S_E_
Advisor

GAIA API beginner questions

Access to the API server is forbidden. Can't see why.

API Status:
---------------------
Build: cp991255299
Uptime: 28 days, 13:19:31.071350
Current Sessions: 0
Latest Version: 1.8

Processes:

Name State PID
---------------------------------
GAIA_API Started 45144
GAIA_API_DOCS Started 45143
APACHE Started 45210
CONFD Started 46116
CLISHD Started 6752
CELERY Started 45142
REDIS Started 17073

Port Details:
-------------------
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started

FW81.20> show rba user apiadmin
User
apiadmin
access-mechanism Gaia-API
access-mechanism CLI
access-mechanism Web-UI
role adminRole

[Expert@FW81.20:0]# mgmt_cli login user apiadmin password <REMOVED> > id.txt
[Expert@FW81.20:0]# cat id.txt
message: "Error 403. Access to the API server is forbidden. Please check the Management API blade settings to make sure that the server is allowed to accept requests from this IP address."
code: "generic_error"

Management API Advanced is set to 'All IP'

Thanks,
Regards


15 Replies
Bob_Zimmerman
Authority

The management API and the Gaia API are two different things. The management API lets you read and change rules and objects (stuff you would do in SmartConsole). Only management servers run the management API.

The Gaia API lets you read and change OS-level things like interfaces and routes.

Is this system a management server, a gateway, or both?

What properties are you trying to read or change?

S_E_
Advisor

Hi,

Yes, I'm a little bit familiar with the management API on MDS.

Now, for the Gaia API (firewall cluster), I simply try to get the routing list (static and BGP) via an API call.

My tests have been on the active firewall.

Later, I would prefer to run the call from the MGMT to fetch the routes of the GW.

Regards

Bob_Zimmerman
Authority

To use mgmt_cli to interact with the Gaia API, you need to use the --context option, like so:

[Expert@DallasticXL-s01-01:0]# sessionCookie=$(mktemp)

[Expert@DallasticXL-s01-01:0]# mgmt_cli -f json --context gaia_api login user admin password '1qaz!QAZ' >"${sessionCookie}"

[Expert@DallasticXL-s01-01:0]# mgmt_cli -f json -s "${sessionCookie}" show routes
{
  "from": 1,
  "member-id": "1_1",
  "objects": [
    {
      "active-age": 6549591,
      "address": "0.0.0.0",
      "age": 6549591,
      "mask-length": 0,
      "next-hop": {
        "gateways": [
          {
            "address": "10.0.1.1",
            "interface": "wrp0"
          }
        ]
      },
      "protocol": "Static"
    },
    {
      "address": "10.0.1.0",
      "mask-length": 24,
      "next-hop": {
        "interface": "wrp0"
      },
      "protocol": "Connected"
    },
    {
      "address": "127.0.0.0",
      "mask-length": 8,
      "next-hop": {
        "interface": "lo"
      },
      "protocol": "Connected"
    },
    {
      "address": "192.0.2.0",
      "mask-length": 24,
      "next-hop": {
        "interface": "Sync"
      },
      "protocol": "Connected"
    }
  ],
  "to": 4,
  "total": 4,
  "virtual-system-id": 0
}

S_E_
Advisor

hm,

still same error message.

Regards

[FW81.20:0]# mgmt_cli -f json -s "${sessionCookie}" show routes
Failed to parse login output file [/tmp/tmp.8sDz9rumHP]
[FW81.20:0]# more /tmp/tmp.8sDz9rumHP
{
  "code" : "generic_error",
  "message" : "Error 403. Access to the API server is forbidden. Please check the Management API blade settings to make sure that the server is allowed to accept requests from this IP address."
}

PhoneBoy
Admin

What is configured in cpconfig in terms of allowed IP addresses?
This also applies to API requests.

S_E_
Advisor

Hi,

now I run into the next issue. It looks like the output is limited to 50. (API 1.5, R81.10)

Newer API versions seem to have a limit of 200.

However, is there any idea how to increase that to 2000 or more?

Or is gaia_api the completely wrong approach to read the routing table if routes > 2000?

Thanks

Regards

Daniel_Kuhl1
Employee

Hi, have you tried to specify a limit in the request body with v1.5? Then you could use an offset in the request body to query the next batch of results. You can build a script with a loop to request all results query by query, add them to a variable, and write them to a file after you have received all the data, or whatever you want to do with the data.

S_E_
Advisor

Hi,

I tried with 2 different gateways (R81.10 & R81.20).

But I could not get it to accept the limit parameter.

[does not work]

[Expert@fw1]# mgmt_cli show routes limit 200 --version 1.7 --context gaia_api -f json -s "${sessionCookie}"
{
"code": "generic_error",
"errors": "unsupported operand type(s) for +: 'int' and 'str'",
"message": "General Exception"
}

[works]

[Expert@fw1]# mgmt_cli show routes --context gaia_api -f json -s "${sessionCookie}"
{
"from": 1,
"objects": [
{
"address": "0.0.0.0",
"age": 4242532,

 

Regards

 

 

 

 

 

 

 

 

 

 

 

 

 

 

0 Kudos
PhoneBoy
Admin

Usually limit is also used with the offset parameter.
The fact you're not specifying it in your command might have exposed a bug 🙂 

Try mgmt_cli show routes limit 200 offset 0 --version 1.7 --context gaia_api -f json -s "${sessionCookie}"

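A worked version of the limit/offset loop Daniel describes, always sending limit and offset together as PhoneBoy advises. This is an added example for this thread, not Check Point's code: it assumes only the request and reply shapes visible above (a POST to /gaia_api/show-routes with a JSON body, replies carrying from/to/total/objects, errors as {"code": "generic_error", ...}). The X-chkp-sid session header, the helper names (gaia_caller, fetch_all_routes, make_fake_gateway) and the fake gateway's clamp behaviour are assumptions, and the fake gateway's route table is constructed so the script runs offline.

```python
"""Walk the Gaia API 'show-routes' output in limit/offset windows.

Added example for this thread; it is not Check Point's code. It assumes the
shapes visible in the thread: a POST to /gaia_api/<command> with a JSON body,
replies carrying "from", "to", "total" and "objects", and error replies of
the form {"code": "generic_error", "message": ...}. The X-chkp-sid session
header and every helper name here are assumptions, not documented API.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# (command, body) -> parsed JSON reply; lets the paging logic run offline
JsonCall = Callable[[str, Dict], Dict]


class GaiaApiError(RuntimeError):
    """Raised when the API answers with an error object instead of data."""


def gaia_caller(host: str, sid: str, verify_tls: bool = True) -> JsonCall:
    """Return a caller that POSTs to https://<host>/gaia_api/<command>.

    sid is the session id from a prior login (for example the "sid" field
    that 'mgmt_cli --context gaia_api login' writes, as shown in the thread).
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab gateways with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(command: str, body: Dict) -> Dict:
        req = urllib.request.Request(
            f"https://{host}/gaia_api/{command}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            # 403 and friends still carry a JSON error body; hand it back
            return json.loads(err.read().decode())
    return call


def fetch_all_routes(call: JsonCall, page_size: int = 50) -> List[Dict]:
    """Collect every route by repeatedly asking for the next window.

    limit and offset are always sent together; the thread shows API 1.6/1.7
    failing with "unsupported operand type(s) for +" when limit is sent alone.
    The loop advances by the page length actually returned, so a server that
    clamps limit (50 on API 1.5, 200 later) is still walked completely.
    """
    routes: List[Dict] = []
    offset = 0
    while True:
        reply = call("show-routes", {"limit": page_size, "offset": offset})
        if "code" in reply:  # error object, e.g. the 403 from a non-allowed client
            raise GaiaApiError(f"{reply['code']}: {reply.get('message', '')}".strip())
        page = reply.get("objects", [])
        routes.extend(page)
        total = int(reply.get("total", 0))
        # "to" is the 1-based index of the last object in this window
        if not page or int(reply.get("to", offset + len(page))) >= total:
            return routes
        offset += len(page)


def make_fake_gateway(route_count: int, max_limit: int = 50) -> JsonCall:
    """Constructed stand-in for a gateway so the example runs offline.

    Serves route_count synthetic static routes, clamps limit to max_limit and
    reproduces the "limit without offset" failure quoted in the thread.
    """
    table = [
        {"address": f"10.{i // 256}.{i % 256}.0", "mask-length": 24,
         "next-hop": {"gateways": [{"address": "10.0.1.1", "interface": "eth1"}]},
         "protocol": "Static"}
        for i in range(route_count)
    ]

    def call(command: str, body: Dict) -> Dict:
        if command != "show-routes":
            return {"code": "generic_error", "message": f"unknown command {command}"}
        if "limit" in body and "offset" not in body:
            return {"code": "generic_error", "message": "General Exception",
                    "errors": "unsupported operand type(s) for +: 'int' and 'str'"}
        offset = int(body.get("offset", 0))
        limit = min(int(body.get("limit", max_limit)), max_limit)
        page = table[offset:offset + limit]
        return {"from": offset + 1, "to": offset + len(page), "total": len(table),
                "objects": page, "virtual-system-id": 0}
    return call


if __name__ == "__main__":
    # Offline demo: 2345 routes behind a 200-per-page ceiling takes 12 calls.
    routes = fetch_all_routes(make_fake_gateway(2345, max_limit=200), page_size=200)
    last = routes[-1]
    print(f"{len(routes)} routes, last one {last['address']}/{last['mask-length']}")
```

Against a real gateway, take the sid from a login (for instance the login output file mgmt_cli --context gaia_api writes, as shown earlier in the thread) and pass gaia_caller(host, sid) in place of the fake; a 403 from a client that is not on the allowed list then surfaces as GaiaApiError rather than being mistaken for an empty routing table.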
PhoneBoy
Admin

Also, you may want to double check the supported API versions with mgmt_cli show api-versions
To update to the latest, see: https://support.checkpoint.com/results/sk/sk143612 

S_E_
Advisor

Hi,

Thanks

I tested with appliances with API versions 1.6 and 1.7. Both do not work. Seems like a bug.

(However, TAC confirmed issues.)

With gaia_api 1.8 it does work.


Thanks a lot for help

Regards

Timothy_Hall
Legend

What Bob said about the --context gaia_api option.  The Gaia API is nicely covered in the R81.20 version of the Check Point Certified Automation Specialist (CCAS) course which is available worldwide from Check Point ATCs.  A tip included in the class is the location of the file  /var/log/gaia_api_server.log which may need to be consulted if you can't seem to figure out what is wrong with an API call you are making, as sometimes the error message you get is not very helpful.

S_E_
Advisor

Thanks, it looks like I'm doing something fundamentally wrong:

more /var/log/gaia_api_server.log
03/06/25 00:26:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 01:16:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 02:06:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 02:56:30: Thread-1: server_util.udsListener: INFO: Internal request for 'status'
03/06/25 02:56:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 03:46:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 04:36:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 05:26:59: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 06:17:00: Dummy-2: sessions_manager: INFO: roles cache updated
03/06/25 06:17:36: MainThread: server_util.udsListener: INFO: remote_addr IP = 127.0.0.1
03/06/25 06:17:36: MainThread: server_util.udsListener: INFO: Request for endpoint /login [method: POST], for source 127.0.0.1, FAILED [duration 0ms]

Regards

Alex-
Leader

If you make the calls from the machine itself, you likely need to add 127.0.0.1 as allowed-client.

{
  "api-server-version": "1.8",
  "last-login-was-at": {
    "iso-8601": "2024-09-25T13:39+2.00.0",
    "posix": 1727264371178
  },
  "read-only": false,
  "session-timeout": 600,
  "sid": "[sid]",
  "url": "https://127.0.0.1:443/gaia_api"
}


S_E_
Advisor

awkward,

a lot of entries in allowed-list but no 127.0.0.1

Now it works, 

Both with session-id or session variable.

Thanks!!! 
