Support Center > Search Results > SecureKnowledge Details
Check Point response to Leap Second introduced in UTC on 30 June 2015
Solution
Click Here to Show the Entire Article

 

Background

Show / Hide this section

"Leap seconds" are extra seconds that are added or removed to keep Civil Time, which is based on Universal Coordinated Time (UTC), within 0.9 seconds of the Earth's rotational time (UT1).

The next leap second will be introduced in UTC on 30 June 2015 at UTC 23:59:60 (see the IERS Bulletin C).

Note that the leap second corrections are made at midnight UTC, which is at different local times around the world.

Additional information on leap seconds and how they are handled in Linux and by NTP can be found at the following links:

 

Recommended steps for handling Leap Second on Gaia OS and SecurePlatform OS

The relevant fix is included in the following versions:
(Note: If NTP is not used, then manual configuration is still required - see the instructions below)

Check Point recommends to always upgrade to the most recent version (Security Gateway, Security Management, Multi-Domain Security Management / upgrade 600 / upgrade 700 / upgrade 1100 / upgrade 1200R / upgrade 1400).

 

If you do not wish to upgrade, then the following hotfix and workaround are available:

  • Show / Hide the instructions if Gaia / SecurePlatform OS updates the time using NTP

    No changes are required on the following versions / appliances:

    • R80
    • R77.30
    • SMB appliances running Gaia Embedded OS R77.20.X
    • Edge and Safe@Office devices

    On R77.20 and lower:

    • A very rare race condition can lead to kernel hang (very unlikely to happen) while the Linux kernel adds an extra second (Issue ID 01568676).
      This scenario is very unlikely to happen, and there were no reports of it happening on Check Point operating systems on previous Leap Second events.

    • For customers, who wish to eliminate the chance of this race condition happening:

      • Check Point Support can provide a hotfix for this issue (ID 01568676).
        A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
        For faster resolution and verification, please collect CPinfo file from the involved machine.

        This fix is already included in:

        Hotfix installation instructions:

        1. Hotfix has to be installed on machine running Gaia OS / SecurePlatform OS R77.20 and lower.
        2. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
        3. Unpack and install the hotfix package:
          [Expert@HostName:0]# cd /some_path_to_fix/
          [Expert@HostName:0]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz
          [Expert@HostName:0]# ./SecurePlatform_<HOTFIX_NAME>
          Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
        4. Reboot the machine.
      • If you do not wish to install the above hotfix / upgrade, then the following workaround is available:

        1. Stop the NTPD daemon before June 30 00:00:00 2015 UTC (notice that this is 24 hours* before leap second time):

          • On Gaia OS (in Clish):
            HostName:0> set ntp active off
            HostName:0> save config

          • On SecurePlatform OS (in Expert mode):
            [Expert@HostName]# ntpstop

          • On 61000 / 41000 (in Expert mode):
            [Expert@HostName:0]# asg_ntp_sync_config disable

          • On Gaia Embedded OS R75.20.69 and lower (in Clish):
            HostName:0> set ntp active off

          * Note: During the last 24 hours before leap second time, NTPD daemon will update the Linux kernel that a leap second event should occur at the end of June 30. Once the Linux kernel is updated, stopping NTPD daemon will have no effect. Therefore, NTPD daemon should be stopped at least 24 hours before leap second time.

        2. Start the NTPD daemon after the Leap Second time (July 1 00:00:00 UTC):

          • On Gaia OS (in Clish):
            HostName:0> set ntp active on
            HostName:0> save config

          • On SecurePlatform OS (in Expert mode):
            [Expert@HostName]# ntpstart

          • On 61000 / 41000 (in Expert mode):
            [Expert@HostName:0]# asg_ntp_sync_config enable

          • On Gaia Embedded OS R75.20.69 and lower (in Clish):
            HostName:0> set ntp active on

            and then manually correct the leap second deviation:

            • Either in Web GUI:
              go to Device tab - in the System section, click on Date and Time - set the correct time
            • Or in Clish:
              HostName:0> set time <HH:MM>


  • Show / Hide the instructions if Gaia / SecurePlatform OS does not use NTP
    • On systems that do not use NTP, the system clock will be one second ahead of the real time clock after Leap Second insertion. This will not affect the functionality.

    • This section does not apply to the following appliances (no changes are required):

      • SMB appliances running Gaia Embedded OS
      • Edge and Safe@Office devices
    • The system clock can be adjusted after the leap second time - either manually by administrator, or automatically by a hotfix:

      • Either adjust system clock manually:

        • On Gaia OS:

          1. Log in to Clish.
          2. Set the desired time:
            HostName:0> set time HH:MM:SS
          3. Save the configuration:
            HostName:0> save config
        • On SecurePlatform OS (run one of these commands):

          • From default shell (cpshell):
            # time <HH:MM>
          • From expert shell (bash):
            [Expert@HostName]# /bin/time_start <HH:MM>

          Note: On SecurePlatform OS, the time will be rounded to a full minute, e.g., when setting "12:43", the clock will be adjusted to "12:43:00".

      • Or adjust system clock automatically by a hotfix (ID 01621187):

        1. For R77.30 / R80: If you have upgraded to R77.30 / R80, or have performed a clean install of R77.30 / R80, then skip to the next Step B
          (the required leap seconds information is already integrated into the timezone database - you only need to manually configure it).

          For R77.20 and lower: Contact Check Point Support to get a Hotfix that adds the relevant leap seconds information into the timezone database.
          A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
          For faster resolution and verification, please collect CPinfo file from the involved machine.

