Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnlee43
New Contributor

Limitation on dmz hosts

I am setting up dmz zone on FG100E firmware v6.2.5build1142.

Is it true that only services like HTTP or HTTPS can delivered to dmz hosts?

I need to open other ports like FTP, RDS for dmz hosts through Virtual IPs.

Is there any way?

3 REPLIES 3
lobstercreed
Valued Contributor

That is absolutely not true.  I think you might be looking at this guide or something?  https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/361386

 

That simply shows one way of doing it that assumes you have only 1 public IP.  If that's the case, you could absolutely add additional port-forward VIPs the same way this guide suggests for 80/443 (HTTP/HTTPS) to open the other ports. 

 

If you have multiple public IPs, you can do a non-port forwarding VIP (i.e. forward ALL ports to specific internal IP) and use that VIP as the destination, setting the services you want to allow for that server.  See this for an explanation: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38709

 

James_G
Contributor III

No such limitations I know of, you can push any traffic into a DMZ.

 

If you should is another matter, but a virtual IP can forward any TCP / UDP based traffic.

Yurisk

The "DMZ" notion comes from home and low-cost SMB devices, like when trying to disable NAT an d it is possible for DMZ interface only. In Fortigates DMZ is just convenience name for the otherwise regular and equally capable interface, just like any other on the Fortigate device. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors