Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sfort9797
New Contributor

FortiSwitch ACL processing

Hi,

 

Coming from Cisco world i would like to know how ACL processing works in fortiswitches. Couldn't find any documentation. Does ACL order matter? For example:
config switch acl ingress
edit 10
set status active
config classifier
set dst-ip-prefix 172.16.10.0/29
set src-ip-prefix 192.168.1.0/24
end
config action
set drop disable
edit 8
set status active
config classifier
set dst-ip-prefix 172.16.10.0/24
set src-ip-prefix 192.168.1.0/24
end
config action
set drop enable

 

Policy 10 allow traffic to 172.16.10.0/29

Policy 8 deny traffic to 172.16.10.0/24 (supernet)

Will it process based on destination IP with longest subnet mask or pick up the policy with lowest policy identifier number?

1 REPLY 1
ebilcari
Staff
Staff

Keep in mind that there are two separate documentation/guides for FSW (FortiLink and Standalone). In this case I guess you are referring to standalone mode. As seen on this section of the Administration guide the order meters: The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added ) matter.

You can also refer to the examples to get a better understanding.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Top Kudoed Authors