Create a Function Profile
A Functional Profile defines the template for the service(s) to be deployed, such as L4-L7 device interface IP addresses, Rule ID, object addresses, policy rules, source/destination ports, etc.
Create Functional Profile Group
Remove Functional Profile Group
To remove a Functional Profile Group, navigate to Tenant > L4-L7 Services > Functional Profiles, right-click the Functional Profile Group name listed in the left-hand panel, and select the Delete option.
Create a Function Profile
Create Functional Profile
- Under the Functional Profile Group created above, right-click and select Create L4-L7 Service Functional Profile.
- Enter the Functional Profile Name, leave the Copy Existing Profile Parameters option checked, and select Profile: Fortinet-FGAPIC-1.0/Basic-Firewall-Policy.
Remove Functional Profile
To remove a Functional Profile, navigate to Tenant > L4-L7 Services > Functional Profiles > profile name listed in the left-hand panel and select the Delete option.
VDOMs
- Enter the VDOM name under the Name column and check the box under the Locked column.
- The Locked column locks the field so that it cannot be modified after the service graph is deployed. In this case, we do not want to change the mode of the VDOM from L2 to L3 or vice versa. This is a limitation for the moment, since changing the VDOM mode requires removing the original VDOM deployment and redeploying with the new mode.
Device Network
Device Network defines the physical interface information. It is not required for transparent mode, so you can enter dummy information in the fields. All the fields follow the same layout as seen in the FortiGate interface.
The default populated port names are “port11” and “port12”; change them as needed by double-clicking the name field. The rest of the fields highlighted in green below need to be updated.
Firewall Objects
The Firewall Objects field is pre-populated with default objects from FortiGate. Note that you need to select the “All Parameters” field in order to see the full list of default objects. If you want to customize objects, click the + icon to add them; otherwise, move on to the next feature.
Firewall objects include Address objects, Service objects and Schedule objects. These objects can be used in policy rules. For this release, the service object supports TCP, UDP, SCTP, ICMP and IP only.
The screen shot below helps explain the customized Firewall Service.
Field | Description |
Firewall Service Field | Enter the name for the Firewall Service |
Port Range | If you have more port ranges to define, click the “+” icon on the left to add an additional Port Range field. |
Dst/Src Port for TCP/UDP/SCTP | Select your protocol from the drop-down list: “TCP”, “UDP” or “SCTP” |
TCP/UDP/SCP – Dst Port Range Max [0-65535] | Upper range of the Destination port range |
TCP/UDP/SCP – Dst Port Range Min [0-65535] | Lower range of the Destination port range |
TCP/UDP/SCP – Src Port Range Max [0-65535] | Upper range of the Source port range |
TCP/UDP/SCP – Src Port Range Min [0-65535] | Lower range of the Source port range |
Category | Select your Category from the drop-down list |
ICMP –code [0-255] | Part of the ICMP entry if your service relates to ICMP |
ICMP –port [0-255] | Part of the ICMP entry if your service relates to ICMP |
IP – Protocol Number [0-254] | If the service relates to IP, this is where you define the protocol number, if any |
Protocol Type (TCP/UDP/SCP, ICMP, IP) | Select the desired protocol type from the drop-down list |
Firewall Policy Rule
Firewall Rule is where we define the policies on FortiGate. There are 2 default rules pre-populated. You can modify the 2 default rules or add additional rules by clicking the + icon.
Rule ID:
Rule ID defines the order in which the rules will be applied to FortiGate. Rules with a lower rule number are listed first. The Locked icon is used to lock this field, or any other field in the template, so that it cannot be modified.
Rule Policy Fields
All the fields:
- Action
- Destination Address Name
- Incoming Interface
- NAT
- Outcoming Interface
- Service
- Source Address Name
- Schedule List Name
are pre-populated from the basic template; you can set their values by selecting from the drop-down menu under the Value column.
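A pre-submit check for the service and rule values described above, as an added example that is not part of the original guide or of the Fortinet device package: it checks service objects against the documented ranges, flags rules that reuse a Rule ID or reference an undefined service, and returns the rules in Rule ID order. The dict keys and the sample data are assumptions made for illustration.

```python
# Added example: the dict layout is hypothetical, not the APIC or FortiGate data model.
LIMITS = {"port": (0, 65535), "icmp": (0, 255), "ip_protocol": (0, 254)}
PROTOCOL_TYPES = {"TCP/UDP/SCTP", "ICMP", "IP"}

def in_range(value, kind):
    lo, hi = LIMITS[kind]
    return isinstance(value, int) and lo <= value <= hi

def check_service(svc):
    """Return a list of problems found in one Firewall Service object."""
    name, ptype, problems = svc["name"], svc.get("protocol_type"), []
    if ptype not in PROTOCOL_TYPES:
        return [f"{name}: unsupported protocol type {ptype!r}"]
    if ptype == "TCP/UDP/SCTP":
        for rng in svc.get("port_ranges", []):
            for side in ("dst", "src"):  # an omitted side defaults to the full range
                lo, hi = rng.get(f"{side}_min", 0), rng.get(f"{side}_max", 65535)
                if not (in_range(lo, "port") and in_range(hi, "port")):
                    problems.append(f"{name}: {side} port outside 0-65535")
                elif lo > hi:
                    problems.append(f"{name}: {side} min {lo} > max {hi}")
    elif ptype == "ICMP":
        for field in ("icmp_code", "icmp_port"):
            if field in svc and not in_range(svc[field], "icmp"):
                problems.append(f"{name}: {field} outside 0-255")
    elif not in_range(svc.get("ip_protocol", 0), "ip_protocol"):
        problems.append(f"{name}: IP protocol number outside 0-254")
    return problems

def check_profile(services, rules):
    """Validate services and rules; return (rules sorted by Rule ID, problems)."""
    problems = [p for s in services for p in check_service(s)]
    known = {s["name"] for s in services}
    seen = set()
    for rule in rules:
        if rule["rule_id"] in seen:
            problems.append(f"duplicate Rule ID {rule['rule_id']}")
        seen.add(rule["rule_id"])
        if rule["service"] not in known:
            problems.append(f"rule {rule['rule_id']}: unknown service {rule['service']!r}")
    return sorted(rules, key=lambda r: r["rule_id"]), problems

SERVICES = [  # constructed sample input
    {"name": "web", "protocol_type": "TCP/UDP/SCTP", "port_ranges": [{"dst_min": 443, "dst_max": 443}]},
    {"name": "bad-range", "protocol_type": "TCP/UDP/SCTP", "port_ranges": [{"dst_min": 9000, "dst_max": 8000}]},
]
RULES = [{"rule_id": 20, "service": "ssh"}, {"rule_id": 10, "service": "web"}]
ORDERED, PROBLEMS = check_profile(SERVICES, RULES)
print(*PROBLEMS, sep="\n")
```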
Static Router
For the current release, only Static Route is supported. You have to manually input all parameters for the static route configuration.
Dynamic Router
Not supported in the current release.
Review
All Field displays all the fields in the features listing. If you are satisfied with all your inputs, click the Submit button to complete the creation of the Functional Profile template.