This is a video blog covering the setup of the GE MDS Orbit firewall. The video tutorial is linked below, followed by the CLI firewall script examples that match the policies used in the video.
How to apply a firewall to the interface(s):
The firewall policy, also known as an ACL (Access Control List), is tied to an interface in the Filter sub-section, located under the interface type on the Basic Config tab shown below.
The default policies are:
IN_TRUSTED & OUT_TRUSTED or,
IN_UNTRUSTED & OUT_UNTRUSTED
To change them, simply select the new policies and click the Save button at the top (it turns green once there are unsaved changes).
The policies are now applied to the specified interface. In this example we've changed the default IN_TRUSTED/OUT_TRUSTED policies to the default IN_UNTRUSTED/OUT_UNTRUSTED policies.
In the video example, two different policy sets are used. Here's an example of the separate LN policies applied only on the LnRadio interface.
Firewall Script Examples
LN Radio - Advanced routed interface version
The firewall script below creates two new policies, LN_IN_UNTRUSTED and LN_OUT_UNTRUSTED, on the GE MDS Orbit.
The inbound and outbound policies are mirror images. They allow HTTPS and SSH for remote management, ICMP, and the following industrial protocols: EtherNet/IP (TCP 44818 and UDP 2222), Modbus TCP/UDP (ports 502 to 503) and DNP3 (TCP/UDP 20000), plus TCP ports 30020 to 30180. Rules are listed in numeric order and the final rule (protocol all, action drop) discards everything not explicitly accepted. Note that rule 1 accepts HTTPS and SSH from any source; on an untrusted interface, consider restricting management access to your management network.
set services firewall filter LN_IN_UNTRUSTED rule 1 match protocol tcp
set services firewall filter LN_IN_UNTRUSTED rule 1 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 1 match dst-port services [ https ssh ]
set services firewall filter LN_IN_UNTRUSTED rule 1 actions
set services firewall filter LN_IN_UNTRUSTED rule 1 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 2 match protocol icmp
set services firewall filter LN_IN_UNTRUSTED rule 2 actions
set services firewall filter LN_IN_UNTRUSTED rule 2 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 3 match protocol tcp
set services firewall filter LN_IN_UNTRUSTED rule 3 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 3 match dst-port port-range 44818
set services firewall filter LN_IN_UNTRUSTED rule 3 actions
set services firewall filter LN_IN_UNTRUSTED rule 3 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 4 match protocol udp
set services firewall filter LN_IN_UNTRUSTED rule 4 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 4 match dst-port port-range 2222
set services firewall filter LN_IN_UNTRUSTED rule 4 actions
set services firewall filter LN_IN_UNTRUSTED rule 4 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 5 match protocol tcp
set services firewall filter LN_IN_UNTRUSTED rule 5 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 5 match dst-port port-range 502 to 503
set services firewall filter LN_IN_UNTRUSTED rule 5 actions
set services firewall filter LN_IN_UNTRUSTED rule 5 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 6 match protocol udp
set services firewall filter LN_IN_UNTRUSTED rule 6 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 6 match dst-port port-range 502 to 503
set services firewall filter LN_IN_UNTRUSTED rule 6 actions
set services firewall filter LN_IN_UNTRUSTED rule 6 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 7 match protocol tcp
set services firewall filter LN_IN_UNTRUSTED rule 7 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 7 match dst-port port-range 20000
set services firewall filter LN_IN_UNTRUSTED rule 7 actions
set services firewall filter LN_IN_UNTRUSTED rule 7 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 8 match protocol udp
set services firewall filter LN_IN_UNTRUSTED rule 8 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 8 match dst-port port-range 20000
set services firewall filter LN_IN_UNTRUSTED rule 8 actions
set services firewall filter LN_IN_UNTRUSTED rule 8 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 9 match protocol tcp
set services firewall filter LN_IN_UNTRUSTED rule 9 match dst-port
set services firewall filter LN_IN_UNTRUSTED rule 9 match dst-port port-range 30020 to 30180
set services firewall filter LN_IN_UNTRUSTED rule 9 actions
set services firewall filter LN_IN_UNTRUSTED rule 9 actions action accept
set services firewall filter LN_IN_UNTRUSTED rule 10 match protocol all
set services firewall filter LN_IN_UNTRUSTED rule 10 actions
set services firewall filter LN_IN_UNTRUSTED rule 10 actions action drop
set services firewall filter LN_OUT_UNTRUSTED rule 1 match protocol tcp
set services firewall filter LN_OUT_UNTRUSTED rule 1 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 1 match dst-port services [ https ssh ]
set services firewall filter LN_OUT_UNTRUSTED rule 1 actions
set services firewall filter LN_OUT_UNTRUSTED rule 1 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 2 match protocol icmp
set services firewall filter LN_OUT_UNTRUSTED rule 2 actions
set services firewall filter LN_OUT_UNTRUSTED rule 2 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 3 match protocol tcp
set services firewall filter LN_OUT_UNTRUSTED rule 3 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 3 match dst-port port-range 44818
set services firewall filter LN_OUT_UNTRUSTED rule 3 actions
set services firewall filter LN_OUT_UNTRUSTED rule 3 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 4 match protocol udp
set services firewall filter LN_OUT_UNTRUSTED rule 4 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 4 match dst-port port-range 2222
set services firewall filter LN_OUT_UNTRUSTED rule 4 actions
set services firewall filter LN_OUT_UNTRUSTED rule 4 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 5 match protocol tcp
set services firewall filter LN_OUT_UNTRUSTED rule 5 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 5 match dst-port port-range 502 to 503
set services firewall filter LN_OUT_UNTRUSTED rule 5 actions
set services firewall filter LN_OUT_UNTRUSTED rule 5 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 6 match protocol udp
set services firewall filter LN_OUT_UNTRUSTED rule 6 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 6 match dst-port port-range 502 to 503
set services firewall filter LN_OUT_UNTRUSTED rule 6 actions
set services firewall filter LN_OUT_UNTRUSTED rule 6 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 7 match protocol tcp
set services firewall filter LN_OUT_UNTRUSTED rule 7 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 7 match dst-port port-range 20000
set services firewall filter LN_OUT_UNTRUSTED rule 7 actions
set services firewall filter LN_OUT_UNTRUSTED rule 7 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 8 match protocol udp
set services firewall filter LN_OUT_UNTRUSTED rule 8 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 8 match dst-port port-range 20000
set services firewall filter LN_OUT_UNTRUSTED rule 8 actions
set services firewall filter LN_OUT_UNTRUSTED rule 8 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 9 match protocol tcp
set services firewall filter LN_OUT_UNTRUSTED rule 9 match dst-port
set services firewall filter LN_OUT_UNTRUSTED rule 9 match dst-port port-range 30020 to 30180
set services firewall filter LN_OUT_UNTRUSTED rule 9 actions
set services firewall filter LN_OUT_UNTRUSTED rule 9 actions action accept
set services firewall filter LN_OUT_UNTRUSTED rule 10 match protocol all
set services firewall filter LN_OUT_UNTRUSTED rule 10 actions
set services firewall filter LN_OUT_UNTRUSTED rule 10 actions action drop
commit
NX Radio - Standard bridged L2 version
The script below modifies the default IN_UNTRUSTED and OUT_UNTRUSTED filters in place rather than creating new ones, so any interface already using those defaults picks up the change.
The policies allow the same services as the LN version: HTTPS and SSH for remote management, ICMP, and the industrial protocols EtherNet/IP, Modbus TCP/UDP and DNP3, with a final rule that drops everything else.
set services firewall filter IN_UNTRUSTED rule 1 match protocol tcp
set services firewall filter IN_UNTRUSTED rule 1 match dst-port
set services firewall filter IN_UNTRUSTED rule 1 match dst-port services [ https ssh ]
set services firewall filter IN_UNTRUSTED rule 1 actions
set services firewall filter IN_UNTRUSTED rule 1 actions action accept
set services firewall filter IN_UNTRUSTED rule 2 match protocol icmp
set services firewall filter IN_UNTRUSTED rule 2 actions
set services firewall filter IN_UNTRUSTED rule 2 actions action accept
set services firewall filter IN_UNTRUSTED rule 3 match protocol tcp
set services firewall filter IN_UNTRUSTED rule 3 match dst-port
set services firewall filter IN_UNTRUSTED rule 3 match dst-port port-range 44818
set services firewall filter IN_UNTRUSTED rule 3 actions
set services firewall filter IN_UNTRUSTED rule 3 actions action accept
set services firewall filter IN_UNTRUSTED rule 4 match protocol udp
set services firewall filter IN_UNTRUSTED rule 4 match dst-port
set services firewall filter IN_UNTRUSTED rule 4 match dst-port port-range 2222
set services firewall filter IN_UNTRUSTED rule 4 actions
set services firewall filter IN_UNTRUSTED rule 4 actions action accept
set services firewall filter IN_UNTRUSTED rule 5 match protocol tcp
set services firewall filter IN_UNTRUSTED rule 5 match dst-port
set services firewall filter IN_UNTRUSTED rule 5 match dst-port port-range 502 to 503
set services firewall filter IN_UNTRUSTED rule 5 actions
set services firewall filter IN_UNTRUSTED rule 5 actions action accept
set services firewall filter IN_UNTRUSTED rule 6 match protocol udp
set services firewall filter IN_UNTRUSTED rule 6 match dst-port
set services firewall filter IN_UNTRUSTED rule 6 match dst-port port-range 502 to 503
set services firewall filter IN_UNTRUSTED rule 6 actions
set services firewall filter IN_UNTRUSTED rule 6 actions action accept
set services firewall filter IN_UNTRUSTED rule 7 match protocol tcp
set services firewall filter IN_UNTRUSTED rule 7 match dst-port
set services firewall filter IN_UNTRUSTED rule 7 match dst-port port-range 20000
set services firewall filter IN_UNTRUSTED rule 7 actions
set services firewall filter IN_UNTRUSTED rule 7 actions action accept
set services firewall filter IN_UNTRUSTED rule 8 match protocol udp
set services firewall filter IN_UNTRUSTED rule 8 match dst-port
set services firewall filter IN_UNTRUSTED rule 8 match dst-port port-range 20000
set services firewall filter IN_UNTRUSTED rule 8 actions
set services firewall filter IN_UNTRUSTED rule 8 actions action accept
set services firewall filter IN_UNTRUSTED rule 9 match protocol tcp
set services firewall filter IN_UNTRUSTED rule 9 match dst-port
set services firewall filter IN_UNTRUSTED rule 9 match dst-port port-range 30020 to 30180
set services firewall filter IN_UNTRUSTED rule 9 actions
set services firewall filter IN_UNTRUSTED rule 9 actions action accept
set services firewall filter IN_UNTRUSTED rule 10 match protocol all
set services firewall filter IN_UNTRUSTED rule 10 actions
set services firewall filter IN_UNTRUSTED rule 10 actions action drop
set services firewall filter OUT_UNTRUSTED rule 1 match protocol tcp
set services firewall filter OUT_UNTRUSTED rule 1 match dst-port
set services firewall filter OUT_UNTRUSTED rule 1 match dst-port services [ https ssh ]
set services firewall filter OUT_UNTRUSTED rule 1 actions
set services firewall filter OUT_UNTRUSTED rule 1 actions action accept
set services firewall filter OUT_UNTRUSTED rule 2 match protocol icmp
set services firewall filter OUT_UNTRUSTED rule 2 actions
set services firewall filter OUT_UNTRUSTED rule 2 actions action accept
set services firewall filter OUT_UNTRUSTED rule 3 match protocol tcp
set services firewall filter OUT_UNTRUSTED rule 3 match dst-port
set services firewall filter OUT_UNTRUSTED rule 3 match dst-port port-range 44818
set services firewall filter OUT_UNTRUSTED rule 3 actions
set services firewall filter OUT_UNTRUSTED rule 3 actions action accept
set services firewall filter OUT_UNTRUSTED rule 4 match protocol udp
set services firewall filter OUT_UNTRUSTED rule 4 match dst-port
set services firewall filter OUT_UNTRUSTED rule 4 match dst-port port-range 2222
set services firewall filter OUT_UNTRUSTED rule 4 actions
set services firewall filter OUT_UNTRUSTED rule 4 actions action accept
set services firewall filter OUT_UNTRUSTED rule 5 match protocol tcp
set services firewall filter OUT_UNTRUSTED rule 5 match dst-port
set services firewall filter OUT_UNTRUSTED rule 5 match dst-port port-range 502 to 503
set services firewall filter OUT_UNTRUSTED rule 5 actions
set services firewall filter OUT_UNTRUSTED rule 5 actions action accept
set services firewall filter OUT_UNTRUSTED rule 6 match protocol udp
set services firewall filter OUT_UNTRUSTED rule 6 match dst-port
set services firewall filter OUT_UNTRUSTED rule 6 match dst-port port-range 502 to 503
set services firewall filter OUT_UNTRUSTED rule 6 actions
set services firewall filter OUT_UNTRUSTED rule 6 actions action accept
set services firewall filter OUT_UNTRUSTED rule 7 match protocol tcp
set services firewall filter OUT_UNTRUSTED rule 7 match dst-port
set services firewall filter OUT_UNTRUSTED rule 7 match dst-port port-range 20000
set services firewall filter OUT_UNTRUSTED rule 7 actions
set services firewall filter OUT_UNTRUSTED rule 7 actions action accept
set services firewall filter OUT_UNTRUSTED rule 8 match protocol udp
set services firewall filter OUT_UNTRUSTED rule 8 match dst-port
set services firewall filter OUT_UNTRUSTED rule 8 match dst-port port-range 20000
set services firewall filter OUT_UNTRUSTED rule 8 actions
set services firewall filter OUT_UNTRUSTED rule 8 actions action accept
set services firewall filter OUT_UNTRUSTED rule 9 match protocol tcp
set services firewall filter OUT_UNTRUSTED rule 9 match dst-port
set services firewall filter OUT_UNTRUSTED rule 9 match dst-port port-range 30020 to 30180
set services firewall filter OUT_UNTRUSTED rule 9 actions
set services firewall filter OUT_UNTRUSTED rule 9 actions action accept
set services firewall filter OUT_UNTRUSTED rule 10 match protocol all
set services firewall filter OUT_UNTRUSTED rule 10 actions
set services firewall filter OUT_UNTRUSTED rule 10 actions action drop
commit
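Before pasting either of the scripts above into a radio, it is worth checking them mechanically: every rule needs an action, and every filter should end in the explicit protocol-all drop. The following Python linter is an added example, not code from the original post or from GE/MDS. It parses the flat `set services firewall filter ...` lines the Orbit CLI exports (the only syntax it understands is what appears in the scripts above) and reports the problems a reviewer looks for. The embedded sample script is constructed for the demonstration and deliberately contains a rule with no action and a filter that does not end in a drop.

```python
"""Lint GE MDS Orbit firewall 'set services firewall filter ...' scripts.

Added example, not part of the original post or of GE/MDS tooling. It parses
the flat 'set' lines the Orbit CLI exports and checks each filter for the
properties a reviewer wants: every rule has an action, the filter ends in an
explicit 'protocol all' drop, and no rule accepts everything.
"""
import re
from collections import OrderedDict

RULE_RE = re.compile(
    r"^set services firewall filter (?P<filter>\S+) rule (?P<num>\d+)\s*(?P<rest>.*)$"
)


def parse_script(text):
    """Return {filter_name: {rule_num: {"protocol", "ports", "action"}}}."""
    filters = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "commit" or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        rules = filters.setdefault(m["filter"], {})
        rule = rules.setdefault(int(m["num"]),
                                {"protocol": None, "ports": [], "action": None})
        rest = m["rest"].split()
        if rest[:2] == ["match", "protocol"]:
            rule["protocol"] = rest[2]
        elif rest[:3] == ["match", "dst-port", "services"]:
            # 'services [ https ssh ]' -> named services between the brackets
            rule["ports"].extend(t for t in rest[3:] if t not in ("[", "]"))
        elif rest[:3] == ["match", "dst-port", "port-range"]:
            # 'port-range 502 to 503' or a single port 'port-range 44818'
            lo = int(rest[3])
            hi = int(rest[5]) if len(rest) > 5 and rest[4] == "to" else lo
            rule["ports"].append((lo, hi))
        elif rest[:2] == ["actions", "action"]:
            rule["action"] = rest[2]
        # bare 'match dst-port' / 'actions' container lines carry no data
    return filters


def audit(filters):
    """Return a list of (filter_name, rule_num, message) findings."""
    findings = []
    for name, rules in filters.items():
        nums = sorted(rules)
        for n in nums:
            r = rules[n]
            if r["action"] is None:
                findings.append((name, n, "rule has no action"))
            if r["action"] == "accept" and r["protocol"] == "all" and not r["ports"]:
                findings.append((name, n, "accept-any rule permits all traffic"))
            if r["action"] == "accept" and r["protocol"] in ("tcp", "udp") and not r["ports"]:
                findings.append((name, n, f"accepts every {r['protocol']} port"))
        last = rules[nums[-1]]
        if not (last["protocol"] == "all" and last["action"] == "drop"):
            findings.append((name, nums[-1],
                             "filter does not end in an explicit 'protocol all' drop"))
    return findings


# Constructed sample (not from the page): DEMO_OUT rule 2 lacks an action and
# so the filter also lacks a terminal drop; DEMO_IN is clean.
SAMPLE = """\
set services firewall filter DEMO_IN rule 1 match protocol tcp
set services firewall filter DEMO_IN rule 1 match dst-port
set services firewall filter DEMO_IN rule 1 match dst-port services [ https ssh ]
set services firewall filter DEMO_IN rule 1 actions
set services firewall filter DEMO_IN rule 1 actions action accept
set services firewall filter DEMO_IN rule 2 match protocol all
set services firewall filter DEMO_IN rule 2 actions
set services firewall filter DEMO_IN rule 2 actions action drop
set services firewall filter DEMO_OUT rule 1 match protocol udp
set services firewall filter DEMO_OUT rule 1 match dst-port
set services firewall filter DEMO_OUT rule 1 match dst-port port-range 20000
set services firewall filter DEMO_OUT rule 1 actions
set services firewall filter DEMO_OUT rule 1 actions action accept
set services firewall filter DEMO_OUT rule 2 match protocol all
commit
"""

if __name__ == "__main__":
    for fname, num, msg in audit(parse_script(SAMPLE)):
        print(f"{fname} rule {num}: {msg}")
```

Feed it the LN or NX script from this page (save the text to a file and pass its contents to `parse_script`) and a clean result is an empty findings list; a stray line that names the wrong filter or omits its `actions action` shows up immediately as a rule with no action.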
GE MDS Orbit firewall CLI script tutorial: importing into Device Manager
Here's a quick video tutorial on the GE MDS Orbit firewall CLI scripts and how to import them into your Orbit using the web user interface (WUI), also known as Device Manager.