Sunny Gill

(NO) SCADA Traffic Logs in Application Control

Blog post created by Sunny Gill on Jun 22, 2018


In a few POC scenarios (though the same thing could equally happen in a live environment) I have come across SMB appliances that were not enforcing or logging any rules belonging to deep-inspection blades such as Application Control.

(In my specific cases these were 1200R POCs in which the Application Control logs were not classifying any SCADA applications at all.)

In the POCs where this has presented itself, the SMB appliance was usually deployed in bridge mode, i.e. LAN-to-LAN, with enforcement and logging expected on the bridged interfaces (the bridge group) rather than on the typical LAN-to-WAN path.

By default, LAN-to-LAN (and LAN-to-DMZ) traffic is not inspected by deep-inspection Software Blades such as Application Control on Embedded Gaia appliances; only the usual LAN-to-WAN path gets DPI. To turn this inspection on, follow these instructions.


For Locally Managed appliances:
1. Open WebUI.
2. Go to Device tab.
3. Open Advanced Settings Page.
4. Open "Stateful Inspection -> Allow LAN-LAN DPI" or "Stateful Inspection -> Allow LAN-DMZ DPI" attribute.
5. Select the checkbox.
6. Click "Apply".

For Centrally Managed appliances:
1. Connect to Security Management Server with GuiDBedit Tool.
2. Under Global Properties -> properties -> firewall_properties, find the property called "dpi_lan_lan" (or "dpi_lan_dmz").
3. Set the relevant property to "true".
4. Save the changes: in the 'File' menu, click 'Save All'.
5. Close the GuiDBedit Tool.
6. Install the policy on your device.
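Once the setting is applied, you want a quick way to confirm that LAN-to-LAN flows actually receive an application classification rather than trusting the checkbox. The script below is an added example, not code from the original post or from Check Point: it takes exported Application Control log records, buckets each flow by direction (LAN-LAN, LAN-WAN, ...) using a list of LAN prefixes you supply, and reports how many flows in each direction carry an app name. The record field names (src, dst, service, proto, app_name), the LAN prefixes and both sets of sample records are constructed assumptions loosely modelled on Check Point log fields; adapt them to whatever your export actually contains.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN prefixes for the bridged OT segment(s). Replace with your own;
# if your export carries interface or zone fields, prefer those over addresses.
LAN_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),     # assumed SCADA/OT LAN
    ipaddress.ip_network("192.168.50.0/24"),  # assumed second LAN segment
]

# Constructed sample records (not real appliance output). "BEFORE_FIX" shows the
# symptom from the post: LAN-LAN SCADA flows logged with no app classification,
# while the LAN-WAN flow is classified as usual.
BEFORE_FIX = [
    {"src": "10.10.1.20",   "dst": "10.10.2.5",    "service": 502,   "proto": "tcp", "app_name": ""},               # Modbus/TCP, PLC -> HMI
    {"src": "10.10.1.21",   "dst": "10.10.2.5",    "service": 20000, "proto": "tcp", "app_name": ""},               # DNP3
    {"src": "192.168.50.9", "dst": "10.10.2.5",    "service": 502,   "proto": "tcp", "app_name": ""},               # Modbus/TCP from second LAN
    {"src": "10.10.3.7",    "dst": "203.0.113.10", "service": 443,   "proto": "tcp", "app_name": "Windows Update"},  # LAN -> WAN
]

# The same flows after dpi_lan_lan / "Allow LAN-LAN DPI" is enabled and policy installed.
AFTER_FIX = [
    {"src": "10.10.1.20",   "dst": "10.10.2.5",    "service": 502,   "proto": "tcp", "app_name": "Modbus"},
    {"src": "10.10.1.21",   "dst": "10.10.2.5",    "service": 20000, "proto": "tcp", "app_name": "DNP3"},
    {"src": "192.168.50.9", "dst": "10.10.2.5",    "service": 502,   "proto": "tcp", "app_name": "Modbus"},
    {"src": "10.10.3.7",    "dst": "203.0.113.10", "service": 443,   "proto": "tcp", "app_name": "Windows Update"},
]


def zone(ip: str) -> str:
    """Classify an address as LAN (inside one of LAN_NETS) or WAN (anything else)."""
    addr = ipaddress.ip_address(ip)
    return "LAN" if any(addr in net for net in LAN_NETS) else "WAN"


def direction(rec: dict) -> str:
    """Flow direction such as 'LAN-LAN' or 'LAN-WAN', derived from src and dst."""
    return f"{zone(rec['src'])}-{zone(rec['dst'])}"


def classification_summary(records) -> dict:
    """Return {direction: (total_flows, flows_with_app_name)}."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        d = direction(rec)
        totals[d][0] += 1
        if rec.get("app_name"):          # empty string or missing key counts as unclassified
            totals[d][1] += 1
    return {d: tuple(v) for d, v in totals.items()}


def lan_lan_dpi_missing(records) -> bool:
    """True when LAN-LAN traffic is present in the logs but none of it is classified,
    which is exactly the symptom the post describes."""
    total, classified = classification_summary(records).get("LAN-LAN", (0, 0))
    return total > 0 and classified == 0


def unclassified_lan_lan(records) -> list:
    """The LAN-LAN records that still lack an app name; useful to eyeball which
    SCADA flows the blade is not seeing."""
    return [rec for rec in records if direction(rec) == "LAN-LAN" and not rec.get("app_name")]


if __name__ == "__main__":
    for label, recs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, classification_summary(recs), "LAN-LAN DPI missing:", lan_lan_dpi_missing(recs))
```

Run it against a real export before and after the change: if lan_lan_dpi_missing() stays True after policy install, the setting has not taken effect on the bridge group and the traffic path (or the export's field mapping) is worth re-checking. Note that the address-based LAN/WAN split is a simplification; a real check should use the interface or zone fields where the export has them.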


As much as I'd like to take credit for the above, this solution is documented in sk102296.
