Siemens SIMATIC NET SCALANCE S615, Configuration Manual

Page 1: ...curity SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 Preface Description 1 Security recommendation 2 Technical basics 3 Configuring with Web Based Management 4 Upkeep and maintenance 5 Appendix A A ...

Page 2: ... those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation If products and components from other manufacturers are used th...

Page 3: ...D5 and SHA256 Port can be configured for HTTP HTTPS Telnet SSH and SNMP Password protected loading and saving of Config and Config Pack DHCP client on all devices DHCP Configuration limits for static IP addresses expanded to 128 per pool Events extended by firewall Support for TLS based Syslog Connection Check Schedule restart NETMAP rules editable bidirectional rules auto firewall rules User spec...

Page 4: ...s and a link to detailed configuration instructions You will find this document on the Internet under the following entry ID 26662448 https support industry siemens com cs ww en view 26662448 SIMATIC NET manuals You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support Using the search function Link to Siemens Industry Online Support http support automation siemens...

Page 5: ...ected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures e g firewalls and or network segmentation are in place For additional information on industrial security measures that may be implemented please visit https www siemens com industrialsecurity Siemens products and solutions undergo continuous development to ...

Page 6: ..._Scalance M 800 S615_86 pdf Trademarks The following and possibly other names not identified by the registered trademark sign are registered trademarks of Siemens AG SCALANCE SINEMA KEY PLUG C PLUG Preface SCALANCE S615 Web Based Management 6 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 7: ...2 1 7 2 PRESET PLUG 23 2 Security recommendation 25 3 Technical basics 31 3 1 Structure of an IPv4 address 31 3 2 ICMP 33 3 3 VLAN 35 3 3 1 VLAN 35 3 3 2 VLAN tagging 36 3 4 SNMP 37 3 5 Security functions 40 3 5 1 User management 40 3 5 2 Firewall 42 3 5 2 1 Firewall 42 3 5 3 NAT 45 3 5 4 NAT and firewall 46 3 5 5 Certificates 49 3 5 6 VPN 49 3 5 6 1 IPsec VPN 49 3 5 6 2 OpenVPN 53 3 5 6 3 VPN con...

Page 8: ... 93 4 4 8 SNMP 94 4 4 9 LLDP 95 4 4 10 Routing Table 96 4 4 11 IPsec VPN 97 4 4 12 SINEMA RC 98 4 4 13 OpenVPN client 100 4 4 14 Redundancy 101 4 4 14 1 Overview 101 4 4 14 2 Spanning Tree 103 4 4 15 VRRPv3 Statistics 106 4 4 16 Security 108 4 4 16 1 Overview 108 4 4 16 2 Supported Function Rights 111 4 4 16 3 Roles 112 4 4 16 4 Groups 112 4 5 System menu 113 4 5 1 Configuration 113 4 5 2 General ...

Page 9: ...2 1 Link Change 177 4 5 13 PLUG 179 4 5 13 1 Configuration 179 4 5 13 2 License 182 4 5 14 Ping 185 4 5 15 DCP Discovery 186 4 5 16 DNS 188 4 5 16 1 DNS Client 188 4 5 16 2 DNS Proxy 189 4 5 16 3 DDNS Client 189 4 5 17 DHCP 191 4 5 17 1 DHCP Client 191 4 5 17 2 DHCP Server 193 4 5 17 3 DHCP Options 195 4 5 17 4 Static Leases 198 4 5 18 cRSP SRS 200 4 5 19 Proxy Server 201 4 5 20 SINEMA RC 202 4 5 ...

Page 10: ... 4 4 Address Configuration 250 4 8 4 5 Interface Tracking 251 4 8 4 6 Address monitoring 253 4 9 Security menu 254 4 9 1 Users 254 4 9 1 1 Local users 254 4 9 1 2 Roles 257 4 9 1 3 Groups 259 4 9 2 Passwords 260 4 9 3 AAA 262 4 9 3 1 General 262 4 9 3 2 RADIUS client 263 4 9 4 Certificates 265 4 9 4 1 Overview 265 4 9 4 2 Certificates 267 4 9 5 Firewall 270 4 9 5 1 General 270 4 9 5 2 Predefined I...

Page 11: ...nce 297 5 1 Device configuration with PRESET PLUG 297 5 2 Firmware update using WBM not possible 300 5 3 Restoring the factory settings 301 A Appendix A 303 A 1 Format of the syslog messages 303 A 2 Parameters in Syslog messages 304 A 3 Syslog messages 305 A 3 1 Syslog messages SR7 4 314 Index 317 Table of contents SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 0...

Page 12: ...Table of contents SCALANCE S615 Web Based Management 12 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 13: ...APT SourceNAT NETMAP Password protection Firewall function Port forwarding IP firewall with stateful packet inspection layer 3 and 4 Global and user defined firewall rules VPN functions To establish a VPN Virtual Private Network the following functions are available IPsec VPN OpenVPN client SINEMA RC client Proxy server Siemens Remote Service SRS SCALANCE S615 Web Based Management Configuration Ma...

Page 14: ... a fast growing number of nodes a physical network can be divided into several virtual subnets Digital input digital output Dynamic DNS client DNS client DNS proxy SMTP client TIA Portal Cloud Connector SCALANCE M804PB 1 2 Configuration examples 1 2 1 TeleControl with SINEMA RC In this configuration the remote maintenance master station is a connected to the Internet intranet via the SINEMA Remote...

Page 15: ... PC LQWHUQDO QHWZRUN 931 WXQQHO QGXVWULDO WKHUQHW M874 M874 S615 M812 TIM 3V IE Advanced S7 300 CP 1243 1 DNP3 S7 1200 Procedure To be able to access a plant via a remote maintenance master station follow the steps below 1 Establish the Ethernet connection between the S615 and the connected Admin PC 2 Create the devices and node groups on the SINEMA RC Server 3 Configure the connection to the SINE...

Page 16: ...s to the Internet With the SOFTNET Security Client he or she establishes a secure VPN connection to the S615 Various IP subnets are connected to the S615 between which the integrated firewall checks communication This allows the communication of the service technician to be restricted to a specific IP subnet Industrial Ethernet Automation application Automation system SCALANCE S615 PROFINET PROFIN...

Page 17: ...lts and Restart Afterwards renaming admin is no longer possible Password admin The password needs to be changed after the first logon or after a Restore Factory Defaults and Restart You will find more information in Web Based Management Page 61 and in Starting and logging in Page 62 1 3 1 Use in a PROFINET environment Note Validity of CCA declaration The CCA declaration applies to PROFINET RT with...

Page 18: ...s SCALANCE S615 Basic Wizard IP settings Device Settings Time settings SINEMA RC 1 DDNS Information ARP Table Log Tables Redundancy VRRPv3 SINEMA RC 1 System SMTP client SNMP Time setting Automatic logout Syslog client Fault Monitoring PLUG SMS DNS DHCP Client DHCP Server cRSP SRS Proxy Server SINEMA RC1 Connection Check Interfaces Ethernet PPP Layer 2 Configuration VLAN Dynamic MAC aging LLDP Spa...

Page 19: ...KEY PLUG SINEMA Remote Connect 6GK5908 0PB00 1 5 Configuration limits for WBM and CLI Configuration limits of the device The following table lists the configuration limits for Web Based Management and the Command Line Interface of the device Description 1 5 Configuration limits for WBM and CLI SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 19 ...

Page 20: ...One per layer 3 interface DHCP pools 8 Static assignments per DHCP pool 128 DHCP options 1 2 3 4 5 6 42 66 67 9 SINEMA RC 1 Proxy server 5 Layer 2 Virtual LANs port based including VLAN 1 16 Maximum frame size 2048 bytes Layer 3 IP interfaces 12 Static routes 100 NETMAP 256 SourceNAT 32 NAPT 32 VRRPv3 VRRPv3 instances VRID 2 Assigned IP addresses 1 per VRID Description 1 5 Configuration limits for...

Page 21: ...evices 800 Mbps Maximum number of devices and users connected simultaneously 1024 devices with 1 subnet each User device combinations can be freely selected up to the maximum overall quantity structure As the number of subnets is also dependent on the communication relationships permitted among one another for example these must be checked questioned and restricted where necessary If devices do no...

Page 22: ...status or deleted with Clean function is used the local configuration already existing on the device is automatically stored on the inserted PLUG If the PLUG contains a license additional functions are also enabled A device with a written and accepted PLUG ACCEPTED status uses the configuration data of the PLUG automatically when it starts up Acceptance is possible only when the data was written b...

Page 23: ...SET PLUG only from device configurations that use DHCP Otherwise disruptions will occur in network operation due to multiple identical IP addresses You assign fixed IP addresses extra following the basic installation In a PLUG that was configured as a PRESET PLUG the device configuration user accounts certificates and the firmware are stored Note Restore factory defaults and restart with a PRESET ...

Page 24: ...Description 1 7 PLUG SCALANCE S615 Web Based Management 24 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 25: ...PN Separate connections correctly WBM Telnet SSH etc Physical access Limit physical access to the device to qualified personnel The memory card or the PLUG C PLUG KEY PLUG contains sensitive data such as certificates keys etc that can be read out and modified Lock unused physical ports on the device Unused ports can be used to gain forbidden access to the plant Software security functions Keep the...

Page 26: ...eys and certificates you require to set up TLS VPN IPsec OpenVPN and SINEMA RC The device contains a pre installed X 509 certificate with key Replace this certificate with a self made certificate with key We recommend that you use a certificate signed by a reliable external or internal certification authority Use the certification authority including key revocation and management to sign the certi...

Page 27: ... preventing write access The product provides you with suitable setting options If SNMP is enabled change the community names If no unrestricted access is necessary restrict access with SNMP HTTP HTTPS Telnet SSH NTP Secure NTP SNTP Secure NTP TFTP SFTP Use secure protocols when access to the device is not prevented by physical protection measures To prevent unauthorized access to the device or ne...

Page 28: ...ing only Outgoing only NTP client se cure UDP 123 Outgoing only Outgoing only NTP server UDP 123 Closed Closed NTP server se cure UDP 123 Closed Closed OpenVPN UDP 1194 TCP 1194 Outgoing only Outgoing only Ping ICMP Open Closed PROFINET UDP 34964 Closed Closed RADIUS client TCP 1812 UDP 1812 Outgoing only Outgoing only SFTP TCP 22 Outgoing only Outgoing only Siemens Re mote Service cRSP SRS TCP 44...

Page 29: ...with SCALANCE S615 Explanation for table Default port status The port status on delivery factory setting distinguishes between local and external access Local access The port is accessed via a local connection vlan1 External access The port is accessed via an external connection vlan2 Service Port configurable Indicates whether the port number or the service can be configured via WBM CLI Authentic...

Page 30: ...Security recommendation SCALANCE S615 Web Based Management 30 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 31: ...he 0 values determine the device address within the IPv4 address Example Correct values 255 255 0 0 D 1111 1111 1111 1111 0000 0000 0000 0000 B 255 255 128 0 D 1111 1111 1111 1111 1000 0000 0000 0000 B 255 254 0 0 D 1111 1111 1111 1110 0000 0000 0000 0000 B Incorrect value 255 255 1 0 D 1111 1111 1111 1111 0000 0001 0000 0000 B Subnet mask 255 255 0 0 11111111 11111111 00000000 00000000 In the exa...

Page 32: ...h bit set to 1 the number of private networks doubles and the number of nodes contained in them is halved Externally the network still looks like a single network Example You change the default subnet mask for a subnet of address class B e g IP address 129 80 xxx xxx as follows Masks Decimal Binary Default subnet mask 255 255 0 0 11111111 11111111 00000000 00000000 Subnet mask 255 255 128 0 111111...

Page 33: ...t type The most important ICMP packet types are as follows Redirect The router informs the host in one of its subnets that there is a better route to the destination This ICMP packet type is dealt with in more detail in the following description Destination Unreachable IP frame cannot be delivered Time Exceeded Time limit exceeded Echo Request Echo request better known as ping Code The code descri...

Page 34: ...ubnet C Router A sends a redirect message to host A In this router A instructs host A in future to send IP frames to host C via router B whose IP address is contained in the redirect message The initial IP frame is sent by router A directly to router B that forwards it to Host C Conditions for sending redirect messages The IP frame is received and sent via the same interface of router A The source...

Page 35: ...formation Options for the VLAN assignment There are various options for the assignment to VLANs Port based VLAN Each port of a device is assigned a VLAN ID You configure port based VLAN in Layer 2 VLAN Port based VLAN Page 220 Protocol based VLAN Each port of a device is assigned a protocol group Subnet based VLAN The IP address of the device is assigned a VLAN ID VLAN assignment on the device In ...

