topic Re: NTP Keep Alive - Moving from 1200R to 1595R in Spark Firewall (SMB)

NTP Keep Alive - Moving from 1200R to 1595R

VikingsFan — Fri, 23 May 2025 11:08:41 GMT

We're migrating from 1200R gateways to 1595R gateways and have syslog configured to send system logs back to our SIEM. With the 1200R gateways, we would get a system message about once every hour or so with a message like this:

"05 23 2025 07:00:45 10.X.X.X <SYSD:NOTE> 2025 May 23 07:00:45 1200R-FW daemon.notice ntpdate[23250]: adjust time server 192.X.X.X offset 0.017780 sec"

We have alerts on the SIEM that trigger if the log source stops sending and it was working fine with the 1200R and we would set the alarm to trigger after 1-2 hours. With the 1595R gateways, the NTP daemon seems to operate differently and we're not getting any system level syslog events to help the SIEM understand if the log source is alive or not.

Is there a way to force NTP to work similar to the 1200R was and trigger a system log and/or is there another method that could be set to just trigger any system level event every X minutes?

Re: NTP Keep Alive - Moving from 1200R to 1595R

PhoneBoy — Tue, 27 May 2025 16:03:34 GMT

There are some differences in the underlying Linux between the 1200R and the 1500.
While I don't have a 1200R handy, the 1490 runs similar firmware.
The Linux kernel version is definitely different, which I assume means there may be some different versions of userspace processes like ntpd.

In any case, I suspect what you'll want to use is run the tool "logger" which you can use to craft an arbitrary syslog message.
I assume this will also be forwarded to the SIEM.

Re: NTP Keep Alive - Moving from 1200R to 1595R

VikingsFan — Tue, 27 May 2025 17:41:14 GMT

That got me pointed in the right direction. Had to figure out the right formatted text that the system log would pickup but once I got that, the logs show up in the Systems view in the Web GUI and also get forwarded to the SIEM.

Question: If I want these triggered on an hourly basis, is editing the crontab file allowed by Check Point? Would it get overwritten during version upgrades?

If anyone else comes across this post, this is the line I'm adding to the crontab file, which triggers a system event every hour:

0 * * * * /usr/bin/logger -p user.info '[AUDIT] This is a keep alive message'

Re: NTP Keep Alive - Moving from 1200R to 1595R

PhoneBoy — Tue, 27 May 2025 22:20:17 GMT

Considering we have an SK that mentions modifying crontab as a workaround to an unrelated issue, I'd say yes: https://support.checkpoint.com/results/sk/sk166361

Re: NTP Keep Alive - Moving from 1200R to 1595R

G_W_Albrecht — Wed, 28 May 2025 08:56:50 GMT

sk166361 is not accessible ! See https://community.checkpoint.com/t5/SMB-Gateways-Spark/R77-20-80-cpdiag-and-crond/td-p/39788 for my post about this...

Re: NTP Keep Alive - Moving from 1200R to 1595R

VikingsFan — Wed, 28 May 2025 10:14:00 GMT

Thank you both. Reviewing GW's post, if Hristo's last comment is accurate then my cron changes get reset after every firmware upgrade. Luckily the SMB firmware is pretty static but something I'll just have to be aware of. So far it's working great on my test firewall and bringing in my test message every X minutes.

"Just to mention that cron daemon is for internal use only (no support from TAC for it). Whatever you add there will be reset one the next firmware upgrade so keep a copy of it somewhere."

Re: NTP Keep Alive - Moving from 1200R to 1595R

PhoneBoy — Wed, 28 May 2025 16:10:13 GMT

Yeah, I missed the part where it was an internal SK.

Re: NTP Keep Alive - Moving from 1200R to 1595R

PhoneBoy — Wed, 28 May 2025 16:11:33 GMT

We don't have a UI for adding cron entries (in cliish/WebUI).
As such, I assume changes to crontab would, in fact, need to be re-applied after a firmware update.

Re: NTP Keep Alive - Moving from 1200R to 1595R

VikingsFan — Wed, 28 May 2025 16:12:52 GMT

10-4. I have it scripted out so I should be able to push it out via a one liner via the mgmt server if we ever need to. Thanks again!