You need to  enable logging  for local-in-policies

e.g

set local-in-allow enable

As already posted, local-in policies are only effective for traffic reaching one of the FGTs port addresses, i.e. the WAN address. They are meant to restrict access to the FGT management servers, which could be HTTP, HTTPS, SSH or telnet. Notice that you cannot specify a destination interface like in a regular policy - the destination is always the FGT itself.

In order to attack an internal server you would need to allow incoming traffic in the first place. That is, a policy from WAN to LAN. This is quite uncommon and usually requires a VIP to translate a public destination address to an internal, private address. You usually handle all security in this policy.

If there is no policy allowing some sort of traffic (even inbound) then it will hit the implicit final DENY policy, policy 0.

As far as I can see it, your problem is that you've allowing traffic in. Note that you do not need an inbound policy to allow traffic replies - policies allow/deny session setup, not traffic. You can surf the web from the LAN with an outbound policy only.

I checked my config log setting, and I've already got local-in-allow (and local-in-deny-broadcast and local-in-deny-unicast) enabled, as well as fw-policy-implicit-log.  So it looks like local-in-policy denies (and allows) should all be getting logged.

Looking at my local-in-policy, I have a guess for what I'm seeing.  I think the local-in-policy logs and the regular security policy logs both just write their policyid into the log.  The confusion was that my main local-in-policy deny rule and the main firewall lan_to_wan rule both have the same policy ID.  So in the logs it all looks the same.

I'll change the policy ids for my local-in-policy to be separate and identifiable and see what that gives me.  Will post my findings after I test this.

Regardless, I'm still seeing occasional denies for services that local-in-policy should be blocking, which are instead getting caught by the the default deny rule (policy ID of 0).  I would like to track backwards to find out how those are getting there.

@ede_pfau, our responses just crossed paths there.  I don't have an inbound wan_to_lan policy as we aren't hosting any servers.  And my local-in-policy denies most of what would hit the FortiGate from the wan directly, only allowing VPN connections from specific IPs.

I think the issue was/is simply the policyid for rules in the local-in-policy matching policyid for regular firewall rules.

Yep, that was it.  Logging just puts in a policyid field so the default display of the logs doesn't show any difference between local-in-policy and normal firewall policies.

I should have looked at the raw logs, which do have a  policytype field which is set to either "local-in-policy" or just "policy".

I've changed my policyid numbers for local-in-policy so its easy to tell them apart from the rest of the logs.

After filtering the rest out, I now think I see why I was getting some logs showing TELNET getting blocked by policyid=0 (default deny).  Those logs actually were local-in-policy logs (they had policytype=local-in-policy).  They were getting caught by, I assume, the local-in-policy default deny (whose policyid I can't unfortunately change).  The reason they fell through was that they were targeting a currently unused public IP for which I didn't have explicit local-in-policy rules.

Good catch! Always check with the raw logs