No NTP servers configured for Fortinet

Vendor

Fortinet

Description

Many odd and complicated outages occur due to lack of clock synchronization between devices. In addition, logs may have the wrong time stamps. Indeni will alert when a device has no NTP servers configured.

Remediation Steps

Configure one or more NTP servers to be used by this device for clock synchronization.

1. Log in via SSH to the Fortinet firewall and run the FortiOS "execute time" and "execute date" commands to check the current date and time and the date of the last NTP sync.

2. Log in via SSH to the Fortinet firewall and run the FortiOS "diagnose sys ntp status" command to review the status of the NTP servers and the NTP configuration.

3. NTP uses UDP (IP protocol 17) on port 123 to communicate between the client and the servers. Make sure that the firewall rules allow this UDP port and that the device can route toward the NTP servers.

4. Log in via SSH to the Fortinet firewall, run the FortiOS debug commands "diag debug application ntpd -1" and "diag debug enable", and review the debug messages.

5. Make sure the NTP authentication keys match on both ends. See the following link for more information: http://kb.fortinet.com/kb/viewContent.do?externalId=FD33783.

6. More NTP configuration information can be found at http://help.fortinet.com/cli/fos50hlp/56/Content/FortiOS/fortiOS-cli-ref-56/config/system/ntp.htm.

How does this work?

This script logs into the FortiGate using SSH and retrieves the NTP server configuration and status from the output of the "diagnose sys ntp status" command. The output includes the configuration status of the device's NTP servers as well as the configured NTP parameters.
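As an added example (not Indeni's rule code), a Python parser that reads the output of "diagnose sys ntp status" and raises the same condition this rule alerts on, plus reachability and synchronization checks that support step 2 of the remediation. The sample output is constructed, and its exact layout is an assumption that may differ between FortiOS versions.

```python
import re

# Constructed sample output, modelled on the "diagnose sys ntp status" format
# (the layout is an assumption; it varies between FortiOS versions).
SAMPLE_SYNCED = """\
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(ntp1.example.net) 192.0.2.10 -- reachable(0xff) S:4 T:28
        server-version=4, stratum=2
        clock offset is 0.002034 sec, root delay is 0.093246 sec
ipv4 server(ntp2.example.net) 192.0.2.11 -- unreachable(0x00) S:0 T:0
"""
SAMPLE_NO_SERVERS = "synchronized: no, ntpsync: disabled, server-mode: disabled\n"

HEADER_RE = re.compile(r"synchronized:\s*(yes|no),\s*ntpsync:\s*(enabled|disabled)")
SERVER_RE = re.compile(
    r"^ipv[46] server\(([^)]*)\)\s+(\S+)\s+--\s+(reachable|unreachable)", re.M)


def parse_ntp_status(output):
    """Parse the command output into sync flags and a list of servers."""
    header = HEADER_RE.search(output)
    if header is None:
        raise ValueError("unrecognised 'diagnose sys ntp status' output")
    servers = [
        {"name": name, "address": addr, "reachable": state == "reachable"}
        for name, addr, state in SERVER_RE.findall(output)
    ]
    return {
        "synchronized": header.group(1) == "yes",
        "ntpsync": header.group(2) == "enabled",
        "servers": servers,
    }


def ntp_alerts(output):
    """Return a list of alert strings; empty when the device looks healthy."""
    status = parse_ntp_status(output)
    alerts = []
    if not status["ntpsync"] or not status["servers"]:
        alerts.append("No NTP servers configured (ntpsync disabled or no servers)")
    elif not any(s["reachable"] for s in status["servers"]):
        alerts.append("No configured NTP server is reachable")
    if status["servers"] and not status["synchronized"]:
        alerts.append("Clock is not synchronized with any NTP server")
    return alerts


if __name__ == "__main__":
    for label, sample in (("synced", SAMPLE_SYNCED), ("none", SAMPLE_NO_SERVERS)):
        print(label, ntp_alerts(sample) or ["OK"])
```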

Why is this important?

Devices whose clocks are not synchronized cause odd and complicated outages, and their logs carry wrong time stamps, which makes troubleshooting and incident investigation unreliable. A device with no NTP servers configured cannot keep its clock synchronized, so this condition is worth alerting on.

Without Indeni how would you find this?

An administrator would need to log into the device and use the "diagnose sys ntp status" command to identify if the NTP servers are reachable from the device.
