Support Forum
alganatay
New Contributor

NTP server does not provide time for offline fortigate scenario

In environments which do not have an NTP server, we usually prefer the FortiGate to announce time on the related interfaces. However, I recently bumped into an interesting problem.

On this FortiGate, time is set manually and it has never been connected to the internet. NTP server mode is enabled on specific, directly connected VLANs. Even though it seems to be working, none of the clients could reach out and grab time from the FortiGate time server.

I could not find any related info at the knowledgebase and documentation. Is there anybody who has experienced such a problem?

FYI: the FortiGate must be kept offline; connecting it to the internet, even for a brief second, is not possible.

4 Replies
ebilcari
Staff

The configuration command help states: "server-mode: Enable/disable FortiGate NTP Server Mode. Your FortiGate becomes an NTP server for other devices on your network. The FortiGate relays NTP requests to its configured NTP server."
So practically, if you haven't configured an NTP server, it doesn't have a destination to relay the requests to.
In my opinion this limitation has to do with the NTP stratum: the local time is considered stratum 16, and the NTP server can't offer a valid time to the clients.

You can check the debug commands if they give a more detailed explanation:

diag debug application ntpd -1
diag debug enable

or
diagnose sys ntp status

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
alganatay

Hello Emirjon,

Thank you for this enlightening explanation.

Unfortunately, my problem stands. Is there any way to hack the FW to provide time to the network?

ebilcari

In my experience, if you have any other network devices, some of them support lowering the stratum of the hardware clock (for example to 4) and presenting it as a valid NTP server. There are hardware NTP appliances that get the time from GPS, or if you have any servers you can create an NTP server that is fed by the hypervisor/hardware clock.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
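The two answers above describe the same client-side rule from opposite directions: a server whose clock is not synchronized advertises leap indicator 3 and stratum 16 (or stratum 0 on the wire), and an NTP client will refuse to sync to it even though it answers on UDP/123, while a local server whose hardware clock has been promoted to a real stratum (say 4) is accepted. The Python checker below, added here as an illustration and not code from the thread or from Fortinet, parses an NTPv4 server reply per RFC 5905 and applies those sanity checks. The two sample packets are constructed in the script, not captured from a FortiGate; the assumption is only that a server with no time source behaves like any RFC 5905 server and reports itself as unsynchronized. The `query()` helper sends a real request and can be pointed at the FortiGate's VLAN address to see what it actually returns.

```python
"""Assess whether an NTP server reply would be accepted by a client.

Added example (not from the forum thread or Fortinet). It parses an NTPv4
server packet (RFC 5905) and records the reasons a client would reject it:
leap indicator 3 (alarm) or stratum 0/16 both mean "unsynchronized", so a
server that answers on UDP/123 can still hand out no usable time. Both
sample packets below are constructed here, not FortiGate captures.
"""
import socket
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAXSTRAT = 16                 # RFC 5905: stratum 16 == unsynchronized
NOSYNC = 3                    # leap indicator 3 == clock not synchronized


@dataclass
class Reply:
    leap: int
    version: int
    mode: int
    stratum: int
    refid: bytes
    xmit_ts: int
    reasons: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return not self.reasons

    def utc(self):
        """Transmit timestamp as an aware datetime (None if the server sent zero)."""
        if self.xmit_ts == 0:
            return None
        return datetime.fromtimestamp((self.xmit_ts >> 32) - NTP_UNIX_OFFSET, timezone.utc)


def build_server_reply(leap: int, stratum: int, refid: bytes, xmit_unix: int = 0) -> bytes:
    """Build a 48-byte NTPv4 mode-4 (server) packet for offline testing."""
    first = (leap << 6) | (4 << 3) | 4                  # LI | VN=4 | mode=4 (server)
    xmit_ts = ((xmit_unix + NTP_UNIX_OFFSET) << 32) if xmit_unix else 0
    return (struct.pack("!BBbb", first, stratum, 6, -20)    # poll=2^6, precision=2^-20
            + struct.pack("!II", 0, 0)                       # root delay, root dispersion
            + refid.ljust(4, b"\0")[:4]                      # reference id
            + struct.pack("!QQQQ", xmit_ts, 0, 0, xmit_ts))  # ref, orig, recv, xmit


def parse_reply(pkt: bytes) -> Reply:
    """Parse a server reply and record every reason a client would reject it."""
    if len(pkt) < 48:
        raise ValueError(f"short NTP packet: {len(pkt)} bytes")
    first, stratum, _poll, _prec = struct.unpack("!BBbb", pkt[:4])
    leap, version, mode = first >> 6, (first >> 3) & 7, first & 7
    refid = pkt[12:16]
    _ref, _orig, _recv, xmit = struct.unpack("!QQQQ", pkt[16:48])
    r = Reply(leap, version, mode, stratum, refid, xmit)

    if mode != 4:
        r.reasons.append(f"mode {mode} is not a server reply")
    if leap == NOSYNC:
        r.reasons.append("leap indicator 3: server clock not synchronized")
    if stratum == 0:
        # stratum 0 on the wire is "unspecified" or a kiss-o'-death code in refid;
        # RFC 5905 maps it to MAXSTRAT on the receiving side
        r.reasons.append(f"stratum 0 (unspecified / KoD code {refid!r})")
    elif stratum >= MAXSTRAT:
        r.reasons.append(f"stratum {stratum}: unsynchronized")
    if xmit == 0:
        r.reasons.append("transmit timestamp is zero")
    return r


def query(host: str, port: int = 123, timeout: float = 2.0) -> Reply:
    """Send one mode-3 client request to a live server and assess its reply."""
    request = bytes([0x23]) + bytes(47)   # LI=0, VN=4, mode=3; remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        data, _ = s.recvfrom(1024)
    return parse_reply(data)


# Constructed samples (not captures):
# 1) a server with no synchronized source: LI=3, stratum 16, refid INIT
UNSYNCED_REPLY = build_server_reply(leap=3, stratum=16, refid=b"INIT")
# 2) a local server whose hardware clock was promoted to stratum 4
HEALTHY_REPLY = build_server_reply(leap=0, stratum=4, refid=b"LOCL", xmit_unix=1700000000)

if __name__ == "__main__":
    for name, pkt in (("unsynced", UNSYNCED_REPLY), ("healthy", HEALTHY_REPLY)):
        r = parse_reply(pkt)
        print(f"{name}: usable={r.usable} stratum={r.stratum} time={r.utc()} reasons={r.reasons}")
```

Run it as-is to see the two verdicts, or call `query("<fortigate-vlan-ip>")` from a client on one of the VLANs: if the reply carries leap indicator 3 or stratum 16, the clients are behaving correctly by ignoring it, and the fix is a synchronized time source as the answers above describe, not a client-side change.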
ede_pfau
Esteemed Contributor III

Unfortunately (or not), there is no "hack" to make a FGT a time server.

The reason has been mentioned earlier: the FGT's clock is not precise enough for NTP standards ("stratum 16").

One possible solution would be to integrate a time source into your network, like a clock device connected via USB or LAN, which the FGT may use as a time source.


Ede

"Kernel panic: Aiee, killing interrupt handler!"