We're migrating from 1200R gateways to 1595R gateways and have syslog configured to send system logs back to our SIEM. With the 1200R gateways, we would get a system message about once every hour or so with a message like this:
"05 23 2025 07:00:45 10.X.X.X <SYSD:NOTE> 2025 May 23 07:00:45 1200R-FW daemon.notice ntpdate[23250]: adjust time server 192.X.X.X offset 0.017780 sec"
We have alerts on the SIEM that trigger if the log source stops sending. This was working fine with the 1200R, and we would set the alarm to trigger after 1-2 hours. With the 1595R gateways, the NTP daemon seems to operate differently and we're not getting any system-level syslog events to help the SIEM understand whether the log source is alive or not.
Is there a way to force NTP to work similarly to the way the 1200R did and trigger a system log, and/or is there another method that could be set up to just trigger any system-level event every X minutes?
There are some differences in the underlying Linux between the 1200R and the 1500.
While I don't have a 1200R handy, the 1490 runs similar firmware.
The Linux kernel version is definitely different, which I assume means there may be some different versions of userspace processes like ntpd.
In any case, I suspect what you'll want to do is run the tool "logger", which you can use to craft an arbitrary syslog message.
I assume this will also be forwarded to the SIEM.
That got me pointed in the right direction. I had to figure out the right formatted text that the system log would pick up, but once I got that, the logs show up in the Systems view in the Web GUI and also get forwarded to the SIEM.
Question: If I want these triggered on an hourly basis, is editing the crontab file allowed by Check Point? Would it get overwritten during version upgrades?
If anyone else comes across this post, this is the line I'm adding to the crontab file, which triggers a system event every hour:
0 * * * * /usr/bin/logger -p user.info '[AUDIT] This is a keep alive message'
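The cron entry above covers the gateway side. The SIEM side of the same idea, the "log source went quiet" check that the original poster relies on, is shown here as an added example; it is not code from this thread or from Check Point. It parses lines in the receive-timestamp / source-address / payload layout of the 1200R sample earlier in the thread, tracks the last message per source, and reports sources that exceed a silence threshold or were never seen. The 1595R keep-alive lines, hostnames and addresses are constructed, and the exact hostname/tag that the gateway's logger emits is an assumption.

```python
import re
from datetime import datetime, timedelta

# Receive timestamp, relaying source address, then the raw syslog payload.
# The prefix layout follows the thread's 1200R sample; the rest is constructed.
LINE_RE = re.compile(r"^(\d{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
TIME_FMT = "%m %d %Y %H:%M:%S"
KEEPALIVE_MARKER = "[AUDIT]"  # marker used in the thread's cron/logger line

# Constructed sample input: one ntpdate-style source, one keep-alive source,
# and a malformed line that must be skipped rather than crash the check.
SAMPLE_LOGS = [
    "05 23 2025 07:00:45 10.0.0.1 <SYSD:NOTE> 2025 May 23 07:00:45 1200R-FW "
    "daemon.notice ntpdate[23250]: adjust time server 192.0.2.10 offset 0.017780 sec",
    "05 23 2025 08:00:00 10.0.0.2 <SYSD:NOTE> 2025 May 23 08:00:00 1595R-FW "
    "user.info root: [AUDIT] This is a keep alive message",
    "05 23 2025 08:01:12 10.0.0.1 <SYSD:NOTE> 2025 May 23 08:01:12 1200R-FW "
    "daemon.notice ntpdate[23250]: adjust time server 192.0.2.10 offset 0.011203 sec",
    "05 23 2025 09:00:00 10.0.0.2 <SYSD:NOTE> 2025 May 23 09:00:00 1595R-FW "
    "user.info root: [AUDIT] This is a keep alive message",
    "this line is not syslog at all",
]
EXPECTED_SOURCES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # 10.0.0.3 never reports
DEMO_NOW = datetime(2025, 5, 23, 10, 30, 0)  # fixed "now" so results are reproducible


def parse_line(line):
    """Return (received_at, source, payload) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    received = datetime.strptime(m.group(1), TIME_FMT)
    return received, m.group(2), m.group(3)


def last_seen_by_source(lines, keepalive_only=False):
    """Most recent receive time per source; optionally count only keep-alives."""
    last = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable input instead of aborting the sweep
        received, source, payload = parsed
        if keepalive_only and KEEPALIVE_MARKER not in payload:
            continue
        if source not in last or received > last[source]:
            last[source] = received
    return last


def check_sources(lines, expected, now, max_gap, keepalive_only=False):
    """Status per expected source: 'ok', 'silent for <gap>' or 'never seen'."""
    last = last_seen_by_source(lines, keepalive_only)
    status = {}
    for source in expected:
        if source not in last:
            status[source] = "never seen"
            continue
        gap = now - last[source]
        status[source] = "ok" if gap <= max_gap else f"silent for {gap}"
    return status


def demo(keepalive_only=False):
    """Run the check over the constructed sample with a 2-hour threshold."""
    return check_sources(SAMPLE_LOGS, EXPECTED_SOURCES, DEMO_NOW,
                         timedelta(hours=2), keepalive_only)


if __name__ == "__main__":
    for source, state in demo().items():
        print(f"{source}: {state}")
```

Setting the threshold to a little more than twice the cron interval (here two hours against an hourly keep-alive) tolerates one missed or delayed message without firing, which matches the 1-2 hour alarm window described in the opening post. The `keepalive_only` switch lets the check count only the deliberate heartbeat, so that unrelated system noise does not mask a gateway whose cron entry was reset by a firmware upgrade.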
Considering we have an SK that mentions modifying crontab as a workaround to an unrelated issue, I'd say yes: https://support.checkpoint.com/results/sk/sk166361
sk166361 is not accessible! See https://community.checkpoint.com/t5/SMB-Gateways-Spark/R77-20-80-cpdiag-and-crond/td-p/39788 for my post about this...
Yeah, I missed the part where it was an internal SK.
Thank you both. Reviewing GW's post, if Hristo's last comment is accurate then my cron changes get reset after every firmware upgrade. Luckily the SMB firmware is pretty static but something I'll just have to be aware of. So far it's working great on my test firewall and bringing in my test message every X minutes.
"Just to mention that cron daemon is for internal use only (no support from TAC for it). Whatever you add there will be reset on the next firmware upgrade, so keep a copy of it somewhere."
We don't have a UI for adding cron entries (in clish/WebUI).
As such, I assume changes to crontab would, in fact, need to be re-applied after a firmware update.
10-4. I have it scripted out so I should be able to push it out via a one liner via the mgmt server if we ever need to. Thanks again!