Support Center > Search Results > SecureKnowledge Details
Skyline Deployment Technical Level
Solution

Table of Contents:

  • Introduction
  • Requirements
  • Downloads
  • Installation
  • Configuration
  • Known Limitations
  • Troubleshooting
  • Documentation
  • Revision History

Click Here to Show the Entire Article

Introduction

Skyline quickly and efficiently monitors your Check Point servers with industry-standard software and protocols (OpenTelemetry, Prometheus, and Grafana).

Skyline provides an OpenTelemetry CPView Agent service. The OpenTelemetry CPView Agent runs on a Check Point server to collect and export health metrics from the Check Point CPView tool to an external location.

The Skyline architecture includes three primary components:

Component Description

OpenTelemetry CPView Agent

Runs on Check Point servers.

A service that queries CPView at defined intervals, collects the metrics, and exports them to an OpenTelemetry Collector.

OpenTelemetry Collector

Runs on Check Point servers.

An open-source service that receives metrics from multiple Agents and exports them to an external endpoint (a different OpenTelemetry Collector or a Prometheus Remote-Write).

Prometheus and Grafana Servers

Third-party software that runs on an external server.

The Prometheus Server receives data from the OpenTelemetry Collector, saves it in a Timeseries Database, and visualizes the data with visualization tools like Grafana.

Logical Diagram:

Requirements

Server Description

Check Point Server R80.40 or above

With these minimal Jumbo versions:

External Server

Runs this software to analyze the collected data:

  • Prometheus Server

    A third-party software that collects, stores, and queries metrics with a dedicated Timeseries Database.

    The Prometheus Server exposes a Remote Write endpoint to which data can be pushed and stores the data in its local database.

    Check Point supports Prometheus version 2.37.1 and up.

  • Grafana Server

    A third-party software that connects to multiple data sources/databases (such as Prometheus) and visualizes the data, builds graphs, dashboards, and alerts.

    Check Point supports Grafana version V9 and up.


Downloads

Package Name Download Link Prerequisite  Release Date

Grafana Dashboards

(TGZ)

Skyline GA

24 October 2022


To share and examine Grafana dashboards for Skyline, visit the CheckMates ToolBox (category: Telemetry).

Setup and Configuration

Show All

(A) Open Telemetry Agent / Collector on Check Point Servers

The Open Telemetry Agent / Collector are installed automatically on all applicable Check Point devices, if the user allows the Automatic updates download per sk94508.
For users who do not allow automatic updates, the Open Telemetry Agent / Collector will be installed as part of the Jumbo installation, so you are required to install the minimum Take (see the "Requirements" section above).

Notes about the Telemetry Agent / Collector for Check Point Servers:

Open Telemetry services do not start automatically. After you complete the installation, you must configure the basic settings in the required configuration files and start the services manually.


(B) Prometheus

Note: Skip these installation steps if you have already installed Prometheus.

Install Prometheus

To install a Prometheus server on the external server, refer to Prometheus installation instructions for the various platforms.

Note: Make sure to enable the Remote write receiver feature

Check Point supports Prometheus version 2.37.1 and up.

Prometheus's default URL: http://localhost:9090

Configuring Prometheus

To enable the Remote Write Receiver:

Show / Hide this section

The Prometheus server must enable its Remote Write Receiver to get metrics data from the Check Point servers.

To enable the Remote Write Receiver, refer to these Prometheus instructions.

To secure Prometheus and Open Telemetry Collector connection using TLS Encryption and Basic authentication:

Show / Hide this section

Prometheus and OpenTelemetry Collector support Transport Layer Security (TLS) encryption for their connection. Refer to these Prometheus instructions. Check Point also requires you to enable basic authentication to make the security bi-directional, Refer to these Prometheus instructions.

TLS configurations have two main components:

  • A pair of Key + Certificate, used for the encryption of your communication
  • (Optional) Certificate Authority (CA cert) that you trust, used to verify and trust the certificate of the other endpoint with which you communicate. If the certificate of the other endpoint is unknown to the CA, the communication is dropped.

