Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
slautenschlager
Staff
Staff

Created on ‎06-05-2015 02:47 AM Edited on ‎12-16-2024 05:37 AM By Community Manager

Article Id 189921

Technical Tip: How to Deny access to a local IP in the Fortigate with a Local-In Policy

Description

 

This article describes how to restrict access to a FortiGate to either avoid being scanned or just allow specific 'trusted IPs' to manage the FortiGate.
 
Scope
 
FortiGate.


Solution

 

While security or firewall policies control traffic that goes trough the FortiGate, Local-in-policies control traffic that is destined to the FortiGate (to a local IP). For example, management traffic or VPN access.   
 
Contrary to the firewall policies, local-in-policies have an implicit permit at the end.  The following example will restrict traffic to port 8000 from all sources to the outside interface (WAN1) while allowing everything else.
 
  1. Create a Custom Service by going to Firewall Object/Service/Services and select 'Create New'.

 

Name: Port-8000.
Protocol Type: TCP/UDP/STCP.
Protocol: TCP.
Destination Port: 800.
Leave the other fields blank.
Select 'OK' to save.

 
 
  1. Create the Local-In Policy. This step has to be configured from the CLI.

 

config firewall local-in-policy
    edit 1
        set intf "wan1"           <----- External interface.
        set srcaddr "all"         <----- Source.
        set dstaddr "all"         <----- Destination.
        set action deny           <----- Action.
        set service "Port 8000"   <----- Custom Service created in step 1.
        set schedule "always"
        set status enable
    end

 

Note

In case the local-in policy was already configured to allow 'ALL'  services, use the following command to move the newly configured denied policy on top of the allowed policy:

 

config firewall local-in-policy

       move <New policy ID> before <Old policy ID>

 

To verify the settings, from the CLI type:

 

config firewall local-in-policy
show full

This policy cannot be checked from the WEB GUI, only from the CLI.

 

Starting from v7.6.0,  it is possible to create the same policy from GUI as well.

 

Check the following article for creating local-in policies from GUI: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI


Note:
Ports that are handled by Session Helpers like SIP or SCCP are not affected by this change.
To deny these, see the related articles.

 

Related articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: Disabling VoIP Inspection

Technical Tip: Enable and disable FortiGate system session helpers

17200
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.