Knowledge Base Article
3171OSI8 - Questions and hints on the PI Firewall table
Product: PI Data Archive
Version(s): Any

Questions regarding the PI Firewall table:

1. How do you edit the PI Firewall table?
2. Is the PI Firewall Table replicated in an HA configuration?
3. How long does it take for new settings in the PI Firewall to take effect?
4. How do you access the PI Firewall table with piconfig?
5. What are the default PI Firewall table settings?
6. How can you see what is currently in the PI Firewall table using piconfig?
7. How can you delete the ALLOW ALL access entry in the PI Firewall table using piconfig?
8. How can you add new entries to the PI Firewall table?
9. How do I find the date of last change to the PI Firewall table?
10. What are some PI Firewall Table hints?

Answers

As part of your PI security plan, you could consider configuring the PI Firewall table on the PI Server to restrict access to the PI Server by IP Address, IP address masks, or individual host names. The PI Network Manager (pinetmgr.exe) uses the PI Firewall database to screen access. For more detailed discussion on the PI Firewall table, see the "Managing Security" chapter and the "Firewall Security" section in the PI Server System Management Guide.

1. How do you edit the PI Firewall table?

You can use the piconfig command-line utility to list or change what is in the PI Firewall, but you could also use the plug-in "Firewall" in the PI System Management Tools, version 3.3.0.1, if you have a PI Server version 3.4.363.68 or later. If you use piconfig you must make the changes on the PI Server itself. It cannot be edited remotely. See "How to access the PI Firewall table with piconfig" below.

This KB addresses how to make the changes using piconfig.

2. Is the PI Firewall Table replicated in an HA configuration?

No, it is not.

3. How long does it take for new settings in the PI Firewall to take effect?

For changes to the PI Firewall database to take effect, you must either wait up to 15 minutes or, if you are in a hurry, restart the PI Server (PINetMgr.exe).

4. How do you access the PI Firewall table with piconfig?

  1. Open a command session: Start > Run, type "cmd" and press Enter.
  2. Change to the pi\adm directory (for example, type "cd \pi\adm" and press Enter).
  3. Type "piconfig" and press Enter.
  4. To access the PI Firewall table, type "@table pigen, pifirewall" and press Enter.

Note: "pi_gen, pifirewall" also works

5. What are the default PI Firewall table settings?

The PI Firewall has two fields: "Hostmask," which is a host name, IP address, or IP address mask, and "Value," which defines whether that hostmask has access or not.

Values may be set to "allow" or "disallow."
 
The default setting in the PI Firewall table is "*.*.*.*,ALLOW" which means all IP addresses can connect to the PI Server. If you remove this entry, then no connections are allowed until you provide additional entries with the "allow" setting. 

6. How can you see what is currently in the PI Firewall table using piconfig?

From a pi\adm prompt, run piconfig and the following commands, as shown below:

piconfig
@table pigen, pifirewall
@ostr hostmask, value
@select hostmask = *
@ends
*.*.*.*,ALLOW

 
Hint: A quicker way to list all the settings in the PI firewall table is to type the following:

@table pigen, pifirewall
@ostr *
@ends

 

7. How can you delete the ALLOW ALL access entry in the PI Firewall table using piconfig?

Since, by default, everyone has read access to the PI Server, we recommend that you delete the "*.*.*.*,ALLOW" entry and add more restrictive entries instead.

To delete the "*.*.*.*" entry:

@mode delete
@istr hostmask
"*.*.*.*"
@ends

Note: Quotes must be used around the entry.

8. How can you add new entries to the PI Firewall table?

The PI firewall table should be configured so that connections are accepted only from your domain. Doing this includes explicitly disallowing all others. Connections to allow or disallow can be specified by individual IP addresses, an IP address mask or individual host names.

@table pigen,pifirewall
@mode create,t
@istr hostmask, value
192.168.168.*,allow
bob.mydomain.com, disallow
@ends

9. How do I find the date of last change to the PI Firewall table?

Check the Last Modified Date of the pifirewall.tbl file in the PI\dat directory. Changes in the PI Firewall table are not recorded in the PI server log or audit files.
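
Because table changes are not logged, the file itself is the only evidence of an edit. The following is an added example (not OSIsoft code) that baselines pifirewall.tbl and reports whether its content or only its timestamp has changed; the baseline file, the function names and the path passed in are assumptions.

```python
import hashlib
import json
import os
import sys


def snapshot(path):
    """Record size, modification time and SHA-256 of the table file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def check(path, baseline_file):
    """Compare the table file with the stored baseline.

    Returns "baseline-created", "unchanged", "touched" (timestamp moved,
    content identical, e.g. piconfig rewrote the table on exit) or
    "modified" (content differs, so entries were added, changed or deleted).
    """
    current = snapshot(path)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
        return "baseline-created"
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    if current["sha256"] != baseline["sha256"]:
        return "modified"
    if current["mtime"] != baseline["mtime"]:
        return "touched"
    return "unchanged"


if __name__ == "__main__":
    # Usage (paths are placeholders): check.py <PI\dat\pifirewall.tbl> <baseline.json>
    status = check(sys.argv[1], sys.argv[2])
    print(status)
    # Non-zero exit lets a scheduled task raise an alert on any change.
    sys.exit(0 if status in ("unchanged", "baseline-created") else 1)
```

Keep the baseline file outside the PI\dat directory and re-create it after every approved change.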

10. What are some PI Firewall Table hints?

  • Entries which allow access to specific names or addresses override the (*.*.*.*, disallow) setting. These entries must not use wild cards (*).
  • With wild card entries, the PINetMgr currently only matches the first entry it reads, so do not create multiple entries using wild cards. A problematic example: if your first wild card entry is (*.*.*.*, disallow) and the following entry is (192.173.2.*, allow), the (192.173.2.*, allow) entry will be ignored, since wild cards were used in the first entry. Since "*.*.*.*, disallow" is implied when there are no entries, there is no need to use this entry unless you want to block all connections to PI.
  • To disallow all network connections, make sure you have an entry with "*.*.*.*",Disallow, and all other entries are either deleted or set to Disallow.
  • Connections from the PI Server itself are not affected by PI Firewall entries.
  • You cannot use masks or wild cards (*) with host names. You can only use masks with IP addresses.
  • Piconfig loads the pifirewall table in memory. Changes are written to disk when a new table is loaded or piconfig is exited. You may have to wait up to 15 minutes for the changes to take effect, or you can restart the PI Server.
  • Other considerations to increase security: Database security, and Point-level security. See "PI Server Security Best Practices" document in the Download Center under "White Papers."
  • For more detailed discussion on the PI Firewall, see the "Managing Security" chapter and the "Firewall Security" section in the PI Server System Management Guide.
Note: The PI Firewall table is not as flexible or powerful as a real network firewall device, so if you need a real firewall, please consider investing in such networking equipment.
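
The hints above can be checked mechanically against a saved listing of the table. The following is an added example (not OSIsoft code) that parses "hostmask,value" lines as shown in this article and flags the conditions the hints warn about; the function names, finding labels and sample entries are constructed for illustration.

```python
import re

ALLOW_ALL = "*.*.*.*"

# Constructed sample listing in the "hostmask,value" form used in this article.
SAMPLE = """\
*.*.*.*,ALLOW
192.168.168.*,allow
*.mydomain.com,allow
bob.mydomain.com, disallow
10.1.2.3,permit
"""

# Four dot-separated fields, each a number or "*": an IP address or IP mask.
IP_MASK = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")


def parse(listing):
    """Return (hostmask, value) pairs; value is lower-cased."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("@"):
            continue  # skip blank lines and piconfig commands
        hostmask, _, value = line.partition(",")
        entries.append((hostmask.strip().strip('"'), value.strip().lower()))
    return entries


def audit(entries):
    """Check entries against the rules stated in this article."""
    findings = []
    ip_wildcards = []
    for hostmask, value in entries:
        if value not in ("allow", "disallow"):
            findings.append(("bad-value", hostmask))
        is_ip = bool(IP_MASK.match(hostmask))
        if "*" in hostmask and not is_ip:
            # Masks may only be used with IP addresses, not host names.
            findings.append(("wildcard-in-hostname", hostmask))
        if "*" in hostmask and is_ip:
            ip_wildcards.append(hostmask)
        if hostmask == ALLOW_ALL and value == "allow":
            findings.append(("allow-all", hostmask))
    # Only the first wild card entry is matched; later ones are ignored.
    for ignored in ip_wildcards[1:]:
        findings.append(("wildcard-ignored", ignored))
    return findings
```

Calling audit(parse(SAMPLE)) returns one finding per problem, in the order allow-all, wildcard-in-hostname, bad-value, wildcard-ignored.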


Notes

  • Sources: PI Server Security Best Practices, PI Server System Management Guide
  • For Replication information, see the High Availability and PI Server Replication User Manual
  • Check the download center for PI Server documentation

Article ID: 3171OSI8
Created: 2005-12-16
Article Type: How-To
Last Updated: 2014-04-14