- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 100D: configuring DMZ
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 100D: configuring DMZ
Hi, I'm new of this forum and of fortinet device. I have to install a Web server on GNU/linux zentyal 6 in a network managed by a fortinet fortigate 100D v6.0.5 build0268 firewall with DNS and active directory provided by Windows server 2016 machines. I followed this guide https://cookbook.fortinet...eb-server-with-dmz-54/ about how to setup a DMZ for the Web server. The only thing that is different in my configuration compared to the guide is that I'm using a DMZ port on the firewall instead of port3 as interface. So I have LAN on 10.0.0.0/16 network, DMZ on 10.10.10.0/24 networks (Web server with fixed internal IP 10.10.10.2/24, gateway 10.10.10.1 and DMZ with fixed external IP) and fortinet on 10.10.10.1 (DNS and active directory on LAN). At the moment, I can execute ping from firewall toward Web server and the opposite. While I'm not able to reach the Web server both from internal LAN and external network. Moreover, I cannot reach Internet from my Web server (I have to investigate if it could be a DNS problem). What am I missing? Thank you
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have firewall policies for LAN-DMZ? You need this for DNS for example. Do you have ICMP in the policy INTERNET-DMZ or only HTTP, HTTPS? Don't leave ICMP in the production. Limit the number of protocols to minimum.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On your post you mentionned that Webserver ip is 10.10.10.2 and Gateway 10.10.10.2. Do I understand correctly?
What is the IP of DMZ port of your Fortigate? This ip should be the default gateway of your server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
julien.lacava wrote:On your post you mentionned that Webserver ip is 10.10.10.2 and Gateway 10.10.10.2. Do I understand correctly?
Thank you, I corrected my post. The gateway of the Web server is 10.10.10.1.
julien.lacava wrote:How can I check it? I assigned a subnet 10.10.10.0/24 to the DMZ interface and so I think it should be 10.10.10.1.What is the IP of DMZ port of your Fortigate? This ip should be the default gateway of your server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I followed exactly the guide reported on the link. So you are right in order to obtain a DNS via DHCP I need a link between DMZ and my LAN where is the DHCP server. However, I prefer to setup a manual DNS on the Web server in order to maintain the DMZ and LAN isolated.
At the moment I enabled ICMP for testing functionality.
What is missing on fortigate side? Do you think that it is ok and I have to change something into the Web server?
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post a copy of your configuration and also tell me what is working and what is not?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
julien.lacava wrote:Hi,Can you post a copy of your configuration and also tell me what is working and what is not?
it is working all except the DMZ. I have to install a Web server that works if I leave out of firewall, while it does not work inside DMZ created by fortinet as described before.
Do you need the configuration file of the fortinet? Can I post it here?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
erotavlas wrote:The gateway of the Web server is 10.10.10.1.
How can I check it? I assigned a subnet 10.10.10.0/24 to the DMZ interface and so I think it should be 10.10.10.1.
Can you confirm you set 10.10.10.1/24 IP on the DMZ interface? -> 'show system interface'
Do you have policy for traffic between LAN<->DMZ?
When you post your config remove public IP.
Related Posts
- FortiClient IPSec VPN keeps connecting to... 44 Views
- How to Migrate VLANs to Virtual... 249 Views
- Configuring security profiles Fortigate 472 Views
- Fortigate with Mikrotik Site to site... 382 Views
- firmware 201 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.