Screen OS

  • 1.  NTP aged out

    Posted 02-27-2011 13:00

    Hello,

    Our servers in the DMZ zone need to synchronize their time with a time server in the trusted zone. I allowed the predefined NTP protocol between both zones. When I sync the time I get a message "Time Out - Aged Out". On the time server, the server is listening on UDP port 123.

    Is this normal behavior?

    Thanks



  • 2.  RE: NTP aged out

    Posted 02-27-2011 15:18

    Try temporarily changing the policy from dmz to trust to be "any" service instead of the ntp service.

    Then run the ntp update and look at the policy log. You will then see all of the ports that are being used for the update.

    Now create a group or use multiple select to allow all the necessary traffic on the log list.



  • 3.  RE: NTP aged out

    Posted 02-28-2011 03:48

    I tried what you suggested, but I only see one connection, no other logs are generated. Rule is any any permit for all traffic between client and ntp server.

    This is what is logged:

    Service: NETWORK TIME
    Duration: 70 sec.
    Bytes Sent: 196
    Bytes Received: 196
    Close Reason: Close - AGE OUT

    But it seems that the sync on the client works...



  • 4.  RE: NTP aged out
    Best Answer

    Posted 02-28-2011 05:05

    This is normal behavior for UDP sessions. The nature of UDP is that it's stateless, unlike for example TCP. A TCP connection is normally ended explicitly using FIN packets, so the firewall 'knows' that the session ended.

    For UDP a time-out is used (which defaults to 1 minute). So when the firewall hasn't seen traffic on the specified port for more than one minute, it closes the session and you'll see the "CLOSE - AGE OUT" message in your logs.


    Steve
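The behaviour Steve describes, and the log entry from the earlier reply, as an added worked example that is not part of this thread and not ScreenOS code: a small model of a stateful session table that closes UDP sessions on idle timeout (the 1 minute default named above) and TCP sessions on FIN, plus a parser and triage helper for the five-field log entry quoted in the thread. The close-reason string "Close - TCP FIN", the TCP idle timeout value and the sample packet sizes are assumptions for the model, as is the triage rule that an AGE OUT with non-zero "Bytes Received" means the reply came back and the session simply idled out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP_IDLE_TIMEOUT = 60    # seconds; the 1 minute default stated in the thread
TCP_IDLE_TIMEOUT = 1800  # seconds; assumed value for the model, not taken from the thread


@dataclass
class Session:
    proto: str
    src: str
    dst: str
    dport: int
    opened: int
    last_seen: int
    bytes_sent: int = 0
    bytes_received: int = 0
    duration: int = 0
    close_reason: Optional[str] = None


class SessionTable:
    """Minimal stateful-firewall session table: UDP has no FIN, so only idle time can close it."""

    def __init__(self, udp_timeout: int = UDP_IDLE_TIMEOUT, tcp_timeout: int = TCP_IDLE_TIMEOUT):
        self.timeouts = {"UDP": udp_timeout, "TCP": tcp_timeout}
        self.active: Dict[Tuple[str, str, str, int], Session] = {}
        self.closed: List[Session] = []

    def packet(self, t: int, proto: str, src: str, dst: str, dport: int,
               nbytes: int, reply: bool = False, fin: bool = False) -> None:
        # Same 4-tuple in either direction refreshes the same session entry.
        key = (proto, src, dst, dport)
        s = self.active.get(key)
        if s is None:
            s = Session(proto, src, dst, dport, opened=t, last_seen=t)
            self.active[key] = s
        s.last_seen = t
        if reply:
            s.bytes_received += nbytes
        else:
            s.bytes_sent += nbytes
        if proto == "TCP" and fin:
            self._close(key, t, "Close - TCP FIN")  # assumed label for an explicit close

    def tick(self, t: int) -> None:
        """Periodic sweep: close any session idle longer than its protocol timeout."""
        for key, s in list(self.active.items()):
            if t - s.last_seen > self.timeouts[s.proto]:
                self._close(key, t, "Close - AGE OUT")  # the reason quoted in the thread

    def _close(self, key, t: int, reason: str) -> None:
        s = self.active.pop(key)
        s.duration = t - s.opened
        s.close_reason = reason
        self.closed.append(s)


def simulate_ntp_exchange() -> Session:
    """Client sends one NTP query, server replies 2 s later, sweep runs at t=70 (constructed)."""
    table = SessionTable()
    table.packet(0, "UDP", "10.1.1.10", "192.168.1.5", 123, 48)              # request
    table.packet(2, "UDP", "10.1.1.10", "192.168.1.5", 123, 48, reply=True)  # reply
    table.tick(61)  # only 59 s idle: still open
    table.tick(70)  # 68 s idle: aged out, exactly as the thread's log shows
    return table.closed[0]


def simulate_tcp_exchange() -> Session:
    """TCP session ended by FIN: the firewall learns the end explicitly (constructed)."""
    table = SessionTable()
    table.packet(0, "TCP", "10.1.1.10", "192.168.1.5", 443, 100)
    table.packet(5, "TCP", "10.1.1.10", "192.168.1.5", 443, 0, fin=True)
    table.tick(70)  # no effect; already closed on FIN
    return table.closed[0]


def parse_log_entry(text: str) -> Dict[str, object]:
    """Parse 'Key: Value' lines of the form quoted in the thread; numeric fields become ints."""
    entry: Dict[str, object] = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Duration":
            entry[key] = int(value.split()[0])      # "70 sec." -> 70
        elif key.startswith("Bytes"):
            entry[key] = int(value)
        else:
            entry[key] = value
    return entry


def triage(entry: Dict[str, object]) -> str:
    """Defender's read of an age-out: did the reply ever come back through the firewall?"""
    if entry.get("Close Reason") != "Close - AGE OUT":
        return "explicit close"
    if int(entry.get("Bytes Received", 0)) > 0:
        return "benign age-out: reply received, UDP session idled past timeout"
    return "age-out with no reply: verify the server listens on the port and the return path/policy"


# Constructed sample matching the fields and values quoted in the thread.
SAMPLE_LOG = """Service: NETWORK TIME
Duration: 70 sec.
Bytes Sent: 196
Bytes Received: 196
Close Reason: Close - AGE OUT
"""

if __name__ == "__main__":
    print(simulate_ntp_exchange())
    print(simulate_tcp_exchange())
    print(triage(parse_log_entry(SAMPLE_LOG)))
```

The point the model makes is the one in the thread: for UDP the firewall has nothing like a FIN to watch for, so every NTP session ends as an age-out, and the field worth checking is "Bytes Received". Equal sent and received counts, as in the quoted entry, mean the reply traversed the policy and the client synced; a zero there would point at the server or the return path rather than the timeout.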