Sophos as NTP Source?

Hello,

In UTM 9 I was able to point Sophos at a time source, and then internal clients could reference it for time. I don't see this option in XG; is this no longer possible?

Thanks!

  • In reply to rfcat_vk:

    Hi rfcat_vk,

    I see, I have to qualify my statement regarding DNS.

    The “DNS service” on the XG is not really a full DNS server; it’s more of a proxy/relay.

    But that is exactly the same as what I have seen on all other firewalls for the last 20 years.

    OK, the handling is a little bit confusing, but at the end of the day the XG does exactly what I want and need.

    After today, no one can tell me that the XG is a bad firewall or anything like that.

    Yes, sure, “she” is very touchy when she is not handled the way she wants.

    But if you take your time and try to understand her properly, you will be rewarded in the end with a very good solution.

    A partner and I brought a setup online at a customer today, where Sophos Presales said “Guys, are you sure … we’re not”.

    Front-end firewall:

    XG 330 CLUSTER

    • Multiple LAGs
    • Multiple VLANs, also on LAGs
    • Multiple DMZs
    • Multiple ISPs
    • DNS
    • DHCP
    • NTP (server)
    • NAT
    • DNAT
    • WAF
    • ATP
    • IPS
    • AD authentication
    • SMTP proxy (Exchange)
    • HTTPS proxy (with Terminal Server support)
    • Hotspot
    • Site-to-site VPN, also to an SG
    • SSL VPN for the remote users

    Back-end firewall:

    XG 330 CLUSTER

    • Multiple LAGs
    • Multiple VLANs, also on LAGs
    • Multiple (V)LANs (user/server/machinery)
    • Multiple management (V)LANs (Hyper-V/switch administration/backup)
    • DNS
    • DHCP
    • NTP (server)
    • ATP
    • IPS

    We did the switchover today from 12:15 to 13:15.

    Now, at the end of the day, the state is as follows.

    • The customer is very happy
    • The partner is very happy
    • I am more than very happy

    Have a nice evening

    Alexander Fuchs

    IT System Admiral

    IT Technology Senior Evangelist

  • In reply to Alexander Fuchs:

    I'm late to the show, but my business rule only has 'LAN' as source, which covers all of my VLANs looking for NTP.

    I created a service 'NTP-udp' for port 123. No need for a TCP rule; NTP on my gear is not using TCP.

    All my Cisco switches are synced with the FQDN '3.north-america.pool.ntp.org'.

    The NTP pool FQDN is working: different switches have received updates from different IP addresses in that pool.

    Next step: can we create a group with multiple FQDNs? I'd like to use more than one pool.

    But at least I'm happy I got this far. XG firewall is a strange animal.

  • In reply to AlanLeghart:

    Hi,

    You can create an FQDN group in the Host and Services -> FQDN Host Group tab. You could have used the existing service definition for NTP regardless of your TCP requirements.

    Ian

  • In reply to rfcat_vk:

    I'm exploring moving from UTM to XG also.

    I too use UTM's NTP server to keep everything in sync. I find not including an NTP server function a significant oversight. I'm surprised this still hasn't been added, considering the simplicity of the function itself.

    So I guess for now, it leaves this convolution of redirecting all NTP requests that go to the LAN interface IP (I'm still learning XG terminology) to the Internet.

    In my case this will work with most devices except for those that don't have gateway and DNS addresses defined. One example is my network printer. It has no business doing anything outside the local LAN. Its static IP is defined with just the IP/subnet mask.

    Without allowing it internet access, how do I get it to sync time?

  • In reply to Jay Jay:

    Hello

    v18 is in "radio silence" mode these days. Our firewall renewal is showing on the horizon, and not knowing what's coming does not help. So many basic things are missing: full-featured DHCP, XG as NTP source, usable logs, etc.

    Paul Jr

  • In reply to Jay Jay:

    I simply DNAT NTP traffic from my old UTM interface (IP) to my DC and use the NTP server of my DC.

    My DC is the only source which can use NTP.

    As simple as that, as a workaround.

    The UTM NTP server is quite simple. It simply stores the time. So basically no security benefits at all.

  • In reply to LuCar Toni:

    LuCar Toni
    The UTM NTP server is quite simple. It simply stores the time. So basically no security benefits at all.

    Not quite true, because you could point your internal devices at it either individually or via network object. Also you could set which NTP services it accessed, you could test the servers to see which were failing/accurate.

    Ian
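
Two points in the posts above are easy to verify with a few lines of code: NTP is a UDP/123 exchange with no TCP transport (AlanLeghart's service definition), and an internal time source is only useful if you can test which upstream servers are failing or accurate (Ian's point about the UTM). The following minimal SNTP client is an added example written for this thread; it is not code from Sophos, UTM, XG or any poster. It builds the 48-byte client request, parses the server reply, and computes the clock offset and round-trip delay the way RFC 4330 describes. The `make_server_reply` helper is a constructed stand-in for a real server so the checks run offline; `query_server` is the same logic over a live UDP socket.

```python
"""Minimal SNTP client: one UDP/123 request, parse the reply, judge the server.
Added example for this thread; not Sophos/UTM/XG code."""
import socket
import struct
import time

NTP_PORT = 123                 # NTP uses UDP 123 only; there is no TCP transport to allow
NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET_FMT = "!BBBbIIIQQQQ"    # 48-byte NTP header: flags, stratum, poll, precision, 3x32-bit, 4x64-bit timestamps
MODE_CLIENT, MODE_SERVER = 3, 4
LEAP_UNSYNC = 3                # LI=3: server clock is not synchronised, do not trust it


def to_ntp_ts(unix_time):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(tx_time):
    """LI=0, VN=4, Mode=3 (client); only the transmit timestamp is filled in."""
    header = (0 << 6) | (4 << 3) | MODE_CLIENT
    return struct.pack(PACKET_FMT, header, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(tx_time))


def parse_packet(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FMT, data[:48])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
        "stratum": f[1], "ref_id": f[6],
        "orig": from_ntp_ts(f[8]), "recv": from_ntp_ts(f[9]), "tx": from_ntp_ts(f[10]),
    }


def assess_response(data, t1, t4):
    """Judge a reply given our send time t1 and receive time t4.
    Returns ok=False with a reason for anything a sync client should refuse."""
    pkt = parse_packet(data)
    if pkt["mode"] != MODE_SERVER:
        return {"ok": False, "reason": "not a server reply (mode %d)" % pkt["mode"]}
    if pkt["stratum"] == 0:
        return {"ok": False, "reason": "stratum 0 / kiss-o'-death: server refuses service"}
    if pkt["leap"] == LEAP_UNSYNC:
        return {"ok": False, "reason": "server clock unsynchronised"}
    if abs(pkt["orig"] - t1) > 1e-3:
        # A genuine reply echoes our transmit timestamp in the originate field.
        return {"ok": False, "reason": "originate timestamp mismatch: reply does not match our request"}
    t2, t3 = pkt["recv"], pkt["tx"]
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far our clock is from the server's
    delay = (t4 - t1) - (t3 - t2)             # network round trip excluding server processing
    return {"ok": True, "stratum": pkt["stratum"], "offset": offset, "delay": delay, "reason": "ok"}


def query_server(host, timeout=2.0):
    """Live check of one server over UDP 123 (needs network; not exercised offline)."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(t1), (host, NTP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return {"ok": False, "reason": "no reply (timeout): blocked or server down"}
    return assess_response(data, t1, time.time())


def make_server_reply(request, recv_time, tx_time, stratum=2):
    """Constructed reply shaped like a real server's: Mode=4, our transmit timestamp
    copied into the originate field. Used only so the example runs offline."""
    req = struct.unpack(PACKET_FMT, request)
    header = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(PACKET_FMT, header, stratum, req[2], -20, 0, 0, 0,
                       to_ntp_ts(recv_time - 16), req[10],
                       to_ntp_ts(recv_time), to_ntp_ts(tx_time))


if __name__ == "__main__":
    # Offline walk-through with constructed timestamps: our clock is one second slow.
    t1 = t4 = 1700000000.0
    req = build_client_request(t1)
    print(assess_response(make_server_reply(req, 1700000001.0, 1700000001.0), t1, t4))
```

Running `query_server("pool-host.example")` against each entry of a pool gives the per-server failing/accurate picture the UTM used to show; a timeout from an inside host that has no default gateway is exactly the printer case described later in the thread, and the originate-timestamp check is why a DNAT redirect to another server is transparent to the client as long as that server answers properly.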

  • In reply to rfcat_vk:

    I am not sure what you mean.

    If I redirect everything to my DC / NTP server in my network, I can use this NTP server with more possibilities than UTM can offer right now.

    Or maybe I am missing your point?

    NTP servers (and which should I use) are sometimes a real issue.

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22627/use-the-utm-as-an-ntp-server#pi2353=2

    Some devices are not using the DNS/DHCP server, so they will try to reach the Internet pool and sometimes fail.

    There is another limitation of not being able to create DNAT rules from LAN to WAN like in UTM.

    https://community.sophos.com/cfs-file/__key/communityserver-discussions-components-files/51/Dest_2D00_Nat_2D00_Rule_2D00_Redirect_2D00_NTP.png

    But this is addressed, as far as I know, in future releases.

    And again, this is just a UTM workaround for addressing another issue. If XG had an NTP server / proxy right now, it would not help with this issue at all.

    PS: I do not want to argue with you at all. I would like to see an NTP server in XG as well. But I do not think this is the right solution right now for this point. You would need a transparent NTP proxy, not an NTP server.

  • In reply to LuCar Toni:

    I was talking about the UTM, not the DC.

    Bring on NTP proxy in XG.

    Ian

  • In reply to LuCar Toni:

    Hello Lucar Toni

    I assume your DCs are Windows. In that case, many devices will not use Windows as NTP. It is well known that Windows' NTP is a "Windows" NTP only, and nothing else. It is not a full-featured universal NTP. Many devices will not talk to Windows as an NTP source, namely hardware devices like switches and bare-metal servers' UEFI (or BIOS). For example, IBM's Storwize was incompatible with Windows NTP.

    Some reading: support.ntp.org/.../WindowsTimeService

    What I foresee for XG is at least an NTP relay "without rules", leaving the management of NTP pools and firewall rules entirely to XG.

    Paul Jr