Re: Hello Team,

Machi Ma · ‎10-14-2016

Hello,

I have problem to setup timezone under SFR module. Under FireSIGHT there are only option to setup sync which timeserver, but it looks did not have options to setup the timezone.

How can I update from FireSIGHT WebGUI or CLI at SFR module?

Thanks!

> show time
UTC -       Fri Oct 14 06:21:07 UTC 2016
Localtime - Fri Oct 14 02:21:08 EDT 2016

> show ntp
NTP Server                :
Status                    : Being Used
Offset                    : 0.222 (milliseconds)
Last Update               : 64 (seconds)

> show ntp
NTP Server                : 202.147.104.60 (xx0.nerdboy.net.au)
Status                    : Being Used
Offset                    : -2.022 (milliseconds)
Last Update               : 5 (seconds)

NTP Server                : 202.127.210.37 (ns2.unico.com.au)
Status                    : Available
Offset                    : -2.750 (milliseconds)
Last Update               : 8 (seconds)

NTP Server                : 103.38.121.36 (dns02.ntl01.nsw.privatecloudco.com)
Status                    : Available
Offset                    : -3.852 (milliseconds)
Last Update               : 8 (seconds)

NTP Server                : 130.102.2.123 (b.pool.ntp.uq.edu.au)
Status                    : Not Available
Offset                    : 36.585 (milliseconds)
Last Update               : 12 (seconds)

Jetsy Mathew · ‎10-14-2016

Hello Team,

For the FMC GUI you can set the timezone using Time preferences option and the other option is to sync the timeserver between the FMC and GUI.

Other than that for an asa sfr module , you cannot and you are not supposed to change the timezone via cli.

The asa sfr module timezone will be in UTC and you are not supposed to change that timezone from UTC. If you change the timezone , it will leave the system un-supported.

Rate and mark the helpful posts.

Regards

Jetsy

Flavio Vettori · ‎10-24-2017

Why I am not supposed to change sfr time synch?? Who cares about sfr system time?? What I do care are about are security events!

I do need to export events to a SIEM and the *wrong* ('cause they're wrong) timestamps are messing all the way our security reports. Maybe I'm also supposed to thank god I'm just one single hour away from UTC, so most of the events we have to review and work on still remain in the right day.

Imho this is indefensible.

pcleaver · ‎01-02-2018

I'm running into the same problem as Flavio. We are getting events from the Firepower modules in our SIEM with time stamps that are 5 hours ahead of real-time due to the module being set to UTC... Are you saying there is no supported way to adjust the time zone for the Firepower modules? I've already created a platform setting policy to sync the modules up to the FMC for NTP but that doesn't adjust the time zone.

As Flavio said, if this is the case, this is absolutely indefensible...

Marvin Rhoads · ‎01-02-2018

FMC syslog events are always reported as UTC without offset.

It is RFC-compliant that way and Cisco does not provide an option to change it, either in the GUI or cli.

reachyoursolution · ‎08-13-2021

So, how do I get this corrected if I can't update SFR through the command line?
Thank you!

Marvin Rhoads · ‎08-13-2021

@reachyoursolution Cisco's approach is to have the ingesting system recognize RFC-compliant syslog messages that use UTC in their timestamps.

i.e., RFC 3339 states:

Because the daylight saving rules for local time zones are so
   convoluted and can change based on local law at unpredictable times,
   true interoperability is best achieved by using Coordinated Universal
   Time (UTC).

How to setup time-zone at sfr module?