Local-In policies on FortiManager limit which source IPs or IP ranges may reach the FortiManager itself. They are rudimentary compared with the Local-In policies of other Fortinet device types such as FortiGate, and they only filter connections inbound to the appliance. Treat them as one layer and additionally restrict access to FortiManager by other means, for example an upstream firewall or a dedicated management network.
With no Local-In policies configured, FortiManager accepts all connections. The policies below were written for FortiManager 7.4.6 and can only be configured through the FortiManager CLI, not the GUI. They do two things:
- Policies 1 to 8 whitelist the management source ranges and the ports they are allowed on (443 for HTTPS and 80 for HTTP).
- Policies 9 and 10 only set the port and leave every other option at its default, so they match the same ports from any source. A policy whose action is left at the default drops the traffic, which makes these two entries a catch-all deny for 443 and 80. Because the list is evaluated top-down, they must stay after the accept entries.

Two caveats. First, only 443 and 80 get a catch-all deny; any other service FortiManager listens on, such as SSH on 22 or FGFM on 541 used by managed FortiGates, is still reachable from any source, and locking those down requires further entries that also allow the managed devices. Second, make sure the address you are connecting from falls inside one of the accepted ranges before committing, or you lock yourself out of the web UI and have to recover via the console.
```
config system local-in-policy
    edit 1
        set action accept
        set dport 443
        set src 10.200.0.0 255.255.224.0
    next
    edit 2
        set action accept
        set dport 80
        set src 10.200.0.0 255.255.224.0
    next
    edit 3
        set action accept
        set dport 443
        set src 10.149.0.0 255.255.0.0
    next
    edit 4
        set action accept
        set dport 80
        set src 10.149.0.0 255.255.0.0
    next
    edit 5
        set action accept
        set dport 443
        set src 172.25.4.0 255.255.252.0
    next
    edit 6
        set action accept
        set dport 80
        set src 172.25.4.0 255.255.252.0
    next
    edit 7
        set action accept
        set dport 443
        set src 172.26.4.0 255.255.252.0
    next
    edit 8
        set action accept
        set dport 80
        set src 172.26.4.0 255.255.252.0
    next
    edit 9
        set dport 443
    next
    edit 10
        set dport 80
    next
end
```
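To see what a policy block like the one above does to a given connection before you commit it, here is an added example (my code, not part of this page and not a Fortinet tool): a small Python parser for the `config system local-in-policy` text and an evaluator that walks the entries. The top-down first-match, any-source and default-deny semantics it models are assumptions drawn from the notes above; the abridged copy of the configuration and the 203.0.113.10 test address are constructed for the example.

```python
"""Offline evaluator for a FortiManager local-in policy block.

Added example; not Fortinet code and not part of the original page. It parses a
pasted `config system local-in-policy` block and answers "what happens to a
connection from IP X to port Y" under these ASSUMED semantics:
  - policies are evaluated top-down and the first match wins;
  - a missing `src` matches any source, a missing `dport` matches any port;
  - a missing `action` is the default, modelled as deny (an option left at
    default drops the traffic);
  - a connection matching no policy is accepted (FortiManager accepts
    everything when no Local-In policy applies).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an abridged copy of the policy block on this page
# (entries 1 and 2 plus the two catch-all entries 9 and 10).
LOCAL_IN_CONFIG = """
config system local-in-policy
    edit 1
        set action accept
        set dport 443
        set src 10.200.0.0 255.255.224.0
    next
    edit 2
        set action accept
        set dport 80
        set src 10.200.0.0 255.255.224.0
    next
    edit 9
        set dport 443
    next
    edit 10
        set dport 80
    next
end
"""

DEFAULT_ACTION = "deny"  # assumption: an `action` left at default drops traffic


@dataclass
class Policy:
    pid: int
    action: Optional[str] = None                  # None = left at default
    dport: Optional[int] = None                   # None = any port
    src: Optional[ipaddress.IPv4Network] = None   # None = any source


def parse_local_in(config: str) -> List[Policy]:
    """Turn the CLI text into an ordered list of Policy objects."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = Policy(pid=int(m.group(1)))
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif (m := re.fullmatch(r"set (\w+) (.+)", line)) and current is not None:
            key, value = m.groups()
            if key == "action":
                current.action = value
            elif key == "dport":
                current.dport = int(value)
            elif key == "src":  # FortiOS form: "<address> <netmask>"
                ip, mask = value.split()
                current.src = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return policies


def evaluate(policies: List[Policy], src_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, id of the matching policy); id is None if nothing matched."""
    ip = ipaddress.IPv4Address(src_ip)
    for p in policies:
        if p.dport is not None and p.dport != dport:
            continue
        if p.src is not None and ip not in p.src:
            continue
        return (p.action or DEFAULT_ACTION), p.pid
    return "accept", None  # implicit accept: no policy matched


def open_to_anyone(policies: List[Policy], ports: List[int]) -> List[int]:
    """Ports an arbitrary outside source (here TEST-NET-3) can still reach."""
    return [port for port in ports if evaluate(policies, "203.0.113.10", port)[0] == "accept"]


POLICIES = parse_local_in(LOCAL_IN_CONFIG)

if __name__ == "__main__":
    for ip, port in [("10.200.5.7", 443), ("10.200.64.1", 443),
                     ("203.0.113.10", 80), ("10.200.5.7", 22)]:
        print(f"{ip}:{port} -> {evaluate(POLICIES, ip, port)}")
    # SSH (22) and FGFM (541) have no catch-all deny, so they stay reachable.
    print("still open to any source:", open_to_anyone(POLICIES, [22, 80, 443, 541]))
```

Running it shows 10.200.64.1, which sits just outside the 10.200.0.0/19 range, being denied by entry 9, while port 22 from any address is still accepted because no entry covers it. `open_to_anyone` is the quick check that your catch-all deny entries cover every port you intended to lock down; add the extra ports to that list and extend the configuration until it returns an empty list for the ports you care about.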