Created on 08-04-2022 11:48 PM
Edited on 07-15-2025 02:41 AM
By Anthony_E
This article describes the procedure for deleting the local-in policies currently displayed in the FortiGate GUI.
Scope: FortiGate.
Local-in policies regulate traffic destined to the FortiGate itself (its interface addresses and the services it exposes there), in contrast to standard firewall policies, which regulate traffic passing through the unit.
To have precise control over the services, source, and destination addresses, administrators can create a custom local-in policy to allow or deny that particular traffic.
Be aware that on FortiOS 7.4 and earlier, custom local-in policies can only be created or edited via the CLI (GUI support was added in FortiOS 7.6; see the note below).
This article only applies to the existing local-in policies that the GUI displays after the additional feature 'Local In Policy' is enabled under System -> Feature Visibility.
Those entries are derived from each interface's administrative access settings: the GUI lists them but offers no Delete action, because removing one requires changing the interface configuration itself.
Once 'Local In Policy' is turned on under System -> Feature Visibility -> Additional Features, administrators can view the existing local-in policies in the GUI.
The current local-in policies can be viewed by selecting Policy & Objects -> Local In Policy. In the example below, port1 allows PING, HTTP, HTTPS, SSH, and TELNET administrative access, so one entry per protocol is shown:
Note:
Local-in policy is configurable only from the CLI on FortiOS 7.4 and earlier. Starting with FortiOS 7.6, local-in policies can be configured from both the GUI and the CLI (see GUI support for local-in policies).
There is therefore no direct method to remove these existing local-in policies from the GUI. They must be removed at the interface level.
From the GUI, uncheck the protocol under Network -> Interfaces -> Edit Interface -> Administrative Access. In the example, TELNET has been unchecked from the port1 administrative access protocols.
It is now possible to observe that the TELNET entry for port1 has been removed under 'Local In Policy'.
The interface-level administrative access protocols can also be configured via the CLI:
config system interface
    edit port1
        set allowaccess ping http https <---- Remove SSH from port1 by re-setting the list without it. 'set allowaccess' replaces the whole list, so include every protocol that should remain.
    next
end
It is now possible to observe that the SSH entry for port1 has been removed under 'Local In Policy'.
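The two steps above (find which protocols an interface exposes, then re-set the allowaccess list without the unwanted ones) are easy to get wrong at scale because 'set allowaccess' overwrites the entire list. The following script is an added example, not part of the original article or Fortinet's tooling: it parses the text produced by 'show system interface', reports the local-in entries the GUI would display for each interface, and emits the exact CLI needed to drop insecure management protocols while keeping the rest. The configuration text is a constructed sample; the protocol keywords are the real FortiOS allowaccess names, and the choice of which protocols count as insecure is an assumption you should adjust to your own policy.

```python
"""Audit FortiGate interface administrative access and emit the CLI that
removes insecure protocols, which in turn removes the matching implicit
local-in policy entries shown in the GUI.

Added example, not from the original article.  SAMPLE_CONFIG is a
constructed sample in 'show system interface' format.
"""
import re

# Assumption: these management protocols should never be exposed.
INSECURE = {"telnet", "http"}

# Constructed sample of 'show system interface' output.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
    next
end
"""


def parse_allowaccess(config_text):
    """Return {interface: [protocols]} from 'show system interface' output.

    Interfaces without a 'set allowaccess' line get an empty list: no
    administrative access, hence no implicit local-in entries in the GUI.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.startswith("set allowaccess "):
            result[current] = line[len("set allowaccess "):].split()
        elif line == "next":
            current = None
    return result


def implied_local_in(protocols):
    """Each enabled allowaccess protocol appears in the GUI as one
    implicit local-in policy entry on that interface (shown upper-case)."""
    return [p.upper() for p in protocols]


def remove_protocols(protocols, to_remove):
    """'set allowaccess' replaces the whole list, so the hardened value is
    the original list minus the removed protocols, order preserved."""
    return [p for p in protocols if p not in to_remove]


def hardening_cli(interfaces, insecure=INSECURE):
    """Build the 'config system interface' block that strips the insecure
    protocols.  Only interfaces that actually expose one are touched; an
    interface left with no protocol gets 'unset allowaccess'."""
    body = []
    for name, protos in interfaces.items():
        if not set(protos) & insecure:
            continue
        kept = remove_protocols(protos, insecure)
        body.append(f'    edit "{name}"')
        if kept:
            body.append(f"        set allowaccess {' '.join(kept)}")
        else:
            body.append("        unset allowaccess")
        body.append("    next")
    if not body:
        return ""
    return "\n".join(["config system interface", *body, "end"])


if __name__ == "__main__":
    ifaces = parse_allowaccess(SAMPLE_CONFIG)
    for name, protos in ifaces.items():
        print(f"{name}: local-in entries {implied_local_in(protos)}")
    print(hardening_cli(ifaces))
```

Paste the emitted block into the CLI (or review it first); after it is applied, the corresponding TELNET and HTTP entries disappear from Policy & Objects -> Local In Policy just as they did when the protocol was unchecked in the interface dialog.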
From v7.6.x, local-in policies can be created from the GUI and deleted from the GUI.
Below is an example policy created from the GUI, allowing all services from a geolocation-based source:
To delete a local-in policy, go to Policy & Objects -> Local-In Policy, select the desired policy, and select Delete:
Below is an example of deleting a local-in policy:
Related article:
Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI
Copyright 2025 Fortinet, Inc. All Rights Reserved.