Do you use your DMZ Port? What services are you hosting from yours?
Super useful, late to the party, but subscribed!
"if fortinet support was good. I'd be broke"
-Fortinet Guru
:D
I thought it was clever and the wife turned it into a shirt.
Any advantage of using a FortiSwitch in the DMZ, as opposed to using another vendor's switch?
Thanks for the video, Mike! Always enjoy your content!
Other than roles limiting feature access (such as DHCP, as you mentioned in the video), what are the advantages to a DMZ port over simply putting internet facing services and/or servers in a VLAN with proper security policies to control traffic flow? Is this strictly an ease of administration feature, or are there real security advantages that can't be implemented in other ways?
A demilitarized zone is a concept. The ‘dmz’-labelled port is just a label - it can be configured to perform WAN access, as an extra LAN port or really use it as DMZ. Flagging a port with role DMZ in the FortiGate limits the functionality *from the GUI*. Everything is still CLI configurable. It may also help in traffic analysis or reporting as the logs will indicate the src and dst interface roles. Conceptually, you’re not limited to 1 DMZ. You could have tens or hundreds of DMZs if you’d like. There's nothing an interface flagged or labeled as DMZ does differently in any regard to access control - it’s all about proper policies.
I've wondered this too. I can't think of any advantages of using a "traditional" DMZ vs a VLAN with outbound ACLs.
Mostly I see DMZ being used as an extra port. Nothing wrong with that. DMZ is considered network design, and networking and security in most companies are still different islands belonging to the same country. The same I see with WAN ports, but they are very different (depending on the model). You need a hardware schematic to clarify this to customers, as most WAN ports are tied to the CPU, and not to the switch fabric. Perhaps I've just given you another topic for a video :-)
Is there any difference between using a LAN role with DHCP disabled or using DMZ?
Would a DMZ be the way to go for the phone system? That way the firewall doesn't get in the way? Or what would be the best way to connect the phone for low latency/high quality in conjunction with QoS?
I would at the very least have a segmented VLAN for it and use LLDP to place phones on said VLAN.
I'm curious what your recommendation is for DMZ policy configuration? I'm fond of SSL offloading with WAF and IPS.
As strict as possible honestly. I never let DMZ space come into the internal network. Internal can reach out to it but never the other way.
Hi Guru, I'm new. And want to learn FortiGate firewall. Please suggest video tutorial and hands-on labs. And how
Absolutely. The training is now free through December and totally worth it.
@@FortinetGuru 👍
I am new on FortiGate. I want to learn practical things.
I am a student, so don't expect 60D or 60E. I have a VM environment.
If you suggest me something, that would be good.
Thanks.
If you have a VM environment, then you can run trials from Fortinet.
GNS4, look at that if you have not done so :)
@@DawidKellerman You mean GNS3, right?
@@FortinetGuru Thanks for the reply...
I am new on FortiGate as well as security. I don't know how to build a home lab, so that's why I need some VM-based tutorials.
If you can help me, because I see some other video tutorials and they are all using a physical Fortinet device.
So if you help me, that would be great.
@@DawidKellerman Ya, I use GNS3 and EVE-NG and I manage the appliance on a VM, but I need a good video tutorial where I learn things fundamentally and practically.
Bro couldn’t decide which haircut to get so he got both
😂😂
Could you please elaborate,
How to tighten up security for web servers in the DMZ?
Apply IPS and/or WAF profiles. Ensure your policies are strict and only allow the desirable traffic to your servers in the DMZ instead of allowing ‘all’ (possibly exposing stuff like RDP and SMB).
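As an added illustration of the advice in this thread (strict DMZ policies with IPS/WAF, SSL offloading on the FortiGate, and never letting the DMZ initiate into the internal network), here is an example FortiOS CLI configuration; it is not from the video or from any commenter, uses FortiOS 6.2+ per-policy inspection-mode syntax, and the interface names `wan1`/`internal`, the object and certificate names and the IP addresses are assumed placeholders.

```fortios
# Added example, not from the video or the comments. wan1/internal, the object
# names, the certificate name and the IPs (RFC 5737 / RFC 1918) are placeholders.
config firewall vip
    edit "vip-web-https"
        set type server-load-balance
        set server-type https
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 443
        # TLS terminates on the FortiGate (SSL offload), so WAF/IPS see plaintext
        set ssl-mode half
        set ssl-certificate "web-cert"
        config realservers
            edit 1
                set ip 10.10.10.10
                set port 80
            next
        end
    next
end
config firewall policy
    # Inbound: one service only. "ALL" here would expose RDP/SMB on the host too.
    edit 0
        set name "wan-to-dmz-https"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ips-sensor "default"
        set waf-profile "default"
        set logtraffic all
    next
    # DMZ never initiates into the LAN; explicit deny so attempts are logged
    edit 0
        set name "deny-dmz-to-internal"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

An accept policy of the same shape with `srcintf "internal"` and `dstintf "dmz"`, restricted to the management services you actually need, completes the "internal can reach out, never the other way" pattern. The WAF profile option is CLI-visible regardless, but only appears in the GUI once Web Application Firewall is enabled under Feature Visibility.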
Very confusing video