cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Enabling web api

Jump to solution

Probably a really basic question, but i can't seem to find anything.  I'm attempting a simple login to R80.10 via the api.  I'm using postman, when i send the POST i get a web page returned instead of json.  

<!DOCTYPE html>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
<meta name="others" content="WEBUI LOGIN PAGE" />
<TITLE>Gaia</TITLE>
<link rel="shortcut icon" href="https://community.checkpoint.com/login/fav.ico">
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script>
<script type="text/javascript" src="/login/ext-all.js"></script>
<script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This system is for authorized use only.";var hostname='';var version='R80.10';var formAction="/cgi-bin/home.tcl";</script>
<script type="text/javascript" src="/login/login.js"></script>
</HEAD>
<BODY>
<noscript>
<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div>
</noscript>
</BODY>
</HTML>

Any pointers

3 Solutions

Accepted Solutions
Viktor
Iron

Re: Enabling web api

Jump to solution
Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:
POST https://<mgmt-server>:<port>/web_api/login
 
0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference 

Employee+
Employee+

Re: Enabling web api

Jump to solution

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

0 Kudos
23 Replies
Viktor
Iron

Re: Enabling web api

Jump to solution
Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:
POST https://<mgmt-server>:<port>/web_api/login
 
0 Kudos

Re: Enabling web api

Jump to solution

You have to use path /web_api/ for your management API calls, else you are accessing Gaia WebUI.

See Check Point - Management API reference  for reference.

0 Kudos

Re: Enabling web api

Jump to solution

I am using the https://<server>/web_api/ point..

 what I think the issue is that I don't think I set up the management server.  When I did the install i checked both the management server and the gateway boxes.  But when I login, i don't see the same screen as the docs indicate.

So I guess I need help in getting the right software installed.

0 Kudos

Re: Enabling web api

Jump to solution

I created a new VM and selected only the management option.  Now when I do the login attempt as admin, i get 403 with "you don't have permission to access /web_api/login on this server". 

0 Kudos
Employee++
Employee++

Re: Enabling web api

Jump to solution

please run "api status" command on your management server and paste the response here.

robert.

0 Kudos

Re: Enabling web api

Jump to solution

Thanks robert.  

cpmgmt> api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 19458
CPM Started 19548 Check Point Security Management Server is running and ready
FWM Started 18989

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

0 Kudos
Employee++
Employee++

Re: Enabling web api

Jump to solution

This is exactly what I wanted to ensure - you have to allow an access from remote machines to your management API server.

Please read this excellent document - 

Orchestration and Automation_Ryan Darst_Marco Garcia.pdf 

and refer to slide #5.

Robert.

Re: Enabling web api

Jump to solution

What permissions do you need to be able to change this setting?  I'm a PowerAdmin and it is read-only for me.

Jordan

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

I believe only SuperAdmins can change the setting.

Employee+
Employee+

Re: Enabling web api

Jump to solution

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

0 Kudos

Re: Enabling web api

Jump to solution
See output: only access from 127.0.0.1 allowed


Change it in SmartConsole under “Manage & Settings” / “Blades” / “Management SPI”


0 Kudos

Re: Enabling web api

Jump to solution

Thanks... However I don't have  smartconsole in the UI.  I pasted in a screenshot of what my UI looks like, which is not the same as in the document that Robert referenced

0 Kudos

Re: Enabling web api

Jump to solution

is smartconsole a windows only application?

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference 

Re: Enabling web api

Jump to solution

ok.. once i realized that smart console was an external windows application i was able to get the config enabled properly.  have to find a windows vm to run this on, as i'm on a mac for all my work.   is there a command line way to enable this?

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

Yes, see my answer above.

0 Kudos

Re: Enabling web api

Jump to solution

Hi , 

I am using below command to allow API calls from all IP but no lcuk, any help.

gw-b739b6> mgmt set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you w ill need to run "mgmt login user [user name]"
gw-b739b6> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]#

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]# mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
Username: admin
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@gw-b739b6:0]# exit
exit
gw-b739b6> mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"     <<<<<<<<<<<<< why we need to use suppy username and pasowrd>>>>>>
gw-b739b6>

Tried in both modes but no luck, 

Amit Chaubey

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

You were most correct with this one: mgmt_cli set api-settings accepted-api-calls-from "All IP Addresses"

But it looks like you didn't type the admin password correct.

You can also try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"

(Assuming you are on Security Management)

0 Kudos

Re: Enabling web api

Jump to solution

Hi Dameon, 

I tried again with mgmt credentials but showing that this command is for MDS not in my case.OUt put is below, 

gw-b739b6> mgmt login user admin
Enter password:
gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"
MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

gw-b739b6>

Also, I am looking at some bash script or some other commands that can be incorporated with user data file so that in the case included once booting up mgmt server in AWS.

Thank you, 

Amit Chaubey

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

If you use mgmt_cli -r true you don't need to login.

Also, if you were going to login, you would need to pass the session ID returned with each command. 

Try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"

You realize we also have CloudFormation scripts for deploying gateways and management in AWS, right? 

AWS CloudFormation Templates 

0 Kudos

Re: Enabling web api

Jump to solution

Hi, 

I am not sure what's wrong with the mgmt server but it's not working for me. 

gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"
gw-b739b6>

Also, is this any script(bash) available which I can use in user data file. 

0 Kudos
Admin
Admin

Re: Enabling web api

Jump to solution

Is this a management server or a gateway?

You can only enable the API from a management server, not a gateway.

The fact you have a "default" name for your management server suggests you have not run the First Time Wizard yet, either.

0 Kudos
rishshah
Ivory

Re: Enabling web api

Jump to solution

After you have enabled the Management API using either the command or from the GUI. Verify the status of the API  from the management cli. Execute the below command  to verify if the status of the API. 

> api status

CheckpointR> api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Stopped
CPM Starting 8712 Check Point Security Management Server is during initialization
FWM Started 5666
APACHE Started 5055

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf

--------------------------------------------
Overall API Status: The API Server Is Not Running!
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

If it has not started, execute the below command.

> api start

Alternatively, restart the API

> api restart

0 Kudos