Introduction
Skyline quickly and efficiently monitors your Check Point servers with industry-standard software and protocols (OpenTelemetry, Prometheus, and Grafana).
Skyline provides an OpenTelemetry CPView Agent service. The OpenTelemetry CPView Agent runs on a Check Point server to collect and export health metrics from the Check Point CPView tool to an external location.
The Skyline architecture includes three primary components:
| Component | Description |
| --- | --- |
| OpenTelemetry CPView Agent | Runs on Check Point servers. A service that queries CPView at defined intervals, collects the metrics, and exports them to an OpenTelemetry Collector. |
| OpenTelemetry Collector | Runs on Check Point servers. An open-source service that receives metrics from multiple Agents and exports them to an external endpoint (a different OpenTelemetry Collector or a Prometheus Remote-Write). |
| Prometheus and Grafana Servers | Third-party software that runs on an external server. The Prometheus Server receives data from the OpenTelemetry Collector, saves it in a Timeseries Database, and visualizes the data with visualization tools like Grafana. |
Note: When enabled, the Skyline agent consumes approximately 50MB of RAM.
External Server
Runs this software to analyze the collected data:
Prometheus Server
A third-party software that collects, stores, and queries metrics with a dedicated Timeseries Database.
The Prometheus Server exposes a Remote Write endpoint to which data can be pushed and stores the data in its local database.
Check Point supports Prometheus version 2.37.1 and higher.
Grafana Server
A third-party software that connects to multiple data sources/databases (such as Prometheus) and visualizes the data, builds graphs, dashboards, and alerts.
Check Point supports Grafana version 9 and higher.
Downloads
| Package Name | Download Link | Prerequisite | Release Date |
| --- | --- | --- | --- |
| Grafana Dashboards | (TGZ) | Skyline GA | 24 October 2022 |
| Sample Payload File (no TLS) | (JSON) | Skyline GA | 28 December 2022 |
| Sample Payload File (with TLS) | (JSON) | Skyline GA | 28 December 2022 |
To share and examine Grafana dashboards for Skyline, visit the CheckMates ToolBox (category: Telemetry).
Setup and Configuration
(A) Open Telemetry Agent / Collector on Check Point Servers
The Open Telemetry Agent / Collector are installed automatically on all applicable Check Point devices if the user enables Automatic Downloads as described in sk94508. For users who do not allow automatic updates, the Open Telemetry Agent / Collector are installed as part of the Jumbo installation, so you must install the minimum Take (see the "Requirements" section above).
Notes about the Telemetry Agent / Collector for Check Point Servers:
Open Telemetry services do not start automatically. After you complete the installation, you must configure the basic settings in the required configuration files and start the services manually.
(B) Prometheus
Note: Skip these installation steps if you have already installed Prometheus.
Prometheus and OpenTelemetry Collector support Transport Layer Security (TLS) encryption for their connection. Refer to these Prometheus instructions. Check Point also requires you to enable basic authentication to make the security bi-directional. Refer to these Prometheus instructions.
TLS configurations have two main components:
A pair of Key + Certificate, used for the encryption of your communication
(Optional) Certificate Authority (CA cert) that you trust, used to verify and trust the certificate of the other endpoint with which you communicate. If the certificate of the other endpoint is unknown to the CA, the communication is dropped.
You can create these certificates:
CA-signed certificates: You create a key and a certificate request, which is then signed by the CA.
Self-signed certificates: You create a key and a certificate signed by the user.
This section describes self-signed certificates.
To configure TLS, you must create two key and certificate pairs on the Prometheus server:
Procedure:
Create a self-signed certificate and a private key:
This command creates two files in the current working directory:
mykey.key
mycert.crt
Use the newly generated key and certificate to configure TLS on the Prometheus Server in the web-config.yaml configuration file (you may need to create this file).
Log in to Grafana and add a new Prometheus Data Source with the Prometheus Server you created.
Click on the side panel Configuration > Data sources > click on the Add data source button > select the Prometheus data source.
Make sure to mark the Prometheus data source as Default.
Import the Check Point dashboard to start monitoring your environment.
Click on the side panel Create > Import > upload the applicable dashboard JSON file.
You can modify the existing dashboards or create new dashboards according to your needs. Refer to the Skyline Metrics Repository to see a full description of all the data exposed by Skyline.
(D) Configure the OpenTelemetry Collector on the Check Point Server
Important
In a cluster, it is recommended to do these steps on each cluster member.
In Management High Availability, it is recommended to do these steps on each server.
In a Maestro environment:
For the Maestro Hyperscale Orchestrator (MHO): You can run the script or run the Gaia Rest API. The script runs on the MHO and configures only the MHO.
For a Security Group: Run the script only on the Single Management Object (SMO). The SMO applies it to all the Security Group Members.
If there are issues with the script, try to download it from here and replace the current /opt/CPotelcol/REST.py file.
The script uses gexec and g_cp2blades commands. Make sure they work correctly.
In the examples, the script runs from the "home" directory. Make sure to change the path accordingly.
The REST API command is a Gaia REST API command. Refer to the GAIA API Reference > Section "OpenTelemetry".
Do not cut and paste the commands below. Enter them manually.
There are two methods to configure the OpenTelemetry Collector:
Note: You can download sample payload files from the "Downloads" section above. Replace the placeholder strings in <> in the sample files with your actual strings.
Run a script locally in one of these ways:
Run the script and provide the payload as an argument:
In the "basic" entry, configure "username" and "password" to your monitoring server's username / password.
Only these characters are permitted for the password field:
alpha
digit
_ (underscore)
, (comma)
. (period)
\ (backslash)
/ (slash)
- (hyphen)
In the "ca-public-key" entry, configure TLS settings with the CA certificate of your monitoring server (as PEM X509), or use the self-signed certificate you generated previously. Explanation: Replace <CERTIFICATE> with the CA certificate of the monitoring server (PEM X509).
In the "url" entry, configure your monitoring server's IP address / URL.
If you do not wish to use TLS encryption in labs or test environments, then make these changes in the payload:
In the "url" entry, change the Prometheus URL prefix from "https://" to "http://"
Remove the "client-auth" and "server-auth" entries (you will be warned when running the script).
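A pre-flight check for the payload rules listed above (permitted password characters, an "https://" URL, "client-auth" / "server-auth" present, no leftover <> placeholders), given here as an added example that is not Check Point's script or part of the original article. It looks entries up by name at any depth, so it does not depend on the real payload layout; the nesting in SAMPLE, the host name and the function names are constructed for illustration, and "alpha" is assumed to mean ASCII letters.

```python
import json
import re

# Password characters the article permits; "alpha" is assumed to mean ASCII letters.
PASSWORD_OK = re.compile(r"[A-Za-z0-9_,.\\/-]+")
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <CERTIFICATE> left over from a sample file

# Constructed sample payload: entry names are from the article, the nesting is assumed.
SAMPLE = """{"prometheusremotewrite": {
  "url": "http://prometheus.example.test:9090/api/v1/write",
  "client-auth": {"basic": {"username": "skyline", "password": "p@ss word"}},
  "server-auth": {"ca-public-key": "<CERTIFICATE>"}}}"""

def walk(node, path=""):
    """Yield (path, key, value) for every entry in the parsed JSON, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            yield here, key, value
            yield from walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield f"{path}[{i}]", None, item
            yield from walk(item, f"{path}[{i}]")

def lint_payload(text):
    """Return findings ("code: detail") for a collector payload given as JSON text."""
    entries = list(walk(json.loads(text)))
    present = {key for _, key, _ in entries}
    findings = []
    for path, key, value in entries:
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(f"placeholder: {path} still holds a <...> sample string")
        if key == "basic" and isinstance(value, dict):
            if not PASSWORD_OK.fullmatch(str(value.get("password", ""))):
                findings.append(f"password: {path} uses characters outside the permitted set")
        if key == "url" and not str(value).startswith("https://"):
            findings.append(f"url: {path} does not use https://")
    for entry in ("client-auth", "server-auth"):
        if entry not in present:
            findings.append(f"{entry}: entry missing (removed only for non-TLS lab setups)")
    return findings

if __name__ == "__main__":
    for finding in lint_payload(SAMPLE):
        print(finding)
```

Running it against a payload before applying it catches a lab (non-TLS) payload that is about to be used outside a lab or test environment.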
Skyline deployment on a VSX Gateway / VSX Cluster with many Virtual Systems may increase the load on CPU cores.
Skyline deployment on Quantum Spark Appliances with Gaia Embedded OS is not supported.
When you enable the Management Data Plane Separation (MDPS, sk138672), the Data plane manages the Skyline process and allocates resources to it. (Skyline can query both the Data plane and the Management plane.)
On a VSX Gateway / VSX Cluster, Skyline shows the information only for the context VS0 (the VSX Gateway / VSX Cluster Member itself). Resolved in:
Added sample payload files to the "Downloads" section.
24 Oct. 2022: First draft of documentation for General Availability (GA) release
20 Jun. 2022: Updated the section "Downloads" > Skyline Packages for Check Point Servers are now available for download again.
19 Jun. 2022: Updated the section "Downloads" > Skyline Packages for Check Point Servers are temporarily unavailable for download.
12 Jun. 2022: Updated the section "Downloads" > column "Prerequisite"
06 Jun. 2022: Updated the list of supported Check Point servers to include Management Servers and Log Servers as well
29 May 2022: Updated the section "Configure the OpenTelemetry Collector on the Security Gateway / each Cluster Member" > The "prometheusremotewrite" section > instructions for disabling TLS encryption
15 May 2022:
  Resolved Issues:
    When you run the command for the current request ("cpview -m"), you get the last request data. With this fix, the "cpview -m" command returns the latest data.
    Metrics do not show data.
  Added:
    SD-WAN Metric content and CPView updates
    Data revisions (on the OpenTelemetry Protocol side)
    Partial diagnostics (on the CPView side)
    New Grafana dashboards
    Certificate extension for one year
19 Apr. 2022: Updated the section "Configure the external server - Prometheus and Grafana" > "To secure Prometheus and Open Telemetry Collector connection using TLS Encryption"
05 Apr. 2022: First release of this article