Network Security

DoS/DDoS

[Network Security > DoS/DDoS]

A DoS/DDoS attack is a type of cyberattack designed to disrupt and render services or devices unusable. In this dialog, you can configure various filters to help protect both the device itself and other network devices from DoS attacks.

ICMP Protection:

  • ICMP Flood Protection: Prevent overwhelming the network with a high volume of ICMP packets.
  • ICMP Sweep Protection: Detect and block attempts to map out active devices on a network by sending ICMP requests to multiple IP addresses.
  • ICMP Source Session Protection: Limit the number of ICMP requests from a single source.
  • ICMP Dest Session Protection: Limit the number of ICMP requests directed at a single destination.

TCP Protection:

  • Null Scan Filter Function: Blocks null scan attacks by filtering packets with no flags set.
  • Xmas Filter Function: Prevents Xmas scan attacks by blocking packets with FIN, URG, and PSH flags set.
  • SYN/FIN Filter Function: Detects and blocks SYN/FIN scan attacks.
  • TCP Offset Protection Function: Ensures TCP packets have valid offsets to prevent manipulation.
  • Min. Header Size Filter Function: Blocks packets below the minimum TCP header size to prevent attacks with malformed packets.
  • TCP Source Session Protection: Limits the number of concurrent TCP connections from a single source IP address.
  • TCP Dest Session Protection: Limits the number of concurrent TCP connections to a single destination IP address.

UDP Protection:

  • UDP Flood Protection: Detects and blocks excessive UDP packets sent to a network.
  • UDP Source Session Protection: Limits the number of concurrent UDP connections from a single source IP address.
  • UDP Dest Session Protection: Limits the number of concurrent UDP connections to a single destination IP address.
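The filters above each describe either a header check or a per-address limit. The following Python example is added here for illustration and is not the product's firmware code: it implements the TCP Protection checks (Null, Xmas, SYN/FIN, TCP offset, minimum header size) as a small header parser, and the Source/Dest Session Protection idea as a per-address session counter. The function names, the thresholds and the sample headers built by `make_tcp` are constructed for this example.

```python
import struct
from collections import defaultdict

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MIN_TCP_HEADER = 20  # a data offset of 5 words is the smallest legal TCP header


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed part of a TCP header; raises ValueError if fewer than 20 bytes are present."""
    if len(segment) < MIN_TCP_HEADER:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "sport": sport,
        "dport": dport,
        "offset": (off_flags >> 12) * 4,  # header length in bytes claimed by the sender
        "flags": off_flags & 0x01FF,      # NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    }


def tcp_filter_verdict(segment: bytes) -> str:
    """Return 'allow', or the name of the TCP Protection filter that would drop the segment."""
    try:
        hdr = parse_tcp_header(segment)
    except ValueError:
        return "min_header_size"
    flags = hdr["flags"] & 0x3F  # the scan checks look only at URG/ACK/PSH/RST/SYN/FIN
    if flags == 0:
        return "null_scan"            # Null Scan Filter: no flags at all
    if flags & (FIN | URG | PSH) == (FIN | URG | PSH):
        return "xmas_scan"            # Xmas Filter: FIN, URG and PSH set together
    if flags & (SYN | FIN) == (SYN | FIN):
        return "syn_fin"              # SYN/FIN Filter: contradictory open and close
    if hdr["offset"] < MIN_TCP_HEADER:
        return "min_header_size"      # Min. Header Size Filter: offset field below 5 words
    if hdr["offset"] > len(segment):
        return "tcp_offset"           # TCP Offset Protection: header claims bytes that are not there
    return "allow"


class SessionLimiter:
    """Source/Dest Session Protection: cap concurrent sessions per source and per destination address."""

    def __init__(self, max_per_source: int, max_per_dest: int):
        self.max_src, self.max_dst = max_per_source, max_per_dest
        self.by_src = defaultdict(set)
        self.by_dst = defaultdict(set)

    def open(self, src: str, dst: str, session_id) -> bool:
        """Admit a new session unless either endpoint is already at its limit."""
        if session_id in self.by_src[src]:
            return True  # already tracked, e.g. a retransmitted SYN
        if len(self.by_src[src]) >= self.max_src or len(self.by_dst[dst]) >= self.max_dst:
            return False
        self.by_src[src].add(session_id)
        self.by_dst[dst].add(session_id)
        return True

    def close(self, src: str, dst: str, session_id) -> None:
        self.by_src[src].discard(session_id)
        self.by_dst[dst].discard(session_id)


def make_tcp(sport: int, dport: int, flags: int, offset_words: int = 5) -> bytes:
    """Build a constructed 20-byte TCP header for exercising the filters (not captured traffic)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (offset_words << 12) | flags, 8192, 0, 0)


if __name__ == "__main__":
    for name, seg in [("null", make_tcp(40000, 502, 0)),
                      ("xmas", make_tcp(40000, 502, FIN | URG | PSH)),
                      ("syn", make_tcp(40000, 502, SYN))]:
        print(name, "->", tcp_filter_verdict(seg))
```

The order of the checks matters: a segment with no flags is reported as a Null scan before the offset checks run, which mirrors how the dialog lists the filters as independent switches rather than one combined test.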

Routing Mode

[Network Security > Packet Filtering > Routing Mode]

In this menu, you can configure the settings for the Routing Mode packet filter. This packet filter contains rules that the device sequentially applies to the data stream on its router interfaces. The Routing Mode packet filter performs stateful evaluation of the data stream, selectively filtering out undesired data packets.

When a data packet meets the criteria of one or more rules, the device executes the action specified by the first matching rule and disregards any subsequent rules. If no rules match the data packet, the device applies the default rule, which is set to “Block” by default. You can modify this default rule in the Configuration > Setting > Policy.

Settings

[Network Security > Packet Filtering > Routing Mode > Settings]

Bandwidth Limitation: Limit the maximum bandwidth in Routing mode.

Log Limitation: Restrict the logging of each firewall rule based on the specified rate limit and burst limit.

Default Policy: The default policy for routing mode is set to “Block.” This can be changed to “Allow” if needed.

Firewall Rules

[Network Security > DoS/DDoS > Routing Mode > Firewall Rules]

This page allows you to create a new firewall rule to control traffic that is being routed between different network interfaces. In Routing Mode, the firewall acts as a gateway or router, making security decisions as traffic passes from one network segment to another. Each interface must have its own IP address.

Filter:

  • Protocol: Select the protocol to apply filtering rules.
  • Protected IPs: Specify the IP addresses configured in the Alert settings.

Search: Perform a quick search by IP address, port, or protocol name.

Action:

  • Clear All: Remove all existing rules.
  • Import: Import the rules from a file.
  • Export: Export the current rule to a file.

Add New Rule:

  • Incoming Interface: Select the interface where the traffic will enter the firewall (e.g., DEVICE).
  • Outgoing Interface: Select the interface where the traffic will exit the firewall after being inspected (e.g., LAN).
  • Source IP: Specify the IP address of the device initiating the communication.
    • Check the Any box to have this rule apply to traffic from any source IP address.
  • Source Port: Specify the TCP or UDP port number the source device is using.
    • Check the Any box to have this rule apply to any source port. This is the most common setting.
  • Destination IP: Specify the IP address of the device receiving the communication.
    • Check the Any box to have this rule apply to traffic going to any destination IP address.
  • Protocol: Select the network protocol for this rule from the dropdown menu. The available protocols depend on your license.
  • Rule Type: Choose the action the firewall will take when traffic matches this rule.
    • Allow: Permits the traffic to pass.
    • Block: Drops the traffic and prevents it from reaching its destination.
  • Activity: For supported industrial protocols, you can select a specific activity to control. This allows for granular control based on Deep Packet Inspection (DPI).
  • Destination Port: Specify the TCP or UDP port number the destination device is listening on. This is often determined by the selected protocol (e.g., port 502 for Modbus/TCP).
    • Check the Any box to have this rule apply to any destination port.
  • Concurrent TCP Connections: Enter a number to limit the number of simultaneous TCP connections allowed for this specific traffic flow.
  • Limit Packets Rate: Enter a number to control the maximum rate of packets per second allowed for this traffic flow. This can help prevent network flooding.
  • Limit Bandwidth: Check this box to enable and specify a bandwidth limit for this traffic flow.
  • Enable Log: Check this box to have the firewall create a log entry in the System Log every time this rule is matched.

Learning Mode Settings

[Network Security > Packet Filtering > Routing Mode > Learning Mode Settings]

The Learning Mode is a powerful feature that uses Deep Packet Inspection (DPI) to analyze the specific actions within industrial protocols. It automatically determines the operational behavior of your network traffic (e.g., distinguishing between "Read" and "Write" commands). This analysis allows the firewall to suggest highly accurate, granular firewall rules, dramatically speeding up the policy creation process.

Learn Port (Incoming Traffic): This setting specifies which physical interface(s) the firewall will monitor for traffic. Select the port where the traffic you want to learn is entering the firewall.

Learn All Traffic: Controls the scope of the analysis.

  • Enabled: Analyzes all TCP/UDP traffic on the selected Learn Port, including DPI for supported protocols.
  • Disabled: Only analyzes traffic destined for the IPs listed in Protected OT Assets.

Protected OT Assets: Define your critical assets here. This list is used for:

  • Focused Learning: To analyze traffic for only these specific assets when Learn All Traffic is disabled.
  • Alert: To generate specific alerts when traffic to these assets is blocked.

Transparent Mode

This mode is used when configuring the LAN and DEVICE interfaces to operate in Transparent Mode.

Settings

[Network Security > Packet Filtering > Transparent Mode > Settings]

This page allows you to create a new firewall rule to control traffic passing through the firewall in Transparent Mode. In this mode, the firewall acts as a "bump in the wire," inspecting traffic at both Layer 2 (MAC address) and Layer 3 (IP address) without needing its own IP address on the protected network.

Monitor Log: Enable this option to log all traffic, whether it is allowed or blocked.

Block IPv6: Enable this option to block all IPv6 traffic.

Block ICMP: Enable this option to block ICMP (Internet Control Message Protocol) traffic.

Firewall Rules

[Network Security > Packet Filtering > Transparent Mode > Firewall Rules]

Filter:

  • Protocol: Select the protocol to apply filtering rules.
  • Protected IPs: Specify the IP addresses configured in the Alert settings.

Search: Perform a quick search by IP address, port, or protocol name.

Action:

  • Clear All: Remove all existing rules.
  • Import: Import the rules from a file.
  • Export: Export the current rule to a file.

Add New Rule:

  • Incoming Interface: Select the interface (LAN or DEVICE) where the traffic will enter the firewall.
  • Outgoing Interface: Select the interface (LAN or DEVICE) where the traffic will exit the firewall after being inspected.
  • Source IP/MAC: Specify the address of the device initiating the communication.
    • For Layer 3 traffic (like TCP/UDP), enter the IP address.
    • For Layer 2 protocols (like GOOSE or SV), enter the MAC address.
    • Check the Any box to have this rule apply to traffic from any source.
  • Source Port: Specify the TCP or UDP port number the source device is using.
    • Check the Any box to have this rule apply to any source port. This is the most common setting.
  • Destination IP/MAC: Specify the address of the device receiving the communication.
    • For Layer 3 traffic, enter the destination IP address.
    • For Layer 2 protocols, enter the destination MAC address.
    • Check the Any box to have this rule apply to traffic going to any destination.
  • Protocol: Select the network protocol for this rule from the dropdown menu (e.g., TCP, UDP, Modbus/TCP, GOOSE). The available protocols depend on your license.
  • Activity: For supported industrial protocols, you can select a specific activity to control. This allows for granular control based on Deep Packet Inspection (DPI).
  • Destination Port: Specify the TCP or UDP port number the destination device is listening on. This is often determined by the selected protocol (e.g., port 502 for Modbus/TCP).
    • Check the Any box to have this rule apply to any destination port.
  • Limit Packets Rate: (Optional) Enter a number to control the maximum rate of packets per second allowed for this traffic flow. This can help prevent network flooding.
  • Limit Bandwidth: (Optional) Check this box to enable and specify a bandwidth limit for this traffic flow.
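The rule fields listed for Routing Mode and for Transparent Mode, together with the first-match evaluation and default policy described under Routing Mode, translate into a small rule engine. The Python example below is added for illustration and is not the device's own implementation: `Rule`, `PacketFilter`, the token-bucket used for Log Limitation (rate limit plus burst limit) and the sample rules and packets are all assumptions. It accepts IP addresses, CIDR networks and MAC addresses in the source and destination fields so that the same engine serves both modes, and it treats the Limit Packets Rate setting as dropping packets that exceed the per-rule rate.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"


class TokenBucket:
    """Rate limiter: `rate` tokens per second sustained, at most `burst` tokens banked."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    in_iface: str          # e.g. "DEVICE", "LAN" or "any"
    out_iface: str
    src: str               # IP address, CIDR network, MAC address, or "any"
    sport: object          # port number or "any"
    dst: str
    dport: object
    proto: str             # e.g. "tcp", "modbus", "goose", or "any"
    action: str            # "allow" or "block" (the Rule Type field)
    pps_limit: Optional[int] = None   # Limit Packets Rate, packets per second
    log: bool = False                 # Enable Log
    _pps: Optional[TokenBucket] = field(default=None, init=False, repr=False)

    def __post_init__(self):
        if self.pps_limit:
            self._pps = TokenBucket(self.pps_limit, self.pps_limit)


def addr_match(rule_addr: str, pkt_addr: str) -> bool:
    """Exact match for MACs and single IPs, containment for CIDR networks, 'any' matches everything."""
    if rule_addr == ANY or rule_addr.lower() == pkt_addr.lower():
        return True
    try:
        return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr, strict=False)
    except ValueError:  # a MAC address or a malformed value never matches a CIDR rule
        return False


class PacketFilter:
    """First-match rule evaluation with a default policy and per-rule log limitation."""

    def __init__(self, rules, default_policy="block", log_rate=5.0, log_burst=10):
        self.rules = list(rules)
        self.default_policy = default_policy
        self.log_rate, self.log_burst = log_rate, log_burst
        self._log_buckets = {}
        self.log = []  # (time, rule index, verdict) entries that survived the log limit

    def _matches(self, r: Rule, pkt: dict) -> bool:
        return (r.in_iface in (ANY, pkt["in"]) and r.out_iface in (ANY, pkt["out"])
                and r.proto in (ANY, pkt["proto"])
                and addr_match(r.src, pkt["src"]) and addr_match(r.dst, pkt["dst"])
                and r.sport in (ANY, pkt.get("sport")) and r.dport in (ANY, pkt.get("dport")))

    def evaluate(self, pkt: dict, now: float) -> str:
        for i, r in enumerate(self.rules):
            if not self._matches(r, pkt):
                continue  # keep walking the list in order
            verdict = r.action
            if verdict == "allow" and r._pps and not r._pps.allow(now):
                verdict = "block"  # this example drops packets beyond the per-rule rate
            if r.log:
                bucket = self._log_buckets.setdefault(i, TokenBucket(self.log_rate, self.log_burst))
                if bucket.allow(now):
                    self.log.append((now, i, verdict))
            return verdict  # the first matching rule decides; later rules are ignored
        return self.default_policy  # no rule matched: apply the Default Policy


# Constructed sample rule set: one Layer 3 Modbus rule and one Layer 2 GOOSE rule.
RULES = [
    Rule("DEVICE", "LAN", "10.0.1.0/24", ANY, "10.0.2.10", 502, "modbus", "allow", pps_limit=2, log=True),
    Rule("LAN", "DEVICE", "aa:bb:cc:00:00:01", ANY, "01:0c:cd:01:00:00", ANY, "goose", "allow"),
]

if __name__ == "__main__":
    pf = PacketFilter(RULES)
    pkt = {"in": "DEVICE", "out": "LAN", "src": "10.0.1.7", "dst": "10.0.2.10",
           "proto": "modbus", "sport": 40000, "dport": 502}
    print([pf.evaluate(pkt, t) for t in (1.0, 1.0, 1.0, 2.0)], pf.log)
```

Because evaluation stops at the first match, rule order is part of the policy: a broad Allow placed above a narrow Block silently disables the Block, which is the property the Routing Mode description warns about when it says subsequent rules are disregarded.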

Learning Mode Settings

[Network Security > Packet Filtering > Transparent Mode > Learning Mode Settings]

In Transparent Mode, Learning Mode analyzes Layer 2 and Layer 3 traffic to automatically generate firewall rules. It discovers general TCP/UDP and Layer 2 (e.g., GOOSE, SV) traffic flows, and for supported industrial protocols, also uses Deep Packet Inspection (DPI) to identify specific activities (e.g., Read vs. Write).

Learn Port (Incoming Traffic): Select the interface(s) (LAN and/or DEVICE) where the firewall will monitor traffic for analysis. In Transparent Mode, learning is only available on these two ports.

Learn All Traffic: Controls the scope of the analysis.

  • Enabled: Analyzes all traffic on the selected Learn Port, including TCP/UDP (Layer 3) and MAC-based protocols like GOOSE or SV (Layer 2).
  • Disabled: Only analyzes traffic destined for the IP or MAC addresses listed in Protected OT Assets.

Protected OT Assets: Define your critical assets here. This list is used for:

  • Focused Learning: To analyze traffic for only these specific assets when Learn All Traffic is disabled.
  • Alert: To generate specific alerts when traffic to these assets is blocked.
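To make the learning behaviour concrete for both the Routing Mode and Transparent Mode settings, the Python example below (added here; it is not the product's learning engine) runs the Learn Port, Learn All Traffic and Protected OT Assets settings over a constructed list of observed flows and turns the result into candidate Allow rules. The record format, the function names and the sample addresses are assumptions; the DPI activity field is taken as already decoded.

```python
from collections import Counter

# Constructed observations (not captured traffic): one record per packet seen on a learn port.
OBSERVED = [
    {"port": "DEVICE", "src": "10.0.1.20", "dst": "10.0.2.10", "proto": "modbus", "dport": 502, "activity": "read"},
    {"port": "DEVICE", "src": "10.0.1.20", "dst": "10.0.2.10", "proto": "modbus", "dport": 502, "activity": "read"},
    {"port": "DEVICE", "src": "10.0.1.21", "dst": "10.0.2.10", "proto": "modbus", "dport": 502, "activity": "write"},
    {"port": "DEVICE", "src": "10.0.1.20", "dst": "10.0.2.50", "proto": "tcp", "dport": 443, "activity": None},
    {"port": "LAN", "src": "aa:bb:cc:00:00:01", "dst": "01:0c:cd:01:00:00", "proto": "goose", "dport": None, "activity": None},
    {"port": "MGMT", "src": "10.0.9.1", "dst": "10.0.2.10", "proto": "tcp", "dport": 22, "activity": None},
]


def learn_flows(observed, learn_ports, learn_all, protected_assets):
    """Count distinct flows on the Learn Ports.

    With Learn All Traffic disabled only traffic whose destination is a Protected OT Asset
    (IP or MAC) is learned; with it enabled every flow on the selected ports is learned.
    """
    protected = {a.lower() for a in protected_assets}
    flows = Counter()
    for pkt in observed:
        if pkt["port"] not in learn_ports:
            continue
        if not learn_all and pkt["dst"].lower() not in protected:
            continue
        flows[(pkt["port"], pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"], pkt["activity"])] += 1
    return flows


def suggest_rules(flows):
    """Turn each learned flow into a candidate Allow rule with its observation count attached."""
    rules = []
    for key, seen in sorted(flows.items(), key=lambda kv: str(kv[0])):
        port, src, dst, proto, dport, activity = key
        rules.append({"in": port, "src": src, "dst": dst, "proto": proto,
                      "dport": dport if dport is not None else "any",
                      "activity": activity if activity is not None else "any",
                      "action": "allow", "seen": seen})
    return rules


def writers_to_assets(rules, protected_assets):
    """List candidate rules that would permit writes to a protected asset, for review before they are applied."""
    protected = {a.lower() for a in protected_assets}
    return [r for r in rules if r["dst"].lower() in protected and r["activity"] == "write"]


if __name__ == "__main__":
    flows = learn_flows(OBSERVED, {"DEVICE", "LAN"}, False, {"10.0.2.10"})
    for rule in suggest_rules(flows):
        print(rule)
```

A learned rule set only reflects what was on the wire during the learning window, so the write-capable candidates that `writers_to_assets` singles out are the ones worth confirming against the intended operational behaviour before the policy is submitted.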

Configure Modbus Registers

You can restrict a new or existing traffic flow to specific MODBUS registers and generate policies that only allow the specific learned registers or register ranges.

For a new traffic flow, click Add New Rule button:

  • Protocol: MODBUS
  • Activity: Read Only or Read/Write

Additional boxes display to configure the MODBUS registers:

  • Limit Read Functions Registers: Select this box to restrict reads to the specified registers. The Read Registers box is displayed only when this box is selected.
  • Write Registers: MODBUS registers that the policy will restrict writes to. Specify the registers as a comma-delimited list of individual values or ranges (e.g., 1,2,3,6-10).
  • Read Registers: MODBUS registers that the policy will restrict reads to. Specify the registers as a comma-delimited list of individual values or ranges.

DPI Profile

[Network Security > DPI Profile]

The DPI (Deep Packet Inspection) function allows you to monitor and filter data packets, helping to protect your network from undesirable content such as spam or viruses. It inspects data packets for unwanted characteristics and protocol violations by examining both the header and the payload.

On this page, you can create the DPI profile. The device will block any data packets that do not match the specified profiles.

The menu contains the following protocols:

  • BN3500
  • DNP3
  • EtherNet/IP
  • Modbus/TCP
  • MQTT
  • PROFINET-PTCP

Example Creating Modbus Profile

This page allows you to define Modbus TCP-specific profiles. These profiles specify function codes and register or coil addresses. The function codes in the Modbus TCP protocol determine the purpose of the data transfer. The device will block any data packets that violate the specified profiles. If an error is detected, the device can terminate the data connection upon user request. To assist you in defining function codes, predefined function code lists and a function code generator are provided.
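Both the register lists in Configure Modbus Registers and the function-code profiles described here amount to matching each Modbus/TCP request against an allow profile. The Python example below is added for illustration and is not the device's DPI engine: it parses the register list format used in the dialog (e.g., 1,2,3,6-10), decodes the MBAP header and the request PDU for the common read and write function codes, and returns a verdict carrying the reason a request would be blocked. The profile layout, the function names and the sample frames built by `make_request` are assumptions; an empty register list is treated as "no register restriction", matching the dialog's behaviour when the limit box is not selected.

```python
import struct

READ_FUNCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding registers / input registers
WRITE_FUNCS = {5, 6, 15, 16}     # write single coil / single register / multiple coils / multiple registers


def parse_register_spec(spec: str) -> list:
    """Parse the dialog's comma-delimited register list ('1,2,3,6-10') into inclusive (lo, hi) ranges."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, hi = (part.split("-", 1) if "-" in part else (part, part))
        lo, hi = int(lo), int(hi)
        if not (0 <= lo <= hi <= 0xFFFF):
            raise ValueError(f"bad register range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def covered(ranges: list, start: int, count: int) -> bool:
    """True when every address in [start, start+count) falls inside one of the allowed ranges."""
    need = set(range(start, start + count))
    for lo, hi in ranges:
        need.difference_update(range(lo, hi + 1))
    return not need


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the request PDU; raises ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or MBAP length")
    pdu = frame[7:]
    req = {"tid": tid, "unit": unit, "fc": pdu[0]}
    if req["fc"] in (1, 2, 3, 4, 15, 16):
        if len(pdu) < 5:
            raise ValueError("truncated request")
        req["start"], req["count"] = struct.unpack("!HH", pdu[1:5])
    elif req["fc"] in (5, 6):
        if len(pdu) < 5:
            raise ValueError("truncated request")
        req["start"], req["count"] = struct.unpack("!H", pdu[1:3])[0], 1
    return req


def dpi_verdict(frame: bytes, profile: dict) -> str:
    """Return 'allow' or 'block:<reason>' for one request checked against a profile.

    profile = {"activity": "read_only" | "read_write", "functions": set of allowed function codes,
               "read": ranges or [] (no read restriction), "write": ranges or [] (no write restriction)}
    """
    try:
        req = parse_modbus_tcp(frame)
    except ValueError:
        return "block:malformed"  # protocol violation: header or PDU does not parse
    fc = req["fc"]
    if fc not in profile["functions"]:
        return "block:function_code"
    if fc in WRITE_FUNCS:
        if profile["activity"] != "read_write":
            return "block:write_not_allowed"
        if profile["write"] and not covered(profile["write"], req["start"], req["count"]):
            return "block:write_register"
    elif fc in READ_FUNCS and profile["read"] and not covered(profile["read"], req["start"], req["count"]):
        return "block:read_register"
    return "allow"


def make_request(fc: int, start: int, count: int = 1, unit: int = 1, tid: int = 1) -> bytes:
    """Build a constructed Modbus/TCP request frame (test input, not captured traffic)."""
    if fc in (5, 6):
        pdu = struct.pack("!BHH", fc, start, 0)                  # address + value
    elif fc in (15, 16):
        nbytes = count * 2 if fc == 16 else (count + 7) // 8
        pdu = struct.pack("!BHHB", fc, start, count, nbytes) + bytes(nbytes)
    else:
        pdu = struct.pack("!BHH", fc, start, count)             # start address + quantity
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed profile: read registers 1-3 and 6-10, write only 6-7, function codes 3/6/16 permitted.
PROFILE = {"activity": "read_write", "functions": {3, 6, 16},
           "read": parse_register_spec("1,2,3,6-10"), "write": parse_register_spec("6-7")}

if __name__ == "__main__":
    print(dpi_verdict(make_request(3, 6, 5), PROFILE), dpi_verdict(make_request(16, 6, 3), PROFILE))
```

The register check deliberately looks at the whole span a request touches, not just its start address: a multi-register write that begins inside the allowed range but runs past its end is still refused, which is the case a start-address-only check would miss.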

  • Add Profile: Create a new profile.

Action:

  • Modify the selected profile.
  • Remove the profile.
  • Duplicate the profile.

Submit: Click this button to save all changes to the profiles.

After creating a profile, it will be available for selection when adding a new rule. You can select the DPI Profile, where the newly created profile will be displayed for use.
