google · pc48m8n1 · Oct 28, 2024 · Oct 29, 2024 · Nov 6, 2024 · Nov 8, 2024
diff --git a/capirca/lib/fortigate.py b/capirca/lib/fortigate.py
@@ -677,8 +677,12 @@ def __str__(self):
       self._term.comment += [f"Owner: {self._term.owner}"]
     if self._term.comment and self._term.verbose:
        lines += [f'{_SP * 2} set comments "{self._obj_container.fix_comment_length((" ").join(self._term.comment))}"']
-    lines += [f"{_SP * 2} set srcintf {self._term.source_interface or 'any'}"]
-    lines += [f"{_SP * 2} set dstintf {self._term.destination_interface or 'any'}"]
+    # fortigate local-in policy exception
+    if self._term.destination_interface and not self._term.source_interface:
+      lines += [f"{_SP * 2} set intf {self._term.destination_interface or 'any'}"]
+    else:
+      lines += [f"{_SP * 2} set srcintf {self._term.source_interface or 'any'}"]
+      lines += [f"{_SP * 2} set dstintf {self._term.destination_interface or 'any'}"]      
     exist_src6 = False
     exist_dst6 = False
     if isinstance(dest_addresses, list):

diff --git a/policies/pol/sample_fortigate_localin.pol b/policies/pol/sample_fortigate_localin.pol
@@ -27,7 +27,6 @@ term customers-policy {
 }
 
 term customers-policy2 {
-  source-interface:: port2
   destination-interface:: port1
   source-address:: INTERNAL
   source-port:: SMTP

diff --git a/policies/pol/sample_fortigate_localin_ipv6.pol b/policies/pol/sample_fortigate_localin_ipv6.pol
@@ -3,7 +3,6 @@ header {
 }
 
 term accept-https-requests-v6{
-  source-interface:: loopback-1
   destination-interface:: loopback-1
   source-address:: HTTP-PROXY6-NETS
   destination-address:: REGIONAL-LOOPBACKS6
@@ -14,7 +13,6 @@ term accept-https-requests-v6{
 }
 
 term accept-ssh-requests-v6{
-  source-interface:: loopback-1
   destination-interface:: loopback-1
   source-address:: SSH-RELAY6-NETS
   destination-address:: REGIONAL-LOOPBACKS6
@@ -25,7 +23,6 @@ term accept-ssh-requests-v6{
 }
 
 term accept-snmp-requests-v6{
-  source-interface:: loopback-1
   destination-interface:: loopback-1
   source-address:: SNMP-SERVER6-NETS
   destination-address:: REGIONAL-LOOPBACKS6
@@ -36,7 +33,6 @@ term accept-snmp-requests-v6{
 }
 
 term accept-bgp-to-loopbacks-v6{
-  source-interface:: loopback-2
   destination-interface:: loopback-2
   source-address:: REGIONAL-LOOPBACKS6
   destination-address:: REGIONAL-LOOPBACKS6
@@ -47,7 +43,6 @@ term accept-bgp-to-loopbacks-v6{
 }
 
 term accept-esp-ah-tunnel-wan1-v6{
-  source-interface:: x1.15
   destination-interface:: x1.15
   source-address:: P2P-RANGE6
   destination-address:: ANY_V6
@@ -58,7 +53,6 @@ term accept-esp-ah-tunnel-wan1-v6{
 }
 
 term accept-ike-tunnel-wan1-v6{
-  source-interface:: x1.15
   destination-interface:: x1.15
   source-address:: P2P-RANGE6
   destination-address:: ANY_V6
@@ -69,7 +63,6 @@ term accept-ike-tunnel-wan1-v6{
 }
 
 term accept-esp-ah-tunnel-wan2-v6{
-  source-interface:: x3.1
   destination-interface:: x3.1
   source-address:: P2P-RANGE6
   destination-address:: ANY_V6
@@ -80,7 +73,6 @@ term accept-esp-ah-tunnel-wan2-v6{
 }
 
 term accept-ike-tunnel-wan2-v6{
-  source-interface:: x3.1
   destination-interface:: x3.1
   source-address:: P2P-RANGE6
   destination-address:: ANY_V6
@@ -91,7 +83,6 @@ term accept-ike-tunnel-wan2-v6{
 }
 
 term accept-bgp-wan-v6{
-  source-interface:: x6.15
   destination-interface:: x6.15
   source-address:: ANY_V6
   destination-address:: ANY_V6
@@ -102,7 +93,6 @@ term accept-bgp-wan-v6{
 }
 
 term accept-fgm-v6{
-  source-interface:: x6.15
   destination-interface:: v6.15
   source-address:: REGIONAL-FGMS6
   destination-address:: ANY_V6
@@ -113,7 +103,6 @@ term accept-fgm-v6{
 }
 
 term accept-test-v6{
-  source-interface:: x6.15
   destination-interface:: v6.15
   source-address:: REGIONAL-FGMS6
   destination-address:: ANY_V6