Using V18 NAT to achieve NTP-proxy-like functionality

Hi,

The new NAT engine in V18 provides a high degree of flexibility when it comes to solving some interesting network problems. I don't know if it has been shared here or not, but you can use NAT to achieve NTP-proxy-like functionality. A standard use case is that clients would like to use the IP address of the firewall as the NTP server. Consider this as an example environment:

  • Firewall has at least 2 interfaces, LAN and WAN. The LAN interface has an RFC1918 address, and the WAN interface uses a public address.
  • Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'. In this regard, the default gateway and NTP destination use the same address on your clients.
  • The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.


To make this work, create a NAT policy like the following:

  • Original Source: Any host (or LAN subnets)
  • Original Service: NTP
  • Original Destination: XG LAN IP address
  • Translated Source: Masqueraded (this is your WAN IP)
  • Translated Service: Original service
  • Translated Destination: pool.ntp.org (or pick an NTP server of your liking)
  • Inbound Interface: LAN
  • Outbound Interface: ANY

Naturally, you can create variations of this NAT policy, based on your network configuration and the location of the NTP server.

In the new XG V18 architecture training course, there are a few more examples demonstrating how to control NTP and DNS traffic. I encourage you to check out the training material as it provides more in-depth knowledge of the new V18 features.

  • Hi Rob,

    I tried exactly the same configuration but it doesn't work; it seems the NAT rule is not matching the NTP traffic requests.

    On the firewall log I found this denied traffic:

    Field            Value
    (unlabelled)     Firewall
    Time             2020-08-13 16:08:40
    Log comp         Appliance Access
    Log subtype      Denied
    User name        (empty)
    Firewall rule    N/A
    NAT rule         0
    In interface     Port1
    Out interface    (empty)
    Src IP           172.20.37.10
    Dst IP           172.20.37.254
    Src port         53056
    Dst port         123
    Protocol         UDP
    Rule type        (not shown)
    Message ID       (not shown)
    Live PCAP        (not shown)
    Message          (not shown)

    172.20.37.254 is the XG LAN IP address and 172.20.37.10 is the device asking for time service (NTP).

    Any idea?

    Regards.

    Max.
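The NAT policy from Rob's post, modelled in Python and run against the 5-tuple from Max's denied-traffic record. This is an added example, not Sophos code and not anything either poster ran. The WAN address and the resolved pool.ntp.org address are constructed placeholders from the RFC 5737 documentation ranges, the rule's inbound interface is assumed to be the Port1 seen in the log, and the reading of "NAT rule 0" plus "Appliance Access / Denied" as "no NAT policy matched, packet evaluated as traffic to the firewall itself" is this example's interpretation of those two fields.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    in_iface: str


@dataclass(frozen=True)
class NatRule:
    """The subset of V18 NAT policy fields used in the post."""
    orig_src: str                  # Original Source: CIDR, or "any"
    orig_service: Tuple[str, int]  # Original Service as (protocol, dst port); NTP = ("UDP", 123)
    orig_dst: str                  # Original Destination: the XG LAN IP
    translated_src: str            # "masquerade" = rewrite source to the egress (WAN) IP
    translated_dst: str            # Translated Destination: the real NTP server
    in_iface: str                  # Inbound Interface name, or "any"


# Assumed placeholder addresses (RFC 5737 documentation ranges), not from the thread.
WAN_IP = "203.0.113.10"        # what "Masqueraded" becomes on the WAN side
NTP_SERVER_IP = "192.0.2.123"  # stands in for a resolved pool.ntp.org address

# Rob's policy, with the inbound interface assumed to be the Port1 seen in Max's log.
RULE = NatRule("any", ("UDP", 123), "172.20.37.254", "masquerade", NTP_SERVER_IP, "Port1")
# Same policy with an inbound-interface name that does not equal the ingress interface name.
RULE_IFACE_MISMATCH = replace(RULE, in_iface="Lan")

# Constructed copy of the fields in Max's denied-traffic record.
MAX_LOG = {
    "Log comp": "Appliance Access", "Log subtype": "Denied", "Firewall rule": "N/A",
    "NAT rule": "0", "In interface": "Port1", "Src IP": "172.20.37.10",
    "Dst IP": "172.20.37.254", "Src port": "53056", "Dst port": "123", "Protocol": "UDP",
}


def packet_from_log(rec: dict) -> Packet:
    """Build the client's request packet from the log viewer fields."""
    return Packet(rec["Src IP"], rec["Dst IP"], rec["Protocol"],
                  int(rec["Src port"]), int(rec["Dst port"]), rec["In interface"])


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """Every 'Original ...' condition and the inbound interface must hold for the policy to apply."""
    if rule.orig_src != "any" and ip_address(pkt.src_ip) not in ip_network(rule.orig_src):
        return False
    if (pkt.proto, pkt.dst_port) != rule.orig_service:
        return False
    if pkt.dst_ip != rule.orig_dst:
        return False
    return rule.in_iface == "any" or rule.in_iface == pkt.in_iface


def apply_nat(rule: NatRule, pkt: Packet, wan_ip: str) -> Optional[Packet]:
    """DNAT to the real NTP server and masquerade the source; None when the rule does not match."""
    if not rule_matches(rule, pkt):
        return None
    src = wan_ip if rule.translated_src == "masquerade" else rule.translated_src
    return replace(pkt, src_ip=src, dst_ip=rule.translated_dst)


def reverse_nat(client_pkt: Packet, reply: Packet) -> Packet:
    """Undo both translations on the server's reply using the recorded original 5-tuple,
    so the client sees the answer come from the firewall LAN IP it asked."""
    return replace(reply, src_ip=client_pkt.dst_ip, dst_ip=client_pkt.src_ip,
                   src_port=client_pkt.dst_port, dst_port=client_pkt.src_port)


def diagnose(rec: dict) -> str:
    """Read the two fields that say whether a NAT policy was applied before the drop."""
    if rec["NAT rule"] == "0" and rec["Log comp"] == "Appliance Access":
        return ("no NAT rule matched (NAT rule 0); the packet was evaluated as traffic "
                "to the appliance itself and denied by the Appliance Access component")
    if rec["NAT rule"] != "0":
        return f"NAT rule {rec['NAT rule']} matched; check the firewall rule that follows it"
    return "no NAT rule matched; denied by " + rec["Log comp"]


if __name__ == "__main__":
    client = packet_from_log(MAX_LOG)
    print("log says:", diagnose(MAX_LOG))
    print("translation the policy should produce:", apply_nat(RULE, client, WAN_IP))
    print("with an interface name mismatch:", apply_nat(RULE_IFACE_MISMATCH, client, WAN_IP))
```

Running it shows what the policy is meant to do with exactly this request (destination rewritten to the NTP server, source to the WAN IP, ports untouched) next to what the log actually recorded (NAT rule 0, so nothing was rewritten). The mismatch rule is there only to show one generic way a matcher ends up at "no rule matched": the inbound-interface condition is compared against the name of the interface the packet arrived on, so a policy written for one name never sees traffic logged on another.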
