Currently, some device functions from previous models cannot yet be supported on the new models (see Section 2.1.1).
The mGuard protects IP data links by combining the following functions:
–Industrial security network router.
–Depending on the model with built-in 3- or 4-port switch and DMZ port.
–VPN router for secure data transmission via public networks (AES encryption, IPsec and OpenVPN protocol).
–Configurable firewall for protection against unauthorized access. The dynamic packet filter inspects data packets using the source and destination address and blocks undesired data traffic.
2.1New device platform FL MGUARD 2000/4000
The FL MGUARD 2000/4000 series devices are gradually replacing the established Guard devices of the RS2000/RS4000 and PCI(E)4000 series.
The new devices with proven mGuard Security Technology are equipped with fast Gigabit Ethernet and are operated with the mGuard 10.x firmware version.
The devices are compatible with their predecessor models, can import existing configuration profiles (atv files), and can be configured via CGI and GAI interfaces.
The mGuard device manager (starting with version mdm 1.16.0) can be used to manage mGuard devices with firmware versions up to 10.4.x installed (see user manual "UM EN MDM 1.16" – 111024_en_xx).
Currently, some device functions from previous models cannot yet be supported on the new models (see Section 2.1.1). |
2.1.1Functions that are no longer supported
Certain functions of the old device platform are no longer supported on the new device platform.
Hardware
The new mGuard models of the FL MGUARD 2000/4000 series are offered without serial interface and without internal modem.
Firmware (functions)
Device functions that are not supported on the new device platform are listed in Table 2-1.
Table 2-1: Current functional differences
Functions currently not supported in the firmware mGuard 10.4.x |
|---|
Network: Interfaces –PPPoE –PPTP –Secondary external interface |
Network: Serial interface |
Network: GRE tunnel (Generic Routing Encapsulation) |
Network security: Deep packet inspection –ModbusTCP –OPC Inspector |
VPN redundancy |
Quality of Services (QoS) |
CIFS Integrity Monitoring |
SEC-Stick |
Update method „Online update“ (installation of package sets) |
When transferring older device configurations to these new devices, care must therefore be taken to ensure that the functions described in Table 2-1 have been deactivated or reset to the default settings in the device configuration before export (see also Section 2.1.5).
Variables have been added to the new device platform that are not available on the old device platform.
New variable in WBM |
New function / Impact of migration |
Firmware (Added with firmware version) |
|---|---|---|
[Update Server] Menu: Management >> Update >> Update Section: Update Servers Variable: Server certificate GAI variable: PSM_REPOSITORIES.x.REMOTE_CERT_REF
|
To ensure that a secure HTTPS connection is established to the configured update server, a server certificate for the update server can be installed on the mGuard device. This can be used by the mGuard device to check the authenticity of the update server. Migration of older mGuard configurations After migrating a configuration from an older firmware version, the value of the newly added variable is set to "Ignore". |
10.3.0 |
[Alarm Output] Menu: Management >> Service I/O >> Alarm Output Section: Operation Supervision Variable: Passwords not configured GAI variable: PASSWORD_CHECK
|
A configurable alarm "Passwords not configured" for default passwords that have not been changed (admin/root) has been added to the device. The alarm triggers the alarm output via I/Os and the corresponding FAIL LED. Migration of older mGuard configurations After migrating a configuration from an older firmware version, the value of the newly added variable is set to "Supervise". |
10.3.0 |
[OpenVPN Client] Menu: OpenVPN Client >> Connections >> Tunnel Settings Section: Data Encryption Variable: Hash algorith (HMAC authentication) GAI variable: OPENVPN_CONNECTION.x.VPN_AUTH_HMAC
|
The hash function used to calculate the checksum can be configured. Migration of older mGuard configurations After migrating a configuration from an older firmware version, the value of the newly added variable is set to "SHA-1". |
10.4.0 |
In a few cases, the default settings of existing variables on the old and new device platform differ.
