In practice, NTP clients will be devices from different vendors, such as PCs, IP phones, etc.
It is not possible to cover how to set up the NTP client for each of these vendors. Hence in this article, two FortiGates have been used: one as an NTP server and the other as an NTP client.
Configure NTP server:
In this setup, the Google NTP time server will be used as the main NTP source:
config system ntp
    set ntpsync enable
    set type custom <----- If an external time source other than the FortiGuard servers is used, set the type to custom.
    set syncinterval 1 <----- Interval at which the FortiGate contacts the NTP time server to sync (in this example, 1 minute).
    config ntpserver
        edit 1
            set server "time1.google.com" <----- Google time server FQDN.
            set ntpv3 disable
            set authentication disable
            set interface-select-method auto
        next
    end
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode enable
    set authentication disable
    set interface "port2" <----- Downstream listening port for NTP client devices.
end
From the GUI, set this under System -> Settings, as in the screenshot below. User settings have to be done from the CLI:

Sending the NTP information to downstream devices:
DHCP is used to send the NTP information to the downstream client devices.
config system dhcp server
    edit 1
        set lease-time 300
        set dns-service default
        set ntp-service local <----- Set the NTP service to local.
        set default-gateway 10.55.0.45
        set netmask 255.255.240.0
        set interface "port2" <----- Interface to which the downstream devices are connected.
        config ip-range
            edit 1
                set start-ip 10.55.11.2
                set end-ip 10.55.11.254
            next
        end
        config options
            edit 1
                set code 4
                set type ip
                set ip "10.55.0.45" <----- IP of the interface facing the downstream devices, so that it provides the NTP information.
            next
        end
    next
end
It is also possible to do this from the GUI: under Network -> Interface, select the relevant port, enable the DHCP server, and go to Advanced.

Configuring the NTP client.
As mentioned previously, another FortiGate will be used as the NTP client. In practice, it will be some other device such as a PC, IP phone, etc.
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit 1
            set server "10.55.0.45"
        next
    end
end
Below is from the GUI:

On the client device, it is necessary to enable DHCP on the interface so that it receives its IP address along with the NTP information.
Note:
To check if the NTP is taken from the correct source, use the below command:
On the client:
dia sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled <----- Time is synced with the server.
ipv4 server(10.55.0.45) 10.55.0.45 -- reachable(0xff) S:1 T:5 selected <----- The NTP time is taken from the upstream device interface IP.
    server-version=4, stratum=2 <----- Stratum level is 2.
    reference time is e98fb9b4.cce220ca -- UTC Mon Mar 4 03:08:36 2024 <----- Current time in UTC.
    clock offset is -0.000023 sec, root delay is 0.164825 sec
    root dispersion is 0.000122 sec, peer dispersion is 0 msec
On the server:
dia sy ntp status
synchronized: yes, ntpsync: enabled, server-mode: enabled <----- Time is synced with the server, and server mode is enabled.
ipv4 server(time1.google.com) 216.239.35.0 -- reachable(0xc3) S:2 T:6 selected <----- NTP time is taken from the Google time server.
    server-version=4, stratum=1 <----- Stratum level is 1.
    reference time is e98fbaa7.95485235 -- UTC Mon Mar 4 03:12:39 2024 <----- Current time in UTC.
    clock offset is -0.000043 sec, root delay is 0.000000 sec
    root dispersion is 0.000092 sec, peer dispersion is 0 msec
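The check in this note can be automated when many clients have to be verified. The following is an added example, not part of the original article or of any Fortinet tooling: it parses saved NTP status output and reports why a device is not syncing from the expected source. The function names and the 0.5 sec offset tolerance are assumptions; the sample text is constructed from the client output above.

```python
import re

# Constructed sample: the client-side status output from this article, annotations removed.
SAMPLE_CLIENT = """\
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(10.55.0.45) 10.55.0.45 -- reachable(0xff) S:1 T:5 selected
    server-version=4, stratum=2
    reference time is e98fb9b4.cce220ca -- UTC Mon Mar 4 03:08:36 2024
    clock offset is -0.000023 sec, root delay is 0.164825 sec
    root dispersion is 0.000122 sec, peer dispersion is 0 msec
"""
SERVER_RE = re.compile(r"^ipv[46] server\((?P<name>[^)]+)\)\s+(?P<ip>\S+)\s+--\s+(?P<state>.*)$")

def parse_ntp_status(text):
    """Return the global sync flag and one dict per server entry in the output."""
    status = {"synchronized": False, "servers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("<-----")[0].strip()  # drop article-style annotations
        if (m := re.search(r"\bsynchronized:\s*(\w+)", line)):
            status["synchronized"] = m[1] == "yes"
        elif (m := SERVER_RE.match(line)):
            tokens = m["state"].split()
            current = {"name": m["name"], "ip": m["ip"],
                       "reachable": bool(tokens) and tokens[0].startswith("reachable"),
                       "selected": "selected" in tokens}
            status["servers"].append(current)
        elif current is not None:  # indented detail lines belong to the last server
            if (m := re.search(r"stratum=(\d+)", line)):
                current["stratum"] = int(m[1])
            if (m := re.search(r"clock offset is (-?\d+\.\d+) sec", line)):
                current["offset"] = float(m[1])
    return status

def check_ntp(text, expected_server, max_offset=0.5):
    """List the reasons the device is not syncing from expected_server (empty list = OK)."""
    st = parse_ntp_status(text)
    problems = [] if st["synchronized"] else ["device reports it is not synchronized"]
    selected = [s for s in st["servers"] if s["selected"]]
    if not selected:
        problems.append("no server is selected")
    for s in selected:
        if expected_server not in (s["name"], s["ip"]):
            problems.append(f"time is taken from unexpected source {s['name']} ({s['ip']})")
        if not s["reachable"]:
            problems.append(f"{s['name']} is not reachable")
        if abs(s.get("offset", 0.0)) > max_offset:
            problems.append(f"clock offset {s['offset']} sec exceeds {max_offset} sec")
    return problems
```

An empty list from `check_ntp(output, "10.55.0.45")` means the client is synchronized to the FortiGate acting as NTP server; any other result names the source actually in use or the reason sync failed.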
The time shown on each device depends on the time zone selected on that device, as shown below:
On the client:
execute time
current time is: 14:22:18
last ntp sync:Mon Mar 4 14:21:46 2024

On the server:
execute time
current time is: 08:54:48
last ntp sync:Mon Mar 4 08:54:26 2024

Troubleshooting Tips:
- If there are some issues, it is possible to clear the DHCP lease from the server side using the below command:
execute dhcp lease-list <----- Or can use a specific interface.
execute dhcp lease-clear all <----- Or can use the specific IP.
- When using a third-party device, it is necessary to configure the NTP server setting on that device so that it takes its NTP server from the FortiGate.
- Other relevant articles or troubleshooting:
Technical Tip: Troubleshoot NTP synchronization issue