Quantcast
Channel: Fortinet – Weberblog.net
Viewing all articles
Browse latest Browse all 36

Fortinet FortiGate (not) using NTP Authentication

$
0
0

A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called next-generation firewall has a very limited GUI while you need to configure all details through the CLI. I hate it, but that’s the way Fortinet is doing it. Furthermore the “set authentication” command is hidden unless you’re downgrading to NTPv3 (?!?) and it only supports MD5 rather than SHA-1. Not that “next-generation”!

Finally, you have no chance of knowing whether NTP authentication is working or not. I intentionally misconfigured some of my NTP keys which didn’t change anything in the NTP synchronization process while it should not work at all. Fail!

This article is one of many blogposts within this NTP series. Please have a look!

I am using a FortiGate FG-100D with FortiOS version v5.6.6 build1630 (GA). If you want to configure custom NTP servers you have to go through the CLI at all:

Then, configuring on the CLI, it took me quite some time to realize that the NTP authentication commands are completely hidden unless you are using NTPv3. Don’t know why this is a requirement at all since NTP authentication, of course, works with NTPv4 as well. And why isn’t this documented?

However, here are the commands I used to set up my three NTP servers with authentication:

config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "ntp1.weberlab.de"
            set ntpv3 enable
            set authentication enable
            set key ENC 3xZj6FcN+Hg0ltR3BIQevJR3G+umyFrzN4mXeRRoxlTXM9HwKMMb1wo/t3AscNHjuuVkC58OTXP30U6rPce7RvGXfVfBA81s92JQ9duTKZv3be+N4KPiOM8EbTxYFN9irk/Kf8VuNDVZITsVGW+m6qaJewHycIk4wRypuHbA4s2/6GtL4ryYXHvksoB9bckwqOCqAw==
            set key-id 1
        next
        edit 2
            set server "ntp2.weberlab.de"
            set ntpv3 enable
            set authentication enable
            set key ENC wdqOtz4Q6HAe+RSzpGpx0nqZmRImT2gH3nwGStdDJn93EOLNv+kP5fxxjazyT+ArjRVWZVFYZnT/8fFqujwWP2GhyyALS4FdYPExaKTFAe/9m6DpIzTod1k8m8LbAJT0PnOG+8O3CgqLnhpnHm8v8Cp2oly/iORJ/ajVPQzvuvCuDzHX1fDQxsO4fJhFOVKlMgn/RQ==
            set key-id 2
        next
        edit 3
            set server "ntp3.weberlab.de"
            set ntpv3 enable
            set authentication enable
            set key ENC 0XXZMf6zshlsRxbElifoqXJXRxuM4Pti92wIYHq3pKKjvsHLuGPYx3wpqhylITZcabVS49X6EE6JwmHS22BTrCJLTVoO8TAvKaq/ZXHsawBLLme7WO7VQA5SumIx88q9VCj7Bd9aYKoevn4oBl5VRomY3I78DvoQ015nK8J+zReuWXWGL5LgL9qo3mM7j0YJTTGsgw==
            set key-id 3
        next
    end
end

In order to view any live values the

get system ntp
is not quite helpful. At least you can see the sync interval:
fg # get system ntp
ntpsync             : enable
type                : custom
syncinterval        : 1
ntpserver:
    == [ 1 ]
    id:     1
    == [ 2 ]
    id:     2
    == [ 3 ]
    id:     3
source-ip           : 0.0.0.0
server-mode         : disable

diagnose sys ntp status
helps a bit more:
fg # diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv6 server(ntp3.weberlab.de) 2003:de:2016:330::dcfb:123 -- reachable(0xff) S:1 T:8 selected
        server-version=3, stratum=1
        reference time is e03fd1c3.96a0308 -- UTC Fri Mar 22 21:27:31 2019
        clock offset is 0.019739 sec, root delay is 0.000000 sec
        root dispersion is 0.000153 sec, peer dispersion is 623 msec

ipv6 server(ntp2.weberlab.de) 2003:de:2016:330::6b5:123 -- reachable(0xff) S:0 T:7
        server-version=3, stratum=1
        reference time is e03fd1bb.d7cf8fae -- UTC Fri Mar 22 21:27:23 2019
        clock offset is 0.015482 sec, root delay is 0.000000 sec
        root dispersion is 0.001114 sec, peer dispersion is 504 msec

ipv6 server(ntp1.weberlab.de) 2003:de:2016:336::dcf7:123 -- reachable(0xff) S:0 T:7
        server-version=3, stratum=1
        reference time is e03fd18c.e184d3e8 -- UTC Fri Mar 22 21:26:36 2019
        clock offset is -0.023505 sec, root delay is 0.000000 sec
        root dispersion is 0.004059 sec, peer dispersion is 411 msec

Note that throughout this setup I misconfigured the NTP keys for server 1 and 2, while only number 3 was correct. However, there was no single hint from the monitoring outputs at all that there is something wrong with the authentication process. This is not how it’s supposed to work!

Trivia: Failed Upgrade

Initially, I wanted to upgrade the FortiGate for this blogpost to its latest version from v5.6.6 to v5.6.8. Just a minor upgrade, right? However, this upgrade destroyed my VPN that was needed for the NTP servers. Even downgrading the version and restoring hasn’t worked. Just another example why I don’t really like those FortiGates. Details:

My overall experience with FortiGate and NTP: fail!

Featured image “handypics August 2015 087” by PercyGermany™ is licensed under CC BY-NC-ND 2.0.


Viewing all articles
Browse latest Browse all 36

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>