AXC F 1252

Security context

The AXC F 1252 can be used in various security contexts. Below are three examples of different security contexts.

Decentralized control of an Axioline F station:

Operation as PROFINET device:

Operation as PROFINET device:

Connecting and operating elements

The controller consists of the following components: 

 

Security seals

In order to prevent manipulation of the device supplied and to detect unauthorized opening of the device, security seals have been applied to the controller.

These security seals are damaged in the event of unauthorized opening. In this case, correct operation of the PLCnext Control can no longer be ensured.

  • Check the delivery for transport damage. Damaged packaging is an indicator of potential damage to the device that may have occurred during transport. This could result in a malfunction.
  • Do not open the housing. If the housing is opened, the function of the device can no longer be ensured.
  • Check at regular intervals that none of the seals are damaged. If any of the seals are damaged or missing, the device may have been tampered with. In this case, contact Phoenix Contact without delay before using the device.

 

Security seal

Security integrity indication (LED CSEC)

The AXC F 1252 has a special security integrity indication in the form of a blue LED: CSEC.

| LED | Meaning | Color | State | Description |
|---|---|---|---|---|
| CSEC | Cyber Security | Blue | On | Security incident detected (e.g. Secure Boot failed because the RootFS could not be verified). The firmware was not loaded. The LED lights up briefly at the start of the boot process. This has no security-relevant meaning. |
| | | | Flashing | Security incident detected (e.g. Secure Boot failed because the kernel could not be verified). The firmware was not loaded. |
| | | | Off | No security incident detected. The firmware has been loaded. |

Configuring system time

The AXC F 1252 does not have a battery-buffered realtime clock (RTC). After the supply voltage is interrupted, the system time of the controller is reset. Security-related functions (e.g., event logging, time stamp for signing libraries) are impaired as a result.
Make sure that the system time is automatically synchronized with an NTP server after every interruption of the supply voltage.

To add an NTP server, proceed as follows:

  • Log in to the WBM. 

    Establishing a connection to the Web-based Management (WBM2):

    • Open a web browser on your computer.
    • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
      for example: https://192.168.1.10/wbm.

    For further information, see WBM2.

  • Open the Date & Time page (Configuration → Date & Time). 
  • To add a new NTP server entry, click the button.
     
    ↪ A new window opens.
  • Provide the following information: 
    • Server hostname: IP address of the NTP server
    • Status: Active
    • Min. polling time: The shortest interval at which the NTP client retrieves the current time from the NTP server.
    • Max. polling time: The longest interval at which the NTP client retrieves the current time from the NTP server.
    • Note: The relationship between the minimum and maximum polling time is that together they determine the frequency of the time queries. The NTP client dynamically adjusts the polling intervals within these limits based on the stability and accuracy of the time source and the network conditions. 
Note: Make sure that the firewall basic configurations and the input rules on the Firewall page (Security → Firewall) in the WBM are correct:

Basic Configuration:

Input Rules: 

For information on how to set the system time, refer to the System time topic in the main PLCnext Technology ‑ Info Center.

There are some parameters to be set, e.g. what deviation from the time is acceptable, the maximum unavailability, etc.


Note: If the system time is not synchronized via the NTP server during the boot phase, the controller starts with the last system time before the supply voltage was interrupted.
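The note above means that log entries written after a power interruption can carry the restored, outdated time until the NTP client corrects the clock. The following Python sketch is an added example, not Phoenix Contact code; the log line format, the BOOT marker and the five-minute threshold are assumptions. It marks which entries fall into that window.

```python
from datetime import datetime, timedelta

# Constructed sample log; the line format and the BOOT marker are assumptions.
SAMPLE_LOG = """\
2026-01-12T08:14:55Z INFO application running
2026-01-12T08:15:02Z INFO user login admin
2026-01-12T08:15:03Z BOOT system start
2026-01-12T08:15:09Z WARN user login failed admin
2026-01-12T08:15:14Z INFO firewall rules applied
2026-01-14T06:40:31Z INFO user login admin
2026-01-14T06:41:02Z INFO project downloaded
"""


def parse(log):
    """Split each line into (timestamp, level, message)."""
    entries = []
    for line in log.strip().splitlines():
        stamp, level, message = line.split(" ", 2)
        entries.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), level, message))
    return entries


def classify(entries, min_step=timedelta(minutes=5)):
    """Return (stale, unverified) lists of entry indices.

    stale:      written after a boot and before the clock jumped forward,
                so they carry the restored pre-outage time.
    unverified: written after a boot that never showed a forward jump,
                so the log alone cannot confirm their time.
    """
    stale, unverified, pending = [], [], None   # pending is None outside a boot window
    for i, (ts, level, _msg) in enumerate(entries):
        if level == "BOOT":
            if pending:                          # previous boot never showed a time step
                unverified.extend(pending)
            pending = [i]
        elif pending is not None:
            if ts - entries[i - 1][0] >= min_step:   # clock stepped forward by time sync
                stale.extend(pending)
                pending = None
            else:
                pending.append(i)
    if pending:
        unverified.extend(pending)
    return stale, unverified
```

For the constructed sample, the boot entry and the two entries after it are reported as stale: the failed login and the firewall change happened at an unknown time between the power interruption and the first synchronized entry.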

Configuring firewall settings

Which configurations you make depends on the security context in which you use the controller (see e.g. Security context):

Decentralized control of an Axioline F station

  • Open the Firewall page (Security → Firewall) in the WBM.
  • Open the BASIC CONFIGURATION tab.
  • In the Basic Rules section, select Continue from the drop-down list for Remoting in the Action column.
  • Click the SAVE & APPLY PAGE button.
  • Open the IP INPUT RULES tab.
  • Add a new rule.
  • Provide the following information:
    • Select the interface (refer to the topic of the respective controller).
    • Enter the corresponding IP address (the IP address of the Engineering Station in the superordinate network, refer to the topic Deriving IP addresses).
    • Enter the target port (refer to the topic Configuring basic firewall settings).
    • Select Accept in the Action column.
  • Click the SAVE & APPLY PAGE button.
    ↪ Now you have access from the superordinate network (e.g. PLCnext Engineer).

OR

Operation as PROFINET device

  • Open the Firewall page (Security → Firewall) in the WBM.
  • Open the IP INPUT RULES tab.
  • Provide the following information:
    • Select the interface.
    • Select the protocol.
    • Enter the target port (here: 34964).
    • Select Accept in the Action column.
    • Click the SAVE & APPLY PAGE button.
  • On the IP INPUT RULES tab, add another new rule.
  • Provide the following information:
    • Select the interface.
    • Select the protocol.
    • Enter a target port (here: 49152-65535).
    • Select the action Accept.
    • Click the SAVE & APPLY PAGE button.
  • Open the IP OUTPUT RULES tab.
  • Add a new rule.
  • Provide the following information:
    • Enter the target port.
    • Select Accept in the Action column.
  • Click the SAVE & APPLY PAGE button.

OR

Operation as PROFINET controller

  • Open the Firewall page (Security → Firewall) in the WBM.
  • Provide the following information:
    • Select the interface (refer to the topic of the respective controller).
    • Enter the corresponding IP address (the IP address of the Engineering Station in the superordinate network, refer to the topic Deriving IP addresses). 
    • Enter the target port (refer to the topic Configuring basic firewall settings ). 
  • Click the SAVE & APPLY PAGE button. 
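
After applying the rules for a security context, it is worth comparing the Accept rules actually configured with the ones the context calls for. The following Python sketch is an added example, not part of the Phoenix Contact documentation; the rule dictionaries, the value "any" for a rule without a source address, and the engineering station address and port are constructed placeholders.

```python
# Expected Accept input rules per security context, from the steps above.
# ENGINEERING_IP and ENGINEERING_PORT are constructed placeholders; take the
# real values from "Deriving IP addresses" and "Configuring basic firewall settings".
ENGINEERING_IP = "192.0.2.20"
ENGINEERING_PORT = "41100"

EXPECTED = {
    "decentralized": [(ENGINEERING_IP, ENGINEERING_PORT)],
    "profinet_device": [("any", "34964"), ("any", "49152-65535")],
}


def port_range(spec):
    """'34964' -> (34964, 34964); '49152-65535' -> (49152, 65535)."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def audit(context, rules):
    """Return findings for Accept rules that differ from the expected set."""
    expected = {(src, port_range(p)) for src, p in EXPECTED[context]}
    actual = {(r["source"], port_range(r["ports"]))
              for r in rules if r["action"] == "Accept"}
    findings = [f"missing {src} {lo}-{hi}" for src, (lo, hi) in sorted(expected - actual)]
    for src, (lo, hi) in sorted(actual - expected):
        # A rule that contains an expected port range without being the expected
        # rule has a wider source or a wider range than the context needs.
        widened = any(lo <= e_lo and e_hi <= hi for _, (e_lo, e_hi) in expected)
        findings.append(f"{'too broad' if widened else 'unexpected'} {src} {lo}-{hi}")
    return findings


# Constructed rule sets, as they might be transcribed from the IP INPUT RULES tab.
DRIFTED_DECENTRALIZED = [
    {"source": "any", "ports": "41100", "action": "Accept"},
]
PROFINET_DEVICE_OK = [
    {"source": "any", "ports": "34964", "action": "Accept"},
    {"source": "any", "ports": "49152-65535", "action": "Accept"},
]
PROFINET_DEVICE_EXTRA = PROFINET_DEVICE_OK + [
    {"source": "any", "ports": "22", "action": "Accept"},
]
```

The first constructed rule set shows the case that matters most in the decentralized context: the engineering port is accepted, but without the restriction to the Engineering Station address.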

Configuring system services

Activating further system services can compromise security

Before activating further system services, you must perform a risk and threat analysis of the system service and its impact on the security of the device and the application, taking into account the overall security context.

The following system services (System → System services in the WBM) are activated by default for secure-by-default devices:

Using PROFINET

| Designation | Meaning | Color | State | Description |
|---|---|---|---|---|
| BF-C | Bus error at PROFINET controller | Red/yellow | | AXC F 1252 as PROFINET controller |
| | | | Red on | Bus error. No link status at the Ethernet interface and/or no 100 Mbit transmission and/or no full duplex mode. |
| | | | Flashing red (0.5 Hz) | Bus error. Link status present at the Ethernet interface but at least one configured PROFINET device has no communication connection. |
| | | | Flashing yellow (2 Hz) | No bus error. PROFINET device identification (DCP Signal Service) has been enabled. |
| | | | Off | No bus error. The AXC F 1252 has established an active communication connection to each configured PROFINET device. Or: No PROFINET devices are configured. Or: The PROFINET controller function is disabled. |
| BF-D | Bus error at PROFINET device | Red/yellow | | AXC F 1252 as PROFINET device |
| | | | Red on | Bus error. No link status at the Ethernet interface; a communication connection cannot be established. |
| | | | Flashing red (0.5 Hz) | Bus error. Link status present at the Ethernet interface but there is no communication connection to the PROFINET controller. |
| | | | Flashing yellow (2 Hz) | No bus error. PROFINET device identification (DCP Signal Service) has been enabled. |
| | | | Off | No bus error. An active communication connection has been established between the PROFINET controller and the AXC F 1252. Or: The PROFINET device function is disabled. |

Note: If the LEDs flash red, check your security context and decide whether you want to use PROFINET or not. If you do not want to use PROFINET, you must deactivate PROFINET on the system services page (System → System services) in the WBM.

How to reset the controller

General information

There are two reset types that you can use to reset the controller:
Reset type 1 and reset type 2.
Both reset types delete all the settings you have made. Reset type 2 also provides a recovery system that can be used to install new firmware.

  • Perform reset type 1 if you wish to delete all the settings you have made.
  • Perform reset type 2 if the firmware installed on the device is compromised or faulty and the controller is no longer booting correctly as a result (for further information, refer to Secure by default: Resetting with reset type 2).
Component to be deleted during the reset Reset type 1 Reset type 2
PLCnext Engineer project
IEC 61131‑3 applications
High-level language applications
Configured bus configuration
Network settings
Changes and extensions that you have made to the operating system, to the firmware, or in the WBM
Proficloud.io connection
After the reset:
Recovery system is started
X

How to reset with reset type 1

To reset your controller with reset type 1, proceed as follows:

NOTICE

Unintentional reset with reset type 2

If you do not release the reset button in time, the controller is reset with reset type 2. In this case, the controller is not restarted automatically after resetting. You must open the recovery system and perform one of the possible actions (see Secure by default: Resetting with reset type 2).

  • When resetting with reset type 1, observe the status of the STAT LED.
  • Release the reset button as soon as the STAT LED flashes yellow.

 

  • Disconnect the power to the controller.
  • Press and hold down the reset button with a non-conductive, pointed object.
  • Hold down the reset button and switch the supply voltage of the controller on.
  • Press and hold the reset button until the STAT LED flashes yellow. The process takes approx. 2 seconds.
    While the reset button is pressed, the LEDs behave as follows:
    • The CSEC LED starts to light up blue.
    • The STAT LED starts to flash yellow.
  • As soon as the STAT LED flashes yellow, release the reset button.
    ↪ The STAT LED briefly lights up green, then the CSEC LED goes out.
    ↪ The controller is reset with reset type 1. During the reset process, all LEDs are off.

Once the reset process has been completed, the controller is restarted automatically. 

After the reset:

  • Before starting up the controller again, perform all the steps that were necessary for the initial startup of the controller. Please refer to the corresponding user manual.

Alternatively, you can also reset the controller via the WBM with reset type 1 (System → Device maintenance).

 

How to reset with reset type 2

To reset your controller with reset type 2, proceed as follows:

  • Disconnect the power to the controller.
  • Press and hold down the reset button with a non-conductive, pointed object.
  • Hold down the reset button and switch the supply voltage of the controller on.
  • Press and hold the reset button until the STAT LED lights up green. The process takes approx. 40 seconds.
    While the reset button is pressed, the LEDs behave as follows:
    • The CSEC LED starts to light up blue.
    • The STAT LED starts to flash yellow.
    • The STAT LED starts to light up green.
  • Release the reset button as soon as the STAT LED lights up green.
    ↪ All LEDs go out.
    Shortly thereafter, the STAT LED starts to flash red/yellow.
    ↪ The controller is reset with reset type 2 and the recovery system is started.
  • Connect the controller to your PC using a suitable Ethernet cable.
  • Open your web browser.
  • Open the recovery system via the URL http://192.168.1.10.
    If the recovery system does not open:
    Check whether the URL you entered in the web browser actually starts with “http://”.
    The recovery system cannot be opened via an HTTPS connection.
    Please note:
    • As long as the recovery system is active, the LNK and ACT LEDs on the Ethernet interface are switched off (even when the Ethernet connection is active).
    • As long as the recovery system is active, the reset button has no function.

You can perform the following actions in the recovery system: 

  • Install new firmware
  • Restart the controller with the existing firmware

 

Project integrity

Information on this can be found in the topic Secure by default: Checking project integrity .

 

 

 


• Published/reviewed: 2026-01-30 • Revision 020 •