Andreas77_FTNT
Staff
September 23, 2019

Technical Tip: Configuring a FortiGate unit as a NTP server


Description


This article describes how to configure FortiGate as an NTP server.

 

Scope

 

FortiGate.

Solution

 

FortiGate can be used as an authoritative NTP source for other clients.

In this setup, 'port1' is the interface connected to the internet, and 'port2' is the LAN interface (where clients are connected).


The first step is to make sure the local time configuration is correct:

  • Configure the correct time zone.
  • Select the servers that FortiGate will use to synchronize its own time.
  • Set the sync interval.

 

  1. Standard NTP configuration:

Below is an example configuration that uses:

  • Time Zone GMT+1.
  • FortiGuard servers to synchronize (default).
  • Synchronize the time every 30 minutes.


  2. Custom NTP configuration. It is also possible to configure custom NTP servers that the FortiGate will use to synchronize its own time. This is only configurable from the CLI:

 

config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "ntpserver.local"
        next
    end
    set server-mode enable
    set interface "port2"
end

 

'ntpserver.local' has to be replaced with the correct NTP server (IP address or hostname). If a hostname is used, DNS resolution has to be working from the FortiGate.
 
  3. Quick troubleshooting

    Once this is configured, the NTP clients have to be configured with the IP address of the FortiGate port2 interface.
    The synchronization status can be verified from the FortiGate using 'diag sys ntp status'.
 
Below is an example using FortiGuard servers as NTP source:
 
#VM01_LAB # diag sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: enabled
 
ipv4 server(ntp2.fortiguard.com) 208.91.114.23 -- reachable(0xff) S:3 T:54
    server-version=4, stratum=1
    reference time is e12361d5.f27e0322 -- UTC Wed Sep 11 12:06:45 2019
    clock offset is -0.001569 sec, root delay is 0.000000 sec
    root dispersion is 0.010269 sec, peer dispersion is 19 msec
 
ipv4 server(ntp1.fortiguard.com) 208.91.115.123 -- reachable(0xff) S:3 T:54 selected
    server-version=4, stratum=1
    reference time is e12361d4.4f8b22a5 -- UTC Wed Sep 11 12:06:44 2019
    clock offset is -0.000652 sec, root delay is 0.000000 sec
    root dispersion is 0.010284 sec, peer dispersion is 8 msec
 
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0xff) S:3 T:54
    server-version=4, stratum=2
    reference time is e12361d6.4caf57ab -- UTC Wed Sep 11 12:06:46 2019
    clock offset is -0.004814 sec, root delay is 0.000137 sec
    root dispersion is 0.011154 sec, peer dispersion is 3 msec
 
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0xff) S:3 T:54
    server-version=4, stratum=2
    reference time is e123617b.c98e2059 -- UTC Wed Sep 11 12:05:15 2019
    clock offset is -0.005106 sec, root delay is 0.000122 sec
    root dispersion is 0.013382 sec, peer dispersion is 6 msec
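
A check over this output, as an added example (not Fortinet's code): the Python below parses 'diag sys ntp status' text and lists the conditions worth alerting on, since the timestamps of the FortiGate and of every client behind it depend on this sync. The function names, the 0.5 second offset threshold and the treatment of any state other than 'reachable' as unreachable are assumptions.

```python
import re
# Constructed sample: header and two server entries in the format shown on this page.
SAMPLE = """synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) 208.91.114.23 -- reachable(0xff) S:3 T:54
    server-version=4, stratum=1
    reference time is e12361d5.f27e0322 -- UTC Wed Sep 11 12:06:45 2019
    clock offset is -0.001569 sec, root delay is 0.000000 sec
    root dispersion is 0.010269 sec, peer dispersion is 19 msec

ipv4 server(ntp1.fortiguard.com) 208.91.115.123 -- reachable(0xff) S:3 T:54 selected
    server-version=4, stratum=1
    reference time is e12361d4.4f8b22a5 -- UTC Wed Sep 11 12:06:44 2019
    clock offset is -0.000652 sec, root delay is 0.000000 sec
    root dispersion is 0.010284 sec, peer dispersion is 8 msec
"""

# Assumption: any state word other than "reachable" means the server is unreachable.
SERVER = re.compile(r"ipv[46] server\((\S+?)\) (\S+) -- (\w+)\(0x[0-9a-fA-F]+\)(.*)")

def parse_status(text):
    """Return (header flags as a dict, list of per-server dicts)."""
    header, servers = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("synchronized:"):
            header = dict(kv.split(": ", 1) for kv in line.split(", "))
        elif (m := SERVER.match(line)):
            servers.append({"name": m[1], "ip": m[2], "reachable": m[3] == "reachable",
                            "selected": "selected" in m[4].split()})
        elif servers and (m := re.search(r"stratum=(\d+)", line)):
            servers[-1]["stratum"] = int(m[1])
        elif servers and (m := re.search(r"clock offset is (-?[\d.]+) sec", line)):
            servers[-1]["offset"] = float(m[1])
    return header, servers

def findings(text, max_offset=0.5):
    """List problems; max_offset (seconds) is an assumed alerting threshold."""
    header, servers = parse_status(text)
    out = []
    if header.get("synchronized") != "yes":
        out.append("FortiGate is not synchronized")
    if header.get("server-mode") != "enabled":
        out.append("server-mode is not enabled")
    sel = [s for s in servers if s["selected"]]
    if not sel:
        out.append("no upstream server is selected")
    out += [f"{s['ip']} is unreachable" for s in servers if not s["reachable"]]
    out += [f"{s['ip']} offset {s['offset']}s" for s in sel if abs(s.get("offset", 0)) > max_offset]
    return out
```

An empty list from findings() means the FortiGate is synchronized, serving NTP, and has a reachable selected upstream within the offset threshold.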
 

Note:

If users are connected via a VLAN, the VLAN interface has to be added under 'Listen on Interface'.