
Administration Guide

Configuring an ACL policy

You can configure ACL policies for each stage: ingress, egress, and prelookup.

NOTE: The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added) matters. Hardware resources are allocated on a best-fit basis at the time of creation, which can fragment and segment the hardware resources because not all classifiers are available at all times. Because classifier availability is order dependent, the same allocation can succeed or fail at different times. Rebooting the switch or running the execute acl key-compaction <acl-stage> <group-id> command can help reduce classifier resource fragmentation.

This section covers the following topics:
  Creating an ACL ingress policy
  Creating an ACL egress policy
  Creating an ACL prelookup policy
  Creating or customizing a service
  Creating a policer
  Viewing counters
  Clearing counters
  Clearing unused classifiers

Creating an ACL ingress policy

Using the GUI:
  1. Go to Switch > ACL > Ingress.
  2. Select Add Ingress Policy.
  3. Required. In the ID field, enter a unique number to identify this policy.
  4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
  5. Required. Select which interfaces the policy applies to or select the All Interface checkbox.
  6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
  7. In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
  8. Configure the classifier.
    1. Enter the VLAN identifier to be matched.
    2. Enter the 802.1Q cost of service (CoS) value to match.
    3. Enter the DSCP value to match.
    4. Enter the Ethernet type to be matched.
    5. Select the service type to be matched.
    6. Enter the source MAC address to be matched.
    7. Enter the destination MAC address to be matched.
    8. Enter the source IP address and subnet mask to be matched.
    9. Enter the destination IP address and subnet mask to be matched.
  9. Configure the action.
    1. Select the Count checkbox if you want to track the number of matching packets.
    2. Select the Drop checkbox if you want to drop matching packets.
    3. Select the Redirect Broadcast CPU checkbox if you want to redirect broadcast traffic to all ports including the CPU.
    4. Select the Redirect Broadcast No CPU checkbox if you want to redirect broadcast traffic to all ports excluding the CPU.
    5. In the CPU COS Queue field, enter the CPU CoS queue number. This CoS queue is only used if the packets reach the CPU.
    6. In the COS Queue field, enter the CoS queue number.
    7. In the Remark COS field, enter the CoS marking value.
    8. In the Outer VLAN Tag field, enter the outer VLAN tag.
    9. In the Remark DSCP field, enter the DSCP marking value.
    10. Select Egress Mask to configure which physical ports are included in the egress mask or select Redirect Physical Port to redirect packets to the selected physical ports.
    11. Select the physical ports to include in the egress mask or to redirect packets to.
    12. Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
    13. Select which redirect interface to use from the Redirect Interface drop-down list.
    14. Select the name of the mirror to use to collect packets for analysis.
  10. Select OK to save the ingress policy.
Using the CLI:

config switch acl ingress
    edit <policy_ID>
        set description <string>
        set group <group_ID>
        set ingress-interface <port_name>
        set ingress-interface-all {enable | disable}
        set schedule <schedule_name>
        set status {active | inactive}
        config classifier
            set src-mac <MAC_address>
            set dst-mac <MAC_address>
            set ether-type <integer>
            set src-ip-prefix <IP_address> <mask>
            set dst-ip-prefix <IP_address> <mask>
            set service <service_ID>
            set vlan-id <VLAN_ID>
            set cos <802.1Q CoS value to match>
            set dscp <DSCP value to match>
        end
        config action
            set cos-queue <0-7>
            set count {enable | disable}
            set cpu-cos-queue <integer>
            set drop {enable | disable}
            set egress-mask {<physical_port_name> | internal}
            set mirror <mirror_session>
            set outer-vlan-tag <integer>
            set policer <policer>
            set redirect <interface_name>
            set redirect-bcast-cpu {enable | disable}
            set redirect-bcast-no-cpu {enable | disable}
            set redirect-physical-port <list of physical ports to redirect>
            set remark-cos <0-7>
            set remark-dscp <0-63>
        end
end
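The following Python is an added example, not Fortinet tooling: it range-checks the values of an ingress policy (cos 0-7 and dscp 0-63 as given above, the 63-character description limit, the 802.1Q VLAN range 1-4094, and a valid IPv4 prefix) and then renders the same CLI commands listed above, so that a mistyped value is caught before it is pasted into the switch. It covers a subset of the classifier and action keywords. Policy ID 10, port5, VLAN 20 and the 10.99.0.0/24 subnet are constructed sample values.

```python
"""Render a FortiSwitch ingress ACL policy from range-checked values.
Added example, not Fortinet tooling: it emits the commands listed on this
page for a subset of the classifier and action fields. The cos (0-7) and
dscp (0-63) ranges and the 63-character description limit are from the
page; VLAN IDs 1-4094 are the 802.1Q range. Policy 10, port5, VLAN 20 and
10.99.0.0/24 are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _check_range(name, value, low, high):
    # Catch out-of-range values locally instead of at the switch prompt.
    if value is not None and not low <= value <= high:
        raise ValueError(f"{name}={value} is outside {low}-{high}")


@dataclass
class Classifier:
    vlan_id: Optional[int] = None
    cos: Optional[int] = None
    dscp: Optional[int] = None
    service: Optional[str] = None
    src_ip_prefix: Optional[str] = None   # CIDR; rendered as "<addr> <mask>"
    dst_ip_prefix: Optional[str] = None

    def validate(self):
        _check_range("vlan-id", self.vlan_id, 1, 4094)
        _check_range("cos", self.cos, 0, 7)
        _check_range("dscp", self.dscp, 0, 63)
        for pfx in (self.src_ip_prefix, self.dst_ip_prefix):
            if pfx is not None:
                ipaddress.IPv4Network(pfx)  # strict: rejects host bits and bad syntax


@dataclass
class Action:
    count: bool = False
    drop: bool = False
    cos_queue: Optional[int] = None
    remark_dscp: Optional[int] = None
    policer: Optional[int] = None

    def validate(self):
        _check_range("cos-queue", self.cos_queue, 0, 7)
        _check_range("remark-dscp", self.remark_dscp, 0, 63)


@dataclass
class IngressPolicy:
    policy_id: int
    description: str
    classifier: Classifier
    action: Action
    ingress_interface: Optional[str] = None   # None -> ingress-interface-all enable
    status: str = "active"


def render_ingress_policy(p: IngressPolicy) -> str:
    if len(p.description) > 63:
        raise ValueError("description is limited to 63 characters")
    if p.status not in ("active", "inactive"):
        raise ValueError("status must be active or inactive")
    p.classifier.validate()
    p.action.validate()
    c, a = p.classifier, p.action
    out = ["config switch acl ingress", f"    edit {p.policy_id}",
           f'        set description "{p.description}"']
    if p.ingress_interface is None:
        out.append("        set ingress-interface-all enable")
    else:
        out.append(f"        set ingress-interface {p.ingress_interface}")
    out += [f"        set status {p.status}", "        config classifier"]
    for key, val in (("service", c.service), ("vlan-id", c.vlan_id),
                     ("cos", c.cos), ("dscp", c.dscp)):
        if val is not None:
            out.append(f"            set {key} {val}")
    for key, pfx in (("src-ip-prefix", c.src_ip_prefix),
                     ("dst-ip-prefix", c.dst_ip_prefix)):
        if pfx is not None:
            net = ipaddress.IPv4Network(pfx)
            out.append(f"            set {key} {net.network_address} {net.netmask}")
    out += ["        end", "        config action",
            f"            set count {'enable' if a.count else 'disable'}",
            f"            set drop {'enable' if a.drop else 'disable'}"]
    for key, val in (("cos-queue", a.cos_queue), ("remark-dscp", a.remark_dscp),
                     ("policer", a.policer)):
        if val is not None:
            out.append(f"            set {key} {val}")
    out += ["        end", "    end", "end"]
    return "\n".join(out)


def example_policy() -> str:
    """Constructed sample: count and drop VLAN 20 traffic aimed at the management subnet."""
    policy = IngressPolicy(10, "count+drop vlan20 to mgmt",
                           Classifier(vlan_id=20, dst_ip_prefix="10.99.0.0/24"),
                           Action(count=True, drop=True), ingress_interface="port5")
    return render_ingress_policy(policy)
```

Calling example_policy() prints a config block in the shape shown above; pairing drop with count on the same policy means the counter shown under Viewing counters records how often the deny rule fires.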

Creating an ACL egress policy

Using the GUI:
  1. Go to Switch > ACL > Egress.
  2. Select Add Egress Policy.
  3. Required. In the ID field, enter a unique number to identify this policy.
  4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
  5. Select which interface the policy applies to.
  6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
  7. In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
  8. Configure the classifier.
    1. Enter the VLAN identifier to be matched.
    2. Enter the 802.1Q cost of service (CoS) value to match.
    3. Enter the DSCP value to match.
    4. Enter the Ethernet type to be matched.
    5. Select the service type to be matched.
    6. Enter the source MAC address to be matched.
    7. Enter the destination MAC address to be matched.
    8. Enter the source IP address and subnet mask to be matched.
    9. Enter the destination IP address and subnet mask to be matched.
  9. Configure the action.
    1. Select the Count checkbox if you want to track the number of matching packets.
    2. Select the Drop checkbox if you want to drop matching packets.
    3. In the Outer VLAN Tag field, enter the outer VLAN tag.
    4. In the Remark DSCP field, enter the DSCP marking value.
    5. Select which policer to use from the Policer drop-down list. To create a policer, see Creating a policer.
    6. Select which redirect interface to use from the Redirect Interface drop-down list.
    7. Select the name of the mirror to use to collect packets for analysis.
  10. Select OK to save the egress policy.
Using the CLI:

config switch acl egress
    edit <policy_ID>
        set description <string>
        set interface <port_name>
        set schedule <schedule_name>
        set status {active | inactive}
        config classifier
            set src-mac <MAC_address>
            set dst-mac <MAC_address>
            set ether-type <integer>
            set src-ip-prefix <IP_address> <mask>
            set dst-ip-prefix <IP_address> <mask>
            set service <service_ID>
            set vlan-id <VLAN_ID>
            set cos <802.1Q CoS value to match>
            set dscp <DSCP value to match>
        end
        config action
            set count {enable | disable}
            set drop {enable | disable}
            set mirror <mirror_session>
            set outer-vlan-tag <integer>
            set policer <policer>
            set redirect <interface_name>
            set remark-dscp <0-63>
        end
end

Creating an ACL prelookup policy

Using the GUI:
  1. Go to Switch > ACL > Prelookup.
  2. Select Add Prelookup Policy.
  3. Required. In the ID field, enter a unique number to identify this policy.
  4. By default, Active is selected. If you do not want this policy to be active, clear the Active checkbox.
  5. Select which interface the policy applies to.
  6. Select a schedule for when the ACL policy is enforced. To create a schedule, see Example 4.
  7. In the Description field, enter a description or other information about the policy. The description is limited to 63 characters.
  8. Configure the classifier.
    1. Enter the VLAN identifier to be matched.
    2. Enter the 802.1Q cost of service (CoS) value to match.
    3. Enter the DSCP value to match.
    4. Enter the Ethernet type to be matched.
    5. Select the service type to be matched.
    6. Enter the source MAC address to be matched.
    7. Enter the destination MAC address to be matched.
    8. Enter the source IP address and subnet mask to be matched.
    9. Enter the destination IP address and subnet mask to be matched.
  9. Configure the action.
    1. Select the Count checkbox if you want to track the number of matching packets.
    2. Select the Drop checkbox if you want to drop matching packets.
    3. In the Outer VLAN Tag field, enter the outer VLAN tag.
    4. In the COS Queue field, enter the CoS queue number.
    5. In the Remark COS field, enter the CoS marking value.
  10. Select OK to save the prelookup policy.
Using the CLI:

config switch acl prelookup
    edit <policy_ID>
        set description <string>
        set interface <port_name>
        set schedule <schedule_name>
        set status {active | inactive}
        config classifier
            set src-mac <MAC_address>
            set dst-mac <MAC_address>
            set ether-type <integer>
            set src-ip-prefix <IP_address> <mask>
            set dst-ip-prefix <IP_address> <mask>
            set service <service_ID>
            set vlan-id <VLAN_ID>
            set cos <802.1Q CoS value to match>
            set dscp <DSCP value to match>
        end
        config action
            set cos-queue <0-7>
            set count {enable | disable}
            set drop {enable | disable}
            set outer-vlan-tag <integer>
            set remark-cos <0-7>
        end
end

Creating or customizing a service

Optionally, you can create or customize a service. When you create an ACL policy (ingress, egress, or prelookup), you select the service to use with the set service <service_ID> command under config classifier.

The FortiSwitch unit provides a set of pre-configured services that you can use. Use the following command to list the services:

show switch acl service custom

Using the GUI to create a service:
  1. Go to Switch > ACL > Service.
  2. Click Add Service.
  3. Required. In the Name field, enter the name of the service.
  4. If you want to change the icon color for the service in the Service page, click Change and then click the new color.
  5. Optional. Enter a description of the service.
  6. If you do not want the custom service to use TCP, select ICMP, IP, UDP, or SCTP.
  7. If you selected TCP, UDP, or SCTP, enter the destination ports and source ports.
    You can enter a single port or a range of ports in each field.
  8. If you selected ICMP or IP, enter the protocol number.
  9. If you selected ICMP, enter the ICMP code.
  10. Click Add.
Using the GUI to customize a service:
  1. Go to Switch > ACL > Service.
  2. Click Edit for the service that you want to customize.
  3. Make any changes.
  4. Click Update.
Using the CLI to create or customize a service:

config switch acl service custom
    edit <service_name>
        set comment <string>
        set color <0-32>
        set protocol {ICMP | IP | TCP/UDP/SCTP}
        set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
        set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
        set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
end
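The port-range syntax of the tcp-portrange, udp-portrange and sctp-portrange settings is easy to get wrong by hand. The Python below is an added example, not FortiSwitch code: it parses that syntax into a structure, rejects impossible ranges (port 0, ports above 65535, a low end above the high end), and lets you check whether a given destination/source port pair would be matched by a custom service before the ACL that uses it goes live. Two loosenings of the printed grammar are assumptions: the destination high end and the source part are each optional, and an omitted source part is treated as any source port. The ranges used in the checks are constructed.

```python
"""Parse the port-range syntax of a FortiSwitch custom ACL service.
Added example, not FortiSwitch code. It implements the grammar printed on
this page for tcp-portrange / udp-portrange / sctp-portrange:
    <dstportlow>[-<dstporthigh>:<srcportlow>-<srcporthigh>]
Two loosenings are assumptions beyond the printed grammar: the destination
high end and the source part are each optional, and an omitted source part
is taken as any source port (1-65535). Sample ranges are constructed."""
import re
from dataclasses import dataclass

_PORTRANGE_RE = re.compile(
    r"^(?P<dlo>\d{1,5})(?:-(?P<dhi>\d{1,5}))?(?::(?P<slo>\d{1,5})-(?P<shi>\d{1,5}))?$")


@dataclass(frozen=True)
class PortRange:
    dst_low: int
    dst_high: int
    src_low: int = 1
    src_high: int = 65535

    def matches(self, dst_port: int, src_port: int) -> bool:
        return (self.dst_low <= dst_port <= self.dst_high
                and self.src_low <= src_port <= self.src_high)


def _port(text: str) -> int:
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port {value} is outside 1-65535")
    return value


def parse_portrange(text: str) -> PortRange:
    m = _PORTRANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed port range {text!r}")
    dst_low = _port(m["dlo"])
    dst_high = _port(m["dhi"]) if m["dhi"] else dst_low
    src_low = _port(m["slo"]) if m["slo"] else 1          # assumption: omitted = any
    src_high = _port(m["shi"]) if m["shi"] else 65535
    if dst_low > dst_high or src_low > src_high:
        raise ValueError(f"low port exceeds high port in {text!r}")
    return PortRange(dst_low, dst_high, src_low, src_high)


def is_rejected(text: str) -> bool:
    """True when parse_portrange refuses the text."""
    try:
        parse_portrange(text)
    except ValueError:
        return True
    return False


def service_matches(portranges, dst_port: int, src_port: int) -> bool:
    """Assumed service semantics: a flow matches if any of its ranges matches."""
    return any(r.matches(dst_port, src_port) for r in portranges)
```

A useful habit is to run the service's ranges through service_matches with the flows you expect to allow and the ones you expect to block, so that an ACL drop rule built on a mistyped range is found in review rather than in production.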

Creating a policer

The ACL policer uses a single-rate three-color marker (RFC 2697) to mark packets as green, yellow, or red, based on the guaranteed bandwidth, guaranteed burst, and maximum burst settings. Traffic below the guaranteed bandwidth is allowed. Traffic above the guaranteed burst or maximum burst is dropped.

Optionally, you can create a policer if you are defining ACLs to police different types of traffic. When you create an ACL ingress or egress policy, you select the policer to use with it.

Using the GUI:
  1. Go to Switch > ACL > Policer.
  2. Select Add Policer.
  3. Required. In the ID field, enter a unique number to identify this policer.
  4. In the Type drop-down list, select whether the policer is for the egress policy or the ingress policy.
  5. In the Guaranteed Bandwidth field, enter the amount of bandwidth guaranteed (in Kbits/second) to be available for traffic controlled by the policy.
  6. In the Guaranteed Burst field, enter the guaranteed burst size in bytes.
  7. In the Maximum Burst field, enter the maximum burst size in bytes.
  8. In the Description field, enter a description of the policer.
  9. Select OK to save the policer.
Using the CLI:

config switch acl policer
    edit <1-2048>
        set description <string>
        set guaranteed-bandwidth <bandwidth_value>
        set guaranteed-burst <in_bytes>
        set maximum-burst <in_bytes>
        set type {egress | ingress}
end
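To see how the three policer settings interact, the Python below is an added example, not FortiSwitch code: it simulates the RFC 2697 single-rate three-color marker that the text above says the policer uses, so a candidate guaranteed-bandwidth, guaranteed-burst and maximum-burst can be tried against a packet trace before the policer is deployed. The mapping of the settings to the RFC's parameters is an assumption: guaranteed-bandwidth (Kbit/s, 1 Kbit taken as 1000 bits) to CIR, guaranteed-burst (bytes) to CBS and maximum-burst (bytes) to EBS. The packet sizes and arrival times are constructed.

```python
"""Single-rate three-color marker (RFC 2697) behind the ACL policer settings.
Added example, not FortiSwitch code: it simulates the marker so the effect
of guaranteed-bandwidth, guaranteed-burst and maximum-burst can be checked
before a policer is deployed. The mapping to RFC 2697 is an assumption:
guaranteed-bandwidth (Kbit/s, 1 Kbit = 1000 bit) -> CIR,
guaranteed-burst (bytes) -> CBS, maximum-burst (bytes) -> EBS.
Packet sizes and timestamps below are constructed."""
from dataclasses import dataclass, field


@dataclass
class SrTcm:
    guaranteed_bandwidth_kbps: int
    guaranteed_burst: int          # CBS in bytes: committed token bucket size
    maximum_burst: int             # EBS in bytes: excess token bucket size
    tc: float = field(init=False)  # committed tokens, starts full (RFC 2697 s.3.1)
    te: float = field(init=False)  # excess tokens, starts full
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc = float(self.guaranteed_burst)
        self.te = float(self.maximum_burst)

    @property
    def cir_bytes_per_s(self) -> float:
        return self.guaranteed_bandwidth_kbps * 1000 / 8

    def _refill(self, now: float) -> None:
        # Tokens arrive at CIR; they top up Tc first and overflow into Te,
        # the continuous-time form of the per-token rule in RFC 2697.
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        fresh = (now - self.last) * self.cir_bytes_per_s
        self.last = now
        to_c = min(fresh, self.guaranteed_burst - self.tc)
        self.tc += to_c
        self.te = min(float(self.maximum_burst), self.te + fresh - to_c)

    def mark(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"           # neither bucket can cover the packet


def simulate(marker: SrTcm, packets):
    """packets: iterable of (arrival_time_s, size_bytes); returns one colour per packet."""
    return [marker.mark(t, size) for t, size in packets]


def demo_burst():
    # Constructed: 1000 Kbit/s (125,000 bytes/s), 3000-byte CBS, 2000-byte EBS.
    # Six back-to-back 1000-byte packets at t=0, then one more a second later.
    marker = SrTcm(1000, 3000, 2000)
    packets = [(0.0, 1000)] * 6 + [(1.0, 1000)]
    return simulate(marker, packets)
```

In demo_burst the first three packets fit the guaranteed burst (green), the next two draw on the maximum burst (yellow), the sixth exhausts both buckets (red), and after one second at 1000 Kbit/s both buckets are full again. The simulator only reports colours; which colours the switch forwards or drops is the policer's decision as described above.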

Each policy is automatically assigned a unique policy ID. To view it, use the get switch acl {egress | ingress | prelookup} command.

Viewing counters

NOTE: On the 4xxE platforms, the ACL byte counters for the prelookup stage are not available (they will always show as 0 on the CLI). The packet counters are available.

You can use the GUI and CLI to view the counters associated with the ingress, egress, and prelookup policies.

Using the GUI:

Go to Switch > Monitor > ACL Counters.

Using the CLI:

get switch acl counters {all | egress | ingress | prelookup}

For example:

S524DF4K15000024 # get switch acl counters ingress
ingress:
ID   Packets  Bytes  description
___________________________________________________________
0001 0        0      cnt_n_mirror13
0002 0        0      cnt_n_mirror31
0003 0        0      cnt_n_mirror41
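Counters are most useful when compared between polls: a drop rule whose packet count rises is a signal worth alerting on. The Python below is an added example, not FortiSwitch code: it parses output in the layout shown above (a stage header, then ID, Packets, Bytes and description columns) and reports policies whose packet counter increased between two polls, treating a counter that went down as having been cleared in between. Where packets rose but bytes still read 0, the byte delta is reported as None rather than as zero traffic, because of the 4xxE prelookup caveat noted above. The two polls, including the non-zero counts and the drop_vlan20_to_mgmt and prelookup_count_all rules, are constructed.

```python
"""Parse 'get switch acl counters' output and flag ACL policies that saw hits.
Added example, not FortiSwitch code. The layout (a '<stage>:' header, then
'ID Packets Bytes description' rows) follows the sample output on this page;
the two polls below are constructed, including non-zero counts. Where the
packet count rose but bytes still read 0, bytes are reported as None rather
than as zero traffic, since the page notes that prelookup byte counters on
4xxE platforms always show 0."""
import re

_STAGE_RE = re.compile(r"^(ingress|egress|prelookup):$")
_ROW_RE = re.compile(r"^(?P<id>\d{4})\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s*(?P<desc>.*)$")

# Constructed poll 1: the page's three zeroed mirror rules plus a drop rule.
POLL_1 = """\
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
0004 0 0 drop_vlan20_to_mgmt
prelookup:
ID Packets Bytes description
___________________________________________________________
0001 0 0 prelookup_count_all
"""

# Constructed poll 2, taken later: the drop rule and the prelookup rule were hit.
POLL_2 = """\
ingress:
ID Packets Bytes description
___________________________________________________________
0001 0 0 cnt_n_mirror13
0002 0 0 cnt_n_mirror31
0003 0 0 cnt_n_mirror41
0004 37 2960 drop_vlan20_to_mgmt
prelookup:
ID Packets Bytes description
___________________________________________________________
0001 12 0 prelookup_count_all
"""


def parse_counters(text: str) -> dict:
    """Return {stage: {policy_id: {'packets': int, 'bytes': int, 'description': str}}}."""
    result, stage = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if _STAGE_RE.match(line):
            stage = line[:-1]
            result.setdefault(stage, {})
            continue
        m = _ROW_RE.match(line)
        if m and stage is not None:      # header and underline rows do not match
            result[stage][m["id"]] = {"packets": int(m["packets"]),
                                      "bytes": int(m["bytes"]),
                                      "description": m["desc"].strip()}
    return result


def counter_deltas(before: dict, after: dict) -> list:
    """Policies whose packet counter rose between two polls, with the increase.
    A counter lower than last time means 'execute acl clear-counter' ran in
    between, so the current value is taken as the increase."""
    hits = []
    for stage, rows in after.items():
        for pid, row in rows.items():
            prev = before.get(stage, {}).get(pid, {"packets": 0, "bytes": 0})
            d_packets = row["packets"] - prev["packets"]
            d_bytes = row["bytes"] - prev["bytes"]
            if d_packets < 0:
                d_packets, d_bytes = row["packets"], row["bytes"]
            if d_packets > 0:
                hits.append({"stage": stage, "id": pid,
                             "description": row["description"],
                             "packets": d_packets,
                             "bytes": None if row["bytes"] == 0 else d_bytes})
    return hits
```

Feeding parse_counters the text captured from get switch acl counters all on each poll and passing consecutive results to counter_deltas gives a per-policy hit list that can be forwarded to a SIEM; a rising count on a drop rule protecting the management subnet is the kind of event that deserves a ticket.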

Clearing counters

You can use the GUI or CLI to clear the counters associated with all policies or the counters associated with just ingress, egress, or prelookup policies.

Using the GUI:
  1. Go to Switch > Monitor > ACL Counters.
  2. Select Ingress, Egress, Prelookup, or All to clear those counters.
Using the CLI:

execute acl clear-counter {all | egress | ingress | prelookup}

Clearing unused classifiers

Use the following command to clear the unused classifiers on ASIC hardware associated with ingress, egress, prelookup, or all policies for a particular group:

execute acl key-compaction {all | ingress | egress | prelookup} <group_ID>

NOTE: This command currently only works on the ingress policy.
