FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


This article describes how to configure a local-in policy on a HA reserved management interface.




Administrators can configure a local-in policy via CLI with various services, source, and destination addresses to have precise control over the specific traffic heading towards FortiGate interfaces.

Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.

However, the method is slightly different from that of regular firewall interfaces.

Unlike regular interfaces, an error will appear if a user tries to select the HA reserved management interface as the interface setting during local-in policy creation.

The solution is to enable the 'ha-mgmt-intf-only' setting before applying an HA reserved management interface in the local-in policy configuration.



Here are the steps to configure a local-in policy associated with the HA reserved management interface.

In this environment, port6 has been set as the HA reserved management interface in the HA configuration:

The following error will appear if the HA reserved management interface (port6) is applied directly as the interface setting while creating a new local-in policy:


To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port with the local-in policy.

Enabling this setting marks the local-in policy as one that applies only to the HA reserved management interface.

# config firewall local-in-policy
    edit 1
        set ha-mgmt-intf-only enable <----- Enable HA management interface only for this local-in policy.
        set intf port6 <----- Now it is possible to apply port6 as the interface without any error.
        set srcaddr <source_address_name>
        set dstaddr <destination_address_name>
        set service <service_name>
        set action <accept/deny>
        set status <enable/disable>
    next
end


The local-in policy associated with the HA management interface (port6) has now been configured successfully.
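A worked configuration that follows from the steps above, added here as an illustration and not part of the original article: it limits administrative access on the HA reserved management interface to a single management subnet. The address object MGMT_NET and the subnet 192.0.2.0/24 are assumed placeholders for the real management network.

```fortios
# Constructed example: restrict admin access on the HA reserved
# management interface (port6) to one management subnet.
# MGMT_NET is a placeholder address object; 192.0.2.0/24 is a
# documentation range standing in for the real management subnet.
config firewall address
    edit "MGMT_NET"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Policy 1: permit HTTPS and SSH to port6 only from MGMT_NET.
    edit 1
        set ha-mgmt-intf-only enable
        set intf port6
        set srcaddr "MGMT_NET"
        set dstaddr all
        set service HTTPS SSH
        set schedule always
        set action accept
        set status enable
    next
    # Policy 2: drop every other connection aimed at port6.
    # Local-in policies are matched top down, so the deny must
    # sit after the accept; reversing the order locks out MGMT_NET too.
    edit 2
        set ha-mgmt-intf-only enable
        set intf port6
        set srcaddr all
        set dstaddr all
        set service ALL
        set schedule always
        set action deny
        set status enable
    next
end
```

Apply policy 1 first and confirm that management access from MGMT_NET still works before adding policy 2, then review the result with 'show firewall local-in-policy'.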