Dhruvin_patel
Article Id 345515
Description: This article describes how to troubleshoot traffic that is blocked by an access control list (ACL).
Scope

FortiGate v7.0, v7.2, v7.4.

Solution

Access Control Lists (ACLs) on FortiGate Devices:

An ACL blocks IPv4 and IPv6 packets on the specified interfaces based on the criteria configured in the ACL entry.

To block all IPv4 and IPv6 HTTPS traffic from client to server:


config firewall acl
    edit 1
        set status enable
        set name ''
        set comments ''
        set interface "VLAN189"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set fragment pass
    next
end


When traffic is blocked by an ACL, the sniffer shows only one direction: the client's SYN packets (and their retransmissions) arrive on the interface, but no reply is ever seen:


2024-07-27 20:04:02.280256 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:02.283863 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566
2024-07-27 20:04:02.532852 VLAN189 in 172.31.1.3.62742 -> 172.31.1.2.443: syn 3201707191
2024-07-27 20:04:03.282799 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:03.298018 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566


When an ACL drops traffic, the debug flow does not display any 'drop' keyword or statement indicating that the traffic was blocked by the ACL. Instead, the debug flow shows the traffic as allowed, with a matching firewall policy.

If packets are being dropped by the ACL, the ACL counter increases over time when the command is run repeatedly:


diagnose firewall acl counter
ACL id 1 dropped 0 packets

diagnose firewall acl counter
ACL id 1 dropped 30 packets

diagnose firewall acl counter
ACL id 1 dropped 42 packets


Traffic dropped by an ACL does not generate forward traffic logs or local traffic logs, because logs are generated only when traffic reaches the CPU.
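As an added helper script, not part of this article or of FortiOS, the following Python applies the two checks above to captured CLI text: it flags sniffer flows in which only client SYNs appear with no reply, and it reports the increase between two readings of 'diagnose firewall acl counter'. The sniffer lines and counter readings embedded below are constructed samples in the format shown in this article.

```python
import re
from collections import defaultdict

# Constructed sample sniffer output in the format this article shows; the
# port-22 flow gets a SYN-ACK back, the two HTTPS flows never do.
SNIFFER_OUTPUT = """\
2024-07-27 20:04:02.280256 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:02.283863 VLAN189 in 172.31.1.3.62741 -> 172.31.1.2.443: syn 3471340566
2024-07-27 20:04:03.282799 VLAN189 in 172.31.1.3.62740 -> 172.31.1.2.443: syn 1259685942
2024-07-27 20:04:05.100000 VLAN189 in 172.31.1.3.62799 -> 172.31.1.2.22: syn 11111111
2024-07-27 20:04:05.100500 VLAN189 out 172.31.1.2.22 -> 172.31.1.3.62799: syn 22222222 ack 11111112
"""
# Constructed sample: two consecutive readings of 'diagnose firewall acl counter'
COUNTER_BEFORE = "ACL id 1 dropped 0 packets\n"
COUNTER_AFTER = "ACL id 1 dropped 30 packets\n"

SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)
COUNTER_RE = re.compile(r"^ACL id (?P<id>\d+) dropped (?P<n>\d+) packets$")

def one_way_flows(sniffer_text):
    """Return {(src, sport, dst, dport): syn_count} for flows in which only client
    SYNs are seen and the server never answers: the sniffer signature of an ACL
    drop, because the ACL discards the packet before it is forwarded."""
    syns = defaultdict(int)
    replied = set()
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["flags"].startswith("syn") and "ack" not in m["flags"]:
            syns[key] += 1
        else:
            # Any non-SYN packet from B to A proves A's SYN towards B got through.
            replied.add((m["dst"], int(m["dport"]), m["src"], int(m["sport"])))
    return {k: v for k, v in syns.items() if k not in replied}

def acl_counter_deltas(before, after):
    """Compare two readings of 'diagnose firewall acl counter'; a positive delta
    per ACL id means that ACL is actively dropping packets."""
    def parse(text):
        return {int(m["id"]): int(m["n"]) for m in map(COUNTER_RE.match, text.splitlines()) if m}
    b, a = parse(before), parse(after)
    return {i: a[i] - b.get(i, 0) for i in a}
```

Paste real sniffer output and two counter readings into the two constants to check a live device.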


Note:

ACLs are supported on the following FortiGate models. For more information, see Config Firewall ACL - FortiGate CLI reference.

  • 100D.
  • 100E.
  • 100EF.
  • 101E.
  • 140D.
  • 140D-POE.
  • 140E.
  • 140E-POE.
  • 1500D.
  • 1500DT.
  • 3000D.
  • 3100D.
  • 3200D.
  • 3700D.
  • 3800D.
  • All 300E and larger E-series models.
  • All 100F and larger F-series models.