jcutrufello
New Member
August 21, 2021
Solved

Make webserver on DMZ publicly accessible

  • August 21, 2021
  • 2 replies
  • 6030 views

We have a client that has a new FortiGate 100F that they (and in turn we) need assistance to set up properly, since they're our only client using a DMZ.


We need 2 addresses available publicly: x.y.z.194, which we've set as the WAN1 address and added a VIP that's mapped to their 192.168.x.x mail server on the necessary ports. We also have a web server connected to the DMZ with a configured address of x.y.z.195. What do we have to configure to make the web server accessible on HTTP and HTTPS from the internet properly? I assume we'll need policy routes to allow traffic from the WAN to the DMZ, but I'm not sure how the DMZ port needs to be configured, or what other items need to be set. Unfortunately we can't do much testing since the FortiGate needs to be configured before replacing their current (non-FortiGate) firewall, so we're trying to get this as close to correct as possible.


2 replies

jcutrufello
New Member
August 23, 2021

Alternatively, is there a way to bypass NAT completely? In their current setup, they have a bridge between WAN1 and the DMZ to allow multiple public IPs to run through a single WAN port.

6sITdept
Accepted answer
Visitor III
August 23, 2021

I followed this YouTube video: https://www.youtube.com/watch?v=-EhygoAjLXE

It covers multiple topics, but the first half of the video is about the DMZ. I did it and was able to ping a computer in the DMZ (that's all I was testing).

Also note the video author did make a mistake; he fixes it and explains it.


Hope it helps.


ac1
Explorer III
August 24, 2021

So, the server is directly externally exposed, correct?

In this case there are two things that you can do:

  1. From Interfaces, create one software or hardware switch and assign the 2 ports, the first for WAN and the second to connect the server directly. The bridge is done.
  2. Connect a new switch to the provider router and use two ports, one for the FGT and one for the server.

Certainly not a safe solution.

jcutrufello
New Member
August 25, 2021

Thanks for the input. We ended up running two WANs. WAN1 handles their standard internal LANs, and we created a software switch with WAN2 and the DMZ, with WAN2 connected to their provider and the DMZ port connected to the web server directly.
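As an added example (not any poster's configuration, and not the software-switch setup the thread settled on), here is the FortiOS CLI for the VIP-plus-policy approach the question already uses for the mail server, applied to the web server: the DMZ port gets a private subnet, x.y.z.195 is published as a VIP on wan1, and one policy admits only HTTP and HTTPS to the server. The interface name "dmz", the 192.168.10.0/24 addressing and the server address 192.168.10.10 are assumptions; x.y.z.195 is the thread's own placeholder for the second public address.

```fortios
# Added example (not the thread's own config): VIP + policy for a DMZ web server.
# Assumed: port "dmz", subnet 192.168.10.0/24, server 192.168.10.10; x.y.z.195 is the thread's placeholder.
# 1. Give the DMZ port a private subnet so every packet between the internet
#    and the web server is routed, and therefore policed, by the FortiGate.
config system interface
    edit "dmz"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
end

# 2. Publish x.y.z.195 on wan1 as two port-forwarding VIPs. The FortiGate
#    answers ARP for x.y.z.195 (arp-reply is on by default), so the provider
#    router delivers that address to wan1 alongside x.y.z.194.
config firewall vip
    edit "vip-web-http"
        set extip x.y.z.195
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.10"
        set extport 80
        set mappedport 80
    next
    edit "vip-web-https"
        set extip x.y.z.195
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.10"
        set extport 443
        set mappedport 443
    next
end

# 3. One inbound policy scoped to the VIPs and to HTTP/HTTPS only, with logging.
#    No other port on x.y.z.195 is reachable, and no policy route is needed.
config firewall policy
    edit 0
        set name "wan1-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-http" "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

With a software switch instead, traffic between the WAN2 and DMZ members is switched rather than passed through a firewall policy, which is the exposure ac1 points out; the routed VIP layout above is what lets the 100F enforce the port restriction and log the sessions.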