Local-In Policies (Protect the FortiGate Itself)¶
Normal firewall policies control traffic through the FortiGate. Local-in policies control traffic to the FortiGate itself — admin GUI, SSH, SNMP, IPsec, BGP, etc.
By default, services enabled on an interface (HTTPS / SSH / PING / etc. in Administrative Access) are open to anyone who can reach that interface. Local-in policies let you restrict that — e.g. "only allow SSH from my office IP."
When to Use Them¶
- Admin access restriction — only allow HTTPS to the FortiGate from a trusted source.
- BGP / OSPF / IKE neighbor restriction — only allow these protocols from specific peers.
- Block specific attackers at the device level (rather than at the policy level for through-traffic).
Before You Start¶
- Source address objects for the trusted hosts.
- You're NOT going to lock yourself out — always have console access ready.
Steps¶
Local-in policies are CLI-only by default (no GUI section in most versions).
```
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Admin-Trusted-Hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
        set comments "Allow admin from trusted hosts only"
    next
    edit 0
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
        set comments "Deny admin from anywhere else on WAN"
    next
end
```
This pair allows HTTPS/SSH to the FortiGate on wan1 from Admin-Trusted-Hosts and denies it from everyone else on that interface. Order matters: the accept rule must come before the deny.
The same pattern for BGP, restricting the protocol to a single known peer:
```
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Address-BGP-Peer-ISP-A"
        set dstaddr "all"
        set action accept
        set service "BGP"
        set schedule "always"
    next
    edit 0
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "BGP"
        set schedule "always"
    next
end
```
Trusted Hosts (Alternative)¶
You can ALSO restrict admin access per-admin-user via "Trusted Hosts" on the admin account:
- System → Administrators → edit admin.
- Restrict login to trusted hosts = Enable.
- Add up to 10 subnets/IPs.
- OK.
This restricts admin login by user — separate from local-in policy. Use both for defense in depth.
Verify¶
```
diagnose firewall local-in-policy list
```
From an untrusted source, try to reach the FortiGate admin — should be blocked. From a trusted source, should still work.
Common Issues¶
- Locked out! Most common mistake: deny-only rule without a permit-from-trusted above it. ALWAYS write the allow rule first, test, then add the deny. Console cable recovery if locked out.
- Local-in policy doesn't seem to apply. Wrong interface — local-in is per-interface. Wrong service — must match a known service object.
- Forgot to add HTTPS for emergency backup admin path. Always allow admin from a secondary trusted IP (your mobile hotspot, a backup VPN).
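The lock-out mistake above is easy to catch before pushing a config. This added Python script (not part of the FortiGate documentation or of any Fortinet tool) parses a `config firewall local-in-policy` block in the CLI shape shown on this page and flags any service denied from `all` that no earlier accept rule on the same interface permits from a narrower source. The sample config is constructed; its accept rule lists only HTTPS, so the deny that follows would also cut off trusted SSH.

```python
import shlex

# Constructed sample in the CLI shape used on this page: the accept rule only
# lists HTTPS, so the deny that follows would also lock out trusted SSH.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Admin-Trusted-Hosts"
        set action accept
        set service "HTTPS"
    next
    edit 0
        set intf "wan1"
        set srcaddr "all"
        set action deny
        set service "HTTPS" "SSH"
    next
end
"""

def parse_local_in(text):
    """Return policies in evaluation order; each 'set' key maps to its value list."""
    policies, current = [], None
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the quoted object names
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {}
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies

def find_lockout_risks(policies):
    """Flag each (interface, service) denied from 'all' that no earlier accept
    rule on the same interface permits from a narrower source."""
    findings = []
    for i, pol in enumerate(policies):
        if pol.get("action") != ["deny"] or pol.get("srcaddr") != ["all"]:
            continue
        intf = pol["intf"][0]
        for svc in pol.get("service", []):
            covered = any(p.get("action") == ["accept"] and p["intf"][0] == intf
                          and svc in p.get("service", []) and p.get("srcaddr") != ["all"]
                          for p in policies[:i])
            if not covered:
                findings.append((intf, svc))
    return findings
```

Run `find_lockout_risks(parse_local_in(SAMPLE_CONFIG))` against the sample and it reports `('wan1', 'SSH')`; a config whose accept rule also lists SSH comes back clean.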