Protecting a web server with DMZ

In this recipe, you will protect a web server by connecting it to your FortiGate’s DMZ network. A DMZ network (from the term ‘demilitarized zone’) is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.

A WAN-to-DMZ firewall policy with a Virtual IP (VIP) uses destination NAT to hide the DMZ address of the web server, allowing external users to access the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ firewall policy allows internal users to access the web server using its DMZ address (10.10.10.22). Both firewall policies only allow access to the web server using HTTP and HTTPS; no other access is allowed.


1. Configuring the FortiGate’s DMZ interface

Go to Network > Interfaces and edit the DMZ interface.

This example uses the port3 interface as the DMZ interface. The interface Alias indicates that this is the DMZ interface, and the Role is also set to DMZ.

For enhanced security, disable all Administrative Access options.


2. Creating virtual IPs (VIPs)

Go to Policy & Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access.

Each virtual IP has the same address, mapping from the Internet to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS.

In this example the Internet address of the web server is 172.20.120.35.


3. Creating firewall policies

Go to Policy & Objects > IPv4 Policy. Create a firewall policy to allow HTTP and HTTPS traffic from the Internet to the web server. Add both VIPs as the destination address.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.


Create a second firewall policy to allow HTTP and HTTPS traffic from the internal network to the web server.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.
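As an added check that is not part of the original recipe, the script below audits a FortiGate policy table, modelled as plain Python dicts, against the three constraints this recipe sets: only HTTP and HTTPS into the DMZ, NAT left disabled on the policies to the web server, and no policy that lets the DMZ reach the internal network. port3 is the DMZ interface from step 1; the interface names wan1 and internal, and the object names, are assumptions.

```python
ALLOWED_DMZ_SERVICES = {"HTTP", "HTTPS"}  # the only services the recipe permits into the DMZ

def audit_dmz_policies(policies, dmz_intf, internal_intf):
    """Return findings for every accept policy that breaks the recipe's intent.

    An empty list means the table still matches the recipe.
    """
    findings = []
    for p in policies:
        if p["action"] != "accept":
            continue
        ident = f'policy {p["id"]} "{p["name"]}"'
        if p["dstintf"] == dmz_intf:
            # Anything entering the DMZ must be limited to HTTP and HTTPS (step 3).
            extra = set(p["service"]) - ALLOWED_DMZ_SERVICES
            if extra:
                findings.append(f"{ident}: services {sorted(extra)} allowed into the DMZ")
            # The VIP already does destination NAT; source NAT would make every
            # request arrive from the FortiGate's address (see the NAT note).
            if p.get("nat", False):
                findings.append(f"{ident}: source NAT enabled, client addresses hidden from the web server")
        if p["srcintf"] == dmz_intf and p["dstintf"] == internal_intf:
            # A compromised web server must not be able to reach the internal network.
            findings.append(f"{ident}: allows traffic from the DMZ into the internal network")
    return findings

# Constructed sample table mirroring the recipe's two policies. port3 is the DMZ
# interface from step 1; "wan1" and "internal" are assumed interface names.
RECIPE_POLICIES = [
    {"id": 1, "name": "Internet to DMZ web server", "srcintf": "wan1", "dstintf": "port3",
     "dstaddr": ["WebServer-HTTP", "WebServer-HTTPS"], "service": ["HTTP", "HTTPS"],
     "action": "accept", "nat": False},
    {"id": 2, "name": "Internal to DMZ web server", "srcintf": "internal", "dstintf": "port3",
     "dstaddr": ["WebServer-DMZ"], "service": ["HTTP", "HTTPS"], "action": "accept", "nat": False},
]

# Constructed misconfigurations that a later change could introduce.
DRIFTED_POLICIES = RECIPE_POLICIES + [
    {"id": 3, "name": "DMZ to internal", "srcintf": "port3", "dstintf": "internal",
     "dstaddr": ["all"], "service": ["ALL"], "action": "accept", "nat": False},
    {"id": 4, "name": "Internet to DMZ FTP", "srcintf": "wan1", "dstintf": "port3",
     "dstaddr": ["WebServer-FTP"], "service": ["FTP"], "action": "accept", "nat": True},
]

if __name__ == "__main__":
    for label, table in (("recipe", RECIPE_POLICIES), ("drifted", DRIFTED_POLICIES)):
        print(label + ":", audit_dmz_policies(table, "port3", "internal") or "no findings")
```

The recipe's own two policies produce no findings; the drifted table reports the DMZ-to-internal policy, the FTP service and the enabled source NAT.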


4. Results

Internet users and internal network users can access the web server by browsing to the web server’s Internet address (in this example, http://172.20.120.35 and https://172.20.120.35). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22).

Since only HTTP and HTTPS are enabled, the web server is not accessible using other protocols (such as FTP) and you also cannot ping the web server from the Internet or from the internal network.

Go to FortiView > Policies to see the current sessions for each firewall policy. If you add a filter to show only policies with the DMZ interface as the destination interface, you will see sessions from the internal network to the web server and from the Internet to the web server.

Double-clicking the Internet-to-DMZ web server policy shows sessions from Internet addresses (in this example, 172.20.120.100) and from the internal network (192.168.1.20).

For further reading, check out Firewall in the FortiOS 5.4 Handbook.

Bill Dickie

In addition to protecting the web server, the DMZ also protects the rest of the network. A hole must be made in the network's protection to allow outside users to reach the web server; the DMZ contains the potential vulnerability that this hole creates.

For this recipe to work, the web server must be configured with its default route pointing at the FortiGate's DMZ interface.

Enabling the NAT option actually enables source NAT, which is not required for this configuration because the VIPs already perform destination NAT. If you do enable source NAT, the configuration will still work, but all traffic received by the web server will have the same source IP address, so you will lose information about your website users.

  • Inder Suthar

    I have a FortiGate 80C firewall with two ISPs (WAN1, WAN2), 1 DMZ, 1 LAN.
    I want to connect WAN1 to DMZ and WAN2 to LAN, and also be able to access the DMZ from the LAN.
    How do I configure this?