web api locks the section after using "add-access-rule"
Hi everyone,
I am trying to use the add-access-rule API to create a rule on top. It pushes the change and publishes with a 200 status code the first time, but it doesn't show the change in SmartConsole. Also, after that, it locks that particular section.
Below is the body:
body_add_new_rule = {
    "layer": layer,
    "position": 2,
    "name": name,
    "action": "Accept",
    "service": "any",
    "destination": dst_node,
    "source": src_node,
    "track": {
        "type": "Log"
    }
}
This is the response the API returns:
{'code': 'generic_error', 'message': "Runtime error: Object 'SHC Space at SOM' is locked by another session."}
FYI - I use the "logout" command to log out after each API call to make sure the session doesn't get stuck. I have verified it in SmartConsole, and the session disconnects with no issue.
I would appreciate it if you can help me with this. It is pretty much stopping me from developing my app.
Accepted Solutions
Any (set of) changes made via the API are done as part of a session.
This also applies to changes made via SmartConsole.
That session must either be published or discarded with an explicit API call.
If you do neither, some objects/changes made via that session will remain locked.
Once the relevant session is published/discarded, the lock should be removed.
This is done to prevent conflicting changes from being made.
Thank you so much. I actually was able to find all the web-api sessions with "show-sessions" and discard them. I am unlocked now. pphhewwww
Thanks so much for your prompt response.
Recently, a session didn't get logged out of (my bad) and I was getting object was locked, the user group actually had a lock on it in dashboard. I was able to use this command to find a session id, that wasn't showing up with show-session, then I was able to discard it.
psql_client cpm postgres -c "select username,objid, applicationname from worksession where state='OPEN';"
Do I have to use the same uid that was generated initially when I created the session with "login"?
I am doing show-sessions to find it, but I can't tell which one is which.
The publish/discard action applies to the specified session uid.
I use the uid below to publish the change, but I get a 501 error. Not sure what I am doing wrong.
{'uid': '<the uid>',    ------->>>>> THIS UID
 'sid': 'WW0Z9DDxScwEYwMtbdLtRwK9IGOrLawwN0_FKWmgAEU',
 'url': 'https://<myFW>:443/web_api',
 'session-timeout': 600,
 'last-login-was-at': {'posix': 1607307607855, 'iso-8601': '2020-12-06T18:20-0800'},
 'api-server-version': '1.5'}
You sure that uid is active? (i.e. does it show in show-sessions)
When login happens, I instantly use the sid to call other API commands, but when I use the uid to publish the change, it throws an error. FYI - I am doing this in Python as well as Postman.
Yes, I just checked during the runtime of the code; the session is active and shows in show-sessions.
Below is the log of my app during the runtime.
FYI - I only kept the last 4 digits of the uid.
************ api_call for login and is being implemented ************
this is the sid generated in login time {'uid': '....... de04', 'sid': 'FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E', 'url': 'https://<FW_IP>:443/web_api', 'session-timeout': 600, 'last-login-was-at': {'posix': 1607366481903, 'iso-8601': '2020-12-07T10:41-0800'}, 'api-server-version': '1.5'}
-------- This is the UID of the Login Session: ....... de04 ---------
************ api_call for show-session and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************
################ this is the show session {'uid': '....... de04', 'type': 'session', 'domain': {'uid': '<domain uid>', 'name': 'MC-Core-DMS', 'domain-type': 'domain'}, ... omitted ....
************ api_call for add-access-rule and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************
************ Publish function is being implemented for ....... de04 ************
************ api_call for publish and FIaWmYwY6cJPKceMDVjnEo_3NgB20p8edyaEcIhlY1E is being implemented ************
############## add rule base function {'code': 'not_implemented', 'message': 'Publishing other than current session is not implemented'}
For reference, HTTP 5xx is a server-side error...
Run this command on the SMS in expert mode: tailf $FWDIR/log/api.elg and run your script again... At some point you should be able to see what's wrong.
Francesco,
Thanks for the reply. I get the same error even when I run it from Postman, although when I discard the session with the same uid it works fine.
So you are suggesting I check the log on the Check Point FW itself to see what's going on?
On the manager... not the firewall!
1. Connect to the SMS and run in expert mode: tailf $FWDIR/log/api.elg
2. Make your API calls to the SMS
3. Grab the output, and share it with us
From your output it seems that you are publishing a different session...
Understood, I will share that here shortly
Thanks
2020-12-07 12:13:14,636 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:19 [qtp1742603008-28] - Executing [publish] of version 1.5 (references 1)
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:42 [qtp1742603008-28] - Error code: [NOT_IMPLEMENTED]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException.log:43 [qtp1742603008-28] - Error message: [Publishing other than current session is not implemented]
2020-12-07 12:13:14,636 ERROR com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp1742603008-28] -
com.checkpoint.management.web_api_is.exceptions.WebApiGeneralException
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequest.normalize(PublishRequest.java:11)
at com.checkpoint.management.web_api_is.core.handler.base.request.ApiRequest.prepare(ApiRequest.java:3)
at com.checkpoint.management.web_api.core.handler.commands.session.publish.PublishRequestHandler.publish(PublishRequestHandler.java:6)
at sun.reflect.GeneratedMethodAccessor254.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:7)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:102)
at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)
at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at com.checkpoint.management.web_api.core.filter.LogCustomDebugFieldFilter.doFilter(LogCustomDebugFieldFilter.java:19)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:203)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:812)
2020-12-07 12:13:14,637 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp1742603008-28] - 2020-12-07,12:13:14 -0800,publish,FAILED,2
2020-12-07 12:13:14,638 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp1742603008-28] - Outbound Message
---------------------------
ID: 1585
Response-Code: 501
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Mon, 07 Dec 2020 20:13:14 GMT]}
Payload: {
"code" : "not_implemented",
"message" : "Publishing other than current session is not implemented"
}
--------------------------------------
Guys,
I got it working. Our firewall admin has enabled the "session description" at publish/install time, but I was not aware of it. When I added session-name and session-description, it fixed the issue.
Thank you so much for your suggestions and help.
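
Added example, not part of the thread and not Check Point code: a Python wrapper for the session lifecycle described in the accepted solution (every change set ends in an explicit publish or discard before logout), with the session-name and session-description from the last post sent at login. The `call` transport hook, `FakeManager` and its lock model, the credentials and the 400 status are constructed assumptions so the sketch runs offline.

```python
from contextlib import contextmanager
class ApiError(Exception): pass

def check(reply):
    status, body = reply
    if status != 200:
        raise ApiError(f"{status} {body.get('code')}: {body.get('message')}")
    return body

@contextmanager
def mgmt_session(call, user, password, name, description):
    # call(command, payload, sid) -> (status, body) is an assumed transport hook.
    fields = {"user": user, "password": password,
              "session-name": name, "session-description": description}
    sid = check(call("login", fields, None))["sid"]
    try:
        yield lambda command, payload: check(call(command, payload, sid))
        check(call("publish", {}, sid))   # empty body: publish the current session
    except Exception:
        call("discard", {}, sid)          # drop pending changes so locks are released
        raise
    finally:
        call("logout", {}, sid)           # always last, after publish or discard

class FakeManager:
    """Constructed stand-in for the server: records calls and locked layers."""
    def __init__(self):
        self.calls, self.locked = [], set()
    def __call__(self, command, payload, sid):
        self.calls.append(command)
        if command == "login":
            return 200, {"sid": "constructed-sid"}
        if command == "add-access-rule":
            if "name" not in payload:     # constructed failure case
                return 400, {"code": "generic_error", "message": "constructed"}
            self.locked.add(payload["layer"])
        if command in ("publish", "discard"):
            self.locked.clear()
        return 200, {}

def run(rules):
    server = FakeManager()
    try:
        with mgmt_session(server, "api_user", "example-pw", "rule push", "demo") as api:
            for rule in rules:
                api("add-access-rule", rule)
    except ApiError:
        pass
    return server.calls, server.locked
```

A real transport would POST each command to the `url` returned by login and send the `sid` in the `X-chkp-sid` header.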
