Latest safety instructions for your product
Support
Overview FL MGUARD 2000/4000 series
Product overview
New device platform FL MGUARD 2000/4000
Scope of supply
Default settings
FL MGUARD 2102/2105 and 4302/4305
Device description
FL MGUARD 2000/4000 product family
Operating the device in router mode
Remote configuration
Starting up a device with a stored configuration from an SD card
Using web-based management
Restarting the device (reboot)
Using the Generic Administration Interface (GAI)
Smart mode
...
The devices of the FL MGUARD series are security routers for industrial use, with integrated stateful packet inspection firewall and VPN. They are suitable for distributed protection of production cells or individual machines against manipulation and for secure remote maintenance. 5 / 78 PHOENIX CONTACT 110192_en_06...
– The devices are not intended for private use. They may only be used and operated in the commercial or industrial sector.
Modifications to the product
Modifications to hardware and firmware of the device are not permitted.
(ISMS) to manage all of the infrastructure-based, organizational, and personnel measures that are needed to ensure compliance with information security directives. Furthermore, Phoenix Contact recommends that at minimum the following measures are taken into consideration. More detailed information on the measures described is available on the following websites (last accessed on 2023-09-15;...
Incident Response Team (PSIRT) website regarding any published vulnerabilities.
Assure the integrity of downloaded files
Phoenix Contact provides checksums of files that can be downloaded on the product page for the respective device.
• To ensure that the downloaded firmware or update files as well as downloaded docu-...
Latest safety instructions for your product
Product Security Incident Response Team (PSIRT)
The Phoenix Contact PSIRT is the central team for Phoenix Contact as well as for its subsidiaries, authorized to respond to potential security vulnerabilities, incidents and other security issues related to Phoenix Contact products, solutions as well as services.
The usage of snapshots is described in the user manual "Web-based management" (UM EN FW MGUARD10). Available in the download area of the corresponding product page in the Phoenix Contact Web Shop, e.g., at phoenixcontact.net/product/1357828.
The FL MGUARD 2000 series devices are a version with basic firewall and integrated IPsec VPN and OpenVPN with a maximum of 2 VPN tunnels. Their scope of functions is reduced to the essentials.
Certain functions of the old device platform are no longer supported on the new device platform.
Hardware
The new mGuard models of the FL MGUARD 2000/4000 series are offered without a serial interface and internal modem. In case of the DIN rail devices, the connections for the power supply as well as digital inputs...
Overview FL MGUARD 2000/4000 series
2.2.2 Newly added functions
Variables have been added to the new device platform that are not available on the old device platform.
Table 2-3 Newly added functions / variables
New variable in WBM | New function / Impact of migration...
2.2.3 Changed default settings
In a few cases, the default settings of existing variables on the old and new device platform differ.
Table 2-4 Changed default settings
Function | Changed default settings / Impact of migration...
2.2.4 Changed variable values
In a few cases, variable values are no longer available on the new device platform and are replaced by other values.
Table 2-5 Changed variable values
Function | Changed variable values / Impact of migration...
Immediately upon delivery, refer to the delivery note to ensure that the delivery is complete.
• Submit claims for any transport damage immediately, and inform Phoenix Contact or your supplier as well as the shipping company without delay.
•...
Default settings
In the default settings (delivery state), the device is configured as described below.
2.4.1 Network interfaces
The basic network functions (Ethernet) of the device are available after the device start (see Table 2-6).
2.4.3 Active network services (device as client)
The following network services are activated by default on the device (as client).
Table 2-7 Default settings: active services (as client)
Service | Active via | Configuration (default settings)
DHCP client...
2.4.5 Firewall and device access
At the firewall, a distinction is made between incoming and routed data traffic:
– Incoming data traffic is the packets that are sent to the device (device access).
– Routed data traffic is the packets that are routed through the device, for example that come in via LAN (XF2) and go out via WAN (XF1).
Default settings: firewall (routed data traffic: packet filter >> outgoing rules)
All packets that are sent from the LAN network (XF2-5 or XF2-4) to any target addresses are forwarded by the device.
Default settings: firewall (routed data traffic: packet filter >>...
With the FL MGUARD 4305, a dedicated DMZ port with its own firewall rules enables segmentation and more differentiated security concepts.
FL MGUARD 2000: The FL MGUARD 2000 series devices are a version with basic firewall and integrated IPsec VPN and OpenVPN with a maximum of 2 VPN tunnels. Their scope of functions is reduced to the essentials.
The PF1 LED flashes (orange). with the rhythm of a O1: The PF3 LED flashes O1: The PF3 LED lights up heartbeat. O2: The PF4 LED flashes O2: The PF4 LED lights up
3.2.2 LNK/ACT and SPD
The LNK/ACT (Link/Activity) and SPD (Speed) LEDs indicate the status of the network connection of the related network port (see Section 3.2.5).
Figure 3-6 LED: LNK/ACT and SPD...
Green Supply voltage within the tolerance range (see Section (only FL MGUARD 4000 series) Supply voltage not present or too low (see Section Only FL MGUARD 4000 series devices have a redundant power supply.
3.2.4 FAIL
The FAIL LED indicates different statuses and error states of the device (see Section 3.2.5).
Figure 3-8 LED: FAIL
Service contact O1: The firewall rule set monitored via service contact O1 has been successfully activated.
Service contact O2: The VPN connection monitored via service contact O2 is being established. (LED states: Heartbeat, Flashing)
Table 3-5 System states visualized by the illumination and flashing behavior of LEDs
FAIL Description of the system state (green) (green) (green) (green) (ERR) (FAULT) (red) (red)
Service contact O2: The VPN connection monitored via service contact O2 has been successfully established. (LED state: Heartbeat)
FLASH PROCEDURE: The signature of the firmware image is not valid.
FLASH PROCEDURE: Failed to load the installation script.
FLASH PROCEDURE: The signature of the installation script is not valid.
FLASH PROCEDURE: The rollout script failed.
Mounting and removal
NOTE: Device damage
Only mount or remove the device when disconnected from the voltage.
The device is intended for installation in a control cabinet. Mount the device on a clean DIN rail in accordance with DIN EN 50 022.
DIN 46228-1
Cross-section: 0.5 mm, Length: 8 mm … 10 mm
Cross-section: 0.75 mm, Length: 8 mm … 10 mm
Cross-section: 1 mm, Length: 8 mm … 10 mm
Cross-section: 1.5 mm, Length: 10 mm
Connecting the supply voltage
NOTE: Electrical voltage
The module is designed exclusively for operation with safety extra-low voltage (SELV/PELV). In redundant operation, both power supplies must satisfy the requirements of the safety extra-low voltage. Provide overcurrent protection (I ≤ 5 A) in the installation.
Only use shielded twisted pair cables and corresponding shielded RJ45 connectors. Insert the Ethernet cable with the RJ45 connector into a port of the twisted pair interface (network interface 1 or 2), until the connector engages with a click.
Connecting switching inputs and switching outputs (I/Os)
NOTE: Do not connect the voltage and ground outputs (O1–3 and GND) to an external voltage source.
The connecting cables for inputs and outputs must not be longer than 30 meters.
FL MGUARD 2102/2105 and 4302/4305
Using an SD card
Please note that correct function of the SD card and the product can only be ensured when using a Phoenix Contact SD card (e.g., SD FLASH 2GB - 2988162).
Ensure that unauthorized persons do not have access to the SD card.
FL MGUARD 4102 PCI(E)
Table 4-1 Currently available products
Product designation | Phoenix Contact item number
FL MGUARD 4102 PCI | 1441187
FL MGUARD 4102 PCIE | 1357842
Product description
The FL MGUARD 4000 series devices are security routers with intelligent stateful packet inspection firewall and integrated IPsec VPN and OpenVPN with up to 250 VPN tunnels.
LNK/ACT (XF1/2) LAN, Green: Link active
Flashing: Data packets are being transmitted.
