Access Control List
Global > Access Control List creates ACLs from the objects defined in System > Address and Service. For details, see Address and Service for the IPv4, IPv6, Geolocation and Service objects. These objects must be created before a Global Access Control List can be created.
Global ACLs protect all Service Protection Profiles (SPPs) and are always in Prevention Mode. Setting an SPP to Detection Mode does not allow packets that match a Global ACL to pass; they are always dropped. Almost all Global ACLs can instead be configured as SPP-based ACLs, which do follow the SPP's Detection (report but pass) and Prevention (report and drop) rules. It is highly recommended that ACLs be created in the Service Protection Profiles when required, rather than globally.
IPv4 and IPv6 ACLs are configured separately, each with their dedicated tabs in the Access Control List page.
Note 1: Source/Destination, Addresses/Groups and Services/Groups can be combined to create an ACL that drops one Service type between an IP Pair in a specific direction, for example. Check your configuration to avoid unexpected drops.
Note 2: If you deactivate (disable "Status" in the Global > Access Control menu) or delete a Global ACL, you will no longer be able to see drops from that ACL in the Monitor > DROPS MONITOR > Global graphs. Logs are retained.
| ACL type | Maximum supported |
|---|---|
| IPv4 Address/Geolocation/Address Group | 1024 |
| IPv6 Address/Address Group | 1024 |
| Service | 1024 |
| Service Group | 256 |
Before you begin:
- Configure the IPv4, IPv6, ACLs, Geolocation and Service objects in System > Address and Service.
To configure Global Access Control Lists:
- Go to Global Protection > Access Control List.
- Click the IPv4 or IPv6 tab.
- Click Create New to display the configuration editor.
- Configure the following parameters for either IPv4 or IPv6.
| Parameter | Description |
|---|---|
| Name | Name of the ACL. Maximum 25 characters (A-Z, a-z, 0-9, - and _ only). |
| Status | Enable/disable the ACL. When enabled, a Reject ACL always drops matching packets, even if the Protected IP matches an SPP that is in Detection Mode; use with care. When disabled, matching traffic is passed. |
| Action | Reject: deny and drop. Accept: allow the traffic to pass through the remaining mitigations; this has the same effect as disabling the Status. For allowlists, use Track and Allow or Do Not Track instead. |
| Source Type | Address or Address Group. |
| Source Address / Source Address Group | If the Source Type is Address, select the preconfigured Address, Range, or Geolocation (IPv4 only) object that matches the source from the drop-down menu. If the Source Type is Address Group, select the preconfigured Address Group object that matches the source. The default is ANY address. |
| Destination Type | Address or Address Group. |
| Destination Address / Destination Address Group | If the Destination Type is Address, select the preconfigured Address, Range, or Geolocation (IPv4 only) object that matches the destination from the drop-down menu. If the Destination Type is Address Group, select the preconfigured Address Group object that matches the destination. The default is ANY address. |
| Service Type | Service or Service Group. |
| Service / Service Group | If the Service Type is Service, select the preconfigured Service object from the drop-down menu. If the Service Type is Service Group, select the preconfigured Service Group object. The default is ALL services. |
- Click Save.
Operation
Once the ACL has been successfully created, it will appear in the IPv4 or IPv6 table on the Global Protection > Access Control List page.
The system evaluates the list from top to bottom, performs the Action of the first matching ACL and does not evaluate any further entries. Use the up/down arrows to position ACLs so that you get the expected results.
For example, if GlobalTestACL (Source Address object Test) is listed above an ACL whose Source Address object test5 is an address range that contains Test, traffic from Test is blocked by GlobalTestACL even though it also falls inside the test5 range, because GlobalTestACL is evaluated first.
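To check how an ACL table will behave before committing it, here is an added example (not FortiDDoS code; the object names, addresses, ports and Python types are all constructed) that models the first-match, top-to-bottom evaluation described above, the Status/Reject/Accept rules from the parameter table, the Name rule, and the difference between a Global ACL and an SPP-based ACL when the SPP is in Detection Mode.

```python
# Added example (not FortiDDoS code): a model of how the ACL table on this
# page is evaluated, so an ordering can be checked against sample traffic
# before it is committed. Object names, addresses and types are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
NET = ipaddress.ip_network


def valid_name(name: str) -> bool:
    """Name rule from the parameter table: max 25 chars, A-Z a-z 0-9 - _ only."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,25}", name) is not None


@dataclass(frozen=True)
class Service:
    protocol: str = "any"   # "tcp", "udp", "icmp" or "any"
    first_port: int = 0     # inclusive destination-port range
    last_port: int = 65535

    def covers(self, protocol: str, dport: int) -> bool:
        return (self.protocol in ("any", protocol)
                and self.first_port <= dport <= self.last_port)


@dataclass(frozen=True)
class ACL:
    name: str
    action: str                          # "Reject" or "Accept"
    status: bool = True                  # disabled entries are skipped
    source: Optional[IPNetwork] = None   # None = ANY source
    dest: Optional[IPNetwork] = None     # None = ANY destination
    service: Optional[Service] = None    # None = ALL services


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def matches(acl: ACL, pkt: Packet) -> bool:
    """Every configured field must match; ANY/ALL fields match everything."""
    if acl.source is not None and ipaddress.ip_address(pkt.src) not in acl.source:
        return False
    if acl.dest is not None and ipaddress.ip_address(pkt.dst) not in acl.dest:
        return False
    if acl.service is not None and not acl.service.covers(pkt.protocol, pkt.dport):
        return False
    return True


def evaluate(acls, pkt: Packet, scope: str = "global",
             spp_detection_mode: bool = False) -> Tuple[str, Optional[str]]:
    """Top-to-bottom, first enabled match wins; returns (verdict, acl name).
    scope="global": a Reject match is always dropped, whatever mode the SPP is in.
    scope="spp": a Reject match is dropped in Prevention Mode but only reported
    (and passed) when the SPP is in Detection Mode."""
    for acl in acls:
        if not acl.status or not matches(acl, pkt):
            continue
        if acl.action == "Accept":
            return ("pass", acl.name)      # on to the remaining mitigations
        if scope == "spp" and spp_detection_mode:
            return ("pass", acl.name)      # reported but not dropped
        return ("drop", acl.name)
    return ("pass", None)                  # no match: remaining mitigations apply


# Constructed objects: "Test" is a single host inside the "test5" range.
TEST_HOST = NET("203.0.113.10/32")
TEST_RANGE = NET("203.0.113.0/24")

# Specific Reject above the broad Accept: traffic from the host is blocked.
SPECIFIC_FIRST = [
    ACL("GlobalTestACL", "Reject", source=TEST_HOST),
    ACL("AllowTestRange", "Accept", source=TEST_RANGE),
]
# Same two entries after a "Move down": the Accept now shadows the Reject.
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

# Note 1 on this page: one service, one address pair, one direction only.
DNS_ONLY = [
    ACL("BlockDNSToResolver", "Reject", source=NET("198.51.100.0/24"),
        dest=NET("192.0.2.53/32"), service=Service("udp", 53, 53)),
]

PKT_FROM_TEST = Packet("203.0.113.10", "192.0.2.80", "tcp", 443)

if __name__ == "__main__":
    print("specific first:", evaluate(SPECIFIC_FIRST, PKT_FROM_TEST))
    print("broad first:   ", evaluate(BROAD_FIRST, PKT_FROM_TEST))
    print("SPP ACL, Detection Mode:",
          evaluate(SPECIFIC_FIRST, PKT_FROM_TEST, scope="spp", spp_detection_mode=True))
```

Run it as a script to see the two orderings side by side; with the Reject on top the host is dropped, after one "Move down" the broad Accept matches first and the host passes to the remaining mitigations. Passing `spp_detection_mode=True` changes nothing for `scope="global"`, which is the point of the warning at the top of this page.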
| Parameter | Description |
|---|---|
| Name | Name of the ACL. |
| Status | Enabled or Disabled. |
| Action | Reject or Accept. |
| Source Address | System > Address and Service object monitored as a Source Address, or ANY Source. |
| Destination Address | System > Address and Service object monitored as a Destination Address, or ANY Destination. |
| Service | System > Address and Service object monitored as a Service, or ALL services. |
| Edit/Navigation Icons | Edit, Delete, Clone, Move up, Move down icons. Note: ACLs are evaluated from the top to the bottom of the list. |
To configure using the CLI:

```
config ddos global {acl-ipv4 | acl-ipv6}
  edit <name>
    set action {Reject | Accept}
    set {source | dest}-addr{4 | 6} {Any | <name of System > Address and Service object>}
    set {source | dest}-addr-type {addr{4 | 6} | addr{4 | 6}-grp}
    set service-id {ALL | <name of System > Address and Service object>}
    set service-type {service | service-grp}
    set status {enable | disable}
  end
```