Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9790
Views
5
Helpful
19
Replies

FTD Daemon(service) restart

Go to solution
John500
Level 1
Level 1

‎06-06-2019 12:25 AM - edited ‎02-21-2020 09:11 AM

Hi,

 

How can i restart the ntpd Daemon in FTD ?

 

Should I do it from FMC cli or direct from FTD cli ?

 

The FMC is used to manage many FTDs, so how do i restart the service in just one FTD ?

 

Thanks in advance.

Labels:
0 Helpful
19 Replies 19

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to John500

‎06-25-2019 10:09 PM - edited ‎06-25-2019 10:11 PM

FTD-generated syslog messages will be timestamped with either legacy or RFC 5424 format (according to platform settings applied to the managed device).

That is noted in the FMC configuration guide:

Select the Timestamp Format for the syslog message:
• The Legacy (MMM dd yyyy HH:mm:ss) format is the default format for syslog messages.
When this timestamp format is selected, the messages do not indicate the time zone, which is always UTC.
• RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) uses the ISO 8601 timestamp format as specified in the RFC 5425 syslog
format.
If you select the RFC 5424 format, a “Z” is appended to the end of each timestamp to indicate that the timestamp
uses the UTC time zone.

You cannot change them to make the syslog messages reflect a different timezone. Perhaps if you use RFC 5424 format your target system can interpret the "Z" which denotes "Zulu" or UTC (GMT) time zone and adjust it's intake accordingly.

I did confirm with a packet capture that change does reflect in the syslog messages.

The FMC displays (Connection Events etc.) will show time adjusted to match the User Preferences of the currently logged in user. All event storage and processing however is done using UTC time.

Go to solution
John500
Level 1
Level 1
In response to Marvin Rhoads

‎07-15-2019 01:46 AM

Thanks Marvin for the update.

 

But i have noticed ASA running on Firepower doesn't have this issue. The only difference i can see is FTD is managed via FMC and ASA with ASDM. The timestamp for ASA displays on SIEM seems to be fine.

 

So Is NTP on FTD & ASA running on Firepower are working differently ?

 

Below for your ref,

 

ASA :

Time Event
7/15/19
10:29:52.000 AM


FTD :

Time
7/15/19
8:35:12.000 AM
Event
<113>2019-07-15 T08:35:12+02:00

 

Thanks.

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to John500

‎07-15-2019 06:05 PM

@John500 

Are you looking at the ASA event locally on the ASA (from cli or ASDM) or is that how it is leaving the appliance as a syslog message?

0 Helpful

Go to solution
John500
Level 1
Level 1
In response to Marvin Rhoads

‎07-16-2019 06:48 AM

Not direct.

 

Both logs were taken from Syslog / SIEM device.

 

Thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to John500

‎07-17-2019 10:54 PM

Apparently they do differ. I hadn't been aware of this distinction previously.

I would posit that the ASA developers figured they are more likely locally managed (or they didn't take into consideration the need to normalize timestamps) and thus just use the local time including timezone adjustment.

But that's just speculation on my part. :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card