Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support user-configurable ACL

    Support user-configurable ACL

    You can now use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.

    Note

    A user-configurable ACL might conflict with or be overridden by an ACL implemented by other managed FortiSwitch features. If a user-configurable ACL and an internal ACL do not conflict, the resulting behavior depends on the FortiSwitch model. Fortinet recommends validating user-configurable ACLs to make certain that they operate correctly with other enabled features.
    To use an ACL:

    1. Create an ACL ingress policy.

    2. Create an ACL group and add the ingress policy to it.

    3. Apply the ACL group to a managed switch port.

    4. View the counters.

    Create an ACL ingress policy

    The ACL ingress policy includes the following key attributes:

    • Interface—The port on which traffic arrives at the switch. The policy applies to ingress traffic only (not egress traffic).

    • Classifier—The classifier identifies the packets that the policy will act on. Each packet can be classified based on one or more criteria. The supported criteria are source and destination MAC address, VLAN identifier, and source and destination IP address.

    • Actions—If a packet matches the classifier criteria for a given ACL, the following types of action can be applied to the packet:

      • Allow or block the packet
      • Count the number of ingress packets

    The switch uses specialized TCAM memory to perform ACL matching.

    Note

    The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added ) matter. Hardware resources are allocated as best fit at the time of creation, which can cause some fragmentation and segmentation of hardware resources because not all classifiers are available at all times. Because the availability of classifiers is order dependent, some allocations succeed or fail at different times.
    To create an ACL ingress policy in the CLI:

    config switch-controller acl ingress

    edit <policy_identifier>

    config action

    set count {enable | disable}

    set drop {enable | disable}

    end

    config classifier

    set dst-ip-prefix <IPv4_address> <netmask>

    set dst-mac <destination_MAC_address>

    set src-ip-prefix <IPv4_address> <netmask>

    set src-mac <source_MAC_address>

    set vlan <1-4094>

    end

    next

    end

    Create an ACL group

    An ACL group contains one or more ACLs.

    Note

    The ACL ingress policies are assigned to ACL group 3 in the managed FortiSwitch unit. If the managed FortiSwitch unit does not support ACL group 3, the user-configurable ACL is not supported.
    To create an ACL group in the CLI:

    config switch-controller acl group

    edit "<ACL_group_name>"

    set ingress <policy_identifier1> <policy_identifier2> ...

    next

    end

    For example:

    config switch-controller acl group

    edit "ACLgroup1"

    set ingress 2 3 4

    next

    end

    Apply the ACL group to a managed switch port

    You can apply one or more ACL groups to a managed switch port.

    To apply an ACL group to a managed switch port in the CLI:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <managed_switch_port_name>

    set acl-group "<ACL_group_name1> <ACL_group_name2> ..."

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit FS1D243Z14000016

    config ports

    edit port10

    set acl-group "ACLgroup1 ACLgroup2 ACLgroup3"

    next

    end

    next

    end

    View the counters

    Note

    On the 4xxE, 1xxE, and 1xxF platforms, the ACL byte counters are not available (they will always show as 0 on the CLI). The packet counters are available.

    You can use the CLI to view the counters associated with the ingress policies.

    To view the counters in the CLI:

    diagnose switch-controller switch-info acl-counters <FortiSwitch_serial_number>

    For example:

    diagnose switch-controller switch-info acl-counters FS1D243Z14000016

    Configuration example

    In the following example, the ingress ACL policy prevents a PC connected to S248EPTF18001384 (which is managed by a FortiGate device) from accessing 8.8.8.8 255.255.255.255.

    config switch-controller acl ingress

    edit 1

    config action

    set drop enable

    end

    config classifier

    set dst-ip-prefix 8.8.8.8 255.255.255.255

    set src-mac 00:0c:29:d4:4f:3c

    end

    next

    end

    config switch-controller acl group

    edit "group1"

    set ingress 1

    next

    end

    config switch-controller managed-switch

    edit "S248EPTF18001384"

    config ports

    edit "port6"

    set acl-group "group1"

    next

    end

    next

    end

    Previous
    Next

    Support user-configurable ACL

    Support user-configurable ACL

    You can now use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.

