Fortinet white logo
Fortinet white logo

Administration Guide

7.2.0

Create the Cisco extended ACL

Create the Cisco extended ACL

An extended ACL is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols.

This ACL is a sample of the type of ACL you might create to work in conjunction with your FortiNAC software and its CLI configurations. Be sure that you know the IP address of the FortiNAC appliance and the IP range of the DHCP scope for your hosts. Log into the device and create an extended access list.

Note

All information in an ACL is case sensitive.

Example

Configure term
ip access-list extended Nac
500 permit udp 192.168.34.0 0.0.0.255 host 192.168.105.2 eq 4567
501 deny ip 192.168.34.0 0.0.0.255 host 192.168.105.2
502 permit ip any any
end
write memory

Settings

Command

Definition

Data From Example

ip access list extended

Indicates the type of ACL and the user specified name of the ACL. In this example, the name is Nac.

ip access list extended Nac

permit or deny

Allow or block traffic. This is a required field.

protocol

IP, TCP, UDP, ICMP, GRE and IGRP. TCP, UDP and ICMP use IP at the network layer.

udp

ip

source

This is the Source IP address. This is a required field. In the example, this is the IP range for your hosts. When <any> is used it indicates that any IP address can connect.

192.168.34.0

any

source mask

Wildcard mask; 0 indicate positions that must match, 1s indicate don’t care positions (inverted mask). Required.

0.0.0.255

destination

Destination IP address. This is the IP address of the FortiNAC appliance that is used for isolating hosts who are not registered or who have failed a security policy scan. When <any> is used it indicates that the host can connect to any IP address.

host 192.168.105.2

any

operator destination port

lt, gt, eq, neq (less than, greater than, equal, not equal) and a port number. In this example 4567 is the port number through which the Persistent Agent communicates with the FortiNAC appliance. This must remain available if you are using the Persistent Agent to scan your hosts.

eq 4567

In the example 192.168.34.0/24 is the hosts IP range. The host IP 192.168.105.2 is the Isolation interface on the FortiNAC appliance. This is the default state of the all registered hosts. It allows the hosts to go to anywhere on the network except the Isolation interface.

Create the Cisco extended ACL

Create the Cisco extended ACL

An extended ACL is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols.

This ACL is a sample of the type of ACL you might create to work in conjunction with your FortiNAC software and its CLI configurations. Be sure that you know the IP address of the FortiNAC appliance and the IP range of the DHCP scope for your hosts. Log into the device and create an extended access list.

Note

All information in an ACL is case sensitive.

Example

Configure term
ip access-list extended Nac
500 permit udp 192.168.34.0 0.0.0.255 host 192.168.105.2 eq 4567
501 deny ip 192.168.34.0 0.0.0.255 host 192.168.105.2
502 permit ip any any
end
write memory

Settings

Command

Definition

Data From Example

ip access list extended

Indicates the type of ACL and the user specified name of the ACL. In this example, the name is Nac.

ip access list extended Nac

permit or deny

Allow or block traffic. This is a required field.

protocol

IP, TCP, UDP, ICMP, GRE and IGRP. TCP, UDP and ICMP use IP at the network layer.

udp

ip

source

This is the Source IP address. This is a required field. In the example, this is the IP range for your hosts. When <any> is used it indicates that any IP address can connect.

192.168.34.0

any

source mask

Wildcard mask; 0 indicate positions that must match, 1s indicate don’t care positions (inverted mask). Required.

0.0.0.255

destination

Destination IP address. This is the IP address of the FortiNAC appliance that is used for isolating hosts who are not registered or who have failed a security policy scan. When <any> is used it indicates that the host can connect to any IP address.

host 192.168.105.2

any

operator destination port

lt, gt, eq, neq (less than, greater than, equal, not equal) and a port number. In this example 4567 is the port number through which the Persistent Agent communicates with the FortiNAC appliance. This must remain available if you are using the Persistent Agent to scan your hosts.

eq 4567

In the example 192.168.34.0/24 is the hosts IP range. The host IP 192.168.105.2 is the Isolation interface on the FortiNAC appliance. This is the default state of the all registered hosts. It allows the hosts to go to anywhere on the network except the Isolation interface.