FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 222005



This article describes how to configure a local-in policy on a HA reserved management interface.




Administrators can configure a local-in policy through the CLI with various services and source and destination addresses to have precise control over the specific traffic heading towards FortiGate interfaces.

Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.

However, the method differs slightly from the methods used by regular firewall interfaces.

Unlike with regular interfaces, an error will appear if a user is trying to apply the HA reserved management interface as interface settings during local-in policy creation.

The solution is to enable 'ha-mgmt-intf-only' settings before applying a HA reserved management interface to a local-in policy configuration.




Follow the steps below to configure a local-in policy associated with an HA reserved management interface.

In this environment, port6 has been set as a HA reserved management interface in HA configuration:

The following error will appear if an HA reserved management interface (port 6) is applied directly under interface settings while creating a new local-in policy:

To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port to our local-in policy.


The purpose is to enable dedication of an HA management interface only for local-in policy.


conf firewall local-in-policy

edit 1

set ha-mgmt-intf-only en <----- Enable HA management interface only for local-in policy.

set intf port6 <----- Now it is possible apply port6 as interface without any error.

set srcaddr <source_address_name>

set dstaddr <destination_address_name>

set service <service_name>

set action <accept/deny>

set status <enable/disable>




The local-in policy associated with the HA management interface (port6) has been successfully configured, as seen in the screenshot below:





In the VDOM environment, this can be done on the specific VDOM where the HA management interface is allocated.


For example: the HA mgmt-interface in the diagram below is allocated to the root VDOM, so the result is that this policy can only be configured on the root VDOM.


This can only be configured in the management VDOM. By default, the root VDOM is the management VDOM.