kanand
Staff
Article Id 412467
Description

This article describes how to block non-NTP traffic on FortiGate devices. It provides a step-by-step guide on configuring custom application control signatures to drop non-legitimate traffic on the NTP port.

Scope

FortiGate.

Solution

To allow only legitimate NTP (Network Time Protocol) traffic through port 123 and block everything else on that port, FortiGate firewalls can be configured with custom application signatures. The procedure below outlines the configuration steps.

  1. Create Custom Application Signatures.


On the FortiGate, navigate to Policy & Objects -> Application Control -> Application Signatures.

Create a new custom signature for TCP traffic on port 123 with the following parameters:

F-SBID( --name "Non.NTP.Custom.1"; --app_cat 12; --protocol tcp; --flow from_client; --dst_port 123; )

Repeat the process to create a second custom signature for UDP traffic on port 123 using these parameters:

F-SBID( --name "Non.NTP.Custom.2"; --app_cat 12; --protocol udp; --flow from_client; --dst_port 123; )

These signatures match client-to-server TCP and UDP traffic to port 123; together with the built-in NTP signature, which is evaluated ahead of them (see the priority step below), they identify non-NTP traffic attempting to use the NTP port.

  2. Apply the Signatures to the Application Control Profile.

In the Application Control section under Security Profiles, create an application control profile, add both custom signatures to it under Application and Filter Overrides, and set the Action to Block.

  3. Apply the Application Control Profile to a Policy.

Open Policy & Objects -> Firewall Policy and edit the policy governing NTP traffic. In the Application Control section, select the profile to which the signatures were added, and set the SSL inspection profile to deep-inspection.

  4. Adjust Signature Priority.

In the application control profile, set the priority of the custom signatures lower than the built-in NTP signature provided by FortiGuard, so that genuine NTP traffic is identified first and allowed to continue while non-NTP traffic on port 123 is blocked.

  5. Manual Deployment Note.

Because these signatures are custom, they are not distributed by FortiGuard automatically. They must be created or imported manually on each FortiGate device where the restriction is required.
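The same procedure expressed in the FortiOS CLI, added here as an example and not taken from the article; the profile name "block-non-ntp", the policy ID and the numeric application IDs in angle brackets are placeholders that must be replaced with the values shown on the device after the custom signatures are created.

```text
# Step 1: custom signatures. "set category" must match --app_cat in the signature body.
config application custom
    edit "Non.NTP.Custom.1"
        set signature "F-SBID( --name \"Non.NTP.Custom.1\"; --app_cat 12; --protocol tcp; --flow from_client; --dst_port 123; )"
        set category 12
    next
    edit "Non.NTP.Custom.2"
        set signature "F-SBID( --name \"Non.NTP.Custom.2\"; --app_cat 12; --protocol udp; --flow from_client; --dst_port 123; )"
        set category 12
    next
end

# Steps 2 and 4: application control profile. Entries are evaluated in order, so the
# entry allowing the built-in FortiGuard NTP signature is placed before the entry that
# blocks the custom signatures; otherwise genuine NTP would also be dropped.
config application list
    edit "block-non-ntp"                    # assumed profile name
        config entries
            edit 1
                set application <NTP-APP-ID>               # placeholder: built-in NTP signature ID
                set action pass
            next
            edit 2
                set application <CUSTOM-ID-1> <CUSTOM-ID-2> # placeholders: IDs assigned to the custom signatures
                set action block
            next
            edit 3
                set action pass                            # all other applications keep default handling
            next
        end
    next
end

# Step 3: attach the profile and deep inspection to the policy that carries NTP.
config firewall policy
    edit <POLICY-ID>                        # placeholder: existing policy governing NTP traffic
        set utm-status enable
        set application-list "block-non-ntp"
        set ssl-ssh-profile "deep-inspection"
    next
end
```

Step 5 still applies: this configuration has to be entered or imported on every FortiGate where the restriction is needed, since custom signatures are not pushed by FortiGuard.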
