Add and Configure the Entries in an IP Firewall Table
This topic only applies to SCADAPack x70 devices on which the Enable IP Firewall check box is selected (see Enable or Disable the IP Firewall).
Ensure that the check box is clear if you do not intend using the IP Firewall. By design, the Download Configuration pick action is not available on outstations on which the IP Firewall is enabled, but the IP Firewall Table is empty. This is to help prevent loss of communications between Geo SCADA Expert and the SCADAPack x70 device.
You use a SCADAPack x70 IP Firewall Table to specify the addresses and services from which a particular SCADAPack x70 device is to accept inward network traffic. When the IP Firewall is enabled (see above), only network traffic that is transmitted from addresses and services that are included in the IP Firewall Table is accepted; network traffic that is transmitted from addresses and services that are not included in the IP Firewall Table is ignored.
You use the table to specify the IP addresses and other parameters of permitted IP network traffic. You need to add an entry for each non-local IP address from which the SCADAPack x70 device is permitted to accept data.
WARNINGcommunication loss
The entries that you specify in an IP Firewall Table are persistent (that is, they are retained when the SCADAPack x70 device restarts).
In the Geo SCADA Expert database, the table is built into the SCADAPack x70 Device Configuration item to which it relates. Changes made to the firewall configuration are downloaded to the SCADAPack x70 device when that device's Download Configuration pick action is next executed.
If you are to add or edit an IP Address, you have to enable the IP Firewall.
You can enable or disable the IP Firewall using either of the following options:
- Use the Enable IP Firewall check box on the IP Firewall Table tab on the SCADAPack x70 Device Configuration item's tables.
- Use the Enabled check box in the IP Firewall section on the IP Communications tab on the Form of the SCADAPack x70 Device Configuration item (see Enable or Disable the IP Firewall).
By design, each of these options is in sync with the other. (If the configuration Form is open when the check box's setting is changed on the Table, you might have to close and then re-open the configuration Form in order for the check box on that Form to display its inherited value. Likewise, if the check box's setting is changed on the configuration Form while the Table remains open, you might have to close and then re-open the Table in order for the check box on that Table to display its inherited value.)
You specify these properties for each entry in a SCADAPack x70 IP Firewall Table:
The IP address of the source of permitted network traffic. This could be the IP address of a device, a monitor PC, or another address. Use the IP Address in conjunction with the Subnet Mask to identify either a single source address, or a range of source IP addresses.
The valid format is nnn.nnn.nnn.nnn. Omit any leading zeros from the address.
192.168.0.1
Used in conjunction with the IP Address to identify either a single source address, or one of a range of source addresses (a subnet) to which the SCADAPack x70 device is permitted to receive TCP/IP packets.
The valid format is nnn.nnn.nnn.nnn. Omit any leading zeros from the address.
255.255.255.255
Short descriptive text used to identify the entry. The maximum length is 64 characters.
The direction(s) in which traffic is permitted for this IP address.
When adding or editing an entry in the table, you use a combo box to select the required direction. The options are Inbound and Outbound, Inbound, and Outbound. The default is Inbound and Outbound.
This property only applies when the Permitted Services (see below) is set to 'Custom Service'. The property is used to specify a custom Port Number via which IP traffic is permitted. The Port Number has to be in the range 0 to 65535 inclusive.
This property only applies when the Permitted Services (see below) is set to 'Custom Service'. The property is used to specify the data transmission protocol via which network traffic is permitted.
When adding or editing an entry in the table, you use a combo box to select the required protocol. The options are TCP, UDP, and TCP and UDP. The default is TCP.
Used to specify the service(s) for which traffic is permitted for this particular IP address. At least one option has to be selected. The options are:
- DNP3 over TCP
- DNP3 over UDP
- Modbus/TCP
- Modbus RTU over TCP
- Modbus RTU over UDP
- Logic Debug Service
- Telnet
- FTP
- IEC 60870-5-104
- HART Pass Through
- Terminal Server for Serial Port 1
- Terminal Server for Serial Port 2
- Terminal Server for Serial Port 3
- Terminal Server for Serial Port 4
- ICMP Ping Traffic
- All ICMP Traffic
- Custom Service.
The options that are available for selection vary, depending on the model of SCADAPack x70 device and the configuration of its ports (see Device Configuration Serial Port Tabs and see Device Configuration IP Communications Tab). Options that are not applicable are 'grayed out' and unavailable for use.
With the ICMP options, 'ICMP Ping Traffic' only permits ping traffic via the specified IP address, whereas 'All ICMP Traffic' permits all ICMP traffic via that IP address, including ping traffic.
Use the 'Custom Service' option if you want to specify a custom Port Number and transmission Protocol for which network traffic is to be permitted from a particular IP address.
To add an entry to an IP Firewall Table:
- Display the Table for the relevant SCADAPack x70 Device Configuration item.
- Select the IP Firewall Table tab to display the IP Firewall Table.
- Select the Add IP Address button.
The Add IP Firewall Entry dialog box is displayed.
- Populate the fields as required (see above).
A diagnostic message indicates the fields that need populating with values that have to take a specific format, or for which at least one option needs selecting. The diagnostic message is removed once the fields are populated with values that have the required format, and when at least one Permitted Services option is selected.
- Select the OK button to close the dialog box and add the entry to the table.
To edit an entry in an IP Firewall Table:
- Display the Table for the relevant SCADAPack x70 Device Configuration item.
- Select the IP FirewallTable tab to display the IP Firewall Table.
- Either:
- Double-click on the entry that you want to edit.
Or:
- Click on the address that you want to edit.
- Select the Edit IP Address button.
The Edit IP FirewallEntry dialog box is displayed.
- Change the address's configuration as required.
- Select the OK button to confirm the changes, close the dialog box, and update the Table.
To delete an obsolete entry from an IP FirewallTable:
- Display the Table for the relevant SCADAPack x70 Device Configuration item.
- Select the IP Firewall Table tab to display the IP Firewall Table.
- Select the entry for the address that is no longer required.
- Select the Remove IP Address button. (The button is only available for use when an entry is selected in the table.)
The address that was highlighted is removed from the table.
To sort the entries that are displayed in an IP Firewall Table:
- Click on the column heading by which you want to sort the entries in the table. (To reverse the sorting order, click on the same column heading again.) The order in which the entries are sorted does not impact on the firewall's functionality.
When you redisplay the table, the entries are listed in the order in which they were added to the table.