OnLogic Quick Start Guide | OT Cybersecurity

Initial Setup

After you purchase the BlastWave certified OnLogic Gateway, the following Quick Start Guide will walk you through the initial connection and configuration of your device.

First Steps and Concerns

Before you begin, please take a moment to review power, mounting, ambient temperature, and airflow considerations.

CL210G - Prepare adequate space for DIN rail mounting, if possible. The CL210G requires 12VDC, which may come from a preexisting power supply rail or the included power supply. The CL210G uses a mini DisplayPort digital video connector. Please see the manufacturer’s device manual for more information: https://static.onlogic.com/resources/manuals/OnLogic-CL200-Series-Manual-v2.pdf
‍
K410 - The K410 may be Wall, Surface, VESA, or DIN rail mounted (with appropriate hardware). The voltage block may be rail provided or, if PoE module configured, with Power over Ethernet. The K410 uses a full-sized DisplayPort digital video connector. Please see manufacturer’s device manual for more information: https://static.onlogic.com/resources/manuals/OnLogic-K410-K430-Manual-v6.pdf
‍

Network Connections

Each BlastWave certified OnLogic Gateway provides two (2) RJ45 Ethernet ports. One of these will be used for Uplink (to the Internet, Higher Levels, or Routing network) and the other will in most cases connect downstream to the Endpoint network (with the devices to be protected, such as RTUs, PLCs, or Relays).

After removing the unit from its shipping material, provide at least one live network connection to the Uplink port that can connect to the BlastShield Orchestrator hosted in the cloud at https://lighthouse.blastwave.com across UDP/12345 or within your on-premise network, if so configured.

The devices will utilize different RJ45 network ports depending upon the model number employed. The label in software may actually be opposite, however, in current iterations the Uplink port will be located on the left, if oriented as the picture below. It is critical that the Uplink port (sometimes called the WAN port) be connected to the correct subnet.

CL210G - The Uplink port on this unit will be labeled “enp2s0” within software and will be found closest to the USB 3.0 ports on the end of the device.

K410 - The Uplink port on this unit will be labeled as Port 1 on the outside, and can be found closest to the Display Port (DP) on the end of the device. The K410 may be configured to make use of Power over Ethernet (PoE), if so, please consult vendor documentation and ensure that

‍

Please note that in certain cases, the Gateway may be configured in passive mode utilizing only a single Ethernet port. Contact your BlastWave Representative for more information.

While the manufacturer intends these devices to function as “headless” systems, with no permanent keyboard, video, or mouse (KVM) required. For initial configuration, please connect a digital video monitor to the device using either DisplayPort or a DisplayPort-to-HDMI adapter.

Registering Device in BlastWave Orchestrator

Before the BlastWave certified OnLogic Gateway may be used, it must first be registered to your BlastShield Orchestrator with a valid cryptographic invitation.

Booting the Gateway

After the device properly boots and loads the firmware image, it will display the BlastShield Main Menu which should include a “Local IP Address” and a “provisioning PIN code.” If you do not see both the IP Address and the PIN code, the device will not be prepared for provisioning into the BlastShield system. Follow these troubleshooting steps if you run into an issue:

Black Screen / No POST - Check power connection to device and video display. Check DisplayPort and/or HDMI connections.
POST / No Boot - Please remove any external media, such as USB drives, and cycle the power. If the device continues to display a message indicating “no boot drive found” please contact your vendor for help and support.
Stuck While Loading - If the boot process does not complete, try to cycle the power. If the device continues to POST and begin loading the BlastWave Gateway firmware but stops, please contact your vendor for help and support.
No IP Address - If no Dynamic Host Configuration Protocol (DHCP) server responds, the device will not be ready to enroll into your BlastShield Orchestrator. If DHCP will be used, please review the configuration of your network. If you wish to use a static IP address, please see the section below on configuring network interfaces.
‍

Registering the Gateway

At this point, log into your BlastWave Orchestrator and select Gateways from the left-hand menu. Click “Add New Gateway” and fill out the form with all required information. Finally, click “Save Changes” in the bottom right corner of the interface.

When the Orchestrator presents you with a choice, select “Provision Running Gateway Appliance” and complete the popup dialog with the IP address and PIN number from the interface of the device.

Finally, click on “Provision.”

In only moments after provisioning, the Gateway status in the BlastWave Orchestrator should change from “Unregistered” to “Online.”

If the device does not connect and move to an online status, it is likely that a firewall is blocking the gateway from communicating on UDP/12345 with the Internet and your cloud-hosted Orchestrator (or with your on-premise Orchestrator, as applicable).

Please contact the BlastWave support team or your internal Network Support team for more help and support.

Configuring Network Interfaces

If possible, BlastWave recommends utilizing DHCP with Address Reservations to simplify the configuration of the BlastShield Gateway, now and in the future. Use your DHCP server interface to assign the appropriate address reservation by MAC address. Check with your internal network team and policy documentation for more information. Once a reservation has been created, cycle the power on the BlastWave Certified OnLogic Gateway to verify at the device console that the correct IP has been assigned.

If DHCP (with or without reservations) will not be used on the Uplink connection, you will need to select “Configure network interfaces” from the main console menu.

Then select “Manual Configuration” from the options listed.

When configuring the Uplink Port, verify that the Linux interface name matches the one noted above (Network Connections) for your device model. Generally, the interface designations are listed in numerical order, not physical order.

Finally, enter the correct IP address, subnet gateway (router), and DNS server addresses. Please note that the IP address must be entered with the network prefix, sometimes called CIDR notation. It is imperative that the address include the network prefix or the subnet will default to a thirty-two bit subnet (i.e., /32).

Commonly, the prefix will be twenty-four bits, or /24, to indicate a subnet mask of 255.255.255.0. Be certain to verify the bit length of the subnet where you will Uplink your BlastWave Certified OnLogic Gateway or inconsistent behavior will result!

Consult a subnet calculator if needed: https://www.calculator.net/ip-subnet-calculator.html

Quick Start Guide

Implementing the BlastWave certified OnLogic CL210G and K410 Gateways.

US BlastWave Products

EU BlastWave Products

UK BlastWave Products