Steven_Bade
Participant

Enabling web api

Probably a really basic question, but I can't seem to find anything. I'm attempting a simple login to R80.10 via the API. I'm using Postman; when I send the POST I get a web page returned instead of JSON.

<!DOCTYPE html>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
<meta name="others" content="WEBUI LOGIN PAGE" />
<TITLE>Gaia</TITLE>
<link rel="shortcut icon" href="https://community.checkpoint.com/login/fav.ico">
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script>
<script type="text/javascript" src="/login/ext-all.js"></script>
<script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This system is for authorized use only.";var hostname='';var version='R80.10';var formAction="/cgi-bin/home.tcl";</script>
<script type="text/javascript" src="/login/login.js"></script>
</HEAD>
<BODY>
<noscript>
<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div>
</noscript>
</BODY>
</HTML>

Any pointers?

32 Replies
Viktor
Participant
Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:
POST https://<mgmt-server>:<port>/web_api/login
 
Norbert_Bohusch
Advisor

You have to use path /web_api/ for your management API calls, else you are accessing Gaia WebUI.

See Check Point - Management API reference  for reference.
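
A client-side check for the outcomes reported in this thread (the Gaia login page, a 403, a JSON error, a session ID), as an added example that is not part of the original posts or Check Point's code. The function names are hypothetical; the `user`/`password` login body and the `sid` field follow the Management API, and the sample error body is constructed from the fields quoted in the thread.

```python
import json
import urllib.error
import urllib.request

# Marker copied from the Gaia WebUI login page pasted in this thread.
GAIA_MARKER = 'content="WEBUI LOGIN PAGE"'
# Constructed sample: the login error quoted later in this thread, as JSON.
SAMPLE_ERROR = '{"code": "err_login_failed", "message": "Authentication to server failed."}'

def interpret_login_response(url, status, content_type, body):
    """Map a reply to POST .../web_api/login onto (outcome, detail)."""
    if GAIA_MARKER in body:
        if "/web_api/" not in url:
            return "gaia-webui", "request path lacks the /web_api/ prefix"
        return "gaia-webui", "host answered as Gaia WebUI; confirm it is a management server"
    if status == 403:
        return "forbidden", "client IP is not accepted; check Accessibility in `api status`"
    if "json" not in content_type.lower():
        return "unexpected", f"HTTP {status} with non-JSON body"
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unexpected", f"HTTP {status} with a body that is not a JSON object"
    if status == 200 and "sid" in data:
        return "ok", data["sid"]  # session ID, sent as X-chkp-sid on later calls
    return "api-error", f'{data.get("code")}: {data.get("message")}'

def login(server, user, password, port=443):
    """POST credentials to the login endpoint; the TLS certificate is verified."""
    url = f"https://{server}:{port}/web_api/login"
    req = urllib.request.Request(
        url, data=json.dumps({"user": user, "password": password}).encode(),
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            status, hdrs, raw = r.status, r.headers, r.read()
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a body worth reading
        status, hdrs, raw = e.code, e.headers, e.read()
    return interpret_login_response(
        url, status, hdrs.get("Content-Type", ""), raw.decode("utf-8", "replace"))
```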

Steven_Bade
Participant

I am using the https://<server>/web_api/ point..

What I think the issue is that I don't think I set up the management server. When I did the install I checked both the management server and the gateway boxes. But when I log in, I don't see the same screen as the docs indicate.

So I guess I need help in getting the right software installed.

Steven_Bade
Participant

I created a new VM and selected only the management option. Now when I do the login attempt as admin, I get 403 with "you don't have permission to access /web_api/login on this server".

Robert_Decker
Advisor

Please run "api status" command on your management server and paste the response here.

robert.

Steven_Bade
Participant

Thanks robert.  

cpmgmt> api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 19458
CPM Started 19548 Check Point Security Management Server is running and ready
FWM Started 18989

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Robert_Decker
Advisor

This is exactly what I wanted to ensure - you have to allow an access from remote machines to your management API server.

Please read this excellent document - 

Orchestration and Automation_Ryan Darst_Marco Garcia.pdf 

and refer to slide #5.

Robert.
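
Reading `api status` output for the Accessibility setting discussed above, as an added example rather than code from the thread or from Check Point. It assumes the Accessibility value is an Apache-style `Require` directive; the function names are hypothetical and the sample text is trimmed from the output quoted earlier.

```python
import re

# Constructed sample: trimmed from the first `api status` output in this thread.
SAMPLE = """\
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Name State PID More Information
-------------------------------------------------
API Started 19458
CPM Started 19548 Check Point Security Management Server is running and ready
FWM Started 18989

Overall API Status: Started
"""

def parse_api_status(text):
    """Pull out the fields that decide whether a remote client can reach the API."""
    def field(name):
        m = re.search(rf"^{re.escape(name)}:[ \t]*(.*?)[ \t]*$", text, re.MULTILINE)
        return m.group(1) if m else None
    # Process rows look like "<NAME> <State> <PID> ..."; requiring a numeric PID
    # keeps headings such as "API Settings:" out of the result.
    rows = re.findall(r"^(API|CPM|FWM|APACHE)[ \t]+(\S+)[ \t]+\d+", text, re.MULTILINE)
    return {"accessibility": field("Accessibility"),
            "overall": field("Overall API Status"),
            "processes": dict(rows)}

def assess(status):
    """Classify exposure as (level, explanation).

    Assumption: the Accessibility value is an Apache-style `Require` directive,
    which is what both outputs quoted in the thread look like."""
    if status["overall"] != "Started":
        return "down", "API server is not started"
    acc = (status["accessibility"] or "").lower()
    if acc == "require all granted":
        return "open", "any source IP can reach /web_api/; limit it with network controls"
    m = re.match(r"require ip[ \t]+(.+)", acc)
    if m:
        sources = m.group(1).split()
        if all(s in ("127.0.0.1", "::1") for s in sources):
            return "local-only", "remote calls to /web_api/ are refused"
        return "restricted", "allowed sources: " + ", ".join(sources)
    return "unknown", "unrecognised Accessibility value: " + repr(acc)
```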

Jordan_Martin1
Participant

What permissions do you need to be able to change this setting?  I'm a PowerAdmin and it is read-only for me.

Jordan

PhoneBoy
Admin

I believe only SuperAdmins can change the setting.

Adiel_Ashrov
Employee Alumnus

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

ggmeza
Participant

Hi, I have a question. When you set "all ip addresses that can be used for GUI clients", where are those IP addresses configured as a filter? Where can I see that?

Thanks.

Norbert_Bohusch
Advisor
See output: only access from 127.0.0.1 allowed.

Change it in SmartConsole under “Manage & Settings” / “Blades” / “Management API”.
Steven_Bade
Participant

Thanks... However, I don't have SmartConsole in the UI. I pasted in a screenshot of what my UI looks like, which is not the same as in the document that Robert referenced.
Steven_Bade
Participant

Is SmartConsole a Windows-only application?

PhoneBoy
Admin

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference 

Steven_Bade
Participant

OK.. once I realized that SmartConsole was an external Windows application I was able to get the config enabled properly. Have to find a Windows VM to run this on, as I'm on a Mac for all my work. Is there a command line way to enable this?

PhoneBoy
Admin

Yes, see my answer above.

Amit_Chaubey
Contributor

Hi,

I am using the below command to allow API calls from all IPs but no luck, any help?

gw-b739b6> mgmt set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you w ill need to run "mgmt login user [user name]"
gw-b739b6> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]#

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]# mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
Username: admin
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@gw-b739b6:0]# exit
exit
gw-b739b6> mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"     <<<<<<<<<<<<< why we need to use supply username and password>>>>>>
gw-b739b6>

Tried in both modes but no luck, 

Amit Chaubey

PhoneBoy
Admin

You were most correct with this one: mgmt_cli set api-settings accepted-api-calls-from "All IP Addresses"

But it looks like you didn't type the admin password correctly.

You can also try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"

(Assuming you are on Security Management)

Amit_Chaubey
Contributor

Hi Dameon, 

I tried again with mgmt credentials but it is showing that this command is for MDS, not my case. Output is below:

gw-b739b6> mgmt login user admin
Enter password:
gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"
MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

gw-b739b6>

Also, I am looking for some bash script or some other commands that can be incorporated in a user data file so that they are included when booting up the mgmt server in AWS.

Thank you, 

Amit Chaubey

PhoneBoy
Admin

If you use mgmt_cli -r true you don't need to login.

Also, if you were going to login, you would need to pass the session ID returned with each command. 

Try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"

You realize we also have CloudFormation scripts for deploying gateways and management in AWS, right? 

AWS CloudFormation Templates 

Amit_Chaubey
Contributor

Hi, 

I am not sure what's wrong with the mgmt server but it's not working for me. 

gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"
gw-b739b6>

Also, is there any script (bash) available which I can use in a user data file?

PhoneBoy
Admin

Is this a management server or a gateway?

You can only enable the API from a management server, not a gateway.

The fact you have a "default" name for your management server suggests you have not run the First Time Wizard yet, either.

HaTM
Explorer

Hi PhoneBoy, 

My CPM lab is running version R81.20. After adding an eval license and trying to send an API call with Postman from my PC, I got this result.

<!DOCTYPE html>
<HTML>

<HEAD>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
    <meta name="others" content="WEBUI LOGIN PAGE" />
    <TITLE>GAiA</TITLE>
    <link rel="shortcut icon" href="/login/fav.ico">
    <link rel="stylesheet" type="text/css" href="/login/ext-all.css" />
    <link rel="stylesheet" type="text/css" href="/login/login.css" />
    <STYLE TYPE="text/css">
        .ext-ie .webui-login-fld {
            font-size: 11px;
        }
    </STYLE>
    <script type="text/javascript" src="/login/ext-base.js"></script>
    <script type="text/javascript" src="/login/ext-all.js"></script>
    <script type="text/javascript">
        var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='';var version='R81.20';var formAction="/cgi-bin/home.tcl";
    </script>
    <script type="text/javascript" src="/login/login.js"></script>
</HEAD>

<BODY><noscript>
        <div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to
            enable JavaScript.</div>
    </noscript></BODY>

</HTML>

I tried to restart the API and reboot CPM but it still does not work.

PhoneBoy
Admin

What does the command "api status" say?

HaTM
Explorer

This is the API status of my lab now:

[Expert@gw-622262:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 8846
CPM Started 8846 Check Point Security Management Server is running and ready
FWM Started 8255
APACHE Started 8733

Port Details:
-------------------
JETTY Internal Port: 53595
JETTY Documentation Internal Port: 62008
APACHE Gaia Port: 443

Profile:
-------------------
Machine profile: Small Medium env resources profile
CPM heap size: 1280m

 

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Bob_Zimmerman
Authority

What is the full path you are trying to call? Seems likely you are missing the /web_api root prefix in the path.

HaTM
Explorer

I'm trying to test the Identity Awareness function with the path "/_IA_API/v1.0/add-identity". After the old license expired and I attached a new eval license, I have this issue.

PhoneBoy
Admin

Please provide output of cplic print and confirm if this is a centrally managed license or locally managed.
Also please provide version/JHF level of gateway.
