johnlee43
New Member
September 7, 2020
Question

Limitation on dmz hosts


I am setting up dmz zone on FG100E firmware v6.2.5build1142.

Is it true that only services like HTTP or HTTPS can be delivered to dmz hosts?

I need to open other ports like FTP, RDS for dmz hosts through Virtual IPs.

Is there any way?


    lobstercreed
    New Member
    September 7, 2020

    That is absolutely not true.  I think you might be looking at this guide or something?  https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/361386


    That simply shows one way of doing it that assumes you have only 1 public IP.  If that's the case, you could absolutely add additional port-forward VIPs the same way this guide suggests for 80/443 (HTTP/HTTPS) to open the other ports. 


    If you have multiple public IPs, you can do a non-port forwarding VIP (i.e. forward ALL ports to specific internal IP) and use that VIP as the destination, setting the services you want to allow for that server.  See this for an explanation: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38709
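A FortiOS CLI rendering of the two approaches lobstercreed describes (per-port VIPs on a single public IP, or a static 1:1 VIP with the policy's service list doing the limiting); this is an added example, not configuration from either reply or from Fortinet's guides, and the addresses, interface names and the choice of RDP as the "RDS" service are assumptions.

```text
# Option 1: single public IP, one port-forwarding VIP per exposed port.
# 203.0.113.10 / 10.10.10.5 are constructed addresses; wan1 / dmz are assumed interface names.
config firewall vip
    edit "vip-dmz-ftp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.5"
        set extport 21
        set mappedport 21
    next
    edit "vip-dmz-rdp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.5"
        set extport 3389
        set mappedport 3389
    next
# Option 2: a spare public IP, static 1:1 VIP (every port is forwarded);
# exposure is limited by the service list in the policy, not by the VIP.
    edit "vip-dmz-server"
        set extip 203.0.113.11
        set extintf "wan1"
        set mappedip "10.10.10.6"
    next
end

# Policy for option 2: only FTP and RDP reach the server although the VIP maps all ports.
config firewall policy
    edit 0
        set name "wan1-to-dmz-server"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-dmz-server"
        set action accept
        set schedule "always"
        set service "FTP" "RDP"
        set logtraffic all
    next
end
```

Option 1 needs the same kind of wan1-to-dmz policy with the two port-forward VIPs as dstaddr; in both options it is the policy's service list, not the VIP, that decides what is reachable, so keep it to the exact services the DMZ host must serve.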


    James_G
    New Member
    September 7, 2020

    No such limitations that I know of; you can push any traffic into a DMZ.


    If you should is another matter, but a virtual IP can forward any TCP / UDP based traffic.

    Yurisk
    SuperUser
    September 8, 2020

    The "DMZ" notion comes from home and low-cost SMB devices, like when you try to disable NAT and it is possible for the DMZ interface only. In FortiGates, DMZ is just a convenience name for an otherwise regular and equally capable interface, just like any other on the FortiGate device.