Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

NTP over LAN

Hello Community

I would like to setup the FortiWifi 80F to access a NTP server. This did work successfully to locate public NTP servers over the WAN port. However, I would like a computer on the LAN port to be broadcasting a NTP server. I have not been able to get the fortiwifi to access that address NTP server. Is this possible to get the NTP over LAN?


We can setup an NTP server on a LAN for FortiWiFi 80F to access is possible, however we may need to adjust the settings to allow the FortiWiFi to use a LAN-based NTP server. You might configure the Windows Time service to act in a server role and make sure the firewall settings on this computer allow incoming requests on NTP port (UDP 123). Add the IP address of the computer on the LAN that is acting as your NTP server under "System/settings" tab. Ensure that the firewall settings are configured to allow traffic to and from the NTP server on the LAN. This might involve setting up a policy to allow outgoing requests from the FortiWiFi device to the LAN computer on UDP port 123.

New Contributor III

Thank you for the reply.

The computer on port 1 of the LAN on the FortiWifi is communicating with and under ntpstat replies with 'synchronised to NTP server ( at stratum 3'.

Under the Fortinet GUI System > settings > select server > Custom is the IP to the local computer on port 1. Then on the Fortinet I run the command 'diag sys ntp status' which replies with 'synchronized: no, ntpsync: enabled, server-mode: disabled, no data'.



Not sure I got your point.
FortiGate/FortiWifi (FGT hereinafter) can act as :

- client - so listening to outer, usually public, NTP servers with low stratum. By default it listens to FortiGuard NTP service. And so adjust system time accordingly. Which is BTW critical for stuff like 2FA OTP tokens (FortiToken) proper token code generations, or for certificate based stuff etc.

server - so FGT can propagate itself as NTP server, for example through DHCP, to the connected clients which then can be in sync to FGT's clock (which is through client part usually synced to outer NTP).


Most default config can look like this:


hudzen-esx45 # show full system ntp
config system ntp
set ntpsync enable  <-- FGT as client syncing to outer NTP is enabled
set type fortiguard   <-- that outer NTP server is FortiGuard NTP service
set syncinterval 60   <-- sync timing
set source-ip  <-- source IP, which will affect egress port selection, by-default auto through routing table
set source-ip6 ::
set server-mode enable   <-- this is FGT's server side, enabled
set authentication disable
set interface "fortilink"  <-- on which port is NTP server service provided


Some parts are commented even in CLI:


hudzen-esx45 # config system ntp

hudzen-esx45 (ntp) # set ?
ntpsync Enable/disable setting the FortiGate system time by synchronizing with an NTP Server.
type Use the FortiGuard NTP server or any other available NTP Server.
syncinterval NTP synchronization interval (1 - 1440 min).
source-ip Source IP address for communication to the NTP server.
source-ip6 Source IPv6 address for communication to the NTP server.
server-mode Enable/disable FortiGate NTP Server Mode. Your FortiGate becomes an NTP server for other devices on your network. The FortiGate relays NTP requests to its configured NTP server.
authentication Enable/disable authentication.
interface FortiGate interface(s) with NTP server mode enabled. Devices on your network can contact these interfaces for NTP services.


So, let's pretend I do not want to use FortiGuard NTP service, as I do have my trusty nuke-based stratum 1 clock downstairs .. connected via port1 and reachable on IP
And I still proxy/provide NTP service to other clients connected via fortilink.


Config them might look like this:


hudzen-esx45 # show system ntp
config system ntp
  set ntpsync enable
  set type custom
  config ntpserver
    edit 1
    set server ""
    set ntpv3 enable
    set interface-select-method specify
    set interface "port1"
set server-mode enable
set interface "fortilink"


Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer