Integrated switch fabric (ISF) access control list (ACL) short-cut path
On FortiGate models that include NP4 and XLR ports and an integrated switch fabric (for example, the FortiGate-3x40 and 3950/1 models), you can create an ISF ACL security policy that allows some traffic (for example, multicast traffic) to bypass security inspection, resulting in reduced CPN and NP4 processor load.
This feature is only available in Transparent mode and only between port pairs.
| Traffic accepted and forwarded by an ISF policy is not subject to security inspection. Normally, you should only create ISF policies for traffic that you consider very low risk. |
Use the following command to add an ISF ACL shortcut policy:
config firewall isf-acl
config port-pair-1
edit 1
set type binary
set ingressport <port1 | port2>
set offset
set length
set matchpattern <patter in hex>
set action <bypass|block>
edit 2
set type 5-tuple
set srcaddr: a.b.c.d/32
set dstaddr 239.A.A.a/32
set proto UDP
set port XXX
set action <bypass|block>
end