Technical Tip: Local-in policies may be missing and not working after upgrading to v7.4.6

In the previous version:

fgt # config firewall local-in-policy

fgt (local-in-policy) # edit 0
new entry '0' added

fgt (0) # set intf
*
<string> Please input string value.
any Match any interface in the virtual domain.
new1 zone
port1 interface  <----- SD-WAN member.
port2 interface
port3 interface
port4 interface  <----- SD-WAN member.

The local-in policy interface behavior is different from the ipv4 policy. In the local-in policy, the SD-WAN member can be selected as the source interface instead of the SD-WAN zone.

After upgrading to v7.4.6 and v7.6.1, some config errors may occur:

fgt # diagnose debug config-error-log read
>>> "set" "intf" "port1" @ root.firewall.local-in-policy.1:value parse error (error -651)
>>> "next" @ root.firewall.local-in-policy.1:failed command (error 1)

The local-in policy:

fgt # config firewall local-in-policy

fgt (local-in-policy) # edit 0
new entry '0' added

fgt (0) # set intf
*
<string> Please input string value.
any Match any interface in the virtual domain.
new1 zone
virtual-wan-link sdwan    <---------

Ports 1 and 4 are no longer available and have been replaced by the virtual-wan-link SD-WAN zone. All interface members of an SD-WAN zone and ZONE cannot be referenced individually on the local-in policy. To target an SD-WAN member interface, assign the local-in policy to the SD-WAN zone and restrict the traffic by setting the destination to the member interface's IP address.

If the local-in-policy is missing or shows an empty value for the 'intf' setting, recreate the policy and assign it to the appropriate SD-WAN zone.

Related documents:

Known issues
Troubleshooting Tip: Unable to create local-in-policy - 'node_check_object fail!'