Let's consider this topology:

172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1

LAN1 IP address: 172.16.1.2
You can block ping from 172.16.1.1 to 192.168.1.1 using a firewall policy with srcintf LAN1 and dstintf LAN2. But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.

Easy example: In the GUI, navigate to Network > Interface. Edit an interface and allow administrative access ping. This simply creates a local-in policy that allows ping on this interface. You can display local-in policies in the GUI in System > Feature Visibility. If you don't allow administrative access ping on the interface, the default local-in policy is used, which is action=drop.
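The second case above (ping from 172.16.1.1 to the FortiGate's own LAN1 address 172.16.1.2) written as an explicit local-in policy in the FortiOS CLI. This is an added example, not part of the original post; the address object names and policy ID are hypothetical, and it assumes the interface is actually named "LAN1" on the device.

```fortios
# Address objects for the two hosts in the topology (object names are hypothetical)
config firewall address
    edit "host-172.16.1.1"
        set subnet 172.16.1.1 255.255.255.255
    next
    edit "fgt-lan1-172.16.1.2"
        set subnet 172.16.1.2 255.255.255.255
    next
end

# Local-in policy: traffic addressed to the FortiGate itself, arriving on LAN1
config firewall local-in-policy
    edit 1
        set intf "LAN1"
        set srcaddr "host-172.16.1.1"
        set dstaddr "fgt-lan1-172.16.1.2"
        # "PING" and "always" are predefined service and schedule objects
        set service "PING"
        set schedule "always"
        set action deny
        set status enable
    next
end

# Review what was configured
show firewall local-in-policy
```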