Checkpoint SPLAT Timezone Configuration Difference on WebUI and CMD - NETSEC



Cybersecurity Memo

Tuesday, March 13, 2012


When setting up a Checkpoint Smart-1 / SPLAT / UTM gateway, one thing always confuses admins: how to set the correct time zone with daylight saving. The WebUI is usually the first interface used to start setting up a Checkpoint gateway. Unfortunately, its NTP configuration is not that straightforward.

As the screenshot shows, it only allows the admin to set the time zone in GMT+-12 format. What about the daylight saving configuration? Will you change the time zone manually twice per year?

The better solution is not to use the WebUI for NTP settings at all. There is a quick wizard-style configuration method through the CLI, listed below with all the steps used in our environment.

1. Enter Expert mode.
2. Type the ntp command to configure the NTP source and update frequency.
ntp -n 60
note: is our internal NTP server. Gateway will update time every 60 minutes.
3. Run sysconfig

Choose a configuration item ('e' to exit):
1) Host name                    5) Network Connections         9) Export Setup
2) Domain name                  6) Routing                    10) Products Installation
3) Domain name servers          7) DHCP Server Configuration  11) Products Configuration
4) Time and Date                8) DHCP Relay Configuration
(Note: configuration changes are automatically saved)
Your choice: 4

Choose a time and date configuration item ('e' to exit):
1) Set time zone                3) Set local time
2) Set date                     4) Show date and time settings
(Note: configuration changes are automatically saved)
Your choice: 1

Identify a location so that time zone rules can be set correctly.
Select a continent or ocean.
 1) Africa
 2) Americas
 3) Antarctica
 4) Arctic Ocean
 5) Asia
 6) Atlantic Ocean
 7) Australia
 8) Europe
 9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using GMT<+|->N format.
12) cancel - I want to quit without changing the time zone.
#? 2

Select a country.
 1) Anguilla                 19) El Salvador              37) Puerto Rico
 2) Antigua & Barbuda        20) French Guiana            38) St Barthelemy
 3) Argentina                21) Greenland                39) St Kitts & Nevis
 4) Aruba                    22) Grenada                  40) St Lucia
 5) Bahamas                  23) Guadeloupe               41) St Martin (French part)
 6) Barbados                 24) Guatemala                42) St Pierre & Miquelon
 7) Belize                   25) Guyana                   43) St Vincent
 8) Bolivia                  26) Haiti                    44) Suriname
 9) Brazil                   27) Honduras                 45) Trinidad & Tobago
10) Canada                   28) Jamaica                  46) Turks & Caicos Is
11) Cayman Islands           29) Martinique               47) United States
12) Chile                    30) Mexico                   48) Uruguay
13) Colombia                 31) Montserrat               49) Venezuela
14) Costa Rica               32) Netherlands Antilles     50) Virgin Islands (UK)
15) Cuba                     33) Nicaragua                51) Virgin Islands (US)
16) Dominica                 34) Panama                   52) cancel
17) Dominican Republic       35) Paraguay
18) Ecuador                  36) Peru
#? 10
Select one of the following time zone regions.
 1) Newfoundland Time, including SE Labrador
 2) Atlantic Time - Nova Scotia (most places), PEI
 3) Atlantic Time - Nova Scotia - places that did not observe DST 1966-1971
 4) Atlantic Time - New Brunswick
 5) Atlantic Time - Labrador - most locations
 6) Atlantic Standard Time - Quebec - Lower North Shore
 7) Eastern Time - Quebec - most locations
 8) Eastern Time - Ontario - most locations
 9) Eastern Time - Ontario & Quebec - places that did not observe DST 1967-1973
10) Eastern Time - Thunder Bay, Ontario
11) Eastern Time - east Nunavut - most locations
12) Eastern Time - Pangnirtung, Nunavut
13) Eastern Standard Time - Resolute, Nunavut
14) Eastern Standard Time - Atikokan, Ontario and Southampton I, Nunavut
15) Central Time - central Nunavut
16) Central Time - Manitoba & west Ontario
17) Central Time - Rainy River & Fort Frances, Ontario
18) Central Standard Time - Saskatchewan - most locations
19) Central Standard Time - Saskatchewan - midwest
20) Mountain Time - Alberta, east British Columbia & west Saskatchewan
21) Mountain Time - west Nunavut
22) Mountain Time - central Northwest Territories
23) Mountain Time - west Northwest Territories
24) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia
25) Pacific Time - west British Columbia
26) Pacific Time - south Yukon
27) Pacific Time - north Yukon
28) cancel
#? 8

The following information has been given:

        Eastern Time - Ontario - most locations

Therefore TZ='America/Toronto' will be used.
Is the above information OK?
1) Yes
2) No
3) Cancel
#? 1
Updating time zone succeeded.

Time zone is set.

4. Verify the configuration

[Expert@CP-1]# cat /etc/sysconfig/ntp
[Expert@CP-1]# hwclock --show
Tue Mar 13 22:07:57 2012  -0.147808 seconds
[Expert@CP-1]# date
[Expert@CP-1]# /bin/date
Tue Mar 13 22:08:14 EDT 2012

[Expert@CP-1]# ntpdate
13 Mar 22:55:33 ntpdate[15774]: step time server offset 78.457643 sec

Note: ntpdate can be used to update the time right away from the NTP server.

There is a time configuration difference between the WebUI and the command line. Please be aware of this and never touch the WebUI's Date and Time configuration again:
On the SPLAT box, when you select 4) to show date and time settings, it shows EDT (Eastern Daylight Time).
But the WebUI shows GMT+0, although the time is right. If you change the settings in the WebUI, the command line configuration will be lost.
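To see why a region-based zone such as America/Toronto behaves differently from a fixed GMT offset, the following added example (not part of the original post) compares the UTC offset each setting applies in January and in July. It assumes GNU date and an installed tz database; the function names and the sample timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU date (-d @EPOCH).
# Zone names such as America/Toronto also need the tz database installed.

# Constructed sample instants, both at 12:00 UTC.
WINTER=1326628800   # 2012-01-15
SUMMER=1342353600   # 2012-07-15

# utc_offset TZ EPOCH -> UTC offset the zone applies at that instant, e.g. -0500
utc_offset() {
    TZ="$1" date -d "@$2" +%z
}

# dst_status TZ -> "observes-dst WINTER/SUMMER" or "fixed-offset OFFSET"
dst_status() {
    w=$(utc_offset "$1" "$WINTER")
    s=$(utc_offset "$1" "$SUMMER")
    if [ "$w" = "$s" ]; then
        echo "fixed-offset $w"
    else
        echo "observes-dst $w/$s"
    fi
}

# America/Toronto is the zone chosen in sysconfig above. GMT+5 is a POSIX-style
# fixed offset (the sign is inverted: GMT+5 means UTC-5) used here as a stand-in
# for a GMT+-N setting; how the WebUI stores its value is not shown on this page.
for zone in America/Toronto GMT+5; do
    printf '%-18s %s\n' "$zone" "$(dst_status "$zone")"
done
```

A fixed-offset result for a gateway located in a daylight saving region means its local log timestamps will be an hour off for part of the year, which complicates correlating firewall logs with other sources.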

Cisco Switch NTP tip: 
The Catalyst 2950, 2955, 3550 and 3560 switches do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These switches also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.