Page 36: ...een the source address and the Ethernet type length field 3UHDPEOH E WHV HVWLQDWLRQ DGGUHVV E WHV 6RXUFH DGGUHVV E WHV 73 E WHV 7 E WHV 7 SH E WHV DWD a E WHV 5 E WHV ELW 9 1 ELWV 3ULRULW ELWV Figure 3 1 Structure of the expanded Ethernet frame The additional bytes contain the tag protocol identifier TPID and the tag control information TCI Tag protocol identifier TPID The first 2 bytes form the T...

Page 37: ...CFI is required for compatibility between Ethernet and the token Ring The values have the following meaning Value Meaning 0 The format of the MAC address is canonical In the canonical representation of the MAC address the least significant bit is transferred first Standard setting for Ethernet switches 1 The format of the MAC address is not canonical VLAN ID In the 12 bit data field up to 4096 VLA...

Page 38: ... strings are used for access protection do not use the standard values public or private Change these values following the initial commissioning Further simple protection mechanisms at the device level Allowed Host The IP addresses of the monitoring systems are known to the monitored system Read Only If you assign Read Only to a monitored device monitoring stations can only read out data but canno...

Page 39: ...r an SNMP agent This ID must be unique in the network It is used to authenticate access data of SNMPv3 users and to encrypt it Depending on whether you have enabled or disabled the SNMPv3 User Migration function the SNMP engine ID is generated differently Restriction when using the function Use the SNMPv3 User Migration function only to transfer configured SNMPv3 users to a substitute device when ...

Page 40: ... centrally Depending on the RADIUS authorization mode you have selected on the Security AAA RADIUS Client page the device evaluates different information of the RADIUS server RADIUS authorization mode Standard If you have set the authorization mode conventional the authentication of users via a RADIUS server runs as follows 1 The user logs on with user name and password on the device 2 The device ...

Page 41: ...up is known on the device and the user is entered in the table External User Accounts The user is assigned the role with the higher rights and logged in with these rights The group is not known on the device and the user is entered in the table External User Accounts The user is logged in with the rights of the role linked to the user account The group is not known on the device and the user is no...

Page 42: ...o the destination A second rule for the response direction from the destination to the source Stateful Inspection Firewall You only need to specify one firewall rule for the query direction from the source to the destination The second rule is added implicitly The packet filter recognizes when for example computer A is communicating with computer B and only then does it allow replies A query by co...

Page 43: ...PN Connec tion Name Access from the device to the tunnel partners that can be reached via all VPN connections all or via a certain VPN connection Connection Name SINEMA RC vlan x Access from SINEMA RC connections to the IP subnet ppp2 Access from the IP subnet to the WAN interface of the device Device Access from SINEMA RC connections to the device IPsec all IPsec Connection Name OpenVPN all OpenV...

Page 44: ...A RC Security IPsec VPN Phase 2 Security OpenVPN Client Connections The automatically created firewall rules allow packets in the following direction From To SINEMA RC IPsec VPN OpenVPN Internal External External Internal Device External External Device Predefined IPv4 rules When the connection is created the following IPv4 serv ices are enabled HTTP HTTPS SSH Ping Ping Ping Predefined firewall ru...

Page 45: ... scenarios that are implemented with the device at the following address https support industry siemens com cs gb en view 109744660 IP masquerading IP masquerading is a simplified source NAT With each outgoing data packet sent via this interface the source IP address is replaced by the IP address of the interface The adapted data packet is sent to the destination IP address For the destination hos...

Page 46: ...237 Source NAT As with masquerading in source NAT the source address is translated In addition to this the outgoing data packets can be restricted These include limitation to certain IP addresses or IP address ranges and limitation to certain interfaces Source NAT can be used if the internal IP addresses cannot or should not be forwarded externally for example because a private address range such ...

Page 47: ...to 10 100 1 102 For the devices connected to vlan2 it appears as if the packets were sent from the IP subnet 10 100 1 0 24 This allows for example overlaps of IP subnets to be resolved The rule is only specified for the send direction The retranslation is performed implicitly If the rule does not apply the packets are forwarded without translation Destina tion vlan2 external vlan1 internal 10 10 1...

Page 48: ...ent from vlan2 external to vlan1 internal are allowed to pass Example 2 These IP rules restrict the IP data traffic to a specific device NAT rule IP rules Description Ac tion Fro m To Source Range Destination Range Ser vic e Ac cep t vla n1 in ter nal vlan 2 ex ter nal 192 168 1 20 32 Source IP sub net 10 10 10 0 24 Destination IP sub net all Only packets sent to vlan2 external from the IP address...

Page 49: ...ertificates with the private key key file with which the device identifies itself IPsec VPN Page 286 Partner certificate Certificates with which the VPN gateway of the partner identifies itself with the device IPsec VPN Page 286 File types File type Description crt File that contains the certificate p12 In the PKCS12 certificate file the private key is stored with the corresponding certif icate an...

Page 50: ...negotiated between the partners e g about the lifetime of the key the encryption algorithm the period for new authentication etc Internet Key Exchange IKE is a key exchange method The key exchange takes place in two phases Phase 1 In this phase no security services such as encryption authentication and integrity checks are available yet since the required keys and the IPsec SA still need to be cre...

Page 51: ...mmon password Local ID and remote ID The local ID and the remote ID are used by IPsec to uniquely identify the partners VPN end point during establishment of a VPN connection Encryption methods The following encryption methods are supported The selection depends on the phase und the key exchange method IKE Phase 1 Phase 2 IKEv1 IKEv2 IKEv1 IKEv2 3DES x x x x AES128 CBC x x x x AES192 CBC x x x x A...

Page 52: ... keys are exchanged This means that Perfect Forward Secrecy PFS is disabled Requirements of the VPN partner The VPN partner must support IPsec with the following configuration to be able to establish an IPsec connection successfully Authentication with partner certificate CA certificates or pre shared key IKEv1 or IKEv2 Support of at least one of the following DH groups Diffie Hellman group 1 2 5 ...

Page 53: ...vice drivers the TAP and TUN device During this virtual network interfaces are created that act like a physical interface of the device and represent the endpoint of the VPN tunnel The device supports the following TUN device Routing mode The LAN Interface and the virtual network interface are located in different IP subnets The virtual tunnel interface is assigned a virtual IP address from a devi...

Page 54: ...igured local and remote subnets an entry is created in the routing table If a node attempts to send data packets via the VPN tunnel from one of the networks the VPN connection is established The settable timeout has the effect that after this time without any further data packets the VPN tunnel is termi nated again start on DI x x x Connection establishment is controlled via the digital input DI W...

Page 55: ... Requirement In System Events Configuration for the Digital Input event VPN Tunnel is activated If this setting is not activated the event is not passed on to the VPN connection Options The device supports the following options for controlling the VPN tunnel via the digital input start on DI If the event Digital Input occurs the device becomes active The device tries to establish a VPN connection ...

Page 56: ...ress of the SMTP server are configured Trap x x The device sends an SNMP trap Requirement SNMPv1 traps is enabled in System Configuration In System Configuration Traps a recipient is configured to which the device sends the SNMP traps Log table x x The device writes an entry in the event log table The content of the event log table is displayed in Information Log Table Syslog x x The device writes...

Page 57: ...ctly when you use this in the WBM and CLI Read out the status of the MIB variable x Using the private MIB variable snMspsDigitalInputLevel you can read out the status of the digital input OID of the private MIB variable snMspsDigitalInputLevel iso 1 org 3 dod 6 internet 1 private 4 enterprises 1 siemen s 4329 industrialComProducts 20 iComPlatforms 1 simaticNet 1 snMsps 1 snMspsCommon 1 snMspsDigit...

Page 58: ... for all involved components Once the root bridge has been specified each device sets a root port The root port is the port with the lowest path costs to the root bridge Response to changes in the network topology If nodes are added to a network or drop out of the network this can affect the optimum path selection for data packets To be able to respond to such changes the root bridge sends configu...

Page 59: ...o the edge port status Point to point direct communication between two neighboring devices By directly linking the devices a status change reconfiguration of the ports can be made without any delays Alternate port substitute for the root port A substitute for the root port is configured If the connection to the root bridge is lost the device can establish a connection over the alternate port witho...

Page 60: ...ments to the backup routers at specific intervals With the VRRP packets the master router signals that it is still functioning The master router also replies to the ARP queries If the virtual master router fails a backup router takes over the role of the master router The backup router with the highest priority becomes the master router If the priority of the backup routers is the same the higher ...

Page 61: ...ion Requirements WBM display The device has an IP address There is a connection between the device and the Admin PC With the Windows ping command you can check whether or not a connection exists If the device has the factory settings refer to Requirements for operation Page 16 Access via HTTPS is enabled JavaScript is activated in the Web browser The Web browser must not be set so that it reloads ...

Page 62: ...vice via HTTP the address is automatically diverted to HTTPS Note Information on the security certificate Because the device can only be administered using encrypted access it is delivered with a self signed certificate If certificates with signatures that the operating system does not know are used a security message is displayed You can display the certificate A message relating to the security ...

Page 63: ...gin Page you can define which login page is opened by default You can change the type of login via the Switch to links To log in you have the following options Login option in the center of the browser window Login option in the upper left area of the browser window Configuring with Web Based Management 4 2 Starting and logging in SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79...

Page 64: ...ut box When you log in for the first time or following a Restore Factory Defaults and Restart enter the user preset in the factory admin With this user account you can change the settings of the device read and write access to the configuration data Enter the user name of the created user account You configure local user accounts and roles in Security Users 2 Password input box When you log in for...

Page 65: ...after the admin password is changed The network parameters can be read with the Primary Setup Tool or with DCP Discovery but can no longer be changed Once you have logged in successfully the start page appears Logging into the WBM page for user specific firewall Requirement The user has the right to remote access You configure the setting Security Users Local users A rule set is assigned to the us...

Page 66: ...an IP address and can be reached via the Ethernet interface You are logged on in the WBM as a user with administrator rights When shipped or following a Restore Factory Defaults and Restart the device can be reached with the values preset in the factory For more detailed information refer to the section Requirements for operation Page 16 Starting the Basic Wizard Click on Wizard Basic Wizard in th...

Page 67: ...uration and exits the Basic Wizard Navigation within the pages of the Basic Wizard is possible only with the Previous and Next buttons 4 3 2 IP Introduction One of the basic steps in configuration of a device is setting the IPv4 address The IP address identifies a device in the network uniquely Configuring with Web Based Management 4 3 Wizard menu SCALANCE S615 Web Based Management Configuration M...

Page 68: ...et mask are assigned to the DHCP client by the DHCP server The DHCP client is disabled by default IP Address Enter the IPv4 address of the interface Subnet Mask Enter the subnet mask of the subnet you are creating Subnets on different interfaces must not overlap DHCP Gateway Shows the IP address of the gateway when the DHCP server has transmitted it Create new gateway You define the gateway in thi...

Page 69: ...I input prompt is limited The system name is truncated after 16 characters Device Location You can enter the location where the device is installed The location is displayed in the selection area A maximum of 255 characters are possible Note Permitted characters The following printable ASCII characters 0x20 to 0x7 are permitted in the input fields 0123456789 A Z a z _ System Contact You can enter ...

Page 70: ... NTP Client Enable or disable time synchronization using NTP Secure NTP Client only When enabled the device receives the system time from a secure NTP server The setting applies to all server entries To enable the secure NTP client the parameters for authentication key ID hash algorithm key must be configured Time Zone In this box enter the time zone you are using in the format HH MM The time zone...

Page 71: ...ueries The greater the interval the less accurate the time of the device Possible values are 64 to 2592000 seconds 30 days Key ID Enter the ID of the authentication key Hash Algorithm Specify the format for the authentication key Key Enter the authentication key The length depends on the hash algorithm The following minimum lengths are recommended for the hash algorithm MD5 ASCII 16 characters SHA...

Page 72: ...ce Shows which providers are supported Enabled When enabled the device logs on to the DDNS server Host Enter the hostname that you have agreed with your DDNS provider for the device e g example no ip com User Name Enter the user name with which the device logs on to the DDNS server Password Enter the password assigned to the user Password Confirmation Confirm the password Configuring with Web Base...

Page 73: ... configure the access to the SINEMA RC server Note This function can only be used with a KEY PLUG Page 22 Configuring with Web Based Management 4 3 Wizard menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 73 ...

Page 74: ... the device checks whether the correct SINEMA RC Server is involved You will find further information on this in the Operating Instructions of the SINEMA RC Server CA Certificate Only necessary with the setting CA Certificate Select the CA certificate of the server used to sign the server certificate Only loaded CA certificates can be selected Device Credentials area Device ID Enter the device ID ...

Page 75: ...connection to the SINEMA RC Server The VPN tunnel is established permanently Digital Input The settings of the SINEMA RC server are ignored If the Digital In event occurs the device attempts to establish a VPN connection to the SINEMA RC Server This is on the condition that the event Digital In is forwarded to the VPN connection To do this in System Events Configuration activate VPN Tunnel for the...

