Managing Security through API

This section describes the API Server on a Management Server and the applicable API Tools.

API

You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.

The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with 3rd-party systems, such as virtualization servers, ticketing systems, and change management systems.

To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:

  • The API Documentation:

    • Online - Check Point Management API Reference

    • Local - https://<Server IP Address>/api_docs

      By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.

      Note - On a Standalone server (a server which runs both a Security Management Server and a Security Gateway), the API Documentation web portal (https://<Server IP Address>/api_docs) stops working when you open SmartView Web Application (https://<Server IP Address>/smartview).

  • The Developers Network section of Check Point CheckMates Community.

API Tools

You can use these tools to work with the API Server on the Management Server:

  • Standalone management tool, included with the Gaia operating system:

    mgmt_cli

  • Standalone management tool, included with SmartConsole:

    mgmt_cli.exe

    You can copy this tool from the SmartConsole installation folder to other computers that run the Windows operating system.

  • Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.

    These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.

    https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:

  1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.

  2. From the left navigation panel, click Manage & Settings.

  3. In the upper left section, click Blades.

  4. In the Management API section, click Advanced Settings.

    The Management API Settings window opens.

  5. Configure the Startup Settings and the Access Settings.

  6. Click OK.

  7. In the upper left section, click Permissions & Administrators.

  8. In the object of each applicable Administrator, make sure the assigned Permission Profile allows access to Management API.

  9. Publish the SmartConsole session.

  10. Restart the API Server on the Management Server with this command:

    api restart

    Notes:

    • On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

      mdsenv <IP Address or Name of Domain Management Server>

    • The output of this command must show:

      API started successfully

  11. Examine the status of the API server on the Management Server with this command:

    api status

    Notes:

    • The output of this command must show:

      --------------------------------------------
      Overall API Status: Started
      --------------------------------------------
      
      API readiness test SUCCESSFUL. The server is up and ready to receive connections

    • The output of this command may show the state of the "API" process as "Stopped" when the API access is set to "All IP addresses that can be used for GUI clients", and more than 200 Trusted Clients are configured:

      Processes:
      
      Name      State     PID       More Information
      -------------------------------------------------
      API       Stopped   ...
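
The check in step 11 can be scripted. The function below is an added example, not part of the Check Point documentation or tooling: it reads the text printed by "api status" and looks for the two required lines and for the "Stopped" process row described above. The function name, the sample helpers and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the text printed by "api status" (read from stdin).
# Return codes are chosen for this example, not defined by the product:
#   0 = "Overall API Status: Started" and readiness test SUCCESSFUL both present
#   1 = one of the two required lines is missing
#   2 = the "API" row in the Processes table reports "Stopped"
check_api_status() {
    status_text=$(cat)
    # Processes table row: name "API" followed by state "Stopped"
    if printf '%s\n' "$status_text" | grep -Eq '^[[:space:]]*API[[:space:]]+Stopped'; then
        echo "API process is Stopped: review the API access setting and the number of Trusted Clients" >&2
        return 2
    fi
    printf '%s\n' "$status_text" | grep -q 'Overall API Status: Started' || {
        echo "Overall API Status is not Started" >&2
        return 1
    }
    printf '%s\n' "$status_text" | grep -q 'API readiness test SUCCESSFUL' || {
        echo "API readiness test did not report SUCCESSFUL" >&2
        return 1
    }
    echo "API Server is started and ready to receive connections"
    return 0
}

# Constructed sample: the expected output quoted in step 11
sample_ready() {
    cat <<'EOF'
--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections
EOF
}

# Constructed sample: the Processes table with the "API" process stopped
sample_stopped() {
    cat <<'EOF'
Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Stopped
EOF
}

# On the Management Server, after "api restart":
#   api status | check_api_status
```

A return code of 2 points to the Trusted Clients condition in the note above; a return code of 1 means the API Server did not report the expected status and the restart in step 10 should be examined.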