Local-in policies
Security policies control the traffic that flows through the FortiGate. The FortiGate also includes the option of controlling traffic that is addressed to the FortiGate itself, that is, management traffic.
Each interface includes an allow access configuration that permits management access for specific protocols. Local policies are set up automatically to allow that access for all users. Local-in policies take this a step further by explicitly enabling or restricting which users can reach those services. You can use local-in policies for administrative access, routing, central management by FortiManager, or other related purposes.
Note: Local-in policies can only be created or edited in the CLI. You can view the existing local-in policies in the GUI by enabling them in System > Feature Visibility under the Additional Features section. The GUI page does not list custom local-in policies.
To configure a local-in policy using the CLI:
```
config firewall {local-in-policy | local-in-policy6}
    edit <policy_number>
        set intf <source_interface>
        set srcaddr <source_address>
        set dstaddr <destination_address>
        set action {accept | deny}
        set service <service_name>
        set schedule <schedule_name>
        set comments <string>
    next
end
```
Additional options
To disable or re-enable the local-in policy, use the `set status {enable | disable}` command.
To dedicate the interface as an HA management interface, use the `set ha-mgmt-intf-only enable` command.
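The following is an added worked example, not configuration from this page or from Fortinet: it restricts HTTPS and SSH administrative access on an interface to a single management subnet and denies those services from every other source. The interface name `port1`, the address object name `MGMT_NET` and the subnet `10.10.10.0/24` are assumed values for illustration.

```fortios
# Address object for the subnet that is allowed to manage the FortiGate
# (constructed example value; replace with your real management network).
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Local-in policies are evaluated in order, so the accept policy for the
# management subnet is placed before the catch-all deny. The interface's
# allowaccess setting must still include https and ssh; the local-in policy
# only narrows who may use those services.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
        set status enable
        set comments "Allow HTTPS/SSH admin access from the management subnet only"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
        set status enable
        set comments "Deny HTTPS/SSH admin access from all other sources"
    next
end
```

Apply the accept policy first and confirm that a session from the management subnet still works before adding the deny policy, because a deny that matches your own source locks you out of the interface.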