
Sophos Firewall: Using NAT to achieve NTP proxy like functionality

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Overview

The new engine provides great flexibility when solving interesting network problems. I don't know if it has been shared here, but you can use NAT to achieve NTP proxy-like functionality. A common use case is that clients want to use the IP address of the firewall as their NTP server. Consider this as an example environment:

  • The firewall has at least two interfaces: LAN and WAN. The LAN interface has an RFC1918 address, and the WAN interface uses a public address.
  • Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'. In this setup, the default gateway and the NTP destination on your clients are the same address.
  • The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.

Types of Transparent NTP

There are two different approaches to a transparent NTP solution. 

1. NTP must be forwarded to a specific external (WAN) host/host group.

2. NTP must be forwarded to your own resources within the network (an internal NTP server), and this server must provide the time information.

1st Scenario

The first scenario is rather simple.

You need one NAT rule that translates all NTP traffic to a specific host.

Use "Interface matching criteria - Inbound Interfaces" to specify the internal hosts the rule applies to.
This example shows ANY. You can instead select all internal network interfaces (everything except WAN).

This rule matches all NTP traffic, forwards it to a public NTP service, and uses MASQ. MASQ is required for WAN-bound traffic.

You also need a firewall rule:

You can attach IPS rules to this firewall rule if you want.
Build your own NTP IPS rule with all NTP-related IPS patterns.

Regardless of which NTP server IP is configured on a client behind Sophos Firewall (for example 1.2.3.4), the NTP request will work.

2nd Scenario

The second scenario needs more rules, because it is easy to create an NTP loop: a rule that redirects all NTP traffic to the internal server would also catch that server's own upstream requests.
Your internal server therefore needs its own NAT rule and firewall rule.
Example: Windows2016 is an NTP server.

NAT rule #1
NTP server to WAN (lets the internal NTP server reach the NTP servers on the WAN).
You can also force the internal NTP server to get the IP from a specific NTP pool, but we assume the NTP server has its own NTP request pool.

NAT rule #2
It forwards the NTP traffic transparently to the internal NTP server.

Firewall rules:

Firewall rule #1

Allows the traffic from the NTP server to the WAN so it can get the current time.

Firewall rule #2

Allows the traffic from all internal clients to the internal NTP server.
Notice the destination zone.

You can naturally create variations of this NAT policy based on your network configuration and the location of the NTP server.




Revamped RR
[edited by: Erick Jan at 9:14 AM (GMT -7) on 18 Sep 2024]
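
To confirm either scenario from a client, the following added example (not part of the original post) sends an SNTP request to any address, such as the 1.2.3.4 mentioned above, and decodes the reply. Because NAT rewrites the reply's source back to the queried address, the stratum and reference ID are the fields that describe the server that really answered; the sample reply bytes and 192.0.2.10 are constructed values.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([(4 << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the header fields that describe the server that answered."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    if stratum <= 1:   # ASCII clock source (GPS, ...) or kiss code (RATE, DENY, ...)
        ref = data[12:16].decode("ascii", "replace").rstrip("\x00")
    else:              # IPv4 address of the responder's own upstream server
        ref = socket.inet_ntoa(data[12:16])
    return {
        "stratum": stratum, "ref": ref, "leap": leap, "mode": mode,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
        # usable: a server reply (mode 4), synchronised (LI != 3), real stratum
        "usable": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def query(target, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (target, 123))
        data, peer = s.recvfrom(512)
    info = parse_reply(data)
    info["peer"] = peer[0]                      # after NAT this is the queried IP
    info["clock_delta"] = info["unix_time"] - time.time()
    return info

# Constructed sample: stratum-2 server reply whose upstream is 192.0.2.10
SAMPLE_REPLY = struct.pack("!BBBbII4sQQQII", 0x24, 2, 6, -20, 0, 0,
                           socket.inet_aton("192.0.2.10"), 0, 0, 0,
                           NTP_EPOCH_OFFSET + 1700000000, 2**31)

if __name__ == "__main__":
    for target in sys.argv[1:]:                 # e.g. firewall LAN IP, 1.2.3.4
        try:
            print(target, query(target))
        except OSError as exc:                  # timeout or unreachable
            print(target, "no answer:", exc)
```

Run it with several different target addresses: if the NAT rule matches, every target returns the same stratum and reference ID, and a timeout on one of them points at a missing firewall rule or an interface not covered by the NAT rule.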
  • Hello Rob,

    I voted, like the other 665 administrators, to implement the NTP server in the XG Firewall. Unfortunately, even though the NTP server is the second most demanded feature at the ideas.sophos.com.
    I think those who understand their work know why they need this feature on a firewall. Unfortunately, even 5 years after the start of XG Firewall development at Sophos, the developers or Product Managers of this product do not understand the importance of implementing this feature in XG Firewall.

    Really very sad finding ....

    Regards

    alda

  • I'm sorry to tell this, but Sophos Ideas shouldn't even exist, just take a moment and look at the amount of ideas there from 2015-2019 that still have 0 answers on it.

    Yes I know that some of those ideas there are terrible, but just look at the most voted ones right now.

    Not only a lot of admins asked for NTP Server on XG, they also asked for this. An Idea from 2014, answered in 2017, with 307 Votes right now, stated as "High Priority" in 2017, on something that all competitors have.

    Also the most voted Idea right now, with 706 votes, has no official answer. The Idea was made in 2016.

     

    Thanks,

     

    Edit: Don't get me wrong, Sophos Ideas is an incredible thing, on _paper_. It would let your own users give ideas for the own good of the product, also it gives the ability of those users to talk about new features, which they believe are the best for the product. It's something that you don't see with the other competitors in the cybersecurity world.

    The problem right now is the reality. You make an idea there, and if you get lucky and get enough votes, it will get an answer from a Dev/Manager in between 1-2 years. They will tell you it's a great idea and how it will be implemented in a future release, or that it's a High Priority idea, and that's pretty much it. Later on, there's no talk about that idea anymore, and you're left in the dark.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • I can't find it at the moment, but from memory a post was sent out to all those who voted for the NTP proxy that it will not be implemented in the XG.

    Further, the failure to develop the NTP proxy function in the XG fails the pub test of logic. The suggested method requires any small business that requires an NTP function to set up another box running an NTP server, which becomes another device overhead to manage.

    You cannot use a Windows server as an NTP device except in a pure Windows environment, which does not in reality exist.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.