NTP Server Configuration

The NTP server is located in the GUI at Services > NTP.

NTP Server Settings

The NTP server has the following options:


Select the interface(s) to use for NTP. The NTP daemon binds to all interfaces by default to receive replies properly. This may be minimized by selecting at least one interface to bind, but that interface will also be used to source the NTP queries sent out to remote servers, not only to serve clients. Deselecting all interfaces is the equivalent of selecting all interfaces.

Time Servers

A list of servers to query in order to keep the clock of this firewall synchronized. This list is initially pulled from the entries under System > General Setup. For best results, use at least three servers, but no more than five. Click Add to configure additional time servers.


When checked, this NTP server entry is favored by the NTP daemon over others.

No Select

When checked, this NTP server is not used for time synchronization, but only to display statistics.

Orphan Mode

Orphan mode uses the system clock when no other clocks are available. Without it, clients will not receive a response when other servers are unreachable. The value entered here is the stratum used for Orphan Mode, and is typically set high enough that live servers are preferred. The default value is 12.

NTP Graphs

Check to enable RRD graphs for NTP server statistics.


When logging options are active, NTP logs are written using syslog and may be found under Status > System Logs, on the NTP tab.

Log Peer Messages

When checked, NTP will log messages about peer events, information, and status.

Log System Messages

When checked, NTP will log messages about system events, information, and status.

Statistics Logging

Click Show Advanced to view these options. When enabled, NTP will create persistent daily log files in /var/log/ntp to keep statistics data. The format of the statistics records in the log files can be found in the ntp.conf man page.

Log reference clock statistics

When checked, NTP records clock driver statistics on each update.

Log clock discipline statistics

When checked, NTP records loop filter statistics on each update of the local clock.

Log NTP Peer Statistics

When checked, NTP records statistics for all peers of the NTP daemon, along with special signals.

Leap Seconds

Click Show Advanced to view these options. Defines the contents of the Leap Second file, used by NTP to announce upcoming leap seconds to clients. This is typically used only by stratum 1 servers. The exact format of the file may be found on the IETF leap second list.

Access Restrictions

Access restrictions (ACLs) are configured on the ACL tab under Services > NTP. These ACLs control how NTP interacts with clients.

Default Access Restrictions

Control behavior for all clients by default.


When set, NTP will send a KoD packet when an access violation occurs. Such packets are rate limited and no more than one per second will be sent.


When set, ntpq and ntpdc queries that attempt to change the configuration of the server are denied, but informational queries are returned.


When set, all queries from ntpq and ntpdc are denied.


Setting this will effectively disable the NTP status page, which relies on ntpq.


When set, NTP will deny all packets except queries from ntpq and ntpdc.

Peer Association

When set, NTP denies packets that would result in a new peer association, including broadcast and symmetric active packets for peers without an existing association.

Trap Service

When set, NTP will not provide mode 6 control message trap service, used for remote event logging.

Custom Access Restrictions

Defines the behavior for specific client addresses or subnets. Click Add to add a new network definition.


The subnet and mask to define the client controlled by the restrictions in this entry.


The option names are abbreviated versions of those in the default list, in the same order.
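The following added example (not part of the original documentation or the firewall's own code) parses the `restrict` lines of an ntp.conf-style file and reports which entries lack a chosen set of the restrictions described above. The flag names are the ntpd `restrict` keywords corresponding to the six options; the `BASELINE` set and the sample configuration are assumptions made for illustration.

```python
import ipaddress

# ntpd "restrict" keywords for the six options described above, in page order.
FLAGS = ("kod", "nomodify", "noquery", "noserve", "nopeer", "notrap")
# Assumed review baseline for this example; not a rule stated by the page.
BASELINE = ("nomodify", "nopeer", "notrap")

def parse_restrict(conf_text):
    """Return {target: set of flags} for each restrict line in ntp.conf text."""
    entries = {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else ""
        if not tok:
            continue
        target = tok.pop(0)
        if target == "default":
            target += family                     # keep IPv4/IPv6 defaults apart
        elif len(tok) >= 2 and tok[0] == "mask":
            try:                                 # dotted mask -> CIDR prefix
                target = str(ipaddress.ip_network(f"{target}/{tok[1]}", strict=False))
            except ValueError:                   # e.g. IPv6 mask; keep as written
                target = f"{target} mask {tok[1]}"
            tok = tok[2:]
        entries[target] = {t for t in tok if t in FLAGS}
    return entries

def audit(conf_text):
    """Return {target: [missing baseline flags]}; compliant entries are omitted."""
    findings = {}
    for target, flags in parse_restrict(conf_text).items():
        # noquery denies every ntpq/ntpdc query, so it also covers nomodify.
        effective = flags | ({"nomodify"} if "noquery" in flags else set())
        missing = [f for f in BASELINE if f not in effective]
        if missing:
            findings[target] = missing
    return findings

# Constructed sample, not taken from a real firewall.
SAMPLE = """\
restrict default kod nomodify nopeer notrap
restrict -6 default kod nomodify noquery nopeer notrap
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.5 noquery   # monitoring host
"""

if __name__ == "__main__":
    for target, missing in audit(SAMPLE).items():
        print(f"{target}: missing {', '.join(missing)}")
```

A custom entry replaces the default flags for the addresses it matches rather than adding to them, which is why each entry is checked on its own.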