Created on 06-15-2022 09:49 AM, edited on 06-15-2022 10:15 PM by Anthony_E
Description: This article discusses the issue where a local-in-policy does not work as expected and the FortiGate accepts all traffic regardless of the configured restriction.
Scope: FortiOS.
Solution:
In cases where a local-in-policy is not working as expected, meaning traffic that is supposed to be denied is still being passed through, the most likely cause is that the implicit deny local-in-policy has not been created. Unlike IPv4 firewall policies, local-in-policies have no default implicit deny, so one has to be created explicitly, and it needs to be at the bottom of the list of local-in-policies so that the allow entries above it are evaluated first.
An example is given below:
# config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"         <- Address/subnet that needs to be allowed.
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"         <- No 'set action' here: this entry is the catch-all deny.
        set service "ALL"
        set schedule "always"
    next
end
Local-in-policies are created per interface, so to create a general implicit deny rule covering all interfaces for a particular service or source/destination address, use the interface 'ANY'.
Note: When no action is set manually, the action is taken as 'deny'.
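As an added example (not code from the article or from Fortinet), the following Python script parses a 'config firewall local-in-policy' block in the CLI format shown above and reports each interface whose effective policy chain does not end in a catch-all deny, or whose catch-all deny sits above an accept entry and so shadows it. It follows the two rules stated in this article: an entry without 'set action' is treated as deny, and an entry on interface 'any' applies to every interface. The embedded configuration is constructed for the example: it repeats the article's port4 entries and adds a port2 entry (with a made-up address object 'MGMT_HOSTS' and service HTTPS) that has no deny after it. The use of shlex assumes the double-quoted value format the FortiOS CLI prints.

```python
"""Audit a FortiOS 'config firewall local-in-policy' block for the missing
catch-all deny described in this article (added example, not Fortinet code)."""
import shlex

# Constructed sample: the article's port4 configuration, plus a constructed
# second interface (port2, address object MGMT_HOSTS) that has an accept rule
# but no catch-all deny after it.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
    edit 3
        set intf "port2"
        set srcaddr "MGMT_HOSTS"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end
"""


def parse_local_in_policies(text):
    """Return one dict per 'edit' entry, in configuration order.

    shlex handles the double-quoted values; a 'set' line with several values
    (for example two address objects) is stored as a list.  An entry with no
    'set action' line is recorded as deny, the FortiOS default the article notes.
    """
    policies, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = {"id": int(tokens[1]), "action": "deny"}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            values = tokens[2:]
            current[tokens[1]] = values[0] if len(values) == 1 else values
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def is_catch_all_deny(policy):
    """True when the entry denies every source, destination and service."""
    return (policy.get("action") == "deny"
            and policy.get("srcaddr") == "all"
            and policy.get("dstaddr") == "all"
            and policy.get("service") == "ALL")


def audit_local_in_policies(text):
    """Return a list of findings; an empty list means every interface that has
    local-in policies ends in a catch-all deny and no accept entry is shadowed.

    Policies are matched top to bottom, and an entry on interface 'any' applies
    to every interface, so each interface's effective chain is the entries for
    that interface plus the 'any' entries, in the order they appear.
    """
    policies = parse_local_in_policies(text)
    interfaces = {str(p.get("intf", "")).lower() for p in policies}
    if len(interfaces) > 1:
        interfaces.discard("any")   # 'any' only needs its own chain when alone

    def ids(entries):
        return ", ".join(str(p["id"]) for p in entries)

    findings = []
    for intf in sorted(interfaces):
        chain = [p for p in policies
                 if str(p.get("intf", "")).lower() in (intf, "any")]
        denies = [i for i, p in enumerate(chain) if is_catch_all_deny(p)]
        if not denies:
            findings.append(f"{intf}: no catch-all deny; traffic not matched by "
                            f"edit(s) {ids(chain)} is allowed")
        elif denies[0] < len(chain) - 1:
            # Accept entries listed after the catch-all deny can never match.
            shadowed = [p for p in chain[denies[0] + 1:] if p.get("action") != "deny"]
            if shadowed:
                findings.append(f"{intf}: catch-all deny (edit {chain[denies[0]]['id']}) "
                                f"is not last; edit(s) {ids(shadowed)} are shadowed")
    return findings


if __name__ == "__main__":
    for finding in audit_local_in_policies(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports only port2, because the article's port4 chain already ends in the catch-all deny. Adding a single 'intf "any"' catch-all deny as the last entry clears the port2 finding as well, which is the general fix the article recommends; feed it the output of 'show firewall local-in-policy' to check a live configuration.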
Related article:
https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/363127/local-in-policies