Siemens NK8237 MP4.70, Installation Function & Configuration Commissioning Safety Regulations

Page 1: ...lding Technologies 30 09 2014 Fire Safety Security Products NK8237 MP4 70 Firewall Application for Sinteso STT20 and Cerberus PRO Fire Detection Systems Installation Function Configuration Commissioning Safety Regulations ...

Page 2: ......

Page 3: ... Hardware installation 19 4 1 NK8237 hardware installation 19 5 Software installation 23 5 1 Installation checklist 23 5 2 Composer tool 23 5 3 Launching Composer 23 5 4 NK823x Web Server 25 5 5 NW8202 IP configuration download tool 26 5 5 1 NW8202 hardware requirements 26 5 5 2 NW8202 software requirements 27 5 5 3 NW8202 installation 27 5 6 NW8204 maintenance and diagnostic tool 27 5 6 1 NW8204 ...

Page 4: ...re download procedure 43 7 Maintenance and diagnostics 45 7 1 Kernel update 45 7 2 SNMP monitoring 46 7 3 The NW8204 maintenance and diagnostic tool 46 7 3 1 Launching NW8204 from DMS host 46 7 3 2 File commands 49 7 3 3 Diagnostic functions 49 7 3 4 Uploading diagnostic files 52 7 3 5 Using log files 54 7 3 6 Menu Send Default Configuration File 57 7 4 The NK823x Web Server 58 7 5 Correcting comm...

Page 5: ...rity management systems Documentation resource information The DMS8000 Documentation Resource Information and Glossary Guide assembles important information regarding documentation resources This document contains the following Comprehensive definitions of the target audiences for Siemens FS DMS documents Training program information including the Siemens intranet link A complete list of all avail...

Page 6: ...d any necessary corrections are included in subsequent editions Suggestions for improvement are welcome Copyrights and registered trademarks Brand or product names mentioned in this document may be names protected by copyright law or registered trademarks of other companies These are mentioned only for identification purposes and have no recommendatory character in regard to the product or manufac...

Page 7: ...hat minor or moderate injury or property damage may occur if a procedure is not followed Warning This is a Warning message and indicates that a serious injury or a severe equipment and property damage may occur if a procedure is not followed Cross references to other information in printed material are indicated with an arrow and the page number enclosed in brackets 92 For more information on crea...

Page 8: ... specific or local safety standards and or regulations that apply concerning project planning installation operation and device disposal must also be taken into account Note As for any electrical equipment proper grounding is critical to the safe operation as it provides a protection against electrical shocks Before starting any activity be sure that the electrical installation complies with relev...

Page 9: ...products Note Modifications to a system or to individual products may cause faults or malfunctioning Please request written approval from Siemens Building Technologies and from any relevant authorities concerning intended system modifications and system extensions 1 5 Data privacy and protection Make sure that the configuration of the system complies with local data privacy and protection regulati...

Page 10: ...dbus Gateway functionality for protecting Sinteso FS20 STT20 and Cerberus PRO FS720 fire detection systems 2 1 Firewall application examples In Sinteso FS20 STT20 and Cerberus PRO FS720 fire detection systems the connection to external networks or external access must be configured via a firewall for security reasons The NK823x firewall application can protect individual stations or the entire net...

Page 11: ...l GAP Station External network Internal network Management station e g MM8000 or 3rd party Engineering tool e g SintesoWork SintesoView Networking via Ethernet COM 1 COM 2 COM 3 COM 4 Power Tamper Download Diagnostics NK8237 firewall External network Internal network SAFEDLINK GAP Station Management station e g MM8000 or 3rd party Engineering tool e g SintesoWork SintesoView Networking via SAFEDLI...

Page 12: ... tool e g SintesoWork SintesoView Networking via SAFEDLINK and Ethernet External network Internal network 1 GAP Station SAFEDLINK Management station e g MM8000 or 3rd party COM 1 COM 2 COM 3 COM 4 Power Tamper Download Diagnostics NK8237 firewall Internal network 2 Internal network 3 GAP Station SAFEDLINK COM 1 COM 2 COM 3 COM 4 Power Tamper Download Diagnostics NK8237 firewall COM 1 COM 2 COM 3 C...

