I. Introduction
To ensure system security, it is mandatory to update Ewon devices to the latest available firmware during installation.
Firmware version 23.0 has been specifically developed to comply with the new cybersecurity requirements of the Radio Equipment Directive (RED), effective August 1, 2025.
In addition to firmware updates, you must:
- Secure physical access to the Ewon device.
- Restrict LAN connections to authorized users only.
- Apply access rights levels in Talk2m to enforce the principle of least privilege.
These measures are essential to maintain the cybersecurity integrity of your installation.
II. Overview of Feature Changes
A) FTP server
Changes:
- Disabled by default
- Available on VPN and LAN; no longer available on WAN interfaces
Description:
The Ewon FTP server is now disabled by default (factory settings and after reset).
It can be enabled on VPN and/or LAN interfaces via the advanced parameter ‘ClosedDevice’.
Example values are listed below; see (link) for details:
| Behavior | ClosedDevice Value |
| --- | --- |
| FTP server is closed on all interfaces: LAN, WAN & VPN | 21 (default) |
| FTP (& HTTP) server is open on LAN & VPN | 0 |
| FTP server is closed on LAN, open on VPN | 1 |
| FTP server is closed on VPN, open on LAN | 16 |
The parameter can be set using the Tabular edition feature, under Setup > System > Storage > Tabular edition > Edit COM cfg.
B) NTP server
Changes:
- Disabled by default
Description:
The Ewon NTP server is disabled by default. To use the Ewon as an NTP relay, the NTP server must be manually enabled in Setup > System > Main > Net Services > NTP server.
C) USB over IP
Changes:
- Disabled by default
- Available on VPN and LAN; no longer available on WAN interfaces
Description:
USB over IP allows access to a USB device via a Talk2m connection, appearing locally in eCatcher. To use this feature, it must be manually enabled in Setup > System > Communication > General > USBIP.
When enabling, the default Log Level and Start Port values can be kept.
Note: A shortcut to the USBIP setup page is available on the Cosy+ summary page under the Gateway Status section.
D) HTTP server
Changes:
- Available on VPN and LAN; no longer available on WAN interfaces
Description:
The Ewon HTTP server, used to display the web configuration pages, is no longer accessible via the WAN interface.
E) SMTP client
Changes:
- SMTP client restricted to the VPN interface; no longer available on LAN or WAN (including WiFi and cellular)
Description:
The SMTP client, used to send email or SMS notifications (via digital inputs), now works only through the VPN interface using the Talk2m mail relay.
Using a custom SMTP server is no longer supported.
F) Profinet Explorer
Changes:
- Network scan starts only when the user clicks the Refresh button.
Description:
Previously, the Profinet Explorer started scanning automatically when the page was opened. Now, the scan must be manually triggered using the Refresh button.
Path: Setup > System > Main > Net services > Profinet Explorer
G) DynDNS
Changes:
- No longer supported.
Description:
The DynDNS (dynamic DNS) feature has been removed from the Ewon device.
III. Reinforced Logging and Traceability
Authentication Logs:
The Ewon device now logs successful and failed login attempts across all of its configuration interfaces (Web server, EBD, FTP server, etc.).
Example EventLog messages:
| Time | Event | Description | Originator |
| --- | --- | --- | --- |
| 15/06/2025 23:10 | -21305 | eftp-Open FTP session (User: Adm) | Ftps |
| 15/06/2025 23:13 | -28611 | secu-Authentication failure (From FTP server) | ftps |
| 15/06/2025 22:51 | -28611 | secu-Authentication failure (From WEB server) | http |
| 15/06/2025 22:51 | -21020 | east-User has logged into the device web interface (adm) | http |
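One way to triage these messages, as an added example (not Ewon code): it reads rows laid out like the table above and reports, per originator, how many authentication failures occurred, whether they formed a burst, and whether a successful login followed recent failures. The pipe-delimited input layout, the 10-minute window, the threshold of 3 and all function names are assumptions; the event IDs are taken from the sample rows, and treating -21305 and -21020 as successful logins is an interpretation of those rows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_FAILURE = -28611             # secu-Authentication failure
LOGIN_SUCCESS = {-21020, -21305}  # web login, FTP session open (from the sample rows)

# First four rows are the page's sample; the last three are constructed for the example.
SAMPLE = """\
| 15/06/2025 23:10 | -21305 | eftp-Open FTP session (User: Adm) | Ftps |
| 15/06/2025 23:13 | -28611 | secu-Authentication failure (From FTP server) | ftps |
| 15/06/2025 22:51 | -28611 | secu-Authentication failure (From WEB server) | http |
| 15/06/2025 22:51 | -21020 | east-User has logged into the device web interface (adm) | http |
| 15/06/2025 23:14 | -28611 | secu-Authentication failure (From FTP server) | ftps |
| 15/06/2025 23:15 | -28611 | secu-Authentication failure (From FTP server) | ftps |
| 15/06/2025 23:16 | -21305 | eftp-Open FTP session (User: Adm) | ftps |
"""

def parse_rows(text):
    """Return (time, event_id, description, originator) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # blank or malformed line
        try:
            when = datetime.strptime(cells[0], "%d/%m/%Y %H:%M")
            event = int(cells[1])
        except ValueError:
            continue  # header row or non-numeric event ID
        rows.append((when, event, cells[2], cells[3].lower()))  # "Ftps" and "ftps" are one source
    return sorted(rows, key=lambda r: r[0])  # stable: same-minute rows keep input order

def triage(text, window=timedelta(minutes=10), threshold=3):
    """Return {originator: {"failures", "burst", "success_after_failure"}}."""
    recent = defaultdict(list)  # originator -> failure times still inside the window
    report = defaultdict(lambda: {"failures": 0, "burst": False, "success_after_failure": False})
    for when, event, _desc, origin in parse_rows(text):
        recent[origin] = [t for t in recent[origin] if when - t <= window]
        entry = report[origin]
        if event == AUTH_FAILURE:
            recent[origin].append(when)
            entry["failures"] += 1
            entry["burst"] |= len(recent[origin]) >= threshold
        elif event in LOGIN_SUCCESS and recent[origin]:
            entry["success_after_failure"] = True  # worth reviewing: possible guessed password
    return dict(report)
```

Timestamps in this layout have minute resolution, so the order of events within the same minute depends on the order of the input rows.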
Privacy asset usage logs:
Logging has been added to track the configuration and usage of privacy assets (e.g., email and SMS). The log records when values are configured and when they are used.
Example EventLog messages:
| Time | Event | Description | Originator |
| --- | --- | --- | --- |
| 15/06/2025 22:22 | 1073788325 | cfgw-The COM configuration has been modified | http |
| 15/06/2025 22:23 | -34559 | ecfg-Default Admin password has been changed | http |
| 15/06/2025 23:18 | -34560 | ecfg-Privacy parameter of the COM configuration has been changed (DI1AlarmEmailRecipients) | http |
| 15/06/2025 23:18 | 1073780230 | di-WAN connection PREVENTED by digital input change | http |
| 15/06/2025 23:21 | 1073780233 | di-Sending email(s) to configured address(es) due to digital input event (1) | esyncitf |
| 15/06/2025 23:24 | 1073780234 | di-Sending short message(s) to configured phone number(s) due to digital input event (2) | esyncitf |
Privacy Asset Log (PAL) buffer
A persistent Privacy Asset Log (PAL) has been implemented to comply with RED requirements, ensuring PrivacyAssetEvent logs are retained after a reboot.
A new Export Block descriptor (EBD), dtPAL, allows downloading all log entries in a single file without deleting them.
EBD syntax example: http://#deviceIP#/rcgi.bin/ParamForm?AST_Param=$dtPAL$fnLogText.txt
PAL log content example:
2025-05-27 12:19:18;1342215689;di-Sending email(s) to configured address(es) due to digital input event (1)
2025-05-27 12:04:23;-268470016;ecfg-Privacy parameter of the COM configuration has been changed (DI2AlarmSMSRecipients)
Note: The PAL stores events in three rotating log files located in /usr/PALog/, each up to 0.3 MB. Older files are automatically deleted to maintain storage limits.
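Because the device rotates its PAL files while the dtPAL export leaves entries in place, successive exports overlap, and an off-device archive has to merge them without doubling entries. The following added example (not Ewon code) merges exports in the semicolon-separated layout shown above and lists the privacy parameter changes; the function names and the second export are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# EXPORT_OLD is the page's sample; EXPORT_NEW is constructed for the example.
EXPORT_OLD = """\
2025-05-27 12:19:18;1342215689;di-Sending email(s) to configured address(es) due to digital input event (1)
2025-05-27 12:04:23;-268470016;ecfg-Privacy parameter of the COM configuration has been changed (DI2AlarmSMSRecipients)
"""
EXPORT_NEW = """\
2025-05-30 08:00:02;1342215689;di-Sending email(s) to configured address(es) due to digital input event (1)
2025-05-30 08:00:02;1342215689;di-Sending email(s) to configured address(es) due to digital input event (1)
2025-05-29 17:41:50;-268470016;ecfg-Privacy parameter of the COM configuration has been changed (DI1AlarmEmailRecipients)
2025-05-27 12:19:18;1342215689;di-Sending email(s) to configured address(es) due to digital input event (1)
not a log line
"""

def parse_pal(text):
    """Return a Counter of (timestamp, event_id, description) records."""
    records = Counter()
    for line in text.splitlines():
        parts = line.strip().split(";", 2)  # the description may itself contain ';'
        if len(parts) != 3:
            continue
        try:
            key = (datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), int(parts[1]), parts[2])
        except ValueError:
            continue  # skip lines that are not PAL entries
        records[key] += 1
    return records

def merge_exports(*exports):
    """Union overlapping exports: repeated events inside one export survive, overlap is not doubled."""
    merged = Counter()
    for text in exports:
        merged |= parse_pal(text)  # multiset union keeps the highest count seen per record
    return sorted(merged.elements())

def privacy_changes(records):
    """Return (timestamp, parameter) for each 'Privacy parameter ... changed (<name>)' record."""
    pat = re.compile(r"^ecfg-Privacy parameter .* changed \((\w+)\)$")
    return [(ts, m.group(1)) for ts, _id, desc in records if (m := pat.match(desc))]
```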
IV. System and Workflow Changes You May Need to Make
Device configuration via FTP
The FTP server is disabled by default and needs to be enabled first via the GUI (tabular editor). If enabled on the LAN interface, it needs to be disabled after use unless physical and LAN access are secured.
Alternatively, configuration via USB stick can be used.
Backup / Restore (eBuddy)
Backup and restore via eBuddy use the FTP server, which needs to be enabled first through the GUI. If enabled on the LAN interface, the FTP server needs to be disabled after use unless physical and LAN access are secured.
Remote Access to USB Devices
As the USB over IP feature is disabled by default, you must first enable it on the Ewon device before you can remotely access the connected USB device.
A shortcut to the USB over IP setup page is available on the Cosy+ summary page, under the Gateway Status section.