Allen-Bradley Stratix 5950 - Cell;Area Zone Monitoring

To Next Page

To Previous Page

102 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019

Chapter 8 Firewall Modes

Cell/Area Zone Monitoring

The cell/area zone monitor mode use case is used to monitor traffic of interest

without placing the IFW directly inline of a controller, skid, machine, or cell/

area zone of interest. The IFR is connected to a switch that has visibility to the

traffic that is required to be monitored. A span session or port mirror is created

to send the traffic of interest to the IFW.

Figure 29

illustrates this use case.

Figure 29 - Industrial Firewall Placement for Cell/Area Zone Monitoring

Considerations

Before implementing the IFW as a monitor, it is recommended that the

designer understand and document:

• Ingress and egress traffic volume

Main Page

Default Chapter3
- Table of Contents3
- Additional Resources8
Preface8
- Summary of Changes8
About the Security Appliance11
Chapter 1 Overview11
- Hardware Features12
  - Status Indicators15
- Installation of the Security Appliance16
- Express Setup Button16
- Power Supply17
- Small Form Factor Pluggable (SFP) Modules17
- Memory and Storage17
- SD Card17
- USB Ports17
- Management Ethernet Port18
- Console Port18
- Alarm Ports19
- Power Supply19
  - CLI Commands19
- Temperature Sensor20
- Software Features20
Chapter 2 Industrial Firewall Technology Overview21
- Logical Framework23
- Network Protection (Adaptive Security Appliance)23
- Intrusion Prevention and Detection (Firepower)25
- Machine/Skid Protection25
  - Transparent Mode25
- Routed Mode26
  - Nat26
  - Considerations26
- Redundant Star Cell/Area Zone Protection28
  - Considerations28
- Ring Cell/Area Zone Protection29
  - Considerations30
- Cell/Area Zone Monitoring31
  - Considerations31
- Time Synchronization32
Industrial Firewall Use Cases21
Configure the Security Appliance37
Chapter 3 Configure the Security Appliance Prerequisites38
- Device Setup39
- Configure a Test Policy to Block CIP Administrative Traffic53
- Configure Precision Time Protocol (PTP)71
Prerequisites38
- Ethernet Devices38
Chapter 4 Status Indicators73
Chapter 575
- Firesight Management Center75
- Cisco Security Manager (CSM)77
- Management Recommendations79
- Integration of New Firewalls79
- Centralized Management80
Overview75
Chapter 6 Power Failure of the System81
- Enable the Hardware Bypass by Using CLI Commands81
  - Default State of the Hardware Bypass82
- ASA CLI Commands for Hardware Bypass82
- Limitations of Hardware Bypass83
  - Hardware Bypass CLI83
Chapter 7 CIP Preprocessor87
- CIP Access Control Policies88
- CIP Access Control Policy Rule Limitations89
- CIP Intrusion Policies90
Chapter 8 Industrial Firewall Deployment Considerations92
- Inline Transparent Mode92
- Inline Transparent Monitor-Only Mode94
- Inline Routed Mode95
- Passive Monitor-Only Mode95
- Deployment Recommendations96
- Industrial Firewall Use Cases97
Chapter 9 Updating ASDM Software103
- Updating ASA Software107
- Back up Controls License111
- Install the SFR 6.4.0 Update111
Updating the Device103
Chapter 10 Obtain the Current Running Software Versions117
- Reset the Device to Factory Defaults118
Troubleshoot117
Glossary125
Index127

Allen-Bradley Stratix 5950 - Cell;Area Zone Monitoring

Table of Contents