Firewall security policy does not take effect because the firewall fails to synchronize time from the NTP server

2023-09-27 01:12:05 Published

Network Topology

fw--- ntp server 

Problem Description

The firewall failed to synchronize time from the NTP server (client/server mode):

 dis ntp status 

 Clock status unsynchronized

Process Analysis

debugging ntp-service all shows that no NTP packets are sent, no session towards the NTP server is created, and no outgoing NTP packets are seen in a packet capture on the egress interface (taken from the Web UI).

Since no session is created, the NTP packets are suspected to be dropped by the firewall itself.

Define an ACL (acl xxx) that matches the source and destination IP addresses of the unreachable traffic, with two rules so that both directions of the traffic are matched, then run the following debugging commands:

<H3C>debugging security-policy packet ip acl xxx

<H3C>debugging ip info acl XXX   # If packets are dropped, the module that dropped them is printed; if nothing is dropped, nothing is printed.

<H3C>debugging aspf packet acl xxx

<H3C>debugging ip packet acl xxx

<FW>debugging session session-table all acl 3XXX          # Shows the details of why a session is deleted

Collecting the above debugging output, we found that the packets were dropped by Rule-ID=100:

Apr  5 00:07:08:249 2023 H3C-FW FILTER/7/PACKET: -Context=1; The packet is denied. Src-Zone=Local, Dst-Zone=Untrust;If-In=InLoopBack0(132), If-Out=GigabitEthernet1/0/15(17); Packet Info:Src-IP=a.a.a.a Dst-IP=b.b.b.b, VPN-Instance=, Src-MacAddr=0000-0000-0000,Src-Port=123, Dst-Port=123, Protocol=UDP(17), Application=ntp(47),Terminal=invalid(0), SecurityPolicy=any, Rule-ID=100.

The following rule is configured at the top of the security policy (Web UI), so it should normally be matched first:

#

rule 108 name ntp

  action pass

  counting enable

  source-zone Trust

  source-zone Local

  destination-zone Untrust

  service dns-udp

  service-port udp destination eq 123

#

service and service-port are two different match attributes, and different attributes are combined with AND, so a packet must match both of them. The predefined service dns-udp does not describe NTP traffic, so no NTP packet can satisfy both conditions at the same time.

The NTP traffic therefore did not match rule 108, but matched the later rule 100 and was dropped.

Multiple values of the same attribute, on the other hand, are combined with OR. For example, the following two lines match traffic coming from either zone:

source-zone Trust

source-zone Local

Solution

NTP synchronization works normally after removing service dns-udp from the rule:

#

rule 108 name ntp

  action pass

  counting enable

  source-zone Trust

  source-zone Local

  destination-zone Untrust

  service-port udp destination eq 123

#
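The matching semantics described above (values of one attribute ORed, different attributes ANDed, rules tried in order with the first match deciding) can be checked with a small model. The following Python is an added illustration, not the firewall's own code; it assumes that the predefined service dns-udp means UDP destination port 53, that rule 100 is a catch-all deny rule lower in the policy, and that the packet has the zones and ports shown in the log line above (all constructed assumptions). It evaluates the NTP packet against the original rule 108 and against the corrected one.

```python
"""Model of security-policy rule matching on a zone-based firewall.

Added example, not the vendor's implementation. Matching semantics follow
the case text: several values of one attribute are ORed, different
attributes are ANDed, rules are evaluated in order, first match wins.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Predefined service objects modelled as (protocol, destination port).
# 'dns-udp' as UDP/53 is an assumption made for this example.
PREDEFINED_SERVICES = {
    "dns-udp": ("udp", 53),
    "ntp": ("udp", 123),
}


@dataclass
class Rule:
    rule_id: int
    action: str                                        # "pass" or "deny"
    source_zones: set = field(default_factory=set)     # empty set = any
    destination_zones: set = field(default_factory=set)
    services: set = field(default_factory=set)         # names from PREDEFINED_SERVICES
    service_ports: set = field(default_factory=set)    # (proto, dst_port) tuples

    def matches(self, pkt: Packet) -> bool:
        checks = []
        # Within one attribute the configured values are ORed.
        if self.source_zones:
            checks.append(pkt.src_zone in self.source_zones)
        if self.destination_zones:
            checks.append(pkt.dst_zone in self.destination_zones)
        if self.services:
            checks.append(any(PREDEFINED_SERVICES[s] == (pkt.proto, pkt.dst_port)
                              for s in self.services))
        if self.service_ports:
            checks.append((pkt.proto, pkt.dst_port) in self.service_ports)
        # Across attributes every configured attribute must match (AND).
        return all(checks)


def evaluate(rules, pkt: Packet):
    """Return (action, rule_id) of the first rule that matches, or ("deny", None)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "deny", None


def build_policy(with_dns_udp: bool):
    """Rule 108 as configured in the case (with or without 'service dns-udp'),
    followed by rule 100, assumed here to be a catch-all deny."""
    rule108 = Rule(108, "pass", {"Trust", "Local"}, {"Untrust"},
                   {"dns-udp"} if with_dns_udp else set(), {("udp", 123)})
    rule100 = Rule(100, "deny")
    return [rule108, rule100]


# Constructed packet matching the denied log line: Local -> Untrust, UDP/123.
NTP_PACKET = Packet("Local", "Untrust", "udp", 123)

if __name__ == "__main__":
    print("with service dns-udp:   ", evaluate(build_policy(True), NTP_PACKET))
    print("without service dns-udp:", evaluate(build_policy(False), NTP_PACKET))
```

With service dns-udp present the packet fails the services check, so rule 108 is skipped and rule 100 drops it; once the service line is removed only the service-port condition remains and rule 108 passes the packet. The same model shows that a source zone of Trust also matches rule 108, because the two source-zone values are ORed.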
