15.2 Advanced ACL
15.2.1 Overview
The Advanced ACL function enables the administrator to restrict the connections per second (CPS) and concurrent connections (CC) allowed for the clients on a specified subnet when they access virtual services, by configuring ACL rules. This prevents a few clients from over-occupying network bandwidth and mitigates high-volume attacks, which protects intranet resources.
The Advanced ACL function also allows the administrator to configure ACL whitelists to make the clients on the whitelists free from restriction of ACL rules. Furthermore, when accessing the HTTP or HTTPS virtual services for which the insert cookie policy has been used, the clients that carry cookies inserted by the FortiBalancer appliance in the requests are free from the restriction of any ACL rule.
ACL rules and ACL whitelists can be applied not only to an individual virtual service, but also to virtual services globally. The Advanced ACL function supports all TCP-based virtual services.
15.2.1.1 ACL Rule
The ACL rule supports two control modes and two control types.
Control modes:
- “total” mode indicates that all the clients on a subnet will be restricted by the ACL rule as a whole.
- “per-ip” mode indicates that every client on a subnet will be restricted by the ACL rule individually.
Control types:
- “cps” indicates restriction on the CPS.
- “concurrent” indicates restriction on the CC.
The administrator combines a control mode with a control type when configuring an ACL rule for a subnet. There are four combinations of ACL rules for the same subnet. See the following table.
Table 15-2 Four Rules for the Same Subnet
- total + cps: The total CPS of all the clients on the subnet cannot exceed the specified maximum value.
- total + concurrent: The total CC of all the clients on the subnet cannot exceed the specified maximum value.
- per-ip + cps: The CPS of every client on the subnet cannot exceed the specified maximum value.
- per-ip + concurrent: The CC of every client on the subnet cannot exceed the specified maximum value.
One or more rules of the preceding combinations are allowed for a subnet on the FortiBalancer appliance. If multiple rules have been configured for a subnet, these rules will work at the same time.
Subnet Nesting
The ACL rule supports subnet nesting. If the IP address of a client hits multiple subnets, the client is subject to the restriction of all the ACL rules of the smallest subnet hit, and of the “total” rules of all the upper subnets of the smallest subnet. The system supports 4-layer subnet nesting at most.
For example:
- 10.8.0.0/16: Both “total” and “per-ip” rules are configured.
- 10.8.1.0/24: Both “total” and “per-ip” rules are configured.
Then, clients on the subnet 10.8.1.0/24 will be subject to the restriction of:
- 10.8.1.0/24: “total” and “per-ip” rules
- 10.8.0.0/16: “total” rules
Clients on 10.8.0.0/16 but outside 10.8.1.0/24 (for example, on 10.8.2.0/24) are subject only to the “total” and “per-ip” rules of 10.8.0.0/16.
Note:
ACL rules may affect system performance.
ACL rules take effect only for connections established after the ACL rules are configured.
15.2.1.2 ACL Whitelist
The administrator can configure ACL whitelists to make the clients on the whitelists free from restriction of ACL rules. When both ACL rules and whitelists are applied to the same virtual service, the whitelists have higher processing priorities than the ACL rules.
If the IP address of a client belongs to the subnet defined in an ACL whitelist, the client will not be subject to the restriction of any ACL rule. However, the CPS and CC of the client will be counted in the total CPS and CC of the subnet it belongs to respectively.
For example:
- Rule: 10.8.1.0/24; total concurrent≤10,000
- Whitelist: 10.8.1.10/32
If the CC of the client whose IP address is 10.8.1.10 is 1,000,
Then, the maximum total CC available to the rest of the subnet 10.8.1.0/24 (excluding 10.8.1.10) is 9,000.
A whitelisted client is therefore never rejected itself, but its connections still consume the subnet's “total” budget. A heavily loaded whitelisted host can exhaust a “total” limit for the other clients on its subnet, so “total” limits should be sized with the expected load of whitelisted hosts included.
15.2.1.3 Application Scope
ACL rules and ACL whitelists can be applied not only to an individual virtual service, but also to virtual services globally. The advanced ACL function supports all TCP-based virtual services.
When accessing a specified virtual service, a client is subject to the restriction of not only the ACL rules applied to this virtual service individually but also the ACL rules applied globally.
For example:
- rule1: 0.0.0.0/0, per-ip concurrent≤1000
- rule2: 0.0.0.0/0, per-ip concurrent≤900
- rule1 is applied to vs1; rule2 is applied globally.
Then, when the client whose IP address is 10.8.1.10 accesses the virtual service “vs1”, the allowed maximum CC is 900.
15.2.1.4 Application of ACL Rules to HTTP-based Virtual Services
For Layer 7 HTTP and HTTPS virtual services with the insert cookie policy used, the FortiBalancer appliance inserts cookies in the responses sent to the clients and can identify these clients by the inserted cookie. When a client accesses the virtual service again and carries the cookie inserted by the FortiBalancer appliance in its requests, the client is not subject to the restriction of any ACL rule. However, the CPS and CC of the client are still counted in the total CPS and CC of the subnet it belongs to. The exemption is decided by the presence of the inserted cookie, not by the client address: a client is exempt from “per-ip” limits as soon as it presents a cookie issued by the appliance, and only the “total” counters still account for its traffic.
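The sections above describe how rules, subnet nesting, whitelists, global and per-service application, and the cookie exemption combine into one admission decision, but the manual only states each effect in isolation. The following model, added here as an illustration and not code from FortiBalancer or this manual, implements that decision so the combined effect of a configuration can be checked before it is deployed. Method names mirror the acl rule / acl whitelist / acl apply commands; the class, the dictionary layout, the one-second CPS window, and the choice to resolve subnet nesting separately within the per-service and global scopes and then take the union are this example's own assumptions, since the text does not say how the two scopes interact. The two example functions reproduce the worked examples of 15.2.1.2 and 15.2.1.3.

```python
# Model of the Advanced ACL admission logic of 15.2.1.1-15.2.1.4.
# Constructed illustration, not FortiBalancer code; see the lead-in for assumptions.
from ipaddress import ip_address, ip_network
from itertools import count

GLOBAL = "global"  # pseudo virtual-service name for globally applied objects


class AclModel:
    def __init__(self):
        self.rules = {}                  # name -> dict(net, mode, type, limit)
        self.whitelists = {}             # name -> network
        self.rule_scope = {GLOBAL: []}   # vs name -> [rule names]
        self.wl_scope = {GLOBAL: []}     # vs name -> [whitelist names]
        self.cc = {}                     # (rule, key) -> open connections
        self.cps = {}                    # (rule, key, second) -> new connections
        self.conns = {}                  # conn id -> [(rule, key)] to release on close
        self._ids = count(1)

    # Configuration, mirroring 'acl rule', 'acl whitelist' and 'acl apply'.
    def rule(self, name, subnet, mode, type_, limit):
        assert mode in ("total", "per-ip") and type_ in ("cps", "concurrent")
        self.rules[name] = dict(net=ip_network(subnet), mode=mode, type=type_, limit=limit)

    def whitelist(self, name, subnet):
        self.whitelists[name] = ip_network(subnet)

    def apply_rule(self, name, vs=GLOBAL):
        self.rule_scope.setdefault(vs, []).append(name)

    def apply_whitelist(self, name, vs=GLOBAL):
        self.wl_scope.setdefault(vs, []).append(name)

    def active_rules(self, vs, ip):
        """Rule names in force for ip on vs: per-VS and global rules both apply
        (15.2.1.3). Within each scope, nesting (15.2.1.1) keeps every rule of the
        most specific matching subnet plus only 'total' rules of wider subnets.
        Resolving per scope and taking the union is this model's assumption."""
        addr = ip_address(ip)
        out = []
        for scope in dict.fromkeys((vs, GLOBAL)):
            hits = [n for n in self.rule_scope.get(scope, []) if addr in self.rules[n]["net"]]
            if hits:
                deepest = max(self.rules[n]["net"].prefixlen for n in hits)
                out += [n for n in hits if self.rules[n]["net"].prefixlen == deepest
                        or self.rules[n]["mode"] == "total"]
        return out

    def exempt(self, vs, ip, has_cookie):
        """Whitelisted clients (15.2.1.2) and cookie-carrying clients (15.2.1.4)."""
        addr = ip_address(ip)
        names = self.wl_scope.get(vs, []) + self.wl_scope[GLOBAL]
        return has_cookie or any(addr in self.whitelists[n] for n in names)

    def _key(self, name, ip):
        # 'total' rules share one counter per rule; 'per-ip' rules count per client.
        return name if self.rules[name]["mode"] == "total" else (name, ip)

    def connect(self, vs, ip, now, has_cookie=False):
        """Admit or reject one new connection at integer second `now`.
        Returns (conn_id, None) when admitted, or (None, rule_name) naming the
        first active rule whose limit the connection would exceed."""
        active = self.active_rules(vs, ip)
        exempt = self.exempt(vs, ip, has_cookie)
        if not exempt:
            for n in active:
                r, k = self.rules[n], self._key(n, ip)
                used = self.cps.get((n, k, now), 0) if r["type"] == "cps" else self.cc.get((n, k), 0)
                if used >= r["limit"]:
                    return None, n
        # Admitted. Exempt clients are never rejected but still add to the
        # subnet's 'total' counters; their 'per-ip' counters are never consulted.
        cid = next(self._ids)
        self.conns[cid] = []
        for n in active:
            r, k = self.rules[n], self._key(n, ip)
            if exempt and r["mode"] != "total":
                continue
            if r["type"] == "cps":
                self.cps[(n, k, now)] = self.cps.get((n, k, now), 0) + 1
            else:
                self.cc[(n, k)] = self.cc.get((n, k), 0) + 1
                self.conns[cid].append((n, k))
        return cid, None

    def close(self, cid):
        for n, k in self.conns.pop(cid):
            self.cc[(n, k)] -= 1


def whitelist_example():
    """15.2.1.2 example: the whitelisted host's 1,000 connections leave 9,000 for the rest."""
    m = AclModel()
    m.rule("r_total", "10.8.1.0/24", "total", "concurrent", 10000)
    m.whitelist("w1", "10.8.1.10/32")
    m.apply_rule("r_total", "vs1")
    m.apply_whitelist("w1", "vs1")
    for _ in range(1000):
        m.connect("vs1", "10.8.1.10", 0)
    admitted = 0
    while m.connect("vs1", "10.8.1.20", 0)[1] is None:
        admitted += 1
    return admitted


def scope_example():
    """15.2.1.3 example: per-VS limit 1,000 and global limit 900; the global rule bites first."""
    m = AclModel()
    m.rule("rule1", "0.0.0.0/0", "per-ip", "concurrent", 1000)
    m.rule("rule2", "0.0.0.0/0", "per-ip", "concurrent", 900)
    m.apply_rule("rule1", "vs1")
    m.apply_rule("rule2")
    admitted = 0
    while True:
        _, blocked = m.connect("vs1", "10.8.1.10", 0)
        if blocked:
            return admitted, blocked
        admitted += 1
```

whitelist_example() returns 9000 and scope_example() returns (900, "rule2"), matching the manual's two examples. Feeding the model a planned rule set and the expected per-subnet load is a cheap way to see which rule would reject first and how much of a “total” budget whitelisted or cookie-carrying clients will consume.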
15.2.2 Advanced ACL Configuration
To complete the Advanced ACL configuration, perform the following steps:
- Configuring ACL rules
- (Optional) Configuring ACL whitelists
15.2.2.1 Configuring ACL rules
To configure ACL rules, you need to first add ACL rules and then apply these rules to a specified virtual service or apply them globally.
- web UI:
- Select System Configuration > Access Control > Advanced ACL > Rule. In the ACL Rule List area, click the Add action link. In the newly displayed page, specify the required parameters and click the Save action link to save the configuration.
- Select ACL Apply. In the ACL Apply List table, click the Apply action link. In the newly displayed page, apply the ACL rule to the specified virtual service or apply it globally. Then, click the Save action link to save the configuration.
- CLI:
- Execute the following command to add ACL rules:
acl rule <rule_name> <client_ip> {netmask|prefix} <acl_mode> <acl_type> <max_limit>
For example:
FortiBalancer(config)#acl rule rule1 61.130.10.0 255.255.255.0 total cps 1000000
FortiBalancer(config)#acl rule rule2 61.130.10.0 255.255.255.0 total concurrent 50000
FortiBalancer(config)#acl rule rule3 61.130.10.0 255.255.255.0 per-ip cps 10000
FortiBalancer(config)#acl rule rule4 61.130.10.0 255.255.255.0 per-ip concurrent 500
- Execute the following command to apply ACL rules to virtual services:
acl apply rule virtual <rule_name> <vs_name>
For example:
FortiBalancer(config)#acl apply rule virtual rule1 tcp_vs1
FortiBalancer(config)#acl apply rule virtual rule3 tcp_vs1
FortiBalancer(config)#acl apply rule virtual rule2 http_vs1
FortiBalancer(config)#acl apply rule virtual rule4 http_vs1
15.2.2.2 Configuring ACL Whitelists
To configure ACL whitelists, you need to first add ACL whitelists and then apply these whitelists to a specified virtual service or apply them globally.
- web UI:
- Select System Configuration > Access Control > Advanced ACL > Whitelist. In the ACL Whitelist List area, click the Add action link. In the newly displayed page, specify the required parameters and click the Save action link to save the configuration.
- Select ACL Apply. In the ACL Apply List table, click the Apply action link. In the newly displayed page, apply the ACL whitelist to the specified virtual service or apply it globally. Then, click the Save action link to save the configuration.
- CLI:
- Execute the following command to add ACL whitelists:
acl whitelist <whitelist_name> <client_ip> {netmask|prefix}
For example:
FortiBalancer(config)#acl whitelist whitelist1 61.130.10.10 255.255.255.255
- Execute the following command to apply ACL whitelists to virtual services:
acl apply whitelist virtual <whitelist_name> <vs_name>
For example:
FortiBalancer(config)#acl apply whitelist virtual whitelist1 tcp_vs1
FortiBalancer(config)#acl apply whitelist virtual whitelist1 http_vs1
15.2.2.3 Configuration Results
After the preceding configurations are completed, the FortiBalancer appliance will:
- When clients are accessing the virtual service “tcp_vs1”:
- Restrict the maximum total CPS of all clients on the subnet 61.130.10.0/24 to 1,000,000.
- Restrict the maximum CPS of every client on the subnet 61.130.10.0/24 to 10,000.
- Not restrict the CPS of the client whose IP address is 61.130.10.10 (its CPS is still counted in the 1,000,000 total).
- When clients are accessing the virtual service “http_vs1”:
- Restrict the maximum total CC of all clients on the subnet 61.130.10.0/24 to 50,000.
- Restrict the maximum CC of every client on the subnet 61.130.10.0/24 to 500.
- Not restrict the CC of the client whose IP address is 61.130.10.10 (its CC is still counted in the 50,000 total).