Skyline Configuration on Check Point Servers that run Gaia OS - Other Monitoring Tools
|
|
Best Practice - Use the Prometheus Server with the Grafana Server. See Skyline Configuration on Check Point Servers that run Gaia OS - Prometheus with Grafana. |
Skyline supports other third-party monitoring tools (to configure these tools, refer to the third-party official documentation):
This section applies to these Check Point Servers:
-
Security Groups
A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. on Scalable Platforms (Maestro and Scalable Chassis The container that contains the all the components of a 60000 / 40000 Appliance. Synonym: Chassis.) -
Security Management Servers
-
Multi-Domain Security Management Servers
-
Multi-Domain Log Servers
-
Log Servers
-
SmartEvent Servers
-
Endpoint Security Management Servers
-
Endpoint Policy Servers
Step 1 - Install the Third-Party Monitoring Tool
Refer to the third-party official documentation.
Step 2 - Install the OpenTelemetry Agent and OpenTelemetry Collector on the Check Point Server
Procedure
On online Check Point Servers:
The OpenTelemetry Agent (OtlpAgent) and the OpenTelemetry Collector (CPotelcol) packages are installed automatically on all applicable Check Point Servers, if you allowed the Automatic Update downloads as described in sk94508.
On offline Check Point Servers:
The minimum required OpenTelemetry Agent and OpenTelemetry Collector packages are also installed as part of the Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. installation.
See sk178566 > section "Requirements".
Related offline update packages:
Step 3 - Configure the OpenTelemetry Collector on the Check Point Server to work with the Third-Party Monitoring Tool
Important Notes
|
|
Important:
|
Procedure
-
Prepare the required payload for the command:
Notes:
-
Replace the placeholder strings "
< >" below with your actual strings. -
The "
name" attribute is optional, but recommended.The "
name" attribute must not contain the slash (/) character. -
To configure a TLS connection between the OpenTelemetry Collector and monitoring server:
In the "
ca-public-key" section, configure the TLS settings with the CA certificate of your monitoring server (as PEM X509), or use a self-signed certificate you generate for yourself.In the example payloads below, replace "
<CERTIFICATE>" with the CA certificate of the monitoring server (PEX X509) - paste the entire string:-----BEGIN CERTIFICATE-----<BASE64_TEXT>-----END CERTIFICATE----- -
In the "
url" attribute, configure your monitoring server's IP address / URL.If you do not wish to use TLS encryption in labs or test environments, then make these changes in the payload:
-
In the "
url" attribute, change the URL protocol from "https://" to "http://". -
Remove the "
client-auth" and "server-auth" attributes.Note - When you apply the payload, this warning appears: "
it is recommended to have both client and server authentication").
-
Example JSON payloads for Splunk:
Note - For information about a HEC Token for Splunk, click here.
JSON payload for Splunk - connection with TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "token", "value": "<YOUR_HEC_TOKEN>" } } }, "server-auth": { "ca-public-key": { "type": "PEM-X509", "value": "<CERTIFICATE>" } }, "enabled": true, "type": "splunk_hec", "name": "splunkidisplunk", "url": "https://<FQDN_or_IP_of_SPLUNK_SERVER>:8088/services/collector" } ] } }JSON payload for Splunk - connection without TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "token", "value": "<YOUR_HEC_TOKEN>" } } }, "enabled": true, "type": "splunk_hec", "name": "splunkidisplunk", "url": "https://<FQDN_or_IP_of_SPLUNK_SERVER>:8088/services/collector" } ] } }Example JSON payloads for SolarWinds:
Note - For information about an API Token for SolarWinds, click here.
JSON payload for SolarWinds - connection with TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "Authorization", "value": "Bearer <YOUR_API_TOKEN>" } } }, "server-auth": { "ca-public-key": { "type": "PEM-X509", "value": "<CERTIFICATE>" } }, "enabled": true, "type": "otlp", "name": "solar-cert", "url": "otel.collector.<YOUR_REGION>.cloud.solarwinds.com:443" } ] } }JSON payload for SolarWinds - connection without TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "Authorization", "value": "Bearer <YOUR_API_TOKEN>" } } }, "enabled": true, "type": "otlp", "name": "solarwindsendpoint", "url": "otel.collector.<YOUR_REGION>.cloud.solarwinds.com:443" } ] } }Example JSON payloads for Dynatrace:
Note - For information about a Access Token for Dynatrace, click here.
