Command Line Reference

Check Point LSMcli Overview

Check Point SmartLSM Command Line Utility (LSMcli) is a simple command line utility that serves as an alternative to the SmartProvisioning SmartConsole GUI. LSMcli lets you perform SmartProvisioning GUI operations from a command line or through a script.

Note - LSMcli can run from locations other than SmartConsole clients, so be sure to define the location that LSMcli is running from as a GUI client. See Logging into SmartProvisioning.

Terms

LSMcli commands may use the abbreviation ROBO (Remote Office/Branch Office) for gateways. ROBO gateways are known in SmartProvisioning as SmartLSM Security Gateways.

Notation

Throughout this chapter square brackets ([ ]) are used with the LSMcli utility. These brackets are correct and syntactically necessary. The following is an example of how they are used:

A [b [c]] - means that for parameter A, you can provide b. If you provide b, you can provide c.

A [b] [c] - means that for parameter A, you can provide b, c, or b and c.

A [b c] - means that for parameter A, you can provide b and c.

Help

Displays command line usage and provides examples for different actions.

Usage

LSMcli [-h | --help]

Syntax

LSMcli [-d] <server> <user> <pswd> <action>

LSMcli Parameters

| Parameter | Description |
| --- | --- |
| Server | Name/IP address of the Security Management Server or Domain Management Server |
| User | User name used in the standard Check Point authentication method |
| Pswd | Password used in the standard Check Point authentication method |
| Action | Specific function performed (see the following sub-sections for a complete list of actions) |

Using Security Gateway 80 LSMcli ROBO Commands

LSMcli commands for Security Gateway 80 are similar to the ROBO commands for regular Security Gateways. When you are using a command on Security Gateway 80, replace VPN1 with CPSG80. For example, if you want to use the AddROBO command:

  • Regular Security Gateway: AddROBO VPN1
  • Security Gateway 80: AddROBO CPSG80

For more information, use the LSMcli Help command.

SmartLSM Security Gateway Management Actions

AddROBO VPN1

This command adds a new Check Point SmartLSM Security Gateway to SmartProvisioning and assigns it a specified SmartLSM Security Profile. If a one-time password is supplied, a SIC certificate will be created. If an IP address is also supplied, the SIC certificate will be pushed to the SmartLSM Security Gateway (in such cases, the SmartLSM Security Gateway SIC one-time password should be initialized first). If no IP address is supplied, the SIC certificate will be pulled from the SmartLSM Security Gateway afterwards. It is also possible to assign an IP address range to Dynamic Objects, specifying whether or not to add them to the VPN domain.

Usage

LSMcli [-d] <server> <user> <pswd> AddROBO VPN1 <RoboName> <Profile> [-RoboCluster=<OtherROBOName>] [-O=<ActivationKey> [-I=<IP>]] [[-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]] [-D:<DynamicObjectName>=<IP1>[-<IP2>] [-D:..]]

Parameters

AddROBO VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of a SmartLSM Security Gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| OtherROBOName | Name for an already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided). |
| ActivationKey | SIC one-time password. (For this action, a certificate will be generated) |
| IP | IP address of the gateway (For this action, certificate will be pushed to the gateway) |
| CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA. Default is Check Point Internal CA. |
| CertificateIdentifier# | Key identifier for third-party CA. |
| AuthorizationKey | Authorization Key for third-party CA. |
| DynamicObjectName | Name of the Dynamic Object |
| IP1-IP2 | IP address range for the Dynamic Object |

Example

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=192.0.2.4 -DE:FirstDO=192.0.2.100

This action adds a new SmartLSM Security Gateway MyRobo and assigns it the specified SmartLSM Security Profile AnyProfile. A SIC password and an IP address are supplied, so the SIC Activation Key can be sent to the new SmartLSM Security Gateway. A Dynamic Object called FirstDO is resolved to an IP address for this gateway.

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=10.10.10.1 -DE:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert1233 -KEY=ab345

AddROBO VPN1Edge

This command adds a new UTM-1 Edge SmartLSM Security Gateway. Applicable for UTM-1 Edge gateways only.

Use this command to add a new UTM-1 Edge gateway to the SmartProvisioning system and assign it a specified SmartLSM Security Profile. Specify the product type of the UTM-1 Edge gateway and the firmware installed, which can be set as local, default or user-defined. It is also possible to assign an IP address range to Dynamic Objects, specifying whether to add them to the VPN domain.

To load new firmware on the UTM-1 Edge gateway, use SmartUpdate.

Usage

LSMcli [-d] <server> <user> <pswd> AddROBO VPN1Edge <RoboName> <Profile> <ProductType> [-RoboCluster=<OtherROBOName>] [-O=<RegistrationKey>] [[-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>] [-D[E]:..]]

Parameters

AddROBO UTM-1 Edge Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the UTM-1 Edge gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| ProductType | Product type |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| RegistrationKey | Registration Key |
| CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA. |
| CertificateIdentifier# | Key identifier of the specific certificate |
| AuthorizationKey | Authorization Key that will be sent to the CA for certificate retrieval |
| Firmware-name | Firmware name, or LOCAL or DEFAULT |
| MAC | MAC address of the UTM-1 Edge, in the format xx:xx:xx:xx:xx:xx where "x" is a hexadecimal digit |
| ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit |
| DO Name | Name of the Dynamic Object |
| E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain. |
| Ip1-Ip2 | IP address range for the Dynamic Object |

Example

LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100

This example creates an object in SmartProvisioning for a UTM-1 Edge SmartLSM Security Gateway called MyRobo, based on a SmartLSM Security Profile defined in SmartDashboard called AnyProfile. MyRobo is defined for a UTM-1 Edge on an SBox-100 device.

LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile IP30 -O=AnyRegKey -F=DEFAULT -M=00:08:AA:BB:CC:DD -K=123456-ABCDEF-ABC123

LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100 -F=Safe@_Safe@_3.0.23_Generic_Safe@_fcs
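
The following Python code is an added example, not Check Point code: it builds the AddROBO VPN1Edge argument list from inventory values, enforces the MAC and ProductKey formats from the parameter table, and returns a masked copy of the command for logging. The function names and the restriction on name characters are assumptions of this example; the returned list is meant to be passed to subprocess.run without a shell.

```python
import re

# Formats given in the AddROBO VPN1Edge parameter table.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
PRODUCT_KEY_RE = re.compile(r"[0-9A-Fa-f]{6}(?:-[0-9A-Fa-f]{6}){2}")
# Assumption of this example, not a documented LSMcli rule: names use a
# conservative character set and never start with "-", so a value read from
# an inventory file cannot be mistaken for an option.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]*")
# Options whose values are keys or passwords according to the parameter tables.
SECRET_OPTIONS = ("-O=", "-KEY=", "-K=")


def checked(value, pattern, what):
    """Return value unchanged if it fully matches pattern, else raise."""
    if not pattern.fullmatch(value):
        # The value is not echoed, because it may be a key.
        raise ValueError(f"invalid {what}")
    return value


def add_robo_vpn1edge(server, user, pswd, robo, profile, product_type, *,
                      registration_key=None, firmware=None, mac=None,
                      product_key=None):
    """Return the argv list for AddROBO VPN1Edge; no shell quoting is involved."""
    argv = ["LSMcli", checked(server, NAME_RE, "server"), user, pswd,
            "AddROBO", "VPN1Edge",
            checked(robo, NAME_RE, "RoboName"),
            checked(profile, NAME_RE, "Profile"),
            checked(product_type, NAME_RE, "ProductType")]
    if registration_key is not None:
        argv.append(f"-O={registration_key}")
    if firmware is not None:
        argv.append(f"-F={checked(firmware, NAME_RE, 'Firmware-name')}")
    if mac is not None:
        argv.append(f"-M={checked(mac, MAC_RE, 'MAC')}")
    if product_key is not None:
        argv.append(f"-K={checked(product_key, PRODUCT_KEY_RE, 'ProductKey')}")
    return argv


def redact(argv):
    """Copy of argv for logs: <pswd> and the values of secret options are masked."""
    out = list(argv)
    # <pswd> is the third positional argument, shifted by one when -d is given.
    out[4 if out[1] == "-d" else 3] = "****"
    for i, arg in enumerate(out):
        for option in SECRET_OPTIONS:
            if arg.startswith(option):
                out[i] = option + "****"
    return out
```
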

ModifyROBO VPN1

This command modifies a Check Point SmartLSM Security Gateway. This action modifies the SmartProvisioning details for an existing SmartLSM Security Gateway and can be used to update properties previously supplied by the user.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBO VPN1 <RoboName> and at least one of: [-P=Profile] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-D:<DO name>=<IP1>[-<IP2>] [-KeepDOs]..]

Parameters

ModifyROBO VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| -NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove Cluster" operation in the GUI. When a ModifyROBO VPN1 command with this argument is issued on a gateway that participates in a cluster, the cluster is removed. |
| DO Name | Name of the Dynamic Object |
| IP1-IP2 | IP address range for the Dynamic Object |
| -KeepDOs | Keeps all existing dynamic objects in the dynamic objects list when adding new dynamic objects. If a dynamic object already exists in the list, its IP resolution is updated. If this flag is not specified, the dynamic objects list is deleted when using the LSMcli command to add new dynamic objects. |

Example

LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6

This example resolves Dynamic Objects for the given gateway.
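
The -KeepDOs behaviour described in the table above, as an added Python example that is not Check Point code: it parses the -D: arguments of a ModifyROBO command line and reports which Dynamic Objects would be added, updated or dropped before the command is run. The function names and the gateway's current Dynamic Objects are constructed for illustration; the command string is the example from this page.

```python
import ipaddress
import re
import shlex

# -D:<DO name>=<IP1>[-<IP2>]; the obsolete -DE: spelling is accepted too.
DO_ARG = re.compile(r"-DE?:(?P<name>[^=]+)=(?P<range>.+)")

PAGE_EXAMPLE = ("LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo "
                "-D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6")


def normalise(text):
    """Turn "IP1" or "IP1-IP2" into a tuple of IPv4Address objects."""
    return tuple(ipaddress.IPv4Address(part) for part in text.split("-", 1))


def parse_dynamic_objects(command):
    """Return ({name: range}, keep_dos) for a ModifyROBO command line."""
    objects, keep = {}, False
    for arg in shlex.split(command):
        if arg == "-KeepDOs":
            keep = True
            continue
        match = DO_ARG.fullmatch(arg)
        if match:
            objects[match["name"]] = normalise(match["range"])
    return objects, keep


def preview(current, command):
    """Compare the command with the gateway's current Dynamic Objects.

    current maps each Dynamic Object name to "IP1" or "IP1-IP2".
    """
    before = {name: normalise(text) for name, text in current.items()}
    new, keep = parse_dynamic_objects(command)
    result = {
        "added": sorted(n for n in new if n not in before),
        "updated": sorted(n for n in new if n in before and new[n] != before[n]),
        "dropped": [],
    }
    # Without -KeepDOs, adding Dynamic Objects deletes the existing list,
    # so everything that the command does not name again is lost.
    if new and not keep:
        result["dropped"] = sorted(n for n in before if n not in new)
    return result


# Constructed sample: what the gateway is assumed to hold before the change.
CURRENT = {"FirstDO": "192.0.2.100", "MyEmailServer": "123.45.67.1"}
```
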

ModifyROBO VPN1Edge

This command modifies a UTM-1 Edge gateway. This action modifies the SmartProvisioning details for an existing UTM-1 Edge gateway and can be used to update properties previously supplied by the user.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBO VPN1Edge <RoboName> and at least one of: [-P=<Profile>] [-T=<ProductType>] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-O=<RegistrationKey>] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>] [-KeepDOs]..]

Parameters

ModifyROBO UTM-1 Edge Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the UTM-1 Edge gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| ProductType | Product type |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| -NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove SmartLSM Cluster" operation in the GUI. When a ModifyROBO VPN1 command with this argument is issued on a gateway that participates in a SmartLSM cluster, the cluster is removed. |
| RegistrationKey | Registration key |
| Firmware | Firmware name, LOCAL or DEFAULT |
| MAC | MAC address of the UTM-1 Edge, in the format xx:xx:xx:xx:xx:xx where "x" is a hexadecimal digit |
| ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit |
| DO Name | Name of the Dynamic Object |
| E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain. |
| Ip1-Ip2 | IP address range for the Dynamic Object |
| -KeepDOs | Keeps all existing dynamic objects in the dynamic objects list when adding new dynamic objects. If a dynamic object already exists in the list, its IP resolution is updated. If this flag is not specified, the dynamic objects list is deleted when using the LSMcli command to add new dynamic objects. |

Example

LSMcli mySrvr name pass ModifyROBO VPN1Edge MyEdgeROBO -P=MyNewEdgeProfile -NoRoboCluster

ModifyROBOManualVPNDomain

This command modifies the ROBO VPN Domain, to take effect when the VPN Domain becomes defined as Manual.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOManualVPNDomain <RoboName> and one of: -Add=<FirstIP-LastIP> -Delete=<Index (as shown by the last ShowROBOTopology command)> and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters

ModifyROBOManualVPNDomain Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| FirstIP-LastIP | IP address range |
| Index | Value displayed by ShowInfo command |
| IfOverlappingIPRangesDetected | Flag to determine course of action, if overlapping IP address ranges are detected. The options are: exit, warn and ignore |

Example

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Add=192.0.2.1-192.0.2.20

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Delete=1
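
A local pre-check for -Add, as an added Python example that is not Check Point code and does not reproduce LSMcli's own overlap detection: it compares a candidate range with ranges the operator already knows about and applies the same three choices (exit, warn, ignore) before the action arguments are produced. The function names and the list of existing ranges are constructed for illustration.

```python
import ipaddress

MODES = ("exit", "warn", "ignore")


def parse_range(text):
    """Parse <FirstIP-LastIP> into a pair of IPv4Address objects."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError(f"expected FirstIP-LastIP, got {text!r}")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip())
    if hi < lo:
        raise ValueError(f"range ends before it starts: {text!r}")
    return lo, hi


def overlaps(candidate, existing):
    """Return the entries of existing that share an address with candidate."""
    lo, hi = parse_range(candidate)
    hits = []
    for text in existing:
        e_lo, e_hi = parse_range(text)
        # Two closed intervals intersect when each starts before the other ends.
        if lo <= e_hi and e_lo <= hi:
            hits.append(text)
    return hits


def plan_add(robo, candidate, existing, mode="exit"):
    """Return (action_args, warnings) for ModifyROBOManualVPNDomain -Add.

    action_args is what follows <server> <user> <pswd> on the command line.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    lo, hi = parse_range(candidate)
    hits = overlaps(candidate, existing)
    if hits and mode == "exit":
        raise ValueError(f"{candidate} overlaps {', '.join(hits)}")
    warnings = [f"{candidate} overlaps {hit}" for hit in hits] if mode == "warn" else []
    args = ["ModifyROBOManualVPNDomain", robo, f"-Add={lo}-{hi}",
            f"-IfOverlappingIPRangesDetected={mode}"]
    return args, warnings


# Constructed sample: ranges assumed to be in use already.
EXISTING = ["192.0.2.1-192.0.2.20", "198.51.100.0-198.51.100.255"]
```
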

ModifyROBOTopology VPN1

This command modifies the ROBO VPN Domain configuration for a selected Gateway.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOTopology VPN1 <RoboName> -VPNDomain=<not_defined|external_ip_only|topology|manual>

Parameters

ModifyROBOTopology VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| VPNDomain | Flag to determine the VPN Domain topology. The options are: |

  • not_defined: Equivalent to the Not Defined option in the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the ShowROBOTopology output).
  • external_ip_only: Equivalent to Only the external interface
  • topology: Equivalent to All IP Addresses behind the Gateway based on Topology information
  • manual: Equivalent to Manually defined. VPN domain is defined according to ModifyROBOManualVPNDomain setting.

Example

LSMcli mySrvr name pass ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual

ModifyROBOTopology VPN1Edge

This command modifies the VPN Domain configuration for a selected Gateway.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOTopology VPN1Edge <RoboName> and at least one of: [-VPNDomain=<not_defined|external_ip_only|topology|automatic|manual>]

Parameters

ModifyROBOTopology UTM-1 Edge Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| VPNDomain | Flag to configure the VPN Domain topology. The options are: not_defined, external_ip_only, topology, and manual. |

  • not_defined: Equivalent to the Not Defined option in the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the ShowROBOTopology output).
  • external_ip_only: Equivalent to Only the external interface
  • topology: Equivalent to All IP Addresses behind the Gateway based on Topology information
  • automatic: The VPN domain of the gateway consists of all the IP addresses configured locally on the UTM-1 Edge device, regardless of the interface configuration of the Edge object in SmartDashboard. Selecting this option requires:
    • Manual definition of VTIs on the Edge and CO gateway so that the CO learns the VPN domain of the Edge device.
    • OSPF feature of the CO gateway to dynamically learn the VPN domain of the UTM-1 Edge device.
  • manual: Equivalent to Manually defined

Example

LSMcli mySrvr name pass ModifyROBOTopology VPN1Edge MyRobo -VPNDomain=manual

ModifyROBOInterface VPN1

This command modifies the Internal Interface list.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOInterface VPN1 <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-Netmask=<NetMask>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters

ModifyROBOInterface VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of the existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |
| IfOverlappingIPRangesDetected | Flag to determine course of action, if overlapping IP address ranges are detected. The options are: exit, warn and ignore |

Example

LSMcli mySrvr name pass ModifyROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0

ModifyROBOInterface VPN1Edge

This command modifies the VPN1Edge Internal Interface list.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOInterface VPN1Edge <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-NetMask=<NetMask>] [-Enabled=<true|false>] [-HideNAT=<true|false>] [-DHCPEnabled=<true|false>] [-DHCPIpAllocation=<automatic|<FirstIP-LastIP>|<IP address of DHCP Relay Server>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]

Parameters

ModifyROBOInterface UTM-1 Edge Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |
| Enabled | Flag to enable/disable the selected interface |
| HideNAT | Flag to specify whether the interface is identified by the gateway IP address (hidden behind NAT) |
| DHCPEnabled | Flag to enable dynamically allocated IP addresses |
| DHCPIpAllocation | Flag to determine how IP addresses are dynamically allocated. The options are: automatic, <FirstIP-LastIP>, and DHCP Relay Server |
| IfOverlappingIPRangesDetected | Flag to determine course of action if overlapping IP address ranges are detected. The options are: exit, warn and ignore |

Example

LSMcli mySrvr name pass ModifyROBOInterface VPN1Edge MyRobo DMZ -i=192.0.2.1 -Netmask=255.255.255.0 -Enabled=true -HideNAT=false -DHCPEnabled=true -DHCPIpAllocation=automatic

AddROBOInterface VPN1

This command adds a new interface to the selected SmartLSM Security Gateway.

Usage

LSMcli [-d] <server> <user> <pswd> AddROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> -NetMask=<NetMask>

Parameters

AddROBOInterface VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |

Example

LSMcli mySrvr name pass AddROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0

DeleteROBOInterface VPN1

This command deletes an interface from the selected Gateway.

Usage

LSMcli [-d] <server> <user> <pswd> DeleteROBOInterface VPN1 <RoboName> <InterfaceName>

Parameters

DeleteROBOInterface VPN1 Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |

Example

LSMcli mySrvr name pass DeleteROBOInterface VPN1 MyRobo eth0

ResetSic

This command resets the SIC Certificate of a SmartLSM Security Gateway. Applicable for SmartLSM Security Gateways only. This action revokes the existing gateway SIC certificate and creates a new one using the one-time password provided by the user. If an IP address is supplied for the SmartLSM Security Gateway, the SIC certificate will be pushed to the SmartLSM Security Gateway, in which case the SmartLSM Security Gateway SIC's one-time password should be initialized first. Otherwise, if no IP address is given, the SIC certificate will later be pulled from the SmartLSM Security Gateway.

Usage

LSMcli [-d] <server> <user> <pswd> ResetSic <RoboName> <ActivationKey> [-I=<IP>]

Parameters

ResetSic Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| ActivationKey | One-time password for the Secure Internal Communications with the SmartLSM Security Gateway |
| IP | IP address of gateway (for this action, the certificate is pushed to the gateway) |

Example

LSMcli mySrvr name pass ResetSic MyROBO aw47q1

LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1

ResetIke

This command resets the IKE Certificate of a SmartLSM Security Gateway. Applicable for Security Gateway and UTM-1 Edge gateways. This action revokes the existing IKE certificate and creates a new one.

Usage

LSMcli [-d] <server> <user> <pswd> ResetIke <RoboName> [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]

Parameters

ResetIke Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the Security Gateway or UTM-1 Edge gateway |
| CaName | Name of the Trusted CA object (created from SmartDashboard); the IKE certificate request will be sent to this CA |
| CertificateIdentifier | Key identifier of the specific certificate |
| AuthorizationKey | Authorization Key to be sent to the CA for the certificate retrieval |

Example

LSMcli mySrvr name pass ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s -KEY=ad23fgh

ExportIke

This command exports the IKE Certificate of a SmartLSM Security Gateway into a P12 file, encrypted with a provided password. The default location of the exported file is $FWDIR/conf.

Usage

LSMcli [-d] <server> <user> <pswd> ExportIke <RoboName> <Password> <FileName>

Parameters

ExportIke Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway whose certificate will be exported |
| Password | Password used to protect the p12 file |
| FileName | Destination file name (will be created) |

Example

LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12

UpdateCO

This command updates a Corporate Office gateway. This action updates the CO gateway with up-to-date available information about the SmartLSM Security Gateways VPN domains. Perform after adding a new SmartLSM Security Gateway to enable the CO gateway to initiate a VPN tunnel to the new SmartLSM Security Gateway. (Alternatively, the Install Policy action can be run on the CO gateway to obtain updated VPN Domain information.) Applicable for CO gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> UpdateCO <COgw|COgwCluster>

Parameters

UpdateCO Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| Cogw | Name of a CO gateway |
| CogwCluster | Name of a cluster of CO gateways |

Example

LSMcli mySrvr name pass UpdateCO MyCO

Remove

This command deletes a SmartLSM Security Gateway. This action revokes all the certificates used by the SmartLSM Security Gateway, releases all the licenses and, finally, removes the SmartLSM Security Gateway. Applicable for Security Gateway and UTM-1 Edge gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Remove <RoboName> <ID>

Parameters

Remove Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of Security Gateway or UTM-1 Edge gateway |
| ID | ID of the SmartLSM Security Gateway (use Show to check the ID of the specific SmartLSM Security Gateway) |

Example

LSMcli mySrvr name pass Remove MyRobo 0.0.0.251

Show

This command displays a list of existing gateways. Applicable for Security Gateway and UTM-1 Edge gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Show [-N=Name] [-F=nbcitvpglskd]

Parameters

Show Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| Name | Name of the gateway to display. If the -N flag is not included, this action prints the existing Devices work space, including SmartLSM Security Gateways. |
| -F | Filters the information printed out, using the following flags: |

  • n: Name
  • b: ID
  • c: Cluster ID
  • i: IP address
  • t: Type
  • v: Version
  • p: SmartLSM Security Profile
  • g: Gateway status
  • l: Policy status
  • s: SIC DN
  • k: IKE DN
  • d: List of Dynamic Objects assigned to this SmartLSM Security Gateway

Example

LSMcli mySrvr name pass Show -N=MyRobo

LSMcli mySrvr name pass Show -F=nibtp

ModifyROBOConfigScript

ModifyROBOConfigScript and ShowROBOConfigScript are equivalent to the Configuration Script tab in SmartProvisioning GUI for UTM-1 Edge SmartLSM Security Gateways. (Applicable only to UTM-1 Edge SmartLSM Security Gateways.)

ModifyROBOConfigScript sets the given UTM-1 Edge SmartLSM Security Gateway's configuration script to be a copy of the contents of the given text file <inputScriptFile>.

Usage

LSMcli [-d] <server> <user> <pswd> ModifyROBOConfigScript VPN1Edge <RoboName> <inputScriptFile>

Parameters

ModifyROBOConfigScript Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of UTM-1 Edge gateway |
| inputScriptFile | The given UTM-1 Edge SmartLSM Security Gateway's configuration script is set to be a copy of the contents of the given text file. |

Example

LSMcli mySrvr name pass ModifyROBOConfigScript VPN1Edge MyRobo myScriptFile

ShowROBOConfigScript

This command shows the given UTM-1 Edge SmartLSM Security Gateway's configuration script, and its SmartLSM Security Profile's configuration script.

Usage

LSMcli [-d] <server> <user> <pswd> ShowROBOConfigScript VPN1Edge <RoboName>

Parameters

ShowROBOConfigScript Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of UTM-1 Edge gateway |

Example

LSMcli mySrvr name pass ShowROBOConfigScript VPN1Edge MyRobo

ShowROBOTopology

This command displays the Topology information of the SmartLSM Security Gateway. It lists the defined Interfaces and their respective IP Addresses and Network Masks, and the VPN Domain configuration. The indexes of the manually defined VPN domain IP address ranges, on the displayed list, can be used when requesting to delete a range, via the ModifyROBOManualVPNDomain command.

Usage

LSMcli [-d] <server> <user> <pswd> ShowROBOTopology <RoboName>

Parameters

ShowROBOTopology Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of Security Gateway or UTM-1 Edge gateway |

Example

LSMcli mySrvr name pass ShowROBOTopology MyRobo

SmartUpdate Actions

Before software can be installed on gateways, it must first be loaded to the Security Management Server. We recommend that you make sure that software is compatible by running the VerifyInstall command first. Install software using the Install command.

Uninstall the software using the Uninstall command.

Install

This command installs a product on a SmartLSM Security Gateway. This action installs the specified software on the SmartLSM Security Gateway. Note that the software must be loaded to the Security Management Server before attempting to install it on the SmartLSM Security Gateway. It is recommended that you run the VerifyInstall command first, before installing software on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Install <RoboName> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot] [-DoNotDistribute]

Parameters

Install Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major Version of the package |
| SP | Minor Version of the package |
| Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after installation |
| boot | Reboot the SmartLSM Security Gateway after the installation is done |
| -DoNotDistribute | (Optional) Install previously distributed packages |

Example

LSMcli mySrvr name pass Install MyRobo firewall checkpoint NG_AI fcs -P=AnyProfile -boot

Uninstall

This command uninstalls a product on a SmartLSM Security Gateway. This action uninstalls the specified package from the SmartLSM Security Gateway. The ShowInfo command can be used to see what products are installed on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Uninstall <ROBO> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot]

Parameters

Uninstall Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| ROBO | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major Version of the package |
| SP | Minor Version of the package |
| Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after uninstall |
| boot | Reboot the SmartLSM Security Gateway after the installation is finished |

Example

LSMcli mySrvr name pass Uninstall MyRobo firewall checkpoint NG_AI fcs -boot

VerifyInstall

This command verifies whether the selected software can be installed on the SmartLSM Security Gateway, that is, whether the software is compatible. Note that this action does not perform an installation. Run this command before using the Install command to install software on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> VerifyInstall <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

VerifyInstall Parameters

| Parameter | Description |
| --- | --- |
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major version of the package |
| SP | Minor version of the package |

Example

LSMcli mySrvr name pass VerifyInstall MyRobo firewall checkpoint NG_AI fcs

Distribute

This command distributes a package from the Repository to the SmartLSM Security Gateway, but does not install it.

Usage

LSMcli [-d] <server> <user> <pswd> Distribute <RoboName> <Product> <Vendor> <Version> <SP>

Parameters

Distribute Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

RoboName - Name of the SmartLSM Security Gateway

Product - Name of the package

Vendor - Name of the vendor of the package

Version - Major version of the package

SP - Minor version of the package

Example

LSMcli mySrvr name pass Distribute MyRobo fw1 checkpoint NG_AI R54

Upgrade

This command upgrades all the (appropriate) available software packages on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Upgrade <RoboName> [-P=Profile] [-boot]

Parameters

Upgrade Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

RoboName - Name of the SmartLSM Security Gateway

Profile - Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after installation

boot - Reboot the SmartLSM Security Gateway after the installation is finished

Example

LSMcli mySrvr name pass Upgrade MyRobo -P=myprofile -boot

VerifyUpgrade

This command verifies whether the selected software can be upgraded on the SmartLSM Security Gateway, that is, whether the software is compatible. Note that this command does not perform an installation. Run this command before using the Upgrade command. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> VerifyUpgrade <RoboName>

Parameters

VerifyUpgrade Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

RoboName - Name of the SmartLSM Security Gateway

Example

LSMcli mySrvr name pass VerifyUpgrade MyRobo

GetInfo

This command collects product information from the SmartLSM Security Gateway. You must run this command before running the ShowInfo command if you manually upgrade any package instead of using SmartUpdate. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> GetInfo <RoboName>

Parameters

GetInfo Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

RoboName - Name of the SmartLSM Security Gateway

Example

LSMcli mySrvr name pass GetInfo MyRobo

ShowInfo

This command displays information about the products installed on the SmartLSM Security Gateway. For a SmartLSM Security Gateway, run the GetInfo command before using this command to verify that the displayed information is up-to-date. Applicable to Security Gateway and UTM-1 Edge gateways.

Usage

LSMcli [-d] <server> <user> <pswd> ShowInfo <VPN1EdgeRoboName>

Parameters

ShowInfo Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

VPN1EdgeRoboName - Name of the Security Gateway or UTM-1 Edge gateway

Example

LSMcli mySrvr name pass ShowInfo MyRobo
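The ordering that the VerifyUpgrade, GetInfo and ShowInfo sections call for, as an added shell example (not Check Point's code): VerifyUpgrade gates Upgrade, and GetInfo runs before ShowInfo. The function names, the LSM_SERVER, LSM_USER, LSM_PSWD and LSM_LOG variables, the allowed name characters and the non-zero exit status on failure are assumptions.

```shell
# Added example. Assumption (not stated on this page): LSMcli exits non-zero on failure.
LSM_LOG=${LSM_LOG:-./lsm_upgrade.log}

# Assumption: object names use only letters, digits, '_', '.' and '-'. Rejecting a
# leading '-' keeps a value read from an inventory file from landing where LSMcli
# expects a name but could read an option such as -Force or -boot.
lsm_valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run one action and log which action hit which gateway (never the credentials).
# The password comes from $LSM_PSWD so it is not written into the script, but LSMcli
# still takes it as an argument: it is visible in the local process list while running.
lsm_run() {
    printf '%s action=%s target=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >>"$LSM_LOG"
    LSMcli "$LSM_SERVER" "$LSM_USER" "$LSM_PSWD" "$@"
}

# lsm_checked_upgrade <RoboName> [Profile]
# Returns 2 on bad input, 3 if VerifyUpgrade fails (Upgrade is then never sent),
# 4 if Upgrade fails, 5 if the inventory refresh or display fails.
lsm_checked_upgrade() {
    robo=$1
    profile=${2:-}
    lsm_valid_name "$robo" || return 2
    if [ -n "$profile" ]; then
        lsm_valid_name "$profile" || return 2
    fi
    [ -n "${LSM_SERVER:-}" ] && [ -n "${LSM_USER:-}" ] && [ -n "${LSM_PSWD:-}" ] || return 2

    lsm_run VerifyUpgrade "$robo" || return 3
    if [ -n "$profile" ]; then
        lsm_run Upgrade "$robo" "-P=$profile" || return 4
    else
        lsm_run Upgrade "$robo" || return 4
    fi
    # GetInfo first, so that ShowInfo displays current product information.
    lsm_run GetInfo "$robo" || return 5
    lsm_run ShowInfo "$robo" || return 5
}
```

Set LSM_PSWD from a prompt with echo disabled rather than typing it on the command line, so that it stays out of shell history.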

ShowRepository

This command shows the list of available products on the Security Management Server. Use SmartUpdate to manage the products, load new products, remove products, and so on.

Usage

LSMcli [-d] <server> <user> <pswd> ShowRepository

Example

LSMcli mySrvr name pass ShowRepository

Stop

This command stops Security Gateway services on the selected gateway. This command uses CPRID, so CPRID services must be running on the gateway. Applicable to Security Gateways and SmartLSM Security Gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Stop <Robo|Gateway>

Parameters

Stop Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the SmartLSM Security Gateway, or Security Gateway

Example

LSMcli mySrvr name pass Stop MyRobo

Start

This command starts Security Gateway services on the selected gateway. This command uses CPRID, so CPRID services must be running on the gateway. Applicable to Security Gateways and SmartLSM Security Gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Start <Robo|Gateway>

Parameters

Start Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the SmartLSM Security Gateway or Security Gateway

Example

LSMcli mySrvr name pass Start MyRobo

Restart

This command restarts Security Gateway services on the chosen gateway. This command uses CPRID, so CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways, UTM-1 Edge gateways and Security Gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Restart <Robo|Gateway>

Parameters

Restart Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the SmartLSM Security Gateway, UTM-1 Edge gateway or Security Gateway

Example

LSMcli mySrvr name pass Restart MyRobo

Reboot

This command reboots the chosen gateway. This command uses CPRID, so CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways, UTM-1 Edge gateways and Security Gateways.

Usage

LSMcli [-d] <server> <user> <pswd> Reboot <Robo|Gateway>

Parameters

Reboot Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the SmartLSM Security Gateway, UTM-1 Edge gateways or Security Gateway

Example

LSMcli mySrvr name pass Reboot MyRobo

Push Actions

The following commands push updated values, settings, and security rules to gateways. After a gateway or dynamic object is created in the SmartProvisioning system, it must be assigned a security policy. Use the push commands to commit the security policy: see PushPolicy and PushDOs.

PushPolicy

This command pushes a policy to the chosen gateway. This command uses CPRID, so CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways and UTM-1 Edge gateways.

Usage

LSMcli [-d] <server> <user> <pswd> PushPolicy <Robo|Gateway>

Parameters

PushPolicy Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the SmartLSM Security Gateway or standard gateway

Example

LSMcli mySrvr name pass PushPolicy MyRobo

PushDOs

This command updates a Dynamic Object's information on the SmartLSM Security Gateway. Note that this command does not remove/release the IP address range for the deleted Dynamic Object, but only adds new ones. To overcome this difficulty, run the PushPolicy command. Applicable to SmartLSM Security Gateways and UTM-1 Edge gateways.

Usage

LSMcli [-d] <server> <user> <pswd> PushDOs <RoboName>

Parameters

PushDOs Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

RoboName - Name of the SmartLSM Security Gateway

Example

LSMcli mySrvr name pass PushDOs MyRobo

GetStatus

This command fetches various statistics from the chosen gateway. Applicable to Security Gateway ROBO and Security Gateways.

Usage

LSMcli [-d] <server> <user> <pswd> GetStatus <Robo|Gateway>

Parameters

GetStatus Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Robo or Gateway - Name of the Security Gateway ROBO or Security Gateway

Example

LSMcli mySrvr name pass GetStatus MyRobo

Gateway Conversion Actions

The following commands enable you to convert a gateway from a SmartLSM Security Gateway to a regular gateway and vice versa.

Convert ROBO VPN1

This command converts a SmartLSM Security Gateway to a Security Gateway. You can specify whether the gateway should be a CO gateway, or not. Applicable to SmartLSM Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Convert ROBO VPN1 <Name> [-CO] [-Force]

Parameters

Convert ROBO VPN1 Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Name - Name of the Security Gateway, or UTM-1 Edge gateway

CO - Define as a CO gateway

Force - Convert the gateway, even if no connection can be established

Use with caution, as a forced conversion will always succeed, even if no connection to the gateway exists. If this happens, make sure the remote operations are done manually on the gateway computer:

  1. Execute the command LSMenabler -r off to turn off SmartLSM Security Gateway support.
  2. Execute the command LSMenabler on to make the gateway a CO gateway.
  3. In SmartDashboard, define gateway parameters: interfaces, communities, etc.; then install the policy.

Example

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -CO

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -Force

Convert Gateway VPN1

This command converts a Security Gateway to a SmartLSM Security Gateway. You can specify whether the gateway should have a CO gateway. Applicable to Security Gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Convert Gateway VPN1 <Name> <Profile> [<-E=EXT> [-I=INT] [-D=DMZ] [-A=AUX]] [-NoRestart] [-Force]

Parameters

Convert VPN Gateway Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Name - Name of the Security Gateway or UTM-1 Edge gateway

Profile - Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after conversion

EXT - Name of external interface

INT - Name of internal interface

DMZ - Name of DMZ interface

AUX - Name of Auxiliary Network interface

NoRestart - Do not restart Check Point services, on the remote machine, after convert operation has finished

Force - Convert the gateway, even if no connection can be established

Use with caution, as a forced conversion will always succeed, even if no connection to the gateway exists. If this happens, make sure the remote operations are done manually on the gateway computer:

  1. Execute LSMenabler -r on to turn on SmartLSM Security Gateway support.
  2. Define gateway parameters and map it to a SmartLSM Security Profile in SmartProvisioning.

Example

LSMcli mySrvr name pass Convert Gateway VPN1 MyGW MyProfile -E=hme0 -I=hme1 -D=hme2 -Force

Convert ROBO VPN1Edge

This command converts a UTM-1 Edge SmartLSM Security Gateway to a UTM-1 Edge gateway. You must completely define the gateway using SmartDashboard, and adjust and reinstall the security policy. Applicable to UTM-1 Edge gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Convert ROBO VPN1Edge <Name>

Parameters

Convert ROBO UTM-1 Edge Parameters

Parameter - Description

server - Name/IP address of the Security Management server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Name - Name of the UTM-1 Edge gateway

Example

LSMcli mySrvr name pass Convert ROBO VPN1Edge MyRobo

Convert Gateway VPN1Edge

This command converts a UTM-1 Edge gateway to a UTM-1 Edge SmartLSM Security Gateway. The gateway is assigned the specified SmartLSM Security Profile. You must completely define the gateway using SmartDashboard, and adjust and reinstall the security policy. Applicable to UTM-1 Edge gateways only.

Usage

LSMcli [-d] <server> <user> <pswd> Convert Gateway VPN1Edge <Name> <Profile>

Parameters

Convert Gateway UTM-1 Edge Parameters

Parameter - Description

server - Name/IP address of the Security Management Server or Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

Name - Name of the UTM-1 Edge gateway

Profile - Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after conversion

Example

LSMcli mySrvr name pass Convert Gateway VPN1Edge MyRobo MyProfile

Multi-Domain Security Management Commands

SmartProvisioning in a Multi-Domain Security Management environment has additional features and commands.

hf_propagate

Multi-Domain Security Management Domain Management Servers may contain INSPECT files (*.def). Use this command to propagate updated INSPECT files from the Multi-Domain Server to a given Domain Management Server.

Usage

LSMcli <server> <user> <pswd> hf_propagate [m | o | u] [--override_manual]

Parameters

hf_propagate Parameters

Parameter - Description

server - Name/IP address of the Domain Management Server

user - User name of standard Check Point authentication method

pswd - Password of standard Check Point authentication method

m - Do not copy INSPECT files (default)

o - Replace INSPECT files

u - Uninstall INSPECT files

override_manual - Add to override manual changes in INSPECT files

Example

LSMcli myCMAsrvr name pass hf_propagate

 
©2013 Check Point Software Technologies Ltd. All rights reserved.