In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:
You don't have permission to access /web_api/login on this server.
What does it mean?
It means that the API server is not configured to accept requests from the machine running your browser.
For security reasons, the default settings for the API server allow it to accept requests only from the management server itself and not from any other IP address.
If you want your management server to accept API requests from other machines, please follow this procedure:
* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.
* Click on the "Manage & Settings" button on the left.
* Select "Blades"
* Look for the "Management API" section and click on "Advanced Settings".
Now you can choose between three options:
1) Accept API calls from the management server only (the default setting)
2) All IP addresses that can be used for GUI clients.
This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.
3) All IP addresses
Once you make your selection:
* Click the publish button
* Use SSH to log into the management server in "expert mode" and type "api restart".
Is there any means to change the Management API settings using an initialization script when the management instance is created? (like this: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...) What I want to do is automate the build of the checkpoint management instance so that once it is created, I can use the web api to configure it. If I have to manually go into the smart console to set the management api blade to allow the api calls from our automation server that would defeat the purpose of automating.
There's a CLI for that
[Expert@eightyten:0]# mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" --domain 'System Data'
---------------------------------------------
Time: [10:06:06] 18/8/2017
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@eightyten:0]# api restart
2017-Aug-18 10:06:10 - Stopping API...
2017-Aug-18 10:06:13 - API stopped successfully.
2017-Aug-18 10:06:13 - Starting API...
. . . . . . . . . . . . . . . . . .
2017-Aug-18 10:07:32 - API started successfully.
[Expert@eightyten:0]#
It'd be cool if you could specify that as part of the First-Time Wizard, of course.
Reference: Check Point - Management API reference
I get this error when I try to use that command: MGMT9000 code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
I think I got a similar message when I didn't specify the --domain parameter.
The example is copy/paste from the docs.
I did make the change to allow API calls from all IP addresses and did API restart as well. Same error still exists.
I also did reset the password for the username, made sure that the user is added to admin role on the webUI of the smartcenter as well.
#mgmt_cli login with same username and passwords is working on the smartcenter though.
Still no luck!
Any suggestions?
There may be several reasons for this error code.
Please run "api status" command on your management server and paste the response here for analysis.
Robert.
expert# api status
API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 25846
CPM Started 22711 Check Point Security Management Server is running and ready
FWM Started 26196
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
Test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
Accessibility from localhost?? It's set as All IP addresses in the Sconsole though.
Thanks.
Hi,
Please look at the "Accessibility" property value - it indicates that you have not granted the access from all IPs.
Robert.
take a look at my post -
Hello Robert
Thank you for the quick reply.
If you look at my last reply, I mentioned that I have set the API calls from "All IP Addresses" in the smart console and automatic start is also in place. Installed the Db, did api restart as well.
I am using super user permission profile to make sure I am not running into permission related issues, anyway I double checked the "super user" profile too and in the mgmt tab, mgmt API login is checked.
Also I did check the server.crt file in web/conf and it's just ASCII, no CRLF line terminators.
FYI, this is the script that I am running on the 3rd party server to test:
curl -k -X POST -H "Content-Type: application/json" -d '{ "user":"xxxx", "password":"xxxx" }' https://x.x.x.x:443/web_api/login
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/login
on this server.</p>
</body></html>
Any other things that can cause this?
Thanks.
please check again, this is from your "api status" command reply -
Robert.
Rob,
I understand what you are referring to. api status on the CLI says only from local host. BUT, I did configure it as "All IP addresses" from the smart console, installed DB, restarted the api.
So the question is why is it not reflecting in the CLI ??
Thanks for your patience on this.
I really do not understand what is going on here.
Are you running on MDM environment?
No, it's a single smart center.
FYI,
expert#mgmt_cli login output:
uid: "4d67542e-21ab-4019-9b23-8e0df9894c2b"
sid: "6YRu8AnYpjjXMy-vmeWUfP43gykmTu3z0F87E45z_44"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1520359819406
iso-8601: "2018-03-06T06:10-1200"
api-server-version: "1"
Agreed that it is weird. Maybe someone can see something different here.
mgmt_cli login is running locally on your management server, so it doesn't need any special access.
Your problem is when using web services from a remote server; this is why it needs access.
What do you mean by "installed db"? Do you mean "publish"?
Got it. Installed db = Publish and Install Database.
I've noticed that your API server version is "1".
Are you running R80 management (not R80.10)?
Yes, it's an R80 management server.
OK, try "api reconf" instead of the "api restart" that you did previously, then "api status" again.
Any changes to the "Accessibility" field value?
Rob,
I've changed the access from "All IP addresses" in smart console to "All IP addresses that can be used for GUI clients" and my #api status changed to : Accessibility: Allow from all.
And my script from the remote server is also working fine.
So, maybe a bug in R80.
Thanks for all your time.
OK, I'm glad you managed to get it to work.
I'll verify if this is really a bug and report it for further handling.
Robert.
Hi, I found that I cannot log in to the Gaia CLI API when I set the ssl-port to 4430 (not 443). I can log in to the Gaia CLI API once I set the ssl-port to 443. Why is this?
Execute the following steps, then it works:
- SmartDashboard set "Accept API calls from" to "Management server only" -> Publish -> Install Database -> api restart
api status still shows "Require ip 127.0.0.1"
- SmartDashboard set "Accept API calls from" to "All IP addresses" -> Publish -> Install Database -> api restart
api status displays now "Require all granted"
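An added example, not part of the original thread or of Check Point's tooling: a small shell check that reads `api status` output and confirms the running API server's accessibility matches what you intended to configure, which is the mismatch this thread was chasing. The function names are hypothetical, and it assumes the "Require ..." values quoted above appear on the same "Accessibility:" line as the "Allow from ..." values.

```shell
#!/bin/sh
# Added example: classify the "Accessibility" line of `api status` output.
# Value strings are the ones quoted in this thread; that the "Require ..."
# forms appear on the same "Accessibility:" line is an assumption.

api_access_scope() {
    # stdin: `api status` text. Prints: local | all | unknown | other: <value>
    value=$(awk '/^[ \t]*Accessibility:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }')
    case "$value" in
        "Allow from 127.0.0.1"|"Require ip 127.0.0.1") echo "local" ;;
        "Allow from all"|"Require all granted")        echo "all" ;;
        "")                                            echo "unknown" ;;
        *)                                             echo "other: $value" ;;
    esac
}

check_api_access() {
    # $1: scope you intended to configure (local | all); stdin: `api status` text.
    # Returns 0 when the running API server matches, 1 otherwise.
    expected=$1
    actual=$(api_access_scope)
    if [ "$actual" = "$expected" ]; then
        echo "OK: API accessibility is '$actual'"
        return 0
    fi
    echo "MISMATCH: expected '$expected', api status reports '$actual'" >&2
    return 1
}

# Excerpt of the `api status` output posted earlier in this thread.
SAMPLE_STATUS=$(cat <<'EOF'
API Settings:
---------------------
Accessibility: Allow from 127.0.0.1
Automatic Start: Enabled
Overall API Status: Started
EOF
)

# Demo on the excerpt; on the management server: api status | check_api_access local
printf '%s\n' "$SAMPLE_STATUS" | api_access_scope
```

Running it after every publish and `api restart` catches both cases seen here: a change that did not take effect, and an API server left open to all addresses when only local access was intended.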
Could you share with me the exact command for the below fix?
If you have any video link for this issue, please share it.
Hi All,
While checking API status,
Script may not be run on non-management servers .
Please assist me on this.