JSON payload for Dynatrace - connection with TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "Authorization", "value": "Api-Token <YOUR_ACCESS_TOKEN>" } } }, "server-auth": { "ca-public-key": { "type": "PEM-X509", "value": "<CERTIFICATE>" } }, "enabled": true, "type": "otlphttp", "name": "dynatrace-eu01", "url": "https://<FQDN_or_IP_of_DYNATRACE_SERVER>.live.dynatrace.com/api/v2/otlp" } ] } }JSON payload for Dynatrace - connection without TLS
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "token": { "custom-header": { "key": "Authorization", "value": "Api-Token <YOUR_ACCESS_TOKEN>" } } }, "enabled": true, "type": "otlphttp", "name": "dynatrace-eu01", "url": "https://<FQDN_or_IP_of_DYNATRACE_SERVER>.live.dynatrace.com/api/v2/otlp" } ] } }Example JSON payloads for VictoriaMetrics:
JSON payload for VictoriaMetrics - connection with TLS
Note - In the "
basic" section, configure the "username" and "password" attributes to your monitoring server's username / password.The "
password" attribute supports only these characters:- letters (
a-Z,A-Z) - digits (
0-9) _(underscore),(comma).(period)\(backslash)/(slash)-(hyphen)
{ "enabled": true, "export-targets": { "add": [ { "client-auth": { "basic": { "username": "<USERNAME_on_VICTORIAMETRICS_SERVER>", "password": "<PASSWORD_on_VICTORIAMETRICS_SERVER>" } }, "enabled": true, "server-auth": { "ca-public-key": { "type": "PEM-X509", "value": "<CERTIFICATE>" } }, "type": "prometheus-remote-write", "url": "https://<EXTERNAL_IP_ADDRESS_of_VICTORIAMETRICS_SERVER>:9090/api/v1/write" } ] } }JSON payload for VictoriaMetrics - connection without TLS
{ "enabled": true, "export-targets": { "add": [ { "enabled": true, "type": "prometheusremotewrite", "url": "https://<EXTERNAL_IP_ADDRESS_of_VICTORIAMETRICS_SERVER>:8088/services/collector" } ] } } -
-
Run the configuration command to apply the payload - either the CLI command, or the Gaia REST API command:
-
Method 1 - Run the CLI command "
sklnctl":-
Save the JSON payload in a file (for example,
/home/admin/payload.json). -
Run this command:
sklnctl export --set "$(cat /home/admin/payload.json)"
-
-
Method 2 - Run the Gaia REST API command "
set-open-telemetry" (requires Gaia API v1.7 and higher):POST{server}/v1.7/set-open-telemetry Content-Type: application/json X-chkp-sid: {{session}} { <JSON Payload> }
Note - To disable Skyline completely:
-
Change the value of the "
enabled" attribute in the JSON payload file:from
"enabled": trueto
"enabled": false -
Run the API command again
-
-
Step 4 - Configure the filter for the OpenTelemetry Collector exported metrics
Procedure
The sklnctl tool configures the OpenTelemetry Collector.
The OpenTelemetry Collector filter works on the allow-list basis.
These are the available commands (in the Expert mode):
-
To show the currently exported metrics:
sklnctl otelcol metrics --show -
To check if default metrics are exported:
sklnctl otelcol metrics --is-default -
To add metrics to the allow-list:
sklnctl otelcol metrics --add <metric-id1> <metric-id2> <metric-id3> ... -
To remove metrics from the allow-list:
sklnctl otelcol metrics --remove <metric-id1> <metric-id2> <metric-id3> ... -
To reset the allow-list to the default:
sklnctl otelcol metrics --reset
Example workflow (in the Expert mode):
-
Show the currently exported metrics:
sklnctl otelcol metrics --show > /var/log/metrics.txt -
Edit the file to keep only the desired metrics:
vi /var/log/metrics.txt -
Add the desired metrics to the allow-list:
sklnctl otelcol metrics --add $(cat /var/log/metrics.txt | tr '\n' ' ')
Step 5 - Configure Access Control Policy
If you configured Skyline on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., ClusterXL, or Scalable Platform Security Group, then you must make sure your Access Control Policy allows the connection to the Third-Party Monitoring Tool to send the exported metrics.
You must configure the required rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. (in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. or with Management API) and install the policy.
See the: