DMZ functionality

Author
AlexDragos
New Member
2020/08/03 08:13:25

DMZ functionality

Hello everyone,
       I am new to working with firewalls. I took some online classes and learned to do small activities, like filtering traffic from the web. But now I face a problem: I need to set up a DMZ (on a FortiGate 50E) with a particular action - Remote Desktop Gateway.
I mention from the start that I know how to configure the PCs already, for RD Gateway as well. However, I am facing issues with the traffic between networks. The setup cannot be changed to a simpler version; you can see the layout attached to this topic.
  Host PC: 50.2.2.40/16 Gateway: 50.2.2.100
  DMZ PC: 50.4.1.1/24 Gateway: 50.4.1.100
  Client PC: 10.10.30.1/24 Gateway 10.10.30.100
 
  Firewall P1: 50.2.2.100/16 Internal Network - configured as Interface/hardware switch
  Firewall P2: 50.4.2.100/24 DMZ Network - configured as Interface/hardware switch
  Firewall P3: 10.10.30.100/24 External Network - configured as Interface/hardware switch
 
  I am configuring traffic from Internal to DMZ with port 3389 open. Also External to DMZ with port 3389. I cannot make a connection from External to DMZ or Internal to DMZ. I tried with all ports open and all available services. I cannot even get a ping from internal/external to DMZ. So, no chance to go from Internal to External.
 Can someone help me to understand exactly what I am not doing or doing wrong? 
  Thanks for helping

Attached Image(s)

#1
Toshi Esumi
Expert Member
Re: DMZ functionality 2020/08/03 13:21:24 (marked helpful by AlexDragos 2020/08/05 04:45:19)
I'm assuming you're just testing your DMZ setup with a PC on the P3 interface/network. Are those 50.2/16 and 50.4.1/24 networks real subnets? It's unusual to have a public subnet inside while you have a DMZ network. Those seem to belong to two different ISPs.
 
Regardless, it's about policies you created for P3->P2 and P1->P2. Add 'ICMP_ALL' to the policies and sniff pinging packets at each interface.
 
#2
akabarasif
New Member
Re: DMZ functionality 2020/08/03 13:42:09 (marked helpful by AlexDragos 2020/08/05 04:52:40)
Hi,
First of all, enable ping on the interface if it is not enabled, for testing; otherwise the ping won't work.
Enable all-session logging on each policy so you can verify where it is blocking.
Make sure security policies are not blocking the traffic.
 
Make sure that you enable return traffic:
LAN -> DMZ
DMZ -> External
External -> DMZ
DMZ -> LAN
 
Enable all-session logging on all these policies to log and troubleshoot.
 
#3
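The two replies above turn on the same point: a stateful firewall accepts the reply packets of an allowed flow from its session table, but a flow that the DMZ host itself initiates (an ICMP echo from the DMZ PC to the LAN, for example) needs its own policy in that direction. The following simulator is an added example, not code from the thread or from Fortinet; it models zones and policies only, keys sessions by (source zone, destination zone, service) instead of the real 5-tuple, and uses the zone names and policy directions from the posts above as constructed input. Its log lines mimic what per-policy all-session logging would let you see.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One allow rule between two zones; services is a set of names, or {"ALL"}."""
    src_zone: str
    dst_zone: str
    services: frozenset


# Constructed to mirror the original post: only LAN->DMZ and External->DMZ
# allow rules exist, before any reverse-direction ("return") policies were added.
INITIAL_POLICIES = [
    Policy("LAN", "DMZ", frozenset({"RDP", "PING"})),
    Policy("External", "DMZ", frozenset({"RDP", "PING"})),
]

# The reverse-direction rules listed in reply #3 (DMZ->External, DMZ->LAN).
RETURN_POLICIES = INITIAL_POLICIES + [
    Policy("DMZ", "External", frozenset({"PING"})),
    Policy("DMZ", "LAN", frozenset({"PING"})),
]


class StatefulFirewall:
    """Simplified stateful matcher (assumption: zone-level sessions only).

    The first packet of a flow must match an allow policy; reply packets of an
    already-allowed flow are accepted from the session table without needing a
    policy in the reverse direction. Real firewalls key sessions by 5-tuple.
    """

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = set()  # (src_zone, dst_zone, service) of allowed flows
        self.log = []          # one line per packet, like an all-session policy log

    def _policy_allows(self, src, dst, service):
        return any(
            p.src_zone == src and p.dst_zone == dst
            and ("ALL" in p.services or service in p.services)
            for p in self.policies
        )

    def forward(self, src_zone, dst_zone, service):
        """Return True if the packet is accepted, False if it is dropped."""
        if (dst_zone, src_zone, service) in self.sessions:
            self.log.append(f"{src_zone}->{dst_zone} {service}: accept (reply on existing session)")
            return True
        if self._policy_allows(src_zone, dst_zone, service):
            self.sessions.add((src_zone, dst_zone, service))
            self.log.append(f"{src_zone}->{dst_zone} {service}: accept (new session via policy)")
            return True
        self.log.append(f"{src_zone}->{dst_zone} {service}: deny (no matching policy, no session)")
        return False


def demo():
    """Walk the cases discussed in the thread; returns (verdicts, log lines)."""
    fw = StatefulFirewall(INITIAL_POLICIES)
    verdicts = {
        "LAN->DMZ RDP (new flow)": fw.forward("LAN", "DMZ", "RDP"),
        "DMZ->LAN RDP (reply to that flow)": fw.forward("DMZ", "LAN", "RDP"),
        "DMZ->LAN PING (DMZ-initiated, no return policy)": fw.forward("DMZ", "LAN", "PING"),
        "LAN->External PING (no policy at all)": fw.forward("LAN", "External", "PING"),
    }
    fw_with_return = StatefulFirewall(RETURN_POLICIES)
    verdicts["DMZ->LAN PING (DMZ-initiated, with return policy)"] = (
        fw_with_return.forward("DMZ", "LAN", "PING")
    )
    return verdicts, fw.log + fw_with_return.log


if __name__ == "__main__":
    results, log_lines = demo()
    for line in log_lines:
        print(line)
```

Reading the log shows why adding "return" policies fixes DMZ-initiated traffic but cannot fix a LAN->DMZ ping that never matched in the first place: that one is either a policy problem on the forward direction or, as the thread later finds, routing.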
AlexDragos
New Member
Re: DMZ functionality 2020/08/03 13:54:22
This is for testing purposes in the first stage.
    In the real scenario it will be 172.17.XX.XX and 172.24.XX.XX instead of 50.2.XX.XX and 50.4.XX.XX.
    But now I realise that I only allowed traffic from Internal to DMZ and from External to DMZ. No return policy was in place. Maybe this is the issue. I will check ASAP.
   
 
#4
AlexDragos
New Member
Re: DMZ functionality 2020/08/03 13:57:37
Hi,
    Ping was enabled already, but return policies were not configured, only LAN to DMZ and External to DMZ. I will try and see what happens after that.
#5
AlexDragos
New Member
Re: DMZ functionality 2020/08/05 04:52:29
Ok,
  I made the return policies, but I'm still struggling. Now I have all services enabled on these policies, no restrictions, yet I fail to communicate between zones.
  I can Ping on the following routes: 
    Host PC (internal network) to Internal Interface of Firewall : OK
    Host PC (internal network) to anything else (DMZ interface or DMZ PC): FAIL
    DMZ PC (DMZ Network) to DMZ Interface : OK
    DMZ PC (DMZ Network) to Internal Interface of firewall : OK (strangely or correctly?)
    DMZ PC (DMZ Network) to External Interface of firewall : OK (strangely or correctly?)
    DMZ PC (DMZ Network) to Host PC (internal network) or to Client PC (External Network): FAIL
    Client PC (external network) to External Interface of Firewall : OK
    Client PC (external network) to anything else (DMZ interface or DMZ PC): FAIL
 
   How can I jump between zones, since I get stopped at the interface of the specific firewall zone?
   
    
#6
poundy
Silver Member
Re: DMZ functionality 2020/08/12 15:19:43
diag debug flow is your friend. You are clearly not hitting an allow rule, and looking at the debug will tell you more about the IP traffic. 
 
Are you using VIPs? Are your policies on the VIP or on the address object? 
 
Are you hitting routing issues? Do all your devices have the FGT interface IP as the default gateway?   
#7
AlexDragos
New Member
Re: DMZ functionality 2020/08/13 01:53:49
Hi, 
  It was a routing issue. I have managed to do it. Thanks for all the support I received here.
#8
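poundy's last question (does every device use the FortiGate interface IP as its default gateway, and is the firewall able to route back?) can be checked mechanically against the addresses given in the opening post. The script below is an added example, not code from the thread or from Fortinet; it takes the host and interface addresses exactly as posted (constructed input copied from post #1) and reports, per host, whether the default gateway sits inside the host's own subnet, whether some FortiGate interface actually holds that gateway address, and whether the FortiGate has a directly connected subnet to route replies back to. As posted, P2 is 50.4.2.100/24 while the DMZ PC is 50.4.1.1/24 with gateway 50.4.1.100, which is precisely the kind of mismatch this check flags; the thread does not say whether that was the exact routing error the author fixed.

```python
import ipaddress

# Addresses copied from the opening post of this thread (constructed input,
# not read from a live device). Host name -> (address/prefix, default gateway).
HOSTS = {
    "Host PC": ("50.2.2.40/16", "50.2.2.100"),
    "DMZ PC": ("50.4.1.1/24", "50.4.1.100"),
    "Client PC": ("10.10.30.1/24", "10.10.30.100"),
}

# FortiGate interface addresses as posted: P1 internal, P2 DMZ, P3 external.
FIREWALL_INTERFACES = {
    "P1": "50.2.2.100/16",
    "P2": "50.4.2.100/24",
    "P3": "10.10.30.100/24",
}


def gateway_on_link(host_cidr, gateway):
    """True if the host's default gateway lies inside the host's own subnet."""
    net = ipaddress.ip_interface(host_cidr).network
    return ipaddress.ip_address(gateway) in net


def interface_owning(fw_interfaces, address):
    """Name of the firewall interface configured with exactly this address, else None."""
    addr = ipaddress.ip_address(address)
    for name, cidr in fw_interfaces.items():
        if ipaddress.ip_interface(cidr).ip == addr:
            return name
    return None


def connected_interface(fw_interfaces, host_cidr):
    """Firewall interface whose connected subnet contains the host, else None.
    Without one, the firewall has no connected route for reply traffic."""
    host_ip = ipaddress.ip_interface(host_cidr).ip
    for name, cidr in fw_interfaces.items():
        if host_ip in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_host(name, host_cidr, gateway, fw_interfaces):
    """Return a list of routing findings for one host (empty list means OK)."""
    findings = []
    net = ipaddress.ip_interface(host_cidr).network
    if not gateway_on_link(host_cidr, gateway):
        findings.append(f"{name}: gateway {gateway} is outside its own subnet {net}")
    if interface_owning(fw_interfaces, gateway) is None:
        findings.append(f"{name}: no FortiGate interface holds the gateway address {gateway}")
    if connected_interface(fw_interfaces, host_cidr) is None:
        findings.append(f"{name}: FortiGate has no connected route back to {net}")
    return findings


def check_topology(hosts=HOSTS, fw_interfaces=FIREWALL_INTERFACES):
    """Run check_host over every host; returns {host name: [findings]}."""
    return {
        name: check_host(name, cidr, gw, fw_interfaces)
        for name, (cidr, gw) in hosts.items()
    }


if __name__ == "__main__":
    for host, findings in check_topology().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the posted addresses, Host PC and Client PC come back clean, while DMZ PC gets two findings: no interface owns 50.4.1.100, and 50.4.1.0/24 is not connected to any FortiGate interface, so even a correct policy would never see a reply path. Either the P2 address or the DMZ PC's address and gateway has to change so that both sit in the same /24.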