FortiGate Firewall HOW-TO - DMZ
2 likes30,495 views
This document provides a guide on configuring a DMZ using a Fortigate firewall to expose certain systems to the internet while protecting them from external attacks. It details configuration steps, such as setting up a static IP address, creating virtual IPs for HTTP and HTTPS services, and configuring traffic rules to allow outside communication. The document also promotes IPMax as a partner for technological solutions in Italy.
FortiGate Firewall HOW-TO - DMZ
- 1. FORTIGATE FIREWALL HOW TO DMZ www.ipmax.it
- 2. INTRODUCTION Almost every network needs to expose some systems to the public Internet. These systems should be reachable from the outside and, in the meanwhile, be protected against external attacks. This kind of configuration is obtained through the use of DMZs, which allow the access to only explicitly allowed services and hide the real server IP address. In the following slides we will show you how to create a DMZ using the FortiGate Firewall. In our configuration, we will use a single IP address (Internet side) and only the http/https service will be permitted. Keep in mind that you need a static IP address on the Internet facing interface in order to implement a DMZ always reachable from the outside!
- 3. CONFIGURING A DMZ To configure a DMZ you should configure an interface to be connected to your DMZ network. Go to System > Network > Interfaces and choose the DMZ facing interface. Only a static IP address should be configured, the remaining part of the configuration will be implemented elsewhere. A DMZ on the FortiGate firewall uses the concept of virtual IP addresses. These objects are a static NAT association between the public IP address and the internal server. Go to Firewall Objects > Virtual IPs > Virtual IPs and create your first Virtual IP (we will need two objects, one for the http service and the other one for the https).
- 4. CONFIGURING A DMZ - CONTINUED In the configuration menu give a Name to the virtual IP object and select the Internet facing interface (External Interface). Two more configurations will be needed, there is where the static NAT happens. In our example we have the Internet facing interface with an IP address of 172.29.130.86 and a web server with a private IP address of 192.168.254.2. Checking the Port Forwarding box, we can map the TCP port for the internal service to the TCP port we will expose to the Internet. The same configuration will be needed for the https service: create a new virtual IP object for the new mapping using port 443 instead of 80.
- 5. CONFIGURING LOGGING – CONTINUED Now we have to configure a new rule to allow traffic from the outside going to the DMZ. This time the communication session will go from the outside to the inside, so a reverse rule will be needed. Follow the example onto the right in order to configure the policy for the DMZ. As you could see, the incoming interface is the Internet facing one and the source address is “all” (everyone could connect to our server). The destination address is the Virtual IP object we have just configured for http and the service allowed is the same. Add the Virtual IP object and the https service to this rule (using the green plus buttons) in order to allow https also.
- 6. MORE NEEDS? See hints on www.ipmax.it Or email us your questions to [email protected]
- 7. IPMAX IPMAX is a Fortinet Partner in Italy. IPMAX is the ideal partner for companies seeking quality in products and services. IPMAX guarantees method and professionalism to support its customers in selecting technologies with the best quality / price ratio, in the design, installation, commissioning and operation. IPMAX srl Via Ponchielli, 4 20063 Cernusco sul Naviglio (MI) – Italy +39 02 9290 9171