How can we create an access list to limit which IP addresses can connect to the VPN dial-up?
Use local-in policy. Service "IKE" covers both UDP 500 and 4500.
https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/363127/local-in-policy
<edit> Almost forgot to mention, local-in policy config in GUI started with 7.6.x. If you're running 7.4.x or below, you need to use CLI. </edit>
Toshi
I tried to make a local-in policy, but there is no tunnel dial-up interface, and not even my internet interface (port1).
Created on 08-25-2025 08:06 PM Edited on 08-25-2025 08:10 PM
No. The local-in policy works outside of the tunnel. You just need to apply it to the physical incoming interface, port1. Are you using 7.6 GUI or CLI?
If you're using SD-WAN, you might need to use "virtual-wan-link" zone name instead.
Toshi
port1, which is connected to the internet, is not visible.
Just hit
set intf ?
I believe port2 is not visible because port1 is a member of SD-WAN. The question now is that I have 2 tunnels, one for IPsec VPN site-to-site and the other for IPsec VPN remote access.
I only want to limit access to the IPsec VPN site-to-site; if I create a local-in policy with service 'IKE', then the IPsec remote access will be limited as well, am I right?
Created on 08-25-2025 08:50 PM Edited on 08-25-2025 08:50 PM
You need to allow those locations' public IPs to be able to come in, then deny all others. Below is a part of my local-in policy to limit SSL VPN access to some sources.
config firewall local-in-policy
    <snip>
    edit 5
        set intf "virtual-wan-link"
        set srcaddr "SSLVPN-allowedSRC"
        set dstaddr "all"
        set action accept
        set service "SSL_VPN"
        set schedule "always"
    next
    edit 9
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSL_VPN"
        set schedule "always"
    next
    <snip>
end
Toshi
For VPN remote access it is impossible to know the source IP, since the users can connect from anywhere, so I don't want to limit incoming access for remote access.
For VPN site-to-site, because this is for connecting 2 locations, I know the public IP for sure. So it would be better if we could set the interface to 'remote access tunnel' or 'site to site tunnel' as the source, because we have 2 different tunnels with separate limitations.
The VPN remote access is visible but not for site to site tunnel.
Probably because you put those in SD-WAN zones.
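To make the ordering and fall-through behaviour of the posted local-in policy concrete, and to show why a catch-all IKE deny also hits the remote-access tunnel (the concern raised above), here is an added Python simulator. It is example code written for this thread, not Fortinet's code and not the poster's configuration. It assumes: policies are tried in listed order and the first match wins; a policy without "set action" denies (the CLI default); a packet matching no policy is not blocked by local-in (which is why the posted config ends with an explicit deny-all entry); and the address objects, zone membership and peer IPs are constructed lab values.

```python
"""Simulate FortiOS-style local-in policy matching (added example, not Fortinet code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed firewall address objects (lab values, not from the thread).
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "S2S-peers": ["198.51.100.10/32", "203.0.113.0/24"],  # site-to-site peer public IPs
}
# Service name -> set of (proto, port). "IKE" covers UDP 500 and 4500, as stated above.
SERVICES = {
    "IKE": {("udp", 500), ("udp", 4500)},
    "SSL_VPN": {("tcp", 443)},  # constructed lab value for the SSL VPN listener
}
# Zone membership: the thread says port1 is a member of the SD-WAN zone.
ZONES = {"virtual-wan-link": {"port1", "port2"}}

# Constructed config in the same shape as the posted one, but restricting IKE.
SAMPLE_CONFIG = """
config firewall local-in-policy
    edit 1
        set intf "virtual-wan-link"
        set srcaddr "S2S-peers"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
    next
end
"""


@dataclass
class Policy:
    seq: int
    settings: dict = field(default_factory=dict)


def parse_local_in(text):
    """Parse 'config firewall local-in-policy' CLI text into ordered Policy objects."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"edit (\d+)$", line):
            current = Policy(int(m.group(1)))
        elif m := re.match(r'set (\S+) "?([^"]+)"?$', line):
            if current is not None:
                current.settings[m.group(1)] = m.group(2)
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def intf_matches(policy_intf, packet_intf):
    """'any' matches everything; a zone name matches its member interfaces."""
    if policy_intf == "any":
        return True
    return policy_intf == packet_intf or packet_intf in ZONES.get(policy_intf, set())


def addr_matches(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESSES[name])


def evaluate(policies, intf, src, proto, dport):
    """Return (verdict, matching seq) for a packet addressed to the FortiGate itself.

    dstaddr is not modelled (assumed "all"). First match wins; a policy with no
    'set action' denies (assumed CLI default); no match falls through as accept.
    """
    for p in policies:
        s = p.settings
        if not intf_matches(s.get("intf", "any"), intf):
            continue
        if not addr_matches(s.get("srcaddr", "all"), src):
            continue
        if (proto, dport) not in SERVICES[s["service"]]:
            continue
        return s.get("action", "deny"), p.seq
    return "accept", None


if __name__ == "__main__":
    pol = parse_local_in(SAMPLE_CONFIG)
    print(evaluate(pol, "port1", "198.51.100.10", "udp", 500))  # site peer: accept via 1
    print(evaluate(pol, "port1", "192.0.2.77", "udp", 500))     # road warrior: deny via 2
    print(evaluate(pol, "port1", "192.0.2.77", "tcp", 443))     # SSL VPN: no IKE policy hit
```

The second call is the point of the thread: both tunnels terminate on the same port1/UDP 500 and 4500 listener, so a source allow-list plus deny-all for service "IKE" blocks remote-access users whose addresses you cannot know in advance, while a non-IKE service (third call) is untouched because no policy matches it.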