On the one hand, if the time on the network device is inconsistent, such as the time difference between the router and the firewall is ten minutes, it will be very troublesome when troubleshooting. Because there are event logs on the firewall or router, the related fault information will be reflected on these logs. Because the system time of the two is inconsistent, the time displayed on the log may also be problematic, which is unfavorable for us to solve the problem. It is as if the time between your watch and the attendance machine in the company is inconsistent. Then it is difficult for you to grasp the time of work. Even if the time of the attendance machine is wrong, we must also make adjustments based on the time of the attendance machine. On the other hand, if there is a certificate application on the network device, the time consistency is more demanded. If you need to certify or revoke a certificate, you must ask for a more accurate time and require the same time between network devices.
Therefore, for various reasons, our network administrator is obliged to ensure that the firewall is consistent with other network devices in terms of time.
For the firewall, there are two main ways to adjust the time.
The first type: The firewall system clock is at the factory of the firewall. Like the computer motherboard, there is also a system time. When the firewall is initially deployed, the firewall server uses this system time to negotiate related issues with other devices. However, in the follow-up management of the firewall, we can configure the system clock according to our own needs.
1, modify the system clock time. In some cases, we may need to modify the system clock time. For some reason, network administrators may delay the time of all network devices by one hour. At this time, we need to manually modify the time according to the actual situation and to ensure that the firewall time is consistent with the clocks of other network devices, and reset the firewall system clock according to the time of other network devices.
2, set a reasonable time zone. By default, firewalls use a so-called world coordination time, and sometimes we may not be able to understand this representation of time. At this point, we need to manually set the time zone, such as set to Beijing time and so on. However, one thing to note here is that this time zone is used only for display purposes and does not change the system clock. In other words, the system clock is still three coordination times; and when the displayed firewall server has been processed, it is converted and displayed according to the time zone that we set.
3, we can also set the server for daylight saving time. However, this daylight saving time has already been cancelled on the mainland. Therefore, this function is basically not used in actual management.
When using the firewall system clock, there are several issues to be aware of:
One is that the firewall system clock is a relatively independent time system, which does not automatically keep time with other network devices. Therefore, if the system clock is used, the user needs to check the time based on other network devices and then make adjustments. Be sure to keep the clock with other network devices. Otherwise, it will cause great trouble for our follow-up network maintenance.
Second, in terms of time zone management, it is better to be able to use the World Coordinated Time, because this is the trend of future development. Subsequent network devices will basically adopt this world coordination time. Therefore, our network administrator should be used to this representation. In this case, you don't need to change the time zone every time.
Third, it is possible that the time of other network devices is inaccurate, such as ten minutes slower than the standard time. At this point, the firewall can only "smell together" and keep up with them. Because of the time to change other numerous network devices, it will obviously have a great impact on the network. Therefore, at this time, only the time of the firewall server can be changed to ensure consistency with their time.
Second: Network Time Protocol In addition to manually setting the firewall server's system clock, we can set up a time server in the network so that other network devices are consistent with this time server. In this case, the clock consistency of various network devices can be guaranteed to the greatest degree. It is as if China has already had Beijing time, and there will only be one time in the country, which will eliminate some unnecessary troubles between the exchanges.
In the firewall, there is a network time protocol. His role is to specifically obtain time information from the network to the time server to provide an accurate time synchronization source for the network system.
For example, we can use the ntp server ip-address key number source if-name prefer command to configure the network time protocol so that it can obtain the time information from our specified time server.
Where Ntp: represents the time protocol.
Ip-address: Specifies the IP address of the server that the firewall needs to synchronize. key number: Indicates that a specific key must be used for communication when communicating with the time server. Number is used to specify the key. This parameter is especially important when the network administrator uses multiple keys or multiple servers for the purpose of labeling.
If_name: This parameter is mainly used to specify the interface that uses the firewall to communicate with the time server, that is, the interface name used to send packets to the NTP server.
Prefer: This parameter is usually not used, mainly used to specify the IP address of the time server is the preferred server. Generally, in a large network, there may be multiple time servers. Therefore, in order to reduce the unnecessary cost of switching back and forth between the time servers, this parameter can be used to specify.
When using the network time protocol to maintain the consistency of the network time, you need to pay attention to the following issues:
One is that the network time protocol usually uses 123 ports for communication. This should be taken care of when configuring the firewall. Do not disable this port. When there is no time network time protocol, this port can be shielded.
The second is to use the network time protocol to keep time synchronized. This time source must be chosen accurately. If we can directly use the time server on the Internet. However, when you use the time server on the Internet to synchronize the time with the firewall, you need to pay attention to two issues. The first is that the firewall does not exist in the domain of the enterprise network, that is, it does not use the domain to manage the enterprise network. Otherwise, the firewall server can use the domain controller's clock to synchronize. The second is to note that the time on the Internet only synchronizes the clock and does not synchronize the date. In other words, you must first set the correct date on the firewall, and only then can you update the time information from the time server on the Internet. Otherwise, if the date is inaccurate, the time information cannot be updated or updated accurately. However, if you are synchronizing with a time server on the Internet, you can only complete it if the network is unobstructed. In case of disruption of the external network connecting the enterprises, if the earthquake or tsunami causes the broken solder, it will not be able to keep the time updated. Therefore, in the enterprise, if there are requirements for certificates, such as for companies with subordinates who have online banking and other requirements for certificates, it is better to set up a time server. Because their demand for time consistency is not comparable to other companies. For security reasons, it is still necessary to set up a dedicated time server. Moreover, this investment will not be great.
In addition, for the sake of safety and reliability, especially in some important industry sectors, such as finance, communications, electricity, transportation, broadcasting, security, water conservancy, petrochemical, metallurgy, national defense, medical, education, government agencies, IT and other areas of network time synchronization, it is recommended Use a dedicated network time server device1. With a modular structure, the number of NTP/SNTP ports can be flexibly configured. Up to 20 independent 10/100M network ports can be configured.
2. Dual CPUs work at the same time, 32-bit CPU dual-core processors, performance greatly improved.
3. High precision and quick synchronization.
4. Support single-star timing mode, suitable for the situation of poor star collection effect, there are roof and window antenna to choose from.
5. The self-retaining ability is better than 0.42 μS/min after the device is unable to receive satellite signals.
6. It can provide time service for hundreds of thousands of clients, servers, and workstations at the same time.
7. Supports WINDOWS9X/NT/2000/XP/2003, LINUX, UNIX, SUN SOLARIS, IBM AIX, HP-UX, and other network devices such as routers, switches, and intelligent controllers that support the NTP protocol.
8. A variety of configuration methods, easy to manage and upgrade.
9. Support power interruption, GPS missing dry contact signal alarm.
10. Dedicated embedded system, no hard disk and fan design, shockproof design, stable and reliable system.
11. High-quality industrial-grade components, high-level electrical design, and high-density integrated circuit structure enable the device to have excellent electrical isolation and electromagnetic shielding performance. The entire machine has no adjustable devices, which greatly improves the device's anti-jamming performance and reliability. Protection.
12. The GPS receiving antenna focuses on lightning protection design, stability design, anti-jamming design, high signal reception reliability, and is not limited by geographical conditions and environments.
13. The device has a self-resetting capability and can automatically resume normal operation when an error occurs in the device program due to interference.
14. The device provides a programmable TTL pulse signal for testing the accuracy of the clock.
15. There are a variety of job status indications that make it easy to run day-to-day inspections of people on duty.
16. The device adopts a full modular plug-and-play structure design, supports hot plugging of boards, flexible configuration, and convenient maintenance, and at the same time provides convenience for the addition of the time port in the future field network transformation and expansion.
17. The device can display the current collecting star number online through the digital tube, and displays the synchronization status of the device online.
1. Time source: GPS, BeiDou, CDMA, IRIG-B, OCXO with constant temperature crystal, atomic clock optional;
2. Power supply: 220V/110V AC and DC adaptive, dual power supply redundancy;
3. GPS receiving frequency: 1575.42MHz, receiving sensitivity: capture <-160dBW, tracking <-163dBW. Capture time: when the device is cold started, <5 min; when the device is hot started, <1 min.
4. Beidou receiver: channel: 6; receiving sensitivity: -157.6dBW; cold start first capture time: ≤ 2 seconds; lost lock recapture time: ≤ 1 second; 1PPS accuracy: better than 100nS.
5. Mean time between failures (MTBF) ≥ 150,000 hours; mean time to repair (MTTR): generally not more than 30 minutes, the service life of not less than 20 years. No maintenance is required under normal use conditions.
6. Timing accuracy: pulse, B code: 0.1μS, serial port: 10μS, NTP/SNTP: 1-10ms;
7. Network port support protocols: NTP/SNTP, ARP, UDP/Time, Telnet, ICMP, SNMP, MD5;
8. NTP/SNTP time records keep the latest 300 records;
9. Dimensions: 1U/2U, 19" standard chassis, easy installation.
10. Antenna length standard 30m, optional 50,60,80,100,120,200 meters