Moxa Technologies NAT-108 Series User Manual

Mx-ros v3

MX-ROS V3 - NAT-108
Series
User Manual
Version 1.0
March 2025


Summary of Contents for Moxa Technologies NAT-108 Series

  • Page 1 MX-ROS V3 - NAT-108 Series User Manual Version 1.0 March 2025...
  • Page 2: Table Of Contents

    Model Information, p. 31; Panel Status, p. 32; Panel View, p. 33; System Event Summary (Last 3 days), p. 35; CPU Usage History (%), p. 36; Memory Usage History (%), p. 36. MX-ROS V3 - NAT-108 Series - User Manual...
  • Page 3 Management Interface, p. 69; User Interface, p. 69; SNMP, p. 72; Ping Response, p. 75; Time, p. 80; System Time, p. 81; NTP/SNTP Server, p. 89; Setting Check, p. 90; Network Configuration, p. 92.
  • Page 4 Unicast Route, p. 134; Static Routes, p. 135; Routing Table, p. 138; NAT, p. 140; NAT - User Privileges, p. 140; NAT Rule List, p. 140; Create Index, p. 141; Edit NAT Rule, p. 161.
  • Page 5 Device Security, p. 197; Login Policy, p. 197; Trusted Access, p. 198; SSH & SSL, p. 201; Authentication, p. 204; Login Authentication, p. 204; RADIUS, p. 205; TACACS+, p. 206; MXview Alert Notification, p. 208.
  • Page 6 Firmware Image Recovery Overview, p. 271; Methodology, p. 271; How Dual-imaging Works, p. 272; Device Applications, p. 274; Device Applications Overview, p. 275; Network Segmentation, p. 276; About Network Segmentation, p. 276; Layer-2 Segments, p. 276.
  • Page 7 Example: Configuring 1-to-1 NAT for Device Management, p. 301; Scenario: Isolated Product Network with Limited Internet Access (NAT N-to-1), p. 304; Example: Configuring Interfaces for DMZ, p. 306; Example: Creating Firewall Rules for DMZ, p. 307.
  • Page 8 Supervisor, p. 326; Auditor, p. 326; Recommended Patching and Backup Practices, p. 327; Firmware Upgrade, p. 327; Configuration Backup, p. 327; Recommendations for Vulnerability Management, p. 328; Recommendations for Decommissioning, p. 329.
  • Page 9 Product Security Context, p. 351; Security Context of an Industrial Secure Router, p. 352; Security Context of an Industrial Ethernet Switch, p. 353; Appendix, p. 354; Destination Ports for Layer 3 – 7 Protocol, p. 355.
  • Page 10 System information in control direction, p. 369; Parameter in control direction, p. 369; File transfer, p. 369; LED Behavior, p. 371; NAT-108 Series LED Behavior, p. 371; MIB Groups, p. 372; MIB Tree Structure, p. 372.
  • Page 11 Options Menu, p. 407; System, p. 407; Network Configuration, p. 408; Network Service, p. 409; Routing, p. 409; NAT, p. 409; Firewall, p. 409; Certificate Management, p. 410; Security, p. 410; Diagnostics, p. 410.
  • Page 12: Overview

    Chapter 1 Overview
  • Page 13: Introduction

    UI features, technical concepts, and tasks you may encounter while using your MX-ROS device. The goal is to simplify your experience and make the setup process easier.
  • Page 14: What's In This Document

    Security Hardening Guide: This section gives you an overview of industrial network security and the related product features and best practices needed to help you better secure your application. Appendix: This section provides additional reference information for your device.
  • Page 15: Who This Document Is For

    You may also find the Security section useful for learning how to get more out of your Moxa device and to optimize your application.
  • Page 16: Supported Series And Firmware Versions

    Supported Features List. MX-ROS support may expand to other products in the future; please check the Moxa website for the latest information.
  • Page 17: Supported Features List

    Device Summary Setup Wizard System System Management Information Settings Firmware Upgrade Configuration Backup and Restore Account Management User Accounts Password Policy Management Interface User Interface Ping Response SNMP Time System Time NTP/SNTP Server
  • Page 18 MAC Address Table Network Interfaces Network Service DHCP Server Routing Unicast Route Static Routes Routing Table Firewall Layer 3 Policy Device Lockdown Certificate Management Local Certificate Trusted CA Certificate Certificate Signing Request Security
  • Page 19 Login Authentication RADIUS TACACS+ Server MXview Alert Notification Diagnostics System Status Utilization Network Status Network Statistics LLDP ARP Table Event Log and Notifications Event Log Event Notifications Syslog SNMP Trap/Inform Email Settings Tools
  • Page 20 Configuration Section Function NAT Series Ping
  • Page 21: Document Conventions

    Used to highlight important information in a paragraph or a table, such as indicating that a UI setting is only shown under certain conditions. Code/commands/CLI Used for code snippets, blocks, commands, and CLI output.
  • Page 22: Quick Start

    Chapter 2 Quick Start
  • Page 23: Using A Web Browser To Configure The Industrial Secure Router

    (the same as the Console password) and click LOG IN to continue. Note The default username is admin and the default password is moxa. We strongly recommend changing the password as soon as possible to ensure the security of your device.
  • Page 24 4. After successfully connecting to the router, the Device Summary screen will automatically appear. Use the menu tree on the left side of the window to open the function pages to access each of the router’s functions.
  • Page 26: Ui Reference

    Chapter 3 UI Reference
  • Page 27: Ui Reference Overview

    The rest of this section follows the order of the menu areas in the user interface: Device Summary, Setup Wizard, System, Network Configuration, Network Service, Routing, Firewall, Certificate Management, Security, Diagnostics
  • Page 28: The Mx-Ros User Interface

    4. All the configuration options and information of the selected function page will be shown here. 5. The name of the currently logged-in user is shown here. 6. Clicking in the top-right will expand the Options menu.
  • Page 29: Options Menu

    Reboot Reset to Default Settings Save Custom Default Log Out Reboot To manually reboot the device, click the Options ( ) icon in the upper-right corner of the page, and select Reboot.
  • Page 30: Reset To Default Settings

    Save Custom Default. Log Out To log out of the device, click the Options ( ) icon in the upper-right corner of the page, and select Log Out.
  • Page 31: Device Summary

    Device Summary Menu Path: Device Summary This page lets you see displays with information about your device and current status. Model Information This display shows basic information about your device.
  • Page 32: Panel Status

    This display shows the status LEDs of your device. For example, connected ports will be shown in green, while disconnected ports will be shown in gray. Click EXPAND to view more detailed information.
  • Page 33: Panel View

    ) icon in the Panel Status display will show your device's port status on a representative image of the device. This image will vary depending on your device. Click the Close ( ) icon in the upper-right corner to close the Panel View.
  • Page 34 Note Available LEDs may vary across different versions of devices. For more information about status LEDs and their behavior, refer to LED Behavior.
  • Page 35: System Event Summary (Last 3 Days)

    System Event Summary (Last 3 days) This display shows the event summary for the past three days. Click View All System Event Logs to go to the Event Log page to view event logs in more detail.
  • Page 36: Cpu Usage History (%)

    ) icon to refresh the graph. Memory Usage History (%) This display shows the device’s memory usage. The data will be shown as a percentage over time. Click the Refresh ( ) icon to refresh the graph.
  • Page 38: Setup Wizard

    In this step, you can set each port of your device to act as a LAN, WAN, or Bridge port. UI Setting Description Valid Range Default Value MG1 / MG2 Select whether to use this fiber port as a LAN, WAN, or Bridge port. LAN / WAN / Bridge
  • Page 39: Interface

    In this step, you can set up the connection interfaces for your device: LAN IP Configuration, Bridge IP Configuration, WAN Configuration. Note Some of these settings may not appear if there are no ports set to LAN, WAN, or Bridge.
  • Page 40: Lan Ip Configuration

    Valid subnet mask PPTP Dialup Set the PPTP Dialup connection details for your device. This section only appears if Static IP or Dynamic IP is set for WAN Configuration > Connect Type.
  • Page 41: Pppoe Dialup

    Specify the password for your PPTP connection. 1 to 31 characters Host Name Specify the host name for your PPPoE connection. 1 to 31 characters Service In this step, you can enable or disable services for your device.
  • Page 42: Confirm

    Interface to WAN (if Bridge Mode is Port) Enable or disable using N-1 NAT for bridge interfaces to WAN. Enabled / Disabled Enabled Confirm Confirm your settings, then click APPLY to save and apply your changes.
  • Page 43: System

    System > Account Management > User Accounts for more information on user accounts. Settings Admin Supervisor User System Management Information Settings Firmware Upgrade Configuration Backup and Restore Account Management User Account Password Policy Management Interface User Interface SNMP
  • Page 44: System Management

    Configuration Backup and Restore. Information Settings Menu Path: System > System Management > Information Settings This page lets you add additional information about the device to make it easier to identify on the network.
  • Page 45: Firmware Upgrade

    Menu Path: System > System Management > Firmware Upgrade This page lets you upgrade the firmware of your device. You can upgrade the firmware through the following methods: Local, TFTP
  • Page 46 Make sure the connection to the firmware source is not interrupted during the upgrade process. Local If you select Local as your Method, these settings will appear. The Local method lets you upload firmware directly from local storage on the host device.
  • Page 47 TFTP server. UI Setting Description Valid Range Default Value Server IP Address Specify the IP address of the TFTP server. IP address File Name Specify the filename of the firmware file. File name
  • Page 48 Select the firmware file on the USB device. If you select SCP as your Method, these settings will appear. The SCP (secure copy protocol) method lets you upload and install firmware from a remote system.
  • Page 49 If you select SFTP as your Method, these settings will appear. The SFTP method lets you upload and install firmware stored on a remote SFTP server. UI Setting Description Valid Range Default Value Account Enter the SFTP server account name. 1 to 31 characters
  • Page 50: Configuration Backup And Restore

    - Backup This page lets you create a backup of the current device configuration. There are multiple methods of backing up the device configuration: Local, TFTP, SFTP
  • Page 51 TFTP If you select TFTP as your Method, these settings will appear. The TFTP method lets you upload the configuration backup file to a remote TFTP server.
  • Page 52 USB drive whenever the configuration is changed. Note This feature requires USB Function to be enabled in System > Management Interface > Hardware Interface.
  • Page 53 Enabled / Disabled Disabled If you select SCP as your Method, these settings will appear. The SCP (secure copy protocol) method lets you upload the configuration backup file to a remote system.
  • Page 54 Enter the SFTP server account name. 1 to 31 characters Password Enter the SFTP server account password. 1 to 31 characters Server IP Address Specify the IP address of the SFTP server. Valid IP address
  • Page 55 TFTP, SFTP. Local If you select Local as your Method, these settings will appear. The Local method will restore from a configuration file on the local host.
  • Page 56: Tftp Server

    Disabled firmware version or earlier. Server IP Address Specify the IP address of the TFTP server. Valid IP address File Name Specify the file name of the configuration file to restore from.
  • Page 57 USB drive connected to the device. Note This feature requires USB Function to be enabled in System > Management Interface > Hardware Interface.
  • Page 58 A sys.ini configuration file If you select SCP as your Method, these settings will appear. The SCP (secure copy protocol) method allows you to restore from a configuration file on a remote system.
  • Page 59 Specify the file name of the configuration file to restore from. SFTP If you select SFTP as your Method, these settings will appear. The SFTP method allows you to restore from a configuration file on a remote SFTP server.
  • Page 60 Configuration Backup and Restore - File Encryption Menu Path: System > System Management > Configuration Backup and Restore - File Encryption This page lets you configure data encryption settings for exported configuration files.
  • Page 61: Account Management

