Hi Guys,
I configured my foritgate 30e to also have a DMZ network on port 4 i used all information i can get on the internet.
From the normal lan network i can ping the dmz 10.10.10.1 or the webserver 10.10.10.2 .
From the webserver itself i cannot ping the inside network 192.168.1.110 (other server ) or the foritgate 192.168.1.99 so thats how it supposed to be.
I use the following network settings see attachment
Hope someone can help me or let me see the fault
Sincerly Marvin
Anyone ideas where it goes wrong i cant build the network now?
see to it that you have correct firewall policy in placed.
From Port 4 to LAN and v.v. NAT should be disabled in the policy. Please put in mind each machines on different segment must have correct default gateway.
To allow internet traffic from port 4 you should create a policy from Port 4 to WAN with NAT Enabled.
Fortigate Newbie
"Please put in mind each machines on different segment must have correct default gateway."
I now use for the webserver gateway 10.10.10.1 should i be using a other gateway ?
And for more information port 4 is physical connected to port 4 on the esxi host.
See attachments for IPV4 policy config
Thanks for your input !
Seems like you have no policy permitting traffic from DMZ to WAN. You have policy #5 that permits traffic from WAN to DMZ, and given your default gateway config you should be able to see your webserver from the WAN and have return traffic work, you just don't have a policy to let traffic initiated from DMZ out (to either WAN or LAN)
poundy wrote:Agree there is no policy from DMZ to admin(WAN) interface.Seems like you have no policy permitting traffic from DMZ to WAN. You have policy #5 that permits traffic from WAN to DMZ, and given your default gateway config you should be able to see your webserver from the WAN and have return traffic work, you just don't have a policy to let traffic initiated from DMZ out (to either WAN or LAN)
This traffic is currently hitting the implicit deny policy.
Its that simple stupid me.
Are there any recomendations about optimal security ?
yes. only build rules you actually need, not ones you don't, and only enable services to/from devices you require to have that traffic.
So no, there's no rule book here, it's necessary for you to do what you need, and I'd say it's beyond simple guidance you'll get on a forum like this.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.