Fortinet Document Library

Local-in policies

Security policies control traffic that passes through the FortiGate. Local-in policies control traffic that terminates on the FortiGate itself, that is, management and other traffic addressed to one of its own interfaces.

Each interface has an allowaccess setting that lists the management protocols (for example HTTPS, SSH, PING, SNMP) it accepts. The FortiGate automatically generates local-in policies that permit those protocols from any source. Custom local-in policies take this a step further by permitting or denying that access per source address, service and schedule. You can use them to restrict administrative access, routing protocols, central management by FortiManager, and similar traffic destined to the FortiGate.

Note

Local-in policies can only be created or edited in the CLI. You can view the automatically generated local-in policies in the GUI by enabling the feature in System > Feature Visibility under the Additional Features section. That GUI page does not list custom local-in policies; use show firewall local-in-policy in the CLI to review them.

To configure a local-in policy using the CLI (use local-in-policy6 for IPv6 traffic; srcaddr, dstaddr and service each accept one or more names):
config firewall {local-in-policy | local-in-policy6}
  edit <policy_number>
    set intf <source_interface>
    set srcaddr <source_address>
    set dstaddr <destination_address>
    set action {accept | deny}
    set service <service_name>
    set schedule <schedule_name>
    set comments <string>
  next
end

Additional options

To disable or re-enable a local-in policy without deleting it, use the set status {enable | disable} command within the policy entry.

To restrict a policy to the dedicated HA management interface (the interface reserved under config system ha), use the set ha-mgmt-intf-only enable command.
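The following is a worked example added to this page; it is not taken from the original document. It restricts SSH and HTTPS on the WAN interface to a single management subnet and denies the same two services from every other source, while leaving other traffic that terminates on the FortiGate (VPN, routing protocols, DHCP) untouched. The interface name wan1, the address object MGMT-NET with subnet 203.0.113.0/24, and the policy numbers 1 and 2 are assumptions. Lines beginning with # are commentary for the reader, not CLI input.

```text
# Prerequisite: the interface's allowaccess setting decides which management
# protocols the FortiGate accepts at all. A local-in policy can only narrow
# that set; an accept policy does not open a protocol allowaccess omits.
config system interface
    edit "wan1"
        set allowaccess https ssh
    next
end

# Address object for the management network (assumed value).
config firewall address
    edit "MGMT-NET"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Local-in policies are evaluated in the order they appear in the table
# (reorder with: move <id> before <id>). The accept for the management
# subnet must sit above the deny that covers everyone else.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT-NET"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
        set comments "Admin access on wan1 only from the management subnet"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
        set comments "Drop all other admin access on wan1"
    next
end

# Review the result; custom policies do not appear in the GUI.
show firewall local-in-policy

# Suspend the deny rule without deleting it (for example while troubleshooting),
# then re-enable it with "set status enable".
config firewall local-in-policy
    edit 2
        set status disable
    next
end
```

Three points to check before committing such a policy. First, the deny in policy 2 is limited to HTTPS and SSH on purpose: a deny with service ALL on wan1 would also drop IPsec and SSL VPN, BGP or OSPF, and any other service that terminates on that interface. Second, if wan1 carries an IPv6 address, repeat the pair under config firewall local-in-policy6 with an IPv6 address object; otherwise the IPv6 path stays governed by allowaccess alone. Third, apply the change from the console or from a host inside MGMT-NET, since a mistake in the address object locks out remote administration on that interface.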