Clock Bootstrap Behavior

The firewall bootstraps its clock at boot in two ways. Both actions run once per boot, before the firewall starts the NTP daemon.

  • The firewall checks the modification times of a few commonly modified files on the filesystem and, if the latest of those times is later than the current clock, sets the clock to that value. This action is taken early in the boot process, just after the firewall has mounted its filesystems.

    This ensures that the clock is reasonably close to the current time so long as the firewall has been active recently, and it works even when no network connection is available at boot time. The longer it has been since the firewall was last active, the less accurate this method becomes.

  • The firewall performs a one-time sync to multiple NTP servers with static IP addresses from Google Public NTP. This avoids a chicken-and-egg problem where the firewall cannot resolve NTP servers because DNSSEC, which is enabled by default, cannot function when the clock is inaccurate. This happens much later in the boot process because it cannot be performed until after the firewall has configured its interfaces and routing.

    This gets the clock as close to accurate as possible without a persistent NTP daemon. There is a hard timeout of 30 seconds in case the upstream servers are unreachable.

Changing Clock Bootstrap Behavior

The NTP clock bootstrap behavior can easily be disabled or changed if an administrator does not want a firewall to contact the default list of servers.

To disable the bootstrap, create the file /conf/ntp-boot-time-servers as an empty file. If the file exists and is empty the firewall will skip the initial sync.

To use alternate servers, create the file /conf/ntp-boot-time-servers containing one or more IP addresses, each separated by a single space. When the file contains such a list, the firewall uses those addresses for the bootstrap sync instead of the default servers.
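As an added example (not the firewall's own scripts), the following POSIX shell reimplements the two bootstrap decisions described on this page: taking the newest file modification time only when it is later than the clock, and choosing the server list from the override file (absent, empty, or populated). It goes one step beyond the text by rejecting entries that are not address literals, since a hostname would reintroduce the DNSSEC chicken-and-egg problem. The default address list (documentation range 192.0.2.0/24) and the use of `stat` to read modification times are assumptions.

```shell
#!/bin/sh
# Added example: a reimplementation of the two bootstrap decisions described
# above, not the firewall's own scripts. The default address list and the
# override path are constructed placeholders, not the firewall's real values.

DEFAULT_BOOT_SERVERS="192.0.2.1 192.0.2.2"   # placeholder, see lead-in
OVERRIDE_FILE=${OVERRIDE_FILE:-/conf/ntp-boot-time-servers}

# Step 1: newest modification time (Unix seconds) among the candidate files
# that exist. Prints nothing and returns 1 if none of them exist.
newest_mtime() {
    newest=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # GNU stat uses -c %Y, BSD stat (FreeBSD-based firewalls) uses -f %m.
        m=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) || continue
        [ "$m" -gt "$newest" ] && newest=$m
    done
    [ "$newest" -gt 0 ] && echo "$newest"
}

# Only ever move the clock forward: print the file time if it is later than
# the current clock ($1), otherwise print the current clock unchanged.
clock_from_files() {
    now=$1; shift
    latest=$(newest_mtime "$@") || { echo "$now"; return 0; }
    if [ "$latest" -gt "$now" ]; then echo "$latest"; else echo "$now"; fi
}

# Heuristic: an entry is usable as a literal address if it contains only
# IPv4/IPv6 literal characters. Hostnames would reintroduce the DNSSEC
# chicken-and-egg problem the bootstrap is meant to avoid.
is_ip_literal() {
    case $1 in *[!0-9.:a-fA-F]*) return 1 ;; *) return 0 ;; esac
}

# Step 2: pick the server list for the one-time sync.
#   override missing        -> default list
#   override present, empty -> skip the sync (prints nothing, returns 1)
#   override with addresses -> those addresses, whitespace-normalised;
#                              any non-literal entry is rejected (returns 2)
select_boot_servers() {
    override=${1:-$OVERRIDE_FILE}
    if [ ! -e "$override" ]; then echo "$DEFAULT_BOOT_SERVERS"; return 0; fi
    [ -s "$override" ] || return 1
    set -- $(cat "$override")   # word splitting normalises the separators
    for s in "$@"; do is_ip_literal "$s" || return 2; done
    echo "$*"
}
```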