NTP requests to pool.ntp.org dropped by CFS when rule specifically allowing request is enabled

Article ID: 274646

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

An IPsec tunnel into Cloud SWG forwards all traffic from on-premise networks into Cloud SWG.

Cloud Firewall Service (CFS) is enabled and CFS rules have been created allowing NTP traffic (tcp/udp 123) to pool.ntp.org. pool.ntp.org has a fairly dynamic database of IP addresses (https://www.pool.ntp.org/en/).

A number of IoT devices, such as building sensors and cameras, generate requests through Cloud SWG/CFS to this pool.ntp.org endpoint on tcp/udp 123.

Many of these NTP requests are dropped even though they are destined for the pool.ntp.org NTP servers, as the CFS drop logs show.

IoT admins expect that allowing the FQDN pool.ntp.org for their devices would cover all outbound NTP requests.

Environment

Cloud Firewall Service (CFS).

IPSEC firewall.

IOT devices.

Cause

pool.ntp.org can resolve to potentially thousands of IP addresses, and the set of addresses changes dynamically.

When CFS initialises and refreshes, it resolves the FQDN and caches only a subset of those IP addresses. Requests to any address outside that cached subset do not match the FQDN rule and are dropped, so any service backed by thousands of different and changing IP addresses may be impacted.


Resolution

A number of workarounds exist for now, including:

- allow any request from the secured network these IoT devices run on to TCP/UDP 123, or

- change the NTP configuration on the IoT devices to point to another NTP server, e.g. clock1.org, or

- add all pool.ntp.org IP addresses visible from the internal DNS server, or pulled from the CFS drop logs, as IP addresses within the CFS rules.
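The following is an added example, not code from the article or from Broadcom, illustrating the cause described above and the third workaround: it takes a cached subset of pool.ntp.org addresses (a constructed snapshot, as CFS would hold after a refresh), reads constructed CFS drop-log lines, reports the dropped NTP flows whose destination fell outside that cached subset, and renders those destinations as entries to add to the CFS rule. The key=value log layout, the address values and the function names are all assumptions; the real CFS log format is not shown on the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed snapshot of the pool.ntp.org addresses CFS cached at its last
# initialise/refresh. Documentation-range addresses, not real pool members;
# the set itself is an assumption for this example.
CACHED_POOL_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}

# Constructed CFS drop-log lines. The page does not show the real CFS log
# layout, so this key=value format is an assumption used only here.
SAMPLE_DROP_LOG = """\
2024-01-01T00:00:01Z action=drop src=10.1.5.20 dst=203.0.113.7 dport=123 proto=udp
2024-01-01T00:00:02Z action=allow src=10.1.5.21 dst=192.0.2.10 dport=123 proto=udp
2024-01-01T00:00:03Z action=drop src=10.1.5.22 dst=203.0.113.9 dport=123 proto=udp
2024-01-01T00:00:04Z action=drop src=10.1.5.20 dst=203.0.113.7 dport=123 proto=udp
2024-01-01T00:00:05Z action=drop src=10.1.5.23 dst=198.51.100.77 dport=443 proto=tcp
this line is not a log record and must be skipped
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

NTP_PORT = 123


def parse_drop_log(text):
    """Parse key=value records; skip lines that do not match or carry a bad IP."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["dst"] = str(ipaddress.ip_address(rec["dst"]))
        except ValueError:
            continue  # not a usable destination address
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def uncached_ntp_drops(records, cached_ips):
    """Count dropped NTP (port 123) flows whose destination was not in the
    cached pool subset: exactly the traffic the FQDN rule was expected to allow."""
    hits = Counter()
    for rec in records:
        if rec["action"] != "drop" or rec["dport"] != NTP_PORT:
            continue
        if rec["dst"] not in cached_ips:
            hits[rec["dst"]] += 1
    return hits


def cfs_destination_list(ips):
    """Render the missing addresses as sorted /32 entries for a CFS rule destination."""
    return [f"{ip}/32" for ip in sorted(ips, key=ipaddress.ip_address)]


if __name__ == "__main__":
    recs = parse_drop_log(SAMPLE_DROP_LOG)
    missing = uncached_ntp_drops(recs, CACHED_POOL_IPS)
    for ip, n in missing.most_common():
        print(f"{ip}: {n} dropped NTP request(s), destination not in cached pool subset")
    print("add to CFS rule:", cfs_destination_list(missing))
```

Because the pool's address set keeps changing, a list produced this way goes stale; rerun it against fresh drop logs (or the internal DNS server's view) periodically, and prefer the first workaround where the security policy permits allowing TCP/UDP 123 from that network outright.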

Additional Information

This limitation is documented at https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/cfs-about/cfs-policy-editor.html.