For those interested, I'm in the process of implementing a TOSCA template for the initial deployment and configuration of a Fortigate VNF in Openstack. It uses a couple of borrowed Cloudify plugins: one for Openstack itself ( https://github.com/cloudify-cosmo/cloudify-openstack-plugin), and one for the terminal plugin (part of the Cloudify incubator "utilities" project ( https://github.com/cloudify-incubator/cloudify-utilities-plugin).
The basic idea is that a network and router is created with public access, and a private network with no direct public access. In between is the Fortigate firewall VNF that controls access to instances running on the private network. The initial template just sets up the VNF and networks. The next template (TBD) will deploy a service on the private network and reconfigure the firewall to allow access via port forwarding. This is very much a work in progress (the VNF configuration isn't quite working yet): https://github.com/dfilppi/fortigate-tosca-example