    Account Management Menu Path: System > Account Management This section lets you manage the user accounts used to access the device. This section includes these pages: User Accounts, Password Policy
  • Page 62: User Accounts

    In compliance with the EU Radio Equipment Directive (RED), if the device includes wireless functionality, users must change the password upon first login.
  • Page 63: Create New Account

    ) icon on the System > Account Management > User Accounts page will open this dialog box. This dialog lets you create a new user account. Click CREATE to save your changes and add the new account.
  • Page 64 Management > Password Policy Note The new password must follow any requirements set on the System > Account Management > Password Policy page. Confirm Password Enter the password again to confirm. 4 to 64 characters
  • Page 65: Edit Account Settings

    UI Setting Description Valid Range Value Status Enable or disable this user account. Enabled / Disabled Username Shows the username for this account. The username cannot be changed. 4 to 32 characters
  • Page 66: Delete User Account

    Menu Path: System > Account Management > User Accounts You can delete user accounts by using the checkboxes to select the accounts you want to delete, then clicking the Delete ( ) icon.
  • Page 67: Password Policy

    Set the Minimum Length for passwords to 16. Enable the Password complexity strength check and enable all the requirement options. Set a Password Max-life-time to ensure that users change their password regularly.
  • Page 68 Must contain at least one special character (~!@#$%^&*- |:;,.<>{}[]()) (if Password complexity strength check is Enabled) Enable or disable requiring the password to contain at least one special character. Enabled / Disabled Disabled
  • Page 69: Management Interface

    Menu Path: System > Management Interface > User Interface This page lets you configure which interfaces can be used to access the device. Note For security reasons, users should access the device using the secure HTTPS and SSH interfaces.
  • Page 70 UI Setting Description Valid Range Default Value HTTP Enable or disable HTTP connections. Enabled / Disabled Enabled TCP Port (HTTP) Set the TCP port number for HTTP. 80, 1024 to 65535
  • Page 71 Set the TCP port number for SSH. 22, 1024 to 65535 Ping Response Tick the interfaces that should respond to ping. Drop-down check Note To ping a selected interface, make sure the interface is checked in Ping Response.
  • Page 72: Snmp

    SNMP Account SNMP - General Menu Path: System > Management Interface > SNMP - General This page lets you enable or disable SNMP. SNMP versions V1, V2c, and V3 are supported.
  • Page 73 Specify an engine ID to manage your device. 2 to 54 hexadecimal character string. The length of the string must be even. 800021f305 If User-Defined Engine ID is disabled, the engine ID will be view-only.
  • Page 74 Shows authority level of the management account. admin: Can read/write configuration settings. user: Can only read configuration settings. Authentication Type Shows the authentication type used for the account. Encryption Method Shows the encryption method used for the account.
  • Page 75: Ping Response

    Menu Path: System > Management Interface > Ping Response Policy This page allows you to configure and manage ping response policies that let you control how your device handles incoming ping requests.
  • Page 76 Note Ping response policies will override the default behavior. Interfaces Allowing Default Ping Response Select the interfaces to allow ping responses for by default. Drop-down list of interfaces Existing interfaces
  • Page 77 Shows the IP address and netmask to monitor for ping requests through this policy. Address/Netmask Action Shows whether the device will allow or deny ping responses for matching ping requests through this policy.
  • Page 78 for this policy. Any / Single IP / Subnet IP Address (If IP Type is Single IP or Subnet) Specify the IP address to monitor for ping requests through this policy. Valid IP Address
  • Page 79 ) icon for a policy on the page will open this dialog box. This dialog lets you edit an existing policy. Click APPLY to save your changes.
  • Page 80: Time

    Delete ( ) icon. Time Menu Path: System > Time This section lets you configure the system time settings for your device. This section includes these pages: System Time, NTP/SNTP Server
  • Page 81: System Time

    If you select Local as your Clock Source, these settings will appear. Local lets you set your device's system time manually, or you can copy the time from your local host by clicking SYNC FROM BROWSER. Click APPLY to save your changes.
  • Page 82 If you select SNTP as your Clock Source, these settings will appear. SNTP allows your device to update its system time from a Simplified Network Time Protocol (SNTP) time server. Click APPLY to save your changes.
  • Page 83 Network Time Protocol (NTP) server. Click APPLY to save your changes. Note When synchronizing device time using NTP, we recommend using NTP authentication to reduce cybersecurity risks.
  • Page 84 System Time - Time Zone Menu Path: System > Time > System Time - Time Zone This page lets you set the time zone settings of your device. Click APPLY to save your changes.
  • Page 85 Hour (if Daylight Saving Status is Enabled) Set the hour Daylight Saving time begins/ends. User-specified hour Minutes (if Daylight Saving Status is Enabled) Set the minute Daylight Saving time begins/ends. User-specified minute(s)
  • Page 86: Create Entry

    ) icon on the System > Time > System Time - NTP Authentication page will open this dialog box. This dialog lets you create a new NTP authentication key. Click CREATE to save your settings and create the new authentication key.
  • Page 87: Edit Entry

    ) icon for a key on the System > Time > System Time - NTP Authentication page will open this dialog box. This dialog lets you edit an existing authentication key. Click APPLY to save your settings.
  • Page 88: Delete Entry

    Specify the key string to use for the authentication key. 1 to 32 String characters Delete Entry You can delete authentication keys by using the checkboxes to select the keys you want to delete, then clicking the Delete ( ) icon.
  • Page 89: Ntp/Sntp Server

    Description Valid Range Value NTP/SNTP Server Enable or disable NTP/SNTP server functionality for clients: Enabled: Enable NTP/SNTP server functionality for clients. Disabled: Disable NTP/SNTP server functionality for clients. Enabled / Disabled Disabled
  • Page 90: Setting Check

    This page provides a double confirmation mechanism that allows you to verify configuration changes made by remote users before they are applied. Setting Check is available for the following configuration settings: Layer 3-7 Policy, Network Address Translate, Trusted Access
  • Page 91 Set the time (in seconds) the user has to confirm the changes. 10 to 3600 Note If the user does not confirm the changes within the specified time period, the system will automatically undo the changes.
  • Page 92: Network Configuration

    Settings Admin Supervisor User Ports Port Settings Layer 2 Switching VLAN MAC Address Table Network Interfaces Ports Menu Path: Network Configuration > Ports This section includes these pages: Port Settings
  • Page 93: Port Settings

    Shows the description for the port. Speed / Duplex Shows the speed and duplex mode for the port. Flow Control Shows whether flow control is enabled or disabled for the port.
  • Page 94 Media Type Displays the port’s media type. This setting cannot be changed. Port's media type Description Enter a description for the port to make it easier to identify. 1 to 127 characters
  • Page 95 "straight-through"). MDIX: Force the port to use MDIX (also known as "crossover"). Note Only choose MDI or MDIX if your connected Ethernet device has trouble auto-negotiating the correct port type.
  • Page 96 Shows whether the port is using MDI or MDIX for its connection. If the link is not active, a – will be shown. Port State Shows the port state for the port. If the link is not active, a – will be shown.
  • Page 97: Layer 2 Switching

    Menu Path: Network Configuration > Layer 2 Switching > VLAN - Global This tab lets you configure the settings for the management VLAN and management port. Click APPLY to save your changes.
  • Page 98 Access VLAN devices that connect to the port and remove tags upon egress. VIDs / 1 to mode: 1 Use commas to separate different VLAN IDs. 4093 Trunk or Hybrid mode: N/A
  • Page 99: Vlan Settings

    This tab lets you configure management VLAN and port settings. Click APPLY to save your changes. Note Please note that port numbers may vary depending on product model. Limitations You can create up to 32 VLANs. The top table shows a list of VLANs.
  • Page 100 multiple VLANs at once by entering single VIDs or VID ranges separated by commas, such as 2, 4-8, 10-13. 1 to 4094. You can enter multiple VIDs and/or VID ranges, separated by commas.
  • Page 101 untagged devices that connect to the port and remove tags upon egress. Use commas to separate different VLAN IDs. All Member VIDs / 1 to 4094 (when editing settings for the Management Port)
  • Page 102: Vlan Status

    Menu Path: Network Configuration > Layer 2 Switching > VLAN - Status This tab lets you monitor the status of the VLANs on your device. UI Setting Description VLAN Shows the VID of the VLAN.
  • Page 103: Mac Address Table

    MAC Address Table Settings MAC Address Table UI Setting Description Index Shows the index number of the MAC address. VLAN ID Shows which VLAN ID is being used for the MAC address.
  • Page 104: Network Interfaces

    This page lets you configure the settings for the various interfaces of your device. This page includes these tabs: WAN/WAN1, Secondary IP. Menu Path: Network Configuration > Network Interfaces - LAN This tab lets you manage your LAN interfaces.
  • Page 105: Network Interfaces List

    Shows the IP address of the interface. Netmask Shows the subnet mask of the interface. Virtual MAC Shows the virtual MAC address of the interface. Directed Broadcast Shows whether directed broadcast is enabled for the interface.
  • Page 106 Click CREATE to save your changes and add the new interface. Limitations You can create up to 16 LAN interfaces by configuring each port with unique VLAN ID numbers.
  • Page 107 Specify the VLAN ID. 1 to 4094 Alias Specify an alias for the VLAN interface. 1 to 31 characters Proxy ARP Enable or disable proxy ARP for the interface. Enabled / Disabled Disabled
  • Page 108 ) icon on the Network Configuration > Network Interfaces - LAN page will open this dialog box. This dialog lets you edit an existing LAN interface entry for your device. Click SAVE to save your changes.
  • Page 109 Specify the VLAN ID. 1 to 4094 Alias Specify an alias for the VLAN interface. 1 to 31 characters Proxy ARP Enable or disable proxy ARP for the interface. Enabled / Disabled Disabled
  • Page 110 Menu Path: Network Configuration > Network Interfaces - LAN You can delete interfaces by using the checkboxes to select the interfaces you want to delete, then clicking the Delete ( ) icon.
  • Page 111: Wan/Wan1

    There are multiple types of WAN you can select for your Connection Type: Static IP, Dynamic IP, PPPoE. Static IP If you select Static IP as your Connection Type, these settings will appear.
  • Page 112 Value Status Enable or disable the WAN interface. Enabled / Disabled Enabled Connection Type Specify the connection type to use for the connection. Static IP / Dynamic IP / PPPoE Dynamic IP
  • Page 113: Directed Broadcast

    service. 1 to 30 characters Password Enter the password to use for dialing in to the PPTP service. 1 to 30 characters MPPE Encryption Enable or disable MPPE encryption. None / Encrypt None
  • Page 114: Dns Settings