Page 76: ...e device Check the settings before you exit the Basic Wizard with the Set Values button If settings are incorrect go back using the Prev button and change the settings to the required ones Configuring with Web Based Management 4 3 Wizard menu SCALANCE S615 Web Based Management 76 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 77: ...ck the Set Values button to exit the Basic Wizard The settings are adopted Configuring with Web Based Management 4 3 Wizard menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 77 ...

Page 78: ...e is displayed after a successful login General layout of the WBM page The following areas are available on every WBM page Selection area 1 Top area Display area 2 Top area Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management 78 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 79: ...vigation area 3 Left hand area Content area 4 Middle area Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 79 ...

Page 80: ... always displayed LED simulation Each device has one or more LEDs that provide information on the operating state of the device Depending on its location direct access to the device may not always be possible Web Based Management therefore displays simulated LEDs The meaning of the LED displays is described in the operating instructions If you click this button you open the window for the LED simu...

Page 81: ...d every 2 seconds To disable the update click On Instead of On Off is displayed As default updating is always enabled on the WBM page Navigation area 3 In the navigation area you have various menus available Click the individual menus to display the submenus The submenus contain pages on which information is available or with which you can create configurations These pages are always displayed in ...

Page 82: ... the lower edge The button only becomes active if you change at least one value on the page Click this button to save the configuration data you have entered on the device Once you have saved the button becomes inactive again Note Changing configuration data is possible only with the admin role Note The changes take immediate effect But it takes some time for the changes in the configuration to be...

Page 83: ...rge number of data records you can navigate to the desired page From the drop down list select the relevant page to display it Reset Counters button Click Reset Counters to reset all counters The counters are reset by a restart Logout You can log out from any WBM page by clicking the Logout link Messages If you have enabled the Automatic Save mode and you change a parameter the following message a...

Page 84: ...not yet restarted the firmware version of the downloaded firmware file is displayed here After the next restart the loaded firmware is activated and used Bootloader Shows the version of the boot software stored on the device Firmware_Running Shows the firmware version currently being used on the device Description Shows the short description of the software Version Shows the version number of the ...

Page 85: ...order ID Serial Number Shows the serial number Hardware Revision Shows the hardware version Software Revision Shows the software version Revision Counter Regardless of a version change this box always displays the value 0 Revision Date Date and time of the last revision Function tag Shows the function tag plant designation of the device The plant designation HID is created during configuration of ...

Page 86: ... to IP address This assignment is kept by each network node in its own separate ARP table The WBM page shows the ARP table of the device Description The table has the following columns Interface Shows the interface via which the row entry was learnt MAC Address Shows the MAC address of the destination or source device IP Address Shows the IPv4 address of the destination device Media Type Shows the...

Page 87: ... configured in System Events for example if the connection status of a port has changed The content of the table is retained even when the device is turned off The event log file can be loaded using HTTP TFTP or SFTP Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 87 ...

Page 88: ...o Informative When this parameter is enabled all entries of the category Info are displayed The table has the following columns Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which the corresponding event occurred System Up Time Shows the time the device has been running since the last restart when the described event occurred Syst...

Page 89: ...the events that occurred during communication via a secure VPN tunnel in the form of the table Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 89 ...

Page 90: ...o Informative When this parameter is enabled all entries of the category Info are displayed The table has the following columns Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which the corresponding event occurred System Up Time Shows the time the device has been running since the last restart when the described event occurred Syst...

Page 91: ...f the maximum number of entries is reached for a severity the oldest entries of this severity are overwritten in the table The table remains permanently in the memory Critical Critical When this parameter is enabled all entries of the category Critical are displayed Warning warning When this parameter is enabled all entries of the category Warning are displayed Info Informative When this parameter...

Page 92: ...try into the categories above Log Message Displays a brief description of the event that has occurred 4 4 6 Faults Error status if an error occurs it is shown on this page On the device errors are indicated by red fault LED lighting up Internal errors of the device and errors that you configure on the following pages are indicated System Events System Fault Monitoring The calculation of the time o...

Page 93: ... Warm Start If the Clear Fault State button is enabled you can delete the error 4 4 7 DHCP Server This page shows which IPv4 addresses were assigned to the devices by the DHCP server Description of the displayed values IP Address Shows the IPv4 address assigned to the DHCP client Pool ID Shows the number of the IPv4 address band Identification Method Shows the method with which the DHCP client is ...

Page 94: ...address is still valid When half the period of validity has elapsed the DHCP client can extend the period of the assigned IPv4 address When the entire time has elapsed the DHCP client needs to request a new IPv4 address 4 4 8 SNMP This page displays the created SNMPv3 groups You configure the SNMPv3 groups in System SNMP Description The table has the following columns Group Name Shows the group na...

Page 95: ...ted device Device ID Device ID of the connected device The device ID corresponds to the device name assigned via PST STEP 7 If no device name is assigned the MAC address of the device is displayed Local Interface Port at which the device received the information Hold Time An entry remains stored on the device for the time specified here If the IE switch does not receive any new information from th...

Page 96: ...page shows the routes currently being used Description The table has the following columns Destination Network Shows the destination address of this route Subnet Mask Shows the subnet mask of this route Gateway Shows the gateway for this route Interface Shows the interface for this route Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management 96 Configuration ...

Page 97: ...the VPN connection Local Host Shows the IP address of the device Local DN Shows the Distinguished Name DN of the device that was signaled to the remote station during connection establishment The entry is adopted from the Local ID box the device certificate or the IP address of the device Local Subnet Shows the local subnet Remote Host Shows the IP address or the host name of the remote device Rem...

Page 98: ...us of the VPN connection 4 4 12 SINEMA RC Shows information on SINEMA RC Server Note This function can only be used with a KEY PLUG Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management 98 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 99: ... address of the SINEMA RC Server Connected Local Subnet s Shows the IP addresses of the local subnets Is only displayed when the option Connected local subnets is enabled on the SINEMA RC Server You will find further information on this in the Operating Instructions of the SINEMA RC Server Connected Local Host s Shows the destination IP address of the hosts that can be reached Tunnel Interface Add...

Page 100: ...he IP address or the hostname of the OpenVPN server Tunnel Interface IP Shows the IP address of the virtual tunnel interface Exported Subnets Shows the IP address of the local subnets Routed Subnets Shows the subnets of the OpenVPN server Status Shows the status of the OpenVPN connection Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management 100 Configuration...

Page 101: ...er the priority If several devices in a network have the same priority the device whose MAC address has the lowest numeric value will become the root bridge Both parameters bridge priority and MAC address together form the Bridge identifier Since the root bridge manages all path changes it should be located as centrally as possible due to the delay of the frames The value for the bridge priority i...

Page 102: ...ward Delay New configuration information is not used immediately by a bridge but only after the forwarding delay specified in the parameter This ensures that operation is only started with the new topology after all the bridges have the required information The default for this parameter is 15 seconds Bridge Max Age Root Max Age When the max age timer elapses the received BPDU is discarded to be a...

Page 103: ...page shows the current information about the spanning tree and the settings of the root bridge Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 103 ...

Page 104: ...Bridge Address Root Address The bridge address shows the MAC address of the device and the root address shows the MAC address of the root switch Root Cost Shows the path costs from the device to the root bridge Bridge Status Shows the status of the bridge e g whether or not the device is the root bridge The table has the following columns Port Shows the interfaces via which the device communicates...

Page 105: ...her words the lowest value for this parameter is selected A value between 0 and 240 can be entered for the priority in steps of 16 If you enter a value that cannot be divided by 16 the value is automatically adapted The default is 128 Path Cost This parameter is used to calculate the path that will be selected The path with the lowest value is selected If several ports of a device have the same va...

Page 106: ... link The following values are possible P t P With half duplex a point to point link is assumed Shared Media With a full duplex connection a point to point link is not assumed 4 4 15 VRRPv3 Statistics Introduction This page shows the statistics of the VRRPv3 protocol and all configured virtual routers Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management 106...

Page 107: ...virtual router Valid values are 1 255 Address Type Shows the version of the IP protocol Become Master Shows how often this virtual router changed to the Master status Advertisements Received Shows how many VRRPv3 packets were received Advertisement Interval Errors Shows how many bad VRRPv3 packets were received whose interval does not match the value set locally IP TTL Errors Shows how many bad VR...

Page 108: ...bad VRRPv3 packets were received whose value in the Type field of the IP header is invalid Address List Errors Shows how many bad VRRPv3 packets were received whose address list does not match the locally configured list Packet Length Errors Shows how many bad VRRPv3 packets were received whose length is not correct 4 4 16 Security 4 4 16 1 Overview Note The values displayed depend on the rights o...

Page 109: ...encrypted access to the CLI SSH Server You configure the setting in System Configuration Enabled Encrypted access to the CLI Disabled No encrypted access to the CLI SSH Fingerprint x The following SSH fingerprints are displayed MD5 SH256 Configuring with Web Based Management 4 4 Information menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 109 ...

Page 110: ...nd fallback local The authentication must be handled via a RADIUS server A local authentication is performed only when the RADIUS server cannot be reached in the network Password Policy Shows which password policy is currently being used Local and external user accounts You configure local user accounts and roles in Security Users When you create a local user account an external user account is ge...

Page 111: ...hows the role of the user You can obtain more information on the function rights of the role in Information Security Roles 4 4 16 2 Supported Function Rights Note The values displayed depend on the role of the logged on user The page shows the function rights available locally on the device Description of the displayed values Function Right Shows the number of the function right Different rights r...

Page 112: ...th read and change device parameters 0 This is a role that the device assigns internally when a user could not be authenticated The user is denied access to the device Description Shows a description of the role 4 4 16 4 Groups Note The values displayed depend on the role of the logged on user This page shows which group is linked to which role The group is defined on a RADIUS server The roll is d...

Page 113: ...guration pages on which more detailed settings can be made The standard port can also be changed for your own services Note Change standard port Some programs can only access the service over the standard port e g TIA Portal accesses HTTPS over standard port 443 Before you change the port check which port the program uses When you change the standard port you must access the service over the chang...

Page 114: ...the CLI SSH Server Enable or disable the SSH Server service for encrypted access to the CLI SSH Port Specify the port for SSH access to the CLI HTTP Server Enable or disable HTTP access to the WBM HTTP Port Specify the port for HTTP access to the WBM Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management 114 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 115: ...er specific firewall Configuration Logging into the WBM SMTP Client Enable or disable the SMTP client You can configure other settings in System SMTP Client Syslog Client Enable or disable the Syslog client You can configure other settings in System Syslog Client DCP Server Specify whether or not the device can be accessed with DCP Discovery and Configuration Protocol disabled DCP is disabled Devi...

Page 116: ... in System SNMP General SNMPv3 Access to device parameters is possible only with SNMP version 3 You can configure other settings in System SNMP General SNMPv1 v2 Read Only Enable or disable write access to SNMP variables with SNMPv1 v2c SNMPv1 Traps Enable or disable the sending of SNMPv1 traps alarm frames You can configure other settings in System SNMP Traps SINEMA Configuration Interface If the...

Page 117: ...y Note Interrupting the save Saving starts only after the timer in the message has elapsed How long saving takes depends on the device During the save the message Saving configuration data in progress Please do not switch off the device is displayed Do not switch off the device immediately after the timer has elapsed Trial Trial mode In Trial mode although changes are adopted they are not saved in...

Page 118: ...ignation of the device System Name You can enter the name of the device The entered name is displayed in the selection area A maximum of 255 characters are possible The system name is also displayed in the CLI input prompt The number of characters in the CLI input prompt is limited The system name is truncated after 16 characters System Contact You can enter the name of a contact person responsibl...

Page 119: ...arding to the changed IP address Procedure 1 Enter the contact person responsible for the device in the System Contact input box 2 Enter the identifier for the location at which the device is installed in the System Location input box 3 Enter the name of the device in the System Name input box 4 Click the Set Values button Note Steps 1 to 3 can also be performed with the SNMP Management Tool 4 5 2...

Page 120: ...u enter the value of the eastern or western longitude of the location of the device The value 8 20 58 73 means that the device is located at 8 degrees 20 minutes and 58 73 seconds east A western longitude is indicated by a preceding minus sign You can also add the letter E easterly longitude or W westerly longitude to the numeric information 8 20 58 73 E Input box Height Height Here you enter the ...

Page 121: ...ed with the buttons of this menu and not by a power cycle on the device If the device is in Trial mode configuration modifications must be saved manually before a restart Any modifications you have made only become active on the device after clicking the Set values button on the relevant WBM page If the device is in Automatic Save mode the last changes are saved automatically before a restart Conf...

