DMZ – with vlan 100D + 30D

05 Jan

DMZ – with vlan 100D + 30D

This post discuss how we managed to isolate each of our servers to its own network (vlan).

In this scenario, We have 2 firewalls in place for some reason.
Fortigate 30D and Fortigate 100D. All wan-side incoming traffic will be received by 30D. 30D will then send them to the servers based on the Virtual IP configuration (port forwarding).
The reply packets from servers will go out through the 100D fortigate (100D is the gateway).

  1. Create and assign vlan in switch port.
    create a vlan for each server. Then assign them to the port to which the physical servers are connected.
    on cisco:
    #Switchport mode access
    #switchport access vlan
  2. create vlan in esxi:
    open esxi server,
    select physical server and goto configurations tab,
    selct networing on left panel then click on properties
    click add, select virual machine, give a network lable and vlan ID. (network label: name for the vlan)
  3. assign the vlan to VM:
    select VM
    right clik – edit server
    select netowrk adapter
    change network label.(select the vlan label created in step 2)
  4. Open the server and make necessory changes
    Change RDP port in server.
    give ip address in the vlan range.
    set default gateway 100D
  5. open 30D and Add vlan.
    basically we need to create a vlan port and assign an ip in vlan range.
  6. OPEN 30D- create virtual IPs and group
    Policy and object
    virtual IP
    create virtual ip ( rdp,http,https )
    create virtual ip group, for example:server-vlan-group. #Change RDP port in server.
  7. create wan-incoming policy on 30D
    incoming:WAN port
    Outgoing interface: VlanInterface
    destination: server-vlan-group( virtual ip group )
    schedule: always
    action: accept
    security profile: select default.
  8. Open 100D and create vlan.
    open vdom
    network – interfaces – create new – interface
    name: vlanname
    interface: new vlan will come under this interface.
    Vlan ID: give vlan number
    vitual domain: select your vdom
    role: LAN
    IP/Network: IP address/Subnet mask for the vlan port
    administrationve access: give none.
  9. create address for vlan subnet in 100D. example: DMZ01
    or create a device-address for the server.
  10. create lan-wan policy on 100D:
    Name: give a name
    incoming int: vlan interface
    outgoing int: WAN port
    source:name of address group we created in step 9
    select security profiles.
Leave a comment

Posted by on January 5, 2021 in Fortigate


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: