Created on 09-05-2022 06:26 AM
Edited on 05-27-2025 01:29 AM
By Jean-Philippe_P
Description
This article describes how to configure a local-in policy on a HA reserved management interface.
Scope
Administrators can configure a local-in policy through the CLI with various services and source and destination addresses to gain precise control over the specific traffic destined for FortiGate interfaces.
Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.
However, the method differs slightly from the one used for regular firewall interfaces.
Unlike with regular interfaces, an error appears if a user tries to set the HA reserved management interface as the interface ('intf') while creating a local-in policy.
The solution is to enable the 'ha-mgmt-intf-only' setting before applying the HA reserved management interface to the local-in policy configuration.
Solution
Follow the steps below to configure a local-in policy associated with an HA reserved management interface.
In this environment, port6 has been set as the HA reserved management interface in the HA configuration:
The following error appears if the HA reserved management interface (port6) is applied directly under the interface setting while creating a new local-in policy:
To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port with the local-in policy.
This setting dedicates the HA management interface to the local-in policy.
config firewall local-in-policy
edit 1
set ha-mgmt-intf-only enable <----- Enable HA management interface only for local-in policy.
set intf port6 <----- Now it is possible to apply port6 as an interface without any error.
set srcaddr <source_address_name>
set dstaddr <destination_address_name>
set service <service_name>
set schedule <schedule_name> <----- A schedule (for example 'always') is required, as in the full example further below.
set action <accept/deny>
set status <enable/disable>
next
end
The local-in policy associated with the HA management interface (port6) has now been configured, as seen in the screenshot below:
The example above denies a specific connection towards the FortiGate from the 1.1.1.1 source address.
If the aim is to allow administrative access from one subnet only, for example '192.168.0.0/24', and block all other connections, the configuration would be as follows (the srcaddr value is the name of a firewall address object covering that subnet, which must exist before it is referenced):
config firewall local-in-policy
edit 1
set ha-mgmt-intf-only enable
set intf "port6"
set srcaddr "192.168.0.0/24"
set dstaddr "all"
set action accept
set service "ALL"
set schedule "always"
next
edit 2
set ha-mgmt-intf-only enable
set intf "port6"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "ALL"
set schedule "always"
next
end
In the configuration above, entry 1 ('edit 1') allows connections from 192.168.0.0/24 with action accept. Entry 2 ('edit 2') is required to block all other connections arriving on the HA management interface (port6). Unlike IPv4 firewall policies, local-in policies have no default implicit deny, so without the explicit catch-all deny any traffic not matched by entry 1 is still accepted. Policies are evaluated in order, so the deny entry must come after the accept entry.
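The two points made above (the HA management interface needs 'ha-mgmt-intf-only', and the policy set needs an explicit catch-all deny) are easy to miss in a long configuration. The following audit helper is an added example, not Fortinet code: it parses a 'config firewall local-in-policy' block as exported from the CLI and reports both problems. The sample configuration is constructed for the example and deliberately omits 'ha-mgmt-intf-only' on entry 2.

```python
# Added audit helper (not Fortinet code): parse a FortiOS
# 'config firewall local-in-policy' block and check the article's two points.
import re

# Constructed sample; entry 2 deliberately omits 'ha-mgmt-intf-only'.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set ha-mgmt-intf-only enable
        set intf "port6"
        set srcaddr "192.168.0.0/24"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set intf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
    next
end
"""

def parse_local_in(text):
    """Return policies in evaluation order as dicts of setting -> value."""
    policies, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"edit \d+", line):
            current = {"id": int(line.split()[1])}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(" ", 2)
            current[key] = value.strip('"')
    return policies

def audit(policies, ha_mgmt_intf):
    """Findings for the policies bound to the HA reserved management interface."""
    findings = []
    on_mgmt = [p for p in policies if p.get("intf") == ha_mgmt_intf]
    for p in on_mgmt:
        if p.get("ha-mgmt-intf-only") != "enable":
            findings.append(f"policy {p['id']}: ha-mgmt-intf-only is not enabled")
    # No implicit deny for local-in policies: the last entry on the interface
    # must be a catch-all deny, otherwise unmatched traffic is still accepted.
    last = on_mgmt[-1] if on_mgmt else {}
    if not (last.get("action") == "deny" and last.get("srcaddr") == "all"):
        findings.append(f"{ha_mgmt_intf}: no final catch-all deny policy")
    return findings
```

Running audit(parse_local_in(SAMPLE_CONFIG), "port6") on the sample reports only the missing 'ha-mgmt-intf-only' on entry 2; dropping entry 2 instead reports the missing catch-all deny.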
Note:
In a VDOM environment, this is done in the VDOM to which the HA management interface is allocated.
For example, the HA management interface in the diagram below is allocated to the root VDOM, so this policy can only be configured in the root VDOM.
This can only be configured in the management VDOM. By default, the root VDOM is the management VDOM.
Starting with v7.6.0, it is also possible to create and delete local-in policies from the GUI:
Local-in policies can be configured in both the GUI and the CLI starting with v7.6.x (see the Local-in policy documentation).
Copyright 2025 Fortinet, Inc. All Rights Reserved.