A DMZ network (from the term "demilitarized zone") is a separate network, protected by the FortiGate, into and out of which traffic is only permitted when a security policy explicitly allows it. In this example the DMZ network hosts a web server that is reached using different addresses by internal and external users, while traffic from the web server to the internal network is blocked, so a compromised web server cannot be used as a stepping stone into the internal network. No DMZ-to-internal policy is created, so that traffic falls to the FortiGate's implicit deny.
A WAN-to-DMZ security policy with a virtual IP (VIP) hides the DMZ address of the web server: the VIP performs destination NAT, so external users reach the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ security policy with NAT turned off allows internal users to access the web server directly using its DMZ address (10.10.10.22). Both security policies only allow access to the web server using HTTP and HTTPS. No other access is allowed.
1. Configuring the FortiGate’s DMZ interface
Go to System > Network > Interfaces. Edit the DMZ interface.
Using the FortiGate's dedicated DMZ interface is recommended but not required; any available interface can serve this role.
For enhanced security, disable all Administrative Access options on this interface so that the FortiGate cannot be managed from the DMZ, even by a compromised host.
2. Creating virtual IPs (VIPs)
Go to Policy & Objects > Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access.
Each virtual IP has the same address, mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS.
In this example the Internet address of the web server is 172.20.120.22.
3. Creating security policies
Go to Policy & Objects > Policy > IPv4. Create a security policy to allow HTTP and HTTPS traffic from the Internet-facing interface to the DMZ interface, with the two VIPs as the destination address. Using the VIPs (rather than the web server's DMZ address) as the destination is what causes the FortiGate to translate the public address to the DMZ address.
Do not enable NAT. The VIP already performs the destination translation; enabling NAT on the policy would also source-NAT the traffic, so the web server would see the FortiGate's DMZ address instead of the real client address in its logs.
You can also enable logging for all sessions to make it easier to test the configuration.
Create a second security policy to allow HTTP and HTTPS traffic from the internal interface to the DMZ interface, with the web server's DMZ address as the destination.
Adding this policy allows traffic to pass directly from the internal interface to the DMZ interface. Do not create a policy in the reverse direction (DMZ to internal); its absence is what keeps the web server from reaching the internal network.
Do not enable NAT, so that internal users reach the web server using its real DMZ address.
You can also enable logging for all sessions to make it easier to test the configuration.
4. Results
Internet users and internal network users can access the web server by browsing to the web server's Internet address (in this example, http://172.20.120.22 and https://172.20.120.22). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22).
Since only the HTTP and HTTPS services are allowed by the policies, the web server is not accessible using other protocols (such as FTP), and you also cannot ping the web server from the Internet or from the internal network; those packets are dropped by the implicit deny policy.
Go to Policy & Objects > Monitor > Policy Monitor.
Use the policy monitor to verify that traffic from the Internet and from the internal network is matching the two new policies and reaching the web server. Traffic being accepted by a different policy, or being counted against the implicit deny, indicates a misconfiguration.
Go to Log & Report > Traffic Log > Forward Traffic.
The traffic log shows sessions from the internal network and from the Internet accessing the web server on the DMZ network.
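If a connection does not appear where expected in the policy monitor or the traffic log, the FortiGate CLI can show the forwarding decision for a single test connection. The following commands are an added example, not part of the original article; they trace the next ten packets to or from the web server's DMZ address on port 443, so you can see which policy (or the implicit deny) handled a browser request and whether the VIP translation was applied. Stop the trace afterwards, since debug output is noisy on a busy firewall.

```fortios
# Trace the policy and NAT decision for HTTPS traffic to the web server
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.22
diagnose debug flow filter port 443
diagnose debug flow trace start 10
diagnose debug enable

# ... make a test request from a browser on the Internet or internal network ...

# Stop the trace and clear the filter
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable

# List the sessions currently established to the web server
diagnose sys session filter clear
diagnose sys session filter dst 10.10.10.22
diagnose sys session list
```

In the trace output, a request from the Internet should show the destination being translated from 172.20.120.22 to 10.10.10.22 and then matching the WAN-to-DMZ policy; a request from the internal network to the DMZ address should match the internal-to-DMZ policy with no translation. A test with ping or FTP should instead show the packet being denied, confirming that only HTTP and HTTPS are allowed.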