This article describes how to configure automation stitches to update DNS records hosted in Cloudflare upon DHCP lease renewal or PPPoE (re)connection, effectively creating a dynamic DNS (DDNS) setup.
This guide applies to FortiGate devices that obtain public IP addresses from DHCP or PPPoE and to DNS zones hosted in Cloudflare. For other DDNS providers, refer to the built-in DDNS feature documentation:
At a high level, this automation stitch consists of the following steps:
Cloudflare Preparation:
Create an API token following the official guide at https://developers.cloudflare.com/fundamentals/api/get-started/create-token/
Select the following options during creation:
Save the newly generated token.
In the Overview screen of the DNS zone in the dashboard, make a note of the zone ID.
(Optional) Create the A record for the DDNS hostname if it does not exist yet. Ensure its proxy status is 'DNS only' (grey cloud). If the record is proxied, it resolves to Cloudflare's edge addresses rather than to the FortiGate's public IP, so clients would not reach the FortiGate directly.
Obtain the record ID of the hostname via Cloudflare API:
$ curl "https://api.cloudflare.com/client/v4/zones/<ZONE-ID>/dns_records?name=lab-test-ddns.<domain.com>" -H "Authorization: Bearer <API-TOKEN>"
Example response:
{"result":[{"id":"aeXXXXXXXXXXXXXXXXXXXXXXXX5a","zone_id":"XXXXXXXXXXXXXXXXXXXX","zone_name": [...]
Note down the 'id' value of the record object inside 'result' (not the 'zone_id'). This is the record ID. The same call also verifies the API token: a response with "success": false and a populated "errors" list means the token is invalid or is not scoped to this zone, while "success": true with an empty "result" means the token works but the record does not exist yet.
At this stage the following should be ready for use in the automation stitch: API token, zone ID, and record ID.
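As an added example (this script is not part of the article, of FortiOS or of Cloudflare's tooling; it only uses the public Cloudflare API), the following stand-alone Python script performs the same record lookup as the curl call above and then the A-record update that the Cloudflare webhook action will later issue, so the token, zone ID and record ID can be validated from a workstation before they are pasted into the FortiGate. It assumes the token is passed in the CLOUDFLARE_API_TOKEN environment variable and that the hostname is an A record with a 120 second TTL; the embedded lookup response is constructed for offline use and mirrors the shape of the truncated example response above.

```python
"""Stand-alone Cloudflare DDNS helper (added example, not part of the Fortinet article).

Performs the two API calls the automation stitch issues from the FortiGate: the record
lookup from the preparation steps and the A-record update done by the webhook action.
Assumptions not taken from the article: token in CLOUDFLARE_API_TOKEN, A record, 120 s TTL,
standard library only.
"""
import ipaddress
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def dns_records_url(zone_id, hostname):
    """Lookup URL, equivalent to the curl call in the preparation steps, filtered to A records."""
    query = urllib.parse.urlencode({"type": "A", "name": hostname})
    return f"{CF_API}/zones/{zone_id}/dns_records?{query}"


def record_url(zone_id, record_id):
    """URL the update webhook targets: one specific record inside the zone."""
    return f"{CF_API}/zones/{zone_id}/dns_records/{record_id}"


def extract_a_record(response, hostname):
    """Return (record_id, current_ip, proxied) for the single A record named hostname.

    Stricter than 'note down the first id': refuses ambiguous results and distinguishes a
    failed call (bad or under-scoped token) from an empty result (record not created yet).
    """
    if not response.get("success"):
        raise RuntimeError(f"Cloudflare API call failed: {response.get('errors')}")
    matches = [r for r in response["result"] if r["type"] == "A" and r["name"] == hostname]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one A record for {hostname}, found {len(matches)}")
    rec = matches[0]
    return rec["id"], rec["content"], bool(rec.get("proxied"))


def update_body(hostname, ip, ttl=120):
    """JSON body for the PATCH. Rejects anything that is not an IPv4 address so that an empty
    or malformed stitch variable cannot overwrite the record with garbage."""
    ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return {"type": "A", "name": hostname, "content": ip, "ttl": ttl, "proxied": False}


def needs_update(current_ip, new_ip):
    """Skip the write when the record already holds the address (one API call less per renewal)."""
    return current_ip != new_ip


def cf_request(method, url, token, body=None):
    """One authenticated request. Cloudflare answers 4xx with a JSON 'errors' list, so return it."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.loads(exc.read().decode() or '{"success": false, "errors": ["no body"]}')


# Constructed sample shaped like the article's truncated example response; IDs are placeholders.
SAMPLE_LOOKUP_RESPONSE = {
    "success": True, "errors": [],
    "result": [{"id": "0123456789abcdef0123456789abcdef",
                "zone_id": "fedcba9876543210fedcba9876543210",
                "zone_name": "example.com", "name": "lab-test-ddns.example.com",
                "type": "A", "content": "203.0.113.10", "proxied": False, "ttl": 120}],
}


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <ZONE-ID> <hostname> <new-ipv4>", file=sys.stderr)
        return 2
    zone_id, hostname, new_ip = argv[1:]
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    if not token:
        print("set CLOUDFLARE_API_TOKEN first (do not pass the token on the command line)", file=sys.stderr)
        return 2
    lookup = cf_request("GET", dns_records_url(zone_id, hostname), token)
    record_id, current_ip, proxied = extract_a_record(lookup, hostname)
    print(f"record id: {record_id}  current content: {current_ip}")
    if proxied:
        print("warning: record is proxied; set it to 'DNS only' or clients will not reach the FortiGate")
    if not needs_update(current_ip, new_ip):
        print("record already up to date")
        return 0
    result = cf_request("PATCH", record_url(zone_id, record_id), token, update_body(hostname, new_ip))
    if not result.get("success"):
        print(f"update failed: {result.get('errors')}", file=sys.stderr)
        return 1
    print(f"updated {hostname} -> {new_ip}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `CLOUDFLARE_API_TOKEN=... python3 cf_ddns_check.py <ZONE-ID> lab-test-ddns.<domain.com> <current-public-IP>`; the record ID it prints is the value needed for the webhook action. PATCH is used because it changes only the fields supplied; Cloudflare also accepts PUT on the same URL, which overwrites the whole record. The token should carry only DNS edit permission on this one zone, since it ends up stored in the FortiGate configuration.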
FortiGate Configuration:
Two versions of the automation stitch are provided below: For DHCP and PPPoE.
The DHCP stitch requires an intermediate action to retrieve the current IP with a FortiOS REST API call as the IP cannot be retrieved from the triggering message. The PPPoE stitch does not require this step.
DHCP Version:
Create an API admin to retrieve the current IP (a read-only access profile is sufficient, since this call only reads the interface address):
Note down the API key generated after selecting 'OK'.
Create the automation trigger:
Create the FortiOS webhook to retrieve the IP:
Create the Cloudflare API webhook:
Create the automation stitch:
A full CLI configuration snippet is attached at the end of the article.
PPPoE Version:
Create the automation trigger:
Create the Cloudflare API webhook:
Note:
The PPPoE event does not indicate which interface generated it. As a consequence, this stitch can only be used when a single PPPoE interface is in use.
Create the automation stitch:
A full CLI configuration snippet is attached at the end of the article.
Verification:
To verify the automation stitch either wait for the next natural renewal or trigger the renewal manually:
execute interface dhcpclient-renew <interface-name>
execute interface pppoe-reconnect <interface-name>
Note: A short network disruption is expected during the renegotiation.
Troubleshooting:
Enable the debug commands:
diagnose test app autod 1 <----- This command is an on/off toggle; make sure the output says 'log packet dump enabled'.
diagnose debug app autod -1
diagnose debug enable
Trigger the renewal as described in the Verification section above and look for errors in the resulting output. If curl errors are shown, review the webhook automation actions, in particular the URLs and the variables (API keys, zone ID, record ID), for misspellings.
Example debug output for successful DHCP and PPPoE stitches:
Copyright 2024 Fortinet, Inc. All Rights Reserved.