FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 297808
Description This article describes how to use local-in policies to restrict administrative access from attackers or malicious IPs trying to get into the FortiGate.
Scope FortiGate.

There are instances where unauthorized login attempts are coming from malicious IPs trying to get into the FortiGate.

It is strongly recommended to restrict the login from those malicious IPs. Below are sample logs indicating brute force attempts from attackers.


brute force logs edited.png


To apply a local-in policy to restrict unauthorized attempts on administrative access (HTTPS, HTTP, SSH) of the firewall. local-in policy configuration is only available on the CLI.


  1. Create a firewall address object for specific IPs, subnets, countries, and sources to restrict access to the administrative interface. In this example, a specific IP will be blocked:


config firewall address
    edit "Block_IP"
        set subnet


  1. Create a local-in policy and apply the created firewall address. The default action of the local-in policy is 'deny'.


config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Block_IP"
        set dstaddr "all"
        set service "ALL" <----- Define specific service/s.
        set schedule "always"


Once the local-in policy is applied, the attacker from the defined IP/subnet will no longer be able to reach the administrator login prompt.


 local-in 4.png


By default, local traffic logs in FortiGate are disabled. To enable local traffic logs:

Technical Tip: Local traffic logs tab shows no results


To view local-in policy logs, navigate to Log & Report -> Local Traffic:


local-in 3.PNG