Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7096
  • Last Modified:

FortiGate 100A DMZ configuration problem

Hi Experts,

I have what i believe is a fairly simple problem, but because i am no expert with Firewalls and certainly not Fortigate firewalls i am having quite a time of it.

First off, Fortinet Support are utterly useless, so dont go there.

The Fortigate 100A has two DMZ interfaces, this server is connected to the DMZ2.

I have policies in place to be able to RDP to that machine from the Internal LAN of the FW.

We are implementing an Microsoft IIS server and need to access the server from the trusted LAN to the DMZ2 zone. I have created the rule to allow all LAN traffic to the DMZ zone at all times for all services.

The DMZ interface is configured on 192.168.0.1/24 the DMZ server (windows 2003) is on 192.168.0.2/24

I can receive ping's from the trusted interface to the Windows 2003 server (192.168.0.2), but cannot connect to any available services on this host. (RDP, SMB, etc..). The host also cannot reach the internet.

Some images here for the config of the FW at present.

 DMZ2 Configuration FW Policies
Any ideas how i can get traffic through to this Server?

0
dt3itsteam
Asked:
dt3itsteam
  • 8
  • 6
  • 4
1 Solution
 
Sun12345Commented:
Is this server physically connected to the DMZ2 interface to via a switch? Also is there a route table some where on the FW? I have no experince of Fortigate however I am assuing it is not much different then the old style Sonicwall UI.
0
 
iworks-uworksCommented:
Is your IIS server on DMZ2 able to connect to the internet without issue?

Are you RDP'ing to the server name or IP from the internal?

Maybe try turning on NAT on int -> DMZ2 and see if you get different results.
0
 
dt3itsteamAuthor Commented:
Apologies for late return, one has been busy! But thanks for your responses!

Sun12345:

Server is plugged directly into the interface on the FW, no switch.

I have attached, what i think is the info you are looking for :) (blanked ex IPs)

 Interface routes

iworks-uworks:

- no internet access at all
- tried RDP via hostname and IP no results on either. I get a login prompt tho, but fails after i "login". Pings are constant tho. RDP is enabled on the Server and the Windows FW is off.
- I will try the NAT thing.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
iworks-uworksCommented:
Can you post a screenshot of your policy config under firewall? That will show us why you can't ping or get out to the internet.
0
 
iworks-uworksCommented:
Let me clarify (you already posted the ruels config), but can you post the config of each policy that we are dealing with? Thanks.
0
 
dt3itsteamAuthor Commented:
See the highlighted Rule, that rule gives me ping access to the server, if i removed it pings stop.

The other rules are tests really and can be removed.

 FW Policies
0
 
iworks-uworksCommented:
So you can ping now? And RDP?
So what's left, just having that machine on DMZ2 connect out through the internet?
0
 
dt3itsteamAuthor Commented:
Ive always been able to ping, nothing else.

RDP brings up a login box but goes no where after that.

:)
0
 
iworks-uworksCommented:
You get the login box as shown below (RDP-Login), but when you type a username/password nothing happens? No error message?
When your DMZ2 to WAN1 rule is enabled, can you confirm your rule is configured as the screen shot below (NAT enabled, and make it all to all to test in case there is a problem with your address).
RDP-Login.PNG
DMZ-WAN1.PNG
0
 
dt3itsteamAuthor Commented:
Login Prompt
 Login Error
 DMZ2 -> WAN1
0
 
Sun12345Commented:
I do not see an issue with configuration. Silly suggestion. Can you please confirm if you can RDP to the server from same LAN (connect a switch to this server and a PC). I have waisted more then a day trying to toubleshoot a issue on router only to realized that Windows firewall on laptop was not letting me ping.
0
 
iworks-uworksCommented:
Sun has a good suggestion. Could you also post IPCONFIG from that server?
0
 
dt3itsteamAuthor Commented:
Morning Gents!

I will give that a go, but please note:

1) I can ping the server ok, through the FW.
2) Windows FW is disabled on DMZ server
3) I do not have physical access to the DMZ server at the moment, which i will need to get the IPCONFIG details.

It will take a few days to get that info because of that and the fact that i have another project about to kick off.

I will post as soon as i have the info for you.

Thanks again Gentleman!
0
 
dt3itsteamAuthor Commented:
Right, i got access sooner than i thought.

IPconfig:

 
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HFL0066
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-18-8B-F9-5A-A0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8

C:\Documents and Settings\Administrator>

Open in new window


Also, RDP from the same subnet works 100% ok. I stuck a switch on DMZ and connected Server + Laptop to Switch and could RDP to Server from laptop ok. No problems.
0
 
Sun12345Commented:
Here is from the Fortigate admin guide:

Status Select the check box to enable a policy or deselect it to disable a policy.

If you look at the Firewall policy screenshot that you have posted on 11/23/10 07:18 AM, ID: 34197212, the policies for DMZ are not selected. It seems when you do not have a check box against them, there status is disable.
Check this and let us know how it goes?
0
 
Sun12345Commented:
dt3itsteam: Any update on this? Curious if it was only the check box missing on ACLs.
0
 
dt3itsteamAuthor Commented:
Hi Sun12345,

Sorry about the delay, been out the office buried under projects!

I hear what you are saying but there are other policies in place that should cover those policies you are talking about, those were purely test policies which can be removed in fact.

Also, i have had an update from Support and they have resovled the issue! They have added in a Policy Route for that interface and now its all working:

 Policy Route
There were some duplicates in there which we cleaned up as well, but that seems to have done the trick!

How do i assign points then?
0
 
dt3itsteamAuthor Commented:
Got the solution from the 3rd party Support desk
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 8
  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now