Page 122: ...s of the default gateway DHCP client ID DHCP System name System location System contact Mode of the device Login text Restore Factory Defaults and Restart Click this button to restore the factory defaults of the device and to restart the device You must confirm the restart in a dialog box Note By resetting to the factory configuration settings the device is reachable again with the IP address 192 ...

Page 123: ...d by Siemens can be downloaded to the device HTTPSCert Default HTTPS certificates including key The preset and automatically created HTTPS certificates are self signed We strongly recommend that you create your own HTTPS certificates and make them available We recommend that you use HTTPS certificates signed either by a reliable external or by an internal certification authority The HTTPS certific...

Page 124: ...o need this password to export the file from STEP 7 Basic Professional See also RunningSINEMAConfig StartupInfo Startup log file This file contains the messages that were entered in the log during the last start up Users This file contains the assignment of the user names to the corresponding pass words WBMFav WBM favorites This file contains the favorites that you created in the WBM You can downl...

Page 125: ...re not saved in the configuration files ConfigPack and Config Use the Write Startup Config button on the System Configuration WBM page to save changes in the configuration files CLI script file You can download existing CLI configurations RunningCLI and upload your own CLI scripts Script Note The downloadable CLI script is not intended to be uploaded again unchanged CLI commands for saving and loa...

Page 126: ...real device is required to configure a device in STEP 7 Basic Professional You can export the configuration and load it as SINEMAConfig to the real device using the WBM X509 certificates The following file types can be loaded into the device crt pem zip Maximum file name length 255 characters p12 Maximum file name length 248 characters Description The table has the following columns Type Shows the...

Page 127: ...d to enter the password specified for the file in System Load Save Passwords A dialog for uploading a file opens 2 Select the required file and confirm the upload The file is uploaded 3 If a restart is necessary a message to this effect will be output Click the OK button and run the restart If you click the Abort button there is no device restart The changes only take effect after a restart Note C...

Page 128: ...le on your client PC or to load such data from an external file from the PC to the devices This means for example that you can also load new firmware from a file located on your Admin PC On this page the certificates required to establish a secure VPN connection can also be loaded Firmware The firmware is signed and encrypted This ensures that only firmware created by Siemens can be downloaded to ...

Page 129: ...as follows For offline diagnostics You can save the faulty configuration of a device as RunningSINEMAConfig via the WBM and import it in STEP 7 Basic Professional No connection to a real device is required for the diagnostics in STEP 7 Basic Professional You can export a corrected configuration and load it as SINEMAConfig again using the WBM For configuration No connection to a real device is requ...

Page 130: ... the port of the TFTP server via which data exchange will be handled If necessary you can change the default value 69 to your own requirements The table has the following columns Type Shows the file type Description Shows the short description of the file type Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management 130 Configuration Manual 11 2019 C79000 G8976 C388...

Page 131: ... the data from in Filename Note Files whose access is password protected To save and load these files on the device successfully you need to enter the password specified for the file in System Load Save Passwords 4 Select the action you want to execute from the Actions drop down list 5 Click Set Values to start the selected action 6 If a restart is necessary a message to this effect will be output...

Page 132: ...ates required to establish a secure VPN connection can also be loaded Firmware The firmware is signed and encrypted This ensures that only firmware created by Siemens can be downloaded to the device Configuration files Note Configuration files and Trial mode Automatic Save In Automatic Save mode the data is saved automatically before the configuration files ConfigPack and Config are transferred In...

Page 133: ...in STEP 7 Basic Professional No connection to a real device is required for the diagnostics in STEP 7 Basic Professional You can export a corrected configuration and load it as SINEMAConfig again using the WBM For configuration No connection to a real device is required to configure a device in STEP 7 Basic Professional You can export the configuration and load it as SINEMAConfig to the real devic...

Page 134: ...r every file type Note Changing the file name You can change the file name preset in this column After loading on the device the changed file name can also be used with the Command Line Interface Actions Select the action from the drop down list The selection depends on the selected file type for example you can only save the log file The following actions are possible Save file With this action y...

Page 135: ...After a cell firmware update the device automatically restarts Reusing configuration data If several identical devices are to receive the same configuration and the IP addresses are assigned using DHCP the effort for reconfiguration can be reduced by saving and reading in the configuration data Follow the steps below to reuse configuration data 1 Save the configuration data of a configured device ...

Page 136: ... is used Can only be enabled if the password is configured Password Enter the password for the file Password Confirmation Confirm the new password Status Shows whether the current settings for the file match the device Valid The settings are valid Invalid the settings are invalid Status cannot be evaluated Required To successfully load the file into the device enter the password set for the file C...

Page 137: ... a follow up reaction The following messages are always entered in the event log table and cannot be deselected Changing the admin password Starting the device Operational status of the device e g whether or not a PLUG is inserted Status of errors not yet dealt with To send these messages to a Syslog server as well select the Syslog check box for the event System General Logs Configuring with Web ...

Page 138: ...MS Digital Out VPN Tunnel Cloud Connector Firewall Enable or disable the required type of notification for all events If No Change is selected the entries of the corresponding column in table 2 remain unchanged Copy To Table If you click the button the setting is adopted for all events of table 2 Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management 138 Configura...

Page 139: ...pplied this is recorded in the firewall log To do this the LOG function must be enabled for the various firewall functions DDNS Client Logs The event occurs when the DDNS client synchronizes the assigned IP address with the hostname registered at the DDNS provider System General Logs Connection establishment change to the configuration System Connection Status The connection status has changed Dig...

Page 140: ...SMS This is only possible if System SMS Event SMS is enabled and the telephone number of the recipient is configured Digital Out Controls the digital output or signals the status change with the DO LED The digital output is closed by default The digital output is opened when you activate at least one event for the digital output It also is no longer automatically connected to the fault LED You con...

Page 141: ...INEMA RC In Type of connection set Auto Digital In or Digital Input Wake up SMS only with M87x With Type of connection Auto on the SINEMA RC Server you need to set the type of connection Digital In or Wake up SMS digital input only with M87x in Remote connections You will find further information on this topic in the operating instructions SINEMA RC Server 3 Click the Set Values button 4 5 5 2 Sev...

Page 142: ...nd the critical severity are sent or logged Critical Only the messages of this severity are sent or logged 4 5 6 SMTP client 4 5 6 1 General Network monitoring with e mails If events occur the device can automatically send an e mail e g to the service technician The e mail contains the identification of the sending device a description of the cause in plain text and a time stamp This allows centra...

Page 143: ...x in a row to be deleted Status Specify whether this SMTP server will be used SMTP Server Address Shows the IP address or the FQDN Fully Qualified Domain Name of the SMTP server Sender Email Address Enter the e mail address of the sender that is specified in the e mail User Name If necessary enter the user name used for authentication on the SMTP server Password If necessary enter the password use...

Page 144: ...he IP address or the FQDN of the SMTP server for SMTP Server Address 3 Click the Create button A new entry is generated in the table 4 Enter the name of the sender that will be included in the e mail for Sender Email Address 5 Enter the user name and password if the SMTP server prompts you to log in 6 Under Security specify whether transfer to the SMTP server is encrypted 7 Enable the SMTP server ...

Page 145: ...P server entry The device sends to every configured recipient Check the test result If sending was not successful the message contains possible causes 4 5 6 2 Recipient On this page you specify who receives an e mail when an event occurs Description The page contains the following boxes SMTP Server Specify the SMTP server via which the e mail is sent Email address of the SMTP recipient Enter the e...

Page 146: ... SMTP recipient Shows the e mail address to which the device sends an e mail if a fault occurs Procedure Configuring an SMTP recipient 1 Select the required SMTP Server 2 Enter the e mail address of the SMTP recipient 3 Click the Create button A new entry is generated in the table 4 Activate the Send option for the entry 5 Click the Set Values button Configuring with Web Based Management 4 5 Syste...

Page 147: ...this page you make the basic settings for SNMP Enable the check boxes according to the function you want to use Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 147 ...

Page 148: ... the SNMP protocol SNMPv1 Traps Enable or disable the sending of SNMPv1 traps alarm frames On the Trap tab specify the IP addresses of the devices to which SNMPv1 traps will be sent SNMPv1 v2c Trap Community String Enter the community string for sending SNMPv1 v2c messages SNMPv3 User Migration Enabled If the function is enabled an SNMP engine ID is generated that can be migrated You can transfer ...

Page 149: ... character string in the SNMPv1 v2c Read Write Community String input box 5 If necessary enable the SNMPv3 User Migration 6 Click the Set Values button 4 5 7 2 Traps SNMP traps for alarm events If an alarm event occurs a device can send SNMP traps alarm frames to up to ten different management stations at the same time Traps are only sent if the events specified in the Events menu occur Note Traps...

Page 150: ...ns Trap Enable or disable the sending of traps Stations that are entered but not selected do not receive SNMP traps Procedure Creating a trap entry 1 In Trap Receiver Address enter the IP address the FQDN or the host name of the station to which the device will send traps 2 Click the Create button to create a new trap entry 3 Select the check box in the required row Trap 4 Click the Set Values but...

Page 151: ...security level authentication encryption valid for the selected group The available options are as follows No Auth no Priv No authentication enabled no encryption enabled Auth no Priv Authentication enabled no encryption enabled Auth Priv Authentication enabled encryption enabled The table has the following columns Select Select the row you want to delete Group Name Shows the defined group names S...

Page 152: ...red read rights for the group in Read 5 Specify the required write rights for the group in Write 6 Click the Set Values button Modifying a group 1 Specify the required read rights for the group in Read 2 Specify the required write rights for the group in Write 3 Click the Set Values button Note Once a group name and the security level have been specified they can no longer be modified after the gr...

Page 153: ... both the sender and recipient 6103Y 8VHUV VHFRQG SDUW RI WKH WDEOH 6103Y 8VHUV ILUVW SDUW RI WKH WDEOH Description The page contains the following boxes User Name Enter a freely selectable user name After you have entered the data you can no longer modify the name The table has the following columns Select Select the row you want to delete User Name Shows the created users Configuring with Web Ba...

Page 154: ...ers Authentication Password Confirmation Confirm the password by repeating the entry Privacy Password Enter your encryption password This password must have at least 1 character the maximum length is 32 characters Note Length of the password As an important measure to maximize security we recommend that the password has a minimum length of 6 characters and that it contains special characters upper...

Page 155: ...mation 5 If encryption was specified for the group select the algorithm in Privacy Protocol In the relevant input boxes enter the encryption password and the confirmation 6 Click the Set Values button Delete user 1 Enable Select in the row to be deleted Repeat this for all users you want to delete 2 Click the Delete button The entry is deleted 4 5 8 System Time There are different methods that can...

Page 156: ...box can be edited System Time Enter the date and time in the format MM DD YYYY HH MM SS After a restart the time of day begins at 01 01 2000 00 00 00 Use PC Time Click the button to use the time setting of the PC Last Synchronization Time Shows when the last time of day synchronization took place If no time of day synchronization was possible the box displays Date time not set Configuring with Web...

Page 157: ... in other words an hour was added You can see the current system time at the top right in the selection area of the WBM The set time continues to be displayed in the System Time box inactive offset 0 h The current system time is not changed Procedure 1 Enable the Time Manually option 2 Click in the System Time input box 3 In the System Time input box enter the date and time in the format MM DD YYY...

Page 158: ...ame Shows the name of the entry Year Shows the year for which the entry was created Start Date Shows the month day and time for the start of daylight saving time End Date Shows the month day and time for the end of daylight saving time Recurring Date With an entry of the type Recurring the period in which daylight saving time is active is displayed consisting of week day month and time of day With...

Page 159: ...uired type in the Type drop down list Depending on the selected type various settings are available 4 Enter a name name in the Name box 5 If you have selected the type Date fill in the following boxes Year Day for start and end date Hour for start and end date Month for start and end date 6 If you have selected the type Recurring fill in the following boxes Hour for start and end date Month for st...

Page 160: ...lect the type of the entry Type Select how the daylight saving time changeover is made Date You can enter a fixed date for the daylight saving time changeover This setting is suitable for regions in which the daylight saving time changeover is not governed by rules Recurring You can define a rule for the daylight saving time changeover This setting is suitable for regions in which the daylight sav...

Page 161: ...daylight saving time Day Enter the day Hour Enter the hour Month Enter the month End Date Enter the following values for the end of daylight saving time Day Enter the day Hour Enter the hour Month Enter the month Settings with Recurring selected Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 161 ...

Page 162: ... week You can select the first to fourth or the last week of the month Day Enter the weekday End Date Enter the following values for the end of daylight saving time Hour Enter the hour Month Enter the month Week Enter the week You can select the first to fourth or the last week of the month Day Enter the weekday Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Manageme...

Page 163: ...nt by an SNTP server in the network Note To avoid time jumps make sure that there is only one time server in the network Requirement To receive the SNTP frames enable the entry System Time under Security Firewall Predefined IPv4 rules Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 163 ...

