The Palo Alto Networks firewall can be configured to use specific Network Time Protocol (NTP) servers in the GUI under Device > Setup > Services. When synchronizing with the NTP server(s), NTP uses a minimum polling interval of 64 seconds and a maximum polling interval of 1024 seconds. These minimum and maximum polling intervals are not configurable on the firewall.
Once the Palo Alto Networks device goes through the initial synchronization process and synchronizes the system clock, it will poll the NTP server within the default minimum and maximum range.
For more information on NTP server polling and the determination of the polling interval, visit www.ntp.org.
To manually restart the NTP process, use the following CLI command:
> debug software restart ntp
or, in newer releases:
> debug software restart process ntp
To check whether the NTP process has a new PID, run the following command:
(Note: The ntp process does not appear in the output of the command below on the PA-VM series and on lower-end hardware platforms without a dedicated dataplane.)
> show system software status | match ntp
Process ntp running (pid: 2216)
To verify NTP state, use the show ntp CLI command as in the following examples:
Example of successful connection:
> show ntp
NTP state:
NTP synched to ntp.nc.u-tokyo.ac.jp
NTP server ntp.nict.jp connected: True
NTP server ntp.nc.u-tokyo.ac.jp connected: True
The following output is seen in the newer releases:
> show ntp
NTP state:
NTP synched to 1.pool.ntp.org
NTP server: 1.pool.ntp.org
status: synched
reachable: yes
authentication-type: none
Example of unsuccessful connection (could be due to: Error in NTP Sync Status Display):
> show ntp
NTP state:
NTP synched to LOCAL
NTP server ntp.example.com connected: False
NTP server ntp2.example.com connected: False
The following output is in the newer releases:
> show ntp
NTP state:
NTP server: 0.pool.ntp.org
status: rejected
reachable: no
authentication-type: none
To verify current system date and time, use the following CLI command:
> show clock
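The show ntp outputs above can be checked automatically, for example across a fleet of firewalls whose log timestamps need to be trusted. The following is an added example, not Palo Alto Networks code: it parses both the older and newer output layouts from text that has already been collected, and the function names parse_show_ntp and findings are hypothetical. Reporting "authentication-type: none" as a finding is an assumption about local policy.

```python
import re

def parse_show_ntp(text):
    """Parse 'show ntp' output (older or newer layout) into a dict."""
    state = {"synched_to": None, "servers": []}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"NTP synched to (\S+)", line):
            state["synched_to"] = m.group(1)
        elif m := re.fullmatch(r"NTP server (\S+) connected: (True|False)", line):
            # Older layout: one line per server.
            state["servers"].append({"name": m.group(1), "reachable": m.group(2) == "True"})
        elif m := re.fullmatch(r"NTP server: (\S+)", line):
            # Newer layout: server header, then "key: value" lines.
            current = {"name": m.group(1)}
            state["servers"].append(current)
        elif current and (m := re.fullmatch(r"(status|reachable|authentication-type): (\S+)", line)):
            key, val = m.groups()
            current[key] = (val == "yes") if key == "reachable" else val
    return state

def findings(state):
    """List problems worth alerting on for one firewall's NTP state."""
    out = []
    if state["synched_to"] in (None, "LOCAL"):
        out.append("clock not synchronized to an external NTP server")
    for s in state["servers"]:
        if not s.get("reachable"):
            out.append(f"{s['name']}: unreachable")
        if s.get("authentication-type") == "none":  # assumed: no NTP auth configured
            out.append(f"{s['name']}: NTP replies are not authenticated")
    return out

# Sample outputs copied from the examples on this page.
NEW_OK = """NTP state:
NTP synched to 1.pool.ntp.org
NTP server: 1.pool.ntp.org
status: synched
reachable: yes
authentication-type: none"""
NEW_BAD = """NTP state:
NTP server: 0.pool.ntp.org
status: rejected
reachable: no
authentication-type: none"""
OLD_BAD = """NTP state:
NTP synched to LOCAL
NTP server ntp.example.com connected: False
NTP server ntp2.example.com connected: False"""
print(findings(parse_show_ntp(NEW_BAD)))
```

The older layout carries no authentication field, so for those releases only synchronization and reachability are reported.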