Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff & Editor
Staff & Editor

Created on ‎09-25-2025 04:09 AM Edited on ‎09-25-2025 04:11 AM By Community Manager

Article Id 412583

Technical Tip: How does 'diagnose sys waninfo ipify' command identify the WAN ip address of the FortiGate

Description This article explains the communication flow used by the FortiGate to identify the public IP.
Scope FortiGate
Solution
To get the public IP address, the FortiGate performs a series of steps:
  • DNS Resolution: The FortiGate must first successfully resolve the hostname api.ipify.org to its corresponding server IP address. This is a crucial initial step to ensure connectivity..
  • TCP and TLS Handshake: After resolving the hostname, the FortiGate initiates a TCP and TLS handshake with the resolved server IP.

 

tcptlsandhttpscommunication.png
 
HTTP Request: A GET request is then sent to the https://api.ipify.org/ server.:
 
"request": {
          "method": "GET",
          "url": "https://api.ipify.org/",
          "httpVersion": "http/2.0",
          "headers": [
            {
              "name": ":authority",
              "value": "api.ipify.org"
            },
            {
              "name": ":method",
              "value": "GET"
            },
            {
              "name": ":path",
              "value": "/"
            },
 
            {
.
.
.
.
            {
              "name": "user-agent",
              "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
            }
          ],
          "queryString": [],
          "cookies": [],
          "headersSize": -1,
          "bodySize": 0
        },
 
  • Response: In response to the request, the api.ipify.org server sends back the public IP address of the source that connected to it. The response has a status code of 200, indicating success, and the content type is text/plain. The public IP address is returned in the body of the response.
 
"response": {
          "status": 200,
          "statusText": "",
          "httpVersion": "http/2.0",
          "headers": [
            {
              "name": "cf-cache-status",
              "value": "DYNAMIC"
            },
            {
              "name": "cf-ray",
              "value": "98492fa3fc6f7937-AMD"
            },
            {
              "name": "content-encoding",
              "value": "br"
            },
            {
              "name": "content-type",
              "value": "text/plain"
            },
            {
              "name": "date",
              "value": "Thu, 25 Sep 2025 08:35:05 GMT"
            },
            {
              "name": "server",
              "value": "cloudflare"
            },
            {
              "name": "vary",
              "value": "Origin"
            }
          ],
          "cookies": [],
          "content": {
            "size": 13,
            "mimeType": "text/plain",
            "text": "X.X.X.235" <<<<< Public ip information shared by "api.ipify.org"
          },
          "redirectURL": "",
          "headersSize": -1,
          "bodySize": -1,
          "_transferSize": 143,
          "_error": null,
          "_fetchedViaServiceWorker": false
        },
176
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.