FortiGate (FortiOS) updates IP address on FortiGuard DDNS server when it detects change on monitored interface, for example: new lease from DHCP, PPPoE, interface flap etc.

Consider this network diagram:

Internet === (upstream router) === [wan1](FortiGate)[internal1] === LAN

- Upstream router with PPPoE and public IP

- FortiGate with private IP at wan1 interface

DDNS configuration in this setup:

config system ddns

    edit 1

        set ddns-server FortiGuardDDNS

        set ddns-domain "fg.fortiddns.com"

        set use-public-ip enable

        set monitor-interface "wan1"

    next

end

How it works:

- DDNS monitors wan1 interface

- with unstable ISP line the public IP on upstream router can change, but FortiGate is not aware of this change -> the connection on FortiGate’s wan1 interface is stable and without any change

- so the public IP in FortiGuard DDNS service is not updated

Solution 1(All versions)

Use DDNS service on upstream router with other DDNS service provider. The instability or changes on ISP line will trigger change on upstream router.

Solution 2 (FortiOS 5.6, 6.0 and 6.2)

With FortiOS 5.6 new option ‘update-interval’ is introduced to periodically update FortiGuard DDNS service with proper IP address. By default the value is set to 300 seconds.

Configuration with 5.6, 6.0 and 6.2 versions:

config system ddns

    edit 1

        set ddns-server FortiGuardDDNS

        set ddns-domain "fg.fortiddns.com"

        set use-public-ip enable

        set monitor-interface "wan1"

        set update-interval 300

    next

end

Solution 2 (FortiOS 5.4)

FortiOS 5.4 version does not have an ‘update-interval’ option. Anyway below workaround can be used.

For workaround configure:

- link-monitor option over wan1 interface

- on link failover flap another physical interface

- the flapped interface is monitored by ddns

The final workaround configuration:

config system ddns

    edit 1

        set ddns-server FortiGuardDDNS

        set ddns-domain "fg.fortiddns.com"

        set use-public-ip enable

        set monitor-interface "internal1"

    next

end

config system interface

    edit wan1

        set fail-detect enable

        set fail-detect-option detectserver

        set fail-alert-interfaces "internal1"

    next

end

config system link-monitor

    edit isp

        set srcintf “wan1”

        set server “x.x.x.x” “y.y.y.y”

    next

end

How it works:

- link-monitor monitors ISP line over wan1 interface

- when ISP line is down, link-monitor detects the failure and flaps internal1 interface

- internal1 interface is monitored by ddns process

- when internal1 interface flaps then ddns process updates the IP address in FortiGuard DDNS service