following methods are supported: – MD5 – SHA1 – SHA512 – SHA256 – SHA384 •...
  • Page 334: Phase 2

    Configuring with Web Based Management 4.7 "Security" menu • DPD Timeout [sec] Enter a period. If there is no response to the DPD queries, the connection to the remote station is declared to be invalid after this time has elapsed. Note To avoid unwanted connection breakdowns, set the DPD timeout significantly higher than the DPD period.
  • Page 335 Configuring with Web Based Management 4.7 "Security" menu Description The table contains the following columns: • Name Shows the name of the VPN connection to which the settings relate. • Default Ciphers When enabled, a preset list is transferred to the VPN connection partner during connection establishment.
  • Page 336 Configuring with Web Based Management 4.7 "Security" menu • Key Derivation (PFS) Select the required Diffie-Hellmann group (DH) from which a key will be generated. Can only be selected if "Default Ciphers" is disabled. The following DH groups are supported: –...
  • Page 337: Openvpn

    Configuring with Web Based Management 4.7 "Security" menu • Port (Range) Specify the port via which the VPN tunnel can communicate. The setting applies specifically to the specified port – If the setting is intended to apply to a port range, enter the range with start port "-" end port, for example 30 - 40.
  • Page 338: Connections

    Configuring with Web Based Management 4.7 "Security" menu 4.7.7.2 Connections On this WBM page, you configure the basic settings for the OpenVPN connection. You specify the security settings on the WBM page "Authentication". Description • Connection name Enter a unique name for the OpenVPN connection and click "Create" to create a new connection.
  • Page 339 Configuring with Web Based Management 4.7 "Security" menu • Encryption Select the required encryption algorithm. – AES-128-CBC (Default) – AES-192-CBC – AES-256-CBC – DES-EDE3 – BF-CBC • Authentication Specify the method for calculating the checksum. – SHA256 (default) – SHA384 –...
  • Page 340: Client

    Configuring with Web Based Management 4.7 "Security" menu • Enable NAT With this setting, you enable automatic IP masquerading for this interface. The local devices are not directly reachable from the outside, but only via the IP address of the interface.
  • Page 341: Authentication

    Configuring with Web Based Management 4.7 "Security" menu • Protocol Specify the protocol for which the OpenVPN connection will be used. • Proxy Specify whether the OpenVPN tunnel to the defined client is established via a proxy server. Only the proxy servers that you created in "System > Proxy Server" can be selected.
  • Page 342: Server

    Configuring with Web Based Management 4.7 "Security" menu • CA Certificate Select the certificate. Only loaded certificates can be selected. You load the certificates into the device with "System > Load&Save". The loaded certificates and key files are shown on the WBM page "Security > Certificates". •...
  • Page 343: Brute Force Prevention

    Configuring with Web Based Management 4.7 "Security" menu • Connection Select the corresponding connection. Only connections can be configured that have been configured on the "Connections" WBM page. • Max. Clients Select the maximum number of clients to which the server can establish a connection at the same time.
  • Page 344 Configuring with Web Based Management 4.7 "Security" menu Description The page contains the following boxes: • User Specific BFP is Enabled. / User Specific BFP is Disabled. – Enabled: With login authentication, the "Local" or "Local and RADIUS" mode is set and the maximum number of invalid login attempts is greater than 0.
  • Page 345 Configuring with Web Based Management 4.7 "Security" menu The User Specific BFP table has the following columns: • User The users configured locally on the device. The users that are not locally configured on the device are summarized under the user name "UnknownUser". •...
  • Page 347: Upkeep And Maintenance

    Upkeep and maintenance Device configuration with PRESET-PLUG Please note the additional information and security notes in the operating instructions of your device. NOTICE Do not remove or insert a PLUG during operation A PLUG may only be removed or inserted when the device is turned off. With the PRESET-PLUG, you can install the same device configuration (start configuration, user accounts, certificates) including the corresponding firmware on multiple devices.
  • Page 348 Upkeep and maintenance 5.1 Device configuration with PRESET-PLUG accounts and certificates are stored on the PLUG and the PLUG is then write protected. 5. Turn off the power to the device. 6. Remove the PRESET-PLUG. 7. Start the device either with a new PLUG inserted or with the internal configuration. Procedure for installation with the aid of the PRESET-PLUG 1.
  • Page 349: Firmware Update Using Wbm Not Possible

    5. Write the current configuration of the device with the "write" command. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Firmware update using WBM not possible Cause If there is a power failure during the firmware update, the device may no longer be accessible using WBM and CLI.
  • Page 350 Upkeep and maintenance 5.2 Firmware update using WBM not possible Solution You can then also transfer firmware to the device using TFTP. Follow the steps below to load new firmware using TFTP: 1. When starting up press the SET button. 2.
  • Page 351 Upkeep and maintenance 5.2 Firmware update using WBM not possible Requirement • The device has an IP address. • The user is logged in with administrator rights. Firmware update via HTTP 1. Click "System > Load&Save" in the navigation area. Click the "HTTP" tab. 2.
  • Page 352: Restoring The Factory Settings

    Upkeep and maintenance 5.3 Restoring the factory settings Restoring the factory settings NOTICE Previous settings If you reset, all the settings you have made will be overwritten by factory defaults. NOTICE Inadvertent reset An inadvertent reset can cause disturbances and failures in a configured network with further consequences.
  • Page 353: Exchange Of Configuration Data With Step7

    Exchange of configuration data with STEP7 Exchange of configuration data with STEP 7 Basic/Professional using a file You use the two file types "RunningSINEMAConfig" and "SINEMAConfig" ("System > Load&Save > HTTP/TFTP/SFTP") to exchange configuration data between a device (WBM) and STEP7 Basic/Professional using a file. The export/import of a file via STEP 7 Basic/Professional is described below.
  • Page 354: Message: Sinema Configuration Not Yet Accepted

    Exchange of configuration data with STEP7 6.2 Message: SINEMA configuration not yet accepted Importing configuration data via STEP 7 Basic/Professional To import configuration data via STEP 7 Basic/Professional, follow these steps: 1. Open the relevant STEP 7 project in STEP 7 Basic/Professional. 2.
  • Page 355 Exchange of configuration data with STEP7 6.2 Message: SINEMA configuration not yet accepted Solution 1. Open the relevant STEP 7 project in STEP 7 Basic / Professional 2. Open the project view. 3. Select the device in the project tree. 4.
  • Page 357: Structure Of The Syslog Messages

    Appendix A Structure of the Syslog messages The Syslog server collects log information of the devices about specific events. The Syslog messages are received by the Syslog server via the set UDP port (standard: 514) and output according to RFC 5424 or RFC 5426. The Syslog protocol prescribes a fixed sequence and structure of the possible parameters.
  • Page 358: Tags In Syslog Messages

    Appendix A A.2 Tags in Syslog messages Note Additional information You can read more detailed information on the structure of the Syslog messages and on the meaning of the parameters in the RFCs: https://tools.ietf.org/html/rfc5424 https://tools.ietf.org/html/rfc5426 Tags in Syslog messages The tags are displayed in the section "Syslog messages" in the field "Message text" within curly brackets {variable}.
  • Page 359: Syslog Messages

    Appendix A A.3 Syslog messages Description / Format / Possible values or example: {Subject} String (with space) for the subject in the certificate. Used as part of the certificate-based authentication and must include Unicode characters. Format: With UTF8 code: %S. Example: (Peter Maier). {Config detail} String (with space) for the configuration detail. Example: OpenVPN...
  • Page 360 Appendix A A.3 Syslog messages Facility local0 Standard IEC 62443-3-3 Reference: SR 1.1 Message text {protocol}: User {User name} has logged out from {ip address}. Example SSH: User "Admin" has logged out from 192.168.0.1. Explanation User session completed - logged out. Severity Info Facility...
  • Page 361 Appendix A A.3 Syslog messages User account management Message text {protocol}: User {user name} changed own password. Example WBM: User admin changed own password. Explanation User has changed own password. Severity Notice Facility local0 Standard IEC 62443-3-3 Reference: SR 1.3 Message text {protocol}: User {user name} changed password of user {action user name}.
  • Page 362 Appendix A A.3 Syslog messages Facility local0 Standard IEC 62443-3-3 Reference: SR 1.4 Unsuccessful logon attempts Message text {User name} account is locked for {Time minute} minutes after {Failed login count} unsuccessful login attempts. Example User service account is locked for 44 minutes after 10 unsuccessful login attempts.
  • Page 363 Appendix A A.3 Syslog messages Access via untrusted networks (OpenVPN) Message text OVPN_{connection name}[{config detail}]: Initialization Sequence Completed Example OVPN_Conn_1[2427]: Initialization Sequence Completed Explanation VPN connection is established (OpenVPN). Severity Info Facility local0 Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1) Message text OpenVPN connection {connection name} has been deactivated.
  • Page 364 Appendix A A.3 Syslog messages Explanation Remote access denied (SINEMA RC, Digital Input) Severity Info Facility local0 Standard IEC 62443-3-3 Reference: SR 1.13 Authorization enforcement (access via custom firewall) Message text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip address "{ip address}".
  • Page 365 Appendix A A.3 Syslog messages Severity Error Facility local0 Standard IEC 62443-3-3 Reference: SR 2.1 Message text User specific firewall digital input {trigger pin} deactivated rule set "{firewall rule}". Example User specific firewall digital input 1 deactivated rule set "rs1". Explanation The access to the user-specific firewall was denied.
  • Page 366 Appendix A A.3 Syslog messages Nonrepudiation Message text Device configuration changed. Example Device configuration changed. Explanation The device configuration has been changed permanently. Severity Info Facility local0 Standard IEC 62443-3-3 Reference: SR 2.12 Communication integrity Message text [IKE] {connection name} {config detail} received invalid DPD sequence number {config detail} (expected {config detail}), ignored.
  • Page 367 Appendix A A.3 Syslog messages Message text {protocol}: Failed to load file type Firmware. Example WBM: Failed to load file type Firmware. Explanation Firmware upload has failed. Severity Warning Facility local0 Standard IEC 62443-3-3 Reference: SR 7.4 Message text {protocol}: Loaded file type Config (restart required). Example TFTP: Loaded file type Config (restart required).
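As an added example (not Siemens code): a parser for the RFC 5424 lines the device sends to the Syslog server, which classifies the message text against the Appendix A.3 templates above, extracts the {tag} values, collects account lockouts, and checks the severity decoded from the PRI field against the severity the manual documents for that message. The RFC 5424 header fields in the constructed sample lines (timestamp, hostname "sc600", app-name "scalance") are assumptions, since the manual only gives message text, facility and severity.

```python
"""Parse RFC 5424 Syslog lines from a SCALANCE SC-600 and classify the message
text against the Appendix A.3 templates. Added example, not Siemens code.
The manual gives only message text, facility (local0) and severity; the RFC 5424
header fields in the constructed sample lines (timestamp, hostname "sc600",
app-name "scalance") are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL0 = 16  # RFC 5424 facility number of local0, the facility the SC-600 uses
SEVERITY_NAMES = {3: "Error", 4: "Warning", 5: "Notice", 6: "Info"}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# Message-text templates from Appendix A.3 with the {tags} turned into named
# groups: (event name, documented severity, IEC 62443-3-3 reference, regex).
# Severity and reference are None where the manual does not state them.
TEMPLATES = [
    ("logout", "Info", None,
     r'(?P<protocol>\w+): User "?(?P<user>[^"\s]+)"? has logged out from (?P<ip>\S+)\.$'),
    ("own_password_changed", "Notice", "SR 1.3",
     r"(?P<protocol>\w+): User (?P<user>\S+) changed own password\.$"),
    ("account_locked", None, None,
     r"(?:User )?(?P<user>\S+) account is locked for (?P<minutes>\d+) minutes "
     r"after (?P<attempts>\d+) unsuccessful login attempts\.$"),
    ("openvpn_established", "Info", None,
     r"OVPN_(?P<connection>[^\[]+)\[(?P<detail>[^\]]+)\]: Initialization Sequence Completed$"),
    ("config_changed", "Info", "SR 2.12", r"Device configuration changed\.$"),
    ("firmware_load_failed", "Warning", "SR 7.4",
     r"(?P<protocol>\w+): Failed to load file type Firmware\.$"),
]
COMPILED = [(name, sev, ref, re.compile(rx)) for name, sev, ref, rx in TEMPLATES]


@dataclass
class Sc600Event:
    facility: int
    severity: str
    host: str
    msg: str
    event: str = "unknown"                         # template name or "unknown"
    fields: Dict[str, str] = field(default_factory=dict)
    reference: Optional[str] = None                # IEC 62443-3-3 SR, if documented
    severity_as_documented: Optional[bool] = None  # None if the manual gives none


def parse_line(line: str) -> Optional[Sc600Event]:
    """Parse one RFC 5424 line; return None when the line is not RFC 5424-shaped."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    facility, sev_num = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + severity
    ev = Sc600Event(facility, SEVERITY_NAMES.get(sev_num, str(sev_num)),
                    m.group("host"), m.group("msg") or "")
    for name, documented_sev, ref, rx in COMPILED:
        t = rx.match(ev.msg)
        if t:
            ev.event, ev.fields, ev.reference = name, t.groupdict(), ref
            if documented_sev is not None:
                ev.severity_as_documented = ev.severity == documented_sev
            break
    return ev


def lockouts(lines: List[str]) -> List[Dict[str, str]]:
    """Account lockouts (brute force prevention firing) found in a batch of lines."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.event == "account_locked" and ev.facility == LOCAL0:
            out.append(ev.fields)
    return out


# Constructed sample lines: header fields assumed, message texts as in Appendix A.3.
SAMPLE_LINES = [
    '<134>1 2021-10-05T08:15:30Z sc600 scalance - - - SSH: User "Admin" has logged out from 192.168.0.1.',
    "<133>1 2021-10-05T08:16:02Z sc600 scalance - - - WBM: User admin changed own password.",
    "<132>1 2021-10-05T08:20:11Z sc600 scalance - - - User service account is locked for 44 minutes after 10 unsuccessful login attempts.",
    "<134>1 2021-10-05T08:21:40Z sc600 scalance - - - OVPN_Conn_1[2427]: Initialization Sequence Completed",
    "<132>1 2021-10-05T08:25:00Z sc600 scalance - - - WBM: Failed to load file type Firmware.",
    "<133>1 2021-10-05T08:26:00Z sc600 scalance - - - Device configuration changed.",  # Notice, manual says Info
    "not a syslog line",
]
```

A mismatch between the decoded severity and the documented one (the last constructed line) is worth alerting on, since it usually means a different sender or a spoofed line rather than the device itself.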
  • Page 369: Index

    Index Aging, 236 Ethernet interface, 25 Authentication, 168, 297, 298 Available system functions, 26 Factory defaults, 352 Factory setting, 352 BFP, 343 Fault monitoring Bridge, 240 Connection status change, 209 Bridge priority, 240 Fault status, 89 Root bridge, 240 Filter Bridge Max Age, 240 Filter configuration, 250 Brute Force Prevention, 343...
  • Page 370 Index OpenVPN server, 117 Ring redundancy, 102 NAPT Role, 109 Configuring, 265 Security, 106, 109 Security log, 86 1-to-1 NAT, 269 SINEMA RC, 115 Configuring, 264 SNMP, 105, 105 Masquerading, 57 Software, 81 NAPT, 57 Spanning Tree, 95 NAT traversal, 63 Start page, 75 NETMAP, 58 Versions, 81...
  • Page 371 Index Requirement Software version, 83 Power supply, 25 Source NAT Reset, 131 Masquerading, 57 RESET button, 197 Spanning Tree Reset device, 352, 352 Information, 95 Reset timer BFP, 343 Rapid Spanning Tree, 49 Restart, 131 RSTP, 238 Restore Factory Defaults, 352 SSH, 25 Ring redundancy, 237 Server, 119...
  • Page 372 Index User groups, 289 User name, 26 VLAN, 40 Port VID, 235 Priority, 234 Tag, 234 VLAN ID, 42 VLAN tag, 41 VPN connection OpenVPN server, 117 Status, 113 Status OpenVPN client, 116 VRRP Interface Tracking, 281 VRRP address configuration (IPv4), 280 VRRP address overview (IPv4), 279 VRRP configuration (IPv4), 277 VRRP routers (IPv4), 274...