Re: R80.10 API bug: fallback to "SmartCenter Only"...

Hugo_vd_Kooij · ‎2017-08-08

I think I found a bug in R80.10 SmartCenter.

The API service does not start with the correct access mode at reboot.

[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 21884
CPM Started 4333 Check Point Security Management Server is running and ready
FWM Started 3823

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@mgmt:0]# shutdown -r now

Broadcast message from admin (pts/1) (Tue Aug 8 16:48:16 2017):

The system is going down for reboot NOW!
[Expert@mgmt:0]#
login as: admin
This system is for authorized use only.
admin@mgmt.hvdk.qilab.lan's password:
Last login: Tue Aug 8 12:54:37 2017 from dc01.hvdk.qilab.lan
[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Starting 4912
CPM Started 4297 Check Point Security Management Server is during initialization
FWM Started 3831

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Starting
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@mgmt:0]# api restart
2017-Aug-08 16:56:43 - Stopping API...
2017-Aug-08 16:56:45 - API stopped successfully.
2017-Aug-08 16:56:45 - Starting API...
. . . . . . . . . . . . .
2017-Aug-08 16:57:44 - API started successfully.
[Expert@mgmt:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 12728
CPM Started 4297 Check Point Security Management Server is running and ready
FWM Started 3831

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Hugo_vd_Kooij · ‎2017-08-08

And I am up-to-date on patches:

[Expert@mgmt:0]# cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10

[KAV]
HOTFIX_R80_10

[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 001
This is Check Point's software version R80.10 - Build 423

[SecurePlatform]
HOTFIX_R80_10_JUMBO_HF Take: 24

[CPinfo]
No hotfixes..

[DIAG]
HOTFIX_R80_10

[SmartPortal]
No hotfixes..

[Reporting Module]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[CPuepm]
HOTFIX_R80_10

[VSEC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 24

[SmartLog]
HOTFIX_R80_10

[MGMTAPI]
No hotfixes..

[R7520CMP]
HOTFIX_R80_10

[R7540CMP]
HOTFIX_R80_10

[R7540VSCMP]
HOTFIX_R80_10

[R76CMP]
HOTFIX_R80_10

[SFWR77CMP]
HOTFIX_R80_10

[R77CMP]
HOTFIX_R80_10

[R75CMP]
HOTFIX_R80_10

[NGXCMP]
HOTFIX_R80_10

[EdgeCmp]
HOTFIX_R80_10

[SFWCMP]
HOTFIX_R80_10

[FLICMP]
HOTFIX_R80_10

[SFWR75CMP]
HOTFIX_R80_10

[CPUpdates]
BUNDLE_R80_10_JUMBO_HF_SC Take: 18
BUNDLE_R80_10_JUMBO_HF Take: 24

[rtm]
No hotfixes..

PhoneBoy · ‎2017-08-08

Just so that I understand the steps:

1. You configured the API to allow anyone to connect through SmartConsole.

2. You rebooted the management.

3. When the management started up, it started up in "allow 127.0.0.1" mode (which means SmartConsole only)

4. By restarting the api server, it started up with the correct setting (i.e. allow anyone to connect via API).

Did I read those steps correctly?

For what it's worth, I was unable to reproduce the issue.

Hugo_vd_Kooij · ‎2017-08-14

There is a slight but not insignificant difference. I have set API to the GUI client list. As I am not compfortable with opening this just to everyone.

PhoneBoy · ‎2017-08-14

From a reproduction standpoint, it's a significant enough difference...

In my output, though, it doesn't show "all granted" when I specify a specific host/subnet, it actually lists the specific host/subnets that are allowed.

One thing I did notice is that shortly after reboot, the API does restrict access to itself during the initial startup:

[Expert@mgmt:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Starting 5246
CPM Started 4748 Check Point Security Management Server is during initialization
FWM Started 4233
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Starting
--------------------------------------------
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

It looks like that setting persists after initialization has completed and restarting the API server is required to clear it.

Please open a TAC case.

Uri Bialik‌

Ofir_Shikolski · ‎2017-08-14

Per the admin guide is needed to restart the API:

SmartConsole R80.10

Management API Settings

Startup Settings
- Select Automatic start to automatically start the API server when the Security Management Server starts.
  In these environments, Automatic start is selected by default:
  - Distributed Security Management Servers (without gateway functionality) with at least 4GB of RAM
  - Standalone Security Management Servers (with gateway functionality) with at least 8GB of RAM
In other environments, to reduce the memory consumption on the management server, Automatic start is not selected by default.
Access Settings
Configure IP addresses from which the API server accepts requests:
- Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests.
- All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server.
- All IP addresses - API server will accept scripts and web-service requests from any device.

To apply changes, you must publish the session, and run the api restart command on the Security Management Server.

PhoneBoy · ‎2017-08-14

The problem happens after you restart the API server, confirm the setting is correct, THEN reboot the management.

The API server starts up with the wrong setting (restricted to localhost versus the IPs/networks you configured).

A restart of the API server should not be required in this case.

Hugo_vd_Kooij · ‎2017-08-15

R80.10 API bug: fallback to "SmartCenter Only" after reboot

Management API Settings

API - Host creation

I want to filter firewall policy with NOT dst:192....

R80 NAT logs for RO accounts

R80 - SAM rules exception?

After MGMT upgrade to R80.40 - backups are smaller