Firewall

Application

The control provides a firewall to allow or reject incoming network traffic, depending on the sender and service.

Description of function

To navigate to this function:

Settings > Network/Remote Access > Firewall

Overview of zones

The hefwconfig window always shows the OT Net zone after opening. If you select Zones in the breadcrumb navigation, the control opens an overview of the zones.

Five zones are displayed on the default overview screen. The overview shows which interfaces and sources have been added to the respective zones.

Each zone has its own default configuration.

Zones

You can edit the configuration of the zones.

Settings of the zones

Tip

For example, network specialists can make the following changes:

  • Add and remove zones
  • Rename zones
  • Edit the zone description
  • Edit the default target of the zone

If a network specialist has made changes to the firewall, the firewall of your machine might differ from the default configuration.

Icons and buttons

The hefwconfig window provides the following icons and buttons:

Icon or button | Meaning
Maximize | Open the selected zone
Reduce | Close the open zone and return to the overview screen
(icon) | Add
(icon) | Clear
(icon) | Edit
(icon) | Edit comprehensive rule
OK | Save the changes and close the window
Apply | Save the changes
Import the configuration | Import the configuration and overwrite the present configuration
Export configuration | Export the configuration of all zones
HEIDENHAIN default | Reset the settings to their default values
Advanced | Open the Firewall Configuration window (available only to network specialists)
Cancel | Discard the changes that have not been saved and close the window

Default targets

Each zone has a default target. The default target defines how the firewall will handle incoming network connections. The firewall provides the following default targets:

Default target | Meaning
ACCEPT | Accept all incoming network connections. This corresponds to deactivating the firewall.
DROP | Discard the incoming network connections. You can add or remove exceptions.
REJECT | Reject the incoming network connections. You can add or remove exceptions.

Settings of the zones

Zones

The following table shows the available zones and the default configuration:

Zone | Meaning
Block | Default target: REJECT. This zone rejects all incoming connections.
Drop | Default target: DROP. This zone discards all incoming connections.
Machine Net | Default target: REJECT with exceptions. This zone accepts all the services needed for connections between the control and an additional ITC operating station (e.g., VNC or DNS). The eth1 interface is assigned to this zone.
OT Net | This zone is the default zone. Default target: REJECT with exceptions. This zone accepts the SSH service. The eth0 interface is assigned to this zone.
Trusted | Default target: ACCEPT. This zone accepts all incoming connections.

Tip

On programming stations, the eth1 interface is assigned to the additional zone Programmingstation Network by default.

Settings of the zones

OT Net zone with description of the DNS service

When you open a zone, the control displays the following settings:

Setting | Meaning
Default zone | In this area, the control shows whether the zone is the default zone. If the zone is not the default zone, you can define this zone as the default zone by selecting the check box. The control automatically assigns all the unassigned interfaces and sources to the default zone.
Source assignment | In this area, the control shows the interfaces and sources assigned to this zone. You can add or delete interfaces and sources.
Allowed services | On the Allowed services tab, the control displays all available services and the related ports. Use the check boxes to allow or reject services. If the check box is selected, the service is allowed. When you select a service, the control displays the appropriate description.

Tip

HEIDENHAIN recommends that you add or delete exceptions only in the OT Net zone.

Allowed ports

On the Allowed ports tab, you can allow the TCP or UDP protocol.

When you select the Add button, the control displays a window. Select TCP or UDP and define the port or the range of ports.

Rich rules

On the Rich rules tab, you can define the exceptions for sources, services, and ports in more detail.

When you create a comprehensive rule, the control provides the following selection options:

  • Action
    • Accept: Accept the selected element
    • Reject: Reject the selected element
    • Drop: Discard the selected element
  • Source
    • IP address or MAC address
    • You can also define a rule using the element Service, TCP, or UDP without specifying a source.
  • Element
    • All: You must specify a source. The selected action applies to all services and ports.
    • Service: The control provides a selection menu containing all available services.
    • TCP: The control provides an input field for the port or the range of ports.
    • UDP: The control provides an input field for the port or the range of ports.
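The zone and exception logic described in the zone table, the Default zone and Allowed services settings, and the Rich rules section above, modeled as an added Python example (not HEIDENHAIN's code): an incoming connection is placed in a zone, checked against that zone's rich rules, allowed services and allowed ports, and otherwise handled by the zone's default target. The service-to-port mapping, the source-before-interface precedence and the rich-rules-before-services order are assumptions for this model, not statements from this page.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"ssh": ("tcp", 22), "vnc": ("tcp", 5900), "dns": ("udp", 53)}  # assumed ports

# RichRule: action ACCEPT/REJECT/DROP; element "all", "service", "tcp" or "udp";
# value is a service name or a (low, high) port range; source is an IP network or None.
RichRule = namedtuple("RichRule", "action element value source")
# Zone: default target plus its exceptions; ports entries are (proto, low, high).
Zone = namedtuple("Zone", "name default_target interfaces sources services ports rich_rules",
                  defaults=[frozenset(), frozenset(), frozenset(), (), ()])

DEFAULT_ZONE = "OT Net"
ZONES = [  # default configuration from the zone table on this page
    Zone("Block", "REJECT"), Zone("Drop", "DROP"), Zone("Trusted", "ACCEPT"),
    Zone("Machine Net", "REJECT", interfaces={"eth1"}, services={"vnc", "dns"}),
    Zone("OT Net", "REJECT", interfaces={"eth0"}, services={"ssh"}),
]

def zone_for(conn, zones=ZONES):
    # Assumed precedence: a source assignment beats an interface assignment;
    # anything unassigned lands in the default zone (see the "Default zone" setting).
    src = ip_address(conn["src"])
    for z in zones:
        if any(src in ip_network(s) for s in z.sources):
            return z
    return next((z for z in zones if conn["iface"] in z.interfaces),
                next(z for z in zones if z.name == DEFAULT_ZONE))

def covers(conn, element, value):
    # Does a rich-rule element (or an allowed service/port) describe this connection?
    if element == "all":
        return True
    if element == "service":
        return SERVICE_PORTS.get(value) == (conn["proto"], conn["port"])
    return element == conn["proto"] and value[0] <= conn["port"] <= value[1]

def decide(conn, zones=ZONES):
    # Assumed order: rich rules first, then allowed services and ports; whatever
    # is left is handled by the zone's default target.
    z = zone_for(conn, zones)
    src = ip_address(conn["src"])
    for r in z.rich_rules:
        if (r.source is None or src in ip_network(r.source)) and covers(conn, r.element, r.value):
            return z.name, r.action
    if any(covers(conn, "service", s) for s in z.services) or \
       any(covers(conn, p, (lo, hi)) for p, lo, hi in z.ports):
        return z.name, "ACCEPT"
    return z.name, z.default_target
```

With the default configuration, `decide({"src": "10.0.0.5", "iface": "eth0", "proto": "tcp", "port": 5900})` lands in OT Net and returns its REJECT default target, while the same VNC connection on eth1 is accepted by Machine Net.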

Notes

  • When user administration is active, you can set up only secure network connections via SSH or OPC UA (#56-61 / #3-02-1*). If non-secure network connections exist, you must set them up again as secure connections.
  • You must save all changes by using the Apply button; the control will discard the changes that have not been saved.
  • You can also open a zone by double-tapping or double-clicking the zone.
  • You can assign the interfaces or sources to different zones. A zone will be active once an interface or a source has been assigned to it.
  • You can also add or delete interfaces and sources on the overview screen of the zones.
  • If you delete an interface or source from a zone, the control will always assign this interface or source to the default zone. You cannot delete any interfaces or sources from the default zone.