marvine
New Contributor

DMZ dont get internet

Hi Guys,

I configured my FortiGate 30E to also have a DMZ network on port 4. I used all the information I could get on the internet.

From the normal LAN network I can ping the DMZ 10.10.10.1 or the webserver 10.10.10.2.

From the webserver itself I cannot ping the inside network 192.168.1.110 (other server) or the FortiGate 192.168.1.99, so that's how it's supposed to be.

I use the following network settings, see attachment.

Hope someone can help me or let me see the fault.

Sincerely, Marvin

marvine
New Contributor

Any ideas where it goes wrong? I can't build the network now.

Fullmoon

See to it that you have the correct firewall policy in place.

From Port 4 to LAN and vice versa, NAT should be disabled in the policy. Please keep in mind each machine on a different segment must have the correct default gateway.

To allow internet traffic from port 4 you should create a policy from Port 4 to WAN with NAT enabled.

Fortigate Newbie
marvine

"Please put in mind each machines on different segment must have correct default gateway."

 

I now use gateway 10.10.10.1 for the webserver. Should I be using another gateway?

And for more information, port 4 is physically connected to port 4 on the ESXi host.

See attachments for the IPv4 policy config.

Thanks for your input!

poundy

Seems like you have no policy permitting traffic from DMZ to WAN. You have policy #5 that permits traffic from WAN to DMZ, and given your default gateway config you should be able to see your webserver from the WAN and have return traffic work, you just don't have a policy to let traffic initiated from DMZ out (to either WAN or LAN).

FortiLearner
New Contributor III

poundy wrote:

Seems like you have no policy permitting traffic from DMZ to WAN. You have policy #5 that permits traffic from WAN to DMZ, and given your default gateway config you should be able to see your webserver from the WAN and have return traffic work, you just don't have a policy to let traffic initiated from DMZ out (to either WAN or LAN).

Agreed, there is no policy from DMZ to the admin (WAN) interface.

This traffic is currently hitting the implicit deny policy.
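The policies Fullmoon describes and poundy and FortiLearner confirm are missing, written out as FortiOS CLI so the DMZ-to-WAN rule (NAT on) and the LAN-to-DMZ rule (NAT off) can be compared, followed by the flow debug that shows which policy a packet from the webserver actually matches. This is an added example, not configuration from the thread; the interface names port4, lan and wan, the address object names and the service lists are assumptions.

```text
# Added example, not from the thread. Assumed interface names: port4 (DMZ), lan, wan.
config firewall address
    edit "DMZ_net"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "LAN_net"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    # DMZ -> WAN: the policy the thread found missing. NAT on, so 10.10.10.x
    # leaves with the WAN address. Service list is a placeholder: keep it to
    # what the webserver really needs instead of ALL.
    edit 0
        set name "DMZ-to-WAN"
        set srcintf "port4"
        set dstintf "wan"
        set srcaddr "DMZ_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
    # LAN -> DMZ: NAT off, as Fullmoon says, so the DMZ host logs the real
    # 192.168.1.x source. Limited to the services admins actually use.
    edit 0
        set name "LAN-to-DMZ"
        set srcintf "lan"
        set dstintf "port4"
        set srcaddr "LAN_net"
        set dstaddr "DMZ_net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set nat disable
        set logtraffic all
    next
end
# Deliberately no DMZ -> LAN policy: the webserver still hits the implicit
# deny (policy 0) toward 192.168.1.x, which is what the original post wants.
# Check which policy a flow from the webserver matches (policy 0 = implicit deny):
diagnose debug flow filter saddr 10.10.10.2
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from the webserver, then:
diagnose debug disable
diagnose debug flow filter clear
```

Policies are matched top-down, first match wins, and `edit 0` appends at the bottom, so check the policy order in the GUI if a broader rule above these would catch the traffic first.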

marvine

It's that simple, stupid me.

Are there any recommendations about optimal security?

poundy

Yes. Only build rules you actually need, not ones you don't, and only enable services to/from devices you require to have that traffic.

So no, there's no rule book here; it's necessary for you to do what you need, and I'd say it's beyond the simple guidance you'll get on a forum like this.
