FortiGate
anderson_yee
Staff
Description

This article describes how to configure a local-in policy on a HA reserved management interface.

 

Scope

Administrators can configure a local-in policy via CLI with various services, source, and destination addresses to have precise control over the specific traffic heading towards FortiGate interfaces.

Firewall local-in policies are supported for the dedicated HA management interface in a High Availability (HA) environment.

However, the method is slightly different from that of regular firewall interfaces.

Unlike regular interfaces, an error appears if the HA reserved management interface is selected as the interface ('intf' setting) while a local-in policy is being created.

The solution is to enable the 'ha-mgmt-intf-only' setting before assigning the HA reserved management interface to the local-in policy.

Solution

Here are the steps to configure a local-in policy associated with the HA reserved management interface.

In this environment, port6 has been set as a HA reserved management interface in HA configuration:

[Screenshot: HA configuration showing port6 as the reserved management interface]

The following error appears if the HA reserved management interface (port6) is applied directly under the interface settings while creating a new local-in policy:

[Screenshot: error returned when port6 is set as 'intf' without 'ha-mgmt-intf-only' enabled]

To resolve this error, it is necessary to enable the 'ha-mgmt-intf-only' setting under the local-in policy before associating the port to our local-in policy.

This setting marks the local-in policy as applying to the HA management interface only.

# config firewall local-in-policy
    edit 1
        set ha-mgmt-intf-only enable <----- Enable HA management interface only for this local-in policy.
        set intf port6 <----- port6 can now be applied as the interface without any error.
        set srcaddr <source_address_name>
        set dstaddr <destination_address_name>
        set service <service_name>
        set action <accept/deny>
        set status <enable/disable>
    next
end

The local-in policy associated with the HA management interface (port6) is now accepted and configured successfully, as the screenshot below shows.
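As an added example that is not part of the original article, here is a filled-in version of the configuration above: management access on port6 is limited to one admin subnet over HTTPS and SSH, and every other connection to that interface is denied. The address object name, its subnet and the policy IDs are assumptions; "all", "HTTPS", "SSH" and "ALL" are FortiOS default objects.

```text
config firewall address
    edit "MGMT_ADMINS"
        set subnet 10.10.10.0 255.255.255.0 <----- Constructed example subnet; replace with the real admin network.
    next
end

config firewall local-in-policy
    edit 10
        set ha-mgmt-intf-only enable <----- Required before port6 can be used as 'intf'.
        set intf port6
        set srcaddr "MGMT_ADMINS" <----- Only the admin subnet may reach the management plane.
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
        set status enable
    next
    edit 11
        set ha-mgmt-intf-only enable
        set intf port6
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny <----- Everything not matched by policy 10 is dropped on port6.
        set status enable
    next
end
```

Local-in policies are matched top-down, so the accept policy must sit above the deny; keep a second administrative session open until the new rules have been verified from the admin subnet.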

[Screenshot: local-in policy with 'intf' set to port6 and 'ha-mgmt-intf-only' enabled]