Scope
This document describes how to get started with the FortiDDoS system, how to modify and manage configurations, how to monitor traffic, and how to troubleshoot system issues.
Figure 2 shows the order in which FortiDDoS applies its rules and actions. It is included in this introduction to give you an overview of the important features described in this manual. Packets matching the Do Not Track policy are forwarded without inspection; all other packets are evaluated against sets of built-in rules and user-defined rules. Legitimate traffic is forwarded with low latency.
1. Do Not Track—Forward packets from IP addresses listed in the Global Do Not Track policy. Use this list to allow traffic to/from specified IP addresses to bypass the system.
2. Global ACL Allow—Use global allow/deny rules for well known IPv4 addresses when the policy decision is not complicated. For example, you can create rules to allow traffic from source IP addresses for known systems, like devices that perform backups, which can have a high traffic profile because they need to establish many connections or send a large number of packets to perform their tasks. Traffic that matches Global ACL rules is not included in most SPP counters (like source or destination-centered counters), but it is included in protocol and port counters. The allow list is processed first. Packets that match IP address allow rules are forwarded without further processing. Packets that do not match IP address allow rules continue for further processing.
3. Global ACL Deny—You can configure rules that deny traffic to/from local addresses and geolocations to prevent spoofing, and from IPv4 address spaces and geolocations known to have no business requesting resources from any of the protected subnets. You can also block addresses maintained by the FortiGuard IP Reputation service. Packets that match deny rules are dropped. Packets that do not match the deny rules continue for further processing.
4. Protocol Anomalies—Drop packets identified by built-in protocol anomaly detection methods. No configuration is required. Layer 3 protocol anomaly detection is performed first. If no anomaly is found, the traffic continues to Layer 4 protocol anomaly detection. If no anomaly is found there either, the packets continue for further processing.
5. Global ACL Deny IP netmask—Rules configured to match an IPv4 netmask are consulted next. Packets that match deny rules are dropped. Otherwise, processing continues.
6. SPP ACL—Use SPP allow/deny rules to enforce nuanced policy decisions based on Layer 3, Layer 4, and Layer 7 parameters. An SPP administrator can create granular rules based on his or her knowledge of which IP addresses and services have, or have no, legitimate reason to travel inbound or outbound in the network. Layer 3 rules are processed first. Packets not dropped continue to Layer 4 rule processing. Packets not dropped continue to Layer 7 processing. Packets that are not dropped continue.
7. TCP State Anomalies—You can enable rules to drop packets identified by TCP state anomaly detection methods. Packets that have TCP state anomalies are either harmful or useless, so we recommend that you use the TCP state anomaly detection options to drop them. Packets that are not dropped continue.
8. Source SPP Thresholds—Packets are evaluated against the source table. Packets from source IP addresses subject to a FortiDDoS blocking period are dropped. Packets that exceed per-source thresholds are dropped. Packets that are not dropped continue.
9. Destination SPP Thresholds—Packets are evaluated against the destination table. Packets that exceed per-destination thresholds are dropped. Packets that are not dropped continue.
10. Port rules—Packets are evaluated against the SPP ACL and SPP thresholds. Packets that are not dropped continue.
11. SPP Thresholds—Packets are evaluated against SPP rate limits. Layer 3 thresholds are processed first, then Layer 4, then Layer 7.
If a maximum rate limit is reached, such as packet rate for a specified protocol, FortiDDoS drops the packets.
If a slow connection threshold is reached, FortiDDoS sends a TCP reset to the server.
If a SYN flood threshold is reached, FortiDDoS challenges the client using the configured SYN Flood Mitigation Mode method.
Otherwise, processing continues.
12. HTTP Header rules—Packets are evaluated against the SPP ACL and SPP thresholds. Packets that are not dropped are forwarded toward their destination.
Figure 2: FortiDDoS drop precedence
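As an added example (not Fortinet's code), the precedence order listed above can be modelled as a short decision chain. The packet fields, rule contents and thresholds below are constructed for illustration, and stages 6, 7 and 9 to 12 are omitted; the model shows why the order matters, for instance that a Do Not Track address is forwarded even if it also appears in a Global ACL deny rule, and that Global ACL allowed traffic never reaches the per-source counters.

```python
"""Simplified model of the FortiDDoS drop-precedence chain described above.
Added example, not Fortinet code: stage names follow the list in the text,
while packet fields, rules and limits are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80
    l4_anomaly: bool = False  # constructed flag standing in for a Layer 4 anomaly


@dataclass
class Policy:
    do_not_track: set = field(default_factory=set)    # stage 1
    global_allow: set = field(default_factory=set)    # stage 2
    global_deny: set = field(default_factory=set)     # stage 3
    deny_netmasks: list = field(default_factory=list) # stage 5, CIDR strings
    per_source_limit: int = 5                         # stage 8, packets per source


def classify(pkt: Packet, policy: Policy, src_counts: dict) -> tuple:
    """Walk the stages in precedence order; return (verdict, deciding stage)."""
    if pkt.src in policy.do_not_track:
        return "forward", "do_not_track"           # bypasses all later inspection
    if pkt.src in policy.global_allow:
        return "forward", "global_acl_allow"       # forwarded, not counted per source
    if pkt.src in policy.global_deny:
        return "drop", "global_acl_deny"
    if pkt.l4_anomaly:
        return "drop", "protocol_anomaly"          # evaluated before netmask deny rules
    if any(ip_address(pkt.src) in ip_network(n) for n in policy.deny_netmasks):
        return "drop", "global_acl_deny_netmask"
    # Stages 6 and 7 (SPP ACL, TCP state anomalies) are omitted in this model.
    src_counts[pkt.src] = src_counts.get(pkt.src, 0) + 1
    if src_counts[pkt.src] > policy.per_source_limit:
        return "drop", "source_spp_threshold"      # source table rate limit exceeded
    return "forward", "end_of_pipeline"


if __name__ == "__main__":
    pol = Policy(do_not_track={"10.0.0.9"}, global_deny={"10.0.0.9"})
    # Same address in Do Not Track and Global ACL Deny: stage 1 wins.
    print(classify(Packet("10.0.0.9", "10.1.1.1"), pol, {}))
```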