I have an issue with changing the NTP and DNS values on my HA pair of FTD 2110s.
The 2 FTDs are connected to my FMC.
I could not find how to change the NTP servers or the DNS servers.
> show ntp
NTP Server : 127.127.1.1
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : 44h (seconds)
NTP Server : 127.0.0.2
Status : Being Used
Offset : 0.238 (milliseconds)
Last Update : 32 (seconds)
> show dns
INFO: no activated FQDN
You need to change the info from platform settings option under Device section of FMC.
Create a new policy, make the changes and assign the FTD to it. Deploy the changes to take effect.
You may change the DNS settings in FTD from CLI as well.
In the FTD CLISH mode type "configure network dns servers 18.104.22.168" (example)
Then nslookup and use a hostname to verify.
Rate if it helps,
Thank you for your help!
I added the NTP server (22.214.171.124) but I still see 127.127.1.1 and my timezone is still wrong.
Try restarting the daemons after making the changes.
Switch to expert mode and use the following commands for DNS and NTP respectively:
sudo /etc/rc.d/init.d/nscd restart
sudo /ngfw/usr/bin/ntpd restart
Your sensor's ntp is falling back to using localhost (i.e. its own internal clock).
Can your sensor reach the configured NTP server on udp/123?
You can use ntpq from expert mode and look at the peers to see if the configured server is reachable and providing the ntp service.
> show ntp
NTP Server : 126.96.36.199 (time.unisza.edu.my)
Status : Available
Offset : -11.995 (milliseconds)
Last Update : 467 (seconds)
NTP Server : Managing DC
Status : Available
Offset : 22.754 (milliseconds)
Last Update : 61 (seconds)
NTP Server : Managing DC
Status : Being Used
Offset : 0.479 (milliseconds)
Last Update : 578 (seconds)
> expert
admin@vftd-new:~$ ntpq
ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       188.8.131.52     3 u  595 1024  377    5.930    0.479   4.219
+time.unisza.edu 184.108.40.206   2 u  484 1024  367   48.632  -11.995   4.327
+220.127.116.11  18.104.22.168    2 u   78 1024  347   26.536   22.754   4.649
ntpq>
It being in ".INIT." status means that it is configured but not reachable (or not serving up ntp).
Once it successfully initializes it should report a stratum better than the Stratum 10 that your localhost provides. (Stratum 16 is the default for unknown or no NTP.)
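To make the ntpq peer check described in this reply concrete, here is an added example (not code from the original thread or from Cisco) that reads `ntpq -p` peer output and flags, per peer, whether it is usable or still unreachable: a refid of `.INIT.`, a stratum of 16, or a reach register of 0 all mean the server has not answered. The sample peer table embedded below is constructed for the example, and the function name `classify_peers` is an assumption, so it runs offline; on the FTD you would pipe the real output in from expert mode.

```shell
#!/bin/sh
# Added example: interpret `ntpq -p` peer output from FTD expert mode.
# Columns of interest in ntpq -p output:
#   refid  .INIT.  = configured but no response yet (or host is not serving NTP)
#   st     16      = stratum 16, i.e. no usable time source behind this peer
#   reach  octal   = bitmask of the last 8 polls (377 = all answered, 0 = none)
# The first character of each line is the tally code (*, +, -, space, ...).

# Constructed sample output (not captured from a real device).
SAMPLE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.0.0.2       188.8.131.52     3 u  595 1024  377    5.930    0.479   4.219
+time.unisza.edu 184.108.40.206   2 u  484 1024  367   48.632  -11.995   4.327
 10.0.0.50       .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# classify_peers: read ntpq -p output on stdin and print one line per peer:
#   <remote> OK|UNREACHABLE <stratum> <reach>
classify_peers() {
    awk '
        NR <= 2 { next }                 # skip the header and separator lines
        {
            $0 = substr($0, 2)           # drop the tally column so fields align
            remote = $1; refid = $2; st = $3; reach = $7
            if (refid == ".INIT." || st == 16 || reach == 0)
                status = "UNREACHABLE"
            else
                status = "OK"
            printf "%s %s %s %s\n", remote, status, st, reach
        }'
}

# Usage with the constructed sample; on the sensor use:  ntpq -p | classify_peers
printf '%s\n' "$SAMPLE_PEERS" | classify_peers
```

A peer reported as UNREACHABLE by this check is the one to test for udp/123 access from the management interface; an OK peer with a low stratum is what should eventually replace the localhost fallback shown in `show ntp`.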
Okay, thanks for the explanation.
Should I add an access policy to allow the flow on UDP port 123?
Or maybe it is because I'm using the management interface to reach the NTP server?
Maybe the FTD is designed to use only the outside or inside interface for NTP?
The ntp queries from your FTD device should originate from the management interface. That source address must have the udp/123 access to the configured and working ntp server.
Hi, where exactly are the settings for DNS within the Platform Settings in FMC? I don't see any such settings there.
Platform settings are for managed sensors. For those, there's a DNS tab:
For FMC's DNS resolver please look under System > Configuration > Management Interfaces > Shared Settings: