Using V18 NAT to achieve NTP proxy like functionality

Hi,

The new NAT engine in V18 provides a high degree of flexibility when it comes to solving some interesting network problems.  I don't know if it has been shared here or not, but you can use NAT to achieve NTP proxy-like functionality.  A standard use case is that clients would like to use the IP address of the firewall as the NTP server. Consider this as an example environment:

  • Firewall has at least 2 interfaces, LAN and WAN.  LAN interface has an RFC1918 address, and the WAN interface utilizes a public address.
  • Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'.  In this regard, the default gateway and NTP destination use the same address on your clients.  
  • The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.

 

To make this work, create a NAT policy like the following:

  • Original Source: Any host (or LAN subnets)
  • Original Service: NTP
  • Original Destination: XG LAN IP address 
  • Translated Source: Masqueraded (this is your WAN IP)
  • Translated Service: Original service
  • Translated Destination: pool.ntp.org (or pick NTP server of your liking)
  • Inbound Interface: Lan
  • Outbound Interface: ANY

Naturally, you can create variations of this NAT policy, based on your network configuration and the location of the NTP server.

In the new XG V18 architecture training course, there are a few more examples demonstrating how to control NTP and DNS traffic.   I encourage you to check out the training material as it provides more in-depth knowledge of the new V18 features.  

 

  • Hello Rob,

    I voted, like the other 665 administrators, to implement the NTP server in the XG Firewall. Unfortunately, even though the NTP server is the second most demanded feature at ideas.sophos.com.
    I think those who understand their work know why they need this feature on a firewall. Unfortunately, even 5 years after the start of XG Firewall development at Sophos, the developers or Product Managers of this product do not understand the importance of implementing this feature in XG Firewall.

    Really very sad finding ....

    Regards

    alda

  • I'm sorry to tell this, but Sophos Ideas shouldn't even exist, just take a moment and look at the amount of ideas there from 2015-2019 that still have 0 answers on it.

    Yes I know that some of those ideas there are terrible, but just look at the most voted ones right now.

    Not only a lot of admins asked for NTP Server on XG, they also asked for this. An Idea from 2014, answered in 2017, with 307 Votes right now, stated as "High Priority" in 2017, on something that all competitors have.

    Also the most voted idea right now, with 706 votes, has no official answer. The idea was made in 2016.

     

    Thanks,

     

    Edit: Don't get me wrong, Sophos Ideas is an incredible thing, on _paper_. It lets your own users give ideas for the good of the product, and it gives those users the ability to talk about new features which they believe are best for the product. It's something that you don't see with the other competitors in the cybersecurity world.

    The problem right now is the reality. You make an idea there, and if you get lucky and enough votes it will get an answer from a Dev/Manager in between 1-2 years; they will tell you it's a great idea and how it will be implemented in a future release, or it's a High Priority idea, and that's pretty much it. Later on, there are no talks about that idea anymore, and you're left in the dark.

    ------------

    v18 MR 2 | Ryzen 3300x | 8GB RAM.

    If a post solves your question use the 'Verify Answer' button.

    I can't find it at the moment, but from memory a post was sent out to all those who voted for the NTP proxy that it will not be implemented in the XG.

    Further, the failure to develop the NTP proxy function in the XG fails the pub test of logic. The suggested method requires any small business that requires an NTP function to set up another box running an NTP server, which becomes another device overhead to manage.

    You cannot use a Windows server as an NTP device except in a pure Windows environment, which does not in reality exist.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55/c - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Rob,

    thanks for this "patch" but community and professional users are waiting for NTP server on XG.

    Please start to consider the idea and put it in your backlog. Implementing a small package like NTP is not so difficult.

    Regards

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Hi Rob,

    IMHO this is an interesting tip - would be cool to see more of these here in the forum. :-)

    I'm doing something similar, but more or less "inverted":

    I'm using the NAT rules to catch all DNS traffic on port 53 tcp/udp and forward it to the XG itself. This way I can avoid any traffic to unwanted nameservers from devices that cannot be reconfigured, e.g. Amazon Echo speakers with hardcoded 8.8.8.8.

    Best Regards

    Dom
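The NAT policy from the opening post, and Dom's inverted DNS variant, expressed as an nftables ruleset generator for a Linux router. This is an added example, not configuration from the original thread or from Sophos: the interface names (eth0 = LAN, eth1 = WAN), the firewall LAN address 192.168.1.1 and the upstream NTP address 203.0.113.5 are hypothetical placeholders. It goes a little beyond the GUI policy in that the generator is parameterized by original destination, protocol and port, so the same function produces both the port-123 steering and the catch-all port-53 redirect, and it emits the filter-side accept rule that the NAT policy alone does not provide.

```shell
#!/bin/sh
# Added example, not from the original thread or from Sophos: the NAT policy
# from the opening post (and Dom's DNS variant) as an nftables ruleset for a
# Linux router. Hypothetical placeholders: eth0 = LAN, eth1 = WAN,
# 192.168.1.1 = firewall LAN address, 203.0.113.5 = chosen upstream NTP server.

# ipv4_ok ADDR: true only for a dotted-quad IPv4 address.
ipv4_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# steer_service LAN_IF WAN_IF FW_IP ORIG_DST PROTO DPORT TARGET
#   ORIG_DST  "any" or an IPv4 address (Original Destination in the XG policy)
#   PROTO     udp or tcp (Original Service)
#   TARGET    where the traffic really goes (Translated Destination)
# Prints one nftables table to stdout; returns 1 on invalid input.
steer_service() {
    lan_if=$1 wan_if=$2 fw_ip=$3 orig=$4 proto=$5 dport=$6 target=$7
    ipv4_ok "$fw_ip" && ipv4_ok "$target" || { echo "steer_service: bad IPv4 address" >&2; return 1; }
    if [ "$orig" = any ]; then
        match=""
    else
        ipv4_ok "$orig" || { echo "steer_service: bad original destination" >&2; return 1; }
        match="ip daddr $orig "
    fi
    case $proto in udp|tcp) ;; *) echo "steer_service: proto must be udp or tcp" >&2; return 1;; esac
    case $dport in ''|*[!0-9]*) echo "steer_service: bad port" >&2; return 1;; esac

    echo "table ip steer_${proto}_${dport} {"
    # Original Destination -> Translated Destination (the DNAT half of the policy).
    echo "    chain prerouting {"
    echo "        type nat hook prerouting priority dstnat; policy accept;"
    echo "        iifname \"$lan_if\" ${match}$proto dport $dport dnat to $target"
    echo "    }"
    if [ "$target" = "$fw_ip" ]; then
        # Dom's variant: the firewall itself answers, so the flow terminates in the
        # input chain and no source translation is needed.
        echo "    chain input {"
        echo "        type filter hook input priority filter; policy accept;"
        echo "        iifname \"$lan_if\" ip daddr $fw_ip $proto dport $dport accept"
        echo "    }"
    else
        # Translated Source: Masqueraded, applied on the way out of the WAN interface.
        echo "    chain postrouting {"
        echo "        type nat hook postrouting priority srcnat; policy accept;"
        echo "        oifname \"$wan_if\" ip daddr $target $proto dport $dport masquerade"
        echo "    }"
        # NAT only rewrites headers; the rewritten flow still needs a filter rule
        # (in a real ruleset this chain normally has policy drop).
        echo "    chain forward {"
        echo "        type filter hook forward priority filter; policy accept;"
        echo "        iifname \"$lan_if\" oifname \"$wan_if\" ip daddr $target $proto dport $dport ct state new accept"
        echo "    }"
    fi
    echo "}"
}

# Opening post: LAN clients send NTP to the firewall's LAN address, which is
# steered to the upstream server. Load with:  steer_service ... | nft -f -
steer_service eth0 eth1 192.168.1.1 192.168.1.1 udp 123 203.0.113.5

# Dom's variant: catch DNS to *any* resolver (a hardcoded 8.8.8.8 included)
# and hand it to the firewall's own resolver, for UDP and TCP.
steer_service eth0 eth1 192.168.1.1 any udp 53 192.168.1.1
steer_service eth0 eth1 192.168.1.1 any tcp 53 192.168.1.1
```

The branch on whether TARGET equals the firewall's own address is the practical difference between the two cases: a steered flow that leaves via the WAN needs masquerading and a forward-chain accept, whereas a flow redirected to the firewall itself is terminated locally and needs an input-chain accept instead. Check a generated table before loading it with `nft -c -f file`.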

  • Yes, Dom, that's another great example.

    In fact, we have a very similar example of that in our training.  You can steer DNS traffic, any service in fact, to the respective sanctioned servers. 

     

    Here's another odd-ball example you can noodle on that I've used NAT for: Imagine you have a network device that is incapable of setting a gateway address, it only has a network address and subnet mask.   Now imagine you have a client that is on a different network that needs access to said device.   As that device can't route out, you wouldn't traditionally be able to access it.  Using creative NAT policies you can get to that local network and manage the device. 

  • Hello Rob,

    That's pretty standard operation of a NAT, as it's not unique to XG v18; you could do this on v15.

    Emile

    Certified Architect | Pro-Services, Support & Pre-Sales Engineer

  • Hi Rob,

    I tried exactly the same configuration but it doesn't work; it seems the NAT rule is not matching the NTP traffic requests.

    On the firewall log I found this denied traffic (log viewer columns, transcribed from the table):

    Time: 2020-08-13 16:08:40
    Log comp: Firewall
    Log subtype: Appliance Access (Denied)
    User name: (empty)
    Firewall rule: N/A
    NAT rule: 0
    In interface: Port1
    Out interface: (empty)
    Src IP: 172.20.37.10
    Dst IP: 172.20.37.254
    Src port: 53056
    Dst port: 123
    Protocol: UDP
    Rule type / Message ID / Live PCAP / Message: (empty)

    172.20.37.254 is the XG LAN IP address and 172.20.37.10 is the device asking for time service (NTP).

    Any idea?

    Regards.

    Max.

  • ...sorry, obviously it needs also a firewall rule to accept the traffic (NAT does only translation).

    So by configuring also this firewall rule:

    • Source zone: LAN
    • Source networks and devices: INTERNAL_LAN (172.20.37.0/24)
    • Destination zones: WAN
    • Destination networks: INTERNAL_GW_IP (172.20.37.254)
    • Services: NTP

    it works like a charm!

    Max.
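A small triage helper for the symptom Max ran into: "Appliance Access / Denied" rows for a service that has been steered by NAT but still lacks a firewall rule. This is an added example, not part of the thread; the pipe-delimited layout is a constructed stand-in for a log viewer export (column order follows the viewer headings in Max's post, with a status column added), and the sample rows are constructed around his addresses.

```shell
#!/bin/sh
# Added example, not from the thread: find LAN hosts whose packets to the
# firewall's own address are being denied as "Appliance Access", which is what
# a NAT policy without its matching firewall rule looks like in the log.
# The log layout below is a constructed stand-in, not an actual XG export.

# Constructed sample: two rows are denied NTP to the gateway (Max's case), one
# is an allowed, already-translated NTP flow, one is an unrelated SSH probe.
SAMPLE_LOG='time|log comp|log subtype|status|user|fw rule|nat rule|in if|out if|src ip|dst ip|src port|dst port|proto
2020-08-13 16:08:40|Firewall|Appliance Access|Denied||N/A|0|Port1||172.20.37.10|172.20.37.254|53056|123|UDP
2020-08-13 16:08:41|Firewall|Appliance Access|Denied||N/A|0|Port1||172.20.37.11|172.20.37.254|40001|123|UDP
2020-08-13 16:08:42|Firewall|Firewall rule|Allowed||3|2|Port1|Port2|172.20.37.10|203.0.113.5|53057|123|UDP
2020-08-13 16:08:43|Firewall|Appliance Access|Denied||N/A|0|Port1||172.20.37.12|172.20.37.254|40002|22|TCP'

# denied_to_self FW_IP [DPORT]  (log rows on stdin)
# Prints "src_ip dst_port count" for every source that was denied appliance
# access to FW_IP; with DPORT given, only that destination port is counted.
# Rows for other destinations (already translated flows) are ignored.
denied_to_self() {
    awk -F'|' -v fw="$1" -v port="$2" '
        NR > 1 && $3 == "Appliance Access" && $4 == "Denied" && $11 == fw && (port == "" || $13 == port) { n[$10 " " $13]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Usage: which hosts are still hitting the gateway on UDP/123 without a rule?
printf '%s\n' "$SAMPLE_LOG" | denied_to_self 172.20.37.254 123
```

Run the check again after adding the firewall rule (LAN to the gateway address, service NTP, as in the post above); the NTP rows should disappear while unrelated denials, such as the port-22 probe, remain.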