Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 89
CIP Inspection Chapter 7
The following CIP Application Categories can be used in Access Control
Policy rules:
CIP Access Control Policy Rule Limitations
We recommend that you use CIP Access Control Policy rules only to block
specific CIP traffic. Access control rules that you configure to log
connections do not generate events for specified CIP applications, and
access-control rules that you do not configure to log connections can
generate events for CIP applications. We recommend that you use an
access-control policy default action of Intrusion Prevention.
The CIP preprocessor does not support an access-control policy default action
of Access Control: Trust All Traffic. This default action could produce
undesirable behavior, including not dropping traffic triggered by CIP
applications specified in intrusion rules and access-control policy rules.
The CIP preprocessor does not support an access-control policy default action
of Access Control: Block All Traffic, which could produce undesirable
behavior, including blocked CIP applications that you do not expect to
be blocked.
The CIP preprocessor does not support application visibility for CIP
applications, including network discovery.
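The limitations above can be checked mechanically before a policy is deployed. The following lint is an added example, not Rockwell Automation or Cisco code; the dictionary layout, the "Block"/"Allow" action strings, the rule names and the finding codes are hypothetical, and the sample policies are constructed.

```python
# Added example: lint for a simplified policy description. The dict layout
# ("default_action", "rules", "name", "action", "categories", "log") is a
# hypothetical representation, not a vendor export format.
CIP_CATEGORIES = {"CIP RA Admin", "CIP RA Read", "CIP RA Write",
                  "CIP Admin", "CIP Read", "CIP Write"}  # names from Table 9
RECOMMENDED_DEFAULT = "Intrusion Prevention"
UNSUPPORTED_DEFAULTS = {"Access Control: Trust All Traffic",
                        "Access Control: Block All Traffic"}

def lint_policy(policy):
    """Return (location, finding_code) tuples for settings the page warns about."""
    findings = []
    default = policy.get("default_action")
    if default in UNSUPPORTED_DEFAULTS:
        # The CIP preprocessor does not support these default actions.
        findings.append(("default", "UNSUPPORTED_DEFAULT"))
    elif default != RECOMMENDED_DEFAULT:
        findings.append(("default", "NOT_RECOMMENDED_DEFAULT"))
    for rule in policy.get("rules", []):
        if not CIP_CATEGORIES & set(rule.get("categories", [])):
            continue  # rule does not reference a CIP application category
        if rule.get("action") != "Block":
            # CIP rules are recommended only for blocking specific traffic.
            findings.append((rule["name"], "CIP_RULE_NOT_BLOCK"))
        if rule.get("log"):
            # Connection logging does not generate events for CIP applications.
            findings.append((rule["name"], "LOG_NO_CIP_EVENTS"))
    return findings

# Constructed sample: unsupported default, a logged CIP rule, a CIP allow rule.
WEAK = {"default_action": "Access Control: Trust All Traffic", "rules": [
    {"name": "block-plc-admin", "action": "Block",
     "categories": ["CIP RA Admin"], "log": True},
    {"name": "allow-hmi-read", "action": "Allow",
     "categories": ["CIP RA Read"], "log": False},
    {"name": "block-web", "action": "Block", "categories": ["HTTP"], "log": True},
]}

# Constructed sample: recommended default, CIP categories used only to block.
FIXED = {"default_action": "Intrusion Prevention", "rules": [
    {"name": "block-plc-admin", "action": "Block",
     "categories": ["CIP RA Admin", "CIP Admin"], "log": False},
    {"name": "block-web", "action": "Block", "categories": ["HTTP"], "log": True},
]}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("fixed", FIXED)):
        print(label, lint_policy(pol))
```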
Table 9 - Access Control Policy Application Categories

Application Categories | Description

CIP RA Admin | Actions that change the state of the device via CIP that use standard and Rockwell Automation-specific methods, such as CIP Reset.
  • ControlFlash or any tool that updates RA firmware in a standard way.
  • Usage of the Logix Designer application that goes online with a device; for example, Go Online, Download, or Upload.
  • Use of RSLinx™ software to change a Networking property of a module, such as: IP address, Netmask, Gateway, DNS server, Domain name, Hostname, Speed, Duplex Mode, Interface Speed.

CIP RA Read | Actions that read values/attributes via CIP, via the use of standard and Rockwell Automation-specific methods. For example, RSLinx software browse, or the HMI reading a tag.

CIP RA Write | Actions that set values/attributes via CIP, which do not fall under "CIP RA Admin", with the use of standard and Rockwell Automation-specific methods. For example, the HMI setting a tag value, or RSLinx changing various properties of a device (properties that do not fall under CIP RA Admin).

CIP Admin | Actions that change the state of the device via CIP, with the use of standard methods, such as CIP Reset.

CIP Read | Actions that read values/attributes via CIP, with the use of standard methods.

CIP Write | Actions that set values/attributes via CIP, which do not fall under "CIP Admin", with the use of standard methods.