Policy configuration – FortiOS 6

IPv4 access control list

The IPv4 Access Control List is a specialized policy for denying IPv4 traffic based on:

  - the incoming interface
  - the source addresses of the traffic
  - the destination addresses of the traffic
  - the services or ports the traffic is using

The only action available in this policy is DENY. Traffic that does not match an entry is not permitted by the list; it simply continues on to the regular firewall policies.

For more information, see Access Control Lists.

To configure an IPv4 access control list entry in the GUI

  1. Go to Policy & Objects > IPv4 Access Control List. The right side window will display a table of the existing IPv4 Access Control List entries.
     - To edit an existing entry, double click on the entry you wish to edit.
     - To create a new entry, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Services parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Toggle whether or not to Enable this entry. The default is enabled.
  7. Select the OK button to save the entry.

To configure an IPv4 access control list entry in the CLI

Use the following syntax (each edit block is closed with next, and the whole table with end):

    config firewall acl
        edit <acl Policy ID #>
            set status enable
            set interface <interface>
            set srcaddr <address object>
            set dstaddr <address object>
            set service <service object>
        next
    end
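The GUI and CLI procedures above both reference address and service objects that must already exist. The following is an added worked example, not configuration from the original page or from Fortinet: it creates the objects the ACL entry refers to and then the entry itself. The object names (Blocked-Scanner-Net, SMB-445), the interface name wan1, the 203.0.113.0/24 documentation subnet and the ACL ID 1 are all assumptions chosen for illustration; substitute your own.

```fortios
# Added example (not from the original page). Object names, interface name,
# subnet and ACL ID are assumptions for illustration only.

# 1. Source address object the ACL entry will match on.
config firewall address
    edit "Blocked-Scanner-Net"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2. Custom service object: TCP port 445 only.
config firewall service custom
    edit "SMB-445"
        set tcp-portrange 445
    next
end

# 3. The ACL entry. There is no action keyword: every entry is a DENY.
#    Note that interface takes a single interface, whereas srcaddr, dstaddr
#    and service may list several objects unless "all"/"ALL" is used.
config firewall acl
    edit 1
        set status enable
        set interface "wan1"
        set srcaddr "Blocked-Scanner-Net"
        set dstaddr "all"
        set service "SMB-445"
    next
end

# 4. Confirm what was written.
show firewall acl
```

Because the list can only deny, keep dstaddr and service as narrow as the goal requires: an entry with srcaddr all, dstaddr all and service ALL on an interface drops everything arriving on that interface, which is easy to do by accident when the "all" option is selected in the GUI. After saving, confirm the entry with show firewall acl before relying on it.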

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
