Solved

FortiGate 100A DMZ configuration problem

Posted on 2010-11-18
6,633 Views
Last Modified: 2012-05-10
Hi Experts,

I have what I believe is a fairly simple problem, but because I am no expert with firewalls, and certainly not FortiGate firewalls, I am having quite a time of it.

First off, Fortinet Support are utterly useless, so don't go there.

The FortiGate 100A has two DMZ interfaces; this server is connected to DMZ2.

I have policies in place to be able to RDP to that machine from the internal LAN of the FW.

We are implementing a Microsoft IIS server and need to access the server from the trusted LAN to the DMZ2 zone. I have created the rule to allow all LAN traffic to the DMZ zone at all times for all services.

The DMZ interface is configured on 192.168.0.1/24; the DMZ server (Windows 2003) is on 192.168.0.2/24.

I can receive pings from the trusted interface to the Windows 2003 server (192.168.0.2), but cannot connect to any available services on this host (RDP, SMB, etc.). The host also cannot reach the internet.

Some images here for the config of the FW at present.

 DMZ2 Configuration FW Policies
Any ideas how I can get traffic through to this server?

Question by:dt3itsteam
18 Comments
 
LVL 2

Expert Comment

by:Sun12345
ID: 34167200
Is this server physically connected to the DMZ2 interface directly, or via a switch? Also, is there a route table somewhere on the FW? I have no experience of FortiGate; however, I am assuming it is not much different than the old-style SonicWall UI.
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34173296
Is your IIS server on DMZ2 able to connect to the internet without issue?

Are you RDP'ing to the server name or IP from the internal?

Maybe try turning on NAT on int -> DMZ2 and see if you get different results.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34195698
Apologies for the late return, one has been busy! But thanks for your responses!

Sun12345:

The server is plugged directly into the interface on the FW, no switch.

I have attached what I think is the info you are looking for :) (blanked external IPs)

 Interface routes

iworks-uworks:

- No internet access at all.
- Tried RDP via hostname and IP, no results on either. I get a login prompt though, but it fails after I "login". Pings are constant though. RDP is enabled on the server and the Windows FW is off.
- I will try the NAT thing.
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34196642
Can you post a screenshot of your policy config under firewall? That will show us why you can't ping or get out to the internet.
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34197193
Let me clarify (you already posted the rules config), but can you post the config of each policy that we are dealing with? Thanks.
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34197212
See the highlighted rule; that rule gives me ping access to the server. If I remove it, pings stop.

The other rules are tests really and can be removed.

 FW Policies
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34197244
So you can ping now? And RDP?
So what's left, just having that machine on DMZ2 connect out through the internet?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34197397
I've always been able to ping, nothing else.

RDP brings up a login box but goes nowhere after that.

:)
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34197708
You get the login box as shown below (RDP-Login), but when you type a username/password nothing happens? No error message?
When your DMZ2 to WAN1 rule is enabled, can you confirm your rule is configured as the screen shot below (NAT enabled, and make it all to all to test in case there is a problem with your address).
RDP-Login.PNG
DMZ-WAN1.PNG
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34198381
Login Prompt
 Login Error
 DMZ2 -> WAN1
 
LVL 2

Expert Comment

by:Sun12345
ID: 34198493
I do not see an issue with the configuration. Silly suggestion: can you please confirm whether you can RDP to the server from the same LAN (connect a switch to this server and a PC)? I have wasted more than a day trying to troubleshoot an issue on a router only to realize that the Windows firewall on the laptop was not letting me ping.
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 34198542
Sun has a good suggestion. Could you also post IPCONFIG from that server?
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34204199
Morning Gents!

I will give that a go, but please note:

1) I can ping the server OK, through the FW.
2) The Windows FW is disabled on the DMZ server.
3) I do not have physical access to the DMZ server at the moment, which I will need to get the IPCONFIG details.

It will take a few days to get that info because of that and the fact that I have another project about to kick off.

I will post as soon as I have the info for you.

Thanks again, Gentlemen!
 
LVL 1

Author Comment

by:dt3itsteam
ID: 34206316
Right, I got access sooner than I thought.

IPconfig:

 
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HFL0066
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-18-8B-F9-5A-A0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8

C:\Documents and Settings\Administrator>


Also, RDP from the same subnet works 100% OK. I stuck a switch on DMZ and connected the server and a laptop to the switch, and could RDP to the server from the laptop fine. No problems.
 
LVL 2

Expert Comment

by:Sun12345
ID: 34230932
Here is from the FortiGate admin guide:

Status: Select the check box to enable a policy or deselect it to disable a policy.

If you look at the firewall policy screenshot that you posted on 11/23/10 07:18 AM, ID: 34197212, the policies for DMZ are not selected. It seems that when you do not have a check box against them, their status is disabled.
Check this and let us know how it goes.
 
LVL 2

Expert Comment

by:Sun12345
ID: 34267068
dt3itsteam: Any update on this? Curious if it was only the check box missing on ACLs.
 
LVL 1

Accepted Solution

by:
dt3itsteam earned 0 total points
ID: 34282020
Hi Sun12345,

Sorry about the delay, I've been out of the office buried under projects!

I hear what you are saying, but there are other policies in place that should cover the ones you are talking about; those were purely test policies, which can in fact be removed.

Also, I have had an update from Support and they have resolved the issue! They have added a Policy Route for that interface and now it's all working:

 Policy Route
There were some duplicates in there which we cleaned up as well, but that seems to have done the trick!

How do I assign points then?
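Two mechanisms decide the outcome in this thread: whether a firewall policy is actually enabled (Sun12345's Status check box point) and which interface the FortiGate's routing picks for a packet, where a policy route is consulted before the static table (the fix Support applied). The following is an added example, not code from the thread, from Fortinet or from the FortiGate 100A; it models both mechanisms in plain Python. The interface names internal, dmz2 and wan1 and the DMZ2 host 192.168.0.2 come from the thread; the trusted LAN subnet 10.10.10.0/24, every route and policy in it, and the contents of the policy route are constructed assumptions (the thread never shows the route Support added).

```python
"""Simplified model of FortiGate-style policy matching and route selection.

Added example; not code from the thread, Fortinet or the FortiGate 100A.
Interface names and the DMZ2 host come from the thread; the LAN subnet
10.10.10.0/24, all routes, policies and the policy route are assumptions.
"""
import copy
from ipaddress import ip_address, ip_network

# Service objects -> set of (protocol, port); None means "match anything".
SERVICES = {"ALL": None, "PING": {("icmp", None)}, "RDP": {("tcp", 3389)}}

def addr_matches(obj, ip):
    """Address object is either 'all' or a CIDR string."""
    return obj == "all" or ip_address(ip) in ip_network(obj)

def service_matches(service, proto, port):
    members = SERVICES[service]
    return members is None or (proto, port) in members

def match_policy(policies, srcintf, dstintf, src, dst, proto, port):
    """First enabled policy whose interface pair, addresses and service all
    match wins; no match means the implicit deny."""
    for p in policies:
        if p["status"] != "enable":          # unchecked Status box: skipped
            continue
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if not (addr_matches(p["srcaddr"], src) and addr_matches(p["dstaddr"], dst)):
            continue
        if service_matches(p["service"], proto, port):
            return p
    return None

def egress_interface(fw, in_intf, src, dst):
    """Policy routes are consulted first, in order; otherwise the static
    table's longest-prefix match decides. None means no route at all."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for pr in fw["policy_routes"]:
        if (pr["intf"] == in_intf and src_ip in ip_network(pr["src"])
                and dst_ip in ip_network(pr["dst"])):
            return pr["out"]
    hits = [r for r in fw["static"] if dst_ip in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen)["out"] if hits else None

def verdict(fw, in_intf, src, dst, proto, port=None):
    """Return (egress interface, 'accept' or 'deny', matching policy id)."""
    out_intf = egress_interface(fw, in_intf, src, dst)
    if out_intf is None:
        return (None, "deny", None)
    p = match_policy(fw["policies"], in_intf, out_intf, src, dst, proto, port)
    return (out_intf, "accept", p["id"]) if p else (out_intf, "deny", None)

def reply_path_symmetric(fw, in_intf, src, dst):
    """True when the reply from dst to src leaves on the interface the request
    arrived on. A stand-in for a stateful firewall's session check; the real
    FortiGate logic is more involved."""
    fwd_out = egress_interface(fw, in_intf, src, dst)
    return egress_interface(fw, fwd_out, dst, src) == in_intf

# Constructed state modelled on the thread: the LAN->DMZ2 "all services"
# policy exists but is disabled, only the PING policy is enabled, and the
# static routing table has no entry for the trusted LAN.
FW = {
    "static": [
        {"net": ip_network("0.0.0.0/0"), "out": "wan1"},       # default route
        {"net": ip_network("192.168.0.0/24"), "out": "dmz2"},  # connected DMZ2
    ],
    "policy_routes": [],
    "policies": [
        {"id": 1, "status": "disable", "srcintf": "internal", "dstintf": "dmz2",
         "srcaddr": "10.10.10.0/24", "dstaddr": "192.168.0.2/32", "service": "ALL"},
        {"id": 2, "status": "enable", "srcintf": "internal", "dstintf": "dmz2",
         "srcaddr": "all", "dstaddr": "all", "service": "PING"},
        {"id": 3, "status": "enable", "srcintf": "dmz2", "dstintf": "wan1",
         "srcaddr": "all", "dstaddr": "all", "service": "ALL"},
    ],
}

def with_fixes(fw):
    """Copy of the state with policy 1 enabled and an ASSUMED policy route
    that sends DMZ2's replies for the trusted LAN out the internal interface."""
    fixed = copy.deepcopy(fw)
    fixed["policies"][0]["status"] = "enable"
    fixed["policy_routes"].append({"intf": "dmz2", "src": "192.168.0.0/24",
                                   "dst": "10.10.10.0/24", "out": "internal"})
    return fixed

if __name__ == "__main__":
    for label, fw in (("before", FW), ("after", with_fixes(FW))):
        print(label, "ping", verdict(fw, "internal", "10.10.10.5", "192.168.0.2", "icmp"))
        print(label, "rdp ", verdict(fw, "internal", "10.10.10.5", "192.168.0.2", "tcp", 3389))
        print(label, "symmetric", reply_path_symmetric(fw, "internal", "10.10.10.5", "192.168.0.2"))
```

Before the fixes the model reproduces the symptom in the thread: ICMP from the LAN is accepted by the PING-only policy while RDP hits the implicit deny, because the broad policy is skipped for being disabled, and DMZ2's replies toward the LAN would follow the default route out wan1 rather than back through internal. Enabling the policy and adding the policy route makes both checks pass.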
 
LVL 1

Author Closing Comment

by:dt3itsteam
ID: 34324302
Got the solution from the 3rd-party Support desk.