Specification Sheets - OT Cyber Security

Uploaded by

tanawinkyubi

Firewall (IT)

Data sheet
Cisco public


Cisco Secure Firewall 3100 Series


The mid-range Cisco Secure Firewall 3100 Series supports your evolving world. It makes hybrid work and zero trust practical, with
the flexibility to ensure strong return on investment. The Cisco Secure Firewall 3100 Series is a family of four threat-focused security
appliances that delivers business resiliency and superior threat defense. Each model offers outstanding performance for multiple
firewall use cases, even when advanced threat functions are enabled. These performance capabilities are enabled by a modern
CPU architecture coupled with purpose-built hardware that optimizes firewall, cryptographic, and threat inspection functions.
The 3100 series also supports clustering to maximize performance, along with higher port density and Q-in-Q support that enables
an expanded set of use cases. These capabilities flexibly support you as your needs evolve and the scale of your operations grows.
The series’ firewall throughput range addresses use cases from the Internet edge to the data center and private cloud. 3100 Series
platforms run either ASA or Firewall Threat Defense (FTD) software. The platforms can be deployed in both firewall and dedicated
IPS modes. For inline sets and passive interfaces, the 3100 series supports Q-in-Q (stacked VLAN), with up to two 802.1Q headers in a packet.
The platforms also support FTW (fail-to-wire) network modules.

Model overview

Cisco Secure Firewall 3100 series summary


Table 1. Cisco Secure Firewall 3100 Series performance and specification highlights

| Secure Firewall Model | Firewall | FW+AVC+IPS | IPS Throughput | Interfaces | Optional interfaces |
|---|---|---|---|---|---|
| 3110 | 18G | 17G | 17G | 8 x RJ45, 8 x 1/10G SFP+ | 10G SFP+ |
| 3120 | 22G | 21G | 21G | 8 x RJ45, 8 x 1/10G SFP+ | 10G SFP+ |
| 3130 | 42G | 38G | 38G | 8 x RJ45, 8 x 1/10/25G SFP+ | 10G/25G/40G SFP+, 4X40G NM |
| 3140 | 49G | 45G | 45G | 8 x RJ45, 8 x 1/10/25G SFP+ | 10G/25G/40G SFP+, 4x40G NM |

Performance specifications and feature details


Table 2. Cisco Secure Firewall 3100 Series performance and capabilities, running on Firewall Threat Defense (FTD) software

| Features | 3110 | 3120 | 3130 | 3140 |
|---|---|---|---|---|
| Throughput: FW + AVC (1024B) | 17.0 Gbps | 21.0 Gbps | 38.0 Gbps | 45.0 Gbps |
| Throughput: FW + AVC + IPS (1024B) | 17.0 Gbps | 21.0 Gbps | 38.0 Gbps | 45.0 Gbps |
| Maximum concurrent sessions, with AVC | 2 million | 4 million | 6 million | 10 million |
| Maximum new connections per second, with AVC | 130,000 | 170,000 | 240,000 | 300,000 |
| TLS¹ | 4.8 Gbps | 6.7 Gbps | 9.1 Gbps | 11.5 Gbps |
| Throughput: IPS (1024B) | 17.0 Gbps | 21.0 Gbps | 38.0 Gbps | 45.0 Gbps |
| IPSec VPN Throughput (1024B TCP w/Fastpath) | 8 Gbps | 10 Gbps | 17.8 Gbps | 22.4 Gbps |
| Projected IPSec VPN Throughput (1024B TCP w/ Fastpath) with VPN Offload (FTD 7.2) | 11.0 Gbps | 13.5 Gbps | 33.0 Gbps | 39.4 Gbps |
| Maximum VPN Peers | 3,000 | 6,000 | 15,000 | 20,000 |
| Local On-device Management | Yes | Yes | Yes | Yes |

| Features | All models (3110, 3120, 3130, 3140) |
|---|---|
| Centralized management | Centralized configuration, logging, monitoring, and reporting are performed by the Firewall Management Center or alternatively in the cloud with Cisco Defense Orchestrator |
| Application Visibility and Control (AVC) | Standard, supporting more than 4000 applications, as well as geolocations, users, and websites |
| AVC: OpenAppID support for custom, open source, application detectors | Standard |
| Cisco Security Intelligence | Standard, with IP, URL, and DNS threat intelligence |
| Cisco Secure IPS | Available; can passively detect endpoints and infrastructure for threat correlation and Indicators of Compromise (IoC) intelligence |
| Cisco Malware Defense | Available; enables detection, blocking, tracking, analysis, and containment of targeted and persistent malware, addressing the attack continuum both during and after attacks. Integrated threat correlation with Cisco Secure Endpoint is also optionally available |
| Cisco Secure Malware Analytics | Available |
| URL Filtering: number of categories | More than 80 |
| URL Filtering: number of URLs categorized | More than 280 million |
| Automated threat feed and IPS signature updates | Yes: class-leading Collective Security Intelligence (CSI) from the Cisco Talos Group (https://www.cisco.com/c/en/us/products/security/talos.html) |
| Third-party and open-source ecosystem | Open API for integrations with third-party products; Snort® and OpenAppID community resources for new and specific threats |
| High availability and clustering | Active/active, Active/standby. Cisco Secure Firewall 3100 Series allows clustering of up to 8 chassis |
| Cisco Trust Anchor Technologies | Secure Firewall 3100 Series platforms include Trust Anchor Technologies for supply chain and software image assurance. Please see the section below for additional details |

1 Throughput measured with 50% TLS 1.2 traffic with AES256-SHA with RSA 2048B keys.

NOTE: Performance will vary depending on features activated, and network traffic protocol mix, and packet size characteristics.
Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.

