This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Albert_Chang
Explorer
‎2019-05-27 01:32 AM

How to grant permission for the web api?

Jump to solution

I just install the Check Point API Python Development Kit and run a simple login. But it says "You don't have permission to access /web_api/login this server.

How could I troubleshoot the issue?

 

Code:

import getpass
from cpapi import APIClient, APIClientArgs

api_server = "fwmgr"
username = input("Enter username: ")
password = getpass.getpass("Enter password: ")

client_args = APIClientArgs(server=api_server)
client = APIClient(client_args)

client.debug_file = "api_calls.json"
login_res = client.login(username, password)
login_res.error_message

Error message returned:

cpapi.api_exceptions.APIException('APIResponse received a response which is not a valid JSON.',
                                  b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don\'t have permission to access /web_api/login\non this server.<br />\n</p>\n</body></html>\n')

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-05-30 06:24 AM
In response to Albert_Chang

Jump to solution
The reason you are seeing the error is the API server is only available from 127.0.0.1 (localhost) by default.
To fix this, see: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011

View solution in original post

15 Replies
Martin_Raska
Advisor
‎2019-05-27 08:29 AM

Jump to solution
Check API access setting is the SmartConsole, try -all IP addresses
0 Kudos
Albert_Chang
Explorer
‎2019-05-27 09:31 PM
In response to Martin_Raska

Jump to solution
Hi Martin,

Do you mean to configure an access control rule for API access? Do you have an example?

We already enabled SSH 443 to the firewall manager. Do we need to enable anything else?
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-27 09:02 PM

Jump to solution

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011

0 Kudos
Albert_Chang
Explorer
‎2019-05-27 09:34 PM
In response to PhoneBoy

Jump to solution
Thanks for the reply, PhoneBoy.

Thanks PhoneBoy for the reply.
I am using the Check Point API Python Development Kit for Python. So I don't need to specify "web_api" string in the url.

https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-30 06:24 AM
In response to Albert_Chang

Jump to solution
The reason you are seeing the error is the API server is only available from 127.0.0.1 (localhost) by default.
To fix this, see: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011

View solution in original post

ottis79
Explorer
‎2021-04-06 06:37 AM
In response to PhoneBoy

Jump to solution

Hi PhoneBoy

 

I' have the same problem:

 

<body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /web_api/login
        on this server.<br />
</p>
</body>
 
I'm tring to enablr the api by mgmt cli:
 
login: admin                                                                    
Password:
Last login: Tue Apr  6 15:28:58 on pts/2
gw-6825d9> mgmt login user admin password xxxx domain "MDS"
 
and then 

gw-6825d9> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP Add
resses"
 
but I have the 403 error have you a suggestion to activate api?
 
thanks
Ottavio
0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 07:32 AM
In response to ottis79

Jump to solution

You haven't restarted the API server?

0 Kudos
ottis79
Explorer
‎2021-04-06 07:38 AM
In response to PhoneBoy

Jump to solution

Hi 

thanks for you reply, Yes I do, with the command:

api restart 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 08:24 AM
In response to ottis79

Jump to solution

What does api status say?

0 Kudos
ottis79
Explorer
‎2021-04-06 08:30 AM
In response to PhoneBoy

Jump to solution

Api status: started

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 08:50 AM
In response to ottis79

Jump to solution

What precise IP are you connecting to here?
It should be the the CMA/Domain IP. 

0 Kudos
ottis79
Explorer
‎2021-04-06 08:57 AM
In response to PhoneBoy

Jump to solution

My R80 ip is https://192.0.2.80, I'm tring to connect from 192.0.2.81 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 09:03 AM
In response to ottis79

Jump to solution

You're either not connecting to the correct IP or there's an issue the TAC probably needs to assist you with. 

0 Kudos
ottis79
Explorer
‎2021-04-06 09:07 AM
In response to PhoneBoy

Jump to solution

Hi PhoneBoy

I think the ip is correct because I have a 403 error from R80, I'm not sure that with mgmt_cli I enabled the api to accept all ip addresses. It is possibile from gui to check the configuration?

Thanks

Ottavio 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 09:26 AM
In response to ottis79

Jump to solution

SmartConsole will only give you the status of the flag
It won't give you the full details, which api status will give you.
If you're still having issues, you may want to review the file created by api status -s.
And, like I said, a TAC case may be in order.

0 Kudos