Difference between Firewall Policy and Local In Policy

Kooolboy · March 10, 2025, 12:36pm

Hello,

Whats the main difference between firewall policy and local in policy? Though both are same I believe as, it depends on how you configure the policy if incoming traffic is coming from outside interface then it’s considered as local in policy?

Please correct me and I need to block few ports and TAC team suggested to use local in policy ( I haven’t read about it though).

Thanks in advance.

ultimattt · March 10, 2025, 12:36pm

ELI 10 version - firewall policy is for traffic going THROUGH the FortiGate.

Local-in is for traffic going TO the FortiGate.

pabechan · March 10, 2025, 12:36pm

local-in is for traffic where the FortiGate itself is the actual destination. Think admin GUI, admin SSH, SSL-VPN, IPsec, etc.
The FortiGate itself automatically opens ports when its services are enabled, which is why whenever you see local-in policies being used, it is almost exclusively deny policies (to override an auto-created rule).

“Regular” firewall policies handle traffic that is forwarded through the FortiGate (hence “forward traffic log”), so that is any traffic that hits the FortiGate and needs to leave to reach its final destination.

working_is_poisonous · March 10, 2025, 12:36pm

local-in policies is for traffic destined to the firewall, policies are for traffic TRANSITING THROUGH the firewall.

In any case, if you have a loopback interface for management for redundancy reasons, traffic to the loopback MUST be permitted on policies, ottherwise it doesn’t work. If you use local-in policies, in this case you’d probably configure a ‘permit any’ in the ‘transit’ policies, to avoid doing everything twice.

Local-out traffic is basicly allowed or not on FG’s configurations.

MaNiFeX · March 10, 2025, 12:36pm

To clarify, often these two flows are abstracted as “management plane” and “data plane.” These are often logically separated for policy reasons.

You don’t want to lock yourself out of a management interface because you put in an ACL for your VPN or DMZ network to not access 443 on your RFC1918, for example.

Edit: it’s why it’s good to change your management port to 4343 or 4433, as 443 is often used for VPN web gateway.

Fallingdamage · March 10, 2025, 12:36pm

For local in some of the best practices are to maintain a trusted hosts list to allow for any specific services, enable VIP on that policy and deny all other attempts… also making sure you receive alerts whenever access is attempted.

MaNiFeX · March 10, 2025, 12:36pm

And don’t look at the GUI for it either… it’s not good.