Table 3. Cisco Secure Firewall 3100 Series performance and capabilities, running on ASA software

| Features | 3110 | 3120 | 3130 | 3140 |
|---|---|---|---|---|
| Stateful inspection firewall throughput¹ | 18.0 Gbps | 22.0 Gbps | 42.0 Gbps | 49.0 Gbps |
| Stateful inspection firewall throughput (multiprotocol)² | 15.0 Gbps | 17.0 Gbps | 39.0 Gbps | 43.0 Gbps |
| Concurrent firewall connections | 2 million | 4 million | 6 million | 10 million |
| New connections per second | 300,000 | 500,000 | 875,000 | 1,100,000 |
| IPsec VPN throughput (450B UDP L2L test) | 8 Gbps | 10 Gbps | 14 Gbps | 17 Gbps |
| Projected IPsec VPN throughput (450B UDP L2L test) with VPN Offload (ASA 9.18) | 12.0 Gbps | 15.4 Gbps | 28.0 Gbps | 33.0 Gbps |
| Maximum VPN Peers | 3,000 | 7,000 | 15,000 | 20,000 |
| Security contexts (included; maximum) | 2; 100 | 2; 100 | 2; 100 | 2; 100 |
| High availability | Active/active and active/standby | Active/active and active/standby | Active/active and active/standby | Active/active and active/standby |
| Clustering | 8 | 8 | 8 | 8 |

| Features | All models (3110, 3120, 3130, 3140) |
|---|---|
| Scalability | VPN Load Balancing |
| Centralized management | Centralized configuration, logging, monitoring, and reporting are performed by Cisco Security Manager or alternatively in the cloud with Cisco Defense Orchestrator |
| Adaptive Security Device Manager | Web-based, local management for small-scale deployments |

1 Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
2 “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.


Hardware specifications
Table 4. Cisco Secure Firewall 3100 Series hardware specifications

