VikingsFan
Advisor

NTP Keep Alive - Moving from 1200R to 1595R

We're migrating from 1200R gateways to 1595R gateways and have syslog configured to send system logs back to our SIEM.  With the 1200R gateways, we would get a system message about once every hour or so with a message like this:

"05 23 2025 07:00:45 10.X.X.X <SYSD:NOTE> 2025 May 23 07:00:45 1200R-FW daemon.notice ntpdate[23250]: adjust time server 192.X.X.X offset 0.017780 sec"

We have alerts on the SIEM that trigger if the log source stops sending and it was working fine with the 1200R and we would set the alarm to trigger after 1-2 hours.  With the 1595R gateways, the NTP daemon seems to operate differently and we're not getting any system level syslog events to help the SIEM understand if the log source is alive or not.

Is there a way to force NTP to work similarly to how the 1200R did and trigger a system log, and/or is there another method that could be set to just trigger any system level event every X minutes?

8 Replies
PhoneBoy
Admin

There are some differences in the underlying Linux between the 1200R and the 1500.
While I don't have a 1200R handy, the 1490 runs similar firmware.
The Linux kernel version is definitely different, which I assume means there may be some different versions of userspace processes like ntpd.

In any case, I suspect what you'll want to do is run the tool "logger", which you can use to craft an arbitrary syslog message.
I assume this will also be forwarded to the SIEM.

VikingsFan
Advisor

That got me pointed in the right direction. Had to figure out the right formatted text that the system log would pick up, but once I got that, the logs show up in the Systems view in the Web GUI and also get forwarded to the SIEM.

Question: If I want these triggered on an hourly basis, is editing the crontab file allowed by Check Point?  Would it get overwritten during version upgrades?

If anyone else comes across this post, this is the line I'm adding to the crontab file, which triggers a system event every hour:

0 * * * * /usr/bin/logger -p user.info '[AUDIT] This is a keep alive message'

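As an added example (not code from the thread or from Check Point), this is the SIEM-side half of what the keep-alive cron job is for: parse lines in the format shown in the question, track the newest event per source address, and list the sources that have been silent longer than the 1-2 hour alarm window. The sample lines, the addresses and the `user.info root:` payload form of the logger message are constructed assumptions, not captured output.

```python
"""Flag syslog sources that have stopped sending (SIEM log-source liveness check)."""
from datetime import datetime, timedelta
import re

# SIEM-side receive timestamp and originating address, as in the 1200R line
# quoted in the question. Everything after the address is the gateway's payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<payload>.*)$"
)

def parse_line(line):
    """Return (timestamp, source, payload) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m %d %Y %H:%M:%S")
    return ts, m.group("src"), m.group("payload")

def last_seen_by_source(lines):
    """Return {source: newest timestamp} over all parseable lines."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _ = parsed
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen

def silent_sources(lines, now, max_gap=timedelta(hours=2)):
    """Sources whose newest event is older than max_gap at time `now`, sorted."""
    return sorted(src for src, ts in last_seen_by_source(lines).items()
                  if now - ts > max_gap)

# Constructed sample (assumed format): one 1200R ntpdate line, two hourly
# keep-alive lines from the cron job in the thread, and one gateway that went quiet.
SAMPLE_LOGS = [
    "05 23 2025 07:00:45 10.0.0.1 <SYSD:NOTE> 2025 May 23 07:00:45 1200R-FW "
    "daemon.notice ntpdate[23250]: adjust time server 192.0.2.10 offset 0.017780 sec",
    "05 23 2025 08:00:01 10.0.0.2 <SYSD:NOTE> 2025 May 23 08:00:01 1595R-FW "
    "user.info root: [AUDIT] This is a keep alive message",
    "05 23 2025 09:00:01 10.0.0.2 <SYSD:NOTE> 2025 May 23 09:00:01 1595R-FW "
    "user.info root: [AUDIT] This is a keep alive message",
    "05 23 2025 05:30:00 10.0.0.3 <SYSD:NOTE> 2025 May 23 05:30:00 1595R-FW2 "
    "user.info root: [AUDIT] This is a keep alive message",
]

def check_sample():
    """Evaluate the constructed sample as of 09:30 on the same day."""
    return silent_sources(SAMPLE_LOGS, datetime(2025, 5, 23, 9, 30, 0))

if __name__ == "__main__":
    print(check_sample())  # ['10.0.0.1', '10.0.0.3']
```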
PhoneBoy
Admin

Considering we have an SK that mentions modifying crontab as a workaround to an unrelated issue, I'd say yes: https://support.checkpoint.com/results/sk/sk166361 

G_W_Albrecht
Legend

sk166361 is not accessible! See https://community.checkpoint.com/t5/SMB-Gateways-Spark/R77-20-80-cpdiag-and-crond/td-p/39788 for my post about this...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

Yeah, I missed the part where it was an internal SK.

VikingsFan
Advisor

Thank you both.  Reviewing GW's post, if Hristo's last comment is accurate then my cron changes get reset after every firmware upgrade.  Luckily the SMB firmware is pretty static but something I'll just have to be aware of.  So far it's working great on my test firewall and bringing in my test message every X minutes.

"Just to mention that cron daemon is for internal use only (no support from TAC for it). Whatever you add there will be reset on the next firmware upgrade so keep a copy of it somewhere."

PhoneBoy
Admin

We don't have a UI for adding cron entries (in cliish/WebUI).
As such, I assume changes to crontab would, in fact, need to be re-applied after a firmware update.

VikingsFan
Advisor

10-4.  I have it scripted out so I should be able to push it out via a one liner via the mgmt server if we ever need to.  Thanks again!

