- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- DMZ Default route for servers
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DMZ Default route for servers
Hi all,
I'm changing some things on my network. Currently (in summary) I have a DMZ with two Fortigate and one switch. The servers and the firewalls connect to the switch.
Each server has 2 static routes
1º)Default route --> IP address of the external fortigate.
2º)Route to reach internal private addresses -->Internal fortigate.
I'm thinking about configure the servers with just one default route for the switch that connects them. This switch, sends traffic to external or internal firewall and Doesn't route any traffic between DMZ network and other networks.
Server-->Switch-->Firewall Internal / Firewall External.
If I use a firewall as default gateway for servers, some times the traffic will have more hops than I want. Example
Traffic from server DMZ, to server Datacenter:
-ServerDMZ-->switch(layer 2)-->firewall external-->Switch another time-->Firewall internal.
What do you think about using a single default route to layer3 switch, that interconnects everything and it doesn't route between DMZ and other networks. It only sends traffic to internal or external firewall. It's an acceptable design to a DMZ in your opinion?
Thanks
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesn't the "server Datacenter" have a private IP to be reached via the 2nd static route on the DMZ servers? Then it shouldn't go to the external FGT.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks ¡¡ I'm talking about DMZ servers.
Yes, actually they have two static routes: Default (external firewall) and 2nd static route to the datacenter servers (internal firewall).
I would like to use only one default route (to the switch that connect both firewalls and servers).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you're saying you want to eliminate any other static routes on the DMZ servers? If your switch is a L3 switch, yes, you can. Then the switch needs to have 1) default route to the external FGT, and 2) those necessary static routes to the internal FGT, instead.
Toshi
Created on 12-16-2025 01:54 PM Edited on 12-16-2025 02:06 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In other words, the path between the internet and the DMZ servers will have one more hop, the L3 switch.
Internet <-> external FGT <-> L3 switch <-> DMZ servers
You need to add a new small /31 or /30 subnet between the external FGT and the L3 switch. And obviously need to add a new static route on the external FGT for the DMZ subnet, which is now not directly connected.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Toshi. I know that is possible, if we are talking about routing. What I wonder is whether it is not recommended for some really important reason. I can't think of any, since north-south traffic will always be analysed by firewalls and traffic will always pass through the switch, even if it is not the gateway, since it interconnects everything.
On the other hand if I do that, my idea is not to use a different networks between firewalls and switch, all of them can have an IP address in the DMZ network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those are routing options you just need to decide, either make the switch as L2 one or L3 one. There is no difference security-wise. I personally prefer a L2 switch option since one less L3 node to worry about. But it's just a matter of preference.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your suggested design seem to work fine and seem better than the existing. But the first question I'd ask when it comes to design is: does it follow standards?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AEK,I'm not sure if he follows them. That's why I'm asking if it's a reasonable design, taking into account all aspects and comparing it to the current one (with some static routes in the servers).
Created on 12-17-2025 05:39 AM Edited on 12-17-2025 05:39 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm also not sure, but as long as the L3 switch doesn't route traffic between VLANs (without filtering) then you should be safe.
On the other hand a standard design that I always follow and I'm always happy with it is to attach the DMZ to the edge firewall only, even if the traffic transit through 2 firewalls instead of one. It is true that it is less performance but this little performance difference was never required in my case.
You know in enterprise environment we should always follow standards, otherwise one day some expert or some audit will find strange things and will ask who did this s***?!! (sorry for the expression)
AEK
AEK
Labels
-
FortiGate
11,019 -
FortiClient
2,263 -
FortiManager
927 -
FortiAnalyzer
703 -
5.2
687 -
5.4
638 -
FortiSwitch
610 -
FortiClient EMS
606 -
FortiAP
578 -
IPsec
474 -
6.0
416 -
SSL-VPN
408 -
FortiMail
388 -
5.6
362 -
FortiNAC
315 -
FortiWeb
267 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
215 -
FortiAuthenticator
195 -
FortiGuard
164 -
FortiGate-VM
158 -
5.0
152 -
Firewall policy
152 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
116 -
FortiToken
116 -
FortiGateCloud
113 -
Wireless Controller
97 -
High Availability
95 -
Customer Service
91 -
Routing
85 -
SAML
84 -
ZTNA
84 -
FortiProxy
81 -
Authentication
76 -
VLAN
76 -
BGP
75 -
DNS
74 -
Certificate
74 -
Fortivoice
73 -
FortiEDR
73 -
FortiADC
73 -
RADIUS
68 -
LDAP
66 -
FortiLink
62 -
SSO
61 -
NAT
58 -
FortiSandbox
57 -
Interface
55 -
FortiExtender
53 -
Application control
52 -
VDOM
50 -
4.0MR3
49 -
Virtual IP
48 -
Logging
44 -
FortiDNS
43 -
SSL SSH inspection
42 -
FortiPAM
41 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiConnect
36 -
Automation
36 -
FortiWAN
32 -
FortiConverter
31 -
API
30 -
Traffic shaping
29 -
FortiGate v5.2
28 -
FortiGate Cloud
27 -
Static route
27 -
SNMP
26 -
SSID
26 -
System settings
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
OSPF
23 -
WAN optimization
22 -
Web application firewall profile
22 -
FortiMonitor
21 -
Security profile
20 -
Web rating
20 -
IP address management - IPAM
20 -
FortiSOAR
19 -
FortiAP profile
18 -
Admin
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
IPS signature
15 -
Users
15 -
Traffic shaping policy
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v5.0
13 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiWeb v5.0
11 -
FortiBridge
11 -
FortiRecorder
11 -
trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Application signature
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Packet capture
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
VoIP profile
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
Video Filter
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
FortiEdge
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiPresence
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2857 | |
| 1443 | |
| 823 | |
| 816 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.