Summary of Contents for Siemens SIMATIC NET SCALANCE S615
SIMATIC NET Industrial Ethernet Security, SCALANCE S615, Web Based Management, Configuration Manual, 05/2015, C79000-G8976-C388-02. Chapters: Preface; Description; Technical basics; Security recommendation; Configuring with Web Based Management; Service and maintenance.
Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
Based on examples, this document explains the configuration of the SCALANCE S615. ● Operating Instructions SCALANCE S615 You will find this document on the Internet pages of Siemens Industry Online Support. It contains information on installation, connecting up and approvals of the SCALANCE S615.
Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept.
Preface. Firmware: The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be loaded onto the device. License conditions, note on open source software: Read the license conditions for open source software carefully before using the product.
Preface. Trademarks: The following names, and possibly others not identified by the registered trademark sign ®, are registered trademarks of Siemens AG: SCALANCE.
Description 1.1 Function. Configuration: all parameters are configured using ● Web Based Management (WBM) via HTTP and HTTPS ● Command Line Interface (CLI) via Telnet and SSH. HTTP and Telnet carry credentials in cleartext; prefer HTTPS and SSH and disable the cleartext variants once the device is commissioned (see the Security recommendation chapter). Security functions ● Router with NAT function – IP masquerading – NAPT – Source NAT –...
Description 1.1 Function Monitoring / diagnostics / maintenance ● LEDs Display of operating statuses via the LED display. You will find further information on this in the Operating Instructions of the device. ● Logging For monitoring have the events logged. ●...
Description 1.2 Requirements for operation Requirements for operation Power supply A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current. You will find further information on this in the device-specific operating instructions. Configuration In the factory settings, the SCALANCE S615 can be reached as follows for initial configuration: Default values set in the factory...
Description 1.3 Configuration examples 1.3.1 TeleControl with SINEMA RC In this configuration, the remote maintenance master station is connected to the Internet/intranet via the SINEMA Remote Connect Server. The stations communicate via SCALANCE M874 or SCALANCE S615 devices that establish a VPN tunnel to the SINEMA RC server.
Description 1.3 Configuration examples Procedure To be able to access a plant via a remote maintenance master station, follow the steps below: 1. Establish the Ethernet connection between the S615 and the connected Admin PC. 2. Create the devices and node groups on the SINEMA RC Server. 3.
Description 1.3 Configuration examples 1.3.2 Secure access with S615 Secure remote access and network segmentation with SCALANCE S615 A secure connection for data exchange between an automation plant and remote stations will be established via the Internet and mobile wireless network. At the same time, a secure connection will be established when necessary for service purposes.
WBM and CLI. Note: If the digital input changes status, an entry is made in the event log table. ● OID of the private MIB variable snMspsDigitalOutputLevel: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDigitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalOutputTable(3).snMspsDigitalOutputEntry(1).snMspsDigitalOutputLevel(6) ● Values of the MIB variable –...
Using the private MIB variable snMspsDigitalInputLevel, you can read out the status of the digital input. Note: If the digital output changes status, an entry is made in the event log table. ● OID of the private MIB variable snMspsDigitalInputLevel: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDigitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2).snMspsDigitalInputEntry(1).snMspsDigitalInputLevel(6) ● Values of the MIB variable –...
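The manual prints OIDs in the named form "iso(1).org(3)...", often wrapped across lines, while snmpget/snmpwalk and most monitoring tools expect the dotted numeric form. The converter below is an added example, not part of the Siemens manual; it strips the line-wrap whitespace, validates each arc, and checks that the result lies under the Siemens enterprise arc 1.3.6.1.4.1.4329 given on the page.

```python
import re

# One arc of the named notation: name followed by its number in parentheses.
_ARC = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\((\d+)\)$")

# Enterprise prefix of the private MIB quoted in the manual: siemens(4329).
SIEMENS_ENTERPRISE = "1.3.6.1.4.1.4329"


def named_oid_to_numeric(named: str) -> str:
    """Convert 'iso(1).org(3).dod(6)...' into the dotted numeric OID.

    Whitespace anywhere in the string is removed first, because the manual
    wraps long OIDs across lines in the middle of an arc name.
    """
    numbers = []
    for part in "".join(named.split()).split("."):
        m = _ARC.match(part)
        if not m:
            raise ValueError(f"malformed OID arc {part!r}")
        numbers.append(m.group(2))
    return ".".join(numbers)


def is_siemens_private(oid: str) -> bool:
    """True if the numeric OID sits below the Siemens enterprise arc."""
    return oid == SIEMENS_ENTERPRISE or oid.startswith(SIEMENS_ENTERPRISE + ".")


# The two OIDs from the manual, copied with their line-wrap breaks intact.
DIGITAL_OUTPUT_LEVEL = (
    "iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329)."
    "industria lComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1)."
    "snMspsDi gitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalOutputTable(3)."
    "snMspsDigitalOut putEntry(1).snMspsDigitalOutputLevel(6)"
)
DIGITAL_INPUT_LEVEL = (
    "iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329)."
    "industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1)."
    "snMspsDigitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2)."
    "snMspsDigitalInputEntry(1).snMspsDigitalInputLevel(6)"
)

if __name__ == "__main__":
    for name, named in (("output", DIGITAL_OUTPUT_LEVEL), ("input", DIGITAL_INPUT_LEVEL)):
        oid = named_oid_to_numeric(named)
        print(name, oid, "siemens" if is_siemens_private(oid) else "foreign")
```

The numeric OID identifies the table column; to read one row you still append the row index of the digital I/O table entry, which the summary page does not give.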
Technical basics IPv4 address, subnet mask and address of the gateway Range of values for IPv4 address The IPv4 address consists of four decimal numbers with the range from 0 to 255, each number separated by a period; example: 141.80.0.16 IPv4 address format - notation An IPv4 address consists of 4 bytes.
Technical basics 2.1 IPv4 address, subnet mask and address of the gateway Relationship between the IPv4 address and subnet mask The first decimal number of the IPv4 address (from the left) determines the structure of the subnet mask with regard to the number of "1" values (binary) as follows (where "x" is the host address): First decimal number of the IPv4 address Subnet mask...
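The relationship the table describes is the classful default: the first octet of the address decides how many leading "1" bits the device proposes for the subnet mask. The following is an added example, not code from the Siemens manual; it derives that default mask and then checks the three values a practitioner enters together (address, mask, gateway) for the mistakes that most often leave a device unreachable: an address that is the network or broadcast address, or a gateway that is not inside the device's own subnet. The `check_addressing` function and its messages are this example's own.

```python
import ipaddress


def default_mask(ip: str) -> str:
    """Classful default subnet mask derived from the first decimal number of the address."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "255.0.0.0"          # 8 leading "1" bits
    if 128 <= first <= 191:
        return "255.255.0.0"        # 16 leading "1" bits
    if 192 <= first <= 223:
        return "255.255.255.0"      # 24 leading "1" bits
    raise ValueError(f"no classful default mask for first octet {first}")


def check_addressing(ip, mask, gateway):
    """Return a list of problems with an IPv4 address / subnet mask / gateway triple.

    mask may be dotted ("255.255.0.0") or a prefix length ("16");
    None means "use the classful default for this address".
    """
    problems = []
    if mask is None:
        mask = default_mask(ip)
    try:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        host = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid value: {exc}"]
    edge = (net.network_address, net.broadcast_address)
    # /31 and /32 have no separate network/broadcast addresses
    if net.prefixlen < 31 and host in edge:
        problems.append("device address is the network or broadcast address")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net.with_prefixlen}")
    elif net.prefixlen < 31 and gw in edge:
        problems.append("gateway is the network or broadcast address")
    if gw == host:
        problems.append("gateway equals the device address")
    return problems


if __name__ == "__main__":
    # constructed values; 141.80.0.16 is the manual's own example address
    print(default_mask("141.80.0.16"), check_addressing("141.80.0.16", None, "141.80.0.1"))
    print(check_addressing("192.168.1.10", "255.255.255.0", "192.168.2.1"))
```

The classful default is only what the device proposes; a mask entered explicitly (or received via DHCP) overrides it, which is why `check_addressing` accepts any mask rather than recomputing it.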
Technical basics 2.2 VLAN VLAN 2.2.1 VLAN Network definition regardless of the spatial location of the nodes VLAN (Virtual Local Area Network) divides a physical network into several logical networks that are shielded from each other. Here, devices are grouped together to form logical groups. Only nodes of the same VLAN can address each other.
Technical basics 2.2 VLAN 2.2.2 VLAN tagging Expansion of the Ethernet frames by four bytes For CoS (Class of Service, frame priority) and VLAN (virtual network), the IEEE 802.1Q standard defined the expansion of Ethernet frames by adding the VLAN tag. Note The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.
Technical basics 2.2 VLAN Tag Control Information (TCI) The 2 bytes of the Tag Control Information (TCI) contain the following information: CoS prioritization The tagged frame has 3 bits for the priority that is also known as Class of Service (CoS). The priority according to IEEE 802.1p is as follows: CoS bits Type of data...
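To make the tag layout concrete, here is an added example (not code from the Siemens manual) that encodes and decodes the four added bytes: the 0x8100 TPID followed by the 2-byte TCI with its 3 priority bits, 1 drop-eligible bit and 12-bit VLAN ID. It also applies the two length limits from the note above and flags a VID of 0, which is a priority-only tag. The sample frame and its MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
UNTAGGED_MAX = 1518        # maximum frame length without a tag (including FCS)
TAGGED_MAX = UNTAGGED_MAX + 4


def build_tag(pcp: int, dei: int, vid: int) -> bytes:
    """Encode the 4-byte tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("pcp must be 0..7, dei 0 or 1, vid 0..4095")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and, if present, the 802.1Q tag behind it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        info.update({
            "tagged": True,
            "pcp": tci >> 13,             # Class of Service priority (IEEE 802.1p)
            "dei": (tci >> 12) & 1,       # drop eligible indicator (CFI in older texts)
            "vid": vid,                   # VLAN identifier
            "priority_tagged": vid == 0,  # VID 0: the tag carries only a priority
        })
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    limit = TAGGED_MAX if info["tagged"] else UNTAGGED_MAX
    info["too_long"] = len(frame) > limit
    return info


def sample_frame() -> bytes:
    """Constructed sample: broadcast IPv4 frame, PCP 5, VLAN 100, made-up source MAC."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001b1b000001")
    payload = b"\x45" + b"\x00" * 19
    return dst + src + build_tag(5, 0, 100) + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```

A switch port that strips tags on egress removes exactly these four bytes, so a frame that was legal at 1522 bytes on a trunk is back within 1518 on an access port.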
Technical basics 2.3 NAT NAT (Network Address Translation) is a method of translating IP addresses in data packets. With this, two different networks (internal and external) can be connected together. A distinction is made between source NAT in which the source IP address is translated and destination NAT in which the destination IP address is translated.
Technical basics 2.3 NAT Port forwarding can be used to allow external nodes access to certain services of the internal network e.g. FTP, WBM. You configure NAPT in "Layer 3" > "NAT" > "NAPT (Page 139)". Source NAT As in masquerading, in source NAT the source address is translated. In addition to this, the outgoing data packets can be restricted.
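The difference between masquerading, which only lets replies to tracked outbound flows back in, and port forwarding, which opens an internal service to anyone outside, is easiest to see in a small model of the translation table. The following is an added example, not code from the Siemens manual: a toy NAPT router keyed on the full 5-tuple, so that a reply is accepted only from the peer the internal host actually talked to, while a static forward admits any source. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """Toy stateful NAPT: masquerading for outbound flows plus static port forwarding."""

    def __init__(self, external_ip, port_forwards=None, first_port=40000):
        self.external_ip = external_ip
        # (proto, external port) -> (internal ip, internal port)
        self.port_forwards = dict(port_forwards or {})
        self._ports = count(first_port)
        # (proto, int_ip, int_port, remote_ip, remote_port) -> external port
        self.outbound = {}
        # (proto, external port, remote_ip, remote_port) -> (int_ip, int_port)
        self.inbound = {}

    def outbound_packet(self, p: Packet):
        """Translate a packet leaving the internal network (source NAT / masquerading)."""
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self._ports)
            self.outbound[key] = ext_port
            self.inbound[(p.proto, ext_port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.external_ip, ext_port, p.dst_ip, p.dst_port, p.proto)

    def inbound_packet(self, p: Packet):
        """Translate a packet arriving on the external interface; None means dropped."""
        # 1. reply to a tracked outbound flow: only the original peer matches
        target = self.inbound.get((p.proto, p.dst_port, p.src_ip, p.src_port))
        if target is None:
            # 2. static port forward: any external source is admitted
            target = self.port_forwards.get((p.proto, p.dst_port))
            if target is not None:
                # remember the flow so the server's replies leave with the forwarded port
                self.outbound[(p.proto, target[0], target[1], p.src_ip, p.src_port)] = p.dst_port
        if target is None:
            return None
        return Packet(p.src_ip, p.src_port, target[0], target[1], p.proto)


if __name__ == "__main__":
    nat = Napt("198.51.100.1", port_forwards={("tcp", 8080): ("192.168.0.20", 80)})
    print(nat.outbound_packet(Packet("192.168.0.10", 51000, "203.0.113.5", 443)))
    print(nat.inbound_packet(Packet("203.0.113.5", 443, "198.51.100.1", 40000)))
    print(nat.inbound_packet(Packet("198.18.0.9", 12345, "198.51.100.1", 8080)))
```

A forwarded port is therefore an exposure, not just a convenience: everything that reaches the external address on that port lands on the internal service, so the forward should be paired with a firewall rule that limits the permitted sources.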
Technical basics 2.4 SNMP SNMP Introduction With the aid of the Simple Network Management Protocol (SNMP), you monitor and control network components from a central station, for example routers or switches. SNMP controls the communication between the monitored devices and the monitoring station. Tasks of SNMP: ●...
Technical basics 2.4 SNMP The management station sends data packets of the following type: ● GET Request for a data record from the agent ● GETNEXT Calls up the next data record. ● GETBULK (available as of SNMPv2) Requests multiple data records at one time, for example several rows of a table. ●...
Technical basics 2.5 Security functions Security functions 2.5.1 Firewall The security functions of the device include a stateful inspection firewall. This is a method of packet filtering or packet checking. The IP packets are checked based on firewall rules in which the following is specified: ●...
Technical basics 2.5 Security functions 2.5.2 IPsecVPN The device is capable of establishing up to 20 IPsecVPN connections to a remote network. You configure the IPsec connections in "Security" > " IPsec VPN (Page 159)". With IPsecVPN, the frames are transferred in tunnel mode. To allow the device to establish a VPN tunnel, the remote network must have a VPN gateway as the partner.
Technical basics 2.5 Security functions ● The Security Association (SA) contains the specifications negotiated between the partners, e.g. the lifetime of the key, the encryption algorithm, the period for renewed authentication etc. ● Internet Key Exchange (IKE) is a key exchange method. The key exchange takes place in two phases: –...
Technical basics 2.5 Security functions Encryption methods The device also supports the following methods: ● 3DES-168 ● AES-128 AES-128 is a commonly used method and is therefore set as default. ● AES-192 ● AES-256 3DES-168 is a legacy algorithm with a 64-bit block size; select it only if the VPN partner cannot use AES. Requirements of the VPN partner The VPN partner must support IPsec with the following configuration to be able to establish an IPsec connection successfully: ●...
Technical basics 2.5 Security functions 2.5.3 Certificates Certificate types The device uses different certificates to authenticate the various nodes. The table lists each certificate and where it is used: ● CA certificate: a certificate issued by a Certificate Authority, from which the server, device and partner certificates are derived. Used in IPsecVPN (Page 164).
● Keep the software up to date. Check regularly for security updates of the product. You will find information on this at: Link to the area "Industrial Communication" (http://support.automation.siemens.com/WW/view/en/10805878/133400) ● Only activate protocols that you really require to use the device.
Security recommendation ● Make sure that all passwords are protected and inaccessible to unauthorized personnel. ● Do not use the same password for different users and systems or after it has expired. Keys and certificates This section deals with the security keys and certificates you require to set up SSL, IPsec and SINEMA RC.
Security recommendation Available protocols per port The following list provides you with an overview of the open ports on this device. Keep this in mind when configuring a firewall. The table includes the following columns: ● Protocol All protocols that the device supports ●...
Configuring with Web Based Management Web Based Management How it works The device has an integrated HTTP server for Web Based Management (WBM). If a device is addressed with a Web browser, it returns HTML pages to the Admin PC depending on the user input.
Configuring with Web Based Management 4.1 Web Based Management ● If a firewall is used, the relevant ports must be opened. – For access using HTTP: Port 80 – For access using HTTPS: Port 443 HTTP sends the login credentials in cleartext; open port 80 only where HTTPS cannot be used. ● The display of the WBM was tested with the following desktop Web browsers: –...
Configuring with Web Based Management 4.2 Starting and logging in Establishing a connection to a device Follow the steps below to establish a connection to a device using an Internet browser: 1. Make sure there is a connection between the device and the Admin PC. With the ping command, you can check whether or not a connection exists.
Configuring with Web Based Management 4.2 Starting and logging in Logon with HTTP There are two ways in which you can log on via HTTP. You either use the logon option in the center of the browser window or the logon option in the upper left area of the browser window.
Configuring with Web Based Management 4.2 Starting and logging in 4. Click the "Login" button or confirm your entry with "Enter". When you log on for the first time or following a "Restore Factory Defaults and Restart", you will be prompted to change the password. The new password should meet the following password policies: –...
Configuring with Web Based Management 4.3 "Information" menu "Information" menu 4.3.1 Start page View of the Start page When you enter the IP address of the device, the start page is displayed after a successful login. General layout of the WBM page The following areas are available on every WBM page: ●...
4.3 "Information" menu Selection area (1) The following is available in the selection area: ● Logo of Siemens AG ● Display of: "System Location/System Name". – "System Location" contains the location of the device. With the settings when the device ships, the IP address of the Ethernet interface is displayed.
Configuring with Web Based Management 4.3 "Information" menu ● Drop-down list for language selection ● System time and date You can change the content of this display in "System" > "System Time". Display area (2) In the left-hand part of the display area, the full title of the currently selected menu item is always displayed.
Configuring with Web Based Management 4.3 "Information" menu Content area (4) In the navigation area, click a menu to display the pages of the WBM in the content area. Below the device image, the following entries are possible: ● System Name: System name of the device ●...
Configuring with Web Based Management 4.3 "Information" menu ● Save entries with "Set Values" WBM pages in which you can make configuration settings have a "Set Values" button at the lower edge. The button only becomes active if you change at least one value on the page.
Configuring with Web Based Management 4.3 "Information" menu 4.3.2 Versions This WBM page shows the versions of the hardware and software of the device. Description Table 1 has the following columns: ● Hardware – Basic Device Shows the basic device ●...
Configuring with Web Based Management 4.3 "Information" menu 4.3.3 ARP Table Assignment of MAC address and IP address With the Address Resolution Protocol (ARP), there is a unique assignment of MAC address to IP address. This assignment is kept by each network node in its own separate ARP table. The WBM page shows the ARP table of the device.
Configuring with Web Based Management 4.3 "Information" menu 4.3.4 Log tables 4.3.4.1 Event log Logging events The WBM page shows the system events that have occurred in the form of a table. Some of the system events can be configured in "System > Events", for example if the connection status of a port has changed.
Configuring with Web Based Management 4.3 "Information" menu The table has the following columns: ● Restart Counts the number of restarts since you last reset to factory settings and shows the device restart after which the corresponding event occurred. ● System Up Time Shows the time the device has been running since the last restart when the described event occurred.
Configuring with Web Based Management 4.3 "Information" menu 4.3.4.2 Security log The WBM page shows the events that occurred during communication via a secure VPN tunnel in the form of the table. Description ● Severity Filters You can filter the entries in the table according to severity. To display all messages, enable or disable all parameters.
Page 52
Configuring with Web Based Management 4.3 "Information" menu ● System time Shows the system time of the device. If no system time is set, the box displays "Date/time not set". ● Severity Shows the severity of the event. ● Log Message Displays a brief description of the event that has occurred.
Configuring with Web Based Management 4.3 "Information" menu 4.3.4.3 Firewall log The firewall log logs the events that occurred on the firewall. When you create firewall rules, you can specify the event severity with which they are logged. Description ● Severity Filters You can filter the entries in the table according to severity.
Configuring with Web Based Management 4.3 "Information" menu ● Severity Shows the severity of the event. ● Log Message Displays a brief description of the event that has occurred. Description of the button "Clear" button Click this button to delete the content of the log file. The display is also cleared. The restart counter is only reset after you have restored the device to the factory settings and restarted the device.
Configuring with Web Based Management 4.3 "Information" menu 4.3.5 Faults Error status This page shows errors that occur that are configured in "Events" and "Fault Monitoring". Errors of the "Cold/Warm Start" event can be deleted following confirmation. If there are no more unanswered error/fault messages, the fault LED goes off. The time calculation always begins after the last system start.
Configuring with Web Based Management 4.3 "Information" menu 4.3.6 DHCP Server This page shows whether IPv4 addresses were assigned to the devices by the DHCP server. Description ● IP Address Shows the IPv4 address assigned to the device. ● Pool ID Shows the number of the IPv4 address band.
Configuring with Web Based Management 4.3 "Information" menu 4.3.7 LLDP Status of the neighborhood table This page shows the current content of the neighborhood table. This table stores the information that the LLDP agent has received from connected devices. You set the interfaces via which the LLDP agent receives or sends information in the following section: "Layer 2 >...
Configuring with Web Based Management 4.3 "Information" menu – DOCSIS Cable Device – WLAN Access Point – Repeater – Station – Other ● Port ID Port of the device with which the IE switch is connected. 4.3.8 Routing table Introduction This page shows the routing table of the device.
Configuring with Web Based Management 4.3 "Information" menu ● Metric Shows the metric of the route. The higher the value, the longer packets require to their destination. ● Routing Protocol Shows the routing protocol from which the entry in the routing table originates. The following entries are possible: –...
Configuring with Web Based Management 4.3 "Information" menu ● Rekey Time Shows when the validity of the key elapses. ● Status Shows the status of the VPN connection. 4.3.10 SINEMA RC Shows information on SINEMA RC Server. Note This function can only be used with a KEY-PLUG. Description ●...
Configuring with Web Based Management 4.3 "Information" menu ● Tunnel Interface Address Shows the IP address of the virtual tunnel interface. ● Connected Local Subnet(s) Shows the IP address of the local subnet. Is only displayed when the option "Connected local subnets"...
Configuring with Web Based Management 4.4 "System" menu "System" menu 4.4.1 Configuration System configuration The WBM page contains the configuration overview of the access options of the device. Specify the services that access the device. With some services, there are further configuration pages on which more detailed settings can be made.
Configuring with Web Based Management 4.4 "System" menu ● "Syslog Client" check box Enable or disable the Syslog client. You can configure other settings in "System > Syslog Client". ● "DCP Server" drop-down list Specify whether or not the device can be accessed with DCP (Discovery and Configuration Protocol): –...
Configuring with Web Based Management 4.4 "System" menu ● "SNMPv1 Traps" check box Enable or disable the sending of traps (alarm frames). You can configure other settings in "System > SNMP > Traps". ● "Configuration Mode" drop-down list: Select the mode from the drop-down list. The following modes are possible: –...
Configuring with Web Based Management 4.4 "System" menu 4.4.2 General 4.4.2.1 Device This WBM page contains the general device information. Description The WBM page contains the following boxes: ● Current System Time Shows the current system time. The system time is either set by the user or by a time-of- day frame: either SINEC H1 time-of-day frame, NTP or SNTP.
Page 66
Configuring with Web Based Management 4.4 "System" menu ● "System Contact" input box You can enter the name of a contact person responsible for managing the device. A maximum of 255 characters are possible. ● "System Location" input box You can enter the location where the device is installed. The location is displayed in the selection area.
Configuring with Web Based Management 4.4 "System" menu 4.4.2.2 Coordinates Information on geographic coordinates In the "Geographic Coordinates" window, you can enter information on the geographic coordinates. The parameters of the geographic coordinates (latitude, longitude and the height above the ellipsoid according to WGS84) are entered directly in the input boxes of the "Geographic Coordinates"...
Configuring with Web Based Management 4.4 "System" menu ● Input box: "Height" Geographical height: Here, you enter the value of the geographic height above sea level in meters. For example, 158 m means that the device is located at a height of 158 m above sea level.
Configuring with Web Based Management 4.4 "System" menu Note Note the following points about restarting a device: • You can only restart the device with administrator privileges. • A device should only be restarted with the buttons of this menu and not by a power cycle on the device.
Configuring with Web Based Management 4.4 "System" menu 4.4.4 Load and Save 4.4.4.1 HTTP Loading and saving data using HTTP The WBM allows you to store device data in an external file on your client PC or to load such data from an external file from the PC to the devices.
Configuring with Web Based Management 4.4 "System" menu ● Load With this button, you can load files onto the device. The button is only enabled if the file type supports loading. ● Save With this button, you can save files from the device. The button is only enabled if the file type supports saving and the file exists on the device.
Configuring with Web Based Management 4.4 "System" menu Reusing configuration data If several devices are to receive the same configuration and the IP addresses are assigned using DHCP, the effort for configuration can be reduced by saving and reading in the configuration data.
Configuring with Web Based Management 4.4 "System" menu 4.4.4.2 TFTP Loading and saving data using a TFTP server On this page, you can configure the TFTP server and the file names. The WBM also allows you to store device data in an external file on your client PC or to load such data from an external file from the PC to the devices.
Configuring with Web Based Management 4.4 "System" menu The table has the following columns: ● Type Shows the file type. ● Description Shows the short description of the file type. ● "Filename" input box Enter a file name. ● "Actions" drop-down list Select the required action.
Configuring with Web Based Management 4.4 "System" menu 4.4.4.3 Passwords There are files to which access is password protected. To load the file on the device, enter the password specified for the file on the WBM page. Description The table has the following columns: ●...
Configuring with Web Based Management 4.4 "System" menu 4.4.5 Events 4.4.5.1 Configuration Selecting system events On this WBM page, you specify which system events are logged and how. The following messages are always entered in the event log table and cannot be deselected: ●...
Configuring with Web Based Management 4.4 "System" menu Table 2 has the following columns: ● Event The "Event" column contains the following: – Cold/Warm Start The device was turned on or restarted by the user. – Link Change This event occurs only when the port status is monitored and has changed, see "System >...
Configuring with Web Based Management 4.4 "System" menu ● Syslog The device writes an entry to the system log server. This is only possible if the system log server is set up and the "Syslog client" function is enabled. ● Fault The error LED lights up on the device.
Configuring with Web Based Management 4.4 "System" menu Description The table has the following columns: ● Client Type Select the client type for which you want to make settings: – E-Mail Sending messages by e-mail. – Log Table Entry of messages in the log table. –...
Configuring with Web Based Management 4.4 "System" menu 4.4.6 SMTP client Network monitoring with e-mails The device provides the option of automatically sending an e-mail if an alarm event occurs (for example to the network administrator). The e-mail contains the identification of the sending device, a description of the cause of the alarm in plain language, and a time stamp.
Configuring with Web Based Management 4.4 "System" menu ● SMTP Port Enter the port via which your SMTP server can be reached. Factory settings: 25 This setting applies to all configured SMTP servers. ● SMTP Server Address Enter the IP address or the FQDN name of the SMTP server. This table contains the following columns: ●...
Configuring with Web Based Management 4.4 "System" menu 4.4.7 SNMP 4.4.7.1 General Configuration of SNMP On this page, you make the basic settings for SNMP. Enable the check boxes according to the function you want to use. Description The page contains the following boxes: ●...
Configuring with Web Based Management 4.4 "System" menu ● "SNMPv1/v2c Read/Write Community String" input box Enter the community string for read and write access of the SNMP protocol. ● "SNMPv1 Traps" check box Enable or disable the sending of traps (alarm frames). On the "Trap" tab, specify the IP addresses of the devices to which SNMP traps will be sent.
Page 84
Configuring with Web Based Management 4.4 "System" menu Description ● IP Address Enter the IP address or the FQDN name of the station to which the device sends SNMP traps. You can specify up to ten different recipients servers. The table has the following columns: ●...
Configuring with Web Based Management 4.4 "System" menu 4.4.7.3 Groups Security settings and assigning permissions SNMP version 3 allows permissions to be assigned, authentication, and encryption at protocol level. The security levels and read/write permissions are assigned according to groups. The settings automatically apply to every member of a group. Description The page contains the following boxes: ●...
Configuring with Web Based Management 4.4 "System" menu ● Write Enable or disable write access for the required group. Note For write access to work, you also need to enable read access. ● Persistence Shows whether or not the group is assigned to an SNMPv3 user. If the group is not assigned to an SNMPv3 user, no automatic saving is triggered and the configured group disappears again after restarting the device.
Configuring with Web Based Management 4.4 "System" menu 4.4.7.4 Users User-specific security settings On the WBM page, you can create new SNMPv3 users and modify or delete existing users. The user-based security model works with the concept of the user name; in other words, a user ID is added to every frame.
Configuring with Web Based Management 4.4 "System" menu ● Privacy Protocol Specify whether or not the user uses the DES algorithm. Can only be enabled if the group supports this function. DES is the only privacy algorithm offered here and is a legacy 56-bit cipher; if confidentiality of SNMP traffic matters, restrict SNMP access to a trusted management network with firewall rules as well. ● Authentication Password Enter the authentication password in the first input box. This password must have at least 6 characters, the maximum length is 32 characters.
Configuring with Web Based Management 4.4 "System" menu Delete user 1. Enable "Select" in the row to be deleted. Repeat this for all users you want to delete. 2. Click the "Delete" button. The entry is deleted. Note If you click a different button prior to this step (for example the "Refresh" button), the delete action is canceled.
Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: ● Time Manually Enable or disable manual setting of the time. If you enable the option, the "System Time" input box can be edited. ● System Time Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
Configuring with Web Based Management 4.4 "System" menu 4.4.8.2 SNTP client Time-of-day synchronization in the network SNTP (Simple Network Time Protocol) is used for synchronizing the time in the network. The appropriate frames are sent by an SNTP server in the network. Description The page contains the following boxes: ●...
Configuring with Web Based Management 4.4 "System" menu – NTP Automatic time-of-day synchronization with NTP – SIMATIC Automatic time-of-day synchronization using the SIMATIC time frame – PTP Automatic time-of-day synchronization with PTP ● Time Zone Enter the time zone you are using in the format "+/- HH:MM". The time zone relates to UTC standard world time.
Configuring with Web Based Management 4.4 "System" menu 3. Select one of the following options from the "SNTP Mode" drop-down list: – Poll For this mode, you need to configure the following: - time zone difference (step 2) - time server (step 4) - Port (step 5) - query interval (step 6) - complete the configuration with step 7.
Configuring with Web Based Management 4.4 "System" menu Description The page contains the following boxes: ● NTP Client Select this check box to enable automatic time-of-day synchronization with NTP. ● Current System Time This box displays the current system time. ●...
Configuring with Web Based Management 4.4 "System" menu Procedure 1. Click the "NTP Client" check box to enable the automatic time setting using NTP. 2. Enter the necessary values in the following boxes: – Time zone – NTP server IP address –...
Configuring with Web Based Management 4.4 "System" menu ● Last Synchronization Time This box is read-only and shows when the last time-of-day synchronization took place. ● Last Synchronization Mechanism This box displays how the last time-of-day synchronization was performed. The following methods are possible: –...
Configuring with Web Based Management 4.4 "System" menu 4.4.9 Auto logout Setting the automatic logout On this page, set the times after which there is an automatic logout from WBM or the CLI following user in activity. If you have been logged out automatically, you will need to log in again. Note No automatic logout from the CLI If the connection is not terminated after the set time, check the setting of the "keepalive"...
Configuring with Web Based Management 4.4 "System" menu 4.4.10 Syslog Client System event agent Syslog according to RFC 3164 is used for transferring short, unencrypted text messages over UDP in the IP network. This requires a Syslog server. Requirements for sending log entries: ●...
Configuring with Web Based Management 4.4 "System" menu Procedure Enabling function 1. Select the "Syslog Client" check box. 2. Click the "Set Values" button. Creating a new entry 1. In the "Server IP Address" input box, enter the IP address or the FQDN name of the Syslog server on which the log entries will be saved.
Configuring with Web Based Management 4.4 "System" menu Description Table 1 has the following columns: ● 1st column Shows that the settings are valid for all ports. ● Setting Select the setting from the drop-down list. You have the following setting options: –...
Configuring with Web Based Management 4.4 "System" menu Table 2 has the following columns: ● Port Shows the available ports. The port is made up of the module number and the port number, for example port 0.1 is module 0, port 1. ●...
Configuring with Web Based Management 4.4 "System" menu 4.4.12 PLUG 4.4.12.1 Configuration NOTICE Do not remove or insert a C-PLUG / KEY-PLUG during operation! A PLUG may only be removed or inserted when the device is turned off. The device checks whether or not a PLUG is present at one second intervals. If it is detected that the PLUG was removed, there is a restart.
Page 103
Description The table has the following rows: ● State Shows the status of the PLUG. The following are possible: – ACCEPTED There is a PLUG with a valid and suitable configuration in the device. –...
Page 104
● Device Type Shows the device type within the product line that used the C-PLUG previously. ● Configuration Revision The version of the configuration structure. This information relates to the configuration options supported by the device and has nothing to do with the concrete hardware configuration.
4.4.12.2 License NOTICE Do not remove or insert a C-PLUG / KEY-PLUG during operation! A PLUG may only be removed or inserted when the device is turned off. The device checks whether or not a PLUG is present at one second intervals. If it is detected that the PLUG was removed, there is a restart.
Page 106
Description ● State Shows the status of the KEY-PLUG. The following are possible: – ACCEPTED The KEY-PLUG in the device contains a suitable and valid license. – NOT ACCEPTED The license of the inserted KEY-PLUG is not valid. –...
4.4.13 Ping Reachability of an address in an IP network With the ping function, you can check whether a certain IP address is reachable in the network. Description The table has the following columns: ●...
4.4.14 DNS 4.4.14.1 DNS client On the WBM page you specify whether the device uses the DNS server of the network provider or another DNS server. Description The page contains the following boxes: ●...
The table has the following columns: ● Select Select the check box in the row to be deleted. ● Name Server Address Shows the IP address of the DNS server. ● Origin Shows whether the DNS server was configured manually or assigned 4.4.14.2 DNS proxy...
4.4.14.3 DDNS client The DDNS (Dynamic Domain Name System) is an Internet service that allows a fixed hostname to be set up as a pseudonym for a dynamically changing IP address. The DDNS client synchronizes the assigned IP address with the hostname registered at the DDNS provider.
Procedure Requirement: ● User name and password that give you the right to use the DDNS service. ● Registered hostname, e.g. example.no-ip.com ● UDP port 53 for DNS is enabled and is not used for NAT. 1.
Page 112
Description The page contains the following boxes: ● "DHCP Client Config File Request (Opt.66, 67)" check box Select this option if you want the DHCP client to use options 66 and 67 to download and then enable a configuration file.
4.4.15.2 DHCP server You can operate the device as a DHCP server. This allows IP addresses to be assigned automatically to the connected devices. The IP addresses are either distributed dynamically from an address range you have specified, or a specific IP address is assigned to a particular device.
Page 114
assigned. To do this the DHCP server sends ICMP echo messages (ping) to the IP address. If no reply is received, the DHCP server can assign the IP address. Note If there are devices in your network on which the echo service is disabled as default, there may be conflicts with the IP addresses.
4.4.15.3 DHCP Options On this page you specify which DHCP options the DHCP server supports. The various DHCP options are defined in RFC 2132. Description The page contains the following boxes: ● "Pool ID" drop-down list Select the required address band.
● Use Interface IP Specify whether or not the internal IP address of the device will be used. ● Value Enter the value that is transferred to the DHCP client. The content depends on the DHCP option.
Page 117
● "Hardware Type" drop-down list Specify the criterion according to which the IP address is specified. – Ethernet MAC Identification is based on the MAC address. Enter the MAC address in "Value". A MAC address consists of six bytes separated by hyphens in hexadecimal notation, e.g.
Siemens Remote Service (SRS) is a remote maintenance platform via which remote maintenance access is possible. To use the platform, additional service contracts are necessary and certain constraints must be observed. If you are interested in SRS, call your local Siemens contact or visit http://support.automation.siemens.com/WW/view/en/42346681.
● User Name Enter the user name for access to the destination server. ● Password Enter the password for access to the destination server. Note The following printable ASCII characters are permitted for the user name and password: •...
Page 120
The table has the following columns: ● Select Select the check box in the row to be deleted. Click "Delete" to delete the entry. ● Address Enter the IPv4 address of the proxy server. ●...
4.4.18 SINEMA RC On the WBM page, you configure the access to the SINEMA RC server. Note This function can only be used with a KEY-PLUG. Description The page contains the following: ●...
Page 122
● "Device Password" input box Enter the password with which the device logs on to the SINEMA RC Server. The password is assigned when configuring the device on the SINEMA RC Server. You will find further information on this in the Operating Instructions of the SINEMA RC Server.
Configuring with Web Based Management 4.5 "Interfaces" menu 4.5.1 Ethernet 4.5.1.1 Overview The page shows the configuration for the data transfer for all ports of the device. You cannot configure anything on this page. Description The table has the following columns: ●...
● Link Shows the connection status to the network. With the connection status, the following is possible: – Up The port has a valid link to the network, a link integrity signal is being received. –...
Page 125
Description of the displayed boxes ● Port Select the port to be configured from the drop-down list. ● Status Specify whether the port is enabled or disabled. – enabled The port is enabled. Data traffic is possible only over an enabled port. –...
Page 126
● MTU MTU (Maximum Transmission Unit) specifies the maximum size of the packet. If packets are longer than the set MTU they are fragmented. The range of values is from 64 to 1500 bytes. ●...
Configuring with Web Based Management 4.6 "Layer 2" menu 4.6.1 Dynamic MAC Aging Protocol settings and switch functionality The device automatically learns the source addresses of the connected nodes. This information is used to forward frames to the nodes specifically involved. This reduces the network load for the other nodes.
4.6.2 VLAN 4.6.2.1 General VLAN configuration page On this WBM page, you define the VLAN and specify the use of the ports. Note Changing the Agent VLAN ID If the Admin PC is connected directly to the device via Ethernet and you change the agent VLAN ID, the device is no longer reachable via Ethernet following the change.
Page 129
Description of the displayed boxes The page contains the following boxes: ● "VLAN ID" input box Enter the VLAN ID in the "VLAN ID" input box. Range of values: 1 ... 4094 The table has the following columns: ●...
Steps in configuration 1. Enter an ID in the "VLAN ID" input box. 2. Click the "Create" button. A new entry is generated in the table. As default, the boxes have "-" entered. 3.
Page 131
Table 2 has the following columns: ● Port Shows the available ports. ● Priority Select the required priority assigned to untagged frames. This is the CoS priority (Class of Service) used in the VLAN tag. If a frame is received without a tag, it will be assigned this priority.
4.6.3 LLDP Identifying the network topology LLDP (Link Layer Discovery Protocol) is defined in the IEEE 802.1AB standard. LLDP is a method used to discover the network topology. Network components exchange information with their neighbor devices using LLDP.
Page 133
Description Table 1 has the following columns: ● 1st column Shows that the settings are valid for all ports. ● Setting Select the setting from the drop-down list. If "No Change" is selected, the entry in table 2 remains unchanged.
Configuring with Web Based Management 4.7 "Layer 3" menu 4.7.1 Routes Static route On this page you specify the routes via which a data exchange can take place with the various subnets. Dynamic routing protocols, for example RIP or OSPF, are not supported. Description The page contains the following boxes: ●...
● Gateway Shows the IP address of the next gateway. ● Interface Shows the interface of the route. ● Metric When creating the route, "not used" is entered automatically. The metric corresponds to the quality of a connection, for example speed, costs.
Page 136
Description The page contains the following box: ● Interface In the "Interface" drop-down list, select the interface on which you want to configure a further subnet. The table has the following columns: ●...
been assigned, the device sends the message that it is using this IP address as of now. – Conflict The interface is not enabled. The interface is attempting to use an IP address that has already been assigned.
● MAC Address Displays the MAC address of the selected interface. ● DHCP Enable or disable the DHCP client for the interface. Note If you want to operate the device as a router with several interfaces, disable DHCP on all interfaces.
Description The table has the following columns: ● Interface VLAN interface to which the setting relates. Only VLANs with a configured subnet are available. ● Enable Masquerading When enabled, with each outgoing data packet sent via this interface, the source IP address is replaced by the IP address of the interface.
Page 140
● "Destination IP Address" input box Enter the destination IP address. The frames are received at this IP address. Can only be edited if "Use Interface IP from Source Interface" is disabled. ●...
4.7.3.3 Source NAT On this WBM page, you configure the rules for source NAT. Description ● "Source Interface" / "Destination Interface" drop-down list Specify the direction of the connection establishment. Only connections established in this specified direction are taken into account.
Page 142
● "Translated Source IP Address" input box Enter the IP address with which the IP address of the sender is replaced. Can only be edited if "Use Interface IP from Destination Interface" is disabled. ●...
4.7.3.4 NETMAP On this WBM page, you specify the rules for NETMAP. NETMAP is a static 1:1 mapping of network addresses in which the host part is retained. Note Firewall rules with source NAT The source NAT rule is applied after routing and the firewall decision.
Page 144
● "Source IP Subnet" input box Enter the subnet of the sender. The subnet can also be a single PC or another subset of the subnet. Use the CIDR notation. ● "Translated Source IP Subnet" input box Enter the subnet with which the subnet of the sender will be replaced.
Page 145
Examples Example 1 ● Type: Source ● Source Interface: vlan1 ● Destination Interface: vlan2 ● Source IP Subnet: 192.168.1.0/24 ● Translated Source IP Subnet: 10.100.1.0/24 ● Destination IP Subnet: 10.10.10.0/24 ● Translated Destination IP Subnet: - The rule applies to packets sent from vlan1 (internal) to vlan2 (external).
Configuring with Web Based Management 4.8 "Security" menu 4.8.1 Password Configuration of the device passwords On this WBM page, you can enter the administrator password. Procedure 1. Enter the valid administrator password in "Current Admin Password". 2. For "New Password", enter the new password. Note Password Policy: high Note the following password policies:...
3. Repeat the new password in the "Password Confirmation" input box. 4. Click the "Set Values" button. Note The factory setting for the password when the devices ship is as follows: • admin: admin If you log on the first time or log on after a "Restore Factory Defaults and Restart", you will be prompted to change the password.
Page 148
Description ● Select Select the check box in the row to be deleted. Only unused certificates can be deleted. ● Type Shows the type of the loaded file. – CA Cert The CA certificate is signed by a CA (Certification Authority). –...
4.8.2.2 Certificates The format of the certificate is based on X.509, a standard of the ITU-T for creating digital certificates. This standard describes the schematic structure of X.509 certificates. You will find further information on this on the Internet at "http://www.itu.int". On this WBM page, the content of the following structure elements can be displayed.
Page 150
Description ● Filename Select the required certificate. ● Type Shows the type of the loaded file. – CA Cert The CA certificate is signed by a CA (Certification Authority). – Machine Cert Machine certificate –...
Page 151
● Subject DN Shows the name of the certificate owner. ● Issuer DN Shows the name of the certificate issuer. ● Subject Alternate Name If it exists, an alternative name of the certificate issuer is displayed. ●...
4.8.3 Firewall 4.8.3.1 General On this WBM page, you enable the firewall. Note Please remember that if you disable the firewall, your internal network is unprotected. Description The page contains the following: ●...
4.8.3.2 Predefined IPv4 The WBM page contains predefined IPv4 rules. If you create user-defined IPv4 rules, these have a higher priority than the predefined IPv4 rules. Here, you can set which services of the device should be reachable from which VLAN interface/subnet.
– DNS DNS queries to the device. Necessary only if the "DNS-Relay" function is enabled on the device. – SNMP Incoming SNMP connections. Required, for example, to access the SNMP information of the device using a MIB browser. –...
Page 155
Description The page contains the following: ● "Service Name" input box Enter the name of the IP service. The name must be unique. This table contains the following columns: ● Select Select the check box in the row to be deleted. ●...
4.8.3.4 ICMP Services On this WBM page, you define ICMP services. Using the ICMP service definitions, you can define firewall rules for specific services. You select a name and assign the service parameters to it.
4.8.3.5 IP Protocols On this WBM page, you can configure user-defined protocols, e.g. IGMP for multicast groups. You select a protocol name and assign the service parameters to it. When you configure the IP rules, you simply use this protocol name. Description The page contains the following: ●...
4.8.3.6 IP Rules On this WBM page you specify your own IP rules for the firewall. These IP rules have a higher priority than the predefined IP rules. Description of the displayed boxes This table contains the following columns: ●...
● Service Select the service or the protocol name for which this rule is valid. ● Log Specify whether or not there should be a log entry every time the rule comes into effect and specify the severity of the event.
device between two VPN endpoints, when there is inactivity, the connection is deleted from its dynamic NAT table. To prevent this, keepalives are sent. 4.8.4.2 Remote End On this WBM page, you configure the partner (VPN end point). Description The page contains the following: ●...
Page 161
– manual (With Standard) Only establishes a connection to a specific remote station with a fixed IP address or a (D)DNS hostname. Or only accepts a connection from a specific remote station with a fixed IP address or a (D)DNS hostname.
6. In "Virtual IP Mode", specify how the IP address of the VPN gateway is obtained. 7. Click the "Set Values" button. 4.8.4.3 Connections On the WBM page, you configure the basic settings for the VPN connection. With these settings, the device can establish a non-secure VPN tunnel to the partner.
Page 163
● Operation Specify the connection partner that establishes the VPN connection. – disabled The VPN connection is disabled. – start The VPN connection is initiated by the local endpoint. – wait The VPN connection is established by the partner. –...
4.8.4.4 Authentication On this WBM page, you specify how the VPN connection partners authenticate themselves with each other. Description This table contains the following columns: ● Name Shows the name of the VPN connection to which the settings relate. ●...
● Remote ID Enter the "Distinguished Name" or "Alternate Name" from the partner certificate. Only when you use the partner certificate can you leave the box empty. The box is automatically filled with the value from the partner certificate. ●...
Page 166
● Authentication Specify the method for calculating the checksum. The following methods are available: – Auto: automatic detection – MD5 – SHA1 – SHA512 ● IKE Key Derivation Select the required Diffie-Hellman group (DH) from which a key will be generated. If "Auto"...
4.8.4.6 Phase 2 Phase 2: Data exchange (ESP = Encapsulating Security Payload) On this WBM page, you set the parameters for the protocol of the IPsec data exchange. The entire communication during this phase is encrypted using the standardized security protocol ESP for which you can set the following protocol parameters.
Page 168
● Key Derivation Select the required Diffie-Hellman group (DH) from which a key will be generated. If "Auto" is set, there is no restriction. It is compared to the capabilities of the remote station and selected accordingly.
Service and maintenance 5.1 Firmware update using HTTP 5.1.1 Firmware update using HTTP Requirement ● The device has an IP address and is reachable. ● WBM has been started and the "admin" user is logged in. Firmware update using HTTP 1. Click "System" > "Load&Save" in the navigation area. Click the "HTTP" tab. 2.
Page 170
Result The firmware has been transferred completely to the device and under "Information" > "Versions" there is also the entry "Firmware_Running". Firmware_Running shows the version of the current firmware. Firmware shows the firmware version stored after loading the firmware.
Service and maintenance 5.2 Firmware update - using TFTP Requirement ● The device has an IP address and is reachable. ● WBM has been started and the "admin" user is logged in. ● There is a TFTP server in the network. ●...
Page 172
Result The firmware has been transferred completely to the device and under "Information" > "Versions" there is also the entry "Firmware_Running". Firmware_Running shows the version of the current firmware. Firmware shows the firmware version stored after loading the firmware.
Service and maintenance 5.3 Firmware update using WBM not possible Cause If there is a power failure during the firmware update, it is possible that the device is no longer accessible using WBM and CLI. Requirement ●...
Page 174
Result The firmware is transferred to the device. Note Please note that the transfer of the firmware can take several minutes. During the transmission, the red error LED (F) flashes. Once the firmware has been transferred completely to the device, the device is restarted automatically.
Service and maintenance 5.4 Firmware update using WBM not possible Cause If there is a power failure during the firmware update, it is possible that the device is no longer accessible using WBM and CLI. Requirement ●...
Page 176
Result The firmware is transferred to the device. Note Please note that the transfer of the firmware can take several minutes. During the transmission, the red error LED (F) flashes. Once the firmware has been transferred completely to the device, the device is restarted automatically.
Page 179
Index VPN connection Status, 59 Web Based Management, 37 Requirement, 37