This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Albert_Chang
Explorer
‎2019-05-27 01:32 AM
Jump to solution

How to grant permission for the web api?

I just install the Check Point API Python Development Kit and run a simple login. But it says "You don't have permission to access /web_api/login this server.

How could I troubleshoot the issue?

 

Code:

import getpass
from cpapi import APIClient, APIClientArgs

api_server = "fwmgr"
username = input("Enter username: ")
password = getpass.getpass("Enter password: ")

client_args = APIClientArgs(server=api_server)
client = APIClient(client_args)

client.debug_file = "api_calls.json"
login_res = client.login(username, password)
login_res.error_message

Error message returned:

cpapi.api_exceptions.APIException('APIResponse received a response which is not a valid JSON.',
                                  b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don\'t have permission to access /web_api/login\non this server.<br />\n</p>\n</body></html>\n')

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-05-30 06:24 AM
In response to Albert_Chang
Jump to solution

The reason you are seeing the error is the API server is only available from 127.0.0.1 (localhost) by default.
To fix this, see: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011

View solution in original post

15 Replies
Martin_Raska
Advisor
Advisor
‎2019-05-27 08:29 AM
Jump to solution

Check API access setting is the SmartConsole, try -all IP addresses
0 Kudos
Albert_Chang
Explorer
‎2019-05-27 09:31 PM
In response to Martin_Raska
Jump to solution

Hi Martin,

Do you mean to configure an access control rule for API access? Do you have an example?

We already enabled SSH 443 to the firewall manager. Do we need to enable anything else?
0 Kudos
Albert_Chang
Explorer
‎2019-05-27 09:34 PM
In response to PhoneBoy
Jump to solution

Thanks for the reply, PhoneBoy.

Thanks PhoneBoy for the reply.
I am using the Check Point API Python Development Kit for Python. So I don't need to specify "web_api" string in the url.

https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-30 06:24 AM
In response to Albert_Chang
Jump to solution

The reason you are seeing the error is the API server is only available from 127.0.0.1 (localhost) by default.
To fix this, see: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011
ottis79
Explorer
‎2021-04-06 06:37 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy

 

I' have the same problem:

 

<body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /web_api/login
        on this server.<br />
</p>
</body>
 
I'm tring to enablr the api by mgmt cli:
 
login: admin                                                                    
Password:
Last login: Tue Apr  6 15:28:58 on pts/2
gw-6825d9> mgmt login user admin password xxxx domain "MDS"
 
and then 

gw-6825d9> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP Add
resses"
 
but I have the 403 error have you a suggestion to activate api?
 
thanks
Ottavio
0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 07:32 AM
In response to ottis79
Jump to solution

You haven't restarted the API server?

0 Kudos
ottis79
Explorer
‎2021-04-06 07:38 AM
In response to PhoneBoy
Jump to solution

Hi 

thanks for you reply, Yes I do, with the command:

api restart 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 08:24 AM
In response to ottis79
Jump to solution

What does api status say?

0 Kudos
ottis79
Explorer
‎2021-04-06 08:30 AM
In response to PhoneBoy
Jump to solution

Api status: started

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 08:50 AM
In response to ottis79
Jump to solution

What precise IP are you connecting to here?
It should be the the CMA/Domain IP. 

0 Kudos
ottis79
Explorer
‎2021-04-06 08:57 AM
In response to PhoneBoy
Jump to solution

My R80 ip is https://192.0.2.80, I'm tring to connect from 192.0.2.81 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 09:03 AM
In response to ottis79
Jump to solution

You're either not connecting to the correct IP or there's an issue the TAC probably needs to assist you with. 

0 Kudos
ottis79
Explorer
‎2021-04-06 09:07 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy

I think the ip is correct because I have a 403 error from R80, I'm not sure that with mgmt_cli I enabled the api to accept all ip addresses. It is possibile from gui to check the configuration?

Thanks

Ottavio 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-06 09:26 AM
In response to ottis79
Jump to solution

SmartConsole will only give you the status of the flag
It won't give you the full details, which api status will give you.
If you're still having issues, you may want to review the file created by api status -s.
And, like I said, a TAC case may be in order.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top