
How to configure a manual firewall entry on a JACE9000

The JACE-9000 includes a built-in firewall that can be configured to control network traffic and enhance security. This guide covers manually configuring firewall entries on JACE-9000 controllers.

Overview

The JACE-9000 firewall provides:

  • Traffic Control: Control incoming and outgoing network traffic
  • Security Enhancement: Protect JACE from unauthorised access
  • Port Management: Control access to specific ports and services
  • Access Rules: Define rules for allowed and blocked traffic
  • Network Segmentation: Support network segmentation strategies

Prerequisites

Before configuring firewall entries, ensure you have:

  • Administrative Access: Administrative access to JACE-9000
  • Network Knowledge: Understanding of network requirements
  • Port Information: Knowledge of required ports and services
  • Access Method: Network or serial access to JACE
  • Documentation: JACE-9000 documentation and network requirements

Understanding JACE-9000 Firewall

Firewall Types

JACE-9000 may support:

  • Stateful Firewall: Tracks connection state
  • Packet Filtering: Filters packets based on rules
  • Port-Based Rules: Rules based on ports and protocols
  • IP-Based Rules: Rules based on source/destination IP addresses

Default Firewall Behaviour

Default firewall configuration:

  • Default Policy: May allow or deny by default
  • Common Ports: Common ports may be pre-configured
  • Management Access: Management interfaces typically allowed
  • Service Ports: Service-specific ports may need configuration

Step-by-Step Configuration

Step 1: Access JACE-9000 Configuration

Via Web Interface:

  1. Open Browser: Open a web browser
  2. Navigate: Browse to the JACE-9000 IP address
  3. Login: Log in with administrative credentials
  4. Access Settings: Navigate to Settings or Administration

Via Workbench:

  1. Open Workbench: Launch Niagara Workbench
  2. Connect: Connect to JACE-9000
  3. Navigate: Navigate to JACE configuration
  4. Access Firewall: Locate Firewall or Security settings

Via Serial Shell:

  1. Serial Access: Connect via serial shell (see related topics)
  2. Login: Log in with administrative credentials
  3. Firewall Commands: Access firewall configuration commands

Step 2: Navigate to Firewall Configuration

Web Interface:

  1. Settings Menu: Navigate to Settings menu
  2. Security: Select Security or Firewall section
  3. Firewall Rules: Access Firewall Rules or Access Control
  4. Manual Configuration: Look for manual rule configuration

Workbench:

  1. JACE Properties: Right-click JACE and select Properties
  2. Security Tab: Navigate to Security tab
  3. Firewall: Locate Firewall configuration section
  4. Rules: Access firewall rules configuration

Step 3: Understand Rule Structure

Firewall Rule Components:

  • Rule Name: Descriptive name for the rule
  • Action: Allow or Deny
  • Direction: Inbound or Outbound
  • Protocol: TCP, UDP, ICMP, or All
  • Source IP/Port: Source address and port
  • Destination IP/Port: Destination address and port
  • Interface: Network interface (if applicable)
  • Enabled: Rule enabled/disabled status

Step 4: Create New Firewall Rule

Via Web Interface:

  1. Add Rule: Click "Add Rule" or "New Rule" button
  2. Rule Name: Enter descriptive rule name
  3. Action: Select "Allow" or "Deny"
  4. Direction: Select "Inbound" or "Outbound"
  5. Protocol: Select protocol (TCP, UDP, ICMP, All)
  6. Source: Configure source IP/port:
    • Source IP: Enter source IP address or range
    • Source Port: Enter source port or "Any"
  7. Destination: Configure destination IP/port:
    • Destination IP: Enter destination IP (JACE IP or "Any")
    • Destination Port: Enter destination port number
  8. Interface: Select network interface (if applicable)
  9. Enabled: Check "Enabled" checkbox
  10. Save: Click "Save" or "Apply" to save rule

Example Rule Configuration:

Rule Name: Allow Workbench Access
Action: Allow
Direction: Inbound
Protocol: TCP
Source IP: Any (or specific IP/range)
Source Port: Any
Destination IP: JACE IP Address
Destination Port: 1911
Interface: eth0
Enabled: Yes

Step 5: Configure Common Service Ports

Essential Ports for Niagara:

  • Platform Port: 1911 (TCP) - Workbench and platform access
  • HTTP: 80 (TCP) - Web interface
  • HTTPS: 443 (TCP) - Secure web interface
  • BACnet: 47808 (UDP) - BACnet communication
  • Modbus: 502 (TCP) - Modbus communication
  • SNMP: 161 (UDP) - SNMP monitoring

Create Rules for Required Services:

  1. Platform Access: Allow port 1911 from management networks
  2. Web Access: Allow ports 80/443 as needed
  3. Protocol Ports: Allow protocol-specific ports (BACnet, Modbus, etc.)
  4. Management: Allow management ports from authorised networks

Step 6: Configure IP-Based Rules

Allow Specific IP Addresses:

Rule Name: Allow Management Network
Action: Allow
Direction: Inbound
Protocol: All
Source IP: 192.168.1.0/24 (management network)
Source Port: Any
Destination IP: Any
Destination Port: Any
Enabled: Yes

Block Specific IP Addresses:

Rule Name: Block Unauthorised Network
Action: Deny
Direction: Inbound
Protocol: All
Source IP: 10.0.0.0/8 (unauthorised network)
Source Port: Any
Destination IP: Any
Destination Port: Any
Enabled: Yes

Step 7: Configure Port-Based Rules

Allow Specific Port:

Rule Name: Allow HTTPS Access
Action: Allow
Direction: Inbound
Protocol: TCP
Source IP: Any
Source Port: Any
Destination IP: JACE IP
Destination Port: 443
Enabled: Yes

Block Specific Port:

Rule Name: Block Telnet
Action: Deny
Direction: Inbound
Protocol: TCP
Source IP: Any
Source Port: Any
Destination IP: Any
Destination Port: 23
Enabled: Yes

Step 8: Set Default Firewall Policy

Configure Default Action:

  1. Default Policy: Locate default firewall policy setting
  2. Policy Options:
    • Allow All: Allow all traffic not matching rules
    • Deny All: Deny all traffic not matching rules (recommended)
  3. Select Policy: Choose appropriate default policy
  4. Save: Save default policy configuration

Recommended: Use "Deny All" as the default policy for better security. Before switching to "Deny All", confirm that an enabled Allow rule for your own management network and the platform port (1911) is already in place; otherwise the change locks you out and you will need serial shell access to recover (see Troubleshooting).

Step 9: Order Firewall Rules

Rule Order Matters:

  1. Rule Priority: Rules are typically processed in order
  2. First Match: First matching rule applies
  3. Order Rules: Order rules from specific to general:
    • Specific IP/port rules first
    • General rules last
  4. Review Order: Review rule order for correct behaviour

Step 10: Apply and Test Configuration

Apply Configuration:

  1. Save Rules: Save all firewall rule changes
  2. Apply Configuration: Apply firewall configuration
  3. Restart Services: Restart firewall service if required
  4. Verify Active: Verify firewall is active and rules are loaded

Test Configuration:

  1. Test Allowed Access: Test access that should be allowed
  2. Test Blocked Access: Verify blocked access is actually blocked
  3. Test Services: Test all required services work correctly
  4. Monitor Logs: Monitor firewall logs for activity

Configuration Examples

Example 1: Basic Security Configuration

Default Policy: Deny All

Rule 1: Allow Management Network
- Action: Allow
- Direction: Inbound
- Protocol: All
- Source: 192.168.1.0/24
- Destination: Any

Rule 2: Allow Platform Access
- Action: Allow
- Direction: Inbound
- Protocol: TCP
- Source: 192.168.1.0/24
- Destination Port: 1911

Rule 3: Allow Web Access
- Action: Allow
- Direction: Inbound
- Protocol: TCP
- Source: Any
- Destination Port: 443

Example 2: Protocol-Specific Configuration

Rule 1: Allow BACnet
- Action: Allow
- Direction: Inbound
- Protocol: UDP
- Source: Any
- Destination Port: 47808

Rule 2: Allow Modbus
- Action: Allow
- Direction: Inbound
- Protocol: TCP
- Source: 192.168.2.0/24
- Destination Port: 502
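The following is an added illustration, not code from this page or from the JACE/Niagara product: a small first-match model of the rule structure from Step 3, the default policy from Step 8 and the ordering behaviour from Step 9, run over the page's Example 1 rules and the "Block Telnet" rule from Step 7. The `Rule` fields, `evaluate()`, `covers()` and `shadowed()` are assumptions of this model and are not the JACE's own implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)

@dataclass
class Rule:
    name: str
    action: str                      # "Allow" or "Deny"
    direction: str                   # "Inbound" or "Outbound"
    protocol: str                    # "TCP", "UDP", "ICMP" or "All"
    source: str = "Any"              # source IP or CIDR, or "Any"
    dst_port: Optional[int] = None   # destination port; None means "Any"

    def matches(self, direction: str, protocol: str, src_ip: str, dst_port: int) -> bool:
        if self.direction != direction or self.protocol not in ("All", protocol):
            return False
        if self.source != "Any" and ipaddress.ip_address(src_ip) not in net(self.source):
            return False
        return self.dst_port is None or self.dst_port == dst_port

def evaluate(rules, default_policy: str, direction: str, protocol: str, src_ip: str, dst_port: int):
    """First match wins; traffic matching no rule falls through to the default policy."""
    for rule in rules:
        if rule.matches(direction, protocol, src_ip, dst_port):
            return rule.action, rule.name
    return default_policy, "default policy"

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a (a is at least as broad)."""
    if a.direction != b.direction or a.protocol not in ("All", b.protocol):
        return False
    if a.source != "Any" and (b.source == "Any" or not net(b.source).subnet_of(net(a.source))):
        return False
    return a.dst_port is None or a.dst_port == b.dst_port

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already covers them."""
    return [b.name for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]

EXAMPLE_1 = [  # the page's Example 1, intended to run under a "Deny All" default policy
    Rule("Allow Management Network", "Allow", "Inbound", "All", "192.168.1.0/24"),
    Rule("Allow Platform Access", "Allow", "Inbound", "TCP", "192.168.1.0/24", 1911),
    Rule("Allow Web Access", "Allow", "Inbound", "TCP", "Any", 443),
]
BLOCK_TELNET = Rule("Block Telnet", "Deny", "Inbound", "TCP", "Any", 23)  # Step 7 rule

if __name__ == "__main__":
    print(evaluate(EXAMPLE_1, "Deny", "Inbound", "TCP", "10.0.0.5", 1911), shadowed(EXAMPLE_1))
```

Under first-match evaluation, Rule 2 of Example 1 can never fire because Rule 1 already allows all inbound traffic from 192.168.1.0/24, and a Deny rule such as "Block Telnet" placed after that broad Allow is bypassed for hosts on the management network; placing the Deny first, as Step 9 advises, restores the block.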

Troubleshooting

Cannot Access After Configuration

If access is lost after firewall configuration:

  1. Serial Access: Use serial shell access to regain access
  2. Rule Review: Review firewall rules for blocking rules
  3. Default Policy: Check default policy setting
  4. Rule Order: Verify rule order is correct
  5. Temporary Disable: Temporarily disable firewall to regain access

Services Not Working

If services stop working:

  1. Service Ports: Verify required ports are allowed
  2. Protocol: Check protocol matches service requirements
  3. Direction: Verify direction (inbound/outbound) is correct
  4. Source/Destination: Check source and destination settings
  5. Rule Status: Verify rules are enabled

Rules Not Applying

If rules don't seem to apply:

  1. Rule Save: Verify rules were saved correctly
  2. Firewall Active: Check firewall is active
  3. Rule Order: Verify rule order allows desired traffic
  4. Default Policy: Check default policy isn't overriding rules
  5. Service Restart: Restart firewall service

Security Best Practices

Firewall Configuration

  • Deny by Default: Use "Deny All" as default policy
  • Least Privilege: Allow only necessary ports and IPs
  • Specific Rules: Use specific IP ranges rather than "Any"
  • Regular Review: Periodically review and update rules
  • Documentation: Document all firewall rules and reasons

Network Security

  • Network Segmentation: Use firewall with network segmentation
  • Management Networks: Restrict management access to specific networks
  • Service Isolation: Isolate services using firewall rules
  • Monitoring: Monitor firewall logs regularly
  • Updates: Keep JACE firmware updated for security

Additional Resources

  • JACE-9000 Security Guide
  • Firewall Configuration Best Practices
  • Network Security Documentation
  • JACE-9000 Technical Manual