Reference
Making settings for the interface properties in the "Properties > General > IP access protection" parameter group.
Overview
The following options can be assigned for IP access protection according to the CP type:
- "Enable web server" option
The CP provides the functionality of a web server for access with a web browser. HTML pages with CP information and diagnostic functions are stored in a memory area of the CP for this purpose.
Enable this option to be granted access to these HTML pages. Port 80 of the CP is opened as a result.
Web server access is enabled by default. If you do not need the diagnostic pages, disable the option so that port 80 is not reachable.
- "Enable FTP server" option
Select this option if you want to allow FTP access to the S7 station via ports 20/21 of the CP.
If you configure FTP access to file DBs in the CPU in the "FTP" tab, that access is only possible if you select the option here.
FTP server access via ports 20/21 is enabled by default. Note that FTP transmits credentials and data unencrypted; leave the option disabled unless FTP access is actually required.
- "Enable access protection for IP communication" option
The Ethernet interface allows you to restrict access to the local device to partners with specified IP addresses. Partners you have not authorized then have no access to data on the local device via this interface.
Here, you can enable or disable IP access protection and can also enter specific IP addresses in an IP access control list (IP-ACL).
By default, IP access protection is deactivated.
Blocked access attempts are registered on the CP and can be viewed with special diagnostics in the "IP access protection" diagnostic object. If the CP has IT functionality, a LOG file is also created in the file system of the CP that you can view with a Web browser.
Please refer to the instructions on handling the LOG file and the notes on loading the configuration data below.
IP access protection for configured communication partners
If you want to restrict access so that only the communication partners you specified in the configuration have access to the local device, you simply need to enable access protection. In this case, you do not need to enter any IP addresses in the list.
These communication partners include:
- Stations to which communication connections are configured;
With the exception of S7 connections, this also applies to connections on which the connection partner is located in a different subnet.
Remember, however, that for unspecified connections, whose partner addresses are unknown, every IP address that is not entered in the list is unauthorized and will be rejected. Connections in PROFINET CBA are also treated as unspecified connections. You must therefore enter the IP addresses of such partners explicitly in the IP access control list.
- PROFINET IO devices when the Ethernet CP is used as a PROFINET IO controller;
The IP addresses of PROFINET IO devices are entered dynamically in the IP access control list when the CPU is in RUN mode.
If the CPU changes to STOP mode, the IP addresses of the PROFINET IO devices are deleted from the access list.
- NTP servers, SMTP servers, DNS servers and DHCP servers.
The IP addresses of NTP servers, SMTP servers, DNS servers and DHCP servers are also entered and removed dynamically when there are requests to these servers.
IP access protection relates to all connection types that use the IP protocol (TCP, ISO-on-TCP, UDP, S7).
Note on dynamically assigned IP addresses:
Since each service manages its dynamic entry in the ACL itself, it is perfectly possible for the same IP address to appear several times in module diagnostics.
IP access protection for partners with specific IP addresses
To allow access only by certain IP addresses, enter these IP addresses in the IP access control list. These can, for example, be the IP addresses of connection partners that remained unspecified in the connection configuration, of individual programming devices or of connection partners on PROFINET CBA.
The IP addresses you specified in the connection configuration always belong to the permitted IP addresses and do not therefore need to be entered explicitly in the IP-ACL.
Viewing the LOG File with a Web browser
On CPs with IT functionality, a LOG file is created in the file system of the CP and this can be viewed with a Web browser. Compared with the recording made in the special diagnostics, the LOG file provides space for up to 512 entries.
The LOG file is available only after activating IP access protection the first time.
You will find the LOG file as an HTML file in the file system of the CP in the following directory:
ram/security/IPLogFile.htm
Further properties:
The LOG file is created as a ring buffer. When more than 512 entries have been recorded, the oldest entries are then overwritten.
Entries are made chronologically and there are no other criteria for sorting.
Note that this function is supported only by the newer firmware versions of the CPs; you will find more detailed information in the CP device documentation.
With Advanced CPs as of CP 343-1 Advanced (GX30) and CP 443-1 Advanced (GX20) the LOG file is not created. On these CPs, you can view the blocked access attempts directly with Web diagnostics.
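The following Python model illustrates the IP-ACL rules described above (configured partners implicitly permitted, unspecified partners rejected until entered explicitly, PROFINET IO device entries that exist only while the CPU is in RUN, per-service dynamic entries that can list the same address twice) together with the 512-entry ring buffer of blocked attempts described for the LOG file. It is an added example and not CP firmware code; the class and method names, the service labels and the 192.168.0.x / 10.1.x.x addresses are constructed for the illustration.

```python
"""Model of the IP access protection (IP-ACL) semantics described on this page.

Added illustration, not Siemens CP firmware. Names, service labels and all
IP addresses below are assumptions constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field

LOG_CAPACITY = 512  # ring-buffer size stated for the LOG file


@dataclass
class IpAcl:
    enabled: bool = False
    # Partners from the connection configuration: always permitted once protection is on.
    configured_partners: set = field(default_factory=set)
    # Addresses the engineer entered explicitly in the IP-ACL.
    explicit_entries: set = field(default_factory=set)
    # Dynamic entries kept per service (PNIO, NTP, SMTP, DNS, DHCP). Each service
    # manages its own entry, so one address may appear more than once.
    dynamic_entries: dict = field(default_factory=dict)
    # Blocked attempts: oldest entry is overwritten once the buffer is full.
    blocked_log: deque = field(default_factory=lambda: deque(maxlen=LOG_CAPACITY))
    _blocked_total: int = 0

    def add_dynamic(self, service: str, ip: str) -> None:
        """A service registers its partner while a request to it is active."""
        self.dynamic_entries.setdefault(service, []).append(ip)

    def remove_dynamic(self, service: str, ip: str) -> None:
        entries = self.dynamic_entries.get(service, [])
        if ip in entries:
            entries.remove(ip)

    def cpu_run(self, pnio_devices) -> None:
        """CPU -> RUN: the IO controller enters its IO devices dynamically."""
        for ip in pnio_devices:
            self.add_dynamic("PNIO", ip)

    def cpu_stop(self) -> None:
        """CPU -> STOP: the IO device entries are deleted again."""
        self.dynamic_entries.pop("PNIO", None)

    def is_permitted(self, ip: str) -> bool:
        if not self.enabled:
            return True
        if ip in self.configured_partners or ip in self.explicit_entries:
            return True
        return any(ip in ips for ips in self.dynamic_entries.values())

    def access(self, ip: str) -> bool:
        """Evaluate one incoming packet; a rejected one is written to the ring buffer."""
        ok = self.is_permitted(ip)
        if not ok:
            self._blocked_total += 1
            self.blocked_log.append((self._blocked_total, ip))
        return ok

    def dynamic_listing(self) -> list:
        """Dynamic entries as module diagnostics would show them, duplicates included."""
        return [(svc, ip) for svc, ips in self.dynamic_entries.items() for ip in ips]


def walkthrough() -> dict:
    """Run the cases from the page against the model and return the decisions."""
    acl = IpAcl(configured_partners={"192.168.0.10"})  # partner of a configured connection
    result = {}
    result["disabled_any"] = acl.access("10.0.0.99")         # protection off: everything passes
    acl.enabled = True
    result["configured"] = acl.access("192.168.0.10")        # configured partner: implicit
    result["unspecified_before"] = acl.access("192.168.0.77")  # unspecified partner: rejected
    acl.explicit_entries.add("192.168.0.77")                 # entered explicitly in the IP-ACL
    result["unspecified_after"] = acl.access("192.168.0.77")
    acl.cpu_run(["192.168.0.20", "192.168.0.21"])            # IO devices entered in RUN
    result["pnio_run"] = acl.access("192.168.0.20")
    acl.cpu_stop()                                           # ... and removed in STOP
    result["pnio_stop"] = acl.access("192.168.0.20")
    acl.add_dynamic("NTP", "192.168.0.5")                    # same host serves NTP and DNS:
    acl.add_dynamic("DNS", "192.168.0.5")                    # listed twice in diagnostics
    result["dynamic_dupes"] = sum(1 for _, ip in acl.dynamic_listing() if ip == "192.168.0.5")
    result["blocked"] = [ip for _, ip in acl.blocked_log]
    return result


def ring_buffer_demo(attempts: int = 600) -> tuple:
    """Overfill the log: only the newest LOG_CAPACITY blocked attempts survive."""
    acl = IpAcl(enabled=True)                                # empty list: nothing is permitted
    for i in range(attempts):
        acl.access(f"10.1.{i // 256}.{i % 256}")             # constructed source addresses
    first_seq, _ = acl.blocked_log[0]
    last_seq, _ = acl.blocked_log[-1]
    return len(acl.blocked_log), first_seq, last_seq


if __name__ == "__main__":
    print(walkthrough())
    print(ring_buffer_demo())
```

With 600 rejected attempts the buffer holds 512 entries numbered 89 to 600; the first 88 have been overwritten, which is why the diagnostics should be read (or the LOG file saved) before a flood of attempts pushes the interesting entries out.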