MODBUS

General settings

Max. number of pending requests Maximum number of requests without responses in a single session. This value has to be between 1 and 512 (default value: 10).
Maximum request duration (seconds) This value is the period after which requests without responses will be deleted. This value has to be between 1 and 3600 seconds (default value: 10).

 

Support serial gateways If this option is selected, you will allow protocol scans for Modbus traffic heading to the TCP Modbus gateway to the serial port (in this case, Modbus messages will have fields containing particular values).

Allowed Unit IDs

This list shows the Unit IDs allowed. It is possible to Add or Delete elements to or from this list by clicking on the relevant buttons.

Modbus settings

Maximum message size (bytes) This value makes it possible to restrict the size allowed for a message. It has to be between 8 and 4096 (default value: 260).
Max. number of files This field allows defining the maximum number of fields allowed for "Read File Record" and "Write File Record" operations in order to protect certain vulnerable automatons beyond a defined number of files.

Managing Modbus function codes

Public operations

This list sets out the public functions allowed by default on the firewall. The buttons Modify write operations and Modify all operations allows modifying the action (Scan/Block) applied to the selected function or to all functions.

Other operations allowed

This list allows authorizing additional function codes blocked by default by the firewall. It is possible to Add or Delete elements to or from this list by clicking on the relevant buttons.

Managing Modbus addresses

In this panel, the access privileges of Modbus function codes to memory addresses on automatons can be filtered. By default, all Modbus function codes in read and write (1,2,3,4,5,6,15,16,22,23,24) are allowed to access all memory ranges on automatons (0-65535). It is possible to Add or Delete access rules to or from this list by clicking on the relevant buttons.

This added protection in the firewall therefore allows defining a Modbus profile that specifies the memory ranges on the automaton in which Modbus data can be written.

Support

Disable intrusion prevention When this option is selected, the scan of the protocol will be disabled and traffic will be authorized if the filter policy allows it.
Log each Modbus request Enables or disables the logging of requests.
Automatically detect and inspect the protocol If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.