Protect a web server with DMZ


In this recipe, you will protect a web server by connecting it to your FortiGate’s DMZ network. A DMZ network (from the term ‘demilitarized zone’) is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. In this example, the DMZ network allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.

A WAN-to-DMZ security policy with a virtual IP (VIP) hides the DMZ address of the web server, allowing external users to access the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ security policy with NAT turned off allows internal users to access the web server using its DMZ address (10.10.10.22). Both of these security policies only allow access to the web server using HTTP and HTTPS. No other access is allowed.


1. Configuring the FortiGate’s DMZ interface

Go to System > Network > Interfaces. Edit the DMZ interface.

Using the DMZ interface is recommended but not required.

For enhanced security, disable all Administrative Access options.


2. Creating virtual IPs (VIPs)

Go to Policy & Objects > Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access.

Each virtual IP has the same address, mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS.

In this example the Internet address of the web server is 172.20.120.22.


3. Creating security policies

Go to Policy & Objects > Policy > IPv4. Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and the web server.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.


Create a second security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and the web server.

Adding this policy allows traffic to pass directly from the internal interface to the DMZ interface.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.


4. Results

Internet users and internal network users can access the web server by browsing to the web server’s Internet address (in this example, http://172.20.120.22 and https://172.20.120.22). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22).

Since only HTTP and HTTPS are enabled, the web server is not accessible using other protocols (such as FTP) and you also cannot ping the web server from the Internet or from the internal network.

Go to Policy & Objects > Monitor > Policy Monitor.

Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.


Go to Log & Report > Traffic Log > Forward Traffic.

The traffic log shows sessions from the internal network and from the Internet accessing the web server on the DMZ network.


For further reading, check out Firewall in the FortiOS 5.2 Handbook. Also, see this Knowledge Base article for information about improving VIP security.

Bill Dickie

Technical Writer at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
For this recipe to work, the web server must be properly configured with its default route pointing at the FortiGate’s DMZ interface.