Starting from FortiManager v7.2.0 and onward, users can create a FortiManager local-in policy to control inbound traffic to a FortiManager interface. This feature is just a basic, implicit-allow, inbound access control list. FortiManager is essentially a server, not a firewall, and it is recommended to be placed in a protected network segment. 

By default there are no local-in policies configured, and FortiManager is 'accepting' inbound connections to all enabled services.
The local-in policies are therefore needed only if the network access to specific FortiManager services needs to be limited, and there is no firewall in front of FortiManager that can be used to do so.

FortiManager local-in policy can only be created via CLI:

config system local-in-policy

    edit <id>

        set action {accept | drop | reject}

        set dport <integer>

        set dst <ip&netmask>

        set intf <string>

        set protocol {tcp | tcp_udp | udp}

        set src <ip&netmask>

        end

end

Below is an example of a local-in policy configuration, where:

• Policy '1' allows connections to port 541 (FGFM) from a specified trusted network (i.e. 10.10.10.0/24).
• Policy '2' has all other options, apart from the destination port, set to 'default', which makes it an explicit drop policy, which blocks the inbound access to the FGFM service from everywhere else, except from the trusted network defined in policy '1'.

config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 10.10.10.0/24
    next
    edit 2

        set dport 541
    next
end

Note that the local-in policies are applied only on the inbound, from FortiManager perspective, traffic.

Having such a configuration, as in the above example, would not prevent FortiManager from initiating an FGFM tunnel to a FortiGate in other than the trusted network.

However, if this tunnel is interrupted, only FortiManager would be able to reclaim it.

Related article:

local-in-policy