Learning Mode accelerates deployment
Let the EAGLE One observe normal traffic, then review and activate the generated rules. No manual rule writing required.
19.1 EAGLE One Firewall
Rack mount switches handle the backbone. Protecting the boundary between network zones requires purpose-built industrial firewalls. The EAGLE One is Hirschmann’s entry-level industrial firewall for cell protection and simple IT/OT boundaries.
Why the EAGLE One Exists
Section titled “Why the EAGLE One Exists”A PLC cell communicates with the SCADA server over a small set of well-defined connections. Allowing unrestricted access from the plant network to the cell exposes the PLC to broadcast storms, port scans, and unauthorized configuration changes. The EAGLE One sits at the cell boundary and permits only the traffic the application requires.
Hardware
Section titled “Hardware”| Specification | Value |
|---|---|
| Ports | 2 FE (internal + external) |
| Software | Classic Firewall Software |
| Firewall type | Stateful L2 and L3 |
| Temperature | -40 C to +70 C (variant dependent) |
| Housing | DIN rail, IP20/IP30 |
| Power | 12-48 V DC, 24 V AC |
Firewall Learning Mode
Section titled “Firewall Learning Mode”The EAGLE One includes a Firewall Learning Mode that monitors traffic flowing through the device and automatically generates firewall rules based on observed connections. The workflow:
- Install the EAGLE One in the network path with the firewall in learning mode.
- Run the application through its normal operating cycle.
- The EAGLE One records every source/destination IP, port, and protocol combination.
- Review the generated rules, remove any unwanted entries, and activate the firewall.
This approach eliminates the need to manually document every connection before writing rules. It is especially valuable for legacy systems where protocol documentation is incomplete.
Certifications
Section titled “Certifications”| Certification | Scope |
|---|---|
| ATEX Zone 2 | Hazardous locations (EU) |
| IEC 61850-3 / IEEE 1613 | Substation environments |
| EN 50121-4 | Railway trackside EMC |
| DNVGL | Marine applications |
Use Cases
Section titled “Use Cases”Cell protection: An EAGLE One between the plant network and a robot cell permits only Modbus TCP (port 502) from the SCADA server and blocks everything else. The robot PLC is invisible to the rest of the network.
Simple IT/OT boundary: An EAGLE One at the DMZ boundary permits HTTPS from the historian server to the corporate network and blocks all inbound connections from IT to OT.
Key Takeaways
Section titled “Key Takeaways”Certified for substations and rail
IEC 61850-3, IEEE 1613, EN 50121-4, ATEX Zone 2, DNVGL. Deploy in regulated environments without additional enclosures.
What Comes Next
Section titled “What Comes Next”The EAGLE One handles simple cell protection. The next section covers the EAGLE40 Next-Generation Firewall with Deep Packet Inspection, IPSec VPN, and industrial protocol enforcement.
References
Section titled “References”- Belden/Hirschmann. (2024). EAGLE One Data Sheet. Belden Inc.