Page 13: ...23x Web Server 25 Configuring IP settings via the NK823x Web Server 30 The NK823x Web Server 58 New NK823x Web Server to configure IP addresses and get diagnostic information NW8204 installation 27 Added command line for silent installation Secure communication for web services 28 Added section to manage the security certificate for web services Configuring IP settings via NW8202 31 Downloading th...

Page 14: ...ital functions LED green Software vitality Blinking 1 flash core software running Blinking 2 flash core software running and logging function active Tamper LED bicolor Unit tamper Red means tamper alarm hardware controlled Green means tamper disabled from management station Download LED red Network diagnostics Off status OK Blinking 1 flash missing identification from NS8xxx Blinking 2 flashes not...

Page 15: ...Status Com3 Com4 not used Status Com4 Red RX Green TX 3 1 2 Internal DIP switches The internal DIP switches S101 enable a download session via FTP using a default IP address and the NK823x Web Server Internal switch Functions DIP switch 1 Default mode network access If DIP switch 1 is ON an FTP connection occurs by default on the Ethernet 1 at the default IP address 192 168 9 41 and the NK823x Web...

Page 16: ...001 A2 mainboard Item Name Description 1 S101 DIP Switches 2 S1 Reset button 3 S2 Tamper switch 4 X115 When closed it disables the box tamper alarm 3 1 4 Ethernet interfaces The NK8237 main board is equipped with two Ethernet interfaces The two RJ 45 connectors also include 2 LEDs yellow and green reporting the LAN status as follows Yellow LED if on a 100 Mbps link is active Green LED flashing whe...

Page 17: ... with a USB interface you can use to log data about network communications on a USB mass storage device see Network Connectivity Guide document no A6V10359485 3 1 6 SD card The NK8237 mainboard is equipped with a 16 GB SD card The SD card slot is located below the CPU module and can be accessed only by removing the plastic housing The SD card can be used to log data about network communications se...

Page 18: ...Structure and functions 3 NK8237 hardware 18 Building Technologies A6V10403182_a_en Fire Safety Security Products 30 09 2014 1 SD card slot location on the mainboard Item Description 1 SD card slot ...

Page 19: ...EE 802 3 10Base T 100Base T also possible for NK823x RJ 45 connection Fixed IP address DHCP not supported Stable network with guaranteed transmission characteristics no down times for maintenance predictable network load For the special mounting kits refer to the NK8000 datasheets WARNING The installation must be carried out by technically qualified personnel 4 1 NK8237 hardware installation Insta...

Page 20: ...rfaces top view Item Name Description 1 X1 USB 2 X2 Ethernet 2 3 X3 Ethernet 1 4 X101 1 output 5 X102 3 inputs 6 X103 Power supply 7 X104 RS485 in place of COM1 8 X105 RS485 in place of COM2 Bottom view 1 2 Serial RS232 interfaces bottom view Item Name Description 1 COM 1 In place of X104 2 COM 2 In place of X105 Power connections Note the dual power supply input for redundant solutions ...

Page 21: ...y Power connections Power supply Pin Assignment 1 2 Earth Primary 3 N A 4 Not used N A 5 Not used 6 7 Earth Secondary optional 8 X2 X3 Ethernet Connector A standard RJ45 connector connects Ethernet Category 5 or 6 UTP cabling is best suited Ethernet connections Pin Assignment 1 TX 2 TX 3 RX 4 n c 5 n c 6 RX 7 n c 8 n c X101 Onboard I O Output Relay Onboard I O output relay Pin Assignment 1 Common ...

Page 22: ... supply fault 4 Common 5 Val 6 Val DIN Rail Installation The modules are supplied in a plastic box that can be easily attached to the DIN rail by hooking it on the top of the rail and pressing it in on the opposite side To detach the box pull downward on the tab located at the rear of the module The I O modules are mounted the same way Note Before removing the box carefully disconnect the flat cab...

Page 23: ...pre installed on the SD card of the new NK8237 units or can be installed during the update of the kernel or install the NW8202 tool 26 3 If required for diagnostics install the NW8204 tool 27 5 2 Composer tool Composer tool can be installed using the standard DMS8000 DVD To commission an NK8237 for firewall application you can choose the Composer GW Tool NK8237 installation option which is a light...

Page 24: ... To change a server connection at a later time select the appropriate project or root node in the Projects Management window tree and then select the Change server icon see figure Projects Management window Note 2 You cannot change a server connection while a project is open After you make your server selection and for all subsequent times when you start Composer the Projects Management window dis...

