Smart Energy IoT Firewall

Harden your solar, BESS & EV charger networks — on the DIN rail.

EdgeGuard enforces zero-trust at the edge with Modbus/MQTT Deep Packet Inspection, protocol allow-lists, IDS/IPS integration, and OTA hardening — built for installers, integrators, and grid operators.

  • Drop-in DIN-rail form factor — WAN & LAN Ethernet ports
  • Modbus TCP/RTU DPI, MQTT proxy, RS-485 bridge built in
  • Learn Mode auto-generates firewall & protocol rules
  • Designed with NIS2 & CRA readiness in mind

Capabilities

Built for the energy edge

Real protections that installers and operators can deploy in minutes — from L3/L4 firewalling to OT-aware deep packet inspection and automated policy learning.

Modbus TCP / RTU DPI

Transparent proxy inspects every Modbus frame. Enforce function-code allow-lists, register-range locks, and unit-ID filtering in monitor or enforce mode.

Proxy listen port configurable · Stats & anomaly counters

MQTT Proxy & Topic Filtering

Secure MQTT bridge between local devices and upstream brokers. Enforce topic allow/deny lists, require TLS, and log every publish/subscribe event.

TLS upstream · Client ID prefixing · Anonymous block

nftables Firewall Engine

Policy-driven L3/L4 firewall with host/port allow-lists, transactional rule application, automatic rollback on failure, and playbook presets.

Playbooks: solar_mvp · open_debug · learned

Learn Mode & Auto-Rules

Capture traffic, analyze PCAPs, and auto-generate firewall, Modbus DPI, and MQTT rules. Review diffs in the GUI, then apply with one click.

PCAP capture · Summary JSON/CSV · Suggestion engine

RS-485 / Modbus RTU Bridge

Passive serial sniffer with CRC validation, frame decoding, and anomaly detection. Bridges RS-485 bus traffic into the EdgeGuard telemetry pipeline.

Configurable baud, parity, stop bits · Unit ID range
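The CRC validation and anomaly labelling described above can be sketched as follows. This is an added example, not EdgeGuard's own code; the function names, the anomaly labels and the `unit_range` default are assumptions, and the frames are constructed.

```python
from collections import Counter

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def classify_rtu(frame: bytes, unit_range=(1, 16)) -> str:
    """Label one sniffed frame; unit_range is a hypothetical configured unit-ID range."""
    if len(frame) < 4:                        # unit + function + 2 CRC bytes minimum
        return "short_frame"
    received = int.from_bytes(frame[-2:], "little")   # CRC is sent low byte first
    if crc16_modbus(frame[:-2]) != received:
        return "invalid_crc"
    unit, func = frame[0], frame[1]
    if not unit_range[0] <= unit <= unit_range[1]:
        return "unit_out_of_range"
    if func & 0x80:                           # high bit set marks an exception response
        return "exception_response"
    return "ok"

def summarize(frames) -> Counter:
    """Per-label counters of the kind a telemetry pipeline would export."""
    return Counter(classify_rtu(f) for f in frames)

def with_crc(body: bytes) -> bytes:
    """Append the CRC the way a sender would (helper for building samples)."""
    return body + crc16_modbus(body).to_bytes(2, "little")

# Constructed frames (not captured from a real bus)
GOOD = with_crc(bytes.fromhex("01030000000a"))          # read 10 holding registers
FLIPPED = bytes([GOOD[0], GOOD[1] ^ 0x01]) + GOOD[2:]   # single bit error in transit
FOREIGN = with_crc(bytes.fromhex("f7030000000a"))       # unit 247, outside the range
SAMPLE = [GOOD, FLIPPED, FOREIGN, b"\x01\x03\x00"]
```
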

IDS / IPS (Suricata)

Integrated Suricata engine with OT-focused rule packs. Operate in IDS (detect) or IPS (block) mode. Alerts feed into telemetry and SOC.

EVE JSON log · OTA rule-pack updates

Secure OTA Updates

Signed firmware and rules-bundle updates with SHA-256 verification, staged rollouts, rollback protection, and auto-apply options.

Firmware + IDS/DPI/firewall rules bundles

SOC / SIEM Connector

TLS 1.3 mutual-auth uplink to Cyberfort Armora or any SIEM. Batched telemetry push, heartbeats, and remote-triggered actions (OTA, Learn Mode).

CEF/LEEF/JSON · Remote config via signed commands

Audit Trail & Telemetry

Append-only audit log for every config change (GUI, SOC, OTA). Unified telemetry collector with JSONL export, source/severity filtering, and log rotation.

NIS2-aligned logging · Download ZIP archives

Technical Specifications

Hardware & software at a glance

Purpose-built for plant rooms, electrical cabinets, and wall boxes. No re-wiring needed.

Hardware Platform

  • Form factor: DIN-rail mount, compact enclosure
  • Network interfaces: 2× RJ-45 Ethernet (WAN + LAN)
  • Serial interfaces: RS-485 (Modbus RTU, configurable baud/parity)
  • Compute: ARM or x86 SBC (Ubuntu Server LTS)
  • Security element: TPM 2.0 (device identity, key storage, secure boot)
  • Power: Low-power DC input, suitable for cabinet PSU
  • Operating environment: Plant rooms, electrical cabinets, wall boxes

Software Stack

  • Operating system: Ubuntu Server 22.04+ LTS (hardened)
  • Runtime: Python 3.11+ in isolated virtualenv
  • Core API: HTTP on 127.0.0.1:8787 (health, status, control)
  • GUI API & dashboard: FastAPI + static web on 0.0.0.0:8527
  • Firewall backend: nftables (transactional apply + rollback)
  • IDS/IPS engine: Suricata with OT rule packs
  • Configuration: Canonical YAML (edgeguard.yml)
  • Services: systemd units: edgeguard-core, edgeguard-gui

Protocol Support

  • Modbus TCP: Deep packet inspection proxy · Function-code & register-range enforcement · Monitor/enforce modes
  • Modbus RTU / RS-485: Passive sniff · CRC validation · Frame decoding · Anomaly logging
  • MQTT: Proxy bridge · Topic allow/deny lists · TLS upstream · Client ID prefixing
  • IP / TCP / UDP: nftables L3/L4 firewall · Host/port allow-lists · Playbook presets
  • Syslog / Webhooks: Northbound telemetry export · SIEM/SOAR integration
  • REST API: Full control & status plane · Config read/write · Module control

Integration & Management

  • SOC uplink: TLS 1.3 mTLS to Cyberfort Armora · Batched JSON telemetry push · Heartbeats
  • Remote commands: Signed payloads: trigger OTA, start Learn Mode, reload config
  • OTA channels: Firmware + rules bundles (IDS, DPI signatures, firewall playbooks)
  • Update verification: SHA-256 checksum · TPM-backed signing (planned) · Rollback protection
  • Audit trail: Append-only log · GUI/SOC/OTA source tracking · GET /audit/logs
  • Health monitoring: Per-module health · Watchdog loop · Auto-reboot on cascade failure

Supported Device Profiles

EdgeGuard ships with pre-built configuration profiles for popular energy devices. Each profile defines connection parameters, Modbus register maps, allowed function codes, and Learn Mode summarization rules.

  • Sungrow SH5.0–10RT Hybrid Inverter
  • BYD BatteryBox (via inverter gateway)
  • Pylontech US2000 (RS-485)
  • Victron GX ESS
  • Custom profiles via YAML

System Architecture

Modular, layered, extensible

EdgeGuard is organized into four architectural layers — from hardened OS through core services, network/security modules, and cloud integration — developed across eight MVP phases.

OS & Hardening

Ubuntu LTS · nftables · AppArmor · TPM2 · Secure boot

Core Services

Orchestrator · Config Manager · Key Manager · Audit Logger

Network & Security Modules

Firewall · Modbus DPI · MQTT Proxy · RS-485 · IDS/IPS · Learn Mode

Cloud & Management

Armora SOC Connector · OTA Agent · Fleet Policy · Web GUI

Product Capabilities Roadmap

Allows installers to commission the device without SSH by configuring network interfaces from the web GUI.

  • Network Manager — abstracts Ubuntu netplan, supports DHCP and static IPv4 with rollback logic
  • Core API: GET /network/config · POST /network/config/apply
  • GUI: Network card with interface dropdown, DHCP/static toggle, IP fields, and Apply button

Real logs and a minimal local forensics story — unified telemetry events with source, severity, and structured context.

  • TelemetryEvent dataclass — timestamp, source (firewall, modbus_dpi, ids, mqtt_proxy…), severity, type, message, context
  • Storage: telemetry.jsonl (size-rotated) + per-module logs (firewall.log, modbus.log, mqtt.log, ids.log)
  • GUI: Logs tab with source/severity filters, max-events control, and ZIP download

Real nftables enforcement with transactional rule application, automatic rollback, and starter playbooks.

  • Engine: writes rulesets → validates with nft -c -f → applies atomically → rolls back on failure
  • Playbooks: default_solar_mvp, open_all_debug, learned_from_learn_mode
  • Core API: POST /control/firewall/apply · /disable · /playbook
  • GUI: Firewall card with active/disabled state, last apply time, errors, playbook selector, and action buttons
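One way to implement the write, validate, apply, roll back sequence listed above (an added example, not EdgeGuard's engine). The `health_check` callback, the return labels and the sample ruleset with its placeholder address are assumptions; `run` is injectable so the flow can be exercised without root.

```python
import os
import subprocess
import tempfile

def apply_ruleset(rules: str, health_check, run=subprocess.run) -> str:
    """Return 'applied', 'rejected' (failed nft -c) or 'rolled_back'."""
    # Snapshot the live ruleset first so there is something to roll back to.
    snapshot = run(["nft", "list", "ruleset"], capture_output=True,
                   text=True, check=True).stdout
    with tempfile.TemporaryDirectory() as tmp:
        new_path = os.path.join(tmp, "new.nft")
        old_path = os.path.join(tmp, "rollback.nft")
        # A leading "flush ruleset" makes each file a full replacement that
        # nft commits as one transaction: all of it or none of it.
        for path, body in ((new_path, rules), (old_path, snapshot)):
            with open(path, "w") as fh:
                fh.write("flush ruleset\n" + body)
        # 1. Dry run: -c parses and validates without touching the kernel.
        if run(["nft", "-c", "-f", new_path], capture_output=True, text=True).returncode:
            return "rejected"
        # 2. Atomic apply, then 3. confirm the device is still manageable.
        ok = run(["nft", "-f", new_path], capture_output=True, text=True).returncode == 0
        if ok and health_check():
            return "applied"
        # 4. Restore the snapshot taken before the change.
        run(["nft", "-f", old_path], capture_output=True, text=True, check=True)
        return "rolled_back"

# Constructed ruleset; the table name, address and port are placeholders.
SAMPLE_RULES = """table inet edgeguard {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip daddr 192.0.2.10 tcp dport 502 accept
  }
}
"""
```

The health check is what gives rollback a purpose here: a ruleset can pass `nft -c` and apply cleanly yet still cut off the management path.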

Enforce minimal protocol-level policies and logging for the three primary OT/IoT protocols.

  • Modbus TCP DPI: transparent proxy, Modbus ADU parsing (MBAP + PDU), function-code & address-range policies, monitor/enforce modes, stats counters
  • MQTT Proxy: TLS upstream, topic allow/deny lists, client ID prefixing, anonymous block, per-event telemetry
  • RS-485 Bridge: passive sniff on serial port, Modbus RTU CRC validation, frame decoding, anomaly detection (invalid CRC, short frames)
  • GUI cards: dedicated status cards for each protocol with connection info, allowed/blocked lists, and live counters
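The Modbus TCP DPI checks named here and in the capabilities overview (MBAP + PDU parsing, unit-ID, function-code and address-range policies, monitor/enforce modes, counters) can be illustrated like this. It is an added example, not EdgeGuard's proxy code; the `ModbusPolicy` shape, verdict names and sample frames are assumptions.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class ModbusPolicy:  # hypothetical shape, not EdgeGuard's real config schema
    mode: str = "enforce"                             # "monitor" only flags
    allowed_units: frozenset = frozenset({1})
    allowed_functions: frozenset = frozenset({3, 4})  # read-only function codes
    register_ranges: tuple = ((0, 99),)               # inclusive address ranges
    stats: dict = field(default_factory=lambda: {"allow": 0, "flag": 0, "drop": 0})

def violation(frame: bytes, p: ModbusPolicy):
    """Return a reason string if the Modbus TCP ADU breaks policy, else None."""
    if len(frame) < 8:
        return "short frame"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])  # MBAP header
    if proto != 0:
        return "protocol id is not 0"
    if length != len(frame) - 6:        # length field counts unit id + PDU
        return "MBAP length mismatch"
    func = frame[7]
    if unit not in p.allowed_units:
        return f"unit id {unit} not allowed"
    if func not in p.allowed_functions:
        return f"function code {func} not allowed"
    if func in (1, 2, 3, 4, 5, 6, 15, 16) and len(frame) < 12:
        return "truncated PDU"
    if func in (1, 2, 3, 4, 15, 16):    # start address + quantity
        addr, qty = struct.unpack(">HH", frame[8:12])
    elif func in (5, 6):                # single write: address + value
        addr, qty = struct.unpack(">H", frame[8:10])[0], 1
    else:
        return None                     # no address field to range-check
    last = addr + qty - 1
    if qty == 0 or not any(lo <= addr and last <= hi for lo, hi in p.register_ranges):
        return f"registers {addr}-{last} outside allowed ranges"
    return None

def inspect_adu(frame: bytes, p: ModbusPolicy):
    """Return (verdict, reason): allow, flag (monitor mode) or drop (enforce mode)."""
    reason = violation(frame, p)
    verdict = "allow" if reason is None else ("drop" if p.mode == "enforce" else "flag")
    p.stats[verdict] += 1
    return verdict, reason or "ok"

# Constructed sample frames (not captured traffic)
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0000 000a")    # read 10 regs at 0
WRITE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # write single register
READ_OOR = bytes.fromhex("0003 0000 0006 01 03 005f 000a")   # read 10 regs at 95
```
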

Turn captured PCAPs into actionable firewall, Modbus DPI, and MQTT rule suggestions — "learned playbooks".

  • PCAP Analyzer: extracts unique IPs/ports, Modbus function codes & unit IDs, MQTT topic strings → writes summary JSON + CSV
  • Suggestions Builder: generates firewall allow-lists, Modbus DPI policies, MQTT topic rules as config deltas or auto-playbooks
  • Core API: GET /learn-mode/suggestions · POST /learn-mode/apply/firewall|modbus-dpi|mqtt-proxy
  • GUI: suggestion tables per subsystem with "Review" and "Apply" buttons

Extends OTA beyond firmware to support rules and signature bundles for IDS, DPI, and firewall modules.

  • Dual-track OTA: separate firmware and rules polling intervals, per-type version tracking, independent apply actions
  • Rules bundles: IDS signatures → /etc/suricata/rules, DPI signatures → var/dpi_signatures, firewall playbooks → var/firewall_playbooks
  • Verification: SHA-256 checksum per bundle, download to var/ota_downloads, service reload after install
  • GUI: OTA card split into firmware section and threat signatures/rulesets section with current/latest info and manual apply

Minimal but functional integration with Cyberfort Armora SOC for telemetry export and remote-triggered actions.

  • Telemetry push: reads events from telemetry.jsonl using offsets, batches JSON, sends over TLS with mTLS client certs
  • Remote commands: POST /soc/config/signed accepts signed payloads with actions: trigger_ota_rules, start_learn_mode
  • Security: device ID verification, stub-signature checks, telemetry for every command execution
  • GUI: SOC card with telemetry push metrics, remote-config timestamps, results, and error display

Prepare for long-term evolution with append-only audit logging, a plugin interface for new modules, and automated health monitoring.

  • Audit Trail: log_audit_event() / log_config_change() → append-only audit.log tracking GUI/SOC/OTA changes
  • Module Plugin Interface: ModuleBase with start(), stop(), get_status(), on_config_reload() — all modules implement it
  • ModuleManager: dynamic registration, lifecycle management, status aggregation, config-reload forwarding
  • Health & Watchdog: per-module health tracking (healthy/degraded/unhealthy), failure counts, optional systemctl reboot on cascade failure
  • Core API: GET /health · GET /status/full · GET /audit/logs?limit=N

Web Dashboard

Configure, monitor, and respond — from one screen

The EdgeGuard web dashboard provides real-time module status, protocol-level controls, Learn Mode capture & rule review, OTA management, and full telemetry log access — all served from the device itself on port 8527.

Dashboard tab — System overview, live module status, network configuration, firewall controls, and Learn Mode capture

Device Profiles tab — Pre-built profiles with connection, Modbus register maps, RS-485 parameters, and Learn Mode defaults

Live Module Status

See every module running/stopped/error at a glance with heartbeat timestamps and detail info.

Protocol Cards

Dedicated cards for Modbus DPI, MQTT Proxy, and RS-485 with live stats, allowed/blocked lists, and mode indicators.

Logs & Telemetry

Filter by source and severity, set max events, refresh live, and download complete log archives as ZIP.

Device Profiles

Browse & select profiles for Sungrow, BYD, Pylontech, Victron — see all Modbus/RS-485/MQTT parameters instantly.

API Reference

Control & status API surface

EdgeGuard exposes two HTTP services — a core orchestrator API and a GUI-facing API that proxies core endpoints and serves the web dashboard.

Core Orchestrator :8787

Method   Endpoint
GET      /health — basic health & version
GET      /status — deep status (all modules + OTA + SOC + Learn Mode)
GET      /network/config — current network settings
POST     /network/config/apply — apply network config
POST     /control/firewall/apply|disable|playbook
POST     /control/learn-mode/start|stop
GET      /learn-mode/suggestions
POST     /learn-mode/apply/firewall|modbus-dpi|mqtt-proxy
POST     /control/ota/check|apply
POST     /control/soc/ping|push-sample
POST     /soc/config/signed — remote command handler
GET      /audit/logs?limit=N

GUI API :8527

Method   Endpoint
GET      /health
GET      /api/status — proxies core /status
GET/PUT  /api/config — read/write YAML config
POST     /api/learn-mode/start|stop
POST     /api/ota/check|apply
GET      /api/ota/status
POST     /api/soc/ping|push-sample
GET      /api/telemetry/logs — filtered log view
GET      /api/telemetry/download — ZIP archive
GET      /api/device-profiles — list profiles
GET      /api/device-profiles/:id — profile detail
GET      /static/* — web dashboard assets

Security & compliance, made practical

EdgeGuard supports NIS2 and CRA-aligned practices through identity-aware policies, append-only audit logs, incident integration, and health monitoring. Technical focus areas include nftables firewall enforcement, Modbus/MQTT DPI, network segmentation, OTA updates with SHA-256 verification, and SOC telemetry with mTLS.

Get Early Access

Installers, integrators, DSO/DSR teams, and early adopters — we invite you to evaluate EdgeGuard in pilot deployments.

  • Pilot hardware & setup guide
  • Configuration profiles for Sungrow, BYD, Pylontech, Victron
  • Support for fleet & SOC integration
  • Full REST API access and YAML config customization

Talk to an Expert

For technical documentation, integration questions, or pilot requests, contact our team.

Integration surfaces

  • Northbound REST / syslog / webhooks
  • Policy profiles for Modbus register maps
  • MQTT broker topic allow-lists
  • mTLS client auth & key rotation
  • SOC remote commands via signed payloads
  • OTA rules bundle distribution (IDS, DPI, firewall)