Fortinet MR1 User Manual
Page 593
Selection Criteria
IP ACL ID - Use the pulldown menu to select the IP ACL for which to create or update a rule.
Rule - Select an existing rule from the pulldown menu, or select 'Create New Rule' to add a rule to
the selected ACL. New rules cannot be created once the maximum number of rules has been
reached. A packet matches a rule only if it satisfies all of the criteria specified for that rule; only
then does the rule's action (Permit/Deny) take place.
Configurable Data
Rule ID - Enter a whole number in the range of 1 to 8 that will be used to identify the rule. An IP ACL
may have up to 8 rules.
Action - Specify what action should be taken if a packet matches the rule's criteria. The choices are
permit or deny.
Assign Queue ID - Specifies the hardware egress queue identifier used to handle all packets matching
this IP ACL rule. The valid range of queue IDs is 0 to 6. This field is visible only when 'Permit' is
chosen as the 'Action'.
Redirect Interface - Specifies the egress interface to which the matching traffic stream is forced,
bypassing the forwarding decision the device would normally make. This field is visible only when
'Permit' is chosen as the 'Action'.
Match Every - Select true or false from the pulldown menu. True means that every packet matches the
selected IP ACL rule and is permitted or denied according to the rule's action. Because all packets
match, no other match criteria can be configured and those fields are not offered. To configure specific
match criteria for the rule, either remove the rule and re-create it, or set 'Match Every' to 'False' so
that the other match criteria become visible.
Protocol Keyword - Specify that a packet's IP protocol is a match condition for the selected IP ACL
rule. The possible values are ICMP, IGMP, IP, TCP, and UDP. Either the 'Protocol Keyword' field or the
'Protocol Number' field can be used to specify an IP protocol value as a match criterion.
Protocol Number - Specify that a packet's IP protocol is a match condition for the selected IP ACL rule
and identify the protocol by number. The protocol number is a standard value assigned by IANA and is
interpreted as an integer from 1 to 255. Either the 'Protocol Number' field or the 'Protocol Keyword' field
can be used to specify an IP protocol value as a match criterion.
Source IP Address - Enter an IP address in dotted-decimal notation to be compared with a packet's
source IP address as a match criterion for the selected IP ACL rule.
Source IP Mask - Specify the IP Mask in dotted-decimal notation to be used with the Source IP
Address value.
Source L4 Port Keyword - Specify a packet's source layer 4 port as a match condition for the selected
extended IP ACL rule. This is an optional configuration. The possible values are DOMAIN, ECHO, FTP,
FTPDATA, HTTP, SMTP, SNMP, TELNET, TFTP, and WWW. Each of these values translates into its
equivalent port number, which is used as both the start and end of the port range.
Source L4 Port Number - Specify a packet's source layer 4 port as a match condition for the selected
extended IP ACL rule. This is an optional configuration.
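As an added example (not code from this manual or from Fortinet), the following Python models the rule fields described on this page and evaluates packets against them. It enforces the limits the page states (Rule ID 1 to 8, Queue ID 0 to 6, Protocol Number 1 to 255, queue and redirect only with Permit, keyword or number but not both) and the rule semantics the page gives: a packet must satisfy every configured criterion, 'Match Every' matches everything and ignores the other criteria, and a port keyword becomes a one-port range. Everything the page does not state is an assumption and is marked as such in the code: the keyword tables use the standard IANA numbers, the 'IP' keyword matches any IP protocol, the source mask is treated as a conventional subnet mask, rules are tried in ascending Rule ID order, and a packet matching no rule is denied. The sample rules and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Keywords listed on the page, mapped to IANA numbers (assumption: the device uses
# the same standard numbers; the 'IP' keyword is taken to match any IP protocol).
PROTOCOL_KEYWORDS = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "IP": None}
L4_PORT_KEYWORDS = {"DOMAIN": 53, "ECHO": 7, "FTP": 21, "FTPDATA": 20, "HTTP": 80,
                    "SMTP": 25, "SNMP": 161, "TELNET": 23, "TFTP": 69, "WWW": 80}


@dataclass
class IpAclRule:
    rule_id: int                              # 1..8 per the page
    action: str                               # "permit" or "deny"
    match_every: bool = False
    protocol_keyword: Optional[str] = None
    protocol_number: Optional[int] = None     # 1..255 per the page
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None
    src_l4_port_keyword: Optional[str] = None
    src_l4_port_number: Optional[int] = None
    assign_queue_id: Optional[int] = None     # 0..6, Permit only
    redirect_interface: Optional[str] = None  # Permit only

    def __post_init__(self) -> None:
        # Reject what the web UI rejects: the ranges and dependencies stated on the page.
        checks = [
            (1 <= self.rule_id <= 8, "Rule ID must be 1..8"),
            (self.action in ("permit", "deny"), "Action must be permit or deny"),
            (self.action == "permit" or (self.assign_queue_id is None
             and self.redirect_interface is None), "queue/redirect need Action=permit"),
            (self.assign_queue_id is None or 0 <= self.assign_queue_id <= 6, "Queue ID 0..6"),
            (self.protocol_keyword is None or self.protocol_number is None,
             "Protocol: keyword or number, not both"),
            (self.protocol_number is None or 1 <= self.protocol_number <= 255, "Protocol 1..255"),
            (self.src_l4_port_keyword is None or self.src_l4_port_number is None,
             "Source L4 port: keyword or number, not both"),
        ]
        for ok, msg in checks:
            if not ok:
                raise ValueError(msg)

    def protocol(self) -> Optional[int]:
        kw = self.protocol_keyword
        return PROTOCOL_KEYWORDS[kw.upper()] if kw is not None else self.protocol_number

    def src_port_range(self) -> Optional[Tuple[int, int]]:
        # A keyword translates to its port number, used as both start and end of the range.
        kw = self.src_l4_port_keyword
        port = L4_PORT_KEYWORDS[kw.upper()] if kw is not None else self.src_l4_port_number
        return None if port is None else (port, port)


@dataclass
class Packet:
    protocol: int
    src_ip: str
    src_port: Optional[int] = None


def rule_matches(rule: IpAclRule, pkt: Packet) -> bool:
    if rule.match_every:  # every packet matches; the other criteria are not consulted
        return True
    proto = rule.protocol()
    if proto is not None and pkt.protocol != proto:
        return False
    if rule.src_ip is not None:
        # Assumption: a conventional subnet mask (1 bits compared). Some switch platforms
        # use a wildcard mask (0 bits compared); verify on the device before trusting scope.
        mask = int(ipaddress.IPv4Address(rule.src_mask or "255.255.255.255"))
        if int(ipaddress.IPv4Address(pkt.src_ip)) & mask != int(ipaddress.IPv4Address(rule.src_ip)) & mask:
            return False
    rng = rule.src_port_range()
    if rng is not None and (pkt.src_port is None or not rng[0] <= pkt.src_port <= rng[1]):
        return False
    return True


def evaluate_acl(rules, pkt: Packet, default: str = "deny"):
    # First match in ascending Rule ID order decides. The ordering and the "deny"
    # default when nothing matches are assumptions; the page does not state them.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule
    return default, None


def rule_is_valid(**fields) -> bool:
    try:
        IpAclRule(**fields)
        return True
    except ValueError:
        return False


# Constructed sample ACL (not from the page): drop TCP from 192.0.2.0/24 with a Telnet
# source port, otherwise permit that subnet on queue 3, then permit everything else.
SAMPLE_RULES = [
    IpAclRule(1, "deny", protocol_keyword="TCP", src_ip="192.0.2.0",
              src_mask="255.255.255.0", src_l4_port_keyword="TELNET"),
    IpAclRule(2, "permit", protocol_keyword="IP", src_ip="192.0.2.0",
              src_mask="255.255.255.0", assign_queue_id=3),
    IpAclRule(3, "permit", match_every=True),
]
```

The mask convention is the point to confirm before trusting any rule built from this page: configure one rule with a Source IP Mask, send a packet from inside and one from outside the intended range, and check which one the counters show as matched. A mask read the wrong way round turns a single-host rule into a near-wildcard one, which matters most when the rule's action is Permit with a Redirect Interface.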