Hi,
I'm new to firewalls in general, and I need to do a simple setup for both a DMZ and SNMP, neither of which seems to be working. I'm using a FortiGate v5.4.6 VM.
For the DMZ, I need to add a server to a DMZ, and only network clients from one LAN interface should be able to access it. I have managed to get the client to access the DMZ server, but everybody else can also access it?!
My question is particularly about the static route: which interface should it point to?
This gallery shows the Interface, Static Route & Policy configuration.
It would be nice to know the structure of your network.
You do have interfaces on the FGT for both LAN and DMZ, so you should not need a static route at all, because once you have an interface in a subnet you automagically have a net route via it too.
Also, you set up a static route that matches all traffic from everywhere (0.0.0.0/0.0.0.0) and routes it to your DMZ interface.
Thus your policy looks good :)
Do you have any other policies *before* it which might match that traffic?
Policies are sequential, top-down, and the first one that matches wins the packet :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
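The configuration the reply above describes, written out as an added FortiOS 5.4 CLI example (this is not the original poster's configuration and not taken from the thread): interface names (port1 = WAN, port2 = LAN2 with the client, port3 = DMZ with the server), the 192.168.2.0/24 and 192.168.3.0/24 subnets, the 192.168.3.10 server address and the 203.0.113.1 WAN gateway are all assumptions chosen for illustration. The only static route is the default route, and it points at the WAN interface rather than the DMZ; the two policies pin both source interface and source address to LAN2, so any other client falls through to the implicit deny.

```fortios
# Added example configuration, not from the original thread. Interface names,
# subnets, the server address and the WAN gateway are assumptions.
config system interface
    edit "port3"
        set alias "DMZ"
        set role dmz
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        set alias "LAN2"
        set role lan
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Only the default route needs a static entry, and it goes out the WAN
# interface. The connected subnets on port2 and port3 are routed
# automatically once the interfaces have addresses; do not add a
# 0.0.0.0/0 route pointing at the DMZ.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
    next
end

config firewall address
    edit "LAN2_net"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "DMZ_web"
        set subnet 192.168.3.10 255.255.255.255
    next
end

# Two policies: LAN2 -> DMZ web server (no NAT) and LAN2 -> Internet (NAT).
# Source interface AND source address are restricted to LAN2, so clients on
# any other interface or subnet match nothing and hit the implicit deny
# (policy ID 0). Order matters only among policies on the same interface
# pair; the first match wins.
config firewall policy
    edit 1
        set name "LAN2-to-DMZ-web"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "LAN2_net"
        set dstaddr "DMZ_web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set nat disable
    next
    edit 2
        set name "LAN2-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN2_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

To confirm which policy a given flow hits, filter the debug flow on the server address (`diagnose debug flow filter addr 192.168.3.10`, then `diagnose debug flow trace start 10` and `diagnose debug enable`) and send a test request from a client on each interface; the trace names the matched policy ID, and a client that should be blocked shows the implicit deny. Avoid `srcintf any` or `srcaddr all` on the DMZ policy: either one is what lets "everybody else" through.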
I will upload the structure as well; thanks for highlighting that.
I have a Lan1 (which has the server) and a Lan2 (which has the client), both in VMs. The client VM has one internet access policy and one DMZ policy; I believe this is what is causing the policy override.
I will recheck and try again.
Thanks.
This is what the setup looks like.
Now my concern is to only allow the client connected to the same firewall as the DMZ server, NO ONE ELSE; the client should also be able to access the internet.
I'm getting confused with the policies: is this done in the same policy, or does it need two policies?
Hi again,
So I made these changes.
First off, I changed the address from 191.165 to 192.168 to avoid any PC pinging an internet IP instead of the local PC.
Next, I created two policies in the right-side FW.
Seen here [link]https://postimg.cc/gallery/28k0ml3jw/,[/link] it's working now. I have tried from the client on the left-side FW, and they are not able to access the DMZ web server address; I even added another network with a client to the right-side FW, and he too is not able to access it.
Thank you again for the assistance.
Just a question:
Am I correct in understanding that the role part of the DMZ configuration on a port sets a default deny on the port?
Thank you.
A DMZ network is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. When defining a local-in policy on a port, if no action is set manually, the action will default to deny. This means that without specifying an action in the configuration, the default behavior will be to deny traffic on that port.