Nischit_Aryal
Participant

Configure Checkpoint as NTP server

Hi,

Can I configure Check Point as an NTP server to act as the primary time source for the network? I only found an option to sync time from an external NTP server to Check Point. My Check Point is running R80.10.

1 Solution

Accepted Solutions
Chris_Atkinson
Employee

Hello,

Unfortunately this isn't a supported practice; please refer to sk32027.

Thanks,

Chris

CCSM R77/R80/ELITE


15 Replies
n3ts3c_auto
Participant

As usual that is just another thing that was not carried over from IPSO. Additionally, there was a workaround at one point and now there is not. Why ..... Who knows what this company does and for what reason any longer. To me (someone doing NetSecEng for over 20 years), what better device to use as the Stratum 1 NTP servers than the most protected device on the network at the Internet edge. Then have your Stratum 2 servers get their updates from your Stratum 1's. However I don't understand why Check Point does not see it that way.

0 Kudos
_Val_
Admin

I think it is a bit late to complain about IPSO features, don't you think? 🙂

Anyhow, if you need this feature, please open an RFE

0 Kudos
n3ts3c_auto
Participant

No, it will never be too late to complain about IPSO features that were not carried over ..... Check Point should be reminded over and over again because IPSO was the diamond standard OS that Check Point should have completely converted into GAIA and did not because someone at Check Point did not see the value in those features. The users that immersed themselves into the IPSO OS saw the value in nearly every feature in use within SMBs all the way up to major deployments in major corporations. In some cases, having features such as these meant less equipment to build and maintain.

And please tell me more about wasting my time requesting an RFE. That has been the answer since Check Point merged SPlat and IPSO. I don't bother any longer as Check Point just ignores them anyway and I'm tired of beating my head against a wall.

RFEs submitted multiple times and ignored:

- DHCP reservations

- NTP Server

0 Kudos
Chris_Atkinson
Employee

Appreciate your passion.

DHCP reservations are possible on SMB appliances (via GUI) and GAiA (sk92473), sure the latter implementation could be cleaner.

CCSM R77/R80/ELITE
0 Kudos
n3ts3c_auto
Participant

Cleaner? In IPSO it was clean ..... All handled right in the WEBUI ..... No vi editing ..... No start stop commands. That was the point.

0 Kudos
Bob_Zimmerman
Authority

Unless you're attaching GPS receivers and oven-controlled clocks to your firewalls, they'll never be stratum 1. I personally just throw an EndRun box at the problem. They're cheap, small, low-power, real stratum 1, and they have lifetime support included.

That said, I get what you mean about wanting some of the IPSO features which GAiA lacks. Just think. If GAiA had been based on IPSO instead of SecurePlatform, we could have ZFS, jails, and DTrace now! 😉

Ambar
Employee

Hi, indeed not all IPSO features made it across to Gaia. We see the main GW role in security, hence minor networking things that can be easily achieved with many other standard tools may have been left behind. We did perform a thorough analysis of all before making a decision.

Also, NTP server is not a common RFE request, therefore it’s not in our roadmap.

0 Kudos
n3ts3c_auto
Participant

Actually I have been working with Check Point products for over 20 years and I remember talking to the NYC account engineers that told us nearly all of the IPSO features were going to be ported over to Gaia. What we got was very far from that. Then they said "we will be adding more" as time goes on and only a few more made it over. So please don't tell me you performed a thorough analysis because you only talked to your largest customers and the SMBs were left out of the discussion. We who have been doing this for this long know what exactly happened and it has not been forgotten.

 

0 Kudos
n3ts3c_auto
Participant

Missed the point ..... No extra equipment to purchase and maintain in an SMB. Built right into the FW, at least Stratum 2 or 3 when using NIST NTP servers, and secure as hell if you used the NTP protocol inspection objects.

NTP from the AD server just does not give me the warm fuzzies and Microsoft has that laundry list of built in NTP servers that is a PITA to modify.

Not sure on the ZFS, jails and DTrace.

0 Kudos
Shira
Participant

By any chance, is it supported now?

Version R81.20

Regards

0 Kudos
TJ_Aus
Contributor

It is supported on the SMBs on R81.10.15 according to this:  sk178604 - Check Point R81.10.X for 1500, 1600, 1800, 1900, and 2000 appliance Known Limitations

 

Supported and Unsupported Features

Note - All features available on a Locally Managed appliance are also available in the Spark Management App on the Infinity Portal (replacement for the old SMP portal).

| Blade / Feature | Locally Managed | Centrally Managed | Comments |
|---|---|---|---|
| OS | | | |
| NTP Client | Yes | Yes | |
| NTP Server | Yes | Yes | |

0 Kudos
Shira
Participant

Hi,

Thanks for the response.

I was looking for a document specific to the Quantum firewall. We are using the 6200 model.

WR

0 Kudos
Chris_Atkinson
Employee

sk83820 states:

Important Note: You can configure Gaia OS only as an NTP Client.

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin

It might be possible to use the procedure in sk83820 to configure as an NTP server using the appropriate directives in ntp.conf.
Whether it works is a separate question, but it is definitely not supported.

0 Kudos