Function |
Changed default settings / Impact of migration |
Firmware (Added with firmware version) |
|---|---|---|
[Network Address Translation] Menu: Network >> NAT >> Masquerading Section: Network Address Translation/IP Masquerading Variable: Outgoing on interface / From IP
|
In default settings, a table row/rule with the following variable values is added: –Outgoing on interface: External –From IP: 0.0.0.0/0 IP masquerading is thus activated for all packets that are routed from the internal network (LAN) to the external network (WAN) (LAN --> WAN). Migration of older mGuard configurations The values from the migrated configuration are adopted unchanged. A new table row/rule is not added. |
10.3.0 |
[Network Settings] Menu: Network >> Interfaces >> General Section: Network Mode Variable: Network mode
|
All devices of the new device generation are delivered in the network mode "Router". The external WAN interface receives its IP configuration via DHCP. In the default setting, however, the firewall prevents remote access to the device via the WAN interface. The device can be accessed from the LAN network via the internal LAN interface under the network address 192.168.1.1/24. Devices connected to the LAN interface can obtain their IP configuration via the DHCP server of the mGuard device. Migration of older mGuard configurations The values from the migrated configuration are adopted unchanged. The configured network mode will not be changed. |
10.3.0 |
In a few cases, variable values are no longer available on the new device platform and are replaced by other values.
Function |
Changed variable values / Impact of migration |
Firmware (Added with firmware version) |
|---|---|---|
[Multicast] Menu: Network >> Ethernet >> Multicast Section: General Multicast Configuration Variable: IGMP snooping
|
To ensure that data in "Static multicast groups" is forwarded correctly to the configured ports, "IGMP snooping" must be activated Migration of older mGuard configurations After a migration, the value of the variable is changed as follows: –Enabled: If "Static Multicast Groups" are configured. –Enabled: If "IGMP snooping" is enabled in the old configuration. –Deactivated: If no "Static Multicast Groups" are configured and "IGMP snooping" is deactivated in the old configuration. |
10.3.0 |
2.1.5Migration of the device configuration
Migrating the configuration of older mGuard devices can be done via web-based management (WBM) or via SD card (ECS).
Requirements
If device functions of the device whose configuration is to be migrated are not available on the new device, the variables must be reset to the default settings before the configuration on the old device is exported (see Table 2-1).
The exact procedure for device migration is described in document 111259_en_xx (AH EN MGUARD MIGRATE 10), available at phoenixcontact.com/product/1357875.
The mentioned properties are not guaranteed properties, as they are basically dependent on the respective device.
Network features
–Stealth (auto, static, multi), router (static, DHCP client)
–DMZ
–VLAN
–DHCP server/relay on the internal and external network interfaces
–DNS cache on the internal network interface
–Dynamic routing (OSPF)
–Administration via HTTPS and SSH
–LLDP
–MAU management
–SNMP
Firewall features
–Stateful packet inspection
–Anti-spoofing
–IP filter
–L2 filter (only in stealth mode)
–NAT with FTP, and IRC support (only in “Router” network mode)
–1:1 NAT (only in “Router” network mode)
–Port forwarding (not in “Stealth” network mode)
–Individual firewall rules for different users (user firewall)
–Individual rule sets as action (target) of firewall rules (apart from user firewall or VPN firewall)
–Protective device for PROFIsafe network cells (in accordance with IEC 61784-3-3).
VPN features (IPsec)
–Protocol: IPsec (tunnel and transport mode, XAuth/Mode Config)
–IPsec encryption with DES (56 bits), 3DES (168 bits), and AES (128, 192, 256 bits)
–Packet authentication: MD5, SHA-1, SHA-265, SHA-384, SHA-512
–Internet Key Exchange (IKE) with main and quick mode
–Authentication via:
–Pre-shared key (PSK)
–X.509v3 certificates with public key infrastructure (PKI) with certification authority (CA), optional certificate revocation list (CRL), and the option of filtering by subject
or
–Remote certificate, e.g., self-signed certificates
–Detection of changing peer IP addresses via DynDNS
–NAT traversal (NAT-T)
–Dead Peer Detection (DPD): detection of IPsec connection aborts
–IPsec/L2TP server: connection of IPsec/L2TP clients
–IPsec firewall and IPsec NAT
–Default route via VPN tunnel
–Data forwarding between VPNs (hub and spoke)
–Up to 250 active VPN tunnels (depending on the device)
VPN features (OpenVPN)
–OpenVPN client
–OpenVPN encryption with Blowfish, AES (128, 192, 256 bits)
–HMAC authentication: SHA-1, SHA-256, SHA-512
–Dead Peer Detection (DPD)
–Authentication via user identifier, password or X.509v3 certificate
–Detection of changing peer IP addresses via DynDNS
–OpenVPN firewall and 1:1 NAT
–Routes via VPN tunnels can be configured statically and learned dynamically
–Data forwarding between VPNs (hub and spoke)
–Up to 250 VPN tunnels
Additional features
–Remote Logging
–Administration using SNMP v1-v3 and mGuard device manager (FL MGUARD DM UNLIMITED)
–PKI support for HTTPS/SSH remote access
–Can act as an NTP and DNS server via the LAN interface
–Plug-n-Protect technology
–Compatible with mGuard Secure Cloud (mSC)
Support
In the event of problems with your mGuard, please contact your supplier.
