Access Lists
Access lists are filters used by FortiGate unit OSPF routing. An access list provides a list of IP addresses and the action to take for them — essentially an access list makes it easy to group addresses that will be treated the same into the same group, independent of their subnets or other matching qualities. You add a rule for each address or subnet that you want to include, specifying the action to take for it. For example if you wanted all traffic from one department to be routed a particular way, even in different buildings, you can add all the addresses to an access list and then handle that list all at once.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a problem, you can check each list instead of individual addresses. Also, it eases troubleshooting since if all addresses on one list have problems, it eliminates many possible causes right away.
If you are using the OSPF+ IPv6 protocols you will need to use access-list6, the IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.
For example, if you want to create an access list called test_list that only allows an exact match of 10.10.10.10 and 11.11.11.11, enter the command:
config router access-list edit test_list
config rule edit 1
set prefix 10.10.10.10 255.255.255.255 set action allow
set exact-match enable next
edit 2
set prefix 11.11.11.11 255.255.255.255 set action allow
set exact-match enable end
end
Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6 equivalents of
10.10.10.10 and 11.11.11.11, enter the command access-list6 as follows:
config router access-list6 edit test_list_ip6
config rule edit 1
set prefix6 2002:A0A:A0A:0:0:0:0:0:/48 set action deny
next edit 2
set prefix6 2002:B0B:B0B:0:0:0:0:0/48 set action deny
end
To use an access_list, you must call it from a routing protocol such as RIP. The following example uses the access_list from the earlier example called test_list to match routes coming in on the port1 interface. When there is a match, it will add 3 to the hop count metric for those routes to artificially decrease their priority. Enter the following command:
config router ospf
config distribute-list edit 5
set access-list test_list
set protocol connected end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route 0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this purpose.