The FGT has a number of "open" ports that it listens on, including ports for administrative access. Local-in policies (for the most part) are meant to control (block or allow) this access.
Here is a script example:
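config firewall address
    edit "China-Country"
        set type geography
        set associated-interface "wan1"
        set country "CN"
    next
end
config firewall addrgrp
    edit "blocked-countries-group"
        set member "China-Country"
    next
end
# Policy ID 1 is an example; use any unused ID. The action defaults to deny.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-countries-group"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end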
(code snippy is from 5.2.)
But if you merely want to restrict admin login access to local or trusted hosts (as tioeudes noted above), you may be better off doing that. The section on restricting administrative access can be found here.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
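An added example, not part of the original post and not Fortinet tooling: a small Python check over a config backup that flags admin accounts with no trusthost entries and admin services in allowaccess on an interface that no local-in policy names. The sample config is constructed, the function names are hypothetical, and the parser only reads top-level config/edit/set blocks.

```python
import shlex
# Constructed sample of a config backup (not taken from the original post).
SAMPLE = """
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan2"
    next
end
"""

def parse(text):
    """Top-level config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    cfg, depth, section, entry = {}, 0, None, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True) or [""]
        if tok[0] == "config":
            depth += 1  # nested config blocks (depth > 1) are skipped
            if depth == 1:
                section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(cfg, wan="wan1"):
    """Flag admins without trusted hosts and admin services exposed on `wan`."""
    out = [f"admin {n}: no trusthost set" for n, a in cfg.get("system admin", {}).items()
           if not any(k.startswith("trusthost") for k in a)]
    access = cfg.get("system interface", {}).get(wan, {}).get("allowaccess", [])
    mgmt = sorted({"http", "https", "ssh", "telnet"} & set(access))
    policies = cfg.get("firewall local-in-policy", {}).values()
    if mgmt and not any(wan in p.get("intf", []) for p in policies):
        out.append(f"{wan}: {','.join(mgmt)} open, no local-in-policy")
    return out
```

Call `audit(parse(backup_text))` on the text of a saved configuration; each returned string is something to review, not proof of exposure.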