Situation: a FortiGate fortiOS 7.2.2, behind that two internal NTP servers. Both need access to official NTP servers from the internet. Internal devices should use those internal NTP servers to sync time. If possible, internal devices are set up to use the internal servers. That was an easy one. But there are other devices with build in internet based NTP server addresses and which could not be changed. FortiGate is set to profile based and Central SNAT. Internal network is separated in subnets.
I need a way to catch all NTP (Port 123) traffic of all internal devices and redirect them transparently to my internal NTP servers. Only the two own NTP servers are allowed to access internet NTP.
Tried different suggested configs (e.g. VIP) but didn’t got it up and running. I would appreciate if someone could give me step by step advice to get this configured.
#
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
We may redirect ntp traffic using policy routes, but then would your NTP server handle the traffic not destined to it?
Best regards,
Jin
Hi,
How would you do it with policy routes?
What do you mean with the NTP Server traffic not destined to it?
Thanks,
Jens
Hey Jens, I'm not sure if you can do this with policy routing alone as the destination IP does not get changed in the policy route. Policy routing can redirect the traffic but it will ultimately try and reach the internet-based server on the IP which your internal server will not be listening on.
You will have to employ some Destination NAT rules. You can create a catch-all rule each IP address you want to intercept traffic destined to UDP port 123 and destination NAT it to your internal server.
https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/510402/static-virtual-ips
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1557 | |
1033 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.