In the BMENUA0100 module web pages, starting in the Home page, select Settings to display links to the following configuration pages, where you can enter settings for device security:

The configurable parameters for each node are described below.

Use these settings to configure device security for the BMENUA0100 module. After changing settings, select Submit or Cancel.

User Account Policy

Use these settings to configure user account policy:

Parameter

Description

Session maximum inactivity (minutes)

The idle session timeout period for HTTPS connections. If a connection is inactive for this period, the user session is automatically closed. Default = 15 min.

NOTE: There is no inactivity timeout for OPC UA connections.

Maximum login attempts

The number of times a user may attempt, and fail, to log in. Default = 5 attempts. When the configured maximum is reached, the user account is locked.

Login attempt timer (minutes)

The maximum time period allowed to log in. Default = 3 min.

Account locking duration (minutes)

Time period during which no additional logins may be attempted after the maximum number of login attempts is reached. Upon the expiration of this period, a locked user account is automatically unlocked. Default = 4 min.

NOTE: These user account policy settings apply to OPC UA clients that have been assigned a username.
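The following Python model is added here as an illustration and is not taken from the module firmware or the Schneider documentation; it shows how the inactivity timeout, the maximum login attempts and the locking duration above interact over time, using the defaults listed (15 min, 5 attempts, 4 min). The login attempt timer is omitted because its relation to the failure counter is not defined on this page, and time is passed in as minutes rather than read from a clock.

```python
from dataclasses import dataclass

# Defaults taken from the User Account Policy table above (minutes / attempts).
@dataclass
class AccountPolicy:
    session_max_inactivity_min: int = 15
    max_login_attempts: int = 5
    account_locking_duration_min: int = 4

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: "float | None" = None           # time (min) when the lock expires
    session_last_activity: "float | None" = None  # None when no HTTPS session is open

class LoginGuard:
    """Constructed model of lockout and idle-session behaviour; not module firmware."""
    def __init__(self, policy=None):
        self.policy = policy or AccountPolicy()
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now_min):
        st = self._state(user)
        if st.locked_until is not None and now_min >= st.locked_until:
            # Locking duration elapsed: automatic unlock, failure counter cleared.
            st.locked_until = None
            st.failed_attempts = 0
        return st.locked_until is not None

    def attempt(self, user, password_ok, now_min):
        # Returns "ok", "failed" or "locked" for one login attempt at time now_min.
        st = self._state(user)
        if self.is_locked(user, now_min):
            return "locked"
        if password_ok:
            st.failed_attempts = 0
            st.session_last_activity = now_min    # HTTPS session opened
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_login_attempts:
            st.locked_until = now_min + self.policy.account_locking_duration_min
            return "locked"
        return "failed"

    def session_active(self, user, now_min):
        # False once the HTTPS session has been idle longer than the configured period.
        st = self._state(user)
        if st.session_last_activity is None:
            return False
        if now_min - st.session_last_activity > self.policy.session_max_inactivity_min:
            st.session_last_activity = None       # idle timeout: session closed
            return False
        return True
```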

Event Logs

Use these settings to configure the syslog client that resides in the BMENUA0100 module. The logs are stored locally in the module and exchanged with a remote syslog server:

Parameter

Description

Service activation

Turns the syslog client service ON or OFF. Default = OFF.

Syslog server IP address

IPv4 or IPv6 address of the remote syslog server.

NOTE: IPv6 is available only for firmware version 1.10 and higher.

Syslog server port

The port number used by the syslog client service. Default = 601.

Network Services Activation

These services together constitute a firewall that permits or denies the passage of communications through the BMENUA0100 module. Use these settings to enable or disable the following services:

GLOBAL POLICY:

Service

Description

Enforce Security

Disables all network services, except IPSec which is enabled.

Unlock Security

Enables all network services, except IPSec which is disabled.

NETWORK SERVICES ACTIVATION: The default setting for the following services depends on the cybersecurity operating mode (CS Op Mode). Each entry below gives the service, its description, and its default in Standard mode and in Secure mode:

SNMP Agent
  Enables and disables SNMP Agent communications.
  CS Op Mode default: Standard = Enabled, Secure = Disabled.

NTP Server
  Enables and disables NTP server communications.
  CS Op Mode default: Standard = Enabled, Secure = Disabled.

IPSec
  Enables and disables IPSec communications.
  CS Op Mode default: Standard = Disabled, Secure = Enabled (1).

CPU to CPU Data Flows (2, 3)
  (Refer to Configuring Communication for CPU to CPU Data Flows.)
  Enables and disables Modbus communications, passing through the BMENUA0100 module, between M580 CPUs.
  CS Op Mode default: Standard = Enabled, Secure = Disabled.

Control Expert Data Flows to CPU only (2, 3)
  (Refer to Configuring Communication for Control Expert Data Flow.)
  Enables and disables Modbus, EtherNet/IP, Ping, explicit messaging, and FTP communications, passing through the BMENUA0100 module, between Control Expert configuration software and the CPU only.
  CS Op Mode default: Standard = Enabled, Secure = Disabled.

Control Expert Data Flows to Device Network (2, 3)
  (Refer to Configuring Communication for Control Expert Data Flow.)
  Enables and disables Modbus, EtherNet/IP, Ping, explicit messaging, and FTP communications, passing through the BMENUA0100 module, between Control Expert configuration software and network devices, including the CPU.
  CS Op Mode default: Standard = Enabled, Secure = Disabled.

HTTPS on control port
  Enables and disables HTTPS communications over the control port.
  NOTE: If HTTPS is disabled, and the change applied, the web pages cannot be accessed via the control port. To regain access to the web pages from the control port, you can reset the cybersecurity configuration.
  CS Op Mode default: Standard = Disabled, Secure = Enabled.

(1) IPSec is enabled with no rules defined. The service needs to be configured.

(2) Refer to the troubleshooting topic Activating Network Services Using Only an IPv6 Connection for information regarding that configuration design.

(3) Supported only by modules earlier than version BMENUA0100.2.

NOTE: SNMP, NTP, Syslog and Modbus services are not inherently secure protocols. They are rendered secure when encapsulated within IPSEC. It is recommended that you do not disable IPSEC if any one of the SNMP, NTP, Modbus, or Syslog services is enabled.
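An added configuration audit, not part of the module or the Schneider documentation, that encodes the defaults table, the two global policies and the note above so that an exported service map can be reviewed before it is applied. Mapping the Modbus-carrying data flows onto the note's SNMP/NTP/Modbus warning is an assumption made here.

```python
# Defaults per CS Op Mode, transcribed from the Network Services Activation table:
# service -> (Standard default, Secure default); True means Enabled.
DEFAULTS = {
    "SNMP Agent": (True, False),
    "NTP Server": (True, False),
    "IPSec": (False, True),
    "CPU to CPU Data Flows": (True, False),
    "Control Expert Data Flows to CPU only": (True, False),
    "Control Expert Data Flows to Device Network": (True, False),
    "HTTPS on control port": (False, True),
}

# Services carrying SNMP, NTP or Modbus, which the note above says are not
# inherently secure and should be encapsulated in IPSec (mapping assumed here).
NEEDS_IPSEC = {
    "SNMP Agent", "NTP Server", "CPU to CPU Data Flows",
    "Control Expert Data Flows to CPU only",
    "Control Expert Data Flows to Device Network",
}

def defaults_for(mode):
    """Service states as the module defaults them in 'Standard' or 'Secure' mode."""
    idx = {"Standard": 0, "Secure": 1}[mode]
    return {svc: vals[idx] for svc, vals in DEFAULTS.items()}

def apply_global_policy(policy):
    """Enforce Security: everything off except IPSec; Unlock Security: the reverse."""
    if policy == "Enforce Security":
        return {svc: svc == "IPSec" for svc in DEFAULTS}
    if policy == "Unlock Security":
        return {svc: svc != "IPSec" for svc in DEFAULTS}
    raise ValueError(f"unknown global policy: {policy}")

def audit(services, mode, ipsec_channels=0):
    """Review a service map against the mode defaults and the notes on this page."""
    findings = []
    base = defaults_for(mode)
    for svc, enabled in services.items():
        if enabled != base[svc]:
            state = "enabled" if enabled else "disabled"
            findings.append(f"info: {svc} is {state}, differing from the {mode} default")
    exposed = sorted(s for s in NEEDS_IPSEC if services.get(s))
    if exposed and not services.get("IPSec"):
        findings.append("warning: IPSec is disabled while services that rely on it are "
                        "enabled: " + ", ".join(exposed))
    if services.get("IPSec") and ipsec_channels == 0:
        findings.append("warning: IPSec is enabled with no IKE/IPSec channel defined; "
                        "configure the service (footnote 1)")
    if not services.get("HTTPS on control port"):
        findings.append("notice: HTTPS is disabled on the control port; web pages are "
                        "reachable there only after a cybersecurity configuration reset")
    return findings
```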

Configuring Communication for Remote Software Running on PCs (not using NAT forwarding)

The software will address the target device (e.g., the M580 CPU) using the IP address of the target device. To support this communication, set up two default gateways, as follows:

  • On the host PC running the software, using IPv4, set up a PC default gateway to the BMENUA0100 module control port IP address.

  • On the target device (e.g. the M580 CPU), using IPv4, set up a device default gateway to the BMENUA0100 module control port IP address.

  • On the host PC, add a route with the following command:

    route ADD <<destination=subnet of the target device>> MASK <<subnet mask of the target device>> <<gateway=BMENUA0100 module backplane port IP address>>

For IPv4 in all firmware versions, and for IPv6 in firmware versions 1.10 and higher, Modbus communications from the Control Expert Connect screen address the BMENUA0100 control port IP address. Gateways are not needed for this communication.

Configuring Communication for CPU to CPU Data Flows

Modbus TCP/IP communications from CPU to CPU through the BMENUA0100 module will use the BMENUA0100 module IPv4 control port address, and not the address of the target CPU.

NOTE:
  • For BMENUA0100 V1.x, the CPU to CPU forwarding is limited to Modbus TCP/IP protocol.

  • Only IPv4 – and not IPv6 – addressing supports Modbus TCP/IP CPU to CPU data flows.

Service Forwarding (IP Forwarding)

A BMENUA0100 module with firmware version 2.01 or higher includes this web page. Use it to configure the forwarding of unicast data flows that pass through the module between the control network and device network. In this web page you can create, edit, or remove a list of IP forwarding rules for the module.

NOTE: The Service Forwarding (IP Forwarding) feature does not support the following:
  • Multicast data flows.

  • EtherNet/IP implicit messaging.

As a result, this service does not support the following tasks:

  • Device discovery by the EcoStruxure Automation Device Maintenance (EADM) tool operating in automatic discovery mode (multicast). EADM device discovery using the manual discovery mode is supported.

  • Message forwarding to the PAC's local slaves (EtherNet/IP implicit messaging).

Features:

The main features of the Service/IP forwarding function are:

  • Capability to forward all data flows (“Forward All”).

  • IP forwarding of the most common protocols used in the architecture through predefined templates (e.g., Modbus, HTTPS, SNMP, …).

  • Creation and application of custom IP forwarding templates.

  • NAT (Network Address Translation) forwarding of some protocols to the local CPU if the remote IP address is the BMENUA0100 IPv4 control port address.

    NOTE: NAT forwarding applies to the following protocols: Modbus, Modbus over TLS, EIP explicit, EIP explicit over TLS, EIP implicit, OPC UA Client.
  • The option to use, or not use, IPSEC for protocols forwarded by NAT. Refer to the recommendations set forth in the notes at the end of the IPSEC section, below.

NOTE:
  • If several BMENUA0100 modules are placed in the same rack, configure only one BMENUA0100 module with the forwarding function.

  • Multicast data flows are not forwarded.

  • An online update of IP Forwarding rules may cause some ongoing communications to stop with resulting loss of messages.

  • For Service Forwarding (IP Forwarding) to succeed, the destination IP network needs to be different from the source IP network. For example, it is not possible to execute IP Forwarding between:

    • Source IP network 192.168.x.x (Mask 255.255.0.0) and

    • Destination IP network 192.168.x.x (Mask 255.255.0.0).

  • The value of OPC UA Listening port needs to be the same for all BMENUA0100 modules communicating together (for example, in the case of OPC UA NAT forwarding between several BMENUA0100 modules).

  • Activating the FTP protocol opens a range of TCP ports, from 1024 to 65535. As a result, other protocols with TCP ports in this range may also be forwarded. It is recommended to enable forwarding of the FTP protocol only temporarily when it is required.

    • Activating the TFTP protocol as a custom rule causes the same result as activating the FTP protocol. It is recommended to enable forwarding of the TFTP protocol only temporarily when it is required.

Refer to the following topics for more information about Service (IP) Forwarding architectures:

IP Forwarding and OPC UA Communication

Both IP Forwarding and OPC UA compete for the BMENUA0100 module’s available communication bandwidth. For performance test results describing the impact of IP Forwarding, OPC UA communications, confidentiality settings, and custom rules on bandwidth, refer to the chapter IP Forwarding and OPC UA Communication.

Creating Rules:

  • To create either a predefined rule or a custom rule, click New Forwarding, and complete the settings that define that rule.

    NOTE: When you select a service name, the port number and protocol are automatically assigned their default settings. These can be edited as required.
  • To edit an existing rule, click the pencil icon, and edit its settings.

  • To remove an existing rule, click the trash container icon.

Set Forward All to OFF to apply the listed rules. If you set Forward All to ON:

  • The rules are suspended and the module forwards all protocols;

  • You cannot configure forwarding for individual services, and

  • All services will be forwarded over IPSec if IPSec is enabled.

Each rule is defined by the following fields:

Setting

Description

Service name

The following services are pre-defined:

  • Modbus

  • FTP

  • EIP explicit

  • ICMP

  • NTP / SNTP

  • SNMP

  • SNMP trap

  • HTTPS

  • Modbus over TLS

  • EIP explicit over TLS

  • LDAP Start TLS

  • Syslog

  • HTTP

  • DPWS meta data

  • OPC UA (for OPC UA client)

  • DNP3

  • DNP3 over TLS

  • IEC 60870

  • IEC 60870 over TLS

  • EIP Implicit

NOTE: For OPC UA, the port number is the OPC UA port set in Control Expert for the BMENUA0100 module.

Port Number (1)

The port associated with the service.

Protocol (1)

The protocol associated with the service.

IPSec use

  • true : the protocol is carried over IPSec.

  • false: the protocol is not carried over IPSec, even if IPSec is activated in the configuration.

This selection is available only when IPSec is enabled.

NOTE: It is recommended that you:
  • Do not use IPSec for natively secured protocols (e.g., Modbus over TLS, EIP explicit over TLS, DNP3 over TLS, IEC 60870 over TLS).

  • Do use IPSEC for non-natively secured protocols (e.g., Modbus, EIP explicit, OPC UA client, EIP IO).

Inbound Interface

  • Control Port: if the remote Client request is received on Control Port (e.g.: Modbus TCP/IP request from Control Expert).

  • Backplane Port: if the remote Client request is received on Backplane Port (e.g., Modbus TCP Request from a PLC Function block).

  • Both: if the remote Client request can be received on both Control and Backplane Port (e.g.: Modbus TCP/IP request from Control Expert + Modbus TCP Request from a PLC Function block).

(1) Auto-filled, but editable, for predefined service names.
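An added validator, example code rather than the module's own, for the rule fields and the notes of this section: it checks the distinct-network requirement using the page's 192.168.x.x case, the IPSec use recommendations, the FTP/TFTP port-range caveat, the IPSec-enabled precondition and the Forward All behaviour. The port and protocol values in the test data are constructed samples, not the module's auto-filled defaults; the overlap check is stricter than the page's example and is marked as such.

```python
import ipaddress
from dataclasses import dataclass

# Protocol groups from the IPSec use recommendation above.
NATIVELY_SECURE = {"Modbus over TLS", "EIP explicit over TLS", "DNP3 over TLS", "IEC 60870 over TLS"}
NOT_NATIVELY_SECURE = {"Modbus", "EIP explicit", "OPC UA", "EIP Implicit"}
INTERFACES = {"Control Port", "Backplane Port", "Both"}

@dataclass
class ForwardingRule:
    service: str
    port: int
    protocol: str      # "TCP" or "UDP"
    ipsec_use: bool
    inbound: str       # one of INTERFACES

def check_networks(control_net, device_net):
    """Forwarding requires the control-side and device-side IP networks to differ."""
    c = ipaddress.ip_network(control_net, strict=False)
    d = ipaddress.ip_network(device_net, strict=False)
    if c == d:
        return [f"error: control and device networks are identical ({c}); IP forwarding cannot work"]
    if c.overlaps(d):   # stricter than the page's example, added as a precaution
        return [f"warning: control ({c}) and device ({d}) networks overlap"]
    return []

def check_rule(rule, ipsec_enabled):
    out = []
    if rule.inbound not in INTERFACES:
        out.append(f"error: {rule.service}: unknown inbound interface {rule.inbound!r}")
    if not 1 <= rule.port <= 65535:
        out.append(f"error: {rule.service}: port {rule.port} out of range")
    if rule.ipsec_use and not ipsec_enabled:
        out.append(f"error: {rule.service}: IPSec use selected but the IPSec service is disabled")
    if rule.ipsec_use and rule.service in NATIVELY_SECURE:
        out.append(f"warning: {rule.service}: natively secured, IPSec use not recommended")
    if not rule.ipsec_use and rule.service in NOT_NATIVELY_SECURE:
        out.append(f"warning: {rule.service}: not natively secured, IPSec use recommended")
    if rule.service in ("FTP", "TFTP"):
        out.append(f"warning: {rule.service}: opens TCP 1024-65535 for forwarding; enable only temporarily")
    return out

def check_config(rules, control_net, device_net, ipsec_enabled, forward_all=False):
    """Review the whole Service Forwarding page: networks, Forward All, then each rule."""
    findings = check_networks(control_net, device_net)
    if forward_all:
        findings.append("notice: Forward All is ON; listed rules are suspended and every protocol is forwarded")
        return findings
    for r in rules:
        findings.extend(check_rule(r, ipsec_enabled))
    return findings
```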

IPSEC

Use IPSEC to help secure IPv4 Ethernet communication.

NOTE: IPSEC does not support IPv6 addressing.

Use these settings to configure a maximum of 8 IKE / IPSEC channels over IPv4 for the BMENUA0100 module. If more than 4 IPSec links are configured, the automatic connection to the PAC after transfer through the BMENUA0100 may not succeed. In that case, connect to the PAC manually.

Parameter

Description

IPSEC SERVICE

  • ON: Enables IPSec service.

  • OFF: Disables IPSec service.

NTP authorized outside IPSEC

  • De-selected (disabled): NTP is exchanged only through IPSEC.

  • Selected (enabled): NTP is exchanged through IPSEC if IPSEC channel is opened, and outside IPSEC if IPSEC channel is not opened.

New link

Creates a new IKE / IPSEC channel and adds it to the list for editing.

NOTE: A maximum of 8 IKE / IPSec channels are supported.

For each IKE / IPSEC channel, configure the following settings:

Remote IP address

IPv4 address of the remote IPSEC endpoint.

NOTE: The remote device needs to be accessible from the BMENUA0100 Control Port (and not from the BMENUA0100 Backplane Port).

Confidentiality

  • Selected: Communication will be encrypted.

  • De-selected: No encryption.

NOTE: Confidentiality is disabled if NTP without IPSEC is enabled.

Client type

Type of the remote IPSEC endpoint: Windows or Device.

NOTE: Default is Windows. Verify that the configured endpoint type matches the actual client.

PSK

A pre-shared key that is 32 hexadecimal characters long, the result of a random number generated by the BMENUA0100 module. It can be copied and edited in this web page.

NOTE: PSK is disabled if NTP without IPSEC is enabled.
NOTE: Configure Windows firewall settings by downloading the "Windows script" from BMENUA0100 using the Download script command for each remote IP address. If the IPSEC use setting is changed for some protocols, the Windows script needs to be downloaded again from the BMENUA0100 module and executed on Windows. For an example of Windows script, refer to the topic IPSEC Windows Scripts.
NOTE: If 8 IPSEC tunnels are configured, it may not be possible to automatically reconnect to the PAC after download of an application. In this case, reconnect manually to the PAC after the download.
NOTE: If IPSEC is activated, the local HTTPS server data flow goes outside IPSEC.
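An added check, not the module's code, for the IPSEC settings above: the channel count limits, IPv4-only remote endpoints, the client type, the 32-hexadecimal-character PSK format and the interactions with "NTP authorized outside IPSEC". generate_psk uses Python's secrets module as a stand-in for the module's random number generator.

```python
import ipaddress
import re
import secrets
from dataclasses import dataclass

MAX_CHANNELS = 8            # maximum IKE/IPSec channels per module
AUTO_RECONNECT_LIMIT = 4    # above this, automatic PAC reconnection may fail
PSK_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

@dataclass
class IpsecChannel:
    remote_ip: str
    confidentiality: bool
    client_type: str        # "Windows" or "Device"
    psk: str

def generate_psk():
    """Stand-in for the module's random PSK: 32 hexadecimal characters (16 random bytes)."""
    return secrets.token_hex(16)

def check_ipsec(service_on, ntp_outside_ipsec, channels):
    findings = []
    if not service_on:
        if channels:
            findings.append("notice: IPSec service is OFF; configured channels are not used")
        return findings
    if len(channels) > MAX_CHANNELS:
        findings.append(f"error: {len(channels)} channels configured, maximum is {MAX_CHANNELS}")
    elif len(channels) > AUTO_RECONNECT_LIMIT:
        findings.append(f"warning: more than {AUTO_RECONNECT_LIMIT} channels; reconnect to the PAC manually after a transfer")
    for n, ch in enumerate(channels, 1):
        try:
            addr = ipaddress.ip_address(ch.remote_ip)
        except ValueError:
            findings.append(f"error: channel {n}: remote IP {ch.remote_ip!r} is not a valid address")
        else:
            if addr.version != 4:
                findings.append(f"error: channel {n}: IPv6 remote endpoint; IPSec supports IPv4 only")
        if ch.client_type not in ("Windows", "Device"):
            findings.append(f"error: channel {n}: client type must be Windows or Device")
        if ntp_outside_ipsec:
            # With NTP authorized outside IPSec the page disables Confidentiality and PSK.
            findings.append(f"notice: channel {n}: Confidentiality and PSK are disabled because NTP is authorized outside IPSec")
            continue
        if not PSK_RE.match(ch.psk):
            findings.append(f"error: channel {n}: PSK must be 32 hexadecimal characters")
        if not ch.confidentiality:
            findings.append(f"warning: channel {n}: Confidentiality de-selected; traffic is not encrypted")
    findings.append("notice: the local HTTPS server data flow is carried outside IPSec")
    return findings
```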

SNMP

Use these settings to configure the SNMP version and related settings.

NOTE: In Secured mode, the SNMP version needs to be configured the same in both Control Expert and in the SNMP web page. If these settings are not the same, the SNMP service will not start.

Parameter

Description

SNMP Version

  • v1

  • v3

Security Level

For SNMP v1 and v3:

  • NoAuthNoPriv: Communication without authentication or privacy.

    NOTE: For SNMP v1, this is the only available setting.

For SNMP v3 only:

  • AuthNoPriv: Communication with authentication but without privacy. The authentication protocol is SHA (Secure Hash Algorithm).

  • AuthPriv: Communication with both authentication and privacy. The protocols used are:

    • Authentication: SHA.

    • Privacy: AES (Advanced Encryption Standard).

Authentication Password

If authentication is enabled, enter a case-sensitive authentication password. It can contain from 8 to 12 characters, and can include alphanumeric characters (uppercase letters, lowercase letters, and numbers) as indicated by the web page tool tip.

Privacy Password

If privacy is enabled, enter a case-sensitive privacy password. It must contain 8 characters, and can include alphanumeric characters (uppercase letters, lowercase letters, and numbers) as indicated by the web page tool tip.

OPC UA

Use these settings to configure the connection for the OPC UA server embedded in the BMENUA0100 module:

Parameter

Description

Message Security mode

  • Sign&Encrypt (default): Each message is given a signature and is encrypted.

  • Sign: A signature is applied to each message.

  • None: No security policy is applied. In this case, the following two fields are disabled.

NOTE: When None is selected, the User Identifier token type in the BMENUA0100 module is defined as Anonymous. In this case, you also need to configure the user identifier token type in the OPC UA client to Anonymous.

Security Policy

  • Basic256Sha256 (default): Defines a security policy for configurations with a valid crypto suite.

  • Basic256: Defines a security policy for configurations with a deprecated crypto suite.

    NOTE: This selection is not used unless needed for interoperability with a remote client.
  • Basic128Rsa15: Defines a security policy for configurations with a deprecated crypto suite.

    NOTE: This selection is not used unless needed for interoperability with a remote client.

User Identifier token types

  • Anonymous: No user information is available.

  • User Name (default): User is identified by username & password.

NOTE: Cybersecurity configuration changes to the OPC UA server settings cause the server to restart and apply the new settings. As a result, if one or more OPC UA sessions exist when configuration changes are made, these sessions are suspended. When the SessionTimeout period expires, these sessions finally will be closed. The SessionTimeout is part of the OPC UA SCADA client configuration.
NOTE: If the OPC UA server Message Security Mode setting is initially configured for Sign&Encrypt or Sign and an OPC UA client establishes a connection, and you subsequently set the OPC UA server Message Security Mode setting to None, an OPC UA client (with its Message Security Mode setting also set to None) cannot establish a connection to the server.

To re-establish a connection:

  1. Disconnect your current OPC UA clients.

  2. Change the OPC UA configuration in BMENUA0100 web page.

  3. Wait while the BUSY LED is ON (yellow) until it turns OFF.

  4. For the OPC UA clients, change their configuration (Message Security Mode) to the same setting used for the OPC UA server.

  5. Reconnect the OPC UA clients to the server.

Security Banner

This page contains editable text that is displayed when a user accesses the BMENUA0100 module web pages:

Parameter

Description

Banner text

A string of up to 128 characters that is displayed to a user on the login page. The following editable text is displayed by default:

“Unauthorized use of the system is prohibited and subject to criminal and/or civil penalties.”