Guidelines for Configuring the CIP Preprocessor
Note the following when configuring the CIP preprocessor:
- You must add the default CIP detection port 44818 and any other CIP Ports you list to the TCP stream Perform Stream Reassembly on Both Ports list.
- Event viewers give special handling to CIP applications. See CIP Events.
- We recommend that you use an intrusion prevention action as the default action of your access control policy.
- The CIP preprocessor does not support an access control policy default action of Access Control: Trust All Traffic, which may produce undesirable behavior, including not dropping traffic triggered by CIP applications specified in intrusion rules and access control rules.
- The CIP preprocessor does not support an access control policy default action of Access Control: Block All Traffic, which may produce undesirable behavior, including blocking CIP applications that you do not expect to be blocked.
- The CIP preprocessor does not support application visibility for CIP applications, including network discovery.
- To detect CIP and ENIP applications and use them in access control rules, intrusion rules and so on, you must manually enable the CIP preprocessor in the corresponding custom network analysis policy.
- To drop traffic that triggers CIP preprocessor rules and CIP intrusion rules, ensure that Drop when Inline is enabled in the corresponding intrusion policy. See Setting Drop Behavior in an Inline Deployment.
- To block CIP or ENIP application traffic using access control rules, ensure that the inline normalization preprocessor and its Inline Mode option are enabled (the default setting) in the corresponding network analysis policy.