Description
This article describes how to configure an access list (ACL) on a FortiGate.
Solution
An access list is sometimes used to block incoming traffic from IP addresses based on the FortiGuard IP Geolocation database. This service allows Fortinet devices to query the cloud-based FortiGuard servers for the location of public IP addresses.
It is possible to configure an access list that uses a source address object of type 'Geography'. In the example below the country is Finland:
config firewall address
edit "Finland_addresses"
set uuid 1fe3d272-2534-51ee-ddb1-10d3c8fdd4d0
set type geography
set comment ''
set associated-interface ''
set color 0
set fabric-object disable
set country "FI"
next
end
To block incoming traffic from IP addresses located in Finland, the ACL will look like this:
config firewall acl
edit 1
set status enable
set name "block_ACL"
set comments ''
set interface "wan1"
set srcaddr "Finland_addresses"
set dstaddr "all"
set service "ALL"
next
end
It is important to note that if traffic is generated from the LAN to an IP address located in Finland, the return traffic will be blocked by the ACL, because the ACL works like a normal stateless 'access-list'. The 'access-list' does not track whether a packet is a SYN or a SYN/ACK.
For example, if a host located behind the FortiGate initiates a SYN packet to a web server in Finland, the server will respond with a SYN/ACK, but that packet will be blocked by the firewall if an ACL like the one above is present.
The behaviour is the same if a normal IP address object is used as the source address on the access list instead of a geography object.
Before configuring an access list, check whether the device supports this feature:
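The following simulation is an added example, not FortiOS code or Fortinet's own implementation. It models the ACL above as a stateless filter that matches only on ingress interface and source object, and contrasts it with a simplified session-tracking filter, so the return-traffic problem described above can be seen on a constructed packet exchange. The geolocation table, the documentation IP ranges labelled "FI" and "DE", the LAN host 10.0.0.5 and the extra plain address object 192.0.2.0/24 are all assumptions made for the demo; the real FortiGuard lookup is a cloud query, not a local table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the FortiGuard IP Geolocation database (assumption:
# documentation ranges labelled with countries only for this demo).
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "FI",
    ip_network("198.51.100.0/24"): "DE",
}


def country_of(ip):
    """Return the country code for an IP, or None if it is not in the table."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: "wan1" or "lan"
    src: str
    dst: str
    flags: str     # TCP flags, e.g. "SYN", "SYN/ACK", "ACK"


# Source objects the ACL matches on: the geography object from the article plus a
# hypothetical plain address object, to show that both behave the same way.
ACL_INTERFACE = "wan1"
ACL_SOURCES = [("geography", "FI"), ("ipnet", ip_network("192.0.2.0/24"))]


def acl_matches_source(ip):
    """True if the packet's source IP falls in any of the ACL's source objects."""
    addr = ip_address(ip)
    for kind, value in ACL_SOURCES:
        if kind == "geography" and country_of(ip) == value:
            return True
        if kind == "ipnet" and addr in value:
            return True
    return False


def stateless_acl_blocks(pkt):
    """The ACL as the article describes it: interface and source only, with no
    notion of which side opened the connection."""
    return pkt.ingress == ACL_INTERFACE and acl_matches_source(pkt.src)


class StatefulFilter:
    """Simplified session-tracking filter for contrast: inbound packets that
    reply to a session opened from the LAN are allowed regardless of source."""

    def __init__(self):
        self.sessions = set()

    def blocks(self, pkt):
        if pkt.ingress == "lan":
            self.sessions.add((pkt.src, pkt.dst))   # LAN-initiated session
            return False
        if (pkt.dst, pkt.src) in self.sessions:
            return False                            # reply to a known session
        return acl_matches_source(pkt.src)


def run(packets):
    """Return a list of (flags, stateless verdict, stateful verdict) per packet."""
    stateful = StatefulFilter()
    verdicts = []
    for pkt in packets:
        stateless_verdict = "blocked" if stateless_acl_blocks(pkt) else "allowed"
        stateful_verdict = "blocked" if stateful.blocks(pkt) else "allowed"
        verdicts.append((pkt.flags, stateless_verdict, stateful_verdict))
    return verdicts


# Constructed exchange: a LAN host opens a connection to a web server in the
# "Finland" range, then unsolicited inbound packets arrive from matching sources.
SAMPLE = [
    Packet("lan",  "10.0.0.5",     "203.0.113.10", "SYN"),
    Packet("wan1", "203.0.113.10", "10.0.0.5",     "SYN/ACK"),
    Packet("lan",  "10.0.0.5",     "203.0.113.10", "ACK"),
    Packet("wan1", "203.0.113.99", "10.0.0.5",     "SYN"),
    Packet("wan1", "192.0.2.7",    "10.0.0.5",     "SYN/ACK"),
]

if __name__ == "__main__":
    for flags, stateless, stateful in run(SAMPLE):
        print(f"{flags:8} stateless ACL: {stateless:8} stateful filter: {stateful}")
```

The second packet is the one the article warns about: the SYN/ACK from the Finnish server is a legitimate reply to a LAN-initiated session, and the session-tracking filter lets it through, but the stateless ACL sees only "source in FI, arriving on wan1" and drops it. The last packet shows the same outcome for a plain address object. A practical check before deploying such an ACL is therefore to list which outbound destinations fall inside the ACL's source objects, since every one of them will lose its return traffic.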
https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/715620/config-firewall-acl
https://docs.fortinet.com/document/fortigate/7.2.5/cli-reference/696620/config-firewall-acl
https://docs.fortinet.com/document/fortigate/7.0.12/cli-reference/678620/config-firewall-acl