Page 164: ...of day synchronization with NTP SIMATIC Automatic time of day synchronization using the SIMATIC time frame Time Zone In this box enter the time zone you are using in the format HH MM The time zone relates to UTC standard world time The time in the Current System Time box is adapted accordingly Daylight Saving Time Shows whether the daylight saving time changeover is active active offset 1 h The sy...

Page 165: ...econds SNTP Server Address Enter the IP address the FQDN Fully Qualified Domain Name or the host name of the SNTP server The table has the following columns Select Select the row you want to delete SMTP Server Address Shows the IP address the FQDN Fully Qualified Domain Name or the host name of the SMTP server SNTP Server Port Enter the port of the SNTP server The following ports are possible 123 ...

Page 166: ...ed to synchronize the time of day 5 In SNTP Server Port enter the port via which the SNTP server is available The port can only be modified if the IP address of the SNTP server is entered 6 In Poll Interval s enter the time in seconds after which a new time query is sent to the time server 7 Click the Set Values button 4 5 8 5 NTP Client Automatic time of day setting with NTP If time synchronizati...

Page 167: ...ver The setting applies to all server entries To use the secure NTP client you configure the parameters for authentication key ID hash algorithm key Current System Time Shows the current date and current normal time received by the device If you specify a time zone the time information is adapted accordingly Last Synchronization Time Shows when the last time of day synchronization took place Confi...

Page 168: ...as added You can see the current system time at the top right in the selection area of the WBM The set time continues to be displayed in the System Time box inactive offset 0 h The current system time is not changed NTP Server Index Select the index of the NTP server The NTP servers are queried in the order of the NTP Server Index The time of the server that is found first is applied If time frame...

Page 169: ...t check box to enable the automatic time setting using NTP 2 In Time Zone enter the local time difference to world time UTC The input format is HH MM because the NTP server always sends UTC time for example 02 00 for CEST the Central European Summer Time This time is recalculated and displayed as the local time based on the specified time zone 3 Select the NTP Server Index 4 Click the Create butto...

Page 170: ...ates itself with the secure NTP server These entries must be present on the secure NTP server 3 Click the Set Values button 4 5 8 6 SIMATIC Time Client Time setting via SIMATIC time client Note To avoid time jumps make sure that there is only one time server in the network Description The page contains the following boxes SIMATIC Time Client Select this check box to enable the device as a SIMATIC ...

Page 171: ...light Saving Time Shows whether the daylight saving time changeover is active active offset 1 h The system time was changed to daylight saving time in other words an hour was added You can see the current system time at the top right in the selection area of the WBM The set time continues to be displayed in the System Time box inactive offset 0 h The current system time is not changed Procedure 1 ...

Page 172: ...ver does not send cyclic messages with time information on its own but only responds to corresponding requests Settings in the function as a client time zone and daylight saving time do not influence the time information that the device sends as a server Requirement To receive the NTP frames enable the entry System Time under Security Firewall Predefined IPv4 rules Description The page contains th...

Page 173: ...be edited Key ID Enter the ID of the authentication key Hash Algorithm Specify the format for the authentication key Key Enter the authentication key The length depends on the hash algorithm The following minimum lengths are recommended for the hash algorithm DES ASCII 8 characters MD5 ASCII 16 characters SHA1 ASCII 20 characters Key Confirmation Enter the authentication key for confirmation 4 5 9...

Page 174: ...s case a packet is sent every 120 seconds that keeps the connection uninterrupted Turn off the Keep alive interval time 0 or Set the interval high enough so that the underlying connection is terminated when there is inactivity Procedure 1 Enter a value of 60 3600 seconds in the Web Base Management s input box If you enter the value 0 the automatic logout is disabled 2 Enter a value of 60 600 secon...

Page 175: ...ling is only valid during operation When restarting for example after power off the function is active until the configuration is loaded and the device can therefore inadvertently be reset to the factory settings This may cause unwanted disruption in network operation since the device then needs to be reconfigured An inserted PLUG is also deleted and returned to the status as shipped You will find...

Page 176: ... Syslog Client Enable or disable the Syslog function Syslog Server Address Enter the IP address of the Syslog server This table contains the following columns Select Select the row you want to delete Syslog Server Address Shows the IP address of the Syslog server Server Port Enter the port of the Syslog server being used TLS Enabled The syslog messages are sent using TLS encryption over TCP Disabl...

Page 177: ...he Delete button All selected entries are deleted and the display is refreshed 4 5 12 Fault Monitoring 4 5 12 1 Link Change Configuration of fault monitoring of status changes on connections On this page you configure whether or not an error message is triggered if there is a status change on a network connection If connection monitoring is enabled an error is signaled when there should be a link ...

Page 178: ...ble ports and link aggregations The port is made up of the module number and the port number for example port 0 1 is module 0 port 1 Setting Select the setting from the drop down list You have the following options Up Error handling is triggered when the port changes to the active status From Link down to Link up Down Error handling is triggered when the port changes to the inactive status From Li...

Page 179: ...LUG the device can no longer be used without this PLUG To be able to use the device again reset the device to the factory settings Information about the configuration of the KEY PLUG This page provides detailed information about the configuration stored on the C PLUG It is also possible to reset the PLUG to factory defaults or to load it with new contents Note Incompatibility with previous version...

Page 180: ...inst executing the function after making your selection click the Refresh button As a result the data of this page is read from the device again and the selection is canceled Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management 180 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 181: ... or KEY PLUG previously Configuration Revision The version of the configuration structure This information relates to the configuration options supported by the device and has nothing to do with the concrete hardware configuration This revision information does not therefore change if you add or remove additional components modules or extenders it can however change if you update the firmware File...

Page 182: ...to factory default Deletes all data from the PLUG and triggers low level formatting Procedure 1 You can only make settings in this box if you are logged on as Administrator Here you decide how you want to change the content of the PLUG 2 Select the required option from the Modify PLUG drop down list 3 Click the Set Values button 4 5 13 2 License NOTICE Do not remove or insert a C PLUG KEY PLUG dur...

Page 183: ...o return to the previous more up to date firmware without any loss of configuration data If the original configuration on the PLUG is no longer required the PLUG can be deleted or rewritten manually using System PLUG Information about the license of the KEY PLUG A C PLUG can only store the configuration of a device In addition to the configuration a KEY PLUG also contains a license that enables ce...

Page 184: ...nhancements and for various target systems Serial Number Shows the serial number of the KEY PLUG Info String Shows additional information about the device that used the KEY PLUG previously for example article number type designation and the versions of the hardware and software The displayed software version corresponds to the version in which the configuration was last changed With the NOT ACCEPT...

Page 185: ...nation Address Enter the IPv4 address or the FQDN of the device Repeat Enter the number of ping requests Ping Click this button to start the ping function Ping Output This box shows the output of the ping function Clear Click this button to empty the Ping Output box Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C3...

Page 186: ...rface You can configure the TIA interface with Layer 3 Subnets Configuration Requirement To adapt network parameters DCP requires write access to the device If access is write protected the network parameters cannot be configured On the SCALANCE devices you configure the access in System Configuration Description The page contains the following boxes Interface Select the required interface Discove...

Page 187: ... device name is not used Discovered The set device name is used Configured The device was assigned a new device name Status IP address Discovered IP The device uses a static IPv4 address Discovered DHCP The device has obtained the IPv4 address from a DHCP server Configured The device was assigned a new IPv4 address Timeout Specify the time for flashing When the time elapses flashing stops Flash Ma...

Page 188: ...nly The device uses only the DNS servers assigned by DHCP manual only The device uses only the manually configured DNS servers The DNS servers must be connected to the Internet A maximum of two DNS servers can be configured all The device uses all available DNS servers DNS Server Address Enter the IP address of the DNS server The table has the following columns Select Activate the check box in the...

Page 189: ... also supplies the life span of this information Description The page contains the following boxes Enable DNS Proxy Enable or disable the proxy of the DNS server Cache Name Errors NXDOMAIN Enable or disable the caching of NXDOMAIN replies If you enable the option the domain names that were unknown to the DNS server remain in the cache 4 5 16 3 DDNS Client The DDNS Dynamic Domain Name System is an ...

Page 190: ...on Confirm the password Procedure Requirement User name and password that gives you the right to use the DDNS service Registered hostname e g example no ip com UDP port 53 for DNS is enabled and is not used for NAT 1 In Host enter the hostname that you have agreed with your DDNS provider for the device e g example no ip com 2 Enter the login data user name password for the DDNS server 3 Select Ena...

Page 191: ... from the DHCP server The server manages an address range from which it assigns IPv4 addresses It is also possible to configure the server so that the client always receives the same IPv4 address in response to its request Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 191 ...

Page 192: ...ts DHCP server via MAC Address Identification is based on the MAC address via DHCP Client ID Identification is based on a freely defined DHCP client ID via System Name Identification is based on the system name If the system name is 255 characters long the last character is not used for identification via Iaid and Duid With this the DHCP client can log on with DHCP servers that support parallel op...

Page 193: ...le the DHCP option in the table 4 Click the Set Values button Note If a configuration file is downloaded this can trigger a system restart If the currently running configuration and the configuration in the downloaded configuration file differ the system restarts Make sure that the option DHCP Client Configuration Request Opt 66 67 is no longer set 4 5 17 2 DHCP Server You can operate the device a...

Page 194: ...ICMP echo messages ping to the IPv4 address If no reply is received the DHCP server can assign the IPv4 address Note If there are devices in your network on which the echo service is disabled as default there may be conflicts with the IPv4 addresses To avoid this assign these devices an IPv4 address outside the IPv4 address band The table has the following columns Select Select the check box in th...

Page 195: ...of the dynamic IPv4 address band The IPv4 address must be within the network address range you configured for Subnet Upper IP address Enter the IPv4 address that specifies the end of the dynamic IPv4 address band The IPv4 address must be within the network address range you configured for Subnet Lease Time sec Specify for how many seconds the assigned IPv4 address remains valid When half the perio...

Page 196: ... and 67 are created automatically when the IPv4 address band is created With the exception of option 1 the options can be deleted The table has the following columns Select Select the check box in the row to be deleted Pool ID Shows the number of the address band Option Code Shows the number of the DHCP option Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management...

Page 197: ... 4 Time server The IPv4 address of the time server available to the DHCP cli ent 5 Name server The IPv4 address of the name server available to the DHCP cli ent 6 DNS Server The IPv4 address of the DNS server available to the DHCP cli ent If the device itself is the DNS server the IPv4 address of the interface is used 42 NTP Server The IPv4 address of the NTP server available to the DHCP cli ent 6...

Page 198: ...ces will be assigned a certain IP address The address assignment is made based on the MAC address the client ID or the DUID Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management 198 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 199: ... 00 72 00 1B 1B B6 32 9D Value Enter the required value The entry depends on the selected identification method of the client Note The maximum is 128 entries The table has the following columns Select Select the check box in the row to be deleted Pool ID Shows the number of the address band Identification Method Shows the method with which the client identifies itself with the DHCP server Value Sh...

Page 200: ... the access data for the SRS cRSP acc to URI syntax The Uniform Resource Identifier URI is defined in RFC 3986 Description The page contains the following boxes Enable DDNS for cRSP SRS Enable or disable the use of cRSP SRS Update Interval Enter the time interval Validate Server Certificate When enabled the device checks the validity of the received server certificate The table has the following c...

Page 201: ...ddresses local parts of the resource e g the anchor attribute of a Web page Status Shows the status of the last cRSP SRS access of the entry Enabled When enabled this entry is used 4 5 19 Proxy Server On this WBM page you configure the proxy server that is used by various components for example SINEMA RC Description Proxy Name Enter a name for the proxy server The table has the following columns S...

Page 202: ...encrypted NTLM NT LAN Manager Authentication according to the NTLM standard Windows user logon User Name Enter the user name for access to the proxy server Password Enter the password for access to the proxy server Password Confirmation Enter the password again to confirm it 4 5 20 SINEMA RC On the WBM page you configure the access to the SINEMA RC server Note This function can only be used with a...

Page 203: ...edited Any existing connection is terminated Server settings area SINEMA RC Address Enter the IPv4 address or the FQDN Fully Qualified Domain Name of the SINEMA RC Server SINEMA RC Port Enter the port via which the SINEMA RC Server can be reached Configuring with Web Based Management 4 5 System menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 203 ...

Page 204: ...tificate Select the CA certificate of the server used to sign the server certificate Only loaded CA certificates can be selected Device Credentials area Device ID Enter the device ID The device ID is assigned when configuring the device on the SINEMA RC Server You will find further information on this in the Operating Instructions of the SINEMA RC Server Device Password Enter the password with whi...

