Configuration, programming
4.8 Security
CP 1543-1
66 Operating Instructions, 12/2019, C79000-G8976-C289-08
This is the case in the following typical configuration:
VPN subscriber (active) ⇔ gateway (dyn. IP address) ⇔ Internet ⇔ gateway (fixed IP
address) ⇔ CP (passive)
Configure the permission for VPN connection establishment for the CP as a passive
subscriber as follows:
1. In STEP 7, go to the devices and network view.
2. Select the CP.
3. Open the parameter group "VPN“ in the local security settings.
4. For each VPN connection with the CP as a passive VPN subscriber, change the default
setting "Initiator/Responder" to the setting "Responder".
4.8.3 Firewall
4.8.3.1 Firewall sequence when checking incoming and outgoing frames
Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame
is discarded at this level, it is not checked by the IP firewall (layer 3). This means that with
suitable MAC firewall rules, IP communication can be restricted or blocked.
See also
Programmed connections: Restriction of firewall rules (Page 40)
Virtual interface of the CPU (Page 37)
4.8.3.2 Notation for the source IP address (advanced firewall mode)
If you specify an address range for the source IP address in the advanced firewall settings of
the CP, make sure that the notation is correct:
● Separate the two IP addresses only using a hyphen.
Correct: 192.168.10.0-192.168.10.255
● Do not enter any other characters between the two IP addresses.
Incorrect: 192.168.10.0 - 192.168.10.255
If you enter the range incorrectly, the firewall rule will not be used.
4.8.3.3 HTTP and HTTPS not possible with IPv6
It is not possible to use HTTP and HTTPS communication on the Web server of the station
using the IPv6 protocol.
If the firewall is enabled in the local security settings in the entry "Firewall > Predefined IPv6
rules": The selected check boxes "Allow HTTP" and "Allow HTTPS" have no function.
To Next Page
Loading...
Need help?
General
