About the Firewall

The POWER FOCUS 6000 can be set up to use a firewall. The firewall is based on the trusted host principle, and only allows incoming connections via ports that are enabled, or addresses that are white-listed.

By default, the firewall is disabled.

The firewall applies only to incoming connections on the Factory Ethernet Port.

Activating and configuring the firewall

To activate and configure the firewall, select Edit.

In the top container, activate the general firewall feature by setting it to On.
In the remaining containers, configure any of the following firewall layers:

  • Port Filtering (layer 4 firewall). Opening a service on the controller: you can specify which services are reachable through the firewall.

  • IP Filtering (layer 3 firewall). Specifying a trusted host by IP address: you can specify an IP address that is considered trusted on the network and can access all the services.

  • MAC Filtering (layer 2 firewall). Specifying a trusted host by MAC address.

When activating the general firewall feature, Port Filtering (layer 4 firewall) and all its predefined services are enabled by default.

A connection is allowed, when any of the firewall layers accepts it. When no firewall layer is enabled, all incoming connections are allowed through.

Further firewall configuring is done by enabling/disabling connections through the predefined services specified, by adding TCP or UDP ports manually and/or by white-listing IP/MAC addresses.

Port Filtering (layer 4 firewall)

Port Filtering (layer 4 firewall) defines the firewall rules for TCP and UDP ports.

Port Filtering (layer 4 firewall) can be turned ON or OFF.
When Port Filtering (layer 4 firewall) is ON, the firewall is performing packet filtering based on destination port, and packets sent to an open port are immediately accepted. Non-matching packets are also processed by the other firewall types (IP Filtering and MAC Filtering) before being eventually rejected.
When Port Filtering (layer 4 firewall) is OFF, port filtering is disabled and all the other settings are hidden.

Predefined services have their own enable-switches:

  • Open ports for web services (TCP 80, TCP 8080)

  • Open ports for SSH and SFTP (TCP 22)

  • Open ports for wireless tools (UDP 6677, TCP 6678)

  • Open ports for accessories (TCP 25000)

  • Additional TCP ports

  • Additional UDP ports

Predefined service and its description:

Open ports for web (TCP 80, TCP 8080)
  Ports required for web services so the controller is accessible over the factory network.
  Setting Open ports for web (TCP 80, TCP 8080) to Off triggers a warning that the connection with the Web HMI can be lost.

Open ports for SSH and SFTP (TCP 22)
  Port required for SSH and SFTP functionality on the Factory Ethernet Port.

Open ports for wireless tools (UDP 6677, TCP 6678)
  Ports required for wireless tools to connect to the controller over the factory network.

Open ports for accessories (TCP 25000)
  Ports required for accessories to communicate with the controller over the factory network. This applies to Socket Selector 6.

Open additional TCP ports
  Both comma-separated ports and port ranges using a dash (-) are accepted. Example: entering 1,2,3,4-10 opens all ports between 1 and 10.
  Invalid port entries trigger an immediate pop-up warning.
  Ports are automatically sorted after pressing the Apply button.

Open additional UDP ports
  When using Open Protocol, the ports to be opened must be added manually in the Open additional TCP ports entry box. For example: 4545,4546,4547 (depending on the ports configured in Virtual Station > Virtual Station 1 > Protocols > Open Protocol > Server Port).
  When using an NTP server, port 123 must be added manually in the Open additional UDP ports entry box.
  Multiple ports can be added by using comma separation. Port ranges can be added by using a dash.
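As an added example, not part of the controller's documentation or firmware, the following Python parser implements the port entry syntax described above (comma-separated ports and dash ranges such as 1,2,3,4-10), rejects entries the controller would warn about, and re-renders the list sorted. Collapsing consecutive ports into ranges on output is an assumption made here; the page only states that ports are sorted.

```python
import re

# Entry syntax from the "Open additional TCP/UDP ports" boxes: items separated
# by commas, each item a single port or a dash range (low-high).
PORT_MIN, PORT_MAX = 1, 65535
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_port_spec(spec: str) -> list[int]:
    """Return the sorted, de-duplicated ports an entry would open.

    Raises ValueError for anything the controller would refuse with a
    pop-up warning: non-numeric items, empty items, ports outside 1-65535,
    or a range whose low end is above its high end.
    """
    ports: set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"invalid port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"port or range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def normalize_port_spec(spec: str) -> str:
    """Re-render an entry sorted, as the controller does on Apply.

    Consecutive ports are collapsed into a dash range (assumption made in
    this example; the page does not say whether the controller does this).
    """
    runs: list[list[int]] = []
    for p in parse_port_spec(spec):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)
```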

IP Filtering (layer 3 firewall)

IP Filtering (layer 3 firewall) allows specifying trusted hosts or networks by entering their IP addresses in the IP White List entry box. To access the entry box, set the switch to On. Accepted entries are lists of IP addresses or network addresses in the form used by IP tables, that is, host IP addresses or network IP addresses. The network mask can be entered as a mask length (for example, /24) or as a network mask (for example, /255.255.255.0). Packets coming from a white-listed IP address are immediately allowed. Other packets are screened by the other firewall layers (Port Filtering and MAC Filtering).

IP address white-list example

For security reasons, host names and network names are not accepted; only IP addresses can be entered.

Note that processes like NATing (Network Address Translation) may change source IP addresses. Consult your local network administrator when white-listing a host based on source IP address is required.

MAC Filtering (layer 2 firewall)

MAC Filtering (layer 2 firewall) allows specifying trusted hosts or networks by entering their MAC addresses in the MAC White List entry box. To access the entry box, set the switch to On. Accepted entries are comma-separated lists of MAC addresses. Packets coming from a whitelisted MAC address are immediately allowed. Other packets are screened by the other firewall layers (Port Filtering and IP Filtering).

MAC address white-list example

Invalid entries trigger an immediate pop-up warning.

Note that routing may change source MAC addresses. Consult your local network administrator when white-listing a host based on source MAC address is required.

Packet counters

To display the Firewall statistics for each firewall layer, select Settings > Network > Firewall - Packet Counters.

The Update section includes the following buttons:

  • Refresh – used to refresh the displayed packet counters.

  • Reset – used to reset the packet counters to zero.

Both buttons are implemented with a switch that automatically resets itself to the original position after performing the action.

The Accepted Packet Counters section displays the counters for each of the firewall types and for rejected packets.

  • Port Filtering – displays the packet counter for packets accepted by the Port Filtering firewall type.

  • IP Filtering – displays the packet counter for packets accepted by the IP Filtering firewall type.

  • MAC Filtering – displays the packet counter for packets accepted by the MAC Filtering firewall type.

  • Rejected – displays the packet counter for packets that were rejected.

The packets accepted, and thus counted, by the Port, IP and MAC Filtering rules only include the initial packets that establish a connection.

The Rejected packets are all counted and displayed.
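To make the evaluation order explicit (Port Filtering first, then IP Filtering, then MAC Filtering, with a packet rejected only when no enabled layer accepts it) and the packet counters that result, here is an added Python model that is not the controller's own code. The Packet and Firewall classes, their field names and the sample addresses are assumptions made here; the model also counts every packet, whereas the controller counts only connection-initiating packets for the accepted counters.

```python
import ipaddress
from dataclasses import dataclass, field

# Layered decision as this page describes it: layers are consulted in order
# (Port, IP, MAC); the first enabled layer that accepts wins, and a packet
# is rejected only when no enabled layer accepts it. Disabled layers never
# accept. Firewall off, no layer enabled, or Configuration Error: all allowed.

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    proto: str        # "tcp" or "udp"
    dst_port: int

@dataclass
class Firewall:
    enabled: bool = True
    config_error: bool = False   # "Configuration Error" status: fail open
    port_filter_on: bool = True  # predefined services are on by default
    open_tcp: set = field(default_factory=lambda: {22, 80, 6678, 8080, 25000})
    open_udp: set = field(default_factory=lambda: {6677})
    ip_filter_on: bool = False
    ip_whitelist: list = field(default_factory=list)  # host, /24 or /255.255.255.0 entries
    mac_filter_on: bool = False
    mac_whitelist: set = field(default_factory=set)
    counters: dict = field(default_factory=lambda: {"port": 0, "ip": 0, "mac": 0, "rejected": 0})

    def _ip_whitelisted(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)   # ip_network accepts both mask styles
        return any(addr in ipaddress.ip_network(e, strict=False) for e in self.ip_whitelist)

    def decide(self, pkt: Packet) -> str:
        """Return the accepting layer, "rejected", or "bypass" when nothing filters."""
        if not self.enabled or self.config_error:
            return "bypass"                      # Disabled, or fail-open on error
        if not (self.port_filter_on or self.ip_filter_on or self.mac_filter_on):
            return "bypass"                      # no layer enabled: all allowed
        open_ports = self.open_tcp if pkt.proto == "tcp" else self.open_udp
        if self.port_filter_on and pkt.dst_port in open_ports:
            layer = "port"
        elif self.ip_filter_on and self._ip_whitelisted(pkt.src_ip):
            layer = "ip"
        elif self.mac_filter_on and pkt.src_mac.lower() in {m.lower() for m in self.mac_whitelist}:
            layer = "mac"
        else:
            layer = "rejected"
        self.counters[layer] += 1                # one counter per layer, plus Rejected
        return layer
```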

Firewall status

The status of the general firewall feature and its firewall layers is shown in the Firewall main view directly under Settings > Network.

Status and its description:

OK
  The firewall is enabled and the firewall configuration is applied.

Disabled
  The firewall is disabled and the firewall configuration is not applied.

Configuration Error
  The firewall is enabled, but the firewall configuration is not applied due to an internal error.
  For safety reasons, the fail-open policy is applied, meaning all connections are allowed through.

When the general firewall status is OK, the status (Enabled / Disabled) for the respective firewall layers is also shown.