Protecting a web server with DMZ
In this recipe, you will protect a web server by connecting it to your FortiGate's DMZ network. In addition to protecting the web server, the DMZ also protects the rest of the network. A hole in the network protection must be made to allow outside users to access the web server. This hole creates a potential vulnerability that is mitigated by the DMZ. A DMZ network (from the term 'demilitarized zone') is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.
A WAN-to-DMZ firewall policy with a Virtual IP (VIP) translates the destination address, hiding the DMZ address of the web server and allowing external users to access the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ firewall policy allows internal users to access the web server using its DMZ address (10.10.10.22). Both of these firewall policies only allow access to the web server using HTTP and HTTPS. No other access is allowed. For this recipe to work, the web server must be properly configured with its default route pointing at the FortiGate's DMZ interface.
1. Configuring the FortiGate's DMZ interface
Go to Network > Interfaces and edit the DMZ interface.
This example uses the port3 interface as the DMZ interface. The interface Alias indicates that this is the DMZ interface, and the Role is also set to DMZ.
For enhanced security, disable all Administrative Access options.
2. Creating virtual IPs (VIPs)
Go to Policy & Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access.
Each virtual IP has the same address, mapping from the Internet to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS.
In this example the Internet address of the web server is 172.20.120.35.
3. Creating firewall policies
Go to Policy & Objects > IPv4 Policy. Create a firewall policy to allow HTTP and HTTPS traffic from the Internet to the web server. Add both VIPs as the destination address.
Do not enable NAT. Enabling the NAT option actually enables source NAT, which is not required for this configuration because the VIPs already perform destination NAT. If you do enable source NAT the configuration will still work, but all traffic received by the web server will have the same source IP address, so you will lose information about your website users.
You can also enable logging for all sessions to make it easier to test the configuration.
Create a second firewall policy to allow HTTP and HTTPS traffic from the internal network to the web server.
Do not enable NAT. If you enable source NAT the configuration will still work, but all traffic received by the web server will have the same source IP address, so you will lose information about your website users.
You can also enable logging for all sessions to make it easier to test the configuration.
4. Results
Internet users and internal network users can access the web server by browsing to the web server's Internet address (in this example, http://172.20.120.35 and https://172.20.120.35). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22).
Since only HTTP and HTTPS are enabled, the web server is not accessible using other protocols (such as FTP) and you also cannot ping the web server from the Internet or from the internal network.
Go to FortiView Policies to see current sessions for each firewall policy. If you add a filter to show only policies with the DMZ interface as the destination interface, you will see sessions from the internal network to the web server and from the Internet to the web server.
Double-clicking the Internet-to-DMZ web server policy shows sessions from Internet addresses (in the example, 172.20.120.100) and from the internal network (192.168.1.20).
For further reading, check out Firewall in the FortiOS 5.4 Handbook. Also, see this Knowledge Base article for information about improving VIP security.