Outgoing Ethernet connections, e.g. OPC-UA Client, from the controller are not established when the firewall is active.

Fixed as of: Firmware V1.11

Behaviour of the new version:
If the OPC UA PLCopen client opens dynamic ports for communication with an external OPC UA server, these ports are automatically opened in the firewall.

______________________________________________________________________________________________

Description of behaviour:

By default, the controller's firewall is not active; it must be activated with parameter 0x5910:001.
Once activated, it filters the controller's incoming ports according to the settings in the parameter set (parameters 0x5911 to 0x5913). Outgoing ports are not considered by the firewall.

However, when an outgoing connection (e.g. OPC-UA Client) is opened, a random outgoing port is selected and communication with an OPC-UA Server is initiated.
The server responds to the same randomly selected port. The firewall treats this response as an incoming connection and filters it.
Thus, no connection can be established.

Under what conditions does the behaviour occur?
Use of outgoing connections, e.g.:
- OPC-UA Client or
- TCP socket connections from IEC 61131 or
- Access from the OPC-UA client of the UI runtime to an external IP address (e.g. another controller)

while the firewall is activated.

Affected products:
c520, c550 as of firmware version 1.9.0.3470

Short-term measures:
Two options are available:
1) Deactivate the firewall in EasyStarter or in the parameter menu of the PLC Designer.
2) Create a firewall rule in the "Application Ports" section in EasyStarter or in the parameter menu of the PLC Designer.
   Port Range Start = 32768
   Port Range End = 60999
   Protocol Type = TCP
   Activation = Allow
   Client IP Range = Any
   Network: Engineering Port = True

=> From a security point of view, option 2) is preferable.
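
Added example (not Lenze code): a simplified Python model of a stateless inbound port filter, showing why the reply to the client's randomly selected port is dropped and what the rule from option 2) admits. The first-match/default-drop logic, the sample addresses and the narrowed Client IP Range variant are assumptions made for illustration.

```python
"""Simplified model (assumption, not firmware logic) of a stateless inbound port filter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    port_start: int
    port_end: int
    protocol: str            # "TCP" or "UDP"
    client_net: str          # CIDR; "0.0.0.0/0" models Client IP Range = Any
    allow: bool = True       # Activation = Allow

@dataclass(frozen=True)
class Segment:               # one inbound packet as seen by the controller
    src_ip: str
    dst_port: int            # port on the controller
    protocol: str = "TCP"

def inbound_allowed(seg, rules, firewall_active=True):
    """First matching rule wins; with no match an active firewall drops (assumed default)."""
    if not firewall_active:
        return True
    for r in rules:
        if (r.protocol == seg.protocol
                and r.port_start <= seg.dst_port <= r.port_end
                and ip_address(seg.src_ip) in ip_network(r.client_net)):
            return r.allow
    return False

# Constructed sample data (documentation addresses from RFC 5737).
OPCUA_SERVER = "192.0.2.10"
OTHER_HOST = "192.0.2.99"
EPHEMERAL_PORT = 45123       # port the controller's client happened to pick

WORKAROUND = [Rule(32768, 60999, "TCP", "0.0.0.0/0")]          # rule from option 2)
NARROWED = [Rule(32768, 60999, "TCP", OPCUA_SERVER + "/32")]   # hypothetical tighter variant

def evaluate():
    reply = Segment(OPCUA_SERVER, EPHEMERAL_PORT)      # server's answer to the client
    unsolicited = Segment(OTHER_HOST, EPHEMERAL_PORT)  # unrelated host, same port
    return {
        "no_rule_reply": inbound_allowed(reply, []),
        "workaround_reply": inbound_allowed(reply, WORKAROUND),
        "workaround_unsolicited": inbound_allowed(unsolicited, WORKAROUND),
        "narrowed_reply": inbound_allowed(reply, NARROWED),
        "narrowed_unsolicited": inbound_allowed(unsolicited, NARROWED),
    }

if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DROP'}")
```

In this model the rule with Client IP Range = Any admits inbound TCP from every host to ports 32768 to 60999, because a stateless filter cannot tell a reply from a new connection. Restricting the Client IP Range to the OPC UA server's address, where the device accepts such a value, keeps the reply path open while dropping other sources.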

URL for linking this AKB article: https://www.lenze.com/en-de/go/akb/202300132/1/