Siemens SIMATIC S7-1500 Function Manual page 301

Routing
10.3 IP forwarding
Take network security into account for IP forwarding
If you activate IP forwarding for a CPU, you enable "external" access to devices that are
actually only accessible and controlled by the CPU. These devices are therefore usually not
protected against attacks.
The following figure shows how to protect your automation system against unauthorized
access.
Figure 10-11 Network security for IP forwarding
● The CPU accesses all devices within the dark green IP subnets B and C close to the
CPU via the interfaces X1 and X2.
● A SCALANCE S router is configured in the CPU. The CPU accesses the devices in the
remote, light green IP subnet A via the router.
● The "Access to PLC via communication module" function is enabled for the CP 1543 in
the CPU. The CPU reaches all devices within the IP subnet D via the W1 interface.
If IP forwarding is enabled in the CPU, then a device from IP subnet A can access any
device within IP subnets B, C and D close to the CPU.
Protect your automation system and connected devices against unauthorized access from
outside.
Separate the CPU-related IP subnets from the remote IP subnets with a firewall. For
example, use the SCALANCE S security modules with integrated firewall.
This application example (https://support.industry.siemens.com/cs/ww/en/view/22376747)
describes how to protect an automation cell with a firewall using the SCALANCE S602 V3
and SCALANCE S623 security modules.
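
The following added example (not part of the Siemens manual) audits flow records for traffic that crosses from the remote IP subnet A to devices in the CPU-related IP subnets B, C and D, which is the path that IP forwarding opens and the firewall should restrict. All addresses, the allowlist, and the flow record format are constructed assumptions, since the manual names the subnets but gives no addressing.

```python
import ipaddress as ip

# Constructed addressing plan; the manual names the subnets but gives no addresses.
REMOTE = {"A": ip.ip_network("10.10.0.0/24")}
CPU_LOCAL = {
    "B": ip.ip_network("192.168.1.0/24"),   # behind CPU interface X1
    "C": ip.ip_network("192.168.2.0/24"),   # behind CPU interface X2
    "D": ip.ip_network("192.168.3.0/24"),   # behind CP 1543 interface W1
}
# Assumed addresses of the CPU's own interfaces: traffic to these terminates
# at the CPU and is not forwarded.
CPU_ADDRS = {ip.ip_address(a) for a in ("192.168.1.1", "192.168.2.1", "192.168.3.1")}
# Flows the firewall policy is meant to permit: (src, dst, dst_port). Constructed.
ALLOWED = {("10.10.0.5", "192.168.1.20", 443)}

# Constructed flow records, one per line: "src dst dst_port"
SAMPLE_FLOWS = """\
10.10.0.5 192.168.1.20 443
10.10.0.77 192.168.2.14 102
10.10.0.77 192.168.1.1 102
192.168.1.30 192.168.2.14 102
10.10.0.9 192.168.3.8 80
"""

def subnet_of(addr, nets):
    """Return the name of the subnet containing addr, or None."""
    return next((name for name, net in nets.items() if addr in net), None)

def forwarded_violations(text):
    """Return (src_subnet, dst_subnet, src, dst, port) for each flow that goes from a
    remote subnet to a device in a CPU-local subnet and is not allowlisted."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, port_s = line.split()
        src, dst = ip.ip_address(src_s), ip.ip_address(dst_s)
        src_net, dst_net = subnet_of(src, REMOTE), subnet_of(dst, CPU_LOCAL)
        # Skip flows that do not cross remote -> CPU-local, or that end at the CPU.
        if src_net is None or dst_net is None or dst in CPU_ADDRS:
            continue
        if (src_s, dst_s, int(port_s)) not in ALLOWED:
            hits.append((src_net, dst_net, src_s, dst_s, int(port_s)))
    return hits

if __name__ == "__main__":
    for hit in forwarded_violations(SAMPLE_FLOWS):
        print("remote %s -> CPU-local %s: %s -> %s port %d" % hit)
```

Any flow this reports reached a device behind the CPU from subnet A without a matching allowlist entry, so the firewall rule set between the remote and CPU-related subnets needs review.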
Function Manual, 11/2019, A5E03735815-AH
Communication
