
Getting a "Forbidden" error message (HTTP status code 403)

In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:

Forbidden

You don't have permission to access /web_api/login on this server.

What does it mean?

It means that the API server is not configured to accept requests from the machine running your browser.

For security reasons, the default settings for the API server allow it to accept requests only from the management server itself and not from any other IP address.

If you want your management server to accept API requests from other machines, please follow this procedure:

* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.

* Click on the "Manage & Settings" button on the left.

* Select "Blades"

* Look for the "Management API" section and click on "Advanced Settings".

Now you can choose between three options:

1) Accept API calls from the management server only (the default setting)

2) All IP addresses that can be used for GUI clients.

    This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.

3) All IP addresses

Once you make your selection:

* Click the publish button

* Use SSH to log into the management server in "expert mode" and type "api restart".

23 Replies

Re: Getting a "Forbidden" error message (HTTP status code 403)

Is there any means to change the Management API settings using an initialization script when the management instance is created? (like this: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...) What I want to do is automate the build of the checkpoint management instance so that once it is created, I can use the web api to configure it. If I have to manually go into the smart console to set the management api blade to allow the api calls from our automation server that would defeat the purpose of automating.

0 Kudos
Admin

Re: Getting a "Forbidden" error message (HTTP status code 403)

There's a CLI for that :)

[Expert@eightyten:0]# mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" --domain 'System Data'
---------------------------------------------
Time: [10:06:06] 18/8/2017
---------------------------------------------
"Publish operation"  succeeded  (100%)
[Expert@eightyten:0]# api restart
2017-Aug-18 10:06:10 - Stopping API...
2017-Aug-18 10:06:13 - API stopped successfully.
2017-Aug-18 10:06:13 - Starting API...
. . . . . . . . . . . . . . . . . .
2017-Aug-18 10:07:32 - API started successfully.
[Expert@eightyten:0]#

It'd be cool if you could specify that as part of the First-Time Wizard, of course.

Reference: Check Point - Management API reference 

Re: Getting a "Forbidden" error message (HTTP status code 403)

I get this error when I try to use that command: MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

0 Kudos
Admin

Re: Getting a "Forbidden" error message (HTTP status code 403)

I think I got a similar message when I didn't specify the --domain parameter.

The example is copy/paste from the docs.

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

I did make the change to allow API calls from all IP addresses and did API restart as well. Same error still exists.

I also did reset the password for the username, made sure that the user is added to admin role on the webUI of the smartcenter as well.

#mgmt_cli login with same username and passwords is working on the smartcenter though. 

Still no luck!

Any suggestions?

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

There may be several reasons for this error code.

Please run "api status" command on your management server and paste the response here for analysis.

Robert.

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

expert# api status

API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   25846
CPM       Started   22711     Check Point Security Management Server is running and ready
FWM       Started   26196

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

Test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Accessibility from localhost?? It's set as All IP addresses in the Sconsole though.

Thanks.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

Hi,

Please look at the "Accessibility" property value - it indicates that you have not granted the access from all IPs.

Robert.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

Hello Robert

Thank you for the quick reply.

If you look at my last reply, I mentioned that I have set the API calls from "All IP Addresses" in the smart console and automatic start is also in place. Installed the Db, did api restart as well.

I am using super user permission profile to make sure I am not running into permission related issues, anyway I double checked the "super user" profile too and in the mgmt tab, mgmt API login is checked.

Also I did check the server.crt file in web/conf and it's just ASCII, no CRLF line terminators.

FYI, this is the script that I am running on the 3rd party server to test:

curl -k -X POST -H "Content-Type: application/json" -d '{ "user":"xxxx", "password":"xxxx" }' https://x.x.x.x:443/web_api/login
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/login
on this server.</p>
</body></html>

Any other things that can cause this?

Thanks.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

please check again, this is from your "api status" command reply - 

Robert.

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

Rob,

I understand what you are referring to. api status on the CLI says only from local host. BUT, I did configure it as "All IP addresses" from the smart console, installed DB, restarted the api.

So the question is why is it not reflecting in the CLI ??

 

Thanks for your patience on this.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

I really do not understand what is going on here.

Are you running on an MDM environment?

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

No, it's a single smart center.

FYI,

expert#mgmt_cli login output:

uid: "4d67542e-21ab-4019-9b23-8e0df9894c2b"
sid: "6YRu8AnYpjjXMy-vmeWUfP43gykmTu3z0F87E45z_44"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1520359819406
  iso-8601: "2018-03-06T06:10-1200"
api-server-version: "1"

Agreed that it is weird. Maybe someone can see something different here.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

mgmt_cli login is running locally on your management server, so it doesn't need any special access.

Your problem is when using web services from a remote server; this is why it needs access.

What do you mean by "installed db"? Do you mean "publish"?

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

Got it. Installed db = Publish and Install Database.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

I've noticed that your API server version is "1".

Are you running R80 management (not R80.10)?

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

Yes, it's an R80 management server.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

ok, try "api reconf" instead of "api restart" that you have done previously, then again "api status".

any changes to "Accessibility" field value?

0 Kudos

Re: Getting a "Forbidden" error message (HTTP status code 403)

Rob,

I've changed the access from "All IP addresses" in smart console to "All IP addresses that can be used for GUI clients" and my #api status changed to : Accessibility: Allow from all.

And my script from the remote server is also working fine.

So, maybe a bug in R80.

Thanks for all your time.

0 Kudos
Employee++

Re: Getting a "Forbidden" error message (HTTP status code 403)

Ok, I'm glad you managed to get it to work.

I'll verify if this is really a bug and report it for further handling.

Robert.

0 Kudos
Yonghao_Gao
Nickel

Re: Getting a "Forbidden" error message (HTTP status code 403)

Hi, I found that I cannot log in to the Gaia CLI API when I set the ssl-port to 4430 (not 443). I can log in to the Gaia CLI API once I set the ssl-port to 443. Why is this?

Re: Getting a "Forbidden" error message (HTTP status code 403)

Execute the following steps, then it works:

- SmartDashboard set "Accept API calls from" to "Management server only" -> Publish -> Install Database -> api restart

api status still shows "Require ip 127.0.0.1"

- SmartDashboard set "Accept API calls from" to "All IP addresses" -> Publish -> Install Database -> api restart

api status displays now "Require all granted"

0 Kudos
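
An added example, not part of any post in this thread and not Check Point code: a shell check that an automated build could run after "api restart" to confirm that the Accessibility value reported by "api status" matches the intended setting, which is the mismatch this thread chased. The function names and scope labels are hypothetical; the four Accessibility strings are the ones quoted in the posts above, and the sample input is constructed from the quoted output.

```shell
#!/bin/sh
# Added example: verify the effective API access scope after "api restart".

# Print the value of the first "Accessibility:" line of `api status` output (stdin).
api_accessibility() {
    awk '/^[ \t]*Accessibility:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }'
}

# Map an Accessibility value to a scope label (labels are hypothetical).
# Only the four strings quoted in the thread are recognised; anything else
# is reported as "restricted" (assumption: some narrower source list).
classify_scope() {
    case "$1" in
        "Allow from 127.0.0.1"|"Require ip 127.0.0.1") echo local-only ;;
        "Allow from all"|"Require all granted")        echo all ;;
        "")                                            echo unknown ;;
        *)                                             echo restricted ;;
    esac
}

# check_api_scope <intended-scope>   (reads `api status` output on stdin)
# Returns 0 on match, 1 on mismatch, 2 when no Accessibility line is present.
check_api_scope() {
    intended="$1"
    value="$(api_accessibility)"
    scope="$(classify_scope "$value")"
    if [ "$scope" = unknown ]; then
        echo "no Accessibility line found in api status output" >&2
        return 2
    fi
    if [ "$scope" != "$intended" ]; then
        echo "MISMATCH: intended=$intended effective=$scope ($value)" >&2
        return 1
    fi
    echo "OK: $scope ($value)"
}

# Constructed sample, trimmed from the `api status` output quoted in the thread.
SAMPLE_STATUS='API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled'

# On the management server (expert mode): api status | check_api_scope all
```

A non-zero exit lets the build stop before remote automation starts hitting the 403, and the same check with `local-only` confirms a server that should not accept remote API calls has not been opened up.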