| Features | 3110 | 3120 | 3130 | 3140 |
|---|---|---|---|---|
| Dimensions (H x W x D) | 1.75 x 17 x 20 in. (4.4 x 43.3 x 50.8 cm) | 1.75 x 17 x 20 in. (4.4 x 43.3 x 50.8 cm) | 1.75 x 17 x 20 in. (4.4 x 43.3 x 50.8 cm) | 1.75 x 17 x 20 in. (4.4 x 43.3 x 50.8 cm) |
| Form factor (rack units) | 1RU | 1RU | 1RU | 1RU |
| Integrated I/O | 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10 Gigabit (SFP) Ethernet interfaces | 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10 Gigabit (SFP) Ethernet interfaces | 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10/25 Gigabit (SFP) Ethernet interfaces | 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10/25 Gigabit (SFP) Ethernet interfaces |
| Network modules | 8 x 1/10G Options | 8 x 1/10G Options | 8 x 1/10/25G, 4 x 40G Options | 8 x 1/10/25G, 4 x 40G Options |
| Maximum number of interfaces | Up to 24 total Ethernet ports (8x1G RJ-45, 8x1/10G SFP, and network module) | Up to 24 total Ethernet ports (8x1G RJ-45, 8x1/10G SFP, and network module) | Up to 24 total Ethernet ports (8x1G RJ-45, 8x1/10/25G SFP, and network module) | Up to 24 total Ethernet ports (8x1G RJ-45, 8x1/10/25G SFP, and network module) |
| Integrated network management ports | 1 x 1/10G SFP | 1 x 1/10G SFP | 1 x 1/10G SFP | 1 x 1/10G SFP |
| Serial port | 1 x RJ-45 console | 1 x RJ-45 console | 1 x RJ-45 console | 1 x RJ-45 console |
| USB | 1 x USB 3.0 Type-A (900mA) | 1 x USB 3.0 Type-A (900mA) | 1 x USB 3.0 Type-A (900mA) | 1 x USB 3.0 Type-A (900mA) |
| Storage | 1x 900 GB, 1x spare slot | 1x 900 GB, 1x spare slot | 1x 900 GB, 1x spare slot | 1x 900 GB, 1x spare slot |
| Power supply configuration | Single 400W AC, Dual 400W AC optional. Single/Dual 400W DC optional¹ | Single 400W AC, Dual 400W AC optional. Single/Dual 400W DC optional¹ | Dual 400W AC. Single/dual 400W DC optional¹ | Dual 400W AC. Single/dual 400W DC optional¹ |
| AC input voltage | 100 to 240V AC | 100 to 240V AC | 100 to 240V AC | 100 to 240V AC |
| AC maximum input current | < 6A at 100V | < 6A at 100V | < 6A at 100V | < 6A at 100V |
| AC maximum output power | 400W | 400W | 400W | 400W |
| AC frequency | 50 to 60 Hz | 50 to 60 Hz | 50 to 60 Hz | 50 to 60 Hz |
| AC efficiency | >89% at 50% load | >89% at 50% load | >89% at 50% load | >89% at 50% load |
| DC input voltage | -48V to -60VDC | -48V to -60VDC | -48V to -60VDC | -48V to -60VDC |
| DC maximum input current | < 12.5A at -48V | < 12.5A at -48V | < 12.5A at -48V | < 12.5A at -48V |
| DC maximum output power | 400W | 400W | 400W | 400W |
| DC efficiency | >88% at 50% load | >88% at 50% load | >88% at 50% load | >88% at 50% load |
| Redundancy | 1+1 AC or DC with dual supplies | 1+1 AC or DC with dual supplies | 1+1 AC or DC with dual supplies | 1+1 AC or DC with dual supplies |
| Fans | 2 hot-swappable fan modules (with 2 fans each)² | 2 hot-swappable fan modules (with 2 fans each)² | 2 hot-swappable fan modules (with 2 fans each)² | 2 hot-swappable fan modules (with 2 fans each)² |
| Noise | 65 dBA @ 25C, 74 dBA maximum | 65 dBA @ 25C, 74 dBA maximum | 65 dBA @ 25C, 74 dBA maximum | 65 dBA @ 25C, 74 dBA maximum |
| Rack mountable | Yes. Fixed mount brackets optional (2-post). Mount rails included (4-post EIA-310-D rack) | Yes. Fixed mount brackets optional (2-post). Mount rails included (4-post EIA-310-D rack) | Yes. Fixed mount brackets optional (2-post). Mount rails included (4-post EIA-310-D rack) | Yes. Fixed mount brackets optional (2-post). Mount rails included (4-post EIA-310-D rack) |
| Weight | 23 lb (10.5 kg): 1 x power supplies, 1 x NM, fan module, 1x SSD | 23 lb (10.5 kg): 1 x power supplies, 1 x NM, fan module, 1x SSD | 25 lb (11.4 kg): 2 x power supplies, 1 x NM, fan module, 1x SSD | 25 lb (11.4 kg): 2 x power supplies, 1 x NM, fan module, 1x SSD |
| Temperature: operating | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) or NEBS operation (see below)³ | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) |
| Temperature: nonoperating | -4 to 149°F (-20 to 65°C) | -4 to 149°F (-20 to 65°C) | -4 to 149°F (-20 to 65°C) | -4 to 149°F (-20 to 65°C) |
| Humidity: operating | 10 to 85% noncondensing | 10 to 85% noncondensing | 10 to 85% noncondensing | 10 to 85% noncondensing |
| Humidity: nonoperating | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing |
| Altitude: operating | 10,000 ft (max) | 10,000 ft (max) or NEBS operation (see below)³ | 10,000 ft (max) | 10,000 ft (max) |
| Altitude: nonoperating | 40,000 ft (max) | 40,000 ft (max) | 40,000 ft (max) | 40,000 ft (max) |
| NEBS operation (FPR-3120 Only)³ | | Operating altitude: 0 to 13,000 ft (3962 m). Operating temperature: Long term: 0 to 45°C, up to 6,000 ft (1829 m); Long term: 0 to 35°C, 6,000 to 13,000 ft (1829 to 3964 m); Short term: -5 to 55°C, up to 6,000 ft (1829 m) | | |

1 Dual power supplies are hot-swappable.


2 Fans operate in a 3+1 redundant configuration where the system will continue to function with only 3 operational fans. The 3 remaining fans will run at
full speed.
3 FPR-3120 platform is designed to be NEBS ready. The availability of NEBS certification is pending.

Table 5. Cisco Secure Firewall 3100 Series NEBS, Regulatory, Safety, and EMC Compliance

Specification Description
Regulatory compliance Products comply with CE markings per directives 2004/108/EC and 2006/108/EC
Safety • UL 62368-1
• CAN/CSA-C22.2 No. 62368-1
• EN 62368-1
• IEC 62368-1
• IEC 60950-1
• AS/NZS 62368-1
• GB4943
EMC: emissions • FCC 47CFR15 Class A
• AS/NZS CISPR 32 Class A
• EN55032/CISPR 32 Class A
• ICES-003 Class A
• VCCI Class A
• KS C 9832 Class A
• CNS-13438 Class A
• EN61000-3-2 Power Line Harmonics
• EN61000-3-3 Voltage Changes, Fluctuations, and Flicker

