- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate 300C/100D inbound routing to DMZ
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 300C/100D inbound routing to DMZ
Hi,
I'm deploying one each of the above mentioned box. Both will essentially have the same setup, so I'll stick to the 300C for now. My question relates to inbound routing to the DMZ and what Fortinet best practice would be, I don't see anything specifically related to it in the literature I've read through so far. It's a Single WAN connected to the carrier via a /30 point to point link. The box also has a /27 subnet to play with which the carrier advertises for us. My intention is to use the /27 subnet for inbound traffic to Web and edge servers etc. I'm not entirely convinced on how best to config the /27 (relatively new to Fortigate), perhaps a sub interface on the WAN for the /27, perhaps a new zone for the /27 subnet....I'm thinking out loud here.
I would be grateful for any suggestions.
Cheers.
B.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.
A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.
If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.
The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.
If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.
A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.
If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.
The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.
If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
what you're looking for is the "Virtual IP" feature in "Firewall objects". A VIP translates the destination IP address to a 'mapped' address. In order to do so, you use the VIP as a destination address in a policy from your WAN interface to the DMZ interface.
A VIP can either be 'straight through' or port forwarding. Original and mapped-to port need not be the same so you can have port translation at the same time.
If you have several VIPs for your DMZ if might pay off to use a VIP group. Just create VIPs and put them into a VIP group, and use that as the destination address in your incoming policy.
The VIP construct is not merely a NAT rule (more precisely: destination NAT). The FGT will proxy ARP requests for all active VIPs on the outward interface. Routing should be possible even without assigning a secondary IP to the WAN interface.
If you have further questions after going over the Admin Guide (or the Cookbook) feel free to post them here.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede,
I had all the VIP's in place and configured correctly and still nothing. After some diag sniffer logs from the source and destination IP's............turns out the target server wasn't responding to the SYN requests due to the windows firewall:/. Silly me!, it's always the simple ones that catch you. (Or maybe that's just me.)
Thanks for the suggestions Ede, much appreciated.
B.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ha ha, been there...glad it works now for you. Enjoy!
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Separate DNS for SdWan members 37 Views
- FortiLink not detecting FortiSwitch 41 Views
- web services posts on fortigate 41 Views
- VPIPSEC VPN PROBLEM 66 Views
- Port Scan showing port 541 being... 76 Views
Labels
-
FortiGate
6,866 -
FortiClient
1,362 -
5.2
801 -
5.4
639 -
FortiManager
587 -
FortiAnalyzer
432 -
6.0
416 -
5.6
362 -
FortiAP
358 -
FortiSwitch
353 -
FortiClient EMS
277 -
FortiMail
268 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
117 -
FortiGuard
109 -
IPsec
94 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
78 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
FortiAuthenticator
26 -
VLAN
26 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiGate v5.2
17 -
DNS
17 -
FortiSwitch v6.2
16 -
SAML
16 -
LDAP
16 -
Certificate
16 -
BGP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.