Use custom source interface to exit, but the traffic will check the default route and exit through the found route interface, not the custom interface ip.
But after configuring the source ip, there is no problem.
Why is this?
config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "10.0.0.17"
next
end
set source-ip 10.0.64.114---------------Can
end
------------------------------------------------------------
config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "10.0.0.17"
set interface-select-method specify
set interface "port1"----------------------Can't
next
end
end
port1=10.0.64.114
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @Zhuo
The statement "set interface portx" tell the fortigate which Interface it should listen for incoming NTP traffic (used when Fortigate act as NTP server).
The command "set source-ip <IP>" tells fortigate which IP it should use when it forwards the request to the NTP Configured. So both commands has different use case.
Best Regards,
Saneesh
config ntpserver
edit 1
set server "10.0.0.17"
set interface-select-method specify
set interface "port1"
next
I specified the interface in config ntpserver, edit 1, not in config system ntp, set interface "portx". It was not setting the NTP server.
Created on 07-01-2024 10:49 PM Edited on 07-01-2024 10:50 PM
There are two places you can configure "set interface" under "config sys ntp".
https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/110620/config-system-ntp
The OP configured "set interface port1" under "config ntpserver/edit 1". So it's supposed to be specifying outgoing interface to reach the custom NTP server.
Besides, the OP didn't seem to have enabled "server-mode".
Toshi
Hi Toshi,
I have it as a client, not a server, so I have not enabled server-mode. Does "config ntpserver/edit 1" set a specific interface here, and does it still mean that it must be enabled as a server in server-mode? Instead of using this interface to request forwarding?
Server mode is completely separated from configuring the outside NTP server.
Should have nothing to do with your issue. I still think you need to have a proper route to reach 10.0.0.17 via port1 though. Unless the subnet mask is /16 or shorter.
Toshi
Specify source IP forwarding:
Specify source interface for forwarding:
Yes, there is definitely a route.
Port1 is the inside port, which only has 64.0/24
It goes out through port2, which is connected to the peer ntp server and has a route of 0.0.0.0/0.
Looks like your FGT is disagreeing with you. If a more specific route than 0/0 toward port1 for 10.0.0.17, the FGT would never follow 0/0 route toward port2 even without specifying the interface.
Try "get router info routing-t detail 10.0.0.17". That's what the FGT sees.
Toshi
Hi Toshi
Thanks for the discussion
But it is not as you said, there is a more specific route to 10.0.0.17.
Only port2 3 4 To-JR-Tunnel can go to 10.0.0.17
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.