Administration Guide

L3 firewall profiles

Layer 3 firewall rules provide granular access control of client traffic in your wireless network. An L3 firewall profile allows or denies traffic between wireless clients based on the configured source and destination IP addresses/ports and specific protocols. The L3 firewall profile must be assigned to an SSID profile.

To view access control lists:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to AP Manager > Protection Profiles > L3 Firewall Profiles.

    The following options are available in the toolbar and right-click menu:

    • Create New: Create a new access control list.
    • Edit: Edit the selected access control list.
    • Delete: Delete the selected access control list.
    • Clone: Clone the selected access control list.
    • Where Used: View where the selected access control list is used.
    • Import: Import access control lists from a connected FortiGate (toolbar only).

To create access control lists:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to AP Manager > Protection Profiles > L3 Firewall Profiles.
  3. In the toolbar, click Create New.

    The Create New Access Control List pane opens.

  4. Enter the following information:

    Name: Type a name for the access control list.

    Comment: Optionally, enter comments.

    Layer 3 IPv4 Rules

    Click Create New to define access control rules for IPv4 addresses in layer 3.

    Select the following, then click OK:

    • Rule ID: Enter an ID for the rule.
    • Comments: Optionally, enter a description.

    • Source Address: Enter the source IP address.

    • Source Port: Enter the source port.

    • Destination Address: Enter the destination IP address.

    • Destination Port: Enter the destination port.

    • Protocol: Enter the protocol.

    • Action: Select the policy action. Select Allow or Deny to allow or deny traffic matching the policy.

    Layer 3 IPv6 Rules

    Click Create New to define access control rules for IPv6 addresses in layer 3.

    Select the following, then click OK:

    • Rule ID: Enter an ID for the rule.

    • Comments: Optionally, enter a description.

    • Source Address: Enter the source IP address.

    • Source Port: Enter the source port.

    • Destination Address: Enter the destination IP address.

    • Destination Port: Enter the destination port.

    • Protocol: Enter the protocol.

    • Action: Select the policy action. Select Allow or Deny to allow or deny traffic matching the policy.

  5. Click OK to create the new access control list.
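A pre-entry check for a planned rule list, as an added example (not Fortinet code): it validates each rule's fields against the IPv4 or IPv6 table it is destined for and flags Allow/Deny pairs whose match criteria overlap, since the outcome for such traffic depends on an evaluation order this page does not state. The `Rule` model, the use of `None` for "any", numeric protocol values and the sample rules are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Rule:  # fields mirror the rule dialog; None meaning "any" is an assumption
    rule_id: int
    src: str
    dst: str
    action: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    protocol: Optional[int] = None  # IP protocol number (assumed input format)

def validate(rule, family):
    """Problems with one rule destined for the IPv4 (4) or IPv6 (6) table."""
    problems = []
    for name in ("src", "dst"):
        try:
            if ip_network(getattr(rule, name)).version != family:
                problems.append(f"{name} is not IPv{family}")
        except ValueError:
            problems.append(f"{name} is not a valid address or prefix")
    for name, top in (("sport", 65535), ("dport", 65535), ("protocol", 255)):
        value = getattr(rule, name)
        if value is not None and not 0 <= value <= top:
            problems.append(f"{name} out of range")
    if rule.action not in ("allow", "deny"):
        problems.append("action must be allow or deny")
    return problems

def _overlap(a, b):  # True when some packet could match both rules
    same = lambda x, y: x is None or y is None or x == y
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and all(same(getattr(a, f), getattr(b, f)) for f in ("sport", "dport", "protocol")))

def audit(rules, family):  # invalid rules plus overlapping allow/deny pairs
    invalid = {r.rule_id: p for r in rules if (p := validate(r, family))}
    valid = [r for r in rules if r.rule_id not in invalid]
    conflicts = [(a.rule_id, b.rule_id) for a, b in combinations(valid, 2)
                 if a.action != b.action and _overlap(a, b)]
    return {"invalid": invalid, "conflicts": conflicts}

PLANNED_V4 = [  # constructed sample using a documentation address range
    Rule(1, "198.51.100.0/24", "198.51.100.0/24", "deny"),
    Rule(2, "198.51.100.15", "198.51.100.50", "allow", dport=443, protocol=6),
    Rule(3, "198.51.100.0/24", "2001:db8::/64", "deny", dport=70000),
]
```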

You can edit, delete, clone and import existing profiles, as well as see where the profile is being used.

To edit a profile:
  1. Select the profile to edit.
  2. In the toolbar, click Edit.

    Alternatively, you can right-click the profile and select Edit, or double-click a profile.

  3. Edit the settings as required.
  4. Click OK to apply your changes.

To delete profiles:
  1. Select the profile(s) to be deleted.
  2. In the toolbar, click Delete.

    Alternatively, right-click the profile and select Delete.

  3. Click OK.

To clone a profile:
  1. Select a profile in the list.
  2. In the toolbar, click Clone.

    Alternatively, right-click a profile and select Clone.

  3. Edit the name of the profile, then edit the remaining settings as required.
  4. Click OK to clone the profile.

To import a profile:
  1. In the toolbar, click Import.

    The Import dialog opens.

  2. From the FortiGate dropdown, select a device. The list will include all of the devices in the current ADOM.
  3. From the Profiles dropdown, select a profile.
  4. Click OK.

To view where a profile is used:
  1. Select the profile.
  2. In the toolbar, click More > Where Used.

    Alternatively, you can right-click the profile and select Where Used.

    The Where <profile name> is used pane opens.

  3. Click Close.
