IPv4/IPv6 access control lists
Access control lists (ACL) in the FortiOS firmware is a granular or more specifically targeted blacklist. ACL drop IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can really improve performance.
ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.
The following platforms support ACL:
- FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
- FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
- FGT_301E, FGT_500E, FGT_501E.
- FGT_1200D, FGT_1500D, FGT_1500DT.
- FGT_2000E, FGT_2500E.
- FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
- FGT_3800D, FGT_3810D, FGT_3815D.
- FGT_3960E, FGT_3980E.
The configuration of ACL allows you to specify which interface the ACL is applied to. You should be aware of a hardware limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware. Therefore, no CPU resources are used in the processing of the ACL. It is handled by the inside switch chip which can do hardware acceleration, which increases the performance of the FortiGate. The drawback is that the ACL function is only supported on switch fabric driven interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do support ACL.
To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
config firewall acl edit 1 set interface "port2" set srcaddr "all" set dstaddr "Company_Servers" set service "TELNET" next end config firewall acl6 edit 1 set interface "port2" set srcaddr "all" set dstaddr "Company_Servers_v6" set service "TELNET" next end
To check the number of packets drop by an ACL:
# diag firewall acl counter ACL id 1 dropped 0 packets
To clear the packet drop counter:
# diag firewall acl clearcounter
Use the same commands for IPv6 ACL.
# dia firewall acl counter Show number of packets dropped by ACL. counter6 Show number of packets dropped by ACL6. clearcounter Clear ACL packet counter. clearcounter6 Clear ACL6 packet counter.