Managing Security through API
This section describes the API Server on a Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) and the applicable API Tools.
API
You can configure and control the Management Server through API Requests you send to the API Server that runs on the Management Server.
The API Server runs scripts that automate daily tasks and integrate the Check Point solutions with 3rd-party systems, such as virtualization servers, ticketing systems, and change management systems.
To learn more about the management APIs, to see code samples, and to take advantage of user forums, see:
- The API Documentation:
  - Online - Check Point Management API Reference
  - Local - https://<Server IP Address>/api_docs
    By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.
    Note - On a Standalone server (a server which runs both a Security Management Server and a Security Gateway), the API Documentation web portal (https://<Server IP Address>/api_docs) stops working when you open SmartView Web Application (https://<Server IP Address>/smartview).
- The Developers Network section of Check Point CheckMates Community.
API Tools
You can use these tools to work with the API Server on the Management Server:
- Standalone management tool, included with Gaia operating system: mgmt_cli
- Standalone management tool, included with SmartConsole: mgmt_cli.exe
  You can copy this tool from the SmartConsole installation folder to other computers that run Windows operating system.
- Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.
  These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.
  https://<IP Address of Management Server>/web_api/<command>
Configuring the API Server
To configure the API Server:
- Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.
- From the left navigation panel, click Manage & Settings.
- In the upper left section, click Blades.
- In the Management API section, click Advanced Settings.
  The Management API Settings window opens.
- Configure the Startup Settings and the Access Settings.
Configuring Startup Settings
Select Automatic start to automatically start the API server when you start or reboot the Management Server.
Notes:
- If the Management Server has more than 4GB of RAM installed, the Automatic start option is activated by default during the Management Server installation.
- If the Management Server has less than 4GB of RAM, the Automatic start option is deactivated.
Configuring Access Settings
Select one of these options to configure which clients can connect to the API Server:
- Management server only
  Only the Management Server itself can connect to the API Server.
  This option only lets you use the mgmt_cli utility on the Management Server command line to send API requests. You cannot use SmartConsole or Web services to send API requests.
- All IP addresses that can be used for GUI clients
  You can send API requests from all IP addresses that are defined in SmartConsole > Permissions & Administrators > Trusted Clients.
  This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
- All IP addresses
  You can send API requests from all IP addresses.
  This includes requests from SmartConsole, Web services, and the mgmt_cli utility on the Management Server.
- Click OK.
- In the upper left section, click Permissions & Administrators.
- In the object of each applicable Administrator, make sure the assigned Permission Profile allows access to Management API.
Instructions
  - Edit the Administrator object.
  - In the left panel, click General.
  - In the Permissions section, on the right side of the selected Permission Profile, click the eye icon.
    The Permission Profile object opens in the read-only view.
  - In the left panel, click Management.
  - The permission Management API Login has to be selected.
    If it is not selected, then close this window and edit this Permission Profile object.
  - Click Close.
- Publish the SmartConsole session.
- Restart the API Server on the Management Server with this command:
  api restart
  Notes:
  - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:
    mdsenv <IP Address or Name of Domain Management Server>
  - The output of this command must show:
    API started successfully
- Examine the status of the API server on the Management Server with this command:
  api status
  Notes:
  - The output of this command must show:
    --------------------------------------------
    Overall API Status: Started
    --------------------------------------------
    API readiness test SUCCESSFUL. The server is up and ready to receive connections
  - The output of this command may show the state of the "API" process as "Stopped" when the API access is set to "All IP addresses that can be used for GUI clients", and more than 200 Trusted Clients are configured:
    Processes:
    Name      State     PID     More Information
    -------------------------------------------------
    API       Stopped   ...
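A health check for the last step, as an added example that is not part of the Check Point documentation: the function reads `api status` output on stdin and evaluates the three indicators quoted above. The function name check_api_status, its exit codes and both sample outputs are constructed for illustration; on a Management Server the call would be `api status | check_api_status`.

```shell
#!/bin/sh
# Added example, not Check Point code. check_api_status is a hypothetical
# helper: it reads `api status` output on stdin and returns
#   0 = started and ready, 1 = not started or not ready,
#   2 = started and ready, but the API process row shows "Stopped".
check_api_status() {
    awk '
        /^Overall API Status:/ { overall = $NF }
        /API readiness test/   { ready = ($0 ~ /SUCCESSFUL/) ? "yes" : "no" }
        # Row of the Processes table: Name State PID "More Information"
        $1 == "API" && ($2 == "Started" || $2 == "Stopped") { proc = $2 }
        END {
            rc = 0
            if (overall != "Started") {
                print "FAIL overall status: " (overall == "" ? "missing" : overall)
                rc = 1
            }
            if (ready != "yes") { print "FAIL readiness test not SUCCESSFUL"; rc = 1 }
            if (proc == "Stopped") {
                print "WARN API process shown as Stopped; if access is set to GUI client addresses, check for more than 200 Trusted Clients"
                if (rc == 0) rc = 2
            }
            if (rc == 0) print "OK API server started and ready"
            exit rc
        }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK='--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections'

SAMPLE_STOPPED='Processes:
Name      State     PID     More Information
-------------------------------------------------
API       Stopped
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections'

printf '%s\n' "$SAMPLE_OK" | check_api_status
printf '%s\n' "$SAMPLE_STOPPED" | check_api_status || echo "exit code $?"
```

Exit code 2 is kept separate from 1 so that a monitoring job can treat the Trusted Clients case as a warning rather than an outage.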