Hello,
In UTM 9 i was able to point Sophos at a time source, and then internal clients could reference it for time. I don't see this option in XG, is this no longer possible?
Thanks!
Could you please check the attached configuration. I tried routing NTP traffic to a public NTP server. It's not working. Could you please help with this?
All i need is to forward the NTP requests to a public NTP server.
Model: XG450 (SFOS 17.0.5 MR-5)
Rule Type: Business Application Rule
Hi,
Why are you using a business rule? A simple network rule would be adequate.
Source (local LAN), local network, destination WAN, any, service NTP.
If you want to provide more security in the destination you can use the FQDN group for the NTP servers.
Do you have country blocking enabled? I have found that country blocking blocked my NTP access for country-based NTP servers, e.g. AU and US business and government servers.
Ian
Finally I got it working. I forwarded NTP requests coming to the Sophos device to a public NTP server.
Note:
** Do not use the default Sophos NTP service; for some reason it was not working
** Create a custom NTP service with an entry only for UDP 123
** Ensure you enable masquerading on the DNAT rule
** Create a new Business Application Rule of type DNAT
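A small check for the forwarding described above, from a LAN client: an added example, not code from the thread or from Sophos. It is a minimal SNTP client that sends one UDP/123 request to the XG's LAN address (172.16.0.1 is an assumed placeholder) and decodes the reply, so you can confirm that the DNAT rule really returns answers from the upstream server (mode 4, non-zero stratum) rather than timing out.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the UNIX epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client), all else zero."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_reply(data: bytes) -> dict:
    """Decode the fields a forwarding check cares about from a 48-byte reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first = data[0]
    leap, version, mode = first >> 6, (first >> 3) & 0x07, first & 0x07
    stratum = data[1]
    # Transmit timestamp: 32-bit seconds + 32-bit fraction, big-endian, at offset 40.
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    unix_time = tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}, wanted 4 (server)")
    if stratum == 0 or leap == 3:
        # Stratum 0 is a kiss-of-death packet; LI=3 means the source is unsynchronised.
        raise ValueError("kiss-of-death or unsynchronised time source")
    return {"version": version, "stratum": stratum, "unix_time": unix_time}


def query_ntp(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Send one request over UDP 123 and report the offset against local time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (host, port))
        data, _ = sock.recvfrom(512)
    result = parse_ntp_reply(data)
    result["offset_s"] = result["unix_time"] - time.time()
    return result


if __name__ == "__main__":
    import sys
    # Placeholder: replace with the XG LAN address the DNAT rule listens on.
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.0.1"
    print(query_ntp(target))
```

If the call times out, the rule (or the country-blocking mentioned earlier in the thread) is dropping the request or the upstream reply; a mode/stratum error means something other than a synchronised server answered.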
Is it me, or are you allowing the whole universe, and more, to access an internal device 172.16.x1x.xxx via service NTP??? NAT or not, it seems to me you're naked and vulnerable!!!
I too noticed NTP does not work sometimes. And I too have created a custom NTP service.
Hi CharlesEapen,
As I see it, we have the same idea for a workaround for the "open feature". :-)
You should remove "WAN" from the Zones; there is no need for it.
It's not a security leak, as Big_Buck suggests, because it is mapped to LAN and not WAN, but it doesn't look really clean. :-)
@ rfcat_vk
You have to create a separate service, like CharlesEapen did it.
The original "NTP" service in the XG contains two entries, TCP 123 and UDP 123.
The problem is, a "Business Application Rule" (DNAT) doesn't work with more than one target port. :-(
So for NTP TCP & UDP support you have to create two rules, one for NTP_UDP_123 and one for NTP_TCP_123.
At the end of the day it works, but an integrated NTP server is definitely a better solution.
I have to create over 30 rules for simple NTP "server" support on 15 internal networks. :-(
Alexander Fuchs
IT System Admiral
IT Technology Senior Evangelist
Hi rfcat_vk,
For DNS there is no need to do that.
In contrast to NTP, the DNS (service/server/proxy) works fine on the XG.
You'll find a good configuration example behind the following link.
rfcat, are you really around 70?
If yes, then my major respect that you work with an XG setup.
I see a lot of younger guys who are completely overwhelmed with the configuration of an XG.
Best Regards
Alexander Fuchs
IT System Admiral
IT Technology Senior Evangelist
Hi Alexander,
That post/thread is for the UTM, and you would be the first person to say that the XG has a DNS proxy similar to the UTM's; but thinking about the default configuration, where the internal devices point at the internal interface, I suppose that does indicate a DNS proxy.
Yes, I am 70 in a couple of months. The company I worked for was installing Palo Alto devices a couple of years ago and I needed to understand how they worked; there was no training budget and XG v15 happened to be released at the same time. The thinking is totally different and not always easy to grasp, but I give it my best shot. I have had some good teachers in these forums, Flo, Luk etc.
I have been using the UTM since 2005.
Ian
Hi rfcat_vk,
I see, I have to relativize my statement regarding DNS.
The "DNS service" on the XG is not really a full DNS server; it's more of a proxy/relay.
But that is exactly the same as what I have seen on all other firewalls over the last 20 years.
OK, the handling is a little bit confusing, but at the end of the day the XG does exactly what I want and need.
…
After today, no one can claim to me that the XG is a bad firewall or anything like that.
Yes, sure, "she" is very touchy when she is handled in a way she doesn't like.
But if you take your time and try to understand her correctly, you will be rewarded in the end with a very good solution.
A partner and I brought a setup online at a customer today, where Sophos Presales said "Guys, are you sure ... we're not".
Forefront-Firewall:
XG 330 CLUSTER
Backend-Firewall:
XG 330 CLUSTER
We did the switch today from 12:15 until 13:15.
Now, at the end of the day, we have the following state.
Have a nice Evening
Alexander Fuchs
IT System Admiral
IT Technology Senior Evangelist