Setting up an inline DMZ

I've recently purchased several Firebox M200s. One M200 will act as an exterior bastion firewall; the internal firewall will be something else (taking into consideration a defense-in-depth strategy - never use the same firewall architectures between exterior and interior firewalls).

The configuration that I would like to create can be simply shown below:

External Internet >> External DMZ (DMZ-1) >> Internal DMZ (DMZ-2)

23.x.y.0/24 >> 10.1.y.0/24 >> 10.2.y.0/24

Servers will be like for line configuration. In other words, 23.x.y.1 will translate as 10.1.y.1 in the external DMZ, then translate to 10.2.y.1 within the internal DMZ.

Are there any examples out there that I could use to create something for this simple configuration?

Mucho appreciato (in advance).



    james.carson Moderator, WatchGuard Representative

    Hi @rsradvan210922
    I don't have any guides to show setting up a firewall behind another firewall.

    - The inside firebox will simply just see the perimeter firebox as its external interface.
    - The perimeter firebox will just see the inside firebox as a client PC.

    As long as the IP of the inside firebox is static, you can create rules on both to forward traffic in -- and out of the network.

    I would suggest potentially looking at a different model of firewall as the M200 will be going end of life at the end of the year, meaning that it will not be getting security updates or additional features beyond the end of the year. You can see more at https://www.watchguard.com/wgrd-trust-center/end-of-life-policy

    -James Carson
    WatchGuard Customer Support
