User921
New Member
January 7, 2026
Question

How to allow profinet protocol?

  • January 7, 2026
  • 1 reply
  • 353 views
We want to allow the following protocols between two physical ports with two MAC addresses:
"arp || stp || mdns || pn_rt || pn_io_device || pn_io || pn_dcp" (Wireshark notation)

With FortiOS 7.6.4 we have set the opmode to transparent and created a firewall policy to allow 'ALL' services, but that only lets the first protocols/services (arp || stp || mdns) through and blocks the rest (pn_*).

Is it possible to fix this in any way, e.g. by creating an IPS signature for Profinet (--ethertype 0x8892) and adding that to the policy?

The test setup:

    config firewall policy
        edit 2
            set name "Allow all MACs"
            set uuid 6e874ff8-eaee-51f0-5cca-7370b58c116a
            set srcintf "LAN2 and LAN3"
            set dstintf "LAN2 and LAN3"
            set action accept
            set srcaddr "all MAC"
            set dstaddr "all MAC"
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end

where intf "LAN2 and LAN3" is:

    config system zone
        edit "LAN2 and LAN3"
            set intrazone allow
            set interface "lan2" "lan3"
        next
    end

and "all MAC" is :

    config firewall address
        edit "all MAC"
            set type mac
            set macaddr "00:00:00:00:00:00-ff:ff:ff:ff:ff:ff"
        next
    end

1 reply

mpapisetty
Staff
January 8, 2026

@User921 ,

Did you try enabling the l2forward option under the interface? 
    config system interface
        edit <interface name>
            set l2forward enable
        next
    end

By default, the ALL service is for IP traffic. Profinet does not come under IP but works with different ethertypes. Setting l2forward should allow the traffic to go through. Let me know how it goes.

User921 (Author)
New Member
January 8, 2026

Thank you for the suggestion, but it did not solve the issue.

We've also tried adding an IPS signature for ethertype 0x8892 (Profinet RT) with Action=Pass, but that also did not help.

If we can get the first Profinet Real-Time DCP (Dynamic Configuration Protocol) identify response, then the rest should follow.