    IP Address 0.0.0.0 Dynamic IP If you select Dynamic IP as your Connection Type, these settings will appear. Note Please note that settings and available options will vary depending on the product model.
  • Page 115 Value Status Enable or disable the WAN interface. Enabled / Disabled Enabled Connection Type Specify the connection type to use for the connection. Static IP / Dynamic IP / PPPoE Dynamic IP
  • Page 116 Status Enable or disable DHCP client option 66/67. Enabled/Disabled Disabled Virtual MAC UI Setting Description Valid Range Default Value Virtual Specify the virtual MAC address for the interface. Valid MAC address 00.00.00.00.00.00
  • Page 117 Specify the secondary DNS IP address. IP Address 0.0.0.0 Tertiary DNS Server Specify the tertiary DNS IP address. IP Address 0.0.0.0 PPPoE If you select PPPoE as your Connection Type, these settings will appear.
  • Page 118 Name service. 1 to 30 characters Password Specify the password used to connect to the PPPoE service. 1 to 30 characters Host Name Specify the hostname of the PPPoE server. 1 to 30 characters
  • Page 119: Secondary IP

    IP for a network interface, allowing a single interface to communicate with multiple networks, increasing network flexibility and availability. UI Setting Description Interface Shows which interface the secondary IP is for. VLAN ID Shows the VLAN ID used for the interface.
  • Page 120 Select which interface the secondary IP is for. Drop-down list of interfaces Specify the IP address of the secondary Valid IP address Address interface. Netmask Specify the subnet mask of the secondary Valid netmask interface.
  • Page 121 Menu Path: Network Configuration > Network Interfaces - Secondary IP You can delete secondary IP entries by using the checkboxes to select the entries you want to delete, then clicking the Delete icon.
  • Page 122: Network Service

    Menu Path: Network Service > DHCP Server This page lets you manage the DHCP server settings of your device. This page includes these tabs: • General • DHCP • MAC-based IP Assignment • Lease Table
  • Page 123: DHCP Server - General

    IP address from a user-configured IP address pool to connected Ethernet devices. Note The DHCP Server is only available for LAN interfaces. The DHCP pool’s Starting/Ending IP Address must be in the same LAN subnet.
  • Page 124 Clicking the Add icon on the Network Service > DHCP Server - DHCP page will open this dialog box. This dialog lets you create a new DHCP server pool. Click CREATE to save your changes and add the new account.
  • Page 125 Ending IP Specify the ending IP address of the DHCP IP pool. Valid IP Address address Default Specify the default gateway to use for DHCP clients in the pool. Valid IP Gateway address
  • Page 126 ) icon for a pool on the Network Service > DHCP Server - DHCP page will open this dialog box. This dialog lets you edit an existing DHCP server pool. Click APPLY to save your changes.
  • Page 127 DHCP - Delete DHCP Server Pool Menu Path: Network Service > DHCP Server - DHCP You can delete a DHCP server pool by clicking the Delete icon for the pool.
  • Page 128: DHCP Server - MAC-based IP Assignment

    By configuring the DHCP server with a table of MAC addresses and their corresponding IP addresses, administrators can have greater control over IP address allocation and enhance network security and management. Limitations You can create up to 256 MAC-based IP assignments.
  • Page 129 ) icon on the Network Service > DHCP Server - MAC-based IP Assignment page will open this dialog box. This dialog lets you add a new MAC-based IP assignment. Click CREATE to save your changes and add the new assignment.
  • Page 130 1440 minutes DNS Server 1 Specify the primary DNS server for the IP Valid IP address assignment. DNS Server 2 Specify the secondary DNS server for the IP Valid IP address assignment.
  • Page 131 Enable or disable this MAC-based IP assignment. Enabled / Disabled Name Enter a hostname for the IP assignment. Max. 63 characters IP Address Specify the IP address for the IP assignment. Valid IP address
  • Page 132: DHCP Server - Lease Table

    Delete icon. DHCP Server - Lease Table Menu Path: Network Service > DHCP Server - Lease Table This page lets you see an overview of the device's current DHCP clients.
  • Page 133 Shows the hostname of the DHCP lease. IP Address Shows the IP address of the DHCP lease. MAC Address Shows the MAC address of the DHCP lease. Time Left Shows the time left for the DHCP lease.
  • Page 134: Routing

    Static Routes Routing Table Unicast Route Menu Path: Routing > Unicast Route This section lets you manage unicast routes for your device. This section includes these pages: • Static Routes • Routing Table
  • Page 135: Static Routes

    ) icon on the Routing > Unicast Route > Static Routes page will open this dialog box. This dialog lets you create a new static route. Click CREATE to save your changes and add the new account.
  • Page 136: Edit A Static Route

    ) icon for an entry on the Routing > Unicast Route > Static Routes page will open this dialog box. This dialog lets you edit an existing static route. Click APPLY to save your changes.
  • Page 137 Menu Path: Routing > Unicast Route > Static Routes You can delete entries by using the checkboxes to select the entries you want to delete, then clicking the Delete icon.
  • Page 138: Routing Table

    Shows the IP address of the next hop router or gateway that the packet should be forwarded to. Interface Shows the outgoing interface that should be used to reach the destination network.
  • Page 139 Metrics are used to calculate the shortest path for data to travel through the network, and are determined by assigning cost values to the interfaces connecting to each router. The lower the cost value, the more the path will be preferred.
  • Page 140: NAT

    System > Account Management > User Accounts for more information on user accounts. Settings Admin Supervisor User NAT Rule List UI Setting Description Status Shows whether the NAT rule is enabled or disabled.
  • Page 141: Create Index

    Available settings will change depending on what Mode is selected. Create Index - 1-to-1 NAT If 1-to-1 is selected for the Mode, these settings will appear. 1-to-1 NAT maps one public IP address to one private IP address.
  • Page 142 IP Twins Mapping: Allows you to set up a NAT rule with a duplicated LAN IP. Auto Create Enable or disable the Auto Create Source NAT feature. If this Enabled / Disabled Source NAT is disabled, 1-to-1 NAT will only perform DNAT. Disabled
  • Page 143 Range values in the Translated Packet (Action) settings for accurate destination IP mapping. Destination IP Specify the destination IP this rule will apply to. Valid IP 0.0.0.0 address (Only if Destination IP Mapping Type is Single)
  • Page 144 Mapping Type is Single) Destination IP: Specify the start of the destination IP range to translate to Valid IP 0.0.0.0 Start on the internal network. address (Only if Destination IP Mapping Type is Range)
  • Page 145 Value Status Enable or disable this rule. Enabled / Disabled Enabled Description Specify a name for this rule. 1 to 128 characters Index Specify the index of this rule. 1 to 512
  • Page 146 Create Index - PAT If PAT is selected for the Mode, these settings will appear. Port Address Translation (PAT) maps multiple private IP addresses to one public IP address using different port numbers.
  • Page 147 Enable or disable NAT Loopback. NAT loopback allows Enabled / Disabled Disabled Loopback devices on a private network to access a server or service hosted on the same network using the public IP address of the network.
  • Page 148 If Advance is selected for the Mode, these settings will appear. This mode allows you to set up an advanced NAT rule, which can provide you with more flexibility for NAT configuration.
  • Page 149 • If a Translated Destination IP is used, the Outgoing Interface cannot be configured. • If the Translated Source IP is set to Dynamic, the Translated Source Port cannot be set.
  • Page 151 Subnet: This rule will apply to a source IP and subnet mask. Source IP Specify the source IP this rule will apply Valid IP 0.0.0.0 address (Only if Source IP Mapping Type is Single or Subnet)
  • Page 152 Single: This rule will apply to a single destination IP for incoming packets. Range: This rule will apply to a range of destination IPs for incoming packets. Subnet: This rule will apply to a destination IP and subnet mask.
  • Page 153 (Only if Destination Port Mapping Type is Single) Destination Port: Start Specify the start of the destination port 1 to 65535 range this rule will apply to. (Only if Destination Port Mapping Type is Range)
  • Page 154 Refer to Network Configuration > Interface - Secondary IP for more information. Subnet Mask Specify the subnet this rule will translate to. Valid subnet (255.255.255.0) (Only if Source IP Mapping Type is Subnet)
  • Page 155 Single: This rule will translate to a single destination Range: This rule will translate to a range of destination IPs. Subnet: This rule will translate to a destination IP and subnet mask.
  • Page 156 Port Mapping Type is Single) Destination Specify the start of the destination port range this 1 to 65535 Port: Start rule will translate to. (Only if Destination Port Mapping Type is Range)
  • Page 157 NAT with a duplicated LAN IP to provide flexibility for configuring duplicated LAN IP conversion. Limitations Currently, IP Twins Mapping mode is only supported by the NAT-108 Series. • IP Twins Mapping mode does not support transitioning between duplicate IP devices.
  • Page 158 Default UI Setting Description Valid Range Value Status Enable or disable this rule. Enabled / Disabled Enabled Description Specify a name for this rule. 1 to 128 characters
  • Page 159 Mapping Type incoming packets. Range Single: This rule will apply to a single destination IP for incoming packets. Range: This rule will apply to a range of destination IPs for incoming packets.
  • Page 160 Mapping Type is Single) Destination IP: Start Specify the start of the destination IP range Valid IP 0.0.0.0 this rule will translate to. address (Only if Destination IP Mapping Type is Range)
  • Page 161: Edit NAT Rule

    For a complete list of settings, see Create NAT Rule. Delete NAT Rule Menu Path: Main > NAT Select the NAT rules that you want to delete and click the trash can icon to delete.
  • Page 163: Firewall

    This page lets you configure Layer 3 policies to secure and control network traffic. Click APPLY to save your changes. Note Availability of this feature may vary depending on your product model and version.
  • Page 164: Layer 3 Policy Settings

    Shows the name of the policy. Protocol Shows the protocol used by the policy. Incoming Shows the incoming interface used by the policy. Interface Outgoing Shows the outgoing interface used by the policy. Interface
  • Page 165 page will open this dialog box. This dialog lets you create a new Layer 3 policy. Click CREATE to save your changes and add the new policy.
  • Page 166 1 index will be processed before policies with a higher index. Status Enable or disable the policy. Enabled / Disabled Enabled Name Specify a name for the policy. 1 to 64 characters
  • Page 167 Any / Drop-down list of interfaces Interface this policy. Note Available interfaces will vary depending on your product model and configuration. Refer to Network Configuration > Network Interfaces for more information about managing your device's interfaces.
  • Page 168 (TCP) / IPsec (UDP) / L2TP (TCP) / L2TP (UDP) / PPTP (TCP) / PPTP (UDP) / RADIUS (TCP) / RADIUS (UDP) / RADIUS Accounting (TCP) / RADIUS Accounting (UDP) / EtherCAT (TCP) / EtherCAT (UDP)
  • Page 169 Address is Single or Range) Source IP: Specify the end of the source IP Valid IP address 0.0.0.0 address range this policy will apply to. (If Source IP Address is Range)
  • Page 170 Specify the destination IP Valid IP address 0.0.0.0 IP: Start address or the beginning of the destination IP address range this policy will apply to. Destination IP Address is Single or Range)
  • Page 171 ) icon for an entry on the page will open this dialog box. This dialog lets you edit an existing Layer 3 policy.
  • Page 172 1 to 1024 Last used index the policy. Policies with a lower plus 1 index will be processed before policies with a higher index. Status Enable or disable the policy. Enabled / Disabled Enabled
  • Page 173 Any / Drop-down list of interfaces Interface this policy. Note Available interfaces will vary depending on your product model and configuration. Refer to Network Configuration > Network Interfaces for more information about managing your device's interfaces.
  • Page 174 (TCP) / IPsec (UDP) / L2TP (TCP) / L2TP (UDP) / PPTP (TCP) / PPTP (UDP) / RADIUS (TCP) / RADIUS (UDP) / RADIUS Accounting (TCP) / RADIUS Accounting (UDP) / EtherCAT (TCP) / EtherCAT (UDP)
  • Page 175 Address is Single or Range) Source IP: Specify the end of the source IP Valid IP address 0.0.0.0 address range this policy will apply to. (If Source IP Address is Range)
  • Page 176 Specify the destination IP Valid IP address 0.0.0.0 IP: Start address or the beginning of the destination IP address range this policy will apply to. Destination IP Address is Single or Range)
  • Page 177 Delete Layer 3 Policy Menu Path: Firewall > Layer 3 Policy You can delete an entry by using the checkboxes to select the entries you want to delete, then clicking the Delete icon.
  • Page 178: Device Lockdown

