Hi all,
If you're working with remote scripts utilizing Management REST API, please read the below post.
To enable efficient work of Management REST API clients, starting R81 (expected release date – September 2020) we are going to limit the allowed frequency of the login command for remote API calls only, to 3 logins per admin per domain per minute.
Any request that will exceed this limit will be failed by the server with a new error ("Too many requests in a given amount of time"). To rule out possible impact, we recommend you to test your solutions which are based on REST API once R81 Public EA is available for download.
Below you can find:
Please do not hesitate to contact us for further consultation.
Handling the new error in case too many login requests in a given time
Starting R81, login from a remote machine is limited to 3 logins per minute for each admin to a specific domain. Your scripts should catch the error below and try again later:
    retries = 0
    DO
        wait for (2^retries) seconds
        result = Do login operation.
        IF result.is_success = true
            retry = false
        ELSE IF result.is_success = false
            IF result.get_error_message = "Too many requests in a given amount of time"
                retry = true
            ELSE
                Some other error occurred, stop calling the API.
                retry = false
            END IF
        retries = retries + 1
    WHILE (retry AND (retries < MAX_RETRIES))
General best practices for login API:
Example 1(mgmt_cli):
mgmt_cli login user "aa" password "aaaa" enter-last-published-session true -f json
Example 2(Web Services):
POST {{server}}/login
Content-Type: application/json
{
  "user" : "aa",
  "password" : "aaaa",
  "enter-last-published-session" : "true"
}
Bad Practice Example (pseudo code):
In this example, the API call is being executed without an explicit session-id. This means that each time, four commands are being executed (login, add-host, publish and logout).
    for i=0 to i<100 do:
        mgmt_cli -r true add-host name hosts_list[i] ip-address ip_list[i]
Good Practice Example (pseudo code):
In this example, login is done just once. All changes are made in one session, and at the end of the session there is a publish and logout. This saves the overhead of managing multiple login and logout operations on the server.
    session=`mgmt_cli -r true login --format json | jq -r '.sid'` // login once and set session id (sid) into a variable
    for i=0 to i<100 do:
        mgmt_cli add-host name hosts_list[i] ip-address ip_list[i] --session-id $session // use the session id for adding hosts in loop
    mgmt_cli publish --session-id $session // publish all changes in one session. Publish occurs only once
    mgmt_cli logout --session-id $session // logout once
Note- If you have many hundreds of changes, it is best to avoid publishing once at the end of the session. Instead, publish a few times within your session. For example, publish every 100 changes. However, you only need to log in once at the beginning of the session, and log out at the end of the session.
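The retry loop and the single-session pattern from the post above, combined into one added Python example (not part of the original post and not Check Point code). The `call(command, payload, sid)` transport and the `FakeServer` stand-in are hypothetical names used so the sketch runs offline; unlike the pseudocode, it waits only after a throttled reply.

```python
import time

# Error text quoted in the post; matched exactly.
THROTTLE_MSG = "Too many requests in a given amount of time"

def login_with_backoff(call, user, password, max_retries=5, sleep=time.sleep):
    """Log in; on the throttling error wait 2**n seconds and try again.

    `call(command, payload, sid)` is a hypothetical transport returning
    (ok, body); a real one would POST to {{server}}/web_api/<command>.
    """
    for attempt in range(max_retries):
        ok, body = call("login", {"user": user, "password": password}, None)
        if ok:
            return body["sid"]
        if body.get("message") != THROTTLE_MSG:
            # Some other error occurred: stop calling the API.
            raise RuntimeError(body.get("message", "login failed"))
        sleep(2 ** attempt)
    raise RuntimeError("login still throttled after %d attempts" % max_retries)

def add_hosts(call, sid, hosts, publish_every=100):
    """Add every host in ONE session, publishing every `publish_every` changes."""
    pending = 0
    try:
        for name, ip in hosts:
            ok, body = call("add-host", {"name": name, "ip-address": ip}, sid)
            if not ok:
                raise RuntimeError(body.get("message", "add-host failed"))
            pending += 1
            if pending == publish_every:
                call("publish", {}, sid)
                pending = 0
        if pending:
            call("publish", {}, sid)
    finally:
        call("logout", {}, sid)  # log out once, even if a call failed

class FakeServer:
    """Constructed stand-in that rejects the first `throttled` logins."""
    def __init__(self, throttled=2):
        self.throttled, self.log = throttled, []

    def __call__(self, command, payload, sid):
        self.log.append(command)
        if command == "login" and self.throttled > 0:
            self.throttled -= 1
            return False, {"message": THROTTLE_MSG}
        return True, ({"sid": "constructed-sid"} if command == "login" else {})
```

Passing `sleep=waits.append` (a list's append method) instead of `time.sleep` records the backoff schedule without actually waiting, which is how a script's retry behaviour can be checked before it is pointed at a management server.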
Hi Dima,
Thank you for sharing this valuable information.
I have R81 - Build 287 in my lab and I'm able to run API calls (using my application) with more than the above ratio you mentioned.
I made sure there are more than 3 logins per admin per domain per minute, so in my lab this issue is not observed, while one of my customers has the above described issue and he gets the following error:
2021-03-26 11:29:23,417 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:50 [qtp901620835-94] - Error message: [Too many requests in a given amount of time]
What can be the reason this happens only to my customer while according to this post this should be default REST configs for all new R81 installations?
2021-04-05 10:33:43,040 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
2021-04-05 10:33:44,403 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
2021-04-05 10:33:47,892 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
2021-04-05 10:33:49,146 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
2021-04-05 10:33:49,243 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
2021-04-05 10:33:50,380 DEBUG {R81} [com.skybox.view.agent.rest.client.generic.platform.EntityLoggingFilter] (EntityLoggingFilter.java:60) <@127.0.0.1:TASK:1> https://172.x.x.x/web_api/login
Hi,
Just realized that it is working because I was running in an MDS environment. This issue happens only with a single management environment.
Hello,
is this the correct command to disable api throttling?
api throttling off
Is this the correct file to increase the number of logins per time interval?
/opt/CPsuite-R81.10/fw1/api/conf/api-load-control.xml
Regards
Alex
Hi,
I have used 'api throttling off' so I can run some pretty heavy logs requests against the API but have noticed that throttling is re-enabled when the management software is patched or upgraded.
Does anyone know a way to maintain the throttling setting through a patch or upgrade?
Thanks
Simon
Perhaps a regular cron job that executes this command to ensure it's always turned off?
That said, it's not recommended to do this.
Edit this file and turn it off. If you want to have it off, then we do not have to care about any changes on this file in the future.
/opt/CPsuite-R81.10/fw1/api/conf/api-load-control.xml
Make the file immutable. This prevents the system from modifying the file.
chattr +i /opt/CPsuite-R81.10/fw1/api/conf/api-load-control.xml
The main issue with doing that is that you also prevent other necessary changes from being made to this file on upgrade.
Which could create other issues down the road.
Do not agree. This file is only for throttling options. The main option on top is to turn it on or off. The other options are detailed options to throttle. So if you do not like throttling, you can disable it and other changes in the future are not relevant.
To be honest - the only reason for that throttling is that the MDS API is slow, is crashing and working much worse than other APIs. To circumvent these issues you (CheckPoint) just limited access and that's it.