Access lists
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). Use access-list6 for IPv6 routing.
Access lists can be used to filter which updates are passed between routers, or which routes are redistributed to different networks and routing protocols. You can create lists of rules that will match all routes for a specific router or group of routers.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this purpose.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.
The syntax for access lists is:
config router access-list, access-list6 edit <access_list_name>
set comments config rule
edit <access_list_id>
set action
set exact-match set prefix
set prefix6 set wildcard
For an example of how access lists can be used to create receiving or sending “groups” in routing, see Border
Gateway Protocol (BGP) on page 338.