Managing Security through API

This section describes the API Server on a Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and the applicable API Tools.

API

You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.

The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with third party systems, such as virtualization servers, ticketing systems, and change management systems.

To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:

• The API Documentation:

  • Online - Check Point Management API Reference

  • Local - https://<Server IP Address>/api_docs

    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.

• The Developers Network section of Check Point CheckMates Community.

API Tools

You can use these tools to work with the API Server on the Management Server:

• Standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. management tool, included with Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. operating system:

  mgmt_cli

• Standalone management tool, included with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

  mgmt_cli.exe

  You can copy this tool from the SmartConsole installation folder to other computers that run Windows operating system.

• Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.

  These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.

  https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:

1. Connect with SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or applicable Domain Management Server.

2. From the left navigation panel, click Manage & Settings.

3. In the upper left section, click Blades.

4. In the Management API section, click Advanced Settings.

   The Management API Settings window opens.

5. Configure the Startup Settings and the Access Settings.

   Configuring Startup Settings

   Select Automatic start to automatically start the API server when you start or reboot the Management Server.

   Notes: If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during Management Server installation. If the Management Server has less than 4GB of RAM, the Automatic Start option is deactivated.

   Configuring Access Settings

   Select one of these options to configure which clients can connect to the API Server:

   • Management server only - Only the Management Server itself can connect to the API Server. This option only lets you use the mgmt_cli utility on the Management Server to send API requests. You cannot use SmartConsole or Web services to send API requests.

   • All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses that are defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

   • All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.

6. Click OK.

7. In the upper left section, click Permissions & Administrators.

8. In the object of each applicable Administrator, make sure the assigned Permission Profile Predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition. allows access to Management API.

   Instructions

   1. Edit the Administrator object.

   2. In the left panel, click General.

   3. In the Permissions section, on the right side of the selected Permission Profile, click the eye icon.

      The Permission Profile object opens in the read-only view.

   4. In the left panel, click Management.

   5. The permission Management API Login has to be selected.

      If it is not selected, then close this window and edit this Permission Profile object.

      For more information, see Assigning Permission Profiles to Administrators.

   6. Click Close.

9. Publish the SmartConsole session.

10. Restart the API Server on the Management Server with this command:

    api restart

    Notes: On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., you must run this command in the context of the applicable Domain Management Server: mdsenv <IP Address or Name of Domain Management Server> The output of this command must show: API started successfully

11. Examine the status of the API server on the Management Server with this command:

    api status

    Notes: The output of this command must show: -------------------------------------------- Overall API Status: Started -------------------------------------------- API readiness test SUCCESSFUL. The server is up and ready to receive connections The output this command may show the state of the "API" process as "Stopped" when the API access is set to "All IP addresses that can be used for GUI clients", and more than 200 Trusted Clients are configured: Processes: Name State PID More Information ------------------------------------------------- API Stopped ...