Fortinet Forum
AlexDragos
New Contributor

DMZ functionality

Hello everyone,

I am new to working with firewalls. I took some online classes and learned to do small activities, like filtering traffic from the web. But now I face a problem: I need to set up a DMZ (on a FortiGate E-50) with a particular action, Remote Desktop Gateway.

I mention from the start that I know how to configure the PCs already, for the RD Gateway as well. However, I am facing an issue with the traffic between networks. The setup cannot be changed to a simpler version; you can see the layout attached to this topic.

Host PC: 50.2.2.40/16, Gateway: 50.2.2.100
DMZ PC: 50.4.1.1/24, Gateway: 50.4.1.100
Client PC: 10.10.30.1/24, Gateway: 10.10.30.100

Firewall P1: 50.2.2.100/16, Internal Network, configured as Interface/hardware switch
Firewall P2: 50.4.2.100/24, DMZ Network, configured as Interface/hardware switch
Firewall P3: 10.10.30.100/24, External Network, configured as Interface/hardware switch

 

I am configuring traffic from Internal to DMZ with port 3389 open, and also External to DMZ with port 3389. I cannot make a connection from External to DMZ or Internal to DMZ. I tried with all ports open and all available services. I cannot even get a ping from internal/external to DMZ. So, no chance to go from Internal to External.

 Can someone help me to understand exactly what I am not doing or doing wrong? 

  Thanks for helping

2 Solutions
Toshi_Esumi
Esteemed Contributor II

I'm assuming you're just testing your DMZ setup with a PC on the P3 interface/network. Are those 50.2/16 and 50.4.1/24 networks real subnets? It's unusual to have a public subnet inside while you have a DMZ network. Those seem to belong to two different ISPs.

 

Regardless, it's about policies you created for P3->P2 and P1->P2. Add 'ICMP_ALL' to the policies and sniff pinging packets at each interface.


akabarasif
New Contributor III

Hi,

First of all, enable ping on the interface if it is not enabled, for testing; otherwise the ping won't work.

Enable all-session logging on each policy so you can verify where it is blocking.

Make sure security policies are not blocking the traffic.

 

Make sure that you enable return traffic:

LAN -> DMZ

DMZ -> External

External -> DMZ

DMZ-> LAN

 

Enable all-session logging on all these policies for logging and troubleshooting.


9 Replies

AlexDragos

This is for testing purposes in the first stage.

In the real scenario it will be 172.17.XX.XX and 172.24.XX.XX instead of 50.2.XX.XX and 50.4.XX.XX.

But now I realise that I only allowed traffic from Internal to DMZ and from External to DMZ. No return policy was in place. Maybe this is the issue. I will check ASAP.

   

 

AlexDragos

Hi, ping was enabled already. But return policies were not configured, only LAN to DMZ and External to DMZ. I will try and see what happens after that.

  

AlexDragos

Ok,

I made the return policies, but I am still struggling. Now I have all services enabled on these policies, no restrictions, yet I fail to communicate between zones.

I can ping on the following routes:

Host PC (internal network) to Internal Interface of Firewall: OK
Host PC (internal network) to anything else (DMZ interface or DMZ PC): FAIL
DMZ PC (DMZ Network) to DMZ Interface: OK
DMZ PC (DMZ Network) to Internal Interface of firewall: OK (strangely or correctly?)
DMZ PC (DMZ Network) to External Interface of firewall: OK (strangely or correctly?)
DMZ PC (DMZ Network) to Host PC (internal network) or to Client PC (External Network): FAIL
Client PC (external network) to External Interface of Firewall: OK
Client PC (external network) to anything else (DMZ interface or DMZ PC): FAIL

How can I jump between zones, since I get stopped at the interface of the specific firewall zone?

   

    

poundy

diag debug flow is your friend. You are clearly not hitting an allow rule, and looking at the debug will tell you more about the IP traffic. 

 

Are you using VIPs? Are your policies on the VIP or on the address object? 

 

Are you hitting routing issues? Do all your devices have the FGT interface IP as the default gateway?   
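Putting akabarasif's checklist and poundy's debug-flow advice together, here is an added FortiOS CLI example (not from the thread or from Fortinet): a LAN-to-DMZ policy for RDP plus ICMP with full session logging, its DMZ-initiated counterpart, and a debug-flow filter for a ping to the DMZ PC. The interface names port1/port2, the object names, and the DMZ interface address 50.4.1.100 are my assumptions (as posted, the DMZ PC's gateway 50.4.1.100 and the firewall P2 address 50.4.2.100 sit in different /24s, which is exactly the kind of routing mismatch a debug-flow trace surfaces).

```fortios
# DMZ-facing interface (assumed name port2); allowaccess ping lets the DMZ PC ping its gateway
config system interface
    edit "port2"
        set ip 50.4.1.100 255.255.255.0
        set allowaccess ping
    next
end
# Address objects (names are assumptions); host object for the RD Gateway in the DMZ
config firewall address
    edit "LAN_net"
        set subnet 50.2.0.0 255.255.0.0
    next
    edit "DMZ_RDGW"
        set subnet 50.4.1.1 255.255.255.255
    next
end
# Policy 1: LAN -> DMZ, RDP and ICMP. Policies are stateful, so replies to a
# LAN-initiated session are matched by its session entry; policy 2 (DMZ -> LAN)
# is for sessions the DMZ host itself initiates. External<->DMZ mirrors this with port3.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_net"
        set dstaddr "DMZ_RDGW"
        set action accept
        set schedule "always"
        set service "RDP" "ALL_ICMP"
        set logtraffic all
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "DMZ_RDGW"
        set dstaddr "LAN_net"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
end
# Troubleshooting: trace how a ping (proto 1) to the DMZ host is routed and policy-matched
diagnose debug flow filter addr 50.4.1.1
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
get router info routing-table all
```

Run the ping from the Host PC while the trace is active; a "no matching policy" or "reverse path check fail" line in the trace points at the policy or the gateway mismatch respectively. Finish with `diagnose debug disable` and `diagnose debug reset`.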

AlexDragos

Hi, 

It was a routing issue. I have managed to do it. Thanks for all the support I received here.

esaban

Hi, what was your solution? I have a similar issue.

