Web-based Management 2:
Security - Firewall
Valid from firmware release 2025.0 - for earlier firmware see WBM Firewall
PLCnext Technology relies on the proven and commonly used Linux® firewall nftables. On the device, you don't need to configure the firewall rules via cryptic shell commands. Just choose from the predefined basic rules, or add your own rules to the set.
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the Security context.
General
By default, the firewall is Deactivated.
- Check and adapt the predefined rules in the Basic configuration tab.
- Activate the firewall at the toggle switch, then click the button.
↪ The firewall becomes Activated.
Only while the firewall is active can you generate an overview of all enabled firewall rules and save it to a *.txt file.
- Click the button.
↪ The *.txt file with the activated firewall rules is generated and opens in a dialog box.
- To save the active rules to a *.txt file, click the button in the dialog box.
↪ The *.txt file is saved to the Download folder you specified on the host computer.
Basic configuration
The Basic Configuration tab provides predefined firewall rules. You can specify or add your own firewall rules on the IP INPUT RULES or IP OUTPUT RULES tabs.
ICMP configuration
In the ICMP configuration section at the top, you specify how incoming and outgoing ICMP echo requests are treated. By default, incoming and outgoing ping commands are allowed; this is necessary for testing rules.
Basic rules
In the Basic Rules section, you can specify firewall rules for different incoming connections, which you can enable or disable in the Action column. The configuration baseline is stored in the /etc/nftables/plcnext-filter file in the controller file system.
Use the Action column to choose how the firewall treats connection requests for each of these connections:
Option | Description |
Accept | Connection requests are accepted. A connection can be established. |
Drop | Connection requests are not answered; the packet is silently dropped. After saving this setting, already established connections are dropped as well. |
Reject | Connection requests are refused, and the sender is notified that the connection was rejected. |
Continue | The rule is not executed. Choose this option to skip the basic rule and use a user-specific rule for the port instead. |
To change a basic rule, proceed as follows:
- In the Basic configuration tab, set the basic rule to Continue in the Action column. This way, the rule is skipped.
- Create and configure a new rule in the IP INPUT RULES tab.
Example: You can specify incoming SSH connection requests via TCP port 22 in more detail by excluding certain IP addresses or by granting access exclusively to certain IP addresses.
- To make sure that all newly applied rules are actively used (even for already established connections!), click the button.
Note: If you select the Reject or Drop action for HTTPS while the firewall is activated and apply it by clicking the button, you can no longer change the firewall rules back via the WBM 2.
- To stop the firewall in this case, you have to reset the controller to the default settings.
For more detailed information, please refer to the user manual for your controller.
Note that during a reset to the default settings, user-specific data (applications, configuration, etc.) is deleted.
Once the firewall is deactivated, you can access the WBM 2 again.
- The firewall rules for SNMP and for the PROFINET unicast/multicast ports have been removed from the default Basic configuration because PROFINET could hardly be used at all with an activated firewall. At PLCnext Security Info Center - Activating PROFINET you can find instructions on how to configure the firewall to enable PROFINET communication.
Protocols and ports
The settings are valid for all Ethernet interfaces. A limitation to certain Ethernet interfaces is specified via a user-specific rule in the IP INPUT RULES or IP OUTPUT RULES tabs.
Description | Protocol | Port |
NTP | UDP | Port 123 |
Remoting (e.g. PLCnext Engineer) | TCP | Port 41100 |
SSH connections, e.g., for SSH shell connection or SFTP connection | TCP | Port 22 |
HTTP | TCP | Port 80 |
HTTPS, (Proficloud,) eHMI and WBM 2 | TCP | Port 443 |
OPC UA® | TCP | Port 4840 |
EtherNet/IP™ | TCP | |
MATLAB®/Simulink® in External mode | TCP | Port 17725 |
If you need PROFINET or SNMP, you may add these rules to your basic rules:
Description | Protocol | Port |
PROFINET unicast/multicast (see also Activating PROFINET in the PLCnext Technology ‑ Security Info Center) | UDP | Ports 34962, 34963, 34964 |
SNMP | TCP | Port 161 |
User Configuration tab
In addition or as an alternative to the basic rules, you can define and activate your own, user-specific firewall rules for different filter categories in the User Configuration tab. Below and in the table you will find the buttons to add, remove, or edit rules.
Define the following parameters:
Column | Description |
Interface (Input Rules only) | You can configure Input Rules specifically for an interface. From the drop-down list, select the Ethernet interface to which the filter rule is to be applied. The Output Rules apply to all interfaces. |
Protocol | From the drop-down list, select TCP, UDP, or UDPLITE, or all of them. |
From IP | In the From IP field, enter an IP address, if applicable. |
From Port | In the From Port field, enter the corresponding ports, if applicable. The rule applies to connections coming in from this address. You can specify all ports, a single port, or a range. A port range is written with a - and no spaces between the port numbers. Example: 22-30. If you leave the field empty (any), all ports are selected. |
To IP | In the To IP field, enter an IP address, if applicable. You can specify all IP addresses, a single IP address, or a range. An IP address range is written with a - and no spaces between the IP addresses. Example: 192.168.1.10-192.168.1.20. If you leave the field empty (0.0.0.0), all IP addresses are selected. |
To Port | In the To Port field, enter the corresponding ports, if applicable. The rule applies to connections going out to this address. You can specify all ports, a single port, or a range. A port range is written with a - and no spaces between the port numbers. Example: 22-30. If you leave the field empty (any), all ports are selected. |
Comment | Here, enter a description of the filter rule. |
Action | The options described in the Action column of the Basic rules section can be used as actions for the filter rules. |
To activate the settings you configured and transmit them to the system, click the button. If a configuration is already present on the system, it is overwritten during this process.
To discard the new configuration and return to the basic settings, click the button.
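The following is an added example, not code from Phoenix Contact or from the controller firmware. It models two things described on this page: the order in which a basic rule and a user-specific rule are evaluated (why the basic SSH rule must be set to Continue before a user rule restricting SSH to certain IP addresses can take effect), and the field conventions of the User Configuration table (empty port = any, port range 22-30, IP range 192.168.1.10-192.168.1.20). It also includes a pre-check for the lock-out note above: a rule set that no longer accepts TCP port 443 would make WBM 2 unreachable. The mapping of a rule to nftables text, the interface name eth0, all addresses, and the default verdict for packets no rule matches are assumptions made for illustration; the rules the controller actually generates in /etc/nftables/plcnext-filter may look different.

```python
# Added example (not Phoenix Contact's code): models first-match evaluation of the
# WBM firewall rules on this page and an assumed mapping of a user rule to nft text.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ACCEPT, DROP, REJECT, CONTINUE = "accept", "drop", "reject", "continue"
ANY_IP = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))

def parse_ports(text: str) -> Tuple[int, int]:
    """'' -> any port, '22' -> (22, 22), '22-30' -> (22, 30), as in the WBM fields."""
    text = text.strip()
    if not text:
        return (0, 65535)
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port specification: {text!r}")
    return (lo_i, hi_i)

def parse_ips(text: str):
    """'' or 0.0.0.0 -> any IPv4 address; one address; or 'a-b' without spaces."""
    text = text.strip()
    if not text or text == "0.0.0.0":
        return ANY_IP
    lo, _, hi = text.partition("-")
    lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    if hi_a < lo_a:
        raise ValueError(f"invalid IP range: {text!r}")
    return (lo_a, hi_a)

@dataclass
class Rule:
    """One row of the IP INPUT RULES table; an empty string means any / all."""
    comment: str
    action: str
    protocol: str = "tcp"   # tcp, udp or udplite
    interface: str = ""     # input rules only; "" = all Ethernet interfaces
    from_ip: str = ""
    from_port: str = ""
    to_ip: str = ""
    to_port: str = ""

    def matches(self, pkt: dict) -> bool:
        if (self.interface and pkt["iif"] != self.interface) or pkt["proto"] != self.protocol:
            return False
        s_lo, s_hi = parse_ips(self.from_ip)
        d_lo, d_hi = parse_ips(self.to_ip)
        sp_lo, sp_hi = parse_ports(self.from_port)
        dp_lo, dp_hi = parse_ports(self.to_port)
        return (s_lo <= ipaddress.ip_address(pkt["saddr"]) <= s_hi
                and d_lo <= ipaddress.ip_address(pkt["daddr"]) <= d_hi
                and sp_lo <= pkt["sport"] <= sp_hi and dp_lo <= pkt["dport"] <= dp_hi)

    def to_nft(self) -> str:
        """Assumed equivalent nftables rule text (the verdict keywords are nft's own)."""
        parts = [f'iifname "{self.interface}"'] if self.interface else []
        if self.from_ip:
            parts.append(f"ip saddr {self.from_ip}")
        if self.to_ip:
            parts.append(f"ip daddr {self.to_ip}")
        if self.from_port:
            parts.append(f"{self.protocol} sport {self.from_port}")
        if self.to_port:
            parts.append(f"{self.protocol} dport {self.to_port}")
        return " ".join(parts + [f'{self.action} comment "{self.comment}"'])

def verdict(rules: List[Rule], pkt: dict, default: str = DROP) -> str:
    """First matching rule with a final verdict decides; a Continue rule is skipped,
    like nftables' own 'continue' verdict.  The default for unmatched packets is an
    assumption of this model, not a documented controller setting."""
    for rule in rules:
        if rule.action != CONTINUE and rule.matches(pkt):
            return rule.action
    return default

def packet(dport: int, saddr: str = "192.168.1.15") -> dict:
    """Constructed sample TCP packet arriving on eth0 at the controller."""
    return {"iif": "eth0", "proto": "tcp", "saddr": saddr,
            "daddr": "192.168.1.1", "sport": 50000, "dport": dport}

# Constructed rules: the basic HTTPS rule and a user rule that limits SSH to an
# engineering address range, the example this page gives for using Continue.
HTTPS_BASIC = Rule("HTTPS, eHMI and WBM 2", ACCEPT, to_port="443")
SSH_USER = Rule("SSH only from engineering hosts", ACCEPT, interface="eth0",
                from_ip="192.168.1.10-192.168.1.20", to_port="22")

def ssh_verdicts(basic_ssh_action: str) -> Tuple[str, str]:
    """Verdicts for SSH from inside and outside the allowed range, depending on the
    Action chosen for the basic SSH rule that precedes the user rule."""
    rules = [Rule("SSH (basic rule)", basic_ssh_action, to_port="22"), HTTPS_BASIC, SSH_USER]
    return (verdict(rules, packet(22, "192.168.1.15")), verdict(rules, packet(22, "10.0.0.7")))

def wbm_stays_reachable(rules: List[Rule]) -> bool:
    """Pre-check for the lock-out note on this page: the rule set must still accept
    TCP port 443, otherwise WBM 2 cannot be used to undo the change."""
    return verdict(rules, packet(443)) == ACCEPT

if __name__ == "__main__":
    print("basic SSH = Accept  :", ssh_verdicts(ACCEPT))    # user rule never reached
    print("basic SSH = Continue:", ssh_verdicts(CONTINUE))  # user rule decides
    print(SSH_USER.to_nft())
    print("WBM reachable after HTTPS -> Drop:",
          wbm_stays_reachable([Rule("HTTPS", DROP, to_port="443")]))
```

With the basic SSH rule left on Accept, every SSH request matches it first and the user rule restricting the source addresses is never reached; with the basic rule set to Continue, only the 192.168.1.10-192.168.1.20 range is accepted and other sources fall through to the default. The wbm_stays_reachable check is the kind of guard worth running against any rule set before clicking the apply button, since the page notes that dropping or rejecting HTTPS leaves a controller reset as the only way back.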