FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article describes how to troubleshoot DDNS issues when a private IP address is configured on the FortiGate WAN interface.
Scope FortiGate.

Two issues:


1) The DDNS domain is updated to the private IP instead of the public IP address.


2) It is not possible to access the firewall with the DDNS domain name.


DDNS domain updating to private IP:


To see how DDNS works with FortiGate, go to Network -> DDNS, enable DDNS, select an interface, and define the domain.

The FortiGate takes the IP address of the selected interface and updates the DNS record with the domain and that IP address.


If the ISP assigns a private IP address to that interface, the domain is mapped to the private address, and a private IP address cannot be routed over the Internet.

Users will therefore not be able to access the firewall with this domain name.


In order to avoid this scenario, it is necessary to enable the 'use-public-ip' option as shown below:


# config system ddns
    edit <id>                    (ID of the DDNS entry)
        set use-public-ip enable
    next
end



When 'use-public-ip' is enabled, the FortiGate determines the first public IP address on its path toward the ISP (the address its traffic appears from on the Internet) and maps that address to the DDNS domain in question, instead of the private interface address.


It is not possible to access the firewall with the DDNS domain name:


Now suppose the domain no longer points to the IP address of the firewall interface but to the public IP address of the firewall's upstream router (the case where the firewall interface itself holds a private IP address).

In such a scenario, it is necessary to configure port forwarding on the upstream router so that the required traffic is forwarded to the firewall.


Packet flow:


The packet flow is as follows.

On the user machine, the firewall is accessed with the DDNS domain name. The domain resolves to the IP address of the upstream router, and the firewall sits behind that router.

Therefore, port forwarding must be configured on the upstream router for the traffic to reach the firewall.
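The following is an added diagnostic example, not code from the Fortinet article. Given the WAN interface address and the address the DDNS name currently resolves to (both constructed sample values here, standing in for the FortiGate interface output and an nslookup of the domain), it tells the two symptoms above apart: a record stuck on a private address (fix: use-public-ip) versus a correct public record behind an upstream NAT router (fix: port forwarding). It treats carrier-grade NAT space (100.64.0.0/10) as non-routable as well, since ISPs often hand that out on WAN interfaces.

```python
"""Classify a FortiGate DDNS problem from the WAN IP and the resolved DDNS IP.

Added example; it does not talk to a FortiGate. Inputs are constructed.
"""
import ipaddress

# RFC 1918 ranges plus carrier-grade NAT space (RFC 6598): none of these
# can be reached from the public Internet, so a DDNS record carrying one
# is useless to remote users.
_NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_internet_routable(ip: str) -> bool:
    """True if the address could be reached from the public Internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _NON_ROUTABLE)


def diagnose(wan_ip: str, ddns_ip: str) -> str:
    """Return a short verdict for the WAN address / DDNS record pair."""
    wan_routable = is_internet_routable(wan_ip)
    if not is_internet_routable(ddns_ip):
        # Symptom 1: the record holds the private WAN address itself.
        return "record-is-private: enable use-public-ip under config system ddns"
    if wan_routable and ddns_ip == wan_ip:
        return "ok: record matches the public WAN address"
    if not wan_routable:
        # Symptom 2: record is the upstream router's public address while the
        # FortiGate sits behind it on a private WAN address.
        return "behind-nat: forward the needed ports on the upstream router to " + wan_ip
    # Public WAN address but the record points elsewhere: stale or wrong update.
    return "mismatch: record does not match the WAN address, check the DDNS update"


if __name__ == "__main__":
    # Constructed sample pairs covering each verdict.
    for wan, rec in [("192.168.1.10", "192.168.1.10"),
                     ("100.64.5.7", "203.0.113.10"),
                     ("203.0.113.10", "203.0.113.10")]:
        print(f"{wan:>15} -> {rec:<15} {diagnose(wan, rec)}")
```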