Like FTP, the PROFINET IO protocol may be used to set up several connections for the same traffic stream: a parent connection from the client to the server over the port dedicated to the service, followed by one or several child connections over random ports for data exchange.
When the PROFINET IO protocol is analyzed, the firewall extracts the port information from the parent connection and uses it to authorize the corresponding child connections (which would otherwise arrive on unpredictable ports). The result is a connection skeleton that allows the exchange to proceed without opening those ports statically.
Connection skeleton settings
|Allow creation of skeletons||When this option is selected, the PROFINET IO analyzer will allow parent and child connections to be created.|
|Allow creation of EPMAP skeletons||When this option is selected, the PROFINET IO analyzer will allow parent and child connections to be created for EPMAP-based transactions.|
|Expiry date of a skeleton||This parameter determines when a skeleton, which was created by a PROFINET IO connection and has become idle, will be deleted. By default, it is set to 60 seconds.|
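The following Python model is an added illustration of the skeleton mechanism described above; it is not Stormshield's code. It shows how a packet on the parent (service) port can open a pinhole for a child connection on a port announced by the parent, why a child port that was never announced stays blocked, and how an idle skeleton disappears after the 60-second expiry. The service port number, the addresses and the "PORT=<n>" announcement format parsed from the parent payload are all constructed for the example (real PROFINET IO and EPMAP payloads are DCE-RPC encoded).

```python
"""Simplified model of a PROFINET IO "connection skeleton" (added example).

Not Stormshield's implementation: it only demonstrates the parent/child
pinhole logic and the idle-expiry behaviour described in the documentation.
"""
import re
from dataclasses import dataclass

SERVICE_PORT = 34964        # assumed parent-connection port for this example
SKELETON_TIMEOUT = 60.0     # expiry of an idle skeleton in seconds (page default)
_PORT_RE = re.compile(rb"PORT=(\d{1,5})")   # constructed announcement format


def parse_announced_port(payload: bytes):
    """Return the child port announced in a parent payload, or None.

    Only ephemeral ports are accepted, so a forged announcement cannot
    open a pinhole toward a well-known service port.
    """
    m = _PORT_RE.search(payload)
    if m is None:
        return None
    port = int(m.group(1))
    return port if 1024 <= port <= 65535 else None


@dataclass
class Skeleton:
    child_ports: set
    last_seen: float


class SkeletonTable:
    """Tracks parent connections and the child ports they authorise."""

    def __init__(self, allow_skeletons: bool = True,
                 timeout: float = SKELETON_TIMEOUT):
        self.allow_skeletons = allow_skeletons   # "Allow creation of skeletons"
        self.timeout = timeout                   # "Expiry date of a skeleton"
        self._table: dict = {}                   # (client, server) -> Skeleton

    def expire(self, now: float) -> None:
        """Delete skeletons that have been idle longer than the timeout."""
        stale = [k for k, s in self._table.items()
                 if now - s.last_seen > self.timeout]
        for k in stale:
            del self._table[k]

    def on_parent_packet(self, client, server, dport, payload, now) -> None:
        """Analyse a packet on the service port and learn its child port."""
        self.expire(now)
        if not self.allow_skeletons or dport != SERVICE_PORT:
            return
        port = parse_announced_port(payload)
        if port is None:
            return
        skel = self._table.setdefault((client, server), Skeleton(set(), now))
        skel.child_ports.add(port)
        skel.last_seen = now

    def allow_child(self, client, server, dport, now) -> bool:
        """Decide whether a connection on a random port is covered by a skeleton."""
        self.expire(now)
        skel = self._table.get((client, server))
        if skel is None or dport not in skel.child_ports:
            return False
        skel.last_seen = now            # activity keeps the skeleton alive
        return True


def run_scenario(allow_skeletons: bool = True):
    """Replay a constructed timeline; returns the child-connection decisions."""
    fw = SkeletonTable(allow_skeletons)
    c, s = "10.0.0.5", "10.0.0.20"                             # constructed
    decisions = []
    decisions.append(fw.allow_child(c, s, 49152, now=0.0))     # no parent yet
    fw.on_parent_packet(c, s, SERVICE_PORT, b"...PORT=49152...", now=1.0)
    decisions.append(fw.allow_child(c, s, 49152, now=2.0))     # announced port
    decisions.append(fw.allow_child(c, s, 49153, now=2.0))     # never announced
    decisions.append(fw.allow_child(c, s, 49152, now=70.0))    # idle > 60 s
    return decisions


if __name__ == "__main__":
    print(run_scenario())         # [False, True, False, False]
    print(run_scenario(False))    # [False, False, False, False]
```

With "Allow creation of skeletons" turned off (`run_scenario(False)`), the parent packet is never inspected, so every child connection on a random port is refused; the filter policy would then have to open those ports explicitly, which is exactly the static exposure the skeleton mechanism avoids.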
In this grid, you can manage the action (Analyze / Block) that will be applied to PROFINET IO service categories defined earlier on the firewall.
Each service category is identified by a 16-byte UUID (Universally Unique Identifier). When the user hovers over a category, a tooltip displays its UUID.
An action can be applied to a whole service category, or to all service categories entered in the grid (Modify all operations button).
Managing operation numbers
In this grid, you can manage the action (Analyze / Block) that will be applied to PROFINET IO operations (in read or write mode) defined earlier on the firewall and identified by an operation number.
You can assign an action to an operation, to all operations (Modify all operations button) or to all read operations entered in the grid (Modify write operations button).
|Disable intrusion prevention||When this option is selected, analysis of the PROFINET IO protocol is disabled and the traffic is allowed if the filter policy permits it.|
|Log every PROFINET IO query||Enables or disables the logging of PROFINET IO requests.|
|Automatically detect and inspect the protocol||When this option is enabled, the firewall automatically recognizes PROFINET IO traffic and applies this protocol analysis to the matching packets in filter rules.|