Skip to main content
JensG
JensG
Explorer II
October 9, 2022
Question

Need advice for redirecting NTP traffic to own servers

  • October 9, 2022
  • 1 reply
  • 3657 views

Situation: a FortiGate fortiOS 7.2.2, behind that two internal NTP servers. Both need access to official NTP servers from the internet. Internal devices should use those internal NTP servers to sync time. If possible, internal devices are set up to use the internal servers. That was an easy one. But there are other devices with build in internet based NTP server addresses and which could not be changed. FortiGate is set to profile based and Central SNAT. Internal network is separated in subnets.

 

I need a way to catch all NTP (Port 123) traffic of all internal devices and redirect them transparently to my internal NTP servers. Only the two own NTP servers are allowed to access internet NTP.

 

Tried different suggested configs (e.g. VIP) but didn’t got it up and running. I would appreciate if someone could give me step by step advice to get this configured.

 

FortiGate 

#

1 reply

jintrah_FTNT
Staff
jintrah_FTNT
Staff
October 10, 2022

Hi,

 

We may redirect ntp traffic using policy routes, but then would your NTP server handle the traffic not destined to it?

 

Best regards,

Jin

JensG
JensGAuthor
Explorer II
October 28, 2022

Hi,

 

How would you do it with policy routes?

What do you mean with the NTP Server traffic not destined to it?

 

Thanks,

Jens

gfleming
Staff
gfleming
Staff
October 28, 2022

Hey Jens, I'm not sure if you can do this with policy routing alone as the destination IP does not get changed in the policy route. Policy routing can redirect the traffic but it will ultimately try and reach the internet-based server on the IP which your internal server will not be listening on.

 

You will have to employ some Destination NAT rules. You can create a catch-all rule each IP address you want to intercept traffic destined to UDP port 123 and destination NAT it to your internal server.

 

https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/510402/static-virtual-ips

Terms & ConditionsAccessibility statement