Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
acvaldez
Staff
Staff

Created on ‎04-08-2022 01:26 AM Edited on ‎09-18-2025 02:01 AM By Moderator

Article Id 208780

Technical Tip: How to configure Dynamic DNS FortiGate

Description This article describes how to configure Dynamic DNS FortiGate.
Scope FortiGate.
Solution

Diagram.

 

 

acvaldez_0-1649403613656.png

 

In the FortiGate GUI, go to Network -> DNS -> Enable FortiGuard DDNS, select the interface with the dynamic connection, select the server that is linked to the account, and enter 'Unique Location'.

 

acvaldez_1-1649403613660.png

 

From CLI:

 

config system ddns

    edit 101

        set ddns-server FortiGuardDDNS

        set ddns-domain "fgtbacoor.fortiddns.com"

        set use-public-ip enable

        set monitor-interface "wan1"

    next

end

 

Try to NSLOOKUP the fgtbacoor.fortiddns.com, and it will be resolved to whatever public IP the FortiGate is getting translated into.

 

acvaldez_2-1649403613669.png

 

acvaldez_3-1649403613670.png

 

After configuring, if the DDNS is not working, take the debug commands output below and open a TAC ticket, and update the debug output for TAC investigation. 

 

diagnose debug disable
diagnose debug reset
diagnose debug app ddnscd -1

diagnose debug enable 

 

To stop the debug processes in the end, press Ctrl + C and enter 'diagnose debug disable'.

 

Note:

  • DDNS can only be configured via CLI for FortiGate VMs. Configuring DDNS via GUI is not supported for FortiGate-1000 series or higher or FortiGate-VM.
  • Configuring DDNS via GUI is not supported when the configured DNS server is not using FortiGuard Servers. FortiGate does not support DDNS when in transparent mode.
  • By default, one DDNS can be configured through the GUI. If it is necessary to configure multiple DDNS, configure them through the CLI.
  • The 'use-public-ip' option is only available when 'ddns-server' is set to 'FortiGuardDDNS'.
  • When configuring a FortiGuardDDNS domain in a High Availability (HA) cluster, the same entry is valid for both devices. When a failover event occurs, the ddnscd daemon will communicate with FortiGuard and trigger a removal request of the entry from the primary Serial Number, to the secondary (new primary) Serial Number. 
  • If it's necessary to delete a FortiGuardDDNS entry, due to a migration for a new device, raise a TAC Ticket with the Serial Number of the device that currently holds the DNS Records. This ticket will have to be created from the account that owns the FortiGate Appliance.
  • If after creating all the configurations and with a nslookup the FQDN shows the Public IP of the ISP but there is still no communication to services and also the setup of a VPN (SSL - IPSec) do not come up or using a sniffer there is no traffic catch by the FortiGate coming from the WAN (or the upstream device giving Internet), keep in mind that the Public IP is still manage by the ISP (Internet Service Provider), check if there is any block o port forwarding need it on the router managing the Public IP address in order to all the queries be properly forwarded to the FortiGate.

 

Note: It is not possible to use the same DDNS on multiple FortiGates. In this case, the device is replaced and it is necessary to use the same DDNS. Open a ticket with Fortinet Support so the TAC team can transfer the DDNS from the old device to the new device.

 

Related documents:
Labels:
70797
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.