- ONTAP 9
- Time skew
- Clock skew
Is there an option in ONTAP 9 to show or modify the time skew limit for NTP?
No, the default value for maximum time skew for ONTAP is 1000 seconds, or approximately 16 minutes. The time skew can also be configured on the NTP server.
If an intruder successfully hacks our internal NTP service and changes the time that our NetApp systems get from these NTP servers, would it be possible to delete Snapshots prior to the retention time if there is no maximum skew limit?
No. It is important that the cluster has the correct date and time set, because job schedules, CIFS authentication, logging, and system processes rely on it. If the time difference is more than 5 minutes, you lose CIFS authentication, which prevents new sessions from being established. Because ONTAP does not sync to the NTP server when the skew is too high, other time-based considerations, such as Snapshot expirations, are not affected.
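As an added illustration (not NetApp code, and not a description of ONTAP internals), the Python sketch below shows how a monitoring check could compute the clock offset from an NTP server reply and compare it with the two thresholds named in this article. The function names and the sample packet builder are assumptions made for the example; the offset calculation is the standard NTP formula.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW_S = 1000             # ONTAP maximum time skew, as stated in this article
AUTH_SKEW_S = 5 * 60          # time difference at which CIFS authentication is lost

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit halves) to Unix seconds."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def parse_server_times(packet):
    """Return (receive, transmit) Unix timestamps from a 48-byte NTP server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:          # low three bits of byte 0 are the mode; 4 = server
        raise ValueError("not a server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)

def clock_offset(t1, t2, t3, t4):
    """Standard NTP offset: t1/t4 are client send/receive, t2/t3 server receive/send."""
    return ((t2 - t1) + (t3 - t4)) / 2

def classify(offset):
    """Map an offset in seconds onto the article's thresholds."""
    skew = abs(offset)
    if skew > MAX_SKEW_S:
        return "reject"   # beyond the limit: the source would not be synced to
    if skew > AUTH_SKEW_S:
        return "alert"    # within the limit, but large enough to break CIFS authentication
    return "ok"

def evaluate(packet, t1, t4):
    """Return (offset, verdict) for one reply and the client's send/receive times."""
    t2, t3 = parse_server_times(packet)
    offset = clock_offset(t1, t2, t3, t4)
    return offset, classify(offset)

def build_reply(server_unix):
    """Constructed sample reply (LI=0, VN=4, mode=4, stratum 2), not captured traffic."""
    secs = int(server_unix) + NTP_EPOCH_DELTA
    header = bytes([0x24, 2, 6, 0xEC]) + bytes(28)
    return header + struct.pack("!4I", secs, 0, secs, 0)

if __name__ == "__main__":
    local = 1_700_000_000.0  # constructed local clock reading
    for shift in (2, 400, 86400):   # server ahead by 2 s, 400 s, one day
        print(shift, evaluate(build_reply(local + shift), local, local))
```

A "reject" verdict on a previously healthy time source is worth alerting on in its own right, since it means the server's idea of time has moved by more than the skew limit.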
For settings that control how large a clock skew ONTAP will accept with regard to Kerberos, see: