mbNETFIX Industrial Firewall

The Industrial Firewall for the automation user

MB connect line presents mbNETFIX as a new industrial firewall for automation users. It protects against attacks by segmenting the production network into manageable, logically separated units.

  • Intelligent firewall: monitoring of the communication and learning mode for more security
  • User-friendly: configured with only a few mouse clicks
  • Cybersecurity at the highest level thanks to RSA key authentication
  • Multistage user level concept
  • Secure Boot concept
  • Avoid address conflicts when installing new machines
    Integrating a new machine in an existing production network can yield address conflicts, making machine installation longer and more expensive. With the mbNETFIX you can simplify and shorten machine installation while preserving the internal network conventions.
  • Easily access devices in an isolated network segment
    Accessing machines in isolated network segments can be difficult or sometimes impossible. With the Simple NAT feature, the mbNETFIX easily forwards addresses from the WAN to the LAN side. You just need to fill out the mapping table.
  • Secure new machine internal network
    Industry 4.0 is about seamless data flow. No one wants a threat that came from an HMI, a USB stick or a PC to spread to the factory floor. The mbNETFIX filters allowed and forbidden traffic and thus preserves communication flows while ensuring cybersecurity.
  • Isolate network segments with heavy traffic
    Modern machine communication protocols use a lot of broadcast communications. With the mbNETFIX, you can isolate network segments, so overhead traffic remains local and factory network bandwidth is preserved.
  • Secure machines already installed on the network
    You might know this challenge: raising the level of cybersecurity of existing machines without introducing a change in the network. With the mbNETFIX's so-called bridge mode, you can do that. Just plug it in between, and traffic is controlled while no change is introduced.
  • Secure sensitive network components
    To ensure a decent level of cybersecurity, you would need to update PLCs constantly. But that would be a dramatic disruption and is just not feasible. By enabling the mbNETFIX as an external cybersecurity guard, you can raise the level of cybersecurity easily without patching the devices.

FEATURES

The mbNETFIX is developed according to the highest security standard. This firewall is easily configured with little knowledge and few manipulations. With the operating modes Gateway and Bridge, it integrates seamlessly into new and existing network structures.

The Automation Firewall offers two operation modes:

  • Bridge mode
  • Gateway mode

In Bridge mode, it can be integrated easily into existing networks that are in the same network segment, and it protects the data exchange between WAN <> LAN via the packet filter. It integrates transparently, and no IP address allocation is necessary.

In Gateway mode, WAN and LAN get a defined IP address, which segments the networks. Here, functions such as NAT and Forwarding can be used to route data traffic to secondary networks. The packet filter is also available in this mode and manages the data exchange between WAN <> LAN.

A special feature is the integrated learning function: the firewall learns the traffic, and the user can explicitly release or block the connections among the IP devices directly from a table of learned packets. The built-in learning feature simplifies commissioning and does not require special IT skills.

The concept is based on security by design right from the start. In order to keep the attack surface as small as possible, a web interface for configuration was deliberately abandoned. The firewall is configured with software via the USB port. For IT experts, an optional SSH interface is available.

With the integrated packet filter the mbNETFIX protects your networks. It blocks or releases traffic between WAN and LAN on both sides. Using the software, you can use simple filter tables to determine which communication you want to allow or prohibit.

The mbNETFIX has various NAT functionalities that can be configured via the software. So you can use this firewall to connect different networks, even if the IP address ranges are different. The device includes Simple NAT, Network NAT, DNAT (Port Forwarding), SNAT and Static Routes.

The configuration tool generates an RSA key pair during commissioning and transmits it to the mbNETFIX. This RSA key authentication replaces the classic password and protects you against brute-force attacks.

With convenient user role management, you can assign a total of four user levels that have different rights.