In previous firmware versions, this option was only available via the CLI. See Local-in policy.

1. Enable the Local-In policy by going to System -> Feature Visibility, search for Local-In Policy, and enable it.

2. Once enabled, go to Policy & Objects -> Local-In Policy and select 'Create new'.

3. The option remains the same as the CLI, it is just necessary to select the details on the GUI.

config firewall {local-in policy | local-in-policy6}

 edit <policy number>

   set int <interface>

   set srcaddr <source address>

   set dstaddr <destination address>

   set action {accept | deny}

   set service <service name>

   set schedule <schedule name>

   set virtual-patch {enable| disable}

   set comments <string>

 next

end

In the GUI:

• Select the relevant interface which usually is the outbound (internet-facing) interface and then create the addresses that shall be allowed/blocked accordingly.
• Once done, select parameters such as destination, service, and action as per the requirement.

• Select 'OK' to apply the policy. Once done, the new policy is visible under Custom as shown below:

• For IPv6, enable IPv6 as well other than enabling the Local-In policy under System -> Feature Visibility:

• Once enabled, select IPv6 under Local-In Policy:

• Similar steps can be repeated to create the IPv6 Local-In policy and the IPv6 is visible under 'Custom' as well: