Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sprashant
Staff
Staff

Created on ‎07-17-2024 09:10 PM Edited on ‎01-02-2026 10:38 AM By Community Manager

Article Id 326547

Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI

Description This article describes how, starting from v7.6.x, a Local-In policy can be created via the GUI.
Scope FortiGate v7.6.x.
Solution

Starting from FortiOS v7.6.0, Local-In policies can be created on the GUI.

In previous firmware versions, this option was only available via the CLI. See Local-in policy.

 

  1. Enable the Local-In policy by going to System -> Feature Visibility, searching for Local-In Policy, and enabling it.
 

1..PNG


Local-In Policy can also be enabled in CLI:

 

configure system settings

    set gui-local-in-policy enable
end

 

  1. Once enabled, go to Policy & Objects -> Local-In Policy and select 'Create new'.

 

2..PNG

 

  1. The option remains the same as the CLI; it is just necessary to select the details on the GUI.

 

config firewall {local-in policy | local-in-policy6}

    edit <policy number>

        set int <interface>

        set srcaddr <source address>

        set dstaddr <destination address>

        set action {accept | deny}

        set service <service name>

        set schedule <schedule name>

        set virtual-patch {enable| disable}

        set comments <string>

     next

end

 

In the GUI:

  • Select the relevant interface or zone, which is usually the outbound (internet-facing) interface/zone, and then create the addresses that shall be allowed/blocked accordingly.
  • Once done, select parameters such as destination, service, and action as per the requirement.

 

3..PNG

 

  • Select 'OK' to apply the policy. Once done, the new policy is visible under Custom as shown below:

 

4..PNG

 

  • For IPv6, enable IPv6 as well other than enabling the Local-In policy under System -> Feature Visibility:

 

5..PNG

 

  • Once enabled, select IPv6 under Local-In Policy:

 

6..PNG

 

  • Similar steps can be repeated to create the IPv6 Local-In policy, and IPv6 is visible under 'Custom' as well:

 

7..PNG

 

The Negate option can also be used for source and destination addresses in both local-in policies and firewall policies by enabling Policy Advanced Options under System -> Feature Visibility. (For more details, see Technical Tip: Firewall Policy 'Negate' option.)


Notes:

As best practices, consider the following recommendations: 

  • Do not allow administrative services from 'ANY'.
  • Use specific IP objects, not wide ranges.
  • Always place a deny-all at the bottom.
Labels:
13598
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.