Layer three ACL configurations for Wireless APs
For FortiAP devices (6.4.0 and later) that are managed by FortiGate, a layer three (L3) access control list (ACL) can be applied to a bridge or tunnel mode SSID.
Example
In this example:
- Rule 10 blocks all traffic to 172.16.200.44
- Rule 20 blocks all ICMP traffic (IP protocol 1)
- Rule 30 blocks traffic to destination port 21 (FTP)
To configure L3 ACL:
- Create L3 firewall rules:
    config wireless-controller access-control-list
        edit "ACL-1"
            config layer3-ipv4-rules
                edit 10
                    set dstaddr 172.16.200.44/255.255.255.255
                    set action deny
                next
                edit 20
                    set protocol 1
                    set action deny
                next
                edit 30
                    set dstport 21
                    set action deny
                next
            end
        next
    end
- Apply the ACL to the VAP (SSID):
    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "starr-ssid.fap.01"
            set passphrase **********
            set local-bridging enable
            set access-control-list "ACL-1"
        next
    end
- Check the rules on the FortiGate:
    # diagnose wireless-controller wlac -c afwprof
    AFWPROF (001/001) vdom,name: vdom1, ACL-1
     refcnt  : 2 own(1) wlan(1)
     deleted : no
     Layer3 ipv4 rule : 3
    -----------------------------------------------------------------------
    ##### Policy  Prot  Source     ==>  Destination
    -----------------------------------------------------------------------
       10  deny    any   any:any    ==>  172.16.200.44/32:any
       20  deny    1     any:any    ==>  any:any
       30  deny    any   any:any    ==>  any:21
    -----------------------------------------------------------------------
     wlan cnt : 1
       vap 001 : 1 wifi.fap.01
- Confirm that the L3 rules are pushed to the FortiAP:
    # cw_diag -c afw-rules
    Interface wlan00 firewall rules:
    ===============================================================================
    RuleID  HitCounter  Policy  Prot  (IPv4)Source ==> Destination
    ------- ----------  ------  ----  ------------------------------------------------
    10      0           deny    any   any:any ==> 172.16.200.44/32:any
    20      0           deny    1     any:any ==> any:any
    30      0           deny    any   any:any ==> any:21
    ===============================================================================
- On the client, confirm that the rules are applied:
- Rule 10: Traffic to 172.16.200.44 is blocked, and traffic to other destinations is allowed:
    root@pc_wifi:~# curl 172.16.200.44 -v
    * Rebuilt URL to: 172.16.200.44/
    *   Trying 172.16.200.44...
    * connect to 172.16.200.44 port 80 failed: Connection timed out
    * Failed to connect to 172.16.200.44 port 80: Connection timed out
    * Closing connection 0
    curl: (7) Failed to connect to 172.16.200.44 port 80: Connection timed out
    root@pc_wifi:~#
    root@pc_wifi:~# curl -k https://172.18.56.163
    <html><body><h1>It works!</h1>
    <p>This is the default web page for this server-44.</p>
    <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
- Rule 20: ICMP traffic is blocked and HTTPS traffic is allowed:
    root@pc_wifi:~# ping 172.16.200.44
    PING 172.16.200.44 (172.16.200.44) 56(84) bytes of data.
    ^C
    --- 172.16.200.44 ping statistics ---
    86 packets transmitted, 0 received, 100% packet loss, time 85680ms
    root@pc_wifi:~# curl -k https://172.18.56.163
    <html><body><h1>It works!</h1>
    <p>This is the default web page for this server-44.</p>
    <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
- Rule 30: FTP traffic is blocked:
    root@pc_wifi:~# ftp 172.18.56.163
    ftp: connect: Connection timed out
    ftp> ^C
    ftp> bye
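The verification steps above can be automated: the following added example (not Fortinet code) parses the rule table printed by cw_diag -c afw-rules and replays the client tests against it. The matching semantics (first matching rule decides, flows that match no rule are allowed) are an assumption drawn from the client results on this page, not from Fortinet documentation; the sample output is constructed from the table shown above.

```python
import ipaddress
import re

# Constructed sample: the rule table shown by 'cw_diag -c afw-rules' on this page.
CW_DIAG_OUTPUT = """\
Interface wlan00 firewall rules:
RuleID HitCounter Policy Prot (IPv4)Source ==> Destination
------- ---------- ------ ---- ------------------------------------------------
10 0 deny any any:any ==> 172.16.200.44/32:any
20 0 deny 1 any:any ==> any:any
30 0 deny any any:any ==> any:21
"""

# One rule row: id, hit counter, policy, protocol, src:sport ==> dst:dport
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+):(\S+)\s+==>\s+(\S+):(\S+)\s*$")


def _field(value, conv):
    """'any' becomes None (wildcard); everything else is converted."""
    return None if value == "any" else conv(value)


def parse_rules(text):
    """Return the rules the AP lists, in order; banner/header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rid, hits, action, proto, src, sport, dst, dport = m.groups()
            rules.append({"id": int(rid), "hits": int(hits), "action": action,
                          "proto": _field(proto, int),
                          "src": _field(src, ipaddress.ip_network),
                          "sport": _field(sport, int),
                          "dst": _field(dst, ipaddress.ip_network),
                          "dport": _field(dport, int)})
    return rules


def _matches(rule, proto, src, sport, dst, dport):
    """A None field is a wildcard; ICMP flows carry sport/dport None."""
    return ((rule["proto"] is None or rule["proto"] == proto)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["sport"] is None or rule["sport"] == sport)
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"])
            and (rule["dport"] is None or rule["dport"] == dport))


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching rule decides; no match means allow (assumed default)."""
    for rule in rules:
        if _matches(rule, proto, src, sport, dst, dport):
            return rule["action"], rule["id"]
    return "allow", None
```

Comparing the parsed rule ids and fields against the intended ACL catches a rule that was configured on the FortiGate but not pushed to the AP.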