Article Id 192086


Description

This article describes how to set up an FTP server in the DMZ.

Components

FortiGates.

Steps

In the web-based manager complete the following steps:

 

- Set up a Virtual IP address

- Create a Service Group

- Create a Firewall policy

 

Set up a virtual IP address.

 

Configure a virtual IP address so that incoming requests for the FTP server are routed correctly.

The virtual IP can be included later in an External -> DMZ firewall policy.

 

To define the virtual IP address for the FTP server:

 

1) Go to Firewall -> Virtual IP.

2) Select 'Create New'.

3) Select Static NAT.

4) Enter the following information:

 

- Name: Enter a name for the virtual IP, for example ServerName_External.

- External Interface: External.

- External IP Address: Enter the external IP address. For example, 1.1.1.155.

- Map IP Address: Enter the IP address of the internal host port. For example, 10.10.10.2.

5) Select 'OK'.

 

Create a service group.

 

For FTP access through the DMZ, the FTP service can be added on its own to a firewall policy.

However, additional services such as PING also need to be added.

Add all services required into a single group for easier configuration.

 

To add a service group:

 

1) Go to Firewall -> Service -> Group.

 

2) Select 'Create New'.

 

3) Enter a Group Name. For example, FTP_IP.

 

4) From the Available Services list, select the services to add to the group.
Select a service and select the right arrow to add it to the Members list.

For example, add FTP and PING.

 

5) Select 'OK'.

 

Create a firewall policy.

 

Create a firewall policy to accept traffic for the specified services.

 

To create a firewall policy:

 

1) Go to Firewall -> Policy.

 

2) Select 'Create New'.

 

3) Set the following options:

 

- Interface/Zone (Source): External.

- Interface/Zone (Destination): DMZ/HA.

- Address Name (Source): All.

- Address Name (Destination): Under Virtual IP, select the Virtual IP name created in the previous steps. For this example, ServerName_External.

- Service: Select the service group created in the previous steps. For this example, FTP_IP.

- Action: Accept.

 

4) Select 'OK'.

 

After completing these steps, it is possible to ping the FTP address of 1.1.1.155 from outside the firewall.
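
The same three objects expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface names "external" and "dmz" and the "always" schedule are assumptions (interface names differ by model, and option names can vary between FortiOS versions); the object names and addresses are the article's example values.

```fortios
# Added example, not from the original article.
# Assumed interface names: "external" (Internet side) and "dmz" (server side).

# Step 1: static NAT virtual IP mapping 1.1.1.155 to the FTP server 10.10.10.2
config firewall vip
    edit "ServerName_External"
        set extintf "external"
        set extip 1.1.1.155
        set mappedip "10.10.10.2"
    next
end

# Step 2: service group holding only the services the policy should allow
config firewall service group
    edit "FTP_IP"
        set member "FTP" "PING"
    next
end

# Step 3: External -> DMZ policy; the destination is the virtual IP, not "all"
config firewall policy
    edit 0
        set srcintf "external"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "ServerName_External"
        set action accept
        set schedule "always"
        set service "FTP_IP"
    next
end
```

Using `edit 0` creates the policy with the next free policy ID. Because the destination is the virtual IP and the service is the FTP_IP group, only FTP and PING to 1.1.1.155 are forwarded to the DMZ host.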

 
