Configuration, programming
4.8 Security
CP 1543-1
Operating Instructions, 12/2019, C79000-G8976-C289-08
67
4.8.3.4 Firewall settings for connections via a VPN tunnel
IP rules in advanced firewall mode
If you have configured connections between CPs, note the following setting if you operate
the CPs in advanced firewall mode.
In the parameter group "Security > Firewall > IP rules" select the setting "Accept" for tunnel
connections for both CPs.
If you do not enable the option, the VPN connection is terminated and re-established.
This applies to connections between a CP 154x-1 and, for example, a CP 343-1 Advanced,
CP 443-1 Advanced, CP 1628 or CP 1243-1.
See also
Settings for online security diagnostics and downloading to station with the firewall activated
(Page 67)
4.8.4 Online functions
4.8.4.1 Settings for online security diagnostics and downloading to station with the firewall
activated
Setting the firewall for online functions
With the security functions enabled, follow the steps outlined below:
1. In the global security settings (see project tree), select the entry "Firewall > Services >
Define services for IP rules".
2. Select the "ICMP" tab.
3. Insert a new entry of the type "Echo Reply" and another of the type "Echo Request".
4. Now select the CP in the S7 station.
5. Enable the advanced firewall mode in the local security settings of the CP in the "Security
> Firewall" parameter group.
6. Open the "IP rules" parameter group.
7. In the table, insert a new IP rule for the previously created global services as follows:
– Action: Allow; "From external -> To station " with the globally created "Echo request"
service
– Action: Allow; "From station -> to external" with the globally created "Echo reply"
service
8. For the IP rule for the Echo Request, enter the IP address of the engineering station in
"Source IP address". This ensures that only ICMP frames (ping) from your engineering
station can pass through the firewall.
To Next Page
Loading...
Need help?
General
