Required Firewall Rules

A typical Predix Edge deployment involves connectivity to a variety of systems, including both assets at the customer location and the Predix cloud environment where the corresponding Edge Manager instance is located. We recommend applying a least-privilege firewall policy within the installed environment that permits only the communications required for typical operation. The Predix Edge virtual machine should be granted access, as a whitelist, only to those hosts required for its operation.

The table below lists the firewall rules required for Predix Edge. Note that only GE Digital-provided components and protocol adapters are listed, and firewall rules need to be created only for the components actually used in the deployment. Additionally, either the customer or an approved third party may create custom adapters, which would likely require additional firewall rules. If this is the case, please consult with the application author to determine the requirements.
Table 1. Required Firewall Rules

Rule purpose                            Direction                                 Protocol and Port
--------------------------------------  ----------------------------------------  -------------------------------
Edge device to Edge Manager             Outbound to External                      HTTPS (TCP 443)
Cloud Gateway (to Predix Timeseries)    Outbound to External                      HTTPS/WebSockets (TCP 443)
Cloud Gateway (to Predix EventHub)      Inbound from Management                   HTTPS (TCP 443)
PETC                                    Inbound from Management                   HTTPS (TCP 443)
Modbus                                  Outbound to Control                       TCP 502
OPC-UA                                  Outbound to Control                       TCP 4840
OSI Pi                                  Outbound to Control                       HTTPS (TCP 443)
EGD                                     Inbound and Outbound from/to Control      UDP 18246
MQTT                                    Outbound to Control                       TCP 1883
MQTT over WebSockets                    Outbound to Control                       HTTPS/WebSockets (TCP 9001)
SNMP monitoring of the Edge device      Inbound from Control or External          UDP 161
NTP (if using external)                 Outbound to External                      UDP 123
Note:
  • The “control” network refers to the local assets the Predix Edge device connects to; “external” is the path to the open Internet. The “management” network is ideally a local management network used for site administration functions, if available. If unavailable, please default to whatever network is considered most secure/restricted.
  • EGD typically makes heavy use of multicast and broadcast traffic.
  • All of the above-mentioned port numbers are the standard IANA-assigned port numbers; however, deployments may use different port numbers due to operational considerations. Consult with a network engineer familiar with the site network if you are unsure.

When possible, we also recommend further restricting firewall rules for specific ports to the required hosts only. For example, the Modbus rule should be refined to allow the Edge device to communicate on port 502 only with those devices it is intended to communicate with. In addition, several IPS/IDS options are available to restrict control network traffic via segmentation and inspection, such as GE Digital's OpShield.
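The following is an added example, not GE Digital's own tooling or configuration: a small POSIX shell script that generates an nftables ruleset implementing the whitelist in Table 1 for a deployment that uses Edge Manager, external NTP, Modbus, OPC-UA, SNMP monitoring and the inbound management-network rules, with the per-host refinement recommended above (one rule per destination host rather than a port opened to a whole network). The host and network addresses are constructed placeholders from the RFC 5737 documentation ranges and must be replaced with the site's actual values.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset implementing the Table 1 whitelist
# for a Predix Edge device. Default policy is drop in both directions, and each
# port is opened only toward the hosts that actually need it.
# All addresses below are constructed placeholders (RFC 5737 ranges).

EDGE_MANAGER_HOSTS="203.0.113.10"        # assumed Edge Manager endpoint
NTP_HOSTS="203.0.113.20"                 # assumed external NTP server
MODBUS_HOSTS="192.0.2.10 192.0.2.11"     # assumed PLCs polled over Modbus
OPCUA_HOSTS="192.0.2.20"                 # assumed OPC-UA server
MGMT_NET="198.51.100.0/24"               # assumed site management network

# emit_rules DIRECTION PROTO PORT HOST...
# Writes one nft accept rule per host. DIRECTION is "out" (match destination
# address, for the output chain) or "in" (match source address, input chain).
emit_rules() {
  dir=$1; proto=$2; port=$3; shift 3
  for host in "$@"; do
    if [ "$dir" = out ]; then
      printf '    ip daddr %s %s dport %s accept\n' "$host" "$proto" "$port"
    else
      printf '    ip saddr %s %s dport %s accept\n' "$host" "$proto" "$port"
    fi
  done
}

# build_ruleset -> complete nftables ruleset on stdout
build_ruleset() {
  cat <<'EOF'
table inet predix_edge {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
EOF
  emit_rules in udp 161 $MGMT_NET   # SNMP monitoring of the Edge device, management only
  emit_rules in tcp 443 $MGMT_NET   # PETC and Cloud Gateway (EventHub), inbound from management
  cat <<'EOF'
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
EOF
  emit_rules out tcp 443 $EDGE_MANAGER_HOSTS   # Edge device to Edge Manager
  emit_rules out udp 123 $NTP_HOSTS            # NTP, external
  emit_rules out tcp 502 $MODBUS_HOSTS         # Modbus, only to the listed PLCs
  emit_rules out tcp 4840 $OPCUA_HOSTS         # OPC-UA, only to the listed server
  cat <<'EOF'
  }
}
EOF
}

# count_rules PATTERN -> number of generated lines matching PATTERN
# (handy for checking that a port is reachable only from the expected hosts)
count_rules() {
  build_ruleset | grep -c -- "$1"
}

# Usage:
#   build_ruleset > predix_edge.nft
#   nft -c -f predix_edge.nft     # syntax check only
#   nft -f predix_edge.nft        # load the ruleset
```

Adapters not used at a site (MQTT, OSI Pi, EGD and so on) are simply left out of the generated ruleset, which is the point of building the policy from the list of components actually deployed. If a site uses non-standard port numbers, change the port arguments rather than widening the host lists.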