    Device Lockdown is specifically designed for and is only available for NAT Series devices. This page includes these tabs: • Settings • Learning Table Device Lockdown - Settings Menu Path: Firewall > Device Lockdown - Settings This page lets you manage the Device Lockdown feature.
  • Page 179 START LEARNING: Learn whitelist information from ARP tables through network traffic. Note When the Learning Status process is in progress, Device Lockdown cannot be enabled until the process is complete. STOP LEARNING: Stop the current learning process.
  • Page 180 Select an interface to lock down. Drop-down list of interfaces Lockdown Select the firewall filtering criteria. MAC Address / MAC+IP Mode Access Address Enable or disable device lockdown event Enabled / Disabled Disabled logs.
  • Page 181: Device Lockdown - Learning Table

    Shows the IP address the rule applies to. Any means it applies to all IP addresses. MAC Address Shows the MAC address the rule applies to. Any means it applies to all MAC addresses. Interface Shows the interface that the rule applies to.
  • Page 182 Click CREATE to save your changes and add the new entry. Default UI Setting Description Valid Range Value Description Specify a description to help identify the entry. Up to 128 characters
  • Page 183 Menu Path: Firewall > Device Lockdown - Learning Table You can delete an entry by using the checkboxes to select the entries you want to delete, then clicking the Delete icon.
  • Page 184: Certificate Management

    Certificate Management - User Privileges Privileges to Certificate Management settings are granted to the different authority levels as follows. Refer to System > Account Management > User Accounts for more information on user accounts.
  • Page 185: Local Certificate

    Shows who the certificate was issued to. Issued By Shows who the certificate was issued by. Expiration Date Shows the expiration date of the certificate. Key Length Shows the key length of the certificate.
  • Page 186: Generate Certificate

    Label Enter a label to help identify the certificate. If this is 1 to 30 empty, the file name of the certificate will be used. characters
  • Page 187 Delete Certificate Menu Path: Certificate Management > Local Certificate You can delete certificates by using the checkboxes to select the certificates you want to delete, then clicking the Delete icon.
  • Page 188: Trusted Ca Certificate

    Shows the name of the certificate file. Subject Shows the subject from the certificate. Expiration Date Shows the expiration date of the certificate. Key Length Shows the key length of the certificate.
  • Page 189 Delete CA Certificate Menu Path: Certificate Management > Trusted CA Certificate You can delete certificates by using the checkboxes to select the certificates you want to delete, then clicking the Delete icon.
  • Page 190: Certificate Signing Request

    This page lets you generate and manage key pairs, which are used to generate CSRs. Limitations You can generate up to 10 key pairs. UI Setting Description Name Shows the name of the RSA key.
  • Page 191 Menu Path: Certificate Management > Certificate Signing Request - Key Pair Generate You can delete key pairs by using the checkboxes to select the entries you want to delete, then clicking the Delete icon.
  • Page 192: CSR Generate

    You can generate up to 10 CSRs. UI Setting Description Name Shows the name of the CSR. Subject Shows the subject of the CSR. Key Length Shows the key length used by the CSR.
  • Page 193: Generate Certificate Signing Request

    1 to 16 Name characters Organization Unit Specify the organization unit name for the CSR. 1 to 16 Name characters Common Name Specify the common name for the CSR. 1 to 16 characters
  • Page 194 You can export a CSR by using the checkboxes to select the entry you want to export, then clicking the Export icon. Note The export icon will only be available when a single entry is selected; it will not be available if multiple entries are selected.
  • Page 196: Security

    System > Account Management > User Accounts for more information on user accounts. Settings Admin Supervisor User Device Security Login Policy Trusted Access SSH & SSL Authentication Login Authentication RADIUS TACACS+ MXview Alert Notification
  • Page 197: Device Security

    • SSH & SSL Login Policy Menu Path: Security > Device Security > Login Policy This page lets you configure the login policies for your device. Click APPLY to save your changes.
  • Page 198: Trusted Access

    This page lets you limit access to the device to trusted IP addresses you specify. You can also limit access to the device to LAN connections only. Limitations You can create up to 10 trusted IP entries. Trusted Access Settings
  • Page 199 LAN connections. Enabled: The device can only be accessed through a LAN connection. Disabled: The device can be accessed through any connection. Enable or disable Trusted Access Enabled / Disabled Disabled event logging.
  • Page 200 Notifications > Event Log for more information. Trusted IP List UI Setting Description Index Shows the index of the Trusted IP entry. Status Shows whether the Trusted IP entry is enabled or disabled.
  • Page 201: SSH & SSL

    Select a netmask for the trusted host(s). Drop-down list of netmasks SSH & SSL Menu Path: Security > Device Security > SSH & SSL This page lets you manage your SSH key and SSL certificate.
  • Page 202 Regenerating the SSH key will restart the device's system services and will make the device temporarily unavailable. Menu Path: Security > Device Security > SSH & SSL - SSL This page lets you manage your device's SSL certificate. Click APPLY to save your changes.
  • Page 203: SSL Settings

    Drop-down list of applicable (if Certificate imported Source is Local certificates Certificate Database) Created on Shows when the current certificate was created. (View-only) Expiration Date Shows when the current certificate will expire. (View-only)
  • Page 204: Authentication

    • Login Authentication • RADIUS • TACACS+ Login Authentication Menu Path: Security > Authentication > Login Authentication This page lets you configure your device's login authentication settings. Click APPLY to save your changes.
  • Page 205: RADIUS

    This page lets you specify a RADIUS server to use for login authentication. Click APPLY to save your changes. Note The system will use the primary RADIUS server by default. If the primary RADIUS server is unavailable, it will use the secondary RADIUS server.
  • Page 206: TACACS+

    Specify the shared key for the secondary 0 to 64 characters RADIUS server. TACACS+ Menu Path: Security > Authentication > TACACS+ This page lets you set up TACACS+ protocol to authenticate remote users.
  • Page 207 TACACS+ server. Shared Specify the shared encryption key for the primary TACACS+ 1 to 64 server. characters Auth Type Specify which authentication type the primary TACACS+ server PAP, CHAP, CHAP uses. ASCII
  • Page 208: MXview Alert Notification

    • Security Notification Setting • Security Status Security Notification Setting Menu Path: Security > MXview Alert Notification - Security Notification Setting This page lets you configure your MXview security alert notification settings.
  • Page 209 Enabled / Disabled Event Disabled Notification Note After enabling this, you will need to go to Firewall > DoS Policy to enable logging and select Trap as the log destination to receive notifications.
  • Page 210: Security Status

    Menu Path: Security > MXview Alert Notification - Security Status This page lets you see the status of all MXview security event types. Clicking the Reset icon will clear the status of all events to default (safe).
  • Page 211 The status of Device Lockdown cannot be accessed in MXview One. Status Shows the current status of the event type. safe: No event of this type has been detected. attacked: An event of this type was detected.
  • Page 212: Diagnostics

    System > Account Management > User Accounts for more information on user accounts. Settings Admin Supervisor User System Status Utilization Network Status Network Statistics LLDP ARP Table Event Log & Notifications Event Log Event Notifications Syslog
  • Page 213: System Status

    Utilization Utilization Menu Path: Diagnostics > System Status > Utilization This page lets you monitor current and historical system resource utilization. CPU Usage This shows the current CPU usage of your device.
  • Page 214: Memory Usage

    CPU Usage History This shows the CPU usage of your device over time. Memory Usage This shows your device's current memory usage. Memory Usage History This shows your device's memory usage over time.
  • Page 215: Network Status

    3 seconds. Note The default line shows activity for all IP interfaces for both Tx and Rx activity. You can add additional lines by clicking the Display Settings button.
  • Page 216: Display Settings

    ) icon on the Diagnostics > Network Status > Network Statistics page will open this dialog box. This dialog lets you define additional interfaces or ports to monitor. Click ADD to save your changes and add the new line.
  • Page 217 Port Select which port to monitor. Drop-down list of All ports Selection(if ports Display Type is Port) Note Available ports will vary depending on your product model.
  • Page 218 Packets and Error Packets will be available. Packet Interface Table This table shows how many packets are being handled by each interface. Values are shown as Total Packets + Packets in the past 5 seconds.
  • Page 219: LLDP Settings

    Specify the interval in seconds at which LLDP 5 to 32768 Interval messages are sent. UI Setting Description Valid Range Default Value LLDP Ring Port Bypass Enable or disable LLDP Ring Port Bypass Enabled / Disabled Disabled
  • Page 220: ARP Table

    Nbr. System Shows the hostname of the neighbor device. ARP Table Menu Path: Diagnostics > Network Status > ARP Table This page lets you see the device’s Address Resolution Protocol (ARP) table.
  • Page 221: Connection Management

    Shows the interface the device is connecting through. Connection Management Menu Path: Diagnostics > Network Status > Connection Management This page lets you configure the Connection Management feature of your device. Click APPLY to save your changes.
  • Page 222 Specify the number of seconds a connection can be idle before 60 to 600 Time(Sec) deleting the connection. Longer idle times allow connections to stay open without relying on clients to send keep-alive (If Status is messages. Enabled)
  • Page 223: Connection Table

    Shows the outgoing interface for the connection. Source Address Shows the source IP address for the connection. Source Port Shows the source port for the connection. Destination Shows the destination IP address for the connection. Address
  • Page 224: Event Logs And Notifications

    Refer to Using a Web Browser to Configure the Industrial Secure Router for more information. This page includes these tabs:
  • Page 225: System Log

    ) to refresh the logs. • Click the Clear System Log icon to delete all logs. • Click the Export icon to export all logs to a file.
  • Page 226: Firewall Log

