PI Firewall connection protocol
- Last Updated: Feb 28, 2025
- PI System
- PI Server 2023
- PI Server
New connection host names and IP addresses are checked against PI Firewalls in the following order:
- Local host connections: If the connection originates from the local host, it is always accepted.
- Exact match search: The PI Firewall database is first searched for an exact match of the IP address or host name. If an exact match is found, the connection is processed according to that entry, and the search stops.
- Wildcard match search: If no exact match is found, the database is searched for a wildcard match. For example, a connecting address of 192.168.168.22 matches a host mask of 192.168.*.*.
Important rules for wildcard entries:
- An exact match DISALLOW takes precedence over a wildcard match ALLOW. For example, if 192.168.168.67 is explicitly set to DISALLOW, it will be blocked even if there is a broader wildcard rule allowing 192.168.168.*.
- When multiple wildcard entries exist, only the first wildcard entry encountered by PI Network Manager (PINetMgr) is applied. Creating multiple wildcard entries can cause conflicts, as later wildcard entries may be ignored.
Example of problematic wildcard entries (shown in plain text):
*.*.*.*, DISALLOW
192.173.2.*, ALLOW
In this example, the 192.173.2.*, ALLOW entry is ignored because the first wildcard entry (*.*.*.*, DISALLOW) takes precedence.
Since *.*.*.*, DISALLOW is implied when no entries are present, explicitly adding this entry is unnecessary unless you intend to block all connections.
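The lookup order above can be modelled to audit a planned firewall table before it is applied. The following is an added example, not PINetMgr code: the function names, the local host set, the use of list order as the order in which entries are encountered, and the implied DISALLOW when nothing matches are assumptions of this sketch.

```python
# Added model of the lookup order described on this page; not PINetMgr code.
LOCAL_HOSTS = {"127.0.0.1", "localhost"}  # assumption: what counts as local host


def mask_matches(mask, addr):
    """Octet-wise match, e.g. 192.168.168.22 against 192.168.*.*"""
    m, a = mask.split("."), addr.split(".")
    return len(m) == len(a) and all(x == "*" or x == y for x, y in zip(m, a))


def evaluate(table, addr):
    """Return (decision, deciding entry) for one connecting address.

    table is a list of (hostmask, "ALLOW" | "DISALLOW"); list order stands in
    for the order in which entries are encountered (assumption).
    """
    if addr in LOCAL_HOSTS:                       # 1. local host: always accepted
        return "ALLOW", "local host"
    for mask, action in table:                    # 2. exact match ends the search
        if "*" not in mask and mask == addr:
            return action, mask
    for mask, action in table:                    # 3. first matching wildcard wins
        if "*" in mask and mask_matches(mask, addr):
            return action, mask
    return "DISALLOW", "implied *.*.*.*"          # assumption: no match = implied deny


def shadowed_wildcards(table):
    """List (ignored_entry, earlier_entry) pairs: wildcards an earlier wildcard fully covers."""
    wild = [mask for mask, _ in table if "*" in mask]
    found = []
    for i, later in enumerate(wild):
        for earlier in wild[:i]:
            if mask_matches(earlier, later):      # earlier matches everything later can
                found.append((later, earlier))
                break
    return found


# The two tables discussed on this page.
PROBLEM = [("*.*.*.*", "DISALLOW"), ("192.173.2.*", "ALLOW")]
EXACT_OVER_WILDCARD = [("192.168.168.*", "ALLOW"), ("192.168.168.67", "DISALLOW")]

if __name__ == "__main__":
    print(evaluate(PROBLEM, "192.173.2.10"))
    print(shadowed_wildcards(PROBLEM))
    print(evaluate(EXACT_OVER_WILDCARD, "192.168.168.67"))
```

Any pair returned by `shadowed_wildcards` marks an entry that will never decide a connection under this model and should be merged or removed.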