I need to allow traffic from my DMZ application server (192.168.1.2) to communicate with our internal network (172.10.2.1). Could you kindly assist.
For any communication, you will need:
1. Route
2. Security Policy
3. Possibly a source network address translation if 172.10.2.1 does not know anything.
1. Route: a route from 192.168.1.0/24 to 172.10.2.0/24. This may be the default route on the system (192.168.1.2) to the gateway at 192.168.1.1. If 172.10.2.0/24 is a connected interface on the FortiGate, the FortiGate will know how to connect to that system.
2. Security policy for the traffic. Port/protocol/application.
3. Does 172.10.2.1 know how to get back to 192.168.1.0/24? Source NAT needed?
For DMZ traffic inbound, you need to allow only the specific traffic to the specific destination. Application control, IPS, everything turned on in protect mode. A DMZ is basically letting the Internet into your internal network, so only permitted communications should be allowed. You would most likely want to enforce that traffic as internal-->DMZ and not the reverse.
---
Opinions expressed are my own and may not represent the official opinion of my employer.
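The three items in the reply above (route, policy, optional source NAT), written out as FortiOS CLI. This is an added example, not configuration from the original post or from Fortinet; the interface names "dmz" and "internal", the address-object names, the next hop 10.0.0.2 and the service "HTTPS" are assumptions. The static route is only needed if 172.10.2.0/24 is not a connected interface, as the reply notes; the "#" lines are annotations, not commands.

```text
# Added example, not from the original post. Assumed: interface "dmz" holds
# 192.168.1.0/24, interface "internal" holds (or routes to) 172.10.2.0/24.
config firewall address
    edit "dmz-app-192.168.1.2"
        set subnet 192.168.1.2 255.255.255.255
    next
    edit "int-host-172.10.2.1"
        set subnet 172.10.2.1 255.255.255.255
    next
end

# 1. Route: skip this block if 172.10.2.0/24 is directly connected on "internal".
#    Next hop 10.0.0.2 is an assumed value.
config router static
    edit 0
        set dst 172.10.2.0 255.255.255.0
        set gateway 10.0.0.2
        set device "internal"
    next
end

# 2. Security policy: one source host, one destination host, one service,
#    IPS and application control enabled, all traffic logged.
config firewall policy
    edit 0
        set name "dmz-app-to-int-host"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "dmz-app-192.168.1.2"
        set dstaddr "int-host-172.10.2.1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat disable
    next
end

# 3. Source NAT: change "set nat disable" to "set nat enable" in the policy
#    above only if 172.10.2.1 has no route back to 192.168.1.0/24; the
#    session then leaves with the "internal" interface address as source.

# Verification after the change (read-only diagnostics):
get router info routing-table all
diagnose sniffer packet any 'host 192.168.1.2 and host 172.10.2.1' 4
diagnose debug flow filter addr 172.10.2.1
diagnose debug enable
diagnose debug flow trace start 10
```

Policies are matched top-down, so keep this narrow DMZ-to-internal policy above any broader rule between the same interfaces (inside `config firewall policy`, `move <id> before <id>` reorders it). Because the policy is scoped to a single source, a single destination and a single service, a compromised DMZ host gains no path to the rest of 172.10.2.0/24 beyond what this rule permits, which is the point the reply makes about only allowing the specific traffic. The `diagnose debug flow` output shows which policy a packet matched, or that it was dropped for lacking a route or a policy, which separates a routing problem (item 1) from a policy problem (item 2) and a return-path problem (item 3).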