Fortinet Forum
Lmelim
New Contributor II

FortiGate DMZ accessing from LAN

Hello

Can I configure the FortiGate so that the internal LAN interface on PORT1 (VLAN30) of the FortiGate can communicate with the built-in DMZ interface (no VLAN)?
I set up IP 172.16.30.1 on the LAN (port1) and 20.20.20.1 on the DMZ interface, but I'm not able to ping from LAN to DMZ (I have Internet on both interfaces). What could be the reason?

thanks

ede_pfau
Esteemed Contributor III

The point here is that the VLAN30 interface is a sub-interface of the LAN port. But, the policy needs to allow traffic from "VLAN30" to "DMZ" interfaces, not from "LAN" interface.

Then, allow PING on the DMZ interface (in the interface setup).


BTW, take great care that there is no policy from DMZ to VLAN30 if the DMZ is a real DMZ. This would be a 'best practice'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
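A FortiOS CLI fragment that puts the three points of this answer together, added here as an illustration and not taken from the thread or from Fortinet documentation; the /24 masks, the interface names "VLAN30" and "dmz", the policy name and the use of the built-in "PING" service are assumptions:

```fortios
# VLAN30 is a sub-interface of port1, so it is the interface the policy must name.
config system interface
    edit "VLAN30"
        set vdom "root"
        set interface "port1"
        set vlanid 30
        set ip 172.16.30.1 255.255.255.0
    next
    # Replying to ping is an interface setting, separate from the firewall policy.
    edit "dmz"
        set ip 20.20.20.1 255.255.255.0
        set allowaccess ping
    next
end

# One policy, VLAN30 -> dmz only. No policy is created in the dmz -> VLAN30
# direction, so the FortiGate's implicit deny drops anything the DMZ initiates.
config firewall policy
    edit 0
        set name "VLAN30-to-DMZ"
        set srcintf "VLAN30"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
```

After applying it, a ping from 172.16.30.x to 20.20.20.1 should show up as an accepted session in the forward traffic log for the "VLAN30-to-DMZ" policy, and a ping from the DMZ toward 172.16.30.1 should be logged as denied by the implicit policy.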


Toshi_Esumi
Esteemed Contributor II

You need to have a policy, or a set of policies, between VLAN30 and DMZ.

Lmelim
New Contributor II

Great, thank you very much for your help.