Fortinet FortiGate (not) using NTP Authentication

A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called next-generation firewall has a very limited GUI, and you need to configure all details through the CLI. I hate it, but that’s the way Fortinet is doing it. Furthermore, the “set authentication” command is hidden unless you’re downgrading to NTPv3 (?!?), and it only supports MD5 rather than SHA-1. Not that “next-generation”!

Finally, you have no chance of knowing whether NTP authentication is working or not. I intentionally misconfigured some of my NTP keys, which didn’t change anything in the NTP synchronization process, although it should not have worked at all. Fail!

This article is one of many blogposts within this NTP series. Please have a look!

I am using a FortiGate FG-100D with FortiOS version v5.6.6 build1630 (GA). If you want to configure custom NTP servers, you have to go through the CLI:

When configuring on the CLI, it took me quite some time to realize that the NTP authentication commands are completely hidden unless you are using NTPv3. I don’t know why this is a requirement at all, since NTP authentication, of course, works with NTPv4 as well. And why isn’t this documented?

However, here are the commands I used to set up my three NTP servers with authentication:

In order to view any live values, get system ntp is not quite helpful. At least you can see the sync interval:

diagnose sys ntp status helps a bit more:

Note that throughout this setup I misconfigured the NTP keys for servers 1 and 2, while only number 3 was correct. However, there was not a single hint in the monitoring outputs that something was wrong with the authentication process. This is not how it’s supposed to work!
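To show what “authentication is working” actually looks like on the wire, and why a client that silently accepts replies with a wrong key is a problem, here is an added example that is not part of the original post and does not come from Fortinet. It builds an NTP client request with the symmetric-key MD5 MAC from RFC 5905 (4-byte key id followed by MD5 over the key bytes and the packet), constructs a stand-in server reply offline, and checks the reply the way a client should: the MAC must validate with the shared key and the origin timestamp must match the request we sent. The key ids, keys, and timestamps are constructed sample values; the same MAC format applies to NTPv3 and NTPv4, and only MD5 MACs (20 bytes) are handled, matching what the FortiGate offers.

```python
"""Offline check of NTP symmetric-key (MD5) authentication, RFC 5905 style.

Added example (not from the blog post or from Fortinet). Nothing here talks
to a FortiGate; key ids, keys and timestamps are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct
import time

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16            # key id + MD5 digest
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def ntp_mac(authenticated_part, key):
    """RFC 5905 Appendix A MAC: MD5 over the key bytes followed by the packet."""
    return hashlib.md5(key + authenticated_part).digest()


def build_request(key_id, key, version=4, tx_time=None):
    """Authenticated client request (LI=0, mode 3) with a trailing MD5 MAC."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (version << 3) | 3        # LI=0, VN=version, mode=3 (client)
    tx_time = time.time() if tx_time is None else tx_time
    secs = (int(tx_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((tx_time % 1) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", header, 40, secs, frac)   # Transmit Timestamp field
    header = bytes(header)
    return header + struct.pack("!I", key_id) + ntp_mac(header, key)


def build_response(request, key_id, key):
    """Constructed server reply (mode 4) that echoes the request's transmit time
    into the Origin Timestamp and signs with the given key. It stands in for a
    real NTP server so the check below runs offline."""
    header = bytearray(request[:NTP_HEADER_LEN])
    header[0] = (header[0] & 0xF8) | 4       # keep LI/VN, set mode=4 (server)
    header[1] = 2                            # stratum 2, a plausible sample value
    header[24:32] = request[40:48]           # Origin Timestamp := request Transmit
    header = bytes(header)
    return header + struct.pack("!I", key_id) + ntp_mac(header, key)


def verify_packet(packet, keys):
    """Return (ok, reason). `keys` maps key id -> key bytes, like an ntp.keys file."""
    if len(packet) < NTP_HEADER_LEN + MD5_MAC_LEN:
        return False, "no MAC present (unauthenticated packet)"
    # The MAC covers the header plus any extension fields that precede it.
    body, mac = packet[:-MD5_MAC_LEN], packet[-MD5_MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    if not hmac.compare_digest(mac[4:], ntp_mac(body, key)):
        return False, "MAC mismatch for key id %d" % key_id
    return True, "MAC valid for key id %d" % key_id


def check_exchange(request, response, keys):
    """What a client should do before trusting a reply: the MAC validates and
    the origin timestamp matches what we sent (a replayed or spoofed reply fails)."""
    ok, reason = verify_packet(response, keys)
    if not ok:
        return False, reason
    if response[24:32] != request[40:48]:
        return False, "origin timestamp does not match our request"
    return True, reason


def probe_server(host, key_id, key, timeout=3.0):
    """Live check against a real server on UDP/123 (not used by the offline demo)."""
    request = build_request(key_id, key)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        response, _ = sock.recvfrom(1024)
    return check_exchange(request, response, {key_id: key})


if __name__ == "__main__":
    KEYS = {1: b"CorrectKey", 2: b"WrongKeyOnFirewall"}   # constructed sample keys
    req = build_request(1, KEYS[1])
    good = build_response(req, 1, KEYS[1])
    print(check_exchange(req, good, KEYS))      # (True, 'MAC valid for key id 1')
    # Server signs with a key that differs from what is configured for id 2
    bad = build_response(req, 2, b"ServerSideKey2")
    print(check_exchange(req, bad, KEYS))       # (False, 'MAC mismatch for key id 2')
    print(check_exchange(req, good[:NTP_HEADER_LEN], KEYS))   # reply without any MAC
```

The point of the second and third checks is exactly what the FortiGate does not surface: a reply signed with a key that does not match the configured one, or a reply with no MAC at all, must be rejected and reported, not silently used for synchronization. probe_server() runs the same check against a real server if you want to confirm your key material from a host that does report failures.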

Trivia: Failed Upgrade

Initially, I wanted to upgrade the FortiGate for this blogpost to its latest version, from v5.6.6 to v5.6.8. Just a minor upgrade, right? However, this upgrade destroyed my VPN that was needed for the NTP servers. Even downgrading the version and restoring didn’t work. Just another example of why I don’t really like those FortiGates. Details:

My overall experience with FortiGate and NTP: fail!

Featured image “handypics August 2015 087” by PercyGermany™ is licensed under CC BY-NC-ND 2.0.

3 thoughts on “Fortinet FortiGate (not) using NTP Authentication”

    1. Hey Boris,

      no, I didn’t. Fortinet is not interested in my feedback as long as there is no big paying customer request behind it. That’s the way it is…

      Johannes

      1. Yes, that is how they treated my feature requests. They don’t see big customer request and they don’t care. Still, this could be potential security problem…
