Enhance security by limiting internet access from the DMZ zone to only web services (HTTP/HTTPS). This is a common security policy to restrict DMZ servers from accessing unnecessary services.
From GUI:
1. Navigate to Policy & Objects > Firewall Policy
2. Locate and select DMZ-to-Untrust policy.
3. Click on Delete
Note: The existing policy is deleted because it allows all services; it will be replaced by a more granular policy that permits only web traffic.
From GUI:
1. Go to Policy & Objects > Firewall Policy
2. Click Create New
● Name: DMZ-Web-Only
● Incoming Interface: DMZ-Zone (port3)
● Outgoing Interface: Untrust-Zone (port1)
● Source: DMZ-Subnet
● Destination: all
● Schedule: always
● Service: Click on the dropdown and select HTTP and HTTPS
● Action: ACCEPT
● NAT: Enable NAT (use outgoing interface address)
● Log Allowed Traffic: All Sessions
3. Click OK
From CLI:
config firewall policy
    edit 3
        set name "DMZ-Web-Only"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "DMZ-Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
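The CLI block above is also what you would pull from a configuration backup when auditing the firewall later. The following script is an added example, not part of the original lab or Fortinet's tooling: it parses a "config firewall policy" block in FortiOS CLI syntax and flags any accept rule from the DMZ interface to the untrusted interface that permits services other than HTTP/HTTPS, does not enable NAT, or does not log all sessions. The sample configuration is constructed for the example; policy 2 stands in for the permissive DMZ-to-Untrust rule deleted earlier (its exact attributes are assumed), and the interface names port3/port1 are taken from the lab.

```python
"""Audit a FortiOS 'config firewall policy' block for DMZ-to-Internet rules.

Added example (not Fortinet code): parse the CLI configuration text and
check that every accept policy from the DMZ interface to the untrusted
interface allows only HTTP/HTTPS, enables NAT and logs all sessions.
"""
import shlex

# Constructed sample: policy 2 mimics the old permissive rule the lab deletes
# (attributes assumed), policy 3 is the DMZ-Web-Only rule from the CLI section.
SAMPLE_CONFIG = """\
config firewall policy
    edit 2
        set name "DMZ-to-Untrust"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "DMZ-Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set name "DMZ-Web-Only"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "DMZ-Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
"""

ALLOWED_SERVICES = {"HTTP", "HTTPS"}


def parse_firewall_policies(config_text):
    """Return {policy_id: {attribute: [values]}} for the firewall policy table.

    shlex handles the quoting, so 'set service "HTTP" "HTTPS"' becomes the list
    ["HTTP", "HTTPS"]. Sub-tables nested inside an entry are skipped; other
    top-level tables in the file are ignored.
    """
    policies = {}
    in_policy_table = False
    nested_depth = 0
    current_id = None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if not in_policy_table:
            in_policy_table = tokens[:3] == ["config", "firewall", "policy"]
            continue
        if nested_depth:
            # Inside a nested 'config ... end' block of an entry: skip it.
            if tokens[0] == "config":
                nested_depth += 1
            elif tokens[0] == "end":
                nested_depth -= 1
            continue
        if tokens[0] == "config":
            nested_depth = 1
        elif tokens[0] == "edit":
            current_id = int(tokens[1])
            policies[current_id] = {}
        elif tokens[0] == "set" and current_id is not None:
            policies[current_id][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current_id = None
        elif tokens[0] == "end":
            in_policy_table = False
    return policies


def audit_dmz_internet_policies(policies, dmz_intf="port3", untrust_intf="port1"):
    """Return [(policy_id, finding)] for accept rules from DMZ to untrust."""
    findings = []
    for pid, attrs in sorted(policies.items()):
        if dmz_intf not in attrs.get("srcintf", []):
            continue
        if untrust_intf not in attrs.get("dstintf", []):
            continue
        if attrs.get("action") != ["accept"]:
            continue  # deny rules cannot widen DMZ internet access
        extra = set(attrs.get("service", [])) - ALLOWED_SERVICES
        if extra:
            findings.append((pid, "services beyond HTTP/HTTPS: " + ", ".join(sorted(extra))))
        if attrs.get("nat") != ["enable"]:
            findings.append((pid, "NAT not enabled"))
        if attrs.get("logtraffic") != ["all"]:
            findings.append((pid, "logtraffic is not 'all'"))
    return findings


if __name__ == "__main__":
    pols = parse_firewall_policies(SAMPLE_CONFIG)
    for pid, msg in audit_dmz_internet_policies(pols):
        print(f"policy {pid} ({pols[pid].get('name', ['?'])[0]}): {msg}")
```

Run against the sample, the audit reports policy 2 twice (service ALL and missing logtraffic all) and policy 3 not at all, which is the state the lab aims for. To audit a real unit, replace SAMPLE_CONFIG with the text of "show firewall policy" and adjust the interface names if the zones map to different ports.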
On DMZ Server:
Try ping 8.8.8.8 or telnet 8.8.8.8 53 → ❌ both should fail (non-HTTP/HTTPS traffic is blocked)
On Fortinet:
Check Log & Report > Forward Traffic
Only HTTP/HTTPS sessions should be allowed.
All other services should be blocked or show no hits.
Note: The DMZ server is CLI only, so HTTP/HTTPS cannot be tested from this server.