Solved: Re: API commands on gateways

Moudar · ‎2024-07-13

Hi

If I want to get info with json of my gateway interface I run this command:

mgmt_cli -r true show interface name "eth0" --context gaia_api --version 1.7 --format json

This command should run on mannagement server or gateway it self?

If i run it on management server I get this:

[Expert@SMS-TEST-API:0]# mgmt_cli -r true show interface name "eth0" --context gaia_api --version 1.7 --format json
{
   "code" : "generic_error",
   "message" : "Error 503. The Management API service is not available. Please check that the Management API server is up and running."
}

even if api status is this:

[Expert@SMS-TEST-API:0]# api status
------------
API Settings:oubleshooting data, please run 'api status -s <comment>'
---------------------
Accessibility:                      Require local
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   17939
CPM       Started   17939     Check Point Security Management Server is running and ready
FWM       Started   17559
APACHE    Started   16609

Port Details:
-------------------
JETTY Internal Port:               54316
JETTY Documentation Internal Port: 56451
APACHE Gaia Port:                  443

Profile:
-------------------
Machine profile:                   Small Medium env resources profile
CPM heap size:                     1280m

                          Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

and gaia api:

[Expert@SMS-TEST-API:0]# gaia_api status

API Status:
---------------------
Build: cp991255069
Uptime: 2 days, 0:36:33.266998
Current Sessions: Unknown
Latest Version: 1.6

Processes:

Name           State        PID
---------------------------------
GAIA_API       Started      16712
GAIA_API_DOCS  Started      16710
APACHE         Started      16609
CONFD          Started      16607
CLISHD         Started      55921 16675
CELERY         Started      16674
REDIS          Started      16678

Port Details:
-------------------
APACHE Gaia Port:         443

--------------------------------------------
Overall API Status: Stopped
- Error: Apache server unreachable
- Warning: Documentation server is unreachable
--------------------------------------------

if irun the command directly on the gateway i get this:

[Expert@A-GW-TEST:0]# mgmt_cli -r true show interface name "eth0" --context gaia_api --version 1.7 --format json
Error: Failed to login to the management server

[Expert@A-GW-TEST:0]# gaia_api status

API Status:
---------------------
Build: cp991255069
Uptime: 0:03:47.452001
Current Sessions: 0
Latest Version: 1.6

Processes:

Name           State        PID
---------------------------------
GAIA_API       Started      18650
GAIA_API_DOCS  Started      18648
APACHE         Started      18581
CONFD          Started      18579
CLISHD         Started      23264 22034 18643
CELERY         Started      18642
REDIS          Started      18646

Port Details:
-------------------
APACHE Gaia Port:         443

--------------------------------------------
Overall API Status: Started
--------------------------------------------

So, how and where can I run Gaia API commands?

Alex- · ‎2024-07-14

You have no hotfixes and sk143612 which describes the GAIA API states that R81.20 runs 1.6.

As of Take 43, it is updated by AutoUpdater but you can use the SK to download the 1.7 version on your test environment.

You will then have to install 1.7 manually.

View solution in original post

the_rock · ‎2024-07-13

Hey bro,

All API commands are ran on the management server.

Andy

the_rock · ‎2024-07-13

Here is good example buddy.

Andy

https://sc1.checkpoint.com/documents/latest/APIs/#cli/get-interfaces~v1.9.1%20

Moudar · ‎2024-07-13

The how to run Gaia APIs: !

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#introduction~v1.7%20

the_rock · ‎2024-07-13

But you dont run it on the fw, rather management server to get the data.

Moudar · ‎2024-07-13

running it on SMS i get this:

[Expert@SMS-TEST-API:0]# mgmt_cli -r true show interface name "eth0" --context gaia_api --version 1.7 --format json
{
   "code" : "generic_error",
   "message" : "Error 503. The Management API service is not available. Please check that the Management API server is up and running."
}

the_rock · ‎2024-07-13

Dont worry, I will test it in the lab once home and let you know, just biking/swimming/running now : - )

Andy

the_rock · ‎2024-07-13

Just ttried get interfaces flag, worked like a charm. Btw, dont see show interfaces option anywhere in API guide. Make sure, though most people would never change that, that web UI port for mgmt is NOT anything but 443.

clish -> show web ssl-port

Command I tested:

[Expert@CP-MANAGEMENT:0]# mgmt_cli get-interfaces target-name "CP-GW" with-topology true

Andy

Moudar · ‎2024-07-14

so why a command like:

mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json

does not work!

where can i find examples of "target-name" GAIA API or Management API, because i could not find any info there!

the_rock · ‎2024-07-14

I dont see show interfaces anywhere in API guide, sorry. Below is what I ran yesterday.

