Global Settings

Use Global Settings to define the settings applied to all devices contained in the model. Only administrators can edit Global Settings.
IMPORTANT: Rockwell Automation recommends configuring Global Settings before using the certificate authentication method.
TIP: Changes are saved when you select another field.

General

Model Name
    The name of the policy model managed by this instance of FactoryTalk Policy Manager.

Certificate Settings

These values identify your organization in the certificates used for certificate authentication, so configure them before enabling that method.
Organization
    The name of your organization.
City/Location
    The legally registered location of your organization.
State/Province
    If applicable, the state or province where your organization uses the certificate.
Country
    The country where your organization operates.

Device Authentication

Enable enhanced device authentication
    Enabling enhanced device authentication involves deploying updates to all devices in the policy model. You can deploy the updates immediately after enabling enhanced device authentication or later.
Display deployment warnings for devices that do not support enhanced device authentication
    For more information about the supported devices, see Enhanced device authentication.
Skip or Continue the device policy deployment if a device cannot be authenticated
    Skip
        If a device fails the enhanced device authentication check, that device is skipped and the policy deployment process continues with the remaining devices.
    Continue
        If a device fails the enhanced device authentication check, policy deployment to that device continues and a warning appears.
    Continue pushes policy to a device whose identity could not be verified, so treat every resulting warning as something to investigate rather than dismiss; Skip is the safer default.
Include DNS Information
    Adds DNS information to the digital identity certificate of the device.

Port Settings

DTLS settings
DTLS timeout
    Enter a value between 1 and 3600 seconds. The default value is 12 seconds.
    If the device does not support the timeout functionality, a warning appears in Device Properties.
CIP Bridging settings
Allow or restrict communication to and from the backplane of eligible devices in all zones of the security policy model. The CIP bridging settings affect secured EtherNet/IP interfaces and USB ports (if present). The selected option becomes the default for all zones and devices.
Inbound CIP Bridging to the Backplane
    Allow all traffic
        Allows bridging secure and trusted IP traffic from the EtherNet/IP interface to the backplane and other physical ports (for example, Ethernet and USB).
        Allows bridging unsecured traffic from the USB port.
    Allow secure traffic
        Allows bridging only secure traffic from the secured EtherNet/IP interface to the backplane and other physical ports (for example, Ethernet and USB).
        Blocks bridging unsecured traffic from the USB port.
    Block all traffic
        Blocks bridging any traffic from the secured EtherNet/IP interface and the USB port.
    TIP: Physical port support depends on the hardware platform.
Outbound CIP Bridging from the Backplane
    Allow all traffic
        Allows bridging all traffic to the Ethernet port and the USB port.
    Block all traffic
        Blocks bridging traffic to the Ethernet port and the USB port.

Automatic Policy Deployment

TIP:
Changes to the Automatic Policy Deployment settings take immediate effect. To avoid onboarding devices with unintended settings, edit the Automatic Policy Deployment settings:
  • With the FactoryTalk System Services server disconnected from the network.
  • When you do not expect any devices to be onboarded.
Enable automatic device discovery and onboarding
    Enables Automatic Policy Deployment, which:
      • Starts the DNS-based Service Discovery (DNS-SD) services that enable device discovery and certificate provisioning.
      • Starts the Enrollment over Secure Transport (EST) system service, which responds to endpoint enrollment queries.
      • Merges the discovered devices with the matching devices in the policy model.
      • Adds a discovered device to the Onboarding Area if it does not match any device in the policy model.
Enable automatic secured device replacement
    Automatically deploys the configuration of a device in the policy model to an onboarded device that matches it according to specific criteria.
    This feature requires the Enable automatic device discovery and onboarding checkbox to be selected.
Enable secure onboarding
    During onboarding, discovered devices can receive different sets of temporary policies that determine their networking behavior until they are provisioned with final policies. With this option enabled, onboarding devices are prevented from establishing connections with any device in the network other than FactoryTalk Policy Manager.
    This feature requires the Enable automatic device discovery and onboarding checkbox to be selected.

Security Eventing Settings

Enable security eventing using Syslog server
    Enables devices that support security eventing to start sending Syslog messages as configured in the policy.
    These settings apply to all devices that support security eventing.
Use these settings to identify the location of the Syslog server.
Syslog Server Settings
IP Address
    Identifies the Syslog server by its IP address.
Hostname
    Identifies the Syslog server by its DNS host name.
Port
    Identifies the port on the server that receives the Syslog messages. The default port number is 514.
Protocol
    Selects the transport used to deliver the Syslog messages.
      • Select UDP for low-priority logging. UDP does not guarantee delivery; log data transferred over UDP can be lost in transit because of network problems, and the sending device gets no indication of the loss.
      • Select TCP for log data that cannot tolerate loss and must be retained.
    Neither transport encrypts or authenticates the messages on the wire, so place the Syslog server on a network path you trust and do not expose its port beyond that path.
Use these settings to filter the event messages that are logged to the Syslog server.
Filter Settings
Event types that will generate messages
    Determines which event types generate messages.
    Failures only
        Logs only failure events related to model deployment, device discovery, component connections, and component authentications or authorizations.
    Failures and successes
        Logs all success and failure events related to model deployment, device discovery, component connections, and component authentications or authorizations.
Lowest level of severity to log
    Logs messages whose severity is at or above the selected level. For example, selecting Warning logs Emergency, Alert, Critical, Error, and Warning messages and suppresses Notice and below. Because Audit ranks below Information in this list, any setting of Information or higher also suppresses audit messages. The defined severity levels, from highest to lowest, are:
    Emergency
        System is unusable.
    Alert
        Action must be taken immediately.
    Critical
        Critical operational conditions, such as device hardware major faults.
    Error
        Error conditions in software applications and device hardware minor faults.
    Warning
        Warning conditions in software applications and hardware.
    Notice
        Significant conditions that may require special handling.
    Information
        Informational messages about software or hardware operations.
    Audit
        Messages from the auditing service.
    Debug
        Messages about the programmatic operations of the software.
Message Settings
Details to include in message
    Specifies the details included in each message.
    Sequence ID
        Uniquely identifies the type and purpose of the message.
    Time quality (sync info, time zone accuracy)
        Describes the system time mechanism used by the message originator.
Time resolution
    Defines the level of precision used in the time stamp of the log messages:
      • Seconds
      • Milliseconds
      • Microseconds
      • Nanoseconds
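The Syslog server, filter and message settings above are applied on the device side. The following script is an added example, not part of this documentation and not FactoryTalk Policy Manager code, showing what a receiver does with the resulting messages: it decodes RFC 5424 Syslog lines, applies the same at-or-above severity filter using the level order listed above, reads the Sequence ID and time-quality details, flags gaps in per-host sequence IDs (which is how lost UDP datagrams show up at the collector) and records hosts whose clock reports as unsynchronized. Assumptions: the devices emit RFC 5424-formatted messages; the structured-data element names meta/sequenceId and timeQuality/isSynced come from RFC 5424, not from the product documentation; the Audit level has no numeric RFC 5424 severity, so a PRI value is never decoded to it here; the sample lines, host names and message IDs are constructed.

```python
"""Receiver-side triage of RFC 5424 Syslog events from security-eventing devices.
Added example, not FactoryTalk Policy Manager code. Assumes devices send RFC 5424
messages using the RFC's own structured-data elements 'meta' (sequenceId) and
'timeQuality' (isSynced); the sample lines at the bottom are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity levels in the order the documentation lists them, highest first.
SEVERITY_ORDER = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Information", "Audit", "Debug"]
# RFC 5424 numeric severities 0..7. 'Audit' has no numeric code, so a PRI value
# never decodes to it (assumption: audit events arrive as Information, 6).
PRI_SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
                      "Notice", "Information", "Debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

@dataclass
class SyslogEvent:
    severity: str
    facility: int
    timestamp: str
    host: str
    msgid: str
    sequence_id: Optional[int]    # None when no meta/sequenceId element was sent
    time_synced: Optional[bool]   # None when no timeQuality element was sent
    message: str

def should_log(level: str, lowest_level: str) -> bool:
    """'Lowest level of severity to log': keep levels at or above the selected one."""
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(lowest_level)

def parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Split STRUCTURED-DATA ('-' or [id name="value" ...] elements) from the MSG."""
    if rest.startswith("-"):
        return {}, rest[1:].lstrip()
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if m is None:
            raise ValueError("malformed structured data: %r" % rest[pos:pos + 40])
        elements[m.group("id")] = {p.group("name"): p.group("value")
                                   for p in SD_PARAM_RE.finditer(m.group("params"))}
        pos = m.end()
    return elements, rest[pos:].lstrip()

def parse_syslog(line: str) -> SyslogEvent:
    """Decode one RFC 5424 message; PRI = facility * 8 + severity."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 message: %r" % line[:40])
    facility, severity = divmod(int(m.group("pri")), 8)
    sd, message = parse_structured_data(m.group("rest"))
    seq = sd.get("meta", {}).get("sequenceId")
    tq = sd.get("timeQuality")
    return SyslogEvent(
        severity=PRI_SEVERITY_NAMES[severity], facility=facility,
        timestamp=m.group("ts"), host=m.group("host"), msgid=m.group("msgid"),
        sequence_id=int(seq) if seq is not None and seq.isdigit() else None,
        time_synced=None if tq is None else tq.get("isSynced") == "1",
        message=message)

def triage(lines: List[str], lowest_level: str) -> dict:
    """Flag gaps in per-host sequence IDs (how lost UDP datagrams show up) and hosts
    whose clock reports unsynced, then return the events at or above lowest_level."""
    events = [parse_syslog(line) for line in lines]
    gaps: List[Tuple[str, int, int]] = []   # (host, expected id, received id)
    last_seq: Dict[str, int] = {}
    unsynced = set()
    for ev in events:
        if ev.sequence_id is not None:
            prev = last_seq.get(ev.host)
            if prev is not None and ev.sequence_id != prev + 1:
                gaps.append((ev.host, prev + 1, ev.sequence_id))
            last_seq[ev.host] = ev.sequence_id
        if ev.time_synced is False:
            unsynced.add(ev.host)
    return {"events": [ev for ev in events if should_log(ev.severity, lowest_level)],
            "sequence_gaps": gaps, "unsynced_hosts": unsynced}

# Constructed sample lines. PRI 34 = facility 4 / severity 2 (Critical),
# 38 = 4/6 (Information), 39 = 4/7 (Debug), 12 = 1/4 (Warning).
SAMPLE_LINES = [
    '<34>1 2024-03-05T14:07:12.000123Z plc-line1 secpolicy - AUTHFAIL '
    '[meta sequenceId="17"][timeQuality tzKnown="1" isSynced="1" syncAccuracy="1000"] '
    'enhanced device authentication failed for 192.0.2.10',
    '<38>1 2024-03-05T14:07:13Z plc-line1 secpolicy - DEPLOYOK '
    '[meta sequenceId="18"][timeQuality tzKnown="1" isSynced="1"] policy deployment succeeded',
    '<39>1 2024-03-05T14:07:14Z plc-line1 secpolicy - TRACE '
    '[meta sequenceId="20"][timeQuality tzKnown="1" isSynced="0"] internal trace',
    '<12>1 2024-03-05T14:07:15Z plc-line2 secpolicy - CONNFAIL - '
    'connection from 192.0.2.20 rejected',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES, "Warning").items():
        print(key, value)
```

With the lowest level set to Warning, the filter keeps only the Critical and Warning sample events, the sequence check reports that message 19 from plc-line1 never arrived (the kind of silent loss the UDP note above warns about), and plc-line1 is listed as having an unsynchronized clock, which is worth knowing before you rely on its timestamps in an investigation.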