Data Collector Firewall Settings
  • 17 Oct 2025

A dataPARC Historian architecture typically consists of a Data Collector on the Process Control network (also known as the OT network) that passes data up to the Historian server. The Historian server is usually positioned in a DMZ or on the Business Network (also known as the IT network), with a firewall separating it from the OT network. The diagram below shows a typical example:

OT Network Firewall Settings

Described below are the recommended settings for optimum data transfer security with a dataPARC Historian.

Stateful Firewall

A stateful firewall is a network security device that monitors the state of active network connections to filter traffic. It maintains a dynamic record of connections in a "state table" to make context-aware decisions, allowing legitimate responses to return automatically without needing specific rules for every packet.  This means that if a connection was initiated from a trusted internal network on an outbound port, responses are allowed without opening an inbound port.  dataPARC recommends use of a stateful firewall for data collection from within an OT network; most modern firewalls are stateful.

Firewall Port Configuration

Assuming use of a stateful firewall, the dataPARC Historian’s Data Collection application only requires the following open ports:

Outbound ports (OT → DMZ):

  • 12399 (TCP - Configurable)

  • 12340 (TCP - Configurable)

Inbound ports (DMZ → OT):

  • None

This means that the firewall can be configured with ONLY Outbound ports open - no Inbound ports are required for data transfer to the Historian Server.
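The behaviour described under Stateful Firewall and Firewall Port Configuration, modelled as a small packet filter. This is an added example, not dataPARC code or a real firewall configuration; the IP addresses and source ports are constructed, and connection timeouts and TCP teardown are left out.

```python
from dataclasses import dataclass

# Assumed addresses (constructed for this example, not from the article).
COLLECTOR = "10.10.0.20"        # Data Collector on the OT network
HISTORIAN = "192.0.2.10"        # Historian server in the DMZ
ALLOWED_PORTS = {12399, 12340}  # outbound TCP ports listed in the article


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


class StatefulFirewall:
    """Default-deny filter between OT and DMZ with a connection state table."""

    def __init__(self):
        self.state = set()  # flows opened from the OT side: (src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:
            # Later packets pass only if they belong to a tracked connection.
            return "ACCEPT" if flow in self.state or reverse in self.state else "DROP"
        # New connection: the only rule is collector -> Historian on the two ports.
        if pkt.src == COLLECTOR and pkt.dst == HISTORIAN and pkt.dport in ALLOWED_PORTS:
            self.state.add(flow)
            return "ACCEPT"
        return "DROP"  # no inbound (DMZ -> OT) rule exists


def demo():
    fw = StatefulFirewall()
    return [
        fw.filter(Packet(COLLECTOR, 50000, HISTORIAN, 12399, syn=True)),  # collector connects out
        fw.filter(Packet(HISTORIAN, 12399, COLLECTOR, 50000)),            # Historian's response
        fw.filter(Packet(HISTORIAN, 40000, COLLECTOR, 12399, syn=True)),  # DMZ-initiated connection
        fw.filter(Packet(HISTORIAN, 12340, COLLECTOR, 50001)),            # response with no tracked flow
        fw.filter(Packet(COLLECTOR, 50002, HISTORIAN, 8080, syn=True)),   # OT -> DMZ on an unlisted port
    ]
```

Only the first two packets are accepted: the outbound connection matches the single rule, and the Historian's response matches the state table entry that connection created.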

Historian Maintenance

With no Inbound ports open to the OT network, most routine tag and data collection maintenance tasks can still be performed without accessing the Data Collector directly. This is because the Data Collector regularly polls the Historian at a configurable interval for changes; i.e. the Historian does not “push” changes down to the Data Collector. The stateful firewall allows the Historian to respond to the Data Collector's requests with the latest configuration information.

The configuration interface is accessed via a browser window on the Historian server (example below):

Historian Changes NOT Requiring OT Network Access

  • Add new tags

  • Change existing tag settings

  • Start/stop data collection

  • View error logs

  • Backfill historical data (if historical data available from DCS)

  • Change source-level data collection settings, including which OPC server data is collected from

Historian Changes that DO Require OT Network Access

  • Update Data Collector app software to new version

  • Change communication ports

  • Point Data Collector at a new Historian IP address

  • Change the user/password (account) that the Data Collector service runs as

