Firewall settings for Tia portal.

Hello all and a merry Christmas.
I have a question for the forum. I have 10 Siemens PLC's talking in a ring main fibre optics rugged com and with two of the PLC,s are in turn connected to their own comfort 900 HMi. If I plug into lets say the PLC connected to the HMI I can go online to all including the HMi's.
The tia portal laptop has to go through a firewall that I have to configure for security reasons from my client. I have programmed all the IP addresses into the Firewall (Checkpoint security) and I am able to go online to any PLC but not the HMI. Remember the HMI is not connected to the ring main but straight to the PLC. The protocol I have allowed is ICCP is there any suggestions as to why I can't reach the HMI's through the firewall, What other protocol should I allow?:scratch I have allowed the rugged com, PLC's and HMI's IP addresses. Its got to be firewall setting that I am missing but what?

What test are you doing to see if you can reach the HMI?


I don't think you actually CAN "go online" with a comfort panel. Portal lets you click the button, but I don't think it does anything. To test you might need to do something like a download.

You might be able to see them using 'extended go online'

Thanks for the replies. my online wording is wrong with the hmi. I can't reach it to download unless I plug in the plc it is connected to or the ring main. The firewall is stopping me somehow.
Ultimately I am trying to set up smart server but I figured if I can't reach the HMI then it wouldn't be able to talk out. Also problem is with smart client there is only one place to put one IP address which should be the HMI.

There's a FAQ article on the Siemens website:
https://support.industry.siemens.com/cs/de/en/view/8970169

See section "Further information" in the article, there are links to informations which ports are used by the different products.

It may not be the firewall. I use an access point in bridge mode for commissioning. The discovery functions do not work unless I plug in directly. Once the paths have been established they will happily connect over wireless.

Geoff White said:

It may not be the firewall. I use an access point in bridge mode for commissioning. The discovery functions do not work unless I plug in directly. Once the paths have been established they will happily connect over wireless.

Click to expand...

I have had the same experience.

Is it to "go online" or to transfer the HMI project ?
If it is the latter, what are your transfer settings in TIA ?
The most reliable method is to search for device with matching IP. Searching for compatible devices is very finicky.

rigicon said:

Thanks for the replies. my online wording is wrong with the hmi. I can't reach it to download unless I plug in the plc it is connected to or the ring main. The firewall is stopping me somehow.
Ultimately I am trying to set up smart server but I figured if I can't reach the HMI then it wouldn't be able to talk out. Also problem is with smart client there is only one place to put one IP address which should be the HMI.

Click to expand...

Do you have a drawn network diagram you can show us? Including IP/subnetmask/gateway info?



What do you mean when you say that it is a problem that you can only give smartclient 1 IP address for the HMI?

Top right corner is the laptop that is connected to the firewall then onto the subsystem where all the PLC's and HMI's sit. As I said if you connect to this subsystem all can be accessed but only the PLC's and not the HMI when through the firewall.
I have to go through the firewall! but I can change the configuration in the firewall I have all the IP addresses allowed ICCP..... Got me well baffled as it should be easy.

In smart client one should put the IP address of the HMI only and this is why it has one Ip address input but as you can see there are multiple IP's to get to the HMI, through ruggedcoms and PLC's. A trace route would be at least 3 IP's needed.

Real time Network comms

How is routing set up? NAT or standard routing?



As long as the routing is configured correctly, you only need 1 IP address. You type 192.168.27.219, and the routers each know to pass that on to the next one, and then the HMI. Same happens on the reverse trip. If you're using NAT, the setup is slightly more complicated, but it is a similar story.


Does the HMI have the correct gateway address assigned?

Thanks mk42 for the reply. to be honest I am not a network expert more of a PLC HMI programmer. The actual setup works great with standard routing on the fibre ring main between the rugged com switches and the PLC's and HMI's - also I can talk to all when plugged into this sub system.
The problem came when my customer because of security issues wants to connect the programming laptop outside of this subsystem through a firewall to their client Lan so it can only talk to the HVAC system nothing else.
I setup the firewall at first with the laptop IP and the switches IP and I could talk to all except the HMI's so I added the HMI's IP addresses to the setup, that didn't work so I added and added until all the IP addresses are now programmed in the firewall and I still can't talk to the HMI's only the PLC's. Intrigued and confused so I thought after racking my brains I would ask the pro's on this forum.
The subsystem has the default gateway 255.255.255.0 on all devices. Most haven't been programmed and are default.
Also to add complexity the client Lan is connected to the subsystem Lan through the firewall and then with a fibre bridge but this is non programmable and only a transport.
The thing I noticed is the firewall asks for a protocol, default was ICCP so I left this but as Thomas_v2 has kindly given me all the protocols and port numbers from the Siemens website I think that is the next port of call (pun) ....
Anyway I can only try more things after the Xmas as the customer is in lockdown until then. Thanks for all the help

rigicon said:

The subsystem has the default gateway 255.255.255.0 on all devices. Most haven't been programmed and are default.

Click to expand...

255.255.255.0 is a subnet mask, not a gateway.


The subnet mask defines how big the local subnet of a device is (in your case 192.168.27.xxx). It will try to send a packet directly to the IP address inside it's local subnet. For IP addresses outside of that (like the laptop), it will send it to its default gateway/router address, if one is defined. If one is NOT defined, then it just won't communicate with that device at all.


My guess is that if the PLCs work and the HMIs don't, then it's possible that the PLCs have the router address assigned to it, but the HMIs do not.


Definitely worth verifying that the correct ports are open with the master list from SIOS as well, however.

Thinking that your laptop needs to see mac addressing also for connection.

Firewalls by defaul usually blocks macs.


https://support.industry.siemens.co...e-ip-address-of-plc/221577?page=0&pageSize=10