factorytalk policy manager - rockwell automation...manager to cip configurations that are delivered...

Getting Results Guide

FactoryTalk Policy Manager FactoryTalk Services Platform 6.11.00

Initial Release, June 2019

Important user information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice. If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence

Important: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Rockwell Automation Publication FTALK-GR001A-EN-E 5

Table of contents

About this publication ......................................................................................................... 7 Intended audience ................................................................................................................. 7 Additional information........................................................................................................ 7 Legal Notices .......................................................................................................................... 9

Chapter 1

FactoryTalk Policy Manager and FactoryTalk System Services ............................... 11 Install FactoryTalk System Services and FactoryTalk Policy Manager ................... 13 Start FactoryTalk System Services .................................................................................. 14 Log on to FactoryTalk Policy Manager ......................................................................... 14 Navigating FactoryTalk Policy Manager ....................................................................... 15 FactoryTalk Policy Manager Global Settings ............................................................... 16 FactoryTalk Policy Manager planning ........................................................................... 17 FactoryTalk Policy Manager component considerations .......................................... 18 Authentication methods ................................................................................................... 19 Security Groups .................................................................................................................. 19

Chapter 2

Zones..................................................................................................................................... 21 Add a zone ................................................................................................................... 21 Edit zone properties ................................................................................................... 22 Delete a zone ............................................................................................................... 23 Zone properties ........................................................................................................... 23

Conduits .............................................................................................................................. 26 Add a conduit .............................................................................................................. 27 Edit conduit properties ............................................................................................. 28 Delete a conduit .......................................................................................................... 28 Conduit properties ..................................................................................................... 29

Devices .................................................................................................................................. 30 Add a device to a zone ............................................................................................... 31 Add a device to the device list .................................................................................. 32 Discover devices .......................................................................................................... 33 Ports .............................................................................................................................. 34

Add a port ............................................................................................................ 34 Configure port properties ................................................................................. 35 Port properties .................................................................................................... 36

Edit device properties ................................................................................................ 37 Delete a device ............................................................................................................. 38 Device properties ........................................................................................................ 38

Ranges ................................................................................................................................... 39 Add a range .................................................................................................................. 39

Preface

1 - Getting started

2 - Configure a security policy model

Table of contents

6 Rockwell Automation Publication FTALK-GR001A-EN-E

Range properties ......................................................................................................... 40

Chapter 3

Deploy a security model .................................................................................................... 43 Deployment options .......................................................................................................... 44 Deployment results ............................................................................................................ 45 Reload a security model ..................................................................................................... 46 Replace a device .................................................................................................................. 47 Remove the security policy from a device ...................................................................... 48

Chapter 4

Backup and restore security models ................................................................................ 51 Backup FactoryTalk System Services ............................................................................. 51 Restore FactoryTalk System Services ............................................................................. 52

3 - Deploy a security policy model

4 - Backup and restore


Preface

This Getting Results Guide provides information on installing and using FactoryTalk® System Services and FactoryTalk Policy Manager.

Review this section for information about:

• Intended audience

• Where to find additional information

• Legal notices

This guide is intended for the system administrator and assumes familiarity with:

• Microsoft® Windows® operating systems

• FactoryTalk Linx

• FactoryTalk Services Platform

• Allen-Bradley® programmable logic controllers (PLCs) and programmable automation controllers (PACs)

• Rockwell Automation control system development software

For additional information about security policy, consult the following resources:

Resource name Description

System Security Design Guidelines Provide guidance in these areas: • System security

• Networks and communications security

• Control system hardening

• User access management

• Control system monitoring

• Device disposal

Download from the Rockwell Automation Literature Library, System Security Design Guidelines (publication SECURE-RM001)-

Online help The Help includes overview, procedural, screen, and reference information for the product. The Help contains these basic components:

• Concepts

• Procedures

• Properties referenced

To view context-sensitive help in FactoryTalk Policy Manager, select the Help [?] icon.

About this publication

Intended audience

Additional information

https://literature.rockwellautomation.com/idc/groups/literature/documents/rm/secure-rm001_-en-p.pdf

https://literature.rockwellautomation.com/idc/groups/literature/documents/rm/secure-rm001_-en-p.pdf

Preface


Resource name Description

Release Notes The Release Notes contains this information: • System requirements

• System features

• Anomalies

• Functional changes

• Application notes

Release notes can be downloaded from the Product Compatibility and Download Center http://www.rockwellautomation.com/compatibility/#/scenarios or opened from FactoryTalk Policy Manager by selecting the Release Notes link under the Help [?] icon on the main menu .

Rockwell Automation Knowledgebase The Rockwell Automation Customer Support Center offers an extensive online database that includes frequently asked questions and the latest patches. The Knowledgebase web page leads to a comprehensive, searchable database of support information for all Rockwell Automation products. To access the Knowledgebase web page, visit http://www.rockwellautomation.com/support , then select Knowledgebase Support Center.

Rockwell Automation Technical Support Questions concerning installation and use of FactoryTalk Policy Manager software are handled by the Rockwell Automation Customer Support Center. The center is staffed Monday through Friday, except on U.S. holidays, from 8 a.m. to 5 p.m. Eastern time zone for calls originating within the U.S. and Canada. To reach the Customer Support Center, call 440-646-3434 and follow the prompts. For calls originating outside the U.S. or Canada, locate the number in your country by visiting http://support.rockwellautomation.com/contact information. When you call, you should be at your computer and be prepared to provide the following information:

• The product version number

• The type of hardware you are using

• The exact wording of any errors or messages that appeared on your screen

• A description of what happened and what you were doing when the problem occurred

• A description of how you tried to solve the problem

Training Rockwell Automation offers a wide range of training programs, from regularly scheduled classes to custom-tailored classes conducted at your site. If you need more information about these training programs, visit the Rockwell Automation site or contact the Rockwell Automation Training Coordinator. The web site address and telephone numbers are available at the bottom of the back cover.

Consulting Rockwell Automation provides expert consulting and turnkey implementations for making optimal use of Rockwell Automation software products. Please contact your local representative for more information.

http://www.rockwellautomation.com/compatibility/#/scenarios



http://www.rockwellautomation.com/support

Preface


Copyright notice

Copyright © 2019 Rockwell Automation Technologies, Inc. All Rights Reserved. Printed in USA.

This document and any accompanying Rockwell Software products are copyrighted by Rockwell Automation Technologies, Inc. Any reproduction and/or distribution without prior written consent from Rockwell Automation Technologies, Inc. is strictly prohibited. Please refer to the license agreement for details.

End User License Agreement (EULA)

You can view the Rockwell Automation End-User License Agreement ("EULA") by opening the License.rtf file located in your product's install folder on your hard drive.

Open Source Licenses

The software included in this product contains copyrighted software that is licensed under one or more open source licenses. Copies of those licenses are included with the software. Corresponding Source code for open source packages included in this product are located at their respective web site(s).

