Fortinet white logo
Fortinet white logo

CLI Reference

config firewall local-in-policy

config firewall local-in-policy

Configure user defined IPv4 local-in policies.

config firewall local-in-policy
    Description: Configure user defined IPv4 local-in policies.
    edit <policyid>
        set action [accept|deny]
        set comments {var-string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set ha-mgmt-intf-only [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-name <name1>, <name2>, ...
        set internet-service-src-negate [enable|disable]
        set intf <name1>, <name2>, ...
        set schedule {string}
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set status [enable|disable]
        set uuid {uuid}
        set virtual-patch [enable|disable]
    next
end

config firewall local-in-policy

Parameter

Description

Type

Size

Default

action

Action performed on traffic matching the policy.

option

-

deny

Option

Description

accept

Allow traffic matching this policy.

deny

Deny or block traffic matching this policy.

comments

Comment.

var-string

Maximum length: 1023

dstaddr <name>

Destination address object from available options.

Address name.

string

Maximum length: 79

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

ha-mgmt-intf-only

Enable/disable dedicating the HA management interface only for local-in policy.

option

-

disable

Option

Description

enable

Enable dedicating HA management interface only for local-in policy.

disable

Disable dedicating HA management interface only for local-in policy.

internet-service-src

Enable/disable use of Internet Services in source for this local-in policy. If enabled, source address is not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services source in local-in policy.

disable

Disable use of Internet Services source in local-in policy.

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-name <name>

Internet Service source name.

Internet Service name.

string

Maximum length: 79

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

intf <name>

Incoming interface name from available options.

Address name.

string

Maximum length: 79

policyid

User defined local in policy ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

schedule

Schedule object from available options.

string

Maximum length: 35

service <name>

Service object from available options.

Service name.

string

Maximum length: 79

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

srcaddr <name>

Source address object from available options.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

status

Enable/disable this local-in policy.

option

-

enable

Option

Description

enable

Enable this local-in policy.

disable

Disable this local-in policy.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

virtual-patch

Enable/disable virtual patching.

option

-

disable

Option

Description

enable

Enable virtual patching.

disable

Disable virtual patching.

config firewall local-in-policy

config firewall local-in-policy

Configure user defined IPv4 local-in policies.

config firewall local-in-policy
    Description: Configure user defined IPv4 local-in policies.
    edit <policyid>
        set action [accept|deny]
        set comments {var-string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set ha-mgmt-intf-only [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-name <name1>, <name2>, ...
        set internet-service-src-negate [enable|disable]
        set intf <name1>, <name2>, ...
        set schedule {string}
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set status [enable|disable]
        set uuid {uuid}
        set virtual-patch [enable|disable]
    next
end

config firewall local-in-policy

Parameter

Description

Type

Size

Default

action

Action performed on traffic matching the policy.

option

-

deny

Option

Description

accept

Allow traffic matching this policy.

deny

Deny or block traffic matching this policy.

comments

Comment.

var-string

Maximum length: 1023

dstaddr <name>

Destination address object from available options.

Address name.

string

Maximum length: 79

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

ha-mgmt-intf-only

Enable/disable dedicating the HA management interface only for local-in policy.

option

-

disable

Option

Description

enable

Enable dedicating HA management interface only for local-in policy.

disable

Disable dedicating HA management interface only for local-in policy.

internet-service-src

Enable/disable use of Internet Services in source for this local-in policy. If enabled, source address is not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services source in local-in policy.

disable

Disable use of Internet Services source in local-in policy.

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-name <name>

Internet Service source name.

Internet Service name.

string

Maximum length: 79

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

intf <name>

Incoming interface name from available options.

Address name.

string

Maximum length: 79

policyid

User defined local in policy ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

schedule

Schedule object from available options.

string

Maximum length: 35

service <name>

Service object from available options.

Service name.

string

Maximum length: 79

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

srcaddr <name>

Source address object from available options.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

status

Enable/disable this local-in policy.

option

-

enable

Option

Description

enable

Enable this local-in policy.

disable

Disable this local-in policy.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

virtual-patch

Enable/disable virtual patching.

option

-

disable

Option

Description

enable

Enable virtual patching.

disable

Disable virtual patching.