Page 205: ...ed permanently Wake up SMS only with M87x The settings of the SINEMA RC Server are ignored When the device receives a command SMS message wake up SMS message it attempts to establish a connection to the SINEMA RC Server On condition that in System SMS SMS Command it is specified who a command SMS of the class System will be accepted from Digital In The settings of the SINEMA RC Server are ignored ...

Page 206: ...ly terminated 4 5 21 Configuration Backup Configuration Package Backup On this page you can create backups of the configuration The created backups are saved in the file type ConfigPackBackup On the System Load Save HTTP TFTP SFTP page you can save configuration backups on your client PC or load them from there Description The page contains the following boxes Name Enter a name for the backup This...

Page 207: ...te a ping test that monitors connections During the ping test the device sends ICMP echo request packets pings to the configured destination address at regular intervals If this destination address does not respond the device tries to reach the destination address again If all ping attempts retries are unsuccessful the ping test is considered to have failed or the group is considered unreachable I...

Page 208: ...he destination address that is used as reference for the reachability The Group table contains the following columns Group 1 5 If a name if configured it is used as column name Assign the groups to the desired interface The interface is considered reachable when all assigned groups are reachable If only one of the groups is not reachable the configured action is executed on the selected interface ...

Page 209: ... are possible Switch Port VLAN Hybrid Switch Port VLAN Trunk Status Shows whether the port is on or off Data traffic is possible only over an enabled port OperState Displays the current operational status The operational status depends on the configured Status and the Link The available options are as follows Up You have configured the status enabled for the port and the port has a valid connectio...

Page 210: ...ted device is turned off Mode Shows the transfer parameters of the port Negotiation Shows whether the automatic configuration is enabled or disabled MAC Address Shows the MAC address of the port 4 6 1 2 Configuration Configuring ports With this page you can configure all the ports of the device Configuring with Web Based Management 4 6 Interfaces menu SCALANCE S615 Web Based Management 210 Configu...

Page 211: ...tings are possible 10 Mbps full duplex FD or half duplex HD 100 Mbps full duplex FD or half duplex HD Auto negotiation If you set the mode to Auto negotiation these parameters are automatically negotiated with the connected end device or network component This must also be in the Autonegotiation mode Note Before the port and partner port can communicate with each other the settings must match at b...

Page 212: ...enabled for the port and the port has a valid connection to the network Down You have configured the status disabled or Link down for the port or the port has no connection Link Shows the physical connection status to the network The available options are as follows Up The port has a valid link to the network a link integrity signal is being received Down The link is down for example because the c...

Page 213: ...ted The PPP connection is established Error Error status in which operator intervention is required e g wrong password Stopped Error message of the server e g incorrect login data There is a wait time before login is attempted again 4 6 2 2 Configuration On this page you configure the PPP connection The point to point protocol PPP allows the connection of an external ADSL modem to an Ethernet inte...

Page 214: ...ether the PPP connection is activated or deactivated L2 Interface Specify the interface via which the PPP connection is established Only VLANs with a configured subnet can be selected User Name Enter the user name You will receive the user name from the DSL provider Password Enter the password You will receive the password from the DSL provider Password Confirmation Repeat the password Configuring...

Page 215: ...available Dynamic Activate the DHCP function on the PPP interface You can configure this setting in Layer 3 Subnets Configuration Note With the subnets a maximum of one interface can have a dynamic IP configuration Static IP address Deactivate the DHCP function on the PPP interface Enter the IP address and the subnet mask 2 Configure the PPP interface 3 Select Enabled for operation to activate the...

Page 216: ...mode or takes VLAN information into account IEEE 802 1Q VLAN aware mode If the device is in the 802 1Q VLAN Bridge mode you can define VLANs and specify the use of the ports The possible settings on this page depend on what you select in the Base Bridge Mode box Note Changing the Agent VLAN ID If the configuration PC is connected directly to the device via Ethernet and you change the agent VLAN ID...

Page 217: ...transparently In this mode you cannot create any VLANs Only a management VLAN is available VLAN 1 VLAN ID Enter the VLAN ID in the VLAN ID input box Range of values 1 4094 The table has the following columns Select Select the row you want to delete VLAN ID Shows the VLAN ID The VLAN ID a number between 1 and 4094 can only be assigned once when creating a new data record and can then no longer be c...

Page 218: ... a member of this VLAN even if it is configured as a trunk port T This option is only displayed and cannot be selected in the WBM This port is a trunk port making it a member in all VLANs You configure this function in the CLI Command Line Interface using the switchport mode trunk command or in the WBM under Interfaces Ethernet Configuration Changing Base bridge mode VLAN unaware 802 1D transparen...

Page 219: ...going frames should be sent without a tag static access port If however there is a further switch at this port the frame should have a tag added trunk port Procedure Requirement For Base Bridge mode 802 1Q VLAN Bridge is set Creating a new VLAN 1 Enter an ID in the VLAN ID input box 2 Click the Create button A new entry is generated in the table As default the boxes have entered 3 Enter a name for...

Page 220: ...ailable ports Priority Select the required priority assigned to untagged frames The CoS priority Class of Service used in the VLAN tag If a frame is received without a tag it will be assigned this priority This priority specifies how the frame is further processed compared with other frames There are a total of eight priorities with values 0 to 7 where 7 represents the highest priority IEEE 802 1p...

Page 221: ...es whether they are forwarded To forward a VLAN tagged frame the receiving port must be a member in the same VLAN Frames from unknown VLANs are discarded at the receiving port Disabled All frames are forwarded Steps in configuration 1 In the row of the port to be configured click on the relevant cell in the table to configure it 2 Enter the values to be set in the input boxes as follows 3 Select t...

Page 222: ...displayed boxes The page contains the following boxes Dynamic MAC Aging Enable or disable the function for automatic aging of learned MAC addresses Aging Time s Enter the time in seconds in steps of 15 After this time a learned address is deleted if the device does not receive any further frames from this sender address Range of values 15 630 seconds Note Rounding of the values deviation from desi...

Page 223: ... the following boxes Spanning Tree Enable or disable spanning tree Protocol Compatibility The following setting is available RSTP Procedure 1 Select the Spanning Tree check box 2 Click the Set Values button Configuring with Web Based Management 4 7 Layer 2 menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 223 ...

Page 224: ...whose MAC address has the lowest numeric value will become the root bridge Both parameters bridge priority and MAC address together form the bridge identifier Since the root bridge manages all path changes it should be located as centrally as possible due to the delay of the frames The value for the bridge priority is a whole multiple of 4096 Range of values 0 61440 Bridge Address Root Address The...

Page 225: ...onfiguration data is not used immediately by a bridge but only after the period specified in the Forward Delay parameter This ensures that operation is only started with the new topology after all the bridges have the required information Factory setting 15 seconds Bridge Max Age s Root Max Age s If the BPDU is older than the specified Max Age it is discarded Factory setting 20 seconds Reset Count...

Page 226: ...ally adapted Range of values 0 240 The default is 128 Cost Calc Enter the path cost calculation If you enter the value 0 here the automatically calculated value is displayed in the Path costs box Path Cost This parameter is used to calculate the path that will be selected The path with the lowest value is selected as the path If several ports of a device have the same value for the path costs the ...

Page 227: ...rds data frames Fwd Trans Specifies the number of changes from the Discarding status to the Forwarding status Edge Type Specify the type of edge port You have the following options Edge port is disabled The port is treated as a no Edge Port Admin Select this option when there is always an end device on this port Otherwise a reconfiguration of the network will be triggered each time a connection is...

Page 228: ...k is not assumed Note Point to point link means a direct connection between two devices A shared media connection is for example a connection to a hub 4 7 5 LLDP Identifying the network topology LLDP Link Layer Discovery Protocol is defined in the IEEE 802 1 AB standard LLDP is a method used to discover the network topology Network components exchange information with their neighbor devices using ...

Page 229: ... this page you have the option of enabling or disabling sending and or receiving per port Description Table 1 has the following columns All Ports Shows that the settings are valid for all ports Setting Select the setting from the drop down list If No Change is selected the entry in table 2 remains unchanged Copy to Table If you click the button the setting is adopted for all ports of table 2 Confi...

Page 230: ...ther receive nor send LLDP frames Procedure 1 Select the LLDP functionality of the port from the Setting drop down list 2 Click the Set Values button 4 8 Layer 3 menu 4 8 1 Static routes On this page you specify the routes via which data exchange can take place between the various subnets Dynamic routing protocols are not supported for example RIP OSPF Configuring with Web Based Management 4 8 Lay...

Page 231: ... possible route The higher value the longer packets require to their destination The table has the following columns Select Select the row you want to delete Destination Network Shows the network address of the destination Subnet Mask Shows the corresponding subnet mask Gateway Shows the IPv4 address of the next gateway Interface Shows the interface of the route Administrative Distance Enter the m...

Page 232: ...button 4 8 2 Subnets 4 8 2 1 Overview The page shows the subnets for the selected interface A subnet always relates to an interface and is created in the Configuration tab Description The page contains the following box Interface Select the interface on which you want to configure another subnet The table has the following columns Select Select the row you want to delete Interface Shows the interf...

Page 233: ...IPv4 interface Secondary All other IPv4 addresses that were configured on the IPv4 interface IP Assignment Method Shows how the IPv4 address is assigned The following values are possible Static The IPv4 address is static You enter the settings in IP Address and Subnet Mask Dynamic DHCP The device obtains a dynamic IPv4 address from a DHCPv4 server Configuring with Web Based Management 4 8 Layer 3 ...

Page 234: ...ned IPv4 address already exists If the address is not yet been assigned the device sends the message that it is using this IP address as of now Conflict The interface is not enabled The interface is attempting to use an IPv4 address address that has already been assigned Defending The interface uses a unique IPv4 address Another interface is attempting to use the same IPv4 address Active The inter...

Page 235: ...Pv4 interface IP Address Enter the IPv4 address of the interface The IPv4 addresses must not be used more than once Subnet Mask Enter the subnet mask of the subnet you are creating Subnets on different interfaces must not overlap Broadcast IP Address If a specific IP address is to be used as the broadcast IP address of the subnet enter this Otherwise the last IP address of the subnet will be used ...

Page 236: ...the set MTU they are fragmented The MTU covers the IP header and the headers of the higher layers The range of values is from 90 to 1500 bytes 4 8 3 NAT 4 8 3 1 Masquerading On this WBM page you enable the rules for IP masquerading Description The table has the following columns Interface Interface to which the setting relates Only interfaces with a configured subnet are available Enable Masquerad...

Page 237: ... boxes Source Interface Select the interface on which the queries will arrive Traffic Type Specify the protocol for which the address assignment is valid Use Interface IP from Source Interface When enabled the IP address of the selected interface is used for Dest IP Address Destination IP Address Enter the destination IP address The frames are received at this IP address Can only be edited if Use ...

Page 238: ...warding Traffic Type Shows the protocol for which the address assignment applies Interface IP Shows whether the IP address of the interface is used Destination IP Shows the destination IP address The frames are received at this IP address Destination Port Shows the destination port Incoming frames with this port as the destination port are forwarded Translated Destination IP Shows the IP address o...

Page 239: ...igure a NAT address translation to or from the direction of the VPN tunnel only the IP addresses involved in the NAT address translation rules can be reached via the VPN tunnel Source IP Address es Specify the source IP addresses for which this source NAT rule is valid Only the packets that correspond to the addresses entered are taken into account The following entries are possible IP address App...

Page 240: ... address number of bits of the network part CIDR notation The table has the following columns Select Activate the check box in the row to be deleted Source Interface Shows the source interface Destination Interface Shows the destination interface Source IP Address es Shows the IP addresses of the senders for which address translation is required Use Interface IP Shows whether the IP address of the...

Page 241: ...ore used Security Firewall IP rules Source Range Input from Source IP Subnet Destination Range Input from Destination IP Subnet Firewall rule with destination NAT Address translation with NAT was already performed before the firewall the translated addresses are therefore used in the firewall Security Firewall IP rules Source Range Input from Source IP Subnet Destination Range Input from Translate...

Page 242: ...nections all or a specific OpenVPN connection Source IP Subnet Enter the subnet of the sender The subnet can also be a single PC or another subset of the subnet Use the CIDR notation Translated Source IP Subnet Enter the subnet with which the subnet of the sender is replaced Can only be edited with the setting Source The subnet can also be a single PC or another subset of the subnet Use the CIDR n...

Page 243: ...he check box in the row to be deleted Type Shows the direction of the address translation Source Interface Shows the source interface Destination Interface Shows the destination interface Source IP Subnet Shows the subnet of the sender This entry can be changed when necessary Translated Source IP Subnet Shows the subnet of the sender with which the subnet of the sender is replaced This entry can b...

