- 13 Dec 2024
- 13 Minutes to read
FAQs – Advanced
Product FAQs for TXOne Network Defense Solutions: Edge Series
This document collects and answers the most common questions about our line of TXOne Network Defense products known as the Edge Series. Possible categories include, but are not limited to, Deployment, Maintenance, Security, License, etc.
License
1. What is the system behavior when there is no ODC-VA / EdgeOne-Node license?
Connections between ODC-VA / EdgeOne and devices will be closed.
2. What is the system behavior when there is no Edge series software license?
ODC-VA / EdgeOne will not dispatch updates to EdgeIPS devices.
3. What is the system behavior when the ODC-VA / EdgeOne-Node software license has expired?
Connections between ODC-VA / EdgeOne and devices will be closed.
4. What is the system behavior when the Edge series software license has expired?
ODC-VA / EdgeOne will not dispatch updates to EdgeIPS devices.
5. What is the system behavior when the number of managed nodes with a Trend Micro Activation Code & TXOne License Key exceeds the seat count of the ODC-VA / EdgeOne-Node license?
New nodes (EdgeIPS/IEF devices) will not be able to register with the ODC-VA / EdgeOne license.
6. What is the system behavior when the number of managed EdgeIPS devices exceeds the seat count of the Edge series software license?
ODC-VA / EdgeOne will not dispatch updates to EdgeIPS devices.
7. What is the system behavior when the number of managed nodes exceeds the seat count of the ODC-VA / EdgeOne-Node software license?
This can happen when users reduce the number of nodes while renewing their license. ODC-VA / EdgeOne will remove the extra nodes so that the total number of managed nodes equals the seat count of the license. Offline devices are removed first, followed by the most recently connected devices.
8. How can users add/renew ODC-VA / EdgeOne-Node or Edge series software licenses?
Sales will help users create a request to add/renew the Trend Micro Activation Code & TXOne License Key.
9. Can users reduce the seat count when renewing ODC-VA / EdgeOne-Node or Edge series software licenses?
Yes, they can by submitting a support case to the TXOne support team.
10. Can users transfer licenses between ODC-VA and EdgeOne VM when necessary?
Yes, you can switch between the two on the same virtual disk (recommended).
11. How does ODC-VA / EdgeOne retrieve the latest license content?
ODC-VA / EdgeOne performs an entitlement check every time a user clicks the “Refresh” button, and whenever a license expires.
12. Can users activate licenses when ODC-VA / EdgeOne has no internet access?
A future release (after GM) will allow users to import license files.
13. Does ODC-VA / EdgeOne-VA / EdgeOne support offline license activation for the Trend Micro Activation Code & TXOne License Key?
Starting from v1.1, ODC-VA / EdgeOne-VA will support offline license activation.
14. Will EdgeOne be compatible with the ODC license key?
Yes, EdgeOne is fully backward compatible with the Trend Micro Activation Code & TXOne License Key.
Deployment
1. Do Edge devices only support inline deployment? Can they be installed on a switch mirror port for detection only?
EdgeIPS series devices support both inline and offline deployments. Inline deployment allows prevention and monitoring, while offline deployment provides monitoring only. To deploy Edge devices in offline mode, the devices need to connect to mirror ports.
2. What are the steps for deploying Edge devices? How do customers verify the results of the deployment?
- Install EdgeOne and pre-configure its policy settings.
- Configure IP addresses and management settings of Edge devices.
- Physically install Edge devices in the designated field location and connect them to the local network.
- Make sure Edge devices are synced with EdgeOne.
- Check detection logs.
3. What platform is required for installing the CMS? How can it be installed if we don’t have VMware or ESXi?
Currently, EdgeOne supports VMware, Hyper-V, and KVM. If users do not have VMware or ESXi, they can still use Windows-embedded Hyper-V to install EdgeOne.
4. For a PoC, where would TXOne generally recommend Edge devices be placed?
It depends on users’ needs. If an Edge device is placed in front of a critical asset, users can get detailed traffic information, but this information will be limited to that specific asset. If an Edge device is positioned at a higher layer in the network architecture, it will be able to collect more comprehensive asset information, although with less detailed traffic information for each asset.
5. When Edge devices are installed, is it necessary to change our network architecture?
Since EdgeIPS is transparent, there is no need to change the architecture for Edge device installation.
Maintenance
1. How often does TXOne release pattern updates? How can customers obtain a new update?
We regularly release pattern updates every month. If severe vulnerabilities are disclosed, we will also launch out-of-cycle releases within 7 to 10 working days.
2. If customers deploy massive Edge devices, how can they update all the devices within a limited downtime period?
All Edge devices have two partitions for firmware storage. Users can upload new firmware prior to downtime (this will not affect the operation) and apply new firmware during downtime.
3. What backup / restore methods are supported by TXOne Edge devices? What will be preserved in a backup file?
We support a couple of methods to perform backup / restore. The most basic one is to perform them via the device UI. Another way is to use the zero-config function to restore data from a USB dongle. A backup file includes IP address, policy settings, management settings, and account information.
4. What software update method do Edge devices support? Is an internet connection required?
TXOne Edge devices support both online license update and local license import. If an internet connection is not available, users can still upload updated firmware / pattern files previously obtained from a local computer to the device web console.
5. How can we check and update licenses if we do not have direct internet access for our CMS?
Similar to a software update, EdgeOne (CMS for Edge devices) supports both online license checks and offline activation using a license file. Users can download the license file on any computer with an internet connection and then import the file into EdgeOne for license activation.
6. After a large-scale Edge device deployment, we will have many Edge devices in the field. It will take too much time if we need to log in to each device to change settings. Is there any efficient and convenient approach to solving this issue?
The most straightforward approach is to perform batch configurations through the CMS. In addition, Edge devices support RESTful APIs, allowing you to easily change device configurations and poll data.
7. As the number of Edge devices under EdgeOne management increases, how can we quickly locate a specific Edge device?
In EdgeOne Node Management, users can search specific devices based on their search criteria, such as device names or locations.
Security
1. Customers usually have multiple different operating systems in OT. Does it matter what systems are installed? Will the OS impact the protection?
TXOne Edge devices inspect and filter network packets to provide protection. As a result, the operating systems protected by these devices do not affect the security performance.
2. If customers have already deployed IT firewalls in the OT environments, why do they still need EdgeIPS devices?
An IT firewall is typically positioned at a higher layer within the network architecture.
3. What are the main differentiators between TXOne solutions and competing solutions from IT firewall vendors?
As TXOne focuses on a wide range of OT verticals, we support an ever-growing set of OT protocol recognition and controls, including command and function controls. In contrast, competitors can only provide basic protocol-level controls. Additionally, our hardware design is OT-oriented, supporting a wide operating temperature range and a fanless design.
4. We use Splunk in our environment. Can TXOne solutions send detection records to our Splunk servers for integration?
Yes. The Edge CMS EdgeOne supports third-party integration via API and syslog forwarding. EdgeOne can send logs in both CEF and LEEF formats to Splunk servers for integration.
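For the Splunk integration above, the forwarded syslog lines arrive in CEF or LEEF and usually need to be normalized before indexing. The parser below is an added example, not TXOne's or EdgeOne's own code; the sample lines are constructed (vendor and product names come from the page, the field names and values are placeholders, not EdgeOne's documented schema), and it handles the header escaping and the `\=` value escaping that CEF requires.

```python
import re
# Constructed sample lines in the two formats EdgeOne can forward to Splunk.
# Vendor/product names come from the page; field names and values are made up.
SAMPLE_CEF = ("CEF:0|TXOne|EdgeOne|1.0|100|Policy Violation|7|"
              "src=10.1.2.3 dst=10.1.2.50 dpt=502 act=deny "
              "msg=Modbus write single coil denied (rule\\=42)")
SAMPLE_LEEF = ("LEEF:2.0|TXOne|EdgeOne|1.0|100|^|"
               "src=10.1.2.3^dst=10.1.2.50^dpt=502^act=deny")

_CEF_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")  # start of a key=value pair

def _split_header(text, nfields):
    """Split nfields pipe-delimited fields (backslash escapes '|' and '\\')."""
    fields, buf, i = [], "", 0
    while i < len(text) and len(fields) < nfields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf += text[i + 1]
            i += 2
            continue
        if ch == "|":
            fields.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    return fields, text[i:]

def _parse_cef_ext(ext):
    """CEF extension: space-separated key=value; values escape '=' as '\\='."""
    out, keys = {}, list(_CEF_KEY.finditer(ext))
    for key, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[key.end():nxt.start() if nxt else len(ext)]
        out[key.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_event(line):
    """Normalise one CEF or LEEF line into a common dict for SIEM ingestion."""
    if line.startswith("CEF:"):
        hdr, ext = _split_header(line, 7)
        if len(hdr) != 7:
            raise ValueError("malformed CEF header")
        return {"format": "CEF", "vendor": hdr[1], "product": hdr[2],
                "event_id": hdr[4], "name": hdr[5], "severity": hdr[6],
                "ext": _parse_cef_ext(ext)}
    if line.startswith("LEEF:"):
        n = 6 if line.startswith("LEEF:2.0") else 5  # 2.0 adds a delimiter field
        hdr, ext = _split_header(line, n)
        if len(hdr) != n:
            raise ValueError("malformed LEEF header")
        delim = hdr[5] if n == 6 and hdr[5] else "\t"  # LEEF 1.0 is tab-delimited
        pairs = (p.split("=", 1) for p in ext.split(delim) if "=" in p)
        return {"format": "LEEF", "vendor": hdr[1], "product": hdr[2],
                "event_id": hdr[4], "ext": dict(pairs)}
    raise ValueError("not a CEF or LEEF line")
```

A malformed line raises ValueError rather than producing a half-parsed event, so a forwarder can count and quarantine it instead of silently indexing bad data.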
5. What would happen if Edge devices are attacked (e.g., by malicious flooding traffic)?
All Edge devices have built-in self-protection features, including signature-based detection and DoS protection.
6. When gathering asset information, do Edge devices actively scan OT assets and could this cause device failures?
By default, Edge devices will perform passive information collection only and will not send any scan packets to OT assets.
7. If a detected network packet is actually secure, can the detection rule be disabled and the relevant log hidden?
Edge devices support rule-based editing, allowing users to customize actions for each rule, such as disabling it or changing the action to accept or deny.
8. Can Edge devices block our network traffic due to a false positive? If so, how does TXOne address such cases?
Before releasing new signatures, we always conduct internal tests to minimize the occurrence of false positives. However, we can't guarantee with 100% certainty that no false positives will occur. Therefore, we recommend that customers initially set the Edge device rule operation mode to monitoring mode, allowing detection of potential issues without blocking network attacks. Additionally, all Edge devices include a built-in packet capture function, enabling users to download rule-triggering packets for further analysis.
9. Where does TXOne obtain its signatures?
TXOne has its own dedicated pattern team that develops new signatures for comprehensive vulnerability coverage.
10. Is it possible to modify the actions of IPS rules? If patterns are updated, will the previously modified rule actions revert to their defaults?
We support a rule-based editing feature to modify each rule action. The modified action settings will not be affected by pattern updates.
11. We need to comply with SEMI E187. How do TXOne products assist with standard compliance?
As the standard requires, equipment must support secure protocols for data transmission and must control and limit network port usage. All these requirements can be fulfilled by implementing TXOne Edge solutions.
Visibility
1. What information can we obtain after installing Edge devices? Is it necessary to connect assets directly to Edge devices for asset information collection?
Edge devices can passively collect asset information, including IP address, MAC address, OS version, and applications in use. Additionally, Edge devices display logs based on configured policy rules, such as cybersecurity logs, protocol logs, and policy violation logs. Direct connections between Edge devices and assets are not required for information collection.
2. If I have multiple assets to protect under different port pairs of a single EdgeIPS Pro, how can I determine which port pair a specific asset is connected to?
Both Edge devices and the CMS allow users to create search filters to locate specific assets based on
Networking
1. How many IP addresses do I need to assign during a PoC?
Each Edge device requires one management IP address. EdgeOne also needs one management IP address.
2. As an intermediate device, what is the throughput capability of an Edge device? What happens if the real throughput exceeds the device limitation?
The throughput ranges from 250 Mbps to 20 Gbps, depending on the model. Smaller models offer lower throughput and are ideal for deployment at lower network layers to provide micro-segmentation for critical assets. In contrast, larger models can be placed at higher layers, such as near a core switch, to inspect east-west network traffic. If the throughput exceeds the device's capacity, packets will be dropped because the CPU cannot handle the incoming traffic. However, the throughput figures in our specifications are based on worst-case scenarios, and customers can typically expect better performance in practice.
3. Which service ports need to be opened?
The most important ports that need to be open are TCP 7590 for management and TCP 443 for web services. For the rest of the ports, please refer to our administrator's guide.
4. What type of interface do Edge devices support? Do Edge devices support fiber connections?
EdgeIPS Pro 1048 / 2096, EdgeIPS Pro 2016F / 4016F, and EdgeIPS Pro 212-F support fiber interfaces. The rest of the models only support copper interfaces.
5. Does the Edge series have wireless models? How do Edge devices protect wireless assets in OT?
Currently, Edge devices only support wired connections. For wireless asset protection, we recommend placing the Edge devices behind access points.
6. If Edge devices operate in offline mode, will they consume excessive Ethernet switch resources when mirroring network traffic?
Typically, traffic mirroring doesn't consume excessive CPU resources on the switch. If you have concerns about this, we recommend initially limiting traffic mirroring to a few specific ports or VLANs.
7. How does the CMS manage Edge devices? Since direct internet connections for updates are not allowed on the OT network, does the CMS need to use an OT-specific IP address?
Edge devices must proactively initiate connections to EdgeOne, which requires network connectivity. Most Edge devices have MGMT interfaces that connect separately to the IT network for out-of-band management.
8. In OT networks, all network packets are tagged with VLAN IDs. Does TXOne offer a solution to support VLAN?
Yes, both Edge devices and EdgeOne support VLAN-tagged traffic.
Operation
1. Will OT network traffic be disrupted if Edge devices experience downtime?
All TXOne EdgeIPS series devices support hardware bypass, which automatically redirects network traffic to guarantee uninterrupted OT operations in the event of an Edge device failure.
2. How long does it take for the bypass mechanism to recover the OT traffic?
In general, the recovery time is within 3 seconds, depending on the connected uplink/downlink devices.
3. How long will the network be disconnected during the solution installation?
We recommend completing pre-configuration before physically installing Edge devices. During deployment, the network will experience a brief disconnection (less than 1 minute) because the Ethernet cable will be unplugged and then re-plugged.
4. What can we do if we don’t want any traffic blocking during the PoC?
Edge devices support monitoring mode for detection only, without blocking any network traffic.
5. If Edge devices cause a disconnection, is there a way to quickly enable bypass mode to allow traffic to pass through and recover our traffic?
For debugging purposes, Edge devices support a force-open bypass feature that directly enables bypass capability. When this mode is activated, traffic will pass through without any inspections.
6. Will inspection cause any latency? If so, how much? Will our operations be affected?
Based on our internal tests under the worst-case scenarios, the latency is less than 500 ms. In our experience, this level of latency is generally sufficient for most OT applications to operate without disruption.
7. Production is running at full capacity, and we cannot allow any disconnections. Can Edge devices ensure uninterrupted operation during deployment?
In addition to inline deployment, Edge devices support offline deployment, allowing devices to connect to mirror ports for traffic analysis. If inline deployment isn't feasible for your production environment, you can opt for offline mode. However, in offline mode, the devices will only detect malicious activities and will not take preventive actions.
8. We cannot allow sensitive data to be disclosed. What information will be collected by Edge devices?
Although Edge devices deployed in the field will collect asset and communication traffic information, the data will be exclusively stored on the on-premises CMS and will not be uploaded to any public sites.
9. We use some proprietary protocols in OT networks. Will Edge devices block these proprietary packets if they can't recognize them?
This might happen, which is why we recommend initially running Edge devices in monitoring mode. If users are willing to share the proprietary protocol data with us, we can further discuss including it in our protocol support list.
10. If a physical port of an Edge device is damaged, what should be done to ensure uninterrupted network traffic?
Since EdgeIPS Pro is equipped with multiple port pairs, the best option is to quickly switch to spare port pairs for traffic forwarding. Alternatively, you can utilize our newly released universal bypass feature to create redundant uplink ports for traffic continuity.
Security / Visibility
1. Fab equipment usually contains many internal devices within a small internal network. How do Edge devices protect and detect network traffic sent from internal devices?
Placing an Edge device in front of fab equipment can protect it and filter the bi-directional traffic to and from the equipment. Meanwhile, the Edge device can passively collect asset information from the traffic passing through it.