Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Trouble with NTP traffic

I am having problems getting time sync with an Internet time source through the firewall. The Fortigate itself will sync its time with an Internet source. Since I already had an Internal to External All rule set, I really shouldn't need a specific NTP rule, however I created one anyway, and also created an External to Internal NTP rule as well, both using the predefined Service Port list. NTP traffic from remote Domain Controllers travels through the VPN links with no problem. It is only traffic from my internal zone to the internet that isn't working. I have tried several time sites including the one that the firewall itself sets by, with no luck. For successful traffic (across the VPN) the log shows 96 packets sent and 96 received. For the unsuccessful attempts (to the internet) the log shows 76 packets sent and 0 received. Any ideas would be appreciated.
rwpatterson
Valued Contributor III

Is your internal server using the correct NTP? There's a Microsoft version that isn't compatible with -nix platforms. Try placing the server on the outside of the firewall (for a quick test!), and see if it works from there. Or you could simply choose a different time source. If you do have an M$ server, look to M$ for more information in the knowledge base.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

The server (MS 2003 Server) is configured per Microsoft instructions from the KB. I have been testing with a non-domain member (domain members will only get time from the domain controller) XP laptop. It gets time fine on my home network behind a simple Linksys firewall. I also tested it successfully connected directly to the internet at this location (the only item connected, set to our public IP address). The server that is at the top of my forest, which is the controlling time source for the network, and the laptop both show the same results in the log (76 sent, zero received). The only suggestion in the MS KB is to make sure that the correct port is open in the firewall. I have tried every time source in the standard dropdown list in XP as well as the Canadian source that the Fortigate is configured for.
rwpatterson
Valued Contributor III

With the laptop behind the firewall, and service in the policy set to 'any', it fails? Is NAT turned on in that policy? Any port facing the Internet needs NAT enabled if the IP is an RFC 3330 address (10.x.x.x, 172.16.x.x, or 192.168.0.x). If both the above are true, then I am at a loss. If it works under 'any' but not 'ntp', then there is another issue to deal with. You'll have to determine what ports ARE being used via the statistics viewer. Let us know.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Thanks for the help, it was a NAT problem. NAT was set in my all policy, but not in the NTP policy that was higher in the list. I'm still not sure why the all policy wasn't working in the first place (before I added the special NTP policy), but things seem to be doing fine now (at least with the XP laptop). I'll check the logs after the server has had enough time to try again and make sure it is getting a response as well. Thanks again.
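A client-side check that reproduces the "N sent, 0 received" symptom from the firewall log and confirms the fix once the NAT policy is in place. This is an added example, not code from the thread or from Fortinet: it builds a minimal SNTP client request, sends it to UDP/123, and parses the server reply; the server name, attempt count and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800

def build_request() -> bytes:
    # First byte: LI=0, VN=3, Mode=3 (client) -> 0x1b; the other 47 bytes are zero.
    return b"\x1b" + 47 * b"\x00"

def parse_reply(data: bytes) -> dict:
    """Decode the fields of an NTP reply that matter for a sanity check."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    if mode != 4:
        raise ValueError("expected server mode 4, got mode %d" % mode)
    # Stratum 0 is a "kiss-o'-death" packet: the server refuses to serve time.
    if stratum == 0:
        raise ValueError("kiss-o'-death from server: %r" % data[12:16])
    # Transmit timestamp: 32-bit seconds + 32-bit fraction, bytes 40..47.
    secs, frac = struct.unpack("!II", data[40:48])
    return {"li": li, "version": vn, "mode": mode, "stratum": stratum,
            "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32}

def probe(server: str, attempts: int = 3, timeout: float = 2.0) -> dict:
    """Send `attempts` requests and count replies the way the policy log does."""
    sent = received = 0
    reply = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            sock.sendto(build_request(), (server, 123))
            sent += 1
            try:
                data, _ = sock.recvfrom(1024)
            except socket.timeout:
                continue  # no answer: with a NAT-less policy this happens every time
            received += 1
            reply = parse_reply(data)
    return {"sent": sent, "received": received, "reply": reply}

# Constructed sample reply: LI=0, VN=4, Mode=4, stratum 2, transmit time
# 2024-01-01 00:00:00.5 UTC expressed in the NTP epoch (3913056000 s).
SAMPLE_REPLY = (bytes([0x24, 2, 6, 0xEC]) + 36 * b"\x00"
                + struct.pack("!II", 3913056000, 0x80000000))

if __name__ == "__main__":
    print(probe("pool.ntp.org"))  # placeholder server; use your chosen time source
```

Run it from the internal host: "sent": 3, "received": 0 is the same picture the OP saw, and after NAT is enabled on the matching policy the reply appears with a non-zero stratum.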
ArcticWolf
New Contributor

Can a person sync the NTP time of network hardware with a FG300A? I would like to have the FG300A set to get the time from the internet and all internal equipment sync with the firewall. When I try to configure a router to get the time from the firewall I am getting NTP traffic denied by policy 0.
Ver 4.0 1-FG300A-hd 1-FG310B 4-FG60 6-FG60B Ver 3.0 1-FAZ800 1-FortiManager400B Ver 4.12 50-Forticlient 50-Forticlient Mobile
abelio

The FTG is not a timeserver and cannot be set up that way. It uses NTP to synchronize itself. You can do the same using public and reliable time servers.

regards / Abel
rwpatterson
Valued Contributor III

I would choose an MS domain controller, or Novell server or such as your local master time server. Have all units poll it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

A follow up on my original problem. Things now seem to be working okay on all fronts. The Server has been getting reliable time updates for a couple of days now. Thanks for all the help I was given.
Hracio
New Contributor

If you have multiple users/servers using NTP for time sync, you should consider using NTP relays. Configure two servers to sync against an NTP pool and then use them as relays. Regards!