Good question, always wondered about that. Poking around in the documentation, older code versions seem to indicate that the clock must be matched within one second for proper functionality which is clearly not correct; this statement has been softened in later versions. I have personally seen operational cluster members that were several hours off from each other and it didn't seem to have an adverse effect.
Here is a sampling of what the documentation says:
R76 Multi-Domain Admin Guide:
Multi-Domain Server (including dedicated Multi-Domain Log Servers) system clocks must be synchronized to the nearest second. When adding another Multi-Domain Server to your deployment, synchronize its clock with the other Multi-Domain Server before installing the Multi-Domain Security Management package.
R77 ClusterXL Guide:
For VPN cluster members, synchronize member clocks accurately to within one second of each other. If these members are constantly up and running it is usually enough to set the time once. More reliable synchronization can be achieved using NTP or some other time synchronization services supplied by the operating system. Cluster member clock synchronization is not applicable for non VPN cluster functionality.
R81.20 ClusterXL Guide:
Features, such as VPN, only function properly when the clocks of all of the Cluster Members are synchronized.
SIC failures can occur if the firewall and management module clocks are not correctly synchronized. The clocks do not have to match exactly, but they should match within a few minutes. Both your management module and firewall module should synchronize to an external time source via NTP.
Quantum Spark R80.20.40 CLI Reference:
set vpn site-to-site advanced-settings period-before-crl-valid <threshold>
Configures the time (in seconds), during which a certificate is considered valid prior to the time set by the Certificate Authority. This is to allow a wider window for CRL validity in case of mismatch in clock on the VPN sites.
Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com