Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pccstech
New Contributor II

Created on ‎05-05-2023 09:29 AM Edited on ‎05-05-2023 09:30 AM

Create a DMZ for a set of VMs?

Hello 

 

I have several VMs I'd like to protect with a DMZ. They need to be accessible from the Internet and internally. I'm looking for assistance in finding some "howto" docs or general guidance in creating the DMZ.

 

We have a Fortigate appliance with two connections to it. One internet facing the other is internal.

 

Our VMs are of the form 10.10.10.x. We currently have a few Virtual IPs and polices allowing internet traffic to these VMs. I am able to understand the "cookbooks" for wired connection to protect physical servers but I'm lost as where to start to protect a VM.  Thx in advance for any guidance you can provide

 

Labels:
2121
0 Kudos
7 REPLIES 7
abarushka
Staff
Staff

Created on ‎05-05-2023 09:46 AM

Hello,

 

I can not think about the differences between protecting physical servers and VMs. Firewall is treating the same way traffic from/to physical servers and VMs.

FortiGate
2114
0 Kudos
pccstech
New Contributor II
In response to abarushka

Created on ‎05-05-2023 09:54 AM

The traffic filtering being the same I get.  To start building the DMZ I think I need to create a new interface?  What kind?  

2113
0 Kudos
pccstech
New Contributor II
In response to pccstech

Created on ‎05-05-2023 09:58 AM

We are on version 7.0.11

2107
0 Kudos
abarushka
Staff
Staff

Created on ‎05-05-2023 10:17 AM

Hello,

 

You may consider to set DMZ role for the interface:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behaviour-on-the-GUI-of-the-Interface-Role...

 

Here is a sample topology:

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/361386

FortiGate
2103
0 Kudos
pccstech
New Contributor II
In response to abarushka

Created on ‎05-05-2023 10:38 AM

Thx for the replies.    The topology example looks to be for a physical server connecting to an open port. 

 

Q: Is creating a new interface the correct first step in creating the DMZ? IF so what type should it be?   My Choices are:

802.3ad Aggregate

EMAC VLAN

Loopback

Redundant

Software Switch

SSL-VPS Tunnel

VLAN

 

Also which interface member should I choose? External or Internal?

 

2100
0 Kudos
abarushka
Staff
Staff
In response to pccstech

Created on ‎05-08-2023 01:40 AM

Hello,

 

Interface type selection rather depends on the network topology and requirements (speed, redundancy, etc.) than security. I can not see significant difference between interfaces in terms of security.

FortiGate
1928
0 Kudos
pccstech
New Contributor II
In response to abarushka

Created on ‎05-08-2023 09:44 AM

All set. Thx

1907
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.