I would like to set up the FortiWifi 80F to access an NTP server. This did work successfully to locate public NTP servers over the WAN port. However, I would like a computer on the LAN port to be broadcasting an NTP server. I have not been able to get the FortiWifi to access the NTP server at that address. Is it possible to get NTP over the LAN?
Setting up an NTP server on a LAN for the FortiWiFi 80F to access is possible; however, we may need to adjust the settings to allow the FortiWiFi to use a LAN-based NTP server. You might configure the Windows Time service to act in a server role and make sure the firewall settings on this computer allow incoming requests on the NTP port (UDP 123). Add the IP address of the computer on the LAN that is acting as your NTP server under the "System/settings" tab. Ensure that the firewall settings are configured to allow traffic to and from the NTP server on the LAN. This might involve setting up a policy to allow outgoing requests from the FortiWiFi device to the LAN computer on UDP port 123.
The computer on port 1 of the LAN on the FortiWifi is communicating with ntp.ubuntu.com and under ntpstat replies with 'synchronised to NTP server (188.8.131.52) at stratum 3'.
Under the Fortinet GUI System > settings > select server > Custom is the IP to the local computer on port 1. Then on the Fortinet I run the command 'diag sys ntp status' which replies with 'synchronized: no, ntpsync: enabled, server-mode: disabled, no data'.
Not sure I got your point. FortiGate/FortiWifi (FGT hereinafter) can act as:
- client - so listening to outer, usually public, NTP servers with low stratum. By default it listens to the FortiGuard NTP service, and so adjusts system time accordingly. Which is BTW critical for stuff like 2FA OTP tokens (FortiToken) proper token code generation, or for certificate-based stuff etc.
- server - so FGT can propagate itself as NTP server, for example through DHCP, to the connected clients which then can be in sync to FGT's clock (which is through client part usually synced to outer NTP).
Most default config can look like this:
    hudzen-esx45 # show full system ntp
    config system ntp
        set ntpsync enable          <-- FGT as client syncing to outer NTP is enabled
        set type fortiguard         <-- that outer NTP server is FortiGuard NTP service
        set syncinterval 60         <-- sync timing
        set source-ip 0.0.0.0       <-- source IP, which will affect egress port selection, by-default auto through routing table
        set source-ip6 ::
        set server-mode enable      <-- this is FGT's server side, enabled
        set authentication disable
        set interface "fortilink"   <-- on which port is NTP server service provided
    end
Some parts are commented even in CLI:
    hudzen-esx45 # config system ntp
    hudzen-esx45 (ntp) # set ?
    ntpsync           Enable/disable setting the FortiGate system time by synchronizing with an NTP Server.
    type              Use the FortiGuard NTP server or any other available NTP Server.
    syncinterval      NTP synchronization interval (1 - 1440 min).
    source-ip         Source IP address for communication to the NTP server.
    source-ip6        Source IPv6 address for communication to the NTP server.
    server-mode       Enable/disable FortiGate NTP Server Mode. Your FortiGate becomes an NTP server for other devices on your network. The FortiGate relays NTP requests to its configured NTP server.
    authentication    Enable/disable authentication.
    interface         FortiGate interface(s) with NTP server mode enabled. Devices on your network can contact these interfaces for NTP services.
So, let's pretend I do not want to use the FortiGuard NTP service, as I do have my trusty nuke-based stratum 1 clock downstairs, connected via port1 and reachable on IP 10.42.0.1. And I still proxy/provide NTP service to other clients connected via fortilink.
Config then might look like this:
    hudzen-esx45 # show system ntp
    config system ntp
        set ntpsync enable
        set type custom
        config ntpserver
            edit 1
                set server "10.42.0.1"
                set ntpv3 enable
                set interface-select-method specify
                set interface "port1"
            next
        end
        set server-mode enable
        set interface "fortilink"
    end
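An added example, not part of the thread and not Fortinet tooling: a Python check, run from another LAN host, that the LAN NTP server answers on UDP 123 and reports itself synchronised. It sends an NTPv3 client request, matching `set ntpv3 enable` in the config above; the function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the header fields of an NTP server reply and judge usability."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    tx_seconds, tx_fraction = struct.unpack("!II", data[40:48])
    reply = {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "unix_time": tx_seconds - NTP_EPOCH_OFFSET + tx_fraction / 2**32,
    }
    # Mode 4 = server. Leap 3 or stratum 0/16 means the server itself is not
    # synchronised, so a client should not set its clock from it.
    reply["usable"] = (reply["mode"] == 4 and reply["leap"] != 3
                       and 1 <= stratum <= 15)
    return reply

def query(server, timeout=3.0, version=3):
    """Send one request to UDP 123 and return the parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(version), (server, 123))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)

# Constructed sample reply (not captured traffic): LI=0, VN=3, Mode=4, stratum 3.
SAMPLE_REPLY = (bytes([0x1C, 3, 6, 0xEC]) + bytes(36)
                + struct.pack("!II", NTP_EPOCH_OFFSET + 1700000000, 0))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query(sys.argv[1]))  # pass the LAN NTP server's address
    else:
        print(parse_reply(SAMPLE_REPLY))
```

A socket timeout from `query` means nothing answered on UDP 123 (host firewall or the NTP daemon's access restrictions), while a reply with `usable` set to false means the server answered but is not itself synchronised.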