"Leap seconds" are extra seconds that are added or removed to keep Civil Time, which is based on Universal Coordinated Time (UTC), within 0.9 seconds of the Earth's rotational time (UT1).
The next leap second will be introduced in UTC on 30 June 2015 at UTC 23:59:60 (see the IERS Bulletin C).
Note that the leap second corrections are made at midnight UTC, which is at different local times around the world.
Additional information on leap seconds and how they are handled in Linux and by NTP can be found at the following links:
Recommended steps for handling Leap Second on Gaia OS and SecurePlatform OS
The relevant fix is included in the following versions: (Note: If NTP is not used, then manual configuration is still required - see the instructions below)
No changes are required on the following versions / appliances:
R80
R77.30
SMB appliances running Gaia Embedded OS R77.20.X
Edge and Safe@Office devices
On R77.20 and lower:
A very rare race condition can lead to kernel hang (very unlikely to happen) while the Linux kernel adds an extra second (Issue ID 01568676). This scenario is very unlikely to happen, and there were no reports of it happening on Check Point operating systems on previous Leap Second events.
For customers, who wish to eliminate the chance of this race condition happening:
Check Point Support can provide a hotfix for this issue (ID 01568676). A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo file from the involved machine.
Hotfix has to be installed on machine running Gaia OS / SecurePlatform OS R77.20 and lower.
Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack and install the hotfix package: [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz [Expert@HostName:0]# ./SecurePlatform_<HOTFIX_NAME> Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the machine.
If you do not wish to install the above hotfix / upgrade, then the following workaround is available:
Stop the NTPD daemon before June 30 00:00:00 2015 UTC (notice that this is 24 hours* before leap second time):
On Gaia OS (in Clish): HostName:0> set ntp active off HostName:0> save config
On SecurePlatform OS (in Expert mode): [Expert@HostName]# ntpstop
On 61000 / 41000 (in Expert mode): [Expert@HostName:0]# asg_ntp_sync_config disable
On Gaia Embedded OS R75.20.69 and lower (in Clish): HostName:0> set ntp active off
* Note: During the last 24 hours before leap second time, NTPD daemon will update the Linux kernel that a leap second event should occur at the end of June 30. Once the Linux kernel is updated, stopping NTPD daemon will have no effect. Therefore, NTPD daemon should be stopped at least 24 hours before leap second time.
Start the NTPD daemon after the Leap Second time (July 1 00:00:00 UTC):
On Gaia OS (in Clish): HostName:0> set ntp active on HostName:0> save config
On SecurePlatform OS (in Expert mode): [Expert@HostName]# ntpstart
On 61000 / 41000 (in Expert mode): [Expert@HostName:0]# asg_ntp_sync_config enable
On Gaia Embedded OS R75.20.69 and lower (in Clish): HostName:0> set ntp active on
and then manually correct the leap second deviation:
Either in Web GUI: go to Device tab - in the System section, click on Date and Time - set the correct time
On systems that do not use NTP, the system clock will be one second ahead of the real time clock after Leap Second insertion. This will not affect the functionality.
This section does not apply to the following appliances (no changes are required):
SMB appliances running Gaia Embedded OS
Edge and Safe@Office devices
The system clock can be adjusted after the leap second time - either manually by administrator, or automatically by a hotfix:
Either adjust system clock manually:
On Gaia OS:
Log in to Clish.
Set the desired time: HostName:0> set time HH:MM:SS
Save the configuration: HostName:0> save config
On SecurePlatform OS (run one of these commands):
From default shell (cpshell): # time <HH:MM>
From expert shell (bash): [Expert@HostName]# /bin/time_start <HH:MM>
Note: On SecurePlatform OS, the time will be rounded to a full minute, e.g., when setting "12:43", the clock will be adjusted to "12:43:00".
Or adjust system clock automatically by a hotfix (ID 01621187):
For R77.30 / R80: If you have upgraded to R77.30 / R80, or have performed a clean install of R77.30 / R80, then skip to the next Step B (the required leap seconds information is already integrated into the timezone database - you only need to manually configure it).
For R77.20 and lower: Contact Check Point Support to get a Hotfix that adds the relevant leap seconds information into the timezone database. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPinfo file from the involved machine.
Hotfix has to be installed on machine running Gaia OS / SecurePlatform OS R77.20 and lower.
Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack and install the hotfix package: [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf SecurePlatform_<HOTFIX_NAME>.tgz [Expert@HostName:0]# ./SecurePlatform_<HOTFIX_NAME> Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Reboot the machine.
Follow these steps after installing this hotfix from Step A / after upgrading to R77.30 or R80 / after performing a clean install of R77.30 or R80:
Set the desired time, date and timezone in Gaia OS (in Gaia Portal, or in Gaia Clish) / SecurePlatform OS (in WebUI, or in "sysconfig" menu).
Override the current default timezone database file with the timezone database file that includes leap seconds information (located in the /usr/share/zoneinfo/right/ directory):
Check Point recognizes the upcoming Leap Second correction in UTC due on 30 June 2015.
OS
Statement
Gaia OS
Versions R77.20 and lower may be susceptible to leap second issues when NTP is used.
SecurePlatform OS
Versions R77.20 and lower may be susceptible to leap second issues when NTP is used.
Gaia Embedded OS (600/700/1100/ 1200R/1400)
Versions R75.20.69 and lower may be susceptible to leap second issues when NTP is used.
Edge / Safe@Office
Not relevant.
X-Series XOS
lue Coat has resolved this issue in XOS 11.0 (released in Apr 2015), and in XOS 9.7.7 / XOS 10.0.4 (released in June 2015).
IPSO OS
Not relevant.
DDoS Protector
Not relevant (it ignores the NTP flag and does not add the additional leap second; the time is adjusted at the next NTP update; the same applies to the bypasses).