Link not active
SPD and LNK/ACT, various LED light codes: Rescue procedure / Flashing the firmware (Section 6.3, “Flashing the firmware (Rescue mode)”)
4.2.2 PF1 / FAIL
The PF1 / FAIL LED (green/red) indicates different statuses and error states of the device.
Figure 4-4 LED: PF1 / FAIL
Table 4-3 LED: PF1 / FAIL
Designa- Color Status...
Install the FL MGUARD PCI4000 in a free PCI or PCI Express slot (PCI: 3.3 V and 5 V | PCIE: 3.3 V and 12 V). Observe the notes in the documentation for your system.
Connecting to the network
The network can be connected (depending on the device) via RJ45 ports using twisted pair cables (IEEE 802.3i/u/ab).
NOTE: Telecommunications connections
Connect the network connections (Ethernet) of the device to LAN installations only.
Using an SD card
Please note that correct function of the SD card and the product can only be ensured when using a Phoenix Contact SD card (e.g., SD FLASH 2GB - 2988162).
Ensure that unauthorized persons do not have access to the SD card.
5.2.2 Remote configuration via the WAN port
An initial remote configuration via the WAN port (HTTPS or SSH) is not possible because this is prevented by the preset firewall rules (see also Section 5.4).
Operating the device in router mode
If the device is operated in router mode, it acts as gateway between different subnets (see Figure 5-1).
Figure 5-1 Operating the device in router mode (example configuration)
The data is routed between the two network interfaces of the device.
Example:
• Open the Windows start menu and type “cmd” to open a command line.
• Enter the command “ipconfig” and press the Enter button.
⇒ IPv4 address, subnet mask and default gateway of the Ethernet adapter are displayed.
Obtaining the IP setting per DHCP
To automatically obtain the IP setting of the configuration computer, proceed as follows (e.g. Microsoft Windows):
• Open the Windows start menu and type “Control Panel”.
• Open (Network and Internet) / Network and Sharing Center
•...
Initial startup
⇒ From the answer to the ping request, you can tell whether the device reacts to requests from the configuration computer.
5.3.3 Assigning the IP address via BootP
After assigning an IP address via BootP, access via IP address 192.168.1.1 is no longer possible.
The device uses the BootP protocol for IP address assignment. The IP address can also be assigned via BootP.
The device can then be configured via the web interface. Information on this is available in the user manual UM EN FW MGUARD10 “Web-based management” in the Phoenix Contact online shop at phoenixcontact.net/product/1357828.
For security reasons, change the root and administrator passwords during initial configuration.
Remote configuration
The option for remote configuration is deactivated and blocked by the firewall settings by default.
Remote access is activated under Management >> System Settings >> Shell Access or Management >> Web Settings >> Access.
Enter the IP address of the connected network interface of the device in the address line of the web browser (e.g., https://192.168.1.1). ⇒ Since Phoenix Contact supplied the device with a self-signed security certificate that is unfamiliar to your browser, a certificate warning appears. Figure 5-5 Certificate warning (Firefox) •...
⇒ The login page of web-based management opens.
Figure 5-6 Login page of web-based management
• Log in with the admin or root user name and the associated administrator password (default settings: mGuard or root).
• Release the Mode button.
⇒ The device is restarted.
Procedure (PCI cards)
• Press and hold the Mode button for approx. 3 seconds.
• Release the Mode button.
⇒ The device is restarted.
Restoring the configuration access (Recovery mode)
Passwords and installed licenses are retained and are not reset to default settings.
Applications
– The IP configuration of the device is not known. It is therefore no longer possible to access the device.
Select the configuration profile created during the recovery procedure named “Recovery-DATE” (e.g., “Recovery-2022.04.01-18:02:50”).
• Click on the “Edit profile” icon to analyze the configuration profile and subsequently restore it with or without changes.
• Click on the “Save” icon to apply the changes.
Flashing the firmware (Rescue mode)
Applications
– A new firmware version is to be installed on the device.
– The administrator password is not known. It is therefore no longer possible to log in to the device.
TFTP server if no SD card is found.
Downloading the flash file
• Open the product website in the Phoenix Contact online shop at: phoenixcontact.com/products.
