LennartElbers
Staff
March 24, 2026

Technical Tip: Configuring NTP with SHA1/SHA256 authentication on FortiGate

Description

This article describes how to configure NTP authentication on FortiGate using SHA1 and SHA256 key types in addition to the legacy MD5 option. It covers the configuration for both the global NTP settings and per-server NTP authentication, explains version-specific availability and provides troubleshooting steps.

Scope

FortiGate.

Solution

NTP authentication ensures that a FortiGate only synchronizes its clock with known and trusted NTP servers, preventing time manipulation by rogue or spoofed sources. Without authentication, an attacker could inject false time data, potentially undermining certificate validation, log correlation, and time-based security mechanisms.

 

FortiOS supports NTP authentication at two levels:

  1. Global NTP settings: Applies when the FortiGate is configured to act as an NTP server for downstream devices on the network (server-mode). The global key is used to authenticate responses from the FortiGate to NTP clients.
  2. Per-server NTP settings: Applies when configuring the FortiGate as an NTP client connecting to upstream NTP servers. Each NTP server entry can have its own authentication key.

 

Important: SHA1 and SHA256 authentication require NTPv4. If set ntpv3 enable is configured on the NTP server entry, only MD5 authentication is supported. SHA1 and SHA256 will not function with NTPv3.

 

Step 1: Configure the upstream NTP server with SHA1 authentication.

The following CLI commands configure the FortiGate to synchronize with a custom NTP server using SHA1 authentication:

 

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit 1
            set server "1.1.1.1"
            set authentication enable
            set key-type SHA1
            set key <pre-shared-key>
            set key-id 1
        next
    end
end

 

The key, key-id and key-type must match the entry for that key on the upstream NTP server. On an ntpd or chrony server this is the line with the same key number in the server's keys file (ntpd additionally needs the number listed under trustedkey).

The key-id is a numeric identifier carried in clear in the packet's MAC field so that both sides select the same shared key; the key itself is never transmitted.

 

Step 2 (optional): Configure SHA256 authentication (FortiOS v7.4.4 and later).

On FortiOS v7.4.4 and later, SHA256 is available as an additional option:

 

config system ntp
    config ntpserver
        edit 1
            set server "1.1.1.1"
            set authentication enable
            set key-type SHA256
            set key <pre-shared-key>
            set key-id 2
        next
    end
end

 

Step 3 (optional): Configure global NTP authentication for server-mode.

If the FortiGate acts as an NTP server for other devices in the network (server-mode), the global authentication settings are configured under the top-level NTP configuration:

 

config system ntp
    set server-mode enable
    set authentication enable
    set key-type SHA1
    set key <pre-shared-key>
    set key-id 1
    set interface "port2"
end

 

Downstream NTP clients connecting to the FortiGate must be configured with the same key, key-id, and key-type.

 

Verification:

After configuring NTP authentication, verify the synchronization status using the following diagnostic command:

 

diagnose system ntp status 

 

Expected output when authentication is working correctly:

 

synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(10.1.100.11) 10.1.100.11 -- reachable(0xff) S:4 T:6 selected
    server-version=4, stratum=3

 

Key indicators:

  • server-version=4 - Confirms NTPv4 is in use, which is required for SHA1 and SHA256.
  • reachable(0xff) - The NTP server is reachable and responding. A value of 0xff indicates that the last 8 NTP polls were all successful.

If the server shows reachable(0x00), authentication (or basic connectivity) is failing. If it shows server-version=3, the entry is exchanging NTPv3 packets and SHA1/SHA256 keys cannot authenticate on it. Refer to the troubleshooting section below.

 

Troubleshooting:

If NTP authentication is not working as expected, check the following:

  1. Verify key-type, key, and key-id match on both the FortiGate and the NTP server.
    From the client's point of view a mismatch fails silently: a server that rejects the MAC either drops the request or answers with a crypto-NAK (RFC 5905: a MAC field of just a 4-byte zero key-id), and the FortiGate discards any reply whose MAC does not verify without logging an explicit authentication error.
  2. Check the reachability counter.
    Run diagnose sys ntp status multiple times. The reach value is an 8-bit shift register: each poll shifts it left by one and records the newest result in the lowest bit (1 = success, 0 = failure). 0xff means the last 8 polls all succeeded, 0x00 means none of them did, and 0x03 means only the last 2 polls succeeded.
  3. Verify network connectivity to the NTP server.
    NTP uses UDP port 123. Ensure that no firewall policy or local-in policy is blocking NTP traffic. If the FortiGate has multiple WAN interfaces (for example with SD-WAN), use set source-ip or the per-server set interface-select-method option to control the outgoing interface.
  4. Use a packet capture to analyze NTP traffic.
    Run the following sniffer command and compare the output with the expected NTP server IP:

     

 

diagnose sniffer packet any 'port 123' 4 10 l 

 

When authentication is enabled, each NTP packet carries a MAC (message authentication code, not a MAC address) after the 48-byte header: a 4-byte key-id followed by the digest. An authenticated NTP payload is therefore 68 bytes with MD5 and 72 bytes with SHA1 instead of 48. If the FortiGate's key does not match, the server either drops the request or answers with a crypto-NAK, and the FortiGate discards the reply either way, so the counter stays at reachable(0x00).
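The packet layout and the silent failure described above, as an added example that is not part of this article or of Fortinet's code: a Python 3 script (standard library only) that builds an NTPv4 client request with a symmetric-key MAC, has a simulated ntpd/chrony-style server verify it and either answer with its own MAC or send a crypto-NAK, and feeds each reply into the same 8-bit reachability register that diagnose system ntp status prints. Assumptions: the packets carry no extension fields (so the MAC starts at byte 48); the digest is the plain keyed hash digest(key || header) that ntpd and chrony compute for MD5 and SHA1 keys, not HMAC; SHA256 is assumed to use the same layout with a 32-byte digest; the keys, key-ids and timestamps are constructed for the example.

```python
"""Added example (not Fortinet code): NTPv4 symmetric-key MACs and the
reachability register, modelled between an NTP client and a server."""
import hashlib
import hmac
import struct

# FortiOS 'set key-type' values -> hashlib digest names (SHA256 layout assumed).
KEY_TYPES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
HEADER_LEN = 48                      # fixed NTP header; no extension fields assumed
MODE_CLIENT, MODE_SERVER = 3, 4


def build_header(mode, version=4, stratum=0, poll=6, precision=-20, transmit_ts=0):
    """48-byte NTP header: LI/VN/mode, stratum, poll, precision, root delay,
    root dispersion, reference id, then four 64-bit timestamps (constructed)."""
    li_vn_mode = (version << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, poll, precision,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def compute_mac(key_type, key_id, key, header):
    """MAC field = 4-byte key-id || digest(key || header).
    Plain keyed digest as ntpd/chrony use for MD5 and SHA1 keys, not HMAC."""
    digest = hashlib.new(KEY_TYPES[key_type], key + header).digest()
    return struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """keys maps key-id -> (key_type, key_bytes). Returns (ok, reason)."""
    if len(packet) < HEADER_LEN + 4:
        return False, "no MAC"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id == 0 and len(mac) == 4:
        return False, "crypto-NAK"            # peer rejected our MAC
    if key_id not in keys:
        return False, "unknown key-id %d" % key_id
    key_type, key = keys[key_id]
    # constant-time compare; different digest lengths simply compare unequal
    if hmac.compare_digest(compute_mac(key_type, key_id, key, header), mac):
        return True, "ok"
    return False, "digest mismatch"


def client_request(key_type, key_id, key, transmit_ts=1):
    """Mode-3 request authenticated under the client's (FortiGate's) key."""
    header = build_header(MODE_CLIENT, transmit_ts=transmit_ts)
    return header + compute_mac(key_type, key_id, key, header)


def server_reply(request, server_keys):
    """Answer with a MAC under the same key-id, or crypto-NAK the request
    (header followed by a 4-byte zero key-id) when its MAC does not verify."""
    header = build_header(MODE_SERVER, stratum=2, transmit_ts=2)
    ok, _ = verify(request, server_keys)
    if not ok:
        return header + b"\x00\x00\x00\x00"
    key_id = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + 4])[0]
    key_type, key = server_keys[key_id]
    return header + compute_mac(key_type, key_id, key, header)


def update_reach(reach, success):
    """8-bit reachability register: shift left, newest poll result in bit 0."""
    return ((reach << 1) | int(success)) & 0xFF


def poll(client_keys, server_keys, key_id, rounds=8):
    """Run `rounds` authenticated polls; a poll succeeds only if the reply's
    MAC verifies under the client's key. Returns the final reach register."""
    key_type, key = client_keys[key_id]
    reach = 0
    for _ in range(rounds):
        reply = server_reply(client_request(key_type, key_id, key), server_keys)
        ok, _ = verify(reply, client_keys)
        reach = update_reach(reach, ok)
    return reach


if __name__ == "__main__":
    server = {1: ("SHA1", b"constructed-sha1-key")}        # constructed key
    print("matching key   -> reach 0x%02x" % poll(server, server, 1))     # 0xff
    wrong_key = {1: ("SHA1", b"wrong-key")}
    print("wrong key      -> reach 0x%02x" % poll(wrong_key, server, 1))  # 0x00
    wrong_type = {1: ("MD5", b"constructed-sha1-key")}
    print("wrong key-type -> reach 0x%02x" % poll(wrong_type, server, 1)) # 0x00
```

Running it prints reach 0xff when key, key-id and key-type agree and 0x00 when either the key or the key-type differs, which is exactly what the diagnose output shows for a misconfigured entry; the server-side rejection is visible only as a crypto-NAK, never as an error message.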

 

Behavioral notes across FortiOS versions.

  • Before v6.2.0: Only MD5 authentication is supported. The key-type option does not exist in the CLI.
  • v6.2.0 to v7.4.3: MD5 and SHA1 are supported. The key-type option accepts MD5 and SHA1 values.
  • v7.4.4 and later: MD5, SHA1, and SHA256 are supported. SHA256 provides the strongest authentication option available.

 

Important: When upgrading from a version below 6.2.0 to 6.2.0 or later, existing NTP authentication configurations using MD5 will continue to work without modification. The default key-type remains MD5 if not explicitly set. No manual migration is required.

 
