Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.1 Administration Guide
    6.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    IPv4/IPv6 access control lists

    IPv4/IPv6 access control lists

    Access control lists (ACL) in the FortiOS firmware is a granular or more specifically targeted blocklist. ACL drop IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can really improve performance.

    ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.

    The following platforms support ACL:

    • FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
    • FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
    • FGT_301E, FGT_500E, FGT_501E.
    • FGT_1200D, FGT_1500D, FGT_1500DT.
    • FGT_2000E, FGT_2500E.
    • FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
    • FGT_3800D, FGT_3810D, FGT_3815D.
    • FGT_3960E, FGT_3980E.

    Limitation

    The configuration of ACL allows you to specify which interface the ACL is applied to. You should be aware of a hardware limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware. Therefore, no CPU resources are used in the processing of the ACL. It is handled by the inside switch chip which can do hardware acceleration, which increases the performance of the FortiGate. The drawback is that the ACL function is only supported on switch fabric driven interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do not support ACL.

    Sample configuration

    To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
    config firewall acl
    edit 1
       set interface "port2"
       set srcaddr "all"
       set dstaddr "Company_Servers"
       set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

    Sample troubleshooting

    To check the number of packets drop by an ACL:
    # diagnose firewall acl counter 
ACL id 1 dropped 0 packets
    To clear the packet drop counter:
    # diagnose firewall acl clearcounter

    Use the same commands for IPv6 ACL.

    # diagnose firewall acl 
counter          Show number of packets dropped by ACL.
counter6         Show number of packets dropped by ACL6.
clearcounter     Clear ACL packet counter.
clearcounter6    Clear ACL6 packet counter.
    Previous
    Next

    IPv4/IPv6 access control lists

    IPv4/IPv6 access control lists

    Access control lists (ACL) in the FortiOS firmware is a granular or more specifically targeted blocklist. ACL drop IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can really improve performance.

    ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.

    The following platforms support ACL:

    • FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
    • FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
    • FGT_301E, FGT_500E, FGT_501E.
    • FGT_1200D, FGT_1500D, FGT_1500DT.
    • FGT_2000E, FGT_2500E.
    • FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
    • FGT_3800D, FGT_3810D, FGT_3815D.
    • FGT_3960E, FGT_3980E.

    Limitation

    The configuration of ACL allows you to specify which interface the ACL is applied to. You should be aware of a hardware limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware. Therefore, no CPU resources are used in the processing of the ACL. It is handled by the inside switch chip which can do hardware acceleration, which increases the performance of the FortiGate. The drawback is that the ACL function is only supported on switch fabric driven interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do not support ACL.

    Sample configuration

    To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
    config firewall acl
    edit 1
       set interface "port2"
       set srcaddr "all"
       set dstaddr "Company_Servers"
       set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

    Sample troubleshooting

    To check the number of packets drop by an ACL:
    # diagnose firewall acl counter 
ACL id 1 dropped 0 packets
    To clear the packet drop counter:
    # diagnose firewall acl clearcounter

    Use the same commands for IPv6 ACL.

    # diagnose firewall acl 
counter          Show number of packets dropped by ACL.
counter6         Show number of packets dropped by ACL6.
clearcounter     Clear ACL packet counter.
clearcounter6    Clear ACL6 packet counter.
    Previous
    Next