Sunny_Gill
Employee

(NO) SCADA Traffic Logs in Application Control

I have come across in a few POC scenarios, though this could be equally valid in a live environment, whereby the SMB appliance may not be enforcing or logging any rules pertaining to deep inspection blades like Application Control.

(In my specific cases, these were 1200R POCs where the Application Control blade logs were not classifying any SCADA applications.)

In the POCs I have come across where this has presented itself, it is often when the SMB appliance is in bridge mode, i.e. LAN-to-LAN, and the enforcing and logging is expected to run on these interfaces (bridge group) as opposed to a typical LAN-to-WAN setup.

By default, LAN traffic is not inspected by deep inspection blades such as the Application Control software blade on Embedded Gaia appliances. To turn this inspection on, follow these instructions.

For Locally Managed appliances:
1. Open WebUI.
2. Go to Device tab.
3. Open Advanced Settings Page.
4. Open "Stateful Inspection -> Allow LAN-LAN DPI" or "Stateful Inspection -> Allow LAN-DMZ DPI" attribute.
5. Select the checkbox.
6. Click "Apply".

For Centrally Managed appliances:
1. Connect to Security Management Server with GuiDBedit Tool.
2. Under Global Properties -> properties -> firewall_properties, find a property called "dpi_lan_lan" or "dpi_lan_dmz".
3. Set the relevant property to "true".
4. Save the changes: go to the 'File' menu and click 'Save All'.
5. Close the GuiDBedit Tool.
6. Install Policy on your device.

As much as I'd like to take credit for the above, you can find this solution documented in SK102296.
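Once LAN-LAN DPI is on, the quickest confirmation is to look for flows on the bridge that still appear as plain firewall accepts with no Application Control classification. The script below is an added example, not from this thread or from Check Point; it assumes a simplified log export of one record per line as semicolon-separated key=value pairs (the field names and sample records are constructed for illustration).

```python
# Added example (not the thread's or Check Point's own code). Flags SCADA flows
# that reached the appliance but carry no Application Control classification,
# which is the symptom described above before "Allow LAN-LAN DPI" is enabled.
# Log format is an assumption: one record per line, semicolon-separated key=value.

# Well-known ICS/SCADA TCP ports used to pick out the flows of interest.
SCADA_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
}

# Constructed sample records: the first two show PLC-to-HMI traffic logged by
# the firewall only (no app_name); the last two show the same flows once the
# Application Control blade classifies them.
SAMPLE_LOGS = """\
time=10:01:02;product=Firewall;src=192.168.10.5;dst=192.168.10.20;service=502;proto=tcp;action=accept
time=10:01:03;product=Firewall;src=192.168.10.5;dst=192.168.10.21;service=20000;proto=tcp;action=accept
time=10:15:40;product=Application Control;src=192.168.10.5;dst=192.168.10.20;service=502;proto=tcp;app_name=Modbus;action=accept
time=10:15:41;product=Application Control;src=192.168.10.5;dst=192.168.10.21;service=20000;proto=tcp;app_name=DNP3;action=accept
"""


def parse_record(line: str) -> dict:
    """Split one semicolon-delimited key=value record into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # values may themselves contain '='
            fields[key] = value
    return fields


def unclassified_scada_flows(log_text: str) -> list:
    """Return (src, dst, port, protocol) for flows to SCADA ports whose record
    has no app_name, i.e. traffic that deep inspection did not classify."""
    missing = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        try:
            port = int(rec.get("service", ""))
        except ValueError:
            continue  # non-numeric or absent service field: skip the record
        if port in SCADA_PORTS and not rec.get("app_name"):
            missing.append((rec.get("src", "?"), rec.get("dst", "?"), port, SCADA_PORTS[port]))
    return missing


if __name__ == "__main__":
    for src, dst, port, name in unclassified_scada_flows(SAMPLE_LOGS):
        print(f"{src} -> {dst}:{port} ({name}): firewall log only, no App Control classification")
```

If the list is still non-empty for bridge-group traffic after policy install, the DPI attribute has not taken effect on those interfaces.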

2 Replies
PhoneBoy
Admin

Wonder if this will also be helpful for mirror port situations?

Danny_Yang
Ambassador

We faced a similar situation in an ICS PoC. Jarvis LinSung-Lun Yang

The deployment scenario is PLC-1200R-HMI in bridge mode, locally managed.

We will try to modify the setting per your suggestion.

Thanks!