EMC: Immunity • IEC/EN61000-4-2 Electrostatic Discharge Immunity
• IEC/EN61000-4-3 Radiated Immunity
• IEC/EN61000-4-4 EFT-B Immunity
• IEC/EN61000-4-5 Surge
• IEC/EN61000-4-6 Immunity to Conducted Disturbances
• IEC/EN61000-4-11 Voltage Dips, Short Interruptions, and Voltage Variations
• KS C 9835
EMC: ETSI/EN • EN 300 386 Telecommunications Network Equipment (EMC)
• EN55032/CISPR 35 Multimedia Equipment (Emissions)
• EN55024/CISPR 24 Information Technology Equipment (Immunity)
• EN55035/CISPR 35 Multimedia Equipment (Immunity)
• EN61000-6-1 Generic Immunity Standard

Cisco Capital
Flexible payment solutions to help you achieve your objectives
Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help
you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than
100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party
equipment in easy, predictable payments. Learn more.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list
of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. C78-745072-02 08/22
Firewall (OT)
DeltaV Distributed Control System Product Data Sheet
October 2024

Emerson NextGen Smart Firewall


The Emerson NextGen Smart Firewall protects the DeltaV™ system with an easy-to-use perimeter defense solution.

• Purpose-built for easy deployment in the DeltaV™ system
• Easy-to-use HTML5 web based user interface
• “Firewall friendly” distributed component object model (DCOM) communications
• Monitor firewall hardware alerts on DeltaV operator workstations

Introduction

The Emerson NextGen Smart Firewall is a built-for-purpose perimeter firewall specifically designed to provide an easy to install and easy to maintain perimeter security solution for a Distributed Control System (DCS).

The Emerson NextGen Smart Firewall is a hardware-based perimeter protection solution designed to enforce highly controlled external network access to a DeltaV™ DCS. Even without security expertise, it is easy to configure to meet requirements for strongly enforced network segmentation.

The Emerson NextGen Smart Firewall is specifically designed for use with DeltaV systems. Its user-friendly interface provides simplicity through easy-to-understand setup menus. With pre-loaded DeltaV application rules, it is easy for a DeltaV administrator, or controls engineer, to create secure connections for DeltaV applications that communicate with computers outside the DeltaV network.

New Benefits of NextGen Firewall

Greater Bandwidth – The Emerson NextGen Smart Firewall offers the option of two models with either 10/100/1000 Mbps all copper Ethernet ports or a 1000 Mbps SFP Fiber external port and two 10/100/1000 Mbps copper Ethernet internal ports. Bandwidth supports improved performance for higher bandwidth applications, e.g., backup and recovery.
– Faster communication.

Ruggedized Construction – Convection-cooled high strength sheet metal non-condensing enclosure.
– Built for OT.

Traffic Shaping – Safeguard high performance of critical applications in limited bandwidth scenarios.
– Prioritization / Quality of Service (QoS).

User-friendly UI – Updated user interface.
– Simple and easy.

More Granular User Roles – More user roles/permissions providing increased, yet intuitive, access control.
– Enhanced role-based access controls (RBAC).

Centralize User Management – Control firewall access by integrating up to 4 redundant Lightweight Directory Access Protocol (LDAP) or 8 redundant Remote Authentication Dial-In User Service (RADIUS) authentication servers.
– Access Control Management.

Benefits Consistent with Previous Firewall

Purpose Built – The Emerson NextGen Smart Firewall is specifically designed for use in DeltaV network architecture. The user-friendly interface provides simplified and easy to understand setup menus.
– Simple to install and maintain.

Tailored to DeltaV Administrators – No security or IT expertise is required to set up and maintain standard features of the firewall, enabling DeltaV support personnel to manage the perimeter security of a DeltaV system.
– No expertise for standard features.

Extensive, out of the box DeltaV Application List – Over 80 pre-loaded application rules are provided with the Emerson NextGen Smart Firewall, covering connections typically used with DeltaV systems. The ability to add additional custom applications is supported.
– Easy communications setup.

Management Interface – The password protected, web-based user interface provides intuitive, menu-based navigation and easy-to-understand configuration selections.
– Ease of management.

Simplify DCOM Connectivity – Advanced capability makes the firewall DCOM “friendly.” Dynamic port mapping provides a more secure solution for communications.
– Easier and more secure DCOM communications.

Conform to new Security Standards – The Emerson NextGen Smart Firewall allows you to meet emerging security standards that require strong network perimeter protection with an economical and easy to implement solution.
– Meet security standards.

www.emerson.com/deltav 2

Hardware Description
The Emerson NextGen Smart Firewall is a DIN rail, or rack mountable, 20-48 V DC device. It is a fanless device with rugged
convection cooled metal construction fit for industrial environments.

Emerson NextGen Smart Firewall all copper Ethernet (TX) model. Emerson NextGen Smart Firewall dimensions.

Recovery Port – serial port to access Command Line Interface (CLI) for same role based configuration access as the WebUI.

External Local Area Network (LAN) Connection – network connection for external LAN.

DeltaV Connection – network connection to the L2.5 on the DeltaV workstations.

Status Indicator LEDs – provides visual indication of firewall status.

Power Inputs and Supplies: Bringing power from two different sources increases overall availability.

USB Drive: Stores configuration for quick firewall replacement if option is enabled by the user.

