The mGuard generally offers a choice of encryption and hash algorithms.
Some of the available algorithms are dated and are no longer regarded as secure, which is why they are not recommended. For reasons of backward compatibility they can still be selected and used on the mGuard.
In the following areas of the mGuard, the user must ensure that secure encryption and hash algorithms are used:
–IPsec VPN connections
–OpenVPN connections
–Shell Access (SSH)
–HTTPS Web Access (TLS/SSL)
–Encrypted State Synchronization of redundancy pairs (up to 8.7.1)
The secure use of encryption is explained in the following sections.
Further information can be found, for example, in the technical guideline of the German Federal Office for Information Security (BSI): "BSI TR-02102 Cryptographic Mechanisms: Recommendations and Key Lengths".
Using secure encryption and hash algorithms
Phoenix Contact recommends using the encryption and hash algorithms listed in the following table.
As a general rule, the longer the key (in bits, given by the number appended to the algorithm name), the stronger the encryption. This comparison only holds within one algorithm family: 3DES, for example, uses a nominally longer key than AES-128 but is nevertheless the weaker cipher, which is why the table rates algorithms and not only key lengths.
Encryption

Algorithm                    Use
AES-256, AES-192, AES-128    Recommended
3DES, Blowfish               Do not use, if possible
DES                          Do not use

Hash/checksum

Hash function                Use
SHA-512, SHA-384, SHA-256    Recommended
SHA-1                        Do not use, if possible
MD5                          Do not use
Use of secure SSH clients
Encrypted SSH connections to the mGuard are initiated by the SSH client. If the SSH client offers dated and therefore insecure encryption algorithms, the mGuard generally accepts them.
Always use current SSH clients (e.g. PuTTY or OpenSSH) and restrict them to the recommended algorithms, so that weak algorithms cannot be negotiated.
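Because the device accepts whatever the client offers, the client side is where weak algorithms have to be excluded. As an added example (not part of this manual or of the mGuard firmware), the following shell script grades a list of SSH algorithm names against the table above and builds the -o Ciphers= and -o MACs= options that keep an OpenSSH client from offering anything weaker. The name patterns are this example's own reading of the table, the sample lists are constructed rather than captured from a device, and the host name mguard.example is a placeholder.

```shell
#!/bin/sh
# Grade SSH algorithm names against the recommendation table in this manual.
# Verdicts: recommended | avoid ("do not use, if possible") | forbidden ("do not use") | unlisted
# The name patterns are this example's own mapping of the table onto OpenSSH
# algorithm names; the table rates ciphers by algorithm and key length only,
# so it says nothing about modes (CBC vs. CTR/GCM) or about ChaCha20.
classify_algo() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *aes*)                                    echo recommended ;;
        *sha2-512*|*sha2-384*|*sha2-256*)         echo recommended ;;
        *sha512*|*sha384*|*sha256*)               echo recommended ;;
        *3des*|*blowfish*)                        echo avoid ;;
        *sha1*)                                   echo avoid ;;
        *des*|*md5*)                              echo forbidden ;;  # single DES, MD5
        *)                                        echo unlisted ;;
    esac
}

# Print one "name verdict" line per entry of a comma/space/newline separated list
# (e.g. the output of `ssh -Q cipher` or `ssh -Q mac`). Exit status: 1 if any
# entry is forbidden, 2 if the worst entry is "avoid", 0 otherwise.
audit_algos() {
    worst=0
    for a in $(printf '%s' "$1" | tr ',' ' '); do
        v=$(classify_algo "$a")
        printf '%-32s %s\n' "$a" "$v"
        case "$v" in
            forbidden) worst=1 ;;
            avoid)     [ "$worst" -eq 0 ] && worst=2 ;;
        esac
    done
    return "$worst"
}

# Keep only the recommended entries, comma separated, ready for ssh -o Ciphers=/-o MACs=.
only_recommended() {
    out=""
    for a in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$(classify_algo "$a")" = recommended ] || continue
        out="${out:+$out,}$a"
    done
    printf '%s\n' "$out"
}

# Constructed sample offerings (not captured from a device or a specific client).
SAMPLE_CIPHERS="aes256-gcm@openssh.com,aes128-ctr,3des-cbc,blowfish-cbc,arcfour"
SAMPLE_MACS="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5"

echo "== ciphers =="; audit_algos "$SAMPLE_CIPHERS" || true
echo "== MACs ==";    audit_algos "$SAMPLE_MACS"    || true
# Resulting client invocation; mguard.example is a placeholder host name.
printf 'ssh -o Ciphers=%s -o MACs=%s admin@mguard.example\n' \
    "$(only_recommended "$SAMPLE_CIPHERS")" "$(only_recommended "$SAMPLE_MACS")"
```

To audit a real client, feed the script the output of ssh -Q cipher and ssh -Q mac instead of the constructed lists. Note that the table grades AES by key length only, so an AES entry in CBC mode passes this check even though CTR or GCM modes are the better choice where the client offers them.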
Use of secure web browsers
Encrypted HTTPS connections (TLS/SSL) to the mGuard are initiated by the web browser. If the web browser offers dated and therefore insecure encryption algorithms, the mGuard generally accepts them.
Always use current web browsers to avoid the use of weak encryption algorithms.
Creation of secure X.509 certificates
X.509 certificates are generated with various software tools.
Always use current versions of these tools so that weak algorithms are not used when creating X.509 certificates. The MD5 hash algorithm must not be used, and SHA-1 should be avoided wherever possible.
When creating X.509 certificates, use key lengths of at least 2048 bits.
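To make the two rules above checkable before a certificate is uploaded, here is an added shell example (not from this manual or from Phoenix Contact) that reads the text dump of a certificate, as produced by openssl x509 -noout -text, and reports PASS, WARN or FAIL from the signature algorithm and the RSA key length. The certificate excerpts embedded in it are constructed in the layout of that dump and are not real certificates; make_cert shows openssl options that produce a compliant self-signed certificate, with the subject name mguard.example as a placeholder. The 2048-bit minimum is applied to RSA keys only, which is this example's reading of the text.

```shell
#!/bin/sh
# Check an X.509 certificate's text dump (stdin, format of
# `openssl x509 -in cert.pem -noout -text`) against the rules in this manual:
# no MD5 signature, SHA-1 only if unavoidable, RSA key of at least 2048 bits.
# Prints PASS/WARN/FAIL with a reason; exit status 0, 2 or 1 respectively.
# Written for this example; the 2048-bit rule is applied to RSA keys only.
check_cert_text() {
    text=$(cat)
    sig=$(printf '%s\n' "$text"    | awk '/Signature Algorithm:/  { print tolower($3); exit }')
    keyalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ { print $4; exit }')
    bits=$(printf '%s\n' "$text"   | awk '/Public-Key:/ { gsub(/[^0-9]/, ""); print; exit }')
    case "$sig" in
        *md5*) echo "FAIL: MD5 signature ($sig)"; return 1 ;;
    esac
    if [ "$keyalg" != rsaEncryption ]; then
        echo "WARN: key algorithm '$keyalg' not covered by this check (the 2048-bit rule is for RSA)"
        return 2
    fi
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key of only ${bits:-unknown} bits (minimum 2048)"; return 1
    fi
    case "$sig" in
        *sha1*) echo "WARN: SHA-1 signature ($sig); avoid if at all possible"; return 2 ;;
    esac
    echo "PASS: $sig, RSA $bits bits"
}

# Generate a compliant self-signed certificate (RSA 3072, SHA-256, 2 years).
# mguard.example is a placeholder; -nodes leaves the key file unencrypted, so
# protect it with file permissions or drop -nodes to be prompted for a passphrase.
make_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl req -x509 -newkey rsa:3072 -sha256 -days 730 -nodes \
        -subj "/CN=mguard.example" -keyout "$1.key" -out "$1.crt"
}

# Constructed excerpts in the layout of `openssl x509 -noout -text`; not real certificates.
GOOD_CERT='    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)'
WEAK_CERT='    Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
OLD_CERT='    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

for c in "$GOOD_CERT" "$WEAK_CERT" "$OLD_CERT"; do
    printf '%s\n' "$c" | check_cert_text || true
done
# Real file: openssl x509 -in cert.pem -noout -text | check_cert_text
```

The check reads both the "RSA Public-Key: (n bit)" line printed by OpenSSL 1.1 and the "Public-Key: (n bit)" line printed by OpenSSL 3; a key that fails the length rule is reported before the signature algorithm is graded.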
Use of X.509 certificates instead of Pre-Shared Keys (PSK)
Pre-shared key (PSK) authentication for VPN connections is considered insecure and should no longer be used. For security reasons, authenticate with X.509 certificates instead.
The device is configured via a graphical user interface in the web browser.
Always use current web browsers to avoid the use of weak encryption algorithms.
Current versions of the following web browsers are supported:
–Mozilla Firefox
–Google Chrome
–Microsoft Edge
Limitation of login attempts
In a denial-of-service attack, services are deliberately rendered unable to function. To mitigate this type of attack, the mGuard throttles certain network requests.
The throttle counts the connection attempts that originate from a single IP address for a given protocol. Once a certain number of attempts has been counted, the throttle takes effect. It is reset if no further connection attempts are made for 30 seconds.
The number of connection attempts that lead to activation of the throttle depends on the protocol used:
–32 when using HTTPS
–6 when using SSH, SNMP
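As an added illustration (not the firmware's implementation), the following awk-based script models the counting rule just described: attempts are counted per source IP address and protocol, the throttle takes effect when the count reaches the protocol's limit, and 30 seconds without an attempt from that source clears its count. It reads constructed attempt records of the form "seconds source-ip protocol". What the device does with a throttled attempt (drop or delay) is not stated above and is therefore not modelled.

```shell
#!/bin/sh
# Model of the per-source connection throttle described above.
# Input lines: <seconds> <source-ip> <https|ssh|snmp>, in time order.
# Limits: 32 attempts for HTTPS, 6 for SSH and SNMP; a gap of 30 s or more
# since the previous attempt from the same source resets its count.
# Written for this example; not the firmware's implementation.
simulate_throttle() {
    awk '
    BEGIN { limit["https"] = 32; limit["ssh"] = 6; limit["snmp"] = 6; hits = 0 }
    {
        t = $1 + 0; proto = $3; key = $2 " " proto
        if (!(proto in limit)) { print t, key, "ignored (not throttled)"; next }
        if ((key in last) && t - last[key] >= 30) count[key] = 0   # 30 s of silence: reset
        count[key]++; last[key] = t
        if (count[key] >= limit[proto]) { print t, key, "THROTTLED (attempt " count[key] ")"; hits++ }
        else print t, key, "accepted (attempt " count[key] " of " limit[proto] ")"
    }
    END { print "throttled attempts:", hits }'
}

# Number of throttled attempts in a record set (taken from the END line above).
throttled_count() {
    printf '%s\n' "$1" | simulate_throttle | awk '/^throttled attempts:/ { print $3 }'
}

# Constructed records: 10.0.0.5 makes 7 SSH attempts within 7 s and is throttled
# from the 6th on; 10.0.0.9 makes 5, waits more than 30 s, then makes 3 more and
# is never throttled because the pause reset its count.
SAMPLE_ATTEMPTS='0 10.0.0.5 ssh
0 10.0.0.9 ssh
1 10.0.0.5 ssh
1 10.0.0.9 ssh
2 10.0.0.5 ssh
2 10.0.0.9 ssh
3 10.0.0.5 ssh
3 10.0.0.9 ssh
4 10.0.0.5 ssh
4 10.0.0.9 ssh
5 10.0.0.5 ssh
6 10.0.0.5 ssh
40 10.0.0.9 ssh
41 10.0.0.9 ssh
42 10.0.0.9 ssh'

printf '%s\n' "$SAMPLE_ATTEMPTS" | simulate_throttle
```

The two hosts show the practical consequence of the rule: a tool that retries faster than the limit allows is throttled within seconds, while legitimate logins spaced more than 30 seconds apart never accumulate a count.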
User      Role
root      User role without restrictions
admin     Administrator
netadmin  Administrator for the network only
audit     Auditor/tester
mobile    Sending text messages
The predefined users (root, admin, netadmin, audit, and mobile) have different permissions.
–The root user has unrestricted access to the mGuard.
–The admin user also has unrestricted functional access to the mGuard; however, the number of simultaneous SSH sessions is limited.
–Permissions are explicitly assigned to the netadmin user via the mGuard device manager (FL MGUARD DM). For all other functions this user has read access only. Passwords and private keys cannot be read by this user.
–The audit user has read access only, to all functions. By default, the audit user role can only be activated via the mGuard device manager (FL MGUARD DM), in the same way as netadmin.
–The mobile user can send text messages via the mGuard using a CGI script. No other functions are accessible to the mobile user (see "CGI interface" on page 455).
2.4 Input help during configuration (system messages)
With firmware 8.0 or later, modified or invalid entries are highlighted in color on the web interface.
System messages which explain why an entry is invalid, for example, are also displayed.
JavaScript must be enabled in the web browser for this.
Figure 2-1 Example system message
–Modified entries are highlighted in green on the relevant page and in the associated menu item until the changes are applied or reset. In the case of tables, it is only indicated that a table row has been modified or removed; the modified value is not indicated.
–Invalid entries are highlighted in red on the relevant page and tab and in the associated menu item.
The modified or invalid entries remain highlighted even when you close a menu.
When necessary, information relating to the system is displayed at the top of the screen.
You can click on the desired configuration via the menu on the left-hand side, e.g., “Management, Licensing”.
The page is then displayed in the main window – usually in the form of one or more tab pages – where settings can be made. If the page is organized into several tab pages, you can switch between them using the tabs at the top.
Working with tab pages
–You can make the desired entries on the corresponding tab page (see also "Working with sortable tables" on page 25).
–You can return to the previously accessed page by clicking on the “Back” button located at the bottom right of the page, if available.
Modifying values
If you modify the value of a variable on the web interface, the change is not applied until you click the Save icon. The name of the modified variable is then displayed in green.
In order to make it easier to trace the changes, the full menu path for the modified variable is also displayed in green: Menu >> Submenu >> Tab page >> Section >> Variable.
Entry of impermissible values
If you enter an impermissible value (e.g., an impermissible number in an IP address) and click the Save icon, the relevant variable name is displayed in red and an error message is usually displayed.
In order to make it easier to trace the error, the full menu path for the modified variable is also displayed in red: Menu >> Submenu >> Tab page >> Section >> Variable.
Entry of a timeout
A timeout can be entered in three ways:
–In seconds [ss]
–In minutes and seconds [mm:ss]
–In hours, minutes, and seconds [hh:mm:ss]
The three possible values are each separated by a colon. If only one value is entered, it will be interpreted as seconds, two values as minutes and seconds, three values as hours, minutes and seconds. The values for minutes and seconds may be greater than 59. After the values have been applied, they will always be shown as [hh:mm:ss] regardless of the format they were entered in (if you enter 90:120 for example, it will be shown as 1:32:00).
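The following shell function, added here as an example and not part of the device software, performs the conversion the interface applies: it accepts the three input forms, carries excess minutes and seconds over, and prints the [hh:mm:ss] form, so 90:120 becomes 1:32:00. Inputs with more than three fields or non-numeric fields are rejected; the text above does not spell that out, but any parser of this format has to decide it.

```shell
#!/bin/sh
# Normalise a timeout given as [ss], [mm:ss] or [hh:mm:ss] to the h:mm:ss form
# the web interface shows after the value is applied. Minutes and seconds may
# exceed 59; the excess is carried over. Written for this example.
normalize_timeout() {
    total=$(printf '%s' "$1" | awk -F: '
        NF > 3 { print -1; exit }
        {
            for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) { print -1; exit }
            s = 0
            for (i = 1; i <= NF; i++) s = s * 60 + $i   # each field is one unit larger
            print s
        }')
    if [ -z "$total" ] || [ "$total" -lt 0 ]; then
        echo "invalid timeout: '$1' (use ss, mm:ss or hh:mm:ss)" >&2
        return 1
    fi
    printf '%d:%02d:%02d\n' $((total / 3600)) $((total % 3600 / 60)) $((total % 60))
}

normalize_timeout 90:120            # 1:32:00, as in the text above
normalize_timeout 45                # 0:00:45
normalize_timeout 3661              # 1:01:01
normalize_timeout 1:2:3:4 || true   # rejected: too many fields
```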
Global icons
The following icons are located at the top of every page:
Logout: Logs you out after configuring the mGuard. If the user does not log out, they are logged out automatically once there has been no further activity for the period specified in the configuration. Access can only be restored by logging in again.
Reset: Resets the modified values to the original values. If you have entered values on one or more configuration pages and have not yet applied them (by clicking Save), clicking Reset discards the changes.
Save: To apply the settings on the device, you must click Save. Note that changes made elsewhere (highlighted in green) are applied as well.
Session: Displays the time remaining until the logged-in user is logged out of the web interface. Clicking the time display resets the timeout to its configured initial value (see "Management >> Web Settings >> General" on page 68).
Online help: Link to the online help for the installed firmware version. The online help can only be accessed when an Internet connection is available and the firewall permits it. Clicking the icon opens the section of the mGuard firmware user manual that matches the current page in a new browser tab or window. The mGuard firmware user manual is also available as a PDF from the product pages at phoenixcontact.net/products or from help.mguard.com.
Many settings are saved as data records. Accordingly, the adjustable parameters and their values are presented as table rows. If multiple firewall rules are defined, they are evaluated from the top of the list downwards until a matching rule is found, so pay attention to the order of the entries. The order can be changed by moving table rows up or down.
–Insert rows to create a new data record with settings (e.g., the firewall settings for a specific connection)
–Move rows (i.e., re-sort them)
–Delete rows to delete the entire data record
Inserting rows
1.Click the Insert Row icon in the row below which the new row is to be inserted.
2.A new row is inserted below the selected row.
The inserted row is displayed in green until the change has been applied.
Moving rows
1.Move the mouse pointer over the row number (seq.) of the row that you wish to move.
The mouse pointer changes to a cross.
2.Left-click in the desired row and hold down the mouse button.
The row is detached from its current position in the sequence.
3.With the mouse, move the selected row to the desired position.
A border around the target row shows where the row will be inserted.
4.Release the mouse button.
5.The row is moved to the marked position.
Deleting rows
1.Click the Delete Row icon in the row that you wish to delete.
2.Then click the Save icon to apply the change.
2.6 CIDR (Classless Inter-Domain Routing)
IP netmasks and CIDR are methods of notation that combine several IP addresses to create a single address area. An area comprising consecutive addresses is handled like a network.
To specify an area of IP addresses for the mGuard , e.g., when configuring the firewall, it may be necessary to specify the address area in CIDR format. In the table below, the left-hand column shows the IP netmask, while the right-hand column shows the corresponding CIDR format.
IP netmask          Binary                                 CIDR
Example: 192.168.1.0/255.255.255.0 corresponds to CIDR: 192.168.1.0/24
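The following shell functions are an added example (not part of this manual or of the mGuard) that carry out the conversion described above in both directions, print the netmask/binary/CIDR table for all prefix lengths, and compute the network address a host belongs to, which is what the route entries in the diagram below need. They also reject masks whose one bits are not contiguous, such as 255.0.255.0, since such a mask has no CIDR equivalent. A shell with 64-bit arithmetic is assumed for the shifts.

```shell
#!/bin/sh
# Netmask <-> CIDR conversion written for this example (not mGuard firmware code).
# Uses only POSIX shell arithmetic; a 64-bit shell is assumed for the shifts.

# Dotted quad -> 32-bit integer. Returns 1 for anything that is not four
# decimal octets in 0..255 (leading zeros are rejected to avoid octal parsing).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# 255.255.255.0 -> 24. Fails if the mask's one bits are not a contiguous prefix.
mask_to_cidr() {
    m=$(ip_to_int "$1") || return 1
    n=0
    while [ $n -lt 32 ] && [ $(( m >> (31 - n) & 1 )) -eq 1 ]; do n=$((n + 1)); done
    [ $(( m & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1   # remaining bits must be 0
    echo $n
}

# 24 -> 255.255.255.0
cidr_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Dotted quad -> binary, one group of eight bits per octet.
ip_to_binary() {
    v=$(ip_to_int "$1") || return 1
    out=""
    for pos in 24 16 8 0; do
        octet=$(( v >> pos & 255 )); bits=""
        for b in 128 64 32 16 8 4 2 1; do
            if [ $(( octet & b )) -ne 0 ]; then bits="${bits}1"; else bits="${bits}0"; fi
        done
        out="${out:+$out.}$bits"
    done
    echo "$out"
}

# network_of <host ip> <mask as dotted quad or prefix length> -> network/prefix
network_of() {
    ip=$(ip_to_int "$1") || return 1
    case "$2" in *.*) mask=$2 ;; *) mask=$(cidr_to_mask "$2") || return 1 ;; esac
    p=$(mask_to_cidr "$mask") || return 1
    echo "$(int_to_ip $(( ip & $(ip_to_int "$mask") )))/$p"
}

# The netmask / binary / CIDR table referred to above, for all 33 prefix lengths.
print_mask_table() {
    printf '%-16s %-36s %s\n' "IP netmask" "Binary" "CIDR"
    p=0
    while [ $p -le 32 ]; do
        m=$(cidr_to_mask $p)
        printf '%-16s %-36s /%s\n' "$m" "$(ip_to_binary "$m")" "$p"
        p=$((p + 1))
    done
}

print_mask_table
network_of 192.168.11.3 255.255.255.0   # 192.168.11.0/24: the network computer A1 belongs to
mask_to_cidr 255.0.255.0 || echo "255.0.255.0 has no CIDR equivalent"
```

When entering firewall rules, the address given with a prefix is a network, so 192.168.11.3/24 and 192.168.11.0/24 describe the same range; network_of shows the canonical form the mask produces.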
The following diagram shows how IP addresses can be distributed in a local network with subnetworks, which network addresses result from this, and how the details regarding additional internal routes may look for the mGuard .
Network A (network mask 255.255.255.0 on all computers)
Computer    IP address
A1          192.168.11.3
A2          192.168.11.4
A3          192.168.11.5
A4          192.168.11.6
A5          192.168.11.7

Network B (network mask 255.255.255.0 on all computers)
Computer    IP address
B1          192.168.15.2
B2          192.168.15.3
B3          192.168.15.4
B4          192.168.15.5

Network C (network mask 255.255.255.0 on all computers)
Computer    IP address
C1          192.168.27.1
C2          192.168.27.2
C3          192.168.27.3
C4          192.168.27.4
2.8 LED status indicator and blinking behavior
mGuard devices use built-in LEDs to indicate various system states, such as status, alarm and error messages.
Detailed information on the LEDs can be found in the Appendix (see "LED status indicator and blinking behavior" on page 457).