router : access-list, access-list6
 
access-list, access-list6
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). Use access-list6 for IPv6 routing.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
 
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see router prefix-list, prefix-list6.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.
Syntax
config router access-list, access-list6
edit <access_list_name>
set comments <string>
config rule
edit <access_list_id>
set action {deny | permit}
set exact-match {enable | disable}
set prefix { <prefix_ipv4mask> | any }
set prefix6 { <prefix_ipv6mask> | any }
set wildcard <address_ipv4> <wildcard_mask>
end
end
 
The action and prefix fields are required. The exact-match field is optional.
 
Variable
Description
Default
edit <access_list_name>
Enter a name for the access list. An access list and a prefix list cannot have the same name.
No default.
comments <string>
Enter a descriptive comment. The max length is 127 characters.
No default.
config rule variables
edit <access_list_id>
Enter an entry number for the rule. The number must be an integer.
No default.
action {deny | permit}
Set the action to take for this prefix.
permit
exact-match {enable | disable}
By default, access list rules are matched on the prefix or any more specific prefix. Enable exact-match to match only the configured prefix.
disable
prefix { <prefix_ipv4mask> | any }
Enter the prefix for this access list rule. Enter either:
IPv4 address and network mask
any — match any prefix.
any
prefix6 { <prefix_ipv6mask> | any }
Enter the prefix for this IPv6 access list rule. Enter either:
IPv6 address and network mask
any — match any prefix.
This variable is only used with config access-list6.
any
wildcard <address_ipv4> <wildcard_mask>
Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process “even” or “odd” networks according to any network address octet).
For best results, do not specify a wildcard attribute unless prefix is set to any.
This variable is only used with config access-list.
No default.