So I wanted to create an NTP policy for one of my servers.
The server uses a pool of NTP servers, e.g.
pool.ntp.org
time.windows.com
I set the firewall rules up as Allow, UDP, destination pool.ntp.org and time.windows.com, port 123.
I then created a final block rule.
Due to the nature of NTP pools, not every request is accepted, as I am assuming that the server does a DNS lookup and is returned a round-robin IP. The firewall then does a DNS lookup and is returned an IP address. As the IPs are coming from a pool of several hundred, they are not always matching.
I could just allow UDP 123 out, but there are many other services that use round-robin DNS. What's the best way to address this?
Hi @SimonT I think you were referring to the Meraki equipment itself and as you pointed out that is why it still lists UDP/123 outbound to ANY destination IP for NTP. However that is really for initial connections, and afterwards NTP is actually handled over the control plane connection (which was typically always UDP/7351 and in the latest MR/MS/MX firmware it'll happen over TCP/443). The “ANY” destination is not actually a hard requirement and you can assign any NTP server you like via DHCP options from an upstream DHCP server, and so long as that NTP server is aligned with global NTP to within a few seconds that can also work fine and without having to make a mess of the firewall rules. Sorry if I misunderstood.
I was talking more about NTP for the devices rather than the firewall itself.
I have a standard Windows environment where there is an FSMO DC that is in charge of domain time. We are using a public internet-facing NTP server to sync with.
The DC server looks up the NTP server's IP address; that IP address might not match the IP address the firewall gets, due to the pool of IP addresses that can be behind an NTP server that is using a round-robin IP address.
We use Umbrella as well, and I was wondering if there is a way for the device and the firewall to get the same resolved IP address.
Or, from your comment, can the Meraki be treated as an NTP server?
But this will happen again with any other service that uses round-robin DNS.
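The post above describes the DC and the firewall resolving the same pool name to different members. A quick way to see which member actually answered a given request, and whether that answer is even usable, is to send one NTP request and inspect the reply yourself. The script below is an added example, not code from the thread, Meraki, or Microsoft: it builds an NTPv4 client packet (RFC 5905 header layout), parses the reply, applies the sanity checks a client should make (mode 4, originate timestamp matches what was sent, no kiss-o'-death, server synchronised), and computes offset and delay. The `query_server` function uses the network and reports the responding IP so you can compare it with what the firewall's FQDN rule resolved; the `demo` exchange is constructed (a fake server 0.5 s ahead, plus a stratum-0 "RATE" kiss-o'-death reply), not captured traffic.

```python
"""Build, parse and validate NTPv4 packets to check which pool member answers
through the firewall and whether its reply is usable.  Added example; not the
thread author's, Meraki's or Microsoft's code.  The sample exchange in demo()
is constructed for offline use."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER = "!BBbb11I"           # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words


def to_ntp(unix):
    """Unix float seconds -> (seconds since 1900, 32-bit fraction)."""
    sec = int(unix) + NTP_UNIX_DELTA
    return sec, int((unix - int(unix)) * (1 << 32))


def from_ntp(sec, frac):
    return sec - NTP_UNIX_DELTA + frac / float(1 << 32)


def build_client_request(t1_unix):
    """48-byte client packet: LI=0, VN=4, Mode=3.  Our send time goes in the
    Transmit Timestamp (bytes 40..47) so the reply can be matched to it."""
    sec, frac = to_ntp(t1_unix)
    return struct.pack(HEADER, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, sec, frac)


def parse_ntp_packet(data):
    if len(data) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    f = struct.unpack(HEADER, data[:48])
    stratum, raw_ref = f[1], struct.pack("!I", f[6])
    if stratum <= 1:   # stratum 0: kiss code ("RATE", "DENY"); stratum 1: clock id ("GPS")
        ref_id = raw_ref.decode("ascii", "replace").strip("\x00 ")
    else:              # stratum 2+: IPv4 of the upstream server (a hash of it for IPv6)
        ref_id = ".".join(str(b) for b in raw_ref)
    return {"li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": stratum, "ref_id": ref_id,
            # raw (sec, frac) pairs; compared exactly, never as floats
            "originate": f[9:11], "receive": f[11:13], "transmit": f[13:15]}


def validate_response(request, response, t4_unix):
    """Checks a client should make before trusting a reply, then offset/delay."""
    req, rsp = parse_ntp_packet(request), parse_ntp_packet(response)
    if rsp["mode"] != 4:
        return {"ok": False, "reason": "mode %d is not a server reply" % rsp["mode"]}
    if rsp["originate"] != req["transmit"]:   # rejects off-path spoofs and stale replies
        return {"ok": False, "reason": "originate timestamp does not match our request"}
    if rsp["stratum"] == 0:
        return {"ok": False, "reason": "kiss-o'-death code %s" % rsp["ref_id"]}
    if rsp["stratum"] >= 16 or rsp["li"] == 3:
        return {"ok": False, "reason": "server is unsynchronised"}
    t1 = from_ntp(*req["transmit"])
    t2, t3 = from_ntp(*rsp["receive"]), from_ntp(*rsp["transmit"])
    return {"ok": True, "stratum": rsp["stratum"], "ref_id": rsp["ref_id"],
            "offset": ((t2 - t1) + (t3 - t4_unix)) / 2.0,   # RFC 5905 clock offset
            "delay": (t4_unix - t1) - (t3 - t2)}            # round-trip delay


def fake_server_reply(request, t2_unix, t3_unix, stratum=2, ref_id=b"\x0a\x00\x00\x01"):
    """Constructed reply standing in for a pool server (offline testing only)."""
    orig = parse_ntp_packet(request)["transmit"]
    return struct.pack(HEADER, 0x24, stratum, 6, -20, 0, 0, struct.unpack("!I", ref_id)[0],
                       0, 0, *orig, *to_ntp(t2_unix), *to_ntp(t3_unix))


def query_server(host, port=123, timeout=2.0):
    """Live check (uses the network).  'responder' is the IP that really answered;
    compare it with what the firewall's FQDN object resolved."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        req = build_client_request(t1)
        s.sendto(req, (host, port))
        data, (peer_ip, _) = s.recvfrom(512)
        t4 = time.time()
    result = validate_response(req, data, t4)
    result["responder"] = peer_ip
    return result


def demo():
    """Constructed exchange: server clock 0.5 s ahead, 1/64 s each way on the
    wire, 1/512 s server processing.  Exact binary fractions keep the maths exact."""
    T = 1700000000.0
    req = build_client_request(T + 0.25)
    good = fake_server_reply(req, T + 0.765625, T + 0.767578125)
    kod = fake_server_reply(req, T + 0.765625, T + 0.767578125, stratum=0, ref_id=b"RATE")
    return validate_response(req, good, T + 0.283203125), validate_response(req, kod, T + 0.283203125)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("good reply:", accepted)    # offset 0.5, delay 0.03125, ref_id 10.0.0.1
    print("KoD reply :", rejected)    # rejected with kiss code RATE
```

Run `query_server("pool.ntp.org")` a few times from the DC and note the `responder` values: that is the set of IPs the firewall rule must admit, and it will differ between resolutions for exactly the round-robin reason described above. A reply whose originate timestamp does not echo your request is discarded, which is the same check real clients use so an off-path host cannot inject a false time.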
What about using FQDN-objects for this purpose?
Hi @KarstenI, would you be able to point me at an RTFM article for this? Are FQDN objects only updated by the API?
Here you go:
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Network_Objects_Configuration_Guide
Policy-Objects are still labelled "Beta" but they are already widely used.
Thanks, I added the NTP servers as network objects. I read that it's only supported in firewall rules and not group policies, so I set it up as a firewall rule. Looking at my NTP logs, I have it set to try 5 NTP servers and it's getting at least 2 to 5 most of the time. Is the FQDN object updated differently from how I was doing it?
What exactly do you mean by "getting at least 2 to 5 most of the time"?
The Meraki implementation is not really documented (or I didn't find the relevant documentation) but it could work the following way: