Almost every network needs to expose some systems to the public Internet. These
systems should be reachable from the outside and, in the meanwhile, be protected
against external attacks.
This kind of configuration is obtained through the use of DMZs, which allow the access
to only explicitly allowed services and hide the real server IP address.
In the following slides we will show you how to create a DMZ using the FortiGate
In our configuration, we will use a single IP address (Internet side) and only the
http/https service will be permitted.
Keep in mind that you need a static IP address on the Internet facing interface in order
to implement a DMZ always reachable from the outside!
CONFIGURING A DMZ
To configure a DMZ you should configure an interface to be connected to your DMZ
Go to System > Network > Interfaces and choose the DMZ facing interface. Only a
static IP address should be configured, the remaining part of the configuration will be
A DMZ on the FortiGate firewall uses the concept of
virtual IP addresses. These objects are a static NAT
association between the public IP address and the
Go to Firewall Objects > Virtual IPs > Virtual IPs and
create your first Virtual IP (we will need two objects,
one for the http service and the other one for the
CONFIGURING A DMZ - CONTINUED
In the configuration menu give a Name to the virtual IP object and select the
Internet facing interface (External Interface). Two more configurations will be
needed, there is where the static NAT happens.
In our example we have the
Internet facing interface with an IP
address of 172.29.130.86 and a
web server with a private IP
address of 192.168.254.2.
Checking the Port Forwarding box,
we can map the TCP port for the
internal service to the TCP port we
will expose to the Internet.
The same configuration will be needed for the https service: create a new virtual IP
object for the new mapping using port 443 instead of 80.
CONFIGURING LOGGING – CONTINUED
Now we have to configure a new rule to allow traffic from the outside going to the
This time the communication session will go from the outside to the inside, so a
reverse rule will be needed.
Follow the example onto the right in order
to configure the policy for the DMZ.
As you could see, the incoming interface is
the Internet facing one and the source
address is “all” (everyone could connect to
The destination address is the Virtual IP
object we have just configured for http
and the service allowed is the same.
Add the Virtual IP object and the https
service to this rule (using the green plus
buttons) in order to allow https also.
See hints on www.ipmax.it
Or email us your questions to firstname.lastname@example.org
IPMAX is a Fortinet Partner in Italy.
IPMAX is the ideal partner for companies seeking quality in products and
services. IPMAX guarantees method and professionalism to support its
customers in selecting technologies with the best quality / price ratio, in the
design, installation, commissioning and operation.
Via Ponchielli, 4
20063 Cernusco sul Naviglio (MI) – Italy
+39 02 9290 9171