Page 25: ...n must be selected NOTE In the default mode DIP switch 101 1 or 101 2 is ON the NK823x Web Server is enabled regardless of the check box setting in the Node tab of the NK823x 2 Start a web browser 3 Open the IP address of the NK8237 unit for example https 192 168 9 12 The welcome page of the NK823x Web Server displays NOTE To stop the browser s security warning see Secure communication for web ser...

Page 26: ...inistrator password Reset all passwords reset Administrator and Engineer passwords to default values The welcome page of the NK823x Web Server 5 5 NW8202 IP configuration download tool The NW8202 is used to download the IP configuration data to the target NK8237 units The NW8202 Tool allows a unique IP configuration to be assigned to the NK8237 s NW8202 should be installed on the PC used to send t...

Page 27: ...s for but not limited to the following Downloading firmware Setting IP addresses Loading default configurations Using available diagnostic files Note Part of the NW8204 tool is available in Composer limited functionality For details see the Network Connectivity Guide document no A6V10359485 5 6 1 NW8204 hardware requirements Pentium class PC hardware or higher Ethernet network interface adapter IE...

Page 28: ...ure the browser of your client systems to trust the self signed certificate This is a common technique for intranet websites that are not available publicly Here is how you can configure the browsers to trust the DMS8000 self signed certificates Firefox Add a security exception Open the browser to your server using HTTPS When the warning message displays expand I Understand the Risks Click Add Exc...

Page 29: ... the trusted certification list In Chrome open Settings click Show advanced settings and then Manage certificates Click the Trusted Root Certification Authorities tab Click Import then Next Browse to the certificate you exported and click Next Select Place all certificates in the following store and browse to select Trusted Root Certification Authorities Click Next and then Finish When prompted to...

Page 30: ... 30 or the NW8202 31 2 In Composer create 33 NK8237 firewall project by restoring the default predefined firewall project 3 Configure 34 the NK8237 Ethernet connections TCP IP and BACnet IP 4 Configure 35 the firewall 5 optional Configure 38 the routing table 6 Download 42 the configuration to the NK8237 via Composer Testing and commissioning tasks 1 Test the configuration 2 Troubleshoot 45 and ma...

Page 31: ...et all other settings to default values If the unit was previously configured you need to download the configuration again 9 Disconnect the NK8237 from the Service PC and replace the cover 10 Reset the Service PC IP address back to the original address Now the NK8237 is reachable from the DMS and is ready to receive the full configuration download which is performed from Composer Configuring IP se...

Page 32: ...pending on your system security settings 4 Select the Firmware Version NK823x 5 Select the Download Mode FTP default or Secure Download encrypted data transmission that makes use of TCP port 20500 If FTP is selected select the FTP Mode Active default or Passive needed if a firewall is active in the PC 6 Enter IP address Subnet mask and Default gateway in the corresponding fields NW8202 IP configur...

Page 33: ...eceive the full configuration download which is performed from Composer 6 4 Creating the NK8237 firewall project You create an NK8237 firewall project by restoring the default predefined NK8237 firewall project in Composer Proceed as follows 1 Click the Restore button in the Projects Management window The Restore window displays 2 Click the Browse button in the line corresponding with File to be r...

Page 34: ...he NK8237 Firewall default project backup Opening the project To open the NK8237 firewall project select it in the Projects Management window and click Open By default the project main node is named Project Node You can customise this name by clicking the node selecting the Node tab on the right pane and typing the new name in the Description field Firewall default project ...

Page 35: ...et port ETH1 or ETH2 acts as external network the other Ethernet port ETH2 or ETH1 respectively acts as internal network This means that the NK8237 units are protected from intrusions coming from the external network while all the traffic from the internal network to the firewall and to the external network is allowed In this case the router functionality is automatically enabled This configuratio...

Page 36: ...SintesoWorks tool communications 7 optional Select the ICMP echo ping Traceroute check box to enable the execution of ping and traceroute commands Note that Ping and Traceroute commands are not affected by the advanced filtering configuration of source and destination addresses Note The default NK8237 firewall project has a predefined firewall configuration the firewall itself the firewall logging...

