FortiGate NTP config interface-select-method specify

Zhuo · ‎07-01-2024

Use custom source interface to exit, but the traffic will check the default route and exit through the found route interface, not the custom interface ip.
But after configuring the source ip, there is no problem.

Why is this?

config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "10.0.0.17"
next
end
set source-ip 10.0.64.114---------------Can
end

------------------------------------------------------------

config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "10.0.0.17"
set interface-select-method specify
set interface "port1"----------------------Can't
next
end
end

port1=10.0.64.114

saneeshpv_FTNT · ‎07-01-2024

Hi @Zhuo

The statement "set interface portx" tell the fortigate which Interface it should listen for incoming NTP traffic (used when Fortigate act as NTP server).

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-a-FortiGate-unit-as-a-NTP-serv...

The command "set source-ip <IP>" tells fortigate which IP it should use when it forwards the request to the NTP Configured. So both commands has different use case.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-change-the-FortiGate-source...

Best Regards,

Saneesh

Zhuo · ‎07-01-2024

config ntpserver
edit 1
set server "10.0.0.17"
set interface-select-method specify
set interface "port1"
next
I specified the interface in config ntpserver, edit 1, not in config system ntp, set interface "portx". It was not setting the NTP server.

Toshi_Esumi · ‎07-01-2024

There are two places you can configure "set interface" under "config sys ntp".
https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/110620/config-system-ntp

The OP configured "set interface port1" under "config ntpserver/edit 1". So it's supposed to be specifying outgoing interface to reach the custom NTP server.
Besides, the OP didn't seem to have enabled "server-mode".

Toshi

Zhuo · ‎07-01-2024

Hi Toshi,

I have it as a client, not a server, so I have not enabled server-mode. Does "config ntpserver/edit 1" set a specific interface here, and does it still mean that it must be enabled as a server in server-mode? Instead of using this interface to request forwarding?

Toshi_Esumi · ‎07-01-2024

Server mode is completely separated from configuring the outside NTP server.
Should have nothing to do with your issue. I still think you need to have a proper route to reach 10.0.0.17 via port1 though. Unless the subnet mask is /16 or shorter.

Toshi

Zhuo · ‎07-01-2024

Specify source IP forwarding：

Specify source interface for forwarding：

Zhuo · ‎07-01-2024

Yes, there is definitely a route.
Port1 is the inside port, which only has 64.0/24
It goes out through port2, which is connected to the peer ntp server and has a route of 0.0.0.0/0.

Toshi_Esumi · ‎07-01-2024

Looks like your FGT is disagreeing with you. If a more specific route than 0/0 toward port1 for 10.0.0.17, the FGT would never follow 0/0 route toward port2 even without specifying the interface.
Try "get router info routing-t detail 10.0.0.17". That's what the FGT sees.

Toshi

Zhuo · ‎07-02-2024

Hi Toshi

Thanks for the discussion
But it is not as you said, there is a more specific route to 10.0.0.17.
Only port2 3 4 To-JR-Tunnel can go to 10.0.0.17