Skip to content
Avanet

Set up Sophos Firewall as an NTP server

Sophos Firewall

The title is, technically speaking, incorrect, as the Sophos Firewall does not run an NTP service. However, this can be solved with a NAT rule so that the Sophos Firewall takes care of all NTP requests and the gateway IP can still be specified as the NTP server on the client or server.

Create NAT NTP rule

First, I create a NAT rule that takes care of the NTP protocol.

Sophos Firewall NAT rule for the NTP server
Sophos Firewall NAT rule for the NTP server

The NAT rule now defines for which local networks the Sophos Firewall should answer NTP requests.

Detail view of the Sophos Firewall NAT rule for NTP
Detail view of the Sophos Firewall NAT rule for NTP

1. Original Source

The networks or individual IP addresses that are to use this NAT rule are entered here. For example, 192.168.33.0/24 or ANY, if every request is to be processed.

2. Original Destination

Here you list all IP addresses that the Sophos Firewall should listen to. For example, the gateway address: 192.168.12.1 or ANY, if every request is to be considered.

3. Original Service

NTP is specified as the protocol, which is already a predefined service on the firewall.

4. Translated Source (SNAT)

The firewall should perform IP masquerading and therefore we select MASQ as the value here.

5. Translated destination (DNAT)

Here we enter the NTP server address to which the firewall should send all time requests. I use the FQDN time.google.com here or pool.ntp.org is also popular.

Inbound Interface

You can also enter the local interfaces here, for example, to make sure the firewall does not answer WAN requests. I leave this set to ANY and handle the restriction later in the firewall rule.

Firewall rule for NTP service

To allow the traffic of the NAT rule, you need a firewall rule, which you now create.

Sophos Firewall rule for the NTP server
Sophos Firewall rule for the NTP server

Sophos Firewall rule for NTP server traffic

1. Source Zones

Here we list all source zones, such as LAN. What we do not want to see here is the WAN zone, as we do not want to provide an NTP server for the Internet here.

2. Source Networks and Devices

Here we can list the same networks as in the NAT rule under 1. Original Source. Since I handle this through the zone here, I leave it at ANY, but you can of course also define both the zone and the source networks.

3. Destination Zones

Since our time server is on the Internet, I choose the WAN zone here.

4. Destination Networks

I have defined time.google.com as the NTP server in the NAT rule. That’s why I choose this FQDN here, but I could leave it at ANY, as this is already defined in the NAT rule. However, I like to see immediately in the firewall rule where the traffic is going.

5. Services

As with the NAT rule, we use the predefined protocol NTP.

6. Detect and prevent exploits (IPS)

You have the firewall because you also want to add security to the network. That is why we also provide an IPS rule for the NTP traffic. For this, I simply created an IPS rule with the Smart Filter nat.

IPS NAT rule
IPS NAT rule
Add new IPS rule for NAT
Add new IPS rule for NAT

⚠️ The IPS (Intrusion Prevention) function requires a Network Protection license.