Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bvata
Staff
Staff

Created on ‎12-24-2019 05:45 AM Edited on ‎07-18-2023 01:18 AM By Community Manager

Article Id 193219

Technical Tip: Configuring access lists

Description

 

This article describes how to configure access list on FortiGate.

Solution

 
 
Access lists are implemented after TCP/IP Stack and before the DOS policy sensor on NP Processors (not NP Lite).
 
Configuration can be performed from the CLI:
 
config firewall ac
    edit 1
        set status enable
        set comments ''
        set interface "port1"
        set srcaddr "MyPc"
        set dstaddr "all"
        set service "ALL_ICMP"
    next
 
This will block the traffic coming from port1 and source address 'MyPc' to destination 'all'.
All other traffic is allowed.
Check the dropped packets with the command:
 
diag firewall acl counter
 
Packet Flow: https://docs.fortinet.com/document/fortigate/6.0.0/parallel-path-processing-life-of-a-packet/881625...
CLI Reference: https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/929257/firewall-acl-acl6
 

Sometimes the access list is used to block the incoming traffic from different IP addresses based on the FortiGuard IP Geolocation database, this service allows Fortinet devices to query the cloud-based FortiGuard servers for the location of public IP addresses.

It is possible to configure access list to use as a source IP object which is from type 'Geography', for the example we have a country Finland :

 

config firewall address
    edit "Finland_addresses"
        set uuid 1fe3d272-2534-51ee-ddb1-10d3c8fdd4d0
        set type geography
        set comment ''
        set associated-interface ''
        set color 0
        set fabric-object disable
        set country "FI"
    next
end

 

To block the incoming traffic from IP addresses located in Finland our ACL will look like :

 

config firewall acl
    edit 1
        set status enable
        set name "block_ACL"
        set comments ''
        set interface "wan1"
        set srcaddr "Finland_addresses" -
        set dstaddr "all"
        set service "ALL"
    next
end

 

 

It is mandatory to note that, if a traffic is generated from the LAN to IP address located in Finland, the return traffic will be blocked by the ACL, because ACL works like a normal stateless 'access-list'. The 'access-list' does not track if the packet is SYN or SYN/ACK.

For example, if your host located behind the FW initiate a SYN packet to web server in Finland, the server will respond with SYN/ACK but that packet will be blocked on the firewall, if there is an ACL like the one above.

The behaviour is the same even if a normal IP address configured is used on the access-list for source address.

 

Before configuring an access list, read if the device supports that feature:

https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/715620/config-firewall-acl

https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/696620/config-firewall-acl

https://docs.fortinet.com/document/fortigate/7.0.12/cli-reference/678620/config-firewall-acl

4142
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.