
I'm considering buying a Fortigate 50b (or Fortigate 60b) firewall to separate my web (IIS) machine from the DB machine. (See http://www.fortinet.com/doc/FGT50_100DS.pdf)

Till now the two servers were connected directly via a crossover cable using the 2nd network card.

The 50b model doesn't have a DMZ port.

What does that mean? What is the difference between a firewall DMZ port and an interface port? Is it not possible to create rules (block/allow port-based traffic) on an interface port?

P.S.: I know that in general I should put any server connected to the WAN (internet) on a DMZ port, but on our current firewall (Fortigate 200a), any interface port can be used as a DMZ port.

Thanks.

RuSh

2 Answers


A DMZ is just a network design term that means that the network is firewalled in a way that it cannot initiate traffic into a protected network. There isn't anything special about the port, or that network for that matter, although a port that's marked as DMZ from the firewall's software point of view may have a different default firewall rule applied to it.

I don't know about the 50b, but with the 60b you can unbridge all the internal ports and run different networks on each port. The firewall rules and all the other features of the FortiGate work fine between these networks. I used this approach to have multiple DMZs using a FortiGate 60b a couple of years back, so I don't see any reason that this wouldn't work.

3dinfluence
  • Thanks for the answers. So based on this, do you have any idea why Fortinet and other firewall manufacturers so strongly point out the number of DMZ ports vs. interface ports? – RuSh Mar 01 '12 at 15:32
  • It's more of a marketing thing than anything else, I would imagine. I can't possibly know all firewalls out there, so maybe there are some for which the distinction is important. But if the product has a flexible design it would really only be important if you can't, or don't want to, use VLANs to turn the ports available into the networks that you need, or can't unbridge the internal ports to get the networks you need. It's also possible that you can't bridge the designated DMZ port with other ports, so you won't be able to use it as an internal network port, depending on how flexible it is. – 3dinfluence Mar 01 '12 at 15:49

Perfectly right. I have a 50B here and I have a DMZ. Just use any interface port and configure it with firewall rules from the command line. Use the concept like an alias in the old-school firewall with one interface: just define where you want the interesting traffic to go or not to go and you are done.

For the DMZ, do not allow it to go to your inside network and allow it to go to your WAN interface. Otherwise you can limit it by choosing only HTTP, HTTPS and DNS.

don