[FortiGate] How to configure NTP [Client/Server]

Work environment

  • FortiGate 60E
    • version 7.0.1

NTP setting in FortiGate

This article describes the following two setting procedures.

  1. Setting procedure for time synchronization with any NTP server
  2. Configuration procedure for FortiGate to operate as an NTP server

Synchronization source NTP server setting procedure

When setting with GUI

In the default state, FortiGuard is the only server that can be specified as an NTP server when configured in the GUI.

Therefore, the following describes how to configure FortiGuard as an NTP server.

By default, FortiGuard is set to be used as the NTP server.

Open the [System > Settings] screen in the GUI. Select NTP for System Time and FortiGuard for Select server. Set the Sync interval as needed. (The default is 60 minutes.)

When setting with CLI

The config item that corresponds to the synchronization source NTP server setting is config system ntp.

Consider configuring the NTP server with the following requirements:

  • Primary NTP server: 202.234.233.106
  • Secondary NTP server: 219.188.200.128
  • Sync interval: 30 minutes

Config before setting

FW01 # show system ntp
config system ntp
    set ntpsync enable
end

Configuration command

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server 202.234.233.106
        next
        edit 2
            set server 219.188.200.128
        next
    end
end

The meaning of each setting is as follows.

config system ntp
    set ntpsync enable  #Enable synchronization with the NTP server
    set type custom      #Set the NTP server to be specified manually
    set syncinterval 30  #The synchronization interval is specified as 30 minutes
    config ntpserver     #NTP server settings
        edit 1       #Primary NTP server settings
            set server 202.234.233.106
        next
        edit 2      #Secondary NTP server settings
            set server 219.188.200.128
        next
    end
end

Include as many edit-next chunks in config ntpserver as the number of NTP servers you want to set in the command (example: add edit 3 if you also want to set a third NTP server).

Config after setting

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server "202.234.233.106"
        next
        edit 2
            set server "219.188.200.128"
        next
    end
end

If you can confirm that it is set as expected, the configuration is complete.

NTP status check command

diagnose sys ntp status

You can check if the time is synchronized with the diagnose sys ntp status command.

If the time is synchronized, the first line of the output will display synchronized: yes, as shown below. Also, the status of each NTP server is displayed as reachable.

FW01 # diagnose sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=1, ha_mgmt_vfid=1
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:11 selected
        server-version=4, stratum=2
        reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
        clock offset is 0.008522 sec, root delay is 0.022430 sec
        root dispersion is 0.011337 sec, peer dispersion is 290 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xff) S:1 T:11
        server-version=4, stratum=2
        reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
        clock offset is 0.006184 sec, root delay is 0.022430 sec
        root dispersion is 0.011337 sec, peer dispersion is 200 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:10
         no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xff) S:1 T:11
        server-version=4, stratum=2
        reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
        clock offset is 0.008601 sec, root delay is 0.022430 sec
        root dispersion is 0.011337 sec, peer dispersion is 292 msec

If the time is not synchronized, the output will be as follows.

FW01 # diagnose sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=1, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: disabled

ipv4 server(219.188.200.128) 219.188.200.128 -- unreachable(0x0) S:7 T:6
         no data
ipv4 server(202.234.233.106) 202.234.233.106 -- unreachable(0x0) S:7 T:6
         no data

execute time

You can check the current time and the last time synchronized with the execute time command.

FW01 # execute time
current time is: 12:36:31
last ntp sync:Sun Oct 31 12:35:52 2021

Manual date / time setting

When setting from the GUI, it can be set from the [System > Settings] screen.

To set with CLI, use the following commands.

  • Date: execute date yyyy-mm-dd
  • Time: execute time hh:mm:ss

FW01 # execute date
    yyyy: 2001-2037, mm: 1-12, dd: 1-31.

FW01 # execute time
    hh: 0-23, mm: 0-59, ss: 0-59.

Settings to make FortiGate act as an NTP server

Select [System > Settings] and click the Setup device as local NTP server radio button to enable it.

The [Listen on Interfaces] setting field is displayed. Click the setting field. Then, the interface selection screen is displayed on the right side of the screen. Click each interface on which FortiGate should accept NTP requests to select it.

Once you have made your selection, click Apply at the bottom of the screen to confirm your settings.

Confirm that the settings are as expected on the screen after application.

This completes the settings for operating as an NTP server.

When setting with CLI

Suppose you want to configure two interfaces, VLAN10 and VLAN20, as listening interfaces.

Configuration command

config system ntp
    set server-mode enable
    set interface VLAN10 VLAN20
end

The meaning of each setting is as follows.

config system ntp
    set server-mode enable  #NTP server mode enable
    set interface VLAN10 VLAN20  #Specifies the interface to listen to
end

Config after setting

FW01 # show system ntp
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "VLAN10" "VLAN20"
end

If you can confirm that the settings are as expected, you are done.
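Both "Config after setting" checks on this page (client and server mode) can be scripted when the `show system ntp` output is saved to a file. The following Python sketch is an added example, not code from the original article or from Fortinet: it parses the nested config/edit/next/end structure and compares it with the intended values, including whether server mode listens on interfaces beyond the intended ones. The sample text is constructed by merging the two listings on this page, and the function names are assumptions.

```python
import shlex

# Constructed sample: the two "Config after setting" listings on this page, merged.
SHOW_NTP = """\
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server "202.234.233.106"
        next
        edit 2
            set server "219.188.200.128"
        next
    end
    set server-mode enable
    set interface "VLAN10" "VLAN20"
end
"""

def parse_block(lines):
    """Consume lines up to the closing end/next and return a nested dict."""
    node = {}
    while lines:
        tok = shlex.split(lines.pop(0)) or [""]
        if tok[0] in ("end", "next"):
            break
        if tok[0] == "set":
            node[tok[1]] = tok[2:]          # values are kept as a list
        elif tok[0] in ("config", "edit"):
            node[" ".join(tok)] = parse_block(lines)
    return node

def audit_ntp(text, servers, interval, listen=()):
    """Compare the parsed `config system ntp` block with the intended values."""
    ntp = parse_block(text.splitlines()).get("config system ntp", {})
    issues = []
    if ntp.get("ntpsync") != ["enable"]:
        issues.append("ntpsync is not enabled")
    got = [e.get("server", [""])[0] for e in ntp.get("config ntpserver", {}).values()]
    if got != list(servers):
        issues.append(f"ntp servers {got} != {list(servers)}")
    # `show` omits default values; the page gives 60 minutes as the default interval.
    if ntp.get("syncinterval", ["60"]) != [str(interval)]:
        issues.append("syncinterval mismatch")
    extra = set(ntp.get("interface", [])) - set(listen)
    if ntp.get("server-mode") == ["enable"] and extra:
        issues.append(f"NTP server listening on unexpected interfaces: {sorted(extra)}")
    return issues
```

Calling `audit_ntp(SHOW_NTP, ["202.234.233.106", "219.188.200.128"], 30, ["VLAN10", "VLAN20"])` returns an empty list when the saved configuration matches the requirements used in this article.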
