Fortinet white logo
Fortinet white logo

Administration Guide

Access control lists

Access control lists

An access control list (ACL) is a granular, targeted blocklist that is used to block IPv4 and IPv6 packets on a specified interface based on the criteria configured in the ACL policy.

On FortiGate models with ports that are connected through an internal switch fabric with TCAM capabilities, ACL processing is offloaded to the switch fabric and does not use CPU resources. VLAN interfaces that are based on physical switch fabric interfaces are also supported. Interfaces that are connected through an internal switch fabric usually have names prefixed with port or lan, such as port1 or lan2; other interfaces are not supported.

The packets will be processed by the CPU when offloading is disabled or not possible, such as when a port on a supported model does not connect to the internal fabric switch.

ACL is supported on the following FortiGate models:

  • 100D, 100E, 100EF, 101E
  • 140D, 140D-POE, 140E, 140E-POE
  • 1200D, 1500D, 1500DT
  • 3000D, 3100D, 3200D, 3700D, 3800D, 3810D, 3815D
  • All 300E and larger E-series models
  • All 100F and larger F-series models

Example

To block all IPv4 and IPv6 telnet traffic from port2 to Company_Servers:
config firewall acl
    edit 1
       set interface "port2"
       set srcaddr "all"
       set dstaddr "Company_Servers"
       set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

Diagnose commands

To check the number of packets dropped by an ACL:
# diagnose firewall acl counter
ACL id 1 dropped 0 packets 
# diagnose firewall acl counter6
ACL id 2 dropped 0 packets 
To clear the packet drop counters:
# diagnose firewall acl clearcounter
# diagnose firewall acl clearcounter6

Access control lists

Access control lists

An access control list (ACL) is a granular, targeted blocklist that is used to block IPv4 and IPv6 packets on a specified interface based on the criteria configured in the ACL policy.

On FortiGate models with ports that are connected through an internal switch fabric with TCAM capabilities, ACL processing is offloaded to the switch fabric and does not use CPU resources. VLAN interfaces that are based on physical switch fabric interfaces are also supported. Interfaces that are connected through an internal switch fabric usually have names prefixed with port or lan, such as port1 or lan2; other interfaces are not supported.

The packets will be processed by the CPU when offloading is disabled or not possible, such as when a port on a supported model does not connect to the internal fabric switch.

ACL is supported on the following FortiGate models:

  • 100D, 100E, 100EF, 101E
  • 140D, 140D-POE, 140E, 140E-POE
  • 1200D, 1500D, 1500DT
  • 3000D, 3100D, 3200D, 3700D, 3800D, 3810D, 3815D
  • All 300E and larger E-series models
  • All 100F and larger F-series models

Example

To block all IPv4 and IPv6 telnet traffic from port2 to Company_Servers:
config firewall acl
    edit 1
       set interface "port2"
       set srcaddr "all"
       set dstaddr "Company_Servers"
       set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

Diagnose commands

To check the number of packets dropped by an ACL:
# diagnose firewall acl counter
ACL id 1 dropped 0 packets 
# diagnose firewall acl counter6
ACL id 2 dropped 0 packets 
To clear the packet drop counters:
# diagnose firewall acl clearcounter
# diagnose firewall acl clearcounter6