Learn how to configure PI firewall

For all incoming connections, the Data Archive server first checks the PIFIREWALL table for partial or complete IP host names or addresses. If there is no entry in the table that allows the incoming connection, the Data Archive server terminates the connection immediately.

By default, the PIFIREWALL table allows all connections. Edit the table to allow connections only from the subnets defined for your community of users. You can change settings for the table with the PI SMT Firewall tool, which you can access by choosing Security > Firewall. Data Archive collectives do not replicate the PIFIREWALL table.

Note: PIFIREWALL does not filter IPv6 traffic. Do not remove all entries in the PIFIREWALL table; for PI Server 2016 or later, the public listener will not open if the PIFIREWALL table is empty.

In order to change settings in the PIFIREWALL table, you need read/write access to the PITUNING entry in the Database Security tool. To access the Database Security tool, open PI SMT, choose Security > Database Security.

Note: Use Windows firewall or install a hardware firewall for additional security. PIFIREWALL is installed by default with Data Archive, and blocks connections to AVEVA™ PI System™ only. A Windows firewall or a hardware firewall offer more robust firewall filtering, such as IPv6 filtering. Using a Windows firewall or hardware firewall in addition to the PIFIREWALL is recommended.