Access Control Lists (ACLs) are ordered sets of rules that filter traffic. Each rule has a set of conditions that a packet must satisfy to match it. A packet is tested against the rules in order, and the first match determines whether it is permitted or denied.

To add an ACL group, go to the Organization > ACL Groups tab.

Begin by selecting a Group Name.

Pick the Network, Tag, or device where the ACL group is applied.

Select your logging preferences. You can choose to Log all ACLs, Log only denied ACLs, Log only accepted ACLs, Log as per ACL Logging or Log disabled. 

Add a rule:

Click the +Add button for either Layer 3 or Layer 7 ACLs.

For Layer 3, configure the Policy, Protocol, Src Uplink Type, Src IP/Domain, Src Bitmask, Src Port, Dst Uplink Type, Dst IP/Domain, Dst Bitmask, Dst Port.

Select Yes or No for Enabled and Log. 

For Layer 7, configure the Policy, Uplink Type, Src IP/Domain, Src Bitmask, Category and Application.

Re-order ACL:

To reorder the rules, click the arrows at the end of the rule. 

To Save an ACL:

Click Create ACL group.
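
Because the first match decides, rule order changes the outcome. The following is an added example, not the product's own code: it models a subset of the Layer 3 fields, evaluates a packet first-match, and lists rules that an earlier rule fully covers, so they can be reordered before saving. The policy strings, the skipping of disabled rules, IPv4-only addresses and the sample rules are assumptions.

```python
# Added illustration, not vendor code. Field names follow the Layer 3 form;
# policy strings and skipping of disabled rules are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def net(ip, bits):
    return ip_network(f"{ip}/{bits}", strict=False)

@dataclass
class Rule:
    policy: str                      # "allow" or "deny" (constructed values)
    protocol: str                    # "tcp", "udp" or "any"
    src_ip: str
    src_bitmask: int
    dst_ip: str
    dst_bitmask: int
    dst_port: Optional[int] = None   # None means any port
    enabled: bool = True

def matches(r, proto, src, dst, port):
    return (r.enabled and r.protocol in ("any", proto)
            and ip_address(src) in net(r.src_ip, r.src_bitmask)
            and ip_address(dst) in net(r.dst_ip, r.dst_bitmask)
            and r.dst_port in (None, port))

def evaluate(rules, proto, src, dst, port):
    """Return (index, policy) of the first matching rule, or None."""
    for i, r in enumerate(rules):
        if matches(r, proto, src, dst, port):
            return i, r.policy
    return None  # the page does not state a default action

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (a.protocol in ("any", b.protocol)
            and net(b.src_ip, b.src_bitmask).subnet_of(net(a.src_ip, a.src_bitmask))
            and net(b.dst_ip, b.dst_bitmask).subnet_of(net(a.dst_ip, a.dst_bitmask))
            and a.dst_port in (None, b.dst_port))

def shadowed(rules):
    """Indexes of enabled rules that can never match because of an earlier rule."""
    return [j for j, b in enumerate(rules) if b.enabled
            and any(a.enabled and covers(a, b) for a in rules[:j])]

# Constructed sample: a broad allow and a specific deny.
ALLOW_LAN = Rule("allow", "any", "10.0.0.0", 8, "0.0.0.0", 0)
DENY_SSH = Rule("deny", "tcp", "10.1.2.0", 24, "192.0.2.10", 32, 22)
```

With the broad allow first, the deny rule is reported as shadowed and the SSH packet is permitted; moving the deny rule above it reverses the result.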