Recommended EtherNet/IP Firewall Rules
By Jake Nichelson
Product: IOD-4112 - Rockwell PLC EtherNet/IP Driver for DeltaV VIM2

Introduction

MYNAH Technologies recommends the following firewall rules when integrating the Tofino Xenon Firewall with any of the EtherNet/IP VIM2s. See Industrial Ethernet Integration with a Tofino Xenon Security Appliance for more information.


Firewall Rules for EtherNet/IP Devices

In this scenario the VIM2 is communicating to a ControlLogix. When using Class 1 communications, the VIM2 is a Class 1 Adapter which means that the ControlLogix will open the connection. When using any Explicit Messaging, the VIM2 will open the connection. The Tofino SA is connected between the ControlLogix and the switch.

Implicit Messaging:

  • Class 1

Explicit Messaging:

  • Tag Access
  • UCMM DF1
  • Class 3

Network Diagram

Without EtherNet/IP LSM (Loadable Security Module)

Rule 1: Default rule to allow all ARP traffic. ARP is necessary for all IP traffic to function.

Rule 2: The ControlLogix is always an EtherNet/IP Class 1 Scanner and will open the connection to the VIM. Therefore the direction arrow should point to the VIM2. All Class 1 communications between the ControlLogix and the VIM will be forwarded through the Tofino SA with this rule. If the VIM2 is acting as a Class 1 scanner connecting to an EtherNet/IP adapter such as a PowerFlex VFD then the direction arrow will point away from the VIM2. This rule is only required if using Class 1 communications.

Rule 3: When using Explicit Messaging, the VIM will establish the connection to the ControlLogix so the direction arrow will point towards the ControlLogix. This rule is only required if using UCMM DF1, Tag Access, or Class 3 Messaging.

Rule 4: The VIM2 must be able to ping the ControlLogix before establishing a network connection.

With EtherNet/IP LSM

Rule 1: Default rule to allow all ARP traffic. ARP is necessary for all IP traffic to function.

Rule 2: There is currently no Enforcer permission for Implicit Messaging, so the permission must be set to Allow. The ControlLogix is always an EtherNet/IP Class 1 Scanner and will open the connection to the VIM2. Therefore the direction arrow should point to the VIM2. All Class 1 communications between the ControlLogix and the VIM2 will be forwarded through the Tofino SA with this rule. If the VIM2 is acting as a Class 1 scanner connecting to an EtherNet/IP adapter such as a PowerFlex VFD then the direction arrow will point away from the VIM2. This rule is only required if using Class 1 communications.

Rule 3: The Permission is set to Enforcer; use the Enforcer Rule Details to configure special rules regarding Explicit Messaging. When using Explicit Messaging, the VIM will establish the connection to the ControlLogix so the direction arrow will point towards the ControlLogix. This rule is only required if using UCMM DF1, Tag Access, or Class 3 Messaging.

Rule 4: The VIM2 must be able to ping the ControlLogix before establishing a network connection.

The EtherNet/IP Enforcer rule can be used to create additional rules specific to EtherNet/IP (CIP) Explicit Messaging. Enforcer permissions for EtherNet/IP (CIP) Implicit Messaging are not currently supported. There are four radio selections and a checkbox for CIP Services:

  • Read-Only Data - Only allow Read-Only messages (no Writes or Programming)
  • Read/Write Data - Allow Read and Write function codes (no Programming)
  • Any - Allow all Modbus traffic
  • Advanced… - Used to specify which CIP Object Class ID and CIP Service Codes are allowed
  • Allow Embedded PCCC - This box must be checked to support UCMM DF1 Messages

MYNAH Technologies recommends using the default settings for Sanity Check, Reset, and Debug Options.


Firewall Rules for EtherNet/IP VIM2s

In this scenario the VIM2 is communicating to a ControlLogix. When using Class 1 communications, the VIM2 is a Class 1 Adapter which means that the ControlLogix will open the connection. When using any Explicit Messaging, the VIM2 will open the connection. The Tofino SA is connected between the VIM and the switch.

Implicit Messaging:

  • Class 1

Explicit Messaging:

  • Tag Access
  • UCMM DF1
  • Class 3

Network Diagram

Without EtherNet/IP LSM (Loadable Security Module)

Rule 1: Default rule to allow all ARP traffic. ARP is necessary for all IP traffic to function.

Rule 2: The ControlLogix is always an EtherNet/IP Class 1 Scanner and will open the connection to the VIM2. Therefore the direction arrow should point to the VIM2. All Class 1 communications between the ControlLogix and the VIM2 will be forwarded through the Tofino SA with this rule. If the VIM2 is acting as a Class 1 scanner connecting to an EtherNet/IP adapter such as a PowerFlex VFD then the direction arrow will point away from the VIM2. This rule is only required if using Class 1 communications.

Rule 3: When using Explicit Messaging, the VIM2 will establish the connection to the ControlLogix so the direction arrow will point towards the ControlLogix. This rule is only required if using UCMM DF1, Tag Access, or Class 3 Messaging.

Rule 4: The VIM2 must be able to ping the ControlLogix before establishing a network connection and the VIMNet Explorer computer must be able to ping the VIM2.

Rule 5: The VIMNet Explorer Messaging protocol must be allowed for VIMNet Explorer to properly communicate to the VIM2. See DeltaV Virtual IO Module Network Ports for more details about which network ports are used by VIMNet Explorer. The VIMNet Explorer Messaging protocol under Protocols → Common Industrial must be updated manually. The two ports (51001 and 52000) need to be updated as follows:

  • Add the last octet of the VIM's IP Address to 51001 (e.g.: 192.168.1.28 = 51029)
  • Add the last octet of the VIM's IP Address to 52000 (e.g.: 192.168.1.28 = 52028)

Rule 6: The VIMNet Explorer Special Rule must be allowed for VIMNet Explorer to detect the VIM2 on the network.

With EtherNet/IP LSM

Rule 1: Default rule to allow all ARP traffic. ARP is necessary for all IP traffic to function.

Rule 2: The ControlLogix is always an EtherNet/IP Class 1 Scanner and will open the connection to the VIM2. Therefore the direction arrow should point to the VIM2. All Class 1 communications between the ControlLogix and the VIM2 will be forwarded through the Tofino SA with this rule. If the VIM2 is acting as a Class 1 scanner connecting to an EtherNet/IP adapter such as a PowerFlex VFD then the direction arrow will point away from the VIM2. This rule is only required if using Class 1 communications.

Rule 3: The specific behavior of the Enforcer Rule is determined by the Enforcer settings. The Enforcer rule cannot be bidirectional. The direction arrow specifies which node opens the connection, not the flow of traffic. The arrow should point away from the VIM2 towards the ControlLogix.

Rule 4: The VIM2 must be able to ping the ControlLogix before establishing a network connection and the VIMNet Explorer computer must be able to ping the VIM2.

Rule 5: The VIMNet Explorer Messaging protocol must be allowed for VIMNet Explorer to properly communicate to the VIM2. See DeltaV Virtual IO Module Network Ports for more details about which network ports are used by VIMNet Explorer. The VIMNet Explorer Messaging protocol under Protocols → Common Industrial must be updated manually. The two ports (51001 and 52000) need to be updated as follows:

  • Add the last octet of the VIM's IP Address to 51001 (e.g.: 192.168.1.28 = 51029)
  • Add the last octet of the VIM's IP Address to 52000 (e.g.: 192.168.1.28 = 52028)

Rule 6: The VIMNet Explorer Special Rule must be allowed for VIMNet Explorer to detect the VIM2 on the network.

The EtherNet/IP Enforcer rule can be used to create additional rules specific to EtherNet/IP (CIP) Explicit Messaging. Enforcer permissions for EtherNet/IP (CIP) Implicit Messaging are not currently supported. There are four radio selections and a checkbox for CIP Services:

  • Read-Only Data - Only allow Read-Only messages (no Writes or Programming)
  • Read/Write Data - Allow Read and Write function codes (no Programming)
  • Any - Allow all Modbus traffic
  • Advanced… - Used to specify which CIP Object Class ID and CIP Service Codes are allowed
  • Allow Embedded PCCC - This box must be checked to support UCMM DF1 Messages

MYNAH Technologies recommends using the default settings for Sanity Check, Reset, and Debug Options.
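The following Python script is an added example, not MYNAH's or Tofino's own tooling (the Tofino Configurator is driven through its GUI, not an API). It models the rule sets of both scenarios in this note (Tofino between the ControlLogix and the switch, Rules 1-4; Tofino between the VIM2 and the switch, Rules 1-6), derives the direction arrow from which node opens each connection, computes the VIMNet Explorer ports of Rule 5 from the VIM2's address, and checks the Enforcer settings against the Embedded PCCC requirement for UCMM DF1. The function names, the sample IP addresses and the Explorer-to-VIM2 direction assumed for Rules 5 and 6 are constructions of this example.

```python
# Added example: models the Tofino rule sets described in this note.
# Not MYNAH's or Tofino's tooling; node addresses, helper names and the
# Explorer -> VIM2 direction for Rules 5 and 6 are assumptions of this example.
from dataclasses import dataclass
from ipaddress import IPv4Address

VIMNET_BASE_PORTS = (51001, 52000)  # Rule 5 base ports given in the note
EXPLICIT_TYPES = ("Tag Access", "UCMM DF1", "Class 3")


def vimnet_explorer_ports(vim_ip: str) -> tuple:
    """Rule 5: add the last octet of the VIM2's IP address to 51001 and 52000."""
    last_octet = IPv4Address(vim_ip).packed[-1]
    return (VIMNET_BASE_PORTS[0] + last_octet, VIMNET_BASE_PORTS[1] + last_octet)


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str
    opener: str      # node that opens the connection: the arrow's tail
    target: str      # node the direction arrow points to
    permission: str  # "Allow", or "Enforcer" (only available with the LSM)
    note: str = ""


def recommended_rules(vim_ip, plc_ip, explorer_ip=None, *, class1=True,
                      explicit=EXPLICIT_TYPES, vim_is_scanner=False,
                      tofino_at_vim=True, lsm=False):
    """Build the rule list for one of the two scenarios in the note.

    tofino_at_vim=True  -> Tofino between the VIM2 and the switch (Rules 1-6)
    tofino_at_vim=False -> Tofino between the ControlLogix and the switch (Rules 1-4)
    """
    rules = [Rule(1, "ARP", "any", "any", "Allow", "required for all IP traffic")]
    if class1:
        # The ControlLogix is the Class 1 scanner and opens the connection,
        # unless the VIM2 itself scans an adapter such as a PowerFlex VFD.
        opener, target = (vim_ip, plc_ip) if vim_is_scanner else (plc_ip, vim_ip)
        rules.append(Rule(2, "EtherNet/IP Class 1 (implicit)", opener, target, "Allow",
                          "no Enforcer permission exists for implicit messaging"))
    if explicit:
        # The VIM2 opens explicit connections; with the LSM this is an Enforcer rule.
        rules.append(Rule(3, "EtherNet/IP explicit: " + ", ".join(explicit), vim_ip, plc_ip,
                          "Enforcer" if lsm else "Allow",
                          "Enforcer rules are one-directional; arrow shows the opener"))
    rules.append(Rule(4, "ICMP ping", vim_ip, plc_ip, "Allow"))
    if tofino_at_vim:
        if explorer_ip is None:
            raise ValueError("VIMNet Explorer address is needed when the Tofino is at the VIM2")
        rules.append(Rule(4, "ICMP ping", explorer_ip, vim_ip, "Allow"))
        p1, p2 = vimnet_explorer_ports(vim_ip)
        rules.append(Rule(5, f"VIMNet Explorer Messaging (ports {p1}, {p2})",
                          explorer_ip, vim_ip, "Allow",
                          "ports are per-VIM2; Explorer -> VIM2 direction assumed"))
        rules.append(Rule(6, "VIMNet Explorer Special Rule (VIM2 detection)",
                          explorer_ip, vim_ip, "Allow"))
    return rules


def enforcer_findings(explicit, cip_services, allow_embedded_pccc):
    """Consistency checks for the Enforcer Rule Details described in the note."""
    findings = []
    if "UCMM DF1" in explicit and not allow_embedded_pccc:
        findings.append("UCMM DF1 is in use but 'Allow Embedded PCCC' is unchecked")
    if cip_services == "Any":
        findings.append("CIP Services = Any permits every service; prefer a narrower selection")
    return findings


def render(rules):
    """Return one text line per rule, arrow drawn from opener to target."""
    return [f"Rule {r.number}: {r.protocol:48} {r.opener:>14} -> {r.target:<14} "
            f"{r.permission:9} {r.note}" for r in rules]


if __name__ == "__main__":
    # Constructed addresses for a VIM2, a ControlLogix and the VIMNet Explorer PC.
    for line in render(recommended_rules("192.168.1.28", "192.168.1.10",
                                         "192.168.1.50", lsm=True)):
        print(line)
    for f in enforcer_findings(EXPLICIT_TYPES, "Read/Write Data", False):
        print("Enforcer finding:", f)
```

Run it as-is to print the six-rule set for the VIM2-side scenario with the LSM; pass `tofino_at_vim=False` for the ControlLogix-side scenario, `class1=False` or `explicit=()` to drop the rules the note marks as optional, and `vim_is_scanner=True` to flip the Rule 2 arrow for a VIM2 that scans a PowerFlex VFD.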