Introduction: Guardians of Industrial Network Boundary Security
With the development of Industry 4.0 and intelligent manufacturing, production networks are increasingly closely connected to office networks and the Internet, and the traditional isolation strategy can no longer meet security requirements. Industrial firewalls are the first line of defense at the network boundary, and their correct deployment and configuration directly affect the secure operation of production systems. The Hirschmann EAGLE One series industrial firewall is designed specifically for industrial automation environments. It supports transparent mode, router mode, and PPPoE mode, and has a built-in Stateful Inspection firewall, IPSec VPN, redundant routing, and multiple authentication mechanisms that can effectively isolate security-sensitive production units from external networks. Based on the official installation manual, this article systematically reviews the hardware installation, redundant power wiring, signal contact and digital input configuration, SFP fiber port selection, initial login, and basic firewall policy settings of EAGLE One, to help engineers quickly complete the on-site deployment of security equipment.
Chapter 1 Product Positioning and Model Decoding
1.1 Application scenarios of industrial firewalls
The core task of EAGLE One equipment is to establish a controlled connection between the internal trusted network (production unit) and the external untrusted network (office network, Internet or remote service access). Typical applications include:
Protecting individual production units in a flat enterprise network
Isolating critical production areas in routed networks
Securely connecting production units to office networks across public networks
Providing protected service access channels (remote maintenance)
Separating the communication of common components of machine equipment
The device has two 100 Mbps Ethernet ports (Port 1 is the internal/trusted side, and Port 2 is the external/untrusted side). Each port can be equipped with RJ45 twisted pair or multimode DSC fiber (100BASE-FX) to meet the connection requirements of different distances and environments.
1.2 Model coding rules
Product model positions 14-15 define port media (see Table 1 in the manual):
T1: RJ45 10/100M twisted pair port
M2: Multi mode fiber DSC interface (100BASE-FX)
S2: Single mode fiber DSC interface (100BASE-FX)
For example, EAGLEONE-0200M2T1 indicates that port 1 is multimode fiber and port 2 is RJ45 twisted pair.
The temperature range is defined by position 18: S = standard 0~60 °C, T or E = extended -40~70 °C. The device supports wide voltage inputs of 9.6~60V DC or 18~30V AC, and has built-in redundant power inputs to meet the diverse power supply conditions of industrial sites.
Chapter 2 Mechanical Installation and Grounding Standards
2.1 Installation method and space requirements
EAGLE One supports two installation methods:
DIN rail installation (35mm, compliant with DIN EN 60715): Hang the upper hook of the device on the rail, pull down the lock buckle and press it in, release the lock buckle to lock it. When disassembling, insert a screwdriver into the locking groove and pull it downwards while lifting the device upwards.
Wall mounted vertical installation (optional installation board, attachment 943 971-003): Fix the wall mounted board on a flat wall, and then clip the equipment into the installation board.
Mandatory heat dissipation spacing: Keep a gap of at least 10cm (4 inches) above and below the device, and at least 2cm (0.8 inches) on each side, to ensure natural convection heat dissipation. The device has a fanless design, and the surface of the housing may be hot when the ambient temperature is above 60 °C. Avoid touching it during operation.
2.2 Functional grounding
The front panel of the device is equipped with an independent grounding screw, which must be grounded before connecting any other cables. When disconnecting, the grounding wire must be removed last. The cross-sectional area of the grounding wire should be at least the same as that of the power supply wire. The shielding layer of the shielded twisted pair cable has been internally connected to the front cover plate as a grounding conductor.

Chapter 3 Power Supply and Signal Interface Connection
3.1 6-pin power/signal terminal block
The top of the device provides a 6-pin pluggable screw terminal block (torque 0.51Nm), which carries both the redundant power inputs and the signal contact:
Pin, symbol: function
Pin 1, +24V (P1): power input 1 positive pole (DC) or external conductor (AC)
Pin 2, 0V: power input 1 return line (DC) or neutral line (AC)
Pin 3, FAULT: signal contact (normally closed relay)
Pin 4, FAULT: signal contact common terminal
Pin 5, 0V: power input 2 return line
Pin 6, +24V (P2): power input 2 positive pole
Voltage range:
DC: Rated 12~48V DC, allowing 9.6~60V DC (Class 2)
AC: Rated 24V AC, allowing 18-30V AC (Class 2)
Redundant power supply: The two inputs are decoupled internally. There is no load balancing; the device automatically selects the input with the higher voltage. If only a single input is used, the device will continue to report power loss alarms, which can be resolved by suppressing the alarm in the management configuration or by connecting both inputs.
External fuse requirements (see manual page 51):
When using a single power supply, the 48V system uses a 1~2A slow fuse; 1~4A for 24V system; 1~5A for 12V system
When dual redundant power supply is used, the rated value of each fuse can be halved
3.2 Signal Contact (FAULT)
The contact is a normally closed relay that opens in case of a fault and is used for remote alarms. The triggering conditions include power loss, internal failure, port link interruption, temperature exceeding the limit, or the ACA adapter being unplugged. Electrical parameters: maximum 1A/60V DC or 30V AC (resistive load), SELV/ES1.
3.3 Digital Input (2-pin Terminal)
The front panel of the device is equipped with a 2-pin digital input terminal (torque 0.34Nm) for connecting external sensors (such as door switches and temperature alarms) to achieve remote status acquisition.
Input voltage range: -32~+32V DC
Nominal value:+24V DC
High level (state "1"):+11~+30V DC
Low level (state "0"): -0.3~+5V DC
Maximum input current: 15mA
Compliant with IEC 61131-2 Type 3 standard
Chapter 4: Network Ports and Fiber Optic Connections
4.1 Port Definition and Roles
Port 1 (internal/trusted port): Connect to the production network or device that needs protection
Port 2 (external/untrusted port): connect to external network (office network, Internet or remote access point)
The two ports are physically completely independent and carry different security zones. In the factory state, firewall rules allow internal to external traffic and prohibit external to internal traffic.
4.2 Twisted pair port (RJ45)
Support 10/100BASE-TX, Auto negotiation, Auto polarity, Auto crossover (MDI/MDI-X adaptive)
Maximum length of 100m (Cat5e)
Pin definition: MDI-X mode (1=RD+, 2=RD -, 3=TD+, 6=TD -)
4.3 Fiber port (DSC multimode)
Support 100BASE-FX, default 100M full duplex
Multimode fiber (50/125 µm or 62.5/125 µm), wavelength 1300nm
Transmission distance: 0-5km on 50 µm fiber, 0-4km on 62.5 µm fiber (including 3dB system margin)
Strict rule: Multimode fiber (MM) can only be connected to multimode fiber and is prohibited from being mixed with single-mode (SM).
Chapter 5 LED Status Diagnosis
5.1 System Status LED
LED, color and state: meaning
Power, green constantly on: dual power supply is normal
Power, yellow constantly on: only one power supply is normal
Power, off: supply voltage is too low or missing
Status, green constantly on: the device is ready and configurable
Status, red constantly on: the signal contact is open (alarm state)
Status, off: the device is starting or not ready
RR (router redundancy), green constantly on: the device is in main (master) mode
RR (router redundancy), yellow slow flashing: the device is in standby mode
ACA, green flashing: the configuration memory is being read or written
5.2 Port Status LED (L/D)
Green constantly on: Link is valid
Green flashing (3 times/cycle): The port has been disabled by management
Yellow flashing: Data transmission and reception in progress
Chapter 6 Initial Access and Basic Configuration
6.1 Factory state and IP address
Factory working mode: Transparent mode
Default IP address: 192.168.1.1/24 (HTTPS access)
Factory firewall rules: Allow internal to external traffic, prohibit external to internal traffic
6.2 First login steps
Connect the configuration computer to port 1 (internal port) of EAGLE One and set the computer IP to 192.168.1.x/24 (such as 192.168.1.10).
Enter https://192.168.1.1 in the browser (note that it is HTTPS).
The browser will show a security certificate warning; select 'Continue' or 'Accept Risk'.
Login credentials:
Username: admin
Password: private (case sensitive)
Mandatory security measures: The default password must be changed immediately after the first login. The new password should be at least 8 characters long, including uppercase and lowercase letters, numbers, and special characters. If you forget your password, you need to reset it through the System Monitor.
6.3 Alternative Configuration Methods
V.24 serial port (RJ11, 9600 bps, 8N1): Enter the CLI through a VT100 terminal; suitable for scenarios where the IP address is unknown or the network is unreachable.
HiDiscovery Protocol: Discovering devices and assigning IP addresses within the broadcast domain through HiVision or HiDiscovery tools.
ACA21 USB configuration adapter: Batch loading configuration files and firmware updates.
6.4 Introduction to Three Operating Modes
Transparent mode (factory default): The device operates as a layer 2 bridge and only forwards IP and ARP packets according to firewall rules. No need to modify existing network topology and IP subnet planning, plug and play.
Router mode: The device operates as a layer three router, with internal and external networks belonging to different subnets, providing NAT, IP Masking, 1-to-1 NAT, and port forwarding functions.
PPPoE mode: a variant of the router mode. The external port connects to the DSL modem through the PPPoE protocol, which is suitable for Internet access scenarios.

Chapter 7 Overview of VPN and Firewall Functions
7.1 Firewall Function
EAGLE One adopts Stateful Inspection technology and supports the following security features:
State based packet filtering (inbound/outbound traffic)
Transparent firewall mode
IP Masking, 1-to-1 NAT, Port Forwarding
IP spoofing protection
Modem access control
External management interface access control
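The factory policy from sections 4.1 and 6.1 (internal to external allowed, external to internal prohibited) combined with stateful inspection can be modelled as follows. This is an added illustration, not Hirschmann code or EAGLE One configuration syntax; the class, field names, sample addresses and the 60-second idle timeout are assumptions made for the example.

```python
# Toy model of stateful inspection under the factory policy described above.
# Port numbers follow the article (1 = internal/trusted, 2 = external/untrusted).
# Names, addresses and the idle timeout are hypothetical, chosen for the example.
from collections import namedtuple

Packet = namedtuple("Packet", "in_port proto src sport dst dport")
INTERNAL, EXTERNAL = 1, 2


class StatefulFilter:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (proto, src, sport, dst, dport) -> last-seen time

    def decide(self, p, now):
        # Expire idle state first so stale entries cannot admit traffic.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if p.in_port == INTERNAL:
            # Internal -> external is allowed and creates connection state.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "ACCEPT"
        # External -> internal is dropped unless the packet is a reply to a
        # flow opened from inside (same 5-tuple with the endpoints swapped).
        reply_to = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_to in self.flows:
            self.flows[reply_to] = now
            return "ACCEPT"
        return "DROP"


def run_demo():
    fw = StatefulFilter(idle_timeout=60)
    plc, office = "192.168.1.20", "192.168.1.200"  # constructed addresses
    out = Packet(INTERNAL, "tcp", plc, 40000, office, 443)
    reply = Packet(EXTERNAL, "tcp", office, 443, plc, 40000)
    unsolicited = Packet(EXTERNAL, "tcp", office, 50000, plc, 502)
    mismatch = Packet(EXTERNAL, "tcp", office, 444, plc, 40000)
    return [
        fw.decide(unsolicited, now=0),  # no state exists yet
        fw.decide(out, now=1),          # outbound packet opens the flow
        fw.decide(reply, now=2),        # matching reply is admitted
        fw.decide(mismatch, now=3),     # wrong source port, no matching flow
        fw.decide(reply, now=100),      # state idle for more than 60 s
    ]


if __name__ == "__main__":
    print(run_demo())
```

The last case shows why long-idle industrial sessions can stall behind a stateful firewall: once the state entry expires, a late reply from the external side is treated as unsolicited traffic.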
7.2 VPN Function
Multi point VPN (routing mode)
VPN protocol: IPSec
Encryption algorithms: DES-56, 3DES-168, AES-128/192/256
Authentication method: Pre shared key (PSK) or X.509v3 digital certificate
Hash algorithm: MD5, SHA-1
NAT-T traversal support
Chapter 8 Compliance with Explosion proof Zones (ATEX/IECEx)
For EAGLE One equipment (models with ATEX or UKEX labels) used in Zone 2 explosive gas environments, the following special conditions must be observed:
Temperature level T4: Standard type (S) ambient temperature 0~+60 °C; Extended type (T/E) -40~+70 °C.
Shell protection: The equipment is open and needs to be installed in cabinets with IP54 or higher.
USB interface restrictions: The USB connector is for temporary use only. Plugging or unplugging USB devices in an explosive environment is prohibited (connecting or disconnecting may cause an explosion). The USB interface may only be used in areas known to be non-hazardous.
Fault contact parameters: The relay contact is a sealed device, with a maximum switching current of 1A (resistive load) and a maximum voltage of 60V DC or 30V AC, SELV.
Grounding wire requirement: The cross-sectional area of the protective grounding wire should be at least the same as that of the power supply line.
Chapter 9 Environmental Monitoring and Maintenance
Temperature monitoring: The CLI/GUI displays the internal temperature of the device, which is about 20 °C higher than the ambient temperature (measured 5cm away from the device). If the internal temperature exceeds the threshold (extended type ≤ 90 °C, standard type ≤ 85 °C), the signal contact may trigger an alarm.
Relay maintenance: Relays are naturally worn components, and the degree of wear depends on the switching frequency. The resistance of the closed contacts should be checked regularly.
Firmware updates: Regularly visit Hirschmann's official website to check for software updates, obtain new features, and security patches.
Ventilation inspection: Regularly check whether the ventilation holes are blocked according to the degree of pollution on site.
Chapter 10 Disassembly and Disposal
Dismantling sequence (strictly follow):
Disconnect all data cables
Turn off the power supply voltage
Disconnect the signal terminal and digital input terminal
Finally disconnect the grounding wire (the grounding wire must be removed last)
DIN rail disassembly: Insert a screwdriver horizontally into the locking groove, pull down, and lift the bottom of the device outward away from the rail.
