Required Firewall Rules

A typical Predix Edge deployment involves connectivity to a variety of systems, including both assets at the customer location and the Predix cloud environment where the corresponding Edge Manager instance is located. We recommend applying a least-privilege firewall policy within the installed environment that permits only the communications required for typical operation. The Predix Edge virtual machine should be granted access, as a whitelist, to only those hosts required for its operation.

The table below lists the firewall rules required for Predix Edge. Only GE Vernova-provided components and protocol adapters are listed, and firewall rules need to be created only for the components actually used in the deployment. Additionally, either the customer or an approved third party may create custom adapters, which would likely require additional firewall rules. If this is the case, consult the application author to determine the requirements.
Table 1. Required Firewall Rules

| Rule purpose | Direction | Protocol and Port |
| --- | --- | --- |
| Edge device to Edge Manager | Outbound to External | HTTPS (TCP 443) |
| Cloud Gateway (to Predix Timeseries) | Outbound to External | HTTPS/WebSockets (TCP 443) |
| Cloud Gateway (to Predix EventHub) | Inbound from Management | HTTPS (TCP 443) |
| PETC | Inbound from Management | HTTPS (TCP 443) |
| Modbus | Outbound to Control | TCP 502 |
| OPC-UA | Outbound to Control | TCP 4840 |
| OSI Pi | Outbound to Control | HTTPS (TCP 443) |
| EGD | Inbound and Outbound from/to Control | UDP 18246 |
| MQTT | Outbound to Control | TCP 1883 |
| MQTT over WebSockets | Outbound to Control | HTTPS/WebSockets (TCP 9001) |
| SNMP monitoring of the Edge device | Inbound from Control or External | UDP 161 |
| NTP (if using external) | Outbound to External | UDP 123 |
Note:
  • The “control” network refers to the local assets the Predix Edge device connects to; “external” is the path to the open Internet. The “management” network is ideally a local management network used for site administration functions, if available. If unavailable, default to whatever network is considered most secure/restricted.
  • EGD typically makes heavy use of multicast and broadcast traffic.
  • All of the port numbers listed above are the standard IANA-assigned numbers; however, deployments often use different port numbers for operational reasons. Consult a network engineer familiar with the site network if you are unsure.

When possible, we also recommend further restricting firewall rules for specific ports to required hosts only. For example, the Modbus rule should be refined to allow the Edge device to communicate on port 502 only with those devices it is intended to talk to. In addition, there are several IPS/IDS options available to restrict control network traffic via segmentation and inspection.
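The following is an added example (not part of the Predix Edge documentation) showing one way to turn Table 1 plus the per-host refinement described above into a default-drop nftables ruleset for the Edge host. The rule rows are a subset of Table 1; the Rule class, the validate/render functions and every address are assumptions for this illustration, with the addresses drawn from RFC 5737 documentation ranges rather than any real Edge Manager or asset.

```python
"""Least-privilege nftables ruleset generator for a Predix Edge host.

Added example, not part of the Predix Edge documentation. The rule rows
mirror Table 1 above; every address below is a constructed placeholder
(RFC 5737 documentation ranges) and must be replaced with site values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    purpose: str
    direction: str                 # "in", "out", or "inout" (who opens the connection)
    proto: str                     # "tcp" or "udp"
    port: int
    peers: List[str] = field(default_factory=list)  # allowed remote hosts/CIDRs; empty = any host


# Constructed sample: a subset of Table 1, narrowed to the hosts this site uses.
SAMPLE_RULES = [
    Rule("Edge device to Edge Manager", "out", "tcp", 443, ["203.0.113.10"]),
    Rule("Modbus", "out", "tcp", 502, ["192.0.2.21", "192.0.2.22"]),
    Rule("OPC-UA", "out", "tcp", 4840, ["192.0.2.30"]),
    Rule("EGD", "inout", "udp", 18246, ["192.0.2.0/24"]),
    Rule("SNMP monitoring of the Edge device", "in", "udp", 161, ["198.51.100.5"]),
    Rule("NTP (if using external)", "out", "udp", 123),   # no host restriction
]


def validate(rules: List[Rule]) -> None:
    """Reject malformed rows before they become firewall rules (raises ValueError)."""
    for r in rules:
        if r.direction not in ("in", "out", "inout"):
            raise ValueError(f"{r.purpose}: bad direction {r.direction!r}")
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"{r.purpose}: bad protocol {r.proto!r}")
        if not 1 <= r.port <= 65535:
            raise ValueError(f"{r.purpose}: bad port {r.port}")
        for peer in r.peers:
            ipaddress.ip_network(peer, strict=False)  # raises ValueError on a typo


def is_valid(rules: List[Rule]) -> bool:
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        validate(rules)
        return True
    except ValueError:
        return False


def _addr_match(rule: Rule, key: str) -> str:
    """nftables address match ('ip saddr ...' / 'ip daddr ...'), or '' for any peer."""
    if not rule.peers:
        return ""
    if len(rule.peers) == 1:
        return f"ip {key} {rule.peers[0]} "
    return f"ip {key} {{ {', '.join(rule.peers)} }} "   # anonymous set for several peers


def render_nft(rules: List[Rule]) -> str:
    """Render an nftables ruleset with default-drop input and output chains."""
    validate(rules)
    inbound, outbound = [], []
    for r in rules:
        if r.direction in ("in", "inout"):
            inbound.append(f"        # {r.purpose}\n"
                           f"        {_addr_match(r, 'saddr')}{r.proto} dport {r.port} accept")
        if r.direction in ("out", "inout"):
            outbound.append(f"        # {r.purpose}\n"
                            f"        {_addr_match(r, 'daddr')}{r.proto} dport {r.port} accept")
    # Replies to permitted flows are allowed by connection tracking, so each
    # row only needs a rule in the direction that opens the connection.
    common = ["        ct state established,related accept",
              "        ct state invalid drop"]
    lines = ["table inet predix_edge {",
             "    chain input {",
             "        type filter hook input priority 0; policy drop;",
             '        iif "lo" accept', *common, *inbound,
             "    }",
             "    chain output {",
             "        type filter hook output priority 0; policy drop;",
             '        oif "lo" accept', *common, *outbound,
             "    }",
             "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft(SAMPLE_RULES))   # review, then load with `nft -f -`
```

Keeping the rule table as data makes the site-specific whitelist reviewable on its own, and the validation step catches a mistyped address or port before it is loaded; a row with an empty peer list (NTP here) deliberately stays open to any host, which is the case to revisit once the site's time source is known.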