Technical Tip: Local-in policies behavior in the FortiGate VM
| Description | This article describes using local-in policies in the FortiGate VM. |
| Scope | FortiGate. |
| Solution | Local-in policies cannot be created or edited in the FortiGate GUI before FortiOS v7.6.0 (see Note 2). There are system-defined local-in policies by default, and they cannot be removed. From v7.6.0 onwards, it is also possible to configure them from the GUI: GUI support for local-in policies. |

Create the address object under `config firewall address`, then create the local-in policy under `config firewall local-in-policy`, defining the interface as port5, the source address as 11.11.11.0, the destination address as all, and the service as ping.

In the debug logs, the output for matching traffic shows it being dropped:

`id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 7, drop"`

To view the local-in policies created in the CLI: `config firewall local-in-policy`

Note 1: If a local-in policy is defined and no action is set, the default action is Deny.

Note 2: Starting from FortiOS v7.6.x firmware, custom local-in policies can be created and configured in the GUI under Policy & Objects -> Local-In Policy. Before that release, only the implicit read-only policies can be displayed.

In FortiOS v7.6.x, tabs have also been implemented to separate IPv4 and IPv6 policies. IPv4 and IPv6 local-in policies can be created and edited in their respective tabs.
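The configuration described above, written out in full as an added example (not the article's own CLI output): the address object name, the /24 mask, the policy ID 7 and the diagnose commands used to observe the drop are assumptions.

```fortios
# Added example: address object for the 11.11.11.0 network.
# The object name and the /24 mask are assumptions; the article gives only 11.11.11.0.
config firewall address
    edit "NET_11_11_11_0"
        set subnet 11.11.11.0 255.255.255.0
    next
end

# Local-in policy on port5 matching PING from that network to any FortiGate address.
# No "set action" line on purpose: with no action configured the policy
# defaults to deny (Note 1). Policy ID 7 is assumed to match the policy
# number shown in the article's debug output.
config firewall local-in-policy
    edit 7
        set intf "port5"
        set srcaddr "NET_11_11_11_0"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end

# Verify the resulting configuration. The system-defined local-in policies
# are not shown here and cannot be removed.
show firewall local-in-policy

# Observe the drop in the debug flow trace for ICMP (protocol 1) sourced
# from the 11.11.11.0/24 range.
diagnose debug flow filter saddr 11.11.11.0 11.11.11.255
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
# Expected line for a ping that matches the deny policy:
#   id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 7, drop"
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# If the intent is to permit the traffic instead, set the action explicitly.
config firewall local-in-policy
    edit 7
        set action accept
    next
end
```

Run the diagnose commands before sending the test ping; the trace stops after the first 10 matching packets.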

