Configuring the Firewall

The controller can be set up to use a firewall. The firewall is based on the trusted host principle, and only allows incoming connections via enabled ports or white-listed addresses.

By default, the firewall is disabled.

The firewall applies only to incoming connections on the Factory Ethernet Port.

Activating and configuring the firewall

  1. In the Home view, select Settings.

  2. Select Network in the left panel.

  3. In the right panel, scroll down to Firewall.

  4. Select Edit and set the Firewall to On. The Port Filtering (layer 4 firewall) and all its predefined filters are enabled by default.

  5. Configure the settings for the different firewall layers by setting services to On/Off or by manually entering addresses.

    • Port filtering (layer 4 firewall): Opens and specifies the services that are reachable through the firewall.

    • IP Filtering (layer 3 firewall): To specify a trusted host by IP on the network that can access all the services.

    • MAC Filtering (layer 2 firewall): To specify a trusted host by MAC.

    When no firewall layer is enabled, all incoming connections are let through.

Port Filtering (Layer 4 Firewall)

When the Port Filtering (Layer 4 Firewall) is set to ON, the firewall filters packets based on destination port. Packets sent to an open port are accepted immediately. Non-matching packets are also processed by the other firewall types, IP Filtering and MAC Filtering, before being accepted or rejected.

When the Port Filtering (Layer 4 Firewall) is OFF, the port filtering is disabled and all other options are hidden.

Predefined services have their own enable switches:

  • Open ports for web (TCP 80, TCP 8080)

  • Open ports for SSH and SFTP (TCP 22)

  • Open ports for wireless tools (UDP 6677, TCP 6678)

  • Open ports for accessories (TCP 25000)

  • Additional TCP ports

  • Additional UDP ports

Predefined services and their descriptions:

Open ports for IxB Connect (default 62000, configurable)

Port required for connecting IxB Connect tools to the controller over the factory network. IxB Connect requires a configured "base port" plus one port per connected tool. Every newly connected tool gets the next higher offset from the base port. For example, if two tools are connected, the ports used are 62001 for tool 1 and 62002 for tool 2. A tool's offset persists on the system, even after an upgrade, and is removed only by a factory reset.

If a tool is disconnected, its corresponding port is not reused. For example, if tool 2 at port 62002 is disconnected, the next tool connected must use 62003. The ports to allow are then 62000 (base port), 62001 and 62003, for tool 1 and tool 3 respectively.

Open ports for web (TCP 80, TCP 8080)

Ports required for web services so the controller is accessible over the factory network.

Setting Open ports for web (TCP 80, TCP 8080) to Off triggers a warning that the connection with the Web HMI can be lost.

Open ports for SSH and SFTP (TCP 22)

Port required for SSH and SFTP functionality on the Factory Ethernet Port.

Open ports for wireless tools (UDP 6677, TCP 6678)

Ports required for wireless tools to connect to the controller over the factory network.

Open ports for accessories (TCP 25000)

Ports required for accessories to communicate with the controller over the factory network. This applies to Socket Selector 6.

Open additional TCP ports

Both comma-separated ports and port ranges using a dash (-) are accepted. Example: when entering 1,2,3,4-10, all ports between 1 and 10 are opened.

Invalid port entries trigger an immediate pop-up warning.

Ports are automatically sorted after selecting the Apply button.

Open additional UDP ports

To use Open Protocol, add the port numbers manually in the Open additional TCP ports entry box. For example: 4545,4546,4547 (the ports depend on those configured under Virtual Station > Virtual Station 1 > Protocols > Open Protocol > Server Port).

To use an NTP server, add port 123 manually in the Open additional UDP ports entry box.

Multiple ports are added by using comma separation. Port ranges are added by using a dash.
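The parser below models the entry format described above (comma-separated ports, dash ranges, immediate rejection of invalid entries, sorted result). It is an added example, not code from the controller; the valid range 1 to 65535 and the rejection of empty items are assumptions about what the controller treats as invalid.

```python
import re

# One item is either a single port or a low-high range; anything else
# (letters, stray separators, empty items) is rejected as invalid.
PORT_ITEM_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")

def parse_port_spec(spec: str) -> list[int]:
    """Parse an 'Open additional ports' entry such as '1,2,3,4-10'.

    Returns the sorted, de-duplicated list of ports the entry opens.
    Raises ValueError for an invalid entry (the controller shows a pop-up
    warning instead).
    """
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not PORT_ITEM_RE.match(item):
            raise ValueError(f"invalid port entry: {item!r}")
        low, _, high = item.partition("-")
        low_n = int(low)
        high_n = int(high) if high else low_n
        # Assumed bounds: ports 1-65535, and a range must run low to high.
        if not 1 <= low_n <= high_n <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        ports.update(range(low_n, high_n + 1))
    return sorted(ports)


if __name__ == "__main__":
    print(parse_port_spec("1,2,3,4-10"))       # every port 1..10
    print(parse_port_spec("4547, 4545,4546"))  # sorted, as after Apply
```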

IP Filtering (layer 3 firewall)

To specify trusted hosts or networks in the IP Filtering (layer 3 firewall), enter their IP addresses in the IP White List entry box. To access the entry box, set the switch to On. Accepted entries are lists of host IP addresses or network addresses in IP tables notation. The network mask can be entered as a mask length (for example, /24) or as a dotted-decimal mask (for example, /255.255.255.0). Packets coming from a white-listed IP address are immediately allowed. Other packets are screened by the other firewall layers (Port Filtering and MAC Filtering).

IP address white-list example

For security reasons, host names and network names are not accepted.

Note that processes like NAT (Network Address Translation) may change source IP addresses. Consult your local network administrator when white-listing a host based on its source IP address is required.

MAC Filtering (layer 2 firewall)

MAC Filtering (layer 2 firewall) allows specifying trusted hosts or networks by entering their MAC addresses in the MAC White List entry box. To access the entry box, set the switch to On. Accepted entries are comma-separated lists of MAC addresses. Packets coming from a white-listed MAC address are immediately allowed. Other packets are screened by the other firewall layers (Port Filtering and IP Filtering).

MAC address white-list example

Invalid entries trigger an immediate pop-up warning.

Note that routing may change source MAC addresses. Consult your local network administrator when white-listing a host based on its source MAC address is required.
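The following model ties together the three layers described above: a destination-port hit accepts immediately, otherwise the IP white list (in either mask notation) and then the MAC white list are consulted, and with every layer Off everything is let through. It is an added example, not the controller's code; the configuration class, the return strings and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class FirewallConfig:
    """Per-layer switches and lists, as shown under Settings > Network > Firewall."""
    port_filtering: bool = True          # layer 4, On by default
    ip_filtering: bool = False           # layer 3
    mac_filtering: bool = False          # layer 2
    open_tcp_ports: set = field(default_factory=set)
    open_udp_ports: set = field(default_factory=set)
    ip_white_list: list = field(default_factory=list)  # ipaddress networks
    mac_white_list: set = field(default_factory=set)   # lower-case MAC strings

def parse_ip_white_list(entry: str) -> list:
    """Parse the IP White List entry: hosts, 'net/24' or 'net/255.255.255.0'.

    ipaddress.ip_network accepts both mask notations and raises ValueError
    for a host name, matching the rule that names are not accepted.
    """
    nets = []
    for item in entry.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def decide(cfg: FirewallConfig, proto: str, dst_port: int,
           src_ip: str, src_mac: str) -> str:
    """Return the layer that accepted an incoming packet, or 'rejected'.

    Layers are consulted in the documented order: a hit at any layer accepts
    the packet immediately; with every layer Off, everything is let through.
    """
    if not (cfg.port_filtering or cfg.ip_filtering or cfg.mac_filtering):
        return "accepted (no layer enabled)"
    if cfg.port_filtering:
        open_ports = cfg.open_tcp_ports if proto == "tcp" else cfg.open_udp_ports
        if dst_port in open_ports:
            return "port"
    if cfg.ip_filtering:
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in cfg.ip_white_list):
            return "ip"
    if cfg.mac_filtering and src_mac.lower() in cfg.mac_white_list:
        return "mac"
    return "rejected"

# Constructed sample: web and SSH open, one trusted host, one trusted /24
# entered with a dotted-decimal mask, and one trusted MAC address.
SAMPLE = FirewallConfig(
    ip_filtering=True, mac_filtering=True, open_tcp_ports={22, 80, 8080},
    ip_white_list=parse_ip_white_list("10.0.0.5, 192.168.1.0/255.255.255.0"),
    mac_white_list={"00:11:22:33:44:55"},
)
```

Running `decide(SAMPLE, "tcp", 4545, "172.16.0.9", "aa:bb:cc:dd:ee:ff")` shows an Open Protocol port that was not added to the additional TCP ports being rejected unless the sender is white-listed by IP or MAC.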

Packet counters

To display the Firewall statistics for each firewall layer, select Settings > Network > Firewall > Packet Counters.

The Update section includes the following buttons:

  • Refresh: used to refresh the displayed packet counters.

  • Reset: used to reset the packet counters to zero.

Both buttons have a switch that automatically resets itself to the original position after the action is done.

The Accepted Packet Counters section displays the counters for each of the firewall types and for rejected packets.

  • Port Filtering: displays the packet counter for packets accepted by the Port Filtering firewall type.

  • IP Filtering: displays the packet counter for packets accepted by the IP Filtering firewall type.

  • MAC Filtering: displays the packet counter for packets accepted by the MAC Filtering firewall type.

  • Rejected: displays the packet counter for packets that were rejected.

The Port, IP and MAC Filtering counters include only the initial packets that establish a connection, not the subsequent packets of that connection.

All rejected packets are counted and displayed.

Firewall status

The status of the general firewall feature and its firewall layers is shown in the Firewall main view directly under Settings > Network.

Status and description:

  • OK: The firewall is enabled and the firewall configuration is applied.

  • Disabled: The firewall is disabled and the firewall configuration is not applied.

  • Configuration Error: The firewall is enabled, but the firewall configuration is not applied due to an internal error. For safety reasons, the fail-open policy is applied, meaning all connections are allowed through.

When the general firewall status is OK, the status (Enabled / Disabled) for the respective firewall layers is also shown.