himanshusince1989
New Contributor II

Time not syncing in Fortigate Firewall

I am using a Fortigate 100G in HA, running firmware 7.2.9. The issue I am facing is that the interface is able to reach the NTP server.

NTP Server : 192.168.1.10

FGT MGMT : 192.168.1.4

I have added the MGMT interface under dedicated management interface, which moves the MGMT interface to a different vdom, and it gets removed from the interface GUI. I want to get the time through the management interface. I have configured NTP with the config below:

 

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1
    config ntpserver
        edit 1
            set server "192.168.1.10"
        next
    end
end

Once I try to add the command "set source ip", it shows the error below: "192.168.1.4 does not match any interface ip in vdom root.", as the management interface is removed from the root vdom.

So my question here is: can we configure NTP on the dedicated management interface vdom, or how can we achieve this?

Also, I am referring to the docs below, in which we can set the interface under ntp server-->edit 1, but I cannot see it in my firewall.

 

https://docs.fortinet.com/document/fortiproxy/7.2.9/cli-reference/98620/config-system-ntp

 


1 Solution
dingjerry_FTNT

Hi @himanshusince1989 ,

 

Actually, I remember that you want to use the mgmt interface as the OOB access to the Primary and Secondary FGTs.

So:

1) Disable the dedicated management interface:

config system dedicated-mgmt
    set status disable
end

2) Configure HA dedicated management interface:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

Search for "For v6.4.x and newer versions" section.

3) Enable the "ha-direct" setting in the HA configuration.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Allow-NTP-synchronization-when-HA-cl...

You don't need to set the source-ip setting in the NTP configurations.

Regards,

Jerry

himanshusince1989

I lost access to both firewalls once I executed the command below. Will try tomorrow by connecting the console cable.

config system dedicated-mgmt
    set status disable
end

himanshusince1989

Hello 

 

Just FYI, the system is in production. I believe that working on the management interface does not cause traffic disruption. But I want to know: if I execute this command, will the system be accessible through SSH?

Also, if I remove the disable dedicated mgmt, then the MGMT interface will have the same IP address on both firewalls, as they are in HA.

dingjerry_FTNT

Hi @himanshusince1989 ,

 

1) Working on the management interface will not impact your production traffic;

2) You can still access the HA cluster via SSH to 192.168.1.4; you should have enabled HTTPS/SSH on the mgmt interface already;

3) Yes, the secondary will have the mgmt interface settings synced from the Primary first. However, once you have configured the HA management interface on the Secondary FGT (of course, you have to configure it on the Primary FGT first), you can adjust the mgmt interface IP on the Secondary FGT. I guess that you may use something like 192.168.1.5.

 

4) After you have configured the HA management interface on the Primary FGT, you can access the Secondary FGT via CLI:

 

Please check this KB for how to access Secondary FGT via CLI:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-access-secondary-unit-of-HA-cluster...

Regards,

Jerry
dingjerry_FTNT

Hi @himanshusince1989 ,

 

If you do not have any interface other than mgmt enabled with HTTPS/SSH access, you may have to access the HA cluster from a host in the 192.168.1.0/24 subnet.

 

 

Regards,

Jerry
himanshusince1989

I managed to access both firewalls, but the NTP issue is still not fixed.

dingjerry_FTNT

Hi @himanshusince1989 ,

 

Could you please attach your current FGT config?

 

If you can't, please provide the following info:

 

1) Did you disable the dedicated management interface for mgmt?

2) If yes, did you add mgmt into the HA settings as the HA management interface?

3) If yes, did you enable "ha-direct" setting in HA settings?

Regards,

Jerry
himanshusince1989

Thank you for all of your support. Now, for testing, I have created another NTP server and the firewalls are able to sync the time. :) :)
