Moxa Technologies IEF-G9010 Series User manual

IEF-G9010 Series User Manual
The software described in this manual is furnished under a license agreement and may be used only in accordance
with the terms of that agreement.
Copyright Notice
© 2022 Moxa Inc. All rights reserved.
Trademarks
The MOXA logo is a registered trademark of Moxa Inc.
All other trademarks or registered marks in this manual belong to their respective manufacturers.
Disclaimer
• Information in this document is subject to change without notice and does not represent a commitment
on the part of Moxa.
• Moxa provides this document as is, without warranty of any kind, either expressed or implied, including,
but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or
changes to this manual, or to the products and/or the programs described in this manual, at any time.
• Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no
responsibility for its use, or for any infringements on the rights of third parties that may result from its
use.
• This product might include unintentional technical or typographical errors. Changes are periodically
made to the information herein to correct such errors, and these changes are incorporated into new
editions of the publication.
Technical Support Contact Information
www.moxa.com/support

Table of Contents
1. About the IEF-G9010 Series, p. 6
  Introduction, p. 6
  Main Functions, p. 7
2. Getting Started, p. 8
  Getting Started Task List, p. 8
  Opening the Management Console, p. 9
  Changing the Administrator’s Password, p. 10
3. The System Screens, p. 11
  Device Information, p. 11
  Secured Service Status, p. 11
  System Resources, p. 12
  WAN Interface Summary, p. 12
  LAN Interface Summary, p. 12
  Throughput/Connection, p. 12
4. The Visibility Screens, p. 13
  Enabling Active Query, p. 13
  Viewing Asset Information, p. 14
  Viewing Real-time Network Application Traffic, p. 15
5. The Network Screens, p. 16
  Port Settings, p. 16
    Configuring Port Settings, p. 16
  Port Mapping, p. 17
  Network Interface, p. 17
    Configuring the LAN Network Interface, p. 18
    Configuring the DMZ Network Interface, p. 19
    Configuring the WAN Network Interface, p. 21
  Device Operation Modes, p. 23
    Selecting the Operation Mode, p. 24
6. The NAT Screens, p. 27
  NAT Rules, p. 27
    Configuring 1-to-1 NAT Rules, p. 27
    Configuring Multi 1-to-1 NAT Rules, p. 28
    Configuring Port Forwarding, p. 29
  Application-layer Gateways (ALG), p. 30
    Configuring ALG Settings, p. 31
7. The Routing Screens, p. 32
  Static Routes, p. 32
    Configuring Static Routes, p. 32
8. The Object Profiles Screens, p. 34
  Configuring IP Object Profiles, p. 34
  Configuring Service Object Profiles, p. 35
  Configuring Protocol Filter Profiles, p. 36
    Enabling the Drop Malformed Option for an ICS Protocol, p. 39
    Advanced Settings for the Modbus Protocol, p. 39
    Advanced Settings for the CIP Protocol, p. 42
    Advanced Settings for S7Comm, p. 45
    Advanced Settings for S7Comm Plus, p. 49
    Advanced Settings for SLMP, p. 52
    Advanced Settings for MELSOFT, p. 55
    Advanced Settings for TOYOPUC, p. 58
    Configuring IPS Profiles, p. 61
9. The Security Screens, p. 64
  Cybersecurity, p. 64
    Configuring Cybersecurity – Denial of Service Prevention, p. 64
  Policy Enforcement, p. 65
    Configuring Policy Enforcement, p. 65
    Adding Policy Enforcement Rules (For Gateway Mode Only), p. 65
    Adding Policy Enforcement Rules (For Bridge Mode Only), p. 67
    Managing Policy Enforcement Rules, p. 70
10. The Pattern Screens, p. 71
  Viewing Device Pattern Information, p. 71
  Manually Updating the Pattern, p. 71
11. The Log Screens, p. 72
  Viewing Cybersecurity Logs, p. 72
  Viewing Policy Enforcement Logs, p. 73
  Viewing Protocol Filter Logs, p. 74
  Viewing Asset Detection Logs, p. 74
  Viewing System Logs, p. 75
12. The Administration Screens, p. 76
  Account Management, p. 76
    Built-in User Accounts, p. 77
    Adding a User Account, p. 77
    Changing Your Account Password, p. 77
  Configuring Password Policy Settings, p. 79
  System Management, p. 80
    Configuring the Device Name and Device Location Information, p. 80
    Configuring the Management Client Access Control List, p. 80
    Configuring Management Protocols and Ports, p. 81
  The Sync Setting Screen, p. 81
    Enabling SDC Management, p. 81
  The Syslog Screen, p. 82
    Configuring Syslog Settings, p. 82
    Syslog Severity Levels, p. 83
    Syslog Severity Level Mapping Table, p. 83
  The System Time Screen, p. 84
    Configuring System Time, p. 84
  The Back Up/Restore Screen, p. 85
    Backing Up a Configuration, p. 85
    Restoring a Configuration, p. 85
  The Firmware Management Screen, p. 86
    Viewing Device Firmware Information, p. 86
    Updating the Firmware, p. 86
    Rebooting and Applying Firmware, p. 87
  The Reboot System Screen, p. 87
    Rebooting the System, p. 87
13. Supported USB Devices, p. 88
  Loading Pattern Files, p. 88

Terms and Acronyms
The following table lists the terms and acronyms used in this document.
Term/Acronym: Definition
ALG: Application Layer Gateway
CEF: Common Event Format
CIDR: Classless Inter-Domain Routing
DPI: Deep Packet Inspection
EWS: Engineering Workstation
HMI: Human-Machine Interface
ICS: Industrial Control System
IT: Information Technology
NAT: Network Address Translation
SDC: Security Dashboard Console
OT: Operational Technology
PLC: Programmable Logic Controller
SCADA: Supervisory Control and Data Acquisition

1. About the IEF-G9010 Series
Introduction
The IEF-G9010 Series next-generation firewalls are highly integrated industrial multiport firewalls with NAT
and IPS functions. They are designed for Ethernet-based security applications in factory networks and
provide an electronic security perimeter to protect critical cyber assets such as pump-and-treat systems in
water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation. The
firewall’s web-based console provides an intuitive graphical user interface for device configuration and
security policy settings. The IEF-G9010 Series protects your individual assets with OT visibility,
cybersecurity, and OT protocol whitelisting.
Traditionally, IT and OT operate on separate networks, each with their own transportation team, goals, and
needs. In addition, industrial environments are equipped with tools and devices that are traditionally unable
to interface with a corporate network, thus making provisioning security updates or patches in a timely
manner difficult. Therefore, the demand for security products that provide comprehensive asset protection
and visibility is on the rise.
Moxa's Industrial Network Defense Solutions provide a wide range of security products that cover both the
IT and OT layers. These easy-to-build solutions provide active and immediate protection to the Industrial
Control System (ICS) environments with the following features:
• Certified industrial-grade hardware that complies with the size, power consumption, and durability
requirements for OT environments and can tolerate a wide range of temperature variations
• Threat detection and interception against the spread of worms
• Intrusion Prevention System and Denial-of-Service (DoS) protection against attacks that target
vulnerable legacy devices
• Virtual patch protection against OT device exploits

Main Functions
The IEF-G9010 Series is a transparent network security device. Below are the main functions of the
product:
Extensive Support for Industrial Protocols
The IEF-G9010 Series supports the identification of a wide range of industrial control protocols, including
Modbus and other protocols used by industry leaders such as Siemens, Mitsubishi, Schneider Electric, ABB,
Rockwell, Omron, and Emerson. In addition to allowing OT and IT security system administrators to work
together, this feature also enables the flexibility to deploy defense measures in appropriate network
segments and seamlessly connects them to existing factory networks.
Policy Enforcement for Mission-critical Machines
The IEF-G9010 Series' core technology allows administrators to maintain a policy enforcement database. By
analyzing Layer 3 to Layer 7 network traffic between mission-critical production machines, policy
enforcement filters control commands of specific protocols and blocks traffic that is not defined in the policy
rules. This feature can help prevent unexpected operations, block unknown network attacks, and block other
traffic that matches the policy for sending data to these mission-critical machines.
Improve Shadow OT Visibility by Integrating IT and OT Networks
The IEF-G9010 Series integrates and coordinates your IT and OT networks with each other and grants
visibility of your shadow OT environment.
Intrusion Prevention and Intrusion Detection
IPS/IDS provides a powerful, up-to-date, first line of defense against known threats. Vulnerability filtering
rules provide effective protection against all potential exploits at the network level. Manufacturing personnel
manage patching and updating, providing pre-emptive protection against critical production failures, and
additional protection for old or terminated software.
Switch Between Two Flexible Modes, ‘Monitor’ & ‘Prevention’
The IEF-G9010 Series can easily switch between the ‘Monitor’ and ‘Prevention’ modes. The ‘Monitor’ mode
will log traffic without interfering, while ‘Prevention’ mode will filter traffic based on policies you create.
These modes work together to preserve your productivity while maximizing security.
Top Threat Intelligence and Analytics
The IEF-G9010 Series provides advanced protection against unknown threats with its up-to-date threat
information.
Centralized Management
Security Dashboard Console (SDC) provides a graphical user interface for policy management in compliance
with a manufacturing SOP. It centrally monitors operational information, edits network protection policies,
and sets patterns for attack behaviors.
The following protections are deployed throughout the entire information technology (IT) and operational
technology (OT) infrastructure. These include:
• A centralized policy deployment and reporting system
• Full visibility into assets, operations, and security threats
• IPS and policy enforcement configurations can be assigned per device group, allowing all devices in the
same device group to share the same policy configuration
• Management permissions for device groups can be assigned per user account
Flexible Segmentation and Isolation
The IEF-G9010 Series is the ideal solution to segment a network into easily manageable security zones. The
firewall can isolate connectivity between the different facilities and production zones to increase security
against outside attacks and to create highly secure isolated network zones that can contain threats if they
occur.

2. Getting Started
This chapter describes the IEF-G9010 Series and how to get started with configuring the initial settings.
Getting Started Task List
This task list provides a high-level overview of all procedures required to get the IEF-G9010-2MGSFP Series
up and running as quickly as possible. Each step links to more detailed instructions later in the document.
Steps Overview:
1. Open the management console.
For more information, see Opening the Management Console.
2. Change the administrator password.
For more information, see Changing the Administrator’s Password.
3. Configure the link speed of the Ethernet ports to suit the network environment.
For more information, see Configuring Port Settings.
4. Change the default web interface IP address.
The default IP address is 192.168.127.254 and is bound to the LAN1 port.
For more information, see Configuring the LAN Network Interface.
5. Configure the network interface.
For more information, see The Network Screens.
6. Configure the system time.
For more information, see Configuring System Time.
7. (Optional) Configure the Syslog settings.
For more information, see Configuring Syslog Settings.
8. Configure Object Profiles.
For more information, see The Object Profiles Screens.
9. Configure security policies.
For more information, see The Security Screens.
10. Configure the device name and device location information.
For more information, see Configuring the Device Name and Device Location Information.
11. (Optional) Configure access control list from management clients.
For more information, see Configuring the Management Client Access Control List.
12. (Optional) Configure management protocols and ports.
For more information, see Configuring Management Protocols and Ports.
13. (Optional) Update the DPI (Deep Packet Inspection) pattern for the device.
For more information, see Manually Updating the Pattern.
14. (Optional) Enable the device to be managed through SDC.
For more information, see Enabling SDC Management.
15. (Optional) Configure the password policy.
For more information, see Configuring Password Policy Settings.

Opening the Management Console
The IEF-G9010 Series provides a built-in management web console that you can use to configure and
manage the product. The management console can be accessed through any supported web browser.
The management console supports Google Chrome version 63 or later, Firefox version 53 or later, Safari
version 10.1 or later, and Edge version 15 or later.
Steps:
1. In a web browser, type the address of the IEF-G9010 Series in the following format:
https://192.168.127.254
The login screen appears.
NOTE
The default IP address of the IEF-G9010 Series is 192.168.127.254 with subnet 255.255.255.0. Before
connecting a PC/Laptop to the IEF-G9010 Series, the PC's IP address should be set to an IP address that is
able to access the default IP address. After that, connect the PC and the IEF-G9010 Series using an
Ethernet cable.
NOTE
The IEF-G9010 Series uses an automatically generated self-signed SSL certificate to encrypt
communications to and from the client accessing the device. Given that the certificate is self-signed, most
browsers will not trust the certificate and will give a warning that the certificate being used is not signed
by a known authority.
NOTE
For security reasons, the web management console can only be accessed through port 1.
2. Enter your login credentials (user ID and password). Use the default administrator login credentials
when logging in for the first time:
User ID: admin
Password: moxa
3. Click Log On.

4. When you log in for the first time, the IEF-G9010 Series will request you to create a new admin account
and change the default password for security reasons. Enter the new username and password and click
Confirm.
5. The system will return to the login screen. Use the new admin account and password to log in.
Changing the Administrator’s Password
To change the password of the IEF-G9010 Series, you have to log in to the web console with the admin
credentials.
Steps:
1. In a web browser, type the address of the IEF-G9010 Series in the following format:
https://192.168.127.254
The login screen appears.
2. Log in as the administrator.
3. Click the admin account icon at the top-right corner and select Change Password.
4. Proceed to change the password.
NOTE
If you forgot the administrator account and password, the only way to retrieve your administration access
is to reset the IEF-G9010 Series device to factory default settings by pressing and holding the reset button
for more than 10 seconds. The MANAGED LED will begin to blink every half-second, which means the
system is resetting itself to factory defaults. DO NOT power off the device while it is loading the default
settings.

3. The System Screens
Monitor your system information, system status, and system resource usage on the system screen.
Device Information
This widget shows the system boot time, device name, model, firmware version, and firmware build date
and time.
Secured Service Status
This widget shows the status of the device’s security services, the current pattern version, and the sync
status with SDC.

System Resources
This widget shows the resource usage of the device.
Item: Description
CPU Utilization: Real-time CPU utilization % (based on the refresh time settings)
Memory Utilization: Real-time memory utilization % (based on the refresh time settings)
WAN Interface Summary
This widget shows summary information for the WAN interface.
LAN Interface Summary
This widget shows summary information for the LAN1, LAN2, and DMZ interfaces.
Throughput/Connection
This widget shows the real-time throughput and connection usage of the device.

4. The Visibility Screens
The Visibility screen gives you an overview of your managed assets. The screens provide you with timely
and accurate information on the assets that are managed by the IEF-G9010 Series.
The assets, listed on the screen, are automatically detected by IEF-G9010 Series devices.
NOTE
The term asset in this chapter refers to the devices or hosts that are protected by the IEF-G9010 Series.
Enabling Active Query
Active Query can detect inactive, dormant, or passive assets on the network. Active Query is only
available in Inline Mode. In Offline Mode, the Active Query toggle is inactive.
NOTE
In firmware v1.1, Active Query supports 4 protocols (Modbus, CIP, OMRON FINS, and SMB).
Steps:
1. Go to [Visibility] > [Assets View].
2. Click the Active Query in Inline Mode toggle in the top-left.

Viewing Asset Information
Steps:
1. Go to [Visibility] > [Assets View].
2. Click an asset icon to view more detailed information.
3. The [Assets Information] pane shows the following information for the asset:
Field: Description
Vendor Name: The vendor name of the asset.
Model Name: The model name of the asset.
Asset Type: The asset type of the asset.
Host Name: The name of the asset.
Serial Number: The serial number of the asset.
OS: The operating system of the asset.
MAC Address: The MAC address of the asset.
IP Address: The IP address of the asset.
First Seen: The date and time the asset was first seen.
Last Seen: The date and time the asset was last seen.

Viewing Real-time Network Application Traffic
Steps:
1. Go to [Visibility] > [Assets View].
2. Click an asset icon to view more detailed information.
3. The [Real Time Network Application Traffic] pane shows a list of network traffic statistics for the asset.
Field: Description
No.: Ordinal number of the application traffic.
Application Name: The application type of the traffic.
TX: The amount of traffic transmitted by this application.
RX: The amount of traffic received by this application.
NOTE
Click Manual Asset Info Refresh to refresh the displayed information.
NOTE
You can specify the refresh time from the [Refresh Time] drop-down menu.

5. The Network Screens
This chapter describes how to configure the physical ports and network interfaces of the IEF-G9010 Series.
Port Settings
The [Port Settings] tab allows you to enable or disable the ports and configure the port link speed.
NOTE
The term Port in the document refers to physical ports to which network cables are connected.
Configuring Port Settings
Steps:
1. Go to [Network] > [Port Settings].
2. Click on a port in the [Port Name] column to configure the port.
3. Use the toggle to enable or disable the port.
4. (Optional) Enter a description for the port.
5. Select the port speed and negotiation method from the [Link Speed] drop-down menu.
6. Click Ok.

NOTE
The panel image on the page shows a graphical representation of the ports on the device that are
connected.
NOTE
Click the [Manual Port Info Refresh] button in the top-right to refresh the displayed information manually.
Port Mapping
Use the [Port Mapping] tab to view the port and interface mapping.
Steps:
Go to [Network] > [Port Mapping].
The Port Mapping tab will appear. This tab shows the mapping between the physical ports and the WAN and
LAN interfaces.
Network Interface
Use the [Network Interface] tab to configure the following settings:
• The settings of the device's network interfaces
• DHCP settings on the LAN interface
• The WAN connection type
NOTE
The term Network Interface or Interface in this document refers to the logical interface that maps to
one or more physical ports.
NOTE
The default web management console IP address is 192.168.127.254 and is bound to the LAN1 network
interface.

Configuring the LAN Network Interface
Steps:
1. Go to [Network] > [Network Interface].
The Network Interface tab will appear.
2. Click on LAN1 or LAN2 in the [Interface] column to configure the port.
The Edit Network Interface window will appear.
3. Use the toggle to enable or disable the interface.
4. (Optional) Enter a descriptive name for the interface.
5. In the [Network Settings] section, configure the following settings:
a. IP Address: Enter a valid IP address.
b. Subnet Mask: Enter the subnet mask.
c. (Optional) Enable VLAN ID: Use the toggle to enable or disable VLAN ID tagging.
d. (Optional) VLAN ID: If VLAN ID is enabled, specify a VLAN ID.

6. In the [DHCP Service] section, choose the DHCP Service mode:
a. Disabled: Disable DHCP services on the interface.
b. DHCP Server: Enable DHCP services on the interface. Configure the following additional settings:
i. Start IP Address: Enter the starting IP address of the DHCP address pool.
ii. End IP Address: Enter the ending IP address of the DHCP address pool.
iii. Gateway Address: Enter the gateway IP address that will be assigned to DHCP clients.
iv. Lease Time: Specify the time (in seconds) that a client device can use the assigned IP address
provided by the DHCP server.
v. (Optional) DNS Server 1,2: Enter the primary and secondary DNS server that will be assigned
to DHCP clients.
c. DHCP Relay: Configure the interface to act as a relay to a remote DHCP server. Configure the
following additional settings:
i. Relay Server Address: Enter the IP address of the remote DHCP server.
7. Click Ok.
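As an added example (not Moxa's code and not part of this manual), the following Python checks a set of LAN1/LAN2 interface and DHCP Service settings, using the field names from steps 5 and 6 above, for the consistency problems that are easy to get wrong in the form: a pool that falls outside the interface's subnet, a reversed Start/End range, the interface's own address or the Gateway Address landing inside the pool, and a non-positive Lease Time. The checks are this example's assumptions about a sane configuration, not the device's own validation, and the sample configurations are constructed.

```python
"""Pre-flight checks for the Edit Network Interface form (LAN1/LAN2).

Added example, not Moxa code. Field names follow the manual; the rules below
are this example's own assumptions about a consistent configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LanInterfaceConfig:
    """Values as they would be typed into the [Network Settings] and [DHCP Service] sections."""
    ip_address: str
    subnet_mask: str
    vlan_id: Optional[int] = None          # only relevant when Enable VLAN ID is on
    dhcp_mode: str = "Disabled"            # "Disabled", "DHCP Server" or "DHCP Relay"
    start_ip: Optional[str] = None         # DHCP Server: Start IP Address
    end_ip: Optional[str] = None           # DHCP Server: End IP Address
    gateway: Optional[str] = None          # DHCP Server: Gateway Address handed to clients
    lease_time: Optional[int] = None       # DHCP Server: Lease Time in seconds
    dns_servers: List[str] = field(default_factory=list)  # DHCP Server: DNS Server 1,2
    relay_server: Optional[str] = None     # DHCP Relay: Relay Server Address


def _parse_addr(label: str, value: Optional[str], errors: List[str]) -> Optional[ipaddress.IPv4Address]:
    """Parse one IPv4 field, recording a problem instead of raising."""
    if not value:
        errors.append(f"{label} is required")
        return None
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        errors.append(f"{label} is not a valid IPv4 address: {value!r}")
        return None


def validate_lan_interface(cfg: LanInterfaceConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    errors: List[str] = []
    try:
        # IPv4Interface accepts a dotted-quad mask, e.g. 192.168.127.254/255.255.255.0
        iface = ipaddress.IPv4Interface(f"{cfg.ip_address}/{cfg.subnet_mask}")
    except ValueError as exc:
        return [f"IP Address/Subnet Mask invalid: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        errors.append("IP Address must be a host address, not the network or broadcast address")
    if cfg.vlan_id is not None and not 1 <= cfg.vlan_id <= 4094:
        errors.append("VLAN ID must be between 1 and 4094")

    if cfg.dhcp_mode == "Disabled":
        return errors
    if cfg.dhcp_mode == "DHCP Relay":
        _parse_addr("Relay Server Address", cfg.relay_server, errors)
        return errors
    if cfg.dhcp_mode != "DHCP Server":
        errors.append(f"unknown DHCP Service mode: {cfg.dhcp_mode!r}")
        return errors

    # DHCP Server mode: the pool and gateway must make sense for this subnet.
    start = _parse_addr("Start IP Address", cfg.start_ip, errors)
    end = _parse_addr("End IP Address", cfg.end_ip, errors)
    gateway = _parse_addr("Gateway Address", cfg.gateway, errors)
    if start is not None and end is not None:
        if start > end:
            errors.append("Start IP Address must not be higher than End IP Address")
        for label, addr in (("Start IP Address", start), ("End IP Address", end)):
            if addr not in net:
                errors.append(f"{label} {addr} is outside {net}")
            elif addr in (net.network_address, net.broadcast_address):
                errors.append(f"{label} {addr} is the network or broadcast address")
        if start <= end:
            # Leasing the firewall's own address or the gateway to a client causes an IP conflict.
            if start <= iface.ip <= end:
                errors.append(f"the interface's own IP {iface.ip} lies inside the DHCP pool")
            if gateway is not None and start <= gateway <= end:
                errors.append(f"Gateway Address {gateway} lies inside the DHCP pool")
    if gateway is not None and gateway not in net:
        errors.append(f"Gateway Address {gateway} is outside {net}; clients could not reach it")
    if cfg.lease_time is None or cfg.lease_time <= 0:
        errors.append("Lease Time must be a positive number of seconds")
    if len(cfg.dns_servers) > 2:
        errors.append("at most two DNS servers (DNS Server 1,2) can be handed to clients")
    for i, dns in enumerate(cfg.dns_servers, 1):
        _parse_addr(f"DNS Server {i}", dns, errors)
    return errors


if __name__ == "__main__":
    # Constructed sample: the factory-default LAN1 address with a pool that leaves it alone.
    sample = LanInterfaceConfig("192.168.127.254", "255.255.255.0", dhcp_mode="DHCP Server",
                                start_ip="192.168.127.100", end_ip="192.168.127.200",
                                gateway="192.168.127.254", lease_time=86400)
    print(validate_lan_interface(sample) or "settings are consistent")
```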
Configuring the DMZ Network Interface
Steps:
1. Go to [Network] > [Network Interface].
The Network Interface tab will appear.

2. Click on DMZ in the [Interface] column to configure the port.
The Edit Network Interface window will appear.
3. Use the toggle to enable or disable the interface.
4. (Optional) Enter a descriptive name for the interface.
5. In the [Network Settings] section, configure the following settings for the interface:
a. IP Address: Enter a valid IP address.
b. Subnet Mask: Enter the subnet mask.
c. (Optional) VLAN ID: If VLAN ID is enabled, specify a VLAN ID.