Hello everyone,
I have two Fortigates:
A Fortigate 60F and a Fortigate 70G.
On the Fortigate 60F, there is a WiFi network, where I reserved the IP address 172.16.10.110:
The Fortigate 60F is connected to the 70G via a link and a static route:
All traffic destined for the 70G must pass through the 60F.
Conversely, on the 70G:
The connection works well, everything works fine.
Now, I tried to restrict access to the 60F GUI (https://10.0.1.0:40443) using two local-in policies:
config firewall local-in-policy
    edit 1
        set uuid 5c0a2180-47a5-51f0-1e8d-733b986f1a94
        set intf "any"
        set srcaddr "My_IP_ADDRESS"
        set dstaddr "login_group"
        set action accept
        set service "HTTPS-40443"
        set schedule "always"
    next
    edit 2
        set uuid 71f5a26c-47aa-51f0-21c9-79d49494eb3e
        set intf "any"
        set srcaddr "all"
        set dstaddr "login_group"
        set service "HTTPS-40443"
        set schedule "always"
        set status disable
    next
end
login_group is the GUI address and My_IP_ADDRESS is 172.16.10.110/24.
The first rule allows access only to me, the second rule denies access to everyone else.
Everything works correctly.
In fact, if I check administrator access on the 60F, my IP address is correct and therefore it can be filtered.
I want to do the same on the 70G, blocking access to https://172.16.1.1:40443/, defining "My_IP_ADDRESS" in the same way, defining "login_group" consistently and creating the same two local-in policies.
However, what happens is that the final deny policy blocks everyone, including me.
My PC IP is still 172.16.10.110, since I am always connected to the same network, but I believe the Fortigate 70G does not see me as 172.16.10.110 but as 10.0.0.1, which is the outgoing 60F interface; I notice this by checking my access to the 70G GUI:
So, the first accept policy, reserved for 172.16.10.110, is ignored.
How can I solve this problem?
Has anyone experienced something similar?
If the source is changed into the IP of the interface, you are most likely doing NAT for the traffic on the 60F, so disable NAT for this traffic on the device for 172.16.10.110 to the interface IP and port 40443, or whatever HTTPS port you are using.
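The fix the reply describes, written out as an added FortiOS CLI example (not configuration from the original thread): on the 60F, the firewall policy that forwards the admin PC's traffic toward the 70G is created with `set nat disable`, so the 70G sees the real source 172.16.10.110 instead of the 60F's outgoing interface 10.0.0.1; on the 70G, the two local-in policies then match on that host address, with the catch-all rule given an explicit `set action deny` and left enabled. The interface names `wifi` and `port1`, the object names `FG70G_GUI` and `My_IP_ADDRESS`, and the `HTTPS-40443` custom service are assumptions; the GUI address 172.16.1.1 and port 40443 come from the post. The host object is defined as a /32 here so that only the single PC, not the whole WiFi subnet, matches the accept rule.

```fortios
# ---- On the FortiGate 60F: forward admin traffic to the 70G without source NAT ----
# Assumed names: "wifi" (WiFi interface), "port1" (link toward the 70G),
# "My_IP_ADDRESS", "FG70G_GUI", "HTTPS-40443" (custom TCP/40443 service).
config firewall address
    edit "My_IP_ADDRESS"
        set subnet 172.16.10.110 255.255.255.255
    next
    edit "FG70G_GUI"
        set subnet 172.16.1.1 255.255.255.255
    next
end
config firewall service custom
    edit "HTTPS-40443"
        set tcp-portrange 40443
    next
end
config firewall policy
    edit 10
        set name "wifi-to-70g-gui"
        set srcintf "wifi"
        set dstintf "port1"
        set srcaddr "My_IP_ADDRESS"
        set dstaddr "FG70G_GUI"
        set action accept
        set schedule "always"
        set service "HTTPS-40443"
        set nat disable
        set logtraffic all
    next
end

# ---- On the FortiGate 70G: admit only the admin host to the GUI port ----
# "login_group" holds the 70G's own GUI address 172.16.1.1, as in the post.
config firewall address
    edit "My_IP_ADDRESS"
        set subnet 172.16.10.110 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "My_IP_ADDRESS"
        set dstaddr "login_group"
        set action accept
        set service "HTTPS-40443"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "login_group"
        set action deny
        set service "HTTPS-40443"
        set schedule "always"
        set status enable
    next
end
```

To confirm the source address the 70G actually sees before and after the change, capture a GUI connection on the 70G with `diagnose sniffer packet any "tcp port 40443" 4 10` and check that the source IP in the SYN is 172.16.10.110 rather than 10.0.0.1; if it still shows 10.0.0.1, another policy (or a central SNAT rule) on the 60F is still translating the traffic. Local-in policies are evaluated top down, so the accept rule must keep the lower ID.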