12.8. OPC
OPC stands for OLE for Process Control, a standard based on OLE, COM and DCOM for accessing process control information on Microsoft Windows systems.
OPC is an integration protocol for industrial environments. The OPC Enforcer is a function that supports network security: the device blocks the data packets that violate the specified profiles. Upon user request, the device verifies the data packets for their plausibility and their fragment characteristics. The device verifies and observes OPC data connections and helps protect against invalid or fake data packets. The function dynamically activates TCP ports for each data connection. When requested by an OPC server, the device sets up the data connection only between the OPC server and the related OPC client.
The prerequisite is that authentication level 5 or lower is set up in your end device to perform the Deep Packet Inspection (DPI). The end device can be a computer or any other equipment capable of sending OPC data packets. The authentication level defines the type of authentication required for an OPC client to connect with an OPC server.
The device removes the state information from the packet filter on the following events:
- When applying the profiles saved in the device to the data stream.
- When activating/deactivating the Routing function on a router interface.
This includes potential DCE RPC information of the OPC Enforcer. In the process, the device interrupts open communication connections.
You can find the OPC protocol at Firewall → Enforcer → OPC.
12.8.1. OPC Settings
- Enabled
Whether the OPC enforcer is active or not.
Possible values:
Enabled
Disabled (default setting)
- Name
Name of the OPC enforcer.
Possible values:
Character string with 0..100 characters
- Description
Description of the OPC enforcer.
Possible values:
Character string with 0..250 characters
- Sanity Check
Activates/deactivates the plausibility check for the data packets.
Possible values:
Enabled (default setting)
The plausibility check is active.
The device checks the plausibility of the data packets regarding format and specification.
The device blocks the data packets that violate the specified profiles.
Disabled
The plausibility check is inactive.
- Fragment Check
Activates/deactivates the fragment check for the data packets.
Possible values:
Enabled (default setting)
The fragment check is active.
The device checks the data packets for fragment characteristics.
Disabled
The fragment check is inactive.
- Timeout Connect
Specifies the time in seconds after which the device removes the dynamic TCP ports, if there is no longer an active OPC data connection on the dynamic TCP ports.
Possible values:
1..300 (default setting: 5)
0
The value 0 deactivates the function.
The OPC data connection remains set up without a time limit.
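The following model, added here as an illustration and not code from the device's firmware or this manual, ties together the behaviour described above: the authentication-level prerequisite for Deep Packet Inspection, the per-connection dynamic TCP ports that are opened only for the announced server/client pair, the Timeout Connect range (1..300 seconds, 0 disables the limit), and the state flush that interrupts open connections. The authentication-level constants are the standard DCE RPC RPC_C_AUTHN_LEVEL_* values; the class, method and host names are assumptions chosen for the example, and the traffic in the demo is constructed.

```python
from dataclasses import dataclass, field

# Standard DCE RPC authentication levels (Microsoft RPC_C_AUTHN_LEVEL_* values).
AUTHN_LEVEL_NONE = 1
AUTHN_LEVEL_CONNECT = 2
AUTHN_LEVEL_CALL = 3
AUTHN_LEVEL_PKT = 4
AUTHN_LEVEL_PKT_INTEGRITY = 5
AUTHN_LEVEL_PKT_PRIVACY = 6    # payload is encrypted, so DPI cannot read OPC calls

MAX_DPI_AUTHN_LEVEL = 5        # prerequisite from the manual: level 5 or lower


def dpi_possible(authn_level: int) -> bool:
    """True if the end device's authentication level lets the enforcer inspect payloads."""
    return AUTHN_LEVEL_NONE <= authn_level <= MAX_DPI_AUTHN_LEVEL


@dataclass
class OpcEnforcerModel:
    """Hypothetical model of the enforcer's dynamic-port state (not the device's code)."""
    timeout_connect: int = 5                      # 1..300 seconds; 0 disables the timeout
    # dynamic TCP port -> (server, client, time of last activity)
    dynamic_ports: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not (self.timeout_connect == 0 or 1 <= self.timeout_connect <= 300):
            raise ValueError("Timeout Connect must be 0 or in 1..300")

    def server_announces_port(self, server: str, client: str, port: int, now: float) -> None:
        # The OPC server tells the client which TCP port to use; the enforcer
        # opens that port for exactly this server/client pair and nobody else.
        self.dynamic_ports[port] = (server, client, now)

    def expire(self, now: float) -> None:
        # Remove dynamic ports that have been idle for Timeout Connect seconds.
        if self.timeout_connect == 0:
            return                                # no time limit configured
        stale = [p for p, (_, _, last) in self.dynamic_ports.items()
                 if now - last >= self.timeout_connect]
        for p in stale:
            del self.dynamic_ports[p]

    def packet_allowed(self, src: str, dst: str, port: int, now: float) -> bool:
        # Decide whether a TCP packet on a dynamic port passes the enforcer.
        self.expire(now)
        entry = self.dynamic_ports.get(port)
        if entry is None:
            return False                          # port was never announced or timed out
        server, client, _ = entry
        if {src, dst} != {server, client}:
            return False                          # only the announced pair may use the port
        self.dynamic_ports[port] = (server, client, now)   # refresh the activity timer
        return True

    def flush_state(self) -> None:
        # Models the events listed above (profile apply, Routing toggle): all packet
        # filter state, including DCE RPC dynamic ports, is dropped and connections break.
        self.dynamic_ports.clear()


if __name__ == "__main__":
    # Constructed demo traffic: server 10.0.0.1 announces port 49152 for client 10.0.0.2.
    model = OpcEnforcerModel(timeout_connect=5)
    model.server_announces_port("10.0.0.1", "10.0.0.2", 49152, now=0)
    print("client -> server at t=3:", model.packet_allowed("10.0.0.2", "10.0.0.1", 49152, 3))
    print("other host at t=3:     ", model.packet_allowed("10.0.0.9", "10.0.0.1", 49152, 3))
    print("server -> client at t=12 (idle 9 s):",
          model.packet_allowed("10.0.0.1", "10.0.0.2", 49152, 12))
    print("DPI possible at level 5:", dpi_possible(AUTHN_LEVEL_PKT_INTEGRITY))
    print("DPI possible at level 6:", dpi_possible(AUTHN_LEVEL_PKT_PRIVACY))
```

The pair check is the security-relevant part: a dynamic port learned from the server's endpoint announcement is usable only by that server and client, so a third host on the same segment gets blocked even though the port is open. Packet privacy (level 6) encrypts the RPC payload, which is why the manual requires level 5 or lower for the plausibility checks to see the OPC calls at all.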