Page 37: ...Configuration Configuring the firewall 6 37 Building Technologies A6V10403182_a_en Fire Safety Security Products 30 09 2014 Default firewall configuration Default firewall advanced port settings ...

Page 38: ...53 traceroute standard network diagnostics command Note If the BACnet UDP port is changed the same changes should be applied in the BACnet parameters of the NS8011 BACnet Driver node 6 7 Configuring the routing table Configuring the routing table 1 Select the NK8237 firewall node 2 In the Routing tab click the Add button to add a new route 3 Configure the following parameters Applying standard IP ...

Page 39: ...it 1 Select the NK8237 node 2 In the Routing tab click the Get Info button to upload the routing configuration from the selected NK8237 unit The updated information populates the list in the Routing Info section 3 Check that the uploaded table actually matches the configured table Inconsistencies will indicate a configuration error or network problems At this point you can be sure that the unit ca...

Page 40: ...ocol OSPF automatically manages the shortest routing paths available in complex networks To enable dynamic routing proceed as follows 1 In the Routing protocol section of the Routing tab select the Enable dynamic routing OSPF check box NOTE To use the OSPF protocol you must enable the dynamic routing for all NK8237 in the network 2 Add a route only in the NK8237 connected to the GAP unit of the fi...

Page 41: ...lures and software errors To enable the relay output for diagnostic purpose proceed as follows 1 Select the NK8237 node and expand the subtree 2 In the toolbar on the left select the Onboard I O icon A new Onboard I O node appears 3 Select the new I O Onboard node 4 In the toolbar on the left select the Relay Output icon A new Relay Output node appears under the Onboard I O node 5 Select the Relay...

Page 42: ...lable in active or passive mode or secured by a dedicated protocol to ensure data privacy To enable the secure download or to set the FTP mode select the related option in the Node tab of the NK8237 node If enabled the secure download makes use of the TCP port 20500 instead of the ports 20 and 21 required by FTP 6 9 1 Verifying the connection to the NK8237 unit The download requires that the TCP I...

Page 43: ...d Note You add and remove versions in the Firmware list by selecting them and using the Add and Remove buttons 3 Select the NK8237 in the list in the upper part of the form Note In order to select multiple NK8237 keep the CTRL key pressed while you make your selections 4 Click the button Download Firmware The download procedure starts 5 To ensure that the download completed successfully verify tha...

Page 44: ...omplete status report which includes Hardware version e g NKM8001 A2 Firmware version available on the PC and actually installed on the unit Product Identifier ID NK8237 Delivery Date Time Add on information list of installed add on components Hardware configuration 2 serial ports Free RAM available bytes Kernel Version Linux version and release date Factory Burning Date when the product burned in...

Page 45: ...e NK8237 firmware is compatible with the new Kernel If not a message will instruct you to download a new firmware and try updating the Kernel again It verifies whether the existing Kernel is older the same or newer then the new Kernel and prompts you to confirm the update It verifies whether there is enough free memory space to install the new Kernel If not the NK8237 configuration will be tempora...

Page 46: ...ansfer Protocol and diagnostic interface to locate where the problem occurred so you can resolve it This tool provides functionalities for but not limited to the following Downloading firmware Setting IP addresses Loading default configurations Using available diagnostic and log files Since the NW8204 maintenance tool is designed mainly for customer support technical use this guide covers only the...

Page 47: ...ndow installed GUI 2 Insert the NK IP Address Note Inserting an incorrect IP address causes the following window to appear If you receive this message select OK and re type the IP Address If you want to enter the NK8237 default IP address 192 168 9 41 you can use the menu Set Default IP Address instead of typing it 3 Select Open Connection Note You can select the FTP Mode Active default or Passive...

Page 48: ... step 1 2 About Displays the version of the NW8204 tool 3 Local File Browse for a local copy of DIAGNO LOG or EEPROM LOG to analyse troubleshoot a remote NK82xx admin user only 4 Set Default IP Address See step 2 5 Send Default Configuration File See Menu Send Default Configuration File 57 6 History log frame 7 Error log frame 8 Download Upload progress status Transferred Bytes Percent and Byte Se...

Page 49: ... perform a software reset Edit Configuration File Edit View the INI file containing the NK8237 configuration Edit Diagno log Edit View the diagnostic file see Uploading diagnostic files 52 Edit EEprom log Event log Edit View the diagnostic file see Uploading diagnostic files 52 FTP mode Set the FTP connection mode to Active default or Passive needed if a firewall is active in the PC 7 3 3 Diagnost...