    Each firewall log can record up to 1000 events. You can switch between different firewall logs by clicking on the drop-down menu. • Trusted Access • Malformed Packets • DoS Policy • Layer 3-7 Policy
  • Page 227 Severity Level List for more information. Ether Type Shows the EtherType that applies to this event. IP Protocol Shows the IP protocol for this traffic. Incoming Shows the incoming interface for this traffic. Interface
  • Page 228 Timestamp Shows the time of the event, including the date, time, and UTC time zone adjustment. Severity Shows the severity categorization of the event: Refer to the Severity Level List for more information.
  • Page 229 Shows the ICMP code that applies to this event. Action Shows the action taken by the firewall for this event: • Accept • Drop Additional Shows additional information about the event, based on the type of event. message DoS Policy
  • Page 230 Shows the destination interface for this traffic. Interface Destination IP Shows the destination IP address for this traffic. Destination Port Shows the destination port for this traffic. TCP Flags Shows the TCP flags that apply to this event.
  • Page 231 Shows the IP protocol for this traffic. Incoming Shows the incoming interface for this traffic. Interface Source MAC Shows the source MAC address for this traffic. Source IP Shows the source IP address for this traffic.
  • Page 232 Shows the severity categorization of the event: Refer to the Severity Level List for more information. Application Shows which application this event is related to. Protocol Policy ID Shows the ID of the firewall policy that applies to this event.
  • Page 233 ICMP Type Shows the ICMP type that applies to this event. ICMP Code Shows the ICMP code that applies to this event. Action Shows the action taken by the firewall for this event.
  • Page 234 • Accept: The traffic will be allowed to pass through. • Reset: The traffic will not be allowed to pass through. • Monitor: The traffic will be allowed to pass through, but a log entry will be created for it.
  • Page 235 Policy Name Shows the name of the firewall policy that applies to this event. Ether Type Shows the EtherType that applies to this event. IP Protocol Shows the IP protocol for this traffic.
  • Page 236: Session Control

    Shows the ID of the firewall policy that applies to this event. Policy Name Shows the name of the firewall policy that applies to this event. Ether Type Shows the EtherType that applies to this event.
  • Page 237 Shows the ICMP type that applies to this event. ICMP Code Shows the ICMP code that applies to this event. Action Shows the action taken by the firewall for this event. Layer 2 Policy
  • Page 238 Shows the severity categorization of the event. Refer to the Severity Level List for more information. Ether Type Shows the EtherType that applies to this event. IP Protocol Shows the IP protocol for this traffic.
  • Page 239 Additional Shows additional information about the event, based on the type of event. message Device Lockdown Note Device Lockdown is specifically designed for and will only be available on the NAT series.
  • Page 240 Shows the additional message for this event. Message VPN Log Menu Path: Diagnostics > Event Logs and Notifications > Event Log - VPN Log This page lets you view your device's VPN-related event logs.
  • Page 241: Network Log

    Menu Path: Diagnostics > Event Logs and Notifications > Event Log - Network This page lets you view your device's network-related event logs. You can switch between different network logs by clicking on the drop-down menu.
  • Page 242 Shows the incoming interface for the connection. Interface Source IP Shows the source IP address for the connection. Source Port Shows the source port for the connection. Outgoing Shows the outgoing interface for the connection. Interface
  • Page 243 Shows how many RX packets were discarded. Note The Discard Packets count will reset after the device is rebooted. Statistical Time Shows the interval in seconds between RX discard packet checks. (Sec)
  • Page 244 This page lets you clear all the logs or enable automatic event log backups. You can also set up capacity warnings and oversize actions that trigger when log storage has exceeded the specified storage threshold. Clear All Log Click the CLEAR button to clear all event logs.
  • Page 245 Auto Event Log Backup. UI Setting: Automatically Restore. Description: Enable or disable automatic event log backups. Valid Range: Enabled / Disabled. Default Value: Disabled.
  • Page 246: Threshold Settings

    Threshold through the Registered Action methods. Oversize Action Shows what action will be taken when log storage is full for the selected category. Registered Shows how threshold warnings will be sent. Action
  • Page 247: Event Notifications

    Stop recording event logs: No new events will be recorded. Event Notifications Menu Path: Diagnostics > Event Logs and Notifications > Event Notifications This page lets you configure notifications for various kinds of events.
  • Page 248 This page lets you configure notification settings for various system events related to the overall functions of the device. Each event can be configured independently with different warning methods and severity classifications.
  • Page 249
  • Page 250 ) icon for an entry on the Diagnostics > Event Logs and Notifications > Event Notifications - System page will open this dialog box. This dialog lets you change the notification settings for the selected event. Click APPLY to save your changes.
  • Page 251 Select the severity to assign for this event. Refer to the Severity Level List for more information about the different severity levels. Valid Range: Emergency / Alert / Critical / Error / Warning / Notice / Informational / Debug. Default Value: Emergency.
  • Page 252 Shows whether notifications for Link-Off events are enabled or disabled. Severity Shows the severity assigned to the event. Refer to the Severity Level List for more details. Registered Shows how notifications will be sent for this kind of event. Action
  • Page 253 Shows which physical port the event notifications are for. (View-only) Note Available ports will vary depending on your product and model. Status Enable or disable notifications for this port. Enabled / Disabled Disabled
  • Page 254 Menu Path: Diagnostics > Event Logs and Notifications > Event Notifications - CPU Usage This page lets you configure notification settings based on CPU usage. UI Setting Description Status Shows whether event notifications are enabled for this kind of event.
  • Page 255 CPU usage. Click APPLY to save your changes. Columns: UI Setting, Description, Valid Range, Default Value. Event Name: Shows the CPU usage event name. (View-only)
  • Page 256 Menu Path: Diagnostics > Event Logs and Notifications > Event Notifications - Port Usage This page lets you configure notification settings based on port usage. Each port can be configured independently with different warning methods and severity classifications.
  • Page 257 ) icon for an entry on the Diagnostics > Event Logs and Notifications > Event Notifications - Port Usage page will open this dialog box. This dialog lets you change the notification settings for the selected port. Click APPLY to save your changes.
  • Page 258 Tx threshold to trigger a notification. Enable or disable Rx monitoring for event notifications. Valid Range: Enabled / Disabled. Default Value: Disabled. Threshold(%): Specify the Rx threshold percentage that must be exceeded for event notifications. Valid Range: 1 to 100.
  • Page 259: Syslog

    When the device sends an imported certificate to the syslog server, the syslog server will attempt to verify the certificate by searching the approved certificate pool on the server to identify the imported certificate.
  • Page 260 • For security reasons, it is recommended to send event logs to a centralized syslog server for continuous network event monitoring. Limitations You can connect to up to 3 syslog servers.
  • Page 261: Snmp Trap/Inform

    SNMP Trap/Inform - General Menu Path: Diagnostics > Event Logs and Notifications > SNMP Trap/Inform - General This page lets you configure the SNMP Trap/Inform settings of your device. Click APPLY to save your changes.
  • Page 262 Recipient IP or IP/Name receive notifications. name 1/2/3 Inform Retries (if Trap Mode is Inform V2 or Inform V3): Specify the number of times to retry sending an inform notification. Valid Range: 1 to 99.
  • Page 263: Snmp Account

    Description Name Shows the name of the SNMP trap account. Authentication Type Shows which authentication method is used for the account. Encryption Method Shows which encryption method is used for the account.
  • Page 264 Encryption Method: Enable or disable AES encryption for the account. Valid Range: Enabled / Disabled. Default Value: Disabled. Encryption Key (if Encryption Method is Enabled): Specify an encryption password for the account. Valid Range: 8 to 64 characters.
  • Page 265 Specify an authentication key to use for the account. Valid Range: 8 to 64 characters. (if Authentication Type is MD5 or SHA) Encryption Method: Enable or disable AES encryption for the account. Valid Range: Enabled / Disabled. Default Value: Disabled.
  • Page 266: Email Settings

    Click APPLY to save your changes, or click SEND TEST MAIL to send a test email using the current settings and recipients.
  • Page 267 Password: Specify the password used to log in to the email server. Valid Range: 0 to 60 characters. Sender Address: Specify the sender email address to use for email notifications. Valid Range: 0 to 60 characters.
  • Page 268: Tools

    The function’s most unique feature is that even though the ping command is entered from the user’s PC keyboard, the actual ping command originates from the device itself. In this way, you can use your device to send ping commands out through its ports.
  • Page 269 Address/Domain Name: Specify the IP address or domain name you want to ping, then click the PING button. The ping result will be displayed below. Valid Range: Valid IP address or domain name up to 50 characters.
  • Page 270: Other Features

    Chapter 4 Other Features
  • Page 271: Firmware Image Recovery Overview

    If a situation occurs, the firmware can still roll back to the previous version to boot the device.
  • Page 272: How Dual-Imaging Works

    3 and Partition A is corrupted, the bootloader will choose backup Partition B as the active one to continue to boot the system and the system will record a “Boot Failed, Fallback to Previous Firmware” event into the system logs.
  • Page 273 • Resetting the device to factory default settings only restores user configurations, and will not restore the firmware image in both partitions. • This mechanism is done automatically by the system and is not user-configurable.
  • Page 274: Device Applications

    Chapter 5 Device Applications
  • Page 275: Device Applications Overview

    The following applications are covered: • Network Segmentation • Redundancy • Routing • OpenVPN Client • NetFlow • Loopback Interfaces
  • Page 276: Network Segmentation

    Hosts on the same subnet can communicate directly using the layer-2 segment that connects them. VLANs in Depth A VLAN, or Virtual Local Area Network, is a logical grouping of devices on a network.
  • Page 277: Vlan Standards And Implementation

    Benefits of VLANs The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than traditional networks. Using VLANs also provides you with three other benefits:
  • Page 278: Scenario: Layer 2 Segmentation Of 3 Factories

    VLAN. Each VLAN can be enlarged using simple switches to connect any number of devices in the factory
  • Page 279 For example, if the management VLAN of the switch is VLAN 1 and you are connected to ports that do not belong to VLAN 1, you may be disconnected from the switch during configuration.
  • Page 280: Example: Creating Vlans For Layer 2 Segmentation Of 3 Factories

    VLAN. A similar procedure must be performed on each switch or router on the network. 1. Sign in to Switch A using administrator credentials.
  • Page 281 VLAN, and do not need to communicate with devices in other VLANs. Trunk mode allows a port to carry traffic for multiple VLANs over a single physical connection. This is useful for linking switches together that may have many different VLANs.
  • Page 282: Example: Assigning Vlans To Ports On Switch B

    VLAN. A similar procedure must be performed on each switch or router on the network. 1. Sign in to Switch A using administrator credentials.
  • Page 283 VLAN, and do not need to communicate with devices in other VLANs. Trunk mode allows a port to carry traffic for multiple VLANs over a single physical connection. This is useful for linking switches together that may have many different VLANs.
  • Page 284 When combined with the previous settings, we complete the network segmentation. Traffic on VLANs 1-3 will remain isolated, and VLAN 1000 will allow traffic between switches while retaining VLAN tagging.
  • Page 285: Scenario: Layer 3 Segmentation Of Two Services

    (an interface), so it's important to note which port we'll be using for each device. We need a topology that: • Allows devices on the same subnet to communicate with each other • Ensures devices on different subnets cannot communicate with each other
  • Page 286: Example: Creating Vlans For Layer 3 Segmentation

    Example: Creating VLANs for Layer 3 Segmentation Create VLANs in preparation for assigning them to ports. Before you begin: Make sure you have an environment configured in line with our scenario. This includes:
  • Page 287: Example: Assigning Vlans To Ports For Layer 3 Segmentation

    VLAN. A similar procedure must be performed on each switch or router on the network. 1. Sign in to Router 1 using administrator credentials. 2. Go to Network Configuration→Layer 2 Switching→VLAN.
  • Page 288 Trunk mode allows a port to carry traffic for multiple VLANs over a single physical connection. This is useful for linking switches together that may have many different VLANs. Hybrid mode is similar to a Trunk port, except users can explicitly assign tags to be removed from egress packets.
  • Page 289: Example: Assigning Ips To Router Interfaces

