FGFW-ND-000120 - The FortiGate device must synchronize internal information system clocks using redundant authoritative time sources. - ntp server 2

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.

Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.

DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Solution

Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:

# config system ntp
# set ntpsync enable
# set type custom
# set syncinterval {INTEGER}
To add NTP server 1:
# config ntpserver
# edit {ID}
# set server {IP ADDRESS}
# set authentication enable
# set key {PASSWORD}
# set key-id {INTEGER}
# next
To add NTP server 2:
# config ntpserver
# edit {ID}
# set server {IP ADDRESS}
# set authentication enable
# set key {PASSWORD}
# set key-id {INTEGER}
# next
# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y22M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, CCI|CCI-001893, Rule-ID|SV-234183r860668_rule, STIG-ID|FGFW-ND-000120, Vuln-ID|V-234183

Plugin: FortiGate

Control ID: 3f5e3ed8a679b017d6b2943a4a05be2baa83ac7c792b4222628e7b2603503570