Firewall Leap Second and Leap Year Compliance

Printer Friendly Page
Article updated on January 31, 2020. Updated Leap Second dates.

 

A leap second is a one-second adjustment that is applied to Coordinated Universal Time (UTC) in order to synchronize atomic clocks with astronomical clocks. The Earth's rotation around its own axis is slowing down gradually so a second is often added to compensate for this. Without this adjustment, there will be an increasing gap in the time between atomic time and astronomical time.

 

NOTE: The last leap second was added on December 31, 2016 at 23:59:60. The next possible Leap Second may be added on December 31, 2020.

 

The Palo Alto Networks firewall handles the leap second, as well as the leap year, in the following manner:

  • Leap second insertions should be picked up by time keeping NTP servers and devices acting as NTP clients will be able to synchronize their clocks with the servers.
  • Palo Alto Networks devices are NTP clients and will pick up the change from any in-house or global server.
  • If your IT department maintains an in-house NTP server, then make sure the leap second insertion has been picked up by this server in order for the clients to be properly synchronized.

 

Comments

Dear there,

 

How about the leap second handling of 31.12.2016 to 01.01.2017? On one active Panaroma server, we noticed that one higher CPU jump from 5%  to 20% during the lead second insertion, and it keeps the higher cpu ( average 20% )  since then until now, it lasts 11 days for  and  it even jumps to 80-90 percent for a while this morning during the business hour, one case is already open by PA, i have the feeling that this higher CPU is caused or related to that leap second. 

 

What do you think? Could you please verify with Panorama product developers?

 

Thank you for your cross-check and feedback.

 

Kind regards

Enyuan

Hi @enyuan.wu

 

An NTP update with a leap second should not cause much impact on the CPU. TAC should be able to confirm what is going and resolve the issue for you.

 

regards

Tom