---

@PhoneBoy wrote:

I don't believe you can disable this limit, which is there to keep the API server performant.

---

An artificial limit with a "one size fits all" approach is bad systems design. 

---

@PhoneBoy wrote:

I don't believe you can disable this limit, which is there to keep the API server performant.

Did you log into the System Domain first, as noted in the API documentation?
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login-to-domain~v1.8%20 

---

Yes, I set domain = System Domain, then did the call to login to each CMA and looked for policy packages unique to each of them. I'll have to look into it another time.

I really wish CP sent RnD-developers out into the real world for some hands on experience with the products they create. Every developer should be a user once in a while.

Perhaps @Omer_Kleinstern can provide some additional rationale behind this limit. 
Meanwhile, it seems like performing these actions in sequence (versus in parallel) would yield appropriate results. 

When you say login-to-domain doesn't behave as expected:

• What is the precise behavior you expected
• What are the precise results you got

I suspect a larger code sample would be helpful here.
In any case, more details are needed to understand what the precise issue is.

Code:

#utilizing the Python API here:
client_args = APIClientArgs(server=api_server,fingerprint='x')
with APIClient(client_args) as client:
    login = client.login_with_api_key(api_key, domain="System Data")
    api_result = client.api_call('show-domains')
    if api_result.success:
        for cpobject in api_result.data['objects']:
           loginCMA = client.api_call('login-to-domain', {'domain' : cpobject["name"]})

In the for loop I check certain CMA specific calls. None give me the expected result.

Also, I do not perform these in parallel, I work on one CMA at a time. Sometimes my checks takes less than the artificial limit of three logins a minute. I could create timers, though that is just a solution to a problem caused by improper design in the first place.

@Omer_Kleinstern: Why do you create these speed bumps in your code? Why are modern web APIs capable of hundreds of logins per second and this API is not? We use powerful servers and expect better than this.

I found the solution in that login-to-domain just creates a new SID, it does not change the existing context. In that sense one has to create another APIClient to run api_call on.

client_args = APIClientArgs(server=api_server,fingerprint='x')
with APIClient(client_args) as client:
    login = client.login_with_api_key(api_key, domain="System Data")
    api_result = client.api_call('show-domains')
    if api_result.success:
        for cpobject in api_result.data['objects']:
            # Establish a API Client connection pr domain to retrive all gateways and hosts
            login2 = client.api_call('login-to-domain', {'domain' : cpobject["name"]})
            if not login2.success:
                print(login2.error_message)
            # Establish a API Client connection pr domain to retrive all gateways and hosts
            client_args2 = APIClientArgs(server=api_server,fingerprint='x', sid=login2.data[sid])
            with APIClient(client_args2) as client2:
                
                api_result2 = client2.api_call('show-packages')
                print(api_result2)

I wish the API had better documentation on the intended use of the commands. There is absolutely no hint that one has to switch to use another SID after using this call.

This is basically a variant of the "login" API call, which returns a SID as a successful result.
In this case, it's using one session to create another.

That said, the API documentation can always be improved.

Hi Harald,

There is no limit to the number of domains you can login to, the limit is 3 logins per minute for each admin to a specific domain.

The login-to-domain API functionality is similar to SmartConsole where you can login to a domain from the MDS level, a new SmartConsole opens to the domain while the SmartConsole to the MDS level remains open. We will improve the documentation to make it more clear.

Regarding your use case, in future Jumbo Hotfixes, there will be an option to show policy packages of all domains from the MDS level and login to all domains will not be needed.

Thanks,

Omer

---

@Omer_Kleinstern wrote:

There is no limit to the number of domains you can login to, the limit is 3 logins per minute for each admin to a specific domain.

I logged in once to each domain, after MDS - CMA1 - CMA2 succeeded, CMA3, CMA4 ... was denied.

Please consider making this a variable, not a hard limit.

---

The login-to-domain API functionality is similar to SmartConsole where you can login to a domain from the MDS level, a new SmartConsole opens to the domain while the SmartConsole to the MDS level remains open. We will improve the documentation to make it more clear.

---

Thanks for clarifying this; now that I understand the concept I will use it when working on multiple CMAs.

---

Regarding your use case, in future Jumbo Hotfixes, there will be an option to show policy packages of all domains from the MDS level and login to all domains will not be needed.

That was just an example on what I wanted to achieve. Though it is good to have visibility from the MDS level.