L2.5 and the DeltaV Security Zone

The Emerson NextGen Smart Firewall is specifically designed to be installed at the perimeter of the DeltaV system and help manage external communication connections between the plant LAN or DMZ (demilitarized zone) and DeltaV workstations. Locating the firewall between DeltaV workstations and external plant networks creates a network that needs to be treated as part of the DeltaV security zone.

This network is architecturally located between the level 2 control network and the level 3 external network and is referred to as the “L2.5.”


Installing the Emerson NextGen Smart Firewall effectively locates the boundary of the DeltaV system at the external output of the firewall. The firewall and the networks below the firewall should be treated as high security zones.

All communications allowed through the firewall should be tightly managed to permit only data flows and remote user access necessary to manage the system and export or import process information.

[Figure: network architecture, top to bottom: Plant/Enterprise LAN (Firewall or Security Appliance managed by IT; Anti-virus and Patches Servers; Historian Data Servers); Level 3 LAN; DMZ or Secure Process LAN; Emerson NextGen Smart Firewall; The 2.5 LAN; Level 1 and 2 LAN.]


Ideally, each DeltaV system should have a dedicated Emerson NextGen Smart Firewall for ease of management and maintenance. L2.5 should only contain computers and devices that are dedicated to support the single DeltaV system connected to the DeltaV side of the firewall port. Computers that will be accessed by other DeltaV systems or other control systems should be in the DMZ.

Secure Configuration

The user interface of the Emerson NextGen Smart Firewall encourages a more secure environment where adding new connections or new external computers to the system requires deliberate action by the firewall administrator. This prevents unauthorized users from easily gaining access to the DeltaV control system without the knowledge of the firewall administrator.

The Firewall Configuration Interface

The Emerson NextGen Smart Firewall is configured from a built-in web-based interface (WebUI) that can be accessed from any workstation on the DeltaV network with network access to the firewall. The WebUI is password-protected with granular access control that allows for four different levels of user access (and one deny-list).

Firewall User Roles

There are different levels of user access: Administrator, Engineer, Auditor and Guest. Administrator has access to all functions for viewing and configuring the firewall configuration.

Engineer can configure some features (enable/disable protection rules) but cannot manage other users.

Creating new firewall users and assigning one of the preset roles is easy.

Emerson NextGen Smart Firewall Setup and Management

The Emerson NextGen Smart Firewall management interface has several sections that group similar functionality.

Access to the information in the tabs is user access controlled, so changes to the firewall settings can be assigned based on user roles.

Easy-to-Configure Communications Access

The “smart” part of the Emerson NextGen Smart Firewall lies in the pre-loaded list of DeltaV application rules increasing configuration simplicity.

The list includes application rule information for all the standard DeltaV applications that are designed to communicate with applications located on the L3/DMZ Network computers or above.

The UI shows all communication paths through the firewall that are currently being used.

Pre-loaded application rules are part of the configuration and can be managed by the user to delete rules that would never be used in a specific system, to reduce the size of the list, and to configure custom rules.

Applications can also be disabled or deleted so that they do not appear in the application list when creating authorized communications. This allows the administrator to delegate the ability to create a very limited set of communications to a user assigned the “engineer” access role.

Rules can be renamed to fit the context of a specific site’s nomenclature.

Customer-specific (custom) rules can easily be created and added to the list to support non-DeltaV applications that will communicate through the firewall.

It is also easy to add new DeltaV applications to the list when upgrading your system.

[Figure caption: DeltaV Application rules are pre-loaded.]


Emerson NextGen Smart Firewall Features and Capabilities


Hardware Specifications

Dimensions: 7.37 in. high x 5.34 in. wide x 2.75 in. deep

Weight: 69.13 oz (1960 g)

Power Supply:
• 2 voltage inputs for redundant power supply
• Safety extra-low voltage (SELV), redundant inputs disconnected
• Nominal Voltage DC = 24 V DC … 48 V DC
• Voltage Range DC = 20 V DC … 58 V DC
• Connection Type – 6-pin terminal block

Input Terminal Block:
• 24 AWG (0.2 mm²) ... 18 AWG (0.75 mm²)
• One individual conductor in a clamping point
• Grounding Conductor – at least 18 AWG (0.75 mm²)

Signal Contact:
• Connection Type – 6-pin terminal block
• Tightening Torque – 7 lb-in (0.79 N-m)
• Nominal Value – (Imax = 0.5 A at Umax = 24 V DC), (Imax = 0.5 A at Umax = 48 V DC)

Digital Input:
• Connection Type – 2-pin terminal block
• Tightening torque – 7 lb-in (0.79 N-m)
• 24 AWG (0.2 mm²) ... 18 AWG (0.75 mm²)
• Maximum permitted input voltage range = -32 V DC … +32 V DC
• Nominal input voltage = 24 V DC
• Input voltage, low level, status “0” = -0.3 V DC … +5.0 V DC
• Input voltage, high level, status “1” = +11 V DC … +30 V DC
• Maximum input current at 24 V input voltage = 15 mA
• Input characteristic acc. to IEC 61131-2 (current-consuming): Type 3

Power Consumption/Power Output:
• Max Power Consumption = 15 W
• Power Output = 51 Btu (IT)/h

Mounting: Supports rackmount kit, DIN Rail kit or wall mounting

Environmental:
• Ambient air temperature* – (-40°F … +158°F) or (-40°C ... +70°C)
• Storage/transport temperature – (-40°F ... +185°F) or (-40°C ... +85°C)
• Relative humidity (non-condensing) – (10% ... 95%)

Certifications: FCC, UL, CE, UKCA RoHS, China RoHS, RCM, EAC

*For the Rackmount Kit, the power supplies are rated at a max operating temperature of 55°C.


