Re: Server hosting problem with Fortigate60

From: Somebody. (somebody._at_spamout.russdoucet.com)
Date: 11/07/05

Date: Mon, 7 Nov 2005 07:52:03 -0500


    <pop_alex@yahoo.com> wrote in message
    news:1131330094.379930.88080@g47g2000cwa.googlegroups.com...
    > Hi,
    > Here are my Fortigate60's policies and I would like you to check
    > and give comment whether these are ok.
    > -----------------------------------------------------------
    > a) Internal to Wan1
    >
    > Source Destination Service Action NAT
    > Internal (All) Wan1 (All) Any Accept Enable

    Fine.

    >
    >
    > b) Internal to DMZ
    >
    > Source Destination Service Action NAT
    > Internal (All) DMZ (WebServer) Any Accept Not Enable

    If it's not enabled, why do you have it? If you do this, you can't hit your
    dmz server from Internal using its 10.x address, which you may decide is
    ok.

    >
    > c) Wan1 to DMZ
    >
    > Source Destination Service Action NAT
    > Wan1 (All) DMZ (WebServer) Any Accept Enable
    >
    > -------------------------------------------------------------------------
    >
    > Virtual IP
    >
    > Name WebServer
    > Ext. Interface Wan1
    > Type Port Forwarding
    > External IP <External IP>
    > Ext. Service Port HTTP
    > Map to IP 10.10.10.1
    > Map to Port 80
    > Protocol TCP
    > -------------------------------------------------------------------------

    That looks sorta ok, assuming policy c) has your vip as the destination as
    it looks like from what you wrote. Your external port is 80 though, not
    HTTP right? Your policy c) should specify HTTP however, not Any.

    >
    >
    > Our Fortigate60 is using the latest version FortiOS 2.80 MR10 and
    > there's no such version 3.0 available for this yet. I'm using
    > Transparent Mode.

    3.0 isn't available to you, but I have it. And it's *very* cool. :-)

    But anyway MR10 is fine even though MR11 is out.

    There are still a few ways to mess this up -- putting other policies above
    c) that do the wrong thing, enabling http management on the External,
    enabling an IPS signature that triggers on your type of traffic.

    What is the IP of the DMZ interface on the firewall?

    -Russ.
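The two pitfalls Russ points out, a Wan1-to-DMZ policy that accepts "Any" service instead of just HTTP, and another policy placed above c) that takes the match first, come down to FortiGate's top-down first-match evaluation. The following is an added example, not part of the thread and not FortiOS code: a small Python model of the three policies as posted, a hardened copy of c) restricted to HTTP, and a deliberately mis-ordered table with a deny above c), plus a lint that flags both problems. The policy entries are constructed from the thread; the `Policy`, `Packet`, `first_match` and `lint` names are this example's own.

```python
"""Added example, not from the original thread: first-match model of a
FortiGate-style policy table and a small lint for the issues discussed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    service: str      # "Any" or a named service such as "HTTP"
    action: str       # "Accept" or "Deny"
    nat: bool = False


@dataclass(frozen=True)
class Packet:
    in_intf: str
    out_intf: str
    service: str      # named service the flow carries, e.g. "HTTP"


def first_match(policies, pkt):
    """Policies are evaluated top-down; the first one whose interfaces and
    service match wins. No match means the implicit deny applies (None)."""
    for p in policies:
        if (p.src_intf == pkt.in_intf and p.dst_intf == pkt.out_intf
                and p.service in ("Any", pkt.service)):
            return p
    return None


def lint(policies):
    """Return warnings for (1) inbound accept policies that allow service
    'Any' and (2) policies fully shadowed by an earlier one."""
    warnings = []
    for i, p in enumerate(policies):
        if p.src_intf == "Wan1" and p.service == "Any" and p.action == "Accept":
            warnings.append(f"{p.name}: inbound policy allows service Any; "
                            "restrict it to the published service")
        for q in policies[:i]:
            if (q.src_intf == p.src_intf and q.dst_intf == p.dst_intf
                    and q.service in ("Any", p.service)):
                warnings.append(f"{p.name}: shadowed by earlier policy {q.name}")
                break
    return warnings


# Constructed from the tables quoted in the thread (policies a, b and c).
AS_POSTED = [
    Policy("a", "Internal", "Wan1", "Any", "Accept", nat=True),
    Policy("b", "Internal", "DMZ", "Any", "Accept", nat=False),
    Policy("c", "Wan1", "DMZ", "Any", "Accept", nat=True),
]

# Same table with c) limited to HTTP, as Russ recommends.
HARDENED = AS_POSTED[:2] + [Policy("c", "Wan1", "DMZ", "HTTP", "Accept", nat=True)]

# Hypothetical mistake: a broad deny placed above c) shadows it completely.
MISORDERED = [Policy("deny-dmz", "Wan1", "DMZ", "Any", "Deny")] + HARDENED[2:]


def matched_name(policies, pkt):
    """Name of the winning policy, or 'implicit-deny' if nothing matched."""
    p = first_match(policies, pkt)
    return p.name if p else "implicit-deny"


if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("hardened", HARDENED),
                         ("misordered", MISORDERED)):
        print(f"[{label}] warnings: {lint(table)}")
        for svc in ("HTTP", "SSH"):
            print(f"  Wan1->DMZ {svc}: {matched_name(table, Packet('Wan1', 'DMZ', svc))}")
```

With the table as posted, any TCP service reaching the VIP is accepted because c) says "Any"; the hardened table lets HTTP through and drops everything else on the implicit deny. The mis-ordered table shows the other failure mode: c) is still present and correct, but it is never reached.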

