It is hard to argue that logs are only as good as they are correct, and correct timestamps on those logs are crucial to that. An internal clock is prone to drifting over time; in my experience I have seen UTM appliances drift as much as 40 minutes in just one year! Even worse, you can never be sure of the drift distribution over time: it may be a small incremental drift every day, or a sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers and firewalls. If you have been in system administration for some time this is old news for you: just run the ntpd daemon against pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to the extreme and supplied only the outdated ntpdate utility for the task; there is no ntpd for us.
Not a big deal: I use the cron job below to run ntpdate every 30 minutes to update the firewall clock, and you had better do the same.
Cheers
30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > /dev/null 2>&1
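An added example, not from the original post: a small POSIX sh wrapper for the cron job above that queries the offset with `ntpdate -q` first, logs the measured offset so clock drift becomes visible in the firewall's own logs, and passes `-b` to step the clock only when the offset is large, which covers the large-delta caveat raised in the comments below. The 0.5 s threshold, the `ntpsync` syslog tag and the 192.0.2.10 sample server are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the ntpdate cron job.
# Queries the offset, records it for later drift review, and uses -b (step)
# only when the offset is large. Threshold and sample server are assumptions.
STEP_THRESHOLD="${STEP_THRESHOLD:-0.5}"   # seconds; above this, step instead of slew

# parse_offset: pull the first "offset N" value (seconds) out of `ntpdate -q` output.
parse_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# decide_action: "none" when no usable reply, "slew" for a small offset, "step" for a large one.
decide_action() {
    offset=$(parse_offset "$1")
    if [ -z "$offset" ]; then
        echo none
        return 0
    fi
    awk -v o="$offset" -v t="$STEP_THRESHOLD" 'BEGIN {
        a = (o < 0) ? -o : o          # absolute offset
        r = (a > t) ? "step" : "slew"
        print r
    }'
}

# sync_clock: query the server, log the measured offset, then apply the correction.
sync_clock() {
    server="$1"
    out=$(/usr/sbin/ntpdate -q "$server" 2>&1) || { logger -t ntpsync "query failed: $out"; return 1; }
    action=$(decide_action "$out")
    logger -t ntpsync "server=$server offset=$(parse_offset "$out") action=$action"
    case "$action" in
        step) /usr/sbin/ntpdate -b "$server" > /dev/null 2>&1 ;;
        slew) /usr/sbin/ntpdate "$server" > /dev/null 2>&1 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample replies in the format `ntpdate -q` prints (one line per server).
SAMPLE_SMALL='server 192.0.2.10, stratum 2, offset 0.012345, delay 0.02563'
SAMPLE_LARGE='server 192.0.2.10, stratum 2, offset -2400.187650, delay 0.02563'

# Run only when a server is given, e.g. from cron: 30 * * * * /path/ntpsync.sh 1.uk.pool.ntp.org
if [ $# -gt 0 ]; then
    sync_clock "$1"
fi
```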
Issuing the command: “ntp -n 30 1.uk.pool.ntp.org” should also have the same result, which is pretty much a wrapper to set up the cron job.
Yep, you are right, indeed ntp is a wrapper BASH script that sets environment variables and then fires up the same ntpdate. Probably it is a better way to do it; I just looked at these bash scripts and didn’t quite see any value, but maybe I am wrong and missed something.
Thanks anyway.
Yuri
Look out. ntpdate is broken if the delta is too big; it goes negative. You have to do a -b -f to force it to accept the delta.
Thanks, I haven’t yet seen firewall timing differ that much to cause the issue, but good to know.
Yuri