Configure basic protection on Fortigate : LAN-WAN-DMZ

NC

In this article I explain how to configure basic security on FortiGate Firewall. Your network is divided into 3 roles which are WAN, LAN and DMZ. 

How to configure basic protection on Fortigate : LAN-WAN-DMZ

We have an example with a network with a file server. In this recipe, you will protect a File server by connecting it to your FortiGate DMZ network. In addition to protecting the File server, the DMZ also protects the rest of the network. 

Go to network interfaces and edit the DMZ interface

How to configure basic protection on Fortigate : LAN-WAN-DMZ

This example uses the port3 interface as the DMZ interface, port 1 as LAN interface, port 2 as WAN interface.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

The interface Alias indicates that this is the DMZ interface. As well the Role is set to DMZ. For enhanced security, disable all Administrative Access options

Go to Policy & Objects > Virtual IPs

Create a virtual IPs for FTP access. Mapping from the Internet to the DMZ interface. 

  • Set the interface to the "WAN" interface.

  • External IP set to "0.0.0.0".

  • Mapped IP address, set to the internal IP address of the server you are forwarding to.

  • Enable "Port forwarding", Select "TCP".

  • Type in the port you want to forward.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

Go to Policy & Objects > Firewall Policy

Create a firewall policy to allow traffic from the LAN to the internet. 

  • Give the policy and name that indicates that the policy will be for traffic to the internet.

  • Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface.

  • Set Source, Destination Address, Schedule, and Services is all.

  • Make sure the Action is set to ACCEPT.

  • Turn on NAT.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

How to configure basic protection on Fortigate : LAN-WAN-DMZ

You can now browse the Internet using any computer that connects to the FortiGate's internal interface.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

Create a second firewall policy to allow FTP traffic from the internal network to the File server. 

  • Set the Incoming Interface to the lan interface and the Outgoing Interface to the DMZ interface.

  • Set Source, Destination Address, and Schedule is all.

  • Set Services is FTP.

  • Make sure the Action is set to ACCEPT.

  • Turn on NAT.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

You can now access the file server from LAN address. 

How to configure basic protection on Fortigate : LAN-WAN-DMZ

Create a third firewall policy to allow FTP traffic from the Internet to the File server.

  • Set the Incoming Interface to the WAN interface and the Outgoing Interface to the DMZ interface.

  • Set source and schedule is all.

  • Add virtual IP as the destination address.

  • Set Services is FTP.

  • Make sure the action is set to accept.

  • Turn on NAT.

How to configure basic protection on Fortigate : LAN-WAN-DMZ

Internet users and internal network users can access the File server by the File server's Internet address. Internal users can also access the File server using its DMZ address. 

How to configure basic protection on Fortigate : LAN-WAN-DMZ

In this recipe, you will protect a server by connecting it to your FortiGate's DMZ network. In addition to protecting the server, the DMZ also protects the rest of the network. A hole in the network protection must be made to allow outside users to access the server. This hole creates a potential vulnerability that is mitigated by the DMZ.


Tags: DMZ FortiGate