This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
oded_mass
Participant
‎2023-05-23 01:38 AM

unable to api login to system data domain in some versions of R81.10

Hi,

I am getting errors trying to login to the "system data" domain on some R81.10 machines.

using the rest api: POST https://<ip>/web_api/login
it results with:
responseCode : 400, {"code":"err_login_failed","message":"Authentication to server failed."}

loging in to other domains of these machines works fine.

this happens on some R81.10 machine but not on others. (api version on the machine is 1.8)

Is it a known problem? Is there a solution.

Thanks

0 Kudos
14 Replies
Amir_Senn
Employee
Employee
‎2023-05-23 03:53 AM

Can you share the syntax you used in the command?

Also, if you try this command locally using SSH, is there any different result?

Kind regards, Amir Senn
0 Kudos
the_rock
Legend
Legend
‎2023-05-23 07:54 AM

Dont believe it is a known issue. As @Amir_Senn asked, maybe send us the exact syntax you are using. Its certainly odd it happens only on some machines.

Andy

0 Kudos
oded_mass
Participant
‎2023-05-23 08:12 AM
In response to the_rock

Hellow,

the command is: https://<the ip-address>/web_api/login
the HTTP Method is: POST
and the body is:
{
"user": "the-user",
"password": "the-password",
"domain": "System Data",
"session-timeout": "60"
}

0 Kudos
the_rock
Legend
Legend
‎2023-05-23 09:11 AM
In response to oded_mass

Is it same if you try https://ip_address/web_api_login ?

Andy

0 Kudos
oded_mass
Participant
‎2023-05-23 10:12 AM
In response to the_rock

I do not understand. the documentation for login is:

{{server}}/login

for example https://192.168.0.120/web_api/login
this is what I do (of course with the relevant ip address)

 

0 Kudos
the_rock
Legend
Legend
‎2023-05-23 10:36 AM
In response to oded_mass

I went to that link and it showed me web_api_login...not sure if it makes a difference, but it did work.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-23 01:05 PM
In response to oded_mass

Are you sure the same credentials work, e.g. with SmartConsole?
Have you confirmed the configured user has API access as part of their permissions profile?
If so, then you may want to get the TAC involved: https://help.checkpoint.com

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-05-23 05:42 PM
In response to PhoneBoy

Also is the API set up to allow remote connections? By default, it doesn't. mgmt_cli local on the management will work, but HTTPS connections won't.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2023-05-23 10:43 PM
In response to Bob_Zimmerman

Step 1 should be to run `api status` on the SmartCenter (or MDS).

Step 2 is check access rights for named account.

Step 3 is test with mgmt_cli and same account.

....

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
oded_mass
Participant
‎2023-05-24 12:40 AM
In response to Hugo_vd_Kooij

The login to "system data" domain is only a part of what my program does.
All other requests work fine.
The program logs in (with no domain name) and gets information about gateways and servers list of domains and other. This all work fine with the same credentials.
It then tries to login to the "System Data". this fails on some machines.
Then depending it it is a multi domain system or not if logs in to the appropriate domain and gets information about "firewall policies and rules". This also works ok with the same credentials.

0 Kudos
the_rock
Legend
Legend
‎2023-05-24 06:00 AM
In response to oded_mass

Can you send output of api status?

0 Kudos
Amir_Senn
Employee
Employee
‎2023-05-25 01:03 AM
In response to oded_mass

Try to connect without the domain name:

{
"user": "the-user",
"password": "the-password",
"session-timeout": "60"
}

Kind regards, Amir Senn
oded_mass
Participant
‎2023-05-25 10:36 AM
In response to Amir_Senn

This works and I am using this (no domain) for some API requests.
However  for the /show-administrators request I must login to the "System Data" domain.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-05-25 11:01 AM
In response to oded_mass

How about logging in with the same credentials locally on the system via 'mgmt_cli -d "System Data" login'?

If that doesn't work, does local root? 'mgmt_cli -d "System Data" -r true login'

If login via HTTP call fails but local works, that points towards the web service. If local login with the same credentials still fails, but local login with the local root works, that points to permissions.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top