Tofino Firewall LSM

Traffic Control Cop for industrial networks

  • Create, test and deploy network traffic rules

  • Block and report unauthorized communications


The vast majority of control networks have little or no isolation between different subsystems. If a device misconfiguration, hardware failure or virus causes a problem in one part of the network it can spread throughout the entire network in seconds and bring your whole plant down. Even redundant backup systems can fail simultaneously if their network connections are not protected!


The Tofino Firewall LSM is a traffic control cop for industrial networks, checking all communications on your control network against a list of traffic ‘rules’ that are defined by your controls engineer. Any communication that is not on the ‘allowed’ list will be blocked and reported by the Firewall.


The Tofino Firewall is deployed quickly with easy-to-use visual editing tools. Control engineers can build traffic rules using terms and concepts that are already familiar. Tofino’s unique ‘test’ mode helps test traffic rules without any risk of accidentally blocking communications that are critical to plant operation.


Tofino provides pre-defined templates for over 25 families of popular industrial controllers, including rule definitions to protect devices with known vulnerabilities. These definitions are updated regularly to provide ongoing protection of your critical controllers.


Saves You Money Through:

  • Reduced down time and production losses

  • Lower maintenance costs

  • Improved system reliability and stability


  • Control engineer defines list of traffic rules, specifying which devices are allowed to communicate and what protocols they may use

  • Automatically blocks and reports any traffic that does not match your rules

  • Simple rule definition using graphical drag-and-drop editor

  • Over 50 IT and industrial protocols pre-defined

  • Over 25 pre-defined controller templates

  • Controller vulnerability definitions, with regular update releases

  • Pre-defined ‘special rules’ for advanced traffic filtering and vulnerability protection


  • Isolate critical controllers from threat sources

  • Separate control network into security ‘zones’, restricting communications between zones

  • Protect controllers that exhibit known vulnerabilities


Protects Multiple Devices

Multiple client and server devices are supported, with unique direction and permission settings for each client/server connection

Filter Policy

Deny by default: any network traffic that is not on the ‘allowed’ list is automatically blocked and reported

State Tracking

Stateful Packet Inspection (SPI)

User-Settable Options

IP-based protocols:

  • Source device: specific IP address, network, or ‘any’

  • Destination device: specific IP address, network, broadcast, multicast, or ‘any’

  • Application protocol: any combination of single, list, and/or range of port numbers

  • Direction: incoming, outgoing, bidirectional

Both IP-based and non-IP protocols:

  • Permission: allow, deny, allow/log, deny/no log

Transport Protocols

TCP, UDP, and non-IP protocols supported

Configuration Method

Simple configuration using built-in editor in Tofino Central Management Platform (CMP)

Operating Modes

All standard Tofino modes supported:

  • Passive: no filtering or alerting

  • Test: no traffic filtered; alerts generated as per user-defined rules

  • Operational: traffic filtered and alerts generated as per user-defined rules

Security Alerts

Reports blocked traffic to Tofino CMP management console via Tofino ‘Exception Heartbeat’ mechanism


  • MUSIC-2007 Security Certification

  • Certified Modbus-compliant by Modbus-IDA

Standards Compliance

System Requirements

Ordering Information

Part number LSM-FW-100 (Tofino Firewall LSM)


Additional Information:


PDF Tofino Firewall LSM Data Sheet