    Example: Assigning IPs to Router Interfaces IP subnets must be assigned to interfaces to ensure traffic from corresponding VLANs is segmented correctly. To assign IPs to router interfaces: 1. Sign in to Router 1 using administrator credentials.
  • Page 290 Result: The LAN interface will appear on the Network Interface list. 5. To add the interface for the backbone connection, specify all of the following, and then click Create: Field / Setting: Name = Backbone; VLAN ID = 1000
  • Page 291: Example: Configuring Static Routing For Layer 3 Segmentation

    To configure dynamic routing for the Layer 3 example: 1. Sign in to Switch A using administrator credentials. 2. Go to Routing→Unicast Route→Static Routes, and then click the Add icon.
  • Page 292: Click Create

    Refers to Production Service A on Router 2. Subnet Mask: 8 (255.0.0.0). Refers to the subnet mask of the destination address. Next Hop: 30.0.0.2. Refers to the Router 2 Interface as the next hop on the network. Metric
  • Page 293 Results: Once the routing configuration is completed, the Example Layer 3 Segmented Network will be ready to use. This will ensure that packets for each service will be isolated from the other, while still being efficiently guided around the network.
  • Page 294: Routing

    Multicast delivery, on the other hand, is used to send packets from one sender to many recipients. With multicast, a single packet is sent out to a group of devices on the
  • Page 295: Routing And Packet Delivery

    This allows for increased control over network traffic while ensuring that data can reach otherwise unspecified networks, typically including the public Internet.
  • Page 296: Example: Adding A Static Unicast Route For Factory Automation

    Before you begin: Make sure you have correctly configured: • Each device with an IP address. • VLANs for each subnet. Refer to VLAN for more information.
  • Page 297 Refers to Production Line 1. Subnet Mask: 24 (255.255.255.0). Refers to the subnet mask of the destination address. Next Hop: 10.10.10.254. Refers to the Secure Router LAN1 Interface as the next hop on the network.
  • Page 298 What to do next: Repeat this procedure to add Production Line 2 (10.10.20.1), the Remote Control Center (10.10.40.1), and Other Systems (10.10.30.1) to the Static Routing Table.
  • Page 299: About Nat

    Commonly used for devices that require a consistent public IP, such as web servers. 2. NAT N-1: Maps private IP addresses to a pool of public IP addresses on a first-come, first-served basis.
  • Page 300: Nat Advantages

    For instance, every generator's internal devices use the same private IP scheme (e.g., 192.168.100.x). When these generators are deployed at a tidal power farm, they are connected to a shared local network. However:
  • Page 301: Example: Configuring 1-To-1 Nat For Device Management

    The Create Index screen appears. 3. Configuring the First Device on Generator 1. 4. To add the inbound NAT rule for the first generator, specify all of the following, and then click Apply:
  • Page 302 To configure additional devices in this scenario, repeat the above procedure with the following differences:
  • Page 303 [Table: Packet (Condition) - Destination IP and Translated Packet (Action) - Destination IP for the additional devices]
  • Page 304: Scenario: Isolated Product Network With Limited Internet Access (Nat N

    • A DMZ network with a single computer serving as a remote access server for connections from the internet, which has network access to the production equipment. Security is contingent on the security of the remote access server. • A WAN network (Internet Connection).
  • Page 305 • LAN-to-DMZ • LAN-to-WAN 3. Configure NAT rules to route data between interfaces. This is done after creating firewall rules to ensure no unfiltered traffic gets through. 4. Create the following rules
  • Page 306: Example: Configuring Interfaces For Dmz

    4. To add interface WAN, go to Network Configuration > Network Interfaces > WAN1 (WAN1 for dual-WAN devices), and then press Add. 5. Specify all of the following, and then click Apply:
  • Page 307: Example: Creating Firewall Rules For Dmz

    3. To configure the allowlist paradigm, under Global Policy Settings, set Status to Enabled, and make sure Default Action is set to Deny All, and then click Apply. 4. To add the WAN-to-DMZ rule, click Add and configure the following:
  • Page 308 Allow Incoming Interface Outgoing Interface Filter Mode IP and Port Filtering Click Create to add the entry to the table. 7. To add the LAN-to-WAN rule, click Add and configure the following:
  • Page 309: Example: Configuring Nat Rules For Dmz

    LAN access to WAN (WAN1 for dual-WAN devices): Option / Value: Description = LAN-WAN; Mode = N-to-1; Source IP Start = 192.168.127.1; Source IP END = 192.168.127.254; Outgoing Interface = WAN (WAN1 for dual-WAN devices). Click Apply to add the rule to the table.
  • Page 310 Translated Packet (Action) - Destination IP = 192.168.127.102; Translated Packet (Action) - Destination Port = 3389. Click Apply to add the rule to the table. 5. Click Apply under the table to save your changes.
  • Page 311: Security Hardening Guide

    Chapter 6 Security Hardening Guide
  • Page 312: Security Hardening Guide Overview

    The threat landscape is constantly evolving, and no security guide can ever provide 100% protection. This chapter is constantly being expanded, and is not exhaustive.
  • Page 313: Security Best Practices

    The specific measures you choose should be based on your environment and the level of risk you face.
  • Page 314: Account Management Guidelines

    Setting the minimum password length to at least eight characters. Requiring passwords to have at least one uppercase and lowercase letter, a digit, and a special character. Setting password expiration. Updating passwords regularly. Never sharing passwords.
  • Page 315: Protecting Vulnerable Network Ports

    By using encryption, you can ensure that the data being transmitted is secure and cannot be intercepted by unauthorized users.
  • Page 316: Communication Integrity Features

    HTTPS is a secure version of the regular HTTP protocol for transmitting data over the internet. HTTPS uses TLS (Transport Layer Security) encryption and digital certificates to protect the data in transit from interception, tampering, or eavesdropping. Refer to Management Interface for more information.
  • Page 317: Device Access Control Best Practices

    Device access control is an essential aspect of network security that helps protect against unauthorized access to network resources. Unauthorized access can occur through various means, including physical access to network devices, hacking, or social engineering. Without proper access control measures
  • Page 318 Note You can block intranet hosts from all external access with isolation, such as with a DMZ, and only allow connections from specifically authorized IP addresses.
  • Page 319: Configuring Allowlists In Compliance With Iec 61162-460

    • Block Uncontrolled Networks: Do not permit direct access from hosts in uncontrolled or unverified networks. By adhering to these guidelines, you help maintain network security and comply with IEC 61162-460 requirements.
  • Page 320: Example Configuration

    Secure Boot Secure Boot is a security mechanism designed to ensure that devices boot using only software that is verified as trusted. The primary function of Secure Boot is to prevent
  • Page 321: Device Resource Management And Monitoring

    CPU utilization could be indicative of a malware infection or a denial-of-service attack. Examples of activities to monitor include: • Connected ports • CPU usage • Memory usage
  • Page 322: Event Logs

    When prioritizing device security, the first point of assessment is often the network interfaces and services. By deactivating unneeded interfaces and services, one can reduce potential vulnerabilities and associated security threats. Additionally, activating the appropriate
  • Page 323 Moxa Services: TCP 443 and 40404; Enabled. These 2 ports are only used by the Moxa management software. Disable it if you don’t use Moxa management software. Security-Related Functions
  • Page 324: Common Threats And Countermeasures

    HTTP data flow. transmission with HTTPS. Disclosure. Tampering & Information Disclosure: An attacker can read or modify data transmitted over Telnet data flow. Disable Telnet, and replace HTTP transmission by SSH.
  • Page 325: Recommended Operational Roles And Duties

    Designated for system management, this privilege level permits: • Creation and deletion of configuration objects, files, and user accounts. • Monitoring system status and resources. • Modifying parameter values. • Reviewing stored data within the device. Administrator Responsibilities:
  • Page 326: Supervisor

    Moxa devices provide three user privilege categories: admin, supervisor, and user. We advise aligning the admin role for administrator users, the supervisor role for supervisor users, and the user role for auditor users.
  • Page 327: Recommended Patching And Backup Practices

    Configuration Backup For network operators and system administrators, it is essential to regularly back up device configurations. This precaution allows for quick recovery in unforeseen scenarios, such as cyber attacks.
  • Page 328: Recommendations For Vulnerability Management

    To report vulnerabilities for Moxa products, please submit your findings on the following web page: https://www.moxa.com/en/support/product-support/security-advisory/report-a-vulnerability. For the most up-to-date Moxa security information, please visit our security advisory page: https://www.moxa.com/en/support/product-support/security-advisory
  • Page 329: Recommendations For Decommissioning

    • Delete all logs, and verify deletion. • After all reset processes are complete, verify that all sensitive data has been cleared.
  • Page 330: Using Security Features

    They can distinguish between packets belonging to different connections and apply more complex security policies. Stateful firewalls maintain a state table that tracks information such as source and destination IP addresses, port numbers, and connection status.
  • Page 331: Categories Of Firewall

    • Protocol filter policy: The Industrial Secure Router supports industrial protocol filtering, allowing users to inspect network traffic based on specific protocols to detect anomalies and protect your network.
  • Page 332: When To Use Firewalls

    • Airport Lighting Control and Monitoring System (ALCMS): Manages lighting information for approaches, runways, and taxiways. • Apron Docking Guide Systems: Aids aircraft in safe and precise docking at the airport.
  • Page 333: Interoperability And Security

    Integrating subsystems while preserving security and redundancy requires meticulous design and strategic solutions. With the right tools and approaches, airports can achieve high levels of operational efficiency and safety.
  • Page 334: Example: Allowing Atms-Alcms Traffic

    1. Go to Firewall→Layer 3-7 Policy, and then click [Add]. Result: The Layer 3-7 Policy creation panel appears. 2. Specify all of the following: Item / Value: Action = Allow; Filter Mode = IP and Port Filtering
  • Page 335: Example: Configuring Blocked Traffic (Air)

    3. In the Filter Mode field, select IP and Port Filtering. 4. Click Apply. 5. Make sure that the "deny all" rule is the last rule on the list, otherwise this rule may override the allow rules.
  • Page 336 1. Go to Firewall →Layer 3-7 Policy 2. Specify Status as Enabled. 3. Specify Default Action as Deny All. 4. Click Apply. Specific rules override generalized policies, effectively making the policy the last rule on the list.
  • Page 337: Security Standards And Concepts

    For instance, a normal user with limited permissions may only view the device's system settings, whereas an administrator would have full control to view or edit all system settings.
  • Page 338: About Authentication Types

    Local vs. Remote Authentication Feature Comparison Features Local Remote Configuration location Local device Remote RADIUS server, local as fallback Number of accounts Many
  • Page 339 6. In the New Password field, type 1qaz!@#$ , and then type again to confirm. 7. Click Create. Results: By creating the user Nick, Authorization and Accounting details can now be configured.
  • Page 340 Warning! The account will be temporarily locked if there are too many consecutive login failures. 4. Set Login Failure Account Lockout to Enabled. 5. In the Login Failure Retry Threshold field, type
  • Page 341 This is the amount of time in minutes before inactive accounts automatically log out. Results: This configuration: • Displays a warning message on failed login attempts, enabling troubleshooting • Blocks accounts for five minutes after three unsuccessful login attempts, limiting the effectiveness of credential guessing
  • Page 342 RADIUS server is not reachable. For details, see Example: Creating a Local User. 3. Go to Security→Authentication→RADIUS. Result: The RADIUS Server will appear. 4. Configure all of the following:
  • Page 343 Note If RADIUS is enabled, but unreachable, network-based logins (HTTP/HTTPS/Telnet/SSH) will not be possible, and users will be limited to logins through the console port only.
  • Page 344: Isa/Iec 62443 Standards And Architecture

