Skip to main content
sfort9797
sfort9797
New Member
November 9, 2023
Question

FortiSwitch ACL processing

  • November 9, 2023
  • 1 reply
  • 1094 views

Hi,

 

Coming from Cisco world i would like to know how ACL processing works in fortiswitches. Couldn't find any documentation. Does ACL order matter? For example:
config switch acl ingress
edit 10
set status active
config classifier
set dst-ip-prefix 172.16.10.0/29
set src-ip-prefix 192.168.1.0/24
end
config action
set drop disable
edit 8
set status active
config classifier
set dst-ip-prefix 172.16.10.0/24
set src-ip-prefix 192.168.1.0/24
end
config action
set drop enable

 

Policy 10 allow traffic to 172.16.10.0/29

Policy 8 deny traffic to 172.16.10.0/24 (supernet)

Will it process based on destination IP with longest subnet mask or pick up the policy with lowest policy identifier number?

1 reply

ebilcari
Staff
ebilcari
Staff
November 12, 2023

Keep in mind that there are two separate documentation/guides for FSW (FortiLink and Standalone). In this case I guess you are referring to standalone mode. As seen on this section of the Administration guide the order meters: The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added ) matter.

You can also refer to the examples to get a better understanding.

Emirjon
    Terms & ConditionsAccessibility statement