Phoenix Contact FL MGUARD 1000 User Manual

FL MGUARD 1000
Web-based management
mGuardNT 1.3.x
User manual
UM EN MGUARD NT

Summary of Contents for Phoenix Contact FL MGUARD 1000

  • Page 1 FL MGUARD 1000 Web-based management mGuardNT 1.3.x User manual UM EN MGUARD NT...
  • Page 2 This user manual is valid for:
    Designation      Version   Order No.
    FL MGUARD 1102             1153079
    FL MGUARD 1105             1153078
    For further information see the mGuardNT 1.3.x firmware Release Notes. PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany phoenixcontact.com...
  • Page 3: Table Of Contents

    3.4.9 CIDR (Classless Inter-Domain Routing) .... 22
    Menu: Password .... 23
    Menu: Device access .... 25
    Menu: Network .... 27
    Network >> Interfaces .... 27
    6.1.1 Interfaces .... 27
    6.1.2 Routes .... 34
    6.1.3 NAT .... 35
    3 / 72 PHOENIX CONTACT 108420_en_03...
  • Page 4
    10 Menu: Support .... 63
    10.1 Support >> Ping .... 63
    10.2 Support >> TCP Dump .... 64
    11 Menu: Logs .... 67
    12 Appendix .... 69
    12.1 Using the RESTful Configuration API .... 69
    12.2 Using smart mode .... 69
  • Page 5: For Your Safety

    Phoenix Contact. IT security: For Phoenix Contact devices that can be integrated in an industrial network via Ethernet, organizational and technical measures must be taken in order to protect components, networks, and systems against unauthorized access and to ensure data integrity.
  • Page 6
    • Do not make components and systems available in public networks.
    • Avoid integrating your components and systems into public networks.
    • If you have to access your components and systems via a public network, use a VPN (Virtual Private Network).
  • Page 7: About This User Manual

    To get help quickly in the event of an error, make a snapshot of the device configuration immediately when a device error occurs, if possible. You can then provide the snapshot to the support team.
  • Page 9: Mguardnt Basics

    Integrity check of data packets to increase network security. Easy Protect Mode: Automatic protection of connected network clients without configuration effort directly after connection of the device. Firewall Assistant: Analysis of data traffic for the automatic creation of firewall rules.
  • Page 10 Mode button on the device and without access to a management interface. Support tools: TCP Dump (packet data analysis), Ping (network analysis), Log viewer (evaluation of log entries), Support snapshot (status and error analysis).
  • Page 11: Network

    Data traffic unintentionally rejected by the firewall can be easily identified and permitted through the automated creation of corresponding firewall rules (see Section 7.1, Firewall test mode). An alarm informs the user about the event (data traffic not covered by an existing firewall rule).
  • Page 12: Easy Protect Mode

    2 (XF2–XF5) against external access (e.g., individual machines or production cells that are connected via a switch). For additional information refer to the “FL MGUARD 1000 – Installation and startup” user manual, available at phoenixcontact.net/product/1153078.
  • Page 13: Using The Web-Based Management

    IP address: 192.168.1.1 – Subnet mask: 24 (255.255.255.0) For additional information refer to the “FL MGUARD 1000 – Installation and startup” user manual, available at phoenixcontact.net/product/1153078. User login A competing login of the admin user from several instances is not recommended and might result in loss of data.
  • Page 14: User Logout

    The user is then forwarded to the login page if he/she tries to save a configuration change or an action. Once the user has logged in, the timeout starts at 30 minutes. It is reset to 30 minutes whenever a configuration change is saved or an action is carried out.
  • Page 15: Help Regarding The Configuration

    Variable values can be selected via a drop-down menu or a checkbox, or entered manually. Depending on the variable, letters, numbers and/or certain special characters can be used (see Section 3.4.3). Some variables are entered into tables (e.g., 1:1 NAT rules).
  • Page 16: Icons And Buttons

    Click on the Waste bin icon to delete the selected table row. Click on the Plus icon to transfer the selected table row (test mode alarms) as a new firewall rule to the Firewall table.
  • Page 17: Entering And Changing Values

    Click on the icon to have the corresponding error messages displayed in the right-hand page column (see Figure 3-3). Correct the entries and apply the changed values with a click on the button.
  • Page 18: Working With Tables

    • Click on the row and hold the mouse button down to drag and drop the row to the desired position.
    • Release the mouse button.
    ⇒ The row was moved to a new position.
    • Click on the icon to apply the change.
  • Page 19: Resetting The Device Configuration To Factory Settings

    A snapshot can be used for error diagnostics and communication with the support team. The snapshot is created and downloaded as a compressed file (in tar.gz format). The snapshot contains the current configuration and other system information of the device (see Table 3-1).
  • Page 20 Shows the currently installed firmware version. Security-relevant information such as passwords or cryptographic keys is not contained in the snapshot. The time the snapshot was created is indicated in the file name as <YYYY-MM-DD_hh:mm:ss>; in the example file name the colons of the time part appear as underscores: snapshot_2019-10-09_22_00_00.tar.gz
  • Page 21: Input: Netmask And Network

    Table 3-2, the entry is automatically changed accordingly (see Table 3-2). Table 3-2 Examples for the conversion of formats of networks in the WBM (the printed /24 row reads 10.1.0.0/24, which is wrong: a 24-bit mask clears only the last octet of 10.1.1.1):
    Entered format    Converted format
    10.1.1.1/32       10.1.1.1
    10.1.1.1/24       10.1.1.0/24
    10.1.1.1/16       10.1.0.0/16
    10.1.1.1/8        10.0.0.0/8
    10.1.1.1/0        0.0.0.0/0
  • Page 22: Cidr (Classless Inter-Domain Routing)

    Netmask      Binary                                CIDR
    240.0.0.0    11110000 00000000 00000000 00000000   /4
    224.0.0.0    11100000 00000000 00000000 00000000   /3
    192.0.0.0    11000000 00000000 00000000 00000000   /2
    128.0.0.0    10000000 00000000 00000000 00000000   /1
    0.0.0.0      00000000 00000000 00000000 00000000   /0
    Example: 192.168.1.0/255.255.255.0 corresponds to CIDR: 192.168.1.0/24
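The conversions of Table 3-2 and of the netmask table above, worked through in code. This is an added example and not code from the manual or from Phoenix Contact; it reproduces the documented input/output behaviour of the WBM with the Python standard library only, and additionally refuses a non-contiguous netmask (such as 255.0.255.0), which CIDR notation cannot express. Note that the printed /24 row of Table 3-2 should read 10.1.1.0/24: a 24-bit mask clears only the last octet of 10.1.1.1.

```python
"""Network normalization as the WBM performs it (page 21, Table 3-2) and
netmask <-> CIDR prefix conversion (page 22).

Added example, not code from the manual or from Phoenix Contact; it
reproduces the documented input/output behaviour with the Python standard
library only.
"""
import ipaddress


def normalize_network(entry: str) -> str:
    """Return the stored form of a network entry.

    Rules visible in Table 3-2:
      * host bits below the prefix are cleared  (10.1.1.1/16 -> 10.1.0.0/16)
      * a /32 is stored as a bare host address  (10.1.1.1/32 -> 10.1.1.1)
      * an address without a prefix is a host   (10.1.1.1    -> 10.1.1.1)
    The mask part may be a prefix length or a dotted-decimal mask
    (192.168.1.0/255.255.255.0 -> 192.168.1.0/24).
    """
    net = ipaddress.ip_network(entry, strict=False)   # strict=False clears host bits
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return f"{net.network_address}/{net.prefixlen}"


def netmask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> CIDR prefix length (page 22 table).

    Rejects non-contiguous masks such as 255.0.255.0: a prefix length can
    only express a run of ones followed by zeros, so such an entry must be
    refused rather than silently approximated.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def is_valid_netmask(mask: str) -> bool:
    """True when the mask is a well-formed, contiguous IPv4 netmask."""
    try:
        netmask_to_prefix(mask)
        return True
    except ValueError:            # AddressValueError is a ValueError too
        return False


def prefix_to_netmask(prefix: int) -> str:
    """CIDR prefix length -> dotted-decimal mask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


# Table 3-2 as printed, with the /24 row corrected to 10.1.1.0/24.
TABLE_3_2 = {
    "10.1.1.1/32": "10.1.1.1",
    "10.1.1.1/24": "10.1.1.0/24",
    "10.1.1.1/16": "10.1.0.0/16",
    "10.1.1.1/8": "10.0.0.0/8",
    "10.1.1.1/0": "0.0.0.0/0",
}


def check_table() -> bool:
    """True when normalize_network reproduces every row of Table 3-2."""
    return all(normalize_network(k) == v for k, v in TABLE_3_2.items())


if __name__ == "__main__":
    for entered in TABLE_3_2:
        print(f"{entered:<12} -> {normalize_network(entered)}")
    print("192.168.1.0/255.255.255.0 ->", normalize_network("192.168.1.0/255.255.255.0"))
    for mask in ("240.0.0.0", "224.0.0.0", "192.0.0.0", "128.0.0.0", "0.0.0.0"):
        print(f"{mask:<10} /{netmask_to_prefix(mask)}")
```

Running the script prints the corrected Table 3-2 and the page-22 mask rows with their prefix lengths; feeding it a mask the WBM would have to reject (255.0.255.0) raises ValueError instead of producing a prefix that silently widens or narrows the network.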
  • Page 23: Menu: Password

    After filling in the three mandatory fields, you have to adopt the password change with a click on the button.
    Current password: The current password that is to be changed.
    New password: The new password.
    Confirm new password: Enter the new password again.
  • Page 25: Menu: Device Access

    Default setting: activated
    HTTPS access from net zone 2: When this function is activated, access to the HTTPS server of the device is permitted from the selected net zone. Default setting: activated
  • Page 27: Menu: Network

    Menu: Network >> Interfaces >> Interfaces. Mode: The device can be operated in two network modes (Router mode and Stealth mode). Router: see “Router mode” on page 29. Stealth: see “Stealth mode” on page 32. 27 / 72 PHOENIX CONTACT 108420_en_02...
  • Page 28 IP configuration from a DHCP server in stealth mode. If an IP configuration is still not assigned, this could be due to a DHCP server that is not standard-compliant. In this case, adjust the rules as follows:
  • Page 29 NAT/IP masquerading may have to be activated on the device so that devices from one net zone can communicate with devices from other net zones or with the Internet (see “NAT” on page 35).
  • Page 30 IP addresses of one or several DNS servers assigned by the DHCP server (status information in “DHCP” router mode). A DNS server (DNS = Domain Name System) allows clients to resolve host names into IP addresses.
  • Page 31 IP address of network interface XF2–XF5 (net zone 2). Input format: IPv4 address. Default setting: 192.168.1.1. Netmask: Subnet mask that defines in which subnet the device is located. Input format: CIDR or decimal format, e.g., 24 (= 255.255.255.0). Default setting: 24
  • Page 32 Netmask: Subnet mask that defines in which subnet the device can be reached in stealth mode via the management IP address. Input format: CIDR or decimal format, e.g., 24 (= 255.255.255.0). Default setting: 24
  • Page 33 The default gateway can be reached via net zone 1 (XF1) and net zone 2 (XF2–XF5). Input format: IPv4 address. Default setting: 192.168.1.254
  • Page 34: Routes

    Destination: Network or IP address that shall be reached via an additional route. Input format: IPv4 address, IPv4 network (CIDR notation). Gateway: IP address of the gateway via which the destination can be reached using the additional route. Input format: IPv4 address
  • Page 35: Nat

    With port forwarding, data packets that are sent (from external devices) to a certain port of the device are forwarded to a defined destination IP address and a defined destination port in the (local) subnet of the device. See “Port forwarding” on page 37.
  • Page 36 (XF1/net zone 1). In the data packet, the sender's IP address is translated into the IP address of the network interface (XF1/net zone 1). Default setting: activated
  • Page 37 IP address of the device (XF1 = 10.1.0.70) and port 5001. All other devices in the production network (e.g., PLC 192.168.1.150) shall not be reachable from the outside. They are protected by the firewall.
  • Page 38 Default setting: Net zone 1. Protocol: TCP, UDP. Network protocol that has to be used for transmitting the data packets so that the rule is applied. Default setting: TCP
  • Page 39 (e.g., 192.168.1.200) with translated (virtual) IP addresses from the office network (e.g., 10.1.0.102). Communication with devices in the office network is now implemented in both directions via the translated IP addresses of the clients in the production network.
  • Page 40 IP address without the need for manual configuration of MAC addresses. When this function is deactivated, ARP requests sent to translated IP addresses remain unanswered. Default setting: activated
  • Page 42: Network >> Dhcp Server

    DHCP server are accepted via the configured network interface (net zone 2) and UDP port 67. The server then assigns IP addresses from the configured IP address range to the clients. Default setting: activated
  • Page 43 If the DNS server of the device shall be used, the IP address of the net zone on which this service is active has to be specified (default setting: net zone 2 = 192.168.1.1). Input format: IPv4 address. Default setting: 192.168.1.1
  • Page 44 WINS server: IP address of a WINS server the DHCP server assigns to requesting clients. A WINS server (Windows Internet Naming Service) allows clients to resolve host names (NetBIOS names) into IP addresses. Input format: IPv4 address. Default setting: empty
  • Page 45: Network >> Dns

    Internet via the released net zone. When this function is deactivated, access to the DNS server via the selected net zone is dropped by the firewall. Default setting: deactivated
  • Page 46 If no user-defined DNS server is specified, the device uses a DNS server assigned via DHCP. If a DNS server is not assigned via DHCP either, the device uses the default root name servers.
  • Page 47: Menu: Network Security

    NTP server of the device) but are routed (Router mode) or forwarded (Stealth mode) by the device. The connections can also be received and forwarded on the same network interface (net zone).
  • Page 48 Log entries can be analyzed via the Menu: Logs or in the journal file, which can be created and downloaded via a snapshot (see Section 3.4.7). Log prefix: fw-forward-policy-. Default setting: deactivated
  • Page 49 Source and destination port in the TCP packet are not equal to zero. IPv4 packets: protocol not set to zero. Data packets that do not meet the specified requirements are dropped by the firewall and not forwarded. Default setting: activated
  • Page 50 If the Firewall test mode is deactivated, all entries in the Test mode alarms table are deleted and the signaling by the LED "PF2" and the switching output "O1" is terminated. Default setting: deactivated
  • Page 51 Accept: The data packets may pass through. Reject: The data packets are rejected; the sender is informed. Drop: The data packets are dropped; the sender is not informed. Default setting: Accept
  • Page 52 Log entries can be analyzed via the Menu: Logs or in the journal file, which can be created and downloaded via a snapshot (see Section 3.4.7). Log prefix: fw-forward-. Default setting: deactivated
  • Page 53: Network Security >> Firewall >> Test Mode Alarms

    Adapt the inserted firewall rules according to your security requirements. • Then click on the icon to apply the change. ⇒ The newly added firewall rules are activated and immediately permit the corresponding data traffic unless superordinate rules prohibit the data traffic.
  • Page 54 (e.g., ICMP data packets). Protocol: Network protocol that was used for transmitting the data packet. The TCP, UDP, ICMP, GRE, and ESP protocols are accepted. For all other protocols, the value All is entered.
  • Page 55: Network Security >> Firewall Assistant

    For all other protocols, the value “All” is entered in the firewall rule. Action: In all firewall rules created via the Firewall Assistant or Firewall test mode, “Accept” is always entered as the action value.
  • Page 56 If the created firewall rules are not visible under Network security >> Firewall >> Firewall, reload the page in the web browser. The Firewall table created using the Firewall Assistant can be adapted and extended as required.
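The forwarding-firewall behaviour documented on pages 49 to 55, put together as a small model: the packet consistency check (page 49), an ordered rule table with the actions Accept, Reject and Drop (page 51), the Test mode alarm list (pages 50 and 53), and the conversion of an alarm row into a rule that always carries the action Accept and the protocol "All" for anything other than TCP, UDP, ICMP, GRE or ESP (pages 54 and 55). This is an added example and not Phoenix Contact code: the class layout, top-to-bottom first-match evaluation, the "policy" fallback for unmatched packets and the port handling in alarm_to_rule are modelling assumptions, and the office/production addresses and the TCP port 502 in the scenario are constructed from the page-37 example.

```python
"""Model of the mGuardNT forwarding firewall as documented on pages 49-55.

Added example, not Phoenix Contact code. The class layout, first-match
evaluation, the "policy" fallback and the port handling in alarm_to_rule
are modelling assumptions; the manual documents behaviour, not code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

# Protocols named in the Test mode alarms table (page 54); anything else
# becomes "All" in the generated rule (page 55).
NAMED_PROTOCOLS = {"TCP", "UDP", "ICMP", "GRE", "ESP"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str           # protocol name; "" stands for IP protocol 0
    src_port: int = 0       # only meaningful for TCP/UDP
    dst_port: int = 0


@dataclass
class Rule:
    src: str                # host address or CIDR network
    dst: str
    protocol: str           # "All" or a protocol name
    action: str             # "Accept" | "Reject" | "Drop"
    dst_port: Optional[int] = None   # assumption: None matches any port

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

        if not (in_net(p.src, self.src) and in_net(p.dst, self.dst)):
            return False
        if self.protocol != "All" and self.protocol != p.protocol:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def consistency_ok(p: Packet) -> bool:
    """Page 49: IP protocol must not be zero; for TCP neither port may be
    zero. Packets failing the check are dropped before any rule applies."""
    if p.protocol == "":
        return False
    if p.protocol == "TCP" and (p.src_port == 0 or p.dst_port == 0):
        return False
    return True


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)   # evaluated top to bottom
    policy: str = "Accept"                            # used when no rule matches
    test_mode: bool = False
    alarms: List[Packet] = field(default_factory=list)

    def verdict(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason). In test mode a packet no rule covers is
        recorded as an alarm; the verdict itself is the policy's (page 53:
        the alarm row is what gets turned into a permitting rule)."""
        if not consistency_ok(p):
            return "Drop", "consistency-check"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, f"rule-{i}"
        if self.test_mode and p not in self.alarms:
            self.alarms.append(p)
        return self.policy, "policy"

    def alarm_to_rule(self, p: Packet) -> Rule:
        """Plus icon on an alarm row (page 16): the Accept rule the WBM
        appends to the Firewall table. Rules higher in the table still
        take precedence (page 53)."""
        proto = p.protocol if p.protocol in NAMED_PROTOCOLS else "All"
        port = p.dst_port if proto in ("TCP", "UDP") else None
        return Rule(src=p.src, dst=p.dst, protocol=proto, action="Accept", dst_port=port)


def scenario() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str], int]:
    """Constructed scenario after page 37: office host 10.1.0.10 polls the
    PLC 192.168.1.150 on TCP 502 with a Drop policy and test mode on.
    Returns the verdicts before and after the alarm becomes a rule, the
    verdict once a superordinate Reject rule is inserted, and the alarm count."""
    fw = Firewall(policy="Drop", test_mode=True)
    poll = Packet("10.1.0.10", "192.168.1.150", "TCP", 40000, 502)
    first = fw.verdict(poll)                       # dropped by policy, alarm recorded
    fw.rules.append(fw.alarm_to_rule(poll))
    second = fw.verdict(poll)                      # accepted by the generated rule
    fw.rules.insert(0, Rule("10.1.0.0/24", "192.168.1.150", "All", "Reject"))
    third = fw.verdict(poll)                       # the Reject rule above it wins
    return first, second, third, len(fw.alarms)


if __name__ == "__main__":
    print(scenario())
```

The last step of the scenario is the caveat the page-53 text states in passing: a rule generated from an alarm permits exactly the traffic that was observed, but only where no rule above it already rejects it, so generated Accept rules should be reviewed and placed deliberately rather than appended blindly.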
  • Page 57: Menu: Time And Date

    The current time and date of the device are configured and saved to the real-time clock (RTC). (Only visible if NTP is deactivated.) Format: Coordinated Universal Time (UTC). Permissible range: >= 2018-01-01_00:00:00 and <= 2069-01-01_00:00:00
  • Page 58 NOTE: Access from the Internet. Possibly, the server can be reached from the Internet when the device is connected to the Internet via the released net zone. Default setting: deactivated
  • Page 59 (see Section 6.3). Default:
    – 0.pool.ntp.org | Port: 123
    – 1.pool.ntp.org | Port: 123
    – 2.pool.ntp.org | Port: 123
    – 3.pool.ntp.org | Port: 123
    Port: Port on which the external NTP server accepts NTP requests. Default setting: 123
  • Page 61: Menu: Firmware Update

    Starting the firmware update. Menu: Firmware update >> Firmware update. A signed update file provided by Phoenix Contact (e.g., mguard-image-1.3.1.mguard3.update.signed) is uploaded from a configuration computer to the device and installed automatically. All current settings, passwords and certificates are retained on the device. Downgrading from a higher to a lower firmware version is not possible.
  • Page 63: 10 Menu: Support

    5 packets transmitted, 5 packets received. ⇒ If the client cannot be reached via ICMP, a corresponding message is displayed (e.g., 100% packet loss). Input format: IPv4 address
  • Page 64: Support >> Tcp Dump

    • To start the analysis, click on the Start button. • To stop and download the analysis, click on the Stop button. ⇒ The result of the analysis is saved to a file (*.pcap), downloaded, and deleted from the device.
  • Page 65 The acquired packet contents are summarized in a file (*.pcap) and can be downloaded from the device. Afterwards, the file is deleted from the device. The time of the file download is indicated in the file name as <YYYY-MM-DD_hh:mm:ss>; in the example file name the colons of the time part appear as underscores: tcpdump_2019-10-09_22_00_00.pcap
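A minimal reader for the *.pcap files the TCP Dump tool hands out, as an added example that is not Phoenix Contact code: it validates the global header, walks the records, refuses a file that was cut short (the device deletes the capture after the download, so a truncated download cannot be repeated), decodes source, destination and IP protocol of each Ethernet/IPv4 frame, and parses the download time out of the file name. The capture is constructed in memory so the script runs offline; that the device writes Ethernet (link type 1) frames is an assumption, so check the link-type field of a real download before trusting the frame decoding.

```python
"""Minimal pcap reader for Support >> TCP Dump downloads (pages 64/65).

Added example, not Phoenix Contact code. The sample capture is constructed
in memory; Ethernet (link type 1) framing is an assumption.
"""
import ipaddress
import struct
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
DLT_EN10MB = 1                 # Ethernet link type


def build_ipv4_frame(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet II + IPv4 frame (zeroed MACs and checksum)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(records: List[Tuple[int, int, bytes]], link_type: int = DLT_EN10MB) -> bytes:
    """Constructed little-endian pcap from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, link_type)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def decode_ipv4(frame: bytes, link_type: int) -> Dict[str, object]:
    """src/dst/proto of an Ethernet/IPv4 frame; Nones for anything else."""
    if (link_type != DLT_EN10MB or len(frame) < 34
            or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4):
        return {"src": None, "dst": None, "proto": None}
    return {"src": str(ipaddress.IPv4Address(frame[26:30])),
            "dst": str(ipaddress.IPv4Address(frame[30:34])),
            "proto": frame[23]}


def read_pcap(data: bytes) -> Iterator[Dict[str, object]]:
    """Yield one dict per record; ValueError on a bad magic number or on a
    file cut short (for example a download interrupted before completion)."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic number)")
    snaplen, link_type = struct.unpack(endian + "IHHiIII", data[:24])[5:]
    nanos = magic == PCAP_MAGIC_NSEC
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"truncated record data at offset {off}")
        rec = {"ts": sec + frac / (1e9 if nanos else 1e6), "orig_len": orig_len}
        rec.update(decode_ipv4(data[off:off + incl_len], link_type))
        off += incl_len
        yield rec


def summarize(data: bytes) -> Dict[Tuple[object, object, object], int]:
    """Record count per (src, dst, proto) flow key."""
    counts: Dict[Tuple[object, object, object], int] = {}
    for rec in read_pcap(data):
        key = (rec["src"], rec["dst"], rec["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_complete(data: bytes) -> bool:
    """False when read_pcap rejects the file (bad magic or cut short)."""
    try:
        for _ in read_pcap(data):
            pass
        return True
    except ValueError:
        return False


def filename_time(name: str) -> datetime:
    """Download time encoded in the file name (page 65); the printed example
    separates the time fields with underscores rather than colons."""
    prefix, suffix = "tcpdump_", ".pcap"
    if not (name.startswith(prefix) and name.endswith(suffix)):
        raise ValueError(f"unexpected file name: {name}")
    return datetime.strptime(name[len(prefix):-len(suffix)], "%Y-%m-%d_%H_%M_%S")


# Constructed sample: two TCP packets between an office host and the PLC of
# the page-37 example, plus one ICMP packet to the device's net zone 2 address.
SAMPLE = build_pcap([
    (1570658400, 0, build_ipv4_frame("10.1.0.10", "192.168.1.150", 6)),
    (1570658400, 500000, build_ipv4_frame("192.168.1.150", "10.1.0.10", 6)),
    (1570658401, 0, build_ipv4_frame("10.1.0.10", "192.168.1.1", 1)),
])

if __name__ == "__main__":
    print(filename_time("tcpdump_2019-10-09_22_00_00.pcap"))
    print(summarize(SAMPLE), "complete:", is_complete(SAMPLE), is_complete(SAMPLE[:-5]))
```

Point read_pcap at the bytes of a real download instead of SAMPLE to get the same per-flow summary; is_complete is the check worth running first, since a capture that fails it has already been deleted from the device and has to be recorded again.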
  • Page 67: 11 Menu: Logs

    – fw-forward = A routing firewall rule was applied to a packet.
    – fw-forward-policy = A packet for which no rules have been defined was rejected.
    – fw-forward-testmode = Relates to entries (Test mode alarms) created by means of the Firewall test mode function.
  • Page 68 (Firewall - routing/stealth and incoming firewall) will be displayed. When the function is deactivated, all log entries will be displayed. Default setting: activated. Buttons: Update: Click the Update button to refresh the log entries display.
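Working with the journal inside a support snapshot, as an added example that is not Phoenix Contact tooling: it opens the tar.gz (page 19), counts the firewall entries by the log prefixes fw-forward-, fw-forward-policy- and fw-forward-testmode (pages 48, 52 and 67), and, before the archive goes to support, scans every file in it for anything that looks like a password or a private key, which page 20 says a snapshot must not contain. The archive is constructed in memory; the member name "journal.log" and the text that follows each prefix are assumptions, only the prefixes themselves come from the manual.

```python
"""Firewall entries and secret-marker check for a support snapshot
(pages 19/20, 48, 52, 67).

Added example, not Phoenix Contact tooling. The archive is constructed in
memory; the member name "journal.log" and the line format after each
prefix are assumptions. Only the prefixes come from the manual.
"""
import collections
import io
import re
import tarfile
from typing import Dict, Iterator, List, Optional, Tuple

# Longest prefix first: "fw-forward-" is a prefix of the other two.
LOG_PREFIXES = ("fw-forward-testmode", "fw-forward-policy-", "fw-forward-")

# Markers that must not appear anywhere in a snapshot according to page 20.
SECRET_PATTERNS = (
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
)

# Constructed journal excerpt (format assumed; only the prefixes are documented).
JOURNAL = """\
2019-10-09T21:59:58 ntp: synchronized to 0.pool.ntp.org
2019-10-09T22:00:01 fw-forward-accept: TCP 10.1.0.10 -> 192.168.1.150:502
2019-10-09T22:00:02 fw-forward-policy-drop: UDP 10.1.0.20 -> 192.168.1.150:161
2019-10-09T22:00:03 fw-forward-testmode: alarm TCP 10.1.0.30 -> 192.168.1.150:44818
2019-10-09T22:00:05 fw-forward-reject: TCP 10.1.0.40 -> 192.168.1.1:443
"""


def classify(line: str) -> Optional[str]:
    """Return the firewall log prefix a journal line carries, or None."""
    for prefix in LOG_PREFIXES:
        if prefix in line:
            return prefix
    return None


def build_snapshot(journal: str, extra: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed snapshot tar.gz with a journal and optional extra files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = {"snapshot/journal.log": journal, **(extra or {})}
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def text_members(archive: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (member name, decoded text) for every regular file in the archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                stream = tar.extractfile(member)
                if stream is not None:
                    yield member.name, stream.read().decode("utf-8", "replace")


def firewall_log_summary(archive: bytes) -> Dict[str, int]:
    """Count journal lines per firewall log prefix."""
    counts: collections.Counter = collections.Counter()
    for name, text in text_members(archive):
        if not name.endswith("journal.log"):      # assumed member name
            continue
        for line in text.splitlines():
            prefix = classify(line)
            if prefix:
                counts[prefix] += 1
    return dict(counts)


def find_secret_markers(archive: bytes) -> List[Tuple[str, str]]:
    """(member, pattern) pairs for anything that looks like a credential."""
    hits = []
    for name, text in text_members(archive):
        for pattern in SECRET_PATTERNS:
            if pattern.search(text):
                hits.append((name, pattern.pattern))
    return hits


if __name__ == "__main__":
    snap = build_snapshot(JOURNAL)
    print(firewall_log_summary(snap))
    print("secret markers:", find_secret_markers(snap))
```

For a real snapshot, pass the downloaded file's bytes to firewall_log_summary and find_secret_markers; an empty result from the second is the condition under which the archive can be handed to a third party, and a non-empty one names the member to look at first.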
  • Page 69: 12 Appendix

    12.2 Using smart mode: The use of smart mode is described in the “FL MGUARD 1000 – Installation and startup” user manual (UM EN FL MGUARD 1000), available in the download area of the corresponding product page in the Phoenix Contact web shop, for example, under phoenixcontact.net/product/1153078.
  • Page 71 The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Phoenix Contact to furnish information on modifications to products and/or technical documentation. You are responsible to verify the suitability and intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations.
  • Page 72 Should you have any suggestions or recommendations for improvement of the contents and layout of our manuals, please send your comments to: tecdoc@phoenixcontact.com 72 / 72 PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany phoenixcontact.com...
  • Page 74 PHOENIX CONTACT GmbH & Co. KG Flachsmarktstraße 8 32825 Blomberg, Germany Phone: +49 5235 3-00 Fax: +49 5235 3-41200 E-mail: info@phoenixcontact.com phoenixcontact.com...
