LAN Clients unable to receive External NTP Server Time

Question

Hello, 
 Recently moved from UTM to XG and I'm encountering an issue where my LAN clients are unable to receive NTP replied from NTP servers. I did not have this issue in UTM. 
 My general rule setup is to allow any LAN client unrestricted access to the internet. When viewing the logs, port 123 traffic is allowed outbound, but does not appear that any client is recieiving the reply. I have no other known issues connecting to the internet for any other services. The Sophos XG appliance is able to get accurate time from NTP servers. 
 Are there any configurations I should be making to allow NTP for the LAN clients? 
 Thanks! 
 Brad

Badrobot · Answer

I had to create a specific firewall rule for this- 
 
 Source - LAN 
 Device - ANY (You can define this more) 
 Destination - WAN 
 Device - the location you are pulling NTP from ex ntp.pool.org enter as IP or FQDN (host name) 
 Service - NTP 
 
 Then place at the top, you do not need protection for this since it will only allow to the specific destination, on the specific port.

rfcat_vk · Answer

Hi, 
 Once a connection is established you do not see traffic in both directions unless you are using an analyser. Logviewer only shows the connection and because it is created from your devices there is never any returned traffic showing. 
 Why do you think that the devices are not receiving the NTP updates? 
 Ian

LHerzog · Answer

I stumbled accross this when setting up a SG firewall in a new customers network. 
 I had the same issue with NTP server access because the PDC could not access any external NTP server. Firewall rules were in place. 
 
 After a while I found out that someone misconfigured the internal server with PDC FSMO role with a bad w32tm command line setting some time ago. 
 The problem is the AnnounceFlag 0x8 behind the IP address of the external NTP server. The 0x8 setting sets Windows Time to use client mode. 
 w32tm /config /manualpeerlist: NTP_server_IP_Address , 0x8 
 
 Solution: 
 do not use 0x1 or 0,8 or whatever, just use the IP addresses, no flags. 
 Simply enter the correct command on the PDC to overwrite the current setting 
 e.g. 
 w32tm /config /manualpeerlist:"0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org" /syncfromflags:manual /reliable:yes /update 
 restart Windows Time service. 
 
 Update: 02 June 2020 
 At an other customer I had a similar problem. NTP was configured correctly in Windows. But between Sophos SG and WAN was a HP OfficeConnect 1920s Layer2 Switch. The Switch has a Anti-DoS feature enabled by default called Automatic Denial-of-Service (DoS) protection 
 A Sub-feature is: Prevent UDP Blat Attack 
 This drops packets that have a UDP source port equal to the UDP destination port. That is what matches to UDP Communication. So there the switch broke NTP. After disabling UDP Blat Attack NTP was working.