Administration Guide

DMZ Mode

Deploy a FortiDeceptor hardware unit or VM in the Demilitarized Zone (DMZ) to monitor attacks on the DMZ network.

DMZ mode is useful when you want to deploy decoys to a segment of the network that hosts critical services. When a threat actor attacks a server and attempts to move laterally inside the DMZ segment, the decoys detect the activity without being exposed on the Internet.

Limitations of the DMZ Mode

The DMZ Mode in FortiDeceptor functions like regular mode with the following exceptions:

  • When DMZ mode is enabled, the banner displays DMZ-MODE.
  • In Deception > Deployment Network, Deception Monitor IP/Mask is hidden. See Deployment Network.
  • In Deception > Decoy & Lure Status in the Deception Status view, the Attack Test selection is disabled.
  • Decoy VMs are limited to one deploy Interface. For information about IP address range, see Deploy Decoy VMs with the Deployment Wizard.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI:

dmz-mode -d

Enabling or disabling the DMZ mode removes all previous configurations including Decoy VMs, lures, and tokens. Deception OS is not removed.
