- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Static Routes to DMZ hosts
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 09-30-2004 05:46 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Static Routes to DMZ hosts
Should I set statics routes to hosts connected to DMZ interface in " Network - Routing table" ?
Or should be enough to set DMZ address in " network interface" and hence the routing to that hosts is implicit
Thanks
4 REPLIES 4
Not applicable
Created on 09-30-2004 06:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your DMZ comprises only one IP subnet and no VLANs/subinterfaces, then no, you don' t need to configure routes to individual DMZ hosts.
And yes, configuring a route to the DMZ subnet is the common-practice standard approach.'
Your config might could include something like this, where route 0 provides a default route to the internet, route 1 supports traffic to the internal network, and route 2 sends traffic to the DMZ:
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 ExternalInterfaceIPaddress set system route number 1 dst internalNetworkAddress internalNetmask gw1 internalInteraceIPaddress set system route number 2 dst dmzNetworkAddress dmzNetmask gw1 dmzInterfaceIPaddresscheers, ybiC freelance consultant to Christian non-profits IOS, CatOS, Debian, Perl, Zaurus, Win32 desktop hw/sw, cable-plant testing
Not applicable
Created on 09-30-2004 07:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the settings os the router table
# get system route table
No. Dst Gw1 interface Gw2 interface
0 0.0.0.0 0.0.0.0 (IProuter) auto auto
As you can see, there is no routes defined to DMZ hosts (192.168.x.x)
Should I add new routes to DMZ hosts?
Not applicable
Created on 09-30-2004 08:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me clarify a wee bit, good sir...
You will need to add a routing table entry for your DMZ network, and you could do it in this format: your DMZ network is addressed as 192.168.1.0
your DMZ network has a netmask of 255.255.255.255
your DMZ interface is addressed as 192.168.1.1
your Fortigate is set for NAT and not transparent mode
there are no other routes already in your routing table
you are using the CLI instead of the web GUI[/ul] result in this example:
set system route number N dst DMZ_NETWORK_ADDRESS DMZ_NETMASK gw1 DMZ_INTERFACE_ADDRESSThe following assumptions[ul]
set system route number 1 dst 192.168.1.0 255.255.255.0 gw1 192.168.1.1You will likely also need to add a similar routing table entry for your inside network. That is, if you want the DMZ hosts to be able to communicate with inside network hosts.
Not applicable
Created on 12-07-2004 08:13 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gah - I must have been on drugs when I posted my first two replies in this thread... 8^(
No, you don' t need to configure any static routes for networks directly connected to your Fortigate interfaces (internal, wan, dmz, wlan etc). Static routing table entries are only needed for remote networks that aren' t behind your default gateway, and that only when you aren' t using dynamic routing in your network (rip, ospf, eigrp, etc).
Any layer 3 routing device, like a Fortigate, automatically adds connected networks to it' s routing table.
Apologies to any whom my initial advice may have mis-directed.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- OSPF redistributed routes filtering 268 Views
- Fortigate Firewall BGP received routes not... 487 Views
- Strange routing issue for PPPoE interface... 284 Views
- Fortigate- Redundant links 278 Views
- Decommissioning a FG 200D and migrating... 472 Views
Labels
-
FortiGate
7,162 -
FortiClient
1,414 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.