Dhruvin_patel
Staff
September 30, 2024

Troubleshooting Tip: How to troubleshoot if the traffic is blocked by ACL

Description

This article describes how to troubleshoot traffic that is being blocked by an access control list (ACL) on a FortiGate, and why the usual tools (debug flow and traffic logs) do not show the drop.

Scope

FortiGate v7.0, v7.2, v7.4, v7.6.

Solution

Access Control Lists (ACLs) on FortiGate Devices:

An ACL drops IPv4 (config firewall acl) or IPv6 (config firewall acl6) packets arriving on the specified interfaces when they match the source, destination and service criteria configured in the ACL. The match is performed by the network processor before the packet reaches the CPU, which is what makes ACL drops harder to see than firewall policy denies.

 

To block all HTTPS traffic arriving on VLAN189 from any client to any server (IPv4 shown; the IPv6 equivalent uses the same fields under config firewall acl6):

config firewall acl
    edit 1
        set status enable
        set name ''
        set comments ''
        set interface "VLAN189"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set fragment pass
    next
end

Note that 'set fragment pass' lets fragmented packets through the ACL; use 'set fragment drop' if fragments should be dropped as well.

 

When traffic is blocked by an ACL, the sniffer shows one-way traffic: the client's SYNs arrive on VLAN189 and are retransmitted with the same sequence number about one second later, but no SYN-ACK is ever seen going back to the client.

2024-07-27 20:04:02.280256 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:02.283863 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566
2024-07-27 20:04:02.532852 VLAN189 in 172.31.1.3.62742 -> 172.31.1.2.443: syn 3201707191
2024-07-27 20:04:03.282799 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:03.298018 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566

 

When an ACL drops traffic, the debug flow does not print any 'drop' keyword or statement indicating that the traffic was blocked by the ACL; instead it shows the traffic as allowed with a matching firewall policy. Debug flow output is therefore not a reliable way to confirm an ACL drop.

The reliable indicator is the ACL drop counter: if packets are being dropped by the ACL, the counter for that ACL ID increases each time the command is repeated while the traffic is being generated.

 

diagnose firewall acl counter
ACL id 1 dropped 0 packets

diagnose firewall acl counter
ACL id 1 dropped 30 packets

diagnose firewall acl counter
ACL id 1 dropped 42 packets

To make the increase unambiguous, reset the counters with 'diagnose firewall acl clearcounter' before reproducing the problem. For IPv6 ACLs use 'diagnose firewall acl6 counter' and 'diagnose firewall acl6 clearcounter'.
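As an added example (not part of the original article or of FortiOS), the following Python script applies the two checks above to pasted CLI output: it parses 'diagnose sniffer packet ... 4' lines to find TCP flows that only ever appear in one direction (client SYNs, including retransmits, with no reply packet), and it compares successive 'diagnose firewall acl counter' outputs to report which ACL counters rose. The sniffer and counter lines embedded in it are constructed to mirror the article's output, with one healthy handshake on port 22 added for contrast.

```python
"""Triage helpers for the two ACL symptoms described above.

Sample inputs are constructed for this example: the sniffer lines mirror
the ones in the article plus one healthy handshake on port 22, and the
counter lines mirror the three 'diagnose firewall acl counter' runs."""
import re
from collections import defaultdict

SNIFFER_SAMPLE = """\
2024-07-27 20:04:02.280256 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:02.283863 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566
2024-07-27 20:04:03.282799 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:05.000001 VLAN189 in 172.31.1.3.62750 -> 172.31.1.2.22: syn 1000
2024-07-27 20:04:05.000900 VLAN189 out 172.31.1.2.22 -> 172.31.1.3.62750: syn 2000 ack 1001
"""

COUNTER_SAMPLES = [
    "ACL id 1 dropped 0 packets",
    "ACL id 1 dropped 30 packets",
    "ACL id 1 dropped 42 packets",
]

# One line of 'diagnose sniffer packet <iface> <filter> 4' output:
# timestamp, interface, direction, src.port -> dst.port: TCP flags/seq.
SNIFFER_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<flags>.+)$"
)
COUNTER_RE = re.compile(r"ACL id (?P<id>\d+) dropped (?P<n>\d+) packets")


def one_way_syn_flows(sniffer_text):
    """Flows whose client SYNs were seen but for which no packet was ever
    seen in the reverse direction. Returns {(src, sport, dst, dport): syn_count}."""
    fwd_syns = defaultdict(int)   # flow -> client SYNs seen (1 + retransmits)
    answered = set()              # flows with at least one reverse-direction packet
    for line in sniffer_text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        reverse = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        flags = m["flags"]
        if flags.startswith("syn") and " ack " not in flags:
            fwd_syns[flow] += 1          # pure SYN: client side of a handshake
        else:
            answered.add(reverse)        # SYN-ACK, ACK or data: a reply to the other side
    return {flow: n for flow, n in fwd_syns.items() if flow not in answered}


def parse_counters(output):
    """Map ACL id -> dropped packets for one 'diagnose firewall acl counter' run."""
    return {int(m["id"]): int(m["n"]) for m in COUNTER_RE.finditer(output)}


def rising_acl_counters(samples):
    """Compare successive counter outputs; return {acl_id: packets dropped
    between the first and last sample} for ACLs whose counter increased."""
    first, last = parse_counters(samples[0]), parse_counters(samples[-1])
    return {i: last[i] - first.get(i, 0) for i in last if last[i] > first.get(i, 0)}


def likely_acl_drop(sniffer_text, counter_samples):
    """The article's two signals together: one-way SYN flows in the sniffer
    and a rising drop counter. Both present -> the ACL is the likely cause."""
    return bool(one_way_syn_flows(sniffer_text)) and bool(rising_acl_counters(counter_samples))


if __name__ == "__main__":
    for (src, sport, dst, dport), syns in sorted(one_way_syn_flows(SNIFFER_SAMPLE).items()):
        print(f"one-way: {src}:{sport} -> {dst}:{dport}  SYNs seen: {syns}")
    print("ACL counters that rose:", rising_acl_counters(COUNTER_SAMPLES))
    print("likely ACL drop:", likely_acl_drop(SNIFFER_SAMPLE, COUNTER_SAMPLES))
```

To use it on a live case, replace SNIFFER_SAMPLE with the output of the sniffer run on the ingress interface (verbosity 4, so interface names and direction are printed) and COUNTER_SAMPLES with several 'diagnose firewall acl counter' outputs taken while the client is retrying. A flow that appears in the one-way list together with a rising counter for the ACL bound to that interface points at the ACL rather than at a firewall policy or a routing problem.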

 

Traffic dropped by an ACL does not generate forward traffic logs or local traffic logs, because logs are generated only for traffic that reaches the CPU, and ACL drops happen in the network processor before that point. The absence of a deny log for the blocked flow is therefore expected and should not be read as evidence that the FortiGate is not dropping it.

 

Note:
Refer to the following document for ACL-supported FortiGate models:

Config Firewall ACL