Zone properties

Use zone properties to define the policy settings to apply to devices that are assigned to this zone.

General

The settings in this area differentiate this zone from other zones.

Property and description:

Name
    The name for the zone.

Description
    A description for the zone.

CIP Security

The settings in this area relate to how the devices in the zone communicate with other devices.

CIP security settings

Property and description:

Enable CIP Security
    Enable CIP Security options for the zone. When selected, additional configuration options are available.
    Non-CIP Security capable devices can be added to a zone with CIP Security enabled. These devices will have an information icon displayed stating "Incompatible with zone configuration". These devices will not receive CIP Security policy themselves, but devices in this zone that are CIP Security capable will add the IP address of the non-CIP Security capable device to their Trusted IP list so that communication between the devices can occur.

Authentication Method
    Select which method the devices use to authenticate.
    • Certificate
      A digital certificate is an electronic representation of an identity. A certificate binds the identity's public key to its identifiable information, such as name, organization, email, username, and/or a device serial number. This certificate is used to authenticate the connection to other devices. Selected by default when CIP Security is enabled.
    • Pre-shared Key
      A pre-shared key is a secret that is shared among trusted entities. FactoryTalk Policy Manager can create a key that can be shared. To generate a pre-shared key, select Auto-generate key. To view the key, select Show Key.
      TIP: Once the authentication method is saved, you cannot show a pre-shared key.
    Non-CIP Security capable devices do not use any authentication method. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when Certificate or Pre-shared Key is selected.

I/O Data Security
    Select the type of security check to perform on the input and output data.
    • Integrity Only
      Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected. Selected by default when CIP Security is enabled.
    • Integrity & Confidentiality
      Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data.
      TIP: Rockwell Automation recommends choosing this option.
    • None
      No I/O Data Security setting is selected. Even when no I/O security is configured, only devices within the zone or from a conduit are capable of I/O data communications. Other devices will be blocked.
    Non-CIP Security capable devices do not use any I/O Data Security method. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when I/O Data Security is selected.

Messaging Security
    Select the type of security check to perform on messages received by devices in the zone.
    • Integrity Only
      Checks whether data was altered and whether the data was sent by a trusted entity. Rejects altered and/or untrusted data. Selected by default when CIP Security is enabled.
    • Integrity & Confidentiality
      Checks integrity and encrypts the data so the corresponding decryption key is required to read the data. Rejects altered and/or untrusted data.
    Non-CIP Security capable devices do not use any Messaging Security and cannot provide data integrity checking. If non-CIP Security capable devices are present in a zone, an information message displays stating "incompatible devices in zone" when Messaging Security is selected.

Disable port HTTP (80)
    Select to disable communication over port 80. This functionality applies only to zones with CIP Security enabled. The available options may be restricted by Global Settings.
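The membership rules above (a non-CIP Security capable member receives no policy and is flagged, while capable members add its IP address to their Trusted IP list) as an added Python model; this is illustration code, not FactoryTalk Policy Manager's own, and the Zone and Device classes and the effective_policy function are assumed names:

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Allowed values of the three zone settings documented above.
AUTH = ("Certificate", "Pre-shared Key")
IO = ("Integrity Only", "Integrity & Confidentiality", "None")
MSG = ("Integrity Only", "Integrity & Confidentiality")

@dataclass
class Zone:  # assumed model of a zone's CIP Security settings
    name: str
    cip_security: bool = False
    auth_method: str = "Certificate"      # default when CIP Security is enabled
    io_security: str = "Integrity Only"   # default when CIP Security is enabled
    msg_security: str = "Integrity Only"  # default when CIP Security is enabled
    disable_http: bool = False            # only applies when cip_security is True

@dataclass
class Device:  # assumed model of a zone member
    name: str
    ip: str
    cip_capable: bool

def effective_policy(zone, devices):
    """Return ({device name: settings the device actually receives}, [info messages])."""
    if zone.auth_method not in AUTH or zone.io_security not in IO or zone.msg_security not in MSG:
        raise ValueError("unknown zone setting")
    if not zone.cip_security:
        return {d.name: {"cip_security": False} for d in devices}, []  # no policy is pushed
    incompatible = [d for d in devices if not d.cip_capable]
    # Capable members accept non-capable members by IP address instead of by authentication.
    trusted_ips = sorted(str(ip_address(d.ip)) for d in incompatible)
    messages = ["incompatible devices in zone: " + ", ".join(d.name for d in incompatible)] if incompatible else []
    policy = {}
    for d in devices:
        if not d.cip_capable:  # flagged in the UI and receives no CIP Security policy
            policy[d.name] = {"cip_security": False, "icon": "Incompatible with zone configuration"}
            continue
        policy[d.name] = {
            "cip_security": True,
            "auth_method": zone.auth_method,
            "io_security": zone.io_security,
            "msg_security": zone.msg_security,
            "http_port_disabled": zone.disable_http,
            "trusted_ips": trusted_ips,  # these peers are unauthenticated, hence the warning
        }
    return policy, messages
```

The trusted_ips entries are exactly the flows that carry no CIP Security authentication, integrity or confidentiality, which is why the page flags such devices as incompatible with the zone configuration.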
CIP Bridging settings

Property and description:

Inbound CIP Bridging to the backplane
    • Allow all traffic
      Allows bridging of secure and trusted IP traffic from the EtherNet/IP interface to the backplane and other physical ports (for example: Ethernet, USB). Allows bridging of unsecure traffic from the USB port.
      TIP: Physical port support depends on the hardware platform.
    • Allow secure traffic
      Allows bridging of only secure traffic from the secured EtherNet/IP interface to the backplane and other physical ports (for example: Ethernet, USB). Blocks bridging of unsecure traffic from the USB port.
      TIP: Physical port support depends on the hardware platform.
    • Block all traffic
      Blocks bridging of any traffic from the secured EtherNet/IP interface.

Outbound CIP Bridging from the backplane
    • Allow all traffic
      Allows bridging of all traffic to the EtherNet/IP interface and the USB port.
    • Block all traffic
      Blocks bridging of any traffic to the EtherNet/IP port and the USB port.

OPC UA

Zones and conduits follow these non-editable OPC UA security policy settings:
  • OPC UA clients trust OPC UA servers
  • OPC UA servers do not trust OPC UA servers
  • OPC UA clients do not trust OPC UA clients