Andy

Moudar · ‎2024-07-14

what about these commands, so where do you run these commands?

Alex- · ‎2024-07-14

@the_rock your reference is the Management API, the question here is about the GAIA API.

You run the GAIA API on the gateway with an enabled user used to log into it. This is all described here:

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#mgmt_cli~v1.7%20

the_rock · ‎2024-07-14

@Alex- You are 100% correct, my bad.

@Moudar Let me test one you have issue with, you run it on the gateway.

Andy

Moudar · ‎2024-07-14

So, if i run this command on a gateway:

[Expert@A-GW-TEST:0]# mgmt_cli -r true show hostname --context gaia_api
Error: Failed to login to the management server

or this:

[Expert@A-GW-TEST:0]# mgmt_cli show asset --context gaia_api --version 1.7 --format json
Username: admin
Password:
code: "generic_err_command_not_found"
errors: "Requested API command": [v1.7/login] not found'
message: "Command Not Found"

So, why I am getting these errors!? Version 81.20

the_rock · ‎2024-07-14

Stand by, will test it soon in the lab.

the_rock · ‎2024-07-14

I get different error, will troubleshoot later once Euro cup final game is done 🙂

Andy

[Expert@CP-GW:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
Couldn't connect to server
If you need to use a proxy server, add the '--proxy' parameter
[Expert@CP-GW:0]# mgmt_cli show interfaces --context gaia_api --version 1.7 --format json
Username: amdin
Password:
Couldn't connect to server
If you need to use a proxy server, add the '--proxy' parameter
[Expert@CP-GW:0]#

Alex- · ‎2024-07-14

Make sure you allow your user to use the GAIA API, logging in is not enough.

To grant a user with GAIA API access, use the following command in expert mode:

[Expert@hostname]# gaia_api access --user <user> --enable true

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#api_access~v1.7%20

the_rock · ‎2024-07-14

I tested again, same issue, will see what else could be the problem...

Andy

[Expert@CP-GW:0]# gaia_api access -u admin --enable true
[Expert@CP-GW:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
Couldn't connect to server
If you need to use a proxy server, add the '--proxy' parameter
[Expert@CP-GW:0]#

Moudar · ‎2024-07-14

[Expert@A-GW-TEST:0]# gaia_api access -u admin --enable true
[Expert@A-GW-TEST:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
code: "generic_err_command_not_found"
errors: "Requested API command": [v1.7/login] not found'
message: "Command Not Found"

the_rock · ‎2024-07-14

Thats odd, I ran it again in my lab, no issues.

Andy

[Expert@CP-GW:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
{
"comments": "",
"enabled": true,
"ipv4-address": "172.16.10.249",
"ipv4-mask-length": "24",
"ipv6-address": "Not-Configured",
"ipv6-autoconfig": "Not configured",
"ipv6-local-link-address": "Not Configured",
"ipv6-mask-length": "Not-Configured",
"name": "eth0",
"type": "physical"
}

[Expert@CP-GW:0]#

Moudar · ‎2024-07-14

I can now see that I am running the wrong version 1.7

If I run version 1.6 it works:

[Expert@A-GW-TEST:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.6 --format json
Username: admin
Password:
{
  "comments": "",
  "enabled": true,
  "ipv4-address": "10.0.0.15",
  "ipv4-mask-length": "24",
  "ipv6-address": "Not-Configured",
  "ipv6-autoconfig": "Not configured",
  "ipv6-local-link-address": "Not Configured",
  "ipv6-mask-length": "Not-Configured",
  "name": "eth0",
  "type": "physical"
}

this is my version:

show version all
Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

So, what version does GAIA_API 1.7 is used for?

