Using FortiDDoS ACLs
You can configure access control lists (ACLs) to deny known attacks and unwarranted traffic. For example, in a data center environment, ACLs can protect the router from getting overloaded by floods from known attacks.
The ACLs are part of the core hardware architecture, so they do not add to latency through the device when you enable or disable them.
FortiDDoS enforces a Global ACL that applies to all traffic, and SPP ACLs that are applied after traffic has been sorted into an SPP.
The Global ACL features include:
• An anti-spoofing ACL based on the local address configuration
• An ACL based on source IP address
• An ACL based on GeoLocation addresses
• An ACL based on the IP Reputation list provided through FortiGuard
Traffic can match more than one Global ACL rule, but only one deny reason-code is logged. The logged reason-code is chosen according to the following order of precedence (highest first):
• Anti-spoofing
• Source IP address
• GeoLocation
• IP Reputation
You can configure additional ACLs per SPP. The SPP ACL rules can be based on source IP address, service port, or Layer 7 parameter.
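As an added illustration (not FortiDDoS code and not its configuration syntax), the following Python models the evaluation order described above: every Global ACL check is evaluated, only the highest-precedence matching reason is logged, and SPP ACL rules apply only to traffic that survives the Global ACL. The address ranges, the country table standing in for a GeoLocation database, the reputation entries standing in for the FortiGuard list, the sorting of traffic into an SPP by destination subnet, and the assumption that an inbound packet whose source address falls inside the configured local address ranges is treated as spoofed are all constructed for this example.

```python
import ipaddress

# --- Constructed sample configuration (illustration only, not a FortiDDoS export) ---
LOCAL_ADDRESSES = [ipaddress.ip_network("203.0.113.0/24")]   # protected (local) prefixes
SOURCE_DENY = [ipaddress.ip_network("198.51.100.0/25")]      # Global source-IP ACL
GEO_DENY = {"XX"}                                             # denied country code (constructed)
IP_REPUTATION = {ipaddress.ip_address("192.0.2.77")}          # stands in for the FortiGuard list

# Constructed country table standing in for a GeoLocation database.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/25"): "XX",
    ipaddress.ip_network("192.0.2.128/25"): "YY",
    ipaddress.ip_network("198.51.100.0/24"): "YY",
}

# Per-SPP configuration (assumed shape): traffic is sorted into an SPP by destination
# subnet, and each SPP ACL rule is a dict of the fields it constrains.
SPP_POLICY = {
    "spp-web": {
        "subnets": [ipaddress.ip_network("203.0.113.0/25")],
        "acl": [{"proto": "udp", "dport": 53}],                 # service-port rule
    },
    "spp-dns": {
        "subnets": [ipaddress.ip_network("203.0.113.128/25")],
        "acl": [{"src": ipaddress.ip_network("192.0.2.0/24")}],  # source-IP rule
    },
}

# Order of precedence from the text: only the first matching reason is logged.
PRECEDENCE = ("anti-spoofing", "source-ip", "geolocation", "ip-reputation")


def in_any(addr, networks):
    return any(addr in net for net in networks)


def country_of(addr):
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def global_acl(src):
    """Return (decision, logged_reason). Every Global ACL rule is evaluated, but only
    the highest-precedence matching reason is reported."""
    addr = ipaddress.ip_address(src)
    matched = set()
    if in_any(addr, LOCAL_ADDRESSES):      # assumption: inbound packet claiming a local source
        matched.add("anti-spoofing")
    if in_any(addr, SOURCE_DENY):
        matched.add("source-ip")
    if country_of(addr) in GEO_DENY:
        matched.add("geolocation")
    if addr in IP_REPUTATION:
        matched.add("ip-reputation")
    for reason in PRECEDENCE:
        if reason in matched:
            return "deny", reason
    return "allow", None


def sort_into_spp(dst):
    """Assumption for the example: the SPP is chosen by destination subnet."""
    addr = ipaddress.ip_address(dst)
    for name, spp in SPP_POLICY.items():
        if in_any(addr, spp["subnets"]):
            return name
    return None


def spp_acl(spp_name, src, proto, dport):
    """Deny if any rule of the SPP matches on every field it constrains."""
    addr = ipaddress.ip_address(src)
    for rule in SPP_POLICY[spp_name]["acl"]:
        if "src" in rule and addr not in rule["src"]:
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return "deny"
    return "allow"


def evaluate(src, dst, proto, dport):
    """Global ACL first; the SPP ACL is applied only to traffic that survives it."""
    decision, reason = global_acl(src)
    if decision == "deny":
        return ("deny", "global", reason)
    spp = sort_into_spp(dst)
    if spp is None:
        return ("allow", None, None)       # assumption: no SPP match, no SPP ACL applied
    if spp_acl(spp, src, proto, dport) == "deny":
        return ("deny", spp, "spp-acl")
    return ("allow", spp, None)


if __name__ == "__main__":
    # 192.0.2.77 is in denied country XX AND on the reputation list: only
    # "geolocation" is logged because it precedes "ip-reputation".
    print(evaluate("192.0.2.77", "203.0.113.10", "tcp", 80))
```

The first call in the `__main__` block is the case the text describes: a source that matches two Global ACL rules is denied once, with only the higher-precedence reason recorded. Traffic that passes the Global ACL is then subject only to the rules of the SPP it was sorted into.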
The following table summarizes the traffic parameters you can use to enforce an ACL.
Table 5: ACL parameters

| Layer | Parameter | ACL |
|---|---|---|
| Layer 3 | Any protocol (up to 256) | SPP |
| Layer 3 | Fragment | SPP |
| Layer 3 | IP netmask or address (up to 4 billion) | Global, SPP |
| Layer 3 | Geolocation (countries and regions), anonymous proxy, satellite provider | Global |
| Layer 3 | IP reputation (based on data from external public sources) | IP Reputation (subscription) |
| Layer 4 | TCP port (up to 64k) | SPP |
| Layer 4 | UDP port (up to 64k) | SPP |
| Layer 4 | ICMP type/code (up to 64k) | SPP |
| Layer 7 | URLs (up to 32k) | SPP |
| Layer 7 | Host (512) | SPP |
| Layer 7 | Referer (512) | SPP |
| Layer 7 | Cookie (512) | SPP |
| Layer 7 | User-Agent (512) | SPP |