    To help mitigate this risk, Moxa implements the ISA/IEC 62443-4-2 standard into our network device designs. Security Standards and Vertical Markets
  • Page 345: Isa/Iec 62443 Standards And Architecture

    62443 ISA/IEC 62443-1 General Part 1-1: Terminology, concepts, and models Part 1-2: Master glossary of terms and abbreviations Part 1-3: System security compliance metrics Part 1-4: IACS security life cycle and use-cases
  • Page 346 • IEC 62443-3-3 These standards help integrators: • Determine security zones • Specify security capability levels for each zone • Integrate products into an Automation Solution Key Parts of ISA/IEC 62443 Standard
  • Page 347: Establishing Foundational Requirements

    Once the solution is ready, it's installed on-site, becoming a vital part of the IACS. Summary of IEC 62443 Stakeholders Establishing Foundational Requirements ISA/IEC 62443-1-1 Foundational Requirements (FR) FR 1 Identification and Authentication Control FR 2 Use Control FR 3 System Integrity
  • Page 348: Component Requirements

    Part 4-2 extends the SRs from Part 3-3 by introducing CRs tailored for a variety of IACS components. These components fall under four broad categories of SRs: • Software Applications • Embedded Devices • Host Devices • Network Devices
  • Page 349: Fr 1 Applications: User Identification And Authentication

    • Security Level 1: Implementing basic identification and authentication for all human users. • Security Level 2: Incorporates RE1 - uniquely identify and authenticate users, like using ID cards for employees. • Security Level 3: Engages RE2 - multifactor authentication.
  • Page 350: Product Lifecycle And Security

    For more information about CRs, SLs, and REs, refer to the ISA/IEC 62443 standard. Product Lifecycle and Security Component security plays a role throughout the product lifecycle. Moxa's Application of ISA/IEC 62443-4-1 MX-ROS V3 - NAT-108 Series - User Manual...
  • Page 351: Product Security Context

    The fusion of these component requirements with their enhancement requirements defines the component's target security level. Product Security Context Security context describes a product's role in a network and the security features of its environment. MX-ROS V3 - NAT-108 Series - User Manual...
  • Page 352: Security Context Of An Industrial Secure Router

    (IDS/IPS), virtual private network (VPN) support, and advanced encryption capabilities. Secure router Intrusion Detection Systems (IDS) can be deployed behind the firewall for a defense-in-depth approach, increasing detection of attacks bypassing first-layer firewalls.
  • Page 353: Security Context Of An Industrial Ethernet Switch

    ACLs and VLANs can help isolate devices on the same physical or logical network segments. This isolation adds further security to minimize or mitigate the effects of an attack.
  • Page 354: Appendix

    Chapter 7 Appendix
  • Page 355: Destination Ports For Layer 3 - 7 Protocol

    Destination Ports for Layer 3 – 7 Protocol Network Service Remote-Access Remote-Desktop Email File-Transfer Web-Access Network-Service Authentication VOIP-and-Streaming SQL-Server Industrial Application Service Modbus DNP3 IEC-60870-5-104 IEC-61850-MMS OPC-DA OPC-UA CIP-EtherNet/IP Siemens-Step7 Moxa-RealCOM
  • Page 356 Industrial Application Service moxa-MXview-Request
  • Page 357: Glossary

    IP address of the network. Network Address Translation (NAT) NAT (Network Address Translation) is a method of changing an IP address during Ethernet packet transmission, which can also enhance network security. If you want to hide an
  • Page 358: Port Address Translation (Pat)

    IP address to a specific IP address, or an internal IP address range to one external IP address. Port Address Translation (PAT) Port Address Translation (PAT) maps multiple private IP addresses to one public IP address using different port numbers.
  • Page 359: Iec 61162-460 Supplementary Declaration

    When users configure this device, they need to additionally consider the following requirements to determine if they are necessary for the specific site. If they are, the following recommendations can be referenced:
  • Page 360 Layer 3-7 policy. 6. The communication between devices or software defined within the 460-network must be managed through the EDR-G9010/EDR-8010 or by using alternative devices equipped with 460-switch and 460-forwarder functionalities to achieve control.
  • Page 361: Iec 61375-2-3 Communication Identifiers

    Conformance test - control telegram Conformance test - status telegram Conformance test - confirmation request telegram Conformance test - confirmation reply telegram Conformance test - opTrnDir request telegram Conformance test - opTrnDir reply telegram
  • Page 362 ECSP - Confirmation/Correction request ECSP - Confirmation/Correction reply ETBN - control request ETBN - status reply ETBN - train network directory request ETBN - train network directory reply TCN-DNS - resolving request telegram (query)
  • Page 363 ComID Description TCN-DNS - resolving reply telegram
  • Page 364: Iec-104 Cause Of Transmission List

    14-19 reserved for further compatible definitions interrogated by general interrogation interrogated by interrogation group 1 interrogated by interrogation group 2 interrogated by interrogation group 3 interrogated by interrogation group 4
  • Page 365 1 interrogated by interrogation counter group 2 interrogated by interrogation counter group 3 interrogated by interrogation counter group 4 type-Identification unknown cause unknown ASDU address unknown Information object address unknown
  • Page 366: Iec-104 Type Identification List

    Measured value, short floating-point value Measured value, short floating-point value with time tag Integrated totals Integrated totals with time tag Event of protection equipment with time tag Packed start events of protection equipment with time tag
  • Page 367: Process Telegrams With Long Time Tag (7 Octets)

    Event of protection equipment with time tag CP56Time2a Packed start events of protection equipment with time tag CP56Time2a Packed output circuit information of protection equipment with time tag CP56Time2a Process information in control direction Type Description Single command
  • Page 368: Command Telegrams With Long Time Tag (7 Octets)

    Setpoint command, scaled value with time tag CP56Time2a Setpoint command, short floating-point value with time tag CP56Time2a Bit string 32 bit with time tag CP56Time2a System information in monitor direction Type Description End of initializ
  • Page 369: System Information In Control Direction

    Parameter in control direction Type Description Parameter of measured value, normalized value Parameter of measured value, scaled value Parameter of measured value, short floating-point value Parameter activation File transfer Type Description File ready Section ready
  • Page 370 Type Description Call directory, select file, call file, call section Last section, last segment Ack file, Ack section Segment Directory QueryLog – Request archive file
  • Page 371: Led Behavior

    The system failed the self-diagnosis test on boot-up. LEARN Amber Blinking The device lockdown learning is in progress. Learning finished. LOCKDOWN Green The device lockdown allowlist is enabled. The device lockdown allowlist is disabled.
  • Page 372: Mib Groups

