
Sophos as NTP Source?

Hello,

In UTM 9 i was able to point Sophos at a time source, and then internal clients could reference it for time. I don't see this option in XG, is this no longer possible?

Thanks!



  • Hi 

    Could you please check the attached configuration. I tried routing NTP traffic to a public NTP server. It's not working. Could you please help with this?

    All i need is to forward the NTP requests to a public NTP server.

     

    Model: XG450 (SFOS 17.0.5 MR-5) 

    Rule Type:Business Application Rule

  • Hi,

    Why are you using a business rule? A simple network rule would be adequate.

    Source (local LAN), local network, destination WAN, any, service NTP.

    If you want to provide more security in the destination you can use the FQDN group for the NTP servers.

    Do you have country blocking enabled? I have found that country blocking blocked my NTP access for country-based NTP servers, e.g. AU and US business and government servers.

    Ian

  • Hi,

    but the XG is not an NTP server and does not have that function.

    Ian

  • Finally I got it working. I forwarded NTP requests coming to the Sophos device to a public NTP server.

    Note:
    ** Do not use default Sophos NTP service, for some reason it was not working
    ** Create a custom NTP service with entry only for UDP 123
    ** Ensure to masquerade the DNAT rule
    ** Create new Business rule type DNAT

     

  • Hi,

    as far as I can see you have done it in a very convoluted way. Also you appear to be allowing your XG to be an NTP relay by having WAN in the source zone.

    You didn't need to add udp ntp service it is already in the XG.

    Ian

  • Is it me or are you allowing the whole universe, and more, to access an internal device 172.16.x1x.xxx via service NTP??? NAT or not, it seems to me you're naked and vulnerable!!!

    I too noticed NTP does not work sometimes. And I too have created a custom NTP service.

  • Hi CharlesEapen,

     

    As I see it, we have the same idea for a workaround for the "open feature". :-)

    You should remove "WAN" from the zones, there is no need for it.

    It's not a security leak, as Big_Buck suggests, because it is mapped to LAN and not WAN, but it doesn't look really clean. :-)

     

    @ rfcat_vk

    You have to create a separate service, like CharlesEapen did it.

    The original "NTP" service in the XG contains two entries, TCP 123 and UDP 123.

    The problem is, a "Business Application Rule" (DNAT) doesn't work with more than one target port. :-(

    So for NTP TCP & UDP support you have to create two rules, one for NTP_UDP_123 and one for NTP_TCP_123.

     

     

    At the end of the day, it works but an integrated NTP server is definitely a better solution.

    I have to create over 30 rules for simple NTP "server" support on 15 internal networks. :-(

     

    Alexander Fuchs

    IT System Admiral

    IT Technology Senior Evangelist
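    To confirm that a DNAT redirect like the one discussed above actually hands internal clients a usable answer, here is an added example (not from this thread, Sophos, or any poster): a minimal NTP client in Python that sends a mode-3 request to an address you supply (for instance the XG's LAN interface IP, an assumption) and decodes the reply's mode, stratum, reference ID and transmit timestamp. A timeout means the rule is not matching; a stratum-0 "kiss-of-death" reply means the upstream pool is rate-limiting you; an answer to the same query arriving from the WAN side means the source zone is broader than it should be.

    ```python
    import socket
    import struct
    import time

    # Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
    NTP_EPOCH_OFFSET = 2208988800


    def build_ntp_request() -> bytes:
        # 48-byte NTPv3 client packet: LI=0, VN=3, Mode=3 -> first byte 0x1B, rest zero.
        return b"\x1b" + bytes(47)


    def parse_ntp_response(data: bytes) -> dict:
        """Decode the header fields a sanity check cares about from a 48-byte reply."""
        if len(data) < 48:
            raise ValueError("short NTP packet: %d bytes" % len(data))
        first, stratum = data[0], data[1]
        li, version, mode = first >> 6, (first >> 3) & 7, first & 7
        ref_id = data[12:16]
        tx_sec, tx_frac = struct.unpack("!II", data[40:48])
        # Stratum 0 (kiss-o'-death) and stratum 1 carry an ASCII code in ref_id
        # ("RATE", "GPS", ...); stratum 2 and above carry the upstream server's IPv4.
        if stratum <= 1:
            ref = ref_id.decode("ascii", "replace").rstrip("\x00")
        else:
            ref = ".".join(str(b) for b in ref_id)
        return {
            "li": li, "version": version, "mode": mode, "stratum": stratum,
            "ref_id": ref, "tx_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
            "kiss_of_death": stratum == 0,
        }


    def looks_sane(info: dict) -> bool:
        """A usable answer is a server reply (mode 4), stratum 1-15, clock not unsynchronised (LI != 3)."""
        return info["mode"] == 4 and 1 <= info["stratum"] <= 15 and info["li"] != 3


    def query(server: str, timeout: float = 2.0) -> dict:
        """Send one request to `server` (assumed: the firewall's LAN IP when testing the DNAT rule)."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_ntp_request(), (server, 123))
            data, _ = sock.recvfrom(512)
        info = parse_ntp_response(data)
        info["offset"] = info["tx_time"] - time.time()  # rough local clock offset in seconds
        return info
    ```

    Run `looks_sane(query("<firewall LAN IP>"))` from an internal host; the reference ID of a stratum-2 reply should be an address of the pool server the rule forwards to, not the firewall itself.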

  • Understand what you are doing and probably should do the same thing for the DNS?

    Ian

  • Hi rfcat_vk,

     

    for DNS there is no need to do that.

    In contrast to NTP the DNS (Service/Server/Proxy) works fine on the XG.

     

    You will find a good configuration example behind the following link.

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/32566/solved-dns-best-practice/109152#109152

     

    rfcat are you really around 70?

    If yes, then my major respect that you work with an XG setup.

    I see a lot of younger guys who were completely overwhelmed by the configuration of an XG.

     

    Best Regards

    Alexander Fuchs

    IT System Admiral

    IT Technology Senior Evangelist

  • Hi Alexander,

    that post/thread is for the UTM and you would be the first person to say that the XG has DNS proxy similar to the UTM, but thinking about the default configuration where the internal devices point at the internal interface I suppose that then indicates a DNS proxy.

    Yes, I am 70 in a couple of months. The company I worked for was installing Palo Alto devices a couple of years ago and I needed to understand how they worked; there was no training budget and XG v15 happened to be released at the same time. The thinking is totally different and not always easy to grasp, but I give it my best shot. I have had some good teachers in these forums, Flo, Luk etc.

    I have been using the UTM since 2005.

     

    Ian

  • Hi rfcat_vk,


    I see, I have to relativize my statement regarding DNS.

    The “DNS-Service” on the XG is not really a full DNS-Server, it’s more a Proxy/Relay.   

    But that is exactly the same as I have seen on all other firewalls over the last 20 years.

    OK, the handling is a little bit confusing, but at the end of the day the XG does exactly what I want and need.

     

    After today, no one can tell me that the XG is a bad firewall or anything of the sort.

    Yes, sure, "she" is very touchy when she is not handled the way she wants.

    But if you take your time and try to understand her correctly, you will be rewarded in the end with a very good solution.

        

    A partner and I brought a setup at a customer online today, where the Sophos presales said "Guys, you're sure … we not".

     

    Forefront-Firewall:

    XG 330 CLUSTER

    • Multiple LAG’s
    • Multiple VLANS also on LAGS
    • Multiple DMZ’s
    • Multiple ISP’s
    • DNS
    • DHCP
    • NTP (Server)
    • NAT
    • DNAT
    • WAF
    • ATP
    • IPS
    • AD Authentication
    • SMTP-Proxy (Exchange)
    • HTTPS-Proxy (with Terminal Server Support)
    • Hotspot
    • Site to Site VPN also to a SG
    • SSL-VPN for the Remoteusers

     

    Backend-Firewall:

    XG 330 CLUSTER

    • Multiple LAG’s
    • Multiple VLANS also on LAGS
    • Multiple (V)LAN’s (User/Server/Machinery)
    • Multiple Management (V)LAN’s (Hyperv/Switch Administration/Backup)
    • DNS
    • DHCP
    • NTP (Server)
    • ATP
    • IPS

     

     

    We did the switch today from 12:15 till 13:15.

    Now, at the end of the day, we have the following state.

    • Customer is very happy
    • The Partner is very happy
    • Me is more than very happy

     

     

    Have a nice Evening

     

    Alexander Fuchs

     

    IT System Admiral

    IT Technology Senior Evangelist

  • I'm late to the show, but my business rule only has 'LAN' as source, which covers all of my VLANs looking for NTP.

    I created a service 'NTP-udp' for port 123.  No need for a TCP rule.  NTP on my gear is not using TCP.

    All my Cisco switches are synced with an FQDN '3.north-america.pool.ntp.org' .

    The NTP pool FQDN is working...different switches have received updates from different IP addresses in that pool.

     

    Next step...can we create a group with multiple FQDNs?  I'd like to use more than one pool.

     

    But...at least I'm happy I got this far.  XG firewall is a strange animal.

     

     

  • Hi,

    you can create an FQDN group in the Hosts and Services -> FQDN Host Group tab. You could have used the existing service definition for NTP regardless of your TCP requirements.

    Ian

  • I'm exploring moving from utm to XG also.

    I too use the UTM's NTP server to keep everything in sync.  I find not including an NTP server function a significant oversight.  I'm surprised this still hasn't been added considering the simplicity of the function itself.

    So I guess for now it leaves this convoluted approach of redirecting all NTP requests that go to the LAN interface IP (I'm still learning XG terminology) to the internet.

    In my case this will work with most devices except for those that don't have gateway and DNS addresses defined.  One example is my network printer.  It has no business doing anything outside the local LAN. Its static IP is defined with just the IP/subnet mask.

    Without allowing it internet access, how do I get it to sync time?

  • Hello

    v18 is in "radio silence" mode these days.  Our firewall renewal is showing on the horizon and not knowing what's coming does not help.  So many basic things missing: full-featured DHCP, XG as NTP source, usable logs, etc.

    Paul Jr

  • I simply DNAT NTP traffic from my old UTM interface (IP) to my DC and use the NTP server of my DC.

    My DC is the only source which can use NTP.

    As simple as that, it's a workaround.

     

    UTM NTP Server is quite simple. It simply stores the time. So basically no security benefits at all. 

  • LuCar Toni said:
    UTM NTP Server is quite simple. It simply stores the time. So basically no security benefits at all. 

    Not quite true, because you could point your internal devices at it either individually or via network object. Also you could set which NTP services it accessed, you could test the servers to see which were failing/accurate.

    Ian

  • I am not sure, what you mean. 

    If I redirect everything to my DC / NTP server in my network, I can use this NTP server with more possibilities than the UTM can offer right now.

     

    Or maybe i miss your point? 

    NTP Server (and which should i use) are sometimes a real issue. 

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22627/use-the-utm-as-an-ntp-server#pi2353=2

    Some devices are not using the DNS/DHCP server, so they will try to reach the internet pool and sometimes fail.

     

    There is another limitation of not being able to create DNAT rules from LAN to WAN like in UTM.  


    But this is addressed, as far as i know, with future releases. 

    And again, this is just a UTM workaround for addressing another issue. If XG had a NTP server / proxy right now, it would not help for this issue at all. 

     

    PS: I do not want to argue with you at all. I would like to see an NTP server in XG as well. But I do not think this is the right solution for this point right now. You would need a transparent NTP proxy, not an NTP server.

  • I was talking about the UTM, not the DC.

    Bring on NTP proxy in XG.

    Ian

  • Hello Lucar Toni

    I assume your DCs are Windows.  In that case, many devices will not use Windows as NTP.  It is well known that Windows' NTP is a "Windows" NTP only, and nothing else.  It is not a full-featured universal NTP.  Many devices will not talk to Windows as an NTP source, namely hardware devices like switches and bare-metal servers' UEFI (or BIOS).  For example, IBM's Storwize was incompatible with Windows NTP.

    Some reading: support.ntp.org/.../WindowsTimeService

    What I foresee for XG is at least NTP relay "without rules".  Leaving managing NTP pools and firewall rules entirely to XG.  

    Paul Jr