I think I found a bug in R80.10 SmartCenter.
The API service does not start with the correct access mode at reboot.
[Expert@mgmt:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 21884
CPM Started 4333 Check Point Security Management Server is running and ready
FWM Started 3823
Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@mgmt:0]# shutdown -r now
Broadcast message from admin (pts/1) (Tue Aug 8 16:48:16 2017):
The system is going down for reboot NOW!
[Expert@mgmt:0]#
login as: admin
This system is for authorized use only.
admin@mgmt.hvdk.qilab.lan's password:
Last login: Tue Aug 8 12:54:37 2017 from dc01.hvdk.qilab.lan
[Expert@mgmt:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Starting 4912
CPM Started 4297 Check Point Security Management Server is during initialization
FWM Started 3831
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Starting
--------------------------------------------
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@mgmt:0]# api restart
2017-Aug-08 16:56:43 - Stopping API...
2017-Aug-08 16:56:45 - API stopped successfully.
2017-Aug-08 16:56:45 - Starting API...
. . . . . . . . . . . . .
2017-Aug-08 16:57:44 - API started successfully.
[Expert@mgmt:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 12728
CPM Started 4297 Check Point Security Management Server is running and ready
FWM Started 3831
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
And I am up-to-date on patches:
[Expert@mgmt:0]# cpinfo -y all
This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10
[KAV]
HOTFIX_R80_10
[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24
[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24
FW1 build number:
This is Check Point Security Management Server R80.10 - Build 001
This is Check Point's software version R80.10 - Build 423
[SecurePlatform]
HOTFIX_R80_10_JUMBO_HF Take: 24
[CPinfo]
No hotfixes..
[DIAG]
HOTFIX_R80_10
[SmartPortal]
No hotfixes..
[Reporting Module]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24
[CPuepm]
HOTFIX_R80_10
[VSEC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24
[SmartLog]
HOTFIX_R80_10
[MGMTAPI]
No hotfixes..
[R7520CMP]
HOTFIX_R80_10
[R7540CMP]
HOTFIX_R80_10
[R7540VSCMP]
HOTFIX_R80_10
[R76CMP]
HOTFIX_R80_10
[SFWR77CMP]
HOTFIX_R80_10
[R77CMP]
HOTFIX_R80_10
[R75CMP]
HOTFIX_R80_10
[NGXCMP]
HOTFIX_R80_10
[EdgeCmp]
HOTFIX_R80_10
[SFWCMP]
HOTFIX_R80_10
[FLICMP]
HOTFIX_R80_10
[SFWR75CMP]
HOTFIX_R80_10
[CPUpdates]
BUNDLE_R80_10_JUMBO_HF_SC Take: 18
BUNDLE_R80_10_JUMBO_HF Take: 24
[rtm]
No hotfixes..
Just so that I understand the steps:
1. You configured the API to allow anyone to connect through SmartConsole.
2. You rebooted the management.
3. When the management started up, it started up in "allow 127.0.0.1" mode (which means SmartConsole only).
4. By restarting the api server, it started up with the correct setting (i.e. allow anyone to connect via API).
Did I read those steps correctly?
For what it's worth, I was unable to reproduce the issue.
There is a slight but not insignificant difference. I have set API to the GUI client list, as I am not comfortable with opening this just to everyone.
From a reproduction standpoint, it's a significant enough difference...
In my output, though, it doesn't show "all granted" when I specify a specific host/subnet, it actually lists the specific host/subnets that are allowed.
One thing I did notice is that shortly after reboot, the API does restrict access to itself during the initial startup:
[Expert@mgmt:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Starting 5246
CPM Started 4748 Check Point Security Management Server is during initialization
FWM Started 4233
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Starting
--------------------------------------------
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
It looks like that setting persists after initialization has completed and restarting the API server is required to clear it.
Please open a TAC case.
Per the admin guide, it is needed to restart the API:
In these environments, Automatic start is selected by default:
In other environments, to reduce the memory consumption on the management server, Automatic start is not selected by default.
Configure IP addresses from which the API server accepts requests:
mgmt_cli utility to send API requests. To apply changes, you must publish the session, and run the api restart command on the Security Management Server.
The problem happens after you restart the API server, confirm the setting is correct, THEN reboot the management.
The API server starts up with the wrong setting (restricted to localhost versus the IPs/networks you configured).
A restart of the API server should not be required in this case.
See also: 1-9692776081
Solved in Take 37!
Noticed it in the list of issues this morning
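A post-reboot check for the condition discussed in this thread, as an added example that is not part of the original posts and is not Check Point code: it classifies `api status` output so that a server which reports Started while still showing the localhost-only access setting stands out from one that is merely still starting. The function and sample names are hypothetical, and it assumes the configured access setting is something other than 127.0.0.1.

```shell
#!/bin/bash
# Added example (not Check Point code): classify `api status` text read on stdin.
#   starting        API not fully up; the localhost-only setting is expected here
#   localhost-only  API reports Started but is still restricted to 127.0.0.1
#   ok              API reports Started with some other access setting
#   unknown         expected fields were not found
classify_api_status() {
    awk '
        /^Accessibility:/ {
            sub(/^Accessibility:[ \t]*/, ""); gsub(/[ \t\r]+$/, ""); access = $0
        }
        /^Overall API Status:/ {
            sub(/^Overall API Status:[ \t]*/, ""); gsub(/[ \t\r]+$/, ""); overall = $0
        }
        END {
            if (access == "" || overall == "")    { print "unknown"; exit }
            if (overall != "Started")             { print "starting"; exit }
            if (access == "Require ip 127.0.0.1") { print "localhost-only"; exit }
            print "ok"
        }'
}

# Excerpt of the post-reboot output shown in the thread.
sample_starting() {
    printf '%s\n' 'Accessibility: Require ip 127.0.0.1' \
                  'Automatic Start: Enabled' \
                  'Overall API Status: Starting'
}

# Constructed: the stuck state described in the thread (Started, still localhost).
sample_stuck() {
    printf '%s\n' 'Accessibility: Require ip 127.0.0.1' \
                  'Automatic Start: Enabled' \
                  'Overall API Status: Started'
}

# Excerpt of the output shown in the thread after `api restart`.
sample_ok() {
    printf '%s\n' 'Accessibility: Require all granted' \
                  'Automatic Start: Enabled' \
                  'Overall API Status: Started'
}

# On the management server: api status | classify_api_status
```

A `localhost-only` result once startup has finished is the state that the thread resolves with `api restart`.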