topic Re: how to add NTP server on firepower :FPR1120-NGFW-K9 in Network Security

how to add NTP server on firepower :FPR1120-NGFW-K9

suruchigupta555 — Fri, 13 Sep 2024 12:32:27 GMT

my FTD is not connected with FMC and is showing a pending state. checked on my FTD , the time was showing wrong and NTP server was also not Sync

# show ntp

NTP Overall Time-Sync Status: Ntp Config Failed

please help me removing my current NTP server and re add it on my FPR1120 running on FTD code using CLI, as I dont have GUI access.

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

MHM Cisco World — Fri, 13 Sep 2024 12:40:54 GMT

One by one I think ftd 1120 sync with fmc for NTP not direct

And for pending between ftd and fmc

You use data interface?

Any of device behind NAT?

MHM

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

Aref Alsouqi — Fri, 13 Sep 2024 15:42:18 GMT

Can you ping the FMC from the FTD? if you didn't try this please issue the command "ping system < the FMC IP address >" from the FTD CLISH mode and see if you get any replies. If so, I would suggest to check the /var/log/messages file from the FTD in expert mode and see if there is anything flagged that would suggest what the issue could be. Also, you can run some packet capture on the FMC to see if it actually receives any traffic from the FTD on port 8305/tcp which is the port used to establish the sftunnel. Please check this post of mine that shows you how to do it:

Packet Capture in FMC | Blue Network Security (bluenetsec.com)

Usually we see the pending state on the FTD until it is added and registered to the FMC, did you add the FTD on the FMC?

Regarding configuring NTP directly from FTD CLI, I don't believe that is possible unless you want to try to go into expert mode and try to edit the ntp.conf file located into /etc/ directory, and then restart the NTP services.

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

Marvin Rhoads — Fri, 13 Sep 2024 17:48:33 GMT

Does "show time" from the cli at least have something close to correct? If not then you may need to go into expert mode and correct at as @Aref Alsouqi suggested.

It should not affect the ability to register unless it's so far off that the certificate pushed from FMC during registration isn't parsed as valid.

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

MHM Cisco World — Fri, 13 Sep 2024 18:00:58 GMT

@Aref Alsouqi @Marvin Rhoads please check link below ' the ftd 1k/2k ntp config only via fmc'

If it can via cli' please share command to do that

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215468-configure-verify-and-troubleshoot-netwo.html#toc-hId-1997286687

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

Marvin Rhoads — Fri, 13 Sep 2024 18:12:21 GMT

The steps in 4c and following at this link: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118626-technote-firesight-00.html describe how the ntp.conf file looks. By the way, it is located in /ngfw/etc in newer platforms (7.x+).

Using that a a basis, it can potentially be modified (although this should only be a last resort as the time should not drift much even if NTP is not working).

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

MHM Cisco World — Fri, 13 Sep 2024 19:49:54 GMT

This for firesight' I make check abd in start guide of 1100 series you can set ntp server.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc.html

Maybe this what he looking for

MHM

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

Marvin Rhoads — Sun, 15 Sep 2024 02:35:54 GMT

The method in the GSG could be used if one switches back to a locally managed (FDM) mode.

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

MHM Cisco World — Sun, 15 Sep 2024 07:36:21 GMT

5. Time Difference Between FTD and FMC

The FTD-FMC communication is sensitive to time differences between the 2 devices. It is a design requirement to have FTD and FMC synchronized by the same NTP server.

Specifically, when the FTD is installed on a platform like 41xx or 93xx it takes its time settings from the parent chassis (FXOS).

Recommended Action

Ensure that the chassis manager (FCM) and the FMC use the same time source (NTP server)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

I dont think it NTP mismatch issue but maybe I am wrong

MHM

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

suruchigupta555 — Fri, 04 Oct 2024 09:54:08 GMT

yes, we are using data interface to configure manager of FTD, I tried to remove and re-add the manager but it didnt help.

Re: how to add NTP server on firepower :FPR1120-NGFW-K9

shariri — Tue, 08 Oct 2024 23:36:18 GMT

To get more detailed information regarding NTP configuration, please log in on FTD CLI :

>show support ntp

>show ntp

expert >> sudo su >>
#cat /etc/ntp.conf

#ntp q

You can check the NTP server's reachability from expert mode if using FQDN please make sure the DNS resolve is working.