You can create these certificates:

  • CA-signed certificates: You create a key and a certificate request, which is then signed by the CA.
  • Self-signed certificates: You create a key and a certificate signed by the user.

This section described self-signed certificates.

To configure TLS, you must create two pairs of a key and a certificate on the Prometheus server:

Procedure:

  1. Create a self-signed certificate and a private key:

    Steps:

    Show / Hide this section
    1. Create the file called openssl.conf with the template below.

      Enter the applicable information in the "[ dn ]" and "[ alt_names ]" sections.

      Important - The Prometheus Server and the OpenTelemetry Collector must have different hostnames and IP addresses.

      [ req ]
      default_bits       = 4096
      default_md         = sha256
      req_extensions     = v3_req
      distinguished_name = dn
      prompt = no
      [ v3_req ]
      subjectAltName = @alt_names
      [ dn ]
      C = <Country Name>
      ST = <State Or Province Name>
      L = <Locality>
      O = <Organization>
      OU = <Organization Unit>
      CN = <Common Name>
      [ alt_names ]
      DNS = <HOSTNAME>
      IP = <IP ADDRESS>
      
    2. Generate the key and certificate pair on any Gaia OS:

      cpopenssl req -x509 -newkey rsa:4096 -nodes -config openssl.conf -keyout mykey.key -out mycert.crt -extensions v3_req

      This command creates two files in the current working directory:

      • mykey.key
      • mycert.crt
  2. Use the newly generated key and certificate to configure TLS on the Prometheus Server in the web-config.yaml configuration file (you may need to create this file).

    Example:

    tls_server_config:
     key_file: /home/prometheus/certs/prometheus.key
      cert_file: /home/prometheus/certs/prometheus.crt
    


(C) Grafana

Note: Skip these installation steps if you have already installed Grafana.

Install Grafana

To install a Grafana Server on the external server, refer to Grafana installation instructions.

Note: You can install Grafana on the same machine that contains your Prometheus instance

Check Point supports Grafana version V9 and up.

Grafana's default URL: http://localhost:3000

Configuring Grafana

To connect Data-source and Dashboards:

Show / Hide this section
  1. Log in to Grafana and add a new Prometheus Data Source with the Prometheus Server you created.

    Click on the side panel Configuration > Data sources > click on the Add data source button > select the Prometheus data source.

    Make sure to mark the Prometheus data source as Default.

  2. Import the Check Point dashboard to start monitoring your environment.

    Click on the side panel Create > Import > upload the applicable dashboard JSON file.

  3. You can modify the existing dashboards or create new dashboards according to your needs. Click here to see a full description of all the data exposed by Skyline.


(D) Configure the OpenTelemetry Collector on the Check Point Server

Important

  • In a cluster, it is recommended to do these steps on each cluster member.

  • In Management High Availability, it is recommended to do these steps on each server.

  • In a Maestro environment:
    • For the Maestro Hyperscale Orchestrator (MHO): you can run the script or the Gaia Rest API. The script runs on the MHO and only configures the MHO.
    • For a Security Group: Run the script only on the Single Management Object (SMO). The SMO applies it to all the related members of the Security Group.
    • If there are issues with the script, try to download it from here and replace it under the /opt/CPotelcol/REST.py file. 
    • The script uses gexec and g_cp2blades. Make sure they work correctly.

  • In the examples, the script runs from the "home" folder. Make sure to change the path accordingly. 

  • The REST API command is a Gaia REST API command. Refer to this guide for more information (section: OpenTelemetry). 

  • Do not cut and paste the commands below. Enter them manually. 

There are two methods to configure the OpenTelemetry Collector:

  • Run a script locally in one of these ways:

    • Run the script and provide the payload as an argument:

      /opt/CPotelcol/REST.py --set_open_telemetry “<PayloadTextHere>”

    • Save the payload in a file (for example, payload.json) and run the script:

      /opt/CPotelcol/REST.py --set_open_telemetry “$(cat payload.json)”

  • Run a rest API command (supported in API version 1.7 and higher)

POST {server}/v1.7/set-open-telemetry
Content-Type: application/json
X-chkp-sid: {{session}}
{
  <PayloadHere>
}  

Prepare the payload for the command:
Show / Hide this section

  1. In the "basic" entry, configure "username" and "password" to your monitoring server's username / password. 

  2. In the "ca-public-key" entry, configure TLS settings with the CA certificate of your monitoring server ( As PEM X509 ), or use the self-signed certificate you generated previously.
    Explanation: Replace <CERTIFICATE> with the CA certificate of the monitoring server ( PEX X509 ). 

  3. In the "url" entry, configure your monitoring server's IP address / URL.

    If you do not wish to use TLS encryption in labs or test environments, then make these changes in the payload:

    1. In the "url" entry, change the Prometheus URL prefix from "https://" to "http://"

    2. Remove the "client-auth" and "server-auth" entries (you will be warned when running the script ). 

Example payload (with TLS):

Show / Hide this section
 {
    "enabled": true,
    "export-targets": {"add": [
        {
            "client-auth": {
                "basic": {
                  "username": "<USERNAME>",
                  "password": "<PASSWORD>"
                }
            },
            "enabled": true,
            "server-auth": {
                "ca-public-key": {
                    "type": "PEM-X509",
                  "value": "<CERTIFICATE>"
                }
            },
            "type": "prometheus-remote-write",
          "url": "https://<EXTERNAL_PROMETHEUS_IP_ADDRESS>:9090/api/v1/write"
        }
    ]}
}  

Example payload (without TLS):

Show / Hide this section
 {
    "enabled": true,
    "export-targets": {"add": [
      {
          "enabled": true,
            "type": "prometheus-remote-write",
          "url": "http://<EXTERNAL_PROMETHEUS_IP_ADDRESS>:9090/api/v1/write"
        }
    ]}
}  

Known Limitations

  • Skyline deployment on a VSX Gateway / VSX Cluster with many Virtual Systems may increase the load on CPU cores. It is recommended to install it only on systems of up to 10 Virtual Systems.

  • Skyline deployment on Quantum Spark appliances with Gaia Embedded OS is not supported.

  • Skyline does not support Management Data Plane Separation (MDPS). Skyline runs on the data plane, not the management plane.

  • On a VSX Gateway / VSX Cluster, Skyline shows the information only for the context VS0 (the VSX Gateway / VSX Cluster Member itself).
    Fixed in: R80.40 Take 190 and R81.10 Take 81

Documentation

Troubleshooting

Refer to sk179870 - Skyline Troubleshooting and FAQ


Revision History

Show / Hide revision history
Date Description
24 October 2022 First draft of documentation for General Availability (GA) release
20 June 2022 Updated the section "Downloads" > Skyline Packages for Check Point Servers are now available for download again.
19 June 2022 Updated the section "Downloads" > Skyline Packages for Check Point Servers are temporarily unavailable for download.
12 June 2022 Updated the section "Downloads" > column "Prerequisite"
06 June 2022 Updated the list of supported Check Point servers to include Management Servers and Log Servers as well
29 May 2022 Updated the section "Configure the OpenTelemetry Collector on the Security Gateway / each Cluster Member" > The "prometheusremotewrite" section > instructions for disabling TLS encryption
15 May 2022

Resolved Issues:

  • When you run the command for the current request ("cpview -m"), you get the last request data. With this fix, the "cpview -m" command returns the latest data.
  • Metrics do not show data.

Added:

  • SD-WAN Metric content and CPView updates
  • Data revisions (on the OpenTelemetry Protocol side)
  • Partial diagnostics (on the CPView side)
  • New Grafana dashboards
  • Certificate extension for one year
19 April 2022 Updated the section "Configure the external server - Prometheus and Graphana" > "To secure Prometheus and Open Telemetry Collector connection using TLS Encryption"
05 April 2022 First release of this article

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment