Security – Fortigate Firewall – DMZ vs Interface ports

Tags: dmz, firewall, fortinet, networking, security

I'm considering buying a Fortigate 50b (or Fortigate 60b) firewall to separate my web (IIS) machine from the DB machine. (See http://www.fortinet.com/doc/FGT50_100DS.pdf)

Until now the two servers have been connected directly via a crossover cable using the second network card.

The 50b model doesn't have a DMZ port.

What does that mean?
What is the difference between a firewall DMZ port and an interface port?
Is it not possible to create rules (block/allow port-based traffic) on an interface port?

P.S:
I know that in general I should put any server connected to the WAN (internet) on a DMZ port, but on our current firewall (Fortigate 200a) any interface port can be used as a DMZ port.

Thanks.

Best Answer

A DMZ is just a network design term that means that the network is firewalled in a way that it cannot initiate traffic into a protected network. There isn't anything special about the port, or that network for that matter, although a port that's marked as DMZ from the firewall's software point of view may have a different default firewall rule applied to it.

I don't know about the 50b, but with the 60b you can unbridge all the internal ports and run different networks on each port. The firewall rules and all the other features of the FortiGate work fine between these networks. I used this approach to have multiple DMZs using a FortiGate 60b a couple of years back, so I don't see any reason that this wouldn't work.
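To make the answer concrete, here is what "unbridge the internal ports and put rules between them" looks like as a FortiOS CLI configuration. This is an added example written for this page, not configuration from the answer's author or from Fortinet documentation. Interface names (internal1, internal2), addresses (192.168.10.0/24 for the web segment, 192.168.20.0/24 for the DB segment), the service port (TCP 1433 for SQL Server) and the exact CLI keywords are assumptions; the keywords follow FortiOS 4.x/5.x syntax and may differ on the FortiOS release shipped with a 50b/60b, so check against your firmware's CLI reference.

```text
# Assumed FortiOS CLI (example for this page, not vendor documentation).
# Step 1: stop treating the internal ports as one switch so each port
# becomes its own routed interface (a "DMZ" is just such a segment
# with restrictive policies, not a special kind of port).
config system global
    set internal-switch-mode interface
end

# Step 2: give the web segment and the DB segment their own interfaces.
# No management access is enabled on the web-facing segment.
config system interface
    edit "internal1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal2"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# Step 3: name the two hosts (assumed addresses).
config firewall address
    edit "web-srv"
        set subnet 192.168.10.10 255.255.255.255
    next
    edit "db-srv"
        set subnet 192.168.20.10 255.255.255.255
    next
end

# Step 4: only the database port is allowed, not "ALL".
config firewall service custom
    edit "MSSQL"
        set tcp-portrange 1433
    next
end

# Step 5: the only permitted flow is web -> DB on TCP 1433.
# FortiOS keeps state, so the DB's replies are allowed automatically;
# the DB host still cannot open new connections towards the web segment.
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "internal2"
        set srcaddr "web-srv"
        set dstaddr "db-srv"
        set action accept
        set schedule "always"
        set service "MSSQL"
        set logtraffic all
    next
    # Explicit, logged deny from the DB segment back into the web
    # segment. FortiOS already drops unmatched traffic by default; this
    # rule exists so the drops show up in the traffic log.
    edit 2
        set srcintf "internal2"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things worth checking after applying something like this: that nothing but policy 1 exists from internal1 to internal2 (a broad "ALL/ALL accept" left over from the bridged setup would silently undo the separation), and that the web server's second NIC, which used to carry the crossover cable, now points at 192.168.10.1 as its route to the DB rather than at the DB directly. The same pattern is how the 200a lets "any interface port be used as a DMZ port": the DMZ-ness comes from the policies, not from the label on the port.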
