Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Hugo_vd_Kooij
Advisor

R80.10 API bug: fallback to "SmartCenter Only" after reboot

I think I found a bug in R80.10 SmartCenter.

The API service does not start with the correct access mode at reboot.

[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 21884
CPM Started 4333 Check Point Security Management Server is running and ready
FWM Started 3823

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@mgmt:0]# shutdown -r now

Broadcast message from admin (pts/1) (Tue Aug 8 16:48:16 2017):

The system is going down for reboot NOW!
[Expert@mgmt:0]#
login as: admin
This system is for authorized use only.
admin@mgmt.hvdk.qilab.lan's password:
Last login: Tue Aug 8 12:54:37 2017 from dc01.hvdk.qilab.lan
[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Starting 4912
CPM Started 4297 Check Point Security Management Server is during initialization
FWM Started 3831

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Starting
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@mgmt:0]# api restart
2017-Aug-08 16:56:43 - Stopping API...
2017-Aug-08 16:56:45 - API stopped successfully.
2017-Aug-08 16:56:45 - Starting API...
. . . . . . . . . . . . .
2017-Aug-08 16:57:44 - API started successfully.
[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 12728
CPM Started 4297 Check Point Security Management Server is running and ready
FWM Started 3831

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
9 Replies
Hugo_vd_Kooij
Advisor

And I am up-to-date on patches:

[Expert@mgmt:0]# cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10

[KAV]
HOTFIX_R80_10

[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 001
This is Check Point's software version R80.10 - Build 423

[SecurePlatform]
HOTFIX_R80_10_JUMBO_HF Take: 24

[CPinfo]
No hotfixes..

[DIAG]
HOTFIX_R80_10

[SmartPortal]
No hotfixes..

[Reporting Module]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[CPuepm]
HOTFIX_R80_10

[VSEC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[SmartLog]
HOTFIX_R80_10

[MGMTAPI]
No hotfixes..

[R7520CMP]
HOTFIX_R80_10

[R7540CMP]
HOTFIX_R80_10

[R7540VSCMP]
HOTFIX_R80_10

[R76CMP]
HOTFIX_R80_10

[SFWR77CMP]
HOTFIX_R80_10

[R77CMP]
HOTFIX_R80_10

[R75CMP]
HOTFIX_R80_10

[NGXCMP]
HOTFIX_R80_10

[EdgeCmp]
HOTFIX_R80_10

[SFWCMP]
HOTFIX_R80_10

[FLICMP]
HOTFIX_R80_10

[SFWR75CMP]
HOTFIX_R80_10

[CPUpdates]
BUNDLE_R80_10_JUMBO_HF_SC Take: 18
BUNDLE_R80_10_JUMBO_HF Take: 24

[rtm]
No hotfixes..

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin

Just so that I understand the steps:

1. You configured the API to allow anyone to connect through SmartConsole.

2. You rebooted the management.

3. When the management started up, it started up in "allow 127.0.0.1" mode (which means SmartConsole only)

4. By restarting the api server, it started up with the correct setting (i.e. allow anyone to connect via API).

Did I read those steps correctly? 

For what it's worth, I was unable to reproduce the issue.

0 Kudos
Hugo_vd_Kooij
Advisor

There is a slight but not insignificant difference. I have set API to the GUI client list. As I am not compfortable with opening this just to everyone.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin

From a reproduction standpoint, it's a significant enough difference... Smiley Happy

In my output, though, it doesn't show "all granted" when I specify a specific host/subnet, it actually lists the specific host/subnets that are allowed.

One thing I did notice is that shortly after reboot, the API does restrict access to itself during the initial startup:

[Expert@mgmt:0]# api status

API Settings:      

---------------------

Accessibility:                      Require ip  127.0.0.1    

Automatic Start:                    Enabled                  

Processes:      

Name      State     PID       More Information

-------------------------------------------------

API       Starting  5246                

CPM       Started   4748      Check Point Security Management Server is during initialization

FWM       Started   4233                

Port Details:      

-------------------

JETTY Internal Port:      50276          

APACHE Gaia Port:         443            

--------------------------------------------

Overall API Status: Starting

--------------------------------------------

Notes:      

------------

To collect troubleshooting data, please run 'api status -s <comment>'

It looks like that setting persists after initialization has completed and restarting the API server is required to clear it.

Please open a TAC case. 

Uri Bialik

0 Kudos
Ofir_Shikolski
Employee
Employee

Per the admin guide is needed to restart the API:

SmartConsole R80.10 

Management API Settings

  • Startup Settings
    • Select Automatic start to automatically start the API server when the Security Management Server starts.

      In these environments, Automatic start is selected by default:

      • Distributed Security Management Servers (without gateway functionality) with at least 4GB of RAM
      • Standalone Security Management Servers (with gateway functionality) with at least 8GB of RAM

    In other environments, to reduce the memory consumption on the management server, Automatic start is not selected by default.

  • Access Settings

    Configure IP addresses from which the API server accepts requests:

    • Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests.
    • All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server.
    • All IP addresses - API server will accept scripts and web-service requests from any device.

To apply changes, you must publish the session, and run the api restart command on the Security Management Server.

0 Kudos
PhoneBoy
Admin
Admin

The problem happens after you restart the API server, confirm the setting is correct, THEN reboot the management.

The API server starts up with the wrong setting (restricted to localhost versus the IPs/networks you configured).

A restart of the API server should not be required in this case.

Hugo_vd_Kooij
Advisor

See also: 1-9692776081

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
Advisor

Solved in Take 37!

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
PhoneBoy
Admin
Admin

Noticed it in the list of issues this morning Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events