Skyline Deployment Technical Level

Introduction

Skyline quickly and efficiently monitors your Check Point servers with industry-standard software and protocols (OpenTelemetry, Prometheus, and Grafana).

Skyline provides an OpenTelemetry CPView Agent service. The OpenTelemetry CPView Agent runs on a Check Point server to collect and export health metrics from the Check Point CPView tool to an external location.

The Skyline architecture includes three primary components:

  • OpenTelemetry CPView Agent

    Runs on Check Point servers.

    A service that queries CPView at defined intervals, collects the metrics, and exports them to an OpenTelemetry Collector.

  • OpenTelemetry Collector

    Runs on Check Point servers.

    An open-source service that receives metrics from multiple Agents and exports them to an external endpoint (a different OpenTelemetry Collector or a Prometheus Remote-Write).

  • Prometheus and Grafana Servers

    Third-party software that runs on an external server.

    The Prometheus Server receives data from the OpenTelemetry Collector, saves it in a Timeseries Database, and visualizes the data with visualization tools like Grafana.



Logical Diagram:

Requirements

Server Description

Check Point Server R80.40 and higher

With these minimal Jumbo versions:

Note: When enabled, the Skyline agent consumes approximately 50MB of RAM.

External Server

Runs this software to analyze the collected data:

  • Prometheus Server

    A third-party software that collects, stores, and queries metrics with a dedicated Timeseries Database.

    The Prometheus Server exposes a Remote Write endpoint to which data can be pushed and stores the data in its local database.

    Check Point supports Prometheus version 2.37.1 and higher.

  • Grafana Server

    A third-party software that connects to multiple data sources/databases (such as Prometheus) and visualizes the data, builds graphs, dashboards, and alerts.

    Check Point supports Grafana version 9 and higher.


Downloads

  • Grafana Dashboards (TGZ). Prerequisite: Skyline GA. Release date: 24 October 2022.

  • Sample Payload File (no TLS) (JSON). Prerequisite: Skyline GA. Release date: 28 December 2022.

  • Sample Payload File (with TLS) (JSON). Prerequisite: Skyline GA. Release date: 28 December 2022.


To share and examine Grafana dashboards for Skyline, visit the CheckMates ToolBox (category: Telemetry).

Setup and Configuration




(A) Open Telemetry Agent / Collector on Check Point Servers

The OpenTelemetry Agent and Collector are installed automatically on all applicable Check Point devices if the user enables Automatic Downloads as described in sk94508.
For users who do not allow automatic updates, the OpenTelemetry Agent and Collector are installed as part of the Jumbo installation, so you must install the minimum Take (see the "Requirements" section above).

Notes about the Telemetry Agent / Collector for Check Point Servers:

Open Telemetry services do not start automatically. After you complete the installation, you must configure the basic settings in the required configuration files and start the services manually.


(B) Prometheus

Note: Skip these installation steps if you have already installed Prometheus.

Install Prometheus

To install a Prometheus server on the external server, refer to Prometheus installation instructions for the various platforms.

Note: Make sure to enable the Remote write receiver feature.

Prometheus's default URL: http://localhost:9090

Configuring Prometheus

To enable the Remote Write Receiver:


The Prometheus server must enable its Remote Write Receiver to get metrics data from the Check Point servers.

To enable the Remote Write Receiver, refer to these Prometheus instructions.

To secure Prometheus and Open Telemetry Collector connection using TLS Encryption and Basic authentication:


Prometheus and OpenTelemetry Collector support Transport Layer Security (TLS) encryption for their connection. Refer to these Prometheus instructions. Check Point also requires you to enable basic authentication to make the security bi-directional. Refer to these Prometheus instructions.

TLS configurations have two main components:

  • A pair of Key + Certificate, used for the encryption of your communication
  • (Optional) Certificate Authority (CA cert) that you trust, used to verify and trust the certificate of the other endpoint with which you communicate. If the certificate of the other endpoint is unknown to the CA, the communication is dropped.

You can create these certificates:

  • CA-signed certificates: You create a key and a certificate request, which is then signed by the CA.
  • Self-signed certificates: You create a key and a certificate signed by the user.

This section describes self-signed certificates.

To configure TLS, you must create two pairs of a key and a certificate on the Prometheus server:

Procedure:

  1. Create a self-signed certificate and a private key:

    Steps:

    1. Create the file called openssl.conf with the template below.

      Enter the applicable information in the "[ dn ]" and "[ alt_names ]" sections.

      Important - The Prometheus Server and the OpenTelemetry Collector must have different hostnames and IP addresses.

      [ req ]
      default_bits       = 4096
      default_md         = sha256
      req_extensions     = v3_req
      distinguished_name = dn
      prompt = no
      [ v3_req ]
      subjectAltName = @alt_names
      [ dn ]
      C = <Country Name>
      ST = <State Or Province Name>
      L = <Locality>
      O = <Organization>
      OU = <Organization Unit>
      CN = <Common Name>
      [ alt_names ]
      DNS = <HOSTNAME>
      IP = <IP ADDRESS>
      
    2. Generate the key and certificate pair on any Gaia OS:

      cpopenssl req -x509 -newkey rsa:4096 -nodes -config openssl.conf -keyout mykey.key -out mycert.crt -extensions v3_req

      This command creates two files in the current working directory:

      • mykey.key
      • mycert.crt
  2. Use the newly generated key and certificate to configure TLS on the Prometheus Server in the web-config.yaml configuration file (you may need to create this file).

    Example:

    tls_server_config:
      key_file: /home/prometheus/certs/prometheus.key
      cert_file: /home/prometheus/certs/prometheus.crt
    


(C) Grafana

Note: Skip these installation steps if you have already installed Grafana.

Install Grafana

To install a Grafana Server on the external server, refer to Grafana installation instructions.

Note: You can install Grafana on the same machine that contains your Prometheus instance.

Grafana's default URL: http://localhost:3000

Configuring Grafana

To connect Data-source and Dashboards:

  1. Log in to Grafana and add a new Prometheus Data Source with the Prometheus Server you created.

    Click on the side panel Configuration > Data sources > click on the Add data source button > select the Prometheus data source.

    Make sure to mark the Prometheus data source as Default.

  2. Import the Check Point dashboard to start monitoring your environment.

    Click on the side panel Create > Import > upload the applicable dashboard JSON file.

  3. You can modify the existing dashboards or create new dashboards according to your needs. Refer to the Skyline Metrics Repository to see a full description of all the data exposed by Skyline.


(D) Configure the OpenTelemetry Collector on the Check Point Server

Important

  • In a cluster, it is recommended to do these steps on each cluster member.

  • In Management High Availability, it is recommended to do these steps on each server.

  • In a Maestro environment:
    • For the Maestro Hyperscale Orchestrator (MHO): You can run the script or run the Gaia Rest API. The script runs on the MHO and configures only the MHO.
    • For a Security Group: Run the script only on the Single Management Object (SMO). The SMO applies it to all the Security Group Members.
    • If there are issues with the script, try to download it from here and replace the current /opt/CPotelcol/REST.py file. 
    • The script uses gexec and g_cp2blades commands. Make sure they work correctly.

  • In the examples, the script runs from the "home" directory. Make sure to change the path accordingly. 

  • The REST API command is a Gaia REST API command. Refer to the GAIA API Reference > Section "OpenTelemetry".

  • Do not cut and paste the commands below. Enter them manually. 

There are two methods to configure the OpenTelemetry Collector:

Note: You can download sample payload files from the "Downloads" section above. Replace the placeholder strings in <> in the sample files with your actual strings. 
  • Run a script locally in one of these ways:

    • Run the script and provide the payload as an argument:

      /opt/CPotelcol/REST.py --set_open_telemetry "<PayloadTextHere>"

    • Save the payload in a file (for example, payload.json) and run the script:

      /opt/CPotelcol/REST.py --set_open_telemetry "$(cat payload.json)"

  • Run a REST API command (supported in API version 1.7 and higher):

POST {server}/v1.7/set-open-telemetry
Content-Type: application/json
X-chkp-sid: {{session}}
{
  <PayloadHere>
}  

Note: To disable Skyline completely, change the top-level "enabled" attribute in the payload file to "false" and re-run the script.

Prepare the payload for the command:

  1. In the "basic" entry, configure "username" and "password" to your monitoring server's username / password.

    Only these characters are permitted in the password field:

    • alpha
    • digit
    • _ (underscore)
    • , (comma)
    • . (period)
    • \ (backslash)
    • / (slash)
    • - (hyphen)
  2. In the "ca-public-key" entry, configure TLS settings with the CA certificate of your monitoring server (as PEM X509), or use the self-signed certificate you generated previously.
    Explanation: Replace <CERTIFICATE> with the CA certificate of the monitoring server (PEM X509).

  3. In the "url" entry, configure your monitoring server's IP address / URL.

    If you do not wish to use TLS encryption in labs or test environments, then make these changes in the payload:

    1. In the "url" entry, change the Prometheus URL prefix from "https://" to "http://"

    2. Remove the "client-auth" and "server-auth" entries (you will be warned when running the script).

Example payload (with TLS):

{
    "enabled": true,
    "export-targets": {"add": [
        {
            "client-auth": {
                "basic": {
                    "username": "<USERNAME>",
                    "password": "<PASSWORD>"
                }
            },
            "enabled": true,
            "server-auth": {
                "ca-public-key": {
                    "type": "PEM-X509",
                    "value": "<CERTIFICATE>"
                }
            },
            "type": "prometheus-remote-write",
            "url": "https://<EXTERNAL_PROMETHEUS_IP_ADDRESS>:9090/api/v1/write"
        }
    ]}
}

Example payload (without TLS):

{
    "enabled": true,
    "export-targets": {"add": [
        {
            "enabled": true,
            "type": "prometheus-remote-write",
            "url": "http://<EXTERNAL_PROMETHEUS_IP_ADDRESS>:9090/api/v1/write"
        }
    ]}
}
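
A pre-flight check for the payload rules above, as an added example (not Check Point's code and not part of REST.py): it flags unreplaced placeholders, passwords outside the permitted character set, https targets that lack basic authentication or a CA certificate, and http targets. The function names are hypothetical, and reading "alpha" as ASCII letters is an assumption.

```python
import json
import re
import sys
from urllib.parse import urlsplit

# Password characters the article permits: letters, digits and _ , . \ / -
# ("alpha" is read as ASCII letters here, which is an assumption).
PASSWORD_RE = re.compile(r"[A-Za-z0-9_,.\\/-]+")
PEM_RE = re.compile(r"\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+"
                    r"-----END CERTIFICATE-----\s*")
PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")  # e.g. an untouched <CERTIFICATE>


def lint_target(target):
    """Return the problems found in one entry of export-targets.add."""
    problems = []
    parts = urlsplit(target.get("url", ""))
    basic = target.get("client-auth", {}).get("basic")
    ca = target.get("server-auth", {}).get("ca-public-key")
    if PLACEHOLDER_RE.search(parts.netloc) or not parts.hostname:
        problems.append("url: placeholder not replaced or host missing")
    if parts.scheme == "http":
        problems.append("url: http:// sends metrics in cleartext (lab or test use only)")
        if basic:
            problems.append("client-auth: credentials would cross the network unencrypted")
    elif parts.scheme == "https":
        if not basic:
            problems.append("client-auth: basic authentication is missing")
        if not ca:
            problems.append("server-auth: no CA certificate to verify the server")
    else:
        problems.append("url: scheme must be http or https")
    if basic and not PASSWORD_RE.fullmatch(basic.get("password", "")):
        problems.append("password: empty or outside the permitted character set")
    if ca and (ca.get("type") != "PEM-X509" or not PEM_RE.fullmatch(ca.get("value", ""))):
        problems.append("ca-public-key: value is not a PEM X509 certificate")
    return problems


def lint_payload(payload):
    """Return {target index: [problems]} for the targets that fail a check."""
    targets = payload.get("export-targets", {}).get("add", [])
    report = {i: lint_target(t) for i, t in enumerate(targets)}
    return {i: p for i, p in report.items() if p}


if __name__ == "__main__" and len(sys.argv) > 1:  # optional: path to payload.json
    with open(sys.argv[1]) as fh:
        print(json.dumps(lint_payload(json.load(fh)), indent=2))
```
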

Known Limitations

  • Skyline deployment on a VSX Gateway / VSX Cluster with many Virtual Systems may increase the load on CPU cores. 

  • Skyline deployment on Quantum Spark Appliances with Gaia Embedded OS is not supported.

  • When you enable the Management Data Plane Separation (MDPS, sk138672), the Data plane manages the Skyline process and allocates resources to it.
    (Skyline can query both the Data plane and the Management plane.)

  • On a VSX Gateway / VSX Cluster, Skyline shows the information only for the context VS0 (the VSX Gateway / VSX Cluster Member itself).
    Resolved in:

Documentation

Guides
Skyline Metrics Repository
Prometheus
Grafana
Related SecureKnowledge Articles
sk180630 - How to create basic alerts in Grafana for Skyline
sk179870 - Skyline Troubleshooting and FAQ


Revision History

Date Description
07 Mar. 2023 Added support for R81.20. 
28 Dec. 2022 Added sample payload files to the "Downloads" section. 
24 Oct. 2022 First draft of documentation for General Availability (GA) release
20 Jun. 2022 Updated the section "Downloads" > Skyline Packages for Check Point Servers are now available for download again.
19 Jun. 2022 Updated the section "Downloads" > Skyline Packages for Check Point Servers are temporarily unavailable for download.
12 Jun. 2022 Updated the section "Downloads" > column "Prerequisite"
06 Jun. 2022 Updated the list of supported Check Point servers to include Management Servers and Log Servers as well
29 May 2022 Updated the section "Configure the OpenTelemetry Collector on the Security Gateway / each Cluster Member" > The "prometheusremotewrite" section > instructions for disabling TLS encryption
15 May 2022

Resolved Issues:

  • When you run the command for the current request ("cpview -m"), you get the last request data. With this fix, the "cpview -m" command returns the latest data.
  • Metrics do not show data.

Added:

  • SD-WAN Metric content and CPView updates
  • Data revisions (on the OpenTelemetry Protocol side)
  • Partial diagnostics (on the CPView side)
  • New Grafana dashboards
  • Certificate extension for one year
19 Apr. 2022 Updated the section "Configure the external server - Prometheus and Graphana" > "To secure Prometheus and Open Telemetry Collector connection using TLS Encryption"
05 Apr. 2022 First release of this article
