Symptom
When service routes for DNS and NTP are set to different interfaces, the NTP service route does not take effect when the NTP server and the DNS server are the same host, like the secondary DNS/NTP server in the following example.
See the following sample diagram and configuration:
                 Pri NTP Srv .20
                      |
                      |  (trust zone)          +---------+        (untrust zone)
  [Router] .1 --------+-------------- .2 (E1/2)| PA-2020 |(E1/1) .2 ------------- .20 Pri DNS Srv
      |        (172.16.100.0/24)               +---------+        (192.168.100.0/24)
      |
      +---- Sec DNS/NTP Srv .20
            (172.16.200.0/24)
Service routes:
For DNS, source address set as "192.168.100.2/24 (Eth1/1, untrust)"
For NTP, source address set as "172.16.100.2/24 (Eth1/2, trust)"
Primary DNS: 192.168.100.20 (untrust zone side)
Primary NTP: 172.16.100.20 (trust zone side)
Secondary DNS/NTP: 172.16.200.20 (trust zone side) - the same host is used for both the NTP and DNS service
Service route setting:
<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>
As shown above, the Palo Alto Networks firewall is configured to use Eth1/1 (untrust) for DNS and Eth1/2 (trust) for NTP. However, the firewall used Eth1/1 (untrust) for the NTP traffic toward 172.16.200.20, and the packets can be dropped because no security policy exists that allows NTP traffic sourced from the untrust zone.
> show ntp
NTP state:
NTP synched to LOCAL
NTP server 172.16.200.020 connected: False << Not connected
NTP server 172.16.100.20 connected: True
Cause
Under the current architecture, the Palo Alto Networks firewall initiates NTP transactions from the same interface as the DNS service route when the NTP server and the DNS server are the same host.
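The following is an added configuration-review script, not part of the original article or any Palo Alto Networks tool. It parses a service-route fragment like the one above and, applying the behaviour described in the Cause, predicts which interface and zone each NTP server will actually be sourced from, flagging servers that share a host with a DNS server and therefore need a security policy review. The interface/zone mapping and server lists are constructed from the diagram.

```python
import xml.etree.ElementTree as ET

# Constructed sample matching the article's topology (not an export from a firewall).
SERVICE_ROUTE_XML = """<route><service>
  <entry name="ntp"><source-address>172.16.100.2/24</source-address></entry>
  <entry name="dns"><source-address>192.168.100.2/24</source-address></entry>
</service></route>"""

# Assumed mapping of service-route source address -> (interface, zone), from the diagram.
INTERFACES = {"172.16.100.2/24": ("ethernet1/2", "trust"),
              "192.168.100.2/24": ("ethernet1/1", "untrust")}

DNS_SERVERS = ["192.168.100.20", "172.16.200.20"]   # primary, secondary
NTP_SERVERS = ["172.16.100.20", "172.16.200.20"]   # primary, secondary

def parse_service_routes(xml_text):
    """Return {service_name: source-address} from a service-route XML fragment."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.findtext("source-address") for e in root.iter("entry")}

def effective_ntp_routes(routes, dns_servers, ntp_servers):
    """Predict the source the firewall will really use for each NTP server.
    Per the article, an NTP server that is also a DNS server inherits the
    DNS service route's source interface instead of the configured NTP one."""
    result = {}
    for srv in ntp_servers:
        shared = srv in dns_servers
        src = routes["dns"] if shared else routes["ntp"]
        iface, zone = INTERFACES[src]
        result[srv] = {"source": src, "interface": iface,
                       "zone": zone, "shared_with_dns": shared}
    return result

def review(routes, dns_servers, ntp_servers):
    """Flag NTP servers whose traffic will leave a different interface than the
    NTP service route intends, so the matching security policy can be checked."""
    findings = []
    for srv, info in effective_ntp_routes(routes, dns_servers, ntp_servers).items():
        if info["source"] != routes["ntp"]:
            findings.append(
                f"NTP to {srv} will be sourced from {info['interface']} "
                f"({info['zone']} zone) via the DNS service route; "
                f"verify a security policy permits NTP from that zone")
    return findings

if __name__ == "__main__":
    for line in review(parse_service_routes(SERVICE_ROUTE_XML), DNS_SERVERS, NTP_SERVERS):
        print(line)
```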
owner: kkondo