Alternately, obtain complete Corresponding Source code by contacting Rockwell Automation via the Contact form on the Rockwell Automation website: http://www.rockwellautomation.com/global/about-us/contact/contact.page Please include "Open Source" as part of the request text.

A full list of all open source software used in this product and their corresponding licenses can be found in the OPENSOURCE folder . The default installed location of these licenses is C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk Policy Manager\ReleaseNotes\OPENSOURCE\index.htm.

Trademark Notices

Allen-Bradley, Rockwell Automation, and Rockwell Software are trademarks of Rockwell Automation, Inc.

Any Rockwell Automation software or hardware not mentioned here is also a trademark, registered or otherwise, of Rockwell Automation, Inc.

Legal Notices

http://www.rockwellautomation.com/global/about-us/contact/contact.page

Preface


Other Trademarks

All other trademarks are the property of their respective holders and are hereby acknowledged.

Trademarks not belonging to Rockwell Automation are property of their respective companies

Warranty

This product is warranted in accordance with the product license. The product’s performance may be affected by system configuration, the application being performed, operator control, maintenance, and other related factors. Rockwell Automation is not responsible for these intervening factors. The instructions in this document do not cover all the details or variations in the equipment, procedure, or process described, nor do they provide directions for meeting every possible contingency during installation, operation, or maintenance. This product’s implementation may vary among users.

This document is current as of the time of release of the product; however, the accompanying software may have changed since the release. Rockwell Automation, Inc. reserves the right to change any information contained in this document or the software at any time without prior notice. It is your responsibility to obtain the most current information available from Rockwell when installing or using this product.

Contact Rockwell Automation

Customer Support Telephone — 1.888.382.1583

Online Support — http://www.rockwellautomation.com/support/

http://www.rockwellautomation.com/support/


Chapter 1

1 - Getting started

In this Section

FactoryTalk Policy Manager and FactoryTalk System Services 11 Install FactoryTalk System Services and FactoryTalk Policy Manager 13 Start FactoryTalk System Services 14 Log on to FactoryTalk Policy Manager 14 Navigating FactoryTalk Policy Manager 15 FactoryTalk Policy Manager Global Settings 16 FactoryTalk Policy Manager planning 17 FactoryTalk Policy Manager component considerations 18 Authentication methods 19 Security Groups 19

Use FactoryTalk® Policy Manager to configure, deploy, and view the system communication security policies.

FactoryTalk Policy Manager divides the system security policy into different components.

Use these components to design security models that control the permissions and usage of devices within the system.

• Zones - Groups of devices.

• Devices - Computers, controllers, modules, HMI panels, and drives.

• Conduits - Communication routes between components.

FactoryTalk Policy Manager depends on FactoryTalk System Services for certificate services, policy deployment, and authentication.

FactoryTalk System Services provides these services on the FactoryTalk directory server:

• Authentication Service

FactoryTalk Policy Manager and FactoryTalk System Services

Chapter 1 1 - Getting started


Authenticates users and validates user resource requests. Validate user credentials against the FactoryTalk Directory and FactoryTalk security policy settings to obtain privileges associated with the user.

• Certificate Service

Issues and manages X.509v3 certificates for use within the FactoryTalk system.

• Deployment Service

Translates the security policy model defined using FactoryTalk Policy Manager to CIP configurations that are delivered to endpoints.

• Diagnostics Service

Makes FactoryTalk audit and diagnostic logs available as a web service.

• Policy Service

Used to build and manage CIP network trust models and define security policy for the CIP endpoints.

FactoryTalk System Services provides the policy authority, certificate authority, identity services, and deployment services required to enforce security policies configured using FactoryTalk Policy Manager that are based on the ODVA™ CIP Security™ standard.

CIP Security helps protect an EtherNet/IP connected device from malicious communications by:

• Applying authentication rules and rejecting messages sent by untrusted people or untrusted devices.

• Verifying that data has not been altered during transmission and reject data that fails the integrity check.

• Helps prevent viewing of EtherNet/IP data by unauthorized parties for additional confidentiality

CIP Security features work with these Rockwell Automation products:

• FactoryTalk Linx version 6.11 or later

• ControlLogix® 5580 Controllers version 32.00 or later

• 1756-EN4TR ControlLogix Module

• Kinetix® 5700 Drives

Creating and deploying a security model with FactoryTalk Policy Manager supports these core security properties

1 - Getting started Chapter 1


Property Description

Device Identity X.509v3 Digital Certificates are used to provide cryptographically secure identities to devices.

Device Authentication TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) cryptographic protocols are used to help provide secure transport of EtherNet/IP traffic.

Data Integrity Hashes or HMAC (keyed-Hash Message Authentication Code) are used as a cryptographic method of providing data integrity and message authenticity to EtherNet/IP traffic.

Data Confidentiality Data encryption is used to encode messages or information to help prevent reading or viewing of EtherNet/IP data by unauthorized parties.

See also

Navigating FactoryTalk Policy Manager on page 15

FactoryTalk Policy Manager planning on page 17

FactoryTalk Services Platform version 6.11.00 includes two optional components that are used to manage CIP Security; FactoryTalk System Service and FactoryTalk Policy Manager.

FactoryTalk Policy Manager is dependent upon FactoryTalk System Services and both components must be installed together on the network directory server.

To install FactoryTalk System Services and FactoryTalk Policy Manager

1. Log in to FactoryTalk on the computer hosting the FactoryTalk network directory using an administrator account.

2. Run FTUpdater to make sure you have the latest update of FactoryTalk Services Platform.

3. Run FactoryTalk Services Platform setup.exe.

4. In the FactoryTalk Security installation wizard:

• On a new installation of FactoryTalk Services Platform select Customize.

• On an existing installation of FactoryTalk Services Platform select Modify.

5. Expand the item for FactoryTalk Services Platform v6.11.00.

6. Select FactoryTalk Policy Manager and FactoryTalk System Services.

Install FactoryTalk System Services and FactoryTalk Policy Manager



7. Select Modify.

8. The installation proceeds.

After installation FactoryTalk System Services starts automatically. Some situations may require manually starting the services.

To start the service:

1. Go to the Windows Services snap-in (services.msc).

2. In the services list, scroll down to the FactoryTalk System Services item.

3. Right-click FactoryTalk System Services and select Start.

See also

Log on to FactoryTalk Policy Manager on page 14

Logging on to FactoryTalk Policy Manager checks the credentials of your user account to determine the access to resources and the ability to make changes to security policy.

To log on to FactoryTalk Policy Manager

1. Open FactoryTalk Policy Manager

The FactoryTalk Log On window opens.

2. In Username, type your FactoryTalk user name.

3. In Password, type your password.

4. Select Show password to display the password you typed. Not recommended if your workstation is easily viewed by others.

5. Select LOG ON.

Important: FactoryTalk Policy Manager must be able to connect to FactoryTalk System Services to log in successfully. If FactoryTalk System Services is not running, the error message FactoryTalk System Services Cannot Be Reached displays when you try to log in. Select EXIT POLICY MANAGER to close the error message. To resolve this error, attempt to start FactoryTalk System Services.

See also

Start FactoryTalk System Services on page 14

Start FactoryTalk System Services

Log on to FactoryTalk Policy Manager



FactoryTalk Policy Manager Global Settings on page 16

FactoryTalk Policy Manager component considerations on page 18


Security Groups on page 19

FactoryTalk Policy Manager displays the different configurable items in a security policy model.

This table provides a reference to the items in the display:

Item Description

FactoryTalk Policy Manager Title Bar. Displays the current status of the model being configured. Models that are "saved" are local to the FactoryTalk Policy Manager database. Once they are deployed the status is not shown. If you make a change to a deployed model, the "Saved" status will display again until the changes made are deployed.

FactoryTalk Policy Manager main menu bar. Use to deploy security model, to log on or log off FactoryTalk, and to access Help and Release Notes.

FactoryTalk Policy Manager navigation bar. Use this bar to move between the different components of the security model. Also use to access Global Settings.

Zones list. Displays all the zones configured in the model. Select a zone to edit the devices in the zone. Use the Zones list to quickly edit zone properties or delete zones.

Content pane. Displays the items that can be configured. Contains the FactoryTalk Policy Manager toolbar that contains the actions available for the items. Actions that are not displayed on the toolbar can be viewed by clicking the More actions icon (vertical ellipsis).

Properties pane. For zones and devices, automatically shows the port properties for the last device configured. For conduits, displays the properties of the last conduit configured

Properties pane display control. Toggles the display of the properties pane.

Navigating FactoryTalk Policy Manager



Item Description

Status bar. Displays the connection status to FactoryTalk System Services. Use the page icon to toggle the display of the deployment results and error pane.

See also

FactoryTalk Policy Manager Global Settings on page 16

Configure a security policy model on page 21

How do I open Global Settings?

• In the FactoryTalk Policy Manager navigation bar, select Global Settings.

Use Global Settings to define the certificate properties for the zones and devices contained in the model. FactoryTalk Policy Manager sends this information along with your certificate information to identify the different components and establish the trust relationships. Complete the Global Settings information before using the certificate authentication method.

This table describes the settings:

Property Descriptions

General

• Model Name The name of the security model being managed by this instance of FactoryTalk Policy Manager.

Certificate Settings

• Organization The name of the organization that was granted the certificate.

• City/Locality The legally registered location of the organization granted the certificate.

• State/Province If applicable, the State or Province in which the organization granted the certificate is conducting operations using the certificate.

• Country The country in which the organization operates.

Changes made to these settings are saved after pressing enter or selecting another field.

Now that FactoryTalk Policy Manager is installed and the global settings are configured, start planning the components of your security model and what type of authentication to use.

See also

Authentication methods on page 19

FactoryTalk Policy Manager component considerations on page 18


FactoryTalk Policy Manager Global Settings



Implementing a CIP Security policy requires preparation and planning before deployment. At a minimum, gather this information:

• Number of zones.

• Security requirements for each zone.

• Devices assigned to each zone.

• Required trust relationships:

• Zones and devices

• Devices to devices

• IP Addresses of all devices to be included in the policy.

This diagram depicts a simple deployment consisting of three zones

• The PC Zone which contains mobile devices, servers, and administrative computers.

• Zone 1 which contains a switch, controller system, and administrative computer.

• Zone 2 which contains a switch, monitoring panel, controller system, programming system, and maintenance computer.

• The PC Zone is connected to both plant zones by separate conduits

FactoryTalk Policy Manager planning



Item Description

Items with a lock are CIP Security capable.

Items with a list are not CIP Security capable and are trusted by their IP address.

Conduits connect the security zones enable secure communication between devices in different zones.

The zone are represented by different blocks. Each device within the block trusts the other devices in the block and can communicate with devices in zones that are connected by conduits.

See also

Zones on page 21

Conduits on page 26

Devices on page 30

When designing a security model using FactoryTalk Policy Manager consider these items.

• Devices.

Identify which devices are included in the security model.

• Conduits.

Identifies the communication pathways in the security model.

Determine whether the pathways are zone-to-zone, zone-to-device, or device-to-device.

• Zones.

Identifies a group of logical or physical devices to which security settings are applied.

Devices within a zone trust each other.

• Pre-shared keys (PSK).

A key based on a shared secret that is provided to devices to establish trust.

• Certificates.

Used to establish a devices identity by providing information about ownership of a public key.

• Security options

When a certificate is used as the authentication method additional security checks are available to be used with messaging and I/O data.

FactoryTalk Policy Manager component considerations



• Integrity Only

Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected.

• Integrity & Confidentiality

Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data.

• Devices that cannot support CIP Security.

Some devices do not support CIP Security and cannot authenticate themselves to the system. These devices can be included in the security model by adding them to the zone. However, these devices are not able to sign or encrypt communications.

Use FactoryTalk Policy Manager to combine these components into a security policy model to deploy to your FactoryTalk system.

See also

Zones on page 21

Conduits on page 26

Devices on page 30

FactoryTalk Policy Manager supports these authentication methods:

Name Description

Certificate Established by the use of an X.509v3 certificate granted by a trusted certificate authority.

Pre-shared key Established by presentation of a shared secret key that is propagated to trusted devices in the system. A pre-shared key can be created manually or FactoryTalk Policy Manager can automatically generate pre-shared keys for distribution to the devices in your system.

Trusted IP Established by identifying an IP address as trusted by the security model. A set of IP addresses can be defined as a trusted range on your network. Appropriate for use with devices that are not CIP Security capable.

See also

Zone properties on page 23

Conduit properties on page 29

Device properties on page 38

FactoryTalk Services Platform includes these built-in security groups that are used to define rights and privileges for users.

Authentication methods

Security Groups



FactoryTalk Policy Manager users can be granted the following rights:

Right Group Permissions

View Administrator Engineers Maintenance

All security policy items and global settings are read-only. Login/Logout is active on the main toolbar. Help is active on the main toolbar.

Edit Administrator All security policy items and global settings can be modified. Zones can be added, edited or deleted. Conduits can be added, edited or deleted. Devices can be added, discovered, edited or deleted. Ethernet ports can be added and configured. Trusted IP ranges can be added and configured. Security policy models can be deployed. All controls are active.

Deploy Administrator Engineers Maintenance

The security policy can be deployed to devices. Devices can be replaced in the security model. Security policy items and global settings are read-only. Deploy is active on the main toolbar. Replace Device is active on the zone toolbar. Replace Device is active on the device toolbar.

The controls available in FactoryTalk Policy Manager reflect the user rights granted to the logged in user account.

Tip: If you are logged on using an Administrator account but FactoryTalk Policy Manager is only permitting viewing of devices, zones, and conduits, verify that the FactoryTalk Directory services are running and that the computer is connected to the FactoryTalk Directory

See also

Devices on page 30


Chapter 2

2 - Configure a security policy model

In this Section

Zones 21 Conduits 26 Devices 30 Ranges 39

Zones are security policy groups to which devices are assigned. Once a device is assigned to a zone, the device uses the policy default settings of that zone.

Zones establish the rules for data integrity, data privacy, and the authentication method used to authenticate trusted devices. When configuring a zone, use the CIP Security Communication settings within the zone properties to establish these controls:

• Authentication method

• I/O data security

• Messaging security

• Port usage

See also

Add a zone on page 21

Edit zone properties on page 22

Delete a zone on page 23


Configure port properties on page 35

Add zones to establish areas of security policy. Devices assigned to the zone trust each other. Edit the zone properties to enable CIP Security and configure the related settings. CIP Security is not enabled by default.

Zones

Add a zone

Chapter 2 2 - Configure a security policy model


To add a zone

1. In the FactoryTalk Policy Manager navigation bar, select Zones.

2. On the toolbar next to ZONES, select Add [+].

Adds a new zone to the list with these default values:

• Name - Zone #

• Description - None

• Enable CIP Security - Not selected by default.

Select to enable configuration of CIP Security related settings.

See also




Edit the properties of a zone to specify a name, description, and enable CIP Security settings.

Tip: Selecting a zone in the ZONES bar displays the last device selected in the zone and the port properties of that device.

To edit zone properties

1. In the FactoryTalk Policy Manager navigation bar, select Zones. The ZONES column displays a list of the configured zones.

2. In the ZONES column, select a zone.

• If devices have not been added to the zone yet, the ZONE PROPERTIES are displayed in the right pane.

• If devices have been added to the zone, select the pencil icon next to the zone name to display ZONE PROPERTIES.

3. Change the properties of the zone as appropriate.

As the settings are changed the FactoryTalk Policy Manager title bar updates to show that the changes have been saved.

Edit zone properties

2 - Configure a security policy model Chapter 2


See also




Delete a zone that is no longer needed.

Important: Deleting a zone removes all devices, conduits, and endpoints assigned to the zone. To retain the devices in the device list, edit the device properties to reference a different zone or the unassigned zone before deleting the zone. Create new conduits as needed.

To delete a zone

1. In the FactoryTalk Policy Manager navigation bar, select Zones.

2. Either:

• In the ZONES column, next to the zone name, select the Delete icon.

• In the Overview table, select the zone name, then select the Delete icon from the toolbar.

3. A confirmation message displays, displaying the items that are going to be deleted when the zone is deleted. To continue deleting the zone, select DELETE.

The zone is deleted from the zone list and is no longer part of the security model.

See also



Edit device properties on page 37

Use zone properties to define the security settings to apply to devices that are assigned to this zone.

The zone properties are:


General The settings in this area differentiate this zone from other zones.

Delete a zone

Zone properties




• Name The name for the zone.

• Description A description for the zone.

CIP Security Communication The settings in this area relate to how the devices in the zone communicate with other devices.




• Enable CIP Security Enable CIP Security options for the zone. When selected, additional configuration options are available. Non-CIP Security capable devices can be added to a zone with CIP Security enabled. These devices will have an information icon displayed stating Incompatible with zone configuration. These devices won’t receive CIP Security policy themselves, but devices in this zone that are CIP Security capable will add the IP address of the non-CIP Security capable device to their Trusted IP list so that communication between the devices can occur.

• Authentication Method Select how the zone verifies the identity of assigned assets. Certificate A digital certificate is an electronic representation of an identity. A certificate binds the identities public key to its identifiable information, such as name, organization, email, username, and/or a device serial number. This certificate is used to authenticate the connection to the zone. Selected by default when CIP security is enabled. Pre-shared Key A pre-shared key is a secret that is shared amongst trusted entities. FactoryTalk Policy Manager can create a key that can be shared. • To generate a pre-shared key, select Auto-generate key.

• To view the key, select Show Key.

Non-CIP Security capable devices do not use any authentication method. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when Certificate or Pre-shared Key is selected.

• I/O Data Security Select the type of security check to perform on the input and output data. Integrity Only Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected. Selected by default when CIP security is enabled. Integrity & Confidentiality Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data. None No I/O Data Security setting is selected. Even when no I/O security is configured, only devices within the zone or from a conduit are capable of I/O data communications. Other devices will be blocked. Non-CIP Security capable devices do not use any I/O Data Security method. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when I/O Data Security is selected.

• Messaging Security Select the type of security check to perform on messages received by devices in the zone. Integrity Only Checks whether data was altered and whether the data was sent by a trusted entity. Rejects altered and/or untrusted data. Selected by default when CIP security is enabled. Integrity & Confidentiality Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data. Non-CIP Security capable devices do not use any Messaging Security and cannot provide data integrity checking. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when Messaging Security is selected.




• TCP/UDP Ports Lists the protocols supported and the port assigned to each. Use the checkbox to disable communications over that port for the devices in the zone. Ports on non-CIP Security capable devices cannot be enabled or disabled using zone properties.

See also



Zones on page 21

Devices on page 30


Conduits create trusted communication pathways outside of zones. Conduits require two endpoints, such as:

• Two different zones.

• Two different devices.

• A zone and a device.

Conduits support two authentication methods:

• Trusted IP

Trusted IP assigns a trust relationship to an asset based on its IP address.

• Certificate

Certificate authentication methods establish the identity of the device through the use of a certificate from a trusted authority. This enables configuration of integrity and confidentiality options for communication over the conduit using the public key associated with the certificate.

Important: If an endpoint is a zone and the conduit uses certificate authentication, devices in that zone that don’t support CIP Security will not use the zones certificate for communication. The CIP Security capable devices will trust the non-CIP Security devices using Trusted IP

See also

Add a conduit on page 27

Edit conduit properties on page 28

Conduits



Delete a conduit on page 28


Add a conduit to connect two endpoints. Endpoints can be either a device or a zone.

Conduits must adhere to these rules:

• Each combination of endpoints must be unique.

• Duplicate conduits are not permitted.

• One of the endpoints must be CIP Security capable.

• If one endpoint is a zone, the other endpoint cannot be a device within that zone.

To add a conduit

1. In the FactoryTalk Policy Manager navigation bar, select Conduits.

2. On the toolbar, select Add [+].

CONDUIT PROPERTIES pane opens.

3. In Endpoint 1, next to Select an endpoint select Browse for Endpoint [...]. Select Endpoint opens.

4. Choose a zone or device to assign as the first endpoint of the conduit.

Tip: In Filter, type part of the name to list only endpoints that match that criteria.

After selecting the endpoint, select OK.

5. In Endpoint 2, next to Select an endpoint select Browse for Endpoint [...]. Select Endpoint opens.

After selecting the endpoint, select OK.

6. Choose a zone or device to assign as the second endpoint of the conduit.

7. Select Next to create the conduit.

The conduit is created and its properties can be configured as needed.

See also


Add a conduit





Conduits allows trusted communication outside of zones. Conduits require two endpoints defined in Conduit properties. An endpoint is a zone or device.

Edit the properties of a conduit if the type of security used on the conduit needs to be updated.

To edit conduit properties


Tip: CONDUIT PROPERTIES is automatically opened to the most recently configured conduit.

2. To edit a different conduit, select a conduit from the list to display its properties.

3. Change the conduit properties. If both endpoints are CIP Security capable, configure CIP Security Communication.

• In I/O Data Security and Messaging Security choose either:

Integrity only - Use to check if the data or message was altered and reject altered information. Integrity & Confidentiality - Use to check integrity plus encrypt the data or message so the corresponding decryption key is required to read the information. Rejects altered and/or untrusted information.

• In I/O Data Security, choose None to stop using additional security checks on I/O data.

See also




Delete a conduit that is no longer needed.

Edit conduit properties

Delete a conduit



Important: Deleting a conduit removes the connection between two endpoints.

To delete a conduit


2. In the table, select the conduit name from the list, then select the Delete icon from the toolbar.

3. A confirmation message displays, select DELETE.

The conduit is deleted from the conduit list and is no longer part of the security model.

See also



Use conduit properties to define the endpoints and security settings to apply to communications over this conduit. Endpoints are either a zone, a device, or a port of a device. Each conduit must be a unique combination of endpoints.

The conduit properties are:


Endpoint 1 The first endpoint of the conduit. The list is composed of the zones and devices that are identified in FactoryTalk Policy Manager.

Endpoint 2 The second endpoint of the conduit.

Name Type a name for the conduit.

Description Type a description for the conduit

Authentication Method Determines how the conduit verifies the identity of the assigned devices and/or zones. • Trusted IP

Devices and zones are trusted for communications based on their IP address. No additional security checks are performed.

• Certificate

Devices and zones are trusted by presenting a certificate that establishes their identity. With this setting selected, configure the I/O Data Security and Messaging Security settings.

Conduit properties




I/O Data Security Determines the type of security check performed on the input and output data. • Integrity Only

This option checks if the data was altered. If detected, rejects altered data.

• Integrity & Confidentiality Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data.

• None

With this option no security checks are performed on input and output data.

This setting is available when you choose Certificate as the Authentication Method.

Messaging Security Determines the type of security check performed on messages received by assets in the zone. • Integrity Only

This option checks if the data in the message was altered. If detected, rejects altered data

• Integrity & Confidentiality

This option checks if the data in the message was altered and that the message was sent by a trusted entity. Rejects the data if it was altered or if it originated from an untrusted entity.

This setting is available when you choose Certificate as the Authentication Method.

See also



Devices are the modules, drives, controllers, HMI panels, computers, and servers that work together to create a FactoryTalk system. Add devices that share security requirements and that should trust each other to a zone. A device can have one or more ports that are added to the security model. Devices can be added manually or discovered by querying the network for devices.

Devices are connected to other devices or zones by conduits.

See also

Discover devices on page 33

Add a device to a zone on page 31

Add a device to the device list on page 32


Devices



Remove the security policy from a device on page 48

Add a device to a zone to include it in the FactoryTalk Policy Manager security model. Alternatively, use discovery to find devices on the network.

To add a device

1. In the FactoryTalk Policy Manager navigation bar, select:

• Zones and then select a zone in the Zones list to add a device to the selected zone's device list.

• Devices to add a device. By default the device is unassigned.

2. On the toolbar, select:

• Add Device [+] to manually add a device to the current device list by selecting its catalog number or to add a generic device.

• Discover Devices to select and add devices found on the network to the current device list

DEVICE PROPERTIES opens.

3. (optional) In Device Name, type a name for the device. Generic devices are automatically named Device <number>. Devices selected by catalog number or discovered are already named.

4. (optional) In Description, type a description of the device. Generic devices are do not have a description. Devices selected by catalog number or discovered may have an existing description.

5. For generic devices, in Catalog Number, select the ellipsis [...] and choose the catalog number for the device from the list.

Tip: Filter the list of catalog numbers by typing a portion of the catalog number in the space provided.

6. (optional) In Vendor, type the name of the device manufacturer. If a Rockwell Automation catalog number was provided, this setting is completed by default and cannot be modified.

7. In Firmware Revision, choose the applicable firmware revision. This setting is required to apply CIP Security settings to the device ports.

8. (optional) Enable CIP Security capable if the device supports CIP Security.

Add a device to a zone



CIP Security is associated with the Catalog Number and Firmware Revision properties. When both values are known the CIP Security capable setting is automatically enabled or disabled and is not editable.

9. Under Ports select the pencil icon next to the port to configure port properties, such as the port name, description, EtherNet driver name, IP address, and protocols used by the device.

See also



Delete a device on page 38


Replace a device on page 47

Add a device to the device list to create a pool of devices which can then be organized into zones. Alternatively, use discovery to find devices on the network.

To add a device to the device list

1. In the FactoryTalk Policy Manager navigation bar, select Devices to add an unassigned device.

2. On the toolbar, select Add Device [+] to manually add a device to the current device list by selecting its catalog number or to add a generic device.

3. (optional) In Device Name, type a name for the device. Generic devices are automatically named Device <number>. Devices selected by catalog number or discovered are already named.

4. (optional) In Description, type a description of the device. Generic devices are do not have a description. Devices selected by catalog number or discovered may have an existing description.

5. For generic devices, in Catalog Number, select the ellipsis [...] and choose the catalog number for the device from the list.

Tip: Filter the list of catalog numbers by typing a portion of the catalog number in the space provided.

6. (optional) In Vendor, type the name of the device manufacturer. If a Rockwell Automation catalog number was provided, this setting is completed by default and cannot be modified.

Add a device to the device list



7. In Firmware Revision, choose the applicable firmware revision. This setting is required to apply CIP Security settings to the device ports.

8. (optional) Enable CIP Security capable if the device supports CIP Security.

CIP Security is associated with the Catalog Number and Firmware Revision properties. When both values are known the CIP Security capable setting is automatically enabled or disabled and cannot be modified.

9. Under Ports select the pencil icon next to the port to configure port properties, such as the port name, description, EtherNet driver name, IP address, and protocols used by the device.

