Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mguernsey
New Contributor

At my wit's end with FortiGate and NTP

It shouldn't be hard to configure FortiGate to be an NTP server on a network - go into the system date and time, click change, tell it you want it to be an NTP server, give it the source IP, tell it what ports to listen on. Done!

 

Unfortunately I can't get it to synchronize with or for anything. Not sure if there's a policy I'm missing, a route, or something that prevents this. I'm in that stage where I don't know what I don't know, and it's really starting to tick me off.

 

My layout is as follows:

 

WAN2 is plugged into a switch, which is in turn connected to a router with a link to the outside world and has the hypothetical IP of 192.168.1.33.

 

The FortiGate is configured to be an NTP server and is supposed to sync with pool.ntp.org as the source, and listen for any NTP requests on the LAN ports.

 

No traffic is passing, no syncing is being done, and clueless here is getting a headache from pounding his head against the desk. Any assistance would be appreciated.

emnoc
Esteemed Contributor III

1st off, I would never use a firewall as an NTP server.

2nd, did you run diag debug flow

or

3rd, diag sniffer packet <wan1> "udp and port 123"

4th, are you using a custom or FortiGuard timeserver?

5th, are you running "diag debug application ntpd -1"? It should show traffic and what server(s). I would start with the FortiGuard ntp-peers 1st.

Lastly, if you're using a <name> for the server, make sure it's resolvable.

Force a sync-update against the named time-server and make sure it goes out the right interface and with the right address, etc...

Also "diag sys ntp status" from the cmd line shows the status.

Sample cfg for FortiGuard:

    config system ntp
        set ntpsync enable
        set server-mode enable
        set interface port1
    end

PCNSE NSE StrongSwan
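As an added check that is not from the thread or from Fortinet: a small Python NTP client that sends an RFC 5905 mode-3 request to the FortiGate's LAN address and decodes the reply, so you can see from a LAN host whether the box answers on UDP/123 at all and whether it reports itself as synchronized (leap indicator 3, or stratum 0/16, means it has no valid time yet, which is what you would expect while the upstream sync to pool.ntp.org is failing). The server address is taken from the command line; the packet layout is generic NTP, nothing FortiGate-specific is assumed.

```python
import socket
import struct
import sys
import time

# Constructed example, not from the forum thread: a minimal RFC 5905 client.
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
LEAP_ALARM = 3                 # LI=3 means "clock not synchronized"

def build_request() -> bytes:
    # LI=0, VN=4, Mode=3 (client): 0b00_100_011 = 0x23, rest of header zero
    return bytes([0x23]) + bytes(47)

def parse_response(data: bytes) -> dict:
    """Decode the fields that say whether the server is really serving time."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = data[0], data[1]
    ref_id = data[12:16]                      # upstream source or kiss code
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    leap = li_vn_mode >> 6
    mode = li_vn_mode & 0x7
    # A healthy server answers in mode 4 with stratum 1..15 and LI != 3;
    # stratum 0 (kiss-o'-death) or 16 and LI=3 mean it has no valid time.
    synced = mode == 4 and leap != LEAP_ALARM and 1 <= stratum <= 15
    return {
        "leap": leap,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": mode,
        "stratum": stratum,
        "ref_id": ref_id,
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
        "synchronized": synced,
    }

def query(server: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Send one request and return the decoded reply plus our clock offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)   # a timeout means nothing answered on UDP/123
        s.sendto(build_request(), (server, port))
        data, _ = s.recvfrom(512)
    info = parse_response(data)
    info["offset_s"] = info["tx_time"] - time.time()
    return info

if __name__ == "__main__":
    # usage: python ntp_check.py <fortigate-lan-ip>  (address is your own)
    print(query(sys.argv[1]))
```

A timeout points at the listen interface, policy or route rather than at time sync; a reply with leap 3 or stratum 16 means the FortiGate is listening but has not synchronized upstream.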
SCSIraidGURU
Contributor

Firewall should only be a firewall. You don't want to waste resources using it for DNS, NTP or any other service. You want all its attention used for protection only. In my data center, I have three Domain Controllers that handle important tasks:

1.) AD, Primary DNS, Roles, DHCP for its VLAN

2.) AD, Secondary DNS, Schema Role, DHCP for its VLAN

3.) AD, NTP for every device on the network, DHCP for its VLAN. This server goes out to Tick and Tock (Naval Clocks) for its time. It even does all the blades in the blade center. They push time to every VM on the blades in VMware.

emnoc
Esteemed Contributor III

Agreed.

We do the same but with 4x AD servers. If you're a big outfit, a synserver or microsemi time provider might come in handy, or even a "linux" distribution as a unicast or multicast ntp-server.

YMMV

PCNSE NSE StrongSwan