Hi,
I have a Fortigate 100F , with firmware 6.0.9, and I would like to know if it's possible to activate IPv4 Access Control List for the wan1 interface. I can activate for the other interfaces, but wan1 does not appear in the "Incoming Interface" list. I've read the ACL documentation on:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/898126/ipv4-ipv6-access-control-lists
It says "the ACL function is only supported on switch fabric driven interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do support ACL."
I'm not using hardware switch but I would like to know what does it mean when it says "switch facric driven interfaces". Is there any technical limitation in this interface in my specific model? If yes, How can I block incoming paquets to the wan1 interface, regardless of its destination interface?
Thanks in advance
Based on below doc, wan1&wan2 ports on 100F are a part of switch fabric connected ports. If they don't show up in ACL config options, there must be some extra-condition for ACL. If you really want to know, you probably need to open a ticket at TAC to ask.
But for most cases, local-in policy would block any access attempts to all FGT interfaces.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/363127/local-in-policies
Hi!
Thanks for your answer! As you said, it seems that the WAN interfaces ARE connected to the internal switch fabric, so I can't understand why are not available to use for the ACL...
I have an open ticket with support for a week, but they weren't even able to send me this link with the fastpath architecture, so I don't know if we will find the answer. I keep this thread open just in case we will find the answer. Meanwhile the local-in policy is the option.
I keep trying, thanks again!
Probably they know the fact in the doc already but either or both looking for a bug report with your version or/and waiting for an answer from developers if the document is not an error, which is possible because the 'F' series is relatively new.
By the way, the forum thread never closes because these are not support cases. Some times people find an old case from a couple of years ago and comment on it to ask for similar cases of their own. They either find them in internet searches or in the search box on the forum page. It might be hard to be found if the subject line doesn't have enough specific key words to describe the issue. Yours is easy because 'ACL' and '100F' are in it.
Thanks for your help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.