ppatel
Staff & Editor
Article Id 193406

Description

 

This article describes how to use the DDNS service and how to enable FortiGuard DDNS servers when the following error message appears in the GUI:

 

Scope

 

FortiGate.


Solution

 

  1. If there is a PPPoE or DHCP connection on the WAN port, make sure overriding internal DNS is disabled:
  • From the GUI, go to Network -> Interfaces, edit WAN, and deselect Override internal DNS.
  • From the CLI/SSH:

 

config system interface

    edit wan1
        set dns-server-override disable
end

 

  2. Manually configure the DDNS server via CLI/SSH:

 

config system fortiguard

    set ddns-server-ip 173.243.138.225
end

 

  3. Change the protocol to UDP and disable FortiGuard anycast (for version 6.4.2):

 

config system fortiguard

    set fortiguard-anycast disable
    set protocol udp
end

 

  4. If the issue occurs with FortiDDNS in FortiOS 7.0, make the changes below:

    config system fortiguard

        set fortiguard-anycast disable
        set ddns-server-ip 173.243.138.225
    end

 

  5. FortiGate should now be able to reach FortiGuard services. Verify by pinging the following domains:

     

     

execute ping service.fortiguard.net
execute ping update.fortiguard.net
execute ping guard.fortinet.net
execute ping securewf.fortiguard.net (HTTPS)

 

The issue is caused by a TLSv1.3 handshake failure and is resolved once the above changes are made.

 

Note

If the FortiGate is running multiple VDOMs, configure the settings below for the FortiGuard server:

 

config system fortiguard
    set fortiguard-anycast enable
    set ddns-server-ip 173.243.138.225
end

 

Additional context information:

  • About DDNS default service: Currently, there are two FQDNs for DDNS service.
  • When anycast is disabled, FQDN 'ddns.fortinet.net' (resolved to 173.243.138.226) will be used. When anycast is enabled, FQDN 'globalddns.fortinet.net' (resolved to 173.243.138.225) will be used.
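To confirm that a unit actually carries the settings from the steps and the multi-VDOM note above, a configuration backup can be audited offline. The following is an added example, not Fortinet code: the function names, the `wan1` interface name, and the assumption that options missing from a backup are at their default of `enable` are all assumptions of the example.

```python
# Value taken from the article; everything else is an assumption of this example.
DDNS_IP = "173.243.138.225"

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        tok = raw.split() or [""]  # blank lines match no keyword below
        cur = stack[-1][1]
        if tok[0] == "config" and len(tok) > 1:
            stack.append(("config", cur.setdefault(" ".join(tok[1:]), {})))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(("edit", cur.setdefault(tok[1].strip('"'), {})))
        elif tok[0] == "set" and len(tok) > 2:
            cur[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            # 'end' right after 'edit' (as in step 1) closes the entry and its table.
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def audit(text, wan="wan1", anycast="disable", protocol=None):
    """Return findings; anycast='enable' for the multi-VDOM note, protocol='udp' for 6.4.2."""
    cfg = parse_fortios(text)
    iface = cfg.get("system interface", {}).get(wan, {})
    fg = cfg.get("system fortiguard", {})
    findings = []
    # Assumption: unset options are omitted from a backup and default to 'enable'.
    if iface.get("mode") in ("dhcp", "pppoe") and iface.get("dns-server-override", "enable") != "disable":
        findings.append(f"{wan}: dns-server-override not disabled")
    if fg.get("ddns-server-ip") != DDNS_IP:
        findings.append(f"ddns-server-ip is {fg.get('ddns-server-ip')}, expected {DDNS_IP}")
    if fg.get("fortiguard-anycast", "enable") != anycast:
        findings.append(f"fortiguard-anycast should be {anycast}")
    if protocol and fg.get("protocol") != protocol:
        findings.append(f"protocol should be {protocol}")
    return findings

# Constructed sample backup fragment (not from a real device).
SAMPLE = ('config system interface\n edit "wan1"\n  set mode pppoe\n next\nend\n'
          'config system fortiguard\n set fortiguard-anycast disable\nend\n')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, protocol="udp")))
```

An empty result means the backup matches the article's settings for the chosen variant.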

 

Related Articles:

Technical Tip: How to update IP address with FortiGuard DDNS service and upstream router

Troubleshooting Tip: FortiGuard DDNS IP update fails