Configuring Network Time Protocol; Configuring an NTP Backup Server - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01 Manual


Configuring ScreenOS Devices Guide

Configuring Network Time Protocol

To ensure that the security device always maintains the right time, the device can use
Network Time Protocol (NTP) to synchronize its system clock with that of an NTP server
on the Internet.

To use NTP, first enable Network Time Protocol, and then configure the settings as
described in Table 34.

Table 34: Network Time Protocol Settings

NTP Settings: Synchronization
Your Action:
You can configure the security device to perform this synchronization automatically at time
intervals that you specify. By default, the synchronization interval is set to 10 minutes, with
a 3-second maximum adjustment threshold.

NTP Settings: Authentication
Your Action:
You can secure NTP traffic by enabling authentication. When using authentication, for each
NTP server you configure on the security device, you must assign a unique server key ID and
preshare key; the key ID and preshare key serve to create an MD5 checksum, with which the
device and the NTP server can authenticate NTP data. Select the authentication mode that
the device uses when connecting to an NTP server:

Required: The device must include the authentication information (server key ID and MD5
checksum) in every packet it sends to an NTP server and must authenticate all NTP packets
it receives from an NTP server. If authentication fails, the device denies NTP traffic from the
NTP server.

Preferred: The device attempts to authenticate NTP traffic using the same methods as the
Required option but continues to send and receive NTP traffic if authentication fails.

None (default mode): Select this mode if you do not want to authenticate NTP packets.

NTP Settings: NTP Servers
Your Action:
You can configure up to three NTP servers (one primary and two backups) from which the
security device can regularly update its system clock. If you enable authentication by selecting
the Required or Preferred authentication options, you must also provide a unique server key
ID and preshare key for each NTP server that you configure.

Configuring an NTP Backup Server

You can specify an individual interface as the source address to direct Network Time
Protocol (NTP) requests from the device over a VPN tunnel to the primary NTP server
or a backup server as necessary. Among other interface types, you can select a loopback
interface to perform this function.

The security device sends NTP requests from a source interface and optionally uses an
encrypted preshared key when sending NTP requests to the NTP server. The encrypted
preshared key provides authentication.
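
The checksum check and the three authentication modes from Table 34, which also apply to the preshared-key authentication used with backup servers, shown as an added Python example that is not taken from the Juniper manual. It assumes the standard NTP symmetric-key layout (a 4-byte key ID and MD5 of the key followed by the 48-byte header, appended to the packet); the key, key ID and packets are constructed samples.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header; the MAC trailer follows it
MAC_LEN = 4 + 16  # 32-bit key ID + 128-bit MD5 digest

def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header) to an NTP header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def mac_is_valid(packet: bytes, keys: dict) -> bool:
    """True only if the packet carries a digest made with a key we hold."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False  # missing or malformed MAC trailer
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key = keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return False  # key ID not configured for this server
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, trailer[4:])  # constant-time compare

def accept_reply(packet: bytes, mode: str, keys: dict) -> tuple:
    """Return (accepted, authenticated) under one Table 34 mode."""
    if mode == "none":
        return True, False  # the MAC is never checked
    authenticated = mac_is_valid(packet, keys)
    if mode == "required":
        return authenticated, authenticated  # failed check: reply is dropped
    if mode == "preferred":
        return True, authenticated  # failed check is tolerated
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample data (assumptions, not values from the manual).
KEYS = {1: b"constructed-key"}
HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)  # NTPv4 server-mode header
GENUINE = add_mac(HEADER, 1, KEYS[1])
WRONG_KEY = add_mac(HEADER, 1, b"some-other-key")
NO_MAC = HEADER

if __name__ == "__main__":
    for mode in ("required", "preferred", "none"):
        for name, pkt in (("genuine", GENUINE), ("wrong key", WRONG_KEY), ("no MAC", NO_MAC)):
            print(f"{mode:9} {name:9} -> {accept_reply(pkt, mode, KEYS)}")
```

Under Preferred, a reply with a bad or missing checksum is still accepted, so only Required keeps the device from taking time from a source that does not hold the key.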

Related Documentation

Setting ScreenOS Authentication Options Using General Auth Settings on page 165
Setting ScreenOS Authentication Options Using Banners Overview on page 166
Configuring Secure Connections in ScreenOS Devices Using NSM Overview on page 162

Copyright © 2010, Juniper Networks, Inc.
