Starting from FortiOS v7.6.0, Local-In policies can be created on the GUI.

In previous firmware versions, this option was only available via the CLI. See Local-in policy.

1. Enable the Local-In policy by going to System -> Feature Visibility, searching for Local-In Policy, and enabling it.

Local-In Policy can also be enabled in CLI:

configure system settings

    set gui-local-in-policy enable
end

2. Once enabled, go to Policy & Objects -> Local-In Policy and select 'Create new'.

3. The option remains the same as the CLI; it is just necessary to select the details on the GUI.

config firewall {local-in policy | local-in-policy6}

    edit <policy number>

        set int <interface>

        set srcaddr <source address>

        set dstaddr <destination address>

        set action {accept | deny}

        set service <service name>

        set schedule <schedule name>

        set virtual-patch {enable| disable}

        set comments <string>

     next

end

In the GUI:

• Select the relevant interface or zone, which is usually the outbound (internet-facing) interface/zone, and then create the addresses that shall be allowed/blocked accordingly.
• Once done, select parameters such as destination, service, and action as per the requirement.

• Select 'OK' to apply the policy. Once done, the new policy is visible under Custom as shown below:

• For IPv6, enable IPv6 as well other than enabling the Local-In policy under System -> Feature Visibility:

• Once enabled, select IPv6 under Local-In Policy:

• Similar steps can be repeated to create the IPv6 Local-In policy, and IPv6 is visible under 'Custom' as well:

• To remove an existing local-in-policies, refer to the article: Technical Tip: How to remove existing local in policies from FortiGate GUI.

Notes:

As best practices, consider the following recommendations: 

• Do not allow administrative services from 'ANY'.
• Use specific IP objects, not wide ranges.
• Always place a deny-all at the bottom.