A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called next-generation firewall has a very limited GUI while you need to configure all details through the CLI. I hate it, but that’s the way Fortinet is doing it. Furthermore the “set authentication” command is hidden unless you’re downgrading to NTPv3 (?!?) and it only supports MD5 rather than SHA-1. Not that “next-generation”!
Finally, you have no chance of knowing whether NTP authentication is working or not. I intentionally misconfigured some of my NTP keys which didn’t change anything in the NTP synchronization process while it should not work at all. Fail!
I am using a FortiGate FG-100D with FortiOS version v5.6.6 build1630 (GA). If you want to configure custom NTP servers you have to go through the CLI at all:
Then, configuring on the CLI, it took me quite some time to realize that the NTP authentication commands are completely hidden unless you are using NTPv3. Don’t know why this is a requirement at all since NTP authentication, of course, works with NTPv4 as well. And why isn’t this documented?
However, here are the commands I used to set up my three NTP servers with authentication:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
config system ntp set ntpsync enable set type custom config ntpserver edit 1 set server "ntp1.weberlab.de" set ntpv3 enable set authentication enable set key ENC 3xZj6FcN+Hg0ltR3BIQevJR3G+umyFrzN4mXeRRoxlTXM9HwKMMb1wo/t3AscNHjuuVkC58OTXP30U6rPce7RvGXfVfBA81s92JQ9duTKZv3be+N4KPiOM8EbTxYFN9irk/Kf8VuNDVZITsVGW+m6qaJewHycIk4wRypuHbA4s2/6GtL4ryYXHvksoB9bckwqOCqAw== set key-id 1 next edit 2 set server "ntp2.weberlab.de" set ntpv3 enable set authentication enable set key ENC wdqOtz4Q6HAe+RSzpGpx0nqZmRImT2gH3nwGStdDJn93EOLNv+kP5fxxjazyT+ArjRVWZVFYZnT/8fFqujwWP2GhyyALS4FdYPExaKTFAe/9m6DpIzTod1k8m8LbAJT0PnOG+8O3CgqLnhpnHm8v8Cp2oly/iORJ/ajVPQzvuvCuDzHX1fDQxsO4fJhFOVKlMgn/RQ== set key-id 2 next edit 3 set server "ntp3.weberlab.de" set ntpv3 enable set authentication enable set key ENC 0XXZMf6zshlsRxbElifoqXJXRxuM4Pti92wIYHq3pKKjvsHLuGPYx3wpqhylITZcabVS49X6EE6JwmHS22BTrCJLTVoO8TAvKaq/ZXHsawBLLme7WO7VQA5SumIx88q9VCj7Bd9aYKoevn4oBl5VRomY3I78DvoQ015nK8J+zReuWXWGL5LgL9qo3mM7j0YJTTGsgw== set key-id 3 next end end |
In order to view any live values the get system ntp is not quite helpful. At least you can see the sync interval:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
fg # get system ntp ntpsync : enable type : custom syncinterval : 1 ntpserver: == [ 1 ] id: 1 == [ 2 ] id: 2 == [ 3 ] id: 3 source-ip : 0.0.0.0 server-mode : disable |
diagnose sys ntp status helps a bit more:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
fg # diagnose sys ntp status synchronized: yes, ntpsync: enabled, server-mode: disabled ipv6 server(ntp3.weberlab.de) 2003:de:2016:330::dcfb:123 -- reachable(0xff) S:1 T:8 selected server-version=3, stratum=1 reference time is e03fd1c3.96a0308 -- UTC Fri Mar 22 21:27:31 2019 clock offset is 0.019739 sec, root delay is 0.000000 sec root dispersion is 0.000153 sec, peer dispersion is 623 msec ipv6 server(ntp2.weberlab.de) 2003:de:2016:330::6b5:123 -- reachable(0xff) S:0 T:7 server-version=3, stratum=1 reference time is e03fd1bb.d7cf8fae -- UTC Fri Mar 22 21:27:23 2019 clock offset is 0.015482 sec, root delay is 0.000000 sec root dispersion is 0.001114 sec, peer dispersion is 504 msec ipv6 server(ntp1.weberlab.de) 2003:de:2016:336::dcf7:123 -- reachable(0xff) S:0 T:7 server-version=3, stratum=1 reference time is e03fd18c.e184d3e8 -- UTC Fri Mar 22 21:26:36 2019 clock offset is -0.023505 sec, root delay is 0.000000 sec root dispersion is 0.004059 sec, peer dispersion is 411 msec |
Trivia: Failed Upgrade
Initially, I wanted to upgrade the FortiGate for this blogpost to its latest version from v5.6.6 to v5.6.8. Just a minor upgrade, right? However, this upgrade destroyed my VPN that was needed for the NTP servers. Even downgrading the version and restoring hasn’t worked. Just another example why I don’t really like those FortiGates. Details:
I just did a minor upgrade on a @Fortinet #FortiGate FG-100D (5.6.6 to 5.6.8) with the result that my configured IPsec VPN tunnel is completely lost. Fortinet at its best. #fail #Ihaveit pic.twitter.com/76pwBYyFMM
— Johannes Weber ? (@webernetz) March 22, 2019
Featured image “handypics August 2015 087” by PercyGermany™ is licensed under CC BY-NC-ND 2.0.
Did you contact Fortinet about this “problem” ?
Hey Boris,
no, I didn’t. Fortinet is not interested in my feedback as long as there is no big paying customer request behind it. That’s the way it is…
Johannes
Yes, that is how they treated my feature requests. They don’t see big customer request and they don’t care. Still, this could be potential security problem…