You can configure access control lists (ACLs) to deny known attacks and unwarranted traffic. For example, in a data center environment, you can use ACLs to protect the router from getting overloaded by floods from known attacks.
The ACLs are part of the core hardware architecture, so they do not add to latency through the device when you enable or disable them.
FortiDDoS enforces a Global ACL that applies to all traffic, and SPP ACLs that are applied after traffic has been sorted into an SPP.
The Global ACL features include:
It is possible for traffic to be denied based on multiple Global ACL rules, but only one deny reason-code is logged. The reason-code is based on the following order of precedence.
You can configure additional ACLs per SPP. The SPP ACL rules can be based on source IP address, service, or Layer 7 parameter.
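The two-stage evaluation described above (a Global ACL applied to all traffic, then SPP ACLs applied only after the traffic has been sorted into an SPP) and the single-reason-code logging rule can be modelled in a few lines. The following Python is an added illustration, not FortiDDoS code or configuration syntax: the rule names, the numeric precedence values, the subnet-based SPP sorting and the packet summaries are all constructed for the example, and the precedence order is an assumption, not the device's actual order.

```python
"""Two-stage ACL evaluation (Global ACL, then SPP ACL) logging one deny reason-code."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    reason: str                      # deny reason-code that would be logged
    precedence: int                  # lower wins when several rules match (assumed ordering)
    match: Callable[[dict], bool]    # predicate over a packet/flow summary


@dataclass
class Decision:
    action: str                      # "permit" or "deny"
    reason: Optional[str]            # the single logged reason-code, None when permitted
    matched: tuple                   # every rule that matched, kept for reference only


def evaluate(rules, pkt):
    """Deny if any rule matches; log only the highest-precedence reason-code."""
    hits = [r for r in rules if r.match(pkt)]
    if not hits:
        return Decision("permit", None, ())
    best = min(hits, key=lambda r: r.precedence)
    return Decision("deny", best.reason, tuple(r.reason for r in hits))


def classify_spp(pkt, spp_subnets):
    """Sort traffic into an SPP by destination subnet (a simplifying assumption)."""
    dst = ipaddress.ip_address(pkt["dst"])
    for name, net in spp_subnets.items():
        if dst in ipaddress.ip_network(net):
            return name
    return "default"


def process(pkt, global_rules, spp_rules, spp_subnets):
    """Global ACL applies to all traffic; SPP ACL only after sorting into an SPP."""
    decision = evaluate(global_rules, pkt)
    if decision.action == "deny":
        return "global", decision
    spp = classify_spp(pkt, spp_subnets)
    return spp, evaluate(spp_rules.get(spp, ()), pkt)


# Constructed rule sets; precedence numbers are illustrative, not the device's real order.
BLOCKED_SRC = ipaddress.ip_network("203.0.113.0/24")
GLOBAL_RULES = (
    Rule("ip-address", 1, lambda p: ipaddress.ip_address(p["src"]) in BLOCKED_SRC),
    Rule("geolocation", 2, lambda p: p.get("country") in {"XX"}),
    Rule("dns-blacklisted-domain", 3, lambda p: p.get("dns_qname") in {"bad.example"}),
)
SPP_SUBNETS = {"web": "198.51.100.0/24"}
SPP_RULES = {
    "web": (
        Rule("protocol", 10, lambda p: p["proto"] == 47),                        # deny GRE
        Rule("fragment", 11, lambda p: p.get("fragment", False)),
        Rule("tcp-port", 12, lambda p: p["proto"] == 6 and p.get("dport") == 23),
        Rule("url", 20, lambda p: str(p.get("url", "")).startswith("/admin")),
    ),
}

# Constructed packet/flow summaries (documentation address ranges only)
PKT_FLOOD = {"src": "203.0.113.5", "dst": "198.51.100.10", "proto": 6,
             "dport": 80, "country": "XX"}
PKT_TELNET_ADMIN = {"src": "192.0.2.7", "dst": "198.51.100.10", "proto": 6,
                    "dport": 23, "url": "/admin/login", "country": "US"}
PKT_CLEAN = {"src": "192.0.2.8", "dst": "198.51.100.10", "proto": 6,
             "dport": 443, "country": "US"}


def run_samples():
    """Evaluate the three constructed samples; returns {name: (stage, Decision)}."""
    samples = (("flood", PKT_FLOOD), ("telnet_admin", PKT_TELNET_ADMIN), ("clean", PKT_CLEAN))
    return {name: process(p, GLOBAL_RULES, SPP_RULES, SPP_SUBNETS) for name, p in samples}


if __name__ == "__main__":
    for name, (stage, d) in run_samples().items():
        print(f"{name}: stage={stage} action={d.action} reason={d.reason} matched={d.matched}")
```

The "flood" sample matches two Global rules (source address and geolocation) but yields one reason-code, the one with the higher precedence; the "telnet_admin" sample passes the Global ACL, is sorted into the "web" SPP, and is denied there on the TCP-port rule even though the URL rule also matched. Keeping the full `matched` tuple alongside the logged reason is useful when tuning rules, since the single logged code alone does not tell you which other rules would have fired.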
The following table summarizes the traffic parameters you can use to enforce an ACL.
| Parameter | ACL |
|---|---|
| Layer 3 | |
| Any protocol (up to 256) | SPP |
| Fragment | SPP |
| IP netmask or address (up to 4 billion) | Global, SPP |
| Geolocation (countries and regions), anonymous proxy, satellite provider | Global |
| IP reputation (based on data from external public sources) | IP Reputation (subscription) |
| Layer 4 | |
| TCP port (up to 64k) | SPP |
| UDP port (up to 64k) | SPP |
| ICMP type/code (up to 64k) | SPP |
| Layer 7 | |
| URLs (up to 32k) | SPP |
| Host (512) | SPP |
| Referer (512) | SPP |
| Cookie (512) | SPP |
| User-Agent (512) | SPP |
| DNS-All | SPP |
| DNS-Fragment | SPP |
| DNS-MX | SPP |
| DNS-Zone-Transfer | SPP |
| Restrict DNS queries to specific subnets | SPP |
| DNS blacklisted domains | Global |
| DNS blacklisted IPv4 addresses | Global |