Solved: Re: Enabling web api

Steven_Bade · ‎2018-02-26

Probably a really basic question, but i can't seem to find anything. I'm attempting a simple login to R80.10 via the api. I'm using postman, when i send the POST i get a web page returned instead of json.

<!DOCTYPE html>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
<meta name="others" content="WEBUI LOGIN PAGE" />
<TITLE>Gaia</TITLE>
<link rel="shortcut icon" href="https://community.checkpoint.com/login/fav.ico">
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/login.css" />
<STYLE TYPE="text/css">
.ext-ie .webui-login-fld{font-size: 11px;}
</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script>
<script type="text/javascript" src="/login/ext-all.js"></script>
<script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This system is for authorized use only.";var hostname='';var version='R80.10';var formAction="/cgi-bin/home.tcl";</script>
<script type="text/javascript" src="/login/login.js"></script>
</HEAD>
<BODY>
<noscript>
<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div>
</noscript>
</BODY>
</HTML>

Any pointers

Viktor · ‎2018-02-26

Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:

POST https://<mgmt-server>:<port>/web_api/login

View solution in original post

PhoneBoy · ‎2018-02-26

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference

View solution in original post

Adiel_Ashrov · ‎2019-02-10

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

View solution in original post

Viktor · ‎2018-02-26

Make sure that you didn't forget the /web_api/ part of the URI. https://<management server>:<port>/web_api/<command>

Check Point - Management API reference:

POST https://<mgmt-server>:<port>/web_api/login

Norbert_Bohusch · ‎2018-02-26

You have to use path /web_api/ for your management API calls, else you are accessing Gaia WebUI.

See Check Point - Management API reference for reference.

Steven_Bade · ‎2018-02-26

I am using the https://<server>/web_api/ point..

what I think the issue is that I don't think I set up the management server. When I did the install i checked both the management server and the gateway boxes. But when I login, i don't see the same screen as the docs indicate.

So I guess I need help in getting the right software installed.

Steven_Bade · ‎2018-02-26

I created a new VM and selected only the management option. Now when I do the login attempt as admin, i get 403 with "you don't have permission to access /web_api/login on this server".

Robert_Decker · ‎2018-02-26

please run "api status" command on your management server and paste the response here.

robert.

Steven_Bade · ‎2018-02-26

Thanks robert.

cpmgmt> api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 19458
CPM Started 19548 Check Point Security Management Server is running and ready
FWM Started 18989

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Robert_Decker · ‎2018-02-26

This is exactly what I wanted to ensure - you have to allow an access from remote machines to your management API server.

Please read this excellent document -

Orchestration and Automation_Ryan Darst_Marco Garcia.pdf

and refer to slide #5.

Robert.

Jordan_Martin1 · ‎2018-06-22

What permissions do you need to be able to change this setting? I'm a PowerAdmin and it is read-only for me.

Jordan

PhoneBoy · ‎2018-06-22

I believe only SuperAdmins can change the setting.

Adiel_Ashrov · ‎2019-02-10

Hey All,

Here is the slide Robert talked about

Regards,

Adiel

ggmeza · ‎2021-05-13

Hi, I have a question. When you set "all ip addresses that can be use for GUI clients", where is configured as a filter that ip addresses? Where can i see that?

Thanks.

Norbert_Bohusch · ‎2018-02-26

See output: only access from 127.0.0.1 allowed

Change it in SmartConsole under “Manage & Settings” / “Blades” / “Management SPI”

Steven_Bade · ‎2018-02-26

Thanks... However I don't have smartconsole in the UI. I pasted in a screenshot of what my UI looks like, which is not the same as in the document that Robert referenced

Steven_Bade · ‎2018-02-26

is smartconsole a windows only application?

PhoneBoy · ‎2018-02-26

Yes, it's a Windows only application.

However, the API can be enabled from the CLI using something like:

mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"

Then you will need to restart the API server for the change to take effect.

api restart

See also: Check Point - Management API reference

Steven_Bade · ‎2018-02-26

ok.. once i realized that smart console was an external windows application i was able to get the config enabled properly. have to find a windows vm to run this on, as i'm on a mac for all my work. is there a command line way to enable this?

PhoneBoy · ‎2018-02-26

Yes, see my answer above.

Amit_Chaubey · ‎2018-09-18

Hi ,

I am using below command to allow API calls from all IP but no lcuk, any help.

gw-b739b6> mgmt set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you w ill need to run "mgmt login user [user name]"
gw-b739b6> expert
Enter expert password:

Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]#

[Expert@gw-b739b6:0]# mgmt set api-settings accepted-api-calls-from "All IP addr esses"
bash: mgmt: command not found
[Expert@gw-b739b6:0]# mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
Username: admin
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@gw-b739b6:0]# exit
exit
gw-b739b6> mgmt_cli set api-settings accepted-api-calls-from "All IP addresses"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]" <<<<<<<<<<<<< why we need to use suppy username and pasowrd>>>>>>
gw-b739b6>

Tried in both modes but no luck,

Amit Chaubey

PhoneBoy · ‎2018-09-18

You were most correct with this one: mgmt_cli set api-settings accepted-api-calls-from "All IP Addresses"

But it looks like you didn't type the admin password correct.

You can also try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"

(Assuming you are on Security Management)

Amit_Chaubey · ‎2018-09-18

Hi Dameon,

I tried again with mgmt credentials but showing that this command is for MDS not in my case.OUt put is below,

gw-b739b6> mgmt login user admin
Enter password:
gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"
MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

gw-b739b6>

Also, I am looking at some bash script or some other commands that can be incorporated with user data file so that in the case included once booting up mgmt server in AWS.

Thank you,

Amit Chaubey

PhoneBoy · ‎2018-09-18

If you use mgmt_cli -r true you don't need to login.

Also, if you were going to login, you would need to pass the session ID returned with each command.

Try: mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"

You realize we also have CloudFormation scripts for deploying gateways and management in AWS, right?

AWS CloudFormation Templates

Amit_Chaubey · ‎2018-09-19

Hi,

I am not sure what's wrong with the mgmt server but it's not working for me.

gw-b739b6> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" domain "System Data"
MGMT9205 You are not logged in to management server, in order to log-in you will need to run "mgmt login user [user name]"
gw-b739b6>

Also, is this any script(bash) available which I can use in user data file.

PhoneBoy · ‎2018-09-19

Is this a management server or a gateway?

You can only enable the API from a management server, not a gateway.

The fact you have a "default" name for your management server suggests you have not run the First Time Wizard yet, either.

HaTM · ‎2024-07-09

Hi PhoneBoy,

My CPM lab running with version R81.20, after add eval license and try to send API by Postman from my PC. i got this result.

<!DOCTYPE html>

<HTML>

<HEAD>

.ext-ie .webui-login-fld {

font-size: 11px;

}

</STYLE>

var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This%20system%20is%20for%20authorized%20use%20only.%0A";var hostname='';var version='R81.20';var formAction="/cgi-bin/home.tcl";

</script>

</HEAD>

<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to

enable JavaScript.</div>

</noscript></BODY>

</HTML>

I tried to restart API and reboot CPM but it's still not work.

PhoneBoy · ‎2024-07-10

What does the command "api status" say?

HaTM · ‎2024-07-10

This's API status of my lab now

[Expert@gw-622262:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 8846
CPM Started 8846 Check Point Security Management Server is running and ready
FWM Started 8255
APACHE Started 8733

Port Details:
-------------------
JETTY Internal Port: 53595
JETTY Documentation Internal Port: 62008
APACHE Gaia Port: 443

Profile:
-------------------
Machine profile: Small Medium env resources profile
CPM heap size: 1280m

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Bob_Zimmerman · ‎2024-07-10

What is the full path you are trying to call? Seems likely you are missing the /web_api root prefix in the path.

HaTM · ‎2024-07-10

i'm trying to test with Identity Awareness function with path "/_IA_API/v1.0/add-identity", after old license expired and i attach new eval license i have this issue

PhoneBoy · ‎2024-07-11

Please provide output of cplic print and confirm if this is a centrally managed license or locally managed.
Also please provide version/JHF level of gateway.

Are you a member of CheckMates?

Enabling web api