Technical Tip: Blocking TCP Ports using ACL on FortiGate
Description
This article describes how to block TCP ports using an Access Control List (ACL) on FortiGate to mitigate DDoS attacks. It provides a step-by-step guide on configuring an ACL to block specific ports and explains the difference between using an ACL and a local-in policy.
Scope
FortiGate.
Solution
It is important to note that the ACL is implemented on models with an NPU and ISF (Integrated Switch Fabric), and therefore only specific models have this feature.
The following FortiGate models support ACLs:
- 100D, 100E, 100EF, 101E
- 140D, 140D-POE, 140E, 140E-POE
- 1500D, 1500DT
- 3000D, 3100D, 3200D, 3700D, 3800D
- All 300E and larger E-series models
- All 100F and larger F-series models
To block specific TCP ports using an ACL on FortiGate, follow these steps:
- Go to Policy & Objects -> Services and create a new service that includes the ports to be blocked. A contiguous range (e.g. 99-199) can be expressed in a single service. If ports in several non-contiguous ranges must be blocked, create a separate service for each port or range and add them all to a single Service Group, which the ACL can then reference.

- Go to Policy & Objects -> IPv4 Access Control List and create a new ACL that references the Service / Service Group created in step 1. Configure the ACL to block traffic from all sources to the specified destination IP address and ports, on the interface where the traffic arrives (typically the WAN-facing interface).
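The two GUI steps above map directly onto the FortiOS CLI. The following is an added example, not taken from the original article; the interface name (wan1), the address object name and the destination IP (203.0.113.10, a documentation-range address) are assumptions to be replaced with the values of the unit being configured.

```fortios
# Step 1: services covering the TCP ports to be blocked.
# One contiguous range fits in a single service object.
config firewall service custom
    edit "TCP-Block-99-199"
        set tcp-portrange 99-199
    next
    edit "TCP-Block-8443"
        set tcp-portrange 8443
    next
end

# Non-contiguous ranges are grouped so the ACL references one object.
config firewall service group
    edit "ACL-Blocked-TCP"
        set member "TCP-Block-99-199" "TCP-Block-8443"
    next
end

# Destination the flood is aimed at (assumed value, adjust as needed).
config firewall address
    edit "ACL-Target-Host"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 2: the IPv4 ACL itself. It drops matching packets from any source
# on the ingress interface before they reach the CPU-handled policy path.
config firewall acl
    edit 1
        set status enable
        set comments "Drop flood traffic on blocked TCP ports"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "ACL-Target-Host"
        set service "ACL-Blocked-TCP"
    next
end
```

The ACL has no accept action: anything it matches is dropped, so the service and destination objects should be scoped as narrowly as the attack allows to avoid discarding legitimate traffic to other ports on the same host.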

Note:
Local-in policies are processed by the FortiGate CPU and are not offloaded to the Network Processing Unit (NPU). ACLs, by contrast, can be offloaded to the NPU7, so a flood that would otherwise be evaluated in software is dropped in hardware, which helps keep CPU usage down during an attack.