Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexFerenX
New Contributor III

Created on ‎10-21-2024 12:22 AM Edited on ‎10-21-2024 05:21 PM

Local-in vs Auto-provisioned vs Admin-in Policies

Hi!

there are three to-the-Fortigate policies - Local-in, Auto-provisioned and Admin-in Policies.

However, I'm unable to find documentation listing the order of execution/priority in which these are processed to determine which will occludes (ie. prevents access allowed by) others - is this documented? Otherwise, if it's dead-simple, provide answer?

R's, Feren

(Edit: removed "vs")

Labels:
619
0 Kudos
4 REPLIES 4
aastardzhiev
New Contributor II

Created on ‎10-21-2024 07:09 AM

Hi @AlexFerenX ,

 

If I am not mistaken by "Auto-provisioned" you probably refer to Auto provision rules | FortiPAM 1.4.1 | Fortinet Document Library which has nothing to do with access to the FortiGate itself.

And for "Admin-in" policies do  you mean the list of trusted hosts associated with the admin user?

Local-In and admin trusted hosts server sightly different purpose.
Local-in is blocking the traffic to enter the firewall, so if you try to access it from IP that is not allowed, firewall will not respond at all.

Trusted hosts list the IPs from which given admin is allowed to connected. If you connect from different IP, you still be presented with login page, but even with correct credentials you will receive authentication fail message.

571
AlexFerenX
New Contributor III
In response to aastardzhiev

Created on ‎10-21-2024 05:34 PM Edited on ‎10-21-2024 05:54 PM

Hi @aastardzhiev,

these are "Policy Group" I'm referring to:

  • (Custom) Local-in Policy - 00100001
  • Auto-provisioned Local-in Policy - 0010000e
  • (allowaccess) Admin-in Polilcy - 0010000f

So, no, they're very distinct and I seek definitive answer on the order of execution/priority.

539
0 Kudos
bkrishnan
Staff
Staff

Created on ‎10-24-2024 12:50 AM

Hi
Local-in-Policy is evaluated first when the traffic destined for the FGT
Admin-in-policy is for the administrative access lookup after local-in-policy
Auto-Provisioned Policies-https://docs.fortinet.com/document/fortipam/1.4.1/administration-guide/961601/auto-provision-rules

479
AlexFerenX
New Contributor III
In response to bkrishnan

Created on ‎10-24-2024 01:47 AM Edited on ‎10-24-2024 02:15 AM

Hi @bkrishnan 

I’ve provided “Policy Group” as related to Fortigate (not Fortipam). Is it possible to provide answer applicable to Fortigate - listed in order of execution/priority?

Thanks!

 

468
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.