Table of Contents
About IEC-G102-BP Series
  Introduction
  Main Functions
Getting Started
  Getting Started Task List
  Opening the Management Console
  Changing the Administrator’s Password
The System Screen
  System Information
  Configuring Syslog Settings
  Syslog Severity Levels
  Syslog Severity Level Mapping Table
The System Time Screen
  Configuring System Time
The Back Up/Restore Screen
  Backing Up a Configuration
  Restoring a Configuration
The Firmware Management Screen
Terms and Acronyms
The following table lists the terms and acronyms used in this document.
Term/Acronym    Definition
CEF             Common Event Format
DPI             Deep Packet Inspection
EWS             Engineering Workstation
HMI             Human-Machine Interface
ICS             Industrial Control System
SDC             Security Dashboard Console
PLC             Programmable Logic Controller
SCADA           Supervisory Control And Data Acquisition...
Ethernet LAN ports. Users can access its web-based management console that provides a graphical user interface for policy management. The whole management process is designed to comply with the manufacturing SOP of the industry. The IEC-G102-BP Series protects your individual assets with OT visibility, cybersecurity, and OT protocol whitelisting.
IEC-G102-BP Series About IEC-G102-BP Series
Main Functions
The IEC-G102-BP Series is a transparent network security device. Below are the main functions of the product:
Extensive Support for Industrial Protocols
The IEC-G102-BP Series supports the identification of a wide range of industrial control protocols, including Modbus and other protocols used by industry leaders such as Siemens, Mitsubishi, Schneider Electric, ABB, Rockwell, Omron, and Emerson.
Getting Started
This chapter describes the IEC-G102-BP Series and how to get started with configuring the initial settings. The following topics are covered in this chapter:
• Getting Started Task List
• Opening the Management Console
• Changing the Administrator’s Password...
Getting Started Task List
This task list provides a high-level overview of all procedures required to get the IEC-G102-BP Series up and running as quickly as possible. Each step links to more detailed instructions later in the document.
Password: moxa
3. Click Log On.
4. When you log in for the first time, the IEC-G102-BP Series will ask you to create a new admin account and change the default password for security reasons.
5. The login screen will appear again. Use the new admin account and password to log in.
Changing the Administrator’s Password
To change the password of the IEC-G102-BP Series, you must first log in through a web browser with proper credentials.
Steps:
1. In a web browser, type the address of the IEC-G102-BP Series in the following format: https://192.168.127.254, and the login screen will appear.
The System Screen
Monitor your system information, system status, and system resource usage on the system screen. The following topics are covered in this chapter:
• System Information
• System Status
• Resource Monitor...
System Information
This widget shows the time when the system started, name of the device, model name of the device, version of the firmware on the device, firmware build date/time, and the IP address settings of the device.
The assets listed on the screen are automatically detected by the IEC-G102-BP Series devices.
NOTE The term asset in this chapter refers to the devices or hosts that are protected by the IEC-G102-BP Series.
The following topics are covered in this chapter: ...
IEC-G102-BP Series The Visibility Screen
Viewing Asset Information
Steps:
1. Go to [Visibility] > [Assets View].
2. Click an asset icon and view its detailed information.
3. The [Assets Information] pane shows the following information for the asset:
Field          Description
Vendor Name    The vendor name of the asset.
Viewing Real-time Network Application Traffic
Steps:
1. Go to [Visibility] > [Assets View].
2. Click an asset icon and view its detailed information.
3. The [Real Time Network Application Traffic] pane shows a list of network traffic statistics of the asset...
The Device Screen
This chapter describes how to set up the network settings and port configurations for the device. The following topics are covered in this chapter:
• Configuring Network Settings
• Configuring Interface Link Mode for Ports...
Configuring Network Settings
NOTE Access to the [Network Settings] pane depends on the current device operation mode set in the [Configuring Security Operation Mode] section. If the device is set to the Inline Mode, [Network Settings] can be accessed through either physical Port 1 or Port 2.
The Object Profiles Screens
Object profiles simplify policy management by storing configurations that can be used by the IEC-G102-BP Series. You can configure the following types of object profiles for this device:
• IP Object Profile: Contains the IP addresses that you can apply to a policy rule.
•...
Configuring IP Object Profile
You can configure the IP address in an IP object profile, which can be used by other policy rules. The types of IP address you can assign are:
• Single IP address
•...
Configuring Service Object Profile
In a service object profile, you can define the following:
• TCP protocol port range
• UDP protocol port range
• ICMP protocol type and code
• Custom protocol with specified protocol number
NOTE The term ‘protocol number’...
Configuring Protocol Filter Profiles
A protocol filter profile contains more sophisticated and advanced protocol settings that you can apply to a policy rule. The following can be configured in a protocol filter profile:
•...
Specifying Commands Allowed in an ICS Protocol
When configuring an ICS protocol, you can specify which commands will be included in the protocol profile, as the following picture shows.
Enabling the Drop Malformed Option for an ICS Protocol
When configuring an ICS protocol, you can enable the [Drop Malformed] function for specific protocols from the protocol profile.
Advanced Settings for the Modbus Protocol
The device features more detailed configurations for the Modbus ICS protocol. Through the [Advanced Settings] pane, you can further specify the function code, unit ID, and address or address range against which the function will operate.
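The per-request check that the Modbus advanced settings describe (function code, unit ID, address range), together with a malformed-frame test, written out as an added example; it is not Moxa's implementation or code from the manual. The `Rule` fields, the `decide` verdicts, and the sample policy are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

READ_OR_MULTI = {1, 2, 3, 4, 15, 16}   # PDU begins: address (2), quantity (2)
WRITE_SINGLE = {5, 6}                   # PDU is: address (2), value (2)

@dataclass(frozen=True)
class Rule:                             # hypothetical allowlist entry
    function_code: int
    unit_id: int
    addr_range: Optional[Tuple[int, int]] = None   # inclusive; None = any

def build(unit_id: int, pdu: bytes, tid: int = 1) -> bytes:
    # Helper for constructed samples: wrap a PDU in a Modbus/TCP MBAP header.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_request(frame: bytes):
    """Return (unit_id, function_code, first_addr, last_addr), or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length counts unit ID + PDU
        return None
    fc, body = frame[7], frame[8:]
    if fc in READ_OR_MULTI:
        if len(body) < 4:
            return None
        addr, qty = struct.unpack(">HH", body[:4])
        if qty == 0 or addr + qty - 1 > 0xFFFF:
            return None
        if fc in (15, 16):                       # multi-write carries a byte count
            want = 2 * qty if fc == 16 else (qty + 7) // 8
            if len(body) != 5 + want or body[4] != want:
                return None
        elif len(body) != 4:
            return None
        return unit, fc, addr, addr + qty - 1
    if fc in WRITE_SINGLE:
        if len(body) != 4:
            return None
        addr = struct.unpack(">H", body[:2])[0]
        return unit, fc, addr, addr
    return unit, fc, None, None                  # no address field modelled here

def decide(frame: bytes, rules) -> str:
    """Return 'malformed', 'allow' or 'deny' for one request frame."""
    req = parse_request(frame)
    if req is None:
        return "malformed"
    unit, fc, first, last = req
    for rule in rules:
        if (rule.function_code, rule.unit_id) != (fc, unit):
            continue
        if rule.addr_range is None:
            return "allow"
        lo, hi = rule.addr_range
        # The whole span must fit: a request that starts inside the range
        # but runs past its end is not covered by the rule.
        if first is not None and lo <= first and last <= hi:
            return "allow"
    return "deny"

# Constructed sample policy: unit 1 may read registers 0-99 and write 100-101.
RULES = [Rule(3, 1, (0, 99)), Rule(16, 1, (100, 101))]
```

The span check matters most for multi-register requests: a read of ten registers starting at address 95 begins inside the allowed range but ends at 104, so it is denied.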
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
• Any - Specify all available commands or function access in this protocol.
Steps
1. Go to [Object Profile] > [Protocol Filter Profile].
2. Click [Add] to add a protocol filter profile. The [Create Protocol Filter Profile] screen will appear.
3. Type a protocol filter profile name.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
• Any - Specify all available commands or function access in this protocol.
• If you want to specify a custom service code, select [Custom Service Code] and input a service code in the [Custom Service Code] field.
• Click [Add].
• Repeat the above steps if you want to add more protocol definition entries.
Steps
1. Go to [Object Profile] > [Protocol Filter Profile].
2. Click [Add] to add a protocol filter profile. The [Create Protocol Filter Profile] screen will appear.
3. Type a protocol filter profile name.
4. Type a description.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
•...
• If you want to specify one or more sub-function codes, select [Preset Sub-function Code] and move the sub-function code(s) from the [Available Sub-function Code] to the [Selected Sub-function Code] field.
• If you want to specify a custom sub-function, select [Custom Sub-function Code] and input a sub-function code in the [Custom Sub-function Code] field.
3. Type a protocol filter profile name.
4. Type a description.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
•...
• Click [Add].
• Repeat the above steps if you want to add more protocol definition entries.
• Click [OK].
6. In the [General Protocol] pane, select the protocols you want to include in the protocol filter.
Advanced Settings for SLMP
The device features more detailed configurations for the SLMP ICS protocol. Through the [Advanced Settings] pane, you can further specify the command code against which the function will operate.
Steps
1.
3. Type a protocol filter profile name.
4. Type a description.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
•...
• Click [Add].
• Repeat the above steps if you want to add more protocol definition entries.
• Click [OK].
6. In the [General Protocol] pane, select the protocols you want to include in the protocol filter.
Advanced Settings for MELSOFT
The device features more detailed configurations for the MELSOFT ICS protocol. Through the [Advanced Settings] pane, you can further specify the command code against which the function will operate.
Steps
1.
3. Type a protocol filter profile name.
4. Type a description.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
• Any - Specify all available commands or function access in this protocol.
• Click [Add].
• Repeat the above steps if you want to add more protocol definition entries.
• Click [OK].
6. In the [General Protocol] pane, select the protocols you want to include in the protocol filter.
Advanced Settings for TOYOPUC
The device features more detailed configurations for the TOYOPUC ICS protocol. Through the [Advanced Settings] pane, you can further specify the command code, preset sub-command code, and custom sub-command code against which the function will operate.
3. Type a protocol filter profile name.
4. Type a description.
5. In the [ICS Protocol] pane, select the protocols you want to include in the protocol filter.
a. Click [Settings] next to a protocol, and select one of the following:
•...
• If you want to specify one or more sub-command codes, select [Preset Sub-cmd Code] and move the command code(s) from the [Available Sub-cmd Code] field to the [Selected Sub-cmd Code] field.
• If you want to specify a custom sub-command code, select [Custom Sub-cmd Code] and input a service code in the [Custom Sub-cmd Code] field.
6. In the [General Protocol] pane, select the protocols you want to include in the protocol filter.
7. Click [OK].
Configuring IPS Profiles
An IPS profile contains more sophisticated pattern rules for more granular control and can be applied to policy rules.
Steps
1. Go to [Object Profile] > [IPS Profile].
2. Click [Add] to add an IPS profile. The [Create IPS Profile] screen will appear.
3. Type a name for the IPS profile.
4. Type a description.
When you are done configuring the pattern rule, click [Save].
The Security Screens
This chapter describes the general security settings, cybersecurity, and policy enforcement. The following topics are covered in this chapter:
• Security General Settings
• Configuring Security Operation Mode
• Cybersecurity
• Configuring Cybersecurity – Denial of Service Prevention ...
Offline Mode
Data packets are mirrored from a core switch or another type of switch to port 2 of the IEC-G102-BP Series, which continuously detects and monitors the traffic and outputs detection logs if threat events are detected.
NOTE By default, Port 1 of the IEC-G102-BP Series functions as the management port, which connects to another switch, allowing the IEC-G102-BP Series to be managed by SDC.
Configuring Security Operation Mode
Steps:
1. Go to [Security] > [Security General Setting]
2.
Cybersecurity
This device features cybersecurity, which covers both intrusion prevention and denial of service attack prevention. The signature rules of intrusion prevention are called ‘DPI (Deep Packet Inspection) Pattern’. This pattern can be regularly updated through SDC as well as by manual import via the device’s web management UI.
Policy Enforcement
Policy enforcement allows you to define a custom protocol that matches an industrial protocol, and then whitelist or blacklist activities fitting that protocol in your network environment.
Configuring Policy Enforcement
Steps:
1. Go to [Security] > [Policy Enforcement].
Adding Policy Enforcement Rules
Steps:
1. Configure the required object or objects.
• IP object profiles - For more information, see Configuring IP Object Profile.
• Service object profiles - For more information, see Configuring Service Object Profile.
9. At the [Destination IP / IP Object Profile] drop-down menu, select one of the following for the destination IP address(es):
•
• Single IP
• IP Range
• IP Subnet
• Object
10. At the [Service Object] drop-down menu, select one of the following for the layer 4 criteria:
•...
NOTE When more than one policy enforcement rule is matched, the IEC-G102-BP Series takes the action of the rule with the highest priority, and ignores the rest of the rules. The rules are listed on the table of the UI...
This chapter describes how to view the pattern information and how to import a DPI (Deep Packet Inspection) pattern to the IEC-G102-BP Series device. The DPI pattern contains signatures to enable the intrusion prevention feature on the device. The intrusion prevention feature detects and prevents behaviors related to network intrusion attempts or targeted attacks at the network level.
IEC-G102-BP Series The Pattern Screens
Viewing Device Pattern Information
Steps:
1. Go to [Pattern] > [Pattern Update]
2. At the [Pattern Update] screen you will see the following pane.
3. The [Device Pattern Information] pane shows the [Current Pattern Version] and [Pattern Build Date]...
The Log Screens
This chapter describes the system event logs and security detection logs you can view on the management console. You can view the following logs on the operational technology defense console:
• Viewing Cybersecurity Logs
• Viewing Policy Enforcement Logs ...
Viewing Cybersecurity Logs
The cybersecurity logs include events detected by both the intrusion prevention and denial of service prevention features.
Steps:
Go to [Logs] > [Cyber Security Logs].
The following table describes the log table.
Viewing Policy Enforcement Logs
The policy enforcement logs cover logs created by the [Policy Enforcement] feature without [Protocol Filter] being enabled, i.e., the [Action] of the policy enforcement rule is either to allow or to deny. The protocol filter is not used in the policy rule.
L7 Protocol Name    The layer 7 protocol name of the connection. The term layer 7 refers to the one defined in the OSI (Open Systems Interconnection) model.
Cmd / Fun No        The command or the function number that triggered the log.
The Administration Screens
This chapter describes the available administrative settings for the IEC-G102-BP Series device. The following topics are covered in this chapter:
• Account Management
• Built-in User Accounts
• Adding a User Account ...
Account Management
NOTE Log in to the management console using the default administrator account (“admin”) to access the Accounts screens.
This system uses role-based administration to grant and control access to the management console. Use this feature to assign specific management console privileges to the accounts and present them with only the tools and permissions necessary to perform specific tasks.
Built-in User Accounts
The following table lists the built-in user accounts in the device.
Built-in Account ID    User Role    Default Password
admin                  Admin        moxa
auditor                Auditor      moxa
NOTE The built-in user accounts cannot be deleted from the device.
Configuring Password Policy Settings
The IEC-G102-BP Series provides the following password policy settings to enhance web console access security:
• Password complex settings
Specify password complexity settings to enforce strong passwords. For example, you can specify that users must create strong passwords that contain a combination of both uppercase and lowercase letters, numbers, and symbols, and which are at least eight characters in length.
Configuring Device Name and Device Location Information
Steps:
1. Go to [Administration] > [System Management].
2. In the [System Setting] pane, provide the host name and location information for the device.
Configuring Control List Access from Management Clients
Steps:
1.
Telnet protocols are used for connecting to the CLI commands.
The Sync Setting Screen (Pro Version)
The IEC-G102-BP Series can be managed by Moxa SDC (Security Dashboard Console). Use this screen to register the IEC-G102-BP Series to a Moxa SDC.
The Syslog Screen
The IEC-G102-BP Series system maintains Syslog events that provide summaries of security and system events. Common Event Format (CEF) syslog messages are used in the IEC-G102-BP Series. Configure the Syslog settings to enable the device to send the Syslog to a Syslog server.
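On the receiving Syslog server, a CEF message can be split into its seven header fields and its extension key/value pairs as in this added example, which is not from the manual or the device firmware. The sample line, the vendor and product names, and the extension keys are constructed placeholders, not the device's actual output.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")
# An extension key starts the string or follows whitespace, and ends at '='.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

def _unescape_ext(value: str) -> str:
    """Decode the backslash escapes CEF allows inside extension values."""
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1:i + 2]
        if value[i] == "\\" and nxt in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[nxt])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF message; raise ValueError if invalid."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    text, fields, cur, i = line[start + 4:], [], [], 0
    # Header fields are '|'-separated; '\|' and '\\' are escapes, so a field
    # that contains a pipe must not be allowed to shift the later fields.
    while i < len(text) and len(fields) < len(HEADER):
        ch, nxt = text[i], text[i + 1:i + 2]
        if ch == "\\" and nxt in ("|", "\\"):
            cur.append(nxt)
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == len(HEADER) - 1 and cur:   # header with no extension part
        fields.append("".join(cur))
    if len(fields) != len(HEADER):
        raise ValueError("incomplete CEF header")
    rest = text[i:]
    keys = list(_KEY.finditer(rest))
    ext = {}
    for key, following in zip(keys, keys[1:] + [None]):
        end = following.start() if following else len(rest)
        ext[key.group(1)] = _unescape_ext(rest[key.end():end].strip())
    event = dict(zip(HEADER, fields))
    event["extension"] = ext
    return event

# Constructed sample line (placeholder names and documentation IP addresses).
SAMPLE = (r"<134>Jan  1 00:00:00 gw CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
          r"Policy \| Deny|5|src=192.0.2.10 dst=192.0.2.20 msg=write blocked id\=7")
```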
Syslog Severity Levels
The Syslog severity level specifies the type of messages to be sent to the Syslog server.
Level Severity Description
Emergency • Complete system failure Take immediate action.
Critical • Primary system failure Take immediate action.
The System Time Screen
The Network Time Protocol (NTP) synchronizes computer system clocks across the Internet. Configure NTP settings to synchronize the server clock with an NTP server, or manually set the system time.
Configuring System Time
Steps:
1.
The Back Up/Restore Screen
Export settings from the management console to back up the configuration of your IEC-G102-BP Series. If a system failure occurs, you can restore the settings by importing the configuration file that you previously backed up.
Name], [Partition Status], [Firmware Version] and [Firmware Build Date].
NOTE The IEC-G102-BP Series can have up to two firmware versions installed. Each firmware is installed in its own separate partition. At any given point in time, one partition will have the status of [Running], which indicates the currently running and active firmware.
Rebooting and Applying Firmware
To boot into an upgraded firmware or to revert to a previous firmware, a user may need to boot into the [Standby] partition and load the firmware from there.
Steps:
1. Go to [Administration] > [Firmware Management].
Supported USB Devices
This chapter describes the USB devices that can be used with the IEC-G102-BP device for extended or supporting functionality. To ensure optimal operation, only use the USB devices listed below.
Model Device Type
Moxa Backup Configurator (ABC-02 Series) USB Disk Drive Model: ABC-02-USB-T
Pattern Loading Function...
3. Upon successful detection of the USB disk device, the “USB” LED will change to steady green. The system log can also be checked to confirm that a supported USB disk device was properly detected when inserted.
9. If any error occurs when an action is being attempted, the following LEDs will indicate it as shown below:
Action                                                            COLOR/STATE
Error Indication (any error while action was being processed)    Fault LED: Red – Steady...