Monitoring Checkpoint firewall with OpenTelemetry

Checkpoint SMB (Spark) offers built-in OpenTelemetry support, enabling users to export logs to OpenTelemetry-compatible servers for monitoring and visualization in tools like Grafana.
Source: https://www.dash0.com/guides/opentelemetry-collector
Importing the Dashboard
Rather than building a dashboard from scratch, you can import a pre-configured one that includes all the key Checkpoint metrics. The dashboard is available here and can be imported directly into Grafana in just a few clicks.

Receiver Configuration (Prometheus)
For infrastructure simplicity, we'll deploy the Prometheus server using Docker Compose. One critical configuration is required to enable Prometheus as a receiver:
--web.enable-remote-write-receiver: This flag enables Prometheus to receive telemetry data remotely.
Complete docker-compose.yml:
services:
  prometheus:
    image: prom/prometheus:v3.9.0
    container_name: prometheus
    volumes:
      - ./prometheus/:/etc/prometheus
      - ./prometheus-volume:/prometheus
    ports:
      - 9090:9090
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
      - '--web.console.templates=/usr/share/prometheus/consoles'
      - '--log.level=debug'
      - '--storage.tsdb.retention.time=1y'
      - '--web.enable-admin-api'
      - '--web.enable-remote-write-receiver'
    restart: unless-stopped
Verify Prometheus Installation
After launching the docker-compose file, verify that Prometheus is running using: docker compose ps
Checkpoint Configuration
Connect to the firewall, navigate to Logs and Monitoring → Diagnostics → OpenTelemetry, and configure the following:
- Enable OpenTelemetry: Check the box "Monitor this appliance using OpenTelemetry"
- Set the Endpoint URL: Enter http://<Prometheus_server_IP>:9090/api/v1/write
  - Example: http://10.10.10.100:9090/api/v1/write
- Client Authentication (optional):
  - If authentication is enabled, provide the Username and Password
  - If not required, leave these fields blank
- Server Authentication (optional):
  - Can be ignored when Prometheus is using HTTP (non-TLS)
The "Test Connection" feature can be used to validate the configuration.
Note: A known issue exists where HTTPS connections that use a domain name fail the connection test, even though telemetry data is being transmitted successfully.
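The compose file above publishes the remote-write receiver and the admin API over plain HTTP with no authentication. The following is an added example, not part of the original guide, of a hardened variant that gives the Client Authentication and Server Authentication fields something to authenticate against. The web-config.yml file name, the tls/ paths, the checkpoint-otel user name and the hash placeholder are assumptions.

```yaml
# File 1: docker-compose.yml (hardened variant of the service shown earlier)
services:
  prometheus:
    image: prom/prometheus:v3.9.0
    container_name: prometheus
    volumes:
      # Assumed layout: this directory also holds web-config.yml and tls/
      - ./prometheus/:/etc/prometheus
      - ./prometheus-volume:/prometheus
    ports:
      # Publish only on the address the firewall sends to, not on every interface
      - '10.10.10.100:9090:9090'
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
      - '--web.console.templates=/usr/share/prometheus/consoles'
      - '--storage.tsdb.retention.time=1y'
      - '--web.enable-remote-write-receiver'
      # Turns on TLS and basic auth for every HTTP endpoint, including /api/v1/write
      - '--web.config.file=/etc/prometheus/web-config.yml'
      # '--web.enable-admin-api' is left out: it exposes delete and snapshot
      # endpoints that receiving telemetry does not need.
      # '--log.level=debug' is left out: re-enable it only while troubleshooting.
    restart: unless-stopped

# File 2: ./prometheus/web-config.yml (assumed file name)
tls_server_config:
  cert_file: /etc/prometheus/tls/prometheus.crt   # assumed path
  key_file: /etc/prometheus/tls/prometheus.key    # assumed path
basic_auth_users:
  # Key is the user name, value is a bcrypt hash of the password
  # (for example generated with: htpasswd -nB checkpoint-otel)
  checkpoint-otel: '<BCRYPT_HASH_PLACEHOLDER>'
```

With this variant the Endpoint URL becomes https://10.10.10.100:9090/api/v1/write, the Username and Password fields carry the basic-auth credentials, and the Server Authentication setting can no longer be ignored.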

Viewing Data in Grafana
With Grafana set up and Prometheus added as a data source, visualizing your Checkpoint telemetry becomes straightforward.
To view the data:
- Navigate to Drilldown → Metrics in Grafana
- Apply a filter: service_name = CPviewExporter
- If everything is configured properly, metrics from your Checkpoint firewall should appear
This confirms that your OpenTelemetry integration is working as expected.

The Skyline Administration Guide provides detailed information on all available metrics for building Grafana dashboards.
Debug Mode
If data isn't being transmitted to your receiver, SSH into the gateway and troubleshoot using these commands:
# Enter expert mode
expert
# Navigate to the collector directory
cd /opt/CPotelcol/
# Monitor logs in real-time
tail -f otelcol.log
Additional troubleshooting steps:
Review configuration:
cat config.yaml
Stop the collector:
./stop
Start the collector:
./start




