This article provides you with information related to the Windows Firewall, how to access, configure and adjust it.
A firewall is a program installed on your machine, or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It separates dedicated network segments, like your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed in multiple ways. The way we will look at in this TB is via the Windows search function.
Click the Windows icon and type in “firewall“. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI gives you a general overview of the basic functions of the software, displaying the current status of the firewall and which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, applied depending on where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if you are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall, which allows this profile to be set less restrictive.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a Windows domain. This profile should be the least restrictive of the three profiles because security is usually very well controlled within a domain.
By default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in response to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
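The defaults listed above can be checked from PowerShell. The following is an added example, not part of the original article and not a Bosch script; it uses only the built-in NetSecurity cmdlets, and the function name Test-FirewallBaseline is made up for illustration.

```powershell
# Added example: compare the three firewall profiles with the defaults described above.
# Requires the built-in NetSecurity module (Windows 8 / Server 2012 or later).

function Test-FirewallBaseline {
    # ActiveStore returns the effective settings: local policy merged with Group Policy.
    $fwProfiles = Get-NetFirewallProfile -PolicyStore ActiveStore
    foreach ($p in $fwProfiles) {
        $findings = @()
        if ("$($p.Enabled)" -ne 'True') {
            $findings += 'firewall is disabled'
        }
        if ("$($p.DefaultInboundAction)" -eq 'Allow') {
            $findings += 'unsolicited inbound traffic is allowed by default'
        }
        if ("$($p.DefaultOutboundAction)" -eq 'Block') {
            $findings += 'outbound traffic is blocked by default (differs from the behavior described above)'
        }
        [pscustomobject]@{
            Profile  = $p.Name
            Enabled  = $p.Enabled
            Inbound  = $p.DefaultInboundAction
            Outbound = $p.DefaultOutboundAction
            Findings = if ($findings) { $findings -join '; ' } else { 'matches the described defaults' }
        }
    }
}

# One row per profile (Domain, Private, Public)
Test-FirewallBaseline | Format-Table -AutoSize -Wrap
```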
In the Windows Firewall we can filter connections in two different ways: port exceptions (rule assigned to a dedicated port number) and program exceptions (rule assigned to a dedicated program).
In general we need to distinguish between the inbound (from somewhere to your machine) and outbound (from your machine to somewhere) rule-set.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
In the "Rule Type" dialog box, select "Port" depending on your need and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then click "New Rule…".
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path", browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane.
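The two procedures above (inbound port rule and inbound program rule) can also be carried out with the built-in NetSecurity cmdlets. This is an added example, not part of the original article; the port number, program path, rule names and the helper Add-RuleIfMissing are placeholders chosen for illustration, and the rules are limited to the Domain and Private profiles as an assumption.

```powershell
# Added example: run in an elevated PowerShell session.
# All names and values below are placeholders chosen for illustration.
$port    = 8443                                     # hypothetical TCP port
$program = 'C:\Program Files\Example\service.exe'   # hypothetical program path

# Settings shared by both rules ("Action" and "Profile" dialog boxes).
# The Public profile is left out on purpose; add it only if the service
# has to be reachable while connected to a public network.
$common = @{
    Direction = 'Inbound'
    Action    = 'Allow'
    Profile   = 'Domain', 'Private'
    Enabled   = 'True'
}

function Add-RuleIfMissing {
    param([Parameter(Mandatory)] [hashtable] $Rule)
    # Display names are not unique in Windows Firewall, so check first
    # to avoid piling up duplicate rules when the script is run again.
    $existing = Get-NetFirewallRule -DisplayName $Rule.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Rule '$($Rule.DisplayName)' already exists, nothing changed."
        return $existing
    }
    New-NetFirewallRule @common @Rule
}

# Port exception ("Rule Type" = Port, "Protocol and Ports" = TCP / specific local port)
Add-RuleIfMissing @{
    DisplayName = "Example service (TCP $port in)"
    Description = 'Allow inbound TCP connections to the example service port'
    Protocol    = 'TCP'
    LocalPort   = $port
}

# Program exception ("Rule Type" = Program, "This program path")
if (Test-Path -LiteralPath $program -PathType Leaf) {
    Add-RuleIfMissing @{
        DisplayName = 'Example service (program in)'
        Description = 'Allow inbound connections to the example service executable'
        Program     = $program
    }
} else {
    Write-Warning "$program not found, program rule not created."
}

# Show the result, the same information the rule list in the GUI displays
Get-NetFirewallRule -DisplayName 'Example service*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```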
Edit a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Properties" and adjust the rule according to your needs.
Close a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Delete".
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS to BVMS10, referring to the article TSG-Upgrading-VRM-from-32bit-to-64bit, you need to adjust the inbound and outbound rules "Bosch VRM Server" and "USB Transcoder".
To do so, right-click on the rule, which will open a context menu. Then click "Properties" and adjust the program path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe"
Keep in mind that you need to perform this action on all four rules (inbound and outbound).
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
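For reference, the manual path adjustment described above can be expressed with the built-in NetSecurity cmdlets as follows. This is an added example and not the script from set_fw_rules.zip; the rule names and program paths are the ones given in this article, and it assumes one inbound and one outbound rule exist under each name.

```powershell
# Added example: run in an elevated PowerShell session.
# Rule names and target paths are the ones given in this article.
$targets = @{
    'Bosch VRM Server' = 'C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe'
    'USB Transcoder'   = 'C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe'
}

foreach ($name in $targets.Keys) {
    $path = $targets[$name]

    # Never point an allow rule at a path that does not exist on this machine.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "$path not found, rules named '$name' left unchanged."
        continue
    }

    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($rules.Count -ne 2) {
        # Assumption: one inbound and one outbound rule per name (four rules in total).
        Write-Warning "Expected 2 rules named '$name', found $($rules.Count)."
    }

    foreach ($rule in $rules) {
        $current = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($current -ne $path) {
            $rule | Set-NetFirewallRule -Program $path
        }
        # Report what was changed so the result can be reviewed afterwards
        [pscustomobject]@{
            Rule       = $name
            Direction  = $rule.Direction
            OldProgram = $current
            NewProgram = $path
        }
    }
}
```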
Bosch has been providing 2 types of VRM packages: a 32bit and a 64bit version. Since VRM 3.82 we are only offering the 64bit version.
All of our released DIVAR IP units started off with a 32bit VRM, which includes a Transcoder service.
If you do not use the Start.exe included in the VRM Master Installer, you will not be offered the opportunity to also upgrade the Transcoder. Just running the Setup_VRM_Service_<version>.exe found in the <Install\Bosch> folder will cause the Transcoder service to stop functioning!
This also applies if the upgrade is done via the BVMS installer.
Since BVMS 10.0, VRM 3.82 "64bit" was implemented.
Due to the fact that BVMS does not manage the transcoder, it was not installed.
Also see Firewall settings: HowTo Configure Windows Firewall Rules, includes PS script to adjust the VRM 64bit and Transcoder rules.
Download the appropriate VRM version from our Downloadstore
Run the Start.exe
Deselect all components and choose only the Transcoder Service
Click on "Install"
To confirm that the Transcoder is fully functional, open your browser and navigate to the VRM Monitor:
Log in with your credentials
BVMS Lite and BVMS Viewer are BVMS editions that you can download and activate free-of-charge.
How can I set-up a basic (live and recorded video) BVMS system?
First, you need to download the software package, activate the BVMS Lite license and install the software. This is described in this article: BVMS - Activating a license.
Second, you need to prepare an iSCSI environment which is suitable for recording video. Any Windows Server based operating system will do. This is described in this article: BVMS - Configuring a Microsoft iSCSI target.
Last, you need to add cameras to the system and start the recording. This is described in this YouTube video: How to add a new camera using Configuration Client (BVMS).
Now, have a look at the Operator Client quick guide and you're ready to go!
Where can I get more information on advanced functionality?
Once the software (configuration client or operator client) is running you can press F1 at any time to open the embedded software help! All of the advanced functionality BVMS offers is explained in the help files.
Related Products
DiBos version 8.0 to 8.7
BRS version 8.8 and later
Question
How to configure LDAP in DiBos / BRS?
Answer
See attached 8 screenshots which guide through the LDAP configuration.
Known restrictions on the AD:
- users and user groups must be located in the same directory in the AD
- DiBos / BRS supports max. 1000 user groups in the AD
- Comma separated users (ex. User, John) are not supported.
In all VRM installation packages the required .NET framework package is included in the VRM installation routine.
As Microsoft Operating Systems are expected to get and have the latest security updates applied before installing any new software component like VRM (Video Recording Manager) or VSG (Video Streaming Gateway), the installer will successfully finish the installation routine. The same is valid for the BOSCH DIVAR IP product range: The DIVAR IP Appliance installer contains Microsoft update packages available from Microsoft at the time BOSCH creates the Appliance installer. But all Microsoft Updates released after the Appliance installer release date are not included in the BOSCH package. It is therefore recommended to check for Microsoft updates whenever a Bosch DIVAR IP Appliance installer is installed.
For VRM (Video Recording Manager) stand-alone Systems and Servers with VSG (Video Streaming Gateway) installed, it is also strongly recommended to check for Microsoft OS updates before the VRM Master Installer is installed/updated.
Note: In case an error code 5100 is shown during the VRM Software installation, please ensure that all Microsoft updates for the used Operating System are installed and then run the BOSCH Software installer once again. Microsoft provides more information here: https://blogs.msdn.microsoft.com/astebner/2008/10/13/net-framework-setup-verification-tool-users-guide/
For older BVMS and VRM installations please also refer to the following previous article:
This article describes how to set LUNs on a target to Read Only via Configuration Manager.
If you want to move a Storage from one VRM to another, this procedure is needed in order to retain your video footage until the desired Retention Time is over. All you need is the Configuration Manager on a PC in the same Network as the VRM. If you don’t have the Configuration Manager, you can download it here.
Please be aware that setting the LUNs to Read Only will decrease the Capacity of the VRM, which might lead to a lower Minimum Retention Time than desired. Calculate upfront whether the available Storage is enough!
Start the Configuration Manager and add the local VRM to the System.
Change to the Tab My devices and select the Target on the Storage Device you want to move.
Set all LUNs to the Type Read Only. It should look like this then.
Now press the button Set and acknowledge it in the next window.
Afterwards, the window looks like this and the LUNs are now in Read Only Mode.
Now you need to wait until your desired Retention Time has passed (e.g. 30 days). Afterwards you can remove the Storage from the VRM and add it to another VRM (in this process the Storage needs to be factory defaulted to work).
Status February 25, 2017
BOSCH offers and confirms that since February 2017 the firmware version 3.180.05-1562 can be used with the LSI MegaRAID Controller. In case there are newer versions supported and recommended with BOSCH DIVAR IP this will be announced in cooperation with the Product Management.
For DIVAR IP units (e.g. DIVAR IP 6000) BOSCH BT Security & Safety Systems offers a firmware update for the internal MegaRAID Controller.
It could happen that in the MegaRAID software the user can see the following: potential non-optimal configuration due, PD commissioned as Emergency Spare error.
Here we provide the steps to update a DIVAR IP system:
Using MegaRAID Storage Manager utility under OS
1) Open MSM, Right click on Supermicro MegaRAID controller to be updated and click Update Controller Firmware
2) Click Browse to search for new firmware
3) Select the new MegaRAID controller firmware
4) Click OK to continue
5) Check the “Confirm” box and click OK to continue
*** Wait for around 1~2 minutes to complete
6) Click OK once firmware update completed
7) Reboot the system and check firmware version in controller OPROM banner during boot. At the section Revision you can see version 3.180.05-1562
8) Check firmware version using MSM in OS. When selecting the "Supermicro SMC 2208 (Bus1, Dev 0)" device you can see on the right the "Firmware Version" = 3.180.05-1562
The firmware *.rom file is available via the following link - inside the ZIP file:
This Firmware Version is subject to change. Any new version must be announced by the BOSCH PRM responsible for DIVAR IP via the BT-ST/ETP-MKP2 organisation and BOSCH support at BT-ASA here in the BOSCH Knowledge Base.
Potential for Data Inconsistency Issues on E-Series Storage Systems
With controller firmware 11.50.1 and newer versions, NetApp fixed issues that require an immediate update of all E2800 iSCSI Storage Systems (their controllers). In July 2019 BOSCH announced the need to update from all former NetApp controller firmware 08.30.40.00 to newer versions. These newer versions should be certified and approved by BOSCH. In 2019 there was also an announcement by NetApp. All customers owning a NetApp storage system with a valid warranty agreement and a registered unit have access to the public announcement of NetApp. This was announced by NetApp on their support websites (see https://mysupport.netapp.com/).
Bosch approval 31st of January 2018: NetApp Firmware 08.30.40.00 no longer allowed for usage
Bosch approval 7th of May 2019: NetApp Firmware: 11.50.R1 no longer allowed for usage
Bosch approval 20th of September 2019: NetApp Firmware: 11.50.2 no longer allowed for usage
Outlook May 2020: NetApp works on a global release of a version newer than 11.60.1 - Please ensure that Bosch has certified any newer version before installing!
Please follow our BOSCH Knowledge Base and monitor for updates at this article for important news. The BOSCH submodel ID 356 ensures that the NetApp system is optimized for 24/7 video recording. See article here: https://community.boschsecurity.com/t5/Security-Video/TB-VS-date-2020-04-22-New-Firmware-11-50-3R1P3-is-available-for/ta-p/12778
All DSA E-Series (E2800 12-bay) and DSA E-Series (E2800 60-bay)
Example product variants:
DSA-N2E8X4-12AT Base unit 12x4TB High-performance and high-capacity storage system base unit with iSCSI disk arrays, single controller. DSA E2800, 12 x 4 TB HDD, Order number DSA-N2E8X4-12A
DSA-N2C8X4-12AT Dual controller unit 12x4TB High-performance and high-capacity storage system base unit with iSCSI disk arrays, dual controller. DSA E2800, 12 x 4 TB HDD, Order number DSA-N2C8X4-12AT
Note: There are other models with various HDD capacity (e.g. 8TB harddrives and larger) available. For more details visit the BOSCH product website.
Summary of issue
NetApp® has become aware of issues that could occur when an E-Series controller reboots at certain points during the evacuation of data from a drive that is performed as part of the sequence when a drive is being failed by the controller. As a result, there is a small possibility of data inconsistency on controllers running certain versions of E-Series SANtricity® OS controller software.
First announced in 06/2019: The issues are possible on E-Series controllers running 8.30, 8.40, 11.30, 11.40, and 11.50 versions of E-Series SANtricity OS controller software. The overall probability of these issues occurring is very low, but RAID 1 volumes have a higher probability of encountering the issues than other RAID levels or NetApp Dynamic Disk Pools. These issues do not affect traditional RAID volume groups that have no global hot spare drives because drive evacuation does not occur in this configuration. For information about fixes in these releases, view the readme notes for each revision release.
No workaround available. A Controller Firmware update is needed. An HDD Firmware update is not related to the issue described here, but it is in general recommended to install the latest offered HDD firmware that is recommended by BOSCH and NetApp. The same applies for HDD firmware.
Solution: Update the NetApp Controller Firmware
Upgrade E-Series SANtricity OS controller software to the latest applicable revision release for each platform as soon as possible. Please reach out to your local BOSCH technical team and BOSCH BT-SC/ETP-MKP team to ensure that the relevant NetApp Firmware has been approved to be usable for the 24/7 video recording and replay use case. Even the global NetApp Firmware can be installed on BOSCH submodel ID 356.
Where to get the Controller Firmware
All customers with a full NetApp NOW support account and valid warranty on their system can download the controller firmware by using their own NetApp user account. The version offered at the NetApp NOW platform should be certified and allowed by BOSCH for video use cases. See also: https://community.boschsecurity.com/t5/Security-Video/TB-VS-date-2020-04-22-New-Firmware-11-50-3R1P3-is-available-for/ta-p/12778
In case the download option is not offered to one of our customers, we kindly ask to make sure that the unit is registered to the company and that the NetApp NOW account belongs to the company that has registered the unit. In all other cases, please reach out to the BOSCH Support organisation or local Bosch Technical Support desk.
A NetApp SANtricity firmware / controller firmware package for E2800 model can be downloaded from the NetApp NOW website. Revisions can be found at https://mysupport.netapp.com/NOW/cgi-bin/software/ See also: https://mysupport.netapp.com/products/web/ECMLP2854621.html
Additional information is available at NetApp and accessible after user registration. First go to https://mysupport.netapp.com/ to register. Product Release Notes from NetApp: https://mysupport.netapp.com/ecm/ecm_download_file/ECMLP2842060
NetApp Support Bulletin, please view the following URL: https://kb.netapp.com/app/answers/answer_view/a_id/1086731 (As the URL can change any time by NetApp, search for the KB id 1086731)
Steps to update
The E-Series SANtricity ® OS package includes data for simplex controller and duplex controller systems and the firmware file itself.
NVSRAM file for duplex
NVSRAM file for simplex
and the controller firmware
Download the latest SANtricity OS software files from the NetApp Support Site to your management client.
From SANtricity System Manager, select Support > Upgrade Center.
In the area labeled “SANtricity OS Software upgrade,” click NetApp Support.
On the NetApp Support Site, click the Downloads tab, and then select Software.
Locate E-Series/EF-Series SANtricity OS (Controller Firmware).
For the platform, select E2800, and click Go!
Select the version of SANtricity OS (Controller Firmware) you want to install, and click View & Download.
Follow the online instructions to complete the file download.
Attention: Risk of data loss or risk of damage to the storage array — Do not make changes to the storage array while the upgrade is occurring. Maintain power to the storage array.
In August 2018 (10-08-2018) the VRM version 03.71.0029 was released.
The Video Recording Manager 03.71.0029 is fully supported with BVMS 8.0 and Product Management of BVMS and VRM recommend to use this VRM version instead of the former Release version of VRM 03.70.0056.
Changes / Bug Fixes:
One of the main bugfix reasons to use VRM 03.71.0029 is a fix for the correct display and replay of recorded clips in continuous and alarm recording mode. This fix is listed on page 2 of the attached Release Letter.
For troubleshooting and support reasons it is essential to double-check a reported gap in recording and to analyze on the Level 2 and Level 3 support side what circumstances could lead to a video gap. See in the following chapter what kind of data a trained BOSCH partner, Installer or Video expert should provide to the BOSCH Technical Support to advise on next steps. The data described below can and should be collected before the VRM software is changed and updated to a later version. Note: Video Recording Manager version 03.71.0029 is not the latest available version of VRM, but in combination with other 3rd party implementations or usage of a special BOSCH VMS software version (e.g. BVMS 8.0) this VRM version 03.71.0029 may be required.
VRM logging to collect for in depth expert troubleshooting
In certain situations and troubleshooting scenarios extended logfiles might be required. The BOSCH Level 1 and BOSCH Level 2 team will assist all users on how to collect these data and cooperate with the BOSCH Level 3 Support where needed.
Backup the configuration of BVMS and VRM (BVMS elements and VRM config.xml file)
Enable debug logging of the VRM. Depending on the Configuration Software used, debug logging needs to be enabled to get extended logging information. In case a gap in recording happened in the past, it is still helpful to enable the debug logging for a defined time for future incidents. To analyze a video recording gap that has already occurred, the available VRM logging must be collected.
Depending on the 32-Bit or 64-Bit version of the VRM software, the loggings are found in the "primary" or "secondary" sub-directory structure. Search for the ...\Bosch\Video Recording Manager\VRM Server folder on your VRM server to find a directory view similar to the one shown in the screenshot below:
Inside the directory "log" the standard logging data of the VRM are found and need to be collected. In addition to the standard logfiles of the relevant day, the debug logging from a defined time period needs to be provided in case debug logging was enabled prior to an incident.
Here the "debug" logfiles are found: The debug loggings are saved in a special directory "debug".
The Spanhistory logging provides details of the storage usage. It describes which internal "storage block" was used: the IP of the target, the LUN and the block used for a recording. The Spanhistory logfiles of the day on which the recording was done and shows issues (e.g. the video recording gap) are required.
As seen in an earlier screenshot above, the VRM configuration file is found in the directory: ...\Bosch\Video Recording Manager\VRM Server\primary
All versions of the config.xml need to be provided to the Technical Support.
Network switch has port security on and shuts down a NetApp iSCSI data port (e.g. CH3). This article is only relevant in aspects of network security / port security where MAC addresses are analysed. Some network security applications are capable of sniffing network packets thoroughly enough to pick up MAC addresses on E-Series Controller ports that are not seen in the Storage Array Profile data.
The password for the local admin and diagnostic port is set to the same starting with E2800 controller firmware 11.40.2 or later.
In case a user no longer knows the password, it is not possible to reset and re-configure this password by using the diagnostic port (serial port on the rear side near the uplink ports of the controller). With controller firmware older than 11.40.2 it was possible to reset the Administrator Password needed for configuration. But older NetApp controller firmware cannot and must not be used any longer due to other technical reasons. When accessing the Management Port IP to enter the WEB GUI of the NetApp E2800 system for configuration or support data collection, the Administrator Password is required. For the time being this is reported to NetApp to work out a solution for all NetApp customers and BOSCH.
Solution and Procedure:
Right now, BOSCH and our customers have no documented instruction or procedure to remove / reset the password. We are working on that with high pressure and awareness. We kindly ask all customers who require access to the configuration but do not have the Administrator Password on hand to reach out to BOSCH support and ask to send the request immediately up as a Level 3 Ticket to the Gatekeeper team at BOSCH BT-SC/ETP-MKP2 or BT-VS Support in the BU.