Solved

FortiGate 100A DMZ configuration problem

Posted on 2010-11-18
6,289 Views
Last Modified: 2012-05-10
Hi Experts,

I have what I believe is a fairly simple problem, but because I am no expert with firewalls, and certainly not Fortigate firewalls, I am having quite a time of it.

First off, Fortinet Support are utterly useless, so don't go there.

The Fortigate 100A has two DMZ interfaces, this server is connected to the DMZ2.

I have policies in place to be able to RDP to that machine from the Internal LAN of the FW.

We are implementing a Microsoft IIS server and need to access the server from the trusted LAN to the DMZ2 zone. I have created the rule to allow all LAN traffic to the DMZ zone at all times for all services.

The DMZ interface is configured on 192.168.0.1/24; the DMZ server (Windows 2003) is on 192.168.0.2/24.

I can receive pings from the trusted interface to the Windows 2003 server (192.168.0.2), but cannot connect to any available services on this host (RDP, SMB, etc.). The host also cannot reach the internet.

Some images here for the config of the FW at present.

 DMZ2 Configuration FW Policies
Any ideas how I can get traffic through to this server?

Question by:dt3itsteam
18 Comments
 
LVL 2

Expert Comment

by:Sun12345
Is this server physically connected to the DMZ2 interface or via a switch? Also, is there a route table somewhere on the FW? I have no experience of Fortigate; however, I am assuming it is not much different from the old-style Sonicwall UI.
 
LVL 4

Expert Comment

by:iworks-uworks
Is your IIS server on DMZ2 able to connect to the internet without issue?

Are you RDP'ing to the server name or IP from the internal?

Maybe try turning on NAT on int -> DMZ2 and see if you get different results.
 
LVL 1

Author Comment

by:dt3itsteam
Apologies for late return, one has been busy! But thanks for your responses!

Sun12345:

Server is plugged directly into the interface on the FW, no switch.

I have attached what I think is the info you are looking for :) (blanked external IPs)

 Interface routes

iworks-uworks:

- no internet access at all
- tried RDP via hostname and IP, no results on either. I get a login prompt though, but it fails after I "login". Pings are constant though. RDP is enabled on the server and the Windows FW is off.
- I will try the NAT thing.
 
LVL 4

Expert Comment

by:iworks-uworks
Can you post a screenshot of your policy config under firewall? That will show us why you can't ping or get out to the internet.
 
LVL 4

Expert Comment

by:iworks-uworks
Let me clarify (you already posted the rules config), but can you post the config of each policy that we are dealing with? Thanks.
 
LVL 1

Author Comment

by:dt3itsteam
See the highlighted rule; that rule gives me ping access to the server. If I remove it, pings stop.

The other rules are tests really and can be removed.

 FW Policies
 
LVL 4

Expert Comment

by:iworks-uworks
So you can ping now? And RDP?
So what's left, just having that machine on DMZ2 connect out through the internet?
 
LVL 1

Author Comment

by:dt3itsteam
I've always been able to ping, nothing else.

RDP brings up a login box but goes nowhere after that.

:)
 
LVL 4

Expert Comment

by:iworks-uworks
You get the login box as shown below (RDP-Login), but when you type a username/password nothing happens? No error message?
When your DMZ2 to WAN1 rule is enabled, can you confirm your rule is configured as the screen shot below (NAT enabled, and make it all to all to test in case there is a problem with your address).
RDP-Login.PNG
DMZ-WAN1.PNG
 
LVL 1

Author Comment

by:dt3itsteam
Login Prompt
 Login Error
 DMZ2 -> WAN1
 
LVL 2

Expert Comment

by:Sun12345
I do not see an issue with the configuration. Silly suggestion: can you please confirm whether you can RDP to the server from the same LAN (connect a switch to this server and a PC)? I have wasted more than a day trying to troubleshoot an issue on a router only to realize that the Windows firewall on the laptop was not letting me ping.
 
LVL 4

Expert Comment

by:iworks-uworks
Sun has a good suggestion. Could you also post IPCONFIG from that server?
 
LVL 1

Author Comment

by:dt3itsteam
Morning Gents!

I will give that a go, but please note:

1) I can ping the server OK, through the FW.
2) Windows FW is disabled on the DMZ server.
3) I do not have physical access to the DMZ server at the moment, which I will need to get the IPCONFIG details.

It will take a few days to get that info because of that and the fact that i have another project about to kick off.

I will post as soon as i have the info for you.

Thanks again, Gentlemen!
 
LVL 1

Author Comment

by:dt3itsteam
Right, I got access sooner than I thought.

IPconfig:

 
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HFL0066
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 00-18-8B-F9-5A-A0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8

C:\Documents and Settings\Administrator>



Also, RDP from the same subnet works 100% OK. I stuck a switch on the DMZ and connected the server and a laptop to the switch, and could RDP to the server from the laptop fine. No problems.
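The same-subnet RDP test in the comment above clears the server, which leaves the FortiGate itself. The commands below are an added example, not part of the original thread, showing the FortiOS 4.x CLI checks a practitioner would run next on the 100A to see where the internal-LAN-to-DMZ2 RDP traffic is dropped or misrouted. The server address 192.168.0.2 comes from the ipconfig above; the interface names internal, dmz2 and wan1 are assumptions based on the interfaces the thread mentions.

```text
# FortiOS 4.x CLI on the FortiGate 100A (assumed interface names: internal, dmz2, wan1)

# 1. What the unit will do with a packet for the server, and with the reply.
#    192.168.0.0/24 should appear once as a connected route on dmz2; look for any
#    second route, duplicate default route, or stale policy route that overlaps it.
get router info routing-table all
show router policy

# 2. Trace one RDP connection through the firewall. Filtering on the server
#    address and TCP/3389 keeps the output to the packets that matter.
diagnose debug reset
diagnose debug flow filter addr 192.168.0.2
diagnose debug flow filter port 3389
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 50
#    ... open an RDP session from the internal LAN now, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable

# 3. Cross-check on the wire. Verbosity 4 prints the interface with each packet,
#    so the SYN arriving on dmz2 and the SYN/ACK leaving dmz2 should both show up;
#    a SYN/ACK that leaves on a different interface is the routing problem to fix.
diagnose sniffer packet any 'host 192.168.0.2 and tcp port 3389' 4 20

# 4. Inspect the session entry the firewall built for the same flow.
diagnose sys session filter dst 192.168.0.2
diagnose sys session filter dport 3389
diagnose sys session list
```

In the flow trace, a line containing `reverse path check fail, drop` typically means the reply would leave by an interface other than the one the session came in on, which is the kind of problem a per-interface policy route corrects; a line reporting that the policy check failed (for example `iprope_in_check() check failed, drop`) means no enabled policy matched, which is the unticked-status case Sun12345 raises further down. Run the trace with the Windows firewall already off, as the author did, so the only variable left is the FortiGate.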
 
LVL 2

Expert Comment

by:Sun12345
Here is from the Fortigate admin guide:

Status Select the check box to enable a policy or deselect it to disable a policy.

If you look at the firewall policy screenshot that you posted on 11/23/10 07:18 AM, ID: 34197212, the policies for DMZ are not selected. It seems that when you do not have the check box ticked against them, their status is disabled.
Check this and let us know how it goes?
 
LVL 2

Expert Comment

by:Sun12345
dt3itsteam: Any update on this? Curious if it was only the check box missing on ACLs.
 
LVL 1

Accepted Solution

by:dt3itsteam (earned 0 total points)
Hi Sun12345,

Sorry about the delay, been out the office buried under projects!

I hear what you are saying but there are other policies in place that should cover those policies you are talking about, those were purely test policies which can be removed in fact.

Also, I have had an update from Support and they have resolved the issue! They have added in a Policy Route for that interface and now it's all working:

 Policy Route
There were some duplicates in there which we cleaned up as well, but that seems to have done the trick!

How do i assign points then?
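The thread shows the policy route that fixed it only as a screenshot. The FortiOS 4.x CLI below is an added illustration of what an equivalent setup looks like on a 100A, not the configuration Support actually applied: one accept policy from the internal LAN to DMZ2, one NAT-enabled policy from DMZ2 to WAN1 so the server can reach the internet, and a policy route that sends traffic arriving on dmz2 out through wan1. Interface names, policy IDs and the WAN1 next hop 203.0.113.1 are placeholders (the thread blanked the real external addresses); the service set on the LAN-to-DMZ2 policy is narrower than the "all services" rule the author described, for the reason given in the comments.

```text
# FortiOS 4.x CLI, illustrative equivalent of the fix described in the thread.
# Assumed names: interfaces internal / dmz2 / wan1, policy IDs 10 and 11,
# WAN1 next hop 203.0.113.1 (placeholder; the thread blanked the real addresses).

config firewall policy
    # Internal LAN -> DMZ2. The thread allowed all services; once it works, keep
    # only what the IIS host needs (RDP for admin, HTTP/HTTPS for the site, PING
    # for the reachability test the author relies on).
    edit 10
        set srcintf "internal"
        set dstintf "dmz2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RDP" "HTTP" "HTTPS" "PING"
        set status enable
    next
    # DMZ2 -> WAN1 with source NAT so the server can reach the internet, including
    # the 8.8.8.8 resolver from the ipconfig output. Widen to "ANY" only to test.
    edit 11
        set srcintf "dmz2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set status enable
    next
end

config router policy
    # Policy route: traffic from the DMZ2 subnet arriving on dmz2 is forwarded out
    # wan1 via the WAN1 gateway. Policy routes are consulted before the routing
    # table and the first match wins, so keep exactly one entry per interface
    # (the duplicates the author mentions cleaning up would otherwise shadow it).
    edit 1
        set input-device "dmz2"
        set src 192.168.0.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end
```

Two caveats worth checking before leaving this in place. First, the status check box Sun12345 pointed out maps to `set status enable` on each policy; `show firewall policy` lists every policy with its status, so the unticked ones are easy to spot from the CLI. Second, a destination of 0.0.0.0/0 catches everything the server sends on dmz2, including connections it initiates toward the internal LAN; if the server must reach internal hosts, a more specific policy route for the internal subnet that points at the internal interface should sit above this entry, and `show router policy` should be used to confirm the order after every change.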
 
LVL 1

Author Closing Comment

by:dt3itsteam
Got the solution from the 3rd party Support desk
