This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Grigoriy
Contributor
Sunday
Jump to solution

FW Hardware Datetime instead of NTP-settings

Good Day, Dear Checkpmates!

We had an issue with our NTP-servers (IT department is still resolving it) - as a result FWs syncronised to 2006 year and stopped to sync in the cluster correctly (in the SMS the clusters were red).

I've changed datetime settings to 'Manual' and gave the correct datetime - the problem has been resolved.

So a question came to my mind - is it technically possible to use FW Hardware Datetime instead of NTP-settings or system datetime and if yes what should I change?

What are the caveats and "hidden rocks" of such  approach?

 

Thank you in advance!

0 Kudos
2 Solutions

Accepted Solutions
emmap
Employee
Employee
Monday
Jump to solution

I believe the system will take its time from the BIOS clock at bootup, and then sync what it has to BIOS on shutdown. So by turning off any NTP syncing you have already achieved this as much as it can be done.

View solution in original post

0 Kudos
the_rock
Legend
Legend
Monday
Jump to solution

For what is worth, AI pretty much says what @emmap advised.

Andy

 

************************

 

1. Where the firewall gets its time

  • Hardware clock (RTC / BIOS clock):
    This is a low-level clock on the appliance. It starts ticking as soon as you power on, but it is not precise and tends to drift over time.
    On boot, Gaia copies the hardware time into the system clock.

  • System clock (software clock):
    This is what the OS (and all processes, including clustering, VPN, logs, etc.) actually uses during runtime.
    You can set it manually (set timezone, set date, set time) or let it sync to NTP.

  • NTP:
    This is the recommended way to continuously discipline the system clock against a reliable source.

2. Can you rely on the hardware clock instead of NTP?

Technically: No, not in a reliable way.

  • After boot, the system does not continuously sync to the hardware clock.

  • The hardware clock drifts significantly compared to NTP sources (minutes or even hours per month).

  • Time drift will break:

    • Cluster synchronization (CPHA/CCP timestamps)

    • VPN tunnels (IKE relies on time windows)

    • Log correlation in SmartConsole/SMS

    • Certificates validity

    • Forensics/auditing

So the hardware clock is only a bootstrap fallback, not a long-term alternative.

3. What you could do if NTP is not available

  • Short-term workaround: Set the time manually on all cluster members + SMS (like you did). Make sure they are very close (within a second or two).

  • Medium-term: Use an internal stratum-1/stratum-2 NTP server in your infra, even if isolated from the internet. Many orgs run an internal NTP server that syncs to GPS or an upstream source.

  • Last-resort hack: You could schedule a cron job to periodically sync the system clock to the hardware clock (hwclock --hctosys), but this is not supported and won’t solve drift — you’d just be reinforcing a drifting clock.

View solution in original post

(1)
11 Replies
emmap
Employee
Employee
Monday
Jump to solution

I believe the system will take its time from the BIOS clock at bootup, and then sync what it has to BIOS on shutdown. So by turning off any NTP syncing you have already achieved this as much as it can be done.

0 Kudos
Grigoriy
Contributor
Monday
In response to emmap
Jump to solution

Do you mean that even when I choose 'Set Time and Date Manually' (as on the screenshot below) the appliance will take time from system/BIOS?

cp1.JPG

0 Kudos
emmap
Employee
Employee
Monday
In response to Grigoriy
Jump to solution

It has to get it from somewhere when it boots up. My understanding is that any OS gets the time from BIOS on bootup, then keeps it going either itself or regularly checks it via NTP. On shutdown the OS then updates the BIOS clock.

0 Kudos
Bob_Zimmerman
Authority
Authority
Monday
In response to emmap
Jump to solution

It depends. Some syscalls reference the RTC directly, others reference one of a number of software clocks the system maintains. Most commands will use the kernel's main software clock, as the system RTC is generally less accurate.

And speaking of accuracy, most servers which don't discipline their software clocks against NTP gain or lose as much as a minute per day. I have several mechanical watches with less drift. Servers' clocks are really, really bad, and NTP papers over the problem. Rather than not using NTP, you should use multiple NTP servers with known behavior when handling large offsets. NTP servers from reputable sources should not be able to hand out a time that far off of real TAI. If they have significant clock disagreements, they should go to stratum 16 and make an admin fix the problem.

Grigoriy
Contributor
yesterday
In response to emmap
Jump to solution

Hello,

Let's suppose that Checkpoint FW synchronizes from NTP stratum 1-4 - everything is ok and works like charm.

But at some moment of time NTP changes it's stratum to 16 - What would happen with FW in this case? Would it change it's synchronization to system time?

0 Kudos
Bob_Zimmerman
Authority
Authority
yesterday
In response to Grigoriy
Jump to solution

NTP clients will not synchronize to a server at stratum 16. The firewall will run on its local clock, not synchronized to anything. If all NTP servers report stratum 16, it's effectively the same as not having any configured NTP servers.

0 Kudos
the_rock
Legend
Legend
Monday
Jump to solution

For what is worth, AI pretty much says what @emmap advised.

Andy

 

************************

 

1. Where the firewall gets its time

  • Hardware clock (RTC / BIOS clock):
    This is a low-level clock on the appliance. It starts ticking as soon as you power on, but it is not precise and tends to drift over time.
    On boot, Gaia copies the hardware time into the system clock.

  • System clock (software clock):
    This is what the OS (and all processes, including clustering, VPN, logs, etc.) actually uses during runtime.
    You can set it manually (set timezone, set date, set time) or let it sync to NTP.

  • NTP:
    This is the recommended way to continuously discipline the system clock against a reliable source.

2. Can you rely on the hardware clock instead of NTP?

Technically: No, not in a reliable way.

  • After boot, the system does not continuously sync to the hardware clock.

  • The hardware clock drifts significantly compared to NTP sources (minutes or even hours per month).

  • Time drift will break:

    • Cluster synchronization (CPHA/CCP timestamps)

    • VPN tunnels (IKE relies on time windows)

    • Log correlation in SmartConsole/SMS

    • Certificates validity

    • Forensics/auditing

So the hardware clock is only a bootstrap fallback, not a long-term alternative.

3. What you could do if NTP is not available

  • Short-term workaround: Set the time manually on all cluster members + SMS (like you did). Make sure they are very close (within a second or two).

  • Medium-term: Use an internal stratum-1/stratum-2 NTP server in your infra, even if isolated from the internet. Many orgs run an internal NTP server that syncs to GPS or an upstream source.

  • Last-resort hack: You could schedule a cron job to periodically sync the system clock to the hardware clock (hwclock --hctosys), but this is not supported and won’t solve drift — you’d just be reinforcing a drifting clock.

(1)
Grigoriy
Contributor
Monday
In response to the_rock
Jump to solution

Thank you for the detailed explanation.

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Grigoriy
Jump to solution

Well, its nothing really, I just copied what AI showed, haha.

Andy

0 Kudos
Grigoriy
Contributor
yesterday
In response to the_rock
Jump to solution

Checkpoint AI?)

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Grigoriy
Jump to solution

Chatgpt lol

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events