I was trying to export the firewall policy from one of the CMAs on our R80.10 Multi-Domain Server using Check Point’s Show Package Tool (sk120342).
While running the command:
[Expert@MDS:0]# $MDS_FWDIR/scripts/web_api_show_package.sh -d 192.10.20.30
I noticed that the script hung for a while and eventually returned the following error message: Script stopped running due to severe error!
So, as suggested in sk123863, I verified and confirmed that the API service was running on the MDS, but it was unable to receive connections:
[Expert@MDS:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 303
CPM Started 5747 Check Point Security Management Server is running and ready
FWM Started 12033
APACHE Started 4448
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test FAILED. The server is down and unable to receive connections!
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@MDS:0]#
Restarting the API (# api stop;api start) did not resolve the issue, and the log collection (api status -s) did not reveal a potential root cause either.
So after some further investigation on the MDS I noticed the .mgmt_cli directory within /home/admin which contains a known_hosts file with a single line:
[Expert@MDS:0]# pwd
/home/admin/.mgmt_cli
[Expert@MDS:0]# cat known_hosts
JUMP STREET GO WHY NO JOE COW SLIM FIRE DELTA FARM ACT@127.0.0.1:443
[Expert@MDS:0]#
As I suspected this to be an old/revoked fingerprint, I deleted the file and restarted the API again, which recreated the file with the actual/updated fingerprint. So, now the API started without any errors: Overall API Status: Started. API readiness test SUCCESSFUL. The server is up and ready to receive connections.
And last but not least, the firewall policy export script now works as well and completed successfully in a matter of seconds!
[Expert@MDS:0]# /opt/CPsuite-R80/fw1/scripts/web_api_show_package.sh -d 192.10.20.30
Script finished running successfully!
Result file location: show_package-2021-03-15_21-43-36.tar.gz
[Expert@MDS:0]#
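The fix described above, as an added example that is not part of the original post: a script that sets the known_hosts file aside instead of deleting it, restarts the API, and then reports whether the pinned fingerprint actually changed. The function names and the --run switch are assumptions made for illustration; the path, the 127.0.0.1:443 entry and the api commands are the ones shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. The known_hosts path and the
# `api` commands are the ones shown in the post; function names are made up.
KH="${KH:-/home/admin/.mgmt_cli/known_hosts}"
ENDPOINT="${ENDPOINT:-127.0.0.1:443}"

# Print the fingerprint words pinned for host:port ($2) in known_hosts file ($1).
kh_fingerprint() {
    [ -f "$1" ] || return 1
    awk -v hp="@$2" '
        length($0) > length(hp) && substr($0, length($0) - length(hp) + 1) == hp {
            print substr($0, 1, length($0) - length(hp)); found = 1
        }
        END { exit !found }' "$1"
}

# Succeed only if `api status` output on stdin reports a passed readiness test.
api_ready() { grep -q 'API readiness test SUCCESSFUL'; }

# Move known_hosts ($1) to a timestamped backup instead of deleting it;
# print the backup path so the old fingerprint stays available for review.
kh_set_aside() {
    [ -f "$1" ] || return 1
    bak="$1.$(date +%Y%m%d-%H%M%S).bak"
    mv -- "$1" "$bak" && printf '%s\n' "$bak"
}

# Exit 0 if the pinned fingerprint differs between old ($1) and new ($2) file,
# 1 if identical, 2 if either file has no entry for host:port ($3).
kh_changed() {
    old=$(kh_fingerprint "$1" "$3") || return 2
    new=$(kh_fingerprint "$2" "$3") || return 2
    [ "$old" != "$new" ]
}

main() {
    if api status | api_ready; then echo "API ready, nothing to do"; return 0; fi
    bak=$(kh_set_aside "$KH") || { echo "no known_hosts at $KH" >&2; return 1; }
    api stop; api start
    api status | api_ready || { echo "still failing; old file is $bak" >&2; return 1; }
    case $(kh_changed "$bak" "$KH" "$ENDPOINT"; echo $?) in
        0) echo "fingerprint changed; old entry kept in $bak" ;;
        1) echo "fingerprint unchanged; the pinned entry was not stale" ;;
        *) echo "no entry for $ENDPOINT in old or new file" >&2; return 1 ;;
    esac
}

# Run only when asked to, e.g. with --run on the management server.
if [ "${1:-}" = "--run" ]; then main; fi
```

Keeping the backup means an unexpected fingerprint change can still be reviewed after the API is back up, rather than being silently accepted when the file is recreated.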
Thank you for the tip, very useful.