
Allowing LAN Internal Network To A DMZ Device

Hello People,


A user asked me to allow the LAN network to access a DMZ device IP:

lan ip-range is gateway:


1- I went to Addresses > Create New; I didn't find a place to create an object for the DMZ device.

So the first question: how do I create an object and give it a name and an IP address? What I found is how to create a subnet or an IP range, and this is not what I was looking for.

I need to create this DMZ object because I want to allow the LAN only to this DMZ machine. How do I do that in Forti?


2- What I did for now, for testing, is allow the LAN to the whole DMZ network; even this didn't work and I don't know why...

I went to Policy & Objects > Addresses > created 2 new IP range objects

named dmz-network and internal-network (IP ranges).

Then I went to IPv4 Policy > Create New

name: lan_to_dmz

incoming interface: internal

outgoing interface: dmz

source: internal-network

destination: dmz-network

schedule: always

service: all

action: accept

nat: disabled


When I went to a PC in the LAN and tried to ping, there was no ping?

How do I go from here? Please assist.


What did you put into your ranges?

You can enter one host as a subnet with <ipofhost>/ as a FGT Address object.

If is the IP of the dmz interface, does the interface allow ping?

Is that dmz_network connected to the dmz interface?


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams




OK, I created the DMZ object. is a device in the DMZ network listening on port 80, dmz interface


I need to allow ALL LAN computers to access one specific device in the DMZ on port

When they open a browser, LAN users type: and they should reach a web interface.

LAN interface is:


Hope it's more clear now.


hm ok

Your policy seems to be correct so far.

If you enable ping access on your dmz interface and then try to ping it from within your LAN IP range, does that work?

Do you have any other policy that matches that traffic and comes before this one?


For further debugging you might use the debug flow feature on the CLI:


diag debug enable

diag debug flow show console enable

diag debug flow filter clear

diag debug flow filter daddr

diag debug flow trace start <numberofpackets>


Then ping and watch the console. You will see the incoming ping (ICMP Echo) and you will see what happens to it.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams




Thanks for your response.


1- Tried to ping from a LAN computer: no ping to the DMZ interface or to the DMZ device.

Ping is enabled on the dmz interface.


2- No other policy matches that traffic and comes before this one.


I ran the debug and this is what I see:



FGT60ETK18099PXJ # diag debug enable
FGT60ETK18099PXJ #
FGT60ETK18099PXJ # diag debug flow show console enable
command parse error before 'console'
Command fail. Return code -61
FGT60ETK18099PXJ #
FGT60ETK18099PXJ # diag debug flow filter clear
FGT60ETK18099PXJ #
FGT60ETK18099PXJ # diag debug flow filter daddr
FGT60ETK18099PXJ #
FGT60ETK18099PXJ # diag debug flow trace start
FGT60ETK18099PXJ #
id=20085 trace_id=1 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1,> from internal. type=8, code=0, id=1, seq=104."
id=20085 trace_id=1 func=init_ip_session_common line=5654 msg="allocate a new session-01c712b4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw- via dmz"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-8:"


Policy 8 is the rule that allows all traffic from the LAN to the DMZ.


What's next?
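A small parser for the `diag debug flow` output quoted above, added here as an example (it is not from the thread or from Fortinet): it groups the trace lines by trace_id and pulls out the ingress and egress interfaces plus the allow/deny verdict and matching policy ID, which is the part of the trace that tells you whether the firewall or the DMZ host is the one not answering. The sample output and its addresses are constructed; the message formats follow the lines the poster pasted.

```python
import re
from collections import OrderedDict

# Constructed sample of FortiOS `diag debug flow` output. Addresses are
# documentation ranges, not the thread's (which were stripped from the post).
# Trace 1 mirrors the thread's allowed ICMP echo; trace 2 is a constructed
# TCP/80 probe hitting the implicit deny, to show both verdict shapes.
SAMPLE = '''
id=20085 trace_id=1 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:1->198.51.100.20:2048) from internal. type=8, code=0, id=1, seq=104."
id=20085 trace_id=1 func=init_ip_session_common line=5654 msg="allocate a new session-01c712b4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-198.51.100.20 via dmz"
id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-8:"
id=20085 trace_id=2 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.0.2.11:51234->198.51.100.20:80) from internal. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5654 msg="allocate a new session-01c712b5"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-198.51.100.20 via dmz"
id=20085 trace_id=2 func=fw_forward_handler line=751 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and record each packet's fate.

    Returns one dict per trace: src/dst/proto/dport, ingress and egress
    interface, and the verdict with the matching policy ID.
    """
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid, "verdict": "no verdict logged", "policy": None})
        if p := PKT_RE.search(msg):
            t.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), dport=int(p.group(4)), in_if=p.group(5))
        elif r := ROUTE_RE.search(msg):
            t["out_if"] = r.group(1)          # interface the chosen route points out of
        elif a := ALLOW_RE.search(msg):
            t["verdict"], t["policy"] = "allowed", int(a.group(1))
        elif d := DENY_RE.search(msg):
            t["verdict"], t["policy"] = "denied", int(d.group(1))  # policy 0 = implicit deny
    return list(traces.values())

if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE):
        print(f"trace {t['trace_id']}: proto {t['proto']} {t['src']} -> {t['dst']}:{t['dport']} "
              f"{t['in_if']} -> {t.get('out_if', '?')}  {t['verdict']} (policy {t['policy']})")
```

A trace that reaches "Allowed by Policy-N" and shows a route out of the dmz interface, as in the poster's output, means the FortiGate forwarded the echo; a "no verdict logged" trace or a deny points back at the policy table.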