Specifications – Emerson NextGen Smart Firewall


Compatibility with DeltaV versions
The Emerson NextGen Smart Firewall is compatible with all versions of DeltaV¹.
Custom communications rules can be created to allow the firewall to be used with virtually any system or application².
1. The ports and protocol parameters used in the DeltaV system and complementary products available in the Application List have been tested with
all supported versions of DeltaV. These parameters should also be valid for older versions of the applications. However, it is possible that there are
differences in the older application versions that are not reflected in the current Application List. If differences are encountered, the Application List is user
configurable to allow the correct parameters to be changed and/or entered manually into the list. Custom applications can also be created and added to
the Application List.
2. Use of the firewall is not limited to the protection of just DeltaV systems, but it can be used to protect many different systems. The Application List specific
to Emerson communications can be removed and lists specific to the applications easily created.

Capacities
Max Throughput Up to 1 Gbps (1000 Mbps)
Max VPN Sessions 64 max VPN Tunnels possible
Max Concurrent VPN Connections 16 max active sessions

Specifications – Emerson NextGen Smart Firewall


Firewall Users: Supported user types:
• Administrator – full access
• Engineer – limited configuration access
• Auditor – device monitoring and saving logs
• Guest – device monitoring only
• Unauthorized – blocked access (deny-list)

Interface

Configuration: Firewall configuration is supported using the built-in HTML5 browser-based interface.

Ports: Two models:
• VE6206TX - 2x 10/100/1000 Mbps Copper Ethernet Internal-Ports and 1x 10/100/1000 Mbps Copper Ethernet External-Port
• VE6206SFP - 2x 10/100/1000 Mbps Copper Ethernet Internal-Ports and 1x 1000 Mbps SFP Fiber External-Port

USB 3.0: 1x USB 3.0 port to be used for backups, recovery, and firmware upgrades. USB is not included.

Serial/Console: V.24 console port for local management with command line capability. Serial cable not included.

Status LEDs: LEDs on front panel for supply voltage indication, device status, fiber connection (where applicable), USB storage medium presence and status, VPN (if enabled using advanced menus) and for future use.

Power: 6-pin terminal block with uncoupled inputs with no distributed load.


Emerson NextGen Smart Firewall Network Security Features


Stateful Firewall

Supported Firewall Modes: Routed Mode, Transparent Mode, NAT

Security: DoS Prevention, IPSec VPN, OPC Enforcer, Modbus TCP Enforcer

Dynamic Host Configuration Protocol (DHCP) Server: Provides network (IP) addresses to devices on the DeltaV side of the firewall. DHCP can be disabled to allow static addressing of DeltaV workstations.

DHCP Client: External firewall port can obtain network (IP) address from external DHCP server or use a static address. (DHCP client disabled by default. DHCP client for external port ideal with a reserved IP address from external DHCP server. Alternatively, static addressing can be used to avoid DHCP readdressing the firewall external port).

Infrastructure

DeltaV NDCC Integration and Monitoring: SNMPv3 access can be enabled to monitor firewall parameters. Network Device Command Center (NDCC) can be used to monitor Emerson NextGen Smart Firewall hardware alarms on DeltaV v13.3.2 and later.

Syslog Support: The firewall can send all logs to a Syslog server (e.g., Kiwi Syslog) if enabled and the server address configured.

Network Time Protocol (NTP) Support: The firewall can have time set locally, get time from connected computer, or through an NTP Server.

Ordering Information
| Description | Model Number |
|---|---|
| Emerson NextGen Smart Firewall - Copper Internal Ports, Copper External L2.5 Port | VE6206TX |
| Emerson NextGen Smart Firewall - Copper Internal Ports, SFP Fiber External L2.5 Port. A Fiber Optic SFP Transceiver is required (and not included). | VE6206SFP |
| DeltaV Bulk Power Supply 100-240 V AC to 24 V DC, 5A. This option is available if you want to order the power supply component as a standalone. Otherwise, for the complete “KIT”, reference VE6206XX-KIT part numbers below. | VE5138 |
| Rackmount Adapter for use with Emerson NextGen Smart Firewall. This option is available if you want to order the power supply component as a standalone. Otherwise, for the complete “KIT”, reference VE6206XX-KIT part numbers below. | VE6206RM |


Rackmount Kit
The Emerson NextGen Smart Firewall is available in a 2U, 19inch x 8.5inch Rackmount Kit that consists of: one firewall,
two 24V DC power supplies, and a 2U rack mount.

| Description | Model Number |
|---|---|
| Rackmount Kit: Emerson NextGen Smart Firewall, Copper Ethernet Ports; Two 24 V DC Power Supplies*, and 1 Rackmount Adapter. Does not include power cabling. | VE6206TX-KIT |
| Rackmount Kit: Emerson NextGen Smart Firewall, SFP and Copper Ethernet Ports; Two 24V DC Power Supplies*, and 1 Rackmount Adapter. Does not include power cabling. A Fiber Optic SFP Transceiver is required (and not included). | VE6206SFP-KIT |

*Power supplies max operating temperature 55°C

Fiber Optic SFP Transceivers for use in Emerson NextGen Smart Firewall
The Gigabit transceivers can be used only in the gigabit WAN port of the VE6026SFP model.