          1. Hotfix has to be installed on machine running Gaia OS / SecurePlatform OS R77.20 and lower.
          2. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
          3. Unpack and install the hotfix package:
            [Expert@HostName:0]# cd /some_path_to_fix/
            [Expert@HostName:0]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz
            [Expert@HostName:0]# ./SecurePlatform_<HOTFIX_NAME>
            Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
          4. Reboot the machine.
        2. Follow these steps after installing this hotfix from Step A / after upgrading to R77.30 or R80  / after performing a clean install of R77.30 or R80:

          1. Set the desired time, date and timezone in Gaia OS (in Gaia Portal, or in Gaia Clish) / SecurePlatform OS (in WebUI, or in "sysconfig" menu).

          2. Check the name of the currently used timezone:

            [Expert@HostName:0]# ls -l /etc/localtime
            lrwxrwxrwx    1 0        0              DD MMM  1 00:00 /etc/localtime -> /usr/share/zoneinfo/<Name_of_Region>/<Name_of_TimeZone>
            

            Note the currently used timezone database file, to which this symbolic link points.

            Examples:

            • Region "Europe", Timezone "Paris"
              [Expert@HostName:0]# ls -l /etc/localtime
              lrwxrwxrwx    1 0        0              29 Jul  1 00:00 /etc/localtime -> /usr/share/zoneinfo/Europe/Paris
              
            • Region "US", Timezone "Pacific"
              [Expert@HostName:0]# ls -l /etc/localtime
              lrwxrwxrwx    1 0        0              29 Jul  1 00:00 /etc/localtime -> /usr/share/zoneinfo/US/Pacific
              
            • Region "ETC", Timezone "GMT+6"
              [Expert@HostName:0]# ls -l /etc/localtime
              lrwxrwxrwx    1 0        0              29 Jul  1 00:00 /etc/localtime -> /usr/share/zoneinfo/Etc/GMT+6
              
          3. Backup the current default timezone database file:

            [Expert@HostName:0]# cp /usr/share/zoneinfo/<Name_of_Region>/<Name_of_TimeZone> /usr/share/zoneinfo/<Name_of_Region>/<Name_of_TimeZone>_BACKUP

            Example:

            [Expert@HostName:0]# cp /usr/share/zoneinfo/Europe/Paris /usr/share/zoneinfo/Europe/Paris_BACKUP
            
          4. Override the current default timezone database file with the timezone database file that includes leap seconds information (located in the /usr/share/zoneinfo/right/ directory):

            [Expert@HostName:0]# cp /usr/share/zoneinfo/right/<Name_of_Region>/<Name_of_TimeZone> /usr/share/zoneinfo/<Name_of_Region>/<Name_of_TimeZone>

            Example:

            [Expert@HostName:0]# cp /usr/share/zoneinfo/right/Europe/Paris /usr/share/zoneinfo/Europe/Paris
            

 

Summary of susceptibility to Leap Second

Show / Hide this section

Check Point recognizes the upcoming Leap Second correction in UTC due on 30 June 2015.

OS Statement
Gaia OS
Versions R77.20 and lower may be susceptible to leap second issues when NTP is used.
SecurePlatform OS Versions R77.20 and lower may be susceptible to leap second issues when NTP is used.
Gaia Embedded OS
(600/700/1100/
1200R/1400)
Versions R75.20.69 and lower may be susceptible to leap second issues when NTP is used.
Edge / Safe@Office Not relevant.
X-Series XOS

lue Coat has resolved this issue in XOS 11.0 (released in Apr 2015), and in XOS 9.7.7 / XOS 10.0.4 (released in June 2015).

IPSO OS Not relevant.
DDoS Protector Not relevant (it ignores the NTP flag and does not add the additional leap second; the time is adjusted at the next NTP update; the same applies to the bypasses).

 

Revision History

Show / Hide this section
Date Description
24 Aug 2016
  • Improved the instructions
  • Added a note that SMB appliances running Gaia Embedded OS are not affected
  • Added a note that Edge and Safe@Office devices are not affected
18 Aug 2015
  • Added a note that suggested hotfix is already integrated into R80
  • Added a note that suggested hotfix is already integrated into Jumbo Hotfix Accumulators
29 June 2015
  • Added statement about DDoS Protector
02 June 2015
  • Updated the instructions for adjusting the system clock after the leap second time on Gaia / SecurePlatform OS in case it does not use NTP
  • Added the instructions for Edge and Safe@Office devices
01 June 2015
  • Updated the instructions for adjusting the system clock after the leap second time on Gaia / SecurePlatform OS in case it does not use NTP
31 May 2015
  • Since R77.30 was released added the suggestion to upgrade to R77.30 as the recommended fix
27 May 2015
  • Added a note that suggested hotfix is already integrated into R77.30
25 May 2015
  • Added statement about XOS
20 May 2015
  • Added commands for 61000 / 41000 Security Systems
07 May 2015
  • Improved CLI commands for workaround if NTP is used
04 May 2015
  • First release of this document
Applies To:
  • 01568676 , 01650583 , 01568677 , 01593234 , 01597864 , 01617871 , 01625909 , 01625915 , 01625931 , 01625956 , 01625957 , 01642762 , 01649304 , 01649315 , 01649387 , 01650794 , 01651185 , 01651778 , 01652804 , 01653095 , 01653197
  • 01621187 , 01652807 , 01653180 , 01653512

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment