
Forward NTP requests through the firewall using NAT

You can configure internal devices to use the firewall as a relay that forwards their NTP requests to an internal or external NTP server by using NAT. With this setup, the internal clients use the firewall's IP address both as their default gateway and as their NTP server.

There are two configuration options:

  • Forward NTP requests from internal devices to an external NTP server, for example, 1.sophos.pool.ntp.org.
  • Forward NTP requests from internal devices to an internal NTP server.

Step-by-step instructions for both setups follow, starting with the external NTP server.

To forward NTP requests from internal devices through the firewall to an external NTP server, do as follows:

  1. Create an FQDN host for the external NTP server.
  2. Configure a NAT rule to forward NTP requests through the firewall.
  3. Configure a firewall rule to allow NTP traffic.

This setup lets internal devices use the firewall's IP address as their NTP server while the firewall synchronizes time from the external NTP server.

Create an FQDN host

To create an FQDN host for the external NTP server, do as follows:

  1. Sign in to the web admin console.
  2. Go to Hosts and services > FQDN host and click Add.
  3. Enter a Name.
  4. Under FQDN, enter the NTP server's FQDN. For example, 1.sophos.pool.ntp.org.

    External NTP server.

  5. Click Save.

Configure a NAT rule

To configure a NAT rule to forward all NTP requests to an external NTP server, do as follows:

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule > New NAT rule.
  3. Configure the following settings:

    1. Rule name: Enter a name.
    2. Rule position: Select Top.
    3. Original service: Remove Any, then select NTP.
    4. Translated source (SNAT): Select MASQ.
    5. Translated destination (DNAT): Select the external NTP server you created.
    6. Inbound interface: Remove Any, then select all your internal network interfaces. Alternatively, you can use Any.

    External NTP server NAT.

  4. Click Save.

Configure a firewall rule

To configure a firewall rule to allow NTP traffic, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule > New firewall rule.
  3. Configure the following settings:

    1. Rule name: Enter a rule name.
    2. Rule position: Select Top.
    3. Log firewall traffic: Make sure this setting is selected.
    4. Source zones: Select all zones except WAN and Any.
    5. Source networks and devices: Select Any.
    6. Destination zones: Select WAN.
    7. Services: Select NTP.

    External NTP server firewall rule.

  4. Click Save.

To forward NTP requests from internal devices through the firewall to an internal NTP server, do as follows:

  1. Create a host for the internal NTP server.
  2. Configure two NAT rules: one that lets the internal NTP server reach external NTP servers, and one that forwards the internal devices' NTP requests to the internal NTP server.
  3. Configure two firewall rules: one that allows the internal NTP server's outbound NTP traffic, and one that allows the internal devices' NTP traffic to the internal NTP server.

This setup lets internal devices use the firewall's IP address as their NTP server while the firewall synchronizes time from the internal NTP server.

Create a host

To create a host for the internal NTP server, do as follows:

  1. Sign in to the web admin console.
  2. Go to Hosts and services and click Add.
  3. Configure the following settings:

    1. Name: Enter a name.
    2. IP version: Select IPv4.
    3. Type: Select IP.
    4. IP address: Enter the IP address of your internal NTP server.

    Internal NTP server.

  4. Click Save.

Configure NAT rules

Configure two NAT rules, one that allows the internal NTP server to access external NTP servers and another that forwards NTP requests to the internal NTP server.

NAT rule 1

To configure a NAT rule to allow the internal NTP server to access external NTP servers, do as follows:

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule > New NAT rule.
  3. Configure the following settings:

    1. Rule name: Enter a name.
    2. Rule position: Select Top.
    3. Original source: Select the internal NTP server you created.
    4. Original service: Remove Any, then select NTP.
    5. Translated source (SNAT): Select MASQ.

    Internal NTP server to WAN.

  4. Click Save.

NAT rule 2

To configure a NAT rule to forward NTP requests to the internal NTP server, do as follows:

  1. Go to Rules and policies > NAT rules.
  2. Click Add NAT rule > New NAT rule.
  3. Configure the following settings:

    1. Rule name: Enter a name.
    2. Rule position: Select Top.
    3. Original service: Remove Any, then select NTP.
    4. Translated source (SNAT): Select MASQ.
    5. Translated destination (DNAT): Select the internal NTP server you created.

    Forward NTP traffic to the internal NTP server.

  4. Click Save.

Configure firewall rules

Create two firewall rules, one that allows the internal NTP server to synchronize time with external NTP servers and another that allows the internal devices to access the internal NTP server through the firewall.

Firewall rule 1

To configure a firewall rule that allows the internal NTP server to synchronize time with external NTP servers, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule > New firewall rule.
  3. Configure the following settings:

    1. Rule name: Enter a rule name.
    2. Rule position: Select Top.
    3. Log firewall traffic: Make sure this setting is selected.
    4. Source zones: Select LAN.
    5. Source networks and devices: Remove Any, then select the internal NTP server you created.
    6. Destination zones: Select WAN.
    7. Services: Remove Any, then select NTP.

    Firewall rule to access external NTP servers.

  4. Click Save.

Firewall rule 2

To configure a firewall rule that allows the internal devices to access the internal NTP server through the firewall, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule > New firewall rule.
  3. Configure the following settings:

    1. Rule name: Enter a rule name.
    2. Rule position: Select Top.
    3. Log firewall traffic: Make sure this setting is selected.
    4. Source zones: Select all zones except WAN and Any.
    5. Destination zones: Select LAN.
    6. Services: Remove Any, then select NTP.

    Firewall rule to allow internal devices to access the internal NTP server.

  4. Click Save.

Internal devices can now use the firewall as a relay to forward NTP requests to an internal or external NTP server by using NAT.
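To confirm from a client's point of view that either relay setup works, here is an added example that is not part of this Sophos documentation: a minimal SNTP client that sends an RFC 5905 mode 3 request to the firewall's internal IP (the address the clients are now configured to use, passed on the command line and assumed here) and decodes the reply, rejecting unsynchronised and kiss-o'-death answers. The embedded sample reply is constructed, not a real capture, so the script also runs offline.

```python
import socket
import struct
import sys
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48

# Constructed sample reply, not a real capture: mode 4, stratum 2, refid 192.0.2.10,
# transmit timestamp 0xE8FE6F80 = Unix 1700000000 (2023-11-14T22:13:20Z).
SAMPLE_REPLY = (b"\x24\x02\x06\xec" + bytes(8) + b"\xc0\x00\x02\x0a"
                + bytes(24) + b"\xe8\xfe\x6f\x80" + bytes(4))

def build_request(transmit_unix: float) -> bytes:
    """48-byte RFC 5905 client request: LI=0, VN=4, mode=3, transmit timestamp set."""
    secs = int(transmit_unix) + NTP_UNIX_OFFSET
    frac = int((transmit_unix % 1) * (1 << 32))
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (4 << 3) | 3
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)

def parse_reply(data: bytes) -> dict:
    """Decode the fields that show whether a synchronised server answered."""
    if len(data) < PACKET_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    leap, version, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    stratum = data[1]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    tx_unix = tx_secs - NTP_UNIX_OFFSET + tx_frac / (1 << 32)
    # Reject kiss-o'-death (stratum 0, ASCII refid such as RATE), stratum 16
    # (unsynchronised) and leap=3 (clock-not-synchronised alarm).
    usable = mode == 4 and 1 <= stratum <= 15 and leap != 3
    return {"leap": leap, "version": version, "mode": mode, "stratum": stratum,
            "refid": data[12:16], "tx_unix": tx_unix, "usable": usable}

def query(relay_ip: str, timeout: float = 3.0) -> dict:
    """Send one request to the relay on UDP/123 and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(time.time()), (relay_ip, 123))
        data, _ = s.recvfrom(PACKET_LEN)
    return parse_reply(data)

if __name__ == "__main__":
    # Pass the firewall's internal IP to query it; with no argument, decode the sample.
    result = query(sys.argv[1]) if len(sys.argv) > 1 else parse_reply(SAMPLE_REPLY)
    print(result, "clock skew vs. this host: %.3fs" % abs(result["tx_unix"] - time.time()))
```

A timeout on the query usually means the NAT rule is not matching (check Original service and Inbound interface) or the firewall rule is not allowing NTP; a reply with usable set to False means the upstream server answered but is not synchronised, so the relay itself is working.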

Tip

To enhance security for NTP traffic, add an IPS rule that includes NTP-related IPS patterns. This helps detect and block malicious activity targeting NTP services. See Intrusion prevention.