What are you trying to block, which kind of traffic?
There are 2 main categories:
- traffic through the FGT
- traffic to the FGT
The first one is controlled by regular policies, and only applies if you use VIPs (destination NAT), unless you use public IP addresses on your LAN.
The second one is controlled by local-in policies. These are configured in the CLI (config firewall local-in).
They control not only management traffic (like brute-force SSH attacks on the WAN port) but also IPsec access.
"Kernel panic: Aiee, killing interrupt handler!"
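
For the second category (traffic to the FGT), a sketch added here as an example, not part of the original post: local-in policies, entered under the full CLI path `config firewall local-in-policy`, that limit SSH/HTTPS management and IPsec (IKE) on the WAN port to known sources. The interface name `wan1`, the address object names and the documentation-range IPs are assumptions.

```fortios
# Constructed example: wan1, ADMIN_NET, VPN_PEER and all IPs are placeholders.
config firewall address
    edit "ADMIN_NET"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "VPN_PEER"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    # Management access: allow the admin network, then drop everyone else.
    edit 1
        set intf "wan1"
        set srcaddr "ADMIN_NET"
        set dstaddr "all"
        set service "SSH" "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSH" "HTTPS"
        set schedule "always"
        set action deny
    next
    # IPsec: accept IKE only from the known peer, then drop other sources.
    edit 3
        set intf "wan1"
        set srcaddr "VPN_PEER"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action accept
    next
    edit 4
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
```

Policies are evaluated top-down, so each accept entry has to sit above the matching deny.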