The transceiver VE6050T011 cannot be used when certain certifications are required such as: KCC.
Note: The Emerson NextGen Smart Firewall must use the transceiver modules indicated below. It is not compatible with other brands of transceiver modules.

| Description | Model Number |
|---|---|
| Transceiver for Emerson NextGen Smart Firewall: 1 Gigabit Ethernet; Single Mode Long Haul, for up to 120 Kilometers of fiber-optic cable (M-SFP-LH+/LC). | VE6050T01 |
| Transceiver for Emerson NextGen Smart Firewall: 1 Gigabit Ethernet; Single Mode Long Haul, for up to 80 Kilometers of fiber-optic cable (M-SFP-LH/LC-EEC). | VE6050T02 |
| Transceiver for Emerson NextGen Smart Firewall: 1 Gigabit Ethernet; Single Mode, for up to 20 Kilometers of fiber-optic cable (M-SFP-LX/LC EEC). | VE6050T03 |
| Transceiver for Emerson NextGen Smart Firewall: 1 Gigabit Ethernet; Multi-mode, for up to 550 meters of fiber-optic cable (M-SFP-SX/LC EEC). | VE6050T07 |
| Transceiver for Emerson NextGen Smart Firewall: 1 Gigabit Ethernet; Single Mode, for up to 20 Kilometers of fiber-optic cable (SFP-GIG-LX/LC EEC). | VE6050T011 |

Related Products
DeltaV Smart Switches – the DeltaV Smart Switch and the DeltaV Network Device Command Center (NDCC) are also part of DeltaV family of built-for-purpose security related products.

Prerequisites
To implement the Emerson NextGen Smart Firewall, it is helpful to have basic knowledge of Ethernet networking including network addressing and routing.

Continuous Threat Detection (CTD)
Industrial

SOLUTION OVERVIEW

Claroty Continuous Threat Detection


Comprehensive On-Premise CPS Cybersecurity for The Modern OT Network

Digitalization initiatives and the expansion of remote workforces have transformed enterprises, causing once-isolated operational technology (OT) environments to become interconnected with their information technology (IT) counterparts. The result is the rise of converged IT/OT networks that offer great opportunities to enhance innovation and efficiencies within OT environments. However, as organizations continue to embrace digital transformation they face growing complexity in protecting their cyber-physical systems (CPS) amid expanding threat activity by malicious cyber actors.

Due to their unique architectures, proprietary protocol usage, and environmental and operational constraints, existing IT solutions fall short when protecting CPS. Purpose-built OT security is critical to provide a comprehensive solution for CPS cyber risk reduction enabling quicker time to value and a lower total cost of ownership.

Claroty Continuous Threat Detection (CTD) was created to help operational and/or cyber practitioners overcome the challenges of cyber-physical connectivity. Achieving resilience is far from impossible – and it requires a robust set of requirements that cannot be satisfied by traditional IT-centric solutions. Powered by an unmatched library of CPS communication protocols and in-depth industry knowledge, CTD provides superior visibility to OT environments. This enables the further implementation of core cybersecurity controls that span the entire cyber-physical security journey. These controls cover:
• Exposure Management
• Threat Detection
• Remote Incident Response

At A Glance
• Delivers complete visibility into industrial environments with multiple discovery methods and deployment mechanisms
• Supports the full cyber-physical system (CPS) cybersecurity journey from asset discovery to network integration and optimization
• Detailed network mapping supports automated zoning and virtual network segmentation
• Provides a contextualized root-cause analysis and risk-based scoring for all alerts
• Integrates with Claroty xDome Secure Access to enhance remote session incident response and investigation
• Leverages existing IT infrastructure such as SIEM, Firewalls, SOAR, CMDB tools to extend core cybersecurity capabilities to industrial environments

claroty.com ©Copyright Claroty. All rights reserved


Asset Discovery
Effective OT cybersecurity starts with knowing what needs to be secured. CTD leverages the broadest and deepest OT protocol coverage in the industry and employs multiple discovery methods to ensure the most complete network profile.

• Passive Monitoring: Continuous monitoring of network traffic to identify asset profiles
• Safe Queries: Targeted discovery of assets in their native protocol
• Claroty Edge: Speedy, host-based asset profiling through localized queries
• Project File Analysis: Regular ingestion of offline configuration files for asset enrichment

Claroty CPS discovery methods

This multi-spectral approach helps to uncover parts of the network that are not suitable for a single discovery method and results in unmatched visibility into CPS environments. This depth of discovery is seen across three aspects of visibility:
1. Breadth of Discovery: Employ distinct, highly flexible methods that can be combined or used separately to create comprehensive asset profiles
2. Zone-Based Mapping: Leverage in-depth asset profiles and communication monitoring to automate virtual segmentation of the OT network into Virtual Zones.
3. Identify Asset Changes: Additions to the network, configuration changes, and anomalies are some of the many variables monitored by CTD to support MoC programs

Claroty CTD segmentation view with virtual zones



Exposure Management
CTD automatically compares each asset in an OT environment to an extensive database of insecure protocols, CVEs, configurations, substandard security practices, and other vulnerabilities tracked by Claroty’s award-winning Team82 researchers. As a result, users can identify, prioritize, and remediate risk exposures in OT networks more effectively.
• Identify Exposures: Profile assets to identify their exposure to risk, including vulnerabilities, misconfigurations, end-of-life insights, and more
• Attack Vector Mapping: Contextualize and validate exposures by analyzing known risks to calculate the most likely scenarios in which an attacker could compromise the network
• Risk-Based Scoring: Automatically evaluate and score vulnerabilities based on the unique risk they pose to your network, enabling more efficient and effective prioritization and remediation

CTD Risk Score comprised of five unique factors

Threat Detection
Threats to OT networks are often innovative yet can be deceptively simple, exploiting our compulsion toward process adherence to introduce risk. CTD utilizes multiple detection engines to automatically profile all assets, communications, and processes in OT networks, generate a behavioral baseline that characterizes legitimate traffic in order to weed out false positives, and alert users in real-time to anomalies and known, unknown, and emerging threats. Highlights:
• Detect Known and Unknown Threats: Characterize legitimate traffic to detect anomalous communications, identify threat signatures, weed out false positives, and alert users in real-time to known, unknown, and emerging threats.
• Operational Event Alerting: Continuously monitor critical change operations in the industry environment to help ensure your process integrity and uptime, receiving alerts for actions like configuration downloads which provide insights into the exact code changes within a file.
• MITRE ATT&CK Alert Mapping: Incoming alerts are mapped to the MITRE ATT&CK for ICS Framework to help increase the context surrounding the event and assist in identifying known remediation measures.
• Root Cause Analysis: Reduce network noise, false positives, and overall alert fatigue by correlating related alerts and indicators into a single chain-of-events, providing a consolidated view of the activities surrounding an alert.



Claroty CTD alert view showing root-cause analysis and chain of events
Remote Incident Response
As part of a holistic approach to CPS cybersecurity, CTD and Claroty xDome Secure Access join forces to drive enhanced alert response capabilities across the two solutions, enabling users to detect, investigate, and respond to incidents from any location. As a result, organizations can adapt their overall security posture and workflows for a remote, distributed, or hybrid work environment with:
• Receive alerts and related indicators for events during remote sessions directly within CTD
• Investigate remote user activity with access to remote logs, live monitoring, and recorded sessions
• Respond to remote incident alerts with the ability to immediately disconnect remote sessions

CPS Protection with Claroty


Claroty’s unrivaled industry expertise across a variety of manufacturing and other critical infrastructure sectors
and breadth of cyber-physical-system (CPS) knowledge sits at the foundation of our comprehensive portfolio
of cybersecurity solutions. This protection begins with Claroty’s intimate understanding of CPS networks and
all assets within them. Recognizing that no two CPS networks are the same, there cannot be a one-size-fits-all
approach to discovering them.

Our solutions, paired with cloud-based or on-premises deployment modes, eliminate the need to purchase and
maintain multiple point products and provide the flexibility to choose the deployment approach that best suits
asset owners’ scalability needs, cost considerations, and compliance requirements. This dynamic approach to
CPS cybersecurity is why Claroty is able to help critical infrastructure enterprises reduce the cyber risk that
results from increased connectivity with the quickest time-to-value (TTV) and a lower total cost of ownership
(TCO)–regardless of the scale or maturity of the asset owners’ CPS cybersecurity program.

About Claroty

Claroty empowers organizations to secure cyber-physical systems across industrial, healthcare, commercial, and public sector environments:
the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full
range of controls for visibility, exposure management, network protection, threat detection, and secure access.

Backed by the world’s largest investment firms and industrial automation vendors, Claroty is deployed by hundreds of organizations at
thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America.
To learn more, visit claroty.com.



Reference
1. CISCO Secure Firewall 3100 Series
https://www.emerson.com/documents/automation/product-data-sheet-emerson-nextgen-smart-firewall-ve6206-deltav-en-57794.pdf
2. Emerson NextGen Smart Firewall
https://www.secureitstore.com/datasheets/secure-firewall-3100-series-ds.pdf?srsltid=AfmBOoqKwx5vxr5LkBe4XYm0hYT7754dQxIO5RJx9d8wg_54Fl1nqp3s
3. Claroty Continuous Threat Detection (CTD)
https://web-assets.claroty.com/resource-downloads/ctd-overview-2024.pdf
