Palo Alto Networks Knowledgebase: NTP Service Route Does Not Work if Service Route for DNS is Configured

Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Resolution

Symptom

When service routes for DNS and NTP are set on different interfaces, the NTP service route does not work for an NTP server that is also a configured DNS server (the secondary DNS/NTP server in the example below).

For example, see the following sample diagram and configuration:

   Pri NTP Srv -+
            .20 |                 +----------+
                | (trust zone)    |          |      (untrust zone)
   +-+[Router]+-+---------+ (E1/2)+  PA-2020 +(E1/1)+------------+ Pri DNS Srv
   |        .1                .2  |          | .2                .20
   |         (172.16.100.0/24)    +----------+  (192.168.100.0/24)
   |
   |
   +---- Sec DNS/NTP Srv
          .20
    (172.16.200.0/24)

Service routes:

For DNS, source address set to "192.168.100.2/24" (Eth1/1, untrust)
For NTP, source address set to "172.16.100.2/24" (Eth1/2, trust)

Servers:

Primary DNS: 192.168.100.20 (untrust zone side)
Primary NTP: 172.16.100.20 (trust zone side)
Secondary DNS/NTP: 172.16.200.20 (trust zone side) - the same host is used as both the secondary DNS server and the secondary NTP server

Service route setting:

<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>

As shown above, the Palo Alto Networks firewall is configured to use Eth1/1 (untrust) for DNS and Eth1/2 (trust) for NTP. However, the firewall sends NTP traffic to 172.16.200.20 out of Eth1/1 (untrust), and that traffic can be dropped when no security policy allows NTP sourced from the untrust zone toward that server. The primary NTP server, which is not also a DNS server, still synchronizes through Eth1/2 as configured:

> show ntp

NTP state:
    NTP synched to LOCAL
    NTP server 172.16.200.20 connected: False   << Not connected
    NTP server 172.16.100.20 connected: True

Cause

Under the current architecture, the Palo Alto Networks firewall initiates NTP transactions from the interface of the DNS service route whenever the NTP server is the same host as a configured DNS server. The NTP service route is not applied to that server, so its egress interface and zone follow the DNS service route instead.
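The following check is an added example, not code from the Palo Alto Networks article or from PAN-OS. It parses the article's service-route fragment, maps each route's source address to an interface through an assumed interface table for the example topology, and models the behaviour described above: any NTP server that is also a configured DNS server is predicted to egress through the DNS service-route interface rather than the NTP one. The interface table, the server dictionaries and the function names are all constructed for this example; in practice the configuration would be pulled from the firewall (for example via the XML API).

```python
"""Added check (not from the Palo Alto Networks article): flag NTP servers
that share a host with a configured DNS server while the DNS and NTP
service routes leave on different interfaces, which is the collision the
article describes.  All inputs below are constructed from the article's
example; the interface/zone map is an assumption about the topology.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Service-route fragment as shown in the article (constructed input).
SERVICE_ROUTE_XML = """
<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>
"""

# Assumed interface/zone map for the article's diagram.
INTERFACES = {
    "ethernet1/1": {"zone": "untrust", "ip": "192.168.100.2/24"},
    "ethernet1/2": {"zone": "trust", "ip": "172.16.100.2/24"},
}

# Server addresses from the article (constructed input).
DNS_SERVERS = {"primary": "192.168.100.20", "secondary": "172.16.200.20"}
NTP_SERVERS = {"primary": "172.16.100.20", "secondary": "172.16.200.20"}


def parse_service_routes(xml_text):
    """Return {service_name: source_address} from a <route><service> fragment."""
    root = ET.fromstring(xml_text)
    routes = {}
    for entry in root.iterfind("./service/entry"):
        src = entry.findtext("source-address")
        if src:
            routes[entry.get("name")] = src.strip()
    return routes


def interface_for_source(source_address, interfaces=INTERFACES):
    """Map a service-route source address to the interface that owns that IP."""
    src_ip = ipaddress.ip_interface(source_address).ip
    for name, info in interfaces.items():
        if ipaddress.ip_interface(info["ip"]).ip == src_ip:
            return name
    raise ValueError(f"no interface owns {source_address}")


def effective_ntp_egress(routes, dns_servers, ntp_servers, interfaces=INTERFACES):
    """Predict the egress interface for each NTP server.

    Models the behaviour the article reports: when an NTP server address is
    also a configured DNS server, NTP is sourced from the DNS service-route
    interface instead of the NTP one.
    """
    ntp_if = interface_for_source(routes["ntp"], interfaces)
    dns_if = interface_for_source(routes["dns"], interfaces)
    dns_hosts = set(dns_servers.values())
    result = {}
    for role, addr in ntp_servers.items():
        egress = dns_if if addr in dns_hosts else ntp_if
        result[addr] = {
            "role": role,
            "configured_interface": ntp_if,
            "effective_interface": egress,
            "zone": interfaces[egress]["zone"],
            # Only a collision when the DNS route actually changes the egress.
            "collision": egress != ntp_if,
        }
    return result


def collisions(routes, dns_servers, ntp_servers, interfaces=INTERFACES):
    """Return the NTP server addresses whose traffic will not follow the NTP route."""
    pred = effective_ntp_egress(routes, dns_servers, ntp_servers, interfaces)
    return sorted(addr for addr, info in pred.items() if info["collision"])


if __name__ == "__main__":
    routes = parse_service_routes(SERVICE_ROUTE_XML)
    for addr, info in effective_ntp_egress(routes, DNS_SERVERS, NTP_SERVERS).items():
        flag = "  <-- shares host with a DNS server" if info["collision"] else ""
        print(f"NTP {info['role']:9} {addr:15} via {info['effective_interface']} "
              f"({info['zone']}){flag}")
```

For the article's configuration the check reports 172.16.200.20 leaving through ethernet1/1 in the untrust zone, which is the server that `show ntp` lists as not connected; if the DNS and NTP service routes share an interface the check reports no collision, since the egress interface is then unchanged.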

owner: kkondo

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldDCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail