Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- NTP responses blocked, even though allowed through...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NTP responses blocked, even though allowed through policy
Hi All,
I'm trying to get NTP working through my FortiWifi 60D. However, normal NTP traffic gets blocked because it is using a privileged port as source port:
<linux-host-behind-fortigate># ntpdate nl.pool.ntp.org 11 Jan 11:46:19 ntpdate[14461]: no server suitable for synchronization found <linux-host-behind-fortigate>#
This results in these packets (captured on the linux host):
11:46:16.440887 IP 10.0.0.108.123 > 217.77.132.1.123: NTPv4, Client, length 48 11:46:16.640870 IP 10.0.0.108.123 > 91.148.192.49.123: NTPv4, Client, length 48 11:46:16.840873 IP 10.0.0.108.123 > 129.250.35.250.123: NTPv4, Client, length 48 11:46:17.040829 IP 10.0.0.108.123 > 131.211.8.244.123: NTPv4, Client, length 48
When I force ntpdate to use a non-privileged port, all is well:
<linux-host-behind-fortigate># ntpdate -u nl.pool.ntp.org 11 Jan 11:46:35 ntpdate[14462]: adjust time server 131.211.8.244 offset 0.001271 sec <linux-host-behind-fortigate>#
This results in these packets (captured on the linux host):
11:46:28.746542 IP 10.0.0.108.51394 > 217.77.132.1.123: NTPv4, Client, length 48
11:46:28.857244 IP 217.77.132.1.123 > 10.0.0.108.51394: NTPv4, Server, length 48 11:46:28.946480 IP 10.0.0.108.51394 > 91.148.192.49.123: NTPv4, Client, length 48 11:46:29.054651 IP 91.148.192.49.123 > 10.0.0.108.51394: NTPv4, Server, length 48 11:46:29.146484 IP 10.0.0.108.51394 > 129.250.35.250.123: NTPv4, Client, length 48 11:46:29.255057 IP 129.250.35.250.123 > 10.0.0.108.51394: NTPv4, Server, length 48 11:46:29.346372 IP 10.0.0.108.51394 > 131.211.8.244.123: NTPv4, Client, length 48 11:46:29.455309 IP 131.211.8.244.123 > 10.0.0.108.51394: NTPv4, Server, length 48 However, most ntp daemons use the privileged port as source port and I don't want to reconfigure all systems behind the FortiWifi.
Is there a configuration setting that makes the firewall accept source ports in the privileged range?
I already tried creating a custom service with source and destination ports equal to 123, but that did not help. Cheers, Sake
Solved! Go to Solution.
Labels:
- Labels:
-
5.2
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:Try to analyze the traffic on the FortiGate, maybe some other device is blocking requests.
diag sniffer packet any 'port 123' 4 0 a
I see that the fortigate translates the port to another privileged port:
2018-01-11 15:05:59.279387 SYN-bit_OFFICE in 10.0.0.8.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:05:59.279537 INTERNET out <my-public-IP>.634 -> 95.211.160.148.123: udp 48 2018-01-11 15:05:59.279569 wan1 out <my-public-IP>.634 -> 95.211.160.148.123: udp 48
As my ISP modem is in bridged mode, there is nothing in my own network after the fortigate. Combined with this text from the ntpdate manpage, I suspected the Fortigate:
-u Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the -d option always uses unprivileged ports.
However, I just captured traffic in between my modem and my fortigate, and it seems something upstream is blocking the NTP requests or the responses, as I do not see any traffic coming back (which is whay the fortigate was also telling me).
I changed the NAT for this particular rule to "fixed port" to keep 123 as source port and now it works:
2018-01-11 15:21:51.509456 SYN-bit_OFFICE in 10.0.0.8.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.509540 INTERNET out <my-public-IP>.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.509567 wan1 out <my-public-IP>.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.516922 wan1 in 95.211.160.148.123 -> <my-public-IP>.123: udp 48 2018-01-11 15:21:51.516922 INTERNET in 95.211.160.148.123 -> <my-public-IP>.123: udp 48 2018-01-11 15:21:51.517003 SYN-bit_OFFICE out 95.211.160.148.123 -> 10.0.0.8.123: udp 48
Thank you for making me look a little deeper into the issue (which I should have done in the first place).
Weird though that my ISP seems to block NTP traffic if it is from a privileged port other that 123.
