Hello
Can i configure FORTIGATE in order that internal LAN interface on PORT1 (VLAN30) of the FORTIGATE can comunicate to the builtin DMZ interface (no VLAN)?
I setuped IP 172.16.30.1 on LAN (port1) and 20.20.20.1 on DMZ Interface but im not abble to ping from LAN to DMZ (i have INTERNET on both interfaces)....what could be the reason?
thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The point here is that the VLAN30 interface is a sub-interface of the LAN port. But, the policy needs to allow traffic from "VLAN30" to "DMZ" interfaces, not from "LAN" interface.
Then, allow PING on the DMZ interface (in the interface setup).
BTW, take great care that there is no policy from DMZ to VLAN30 if the DMZ is a real DMZ. This would be a 'best practice'.
You need to have a policy, or a set of policies, between VLAN30 and DMZ.
The point here is that the VLAN30 interface is a sub-interface of the LAN port. But, the policy needs to allow traffic from "VLAN30" to "DMZ" interfaces, not from "LAN" interface.
Then, allow PING on the DMZ interface (in the interface setup).
BTW, take great care that there is no policy from DMZ to VLAN30 if the DMZ is a real DMZ. This would be a 'best practice'.
Great
Thank you very much for your help
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.