Managing Security through API
This section describes the API Server on a Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) and the applicable API Tools.
API
You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with 3rd-party systems, such as virtualization servers, ticketing systems, and change management systems.
To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:
- The API Documentation:
  - Online - Check Point Management API Reference (at the top, select the correct version)
  - Local - https://<IP Address of Management Server>/api_docs
    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
    Note - On a Standalone server (a server which runs both a Security Management Server and a Security Gateway), the API Documentation web portal (https://<IP Address of Management Server>/api_docs) stops working when you open SmartView Web Application (https://<IP Address of Management Server>/smartview).
    A Security Management Server is a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain (synonym: Single-Domain Security Management Server). A Security Gateway is a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
- The Developers Network section of Check Point CheckMates Community.
API Tools
You can run the required API commands on the Management Server in these ways:
- From the Command Line dialog in the SmartConsole GUI application (bottom left corner). SmartConsole is the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on.
- From the command line on the Management Server with the "mgmt_cli" command in the Expert mode.
- From the command line on the Management Server with the "mgmt" command in Gaia Clish (the default command line shell in the Check Point Gaia operating system; this is a restricted shell in which role-based administration controls the number of commands available).
- From the command line on the SmartConsole client host with the "mgmt_cli.exe" tool (installed as part of SmartConsole for Windows OS).
Configuring the API Server
To configure the API Server:
- Connect with SmartConsole to the Security Management Server or applicable Domain Management Server (DMS: a virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment).
- From the left navigation panel, click Manage & Settings.
- In the upper left section, click Blades.
- In the Management API section, click Advanced Settings.
  The Management API Settings window opens.
- Configure the Startup Settings and the Access Settings.
Configuring Startup Settings
Select Automatic start to automatically start the API server when you start or reboot the Management Server.
Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during the Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.
Configuring Access Settings
Select one of these options to configure which clients can connect to the API Server:
  - Management server only
    Only the Management Server itself can connect to the API Server.
    This option only lets you use the mgmt_cli utility on the Management Server command line to send API requests. You cannot use SmartConsole or Web services to send API requests.
  - All IP addresses that can be used for GUI clients
    You can send API requests from all IP addresses that are defined in SmartConsole > Permissions & Administrators > Trusted Clients.
    This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
  - All IP addresses
    You can send API requests from all IP addresses.
    This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
- Click OK.
- In the upper left section, click Permissions & Administrators.
- In the object of each applicable Administrator, make sure the assigned Permission Profile allows access to Management API.
  Instructions:
  - Edit the Administrator object.
  - In the left panel, click General.
  - In the Permissions section, on the right side of the selected Permission Profile, click the eye icon.
    The Permission Profile object opens in the read-only view.
  - In the left panel, click Management.
  - The permission Management API Login has to be selected.
    If it is not selected, then close this window and edit this Permission Profile object.
  - Click Close.
- Publish the SmartConsole session.
- Restart the API Server on the Management Server with this command:
    api restart
  Notes:
  - On a Multi-Domain Server (MDS: a dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers; synonym: Multi-Domain Security Management Server), you must run this command in the context of the applicable Domain Management Server:
      mdsenv <IP Address or Name of Domain Management Server>
  - The output of this command must show:
      API started successfully
- Examine the status of the API server on the Management Server with this command:
    api status
  Notes:
  - The output of this command must show:
      --------------------------------------------
      Overall API Status: Started
      --------------------------------------------
      API readiness test SUCCESSFUL. The server is up and ready to receive connections
  - The output of this command may show the state of the "API" process as "Stopped" when the API access is set to "All IP addresses that can be used for GUI clients", and more than 200 Trusted Clients are configured:
      Processes:
      Name State PID More Information
      -------------------------------------------------
      API Stopped ...
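The status check described above can be scripted for a monitoring job. This is an added example, not part of the Check Point documentation: the function name, the exit codes and the two sample inputs are this example's own, and the samples are constructed from the output fragments quoted on this page (the PID value is a placeholder).

```shell
#!/bin/sh
# Added example: interpret "api status" output using the strings quoted on this page.
# Return codes are this example's own convention:
#   0 ready, 1 overall status not "Started", 2 readiness test not SUCCESSFUL,
#   3 the "API" row of the Processes table is "Stopped".
check_api_status() {
    cas_out=$(cat)

    # State column of the "API" row. Rows are read only after the table header,
    # so the "API readiness test ..." line is not mistaken for a process row.
    cas_proc=$(printf '%s\n' "$cas_out" |
        awk '$1 == "Name" && $2 == "State" { tbl = 1; next }
             tbl && $1 == "API"            { print $2; exit }')
    cas_overall=$(printf '%s\n' "$cas_out" |
        sed -n 's/^Overall API Status:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)

    if [ "$cas_proc" = "Stopped" ]; then
        echo "API process Stopped: with GUI-client access, check for >200 Trusted Clients"
        return 3
    fi
    if [ "$cas_overall" != "Started" ]; then
        echo "Overall API Status is '${cas_overall:-missing}', expected 'Started'"
        return 1
    fi
    if ! printf '%s\n' "$cas_out" | grep -q '^API readiness test SUCCESSFUL'; then
        echo "API readiness test did not report SUCCESSFUL"
        return 2
    fi
    echo "API server is started and ready"
}

# Constructed sample inputs, laid out from the fragments quoted on this page.
SAMPLE_READY='--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections'

SAMPLE_STOPPED='Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Stopped   0'

# On the Management Server the input would come from:  api status | check_api_status
printf '%s\n' "$SAMPLE_READY" | check_api_status
```

On a Multi-Domain Server, switch to the applicable Domain Management Server context with mdsenv before piping the command output into the function.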