    The MIB tree structure is designed for all Moxa router series. However, some MIB files may not be supported due to the varying support levels of each product series. Refer to Supported Features List for detailed information about supported features.
  • Page 373 +-- r-n DisplayString varDeviceLockdownStateChangeTrap(81) +--swMgmt(1) +--basicSetting(2) +--systemSetting(1) +-- rwn DisplayString sysRouterName(1) +--accessibleIP(2) +-- r-n Enumeration enableAccessibleIP(1) +-- r-n Enumeration enableAccessibleLan(2) +--accessibleIpTable(3) +--accessibleIpEntry(1) [accessibleIpAddress] +-- r-n IpAddress accessibleIpAddress(1) +-- r-n IpAddress accessibleIpNetMask(2) +-- r-n Enumeration accessibleIpState(3)
  • Page 374 +-- r-n IpAddress lanIpAddr(4) +-- r-n IpAddress lanIpMask(5) +-- r-n Enumeration lanDirectedBroadcast(6) +-- r-n Enumeration lanSourceIPOverwrite(7) +--dhcpServer(4) +--dhcpSrvTable(1) +--dhcpSrvEntry(1) [dhcpSvrEnable] +-- r-n Enumeration dhcpSvrEnable(1) +-- r-n Integer32 dhcpSvrLeaseTime(2) +-- r-n IpAddress dhcpSvrDns1(3)
  • Page 375 +-- r-n IpAddress birdgeIpAddr(3) +-- r-n IpAddress bridgeIpMask(4) +--cellularSetting(10) +-- rwn Enumeration cellularEnable(1) +-- rwn Enumeration cellularConnectionEnable(2) +--cellularSimTable(3) +--cellularSimEntry(1) [cellularSimIndex] +-- r-n Integer32 cellularSimIndex(1) +-- rwn Enumeration cellularSimEnable(2) +-- rwn Enumeration cellularSimPriority(3)
  • Page 376 +-- r-n IpAddress natTransSrcIp2(161) +-- r-n IpAddress natTransSrcMask(162) +-- r-n Enumeration natTransSrcDyn(163) +-- r-n Integer32 natTransSrcPort1(164) +-- r-n Integer32 natTransSrcPort2(165) +-- r-n IpAddress natTransDstIp1(180) +-- r-n IpAddress natTransDstIp2(181) +-- r-n IpAddress natTransDstMask(182)
  • Page 377 +-- r-n DisplayString ipsecLocalId(13) +-- r-n IpAddress ipsecRemoteNetwork(14) +-- r-n IpAddress ipsecRemoteMask(15) +-- r-n DisplayString ipsecRemoteId(17) +-- r-n Enumeration ipsecAuthMode(18) +-- r-n DisplayString ipsecPsk(19) +-- r-n DisplayString ipsecLocalSelectPem(20) +-- r-n DisplayString ipsecRemoteSelectPem(21)
  • Page 378 +-- rwn DisplayString snmpReadCommunity1(14) +-- rwn DisplayString snmpReadCommunity2(15) +-- rwn DisplayString snmpTrapCommunity(16) +-- rwn Enumeration snmpTrapMode(17) +-- r-n Enumeration snmpAdminSecurityLevel(22) +-- r-n Enumeration snmpUserSecurityLevel(23) +--diagnosisSetting(12) +--lldpSetting(2) +-- rwn Enumeration lldpEnable(1) +-- rwn Integer32 lldpInterval(2)
  • Page 379 +-- r-n Enumeration vrrpIfStatus(8) +-- rwn DisplayString vrrpIfTrack(9) +-- rwn IpAddress vrrpPingTrackIP(10) +-- rwn Integer32 vrrpPingTrackInt(11) +-- rwn Integer32 vrrpPingTimeout(12) +-- rwn Integer32 vrrpPingTrackSuccess(13) +-- rwn Integer32 vrrpPingTrackFailure(14) +-- rwn Integer32 vrrpAdvInt(15)
  • Page 380 +-- r-n Enumeration spanningTreePortEdge(6) +-- r-n Enumeration activeProtocolOfRedundancy(4) +--turboRingV2(5) +--turboRingV2Ring1(1) +-- r-n Integer32 ringIndexRing1(1) +-- r-n Enumeration ringEnableRing1(2) +-- r-n Enumeration masterSetupRing1(3) +-- r-n Enumeration masterStatusRing1(4) +-- r-n MacAddress designatedMasterRing1(5) +-- r-n Integer32 rdnt1stPortRing1(6)
  • Page 381 +-- r-n Enumeration vlanType(4) +--swMgmtGroup(22) +-- r-n Integer32 numberOfPorts(1) +-- r-n DisplayString switchModel(2) +-- r-n DisplayString firmwareVersion(4) +--globalStatus(23) +-- r-n Enumeration firewallGlobalStatus(1) +-- r-n Enumeration natGlobalStatus(2) +-- r-n Enumeration vpnGlobalStatus(3) +-- r-n Enumeration securityNotificationFirewallStatus(4)
  • Page 382 +-- rwn Integer32 powerLimit(4) +-- rwn Enumeration pdfailure(5) +-- rwn DisplayString pdipaddr(6) +-- rwn Integer32 pdPollingInterval(7) +-- rwn Enumeration poePortLegacyPdDetect(9) +-- rwn Integer32 pdNoResponseTimeout(10) +-- rwn Enumeration pdNoResponseAction(11) +-- rwn Enumeration poePowerOutputMode(12) +--poeStatusTable(6)
  • Page 383 +-- r-n DisplayString eventlogTruseAccessTimestamp(2) +-- r-n Integer32 eventlogTruseAccessSeverity(3) +-- r-n DisplayString eventlogTruseAccessEvent(4) +-- rwn Enumeration eventlogTruseAccessClear(2) +--eventlogMalformed(4) +--eventlogMalformedTable(1) +--eventlogMalformedEntry(1) [eventlogMalformedIndex] +-- r-n Integer32 eventlogMalformedIndex(1) +-- r-n DisplayString eventlogMalformedTimestamp(2) +-- r-n Integer32 eventlogMalformedSeverity(3)
  • Page 384 +-- r-n DisplayString eventlogProtocolFilterPolicyEvent(4) +-- rwn Enumeration eventlogProtocolFilterPolicyClear(2) +--eventlogADP(9) +--eventlogADPTable(1) +--eventlogADPEntry(1) [eventlogADPIndex] +-- r-n Integer32 eventlogADPIndex(1) +-- r-n DisplayString eventlogADPTimestamp(2) +-- r-n Integer32 eventlogADPSeverity(3) +-- r-n DisplayString eventlogADPEvent(4) +-- rwn Enumeration eventlogADPClear(2)
  • Page 385 +-- rwn Enumeration httpEnable(1) +-- rwn Integer32 httpPort(2) +-- rwn Enumeration sslEnable(3) +-- rwn Integer32 sslPort(4) +-- rwn Enumeration telnetEnable(5) +-- rwn Integer32 telnetPort(6) +-- rwn Enumeration sshEnable(7) +-- rwn Integer32 sshPort(8)
  • Page 386 +-- r-n DisplayString httpLoginMessage(1) +-- r-n DisplayString httpLoginFailureMessage(2) +-- r-n DisplayString serialNumber(78) +-- r-n Enumeration configEncryptEnable(79) +--security(80) +--portAccessControl(2) +--dot1x(2) +-- rwn Enumeration dataBaseOption(1) +-- rwn Enumeration dot1xReauthEnable(5) +-- rwn Integer32 dot1xReauthPeriod(6) +--dot1xSettingTable(7) +--dot1xSettingEntry(1) [portIndex]
  • Page 387 +-- r-n Enumeration softLockdownModeStatusDhcpRelayAgent(4) +-- r-n Enumeration softLockdownModeStatusSnmpSvr(5) +--mibNotificationsPrefix(3) +--configChangeTrap(1) [varconfigChangeTrap] +--power1Trap(2) [varpower1Trap] +--power2Trap(3) [varpower2Trap] +--di1Trap(4) [vardi1Trap] +--di2Trap(5) [vardi2Trap] +--redundancyTopologyChangedTrap(10) [varredundancyTopologyChangedTrap] +--turboRingCouplingPortChangedTrap(11) [varturboRingCouplingPortChangedTrap] +--turboRingMasterChangedTrap(12) [varturboRingMasterChangedTrap] +--vpnConnectedTrap(40) [varVPNConnectedTrap] +--vpnDisconnectedTrap(41) [varVPNDisconnectedTrap] +--firewallPolicyTrap(50) [varFirewallPolicyTrap] +--securityNotificationTrap(51) [varSecurityNotificationTrap]
  • Page 388 +--loggingCapacityTrap(52) [varLoggingCapacityTrap]
  • Page 389: Mms Command Type List

    MMS Command Type List This is a list of MMS command type codes and command names. Command Type Command Name confirmed_RequestPDU confirmed_ResponsePDU confirmed_ErrorPDU unconfirmed_PDU rejectPDU cancel_RequestPDU cancel_ResponsePDU cancel_ErrorPDU initiate_RequestPDU initiate_ResponsePDU initiate_ErrorPDU conclude_RequestPDU conclude_ResponsePDU conclude_ErrorPDU
  • Page 390: Mms Service Operation List

    This is a list of MMS service operation codes and their names. Service Operation Service Operation Name acknowledgeEventNotification alterEventConditionMonitoring alterEventEnrollment createJournal createProgramInvocation defineEventAction defineEventCondition defineEventEnrollment defineNamedType defineNamedVariable defineNamedVariableList defineScatteredAccess defineSemaphore deleteDomain deleteEventAction deleteEventCondition deleteEventEnrollment deleteJournal deleteNamedType deleteNamedVariableList
  • Page 391 Service Operation Service Operation Name deleteProgramInvocation deleteSemaphore deleteVariableAccess downloadSegment eventNotification fileClose fileDelete fileDirectory fileOpen fileRead fileRename getAlarmEnrollmentSummary getAlarmSummary getCapabilityList getDomainAttributes getEventActionAttributes getEventConditionAttributes getEventEnrollmentAttributes getNamedTypeAttributes getNamedVariableListAttributes getNameList getProgramInvocationAttributes getScatteredAccessAttributes
  • Page 392 Service Operation Service Operation Name getVariableAccessAttributes identify informationReport initializeJournal initiateDownloadSequence initiateUploadSequence input kill loadDomainContent obtainFile output read readJournal relinquishControl rename reportActionStatus reportEventActionStatus reportEventConditionStatus reportEventEnrollmentStatus reportJournalStatus reportPoolSemaphoreStatus reportSemaphoreEntryStatus reportSemaphoreStatus
  • Page 393 Service Operation Service Operation Name requestDomainDownLoad requestDomainUpload reset resume start status stop storeDomainContent takeControl terminateDownloadSequence terminateUploadSequence triggerEvent unsolicitedStatus uploadSegment write writeJournal
  • Page 394: Sample Local Consist Info File

    <fctId>30</fctId> <fctName>grpDoor1</fctName> </functioninfo> </vehicleinfo></consistinfo> This page explains security practices for installing, operating, maintaining, and decommissioning the device. We strongly recommend that our customers follow these guidelines to enhance network and equipment security.
  • Page 395: Installation

    Setting user passwords to expire after a certain period of time. 3. Enforce regulations that ensure that only a trusted host can access the device. Please refer to the Trusted Access section for detailed instructions.
  • Page 396: Vulnerable Network Ports

    Columns: Cipher Suite Name, Exchange, Authentication, Encryption, Function. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: ECDHE, CHACHA20 POLY1305, SHA256. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: ECDHE, ECDSA, AES128, SHA256. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: ECDHE, AES128, SHA256. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ECDHE, AES256, SHA384. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: Ephemeral DH, AES128, SHA256.
  • Page 397 SHA256 2. Below is a list of the recommended secure browsers that support TLS v1.2 or above: Browser Version Microsoft Edge Microsoft Internet Explorer v11 or above Mozilla Firefox v27 or above
  • Page 398 6. Time synchronization with authentication: Time synchronization is crucial for process control. To prevent malicious attacks whereby the settings are changed without permission, authentication must be in place between the NTP server and client. The
  • Page 399 Please refer to the SSH & SSL section for detailed instructions. 8. Below is the list for the protocol port numbers used for all external interfaces: Protocol Service Type Port Number Telnet HTTP HTTPS DHCP SNMP Moxa Service 40404
  • Page 400: Maintenance

    3. Examine event logs frequently to detect any anomalies. 4. To report vulnerabilities of Moxa products, please submit your findings on the following web page: https://www.moxa.com/en/support/product-support/security-advisory/report-a-vulnerability.
  • Page 401: Decommission

    Decommission To prevent sensitive information such as your account password or certificate from being disclosed, always reset the system settings to factory default before decommissioning the device.
  • Page 402: Severity Level List

    Severity / Description. Emergency: System is unusable. Alert: Action must be taken immediately. Critical: Critical conditions. Error: Error conditions. Warning: Warning conditions. Notice: Normal but significant condition. Informational: Informational messages. Debug: Debug-level messages.
  • Page 403: System Event List

    Log Service Ready Log service is ready. Redundancy Ring/RSTP Topology Changed The Ring/RSTP topology was changed. Redundancy Master Mismatch A Turbo Ring Master mismatch occurred. Redundancy Coupling Topology Changed The Coupling topology was changed.
  • Page 404 The active SIM has been switched to another SIM card. Cellular GuaranLink Reconnected Cellular GuaranLink has successfully reconnected the cellular network. Cellular Guaranlink Triggered ISP Reregister GuaranLink triggered re-registration with the Internet Service Provider.
  • Page 405 The Data Carrier Detect (DCD) state of the serial port has changed. DHCP DHCP Error Log An error occurred in the DHCP process, and it has been logged. General Device Lockdown State Change The device lockdown learning status has changed.
  • Page 406 Snooping NTP/SNTP Error Log NTP/SNTP Error Log An error occurred in NTP/SNTP synchronization and has been logged. Redundancy Ring/Chain/RSTP Topology Changed The topology of the ring, chain, or RSTP network has changed.
  • Page 407: User Role Privileges

    Available settings and options will vary depending on the product model. Options Menu Settings Admin Supervisor User Reboot Reset to Default Settings Save Custom Default Log Out System Settings Admin Supervisor User System Management Information Settings Firmware Upgrade
  • Page 408: Network Configuration

    Password Policy Management Interface User Interface SNMP Time System Time NTP/SNTP Server Setting Check Network Configuration Settings Admin Supervisor User Ports Port Settings Layer 2 Switching VLAN MAC Address Table Network Interfaces
  • Page 409: Network Service

    Network Service Settings Admin Supervisor User DHCP Server Routing Settings Admin Supervisor User Unicast Routing Static Routes Routing Table Settings Admin Supervisor User Firewall Settings Admin Supervisor User Layer 3 Policy Device Lockdown
  • Page 410: Certificate Management

    Certificate Signing Request Security Settings Admin Supervisor User Device Security Login Policy Trusted Access SSH & SSL Authentication Login Authentication RADIUS TACACS+ MXview Alert Notification Diagnostics Settings Admin Supervisor User System Status Utilization
  • Page 411 Settings Admin Supervisor User Network Status Network Statistics LLDP ARP Table Event Log & Notifications Event Log Event Notifications Syslog SNMP Trap/Inform Email Settings Tools Ping
  • Page 412 Moxa Inc. Copyright © 2025 Moxa, Inc. All rights reserved. Reproduction without permission is prohibited. Trademarks and logos are copyrights of their respective owners. www.moxa.com/products
