Siemens SIMATIC NET SCALANCE S615

SIMATIC NET
Industrial Ethernet Security
SCALANCE S615 Web Based Management
Configuration Manual, 11/2019, C79000-G8976-C388-08

Chapters: Preface, Description, Security recommendation, Technical basics, Configuring with Web Based Management, Upkeep and maintenance, Appendix A...
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.

Preface

Scope of the manual
This Configuration Manual covers the following product:
● SCALANCE S615
This Configuration Manual applies to the following software version:
● SCALANCE S615 firmware as of version V 6.2

Purpose of the Configuration Manual
This Configuration Manual is intended to provide you with the information you require to install, commission and operate the device.
615 device.
● Operating Instructions SCALANCE S615
You will find this document on the Internet pages of Siemens Industry Online Support. It contains information on installation, connecting up and approvals of the SCALANCE S615.
● Operating Instructions SINEMA RC Server
You will find this document on the Internet pages of Siemens Industry Online Support.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customers’...
You will find license conditions in the following documents on the supplied data medium:
● OSS_Scalance-M-800-S615_86.pdf

Trademarks
The following and possibly other names not identified by the registered trademark sign ® are registered trademarks of Siemens AG: SCALANCE, SINEMA, KEY-PLUG, C-PLUG

SCALANCE S615 Web Based Management Configuration Manual, 11/2019, C79000-G8976-C388-08
Table of contents

Preface 3
Description 13
  Function 13
  Configuration examples 14
    1.2.1 TeleControl with SINEMA RC 14
    1.2.2 Secure access with S615 16
  Requirements for operation 16
    1.3.1 Use in a PROFINET environment 17
  System functions 18
  Configuration limits for WBM and CLI 19
  Configuration limits for SINEMA RC 21
  PLUG 22
    1.7.1 ...
Configuring with Web Based Management 61
  Web Based Management 61
  Starting and logging in 62
  "Wizard" menu 66
    4.3.1 Basic Wizard 66
    4.3.2 IP 67
    4.3.3 Device 69
    4.3.4 Time Settings 70
    4.3.5 DDNS 72
    4.3.6 SINEMA RC 73
    4.3.7 Summary 76
  "Information" ...
  ...
    4.5.5 Events 137
    4.5.5.1 Event Configuration 137
    4.5.5.2 Severity Filters 141
    4.5.6 SMTP client 142
    4.5.6.1 General 142
    4.5.6.2 Recipient 145
    4.5.7 SNMP 147
    4.5.7.1 General 147
    4.5.7.2 Traps 149
    4.5.7.3 v3 Groups 151
    4.5.7.4 v3 users 153
    4.5.8 System Time 155
    4.5.8.1 Manual Setting 156
    4.5.8.2 ...
  ...
    4.7.1 Layer 2 configuration 215
    4.7.2 VLAN 216
    4.7.2.1 General 216
    4.7.2.2 Port Based VLAN 220
    4.7.3 Dynamic MAC Aging 222
    4.7.4 Spanning Tree 223
    4.7.4.1 General 223
    4.7.4.2 ST general 224
    4.7.4.3 ST port 225
    4.7.5 LLDP 228
  "Layer 3" menu 230
    4.8.1 Static routes 230
    4.8.2 ...
  ...
    4.9.6.4 Authentication 286
    4.9.6.5 Phase 1 288
    4.9.6.6 Phase 2 290
    4.9.7 OpenVPN client 292
    4.9.7.1 General 292
    4.9.7.2 Connections 293
    4.9.7.3 Remote 295
    4.9.7.4 Authentication 296
Upkeep and maintenance 297
  Device configuration with PRESET-PLUG 297
  Firmware update using WBM not possible 300
  Restoring the factory settings 301
Appendix A 303
  Format of the syslog messages 303
  ...
● VPN functions
To establish a VPN (Virtual Private Network), the following functions are available:
– IPsec VPN
– OpenVPN client
● SINEMA RC client
● Proxy server
● Siemens Remote Service (SRS)
Monitoring / diagnostics / maintenance
● LEDs
Display of operating statuses via the LED display. You will find further information on this in the Operating Instructions of the device.
● Logging
For monitoring, have the events logged.
● ...

1.2 Configuration examples
The devices must log on to the SINEMA RC server. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. Depending on the configured communications relations and the security settings, the SINEMA RC server connects the individual VPN tunnels.

1.2.2 Secure access with S615
Secure remote access and network segmentation with SCALANCE S615
A secure connection for data exchange between an automation plant and remote stations will be established via the Internet and mobile wireless network. At the same time, a secure connection will be established when necessary for service purposes.

1.3 Requirements for operation
You will find further information on this in the device-specific operating instructions.
Configuration
In the factory settings, the SCALANCE S615 can be reached as follows for initial configuration:
Default values set in the factory
Ethernet interface for the configuration: P1 ...
1.4 System functions
Availability of the system functions
The following table shows the availability of the system functions. Note that all functions are described in this configuration manual and in the online help. Some functions may not be available to you depending on the KEY PLUG.

1.5 Configuration limits for WBM and CLI
Depending on your device, some functions are not available.
Configurable function | Maximum number
System
● DNS server
● Syslog server
● SMTP server
● E-mail recipient: 20 per SMTP server
● SNMPv1 trap recipient
● SMS receiver
● SNTP server
● NTP server: one per layer 3 interface
● NTP (secure) - Server ...
Security
● Users (incl. user preset in the factory "admin")
● Groups
● Roles (incl. the predefined roles)
● RADIUS server
Firewall
● IP protocols: 16
● IP services: 32
● ICMP services: 16
● IP rules: 128
● User-specific firewall: ● ...
1.7 PLUG
1.7.1 C-PLUG and KEY-PLUG
The PLUG is a removable medium and is used to transfer the configuration of the old device to the new device when a device is replaced. The PLUG is available in the following variants:
● ...

Command Line Interface (CLI) and PROFINET diagnostics). The user then has the choice of either removing the PLUG again or selecting the option to reformat the PLUG.
Type | Properties | Article number
C-PLUG | Exchangeable storage medium (32 MB) for the configuration data | 6GK1900-0AB00
| Exchangeable storage medium (256 MB) for the con...
Security recommendation
You will find information on this on the Internet pages "Industrial Security (https://www.siemens.com/industrialsecurity)".
● Inform yourself regularly about security advisories and bulletins published by Siemens ProductCERT (https://www.siemens.com/cert/en/cert-security-advisories.htm).
● Only activate protocols that you really require to use the device.
● Use a central logging server to log changes and accesses. Operate your logging server within the protected network area and check the logging information regularly.
● We recommend formatting a PLUG that is not being used.

Passwords
● ...

Secure/non-secure protocols
● Avoid or disable non-secure protocols, for example Telnet and TFTP. For historical reasons, these protocols are still available, however they are not intended for secure applications. If you use non-secure protocols on the device, do so only over a secure connection (e.g. SINEMA RC).
● ...
Service | Protocol/Port number | Default port status (local access, external access) | Configurable (service, port), Authentication, Encryption
... | UDP/1812 | Outgoing only, Outgoing only | ✓ ✓ ✓
SFTP | TCP/22 | Outgoing only, Outgoing only | ✓ ✓ ✓ ✓
Siemens Remote Service (cRSP/SRS) | TCP/443 | Outgoing only, Outgoing only | ✓ Optional ✓
SINEMA RC | HTTPS/443 | Outgoing only, Outgoing only | ✓ ✓ ...
... | TCP/22 | Open, Closed | ✓ ✓ ✓ ✓
Syslog | UDP/514 | Outgoing only, Outgoing only | ✓ ✓
Syslog over TLS | TCP/514 | Outgoing only, Outgoing only | ✓ ...
Technical basics
3.1 Structure of an IPv4 address
The IPv4 address consists of 4 decimal numbers separated by a dot. Each decimal number can have a value from 0 to 255.
Example: 192.168.16.2
The IPv4 address is composed of:
● Address of the (sub)network
● ...

Classless Inter-Domain Routing (CIDR)
CIDR is a method that groups several IPv4 addresses into an address range by representing an IPv4 address combined with its subnet mask. To do this, a suffix is appended to the IPv4 address that specifies the number of bits of the network mask set to 1.
3.2 ICMP
The acronym ICMP stands for Internet Control Message Protocol (RFC 792) and is used to exchange error and information messages.
● Error message
Informs the sender of the IP frame that an error or a parameter problem occurred when the frame was forwarded.

ICMP packet type 5 - Redirect
Host A wants to send an IP frame to host C. Host C is not located in the same subnet as host A. For this reason host A sends the IP frame to its default gateway. The default gateway of host A is interface 1 of router A.
3.3 VLAN
3.3.1 VLAN
Network definition regardless of the spatial location of the nodes
VLAN (Virtual Local Area Network) divides a physical network into several logical networks that are shielded from each other. Here, devices are grouped together to form logical groups. Only nodes of the same VLAN can address each other.

3.3.2 VLAN tagging
Expansion of the Ethernet frames by four bytes
For CoS (Class of Service, frame priority) and VLAN (virtual network), the IEEE 802.1Q standard defined the expansion of Ethernet frames by adding the VLAN tag.
Note
The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.

The tagged frame has 3 bits for the priority that is also known as Class of Service (CoS), see also IEEE 802.1Q.
CoS bits | Priority | Type of the data traffic
| 0 (lowest) | Background
| | Best Effort
| | Excellent Effort
| | Critical Applications
| | Video, <...
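The 4-byte tag and the 1518/1522-byte limits described above, shown as an added example that is not part of the manual: it inserts and decodes an 802.1Q tag on a constructed frame. The CoS names for priorities 1 to 4 are assumed from the order of the table, which numbers only the value 0; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q VLAN tag
MAX_UNTAGGED_FRAME = 1518    # permitted total length without a tag (incl. FCS)
MAX_TAGGED_FRAME = 1522      # the 4-byte tag raises the limit to 1522 bytes

# CoS names from the manual's table. Only the value 0 is numbered there;
# values 1 to 4 are an assumption read off the order in which the names appear.
COS_NAMES = {
    0: "Background",
    1: "Best Effort",
    2: "Excellent Effort",
    3: "Critical Applications",
    4: "Video",
}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet frame: 6-byte dst, 6-byte src, 2-byte EtherType."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("VID is 12 bits, PCP 3 bits, DEI 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid      # TCI layout: PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header, pull the tag fields if present and check the length limit."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "length": len(frame)}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        info.update(tagged=True, pcp=pcp, dei=(tci >> 12) & 1, vid=tci & 0x0FFF,
                    cos=COS_NAMES.get(pcp, f"priority {pcp}"), ethertype=inner_type)
        limit = MAX_TAGGED_FRAME
    else:
        info["ethertype"] = ethertype
        limit = MAX_UNTAGGED_FRAME
    info["oversize"] = len(frame) > limit   # True if the frame exceeds the permitted length
    return info


# Constructed sample: a maximum-size untagged IPv4 frame (14 header + 1500 payload
# + 4 placeholder FCS bytes = 1518) and the same frame tagged with VID 100, PCP 4.
SAMPLE_UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800,
                              bytes(1500) + b"\x00\x00\x00\x00")
SAMPLE_TAGGED = add_vlan_tag(SAMPLE_UNTAGGED, vid=100, pcp=4)

if __name__ == "__main__":
    for name, frame in (("untagged", SAMPLE_UNTAGGED), ("tagged", SAMPLE_TAGGED)):
        print(name, parse_frame(frame))
```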
3.4 SNMP
Tasks of SNMP:
● Monitoring of network components
● Remote control and remote parameter assignment of network components
● Error detection and error notification
In versions v1 and v2c, SNMP has no security mechanisms. Each user in the network can access data and also change parameter assignments using suitable software.

The SNMP agent sends data packets of the following type:
● RESPONSE
The SNMP agent returns the data requested by the manager.
● TRAP
If a certain event occurs, the SNMP agent itself sends traps.
SNMPv1/v2c/v3 use UDP (User Datagram Protocol) and use the UDP ports 161 and 162. The data is described in a Management Information Base (MIB).
3.5 Security functions
3.5.1 User management
Overview of user management
Access to the device is managed by configurable user settings. Set up users with a password for authentication. Assign a role with suitable rights to the users. The authentication of users can either be performed locally by the device or by an external RADIUS server.

RADIUS authorization mode "SiemensVSA"
Requirement
For the RADIUS authorization mode "Siemens VSA" the following needs to be set on the RADIUS server:
● Manufacturer code: 4196
● Attribute number: 1
● Attribute format: Character string (group name)
Procedure
If you have set the authorization mode "SiemensVSA", the authentication of users via a...
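The three settings above map onto the RADIUS Vendor-Specific attribute (type 26, RFC 2865) with vendor id 4196 and vendor-type 1 carrying the group name. The following is an added example, not code from the manual or from Siemens: it encodes such an attribute and extracts the group name from a constructed Access-Accept attribute list, rejecting a sub-attribute whose length does not fit. The unrelated vendor id 99999 and all sample values are constructed.

```python
import struct
from typing import Iterator, List, Tuple

VENDOR_SPECIFIC = 26        # RADIUS attribute type "Vendor-Specific" (RFC 2865)
SIEMENS_VENDOR_ID = 4196    # manufacturer code named in the manual
SIEMENS_GROUP_ATTR = 1      # attribute number named in the manual (group name string)


def encode_siemens_group(group: str) -> bytes:
    """Build one Vendor-Specific attribute carrying the group-name string.

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type(1) Vendor-Length Value...
    """
    value = group.encode("utf-8")
    sub = struct.pack("!BB", SIEMENS_GROUP_ATTR, 2 + len(value)) + value
    if 6 + len(sub) > 255:
        raise ValueError("attribute would exceed the 255-byte RADIUS attribute limit")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), SIEMENS_VENDOR_ID) + sub


def iter_attributes(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, refusing lengths that do not fit the buffer."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def siemens_groups(blob: bytes) -> List[str]:
    """Return every group name carried in Siemens VSAs; other vendors are ignored."""
    groups = []
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != SIEMENS_VENDOR_ID:
            continue
        # Sub-attributes use the same Type/Length layout, so the same walker applies.
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == SIEMENS_GROUP_ATTR:
                groups.append(vvalue.decode("utf-8"))
    return groups


# Constructed Access-Accept attribute list: Session-Timeout (27) = 3600 s,
# a VSA from an unrelated vendor id (99999, made up), then the Siemens group VSA.
SAMPLE_ATTRS = (
    struct.pack("!BBI", 27, 6, 3600)
    + struct.pack("!BBI", VENDOR_SPECIFIC, 6 + 5, 99999)
    + struct.pack("!BB", 1, 5) + b"xyz"
    + encode_siemens_group("operators")
)

# Constructed malformed VSA: the sub-attribute claims 20 bytes but only 3 follow.
BROKEN_ATTRS = (struct.pack("!BBI", VENDOR_SPECIFIC, 11, SIEMENS_VENDOR_ID)
                + struct.pack("!BB", 1, 20) + b"abc")

if __name__ == "__main__":
    print(encode_siemens_group("operators").hex())
    print(siemens_groups(SAMPLE_ATTRS))
```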
3.5.2 Firewall
3.5.2.1 Firewall
The security functions of the device include a stateful inspection firewall. This is a method of packet filtering or packet checking. The IP packets are checked based on firewall rules in which the following is specified:
● ...

Communication directions
from | to | Meaning
vlan x | vlan x | Access from IP subnet vlan x to IP subnet vlan x. Example: vlan1 (INT) → vlan2 (EXT): Access from the local IP subnet to the external IP subnet.
vlan x | ppp2 | Access from the IP subnet to the WAN interface of the device.
ppp0/usb | vlan x | Access from the mobile wireless interface to the IP subnet.
ppp0/usb | Device | Access from the mobile wireless interface to the device.
ppp0/usb | SINEMA RC | Access from the mobile wireless interface to the SINEMA RC connection.
ppp0/usb | IPsec (all) | Access from the mobile wireless interface to the VPN tunnel partners that can be reached via all VPN connections (all) or via a certain VPN connec...
NAT in which the destination IP address is translated. You will find information on NAT scenarios that are implemented with the device at the following address: (https://support.industry.siemens.com/cs/gb/en/view/109744660)
IP masquerading
IP masquerading is a simplified source NAT. With each outgoing data packet sent via this interface, the source IP address is replaced by the IP address of the interface.

NAPT
NAPT (Network Address and Port Translation) is a form of destination NAT and is often called port forwarding. This allows the services of internal nodes that are hidden by IP masquerading or source NAT to be reached from the external network. Incoming data packets that come from the external network and are intended for an external IP address of the device (destination IP address) are translated.

The reply frames from the external network can pass through the NAT router and firewall without it being necessary for their addresses to be included separately in the firewall rule and the NAT address translation. Frames that are not a reply to a query from the internal network are discarded unless a firewall rule matches them.

These IP rules allow the IP data traffic for all devices for the specified direction.
NAT rule | IP rules: Action | Source (Range) | Destination (Range) | Description
① | Accept | vlan1 192.168.1.0/24 | vlan2 10.10.10.0/24 | All packets sent from vlan1 (internal) to vlan2 (external) are allowed to pass.
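The stateful behaviour described above (a query from the internal subnet opens a flow, its reply passes without a rule of its own, anything else without a matching rule is discarded) as an added example that is not code from the manual or the device: a small connection-tracking filter loaded with the vlan1 → vlan2 rule from the table. Interface names follow the manual; the packets, ports, log format and the "log_severity" field are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on, e.g. "vlan2"
    out_if: str     # interface it would leave on, e.g. "vlan1"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str      # "accept" or "drop"
    from_if: str
    to_if: str
    src_range: str   # CIDR, as in the manual's IP rule table
    dst_range: str
    log_severity: Optional[str] = None   # severity used when a hit on this rule is logged

    def matches(self, p: Packet) -> bool:
        return (p.in_if == self.from_if and p.out_if == self.to_if
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_range)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_range))


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Stateful inspection: rules are consulted only for the first packet of a flow."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[FlowKey] = set()
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # A reply swaps the endpoints of the original query.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.flows or self._reply_key(p) in self.flows:
            return "accept (established)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.log_severity:
                    self.log.append(f"{rule.log_severity}: {rule.action} "
                                    f"{p.in_if}>{p.out_if} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                if rule.action == "accept":
                    self.flows.add(self._key(p))   # remember the query so its reply may pass
                return rule.action
        return "drop (no matching rule)"          # default deny


# The rule from the manual's table: vlan1 192.168.1.0/24 -> vlan2 10.10.10.0/24 allowed.
RULES = [Rule("accept", "vlan1", "vlan2", "192.168.1.0/24", "10.10.10.0/24", "info")]

# Constructed traffic: an internal query, its reply, an unsolicited external packet
# and an internal packet whose source is outside the rule's range.
QUERY = Packet("vlan1", "vlan2", "192.168.1.10", 40000, "10.10.10.5", 443)
REPLY = Packet("vlan2", "vlan1", "10.10.10.5", 443, "192.168.1.10", 40000)
UNSOLICITED = Packet("vlan2", "vlan1", "10.10.10.9", 5555, "192.168.1.10", 22)
OUT_OF_RANGE = Packet("vlan1", "vlan2", "172.16.0.5", 40001, "10.10.10.5", 443)


def demo() -> List[str]:
    """Verdicts in order: reply before any query, query, reply, unsolicited, out of range."""
    fw = StatefulFirewall(RULES)
    return [fw.filter(pkt) for pkt in (REPLY, QUERY, REPLY, UNSOLICITED, OUT_OF_RANGE)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```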
3.5.5 Certificates
Certificate types
The device uses different certificates to authenticate the various nodes.
Certificate | Is used in...
CA certificate: The CA certificate is a certificate issued by a Certificate Authority from which the server, device and partner certificates are derived. | IPsec VPN (Page 286)

For the VPN connections, the device distinguishes two modes:
● Roadwarrior mode
In this mode either the address of the partner is fixed or an IP range is entered from which the connections are taken. The device learns the reachable remote subnets from the partner.

Authentication method
● CA certificate, device and partner certificate (digital signatures)
The use of certificates is an asymmetrical cryptographic system in which every node (device) has a pair of keys. Each node has a secret, private key and a public key of the partner.
Default Ciphers
During connection establishment a preset list can be transferred to the VPN connection partners. The list contains combinations of the three algorithms (Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner must support at least one of these combinations.

Dead peer detection
This is only possible when the VPN partner supports DPD. DPD checks whether the connection is still operating problem free or whether there has been an interruption on the line. Without DPD and depending on the configuration, it may be necessary to wait until the SA lifetime has expired or the connection must be reinitiated manually.

3.5.6.3 VPN connection establishment
The device supports the following options for establishing a VPN connection.
● OpenVPN: Security > OpenVPN > Connections (Page 293)
● IPsec VPN: Security > IPsec VPN > Connections (Page 284)
● ...

Digital input (DI)
The establishment of the VPN tunnel can also be controlled via the digital input, e.g. using a button. When the button is closed, voltage is applied to the digital input and the LED of the digital input lights up.
Notification options
If the status of the digital input or a VPN tunnel (IPsec, OpenVPN, SINEMA RC) changes, the device provides several options for notification on the "Events (Page 137)" page.
Type of notification | Behavior if there is a status change
Digital Input | Controls the digital output or signals the status change with the "DO" LED. A consumer can be connected to the digital output. You will find information on connecting in the operating instructions of the devices.

3.6 Redundancy
3.6.1 Spanning Tree
Avoiding loops on redundant connections
The spanning tree algorithm allows network structures to be created in which there are several connections between two IE switches / bridges. Spanning tree prevents loops being formed in the network by allowing only one path and disabling the other (redundant) ports for data traffic.

3.6.1.1 RSTP
Rapid Spanning Tree Protocol (RSTP)
One disadvantage of STP is that if there is a disruption or a device fails, the network needs to reconfigure itself: The devices start to negotiate new paths only when the interruption occurs. This can take up to 30 seconds.

Several VRRP routers in a network segment are put together as a logical group representing a virtual router (VR). The group is defined using the virtual ID (VRID). Within the group, the VRID must be the same. The VRID can no longer be used for other groups. The virtual router is assigned a virtual IP address and a virtual MAC address.
Configuring with Web Based Management
Web Based Management
How it works
The device has an integrated HTTP server for Web Based Management (WBM). If a device is addressed with a Web browser, it returns HTML pages to the Admin PC depending on the user input.

4.2 Starting and logging in
● If a firewall is used, the relevant ports must be opened.
– For access using HTTPS: TCP port 443
● The display of the WBM was tested with the following desktop Web browsers:
– ...

Changing language
1. From the drop-down list at the top right, select the language version of the WBM pages.
2. Click the "Go" button to change to the selected language.
Default Login Page
Under "System > ...

You can show an additional text on the login page.
1. Create a txt file that contains the desired text or the ASCII type. With ASCII type, pictograms, e.g. the Siemens company logo, are displayed based on the available characters.
Note
The use of the following special characters is not supported:
● ...

3. Click the "Login" button or confirm your input with "Enter".
Note
When you log in for the first time or following a "Restore Factory Defaults and Restart", you can rename the "admin" user preset in the factory once. Afterwards, renaming "admin" is no longer possible.
After successful login, the WBM page "User Specific Firewall Information" opens. The current ruleset and the remaining time are displayed. If needed, the user can extend the access time via the "Reset Timeout" button.

4.3 "Wizard" menu
Buttons you require often
The WBM pages of the Basic Wizard contain the following buttons:
Button | Description
| Goes to the next page
| Goes back to the previous page
| The Basic Wizard is closed without adopting the settings.
| Saves the configuration and exits the Basic Wizard.

Description
The Basic Wizard page contains the following boxes:
● Internal (vlan1)
In this area make the settings for connection to the LAN.
– IP Address
Enter the IPv4 address of the interface that is unique within your network.
– ...

4.3.3 Device
Introduction
On this Basic Wizard page, you configure the general device information.
Description
The Basic Wizard page contains the following boxes:
● System Name
You can enter the name of the device. If you configure this box, this configuration is adopted and displayed in the selection area.

4.3.4 Time Settings
Time setting
On this Basic Wizard page, you set the date and time of the system.
Description
Manual time setting:
● Time Manually
Enable or disable manual setting of the time. If you enable the option, the "System Time" input box can be edited.

In the table, configure the NTP server:
● Select
Select the row you want to delete.
● NTP Server Index
Number corresponding to a specific NTP server entry.
● NTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the NTP server.

4.3.5 DDNS
On this Basic Wizard page, you configure the dynamic DNS client (DDNS client). The DDNS client synchronizes the assigned IP address with the hostname registered at the DDNS provider. This means that the device can always be reached using the same hostname.
Description
The table has the following columns:
● ...

4.3.6 SINEMA RC
On this Basic Wizard page, you configure the access to the SINEMA RC server.
Note
This function can only be used with a KEY PLUG (Page 22).
Description
The page contains the following:
● Enable SINEMA RC
– Enabled: A connection to the configured SINEMA RC Server is established. These boxes cannot be edited.
– Disabled: The boxes can be edited. Any existing connection is terminated.
"Server settings" ...

"Optional Settings" area
● Auto Firewall/NAT Rules
– Enabled
The firewall and NAT rules are created automatically for the VPN connection. The connections between the configured exported subnets and the subnets that can be reached via the SINEMA RC Server are allowed.

4.3.7 Summary
Introduction
The settings are summarized on this page. The content of the page depends on the set parameters and the device. Check the settings before you exit the Basic Wizard with the "Set Values" button. If settings are incorrect, go back using the "Prev" ...

Set Values
Click the "Set Values" button to exit the Basic Wizard. The settings are adopted.

4.4 "Information" menu
4.4.1 Start Page
View of the Start page
When you enter the IP address of the device, the start page is displayed after a successful login.
General layout of the WBM page
The following areas are available on every WBM page:
● ...
● Navigation area (3): Left-hand area
● Content area (4): Middle area
Selection area (1)
The following is available in the selection area:
● Logo of Siemens AG
When you click on the logo, you arrive at the Internet page of the corresponding basic device in Siemens Industry Online Support.
● Favorites
When the product ships, the button is disabled on all pages. If you click this button, the symbol changes and the currently open page or currently open tab is marked as favorite. Once you have enabled the button once, the navigation area is divided into two tabs.
● DDNS Status
If a dynamic DNS service is used, the host name of the device is displayed, e.g. example.no-ip.com. The status of the update is also displayed.
– update successful: Update successful
– ...
● Page back with "Prev"
On WBM pages with a lot of data records, the number of data records that can be displayed on a page is limited. Click the "Prev" button to page back through the data records.
● ...

4.4.2 Versions
This WBM page shows the versions of the hardware and software of the device.
Description
Table 1 has the following columns:
● Hardware
– Basic Device
Shows the basic device
● ...

4.4.3 Identification & Maintenance
Identification and Maintenance data
This page contains information about device-specific vendor and maintenance data such as the order number, serial number, version number etc. You cannot configure anything on this page.
● Location tag
Shows the location tag of the device. The location identifier (LID) is created during configuration of the device with HW Config of STEP 7.
● Date
Shows the date created during configuration of the device with HW Config of STEP 7.
● ...

4.4.5 Log Tables
4.4.5.1 Event log
Logging events
The WBM page shows the system events that have occurred in the form of a table. Some of the system events can be configured in "System > Events", for example if the connection status of a port has changed.
Page 88
Configuring with Web Based Management 4.4 "Information" menu Description ● Severity Filters You can filter the entries in the table according to severity. To display all the entries, enable or disable all parameters. Note For each severity, a maximum of 400 entries in the table are possible. If the maximum number of entries is reached for a severity, the oldest entries of this severity are overwritten in the table.
Configuring with Web Based Management 4.4 "Information" menu 4.4.5.2 Security Log The WBM page shows the events that occurred during communication via a secure VPN tunnel in the form of the table. SCALANCE S615 Web Based Management Configuration Manual, 11/2019, C79000-G8976-C388-08...
Page 90
Configuring with Web Based Management 4.4 "Information" menu Description ● Severity Filters You can filter the entries in the table according to severity. To display all the entries, enable or disable all parameters. Note For each severity, a maximum of 400 entries in the table are possible. If the maximum number of entries is reached for a severity, the oldest entries of this severity are overwritten in the table.
Configuring with Web Based Management 4.4 "Information" menu 4.4.5.3 Firewall Log The firewall log logs the events that occurred on the firewall. When you create firewall rules, you can specify the event severity with which they are logged. Description ● Severity Filters You can filter the entries in the table according to severity.
Configuring with Web Based Management 4.4 "Information" menu The table has the following columns: ● Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which the corresponding event occurred. ● System Up Time Shows the time the device has been running since the last restart when the described event occurred.
Configuring with Web Based Management 4.4 "Information" menu Description ● No. of Signaled Faults Indicates how often the fault LED lit up and not how many faults occurred. ● Reset Counters button The number is reset with this button. The counter is reset when there is a restart. The table contains the following columns: ●...
Configuring with Web Based Management 4.4 "Information" menu ● Allocation Method Shows whether the IPv4 address was assigned statically or dynamically. You configure the static entries in "System > DHCP > Static Leases". ● Binding State Shows the status of the assignment. –...
Configuring with Web Based Management 4.4 "Information" menu 4.4.9 LLDP Status of the neighborhood table This page shows the current content of the neighborhood table. This table stores the information that the LLDP agent has received from connected devices. You set the interfaces via which the LLDP agent receives or sends information in the following section: "Layer 2 >...
Configuring with Web Based Management 4.4 "Information" menu ● Capability Shows the properties of the connected device: – Router – Bridge – Telephone – DOCSIS Cable Device – WLAN Access Point – Repeater – Station – Other ● Port ID Device port that is connected to the device.
Configuring with Web Based Management 4.4 "Information" menu ● Metric Shows the metric of the route. The higher value, the longer packets require to their destination. ● Routing Protocol Shows the routing protocol from which the entry in the routing table originates. The following entries are possible: –...
● Rekey Time Shows when the validity of the key expires. ● Status Shows the status of the VPN connection. 4.4.12 SINEMA RC Shows information on SINEMA RC Server. Note This function can only be used with a KEY PLUG.
Configuring with Web Based Management 4.4 "Information" menu Description of the displayed values ● Status Shows the status of the connection to SINEMA RC Server. ● Device Name If configured, the name of the device is displayed. ● Device Location If configured, the location of the device is displayed.
Configuring with Web Based Management 4.4 "Information" menu 4.4.13 OpenVPN client The WBM page shows the status of the activated OpenVPN connections. Description of the displayed values This table contains the following columns: ● Name Shows the name of the OpenVPN connection. ●...
Configuring with Web Based Management 4.4 "Information" menu 4.4.14 Redundancy 4.4.14.1 Overview MSTP-CIST configuration The page consists of the following parts. ● The left-hand side of the page shows the configuration of the device. ● The right-hand part shows the configuration of the root bridge that can be derived from the spanning tree frames received by a device.
Configuring with Web Based Management 4.4 "Information" menu ● Root Port Shows the port via which the switch communicates with the root bridge. ● Root Cost The path costs from this device to the root bridge. ● Topology Changes / Last Topology Change The entry for the device shows the number of reconfiguration actions due to the spanning tree mechanism since the last startup.
4.4.14.2 Spanning Tree Introduction The page shows the current information about the spanning tree and the settings of the root bridge.
Configuring with Web Based Management 4.4 "Information" menu Description of the displayed values The following fields are displayed: ● Spanning Tree Mode Shows the set mode. You specify the mode in "Layer 2 > Configuration" and in "Layer 2 > Spanning Tree >...
Configuring with Web Based Management 4.4 "Information" menu ● Status Shows the current status of the interface. The values are only displayed. The parameter depends on the configured protocol. – Discarding The port receives BPDU frames. Other incoming or outgoing frames are discarded. –...
Configuring with Web Based Management 4.4 "Information" menu ● Edge Type Shows the type of the connection. The following values are possible: – Edge Port There is an end device at this port. – No Edge Port There is a spanning tree or rapid spanning tree device at this port. ●...
Configuring with Web Based Management 4.4 "Information" menu Description The following fields are displayed: ● VRID Errors Shows how many VRRPv3 packets containing an unsupported VRID were received. ● Version Errors Shows how many VRRPv3 packets containing an invalid version number were received. ●...
Configuring with Web Based Management 4.4 "Information" menu ● Prio 0 received Shows how many VRRPv3 packets with priority 0 were received. VRRPv3 packets with priority 0 are sent when a master router is shut down. These packets allow a fast handover to the relevant backup router.
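To make the VRRPv3 statistics above concrete, here is an added example (not from the Siemens manual) that parses the VRRPv3 advertisement header from RFC 5798 and maintains the same counters for a configured set of VRIDs: version errors, VRID errors and priority-0 advertisements. The packets are constructed inline, the checksum field is left at zero because validating it needs the IP pseudo-header, and the accepted VRID set is an assumed configuration. The priority-0 counter is worth watching: VRRPv3 has no message authentication, so a spoofed "master shutting down" advertisement on the segment forces a handover.

```python
"""Parse VRRPv3 advertisements (RFC 5798, section 5.2) and keep the error
counters the WBM page displays. Added example with constructed packets; the
VRRP checksum is not validated (it covers an IP pseudo-header not present here)."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class VrrpStats:
    received: int = 0
    version_errors: int = 0   # version field != 3
    vrid_errors: int = 0      # VRID not configured on this router
    prio0_received: int = 0   # master announcing shutdown (fast handover)


def build_vrrp(version, vrid, priority, max_adver_int_cs, addrs):
    """Build an advertisement in VRRPv3 layout. Checksum left at zero (constructed test data)."""
    header = struct.pack("!BBBBHH",
                         (version << 4) | 1,            # version | type 1 = ADVERTISEMENT
                         vrid, priority, len(addrs),
                         max_adver_int_cs & 0x0FFF,     # rsvd(4) | max adver int (12), centiseconds
                         0)
    return header + b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def parse_vrrp(pkt):
    if len(pkt) < 8:
        raise ValueError("short VRRP header")
    vt, vrid, prio, naddr, rsvd_adv, _csum = struct.unpack("!BBBBHH", pkt[:8])
    if len(pkt) < 8 + 4 * naddr:
        raise ValueError("truncated address list")
    return {
        "version": vt >> 4,
        "type": vt & 0x0F,
        "vrid": vrid,
        "priority": prio,
        "max_adver_int_cs": rsvd_adv & 0x0FFF,
        "addresses": [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(naddr)],
    }


def process(pkt, configured_vrids, stats):
    """Classify one received advertisement the way the page's counters do.
    Returns the parsed header if it is acceptable, otherwise None."""
    stats.received += 1
    hdr = parse_vrrp(pkt)
    if hdr["version"] != 3:
        stats.version_errors += 1
        return None
    if hdr["vrid"] not in configured_vrids:
        stats.vrid_errors += 1
        return None
    if hdr["priority"] == 0:
        # Priority 0 means "I am stepping down". VRRPv3 carries no authentication,
        # so a spoofed advertisement like this forces a failover on the segment.
        stats.prio0_received += 1
    return hdr


# Constructed sample traffic: one good advert, one VRRPv2, one unknown VRID, one shutdown
CONFIGURED_VRIDS = {1}
SAMPLE_PACKETS = [
    build_vrrp(3, 1, 100, 100, ["192.168.1.254"]),
    build_vrrp(2, 1, 100, 100, ["192.168.1.254"]),
    build_vrrp(3, 7, 100, 100, ["192.168.1.254"]),
    build_vrrp(3, 1, 0, 100, ["192.168.1.254"]),
]


def run_sample():
    stats = VrrpStats()
    for pkt in SAMPLE_PACKETS:
        process(pkt, CONFIGURED_VRIDS, stats)
    return stats


if __name__ == "__main__":
    print(run_sample())
```

Feeding the four constructed packets through `process` yields one version error, one VRID error and one priority-0 advertisement out of four received, which is exactly the breakdown the WBM counters give you.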
Configuring with Web Based Management 4.4 "Information" menu Description Services The "Services" list shows the security settings. ● Telnet Server You configure the setting in "System > Configuration". – Enabled: Unencrypted access to the CLI. – Disabled: No unencrypted access to the CLI. ●...
Configuring with Web Based Management 4.4 "Information" menu ● Web Server You configure the setting in "System > Configuration". – HTTP/HTTPS: Access to the WBM is possible with HTTP and HTTPS. – HTTPS: Access to the WBM is now only possible with HTTPS. ●...
Configuring with Web Based Management 4.4 "Information" menu the rights of the associated role. If the corresponding group is known on the device, both tables are evaluated. The user is assigned the role with the higher rights. Note The table "External User Accounts" is only evaluated if you have set "SiemensVSA" in the RADIUS Authorization Mode.
Configuring with Web Based Management 4.4 "Information" menu 4.4.16.3 Roles Note The values displayed depend on the role of the logged-on user. The page shows the roles valid locally on the device. Description The table contains the following columns: ● Role Shows the name of the role.
Configuring with Web Based Management 4.5 "System" menu Description of the displayed values The table has the following columns: ● Group Shows the name of the group. The name matches the group on the RADIUS server. ● Role Shows the name of the role. Users who are authenticated with the linked group on the RADIUS server receive the rights of this role locally on the device.
Configuring with Web Based Management 4.5 "System" menu Description The page contains the following boxes: ● Telnet Server Enable or disable the "Telnet Server" service for unencrypted access to the CLI. ● Telnet Port Specify the port for Telnet access to the CLI. ●...
● HTTPS Server Enable or disable HTTPS access to the WBM. ● HTTPS Port Specify the port for HTTPS access to the WBM. ● HTTP Services Specify how the WBM is accessed: –
Configuring with Web Based Management 4.5 "System" menu ● Time Select the setting from the drop-down list. The following settings are possible: – Manual The system time is set manually. You can configure other settings in "System > System Time > Manual Setting". –...
Configuring with Web Based Management 4.5 "System" menu ● Link-layer Address Plus Time (LLT) The value is based on the link layer address of the interface and a time stamp. The value is regenerated each time the factory settings are restored. ●...
Configuring with Web Based Management 4.5 "System" menu 4.5.2 General 4.5.2.1 Device This WBM page contains the general device information. Description The WBM page contains the following boxes: ● Current System Time Shows the current system time. The system time is either set by the user or by a time-of-day frame: either SIMATIC time-of-day frame, NTP or SNTP.
Configuring with Web Based Management 4.5 "System" menu ● System Location You can enter the location where the device is installed. The entered installation location is displayed in the selection area. A maximum of 255 characters are possible. Note Permitted characters The following printable ASCII characters (0x20 to 0x7e) are permitted in the input fields "System Name", "System Contact"...
Configuring with Web Based Management 4.5 "System" menu The geographic coordinates can also be obtained using a GPS receiver. The geographic coordinates of these devices are normally displayed directly and only need to be entered in the input boxes of this page. Description The page contains the following input boxes with a maximum length of 32 characters.
Configuring with Web Based Management 4.5 "System" menu 4.5.3 Restart Resetting to the defaults Using the WBM page, you can restart the device manually or as scheduled. In addition, there are various options for resetting to the device defaults. Note Note the following points about restarting a device: ●...
Configuring with Web Based Management 4.5 "System" menu Description To restart the device, the buttons on this page provide you with the following options: ● Restart Click this button to restart the system. You must confirm the restart in a dialog box. During a restart, the device is reinitialized, the internal firmware is reloaded, and the device runs a self-test.
This ZIP file stores all the configuration backups you have created. Debug This file contains information for Siemens Support. It is encrypted and can be sent by e-mail to Siemens Support without any security risk. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.
Configuring with Web Based Management 4.5 "System" menu File type Description RunningSINEMA‐ You save the current device configuration in this file type for transfer to STEP 7 Config Basic/Professional. The file can be imported in STEP 7 Basic/Professional and installed on a device with the same article number and firmware version. Before you can save a file, you must assign a password for the "RunningSINE‐...
Admin PC. On this page, the certificates required to establish a secure VPN connection can also be loaded. Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Configuration files...
Configuring with Web Based Management 4.5 "System" menu You can use the file types as follows: ● For offline diagnostics You can save the faulty configuration of a device as "RunningSINEMAConfig" via the WBM and import it in STEP 7 Basic/Professional. No connection to a real device is required for the diagnostics in STEP 7 Basic/Professional.
Configuring with Web Based Management 4.5 "System" menu ● Load With this button, you can upload files to the device. The button can be enabled, if this function is supported by the file type. ● Save With this button, you can download files from the device. The button can only be enabled if this function is supported by the file type and the file exists on the device.
Configuring with Web Based Management 4.5 "System" menu You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts (Script). Note The downloadable CLI script is not intended to be uploaded again unchanged. CLI commands for saving and loading files cannot be executed with the CLI script file (Script). Exchange of configuration data with STEP 7 Basic/Professional using a file You use the two file types "RunningSINEMAConfig"...
Configuring with Web Based Management 4.5 "System" menu Description The page contains the following boxes: ● TFTP Server Address Enter the IP address or the FQDN (Fully Qualified Domain Name) of the TFTP server with which you exchange data. ● TFTP Server Port Enter the port of the TFTP server via which data exchange will be handled.
Configuring with Web Based Management 4.5 "System" menu ● Filename A file name is preset here for every file type. Note Changing the file name You can change the file name preset in this column. After loading on the device, the changed file name can also be used with the Command Line Interface.
Configuring with Web Based Management 4.5 "System" menu Exchange of configuration data with STEP 7 Basic/Professional using a file You use the two file types "RunningSINEMAConfig" and "SINEMAConfig" to exchange configuration data between a device (WBM) and STEP 7 Basic/Professional via a file. Requirements: ●...
Configuring with Web Based Management 4.5 "System" menu Description The page contains the following boxes: ● SFTP Server Address Enter the IP address or the FQDN of the SFTP server with which you exchange data. ● SFTP Server Port Enter the port of the SFTP server via which data exchange will be handled. If necessary, you can change the default value 22 to your own requirements.
Configuring with Web Based Management 4.5 "System" menu 4. If applicable, enter the name of a file in which you want to save the data or take the data from in "Filename". Note Files whose access is password protected To save and load these files on the device successfully, you need to enter the password specified for the file in "System"...
Configuring with Web Based Management 4.5 "System" menu 4.5.4.5 Passwords There are files to which access is password protected. To successfully load the file into the device, enter the password specified for the file on the WBM page. Description The table has the following columns: ●...
Configuring with Web Based Management 4.5 "System" menu Procedure 1. Enter the password in "Password". 2. To confirm the password, enter the password again in "Password Confirmation". 3. Select the "Enabled" option. 4. Click the "Set Values" button. 4.5.5 Events 4.5.5.1 Event Configuration Selecting system events...
Configuring with Web Based Management 4.5 "System" menu Description With Table 1, you can enable or disable all check boxes of a column of Table 2 at once. Table 1 has the following columns: ● All Events Shows that the settings are valid for all events of table 2. ●...
Configuring with Web Based Management 4.5 "System" menu Table 2 has the following columns: ● Event The "Event" column contains the following: – Cold/Warm Start The device was turned on or restarted by the user. In the error memory of the device a new entry is generated with the type of restart performed.
Configuring with Web Based Management 4.5 "System" menu – Mobile data usage (only with M87x) This event occurs when 75% or 100% of the defined data volume has been reached, see "Interfaces > Mobile > General". – Connection Check This event occurs when connections are being monitored, see "System > Connection Check".
Configuring with Web Based Management 4.5 "System" menu Procedure Establishing/terminating a VPN tunnel via the digital input 1. For the "Digital Input" event, enable the "VPN Tunnel" entry. 2. Configure the VPN connection – IPsec: In "Operation" set "wait on DI" or "start on DI". You will find more information on this in "IPsec >...
Configuring with Web Based Management 4.5 "System" menu Description The table has the following columns: ● Client Type Select the client type for which you want to make settings: – E-mail Sending system event messages by e-mail. – Log Table Entry of system events in the log table.
Configuring with Web Based Management 4.5 "System" menu Requirements for sending e-mails ● "E-mail" is activated for the relevant event in "System > Events > Configuration". ● The desired severity is configured under "System > Events > Severity level". ● At least one entry exists under "System > SMTP Client > Recipient" and the setting "Send" is activated.
Configuring with Web Based Management 4.5 "System" menu ● Security Specify whether transfer of the e-mail from the device to the SMTP server is encrypted. This is only possible when the SMTP server supports the selected setting. Note 2-factor authentication (2FA) 2-factor authentication is not supported.
Configuring with Web Based Management 4.5 "System" menu Testing the configuration of the SMTP server 1. Configure recipients – Click the "Recipient" tab. – Select the desired SMTP server under "SMTP server". – Enter the desired address under "E-mail address of the SMTP recipient". –...
Configuring with Web Based Management 4.5 "System" menu The table contains the following columns: ● Select Select the check box in a row to be deleted. ● SMTP Server Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server to which the entry relates.
4.5.7 SNMP 4.5.7.1 General Configuration of SNMP On this page, you make the basic settings for SNMP. Enable the check boxes according to the function you want to use.
Description The page contains the following boxes: ● SNMP Select the SNMP protocol from the drop-down list. The following settings are possible: – "-" (disabled) SNMP is disabled. – SNMPv1/v2c/v3 SNMPv1/v2c/v3 is supported. Note Note that SNMP in versions 1 and 2c does not have any security mechanisms: the community string is sent in clear text and provides neither authentication of the sender nor integrity protection of the request. Use SNMPv3 with authentication and encryption wherever the management station supports it.
Configuring with Web Based Management 4.5 "System" menu ● SNMP Engine ID Shows the SNMP engine ID. ● SNMP Agent Listen Port Specify the port at which the SNMP agent waits for the SNMP queries. Procedure 1. Select the required option from the "SNMP" drop-down list: –...
Description The page contains the following boxes: ● Trap Receiver Address Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the station to which the device sends SNMP traps. You can specify up to ten different recipient servers.
Configuring with Web Based Management 4.5 "System" menu 4.5.7.3 v3 Groups Security settings and assigning permissions SNMP version 3 allows permissions to be assigned, authentication, and encryption at protocol level. The security level and read/write permissions are assigned according to groups. The settings automatically apply to every member of a group.
Configuring with Web Based Management 4.5 "System" menu ● Write Enable or disable write access for the required group. Note For write access to work, you also need to enable read access. ● Persistence Shows whether or not the group is assigned to an SNMPv3 user. If the group is not assigned to an SNMPv3 user, no automatic saving is triggered and the configured group is deleted after restarting the device.
Configuring with Web Based Management 4.5 "System" menu 4.5.7.4 v3 users User-specific security settings On the WBM page, you can create new SNMPv3 users and modify or delete existing users. The user-based security model works with the concept of the user name; in other words, a user ID is added to every frame.
Configuring with Web Based Management 4.5 "System" menu ● Group Name Select the group which will be assigned to the user. ● Authentication Protocol Specify the authentication protocol for which a password will be stored. The following settings are available: –...
Configuring with Web Based Management 4.5 "System" menu Procedure Create a new user 1. Enter the name of the new user in the "User Name" input box. 2. Click the "Create" button. A new entry is generated in the table. 3.
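The authentication password you store for an SNMPv3 user is never used on the wire as such: the manager derives a key from it and then localizes that key with the agent's SNMP engine ID (the value shown under "System > SNMP > General"), so the same password yields a different key on every device. The following is an added example, not Siemens code, that implements the RFC 3414 key derivation and the HMAC-96 authentication parameter; it checks itself against the RFC 3414 Appendix A.3 test vector (password "maplesyrup", engine ID 00..02), and the message bytes used at the end are constructed.

```python
"""SNMPv3 USM key derivation (RFC 3414, A.2): turn the user's password into the
per-engine localized key and compute the HMAC-96 authentication parameter.
Added example, not Siemens code; the engine ID below is the RFC 3414 test
vector, on a real device it is the one shown on the SNMP General page."""
import hashlib
import hmac


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated/truncated to exactly 1 048 576 bytes)."""
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to exactly one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def auth_parameter(kul: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with the 12
    parameter bytes zeroed by the caller), truncated to 96 bits."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, hash_name: str = "sha1") -> bool:
    # Constant-time comparison: the receiver must not leak how many bytes matched.
    return hmac.compare_digest(auth_parameter(kul, whole_msg, hash_name), received)


# RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02
ENGINE_ID = bytes.fromhex("000000000000000000000002")
PASSWORD = b"maplesyrup"


def demo():
    """Same password, two engine IDs: the localized keys differ, so a key
    recovered from one agent is not directly usable against another."""
    kul_a = password_to_localized_key(PASSWORD, ENGINE_ID)
    kul_b = password_to_localized_key(PASSWORD, bytes.fromhex("000000000000000000000003"))
    msg = b"\x30\x10constructed-snmp-message"      # constructed, not a real BER PDU
    param = auth_parameter(kul_a, msg)
    return {"keys_differ": kul_a != kul_b,
            "verifies": verify_auth(kul_a, msg, param),
            "tampered": verify_auth(kul_a, msg + b"x", param)}


if __name__ == "__main__":
    print("Kul (SHA-1):", password_to_localized_key(PASSWORD, ENGINE_ID).hex())
    print(demo())
```

Two practical consequences follow from this: the engine ID is part of the key material, so a manager that polls the device after a factory reset may need to re-learn it; and with MD5 or SHA-1 authentication the password is the only secret, so choose it as you would any other device credential, and prefer the SHA and AES options over MD5 and DES where the device and manager offer them.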
Configuring with Web Based Management 4.5 "System" menu 4.5.8.1 Manual Setting Manual setting of the system time On this page, you set the date and time of the system yourself. For this setting to be used, enable "Time Manually". Description The page contains the following boxes: ●...
Configuring with Web Based Management 4.5 "System" menu ● Last Synchronization Mechanism Shows how the last time synchronization was performed. – Not set The time was not set. – Manual Manual time setting – SNTP Automatic time-of-day synchronization with SNTP –...
Configuring with Web Based Management 4.5 "System" menu 4.5.8.2 DST Overview Daylight saving time switchover On this page, you can create new entries for the daylight saving time changeover. The table provides an overview of the existing entries. Settings The page contains the following boxes: ●...
Configuring with Web Based Management 4.5 "System" menu ● Status Shows the status of the entry: – Enabled The entry was created correctly. – Invalid The entry was created new and the start and end date are identical. ● Type Shows how the daylight saving time changeover is made: –...
Configuring with Web Based Management 4.5 "System" menu 4.5.8.3 DST Configuration Configuring the daylight saving time switchover On this page, you can configure the entries for the daylight saving time changeover. As result of the changeover to daylight saving or standard time, the system time for the local time zone is correctly set.
Configuring with Web Based Management 4.5 "System" menu You can set a fixed date for the start and end of daylight saving time. ● Year Enter the year for the daylight saving time changeover. ● Start Date Enter the following values for the start of daylight saving time: –...
Configuring with Web Based Management 4.5 "System" menu You can create a rule for the daylight saving time changeover. ● Year Enter the year for the daylight saving time changeover. ● Start Date Enter the following values for the start of daylight saving time: –...
Configuring with Web Based Management 4.5 "System" menu 4.5.8.4 SNTP Client Time-of-day synchronization in the network SNTP (Simple Network Time Protocol) is used for synchronizing the time in the network. The appropriate frames are sent by an SNTP server in the network. Note To avoid time jumps, make sure that there is only one time server in the network.
Description The page contains the following boxes: ● SNTP Client When enabled, the device receives the system time from an SNTP server. ● Current System Time Shows the current date and current normal time received by the device. If you specify a time zone, the time information is adapted accordingly.
Configuring with Web Based Management 4.5 "System" menu ● SNTP Mode Select the synchronization mode from the drop-down list. The following types are possible: – Poll If you select this mode, the text boxes "SNTP Server Address", "SNTP Server Port" and "Poll Interval[s]"...
3. Select one of the following options from the "SNTP Mode" drop-down list: – Poll For this mode, you need to configure the following: - time zone difference (step 2) - query interval (step 4) - time server (step 5) - port (step 7) - complete the configuration with step 8.
Configuring with Web Based Management 4.5 "System" menu Requirement To receive the NTP frames, enable the entry "System Time" under "Security > Firewall > Pre- defined IPv4 rules". Description The page contains the following boxes: ● NTP client When enabled, the device receives the system time from an NTP server. ●...
Configuring with Web Based Management 4.5 "System" menu ● Last Synchronization Mechanism Shows how the last time synchronization was performed. The following methods are possible: – Not set The time was not set. – Manual Manual time setting – SNTP Automatic time-of-day synchronization with SNTP –...
● NTP Server Port Enter the port of the NTP server. The following ports are possible: – 123 (standard port) – 1025 to 36564 ● Poll Interval Specify the interval between two time queries. The greater the interval, the less accurate the time of the device.
Configuring with Web Based Management 4.5 "System" menu To synchronize the time of day via a secure NTP server, the following additional steps are necessary: 1. Click the "Secure NTP Client only" check box to enable the automatic time setting using Secure NTP.
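The page does not spell out what "Secure NTP" authenticates or how. The following added example, which is not Siemens code, assumes the symmetric-key scheme of RFC 5905 (section 7.3): a 48-byte NTP packet is followed by a 32-bit key identifier and a digest over key || packet, and the receiver recomputes the digest with the key it has stored under that identifier. The key table, the key ID and the timestamp are constructed for the example; MD5 is used because it is the digest RFC 5905 specifies for this MAC.

```python
"""NTP symmetric-key authentication (RFC 5905, section 7.3 "MAC"): a 48-byte
client request followed by key ID and digest(key || packet). Added example;
it assumes the RFC 5905 scheme, not any device-specific detail of the S615's
"Secure NTP" option."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
NTP_HEADER_LEN = 48


def build_client_packet(transmit_time: float) -> bytes:
    """LI=0, VN=4, mode=3 (client); every field zero except the transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(transmit_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_time - int(transmit_time)) * (1 << 32))
    return (struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
            + b"\x00" * 12                              # root delay, root dispersion, reference ID
            + b"\x00" * 24                              # reference, origin, receive timestamps
            + struct.pack("!II", secs, frac))           # transmit timestamp (bytes 40..47)


def append_mac(pkt: bytes, key_id: int, key: bytes, hash_name: str = "md5") -> bytes:
    """Sender side: key ID followed by digest over the shared key and the packet."""
    digest = hashlib.new(hash_name, key + pkt).digest()
    return pkt + struct.pack("!I", key_id) + digest


def verify_mac(msg: bytes, keys: dict, hash_name: str = "md5"):
    """Receiver side: return the key ID when the trailing MAC verifies with a
    known key, otherwise None (unknown key, wrong digest, or no MAC at all)."""
    dlen = hashlib.new(hash_name).digest_size
    if len(msg) < NTP_HEADER_LEN + 4 + dlen:
        return None
    body, key_id_raw, mac = msg[:-(4 + dlen)], msg[-(4 + dlen):-dlen], msg[-dlen:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    key = keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.new(hash_name, key + body).digest()
    return key_id if hmac.compare_digest(expected, mac) else None


def parse_header(msg: bytes) -> dict:
    b0 = msg[0]
    secs, frac = struct.unpack("!II", msg[40:48])
    return {"leap": b0 >> 6, "version": (b0 >> 3) & 7, "mode": b0 & 7,
            "transmit_unix": secs - NTP_EPOCH_OFFSET + frac / (1 << 32)}


KEYS = {1: b"constructed-shared-secret"}   # assumed key table: key ID 1


def demo() -> dict:
    pkt = build_client_packet(1_600_000_000.5)
    authed = append_mac(pkt, 1, KEYS[1])
    tampered = bytearray(authed)
    tampered[40] ^= 0x01                    # flip one bit of the transmit timestamp
    return {
        "ok": verify_mac(authed, KEYS),
        "tampered": verify_mac(bytes(tampered), KEYS),
        "unknown_key": verify_mac(authed, {2: KEYS[1]}),
        "unauthenticated": verify_mac(pkt, KEYS),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the four cases in `demo` is what a "Secure NTP client only" setting buys you: a server reply whose timestamp was altered in transit, a reply signed with a key the client does not know, and a plain unauthenticated reply are all rejected, so an attacker on the path can no longer shift the device clock (and with it log timestamps and certificate validity checks) simply by answering faster than the real server.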
Configuring with Web Based Management 4.5 "System" menu ● Last Synchronization Time Shows when the last time-of-day synchronization took place. ● Last Synchronization Mechanism Shows how the last time synchronization was performed. The following methods are possible: – Not set The time was not set.
Configuring with Web Based Management 4.5 "System" menu 4.5.8.7 NTP Server On this WBM page, you configure the device as an NTP server or as an NTP server of the type "NTP (secure)". The other devices can call up the time made available by the device via this NTP server.
Configuring with Web Based Management 4.5 "System" menu The table has the following columns: ● Select Select the row you want to delete. ● Interface Via this interface the time is transferred using NTP. ● Listen When enabled, the other devices can call up the time via this interface. ●...
Configuring with Web Based Management 4.5 "System" menu If you have been logged out automatically, you will need to log in again. Note No automatic logout from the CLI If the connection is not terminated after the set time, check the "Keep alive" setting on the Telnet client.
Configuring with Web Based Management 4.5 "System" menu 4.5.10 Button Functionality The SELECT/SET button is used to: ● Restart ● Load new firmware ● Reset to factory settings. You will find a detailed description of the functions in the operating instructions for the device. On this page, the functionality of the button can be restricted.
Configuring with Web Based Management 4.5 "System" menu Requirements for sending log entries ● The Syslog function is enabled on the device. ● The Syslog function is enabled for the relevant event. ● There is a Syslog server in your network that receives the log entries. ●...
Configuring with Web Based Management 4.5 "System" menu Procedure Enabling function 1. Select the "Syslog Client" check box. 2. Click the "Set Values" button. Creating a new entry 1. In the "Syslog Server Address" input box, enter the IP address of the Syslog server on which the log entries will be saved.
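Once the device forwards its log entries, the receiving side has to interpret the syslog priority and apply the same kind of severity filter the firewall log page offers. The following is an added example, not part of the manual, that parses the RFC 3164/5424 PRI header, filters by severity and runs one simple detection (repeated drops from the same source) over a handful of constructed log lines; the message text after the header (`firewall: rule=... action=...`) is invented for the example and is not the device's real log format.

```python
"""Parse syslog lines as a syslog server receives them from the device, apply
a severity filter and a simple detection over firewall events. Added example;
the message bodies below are constructed, not the device's real format."""
import re
from collections import Counter

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
FW_RE = re.compile(r"firewall: rule=(?P<rule>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def parse_pri(line: str):
    """PRI = facility * 8 + severity (RFC 3164 4.1.1, RFC 5424 6.2.1)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no PRI header")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group("rest")


def parse_line(line: str) -> dict:
    facility, severity, rest = parse_pri(line)
    rec = {"facility": facility, "severity": severity,
           "severity_name": SEVERITY_NAMES[severity], "msg": rest}
    m = FW_RE.search(rest)
    if m:                                   # firewall event: lift the fields out
        rec.update(m.groupdict())
        rec["dport"] = int(rec["dport"])
    return rec


def filter_by_severity(records, max_severity: int):
    """Keep entries at least as severe as max_severity (0 = emerg ... 7 = debug)."""
    return [r for r in records if r["severity"] <= max_severity]


def repeated_drops(records, threshold: int) -> dict:
    """Sources whose packets the firewall dropped at least `threshold` times."""
    drops = Counter(r["src"] for r in records if r.get("action") == "drop")
    return {src: n for src, n in drops.items() if n >= threshold}


SAMPLE_LINES = [   # constructed: PRI 36 = auth/warning, 38 = auth/info, 46 = syslog/info
    "<36>Nov 12 10:00:01 s615 firewall: rule=3 action=drop src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=22",
    "<36>Nov 12 10:00:02 s615 firewall: rule=3 action=drop src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=23",
    "<36>Nov 12 10:00:03 s615 firewall: rule=3 action=drop src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=443",
    "<38>Nov 12 10:00:04 s615 firewall: rule=1 action=accept src=192.168.1.20 dst=192.168.1.10 proto=tcp dport=502",
    "<36>Nov 12 10:00:05 s615 firewall: rule=3 action=drop src=10.0.0.9 dst=192.168.1.10 proto=udp dport=161",
    "<46>Nov 12 10:00:10 s615 system: cold start",
]


def analyze(lines=SAMPLE_LINES) -> dict:
    records = [parse_line(line) for line in lines]
    return {
        "total": len(records),
        "warning_or_worse": len(filter_by_severity(records, 4)),
        "scanners": repeated_drops(records, 3),
    }


if __name__ == "__main__":
    print(analyze())
```

The severity you assign to a firewall rule decides whether its hits survive a filter like `filter_by_severity`; log blocked traffic at warning or above and accepted traffic at info, otherwise the drops that matter are buried under routine entries.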
Configuring with Web Based Management 4.5 "System" menu Description Table 1 has the following columns: ● 1st column Shows that the settings are valid for all ports. ● Setting Select the setting from the drop-down list. You have the following setting options: –...
Configuring with Web Based Management 4.5 "System" menu Procedure Configure error monitoring for a port 1. From the relevant drop-down list, select the options of the slots / ports whose connection status you want to monitor. 2. Click the "Set Values" button. Configure error monitoring for all ports 1.
Configuring with Web Based Management 4.5 "System" menu Note The action is only executed after you click the "Set Values" button. The action cannot be undone. If you decide against executing the function after making your selection, click the "Refresh" button.
Configuring with Web Based Management 4.5 "System" menu Description The table has the following rows: ● Status Shows the status of the PLUG. The following are possible: – ACCEPTED There is a PLUG with a valid and suitable configuration in the device. –...
Configuring with Web Based Management 4.5 "System" menu ● Info String Shows additional information about the device that used the PLUG previously, for example, article number, type designation, and the versions of the hardware and software. The displayed software version corresponds to the version in which the configuration was last changed.
Configuring with Web Based Management 4.5 "System" menu Note Incompatibility with previous versions with PLUG inserted During the installation of a previous version, the configuration data can be lost. In this case, the device starts up with the factory settings after the firmware has been installed. In this situation, if a PLUG is inserted in the device, following the restart, this has the status "NOT ACCEPTED"...
Configuring with Web Based Management 4.5 "System" menu Description ● Status Shows the status of the KEY-PLUG. The following are possible: – ACCEPTED There is a KEY-PLUG with a valid and matching license in the device. – NOT ACCEPTED The license of the inserted KEY-PLUG is not valid. –...
Configuring with Web Based Management 4.5 "System" menu 4.5.14 Ping Reachability of an address in an IPv4 network With the ping function, you can check whether a certain IPv4 address is reachable in the network. Description The table has the following columns: ●...
Configuring with Web Based Management 4.5 "System" menu 4.5.15 DCP Discovery On this page, you can select an interface and search for devices that are reachable via the interface and support DCP. DCP Discovery only searches for devices located in the same subnet as the interface.
Configuring with Web Based Management 4.5 "System" menu The table has the following columns: ● Port Shows the port via which the device can be reached. ● MAC Address Shows the MAC address of the device. ● Device Type Shows the product line or product group to which the device belongs. ●...
4.5.16 DNS 4.5.16.1 DNS Client On the WBM page you specify whether or not the device uses the DNS server of the network provider or another DNS server. Description The page contains the following boxes: ●
Configuring with Web Based Management 4.5 "System" menu ● DNS Server Address Shows the IP address of the DNS server. ● Origin Shows whether the DNS server was configured manually or was assigned by DHCP. 4.5.16.2 DNS Proxy The device provides a DNS server for the local network. If you enter the IP address of the device in the local application as a DNS server, then the device answers the DNS requests from its cache.
Description The table has the following columns: ● Service Shows which providers are supported. ● Enabled When enabled, the device logs on to the DDNS server. ● Host Enter the host name that you have agreed with your DDNS provider for the device, e.g. example.no-ip.com.
Configuring with Web Based Management 4.5 "System" menu 4.5.17 DHCP 4.5.17.1 DHCP Client If the device is configured as a DHCP client, it starts a DHCP request. As the reply to the query the device receives an IPv4 address from the DHCP server. The server manages an address range from which it assigns IPv4 addresses.
Configuring with Web Based Management 4.5 "System" menu Description The page contains the following boxes: ● Keep Alive When this is enabled, the IP address is retained in the event of a connection breakdown and is not reset to 0.0.0.0. Keep Alive is enabled by default. When Keep Alive is disabled, the IP address is reset to 0.0.0.0 in the event of a communication breakdown.
Configuring with Web Based Management 4.5 "System" menu The table has the following columns: ● Interface Interface to which the setting relates. ● DHCP Enable or disable the DHCP client for the relevant interface. ● IAID Value Value with which the interface (DHCP client) identifies itself with the DHCP server. Procedure Follow the steps below to configure the IP address using the DHCP client ID: 1.
Configuring with Web Based Management 4.5 "System" menu Requirement ● The connected devices are configured so that they obtain the IP address from a DHCP server. Description The page contains the following boxes: ● DHCP Server Enable or disable the DHCP server on the device. Note To avoid conflicts with IPv4 addresses, only one device may be configured as a DHCP server in the network.
Configuring with Web Based Management 4.5 "System" menu ● Interface Select a VLAN IP interface. The IPv4 addresses are assigned dynamically via this interface. The requirement for the assignment is that the IPv4 address of the interface is located in the subnet of the IPv4 address band.
Configuring with Web Based Management 4.5 "System" menu Description The page contains the following boxes: ● Pool ID Select the required address band. ● Option Code Enter the number of the required DHCP option. Note DHCP options supported The DHCP options 1, 2, 3, 4, 5, 6, 42, 66, 67 are supported. The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address band is created.
Configuring with Web Based Management 4.5 "System" menu ● Use Interface IP Specify whether or not the internal IP address of the device will be used. ● Value Enter the DHCP parameter that is transferred to the DHCP client. The content depends on the DHCP option.
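The "Value" box holds the payload of one DHCP option, and its format depends on the option code. As an added example, not Siemens code, the following encodes and decodes the option codes the page lists (1, 2, 3, 4, 5, 6, 42, 66, 67) in the RFC 2132 type-length-value format, including the length checks a receiver needs against truncated or malformed option fields; the pool contents are constructed. Options 66 and 67 deserve particular attention: they tell a booting client which TFTP server and boot file to use, which is one reason why the page insists on a single DHCP server in the network.

```python
"""Encode and decode the DHCP options the S615 DHCP server supports (RFC 2132
TLV format). Added example, not device code; the pool values are constructed."""
import ipaddress
import struct

OPTION_NAMES = {1: "Subnet Mask", 2: "Time Offset", 3: "Router", 4: "Time Server",
                5: "Name Server", 6: "Domain Name Server", 42: "NTP Servers",
                66: "TFTP Server Name", 67: "Bootfile Name"}
IP_LIST_OPTIONS = {1, 3, 4, 5, 6, 42}     # one or more IPv4 addresses, 4 bytes each
STRING_OPTIONS = {66, 67}                 # ASCII strings
OPTION_PAD, OPTION_END = 0, 255


def encode_option(code: int, value) -> bytes:
    if code in IP_LIST_OPTIONS:
        addrs = [value] if isinstance(value, str) else list(value)
        data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif code == 2:
        data = struct.pack("!i", int(value))   # signed offset from UTC in seconds
    elif code in STRING_OPTIONS:
        data = str(value).encode("ascii")
    else:
        raise ValueError(f"option {code} not supported")
    if not 0 < len(data) <= 255:
        raise ValueError("option data must be 1..255 bytes")
    return bytes([code, len(data)]) + data


def encode_options(options: dict) -> bytes:
    return b"".join(encode_option(c, v) for c, v in options.items()) + bytes([OPTION_END])


def decode_options(blob: bytes) -> dict:
    """Parse an options field defensively: every length is checked against the
    remaining bytes before the payload is interpreted."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        if code in IP_LIST_OPTIONS:
            if length % 4:
                raise ValueError(f"option {code} length not a multiple of 4")
            out[code] = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
        elif code == 2:
            if length != 4:
                raise ValueError("option 2 must be 4 bytes")
            out[code] = struct.unpack("!i", data)[0]
        elif code in STRING_OPTIONS:
            out[code] = data.decode("ascii")
        else:
            out[code] = data                  # unknown option: keep raw bytes
        i += 2 + length
    return out


# Constructed pool for an address band in 192.168.1.0/24
POOL_OPTIONS = {1: "255.255.255.0", 3: "192.168.1.1", 6: ["192.168.1.1", "9.9.9.9"],
                42: "192.168.1.1", 66: "boot.example", 67: "pxelinux.0"}


if __name__ == "__main__":
    blob = encode_options(POOL_OPTIONS)
    for code, value in decode_options(blob).items():
        print(f"{code:3d} {OPTION_NAMES.get(code, '?'):20s} {value}")
```

If a client in your network suddenly reports a TFTP server (option 66) or boot file (option 67) you did not configure, a second DHCP server is answering; the decoder above is the kind of check a monitoring script can run on captured DHCP offers.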
4.5.17.4 Static Leases On this page you specify that certain devices will be assigned a certain IP address. The address assignment is made based on the MAC address, the client ID or the DUID.
Description The page contains the following boxes: ● Pool ID Select the required address band. ● Client Identification Method Select the method according to which a client is identified. – Ethernet MAC Identification is based on the MAC address.
To use the platform, additional service contracts are necessary and certain constraints must be observed. If you are interested in cRSP / SRS, contact your local Siemens representative or visit the Web page (https://support.industry.siemens.com/cs/gb/en/sc/2281).
● Scheme Identifies the access method and the resource type. https: Secure access to a Web page. ● Authority Contains the address of the destination server. ● Path Contains the target path to the resource. The target path can correspond to a directory name or file name.
● Address Enter the IPv4 address of the proxy server. ● Type Specify the type of the proxy server. – HTTP: Proxy server only for access using HTTP. – SOCKS: Universal proxy server ●...
Description The page contains the following: ● Enable SINEMA RC – Enabled: A connection to the configured SINEMA RC Server is established. While enabled, the server settings below cannot be edited. – Disabled: The boxes can be edited. Any existing connection is terminated. "Server settings"...
"Server Verification" area ● Verification Type – Fingerprint: The identity of the server is verified based on the fingerprint. Obtain the fingerprint from the server operator out of band and compare it character by character; a fingerprint accepted from the connection itself verifies nothing. – CA certificate: The identity of the server is verified based on the CA certificate. ●...
"Optional Settings" area ● Auto Firewall/NAT Rules – Enabled The firewall and NAT rules are created automatically for the VPN connection. The connections between the configured exported subnets and the subnets that can be reached via the SINEMA RC Server are allowed.
● Autoenrollment Interval [min] Specify the period of time in minutes after which queries are sent to the SINEMA RC server. With this query, the device checks whether there is a newer firmware file on the SINEMA RC server or whether the connection settings have changed.
● Size [KB] The first row "Available memory" shows how much memory is available for backups on the device. When you create a backup, the available memory space is reduced accordingly. The other rows show the size of each backup. ●...
The "Group" table contains the following columns: ● Group Identifier Index of the group. ● Name Specify a name for the group. The entry is displayed in the "Action" table as column name. ●...
4.6 "Interfaces" menu
4.6.1 Ethernet
4.6.1.1 Overview The page shows the configuration for the data transfer for all ports of the device. You cannot configure anything on this page. Description The table has the following columns: ●...
● Link Shows the connection status to the network. With the connection status, the following is possible: – Up The port has a valid link to the network, a link integrity signal is being received. –...
Description ● Port Select the port to be configured from the drop-down list. ● Status Specify whether the port is enabled or disabled. – enabled The port is enabled. Data traffic is possible only over an enabled port. –...
● Port Type Select the type of port from the drop-down list. – Switch Port VLAN Hybrid The port sends tagged and untagged frames. It is not automatically a member of a VLAN. –...
Description of the displayed values This table contains the following columns: ● Interface Shows the PPP interface. The entry is a link. If you click on the link, the corresponding configuration page is opened. ●...
Description The page contains the following: ● Interface Select the PPP interface to be configured. ● Name Shows the name of the PPP interface. You can change the name in "Layer 3 > Subnets". ●...
● Forced Disconnect After a certain time, the DSL provider terminates the connection. Enable this option if you want to shift the forced disconnect by your provider to a specific time of day, for example at night outside normal office hours.
Description ● Passive Listening When enabled, this function ensures that BPDUs from the RSTP network are forwarded transparently through the ring and returned. If this were not the case, loops would form at the connection point between the RSTP network and the ring.
Description The page contains the following boxes: ● Base Bridge Mode Note Changing the Base Bridge Mode affects the existing configuration; refer to the section "Changing Base bridge mode" in this chapter before changing it. Select the required mode from the drop-down list.
● Status Shows the status type of the entry in the internal port filter table. Here, "Static" means that the VLAN was entered statically by the user. ● List of ports Specify the use of the port.
802.1Q VLAN Bridge: Important rules for VLANs Make sure you keep to the following rules when configuring and operating your VLANs: ● Frames with the VLAN ID "0" are handled as untagged frames but retain their priority value. ●...
4.7.2.2 Port Based VLAN Processing received frames On this WBM page, you specify the configuration of the port properties for receiving frames. Description Table 1 has the following columns: ● All ports Shows that the settings are valid for all ports of table 2.
● Acceptable Frames Specify which types of frames will be accepted. The following alternatives are possible: – Tagged Frames Only The device discards all untagged frames. Otherwise, the forwarding rules apply according to the configuration.
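The two rules above (a VLAN ID of 0 counts as untagged but keeps its priority; "Tagged Frames Only" discards untagged frames) are easy to get wrong when writing ingress filters or packet captures for a VLAN boundary. The following is an added example, not code from the Siemens manual or firmware: it parses the 802.1Q tag of a raw Ethernet frame and applies the "Acceptable Frames" decision. The policy names "all" and "untagged_and_priority_tagged" are assumed for the alternatives the page does not spell out, and the sample frames are constructed.

```python
"""802.1Q tag handling as described on the S615 'Port Based VLAN' page:
a VID of 0 is treated as untagged but its priority (PCP) is kept, and the
'Acceptable Frames' setting decides which frames a port accepts."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]       # None when the frame carries no 802.1Q tag
    pcp: int                 # 802.1p priority; 0 for untagged frames
    ethertype: int
    payload: bytes

    @property
    def vlan_tagged(self) -> bool:
        # VID 0 is "priority tagged": handled like an untagged frame, PCP retained
        return self.vid is not None and self.vid != 0


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, pcp, off = None, 0, 14
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])   # TCI, then inner EtherType
        pcp, vid, off = tci >> 13, tci & 0x0FFF, 18
    return Frame(_mac(dst), _mac(src), vid, pcp, etype, raw[off:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Builds constructed test input; vid=None yields an untagged frame."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def ingress_vlan(frame: Frame, acceptable: str, pvid: int) -> Optional[int]:
    """Apply a port's 'Acceptable Frames' setting. Returns the VLAN the frame
    is assigned to, or None when the port discards it.
    acceptable: "tagged_only" (named on the page), "all" or
    "untagged_and_priority_tagged" (names assumed for the other alternatives)."""
    if acceptable == "tagged_only" and not frame.vlan_tagged:
        return None
    if acceptable == "untagged_and_priority_tagged" and frame.vlan_tagged:
        return None
    return frame.vid if frame.vlan_tagged else pvid


# Constructed sample frames (MAC addresses and payload are made up)
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
TAGGED_10 = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=10, pcp=5)
PRIO_ONLY = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=0, pcp=7)

if __name__ == "__main__":
    for name, raw in (("untagged", UNTAGGED), ("vid10", TAGGED_10), ("prio", PRIO_ONLY)):
        f = parse_frame(raw)
        print(name, "vid", f.vid, "pcp", f.pcp,
              "tagged_only ->", ingress_vlan(f, "tagged_only", pvid=1))
```

The priority-tagged frame is the case to watch: a port set to "Tagged Frames Only" drops it even though it carries a tag header, because the VID is 0.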
4.7.3 Dynamic MAC Aging Protocol settings and switch functionality The device automatically learns the source addresses of the connected nodes. This information is used to forward data frames only to the nodes involved, which reduces the network load for the other nodes.
4.7.4 Spanning Tree 4.7.4.1 General This is the basic page for spanning tree. As default, Rapid Spanning Tree is enabled. Description The page contains the following boxes: ● Spanning Tree Enable or disable spanning tree. ●...
4.7.4.2 ST general The page consists of the following parts. ● The left-hand side of the page shows the configuration of the device. ● The right-hand part shows the configuration of the root bridge that can be derived from the spanning tree frames received by a device.
● Topology Changes / Last Topology Change The entry for the device shows the number of reconfiguration actions due to the spanning tree mechanism since the last startup. For the root bridge, the time since the last reconfiguration is displayed as follows: –...
Description Table 1 has the following columns: ● All ports Shows that the settings are valid for all ports of table 2. ● Spanning Tree Status In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries of the corresponding column in table 2 remain unchanged.
● Status Displays the current status of the port. The values are only displayed and cannot be configured. The "Status" parameter depends on the configured protocol. The following values are possible: –...
● Edge Shows the status of the port. – Enabled An end device is connected to this port. – Disabled There is a Spanning Tree or Rapid Spanning Tree device at this port. When an end device is connected, the switch can bring the port into the forwarding state faster because it does not have to wait for spanning tree frames.
The information sent is stored on every device with LLDP capability in an LLDP MIB. Network management systems can read these LLDP MIBs using SNMP and therefore recreate the existing network topology. In this way, an administrator can find out which network components are connected to each other and can localize disruptions.
Table 2 has the following columns: ● Port Shows the available ports. ● Setting Specify the LLDP functionality. The following options are available: – Rx This port can only receive LLDP frames. –...
Description The page contains the following boxes: ● Destination Network Enter the network address of the destination that can be reached via this route. ● Subnet Mask Enter the corresponding subnet mask. ●...
Procedure 1. Enter the network address of the destination in the "Destination Network" input box. 2. Enter the corresponding subnet mask in the "Subnet Mask" input box. 3. For "Interface", select the entry "auto". 4.
● Interface Name Shows the name of the interface. ● MAC Address Shows the MAC address. ● IP Address Shows the IPv4 address of the subnet. ● Subnet Mask Shows the subnet mask. ●...
● Address Collision Detection Status If new IPv4 addresses become active in the network, the "Address Collision Detection" function checks whether this can result in address collisions. This allows IPv4 addresses that would be assigned twice to be detected.
4.8.2.2 Configuration On this page, you configure the subnet for the interface. Description The page contains the following: ● Interface (Name) Select the interface from the drop-down list. ● Interface Name Enter the name of the interface.
● Address Type Shows the address type. The following values are possible: – Primary The first subnet of the interface. – Secondary All further subnets of the interface. ● TIA Interface Select whether or not this interface should become the TIA Interface.
4.8.3.2 NAPT On this WBM page, you can configure a port translation in addition to the address translation. The following port translations are possible: ● From a single port to the same port: If the ports are the same, the frames will be forwarded without port translation.
● Translated Destination IP Enter the IP address of the node to which this frame will be forwarded. ● Translated Destination Port Enter the number of the port. This is the new destination port to which the incoming frame will be forwarded.
Note Firewall rule with source NAT Address translation with source NAT is only performed after the firewall, so the firewall rules see the untranslated addresses and must be written for them. Security > Firewall > IP rules ● Source (Range): Input from "Source IP Addresses" ●...
● Translated Source IP Address Enter the IP address with which the IP address of the sender is replaced. Can only be edited if "Use Interface IP from Destination Interface" is disabled. ●...
4.8.3.4 NETMAP On this WBM page, you specify the rules for NETMAP. NETMAP is a static 1:1 mapping of network addresses in which the host part is retained. For more information, refer to the section "NAT and firewall (Page 45)".
Description ● Type Specify the type of address translation. – Source: Replacement of the source IP address – Destination: Replacement of the destination IP address ● Source Interface Specify the source interface. –...
● Bidirectional rule When this is enabled, the NETMAP rule for the opposite direction is automatically created when the NETMAP rule is created. The NETMAP rules are not connected to one another after creation. This means that no synchronization takes place between the NETMAP rules when they are changed or deleted.
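The two points a practitioner most often trips over in this section are the NETMAP semantics (network part replaced, host part kept, and a "bidirectional" counterpart that is an independent rule afterwards) and the note on the NAPT page that source NAT happens after the firewall, so IP rules must match the untranslated source. The following is an added example, not code from the Siemens manual or firmware, modelling both. The ordering of destination translation before the firewall is an assumption made for the model (it follows the common netfilter arrangement); only the "source NAT after firewall" order is stated on the page. Networks and addresses are constructed.

```python
"""NETMAP (1:1 network mapping with retained host part) and the order in which
source NAT is applied relative to the firewall, modelled in Python."""
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Callable, List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class NetmapRule:
    kind: str                          # "source" or "destination": which address is rewritten
    original: ipaddress.IPv4Network    # addresses the rule matches
    translated: ipaddress.IPv4Network  # network they are mapped into

    def __post_init__(self):
        if self.kind not in ("source", "destination"):
            raise ValueError("kind must be 'source' or 'destination'")
        if self.original.prefixlen != self.translated.prefixlen:
            raise ValueError("NETMAP keeps the host part: both networks need the same prefix length")

    def mirror(self) -> "NetmapRule":
        """Counterpart created by the 'Bidirectional rule' option. It is an
        independent rule afterwards: edits to one do not propagate to the other."""
        other = "destination" if self.kind == "source" else "source"
        return NetmapRule(other, self.translated, self.original)


def netmap(addr: IPv4, rule: NetmapRule) -> IPv4:
    """Replace the network part of addr with the translated network, keep the host part."""
    if addr not in rule.original:
        return addr
    host_mask = (1 << (32 - rule.original.prefixlen)) - 1
    return IPv4(int(rule.translated.network_address) | (int(addr) & host_mask))


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


def forward(pkt: Packet, firewall: Callable[[Packet], bool],
            rules: List[NetmapRule]) -> Optional[Packet]:
    """Destination rules first (assumed order), then the firewall decision,
    then source rules. Source NAT after the firewall is what the manual's note
    states, so the firewall callback sees the real, untranslated source address."""
    for r in rules:
        if r.kind == "destination":
            pkt = dc_replace(pkt, dst=netmap(pkt.dst, r))
    if not firewall(pkt):
        return None
    for r in rules:
        if r.kind == "source":
            pkt = dc_replace(pkt, src=netmap(pkt.src, r))
    return pkt


# Constructed example: internal 192.168.1.0/24 is presented to the WAN side as 10.10.1.0/24
SNAT = NetmapRule("source", ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.10.1.0/24"))
DNAT_BACK = SNAT.mirror()   # replies addressed to 10.10.1.x are mapped back to 192.168.1.x


def allow_internal_sources(p: Packet) -> bool:
    """Firewall rule written against the real (untranslated) source network: correct."""
    return p.src in ipaddress.ip_network("192.168.1.0/24")


def allow_translated_sources(p: Packet) -> bool:
    """Firewall rule written against the translated network, which the firewall never sees: wrong."""
    return p.src in ipaddress.ip_network("10.10.1.0/24")


def run_demo():
    out = Packet(IPv4("192.168.1.37"), IPv4("203.0.113.5"))
    good = forward(out, allow_internal_sources, [SNAT])
    bad = forward(out, allow_translated_sources, [SNAT])
    reply = Packet(IPv4("203.0.113.5"), IPv4("10.10.1.37"))
    back = forward(reply, lambda p: True, [DNAT_BACK])
    return good, bad, back


if __name__ == "__main__":
    print(run_demo())
```

The second forwarding attempt returns None: a rule that names the translated 10.10.1.0/24 range never matches, because the firewall evaluates the packet before the source address is rewritten.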
4.8.4 VRRPv3 4.8.4.1 Router Introduction Using the "Create" button, you can create new virtual routers. A maximum of 2 virtual routers can be configured. You can configure other parameters on the "Configuration" tab. Note ●...
● Interface Select the required VLAN interface operating as virtual router. ● VRID Enter the ID of the virtual router. This ID defines the group of routers that form a virtual router (VR).
● Advert. Interval Shows the interval at which the master router sends VRRPv3 packets. ● Preempt Shows the precedence of a router when changing roles between backup and master. – yes This router has precedence when changing roles.
4.8.4.2 Configuration Introduction On this page, you configure the virtual router. Description The page contains the following: ● Interface / VRID Select the ID of the virtual router to be configured. ●...
● Priority Enter the priority of this virtual router. Valid values are 1-254. If an IPv4 address is assigned to the VRRPv3 router that is also actually configured on the local IPv4 interface, the value 255 is entered automatically. All other priorities can be distributed freely among the VRRPv3 routers.
4.8.4.3 Address overview Overview This page shows which IPv4 addresses the virtual router monitors. Each virtual router can monitor one IPv4 address. Description of the displayed values The table has the following columns: ●...
4.8.4.4 Address Configuration Creating or changing the monitored IP addresses On this page, you can create, modify or delete the IPv4 addresses to be monitored. Each virtual router can monitor one IPv4 address. Description The page contains the following: ●...
4.8.4.5 Interface Tracking Introduction On this page, you configure the monitoring of interfaces. When the link of a monitored interface changes from "up" to "down", the priority of the assigned VRRP interface is reduced. You configure the value by which the priority is reduced on the page "Layer 3 >...
The table has the following columns: ● Select Select the check box in the row to be deleted. ● Track ID Shows the track ID. ● Interface Shows the interface that is being monitored. Procedure 1.
4.8.4.6 Address monitoring Introduction You configure the monitoring of IPv4 addresses on this page. The router sends a ping request to each of the configured IPv4 addresses within the specified time period. If no response is received within a specified time period, the VRRP priority of the corresponding interface is reduced.
● Ping Period Shows the cycle time in seconds between two ping requests. ● Ping Timeout Shows the time in seconds that the router waits for a ping response. The minimum duration is three times the ping period.
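The VRRPv3 pages above describe priorities piecemeal: 255 is reserved for the address owner, configured values are 1-254, interface tracking and address monitoring each subtract from the priority, preempt decides whether a better backup may take over, and the ping timeout must be at least three times the ping period. The following is an added example, not code from the Siemens manual or firmware, that puts those rules into one model so the effect of a link loss or failed ping on master election can be worked through. The decrement values, the tie-break on interface address and the class and field names are assumptions for the model; the routers and addresses are constructed.

```python
"""VRRPv3 priority handling as described on the S615 'Layer 3 > VRRPv3' pages:
owner priority 255, configurable 1-254, decrements from interface tracking and
address monitoring, preempt, and the ping-timeout constraint."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    vrid: int
    address: ipaddress.IPv4Address             # the router's own interface address
    configured_priority: int = 100
    owner: bool = False                        # virtual IP is also this router's real interface IP
    preempt: bool = True
    interface_decrements: Dict[str, int] = field(default_factory=dict)  # tracked interface -> decrement
    ping_decrements: Dict[str, int] = field(default_factory=dict)       # monitored address -> decrement
    down_interfaces: Set[str] = field(default_factory=set)
    unreachable_addresses: Set[str] = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= self.configured_priority <= 254:
            raise ValueError("priority must be 1-254; 255 is reserved for the address owner")
        if not 1 <= self.vrid <= 255:
            raise ValueError("VRID must be 1-255")

    def effective_priority(self) -> int:
        if self.owner:
            return 255   # set automatically when the virtual address is a local interface address
        prio = self.configured_priority
        prio -= sum(d for i, d in self.interface_decrements.items() if i in self.down_interfaces)
        prio -= sum(d for a, d in self.ping_decrements.items() if a in self.unreachable_addresses)
        return max(prio, 1)  # 0 is reserved on the wire for "master is releasing the role"


def check_ping_timing(period_s: int, timeout_s: int) -> None:
    """The page requires a ping timeout of at least three times the ping period."""
    if timeout_s < 3 * period_s:
        raise ValueError(f"ping timeout {timeout_s}s must be >= 3 x period ({3 * period_s}s)")


def elect_master(routers: List[VrrpRouter], current: Optional[VrrpRouter]) -> VrrpRouter:
    """Highest effective priority wins; ties go to the higher interface address.
    A backup only takes the role away from a live master if the backup has preempt enabled."""
    best = max(routers, key=lambda r: (r.effective_priority(), int(r.address)))
    if current is not None and best is not current and not best.preempt:
        return current
    return best


def run_demo():
    a = VrrpRouter("A", 1, ipaddress.IPv4Address("192.168.1.2"), 120,
                   interface_decrements={"ppp0": 50}, ping_decrements={"203.0.113.1": 30})
    b = VrrpRouter("B", 1, ipaddress.IPv4Address("192.168.1.3"), 100, preempt=False)
    initial = elect_master([a, b], None).name          # A: 120 > 100
    a.down_interfaces.add("ppp0")                      # WAN link on A drops: 120 - 50 = 70
    without_preempt = elect_master([a, b], a).name     # A stays: B may not preempt
    b.preempt = True
    with_preempt = elect_master([a, b], a).name        # B takes over: 100 > 70
    return initial, without_preempt, with_preempt, a.effective_priority()


if __name__ == "__main__":
    print(run_demo())
    check_ping_timing(period_s=5, timeout_s=15)
```

Size the decrement so that a failure actually changes the outcome: a tracked-interface decrement smaller than the gap between the two routers' priorities leaves the router with the dead uplink as master.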
Description The page contains the following: ● User Account Enter the name for the user. The name must meet the following conditions: – It must be unique. – It must be between 1 and 250 characters long. –...
The table contains the following columns: ● Select Select the check box in the row to be deleted. Note The users preset in the factory as well as logged in users cannot be deleted or changed. ●...
Deleting users 1. Select the check box in the row to be deleted. 2. Click the "Delete" button. The entries are deleted and the page is updated. 4.9.1.2 Roles Roles On this page, you create roles that are valid locally on the device. Note The values displayed depend on the rights of the logged-in user.
The table contains the following columns: ● Select Select the check box in the row to be deleted. Note Predefined roles and assigned roles cannot be deleted or modified. ● Role Shows the name of the role. ●...
4.9.1.3 Groups User groups On this page you link a group with a role. In this example the group "Administrators" is linked to the "admin" role: The group is defined on a RADIUS server. The role is defined locally on the device. When a RADIUS server authenticates a user and assigns the user to the "Administrators"...
● Role Select a role. Users who are authenticated with the linked group on the RADIUS server receive the rights of this role locally on the device. You can choose between system-defined and self-defined roles, refer to the page "Security >...
Description The page contains the following: ● Current User Shows the user that is currently logged in. ● Current User Password Enter the password for the currently logged in user. ● User Account Select the user whose password you want to change.
4.9.3
4.9.3.1 General Login of network nodes The designation "AAA" stands for "Authentication, Authorization, Accounting". This feature is used to identify and allow network nodes, to make the corresponding services available to them and to specify the range of use.
4.9.3.2 RADIUS client Authentication over an external server The concept of RADIUS is based on an external authentication server. Each row of the table contains access data for one server. In the search order, the primary server is queried first.
● Shared Secret Conf. Enter the shared secret again to confirm it. ● Max. Retrans. Here, enter the maximum number of retries for an attempted request. The initial connection attempt is repeated the number of times specified here before another configured RADIUS server is queried or the login counts as having failed.
3. If necessary check the reachability of the RADIUS server. 4. Click the "Set Values" button. Repeat this procedure for every server you want to enter. Modifying servers 1. In the relevant row, enter the following data in the input boxes: –...
Figure 4-1 (Part 1), Figure 4-2 (Part 2) Description ● Select Select the check box in the row to be deleted. Only unused certificates can be deleted. ● Type Shows the type of the loaded file. –...
● Filename Shows the file name. ● Status Shows whether the certificate is valid or has already expired. ● Subject DN Shows the name of the applicant. ● Issuer DN Shows the name of the certificate issuer. ●...
Description ● Filename Select the required certificate. ● Type Shows the type of the loaded file. – CA Cert The CA certificate is signed by a CA (Certification Authority). – Machine certificate –...
● Issuer DN Shows the name of the certificate issuer. ● Subject Alternate Name If it exists, an alternative name of the applicant is displayed. ● Issue Date Shows the start of the period of validity of the certificate. ●...
4.9.5 Firewall 4.9.5.1 General On this WBM page, you enable the firewall. Note Please remember that if you disable the firewall, your internal network is unprotected. Description The page contains the following: ●...
4.9.5.2 Predefined IPv4 rules The WBM page contains predefined IP packet filter rules. If you create your own IP packet filter rules, these have a higher priority than the predefined IP packet filter rules. Set which IPv4 services of the device should be reachable from which interface.
Description ● Interface The list is dynamic. – pppx or usb0 (only with M876-4) Allows access from the WAN interface to the device. – VLANx Allows access from the IP subnet to the device. VLANs with configured IP subnet are available.
– IPSec VPN Allows IKE (Internet Key Exchange) data transfer from the external network to the device. Necessary if an IPsec VPN remote station needs to establish a connection to this device. –...
Description "Rule set" area ● Name Define a unique name for the rule set. If you click the "Create" button, a new row with a unique number is created. The table contains the following columns: ●...
● Remote access Shows what remote access the user has. The "Digital Input" table contains the following columns: ● Digital In The available digital inputs. ● Rule set Define the rule set that is controlled via the digital input. ●...
● Transport Specify the protocol type. – UDP The rule applies only to UDP frames. – TCP The rule applies only to TCP frames. ● Source Port (Range) Enter the source port. The rule applies specifically to the specified port. –...
The table contains the following columns: ● Select Select the check box in the row to be deleted. ● Service Name Shows the name of the ICMP service. ● Protocol Shows the version of the ICMP protocol. ●...
The page contains the following check boxes: ● Select Select the check box in the row to be deleted. ● Protocol Name Shows the protocol name. ● Protocol Number Enter the protocol number, for example 2. You will find a list of the protocol numbers on the Internet pages of iana.org Procedure Create IGMP protocol...
Description ● IP Version The version of the IP protocol. ● Rule set Select the required rule set. Only the IP rules that are assigned to this rule set will then be displayed in the table, provided that "Show all"...
● Source (Range) Enter the IP address or an IP range from which IP packets are allowed to be sent. – Individual IP address: Enter the IPv4 address. – IP range Specify the range with the start address "-" end address, e.g. 192.168.100.10 - 192.168.100.20.
● Assigned Shows the rule set to which this IP rule is assigned. The IP rules can also be assigned to multiple rule sets. If the IP rule is assigned to all rule sets, "all" is displayed. ●...
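The firewall pages above state three things that determine what a given packet will do: user-defined IP rules take priority over the predefined service rules (4.9.5.2), address fields accept a single IP, a CIDR network or a "start - end" range, and a rule is further narrowed by interface, transport and port. The following is an added example, not code from the Siemens manual or firmware: a small first-match evaluator over both rule lists that reproduces that precedence and range syntax so a rule set can be tested before it is entered in the WBM. Field names, the wildcard "*" and the default verdict are assumptions for the model; the rules, addresses and packets are constructed.

```python
"""IP packet filter evaluation as described on the S615 'Security > Firewall' pages:
user rules before predefined rules, first match wins, addresses as single IP, CIDR
or 'start - end' range."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Addr = ipaddress.IPv4Address


def parse_range(spec: str):
    """Return a predicate for a Source/Destination (Range) field."""
    spec = spec.strip()
    if spec == "*":
        return lambda a: True
    if "-" in spec:                              # "192.168.100.10 - 192.168.100.20"
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {spec}")
        return lambda a, lo=lo, hi=hi: lo <= a <= hi
    net = ipaddress.ip_network(spec, strict=False)   # single host parses as /32
    return lambda a, net=net: a in net


def parse_ports(spec: str) -> Tuple[int, int]:
    spec = spec.strip()
    if spec == "*":
        return 0, 65535
    lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec), int(spec))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


@dataclass(frozen=True)
class Pkt:
    in_if: str              # ingress interface, e.g. "vlan1" or "ppp0"
    src: Addr
    dst: Addr
    transport: str          # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class IpRule:
    action: str             # "accept", "drop" or "reject"
    src: str
    dst: str
    transport: str = "*"    # "tcp", "udp" or "*"
    dport: str = "*"
    from_if: str = "*"

    def matches(self, pkt: Pkt) -> bool:
        if self.from_if not in ("*", pkt.in_if):
            return False
        if self.transport not in ("*", pkt.transport):
            return False
        if pkt.dport is None:                    # no port concept (e.g. ICMP)
            if self.dport != "*":
                return False
        else:
            lo, hi = parse_ports(self.dport)
            if not lo <= pkt.dport <= hi:
                return False
        return parse_range(self.src)(pkt.src) and parse_range(self.dst)(pkt.dst)


def decide(pkt: Pkt, user_rules: Sequence[IpRule], predefined: Sequence[IpRule],
           default: str = "drop") -> Tuple[str, str]:
    """First match wins; user rules are evaluated before the predefined ones."""
    for origin, rules in (("user", user_rules), ("predefined", predefined)):
        for r in rules:
            if r.matches(pkt):
                return r.action, origin
    return default, "default"


# Constructed rule sets. The predefined rule stands for "HTTPS to the device from VLAN1"
# as on the 'Predefined IPv4 rules' page; nothing is opened from ppp0.
DEVICE = Addr("192.168.100.1")
PREDEFINED = [IpRule("accept", "*", str(DEVICE), "tcp", "443", from_if="vlan1")]
USER = [
    # A guest range must not reach management, although the predefined rule would allow it
    IpRule("drop", "192.168.100.10 - 192.168.100.20", str(DEVICE), "tcp", "443", from_if="vlan1"),
    # An engineering station may reach the PLC network on S7comm
    IpRule("accept", "192.168.100.5", "10.0.0.0/24", "tcp", "102", from_if="vlan1"),
]


def run_demo():
    return (
        decide(Pkt("vlan1", Addr("192.168.100.15"), DEVICE, "tcp", 443), USER, PREDEFINED),
        decide(Pkt("vlan1", Addr("192.168.100.30"), DEVICE, "tcp", 443), USER, PREDEFINED),
        decide(Pkt("ppp0", Addr("198.51.100.7"), DEVICE, "tcp", 443), USER, PREDEFINED),
        decide(Pkt("vlan1", Addr("192.168.100.5"), Addr("10.0.0.20"), "tcp", 102), USER, PREDEFINED),
    )


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first packet shows the precedence rule in action: the guest address lies inside the predefined "accept" from VLAN1, but the user-defined drop is evaluated first and wins.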
4.9.6.2 Remote End On this WBM page, you configure the partner (VPN end point). Description The page contains the following: ● Remote End Name Enter the name of the remote station and click "Create" to create a new remote station. This table contains the following columns: ●...
● Remote Type Specify the type of remote station address. – Manual The address of the partner is known. The device can either establish the VPN connection actively as a VPN client or wait passively for connection establishment by the partner. –...
Configure VPN Roadwarrior mode 1. Enter the name of the remote station in "Remote End Name". 2. Click the "Create" button. A new entry is generated in the table. 3. For "Remote Mode", select "Roadwarrior". 4.
Description The page contains the following boxes: ● Connection name Enter a name for the VPN connection and click "Create" to create a new connection. This table contains the following columns: ● Select Select the check box in the row to be deleted.
● Remote End Select the required remote station. Only partners that have been configured on the "Remote End" WBM page can be selected. ● Local Subnet Enter the local subnet. Use the CIDR notation. The local network can also be a single PC or another subset of the local network.
Description This table contains the following columns: ● Name Shows the name of the VPN connection to which the settings relate. ● Authentication Select the authentication method. For the VPN connection, it is essential that the partner uses the same authentication method.
4.9.6.5 Phase 1 Phase 1: Encryption agreement and authentication (IKE = Internet Key Exchange) On this WBM page, you set the parameters for the protocol of the IPsec key management. The key exchange uses the standardized IKE method for which you can set the following protocol parameters.
● Authentication Specify the integrity algorithm (the method used to calculate the checksum). Can only be selected if "Default Ciphers" is disabled. The following methods are supported: – MD5 – SHA1 – SHA512 – SHA256 – SHA384. MD5 and SHA1 are offered for compatibility with older peers; choose SHA256 or stronger whenever the partner supports it. ●...
● DPD Timeout [sec] Enter a period. If there is no response to the DPD queries, the connection to the remote station is declared to be invalid after this time has elapsed. Note To avoid unwanted connection breakdowns, set the DPD timeout significantly higher than the DPD period.
● Encryption For phase 2, select the required encryption algorithm. Can only be selected if "Default Ciphers" is disabled. Further information can be found in the section "IPsec VPN". Note The AES modes CCM and GCM contain their own mechanism for authenticating data (authenticated encryption). If you use a mode AES x CCM or AES x GCM for "Encryption", this is also used for authentication and the separate "Authentication" setting has no effect.
● Lifebytes Enter the data limit in bytes that specifies the lifetime of the agreed key. When the data limit is reached, the key is renegotiated. ● Protocol Specify the protocol for which the VPN connection is valid, e.g. UDP, TCP, ICMP. If the setting is intended to apply to all protocols, enter "*".
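The Phase 1 and Phase 2 pages above carry several constraints that interact: algorithms are only selectable when "Default Ciphers" is off, MD5 and SHA1 are legacy choices, an AES-GCM or AES-CCM cipher already authenticates so the separate authentication setting is ignored, and the DPD timeout must be significantly larger than the DPD period. The following is an added example, not code from the Siemens manual or firmware: a linter that checks a proposed Phase 1 / Phase 2 / DPD configuration against those rules before it is entered. The parameter names are assumptions (they are not the device's configuration syntax), as is the factor of three used to interpret "significantly higher"; the two sample configurations are constructed.

```python
"""Sanity checks for IPsec Phase 1 / Phase 2 / DPD parameters as described on the
S615 'Security > IPsec VPN' pages. Added example; names are not device syntax."""
from dataclasses import dataclass
from typing import List, Optional

WEAK_AUTH = {"MD5", "SHA1"}
AEAD_MARKERS = ("GCM", "CCM")


@dataclass
class Phase:
    name: str
    default_ciphers: bool = True          # 'Default Ciphers' check box
    encryption: Optional[str] = None      # e.g. "AES256 CBC", "AES128 GCM"
    authentication: Optional[str] = None  # e.g. "SHA256"
    lifetime_s: Optional[int] = None
    lifebytes: Optional[int] = None       # Phase 2 only
    protocol: str = "*"                   # Phase 2 traffic selector; "*" = all protocols


@dataclass
class Dpd:
    enabled: bool
    period_s: int
    timeout_s: int


def is_aead(enc: Optional[str]) -> bool:
    """GCM and CCM modes authenticate the data themselves."""
    return bool(enc) and any(m in enc.upper() for m in AEAD_MARKERS)


def check_phase(p: Phase) -> List[str]:
    out: List[str] = []
    if p.default_ciphers:
        if p.encryption or p.authentication:
            out.append(f"{p.name}: 'Default Ciphers' is enabled, so the explicit algorithm selection has no effect")
        return out
    if not p.encryption:
        out.append(f"{p.name}: no encryption algorithm selected")
    elif is_aead(p.encryption):
        if p.authentication:
            out.append(f"{p.name}: {p.encryption} authenticates the data itself; the separate setting "
                       f"{p.authentication} is not used")
    else:
        if not p.authentication:
            out.append(f"{p.name}: a non-AEAD cipher needs an authentication algorithm")
        elif p.authentication.upper() in WEAK_AUTH:
            out.append(f"{p.name}: {p.authentication} is a legacy hash; prefer SHA256 or stronger")
    if p.lifebytes is not None and p.lifebytes <= 0:
        out.append(f"{p.name}: lifebytes must be positive")
    return out


def check_dpd(d: Dpd, min_ratio: int = 3) -> List[str]:
    """The page asks for a timeout 'significantly higher' than the period;
    min_ratio is this example's assumption for what that means."""
    if not d.enabled:
        return []
    if d.timeout_s <= d.period_s:
        return ["DPD timeout is not larger than the DPD period: one missed reply tears the tunnel down"]
    if d.timeout_s < min_ratio * d.period_s:
        return [f"DPD timeout {d.timeout_s}s is below {min_ratio} x period ({min_ratio * d.period_s}s)"]
    return []


def lint(phase1: Phase, phase2: Phase, dpd: Dpd) -> List[str]:
    return check_phase(phase1) + check_phase(phase2) + check_dpd(dpd)


def run_demo():
    # Constructed: a configuration with four distinct problems
    weak = lint(
        Phase("Phase 1", default_ciphers=False, encryption="AES128 CBC", authentication="SHA1", lifetime_s=86400),
        Phase("Phase 2", default_ciphers=False, encryption="AES128 GCM", authentication="SHA256", lifebytes=0),
        Dpd(True, period_s=30, timeout_s=30),
    )
    # Constructed: the same intent written cleanly
    good = lint(
        Phase("Phase 1", default_ciphers=False, encryption="AES256 CBC", authentication="SHA256", lifetime_s=86400),
        Phase("Phase 2", default_ciphers=False, encryption="AES256 GCM", lifebytes=5_000_000_000),
        Dpd(True, period_s=30, timeout_s=120),
    )
    return weak, good


if __name__ == "__main__":
    weak, good = run_demo()
    for finding in weak:
        print("finding:", finding)
    print("clean configuration findings:", good)
```

The check that tends to surprise people is the AEAD one: selecting SHA256 next to AES-GCM is not an error on the device, it is simply ignored, so the peer must be configured to match the GCM proposal alone.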
4.9.7.2 Connections On this WBM page, you configure the basic settings for the OpenVPN connection. You specify the security settings on the WBM page "Authentication". Description ● Connection name Enter a unique name for the OpenVPN connection and click "Create" to create a new connection.
● Authentication Specify the integrity algorithm (the method used to calculate the checksum). – SHA256 (default) – SHA384 – SHA512 – SHA224 – SHA1 – MD5 ● Use LZO When enabled, the data is compressed with the LZO algorithm. Compressing data before it is encrypted can reveal information about the plaintext through the ciphertext length; leave this disabled unless the partner requires it. ●...
4.9.7.3 Remote On this WBM page, you configure the partner (OpenVPN end point). Per connection, you can specify several OpenVPN partners. The device tries all configured OpenVPN partners one after the other until a connection is successfully established. Description The page contains the following: ●...
4.9.7.4 Authentication On this WBM page, you specify how the VPN connection partners authenticate themselves with each other. Description This table contains the following columns: ● Name Shows the name of the VPN connection to which the settings relate. ●...
5 Upkeep and maintenance
5.1 Device configuration with PRESET-PLUG Please note the additional information and security notes in the operating instructions of your device. NOTICE Do not remove or insert a PLUG during operation A PLUG may only be removed or inserted when the device is turned off. Note Support as of V4.3 The PRESET-PLUG functionality is supported as of firmware version V4.3.
4. Create the PRESET-PLUG with the "presetplug" command. The firmware version of the device and the current device configuration incl. user accounts and certificates are stored on the PLUG and the PLUG is then write protected. Because the PLUG now carries account data and certificates, store it as securely as the device configuration itself. 5.
Formatting a PRESET-PLUG (resetting the preset function) You format the PRESET PLUG using the Command Line Interface (CLI) to reset the preset function. To do this, follow the steps outlined below: 1. Start the remote configuration using the CLI and log on with a user with the "admin" role. Telnet transmits the login in cleartext; use an encrypted session (SSH) where the device and your environment allow it. 2.
5.2 Firmware update using WBM not possible Result When the firmware is successfully loaded a dialog is displayed. Confirm the dialog with "OK". The device is restarted. In "Information" > "Versions" there is the additional entry "Firmware_Running". Firmware_Running shows the version of the current firmware.
5.3 Restoring the factory settings 3. Now release the button. The bootloader waits in this state for a new firmware file that you can download by TFTP. Note If you want to exit the boot loader without making changes, press the SET button briefly. The device restarts with the loaded configuration.
Page 302
Upkeep and maintenance 5.3 Restoring the factory settings With the reset button When pressing the button, remember the information in the section "Reset button" in the operating instructions. Follow the steps below to reset the device parameters to the factory settings: 1.
Appendix A Format of the syslog messages The devices generate Syslog messages (UDP default port 514) according to RFC 5424 that contain the following boxes. HEADER ● TIMESTAMP according to RFC 3339 ● Host name ● APPNAME, PROCID and MSGID: If no information is known, the "-" character is output. PRIORITY PRIORITY contains the coded priority of the Syslog message broken down into a Severity and Facility box.
Appendix A A.2 Parameters in Syslog messages
Parameters in Syslog messages
The Syslog messages can contain the following parameters:
Parameter | Description | Possible values or example
ip address | IPv4 or IPv6 address | IP address according to RFC1035 or RFC4291 Section 2.2
src port | Port that is shown as decimal number. |
Appendix A A.3 Syslog messages
Parameter | Description | Possible values or example
firewall action accept | Firewall action executed (accepted packet) | ACCEPT
firewall action reject | Firewall action executed (rejected packet) | REJECT, DROP
length | Length of the network packet (in bytes) | Format: %d
network interface | Symbolic name of a network interface | vlan1, Format: %s...
Page 306
Appendix A A.3 Syslog messages
Severity: Info
Facility: local0
Log text: Console: User {user name} logged out.
Standard: IEC 62443-3-3 Reference: SR1.1
Description: User session completed - logged out.
Example: Console: User admin logged out.
Severity: Info
Facility: local0
Log text: {protocol}: User {user name} logged out from {ip address}.
Page 307
Appendix A A.3 Syslog messages
Example: ACCEPT(1) in:vlan1 out:ppp0 len:52 s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-ip:158.85.11.68 tcp:53788->443
Severity: Info or Warning or Error (configurable)
Facility: local0
Log text: {firewall action reject}(1) in:{network interface} out:{network interface} len:{length} s-mac:{src mac} d-mac:{dest mac} s-ip:{ip address} d-ip:{ip address} {protocol}:{src port}->{dest port}
Standard: IEC 62443-3-3 Reference: SR 1.2...
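As an added example that is not part of the Siemens manual, the following Python code parses the firewall log text documented above, wrapped in the RFC 5424 header described at the start of Appendix A, and then counts rejected or dropped packets per source address as a simple defender-side check on a log collector. The host name "s615", the timestamps and the DROP lines are constructed sample input; the ACCEPT message text is the manual's own example.

```python
import re

# RFC 5424: PRI = facility * 8 + severity; the S615 logs to local0 (facility 16)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {16 + i: f"local{i}" for i in range(8)}

# RFC 5424 header as the manual describes it: PRI, VERSION, TIMESTAMP (RFC 3339), HOSTNAME,
# then APP-NAME, PROCID and MSGID (each "-" when unknown), structured data and the free-text MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")

# Firewall log text documented in A.3:
# {action}(1) in:{if} out:{if} len:{n} s-mac:{mac} d-mac:{mac} s-ip:{ip} d-ip:{ip} {proto}:{sport}->{dport}
FIREWALL_RE = re.compile(
    r"^(?P<action>ACCEPT|REJECT|DROP)\(\d+\) in:(?P<in_if>\S+) out:(?P<out_if>\S+) len:(?P<length>\d+) "
    r"s-mac:(?P<src_mac>\S+) d-mac:(?P<dst_mac>\S+) s-ip:(?P<src_ip>\S+) d-ip:(?P<dst_ip>\S+) "
    r"(?P<proto>\w+):(?P<src_port>\d+)->(?P<dst_port>\d+)$")

def parse_s615_syslog(line):
    """Split one RFC 5424 line into header fields; decode the firewall message if present."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": FACILITY.get(pri // 8, str(pri // 8)), "severity": SEVERITY[pri % 8],
           "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}
    fw = FIREWALL_RE.match(m["msg"])
    if fw:  # numeric fields (len, ports) become ints, everything else stays a string
        rec["firewall"] = {k: int(v) if v.isdigit() else v for k, v in fw.groupdict().items()}
    return rec

def noisy_sources(lines, threshold=3):
    """Source addresses whose packets the firewall rejected or dropped at least `threshold` times."""
    counts = {}
    for line in lines:
        rec = parse_s615_syslog(line)
        fw = rec.get("firewall") if rec else None
        if fw and fw["action"] in ("REJECT", "DROP"):
            counts[fw["src_ip"]] = counts.get(fw["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input (host name, timestamps and DROP lines are made up; the ACCEPT
# message text is the manual's example). PRI 134 = local0/info, PRI 132 = local0/warning.
HDR = "<{pri}>1 2019-11-05T10:15:{s:02d}Z s615 - - - - "
SAMPLE_LINES = [
    HDR.format(pri=134, s=0) + "ACCEPT(1) in:vlan1 out:ppp0 len:52 s-mac:58:EF:68:B3:FA:CE "
    "d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-ip:158.85.11.68 tcp:53788->443",
] + [
    HDR.format(pri=132, s=i) + "DROP(1) in:ppp0 out:vlan1 len:60 s-mac:02:00:00:00:00:01 "
    f"d-mac:02:00:00:00:00:02 s-ip:198.51.100.{7 if i < 4 else 8} d-ip:192.0.2.10 tcp:4{i}000->22"
    for i in range(1, 5)
]
```

With the constructed input, noisy_sources(SAMPLE_LINES) reports only 198.51.100.7, which was dropped three times; the single drop from 198.51.100.8 stays below the threshold.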
Page 308
Appendix A A.3 Syslog messages
Severity: Info
Facility: local0
Log text: {protocol}: User {user name} changed password of user {action user name}.
Standard: IEC 62443-3-3 Reference: SR1.3
Description: User has changed another user's password.
Example: Console: User admin changed password of user test.
Severity: Info
Facility...
Page 309
Appendix A A.3 Syslog messages
Failed login attempts
Log text: User {user name} account is locked for {time} minutes after {failed login count} unsuccessful login attempts.
Standard: IEC 62443-3-3 Reference: SR1.11
Description: After too many failed logins, the corresponding user account is locked for a specific period of time.
Page 310
Appendix A A.3 Syslog messages
Description: VPN connection established. (OpenVPN)
Example: OVPN_Conn_1[2427]: Initialization Sequence Completed
Severity: Info
Facility: local0
Log text: OpenVPN connection {connection name} has been deactivated.
Standard: IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Description: VPN connection was closed (OpenVPN).
Example: OpenVPN connection c1 has been deactivated.
Page 311
Appendix A A.3 Syslog messages
Log text: SINEMA RC - Received Shutdown SMS. SINEMA RC - OpenVPN terminated.
Standard: IEC 62443-3-3 Reference: SR 1.13
Description: Remote access denied (SINEMA RC, Wakeup SMS)
Example: SINEMA RC - Received Shutdown SMS. SINEMA RC - OpenVPN terminated.
Severity: Info
Facility...
Page 312
Appendix A A.3 Syslog messages
Severity: Warning
Facility: local0
Log text: User specific firewall user "{user name}" deactivated by administrator configuration.
Standard: IEC 62443-3-3 Reference: SR 2.1
Description: Access to the user-specific firewall denied. The device administrator has deactivated the user.
Page 313
Appendix A A.3 Syslog messages
Log text: OVPN_{connection name}[{config detail}]: [{config detail}] Inactivity timeout (--ping-restart), restarting
Standard: IEC 62443-3-3 Reference: SR 2.6
Description: The remote session was ended after a period of inactivity. (OpenVPN)
Example: OVPN_c1[26296]: [router] Inactivity timeout (--ping-restart), restarting
Severity: Info
Facility...
Appendix A A.3 Syslog messages
Log text: OVPN_{connection name}[{config detail}]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Standard: IEC 62443-3-3 Reference: SR 3.1
Description: Integrity check failed (OpenVPN).
Example: OVPN_c1[25409]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Severity: Warning
Facility: local0
A.3.1...
Page 315
Appendix A A.3 Syslog messages
Severity: Info
Facility: local0
Log text: {protocol}: Loaded file type ConfigPack (restart required).
Standard: IEC 62443-3-3 Reference: SR7.4
Description: The configuration is applied.
Example: TFTP: Loaded file type ConfigPack (restart required).
Severity: Info
Facility: local0
Log text: {protocol}: User {user name} loaded file type Config (restart required).
Page 319
Index
Server certificate, 49
Service & Support, 4
SFTP
  Load/save, 132
SHA algorithm, 151
SIMATIC NET glossary, 5
SIMATIC NET manual, 4
SMTP
  Client, 115...
Time
  Time zone, 169
  UTC time, 169
Time of day
  Manual setting, 70, 156
  NTP Client, 70
  SIMATIC Time Client, 170
  SNTP (Simple Network Time Protocol), 163