On This Page
Troubleshooting: Check Point R80 - "CheckPoint API client error"
Symptom
TOS returns a Checkpoint API client error even though a status check on the Check Point R80 API server shows that it running.
Check the Status of the Check Point API server
- Run the following commands to display the status of the API server:
The output displays the following:
Cause
You do not have permission to access /web_api/login on this server. You can verify the cause by looking at the following log files on the Tufin server:
-
/var/log/st/securetrack.client.*_id
-
--> 42299 20220531 22:36:23.031 ::err_exception
FAULT: 42299 20220531 22:36:23.031 Checkpoint API client error at: static std::string CCheckpointR80PlusApiClient::Expect(const string&, const TStringBoolPairVector&, const CCheckpointR80PlusApiClientArgs&, const TStringVector&)
FAULT: 25335 20220531 22:10:31.492 File: /root/jenkins/workspace/tss/securetrack/checkpoint/libcheckpoint/CheckpointR80PlusApiClient.cc:232
-
/var/log/st/checkpoint.get_checkpoint_conf_<IP>
Checkpoint error code: http_forbidden API: CPApi#loginToMds(CPObjectParamLogin), Status Code: 403, Error Code: http_forbidden on Domain:
ERROR 2017-04-03 11:06:44,838 [main::c.t.s.c.AbstractClient.retrieveConf] [user:] Failed to retrieve device configuration [ ]
com.tufin.securetrack.javatool_util.ClientException: Cannot init Checkpoint SDK
Caused by: com.tufin.checkpoint.entities.CPException: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/v1/login
on this server.</p>
</body></html>
Resolution
-
Open SmartConsole and log in to the management server.
If you have a multi-domain environment, log in to the MDS domain.
-
Click the Manage and Settings button.
-
Select Blades.
-
In the Management API section, click Advanced Settings.
-
Select All IP addresses to grant the SecureTrack server access to the API server.
-
Click Publish.
-
Connect to the Check Point management server via SSH and and restart the API: