Support Forum
gohgss
New Contributor

DMZ Configuration

Hello,

Is there anyone who can share the DMZ setup on a FortiGate (201E)?

Do I need to trunk the interface port and create a VLAN for this on the switch?

I'd appreciate your reply on this.
ede_pfau
Esteemed Contributor III

A DMZ is a LAN segment like any other, with one exception: "regard the DMZ as hacked".

That is, no policies from DMZ to LAN!

For instance, if you need to synchronize data between a server on your LAN and a server in DMZ, you do not pull the data from the DMZ server. Instead, you push data from LAN to DMZ (with appropriate policy).


Whether you create a DMZ on a physical or a virtual port doesn't matter.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
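A concrete FortiOS CLI layout that follows the rule in the reply above (push from LAN to DMZ, nothing initiated from DMZ to LAN), added here as an example; it is not taken from any poster's configuration. It assumes the DMZ is carried as VLAN 10 over a trunk on port2 (if the DMZ has its own physical port with an access port on the switch, as the original poster did, skip the VLAN sub-interface and use the physical port name instead), existing `lan` and `wan1` interfaces, and the interface, address and policy names and IP addresses shown, which are all constructed. The explicit logged deny from DMZ to LAN is optional, because FortiOS already drops traffic that no policy accepts, but it makes such attempts visible in the traffic log.

```fortios
# DMZ as a VLAN sub-interface on port2 (switch side: trunk carrying VLAN 10)
config system interface
    edit "dmz_vlan10"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
        set role dmz
        set interface "port2"
        set vlanid 10
    next
end

# Address objects: the one DMZ server and the one LAN host allowed to push to it
config firewall address
    edit "dmz_web_srv"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "lan_sync_host"
        set subnet 10.0.0.20 255.255.255.255
    next
end

# Map a public IP to the DMZ server, only on TCP/443
config firewall vip
    edit "vip_dmz_web"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.0.2.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Internet -> DMZ: only the published service, via the VIP
    edit 10
        set name "wan_to_dmz_web"
        set srcintf "wan1"
        set dstintf "dmz_vlan10"
        set srcaddr "all"
        set dstaddr "vip_dmz_web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # LAN -> DMZ: one host, one server, one service (the "push" direction)
    edit 11
        set name "lan_push_to_dmz"
        set srcintf "lan"
        set dstintf "dmz_vlan10"
        set srcaddr "lan_sync_host"
        set dstaddr "dmz_web_srv"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # DMZ -> LAN: no accept policy at all; this logged deny only makes attempts visible
    edit 12
        set name "deny_dmz_to_lan"
        set srcintf "dmz_vlan10"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

No NAT is set on the LAN-to-DMZ policy because both sides are behind the same FortiGate; the DMZ server sees the real LAN source address, which keeps the log entry and any host-based restrictions on the server meaningful.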
gohgss

I have configured it as an access port on the switch that connects to the FW interface.

Just trying to find out the best practice for DMZ configuration.

CHR57
New Contributor III

If you have something like a web server in the DMZ that acts as a front end and then redirects external traffic to an internal site, you have to have DMZ to LAN. It's hard to get real-time data pushed to the DMZ.

Right?

CR
ede_pfau
Esteemed Contributor III

@CHR57

I stated the 'ideal' situation for a DMZ. In your case you might be able to process the data in the DMZ, with data coming in from the LAN. YMMV and often the strict uni-directional layout has to be broken in reality.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vishalv16

I have set up the DMZ in my company directly on a firewall port with a totally different IP range (you can connect a switch to it and use as many systems as you like). This way it will be separate from your local network. Make the necessary policies as required. Note: we have mapped the DMZ local IP to a public IP; also, only a few IPs from the IT team have been given access to the DMZ local IP. Regards, Vishal

FGT100E, FGT100D, FGT300C, FGT300E; FortiOS 5.2, 5.4, 5.6, 6.0, 6.0.2 and 6.2
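The two rules that run through this thread (no accept policy from the DMZ into the LAN, and LAN-to-DMZ access limited to a few named hosts and services) can be checked mechanically against a policy backup. The script below is an added audit example, not a Fortinet tool and not code from any poster: it parses a constructed `config firewall policy` dump in FortiOS backup syntax and reports every accept policy that opens DMZ to LAN, or that opens LAN to DMZ with `all` as source, destination or service. The interface names `dmz` and `lan`, the policy names and the addresses are assumptions.

```python
"""Audit a FortiOS 'config firewall policy' dump for DMZ-to-LAN exposure.
Constructed example, not a Fortinet tool: the interface names "dmz" and "lan"
and the sample policies below are assumptions, not taken from any poster."""
import shlex

# Constructed policy dump in FortiOS backup syntax (only the keys the audit needs).
SAMPLE_POLICY_DUMP = """\
config firewall policy
    edit 10
        set name "wan_to_dmz_web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip_dmz_web"
        set action accept
        set service "HTTPS"
    next
    edit 11
        set name "lan_push_to_dmz"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "lan_sync_host"
        set dstaddr "dmz_web_srv"
        set action accept
        set service "SSH"
    next
    edit 12
        set name "dmz_to_lan"
        set srcintf "dmz"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 13
        set name "lan_any_to_dmz"
        set srcintf "lan" "wifi"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 14
        set name "logged_deny_dmz_to_lan"
        set srcintf "dmz"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set logtraffic all
    next
end
"""

def parse_policies(text):
    """Parse 'edit N ... set key values ... next' entries into dicts {key: [values]}."""
    policies, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the double quotes FortiOS uses
        if not tokens:
            continue
        if tokens[0] == "edit" and current is None:
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def _touches(ifaces, wanted):
    """True if the policy's interface list hits any wanted interface ('any' hits all)."""
    return "any" in ifaces or bool(set(ifaces) & set(wanted))

def audit(policies, dmz_ifaces=("dmz",), lan_ifaces=("lan",)):
    """Return (policy id, name, reason) for each accept policy that breaks the DMZ rule."""
    findings = []
    for p in policies:
        if p.get("action", ["deny"])[0] != "accept":
            continue                        # deny policies never open a path
        src, dst = p.get("srcintf", []), p.get("dstintf", [])
        name = p.get("name", [""])[0]
        if _touches(src, dmz_ifaces) and _touches(dst, lan_ifaces):
            findings.append((p["id"], name, "DMZ->LAN accept: a compromised DMZ host could reach the LAN"))
        elif _touches(src, lan_ifaces) and _touches(dst, dmz_ifaces):
            broad = ("all" in p.get("srcaddr", []) or "all" in p.get("dstaddr", [])
                     or "ALL" in p.get("service", []))
            if broad:
                findings.append((p["id"], name, "LAN->DMZ accept not restricted to specific hosts and services"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in audit(parse_policies(SAMPLE_POLICY_DUMP)):
        print(f"policy {pid} ({name}): {reason}")
```

Run against a real backup, point `parse_policies` at the `config firewall policy` section of the exported file and pass your own DMZ and LAN interface names to `audit`; a policy whose `srcintf` is `any` is treated as matching the DMZ, since on FortiOS `any` includes every interface.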