Fortinet Document Library

CLI Reference

6.0.0

firewall {local-in-policy | local-in-policy6}

Use these commands to create firewall policies for traffic destined for the FortiGate unit itself.

Command                   Description
set comments [comment]    Comments field added, for both local-in-policy and local-in-policy6.

config firewall local-in-policy
    edit {policyid}
    # Configure user defined IPv4 local-in policies.
        set policyid {integer}   User defined local in policy ID. range[0-4294967295]
        set ha-mgmt-intf-only {enable | disable}   Enable/disable dedicating the HA management interface only for local-in policy.
        set intf {string}   Incoming interface name from available options. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address object from available options.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address object from available options.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set action {accept | deny}   Action performed on traffic matching the policy (default = deny).
                accept  Allow traffic matching this policy.
                deny    Deny or block traffic matching this policy.
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set schedule {string}   Schedule object from available options. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set status {enable | disable}   Enable/disable this local-in policy.
        set comments {string}   Comment. size[1023]
    next
end
config firewall local-in-policy6
    edit {policyid}
    # Configure user defined IPv6 local-in policies.
        set policyid {integer}   User defined local in policy ID. range[0-4294967295]
        set intf {string}   Incoming interface name from available options. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address object from available options.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address object from available options.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set action {accept | deny}   Action performed on traffic matching the policy (default = deny).
                accept  Allow local-in traffic matching this policy.
                deny    Deny or block local-in traffic matching this policy.
        config service
            edit {name}
            # Service object from available options. Separate names with a space.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set schedule {string}   Schedule object from available options. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set status {enable | disable}   Enable/disable this local-in policy.
        set comments {string}   Comment. size[1023]
    next
end
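A worked configuration, added here as an example and not taken from the Fortinet reference, that limits administrative access to the unit on one interface to a single management subnet and drops everything else addressed to the unit on that interface. The interface name wan1, the address object ADMIN-NET and the subnet 10.0.100.0/24 are constructed assumptions; HTTPS, SSH, ALL, all and always are FortiOS predefined objects.

```fortios
# Added example (not from the Fortinet reference): allow HTTPS/SSH management of
# the FortiGate on wan1 only from an assumed admin subnet, then deny the rest.
# Assumed names: wan1, ADMIN-NET, 10.0.100.0/24 (constructed sample values).
config firewall address
    edit "ADMIN-NET"
        set subnet 10.0.100.0 255.255.255.0
        set comment "Management jump hosts (constructed example)"
    next
end
config firewall local-in-policy
    # Local-in policies are evaluated in table order, so the accept entry
    # must sit above the deny entry.
    edit 1
        set intf "wan1"
        config srcaddr
            edit "ADMIN-NET"
            next
        end
        config dstaddr
            edit "all"
            next
        end
        config service
            edit "HTTPS"
            next
            edit "SSH"
            next
        end
        set schedule "always"
        set action accept
        set status enable
        set comments "Admin access to the unit from ADMIN-NET only"
    next
    edit 2
        set intf "wan1"
        config srcaddr
            edit "all"
            next
        end
        config dstaddr
            edit "all"
            next
        end
        config service
            edit "ALL"
            next
        end
        set schedule "always"
        set action deny
        set status enable
        set comments "Drop all other traffic addressed to the unit on wan1"
    next
end
```

Policy 2 denies every service addressed to the unit on wan1, including any VPN or dynamic-routing sessions that terminate there, so extend the accept list for those before deploying. Local-in policies only narrow what the interface's allowaccess setting already permits, so HTTPS and SSH must also be enabled there.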

Additional information

The following section is for those options that require additional explanation.
