himanshusince1989
New Contributor II

Time not syncing in Fortigate Firewall

I am using Fortigate 100G in HA and running Firmware 7.2.9. The issue I am facing is the interface is able to reach the NTP Server.

 

NTP Server : 192.168.1.10

FGT MGMT : 192.168.1.4

 

I have added the MGMT interface under the dedicated management interface, which changes the MGMT interface to a different vdom, and it gets removed from the interface GUI. I want to get the time through the management interface. I have configured NTP with the config below.

 

set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "192.168.1.10"

Once I try to add the command "set source ip", it shows the error below: "192.168.1.4 does not match any interface ip in vdom root.", as the Management interface is removed from the root vdom.

 

So my question here is: can we configure NTP on the dedicated management interface vdom, or how can we achieve this?

 

Also I am referring to below docs in which we can set the interface under ntp server-->edit 1, but I cannot see it in my firewall.

 

https://docs.fortinet.com/document/fortiproxy/7.2.9/cli-reference/98620/config-system-ntp

 


1 Solution
dingjerry_FTNT

Hi @himanshusince1989 ,

 

Actually, I remember that you want to use the mgmt interface as the OOB access to the Primary and Secondary FGTs.

 

So:

 

1) Disable the dedicated management interface:

config system dedicated-mgmt
    set status disable
end

2) Configure HA dedicated management interface:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

 

Search for "For v6.4.x and newer versions" section.

 

3) Enable the "ha-direct" setting in the HA configuration.  

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Allow-NTP-synchronization-when-HA-cl...

 

You don't need to set the source-ip setting in the NTP configurations.

Regards,

Jerry
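
The three steps above, put together as one FortiOS CLI sequence (an added example, not part of the original post). The interface name, gateway, addresses and NTP server are the values posted in this thread; the `ha-mgmt-status` and `ha-mgmt-interfaces` keywords come from FortiOS `config system ha` and are not quoted on this page, and the `#` lines are annotations rather than CLI input.

```fortios
# Step 1: release mgmt from the dedicated management VDOM
config system dedicated-mgmt
    set status disable
end

# Steps 2 and 3: reserve mgmt as the HA management interface and
# let management-plane services use it (ha-direct)
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.1.1
        next
    end
    set ha-direct enable
end

# The reserved interface is not synchronized between cluster members,
# so each unit keeps its own address. 192.168.1.4 is the address from
# the thread; assumption: the secondary unit gets a different address
# in the same subnet, set on its own CLI.
config system interface
    edit "mgmt"
        set ip 192.168.1.4 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end

# NTP as posted in the thread, with no source-ip setting
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit 1
            set server "192.168.1.10"
        next
    end
end

# Check synchronization state on each unit
diagnose sys ntp status
```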


17 REPLIES
funkylicious
SuperUser

Hi,

Take a look at this doc, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-NTP-Server-Connected-directly-with-... .

Also, the link you are using is for FortiProxy and not FortiGate, couple of differences in CLI but the same principle, https://docs.fortinet.com/document/fortigate/7.2.9/cli-reference/105110478 

"jack of all trades, master of none"
dingjerry_FTNT

Hi @funkylicious ,

 

@himanshusince1989's scenario is different from the one in the doc link you provided.

 

Also, FGT and FortiProxy are very similar.  For NTP configuration, they are almost identical.

 

Regards,

Jerry
dingjerry_FTNT

Hi @himanshusince1989 ,

 

I assume that your dedicated management interface is mgmt.

Do you use it anywhere, i.e., the HA management interface?

 

If possible, please provide the FGT config.

 

Regards,

Jerry
himanshusince1989

Hello, thanks for your response here.

You are assuming it right, the mgmt interface is used for the dedicated management interface, which is now not visible under interface configuration. Also, I cannot see the MGMT interface in HA Management interface as well...

dingjerry_FTNT

Hi @himanshusince1989 ,

 

Please try the following to see whether it will work for you:

 

config system ntp
    config ntpserver
        edit 1
            set interface-select-method specify
            set interface mgmt
    end
end

Then no need to specify the source-ip setting.

 

Regards,

Jerry
himanshusince1989

Appreciate your response. I tried, but unfortunately the MGMT interface is not showing in the list; only the interfaces which are in the root vdom are seen.

 


 

If I try to remove the MGMT interface from dedicated management interface, so I can only access the active firewall at a time, but customer wants to login to both the firewall at the same time.

dingjerry_FTNT

Now I am confused. 

 

"If I try to remove the MGMT interface from dedicated management interface, so I can only access the active firewall at a time"

 

It sounds like you configured the mgmt interface as the HA management interface.   Is it true?

 

It's better to provide your FGT config.

 

At least, please provide all configurations using the mgmt interface.  You may mask any sensitive info.

Regards,

Jerry
himanshusince1989

Hello, please don't get confused. I was trying to say that I tried removing the interface from root VDOM, so it was appearing in the interface list, so it is also becoming a part of HA config sync, so the same configuration on the MGMT interface is syncing on the backup firewall as well. I did not configure anything on the dedicated HA Management interface.

 

In simple layman language, I want the NTP server to get synced using a different VRF (VDOM), which is not happening. I am trying to attach the notepad file here, not sure why it is not showing. Pasting here:

 

config system interface
    edit "mgmt"
        set vdom "dmgmt-vdom"
        set ip 192.168.1.4 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set dedicated-to management
        set snmp-index 2
    next
end

 

config system ntp
set ntpsync enable
set type custom
set syncinterval 1
config ntpserver
edit 1
set server "192.168.1.10"
next
end
end

 

config system ha
set group-id 1
set group-name "HA"
set mode a-p
set password ENC 3L7a8iGsTMPrMbd6GA7WxXCeTtpiSWaRRJON7b1OQ1P/lsjydKO8nqVBJ/6DPwYl3jZC7x165KarSQIhdxeKyD5lk4bn3uzJvty9FR9fPGfc7l6tc1QLz4gKt/Nl9ZtAW7fjDgwlztYahDaizkpN0bxgJ97qdXSl+q8WJjshGiL7r4uuhcccSVAeh4kwrzntWMuRYA==
set hbdev "ha1" 0 "ha2" 0
set override disable
set priority 200
end


config system dedicated-mgmt
set status enable
set interface "mgmt"
set default-gateway 192.168.1.1
end

dingjerry_FTNT

Hi @himanshusince1989 ,

 

Please try this:

 

config system dedicated-mgmt
    set status disable
end

Then you should be able to set the source-ip setting in the NTP server settings.

Regards,

Jerry