Technical Tip: How to configure DNP3 Proxy on FortiGate Rugged

This article describes how to configure a FortiGate Rugged unit to act as a DNP3 proxy server. With this functionality, the FortiGate-Rugged can receive TCP/IP-based DNP3 polls from a Master station and act as a network proxy for a Remote Terminal Unit (RTU) attached to its onboard DB9 serial port.

FortiGate Rugged on FortiOS 7.0 and later (dnp3-proxy is not present on non-Rugged FortiGates).

DNP3 proxy functionality can be configured under 'config system dnp3-proxy' as follows:

config system dnp3-proxy

    set status <enable | disable>

    set port <1-65535, default = 20000>

    set term-baudrate <19200 | 38400, default = 19200>

    set term-databits <0-65535, default = 8>

    set term-stopbits <0-65535, default = 1>

    set term-parity <none | odd | even, default = none>

    set term-flowcontrol <none | xon_xoff | hardware, default = none>

end

The interface receiving the DNP traffic must have DNP allowed.

config system interface

    edit <interface>

        append allowaccess dnp

    next

end

Important notes:

• The 'set status' option was added in FortiOS 7.0.8 and 7.2.4. Prior to this, DNP3 proxy functionality was always enabled for FortiGate-Rugged units with no option to disable it (See Bug #686135 in the FortiOS Release Notes).
• In FortiOS v7.0.8 and v7.2.4, the 'set term-baudrate 9600' option was removed. The option was restored starting in FortiOS v7.2.8 and v7.4.4. See Issue ID# 929896 in Resolved Issues.

Troubleshooting Commands:

• Administrators can run the following diagnostic commands to view debug output for the DNP process on the FortiGate Rugged.
  
  

diagnose debug reset
diagnose debug application dnp -1
diagnose debug enable

• A packet capture on the FortiGate is also recommended to confirming polls are arriving successfully from the DNP3 Master.
  
  

diagnose sniffer packet any 'port 20000' 6 100 l