FortiGate
pksubramanian
Article Id 414130
Description


This article describes how to block TCP ports using an Access Control List (ACL) on FortiGate to mitigate DDoS attacks. It provides a step-by-step guide on configuring an ACL to block specific ports and explains the difference between using an ACL and a local-in policy.


Scope


FortiGate.


Solution


To block TCP ports using an ACL on FortiGate, follow these steps:

  1. Go to Config -> Firewall -> service group and create a new service group that includes the ports to be blocked.
  2. Go to Config -> Firewall -> ACL and create a new ACL that references the service group created in step 1.
  3. Configure the ACL to block traffic from all sources to the specified destination IP address and ports.
  4. Apply the ACL to the external interface to block the specified ports.
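The four steps above written out as FortiOS CLI configuration. This is an added example, not part of the original article: the port numbers, the object names, the external interface name (port1) and the protected server address (203.0.113.10) are constructed placeholders, and it assumes a model whose NPU supports the firewall acl table.

```text
# Step 1: define the TCP ports to block and group them (constructed values).
config firewall service custom
    edit "TCP-3389"
        set tcp-portrange 3389
    next
    edit "TCP-23"
        set tcp-portrange 23
    next
end
config firewall service group
    edit "DDoS-Blocked-Ports"
        set member "TCP-3389" "TCP-23"
    next
end

# Address object for the protected destination (placeholder IP).
config firewall address
    edit "Protected-Server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Steps 2-4: ACL on the external interface; all sources to the
# protected server on the grouped ports are dropped.
config firewall acl
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "Protected-Server"
        set service "DDoS-Blocked-Ports"
        set status enable
        set comments "NP-offloaded drop of targeted TCP ports"
    next
end

# Confirm the entry as stored.
show firewall acl
```

Unlike a local-in policy, the ACL match runs on the NPU, so packets hitting these ports are dropped without consuming CPU.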


Note:

The FortiGate CPU handles local-in policies and does not offload them to the Network Processing Unit (NPU). However, ACLs can be offloaded to the NPU7, which can help reduce CPU usage.