Support Forum
Not applicable

Routing from internal to DMZ

Hi, any help would be greatly appreciated. I have a FortiGate 60B, 3.0 MR5 Patch 3. I have created a DMZ where I am placing a webserver. My config is as follows:

WAN1 *.*.*.* (external IP address)
DMZ 10.10.10.0
LAN 192.168.0.0

External traffic can reach my DMZ OK; I have configured this the following way:

1. Create a VIP mapping the external address on WAN1 to an IP address inside my DMZ.
2. Create a custom service group and add the required services.
3. Create a firewall policy: source interface = WAN1, source address = All, destination interface = DMZ, destination address = the VIP configured earlier, service = the custom service group configured earlier.

What I need to do is allow traffic either way between my internal network and the DMZ, mainly RDP and port 5432. I've tried to add a similar firewall policy as above but using internal, but can't seem to get it to work. I'm not sure if I need to set up a route of some sort; I've tried adding a route but this doesn't appear to work either, so maybe I'm doing it wrong. An idiot's guide to doing this would be great if one of you could help me. Cheers
rwpatterson
Valued Contributor III

If you don't care about restrictions, then the easiest way would just be to open all traffic between internal <-> DMZ. This would only work if you're using the local address of the DMZ server. This would kind of negate the security of the DMZ though, since any compromise on that server would leave your network at risk... (that is assuming you would also have a policy from DMZ <-> internal as well)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Brilliant, thanks, that worked a treat. I started by opening all the ports as you suggested to get it working, then locked it down to just the ones I needed. I do have one more question though: I thought RDP used port 3389. I've set up a custom service for this, but when I try to RDP across it seems to get blocked; if I then set the service to any I can RDP to my server fine. Is there another port I should be using? Thanks for your help
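As an added example (constructed for this thread, not the poster's or Fortinet's own configuration), here is the locked-down internal-to-DMZ policy described above in FortiOS CLI form: only RDP (3389) and PostgreSQL (5432) from the LAN to the DMZ server's local address, with no matching DMZ-to-LAN policy. The object names, the /24 mask, the server address 10.10.10.10 and the interface names "internal"/"dmz" are assumptions, and keyword spelling follows current FortiOS, so 3.0 MR5 may differ slightly.

```text
# Constructed example for this thread; object names, masks, the server
# address and interface names are assumptions. Syntax follows current FortiOS.
config firewall address
    edit "LAN-net"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "DMZ-webserver"
        # The server's real DMZ address, not the WAN VIP: clients on the LAN
        # must connect to this address for the policy below to match.
        set subnet 10.10.10.10 255.255.255.255
    next
end
config firewall service custom
    edit "RDP-3389"
        set tcp-portrange 3389
    next
    edit "PostgreSQL-5432"
        set tcp-portrange 5432
    next
end
config firewall policy
    edit 0
        # LAN -> DMZ only, limited to the two services. Replies return over
        # the same session, so no DMZ -> LAN policy is needed for these flows;
        # if one is ever added, keep it just as narrow (see Bob's caveat).
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN-net"
        set dstaddr "DMZ-webserver"
        set action accept
        set schedule "always"
        set service "RDP-3389" "PostgreSQL-5432"
        set logtraffic all
    next
end
```

To confirm a connection is reaching the policy rather than being dropped, `diagnose sniffer packet any 'host 10.10.10.10 and port 3389' 4` shows whether the packets arrive on internal and leave on dmz.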
Not applicable

Oops, my bad. I got it working, please ignore my last post. Typical: I walk away for a couple of minutes and when I come back the answer is staring me in the face.
rwpatterson
Valued Contributor III

That's why they invented beer... (LOL)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
