FortiGate
ighita
Description
This article describes how to keep the public IP address registered with FortiGuard DDNS up to date when an upstream router, rather than the FortiGate itself, holds the public IP. It provides sample configurations for the FortiGuard DDNS service.
Scope

FortiGate (FortiOS) updates the IP address on the FortiGuard DDNS server when it detects a change on the monitored interface, for example a new DHCP lease, a PPPoE session change, or an interface flap (link down and up again).

Consider this network diagram:

Internet === (upstream router) === [wan1](FortiGate)[internal1] === LAN

The upstream router terminates the PPPoE session and holds the public IP.

The FortiGate has a private IP on its wan1 interface, assigned by the upstream router.

DDNS configuration in this setup:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan1"
    next
end

How it works:

DDNS monitors the wan1 interface.

On an unstable ISP line the public IP on the upstream router can change, but the FortiGate is not aware of this change: the connection on the FortiGate's wan1 interface stays up and keeps the same private address, so no interface event is generated.

As a result the public IP registered in the FortiGuard DDNS service is not updated, and the DDNS hostname keeps resolving to the old address until some other event on wan1 triggers an update.


Solution
Below are solutions on how to use DDNS with this scenario:

Solution 1 (all versions)

Run a DDNS client on the upstream router with a DDNS provider it supports, instead of on the FortiGate. Instability or address changes on the ISP line are seen directly by the upstream router, so they trigger an update there.

Solution 2 (FortiOS 5.6, 6.0 and 6.2)

FortiOS 5.6 introduced the 'update-interval' option, which makes the FortiGate periodically re-register with the FortiGuard DDNS service in addition to updating on interface events. The default value is 300 seconds. Because 'use-public-ip' is enabled, the FortiGuard DDNS server records the source address it sees, which is the upstream router's current public IP, so each periodic update carries the correct address even though wan1 itself only has a private one. An address change on the upstream router is therefore corrected within one update interval at most.

Configuration with 5.6, 6.0 and 6.2 versions:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan1"
        set update-interval 300
    next
end

Solution 3 (FortiOS 5.4)

FortiOS 5.4 does not have the 'update-interval' option, but the following workaround can be used instead.

The workaround consists of three parts:

Configure a link-monitor over the wan1 interface that probes one or more servers on the Internet.

On link-monitor failure, bring another physical interface (internal1 in this example) down, and bring it back up when the link recovers, so that the ISP outage is turned into a flap of that interface.

Point the DDNS monitor at that flapped interface instead of wan1.

The final workaround configuration:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "internal1"
    next
end

config system interface
    edit wan1
        set fail-detect enable
        set fail-detect-option detectserver
        set fail-alert-interfaces "internal1"
    next
end

config system link-monitor
    edit isp
        set srcintf "wan1"
        set server "x.x.x.x" "y.y.y.y"
    next
end

How it works:

The link-monitor probes the ISP line through the wan1 interface.

When the ISP line is down, the link-monitor detects the failure and brings internal1 down (fail-alert-interfaces); when the line recovers, internal1 is brought back up. This is the flap.

The internal1 interface is the one monitored by the DDNS process.

When internal1 comes back up, the DDNS process sends an update to the FortiGuard DDNS service; with 'use-public-ip' enabled, the server records the upstream router's new public IP as the source of that update.

Note that this only helps when the public IP change coincides with an outage long enough for the link-monitor to notice. The servers x.x.x.x and y.y.y.y are placeholders and must be replaced with reachable addresses on the Internet, not on the upstream router, otherwise the probe will succeed even while the ISP line is down.
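The following Python simulation is an added example and is not part of the original article or of FortiOS. It replays a constructed timeline of public IP changes on the upstream router against the three update triggers discussed under Solution 2 and Solution 3 (interface event only, 'update-interval', and the link-monitor flap) and reports when each one would have pushed an update and for how many seconds the DDNS record was stale. The timeline, the 300-second interval, the 10-second probe interval and the rule that a single failed or successful probe flips the link-monitor state are all assumptions made for the example; the real link-monitor has configurable thresholds.

```python
"""Simulate when a FortiGate would push a FortiGuard DDNS update under the
three triggers discussed in the article. Added example, not FortiOS code."""

# Constructed timeline (RFC 5737 documentation addresses). Each entry is
# (time in seconds, public IP held by the upstream router, or None while the
# ISP line is down). The FortiGate's wan1 keeps its private lease throughout,
# so wan1 itself never generates an event after the initial link-up at t=0.
TIMELINE = [
    (0, "203.0.113.10"),     # initial PPPoE session on the upstream router
    (1000, None),            # ISP line drops, PPPoE renegotiates
    (1030, "203.0.113.20"),  # line back with a new public IP
    (2500, "203.0.113.30"),  # IP changes again without a detectable outage
]
HORIZON = 3600


def public_ip_at(t, timeline=TIMELINE):
    """Public IP the upstream router holds at second t (None during an outage)."""
    ip = None
    for when, value in timeline:
        if when <= t:
            ip = value
    return ip


def event_driven(t, actual, registered, state):
    """Default behaviour on every FortiOS version: ddnscd only reacts to a
    change on the monitored interface. wan1 only ever comes up once."""
    return t == 0


def update_interval(t, actual, registered, state, interval=300):
    """FortiOS 5.6+: interface events plus a periodic update every `interval` s
    (assumed to be exactly periodic here)."""
    return t % interval == 0


def link_monitor_flap(t, actual, registered, state, probe_interval=10):
    """FortiOS 5.4 workaround: a probe through wan1 every `probe_interval` s.
    A failed probe takes internal1 down, a successful one brings it back up,
    and that link-up is the event ddnscd reacts to. Assumption: one probe
    result is enough to flip the state."""
    if t == 0:
        state["internal1_up"] = True
        return True
    if t % probe_interval != 0:
        return False
    isp_up = actual is not None
    was_up = state["internal1_up"]
    state["internal1_up"] = isp_up
    return isp_up and not was_up  # internal1 just came back up


def run(policy, timeline=TIMELINE, horizon=HORIZON, **kw):
    """Replay the timeline second by second.

    Returns (updates, stale_seconds): the list of (t, ip) updates recorded by
    the DDNS server, and the number of seconds the record differed from the
    public IP actually in use. Outage seconds are not counted as stale."""
    registered = None
    updates = []
    stale = 0
    state = {}
    for t in range(horizon):
        actual = public_ip_at(t, timeline)
        if policy(t, actual, registered, state, **kw):
            # With 'use-public-ip enable' the server records the source address
            # it sees, i.e. the upstream router's current public IP. An update
            # attempted during an outage never reaches the server.
            if actual is not None and actual != registered:
                registered = actual
                updates.append((t, actual))
        if actual is not None and actual != registered:
            stale += 1
    return updates, stale


if __name__ == "__main__":
    for name, policy in [("interface event only", event_driven),
                         ("update-interval 300", update_interval),
                         ("link-monitor flap", link_monitor_flap)]:
        updates, stale = run(policy)
        print(f"{name:22s} updates={updates} stale_seconds={stale}")
```

Against this timeline the event-only trigger never corrects the record, the periodic update corrects both changes within one interval, and the link-monitor workaround catches the change that came with an outage but misses the silent one at t=2500. That is the practical difference between Solution 2 and Solution 3.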

