FortiGate
sfernando
Staff
Article Id 302556
Description This article describes how to set up an NTP server and NTP client using two FortiGates and how to troubleshoot. 
Scope FortiGate.
Solution

In practice, NTP clients will be different vendor devices such as PCs, IP phones, etc.

It is not possible to provide details of each of these vendors on how to set up the NTP client. Hence in this article, two FortiGates have been used: one as an NTP server and the other as an NTP client.

 

Configure NTP server:

In this setup, the Google NTP time server will be used as the main NTP source:

 

config system ntp
   set ntpsync enable
   set type custom  <----- If an external time source other than the FortiGuard servers is used, set the type to custom.
   set syncinterval 1   <----- Interval at which the FortiGate contacts the NTP time server to sync (in this example, it is set to 1 min).
   config ntpserver
      edit 1
         set server "time1.google.com"   <----- Google time server FQDN.
         set ntpv3 disable
         set authentication disable
         set interface-select-method auto
      next
   end
   set source-ip 0.0.0.0
   set source-ip6 ::
   set server-mode enable
   set authentication disable
   set interface "port2"      <----- Downstream listening port for NTP client devices.
end

 

From the GUI, set this under System -> Settings, as in the screenshot below. User settings have to be done from the CLI:

 

NTPserver.jpg

 

Sending the NTP information to downstream devices:

DHCP is used to send the NTP information to the downstream client devices.

 

config system dhcp server
   edit 1
      set lease-time 300
      set dns-service default
      set ntp-service local     <----- Provide the NTP service from the local FortiGate.
      set default-gateway 10.55.0.45
      set netmask 255.255.240.0
      set interface "port2"   <----- Interface to which the downstream devices are connected.
      config ip-range
         edit 1
            set start-ip 10.55.11.2
            set end-ip 10.55.11.254
         next
      end
      config options
         edit 1
            set code 4
            set type ip
            set ip "10.55.0.45" <----- IP of the interface facing the downstream devices, which provides the NTP information.
         next
      end
   next
end

The same can be done from the GUI: under Network -> Interface, select the relevant port, enable the DHCP server, and go to Advanced.

 

DHCP NTPjpg.jpg

 

Configuring the NTP client.

As mentioned previously, another FortiGate will be used as the NTP client. In practice, it will be some other device such as a PC, IP phone, etc.

 

config system ntp
   set ntpsync enable
   set type custom
   set syncinterval 1
   config ntpserver
      edit 1
         set server "10.55.0.45"
      next
   end
end

 

Below is from the GUI:

 

NTP client.jpg

 

On the client device, DHCP must be enabled on the interface so that it receives its IP address along with the NTP information.

 

Note:

To check whether the NTP time is taken from the correct source, use the command below:

 

On the client:

 

dia sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled <----- Time is synced with the server.

ipv4 server(10.55.0.45) 10.55.0.45 -- reachable(0xff) S:1 T:5 selected <----- The NTP time is taken from the upstream device interface IP.
server-version=4, stratum=2   <----- Stratum level is 2.
reference time is e98fb9b4.cce220ca -- UTC Mon Mar 4 03:08:36 2024    <----- Current time in UTC.
clock offset is -0.000023 sec, root delay is 0.164825 sec
root dispersion is 0.000122 sec, peer dispersion is 0 msec

 

On the server:

 

dia sy ntp status
synchronized: yes, ntpsync: enabled, server-mode: enabled   <----- Time is synced with the server, and server mode is enabled.

ipv4 server(time1.google.com) 216.239.35.0 -- reachable(0xc3) S:2 T:6 selected  <----- NTP time is taken from the Google time server.
server-version=4, stratum=1    <----- Stratum level is 1.
reference time is e98fbaa7.95485235 -- UTC Mon Mar 4 03:12:39 2024   <----- Current time in UTC.
clock offset is -0.000043 sec, root delay is 0.000000 sec
root dispersion is 0.000092 sec, peer dispersion is 0 msec
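
Time sync on a firewall matters for log correlation and certificate validation, so the status output above is worth checking automatically. The following is an added example, not part of the original article or Fortinet tooling: it parses the client output shown above, decodes the hexadecimal reference time, and flags an unsynchronized device or an unexpected time source. The function names, the 0.5 second offset threshold, and the reading of the value in reachable(0x..) as the standard 8-bit NTP reach register are assumptions.

```python
import re
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Client output copied from this article, with the "<-----" annotations removed.
CLIENT_STATUS = """\
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(10.55.0.45) 10.55.0.45 -- reachable(0xff) S:1 T:5 selected
server-version=4, stratum=2
reference time is e98fb9b4.cce220ca -- UTC Mon Mar 4 03:08:36 2024
clock offset is -0.000023 sec, root delay is 0.164825 sec
root dispersion is 0.000122 sec, peer dispersion is 0 msec
"""

def parse_ntp_status(text):
    """Pull the fields worth alerting on out of the status output."""
    s = {"server": None, "reach": 0, "selected": False}
    s["synchronized"] = re.search(r"^synchronized:\s*yes\b", text, re.M) is not None
    m = re.search(r"server\(([^)]+)\)\s+\S+\s+--\s+\w+\(0x([0-9a-fA-F]+)\)(.*)", text)
    if m:
        s["server"] = m.group(1)           # configured server name or IP
        s["reach"] = int(m.group(2), 16)   # assumed: 8-bit NTP reach register
        s["selected"] = "selected" in m.group(3)
    m = re.search(r"stratum=(\d+)", text)
    s["stratum"] = int(m.group(1)) if m else None
    m = re.search(r"reference time is ([0-9a-f]{8})\.", text)
    if m:  # upper 32 bits of an NTP timestamp: whole seconds since 1900
        secs = int(m.group(1), 16) - NTP_UNIX_DELTA
        s["reference_utc"] = datetime.fromtimestamp(secs, tz=timezone.utc)
    m = re.search(r"clock offset is (-?\d+\.\d+) sec", text)
    s["offset"] = float(m.group(1)) if m else None
    return s

def check_ntp(text, expected_server, max_offset=0.5):
    """Return a list of problems; an empty list means the time source looks healthy."""
    s = parse_ntp_status(text)
    problems = []
    if not s["synchronized"]:
        problems.append("not synchronized")
    if s["server"] != expected_server or not s["selected"]:
        problems.append(f"unexpected or unselected time source: {s['server']}")
    if s["reach"] == 0:
        problems.append("no recent poll was answered")
    if s["offset"] is None or abs(s["offset"]) > max_offset:
        problems.append(f"clock offset missing or above {max_offset}s: {s['offset']}")
    return problems

if __name__ == "__main__":
    print(parse_ntp_status(CLIENT_STATUS)["reference_utc"].isoformat())
    print(check_ntp(CLIENT_STATUS, "10.55.0.45") or "OK")
```

The decoded reference time matches the UTC string printed on the same line of the output, which confirms the hexadecimal field is a standard NTP timestamp.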

 

The time shown on each device depends on the time zone selected on it, as shown below:

 

On the client:

 

execute time
current time is: 14:22:18
last ntp sync:Mon Mar 4 14:21:46 2024

 

time1.jpg

 

On the server:

 

execute time
current time is: 08:54:48
last ntp sync:Mon Mar 4 08:54:26 2024

 

time2.jpg

 

Troubleshooting Tips:

  1. If there are issues, the DHCP leases can be listed and cleared from the server side using the commands below:

 

execute dhcp lease-list  <----- Or can use a specific interface.

execute dhcp lease-clear all  <----- Or can use the specific IP.

 

  2. When using a third-party device, it is necessary to configure the NTP server setting on it so that it gets its time from the FortiGate.
  3. Other relevant articles for troubleshooting:

Technical Tip: Troubleshoot NTP synchronization issue
