topic Re: Getting a "Forbidden" error message (HTTP status code 403) in API / CLI Discussion

Getting a "Forbidden" error message (HTTP status code 403)

Uri_Bialik — Tue, 12 Jan 2016 12:48:27 GMT

In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:

Forbidden

You don't have permission to access /web_api/login on this server.

What does it mean?

It means that the API server is not configured to accept requests from the machine running your browser.

For security reasons, the default settings for the API server allows him to accept requests only from the management server itself and not from any other IP address.

If you want your management server to accept API requests from other machines, please follow this procedure:

* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.

* Click on the "Manage & Settings" button on the left.

* Select "Blades"

* Look for the "Management API" section and click on "Advanced Settings".

Now you can choose between three options:

1) Accept API calls from the management server only (the default setting)

2) All IP addresses that can be used for GUI clients.

This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.

3) All IP addresses

Once you make you selection:

* Click the publish button

* Use SSH to log into the management server in "expert mode" and type "api restart".

Re: Getting a "Forbidden" error message (HTTP status code 403)

James_Tidwell — Fri, 18 Aug 2017 15:59:23 GMT

Is there any means to change the Management API settings using an initialization script when the management instance is created? (like this: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services) What I want to do is automate the build of the checkpoint management instance so that once it is created, I can use the web api to configure it. If I have to manually go into the smart console to set the management api blade to allow the api calls from our automation server that would defeat the purpose of automating.

Re: Getting a "Forbidden" error message (HTTP status code 403)

PhoneBoy — Fri, 18 Aug 2017 16:53:47 GMT

There's a CLI for that

[Expert@eightyten:0]# mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" --domain 'System Data'

---------------------------------------------

Time: [10:06:06] 18/8/2017

---------------------------------------------

"Publish operation" succeeded (100%)

[Expert@eightyten:0]# api restart

2017-Aug-18 10:06:10 - Stopping API...

2017-Aug-18 10:06:13 - API stopped successfully.

2017-Aug-18 10:06:13 - Starting API...

. . . . . . . . . . . . . . . . . .

2017-Aug-18 10:07:32 - API started successfully.

[Expert@eightyten:0]#

It'd be cool if you could specify that as part of the First-Time Wizard, of course.

Reference: Check Point - Management API reference

Re: Getting a "Forbidden" error message (HTTP status code 403)

James_Tidwell — Fri, 18 Aug 2017 21:52:57 GMT

I get this error when I try to use that command: MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Re: Getting a "Forbidden" error message (HTTP status code 403)

PhoneBoy — Fri, 18 Aug 2017 21:55:17 GMT

I think I got a similar message when I didn't specify the --domain parameter.

The example is copy/paste from the docs.

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 18:45:14 GMT

I did make the change to allow API calls from all IP addresses and did API restart as well. Same error still exists.

I also did reset the password for the username, made sure that the user is added to admin role on the webUI of the smartcenter as well.

#mgmt_cli login with same username and passwords is working on the smartcenter though.

Still no luck!

Any suggestions?

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 18:59:01 GMT

There may be several reasons for this error code.

Please run "api status" command on your management server and paste the response here for analysis.

Robert.

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 19:02:53 GMT

expert# api status

API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 25846
CPM Started 22711 Check Point Security Management Server is running and ready
FWM Started 26196

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

Test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Accessibility from localhost?? It's set as All IP addresses in the Sconsole though.

Thanks.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 19:09:36 GMT

Hi,

Please look at the "Accessibility" property value - it indicates that you have not granted the access from all IPs.

Robert.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 19:12:00 GMT

take a look at my post -

https://community.checkpoint.com/docs/DOC-2731

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 19:29:12 GMT

Hello Robert

Thank you for the quick reply.

If you look at my last reply, I mentioned that I have set the API calls from "All IP Addresses" in the smart console and automatic start is also in place. Installed the Db, did api restart as well.

I am using super user permission profile to make sure I am not running into permission related issues, anyway I double checked the "super user" profile too and in the mgmt tab, mgmt API login is checked.

Also I did check the server.crt file in web/conf and its just ASCII, no CRLF line terminators.

FYI, this is the script that I am running on the 3rd party server to test:

curl -k -X POST -H "Content-Type: application/json" -d '{ "user":"xxxx", "password":"xxxx" }' https://x.x.x.x:443/web_api/login
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/login
on this server.</p>
</body></html>

Any other things that can cause this?

Thanks.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 19:41:27 GMT

please check again, this is from your "api status" command reply -

Robert.

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 19:48:33 GMT

Rob,

I understand what you are referring to. api status on the CLI says only from local host. BUT, I did configure it as "All IP addresses" from the smart console, installed DB, restarted the api.

So the question is why is it not reflecting in the CLI ??

Thanks for your patience on this.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 19:58:12 GMT

I really do not understand what is going here.

Are you running on MDM environment?

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 20:15:08 GMT

No, its a single smart center.

FYI,

expert#mgmt_cli login output:

uid: "4d67542e-21ab-4019-9b23-8e0df9894c2b"
sid: "6YRu8AnYpjjXMy-vmeWUfP43gykmTu3z0F87E45z_44"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1520359819406
iso-8601: "2018-03-06T06:10-1200"
api-server-version: "1"

Agreed that it is weird. May be someone can see something different here.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 20:27:28 GMT

mgmt_cli login is running locally on your management server, so it doesn't need any special access.

your problem is when using a WEB Services from a remote server, this is why it needs an access.

what do you mean by "installed db"? do you mean "publish"?

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 20:30:15 GMT

Got it. Installed db = Publish and Install Database.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 20:37:47 GMT

I've noticed that your API server version is "1".

Are you running R80 management (not R80.10)?

Re: Getting a "Forbidden" error message (HTTP status code 403)

venkata_marutur — Tue, 06 Mar 2018 20:40:11 GMT

Yes its R80 management server.

Re: Getting a "Forbidden" error message (HTTP status code 403)

Robert_Decker — Tue, 06 Mar 2018 20:43:40 GMT

ok, try "api reconf" instead of "api restart" that you have done previously, then again "api status".

any changes to "Accessibility" field value?