Page 244: ...ing VRRPv3 Enable or disable routing using VRRPv3 Reply to pings on virtual interfaces When enabled the virtual IPv4 addresses also reply to the ping VRID Tracking Enable or disable VRID tracking When enabled all VRRP instances are monitored If the status of a VRRP instance changes to Initialize the priority of all VRRP instances is reduced to the value 1 If the status of a VRRP instance changes t...

Page 245: ...ues Router State Shows the current status of the virtual router Possible values are Master The router is the master router and handles the routing functionality for all assigned IPv4 addresses Backup The router is the backup router If the master router fails the backup router takes over the tasks of the master router Initialize The virtual router has just been turned on It will soon change to the ...

Page 246: ...router is statically configured and that after a failure becomes the master of the VRRP group again Procedure 1 Select the VRRPv3 check box 2 Select the required interface 3 Enter the ID of the virtual router in the VRID input box 4 Click the Create button A new row is inserted in the table 5 Select the Reply to pings on virtual interfaces check box so that virtual IPv4 addresses reply to pings as...

Page 247: ...nd you want a specific IPv4 address to be used as the source address for VRRP packets select the IPv4 address Otherwise the numerically lowest IPv4 address will be used Master When enabled the numerically lowest IPv4 address is entered for Associated IP Address This means that the numerically lowest IPv4 address of the VRRPv3 router is used as the virtual IP address of the virtual master router Th...

Page 248: ...elect a track ID Decrement Priority Enter the value by which the priority of the VRRPv3 interface will be reduced Current Priority Shows the priority of the VRRPv3 interface after the monitored interface has changed to the down status Procedure To configure a virtual router as the master router follow the steps below 1 Select the ID of the virtual router you want to configure from the Interface VR...

Page 249: ...router VRID Shows the ID of this virtual router Number of Addresses Shows the number of IPv4 addresses Associated IP Address 1 Associated IP Address 4 Shows the router IPv4 addresses monitored by this virtual router If a router takes over the role of master the routing function is taken over by this router for all these IPv4 addresses Configuring with Web Based Management 4 8 Layer 3 menu SCALANCE...

Page 250: ...Pv4 address that the virtual router will monitor The table has the following columns Select Select the check box in the row to be deleted Associated IP Address Shows the IPv4 addresses that the virtual router monitors Procedure 1 Select the ID of the virtual router 2 Enter the IPv4 address that the virtual router will monitor 3 Click the Create button A new entry is generated in the table Configur...

Page 251: ...interface changes back from down to up the original priority of the VRRP interface is restored Description The page contains the following boxes Interface From the drop down list select the interface to be monitored Track ID Enter a track ID Track ID Select a track ID Track Interface Count Enter how many monitored interfaces need to change to the down status before the priority is changed Configur...

Page 252: ...rop down list 2 In the Track ID box enter the required ID 3 Click the Create button 4 Select an ID from the Track ID drop down list 5 In the Track Interface Count enter the number of interfaces 6 Click the Set Values button 7 Link the monitoring to a VRRP interface in the Configuration tab Configuring with Web Based Management 4 8 Layer 3 menu SCALANCE S615 Web Based Management 252 Configuration M...

Page 253: ...nding interface is reduced Description The page contains the following boxes Track ID Enter the track ID IP Address Enter the IPv4 address to be monitored You can enter a maximum of five IPv4 addresses The table has the following columns Select Select the row you want to delete Track ID Shows the track ID IP Address Show the IPv4 address to be monitored Configuring with Web Based Management 4 8 La...

Page 254: ...v4 Address field enter the IPv4 address that the virtual router is to monitor 3 Click the Create button A new entry is generated in the table 4 9 Security menu 4 9 1 Users 4 9 1 1 Local users On this page you create local users with the corresponding rights To create a user account the logged on user must have the admin role Configuring with Web Based Management 4 9 Security menu SCALANCE S615 Web...

Page 255: ...ou can also rename the admin user preset in the factory once Afterwards renaming admin is no longer possible Password Policy Shows which password policy is being used High Password length at least 8 characters maximum 128 characters At least 1 uppercase letter At least 1 special character At least 1 number Low Password length at least 6 characters maximum 128 characters You configure the password ...

Page 256: ...cess The user cannot log on to the user specific firewall but only to the WBM of the device Additional The user can log on to both the WBM of the device and the user specific firewall Procedure Note Changes in Trial mode Even if the device is in Trial mode changes that you carry out on this page are saved immediately Creating users 1 Enter the name for the user 2 Enter the password for the user 3 ...

Page 257: ...he page contains the following Role Name Enter the name for the role The name must meet the following conditions It must be unique It must be between 1 and 64 characters long Note Role name cannot be changed After creating a role the name of the role can no longer be changed If a name of a role needs to be changed the role must be deleted and a new role created Configuring with Web Based Managemen...

Page 258: ...o change the function right of a role follow the steps outlined below 1 Delete all assigned users 2 Change the function right of the role 3 Assign the role again Description Enter a description for the role With predefined roles a description is displayed The description text can be up to 100 characters long Procedure Creating a role 1 Enter the name for the role 2 Click the Create button 3 Select...

Page 259: ...pend on the rights of the logged in user Description The page contains the following Group Name Enter the name of the group The name must match the group on the RADIUS server The name must meet the following conditions It must be unique It must be between 1 and 64 characters long The following are not permitted The table contains the following columns Select Select the check box in the row to be d...

Page 260: ...roup 2 Click the Create button 3 Select a role 4 Enter a description for the link of a group to a role 5 Click the Set Values button Deleting the link between a group and a role 1 Select the check box in the row to be deleted 2 Click the Delete button The entries are deleted and the page is updated 4 9 2 Passwords Configuration of the passwords A user with the admin role can change the password of...

Page 261: ... password for the selected user The following characters are not permitted ß Note When you log in for the first time or log in after a Restore Factory Defaults and Restart you will be prompted to change the predefined password admin You can also rename the admin user preset in the factory once Afterwards renaming admin is no longer possible The factory setting for the password when the devices shi...

Page 262: ...tication Specify how the login is made Local The authentication must be made locally on the device RADIUS The authentication must be handled via a RADIUS server Local and RADIUS The authentication is possible both with the users that exist on the device user name and password and via a RADIUS server The user is first searched for in the local database If the user does not exist there a RADIUS requ...

Page 263: ...rator rights if the server returns the value Administrative User to the device for the attribute Service Type In all other cases the user is logged in with read rights SiemensVSA In this mode the assignment of rights depends on whether and which group the server returns for the user and whether or not there is an entry for the user in the table External User Accounts The table has the following co...

Page 264: ... whether or not the RADIUS server is available Not reachable The IP address is not reachable The IP address is reachable the RADIUS server is however not running Reachable key not accepted The IP address is reachable the RADIUS server does not however accept the shared secret Reachable key accepted The IP address is reachable the RADIUS server accepts the specified shared secret Procedure Entering...

Page 265: ...ou want to modify Deleting servers 1 Click the check box in the first column before the row you want to delete to select the entry for deletion Repeat this for all entries you want to delete 2 Click the Delete button The data is deleted from the memory of the device and the page is updated 4 9 4 Certificates 4 9 4 1 Overview All loaded files certificates and keys are shown on this WBM page You hav...

Page 266: ...can be deleted Type Shows the type of the loaded file CA Cert The CA certificate is signed by a CA Certification Authority Machine certificate Key File Remote Cert Partner certificate Configuring with Web Based Management 4 9 Security menu SCALANCE S615 Web Based Management 266 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 267: ...is based on X 509 a standard of the ITU T for creating digital certificates This standard describes the schematic structure of X509 certificates You will find further information on this on the Internet at http www itu int On this WBM page the content of the following structure elements can be displayed If the structure element does not exist or is not completed in the selected certificate nothing...

Page 268: ...The CA certificate is signed by a CA Certification Authority Machine certificate Key File Remote Cert Partner certificate DN Shows the name of the applicant Configuring with Web Based Management 4 9 Security menu SCALANCE S615 Web Based Management 268 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 269: ...y to verify signatures of the CA certificate Key File Shows the key file Certificate Revocation List 1st URL Enter the URL with which the revocation list can be called up Can only be edited if supported by the certificate Certificate Revocation List 2nd URL Enter an alternative URL If the revocation list cannot be called up using the 1st URL the alternative URL is used Can only be edited if suppor...

Page 270: ...is 1 to 21474836 Default setting 86400 seconds UDP Idle Timeout s Enter the required time in seconds If no data exchange takes place the UDP connection is terminated automatically when this time has elapsed The range of values is 1 to 21474836 Default setting 300 seconds ICMP Idle Timeout s Enter the required time in seconds If no data exchange takes place the ICMP connection is terminated automat...

Page 271: ...acket filter rules these have a higher priority than the predefined IP packet filter rules Set which IPv4 services of the device should be reachable from which interface Configuring with Web Based Management 4 9 Security menu SCALANCE S615 Web Based Management Configuration Manual 11 2019 C79000 G8976 C388 08 271 ...

Page 272: ...Web Based Management Note HTTP and HTTPS deactivated If you disable HTTP and HTTPS the WBM of the device can no longer be reached HTTPS disabled When you disable HTTPS you can only access the WBM using HTTP This assumes that HTTP HTTPS is set in System Configuration HTTP Services If for example Redirect HTTP to HTTPS is set access via HTTP cannot be redirected to HTTPS This means that the WBM of t...

Page 273: ...rver and the devices accessible via the interface VRRP Access to VRRPv3 4 9 5 3 User specific On this page you define user specific rule sets Firewall rules that are required for remote access for example can be summarized with a rule set You can assign a rule set to one or more users If login of this user was successful the firewall rule set intended for this user is enabled A timer is started af...

Page 274: ... user account Digital Input The rule set is executed by controlling the digital input The prerequisite for this is that the entry Digital Input is activated for the Firewall event under System Events Configuration The User Account table contains the following columns User Account Only users with the remote access only or additional are displayed Role Shows the role of the user Rule set Define the ...

Page 275: ...rvices Using the IP service definitions you can define firewall rules for specific services You select a name and assign the service parameters to it When you configure the IP rules you simply use this name Description The page contains the following Service Name Enter the name of the IP service The name must be unique This table contains the following columns Select Activate the check box in the ...

Page 276: ...he rule is intended to apply to a port range enter the range with start port end port for example 30 40 If the rule is intended to apply to all ports enter 4 9 5 5 ICMP services On this page you define ICMP services Using the ICMP service definitions you can define firewall rules for specific services You select a name and assign the service parameters to it When you configure the IP rules you sim...

Page 277: ...ket type in greater detail The selection depends on the selected ICMP packet type With Destination Unreachable for example Code 1 host cannot be reached 4 9 5 6 IP protocols On this WBM page you can configure user defined protocols e g IGMP for multicast groups You select a protocol name and assign the service parameters to it When you configure the IP rules you simply use this protocol name Descr...

Page 278: ...nter IGMP in Protocol Name 2 Click the Set Values button A new entry is generated in the table 3 Enter 2 in Protocol Number 4 9 5 7 IP rules On this WBM page you specify your own IP rules for the firewall The IP rules set here have priority Over the predefined IPv4 rules and Over the IP rules created automatically due to a connection configuration SINEMA RC Configuring with Web Based Management 4 ...

Page 279: ...P protocol Action Select how incoming IP packets are handled Accept The data packets can pass through Reject The data packets are rejected and the sender receives a corresponding message Drop The data packets are discarded without any notification to the sender From To Specify the communications direction of the IP rule VLANx VLANs with configured subnet Device Device ppp0 or usb0 only with M876 4...

Page 280: ...ge Specify the range with the start address end address e g 192 168 100 10 192 168 100 20 All IP addresses Specify 0 0 0 0 0 Service Select the service or the protocol name for which this rule is valid Log Specify whether or not there should be a log entry every time the rule comes into effect and specify the severity of the event The following settings are available none The rule coming into effe...

Page 281: ...tificates is checked based on the CRL Certificate Revocation List The certificate revocation list lists the certificates issued by the certification authority that have lost their validity before the set expiry date You configure the certificate revocation list to be used on the WBM page Certificates Page 267 NAT Keep Alive Time Interval Specify the interval at which sign of life frames keepalives...

Page 282: ...check box in the row to be deleted Name Shows the name of the partner Remote Mode Specify the role the remote stations will adopt Roadwarrior The reachable remote addresses are entered The reachable remote subnets are learned from the partner Standard The reachable remote address and the reachable remote subnets are entered permanently Configuring with Web Based Management 4 9 Security menu SCALAN...

Page 283: ...In Roadwarrior mode the remote address informs the device of its accessible subnets and the device learns them Virtual IP Mode Specify whether or not the remote station is offered a virtual IP address The following options are available User defined IPv4 The virtual IP address is from the band specified in Virtual IP None No virtual IP address The VPN tunnel is established dynamically to the inter...

