Uri_Bialik

Getting a "Forbidden" error message (HTTP status code 403)

In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:

Forbidden

You don't have permission to access /web_api/login on this server.

What does it mean?

It means that the API server is not configured to accept requests from the machine running your browser.

For security reasons, the default settings for the API server allow it to accept requests only from the management server itself and not from any other IP address.

If you want your management server to accept API requests from other machines, please follow this procedure:

* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.

* Click on the "Manage & Settings" button on the left.

* Select "Blades"

* Look for the "Management API" section and click on "Advanced Settings".

Now you can choose between three options:

1) Accept API calls from the management server only (the default setting)

2) All IP addresses that can be used for GUI clients.

    This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.

3) All IP addresses

Once you make your selection:

* Click the publish button

* Use SSH to log into the management server in "expert mode" and type "api restart".
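An added shell example, not from the original post: it pulls the Accessibility value out of "api status" output and classifies the HTTP status of a login probe sent from a remote host with curl, so that a 403 (the API server not accepting this client) is told apart from a credential or connectivity problem. The management hostname and the credentials are placeholders, and the api status text is a constructed sample.

```shell
#!/bin/sh
# Added example: verify the "Accept API calls from" change and probe /web_api/login.

# Print the Accessibility value from "api status" output read on stdin.
api_accessibility() {
    sed -n 's/^Accessibility:[[:space:]]*//p' | head -n 1
}

# Return 0 if the value permits remote clients, 1 if the API is localhost-only
# (both the "Allow from" and the older "Require ip" wording appear in the thread).
accessibility_allows_remote() {
    case "$1" in
        "Allow from 127.0.0.1"|"Require ip 127.0.0.1") return 1 ;;
        *) return 0 ;;
    esac
}

# Map the HTTP status returned by a login probe to a short diagnosis.
diagnose_login_status() {
    case "$1" in
        200) echo "login accepted" ;;
        403) echo "forbidden: API server is not accepting calls from this client" ;;
        400|401) echo "reached the API: request body or credentials rejected" ;;
        000) echo "no connection: check hostname, port and firewall path" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

# Send the same login request as the curl line in the thread, from a remote host,
# and print only the HTTP status code. Arguments are placeholders: host user password.
probe_login() {
    curl -k -s -o /dev/null -w '%{http_code}' -X POST \
        -H 'Content-Type: application/json' \
        -d "{\"user\":\"$2\",\"password\":\"$3\"}" \
        "https://$1/web_api/login"
}

# Constructed sample of "api status" output, mirroring the thread's localhost-only case.
SAMPLE_STATUS='API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled'

# Usage on the management server: api status | api_accessibility
# Usage on the remote host:       diagnose_login_status "$(probe_login mgmt.example.invalid user pass)"
```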

25 Replies
James_Tidwell
Explorer

Is there any means to change the Management API settings using an initialization script when the management instance is created? (like this: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...) What I want to do is automate the build of the checkpoint management instance so that once it is created, I can use the web api to configure it. If I have to manually go into the smart console to set the management api blade to allow the api calls from our automation server that would defeat the purpose of automating.

0 Kudos
PhoneBoy
Admin
Admin

There's a CLI for that :)

[Expert@eightyten:0]# mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" --domain 'System Data'

---------------------------------------------

Time: [10:06:06] 18/8/2017

---------------------------------------------

"Publish operation"  succeeded  (100%) 

[Expert@eightyten:0]# api restart

2017-Aug-18 10:06:10 - Stopping API...

2017-Aug-18 10:06:13 - API stopped successfully.

2017-Aug-18 10:06:13 - Starting API...

. . . . . . . . . . . . . . . . . .

2017-Aug-18 10:07:32 - API started successfully.

[Expert@eightyten:0]#

It'd be cool if you could specify that as part of the First-Time Wizard, of course.

Reference: Check Point - Management API reference 

James_Tidwell
Explorer

I get this error when I try to use that command: MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

0 Kudos
PhoneBoy
Admin
Admin

I think I got a similar message when I didn't specify the --domain parameter.

The example is copy/paste from the docs.

0 Kudos
venkata_marutur
Contributor

I did make the change to allow API calls from all IP addresses and did API restart as well. Same error still exists.

I also did reset the password for the username, made sure that the user is added to admin role on the webUI of the smartcenter as well.

#mgmt_cli login with same username and passwords is working on the smartcenter though. 

Still no luck!

Any suggestions?

0 Kudos
Robert_Decker
Advisor

There may be several reasons for this error code.

Please run "api status" command on your management server and paste the response here for analysis.

Robert.

0 Kudos
venkata_marutur
Contributor

expert# api status

API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 25846
CPM Started 22711 Check Point Security Management Server is running and ready
FWM Started 26196

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

Test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Accessibility from localhost?? It's set as All IP addresses in the Sconsole though.

Thanks.

0 Kudos
Robert_Decker
Advisor

Hi,

Please look at the "Accessibility" property value - it indicates that you have not granted the access from all IPs.

Robert.

0 Kudos
Robert_Decker
Advisor

0 Kudos
venkata_marutur
Contributor

Hello Robert

Thank you for the quick reply.

If you look at my last reply, I mentioned that I have set the API calls from "All IP Addresses" in the smart console and automatic start is also in place. Installed the Db, did api restart as well.

I am using super user permission profile to make sure I am not running into permission related issues, anyway I double checked the "super user" profile too and in the mgmt tab, mgmt API login is checked.

Also I did check the server.crt file in web/conf and its just ASCII, no CRLF line terminators.

FYI, this is the script that I am running on the 3rd party server to test:

curl -k -X POST -H "Content-Type: application/json" -d '{ "user":"xxxx", "password":"xxxx" }' https://x.x.x.x:443/web_api/login
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/login
on this server.</p>
</body></html>

Any other things that can cause this?

Thanks.

0 Kudos
Robert_Decker
Advisor

please check again, this is from your "api status" command reply - 

Robert.

0 Kudos
venkata_marutur
Contributor

Rob,

I understand what you are referring to. api status on the CLI says only from local host. BUT, I did configure it as "All IP addresses" from the smart console, installed DB, restarted the api.

So the question is why is it not reflecting in the CLI ??


Thanks for your patience on this.

0 Kudos
Robert_Decker
Advisor

I really do not understand what is going on here.

Are you running on MDM environment?

0 Kudos
venkata_marutur
Contributor

No, it's a single smart center.

FYI,

expert#mgmt_cli login output:

uid: "4d67542e-21ab-4019-9b23-8e0df9894c2b"
sid: "6YRu8AnYpjjXMy-vmeWUfP43gykmTu3z0F87E45z_44"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1520359819406
iso-8601: "2018-03-06T06:10-1200"
api-server-version: "1"

Agreed that it is weird. May be someone can see something different here.

0 Kudos
Robert_Decker
Advisor

mgmt_cli login is running locally on your management server, so it doesn't need any special access.

Your problem is when using the web services from a remote server; this is why it needs access.

what do you mean by "installed db"? do you mean "publish"?

0 Kudos
venkata_marutur
Contributor

Got it. Installed db = Publish and Install Database.

0 Kudos
Robert_Decker
Advisor

I've noticed that your API server version is "1".

Are you running R80 management (not R80.10)?

0 Kudos
venkata_marutur
Contributor

Yes, it's an R80 management server.

0 Kudos
Robert_Decker
Advisor

ok, try "api reconf" instead of "api restart" that you have done previously, then again "api status".

any changes to "Accessibility" field value?

0 Kudos
venkata_marutur
Contributor

Rob,

I've changed the access from "All IP addresses" in smart console to "All IP addresses that can be used for GUI clients" and my #api status changed to : Accessibility: Allow from all.

And my script from the remote server is also working fine.

So, maybe a bug in R80.

Thanks for all your time.

0 Kudos
Robert_Decker
Advisor

Ok, I'm glad you managed to get it work.

I'll verify if this is really a bug and report it for further handling.

Robert.

0 Kudos
Jeff_Gao
Advisor

Hi, I found that I cannot log in to the Gaia CLI API when I set the ssl-port to 4430 (not 443). I can log in to the Gaia CLI API once I set the ssl-port to 443. Why is this?

Rene_Dreher
Contributor

Execute the following steps, then it works:

- SmartDashboard set "Accept API calls from" to "Management server only" -> Publish -> Install Database -> api restart

api status still shows "Require ip 127.0.0.1"

- SmartDashboard set "Accept API calls from" to "All IP addresses" -> Publish -> Install Database -> api restart

api status displays now "Require all granted"

0 Kudos
ISS_cognizantne
Explorer

Could you share with me the exact command for the fix below.

If you have any video link for this issue, please share it.

0 Kudos
ISS_cognizantne
Explorer

Hi All,

While checking API status,


Script may not be run on non-management servers.

Please assist me on this.


0 Kudos
