
Fortinet 548B User Manual

Page 896


minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is
zero for the current interval. This field is visible for a 'Deny' Action.

Assign Queue ID - Specifies the hardware egress queue identifier used to handle all packets
matching this IP ACL rule. The valid range of queue IDs is 0 to 6. This field is visible when 'Permit' is
chosen as 'Action'.

Mirror Interface - Specifies the specific egress interface where the matching traffic stream is copied
in addition to being forwarded normally by the device. This field cannot be set if a Redirect Interface
is already configured for the ACL rule. This field is visible for a 'Permit' Action.

Redirect Interface - Specifies the specific egress interface where the matching traffic stream is
forced, bypassing any forwarding decision normally performed by the device. This field is visible
when 'Permit' is chosen as 'Action'.

Match Every - Select true or false from the pulldown menu. True signifies that all packets will match
the selected IP ACL and Rule and will be either permitted or denied. In this case, since all packets
match the rule, the option of configuring other match criteria will not be offered. To configure specific
match criteria for the rule, remove the rule and re-create it, or re-configure 'Match Every' to 'False' for
the other match criteria to be visible.

Protocol Keyword - Specify that a packet's IP protocol is a match condition for the selected IP ACL
rule. The possible values are ICMP, IGMP, IP, TCP, and UDP. Either the 'Protocol Keyword' field or
the 'Protocol Number' field can be used to specify an IP protocol value as a match criterion.

Protocol Number - Specify that a packet's IP protocol is a match condition for the selected IP ACL
rule and identify the protocol by number. The protocol number is a standard value assigned by IANA
and is interpreted as an integer from 1 to 255. Either the 'Protocol Number' field or the 'Protocol
Keyword' field can be used to specify an IP protocol value as a match criterion.

Source IP Address - Enter an IP address using dotted-decimal notation to be compared to a
packet's source IP Address as a match criterion for the selected IP ACL rule.

Source Wildcard Mask - Specify the IP Mask in dotted-decimal notation to be used with the Source
IP Address value.

Source L4 Port Keyword - Specify a packet's source layer 4 port as a match condition for the
selected extended IP ACL rule. This is an optional configuration. The possible values are DOMAIN,
ECHO, FTP, FTPDATA, HTTP, SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values
translates into its equivalent port number, which is used as both the start and end of the port range.

Source L4 Port Number - Specify a packet's source layer 4 port as a match condition for the
selected extended IP ACL rule. This is an optional configuration.

Destination IP Address - Enter an IP address using dotted-decimal notation to be compared to a
packet's destination IP Address as a match criterion for the selected extended IP ACL rule.

Destination IP Mask - Specify the IP Mask in dotted-decimal notation to be used with the
Destination IP Address value.

Destination L4 Port Keyword - Specify the destination layer 4 port match conditions for the
selected extended IP ACL rule. The possible values are DOMAIN, ECHO, FTP, FTPDATA, HTTP,
SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values translates into its equivalent port
number, which is used as both the start and end of the port range. This is an optional configuration.

Destination L4 Port Number - Specify a packet's destination layer 4 port number match condition
for the selected extended IP ACL rule. This is an optional configuration.
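The field constraints described above can be checked before a rule is entered. The following is an added example, not code from the manual or the device: the dictionary key names are hypothetical, and the keyword-to-port numbers are the standard well-known port assignments, which the manual does not list.

```python
# Key names such as "queue_id" are hypothetical; the constraints come from the field text.
# Standard well-known ports for the L4 port keywords (assumed, not from the manual).
L4_PORT_KEYWORDS = {
    "DOMAIN": 53, "ECHO": 7, "FTP": 21, "FTPDATA": 20, "HTTP": 80,
    "SMTP": 25, "SNMP": 161, "TELNET": 23, "TFTP": 69, "WWW": 80,
}
PROTOCOL_KEYWORDS = {"ICMP", "IGMP", "IP", "TCP", "UDP"}
PERMIT_ONLY = ("queue_id", "mirror_interface", "redirect_interface")
MATCH_FIELDS = ("protocol_keyword", "protocol_number", "src_ip", "src_wildcard",
                "src_port_keyword", "src_port", "dst_ip", "dst_mask",
                "dst_port_keyword", "dst_port", "service_type")


def port_range(keyword):
    """A port keyword becomes both the start and the end of the port range."""
    port = L4_PORT_KEYWORDS[keyword.upper()]
    return (port, port)


def lint_rule(rule):
    """Return the list of problems found in one rule (empty list = consistent)."""
    problems = []
    action = rule.get("action")
    if action not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    if action == "deny":
        for f in PERMIT_ONLY:
            if f in rule:
                problems.append(f"{f} applies only to a Permit action")
    if "queue_id" in rule and not 0 <= rule["queue_id"] <= 6:
        problems.append("queue_id outside 0 to 6")
    if "mirror_interface" in rule and "redirect_interface" in rule:
        problems.append("mirror_interface cannot be set with redirect_interface")
    if rule.get("match_every"):
        extra = [f for f in MATCH_FIELDS if f in rule]
        if extra:
            problems.append("match_every excludes other criteria: " + ", ".join(extra))
    if rule.get("protocol_keyword", "IP").upper() not in PROTOCOL_KEYWORDS:
        problems.append("unknown protocol keyword")
    if "protocol_number" in rule and not 1 <= rule["protocol_number"] <= 255:
        problems.append("protocol_number outside 1 to 255")
    for f in ("src_port_keyword", "dst_port_keyword"):
        if f in rule and rule[f].upper() not in L4_PORT_KEYWORDS:
            problems.append(f"unknown {f}")
    return problems


# Constructed sample rule (not from the manual): breaks three constraints.
SAMPLE = {"action": "deny", "queue_id": 9, "match_every": True, "dst_port_keyword": "telnet"}
```
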

Service Type - Select a Service Type match condition for the extended IP ACL rule from the
pulldown menu. The possible values are IP DSCP, IP precedence, and IP TOS, which are
alternative ways of specifying a match criterion for the same Service Type field in the IP header;
however, each uses a different user notation. After a selection is made, the appropriate value can be
specified.

IP DSCP Configuration - Specify the IP DiffServ Code Point (DSCP) field. The DSCP is
defined as the high-order six bits of the Service Type octet in the IP header. This is an