See also


Edit a device on page 37



Use Discover Devices to traverse your system and find devices. Devices found in discovery can be added to the device list and assigned to zones. Discovery can be useful for populating a list of devices or for checking that the devices added to the list manually are accurately identified.

To discover devices

1. In the FactoryTalk Policy Manager toolbar, select Discover Devices.

2. Discover Devices opens displaying the FactoryTalk Linx network tree.

3. (optional) Turn on the CIP Security indicator by clicking the shield icon on the toolbar. With the indicator enabled CIP Security capable devices available on the network will be indicated:

Discover devices



• means the device supports CIP Security and no configuration action has been taken yet.

• means the device is in the CIP Security configuration process.

• means the device is successfully configured with CIP Security.

• means the device configuration is in error

Tip: If a device doesn't support CIP Security, there is no icon in front of it.

4. Select the device to add to the model and then select ADD to add the device to the FactoryTalk Policy Manager Device list.

Multiple devices can be selected and added at once.

5. When finished adding devices, select CLOSE.

See also

Ports on page 34

Add a range on page 39


A port represents a physical socket of a device that allows communication with another device using CIP Security.

FactoryTalk Linx Devices and Rockwell Automation devices that are identified by catalog number have only a single port.

Add ports to Generic Devices to add them to the security policy model.

See also

Add a port on page 34


Port properties on page 36

Generic devices can have ports added to them to match their configuration.

To add a port

1. In the FactoryTalk Policy Manager navigation bar, select Devices to and then select a generic device from the FactoryTalk Policy Manager device list.

Ports

Add a port



2. In the PORT PROPERTIES pane, select the pencil icon next to the device name to open the DEVICE PROPERTIES pane.

3. Under Ports select the plus [+] icon.

A new port adds to the Ports list.

4. Select the pencil icon next to the port number to configure port properties, such as the port name, description, EtherNet driver, IP address, and protocols used by the device.

See also


Port properties on page 36

Devices have ports that are associated with IP addresses, ports, and protocols. Devices that have a specific catalog number have a predefined number of ports with assigned protocols. If a device does not have a catalog number FactoryTalk Policy Manager adds it as a Generic Device. When a security policy model includes generic devices, configure the number of ports on the device.

To configure port properties


• Zones to configure port properties for a device in the zone device list.

• Devices to configure port properties for any device in FactoryTalk Policy Manager.

Select the device to configure from the device list. The properties pane updates to display the port properties for that device.

Tip: When navigating to either zones or devices the PORT PROPERTIES pane opens automatically to the last item configured.

2. (optional) If the device was added as a Generic Device, edit the port name by selecting the Port Name setting and typing a new name.

Port names added through discovery of an associated EDS file are read-only.

3. (optional) In Description, type a description of the port.

4. For CIP Security capable devices, in EtherNet Driver Name, type the name of the EtherNet driver for the device.

5. In IP Address, type the IP address of the device.

Configure port properties



If the Clear configuration for previous IP Address confirmation dialog appears. Either:

• Choose CLEAR CONFIGURATION if the previous IP address is assigned to a different device. The IP address and the device name are added to the Deleted Devices list to be removed from the security model at the next deployment.

• Choose DON'T CLEAR CONFIGURATION if the previous IP address is not in use.

Important: Changing the IP Address of a CIP Security Capable device in a CIP Security enabled zone after deployment requires that the security configuration be cleared for the previous address if that IP address is in use.

6. In the Policies area, configure the security policies for the device.

• In Zone, assign the device to the appropriate security zone.

• If the device is CIP Security capable and the port was assigned to a CIP Security enabled zone, in TCP/UDP Ports, select which ports to disable on the device to further control communications activity on the device.

See also



These are the port properties.

Property Action

Device This area displays information about the device this port is present on.

• Device name The name of the device. Select the pencil icon next to the device name to open DEVICE PROPERTIES.

• Device description Read-only information that describes the device function.

• Device catalog number Read-only information that provides the catalog number of the device.

General Use this area to configure this port on the device.

• Name The name for the port.

• Description The description for the port.

• EtherNet Drive name For CIP Security capable devices. The name of the Ethernet driver used for communications. Example: AB-ETH-1

• IP Address The IP address of the Ethernet port. Example: 10.88.11.11

Policies Use this area to select the security zone and communication settings for the port

Port properties



Property Action

• Zone The name of the zone to which the port is assigned.

• TCP/UDP Ports For CIP Security capable devices. When a device is CIP Security capable and placed in a zone using the certificate authentication method, the TCP/UDP Port usage on the device is configurable. • Select the Disable checkbox next to a port to disable communication using that

port.

• Clear the Disable checkbox next to a port to enable communication using that port.

See also

Add a port on page 34


Edit the device properties to change the device information, to enable CIP Security options, or modify the port configuration. The properties changes are applied the next time the security policy model is deployed.

Tip: When navigating to either zones or devices the PORT PROPERTIES pane opens automatically to the last item configured.

To edit device properties


• Zones and then select a zone in the Zones list to edit a device in the selected zone's device list.

• Devices to edit any device on the FactoryTalk Policy Manager device list.

2. In PORT PROPERTIES select the Pencil icon next to the device name to display DEVICE PROPERTIES.

3. Change the device properties as needed.

As the settings are changed the FactoryTalk Policy Manager title bar updates to show that the changes have been saved.

See also




Edit device properties



Delete a device that is no longer needed. After a device is deleted it will be listed in the Deleted Devices table until the next time the model is deployed.

Important: If a device has multiple ports, the additional ports must be deleted to delete the device. These devices are shown in the device list with the port name appended after the device name; for example Device3:Port2

To delete a device

1. In the FactoryTalk Policy Manager navigation bar, select Devices.

2. In the table, select the device name from the list, then select the Delete icon from the toolbar.

3. A confirmation message is displayed, select DELETE.

The device is deleted from the device list and is no longer part of the security model.

See also


Add a device to the device list on page 32


Replace a device on page 47

Remove the security policy from a device on page 48

Use device properties to define the device information, security, and network settings for a device. Device properties defined using the electronic datasheet (EDS) for the device cannot be modified. A device can have one or more ports that are added to the security model.

The device properties are:


General These settings provide the identification parameters of the device

Delete a device

Device properties




• Name The name of the device. The name is required and must be unique.

• Description (optional) A description for the device.

• Catalog Number (optional) If defined using device discovery, the catalog number cannot be changed. Otherwise, choose a catalog number from the list. Choosing a Rockwell Automation catalog number automatically completes the Vendor information. Devices without catalog numbers are listed as Generic Device.

• Vendor (optional) The name of the device's vendor.

• Firmware Revision The firmware revision number of a device. Required to enable CIP Security for a device.

• CIP Security Capable Identifies whether a device can use the security settings of the zone. Select to configure additional CIP Security settings for a generic device. Note: The Catalog Number and firmware revision determine the CIP Security capability of a device automatically.

