sprashant
Staff
Article Id 326547
Description This article describes how, starting from v7.6.x, a Local-In policy can be created via the GUI.
Scope FortiGate v7.6.x.
Solution

In previous firmware versions, this option was only available via the CLI. See Local-in policy.

 

  1. Enable the Local-In policy by going to System -> Feature Visibility, searching for Local-In Policy, and enabling it.
 


 

  2. Once enabled, go to Policy & Objects -> Local-In Policy and select 'Create new'.

 


 

  3. The options are the same as in the CLI; it is only necessary to select the details in the GUI.

 

config firewall {local-in-policy | local-in-policy6}
    edit <policy number>
        set intf <interface>
        set srcaddr <source address>
        set dstaddr <destination address>
        set action {accept | deny}
        set service <service name>
        set schedule <schedule name>
        set virtual-patch {enable | disable}
        set comments <string>
    next
end

 

In the GUI:

  • Select the relevant interface, which is usually the outbound (internet-facing) interface, and then create the addresses to be allowed or blocked.
  • Once done, select parameters such as destination, service, and action as required.

 


 

  • Select 'OK' to apply the policy. Once done, the new policy is visible under 'Custom'.

 


 

  • For IPv6, enable IPv6 in addition to the Local-In Policy under System -> Feature Visibility.

 


 

  • Once enabled, select IPv6 under Local-In Policy.

 


 

  • The same steps can be repeated to create the IPv6 Local-In policy, which is then visible under 'Custom' as well.

 
