June 15, 2022

Technical Tip: Local-in-policy does not work as expected and forwards all traffic

Description

This article describes the issue where a local-in-policy does not work as expected and forwards all traffic irrespective of the restriction.

Scope

FortiOS.

Solution

This applies to cases where a local-in-policy is not working as expected, meaning that traffic which is supposed to be denied is all being sent through.

 

The most likely reason is that no implicit deny local-in policy has been created. Unlike IPv4 firewall policies, local-in policies have no default implicit deny.

In the list of local-in-policies, the implicit deny policy needs to be at the bottom.

 

An example is given below:

 

config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ" <-- Address/subnet that needs to be allowed.
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL" <-- No action is set, so the default action 'deny' applies (see the note below).
        set schedule "always"
    next
end

 

Local-in policies are created per interface, so to create a general implicit deny rule for all interfaces for a particular service or source/destination address, use the interface 'any'.

 

Note: When there is no action set manually, the action will be taken as 'deny'.
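As an added example (not part of this article or FortiOS), the following Python script parses a pasted 'config firewall local-in-policy' block and reports every interface whose last applicable policy (its own or an 'any' policy) is not a catch-all deny, applying the rules above: unset action means deny, and the deny must sit at the bottom. The configuration text, address names and interface names are constructed for illustration.

```python
import shlex

# Constructed sample: port4 ends with a catch-all deny, port1 does not.
CONFIG = """config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
    edit 3
        set intf "port1"
        set srcaddr "MGMT"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end
"""

def parse_local_in(text):
    """Parse the CLI block into an ordered list of policy dicts (order matters)."""
    policies, current = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles the double-quoted values FortiOS prints
        if not tok:
            continue
        if tok[0] == "edit":
            current = {"id": tok[1], "action": "deny"}  # unset action means deny
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:] if len(tok) > 3 else tok[2]  # keep multi-value lists
        elif tok[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def is_catch_all_deny(p):
    """True when the policy denies everything: all/all, ALL service, deny action."""
    return (p.get("srcaddr") == "all" and p.get("dstaddr") == "all"
            and p.get("service") == "ALL" and p["action"] == "deny")

def interfaces_without_final_deny(policies):
    """Interfaces whose last applicable policy (own or 'any') is not a catch-all deny."""
    missing = []
    for intf in sorted({p["intf"] for p in policies if p["intf"] != "any"}):
        applicable = [p for p in policies if p["intf"] in (intf, "any")]
        if not is_catch_all_deny(applicable[-1]):
            missing.append(intf)
    return missing
```

Running interfaces_without_final_deny(parse_local_in(CONFIG)) lists port1, because its only policy is an accept with no deny after it; appending a final policy with intf "any", srcaddr "all", dstaddr "all" and service "ALL" clears the report for every interface.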

 

Note: Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to the following article: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

 

Related documents:

Local-in policies

Technical Tip: Filter ingress traffic going to the FortiGate using local-in-policy