![\"\"](\"https:\/\/www.avanet.com\/assets\/sophos-firewall-ntp-server-nat-rule-scaled.jpg\")
<\/a><\/figure>\n<\/figure>\n\nThe NAT rule now defines for which local networks the Sophos Firewall should answer NTP requests.<\/p>\n\n The networks or individual IP addresses that are to use this NAT rule are entered here. For example, 192.168.33.0\/24 or ANY, if every request is to be processed. <\/p>\n\n Here you list all IP addresses that the Sophos Firewall should listen to. For example, the gateway address: 192.168.12.1 or ANY, if every request is to be considered. <\/p>\n\n NTP<\/strong> is specified as the protocol, which is already a predefined service on the firewall.<\/p>\n\n The firewall should perform IP masquerading and therefore we select MASQ<\/strong> as the value here.<\/p>\n\n Here we enter the NTP server address to which the firewall should send all time requests. I use the FQDN time.google.com<\/strong> here or pool.ntp.org<\/strong> is also popular. <\/p>\n\n In addition, you can also store the local interfaces, for example, so that you are sure not to answer any WAN requests. I leave it at ANY and solve this afterwards via the firewall rule. <\/p>\n\n To allow the traffic of the NAT rule, you need a firewall rule, which you now create.<\/p>\n\n Here we list all source zones, such as LAN<\/strong>. What we do not want to see here is the WAN<\/strong> zone, as we do not want to provide an NTP server for the Internet here. <\/p>\n\n Here we can list the same networks as in the NAT rule at point 1. original source. Since I solve this here via the zone, I leave it at ANY, but you can of course also store both zone and source networks. <\/p>\n\n Since our time server is on the Internet, I choose the WAN<\/strong> zone here.<\/p>\n\n I have defined time.google.com as the NTP server in the NAT rule. That’s why I choose this FQDN here, but I could leave it at ANY, as this is already defined in the NAT rule. However, I like to see immediately in the firewall rule where the traffic is going. <\/p>\n\n As with the NAT rule, we use the predefined protocol NTP<\/strong>.<\/p>\n\n You have the firewall because you also want to bring some security to the network. That’s why we also provide an IPS rule for the NTP traffic. For this, I simply created an IPS rule with the Smart Filter nat<\/strong>. <\/p>\n\n \u26a0\ufe0f The IPS (Intrusion Prevention) function requires a Network Protection licence.<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-84344","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/84344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/5"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=84344"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=84344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/figure>\n<\/figure>\n\n1. Original Source<\/h3>\n\n
2. Original Destination<\/h3>\n\n
3. Original Service<\/h3>\n\n
4. Translated Source (SNAT)<\/h3>\n\n
5. Translated destination (DNAT)<\/h3>\n\n
Inbound Interface<\/h3>\n\n
Firewall rule for NTP service<\/h2>\n\n
<\/a><\/figure>\n1. Source Zones<\/h3>\n\n
2. Source Networks and Devices<\/h3>\n\n
3. Destination Zones<\/h3>\n\n
4. Destination Networks<\/h3>\n\n
5. Services<\/h3>\n\n
6. Detect and prevent exploits (IPS)<\/h3>\n\n
<\/a><\/a>