Problem to connect from internal network to external ntp server

First off, you don't need the second rule as XG is a stateful firewall. Meaning, if you allow a traffic one way, it will keep the state of this traffic and returning traffic will be allowed as well until the connection is terminated.

Regarding your issue, make sure that the NTP service definition you created is set to sourceport = 1:65535. This is often overlooked.

First off, you don't need the second rule as XG is a stateful firewall. Meaning, if you allow a traffic one way, it will keep the state of this traffic and returning traffic will be allowed as well until the connection is terminated.

Regarding your issue, make sure that the NTP service definition you created is set to sourceport = 1:65535. This is often overlooked.

Source port 1:65535 that are all internal ports? ntp is port 123 udp, so why do you need to open all ports?

The reason is that when your client initiates a connect to the NTP server, the XG will assign a random port from 1024-65535 (AFAIK) so that return traffic will know how to get back to the client who initiated the request. This is the standard Port Address Translation spec because without this, you will not be able to share one public IP to access the internet. This is what the XG or any other router/firewall uses to be able to use one public IP for all internal clients when going to the internet.

Hi thanx for explaination its clear now :-)