Page 50: ...t of configured subsystems organized by name number and creation date Read Kernel Version Reads the version of the Linux kernel installed on NK8237 Read NK Version Reads the version of the installed NK8237 firmware NK8237 EXE Read NK Date Time Reads current settings of date and time from the NK8237 RTC Read HW Conf ID Reads the HW Configuration ID from the unit The HW Conf ID is used to check the ...

Page 51: ...MP4 40 or later firmware is required Read Mass Storage Reads a mass storage device USB mass storage device or SD card available on the NK8237 unit Right click the icon of the connected mass storage device the icons display in the box at right to show the available commands Show info show information about the connected mass storage device Unmount command needed to safely remove the mass storage de...

Page 52: ...button This file contains information about the NK8237 hardware status stored on the EEProm For example if it wasn t possible to use the serial interface on COM3 because the serial add on board is broken that message is saved to the EEProm Note Every time you select the Save EEProm on File button you overwrite any existing EEProm LOG file A detailed description of the EEProm log entries is provide...

Page 53: ...eshold 3 41 EV_EEPROM_DLL_EVENT DLL diagnostic event 42 EV_EEPROM_HW_MISMATCH PIC24 microcontroller init detected a hardware version different from version in EEProm 43 EV_EEPROM_PIC24_FLASH_FAI LURE PIC24 microcontroller init failed to write the microcontroller flash memory 44 EV_EEPROM_PIC24_PROGRAM MED PIC24 microcontroller init wrote a new firmware into the microcontroller flash memory 45 EV_E...

Page 54: ...ng 1 Click the Upload Log button 2 Select the source media Usb or SD from the Media drop down list in the Source section 3 In the Filtering Criteria section of the Upload Log window select the filtering criteria that fit your needs Period section you can select a time frame select the Enable criteria check box to enable this criterion Category section you can select the information categories you ...

Page 55: ...king the Abort Log Upload button Note The log file can be imported as CSV file in a spreadsheet application in order to be analyzed by expert users Technical Support Changing the active mass storage device on the fly If two mass storage devices are available on your system USB and SD card you can change on the fly the active storage device Proceed as follows 1 Right click the inactive mass storage...

Page 56: ...again the SD card as the active log storage In such a case you need to manually set the SD card as the active log storage Configuring the logging function on the fly To configure the log files on the fly do the following You need to be logged in as admin see Launching NW8204 from DMS host 46 about different user types 1 Click the Protocol Info button 2 In the NK Protocols window select the protoco...

Page 57: ... in Composer 7 3 6 Menu Send Default Configuration File Sends a default configuration file containing only the new IP configuration to the NK8237 This function allows the download of a default configuration file with new IP parameter settings to any reachable NK8237 while NW8202 assumes that the NK8237 is set to default IP address before downloading the new configuration Send default configuration...

Page 58: ...ion PIC FW version firmware version of PIC microcontroller for NKM8001 A2 mainboard only Free RAM Free memory on SD card USB MSC free memory available on the SD card and on the USB mass storage device if available Branch number ID assigned to the NK823x in the project configuration Configuration info of the interfaces information about configured interfaces for example IP configuration of Ethernet...

Page 59: ...gnostic information about the LAN state can be obtained from different layers Link state LED of Repeater or Ethernet adapters gives you information about the physical connection and the speed of the Ethernet link 1 Select Start Programs Accessories Command Prompt 2 Choose from the following commands Command Meaning ipconfig all Shows comprehensive information about the local PC s IP configuration ...

Page 60: ...alled on the system computers Critical Operating System updates should also be installed whenever they are available and required for security and or system stability refer to Microsoft Windows Updates web services DMS8000 software and tools have shown good compatibility with most popular antivirus and security suite applications In the installation and configuration the specific security features...

Page 61: ......

Page 62: ...tional Headquarters Gubelstrasse 22 CH 6301 Zug Tel 41 41 724 24 24 www siemens com buildingtechnologies 2014 Copyright Siemens Switzerland Ltd Technical specifications and availability subject to change without notice Document ID A6V10403182_a_en DMS8000 Technical Material Edition 30 09 2014 Section 2 ...