This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Evans
Collaborator
‎2025-02-06 05:47 AM

Skyline - Full reset of Config Script

I have been running skyline for nearly 2 years now and so have configured it several ways as the SK's and admin guides have changed over time.   I have been seeing several of the firewalls and MLM / MDS boxes disappear from skyline in the various ways that the checkmates threads have been bringing up over the last few months (as well as a few others).

This is my "clear everything from the config, regardless of how it was originally configured, and how many different ways it was configured over time without resetting the config in between.... " script.

This has taken care of 95% of my disappearing devices since the first of the year.

I'll let someone from Checkpoint chime in if its doing something bad, but it runs every clear / wipe / reset command that I have found from the various SK's and Checkmates threads all in one script.  It is likely overkill, but I was tired of figuring out which config command was run on which firewall at what time so this seems to cover all the bases for me.

Doing the reset and then using the newest "sklnctl export --set" command to configure as a fresh device, seems to help the stability greatly.

My only note is, on Maestro devices, wait 5 -10 mins before running your new setup script so that the configuration, or lack there of, gets copied to all the members.   On non maestro boxes you can pretty much attach your setup script right to the end.

Change the .json file name and path to match your config(s).


/opt/CPotelcol/CPotelcolCli.sh set_dynamic_config "$(cat /opt/CPotelcol/config.json)"
rm /home/admin/payload-no-tls.json
touch /home/admin/payload-no-tls.json
/opt/CPotelcol/REST.py --set_open_telemetry "$(cat /home/admin/payload-no-tls.json)"
{
echo '{'
echo '"enabled": true,'
echo '"export-targets": {'
echo '"rebase": ['
echo '{'
echo ' "enabled": true,'
echo ' "type": "prometheus-remote-write",'
echo ' "url": "http://1.1.1.1:9090/api/v1/write"'
echo '}'
echo ']'
echo '}'
echo '}'
} > /home/admin/payload-no-tls.json
sklnctl export --set "$(cat /home/admin/payload-no-tls.json)"
rm /home/admin/payload-no-tls.json
/opt/CPviewExporter/CPviewExporterCli.sh stop
/opt/CPotelcol/CPotelcolCli.sh stop
cpview -a off

 




7 Replies
Elad_Chomsky
Employee
Employee
‎2025-02-08 06:10 AM

Hi @David_Evans ,

We have added the 'rebase' operation as a hidden flag - to do a total reset of the configuration. This should be used in emergency cases.

In general we are aware of a known issue with MLM/MDS and CPView - and are working to push a fix to the jumbo during Q1/Q2 of 2025. 

/opt/CPotelcol/CPotelcolCli.sh set_dynamic_config "$(cat /opt/CPotelcol/config.json)" - This can be skipped. ( done in 'rebase' already ). 

In Maestro, the configuration can be a bit more complex due to the sync mechanism, my recommendation is to run the rebase operation using g_all.  No need for the stop commands at the end, for the Skyline components. By default it will be run as part of the sklnctl operation. CPView stop/start is only needed in cases of problems in CPView - Summing it up:

1) Identify the current problem - Run 'cpview -m' and check it the command "/opt/CPotelcol/GetOTDynamicConfig.sh | jq . " is failing. 

2) In case of CPView problems, run 'kill -9 $(pidof cpviewd); sleep 120; cpview -a off; cpview -a on'

2) In case of Skyline problems, Run - 
/opt/CPotelcol/REST.py --set_open_telemetry "$(cat /home/admin/payload-no-tls.json)"
{
echo '{'
echo '"enabled": true,'
echo '"export-targets": {'
echo '"rebase": ['
echo '{'
echo ' "enabled": true,'
echo ' "type": "prometheus-remote-write",'
echo ' "url": "http://1.1.1.1:9090/api/v1/write"'
echo '}'
echo ']'
echo '}'
echo '}'
} > /home/admin/payload-no-tls.json
sklnctl export --set "$(cat /home/admin/payload-no-tls.json)"

To force configuration reset. 

 

Vincent_Bacher
Advisor
Advisor
‎2025-02-12 05:42 AM
In response to Elad_Chomsky

Kindly share more details about this, thanks 

In general we are aware of a known issue with MLM/MDS and CPView - and are working to push a fix to the jumbo during Q1/Q2 of 2025. 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
David_Evans
Collaborator
‎2025-02-13 09:49 AM
In response to Vincent_Bacher

If this is the ticket I had open, on a real world busy, MLM or MDS, the Skyline services started to early.   They needed to wait 5 to 10 mins for MDS and services to actually come up and be really servicing "clients"... not just mdsstat say they were working....   There were way more details, but basically my hack fix of restarting skyline 10 mins after a reboot or mdsstart;mdsstop is what they were working on writing 'better'.

 

0 Kudos
David_Evans
Collaborator
‎2025-06-11 11:41 AM

I had the above reset scripts fail.    No matter what I tried, including running rebase, I kept getting this message when running the setup scripts.


"Error: to re-add an exporter - please run 'rebase' first"


I solved it by running: 

sklnctl export --off

then running the first time config script.

Not sure what was going on with these 2 firewalls but they were Maestro SG's running R81.20.

0 Kudos
Alexander_Wilke
Advisor
‎2025-06-12 03:47 AM
In response to David_Evans

In you skyline payload json there is an "add" at the top of the json. you need to replace it with "rebase" and then it works.

 

unfortunately now documentation anywere,

 

{
    "enabled": true,
    "export-targets": {"rebase": [
        {

 

another possibility for me was:

 

/opt/CPotelcol/CPotelcolCli.sh set_dynamic_config "$(cat /opt/CPotelcol/config.json)"

and then import the config again using "add" instead "rebase"

0 Kudos
David_Evans
Collaborator
‎2025-06-13 07:57 AM
In response to Alexander_Wilke

I didn't realize that rebase actually did an "add" as well.      I'd somehow thought that once it hit the rebase command that it just wiped the config.   So I was doing an rebase and then doing an add.    It does seem that a rebase doesn't always restart services? vs an add.   On some of my configs testing the last few days, rebase does update the configuration, but doesn't restart the services to actually pickup the new config.     Running an add generally does restart services?

To bad rebase isn't documented somewhere......

Elad_Chomsky
Employee
Employee
‎2025-06-13 09:09 AM
In response to David_Evans

Hi @David_Evans ,

We are working to close the documentation gaps, 'rebase' should restart the services, if you see other behavior please open a ticket to CP, and we will try to assist you. 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events