FortiGate
gmanea
Staff
Article Id 194807
Description
This article explains how to limit access to a VIP with DDNS.
Sometimes it is not convenient to provide VPN access to every user who needs to reach resources behind the FortiGate. An easy alternative is to give these users DDNS records and configure those records as the source address in the firewall policy.


Fortinet Documentation
Troubleshooting a VIP (Port Forwarding) – https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD45731

Port forwarding
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/186598/port-forwarding


Scope
The scope of this article is to help create the address objects pointing to the Dynamic A records and configure an existing firewall policy to only allow traffic from these hostnames.
Please refer to the Port Forwarding cookbook for more details on how to configure a VIP (port forwarding).

This article does not cover how to configure DDNS on the clients or how to obtain a DDNS service. Fortinet only provides DDNS to Fortinet equipment, and our DDNS service cannot be used for this.


Solution
STEP 1: Create the DDNS address objects:

config firewall address
    edit "DDNS-User1"
        set type fqdn
        set associated-interface "wan1"
        set fqdn "ddns1.notarealdomain.com"
        set cache-ttl 30
    next
    edit "DDNS-User2"
        set type fqdn
        set associated-interface "wan1"
        set fqdn "ddns2.notarealdomain.com"
        set cache-ttl 30
    next
end

In this example, the cache-ttl is set to 30 seconds to allow for quick updates of the DNS records. Please consult the DDNS provider for a suitable TTL to use.

STEP 2 (Optional): Create a firewall address group:
config firewall addrgrp
    edit "DDNS-Users"
        set member "DDNS-User1" "DDNS-User2"
    next
end
STEP 3: Add the address group or address object into the firewall policy allowing traffic to the VIP:
config firewall policy
    edit 2
        set name "VIP-firewall-policy"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "DDNS-Users"
        set dstaddr "VIP-Rule"
    next
end

Note: Set the srcaddr to the newly created address group or address object.

STEP 4: Verify the FQDN addresses.

Type the command:
# diagnose firewall fqdn list

The newly created firewall address objects should be resolved and appear in the list like this:

ddns1.notarealdomain.com: ID(49) REF(2) ADDR(20.20.20.20)
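As an added check that is not part of this article, the script below parses the output format shown above (one "hostname: ID(n) REF(n) ADDR(ip)" line per object) and compares each cached address with what DNS currently returns, so an object that is unresolved (the policy can never match) or stale (the DDNS record changed but the cache-ttl has not yet expired, so the user is dropped) is flagged before users report it. The sample output, the second hostname and the CURRENT_DNS values are constructed; several ADDR() fields per line are assumed possible.

```python
import re
import socket
from typing import Callable, Dict, Iterable, Set

# Constructed sample of "diagnose firewall fqdn list" output, modelled on the
# single line shown in this article; the second hostname is made up.
SAMPLE_OUTPUT = """List all FQDN:
ddns1.notarealdomain.com: ID(49) REF(2) ADDR(20.20.20.20)
ddns2.notarealdomain.com: ID(50) REF(2) ADDR(20.20.20.21)
"""
# Constructed "what DNS says right now": user 2 has just moved to a new IP.
CURRENT_DNS = {"ddns1.notarealdomain.com": {"20.20.20.20"},
               "ddns2.notarealdomain.com": {"198.51.100.7"}}

_ENTRY_RE = re.compile(r"^(?P<fqdn>\S+):\s+ID\((?P<id>\d+)\)\s+REF\((?P<ref>\d+)\)")
_ADDR_RE = re.compile(r"ADDR\(([0-9A-Fa-f.:]+)\)")  # several ADDR() per line assumed possible


def parse_fqdn_list(output: str) -> Dict[str, Dict]:
    """Map each listed FQDN to its object id, reference count and cached IPs."""
    entries = {}
    for line in output.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:  # skips header lines such as "List all FQDN:"
            continue
        entries[m["fqdn"]] = {"id": int(m["id"]), "ref": int(m["ref"]),
                              "addrs": set(_ADDR_RE.findall(line))}
    return entries


def live_resolve(fqdn: str) -> Set[str]:
    """Default resolver; tests inject a constructed lookup instead."""
    return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None)}


def check_ddns_objects(fqdns: Iterable[str], output: str,
                       resolve: Callable[[str], Set[str]] = live_resolve) -> Dict[str, str]:
    """unresolved: no cached IP, policy never matches; stale: cache differs from
    DNS, user is dropped until cache-ttl expires; ok: cache matches DNS."""
    cached = parse_fqdn_list(output)
    verdicts = {}
    for fqdn in fqdns:
        entry = cached.get(fqdn)
        if not entry or not entry["addrs"]:
            verdicts[fqdn] = "unresolved"
        elif entry["addrs"] != resolve(fqdn):
            verdicts[fqdn] = "stale"
        else:
            verdicts[fqdn] = "ok"
    return verdicts
```

Feed it the real output of "diagnose firewall fqdn list" and the FQDNs referenced by the policy; a "stale" verdict that persists longer than cache-ttl points at the DDNS provider's own TTL rather than the FortiGate.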
