Configuring Network Time Protocol and NTP Backup Server in NSM Overview

Use the Date/Time option to configure date and time synchronization on security devices. The date and time setting on the device affects VPN tunnel setup and schedule objects used in active security policies.

You configure the device time in relation to GMT.

Configuring Network Time Protocol

To ensure that the security device always maintains the right time, the device can use Network Time Protocol (NTP) to synchronize its system clock with that of an NTP server on the Internet.

To use NTP, first enable Network Time Protocol, and then configure the settings as described in Table 34.

Table 34: Network Time Protocol Settings

NTP Settings

Your Action


You can configure the security device to perform this synchronization automatically at time intervals that you specify. By default, the synchronization interface is set to 10 minutes, with a 3 second maximum adjustment threshold.


You can secure NTP traffic by enabling authentication. When using authentication, for each NTP server you configure on the security device, you must assign a unique server key ID and preshare key; the key ID and preshare key serve to create an MD5 checksum, with which the device and the NTP server can authenticate NTP data. Select the authentication mode that the device uses when connecting to an NTP server:

  • Required—The device must include the authentication information—server key ID and MD5 checksum—in every packet it sends to an NTP server and must authenticate all NTP packets it receives from an NTP server. If authentication fails, the device denies NTP traffic from the NTP server.
  • Preferred—The device attempts to authenticate NTP traffic using the same methods as the Required options but continues to send and receive NTP traffic if authentication fails.
  • None (default mode)— Select this mode if you do not want to authenticate NTP packets.

NTP Servers

You can configure up to three NTP servers (one primary and two backups) from which the security device can regularly update its system clock. If you enable authentication by selecting the Required or Preferred authentication options, you must also provide a unique server key ID and preshare key for each NTP server that you configure.

Configuring an NTP Backup Server

You can specify an individual interface as the source address to direct Network Time Protocol (NTP) requests from the device over a VPN tunnel to the primary NTP server or a backup server as necessary. Among other interface types, you can select a loopback interface to perform this function.

The security device sends NTP requests from a source interface and optionally uses an encrypted preshared key when sending NTP requests to the NTP server. The encrypted preshared key provides authentication.

Related Documentation