Dynamic DNS is a practical way to keep a FortiGate firewall reachable when its public IP address changes, which is common on broadband, LTE, and many small business internet connections. Instead of tracking the WAN IP manually, FortiGate can update a hostname automatically so administrators, VPN users, or remote services can connect reliably using a domain name.

TLDR: FortiGate DDNS allows you to map a changing public IP address to a stable hostname. The setup is usually completed under the FortiGate WAN interface settings by enabling DDNS, selecting a provider, and entering the required domain and account details. After configuration, verify that the hostname resolves to the correct WAN IP and test remote access carefully. Always secure exposed services with strong authentication, trusted access rules, and appropriate firewall policies.

What FortiGate DDNS Is Used For

DDNS, or Dynamic Domain Name System, updates DNS records automatically whenever the public IP address on your FortiGate changes. This is especially useful for organizations that do not have a static IP address from their internet service provider but still need dependable remote connectivity.

Common use cases include:

  • Remote administration of a FortiGate firewall through a stable hostname.
  • SSL VPN or IPsec VPN access for users connecting from outside the office.
  • Site-to-site VPN tunnels where one side has a dynamic public IP address.
  • Remote access to internal services, when properly protected by firewall policies and security controls.

FortiGate supports its own FortiGuard DDNS service in many firmware versions, and it may also support third-party DDNS providers depending on the FortiOS version and licensing status. Before beginning, confirm the supported options in your specific FortiOS release.

Before You Start

A reliable DDNS setup depends on accurate interface and DNS behavior. Before changing settings, verify the following:

  • The FortiGate has an active internet connection.
  • The WAN interface receives a public IP address, or the upstream router forwards traffic correctly.
  • You have administrator access to the FortiGate web interface or CLI.
  • You know which hostname you want to use.
  • If using a third-party provider, you have the correct username, password, token, or update credentials.

Important: If the FortiGate WAN interface receives a private IP address, such as 192.168.x.x, 10.x.x.x, or 172.16.x.x to 172.31.x.x, then the FortiGate is behind another router or carrier-grade NAT. In that case, DDNS may still update, but remote access from the internet may fail unless the upstream device is configured properly or the ISP provides a true public IP.

Method 1: Configure DDNS from the FortiGate GUI

The graphical interface is the most straightforward method for most administrators. Menu names may vary slightly depending on FortiOS version, but the general process is consistent.

  1. Log in to the FortiGate web interface using an administrator account.
  2. Go to Network and then Interfaces.
  3. Edit the WAN interface that receives the internet connection, commonly named wan1, wan2, or a custom interface name.
  4. Locate the DDNS section.
  5. Enable DDNS.
  6. Select the DDNS provider, such as FortiGuard DDNS if available.
  7. Enter the hostname or unique domain label you want to use.
  8. If required, enter account credentials or authentication details.
  9. Apply or save the interface configuration.

After saving, the FortiGate should attempt to register or update the hostname with the selected DDNS service. If the hostname is already taken, choose another name that is unique and clearly associated with the site or organization.

Method 2: Configure DDNS from the CLI

Administrators who prefer scripted or repeatable configuration can use the FortiGate command line. The exact syntax may differ by FortiOS version and DDNS provider, so use the built-in question mark help when needed.

A typical FortiGuard DDNS style configuration may look similar to this:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "example.fortiddns.com"
        set monitor-interface "wan1"
    next
end

If your firmware configures DDNS directly under the interface, the structure may differ. You can inspect available options with:

config system ddns
    edit 1
        set ?

Use CLI configuration carefully, especially on production firewalls. A good practice is to record the current configuration before making changes and schedule work during a maintenance window if remote connectivity depends on the same WAN interface.

Verifying That DDNS Works

Once DDNS is enabled, confirm the hostname resolves to the correct public IP address. You can test from a computer outside the local network using tools such as nslookup or dig.

nslookup example.fortiddns.com

Compare the returned IP address with the public IP shown on the FortiGate WAN interface. If they match, the DDNS update is working. If they do not match immediately, wait a few minutes and test again because DNS propagation and provider update timing can vary.

You should also verify from the FortiGate itself where possible. Check system event logs for DDNS update messages, authentication failures, or network reachability issues. A successful configuration should show no repeated update errors.
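The comparison described above can be scripted. The following is an added example, not part of the original article or any Fortinet tooling: it resolves the hostname, compares the answer with the WAN IP read from the FortiGate, and flags WAN addresses that sit behind NAT, including the 100.64.0.0/10 shared range used by carrier-grade NAT. The function names and status labels are assumptions made for illustration, and the sample addresses are constructed.

```python
import ipaddress
import socket

# Ranges that are not reachable from the internet: RFC 1918 private space and
# the RFC 6598 shared space (100.64.0.0/10) that carrier-grade NAT uses.
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),
}

def classify_wan_ip(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for the FortiGate WAN address."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def resolve_a(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_ddns(hostname, wan_ip, resolver=resolve_a):
    """Compare the DDNS record with the WAN IP; resolver is injectable for tests."""
    kind = classify_wan_ip(wan_ip)
    try:
        resolved = resolver(hostname)
    except OSError:  # socket.gaierror (NXDOMAIN, no resolver) is an OSError
        return {"status": "no-resolution", "wan": kind, "resolved": []}
    if kind != "public":
        status = "wan-not-public"  # behind NAT; reachability depends on upstream
    elif wan_ip in resolved:
        status = "match"
    else:
        status = "mismatch"  # stale record or wrong monitored interface
    return {"status": status, "wan": kind, "resolved": resolved}

if __name__ == "__main__":
    # Constructed sample: hostname from the article, documentation-range
    # addresses, and a stub resolver so the run needs no network access.
    print(check_ddns("example.fortiddns.com", "203.0.113.10", lambda h: ["203.0.113.10"]))
    print(check_ddns("example.fortiddns.com", "100.64.12.5", lambda h: ["198.51.100.7"]))
```

Run it from a host outside the local network with the default resolver, so the answer reflects what remote users actually receive.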

Using DDNS for VPN Access

One of the most common reasons to configure FortiGate DDNS is VPN connectivity. For SSL VPN, users can connect to a hostname such as vpn.example.fortiddns.com instead of an IP address. For IPsec VPN, a remote peer can use the DDNS hostname as the gateway identifier when the IP address is not static.

When using DDNS with VPN, review the following:

  • Confirm the VPN listens on the correct WAN interface.
  • Use valid certificates where possible, especially for SSL VPN portals.
  • Restrict access by geography, source IP, or user group if appropriate.
  • Enable multi-factor authentication for remote users.
  • Monitor VPN logs for repeated failed login attempts.

DDNS improves reachability, not security. It makes the firewall easier to find on the internet, so exposed services must be hardened with strong policy controls.

Security Considerations

Because DDNS provides a consistent public name for your firewall, it can also make scanning and targeting easier. Treat the DDNS hostname as a sensitive operational detail and avoid exposing unnecessary management services.

Recommended security practices include:

  • Disable public administrative access unless it is absolutely required.
  • If remote administration is needed, limit it to trusted source IP addresses.
  • Use HTTPS and SSH only; avoid insecure protocols such as HTTP or Telnet.
  • Change default administrative ports only as an additional measure, not as a primary defense.
  • Use strong administrator passwords and, where supported, multi-factor authentication.
  • Keep FortiOS updated with stable security releases approved for your environment.
  • Review firewall policies to ensure DDNS does not unintentionally expose internal systems.
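Two of these practices can be checked against a configuration backup. The following is an added example, not code from the original article or from Fortinet: it reads the interface `allowaccess` list and the administrator `trusthost` entries from FortiOS configuration text and reports cleartext management protocols on the WAN interface and administrators with no source restriction. The parser, the function names and the sample configuration are constructed for illustration, and it assumes the usual config/edit/set text layout.

```python
import shlex

INSECURE = {"http", "telnet"}  # cleartext management protocols

def parse_config(text):
    """Parse top-level config/edit/set blocks into {section: {entry: {key: values}}}."""
    cfg, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text, wan_ifaces):
    """Return findings for the interfaces the DDNS hostname points at."""
    cfg, findings = parse_config(text), []
    for name in wan_ifaces:
        access = cfg.get("system interface", {}).get(name, {}).get("allowaccess", [])
        for proto in sorted(INSECURE.intersection(access)):
            findings.append(f"{name}: cleartext protocol {proto} in allowaccess")
    for admin, keys in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in keys):
            findings.append(f"{admin}: no trusthost restriction")
    return findings

SAMPLE = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
end
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end
"""  # constructed sample configuration, not from a real device
print("\n".join(audit(SAMPLE, ["wan1"])))
```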

Troubleshooting Common Problems

If the DDNS hostname does not update or remote access fails, work through the issue methodically.

  • Hostname does not resolve: Check that DDNS is enabled, the provider is reachable, and the hostname is valid.
  • Wrong IP address is returned: Confirm the monitored interface is the actual internet-facing interface.
  • Remote access still fails: Verify firewall policies, local-in policies, VPN settings, and upstream NAT.
  • Authentication errors: Re-enter provider credentials or regenerate the DDNS update token.
  • Intermittent updates: Check WAN stability, DNS server reachability, and FortiGate system logs.

If the FortiGate is behind another modem or router, place the upstream device in bridge mode if possible, or configure port forwarding to the FortiGate. In ISP carrier-grade NAT environments, inbound access may not be possible without requesting a public IP address or using an alternative remote access design.

Final Checklist

Before considering the deployment complete, confirm these items:

  • The DDNS hostname resolves to the current public WAN IP.
  • The hostname updates after a WAN IP change.
  • VPN or remote access services work from an external network.
  • Administrative access is restricted and secured.
  • Firewall logs show no recurring DDNS update failures.

FortiGate DDNS is a dependable solution for environments where static IP addressing is unavailable or unnecessary. When configured correctly, it simplifies remote connectivity and reduces administrative overhead. However, it should always be implemented with disciplined security controls, careful testing, and ongoing monitoring to ensure that convenience does not introduce avoidable risk.
