Work environment
- FortiGate 60E
- version 7.0.1
NTP setting in FortiGate
This article describes the following two setting procedures.
- Setting procedure for time synchronization with any NTP server
- Configuration procedure for FortiGate to operate as an NTP server
Synchronization source NTP server setting procedure
When setting with GUI
In the default state, FortiGuard is the only server that can be specified as an NTP server when configured in the GUI.
Therefore, the following describes how to configure FortiGuard as an NTP server.
Open the [System > Settings] screen in the GUI. Select NTP for System Time and FortiGuard for Select server. Set the Sync interval as needed. (The default is 60 minutes.)
When setting with CLI
The config item that corresponds to the synchronization source NTP server setting is config system ntp.
Consider configuring the NTP server with the following requirements:
- Primary NTP server: 202.234.233.106
- Secondary NTP server: 219.188.200.128
- Sync interval: 30 minutes
Config before setting
FW01 # show system ntp
config system ntp
    set ntpsync enable
end
Configuration command
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server 202.234.233.106
        next
        edit 2
            set server 219.188.200.128
        next
    end
end
The meaning of each setting is as follows.
config system ntp
    set ntpsync enable         # Enable synchronization with the NTP server
    set type custom            # Set the NTP server to be specified manually
    set syncinterval 30        # The synchronization interval is specified as 30 minutes
    config ntpserver           # NTP server settings
        edit 1                 # Primary NTP server settings
            set server 202.234.233.106
        next
        edit 2                 # Secondary NTP server settings
            set server 219.188.200.128
        next
    end
end
Include one edit-next block in config ntpserver for each NTP server you want to set (example: add edit 3 if you also want to set a third NTP server).
Config after setting
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server "202.234.233.106"
        next
        edit 2
            set server "219.188.200.128"
        next
    end
end
If you can confirm that it is set as expected, the configuration is complete.
NTP status check command
diagnose sys ntp status
You can check if the time is synchronized with the diagnose sys ntp status command.
If the time is synchronized, the first line of the output will display synchronized: yes, as shown below. Also, the status of each NTP server is displayed as reachable.
FW01 # diagnose sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=1, ha_mgmt_vfid=1
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:11 selected
server-version=4, stratum=2
reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
clock offset is 0.008522 sec, root delay is 0.022430 sec
root dispersion is 0.011337 sec, peer dispersion is 290 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xff) S:1 T:11
server-version=4, stratum=2
reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
clock offset is 0.006184 sec, root delay is 0.022430 sec
root dispersion is 0.011337 sec, peer dispersion is 200 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:10
no data
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xff) S:1 T:11
server-version=4, stratum=2
reference time is e528889d.8a1b4736 -- UTC Sun Oct 31 03:14:37 2021
clock offset is 0.008601 sec, root delay is 0.022430 sec
root dispersion is 0.011337 sec, peer dispersion is 292 msec
If the time is not synchronized, the output will be as follows.
FW01 # diagnose sys ntp status
HA primary: yes, HA primary ip: 1.0.0.0, management_vfid: 0 ha_direct=1, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(219.188.200.128) 219.188.200.128 -- unreachable(0x0) S:7 T:6
no data
ipv4 server(202.234.233.106) 202.234.233.106 -- unreachable(0x0) S:7 T:6
no data
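The check above can be automated. The following is an added example, not part of the original article or Fortinet tooling: a small Python parser for the diagnose sys ntp status output that reports an unsynchronized clock, unreachable servers and large offsets. The function names and the 0.5 second offset threshold are assumptions made for the illustration.

```python
import re

SERVER_RE = re.compile(
    r"^ipv4 server\((?P<name>[^)]+)\)\s+(?P<ip>\S+)\s+--\s+"
    r"(?P<state>reachable|unreachable)\(0x[0-9a-fA-F]+\)(?P<rest>.*)$")
OFFSET_RE = re.compile(r"clock offset is (-?[\d.]+) sec")

def parse_ntp_status(text):
    """Parse 'diagnose sys ntp status' output into a dict."""
    status = {"synchronized": None, "servers": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("synchronized:"):
            status["synchronized"] = line.split(",")[0].split(":")[1].strip() == "yes"
        elif (m := SERVER_RE.match(line)):
            status["servers"].append({
                "name": m["name"], "ip": m["ip"],
                "reachable": m["state"] == "reachable",
                "selected": "selected" in m["rest"].split(), "offset": None})
        elif (m := OFFSET_RE.search(line)) and status["servers"]:
            # Offset lines belong to the most recent server entry.
            status["servers"][-1]["offset"] = float(m[1])
    return status

def findings(status, max_offset=0.5):
    """Return a list of problems; max_offset (seconds) is an assumed threshold."""
    out = []
    if not status["synchronized"]:
        out.append("not synchronized")
    for s in status["servers"]:
        if not s["reachable"]:
            out.append(f"{s['ip']} unreachable")
        elif s["offset"] is not None and abs(s["offset"]) > max_offset:
            out.append(f"{s['ip']} offset {s['offset']}s")
    if status["synchronized"] and not any(s["selected"] for s in status["servers"]):
        out.append("no server selected")
    return out

# Sample inputs shortened from the two outputs shown above.
GOOD = """synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:11 selected
clock offset is 0.008522 sec, root delay is 0.022430 sec
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xfe) S:0 T:10
no data"""
BAD = """synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(219.188.200.128) 219.188.200.128 -- unreachable(0x0) S:7 T:6
no data
ipv4 server(202.234.233.106) 202.234.233.106 -- unreachable(0x0) S:7 T:6
no data"""
print(findings(parse_ntp_status(GOOD)), findings(parse_ntp_status(BAD)))
```

An empty list means the device is synchronized, every listed server is reachable and no offset exceeds the threshold. Accurate time matters because log timestamps from the firewall are only useful for correlation when the clock is correct.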
execute time
You can check the current time and the last time synchronized with the execute time command.
FW01 # execute time
current time is: 12:36:31
last ntp sync:Sun Oct 31 12:35:52 2021
Manual date / time setting
When setting from the GUI, it can be set from the [System > Settings] screen.
To set with CLI, use the following command.
- Date:
execute date yyyy-mm-dd
- Time:
execute time hh:mm:ss
FW01 # execute date
yyyy: 2001-2037, mm: 1-12, dd: 1-31.
FW01 # execute time
hh: 0-23, mm: 0-59, ss: 0-59.
Settings to make FortiGate act as an NTP server
Select [System > Settings] and click the Setup device as local NTP server radio button to enable it.
The [Listen on Interfaces] setting field is displayed. Click the setting field. The interface selection screen is then displayed on the right side of the screen. Click each interface on which FortiGate should accept NTP requests to select it.
Once you have made your selection, click Apply at the bottom of the screen to confirm your settings.
Confirm that the settings are as expected on the screen after application.
This completes the settings for operating as an NTP server.
When setting with CLI
Suppose you want to configure two interfaces, VLAN10 and VLAN20, as listening interfaces.
Configuration command
config system ntp
    set server-mode enable
    set interface VLAN10 VLAN20
end
The meaning of each setting is as follows.
config system ntp
    set server-mode enable         # Enable NTP server mode
    set interface VLAN10 VLAN20    # Specifies the interfaces to listen on
end
Config after setting
FW01 # show system ntp
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "VLAN10" "VLAN20"
end
If you can confirm that the settings are as expected, you are done.
Comments
Thank you!