FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anderson_yee
Staff
Staff
Description

 

This article covers the procedures for deleting the local-in policies currently displayed on the FortiGate GUI.

Scope

 

Local in policies regulate the traffic and services that are dedicated to FortiGate interfaces, in contrast to standard firewall policies. 

To have precise control over the services, source, and destination addresses, administrators can design a custom local-in policy to allow or deny the particular traffic.

 

Be aware that the creation or editing of custom local-in policies can only be done via CLI.

This article only applies to the existing local in policies that are displayed on the GUI  after enabling the additional feature 'Local In Policy' under System -> Feature Visibility.

These policies can only be viewed from the GUI. 

It cannot be deleted there since additional actions must be taken at the interface level.

Solution

 

By turning on 'Local In Policy' under System -> Feature Visibility -> Additional Features, administrators can observe the existing  local-in policies in the GUI.

 

anderson_yee_0-1659496233515.png

 

It is possible to view the current local-in policies by selecting Policy & Objects -> Local In Policy.
For instance, port1 is open for PING, HTTP, HTTPS, SSH, and TELNET traffic shown as below.

 

anderson_yee_1-1659496233519.png

 

Note:.

This page does not list the custom local-in policies. Custom local-in policies can only be created or edited in the CLI. 

It is possible now to see that there is no direct method to remove the existing local in-policies from the GUI.
These existing local-in policies should be removed from interface-level .

 

From GUI, uncheck the selected protocol under Network -> Interface -> Edit Interface -> Administrative Access.


For example, TELNET has been unchecked from port1 administrative access protocols.

 

anderson_yee_2-1659496233521.png

 

It is now possible to observe that TELNET application towards port1 has been removed under 'Local In Policy'.

 

anderson_yee_0-1659676731348.png


The interface-level administrative access protocols can also be configured via the CLI:


# config system interface

    edit port1
        set allowaccess ping http https <---- Remove SSH protocol under port1 interface.

        end


It is now  possible to observe that SSH application towards port1 has been removed under 'Local In Policy'.

 

anderson_yee_1-1659676870443.png