How to Configure Custom NTP Servers on FortiGate Firewall

Introduction

Accurate time is very important for any network device — especially firewalls like FortiGate. Correct timestamps help with:

  • Reading logs in the right order during troubleshooting
  • Matching events across different devices
  • Certificate validation (VPNs, SSL inspection)
  • Security auditing and compliance reporting

By default, FortiGate uses FortiGuard time servers over the internet. This works well for most people, but many organizations prefer internal NTP servers for better security, faster sync, or compliance rules.

This guide shows you how to configure custom NTP servers on FortiGate — using both the web GUI and CLI — with a practical example.

Why Use Custom (Internal) NTP Servers?

Here are the main reasons companies choose their own NTP servers instead of FortiGuard:

  • Security & Isolation — Keeps time sync inside your network perimeter (no outbound internet dependency for time)
  • Compliance Requirements — Some standards (banking, government, healthcare) require internal, controlled time sources
  • Faster & More Reliable Sync — Local servers usually respond quicker and are not affected by internet issues
  • Control & Auditing — You know exactly which time source is used and can monitor it yourself
  • Redundancy — Easy to set multiple internal stratum-1 or stratum-2 servers

Example Scenario

We will configure the following settings (you can change them to match your environment):

  • Primary NTP server: 192.168.20.10
  • Sync interval: 1440 minutes (once every 24 hours)
  • NTP enabled and set to custom mode

1440 minutes = 24 hours — this is a common setting for internal servers. You can use shorter intervals (e.g., 60 minutes) if needed.

Method 1: Configure NTP Using the Web GUI

  1. Log in to the FortiGate web interface (https://your-fortigate-ip)
  2. Go to System → Settings
  3. In the Network Time Protocol (NTP) section, click Edit or Configure
  4. Set Mode to Custom
  5. Enable Synchronize with NTP Server
  6. Click Create New under NTP Servers
  7. Enter Server IP: 192.168.20.10
  8. (Optional) Add a second server if you have one
  9. Set Sync Interval to 1440 minutes
  10. Click OK / Apply

After applying, FortiGate will immediately try to sync with your server.

Method 2: Configure NTP Using CLI (Recommended for Precision)

Log in via SSH or console and run these commands:

config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 1440
    config ntpserver
        edit 1
            set server "192.168.20.10"
        next
    end
end
  

To add a second server (recommended for redundancy):

config system ntp
    config ntpserver
        edit 2
            set server "192.168.20.11"
        next
    end
end
  

Save changes (FortiOS commits the configuration when you enter the final end of a config block):

end
  

Verify NTP Is Working

After configuration, check status with these CLI commands:

get system ntp status
  

Look for:

  • sync: yes — means it successfully synced
  • server: 192.168.20.10
  • last update: shows when it last synced

diagnose sys ntp status
  

This gives more details including offset, delay, and stratum level.

diagnose debug application ntpd -1
diagnose debug enable
  

(Run for a short time, then disable with diagnose debug disable — shows real-time sync activity.)
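
The offset, delay and stratum values mentioned above are derived from fields in the NTP server's reply. The following Python code is an added example, not part of the original article and not Fortinet code. It parses a 48-byte NTP reply, computes offset and delay from the four timestamps, and flags a server that reports itself unsynchronized. The function names, the constructed sample packets and the 1.0 second offset threshold are assumptions made for illustration.

```python
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# 48-byte header: flags, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit timestamps
HEADER = "!BBbbII4s4Q"

def to_unix(raw):
    """64-bit NTP timestamp (32.32 fixed point) -> Unix seconds."""
    return (raw >> 32) + (raw & 0xFFFFFFFF) / 2**32 - NTP_DELTA

def to_ntp(unix):
    """Unix seconds -> 64-bit NTP timestamp."""
    return int((unix + NTP_DELTA) * 2**32)

def check_reply(packet, t4, max_offset=1.0):
    """Parse a reply received at client time t4; list reasons not to trust it."""
    if len(packet) < 48:
        raise ValueError("truncated NTP reply")
    flags, stratum, *_, t1, t2, t3 = struct.unpack(HEADER, packet[:48])
    leap, mode = flags >> 6, flags & 0x7
    t1, t2, t3 = to_unix(t1), to_unix(t2), to_unix(t3)
    offset = ((t2 - t1) + (t3 - t4)) / 2  # positive: client clock is behind the server
    delay = (t4 - t1) - (t3 - t2)         # round trip minus server processing time
    problems = []
    if mode != 4:
        problems.append("mode %d is not a server reply" % mode)
    if leap == 3:
        problems.append("leap indicator 3: server clock is not synchronized")
    if stratum == 0 or stratum >= 16:
        problems.append("stratum %d: server has no valid upstream source" % stratum)
    if abs(offset) > max_offset:
        problems.append("offset %.3f s exceeds %.1f s" % (offset, max_offset))
    return {"stratum": stratum, "offset": offset, "delay": delay, "problems": problems}

def sample_reply(leap, stratum, t1, t2, t3):
    """Constructed test input: a version 4, mode 4 (server) reply."""
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0, b"LOCL",
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))

if __name__ == "__main__":
    t1 = 1700000000.0  # constructed client send time
    healthy = sample_reply(0, 2, t1, t1 + 0.25, t1 + 0.5)
    unsynced = sample_reply(3, 16, t1, t1 + 2.25, t1 + 2.5)
    print(check_reply(healthy, t4=t1 + 0.75))
    print(check_reply(unsynced, t4=t1 + 0.75))
```

A server that answers on UDP 123 but reports stratum 16 or leap indicator 3 is reachable yet has no usable upstream source, so a successful ping alone does not show that it is a trustworthy time source.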

Common Problems & Fixes

  • No sync after 5–10 minutes → Check firewall policy allows UDP 123 outbound to your NTP server
  • Server unreachable → Ping your NTP IP from FortiGate CLI: execute ping 192.168.20.10
  • Wrong time after sync → Make sure your internal NTP server is using a good upstream source (GPS, pool.ntp.org, etc.)
  • Sync interval too long/short → 1440 minutes is fine for stable servers; use 60–720 for more frequent checks

FortiGate blocks NTP by default in policies — create a policy: LAN → WAN, service NTP, allow.

Conclusion

Setting up custom NTP servers on FortiGate is simple and gives you better control, security, and compliance. Whether you use the GUI for quick setup or CLI for scripting/automation, the process is the same: enable NTP, set custom mode, add your server(s), choose a sync interval, and verify.

Accurate time sync is a small setting with a big impact — it makes logs trustworthy, certificates valid, and troubleshooting much easier.

Once configured, your FortiGate will quietly keep perfect time — exactly how you want it.