How to create DMZ (Demilitarized Zone) on Fortigate Firewall?

What is DMZ (Demilitarized Zone)?

A DMZ (Demilitarized Zone) in computer networking refers to a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually the internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Key aspects of a DMZ include:

  1. Isolation: Systems within the DMZ are isolated from the internal network. This is typically achieved using firewalls to create a boundary between the internal network and the DMZ.
  2. Access Control: Strict access controls are implemented, usually through firewalls, to manage the traffic that can flow between the DMZ, the internal network, and the external internet. Only necessary communication is permitted.
  3. Exposure: Services that need to be accessible from the external network, such as web servers, mail servers, and FTP servers, are placed in the DMZ. This ensures that these services are exposed to the internet while keeping the internal network protected.
  4. Security: If a service in the DMZ is compromised, the internal network remains protected due to the isolation provided by the DMZ setup.

Common Use Cases

  • Web Hosting: Hosting a website that needs to be accessed by the general public.
  • Email Servers: Allowing external email to be received while protecting the internal email system.
  • DNS Servers: Providing DNS resolution services to external clients without exposing internal DNS servers.

Firewall Initial configuration CLI

FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password, please input a new password.
New Password:*****
Confirm Password:*****
Welcome !

FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit port1

FortiGate-VM64-KVM (port1) # set alias WAN

FortiGate-VM64-KVM (port1) # set role wan

FortiGate-VM64-KVM (port1) # set mode static

FortiGate-VM64-KVM (port1) # set ip 192.168.178.200 255.255.255.0

FortiGate-VM64-KVM (port1) # set allowaccess ssh ping http https telnet fgfm

FortiGate-VM64-KVM (port1) # next

FortiGate-VM64-KVM (interface) # edit port2

FortiGate-VM64-KVM (port2) # set alias LAN

FortiGate-VM64-KVM (port2) # set role lan

FortiGate-VM64-KVM (port2) # set mode static

FortiGate-VM64-KVM (port2) # set ip 192.168.200.1 255.255.255.0

FortiGate-VM64-KVM (port2) # set allowaccess ssh ping telnet fgfm http https

FortiGate-VM64-KVM (port2) # next

FortiGate-VM64-KVM (interface) # edit port3

FortiGate-VM64-KVM (port3) # set alias

incomplete command in the end
Command fail. Return code -160

FortiGate-VM64-KVM (port3) # set alias DMZ

FortiGate-VM64-KVM (port3) # set role dmz

FortiGate-VM64-KVM (port3) # set mode static

FortiGate-VM64-KVM (port3) # set ip 192.168.100.1 255.255.255.0

FortiGate-VM64-KVM (port3) # end

FortiGate-VM64-KVM #

Configuration Steps

1-) Initial configuration of the firewall

2-)Interface configurations and ipv4 basic policies

3-)DMZ interface configuration (no administrative access)

4-)Adding webserver’s IP address to Addresses as Subnet via /32 CIDR ending and DMZ as interface

5-)Configuring Virtual IP to map WAN to DMZ access. In this example we mapped 192.168.178.200:172 to 192.168.100.100:80 so once someone wants to access our webserver; outside address and port is 192.168.178.200:172 . As we are using 443 and 80 for administrative access we have chosen this specific port. If you change your administrative access port to something else then you can directly define 443 for webserver.

6-)Configuring DMZ ipv4 policies

7-)Access from remote network via 192.168.178.200:172 > 192.168.100.100:80

Please feel free to contact me if you have any questions.

Happy networking 🙂

Back To Top
error: Content is protected !!