Firewall Rule Configuration - Siemens SCALANCE XC-200 Set Up And Configuration

Service bridge

5 Firewall configuration using the example of a SCALANCE SC632-2C
5.2.2 Firewall rule configuration

The firewall rules are configured within the WBM in the "Security" tab.
In the following section, packet filter rules are defined based on MAC addresses
(layer 2) and IP addresses (layer 3).
Based on the MAC addresses (layer 2), a filter rule is created that only allows
message frames that have the MAC address of selected devices (e.g. the ES) as a
source or destination address. This means multicast, broadcast and message
frames between other subscribers are rejected.
Based on the IP addresses (layer 3), a filter rule is created that only allows
communication from selected sources in the plant bus (e.g. the ES). This means
that all the message frames stemming from the field bus are rejected with the
exception of response message frames.
Note
IP rules apply for Layer 3 packets, MAC rules apply for Layer 2 packets.
The processing in the firewall is controlled as follows.
The rules in the Layer 2 firewall are checked first. If there is an IPV4 rule there,
the rules are then checked in the Layer 3 firewall.
There must be an "Allow" rule in the Layer 3 firewall, otherwise the message
frame is rejected even though it is allowed in the Layer 2 firewall.
By default, IPV4 is active on the "Predefined MAC" tab, which allows any IP
traffic through the Layer 2 firewall.
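
The processing order from the note, as an added example that is not part of the Siemens document: a simplified Python model in which a frame must pass the Layer 2 rules first and, if it is IPv4, also needs a Layer 3 "Allow" rule or must be a response frame. The class and function names, the MAC and IP addresses, and tracking responses by IP pair only are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IPV4 = 0x0800  # EtherType for IPv4

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

class TwoStageFirewall:
    """Simplified model: Layer 2 rules first, then Layer 3 for IPv4 frames."""
    def __init__(self, allowed_macs, allowed_src_ips, predefined_ipv4=True):
        self.allowed_macs = set(allowed_macs)        # MAC rule: selected devices
        self.allowed_src_ips = set(allowed_src_ips)  # one "Allow" rule per IP address
        self.predefined_ipv4 = predefined_ipv4       # IPv4 entry on "Predefined MAC"
        self.flows = set()                           # (src, dst) opened by allowed sources

    def layer2(self, f):
        if f.ethertype == IPV4 and self.predefined_ipv4:
            return True  # default: any IP traffic passes the Layer 2 firewall
        return f.src_mac in self.allowed_macs or f.dst_mac in self.allowed_macs

    def layer3(self, f):
        if f.src_ip in self.allowed_src_ips:
            self.flows.add((f.src_ip, f.dst_ip))
            return True
        # Response frames to a flow opened by an allowed source are accepted.
        return (f.dst_ip, f.src_ip) in self.flows

    def decide(self, f):
        if not self.layer2(f):
            return "reject (layer 2)"
        if f.ethertype == IPV4 and not self.layer3(f):
            return "reject (layer 3)"
        return "allow"

# Constructed sample values, not taken from the Siemens document.
ES_MAC, PLC_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
ES_IP, PLC_IP = "192.0.2.10", "192.0.2.20"

def demo():
    fw = TwoStageFirewall(allowed_macs=[ES_MAC], allowed_src_ips=[ES_IP])
    from_field = Frame(PLC_MAC, ES_MAC, IPV4, PLC_IP, ES_IP)   # field bus to ES
    request = Frame(ES_MAC, PLC_MAC, IPV4, ES_IP, PLC_IP)      # ES to field bus
    lldp = Frame(PLC_MAC, "01:80:c2:00:00:0e", 0x88CC)         # non-IP multicast
    # The same field-bus frame is rejected before the ES request and allowed after it.
    return [fw.decide(from_field), fw.decide(request), fw.decide(from_field), fw.decide(lldp)]
```

With the Layer 3 rule list left empty, the same ES request is rejected at Layer 3 although the predefined IPv4 entry lets it through Layer 2.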
Definition of IP rules
The following are the IP rules that only allow communication from selected sources
on the plant bus (e.g. the ES).
Since the ES's separate network card for accessing the Service Bridge's Web
Based Management (WBM) and the various PROFINET networks has several IP
addresses, several rules must be created: one rule per IP address used.
The IP addresses and filters in the following configuration refer to the structure
presented in chapter 2.2 (Figure 2-3).

Service Bridge – Setup and Configuration
Entry ID: 109747975, V1.4, 05/2019
