CPUG: The Check Point User Group


Thread: Checkpoint 13500 appliances and NTP servers

  1. #1
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Checkpoint 13500 appliances and NTP servers

    Good morning,

    I have to point the NTP client at two different NTP server IP addresses. I've made the change in GAIA, restarted the NTP service with "set ntp active off/on" and also with "service ntpd restart", but when I do "ntpq -n" and "lpeers", I am still seeing the old NTP server IP addresses. What's strange is that I only see this issue with the Checkpoint 13500 appliance and nowhere else.

    gw004> show configuration ntp
    set ntp active on
    set ntp server primary 4.2.2.2 version 4
    set ntp server secondary 8.8.8.8 version 4
    gw004> quit

    [Expert@gw004:0]# ntpq -n
    ntpq> lpeers
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    *192.168.1.1 169.254.169.123 4 u 50 512 377 2.524 -1.662 0.005
    +192.168.1.2 169.254.169.123 4 u 98 512 377 16.077 -1.642 0.089
    ntpq> quit

    Thoughts?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Checkpoint 13500 appliances and NTP servers

    You may want to check to see if the immutable flag has been set on /etc/ntp.conf by using the command lsattr /etc/ntp.conf.
    If the immutable flag is set, then GAiA will not be able to update the file when you change the configuration in clish/webui.
    (Note: this "trick" is useful when you want to use options not supported through clish/webui).
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Checkpoint 13500 appliances and NTP servers

    Quote Originally Posted by PhoneBoy View Post
    You may want to check to see if the immutable flag has been set on /etc/ntp.conf by using the command lsattr /etc/ntp.conf.
    If the immutable flag is set, then GAiA will not be able to update the file when you change the configuration in clish/webui
    (Note: this "trick" is useful when you want to use options not supported through clish/webui).
    [Expert@OpenSrvgw1:0]# lsattr /etc/ntp.conf
    ------------- /etc/ntp.conf
    [Expert@OpenSrvgw1:0]#

    [Expert@CP13500gw1:0]# lsattr /etc/ntp.conf
    ------i------ /etc/ntp.conf
    [Expert@CP13500gw1:0]#


    Why is there a difference between the Checkpoint appliance and open servers? On the appliances, I tried the
    following and it does not work either:

    In Expert mode:
    chattr -i /etc/ntp.conf
    lsattr /etc/ntp.conf

    in clish mode:
    set ntp active off
    set ntp active on

    When I run "ntpq -n" it is showing the old NTP servers even though I have the new NTP servers in the
    configuration.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    308
    Rep Power
    13

    Default Re: Checkpoint 13500 appliances and NTP servers

    The immutable flag isn't expected to be set on any system. Here's some output from a 13800 I have:

    Code:
    [Expert@MyFW1 Standby]# fw ver
    This is Check Point's software version R77.30 - Build 503
    [Expert@MyFW1 Standby]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator take_63 is installed, see sk106162.
    [Expert@MyFW1 Standby]# lsattr /etc/ntp.conf
    ------------- /etc/ntp.conf
    The /etc/ntp.conf file is the actual ntpd configuration. The NTP lines in clish are just used to generate this file. Since the file is flagged immutable, clish can't update it when you make changes in clish.

    To fix this, you probably need to boot into single-user mode. On normal systems, this involves using the root password locally on the box (single-user mode does not bring up any network interfaces). I think Check Point uses the expert password for this, but I'm not sure.

    As for how the system got into this state, no idea. I wonder what other files on your system are set immutable. I would check using this command (it will take quite a while to run):

    Code:
    lsattr -Ra / 2>/dev/null | egrep "^[-a-zA-Z]+i"
    Last edited by Bob_Zimmerman; 2018-05-01 at 12:40. Reason: Just noticed my browser "helpfully" corrected the lowercase I to an uppercase I in the command at the end.
    Zimmie
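    One way to script the two checks raised in this reply, spotting the immutable flag in lsattr output and confirming that the servers in the generated /etc/ntp.conf are the ones set in clish, as an added example that is not from the thread or from Check Point. The lsattr and ntp.conf text it runs over is constructed sample data so it works offline; on a gateway you would feed it real output instead (the function names are the example's own).

```shell
#!/bin/sh
# Added example: parse lsattr output for the immutable flag and compare the
# servers in a GAiA-generated ntp.conf with the ones expected from clish.

# Constructed sample of "lsattr -Ra /" output: flag field, a space, the path.
# The lowercase "i" is the immutable flag; uppercase "I" (indexed directory)
# is a different attribute, which is why the case in the egrep pattern matters.
SAMPLE_LSATTR='------------- /etc/hosts
------i------ /etc/ntp.conf
------------- /etc/resolv.conf
----i-------- /etc/ntp.conf.orig'

# Constructed sample of the ntp.conf that clish generates from "set ntp server".
SAMPLE_NTP_CONF='driftfile /var/lib/ntp/drift
server 192.168.1.1 version 4
server 192.168.1.2 version 4
restrict default kod nomodify notrap nopeer noquery'

# Print every path whose lsattr flag field (field 1) contains the immutable "i".
# $1: lsattr output text.
immutable_paths() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

# Print the server addresses configured in an ntp.conf, sorted one per line.
# $1: ntp.conf text.
ntp_conf_servers() {
    printf '%s\n' "$1" | awk '$1 == "server" { print $2 }' | sort
}

# Return 0 when the ntp.conf servers equal the expected set, 1 when ntpd is
# running on a stale configuration (the symptom described in the thread).
# $1: ntp.conf text; $2: expected servers, space-separated, as set in clish.
ntp_conf_matches() {
    actual=$(ntp_conf_servers "$1")
    expected=$(printf '%s\n' "$2" | tr ' ' '\n' | sort)
    [ "$actual" = "$expected" ]
}

# Stand-alone run over the constructed samples.
echo "Immutable files:"
immutable_paths "$SAMPLE_LSATTR"
if ntp_conf_matches "$SAMPLE_NTP_CONF" "4.2.2.2 8.8.8.8"; then
    echo "ntp.conf matches clish"
else
    echo "ntp.conf is stale: ntpd will keep using the old servers"
fi
```

On a real box the same functions take live input, for example `immutable_paths "$(lsattr -Ra / 2>/dev/null)"` and `ntp_conf_matches "$(cat /etc/ntp.conf)" "4.2.2.2 8.8.8.8"`; a stale result after `set ntp active off/on` is the signal to look at the file's attributes rather than at ntpd. Running the comparison as a periodic check is also a cheap way to catch a gateway whose clock source silently diverged from what was configured, since log timestamps and certificate validation depend on it.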

  5. #5
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Default Re: Checkpoint 13500 appliances and NTP servers

    Quote Originally Posted by Bob_Zimmerman View Post
    The immutable flag isn't expected to be set on any system. Here's some output from a 13800 I have:

    Code:
    [Expert@MyFW1 Standby]# fw ver
    This is Check Point's software version R77.30 - Build 503
    [Expert@MyFW1 Standby]# installed_jumbo_take
    R77.30 Jumbo Hotfix Accumulator take_63 is installed, see sk106162.
    [Expert@MyFW1 Standby]# lsattr /etc/ntp.conf
    ------------- /etc/ntp.conf
    The /etc/ntp.conf file is the actual ntpd configuration. The NTP lines in clish are just used to generate this file. Since the file is flagged immutable, clish can't update it when you make changes in clish.

    To fix this, you probably need to boot into single-user mode. On normal systems, this involves using the root password locally on the box (single-user mode does not bring up any network interfaces). I think Check Point uses the expert password for this, but I'm not sure.

    As for how the system got into this state, no idea. I wonder what other files on your system are set immutable. I would check using this command (it will take quite a while to run):

    Code:
    lsattr -Ra / 2>/dev/null | egrep "^[-a-zA-Z]+I"
    Now I remember why the 13500 has this problem. It was an upgrade from R75.47 to R77.30. Everything else was a "fresh" install.

    Should not have drunk the Checkpoint Kool Aid....

    Thank you, Zimmie.