Ports These settings identify the ports available on the device. Note: Generic devices can manually add ports as needed by selecting the plus sign [+] next to Ports.

• <Port name and number> The name and number of the port(s) available on the device.

Select the pencil icon next to the port number to configure port properties, such as the port name, description, EtherNet driver, IP address, and protocols used by the device.

See also

Add a device on page 31

If there are groups of devices that are not CIP Security capable, they can be incorporated into the security model using a trusted IP range.

A trusted IP range is a contiguous set of IP addresses that are known to contain good devices, but that cannot use certificates or pre-shared keys to authenticate identities or authorize access.

When a device has an IP address within a defined trusted IP range, the authentication method for the device is set to None, because there is no other attestation of identity possible.

See also



Add a range to define a set of IP addresses to assign to a zone. A device range is useful for devices that do not support CIP Security, but that need to be part of the security policy model.

Ranges

Add a range



To add a range


• Zones and then select a zone in the Zones list to add a device range to the selected zone's device list.

• Devices to add an unassigned device range to the FactoryTalk Policy Manager device list.

2. On the toolbar, select Add Range. The RANGE PROPERTIES pane opens.

3. In Name, type a name for the range.

4. (optional) In Description, type a description of the range.

5. In Start IP Address, type the first IP address in the range being defined.

6. In End IP Address, type the last IP address in the range being defined.

7. (optional) In Zone, select the security zone to assign to this range. If adding a range from within the Zone list, the range is automatically assigned to the currently selected zone.

See also



Range properties on page 40

Use range properties to define the IP address range. Devices in a range cannot apply security configuration settings of a zone. In a zone where CIP Security is enabled, devices in this range will be trusted by CIP Security capable devices based solely on their IP address. All other communications with devices in this range will not use any authentication method.

The range properties are:


Name The name of the range. The name is required and must be unique.

Description (optional) A description for the range.

Start IP Address The first IP address of the range.

End IP Address The last IP address of the range

Zone The security zone to which the range is assigned.

Range properties



See also





Chapter 3

3 - Deploy a security policy model

In this Section

Deploy a security model 43 Deployment options 44 Deployment results 45 Reload a security model 46 Replace a device 47 Remove the security policy from a device 48

After the zones, conduits, and devices have been configured, the security policy model can be deployed.

Before a deployed security policy becomes active, communications must be reset to all configured devices, resulting in a short loss of connectivity. During deployment, there is the option of resetting the communication as part of deployment, or deploying the changes without resetting the communication channel so that the reset can occur at a different time than the deployment process.

Once the model is deployed and communications reset on the device, the device will only accept communications from other devices in the same zone or using conduits configured to enable communications with other security zones or devices.

Before deploying a security model, make sure that all devices are operational and have network access.

If changes are made the policy after it is deployed, an asterisk (*) will appear next to the device, indicating that the configured policy has not been deployed to that device.

To deploy a security model

1. On the FactoryTalk Policy Manager toolbar, select Deploy.

2. Review the Deploy dialog:

Deploy a security model

Chapter 3 3 - Deploy a security policy model


a. The list of devices identifies the devices that will be configured when this model is deployed. Scroll down or select More details to review the list. If the list contains unexpected devices, select CANCEL and then change the model as needed.

b. Choose when to reset the communication channels for the items includes in the security policy model.

• During deployment When this option is selected, the communication port will be closed and re-opened on the device during the deployment process. Similar to resetting the network card on a computer, the device stays functional but is disconnected from the network for a few moments. Using this option applies the new policy to the device at the same time that the policy is deployed.

• After deployment When this option is selected, the security policy settings will be deployed to the device but are not in effect. The communications ports will need to be reset before the security policy will be used. This option is useful if there is a scheduled maintenance reset process in your environment that can be relied upon to perform this function.

c. Select DEPLOY.

3. The Results pane updates with the results of the deployment as it occurs. Once deployment is complete a summary report is provided listing the successes, failures, and errors encountered during the process.

See also

Devices on page 30

Conduits on page 26

Zones on page 21

Deployment results on page 45

Choose when to reset the communication channels for the items includes in the security policy model.

• During deployment

When this option is selected, the communication port will be closed and re-opened on the device during the deployment process. Similar to resetting

Deployment options

3 - Deploy a security policy model Chapter 3


the network card on a computer, the device stays functional but is disconnected from the network for a few moments. Using this option applies the new policy to the device at the same time that the policy is deployed.

• After deployment

When this option is selected, the security policy settings will be deployed to the device but are not in effect. The communications ports will need to be reset before the security policy will be used. This option is useful if there is a scheduled maintenance reset process in your environment that can be relied upon to perform this function.

See also

Devices on page 30

Conduits on page 26

Zones on page 21


Depending on the size of your system, the deployment process can take a while. As assets are deployed, the Results tab updates with the result of the deployment on each item in the model. The possible results are:

• Configuration complete. No issues identified.

• Configuration complete. Warnings identified.

• Configuration not complete. Error identified.

At any point in the deployment process, the process can be stopped. If deployment is stopped, assets that have been configured, remain configured. Stopping the deployment process does not roll back the changes that have occurred.

If the deployment process is stopped during deploy, this can leave the system in an unexpected state. Communications between devices could be permanently interrupted requiring module reset.

After the deployment process is complete, a report is created that details which assets were successfully deployed, which items failed to deploy, and the errors and warning encountered. The report can be saved for reference, reporting, or other record keeping requirements.

Deployment results



Errors and warnings

This table provides a reference of the possible errors and warning encountered during deployment. Items in brackets are placeholders for specific items that are identified as appropriate for the environment.

Warning or Error Description

Catalog number does not match device type identified during deployment, <device type>.

The catalog number specified in FactoryTalk Policy Manager device properties does not match the catalog number provided by the device at the IP address. This could be a result of typographical error during device configuration in FactoryTalk Policy Manager or misidentification of the device. Verify the catalog number and update the device properties.

Firmware revision does not match revision identified during deployment, <firmware revision>.

The firmware revision specified in FactoryTalk Policy Manager device properties does not match the firmware revision provided by the device at the IP address. This could be a result of typographical error during device configuration in FactoryTalk Policy Manager or misidentification of the device firmware. Verify the firmware revision and update the device properties as needed.

Device found at IP address is not CIP Security capable The device properties configured in FactoryTalk Policy Manager record the device as CIP Security Capable, but the device at the IP address is not. Verify that the correct device and IP address are configured in FactoryTalk Policy Manager.

Device found at IP address is CIP Security capable The device properties configured in FactoryTalk Policy Manager record the device as not CIP Security Capable, but the device at the IP address support CIP Security. Verify that the correct device and IP address are configured in FactoryTalk Policy Manager.

