Dynamic DNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS service to ensure external users and/or customers can always connect to your company firewall.

If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To configure dynamic DNS in the web-based manager, go to System > Network > DNS, select Enable FortiGuard DDNS, and enter the relevant information for the interface communicating with the server and for the server to use.

If you do not have a FortiGuard subscription, or want to use an alternate server, you can configure dynamic DNS in the CLI using the commands below. Within the CLI you can configure a DDNS entry for each interface. Only the first configured port appears in the web-based manager. Additional commands vary with the DDNS server you select.


config system ddns
    edit <instance_value>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
    next
end
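
Because only the first configured entry appears in the web-based manager, DDNS entries added later through the CLI are easy to overlook in a review. The following Python script is an added example, not code from the original post or from Fortinet: it parses a configuration backup and lists every `config system ddns` entry, marking the ones that exist only in the CLI. The sample configuration, interface names and server values are constructed for illustration.

```python
# Constructed sample of a FortiGate configuration backup (illustrative values).
SAMPLE_CONFIG = """\
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set monitor-interface "wan1"
    next
    edit 2
        set ddns-server dyndns.org
        set monitor-interface "wan2"
    next
end
config system dns
    set primary 192.0.2.53
end
"""

def parse_ddns_entries(config_text):
    """Return [(entry_id, {setting: value})] from the 'config system ddns' block."""
    entries, current, depth, in_ddns = [], None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0 and line == "config system ddns":
                in_ddns = True
            depth += 1                      # track nesting so other blocks are ignored
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_ddns = False
        elif in_ddns and depth == 1:
            if line.startswith("edit "):
                current = (line[5:].strip().strip('"'), {})
                entries.append(current)
            elif line.startswith("set ") and current:
                parts = line.split(None, 2)
                current[1][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return entries

def audit_ddns(config_text):
    """List DDNS entries; entries after the first are not shown in the web-based manager."""
    return [{"id": entry_id,
             "interface": settings.get("monitor-interface"),
             "server": settings.get("ddns-server"),
             "cli_only": index > 0}
            for index, (entry_id, settings) in enumerate(parse_ddns_entries(config_text))]

if __name__ == "__main__":
    for finding in audit_ddns(SAMPLE_CONFIG):
        print(finding)
```
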



You can also use FortiGuard (when subscribed) as a DDNS server. To configure it, use the CLI commands:

config system fortiguard
    set ddns-server-ip <ddns_server_ip>
    set ddns-server-port <ddns_server_port>
end


This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “Dynamic DNS”

  1. akhtar ali

    Currently we are facing an issue: the head office firewall is not getting the updated IP of the fortiddns host name that is configured on the site office firewalls, which results in the VPN going down. On the sites, the Fortinet firewall is resolving the new ISP with its fortiddns host name, but the head office Fortinet firewall is unable to get the updated IP. Currently we are using 5.4.1 OS and the devices are 300D at head office and 80D at the site offices… I raised this issue with the Fortinet support team, but until now they have been unable to find a proper solution. Can anyone help me with how to handle this issue and decrease the VPN downtime?
    Note: The ISP public IP changes frequently, approximately after 12 hours.

    1. Mike Post author

      Do any of the FortiGates in question have a static IP? If so, I would make it a dial up VPN and let the others dial in to it.

  2. Ron

    Hi Mike,
    Can you advise on moving to a hybrid DNS?

    Currently, all our LAN machines receive their IP address from our Fortigate 60D (each machine is either allocated an IP address from the Fortigate DHCP, or has a static IP address set in the Fortigate).
    Our DNS records are currently managed from fortiddns.com.

    Can I create a local DNS server, that will perform name-resolution for some of our LAN machines?


    1. Mike Post author

      You can. You can run the DNS Server functionality on the FortiGate and provide local lookups for the devices within (they would have to use the FortiGate as the DNS server OR their DNS servers would have to look at the FortiGate for forwarding purposes).

      Most organizations utilize their Active Directory DNS and have a zone for the local items.

  3. rick

    If I want to use a custom DDNS server, like freedns.afraid.org, is there a chance of using some scripting to get that working? Also, since I'm behind a DHCP router providing me internet, I would need to check the external IP with some external service instead of the IP of the WAN interface.
    Any advice?

