
FactoryTalk Policy Manager

Getting Results Guide

Rockwell Automation Publication FTALK-GR001C-EN-E, June 2022


Supersedes Publication FTALK-GR001B-EN-E, May 2021

User Manual Original Instructions


FactoryTalk Policy Manager Getting Results Guide

Important User Information


Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to
personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss.
Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.


SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous
temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash
will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and
for Personal Protective Equipment (PPE).

Rockwell Automation recognizes that some of the terms that are currently used in our industry and in this publication are not in
alignment with the movement toward inclusive language in technology. We are proactively collaborating with industry peers to
find alternatives to such terms and making changes to our products and content. Please excuse the use of such terms in our
content while we implement these changes.



Table of Contents

Preface
About this publication ................................................................................. 7


Intended audience ....................................................................................... 7
Legal Notices ................................................................................................ 7
Additional information ............................................................................... 8

Chapter 1
Getting started
FactoryTalk Policy Manager ....................................................................... 11
FactoryTalk System Services ................................................................ 11
CIP Security .......................................................................................... 12
Install FactoryTalk System Services and FactoryTalk Policy Manager .. 13
Start FactoryTalk System Services ............................................................ 14
Log on to FactoryTalk Policy Manager...................................................... 14
Read-only mode.................................................................................... 15
Security Groups .................................................................................... 15
Navigate FactoryTalk Policy Manager ...................................................... 17
Context menu ....................................................................................... 17
Filter table data.................................................................................... 20
Multiple row selection in tables .......................................................... 21
Keyboard use ....................................................................................... 22
Policy management capabilities............................................................... 24
CIP Bridging Control .......................................................................... 25
CIP Bridging Control operation .................................................. 25
CIP bridging settings hierarchy .................................................. 26
Automatic Policy Deployment............................................................ 28
Automatic Policy Deployment operation .................................... 28
Automatic Policy Deployment notifications................................ 33
Security Eventing ................................................................................. 37
FactoryTalk Policy Manager Global Settings............................................ 37
FactoryTalk Policy Manager component considerations ....................... 40
FactoryTalk Policy Manager planning ...................................................... 41
Authentication methods ........................................................................... 42
Auditing ...................................................................................................... 43

Chapter 2
Configure a security policy model
Zones ........................................................................................................... 45
Add a zone............................................................................................. 45
Edit zone properties............................................................................. 46
Delete a zone........................................................................................ 46
Zone properties ....................................................................................47
Conduits ..................................................................................................... 49
Add a conduit....................................................................................... 50


Edit conduit properties ....................................................................... 51


Delete a conduit .................................................................................. 52
Conduit properties .............................................................................. 52
Discovery ..................................................................................................... 53
Discovery pane ..................................................................................... 53
Discover devices ...................................................................................54
Navigate the Discovery pane ............................................................... 55
Perform a search from the Discovery pane ........................................ 55
Add drivers from the Discovery pane .................................................56
Configure Settings from the Discovery pane ................................... 58
Devices ....................................................................................................... 58
CIP Proxy devices .................................................................................59
Add a device to a zone ......................................................................... 60
Add a device to the device table........................................................... 61
Ports ..................................................................................................... 62
Add a port ...................................................................................... 62
Configure port properties .............................................................63
Port properties .............................................................................. 64
Edit device properties ......................................................................... 66
Delete a deployed device ..................................................................... 66
Device properties .................................................................................67
Replace a device ................................................................................... 68
Remove the security policy from a device ......................................... 69
Ranges ........................................................................................................ 69
Add a range .......................................................................................... 70
Range properties ................................................................................. 70
Canvas ......................................................................................................... 71
Navigate Canvas .................................................................................. 72
Search Canvas ...................................................................................... 73
Graphical Explorer pane ...................................................................... 73
Navigate the Graphical Explorer pane ......................................... 73
Filter the security model tree ........................................................74
Move a device........................................................................................74

Chapter 3
Deploy a security policy model
Deployment ................................................................................................ 77
Deploy a security model ............................................................................ 77
Deployment options ...................................................................................79
Deployment results ................................................................................... 80
Deployment errors .............................................................................. 80
Deployment warnings ........................................................................ 83
Reload a security model ............................................................................ 84


Chapter 4
Backup and restore
Backup and restore security models ........................................................ 85
Backup FactoryTalk System Services ....................................................... 85
Restore FactoryTalk System Services....................................................... 86



Preface

About this publication
This Getting Results Guide provides information on installing and using
FactoryTalk® System Services and FactoryTalk Policy Manager.
Review this section for information about:
• Intended audience
• Where to find additional information
• Legal notices
Rockwell Automation recognizes that some of the terms that are currently
used in our industry and in this publication are not in alignment with the
movement toward inclusive language in technology. We are proactively
collaborating with industry peers to find alternatives to such terms and
making changes to our products and content. Please excuse the use of such
terms in our content while we implement these changes.

Intended audience
This guide is intended for the system administrator and assumes familiarity
with:
• Microsoft® Windows® operating systems
• FactoryTalk Linx
• FactoryTalk Services Platform
• Allen-Bradley® programmable logic controllers (PLCs) and
programmable automation controllers (PACs)
• Rockwell Automation control system development software
Legal Notices
Rockwell Automation publishes legal notices, such as privacy policies, license
agreements, trademark disclosures, and other terms and conditions on the
Legal Notices page of the Rockwell Automation website.

End User License Agreement (EULA)


You can view the Rockwell Automation End User License Agreement (EULA)
by opening the license.rtf file located in your product installation folder on
your hard drive.
The default location of this file is:
C:\Program Files (x86)\Common Files\Rockwell\license.rtf

Open Source Software Licenses


The software included in these products contains copyrighted software that is
licensed under one or more open source licenses.
You can view a full list of all open source software used in these products and
their corresponding licenses by opening the oss_licenses.txt files located in
your products' OPENSOURCE folders on your hard drive. These files are
divided into these sections:
• Components
Includes the name of the open source component, its version number,
and the type of license.
• Copyright Text
Includes the name of the open source component, its version number,
and the copyright declaration.
• Licenses
Includes the name of the license, the list of open source components
citing the license, and the terms of the license.
The default locations of these files are:
C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk
Policy Manager\ReleaseNotes\OPENSOURCE\oss_licenses.txt
C:\Program Files (x86)\Common Files\Rockwell\Help\FactoryTalk
System Services\ReleaseNotes\OPENSOURCE\oss_licenses.txt
You may obtain the Corresponding Source code for open source packages
included in these products from their respective project web sites.
Alternatively, you may obtain complete Corresponding Source code by
contacting Rockwell Automation via the Contact form on the Rockwell
Automation website:
http://www.rockwellautomation.com/global/about-us/contact/contact.page.
Please include "Open Source" as part of the request text.

Additional information
For additional information about security policy, consult the following
resources:

System Security Design Guidelines
Provides guidance in these areas:
• System security
• Networks and communications security
• Control system hardening
• User access management
• Control system monitoring
• Device disposal
Download from the Rockwell Automation Literature Library, System
Security Design Guidelines (publication SECURE-RM001).

Online help
The Help includes overview, procedural, screen, and reference information
for the product. The Help contains these basic components:
• Concepts
• Procedures
• Properties referenced
To view context-sensitive help in FactoryTalk Policy Manager, select the
Help [?] icon.

Release Notes
The Release Notes contain this information:
• System requirements
• System features
• Anomalies
• Functional changes
• Application notes
Release notes can be downloaded from the Product Compatibility and
Download Center (http://www.rockwellautomation.com/compatibility/#/scenarios)
or opened from FactoryTalk Policy Manager by selecting the Release Notes
link under the Help [?] icon on the main menu.

Rockwell Automation Knowledgebase
The Rockwell Automation Customer Support Center offers an extensive
online database that includes frequently asked questions and the latest
patches. The Knowledgebase web page leads to a comprehensive, searchable
database of support information for all Rockwell Automation products.
To access the Knowledgebase web page, visit
http://www.rockwellautomation.com/support, then select Knowledgebase
Support Center.

Rockwell Automation Technical Support
Questions concerning installation and use of FactoryTalk Policy Manager
software are handled by the Rockwell Automation Customer Support Center.
The center is staffed Monday through Friday, except on U.S. holidays, from
8 a.m. to 5 p.m. Eastern time for calls originating within the U.S. and
Canada.
To reach the Customer Support Center, call 440-646-3434 and follow the
prompts. For calls originating outside the U.S. or Canada, locate the number
in your country by visiting
http://support.rockwellautomation.com/contact information.
When you call, you should be at your computer and be prepared to provide
the following information:
• The product version number
• The type of hardware you are using
• The exact wording of any errors or messages that appeared on your
screen
• A description of what happened and what you were doing when the
problem occurred
• A description of how you tried to solve the problem

Training
Rockwell Automation offers a wide range of training programs, from
regularly scheduled classes to custom-tailored classes conducted at your
site.
If you need more information about these training programs, visit the
Rockwell Automation site or contact the Rockwell Automation Training
Coordinator. The web site address and telephone numbers are available at
the bottom of the back cover.

Consulting
Rockwell Automation provides expert consulting and turnkey
implementations for making optimal use of Rockwell Automation software
products. Please contact your local representative for more information.



Chapter 1

Getting started

FactoryTalk Policy Manager
Use FactoryTalk® Policy Manager to configure, deploy, and view the system
communication security policies.
FactoryTalk Policy Manager divides the system security policy into different
components.
Use these components to design security models that control the permissions
and usage of devices within the system.
• Zones - groups of devices
• Devices - computers, controllers, modules, HMI panels, and drives
• Conduits - communication routes between components
FactoryTalk Policy Manager depends on FactoryTalk System Services for
certificate services, policy deployment, and authentication.

See also
FactoryTalk System Services on page 11
CIP Security on page 12

FactoryTalk System Services
FactoryTalk System Services provides the policy authority, certificate
authority, identity services, and deployment services required to enforce
security policies configured using FactoryTalk Policy Manager that are based
on the ODVA™ CIP Security™ standard.
FactoryTalk System Services uses CouchDB for the creation and maintenance
of the policy databases. When FactoryTalk System Services is installed, it will
automatically install CouchDB, add and configure the required administrative
user and controls, and create the policy databases. If CouchDB is already
present on the computer, it will configure the administrative controls as
needed to help ensure system security.
IMPORTANT FactoryTalk System Services is dependent upon database services. Database services
can take up to 2 minutes to start after the computer is restarted. During that time,
FactoryTalk Policy Manager will be unable to connect to FactoryTalk System Services.

FactoryTalk Policy Manager uses these FactoryTalk System Services:
• Authentication Service
Authenticates users and validates user resource requests. Validates user
credentials against the FactoryTalk Directory and FactoryTalk security
policy settings to obtain the privileges associated with the user.
• Certificate Service
Issues and manages X.509v3 certificates for use within the FactoryTalk
system.
• Deployment Service
Translates the security policy model defined using FactoryTalk Policy
Manager to CIP™ configurations that are delivered to endpoints.
• Diagnostics Service
Makes FactoryTalk audit and diagnostic logs available as a web service.
• Policy Service
Used to build and manage CIP network trust models and define
security policy for the CIP endpoints.
• Differential deployment
Enables deployment of changes in the security policy model only to the
affected devices, instead of deploying the model to all devices.
• Support for CIP Security Proxy devices
Uses proxy devices to secure communications to and from devices that
do not have CIP Security capabilities.
• Backup and restore
Used to preserve and restore the security policy models in case of a
system failure.
• Security eventing
Sends eventing configuration to devices and stores events from
FactoryTalk Policy Manager and FactoryTalk System Services as Syslog
messages.
• DTLS timeout
Configures the devices to close their DTLS sessions after a specified
period of inactivity.

See also
CIP Security on page 12

CIP Security
CIP Security helps protect an EtherNet/IP connected device from malicious
communications by:
• Applying authentication rules and rejecting messages sent by
untrusted people or untrusted devices
• Verifying that data has not been altered during transmission and
rejecting data that fails the integrity check
• Helping to prevent access to the EtherNet/IP data by unauthorized
parties for additional confidentiality
Creating and deploying a security model with FactoryTalk Policy Manager
supports these core security properties.

Device Identity: X.509v3 digital certificates provide cryptographically
secure identities to devices.
Device Authentication: The Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) cryptographic protocols provide secure
transport of EtherNet/IP traffic.
Data Integrity: Hashes or keyed-hash message authentication codes (HMAC)
provide data integrity and message authenticity to EtherNet/IP traffic.
Data Confidentiality: Data encryption helps prevent access to the
EtherNet/IP data by unauthorized parties.

CIP Security features work with these Rockwell Automation products:


• FactoryTalk Linx version 6.11 or later
• ControlLogix® 5580 Controllers version 32.00 or later
• 1756-EN4TR ControlLogix Module
• Kinetix® 5300 Drives
• Kinetix 5700 Drives
• PowerFlex® 755T
• 1783-CSP CIP Security Proxy
• CompactLogix™ 5380 Controllers version 34.00 or later
• Compact GuardLogix® 5380 Controllers version 34.00 or later
• GuardLogix® 5580 Controllers version 34.00 or later

See also
FactoryTalk System Services on page 11

Install FactoryTalk System Services and FactoryTalk Policy Manager
FactoryTalk System Services and FactoryTalk Policy Manager enable you to
manage CIP Security.
IMPORTANT
• FactoryTalk Policy Manager is dependent upon FactoryTalk System Services and
both components must be installed together on the network directory server.
• The FactoryTalk Policy Manager installation agent opens these Windows Firewall
ports: UDP 5353 and TCP 40014. To operate correctly, the Automatic Policy
Deployment functionality requires these ports to be open.

To install FactoryTalk System Services and FactoryTalk Policy Manager
1. Run the FactoryTalk Policy Manager installer.
2. Follow the steps of the installation wizard.
3. (optional) To add or remove the components that you want to install,
select Customize.
4. Select Install.
5. Read and agree to the EULA.

6. Complete the installation.
7. Restart the machine.
8. If you want to use the Automatic Policy Deployment functionality and
the machine has multiple network interfaces, see Specify the network
interface for the EST service on page 32.
9. If you do not want to use the Automatic Policy Deployment
functionality:
a. Open FactoryTalk Policy Manager, select Global Settings and clear the
Enable automatic device discovery and onboarding checkbox.
b. Manually close the UDP 5353 and TCP 40014 ports on the
machine.
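As an added example (not part of the Rockwell guide), the following PowerShell script audits the Windows Firewall on the FactoryTalk System Services host for enabled inbound Allow rules that expose the Automatic Policy Deployment ports named above (UDP 5353 and TCP 40014) and, only when run with -Disable, disables the rules that specifically open those ports, which is one way to carry out step 9b. Rule names are discovered from the firewall rather than assumed, and rules that allow every port are reported for review rather than disabled.

```powershell
# Added example, not part of the Rockwell guide. Run in an elevated PowerShell
# session on the computer where FactoryTalk System Services is installed.
# Without -Disable the script only reports; with -Disable it disables the
# inbound rules that specifically open UDP 5353 or TCP 40014.
param(
    [switch]$Disable
)

# The two ports the FactoryTalk Policy Manager installation agent opens for
# Automatic Policy Deployment (taken from the guide).
$apdPorts = @(
    @{ Protocol = 'UDP'; Port = '5353'  },
    @{ Protocol = 'TCP'; Port = '40014' }
)

function Get-ApdPortExposure {
    # Returns one record per enabled inbound Allow rule that covers an APD port.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        foreach ($p in $apdPorts) {
            if ($filter.Protocol -ne $p.Protocol) { continue }
            $ports    = @($filter.LocalPort)          # may be a single value or a list
            $specific = $ports -contains $p.Port
            $wildcard = $ports -contains 'Any'
            if (-not ($specific -or $wildcard)) { continue }
            # A rule that allows every port is not disabled here: it almost
            # certainly serves other software and needs a human decision.
            $action = if ($specific) { 'Disable' } else { 'ReviewOnly' }
            [pscustomobject]@{
                RuleName    = $rule.Name
                DisplayName = $rule.DisplayName
                Protocol    = $p.Protocol
                ApdPort     = $p.Port
                LocalPort   = ($ports -join ',')
                Action      = $action
            }
        }
    }
}

$exposure = @(Get-ApdPortExposure)
if ($exposure.Count -eq 0) {
    Write-Output 'No enabled inbound Allow rule exposes UDP 5353 or TCP 40014.'
    return
}
$exposure | Format-Table RuleName, DisplayName, Protocol, ApdPort, LocalPort, Action -AutoSize

if ($Disable) {
    $exposure | Where-Object Action -eq 'Disable' |
        Select-Object -ExpandProperty RuleName -Unique |
        ForEach-Object {
            Disable-NetFirewallRule -Name $_
            Write-Output "Disabled firewall rule '$_'."
        }
}
```

Run it once without -Disable after installation to confirm which rules the installer created, and again after disabling them to confirm that nothing else still exposes the two ports.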

See also
Start FactoryTalk System Services on page 14

Start FactoryTalk System Services
After installation, FactoryTalk System Services starts automatically after a
delay of a few minutes. Some situations may require manually starting the
services.

To start the service
1. Go to the Windows Services snap-in (services.msc).
2. In the services list, scroll down to the FactoryTalk System Services
item.
3. Right-click FactoryTalk System Services and select Start.

See also
Log on to FactoryTalk Policy Manager on page 14

Log on to FactoryTalk Policy Manager
Logging on to FactoryTalk Policy Manager checks the credentials of your user
account to determine the access to resources and the ability to make changes
to security policy.

To log on to FactoryTalk Policy Manager
1. Open FactoryTalk Policy Manager.
The FactoryTalk Log On window opens.
2. In Username, type your FactoryTalk user name.
3. In Password, type your password.
4. Select Show password to display the password you typed. Not
recommended if others can easily view your workstation.

5. Select LOG ON.
IMPORTANT FactoryTalk Policy Manager must be able to connect to FactoryTalk System
Services to log in successfully.
If FactoryTalk System Services is not running, the error message FactoryTalk
System Services Cannot Be Reached displays when you try to log in.
Select EXIT POLICY MANAGER to close the error message.
To resolve this error, attempt to start FactoryTalk System Services.
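As an added example (not part of the Rockwell guide), this PowerShell snippet scripts the recovery described above: it starts FactoryTalk System Services if it is stopped and waits for it to reach Running, allowing for the database services that can take up to 2 minutes to start after a restart, before you attempt to log on again. It assumes the service carries the display name shown in the Services snap-in.

```powershell
# Added example, not part of the Rockwell guide. Run in an elevated PowerShell
# session on the FactoryTalk System Services host.
# Assumption: the service appears in services.msc under this display name.
$displayName = 'FactoryTalk System Services'
# The guide states database services can take up to 2 minutes to start after
# a restart; allow that plus a margin before declaring a failure.
$timeout = New-TimeSpan -Minutes 3

$svc = Get-Service -DisplayName $displayName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Output "$displayName is $($svc.Status); starting it."
    Start-Service -InputObject $svc
}

try {
    # Blocks until the service reports Running or the timeout elapses.
    $svc.WaitForStatus('Running', $timeout)
    Write-Output "$displayName is running; FactoryTalk Policy Manager can connect now."
} catch [System.ServiceProcess.TimeoutException] {
    Write-Warning "$displayName did not reach Running within $($timeout.TotalMinutes) minutes."
    Write-Warning 'Check the Windows event log and the CouchDB database services before retrying.'
}
```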

See also
Start FactoryTalk System Services on page 14

Read-only mode
Read-only mode prevents modification of the security policy model. Policy
deployment and device replacement can be separated from policy creation,
which is useful if your organization has adopted role-based policy control.
If your account is a member of the Engineer or Maintenance group when you
log in to FactoryTalk Policy Manager, a message appears under Login/Logout
on the main toolbar informing you that you are in read-only mode. The title
bar displays "[Read only]" in addition to the application name. In this
situation, the FactoryTalk Policy Manager user interface shows only the
accessible functions.
When in read-only mode you can:
• View the security policy model, including the configuration of zones,
devices, and conduits.
• View global settings.
• Display the Error pane.
• Display the Results pane.
• Deploy the security policy model.
• Replace a device.

See also
Security Groups on page 15

Security Groups
FactoryTalk Services Platform includes these built-in security groups that are
used to define rights and privileges for users.
FactoryTalk Policy Manager users can be granted the following rights:

Right: View
Groups: Administrator, Engineers, Maintenance
Permissions:
• All security policy artifacts and global settings are read-only.
• Login/Logout is active on the main toolbar.
• Help is active on the main toolbar.

Right: Edit
Groups: Administrator
Permissions:
• All security policy items and global settings can be modified.
• Zones can be added, edited or deleted.
• Conduits can be added, edited or deleted.
• Devices can be added, discovered, edited or deleted.
• Ethernet ports can be added and configured.
• Trusted IP ranges can be added and configured.
• Security policy models can be deployed.
• All controls are active.

Right: Deploy
Groups: Administrator, Engineers, Maintenance
Permissions:
• The security policy can be deployed to devices.
• Devices can be replaced in the security model.
• Security policy items and global settings are read-only.
• Deploy is active on the main toolbar.
• Replace Device is active on the zone toolbar.
• Replace Device is active on the device toolbar.

The controls available in FactoryTalk Policy Manager reflect the user rights
granted to the logged in user account.
Tip: If you are logged on using an Administrator account but FactoryTalk Policy Manager is only
permitting viewing of devices, zones, and conduits, verify that the FactoryTalk Directory services
are running and that the computer is connected to the FactoryTalk Directory.

See also
Read-only mode on page 15
Devices on page 58
Deployment on page 77

Navigate FactoryTalk Policy Manager
FactoryTalk Policy Manager displays different configurable items in the
security policy model. The FactoryTalk Policy Manager title bar displays the
status of the model being configured. "Saved" models are local to the
FactoryTalk Policy Manager database. Once the models are deployed, the
status is not shown. If you change a deployed model, the "Saved" status
displays again until the changes are deployed.

The following table provides a reference to the items in the display:


Item Name Description
Navigation bar Use to move between different components and views of the security model and to access Global Settings.
Main menu bar Use to deploy the security model, to log on to or log off from FactoryTalk, and to access Help and Release Notes.
Configuration bar Use to edit the properties of existing components or to discover devices to add to the security model.
Zones list Displays all zones configured in the model. Select a zone to edit the devices in the zone. Use the Zones list to quickly
edit zone properties or delete zones.
Content pane Displays zones, conduits, and devices in the form of a table or canvas.
Contains a toolbar with the actions available for the zones, conduits, and devices. If the FactoryTalk Policy Manager
window is not wide enough to fit all actions, you can view the hidden actions by selecting the More actions icon
(vertical ellipsis).
Tip: In the table and on the canvas, you can configure zones, conduits, and devices by selecting the item and using
the Properties pane. In the table, you can also select the item to edit the item settings directly.
Errors pane Displays the errors, warnings, and information messages received from model validation and FactoryTalk System
Services when the model is deployed. Errors can be filtered and sorted by message, type, and component.
Results pane Displays the results of the Automatic Policy Deployment process or the last manual policy model deployment.
You can save the results to a file for archival purposes.
Status bar Displays the connection status to FactoryTalk System Services. Use the page icon to toggle the display of the
deployment results and error pane.

See also
FactoryTalk Policy Manager Global Settings on page 37

Context menu

Use the context menu to perform operations on the zones list, or on a row in
a FactoryTalk Policy Manager table.
• To open the context menu in a table, right-click the first column of a
row.
• To open the menu in the Discovery table, right-click an element of the
topology.

Zones list
You can open the context menu for each zone on the list.
Command Description
View Properties Opens the properties of the selected zone.
Copy Copies the properties of the selected zone.
Paste Creates a zone with the same properties as the last
copied zone. The new zone has the same name as the
original and adds a number in parentheses.
The conduits and devices do not transfer from the
original zone.
Delete Deletes the selected zone.

Overview table in Zones


Command Description
Copy Copies the properties of the selected zone.
Paste Creates a zone with the same properties as the copied
zone. The new zone has the same name as the original
and adds a number in parentheses.
The conduits and devices do not transfer from the
original zone.
Go to Zone Opens the device table of the selected zone.
Delete Deletes the selected zone.

Device table in Zones


Command Description
Device Properties Displays the properties pane of the device
Port Properties Displays the Port Properties of the selected device.
Cut Removes the device from the selected zone. You can
Paste this device to a different zone.
Copy Copies the properties of the selected device.
Paste • If you used Cut: Pastes the cut device to the selected
zone.
• If you used Copy: Creates a device with the same
properties as the copied device. The new device has
the same name as the original and adds a number in
parentheses.
Replace Device Opens the Deploy Configuration to Replace Device
window.
This command is active only if the device was already
deployed.
Delete Deletes the selected device.

Conduits table
Command Description
View Properties Opens the properties pane of the selected conduit.
Copy Copies the properties of the selected conduit.
Paste Creates a conduit with the same properties as the copied
conduit. The new conduit has the same name as the
original and adds a number in parentheses.
To complete the process, select endpoints for the new
conduit.
If one of the endpoints is not compatible with the CIP
Security standard, the CIP Security Communication
properties are not copied.
Delete Deletes the selected conduit.

Device table
Command Description
Device Properties Displays the properties pane of the device
Port Properties Displays the port properties of the selected device.
Cut Removes the device from the selected zone. You can
Paste this device to a different zone.
Copy Copies the properties of the selected device.
Paste • If you used Cut: Pastes the cut device to the selected
zone.
• If you used Copy: Creates a device with the same
properties as the copied device. The new device has
the same name as the original and adds a number in
parentheses.
Go to Zone Opens the device table of the zone to which the selected device
is assigned.
Replace Device Opens the Deploy Configuration to Replace Device
window.
This command is active only if the device was already
deployed.
Delete Deletes the selected device.

Discovery pane
The commands available in this menu depend on the selected item in the
topology.
Command Description
Add Adds new devices to the selected zone.
Add Anchor Anchors a topology node to the root so that it can be
easily accessed without browsing the topology tree.
Driver Configuration Opens Configure Driver properties window.
View Property Opens a list of all properties of the selected device.
Refresh Refreshes the network topology.
Delete Deletes the item from the topology.

See also
Add a zone on page 45
Add a conduit on page 50
Discovery pane on page 53

Filter table data

Use the filter function in tables and lists to search for a particular object or to
display only the objects that fit the chosen criteria.
When using filters, be aware of these functional details:
• Filter text can contain alphanumeric characters and can be full words,
compound expressions, fragments of a word, or a single letter or
number.
• Clear the search text to return to the default view of the table or
window.
• Filter includes predefined search categories.

To perform a search using Filter


1. In Filter, type a keyword. Search text can contain alphanumeric
characters and can be full words, compound expressions, fragments
of a word, or a single letter or number.
Tip: To find an exact match to the keyword, enclose the keyword in quotation marks.

The filter function examines the text and presents all items that match
the search criteria.
2. (optional) Select a filter category by clicking the filter icon to narrow
the search results to keywords associated with the selected table
column or item parameter.
3. (optional) Use operators between keywords to refine the search results
using a logical statement:
• AND to search for two or more keywords.
• OR to search for several keywords.
Tip: An example of using operators between keywords to refine search results is
Device: 1756-L OR Device: 1768-L
This search locates both ControlLogix and CompactLogix controllers.
4. The table or window displays results within a few seconds, regardless
of pressing Enter.
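The following is an added example that evaluates filter expressions of the kind described in the steps above over a small device table. It is not FactoryTalk Policy Manager code: the sample rows are constructed, and the left-to-right evaluation of AND/OR without operator precedence, the case-insensitive substring matching, and the "Category: keyword" form for a filter category are assumptions about the filter semantics.

```python
"""Evaluate filter expressions such as 'Device: 1756-L OR Device: 1768-L'.

Added example, not FactoryTalk Policy Manager code. Rows are constructed;
AND/OR are evaluated left to right without precedence (assumption).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rows standing in for a Device table.
ROWS: List[Dict[str, str]] = [
    {"Device": "1756-L85E", "Zone": "Line 1", "IP Address": "192.168.1.10"},
    {"Device": "1768-L43", "Zone": "Line 1", "IP Address": "192.168.1.11"},
    {"Device": "1756-EN4TR", "Zone": "Line 2", "IP Address": "192.168.1.12"},
]

_OPERATOR = re.compile(r"\s+(AND|OR)\s+")


def parse_term(term: str) -> Tuple[Optional[str], str, bool]:
    """Return (category, keyword, exact).

    'Device: 1756-L' limits the search to the Device column; a bare keyword
    searches every column. A keyword in quotation marks must match exactly.
    """
    category = None
    keyword = term.strip()
    head, sep, tail = keyword.partition(":")
    if sep and not head.startswith('"'):
        category, keyword = head.strip(), tail.strip()
    exact = len(keyword) >= 2 and keyword.startswith('"') and keyword.endswith('"')
    if exact:
        keyword = keyword[1:-1]
    return category, keyword, exact


def term_matches(term: str, row: Dict[str, str]) -> bool:
    """Match one keyword (optionally restricted to a category) against a row."""
    category, keyword, exact = parse_term(term)
    if category is not None and category not in row:
        return False  # an unknown filter category matches nothing
    values = [row[category]] if category else list(row.values())
    if exact:
        return any(v == keyword for v in values)
    return any(keyword.lower() in v.lower() for v in values)


def evaluate(expression: str, row: Dict[str, str]) -> bool:
    """Evaluate 'term (AND|OR term)*' left to right."""
    parts = _OPERATOR.split(expression.strip())
    result = term_matches(parts[0], row)
    for op, term in zip(parts[1::2], parts[2::2]):
        matched = term_matches(term, row)
        result = (result and matched) if op == "AND" else (result or matched)
    return result


def filter_rows(expression: str, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows that satisfy the expression; an empty expression restores the full table."""
    if not expression.strip():
        return list(rows)
    return [row for row in rows if evaluate(expression, row)]


if __name__ == "__main__":
    for row in filter_rows("Device: 1756-L OR Device: 1768-L", ROWS):
        print(row["Device"])
```

With the sample rows, the expression from the tip above returns the 1756-L85E and 1768-L43 rows and leaves out the 1756-EN4TR module, while the quoted form 'Device: "1756-L"' returns nothing because no device name is exactly 1756-L.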

See also
Perform a search from the Discovery pane on page 55

Multiple row selection in tables

Select multiple rows in a table to perform actions on multiple items.
To select a row, select a cell in the first column of a row. This cell is called the
reference cell.
Use these methods to select multiple rows:
Key Description
Ctrl + mouse button Adds the row to the current selection.
Shift + Up arrow key Continues selection upward. If the selection moves over a
previously selected row, it deselects that row.
Shift + Down arrow key Continues selection downward. If the selection moves
over a previously selected row, it deselects that row.
Shift + mouse button Selects all rows between the previously selected row and
the last selected row.

You can perform these actions on a multiple-row selection:


• View Properties common to all selected items.
• Change the common properties of all selected items.
• Delete selected items.
• Copy selected items.
• Cut selected items.

Selecting multiple rows changes the properties pane:
• Adds SHARED to the pane title, for example: SHARED PORT
PROPERTIES.
• Displays only the properties common among the selected items. These
properties are editable even if no value is displayed.
• Displays only the values that are identical across all selected items.
• Checkboxes display a hyphen [-] when only some items have a property
selected.

See also
Zones on page 45
Conduits on page 49
Devices on page 58

Keyboard use

The following tables contain the description of keyboard keys and their
combinations in different user interface elements.

Reference cell in a table


Key Description
Ctrl + mouse button Adds the row to the current selection
Shift + Up arrow key Continues selection upward. If the selection moves over a
previously selected row, it deselects that row.
Shift + Down arrow key Continues selection downward. If the selection moves
over a previously selected row, it deselects that row.
Shift + mouse button Selects all rows between the previously selected row and
the last selected row.

Text cell in a table


Key Description
Esc Discards all changes, the cell remains selected.
F2 Submits changes.
Tab Submits changes and moves to the next cell. Used on the
last cell in the row moves to the first cell of the next row.
Shift + Tab Submits changes and moves to the previous cell. Used on
the first cell in the row moves to the last cell of the
previous row.
Enter Submits changes and moves to the cell below.
Shift + Enter Submits changes and moves to the cell above.
Shift + Up arrow Selects all characters to the left of the cursor. If moved
over previously selected characters, deselects the
characters.
Shift + Down arrow Selects all characters to the right of the cursor. If moved
over previously selected characters, deselects the
characters.
Shift + Left arrow Selects a character to the left of the cursor. If moved over
previously selected characters, deselects the characters.
Shift + Right arrow Selects a character to the right of the cursor. If moved
over previously selected characters, deselects the
characters.
Ctrl + Up arrow Moves cursor to the first character.
Ctrl + Down arrow Moves cursor to the last character.
Ctrl + Left arrow Moves cursor to the first character.
Ctrl + Right arrow Moves cursor to the last character.
Page Up Discards all changes, moves up 10 cells.
Page Down Discards all changes, moves down 10 cells.

Drop-down list
Key Description
Esc Discards all changes, the cell remains selected.
F2 Submits changes, displays the list.
Tab Submits changes and moves to the next cell. Used on the
last cell in the row moves to the first cell of the next row.
Shift + Tab Submits changes and moves to the previous cell. Used on
the first cell in the row moves to the last cell of the
previous row.
Space Submits changes, the cell remains selected.
Enter Submits changes and moves to the cell below.
Shift + Enter Submits changes and moves to the cell above.
Page Up Discards all changes, moves up 10 cells.
Page Down Discards all changes, moves down 10 cells.

Popup window
Key Description
Esc Discards all changes, the cell remains selected.
F2 Submits changes.
Tab Submits changes and moves to the next cell. Used on the
last cell in the row moves to the first cell of the next row.
Shift + Tab Submits changes and moves to the previous cell. Used on
the first cell in the row moves to the last cell of the
previous row.
Enter Submits changes and moves to the cell below.
Shift + Enter Submits changes and moves to the cell above.
Ctrl + Up arrow Moves cursor to the first character.
Ctrl + Down arrow Moves cursor to the last character.
Ctrl + Left arrow Moves cursor to the first character.
Ctrl + Right arrow Moves cursor to the last character.
Page Up Discards all changes, moves up 10 cells.
Page Down Discards all changes, moves down 10 cells.

Description field
Key Description
Esc Discards all changes, the cell remains selected.
F2 Submits changes.
Tab Moves focus to the next field or interface element.
Shift + Tab Moves focus to the previous field or interface element.
Enter Submits changes and moves to the field below.
Shift + Enter Breaks the line inside the field.

Filter field
Key Description
Esc Cancels filtering, deletes all characters from the field.
Tab Moves focus to the next field or interface element.
Shift + Tab Moves focus to the previous field or interface element.
Enter Starts the search.
Ctrl + Up arrow Moves cursor to the first character.
Ctrl + Down arrow Moves cursor to the last character.
Ctrl + Left arrow Moves cursor to the first character.
Ctrl + Right arrow Moves cursor to the last character.

See also
Navigate FactoryTalk Policy Manager on page 17
Multiple row selection in tables on page 21

Policy management capabilities

FactoryTalk Policy Manager enables you to configure and manage industrial
control system policies from various domains, including: security,
communication, and eventing.

See also
CIP Bridging Control on page 25
Automatic Policy Deployment on page 28
Security Eventing on page 37

CIP Bridging Control

CIP Bridging Control enables you to control the traffic flow between physical
communication interfaces and backplanes.
Devices within an Industrial Control System (ICS) may involve multiple
network interfaces. The use of Common Industrial Protocol (CIP) on the
backplanes and communication ports of Rockwell Automation devices can
facilitate physical network segmentation. For EtherNet/IP interfaces, you can
provide data bridging between two separate physical Ethernet networks by
using CIP.
The CIP Security communication modules and embedded EtherNet/IP
interfaces can analyze and then allow or deny network traffic according to
device-specific policies. You can use CIP Bridging Control to help prevent
unintended data flows from occurring, especially data flows originating from
unsecured parts of the system to secure parts of the system.
The following device families support CIP Bridging Control:
• CompactLogix 5380
• ControlLogix 5580
• ControlLogix 1756 EN4TR

See also
Policy management capabilities on page 24
CIP Bridging Control operation on page 25
CIP bridging settings hierarchy on page 26

CIP Bridging Control operation

In FactoryTalk Policy Manager, you can configure endpoint-specific rules for
bridging between:
• EtherNet/IP interface and backplane
• USB interface and backplane
Due to the architectural differences between devices, endpoint-specific
settings can take various forms. For enhanced fidelity, policy definition
capabilities often specify the traffic direction property.
Tip: By default, the bridged traffic flows without any restrictions, as in a CIP-based device that
does not support CIP Security.

See also
CIP Bridging Control on page 25

CIP bridging settings hierarchy

The CIP Bridging Control settings can be global or specific to a port, device,
or zone.

Settings levels
The following list outlines the CIP bridging settings levels (from the lowest
level to the highest level):
1. Port-level settings
2. Device-level settings
3. Zone-level settings
4. Global settings
The CIP Bridging Control settings follow these conventions:
• Lower-level settings must be compliant with higher-level settings
• Lower-level settings can be stricter than higher-level settings
• If lower-level settings are less strict than higher-level settings, the
higher-level settings overwrite the lower-level settings

Port-level settings
These settings apply to EtherNet/IP interfaces and provide the distinction
between secure and Trusted IP (permitted) traffic.
Tip: During the initial policy deployment, FactoryTalk Policy Manager attempts to identify the
modules that occupy chassis slots.

Device-level settings
These settings enable or disable the communication bridging between the
USB port of a device and a backplane or other physical ports.

Zone-level settings
These settings ensure compliance for all port-level and device-level settings.
The port-level and device-level settings can be stricter than zone-level settings.
The following table shows examples of zone-level settings paired with
port-level settings:
Example 1 - Allowed configuration
Zone settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Port settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Chassis size: 4; Slots disabled: none.
Description: The port-level settings (lower-level settings) and zone-level settings (higher-level settings) match.

Example 2 - Allowed configuration
Zone settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Port settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Chassis size: 4; Slots disabled: 1, 2, 3.
Description: The port-level settings (lower-level settings) are stricter than the zone-level settings (higher-level settings).

Example 3 - Disallowed configuration
Zone settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Block all traffic.
Port settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Chassis size: 4; Slots disabled: none.
Description: The port-level settings (lower-level settings) are less strict than the zone-level settings (higher-level settings).

Global settings
Global policy ensures compliance for all zones in the model. The zone-level
settings can be stricter than global settings.
The following table shows examples of global settings paired with zone-level
settings:
Example 1 - Allowed configuration
Global settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Zone settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Description: The zone-level settings (lower-level settings) and global settings (higher-level settings) match.

Example 2 - Allowed configuration
Global settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Zone settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Block all traffic.
Description: The zone-level settings (lower-level settings) are stricter than the global settings (higher-level settings).

Example 3 - Disallowed configuration
Global settings: Inbound CIP bridging: Allow secure traffic. Outbound CIP bridging: Allow all traffic.
Zone settings: Inbound CIP bridging: Allow all traffic. Outbound CIP bridging: Allow all traffic.
Description: The zone-level settings (lower-level settings) are less strict than the global settings (higher-level settings).
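The following is an added example that checks a set of CIP Bridging Control settings against the level hierarchy described in this section and resolves the effective setting when a lower level is overwritten. It is not FactoryTalk Policy Manager code. The strictness order (Block all traffic is stricter than Allow secure traffic, which is stricter than Allow all traffic) is inferred from the allowed and disallowed rows in the two tables above; the slot numbering 0..size-1 and the way a zone's outbound setting is compared with a port's disabled slots are assumptions, and only the two zone outbound values that the page pairs with slot examples are handled.

```python
"""Check CIP Bridging Control settings against the settings hierarchy.

Added example, not FactoryTalk Policy Manager code. Strictness order is
inferred from the page's tables; slot handling is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Set

STRICTNESS = {"Allow all traffic": 0, "Allow secure traffic": 1, "Block all traffic": 2}


@dataclass
class TrafficSettings:
    """Inbound/outbound CIP bridging at the global, zone or device level."""
    inbound: str
    outbound: str


@dataclass
class PortSettings:
    """Port level: inbound is a traffic setting; outbound bridging is expressed
    as the chassis slots that are disabled, as in the page's examples."""
    inbound: str
    chassis_size: int
    slots_disabled: Set[int] = field(default_factory=set)


def is_compliant(lower: str, higher: str) -> bool:
    """A lower-level setting must be at least as strict as the higher-level one."""
    return STRICTNESS[lower] >= STRICTNESS[higher]


def effective(lower: str, higher: str) -> str:
    """The lower level stands if it is compliant; otherwise the higher level overwrites it."""
    return lower if is_compliant(lower, higher) else higher


def resolve(levels: List[TrafficSettings]) -> TrafficSettings:
    """Walk from global (first) down to the lowest level (last), applying the overwrite rule."""
    inbound, outbound = levels[0].inbound, levels[0].outbound
    for level in levels[1:]:
        inbound = effective(level.inbound, inbound)
        outbound = effective(level.outbound, outbound)
    return TrafficSettings(inbound, outbound)


def slots_compliant(zone_outbound: str, port: PortSettings) -> bool:
    """'Block all traffic' at zone level needs every slot disabled at the port;
    'Allow all traffic' accepts any slot set (assumption: slots are 0..size-1)."""
    if zone_outbound == "Allow all traffic":
        return True
    if zone_outbound == "Block all traffic":
        return set(range(port.chassis_size)) <= port.slots_disabled
    raise ValueError(f"no slot-level rule for {zone_outbound!r} on the page")


def violations(global_: TrafficSettings, zone: TrafficSettings, port: PortSettings) -> List[str]:
    """Return the hierarchy rules a configuration breaks (empty list = allowed)."""
    problems = []
    if not is_compliant(zone.inbound, global_.inbound):
        problems.append("zone inbound is less strict than global inbound")
    if not is_compliant(zone.outbound, global_.outbound):
        problems.append("zone outbound is less strict than global outbound")
    if not is_compliant(port.inbound, zone.inbound):
        problems.append("port inbound is less strict than zone inbound")
    if not slots_compliant(zone.outbound, port):
        problems.append("port outbound slots are less strict than zone outbound")
    return problems


if __name__ == "__main__":
    g = TrafficSettings("Allow secure traffic", "Allow all traffic")
    z = TrafficSettings("Allow secure traffic", "Block all traffic")
    print(violations(g, z, PortSettings("Allow secure traffic", 4)))
```

Run against the three zone/port examples above, the function returns an empty list for the two allowed configurations and reports the port outbound slots for the disallowed one; the third global/zone example is reported as a zone inbound violation.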

See also
CIP Bridging Control on page 25
Port properties on page 64
Device properties on page 67
Zone properties on page 47
FactoryTalk Policy Manager Global Settings on page 37

Automatic Policy Deployment

Automatic Policy Deployment leverages the ODVA CIP Security pull model
that enables the EtherNet/IP endpoints (for example, field devices) to initiate
the deployment of policies defined on a system server.
During the onboarding process, the devices are discovered, identified, and
provisioned with identities and temporary policies. The onboarded devices can
then be merged into the security model and have their policies deployed
automatically.
By using Automatic Policy Deployment, you can improve the system:
• Operational readiness level
• Uptime
• Security (by provisioning security policies to field devices as soon as
they power up)
Automatic Policy Deployment supports the following devices:
• ControlLogix 5580 controllers (version 34)
• GuardLogix 5580 controllers (version 34)
• CompactLogix 5380 controllers (version 34)
• Compact GuardLogix 5380 controllers (version 34)
• EtherNet/IP communication modules (1756-EN4TR, version 4.001)
Automatic Policy Deployment requires a system server with FactoryTalk
Policy Manager installed and FactoryTalk System Services running.
Tip: After the FactoryTalk Policy Manager installation, FactoryTalk System Services start
automatically with Windows and run independently from FactoryTalk Policy Manager. FactoryTalk
System Services operate in the background even if the FactoryTalk Policy Manager application is
closed.

See also
Policy management capabilities on page 24
Automatic Policy Deployment operation on page 28
Automatic Policy Deployment notifications on page 33

Automatic Policy Deployment operation

Automatic Policy Deployment discovers the devices in the network that you
can add to the security model.
IMPORTANT Automatic Policy Deployment can onboard and merge only a single EtherNet/IP
interface of a device.
This applies to CompactLogix 5380 controllers operating in the Dual IP mode.
IMPORTANT Automatic Policy Deployment uses the Enrollment over Secure Transport (EST)
service. If your machine has multiple network interfaces, the EST service uses a
random network interface by default. To specify the network interface for the EST
service, see Specify the network interface for the EST service on page 32.

Depending on your requirements, you can set Automatic Policy Deployment
to:
• Automatically or manually deploy the configuration of discovered
devices that match the devices in the security model.
• Allow or restrict the devices in the Onboarding Area from connecting
with other devices in the network.
Note: The Automatic Policy Deployment process is independent from the manual policy
deployment process.
The manual policy model deployment process can interrupt the Automatic Policy
Deployment process. Once the security model is deployed, Automatic Policy Deployment
continues adding and merging the discovered devices.

For auditing and troubleshooting purposes, Automatic Policy Deployment
indicates changes to the security model with:
• The Results pane updates.
• Toast notifications for onboarding devices and merged devices.
• The following icons throughout the FactoryTalk Policy Manager
interface:
Icon Event
Devices newly added to the Onboarding Area.
Automatically merged and deployed devices.
Automatically merged devices.

See also
Onboarding on page 29
Merging on page 30
Secured device replacement on page 32
FactoryTalk Policy Manager Global Settings on page 37

Onboarding

The onboarding process automatically identifies EtherNet/IP endpoints and
provisions certificates and temporary policies. Once the onboarding process
finishes, the identified devices are placed in the Onboarding Area.
The devices in the Onboarding Area are not a part of the security model. You
cannot add a conduit to the Onboarding Area or to any onboarding device.
Depending on the onboarding policy, you can allow or restrict the onboarding
devices from connecting with other devices in the network.
IMPORTANT Secure onboarding policy is effective only for embedded EtherNet/IP interfaces.
Devices can still be accessed through backplanes.

You can manually move the devices from the Onboarding Area into the
security model.
IMPORTANT When you move a device from the Onboarding Area to a zone or make the device
unassigned, you cannot assign the device to the Onboarding Area again.

If you delete a device that can be discovered by Automatic Policy Deployment,
FactoryTalk Policy Manager prompts you to:
• Disable the automatic discovery for the endpoint to prevent the device
from reappearing in the Onboarding Area.
• Keep the automatic discovery enabled to restore the device in the
Onboarding Area.

See also
Automatic Policy Deployment operation on page 28
FactoryTalk Policy Manager Global Settings on page 37

Merging

Depending on the security model and the devices available in the network, the
merging process can be automatic or manual.

Automatic merging
The merging process is automatic if the onboarding device has the same IP
address as the matching device in the security model.
The onboarding device does not need to be identical with the matching device
in the security model. During the merging process, the newer device
properties overwrite the older device properties.
IMPORTANT The following properties are never overwritten by the automatic merging process:
• IP address
• Device name
• Device description

The following tables illustrate examples of how the automatic merging
process operates in different scenarios.

Scenario 1 - Device replacement (policy erased)

Property                 Onboarding device  Device in the security model (Zone 1)  Merged device (Zone 1)
IP Address               192.168.1.68       192.168.1.68                           192.168.1.68
Name                     1756-L81E          Line Controller                        Line Controller
Description              1756-L81E          Main controller for assembly line      Main controller for assembly line
Product type             14                 14                                     14
Product code             164                164                                    164
Firmware major revision  34                 34                                     34
Firmware minor revision  001                001                                    001
Serial number            SN12345            SN12345                                SN12345
Description: All device parameters match: device name (retained), device
description (retained). The device malfunctioned and was reset to factory
defaults.

Scenario 2 - Device replacement (serial number mismatch)

Property                 Onboarding device  Device in the security model (Zone 1)  Merged device (Zone 1)
IP Address               192.168.1.68       192.168.1.68                           192.168.1.68
Name                     1756-L81E          Line Controller                        Line Controller
Description              1756-L81E          Main controller for assembly line      Main controller for assembly line
Product type             14                 14                                     14
Product code             164                164                                    164
Firmware major revision  34                 34                                     34
Firmware minor revision  001                001                                    001
Serial number            SN12345            SN54321                                SN1234
Description: All device parameters match except for: serial numbers
(overwritten), device name (retained), device description (retained). The
device malfunctioned and was replaced with a new device.

Scenario 3 - Device replacement (serial number and firmware revision
mismatch)

Property                 Onboarding device  Device in the security model (Zone 2)  Merged device (Zone 2)
IP Address               192.168.1.73       192.168.1.73                           192.168.1.73
Name                     1756-L83E          Machine Controller                     Machine Controller
Description              1756-L83E          Packaging machine controller           Packaging machine controller
Product type             14                 14                                     14
Product code             166                166                                    166
Firmware major revision  34                 33                                     34
Firmware minor revision  001                001                                    001
Serial number            SN111213           SN313211                               SN111213
Description: All device parameters match except for: serial numbers
(overwritten), firmware major revision (overwritten), device name (retained),
device description (retained). The device malfunctioned and was replaced with
a new device.

Scenario 4 - Device replacement (several properties mismatch)

Property                 Onboarding device  Device in the security model (Zone 3)  Merged device (Zone 3)
IP Address               192.168.1.82       192.168.1.82                           192.168.1.82
Name                     1756-EN4TR         Conveyor PF755T #12                    Conveyor PF755T #12
Description              1756-EN4TR         Conveyor drive #12                     Conveyor drive #12
Product type             12                 45                                     12
Product code             258                7                                      258
Firmware major revision  4                  10                                     4
Firmware minor revision  001                00                                     001
Serial number            SN223344           SN556677                               SN223344
Description: A non-typical scenario with device mismatch. The existing device
is treated as obsolete and overwritten. The device parameters are merged:
serial numbers (overwritten), device name (retained), device description
(retained), product type (overwritten), product code (overwritten), firmware
major revision (overwritten), firmware minor revision (overwritten).

Manual merging
The merging process is manual if the onboarding device cannot be associated
with any device in the security model.
An administrator can manually move the discovered device from the
Onboarding Area to the security model.

The following table illustrates an example of the manual merging process.

Property                 Onboarding device  Device in the security model  Merged device
IP address               192.168.1.68       No match                      N/A
Name                     1756-L81E
Description              1756-L81E
Product type             14
Product code             164
Firmware major revision  34
Firmware minor revision  001
Serial number            SN12345
Description: No matching device found in the security model. Device added to
the Onboarding Area.

See also
Automatic Policy Deployment operation on page 28
FactoryTalk Policy Manager Global Settings on page 37

Secured device replacement

The secured device replacement process identifies onboarded devices against
existing entries in the security model based on specific criteria and
deploys the policies automatically.
The onboarding device matches the device in the security model if the
following properties are the same:
• IP address
• Vendor
• Product type
• Product code
• Major firmware revision (the same or higher)
IMPORTANT The vendor certificate of a device determines the vendor property. Currently,
FactoryTalk Policy Manager supports only Rockwell Automation vendor
certificates.
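The following is an added example covering both the automatic merging rules (Merging section above) and the secured device replacement match criteria in this section. It is not FactoryTalk Policy Manager code. The device values come from merging scenarios 3 and 4 above; the vendor string, the field names and the integer form of the firmware minor revision are assumptions (the page identifies the vendor through the device's vendor certificate rather than a text field).

```python
"""Automatic merging and secured device replacement matching.

Added example, not FactoryTalk Policy Manager code. Scenario values are taken
from the page; the vendor string and field names are assumptions.
"""
from dataclasses import dataclass, fields, replace
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    description: str
    vendor: str
    product_type: int
    product_code: int
    fw_major: int
    fw_minor: int
    serial: str


# Properties the automatic merge never overwrites (IMPORTANT note in Merging).
RETAINED = ("ip", "name", "description")


def find_match(onboarding: Device, model: List[Device]) -> Optional[Device]:
    """Automatic merging keys only on the IP address."""
    return next((d for d in model if d.ip == onboarding.ip), None)


def merge(onboarding: Device, existing: Device) -> Device:
    """Newer (onboarding) properties overwrite the model entry except the retained ones."""
    updates = {f.name: getattr(onboarding, f.name) for f in fields(Device) if f.name not in RETAINED}
    return replace(existing, **updates)


def qualifies_for_secured_replacement(onboarding: Device, existing: Device) -> bool:
    """IP, vendor, product type and product code must match; the major firmware
    revision must be the same or higher."""
    return (
        onboarding.ip == existing.ip
        and onboarding.vendor == existing.vendor
        and onboarding.product_type == existing.product_type
        and onboarding.product_code == existing.product_code
        and onboarding.fw_major >= existing.fw_major
    )


def changed_fields(before: Device, after: Device) -> List[str]:
    """Names of the properties a merge overwrote, for an audit record."""
    return [f.name for f in fields(Device) if getattr(before, f.name) != getattr(after, f.name)]


# Scenario 3 (Zone 2): same product, newer firmware, new serial number.
ONBOARDING_L83E = Device("192.168.1.73", "1756-L83E", "1756-L83E",
                         "Rockwell Automation", 14, 166, 34, 1, "SN111213")
MODEL_L83E = Device("192.168.1.73", "Machine Controller", "Packaging machine controller",
                    "Rockwell Automation", 14, 166, 33, 1, "SN313211")

# Scenario 4 (Zone 3): the model entry is a different product at the same IP.
ONBOARDING_EN4TR = Device("192.168.1.82", "1756-EN4TR", "1756-EN4TR",
                          "Rockwell Automation", 12, 258, 4, 1, "SN223344")
MODEL_PF755T = Device("192.168.1.82", "Conveyor PF755T #12", "Conveyor drive #12",
                      "Rockwell Automation", 45, 7, 10, 0, "SN556677")

if __name__ == "__main__":
    merged = merge(ONBOARDING_L83E, MODEL_L83E)
    print(changed_fields(MODEL_L83E, merged))
    print(qualifies_for_secured_replacement(ONBOARDING_EN4TR, MODEL_PF755T))
```

Scenario 3 both merges and qualifies for secured replacement (same product, firmware 34 is higher than 33). Scenario 4 still merges by IP address, as the page describes, but fails the secured replacement criteria because product type and product code differ, which is a useful distinction to surface in a change review.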

See also
Automatic Policy Deployment operation on page 28
FactoryTalk Policy Manager Global Settings on page 37

Specify the network interface for the EST service

Automatic Policy Deployment uses the Enrollment over Secure Transport
(EST) service. If your machine has multiple network interfaces, the EST
service uses a random network interface by default. You can select a specific
network interface by editing the appConfiguration.json file.
IMPORTANT You must be a Windows administrator and have a FactoryTalk Directory administrator
account to specify the network interface for the EST service.

To specify the network interface for the EST service:
1. In a text editor, open the FactoryTalk System Services configuration
file: C:\ProgramData\Rockwell Automation\FactoryTalk System
Services\config\admin\appConfiguration.json
2. Add a configuration for the EST service.
Note: For the hostname property value, use the IP address.
Example:
    "est": {
        "port": 40014,
        "filePathCertificate": "",
        "filePathPrivateKey": "",
        "hostname": "192.168.1.100"
    }
3. Save the configuration file.
4. Restart FactoryTalk System Services.
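The following is an added example that performs step 2 of the procedure above programmatically: it inserts or updates the "est" block in appConfiguration.json and rejects a hostname that is not an IP address, as the note requires. It is not part of FactoryTalk System Services. The file path and the "est" keys are the ones shown above; the .bak backup name and the port range check are assumptions. Steps 3 and 4 (saving and restarting FactoryTalk System Services) are still done as described.

```python
"""Add or update the EST service entry in appConfiguration.json.

Added example, not part of FactoryTalk System Services. Path and "est" keys
are from the procedure above; the backup name is an assumption.
"""
import copy
import ipaddress
import json
import shutil
from pathlib import Path

CONFIG_PATH = Path(r"C:\ProgramData\Rockwell Automation\FactoryTalk System Services"
                   r"\config\admin\appConfiguration.json")

EST_DEFAULTS = {"port": 40014, "filePathCertificate": "", "filePathPrivateKey": ""}


def set_est_interface(config: dict, hostname: str, port: int = 40014) -> dict:
    """Return a copy of config whose "est" block binds to the given interface.

    The procedure says to use an IP address for hostname, so a DNS name or a
    malformed address is rejected here instead of being written to the file.
    """
    ipaddress.ip_address(hostname)  # raises ValueError if not an IP address
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    updated = copy.deepcopy(config)
    est = updated.setdefault("est", {})
    for key, value in EST_DEFAULTS.items():
        est.setdefault(key, value)  # keep existing certificate/key paths if present
    est["port"] = port
    est["hostname"] = hostname
    return updated


def update_config_file(hostname: str, port: int = 40014, path: Path = CONFIG_PATH) -> Path:
    """Rewrite the configuration file in place after saving a .bak copy; returns the backup path."""
    config = json.loads(path.read_text(encoding="utf-8"))
    updated = set_est_interface(config, hostname, port)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(json.dumps(updated, indent=2), encoding="utf-8")
    return backup


if __name__ == "__main__":
    print(json.dumps(set_est_interface({}, "192.168.1.100"), indent=2))
```

Running update_config_file requires the Windows administrator rights mentioned in the IMPORTANT note above, because the file lives under ProgramData; set_est_interface itself only manipulates the parsed JSON and can be exercised without touching the file.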

Automatic Policy Deployment notifications

FactoryTalk Policy Manager displays the results of the Automatic Policy
Deployment process in the Results pane. If needed, you can use the following
messages to troubleshoot issues with Automatic Policy Deployment.
IMPORTANT For detailed information about the Automatic Policy Deployment process for specific
devices, see the FactoryTalk® Diagnostics log.

New devices
Discovered devices without references in the security model that Automatic
Policy Deployment adds to the Onboarding Area.
Message: The device {name} ({IP address}) is enrolled. The device is added to
Onboarding Area.
Description: The discovered device had no reference in the security model and
was added to the Onboarding Area.

Message: The Secure Onboarding Policy for device {name} ({IP address}) was not
applied. The device does not support this policy.
Description: Automatic Policy Deployment failed to deploy the policy to the
discovered device. Verify if the device supports the policy.

Message: The Secure Onboarding Policy for device {name} ({IP address}) was not
applied because a valid FactoryTalk Linx Driver was not found.
Description: Automatic Policy Deployment failed to deploy the policy to the
discovered device. Verify if the correct EtherNet/IP driver is assigned to the
discovered device. If the driver does not exist, add the driver with
FactoryTalk Linx.

Message: The device {name} ({IP address}) is enrolled. The device is added to
Onboarding Area. Initiating secure onboarding.
Description: The Automatic Policy Deployment process starts. The discovered
device is added to the Onboarding Area. Establishing a connection between the
discovered device and FactoryTalk Policy Manager or other devices in the
security model. The deployment process completion time depends on the number
of discovered devices.

Message: The device {name} ({IP address}) is enrolled. The device is added to
Onboarding Area. The Secure Onboarding Policy was applied.
Description: Automatic Policy Deployment added the device to the Onboarding
Area and the deployment process completed. Established a connection between
the device added to the Onboarding Area and FactoryTalk Policy Manager or
other devices in the security model. You can move the device from the
Onboarding Area to the security model.

Message: The Secure Onboarding Policy for {name} ({IP address}) was not
applied. Check event log for more details.
Description: Automatic Policy Deployment failed to deploy the discovered
device. The discovered device was not added to the Onboarding Area. Failed to
establish a connection between the device added to the Onboarding Area and
FactoryTalk Policy Manager or other devices in the security model. For more
information, see the FactoryTalk Diagnostics logs. Once you resolve the issue
with the device, Automatic Policy Deployment will discover and process the
device again.

Message: The device {name} ({IP address}) was removed from the security model.
Description: The device that was deployed to the security model was deleted
from the security model. Automatic Policy Deployment removed the device from
the security model.

Devices qualified to merge

Discovered devices with deployed references in the security model that Automatic Secured Device Replacement merges into the security model.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). All entries are merged. Initiating automatic secured device replacement.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model. Establishing a connection between the discovered device and FactoryTalk Policy Manager or other devices in the security model. The deployment process completion time depends on the number of discovered devices.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). All entries are merged. Policy deployment was successful.
Description: The automatic secured device replacement process completed. The discovered device is merged with the previously deployed device in the security model. Established a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. If needed, you can edit the merged device properties.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). All entries are merged.
Description: The automatic secured device replacement process is in progress. The discovered device is merged with the previously deployed device in the security model.

Message: Policy deployment for {name} ({IP address}) failed. Start Replace Device action manually.
Description: The automatic secured device replacement process failed. Trying to establish a connection between the discovered device and FactoryTalk Policy Manager or other devices in the security model. For more information, see the FactoryTalk Diagnostics logs. If needed, replace the device manually. For more information, see the Devices chapter.

Message: Policy deployment for {name} ({IP address}) failed. The secure onboarding policy was not applied. The device does not support this policy.
Description: The automatic secured device replacement process failed to deploy the policy to the discovered device. Verify that the device supports the policy.

Message: Policy deployment for {name} ({IP address}) failed. The secure onboarding policy was not applied because a valid FactoryTalk Linx Driver was not found. Assign a valid driver and initiate Replace Device action manually.
Description: The automatic secured device replacement process failed to deploy the policy to the discovered device. Verify that the correct EtherNet/IP driver is assigned to the discovered device. If the driver does not exist, you must add the driver with FactoryTalk Linx. Replace the device manually. For more information, see the Devices chapter.

Message: Device {name} ({IP address}) enrolled and qualified as replacement for Device {name} ({Zone name}). Entries merged.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model. The deployment process completion time depends on the number of discovered devices.

Message: Deployment for {name} ({IP address}) unsuccessful. Initiating secure onboarding.
Description: The automatic secured device replacement process failed. Reapplying the secure policy to the device. Establishing a connection between the discovered device and FactoryTalk Policy Manager or other devices in the security model.

Message: Policy for {name} ({IP address}) deployment failed.
Description: The automatic secured device replacement process failed. For more information, see the FactoryTalk Diagnostics logs.

Message: The secure onboarding policy for {name} ({IP address}) was applied successfully. Start Replace Device action manually.
Description: The automatic secured device replacement applied the secure policy to the device. Established a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. Replace the device manually. For more information, see the Devices chapter.

Message: Deployment for {name} ({IP address}) failed. The secure onboarding policy was not applied. Check event log for more details.
Description: The automatic secured device replacement failed to deploy the policy to the discovered device. Failed to establish a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. Replace the device manually. For more information, see the Devices chapter. For detailed information about the automatic secured device replacement process, see the FactoryTalk Diagnostics logs.

Discovered devices with not deployed references in the security model that Automatic Policy Deployment merges into the security model.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model. The deployment process completion time depends on the number of discovered devices.

Message: The secure onboarding policy for {name} ({IP address}) was not applied. The device does not support this policy.
Description: The automatic secured device replacement process failed to deploy the policy to the discovered device. Verify that the device supports the policy.

Message: The secure onboarding policy for {name} ({IP address}) was not applied because a valid FactoryTalk Linx Driver was not found.
Description: The automatic secured device replacement process failed to deploy the policy to the discovered device. Verify that the correct EtherNet/IP driver is assigned to the discovered device. If the driver does not exist, add the driver with FactoryTalk Linx.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged. Initiating secure onboarding.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model. Established a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. The deployment process completion time depends on the number of discovered devices.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged. The secure onboarding policy was applied.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model. Established a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. The deployment process completion time depends on the number of discovered devices.

Message: The secure onboarding policy for {name} ({IP address}) was not applied. Check event log for more details.
Description: The automatic secured device replacement process failed. Failed to establish a connection between the merged device and FactoryTalk Policy Manager or other devices in the security model. For more information, see the FactoryTalk Diagnostics logs.

Discovered devices with deployed references in the security model that Automatic Policy Deployment merges into the security model.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). All entries are merged.
Description: The automatic secured device replacement process starts. The discovered device is merged with the matching device in the security model.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). The secure onboarding policy was not applied. The device does not support this policy.
Description: The automatic secured device replacement process was unable to deploy the policy to the discovered device. Verify that the device supports the policy. The discovered device is merged with the matching device in the security model.

Message: The secure onboarding policy for {name} ({IP address}) was not applied because a valid FactoryTalk Linx Driver was not found. Assign a valid driver and Replace Device.
Description: The automatic secured device replacement process failed to deploy the policy to the discovered device. Verify that the correct EtherNet/IP driver is assigned to the discovered device. If the driver does not exist, add the driver with FactoryTalk Linx. Replace the device manually. For more information, see the Devices chapter.

Message: The device {name} ({IP address}) is enrolled and qualified as a replacement for the device {name} ({Zone name}). All entries are merged. Initiating secure onboarding.
Description: The discovered device is merged with the matching device in the security model. Establishing a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model. The automatic secured device replacement process starts. The deployment process completion time depends on the number of discovered devices.

Message: Device {name} ({IP address}) enrolled and qualified as replacement for Device {name} ({Zone name}). All entries are merged. The secure onboarding policy was applied successfully.
Description: The automatic secured device replacement process completed. Established a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model.

Message: The secure onboarding policy for {name} ({IP address}) was not applied. Check event log for more details.
Description: The automatic secured device replacement process failed to deploy the discovered device. Failed to establish a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model. For more information, see the FactoryTalk Diagnostics logs. Once you resolve the issue with the device, Automatic Policy Deployment will discover and process the device again.

Discovered devices with not deployed references in the security model that Automatic Policy Deployment merged into the security model.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged.
Description: The Automatic Policy Deployment process starts. The discovered device is merged with the matching device in the security model.

Message: The secure onboarding policy for {name} ({IP address}) was not applied. The device does not support this policy.
Description: The Automatic Policy Deployment process failed to deploy the policy to the discovered device. Verify that the device supports the policy.

Message: The secure onboarding policy for {name} ({IP address}) was not applied because a valid FactoryTalk Linx Driver was not found. Perform manual merge in a destination zone.
Description: The Automatic Policy Deployment process failed to deploy the policy to the discovered device. Verify that the correct EtherNet/IP driver is assigned to the discovered device. If the driver does not exist, add the driver with FactoryTalk Linx.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged. Initiating secure onboarding.
Description: The discovered device is merged with the matching device in the security model. The secure onboarding process starts. Establishing a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model. The deployment process completion time depends on the number of discovered devices.

Message: The device {name} ({IP address}) is enrolled and qualified to merge with existing {name} ({Zone name}) device in the model. All entries are merged. The secure onboarding policy was applied.
Description: The Automatic Policy Deployment process added the device to the security model and the deployment process completed. Established a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model.

Message: The secure onboarding policy for {name} ({IP address}) was not applied. Check event log for more details.
Description: The Automatic Policy Deployment process failed to deploy the discovered device. Failed to establish a connection between the device added to the security model and FactoryTalk Policy Manager or other devices in the model. For more information, see the FactoryTalk Diagnostics logs.

See also
Automatic Policy Deployment on page 28
Replace a device on page 68

Security Eventing
Use Security Eventing to configure the logging of messages that are sent between devices.
The Security Eventing service requires a Syslog server to operate. The Security Eventing policy is applied to every device in the security model that supports Security Eventing.
Configure Security Eventing Settings in FactoryTalk Policy Manager Global Settings.
The Security Eventing service uses these communication protocols to log messages:
• UDP: gives good performance for a high volume of messages; however, it can lose data during network issues.
• TCP: a reliable protocol that is best suited for high-priority messaging.

See also:
Policy management capabilities on page 24
FactoryTalk Policy Manager Global Settings on page 37

FactoryTalk Policy Manager Global Settings
How do I open Global Settings?
• In the FactoryTalk Policy Manager navigation bar, select Global Settings.
Use Global Settings to define the settings that are applied to all devices
contained in the model. FactoryTalk Policy Manager sends the information
along with your certificate information to identify different components and
establish the trust relationships.
Tip: It is recommended to complete the Global Settings information before using the certificate
authentication method.
IMPORTANT Changes to the Automatic Policy Deployment settings take immediate effect. To avoid
onboarding devices with unintended settings, you can edit the Automatic Policy
Deployment settings:
• With the FactoryTalk System Services server disconnected from the network.
• When you do not expect any devices to be onboarded.

This table describes the settings:

General
• Model Name: The name of the security model managed by this instance of FactoryTalk Policy Manager.

Certificate Settings
• Organization: The name of your organization.
• City/Locality: The legally registered location of your organization.
• State/Province: If applicable, the State or Province in which your organization is using the certificate.
• Country: The country in which your organization operates.

Port settings
• DTLS timeout: Enter a value between 1 and 3600 seconds. The default value is 12 seconds. If a device does not support the timeout functionality, a warning appears in the Device Properties pane.
• CIP Bridging: Allow or restrict communication to and from the backplane of eligible devices in all zones of the security policy model. The CIP bridging settings affect secured EtherNet/IP interfaces and USB ports (if present). The selected option becomes the default for all zones and devices.
  Inbound CIP Bridging to the Backplane
  • Allow all traffic: Allows bridging of secure and trusted IP traffic from the EtherNet/IP interface to the backplane and other physical ports (for example: Ethernet, USB). Allows bridging of unsecure traffic from the USB port. Note: Physical port support depends on the hardware platform.
  • Allow secure traffic: Allows bridging of only secure traffic from the secured EtherNet/IP interface to the backplane and other physical ports (for example: Ethernet, USB). Blocks bridging of unsecure traffic from the USB port. Note: Physical port support depends on the hardware platform.
  • Block all traffic: Blocks bridging of any traffic from the secured EtherNet/IP interface and the USB port.
  Outbound CIP Bridging from the Backplane
  • Allow all traffic: Allows bridging of all traffic to the Ethernet port and the USB port.
  • Block all traffic: Blocks bridging of any traffic to the Ethernet port and the USB port.

Automatic Policy Deployment
• Enable automatic device discovery and onboarding: Select to enable Automatic Policy Deployment, which:
  • Starts the DNS-based Service Discovery (DNS-SD) services to enable device discovery and certificate provisioning.
  • Starts the Enrollment over Secure Transport (EST) system service, which responds to endpoint queries.
  • Merges the discovered devices with the matching devices in the security model.
  • Adds the discovered devices to the Onboarding Area if the discovered device does not match any device in the security model.
• Enable automatic secured device replacement: Select to automatically deploy the configuration of onboarded devices that match the devices in the security model based on the specific criteria. This feature requires the Enable automatic device discovery and onboarding checkbox to be selected.
• Enable secure onboarding: During the onboarding process, the discovered devices can receive different sets of temporary policies that determine their networking behavior until they are provisioned with final policies. Select to prevent the onboarding devices from establishing connections with any other device in the network except for FactoryTalk Policy Manager. This feature requires the Enable automatic device discovery and onboarding checkbox to be selected.

Security Eventing Settings
• Enable security eventing using Syslog server: When selected, FactoryTalk Policy Manager configures the devices in the security policy model to send Syslog messages. The devices send the messages to the specified server for storage using the chosen protocol. These settings apply to all devices that support security eventing.
• Server Settings: Use these settings to identify the location of the Syslog server.
  • IP Address: Select to identify the Syslog server by its IP address.
  • Hostname: Select to identify the Syslog server by its DNS host name.
  • Port number: The communications port on the server that receives the Syslog messages. The default port number is 514.
  • Protocol: Select UDP for low-priority logging. UDP does not guarantee delivery; log data that is transferred using UDP can be lost in transit due to network problems. Select TCP for log data that cannot tolerate loss and must be retained.
• Filter Settings: Use these settings to filter the event messages that are logged to the Syslog server.
  • Event types that will generate messages:
    Failures only. Select to log events upon failures related to model deployment, device discovery, component connections, and component authentications or authorizations.
    Failures and successes. Select to log all success and failure events related to model deployment, device discovery, component connections, and component authentications or authorizations.
  • Lowest level of severity to log: Log messages that are at or above the selected severity level. Defined severity levels from highest to lowest are:
    • Emergency - System is unusable.
    • Alert - Action must be taken immediately.
    • Critical - Critical operational conditions such as device hardware major faults.
    • Error - Error conditions in software applications and device hardware minor faults.
    • Warning - Warning conditions in software applications and hardware.
    • Notice - Significant conditions that may require special handling.
    • Information - Informational messages about software or hardware operations.
    • Audit - Messages from the auditing service.
    • Debug - Messages about the programmatic operations of the software.
• Message Settings: Specify which details to include in the event log message.
  • Sequence ID - Uniquely identifies the type and purpose of the message.
  • Time quality (sync info, time zone accuracy) - Describes the system time mechanism used by the message originator.
• Time resolutions: Defines the level of precision used in the time stamp of the log messages: Seconds, Milliseconds, Microseconds, or Nanoseconds.

Changes to the settings described in the previous table are saved when you press ENTER or select another field.
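The following script is an added example and is not part of this guide or of FactoryTalk software. It shows the collector side of the Security Eventing settings above and in the Security Eventing section: how the Lowest level of severity to log threshold corresponds to the numeric severity in each RFC 5424 record, how the Sequence ID and Time quality message settings arrive as RFC 5424 structured data (the meta and timeQuality elements), and how gaps in sequence IDs reveal messages that were lost over UDP. The sample records, device addresses and function names are constructed for the example; the Audit level in the product's list has no RFC 5424 severity code and is not mapped. Neither UDP nor TCP Syslog as configured here authenticates or encrypts the log stream, so the collector belongs on the same trusted network segment as the devices.

```python
"""Parse and triage RFC 5424 Syslog records from CIP Security devices.

Added example, not code from the Rockwell guide. The sample lines are
constructed; structured-data names follow RFC 5424 section 7.
"""
import re
from collections import defaultdict

# RFC 5424 severity codes (0 = most severe), labelled with the names used in
# the product's "lowest level of severity" list. "Audit" has no RFC 5424 code.
SEVERITY = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Information": 6, "Debug": 7,
}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s\]=]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')

# Constructed sample: two devices reporting with facility 4 (security/auth).
# Sequence numbers 43 and 44 from the first device never arrived, which is
# what UDP loss looks like at the collector.
SAMPLE_LINES = [
    '<38>1 2022-06-14T10:15:03.123456Z 192.168.1.20 CIPSecurity - CONN '
    '[meta sequenceId="41"][timeQuality tzKnown="1" isSynced="1" syncAccuracy="1000"] '
    'Secure connection established with 192.168.1.21',
    '<37>1 2022-06-14T10:15:04.000000Z 192.168.1.20 CIPSecurity - DEPLOY '
    '[meta sequenceId="42"][timeQuality tzKnown="1" isSynced="1"] '
    'Policy deployment completed',
    '<36>1 2022-06-14T10:15:09.500000Z 192.168.1.20 CIPSecurity - AUTH '
    '[meta sequenceId="45"][timeQuality tzKnown="1" isSynced="1"] '
    'Certificate validation failed for 192.168.1.77',
    '<35>1 2022-06-14T10:15:10Z 192.168.1.30 CIPSecurity - AUTH '
    '[meta sequenceId="7"][timeQuality tzKnown="0" isSynced="0"] '
    'Rejected unauthenticated CIP request from 10.0.0.9',
    '<38>1 2022-06-14T10:15:11Z 192.168.1.30 CIPSecurity - AUTH '
    '[meta sequenceId="8"][timeQuality tzKnown="0" isSynced="0"] '
    'Trusted IP 192.168.1.21 connection accepted',
]


def parse_syslog(line):
    """Return a dict for one RFC 5424 record; raises ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 record: {line[:40]!r}")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    sd = {}
    if rest.startswith("-"):            # NILVALUE: no structured data
        msg = rest[1:].lstrip(" ")
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            el = SD_ELEMENT_RE.match(rest, pos)
            if not el:
                raise ValueError("malformed structured data")
            sd[el.group("id")] = dict(SD_PARAM_RE.findall(el.group("params")))
            pos = el.end()
        msg = rest[pos:].lstrip(" ")
    return {
        "facility": pri // 8, "severity": pri % 8,
        "severity_name": SEVERITY_NAME[pri % 8],
        "timestamp": m.group("ts"), "host": m.group("host"),
        "app": m.group("app"), "msgid": m.group("msgid"),
        "sd": sd, "msg": msg,
    }


def filter_by_severity(records, lowest_level):
    """Keep records at or above `lowest_level` (a lower code is more severe)."""
    threshold = SEVERITY[lowest_level]
    return [r for r in records if r["severity"] <= threshold]


def find_sequence_gaps(records):
    """Per host, ranges of missing [meta sequenceId] values (lost messages)."""
    seen = defaultdict(list)
    for r in records:
        seq = r["sd"].get("meta", {}).get("sequenceId")
        if seq is not None:
            seen[r["host"]].append(int(seq))
    gaps = {}
    for host, seqs in seen.items():
        seqs.sort()
        missing = [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]
        if missing:
            gaps[host] = missing
    return gaps


def unsynced_sources(records):
    """Hosts reporting isSynced="0": their timestamps cannot be correlated."""
    return {r["host"] for r in records
            if r["sd"].get("timeQuality", {}).get("isSynced") == "0"}


if __name__ == "__main__":
    recs = [parse_syslog(line) for line in SAMPLE_LINES]
    for r in filter_by_severity(recs, "Warning"):
        print(r["host"], r["severity_name"], r["msg"])
    print("sequence gaps:", find_sequence_gaps(recs))
    print("unsynced clocks:", unsynced_sources(recs))
```

Enabling the Sequence ID and Time quality message settings is what makes the last two checks possible: without sequence IDs, UDP loss is invisible at the collector, and without time quality a device whose clock is not synchronized produces timestamps that cannot be lined up with events from other devices during an investigation.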

See also
Policy management capabilities on page 24
FactoryTalk Policy Manager component considerations on page 40
FactoryTalk Policy Manager planning on page 41
Authentication methods on page 42

FactoryTalk Policy Manager component considerations
When designing a security model using FactoryTalk Policy Manager, consider these items.
• Devices.
Identify which devices are included in the security model.
• Conduits.
Identify the communication pathways in the security model. Determine whether the pathways are zone-to-zone, zone-to-device, or device-to-device.
• Zones.
Identify the groups of logical or physical devices to which security settings are applied. Devices within a zone trust each other.
• Pre-shared keys (PSK).
A key based on a shared secret that is provided to devices to establish trust.
• Certificates.
Used to establish a device's identity by providing information about ownership of a public key.
• Security options
When a certificate is used as the authentication method, additional security checks are available for messaging and I/O data.
• Integrity Only
Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected.

• Integrity & Confidentiality
Checks integrity and encrypts the data so the corresponding
decryption key is required to read the data. Rejects altered and/or
untrusted data.
• Devices that cannot support CIP Security.
Some devices do not support CIP Security and cannot authenticate
themselves to the system. Decide how these devices will be included in
the system. There are two approaches:
• Use a CIP Proxy device. A CIP Proxy device can be placed in front of
the non-CIP securable device. The CIP Proxy device controls the
communication to the device it proxies and can sign and encrypt
data from the device.
• Use a trusted IP address. The device is assigned an IP address that is
trusted by the system and permitted to communicate within the
security zone. However, these devices are not able to sign or encrypt
communications.
Use FactoryTalk Policy Manager to combine these components into a security
policy model to deploy to your FactoryTalk system.

See also
Zones on page 45
Conduits on page 49
Devices on page 58

FactoryTalk Policy Manager planning
Implementing a CIP Security policy requires preparation and planning before deployment. At a minimum, gather this information:
• Number of zones.
• Security requirements for each zone.
• Devices assigned to each zone.
• Required trust relationships:
  • Zones and devices
  • Devices to devices
• IP addresses of all devices to be included in the policy.
This diagram depicts a simple deployment consisting of three zones:
• The PC Zone that contains mobile devices, servers, and administrative computers.
• Zone 1 that contains a switch, controller system, and administrative computer.
• Zone 2 that contains a switch, monitoring panel, controller system, programming system, and maintenance computer.

• The PC Zone is connected to both plant zones by separate conduits.

Item Description
Items with a lock are CIP Security capable.
Items with a list are not CIP Security capable and are trusted by their IP address.
Conduits connect the security zones and enable secure communication between devices in different zones.
The zones are represented by different blocks. Each device within a block trusts the other devices in the block and can communicate with devices in zones that are connected by conduits.
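What follows is an added example, not part of this guide or of FactoryTalk Policy Manager: a small script that encodes the three-zone deployment above together with the component considerations (zones, conduits, trusted IP devices) and checks the plan before it is built in the tool. It lists which device pairs may communicate and whether that trust comes from a shared zone or a conduit, flags every pair that rests only on a trusted IP address because one side is not CIP Security capable and so cannot sign or encrypt, and checks the gathered IP addresses for duplicates. Device names, addresses and which items are CIP Security capable are assumptions made for the example (the switches and the monitoring panel are treated as not capable); the zone and conduit semantics follow the text above.

```python
"""Sanity-check a planned FactoryTalk Policy Manager security model.

Added example, not code from the Rockwell guide. The device list, addresses
and capability flags are assumptions made up for the example; the trust rules
(devices in a zone trust each other, conduits join zones or devices, devices
that are not CIP Security capable are trusted by IP address only) follow the
guide's text.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str           # "" = not yet assigned to a zone
    cip_security: bool  # False: can only be trusted by IP address


@dataclass(frozen=True)
class Conduit:
    # Each endpoint is a zone name or a device name, so zone-to-zone,
    # zone-to-device and device-to-device conduits are all expressible.
    a: str
    b: str


def build_model():
    """The three-zone deployment from the planning section (values assumed)."""
    devices = [
        Device("mobile-tablet", "10.10.0.12", "PC Zone", True),
        Device("hmi-server", "10.10.0.11", "PC Zone", True),
        Device("admin-pc", "10.10.0.10", "PC Zone", True),
        Device("z1-switch", "192.168.1.2", "Zone 1", False),
        Device("z1-plc", "192.168.1.20", "Zone 1", True),
        Device("z1-admin", "192.168.1.30", "Zone 1", True),
        Device("z2-switch", "192.168.2.2", "Zone 2", False),
        Device("z2-panel", "192.168.2.10", "Zone 2", False),
        Device("z2-plc", "192.168.2.20", "Zone 2", True),
        Device("z2-prog", "192.168.2.30", "Zone 2", True),
        Device("z2-maint", "192.168.2.31", "Zone 2", True),
    ]
    conduits = [Conduit("PC Zone", "Zone 1"), Conduit("PC Zone", "Zone 2")]
    return devices, conduits


def _on_endpoint(dev, endpoint):
    return dev.name == endpoint or (dev.zone != "" and dev.zone == endpoint)


def allowed_pairs(devices, conduits):
    """Map each permitted (name, name) pair to the source of its trust."""
    pairs = {}
    for x, y in combinations(devices, 2):
        key = tuple(sorted((x.name, y.name)))
        if x.zone and x.zone == y.zone:
            pairs[key] = "zone"       # devices within a zone trust each other
            continue
        for c in conduits:
            if (_on_endpoint(x, c.a) and _on_endpoint(y, c.b)) or \
               (_on_endpoint(x, c.b) and _on_endpoint(y, c.a)):
                pairs[key] = "conduit"
                break
    return pairs


def trust_basis(x, y):
    """Certificate/PSK authentication needs both ends to be CIP Security capable."""
    return "authenticated" if x.cip_security and y.cip_security else "trusted-ip-only"


def trusted_ip_only_pairs(devices, conduits):
    """Permitted pairs whose traffic can be neither signed nor encrypted."""
    by_name = {d.name: d for d in devices}
    return sorted(k for k in allowed_pairs(devices, conduits)
                  if trust_basis(by_name[k[0]], by_name[k[1]]) == "trusted-ip-only")


def duplicate_ips(devices):
    """IP addresses used by more than one device (breaks trusted-IP matching)."""
    seen, dups = set(), set()
    for d in devices:
        (dups if d.ip in seen else seen).add(d.ip)
    return sorted(dups)


def unassigned_devices(devices):
    """Devices not placed in any zone: they receive no zone policy."""
    return sorted(d.name for d in devices if not d.zone)


if __name__ == "__main__":
    devices, conduits = build_model()
    pairs = allowed_pairs(devices, conduits)
    print(f"{len(pairs)} permitted pairs")
    for pair in trusted_ip_only_pairs(devices, conduits):
        print("trusted IP only:", pair[0], "<->", pair[1], f"({pairs[pair]})")
    print("duplicate IPs:", duplicate_ips(devices))
    print("unassigned:", unassigned_devices(devices))
```

The trusted-IP-only list is the one to review most carefully: every pair in it is reachable on the strength of a source address alone, which is exactly the case the CIP Proxy option in the component considerations exists to shrink.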

See also
Zones on page 45
Conduits on page 49
Devices on page 58

Authentication methods
FactoryTalk Policy Manager supports these authentication methods:

Name Description
Certificate: Established by the use of an X.509v3 certificate granted by a trusted certificate authority.
Pre-shared key: Established by presentation of a shared secret key that is propagated to trusted devices in the system. A pre-shared key can be created manually or FactoryTalk Policy Manager can automatically generate pre-shared keys for distribution to the devices in your system.
Trusted IP: Established by identifying an IP address as trusted by the security model. A set of IP addresses can be defined as a trusted range on your network. Appropriate for use with devices that are not CIP Security capable.

Ingress/Egress rules
The Ingress/Egress Object is a set of rules that govern which network nodes
can communicate to the device and through the device:
• Ingress Rules determine which other nodes can communicate with
this device.
• Egress rules determine how the device can communicate with other
nodes.
To learn more about the Ingress/Egress rules, visit the ODVA website.

See also
Zone properties on page 47
Conduit properties on page 52
Device properties on page 67

Auditing
FactoryTalk System Services generate diagnostic messages upon specific actions and log them to FactoryTalk Diagnostics. These messages can be later reviewed as a part of an audit.
The diagnostic messages are divided into these categories:
• Model deployment: sent when you deploy a security policy model or
cancel deployment.
• Model creation: sent when you create a security policy model.
• Model editing: sent when you make changes to the security policy
model.



Chapter 2

Configure a security policy model

Zones
Zones are security policy groups to which devices are assigned. Once a device is assigned to a zone, the device uses the policy default settings of that zone.
Zones establish the rules for data integrity, data privacy, and the
authentication method used to authenticate trusted devices. When
configuring a zone, use the CIP Security Communication settings within the
zone properties to establish these controls:
• Authentication method
• I/O data security
• Messaging security
• Port usage

See also
Add a zone on page 45
Edit zone properties on page 46
Delete a zone on page 46
Zone properties on page 47
Configure port properties on page 63

Add a zone
Add zones to establish areas of security policy. Devices assigned to the zone trust each other. Edit the zone properties to enable CIP Security and configure the related settings. CIP Security is not enabled by default.

To add a zone
1. In the FactoryTalk Policy Manager navigation bar, select Zones.
2. On the toolbar next to ZONES, select Add [+].
Adds a new zone to the list with these default values:
• Name - Zone #
• Description - None
• Enable CIP Security - Not selected by default.
Select to enable configuration of CIP Security related settings.


See also
Zone properties on page 47
Edit zone properties on page 46
Delete a zone on page 46

Edit zone properties
Edit the properties of a zone to specify a name, description, and enable CIP Security settings.
Tips:
• Selecting a zone in the ZONES explorer displays the last device selected in the zone and the port
properties of that device.
• Select an active cell in the table to directly edit a property.

To edit zone properties


1. In the FactoryTalk Policy Manager navigation bar, select Zones. The
ZONES column displays a list of the configured zones.
2. In the ZONES column, select a zone.
• If devices have not been added to the zone yet, the ZONE
PROPERTIES are displayed in the right pane.
• If devices have been added to the zone, select the pencil icon
next to the zone name to display ZONE PROPERTIES.
3. Change the properties of the zone as appropriate.
As the settings are changed the FactoryTalk Policy Manager title bar
updates to show that the changes have been saved.
Tip: You can also edit the properties of a zone in the zone Overview table or open the zone
properties pane from the Overview table.

See also
Zone properties on page 47
Add a zone on page 45
Delete a zone on page 46

Delete a zone
Delete a zone that is no longer needed.


IMPORTANT Deleting a zone removes all devices, conduits, and endpoints assigned to the zone. To
retain the devices in the device list, edit the device properties to reference a different
zone or the unassigned zone before deleting the zone. Create conduits as needed.

To delete a zone
1. In the FactoryTalk Policy Manager navigation bar, select Zones.
2. Either:


• In the ZONES column, next to the zone name, select the Delete
icon.
• In the Overview table, select the zone name, then select the Delete
icon from the toolbar.
3. A confirmation message appears, listing the items that will be deleted together with the zone. To continue deleting the zone, select DELETE.
The zone is deleted from the zone list and is no longer part of the
security model.

See also
Add a zone on page 45
Edit zone properties on page 46
Edit device properties on page 66

Zone properties
Use zone properties to define the security settings to apply to devices that are assigned to this zone.
The zone properties are:
Property Description
General The settings in this area differentiate this zone from other zones.
• Name The name for the zone.
• Description A description for the zone.
CIP Security Communication The settings in this area relate to how the devices in the zone
communicate with other devices.
• Enable CIP Security Enable CIP Security options for the zone. When selected, additional
configuration options are available.
Non-CIP Security capable devices can be added to a zone with CIP
Security enabled. These devices will have an information icon
displayed stating Incompatible with zone configuration. These
devices won’t receive CIP Security policy themselves, but devices in
this zone that are CIP Security capable will add the IP address of the
non-CIP Security capable device to their Trusted IP list so that
communication between the devices can occur.

• Authentication Method Select which method the devices use to authenticate.
Certificate
A digital certificate is an electronic representation of an identity. A
certificate binds the identity's public key to its identifying
information, such as name, organization, email, username, and/or a
device serial number. This certificate is used to authenticate the
connection to other devices. Selected by default when CIP Security
is enabled.
Pre-shared Key
A pre-shared key is a secret that is shared among trusted entities.
Every device in the zone holds the same key, so a key recovered from
any one device authenticates to all of them; certificates identify
each device individually. FactoryTalk Policy Manager can create a key
that can be shared.
• To generate a pre-shared key, select Auto-generate key.
• To view the key, select Show Key.
Non-CIP Security capable devices do not use any authentication
method. If non-CIP Security capable devices are present in a zone,
an information message displays stating "incompatible devices in
zone" when Certificate or Pre-shared Key is selected.
• I/O Data Security Select the type of security check to perform on the input and output
data.
Integrity Only
Checks whether data was altered and whether the data was sent by
a trusted entity. Altered and/or untrusted data is rejected. Selected
by default when CIP Security is enabled.
Integrity & Confidentiality
Checks integrity and encrypts the data so the corresponding
decryption key is required to read the data. Rejects altered and/or
untrusted data.
None
No I/O Data Security setting is selected. Even when no I/O security is
configured, only devices within the zone or from a conduit are
capable of I/O data communications. Other devices will be blocked.
Non-CIP Security capable devices do not use any I/O Data Security
method. If non-CIP Security capable devices are present in a zone,
an information message displays stating "incompatible devices in
zone" when I/O Data Security is selected.
• Messaging Security Select the type of security check to perform on messages received
by devices in the zone.
Integrity Only
Checks whether data was altered and whether the data was sent by
a trusted entity. Rejects altered and/or untrusted data. Selected by
default when CIP Security is enabled.
Integrity & Confidentiality
Checks integrity and encrypts the data so the corresponding
decryption key is required to read the data. Rejects altered and/or
untrusted data.
Non-CIP Security capable devices do not use any Messaging Security
and cannot provide data integrity checking. If non-CIP Security
capable devices are present in a zone, an information message
displays stating "incompatible devices in zone" when Messaging
Security is selected.

• TCP/UDP Ports Lists the protocols supported and the port assigned to each. Use the
checkbox to disable communications over that port for the devices
in the zone.
Ports on non-CIP Security capable devices cannot be enabled or
disabled using zone properties.
CIP Bridging These settings apply only to zones with CIP Security enabled. The
available options may be restricted by Global Settings. Allow all
traffic also passes unsecured USB traffic to the backplane; use Allow
secure traffic unless that is intended.
• Inbound CIP Bridging to the Backplane
Allow all traffic
Allows bridging of secure and trusted IP traffic from the EtherNet/IP
interface to the backplane and other physical ports (for example:
Ethernet, USB). Also allows bridging of unsecure traffic from the USB
port.
Allow secure traffic
Allows bridging of only secure traffic from the secured EtherNet/IP
interface to the backplane and other physical ports (for example:
Ethernet, USB). Blocks bridging of unsecure traffic from the USB port.
Block all traffic
Blocks bridging of any traffic from the secured EtherNet/IP interface.
Note: Physical port support depends on the hardware platform.
• Outbound CIP Bridging from the Backplane
Allow all traffic
Allows bridging of all traffic to the EtherNet/IP interface and the
USB port.
Block all traffic
Blocks bridging of any traffic to the EtherNet/IP port and the USB
port.

See also
Add a zone on page 45
Edit zone properties on page 46
Zones on page 45
Devices on page 58
Configure port properties on page 63
CIP Bridging Control on page 25

Conduits Conduits create trusted communication pathways outside of zones. Conduits
require two endpoints, such as:
• Two different zones.
• Two different devices.
• A zone and a device.
Conduits support two authentication methods:

• Trusted IP
Trusted IP assigns a trust relationship to an asset based solely on its IP
address. No cryptographic check of the peer is performed, so this method
only limits which addresses may communicate and gives no protection against
a host that spoofs or takes over a trusted address.
• Certificate
Certificate authentication methods establish the identity of the device
through the use of a certificate from a trusted authority. This enables
configuration of integrity and confidentiality options for
communication over the conduit using the public key associated with
the certificate.
IMPORTANT If an endpoint is a zone and the conduit uses certificate authentication,
devices in that zone that don’t support CIP Security will not use the certificate
for communication. The CIP Security capable devices will trust the non-CIP
Security devices using Trusted IP.

See also
Add a conduit on page 50
Edit conduit properties on page 51
Delete a conduit
Conduit properties on page 52

Add a conduit Add a conduit to connect two endpoints. Endpoints can be either a device or a
zone.
Conduits must adhere to these rules:
• Each combination of endpoints must be unique.
• Duplicate conduits are not permitted.
• One of the endpoints must be CIP Security capable.
• If one endpoint is a zone, the other endpoint cannot be a device within
that zone.

To add a conduit
1. In the FactoryTalk Policy Manager navigation bar, select Conduits.
2. On the toolbar, select Add [+].
CONDUIT PROPERTIES pane opens.
3. In Endpoint 1, next to Select an endpoint select Browse for Endpoint
[...]. Select Endpoint opens.
4. Choose a zone or device to assign as the first endpoint of the conduit.
Tip: In Filter, type part of the name to list only endpoints that match that criteria.

After selecting the endpoint, select OK.

5. In Endpoint 2, next to Select an endpoint select Browse for Endpoint
[...]. Select Endpoint opens.
6. Choose a zone or device to assign as the second endpoint of the
conduit. After selecting the endpoint, select OK.
7. Select Next to create the conduit.
The conduit is created and its properties can be configured as needed.
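The zone and conduit rules in this chapter (a non-CIP Security capable device inside a CIP Security zone is only trusted by IP address; each endpoint combination must be unique; one endpoint must be CIP Security capable; a zone cannot be paired with one of its own devices; and under certificate authentication the non-capable devices of a zone endpoint fall back to Trusted IP) are easy to violate in a large model. The Python lint below is an added example, not FactoryTalk Policy Manager code or its model file format: it checks a hand-built model against those rules. The Device, Zone and Conduit records, the finding codes and the sample plant in sample_model() are hypothetical, and treating a zone endpoint as CIP Security capable when CIP Security is enabled and at least one member is capable is an assumption.

```python
"""Lint a zone/conduit security policy model against the rules in this chapter.

Added example, not Rockwell Automation code: the Device, Zone and Conduit
records, the finding codes and sample_model() are hypothetical. Only the rules
themselves come from the zone and conduit descriptions in this guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    cip_security_capable: bool
    zone: Optional[str] = None      # None = the unassigned zone


@dataclass(frozen=True)
class Zone:
    name: str
    cip_security: bool = False      # "Enable CIP Security"
    auth: str = "Certificate"       # or "Pre-shared Key"


@dataclass(frozen=True)
class Conduit:
    name: str
    endpoint1: str                  # zone name or device name
    endpoint2: str
    auth: str = "Trusted IP"        # or "Certificate"


Finding = Tuple[str, str]           # (code, message)


def validate(zones: List[Zone], devices: List[Device],
             conduits: List[Conduit]) -> List[Finding]:
    """Return findings for the model; an empty list means it passes every rule."""
    zone_by = {z.name: z for z in zones}
    dev_by = {d.name: d for d in devices}
    out: List[Finding] = []

    def members(zone_name: str) -> List[Device]:
        return [d for d in devices if d.zone == zone_name]

    def capable(endpoint: str) -> bool:
        # Assumption: a zone endpoint is CIP Security capable when CIP Security
        # is enabled on it and at least one member device is capable.
        if endpoint in dev_by:
            return dev_by[endpoint].cip_security_capable
        z = zone_by[endpoint]
        return z.cip_security and any(d.cip_security_capable for d in members(z.name))

    # Zone rule: a non-capable device in a CIP Security zone is "incompatible";
    # its capable peers only add its IP address to their Trusted IP list.
    for z in zones:
        for d in members(z.name):
            if z.cip_security and not d.cip_security_capable:
                out.append(("INCOMPATIBLE_IN_ZONE", f"zone {z.name!r} ({z.auth}): "
                            f"{d.name} is trusted by IP {d.ip} only"))

    seen = set()
    for c in conduits:
        eps = (c.endpoint1, c.endpoint2)
        unknown = [e for e in eps if e not in dev_by and e not in zone_by]
        for e in unknown:
            out.append(("UNKNOWN_ENDPOINT", f"conduit {c.name!r}: {e!r} is not a zone or device"))
        if unknown:
            continue
        pair = frozenset(eps)
        if len(pair) != 2:
            out.append(("SAME_ENDPOINT", f"conduit {c.name!r}: both endpoints are {c.endpoint1!r}"))
            continue
        if pair in seen:                       # each endpoint combination must be unique
            out.append(("DUPLICATE_CONDUIT", f"conduit {c.name!r}: {eps} already has a conduit"))
        seen.add(pair)
        if not (capable(c.endpoint1) or capable(c.endpoint2)):
            out.append(("NO_CAPABLE_ENDPOINT", f"conduit {c.name!r}: no CIP Security capable endpoint"))
        for zone_name, dev_name in (eps, eps[::-1]):   # zone paired with its own member
            if zone_name in zone_by and dev_name in dev_by and dev_by[dev_name].zone == zone_name:
                out.append(("DEVICE_INSIDE_ZONE_ENDPOINT",
                            f"conduit {c.name!r}: {dev_name} is a member of zone {zone_name!r}"))
        if c.auth == "Certificate":
            # Non-capable devices in a zone endpoint cannot use the certificate.
            for zone_name in (e for e in eps if e in zone_by):
                for d in members(zone_name):
                    if not d.cip_security_capable:
                        out.append(("CERT_FALLBACK_TRUSTED_IP", f"conduit {c.name!r}: "
                                    f"{d.name} in {zone_name!r} falls back to Trusted IP {d.ip}"))
        else:
            out.append(("TRUSTED_IP_ONLY", f"conduit {c.name!r}: endpoints are trusted by "
                        "IP address alone, with no cryptographic authentication"))
    return out


def sample_model():
    """Constructed plant with one deliberate violation of each rule."""
    zones = [Zone("Line1", cip_security=True), Zone("Legacy")]
    devices = [Device("PLC1", "10.0.1.10", True, "Line1"),
               Device("IO1", "10.0.1.11", True, "Line1"),
               Device("Drive-old", "10.0.1.20", False, "Line1"),
               Device("HMI1", "10.0.2.5", False, "Legacy"),
               Device("Eng-WS", "10.0.3.7", True)]
    conduits = [Conduit("Line1-HMI", "Line1", "HMI1", "Certificate"),
                Conduit("WS-Legacy", "Eng-WS", "Legacy"),
                Conduit("bad-member", "Line1", "PLC1"),
                Conduit("dup", "HMI1", "Line1"),
                Conduit("no-cap", "Legacy", "Drive-old")]
    return zones, devices, conduits


if __name__ == "__main__":
    for code, msg in validate(*sample_model()):
        print(f"{code:28} {msg}")
```

Run it over the model before deploying; every TRUSTED_IP_ONLY, INCOMPATIBLE_IN_ZONE or CERT_FALLBACK_TRUSTED_IP finding marks a communication path that is authenticated by IP address alone, which is the list you want to review with the network team.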

See also
Conduit properties on page 52
Edit conduit properties on page 51
Delete a conduit

Edit conduit properties Conduits allow trusted communication outside of zones. Conduits require
two endpoints defined in Conduit properties. An endpoint is a zone or device.
Edit the properties of a conduit if the type of security used on the conduit
needs to be updated or if you want to change an endpoint.
Tips:
• CONDUIT PROPERTIES is automatically opened to the most recently configured conduit.
• Select an active cell in the table to directly edit a property.

To edit conduit properties


1. In the FactoryTalk Policy Manager navigation bar, select Conduits.
2. To edit a different conduit, select a conduit from the list to display its
properties.
3. Change the conduit properties. If both endpoints are CIP Security
capable, configure CIP Security Communication.
• In I/O Data Security and Messaging Security choose either:
Integrity only - Use to check if the data or message was altered and
reject altered information.
Integrity & Confidentiality - Use to check integrity plus encrypt the
data or message so the corresponding decryption key is required to
read the information. Rejects altered and/or untrusted information.
• In I/O Data Security, choose None to stop using additional security
checks on I/O data.

See also
Conduit properties on page 52

Add a conduit on page 50
Delete a conduit on page 52

Delete a conduit Delete a conduit that is no longer needed.


IMPORTANT Deleting a conduit removes the connection between two endpoints.

To delete a conduit
1. In the FactoryTalk Policy Manager navigation bar, select Conduits.
2. In the table, select the conduit name from the list, then select the
Delete icon from the toolbar.
3. When the confirmation message displays, select DELETE.
The conduit is deleted from the conduit list and is no longer part of the
security model.

See also
Add a conduit on page 50
Edit conduit properties on page 51

Conduit properties Use conduit properties to define the endpoints and security settings to apply
to communications over this conduit. Endpoints are either a zone, a device, or
a port of a device. Each conduit must be a unique combination of endpoints.
The conduit properties are:
Property Description
Endpoint 1 The first endpoint of the conduit. The list is composed of the zones
and devices that are identified in FactoryTalk Policy Manager.
Endpoint 2 The second endpoint of the conduit.
Name Type a name for the conduit.
Description Type a description for the conduit.
Authentication Method Determines how the conduit verifies the identity of the assigned
devices and/or zones.
• Trusted IP
Devices and zones are trusted for communications based on
their IP address. No additional security checks are performed.
• Certificate
Devices and zones are trusted by presenting a certificate that
establishes their identity.
With this setting selected, configure the I/O Data Security and
Messaging Security settings.

I/O Data Security Determines the type of security check performed on the input and
output data sent over the conduit.
• Integrity Only
Checks whether the data was altered and whether it was sent by a
trusted entity. Rejects altered and/or untrusted data.
• Integrity & Confidentiality
Checks integrity and encrypts the data so the corresponding
decryption key is required to read the data. Rejects altered
and/or untrusted data.
• None
With this option, no security checks are performed on input and
output data.
This setting is available when you choose Certificate as the
Authentication Method.
Messaging Security Determines the type of security check performed on messages
received by the conduit endpoints.
• Integrity Only
Checks whether the message was altered and whether it was sent by
a trusted entity. Rejects altered and/or untrusted messages.
• Integrity & Confidentiality
Checks integrity and encrypts the message so the corresponding
decryption key is required to read it. Rejects altered and/or
untrusted messages.
This setting is available when you choose Certificate as the
Authentication Method.

See also
Add a conduit on page 50
Edit conduit properties on page 51

Discovery Use Discovery to traverse your system and find devices. Devices found in
discovery can be added to the device list and assigned to zones. Discovery can
be useful for populating a list of devices or for checking that the devices added
to the list manually are accurately identified.

See also
Discovery pane on page 53
Discover devices on page 54
Navigate the Discovery pane on page 55
Perform a search from the Discovery pane on page 55
Add drivers from the Discovery pane on page 56

Discovery pane How do I access the Discovery pane?

From FactoryTalk Policy Manager, click the Discovery icon on the right
toolbar to launch the Discovery pane.

The Discovery pane is used to traverse device networking configurations.


Use the Discovery pane to:
• Navigate a network topology to locate a device for interaction
• Automatically discover devices
• Add and delete drivers
• Edit driver settings
• Search for devices

See also
Discovery on page 53
Discover devices on page 54
Navigate the Discovery pane on page 55
Perform a search from the Discovery pane on page 55
Add drivers from the Discovery pane on page 56

Discover devices Use Discovery to traverse your system and find devices. Devices found in
discovery can be added to the device list and assigned to zones.
Tip: Discovery can show multiple child devices under one CIP Proxy device. This can occur when a
security policy is not yet deployed to the CIP Proxy device. After security policy deployment,
Discovery will show only the proxied device as a child.

To discover devices
1. In the right toolbar, select Discovery.
2. The Discovery pane opens displaying the FactoryTalk Linx network
tree.
3. (optional) Turn on the CIP Security indicator by clicking the shield
icon on the toolbar.
With the indicator enabled, each CIP Security capable device on the
network is marked with an icon showing one of these states:
• The device supports CIP Security and no configuration action has
been taken yet.
• The device is in the CIP Security configuration process.
• The device is successfully configured with CIP Security.
• The device is not recognized.
• The device configuration is in error.
Tip: If a device does not support CIP Security, there is no icon in front of it.

4. Select the device to add to the model and then select ADD to add the
device to the opened Zone table and the Device table.
Multiple devices can be selected and added at once.
Tip: To add a device, you can also:
• Drag a device from Discovery to the device table.
• Drag a device from Discovery to Canvas.
• Use the Add command from the context menu in Discovery.

See also
Ports on page 62
Add a range on page 70
Edit device properties on page 66

Navigate the Discovery pane
Use the Discovery pane to browse the network and display information.
Resize the Discovery pane to see more or less of a network topology.
The Discovery pane includes these items:
Item Description
Add Adds new devices to the selected zone.
Auto Browse Enables the Discovery pane to continuously discover the devices and
networks.
Settings Opens Settings to configure network discovery settings.
Configure Drivers Adds a driver on the computer to provide communications to a network and
configures existing drivers for edit or delete.
CIP Security Shows or hides the CIP Security configuration status of a device.
Filter Provides a filtered list of devices based upon the specified search criteria.
Zoom Increases (zoom in) or decreases (zoom out) the view of the network topology
tree.

See also
Discover devices on page 54

Perform a search from the Discovery pane
Use the Discovery pane to search for a device to determine its location. After
the initial discovery of the network topology, you can use filters to limit the
scope of the search.
When using filters, be aware of these functional details:
• Filter only examines devices detected or viewed by the browser.
Initiating a search will not cause the browser to discover a new device.

• Filter text can contain alphanumeric characters and can be full words,
compound expressions, fragments of a word, or a single letter or
number.
• Clear the search text to return to the network topology tree view.
• Filter includes predefined search criteria to filter search results by
device, name, path, and IP address.

To perform a search from the Discovery pane


1. In Filter, type a keyword and then press Enter. Search text can contain
alphanumeric characters and can be full words, compound
expressions, fragments of a word, or a single letter or number.
Tip: To find an exact match to the keyword, enclose the keyword in quotation marks.

The Discovery pane examines the text and presents all known devices
in the network topology tree that match the search criteria.
2. (optional) Select a search filter by clicking the filter icon to narrow the
search results to keywords associated with the selected device
parameter:
• Device. The name of the device. Example: 1756-L
• OnlineName. The online name of the device. Example: Packaging
line
• Path. The communications path used for the device: Example:
AB-Eth
• Address. The IP address or a portion of the IP address of the device:
Example: 10.122.155
3. (optional) Use operators between keywords to refine the search results
using a logical statement:
• AND to search for two or more keywords.
• OR to search for several keywords.
Tip: An example of using operators between keywords to refine search results is
Device: 1756-L OR Device: 1768-L
This search locates both ControlLogix and CompactLogix controllers.
4. The Discovery pane refreshes the results within a few seconds as you
type, whether or not you press Enter.
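The filter syntax described above (bare keywords as case-insensitive substrings, quotation marks for an exact match, the Device:, OnlineName:, Path: and Address: prefixes, and the AND and OR operators) can be reproduced outside the tool, for example to pre-filter an exported device inventory before comparing it with the security policy model. The Python parser below is an added example, not FactoryTalk Policy Manager code. Its inventory is constructed, and the precedence it assumes (AND binds tighter than OR, and adjacent keywords are ANDed) is not stated on the page.

```python
"""Evaluate Discovery-pane style filter expressions over a device inventory.

Added example, not FactoryTalk Policy Manager code. Implements bare keywords,
"quoted" exact matches, Device:/OnlineName:/Path:/Address: prefixes and the
AND/OR operators over a constructed inventory. Assumptions: AND binds tighter
than OR, adjacent keywords imply AND, and the sample devices are made up.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Discovered:
    device: str         # product name as shown in the tree, e.g. 1756-L85E
    online_name: str
    path: str
    address: str


FIELDS = {"device": "device", "onlinename": "online_name",
          "path": "path", "address": "address"}
Pred = Callable[[Discovered], bool]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(text: str) -> List[Tuple[str, str]]:
    """("exact", value) for "quoted" text, ("word", value) otherwise."""
    return [("exact", m.group(1)) if m.group(1) is not None else ("word", m.group(2))
            for m in TOKEN.finditer(text)]


def match_term(field: Optional[str], kind: str, value: str) -> Pred:
    attrs = [field] if field else list(FIELDS.values())   # no prefix: any field
    needle = value.lower()
    if kind == "exact":
        return lambda d: any(getattr(d, a).lower() == needle for a in attrs)
    return lambda d: any(needle in getattr(d, a).lower() for a in attrs)


def parse(text: str) -> Pred:
    """or_expr := and_expr (OR and_expr)*; and_expr := term ([AND] term)*;
    term := [Field:] keyword. Raises ValueError on a dangling operator."""
    toks = tokenize(text)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def term() -> Pred:
        nonlocal pos
        tok = peek()
        if tok is None or tok in (("word", "AND"), ("word", "OR")):
            raise ValueError("expected a keyword")
        pos += 1
        kind, val = tok
        field = None
        if kind == "word" and ":" in val:
            head, tail = val.split(":", 1)
            if head.lower() in FIELDS:
                field = FIELDS[head.lower()]
                if tail:                          # Device:1756-L
                    val = tail
                else:                             # Device: 1756-L (value is next token)
                    nxt = peek()
                    if nxt is None:
                        raise ValueError(f"missing value after {head}:")
                    kind, val = nxt
                    pos += 1
        return match_term(field, kind, val)

    def and_expr() -> Pred:
        nonlocal pos
        preds = [term()]
        while peek() is not None and peek() != ("word", "OR"):
            if peek() == ("word", "AND"):
                pos += 1
            preds.append(term())
        return lambda d: all(p(d) for p in preds)

    def or_expr() -> Pred:
        nonlocal pos
        preds = [and_expr()]
        while peek() == ("word", "OR"):
            pos += 1
            preds.append(and_expr())
        return lambda d: any(p(d) for p in preds)

    if not toks:
        return lambda d: True                     # empty filter shows the whole tree
    pred = or_expr()
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return pred


def search(text: str, inventory: List[Discovered]) -> List[str]:
    """Device names from the inventory that match the filter text."""
    pred = parse(text)
    return [d.device for d in inventory if pred(d)]


INVENTORY = [   # constructed sample; paths use FactoryTalk Linx style driver\address notation
    Discovered("1756-L85E", "Packaging line", r"AB-Eth-1\10.122.155.10", "10.122.155.10"),
    Discovered("1756-EN4TR", "Packaging line", r"AB-Eth-1\10.122.155.10\Backplane\2", "10.122.155.10"),
    Discovered("1768-L45", "Case packer", r"AB-Eth-1\10.122.155.21", "10.122.155.21"),
    Discovered("5069-L320ERS2", "Palletizer", r"AB-Eth-2\10.122.160.5", "10.122.160.5"),
]

if __name__ == "__main__":
    print(search("Device: 1756-L OR Device: 1768-L", INVENTORY))
```

The page's own example, Device: 1756-L OR Device: 1768-L, returns the ControlLogix and CompactLogix controllers and leaves the 1756-EN4TR communication module out, because the substring 1756-L does not occur in its name.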

See also
Devices on page 58

Add drivers from the Discovery pane
A driver is the software interface to the computer or workstation hardware
that allows the computer to communicate with a network to detect and
communicate with a control system device. If a device is not detected in the
Discovery pane, select the Drivers icon to add or modify a driver
configuration.


To add a driver from the Discovery pane


1. From the Discovery pane, click the Drivers icon.
2. In Configure Drivers list, select a driver, and then select the configure
icon. Configure Driver properties opens.
3. (optional) On the General tab, assign a name for the device.
4. Under Discovery Method, select either:
• Device List/Range. A discovery message is sent to each specified
individual IP address. The list can identify target devices using the
device name, IP address, or IP address range.
• Broadcast. A broadcast UDP message is sent to all devices on the
network at once.
5. In Interface select the physical port of the computer.
Tip: Select Listen on Ethernet/IP encapsulation ports to listen on port 44818, the standard
EtherNet/IP encapsulation port, so that the Discovery pane will update in response to network
browse requests and receive unsolicited messages from Logix5000 controllers.
6. Select Tuning and configure the tuning settings to change how fast
items on the network are discovered.
• Device discovery poll rate (msec). Defines how often (in
milliseconds) the Discovery pane requests data from a device. For
example, a poll rate of 1000 ms results in data being requested every
second. This setting is inactive when the driver utilizes broadcast
discovery.
Tip: When a driver makes a discovery request to a device, it waits for the amount of
time specified by the Device discovery poll rate before making a request to a new
device. Setting this rate to a higher value slows down the rate that devices appear in
the browser tree, and reduces the number of messages sent on the network.
• Offline device discovery poll rate. Defines how often (in
milliseconds) the Discovery pane waits to try to establish
communication with an offline device. For example, a poll rate of
10,000 results in a 10-second delay before additional requests are
sent to a device that was offline. This setting is inactive when the
driver uses broadcast discovery.
Tip: Setting this rate to a higher value slows down the rate that a newly attached device
appears in the browser tree, and reduces the number of messages sent on the network.
• Poll interval between discovery cycles (msec). The number of
milliseconds that occur between each query of the network by the
Discovery pane.
Tip: After a driver polls the network branch, it waits the amount of time specified by the
Poll Interval between discovery cycles before starting another discovery cycle. Setting
the Poll interval between discovery cycles to a higher value reduces the number of
network messages sent.
• Poll timeout (msec). Specifies the amount of time (in milliseconds)
to wait for a device to respond to a request.
• Maximum concurrent packets to this network. Used to configure
the maximum number of requests that can be waiting for a
response on this network at any given time as part of the discovery
process.
7. Click Apply.
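With the Broadcast discovery method above, the driver sends one UDP datagram to port 44818. On the wire that is the EtherNet/IP encapsulation ListIdentity request, and every EtherNet/IP device that hears it replies with its identity, which is where the vendor, product, revision and serial number shown in the Discovery pane come from. The Python script below is an added example, not FactoryTalk Linx code: it builds that request, parses a reply into those fields, and can broadcast it on a live network so you can see what discovery traffic looks like in a capture or reproduce it from a scanning host. The reply in sample_reply() is constructed, not captured; its product name, product code, serial number and state are made-up values.

```python
"""Build an EtherNet/IP ListIdentity request and parse ListIdentity replies.

Added example, not FactoryTalk Linx code. The 24-byte encapsulation header and
the ListIdentity item layout are the public EtherNet/IP formats; sample_reply()
is constructed, not captured, and its identity values are made up.
"""
import socket
import struct
from typing import Dict, List

ENIP_PORT = 44818                       # EtherNet/IP encapsulation port (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
# Encapsulation header: command, length, session, status, 8-byte sender context, options
HEADER = struct.Struct("<HHII8sI")
# Identity fields after the sockaddr: vendor, device type, product code,
# revision major, revision minor, status word, serial number
IDENTITY = struct.Struct("<HHHBBHI")


def build_list_identity_request(context: bytes = b"\0" * 8) -> bytes:
    """Header-only request; broadcast it over UDP to port 44818."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, context[:8].ljust(8, b"\0"), 0)


def parse_identity_item(item: bytes) -> Dict:
    if len(item) < 34 or 33 + item[32] >= len(item):
        raise ValueError("identity item too short")
    (encap_version,) = struct.unpack_from("<H", item, 0)
    # sockaddr_in is sent big-endian: family, port, address, then 8 zero bytes
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product, rev_major, rev_minor, status, serial = IDENTITY.unpack_from(item, 18)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", "replace")
    return {"encap_version": encap_version, "ip": socket.inet_ntoa(addr), "port": port,
            "vendor_id": vendor, "device_type": dev_type, "product_code": product,
            "revision": (rev_major, rev_minor), "status": status, "serial": serial,
            "product_name": name, "state": item[33 + name_len]}


def parse_list_identity_response(packet: bytes) -> List[Dict]:
    """Return one dict per ListIdentity item; raise ValueError on malformed input."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than encapsulation header")
    cmd, length, _session, status, _ctx, _opts = HEADER.unpack_from(packet)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated body")
    (count,) = struct.unpack_from("<H", body, 0)
    offset, items = 2, []
    for _ in range(count):
        if offset + 4 > len(body):
            raise ValueError("truncated item header")
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        item = body[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("truncated item")
        offset += item_len
        if type_id == ITEM_LIST_IDENTITY:
            items.append(parse_identity_item(item))
    return items


def sample_reply() -> bytes:
    """Constructed reply from a hypothetical controller at 10.0.1.10."""
    name = b"1756-L85E/B"
    item = (struct.pack("<H", 1)                                   # encapsulation version
            + struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton("10.0.1.10"), b"\0" * 8)
            + IDENTITY.pack(1, 0x0E, 0x00B1, 33, 11, 0x0030, 0x00C0FFEE)  # vendor 1 = Rockwell, type 0x0E = PLC
            + bytes([len(name)]) + name + bytes([0x03]))
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"\0" * 8, 0) + body


def discover(timeout: float = 2.0, iface_ip: str = "0.0.0.0") -> List[Dict]:
    """Broadcast one request on a live network and collect replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    sock.bind((iface_ip, 0))
    sock.sendto(build_list_identity_request(), ("255.255.255.255", ENIP_PORT))
    found = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for ident in parse_list_identity_response(data):
                found.append(dict(ident, reply_from=src))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    print(parse_list_identity_response(sample_reply()))
```

Because ListIdentity is unauthenticated and answered by any EtherNet/IP device, the same datagram is what port scanners use to inventory a plant network; a firewall rule that blocks UDP 44818 from outside the cell also stops the Discovery pane's broadcast from crossing that boundary, which is when the Device List/Range method or a bridge becomes necessary.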

See also
Discover devices on page 54

Configure Settings from the Discovery pane
Configure Settings to control the discovery behavior and create bridges
across networks. Once a network is bridged, a conduit can be created between
the networks.

To configure Settings from the Discovery pane


1. From the Discovery pane, select the Settings icon.
2. On the General tab, select as appropriate:
• Enable Automatic Discovery. Enables the Discovery pane to
automatically discover devices on the network. When selected, the
Make Discovery Continuous (Autobrowse) item is also selected.
Both items toggle on or off together.
Tip: This feature can also be enabled or disabled from the Discovery pane toolbar
using the Auto discover icon.
3. To create a bridge across networks, select the Bridged tab and then
select Add New.
4. In Add Bridge, under Name type a name for the bridge.
5. Next to Selected Target Bridge Network, select Browse (...).
In Bridge Path Selection, select the network to connect the current network
and then select OK.
Tip: To add an existing configuration path from another bridge instead of creating a new target
bridge path, click the Copy Setting From list and select a configuration. If there are no existing
configuration paths to select, Empty is displayed in the Copy Setting From list.

See also
Conduits on page 49

Devices Devices are the modules, drives, controllers, HMI panels, computers, CIP
Proxy devices, and servers that work together to create a FactoryTalk system.
Add devices that share security requirements and that should trust each other
to a zone. A device can have one or more ports that are added to the security
model. Devices can be added manually or discovered by querying the network
for devices.
Devices are connected to other devices or zones by conduits.


See also
Discovery on page 53
Add a device to a zone on page 60
Add a device to the device table on page 61
Configure port properties on page 63
Remove the security policy from a device on page 69

CIP Proxy devices The CIP Proxy device is CIP-Security capable and can be communicated to
securely. It is placed on the communication path to a non-CIP Security
capable device and allows for secure communication to that device.
IMPORTANT CIP Proxy devices cannot be used as proxies for controllers or HMI devices.

When first installed, the proxy device allows all communication to pass
through. Once the proxy is configured to represent a device, then it only
allows communication to that one device. The proxy can only represent a
device that does not yet exist in the security policy model. To configure a
device as a proxied device after it has been added to the security policy model,
delete the device and add it again as a proxied device. After you deploy the
security policy model, you cannot change which device is proxied until you
delete the proxy and the proxy device, and add them again.
The CIP Proxy device has the same device properties as other devices when
configured using FactoryTalk Policy Manager:
• Vendor
• Firmware Revision
• CIP Security capable
• Ports
CIP Proxy devices have only a single port. That port is used to proxy the port of
another device. The device being proxied is identified using the Port Proxied
setting.
The CIP Proxy device can be placed in a different zone than its proxied device.
When you move a CIP Proxy device to a different zone in the model, the
proxied device is not affected, it stays assigned to the same zone.
Tip: If you used the EDS file or Discovery to add the CIP Proxy device and associate a proxied
device, the properties settings are automatically configured.
If you are working with a Generic device, you must configure the proxy manually.

See also
Discovery on page 53
Configure port properties on page 63

Port properties on page 64

Add a device to a zone Add a device to a zone to include it in the FactoryTalk Policy Manager security
model. Alternatively, use discovery to find devices on the network.

To add a device
1. In the FactoryTalk Policy Manager navigation bar, select:
• Zones and then select a zone in the Zones table to add a device to
the selected zone's device list.
• Devices to add a device. By default the device is unassigned.
2. On the toolbar, select:
• Add Device [+] to manually add a device to the current device table
by selecting its catalog number or to add a generic device.
• Discovery to select and add devices [+] found on the network to the
current device table.
Tips:
• To add a device, you can also:
• Drag a device from Discovery to the device table.
• Use the Add command from the context menu in Discovery.
• When you add a proxy device, you are prompted to select a proxied device.
DEVICE PROPERTIES opens.
3. (optional) In Device Name, type a name for the device. Generic devices
are automatically named Device <number>. Devices selected by catalog
number or discovered are already named.
4. (optional) In Description, type a description of the device. The
description of generic devices is empty by default. Devices selected by
catalog number or discovered may have an existing description.
5. For generic devices, in Catalog Number, select the ellipsis [...] and
choose the catalog number for the device from the list.
Tip: Filter the list of catalog numbers by typing a portion of the catalog number in the space
provided.
6. (optional) In Vendor, type the name of the device manufacturer. If a
Rockwell Automation/Allen-Bradley catalog number was provided, this
setting is completed by default and cannot be modified.
7. In Firmware Revision, choose the applicable firmware revision. This
setting is required to apply CIP Security settings to the device ports.
FactoryTalk Policy Manager automatically assigns the latest firmware
version to devices added using a catalog number or using Discovery.
8. (optional) Enable CIP Security capable if the device supports CIP
Security. It is not possible to change this setting after deploying the
security policy model.
CIP Security is associated with the Catalog Number and Firmware
Revision properties. When both values are known the CIP Security
capable setting is automatically enabled or disabled and is not editable.


9. Under Ports select the pencil icon next to the port to configure
port properties, such as the port name, description, EtherNet driver
name, IP address, and protocols used by the device.
Tip: For devices added from the Catalog, the default EtherNet driver name is Ethernet.
Change this value to reflect the appropriate FactoryTalk Linx driver.

See also
Configure port properties on page 63
Edit device properties on page 66
Delete a deployed device on page 66
Device properties on page 67

Replace a device on page 68

Add a device to the device table
Add a device to the device list to create a pool of devices that can then be
organized into zones. Alternatively, use discovery to find devices on the
network.

To add a device to the device table


1. In the FactoryTalk Policy Manager navigation bar, select Devices to
add a device that is not assigned to any zone.
2. On the toolbar, select Add Device [+] to manually add a device to the
current device table by selecting its catalog number or to add a generic
device.
Tip: To add a device, you can also:
• Drag a device from Discovery to the device table.
• Use the Add command from the context menu in Discovery.
3. (optional) In Device Name, type a name for the device. Generic devices
are automatically named Device <number>. Devices selected by catalog
number or discovered are already named.
4. (optional) In Description, type a description of the device. Generic
devices do not have a description. Devices selected by catalog number
or discovered may have an existing description.
5. For generic devices, in Catalog Number, select the ellipsis [...] and
choose the catalog number for the device from the list.
Tip: Filter the list of catalog numbers by typing a portion of the catalog number in the space
provided.
6. (optional) In Vendor, type the name of the device manufacturer. If a
Rockwell Automation/Allen-Bradley catalog number was provided, this
setting is completed by default and cannot be modified.
7. In Firmware Revision, choose the applicable firmware revision. This
setting is required to apply CIP Security settings to the device ports.

FactoryTalk Policy Manager automatically assigns the latest firmware
version to devices added using a catalog number or using Discovery.
8. (optional) Enable CIP Security capable if the device supports CIP
Security. It is not possible to change this setting after deploying the
security policy model.
CIP Security is associated with the Catalog Number and Firmware
Revision properties. When both values are known the CIP Security
capable setting is automatically enabled or disabled and cannot be
modified.
9. Under Ports select the pencil icon next to the port to configure
port properties, such as the port name, description, EtherNet driver
name, IP address, and protocols used by the device.
Tip: For devices added from the Catalog, the default EtherNet driver name is Ethernet.
Change this value to reflect the appropriate FactoryTalk Linx driver.

See also
Configure port properties on page 63
Edit device properties on page 66
Delete a deployed device on page 66
Device properties on page 67

Ports A port represents a physical socket of a device that allows communication
with another device using CIP Security.
FactoryTalk Linx Devices, CIP Proxy devices and Rockwell Automation devices
that are identified by catalog number have only a single port.
CIP Proxy devices and proxied devices have an additional section in PORT
PROPERTIES indicating the paired device.

Add ports to Generic Devices to add them to the security policy model.

See also
Add a port on page 62
Configure port properties on page 63
Port properties on page 64

Add a port Generic devices can have ports added to them to match their configuration.


To add a port
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and
then select a generic device from the FactoryTalk Policy Manager device
list.
2. In the PORT PROPERTIES pane, select the pencil icon next to the
device name to open the DEVICE PROPERTIES pane.
3. Under Ports select the plus [+] icon.
A new port is added to the Ports list.
4. Select the pencil icon next to the port number to configure port
properties, such as the port name, description, EtherNet driver, IP
address, and protocols used by the device.

See also
Configure port properties on page 63
Port properties on page 64

Configure port properties
Devices have ports that are associated with IP addresses, ports, and protocols.
Devices that have a specific catalog number have a predefined number of
ports with assigned protocols. If a device does not have a catalog number,
FactoryTalk Policy Manager adds it as a Generic Device. When a security
policy model includes generic devices, configure the number of ports on the
device.

To configure port properties
1. In the FactoryTalk Policy Manager navigation bar, select:
• Zones to configure port properties for a device in the zone device
table.
• Devices to configure port properties for any device in FactoryTalk
Policy Manager.
Select the device to configure from the device table. The properties
pane updates to display the port properties for that device.
Tips:
• When navigating to either zones or devices the PORT PROPERTIES pane opens automatically to
the last item configured.
• You can also edit the properties directly in the table by selecting the active cells.
2. (optional) If the device was added as a Generic Device, edit the port
name by selecting the Port Name setting and typing a new name.
Port names added through discovery of an associated EDS file are
read-only.
3. (optional) In Description, type a description of the port.

4. (optional) For CIP Security capable devices, in EtherNet Driver Name,
type the name of the EtherNet driver for the device. The default name
is Ethernet.
5. In IP Address, type the IP address of the device.
If the Clear configuration for previous IP Address confirmation dialog
appears, choose one of the following:
• Choose CLEAR CONFIGURATION if the previous IP address is
assigned to a different device.
The IP address and the device name are shown grayed-out and
struck through in the Devices table. These devices are removed from
the security model at the next deployment.
• Choose DON'T CLEAR CONFIGURATION if the previous IP address
is not in use.
IMPORTANT Changing the IP Address of a CIP Security Capable device in a CIP Security
enabled zone after deployment requires that the security configuration be
cleared for the previous address if that IP address is in use.

6. In the Policies area, configure the security policies for the device.
• In Zone, assign the device to the appropriate security zone.
• If the device is CIP Security capable and the port was assigned to a
CIP Security enabled zone, you can select Disable port HTTP (80) to
further control communications activity on the device.

See also
Device properties on page 67
Discovery on page 53

Port properties
Some of the following properties may be read-only for:
• The devices added to the Onboarding Area by Automatic Policy
Deployment.
• The devices that are not added to a secure zone.
Property Action

Device This area displays information about the device on which the port is
present.
• Device name The name of the device. Select the pencil icon next to the device
name to open the device properties.
• Device description Read-only information that describes the device function.
• Device catalog number Read-only information that provides the catalog number of the device.
General Use this area to configure the port on the device.
• Name The name for the port.
• Description The description for the port.


• EtherNet Driver name A drop-down list of the available EtherNet drivers used for
communication.
If the list does not contain a driver, add the driver with FactoryTalk®
Linx™.
This property is only available for the devices that support CIP Security.
• IP Address The IP address of the Ethernet port, for example: 10.88.11.11.
You cannot edit the IP address if you:
• Deployed the security policy to the device.
• Moved a device from the Onboarding Area to the security model.
Port Proxied Appears only for proxy devices. Shows the name and the IP address of
the device secured by this proxy device.
Select the pencil icon next to the device name to open the port
properties.
Proxy Device Appears only for proxied devices. Shows the name and the IP address of
the device securing this proxy device.
Select the pencil icon next to the device name to open the device
properties.
Policies Use this area to select the security zone and communication settings for
the port.
• Zone The name of the zone to which the port is assigned.
If Automatic Policy Deployment is enabled, the Onboarding Area displays
in the list of zones.
• Disable port HTTP (80) For CIP Security capable devices.
• When a device is CIP Security capable and placed in a zone using the
certificate authentication method, the HTTP Port usage can be
disabled.
When viewing the device list, the Disabled TCP Port column reflects
whether HTTP port 80 has been disabled.
• CIP Bridging This functionality applies only to CIP Security capable devices.
• Inbound CIP Bridging Allow all traffic
Allows bridging of secure and trusted IP traffic from the EtherNet/IP
interface to backplane and other physical ports (for example: Ethernet,
USB).
Note: Physical ports support is dependent on the hardware platform.
Allow secure traffic
Allows bridging of only secure traffic from the secured EtherNet/IP
interface to backplane and other physical ports (for example: Ethernet,
USB).
Note: Physical ports support is dependent on the hardware platform.
Block all traffic
Blocks bridging of any traffic from the secured EtherNet/IP interface.
• Outbound CIP Bridging Chassis size
Displays the number of slots in a chassis. The default number of slots
for manually added devices is 10. Change this value to reflect the
chassis capacity.
Slot 1 - 10
Select chassis slots for which to disable CIP Bridging.


See also
Add a port on page 62
Configure port properties on page 63
CIP Bridging Control on page 25
Automatic Policy Deployment on page 28

Edit device properties
Edit the device properties to change the device information, to enable CIP
Security options, or to modify the port configuration. The property changes
are applied the next time the security policy model is deployed.
Tips:
• When navigating to either zones or devices the PORT PROPERTIES pane opens automatically to
the last item configured.
• Select an active cell in the table to directly edit a property.

To edit device properties
1. In the FactoryTalk Policy Manager navigation bar, select:
• Zones and then select a zone in the Zones table to edit a device in
the selected zone's device table.
• Devices to edit any device on the FactoryTalk Policy Manager device
list.
2. In PORT PROPERTIES select the pencil icon next to the device
name to display DEVICE PROPERTIES.
3. Change the device properties as needed.
As the settings are changed the FactoryTalk Policy Manager title bar
updates to show that the changes have been saved.

See also
Device properties on page 67
Add a device to a zone on page 60
Delete a deployed device on page 66

Delete a deployed device
Delete a deployed device that is no longer needed. After a device is deleted,
the device name appears grayed-out and struck through in the device table.
Deleting a device also removes its security configuration. When you delete a
device from the proxy-proxied pair, both devices are deleted. The deleted
device remains in the Device table until the next time the model is deployed.
The properties of deleted devices are read-only.
IMPORTANT If a device has multiple ports, the additional ports must be deleted to delete the
device. These devices are shown in the device table with the port name appended
after the device name; for example, Device3:Port2.


To delete a device
1. In the FactoryTalk Policy Manager navigation bar, select Devices.
2. In the table, select the device name from the list, then select the Delete
icon from the toolbar.
3. When the confirmation message is displayed, select DELETE.
The device name is struck-through on the device table. The device is
removed from the security model upon deployment.

See also
Add a device to a zone on page 60
Add a device to the device table on page 61
Edit device properties on page 66
Replace a device on page 68
Remove the security policy from a device on page 69

Device properties
Use device properties to define the device information, security, and network
settings for a device. Device properties defined using the electronic data sheet
(EDS) for the device cannot be modified. A device can have one or more ports
that are added to the security model.
Some of the following properties may be read-only for:
• The devices added to the Onboarding Area by Automatic Policy
Deployment.
• The devices that are not added to a secure zone.
Property Description
General The settings that provide the identification parameters of the
device.
• Name The name of the device. The name is required and must be unique.
• Description (optional) A description for the device.
• Catalog Number (optional) If defined using device discovery, the catalog number
cannot be changed. Otherwise, choose a catalog number from the
list. Choosing a Rockwell Automation catalog number automatically
completes the Vendor information.
A device without a catalog number is listed as a Generic Device.
• Vendor (optional) The name of the device's vendor.
• Firmware Revision The firmware revision number of a device.
Required to enable CIP Security for a device.
• CIP Security Capable Identifies whether a device can use the security settings of the
zone.
Select to configure additional CIP Security settings for a generic
device.
Note: The Catalog Number and firmware revision determine the
CIP Security capability of a device automatically.

USB This section is only available for the devices with the CIP
Security Capable property enabled.
The available options may be restricted by Global Settings.
• Disable CIP Bridging through USB When selected, it disables inbound and outbound CIP Bridging
through the USB port.
When cleared, it enables inbound traffic through the USB port.
Outbound traffic is enabled if the device supports it.
Ports These settings identify the ports available on the device.
Note: For generic devices, you can manually add ports as needed
by selecting the plus sign [+] next to Ports.
For CompactLogix 5380 Controllers and Compact GuardLogix 5380
Controllers that operate in dual mode, you cannot add Port 2.
• <Port name and number> The name and number of the port(s) available on the device.
Select the pencil icon next to the port number to configure
port properties, such as the port name, description, EtherNet
driver, IP address, and protocols used by the device.

See also
Add a device to a zone on page 60
CIP Bridging Control on page 25
Automatic Policy Deployment on page 28

Replace a device
Replacing a device is used when a device that has already been configured and
enabled for CIP Security has failed or needs to be rotated out for
maintenance. Device replacement enables the identity and the security
configuration of the previous device to be assigned to the replacement device.
The communications port on a device must be reset after replacement to
apply the security policy settings.

To replace a device
1. In the FactoryTalk Policy Manager navigation bar, select:
• Zones and then select a zone in the Zones table to replace a device
on the selected zone's device table.
• Devices to replace any device on the FactoryTalk Policy Manager
device list.
2. In the device table, select the name of the device to replace.
The selected device properties display in DEVICE PROPERTIES.
3. On the FactoryTalk Policy Manager toolbar, select Replace Device.
Deploy Configuration to Replace Device displays.
4. In Deploy Configuration to Replace Device choose when to reset the
communication ports on the device:

• Choose During policy deployment to reset the ports automatically
as part of the replacement process.
• Choose After deployment to manually reset the ports at a later time.
The security policy is not being enforced on the device until the
ports are reset.
5. Select Deploy. Deployment results are displayed as the deployment
occurs.

See also
Deployment results on page 80

Remove the security policy from a device
If the security model has been deployed and the device communications have
been reset, the device is constrained by the security policy. Even if FactoryTalk
Policy Manager and FactoryTalk System Services are uninstalled, the security
policy configured for the device is still in effect.
Use these steps to remove the security policy if necessary.

To remove the security policy from a device
1. In the FactoryTalk Policy Manager navigation bar, select Devices and
then select the device.
PORT PROPERTIES are displayed.
2. In the Policies area, change the security policies for the device.
• In Zone, choose either Unassigned or a zone that is not CIP Security
enabled.
3. Deploy the security model and choose to reset the communications
channels During deployment.
The device security configuration will be reset to none.
The device can then be removed from the model or reconfigured as
necessary.
Tip: You can remove the security policy from the device by deleting the device from the
security policy model. The changes take place during the next deployment.

See also
Edit device properties on page 66
Delete a deployed device on page 66
Deploy a security model on page 77

Ranges
If there are groups of devices that are not CIP Security capable, they can be
incorporated into the security model using a trusted IP range.

A trusted IP range is a contiguous set of IP addresses that are known to
contain good devices, but that cannot use certificates or pre-shared keys to
authenticate identities or authorize access.
When a device has an IP address within a defined trusted IP range, the
authentication method for the device is set to None.

See also
Add a range on page 70
Authentication methods on page 42

Add a range
Add a range to define a set of IP addresses to assign to a zone. A device range
is useful for devices that do not support CIP Security, but that need to be part
of the security policy model.

To add a range
1. In the FactoryTalk Policy Manager navigation bar, select:
• Zones and then select a zone in the Zones list to add a device range
to the selected zone's device list.
• Devices to add an unassigned device range to the FactoryTalk Policy
Manager device list.
2. On the toolbar, select Add Range. The RANGE PROPERTIES pane
opens.
3. In Name, type a name for the range.
4. (optional) In Description, type a description of the range.
5. In Start IP Address, type the first IP address in the range being
defined.
6. In End IP Address, type the last IP address in the range being defined.
7. (optional) In Zone, select the security zone to assign to this range. If
adding a range from within the Zone list, the range is automatically
assigned to the currently selected zone.

See also
Discovery on page 53
Add a zone on page 45
Range properties on page 70

Range properties
Use range properties to define the IP address range. Devices in a range
cannot apply security configuration settings of a zone. In a zone where CIP
Security is enabled, devices in this range will be trusted by CIP Security
capable devices based solely on their IP address. All other communications
with devices in this range will not use any authentication method.
The range properties are:
Property Description
Name The name of the range. The name is required and must be unique.
Description (optional) A description for the range.
Start IP Address The first IP address of the range.
End IP Address The last IP address of the range.
Zone The security zone to which the range is assigned.
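The range rules above (a contiguous block between Start IP Address and End IP Address, and a device inside the block being trusted by IP address only, so its authentication method is None) are modelled in the following added example. This is illustration code, not FactoryTalk Policy Manager's implementation: TrustedRange, make_range, find_range, resolve_authentication and the zone-to-method mapping are names assumed here, and the addresses are constructed sample values.

```python
"""Trusted IP range model: added example code, not FactoryTalk Policy Manager's
own implementation. Class and function names are assumptions made for this
illustration. It models what the Range properties text describes: a
contiguous IPv4 range, and devices inside it trusted by IP address only, so
their authentication method resolves to None."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedRange:
    name: str
    start: ipaddress.IPv4Address   # Start IP Address
    end: ipaddress.IPv4Address     # End IP Address
    zone: str                      # zone the range is assigned to
    description: str = ""

    def __post_init__(self):
        # A range is a contiguous block, so the last address must not come
        # before the first one; reject the definition rather than silently
        # accepting an empty range.
        if int(self.end) < int(self.start):
            raise ValueError(
                f"{self.name}: End IP Address {self.end} is before "
                f"Start IP Address {self.start}")

    def contains(self, address):
        """True when address lies in [start, end] inclusive."""
        return int(self.start) <= int(ipaddress.IPv4Address(address)) <= int(self.end)

    def size(self):
        """Number of addresses covered by the range."""
        return int(self.end) - int(self.start) + 1


def make_range(name, start, end, zone, description=""):
    """Build a TrustedRange from dotted-quad strings, validating both ends."""
    return TrustedRange(name, ipaddress.IPv4Address(start),
                        ipaddress.IPv4Address(end), zone, description)


def find_range(address, ranges):
    """Return the first range containing address, or None."""
    for r in ranges:
        if r.contains(address):
            return r
    return None


def resolve_authentication(address, device_zone, ranges, zone_methods):
    """Work out how a device at `address` is authenticated.

    A device whose address falls inside a trusted range is trusted by IP
    address only, so its method is "None" regardless of what its zone uses.
    Otherwise it inherits its zone's method (zone_methods maps a zone name to
    "Certificate", "Pre-shared key" or "None"; an "Unassigned" device has no
    zone policy and also resolves to "None").
    Returns (method, name_of_matching_range_or_None).
    """
    r = find_range(address, ranges)
    if r is not None:
        return "None", r.name
    return zone_methods.get(device_zone, "None"), None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    ranges = [make_range("LegacyIO", "10.88.11.20", "10.88.11.40", "ZoneA",
                         "Devices that are not CIP Security capable")]
    zone_methods = {"ZoneA": "Certificate", "ZoneB": "Pre-shared key"}
    for ip, zone in [("10.88.11.11", "ZoneA"), ("10.88.11.25", "ZoneA"),
                     ("10.88.11.41", "ZoneB"), ("10.88.11.50", "Unassigned")]:
        method, via = resolve_authentication(ip, zone, ranges, zone_methods)
        print(f"{ip:<14} zone={zone:<10} auth={method:<15} range={via}")
```

The validation in `__post_init__` is the check a practitioner wants when ranges are entered by hand: a reversed start and end is rejected at definition time instead of producing a range that matches nothing.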

See also
Add a range on page 70
Add a zone on page 45
Authentication methods on page 42

Canvas
The Canvas view visualizes the security model in the form of a diagram and as
a tree. You can modify the security model visualization by rearranging and
resizing its components. You can also automatically lay out the security model
components and save the diagram to a graphic file.
Canvas includes information about zones, conduits, and devices.
In the Canvas view, the devices can either be in:
• A Zone container
• The Unassigned container
• The Onboarding Area container (the devices discovered by Automatic
Policy Deployment)
From the Canvas view, you can modify the properties of the security model
components by using the Properties pane. You can also drag devices between
containers, but you cannot set the properties of components directly on the
canvas. You can also browse, manage, and add the devices available in the
FactoryTalk Linx network to the security model by using the Discovery pane.

See also
Navigate Canvas on page 72
Search Canvas on page 73
Graphical Explorer pane on page 73
Move a device on page 74
Automatic Policy Deployment on page 28


Navigate Canvas
Use Canvas to visualize the security model in the form of a customizable
diagram.
The Canvas toolbar includes these items:
Item Description
Global View Shows or hides a mini map of the security model
visualization in the bottom-right corner of the model.
You can use Global View to navigate complex security
models and adjust the zoom level of the security model.
Straight Lines Shows conduits as straight lines.
Curved Lines Shows conduits as curved lines.
Auto Layout Automatically lays out the security model visualization.
Save Saves the security model visualization to a graphic file.
Zoom Out Zooms out the security model visualization.
Zoom In Zooms in the security model visualization.
Zoom Displays the current zoom level of the security model
visualization. Enables you to select or enter a custom
zoom level value.
Tip: You can also zoom in and zoom out the security
model visualization by using the mouse wheel.
Search Highlights security model components based on the
specified criteria.

The Canvas security model visualization can include these items:
Tip: You can move, resize, collapse, and expand containers in the security model visualization.
Item Name Description
Zone Contains devices added to the security model.
Onboarding Area Contains the devices found by Automatic Policy
Deployment that can be added to the security model.
Unassigned Contains the devices that are added to the security model
but are not added to any zone in the security model.
Conduit Visualizes conduits between zones and devices.
Note: Dotted conduits represent trusted unsecure
connections. Solid conduits represent secure
connections.


See also
Canvas on page 71
Navigate the Graphical Explorer pane on page 73

Search Canvas
Use Search to find zones, conduits, devices, and other components on the
visualized security model. The search results are highlighted in yellow and
can be filtered.

To search canvas
1. In the FactoryTalk Policy Manager navigation bar, select Canvas.
2. On the toolbar, fill in the Search field.
Tip: You can press Ctrl+F to place the cursor in the Search field.
3. (optional) Restrict the search results by selecting the Filters to add to
search field icon and selecting: Zones, Conduits, or Devices.
4. (optional) Cycle through the search results by selecting the Go to next
search result icon or Go to previous search result icon.
5. (optional) Clear the search results by selecting the Clear search
icon.

See also
Canvas on page 71
Filter the security model tree on page 74

Graphical Explorer pane
The Graphical Explorer pane is a part of the Canvas view that displays the
security model in the form of a tree. Depending on your needs, the Graphical
Explorer pane can be collapsed or expanded.

See also
Canvas on page 71
Navigate the Graphical Explorer pane on page 73
Filter the security model tree on page 74

Navigate the Graphical Explorer pane
Use the Graphical Explorer pane to browse the zones, devices, and conduits
tree. You can filter, collapse, and expand the tree nodes.
Tip: Selecting a component in the Graphical Explorer tree focuses the security model visualization
on that component.
Selecting a component in the security model visualization focuses the tree on that component.

The Graphical Explorer pane includes these items:
Item Description
Filter Provides a filtered tree based on the specified criteria.
Zones Lists zones added to the security model and devices
added to these zones.
Conduits Lists conduits added to the security model.
Onboarding Area Lists the devices found by Automatic Policy Deployment
that can be added to the security model.
Unassigned Lists the devices that are added to the security model but
are not added to any zone in the security model.

See also
Graphical Explorer pane on page 73
Navigate Canvas on page 72

Filter the security model tree
Use Filter to find zones, conduits, and devices in the security model tree.

To filter the security model tree:
1. In the FactoryTalk Policy Manager navigation bar, select Canvas.
2. On the left, ensure that the Graphical Explorer pane is expanded.
3. Fill in the Filter field.
4. (optional) Restrict the filtering scope by selecting the Quick filter
icon and selecting: Zones, Conduits, or Devices.
5. (optional) Discard filters by selecting the Clear view icon.

See also
Graphical Explorer pane on page 73
Search Canvas on page 73

Move a device
In the Canvas security model visualization and in the Graphical Explorer
tree, you can move devices between these containers:
• Zones
• Unassigned
• Onboarding Area
IMPORTANT When you move a device from the Onboarding Area to a Zone or to the
Unassigned container, the device cannot be moved to the Onboarding Area
container again.

To move a device between containers:
1. In the FactoryTalk Policy Manager navigation bar, select Canvas.

2. Drag a device from one container and drop it in a different container.
Tip: You can drop devices from the Graphical Explorer tree to the
Canvas security model visualization or in the opposite way.

See also
Canvas on page 71
Discover devices on page 54

Rockwell Automation Publication FTALK-GR001C-EN-E, June 2022 75


Chapter 3

Deploy a security policy model

Deployment
After the zones, conduits, and devices have been configured, the security
policy model can be deployed.
Making changes to the security policy of an item requires that the
communications channel be reset, which results in a short loss of
connectivity. During deployment, there is the option of resetting the
communication as part of deployment, or deploying the changes without
resetting the communication channel so that the reset can occur at a different
time than the deployment process.
If changes are made to the policy after it is deployed, an asterisk (*) will appear
next to the device, indicating that the configured policy has not been deployed
to that device.
After the initial deployment, a differential deployment can be done to deploy
just items changed since the last deployment. Differential deployment
includes any changes made in the model or made to the physical device in the
field such as in the event of device replacement.

See also
Deploy a security model on page 77
Deployment options on page 79
Deployment results on page 80

Deploy a security model
After the zones, conduits, and devices have been configured, the security
policy model can be deployed.
Before a deployed security policy becomes active, communications must be
reset to all configured devices, resulting in a short loss of connectivity. During
deployment, there is the option of resetting the communication as part of
deployment, or deploying the changes without resetting the communication
channel so that the reset can occur at a different time than the deployment
process.
If you choose to reset the communication after deployment, the security
policy may be applied to the devices at different times, depending on the
device type, function and state of the control system.
Once the model is deployed and communications reset on the device, the
device will only accept communications from other devices in the same zone
or using conduits configured to enable communications with other security
zones or devices. The device can still send communication to other devices.
Before deploying a security model, make sure that all devices are operational
and have network access.
If changes are made to the policy after it is deployed, an asterisk (*) will appear
next to the device, indicating that the configured policy has not been deployed
to that device.
You can perform a differential deployment to only deploy the security
configuration to devices that have been changed since the last deployment.
This type of deployment would include any changes made in the model
configuration or changes made to the physical device, such as when a device is
replaced for maintenance.
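The distinction between a full and a differential deployment, and the asterisk marking of ports whose configured policy has not yet been deployed, is modelled in the following added example. It is illustration code, not FactoryTalk Policy Manager's implementation: Zone, Port, effective_config, record_deployment, pending and plan_deployment are names assumed here, the treatment of a zone edit as a change to every port in that zone is this example's assumption about why the deploy list can contain devices that were not edited directly, and the devices and addresses are constructed sample values.

```python
"""Full versus differential deployment scope: added example code, not
FactoryTalk Policy Manager's implementation. Zone, Port and the function
names are assumptions for this illustration. It models what the text
describes: a differential deployment touches only the communication ports
whose configuration changed since the last deployment, and because a port's
effective configuration includes settings inherited from its zone, editing a
zone (assumed here) marks every port in that zone as changed even though the
devices themselves were not edited."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    cip_security_enabled: bool
    authentication: str          # "Certificate", "Pre-shared key" or "None"


@dataclass
class Port:
    device: str
    port: str
    ip: str
    zone: str                    # zone name, or "Unassigned"
    disable_http_80: bool = False

    @property
    def key(self):
        # Device table naming for multi-port devices, e.g. Device3:Port2.
        return f"{self.device}:{self.port}"


def effective_config(port, zones):
    """The configuration that actually lands on the port: its own settings
    plus those inherited from the zone it is assigned to."""
    zone = zones.get(port.zone)
    return {
        "ip": port.ip,
        "zone": port.zone,
        "disable_http_80": port.disable_http_80,
        "cip_security": zone.cip_security_enabled if zone else False,
        "authentication": zone.authentication if zone else "None",
    }


def fingerprint(config):
    """Stable digest of a configuration, so changes are detected by value."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def record_deployment(ports, zones):
    """Snapshot to keep after a successful deployment: key -> fingerprint."""
    return {p.key: fingerprint(effective_config(p, zones)) for p in ports}


def pending(ports, zones, last_deployed):
    """Ports whose configured policy has not been deployed (shown with an
    asterisk in the device table). Ports never deployed count as pending."""
    return {p.key for p in ports
            if last_deployed.get(p.key) != fingerprint(effective_config(p, zones))}


def plan_deployment(ports, zones, last_deployed, scope):
    """Ports to configure for the chosen Deployment scope.

    scope "changed": Changed device communication ports only (differential).
    scope "all":     All device communication ports in the model (full).
    """
    if scope == "all":
        return sorted(p.key for p in ports)
    if scope == "changed":
        return sorted(pending(ports, zones, last_deployed))
    raise ValueError(f"unknown deployment scope: {scope}")


if __name__ == "__main__":
    # Constructed sample model.
    zones = {"ZoneA": Zone("ZoneA", True, "Certificate"),
             "ZoneB": Zone("ZoneB", True, "Pre-shared key")}
    ports = [Port("PLC1", "Port1", "10.88.11.11", "ZoneA"),
             Port("IO1", "Port1", "10.88.11.12", "ZoneA", disable_http_80=True),
             Port("HMI1", "Port1", "10.88.11.13", "ZoneB")]
    snapshot = record_deployment(ports, zones)        # state after a full deployment
    zones["ZoneA"].authentication = "Pre-shared key"   # a zone-level edit only
    print("pending:", sorted(pending(ports, zones, snapshot)))
    print("differential:", plan_deployment(ports, zones, snapshot, "changed"))
    print("full:", plan_deployment(ports, zones, snapshot, "all"))
```

Reviewing the output of `plan_deployment(..., "changed")` before deploying is the step the Tip in the procedure below asks for: if it lists a device you did not touch, the cause is a change to something that device inherits from (here, its zone), and the model should be corrected before selecting DEPLOY.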

To deploy a security model
1. On the FactoryTalk Policy Manager toolbar, select Deploy.
2. Review the Deploy dialog:
c. In Deployment scope, choose whether to perform a full deployment
or a differential deployment.
• Select Changed device communication ports only for differential
deployment.
• Select All device communication ports in the model for full
deployment.
d. The list of devices identifies the devices that will be configured
when this model is deployed. Scroll down or select More details to
review the list.
Tip: The list may contain devices that you have not modified directly. This can happen when a
modification to one device affects a related device. If the list contains unexpected devices, select CANCEL
and then change the model as needed.
e. Choose when to reset the communication channels for the items
included in the security policy model.
• During policy deployment
When this option is selected, the communication port will be
closed and reopened on the device during the deployment
process. Similar to resetting the network card on a computer, the
device stays functional but is disconnected from the network for
a few moments. Using this option applies the new policy to the
device at the same time that the policy is deployed.
• After deployment
When this option is selected, the security policy settings will be
deployed to the device but are not in effect. The communications
ports will need to be reset before the security policy will be used.

78 Rockwell Automation Publication FTALK-GR001C-EN-E, June 2022


Chapter 3 Deploy a security policy model
This option is useful if there is a scheduled maintenance reset
process in your environment that can be relied upon to perform
this function.
If you choose to reset the communication after deployment, the
security policy may be applied to the devices at different times,
depending on the device type, function and state of the control
system.
f. Select DEPLOY.

3. The Results pane updates with the results of the deployment as it
occurs.
Once deployment is complete a summary report is provided listing the
successes, failures, and errors encountered during the process.

See also
Devices on page 58
Conduits on page 49
Zones on page 45
Deployment results on page 80

Deployment options
Choose how to deploy the security policy configuration defined in the security
policy model.
• In Deployment scope, choose whether to perform a full deployment or
a differential deployment.
• Select Changed device communication ports only for differential
deployment.
• Select All device communication ports in the model for full
deployment.
• In Devices and ports updated review the list of devices that will be
configured when this model is deployed. Scroll down or select More
details to see the entire list. If the list contains unexpected devices,
select CANCEL and then change the model as needed.
• Under Choose when to reset device communication ports included in
this model select either:
• During policy deployment
When this option is selected, the communication port will be closed
and reopened on the device during the deployment process. Similar
to resetting the network card on a computer, the device stays
functional but is disconnected from the network for a few
moments. Using this option applies the new policy to the device at
the same time that the policy is deployed.

Rockwell Automation Publication FTALK-GR001C-EN-E, June 2022 79


Chapter 3 Deploy a security policy model
• After deployment
When this option is selected, the security policy settings are
deployed to the device but are not in effect. The communications
ports will need to be reset before the security policy will be used.
This option is useful if there is a scheduled maintenance reset
process in your environment that can be relied upon to perform this
function.
If you choose to reset the communication after deployment, the
security policy may be applied to the devices at different times,
depending on the device type, function and state of the control
system.

See also
Deployment errors on page 80
Deployment warnings on page 83

Deployment results
Depending on the size of your system, the deployment process can take a
while. As assets are deployed, the Results tab updates with the result of the
deployment on each item in the model. The possible results are:
• Configuration complete. No issues identified.
• Configuration complete. Warnings identified.
• Configuration not complete. Error identified.
At any point in the deployment process, the process can be stopped. If
deployment is stopped, assets that have already been configured remain configured.
Stopping the deployment process does not roll back the changes that have
occurred.
IMPORTANT If the deployment process is stopped during deployment, this can leave the system in an
unexpected state. Communications between devices could be permanently
interrupted, requiring a module reset.

After the deployment process is complete, a report is created that details
which assets were successfully deployed, which items failed to deploy, and the
errors and warnings encountered. The report can be saved for reference,
reporting, or other record keeping requirements.

See also
Deployment errors on page 80
Deployment warnings on page 83
Automatic Policy Deployment notifications on page 33

Deployment errors
This table provides a reference of the possible errors encountered during
deployment. Items in brackets are placeholders for specific items that are
identified as appropriate for the environment.
Tip: Third-party devices may not support all security capabilities and features of FactoryTalk Policy
Manager. Depending on the device specifications, you may have to adjust your security policy
model

General troubleshooting
If you encounter one of the messages from the table, first check the
description for a possible solution. If the same error message still appears
on the next deployment, or no solution is provided, try one or more of the
following actions.
• Check the network.
• Check the physical connection of the device.
• Cycle power to the device.
• Retry the deployment.
• Perform a factory reset of the device.
• Update the firmware of the device.

IMPORTANT CIP Security is supported on the 1756-EN4TR; however, it is not yet supported when
the 1756-EN4TR is in redundant adapter mode.
If a 1756-EN4TR is installed and using CIP Security, and it is reconfigured to be part of
a redundant adapter pair, the module will lose its CIP Security configuration. When
this occurs, the I/O chassis will lose communication with the controller.
At this point, the CIP Security policy must be redeployed.

Error / Description
Cannot read the state of the CIP Security Object for <device name> <endpoint name>.
    The system cannot determine whether the device is CIP Security capable.
Unable to retrieve the list of administered ports for <device name> <endpoint name>.
    The system cannot obtain information on device ports. The device may not support ports or CIP Security.
<device name> does not support configuration for the port.
    The device is in a zone that has disabled communication over the specified port, but the device does not support individual port configuration.
    Make sure that the device is CIP Security capable.
Cannot obtain the list of available encryption methods for <device name> <endpoint name>.
    The system cannot determine whether the device supports any encryption methods.
    Check the device specifications.
Unable to retrieve the list of supported encryption methods for <endpoint name>.
    The system cannot retrieve information on which encryption methods are supported by the device.
    Check the device specifications.
Unable to set encryption method for <endpoint name>.
    The system cannot set which encryption method is used by the device.
    Update the device firmware.
Unable to retrieve the pre-shared key from <endpoint name>.
    The device does not support pre-shared key authentication, the device lost data, or the device replacement procedure was not followed.
    Go to the specified zone, generate a new pre-shared key, and redeploy the security policy model.
    For more information, see the Zone properties chapter.
Unable to set the pre-shared key from <endpoint name>.
    The device does not support pre-shared key authentication, the device lost data, or the device replacement procedure was not followed.
    Go to the specified zone, generate a new pre-shared key, and redeploy the security policy model.
    For more information, see the Zone properties chapter.
Unable to clear the pre-shared key from <endpoint name>.
    The previously assigned pre-shared key could not be removed from the device.
    For more information, see the Zone properties chapter.
Unable to retrieve the active certificate from <endpoint name>.
    The system cannot connect to the Certificate Management Objects on the device.
Unable to assign a certificate to <endpoint name>.
    The system could not switch from the default certificate to a new certificate on the device.
Unable to create Certificate Management Objects for <endpoint name>.
    The system could not create a new certificate for the device. The device may have insufficient space.
    Review the security policy model and check that the number of conduits to the device does not exceed the capacity of the device.
    Contact the device's manufacturer.
Unable to retrieve the certificate attributes for <endpoint name>.
    The system could not retrieve the certificate from the device.
Device certificate is invalid or unverified for <endpoint name>.
    The device is unable to verify its certificate.
CA certificate is invalid or unverified for <endpoint name>.
    The device is unable to verify the Certificate Authority certificate.
Unable to delete certificate from <endpoint name>.
    The firmware of the device may be preventing the system from deleting the certificate from the device.
Unable to read certificates from <endpoint name>.
    The system could not read the certificate from the device.
No new identity certificates assigned for <endpoint name>.
    The system could not locate the expected certificates on the device.
Unable to obtain the list of trusted authorities for <endpoint name>.
    The device cannot access the list of zone certificates.
Unable to assign a trusted authority certificate for <device name> <endpoint name>.
    The device could not access one of its parameters.
Cannot get Trusted Devices.
    The system could not retrieve the list of Trusted Devices from the device.
Cannot set Trusted Devices.
    The system could not set the list of Trusted Devices for the device.
Cannot obtain a list of Certificate Management Objects for <device name> <endpoint name>.
    The system could not retrieve a list of certificates from the device.
Unable to obtain required file object list on <device name> <endpoint name>.
    The system encountered a problem communicating with the device.
Unable to obtain required file object on <device name> <endpoint name>.
    The system encountered a problem communicating with the device.
Endpoint <path> does not support configuring state of: <protocol> <port number>.
    The device does not support the specified communication protocol or port.
    Check whether the device supports the protocol or port.
Cannot read device IE setting from <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Cannot verify IE rules on <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Unable to obtain the max instance for <endpoint name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Cannot read device IE rules from <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Cannot read device IE rules size from <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Cannot get number of instances from <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Cannot get configuration sequence count from <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device. The device may not support this feature.
    For more information, see the Authentication methods chapter.
Unable to obtain the list of port instances for <endpoint name>, not supported by the device.
    The device may not support this feature.
    Check the list of ports supported by the device and make the required changes in the security policy model.
Unable to read the proxy instance attributes for <endpoint name>.
    The system was unable to retrieve data from the device set as a proxy device in the security policy model.
    Check whether the device has proxy capabilities and whether the firmware is proxy-capable.
Unable to read the number of proxied endpoints supported by <endpoint name>.
    The system was unable to retrieve data from the device set as a proxy device in the security policy model.
    Check whether the device has proxy capabilities, whether the firmware is proxy-capable, and whether the device is connected to a proxied device in the security policy model.
Unable to set the list of proxied endpoints for the proxy: <endpoint name>.
    The system was unable to retrieve data from the device set as a proxy device in the security policy model.
    Check whether the device has proxy capabilities, whether the firmware is proxy-capable, and whether the device is connected to a proxied device in the security policy model.
Unable to connect to the endpoint (<device name>) using the <device path>.
    Specific to 1756-EN4TR devices in redundant adapter mode.
    Turn off the redundant adapter mode on the device and redeploy the CIP Security policy.

See also
Deployment results on page 80

Deployment warnings
This table provides a reference of the possible warnings encountered during
deployment. Items in brackets are placeholders for specific items that are
identified as appropriate for the environment.
Warning / Description
Cannot read the Device Identity for the <device name> <endpoint name>
    The system is unable to read a CIP Security object containing device identifiers.
    Make sure that the device is CIP Security capable, cycle power to the device, check the physical connection to the device, and update the device firmware.
<device name> does not support configuration for port.
    The device has been placed in a zone that has disabled communication over the specified port, but the device does not support individual port configuration.
    Make sure that the device is CIP Security capable, and update the device firmware.
Device does not support configuration of the DTLS Timeout setting.
    Check whether the device supports the DTLS Timeout setting, update the device firmware, or disable the DTLS Timeout setting.
    For more information, see the Global Settings chapter.
Device <device name> cannot configure Trusted IP lists.
    Trusted IP Lists are a feature specific to Rockwell Automation/Allen-Bradley devices.
    Check the device specifications.
Device <device name> does not support Trusted IP lists.
    Trusted IP Lists are a feature specific to Rockwell Automation/Allen-Bradley devices.
    Check the device specifications.
Cannot set IE rules on <device name>.
    The system encountered a problem with the Ingress/Egress rules on the device.
    Cycle power to the device, retry the deployment, or replace the device.
    For more information, see the Authentication methods chapter.
Unable to obtain the device IE support settings for <endpoint name>.
    The system encountered a problem with the Ingress/Egress rules on the device.
    Cycle power to the device, retry the deployment, or replace the device.
    For more information, see the Authentication methods chapter.
Unable to obtain the IE rules for <endpoint name>.
    The system encountered a problem with the Ingress/Egress rules on the device.
    Cycle power to the device, retry the deployment, or replace the device.
    For more information, see the Authentication methods chapter.
Unable to obtain converted IE rules for <endpoint name>.
    The system encountered a problem with the Ingress/Egress rules on the device.
    Cycle power to the device, retry the deployment, or replace the device.
    For more information, see the Authentication methods chapter.

See also
Deployment results on page 80

Reload a security model
Reloading the model synchronizes FactoryTalk Policy Manager and
FactoryTalk System Services and refreshes the display of possible conflicts so
that they can be addressed before deployment.

To reload a security model
• On the FactoryTalk Policy Manager toolbar, select Reload.
FactoryTalk Policy Manager refreshes the display with the most recent
information from FactoryTalk System Services.

See also
Conduits on page 49
Devices on page 58



Chapter 4

Backup and restore

Backup and restore security models
Create backup files to preserve and restore the security models for your
system in case of a system failure.
These are the considerations related to using backup and restore with
FactoryTalk Policy Manager:
• The FactoryTalk Policy Manager security model is stored by
FactoryTalk System Services in a policy database.
• Create a backup after each policy deployment to keep the backup files
synchronized with the current security policy.

See also
FactoryTalk System Services on page 11
Deploy a security model on page 77

Backup FactoryTalk System Services
Back up FactoryTalk System Services to save a copy of the security model and its
associated certificates. After it has been created, the FactoryTalk System
Services backup file is included with the FactoryTalk Services Platform
backup whenever that backup is performed.
IMPORTANT Backing up FactoryTalk System Services requires administrator privileges.

To back up the FactoryTalk System Services databases
1. Open a command prompt as an Administrator.
2. In the command prompt window, type:
cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services
3. Run the backup utility by typing one of these commands:
• FtssBackupRestore -B
Creates a plaintext backup of the data.
• FtssBackupRestore -B -P "password"
or
• FtssBackupRestore -B -P password
Creates an encrypted backup of the data using the password
supplied after the -P parameter. Quotation marks are optional. This
password must be supplied to restore the data.
4. The file backup.zip is created. This file will be included in the
FactoryTalk Services Platform Backup.
Verify that the file is present in this location:
C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
Tip: The ProgramData folder is hidden by default in Windows File Explorer.

See also
Backup and restore security models on page 85
Restore FactoryTalk System Services on page 86

Restore FactoryTalk System Services
Restore FactoryTalk System Services to return the FactoryTalk System
Services databases to a known good state.
IMPORTANT Restoring FactoryTalk System Services requires administrator privileges.

To restore the FactoryTalk System Services databases
1. Verify that the backup.zip file is present in this location:
C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
2. Open a command prompt as an Administrator.
3. In the command prompt window, type:
cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services
4. Run the FactoryTalk System Services Backup & Restore Utility by
typing one of these commands:
• FTSSBackupRestore -R
Restores a plaintext backup of the databases.
• FTSSBackupRestore -R -P "password"
or
• FTSSBackupRestore -R -P password
Restores an encrypted backup of the databases that is decrypted
using the password supplied after the -P parameter. Quotation
marks are optional.
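The backup and restore procedures above can be scripted so that a backup is taken and verified after every policy deployment. The following PowerShell wrapper is an added example, not code from the Rockwell guide; it uses only the -B, -R and -P switches and the folder paths the guide documents, and it assumes the utility is an .exe file, that a non-zero exit code means failure, and the function names shown.

```powershell
# Added example (not from the Rockwell guide): wraps the documented
# FtssBackupRestore commands with the administrator check, the backup.zip
# verification from step 4 of the backup procedure, and the step 1 check of
# the restore procedure. Assumptions: the utility is FtssBackupRestore.exe and
# returns a non-zero exit code on failure; function names are this example's own.

$FtssDir   = 'C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services'
$BackupDir = 'C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup'
$BackupZip = Join-Path $BackupDir 'backup.zip'
$FtssExe   = Join-Path $FtssDir 'FtssBackupRestore.exe'   # .exe extension assumed

function Assert-Administrator {
    # Both procedures require a command prompt opened as Administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'FtssBackupRestore must be run from an elevated (Administrator) prompt.'
    }
}

function Invoke-FtssBackupRestore {
    param([Parameter(Mandatory)][string[]]$Arguments)
    if (-not (Test-Path $FtssExe)) { throw "Utility not found: $FtssExe" }
    Push-Location $FtssDir          # the guide runs the utility from its own folder
    try {
        & $FtssExe @Arguments
        # Assumption: a non-zero exit code means the utility reported a failure.
        if ($LASTEXITCODE -ne 0) { throw "FtssBackupRestore failed with exit code $LASTEXITCODE" }
    }
    finally { Pop-Location }
}

function Backup-FtssDatabases {
    # Always encrypted (-B -P): the backup holds the security model and its
    # certificates, so a plaintext backup.zip is sensitive material.
    param([Parameter(Mandatory)][string]$Password)
    Assert-Administrator
    $started = Get-Date
    Invoke-FtssBackupRestore -Arguments @('-B', '-P', $Password)
    # Step 4: backup.zip must now exist in FTSS_Backup and be from this run.
    if (-not (Test-Path $BackupZip)) { throw "Backup did not produce $BackupZip" }
    $zip = Get-Item $BackupZip
    if ($zip.LastWriteTime -lt $started) { throw "$BackupZip was not refreshed by this run" }
    return $zip
}

function Restore-FtssDatabases {
    param([Parameter(Mandatory)][string]$Password)
    Assert-Administrator
    # Step 1 of the restore procedure: the backup must already be in place.
    if (-not (Test-Path $BackupZip)) { throw "Nothing to restore: $BackupZip is missing" }
    Invoke-FtssBackupRestore -Arguments @('-R', '-P', $Password)
}

# Constructed usage: run after each policy deployment so the backup stays in
# sync with the deployed policy; the password is required again to restore.
# Backup-FtssDatabases -Password 'REPLACE-WITH-BACKUP-PASSWORD' | Select-Object FullName, LastWriteTime
```

Because the password is passed on the command line, take it from your secrets store at run time rather than hard-coding it in the script.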


See also
Backup and restore security models on page 85



Rockwell Automation support
Use these resources to access support information.
Technical Support Center: Find help with how-to videos, FAQs, chat, user forums, and product notification updates. rok.auto/support
Knowledgebase: Access Knowledgebase articles. rok.auto/knowledgebase
Local Technical Support Phone Numbers: Locate the telephone number for your country. rok.auto/phonesupport
Literature Library: Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center (PCDC): Get help determining how products interact, check features and capabilities, and find associated firmware. rok.auto/pcdc

Documentation feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our content, complete the form at
rok.auto/docfeedback.

Waste Electrical and Electronic Equipment (WEEE)


At the end of life, this equipment should be collected separately from any unsorted municipal waste.

Rockwell Automation maintains current product environmental information on its website at rok.auto/pec.

Allen-Bradley, expanding human possibility, Logix, Rockwell Automation, and Rockwell Software are trademarks of Rockwell Automation, Inc.

EtherNet/IP is a trademark of ODVA, Inc.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400. Complies with the EEE Regulation (EEE Yönetmeliğine Uygundur).

Rockwell Automation Publication FTALK-GR001C-EN-E, June 2022


Supersedes Publication FTALK-GR001B-EN-E, May 2021 Copyright © 2022 Rockwell Automation Technologies, Inc. All Rights Reserved. Printed in the U.S.A.
