Troubleshooting: Check Point R80 - "CheckPoint API client error"

Symptom

TOS returns a Checkpoint API client error even though a status check on the Check Point R80 API server shows that it is running.

Check the Status of the Check Point API server

  • Run the following commands to display the status of the API server:
    • [<ADMIN> ~]#expert
    [<ADMIN> ~]#api status

    The output displays the following:

    --------------------------------------------
    Overall API Status: Started
    --------------------------------------------
    Test SUCCESSFUL. The server is up and ready to receive connections

Cause

You do not have permission to access /web_api/login on this server. You can verify the cause by looking at the following log files on the Tufin server:

  • /opt/tufin/logs/services/device-collector/securetrack.client.<device ip>_<mgmt_id> 
    --> 42299 20220531 22:36:23.031  ::err_exception
    FAULT: 42299 20220531 22:36:23.031  Checkpoint API client error at: static std::string CCheckpointR80PlusApiClient::Expect(const string&, const TStringBoolPairVector&, const CCheckpointR80PlusApiClientArgs&, const TStringVector&)
    FAULT: 25335 20220531 22:10:31.492  File: /root/jenkins/workspace/tss/securetrack/checkpoint/libcheckpoint/CheckpointR80PlusApiClient.cc:232

  • /opt/tufin/logs/services/device-collector/config_<IP>_<ID>.log 

    Checkpoint error code: http_forbidden API: CPApi#loginToMds(CPObjectParamLogin), Status Code: 403, Error Code: http_forbidden on Domain:
    ERROR 2017-04-03 11:06:44,838 [main::c.t.s.c.AbstractClient.retrieveConf] [user:] Failed to retrieve device configuration [ ]
    com.tufin.securetrack.javatool_util.ClientException: Cannot init Checkpoint SDK
    Caused by: com.tufin.checkpoint.entities.CPException: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /web_api/v1/login
    on this server.</p>
    </body></html>

Resolution

  1. Open SmartConsole and log in to the management server.

    If you have a multi-domain environment, log in to the MDS domain.

  2. Click the Manage and Settings button.

  3. Select Blades.

  4. In the Management API section, click Advanced Settings.

  5. Select All IP addresses to grant the SecureTrack server access to the API server.

  6. Click Publish.

  7. Connect to the Check Point management server via SSH and and restart the API:

    8. [<ADMIN> ~]#expert
    [<ADMIN> ~]#api restart