Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bvata
Staff
Staff

Created on ‎12-24-2019 05:45 AM Edited on ‎12-16-2024 07:59 AM By Moderator

Article Id 193219

Technical Tip: Configuring access lists

Description

 

This article describes how to configure an access list on FortiGate.

 

Scope

 

FortiGate:

  • 100D, 100E, 100EF, 101E, 140D, 140D-POE, 140E, 140E-POE, 1500D, 1500DT, 3000D, 3100D, 3200D, 3700D, 3800D.
  • All 300E and larger E-series models.
  • All 100F and larger F-series models.

 

Solution

 
 
Access lists are implemented after the TCP/IP Stack and before the DOS policy sensor on NP Processors (not NP Lite).
 
Configuration can be performed from the CLI:
 
config firewall acl
    edit 1
        set status enable
        set comments ''
        set interface "port1"
        set srcaddr "MyPc"
        set dstaddr "all"
        set service "ALL_ICMP"
    next
 
This will block the traffic coming from port1 and source address 'MyPc' to destination 'all'.
All other traffic is allowed.
Check the dropped packets with the command:
 
diag firewall acl counter
 
Packet Flow:Packet flow: NP6 and NP6lite sessions
CLI Reference: firewall {acl | acl6}
 

Sometimes the access list is used to block the incoming traffic from different IP addresses based on the FortiGuard IP Geolocation database, this service allows Fortinet devices to query the cloud-based FortiGuard servers for the location of public IP addresses.

It is possible to configure an access list to use as a source IP object which is from type 'Geography', for the example we have a country Finland :

 

config firewall address
    edit "Finland_addresses"
        set uuid 1fe3d272-2534-51ee-ddb1-10d3c8fdd4d0
        set type geography
        set comment ''
        set associated-interface ''
        set color 0
        set fabric-object disable
        set country "FI"
    next
end

 

To block the incoming traffic from IP addresses located in Finland our ACL will look like :

 

config firewall acl
    edit 1
        set status enable
        set name "block_ACL"
        set comments ''
        set interface "wan1"
        set srcaddr "Finland_addresses" -
        set dstaddr "all"
        set service "ALL"
    next
end

 

 

It is mandatory to note that, if traffic is generated from the LAN to the IP address located in Finland, the return traffic will be blocked by the ACL, because ACL works like a normal stateless 'access-list'. The 'access-list' does not track if the packet is SYN or SYN/ACK.

For example, if your host located behind the FW initiates a SYN packet to web server in Finland, the server will respond with SYN/ACK but that packet will be blocked on the firewall, if there is an ACL like the one above.

The behavior is the same even if a normal IP address configured is used on the access-list for the source address.

 

Enable GUI visibility:

 

To enable the GUI visualization of this option, it is necessary to enable the Additional Feature 'DoS Policy' under the Feature Visibility in the System configuration, as below:

 

screenshot.jpg

 

Before configuring an access list, read the following to confirm whether the device supports that feature:

6585
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.