Command Line Reference
Check Point LSMcli Overview
Check Point SmartLSM Command Line Utility (LSMcli) is a simple command line utility, an alternative to SmartProvisioning SmartConsole GUI. LSMcli provides the ability to perform SmartProvisioning GUI operations from a command line or through a script.
Note - LSMcli can run from locations other than SmartConsole clients, so be sure to define the location that LSMcli is running from as a GUI client. See Logging into SmartProvisioning.
Terms
In the LSMcli, commands may use the abbreviation ROBO (Remote Office/Branch Office) gateways. These gateways in SmartProvisioning are called SmartLSM Security Gateways.
Notation
Throughout this chapter square brackets ([ ]) are used with the LSMcli utility. These brackets are correct and syntactically necessary. The following is an example of how they are used:
A [b [c]] - means that for parameter A, you can provide b. If you provide b, you can provide c.
A [b] [c] - means that for parameter A, you can provide b, c, or b and c.
A [b c] - means that for parameter A, you can provide b and c.
Help
Displays command line usage and provides examples for different actions.
Usage
LSMcli [-h | --help]
Syntax
LSMcli [-d] <server> <user> <pswd> <action>
LSMcli Parameters
| Parameter | Description |
|---|---|
| Server | Name/IP address of the Security Management Server or Domain Management Server |
| User | User name used in the standard Check Point authentication method |
| Pswd | Password used in the standard Check Point authentication method |
| Action | Specific function performed (See the following sub-sections for a complete list of actions.) |
Using Security Gateway 80 LSMcli ROBO Commands
LSMcli commands for Security Gateway 80 are similar to the ROBO commands for regular Security Gateways. When you are using a command on Security Gateway 80, replace VPN1 with CPSG80. For example, if you want to use the AddROBO command:
- Regular Security Gateway: AddROBO VPN1
- Security Gateway 80: AddROBO CPSG80
For more information, use the LSMcli Help command.
SmartLSM Security Gateway Management Actions
AddROBO VPN1
This command adds a new Check Point SmartLSM Security Gateway to SmartProvisioning and assigns it a specified SmartLSM Security Profile. If a one-time password is supplied, a SIC certificate will be created. If an IP address is also supplied, the SIC certificate will be pushed to the SmartLSM Security Gateway (in such cases, the SmartLSM Security Gateway SIC one-time password should be initialized first). If no IP address is supplied, the SIC certificate will be pulled from the SmartLSM Security Gateway afterwards. It is also possible to assign an IP address range to Dynamic Objects, specifying whether or not to add them to the VPN domain.
Usage
LSMcli [-d] <server> <user> <pswd> AddROBO VPN1 <RoboName> <Profile> [-RoboCluster=<OtherROBOName>] [-O=<ActivationKey> [-I=<IP>]] [[-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]] [-D[E]:<DynamicObjectName>=<IP1>[-<IP2>] [-D[E]:..]]
Parameters
AddROBO VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of a SmartLSM Security Gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| OtherROBOName | Name for an already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided). |
| ActivationKey | SIC one-time password. (For this action, a certificate will be generated) |
| IP | IP address of the gateway (For this action, certificate will be pushed to the gateway) |
| CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA. Default is Check Point Internal CA. |
| CertificateIdentifier# | Key identifier for third-party CA. |
| AuthorizationKey | Authorization Key for third-party CA. |
| DynamicObjectName | Name of the Dynamic Object |
| IP1-IP2 | IP address range for the Dynamic Object |
Example
LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=192.0.2.4 -DE:FirstDO=192.0.2.100
This action adds a new SmartLSM Security Gateway MyRobo and assigns it the specified SmartLSM Security Profile AnyProfile. A SIC password and an IP address are supplied, so the SIC Activation Key can be sent to the new SmartLSM Security Gateway. A Dynamic Object called FirstDO is resolved to an IP address for this gateway.
LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass -I=10.10.10.1 -DE:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert1233 -KEY=ab345
AddROBO VPN1Edge
This command adds a new UTM-1 Edge SmartLSM Security Gateway. Applicable for UTM-1 Edge gateways only.
Use this command to add a new UTM-1 Edge gateway to the SmartProvisioning system and assign it a specified SmartLSM Security Profile. Specify the product type of the UTM-1 Edge gateway and the firmware installed, which can be set as local, default or user-defined. It is also possible to assign an IP address range to Dynamic Objects, specifying whether to add them to the VPN domain.
To load new firmware on the UTM-1 Edge gateway, use SmartUpdate.
Usage
LSMcli [-d] <server> <user> <pswd> AddROBO VPN1Edge <RoboName> <Profile> <ProductType> [-RoboCluster=<OtherROBOName>] [-O=<RegistrationKey>] [[-CA=<CaName> [-R=<CertificateIdentifier#>][-KEY=<AuthorizationKey>]]] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>] [-D[E]:..]]
Parameters
AddROBO UTM-1 Edge Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the UTM-1 Edge gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| ProductType | Product type |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| RegistrationKey | Registration Key |
| CaName | Name of the Trusted CA object (created from SmartDashboard). The IKE certificate request will be sent to this CA. |
| CertificateIdentifier# | Key identifier of the specific certificate |
| AuthorizationKey | Authorization Key that will be sent to the CA for certificate retrieval |
| Firmware-name | Firmware name, or LOCAL or DEFAULT |
| MAC | MAC address of the UTM-1 Edge, in the format xx:xx:xx:xx:xx:xx where "x" is a hexadecimal digit |
| ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit |
| DO Name | Name of the Dynamic Object |
| E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain. |
| Ip1-Ip2 | IP address range for the Dynamic Object |
Example
LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100
This example creates an object in SmartProvisioning for a UTM-1 Edge SmartLSM Security Gateway called MyRobo, based on a SmartLSM Security Profile defined in SmartDashboard called AnyProfile. MyRobo is defined for a UTM-1 Edge on an SBox-100 device.
LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile IP30 -O=AnyRegKey -F=DEFAULT -M=00:08:AA:BB:CC:DD -K=123456-ABCDEF-ABC123
LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100 -F=Safe@_Safe@_3.0.23_Generic_Safe@_fcs
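An added example (not from Check Point's documentation) that checks AddROBO VPN1Edge option values against the formats given in the parameter table before a script passes them to LSMcli: the MAC and product key patterns, the Dynamic Object IP range, and a guard against non-ASCII characters such as a typographic dash pasted from a formatted document. The function names are hypothetical, and the script only validates; it does not call LSMcli.

```shell
#!/bin/sh
# Added example: pre-flight checks for AddROBO VPN1Edge option values.
# All function names are hypothetical; nothing here invokes LSMcli.
LC_ALL=C; export LC_ALL             # byte-wise, locale-independent matching

H='[0-9A-Fa-f]'                     # one hexadecimal digit, as a shell pattern
H6="$H$H$H$H$H$H"

# MAC format from the parameter table: xx:xx:xx:xx:xx:xx
valid_mac() {
    case $1 in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) return 0 ;;
        *) return 1 ;;
    esac
}

# Product key format from the parameter table: xxxxxx-xxxxxx-xxxxxx
valid_product_key() {
    case $1 in
        $H6-$H6-$H6) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a dotted-quad IPv4 address as an integer; fail on anything else.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split on dots (input holds only digits and dots)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Dynamic Object value: <IP1> or <IP1>-<IP2>, with IP1 <= IP2.
valid_ip_range() {
    case $1 in
        *-*) first=${1%%-*}; last=${1#*-} ;;
        *)   first=$1; last=$1 ;;
    esac
    a=$(ip_to_int "$first") && b=$(ip_to_int "$last") && [ "$a" -le "$b" ]
}

# True only if the argument consists of printable ASCII (space to tilde).
ascii_only() {
    n=$(printf '%s' "$1" | tr -d ' -~' | wc -c)
    [ "$((n))" -eq 0 ]
}

# Check the options of an AddROBO VPN1Edge call (everything after <ProductType>).
# Prints one line per problem and returns non-zero if any were found.
check_edge_options() {
    bad=0; idx=0
    for arg in "$@"; do
        idx=$((idx + 1))
        if ! ascii_only "$arg"; then
            echo "option $idx: non-ASCII or control character"; bad=1; continue
        fi
        case $arg in
            -M=*) valid_mac "${arg#-M=}" || { echo "bad MAC: ${arg#-M=}"; bad=1; } ;;
            -K=*) valid_product_key "${arg#-K=}" || { echo "bad product key format"; bad=1; } ;;
            -D:*=*|-DE:*=*)
                  valid_ip_range "${arg#*=}" || { echo "bad IP range: ${arg#*=}"; bad=1; } ;;
            -O=*|-CA=*|-R=*|-KEY=*|-F=*|-RoboCluster=*) ;;   # free-form values
            *)    echo "unexpected option: $arg"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed demo: the option list from the second example above.
if check_edge_options -O=AnyRegKey -F=DEFAULT -M=00:08:AA:BB:CC:DD -K=123456-ABCDEF-ABC123; then
    echo "options look well-formed"
fi
```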
ModifyROBO VPN1
This command modifies a Check Point SmartLSM Security Gateway. This action modifies the SmartProvisioning details for an existing SmartLSM Security Gateway and can be used to update properties previously supplied by the user.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBO VPN1 <RoboName> and at least one of: [-P=Profile] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-D:<DO name>=<IP1>[-<IP2>] [-KeepDOs]..]
Parameters
ModifyROBO VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| -NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove Cluster" operation from GUI. When a ModifyROBO VPN1 command with this argument is issued on a gateway that participates in a cluster, the cluster is removed. |
| DO Name | Name of the Dynamic Object |
| IP1-IP2 | IP address range for the Dynamic Object |
| -KeepDOs | Keeps all existing dynamic objects in the dynamic objects list when adding new dynamic objects. If a dynamic object already exists in the list, its IP resolution is updated. If this flag is not specified, the dynamic objects list is deleted when using the LSMcli command to add new dynamic objects. |
Example
LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8 -D:MySpecialNet=10.10.10.1-10.10.10.6
This example resolves Dynamic Objects for the given gateway.
ModifyROBO VPN1Edge
This command modifies a UTM-1 Edge gateway. This action modifies the SmartProvisioning details for an existing UTM-1 Edge gateway and can be used to update properties previously supplied by the user.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBO VPN1Edge <RoboName> and at least one of: [-P=<Profile>] [-T=<ProductType>] [-RoboCluster=<OtherROBOName>|-NoRoboCluster] [-O=<RegistrationKey>] [-F=LOCAL|DEFAULT|<Firmware-name>] [-M=<MAC>] [-K=<ProductKey>] [-D[E]:<D.O. name>=<IP1>[-<IP2>] [-KeepDOs]..]
Parameters
ModifyROBO UTM-1 Edge Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the UTM-1 Edge gateway |
| Profile | Name of a SmartLSM Security Profile that has been defined in SmartDashboard |
| ProductType | Product type |
| OtherROBOName | Name of the already defined SmartLSM Security Gateway that is to participate in the SmartLSM Cluster with the newly created gateway (if the -RoboCluster argument is provided) |
| -NoRoboCluster | The -NoRoboCluster parameter is equivalent to the "Remove SmartLSM Cluster" operation from GUI. When a ModifyROBO VPN1 command with this argument is issued on a gateway that participates in a SmartLSM cluster, the cluster is removed. |
| RegistrationKey | Registration key |
| Firmware | Firmware name, LOCAL or DEFAULT |
| MAC | MAC address of the UTM-1 Edge, in the format xx:xx:xx:xx:xx:xx where "x" is a hexadecimal digit |
| ProductKey | Product key (license), in the format xxxxxx-xxxxxx-xxxxxx, where "x" is a hexadecimal digit |
| DO Name | Name of the Dynamic Object |
| E | Obsolete, refer to the LSMcli command: ModifyROBOManualVPNDomain. |
| Ip1-Ip2 | IP address range for the Dynamic Object |
| -KeepDOs | Keeps all existing dynamic objects in the dynamic objects list when adding new dynamic objects. If a dynamic object already exists in the list, its IP resolution is updated. If this flag is not specified, the dynamic objects list is deleted when using the LSMcli command to add new dynamic objects. |
Example
LSMcli mySrvr name pass ModifyROBO VPN1Edge MyEdgeROBO -P=MyNewEdgeProfile -NoRoboCluster
ModifyROBOManualVPNDomain
This command modifies the SmartLSM VPN Domain, to take effect when the VPN Domain becomes defined as Manual.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOManualVPNDomain <RoboName> and one of: -Add=<FirstIP-LastIP> -Delete=<Index (as shown by the last ShowROBOTopology command)> and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]
Parameters
ModifyROBOManual VPN Domain Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| FirstIP-LastIP | IP address range |
| Index | Value displayed by ShowInfo command |
| IfOverlappingIPRangesDetected | Flag to determine course of action, if overlapping IP address ranges are detected. The options are: exit, warn and ignore |
Example
LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Add=192.0.2.1-192.0.2.20
LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Delete=1
ModifyROBOTopology VPN1
This command modifies the SmartLSM VPN Domain configuration for a selected Gateway.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOTopology VPN1 <RoboName> -VPNDomain=<not_defined|external_ip_only|topology|manual>
Parameters
ModifyROBOTopology VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| VPNDomain | Flag to determine the VPN Domain topology. The options are: |
- not_defined: Equivalent to the Not Defined option in the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the ShowROBOTopology output).
- external_ip_only: Equivalent to Only the external interface
- topology: Equivalent to All IP Addresses behind the Gateway based on Topology information
- manual: Equivalent to Manually defined. VPN domain is defined according to ModifyROBOManualVPNDomain setting.
Example
LSMcli mySrvr name pass ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual
ModifyROBOTopology VPN1Edge
This command modifies the VPN Domain configuration for a selected Gateway.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOTopology VPN1Edge <RoboName> and at least one of: [-VPNDomain=<not_defined|external_ip_only|topology|automatic|manual>]
Parameters
ModifyROBOTopology UTM-1 Edge Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| VPNDomain | Flag to configure the VPN Domain topology. The options are: not_defined, external_ip_only, topology, and manual. |
- not_defined: Equivalent to the Not Defined option in the Topology tab of a SmartLSM Security Gateway in the SmartProvisioning GUI (or in the ShowROBOTopology output).
- external_ip_only: Equivalent to Only the external interface
- topology: Equivalent to All IP Addresses behind the Gateway based on Topology information
- automatic: The VPN domain of the gateway consists of all the IP addresses configured locally on the UTM-1 Edge device, regardless of the interface configuration of the Edge object in SmartDashboard. Selecting this option requires:
  - Manual definition of VTIs on the Edge and CO gateway so that the CO learns the VPN domain of the Edge device.
  - OSPF feature of the CO gateway to dynamically learn the VPN domain of the UTM-1 Edge device.
- manual: Equivalent to Manually defined
Example
LSMcli mySrvr name pass ModifyROBOTopology VPN1Edge MyRobo -VPNDomain=manual
ModifyROBOInterface VPN1
This command modifies the Internal Interface list.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOInterface VPN1 <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-Netmask=<NetMask>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]
Parameters
ModifyROBOInterface VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of the existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |
| IfOverlappingIPRangesDetected | Flag to determine course of action, if overlapping IP address ranges are detected. The options are: exit, warn and ignore |
Example
LSMcli mySrvr name pass ModifyROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0
ModifyROBOInterface VPN1Edge
This command modifies the VPN1Edge Internal Interface list.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOInterface VPN1Edge <RoboName> <InterfaceName> and at least one of: [-i=<IPAddress>] [-NetMask=<NetMask>] [-Enabled=<true|false>] [-HideNAT=<true|false>] [-DHCPEnabled=<true|false>] [-DHCPIpAllocation=<automatic|<FirstIP-LastIP>|<IP address of DHCP Relay Server>] and optionally: [-IfOverlappingIPRangesDetected=<exit|warn|ignore>]
Parameters
ModifyROBOInterface UTM-1 Edge Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |
| Enabled | Flag to enable/disable the selected interface |
| HideNAT | Flag to specify whether the interface is identified by the gateway IP address (hidden behind NAT) |
| DHCPEnabled | Flag to enable dynamically allocated IP addresses |
| DHCPIpAllocation | Flag to determine how IP addresses are dynamically allocated. The options are: automatic, <FirstIP-LastIP>, and DHCP Relay Server |
| IfOverlappingIPRangesDetected | Flag to determine course of action if overlapping IP address ranges are detected. The options are: exit, warn and ignore |
Example
LSMcli mySrvr name pass ModifyROBOInterface VPN1Edge MyRobo DMZ -i=192.0.2.1 -Netmask=255.255.255.0 -Enabled=true -HideNAT=false -DHCPEnabled=true -DHCPIpAllocation=automatic
AddROBOInterface VPN1
This command adds a new interface to the selected SmartLSM Security Gateway.
Usage
LSMcli [-d] <server> <user> <pswd> AddROBOInterface VPN1 <RoboName> <InterfaceName> -i=<IPAddress> -NetMask=<NetMask>
Parameters
AddROBOInterface VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |
| IPAddress | IP address of the interface |
| NetMask | Net mask of the interface |
Example
LSMcli mySrvr name pass AddROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1 -Netmask=255.255.255.0
DeleteROBOInterface VPN1
This command deletes an interface from the selected Gateway.
Usage
LSMcli [-d] <server> <user> <pswd> DeleteROBOInterface VPN1 <RoboName> <InterfaceName>
Parameters
DeleteROBOInterface VPN1 Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| InterfaceName | Name of an existing interface |
Example
LSMcli mySrvr name pass DeleteROBOInterface VPN1 MyRobo eth0
ResetSic
This command resets the SIC Certificate of a SmartLSM Security Gateway. Applicable for SmartLSM Security Gateways only. This action revokes the existing gateway SIC certificate and creates a new one using the one-time password provided by the user. If an IP address is supplied for the SmartLSM Security Gateway, the SIC certificate will be pushed to the SmartLSM Security Gateway, in which case the SmartLSM Security Gateway SIC's one-time password should be initialized first. Otherwise, if no IP address is given, the SIC certificate will later be pulled from the SmartLSM Security Gateway.
Usage
LSMcli [-d] <server> <user> <pswd> ResetSic <RoboName> <ActivationKey> [-I=<IP>]
Parameters
ResetSic Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| ActivationKey | One-time password for the Secure Internal Communications with the SmartLSM Security Gateway |
| IP | IP address of gateway (for this action, the certificate is pushed to the gateway) |
Example
LSMcli mySrvr name pass ResetSic MyROBO aw47q1
LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1
ResetIke
This command resets the IKE Certificate of a SmartLSM Security Gateway. Applicable for Security Gateway and UTM-1 Edge gateways. This action revokes the existing IKE certificate and creates a new one.
Usage
LSMcli [-d] <server> <user> <pswd> ResetIke <RoboName> [-CA=<CaName> [-R=<CertificateIdentifier#>] [-KEY=<AuthorizationKey>]]
Parameters
ResetIke Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the Security Gateway or UTM-1 Edge gateway |
| CaName | Name of the Trusted CA object (created from SmartDashboard); the IKE certificate request will be sent to this CA |
| CertificateIdentifier | Key identifier of the specific certificate |
| AuthorizationKey | Authorization Key to be sent to the CA for the certificate retrieval |
Example
LSMcli mySrvr name pass ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s -KEY=ad23fgh
ExportIke
This command exports the IKE Certificate of a SmartLSM Security Gateway into a P12 file, encrypted with a provided password. The default location of the exported file is $FWDIR/conf.
Usage
LSMcli [-d] <server> <user> <pswd> ExportIke <RoboName> <Password> <FileName>
Parameters
ExportIke Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway whose certificate will be exported |
| Password | Password used to protect the p12 file |
| FileName | Destination file name (will be created) |
Example
LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12
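Because the LSMcli syntax passes <pswd>, SIC activation keys, CA authorization keys and the P12 export password as plain arguments, a script that echoes or logs its LSMcli calls records those secrets as well. The following added example (not Check Point code; redact_lsmcli is a hypothetical helper) masks them according to the argument positions documented on this page before a call is written to a log.

```shell
#!/bin/sh
# Added example: mask secrets in an LSMcli argument list before it is logged.
# redact_lsmcli is a hypothetical helper; it never runs LSMcli.
# Secret positions follow the syntax documented on this page:
#   LSMcli [-d] <server> <user> <pswd> <action> ...
#   ResetSic  <RoboName> <ActivationKey> [-I=<IP>]
#   ExportIke <RoboName> <Password> <FileName>
#   -O=<ActivationKey or RegistrationKey>, -KEY=<AuthorizationKey>
redact_lsmcli() {
    [ $# -ge 1 ] || return 2
    out=$1; shift                           # program name
    case ${1-} in
        -h|--help) printf '%s\n' "$out $1"; return 0 ;;   # help call carries no secrets
    esac
    if [ "${1-}" = "-d" ]; then out="$out -d"; shift; fi
    if [ $# -lt 4 ]; then
        # Too short to locate <pswd> reliably: withhold the line rather than guess.
        echo "[unparsed LSMcli call withheld]"
        return 2
    fi
    out="$out $1 $2 ***"                    # <server> <user>, <pswd> masked
    action=$4
    shift 3                                 # "$@" now starts at <action>
    pos=0                                   # position counted from <action>
    for arg in "$@"; do
        case $arg in
            -O=*)   arg='-O=***' ;;         # SIC one-time password / registration key
            -KEY=*) arg='-KEY=***' ;;       # CA authorization key
            *)
                case "$action:$pos" in
                    # second argument after the action name is the secret
                    ResetSic:2|ExportIke:2) arg='***' ;;
                esac ;;
        esac
        out="$out $arg"
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Constructed demo using example calls from this page.
redact_lsmcli LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12
redact_lsmcli LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1
```

Masking the log line does not hide the arguments from the process listing while LSMcli runs, so run such scripts on a host where local access is restricted.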
UpdateCO
This command updates a Corporate Office gateway. This action updates the CO gateway with up-to-date available information about the VPN domains of the SmartLSM Security Gateways. Perform this action after adding a new SmartLSM Security Gateway to enable the CO gateway to initiate a VPN tunnel to the new SmartLSM Security Gateway. (Alternatively, the Install Policy action can be run on the CO gateway to obtain updated VPN Domain information.) Applicable for CO gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> UpdateCO <COgw|COgwCluster>
Parameters
UpdateCO Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| Cogw | Name of a CO gateway |
| CogwCluster | Name of a cluster of CO gateways |
Example
LSMcli mySrvr name pass UpdateCO MyCO
Remove
This command deletes a SmartLSM Security Gateway. This action revokes all the certificates used by the SmartLSM Security Gateway, releases all the licenses and, finally, removes the SmartLSM Security Gateway. Applicable for Security Gateway and UTM-1 Edge gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Remove <RoboName> <ID>
Parameters
Remove Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of Security Gateway or UTM-1 Edge gateway |
| ID | ID of the SmartLSM Security Gateway (use Show to check the ID of the specific SmartLSM Security Gateway) |
Example
LSMcli mySrvr name pass Remove MyRobo 0.0.0.251
Show
This command displays a list of existing gateways. Applicable for Security Gateway and UTM-1 Edge gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Show [-N=Name] [-F=nbcitvpglskd]
Parameters
Show Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| Name | Name of the gateway to display. If the -N flag is not included, this action prints the existing Devices work space, including SmartLSM Security Gateways. |
| -F | One can filter the information printed out using the following flags: |
| n | Name |
| b | ID |
| c | Cluster ID |
| i | IP address |
| t | Type |
| v | Version |
| p | SmartLSM Security Profile |
| g | Gateway status |
| l | Policy status |
| s | SIC DN |
| k | IKE DN |
| d | List of Dynamic Objects assigned to this SmartLSM Security Gateway |
Example
LSMcli mySrvr name pass Show -N=MyRobo
LSMcli mySrvr name pass Show -F=nibtp
Configuration Scripts
ModifyROBOConfigScript and ShowROBOConfigScript are equivalent to the Configuration Script tab in SmartProvisioning GUI for UTM-1 Edge SmartLSM Security Gateways. (Applicable only to UTM-1 Edge SmartLSM Security Gateways.)
ModifyROBOConfigScript
ModifyROBOConfigScript sets the given UTM-1 Edge SmartLSM Security Gateway's configuration script to be a copy of the contents of the given text file <inputScriptFile>.
Usage
LSMcli [-d] <server> <user> <pswd> ModifyROBOConfigScript VPN1Edge <RoboName> <inputScriptFile>
Parameters
ModifyROBOConfigScript Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of UTM-1 Edge gateway |
| inputScriptFile | The given UTM-1 Edge SmartLSM Security Gateway's configuration script is set to be a copy of the contents of the given text file. |
Example
LSMcli mySrvr name pass ModifyROBOConfigScript VPN1Edge MyRobo myScriptFile
ShowROBOConfigScript
This command shows the given UTM-1 Edge SmartLSM Security Gateway's configuration script, and its SmartLSM Security Profile's configuration script.
Usage
LSMcli [-d] <server> <user> <pswd> ShowROBOConfigScript VPN1Edge <RoboName>
Parameters
ShowROBOConfigScript Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of UTM-1 Edge gateway |
Example
LSMcli mySrvr name pass ShowROBOConfigScript VPN1Edge MyRobo
ShowROBOTopology
This command displays the Topology information of the SmartLSM Security Gateway. It lists the defined Interfaces and their respective IP Addresses and Network Masks, and the VPN Domain configuration. The indexes of the manually defined VPN domain IP address ranges, on the displayed list, can be used when requesting to delete a range, via the ModifyROBOManualVPNDomain command.
Usage
LSMcli [-d] <server> <user> <pswd> ShowROBOTopology <RoboName>
Parameters
ShowROBOTopology Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of Security Gateway or UTM-1 Edge gateway |
Example
LSMcli mySrvr name pass ShowROBOTopology MyRobo
SmartUpdate Actions
Before software can be installed on gateways, it must first be loaded to the Security Management Server. We recommend that you make sure that software is compatible by running the VerifyInstall command first. Install software using the Install command. Uninstall the software using the Uninstall command.
VerifyInstall
This command verifies whether the selected software can be installed on the SmartLSM Security Gateway, that is, whether the software is compatible. Note that this action does not perform an installation. Run this command before using the Install command to install software on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> VerifyInstall <RoboName> <Product> <Vendor> <Version> <SP>
Parameters
VerifyInstall Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major version of the package |
| SP | Minor version of the package |
Example
LSMcli mySrvr name pass VerifyInstall MyRobo firewall checkpoint NG_AI fcs
Install
This command installs a product on a SmartLSM Security Gateway. This action installs the specified software on the SmartLSM Security Gateway. Note that the software must be loaded to the Security Management Server before attempting to install it on the SmartLSM Security Gateway. It is recommended that you run the VerifyInstall command first, before installing software on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Install <RoboName> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot] [-DoNotDistribute]
Parameters
Install Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| RoboName | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major Version of the package |
| SP | Minor Version of the package |
| Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after installation |
| boot | Reboot the SmartLSM Security Gateway after the installation is done |
| -DoNotDistribute | (Optional) Install previously distributed packages |
Example
LSMcli mySrvr name pass Install MyRobo firewall checkpoint NG_AI fcs -P=AnyProfile -boot
Uninstall
This command uninstalls a product on a SmartLSM Security Gateway. This action uninstalls the specified package from the SmartLSM Security Gateway. The ShowInfo command can be used to see what products are installed on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Uninstall <ROBO> <Product> <Vendor> <Version> <SP> [-P=Profile] [-boot]
Parameters
Uninstall Parameters
| Parameter | Description |
|---|---|
| server | Name/IP address of the Security Management Server or Domain Management Server |
| user | User name of standard Check Point authentication method |
| pswd | Password of standard Check Point authentication method |
| ROBO | Name of the SmartLSM Security Gateway |
| Product | Name of the package |
| Vendor | Name of the vendor of the package |
| Version | Major Version of the package |
| SP | Minor Version of the package |
| Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after uninstall |
| boot | Reboot the SmartLSM Security Gateway after the installation is finished |
Example
LSMcli mySrvr name pass Uninstall MyRobo firewall checkpoint NG_AI fcs -boot
Distribute
This command distributes a package from the Repository to the SmartLSM Security Gateway, but does not install it.
Usage
LSMcli [-d] <server> <user> <pswd> Distribute <RoboName> <Product> <Vendor> <Version> <SP>
Parameters
Distribute Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
RoboName | Name of the SmartLSM Security Gateway
Product | Name of the package
Vendor | Name of the vendor of the package
Version | Major version of the package
SP | Minor version of the package
Example
LSMcli mySrvr name pass Distribute MyRobo fw1 checkpoint NG_AI R54
VerifyUpgrade
This command verifies whether the selected software can be upgraded on the SmartLSM Security Gateway, that is, whether the software is compatible. This command does not perform an installation. Run this command before using the Upgrade command. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> VerifyUpgrade <RoboName>
Parameters
VerifyUpgrade Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
RoboName | Name of the SmartLSM Security Gateway
Example
LSMcli mySrvr name pass VerifyUpgrade MyRobo
Upgrade
This command upgrades all the (appropriate) available software packages on the SmartLSM Security Gateway. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Upgrade <RoboName> [-P=Profile] [-boot]
Parameters
Upgrade Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
RoboName | Name of the SmartLSM Security Gateway
Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after installation
boot | Reboot the SmartLSM Security Gateway after the installation is finished
Example
LSMcli mySrvr name pass Upgrade MyRobo -P=myprofile -boot
GetInfo
This command collects product information from the SmartLSM Security Gateway. You must run this command before running the ShowInfo command if you manually upgrade any package instead of using SmartUpdate.
Important - This command works only with SmartLSM Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> GetInfo <RoboName>
Parameters
GetInfo Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
RoboName | Name of the SmartLSM Security Gateway
Example
LSMcli mySrvr name pass GetInfo MyRobo
ShowInfo
This command displays information about the products installed on the SmartLSM Security Gateway. For a SmartLSM Security Gateway, run the GetInfo command first to make sure that the displayed information is up to date. Applicable to Security Gateway and UTM-1 Edge gateways.
Usage
LSMcli [-d] <server> <user> <pswd> ShowInfo <VPN1EdgeRoboName>
Parameters
ShowInfo Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
VPN1EdgeRoboName | Name of the Security Gateway or UTM-1 Edge gateway
Example
LSMcli mySrvr name pass ShowInfo MyRobo
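The ordering described above (VerifyUpgrade before Upgrade, GetInfo before ShowInfo), as an added shell example that is not part of the Check Point documentation. It assumes LSMcli exits with a non-zero status when an action fails; LSM_SERVER, LSM_USER, LSM_PSWD, LSMCLI, run_lsm and safe_upgrade are hypothetical names.

```shell
#!/bin/sh
# Added example (not Check Point code): verify-then-upgrade wrapper for LSMcli.
# Assumption: LSMcli exits non-zero when an action fails; confirm on your version.

LSMCLI=${LSMCLI:-LSMcli}   # path to the utility; can be overridden for testing

# run_lsm <action> [args...]
# Builds the documented call: LSMcli <server> <user> <pswd> <action> ...
# Reading the password from the environment keeps it out of the script file,
# but the LSMcli syntax still places it on the command line, where other local
# users may see it in the process list. Run this on a restricted admin host.
run_lsm() {
    "$LSMCLI" "$LSM_SERVER" "$LSM_USER" "$LSM_PSWD" "$@"
}

# safe_upgrade <RoboName> [Upgrade options such as -P=Profile or -boot]
# Returns 0 on success, 1 if VerifyUpgrade failed (Upgrade is not attempted),
# 2 if Upgrade failed, 3 if the gateway name or credentials are missing.
safe_upgrade() {
    if [ $# -lt 1 ] || [ -z "${LSM_SERVER:-}" ] || [ -z "${LSM_USER:-}" ] \
        || [ -z "${LSM_PSWD:-}" ]; then
        echo "usage: LSM_SERVER, LSM_USER, LSM_PSWD set; safe_upgrade <RoboName> [options]" >&2
        return 3
    fi
    robo=$1
    shift

    # Compatibility check only; this action does not install anything.
    if ! run_lsm VerifyUpgrade "$robo"; then
        echo "SKIP $robo: VerifyUpgrade failed, Upgrade not attempted" >&2
        return 1
    fi

    # Remaining arguments are passed through unchanged to Upgrade.
    if ! run_lsm Upgrade "$robo" "$@"; then
        echo "FAIL $robo: Upgrade returned an error" >&2
        return 2
    fi

    # Refresh the product inventory, then display it to confirm the result.
    run_lsm GetInfo "$robo" && run_lsm ShowInfo "$robo"
}
```

Call it as `safe_upgrade MyRobo -P=myprofile -boot` after setting the three variables for the session.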
ShowRepository
This command shows the list of products available on the Security Management Server. Use SmartUpdate to manage the products, load new products, remove products, and so on.
Usage
LSMcli [-d] <server> <user> <pswd> ShowRepository
Example
LSMcli mySrvr name pass ShowRepository
Stop
This command stops Security Gateway services on the selected gateway. Note that this command utilizes CPRID, therefore CPRID services must be running on the gateway. Applicable to Security Gateways and SmartLSM Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Stop <Robo|Gateway>
Parameters
Stop Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the SmartLSM Security Gateway, or Security Gateway
Example
LSMcli mySrvr name pass Stop MyRobo
Start
This command starts Security Gateway services on the selected gateway. Note that this command utilizes CPRID, therefore CPRID services must be running on the gateway. Applicable to Security Gateways and SmartLSM Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Start <Robo|Gateway>
Parameters
Start Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the SmartLSM Security Gateway or Security Gateway
Example
LSMcli mySrvr name pass Start MyRobo
Restart
This command re-starts Security Gateway services on the chosen gateway. Note that this command utilizes CPRID, therefore CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways, UTM-1 Edge gateways and Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Restart <Robo|Gateway>
Parameters
Restart Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the SmartLSM Security Gateway, UTM-1 Edge gateway or Security Gateway
Example
LSMcli mySrvr name pass Restart MyRobo
Reboot
This command reboots the chosen gateway. Note that this command utilizes CPRID, therefore CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways, UTM-1 Edge gateways and Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> Reboot <Robo|Gateway>
Parameters
Reboot Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the SmartLSM Security Gateway, UTM-1 Edge gateways or Security Gateway
Example
LSMcli mySrvr name pass Reboot MyRobo
Push Actions
The following commands push updated values, settings, and security rules to gateways. After you create a gateway or dynamic object in the SmartProvisioning system, it must be assigned a security policy. Use the push commands to commit the security policy: see PushPolicy and PushDOs.
PushPolicy
This command pushes a policy to the chosen gateway. Note that this command utilizes CPRID, therefore CPRID services must be running on the gateway. Applicable to SmartLSM Security Gateways and UTM-1 Edge gateways.
Usage
LSMcli [-d] <server> <user> <pswd> PushPolicy <Robo|Gateway>
Parameters
PushPolicy Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the SmartLSM Security Gateway or standard gateway
Example
LSMcli mySrvr name pass PushPolicy MyRobo
PushDOs
This command updates a Dynamic Object's information on the SmartLSM Security Gateway. Note that this command does not remove/release the IP address range for the deleted Dynamic Object, but only adds new ones. To overcome this difficulty, run the PushPolicy command. Applicable to SmartLSM Security Gateways and UTM-1 Edge gateways.
Usage
LSMcli [-d] <server> <user> <pswd> PushDOs <RoboName>
Parameters
PushDOs Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
RoboName | Name of the SmartLSM Security Gateway
Example
LSMcli mySrvr name pass PushDOs MyRobo
GetStatus
This command fetches various statistics from the chosen gateway. Applicable to Security Gateway ROBO and Security Gateways.
Usage
LSMcli [-d] <server> <user> <pswd> GetStatus <Robo|Gateway>
Parameters
GetStatus Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Robo or Gateway | Name of the Security Gateway ROBO or Security Gateway
Example
LSMcli mySrvr name pass GetStatus MyRobo
Gateway Conversion Actions
The following commands enable you to convert a gateway from a SmartLSM Security Gateway to a regular gateway and vice versa.
Convert ROBO VPN1
This command converts a SmartLSM Security Gateway to a Security Gateway. You can specify whether the gateway should be a CO gateway, or not. Applicable to SmartLSM Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Convert ROBO VPN1 <Name> [-CO] [-Force]
Parameters
Convert ROBO VPN1 Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Name | Name of the Security Gateway, or UTM-1 Edge gateway
CO | Define as a CO gateway
Force | Convert the gateway, even if no connection can be established
  Use with caution, as a forced conversion will always succeed, even if no connection to the gateway exists. If this happens, make sure the remote operations are done manually on the gateway computer:
  - Execute the command LSMenabler -r off to turn off SmartLSM Security Gateway support.
  - Execute the command LSMenabler on to make the gateway a CO gateway.
  - In SmartDashboard, define gateway parameters: interfaces, communities, etc.; then install the policy.
Example
LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -CO
LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -Force
Convert Gateway VPN1
This command converts a Security Gateway to a SmartLSM Security Gateway. You can specify whether the gateway should have a CO gateway. Applicable to Security Gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Convert Gateway VPN1 <Name> <Profile> [<-E=EXT> [-I=INT] [-D=DMZ] [-A=AUX]] [-NoRestart] [-Force]
Parameters
Convert VPN Gateway Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Name | Name of the Security Gateway or UTM-1 Edge gateway
Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after conversion
EXT | Name of external interface
INT | Name of internal interface
DMZ | Name of DMZ interface
AUX | Name of Auxiliary Network interface
NoRestart | Do not restart Check Point services, on the remote machine, after convert operation has finished
Force | Convert the gateway, even if no connection can be established
  Use with caution, as a forced conversion will always succeed, even if no connection to the gateway exists. If this happens, make sure the remote operations are done manually on the gateway computer:
  - Execute LSMenabler -r on to turn on SmartLSM Security Gateway support.
  - Define gateway parameters and map it to a SmartLSM Security Profile in SmartProvisioning.
Example
LSMcli mySrvr name pass Convert Gateway VPN1 MyGW MyProfile -E=hme0 -I=hme1 -D=hme2 -Force
Convert ROBO VPN1Edge
This command converts a UTM-1 Edge SmartLSM Security Gateway to a UTM-1 Edge gateway. You must completely define the gateway using SmartDashboard, and adjust and reinstall the security policy. Applicable to UTM-1 Edge gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Convert ROBO VPN1Edge <Name>
Parameters
Convert ROBO UTM-1 Edge Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Name | Name of the UTM-1 Edge gateway
Example
LSMcli mySrvr name pass Convert ROBO VPN1Edge MyRobo
Convert Gateway VPN1Edge
This command converts a UTM-1 Edge gateway to a UTM-1 Edge SmartLSM Security Gateway. The gateway is assigned the specified SmartLSM Security Profile. You must completely define the gateway using SmartDashboard, and adjust and reinstall the security policy. Applicable to UTM-1 Edge gateways only.
Usage
LSMcli [-d] <server> <user> <pswd> Convert Gateway VPN1Edge <Name> <Profile>
Parameters
Convert Gateway UTM-1 Edge Parameters
Parameter | Description
server | Name/IP address of the Security Management Server or Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
Name | Name of the UTM-1 Edge gateway
Profile | Assign a different SmartLSM Security Profile (already defined in SmartDashboard) after conversion
Example
LSMcli mySrvr name pass Convert Gateway VPN1Edge MyRobo MyProfile
Multi-Domain Security Management Commands
SmartProvisioning in a Multi-Domain Security Management environment has additional features and commands.
hf_propagate
Multi-Domain Security Management may contain INSPECT files (*.def). Use this command to propagate updated INSPECT files from the Multi-Domain Server to a given Domain Management Server.
Usage
LSMcli <server> <user> <pswd> hf_propagate [m | o | u] [--override_manual]
Parameters
hf_propagate Parameters
Parameter | Description
server | Name/IP address of the Domain Management Server
user | User name of standard Check Point authentication method
pswd | Password of standard Check Point authentication method
m | Do not copy INSPECT files (default)
o | Replace INSPECT files
u | Uninstall INSPECT files
override_manual | Add to override manual changes in INSPECT files
Example
LSMcli myCMAsrvr name pass hf_propagate