THX! Case closed :)
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default NTP service doesn't limit the source port value, you can look it up under Policy & Objects > Services
Try to analyze the traffic on the FortiGate, maybe some other device is blocking requests.
diag sniffer packet any 'port 123' 4 0 a
If you can see that it's the FortiGate, check your policies and objects, or start a debug flow :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to use diag debug flow filter port 123 and validate it's really blocked. std port is 123 udp.
e.g
diag debug reset
diag debug en
diag debug flow filter port 123
diag debug flow show console enable
diag debug flow trace start 40
re-run the ntpdate or query command
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:Try to analyze the traffic on the FortiGate, maybe some other device is blocking requests.
diag sniffer packet any 'port 123' 4 0 a
I see that the fortigate translates the port to another privileged port:
2018-01-11 15:05:59.279387 SYN-bit_OFFICE in 10.0.0.8.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:05:59.279537 INTERNET out <my-public-IP>.634 -> 95.211.160.148.123: udp 48 2018-01-11 15:05:59.279569 wan1 out <my-public-IP>.634 -> 95.211.160.148.123: udp 48
As my ISP modem is in bridged mode, there is nothing in my own network after the fortigate. Combined with this text from the ntpdate manpage, I suspected the Fortigate:
-u Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the -d option always uses unprivileged ports.
However, I just captured traffic in between my modem and my fortigate, and it seems something upstream is blocking the NTP requests or the responses, as I do not see any traffic coming back (which is whay the fortigate was also telling me).
I changed the NAT for this particular rule to "fixed port" to keep 123 as source port and now it works:
2018-01-11 15:21:51.509456 SYN-bit_OFFICE in 10.0.0.8.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.509540 INTERNET out <my-public-IP>.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.509567 wan1 out <my-public-IP>.123 -> 95.211.160.148.123: udp 48 2018-01-11 15:21:51.516922 wan1 in 95.211.160.148.123 -> <my-public-IP>.123: udp 48 2018-01-11 15:21:51.516922 INTERNET in 95.211.160.148.123 -> <my-public-IP>.123: udp 48 2018-01-11 15:21:51.517003 SYN-bit_OFFICE out 95.211.160.148.123 -> 10.0.0.8.123: udp 48
Thank you for making me look a little deeper into the issue (which I should have done in the first place).
Weird though that my ISP seems to block NTP traffic if it is from a privileged port other that 123.
THX! Case closed :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Such a problem is new to me, never had to use fixed port before for NTP sync. Are you located in USA, maybe you need to pay extra for NTP access 
Glad it works now, you could also use the NTP server feature of the FortiGate, so only the firewall is syncing the time with the external NTP, and all other devices only generate internal traffic. That's how I usually configure it (if no domain controller or something else is available)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You use FortiOS 5.6.x? This is an new Bug or new Future and not an USA specific problem ;)
Diag Flow with FortiOS 5.4.8:
id=20085 trace_id=11 func=__ip_session_run_tuple line=3209 msg="SNAT 10.82.16.134->5.147.253.12:123"
Diag Flow with FortiOS 5.6.3
id=20085 trace_id=1 func=__ip_session_run_tuple line=3209 msg="SNAT 10.82.16.134->5.147.253.12:634"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SYN_bit wrote:I changed the NAT for this particular rule to "fixed port" to keep 123 as source port and now it works:
Saw your posts on the Ziggo forums. I had the exact same problems. Setting the NTP policy in the fortigate to fixedport solved the problem. Ziggo apparently does not allow requests from other sourceports anymore.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,863 -
FortiClient
1,794 -
5.2
801 -
FortiManager
753 -
5.4
639 -
FortiAnalyzer
568 -
FortiSwitch
486 -
FortiAP
478 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
325 -
SSL-VPN
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
220 -
FortiWeb
212 -
FortiNAC
197 -
5.0
196 -
FortiGuard
140 -
6.4
128 -
SD-WAN
119 -
FortiAuthenticator
111 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
82 -
Customer Service
81 -
4.0MR3
64 -
High Availability
62 -
FortiProxy
61 -
Fortivoice
57 -
FortiADC
54 -
FortiEDR
53 -
VLAN
53 -
ZTNA
50 -
Routing
49 -
DNS
48 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
BGP
42 -
LDAP
42 -
Authentication
39 -
RADIUS
38 -
SAML
38 -
NAT
37 -
Certificate
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
31 -
FortiLink
30 -
Application control
29 -
FortiWAN
27 -
Web profile
27 -
FortiGate-VM
26 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiPortal
20 -
FortiSwitch v6.2
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1751 | |
| 1114 | |
| 766 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.