Solved: How do I remove existing local in policies from FortiGate GUI

This article covers the procedures for deleting the local-in policies currently displayed on the FortiGate GUI.

Scope

Local-in policies regulate the traffic and services destined for the FortiGate's own interfaces, in contrast to standard firewall policies, which govern traffic passing through the unit.

To have precise control over the services, source, and destination addresses, administrators can design a custom local-in policy to allow or deny the particular traffic.

Be aware that the creation or editing of custom local-in policies can only be done via CLI.

This article only applies to the existing local-in policies that are displayed on the GUI after enabling the additional feature 'Local In Policy' under System > Feature Visibility.

These policies can only be viewed from the GUI.

They cannot be deleted there, since the change has to be made at the interface level.

Solution

By turning on ‘Local In Policy’ under System > Feature Visibility > Additional Features, administrators can observe the existing local-in policies in the GUI.

It is possible to view the current local-in policies by selecting Policy & Objects > Local In Policy.

For instance, port1 is open for PING, HTTP, HTTPS, SSH, and TELNET traffic, as shown below.

Note: This page does not list the custom local-in policies. Custom local-in policies can only be created or edited in the CLI.

There is no direct method to remove the existing local-in policies from the GUI.

These existing local-in policies are removed at the interface level, by disabling the corresponding administrative access protocol on the interface.

From the GUI, uncheck the selected protocol under Network > Interfaces > Edit Interface > Administrative Access.

For example, TELNET has been unchecked from port1 administrative access protocols.

It is now possible to observe that the TELNET entry for port1 has been removed under 'Local In Policy'.

The interface-level administrative access protocols can also be configured via the CLI. Note that 'set allowaccess' replaces the whole list, so every protocol that should remain must be listed; any protocol omitted is removed from the interface (here SSH is dropped from port1, and TELNET stays removed):

# config system interface
    edit port1
        set allowaccess ping http https
    next
end
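The CLI procedure above is easy to apply to one interface by hand, but on a unit with many interfaces it is useful to audit which interfaces still expose a cleartext management protocol and to generate the matching 'set allowaccess' commands. The following POSIX shell script is an added example and is not Fortinet's code; it parses a constructed sample of 'show system interface' output (embedded inline, not taken from a real device), reports every interface whose allowaccess list contains a protocol treated as insecure (TELNET and HTTP, an assumption for this example), and prints the CLI that re-sets allowaccess with those protocols removed. The function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of FortiOS `show system interface` output (not captured from a device).
SAMPLE_CONFIG='config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    edit "port3"
        set vdom "root"
        set type physical
    next
end'

# Management protocols treated as insecure for this example (assumption).
INSECURE_PROTOS="telnet http"

# list_allowaccess CONFIG
# Prints one line per interface that has allowaccess set: "<interface> <proto> <proto> ...".
# Interfaces without an allowaccess line (port3 above) are skipped.
list_allowaccess() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*edit "/ { name = $2; gsub(/"/, "", name) }
        /^[[:space:]]*set allowaccess/ {
            $1 = ""; $2 = ""; sub(/^[[:space:]]+/, "")
            print name, $0
        }'
}

# find_insecure CONFIG
# Prints the name of every interface whose allowaccess list contains an insecure protocol.
find_insecure() {
    list_allowaccess "$1" | while read -r iface protos; do
        for p in $protos; do
            case " $INSECURE_PROTOS " in
                *" $p "*) echo "$iface"; break ;;
            esac
        done
    done
}

# remediation_cli CONFIG
# For each interface that needs a change, prints the FortiOS CLI that re-sets allowaccess
# with the insecure protocols removed. Because `set allowaccess` replaces the whole list,
# every protocol that should stay is listed explicitly.
remediation_cli() {
    list_allowaccess "$1" | while read -r iface protos; do
        keep=""
        for p in $protos; do
            case " $INSECURE_PROTOS " in
                *" $p "*) ;;                 # drop insecure protocol
                *) keep="$keep $p" ;;        # keep everything else
            esac
        done
        keep=${keep# }
        if [ "$keep" != "$protos" ]; then
            printf 'config system interface\n    edit %s\n        set allowaccess %s\n    next\nend\n' \
                "$iface" "$keep"
        fi
    done
}

# Stand-alone usage: audit the sample and print the remediation commands.
echo "Interfaces with insecure management access:"
find_insecure "$SAMPLE_CONFIG"
echo
echo "Remediation CLI:"
remediation_cli "$SAMPLE_CONFIG"
```

Feed it real output by replacing SAMPLE_CONFIG with the text of 'show system interface' from the unit; the generated commands are the same shape as the CLI block above and can be reviewed before being applied. After applying them, the corresponding entries disappear from Policy & Objects > Local In Policy, exactly as in the TELNET and SSH examples in this article.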

It is now possible to observe that the SSH entry for port1 has been removed under 'Local In Policy'.