144 GE INFORMATION D400 SUBSTATION GATEWAY INSTRUCTION MANUAL
CHAPTER 12: USING THE D400 LOCAL CONFIGURATION UTILITY
Network interfaces can operate in one of two modes:
• Internal
The Internal mode permits traffic from known protocols and should be enabled only on interfaces connected to known devices. The Internal mode is the default mode for Net1 and would typically be used when the interface is connected to the substation LAN.
• External
The External mode offers a stricter set of rules and is the default mode for all interfaces except Net1. The External mode would typically be used when the interface is connected to a WAN.
By default, the firewall allows outbound traffic on internal interfaces and blocks all outbound traffic except outbound SSH on external interfaces. If you want the firewall to allow outbound traffic for a particular protocol on an external interface, you must create a “custom” rule. See section: “Add/Edit/Remove Custom Rules” on page 145.
By default, the firewall blocks inbound traffic on both internal and external interfaces. The D400 automatically generates rules allowing inbound traffic on internal interfaces for all configured services. If you want the firewall to allow inbound traffic on an external interface, you may modify the associated “generated” rule to allow the traffic on ALL interfaces rather than only the “Internal” interface. See section: “Add/Edit/Remove Custom Rules” on page 145.
Table 34: Service traffic through the firewall

| Service Name | Notes | External Mode | Internal Mode |
|---|---|---|---|
| Modbus/TCP Server (Inbound) | | Deny | Allow |
| DNP/UDP Server (Inbound) | | Deny | Allow |
| DNP/TCP Server (Inbound) | | Deny | Allow |
| DNP/TCP Client (Inbound) | Dual Endpoint Enabled | Deny | Allow |
| DNP/UDP Client (Inbound) | | Deny | Allow |
| IEC 60870-5-104 Server (Inbound) | | Deny | Allow |
| Terminal Server (Inbound) | SSL/TLS Disabled | Deny | Allow |
| DCA Pass-Through (Inbound) | SSL/TLS Disabled | Deny | Allow |
| Secure Connection Relay (Inbound) | | Allow | Allow |
| Secure DCA Pass-Through (Inbound) | SSL/TLS Enabled | Allow | Allow |
| Secure Terminal Server (Inbound) | SSL/TLS Enabled | Allow | Allow |
| SNMP Client (Inbound) | | Deny | Allow |
| LogicLinx Executor (Inbound) | | Deny | Allow |
| HTTP (Inbound) | When enabled in d400cfg | Deny | Allow |
| HTTPS (Inbound) | When enabled in d400cfg, see note below | Deny | Allow |
| DHCP Client (Inbound) | When enabled in d400cfg | Deny | Allow |
| Telnet Server (Inbound) | When enabled in d400cfg | Deny | Allow |
| FTP Client/Server (Active & Passive, Inbound) | When enabled in d400cfg | Deny | Allow |
| SSH/SFTP/SCP Server (Inbound) | When enabled in d400cfg, see note below | Deny | Allow |
| TFTP Client (Inbound) | When enabled in d400cfg | Deny | Allow |
| NTP Client (Inbound) | When enabled in d400cfg | Deny | Allow |
| NTP Server (Inbound) | When enabled in d400cfg | Deny | Allow |
| SSH/SFTP/SCP (Outbound) | When enabled in d400cfg | Allow | Allow |
| All other services (Outbound) | Don't Care | Deny | Allow |
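The following is an added illustration, not GE code or part of the manual: a small model of the default, generated and custom rules described above and in Table 34, so that a reviewer can see which services a given configuration exposes on External mode interfaces. The interface names, the configured-service set and the assumption that a generated rule exists only for a configured service are constructed for the example.

```python
"""Model of the D400 firewall behaviour described in this chapter (added example, not GE code).

Encoded rules:
- Outbound: allowed on Internal mode interfaces; on External mode interfaces only
  SSH/SFTP/SCP is allowed unless a "custom" rule allows the protocol.
- Inbound: denied by default; a "generated" rule allows a configured service on
  Internal mode interfaces only, unless that rule was widened to ALL interfaces.
  Services Table 34 marks Allow in External mode (the SSL/TLS-protected ones) are
  allowed inbound on External mode interfaces as well.
Assumption (constructed): a generated rule exists only for a service that is configured.
"""
from dataclasses import dataclass, field

# Inbound services Table 34 lists as Allow in External mode.
EXTERNAL_INBOUND_DEFAULT_ALLOW = {
    "Secure Connection Relay", "Secure DCA Pass-Through", "Secure Terminal Server",
}


@dataclass
class D400Firewall:
    modes: dict                                      # interface -> "internal" | "external"
    services: set                                    # services configured in d400cfg
    widened: set = field(default_factory=set)        # generated rules changed to ALL interfaces
    custom_outbound: set = field(default_factory=set)  # custom rules allowing outbound on external

    def decide(self, iface: str, direction: str, service: str) -> str:
        """Return "allow" or "deny" for one service on one interface."""
        mode = self.modes[iface]
        if direction == "outbound":
            if mode == "internal":
                return "allow"
            ok = service == "SSH/SFTP/SCP" or service in self.custom_outbound
            return "allow" if ok else "deny"
        if service not in self.services:      # no generated rule -> default inbound deny
            return "deny"
        if mode == "internal":
            return "allow"
        if service in self.widened or service in EXTERNAL_INBOUND_DEFAULT_ALLOW:
            return "allow"
        return "deny"

    def external_exposure(self) -> list:
        """(interface, service) pairs reachable inbound on External mode interfaces: review these."""
        return sorted(
            (iface, svc)
            for iface, mode in self.modes.items() if mode == "external"
            for svc in self.services
            if self.decide(iface, "inbound", svc) == "allow"
        )
```

Widening a generated rule to ALL interfaces shows up immediately in `external_exposure()`, which makes it a convenient check to run before committing a configuration change.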