FortiGate
Article Id 214777
Description This article discusses the issue where a local-in policy does not work as expected and forwards all traffic regardless of the configured restriction.
Scope FortiOS.
Solution

This applies in cases where a local-in policy is not working as expected, meaning the traffic that is supposed to be denied is all being let through.

 

The most likely reason is that no implicit deny local-in policy has been created. Unlike IPv4 firewall policies, local-in policies have no default implicit deny policy, so anything not explicitly matched by a deny policy is handled as if no local-in policy existed.

In the list of local-in policies, the implicit deny policy needs to be at the bottom, because policies are evaluated top to bottom and the first match wins.

 

An example is given below:

# config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"         <- address/subnet that needs to be allowed
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"         <- catch-all deny, kept at the bottom
        set dstaddr "all"
        set service "ALL"         <- no action set, so it defaults to deny
        set schedule "always"
    next
end

 

A local-in policy is created per interface, so to create a general implicit deny rule for all interfaces for a particular service and source/destination address, use the interface 'any' (set intf "any").

 

Note: When no action is set manually, the action is taken as 'deny'.
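The two points above (no implicit deny exists unless created, and it must sit last for each interface or on interface 'any') can be checked mechanically before pushing a config. The following is an added example, not Fortinet code: a small Python audit script that parses a 'config firewall local-in-policy' block (the SAMPLE_CONFIG strings are constructed for this example) and reports every interface whose policy list does not end in a catch-all deny, applying the default-action rule from the note above.

```python
"""Audit a FortiOS 'config firewall local-in-policy' block for a trailing
catch-all deny per interface.  Added example; not Fortinet's own tooling."""
import re
from collections import defaultdict

# Constructed sample: port4 ends with a catch-all deny (action not set, so it
# defaults to deny), port5 only has an accept and should be flagged.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
    edit 3
        set intf "port5"
        set srcaddr "MGMT"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end
"""

# Constructed sample: same port5 accept, but a final catch-all deny on
# interface "any" covers every interface, so nothing should be flagged.
SAMPLE_WITH_ANY_DENY = SAMPLE_CONFIG.replace("end", """    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end""")

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')


def parse_local_in_policies(text):
    """Return policies as dicts in CLI order. Keys that are never set keep
    the default the article describes: action defaults to 'deny'."""
    policies = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('edit '):
            current = {'id': int(stripped.split()[1]), 'action': 'deny'}
        elif stripped == 'next' and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
    return policies


def is_catch_all_deny(policy):
    """A deny that matches any source, destination and service."""
    return (policy['action'] == 'deny'
            and policy.get('srcaddr') == 'all'
            and policy.get('dstaddr') == 'all'
            and policy.get('service') == 'ALL')


def audit(policies):
    """Return the sorted list of interfaces that lack a trailing catch-all
    deny.  A catch-all deny on interface 'any' as the very last policy covers
    every interface, since evaluation is top-down, first match wins."""
    if policies and policies[-1].get('intf') == 'any' \
            and is_catch_all_deny(policies[-1]):
        return []
    by_intf = defaultdict(list)
    for p in policies:
        by_intf[p.get('intf', '?')].append(p)
    return sorted(intf for intf, plist in by_intf.items()
                  if not is_catch_all_deny(plist[-1]))


def audit_text(text):
    """Convenience wrapper: parse a CLI block and audit it in one call."""
    return audit(parse_local_in_policies(text))


if __name__ == '__main__':
    for name, cfg in (('SAMPLE_CONFIG', SAMPLE_CONFIG),
                      ('SAMPLE_WITH_ANY_DENY', SAMPLE_WITH_ANY_DENY)):
        missing = audit_text(cfg)
        print(f'{name}: interfaces without trailing deny: {missing or "none"}')
```

Feed it the output of 'show firewall local-in-policy' from a unit (the parser only looks at edit/set/next lines, so the show-command banner is ignored) and treat any interface it lists as one where denied traffic will still reach the FortiGate's own services.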

 

Related articles:

https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/363127/local-in-policies

https://community.fortinet.com/t5/FortiGate/Technical-Note-Filter-ingress-traffic-going-to-the-Forti...
