Matt Sherif

FortiOS Feature Highlight: 3rd party Dynamic DNS

When I was out for my run this morning, I found myself thinking about how we used to do things, and how far we've come as an industry, but also how far I've come in the way I do things. One of these things was remote access to my home environment.


At the risk of sounding like that old guy - cue "back in my day, we walked to school barefoot, in the snow, uphill both ways" - when I was starting out, I always understood the value of being able to test things out "not in production". I frequently found myself trying to access my environment at home, and between trying to figure out my public IP (yeah, cloud wasn't a thing then) and my router's port forwarding settings, I normally managed. Sometimes, though, my ISP would pull the rug out: my public IP would change and I was unable to access my home for the day.


That lasted until one of my co-workers mentioned dynamic DNS. Back in those days providers were few, and no-ip and ddns.org were free-ish. My life changed then. Enough about the past; let's fast forward to today, where Dynamic DNS (DDNS) is still prevalent. In fact, many organizations pay for it to facilitate remote access to their dynamic IP sites.


Say you manage the WAN/network for a retail organization, or any organization with a number of sites that are dynamically IP'd because they don't need static IPs. From time to time, however, you'll need access via the public IP of one of those sites. Traditionally you'd need a PC at the site running some sort of DDNS update agent that would update your record accordingly. FortiGate, however, can integrate directly with a number of popular DDNS providers; in this article we'll go over how this is configured with no-ip.com.


Assumptions


As of the writing of this post, the following assumptions are being made:


  • FortiOS version: 6.4.5

  • You're using one of the following DDNS providers:

      • dyndns.org
      • dyns.net
      • tzo.com
      • vavic.com
      • dhs.org
      • dipdns.net
      • now.net.cn
      • noip.com

  • There is also a genericDDNS entry in the CLI; it's based on RFC 2136.

With that out of the way, let's get this going!


Creating a hostname on no-ip


In this case we want to create a hostname called 11321.ddns.net. On the No-IP portal, do the following:


  • Under Dynamic DNS > No-IP Hostnames > click on Create New

  • Set your settings accordingly

  • Click 'Create Hostname'

  • Note that the "last updated" field will reflect the date/time you created this entry

  • Browse to Account > Account info and make note of your username


That's all you need to create on the No-IP side.


FortiGate Configuration


For this scenario we will use the following configuration:

config system ddns
    edit 1
        set ddns-server noip.com
        set ddns-domain "11321.ddns.net"
        set ddns-username <ddns-username>
        set ddns-password <ddns-provider-password>
        set use-public-ip enable
        set ssl-certificate <your_publicly_trusted_cert>
        set monitor-interface "wan1"
    next
end

Let's take a look at some of these settings:

  • ddns-domain: required so No-IP knows which record to update; this should be the FQDN (i.e. 11321.ddns.net)

  • ddns-username: the username noted above (your value may differ depending on your provider)

  • use-public-ip: set this in the event your FortiGate is behind a NAT. The FortiGate will look up its public IP (the same lookup as diag sys waninfo ipify) and use that address to update your dynamic DNS provider. I use it out of habit.

  • ssl-certificate: it's recommended you use SSL for these transactions, hence the publicly trusted certificate

  • monitor-interface: the interface whose public IP we'll be monitoring for this record, in this case wan1

And that's really all there is to it! You can validate this by waiting a few minutes and running this command:

diag test application ddnscd 5

0, id=1, ddns entry (intf:wan1 domain:11321.ddns.net, address:x.x.x.x, use public ip), server:dynupdate.no-ip.com dynupdate.no-ip.com


You can also validate on the No-IP portal when the last checkin was, and it should be recent.
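As an added check written for this post (not FortiGate's or No-IP's code), the following Python parses the ddnscd entry line shown above and compares the address the FortiGate reports having pushed against what the hostname actually resolves to, so a stale record stands out. The regex assumes the one-line format above is stable, and the sample output with the 203.0.113.10 address is constructed.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable

# Pattern for the per-entry line printed by "diag test application ddnscd 5",
# derived from the single sample line in this post (format assumed stable).
DDNS_LINE = re.compile(
    r"id=(?P<id>\d+), ddns entry \(intf:(?P<intf>\S+) domain:(?P<domain>[^,]+), "
    r"address:(?P<address>[^,)]+)(?P<public>, use public ip)?\), server:(?P<server>\S+)"
)
@dataclass
class DdnsEntry:
    id: int
    intf: str
    domain: str
    address: str          # the address the FortiGate pushed to the provider
    use_public_ip: bool
    server: str

def parse_ddnscd(output: str) -> list[DdnsEntry]:
    """Extract every DDNS entry from ddnscd diagnostic output."""
    entries = []
    for m in (DDNS_LINE.search(line) for line in output.splitlines()):
        if m:
            entries.append(DdnsEntry(int(m["id"]), m["intf"], m["domain"].strip(),
                                     m["address"], m["public"] is not None, m["server"]))
    return entries

def resolve_a(name: str) -> set[str]:
    """Return the IPv4 A records for name via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

def check_entries(output: str, resolver: Callable[[str], set[str]] = resolve_a) -> dict[str, bool]:
    """Map each domain to True when DNS contains the pushed address; mismatch or lookup failure is False."""
    results = {}
    for e in parse_ddnscd(output):
        try:
            results[e.domain] = e.address in resolver(e.domain)
        except OSError:
            results[e.domain] = False
    return results
# Constructed sample: the post's diag line with a documentation-range address.
SAMPLE_OUTPUT = ("0, id=1, ddns entry (intf:wan1 domain:11321.ddns.net, address:203.0.113.10, "
                 "use public ip), server:dynupdate.no-ip.com dynupdate.no-ip.com\n")

if __name__ == "__main__":
    for domain, ok in check_entries(SAMPLE_OUTPUT).items():
        print(f"{domain}: {'in sync' if ok else 'STALE: DNS does not match pushed address'}")
```

Run it against the real diag output on a schedule and alert on any False; the resolver argument lets you point it at a public resolver rather than the FortiGate's own.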


And that's it! Thank you for reading, I hope this has been helpful.


