FTD 1150 with FMC, NTP traffic via management (diagnostic)

mario.jost · ‎12-03-2020

We are working on setting up a HA FTD 1150 pair with FMC both running Version 6.6.1

I configured NTP on the FMC wihtout issues. Then i deployed the same NTP server (singular) to the FDTs via a configuration policy under platform settings. It works sort of great... Devices are in synch. but I am a bit buffled where the traffic is going thru.

> show ntp
Password: 

NTP Server                : 172.16.100.50
Status                    : Being Used
Offset                    : 0.037 (milliseconds)
Last Update               : 20 (seconds)

NTP Server                : 127.127.1.1
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : 45h (seconds)

I set the timezone as well (GMT+1) but then i issue a show time, it is all wrong

> show time
UTC -       Thu Dec  3 12:49:19 UTC 2020
Localtime - Thu Dec 03 07:49:20 EST 2020

It is 13:49 right now. I know that the UTC (GMT+0) is pretty much the database time of the FTDs, but what about the locatime? Shouldnt this reflect the configuration of the timezone?

Questions:

Why can we configure 2 NTP server for the FMC, but only 1 for the FTDs?
Which interface is used on the FTDs to synch NTP? Management (diagnostic) or the LAN interfaces?
If LAN interfaces are used, why does NTP synch work without having a corresponding allow rule in the ACP?
Can we configure somehow, what interfaces will be used for NTP?

Thanks for the clarification. The manuals dont answer this questions.

Marvin Rhoads · ‎12-04-2020

I don' have a document to cite, but I believe ntp uses the management interface on an FTD appliance. It's not configurable to make it do otherwise.

mario.jost · ‎12-23-2020

To answer question1, It dies not get mentioned in the documentation, but you can actually enter multiple NTP servers seperated by commas.