If your external IP address changes regularly and you want a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. You can configure FortiGuard as the DDNS server using the GUI or CLI.
A license or subscription is not required to use the DDNS service, but configuring DDNS in the GUI is not supported if:
- The FortiGate model is a 1000-series or higher.
- The FortiGate is a VM.
- The DNS server is not using FortiGuard as the DNS.
FortiGate does not support DDNS when in transparent mode.
To configure FortiGuard as the DDNS server in the GUI:
- Go to Network > DNS.
- Enable FortiGuard DDNS.
- Select the Interface with the dynamic connection.
- Select the Server that you have an account with.
- Enter your Unique Location.
- Click Apply.
To configure FortiGuard as the DDNS server in the CLI:
config system ddns
    edit <1>
        set ddns-server FortiGuardDDNS
        set ddns-domain "branch.float-zone.com"
        set monitor-interface "wan1"
    next
end
If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server for each interface. Only the first configured port appears in the GUI. The available commands vary depending on the selected DDNS server.
To configure DDNS servers other than FortiGuard in the CLI:
config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
        ...
    next
end
You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is configured.
To configure FortiGate to refresh DDNS IP addresses using the CLI:
config system ddns
    edit <1>
        set ddns-server FortiGuardDDNS
        set use-public-ip enable
        set update-interval <seconds>
    next
end
When clear-text is disabled, FortiGate uses an SSL connection to send and receive DDNS updates.
To disable cleartext and set the SSL certificate using the CLI:
config system ddns
    edit <1>
        set clear-text disable
        set ssl-certificate <cert_name>
    next
end
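One way to check saved `show full-configuration system ddns` output for entries that still allow cleartext DDNS updates. This is an added example, not Fortinet code; the sample configuration is constructed, and `parse_ddns` and `audit` are hypothetical helper names.

```python
import shlex

# Constructed sample of `show full-configuration system ddns` output.
SAMPLE = '''\
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set monitor-interface "wan1"
        set clear-text disable
        set ssl-certificate "Fortinet_Factory"
    next
    edit 2
        set ddns-server dyndns.org
        set clear-text enable
    next
end
'''

def parse_ddns(text):
    """Return {entry_id: {option: value}} from the `config system ddns` block."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ddns":
            in_block = True
        elif in_block and line:
            tokens = shlex.split(line)  # handles quoted values such as "wan1"
            if tokens[0] == "edit" and len(tokens) > 1:
                current = entries.setdefault(tokens[1], {})
            elif tokens[0] == "set" and current is not None and len(tokens) > 2:
                current[tokens[1]] = " ".join(tokens[2:])
            elif tokens[0] in ("next", "end"):
                current = None
                in_block = tokens[0] != "end"
    return entries

def audit(text):
    """Flag entries with clear-text not disabled or with no ssl-certificate set."""
    findings = []
    for entry_id, opts in parse_ddns(text).items():
        if opts.get("clear-text") != "disable":
            findings.append((entry_id, "clear-text is not disabled"))
        elif not opts.get("ssl-certificate"):
            findings.append((entry_id, "no ssl-certificate set"))
    return findings

if __name__ == "__main__":
    for entry_id, issue in audit(SAMPLE):
        print(f"ddns entry {entry_id}: {issue}")
```

The check expects full-configuration output, where every option is listed explicitly, so an entry with no `clear-text` line at all is reported rather than assumed safe.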
A DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDNS update of the A field every time even if the DHCP client does not request it. This allows support for the deny client-updates options.
To enable DDNS update override using the CLI:
config system dhcp server
    edit <0>
        set ddns-update enable
        set ddns-update-override enable
        set ddns-server-ip <ddns_server_ip>
        set ddns-zone <ddns_zone>
    next
end