the_rock · ‎2024-07-14

I think I got it now...not sure if it was command @Alex- gave, though gaia api was enabled for admin, but I realized I was using port 4434 for web UI, changed it to 443, installed policy, ran command he provided, good now...so give it a try @Moudar

Andy

See below:

[Expert@CP-GW:0]# gaia_api access -u admin --enable true [Expert@CP-GW:0]#

[Expert@CP-GW:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
{
"comments": "",
"enabled": true,
"ipv4-address": "172.16.10.249",
"ipv4-mask-length": "24",
"ipv6-address": "Not-Configured",
"ipv6-autoconfig": "Not configured",
"ipv6-local-link-address": "Not Configured",
"ipv6-mask-length": "Not-Configured",
"name": "eth0",
"type": "physical"
}

[Expert@CP-GW:0]# clish
CLINFR0771 Config lock is owned by admin. Use the command 'lock database override' to acquire the lock.
CP-GW> show web ssl
ssl-port - Web configuration tool SSL port number
ssl3-enabled - Allow using SSL3 to access the web configuration tool
CP-GW> show web ssl-p
CP-GW> show web ssl-port
web-ssl-port 443
CP-GW>

Moudar · ‎2024-07-14

A-GW-TEST> show web ssl-port
web-ssl-port 443

Tal_Paz-Fridman · ‎2024-07-14

In Gaia API context you cannot use -r true flag.

Try running without it to see if works, for example:

mgmt_cli -u <Gaia username> -p <Gaia password> show asset --version 1.7 --context gaia_api

Moudar · ‎2024-07-14

[Expert@A-GW-TEST:0]# gaia_api access -u admin --enable true
[Expert@A-GW-TEST:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.7 --format json
Username: admin
Password:
code: "generic_err_command_not_found"
errors: "Requested API command": [v1.7/login] not found'
message: "Command Not Found"

Moudar · ‎2024-07-14

I can now see that I am running the wrong version 1.7

If I run version 1.6 it works:

[Expert@A-GW-TEST:0]# mgmt_cli show interface name "eth0" --context gaia_api --version 1.6 --format json
Username: admin
Password:
{
  "comments": "",
  "enabled": true,
  "ipv4-address": "10.0.0.15",
  "ipv4-mask-length": "24",
  "ipv6-address": "Not-Configured",
  "ipv6-autoconfig": "Not configured",
  "ipv6-local-link-address": "Not Configured",
  "ipv6-mask-length": "Not-Configured",
  "name": "eth0",
  "type": "physical"
}

this is my version:

show version all
Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

So, what version does GAIA_API 1.7 is used for?

the_rock · ‎2024-07-14

What jumbo? My lab is latest, R81.20 jumbo 70.

Moudar · ‎2024-07-14

A-GW-TEST> cpinfo -y all

This is Check Point CPinfo Build 914000231 for GAIA
[MGMT]
        No hotfixes..
[IDA]
        No hotfixes..
[CPFC]
        No hotfixes..
[FW1]
        HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
        HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 703
kernel: R81.20 - Build 597
[SecurePlatform]
        No hotfixes..
[CPinfo]
        No hotfixes..
[PPACK]
        No hotfixes..
[AutoUpdater]
        No hotfixes..
[DIAG]
        No hotfixes..
[CVPN]
        No hotfixes..
[core_uploader]
        HOTFIX_CHARON_HF
[CPUpdates]
        BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE        Take:  19
        BUNDLE_HCP_AUTOUPDATE   Take:  58
        BUNDLE_GOT_TPCONF_AUTOUPDATE    Take:  111
        BUNDLE_CPSDC_AUTOUPDATE Take:  21
        BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE    Take:  17
[cpsdc_wrapper]
        HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
        HOTFIX_HCP_AUTOUPDATE

the_rock · ‎2024-07-14

Install take 70, reboot and Im sure it will work.

Andy

[Expert@CP-GW:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000248 for GAIA
[FW1]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 70
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 032
kernel: R81.20 - Build 040

[Expert@CP-GW:0]#

Anywho, Im going to watch the final soccer game now, viva Spain 🙂

Moudar · ‎2024-07-14

maybe, i will test tomorrow !

Are you a member of CheckMates?

API commands on gateways