Access control lists
An access control list (ACL) is a granular, targeted blocklist: it drops IPv4 and IPv6 packets arriving on a specified interface that match the criteria configured in the ACL policy.
On FortiGate models with ports that are connected through an internal switch fabric with TCAM capabilities, ACL processing is offloaded to the switch fabric and does not use CPU resources. VLAN interfaces that are based on physical switch fabric interfaces are also supported. Interfaces that are connected through an internal switch fabric usually have names prefixed with port or lan (for example, port1 or lan2); other interfaces are not supported.
Packets are processed by the CPU when offloading is disabled or not possible, such as when a port on a supported model does not connect to the internal switch fabric.
ACL is supported on the following FortiGate models:
- 100D, 100E, 100EF, 101E
- 140D, 140D-POE, 140E, 140E-POE
- 1500D, 1500DT
- 3000D, 3100D, 3200D, 3700D, 3800D
- All 300E and larger E-series models
- All 100F and larger F-series models
Example
To block all IPv4 and IPv6 telnet traffic from port2 to Company_Servers:
config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end
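Two mistakes are easy to make with this configuration: binding an ACL to an interface that is not a switch-fabric port (which the page says is not supported), and blocking a service in the IPv4 table only, so the same traffic over IPv6 is not dropped. The following added example (not Fortinet's code, and not from this page) parses CLI text in the format shown above and reports both conditions. The sample configuration is constructed for the example: it is the page's example plus a second IPv4 rule on an interface named wan1, an assumed name chosen because it does not carry the port or lan prefix; the checks assume one value per set line, as in the example.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the page's example, plus (an assumption for illustration)
# a second IPv4 rule on an interface that is not a switch-fabric port and that
# has no IPv6 counterpart.
SAMPLE_CONFIG = """
config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
    edit 2
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end
"""

Entry = Dict[str, str]
Tables = Dict[str, Dict[int, Entry]]


def parse_acl_config(text: str) -> Tables:
    """Parse 'config firewall acl' / 'config firewall acl6' blocks into
    {table: {entry_id: {key: value}}}. Quoted values are unquoted."""
    tables: Tables = {}
    table = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config" and len(tokens) == 3 and tokens[1] == "firewall":
            table = tokens[2]
            tables.setdefault(table, {})
        elif tokens[0] == "edit" and table is not None:
            entry = int(tokens[1])
            tables[table].setdefault(entry, {})
        elif tokens[0] == "set" and table is not None and entry is not None:
            # multi-value settings (several services, say) are joined by spaces
            tables[table][entry][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            table = None
    return tables


# Per the page, only interfaces on the internal switch fabric (names prefixed
# with port or lan) are supported for ACLs.
SUPPORTED_PREFIXES = ("port", "lan")


def unsupported_interfaces(tables: Tables) -> List[Tuple[str, int, str]]:
    """(table, id, interface) for entries bound to an interface whose name
    does not carry the port/lan switch-fabric prefix."""
    findings = []
    for table in ("acl", "acl6"):
        for entry_id, entry in sorted(tables.get(table, {}).items()):
            iface = entry.get("interface", "")
            if not iface.startswith(SUPPORTED_PREFIXES):
                findings.append((table, entry_id, iface))
    return findings


def unpaired_ipv4_rules(tables: Tables) -> List[int]:
    """IDs of 'acl' entries with no 'acl6' entry blocking the same service on
    the same interface: IPv6 traffic would pass where IPv4 is dropped."""
    v6_keys = {
        (e.get("interface"), e.get("service"))
        for e in tables.get("acl6", {}).values()
    }
    return [
        entry_id
        for entry_id, e in sorted(tables.get("acl", {}).items())
        if (e.get("interface"), e.get("service")) not in v6_keys
    ]


if __name__ == "__main__":
    cfg = parse_acl_config(SAMPLE_CONFIG)
    for table, entry_id, iface in unsupported_interfaces(cfg):
        print(f"{table} {entry_id}: interface {iface!r} is not a switch-fabric port")
    for entry_id in unpaired_ipv4_rules(cfg):
        print(f"acl {entry_id}: no matching acl6 rule, IPv6 traffic is not blocked")
```

Run against the sample, the script flags entry 2 on both counts; on a real device, feed it the output of `show firewall acl` and `show firewall acl6` instead of the embedded sample.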
Diagnose commands
To check the number of packets dropped by an ACL:
# diagnose firewall acl counter
ACL id 1 dropped 0 packets
# diagnose firewall acl counter6
ACL id 2 dropped 0 packets
To clear the packet drop counters:
# diagnose firewall acl clearcounter
# diagnose firewall acl clearcounter6
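The counters are cumulative, so the useful signal for monitoring is how much each one grew between two polls, and a reading lower than the previous one means clearcounter ran in between. The following added example (not Fortinet's code, and not from this page) parses counter output in the "ACL id N dropped M packets" shape shown above and computes those deltas; the two poll snapshots are constructed for the example, and fetching the output from the device (for example over SSH) is left to the caller.

```python
import re
from typing import Dict

# Output lines of 'diagnose firewall acl counter' / 'counter6' have the shape
# shown on the page: "ACL id <n> dropped <m> packets".
COUNTER_RE = re.compile(r"^ACL id (\d+) dropped (\d+) packets$")

# Constructed sample: two successive polls. Between them, ACL 1 started
# dropping traffic and the counters were cleared with
# 'diagnose firewall acl clearcounter', so ACL 2 appears to go backwards.
POLL_BEFORE = """\
ACL id 1 dropped 0 packets
ACL id 2 dropped 17 packets
"""
POLL_AFTER = """\
ACL id 1 dropped 42 packets
ACL id 2 dropped 5 packets
"""


def parse_acl_counters(output: str) -> Dict[int, int]:
    """Map ACL id -> dropped packet count; lines that do not match are ignored."""
    counters: Dict[int, int] = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[int(m.group(1))] = int(m.group(2))
    return counters


def drop_deltas(previous: Dict[int, int], current: Dict[int, int]) -> Dict[int, int]:
    """ACL ids whose drop counter grew since the previous poll, with the
    increase. A counter lower than before means clearcounter ran in between,
    so the whole current value counts as new drops."""
    deltas: Dict[int, int] = {}
    for acl_id, now in current.items():
        before = previous.get(acl_id, 0)
        if now < before:
            before = 0
        if now > before:
            deltas[acl_id] = now - before
    return deltas


def report(previous_output: str, current_output: str) -> Dict[int, int]:
    """Convenience wrapper: raw poll outputs in, per-ACL new drop counts out."""
    return drop_deltas(parse_acl_counters(previous_output),
                       parse_acl_counters(current_output))


if __name__ == "__main__":
    for acl_id, n in sorted(report(POLL_BEFORE, POLL_AFTER).items()):
        print(f"ACL id {acl_id}: {n} new dropped packets since last poll")
```

Treating a decreased counter as a reset rather than ignoring it keeps the drops that happened after a clearcounter from being lost; if the IPv4 and IPv6 tables use the same ids, keep separate snapshots for the counter and counter6 output so the ids do not collide.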