A DMZ is a LAN segment like any other, with one exception: "regard the DMZ as hacked".
That is, no policies from DMZ to LAN!
For instance, if you need to synchronize data between a server on your LAN and a server in DMZ, you do not pull the data from the DMZ server. Instead, you push data from LAN to DMZ (with appropriate policy).
Whether you create a DMZ on a physical or a virtual port doesn't matter.
I stated the 'ideal' situation for a DMZ. In your case you might be able to process the data in the DMZ, with data coming in from the LAN. YMMV and often the strict uni-directional layout has to be broken in reality.
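As an added example (not from either reply above), the "push, never pull" layout in FortiOS CLI form: one LAN-to-DMZ policy, a VIP publishing the DMZ host, and no DMZ-to-LAN policy at all. Interface names, private addresses and the public IP are assumptions.

```fortios
# Added example, not from the thread. Assumed names: LAN interface "internal",
# DMZ interface "dmz", WAN interface "wan1"; LAN sync host 192.168.1.10,
# DMZ web server 10.10.10.20, public IP 203.0.113.5 (documentation range).
config firewall address
    edit "LAN-sync-server"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "DMZ-web-server"
        set subnet 10.10.10.20 255.255.255.255
    next
end
# Publish the DMZ host: public IP mapped to its private address.
config firewall vip
    edit "VIP-DMZ-web"
        set extintf "wan1"
        set extip 203.0.113.5
        set mappedip "10.10.10.20"
    next
end
config firewall policy
    # LAN pushes data into the DMZ over SSH (rsync/sftp); the DMZ never initiates.
    # Restricting srcaddr to named LAN hosts is also how admin access is limited.
    edit 1
        set name "LAN-push-to-DMZ"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN-sync-server"
        set dstaddr "DMZ-web-server"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # Internet reaches the DMZ only through the VIP, only on HTTPS.
    edit 2
        set name "WAN-to-DMZ-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-DMZ-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
# Deliberately no policy with srcintf "dmz" and dstintf "internal":
# the FortiGate implicit deny drops that direction, so a compromised DMZ host cannot reach the LAN.
```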
I have set up a DMZ in my company directly on a firewall port with a totally different IP range (you can connect a switch to it and use as many systems as you like).
This way it will be separate from your local network.
Make the necessary policies as required.
Note: we have mapped the DMZ local IP to a public IP; also, only a few IPs from the IT team have been given access to the DMZ local IP.
FortiOS 5.2, 5.4, 5.6, 6.0, 6.0.2 and 6.2