8009

Just create a local firewire policy and custom service with a deny action config firewall service custom edit " port_8009_tcp" set protocol TCP/UDP/SCTP set tcp-portrange 8009 next end config firewall local edit 0 set intf " wan1" set srcaddr " all" set dstaddr " all" set service " port_8009_tcp" set schedule " always" next

Actually there is, but is applied by default in the local-in policies. You should see something like this on you firewall as well. As emnoc said, you can block the traffic with a policy specific to that port on your wan interfaces

I wish they let me modify the local in policies

What do you mean " wish the let you modify" you can.See the 2nd post ( by me ), you have the ability to filter anyting that ' s local no different than a juniper SRX . if you think about it. the allowaccess and local-in-policy is the exact same things on juniper SRX ( system services ) but 100x more effective and easier imho ( Okay not 100X better but 10 times better ) if you would execute the sample policy provided, you will see that 8009 would be close on a followup scan.

I should not need to create a deny rule as the default deny all rule should cover it since there is no higher priority/ordered policy specifically allowing it.

fwiw, regular fwpolicies ipv4 or ipv6 has nothing todo with this.

Repeat after me cli cli cli cli It ( fortigate ) is the same or similar to a juniper SRX to some degree. So if it can be done in a SRX, it probably be done on a FGT but simpler. And uses the same concept ( per-se ) and the fortinet engineers took what juniper did and made it smarter. And the WebGUI is slicker and quicker :) So yes you can do EVERYTHING in the CLI actually more than what you can do in the WebGUI. I spend approx 90% of my days work in CLI mode. fwiw; I don' t know of one fortigate model that will NOT allow you to modify local-in-policies if it has support for in policies.