• Select the Downloads tab and the Firmware update category.
Performing a flash procedure (PCI cards)
NOTE: Damage to the device in case of premature termination
Do not restart the device until the flash procedure is completed. (Duration: approximately 2 minutes)
•...
Carry out the flash process as described for your device.
Loading configuration profile from the TFTP server
In order to load and activate a configuration profile during the flash process, see the description in Section 6.3.3.
NOTE: Third-party software
Phoenix Contact does not undertake any guarantee or liability for the use of third-party products. Any reference to third-party software does not constitute a recommendation, rather serves as an example of a program that could be used.
The mGuard image files must be saved in the /tftpboot directory: e.g., install.aarch64.p7s, firmware.img.aarch64.p7s. Then restart the inetd process to apply the configuration changes. If you are using a different mechanism, e.g., xinetd, please consult the corresponding documentation.
6.3.3.1 TFTP server: Error messages
During the flash process, the mGuard device searches by default for the files rollout.sh, license.lic and <Seriennummer>.lic. If these files are not available, a corresponding error message is displayed:
File rollout.sh: error 2 in system call CreateFile The system cannot find the file specified.
Device defect and repair
Repairs may only be carried out by Phoenix Contact.
• Send defective devices back to Phoenix Contact for repair or to receive a replacement device.
• We strongly recommend using the original packaging to return the product.
The symbol with the crossed-out trash can indicates that this item must be collected and disposed of separately. Phoenix Contact or our service partners will take the item back for free disposal. For information on the available disposal options, visit www.phoenixcontact.com.
Housing dimensions (width x height x depth) in mm: 45 x 130 x 130 (depth from top edge of DIN rail)
Net weight: 302 g 446 g
Firmware and power values
Supported firmware: mGuard 10.2.0 or later
Firmware and power values
Management support: Web-based management (HTTPS) | SSH | GAI Config | SD card
Supply voltage (US1/US2) (US2 only with FL MGUARD 4305)
Connection: Via COMBICON connector (Push-in spring connection); maximum conductor cross section = 1.5 mm...
Immunity in accordance with EN 61000-4-5 (IEC 1000-4-5) (surge)
Requirements in accordance with DIN EN 61000-6-2
Data cables: Test intensity 2, criterion B
Power supply: Test intensity 1, criterion B
Service contacts: Test intensity 1, criterion B
FL MGUARD 2102 / FL MGUARD 4302
Table 8-2 Technical data (FL MGUARD 2102 / FL MGUARD 4302)
General data
Platform: Marvell Armada 3720
Network interfaces FL MGUARD 2102 / FL MGUARD 4302: 2 Ethernet interfaces with: –...
Test intensity 3, criterion B
Indirect discharge: Test intensity 3, criterion B
Immunity in accordance with EN 61000-4-3 (IEC 1000-4-3) (electromagnetic fields)
Requirements in accordance with DIN EN 61000-6-2
Test intensity 3, criterion A
Conformance with EMC directives
Immunity in accordance with EN 61000-4-6 (IEC 1000-4-6) (conducted)
Requirements in accordance with DIN EN 61000-6-2
Test intensity 3, criterion A
Immunity in accordance with EN 61000-4-4 (IEC 1000-4-4) (burst)
Requirements in accordance with DIN EN 61000-6-2...
Free PCI or PCI Express slot on the host system
Connection to functional ground: Via slot plate
Firmware and power values
Supported firmware: mGuard 10.1.0 or later
Management support: Web-based management (HTTPS) | SSH | GAI Config | SD card
Network interfaces
Properties of RJ45 connections
Number FL MGUARD 2102 FL MGUARD 4302
Connection format: 8-pos. RJ45 jack
Connection medium: Twisted-pair cable with a conductor cross section of 0.14 mm to 0.22 mm
Cable impedance...
The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Phoenix Contact to furnish information on modifications to products and/or technical documentation. You are responsible to verify the suitability and intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations.
Should you have any suggestions or recommendations for improvement of the contents and layout of our manuals, please send your comments to: tecdoc@phoenixcontact.com
PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany phoenixcontact.com