For additional information on the device as well as release notes and software updates, visit: phoenixcontact.net/products/<item number>. |
2.3Typical application scenarios
This section describes various application scenarios for the mGuard.
–Stealth mode (Plug-n-Protect)
–DMZ (Demilitarized Zone)
–WLAN via VPN tunnel
2.3.1Stealth mode (Plug-n-Protect)
In stealth mode, the mGuard can be positioned between an individual computer and the rest of the network.
The settings (e.g., for firewall and VPN) can be made using a web browser under the URL https://1.1.1.1/.
No configuration modifications are required on the computer itself.
Figure 2-1: Stealth mode (Plug-n-Protect)
When used as a network router, the mGuard can provide the Internet connection for several computers and protect the company network with its firewall.
For computers in the Intranet, the mGuard must be specified as the default gateway.
Figure 2-2: Network router
A DMZ (demilitarized zone) is a protected network that is located between two other networks. For example, a company's website may be in the DMZ so that new pages can only be copied to the server from the Intranet via FTP. However, the pages can be read from the Internet via HTTP.
IP addresses within the DMZ can be public or private, and the mGuard, which is connected to the Internet, forwards the connections to private addresses within the DMZ by means of port forwarding.
A DMZ scenario can be established either between two mGuards (see Figure 2-3) or via a dedicated DMZ port of some mGuard devices, e. g. the FL MGUARD 4305.
The DMZ port is only supported in router mode and requires at least one IP address and a corresponding subnet mask. The DMZ does not support any VLANs.
The VPN gateway provides company employees with encrypted access to the company network from home or when traveling. The mGuard performs the role of the VPN gateway.
IPsec-capable VPN client software must be installed on the external computers or failing that, the computer is equipped with an mGuard.
Figure 2-4VPN gateway
WLAN via VPN is used to connect two company buildings via a WLAN path protected using IPsec. The adjacent building should also be able to use the Internet connection of the main building.
Figure 2-5: WLAN via VPN
In this example, the mGuards were set to router mode and a separate network with 172.16.1.x addresses was set up for the WLAN.
To provide the adjacent building with an Internet connection via the VPN, a default route is set up via the VPN:
Tunnel configuration in the adjacent building
Connection type |
Tunnel (network <-> network) |
Address of the local network |
192.168.2.0/24 |
Address of the remote network |
0.0.0.0/0 |
In the main building, the corresponding counterpart is configured:
Tunnel configuration in the main building
Connection type |
Tunnel (network <-> network) |
Local network |
0.0.0.0 |
Address of the remote network |
192.168.2.0/24 |
The default route of an mGuard usually uses the WAN port. However, in this case the Internet can be accessed via the LAN port:
Default gateway in the main building:
IP address of the default gateway |
192.168.1.253 |
2.3.6Resolving network conflicts
Resolving network conflicts
In the example, the networks on the right-hand side should be accessible to the network or computer on the left-hand side. However, for historical or technical reasons the networks on the right-hand side overlap.
The 1:1 NAT feature of the mGuard can be used to translate these networks to other networks, thereby resolving the conflict.
(1:1 NAT can be used in normal routing, in IPsec tunnels, and in OpenVPN connections.)
