FortiGate
Benoit_Rech_FTNT
Article Id 193427

Purpose

Configure the FortiGate to synchronize its clock to a different time server, and secure the NTP update using MD5 authentication.

NTP protocol:

NTP stands for Network Time Protocol. It is used to synchronize the clock of a computer to reference NTP servers. NTP provides accuracy to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).

RFCs associated with NTP

NTP:

* RFC 1305: Network Time Protocol Version 3
* RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification
* RFC 5906: Network Time Protocol Version 4: Autokey Specification
* RFC 5907: Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)
* RFC 5908: Network Time Protocol (NTP) Server Option for DHCPv6

SNTP:

Simple NTP (SNTP) version 4 is described in RFC 5905.

Time is inherently important to the function of routers, firewalls, computers and networks. It provides the only frame of reference between all devices on the network. This makes synchronized time extremely important. Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. When it comes to security, if you cannot successfully compare logs between each of your firewalls and routers and all your network servers, you will find it very hard to develop a reliable picture of an incident.

FortiOS support:

Among the operating modes offered by NTP, FortiGate can only act as a client in client/server mode, which means it cannot provide the time to other devices.

Server mode, peer mode and broadcast/multicast mode are not supported by FortiOS.

By default, FortiOS runs NTPv4, which is backward compatible with previous versions.

For additional security, you can configure your NTP servers and clients to use authentication.

FortiOS supports only MD5 authentication for NTP.

If you want to use authentication, you need to enable NTPv3 instead of NTPv4.

NTP checklist:
  • Make sure all the devices in the network use NTP to synchronize their time.
  • On larger networks, use redundant timeservers and synchronize the devices to multiple servers to prevent a single point of failure.
  • Use NTP authentication between clients and server to ensure that time is synchronized to approved servers.


Scope

FortiOS 4.3 and FortiOS 5.0


Diagram

[NTP server]10.120.0.21-----------------10.120.0.125[FortiGate]


Expectations, Requirements

FortiGate clock synchronized with an NTP server using MD5 authentication.


Configuration

Common to all the NTP servers:
  • source-ip: On a VDOM with multiple interfaces, the source address of the NTP packet is the address of the egressing interface. This may complicate things when authentication is used.

    When the NTP server can be reached via multiple interfaces (including a backup line), it is recommended to use a loopback interface address as the source-ip.
  • ntpsync: set to enable in order to activate the NTP service.
  • syncinterval: interval, in minutes, between two NTP requests.
For each NTP server:
  • server: the server FQDN or IP address.
  • ntpv3: enable NTPv3, needed to use MD5 authentication.
  • authentication: enable to activate MD5 authentication.
  • key: the shared key used to compute and compare the MD5 hash.
  • key-id: the numeric identifier of the key, which must match the ID configured for that key on the NTP server.
 
config system ntp
   set ntpsync enable
   set syncinterval 60
   set source-ip 10.120.0.125
   config ntpserver
      edit 1
         set ntpv3 enable
         set authentication enable
         set key fortinetsecret
         set key-id 234
         set server 10.120.0.21
      next
   end
end
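The MD5 mechanism that the key and key-id fields configure, worked as an added example (this is not FortiOS code and not from the article): it builds the NTPv3 client request with the RFC 5905 MAC and verifies the MAC on a received packet, using the article's key-id 234 and key fortinetsecret as constructed sample values. It also covers the unauthenticated and wrong-key cases seen under Troubleshooting.

```python
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # bare NTP header, what a "udp 48" packet carries
MAC_LEN = 4 + 16                # 32-bit key-id followed by a 128-bit MD5 digest (RFC 5905 MAC)


def ntp_timestamp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def build_client_header(version=3, xmt=None):
    """48-byte header for a mode 3 (client) request: LI=0, VN=version, Mode=3, transmit timestamp set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    xmt = time.time() if xmt is None else xmt
    fixed = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)   # stratum, poll and precision left at zero
    fixed += b"\x00" * 12                                # root delay, root dispersion, reference id
    fixed += b"\x00" * 24                                # reference, originate and receive timestamps
    return fixed + ntp_timestamp(xmt)


def md5_mac(key_id, key, header):
    """MAC = key-id || MD5(key || header). The key-id only selects the key; the key itself is the secret."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_authenticated_request(key_id, key):
    """NTPv3 client request with a trailing MD5 MAC (key-id 234 / 'fortinetsecret' are constructed sample values)."""
    header = build_client_header(version=3)
    return header + md5_mac(key_id, key, header)


def verify_mac(packet, keys):
    """Check a received packet's MAC against a key table {key_id: key}.
    Returns (key_id, True) on success, (key_id, False) for an unknown key-id or a wrong key,
    and (None, False) when the packet carries no MAC at all (plain 48-byte header)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return None, False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return key_id, False
    expected = hashlib.md5(key + header).digest()
    return key_id, hmac.compare_digest(expected, mac[4:])   # constant-time digest comparison
```

A packet without the 20-byte MAC is 48 bytes of UDP payload, which is what the sniffer capture under Troubleshooting shows; with MD5 authentication the payload is 68 bytes.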


Verification

FGT50B-5 # diag sys ntp status
server( 10.120.0.21 ) 10.120.0.21 -- Clock is synchronized
      server-version=3, stratum=3
      reference time is d3e7456b.38a02087 -- UTC Tue Aug 28 13:26:03 2012
      clock offset is 0.193389 sec, root delay is 1578 msec
      root dispersion is 4746 msec, peer dispersion is 2 msec


Troubleshooting
NTP uses UDP (IP protocol 17) on port 123 to communicate between the client and the servers.

FGT50B-5 # diagnose sniffer packet any 'port 123' 4 0 a
interfaces=[any] filters=[port 123]
2012-08-27 15:34:28.782291 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782308 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782319 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.782758 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.783306 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783317 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783325 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.783732 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.784414 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784425 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784433 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.784841 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48
2012-08-27 15:34:28.785351 VLAN120 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785363 internal out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785371 eth0 out 10.120.0.125.123 -> 10.120.0.21.123: udp 48
2012-08-27 15:34:28.785778 VLAN120 in 10.120.0.21.123 -> 10.120.0.125.123: udp 48

#diag debug application ntpd -1
#diag debug enable

  • success, without authentication
FGT50B-5 # 2012-08-27 17:32:34 Start updating the system time ...
2012-08-27 17:32:34 add server 1: server 10.120.0.21
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 transmit to 10.120.0.21
2012-08-27 17:32:34 receive(10.120.0.21)
2012-08-27 17:32:34 transmit(10.120.0.21)
2012-08-27 17:32:34 Adjust current time second=0, usec=2894
2012-08-27 17:32:34 waiting for 60 seconds ...

Client request: [screenshot: brech_FD33783_a_FD33783-1-client_no_auth.png]
Server response: [screenshot: brech_FD33783_a_FD33783-2-server_no_auth.png]

  • success, with authentication

2012-08-27 17:07:35 waiting for 60 seconds ...
2012-08-27 17:08:35 Start updating the system time ...
2012-08-27 17:08:35 add server 1: server 10.120.0.21
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:08:36 transmit to 10.120.0.21
2012-08-27 17:08:36 receive(10.120.0.21)
2012-08-27 17:08:36 receive: authentication passed
2012-08-27 17:08:36 transmit(10.120.0.21)
2012-08-27 17:08:36 Adjust current time second=0, usec=5310
2012-08-27 17:08:36 waiting for 60 seconds ...

Client request: [screenshot: brech_FD33783_a_FD33783-3-client.png]
Server response: [screenshot: brech_FD33783_a_FD33783-4-server.png]

  • fail, invalid key-id or key
2012-08-27 17:20:51 Start updating the system time ...
2012-08-27 17:20:51 add server 1: server 10.120.0.21
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 transmit to 10.120.0.21 with MD5 authentication
2012-08-27 17:20:51 transmit to 10.120.0.21
2012-08-27 17:20:51 receive(10.120.0.21)
2012-08-27 17:20:51 receive: authentication failed
2012-08-27 17:20:51 transmit(10.120.0.21)
2012-08-27 17:20:51 no server suitable for synchronization found
2012-08-27 17:20:51
2012-08-27 17:20:51 waiting for 60 seconds ...

Client request: [screenshot: brech_FD33783_a_FD33783-5-client_fail.png]
Server response: [screenshot: brech_FD33783_a_FD33783-6-server_fail.png]
