Managing SmartLSM Clusters with LSMcli

With the LSMcli command, you can define SmartLSM clusters and configure most of the options available in the SmartLSM GUI client (in the New SmartLSM Cluster wizard and in the Edit windows).

To manage and configure your devices through the SmartProvisioning CLI:

On your Management Server, run:

LSMcli [-d] <server> <user> <pswd> <action>

This section lists available actions for SmartLSM Clusters.

What You Can Do with LSMcli

The main SmartLSM Cluster actions are:

AddROBO VPN1Cluster

You can define a new SmartLSM cluster with the AddROBO VPN1Cluster action. You can configure all of the options available in the New SmartLSM Cluster wizard, with the AddROBO VPN1Cluster command parameters. The only exception is the Topology overrides.

To define a new SmartLSM cluster, substitute <action> in the LSMcli syntax with this command:

AddROBO VPN1Cluster <Profile> <MainIPAddress> <SuffixName> [-S=<SubstitutedNamePart>]
[-CA=<CaName> [-R=<KeyIdentifier#>] [-KEY=<AuthorizationCode>]]

Parameters

| Parameter | Description | SmartLSM GUI Location |
|---|---|---|
| Profile | Name of cluster Profile to which to map the new cluster. | New SmartLSM Cluster wizard. |
| MainIPAddress | Main IP address of cluster. | New SmartLSM Cluster wizard. |
| SuffixName | A suffix to be added to cluster and member Profile names. | New SmartLSM Cluster wizard. |
| SubstitutedNamePart | A part of the Profile name to be replaced by the suffix in the previous field. | SmartLSM GUI supports adding Prefix and/or Suffix, not substitution. |
| CAName | The name of the Trusted CA object, defined in SmartConsole, to which a VPN certificate request is sent. | VPN tab of Edit window (double-click SmartLSM object). |
| KeyIdentifier# | Number to identify the specific certificate, once generated. | VPN tab of Edit window (double-click SmartLSM object). |
| AuthorizationCode | Authorization Key to be sent to CA to enable certificate retrieval. | VPN tab of Edit window (double-click SmartLSM object). |

ModifyROBO VPN1Cluster

-I - Changing the Main IP Address

You can change a SmartLSM cluster main IP address in the Cluster tab of the cluster Edit window (double-click the cluster object), or with the ModifyROBO VPN1Cluster command.

To change a SmartLSM cluster main IP address with the ModifyROBO VPN1Cluster command, substitute <action> in the LSMcli syntax with this command:

ModifyROBO VPN1Cluster <ROBOClusterName> -I=<MainIPAddress>

where <ROBOClusterName> is the cluster name, and

<MainIPAddress> is the new IP address.

-D - Resolving a Dynamic Object

You can resolve a dynamic object for a SmartLSM cluster in the Dynamic Objects tab of the cluster Edit window (double-click the cluster object), or with the ModifyROBO VPN1Cluster command.

To resolve a dynamic object for a SmartLSM cluster, substitute <action> in the LSMcli syntax with this command:

ModifyROBO VPN1Cluster <ROBOClusterName> -D:<D.O. Name>=<IP|IP1-IP2>

where

<ROBOClusterName> is the cluster name,

<D.O. Name> is the Dynamic Object name, and

<IP|IP1-IP2> is an IP address or a range of IP addresses.

ModifyROBOTopology VPN1Cluster

You can set the VPN domain of a SmartLSM cluster in the VPN Domain area in the Topology tab of the cluster Edit window (double-click the cluster object). You can also set the VPN Domain of a SmartLSM cluster with the ModifyROBOTopology VPN1Cluster command.

To set the VPN domain of a SmartLSM cluster, substitute <action> in the LSMcli syntax with this command:

ModifyROBOTopology VPN1Cluster <RoboClusterName>
-VPNDomain=<not_defined|external_ip_only|topology|manual>

The parameters are the same as in the non-cluster ModifyROBOTopology VPN1 command, at the cluster level.

Note - When the VPN domain is set to Manual, the IP address ranges are those set in the SmartLSM GUI or with the ModifyROBOManualVPNDomain command.

ModifyROBOManualVPNDomain

This general LSM command applies to SmartLSM Clusters, with the same syntax. Use the cluster name for <ROBOName>.

ModifyROBONetaccess VPN1Cluster

For the actual SmartLSM cluster, you can override the profile topology definitions of a cluster (virtual) interface. Edit the interface in the upper half of the cluster Topology tab of the cluster Edit window, and then go to the interface Topology tab, or use the ModifyROBONetaccess VPN1Cluster action.

To define the topology of an interface, substitute <action> in the LSMcli syntax with this command:

ModifyROBONetaccess VPN1Cluster <ClusterName> <InterfaceName> -Mode=<by_profile|override>
[-TopologyType=<external|internal>]
[-DMZAccess=<true|false>]
[-InternalIP=<not_defined|this|specific> [-AllowedGroup=<GroupName>]]
[-AntiSpoof=<false|true> [-AllowedGroup=<GroupName>][-SpoofTrack=<none|log|alert>]]

Parameters

| Parameter | Description |
|---|---|
| ClusterName | Name of SmartLSM cluster. |
| InterfaceName | Name of cluster (virtual) interface. If the interface’s network objective (as defined in the Profile topology) is Sync only (not cluster+sync), there is no cluster interface, only member interface. In this case use the network objective (for example, 1st Sync) for this parameter. |
| -Mode | by_profile to set as defined in the cluster Profile, or override to define the settings here, in which case specify -TopologyType. |
| -TopologyType | external (leads out to the internet) or internal (leads to the local network). |
| -DMZAccess | true, if internal interface leads to DMZ. Otherwise, false. |
| -InternalIP | Defines hosts behind an internal interface: not_defined; this (network defined by IP and net mask of this interface); or specific (defined by AllowedGroup). |
| -AntiSpoof | true, to perform Anti-Spoofing based on interface topology, in which case optionally define an AllowedGroup, and set SpoofTrack. false, to not perform Anti-Spoofing. If the interface is internal and the addresses behind the interface are not defined, Anti-Spoofing is not possible. |
| -AllowedGroup | If TopologyType=external, AllowedGroup defines a group from which packets are not checked, if Anti-Spoofing is performed. If TopologyType=internal, AllowedGroup specifically (explicitly) defines the hosts behind the internal interface. |
| -SpoofTrack | Desired tracking action when detecting spoofing: none, log or alert. |
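The following is an added example, not code from the vendor documentation: a shell function that checks a ModifyROBONetaccess VPN1Cluster option list against the parameter table above and prints the action string without running LSMcli. The function name, the cluster name HQ_Cluster and the interface eth1 are constructed for illustration, and requiring -AllowedGroup with -InternalIP=specific is this example's reading of the table.

```shell
#!/bin/sh
# Added example (not vendor code). Builds, but does not run, the <action>
# part of an LSMcli call; option names and values are those in the table above.
netaccess_action() {
    [ $# -ge 2 ] || { echo "need <ClusterName> <InterfaceName>" >&2; return 2; }
    cluster=$1 iface=$2; shift 2
    mode= topo= iip= spoof= group= track=
    for arg in "$@"; do
        case $arg in
            -Mode=by_profile|-Mode=override) mode=${arg#*=} ;;
            -TopologyType=external|-TopologyType=internal) topo=${arg#*=} ;;
            -DMZAccess=true|-DMZAccess=false) ;;
            -InternalIP=not_defined|-InternalIP=this|-InternalIP=specific) iip=${arg#*=} ;;
            -AntiSpoof=true|-AntiSpoof=false) spoof=${arg#*=} ;;
            -AllowedGroup=?*) group=${arg#*=} ;;
            -SpoofTrack=none|-SpoofTrack=log|-SpoofTrack=alert) track=${arg#*=} ;;
            *) echo "invalid option or value: $arg" >&2; return 2 ;;
        esac
    done
    [ -n "$mode" ] || { echo "-Mode is required" >&2; return 2; }
    if [ "$mode" = override ] && [ -z "$topo" ]; then
        echo "-Mode=override requires -TopologyType" >&2; return 2
    fi
    # Assumption of this example: 'specific' is only meaningful with a group.
    if [ "$iip" = specific ] && [ -z "$group" ]; then
        echo "-InternalIP=specific requires -AllowedGroup" >&2; return 2
    fi
    # In the syntax, -SpoofTrack is nested under -AntiSpoof.
    if [ -n "$track" ] && [ -z "$spoof" ]; then
        echo "-SpoofTrack requires -AntiSpoof" >&2; return 2
    fi
    # Table: internal interface with undefined addresses cannot do Anti-Spoofing.
    # Only an explicit -InternalIP=not_defined is caught here.
    if [ "$spoof" = true ] && [ "$topo" = internal ] && [ "$iip" = not_defined ]; then
        echo "Anti-Spoofing is not possible: internal interface, addresses not defined" >&2
        return 2
    fi
    printf 'ModifyROBONetaccess VPN1Cluster %s %s' "$cluster" "$iface"
    printf ' %s' "$@"
    echo
}

# Constructed sample call: prints the action for review.
netaccess_action HQ_Cluster eth1 -Mode=override -TopologyType=internal \
    -InternalIP=this -AntiSpoof=true -SpoofTrack=log
```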

ClusterSubnetOverride Actions (Add, Modify and Delete)

Cluster members’ interface names and network addresses, and cluster interface IP addresses and net masks, have default values from their Profiles. These values can (and in the case of addresses, usually must) be overridden for the individual SmartLSM cluster.

In SmartLSM, you can edit the interface properties, in the New SmartLSM Cluster wizard, or in the Topology tab of the general Edit window for the cluster (double-click the cluster object).

In LSMcli, substitute <action> in the LSMcli syntax with these commands:

<Add|Modify|Delete>ClusterSubnetOverride VPN1Cluster <ROBOClusterName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]
[-CIP=<ClusterIPAddress> -CNetMask=<ClusterNetMask>]

If there is a set override value, and you want to change it, use only ModifyClusterSubnetOverride. If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only AddClusterSubnetOverride. To cancel a value and return to the Profile value, use DeleteClusterSubnetOverride.

The action must define at least one parameter: -IName, -MNet, or both -CIP and -CNetMask.

Note - To define overrides for a private (monitored or non-monitored) interface, use the PrivateSubnetOverride action.

Parameters

| Parameter | Description |
|---|---|
| Add\|Modify\|Delete | Defines the action - see above. No space after this parameter. |
| ROBOClusterName | The SmartLSM cluster to override values for. |
| InterfaceName | Name of cluster (virtual) interface, as defined in the Profile topology. Use the cluster interface name even if you set values for members’ interfaces. If the interface’s network objective (as defined in the Profile topology) is Sync only (not cluster+sync), there is no cluster interface, only member interface. In this case use the network objective (for example, 1st Sync) for this parameter. |
| -IName | New interface name for cluster members. The name must match the name defined in the operating system. |
| -MNet | New network address for cluster members. This address, together with the host parts defined in the Profile, produces complete IP addresses. |
| -CIP | New IP address for the cluster (virtual) interface. |
| -CNetMask | Net mask for ClusterIPAddress. |

PrivateSubnetOverride Actions (Add, Modify and Delete)

This action is similar to the ClusterSubnetOverride action, for a private (monitored or non-monitored) interface. For a private interface, you can only override cluster members’ interface names and network addresses, not cluster interface IP addresses or net masks.

In LSMcli, substitute <action> in the LSMcli syntax with this command:

<Add|Modify|Delete>PrivateSubnetOverride VPN1ClusterMember <ROBOMemberName> <InterfaceName> [-IName=<MembersInterfaceName>] [-MNet=<MembersNetAddress>]

If there is a set override value, and you want to change it, use only ModifyPrivateSubnetOverride. If the override value you want to set is not defined (except at the Profile level), because it was never defined or because it was deleted, use only AddPrivateSubnetOverride. To cancel a value and return to the Profile value, use DeletePrivateSubnetOverride.

The action must define at least one parameter: -IName or -MNet.

Parameters

| Parameter | Description |
|---|---|
| Add\|Modify\|Delete | Defines the action - see above. No space after this parameter. |
| ROBOMemberName | The SmartLSM cluster member to override values for. |
| InterfaceName | Current name of member interface, as defined in the Profile topology. |
| -IName | New interface name. The name must match the name defined in the operating system. |
| -MNet | New network address for this interface. This address, together with the host parts defined in the Profile, produces complete IP addresses. |
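The parameter rules for the ClusterSubnetOverride and PrivateSubnetOverride actions can be checked before a command is sent. The following is an added example, not code from the vendor documentation: a shell function that applies those rules and prints the action string without running LSMcli. The function name, the Cluster/Private selector, the object names and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Usage:
#   subnet_override_action <Add|Modify|Delete> <Cluster|Private> <Name> <InterfaceName> <options>
# Prints the <action> part of an LSMcli call; it does not contact the server.
subnet_override_action() {
    [ $# -ge 4 ] || { echo "need <verb> <kind> <Name> <InterfaceName>" >&2; return 2; }
    verb=$1 kind=$2 name=$3 iface=$4; shift 4
    case $verb in
        Add|Modify|Delete) ;;
        *) echo "verb must be Add, Modify or Delete" >&2; return 2 ;;
    esac
    case $kind in
        Cluster) target=VPN1Cluster ;;
        Private) target=VPN1ClusterMember ;;
        *) echo "kind must be Cluster or Private" >&2; return 2 ;;
    esac
    iname= mnet= cip= cmask=
    for arg in "$@"; do
        case $arg in
            -IName=?*) iname=1 ;;
            -MNet=?*) mnet=1 ;;
            -CIP=?*) cip=1 ;;
            -CNetMask=?*) cmask=1 ;;
            *) echo "invalid option: $arg" >&2; return 2 ;;
        esac
    done
    # Private interfaces: cluster IP address and net mask cannot be overridden.
    if [ "$kind" = Private ] && [ -n "$cip$cmask" ]; then
        echo "PrivateSubnetOverride accepts only -IName and -MNet" >&2; return 2
    fi
    # -CIP and -CNetMask count as one parameter only when both are present.
    if [ "$cip" != "$cmask" ]; then
        echo "-CIP and -CNetMask must be given together" >&2; return 2
    fi
    if [ -z "$iname$mnet$cip" ]; then
        echo "define at least one of -IName, -MNet, or -CIP with -CNetMask" >&2; return 2
    fi
    # "No space after this parameter": the verb is joined to the action name.
    printf '%s%sSubnetOverride %s %s %s' "$verb" "$kind" "$target" "$name" "$iface"
    printf ' %s' "$@"
    echo
}

# Constructed sample calls (documentation address ranges).
subnet_override_action Add Cluster BranchCluster eth0 -CIP=192.0.2.1 -CNetMask=255.255.255.0
subnet_override_action Modify Private BranchMember1 eth2 -MNet=198.51.100.0
```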

RemoveCluster

This action revokes all the certificates used by the SmartLSM cluster and its members, releases all the licenses and, finally, deletes the SmartLSM cluster and member objects.

In LSMcli, substitute <action> in the LSMcli syntax with this command:

RemoveCluster <ROBOClusterName>

ResetSic

This general LSM command applies to SmartLSM Clusters, with the same syntax as for SmartLSM gateways.

Use the cluster member name for <ROBOName>.

ResetIke

This general LSM command applies to SmartLSM Clusters, with the same syntax as for SmartLSM gateways.

For <ROBOName>, use a cluster name, to reset IKE for the cluster, or a cluster member name to reset IKE for that member.

ExportIke

This general LSM command applies to SmartLSM Clusters, with the same syntax as for SmartLSM gateways.

For <ROBOName>, use a cluster name to export IKE for the cluster, or a cluster member name to export IKE for that member.

Convert Actions

There is no convert action for or to SmartLSM clusters.

SmartUpdate Actions

The SmartUpdate actions listed in this guide apply to SmartLSM cluster members, with the same syntax as for the SmartLSM gateways that run on Gaia OS.

Push Policy

This general LSM command applies to SmartLSM Clusters, with the same syntax as for SmartLSM gateways that run on Gaia OS.

In the command syntax, use the cluster name (not a cluster member name).

The policy is pushed to all cluster members.

Other Push Actions

PushDOs and GetStatus are general LSM commands that apply to SmartLSM cluster members, with the same syntax as for SmartLSM gateways that run on Gaia OS.