Albert_Chang
Explorer

How to grant permission for the web api?

I just installed the Check Point API Python Development Kit and ran a simple login. But it says "You don't have permission to access /web_api/login on this server."

How could I troubleshoot the issue?

 

Code:

import getpass
from cpapi import APIClient, APIClientArgs

api_server = "fwmgr"
username = input("Enter username: ")
password = getpass.getpass("Enter password: ")

client_args = APIClientArgs(server=api_server)
client = APIClient(client_args)

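# Record every API call and response for troubleshooting
client.debug_file = "api_calls.json"
login_res = client.login(username, password)
# error_message is only meaningful when the login did not succeed
if login_res.success is False:
    print(login_res.error_message)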

Error message returned:

cpapi.api_exceptions.APIException('APIResponse received a response which is not a valid JSON.',
                                  b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don\'t have permission to access /web_api/login\non this server.<br />\n</p>\n</body></html>\n')

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
The reason you are seeing the error is the API server is only available from 127.0.0.1 (localhost) by default.
To fix this, see: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641#M2011
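
Added example, not part of the original thread or of the Check Point SDK: a small triage helper that separates the case in this thread (an HTML 403 from the web server, so the request never reached the API) from a JSON reply produced by the API itself. The function name, the JSON field names in the constructed samples (`sid`, `code`, `message`) and the hint text are assumptions of this example.

```python
import json
import re

# Constructed sample: the body shown in the question's APIException.
SAMPLE_403 = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    b'<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n'
    b"<p>You don't have permission to access /web_api/login\n"
    b'on this server.<br />\n</p>\n</body></html>\n'
)
# Constructed samples of JSON replies from the API (field names assumed).
SAMPLE_OK = b'{"sid": "constructed-session-id", "session-timeout": 600}'
SAMPLE_ERR = b'{"code": "err_login_failed", "message": "Authentication failed."}'

HINT_403 = (
    "Rejected by the web server before the API saw the request: "
    "run 'api status' on the management server, check which client "
    "addresses are accepted, then 'api restart' after any change."
)

def triage_login_response(body: bytes) -> dict:
    """Classify a raw response body from /web_api/login."""
    text = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None  # not JSON: fall through to the HTML checks
    if isinstance(doc, dict):
        if "sid" in doc:
            return {"kind": "logged-in", "hint": "Session established."}
        return {"kind": "api-error",
                "hint": f"API answered: {doc.get('code')}: {doc.get('message')}"}
    title = re.search(r"<title>\s*(\d{3})\s+([^<]*)</title>", text, re.I)
    path = re.search(r"permission to access\s+(\S+)", text)
    if title and title.group(1) == "403":
        return {"kind": "web-server-403",
                "path": path.group(1) if path else None,
                "hint": HINT_403}
    return {"kind": "unknown", "hint": "Not JSON and not a recognised 403 page."}

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_OK, SAMPLE_ERR):
        result = triage_login_response(sample)
        print(result["kind"], "-", result["hint"])
```

If the address restriction turns out to be the cause, widen it only as far as the client hosts that actually need the API.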

15 Replies
Martin_Raska
Advisor
Check the API access setting in the SmartConsole, try -all IP addresses.
0 Kudos
Albert_Chang
Explorer
Hi Martin,

Do you mean to configure an access control rule for API access? Do you have an example?

We already enabled SSH 443 to the firewall manager. Do we need to enable anything else?
0 Kudos
PhoneBoy
Admin
Admin
0 Kudos
Albert_Chang
Explorer
Thanks for the reply, PhoneBoy.

I am using the Check Point API Python Development Kit for Python, so I don't need to specify the "web_api" string in the URL.

https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
0 Kudos
ottis79
Explorer

Hi PhoneBoy

 

I have the same problem:

 

<body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /web_api/login
        on this server.<br />
</p>
</body>
 
I'm trying to enable the API by mgmt cli:
 
login: admin                                                                    
Password:
Last login: Tue Apr  6 15:28:58 on pts/2
gw-6825d9> mgmt login user admin password xxxx domain "MDS"
 
and then 

gw-6825d9> mgmt_cli -r true set api-settings accepted-api-calls-from "All IP Addresses"
 
but I have the 403 error. Do you have a suggestion to activate the API?
 
thanks
Ottavio
0 Kudos
PhoneBoy
Admin
Admin

You haven't restarted the API server?

0 Kudos
ottis79
Explorer

Hi 

Thanks for your reply. Yes, I did, with the command:

api restart 

0 Kudos
PhoneBoy
Admin
Admin

What does api status say?

0 Kudos
ottis79
Explorer

Api status: started

0 Kudos
PhoneBoy
Admin
Admin

What precise IP are you connecting to here?
It should be the CMA/Domain IP.

0 Kudos
ottis79
Explorer

My R80 IP is https://192.0.2.80, I'm trying to connect from 192.0.2.81

0 Kudos
PhoneBoy
Admin
Admin

You're either not connecting to the correct IP or there's an issue the TAC probably needs to assist you with. 

0 Kudos
ottis79
Explorer

Hi PhoneBoy

I think the IP is correct because I get a 403 error from R80. I'm not sure that with mgmt_cli I enabled the API to accept all IP addresses. Is it possible to check the configuration from the GUI?

Thanks

Ottavio 

0 Kudos
PhoneBoy
Admin
Admin

SmartConsole will only give you the status of the flag.
It won't give you the full details, which api status will give you.
If you're still having issues, you may want to review the file created by api status -s.
And, like I said, a TAC case may be in order.

0 Kudos