Time synchronization
Hello guys,
All network devices are configured to query time from the Fortinet, which is acting as a time server. The Fortinet is sending packets to the Cisco Nexus switches on the internal LAN, but because of stratum 16 the Nexus switches are not syncing. How can I reduce the stratum value on the Fortinet firewall? I also want to enable authentication only for the internal LAN switches and not for the internet servers (pool.ntp.org). How can I achieve that? Can anybody help me with a configuration example?
(ntp) # show
config system ntp
    set interface "port22" "port32"
    config ntpserver
        edit 1
            set server "pool.time.org"
        next
    end
    set ntpsync enable
    set server-mode enable
    set syncinterval 10
    set type custom
end
By default, FortiGate will only show settings that are configured differently from the default value; use "show all" instead of "show" if you want to see what other options are configurable for a setting. Also, some features are not shown until an option is first enabled (e.g. set status enable).
In your case, I think you will want to configure the server mode type/IP and enable the authentication options.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dear Dave/emnoc
If my Fortinet is requesting time from an NTP server which has authentication enabled, then the configs below will work.
(ntp) # show
config system ntp
    set interface "port22" "port32"
    config ntpserver
        edit 1
            set authentication enable
            set key fortinetsecret
            set key-id 234
            set server 10.120.0.21
        next
    end
    set ntpsync enable
    set server-mode enable
    set syncinterval 10
    set type custom
But for my switches, which are requesting time from the Fortinet firewall 1200D, how can I enable authentication on the 1200D for the switches only? Are the commands below correct? I have not entered a set server X.X.X.X command because the Fortinet itself is a server for the switches.
edit 2
    set authentication enable
    set key fortinetsecret
    set key-id 234
next
Thanks
You can't just decrease an NTP stratum value; a value of 16 means you're NOT IN SYNC, so the Nexus will never establish sync. I would first make sure your diagnostics show you have an established clock discipline, and then double-check the NTP config on the Nexus.
IMHO and from my experience, NX-OS has created big issues in NTP vs. IOS or IOS-XR. I've experienced major issues with NX-OS syncing to a local stratum clock GM from symmetric TP5500, where everybody else synced correctly to the GM (stratum 1).
Here's a post I placed for a client of mine; it pertains to 3500s, but our 7K didn't have any issues. BTW, since this post date, we have upgraded our NX3548 numerous times.
http://socpuppet.blogspot...-6x-how-to-enable.html
If you have the means to use ntpq, I would query the local FortiGate first and then look at the NX switches; if you have other systems maintaining clock sync with no issues, then look at the NX switches.
PCNSE
NSE
StrongSwan
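
Added example, not part of any post in this thread: a Python sketch of the header check an NTP client applies to a server reply, showing why a reply advertising stratum 16 is rejected no matter how the client is configured. The function names and both sample packets are constructed for illustration; the field layout and the stratum 0 to 16 mapping follow RFC 5905.

```python
import struct

MAXSTRAT = 16  # RFC 5905: stratum 16 means "unsynchronized"

def parse_ntp_header(packet: bytes) -> dict:
    """Decode the header fields a client inspects before trusting a reply."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    flags, stratum, _poll, _prec, root_delay, root_disp, ref_id = struct.unpack(
        "!BBbbII4s", packet[:16])
    if stratum == 0:
        # Unsynchronized servers send 0 on the wire; receivers map it to 16,
        # which is the value tools such as ntpq display.
        stratum = MAXSTRAT
    return {
        "leap": flags >> 6,              # 3 = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,             # 4 = server reply
        "stratum": stratum,
        "root_delay": root_delay / 65536,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536,
        "ref_id": ref_id,
    }

def usable_as_time_source(packet: bytes):
    """Return (ok, reason) using the basic RFC 5905 header sanity tests."""
    hdr = parse_ntp_header(packet)
    if hdr["mode"] != 4:
        return False, "not a server-mode reply"
    if hdr["leap"] == 3:
        return False, "leap indicator 3: server clock is not synchronized"
    if hdr["stratum"] >= MAXSTRAT:
        return False, "stratum 16: server has no upstream sync"
    return True, "stratum %d server is synchronized" % hdr["stratum"]

def build_sample(leap: int, stratum: int, ref_id: bytes) -> bytes:
    # Constructed sample (not a capture): NTPv4, mode 4, timestamps zeroed.
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack("!BBbbII4s", flags, stratum, 6, -20, 0, 0, ref_id) + bytes(32)

# Constructed replies: a firewall that never synced upstream, and one that did.
UNSYNCED_REPLY = build_sample(3, 0, b"INIT")
SYNCED_REPLY = build_sample(0, 3, bytes([10, 120, 0, 21]))

if __name__ == "__main__":
    for name, pkt in (("unsynced", UNSYNCED_REPLY), ("synced", SYNCED_REPLY)):
        print(name, usable_as_time_source(pkt))
```

The rejection happens on the client side from fields the server itself sets, so the remedy is getting the server synchronized to its upstream source rather than changing a stratum setting.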
