Description: This article describes how to re-order local-in policies so that a blocking policy takes effect, and how to delete existing local-in policies.
Scope: FortiGate v6.4.x, v7.0.x and above.
Solution:
In the example below, there are two local-in policies: one allowing all IP addresses from the geography-based address object Canada, and one denying traffic from other countries. The requirement is to also block certain public IP addresses that are located in Canada.

Challenger-kvm52 # config firewall local-in-policy
Challenger-kvm52 (local-in-policy) # edit 1
Challenger-kvm52 (1) # set intf port1
Challenger-kvm52 (1) # set srcaddr canada
Challenger-kvm52 (1) # set dstaddr all
Challenger-kvm52 (1) # set service PING
Challenger-kvm52 (1) # set action accept
Challenger-kvm52 (1) # set schedule always
Challenger-kvm52 (1) # end

Challenger-kvm52 # config firewall local-in-policy
Challenger-kvm52 (local-in-policy) # edit 2
Challenger-kvm52 (2) # set intf port1
Challenger-kvm52 (2) # set srcaddr testIP
Challenger-kvm52 (2) # set dstaddr all
Challenger-kvm52 (2) # set service PING
Challenger-kvm52 (2) # set schedule always
Challenger-kvm52 (2) # set action deny
Challenger-kvm52 (2) # end
Challenger-kvm52 #
The default local-in policy cannot be deleted or recreated. Custom local-in policies, however, can be deleted, moved and re-created. Use the following commands to re-order them:

config firewall local-in-policy
    move <ID of the policy to move> before <ID of the policy currently on top>
end
For example, ID 2 is moved before ID 1 (move 2 before 1) so that the deny policy for the specific public IP is evaluated before the accept policy for Canada. The resulting order can be verified with:

config firewall local-in-policy
    show
end
Note: Starting with v7.6.0, local-in policies can also be created, deleted and moved from the GUI. See: Local-in policies can be configured in the GUI and CLI Starting 7.6.x

Note: Moving policies can change traffic handling, because the FortiGate evaluates local-in policies from top to bottom and applies the first match. A policy moved to the top (or the one with the lowest position in the list) therefore takes precedence over the policies below it.
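The following is an added example, not Fortinet code and not part of the original article: a small Python model of top-to-bottom, first-match evaluation of local-in policies and of what `move <id> before <id>` changes. The address objects are constructed placeholders (a single documentation prefix stands in for the geography-based "canada" object, and "testIP" is one address inside it); the destination IP and the "no-match" fallback are assumptions of the model, not FortiOS behaviour.

```python
# Added example (not Fortinet code): a model of how FortiGate reads
# local-in policies top to bottom and how `move <id> before <id>` changes the
# outcome. Address objects and IPs below are constructed placeholders.
import ipaddress
from dataclasses import dataclass

# Constructed address objects. The real 'canada' object is a geography-based
# address; a single documentation prefix stands in for it here.
ADDRESS_OBJECTS = {
    "canada": [ipaddress.ip_network("203.0.113.0/24")],
    "testIP": [ipaddress.ip_network("203.0.113.50/32")],  # one public IP inside 'canada'
    "all": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class LocalInPolicy:
    id: int
    intf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str


def _addr_matches(obj_name, ip):
    return any(ip in net for net in ADDRESS_OBJECTS[obj_name])


def matches(policy, intf, src, dst, service):
    """True if the packet (intf, src, dst, service) is covered by this policy."""
    return (
        policy.intf == intf
        and policy.service == service
        and _addr_matches(policy.srcaddr, ipaddress.ip_address(src))
        and _addr_matches(policy.dstaddr, ipaddress.ip_address(dst))
    )


def evaluate(policies, intf, src, dst, service):
    """First match wins, in list order (top of the list is evaluated first).

    Returns (action, policy_id). If nothing matches, returns ("no-match", None):
    what the FortiGate then does depends on its implicit behaviour and the
    interface's administrative-access settings, which this model does not cover.
    """
    for policy in policies:
        if matches(policy, intf, src, dst, service):
            return policy.action, policy.id
    return "no-match", None


def move_before(policies, policy_id, before_id):
    """Model of `move <policy_id> before <before_id>`: returns a reordered copy."""
    moving = next(p for p in policies if p.id == policy_id)
    remaining = [p for p in policies if p.id != policy_id]
    index = next(i for i, p in enumerate(remaining) if p.id == before_id)
    return remaining[:index] + [moving] + remaining[index:]


# The two policies from the article, in the order they were created (ID 1 on top).
ORIGINAL_ORDER = [
    LocalInPolicy(1, "port1", "canada", "all", "PING", "accept"),
    LocalInPolicy(2, "port1", "testIP", "all", "PING", "deny"),
]
REORDERED = move_before(ORIGINAL_ORDER, 2, 1)


def ping_result(policies, src):
    """Outcome for an ICMP ping from `src` to the FortiGate on port1 (assumed dst IP)."""
    return evaluate(policies, "port1", src, "198.51.100.1", "PING")


if __name__ == "__main__":
    for label, plist in (("original", ORIGINAL_ORDER), ("after move 2 before 1", REORDERED)):
        print(label, [p.id for p in plist],
              "testIP ->", ping_result(plist, "203.0.113.50"),
              "other Canada IP ->", ping_result(plist, "203.0.113.7"))
```

In the original order the specific address is accepted by policy 1 before the deny in policy 2 is ever reached; after the move, the same ping is denied by policy 2 while other Canadian addresses still match policy 1. Running the order check after every move (as the `show` step above does on the FortiGate) is the practical way to confirm that a more specific deny sits above the broader accept.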
Copyright 2025 Fortinet, Inc. All Rights Reserved.