Technical Tip: Closing unused services using local-in policies
Description
This article describes how to use local-in policies to close undesired open ports on the FortiGate itself, so that the unit does not answer probes from external scanners or respond to unexpected requests.
Scope
FortiGate.
Solution
Use local-in policies to close open ports or otherwise restrict access to FortiOS. Local-in policies govern traffic addressed to the FortiGate itself (administrative access, ICMP and similar), whereas regular firewall policies govern traffic forwarded through the unit.
The following example closes all ICMP services on the WAN1 interface by denying traffic that matches the predefined ALL_ICMP firewall service:
config firewall local-in-policy
    edit <ID>
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
    next
end
This policy denies ICMP from any source to the WAN1 interface. Note that firewall local-in-policy covers IPv4 only; to stop ICMPv6 on the same interface, add an equivalent entry under config firewall local-in-policy6.
To limit the deny to particular sources, replace "all" under set srcaddr with an address or address group object. To exempt specific sources instead, add an accept policy for those sources above the deny policy: local-in policies are evaluated from top to bottom and the first match wins.
Any predefined service, or a custom service created under Policy & Objects -> Services, can be used in place of ALL_ICMP to block other protocols or ports in the same way.
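As an added example that is not part of the original article, the following configuration combines the two points above: it keeps ICMP echo reachable from one trusted management host while denying all other ICMP arriving on wan1. The address object name MGMT_HOST and its address 203.0.113.10 are assumptions chosen for illustration; PING and ALL_ICMP are predefined FortiOS services.

```fortios
# Assumed address object for the one host that may still ping the FortiGate.
config firewall address
    edit "MGMT_HOST"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall local-in-policy
    # Policy 1 is evaluated first: allow echo requests from the trusted host only.
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_HOST"
        set dstaddr "all"
        set action accept
        set service "PING"
        set schedule "always"
    next
    # Policy 2 catches everything else: deny all remaining ICMP on wan1.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL_ICMP"
        set schedule "always"
    next
end
```

Before applying a broader deny on wan1, confirm that your own administrative access (HTTPS, SSH) either originates from an address that an earlier accept policy permits or uses another interface; otherwise the policy locks you out. To verify the result, review the order with show firewall local-in-policy, ping the wan1 address from an untrusted host (it should time out), and run diagnose sniffer packet wan1 'icmp' 4 on the FortiGate: echo requests still arrive on the interface, but no echo replies leave it.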
Note:
From FortiOS 7.6.0, local-in policies can be created in the GUI: go to Policy & Objects -> Local-In Policy -> Create New, fill in the required fields and select ALL_ICMP as the service.