TCP/IP based protocols and used IP ports

620 series Relion Protection and Control - Relion 615 series - 2.0 FP1 IEC - IEC - 26.04.2023

620 series Cyber Security Deployment Guideline

IP port security depends on the specific installation, its requirements and the existing infrastructure. The required external equipment can be separate devices or devices that combine firewall, router and secure VPN functionality. When the network is divided into security zones, the division is done with substation devices that have firewall functionality or with dedicated firewall products. Security zone boundaries are inside the substation or between the substation and the outside world.

The relay supports an option with multiple station communication Ethernet ports. In this case, all ports use the same IP and MAC address regardless of which redundancy option is activated in the relay configuration.

For setting up an IP firewall, the following table summarizes the IP ports used by the device. All closed ports can be opened in the configuration. Ports that are open by default are used for configuring the protection relay.

Table 1. IP ports used by the relay
Port number  Type  Default state  Description
20, 21       TCP   Open           File Transfer Protocol (FTP and FTPS)
102          TCP   Open           IEC 61850
80           TCP   Closed         Web Server HTTP
443          TCP   Closed         Web Server HTTPS
123          UDP   Not active     Simple Network Time Protocol
502          TCP   Closed         Modbus TCP
20000        TCP   Closed         DNP TCP
20000        UDP   Closed         DNP UDP

FTP and IEC 61850 are the primary services needed for relay configuration, and they cannot be disabled. Additionally, the protection relay uses layer 2 communications in GOOSE, SMV, IEEE 1588 (PTP) and HSR/PRP supervision services, which need to be taken into account when designing the network.

In addition to the HTTP and FTP protocols, the relay supports three Ethernet-based substation automation communication protocols: IEC 61850, Modbus and DNP3. IEC 61850 is always enabled, and the relay can be ordered with one additional station bus protocol. Additional protocols must be enabled in the configuration; otherwise the protocol's TCP/UDP port is closed and unavailable. If the protocol service is configured, the corresponding port is open all the time.

See the relay series' technical manual and the corresponding protocol documentation for instructions on configuring a specific communication protocol.

In Modbus and DNP, it is possible to assign the TCP or UDP port number if required, and it is also possible to allow connection requests only from a configured client IP address.
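
As an added example (not part of the guideline and not vendor code), the following Python generator turns Table 1 into a default-deny nftables allowlist for a zone-boundary firewall: optional ports get a rule only when the service is enabled on the relay, and every open service is restricted to named client addresses. The choice of nftables, the table name `relay_zone`, the service keys and the 192.0.2.x addresses are assumptions. Layer 2 traffic (GOOSE, SMV, PTP, HSR/PRP supervision) is not IP and is not filtered by these rules.

```python
import ipaddress

# Table 1 of the page: service -> (protocol, ports, open by default).
# SNTP (123/UDP) is omitted: its direction depends on where the time server sits.
TABLE_1 = {
    "ftp": ("tcp", (20, 21), True),
    "iec61850": ("tcp", (102,), True),
    "http": ("tcp", (80,), False),
    "https": ("tcp", (443,), False),
    "modbus": ("tcp", (502,), False),
    "dnp-tcp": ("tcp", (20000,), False),
    "dnp-udp": ("udp", (20000,), False),
}

def build_rules(relay_ip, clients, enabled=(), port_overrides=None):
    """Return nftables accept rules for a forward chain whose policy is drop.

    clients        service -> client IPs allowed to reach it (site-specific)
    enabled        optional services switched on in the relay configuration
    port_overrides reassigned Modbus/DNP ports, e.g. {"modbus": (1502,)}
    """
    unknown = set(enabled) - set(TABLE_1)
    if unknown:
        raise ValueError(f"not in Table 1: {sorted(unknown)}")
    relay = ipaddress.IPv4Address(relay_ip)
    rules = []
    for name, (proto, ports, default_open) in TABLE_1.items():
        if not (default_open or name in enabled):
            continue  # closed on the relay, so no rule: the drop policy covers it
        if not clients.get(name):
            # FTP and IEC 61850 cannot be disabled, so they always need a list.
            raise ValueError(f"{name} is open but has no client allowlist")
        src = ", ".join(str(ipaddress.IPv4Address(c)) for c in clients[name])
        dports = ", ".join(map(str, (port_overrides or {}).get(name, ports)))
        rules.append(f"ip saddr {{ {src} }} ip daddr {relay} "
                     f"{proto} dport {{ {dports} }} accept")
    return rules

def render(rules):
    """Wrap the rules in a default-deny forward chain (table name is made up)."""
    lines = ["table inet relay_zone {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    return "\n".join(lines + [f"    {r}" for r in rules] + ["  }", "}"])

if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation range.
    print(render(build_rules("192.0.2.10",
                             {"ftp": ["192.0.2.50"], "iec61850": ["192.0.2.50"]})))
```

FTP data connections may use ports other than 20 and 21 depending on the transfer mode, so validate the generated rules against the actual engineering-tool traffic before enforcing them.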