Configuring industrial protocol traffic filtering in Web Console

You can use the Kaspersky IoT Secure Gateway Network Protector application to configure rules for blocking and filtering industrial protocol traffic. Industrial traffic filtering uses packet analysis rules and includes the following checks:

For Kaspersky IoT Secure Gateway Network Protector to work, you need to configure it first. When started without a completed configuration, Kaspersky IoT Secure Gateway 1000 enters emergency mode, as it cannot receive traffic filtering rules to ensure a secure state.

To configure traffic filtering rules for industrial protocols:

  1. Use Kaspersky Update Utility to download files with lists of supported network packet analysis rules:
    • The industrial_commands.rules file contains a list of supported command filtering rules for industrial protocols.
    • The industrial_anomalies.rules file contains a list of supported traffic anomaly detection rules for industrial protocols.

    The entire range of identifiers (sid) 9XXXXXXX is used for service purposes. Do not use these identifiers for custom rules. When using service identifiers from this range for custom rules, Kaspersky IoT Secure Gateway 1000 may switch to emergency support mode.

    For detailed information on using the utility, refer to the Kaspersky Update Utility documentation.

  2. Select from these files the rules that you want to apply to industrial protocol traffic filtering.

    Some rules contained in the industrial_commands.rules and industrial_anomalies.rules files may block business scenarios. Before using the rules from these files, we recommend that you first analyze them and select only the ones you need. As an example, you can use the rule described in step 11 of this instruction.

  3. In the main window of the Web Console, select DevicesManaged devices.
  4. Click the name of the device running Kaspersky IoT Secure Gateway 1000. If the device name is not on the list, add it to the Managed devices group.
  5. In the device properties window that opens, select the Applications tab.
  6. Press Kaspersky IoT Secure Gateway.

    This opens a window containing information about Kaspersky IoT Secure Gateway 1000.

  7. Select the Application settings tab.
  8. Select Settings of appsApplications.

    The installed apps table will be displayed.

  9. Stop Kaspersky IoT Secure Gateway Network Protector if running.

    While Kaspersky IoT Secure Gateway Network Protector is stopped, transit traffic on the device will be blocked to ensure the security of connected devices.

  10. Click the name of Kaspersky IoT Secure Gateway Network Protector.

    The Kaspersky IoT Secure Gateway Network Protector application management panel opens on the right.

  11. Provide rules for filtering industrial protocol traffic:
    • In the Rules for filtering commands in industrial protocols field, provide industrial command filtering rules from the industrial_commands.rules file.
    • In the Rules for searching anomalies in industrial protocols field, provide anomaly detection rules for industrial traffic from the industrial_anomalies.rules file.

    You can provide rules in one of the fields or in both. For Kaspersky IoT Secure Gateway Network Protector to work, define at least one configuration setting, or else Kaspersky IoT Secure Gateway 1000 will enter emergency mode after you start it, as it cannot receive traffic filtering rules to ensure a secure state.

    Rule configuration example

  12. Click Save in the lower part of the panel to save the changes.
  13. Start Kaspersky IoT Secure Gateway Network Protector.

Industrial protocol traffic will be filtered using the specified rules. If the rule is triggered, traffic that matches the rule is blocked, and the IP address where the traffic originated is added to the IP address denylist. The information that the IP address was blocked is sent to the Kaspersky IoT Secure Gateway 1000 firewall. The traffic blocking event is recorded in the audit log.

Page top