Configuring Network Time Protocol and NTP Backup Server in NSM Overview
Use the Date/Time option to configure date and time synchronization on security devices. The date and time setting on the device affects VPN tunnel setup and the schedule objects used in active security policies. You configure the device time in relation to GMT.
Configuring Network Time Protocol
To ensure that the security device always maintains the right time, the device can use Network Time Protocol (NTP) to synchronize its system clock with that of an NTP server on the Internet. To use NTP, first enable Network Time Protocol, and then configure the settings as described in Table 1.
Table 1: Network Time Protocol Settings

| NTP Settings | Your Action |
| --- | --- |
| Synchronization | You can configure the security device to perform this synchronization automatically at time intervals that you specify. By default, the synchronization interval is set to 10 minutes, with a 3-second maximum adjustment threshold. |
| Authentication | You can secure NTP traffic by enabling authentication. When using authentication, for each NTP server you configure on the security device, you must assign a unique server key ID and preshared key; the key ID and preshared key are used to create an MD5 checksum with which the device and the NTP server authenticate NTP data. Select the authentication mode that the device uses when connecting to an NTP server; the three modes are listed below the table. |
| NTP Servers | You can configure up to three NTP servers (one primary and two backups) from which the security device can regularly update its system clock. If you enable authentication by selecting the Required or Preferred authentication mode, you must also provide a unique server key ID and preshared key for each NTP server that you configure. |

Authentication modes:
- Required—The device must include the authentication information (server key ID and MD5 checksum) in every packet it sends to an NTP server and must authenticate all NTP packets it receives from an NTP server. If authentication fails, the device denies NTP traffic from that NTP server.
- Preferred—The device attempts to authenticate NTP traffic using the same method as the Required option but continues to send and receive NTP traffic if authentication fails.
- None (default mode)—Select this mode if you do not want to authenticate NTP packets.
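As an added illustration (not code from the NSM documentation or from ScreenOS), the following Python models the authentication scheme Table 1 describes: the 4-byte key ID and MD5 checksum appended to each NTP packet (the symmetric-key MAC of RFC 5905), the verification a receiver performs against its per-server key table, and how the Required, Preferred and None modes decide whether a packet that fails verification is still used. It also walks the primary and backup server list in order. The key IDs, preshared keys, server names and packet contents are constructed values; the semantics given to the maximum adjustment threshold (an offset larger than the threshold is not applied by an automatic sync) is an assumption about device behaviour, not something the page states.

```python
"""Model of NTP symmetric-key (key ID + MD5) authentication and auth-mode policy.

Added example, not NSM or ScreenOS code. Key IDs, keys, server names and
packet contents are constructed values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP v4 header length (RFC 5905)
KEY_ID_LEN = 4               # key identifier that precedes the digest
MD5_DIGEST_LEN = 16          # MD5 message digest length


def build_ntp_client_packet(transmit_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTP client request (LI=0, VN=4, mode 3).

    Every field except the transmit timestamp is zero or constant so the
    packet is reproducible; a real client puts the current time there.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # li_vn_mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference ts, originate ts, receive ts, transmit ts
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def append_mac(packet: bytes, key_id: int, preshared_key: bytes) -> bytes:
    """Append the MAC the table describes: 4-byte key ID + MD5(key || packet)."""
    digest = hashlib.md5(preshared_key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(data: bytes, keys: dict[int, bytes]) -> bool:
    """Return True only if the packet carries a known key ID and a matching MD5.

    keys maps each configured server's key ID to its preshared key (one
    unique pair per server, as the table requires).
    """
    if len(data) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False                     # no MAC present (or a different digest type)
    packet = data[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", data[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received = data[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = keys.get(key_id)
    if key is None:
        return False                     # unknown key ID: cannot authenticate
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


def accept_ntp_reply(data: bytes, auth_mode: str, keys: dict[int, bytes]) -> tuple[bool, bool]:
    """Apply the device's authentication mode to a received NTP packet.

    Returns (accepted, authenticated):
      required  - accept only packets that verify
      preferred - attempt verification, but accept either way
      none      - do not verify at all
    """
    if auth_mode == "none":
        return True, False
    authenticated = verify_mac(data, keys)
    if auth_mode == "required":
        return authenticated, authenticated
    if auth_mode == "preferred":
        return True, authenticated
    raise ValueError(f"unknown authentication mode: {auth_mode!r}")


def choose_time_source(replies, auth_mode: str, keys: dict[int, bytes]):
    """Return the first server (primary, then backups) whose reply is accepted, else None."""
    for server_name, data in replies:
        accepted, _ = accept_ntp_reply(data, auth_mode, keys)
        if accepted:
            return server_name
    return None


def within_max_adjustment(offset_seconds: float, max_adjustment: float = 3.0) -> bool:
    """Assumed semantics of the maximum adjustment threshold: an automatic
    sync applies only offsets up to the threshold (default 3 seconds)."""
    return abs(offset_seconds) <= max_adjustment


if __name__ == "__main__":
    keys = {1: b"constructed-primary-key", 2: b"constructed-backup1-key"}
    request = build_ntp_client_packet(transmit_ts=0x1234)
    good = append_mac(request, 1, keys[1])
    forged = append_mac(request, 1, b"wrong-key")
    for mode in ("required", "preferred", "none"):
        print(mode, accept_ntp_reply(good, mode, keys), accept_ntp_reply(forged, mode, keys))
```

Running the block prints, for each mode, the (accepted, authenticated) decision for a correctly keyed packet and for one built with the wrong key; only Required rejects the bad packet, which is the behavioural difference the table describes between the three modes.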
Configuring an NTP Backup Server
You can specify an individual interface as the source address to direct Network Time Protocol (NTP) requests from the device over a VPN tunnel to the primary NTP server or to a backup server as necessary. Among other interface types, you can select a loopback interface to perform this function.

The security device sends NTP requests from a source interface and optionally uses an encrypted preshared key when sending NTP requests to the NTP server. The encrypted preshared key provides authentication.
Published: 2009-08-20