Kaspersky IoT Secure Gateway 1000 processes traffic at the packet level according to firewall rules and the lists of allowed and blocked IP addresses.
Kaspersky IoT Secure Gateway 1000 stops processing a network packet on the first match with a rule; all the following rules are ignored.
The traffic processing procedure differs for unidirectional gateway and network router device types. The type of network device is defined when installing Kaspersky IoT Secure Gateway 1000.
Traffic processing procedure for the unidirectional gateway device type
If Kaspersky IoT Secure Gateway 1000 functions as a unidirectional gateway, traffic processing rules are applied differently depending on the type of network.
For external network traffic, the rules are applied in the following order:
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic from a device on an internal network to a device on the external network.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP protocol.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are delivered automatically after the VPN application is installed. They are required for allowing traffic initiated by the VPN application.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for blocking all incoming traffic.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
For internal network traffic, the rules are applied in the following order:
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic between devices on the internal network.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP and CARP protocols, as well as Kaspersky IoT Secure Gateway 1000 web interface traffic and Kaspersky Security Center 14.2 Web Console traffic.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
You can select application protocols whose traffic you want to block. Traffic processing rules will be generated according to your choices.
This list of rules applies only if emergency support mode is active. In that event, all traffic is blocked. You cannot modify these rules.
With Kaspersky IoT Secure Gateway Network Protector, you can add, edit, and delete allowlist entries, which are the IP addresses of devices whose traffic must be allowed.
The list is generated automatically from information about suspicious industrial traffic filtered with Kaspersky IoT Secure Gateway Network Protector rules. You can set up filtering rules to block traffic that uses industrial protocols. You can also delete IP addresses previously added to the IP address denylist, if required.
You can create, edit, or delete these rules for the internal and external networks.
You can create, edit, or delete these rules for the internal and external networks.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing outgoing traffic in response to incoming requests from an external network.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
Traffic processing procedure for the network router device type
If Kaspersky IoT Secure Gateway 1000 is functioning as a network router, traffic processing rules are applied in the following order:
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing traffic when starting Kaspersky IoT Secure Gateway 1000 self-diagnostics.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They allow traffic over the ICMP and CARP protocols, as well as Kaspersky IoT Secure Gateway 1000 web interface traffic and Kaspersky Security Center 14.2 Web Console traffic.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
You can select application protocols whose traffic you want to block. Traffic processing rules will be generated according to your choices.
This list of rules applies only if emergency support mode is active. In that event, all traffic is blocked. You cannot modify these rules.
With Kaspersky IoT Secure Gateway Network Protector, you can add, edit, and delete allowlist entries, which are the IP addresses of devices whose traffic must be allowed.
The list is generated automatically from information about suspicious industrial traffic filtered with Kaspersky IoT Secure Gateway Network Protector rules. You can set up filtering rules to block traffic that uses industrial protocols. You can also delete IP addresses previously added to the IP address denylist, if required.
You can create, edit, or delete these rules for the internal and external networks.
You can create, edit, or delete these rules for the internal and external networks.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules are supplied as part of Kaspersky IoT Secure Gateway 1000. They are required for allowing outgoing traffic in response to incoming requests from an external network.
These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
These rules block all incoming traffic. They are supplied as part of Kaspersky IoT Secure Gateway 1000. These rules cannot be modified, and they are not displayed in Kaspersky Security Center 14.2 Web Console.
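Because processing stops at the first matching rule, the position of a rule in the order above decides whether it can ever fire. The following added example (not Kaspersky code) models a reduced subset of the network router order, namely emergency support mode, allowlist, denylist, user-defined rules and the final block of incoming traffic, and reports rules that an earlier rule shadows. The rule names, fields and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str                   # hypothetical label, not a product rule name
    action: str                 # "allow" or "block"
    src: str                    # source network in CIDR form
    proto: str = "any"
    port: Optional[int] = None  # None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and self.proto in ("any", pkt["proto"])
                and self.port in (None, pkt["port"]))

def build_rules(allowlist, denylist, user_rules, emergency=False):
    """Assemble a reduced rule list in the order the page describes."""
    rules = []
    if emergency:  # this list applies only while emergency support mode is active
        rules.append(Rule("emergency-block-all", "block", "0.0.0.0/0"))
    rules += [Rule(f"allowlist:{ip}", "allow", f"{ip}/32") for ip in allowlist]
    rules += [Rule(f"denylist:{ip}", "block", f"{ip}/32") for ip in denylist]
    rules += user_rules
    rules.append(Rule("default-block-incoming", "block", "0.0.0.0/0"))
    return rules

def evaluate(rules, pkt):
    """Return (action, rule name) of the first match; later rules are ignored."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "no-match"

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and e.proto in ("any", r.proto) and e.port in (None, r.port)):
                out.append(r.name)
                break
    return out

# Constructed sample data (documentation address ranges)
USER_RULES = [Rule("user-allow-https", "allow", "198.51.100.0/24", "tcp", 443),
              Rule("user-block-plc", "block", "192.0.2.10/32", "tcp", 502)]
RULES = build_rules(["192.0.2.10"], ["192.0.2.10", "192.0.2.20"], USER_RULES)
```

In this model an address present in both lists is allowed, and the user-defined block rule for the same address never fires; `shadowed(RULES)` surfaces both cases for review.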