Palo Alto Networks Knowledgebase: NTP Service Route Does Not Work if Service Route for DNS is Configured
Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
When the DNS and NTP service routes are assigned to different interfaces, the NTP service route is not honoured for an NTP server that is also a configured DNS server, such as the shared Secondary DNS/NTP server in the following example.
The sample diagram and configuration:
   Sec DNS/NTP Srv                  Pri NTP Srv (172.16.100.20)
   (172.16.200.20)                       |
          |                              |  (trust zone)                    (untrust zone)
          +------[Router]----------------+------(E1/2)[ PA-2020 ](E1/1)-------------------- Pri DNS Srv
                                             172.16.100.2/24     192.168.100.2/24           (192.168.100.20)
For DNS, source address: 192.168.100.2/24 (Eth1/1, untrust)
For NTP, source address: 172.16.100.2/24 (Eth1/2, trust)
Primary DNS: 192.168.100.20 (untrust zone side)
Primary NTP: 172.16.100.20 (trust zone side)
Secondary DNS/NTP: 172.16.200.20 (trust zone side); the same host is used for both the NTP and the DNS service
Service route setting:
As shown above, the Palo Alto Networks firewall is configured to reach DNS through Eth1/1 (untrust) and NTP through Eth1/2 (trust). However, because 172.16.200.20 is also a configured DNS server, the firewall sends its NTP traffic to that host out of Eth1/1 (untrust) instead, and since no security policy allows NTP traffic sourced from the untrust zone, those packets can be dropped. The result is visible in the NTP status:
> show ntp
    NTP synched to LOCAL
    NTP server 172.16.200.20 connected: False   << Not connected
    NTP server 172.16.100.20 connected: True
Under the current architecture, when the NTP server and a DNS server are the same host, the Palo Alto Networks firewall initiates NTP transactions from the interface of the DNS service route rather than from the NTP service route. To avoid the problem, assign the DNS and NTP service routes to the same interface, or do not use the same host for both services.
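The behaviour described above, written out as a small Python model plus a configuration check that flags the pitfall before commit. This is an added example, not code from Palo Alto Networks or PAN-OS: the rule in effective_route is the article's description of the behaviour, not an implementation of PAN-OS internals; the interface names ethernet1/1 and ethernet1/2 are assumed to be the CLI spelling of Eth1/1 and Eth1/2; and the show ntp text is constructed to mirror the output in the article rather than captured from a device.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRoute:
    """One row of the service route configuration: egress interface and source IP."""
    interface: str
    source: str  # "address/prefix" as typed in the GUI, e.g. "192.168.100.2/24"


def effective_route(service, dest, routes, dns_servers):
    """Return (service whose route is actually used, ServiceRoute) for traffic to dest.

    Models the behaviour the article describes (assumption, not PAN-OS source):
    when an NTP server address is also a configured DNS server, the firewall
    sends NTP to it from the DNS service route instead of the NTP one.
    Every other case uses the service's own route.
    """
    if service == "ntp" and dest in dns_servers and "dns" in routes:
        return "dns", routes["dns"]
    return service, routes[service]


def check_shared_dns_ntp_host(routes, dns_servers, ntp_servers):
    """Flag NTP servers whose traffic will leave on a different interface than the
    NTP service route says, because the same host is also a DNS server."""
    findings = []
    for server in ntp_servers:
        used_by, route = effective_route("ntp", server, routes, dns_servers)
        if used_by != "ntp" and route != routes["ntp"]:
            findings.append({
                "server": server,
                "configured": routes["ntp"].interface,
                "actual": route.interface,
                "actual_source": route.source,
            })
    return findings


def unreachable_ntp_servers(show_ntp_output):
    """Parse the text of 'show ntp' and return the servers reported as not connected."""
    pattern = re.compile(r"NTP server (\S+) connected: False")
    return [m.group(1) for m in pattern.finditer(show_ntp_output)]


# Configuration from the article; interface names assumed to be the CLI form of Eth1/1 and Eth1/2.
ROUTES = {
    "dns": ServiceRoute(interface="ethernet1/1", source="192.168.100.2/24"),
    "ntp": ServiceRoute(interface="ethernet1/2", source="172.16.100.2/24"),
}
DNS_SERVERS = ["192.168.100.20", "172.16.200.20"]  # primary, secondary
NTP_SERVERS = ["172.16.100.20", "172.16.200.20"]   # primary, secondary

# Constructed 'show ntp' output reproducing the article's result (not captured from a device).
SHOW_NTP = """\
NTP synched to LOCAL
NTP server 172.16.200.20 connected: False
NTP server 172.16.100.20 connected: True
"""

if __name__ == "__main__":
    for f in check_shared_dns_ntp_host(ROUTES, DNS_SERVERS, NTP_SERVERS):
        print(f"NTP to {f['server']} is configured on {f['configured']} but will egress "
              f"{f['actual']} from {f['actual_source']} (DNS service route)")
    print("not connected:", unreachable_ntp_servers(SHOW_NTP))
```

Run against the article's values the check reports only the shared host, 172.16.200.20, leaving on ethernet1/1 rather than ethernet1/2, which matches the server that show ntp lists as not connected; the primary NTP server, which is not a DNS server, is left alone. Removing 172.16.200.20 from the DNS server list, or putting both service routes on the same interface, makes the check return nothing.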