FortiGate
Article Id 214777
Description This article describes the issue where local-in-policy does not work as expected and forwards all traffic irrespective of the restriction.
Scope FortiOS.
Solution

This applies when a local-in-policy does not behave as expected, i.e. traffic that is supposed to be denied is still being allowed through.

The most likely cause is that no explicit deny local-in policy has been created. Unlike IPv4 firewall policies, local-in policies have no default implicit deny, so traffic that matches no entry is allowed.

In the list of local-in-policies, the deny policy must be the last entry, since entries are evaluated from the top down.

An example is given below:


config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"        <-- Address/subnet that needs to be allowed.
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2                       <-- Catch-all entry: no action is set, so it denies.
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end


Local-in policies are created per interface, so to create a general deny rule for all interfaces for a particular service or source/destination address, set the interface to 'ANY'.

Note: When no action is set manually, the action is taken as 'deny'.
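As an added check that is not part of the Fortinet article, the following Python script parses a local-in-policy block like the one above and reports, per interface, whether the last entry is a catch-all deny (treating a missing action as deny, as the note states). The parser and the sample configuration are constructed for this example.

```python
import re

# Constructed sample after the article's two-entry policy (entry 2 has no action, i.e. deny).
SAMPLE = """config firewall local-in-policy
    edit 1
        set intf "port4"
        set srcaddr "DMZ"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set intf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end"""

def parse_local_in(text):
    """Return entries in config order as dicts keyed by their 'set' names."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
        elif line == "next" and current is not None:
            entries.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"').lower()
    return entries

def is_catch_all_deny(e):
    """A missing 'action' defaults to deny, so its absence counts as deny."""
    return (all(e.get(k) == "all" for k in ("srcaddr", "dstaddr", "service"))
            and e.get("action", "deny") == "deny")

def audit(text):
    """Per interface: 'ok', 'deny-not-last' (entries below it never match) or 'missing-deny'."""
    by_intf = {}
    for e in parse_local_in(text):
        by_intf.setdefault(e.get("intf", "any"), []).append(e)
    report = {}
    for intf, entries in by_intf.items():
        pos = next((i for i, e in enumerate(entries) if is_catch_all_deny(e)), None)
        report[intf] = ("missing-deny" if pos is None
                        else "ok" if pos == len(entries) - 1 else "deny-not-last")
    return report
```

Run `audit()` over the output of `show firewall local-in-policy` to spot interfaces that still lack a trailing deny.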


Note: Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.


Related documents:

Local-in policies 

Technical Tip: Filter ingress traffic going to the FortiGate using local-in-policy