In this recipe, you will protect a web server by connecting it to your FortiGate’s DMZ network. A DMZ network (from the term ‘demilitarized zone’) is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.
A WAN-to-DMZ firewall policy with a Virtual IP (VIP) uses source NAT to hide the DMZ address of the web server, allowing external users to access the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ firewall policy allows internal users to access the web server using its DMZ address (10.10.10.22). Both of these firewall policies only allow access to the web server using HTTP and HTTPS. No other access is allowed.
1. Configuring the FortiGate’s DMZ interface

Go to Network > Interfaces and edit the DMZ interface. This example uses the port3 interface as the DMZ interface. Set the interface Alias to indicate that this is the DMZ interface and set the Role to DMZ. For enhanced security, disable all Administrative Access options.
2. Creating virtual IPs (VIPs)

Go to Policy & Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access. Each virtual IP has the same address, mapping from the Internet to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS. In this example the Internet address of the web server is 172.20.120.35.
3. Creating firewall policies

Go to Policy & Objects > IPv4 Policy. Create a firewall policy to allow HTTP and HTTPS traffic from the Internet to the web server. Add both VIPs as the destination address. You can also enable logging for all sessions to make it easier to test the configuration.

Create a second firewall policy to allow HTTP and HTTPS traffic from the internal network to the web server. You can also enable logging for all sessions to make it easier to test the configuration.
4. Results

Internet users and internal network users can access the web server by browsing to the web server’s Internet address (in this example, http://172.20.120.35 and https://172.20.120.35). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22). Since only HTTP and HTTPS are enabled, the web server is not accessible using other protocols (such as FTP), and you also cannot ping the web server from the Internet or from the internal network.

Go to FortiView > Policies to see current sessions for each firewall policy. If you add a filter to show only policies with the DMZ interface as the destination interface, you will see sessions from the internal network to the web server and from the Internet to the web server.

Double-clicking on the Internet-to-DMZ web server session shows sessions from Internet addresses (in the example, 172.20.120.100) and from the internal network (192.168.1.20).
For further reading, check out Firewall in the FortiOS 5.4 Handbook.
The post Protecting a web server with DMZ appeared first on Fortinet Cookbook.