Fortinet Document Library
Cookbook 6.2.0

IPv4/IPv6 access control lists

Access control lists (ACLs) in FortiOS firmware are a granular, specifically targeted blacklist. An ACL drops IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can significantly improve performance.

ACLs are available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first operations performed on a packet, and the check is done by the NP6 processor. The result is very efficient protection that uses no CPU or memory resources.

The following platforms support ACL:

  • FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
  • FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
  • FGT_301E, FGT_500E, FGT_501E.
  • FGT_1200D, FGT_1500D, FGT_1500DT.
  • FGT_2000E, FGT_2500E.
  • FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
  • FGT_3800D, FGT_3810D, FGT_3815D.
  • FGT_3960E, FGT_3980E.

Limitation

The ACL configuration lets you specify which interface the ACL is applied to, but you should be aware of a hardware limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware, so no CPU resources are used to process it. It is handled by the internal switch chip, which performs hardware acceleration and thereby increases the performance of the FortiGate. The drawback is that the ACL function is only supported on switch-fabric-driven interfaces; it cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do support ACL.

Sample configuration

To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:

config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end
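The two CLI blocks above are written by hand for one rule. When several ACLs have to stay in sync between the IPv4 and IPv6 tables, it is easy to forget one side or to point an entry at an interface the Limitation section says the ISF cannot handle. The following Python is an added example, not Fortinet code and not from the FortiOS CLI: it renders paired acl/acl6 entries from one rule description and refuses interfaces that the caller lists as hardware switch members. The AclRule fields, the render_acl function and the hw_switch_members set are assumptions made for this example; the emitted command syntax is the one shown on the page.

```python
# Added example (not Fortinet's code): render paired IPv4/IPv6 FortiOS ACL
# entries from one rule description, and reject interfaces that the
# Limitation section says ACL cannot be applied to (hardware switch members).
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass
class AclRule:
    """One ACL entry; dstaddr_v4/dstaddr_v6 name the address objects for each table."""
    acl_id: int
    interface: str
    service: str
    srcaddr: str = "all"
    dstaddr_v4: Optional[str] = None
    dstaddr_v6: Optional[str] = None


def render_acl(rules: Iterable[AclRule],
               hw_switch_members: FrozenSet[str] = frozenset()) -> str:
    """Return CLI text for 'config firewall acl' and 'config firewall acl6'.

    hw_switch_members is a constructed set of interface names that belong to a
    hardware switch on the target unit; such entries are rejected up front so the
    script does not push configuration the hardware will not enforce.
    """
    rules = list(rules)
    for r in rules:
        if r.interface in hw_switch_members:
            raise ValueError(
                f"rule {r.acl_id}: ACL cannot be applied to hardware switch "
                f"member {r.interface!r}")
        if not (r.dstaddr_v4 or r.dstaddr_v6):
            raise ValueError(f"rule {r.acl_id}: no destination address object")

    out: List[str] = []
    # Each table only receives the rules that have an address object for it.
    for table, attr in (("acl", "dstaddr_v4"), ("acl6", "dstaddr_v6")):
        entries = [r for r in rules if getattr(r, attr)]
        if not entries:
            continue
        out.append(f"config firewall {table}")
        for r in entries:
            out += [
                f"    edit {r.acl_id}",
                f'        set interface "{r.interface}"',
                f'        set srcaddr "{r.srcaddr}"',
                f'        set dstaddr "{getattr(r, attr)}"',
                f'        set service "{r.service}"',
                "    next",
            ]
        out.append("end")
    return "\n".join(out) + "\n"


# Constructed sample: the page's Telnet rule, plus a hardware switch membership
# list that the renderer checks against.
TELNET_RULE = AclRule(acl_id=1, interface="port2", service="TELNET",
                      dstaddr_v4="Company_Servers", dstaddr_v6="Company_Servers_v6")
HW_SWITCH_MEMBERS = frozenset({"internal1", "internal2"})  # constructed, not from the page


def telnet_block_config() -> str:
    """CLI text for the page's sample rule."""
    return render_acl([TELNET_RULE], HW_SWITCH_MEMBERS)


def rejects_hw_switch_member() -> bool:
    """True when a rule on a hardware switch member is refused."""
    bad = AclRule(acl_id=2, interface="internal1", service="TELNET",
                  dstaddr_v4="Company_Servers")
    try:
        render_acl([bad], HW_SWITCH_MEMBERS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(telnet_block_config(), end="")
```

The rendered text is meant to be pasted into, or scripted against, the FortiOS CLI; the renderer itself only builds the text and performs the interface check.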

Sample troubleshooting

To check the number of packets dropped by an ACL:
# diag firewall acl counter
ACL id 1 dropped 0 packets
To clear the packet drop counter:
# diag firewall acl clearcounter

Use the same commands for IPv6 ACL.

# dia firewall acl
counter          Show number of packets dropped by ACL.
counter6         Show number of packets dropped by ACL6.
clearcounter     Clear ACL packet counter.
clearcounter6    Clear ACL6 packet counter.