CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: about change CheckPoint firewall's time-setting

  1. #1
    Join Date
    2011-05-14
    Posts
    18
    Rep Power
    0

    about change CheckPoint firewall's time-setting

    Dear all CheckPoint experts,

    I have one CheckPoint UTM 576 firewall with software version R70.30
    I would like to sync the firewall's time with one NTP server at the secure platform.
    It is because the current time of that firewall is NOT correct.

    I heard that changing the CheckPoint firewall's time setting would require a reboot of the CheckPoint UTM firewall.
    Is it correct?

    Regards,
    Roc

  2. #2
    Join Date
    2007-06-04
    Posts
    3,313
    Rep Power
    17

    Re: about change CheckPoint firewall's time-setting

    I believe that the WebUI will generate you a message about restarting after changing the time.

    On SPLAT I always did this, however I was at the point where I was installing the gateway, so it wasn't in production.

    Personally I find GAIA NTP to be a better implementation, in terms of managing. Always had some slight niggle with SPLAT NTP.

    As a side note you really should be on a later release. R70 went End of Support last year and R71 went this year. Should be on R75 or later now.

    My personal experience with the UTM-1's and the later releases was that they were OK providing you didn't start enabling the newer function blades.

  3. #3
    Join Date
    2014-09-02
    Posts
    356
    Rep Power
    10

    Re: about change CheckPoint firewall's time-setting

    Quote Originally Posted by mcnallym:
    I believe that the WebUI will generate you a message about restarting after changing the time.

    On SPLAT I always did this, however I was at the point where I was installing the gateway, so it wasn't in production.

    Personally I find GAIA NTP to be a better implementation, in terms of managing. Always had some slight niggle with SPLAT NTP.

    As a side note you really should be on a later release. R70 went End of Support last year and R71 went this year. Should be on R75 or later now.

    My personal experience with the UTM-1's and the later releases was that they were OK providing you didn't start enabling the newer function blades.

    Agreed on all points.

    As for clock and rebooting, I would add that reboots are often "recommended" even when something less invasive (cpstop;cpstart) would likely be just as effective. The point is that there are a number of items, especially in the kernel, that are time sensitive. Things like connection timeouts, key expiration, etc. will get a little wonky if the time suddenly jumps ahead or back. Ultimately, maintaining connections is always going to be a concern, so you should plan on at least a stop and start, if not a reboot.

    My favorite "niggle" with NTP settings in SPLAT has always been with timezones. If set with sysconfig you choose TZ via geography; if done via WebUI it's just an offset from UTC, and neither supports DST.

    Strongly agree with the push to upgrade. As for performance, depending on what components/blades are in use, there are actually some performance enhancements. While the improvements are more significant with bigger/stronger hardware, unless the 576 is already overtaxed, don't let performance concerns scare you off.

    -E

  4. #4
    Join Date
    2014-09-04
    Location
    Johannesburg, South Africa
    Posts
    10
    Rep Power
    0

    Re: about change CheckPoint firewall's time-setting

    Personally, I never reboot a firewall after setting the time, unless the time change is large enough to affect the SIC certificates. I've done this hundreds of times with no problem. CP usually detects the clock change gracefully and will even add a log entry to state if it has assumed a clock change has taken place.

    For SPLAT, I prefer setting the time zone via sysconfig and not via the WebUI so that it's geographic instead of a GMT offset (I also find that little niggle annoying), and generally use the ntp command on the CLI to set the NTP server IP and polling interval. A simple "ntp -n <interval> <IP>" is all it takes to get basic NTP up and running.

    However, as pretty much every other poster has already stated, it's time to upgrade and move to Gaia.

    Matt

  5. #5
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Re: about change CheckPoint firewall's time-setting

    IIRC when we had the Daylight Savings Time change a few years back, one of the Check Point SE's tested SIC's tolerance and it was pretty long, so even shifting a few hours shouldn't be an issue. That said, IPSec is much less tolerant and a drift of a few minutes can be an issue. SecurID is not tolerant and last I remember it is +/- five minutes.

    So do you reboot? Nope, let everything resync and fix itself IMO.

  6. #6
    Join Date
    2014-09-04
    Location
    Johannesburg, South Africa
    Posts
    10
    Rep Power
    0

    Re: about change CheckPoint firewall's time-setting

    Quote Originally Posted by chillyjim:
    IIRC when we had the Daylight Savings Time change a few years back, one of the Check Point SE's tested SIC's tolerance and it was pretty long, so even shifting a few hours shouldn't be an issue. That said, IPSec is much less tolerant and a drift of a few minutes can be an issue. SecurID is not tolerant and last I remember it is +/- five minutes.

    So do you reboot? Nope, let everything resync and fix itself IMO.

    Yeah, SIC is usually affected if you've just installed the box and you set the date back to a time that pre-dates the beginning of the certificate. I have this issue in my classes sometimes when students get the date wrong on first installation.

    IPSEC - now that's an interesting one. My understanding (which may be wrong), is that IPSEC timing doesn't care so much about the actual date and time, but more about the amount of seconds that elapse from one re-key to another. So I don't think that changing the time makes a difference, but if the clock is running faster or slower, that will definitely have an impact as there's only a one or two minute grace period between re-key periods. That said, I haven't actually tested it.

    SecurID however is not an issue at all. The RSA SecurID server is extremely time-sensitive, but the agent that handles the authentication (the firewall) really doesn't care. The only time sync that needs to be 100% is the time on the token vs the time on the RSA authentication server.

  7. #7
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Re: about change CheckPoint firewall's time-setting

    Re IPSec: you are correct that the differential makes a difference. If that differential suddenly changes it can cause the connection to drop. The actual time is an issue with the certificates used for auth. In general they should be +/- 5 minutes, but a lot of vendors allow for much higher drift.

  8. #8
    Join Date
    2014-09-04
    Location
    Johannesburg, South Africa
    Posts
    10
    Rep Power
    0

    Re: about change CheckPoint firewall's time-setting

    Quote Originally Posted by chillyjim:
    Re IPSec: you are correct that the differential makes a difference. If that differential suddenly changes it can cause the connection to drop. The actual time is an issue with the certificates used for auth. In general they should be +/- 5 minutes, but a lot of vendors allow for much higher drift.

    Makes sense. Thanks
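The thread turns on two questions: how big the jump is that an NTP sync would apply (posts #1 and #4), and whether that jump is larger than the tolerances the later posters cite for IPsec certificate authentication, SecurID, and a SIC certificate whose start date lies after the new clock value (posts #5 to #7). The script below is an added example, not code from the thread or from Check Point: it parses a constructed NTPv4 server reply per RFC 5905, computes the client's offset and round-trip delay, decides whether a client would slew or step, and reports which assumed tolerances the step would exceed. The 128 ms slew/step boundary is ntpd's default, and the tolerance table is built from the posters' "+/- 5 minutes" claims; both are assumptions for the example, not measured Check Point behaviour.

```python
"""Offline worked example: offset/delay from one NTP exchange (RFC 5905),
slew-vs-step decision, and a check against time-sensitive components.

Added example for the CPUG thread; not code from the thread or Check Point.
The server reply is constructed in-line. STEP_THRESHOLD_S (ntpd's default)
and TOLERANCES_S (the thread's "+/- 5 minutes" claims) are assumptions.
"""
import struct

NTP_UNIX_DELTA = 2208988800    # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
STEP_THRESHOLD_S = 0.128       # assumption: ntpd default; slew below, step above
# Assumed tolerances taken from the thread's claims, in seconds.
TOLERANCES_S = {"ipsec_cert_auth": 300.0, "securid_server": 300.0}

# 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit stamps.
PACKET_FMT = "!BBBbII4sQQQQ"


def to_ntp(unix_time: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | (frac & 0xFFFFFFFF)


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed, unauthenticated server reply (LI=0, VN=4, mode=4).

    t1 = client transmit (echoed as origin), t2 = server receive,
    t3 = server transmit. Reference ID 'GPS' marks a stratum-1 style source.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, b"GPS\x00",
                       to_ntp(t2 - 64.0),           # reference: last server sync
                       to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_reply(packet: bytes, t4: float) -> dict:
    """Return clock offset and round-trip delay for one client/server exchange.

    t4 is the client's receive time. offset = ((t2-t1) + (t3-t4)) / 2 and
    delay = (t4-t1) - (t3-t2), the RFC 5905 on-wire formulas.
    """
    if len(packet) != 48:
        raise ValueError("unexpected NTP packet length %d" % len(packet))
    fields = struct.unpack(PACKET_FMT, packet)
    li_vn_mode, stratum, ref_id = fields[0], fields[1], fields[6]
    t1, t2, t3 = (from_ntp(fields[i]) for i in (8, 9, 10))
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (li_vn_mode & 0x07))
    if stratum == 0:
        # Kiss-o'-Death: the server declines; never adjust the clock on it.
        raise ValueError("kiss-o'-death from server: %r" % ref_id)
    return {"offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}


def plan_time_change(offset: float, now: float, sic_cert_not_before: float) -> dict:
    """Slew or step, which assumed tolerances the jump exceeds, and whether
    the corrected clock would predate the SIC certificate's validity start
    (the failure post #6 describes on freshly installed boxes)."""
    jump = abs(offset)
    return {
        "action": "slew" if jump < STEP_THRESHOLD_S else "step",
        "exceeds": sorted(n for n, tol in TOLERANCES_S.items() if jump > tol),
        "predates_sic_cert": (now + offset) < sic_cert_not_before,
    }


if __name__ == "__main__":
    # Constructed exchange: the firewall clock is about 300 s behind the server.
    t1, t4 = 1700000000.0, 1700000000.2
    reply = build_server_reply(t1, 1700000300.25, 1700000300.35)
    result = parse_reply(reply, t4)
    print(result)
    print(plan_time_change(result["offset"], t4, sic_cert_not_before=1699990000.0))
```

Run as-is it reports a 300.2 s offset with 0.1 s delay, so a client would step rather than slew, and the jump sits just outside the 5-minute figures quoted in the thread; a 55 ms offset would be slewed and trip nothing. The stratum-0 check matters in practice: a kiss-o'-death reply carries no usable time, and a client that adjusted the clock on one would be doing exactly the kind of uncontrolled jump the posters warn about.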
