Ip Configuration" Parameter Group - Siemens S7-300 Configuration Manual

Hide thumbs Also See for S7-300:

Manual (676 pages)

Reference manual (574 pages)

Installation and operating manual (356 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

page of 246

/ 246
Contents
Table of Contents
Bookmarks

Table of Contents

Enable security - effects

If IP access protection is enabled for IP communication, when the security function is

enabled, the firewall is activated automatically regardless of the entries. The IP-ACL entries

created in STEP 7 are adopted with the corresponding rights as firewall rules. These firewall

rules derived from the ACL entries when security is enabled apply only on the interface to

the external network.

Note

IP-ACL without entries when security is enabled

If you adopt an IP-ACL without entries, the firewall is enabled and it is no longer possible to

access the CP from external. To make CP available, configure suitable firewall rules in the

advanced mode of SCT.

Note

Behavior in the internal subnet

When you enable security, there are initially no access restrictions between communications

partners connected in the internal network.

The following therefore applies to internal subnets: Previously existing entries in the IP-ACL

that restricted communication to certain partners are not initially effective when security is

enabled.

When security is enabled, it is then possible to make detailed firewall settings for individual

nodes. With specified connections to external partners, firewall rules are automatically

created in SCT that allow connection establishment. With unspecified connections, you must

first configure the relevant firewall rules.

Stateful packet inspection

The firewall and NAT/NAPT router supports the "Stateful Packet Inspection" mechanism. As

a result, reply frames can pass through the NAT/NAPT router and firewall without it being

necessary for their addresses to be included in the firewall rule and the NAT/NAPT address

conversion. IP addresses that would appear temporarily in the ACL if security were disabled

can be detected by the mechanism of Stateful Packet Inspection. Such IP addresses are

then not visible in the corresponding pages of diagnostics.

3.3.7