Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

router {access-list | access-list6}

Use this command to configure routing access lists for either IPv4 (access-list) or IPv6 (access-list6).

Access lists are filters used by FortiGate routing processes. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.

The FortiGate attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.

note icon If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0 can not be exactly matched with an access list; a prefix list must be used for this purpose. For more information, see router {prefix-list | prefix-list6}.
config router access-list
    edit {name}
    # Configure access lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # Rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Permit or allow this IP address and netmask prefix.
                        deny    Deny this IP address and netmask prefix.
                set prefix {string}   IPv4 prefix to define regular filter criteria, such as "any" or subnets.
                set wildcard {string}   Wildcard to define Cisco-style wildcard filter criteria.
                set exact-match {enable | disable}   Enable/disable exact match.
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end
config router access-list6
    edit {name}
    # Configure IPv6 access lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # Rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Permit or allow this IP address and netmask prefix.
                        deny    Deny this IP address and netmask prefix.
                set prefix6 {string}   IPv6 prefix to define regular filter criteria, such as "any" or subnets.
                set exact-match {enable | disable}   Enable/disable exact prefix match.
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

edit {name}

The name of the access list. An access list and a prefix list cannot have the same name.

action {permit | deny}

Set the action to take for this prefix. The default is permit.

exact-match {enable | disable}

Enable or disable (by default) matching only the configured prefix.

wildcard {string}

Note: This variable is only used for IPv4 access lists.

Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process “even” or “odd” networks according to any network address octet).

For best results, do not specify a wildcard attribute unless prefix is set to any.

 

 

 

router {access-list | access-list6}

Use this command to configure routing access lists for either IPv4 (access-list) or IPv6 (access-list6).

Access lists are filters used by FortiGate routing processes. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.

The FortiGate attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.

note icon If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0 can not be exactly matched with an access list; a prefix list must be used for this purpose. For more information, see router {prefix-list | prefix-list6}.
config router access-list
    edit {name}
    # Configure access lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # Rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Permit or allow this IP address and netmask prefix.
                        deny    Deny this IP address and netmask prefix.
                set prefix {string}   IPv4 prefix to define regular filter criteria, such as "any" or subnets.
                set wildcard {string}   Wildcard to define Cisco-style wildcard filter criteria.
                set exact-match {enable | disable}   Enable/disable exact match.
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end
config router access-list6
    edit {name}
    # Configure IPv6 access lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # Rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Permit or allow this IP address and netmask prefix.
                        deny    Deny this IP address and netmask prefix.
                set prefix6 {string}   IPv6 prefix to define regular filter criteria, such as "any" or subnets.
                set exact-match {enable | disable}   Enable/disable exact prefix match.
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

edit {name}

The name of the access list. An access list and a prefix list cannot have the same name.

action {permit | deny}

Set the action to take for this prefix. The default is permit.

exact-match {enable | disable}

Enable or disable (by default) matching only the configured prefix.

wildcard {string}

Note: This variable is only used for IPv4 access lists.

Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process “even” or “odd” networks according to any network address octet).

For best results, do not specify a wildcard attribute unless prefix is set to any.