Dynamic DNS
If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS service to ensure external users and/or customers can always connect to your company firewall.
If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To configure dynamic DNS in the web-based manager, go to System > Network > DNS, select Enable FortiGuard DDNS, then choose the interface that communicates with the DDNS server, the server to use, and enter the remaining required information.
If you do not have a FortiGuard subscription, or want to use an alternate server, you can configure dynamic DNS in the CLI using the commands below. Within the CLI you can configure a DDNS entry for each interface; only the first configured port appears in the web-based manager. Additional commands vary with the DDNS server you select.
config system ddns
    edit <instance_value>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
    next
end
FortiGuard (when subscribed) can also be configured as the DDNS server from the CLI:
config system fortiguard
    set ddns-server-ip <ip_address>
    set ddns-server-port <port>
end
Currently we are facing the issue that the head office firewall is not getting the updated IP of the FortiDDNS host name that is configured at the sites' office firewall, which results in the VPN going down. On the sites, the Fortinet firewall resolves the new ISP IP with its FortiDDNS host name, but the head office Fortinet firewall is unable to get the updated IP. Currently we are using 5.4.1 OS and the devices are 300D at head office and 80D at the sites' office. I raised this issue with the Fortinet support team, but until now they have been unable to find a proper solution. Can anyone help me with how to handle this issue and decrease the VPN downtime?
Note: the ISP public IP changes frequently, approximately every 12 hours.
Do any of the FortiGates in question have a static IP? If so, I would make it a dial up VPN and let the others dial in to it.
Hi Mike,
Can you advise on moving to a hybrid DNS?
Currently, all our LAN machines receive their IP address from our Fortigate 60D (each machine is either allocated an IP address from the Fortigate DHCP, or has a static IP address set in the Fortigate).
Our DNS records are currently managed from fortiddns.com.
Can I create a local DNS server, that will perform name-resolution for some of our LAN machines?
Thanks,
Ron.
You can. You can run the DNS Server functionality on the FortiGate and provide local lookups for the devices within (they would have to use the FortiGate as the DNS server OR their DNS servers would have to look at the FortiGate for forwarding purposes).
Most organizations utilize their Active Directory DNS and have a zone for the local items.
If I want to use a custom DDNS server, like freedns.afraid.org, is there a chance of using some scripting to get that working? Also, since I'm behind a DHCP router providing me internet, I would need to check the external IP with some external service instead of the IP of the WAN interface.
Any advice?
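The scripted approach asked about in the last comment, written out as an added example (this is not code from the original post, from Fortinet, or from any DDNS provider): discover the public address through an external "what is my IP" service, compare it with what is currently published in DNS for the host name, and send an update only when the two differ, with basic rate limiting so a flapping link does not hammer the provider. The ipify URL and the `{ip}` placeholder style of the update URL are assumptions; freedns.afraid.org and other providers each document their own update URL, and no provider-specific API is reproduced here. All network calls are injected so the decision logic can be exercised offline.

```python
"""Generic DDNS update client for a host behind a NAT router (added example)."""
import ipaddress
import socket
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.request import Request, urlopen

# RFC 1918 ranges: if the "public IP" service answers with one of these, the
# answer is wrong (or we are not actually reaching the Internet), so refuse it.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DdnsState:
    last_ip: Optional[str] = None
    last_update: float = 0.0      # epoch seconds of the last successful update
    min_interval: float = 300.0   # minimum seconds between two update calls


def parse_public_ip(body: str) -> str:
    """Validate the text returned by an external IP service; reject anything
    that is not a routable unicast address (raises ValueError otherwise)."""
    addr = ipaddress.ip_address(body.strip())
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"not a usable public address: {addr}")
    if isinstance(addr, ipaddress.IPv4Address) and any(addr in n for n in _RFC1918):
        raise ValueError(f"private address returned instead of public IP: {addr}")
    return str(addr)


def fetch_public_ip(url: str = "https://api.ipify.org") -> str:
    """Ask an external service for our public IP (ipify is an assumed choice)."""
    req = Request(url, headers={"User-Agent": "ddns-example"})
    with urlopen(req, timeout=10) as resp:
        return parse_public_ip(resp.read().decode("ascii", "replace"))


def resolve_published(hostname: str) -> Optional[str]:
    """What DNS currently says for the host name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def http_get_updater(url_template: str) -> Callable[[str, str], bool]:
    """Build an updater for providers whose API is a plain HTTPS GET.
    url_template is provider-specific (assumption: it contains an {ip} and
    optionally a {host} placeholder). Returns True on an HTTP 2xx reply."""
    def send(hostname: str, ip: str) -> bool:
        req = Request(url_template.format(ip=ip, host=hostname),
                      headers={"User-Agent": "ddns-example"})
        try:
            with urlopen(req, timeout=10) as resp:
                return 200 <= resp.status < 300
        except (OSError, ValueError):   # HTTPError/URLError are OSError subclasses
            return False
    return send


def run_once(hostname: str, state: DdnsState,
             get_public_ip: Callable[[], str],
             get_published: Callable[[str], Optional[str]],
             send_update: Callable[[str, str], bool],
             now: Optional[float] = None) -> str:
    """One poll cycle. Returns one of: unchanged, rate-limited, update-failed, updated."""
    now = time.time() if now is None else now
    current = get_public_ip()
    published = get_published(hostname)
    if published == current:
        state.last_ip = current          # DNS already correct, nothing to send
        return "unchanged"
    if now - state.last_update < state.min_interval:
        return "rate-limited"            # changed, but too soon after the last push
    if not send_update(hostname, current):
        return "update-failed"
    state.last_ip = current
    state.last_update = now
    return "updated"


if __name__ == "__main__":
    # Usage sketch with real network calls; HOSTNAME and UPDATE_URL are placeholders.
    HOSTNAME = "vpn.example.net"
    UPDATE_URL = "https://ddns.example.invalid/update?host={host}&ip={ip}"
    st = DdnsState()
    print(run_once(HOSTNAME, st, fetch_public_ip, resolve_published, http_get_updater(UPDATE_URL)))
```

Run it from cron or a systemd timer on a LAN host at an interval shorter than the DDNS record's TTL; because `run_once` consults the published record rather than a locally cached address, it also self-heals if the provider dropped or reset the record. The VPN peer side still depends on how often the remote firewall re-resolves the name, which is a separate concern from keeping the record current.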