Device does not support Confidentiality for I/O Data Either the device or the zone properties configured in FactoryTalk Policy Manager specify that data confidentiality should be enforced by encrypting input and output data from the device, but the device at this IP address does not support cryptography. Verify that the correct device and IP address are configured in FactoryTalk Policy Manager. This warning appears when a device that does not support CIP Security is placed in a zone configured with I/O Data Security.

Device does not support configuring <port name and number>. The device has been placed in a zone that has disabled communication over the specified port, but the device does not support individual port configuration.

Last deployment failed for this device. Device did not receive security configurations.

The device was unable to be configured by FactoryTalk System Services and the policy defined in FactoryTalk Policy Manager was not applied to the device. This could be because the device was unreachable or non-responsive. Verify that the device is operational and properly connected to the network.

See also





After a model has been deployed, changing the configuration of devices, zones, and conduits can change the performance of the system.

Reload a security model



Reloading the model synchronizes FactoryTalk Policy Manager and FactoryTalk System Services and refreshes the display of possible conflicts so that they can be addressed before deployment.

To reload a security model

• On the FactoryTalk Policy Manager toolbar, select Reload.

FactoryTalk Policy Manager refreshes the display with the most recent information from FactoryTalk System Services.

See also

Conduits on page 26

Devices on page 30

Replacing a device is used when a device that has already been configured and enabled for CIP Security has failed or needs to be rotated out for maintenance. Device replacement enables the identity and the security configuration of the previous device to be assigned to the replacement device. The communications port on a device must be reset after replacement to apply the security policy settings.

To replace a device


• Zones and then select a zone in the Zones list to replace a device on the selected zone's device list.

• Devices to replace any device on the FactoryTalk Policy Manager device list.

2. In the device list, select the name of the device to replace.

The selected device properties display in DEVICE PROPERTIES.

3. On the FactoryTalk Policy Manager toolbar, select Replace Device.

Deploy Configuration to Replace Device displays.

4. In Deploy Configuration to Replace Device choose when to reset the communication ports on the device:

Replace a device



• Choose During policy deployment to reset the ports automatically as part of the replacement process.

• Choose After deployment to manually reset the ports at a later time. The security policy is not being enforced on the device until the ports are reset.

5. Select Deploy. Deployment results are displayed as the deployment occurs.

See also


If the security model has been deployed and the device communications have been reset the device is constrained by the security policy. Removing the device from the model does not remove the security configuration. Even if FactoryTalk Policy Manager and FactoryTalk System Services are uninstalled the security policy configured for the device is still in effect.

Use these steps to remove the security policy if necessary.

To remove the security policy from a device

1. In the FactoryTalk Policy Manager navigation bar, select Devices and then select the device.

PORT PROPERTIES are displayed.

2. In the Policies area, change the security policies for the device.

• In Zone, choose either Unassigned or a zone that is not CIP Security enabled.

3. Deploy the security model and choose to reset the communications channels During deployment.

The device security configuration will be reset to none.

The device can then be removed from the model or reconfigured as necessary.

See also



Deploy a security model on page 43

Remove the security policy from a device


Chapter 4

4 - Backup and restore

In this Section

Backup and restore security models 51 Backup FactoryTalk System Services 51 Restore FactoryTalk System Services 52

Create backup files to preserve and restore the security models for your system in case of a systems failure.

These are the considerations related to using backup and restore with FactoryTalk Policy Manager:

• The FactoryTalk Policy Manager security model is stored by FactoryTalk System Services in a policy database.

• Create a backup after a policy deployment to keep the backup files synchronized with the current security policy.

See also

Deploy a security model on page 43

Backup FactoryTalk System Services to save copy of the security model and its associated certificates. After it has been created the FactoryTalk System Services backup file is included with the FactoryTalk Services Platform backup when it is performed.

Important: Backing up FactoryTalk System Services requires administrator privileges.

To backup FactoryTalk System Services databases

1. Open a command prompt as an Administrator.

2. In the command prompt window type: cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services.

Backup and restore security models

Backup FactoryTalk System Services

Chapter 4 4 - Backup and restore


3. Run the backup utility by typing one of these commands:

• FTSSBackupRestore -B

Creates a plain text backup of the data.

• FTSSBackupRestore -B -PW "password"

Creates an encrypted backup of the data using the password supplied in quotation marks. This password must be supplied to restore the data.

4. The file backup.zip file is created. This file will be included in the FactoryTalk Services Platform Backup.

Verify the file is present in this location: C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

Tip: The ProgramData folder is hidden by default in Windows File Explorer.

See also

Backup and restore security models on page 51

Restore FactoryTalk System Services on page 52

Restore FactoryTalk System Services to return the FactoryTalk System Services databases to a known good state.

Important: Restoring FactoryTalk System Services requires administrator privileges.

To restore FactoryTalk System Services databases

1. Verify the backup.zip file is present in this location: C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

2. Open a command prompt as an Administrator.

3. In the command prompt window type: cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services.

4. Run the FactoryTalk System Services Backup & Restore Utility by typing one of these commands:

• FTSSBackupRestore -R

Restores a plain text backup of the databases.

Restore FactoryTalk System Services

4 - Backup and restore Chapter 4


• FTSSBackupRestore -R -PW "password"

Restores an encrypted backup of the databases that is decrypted using the password supplied in quotation marks.

See also

Backup and restore security models on page 51

Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.

Allen-Bradley, Rockwell Automation, and Rockwell Software are trademarks of Rockwell Automation, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

Rockwell Automation Publication FTALK-GR001A-EN-E Inital Release, July 2019 Copyright © 2019 Rockwell Automation Technologies, Inc. All Rights Reserved. Printed in the U.S.A.

Rockwell Automation support

Use the following resources to access support information.

Technical Support Center Knowledgebase Articles, How-to Videos, FAQs, Chat, User Forums, and Product Notification Updates

https://rockwellautomation.custhelp.com

Local Technical Support Phone Numbers Locate the phone number for your country. http://www.rockwellautomation.com/global/support/get-support-now.page

Direct Dial Codes Find the Direct Dial Code for your product. Use the code to route your call directly to a technical support engineer.

http://www.rockwellautomation.com/global/support/direct-dial.page

Literature Library Installation Instructions, Manuals, Brochures, and Technical Data.

http://www.rockwellautomation.com/global/literature-library/overview.page

Product Compatibility and Download Center (PCDC)

Get help determining how products interact, check features and capabilities, and find associated firmware.

http://www.rockwellautomation.com/global/support/pcdc.page

Documentation feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete the How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf.

http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page

https://rockwellautomation.custhelp.com/

http://www.rockwellautomation.com/global/support/get-support-now.page

http://www.rockwellautomation.com/global/support/direct-dial.page

http://www.rockwellautomation.com/global/literature-library/overview.page

http://www.rockwellautomation.com/global/support/pcdc.page

http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf

factorytalk policy manager - rockwell automation...manager to cip configurations that are delivered...

Documents