Fortinet Document Library

Version:


Table of Contents

New Features

6.4.0
Download PDF
Copy Link

Layer three ACL configurations for Wireless APs

For FortiAP devices (6.4.0 and later) that are managed by FortiGate, a layer three (L3) access control list (ACL) can be applied to a bridge or tunnel mode SSID.

Example

In this example:

  • Rule 10 is to block all traffic to 172.16.200.44
  • Rule 20 is to block all ICMP traffic
  • Rule 30 is to block traffic to destination port 21 (FTP)
To configure L3 ACL:
  1. Create L3 firewall rules:
    config wireless-controller access-control-list
        edit "ACL-1"
            config layer3-ipv4-rules
                edit 10
                    set dstaddr 172.16.200.44/255.255.255.255
                    set action deny
                next
                edit 20
                    set protocol 1
                    set action deny
                next
                edit 30
                    set dstport 21
                    set action deny
                next
            end
        next
    end
  2. Apply the rules to VAP:
    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "starr-ssid.fap.01"
            set passphrase **********
            set local-bridging enable
            set access-control-list "ACL-1"
        next
    end
  3. Check the rules on the FortiGate:
    # diagnose wireless-controller wlac -c afwprof
    
    AFWPROF (001/001) vdom,name: vdom1, ACL-1 
        refcnt           : 2 own(1) wlan(1) 
        deleted          : no
        Layer3 ipv4 rule : 3
            -----------------------------------------------------------------------
             ##### Policy Prot Source ==> Destination
            -----------------------------------------------------------------------
                10 deny   any  any:any ==> 172.16.200.44/32:any
                20 deny   1    any:any ==> any:any
                30 deny   any  any:any ==> any:21
            -----------------------------------------------------------------------
        wlan cnt         : 1
            vap 001 : 1    wifi.fap.01
  4. Confirm that the L3 rules are pushed to the FortiAP:
    # cw_diag -c afw-rules
    
    Interface wlan00 firewall rules:
    ===============================================================================
     RuleID HitCounter Policy Prot (IPv4)Source ==> Destination
    ------- ---------- ------ ---- ------------------------------------------------
         10          0 deny   any  any:any ==> 172.16.200.44/32:any
         20          0 deny   1    any:any ==> any:any
         30          0 deny   any  any:any ==> any:21
    ===============================================================================
  5. On the client, confirm that the rules are applied:
    1. Rule 10: Traffic to 172.16.200.44 is blocked, and traffic to other destinations are allowed:
      root@pc_wifi:~# curl 172.16.200.44 -v
      * Rebuilt URL to: 172.16.200.44/
      *   Trying 172.16.200.44...
      * connect to 172.16.200.44 port 80 failed: Connection timed out
      * Failed to connect to 172.16.200.44 port 80: Connection timed out
      * Closing connection 0
      curl: (7) Failed to connect to 172.16.200.44 port 80: Connection timed out
      root@pc_wifi:~# 
      
      root@pc_wifi:~# curl -k https://172.18.56.163
      <html><body><h1>It works!</h1>
      <p>This is the default web page for this server-44.</p>
      <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
    2. Rule 20: ICMP traffic is blocked and HTTPS traffic is allowed:
      root@pc_wifi:~# ping 172.16.200.44
      PING 172.16.200.44 (172.16.200.44) 56(84) bytes of data.
      ^C
      --- 172.16.200.44 ping statistics ---
      86 packets transmitted, 0 received, 100% packet loss, time 85680ms
      
      root@pc_wifi:~# curl -k https://172.18.56.163
      <html><body><h1>It works!</h1>
      <p>This is the default web page for this server-44.</p>
      <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
    3. Rule 30: FTP traffic is blocked:
      oot@pc_wifi:~# ftp 172.18.56.163
      ftp: connect: Connection timed out
      ftp> ^C
      ftp> bye
      

Layer three ACL configurations for Wireless APs

For FortiAP devices (6.4.0 and later) that are managed by FortiGate, a layer three (L3) access control list (ACL) can be applied to a bridge or tunnel mode SSID.

Example

In this example:

  • Rule 10 is to block all traffic to 172.16.200.44
  • Rule 20 is to block all ICMP traffic
  • Rule 30 is to block traffic to destination port 21 (FTP)
To configure L3 ACL:
  1. Create L3 firewall rules:
    config wireless-controller access-control-list
        edit "ACL-1"
            config layer3-ipv4-rules
                edit 10
                    set dstaddr 172.16.200.44/255.255.255.255
                    set action deny
                next
                edit 20
                    set protocol 1
                    set action deny
                next
                edit 30
                    set dstport 21
                    set action deny
                next
            end
        next
    end
  2. Apply the rules to VAP:
    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "starr-ssid.fap.01"
            set passphrase **********
            set local-bridging enable
            set access-control-list "ACL-1"
        next
    end
  3. Check the rules on the FortiGate:
    # diagnose wireless-controller wlac -c afwprof
    
    AFWPROF (001/001) vdom,name: vdom1, ACL-1 
        refcnt           : 2 own(1) wlan(1) 
        deleted          : no
        Layer3 ipv4 rule : 3
            -----------------------------------------------------------------------
             ##### Policy Prot Source ==> Destination
            -----------------------------------------------------------------------
                10 deny   any  any:any ==> 172.16.200.44/32:any
                20 deny   1    any:any ==> any:any
                30 deny   any  any:any ==> any:21
            -----------------------------------------------------------------------
        wlan cnt         : 1
            vap 001 : 1    wifi.fap.01
  4. Confirm that the L3 rules are pushed to the FortiAP:
    # cw_diag -c afw-rules
    
    Interface wlan00 firewall rules:
    ===============================================================================
     RuleID HitCounter Policy Prot (IPv4)Source ==> Destination
    ------- ---------- ------ ---- ------------------------------------------------
         10          0 deny   any  any:any ==> 172.16.200.44/32:any
         20          0 deny   1    any:any ==> any:any
         30          0 deny   any  any:any ==> any:21
    ===============================================================================
  5. On the client, confirm that the rules are applied:
    1. Rule 10: Traffic to 172.16.200.44 is blocked, and traffic to other destinations are allowed:
      root@pc_wifi:~# curl 172.16.200.44 -v
      * Rebuilt URL to: 172.16.200.44/
      *   Trying 172.16.200.44...
      * connect to 172.16.200.44 port 80 failed: Connection timed out
      * Failed to connect to 172.16.200.44 port 80: Connection timed out
      * Closing connection 0
      curl: (7) Failed to connect to 172.16.200.44 port 80: Connection timed out
      root@pc_wifi:~# 
      
      root@pc_wifi:~# curl -k https://172.18.56.163
      <html><body><h1>It works!</h1>
      <p>This is the default web page for this server-44.</p>
      <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
    2. Rule 20: ICMP traffic is blocked and HTTPS traffic is allowed:
      root@pc_wifi:~# ping 172.16.200.44
      PING 172.16.200.44 (172.16.200.44) 56(84) bytes of data.
      ^C
      --- 172.16.200.44 ping statistics ---
      86 packets transmitted, 0 received, 100% packet loss, time 85680ms
      
      root@pc_wifi:~# curl -k https://172.18.56.163
      <html><body><h1>It works!</h1>
      <p>This is the default web page for this server-44.</p>
      <p>The web server software is running but no content has been added, yet. Managed by Starr Q</p>
    3. Rule 30: FTP traffic is blocked:
      oot@pc_wifi:~# ftp 172.18.56.163
      ftp: connect: Connection timed out
      ftp> ^C
      ftp> bye