    Note

    A user-configurable ACL might conflict with or be overridden by an ACL implemented by other managed FortiSwitch features. If a user-configurable ACL and an internal ACL do not conflict, the resulting behavior depends on the FortiSwitch model. Fortinet recommends validating user-configurable ACLs to make certain that they operate correctly with other enabled features.
    To use an ACL:

    1. Create an ACL ingress policy.

    2. Create an ACL group and add the ingress policy to it.

    3. Apply the ACL group to a managed switch port.

    4. View the counters.

    Create an ACL ingress policy

    The ACL ingress policy includes the following key attributes:

    • Interface—The port on which traffic arrives at the switch. The policy applies to ingress traffic only (not egress traffic).

    • Classifier—The classifier identifies the packets that the policy will act on. Each packet can be classified based on one or more criteria. The supported criteria are source and destination MAC address, VLAN identifier, and source and destination IP address.

    • Actions—If a packet matches the classifier criteria for a given ACL, the following types of action can be applied to the packet:

      • Allow or block the packet
      • Count the number of ingress packets

    The switch uses specialized TCAM memory to perform ACL matching.

    Note

    The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added ) matter. Hardware resources are allocated as best fit at the time of creation, which can cause some fragmentation and segmentation of hardware resources because not all classifiers are available at all times. Because the availability of classifiers is order dependent, some allocations succeed or fail at different times.
    To create an ACL ingress policy in the CLI:

    config switch-controller acl ingress

    edit <policy_identifier>

    config action

    set count {enable | disable}

    set drop {enable | disable}

    end

    config classifier

    set dst-ip-prefix <IPv4_address> <netmask>

    set dst-mac <destination_MAC_address>

    set src-ip-prefix <IPv4_address> <netmask>

    set src-mac <source_MAC_address>

    set vlan <1-4094>

    end

    next

    end

    Create an ACL group

    An ACL group contains one or more ACLs.

    Note

    The ACL ingress policies are assigned to ACL group 3 in the managed FortiSwitch unit. If the managed FortiSwitch unit does not support ACL group 3, the user-configurable ACL is not supported.
    To create an ACL group in the CLI:

    config switch-controller acl group

    edit "<ACL_group_name>"

    set ingress <policy_identifier1> <policy_identifier2> ...

    next

    end

    For example:

    config switch-controller acl group

    edit "ACLgroup1"

    set ingress 2 3 4

    next

    end

    Apply the ACL group to a managed switch port

    You can apply one or more ACL groups to a managed switch port.

    To apply an ACL group to a managed switch port in the CLI:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <managed_switch_port_name>

    set acl-group "<ACL_group_name1> <ACL_group_name2> ..."

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit FS1D243Z14000016

    config ports

    edit port10

    set acl-group "ACLgroup1 ACLgroup2 ACLgroup3"

    next

    end

    next

    end

    View the counters

    Note

    On the 4xxE, 1xxE, and 1xxF platforms, the ACL byte counters are not available (they will always show as 0 on the CLI). The packet counters are available.

    You can use the CLI to view the counters associated with the ingress policies.

    To view the counters in the CLI:

    diagnose switch-controller switch-info acl-counters <FortiSwitch_serial_number>

    For example:

    diagnose switch-controller switch-info acl-counters FS1D243Z14000016

    Configuration example

    In the following example, the ingress ACL policy prevents a PC connected to S248EPTF18001384 (which is managed by a FortiGate device) from accessing 8.8.8.8 255.255.255.255.

    config switch-controller acl ingress

    edit 1

    config action

    set drop enable

    end

    config classifier

    set dst-ip-prefix 8.8.8.8 255.255.255.255

    set src-mac 00:0c:29:d4:4f:3c

    end

    next

    end

    config switch-controller acl group

    edit "group1"

    set ingress 1

    next

    end

    config switch-controller managed-switch

    edit "S248EPTF18001384"

    config ports

    edit "port6"

    set acl-group "group1"

    next

    end

    next

    end

    Previous
    Next