FortiGate
sthapa
Staff
Article Id 193706

Description

This article discusses NTP in the FortiGate VDOM environment: which VDOM carries the NTP traffic, how to verify synchronization with the FortiGuard NTP servers, and what to do when the management VDOM has no Internet access.

Scope

FortiGate.

Solution

In a VDOM environment, system-originated management traffic such as NTP, DNS, SNMP and FortiGuard (license and update) queries is sourced from the management VDOM. By default the management VDOM is 'root'.

FortiOS synchronizes its clock with the global FortiGuard NTP servers 'ntp1.fortiguard.com' and 'ntp2.fortiguard.com', so the management VDOM needs a route to the Internet, and working DNS (which also leaves through the management VDOM), for NTP to work.

To verify which FortiGuard NTP server the FortiGate is currently using, log in to the CLI and run:

config global
diagnose sys ntp status

synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0xd7) S:0 T:456
        server-version=4, stratum=2
        reference time is e25a00d7.8fc275c6 -- UTC Mon May  4 02:47:51 2020
        clock offset is -0.087029 sec, root delay is 0.000092 sec
        root dispersion is 0.012268 sec, peer dispersion is 2371 msec

ipv4 server(ntp2.fortiguard.com) 208.91.114.23 -- reachable(0xff) S:0 T:27 selected         <----- NTP server currently in use by FortiOS.
        server-version=4, stratum=2
        reference time is e259fa1c.f83911d7 -- UTC Mon May  4 02:19:08 2020
        clock offset is -0.097479 sec, root delay is 0.000244 sec
        root dispersion is 0.046616 sec, peer dispersion is 2491 msec

ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0xff) S:0 T:346
        server-version=4, stratum=2
        reference time is e25a0014.934486c8 -- UTC Mon May  4 02:44:36 2020
        clock offset is -0.082452 sec, root delay is 0.000153 sec
        root dispersion is 0.013306 sec, peer dispersion is 3659 msec

ipv4 server(ntp1.fortiguard.com) 208.91.114.98 -- reachable(0xbf) S:0 T:97
        server-version=4, stratum=2
        reference time is e259ff75.db5383eb -- UTC Mon May  4 02:41:57 2020
        clock offset is -0.072992 sec, root delay is 0.000107 sec
        root dispersion is 0.012192 sec, peer dispersion is 2374 msec

In this output, 'synchronized: yes' confirms the clock is being disciplined, the entry marked 'selected' is the peer FortiOS currently takes time from, and the hexadecimal value after 'reachable' is the standard NTP eight-bit reachability register, one bit per recent poll (0xff: all of the last eight polls answered; 0xd7: two of them missed). When the management VDOM has no path to the Internet, the command reports 'synchronized: no' and the servers are not reachable; the clock then drifts, which in turn affects certificate validation, log timestamps and FortiGuard services.

If the Internet-facing interface is in a VDOM other than the management VDOM, there are two solutions:

Solution 1:
Make the Internet-facing VDOM the management VDOM, using either the GUI or the CLI.

From GUI:
Go to 'Global VDOM' -> System -> 'VDOM', select the VDOM from the list and select 'Switch Management'.

From CLI:
config global
config system global
    set management-vdom <ANOTHERVDOM>
end

Note that this moves every service sourced from the management VDOM (DNS, SNMP, FortiGuard licensing and updates), not only NTP, so the Internet-facing VDOM must be able to reach those destinations too. Re-run 'diagnose sys ntp status' afterwards to confirm 'synchronized: yes'.

Solution 2:
Keep 'root' as the management VDOM and give it Internet access through an 'inter-vdom' link to the Internet-facing VDOM: a default route in the management VDOM pointing at the link, and a firewall policy in the Internet-facing VDOM that permits NTP (and DNS) from the link out to the Internet.

Related 'inter-vdom' link:
https://cookbook.fortinet.com/inter-vdom-communication-with-static-routing-56/index.html
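The complete CLI for Solution 2, as an added example that is not part of the original article or the linked cookbook. The VDOM name 'INTERNET', its WAN interface 'wan1', the link name 'mgmt-link' and the point-to-point subnet 10.255.255.0/30 are assumptions; adapt them to the deployment.

```fortios
# Added example (not from the original article). Assumed names: Internet-facing
# VDOM 'INTERNET' with WAN interface 'wan1', inter-VDOM link 'mgmt-link',
# link subnet 10.255.255.0/30. The management VDOM is the default 'root'.

config global
    # 1. Create the inter-VDOM link. FortiOS creates the two virtual
    #    interfaces mgmt-link0 and mgmt-link1 automatically.
    #    'ethernet' type so the ends can be addressed as a normal /30.
    config system vdom-link
        edit "mgmt-link"
            set type ethernet
        next
    end
    # 2. Put one end of the link in each VDOM and address the /30.
    config system interface
        edit "mgmt-link0"
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
        next
        edit "mgmt-link1"
            set vdom "INTERNET"
            set ip 10.255.255.2 255.255.255.252
        next
    end
end

# 3. Default route for the management VDOM via its end of the link.
#    A default route is used rather than host routes to the NTP servers
#    because FortiGuard server addresses are resolved by DNS and change.
config vdom
    edit root
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.255.2
                set device "mgmt-link0"
            next
        end
    next
end

# 4. Policy in the Internet-facing VDOM. Only NTP and DNS are allowed from
#    the link and they are NATed out of wan1; the management VDOM has no
#    reason to reach the Internet on any other port, so keep it this narrow.
config vdom
    edit INTERNET
        config firewall policy
            edit 0
                set name "root-mgmt-ntp-dns-out"
                set srcintf "mgmt-link1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "NTP" "DNS"
                set nat enable
            next
        end
    next
end

# 5. Verify from the global context: expect 'synchronized: yes' and one
#    FortiGuard server marked 'selected'.
config global
    diagnose sys ntp status
end
```

DNS is included in the policy because the FortiGuard NTP server names are resolved through the system DNS, which also leaves through the management VDOM; without it the NTP servers never become reachable even though the route is correct.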