Harald_Hansen
Advisor

Iterate through CMAs; disable API Remote Call Frequency Limit

While developing scripts iterating through multiple domains I need to be able to log in to more than three domains a minute. I'm having problems when logging in to the third CMA in a row, and I found the following limit:

https://community.checkpoint.com/t5/API-CLI-Discussion/Heads-up-Management-API-Remote-calls-frequenc...

How do I disable the above limit? 

I've noticed the login-to-domain api command, though I cannot get this command to behave as expected. I use the Python API with

cmaName = "CMAname"
client.api_call('login-to-domain', {'domain' : cmaName})

Best regards,
Harald

0 Kudos
8 Replies
PhoneBoy
Admin

I don't believe you can disable this limit, which is there to keep the API server performant.

Did you log into the System Domain first, as noted in the API documentation?
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login-to-domain~v1.8%20 

0 Kudos
Harald_Hansen
Advisor


@PhoneBoy wrote:

I don't believe you can disable this limit, which is there to keep the API server performant.


An artificial limit with a "one size fits all" approach is bad systems design. 


@PhoneBoy wrote:

I don't believe you can disable this limit, which is there to keep the API server performant.

Did you log into the System Domain first, as noted in the API documentation?
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login-to-domain~v1.8%20 


Yes, I set domain = System Domain, then did the call to log in to each CMA and looked for policy packages unique to each of them. I'll have to look into it another time.

I really wish CP sent RnD-developers out into the real world for some hands-on experience with the products they create. Every developer should be a user once in a while.

0 Kudos
PhoneBoy
Admin

Perhaps @Omer_Kleinstern can provide some additional rationale behind this limit. 
Meanwhile, it seems like performing these actions in sequence (versus in parallel) would yield appropriate results. 

When you say login-to-domain doesn't behave as expected:

  • What is the precise behavior you expected?
  • What are the precise results you got?

I suspect a larger code sample would be helpful here.
In any case, more details are needed to understand what the precise issue is.

0 Kudos
Harald_Hansen
Advisor

Code:

# Utilizing the Python API here:
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server=api_server, fingerprint='x')
with APIClient(client_args) as client:
    login = client.login_with_api_key(api_key, domain="System Data")
    api_result = client.api_call('show-domains')
    if api_result.success:
        for cpobject in api_result.data['objects']:
            # Log in to each domain in turn
            loginCMA = client.api_call('login-to-domain', {'domain': cpobject["name"]})

In the for loop I check certain CMA specific calls. None give me the expected result.

Also, I do not perform these in parallel, I work on one CMA at a time. Sometimes my checks take less than the artificial limit of three logins a minute. I could create timers, though that is just a solution to a problem caused by improper design in the first place.

@Omer_Kleinstern: Why do you create these speed bumps in your code? Why are modern web APIs capable of hundreds of logins per second and this API is not? We use powerful servers and expect better than this.

0 Kudos
Harald_Hansen
Advisor

I found the solution in that login-to-domain just creates a new SID, it does not change the existing context. In that sense one has to create another APIClient to run api_call on.

from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server=api_server, fingerprint='x')
with APIClient(client_args) as client:
    login = client.login_with_api_key(api_key, domain="System Data")
    api_result = client.api_call('show-domains')
    if api_result.success:
        for cpobject in api_result.data['objects']:
            # login-to-domain returns a new SID for the domain session
            login2 = client.api_call('login-to-domain', {'domain': cpobject["name"]})
            if not login2.success:
                print(login2.error_message)
                continue  # no SID to work with; skip this domain
            # Establish an API client connection per domain, using the new SID
            client_args2 = APIClientArgs(server=api_server, fingerprint='x', sid=login2.data['sid'])
            with APIClient(client_args2) as client2:
                api_result2 = client2.api_call('show-packages')
                print(api_result2)

I wish the API had better documentation on the intended use of the commands. There is absolutely no hint that one has to switch to use another SID after using this call.

0 Kudos
PhoneBoy
Admin

This is basically a variant of the "login" API call, which returns a SID as a successful result.
In this case, it's using one session to create another.

That said, the API documentation can always be improved.

0 Kudos
Omer_Kleinstern
Employee

Hi Harald,

There is no limit to the number of domains you can login to, the limit is 3 logins per minute for each admin to a specific domain.

The login-to-domain API functionality is similar to SmartConsole where you can login to a domain from the MDS level, a new SmartConsole opens to the domain while the SmartConsole to the MDS level remains open. We will improve the documentation to make it more clear.

Regarding your use case, in future Jumbo Hotfixes, there will be an option to show policy packages of all domains from the MDS level and login to all domains will not be needed.

Thanks,

Omer

0 Kudos
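A client-side throttle for the limit described in the reply above (3 logins per minute for each admin to a specific domain), as an added example that is not part of the original thread or of Check Point's SDK. The class and function names are hypothetical, and `client` is assumed to be any object exposing the SDK's `api_call(command, payload)` method.

```python
import time
from collections import defaultdict, deque


class DomainLoginThrottle:
    """Client-side sliding window: at most `limit` logins per `window`
    seconds for each (admin, domain) pair. The defaults (3 per 60 s) are
    the figures quoted in the thread, not values read from the server."""

    def __init__(self, limit=3, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self._stamps = defaultdict(deque)  # (admin, domain) -> login times

    def wait_time(self, admin, domain):
        """Seconds until another login for this pair fits in the window."""
        stamps, now = self._stamps[(admin, domain)], self.clock()
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget logins that have left the window
        if len(stamps) < self.limit:
            return 0.0
        return self.window - (now - stamps[0])

    def acquire(self, admin, domain):
        """Block until a login is allowed, record it, return the delay."""
        delay = self.wait_time(admin, domain)
        if delay > 0:
            self.sleep(delay)
        self._stamps[(admin, domain)].append(self.clock())
        return delay


def login_to_domain(client, throttle, admin, domain):
    """Throttled login-to-domain. Returns the new SID, which must be used
    on a separate client; raises if the server rejects the login."""
    throttle.acquire(admin, domain)
    reply = client.api_call('login-to-domain', {'domain': domain})
    if not reply.success:
        raise RuntimeError(f"login-to-domain {domain}: {reply.error_message}")
    return reply.data['sid']
```

The throttle only paces this one process; logins made by the same admin from other scripts or consoles are not counted.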
Harald_Hansen
Advisor


@Omer_Kleinstern wrote:

There is no limit to the number of domains you can login to, the limit is 3 logins per minute for each admin to a specific domain.

I logged in once to each domain; after MDS - CMA1 - CMA2 succeeded, CMA3, CMA4 ... were denied.

Please consider making this a variable, not a hard limit.


The login-to-domain API functionality is similar to SmartConsole where you can login to a domain from the MDS level, a new SmartConsole opens to the domain while the SmartConsole to the MDS level remains open. We will improve the documentation to make it more clear.


Thanks for clarifying this; now that I understand the concept I will use it when working on multiple CMAs.


Regarding your use case, in future Jumbo Hotfixes, there will be an option to show policy packages of all domains from the MDS level and login to all domains will not be needed.

That was just an example of what I wanted to achieve. Though it is good to have visibility from the MDS level.

0 Kudos
