Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Enabling web api

Jump to solution

Probably a really basic question, but i can't seem to find anything.  I'm attempting a simple login to R80.10 via the api.  I'm using postman, when i send the POST i get a web page returned instead of json.  

<!DOCTYPE html>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
<meta name="others" content="WEBUI LOGIN PAGE" />
<TITLE>Gaia</TITLE>
<link rel="shortcut icon" href="https://community.checkpoint.com/login/fav.ico">
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script>
<script type="text/javascript" src="/login/ext-all.js"></script>
<script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This system is for authorized use only.";var hostname='';var version='R80.10';var formAction="/cgi-bin/home.tcl";</script>
<script type="text/javascript" src="/login/login.js"></script>
</HEAD>
<BODY>
<noscript>
<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div>
</noscript>
</BODY>
</HTML>

Any pointers

3 Solutions

Accepted Solutions
Highlighted
Iron
Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:
POST https://<mgmt-server>:<port>/web_api/login
 

View solution in original post

Highlighted
Admin
Admin

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference 

View solution in original post

Highlighted
Employee+
Employee+

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

View solution in original post

25 Replies
Highlighted
Iron
Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:
POST https://<mgmt-server>:<port>/web_api/login
 

View solution in original post

Highlighted

You have to use path /web_api/ for your management API calls, else you are accessing Gaia WebUI.

See Check Point - Management API reference  for reference.

Highlighted

I am using the https://<server>/web_api/ point..

 what I think the issue is that I don't think I set up the management server.  When I did the install i checked both the management server and the gateway boxes.  But when I login, i don't see the same screen as the docs indicate.

So I guess I need help in getting the right software installed.

Highlighted

I created a new VM and selected only the management option.  Now when I do the login attempt as admin, i get 403 with "you don't have permission to access /web_api/login on this server". 

Highlighted
Employee++
Employee++

please run "api status" command on your management server and paste the response here.

robert.

Highlighted

Thanks robert.  

cpmgmt> api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 19458
CPM Started 19548 Check Point Security Management Server is running and ready
FWM Started 18989

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

0 Kudos
Highlighted
Employee++
Employee++

This is exactly what I wanted to ensure - you have to allow an access from remote machines to your management API server.

Please read this excellent document - 

Orchestration and Automation_Ryan Darst_Marco Garcia.pdf 

and refer to slide #5.

Robert.

Highlighted

What permissions do you need to be able to change this setting?  I'm a PowerAdmin and it is read-only for me.

Jordan

0 Kudos
Highlighted
Admin
Admin

I believe only SuperAdmins can change the setting.

Highlighted
Employee+
Employee+

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

View solution in original post

Highlighted
See output: only access from 127.0.0.1 allowed


Change it in SmartConsole under “Manage & Settings” / “Blades” / “Management SPI”


0 Kudos
Highlighted

Thanks... However I don't have  smartconsole in the UI.  I pasted in a screenshot of what my UI looks like, which is not the same as in the document that Robert referenced

0 Kudos
Highlighted

is smartconsole a windows only application?

0 Kudos
Highlighted
Admin
Admin

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference 

View solution in original post

ok.. once i realized that smart console was an external windows application i was able to get the config enabled properly.  have to find a windows vm to run this on, as i'm on a mac for all my work.   is there a command line way to enable this?

0 Kudos
Highlighted
Admin
Admin

Yes, see my answer above.

0 Kudos
Highlighted

Hi , 

I am using below command to allow API calls from all IP but no lcuk, any help.

gw-b739b6> mgmt set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you w ill need to run "mgmt login user [user name]"
gw-b739b6> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]#

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]# mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
Username: admin
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@gw-b739b6:0]# exit
exit
gw-b739b6> mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"     <<<<<<<<<<<<< why we need to use suppy username and pasowrd>>>>>>
gw-b739b6>

Tried in both modes but no luck, 

Amit Chaubey

0 Kudos
Highlighted
Admin
Admin

You were most correct with this one: mgmt_cli set api-settings accepted-api-calls-from "All IP Addresses"

But it looks like you didn't type the admin password correct.

You can also try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"

(Assuming you are on Security Management)

0 Kudos
Highlighted

Hi Dameon, 

I tried again with mgmt credentials but showing that this command is for MDS not in my case.OUt put is below, 

gw-b739b6> mgmt login user admin
Enter password:
gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"
MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

gw-b739b6>

Also, I am looking at some bash script or some other commands that can be incorporated with user data file so that in the case included once booting up mgmt server in AWS.

Thank you, 

Amit Chaubey

0 Kudos
Highlighted
Admin
Admin

If you use mgmt_cli -r true you don't need to login.

Also, if you were going to login, you would need to pass the session ID returned with each command. 

Try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"

You realize we also have CloudFormation scripts for deploying gateways and management in AWS, right? 

AWS CloudFormation Templates 

0 Kudos
Highlighted

Hi, 

I am not sure what's wrong with the mgmt server but it's not working for me. 

gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"
gw-b739b6>

Also, is this any script(bash) available which I can use in user data file. 

0 Kudos
Highlighted
Admin
Admin

Is this a management server or a gateway?

You can only enable the API from a management server, not a gateway.

The fact you have a "default" name for your management server suggests you have not run the First Time Wizard yet, either.

0 Kudos
Highlighted
Ivory

After you have enabled the Management API using either the command or from the GUI. Verify the status of the API  from the management cli. Execute the below command  to verify if the status of the API. 

> api status

CheckpointR> api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Stopped
CPM Starting 8712 Check Point Security Management Server is during initialization
FWM Started 5666
APACHE Started 5055

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf

--------------------------------------------
Overall API Status: The API Server Is Not Running!
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

If it has not started, execute the below command.

> api start

Alternatively, restart the API

> api restart

0 Kudos
Highlighted
Silver
I restarted the api but still the overall api status is as below.

Overall API Status: Waiting for CPM to start

Please let me know what can be done on this?

> api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 943
CPM Starting 6450 Check Point Security Management Server is during initialization
FWM Started 11530
APACHE Started 4988

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: Waiting for CPM to start
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
0 Kudos
Highlighted
Admin
Admin

Try again. It takes some moments for CPM to start. You can also check CPM status any time from CLI, just run $FWDIR/scripts/cpm_status.sh from expert shell.