Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jcutrufello
New Contributor

Make webserver on DMZ publicly accessible

We have a client that has a new FortiGate 100F that they (and in turn we) need assistance to set up properly, since they're our only client using a DMZ.

We need 2 addresses available publicly: x.y.z.194, which we've set as the WAN1 address and added a VIP that's mapped to their 192.168.x.x mail server on the necessary ports, and a web server connected to the DMZ with a configured address of x.y.z.195. What do we have to configure to make the web server accessible on HTTP and HTTPS from the internet properly? I assume we'll need policy routes to allow traffic from the WAN to the DMZ, but I'm not sure how the DMZ port needs to be configured, or what other items need to be set. Unfortunately we can't do much testing, since the FortiGate needs to be configured before replacing their current (non-FortiGate) firewall, so we're trying to get this as close to correct as possible.
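The configuration the question is asking for, written out as an added example (this is not from any post in the thread). It uses the same mechanism the poster already used for the mail server: a second VIP on wan1 for x.y.z.195. A VIP makes the FortiGate answer ARP for its external IP on wan1, so the provider delivers x.y.z.195 to the firewall without any bridge between WAN1 and the DMZ, and a firewall policy with the VIP as destination does the forwarding, so no policy route is needed. Assumptions: the DMZ port is named "dmz", the DMZ subnet 10.10.10.0/24 and the server address 10.10.10.10 are made up for the example, and x.y.z.195 is the placeholder from the post (substitute the real address).

```fortios
# Added example, not part of the original thread.
# Assumes interface names "wan1" and "dmz"; 10.10.10.0/24 and
# 10.10.10.10 are constructed values; x.y.z.195 is the post's placeholder.

# 1. Give the DMZ port a private subnet; the server is 10.10.10.10/24 with
#    gateway 10.10.10.1. No public address is configured on the DMZ port.
config system interface
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
end

# 2. Port-forwarding VIPs: the FortiGate answers ARP for x.y.z.195 on wan1
#    (arp-reply is enabled by default) and only TCP/80 and TCP/443 are mapped.
config firewall vip
    edit "vip-web-http"
        set extip x.y.z.195
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.10"
        set extport 80
        set mappedport 80
    next
    edit "vip-web-https"
        set extip x.y.z.195
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.10"
        set extport 443
        set mappedport 443
    next
end

config firewall vipgrp
    edit "vipgrp-web"
        set interface "wan1"
        set member "vip-web-http" "vip-web-https"
    next
end

# 3. Inbound policy: internet -> DMZ, destination is the VIP group, service
#    restricted to HTTP/HTTPS. Source NAT stays off so the web server logs
#    real client addresses. Anything else to x.y.z.195 hits the implicit deny.
config firewall policy
    edit 0
        set name "inet-to-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vipgrp-web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

There is deliberately no policy from dmz to the internal LAN interface: if the web server is compromised it should not be able to reach the mail server or workstations. If the server needs outbound access (updates, DNS), add a separate dmz-to-wan1 policy with NAT enabled and the service list kept as narrow as possible. After cutover, `diagnose sniffer packet wan1 'host x.y.z.195'` confirms the FortiGate is answering ARP and receiving the traffic.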

5 Replies
jcutrufello
New Contributor

Alternatively, is there a way to bypass NAT completely? In their current setup, they have a bridge between WAN1 and the DMZ to allow multiple public IPs to run through a single WAN port.

6sITdept
New Contributor III

I followed this YouTube video: https://www.youtube.com/watch?v=-EhygoAjLXE

It covers multiple topics, but the first half of the video is about the DMZ. I did it and was able to ping a computer in the DMZ (that's all I was testing).

Also note the video author did make a mistake; he fixes it and explains it.

Hope it helps.

ac1
Contributor II

So, the server is directly externally exposed, correct?

In this case there are two things that you can do:

1. From Interfaces, create one software or hardware switch and assign the 2 ports, the first for the WAN and the second for the direct connection to the server. The bridge is done.
2. Connect a new switch to the provider router and use two of its ports, one for the FGT and one for the server.

Certainly not a safe solution.

jcutrufello

Thanks for the input. We ended up running two WANs. WAN1 handles their standard internal LANs, and we created a software switch with WAN2 and the DMZ, with WAN2 connected to their provider and the DMZ port connected to the web server directly.
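The software-switch setup described in this reply, written out as an added example (not the poster's configuration). The point it adds is the caveat behind "certainly not a safe solution": a software switch passes traffic between its member ports with no firewall policy at all by default, so the bridged web server is effectively outside the firewall. Setting the intra-switch policy to explicit makes traffic between WAN2 and the DMZ port subject to firewall policies, so only HTTP/HTTPS reaches the server. Assumptions: interface names "wan2" and "dmz", a FortiOS release that supports `intra-switch-policy explicit` (6.0 and later), and x.y.z.195 as the post's placeholder for the server's public address.

```fortios
# Added example, not part of the original thread.
# Assumes interfaces "wan2" and "dmz" with no IP and no other references,
# FortiOS 6.0+ for intra-switch-policy, and x.y.z.195 as a placeholder.

# 1. Bridge wan2 and dmz, but require firewall policies between members
#    instead of the default implicit allow-all.
config system switch-interface
    edit "sw-public"
        set vdom "root"
        set type switch
        set member "wan2" "dmz"
        set intra-switch-policy explicit
    next
end

# The web server keeps its public address x.y.z.195 and the provider
# router as its gateway; the FortiGate is a transparent filter on the bridge
# and needs no IP on "sw-public".

config firewall address
    edit "web-server-public"
        set subnet x.y.z.195 255.255.255.255
    next
end

# 2. Inbound: provider side -> server port, HTTP/HTTPS only, no NAT.
config firewall policy
    edit 0
        set name "inet-to-web-bridge"
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server-public"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
# 3. Outbound: server-initiated traffic (updates, DNS) only; without this
#    policy the explicit setting blocks it, which is the intended default.
    edit 0
        set name "web-to-inet-bridge"
        set srcintf "dmz"
        set dstintf "wan2"
        set srcaddr "web-server-public"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat disable
        set logtraffic all
    next
end
```

Explicit intra-switch policy is only available on software switches, not hardware switches. With it set, the behaviour to verify after cutover is that a TCP SYN to x.y.z.195 on a port other than 80/443 is dropped and shows up in the traffic log as hitting the implicit deny, rather than being bridged through.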
