AlexDragos
New Member
August 3, 2020
Solved

DMZ functionality

  • August 3, 2020
  • 3 replies
  • 12040 views

Hello everyone,

       I am new to working with firewalls. I took some online classes and learned to do small activities, like filtering traffic from the web. But now I face a problem: I need to set up a DMZ (on a Fortigate E-50) with a particular action: Remote Desktop Gateway.

I mention from the start that I know how to configure the PCs already, for RD Gateway as well. However, I am facing an issue with the traffic between networks. The setup cannot be changed to a simpler version; you can see the layout attached to this topic.

  Host PC: 50.2.2.40/16 Gateway: 50.2.2.100

  DMZ PC: 50.4.1.1/24 Gateway: 50.4.1.100

  Client PC: 10.10.30.1/24 Gateway 10.10.30.100

 

  Firewall P1: 50.2.2.100/16 Internal Network - configured as Interface/hardware switch

  Firewall P2: 50.4.2.100/24 DMZ Network - configured as Interface/hardware switch

  Firewall P3: 10.10.30.100/24 External Network - configured as Interface/hardware switch

 

  I am configuring traffic from Internal to DMZ with port 3389 open, and also External to DMZ with port 3389. I cannot make a connection from External to DMZ or from Internal to DMZ. I tried with all ports open and all available services. I cannot even get a ping from Internal/External to the DMZ. So, no chance to go from Internal to External.

 Can someone help me to understand exactly what I am not doing or doing wrong?

  Thanks for helping

    Best answer by akabarasif

    Hi,

    First of all, enable ping on the interface if it is not enabled, for testing; otherwise the ping won't work.

    Enable all session logging on each policy so you can verify where it is blocking.

    Make sure security policies are not blocking the traffic.

    Make sure that you enable return traffic:

    LAN -> DMZ

    DMZ -> External

    External -> DMZ

    DMZ -> LAN

    Enable all sessions on all these policies for logging and troubleshooting.
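As an added example that is not part of the thread, a FortiOS CLI fragment with the pieces the answer lists, using the addresses from the question: ping allowed on the DMZ interface, an address object for the RD Gateway host, a logged policy for each direction in which a session is opened, and the sniffer/flow-trace commands for seeing where packets stop. The interface names (internal, dmz, wan1) and the object and policy names are assumptions; a FortiGate is stateful, so a policy is required for the side that opens the session and reply packets are matched to that session automatically.

```fortios
# Let the DMZ interface itself answer ping, so reachability of the gateway address can be tested
config system interface
    edit "dmz"
        set allowaccess ping
    next
end

# Address object for the RD Gateway host in the DMZ (object name is an assumption)
config firewall address
    edit "RDGW_DMZ"
        set subnet 50.4.1.1 255.255.255.255
    next
end

# One policy per initiating direction, each with full session logging; replies need no reverse policy
config firewall policy
    edit 0
        set name "LAN_to_DMZ_RDP"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "RDGW_DMZ"
        set action accept
        set schedule "always"
        set service "RDP" "PING"
        set logtraffic all
    next
    edit 0
        set name "External_to_DMZ_RDP"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "RDGW_DMZ"
        set action accept
        set schedule "always"
        set service "RDP" "PING"
        set logtraffic all
    next
end

# While testing: sniff ICMP on every interface, then trace the policy lookup for packets to/from the DMZ host
diagnose sniffer packet any 'icmp' 4
diagnose debug flow filter addr 50.4.1.1
diagnose debug enable
diagnose debug flow trace start 10
```

One check worth doing before any policy work: as written in the question, the DMZ interface (50.4.2.100/24) is not in the DMZ PC's subnet (50.4.1.0/24, gateway 50.4.1.100), and with that mismatch no policy will help; the fragment assumes the interface really holds 50.4.1.100.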

     

    3 replies

    Toshi_Esumi
    SuperUser
    August 3, 2020

    I'm assuming you're just testing your DMZ setup with a PC on the P3 interface/network. Are those 50.2/16 and 50.4.1/24 networks real subnets? It's unusual to have a public subnet inside while you have a DMZ network. Those seem to belong to two different ISPs.

     

    Regardless, it's about policies you created for P3->P2 and P1->P2. Add 'ICMP_ALL' to the policies and sniff pinging packets at each interface.

     

    AlexDragos
    New Member
    August 3, 2020

    This is for testing purposes in the first stage.

    In the real scenario it will be 172.17.XX.XX and 172.24.XX.XX instead of 50.2.XX.XX and 50.4.XX.XX.

    But now I realise that I only allowed traffic from Internal to DMZ and from External to DMZ. No return policy was in place. Maybe this is the issue. I will check ASAP.

    AlexDragos
    New Member
    August 3, 2020

    Hi, ping was enabled already. But return policies were not configured; only LAN to DMZ and External to DMZ. I will try and see what happens after that.

      