Page 284: ...ons to different remote subnets via the same VPN endpoint the first configured VPN connection lowest index is the main connection parent Via the main connection all other IPsec VPN connections children are created and established If all VPN tunnels are now established and the main parent connection is terminated all child connections are interrupted After the DPD timeout has expired all IPsec VPN ...

Page 285: ... demand The VPN connection is established when necessary start on DI If the event Digital In occurs the device attempts to establish a VPN connection to the remote station This is on condition that the event Digital In is forwarded to the VPN connection To do this in System Events Configuration activate VPN Tunnel for the Digital In event wait on DI If the event Digital In occurs the device waits ...

Page 286: ... a comma Request Virtual IP When enabled a virtual IP address is requested from the remote station during connection establishment Timeout min Specify the period of time in minutes If no data exchange takes place when this time has elapsed the VPN tunnel is automatically terminated 4 9 6 4 Authentication On this WBM page you specify how the VPN connection partners authenticate themselves with each...

Page 287: ...d certificates can be selected Local Certificate Select the machine certificate You load the certificates on the device with System Load Save The loaded certificates and key files are shown on the WBM page Security Certificates Local ID Enter the local ID from the partner certificate Only when you use the partner certificate can you leave the box empty The box is automatically filled with the valu...

Page 288: ... partner must support at least one of the combinations The selection depends on the key exchange method Additional information can be found in the section IPsec VPN Encryption For phase 1 select the required encryption algorithm Can only be selected if Default Ciphers is disabled The selection depends on the key exchange method Additional information can be found in the section IPsec VPN Note The ...

Page 289: ...blishment will be attempted endlessly Lifetime min Enter a period in minutes to specify the lifetime of the authentication When the time has elapsed the VPN endpoints involved must authenticate themselves with each other again and generate a new key DPD When enabled DPD Dead Peer Detection is used Using DPD it is possible to find out whether the VPN connection still exists or whether it has aborte...

Page 290: ...page you set the parameters for the protocol of the IPsec data exchange The entire communication during this phase is encrypted using the standardized security protocol ESP for which you can set the following protocol parameters Description The table contains the following columns Name Shows the name of the VPN connection to which the settings relate Default Ciphers When enabled a preset list is t...

Page 291: ... SHA512 SHA256 SHA384 Key Derivation Select the required Diffie Hellmann group DH from which a key will be generated Can only be selected if Default Ciphers is disabled The following DH groups are supported None For phase 2 no separate keys are exchanged This means that Perfect Forward Secrecy PFS is disabled DH group 1 DH group 2 DH group 5 DH group 14 DH group 15 DH group 16 DH group 17 DH group...

Page 292: ...to apply to all ports enter The setting is only effective for port based protocols Auto Firewall Rules enabled For the VPN connection the firewall rules for access from External to Internal and vice versa are created automatically You can enable access to specific services of the device under Security Firewall Predefined IPv4 Ping is enabled by default disabled You will need to create the firewall...

Page 293: ...on in Technical basics VPN connection establishment Page 54 start The device attempts to establish a VPN connection to the partner Start on DI If the event Digital In occurs the device attempts to establish a VPN connection to the remote station This is on condition that the event Digital In is forwarded to the VPN connection To do this in System Events Configuration activate VPN Tunnel for the Di...

Page 294: ... Disabled You will need to create the suitable firewall rules yourself Enable NAT With this setting you enable automatic IP masquerading for this interface The local devices are not directly reachable from the outside but only via the IP address of the interface The local devices can however connect to the devices downstream from the OpenVPN server You will find more information on NAT in Technica...

Page 295: ...ect the corresponding connection Only connections can be configured that have been configured on the Connections WBM page Remote Address Enter the WAN IP address or the DNS host name of the OpenVPN partner Port Specify the port via which the OpenVPN tunnel can communicate The setting applies specifically to the specified port Protocol Specify the protocol for which the OpenVPN connection will be u...

Page 296: ...me password are used for the authentication CA Certificate Select the certificate Only loaded certificates can be selected You load the certificates on the device with System Load Save The loaded certificates and key files are shown on the WBM page Security Certificates Machine certificate Select the machine certificate Only loaded certificates can be selected You load the certificates on the devi...

Page 297: ... PRESET PLUG using the Command Line Interface CLI You can create a PRESET PLUG from any PLUG To do this follow the steps outlined below Note Using configurations with DHCP Create a PRESET PLUG only from device configurations that use DHCP Otherwise disruptions will occur in network operation due to multiple identical IP addresses You assign fixed IP addresses extra following the basic installation...

Page 298: ...al 2 sec on 0 2 sec off Afterwards the device is restarted and the device configuration incl users and certificates on the PRESET PLUG is transferred to the device 5 Wait until the device has fully started up the red F LED is off 6 Turn off the power to the device after the installation 7 Remove the PRESET PLUG 8 Start the device either with a new PLUG inserted or with the internal configuration N...

Page 299: ...le 4 Click the Open button in the dialog Firmware update via TFTP 1 Click System Load Save in the navigation area Click the TFTP tab 2 Enter the IP address of the TFTP server in the TFTP Server Address input box 3 Enter the port of the TFTP server in the TFTP Server Port input box 4 Click the Load file button in the Firmware table row 5 Go to the storage location of the firmware file 6 Click the O...

Page 300: ...Requirement The PC is connected to the device via the interfaces P1 P4 A TFTP client is installed on the PC and the firmware file exists Solution You can then also transfer firmware to the device using TFTP Follow the steps below to load new firmware using TFTP 1 Now press the SET button 2 Hold down the button until the red fault LED F starts to flash after approximately 3 seconds Note If you hold...

Page 301: ...ing TFTP If you want to access TFTP in Windows 7 make sure that the corresponding Windows function is enabled in the operating system Result The firmware is transferred to the device Note Please note that the transfer of the firmware can take several minutes During the transmission the red error LED F flashes Once the firmware has been transferred completely to the device the device is restarted a...

Page 302: ...ED F stops flashing after approximately 10 seconds and is permanently lit 4 Now release the button and wait until the fault LED F goes off again 5 The device then starts automatically with the factory settings Via the configuration You will find detailed information on resetting the device parameters using the WBM and CLI in the configuration manuals Web Based Management section Restart Command Li...

Page 303: ... the Syslog message broken down into a Severity and Facility box Facility Severity VERSION Set to 1 HOSTNAME_CONTENT IPv4 address according to RFC1035 Each byte is represented in decimal with a dot separating it from the previous one XXX XXX XXX XXX IPv6 address according to RFC4291 Section 2 2 STRUCTURED DATA timeQuality block MESSAGE ASCII string in English Note Additional information about the ...

Page 304: ...r name Identifies the user based on his her name This is not the authenticated user Format s Peter Maier role Symbolic name for the group role Format s Administrator time minute timeout Number of minutes Format d 44 failed login count Number of failed logins Format d 10 max sessions Number of sessions Format d 10 trigger pin String for an IO pin that triggers the event without spaces Format s DI1 ...

Page 305: ...le Console User admin logged in Severity Info Facility local0 Log text Console Default user user name logged in Standard IEC 62443 3 3 Reference n a NERC CIP 007 R5 Description User is logged in with default user name and password Example Console Default user admin logged in Severity Info Facility local0 Log text protocol User user name logged in from ip address Standard IEC 62443 3 3 Reference SR...

Page 306: ...login Example Console User testuser failed to log in Severity Warning Facility local0 Log text protocol User user name failed to log in from ip address Standard IEC 62443 3 3 Reference SR1 1 Description Incorrect user name or incorrect password login information specified during remote login Example SSH User testuser failed to log in from 192 168 0 1 Severity Warning Facility local0 Identification...

Page 307: ...og text Cloud Connector Connection number config detail from ip address established Standard IEC 62443 3 3 Reference SR 1 2 Description A known device requested a connection Connection via TIA Portal Cloud Con nector Example Cloud Connector Connection number 10 from 192 168 55 111 established Severity Info Facility local0 Log text Cloud Connector Connection number config detail from ip address clo...

Page 308: ...ser name Standard IEC 62443 3 3 Reference SR1 3 Description The administrator deleted an existing account Example WBM User admin deleted user account joachim Severity Info Facility local0 Management of the identifiers Log text protocol User user name created group group Standard IEC 62443 3 3 Reference SR1 4 Description The administrator has created a group Example WBM User admin created group it ...

Page 309: ...5 211 remote Severity Info Facility local0 Log text IKE connection name config detail deleting IKE_SA connection name config detail between ip address config detail ip address config detail Standard IEC 62443 3 3 Reference n a NERC CIP 005 R1 Description VPN tunnel is closed IPsec Example IKE c1 3 deleting IKE_SA c2 1 between 192 168 55 211 lokal 192 168 55 210 remote Severity Info Facility local0...

Page 310: ...ut Example SINEMA RC State of Digital Input changed to HIGH SINEMA RC OpenVPN connection established Severity Info Facility local0 Log text SINEMA RC Received Wakeup SMS SINEMA RC OpenVPN connection established Standard IEC 62443 3 3 Reference SR 1 13 Description Remote access is permitted SINEMA RC Wakeup SMS Example SINEMA RC Received Wakeup SMS SINEMA RC OpenVPN connection established Severity ...

Page 311: ...ard IEC 62443 3 3 Reference n a NERC CIP 005 R2 Description User has logged onto the user specific firewall USF Digital Input Login Example User specific firewall digital input trigger pin activated rule set firewall rule with ip address ip address Severity Info Facility local0 Log text User specific firewall user user name ruleset firewall rule time expired Standard IEC 62443 3 3 Reference SR 2 1...

Page 312: ... User specific firewall digital input 1 deactivated rule set rs1 Severity Warning Facility local0 Session lock Log text The session of user user name was closed after time seconds of inactivity Standard IEC 62443 3 3 Reference SR2 5 Description The current session was locked due to inactivity Example The session of user admin was closed after 60 seconds of inactivity Severity Warning Facility loca...

Page 313: ...This section describes selected Syslog messages The selection is based on IEC 62443 3 3 This means you can integrate these events into a central monitoring system SIEM Non deniability change configuration Log text Device configuration changed Standard IEC 62443 3 3 Reference SR2 12 Description The configuration has been changed permanently Example Device configuration changed Severity Info Facilit...

Page 314: ... Facility local0 Log text protocol User user name loaded file type Firmware version restart required Standard IEC 62443 3 3 Reference SR7 4 Description Firmware update was successfully uploaded Example WBM User admin loaded file type Firmware V02 00 00 restart required Severity Info Facility local0 Log text protocol Failed to load file type Firmware Standard IEC 62443 3 3 Reference SR7 4 Descripti...

Page 315: ...rd IEC 62443 3 3 Reference SR7 4 Description The configuration is applied Example WBM User admin loaded file type Config restart required Severity Info Facility local0 Log text protocol User user name loaded file type ConfigPack restart required Standard IEC 62443 3 3 Reference SR7 4 Description The configuration is applied Example WBM User admin loaded file type ConfigPack restart required Severi...

Page 316: ...Appendix A A 3 Syslog messages SCALANCE S615 Web Based Management 316 Configuration Manual 11 2019 C79000 G8976 C388 08 ...

Page 317: ...on 182 D DCP Discovery 186 DCP server 115 Dead peer detection 53 Device Basic Wizard 69 System 118 Device certificate 49 DHCP Client 192 DST Daylight saving time 158 160 E Error status 92 F Factory defaults 301 Factory setting 301 Fault monitoring Connection status change 177 Forward Delay 102 225 G Geographic coordinates 119 Glossary 5 Groups 259 H Hardware Revision 85 Hello time 102 225 HTTP Ser...

Page 318: ...APT 46 NAT traversal 52 NETMAP 46 Source NAT 46 NAT traversal 52 NTP Client 166 Server 172 O Order ID 85 P Password 260 Ping 185 PLUG 183 C PLUG C PLUG point to point 59 Port Port configuration 209 PPP Configuration 214 Overview 212 Q QoS Trust 36 R RADIUS 263 Redundant networks 101 224 Requirement Power supply 16 Reset 121 RESET button 175 Reset device 301 Restart 121 Restore Factory Defaults 301...

Page 319: ...37 Severity filter 142 T Telnet Server 114 TFTP Load save 128 Time Time zone 169 UTC time 169 Time of day Manual setting 70 156 NTP Client 70 SIMATIC Time Client 170 SNTP Simple Network Time Protocol 163 System time 70 156 Time zone 165 Time of day synchronization 163 UTC time 165 Time setting 116 Training 4 U User groups 259 V VLAN 35 Port VID 220 Priority 220 Tag 220 VLAN ID 37 VLAN tag 36 VPN c...

Page 320: ...Index SCALANCE S615 Web Based Management 320 Configuration Manual 11 2019 C79000 G8976 C388 08 ...