Handbook

Access Control List

Global Protection > Access Control List builds ACLs from the objects defined under System > Address and Service. For details on the IPv4, IPv6, ACL, Geolocation and Service objects, see Address and Service. These objects must exist before a Global Access Control List can reference them.

Global ACLs protect all Service Protection Profiles and are always in Prevention Mode. Setting a Service Protection Profile to Detection Mode will not allow Global ACL matching packets to pass. They will always be dropped.

IPv4 and IPv6 ACLs are configured separately, each with their dedicated tabs in the Access Control List page.

Note: Source/Destination, Address/Address Group and Service/Service Group selections combine into a single match condition, so one ACL can, for example, drop a single Service between one IP pair in one direction. Review the combined condition before enabling an ACL to avoid unexpected drops.

ACL type                                    Maximum supported
IPv4 Address/Geolocation/Address Group      1024
IPv6 Address/Address Group                  1024
Service                                     1024
Service Group                               256
Before you begin:
  • Configure the IPv4, IPv6, ACLs, Geolocation and Service objects in System > Address and Service.
To configure Global Access Control Lists:
  1. Go to Global Protection > Access Control List.
  2. Click the IPv4 or IPv6 tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following parameters for either IPv4 or IPv6.

    Parameter

    Description

    Name Name of the ACL. Maximum 25 characters (A-Z, a-z, 0-9, hyphen and underscore only).
    Status

    Enable/disable the ACL.

    When enabled with Action Reject, the ACL always drops matching packets, even if the Protected IP belongs to an SPP that is in Detection Mode. Use with care.

    When disabled, the ACL is skipped and matching traffic is passed to the remaining mitigations.

    Action

    Select either of the following options:

    • Reject — Deny and drop.

    • Accept — Allow to pass through remaining mitigations. This action is the same as disabling the Status.

    For Allowlists, use Track and Allow or Do Not Track.

    Source Type

    Select either of the following options:

    • Address

    • Address Group

    Source Address/ Source Address Group

    If the Source Type is Address:

    Select the preconfigured Address, Range, or Geolocation (IPv4 only) object that matches the Source from the drop-down menu.

    If the Source Type is Address Group:

    Select the preconfigured Address Group object that matches the Source from the drop-down menu.

    The default is ANY address.

    Destination Type

    Select either of the following options:

    • Address

    • Address Group

    Destination Address/ Destination Address Group

    If the Destination Type is Address:

    Select the preconfigured Address, Range, or Geolocation (IPv4 only) object that matches the Destination from the drop-down menu.

    If the Destination Type is Address Group:

    Select the preconfigured Address Group object that matches the Destination from the drop-down menu.

    The default is ANY address.

    Service Type

    Select either of the following options:

    • Service

    • Service Group

    Service/ Service Group

    If the Service Type is Service:

    Select the preconfigured Service objects from the drop-down menu.

    If the Service Type is Service Group:

    Select the preconfigured Service Group objects from the drop-down menu.

    The default is ALL services.

  5. Click Save.

Operation

Once the ACL has been successfully created, it will appear in the IPv4 or IPv6 table on the Global Protection > Access Control List page.

The system evaluates the list from top to bottom, stops at the first ACL whose Source, Destination and Service all match, performs that ACL's Action and does not evaluate any further ACL. Use the up/down arrows to position ACLs so that more specific entries sit above broader ones, otherwise a broad entry higher in the list silently overrides them.

For example, in the list below, traffic from the Source Address object Test is rejected by GlobalTestACL even though Test also falls within AddressRange, the Source Address of the later ACL test5, because GlobalTestACL is evaluated first.

Parameter                  Description
Name                       Name of the ACL.
Status                     Enabled or Disabled.
Action                     Reject or Accept.
Source Address             System > Address and Service object matched as the Source Address, or ANY Source.
Destination Address        System > Address and Service object matched as the Destination Address, or ANY Destination.
Service                    System > Address and Service object matched as the Service, or ALL services.
Edit/Navigation Icons      Edit, Delete, Clone, Move up, Move down icons.

Note: ACLs are evaluated top-to-bottom of the list.
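The following is an added illustrative model of the first-match behaviour described above, not Fortinet code and not taken from the FortiDDoS CLI. It reuses the page's example names (GlobalTestACL, test5, Test, AddressRange) and fills them with constructed TEST-NET addresses and service objects; `verdict()` reproduces the rule that a Reject match drops regardless of SPP mode while Accept or no match continues to the remaining mitigations, and `shadowed()` is an assumed helper that flags an ACL that can never match because an earlier one already covers it, which is the configuration mistake the ordering example warns about.

```python
# Added illustrative model of Global ACL first-match evaluation. Not Fortinet
# code; object names come from the page's example, contents are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for System > Address and Service objects (IPv4 only,
# as the page configures IPv4 and IPv6 ACLs separately). A single address is
# represented as a /32; "Any" is the default for Source and Destination.
ADDRESSES = {
    "Any": [ip_network("0.0.0.0/0")],
    "Test": [ip_network("203.0.113.10/32")],
    "AddressRange": [ip_network("203.0.113.0/24")],
}
# A Service object is a set of (protocol, port); None means ALL services.
SERVICES = {
    "ALL": None,
    "HTTP": {("tcp", 80)},
    "DNS": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Acl:
    name: str
    action: str             # "Reject" or "Accept"
    status: str = "enable"  # "enable" or "disable"
    source: str = "Any"
    dest: str = "Any"
    service: str = "ALL"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def addr_matches(obj, ip):
    return any(ip_address(ip) in net for net in ADDRESSES[obj])


def svc_matches(obj, proto, port):
    svc = SERVICES[obj]
    return svc is None or (proto, port) in svc


def first_match(acls, pkt):
    """Return the first enabled ACL whose Source, Destination and Service all
    match; a disabled ACL is skipped as if it were not in the list."""
    for acl in acls:
        if acl.status != "enable":
            continue
        if (addr_matches(acl.source, pkt.src)
                and addr_matches(acl.dest, pkt.dst)
                and svc_matches(acl.service, pkt.proto, pkt.dport)):
            return acl
    return None


def verdict(acls, pkt, spp_mode="Prevention"):
    """Global ACLs are always in Prevention Mode: a Reject match drops the
    packet even when spp_mode is "Detection". Accept, or no match at all,
    hands the packet to the remaining mitigations ("continue")."""
    acl = first_match(acls, pkt)
    if acl is not None and acl.action == "Reject":
        return ("drop", acl.name)  # spp_mode is deliberately ignored here
    return ("continue", acl.name if acl else None)


def covers(outer, inner):
    """True if ACL `outer` matches every packet that ACL `inner` matches."""
    def addr_covers(a, b):
        return all(any(n.subnet_of(m) for m in ADDRESSES[a])
                   for n in ADDRESSES[b])
    svc_o, svc_i = SERVICES[outer.service], SERVICES[inner.service]
    svc_ok = svc_o is None or (svc_i is not None and svc_i <= svc_o)
    return (addr_covers(outer.source, inner.source)
            and addr_covers(outer.dest, inner.dest) and svc_ok)


def shadowed(acls):
    """Names of enabled ACLs that can never match because a single earlier
    enabled ACL already covers them. Unions of several earlier ACLs are not
    considered, so this check under-reports rather than over-reports."""
    enabled = [a for a in acls if a.status == "enable"]
    return [later.name for j, later in enumerate(enabled)
            if any(covers(earlier, later) for earlier in enabled[:j])]


if __name__ == "__main__":
    acls = [Acl("GlobalTestACL", "Reject", source="Test"),
            Acl("test5", "Accept", source="AddressRange")]
    pkt = Packet("203.0.113.10", "198.51.100.5", "tcp", 80)
    print(verdict(acls, pkt, spp_mode="Detection"))  # ('drop', 'GlobalTestACL')
    print(shadowed(list(reversed(acls))))             # ['GlobalTestACL']
```

Run against your own exported list, the `shadowed()` output is the set of entries whose position should be questioned before Save; the Detection Mode call shows why a Reject entry placed too high cannot be "tested" by switching the SPP mode.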

To configure using the CLI:

config ddos global {acl-ipv4 | acl-ipv6}
   edit <name>
      set action {Reject | Accept}
      set {source | dest}-addr{4 | 6} {Any | <name of System > Address and Service object>}
      set {source | dest}-addr-type {addr{4 | 6} | addr{4 | 6}-grp}
      set service-id {ALL | <name of System > Address and Service object>}
      set service-type {service | service-grp}
      set status {enable | disable}
   next
end