Protect a web server with DMZ (Video)


In this video, you will learn how to configure a DMZ network to protect a public web server from unauthorized access. A DMZ network is a secure network connected to the FortiGate that only grants access if it has been explicitly allowed. In this example, the DMZ network will allow access to a web server using different addresses for internal and external users, while preventing access to the internal network if the web server is compromised.

The recipe for this video is available here.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.

  • Rick

    Hi, if I use another port as DMZ, for example port3, do I need to set up something special at that port?


    • bdickie

      Hello, no, there are no special requirements for a DMZ interface in this recipe and you can choose any interface to be your DMZ interface.

      You can set the Role of your port3 interface to DMZ. The Role option means the GUI makes it easier to configure additional features that you might find useful on a DMZ interface.

  • Arman Kadoian

    In the initial configuration of the FortiGate firewall, one will activate NAT for the internal users. I’m wondering, is there no conflict when applying the solution above with the activation of NAT in the initial configuration?

    • bdickie

      NAT can be activated independently for some firewall policies and disabled for others. In the recipe, NAT is disabled for the policy that allows users on the Internet to access the web server and NAT is also disabled for the policy that allows users on the internal network to access the web server. But the policy that allows users on the internal network to access the Internet will not be changed and will continue to have NAT enabled.

  • Brent Mair

    Is there a benefit to this instead of giving the DMZ server a publicly routable access and not doing any NAT?

    • bdickie

      I think the answer depends on your network configuration. For example, if you didn’t use the port forwarding described in this video and if you have multiple servers on your DMZ network they would all have to have public IP addresses. If that works for you then great (although I guess it would mean that you have to use up one of your public IP addresses for the DMZ interface.) Let me know if you don’t find this reply helpful.

      • Brent Mair

        That is helpful. Thank you.
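
The per-policy NAT and port forwarding discussed in the replies above, written out as a FortiOS CLI sketch. This is an added example, not the recipe's own configuration: the interface assignments (port1 = Internet, port2 = internal, port3 = DMZ), the object and policy names, and both IP addresses are constructed placeholders.

```fortios
# Constructed values: port1 = Internet, port2 = internal, port3 = DMZ,
# 203.0.113.10 = public address, 10.10.10.10 = web server on the DMZ.
config firewall vip
    edit "webserver-http"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end
config firewall address
    edit "webserver-dmz"
        set subnet 10.10.10.10 255.255.255.255
    next
end
config firewall policy
    # External users reach the server only through the VIP, HTTP only.
    edit 0
        set name "internet-to-webserver"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "webserver-http"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
    # Internal users reach the server by its DMZ address, without NAT.
    edit 0
        set name "internal-to-webserver"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "webserver-dmz"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
end
# The existing internal-to-Internet policy is left as it is (set nat enable).
# No policy has srcintf "port3" and dstintf "port2": the implicit deny drops it.
```

Because no policy originates from the DMZ interface toward the internal interface, a compromised web server cannot open sessions to internal hosts; reviewing the policy list for any rule with the DMZ port as source is the check that this property still holds after later changes.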