Yes, this can be done on the gateway. If it was only one service policy, then you can go to Tasks->Manage Listen Ports and tie a specific service to a specific interface/port. If there are multiple services, then adding a policy fragment to the specific service policies that need to be restricted can be done. The policy can check the value of the variables ${request.tcp.localPort} and ${request.tcp.localIP} to determine which IP/port the request arrived at and reject it if it did not come from the internal interface.