
User Guide

Version 10

Document version 10.0 -1.0-29/03/2010

Cyberoam User Guide

Important Notice
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USERS LICENSE
The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center's option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions.

Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages.

In no event shall Elitecore's or its supplier's liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 1999-2010 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd.

Corporate Headquarters
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road, Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com


Contents

Preface

About this Guide
    Guide Organization
    Typographic Conventions
    Technical Support

Introduction
    Cyberoam Management Interface
    Connecting to Web Admin Console
    Navigating through Web Admin console
    Common Icons and buttons in the Web Admin Console
    Status Bar
    Tooltips
    Navigating through Tables
    Web Console Authorization and Access control
    Common Web Admin Console tasks
    Log out procedure

Getting Started

Basics

System
    Dashboard
    Administration
    Settings
    Appliance Access
    Profile
    Password
    Configuration
    Language
    Time
    Notification
    Messages
    Web Proxy
    Parent Proxy
    Captive Portal
    Theme
    Maintenance
    Backup & Restore
    Firmware
    Licensing
    Services
    Updates
    SNMP
    Cyberoam MIB
    Agent Configuration
    Community
    V3 User
    System Graph
    Packet Capture

Objects
    Hosts
    IP Host
    IP Host Group
    MAC Host
    Services
    Service Group
    Schedule
    File Type
    Certificate
    Certificate Authority
    Certificate Revocation List

Network
    Interface
    Zone
    Wireless WAN
    Status
    Settings
    Gateway
    Static Route
    Unicast
    Multicast
    Source Route
    DNS
    DHCP
    Server
    Lease
    Relay
    ARP
    Dynamic DNS

Identity
    Authentication
    Settings
    Authentication Server
    Groups
    Users
    Clientless User
    Policy
    Access Time Policy
    Surfing Quota Policy
    Data Transfer Policy
    Live Users

Firewall
    Rule
    Virtual Host
    NAT Policy
    Spoof Prevention
    General Settings
    Trusted MAC
    DoS
    DoS Settings
    Bypass Rules

Web Filter
    Settings
    Category
    Policy

Application Filter
    Category
    Policy

IM
    IM Contact
    IM Contact Group
    IM Rules
    Login
    Conversation
    File Transfer
    Webcam
    Content Filter

QoS
    Policy
    Policy

Logs & Reports
    Configuration
    Syslog Servers
    Log Settings
    Log Viewer


Preface
Welcome to Cyberoam's User Guide.

Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN), and 3G wireless broadband and analog modem support that can be used as either an Active or Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti-Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, and Comprehensive Reporting over a single platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an IPv6 Ready Gold logo provide Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ, which are visible to the external world and still have firewall protection.

Default Web Admin Console username is cyberoam and password is cyber. Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access.


About this Guide


This Guide provides information regarding the administration, maintenance, and customization of Cyberoam and helps you manage and customize Cyberoam to meet your organization's various requirements, including creating groups and users and assigning policies to control web as well as application access.

Guide Organization
The Cyberoam User Guide is structured into thirteen parts that follow the Cyberoam Web Admin Console structure. Within these parts, individual topics correspond to the security appliance management interface layout. This Guide is organized into thirteen parts:
Part I Introduction

This part covers various features of Web 2.0 based graphical interface.
Part II Getting started

This part covers how to start using Cyberoam after deployment.
Part III Basics

This part covers basic building blocks in Cyberoam.


Part IV System

This part covers various security appliance controls for managing system status information, registering and managing the Cyberoam security appliance and its subscription licenses through the registration portal, managing firmware versions, defining profiles for role based access, scheduling backups and restoring, and using the included diagnostics tools for troubleshooting.
Part V Objects

This part covers various Objects, which are the logical building blocks for configuring various policies and rules. They include:
host - IP, network and MAC addresses. They are used in defining firewall rules, virtual host, NAT policy, IPSec, L2TP and VPN policies
services - which represent a specific protocol and port combination, for example, DNS service for TCP protocol on 53 port. Access to services is allowed or denied through firewall rules.
schedule - to control when the firewall rule, Access time policy, Web filter policy, Application filter policy, or QoS policy will be in effect, for example, All Days, Work Hours
file types - defining web filter policy, SMTP scanning rules
certificates - VPN policies

Part VI Network

This part covers configuring the Cyberoam appliance for your network. It includes configuring Cyberoam interfaces and DNS settings, adding VLAN subinterfaces and custom zones, and configuring DHCP. It also covers configuration of the 3G wireless WAN interface on the Cyberoam appliances that support the feature.
Part VII Identity

This part covers how to configure user level authentication and manage users and user groups.
Part VIII Firewall

This part covers tools for managing how the Cyberoam appliance handles traffic through the firewall.
Part IX Web Filter

This part covers how to configure and manage Web filtering in Cyberoam through categories and policies.
Part X Application Filter

This part covers how to configure and manage application filtering in Cyberoam through categories and policies.
Part XI IM

This part covers how to configure and manage restrictions on instant messaging services provided by the Yahoo and MSN messengers.
Part XII QoS

This part covers how to configure and manage bandwidth through QoS policy that allocates and limits the maximum bandwidth usage of the user and controls web and network traffic.
Part XIII Logs & Reports

This part covers managing logging and reporting feature. Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network abuse.


Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
Server | | Machine where Cyberoam Software - Server component is installed
Client | | Machine where Cyberoam Software - Client component is installed
User | | The end user
Username | | Username uniquely identifies the user of the system
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | System Administration Appliance Access: it means, to open the required page click on System then on Administration and finally click Appliance Access
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or Click Name to select, where Name denotes command button text which is to be clicked
Cross references | Hyperlink in different color | Refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Introduction
This section describes various features of Web 2.0 based graphical interface.

Cyberoam Management Interface


Cyberoam version 10 introduced a new Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to configure and manage your Cyberoam appliance. User sessions and active VPN connections can be disconnected with a single click on the disconnect icon in the Manage column.

You can connect to Web Admin Console using HTTP or a secure HTTPS connection from any management computer using web browser Microsoft Internet Explorer 7+ or Mozilla Firefox 1.5+. The recommended minimum screen resolution for the management computer is 1024 X 768 and 32-bit true-color.

You can configure the Cyberoam appliance for HTTP and HTTPS web-based administration from any Cyberoam interface, but by default, only HTTPS connection is enabled from the WAN interface while HTTP and HTTPS both are enabled from the LAN interface.

To connect to the Web Admin Console you require an administrator account and password. The Web Admin Console supports multiple languages, but by default appears in English.

Connecting to Web Admin Console


The Log on procedure verifies the validity of the user and creates a session until the user logs off. To get the login window, open the browser and type the LAN IP Address of Cyberoam in the browser's URL box. A dialog box appears prompting you to enter username and password. Use the default user name cyberoam and password cyber if you are logging in for the first time after deployment. Asterisks are the placeholders in the password field.

Screen - Login screen

Screen Elements | Description
Login |
User name | Specify user login name. If you are logging on for the first time after installation, please use default username cyberoam
Password | Specify user account Password. If you are logging on for the first time after installation, please use default password cyber
Log on to | To administer Cyberoam, select Web Admin Console
Login button | Logs on to Web Admin Console. Click Login

Table - Login screen elements

Navigating through Web Admin console


Navigation menu
The Navigation bar on the leftmost side provides access to various configuration pages. The menu consists of sub-menus and tabs. On clicking a menu item in the navigation bar, related management functions are displayed as submenu items in the navigation bar itself. On clicking a submenu item, all the associated tabs are displayed as the horizontal menu bar on the top of the page. To view the page associated with a tab, click the required tab.

The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on the submenu you want to navigate to.

Cyberoam functions are grouped in such a way that the navigation bar does not continue below the bottom of your browser.

12/280

Cyberoam User Guide

Common Icons and buttons in the Web Admin Console


Icon bar
The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like:
Dashboard - Click to view the Dashboard
Wizard - Network Configuration wizard will guide you step-by-step through configuration of the network parameters like IP address, subnet mask and default gateway for Cyberoam at the time of deployment.
Reports - Opens a Reports page for viewing various usage reports. Cyberoam is integrated with Cyberoam-iView - a Logging and Reporting solution, to offer wide spectrum of 1000+ unique user identity-based reporting across applications and protocols and provide in-depth network visibility to help organizations take corrective and preventive measures.
Console - It provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console.
Support - Click icon to open the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.
Cyberoam - Click icon to open the Cyberoam Appliance and Registration information page.

Online help
Each appliance includes Web-based online help which can be viewed from any page of the Web Admin console. It is installed automatically with the software. Click icon to open the context-sensitive help for the page.

Logout
Click Logout icon to log out from the Web Admin Console.

The following describes the functions of common icons used in the Web Admin Console:
Edit - Clicking on edit icon displays a window for editing the configuration
Delete - Clicking on delete icon deletes an entry/record
Expand/Collapse icons - Clicking on the parent record displays its child records

Note
Use F1 key for page specific help
Use F10 key to return to Dashboard

Status Bar
The Status bar at the bottom of the window displays the status of actions executed in the Web Admin console.


Tooltips
Version 10 has introduced embedded informative tool tips for many elements in the UI. These Tooltips are small pop-up windows that display brief configuration summary describing the element when you hover your mouse over a UI element. Not all UI elements have Tooltips. If a Tooltip does not display after hovering your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated Tooltip. When applicable, Tooltips display the configuration summary - minimum, maximum, and default values of the element. This configuration information is generated directly from your appliance itself.


Navigating through Tables


With the new user interface, configuration details and log entries are presented in a tabular format. Table Navigation Bar on the upper right top corner of the table provides navigation buttons for moving through table pages with large number of entries. Table Navigation bar also includes an option to specify the number of entries/records displayed per page.

Many tables like Log Viewer, Live Users, Group etc. can now be re-sorted by clicking on the headings for the various columns. On table columns that are sortable, a tooltip pops up when you mouse over the heading, stating "Click to sort ascending" or "Click to sort descending".

Live Users and active VPN connections can be disconnected with a single click on the icon.

Web Console Authorization and Access control


By default, Cyberoam has two types of user:

Administrator
Log in as Administrator User to maintain, control and administer Cyberoam. This user can create, update and delete system configuration and user information as well as can create multiple administrator level users. Cyberoam appliances are shipped with two Administrator Users as:

Username: admin
Password: admin
Console Access: Web Admin console, CLI console
Privileges: Full privileges for both the consoles i.e. read-write permission for entire configuration performed through either of the consoles.

Username: cyberoam
Password: cyber
Console Access: Web Admin console only
Privileges: Full privileges i.e. read-write permission for entire configuration performed through Web Admin console

It is recommended that you change the password of both the users immediately on deployment.

User
User is the user who accesses the resources through Cyberoam.

Common Web Admin Console tasks


Below given are the common tasks performed through Web Admin Console:
- System Administration and Configuration
- Firmware maintenance
- Backup and restore
- Firewall rules management
- Configure user authentication
- User and user groups management
- Objects management - hosts, services, schedules
- Network management - Interface speed, MTU and MSS settings, Gateway, DDNS
- Web and application filtering categories and policies configuration
- Policy management - surfing quota, QoS, access time, data transfer
- Antivirus and anti spam filtering policies configuration
- VPN and SSL VPN access configuration
- IPS policies and signature
- IM controls

Log out procedure


To prevent unauthorized users from accessing Cyberoam, log off after you have finished working. This will end the session and exit from Cyberoam.

Getting Started

Once you have deployed Cyberoam in your network and registered the copy of your Cyberoam, you can start using Cyberoam.

1. Start monitoring
Once you have deployed Cyberoam successfully in your network you can monitor user activity in your Network. Depending on the Web and Application Filter Policy configured at the time of deployment, certain categories will be blocked or allowed for LAN to WAN traffic with or without authentication.

2. View Cyberoam Reports
Monitor your Network activities using Cyberoam Reports. To view Reports, log on to Cyberoam-iView by clicking Reports on the topmost button bar from Web Admin Console and log on with default username admin and password admin.
- View user surfing trends from Web Usage > Top Web User report
- View your organization's Category wise surfing trends from Web Usage > Top Categories report
- View mail usage from Mail Usage > Top Mail Senders and Mail Receivers report

3. Configure for Username based monitoring
As Cyberoam monitors and logs user activity based on IP address, all the reports generated are also IP address based. To monitor and log user activities based on User names, you have to configure Cyberoam for integrating user information and authentication process. Integration will identify access request based on User names and generate reports based on Usernames.
- If your Network uses Active Directory Services and users are already created in ADS, configure Cyberoam to communicate with your ADS.
- If your Network uses RADIUS, configure Cyberoam to communicate with RADIUS.
- If your Network uses LDAP, configure Cyberoam to communicate with LDAP.

4. Customize
You can create additional policies to meet your organization's requirement. Cyberoam allows you to:
   1. Control user based per zone traffic by creating firewall rule. Refer to Firewall for more details.
   2. Control individual user surfing time by defining Surfing quota policy. Refer to Surfing Quota policy for more details.
   3. Schedule Internet access for individual users by defining Access time policy. Refer to Access time policy for more details.
   4. Control web access by defining Web and Application Filter Policies. Refer to Web and Application Filter Policy for more details.
   5. Allocate and restrict the bandwidth usage by defining QoS policy. Refer to QoS policy for more details.
   6. Limit total as well as individual upload and/or download data transfer by defining data transfer policy. Refer to Data transfer policy for more details.
   7. Connecting to Cyberoam CLI
   8. From Web Admin Console
      a) Using Console Interface via remote login utility TELNET
      b) Direct Console connection - attaching a keyboard and monitor directly to Cyberoam server

Basics

The basic building blocks in Cyberoam are Zones, Interfaces and (Network/Address) objects. This chapter describes the logical objects upon which Cyberoam is built. These objects are Zones, Interfaces and (Network/Address) Objects, Services and Schedules. This structure is used in defining firewall rules to allow or deny the access.

Zone is the logical grouping of Interface, which includes:
- predefined zones - LAN, WAN, DMZ, LOCAL, VPN
- custom zone

Interface includes:
- actual physical Ethernet interfaces or ports i.e. Port A through Port J depending on the appliance model
- subinterfaces - VLAN
- PPPoE interfaces
- interface aliases
- WWAN interface if Wireless WAN functionality is enabled

Objects are the logical building blocks of the firewall rule, which includes:
- host - IP and MAC addresses
- services which represent specific protocol and port combination e.g. DNS service for TCP protocol on 53 port
- schedule to control when the rule will be in effect e.g. All Days, Work Hours
- certificates
- file types

System

System allows configuration and administration of Cyberoam appliance for secure and remote management as well as administrative privilege that you can assign to admin users. It also provides the basic system settings and language settings of the Web Admin console. Configure several non-network features, such as SNMP, custom messages, portal setting and themes through System.

Dashboard
Cyberoam displays Dashboard as soon as you log on to the Web Admin Console. Dashboard provides a quick overview of all the important parameters of the Cyberoam appliance that require special attention, such as password, access to critical security services, system resources usage, IPS alerts, and notifications of subscription expirations. Dashboard page is completely customizable. Minimize or reposition each section (System Information, License Information, Gateway status information, Usage summary etc.) by dragging and dropping. Each section has an icon associated with it for easy recognition when minimized. Optionally click Reset to restore the default dashboard setting.

Screen - Dashboard

The customizable Dashboard allows you to place the sections that are pertinent to the user and require special attention for managing Cyberoam at the top, and to move the information used less often to the bottom. There are three icons located at the top right corner on the Dashboard. They are as follows:
Reboot Appliance - is used to reboot the appliance.
Shutdown Appliance - is used to shutdown the appliance.
Reset Dashboard - is used to reset the Dashboard to factory default settings.

Available sections on Dashboard are as follows:
- Appliance information
- License information
- DoS attack status
- Recent IPS Alerts
- Recent Spyware Alerts
- Recent Mail Viruses detected
- Recent HTTP Viruses detected
- Recent FTP Viruses detected
- System Status
- Gateway status

Apart from preventing spyware from entering and infecting your network, Cyberoam can also detect any unwanted applications and Spyware infected hosts that are already there in the network, i.e. network infected before Cyberoam was deployed, and provides an alert on the Dashboard.

Note
Use F10 key to return to Dashboard from any of the pages.


Administration
Administration page allows configuration of general settings in Cyberoam. Various ports and login security can be configured using this submenu. Administrator can also restrict access to various local services. You can administer port numbers, remote login security, local login security and local ACL services from Administration submenu.

Settings
Use Settings page to make modifications in the general port settings for accessing Web Admin console. Make changes to the login parameters for restricting the local and remote users based on the time. To manage the administration settings, go to System > Administration > Settings.

Screen - Manage Administration Settings

Web Admin Console HTTP Port - Configure Port number (Web Admin Console unsecured). Default port: 80
Web Admin Console HTTPS Port - Configure Port number (Web Admin Console secured). Default port: 443
SSL VPN Port - Configure Port number. Default port: 8443

Note
SSL VPN Port configuration is not available for Cyberoam CR15i models.

Appliance Access
Appliance Access allows you to limit the Administrative access of the following Cyberoam services from various zones - LAN, WAN, DMZ, VPN:
- Admin Services - HTTP, HTTPS, Telnet, SSH
- Authentication Services - Windows/Linux Client, Captive Portal
- Network Services - DNS, Ping
- Other Services - Web Proxy, SSL VPN

Screen - Appliance Access Settings

Default Access Control Configuration


To manage the access to devices, go to System > Administration > Appliance Access. When Cyberoam is connected and powered up for the first time, it will have a default Access configuration.

Admin Services - HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22) services will be enabled for administrative functions in LAN zone. HTTPS (TCP port 443) services will be enabled for administrative functions in WAN zone. HTTP (TCP port 80) service will be enabled for administrative functions in DMZ zone.

Authentication Services - Windows/Linux Client (UDP port 6060) and Web Client Authentication (TCP port 8090) will be enabled for User Authentication Services in LAN zone. User Authentication Services are not required for any of the Administrative functions but required to apply user based internet surfing, bandwidth, and data transfer restrictions.

Network Services - Ping and DNS services will be enabled for LAN zone.

Other Services - Web Proxy service will be enabled for LAN zone. SSL VPN (TCP port 8443) service will be enabled for LAN, WAN and DMZ zone.

Custom Access Control Configuration


Use access control to limit the access to Cyberoam for administrative purposes from the specific authenticated/trusted networks only.

Admin Services - Enable/disable access to Cyberoam using following service from the specified zone: HTTP, HTTPS, Telnet and SSH
Authentication Services - Enable/disable following service from the specified zone: Windows/Linux Client, Captive Portal
Network Services - Enable/disable following service from the specified zone: DNS, Ping
Other Services - Enable/disable following service from specified zone: SSL VPN, Web Proxy

Note
SSL VPN service is not available for Cyberoam CR15i models.
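
The default and custom access control settings described above can be reviewed with a short audit script. This is an added example, not part of the Cyberoam guide or product: it takes a zone/service matrix, flags cleartext admin services (HTTP, Telnet) and any admin service enabled outside the zone administration is expected from, and compares the stated defaults with a tightened matrix. The text format of the matrix, the choice of LAN as the only admin zone, the severity labels and all function names are assumptions made for this illustration.

```python
"""Audit an appliance-access matrix: which local services each zone may reach."""
from typing import NamedTuple

# Service groups as named on the Appliance Access page.
ADMIN_SERVICES = {"HTTP", "HTTPS", "Telnet", "SSH"}
CLEARTEXT_ADMIN = {"HTTP", "Telnet"}  # these send credentials unencrypted
KNOWN_SERVICES = ADMIN_SERVICES | {
    "Windows/Linux Client", "Captive Portal", "DNS", "Ping", "Web Proxy", "SSL VPN",
}
KNOWN_ZONES = {"LAN", "WAN", "DMZ", "VPN"}
# Assumption: administration is only expected from LAN; adjust to local policy.
TRUSTED_ADMIN_ZONES = {"LAN"}

# Constructed text format "<zone>: <service>, <service>, ..." (not an appliance
# export). Contents follow the default configuration stated in the guide;
# "Captive Portal" is assumed to be the service the defaults paragraph calls
# Web Client Authentication.
DEFAULT_MATRIX = """\
LAN: HTTP, HTTPS, Telnet, SSH, Windows/Linux Client, Captive Portal, Ping, DNS, Web Proxy, SSL VPN
WAN: HTTPS, SSL VPN
DMZ: HTTP, SSL VPN
"""

# Constructed example of a tightened matrix: encrypted admin protocols, LAN only.
HARDENED_MATRIX = """\
LAN: HTTPS, SSH, Windows/Linux Client, Captive Portal, Ping, DNS, Web Proxy, SSL VPN
WAN: SSL VPN
DMZ: SSL VPN
"""


class Finding(NamedTuple):
    severity: str
    zone: str
    service: str
    reason: str


def parse_matrix(text):
    """Parse the constructed matrix format into {zone: set(services)}."""
    matrix = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        zone, sep, rest = line.partition(":")
        zone = zone.strip().upper()
        if not sep or zone not in KNOWN_ZONES:
            raise ValueError(f"line {lineno}: expected '<zone>: <services>'")
        if zone in matrix:
            raise ValueError(f"line {lineno}: zone {zone} listed twice")
        services = {s.strip() for s in rest.split(",") if s.strip()}
        unknown = services - KNOWN_SERVICES
        if unknown:
            raise ValueError(f"line {lineno}: unknown service(s) {sorted(unknown)}")
        matrix[zone] = services
    return matrix


def audit(matrix):
    """Return findings for admin services that are cleartext or over-exposed."""
    findings = []
    for zone in sorted(matrix):
        trusted = zone in TRUSTED_ADMIN_ZONES
        for service in sorted(matrix[zone] & ADMIN_SERVICES):
            if service in CLEARTEXT_ADMIN:
                findings.append(Finding(
                    "medium" if trusted else "high", zone, service,
                    "admin credentials cross this zone unencrypted"))
            elif not trusted:
                findings.append(Finding(
                    "high" if zone == "WAN" else "medium", zone, service,
                    "admin console reachable from outside the admin zone"))
    return findings


def report(name, text):
    """Format the audit result for one matrix as readable text."""
    findings = audit(parse_matrix(text))
    lines = [f"{name}: {len(findings)} finding(s)"]
    lines += [f"  [{f.severity}] {f.zone}/{f.service}: {f.reason}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("default", DEFAULT_MATRIX))
    print(report("hardened", HARDENED_MATRIX))
```
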

Profile
Use Profile page to create profiles for various administrator users. To offer greater granular access control and flexibility, Cyberoam provides role-based administration capabilities. It allows an organization to separate super administrator's capabilities and assign them through Profiles. Profiles are a function of an organization's security needs and can be set up for special-purpose administrators in areas such as firewall administration, network administration, and logs administration. Profiles allow assigning permissions to individual administrators depending on their role or job need in organization. The profile separates Cyberoam features into access control categories for which you can enable none, read only, or read-write access.

For ease of use by default, Cyberoam provides four profiles:
- Administrator - super administrator with full privileges
- Security Admin - read-write privileges for all features except Profiles and Log & Reports
- Audit Admin - read-write privileges for Logs & Reports only
- Crypto Admin - read-write privileges for Certificate configuration only

To manage default and custom profiles, go to System > Administration > Profile. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the profile to be modified. Edit Profile is displayed which has the same parameters as the Add Profile page.
- Delete - Click the Delete icon in the Manage column against a profile to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the profile. To delete multiple profiles, select them and click the Delete button.

Note
You cannot delete default profiles.
You cannot delete profile assigned to any Administrator user.

Manage Profiles
To manage default and custom profiles, go to System > Administration > Profile.

Screen - Manage Profile

Screen Elements - Description
Add Button - Add a new profile
Profile Name - Name of the profile
Edit Icon - Edit the profile
Delete Button - Delete the profile. Alternately, click the delete icon against the profile you want to delete.
Table - Manage Profile screen elements

Profile Parameters
To add or edit profiles, go to System > Administration > Profile. Click Add Button to add a new profile. To update the details, click on the Profile or Edit icon in the Manage column against the profile you want to modify.

Screen - Add Profile

Screen Elements - Description
Profile Name - Name to identify the profile
Configuration - Click on the access level you want to provide to a profile. Administrator can assign three levels of access rights for every configured profile.
  Available Options:
  None - No access to any page
  Read-Only - View the pages
  Read-Write - Add or Modify the details
  Access levels can be set for individual menus as well. You can either set a common access level for all the menus or individually select the access level for each of the menu. Click on icon against a menu to view the items under that menu.
  For example, if you set access level as Read-Only against the Web Filter, the user would only be able to view all the pages of Web Filter menu but would not be able to make any modifications. To allow modifications, you should select Read-Write option.
Table - Add Profile screen elements

Password
Cyberoam is shipped with one global Super Administrator with the credentials username & password as admin. Both the consoles, Web Admin console and CLI, can be accessed with the same credentials. This administrator is always authenticated locally i.e. by Cyberoam itself. We recommend that you change the password for this username immediately after deployment. To change password, go to System > Administration > Password.

Screen - Change Password

Screen Elements - Description
Name - Name of the administrator - admin
Current Password - Specify the current admin password
New Password - Specify New admin password
Confirm New Password - Confirm New admin password
Reset to Default - Click to reset the password to factory default password, i.e. admin.
Table - Change Password screen elements

Configuration
Configuration page allows basic configuration of Cyberoam including GUI localization, mail server notification, customized messages, web and parent proxy settings, Cyberoam themes and outlook for the Captive portal.

Language
To cater to its non-English customers, Cyberoam supports Chinese and Hindi languages. Administrator can configure the preferred GUI language. To manage the language settings, go to System > Configuration > Language.

Screen - Language

Listed elements of Web Admin Console will be displayed in the configured language:
- Dashboard Doclet contents
- Navigation menu
- Screen elements including field & button labels and tips
- Error messages

Administrator can also specify description for firewall rule, various policies, services and various custom categories in any of the supported languages.

Time
Current date and time can be set according to Cyberoam's internal clock, or Cyberoam can be configured to synchronize its internal clock with an NTP server. Cyberoam's clock can be tuned to show the right time using global Time servers so that logs show the precise time and Cyberoam activities can also happen at a precise time. To configure time settings in Cyberoam, go to System > Configuration > Time.

Screen - Time Settings

Screen Elements - Description
Current Time - Current system time
Time Zone - Select time zone according to the geographical region in which Cyberoam is deployed.
Set Date & Time - Enable to set date and time
Sync with NTP server - Enable if you want Cyberoam to get time from an NTP server. Use the pre-defined NTP servers or specify NTP server IP address to synchronize time with a specific NTP server.
Sync Status - Click Sync Now button to synchronize Cyberoam clock with the NTP Server.
Table - Time Settings screen elements

Notification
Configure mail server IP address, port and email address where Cyberoam has to send alert emails. To configure mail server settings, go to System > Configuration > Notification.

Parameters

Screen - Mail Server Notification

Screen Elements - Description
Mail Server Setting
Mail Server IP Address, Port - Specify Mail server IP address and port number
Authentication Required - If Enabled, specify authentication parameters i.e. username and password.
Email Setting
From Email Address - Specify the email addresses from which the notification is to be sent.
Send Notification to Email Address - Specify the email address to which the notification is to be sent.
Table - Mail Server Notification screen elements

Prerequisite
Mail server configuration will change automatically when changed from the Network Configuration Wizard and vice versa.

Messages
Messages page allows Administrator to send messages to the various users. Messages help Administrator to notify users about problems as well as Administrative alerts in areas such as access, user sessions, incorrect password, and successful log on and log off etc. A message of up to 256 characters can be sent to the User whenever the event occurs, and can be sent to a number of users simultaneously.

Predefined messages
To customize the default messages, go to System > Configuration > Messages. You can:
- Edit - Click Edit icon to edit the default message and create customized message to be displayed to the user.
- Save - Click Save icon to save the edited message or Cancel icon to ignore the changes.

Screen - Predefined Messages

Messages - Description/Reason
LoggedonsuccessfulMsg - Message is sent when User logs on successfully
LoggedoffsuccessfulMsg - Message is sent when User logs off successfully
SurfingtimeExpired - Administrator has temporarily deactivated the User and will not be able to log in because User surfing time policy has expired
NotAuthenticate - Message is sent if User name or password are incorrect
DeactiveUser - Administrator has deactivated the User and the User will not be able to log on
InvalidMachine - Message is sent if User tries to login from the IP address not assigned to him/her
NotCurrentlyAllowed - Message is sent if User is not permitted to access at this time. Access Time policy applied to the User account defines the allowed access time and not allowed access at any other time.
Loggedinfromsomewhereelse - Message is sent if User has already logged in from other machine
MaxLoginLimit - Message is sent if User has reached the maximum login limit
SurfingtimeExhausted - Message is sent when User is disconnected because his/her allotted surfing time is exhausted. The surfing time duration is the time in hours the User is allowed Internet access that is defined in Surfing time policy. If hours are exhausted, User is not allowed to access
Table - Predefined Messages screen elements

Web Proxy
Cyberoam can also act as a web proxy server. To use Cyberoam as a web proxy server, configure Cyberoam LAN IP address as a proxy server IP address in your browser setting and enable access to web proxy services from Appliance Access section.

Note
Web Proxy will enforce Web Filter policy, Application Filter policy and Anti Virus policy as configured in User and Firewall rule.
IPS policy is applicable on the traffic between proxy and WAN, but not between user and proxy.
QoS policy is not applicable on the direct proxy traffic.

To configure Web Proxy settings in Cyberoam, go to System > Configuration > Web Proxy.

Screen - Web Proxy Settings

Screen Elements - Description
Web Proxy Port - Specify Web Proxy Port number. Default port is 3128
Trusted Ports - Cyberoam allows the access to sites hosted on standard port only if deployed as Web Proxy. To allow access to the sites hosted on the non-standard ports, you have to define non-standard ports as trusted ports. Click Add icon to add the HTTP trusted ports and remove icon to delete the trusted ports.
Table - Web Proxy Settings screen elements

Parent Proxy
To configure Parent Proxy settings in Cyberoam, go to System > Configuration > Parent Proxy. Specify IP Address or FQDN, Port, Username and Password, if Parent Proxy is enabled.

Screen - Parent Proxy Settings

Screen Elements - Description
Parent Proxy - Enable if the web traffic is blocked by the upstream Gateway. When enabled all the HTTP requests will be sent to parent proxy server via Cyberoam.
Domain Name / IP Address - Specify Domain Name or IP address for the Parent Proxy.
Port - Specify Port number for Parent Proxy. Default port is 3128.
Username & Password - Specify Username & Password for authentication.
Table - Parent Proxy Settings screen elements

Captive Portal
Cyberoam provides flexibility to customize the Captive portal Login page. This page can include your organization name and logo. To customize the Captive portal page, go to System > Configuration > Captive portal. Cyberoam also supports customized page in languages other than English.

Screen - Captive Portal

Screen Elements - Description
Logo - To upload the custom logo, specify Image file name to be uploaded else click Default. Use Browse button to select the complete path. The image size should not exceed 256 X 256 pixels.
Page Title - Change the Page title if required. Default title: Cyberoam Web Client Portal
Login Page Message - Specify message to be displayed on the Captive Portal login page.
Login Page Footer - Specify message to be displayed in the footer of Captive Portal login page.
User Name Caption - Specify Label or Title for the "Username" textbox to be displayed on the Captive Portal login page. Default: User Name
Password Caption - Specify Label or Title for the "Password" textbox to be displayed on the Captive Portal login page. Default: Password
Button Caption - Specify Label or Caption for the "Login" button to be displayed on the Captive Portal login page. Default: Login
Color Scheme - Customize the color scheme of the Captive portal if required. Specify the color code or click the square box to pick the color.
Preview Button - Click to view the custom settings before saving the changes.
Reset to Default Button - Click to revert to default settings
Table - Captive Portal screen elements

Theme
Theme page provides a quick way to switch between predefined themes for Web Admin Console. Each theme comes with its own custom skin, which provides the color scheme and font style for entire GUI i.e. navigation frame, tabs and buttons. Available themes:
- Cyberoam Standard
- Cyberoam Classic

Screen - Manage Themes

The default theme is Cyberoam Standard.

Maintenance
Maintenance facilitates Licensing, handling services, firmware versions and Backup & Restore facility in Cyberoam. Various can be handled from this Maintenance page. Administrator can take manual backup and alternately, automatic backup can be scheduled at regular intervals. Backup stored on the system can be restored anytime from Backup & Restore page. Administrator can upload new firmware image, boot from firmware or reset the configuration to factory defaults. Firmware image can be downloaded from the relevant sites. A maximum of two firmware images can be stored.

Backup & Restore


Backup is the essential part of data protection. No matter how well you treat your system, no matter how much care you take, you cannot guarantee that your data will be safe if it exists in only one place. Backups are necessary in order to recover data from the loss due to the disk failure, accidental deletion or file corruption. There are many ways of taking backup and just as many types of media to use as well. Backup consists of all the policies and all other user related information. Cyberoam provides a facility of taking backup of only system data, through scheduled automatic backup and manual backups. Once the backup is taken, you need to upload the file for restoring the backup. Restoring data older than the current data will lead to the loss of current data.

To backup and restore data in Cyberoam, go to System > Maintenance > Backup & Restore. You can:
- Backup & Restore
- Schedule Backup

Backup & Restore

Screen - Backup and Restore

Screen Elements - Description
Backup Configuration -
  Backup Now - Click the Backup Now button to take the manual backup of System Data until date.
  Download Now - Click Download Now button to download backup for uploading. Download Now button downloads the latest backup that is available.
Restore Configuration - To restore the configuration, specify configuration to be uploaded. Use Browse button to select the complete path.
Table - Backup and Restore screen elements

Schedule Backup

Screen - Schedule Backup

Screen Elements - Description
Backup Frequency - Select System data backup frequency. In general, it is best to schedule backup on regular basis. How much information you add or change will help you determine the schedule.
  Available options:
  Daily - Daily Backup will be sent
  Weekly - Weekly Backup will be sent
  Monthly - Monthly Backup will be sent
  Never - Backup will not be taken at all
Backup Mode - Select how and to whom backup files should be sent.
  Available Options:
  FTP - If backup is to be stored on FTP server, configure FTP server IP address, username and password to be used.
  Local - backup will be taken and stored on the appliance itself.
Table - Schedule Backup screen elements

Firmware
The System > Maintenance > Firmware page displays the list of available firmware versions downloaded. Maximum of two firmware versions can be available simultaneously in Cyberoam and one of the two firmware versions is active i.e. the firmware is deployed.

Upload firmware - Administrator can upload the firmware. Click to specify the location of the firmware image or browse to locate the file. You can simply upload the image or upload and boot from the image. In case of Upload & Boot, the firmware image is uploaded and upgraded to the new version, all sessions are closed, the appliance restarts, and the login page is displayed. This process might take a few minutes as the process also migrates the entire configuration.
Boot from firmware - Option to boot from the downloaded image
Boot with factory default configuration - Appliance will be rebooted and will load default configuration. Entire configuration will be lost if you opt for this option.
Active - Active icon against a firmware suggests that the appliance is using the firmware.

Screen - Manage Firmware

Licensing
Cyberoam consist of two types of modules: Basic module Firewall, VPN, Bandwidth Management, Multi Link Manager and Reports Subscription modules - Gateway Anti Virus, Gateway Anti-spam, Intrusion Prevention System, Web and Application Filtering

Basic Module is pre-registered with the Appliance for the indefinite time period usage while Subscription Modules are to be subscribed before use. You can subscribe to any of the subscription modules: without key for free 15-days trial subscription with key

On deployment, Appliance will be unregistered and all the modules will be unsubscribed. You need to register appliance if you want to Avail 8 X 5 support Subscribe to any of the subscription modules subscribe for free trial of any of the subscription modules Register for 24 X 7 support

Select System Maintenance Licensing to view the appliance registration details and various modules subscription details. Status - Registered Appliance registered Status - Unregistered, Appliance not registered Status - Subscribed - Module subscribed against the module in the Status - Unsubscribed - Module not subscribed. Subscription icon navigation menu indicates that the module is not subscribed. Click the icon to navigate to the Licensing page and follow the screen steps to subscribe. Alternately, browse to http://customer.cyberoam.com to subscribe the module. Status - Trial - Trial subscription Status - Expired - Subscription expired To manage the licensing options, go to System Maintenance Licensing. You can: View Appliance Registration Details Manage Module Subscription Online View Module Subscription Details Synchronize Click Synchronize button, once the appliance or modules are registered online. The details of appliance and subscription modules are automatically synchronized with Customer My Account and the updated details are displayed on the Licensing Page.

Screen Licensing

Appliance Registration Details


Screen Elements - Description
Model - Cyberoam Appliance Model which is registered and its appliance key e.g. CR15i, CR25i
Licensed Users (if applicable) - Number of user licenses purchased
Company Name - Name of the company under whose name appliance is to be registered
Contact Person - Name of the contact person in the company under whose name appliance is registered
Table Appliance Registration screen elements

Manage Module Subscription Online


If the appliance is not registered, browse to http://customer.cyberoam.com and register. To register the appliance, you need to create a Customer Account. You can create the customer account and register the appliance in a single step. Once the appliance is registered, subscribe to other modules for the trial or with license keys. You can subscribe to the following modules:
- Web and Application Filter
- Intrusion Prevention System
- Gateway Anti Virus
- Gateway Anti-spam
- 8 X 5 Support
- 24 X 7 Support

Once you register the appliance or subscribe for any module, if you do not synchronize the details, Web Admin console will not display the updated subscription details.

View the details of Subscription Modules


Screen Elements - Description
Module - Module that can be subscribed in Cyberoam.
Status - Status of the module: Registered, Unregistered, Subscribed, Unsubscribed, Trial, Expired
Expiration Date - Module expiry date
Table View Subscription Modules screen elements

Services
You can view the current status and manage all the configured servers:
- Anti Virus and Anti Spam Server
- Cyberoam Authentication server
- DHCP Server
- Domain Name Server
- IPS Server
- SNMP
- Web Proxy Server including HTTP, SMTP, POP3, IMAP, FTP Proxy

To manage various services, go to System > Services > Services.

Screen Manage Services

Services - Name of the configured server/service
Status - Current status of the server
Manage - Click to Start or Stop the respective server. Click to Restart the respective server.

Action table
Button - Usage
Start - Starts the server whose status is Stopped
Stop - Stops the server whose status is Started
Restart - Restarts server: Only for Authentication Server and Web Proxy Server
Table Manage Services screen elements

Updates
Updates page allows the administrator to configure automatic updates for Anti Virus definitions, IPS Signatures and Web category database. Alternately, these definitions can also be updated manually from this page itself.

Note
Auto updates for Anti Virus signature are not available for Cyberoam CR15i and CR25i models.

To enable automatic updates, go to System > Maintenance > Updates, select the required checkbox and click Apply.

Screen Manage Updates

Screen Elements - Description
Module - Module name whose definitions will be updated.
Version - Version of the Module
Last Update Status - Status of the last update: Successful or Failure
Last Update Mode - Mode of the last update: Automatic or Manual
Sync Now Button - Click Sync Now button to update the module definitions.
Table Manage Updates screen elements

SNMP
Simple Network Management Protocol (SNMP) is used as the transport protocol for network management. Network management consists of a station or manager communicating with network elements such as hosts, routers, servers, or printers. The agent is the software on the network element (host, router, printer) that runs the network management software. In other words, the agent is the network element. The agent stores information in a management information base (MIB). Management software polls the various network elements/agents and gets the information stored in them. The manager uses UDP port 161 to send requests to the agent and the agent uses UDP port 162 to send replies or messages to the manager. The manager can ask for data from the agent or set variable values in the agent. Agents can reply and report events.

SNMP collects information in two ways, if an SNMP agent is installed on the devices:
- The SNMP management station/Manager will poll the network devices/agents
- Network devices/agents will send trap/alert to SNMP management station/Manager.

SNMP terms
- Trap - An alert that is sent to a management station by agents.
- Agent - A program at devices that can be set to watch for some event and send a trap message to a management station if the event occurs.
- SNMP community - An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. The community name is used to identify the group. An SNMP device or agent may belong to more than one SNMP community. It will not respond to requests from management stations that do not belong to one of its communities.

Cyberoam MIB
The Cyberoam SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to Cyberoam system information and can receive Cyberoam traps. To monitor Cyberoam system information and receive Cyberoam traps you must compile Cyberoam proprietary MIBs into your SNMP manager. SNMP allows network administrators to monitor the status of the Cyberoam appliance and receive notification of critical events as they occur on the network. The Cyberoam appliance supports SNMPv1, SNMPv2c and custom Management Information Base (MIB). The Cyberoam appliance replies to SNMP Get commands for MIB via configured interface and supports a custom Cyberoam MIB for generating trap messages. The custom Cyberoam MIB is available for download from the Cyberoam Web site and can be loaded into any third-party SNMP management software.

The Cyberoam MIB contains fields that report current Cyberoam Appliance status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Cyberoam MIB fields by compiling the cyberoam.mib file into your SNMP manager and browsing the Cyberoam MIB fields. Cyberoam supports the following read-only MIB objects/fields:

Cyberoam Appliance MIB fields
MIB field (sysInstall) - Description
applianceKey - Appliance key number of the Cyberoam Appliance in use
applianceModel - Appliance model number of the Cyberoam Appliance in use
cyberoamVersion - The Cyberoam version currently running on the Cyberoam Appliance.
wabcatVersion - The Webcat version installed on the Cyberoam Appliance
avVersion - The antivirus definition version installed on the Cyberoam Appliance
asVersion - The antispam definition version installed on the Cyberoam Appliance
idpVersion - The IDP signature definition version installed on the Cyberoam Appliance

System MIB fields
MIB field (sysStatus) - Description
cyberoamOpMode - The Cyberoam appliance operation mode: Transparent or Bridge
systemDate - Current date
cpuPercentageUsage - The current CPU usage (as a percent)
diskCapacity - The hard disk capacity (MB)
diskUsage - The current hard disk usage (MB)
memoryCapacity - The memory capacity (MB)
memoryPercentageUsage - The current memory utilization (as a percent).
swapCapacity - The swap capacity (MB)
swapPercentageUsage - The current swap utilization (as a percent).
haMode - The current Cyberoam High-Availability (HA) mode (standalone, A-P)
liveUsers - The current live connected users i.e. logged on users in Cyberoam
httpHits - Total HTTP hits
ftpHits - Total FTP hits
pop3Hits (mailHits) - Total POP3 hits
imapHits (mailHits) - Total IMAP hits
smtpHits (mailHits) - Total SMTP hits
pop3Service (serviceStats) - The current status of POP3 service
imapService (serviceStats) - The current status of IMAP service
smtpService (serviceStats) - The current status of SMTP service
ftpService (serviceStats) - The current status of FTP service
httpService (serviceStats) - The current status of HTTP service
avService (serviceStats) - The current status of AntiVirus service
asService (serviceStats) - The current status of AntiSpam service
dnsService (serviceStats) - The current status of DNS
haService (serviceStats) - The current status of HA
IDPService (serviceStats) - The current status of IDP service
analyzerService (serviceStats) - The current status of Analyzer
snmpService (serviceStats) - The current status of SNMP

License MIB fields
MIB field (sysLicesne) - Description
appRegStatus (liAppliance) - Current Registration status of Cyberoam Appliance
appExpiryDate (liAppliance) - Expiry date of the Cyberoam Appliance, if Appliance is the Demo Appliance
supportSubStatus (lisupport) - Current subscription status for Cyberoam Support
supportExpiryDate (lisupport) - Subscription Expiry date for Cyberoam Support, if subscribed
avSubStatus (liAntiVirus) - Current subscription status for AntiVirus module
supportExpiryDate (liAntiVirus) - Subscription Expiry date for AntiVirus module, if subscribed
asSubStatus (liAntiSpam) - Current subscription status for AntiSpam module
supportExpiryDate (liAntiSpam) - Subscription Expiry date for AntiSpam module, if subscribed
idpSubStatus (liIdp) - Current subscription status for IDP module
supportExpiryDate (liIdp) - Subscription Expiry date for IDP module, if subscribed
asSubStatus (liWebcat) - Current subscription status for Web and Application Filter module
supportExpiryDate (liWebcat) - Subscription Expiry date for Web and Application Filter module, if subscribed

Alert MIB fields
MIB field (sysAlerts) - Description
highCpuUsage - High CPU usage i.e. CPU usage exceeds 90%
highDiskUsage - High Disk usage i.e. Disk usage exceeds 90%
highMemUsage - High Memory usage i.e. memory usage exceeds 90%
httpVirus (avAlerts) - HTTP virus detected by Cyberoam
smtpVirus (avAlerts) - SMTP virus detected by Cyberoam
pop3Virus (avAlerts) - POP3 virus detected by Cyberoam
imap4Virus (avAlerts) - IMAP virus detected by Cyberoam
ftpVirus (avAlerts) - FTP virus detected by Cyberoam
linkToggle (dgdAlerts) - Change of link status (up or down)
idpAlert1 (idpAlerts) - IDP alert
synFlood (dosAlerts) - DoS attack: SYN flood detected by Cyberoam
tcpFlood (dosAlerts) - DoS attack: TCP flood detected by Cyberoam
udpFlood (dosAlerts) - DoS attack: UDP flood detected by Cyberoam
icmpFlood (dosAlerts) - DoS attack: ICMP flood detected by Cyberoam

Use SNMP to configure agent, community and the SNMPv3 users. Cyberoam supports SNMPv1 and SNMPv2c protocols. Agent configuration page is used to configure agent name, agent port and the contact person for the program. The community page is used for adding, managing and deleting the communities for protocols SNMPv1 and SNMPv2c. Use SNMPv3 user page to add, manage and delete v3 users.

Agent Configuration
Use the Agent Configuration page to configure SNMP agents. The configuration details include name, description, location, contact person, agent port and manager port. To configure agents, go to System > SNMP > Agent Configuration.

Screen Agent Configuration

Screen Elements - Description
Name - Name to identify the agent
Description - Agent Description
Location - Physical location of the Cyberoam appliance.
Contact Person - Contact information of the person responsible for the maintenance of above specified Cyberoam appliance.
Agent Port - Cyberoam will use this port to send traps. The port number cannot be changed. Default port number: 161
Manager Port - Remote SNMP Management station/Manager will use this port to connect to the Cyberoam appliance.
Table Agent Configuration screen elements

Community
A Community is a group of SNMP Managers, and an SNMP Agent may belong to one or more communities. The Agent will not respond to requests from management stations that do not belong to one of its communities. Each Community can support SNMPv1, SNMPv2c or both. Cyberoam sends traps to all the communities. You must specify a trap version for each community. To configure communities, go to System > SNMP > Community. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Community to be modified. Edit Community pop-up window is displayed which has the same parameters as the Add Community window.
- Delete - Click the Delete icon in the Manage column against a community to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Community. To delete multiple Communities, select them and click the Delete button.

Manage Communities
To manage communities, go to System > SNMP > Community.

Screen Manage Communities

Screen Elements - Description
Add Button - Add a new community
Name - Name of the community
Source - IP address of the SNMP Manager that can use the settings in the SNMP community to monitor Cyberoam
Protocol Version - Configured SNMP protocol version support: v1 or v2c.
Trap - Configured trap support: v1 or v2c. Traps will be sent to the SNMP Managers who support the specified versions only
Edit Icon - Edit the Community
Delete Button - Delete the Community. Alternately, click the Delete icon against the community you want to delete.
Table Manage Communities screen elements

Community Parameters
To add or edit a community, go to System > SNMP > Community. Click the Add button to add a new community. To update the details, click on the Community or the Edit icon in the Manage column against the community you want to modify.

Screen Add Community

Screen Elements - Description
Name - Name to identify the community.
Description - Community description.
Source - IP address of the SNMP Manager that can use the settings in the SNMP community to monitor Cyberoam.
Protocol Version - Enable the required SNMP protocol version support. SNMP v1 and v2c compliant SNMP managers have read-only access to Cyberoam system information and can receive Cyberoam traps.
Trap - Enable the required version for trap support. Traps will be sent to the SNMP Managers who support the specified versions only.
Table Add Community screen elements
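The community rules described above (known community name, request from the configured Source, enabled protocol version, read-only access), as an added example that is not Cyberoam code: it decodes the header of an SNMP v1/v2c message and applies those checks in order. The community table, names, addresses and the decision strings are constructed assumptions.

```python
import ipaddress

# Constructed community table using the Add Community fields from this page
# (Name, Source, Protocol Version). Names and addresses are hypothetical.
COMMUNITIES = [
    {"name": "noc-monitor", "source": "192.168.1.50", "versions": {"v2c"}},
    {"name": "legacy-nms", "source": "192.168.1.60", "versions": {"v1", "v2c"}},
]
SNMP_VERSIONS = {0: "v1", 1: "v2c"}  # value of the version INTEGER on the wire
READ_PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Read one BER type-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version, community, pdu_tag) of an SNMP v1/v2c message.

    The community name is a plain OCTET STRING in the datagram, so anyone who
    can see the traffic can read it; the Source restriction is the second check.
    """
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, pos)
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big"))
    if version is None:
        raise ValueError("not SNMP v1 or v2c")
    return version, community.decode("ascii", "replace"), pdu_tag


def agent_decision(datagram, src_ip):
    """Apply the page's community rules to one request; return a decision."""
    try:
        version, community, pdu_tag = parse_snmp_header(datagram)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    entry = next((c for c in COMMUNITIES if c["name"] == community), None)
    if entry is None:
        return "drop: unknown community"
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(entry["source"]):
        return "drop: source is not the community's manager"
    if version not in entry["versions"]:
        return "drop: protocol version not enabled"
    if pdu_tag not in READ_PDUS:
        return "refuse: agent is read-only"
    return "answer"


def _tlv(tag, value):
    """Encode a TLV with a short-form length (enough for the samples here)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_request(version_num, community, pdu_tag=0xA0):
    """Construct a sample request for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = _tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = _tlv(0x30, _tlv(0x30, oid + _tlv(0x05, b"")))
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + varbinds)
    return _tlv(0x30, _tlv(0x02, bytes([version_num]))
                + _tlv(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    for args in [((1, "noc-monitor"), "192.168.1.50"),
                 ((0, "noc-monitor"), "192.168.1.50"),
                 ((1, "noc-monitor"), "192.168.1.77"),
                 ((1, "legacy-nms", 0xA3), "192.168.1.60")]:
        print(args, "->", agent_decision(build_request(*args[0]), args[1]))
```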

V3 User
SNMP version 3 has the capability of using authentication. Only the authenticated user can request the information. To manage v3 users, go to System > SNMP > v3 User. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the v3 user to be modified. Edit v3 User window is displayed which has the same parameters as the Add v3 user window.
- Delete - Click the Delete icon in the Manage column against a v3 user to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the v3 user. To delete multiple v3 users, select them and click the Delete button.

Manage v3 Users
To manage v3 users, go to System > SNMP > v3 User.

Screen Manage v3 Users

Screen Elements - Description
Add Button - Add a new v3 user
User Name - Name of the v3 user
Edit Icon - Edit the v3 user
Delete Button - Delete the v3 user. Alternately, click the Delete icon against the v3 user you want to delete.
Table Manage v3 users screen elements

V3 User Parameters
To add or edit a v3 user, go to System > SNMP > v3 User. Click the Add button to add a new v3 user. To update the details, click on the v3 user or the Edit icon in the Manage column against the v3 user you want to modify.

Screen Add v3 User

Screen Elements - Description
Name - Name to identify the v3 user.
Password - Password for authentication
Confirm Password - Confirm password for authentication
Table Add v3 User screen elements

System Graph
Use System Graph to view Graphs pertaining to System related activities for different time intervals. Graphs can be viewed Utilities wise or period wise.

Period wise graph will display following graphs for the selected period: Live Graph, CPU usage Info, Memory usage Info, Load Average and Interface usage Info. These graphs are same as displayed in Utility wise graphs. They are regrouped based on the time interval.

Live Graphs
Live graphs allow the Administrator to monitor the usage of resources over the last two hours. Graphs display the percentage-wise CPU and Memory usage. They also display load average and traffic statistics on each interface.

1. Last two hour CPU Usage - Graph shows past two hours CPU usage in percentage. In addition, shows minimum, maximum, Average and Current CPU usage.

Screen Last two hour CPU usage
X axis - Minutes
Y axis - % use
Legends
Blue Color - CPU used by Users
Orange Color - CPU used by System
Green Color - CPU Idle time

2. Last two hour Memory Usage - Graph shows past two hours memory usage in percentage. Graph displays the memory used, free memory and total memory available.

Screen Last two hour Memory usage
X axis - Time interval (minutes)
Y axis - Memory used in Giga bytes
Legends
Orange Color - Memory used
Green Color - Free Memory
Black Color - Total Memory

3. Last two hour Load Average - Graph shows past two hours average load on the system. In addition, shows minimum, maximum, Average and Current load.

Screen Last two hour Load Average usage
X axis - Time interval (minutes)
Y axis - % use
Legends
Blue Color - One minute
Orange Color - Five minutes
Green Color - Fifteen minutes

4. Last two hour traffic statistics on each Interface - Graph shows the following traffic statistics for all the Interfaces over the past two hours:
a. Bits received and transmitted through Interface
b. Errors occurred while transmitting and receiving packets through the Interface
c. Packets dropped while transmitting and receiving packets through the Interface
d. Collisions occurred while transmitting and receiving packets through the Interface

Screen Last two hour Interface Usage
X axis - Time interval (minutes)
Y axis - kbits/sec
Legends
Orange Color - Bits Received
Green Color - Bits Transmitted
Dark Blue Color - Received Errors
Light Blue - Bits Transmitted but Dropped
Red Color - Collisions
Dark green Color - Transmitted Errors
Yellow - Bits Received but Dropped

CPU Info graphs


CPU Info graphs allow the Administrator to monitor the CPU usage by the Users and System components. Graphs display percentage-wise minimum, maximum, Average and Current CPU usage by User and System and CPU Idle time. Usage graphs can be viewed for:
1. Current
2. Yesterday
3. Current Week
4. Current Month
5. Current Year

Screen Todays CPU usage
X axis - Hours
Y axis - % use
Legends
Blue Color - CPU used by Users
Orange Color - CPU used by System
Green Color - CPU Idle time

Memory Info graphs


Memory Info graphs allow the Administrator to monitor the Memory usage. Graphs display the memory used, free memory and total memory available. Memory usage graphs can be viewed for:
1. Current
2. Yesterday
3. Current Week
4. Current Month
5. Current Year

Screen Todays Memory usage
X axis - Hours
Y axis - Memory used in Mega bytes
Legends
Orange Color - Memory used
Green Color - Free Memory
Black Color - Total Memory

Load Average graphs


Load Average graphs allow the Administrator to monitor the load on the System. Graphs display the average load on the System at intervals of one minute, five minutes and fifteen minutes.

Load Average of 1.0 is considered as Normal while above 1.0 is considered as Critical for the System. Load average graphs can be viewed for:
1. Current day
2. Yesterday
3. Current Week
4. Current Month
5. Current Year

Screen Todays Load Average usage
X axis - Hours
Y axis - Load average on the System
Legends
Blue Color - Average load at one minute
Green Color - 5 minutes
Orange Color - 15 minutes

Interface Info graphs


Interface Info graph displays the following information for all the Interfaces:
1. Bits received and transmitted through Interface
2. Errors occurred while transmitting and receiving packets through the Interface
3. Packets dropped while transmitting and receiving packets through the Interface
4. Collisions occurred while transmitting and receiving packets through the Interface

Screen Todays Interface usage
X axis - Duration
Y axis - KBits/Sec
Legends
Orange Color - Bits Received
Green Color - Bits Transmitted
Dark Blue Color - Received Errors
Light Blue - Bits Transmitted but Dropped
Red Color - Collisions
Dark green Color - Transmitted Errors
Yellow - Bits Received but Dropped

Note
Today and Yesterday Graphs are plotted at the average of 5 minutes.
Weekly Graph is plotted at the average of 15 minutes.
Monthly Graph is plotted at the average of 6 Hours.
Yearly Graph is plotted at the average of 1 Day.

Packet Capture
Packet capture displays details of dropped packets on the specified interface. It provides connection details and shows which module is dropping packets (e.g. firewall, IPS), along with information like firewall rule number, user, Web and Application Filter policy number etc. This helps Cyberoam administrators to troubleshoot errant firewall rules. To capture information about dropped packets, go to System > Packet Capture > Packet Capture. You can:
- Configure Capture Filter - Click the Configure Button to configure general settings for capturing the packets.
- View - Click on the packet to view the packet information.
- Display Filter - Click the Display Filter Button to specify the filter conditions for the packets.
- Clear - Click the Clear Button to clear the details of the packets captured.

View the list of Captured Packets

Screen View Captured Packets

Screen Elements - Description
Packet Capture - Displays following capturing configuration:
  Trace On - packet capturing is on
  Trace Off - packet capturing is off
  Buffer Size: 2048 KB
  Buffer used: 0 - 2048 KB
  Captured packets fill the buffer up to a size of 2048 KB. While the packet capturing is on, if the buffer used exceeds the stipulated buffer size, packet capturing stops automatically. In such a case, you would have to manually clear the buffer for further use.
Capture Filter - There are various filter conditions for capturing the packets. The BPF String is used for filtering the packet capture. For example, Capture Filter - host 192.168.1.2 and port 137
Configure Button - Configure Capture Filter. Capture filter can be configured through the following parameters: Number of Bytes to Capture (per packet), Wrap Capture Buffer Once Full, Enter BPF String. Refer to Configure Capture Filter for more details.
Display Filter Button - Log can be filtered as per the following criteria: Interface Name, Ether Type, Packet Type, Source IP, Source Port, Destination IP, Destination Port. Refer to Display Filter for more details.
Start/Stop Button - Start/Stop packet capturing
Refresh Button - Refresh the list of packets captured
Clear Button - Clear the buffer
Time - Packet capture time
In Interface - Interface from which packet is coming
Out Interface - Interface to which packet is sent
Ether Type - Ether Type: IP or ARP. EtherType is a field in an Ethernet frame. It is used to indicate the protocol encapsulated in the Ethernet frame.
Source IP - Source IP Address of the packet
Destination IP - Destination IP Address of the packet
Packet Type - Type of Packet: ARP Request or UDP
Ports [src, dst] - Source and Destination ports
Rule ID - Firewall Rule ID
Status - Packet Status: Incoming, Forwarded, Violation, Consumed or Generated
Reason - Reason for packet being dropped, if it is dropped
Packet Information - Packet Information including header details and Cyberoam entities including firewall rules & policies.
Hex & ASCII Detail - Packet Information in Hex & ASCII values.
Table Captured Packets screen elements

Configure Capture Filter


Capture Filter page allows configuration of number of bytes to be captured per packet.

Screen Configure Capture Filter

Screen Elements - Description
Number of Bytes to Capture (per packet) - Specify the number of bytes to be captured per packet.
Wrap Capture Buffer Once Full - Enable Wrap Capture Buffer Once Full checkbox to
Enter BPF String - Specify BPF string. BPF (Berkeley Packet Filter) sits between link-level driver and the user space. BPF is protocol independent and uses a filter-before-buffering approach. It includes a machine abstraction to make the filtering efficient. For example, host 192.168.1.2 and port 137. Refer to BPF String Parameters for filtering specific packets.
Table Capture Filter screen elements

BPF String Parameters

How to drop packets of the - Example
specific host - host 10.10.10.1
specific source host - src host 10.10.10.1
specific destination host - dst host 10.10.10.1
specific network - net 10.10.10.0
specific source network - src net 10.10.10.0
specific destination network - dst net 10.10.10.0
specific port - port 21
specific source port - src port 21
specific destination port - dst port 21
specific host for the particular port - host 10.10.10.1 and port 21
the specific host for all the ports except SSH - host 10.10.10.1 and port not 22
specific protocol - proto ICMP, proto UDP , proto TCP, ARP
particular interface - packet-capture interface eth1
specific port of a particular interface - packet-capture interface eth1 port 21
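To check which packets a BPF string from the table above selects before relying on it in a capture, the following added example (not Cyberoam or libpcap code) evaluates the host, net and port primitives with src/dst, and, or, not and parentheses against constructed packets. The Packet model, sample packets and function names are assumptions; operator precedence and the net mask rule follow the libpcap pcap-filter man page, and proto and interface strings are not handled.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")  # constructed packet model

# Constructed sample traffic, keyed by a label used in the results.
SAMPLE = {
    "ftp": Packet("10.10.10.1", "192.168.1.20", 40001, 21),
    "ssh": Packet("192.168.1.20", "10.10.10.1", 50022, 22),
    "nbns": Packet("10.10.10.7", "10.10.10.255", 137, 137),
    "web": Packet("172.16.0.9", "192.168.1.20", 51000, 80),
}


def _network(text):
    """pcap-filter rule: without a mask, each written octet adds 8 mask bits,
    so a dotted quad such as 10.10.10.0 is a /32 and 10.10.10 is a /24."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=True)
    octets = text.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=True)


def _primitive(direction, kind, value):
    """Build a predicate for one primitive such as 'src host 10.10.10.1'."""
    if kind == "port":
        port = int(value)
        fields = {"src": ("sport",), "dst": ("dport",)}.get(direction, ("sport", "dport"))
        return lambda p: any(getattr(p, f) == port for f in fields)
    net = _network(value) if kind == "net" else ipaddress.ip_network(value + "/32")
    fields = {"src": ("src",), "dst": ("dst",)}.get(direction, ("src", "dst"))
    return lambda p: any(ipaddress.ip_address(getattr(p, f)) in net for f in fields)


def compile_filter(text):
    """Compile the supported subset of a BPF string into a Packet predicate."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        pos += 1
        return tokens[pos - 1]

    def term():
        tok = take()
        if tok == "not":
            inner = term()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("missing )")
            return inner
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok not in ("host", "net", "port"):
            raise ValueError(f"unsupported primitive: {tok}")
        negate = peek() == "not"  # the table's "port not 22" form
        if negate:
            take()
        match = _primitive(direction, tok, take())
        return (lambda p: not match(p)) if negate else match

    def expr():
        # 'and' and 'or' have equal precedence and associate left to right.
        left = term()
        while peek() in ("and", "or"):
            op, l, r = take(), left, term()
            if op == "and":
                left = lambda p, l=l, r=r: l(p) and r(p)
            else:
                left = lambda p, l=l, r=r: l(p) or r(p)
        return left

    predicate = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token: {tokens[pos]}")
    return predicate


def select(filter_text, packets=SAMPLE):
    """Return the sorted labels of the packets that the filter matches."""
    match = compile_filter(filter_text)
    return sorted(name for name, pkt in packets.items() if match(pkt))


if __name__ == "__main__":
    for f in ("host 10.10.10.1 and port not 22", "net 10.10.10.0", "net 10.10.10"):
        print(f, "->", select(f))
```

On the sample packets, `net 10.10.10.0` selects nothing under the man page rule while `net 10.10.10` and `net 10.10.10.0/24` select the three packets inside that network; the page does not state which form the appliance expects.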

Display Filter
Display Filter page restricts the packet capturing to specific type of packets only. There are other filtering conditions such as the type of interface, ether type, source IP address & destination IP address.

Screen Configure Display Filter

Screen Elements - Description
Interface Name - Select the physical interface from the list for filtering packets log.
Ether Type - Select the Ethernet Type: IP or ARP. EtherType is a field in an Ethernet frame. It is used to indicate the protocol encapsulated in the Ethernet frame.
Packet Type - Select the packet type used from the list for filtering packets.
Source IP & Port - Specify source IP and port number
Destination IP & Port - Specify destination IP and port number
Table Display Filter screen elements

Objects

Objects are the logical building blocks of various policies and rules, which include:
- host - IP, network and MAC addresses. They are used in defining firewall rules, virtual host, NAT policy, IPSec, L2TP and VPN policies
- services - which represent specific protocol and port combination, for example, DNS service for TCP protocol on port 53. Access to services is allowed or denied through firewall rules.
- schedule - to control when the firewall rule, Access time policy, Web filter policy, Application filter policy, or QoS policy will be in effect, for example, All Days, Work Hours
- file types - defining web filter policy, SMTP scanning rules
- certificates - VPN policies

Hosts
IP Host is a logical building block used in defining firewall rules, virtual host and NAT policy. By default, hosts equal in number to the ports in the Appliance are already created. Object IP Host represents various types of addresses, including IP addresses and networks. MAC Host represents Ethernet MAC addresses. Host Groups are used for grouping IP Hosts so that common policies can be applied to the hosts in a group.

IP Host
Hosts allow entities to be defined once and be re-used in multiple referential instances throughout the configuration. For example, consider an internal Mail Server with the IP address 192.168.1.15. Rather than repeatedly using the IP address while constructing firewall rules or NAT Policies, you can create a single entity called Internal Mail Server as a Host name with an IP address of 192.168.1.15. This host, Internal Mail Server, can then be easily selected in any configuration screen that uses Hosts as a defining criterion. By using hosts instead of numerical addresses, you only need to make changes in a single location, rather than in each configuration where the IP address appears. Using Hosts reduces the error of entering incorrect IP addresses, makes it easier to change addresses and increases readability.

To configure IP Host, go to Objects > Hosts > IP Host. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the IP Host to be modified. Edit IP Host window is displayed which has the same parameters as the Add IP Host window.
- Search
- Delete - Click the Delete icon in the Manage column against an IP Host to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IP Host. To delete multiple IP Hosts, select them and click the Delete button.

Note
System hosts cannot be updated or deleted. Dynamic hosts which are automatically added on creation of VPN Remote access connections cannot be updated or deleted. Default hosts that are created for remote access connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW cannot be updated or deleted.

Manage IP Hosts
To manage IP hosts, go to Objects > Hosts > IP Host.

Screen Manage IP Host

Screen Elements - Description
Add Button - Add a new IP Host
Host Name - Name of the IP Host
Host Type - Type of IP Hosts: Single or Range of IP, Network, list of assorted IP addresses
Address Detail - Configured IP addresses for the host
Edit Icon - Edit the IP Host
Delete Button - Delete the IP Host. Alternately, click the Delete icon against the host you want to delete.
Table Manage IP Host screen elements

List also displays dynamic hosts which are automatically added on creation of VPN Remote access connections (IPSec and SSL) and the default hosts that are automatically created for remote access connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW.

IP Host Parameters
To add or edit an IP host, go to Objects > Hosts > IP Host. Click the Add button to add a new host. To update the details, click on the host or the Edit icon in the Manage column against the host you want to modify.

Screen Add IP Host

Screen Elements - Description
Name - Name to identify the IP Host.
Type - Select the type of host. Available options:
  Single IP address
  Network IP address with subnet
  IP Range
  IP list to add assorted IP addresses. Use comma to specify assorted multiple IP addresses. Create IP list when you want to create single firewall rule for multiple IP addresses which are not in a range. Please note only Class B IP addresses can be added in IP list. IP addresses can be added or removed from IP list.
IP Address - Specify IP Address based on the Host Type selected.
Host Group - Select host group i.e. host group membership. Single host can be member of multiple host groups. You can also add IP Host Group from the IP Host page itself.
Table Add IP Host screen elements

Search IP Host
Click the Search icon in the Address Detail column to search for specific IP address. IP address can be searched on the following criteria: is equal to, starts with and contains. Click OK to get the search results and Clear button to clear the results.

Screen Search Address Detail

Search Criteria - Search Results
is equal to - All the IP addresses that exactly match with the IP address specified in the criteria. For example, if the search string is 192.168.1.1, all the addresses exactly matching the string will be displayed.
starts with - All the IP addresses that start with the specified criteria. For example, if the search string is 192, all the addresses starting with the number 192 will be displayed.
contains - All the IP addresses that are in the specified range of IP addresses. For example, if the search string is 1.1.1.2-1.1.1.10, all the IP addresses like 1.1.1.5 or 1.1.1.8 falling in this range will be displayed.
Table Search Address Detail screen elements

IP Host Group
Host group is a grouping of hosts. Firewall rule can be created for the individual host or host groups. To configure host groups, go to Objects > Hosts > IP Host Group. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the IP Host Group to be modified. Edit IP Host Group pop-up window is displayed which has the same parameters as the Add IP Host Group window.
- Delete - Click the Delete icon in the Manage column against an IP Host Group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IP Host Group. To delete multiple IP Host Groups, select them and click the Delete button.

Note
Dynamic host groups which are automatically added on creation of VPN Remote access connections cannot be updated or deleted.


Manage IP Host Groups


To configure host groups, go to Objects > Hosts > IP Host Group.

Screen - Manage IP Host Group

Screen Element - Description
Add Button - Add a new IP Host
Name - Name of the IP Host Group
Description - Description of the Host Group
Edit Icon - Edit the IP Host Group
Delete Button - Delete the IP Host Group. Alternately, click the Delete icon against the host group you want to delete.

Table - Manage IP Host Group screen elements

IP Host Group Parameters


To add or edit a host group, go to Objects > Hosts > IP Host Group. Click the Add button to add a new host group. To update the details, click on the host group or Edit icon in the Manage column against the host group you want to modify.

Screen - Add IP Host Group

Screen Element - Description
Name - Name to identify the IP Host group.
Description - IP Host Group description
Select Host - 'Host' List displays all the hosts including default hosts. Click the checkbox to select the hosts. All the selected hosts are moved to 'Selected host' list. Single host can be a member of multiple host groups.

Table - Add IP Host Group screen elements

MAC Host
To configure MAC Host, go to Objects > Hosts > MAC Host. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the MAC Host to be modified. Edit MAC Host pop-up window is displayed which has the same parameters as the Add MAC Host window.
Search
Delete - Click the Delete icon in the Manage column against a MAC Host to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the MAC Host. To delete multiple MAC Hosts, select them and click the Delete button.

Manage MAC Host


To manage MAC hosts, go to Objects > Hosts > MAC Host.

Screen - Manage MAC Host

Screen Element - Description
Add Button - Add a new MAC Host
Host Name - Name of the MAC Host
Host Type - Type of MAC Hosts: single or multiple
Address Detail - Configured MAC Addresses
Edit Icon - Edit the MAC Host
Delete Button - Delete the MAC Host. Alternately, click the Delete icon against the host you want to delete.

Table - Manage MAC Host screen elements


MAC Host Parameters


To add or edit a MAC host, go to Objects > Hosts > MAC Host. Click the Add button to add a new host. To update the details, click on the host or Edit icon in the Manage column against the host you want to modify.

Screen - Add MAC Host

Screen Element - Description
Host Name - Name to identify the MAC Host.
Host Type - Select the MAC Host Type. Available options:
  MAC Address - Single MAC address
  MAC list - Multiple MAC addresses
MAC Address - Specify MAC Address based on the Host Type selected, in the form of 00:16:76:49:33:CE. Use comma to configure multiple addresses.

Table - Add MAC Host screen elements

Search MAC Host


Host MAC Address
Click the Search icon in the Address Detail column to search for specific MAC addresses. MAC address can be searched on the following criteria: is equal to, starts with and contains. Click OK to get the search results and Clear button to clear the results.

Screen - Search MAC Address Detail

Search Criteria - Search Results
is equal to - All the MAC addresses that exactly match with the MAC address specified in the criteria. For example, if the search string is 10:11:13:17:A1:BC, all the addresses exactly matching the string will be displayed.
starts with - All the MAC addresses that start with the specified search criteria. For example, if the search string is 10, all the addresses like 10:15:18:A1:BC:22, starting with the number 10 will be displayed.
contains - All the MAC addresses that contain the string specified in the criteria. For example, if the search string is BC, all the MAC addresses like 10:15:18:A1:BC:22, containing the string are displayed.

Table - Search MAC Address Detail screen elements

MAC Host Name
Click the Search icon to search for specific MAC hosts. Hosts can be searched on the following criteria: is, is not, contains and does not contain. Click OK to get the search results and Clear button to clear the results.

Screen - Search MAC Host

Search Criteria - Search Results
is - All the MAC hosts that exactly match with the string specified in the criteria. For example, if the search string is Test, only MAC hosts with the name exactly matching Test are displayed.
is not - All the users/user groups that do not match with the string specified in the criteria. For example, if the search string is Test, all MAC hosts except with the name exactly matching Test are displayed.
contains - All the MAC hosts that contain the string specified in the criteria. For example, if the search string is Test, all the MAC hosts containing the string Test are displayed.
does not contain - All the MAC hosts that do not contain the string specified in the criteria. For example, if the search string is Test, all the MAC hosts not containing the string Test are displayed.

Table - Search MAC Host screen elements


Services
Services represent types of Internet data transmitted via particular protocols or applications. Service allows you to identify traffic based on the attributes of a given protocol. Services are definitions of certain types of network traffic and combine information about a protocol such as TCP, ICMP or UDP as well as protocol-related options such as port numbers. You can use services to determine the types of traffic allowed or denied by the firewall.

Protect your network by configuring firewall rules to:
block services for specific zone
limit some or all users from accessing certain services
allow only specific user to communicate using specific service

Certain well-known traffic types have been predefined in services. These predefined services are defaults, and cannot be updated or deleted. If you require service definitions that are different from the predefined services, you can add them as custom services. Cyberoam provides several standard or default services and allows creating:
Custom service definitions
Firewall rule for custom service definitions

To manage and configure services, go to Objects > Services > Services. You can:
Add
View - View the details of default and custom services. Default services cannot be updated or deleted.
Edit - Click the Edit icon in the Manage column against the service to be modified. Edit service pop-up window is displayed which has the same parameters as the Add service window.
Delete - Click the Delete icon in the Manage column against a service to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the service. To delete multiple services, select them and click the Delete button.

Note
A service used by a firewall rule cannot be deleted.

Manage Service
To manage services, go to Objects > Services > Services.

Screen - Manage Service

Screen Element - Description
Add Button - Add a new Service
Name - Name of the Service
Protocol - Protocol used for the service
Details - Details of the ports, protocol number or ICMP type and code based on the protocol selected.
Edit Icon - Edit the service
Delete Button - Delete the service. Alternately, click the Delete icon against the service you want to delete.

Table - Manage Service screen elements

Service Parameters
To add or edit a service, go to Objects > Services > Services. Click the Add button to add a new service. To update the details, click on the service or Edit icon in the Manage column against the service you want to modify.

Screen - Add Service

Screen Element - Description
Name - Name to identify the Service
Service Type - Select a protocol for the service. Available options:
  TCP/UDP - Enter Source and Destination port. You can enter multiple ports for the same service. Click Add icon to add multiple source and destination ports and remove icon to delete the ports.
  IP - Select Protocol Number for the service. You can select multiple ports for the same service. Click Add icon to add multiple protocols and remove icon to delete the protocols.
  ICMP - Select ICMP Type and Code. You can enter multiple types and codes for the same service. Click Add icon to add ICMP type and ICMP code and remove icon to delete the parameters.

Table - Add Service screen elements

Service Group
Service Group is a grouping of services. Custom and default services can be grouped in a single group. Use to configure firewall rules to:
block group of services for specific zone
limit some or all users from accessing group of services
allow only specific user to communicate using group of service

To make it easier to add firewall rules, create groups of services and then add one firewall rule to allow or block access for all the services in the group. A service group can contain default services as well as custom services in any combination. A service can be a member of multiple groups i.e. a service can be included in multiple service groups.

To manage service groups, go to Objects > Services > Service Group. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the Service Group to be modified. Edit Service Group pop-up window is displayed which has the same parameters as the Add Service Group window.
Search
Delete - Click the Delete icon in the Manage column against a Service Group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Service Group. To delete multiple Service Groups, select them and click the Delete button.

Note
You cannot delete default Service Groups. Service group assigned to firewall rule cannot be deleted.

Manage Service Group


To manage service groups, go to Objects > Services > Service Group.

Screen - Manage Service Group

Screen Element - Description
Add Button - Add a new Service Group
Name - Name of the Service Group
Description - Description of the Service Group
Edit Icon - Edit the service group
Delete Button - Delete the service group. Alternately, click the Delete icon against the service group you want to delete.

Table - Manage Service Group screen elements

Service Group Parameters


To add or edit a service group, go to Objects > Services > Service Group. Click the Add button to add a new service group. To update the details, click on the service group or Edit icon in the Manage column against the service group you want to modify.

Screen - Add Service Group

Screen Element - Description
Group Name - Name to identify the Service Group
Description - Service Group Description
Select Service - Service List displays all the services including default services. Click the checkbox to select the service. All the selected services are moved to the 'Selected Service' list. Single service can be member of multiple groups. You can also search for a particular service.

Table - Add Service Group screen elements

Search Service Group


Click the Search icon in the Name column to search for specific Service group name. Address can be searched on the following criteria: is, is not, contains, does not contain. Click OK to get the search results and Clear button to clear the results.

Screen - Search Service Group

Search Criteria - Search Results
is - All the service groups that exactly match with the string specified in the criteria. For example, if the search string is Test, only service groups with the name exactly matching Test are displayed.
is not - All the service groups that do not match with the string specified in the criteria. For example, if the search string is Test, all service groups except with the name exactly matching Test are displayed.
contains - All the service groups that contain the string specified in the criteria. For example, if the search string is Test, all the service groups containing the string Test are displayed.
does not contain - All the service groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the service groups not containing the string Test are displayed.

Table - Search Service Group screen elements


Schedule
Schedule defines a time schedule for applying firewall rule or Internet Access policy i.e. used to control when firewall rules or Internet Access policies are active or inactive.

Types of Schedules:
Recurring - use to create policies that are effective only at specified times of the day or on specified days of the week.
One-time - use to create firewall rules that are effective once for the period of time specified in the schedule. One time schedule can be implemented through firewall only.

Cyberoam provides the following pre-defined schedules, which can be applied to firewall rules and various policies: Work hours (5 Day week), Work hours (6 Day week), All Time on Weekdays, All Time on Weekends, All Time on Sunday, All Days 10:00 to 19:00.

To manage schedules, go to Objects > Schedule > Schedule. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the Schedule to be modified. Edit Schedule pop-up window is displayed which has the same parameters as the Add Schedule window.
Delete - Click the Delete icon in the Manage column against a Schedule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Schedule. To delete multiple Schedules, select them and click the Delete button.

Note
A schedule assigned to a firewall rule or to any policy cannot be deleted.

Manage Schedule
To manage schedules, go to Objects > Schedule > Schedule.

Screen - Manage Schedule

Screen Element - Description
Add Button - Add a new Schedule
Name - Name of the Schedule
Type - Type of Schedule: Recurring or One Time
Description - Description of the Schedule
Edit Icon - Edit the Schedule
Delete Button - Delete the schedule. Alternately, click the Delete icon against the schedule you want to delete.

Table - Manage Schedule screen elements

Schedule Parameters
To add or edit a schedule, go to Objects > Schedule > Schedule. Click the Add button to add a new schedule. To update the details, click on the schedule or Edit icon in the Manage column against the schedule you want to modify.

Screen - Add Schedule

Screen Element - Description
Name - Name to identify the Schedule
Description - Specify Schedule Description
Type - Select Schedule Type. Available Options:
  Recurring - use to create access time policies that are effective only at specified times of the day or on specified days of the week
  One Time - use to create firewall rules that are effective once for the period of time specified in the schedule. It cannot be applied to any of the policies but can be implemented through firewall rule only
  Start & End Date - Specify Start and Stop date. This is applicable for the one time schedule only.
  Also, select the days of the week and specify time for the schedule to be active. Stop time cannot be greater than start time.

Table - Add Schedule screen elements


File Type
File type is a grouping of file extensions. Cyberoam allows filtering Internet content based on file extension. For example, you can restrict access to particular types of files from sites within an otherwise-permitted category. For your convenience, Cyberoam provides several default File Types categories. You can use these or even create new categories to suit your needs. Depending on the organization requirement, allow or deny access to the categories with the help of policies by groups, individual user, time of day, and many other criteria.

Cyberoam provides five default File Type categories which cannot be modified or deleted and also allows adding custom file types if required. Custom file type category is given priority over default category while allowing/restricting the access and is implemented through Web Filter policy.

To manage file type categories, go to Objects > File Type > File Type. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the File Type Category to be modified. Edit File Type pop-up window is displayed which has the same parameters as the Add File Type window.
Delete - Click the Delete icon in the Manage column against a File Type Category to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the File Type Category. To delete multiple File Type Categories, select them and click the Delete button.

Note
A category used by a Web Filter policy cannot be deleted.

Manage File Type Categories


To manage file type categories, go to Objects > File Type > File Type.

Screen - Manage File Type Category

Screen Element - Description
Add Button - Add a new File Type Category
Name - Name of the File Type Category
File Extensions - File types included in Category
Description - Description of the File Type Category
Edit Icon - Edit the File Type Category
Delete Button - Delete the File Type Category. Alternately, click the Delete icon against the file type category you want to delete.

Table - Manage File Type Category screen elements

File Type Category Parameters


To add or edit a file type category, go to Objects > File Type > File Type. Click the Add button to add a new file type category. To update the details, click on the file type category or Edit icon in the Manage column against the file type category you want to modify.

Screen - Add File Type Category

Screen Element - Description
Name - Name to identify the File Type Category
File Extensions - Specify the file extensions to be included in the category. Multiple extensions can be entered using comma. For example, bmp, jpeg.
Description - File Type Category Description

Table - Add File Type Category screen elements


Certificate
A digital certificate is a document that guarantees the identity of a person or entity and is issued by the Certificate Authority (CA). Certificates are generated by the third party trusted CA. CAs create certificates by signing the public keys and identifying information of the communicating parties with their own private keys. This makes it possible to verify that a public key really belongs to the communicating party and has not been forged by someone with malicious intentions.

To use Certificates for authentication with Cyberoam in various VPN policies, you must have a valid CA and a certificate. You need to upload the CA if you are using an external CA. You also need to upload the certificate. If you are using a third party CA, you have to submit a request to the CA for issuing a certificate. Once the CA issues a certificate, you have to upload it to use it in a VPN policy.

You can also use Cyberoam to act as a certificate authority and sign its own certificates. This eliminates the need of having your own certificate authority. If you are using Cyberoam as CA, you have to generate a self-signed certificate, which can be used in various VPN policies.

Certificate page allows you to generate a self-signed certificate, upload a certificate or generate a certificate signing request. This page also allows you to manage certificates, which involves updating and regenerating, revoking, downloading and deleting certificates.

To manage certificates, go to Objects > Certificate > Certificate. You can:
Add - You can add two types of certificates: Third Party Certificate and Self Signed Certificate. If you are using a third party CA, you have to submit the request to the CA; the CA will verify the details and then send the signed certificate.
View
Download - Click to download the self signed certificate or CSR.
Revoke - Click to revoke self signed certificate if lost, stolen or updated.
Edit - Click the Edit icon in the Manage column against the Certificate to be modified. Edit Certificate window is displayed which has the same parameters as the Add Certificate window.
Delete - Click the Delete icon in the Manage column against a Certificate. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Certificate. To delete multiple certificates, select them and click the Delete button.

Manage Certificates
To manage certificates, go to Objects > Certificate > Certificate.

Screen - Manage Certificate

Screen Element - Description
Add Button - Add a new Certificate
Name - Name of the Certificate
Valid From - Valid activation date for the certificate
Valid Up To - Certificate expiry date
Certificate Authority - Certificate Authority if applicable.
  (icon) - If the Certificate Authority is available in Cyberoam.
  (icon) - If the Certificate Authority is not available in Cyberoam.
Type - Certificate Type - self signed or certificate signing request (CSR) or Upload (third party certificate)
Download Icon - Select to download Certificate or CSR.
Revoke Icon - Select to revoke self signed certificate if lost, stolen or updated. Revoked certificate is automatically added to the Certificate Revocation List (CRL). You can download revoked certificate and circulate if required.
Edit Icon - Edit the Certificate details
Delete Button - Delete the Certificate. Alternately, click the Delete icon against the certificate you want to delete.

Table - Manage Certificate screen elements

Certificate Parameters
To add or edit a certificate, go to Objects > Certificate > Certificate. Click the Add button to add a new certificate. To update the details, click on the certificate or Edit icon in the Manage column against the certificate you want to modify.

Screen - Add Certificate (Upload Certificate)

Screen - Add Certificate (Generate Self Signed Certificate)

Screen - Add Certificate (Generate Certificate Signing Request Certificate)

Screen Element - Description
Actions

Upload Certificate
Certificate Name - Name to identify the Certificate.
Password - Password for a Certificate used for authentication
Confirm Password - Re-enter password for confirmation
Certificate - Specify certificate to be uploaded. Use Browse to select the complete path
Private Key - Specify private key for the certificate. Use Browse to select the complete path

Generate Self Signed Certificate
Certificate Name - Name to identify the certificate.
Valid Up To - Specify certificate validity period using Calendar. Validity period is the certificate life i.e. period up to which the certificate will be considered as valid. Minimum validity period is one day.
Key Length - Select key length. Key length is the number of bits used to construct the key. Generally the larger the key, the less chance that it will be compromised but requires more time to encrypt and decrypt data than smaller keys.
Password - Password for a Certificate used for authentication. Password must be at least 10 characters long.
Confirm Password - Re-enter password for confirmation
Certificate ID - Specify certificate ID. You can specify any one of the following: DNS, IP address, Email address, DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Once the certificate is created, you need to download and send this certificate to the remote peer with whom the connection is to be established.

Generate Certificate Signing Request
Certificate Name - Name to identify the certificate.
Valid Up To - Specify certificate validity period using Calendar. Validity period is the certificate life i.e. period up to which the certificate will be considered as valid. Minimum validity period is one day.
Key Length - Select key length. Key length is the number of bits used to construct the key. Generally the larger the key, the less chance that it will be compromised but requires more time to encrypt and decrypt data than smaller keys.
Password - Password for a Certificate used for authentication. Password must be at least 10 characters long.
Confirm Password - Re-enter password for confirmation
Certificate ID - Specify certificate ID. You can specify any one of the following: DNS, IP address, Email address, DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Country - Select the Country for which the Certificate will be used. Generally, this would be the name of the country where Cyberoam is installed.
State/Province - Select the State/Province for which the Certificate will be used. Generally, this would be the name of the state/province where Cyberoam is installed.
Locality - Select the Locality for which the Certificate will be used. Generally, this would be the name of the Locality where Cyberoam is installed.
Organization - Specify your organization name, which will use this certificate and domain name. This domain will be certified to use the Certificate. Use unique Domain name only
Organization Unit - Specify your department/unit name, which will use this certificate and domain name. This domain will be certified to use the Certificate. Use unique Domain name only
Common Name - Specify Common Name.
Email Address - Specify Email address

Table - Add Certificate screen elements

Certificate Authority
Cyberoam provides a facility to generate a local certificate authority as well as import certificates signed by commercial providers, such as VeriSign. A certificate signed by a Certificate Authority (CA) identifies the owner of a public key. Each communicating party may be required to present its own certificate signed by a CA verifying the ownership of the corresponding private key. Additionally, the communicating parties need to have a copy of the CA's public key. In case the private key is lost or stolen or the information is changed, the CA is responsible for revoking the certificate. The CA also maintains the list of valid and revoked certificates.

After your CA has issued a certificate, or if you have a local certificate, you can upload it for use in VPN. If you are not using any external CA, you can use Cyberoam's default CA and can modify and re-generate it as per your requirement. Using this CA, you can generate a self-signed certificate and use it in a VPN policy.

Using Third Party CA involves uploading:
CA and root certificate
Certificate
CRL (Certificate Revocation List)

If the remote peer is using a certificate issued by one of the following 3rd party CAs, you are not required to upload the CA in Cyberoam:
VeriSign
Entrust
Microsoft

To manage Certificate Authorities, go to Objects > Certificate > Certificate Authority. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the Certificate Authority to be modified. Edit Certificate Authority window is displayed which has the same parameters as the Add Certificate Authority window.

Note
Default CA will be regenerated automatically when it is updated.

Download - Click the Edit icon in the Manage column against the Default Certificate Authority to modify the certificate authority. Once the details are modified, click Download button to download the certificate Authority.
Delete - Click the Delete icon in the Manage column against a Certificate Authority. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Certificate Authority. To delete multiple certificate Authorities, select them and click the Delete button.

Manage Certificate Authorities


To manage certificate authorities, go to Objects > Certificate > Certificate Authority.

Screen - Manage Certificate Authority

Screen Element - Description
Add Button - Add a new Certificate Authority
Name - Name of the Certificate Authority
Local - Whether CA is local or third party
Edit Icon - Edit the Certificate Authority
Delete Button - Delete the Certificate Authority. Alternately, click the Delete icon against the certificate authority you want to delete.

Table - Manage Certificate Authority screen elements


Note
You cannot delete default CA.

Certificate Authority Parameters


To add or edit a certificate authority, go to Objects > Certificate > Certificate Authority. Click the Add button to add a new certificate authority. To update the details, click on the certificate authority or Edit icon in the Manage column against the certificate authority you want to modify.

Screen - Add Certificate Authority

Screen Element - Description
Authority Name - Name to identify the Certificate Authority
Certificate Format - Select format of the root certificate to be uploaded. Available options:
  PEM (Privacy Enhanced Mail): A format encoding the certificate in ASCII code. The certificate, request, and private key are stored in separate files.
  DER: A binary format for encoding certificates. The certificate, request, and private key are stored in separate files.
Authority Name - Specify full path from where the certificate is to be uploaded. Alternately, use Browse button to select the path.

Table - Add Certificate Authority screen elements

Default CA Parameters
To edit default certificate authority, go to Objects > Certificate > Certificate Authority. Click on the default certificate to update and regenerate the default certificate.

Screen - Default Certificate Authority

Screen Element - Description
Authority Name - Default. This name cannot be changed
Country - Select the Country for which the Certificate will be used. Generally this would be the name of the country where Cyberoam is installed.
State/Province - Select the State/Province for which the Certificate will be used. Generally this would be the name of the state/province where Cyberoam is installed.
Locality - Select the Locality for which the Certificate will be used. Generally this would be the name of the Locality where Cyberoam is installed.
Organization - Specify your organization name, which will use this certificate and domain name. This domain will be certified to use the Certificate. Use unique Domain name only.
Organization Unit - Specify your department/unit name, which will use this certificate and domain name. This domain will be certified to use the Certificate. Use unique Domain name only
Common Name - Specify Common Name.
Email Address - Specify Email address
CA Password - Password for a Certificate Authority
Confirm Password - Re-enter password for confirmation

Table - Default Certificate Authority screen elements


Download Certificate Authority


If you are using local CA, you need to download CA and forward to the remote peer. Go to Objects > Certificate > Certificate Authority and click Default. It will display details of the default CA. Click Download to download the zip file.

Certificate Revocation List


CA maintains the list of valid and revoked certificates. Certificate Revocation List (CRL) tab is a way to check the validity of an existing certificate. Certificates which are stolen, lost or updated are revoked by the CA, and the CA publishes such revoked certificates in the Revocation list. A VPN connection cannot be established using revoked certificates, hence it is necessary to update the CRL at regular intervals.

To manage CRL, go to Objects > Certificate > CRL. You can:
Add
View
Download - Click Download button to download CRL.
Delete - Click the Delete icon in the Manage column against the Certificate Revocation list. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Certificate Revocation list. To delete multiple Certificate Revocation lists, select them and click the Delete button.

Manage Certificate Revocation List

Screen - Manage CRL

Screen Element - Description
Add Button - Add a new Certificate Revocation list
CRL Name - Name of the Certificate Revocation list
Local - Whether CA is local or third party
Download - Download the Certificate Revocation list
Delete Button - Delete the Certificate Revocation list. Alternately, click the Delete icon against the CRL you want to delete.

Table - Manage Certificate Revocation List screen elements

Add Certificate Revocation List


If you are using an External Certificate Authority, you need to upload the CRL obtained from the External Certificate Authority.

Screen Add Certificate Revocation List

Screen Elements: Description
Authority Name: Name to identify the Certificate Revocation list.
Certificate: Specify CRL file to be uploaded. Use Browse to select the complete path.

Table Add Certificate Revocation List screen elements

Download CRL
Cyberoam creates the Default CRL with the name Default.crl. Once you revoke a certificate, the details of the revoked certificate are added to the default file and the file is regenerated. You can download and distribute it if required. Select Objects > Certificate > CRL to view the list of CRLs. Click the Download link against the default CRL. It downloads a tar file; untar the file to check the details.


Network

Network establishes how Cyberoam connects and interacts with your network and allows configuring network specific settings. This menu covers how to configure your Cyberoam to operate in your network. Basic network settings include configuring Cyberoam interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and custom zones to the Cyberoam network configuration. It also describes how to use DHCP to provide convenient automatic network configuration for your clients.

Interface
Use Network > Interface to view port wise network (physical interface) and zone details. If virtual subinterfaces are configured for VLAN implementation, they are nested and displayed beneath the physical interface.

Interface - Physical interfaces/ports available on Cyberoam. If a virtual subinterface is configured for the physical interface, it is also displayed beneath the physical interface. Virtual subinterface configuration can be updated or deleted.
Zone and Zone Type - Displays port to zone relationship i.e. zone membership of port. If PPPoE is configured, WAN port will be displayed as the PPPoE Interface.
Status - If PPPoE connection is established, status will be displayed as Connected.

To manage interfaces, go to Network > Interface > Interface. You can:
Update Physical Interface/Port details - The default Physical interface can only be updated. Click the Interface Name or Edit icon in the Manage column against the IP address and netmask of the physical interface to be modified.
Update Wireless WAN Connection - Wireless WAN is the default interface along with other physical interfaces, if the device is supported in Cyberoam.
View
Add Alias - Click to configure alias IP address for the physical interface. Alias cannot be created for the Virtual Subinterface.
Edit Alias - Click the Edit icon in the Manage column against the Alias to be modified. Edit Alias page is displayed which has the same parameters as the Add Alias window.
Add VLAN interface
Edit VLAN interface - Click the Edit icon in the Manage column against the virtual subinterface to be modified. Edit virtual subinterface page is displayed which has the same parameters as the Add virtual subinterface window.

Note
Updating Interface will also remove all its dependent configurations including: Interface Zone Binding, DNS, Gateway, Interface Based Hosts, VLAN Interfaces, Dynamic DNS.
It also stops the DHCP Server to update the details. The DHCP Server needs to be manually restarted.
It also disconnects all tunnels and updates all the VPN Policies. Tunnels need to be manually reconnected.

Toggle Drill Down icon - Click the icon to view the virtual subinterfaces defined for the said physical interface.
Delete - Click the Delete icon in the Manage column against a virtual subinterface or Alias to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the virtual subinterface or Alias. To delete multiple virtual subinterfaces or Aliases, select them and click the Delete button. A virtual subinterface cannot be deleted if it is a member of any zone or a firewall rule is defined for it.

Note
Deleting Interface will also remove all its dependent configurations including: Interface Zone Binding, DHCP Server or Relay, Interface Based Firewall Rule, ARP Static and Proxy, Virtual Hosts, Virtual Host based Firewall Rules, Interface based Hosts and References from Host Groups, Unicast and Multicast Routes.

Manage Interfaces - Physical, Aliases & Virtual Subinterfaces


To manage interfaces, go to Network > Interface > Interface.

Screen Manage Interface

Screen Elements: Description
Add Alias Button: Add a new Alias.
Add VLAN Button: Add a new Virtual Subinterface.
Name: Interface Name. Ports in case of Physical Interfaces & WWAN name in case of wireless WAN connection.
Status: Interface connection status. Available Options: Connected, Unplugged or Disabled.
IP Assignment: IP Assignment type - Static, PPPOE, DHCP or Wireless Modem.
IP/ Netmask: IP Address and the Netmask.
MAC Address: MAC Address selected.
Zone Name: Type of Zone the interface or subinterface is bound to.
MTU: Configured Maximum Transmission Unit.
MSS: Maximum Segment size specified.
Interface Speed: Configured Interface Speed.
Edit Icon: Edit the Interface, Alias or Virtual Subinterface.
Delete Button: Delete the Alias or Virtual Subinterface. Alternately, click the Delete icon against the alias or subinterface you want to delete.

Table Manage Interface screen elements

Edit Physical Interface


Go to Network > Interface > Interface. Click the Interface Name or Edit icon in the Manage column against the interface you want to modify.

Screen Edit Physical Interface

Screen Elements: Description
Physical Interface: Physical Interface e.g. Port A, Port B. It cannot be modified.
Network Zone: Select Zone to which Interface belongs. To unbind, select None.
IP Assignment: Select IP Assignment type. Available Options:
  Static - Static IP Addresses are available for all the zones.
  PPPOE - PPPOE is available only for WAN Zone. If PPPoE is configured, WAN port will be displayed as the PPPoE Interface.
  DHCP - DHCP is available only for WAN Zone.
IP Address: Specify IP Address.
Netmask: Specify Network Subnet mask.
Obtain DNS from Server: Enable to override appliance DNS and use DNS received from the external DHCP server. This option is available only for WAN Zone and when IP assignment is configured as DHCP.
Primary & Secondary DNS: Configure primary and secondary DNS server IP address.
Gateway Detail (Only when Network Zone is WAN):
  For Static IP assignment - Specify the gateway name and IP address through which the traffic is to be routed.
  For PPPoE IP assignment - Specify PPPoE account user name and password, Access Concentrator name, Service name, LCP Echo Interval, LCP failure attempts. Cyberoam will initiate only those sessions with Access Concentrator, which can provide the specified service.
  LCP Echo Interval - It is the time to wait before sending an echo request to check whether the link is alive or not. Default - 20 seconds.
  LCP failure - Cyberoam will wait for the LCP echo request response for the LCP Echo interval defined after every attempt. It declares the PPPoE link as closed if it does not receive a response after the defined number of attempts. Default - 3 attempts.

Advanced Settings
Interface Speed: Select Interface speed for synchronization. Speed mismatch between Cyberoam and 3rd party routers and switches can result in errors or collisions on the interface, no connection or traffic latency, slow performance. Available options: Auto Negotiated, 10 Mbps - Full duplex, 10 Mbps - Half duplex, 100 Mbps - Full duplex, 100 Mbps - Half duplex, 1000 Mbps - Full duplex, 1000 Mbps - Half duplex. Default - Auto Negotiate.
MTU: Specify MTU value (Maximum Transmission Unit). MTU is the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks are interconnected and the networks have different MTU sizes. Any packets larger than the MTU value are divided (fragmented) into smaller packets before being sent. Default - 1500. Input range - 576 to 1500.
Override MSS: Click to override default MSS. MSS defines the amount of data that can be transmitted in a single TCP packet. Default value is 1460. Input range - 576 to 1460.

Table Edit Physical Interface screen elements

Note
A new dynamic IP address will be leased to the PPPoE Interface, each time a new PPP session is established with Access Concentrator. IP address in Firewall rules will automatically change when the new IP address is leased. If multiple gateways are defined then IP address in the failover condition will automatically change when the new IP address is leased. As IP address to PPPoE interface is assigned dynamically: Network Configuration from CLI Console will not display the PPPoE interface configuration. You will not be able to change the IP address of the PPPoE interface from CLI Console using Network Configuration.

Alias Parameters
An alias allows you to configure multiple IP addresses on a physical interface. It is another name for the interface that will easily distinguish this interface from other interfaces. To add or edit an alias, go to Network > Interface > Interface. Click the Add button to add a new alias. To update the details, click on the alias name or Edit icon in the Manage column against the alias you want to modify.

Screen Add Alias

Screen Elements: Description
Physical Interface: Select Physical Interface for which Alias is to be added.
Alias: Select type of IP address to be assigned to Alias. Available options: Single, Range.
IP address: Specify IP address.
Netmask: Select the network subnet mask.

Table Add Alias screen elements

VLAN
A LAN is a local area network and is defined as all devices in the same broadcast domain. Routers stop broadcasts while switches just forward them.

VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain configured on a switch on a port-by-port basis. Normally, it is a router that creates a broadcast domain, but with VLANs a switch can create the broadcast domain. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes.

Devices that are in one VLAN can communicate with each other but cannot communicate with the devices in another VLAN. The communication among devices on a VLAN is independent of the physical network. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.

A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN ID/tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.

Advantages
Increased Port density
Logical segmentation of Network irrespective of physical placement
Granular security on heterogeneous LANs
Improved Network throughput as VLAN confines broadcast domain

Cyberoam and VLAN support


Cyberoam supports VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch or router and the Cyberoam Appliances. Normally, the Cyberoam Appliance internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router. Cyberoam can then apply different policies for traffic on each VLAN that connects to the internal interface. In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers add VLAN IDs to packets. Packets passing between devices in the same VLAN can be handled by layer-2 switches. Packets passing between devices in different VLANs must be handled by a layer-3 device such as a router or layer-3 switch.


The Cyberoam appliance functions as a layer-3 device to control the flow of packets between VLANs. Cyberoam can also remove VLAN IDs/tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.

VLAN support on Cyberoam is achieved by means of virtual interfaces, which are logical interfaces nested beneath a physical interface/port. Every unique VLAN ID requires its own virtual interface. You add virtual interfaces to Cyberoam's internal interface that have VLAN IDs matching the VLAN IDs of packets in the VLAN trunk. Cyberoam then directs packets with VLAN IDs to interfaces with matching VLAN IDs. You can define virtual interfaces on all the Cyberoam interfaces except the external interface i.e. the interface for the WAN zone. Cyberoam adds VLAN IDs to packets leaving a VLAN interface, or removes VLAN IDs from incoming packets and adds different VLAN IDs to outgoing packets.

A virtual interface has most of the capabilities and characteristics of a physical interface, including zone membership, security services, routing, access rule controls, virus, and spam scanning. Cyberoam supports up to 4093 interfaces.

Using VLANs, a single Cyberoam appliance can provide security services and control connections between multiple domains. Traffic from each domain is given a different VLAN ID. Cyberoam can recognize VLAN IDs and apply security policies to secure the network between domains. Cyberoam can also apply authentication, various policies, and firewall rule features for the network.

VLAN Interface Parameters


To add or edit VLAN interfaces, go to Network > Interface > Interface. Click Add VLAN Button to add a new VLAN interface or Edit Icon to modify the details of the VLAN interface.

Screen Add VLAN Interface


Screen Elements: Description
Physical Interface: Select parent Interface for the virtual subinterface. Virtual subinterface will be the member of selected physical Interface/Port.
Zone: Select a Zone to assign to the virtual subinterface. Virtual subinterface will be the member of the selected zone. Virtual subinterface created will remain unused until it is included in a zone. Virtual subinterface can be the member of LAN, DMZ or custom zone.
  Note: Zone membership can be defined at the time of defining virtual subinterface or later whenever required. One can also create a custom zone for Virtual subinterface and Virtual subinterface can be the member of this custom zone. Virtual subinterface cannot be the member of WAN zone.
IP Assignment: Select IP Assignment type. Available Options:
  Static - Static IP Addresses are available for all the zones.
  PPPOE - PPPOE is available only for WAN Zone. If PPPoE is configured, WAN port will be displayed as the PPPoE Interface.
  DHCP - DHCP is available only for WAN Zone.
VLAN ID: Specify VLAN ID. The interface VLAN ID can be any number between 2 and 4094. The VLAN ID of each Virtual subinterface must match the VLAN ID of the packet. If the IDs do not match, the virtual subinterface will not receive the VLAN tagged traffic. Virtual subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add virtual subinterfaces with the same VLAN ID to different physical interfaces.
IP Address: Specify IP address for the interface. Only static IP address can be assigned and Subnet ID should be unique across all the physical/virtual subinterfaces.
Netmask: Specify subnet mask for the interface.
Obtain DNS from Server: Enable to override appliance DNS and use DNS received from the external DHCP server. This option is available only for WAN Zone and when IP assignment is configured as DHCP.
Primary & Secondary DNS: Configure primary and secondary DNS server IP address.
Gateway Detail (Only when Network Zone is WAN):
  For Static IP assignment - Specify the gateway name and IP address through which the traffic is to be routed.
  For PPPoE IP assignment - Specify PPPoE account user name and password, Access Concentrator name, Service name, LCP Echo Interval, LCP failure attempts. Cyberoam will initiate only those sessions with Access Concentrator, which can provide the specified service.
  LCP Echo Interval - It is the time to wait before sending an echo request to check whether the link is alive or not. Default - 20 seconds.
  LCP failure - Cyberoam will wait for the LCP echo request response for the LCP Echo interval defined after every attempt. It declares the PPPoE link as closed if it does not receive a response after the defined number of attempts. Default - 3 attempts.

Table Add VLAN Interface screen elements

If a custom zone is created for a Virtual subinterface, two default firewall rules for the zone are automatically created depending on the zone type of the custom zone. For example, if the zone type for the virtual subinterface is LAN, 2 default firewall rules under Virtual subinterface to WAN zone are automatically created based on the default LAN to WAN zone firewall rules.
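The tagging and subinterface rules above, as an added Python example (not Cyberoam code): it parses the 4-byte 802.1Q tag of a frame and maps it to a virtual subinterface, enforcing the VLAN ID range, the per-port uniqueness rule, the WAN-zone restriction and the unique-subnet rule from the table. The function and class names, the sample frames and the reading of "unique Subnet ID" as non-overlapping networks are assumptions made for the illustration.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100  # EtherType value announcing an 802.1Q tag


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)  # follows dst + src MAC
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # The 4-byte tag is TPID (2 bytes) + TCI (2 bytes); the TCI packs
    # 3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID.
    tci, inner_ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_ethertype


class SubinterfaceTable:
    """Hypothetical model: virtual subinterfaces keyed by (physical port, VLAN ID)."""

    def __init__(self):
        self.entries = {}  # (port, vlan_id) -> (zone_type, network)

    def add(self, port, vlan_id, zone_type, cidr):
        if not 2 <= vlan_id <= 4094:
            raise ValueError(f"VLAN ID {vlan_id} outside 2-4094")
        if zone_type.upper() == "WAN":
            raise ValueError("virtual subinterface cannot be a member of the WAN zone")
        if (port, vlan_id) in self.entries:
            raise ValueError(f"VLAN ID {vlan_id} already used on {port}")
        network = ipaddress.ip_interface(cidr).network
        for _, other in self.entries.values():
            if network.overlaps(other):
                raise ValueError(f"{network} overlaps existing subnet {other}")
        self.entries[(port, vlan_id)] = (zone_type, network)

    def classify(self, port, frame):
        """Return the zone type for a tagged frame arriving on port, or None."""
        tag = parse_vlan_tag(frame)
        if tag is None:
            return None  # untagged: belongs to the physical interface itself
        entry = self.entries.get((port, tag[0]))
        return entry[0] if entry else None  # no matching VLAN ID: not received


def build_frame(vlan_id=None, priority=0):
    """Constructed sample frame: made-up MACs, IPv4 EtherType, empty payload."""
    header = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", 0x0800)


def demo():
    table = SubinterfaceTable()
    table.add("PortA", 100, "LAN", "10.0.100.1/24")
    table.add("PortA", 200, "DMZ", "10.0.200.1/24")
    table.add("PortB", 100, "LAN", "10.1.100.1/24")  # same ID, other port: allowed
    return {
        "vlan100": table.classify("PortA", build_frame(100, priority=5)),
        "vlan200": table.classify("PortA", build_frame(200)),
        "vlan300": table.classify("PortA", build_frame(300)),
        "untagged": table.classify("PortA", build_frame()),
    }


if __name__ == "__main__":
    print(demo())
```

A frame tagged with an ID that has no subinterface on the arriving port is classified as None, which mirrors the rule that a subinterface does not receive traffic whose VLAN ID does not match.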

Zone
A Zone is a logical grouping of ports/physical interfaces and/or virtual subinterfaces if defined. Zones provide a flexible layer of security for the firewall. With zone-based security, the administrator can group similar ports and apply the same policies to them, instead of having to write the same policy for each interface.

Default Zone Types
LAN - Depending on the appliance in use and network design, Cyberoam allows you to group one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone. By default the traffic to and from this zone is blocked and hence it is the highest secured zone. However, traffic between ports belonging to the same zone will be allowed.
DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and network design, Cyberoam allows you to group one to five physical ports in this zone.
WAN - This zone is used for Internet services. It can also be referred to as the Internet zone.
VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical port/interface. Whenever the VPN connection is established, the port/interface used by the connection is automatically added to this zone and, on disconnection, the port is automatically removed from the zone. Like all other default zones, scanning and access policies can be applied on the traffic for this zone.
Local - The entire set of physical ports available on the Cyberoam appliance, including their configured aliases, is grouped in the LOCAL zone. In other words, IP addresses assigned to all the ports fall under the LOCAL zone.

To manage zones, go to Network > Interface > Zone. You can:
Add - Cyberoam provides a single zone of each type i.e. LAN, WAN and DMZ. These are called System Zones. Administrator can add LAN and DMZ zone types.
View
Edit - Click the Edit icon in the Manage column against the zone to be modified. Edit zone page is displayed which has the same parameters as the Add zone window. VPN and Local zones cannot be updated.
Delete - Click the Delete icon in the Manage column against a zone to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the zone. To delete multiple zones, select them and click the Delete button.

Manage Zones
To manage zones, go to Network > Interface > Zone.

Screen Manage Zones

Screen Elements: Description
Add Button: Add a new Zone.
Name: Name of the Zone.
Interface: Physical interface bound to the zone.
Type: Type of Zone selected - LAN, WAN, DMZ, Local or VPN.
Appliance Access: Name of access activated under a zone.
Description: Zone Description.
Edit Icon: Edit the Zone.
Delete Button: Delete the Zone. Alternately, click the Delete icon against the zone you want to delete.

Table Manage Zones screen elements


Zone Parameters
To add or edit a zone, go to Network > Interface > Zone. Click the Add button to add a custom zone. To update the details, click on the zone or Edit icon in the Manage column against the zone you want to modify.

Screen Add Zones

Screen Elements: Description
Name: Name to identify the zone.
Type: Select Zone Type - LAN, DMZ. Available Options:
  LAN - Depending on the appliance in use and network design, Cyberoam allows you to group one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone. By default the traffic to and from this zone is blocked and hence it is the highest secured zone. However, traffic between ports belonging to the same zone will be allowed.
  DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and network design, Cyberoam allows you to group one to five physical ports in this zone.
  By default, entire traffic will be blocked except LAN to Local zone services like Administration, Authentication, and Network.
Member Ports: 'Port' List displays all the ports. Click the checkbox to select the ports. All the selected ports are moved to 'Selected port' list. You can also search for a particular port.
Appliance Access: Appliance Access defines the type of administrative access permitted on zone.
  Admin Services - Enable Administrative Services that should be allowed through Zone:
    HTTP - Allow HTTP connection to the Web Admin console through this zone
    HTTPS - Allow secure HTTPS connection to the Web Admin console through this zone
    Telnet - Allow Telnet connection to CLI through this zone
    SSH - Allow SSH connection to CLI through this zone
  Authentication Services - Enable Authentication Services that should be allowed through Zone:
    Windows/Linux Clients
    Web Client
  Network Services - Enable Network Services that should be allowed through Zone:
    DNS - Allow this zone to respond to DNS requests
    PING - Allow this zone to respond to pings
  Other Services - Enable other Services that should be allowed through Zone:
    Web Proxy
    SSL VPN
  Note: SSL VPN service is not available for Cyberoam CR15i models.

Table Add Zones screen elements

Note
If DMZ uses private IP address, use NATing to make them publicly accessible. It is not possible to add zone if Cyberoam is deployed as Bridge. Local and VPN zone cannot be updated or deleted.


Wireless WAN
Wireless WAN is a wide area network (WAN) for data that is typically provided by the cellular carriers to transmit a wireless signal over a range of several miles to a mobile device. WWAN connectivity allows a user with a laptop and WWAN support to use the web, or connect to a VPN from anywhere within the regional boundaries of cellular service. They are popularly known as "wireless broadband".

To configure WWAN:
1. Enable WWAN from CLI with command: cyberoam wwan enable
2. Re-login to Web Admin console
3. Configure WWAN Initialization string and gateway from Network > Wireless WAN > Settings page

Once WWAN is enabled from CLI, a default interface named WWAN1 is created with the default IP address 0.0.0.0 and is the member of the WAN zone. As the WWAN interface is a member of the WAN zone:
All the services enabled for the WAN zone from the Appliance Access page are automatically applicable on the WWAN1 connection too.
All the firewall rules applied on the WAN zone will be applied on the WWAN interface.
A default host named ##WWAN1 is created, and firewall rules and VPN policies can be created for the default host.
WWAN1 gateway is added as Backup gateway.

When the Wireless WAN is disabled from CLI, the Wireless WAN menu, default host ##WWAN1 and WWAN gateway options will be removed from Web Admin Console.

Note
Wireless WAN is not supported in Bridge Mode. DHCP Server configuration is not supported for WWAN interface. If Cyberoam backup is taken from a system where WWAN is enabled and restored on a system where it is not enabled, WWAN configuration would still be visible.

Status
The page displays the status of the Wireless WAN connection. Along with details of the WWAN connection, the page also provides the facility to connect and disconnect the WWAN connection.

View Connection Status


To view and manage WWAN connection, go to Network > Wireless WAN > Status.


Screen WWAN Status

Screen Elements: Description
Connect/Disconnect Button: Click the button to connect or disconnect the WWAN connection. This process may take some time.
Status: Status of the Connection. Status messages can be of following types. Available Options: Connected, Connected as Explicit Gateway, Disconnected, Connecting, Device not supported, Device not found.
Signal Strength: Point to the Signal strength icon to know the connection strength. Options: Excellent, Very Good, Good, Low.
IP Address: IP address assigned to the device.
Gateway IP: IP address assigned as the gateway.
Bytes Uploaded: Number of Bytes uploaded (in KB).
Bytes Downloaded: Number of Bytes downloaded (in KB).
Time Duration: Time period since WWAN is connected. Format: HH:MM:SS

Table WWAN Status screen elements

Settings
The page allows configuration of Wireless WAN connection.

Configure WWAN Connection


To configure WWAN connection, go to Network > Wireless WAN > Settings.


Screen WWAN Settings

Screen Elements: Description

General Settings
Interface Name: Name of the interface.
Phone Number: Specify Phone number for connection.
User Name: Specify Username for the connection.
Password: Specify Password.
Initialization String: Specify initialization string for the specific wireless modem. There can be more than one string and in such case, strings should be entered in proper order.
Dial: Types of Dialing of WWAN connection. Available Options:
  Auto Dial & Active Gateway - When auto-dial is configured and gateway is added as Active, Cyberoam automatically connects to the ISP and this gateway takes part in Load balancing as per the weight configurations.
  Manual Dial & Active Gateway - When manual dial is configured and gateway is added as Active, Cyberoam does not automatically connect to ISP. Administrator needs to initiate dial action.
  Auto Dial & Backup Gateway - When auto-dial is configured and gateway is added as backup, on the event of failover, Cyberoam auto-dials to the ISP and all the traffic passes through that Wireless WAN link.
  Manual Dial & Backup Gateway - When Manual Dial is configured and gateway is added as backup, on event of failover, Cyberoam does not automatically connect to the ISP. Admin needs to go to the Web Console and perform the "Connect" action. Only then, traffic passes through Wireless WAN interface.
Redial Tries: Select number of times redial should be attempted.

Gateway Settings
Gateway Name: Name to identify the Gateway.
Gateway IP Address: Specify IP Address of the Gateway.
Type: Specify Type of Gateway: Active or Backup.

Active Gateway
Weight: Depending on the weight, Cyberoam will select gateway for load balancing. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. When more than two gateways are configured and one gateway goes down, the traffic is switched over to the available gateways according to the ratio of the weights assigned to the available gateways.

Backup Gateway
Activate This Gateway: Select Gateway Activation Condition. Dropdown will list all the configured gateways. Backup gateway will take over and traffic will be routed through the backup gateway only when the selected gateway fails. Available Options:
  If Default Gateway Fails - Backup gateway will take over and traffic will be routed through the backup gateway only when the Default gateway fails.
  If Any Gateway Fails - Backup gateway will take over and traffic will be routed through backup gateway when any of the active gateways fail.
  If ALL the Gateways Fail - Backup gateway will take over and traffic will be routed through backup gateway when all the configured active gateways fail.
Action on Activation: Configure weight for the backup gateway. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. Select Inherit weight of the failed active gateway if you want Backup gateway to inherit the parent gateway's (Active gateway) weight, or select User pre-configured weight and specify weight.
Hold Down Time: Specify the Hold Down time (in seconds). Range: 1 - 60 seconds. Hold Down time is the time before the backup gateway stops working, once the Active gateway resumes after failure. This delay in time is configured for cases when the active gateway connection is not stable.

Other Settings
MTU: Specify MTU value (Maximum Transmission Unit). MTU is the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks are interconnected and the networks have different MTU sizes. Any packets larger than the MTU value are divided (fragmented) into smaller packets before being sent. Default - 1500. Input range - 576 to 1500.
MSS: MSS defines the amount of data that can be transmitted in a single TCP packet. Default value is 1460. Input range - 576 to 1460.

Table WWAN Settings screen elements


Gateway
Gateway routes traffic between the networks, and if the gateway fails, communication with the outside network is not possible. By default, Cyberoam supports only one gateway. However, to cope with gateway failure problems, Cyberoam also provides an option for supporting multiple gateways. But simply adding one more gateway is not an end to the problem. Optimal utilization of all the gateways is also necessary. Cyberoam Multi Link Manager provides link failure protection by detecting the dead gateway and switching over to the active link, and also provides a mechanism to balance traffic between various links.

At the time of installation, you configured the IP address for a default gateway through Network Configuration Wizard. You can change this configuration any time and configure additional gateways. You can use Multi Link Manager to configure multiple gateways for load balancing and failover. By default, all the gateways defined through Network Configuration Wizard will be defined as Active gateway.

Gateway Name - Name of the Gateway assigned at the time of installation.
Gateway IP Address - IP address of the Gateway assigned at the time of installation.
Ethernet Port - Gateway/WAN port
Gateway Type:
  Active - By default, traffic is routed through Active gateway
  Backup - Routes the traffic only when active gateway fails
Weight - Weight assigned to the Gateway and used for load balancing. Weight determines how much traffic will pass through a particular link relative to the other link. Administrators can set weight and define how the traffic should be directed to providers to best utilize their bandwidth investments.

Cyberoam provides a powerful solution for routing and managing traffic across multiple Internet connections. Designed to provide business continuity for an organization of any size, Cyberoam's Multilink Manager optimizes the use of multiple Internet links, such as T1s, T3s, DSL and cable connections from one or multiple Internet service providers. Capable of automatic failover in the event of link failure, Cyberoam's Multilink Manager helps assure that your network is always connected to the Internet.

Cyberoam gives you an option to configure multiple WAN interfaces to allow you to connect the Cyberoam appliance to more than one Internet Service Provider (ISP). When you configure multiple external interfaces, you even have an option to control which interface an outgoing packet uses.

Load Balancing
Load balancing is a mechanism that enables balancing traffic between various links. It distributes traffic among various links, optimizing utilization of all the links to accelerate performance and cut operating costs. Cyberoam employs a weighted round robin algorithm for load balancing to enable maximum utilization of capacities across the various links. Using link load balancing provides organizations a way to achieve:
Traffic distribution that does not overburden any link
Automatic ISP failover
Improved User performance because of no downtime
Increased bandwidth scalability

To achieve outbound traffic load balancing between multiple links:
- Configure links in active-active setup, i.e. define gateways as Active
- Assign appropriate weight to each gateway. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link.

How it works
Load balancing is determined by the load metric, i.e. weight. Each link is assigned a relative weight and Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. Administrator can set weight and define how the traffic should be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:
- Link capacity (for links with different bandwidth)
- Link/Bandwidth cost (for links with varying cost)

Weighted load balancing feature enables Network Managers to optimize network traffic and balance the load between multiple links/interfaces.

Gateway failover
Gateway failover provides link failure protection, i.e. when one link goes down, the traffic is switched over to the active link. This safeguard helps provide uninterrupted, continuous Internet connectivity to users. The transition is seamless and transparent to the end user with no disruption in service, i.e. no downtime.

To achieve WAN failover between multiple links:
- Configure links in Active-Backup setup
- Define Active gateway/interface
- Define Backup gateway/interface; traffic through this link is routed only when active interface is down
- Define failover rule

In the event of Internet link failure, the Multilink Manager automatically sends traffic to available Internet connections without administrator intervention. If more than one link is configured as backup link, traffic is distributed among the links in the ratio of the weights assigned to them. On failover, Backup gateway can inherit the parent gateway's (Active gateway) weight or can be configured.

Gateway Failback
During a link failure, Cyberoam regularly checks the health of a given connection, assuring fast reconnection when Internet service is restored. When the connection is restored and gateway is up again, without the administrator's intervention, traffic is again routed through the Active gateway. In other words, backup gateway fails back on Active gateway.

To update gateway details, go to Network > Gateway > Gateway. You can:
- View
- Edit Failover Rules - Click the Edit icon in the Manage column against the Gateway. Edit Gateway page is displayed through which you can configure Failover rules. Failover Rules can only be configured when there are two or more Gateways.
- Edit - Click the Edit icon in the Manage column against the Gateway to be modified. Edit Gateway page is displayed.

Manage Gateways
To manage gateways, go to Network > Gateway > Gateway.

Screen Manage Gateway

Screen Elements: Description
Name: Gateway Name
IP address: IP Address of Gateway
Interface: Ethernet Port number selected as Interface
Type: Type of Gateway, Active or Backup
Activate on Failure of: Activation condition, if Gateway is configured as Backup Gateway.
Weight: Weight assigned to the Gateway. For active gateway, weight that is configured will be displayed. For backup gateway, zero will be displayed when inactive.
Status: Status of Gateway, Active or Deactive
Edit Icon: Edit the Gateway
Gateway Failover Timeout Configuration: Configure Gateway Failover timeout in seconds. This is the time period for which Cyberoam waits before the Gateway Failover occurs. Default time - 60 seconds. Input Range - 1-3600 seconds.
Table Manage Gateway screen elements

Gateway Parameters
To edit a gateway, go to Network > Gateway > Gateway > Edit. Click the Edit icon in the Manage column against the Gateway to be modified. Edit Gateway page is displayed.

Screen Edit Gateway (Active Gateway)

Screen Edit Gateway (Backup Gateway)

Screen Elements: Description
Name: Gateway Name
IP Address: Specify IP Address
Interface: Specify Ethernet port number as Interface
Type: Specify Gateway Type. Available Options:
  Active - Default gateway
  Backup - A gateway that can be used in an active/passive setup, where traffic is routed through Backup gateway only when Active gateway is down
  Note: This option is available only when two or more Gateways are configured.

Active Gateway
Weight: Depending on the weight, Cyberoam will select gateway for load balancing. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. When more than two gateways are defined and one gateway goes down, the traffic is switched over to the available gateways according to the ratio of the weights assigned to the available gateways.

Backup Gateway
Activate This Gateway: Select Gateway Activation Condition: Automatically or Manually.
  Automatic failover - From the dropdown list specify when the backup gateway should take over from active Gateway. This takeover process will not require administrator's intervention. Available Options:
    Specific Gateway - Dropdown will list all the configured gateways. Backup gateway will take over and traffic will be routed through the backup gateway only when the selected gateway fails.
    ANY - Backup gateway will take over and traffic will be routed through backup gateway when any of the active gateways fails.
    ALL - Backup gateway will take over and traffic will be routed through backup gateway when all the configured active gateways fail.
  Manual failover - If you select Manually, Administrator will have to manually change the gateway if the active gateway fails.
Action on Activation: Configure weight for the backup gateway. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. Select Inherit weight of the failed active gateway if you want Backup gateway to inherit the parent gateway's (Active gateway) weight or select User pre-configured weight and specify weight.
Hold Down Time: Specify the Hold Down time (in seconds). Range: 1 - 60 seconds. Hold Down time is the time before the backup gateway stops working, once the Active gateway resumes after failure. This delay in time is configured in such cases where the active gateway connection is not stable.
Table Edit Gateway screen elements
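The weight ratio and the backup activation conditions (Specific Gateway, ANY, ALL, Manually) described above can be modelled in Python; this is an added example, not Cyberoam code. Gateway names and weights are constructed, smooth weighted round robin is one common variant that the guide does not specify, and summing weights when a backup inherits from several failed gateways is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    kind: str                          # "active" or "backup"
    weight: int = 1                    # for a backup: its user pre-configured weight
    up: bool = True                    # False once the failover rule declares it dead
    activate_on: Optional[str] = None  # backup: "ANY", "ALL", a gateway name, None = manual
    inherit_weight: bool = False       # backup: inherit weight of the failed active gateway


def effective_weights(gateways: List[Gateway]) -> Dict[str, int]:
    """Return {gateway name: weight} for the gateways that carry traffic now."""
    actives = [g for g in gateways if g.kind == "active"]
    failed = [g for g in actives if not g.up]
    carrying = {g.name: g.weight for g in actives if g.up}

    for b in gateways:
        if b.kind != "backup" or not b.up or b.activate_on is None:
            continue                   # manual backups are never switched in automatically
        if b.activate_on == "ANY":
            triggers = failed
        elif b.activate_on == "ALL":
            triggers = failed if actives and len(failed) == len(actives) else []
        else:                          # a specific active gateway, selected by name
            triggers = [g for g in failed if g.name == b.activate_on]
        if not triggers:
            continue                   # activation condition not met: backup stays idle
        # Assumption: with several failed triggers, inheritance sums their weights.
        carrying[b.name] = sum(g.weight for g in triggers) if b.inherit_weight else b.weight
    return carrying


def schedule(weights: Dict[str, int], connections: int) -> List[str]:
    """Smooth weighted round robin: picks are spread in proportion to the weights."""
    total = sum(weights.values())
    if total <= 0:
        return []                      # no usable gateway, nothing can be routed
    credit = {name: 0 for name in weights}
    picks = []
    for _ in range(connections):
        for name, w in weights.items():
            credit[name] += w
        best = max(credit, key=credit.get)   # ties go to the first configured gateway
        credit[best] -= total
        picks.append(best)
    return picks


def demo() -> Dict[str, Counter]:
    # Constructed configuration: two active links (3:1), two backups.
    gws = [
        Gateway("ISP1", "active", weight=3),
        Gateway("ISP2", "active", weight=1),
        Gateway("ISP3", "backup", activate_on="ISP1", inherit_weight=True),
        Gateway("ISP4", "backup", weight=2, activate_on="ALL"),
    ]
    results = {"all up": Counter(schedule(effective_weights(gws), 8))}
    gws[0].up = False                  # ISP1 fails: ISP3 takes over with ISP1's weight
    results["ISP1 down"] = Counter(schedule(effective_weights(gws), 8))
    gws[1].up = False                  # every active link is down: ISP4 joins as well
    results["ISP1 and ISP2 down"] = Counter(schedule(effective_weights(gws), 10))
    return results


if __name__ == "__main__":
    for state, counts in demo().items():
        print(f"{state}: {dict(counts)}")
```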

Configure Gateway Failover


The transition from dead link to active link is based on the failover rule defined for the link. Failover rule specifies:
- how to check whether the link is active or dead
- what action to take when link is not active

Failover rule has the form:
IF Condition 1 AND/OR Condition 2 then Action

Depending on the outcome of the condition, traffic is shifted to any other available gateway. By default, Cyberoam creates Ping rule for every gateway. Cyberoam periodically sends the ping request to check health of the link and if link does not respond, traffic is automatically sent through another available link. Selection of the gateway and how much traffic is to be routed through each gateway depends on number of configured active and backup gateways.

To configure failover rules, go to Network > Gateway > Gateway. Click the Edit icon in the Manage column against the Gateway.

Screen - Configure Gateway Failover

Screen Add Gateway Failover Rule

Screen Elements: Description
Add Button: Add a new Failover Rule.
IF Then Condition: Specify communication Protocol, i.e. TCP, UDP, PING (ICMP). Select the protocol depending on the service to be tested on the host. Specify Port number for communication. Specify Host. Host must be represented by the computer or Network device which is permanently running or most reliable. Specify whether all of the rule conditions must be met before the specified action occurs (AND) or whether at least one must be met (OR) by selecting AND or OR. A request on the specified port is sent to the Host. If Host does not respond to the request, Cyberoam considers the Host as dead, stops sending traffic to the Host and sends traffic through another available Host.
Edit Icon: Edit the Failover Rule
Delete Button: Delete the Failover Rule. Alternately, click the Delete icon against the rule you want to delete.
Table Configure Gateway Failover screen elements
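How a failover rule of the form IF Condition 1 AND/OR Condition 2 interacts with the Gateway Failover Timeout and the Hold Down Time on an unstable link, as an added Python example (not Cyberoam code). Probe targets and the timeline are constructed, probe results are injected instead of sent on the wire, and requiring the condition to hold without interruption for the whole wait is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Condition = Tuple[str, str, int]          # (protocol, host, port); port is 0 for PING


@dataclass
class FailoverRule:
    conditions: List[Condition]
    operator: str = "AND"                 # "AND": all hosts must be silent; "OR": any one

    def fires(self, responded: Dict[Condition, bool]) -> bool:
        """True when the IF part of the rule is met, i.e. the link looks dead."""
        silent = [not responded[c] for c in self.conditions]
        return all(silent) if self.operator == "AND" else any(silent)


class GatewayMonitor:
    def __init__(self, rule: FailoverRule, failover_timeout: int = 60, hold_down: int = 10):
        self.rule = rule
        self.failover_timeout = failover_timeout   # guide: default 60 s, range 1-3600 s
        self.hold_down = hold_down                 # guide: range 1-60 s
        self.state = "up"
        self._since: Optional[float] = None        # start of the current uninterrupted wait

    def tick(self, now: float, responded: Dict[Condition, bool]) -> str:
        dead = self.rule.fires(responded)
        wants_change = dead if self.state == "up" else not dead
        if not wants_change:
            self._since = None                     # link flapped back: restart the wait
            return self.state
        if self._since is None:
            self._since = now
        wait = self.failover_timeout if self.state == "up" else self.hold_down
        if now - self._since >= wait:
            self.state = "down" if self.state == "up" else "up"
            self._since = None
        return self.state


PING: Condition = ("PING", "192.0.2.1", 0)        # constructed probe targets
TCP: Condition = ("TCP", "198.51.100.10", 80)

# Constructed probe results, one sample every 10 s: (PING answered, TCP answered).
TIMELINE = [(True, True), (False, True), (False, False), (False, False), (True, False),
            (False, False), (False, False), (False, False), (False, False), (True, True),
            (False, False), (True, True), (True, True), (True, True)]


def replay(operator: str) -> List[str]:
    """Gateway state after each sample, for a rule joined with AND or OR."""
    rule = FailoverRule([PING, TCP], operator)
    mon = GatewayMonitor(rule, failover_timeout=30, hold_down=20)
    return [mon.tick(10 * i, {PING: p, TCP: t}) for i, (p, t) in enumerate(TIMELINE)]


if __name__ == "__main__":
    for op in ("AND", "OR"):
        print(op, replay(op))
```

With AND the 20-second outage early in the timeline is ignored and failover happens at t=80; with OR the single silent host already starts the wait at t=10 and failover happens at t=40. In both cases the brief recovery at t=90 does not trigger failback because the link drops again before the hold-down time has passed.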


Static Route
A route provides the Cyberoam with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the configured default gateway. By specifying through which interface the packet will leave and to which device the packet should be routed, static routes control the traffic exiting the Cyberoam.

Unicast
This page allows you to manage unicast routes in Cyberoam. To configure unicast static routes, define the destination IP address and netmask of packets that the Cyberoam is intended to intercept, and provide a (gateway or next hop) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed. Also, provide the interface and the approximate distance for routing.

To manage unicast routes, go to Network > Static Route > Unicast. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Unicast Route to be modified. Edit Unicast Route pop-up window is displayed which has the same parameters as the Add Unicast Route window.
- Delete - Click the Delete icon in the Manage column against a Unicast Route to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Unicast route. To delete multiple routes, select them and click the Delete button.

Manage Unicast Routes


To manage unicast routes, go to Network > Static Route > Unicast.

Screen Manage Unicast Route

Screen Elements: Description
Add Button: Add a new Unicast route.
IP/Netmask: Destination Network IP Address and the Subnet mask
Gateway: Destination Gateway IP Address.
Interface: Interface selected.
Distance: Distance between the source and the destination.
Edit Icon: Edit the Unicast route.
Delete Button: Delete the Unicast route. Alternately, click the Delete icon against the route you want to delete.
Table Manage Unicast Route screen elements

Unicast Route Parameters


To add or edit a unicast route, go to Network > Static Route > Unicast. Click the Add button to add a new unicast route. To update the details, click on the unicast route or Edit icon in the Manage column against the unicast route you want to modify.

Screen Add Unicast Route

Screen Elements: Description
Destination IP: Specify Destination IP Address
Netmask: Specify Subnet Mask
Gateway: Specify Gateway IP Address
Interface: Select Interface from the list including Physical Interfaces, Virtual Subinterfaces and Aliases.
Distance: Specify Distance for routing. Range of value is from 0 to 255.
Table Add Unicast Route screen elements

Multicast
This page is used to configure and manage multicast routes in Cyberoam.

IP Multicast
Internet Protocol (IP) multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of recipients and homes. IP Multicast delivers source traffic to multiple receivers without adding any additional burden on the source or the receivers. Applications like videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news use IP multicasting.

If IP multicast is not used, the source is required to send more than one copy of a packet, or an individual copy to each receiver. In such a case, high-bandwidth applications like Video or Stock, where data is to be sent more frequently and simultaneously, use a large portion of the available bandwidth. In these applications, the only efficient way of sending information to more than one receiver simultaneously is by using IP Multicast.

Multicast Group
Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving a particular data stream. This group does not have any physical or geographical boundaries; the hosts can be located anywhere on the Internet. Hosts that are interested in receiving data flowing to a particular group must join the group. Hosts must be a member of the group to receive the data stream.

IP Multicast Addresses
Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group.

IP Class D Addresses
The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. Multicast addresses fall in Class D address space ranging from 224.0.0.0 to 239.255.255.255. This address range is only for the group address or destination address of IP multicast traffic. The source address for multicast datagrams is always the unicast source address.

Multicast forwarding
With multicast forwarding, a router forwards multicast traffic to networks where other multicast devices are listening. Multicast forwarding prevents the forwarding of multicast traffic to networks where there are no nodes listening. For multicast forwarding to work across inter-networks, nodes and routers must be multicast-capable. A multicast-capable node must be able to:
- Send and receive multicast packets.
- Register the multicast addresses being listened to by the node with local routers, so that multicast packets can be forwarded to the network of the node.

IP multicasting applications that send multicast traffic must construct IP packets with the appropriate IP multicast address as the destination IP address. IP multicasting applications that receive multicast traffic must inform the TCP/IP protocol that they are listening for all traffic to a specified IP multicast address.

To manage multicast routes, go to Network > Static Route > Multicast.
- Multicast Forwarding - Enable/Disable Multicast Forwarding. Enable and click Apply to allow the router to forward packets to other networks where other multicast devices are active and listening.
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Multicast Route to be modified. Edit Multicast Route pop-up window is displayed which has the same parameters as the Add Multicast Route window.
- Delete - Click the Delete icon in the Manage column against a Multicast Route to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Multicast route. To delete multiple multicast routes, select them and click the Delete button.

Manage Multicast Routes


To manage multicast routes, go to Network > Static Route > Multicast.

Screen Manage Multicast Route

Screen Elements: Description
Add Button: Add a new multicast route.
Source IP: Source IP Address.
Multicast IP: Range of IP Address selected for Multicast route.
Source Interface: Source Interface selected.
Destination Interface: Destination Interface selected.
Edit Icon: Edit the Multicast route.
Delete Button: Delete the Multicast route. Alternately, click the Delete icon against the route you want to delete.
Table Manage Multicast Route screen elements

Multicast Route Parameters


To add or edit a multicast route, go to Network > Static Route > Multicast. Click the Add button to add a new multicast route. To update the details, click on the multicast route or Edit icon in the Manage column against the multicast route you want to modify.

Screen Add Multicast Route

Screen Elements: Description
Source IP Address: Specify Source IP Address
Source Interface: Select Source Interface from the list.
Multicast Address: Specify range of Multicast IP Address. For example, (224.0.2.0 - 239.255.255.255)
Destination Interface: Select Destination Interface from the list. You can select more than one destination interface. Click the checkbox against the interface.
Table Add Multicast Route screen elements

Source Route
A route provides the Cyberoam with the information it needs to forward a packet to a particular destination. Source Routing is the technique by which the sender can explicitly mention the route through which the packet travels.

To configure explicit source routes, go to Network > Static Route > Source Route. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Source Route to be modified. Edit Source Route pop-up window is displayed which has the same parameters as the Add Source Route window.
- Delete - Click the Delete icon in the Manage column against a Source Route to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the source route. To delete multiple source routes, select them and click the Delete button.

Manage Source Routes


To manage source routes, go to Network > Static Route > Source Route.

Screen Manage Source Routes

Screen Elements: Description
Add Button: Add a new Explicit source route.
Network: Network IP Address and the Subnet mask
Gateway: Gateway IP Address
Edit Icon: Edit the source route
Delete Button: Delete the source route. Alternately, click the Delete icon against the host you want to delete.
Table Manage Source Routes screen elements

Source Route Parameters


To add or edit an explicit source route for packets, go to Network > Static Route > Source Route. Click the Add button to add a new source route. To update the details, click on the source route or Edit icon in the Manage column against the source route you want to modify.

Screen Add Source Route

Screen Elements: Description
Gateway: Select the Gateway from the list.
Network ID: Specify Network ID.
Netmask: Specify Subnet Mask.
Table Add Source Route screen elements


DNS
The Domain Name System (DNS) is a system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric IP addresses. In other words, it translates domain names to IP addresses and vice versa. DNS server is configured at the time of installation. You can add additional IP addresses of the DNS servers to which Cyberoam can connect for name resolution. If multiple DNS are defined, they are queried in the order as they are entered.

Configure DNS
To configure DNS, go to Network > DNS > DNS.

Screen Configure DNS

Screen Add DNS Server

Screen Elements: Description
Obtain DNS from DHCP: Click Obtain DNS from DHCP to override the appliance DNS with the DNS address received from DHCP server. Option is available if enabled from Network Configuration Wizard.
IP Address List: Click Add Button to specify IP Address in the list. To remove IP address from list, select the IP address and click Remove Button. Use Ctrl or Shift Key to select multiple IP Address from the list.
Change the Order: Use Move Up & Move Down buttons to change the order of DNS. If more than one Domain name server exists, query will be resolved according to the order specified.
Move Down Button: Select the IP Address and Click Move Down Button to move down in the list. Order of the list indicates the preference of the server.
Table Configure DNS


DHCP
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to the hosts on a network, reducing the Administrator's configuration task. Instead of requiring administrators to assign, track and change (when necessary) the IP address for every host on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used.

Cyberoam acts as a DHCP server and assigns a unique IP address to a host, and releases the address as the host leaves and re-joins the network. A host can have a different IP address every time it connects to the network. In other words, it provides a mechanism for allocating IP addresses dynamically so that addresses can be re-used.

Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and therefore all the computers on the segment can listen and respond to these broadcasts. But things get complicated when there is more than one subnet on the network. This is because the DHCP broadcast messages do not, by default, cross the router interfaces.

The DHCP Relay Agent allows you to place DHCP clients and DHCP servers on different networks. Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or which is not located on the local subnet. If DHCP Relay Agent is not configured, clients would only be able to obtain IP addresses from the DHCP server which is on the same subnet.

Server
Each internal Interface can act as a DHCP server. You can disable or change this DHCP Server configuration. Cyberoam cannot act as DHCP server and DHCP Relay Agent simultaneously. Hence if Cyberoam is configured as DHCP server, you will not be able to configure it as a Relay agent and vice-versa.

To manage DHCP servers, go to Network > DHCP > Server. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Server to be modified. Edit server window is displayed which has the same parameters as the Add server window.
- Delete - Click the Delete icon in the Manage column against a server to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the server. To delete multiple servers, select them and click the Delete button.

Manage DHCP Servers


To manage DHCP servers, go to Network > DHCP > Server.

Screen Manage DHCP Servers


Screen Elements: Description
Add Button: Add a new DHCP Server
Interface: Internal interface, Port C or Port A (LAN or DMZ).
Lease Type: Type of Lease, Static or Dynamic
Lease Range: IP Address range for Dynamic Lease type and MAC-IP Mapping list for Static Lease type
Edit Icon: Edit the DHCP Server
Delete Button: Delete the DHCP Server. Alternately, click the Delete icon against the DHCP server you want to delete.
Table Manage DHCP Server screen elements

DHCP server Parameters


To add or edit a DHCP server, go to Network > DHCP > Server. Click the Add button to add a DHCP server. To update the details, click on the DHCP server or Edit icon in the Manage column against the DHCP server you want to modify.

Screen Add DHCP Server


Screen Elements: Description
Interface: Select internal interface, i.e. Port C or Port A (LAN or DMZ). DHCP service can be configured on virtual subinterface but cannot be configured on Interface alias.
Lease Type: Select Lease Type. Available Options:
  Dynamic - Specify range of IP address from which DHCP server must assign to the clients and subnet mask for the IP address range. It is also possible to configure multiple IP ranges for the same interface.
  Static - If you always want to assign specific IP addresses to some or all clients, you can define static MAC address to IP address mappings. For defining MAC-IP mapping, you should know the MAC address of the client's network card. The MAC address is usually specified as hexadecimal digits separated by colons (e.g., 00:08:76:16:BC:21). Specify host name, MAC and IP address. Click Add icon to add more than one MAC-IP mapping pair and Remove icon to delete MAC-IP mapping pair.
Subnet Mask: Select subnet mask for the server.
Domain Name: Specify domain name that the DHCP server will assign to the DHCP Clients.
Gateway: Specify IP address for default Gateway or click Use Interface IP as Gateway
Default Lease Time: Specify default lease time and maximum lease time. Input range - 1 to 43200 seconds (30 days). Default - 10 minutes
Max Lease Time: Specify maximum lease time. DHCP client must ask the DHCP server for new settings after the specified maximum lease time. Input range - 1 to 43200 seconds (30 days). Default - 120 minutes
Conflict Detection: Enable IP conflict detection to check the IP before leasing, i.e. if enabled the already leased IP will not be leased again. Can be configured only if lease type is Dynamic.
DNS Server: Click Use Cyberoam's DNS settings to use Cyberoam DNS or Specify IP address of Primary and Secondary DNS servers
WINS Server: Specify IP address of Primary and Secondary WINS servers
Table Add DHCP server screen elements

Lease
Cyberoam acting as a DHCP server assigns or leases an IP address from an address pool to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address.


To view a list of leased IP address, go to Network > DHCP > Lease.

Screen DHCP Leased IP list

The following information is available in the leased IP list:
- Leased IP address
- Lease start and end time
- MAC address and host name

List will display dynamically leased IP addresses only.

Relay
The DHCP Relay Agent allows you to place DHCP clients and DHCP servers on different networks. Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and therefore all the computers on the segment can listen and respond to these broadcasts. However, things get complicated when there is more than one subnet on the network. This is because the DHCP broadcast messages do not, by default, cross the router interfaces.

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or which is not located on the local subnet. If DHCP Relay Agent is not configured, clients would only be able to obtain IP addresses from the DHCP server which is on the same subnet.

To configure Cyberoam as a relay agent, go to Network > DHCP > Relay. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Relay Agent to be modified. Edit Relay Agent pop-up window is displayed which has the same parameters as the Add Relay Agent window.
- Delete - Click the Delete icon in the Manage column against a Relay Agent to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Relay Agent. To delete multiple Relay Agents, select them and click the Delete button.

Manage DHCP Relay Agents


To manage DHCP relay agents, go to Network > DHCP > Relay.


Screen Manage DHCP Relay Agent

Screen Elements: Description
Add Button: Add a new Relay Agent
Interface: Internal Interface which is configured as Relay Agent
DHCP Server IP: DHCP Server IP Address
Edit Icon: Edit the Relay Agent
Delete Button: Delete the Relay Agent. Alternately, click the Delete icon against the relay agent you want to delete.
Table Manage DHCP Relay Agent screen elements

DHCP Relay Agent Parameters


To add or edit a DHCP relay agent, go to Network > DHCP > Relay. Click the Add button to add a relay agent. To update the details, click on the relay agent or Edit icon in the Manage column against the relay agent you want to modify.

Screen Add DHCP Relay Agent

Screen Elements: Description
Interface: Select internal interface. Each internal Interface can act as a DHCP Relay Agent. Cyberoam cannot act as DHCP server and DHCP Relay Agent simultaneously. Hence, if Cyberoam is configured as DHCP Relay Agent, you will not be able to configure it as a server and vice-versa. DHCP Relay agent can be configured on virtual subinterface but cannot be configured on Interface alias.
DHCP Server IP: Specify DHCP Server IP Address. DHCP requests arriving on the interface selected in above step will be forwarded to this DHCP server.
Table Add DHCP Relay Agent screen elements


ARP
ARP (Address Resolution Protocol) is a protocol that TCP/IP uses to translate an IP address into a MAC address (physical network address). In other words, it maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. It is used by hosts that are directly connected on a local network and uses either or both unicast and broadcast transmissions directly to each other. A host finds the physical address of another host on its network by sending an ARP query packet that includes the IP address of the receiver. As a broadcast protocol, it can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information. ARP traffic is vital to communication on a network and is enabled on Cyberoam interfaces by default.

Static ARP entry allows you to bind the MAC address to the designated IP address and port. Once the MAC address is bound to a port and IP address, the Cyberoam appliance will not update its ARP table dynamically and will not respond to that IP-MAC pair on any other port. It will also remove any dynamically cached references to that IP address that might be present, and will not allow additional static mappings of that IP address. These entries will be stored in the static ARP table as well as the ARP Cache table.

When the Cyberoam appliance receives the ARP request on a particular port, Cyberoam performs the ARP lookup in the static ARP table. If there is any mismatch in IP address or MAC address, Cyberoam considers it as an ARP poisoning attempt and does not update its ARP Cache. If the entry is not available in the table, Cyberoam will look up in the ARP Cache and adds the MAC address to the ARP Cache if required.

Consider an example when IP1 is mapped with MAC1 and IP1-MAC1 pair is bound to Port A. Similarly IP2 is mapped with MAC1 and IP2-MAC1 pair is bound to Port A.

IP address   MAC address   Port                          ARP poisoning attempt
IP1          MAC1          A                             No
IP1          MAC1          Any other Port than Port A    Yes
IP1          MAC2          A                             Yes
IP1          MAC2          Any Other Port                Yes
IP3          MAC1          No static ARP                 No
IP2          MAC1          A                             No
IP2          MAC1          Any other Port than Port A    Yes
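The static ARP lookup described above, written out as an added Python example (not Cyberoam code) and replayed against the seven rows of the table. The addresses are constructed documentation values, the class, method and verdict names are hypothetical, and the port chosen for the IP3 row is arbitrary because that IP has no static entry.

```python
from typing import Dict, List, Optional, Tuple

CACHE_TIMEOUT = 2 * 60   # seconds; the guide's default ARP cache timeout is 2 minutes

# Constructed sample values standing in for IP1..IP3 and MAC1..MAC2 of the table.
IP1, IP2, IP3 = "192.0.2.1", "192.0.2.2", "192.0.2.3"
MAC1, MAC2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"


class ArpTable:
    """Toy model of the static ARP check and the ARP cache."""

    def __init__(self) -> None:
        self.static: Dict[str, Tuple[str, str]] = {}              # ip -> (mac, port)
        self.cache: Dict[str, Tuple[str, Optional[float]]] = {}   # ip -> (mac, expiry)
        self.poison_log: List[Tuple[str, str, str]] = []

    def add_static(self, ip: str, mac: str, port: str) -> None:
        if ip in self.static:
            # No additional static mappings of an already bound IP address.
            raise ValueError(f"{ip} already has a static mapping")
        self.static[ip] = (mac.lower(), port)
        # Replaces any dynamically cached reference; static entries never expire.
        self.cache[ip] = (mac.lower(), None)

    def observe(self, ip: str, mac: str, port: str, now: float = 0.0) -> str:
        """Process the sender IP/MAC of an ARP packet received on `port`."""
        mac = mac.lower()
        bound = self.static.get(ip)
        if bound is not None:
            if bound == (mac, port):
                return "static-match"
            self.poison_log.append((ip, mac, port))   # possible ARP poisoning attempt
            return "poisoning"                        # the cache is left untouched
        self.cache[ip] = (mac, now + CACHE_TIMEOUT)   # no static entry: learn dynamically
        return "learned"

    def lookup(self, ip: str, now: float = 0.0) -> Optional[str]:
        entry = self.cache.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry is not None and now >= expiry:
            del self.cache[ip]                        # flushed after the timeout
            return None
        return mac


def build_table() -> ArpTable:
    table = ArpTable()
    table.add_static(IP1, MAC1, "A")
    table.add_static(IP2, MAC1, "A")
    return table


# The seven rows of the table, in order; "B", "C", "D" stand for "any other port".
PAGE_ROWS = [(IP1, MAC1, "A"), (IP1, MAC1, "B"), (IP1, MAC2, "A"), (IP1, MAC2, "C"),
             (IP3, MAC1, "B"), (IP2, MAC1, "A"), (IP2, MAC1, "D")]


def replay_page_table() -> List[bool]:
    """True for every row that is treated as an ARP poisoning attempt."""
    table = build_table()
    return [table.observe(ip, mac, port) == "poisoning" for ip, mac, port in PAGE_ROWS]


if __name__ == "__main__":
    for row, flagged in zip(PAGE_ROWS, replay_page_table()):
        print(row, "Yes" if flagged else "No")
```

The lookup is keyed by IP address, which is why the IP3 row is not flagged even though MAC1 is statically bound to two other addresses.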

ARP Configuration
To configure ARP in Cyberoam, go to Network > ARP > ARP.


Screen ARP Configuration

Screen Elements: Description
ARP Cache Entry Time Out: Specify time interval after which the entries in the cache should be flushed. Default - 2 minutes. Input range - 1 to 500 minutes. It becomes necessary to flush the ARP cache if the host IP address on the network changes. As the IP address is linked to a physical address, it can change but can still be associated with the physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache.
Log Possible ARP Poisoning Attempts: Enable to log the poisoning attempts
Table ARP Configuration screen elements

Static ARP
To manage Static ARP, go to Network > ARP > ARP. You can:
- Add
- View
- Search
- Edit - Click the Edit icon in the Manage column against the Static ARP to be modified. Edit Static ARP pop-up window is displayed which has the same parameters as the Add Static ARP window.
- Delete - Click the Delete icon in the Manage column against a Static ARP to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Static ARP. To delete multiple Static ARPs, select them and click the Delete button.

Manage Static ARP


To manage Static ARP, go to Network > ARP > ARP.


Screen Manage Static ARP

Screen Elements: Description
Add Button: Add a new Static ARP
IP Address: IP Address of the host
MAC Address: Physical Address of the host
Interface: Physical Interface of the host
Edit Icon: Edit the Static ARP
Delete Button: Delete the Static ARP. Alternately, click the Delete icon against the static ARP you want to delete.
Table Manage Static ARP screen elements

Static ARP Parameters


To add or edit static ARP, go to Network → ARP → ARP. Click the Add button to add a static ARP. To update the details, click the Edit icon in the Manage column against the ARP entry you want to modify.

Screen Add Static ARP

Screen Elements: Description
IP Address: Specify IP address of the host outside the firewall.
MAC Address: Specify MAC address of the host.
Interface: Specify the physical Interface: Port A, Port B, Port C or Port D.
Add as Trusted MAC entry in Spoof Prevention: If enabled, adds MAC/IP pair in the trusted MAC list. By default, it is enabled.

Table Add Static ARP screen elements

Search ARP
IP Address
Click the Search icon in the IP Address column to search specific address. A pop-up window is displayed that has filter criteria for search. Address can be searched on the following criteria: is equal to, starts with, contains. Click OK to get the search results and Clear button to clear the results.

Screen Search IP Address

Search Criteria: Search Results
is equal to: All the IP addresses that exactly match the IP address specified in the criteria. For example, if the search string is 192.168.1.1, all the addresses exactly matching the string will be displayed.
starts with: All the IP addresses that start with the specified criteria. For example, if the search string is 10, all the addresses like 10.1.1.1, starting with the number 10 will be displayed.
contains: All the addresses that are in the IP range specified in the search string. For example, if the search string is 1.1.1.2-1.1.1.10, all the IP addresses like 1.1.1.5 or 1.1.1.8 falling in this range will be displayed.

Table Search IP Address screen elements

MAC Address
Click the Search icon in the MAC Address column to search specific address. A pop-up window is displayed that has filter criteria for search. Address can be searched on the following criteria: is equal to, starts with, contains. Click OK to get the search results and Clear button to clear the results.

Screen Search IP Address

Search Criteria: Search Results
is equal to: All the MAC addresses that exactly match the MAC address specified in the criteria. For example, if the search string is 10:15:18:A1:BC:22, all the addresses exactly matching the string will be displayed.
starts with: All the MAC addresses that start with the specified search criteria. For example, if the search string is 10, all the addresses like 10:15:18:A1:BC:22, starting with the number 10 will be displayed.
contains: All the MAC addresses that contain the string specified in the criteria. For example, if the search string is BC, all the MAC addresses like 10:15:18:A1:BC:22, containing the string are displayed.

Table Search MAC Address screen elements


Dynamic DNS
Dynamic DNS (Domain Name System) is a method of keeping a static domain/host name linked to a dynamically assigned IP address allowing your server to be more easily accessible from various locations on the Internet. Powered by Dynamic Domain Name System (DDNS), you can now access your Cyberoam server by the domain name, not the dynamic IP address. DDNS will tie a domain name (e.g. mycyberoam.com, or elitecore.cyberoam.com) to your dynamic IP address.

To manage Dynamic DNS, go to Network → Dynamic DNS → Dynamic DNS. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the DDNS to be modified. Edit DDNS window is displayed which has the same parameters as the Add DDNS Details window.
- Delete - Click the Delete icon in the Manage column against a DDNS to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the DDNS. To delete multiple DDNS, select them and click the Delete button.

Manage Dynamic DNS

To manage Dynamic DNS, go to Network → Dynamic DNS → Dynamic DNS.

Screen Manage Dynamic DNS

Screen Elements: Description
Add Button: Add new Host & Service Provider Details
Name: Name of the Host on DDNS server.
Interface: External Interface selected
Service Provider: Service Provider with whom Hostname is registered
Last Updated IP: Recently updated IP Address
Last Updated Status: Recently updated Status
Last Updated Time: Time of the recent update
Failure Reason: Reason for failure
Edit Icon: Edit the Host & Service Provider Details
Delete Button: Delete the Host & Service Provider Details. Alternately, click the Delete icon against the host you want to delete.

Table Manage Dynamic DNS screen elements


DDNS Account Parameters


To add or edit DDNS, go to Network → Dynamic DNS → Dynamic DNS. Click the Add button to add a DDNS. To update the details, click on the DDNS name or Edit icon in the Manage column against the DDNS you want to modify.

Screen Add DDNS Account

Screen Elements: Description

Host Details
Host Name: Name to identify the host that you want to use on DDNS server i.e. domain name that you registered with your DDNS service provider, for example, cyber.com
Interface: Select External Interface. IP address of the selected interface will be bound to the specified host name.
IP Address: Select IP Address source: Port IP or NATed Real IP
IP Edit Checking Interval: Specify the time interval after which DDNS server should check and edit the IP address of your server if changed. Default - 20 minutes. For example, if time interval is set to 10 minutes, after every 10 minutes, DDNS server will check for any changes in your server IP address.

Service Providers Details
Service Provider: Select Service provider with whom you have registered your hostname.
Login Name: Specify your DDNS account's Login name
Password: Specify your DDNS account's Password

Table Add DDNS Account screen elements


Identity

Once you have deployed Cyberoam, default access policy is automatically applied which will allow complete network traffic to pass through Cyberoam. This will allow you to monitor user activity in your Network based on default policy. As Cyberoam monitors and logs user activity based on IP address, all the reports are also generated based on IP address. To monitor and log user activities based on User names or logon names, you have to configure Cyberoam for integrating user information and authentication process. Integration will identify access request based on User names and generate reports based on Usernames.

When the user attempts to access Cyberoam, Cyberoam requests a user name and password and authenticates the user's credentials before giving access. User level authentication can be performed using the local user database on the Cyberoam, an External ADS server, LDAP or RADIUS server.

To set up user database:
1. Integrate ADS, LDAP or RADIUS, if external authentication is required. Two different servers can be used for authentication simultaneously.
2. Configuration for local authentication.
3. Register user

Authentication
Cyberoam provides policy-based filtering that allows you to define individual filtering plans for various users of your organization. You can assign individual policies to users (identified by IP address), or a single policy to a number of users (Group). Cyberoam detects users as they log on to Windows domains in your network via client machines. Users are allowed or disallowed access based on username and password. In order to authenticate a user, you must select at least one database against which Cyberoam should authenticate users. Administrator can configure authentication based on the type of user (Firewall, VPN and SSL VPN) and with multiple servers. Cyberoam supports user authentication against:
- an Active Directory
- an LDAP server
- a RADIUS server
- an internal database defined in Cyberoam

To filter Internet requests based on policies assigned, Cyberoam must be able to identify a user making a request. Administrator can configure two authentication servers with one serving as a Primary Authentication Server and the other as a Secondary Authentication Server. When a user tries to login, the authentication request is forwarded to the secondary authentication server only if the primary server is not able to authenticate the user. User is denied access if the secondary server is also not able to authenticate the user. In other words, user will be able to login only if authenticated by either of the configured authentication servers. This assures secure access to the network's internal resources and guarantees that only the authenticated users are able to login successfully.

Settings
User Authentication process is initiated when the client tries to login with the login credentials. Cyberoam provides an authentication mechanism wherein users registered on two different servers can be authenticated. Administrator can configure authentication based on the type of user (Administrator, Firewall, VPN and SSL VPN) and with multiple servers.

User level authentication can be performed using local user database, RADIUS, LDAP, Active Directory or any combination of these. Combination of external and local authentication is useful in large networks where it is required to provide guest user accounts for temporary access while a different authentication mechanism like RADIUS for VPN and SSL VPN users provides better security as password is not exchanged over the wire.

In case of multiple servers, administrator can designate primary and optionally the secondary server. Only if the primary server cannot authenticate the user will the secondary server try to authenticate. If the secondary server also cannot authenticate the user then Cyberoam refuses the access. By default, primary authentication method is Local while secondary authentication method is None.

To configure and manage user authentication settings, go to Identity → Authentication → Settings.

Screen Authentication Settings

Screen Elements: Description

Administrator Authentication
Primary Authentication Method: Primary Authentication method for Administrator would always be Local. Primary and secondary authentication method cannot be same.
Secondary Authentication Method: Select the Secondary Server for administrator. Authentication request is forwarded to the secondary server only when primary server fails to authenticate user or primary server is down. Default method - None. Primary and secondary authentication method cannot be same. You can also add and configure a new external server directly from the Authentication Settings page itself.

Firewall Authentication
Primary Authentication Method: Select the Primary Server to authenticate firewall users. Default method - Local. Primary and secondary authentication method cannot be same. You can also add and configure a new external server directly from the Authentication Settings page itself.
Secondary Authentication Method: Select the Secondary Server to authenticate firewall users. Authentication request is forwarded to the secondary server only when primary server fails to authenticate user or primary server is down. Default method - None. Primary and secondary authentication method cannot be same. You can also add a new external server directly from the Authentication Settings page.
Default Group: Select the default group for firewall authentication.
Maximum Session Timeout: Specify Maximum Session timeout duration in minutes. Range is from 3 to 1440 minutes. Authentication Session timeout is the idle period in minutes after which a user must re-authenticate. Enable the Unlimited checkbox to allow the users to remain checked in.
HTTPS Redirection: Enable the HTTPS Redirection checkbox to access the Captive portal page through secure channel.
Keep Alive Request For Captive Portal: Select Keep Alive Request. Available Options:
  Enable - Click Enable option to keep the connections alive.
  Disable - Click Disable option to close the connection i.e. terminate the data transmission after the request is served.
  Keep-Alive requests are constantly exchanged between server and client to check the connectivity between them. The more concurrent HTTP Captive Portal users there are, the more keep-alive requests are exchanged. Hence, Cyberoam recommends disabling Keep-alive request if there is a large number of concurrent HTTP Captive Portal users. Default - Enabled
User Inactivity Timeout: User Inactivity timeout is the inactive/idle period in minutes after which a user must re-authenticate. Enable and specify timeout duration in minutes. Acceptable Range - 3 to 1440 minutes. Default - Disabled
Data Transfer Threshold: Specify threshold value in KB for Data Transfer.

VPN (IPSec / L2TP / PPTP) Authentication
Primary VPN Authentication Method: Select the Primary Server to authenticate VPN users. Default method - Local. You can also add a new external server directly from the Authentication Settings page. Primary and secondary authentication method cannot be same.
Secondary VPN Authentication Method: Select the Secondary Server for VPN authentication. Select the Secondary Server to authenticate firewall users. Authentication request is forwarded to the secondary server only when primary server fails to authenticate user or primary server is down. Default method - None. Primary and secondary authentication method cannot be same. You can also add and configure a new external server directly from the Authentication Settings page itself.

SSL VPN Authentication (Option not available for CR15i models)
Primary SSL VPN Authentication Method: Select the Primary Server to authenticate SSL VPN users. Default method - Local. You can also add and configure a new external server directly from the Authentication Settings page itself. Primary and secondary authentication method cannot be same.
Secondary SSL VPN Authentication Method: Select the Secondary Server for SSL VPN authentication. Select the Secondary Server to authenticate firewall users. Authentication request is forwarded to the secondary server only when primary server fails to authenticate user or primary server is down. Default method - None. Primary and secondary authentication method cannot be same. You can also add and configure a new external server directly from the Authentication Settings page itself.

Table Settings Screen Elements

Authentication Server
External Authentication Servers can be integrated with Cyberoam for providing secure access to the users of those servers. To manage external authentication servers, go to Identity → Authentication → Authentication Server. You can:
- Add
- View - View the details of ADS/LDAP/RADIUS Servers
- Edit - Click the Edit icon in the Manage column against the Server to be modified. Edit Server window is displayed which has the same parameters as the Add Server window.
- Delete - Click the Delete icon in the Manage column against Server to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Server. To delete multiple Servers, select them and click the Delete button.

Manage Authentication Servers

To manage external authentication servers, go to Identity → Authentication → Authentication Server.

Screen Manage External Authentication Server

Screen Elements: Description
Add Button: Add an external server
Name: Name of the Server
IP: IP Address of the server
Port: Port through which server communicates
Type: Type of Server - ADS, LDAP or RADIUS
Domain: Domain Name for the ADS Server
Edit Icon: Edit the Server details
Delete Button: Delete the Authentication Server. Alternately, click the Delete icon against the server you want to delete.

Table Manage Authentication Server screen elements

Authentication Server Parameters

Screen Elements: Description
Server Type: Select the service with which you want to use your network. Available Options: Active Directory, LDAP Server, RADIUS Server

Table Add Authentication Server screen elements

Active Directory Authentication


Cyberoam ADS integration feature allows Cyberoam to map the users and groups from ADS for the purpose of authentication. This enables Cyberoam to identify the network users transparently. Cyberoam communicates with Windows Directory Services - Active Directory (AD) - to authenticate users based on groups, domains and organizational units.

Whenever the existing user(s) in ADS logs on for the first time after configuration, user is automatically created in Cyberoam and assigned to the default group. If the Groups are already created in Cyberoam, User(s) will be created in the respective Groups i.e. the ADS User Groups will be mapped to Cyberoam User Groups. In case user is already created and there is a change in expiry date or group name, user will be logged in with the changes.

User has to be authenticated by Cyberoam before accessing any resources controlled by Cyberoam. This authentication mechanism allows Users to access using their Windows authentication tokens (login/user name and password) in the Windows-based directory services.

User sends the log on request/user authentication request to ADS and ADS authenticates user against the directory objects created in ADS. Once the user is authenticated, Cyberoam communicates with ADS to get additional authorization data such as user name, password, user groups, and expiry date as per the configuration, which is used to control the access.

Note
If ADS is down, the authentication request will always return Wrong username/password message.

It is necessary to have shared NETLOGON directory on ADS with the following permissions: Read, Read & Execute, List Folder Contents.

To configure and manage ADS, go to Identity → Authentication → Authentication Server. Select server type as Active Directory. You can:
- Configure - Configure ADS Server to communicate with Cyberoam.
- Import AD Group - Click Import icon in the Manage column against the ADS Server for which you want to import the Active Directory Group.
- NetBIOS Name, FQDN and Search DN - The details of NetBIOS Name, FQDN and Search DN are available from the ADS server.

Configure ADS
To configure ADS, go to Identity → Authentication → Authentication Server. Click Add Button and select the server type as Active Directory to add a server. To update the details, click on the Server or Edit icon in the Manage column against the AD server you want to modify.

Screen Add Active Directory Server

Screen Elements: Description
Server Type: Select the Active Directory Service. If a user is required to authenticate using ADS, Cyberoam needs to communicate with ADS server for authentication.
Server Name: Name to identify the server
Server IP: Specify ADS server IP address.
Port: Specify Port number through which server communicates. Default port is 389
NetBIOS Domain: Specify NetBIOS Name
ADS Username: Specify Username for the user with Administrative privileges for ADS server
Password: Specify Password for the user with Administrative privileges for ADS server
Integration Type: Select implementation type of Integration. Integration type is used in setting the user group membership. It provides an added layer of protection by authenticating user based on the group membership apart from authentication attribute. Available Options:
  Loose integration - users are imported in default group of Cyberoam while in tight integration, ADS User Groups will be mapped to Cyberoam User Groups and users are imported in the respective groups.
  Tight integration - if user is a member of multiple AD groups, Cyberoam will decide the user group based on the order of the groups defined in Cyberoam. Cyberoam searches Group ordered list from top to bottom to determine the user group membership. The first group that matches is considered as the group of the user and that group's policies are applied to the user.
Domain Name: Specify Domain name to which the query is to be added.
Search Queries: Click Add button to enter the search query. Use the Move Up and Move Down buttons to move the search queries in the list. If you do not know search DN, refer to NetBIOS name, FQDN and Search DN.
Test Connection: Click Test connection button to check the ADS-Cyberoam connectivity.

Table Add Active Directory Server screen elements

Note
Whenever the existing user(s) in ADS logs on, user is automatically created in Cyberoam and assigned to the default group. If the Groups are already created in Cyberoam, User(s) will be created in the respective Groups i.e. the ADS User Groups will be mapped to Cyberoam User Groups. In case user is already created and there is a change in expiry date or group name, user will be logged in with the changes.

Note
Connection to ADS is enabled automatically during Active Directory setup, but as ADS server is used for authenticating users it is necessary to check whether Cyberoam is able to connect to ADS or not.


Import AD group
Once you have configured and added AD details, select Identity → Authentication → Authentication Server and click Import Group icon against the AD server from which AD groups are to be imported. Follow the on-screen steps:

Step 1. Specify Base DN. Cyberoam will fetch AD groups from the specified Base DN.

Screen Define Base DN

Step 2. Select the Groups to be imported in Cyberoam. Use <Ctrl> + Click to select multiple groups. Cyberoam will not allow you to import groups that are already in Cyberoam.

Screen Select AD Groups to Import

Step 3. Select various policies (Surfing Quota, QoS, Web Filter, Application Filter, Data transfer and SSL VPN policy) and user authentication time out to be applied on the group members. Same policy is attached to all the imported groups. If you want to specify different policy for different groups, do not enable the policy. For example, if you want to specify different Web Filter policy to different groups, do not enable Attach to all the Groups.

Screen Define policies for the Groups

Step 4. If common policies are not to be applied, specify policies to be applied to each group.

Screen Define specific policy for a Group

Step 5. View the summary of the groups and policies to be imported. You can also go back and change the configuration.

Screen Groups imported and specific policies attached to specific Group

Step 6. View Results page displays successful message if groups are imported and policies are successfully attached else appropriate error message will be displayed. Once you close the Wizard, Manage Groups page will be opened. All the imported groups are appended at the end of the list.

Screen Groups imported and common policies attached successfully

If user is a member of multiple AD groups, Cyberoam will decide the user group based on the order of the groups defined in Cyberoam. Cyberoam searches Group ordered list from top to bottom to determine the user group membership. The first group that matches is considered as the group of the user and that group's policies are applied to the user.

Re-ordering of groups to change the membership preference is possible using Wizard.
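The primary/secondary fallback from the Authentication Settings section and the ordered group match described above, combined into one login flow as an added Python illustration (not Cyberoam code). Server names, users, passwords and group names are constructed sample data, and falling back to the default group when no ordered group matches is an assumption.

```python
import hmac
from dataclasses import dataclass


class ServerDown(Exception):
    """Raised by the model when an authentication server cannot be reached."""


@dataclass
class AuthServer:
    name: str          # constructed names such as "ADS" or "Local"
    users: dict        # username -> (password, [directory group names])
    up: bool = True

    def authenticate(self, username, password):
        """Return the user's directory groups, or None if the credentials are rejected."""
        if not self.up:
            raise ServerDown(self.name)
        record = self.users.get(username)
        if record and hmac.compare_digest(record[0].encode(), password.encode()):
            return list(record[1])
        return None


def resolve_group(directory_groups, cyberoam_group_order, default_group, tight):
    """Loose integration: default group. Tight: first match, top to bottom."""
    if not tight:
        return default_group
    for group in cyberoam_group_order:
        if group in directory_groups:
            return group
    return default_group   # assumption: the guide does not cover the no-match case


def login(username, password, primary, secondary, group_order, default_group, tight=True):
    """Return (server name, Cyberoam group) on success, None when access is refused."""
    if secondary is not None and secondary.name == primary.name:
        raise ValueError("primary and secondary authentication method cannot be same")
    for server in (primary, secondary):
        if server is None:            # secondary method "None"
            continue
        try:
            groups = server.authenticate(username, password)
        except ServerDown:
            continue                  # a server that is down counts as a failed attempt
        if groups is not None:
            return server.name, resolve_group(groups, group_order, default_group, tight)
    return None                       # caller sees one refusal, whatever the cause


# Constructed sample data.
ADS = AuthServer("ADS", {"alice": ("Al1ce-pw", ["Engineering", "VPN Users"])})
LOCAL = AuthServer("Local", {"guest": ("guest-pw", [])})
GROUP_ORDER = ["VPN Users", "Engineering"]     # order of groups as defined in Cyberoam

if __name__ == "__main__":
    print(login("alice", "Al1ce-pw", ADS, LOCAL, GROUP_ORDER, "Open Group"))
    print(login("guest", "guest-pw", ADS, LOCAL, GROUP_ORDER, "Open Group"))
```

Because the flow returns the same refusal for a rejected password and for an unreachable server, an outage of the primary server looks like a wrong-credentials failure to any user who exists only there.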

NetBIOS Name, FQDN and Search DN


On the AD server:
- Go to Start → Programs → Administrative Tools → Active Directory Users and Computers
- Right Click the required domain and go to Properties tab
- Search DN will be based on the FQDN. In the given example FQDN is elitecore.com and Search DN will be DC=elitecore, DC=com

LDAP Authentication
When Cyberoam is installed in Windows environment with LDAP server, it is not necessary to create users again in Cyberoam. Cyberoam provides a facility to create user(s) on first logon automatically. Whenever the existing user(s) in LDAP logs on for the first time after configuration, user is automatically created in Cyberoam and is assigned to the default group. This reduces the Administrator's burden of creating the same users in Cyberoam.

User has to be authenticated by Cyberoam before being granted access to the Internet. Cyberoam sends the user authentication request to LDAP and LDAP server authenticates user as per supplied tokens. User can log on using their Windows authentication tokens (login/user name and password).

Cyberoam allows implementing LDAP integration in two ways:
- Tight Integration - It provides an added layer of protection by authenticating user based on the group membership apart from authentication attribute. One needs to configure both Group Name attribute and authentication attribute for authentication. Group membership of each User and expiry day as defined in LDAP server.
- Loose Integration - It uses authentication attribute for authenticating users.

To configure LDAP, go to Identity → Authentication → Authentication Server. Click Add Button and select the server type as LDAP to add a server. To update the details, click on the Server or Edit icon in the Manage column against the LDAP server you want to modify.

Screen Add LDAP Server

Screen Elements: Description
Server Type: Select LDAP Server.
Server Name: Name to identify the server
Server IP: Specify LDAP Server IP address.
Port: Specify Port number through which Server communicates. Default port is 389
Version: Select LDAP version. For example, 2
Anonymous Login: Enable Anonymous Login if identity (username and password) and authentication of Administrator is required to logon to LDAP server to retrieve information. If enabled, specify domain or local administrator username and password to logon to LDAP server. If Anonymous Login is disabled, you connect as the anonymous user on LDAP server and there is no need to supply username and password.
Base DN: Specify the base distinguished name (Base DN) of the directory service, indicating the starting point for searching user in the directory service. If you are not aware about Base DN, click Get Base DN to retrieve base DN. The top level of the LDAP directory tree is the base, referred to as the "Base DN". A base DN usually takes one of the three forms: Organization name, Company's Internet Domain name or DNS domain name. For example dc=Cyberoam, dc=com
Authentication Attribute: Set authentication attribute. It is the attribute used to perform user search. By default, LDAP uses uid attribute to identify user entries. If you want to use a different attribute (such as givenname), specify the attribute name in this field.
Integration Type: Select implementation type of Integration. Integration type is used in setting the user group membership. It provides an added layer of protection by authenticating user based on the group membership apart from authentication attribute. One needs to configure both Group Name attribute and authentication attribute for authentication. Group membership of each User and expiry day as defined in LDAP server.
Test Connection: Click Test connection button to check the LDAP-Cyberoam connectivity.

Table Add LDAP Server screen elements

Note
Whenever the existing user(s) in LDAP logs on, user is automatically created in Cyberoam and assigned to the default group. If the Groups are already created in Cyberoam, User(s) will be created in the respective Groups i.e. the LDAP User Groups will be mapped to Cyberoam User Groups.

RADIUS Authentication
RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices such as protocols supported, IP addresses, telephone numbers, routing information, and so on. Together this information constitutes a user profile that is stored in a file or database on the RADIUS server.

RADIUS servers provide authentication, authorization, and accounting functions but Cyberoam uses only the authentication function of the RADIUS server.

Before you can use RADIUS authentication, you must have a functioning RADIUS server on the network.

To configure RADIUS, go to Identity → Authentication → Authentication Server. Click Add Button and select the server type as RADIUS to add a server. To update the details, click on the Server or Edit icon in the Manage column against the RADIUS server you want to modify.

Screen Add RADIUS Server

Screen Elements: Description
Server Type: Select RADIUS Server.
Server Name: Name to identify the RADIUS Server.
Server IP: Specify RADIUS Server IP address.
Authentication Port: Specify Port number through which Server communicates. Default port - 1812
Shared Secret: Specify share secret, which is to be used to encrypt information passed to Cyberoam
Integration Type: Select Integration type. Integration type is used in setting the user group membership. Select Tight Integration with Cyberoam if you want to use vendor specific attribute for setting the user group membership and specify group name attribute
Test Connection Button: Click Test connection button to check the RADIUS-Cyberoam connectivity.

Table Add RADIUS Server screen elements

Note
Whenever the existing user(s) in RADIUS logs on, user is automatically created in Cyberoam and assigned to the default group. If the Groups are already created in Cyberoam, User(s) will be created in the respective Groups i.e. the RADIUS User Groups will be mapped to Cyberoam User Groups.
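How the Shared Secret field is used on the wire, as an added Python example (not Cyberoam code): it implements the User-Password hiding and Access-Request layout defined in RFC 2865 and shows that a mismatched secret yields a different password on the server side. The secret, user name, password and Request Authenticator are constructed sample values; a real client draws the authenticator at random for every request.

```python
import hashlib
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 code and attribute types


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + previous).digest())
        hidden += block
        previous = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password with the server's copy of the shared secret."""
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, authenticator, username, password, secret):
    """Code, Identifier, Length, 16-byte Request Authenticator, then type-length-value attributes."""
    attributes = b""
    for attr_type, value in ((USER_NAME, username),
                             (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attributes += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + authenticator + attributes


def parse_access_request(packet):
    """Return (identifier, authenticator, {attribute type: value}) with bounds checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attributes, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attributes[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return identifier, packet[4:20], attributes


if __name__ == "__main__":
    secret, authenticator = b"s3cret-constructed", bytes(range(16))   # constructed values
    packet = build_access_request(7, authenticator, b"alice", b"correct horse battery", secret)
    _, auth, attrs = parse_access_request(packet)
    print("user name on the wire:", attrs[USER_NAME])                 # sent in clear
    print("with right secret   :", reveal_password(attrs[USER_PASSWORD], secret, auth))
    print("with wrong secret   :", reveal_password(attrs[USER_PASSWORD], b"wrong-secret", auth))
```

Only the User-Password attribute is hidden, and the hiding rests on MD5 and the secret alone, so the secret should be long, random and unique per RADIUS client.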


Groups
Group is a collection of users having common policies that can be managed as a single unit and a mechanism of assigning various policies to a number of users in one operation/step. Users that belong to a particular group are referred to as a group user. Instead of attaching individual policies to the user, create group of policies and simply assign the appropriate Group to the user and user will automatically inherit all the policies added to the group which simplifies the user configuration.

A group can contain default as well as custom policies. Various policies that can be grouped are:
- Surfing Quota policy which specifies the duration of surfing time and the period of subscription
- Access Time policy which specifies the time period during which the user will be allowed access
- Web Filter and Application Filter Policy which specifies the access strategy for the user and sites
- QoS policy which specifies the bandwidth usage limit of the user
- Data Transfer policy which specifies the data transfer quota of the user
- SSL VPN policy which determines the access mode and controls access to private network resources.

Note
SSL VPN Policies are not available in User Group configuration for Cyberoam CR15i models.

To manage user groups, go to Identity → Groups → User Group. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the user group to be modified. Edit User Group page is displayed which has the same parameters as the Add User Group window.
- Search
- Customize Display Columns - Click the Select Columns list to customize the columns to be displayed. By default, all the columns are selected and visible. You can uncheck the checkbox against the column which is not to be displayed.
- Delete - Click the Delete icon in the Manage column against a User group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the User Group. To delete multiple User groups, select them and click the Delete button.

Manage Groups
To manage user groups, go to Identity → Groups → Group.

Screen Manage Groups

Screen Elements: Description
Add Button: Add a new User Group.
Group Name: Name of the group
Web Filter Policy: Web Filter Policy applied. Point to the policy link to view or edit the policy details.
Application Filter Policy: Application Filter Policy applied. Point to the policy link to view or edit the policy details.
Surfing Quota Policy (Not applicable to Clientless Group): Surfing Quota Policy applied. Point to the policy link to view or edit the policy details.
Access Time Policy (Not applicable to Clientless Group): Access Time Policy applied. Point to the policy link to view or edit the policy details.
Data Transfer Policy (Not applicable to Clientless Group): Data Transfer Policy applied. Point to the policy link to view or edit the policy details.
QoS Policy: QoS Policy applied. Point to the policy link to view or edit the policy details.
MAC Binding (Not applicable to Clientless Group):
  - User MAC Binding disabled for all the group users
  - User MAC Binding enabled for all the group users
L2TP (Not applicable to Clientless Group):
  - L2TP access disabled for all the group users
  - L2TP access enabled for all the group users
PPTP (Not applicable to Clientless Group):
  - PPTP access disabled for all the group users
  - PPTP access enabled for all the group users
Login Restriction: Login Restriction applied - Any, Selected Nodes or Range.
Edit Icon: Edit the User Group.
Delete Button: Delete the User Group. Alternately, click the Delete icon against the server you want to delete.

Table Manage Groups screen elements

User Group Parameters


To add or edit user group details, go to Identity User Group. Click Add Button to add a new user group or Edit Icon to modify the details of the user group.

Screen Add Group

Screen Elements | Description
Group Name | Name to identify the group.
Group Type | Select Group Type. Available Options: Normal - User of this group needs to log on using Cyberoam Client to access the Internet. Clientless - User of this group does not need to log on using Cyberoam Client to access the Internet and is symbolically represented as Group name(C). Access control is placed on IP address.
Policies
Web Filter | Select the Web Filter Policy from the list.
Application Filter | Select the Application Filter Policy from the list.
Surfing Quota | Select the Surfing Quota Policy from the list. Unlimited policy is automatically applied to Clientless Group.
Access Time (Not applicable to Clientless Group) | Select the Access Time Policy from the list.
Data Transfer (Not applicable to Clientless Group) | Select the Data Transfer Policy from the list.
QoS | Select the QoS Policy from the list.
SSL VPN (Not applicable to Clientless Group) (Option not available for Cyberoam CR15i models) | Select SSL VPN policy from the dropdown list. If user is not to be provided the SSL VPN access then select No Policy Applied.
Spam Digest (Option not available for Cyberoam CR15i models) | Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam will mail the spam digest every day to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Available Options: Enable - User group will receive the spam digest daily and overrides Group setting. Disable - User group will not receive spam digest and overrides Group setting.
MAC Binding (Not applicable to Clientless Group) | Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses.
L2TP (Not applicable to Clientless Group) | Enable if group users can get access through L2TP connection
PPTP (Not applicable to Clientless Group) | Enable if group users can get access through PPTP connection
Login Restriction (Not applicable to Clientless Group) | Select the appropriate option to specify the login restriction for the user group. Available Options: Any Node - Select to allow user to login from any of the nodes in the network. Selected Nodes - Select to allow user to login from the specified nodes only. Specify IP address and click Add icon to add more nodes and remove icon to delete nodes. Node Range - Select to allow range of IP Address. Specify IP Address range.
Add Member(s) Button | Click the Add Member(s) button to add users to the current group. A pop-up window is displayed and a list of users with their username and group are seen. Select all the users that are to be added into the group. You can also search for users based on current group and username. Add Member(s) Button is only visible once the group is created.
Show Group Members | Click the Show Group Members button to view the list of users in the current group. You can also search for users based on username. Show Group Members Button is only visible once the group is created.

Table Add Group screen elements

Note
User configuration - MAC binding and policies is given precedence over Group configuration.


Search Groups
Click the Search icon in the Group columns to search for groups with specific Group. Group can be searched on the following criteria: is, is not, contains and does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search Groups

Search Criteria | Search Results
is | All the Groups that exactly match with the string specified in the criteria. For example, if the search string is Test, only Groups with the name exactly matching Test are displayed.
is not | All the Groups that do not match with the string specified in the criteria. For example, if the search string is Test, all Groups except with the name exactly matching Test are displayed.
contains | All the Groups that contain the string specified in the criteria. For example, if the search string is Test, all the Groups containing the string Test are displayed.
does not contain | All the Groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the Groups not containing the string Test are displayed.

Table Search Groups screen elements

Customize Display Columns


By default, User Group page displays details of the user groups in the following columns: Group Name, Web Filter, Application Filter, QoS, Surfing Quota, Access Time, Data Transfer, MAC Binding, L2TP, PPTP and Login Restriction. You can customize the number of columns to be displayed as per your requirement. Go to Identity Groups Group and click on the Select Column list to customize the number of columns to be displayed.

Select the columns to be displayed on the page. You can also select the order in which the columns will be displayed. Drag & drop the column to customize the view in desired order.

Users
Users are identified by an IP address or a user name and assigned to a user group. All the users in a group inherit the policies defined for that group.

Media Access Control (MAC) address is a unique identifier (hardware address) assigned to a host by the manufacturer for identification and is intended to be immutable. MAC addresses are 48-bit values that are expressed in 6-byte hex notation separated by colons, for example 01:23:45:67:89:AB.

To improve the security of your network and provide spoofing protection, you can enable User-MAC address binding. By binding User to MAC address, you are mapping user with a group of MAC addresses. It means a user would be able to login through a group of pre-specified machines only, making it more difficult for a hacker using random MAC addresses or spoofing a MAC address to gain access to your network.

User types
Cyberoam supports five types of Users:
- Normal
- Clientless
- Single Sign on
- Thin Client User
- WWAN User

Normal User has to log on to Cyberoam. Requires Cyberoam client (client.exe) on the User machine or user can use HTTP Client component, and all the policy-based restrictions are applied.

Clientless User does not require Cyberoam client component (client.exe) on the User machine. Symbolically represented as User name (C).

If User is configured for Single sign on, whenever User logs on to Windows, he/she is automatically logged on to Cyberoam. Symbolically represented as User name (S).

Use the decision matrix below to choose which type of user should be created.

Decision matrix for creation of User

Feature | Normal User | Clientless User | Single Sign on User
User Login required | Yes | No | No
Type of Group: Normal | Yes | No | Yes
Type of Group: Clientless | No | Yes | No
Apply Login restriction | Yes | Yes | Yes
Apply Surfing Quota policy | Yes | No | No
Apply Access Time policy | Yes | No | No
Apply QoS policy | Yes | Yes | Yes
Apply Web Filter Policy | Yes | Yes | Yes
Apply Application Filter policy | Yes | Yes | Yes
Apply Data Transfer policy | Yes | No | Yes

To manage users, go to Identity User User. You can:
- Add
- View
- Import
- Export - Click the Export button to download the user details in a CSV file.
- Edit - Click the Edit icon in the Manage column against the User to be modified. Edit User page is displayed which has the same parameters as the Add User window.
- Change Status - User Status can be changed from connected to disconnected and vice versa. Select the users and click the Change Status button.
- Search
- Customize Display Columns - Click the Select Columns list to customize the columns to be displayed. By default, all the columns are selected and visible. You can uncheck the checkbox against the column which is not to be displayed.
- Delete - Click the Delete icon in the Manage column against a User to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the User. To delete multiple Users, select them and click the Delete button.

Manage Users
To manage users, go to Identity User User.

Screen Manage Users

Screen Elements | Description
Add Button | Add a new User.
User ID | Unique user id for the user.
Name | Name for the User.
Username | Unique username to identify the user.
Type | Type of User selected: User or Administrator.
Profile | Profile applied to the Administrator if the User Type is Administrator.
Group | User Group under which user is placed. Point to the group link to view or edit the group details.
Status | Status of the User: - Deactive user; - Active user
Web Filter Policy | Web Filter Policy applied. Point to the policy link to view or edit the policy details.
Application Filter Policy | Application Filter Policy applied. Point to the policy link to view or edit the policy details.
Surfing Quota Policy | Surfing Quota Policy applied to the user. Point to the policy link to view or edit the policy details.
Access Time Policy | Access Time Policy applied. Point to the policy link to view or edit the policy details.
Data Transfer Policy | Data Transfer Policy applied to the user. Point to the policy link to view or edit the policy details.
QoS Policy | QoS Policy applied to the user. Point to the policy link to view or edit the policy details.
MAC Binding | - If MAC Binding disabled; - If MAC Binding enabled
L2TP | - If L2TP Configuration disabled; - If L2TP Configuration enabled
PPTP | - If PPTP Configuration disabled; - If PPTP Configuration enabled
Login Restriction | Login Restriction applied Any, User Group Nodes, Selected Nodes or Range.
MAC Address | MAC Address list
Edit Icon | Edit the User
Delete Button | Delete the User. Alternately, click the delete icon against the user you want to delete.

Table Manage Users screen elements


User Parameters
To add or edit user details, go to Identity User User. Click Add Button to register a new user. To update the details, click on the username or Edit icon in the Manage column against the user you want to modify.

Screen Add User

Screen Elements | Description
Username | Specify username, which uniquely identifies user and will be used for login.
Name | Specify Name of the User
Password | Specify Password
Confirm Password | Specify Password again for confirmation. You must use the same spelling. Password is case sensitive.
User Type | Click User Type list to select the type of user. Available options: User or Administrator
Profile | Select the Profile from the list. This option is only available for Administrator user type. Depending on user group type default Web Admin Console access control will be applied. You can create a new profile directly from this page itself and attach to the user.
Email | Specify Email ID of the user
Policies
Group | Select Group in which user is to be added. User will inherit all the policies assigned to the group.
Web Filter | Select the Web Filter Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Application Filter | Select the Application Filter Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Surfing Quota | Select the Surfing Quota Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Access Time | Select the Access Time Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Data Transfer | Select the Data Transfer Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
QoS | Select the QoS Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
SSL VPN (Option not available for Cyberoam CR15i models) | Select SSL VPN policy from the dropdown list. If user is not to be provided the SSL VPN access then select No Policy Applied.
L2TP | Enable if you want to allow user to get access through L2TP connection
PPTP | Enable if you want to allow user to get access through PPTP connection
Spam Digest (Option not available for Cyberoam CR15i models) | Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam will mail the spam digest every day to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Available Options: Enable - User will receive the spam digest daily and overrides Group setting. Disable - User will not receive spam digest and overrides Group setting.
Simultaneous Logins | Specify number of concurrent logins that will be allowed to user OR Click Unlimited for allowing unlimited Concurrent logins. Note: The specified setting will override the global setting specified in the client preferences.
MAC Binding | Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses.
MAC Address List | Specify MAC addresses, for example 01:23:45:67:89:AB. Once you enable MAC binding, user will be able to login through prespecified machines only. To configure multiple MAC addresses use comma, for example 01:23:45:67:89:AB, 01:23:45:67:89:AC, or specify each address in new line.
Login Restriction | Select the appropriate option to specify the login restriction for the user. Available Options: Any Node - Select to allow user to login from any of the nodes in the network. User Group Node(s) - Select to allow user to login only from the nodes assigned to the group. Selected Nodes - Select to allow user to login from the specified nodes only. Specify IP address and click Add icon to add more nodes and remove icon to delete nodes. Node Range - Select to allow range of IP Address. Specify IP Address range.

Table Add User screen elements

Note
User configuration is given precedence over Group configuration i.e. User MAC binding and policies configuration is given priority over Group configuration.
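
How the MAC Address List and Login Restriction settings combine with the user-over-group precedence rule at login time, as an added example: a model for auditing configurations, not Cyberoam's own code. The dictionary layout, the function names and the convention that None means "inherit the group value" are assumptions; the group, users and addresses are constructed.

```python
import ipaddress
import re

# The guide's MAC format: six colon-separated hex bytes, e.g. 01:23:45:67:89:AB
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

# Constructed sample configuration (hypothetical layout).
GROUP = {"mac_binding": True,
         "login_restriction": {"type": "range",
                               "start": "192.168.1.10", "end": "192.168.1.50"}}
ALICE = {"mac_binding": None,                      # None: inherit from group
         "mac_list": "01:23:45:67:89:AB, 01:23:45:67:89:ac\n01-23-45-67-89-AD",
         "login_restriction": {"type": "group"}}   # User Group Node(s)
BOB = {"mac_binding": False,                       # user-level override
       "login_restriction": {"type": "any"}}       # Any Node


def parse_mac_list(text):
    """Split a MAC Address List field (commas or new lines) into
    (valid entries, upper-cased and de-duplicated; rejected entries)."""
    valid, rejected = [], []
    for item in re.split(r"[,\n]", text or ""):
        item = item.strip()
        if not item:
            continue
        if MAC_RE.fullmatch(item):
            if item.upper() not in valid:
                valid.append(item.upper())
        else:
            rejected.append(item)
    return valid, rejected


def node_allowed(restriction, src_ip, group_restriction=None):
    """Evaluate one Login Restriction option against a source IP."""
    ip = ipaddress.ip_address(src_ip)
    kind = restriction["type"]
    if kind == "any":
        return True
    if kind == "group":
        # Fall back to the group's nodes; a group cannot itself be "group".
        if group_restriction is None or group_restriction["type"] == "group":
            raise ValueError("group restriction must be any, selected or range")
        return node_allowed(group_restriction, src_ip)
    if kind == "selected":
        return ip in {ipaddress.ip_address(n) for n in restriction["nodes"]}
    if kind == "range":
        low = ipaddress.ip_address(restriction["start"])
        high = ipaddress.ip_address(restriction["end"])
        return low <= ip <= high
    raise ValueError("unknown login restriction: %r" % kind)


def login_decision(user, group, src_ip, src_mac):
    """Return (allowed, reason). User settings take precedence over group."""
    binding = user.get("mac_binding")
    if binding is None:
        binding = group.get("mac_binding", False)
    if binding:
        allowed_macs, _rejected = parse_mac_list(user.get("mac_list", ""))
        # An empty or fully malformed list denies every login (fail closed).
        if src_mac.strip().upper() not in allowed_macs:
            return False, "MAC address not bound to this user"
    restriction = user.get("login_restriction") or group["login_restriction"]
    if not node_allowed(restriction, src_ip, group["login_restriction"]):
        return False, "source IP outside login restriction"
    return True, "allowed"
```

BOB shows why per-user overrides deserve review: one user-level Any Node setting with MAC binding disabled lifts both the group's IP range and its MAC binding for that account.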

Import User Information


If you already have User details in a CSV file, you can upload the CSV file instead of creating the users again in Cyberoam. Click the Import Button to import Users File. Select the complete path for migrating users information file.

CSV file format and processing:
1. Header (first) row should contain field names. Format of header row:
2. Compulsory first field: username, name
3. Optional fields in any order: password, name, groupname, mailquota
4. Subsequent rows should contain values corresponding to each field in the header row
5. Number of fields in each row should be the same as in the header row
6. Error will be displayed if data is not provided for any field specified in the header
7. Blank rows will be ignored
8. If password field is not included in the header row then it will be set the same as username
9. If groupname is not included in the header row, administrator will be able to configure group at the time of migration
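
A pre-import check for this CSV format, as an added example (not Cyberoam's own code). Besides the format rules, it flags the consequence of rule 8: without a password field every imported account gets its username as its password. It assumes username is the compulsory first column and the other listed fields are optional; the function name, severity labels and sample rows are constructed.

```python
import csv
import io

# Field names as listed in the guide's CSV rules.
COMPULSORY_FIRST = "username"     # assumption: the one mandatory first column
OPTIONAL_FIELDS = {"password", "name", "groupname", "mailquota"}

# Constructed sample: no password column, a blank row, a short row,
# an empty value and a repeated username.
SAMPLE = (
    "username,name,groupname\n"
    "alice,Alice A,Staff\n"
    "\n"
    "bob,Bob B\n"
    "carol,,Staff\n"
    "alice,Alice Again,Staff\n"
)


def check_import_csv(text):
    """Check a user-import CSV; return (users, findings).

    users    : accepted rows as dicts, plus a 'default_password' flag
    findings : (line_number, severity, message) tuples
    """
    users, findings = [], []
    reader = csv.reader(io.StringIO(text))
    rows = []
    for raw in reader:
        cells = [c.strip() for c in raw]
        if any(cells):                              # rule 7: blank rows ignored
            rows.append((reader.line_num, cells))
    if not rows:
        return users, [(0, "error", "file has no header row")]

    hline, header = rows[0]
    header = [h.lower() for h in header]
    if header[0] != COMPULSORY_FIRST:
        findings.append((hline, "error", "first field must be 'username'"))
    unknown = [h for h in header
               if h != COMPULSORY_FIRST and h not in OPTIONAL_FIELDS]
    if unknown:
        findings.append((hline, "error", "unknown field(s): %r" % unknown))
    if len(set(header)) != len(header):
        findings.append((hline, "error", "field repeated in header"))
    if findings:
        return users, findings                      # header unusable, stop here

    has_password = "password" in header
    if not has_password:                            # rule 8
        findings.append((hline, "warning",
                         "no password field: each password is set to the username"))
    if "groupname" not in header:                   # rule 9
        findings.append((hline, "info",
                         "no groupname field: group is chosen at migration time"))

    seen = set()
    for line, row in rows[1:]:
        if len(row) != len(header):                 # rule 5
            findings.append((line, "error", "expected %d fields, got %d"
                             % (len(header), len(row))))
            continue
        record = dict(zip(header, row))
        empty = [k for k, v in record.items() if not v]
        if empty:                                   # rule 6
            findings.append((line, "error", "no data for: " + ", ".join(empty)))
            continue
        if record["username"] in seen:              # username must be unique
            findings.append((line, "error", "username already used in this file"))
            continue
        seen.add(record["username"])
        # Added hardening check, not a rule from the guide.
        if has_password and record["password"] == record["username"]:
            findings.append((line, "warning", "password equals username"))
        record["default_password"] = not has_password
        users.append(record)
    return users, findings
```

Accounts returned with default_password set to True are the ones to put on a forced password change list before the import goes live.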

Search User, User Name or User Group


Click the Search icon in the Name, Username or Group columns to search for users with specific name, username or Group. All the columns can be searched on the following criteria: is, is not, contains and does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search User / Username / Group

Search Criteria | Search Results
is | All the Names/Usernames/Groups that exactly match with the string specified in the criteria. For example, if the search string is Test, only Names/Usernames/Groups with the name exactly matching Test are displayed.
is not | All the Names/Usernames/Groups that do not match with the string specified in the criteria. For example, if the search string is Test, all Names/Usernames/Groups except with the name exactly matching Test are displayed.
contains | All the Names/Usernames/Groups that contain the string specified in the criteria. For example, if the search string is Test, all the Names/Usernames/Groups containing the string Test are displayed.
does not contain | All the Names/Usernames/Groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the Names/Usernames/Groups not containing the string Test are displayed.

Table Search User screen elements

Customize Display Columns


By default, User page displays details of the users in the following columns: User ID, Name, Type, Profile, Group, Status, Web Filter, Application Filter, QoS, Surfing Quota, Access Time, Data Transfer, MAC Binding, L2TP, PPTP, Login Restriction and MAC Address. You can customize the number of columns to be displayed as per your requirement. Go to Identity Users User and click on the Select Column list to customize the number of columns to be displayed.

Select the columns to be displayed on the page. You can also select the order in which the columns will be displayed. Drag & drop the column to customize the view in desired order.

Clientless User
Clientless Users are the users who can bypass Cyberoam Client login to access Internet and are managed by Cyberoam server itself. It is possible to add a single clientless user or multiple users. As clientless users can bypass Cyberoam login, create clientless users when your network has a few non-Windows machines, VOIP boxes or servers.

To manage Clientless users, go to Identity User Clientless User. You can:
- Add
- Add Range
- View
- Edit - Click the Edit icon in the Manage column against the Clientless User to be modified. Edit Clientless User page is displayed which has the same parameters as the Add Clientless User window.
- Customize Display Columns - Click the Select Columns list to customize the columns to be displayed. By default, all the columns are selected and visible. You can uncheck the checkbox against the column which is not to be displayed.
- Change Status - Clientless User Status can be changed from connected to disconnected and vice versa. Select the users and click the Change Status button.
- Search
- Delete - Click the Delete icon in the Manage column against a User to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the User. To delete multiple Users, select them and click the Delete button.

Manage Clientless Users


To manage Clientless users, go to Identity User Clientless User.

Screen Manage Clientless Users

Screen Elements | Description
Add Button | Add a new Clientless User.
ID | User ID for Clientless User.
Username | Unique username to identify the User.
Group | Group Name to which user belongs.
Status | Status of the Clientless User: - Deactive user; - Active user
Name | Name of the user.
Web filter | Web filter policy to be applied to the traffic. You can also view and edit the details of web filter policy from the Clientless User Page itself.
Application filter | Application filter policy to be applied to the traffic. You can also view and edit the details of application filter policy from the Clientless User Page itself.
QoS | QoS policy to be applied to the traffic. You can also view and edit the details of QoS policy from the Clientless User Page itself.
Spam Digest | Configured Digest Setting: Enable, Disable or Apply Groups Setting.
Edit Icon | Edit the Clientless User
Delete Button | Delete the Clientless User. Alternately, click the delete icon against the clientless user you want to delete.

Table Manage Clientless Users screen elements

Clientless User Parameters


To add or edit clientless user details, go to Identity User Clientless User. Click Add Button to register a new clientless user or Edit Icon to modify the details of the clientless user.


Screen Add Clientless User

Screen Elements | Description
Username | Specify username, which uniquely identifies user and will be used for login.
IP Address | Specify IP Address.
Group | Select Group for Clientless User.
Name | Name of the User.
Email | Specify Email ID.
Spam Digest (Option not available for Cyberoam CR15i models) | Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam will mail the spam digest every day to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Available Options: Enable - User will receive the spam digest daily and overrides Group setting. Disable - User will not receive spam digest and overrides Group setting. Apply Groups Settings - User will receive Spam Digests as per configured for the Group user belongs to.
Add Icon | Click the Add Icon to add a new Clientless User.
Remove Icon | Click the Remove Icon to delete a Clientless User

Table Add Clientless user screen elements

You can change the policies applied to the user by updating the user details. If you change the policies for the user, user specific policies will take precedence over user group policies.

Change Policies Parameters


To change the policies applied to the clientless user, go to Identity User Clientless User and click Edit icon against the user whose policies are to be changed.


Screen Add Clientless User (Change Policies)

Screen Elements | Description
Username | Name with which user logs in.
Name | Name of the User
IP Address | IP Address from which user logs in
Group | Group in which user is added. User will inherit all the policies assigned to the group. Change the group, if required
Email | Email ID of the user.
Policies
Web Filter | Web filter policy applied to the user. Change the policy, if required. Policy applied here will take the precedence over the group policy.
Application filter | Application filter policy applied to the user. Change the policy, if required. Policy applied here will take the precedence over the group policy.
QoS | QoS Policy applied to the user. Change the policy, if required. Policy applied here will take the precedence over the group policy.
Spam Digest (Option not available for Cyberoam CR15i models) | Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam will mail the spam digest every day to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Available Options: Enable - User will receive the spam digest daily and overrides Group setting. Disable - User will not receive spam digest and overrides Group setting.

Table Edit Clientless User screen elements

Add Multiple Clientless Users


To add multiple Clientless users, go to Identity User Clientless User and click Add Range button to configure following parameters:


Screen Add Multiple Clientless User

Screen Elements | Description
From | Specify Starting IP Address for the range
To | Specify Ending IP Address for the range.
Group | Select Group for users. Users will inherit all the policies assigned to the group. You can change the policies applied to the user by updating the user details. If you change the policies for the user, user specific policies will take precedence over user group policies. Refer to Change Policies to change the policies.

Table Add Multiple Clientless User screen elements

Search User, User Name or User Group


Click the Search icon in the Name, Username or Group columns to search for clientless users with specific name, username or Group. All the columns can be searched on the following criteria: is, is not, contains and does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search User / Username / Group

Search Criteria | Search Results
is | All the Names/Usernames/Groups that exactly match with the string specified in the criteria. For example, if the search string is Test, only Names/Usernames/Groups with the name exactly matching Test are displayed.
is not | All the Names/Usernames/Groups that do not match with the string specified in the criteria. For example, if the search string is Test, all Names/Usernames/Groups except with the name exactly matching Test are displayed.
contains | All the Names/Usernames/Groups that contain the string specified in the criteria. For example, if the search string is Test, all the Names/Usernames/Groups containing the string Test are displayed.
does not contain | All the Names/Usernames/Groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the Names/Usernames/Groups not containing the string Test are displayed.

Table Search Clientless User screen elements

Customize Display Columns


By default, Clientless User page displays details of the rule in the following columns: Group Name, Web Filter, Application Filter, QoS, Surfing Quota, Access Time, Data Transfer, MAC Binding, L2TP, PPTP and Login Restriction. You can customize the number of columns to be displayed as per your requirement. Go to Identity Users Clientless User and click on the Select Column list to customize the number of columns to be displayed.

Select the columns to be displayed on the page. You can also select the order in which the columns will be displayed. Drag & drop the column to customize the view in desired order.

Policy
Cyberoam allows controlling access to various resources with the help of Policy. Cyberoam allows defining following types of policies:
1. Schedule Internet access for individual users by defining Access Time Policy. (See Access time policy for more details)
2. Control individual user surfing time by defining Surfing quota policy. (See Surfing quota policy for more details)
3. Limit total as well as individual upload and/or download data transfer by defining data transfer policy. (See Data transfer policy for more details)

Cyberoam comes with several predefined policies. These predefined policies are immediately available for use until configured otherwise.

Access Time Policy


Access time is the time period during which user can be allowed/denied the Internet access. An example would be only office hours access for a certain set of users. Access time policy enables you to set the time interval - days and time - for the Internet access with the help of schedules. See Schedules for more details.

A time interval defines days of the week and times of each day of the week when the user will be allowed/denied the Internet access.

Two strategies based on which Access time policy can be defined:
- Allow strategy - By default, allows access during the schedule
- Deny strategy - By default, disallows access during the schedule

Cyberoam comes with the following predefined policies: Allowed all the time, Denied all the time, Allowed only during Work Hours, Denied during Work hours. These predefined policies are immediately available for use until configured otherwise. You can also define custom policies to define different levels of access for different users to meet your organization's requirements.

To manage Access Time Policies, go to Identity Policy Access Time. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Policy to be modified. Edit Policy pop-up window is displayed which has the same parameters as the Add Policy window.
- Delete - Click the Delete icon in the Manage column against a Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Policy. To delete multiple Policies, select them and click the Delete button.

Manage Access Time Policies


To manage Access Time Policies, go to Identity Policy Access Time.

Screen Manage Access Time Policy

Screen Elements | Description
Add Button | Add a new Access Time Policy
Name | Name for the Policy
Strategy | Type of Strategy selected: Allow or Deny
Schedule | Type of Schedule selected
Description | Policy Description
Edit Icon | Edit the Access Time Policy
Delete Button | Delete the Access Time Policy. Alternately, click on the delete icon against the policy you want to delete.

Table Manage Access Time Policies screen elements

Access Time Policy Parameters


To add or edit an access time policy, go to Identity Policy Access Time. Click the Add button to add a new policy. To update the details, click on the policy or Edit icon in the Manage column against the policy you want to modify.

Screen Add Access Time Policy


Screen Elements | Description
Name | Name to identify the Policy
Strategy | Specify strategy to be applied during the scheduled time interval. Available Options: Allow - Allows the Internet access during the scheduled time interval. Deny - Does not allow the Internet access during the scheduled time interval.
Schedule | Select Schedule. Only Recurring schedule can be applied. Depending on the policy strategy, access will be allowed/denied for the scheduled time interval.
Description | Specify Policy Description

Table Add Access Time Policy screen elements

Note
Changes made in the policy become effective immediately on saving the changes.

Surfing Quota Policy


Surfing quota policy defines the duration of Internet surfing time. Surfing time duration is the allowed time in hours for a Group or an Individual User to access Internet.

Surfing quota policy:
- Allows allocating Internet access time on a cyclic or non-cyclic basis.
- Single policy can be applied to number of Groups or Users.

Cyberoam comes with the following predefined policies: Unlimited Internet Access, 1 Month Unlimited Access, 1 month 100 hours, Monthly 100 hours Cyclic, Daily 1 hour Cyclic, Weekly 7 hours Cyclic. These predefined policies are immediately available for use until configured otherwise. You can also define custom policies to define different levels of access for different users to meet your organization's requirements.

To manage surfing quota policies, go to Identity Policy Surfing Quota. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Policy to be modified. Edit Policy pop-up window is displayed which has the same parameters as the Add Policy window.
- Delete - Click the Delete icon in the Manage column against a Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Policy. To delete multiple policies, select them and click the Delete button.

Manage Surfing Quota Policies


To manage surfing quota policies, go to Identity Policy Surfing Quota.


Screen Manage Surfing Quota Policy

Screen Elements | Description
Add Button | Add a new Surfing Quota Policy
Name | Name for the Policy
Time Allowed | Maximum Time for which the policy is active
Days Allowed | Maximum number of days for which the policy is active
Cycle Type | Type of Cycle: Cyclic or Non-Cyclic
Cycle Time | Hours for which the cycle is active
Description | Policy Description
Edit Icon | Edit the Surfing Quota Policy
Delete Button | Delete the Surfing Quota Policy. Alternately, click on the delete icon against the policy you want to delete.

Table Manage Surfing Quota Policies screen elements

Surfing Quota Policy Parameters


To add or edit a surfing quota policy, go to Identity > Policy > Surfing Quota. Click the Add button to add a new policy. To update the details, click on the policy or the Edit icon in the Manage column against the policy you want to modify.


Screen - Add Surfing Quota Policy

Screen Elements - Description
Name - Name to identify the Policy. Duplicate names are not allowed.
Cycle Type - Select Cycle type. Available Options:
  Cyclic - Restricts surfing hours up to cycle hours defined on predefined time duration.
  Non Cyclic - Surfing hour restriction is defined by total allotted days and time.
Cycle Hours - Specify Cycle Hours. Cycle hours define the upper limit of surfing hours for cyclic types of policies i.e. Daily, Weekly, Monthly and Yearly. At the end of each Cycle, cycle hours are reset to zero i.e. for Weekly Cycle type, cycle hours will reset to zero every week even if cycle hours are unused. Cycle Hours cannot be configured if Cycle Type is non cyclic.
Validity - Specify Validity in number of days. Validity defines the upper limit of total surfing days allowed i.e. restricts total surfing days to valid allotted days. OR Click Unlimited Days, if you do not want to restrict the total surfing days.
Maximum Hours - Specify Maximum Hours. Maximum hours define the upper limit of total surfing hours allowed i.e. restricts total surfing hours to maximum hours. OR Click Unlimited Hours, if you do not want to restrict the total surfing hours.
Description - Specify Policy Description

Table - Add Surfing Quota Policy screen elements


Data Transfer Policy


Once the user logs on, bandwidth is available and the total available bandwidth is shared among all the users active at that time. Bandwidth being a limited resource, bandwidth shortage and congestion problems are common. Cyberoam allows limiting the data transfer allowed to an individual user according to the requirement. Bandwidth is limited using the Bandwidth policy, while the data transfer policy defines the upper limit for data transfer carried out by the user.

Data transfer policy:
- Allows limiting data transfer on a cyclic or non-cyclic basis.
- A single policy can be applied to a number of Groups or Users.

Data transfer restriction can be based on:
- Total Data transfer (Upload+Download)
- Individual Upload and/or Download

Cyberoam comes with the following predefined policies: 100 MB Total Data Transfer policy, Daily 10 MB. These predefined policies are immediately available for use until configured otherwise. You can also define custom policies to define different levels of access for different users to meet your organization's requirements.

To manage data transfer policies, go to Identity > Policy > Data Transfer. You can:
- Add
- View
- Edit - Click the Edit icon in the Manage column against the Policy to be modified. The Edit Policy pop-up window is displayed, which has the same parameters as the Add Policy window.
- Delete - Click the Delete icon in the Manage column against a Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Policy. To delete multiple policies, select them and click the Delete button.

Manage Data Transfer Policies


To manage data transfer policies, go to Identity > Policy > Data Transfer.

Screen - Manage Data Transfer Policy

Screen Elements - Description
Add Button - Add a new Data Transfer Policy
Name - Name for the Policy
Cycle Type - Type of Cycle: Cyclic or Non-Cyclic
Absolute Limit - Absolute Data transfer limit in MB including upload, download and total data transfer
Cycle Limit - Cyclic Data transfer limit in MB including upload, download and total data transfer
Edit Icon - Edit the Data Transfer Policy
Delete Button - Delete the Data Transfer Policy. Alternately, click the delete icon against the policy you want to delete.

Table - Manage Data Transfer Policies screen elements

Data Transfer Policy Parameters


To add or edit a data transfer policy, go to Identity > Policy > Data Transfer. Click the Add button to add a new policy. To update the details, click on the policy or the Edit icon in the Manage column against the policy you want to modify.

Screen - Add Data Transfer Policy

Screen Elements - Description
Name - Name to identify the Policy. Duplicate names are not allowed.
Restriction Based On - Specify whether the data transfer restriction is on total data transfer or on individual data transfer (upload and download).
Cycle Type - Select Cycle type. Available Options:
  Cyclic - Restricts surfing hours up to cycle hours defined on predefined time duration.
  Non Cyclic - Surfing hour restriction is defined by total allotted days and time duration.

Based on the options selected for the Restriction and Cycle Type, specify the following details.

Restriction based on Total Data Transfer and Cyclic Policy
Cycle Period - Specify Cycle Period. Cycle period defines the duration for cyclic types of policies i.e. Day, Week, Month and Year.
Cycle Data Transfer - Specify Cycle Data Transfer limit. It is the limit of data transfer allowed to the user per cycle. User will be disconnected if limit is reached. OR If you do not want to restrict data transfer per cycle, click Unlimited Cycle Data transfer.
Maximum Data Transfer - Specify Maximum Data Transfer limit. It is the data transfer allowed to the user and if the limit is reached, user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum data transfer, click Unlimited Maximum Data Transfer.

Restriction based on Total Data Transfer and Non-Cyclic Policy
Maximum Data Transfer - Specify Maximum Data Transfer limit. It is the data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum data transfer, click Unlimited Maximum Data Transfer.

Restriction based on Individual Data Transfer and Cyclic Policy
Cycle Period - Specify Cycle Period. Cycle period defines the duration for cyclic types of policies i.e. Day, Week, Month and Year.
Cycle Upload Data Transfer - Specify Cycle Upload Data Transfer limit. It is the upper limit of upload data transfer allowed to the user per cycle. User will be disconnected if limit is reached. OR If you do not want to restrict upload data transfer per cycle, click Unlimited Cycle Upload Data transfer.
Cycle Download Data Transfer - Specify Cycle Download Data Transfer limit. It is the upper limit of download data transfer allowed to the user per cycle. User will be disconnected if limit is reached. OR If you do not want to restrict download data transfer per cycle, click Unlimited Cycle Download Data transfer.
Maximum Upload Data Transfer - Specify Maximum Upload Data Transfer limit. It is the maximum upload data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum upload data transfer, click Unlimited Upload Data Transfer.
Maximum Download Data Transfer - Specify Maximum Download Data Transfer limit. It is the maximum download data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum download data transfer, click Unlimited Download Data Transfer.

Restriction based on Individual Data Transfer and Non-Cyclic Policy
Maximum Upload Data Transfer - Specify Maximum Upload Data Transfer limit. It is the maximum upload data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum upload data transfer, click Unlimited Upload Data Transfer.
Maximum Download Data Transfer - Specify Maximum Download Data Transfer limit. It is the maximum download data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed. OR If you do not want to restrict maximum download data transfer, click Unlimited Download Data Transfer.

Description - Specify Policy Description

Table - Add Data Transfer Policy screen elements

Note
Maximum data transfer limit cannot be greater than Cycle data transfer limit.


Live Users
Live users in Cyberoam can be managed from a single page. All the active normal users, clientless users and single sign on users are visible from the Live Users page. Administrator can disconnect these users from this page directly.

User types
Cyberoam supports five types of Users:
- Normal - Normal User has to log on to Cyberoam. Requires Cyberoam client (client.exe) on the User machine or user can use HTTP Client component, and all the policy-based restrictions are applied.
- Clientless - Clientless does not require Cyberoam client component (client.exe) on the User machines. Symbolically represented as User name (C).
- Single Sign on - If User is configured for Single sign on, whenever User logs on to Windows, he/she is automatically logged on to Cyberoam. Symbolically represented as User name (S).
- Thin Client User - If the User is a thin client user, whenever user logs on, he/she is visible on Live Users page as User name (T).
- WWAN User - If a wireless user is configured and connected, he/she is visible on Live User page as User name (W).

Identity > Live Users
Live Users page displays list of currently logged on users and their important parameters. You can:
- View
- Edit - Click the Edit icon in the Manage column against the Live User to be modified. The Edit User pop-up window is displayed. Live user details can be updated from this page itself.
- Search
- Disconnect - Click the Disconnect icon in the Manage column against a live user to be disconnected. A dialog box is displayed asking you to specify a customized message for the user that is to be disconnected. Click OK to disconnect the User. To disconnect multiple live users, select them and click the Disconnect button.

Manage Live Users


To view and disconnect live users in Cyberoam, go to Identity > Live Users > Live User.

Screen Live Users

Screen Elements User ID Username

Description User ID for User. Unique username to identify the User.


Client Type Host ID MAC Address Start Time Upload / Download Data Transfer Rate (bits/sec) Edit Icon Disconnect

Group Name to which user belongs. IP address from which user has logged on MAC address of the machine from which user had logged in. Displayed only if configured. Session start time or login time Data uploaded and Download during the sessions Bandwidth used during the session Edit the Live User Disconnect the Live User

Table Manage Live Users screen elements

Live User Parameters


To edit user details, go to Identity > User > Live User. Click the Edit icon to modify the details of the live user.

Screen - Edit Live User

Screen Elements - Description
Username - Specify username, which uniquely identifies user and will be used for login.
Name - Name of the User
IP Address - Specify IP Address.
Group - Select Group for Clientless User.
Email - Specify Email ID.

Policies
Web filter - Select the Web filter policy. You can also add and edit the details of web filter policy from the Clientless User Page itself. But, policy details can only be modified once the User is created. By default, Allow All Web filter Policy is applied to the user.
Application filter - Select the Application filter policy. You can also add and edit the details of application filter policy from the Clientless User Page itself. But, policy details can only be modified once the User is created. By default, Allow All Application filter Policy is applied to the user.
Surfing Quota (Not applicable to Clientless user) - Select the Surfing Quota Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Access Time (Not applicable to Clientless user) - Select the Access Time Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
Data Transfer (Not applicable to Clientless user) - Select the Data Transfer Policy from the list. You can also create a new policy directly from this page itself and attach to the user.
QoS - Select the QoS Policy. You can also add and edit the details of QoS policy from the Clientless User Page itself. But, policy details can only be modified once the User is created.
L2TP (Not applicable to Clientless user) - Enable if you want to allow user to get access through L2TP connection.
PPTP (Not applicable to Clientless user) - Enable if you want to allow user to get access through PPTP connection.
Simultaneous Logins (Not applicable to Clientless user) - Specify number of concurrent logins that will be allowed to user OR Click Unlimited for allowing unlimited Concurrent logins. The specified setting will override the global setting specified in the client preferences.
MAC Binding (Not applicable to Clientless user) - Enable/disable MAC Binding. By binding User to MAC address, you are mapping user with a group of MAC addresses.
MAC Address List (Not applicable to Clientless user) - Specify MAC addresses, for example 01:23:45:67:89:AB. Once you enable MAC binding, user will be able to login through prespecified machines only. To configure multiple MAC addresses use comma. For example 01:23:45:67:89:AB, 01:23:45:67:89:AC
Login Restriction (Not applicable to Clientless user) - Select the appropriate option to specify the login restriction for the user. Available Options:
  Any Node - Select to allow user to login from any of the nodes in the network.
  User Group Node(s) - Select to allow user to login only from the nodes assigned to her group.
  Selected Nodes - Select to allow user to login from the specified nodes only. Specify IP address and click Add icon to add more nodes and remove icon to delete nodes.
  Node Range - Select to allow range of IP Address and specify IP Address range.

Table - Edit Live Users screen elements

Search Live Users


Click the Search icon in the Username columns to search for users with specific username. All the columns can be searched on the following criteria: is, is not, contains and does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Search Criteria - Search Results
is - All the Usernames that exactly match with the string specified in the criteria. For example, if the search string is Test, only Usernames with the name exactly matching Test are displayed.
is not - All the Usernames that do not match with the string specified in the criteria. For example, if the search string is Test, all Usernames except with the name exactly matching Test are displayed.
contains - All the Usernames that contain the string specified in the criteria. For example, if the search string is Test, all the Usernames containing the string Test are displayed.
does not contain - All the Names/Usernames/Groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the Names/Usernames/Groups not containing the string Test are displayed.

Table - Search Live Users screen elements

192/280

Cyberoam User Guide

Firewall

A firewall protects the network from unauthorized access and typically guards the LAN and DMZ networks against malicious access; however, firewalls may also be configured to limit the access to harmful sites for LAN users. The responsibility of the firewall is to grant access from Internet to DMZ or Service Network according to the Rules and Policies configured. It also keeps watch on the state of each connection and denies any traffic that is out of connection state.

Firewall rule provides centralized management of security policies. From a single firewall rule, you can define and manage the entire set of Cyberoam security policies. From the firewall rule, you can:
- Monitor and scan VPN traffic
- Define inbound and outbound access based on source and destination hosts/network
- Enable scanning for HTTP, FTP, SMTP, POP3 or IMAP traffic - for email spam filtering and virus security and also get spyware, malware and phishing protection. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details.
- Define IPS policy - for protection against threats and attacks originating from external world and internal network. To apply IPS policy you need to subscribe for Intrusion Prevention System module. Refer to Licensing section for details.
- Attach Gateway routing policy - for load balancing and gateway failover protection in case of multiple gateways
- Define Web filtering policy - for web access control and block access to inappropriate web sites. To control access based on custom web categories, you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.
- Define Applications filtering policy - for controlling access to applications like IM and P2P, VOIP. To control access based on custom web categories, you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.
- Schedule access
- Attach QoS policy - to control and schedule bandwidth usage per user, group or prioritize bandwidth usage for particular application.

How it works
Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule, Cyberoam decides on how to process the access request. When Cyberoam receives the request, it checks for the source address, destination address and the services and tries to match with the firewall rule. If Identity match is also specified, firewall will search in the Live Users Connections for the Identity check i.e. will check whether the user is allowed access or not. If Identity (User) is found in the Live User Connections and all other matching criteria are fulfilled, access is allowed or denied based on the action configured in the rule. By default, Cyberoam blocks any traffic to LAN.

Default Firewall rules


At the time of deployment, Cyberoam allows you to define one of the following access policies through the Network Configuration Wizard:
- Monitor only
- General Internet policy
- Strict Internet policy

Default firewall rules for Monitor only policy
1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying following policies:
   - Web Filter & Application Filter policy - User specific
   - QoS policy - User specific
   - Anti Virus & Anti Spam policy - Allows SMTP, POP3, IMAP and HTTP traffic without scanning
2. Masquerade and allow entire LAN to WAN traffic for all the users without scanning SMTP, POP3, IMAP and HTTP traffic

Default firewall rules for General Internet policy
1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying following policies:
   - Web Filter & Application Filter policy - User specific
   - QoS - User specific
   - Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic
2. Masquerade and allow entire LAN to WAN traffic for all the users after applying following policies:
   - Web Filter & Application Filter Policy - Applies General Corporate Policy to block Porn, Nudity, AdultContent, URL TranslationSites, Drugs, CrimeandSuicide, Gambling, MilitancyandExtremist, PhishingandFraud, Violence, Weapons categories
   - IPS - General policy
   - Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

Default firewall rules for Strict Internet policy
1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying following policies:
   - Web Filter & Application Filter Policy - User specific
   - QoS - User specific
   - IPS - General policy
   - Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic
2. Drop entire LAN to WAN traffic for all the users

Note
Default Firewall rules can be modified but cannot be deleted. IPS policy will not be effective until the Intrusion Prevention System (IPS) module is subscribed. Virus and Spam policy will not be effective until the Gateway Anti Virus and Gateway Anti-spam modules are subscribed respectively.


If Access Policy is not set through Network Configuration Wizard at the time of deployment, the entire traffic is dropped. Additional firewall rules for any of the zones can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as FTP from the LAN to the WAN, or allow certain types of traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols such as Telnet to authorized users on the LAN. Custom rules evaluate network traffic's source IP addresses, destination IP addresses, User and IP protocol types, and compare the information to access rules created on the Cyberoam appliance. Custom rules take precedence, and override the default Cyberoam firewall rules.


Rule
Cyberoam's Identity based firewall allows creation of firewall rules embedding user identity into the firewall rule matching criteria. It also allows binding identity and device by embedding the device MAC address through MAC Host in the firewall rule.

Firewall rule matching criteria now includes:
- Source and Destination Zone and Host. The direction of traffic is determined by source and destination zone. The same zone cannot be defined as both the source and destination zone.
- User
- Service

Attach the following Unified Threat Control policies to the firewall rule as per the defined matching criteria:
- Intrusion Prevention System (IPS)
- Anti Virus
- Anti Spam
- Web Filter
- Application Filter
- QoS
- Routing policy i.e. define user and application based routing

To create a firewall rule, you should:
- Define matching criteria
- Associate action to the matching criteria
- Attach the threat control policies

For example, now you can:
- Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP 192.168.2.22
- Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP 192.168.2.22

Processing of firewall rules is top downwards and the first suitable rule found is applied. Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a general rule might allow a packet that you specifically have a rule written to deny later in the list. When a packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of the rules in the list.


Screen - Firewall Rule

To configure firewall rules, go to Firewall > Rule > Rule. You can:
- Add
- View
- Search
- Edit - Click the Edit icon in the Manage column against the firewall rule to be modified. The Edit firewall rule window is displayed, which has the same parameters as the Add firewall rule window.
- Insert - Click the Insert icon in the Manage column against a firewall rule to insert a new firewall rule between the same source and destination zone. For example, if you have a Firewall rule created from LAN to WAN zone, the new firewall rule can be inserted using the Insert icon having same zones.
- Change Rule order - Rules are ordered by their priority. When the rules are applied, they are processed from the top down and the first suitable rule found is applied. Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a general rule might allow a packet that you specifically have a rule written to deny later in the list. When a packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of the rules in the list.
- Customize Display Columns - Click the Select Column list to customize the columns to be displayed. By default, all the columns are selected and visible. You can uncheck the checkbox against the column which is not to be displayed.
- Clear All Filters - To clear all the search filters applied on the source, destination or identity columns, click the Clear All Filters button. This helps in removing filters on multiple columns at a time.
- View Firewall Rules between two Zones - To view firewall rules for the selected zones, select zones. For example, if you select LAN and WAN, all the firewall rules created for LAN zone to WAN zone will be displayed.
- Delete - Click the Delete icon in the Manage column against a Firewall rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the rule. To delete multiple rules, select them and click the Delete button. Default Firewall rules cannot be deleted.
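The top-down, first-match processing described in the Rule section and under Change Rule order above can be checked mechanically before a rule list is deployed. The following Python model is an added example, not Cyberoam code and not part of the original guide; the Rule class, the function names, the rule names and the 203.0.113.10 destination are assumptions made for illustration.

```python
"""First-match firewall rule evaluation with a shadowed-rule check.

Constructed model for illustration; not Cyberoam code. Rule, decide and
shadowed_rules are hypothetical names, and all addresses are sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                      # "accept", "drop" or "reject"
    src: IPv4Network = ANY_NET
    dst: IPv4Network = ANY_NET
    service: str = "any"
    user: Optional[str] = None       # None: rule has no identity criterion

    def matches(self, pkt, live_users):
        """True if the packet satisfies every matching criterion of the rule."""
        if (pkt["src_zone"], pkt["dst_zone"]) != (self.src_zone, self.dst_zone):
            return False
        if ip_address(pkt["src"]) not in self.src:
            return False
        if ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.service not in ("any", pkt["service"]):
            return False
        if self.user is not None:
            # Identity check: the source IP must belong to a logged-on user.
            return live_users.get(pkt["src"]) == self.user
        return True

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (
            (self.src_zone, self.dst_zone) == (other.src_zone, other.dst_zone)
            and other.src.subnet_of(self.src)
            and other.dst.subnet_of(self.dst)
            and self.service in ("any", other.service)
            and self.user in (None, other.user)
        )


def decide(rules, pkt, live_users):
    """Walk the list top down; the first matching rule decides the packet."""
    for rule in rules:
        if rule.matches(pkt, live_users):
            return rule.name, rule.action
    return "<no rule>", "drop"       # assumption of this model: unmatched traffic is dropped


def shadowed_rules(rules):
    """Return (rule, shadowing_rule, actions_differ) for rules that can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


# Constructed rule set following the guide's examples: Telnet only for an
# authorised user, FTP blocked from LAN to WAN, everything else allowed.
JOHN_TELNET = Rule("john-telnet", "LAN", "WAN", "accept", service="telnet", user="john")
DENY_TELNET = Rule("deny-telnet", "LAN", "WAN", "drop", service="telnet")
DENY_FTP = Rule("deny-ftp", "LAN", "WAN", "drop", service="ftp")
ALLOW_ALL = Rule("allow-lan-wan", "LAN", "WAN", "accept")

ORDERED = [JOHN_TELNET, DENY_TELNET, DENY_FTP, ALLOW_ALL]      # specific before general
MISORDERED = [ALLOW_ALL, JOHN_TELNET, DENY_TELNET, DENY_FTP]   # general rule on top

LIVE_USERS = {"192.168.2.22": "john"}   # source IP -> logged-on user (constructed)


def packet(src, service):
    """Build a constructed LAN-to-WAN packet for the sample runs."""
    return {"src_zone": "LAN", "dst_zone": "WAN", "src": src,
            "dst": "203.0.113.10", "service": service}


if __name__ == "__main__":
    for label, rules in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(label)
        for src, svc in (("192.168.2.22", "telnet"), ("192.168.2.30", "telnet"),
                         ("192.168.2.22", "ftp"), ("192.168.2.30", "http")):
            print("  ", src, svc, "->", decide(rules, packet(src, svc), LIVE_USERS))
        for finding in shadowed_rules(rules):
            print("   shadowed:", finding)
```

With the general rule on top, every deny rule below it is reported as shadowed with a differing action, which is the ordering mistake the guide describes.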


Note
You cannot delete or disable default rules.

Manage Firewall rules


Use to:
- Enable/disable SMTP, POP3, IMAP, FTP and HTTP scanning
- Disable rule
- Delete rule
- Change rule order
- Insert rule
- Select display columns

Firewall rules control the traffic flowing through Cyberoam. Firewall Rule page displays list of firewall rules and provides a way to manage rules. Rules are created for a pair of source and destination zone which determines the traffic direction.

Screen - Manage Firewall Rule

Screen Elements - Description
Add button - Add new firewall rule
ID - Firewall rule ID which is generated automatically at the time of creation
Name - Firewall rule name to identify the firewall rule
Enable - Click to activate/deactivate the rule. If you do not want to apply the firewall rule temporarily, disable rule instead of deleting it.
  Active Rule
  Disable Rule
  The icon against the firewall rule suggests that rule is only active during a specified schedule.
Source - Source Host to which the rule is applied
Destination - Destination Host to which the rule is applied.
Service - Service for which rule is created
Identity - If Identity is configured, user based policies will be applied to the traffic.
Action - Action to be taken when the rule matches a connection attempt.
Web filter - Web filter policy to be applied to the traffic. Point to the policy link to view or edit the policy details.
Application filter - Application filter policy to be applied to the traffic. Point to the policy link to view or edit the policy details.
NAT - NAT policy to be applied to the traffic. Point to the policy link to view or edit the policy details.
IPS - IPS policy to be applied to the traffic. Point to the policy link to view or edit the policy details.
QoS - QoS policy to be applied to the traffic. Point to the policy link to view or edit the policy details.
Scan -
  - SMTP scanning
  - POP scanning
  - IMAP scanning
  - HTTP scanning
  - FTP scanning
  Green - Scanning Enabled
  Red - Scanning Disabled
Schedule - Schedule to be applied when the rule is active. Point to the schedule link to view or edit the schedule details.
Logging - Firewall rule logging Status:
  - Active
  - Deactive
Description - Firewall rule description
Routing through Gateway - Routing policy applied to the traffic
Backup Gateway - Backup gateway for the traffic
Edit Icon - Edit firewall rule
Insert Icon - Insert a new rule before the existing rule
Move Icon - Change the order of the rule
Delete Button - Delete firewall rule. Alternately, click the Delete icon against the rule you want to delete.

Table - Manage Firewall rule screen elements

Firewall Rule Parameters


To add or edit a firewall rule, go to Firewall > Rule > Rule. Click the Add button to add a new rule. To update the details, click on the Rule or the Edit icon in the Manage column against the rule you want to modify.

Screen - Add Firewall rule


Screen Elements - Description

General Settings
Name - Specify name to identify the Firewall Rule.
Description - Specify description of the rule.
Zone - Specify source and destination zone to which the rule applies.
Attach Identity (Only if source zone is LAN/DMZ/VPN) - Attach identity allows you to check whether the selected user/user group from the selected zone is allowed the access of the selected service or not. Click to attach the user identity. Enable attach identity to apply following policies per user:
  - Web policy and Application policy for Content Filtering (User's policy will be applied automatically but will not be effective till the Web and Application Filtering module is subscribed)
  - Schedule Access
  - IPS (User's IPS policy will be applied automatically but will not be effective till the IPS module is subscribed)
  - Anti Virus scanning (User's anti virus scanning policy will be applied automatically but it will not be effective till the Gateway Anti Virus module is subscribed)
  - Anti Spam scanning (User's anti spam scanning policy will be applied automatically but it will not be effective till the Gateway Anti Spam module is subscribed)
  - QoS policy - User's QoS policy will be applied automatically
  - Policy selected in the Route through Gateway field is the static routing policy that is applicable only if more than one gateway is defined and used for load balancing.
  - Limit access to available services.
Network/Host - Specify source and destination host or network address to which the rule applies. Host dropdown list also displays MAC based host and dynamic hosts and host groups which are automatically added on creation of VPN Remote Access connections (IPSec and SSL). It will also display the default hosts created for remote access connection: ##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW, ##WWAN1 (when WWAN is enabled)


You can define new IP host, MAC host, host group and virtual host directly from the firewall rule itself.

Service/Service group - Services represent types of Internet data transmitted via particular protocols or applications. Select service/service group to which the rule applies. If Virtual host is selected as Destination host, you will be able to configure services only if the selected virtual host is not port forwarded. You can also add a new custom service or service group directly from the firewall rule itself and attach. Protect by configuring rules to:
  - block services at specific zone
  - limit some or all users from accessing certain services
  - allow only specific user to communicate using specific service.


Schedule - Select Schedule for the rule. You can also add a new schedule directly from the firewall rule itself and attach.

Action - Select rule action:
  Accept - Allow access
  Drop - Silently discards
  Reject - Denies access and ICMP port unreachable message will be sent to the source
  When sending a response, it might be possible that the response is sent using a different interface than the one on which the request was received. This may happen depending on the Routing configuration done on Cyberoam. For example, if the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and specific route is not defined, Cyberoam will send a response to these hosts using default route. Hence, response will be sent through the WAN port.

Apply NAT (Only if Action is ACCEPT) - Select the NAT policy to be applied. It allows access but after changing source IP address i.e. source IP address is substituted by the IP address specified in the NAT policy. This option is not available if Cyberoam is deployed as Bridge.

Advanced Settings


Toggle Drill Down icon - Click to apply different protection settings to the traffic controlled by firewall. You can:
  - Enable load balancing and failover when multiple links are configured. Applicable only if Destination Zone is WAN.
  - Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details.
  - Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for Intrusion Prevention System module. Refer to Licensing section for details.
  - Configure content filtering policies. To apply content filtering you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.
  - Apply QoS policy

Security Policies
Web filter policy - Select web filter policy for the rule. One can apply web filter policy on LAN to WAN rule only. It controls web access and blocks access to inappropriate web sites. You can also add a new web filter policy directly from the firewall rule itself and attach.

Apply Web Category Based QoS - Click to restrict bandwidth for the URLs categorized under the Web category. A three step configuration is required as follows:
  1. Create QoS policy from menu item QoS > Policy > Add
  2. Assign above created QoS policy to the Web category from menu item Web Filter > Category. Policy can be assigned to the default as well as custom web categories.
  3. Enable Web Category based QoS Policy from Firewall rule
  Above configured policy will be applicable whenever the URL falling under the Web category is accessed.

Application filter policy - Select Application Filter Policy for the rule. One can apply policy on LAN to WAN rule only. It controls access to applications like IM and P2P, VOIP. You can also add a new Application Filter policy directly from the firewall rule itself and attach.

204/280

Cyberoam User Guide

IPS Policy

Select IPS policy for the rule. To use IPS, you have to subscribe for the IPS module. Refer to Licensing for more details. You can also add a new IPS policy directly from the firewall rule itself and attach.

IM Scanning AV & scanning AS

Click IM Scanning Checkbox to enable IM scanning. If enabled, all the messaging applications traffic is scanned. Click the protocol for which the virus and spam scanning is to be enabled. By default, HTTP scanning is enabled.

To implement Anti Virus and Anti Spam scanning, you have to subscribe for the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details. QoS and Routing policy QoS Policy Select QoS policy for the rule. Only the Firewall Rule based QoS policy can be applied. QoS policy allocates & limits the maximum bandwidth usage of the user. You can also add a new QoS policy directly from the firewall rule itself and attach.

205/280

Cyberoam User Guide

Route Through Gateway

Select routing policy. Option is available only if more than one gateway is configured. This option is not available if Cyberoam is deployed as Bridge. Specify the backup gateway. The traffic will be routed through the configured gateway incase gateway configured in Route Through Gateway goes down. Option is available only if Load Balance is not selected for Route Through Gateway.

Backup Gateway

Log Traffic Log Traffic

Click to enable traffic logging for the rule i.e. traffic permitted and denied by the firewall rule. Table - Add Firewall rule screen elements

Search Rules
Use the search facility to search for firewall rules having specific users or hosts. The search string can be either an IP address or a string.

Source Host IP Address

Click the Search icon to search firewall rules for a specific source host. It can be searched on the following criteria: is equal to, starts with and contains. Click OK to get the search results and the Clear button to clear the results.

Screen Search Source Host

Search Criteria - Search Results
is equal to - All the IP addresses that exactly match the IP address specified in the criteria. For example, if the search string is 192.168.1.1, all the addresses exactly matching the string will be displayed.
starts with - All the IP addresses that start with the specified criteria. For example, if the search string is 192, all the addresses starting with the number 192 will be displayed.
contains - All the IP addresses that are in the specified range of IP addresses. For example, if the search string is 1.1.1.2-1.1.1.10, all the IP addresses like 1.1.1.5 or 1.1.1.8 falling in this range will be displayed.

Table Search Source Host screen elements

Destination Host IP Address

Click the Search icon to search firewall rules for a specific destination host. It can be searched on the following criteria: is equal to, starts with and contains. Click OK to get the search results and the Clear button to clear the results.

All Hosts satisfying the will be displayed irrespective of

Screen Search Destination Host

Search Criteria - Search Results
is equal to - All the IP addresses that exactly match the IP address specified in the criteria. For example, if the search string is 192.168.1.1, all the addresses exactly matching the string will be displayed.
starts with - All the IP addresses that start with the specified criteria. For example, if the search string is 192, all the addresses starting with the number 192 will be displayed.
contains - All the IP addresses that are in the specified range of IP addresses. For example, if the search string is 1.1.1.2-1.1.1.10, all the IP addresses like 1.1.1.5 or 1.1.1.8 falling in this range will be displayed.

Table Search Destination Host screen elements

User/User Group

Click the Search icon to search firewall rules for a specific user. It can be searched on the following criteria: is, is not, contains and does not contain. Click OK to get the search results and the Clear button to clear the results.

Screen Search User/User Group

Search Criteria - Search Results
is - All the users/user groups that exactly match the string specified in the criteria. For example, if the search string is Test, only users/user groups with the name exactly matching Test are displayed.
is not - All the users/user groups that do not match the string specified in the criteria. For example, if the search string is Test, all users/user groups except those with the name exactly matching Test are displayed.
contains - All the users/user groups that contain the string specified in the criteria. For example, if the search string is Test, all the users/user groups containing the string Test are displayed.
does not contain - All the users/user groups that do not contain the string specified in the criteria. For example, if the search string is Test, all the users/user groups not containing the string Test are displayed.

Table Search User/User Group screen elements

Change Firewall Rule order


Rule order defines the rule processing priority. When the rules are applied, they are processed from the top down and the first suitable rule found is applied. Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a general rule might allow a packet that a more specific rule later in the list was written to deny. When a packet matches a rule, the packet is immediately dropped or forwarded without being tested by the rest of the rules in the list.

Go to Firewall → Rule → Rule. Click the Move Rule icon against the rule whose order is to be changed. Click on the rule to be moved and then drag & drop the rule in the desired order. Click Close to save the order.
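The ordering problem described above can be checked offline before rules are reordered on the appliance. The following is an added example, not part of the Cyberoam guide or product: it models a rule only by source network, destination network, destination port range and action (an assumption; real rules also carry zone, identity and schedule), evaluates packets top-down, and reports rules that can never fire because an earlier rule fully covers them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str        # source network in CIDR notation
    destination: str   # destination network in CIDR notation
    ports: tuple       # inclusive (low, high) destination port range
    action: str        # "accept", "drop" or "reject"


def matches(rule, src, dst, port):
    """True if a packet (source IP, destination IP, destination port) falls inside the rule."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)
            and rule.ports[0] <= port <= rule.ports[1])


def first_match(rules, src, dst, port):
    """Top-down evaluation: the first matching rule decides, later rules are never tested."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule
    return None


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    src_ok = ipaddress.ip_network(inner.source).subnet_of(ipaddress.ip_network(outer.source))
    dst_ok = ipaddress.ip_network(inner.destination).subnet_of(
        ipaddress.ip_network(outer.destination))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and ports_ok


def shadowed_rules(rules):
    """Return (shadowed_id, shadowing_id, actions_differ) for each rule that can never fire."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                findings.append((later.rule_id, earlier.rule_id,
                                 earlier.action != later.action))
                break
    return findings


# Constructed sample rules; the addresses are illustrative only.
ALLOW_LAN_ANY = Rule(1, "10.0.0.0/8", "0.0.0.0/0", (1, 65535), "accept")
DENY_SMTP = Rule(2, "10.1.2.0/24", "0.0.0.0/0", (25, 25), "drop")

GENERAL_FIRST = [ALLOW_LAN_ANY, DENY_SMTP]    # the specific deny can never fire
SPECIFIC_FIRST = [DENY_SMTP, ALLOW_LAN_ANY]   # specific rule before general rule

if __name__ == "__main__":
    for name, order in (("general first", GENERAL_FIRST), ("specific first", SPECIFIC_FIRST)):
        hit = first_match(order, "10.1.2.7", "203.0.113.5", 25)
        print(name, "->", hit.action, "by rule", hit.rule_id,
              "| shadowed:", shadowed_rules(order))
```

Only full coverage is reported; a partial overlap between two rules still deserves a manual look when the actions differ.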


Screen Move Firewall Rule

Customize Display Columns


By default, the Manage Firewall Rules page displays details of the rule in the following columns: ID, Enable, Source, Identity, Destination, Service, Action and Manage. You can customize the number of columns to be displayed as per your requirement. Go to Firewall → Rule → Rule and click on the Select Column list to customize the number of columns to be displayed.

Select the columns to be displayed on the page. You can also select the order in which the columns will be displayed. Drag & drop the column to customize the view in the desired order. Select the checkbox against the column that is to be displayed. Click OK to customize the selected columns.


Virtual Host
Virtual Host maps services of a public IP address to services of a host in a private network. A Virtual host can be a single IP address, an IP address range or the Cyberoam interface itself. Cyberoam will automatically respond to the ARP request received on the WAN zone for the external IP address of the Virtual host. The default LAN to WAN (Any Host to Any Host) firewall rule will allow traffic to flow between the virtual host and the network.

To configure a Virtual Host, go to Firewall → Virtual Host → Virtual Host. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the Virtual host to be modified. The Edit Virtual Host pop-up window is displayed, which has the same parameters as the Add Virtual Host window.
Delete - Click the Delete icon in the Manage column against a Virtual Host to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the rule. To delete multiple virtual hosts, select them and click the Delete button.

Manage Virtual host


To manage virtual hosts, go to Firewall → Virtual Host → Virtual Host.

Screen Manage Virtual Host

Screen Elements - Description
Add Button - Add a new Virtual Host
Host Name - Name of Virtual Host.
Public Address - Public IP address through which Internet users access internal Server/host.
Mapped Address - Mapped IP address type is the IP address of the internal server/host.
Public Port - Public port used when Port Forwarding is configured.
Mapped Port - Mapped port number on destination network when Port Forwarding is enabled.
Edit Icon - Edit the Virtual Host details.
Delete Button - Delete the Virtual Host. Alternately, click the Delete icon against the host you want to delete.

Table Manage Virtual host screen elements

Virtual Host Parameters


To add or edit a virtual host, go to Firewall → Virtual Host → Virtual Host. Click the Add button to add a new virtual host. To update the details, click on the virtual host or the Edit icon in the Manage column against the host you want to modify.

Screen Add Virtual host

Screen Elements - Description

Name - Name to identify the Virtual Host.

External IP - Public IP address is the IP address through which Internet users access internal server/host. Available options:
Interface IP - Select when any of the Cyberoam Port, Alias or Virtual LAN (VLAN) subinterface is required to be mapped to the destination host or network.
IP address - Specified IP address is mapped to a corresponding mapped single or range of IP address. If single IP address is mapped to a range of IP address, Cyberoam uses round robin algorithm to load balance the requests.
IP address range - Specified IP address range is mapped to a corresponding range of mapped IP address. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range.
If IP or IP Range option is selected, Cyberoam automatically responds to the ARP request received on the WAN zone for the external IP address.

Mapped IP - Mapped IP is the IP address to which the external IP address is mapped. This is the actual private IP address of the host being accessed using the virtual host. Mapped IP address is the IP address of the internal server/host. Available options:
IP address - External IP address is mapped to the specified IP address.
IP address range - External IP address range is mapped to the specified IP Address range.

Physical Zone - LAN, WAN, DMZ, VPN or custom zone of the mapped IP addresses. For example, if mapped IP address represents any internal server then the zone in which server resides physically. By default, LAN zone is configured but can be changed if required.

Port Forwarding

Enable Port Forwarding - Click to enable service port forwarding. If Port Forwarding is enabled, following options are available.
Protocol - Select the protocol TCP or UDP that you want the forwarded packets to use.
Port Type - Click to specify whether port mapping should be single or range of ports.
External Port - Specify public port number for which you want to configure port forwarding.
Mapped Port - Specify mapped port number on the destination network to which the public port number is mapped.

Description - Virtual host Description.

Table Add Virtual host screen elements

Note
Deleting Virtual host will remove all its dependent configurations including:
1. Interface-zone binding
2. DHCP Server or Relay
3. Alias based Firewall Rules
4. ARP Static & Proxy
5. Virtual Hosts and Virtual Host based Firewall Rules
6. Interface based Hosts and reference from host groups
7. Routes - Unicast, Multicast

Once the virtual host is added successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address. For example, if virtual host is created for the LAN mapped IP zone then LAN-to-LAN firewall rule is created for the virtual host. Firewall rule is created for the service specified in virtual host. If port forwarding is not enabled in virtual host then firewall rule with All Services is created. Check creation of loopback rule from Firewall → Rule.

For Cyberoam to reply to the ARP requests received on any other zones than WAN zone for External IP address, create proxy ARP from option - Cyberoam Console of CLI Console.

Virtual host restrictions:
Virtual host name cannot be same as host or host group name.
External IP address range cannot be mapped with a single Mapped IP address.
The number of IP addresses in External IP address range and Mapped IP address range must be same.
The number of ports in External ports range and Mapped port range must be same.
Virtual host with the same pair of External IP and Port cannot be created.

Example:
Virtual_host1: External IP address - 192.168.1.1, Mapped IP address - 10.10.10.12, Port forward - External port 25, Mapped port 35
Virtual_host2: External IP address - 192.168.1.1, Mapped IP address - 10.10.10.1, Port forward - External port 42, Mapped port 48
Description: Different virtual hosts can have same External IP address only if port forwarding is enabled for different external port.

Example:
Virtual_host1: External IP address - 192.168.1.15, Mapped IP address - 10.10.10.1
Virtual_host2: External IP address - 192.168.1.15, Mapped IP address - 10.10.10.2, Port forward - External port 42, Mapped port 48
Description: Different virtual hosts cannot have same external IP address if port forwarding is enabled in one virtual host and disabled for another virtual host.

Example:
Virtual_host1: External IP address - 192.168.1.15-192.168.1.20, Mapped IP address - 10.10.10.15-10.10.10.20
Virtual_host2: External IP address - 192.168.1.18, Mapped IP address - 10.10.10.18
Description: Virtual host cannot be created with overlapping IP address.

Example:
Virtual_host1: External IP address - 192.168.1.15, Mapped IP address - 10.10.10.1, Port forward - External port 20-80, Mapped port 20-80
Virtual_host2: External IP address - 192.168.1.15, Mapped IP address - 10.10.10.2, Port forward - External port 25, Mapped port 25
Description: Virtual host cannot be created with overlapping ports.
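The restrictions and the four example pairs above can be expressed as a pre-check on a planned set of virtual hosts. This is an added example, not Cyberoam code: the VirtualHost record, the function names and the reason strings are assumptions made for illustration, and the protocol (TCP/UDP) and the host-name restriction are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

REASON_IP = "overlapping external IP address"
REASON_MIXED = "same external IP with port forwarding enabled on only one host"
REASON_PORTS = "overlapping external ports"


def ip_range(text):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into inclusive (start, end) integers."""
    start, _, end = text.partition("-")
    low = int(ipaddress.IPv4Address(start.strip()))
    high = int(ipaddress.IPv4Address(end.strip())) if end else low
    if low > high:
        raise ValueError("start of the range must be lower than the end: " + text)
    return low, high


def port_range(text):
    """Parse '25' or '20-80' into an inclusive (low, high) port pair."""
    start, _, end = text.partition("-")
    low = int(start)
    high = int(end) if end else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid port range: " + text)
    return low, high


def size(bounds):
    return bounds[1] - bounds[0] + 1


def overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str
    mapped_ip: str
    external_port: Optional[str] = None   # None means port forwarding is disabled
    mapped_port: Optional[str] = None


def self_errors(host):
    """Restrictions that concern one virtual host on its own."""
    errors = []
    external, mapped = ip_range(host.external_ip), ip_range(host.mapped_ip)
    # A single external IP may map to a range (round robin); a range needs an equal-sized range.
    if size(external) > 1 and size(mapped) != size(external):
        errors.append("External and Mapped IP ranges must hold the same number of addresses")
    if host.external_port is not None:
        if host.mapped_port is None:
            errors.append("port forwarding needs a mapped port")
        elif size(port_range(host.external_port)) != size(port_range(host.mapped_port)):
            errors.append("External and Mapped port ranges must hold the same number of ports")
    return errors


def conflict(a, b):
    """Return the reason two virtual hosts cannot coexist, or None if they can."""
    if not overlap(ip_range(a.external_ip), ip_range(b.external_ip)):
        return None
    if a.external_port is None and b.external_port is None:
        return REASON_IP
    if a.external_port is None or b.external_port is None:
        return REASON_MIXED
    if overlap(port_range(a.external_port), port_range(b.external_port)):
        return REASON_PORTS
    return None


def validate(hosts):
    """Check each host alone, then against every host accepted before it."""
    problems, accepted = [], []
    for host in hosts:
        reasons = self_errors(host)
        reasons += [r + " (conflicts with " + o.name + ")"
                    for o in accepted for r in [conflict(o, host)] if r]
        if reasons:
            problems.append((host.name, reasons))
        else:
            accepted.append(host)
    return problems


# The four example pairs from the restriction table above.
SHARED_IP_DIFFERENT_PORTS = [
    VirtualHost("Virtual_host1", "192.168.1.1", "10.10.10.12", "25", "35"),
    VirtualHost("Virtual_host2", "192.168.1.1", "10.10.10.1", "42", "48")]
FORWARDING_ON_ONE_ONLY = [
    VirtualHost("Virtual_host1", "192.168.1.15", "10.10.10.1"),
    VirtualHost("Virtual_host2", "192.168.1.15", "10.10.10.2", "42", "48")]
OVERLAPPING_IPS = [
    VirtualHost("Virtual_host1", "192.168.1.15-192.168.1.20", "10.10.10.15-10.10.10.20"),
    VirtualHost("Virtual_host2", "192.168.1.18", "10.10.10.18")]
OVERLAPPING_PORTS = [
    VirtualHost("Virtual_host1", "192.168.1.15", "10.10.10.1", "20-80", "20-80"),
    VirtualHost("Virtual_host2", "192.168.1.15", "10.10.10.2", "25", "25")]
```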


NAT Policy
Network Address Translation (NAT) is the process of rewriting the source addresses of IP packets as they pass through a router or firewall. NAT is mostly used to enable multiple hosts on a private network to access the Internet using a single public IP address. When a client sends an IP packet to the router, NAT translates the sending address to a different, public IP address before forwarding the packet to the Internet. When a response packet is received, NAT translates the public address into the original address and forwards it to the client.

NAT policy tells the firewall rule to allow access but only after changing the source IP address, i.e. the source IP address is substituted by the IP address specified in the NAT policy.

Use NAT to change or remap the source or destination address of the packet. Using NAT eliminates the need for public IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of Public IP addresses for the Internet. NAT also allows you to conceal the addressing scheme of your network.

To manage NAT Policy, go to Firewall → NAT Policy → NAT Policy. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the NAT Policy to be modified. The Edit NAT Policy pop-up window is displayed, which has the same parameters as the Add NAT Policy window.
Delete - Click the Delete icon in the Manage column against a NAT Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the NAT Policy. To delete multiple NAT Policies, select them and click the Delete button.

Manage NAT policy


To manage NAT policies, go to Firewall → NAT Policy → NAT Policy.

Screen Manage NAT policy

Screen Elements - Description
Add Button - Add a NAT Policy
Name - Name of the NAT Policy
IP Mapped To - Source IP/Range will be replaced with the specified IP/Range
Edit Icon - Edit the NAT Policy
Delete Button - Delete the NAT Policy. Alternately, click the Delete icon against the policy you want to delete.

Table Manage NAT policy screen elements

NAT Policy Parameters


To add or edit NAT policies, go to Firewall → NAT Policy → NAT Policy. Click the Add button to add a new policy. To update the details, click on the Policy or the Edit icon in the Manage column against the policy you want to modify.

Screen Add NAT policy

Screen Elements - Description

Name - Name to identify the NAT Policy

Map Source IP To - Select Masquerade or IP Host for NAT Policy. Available Options:
MASQ - will replace source IP address with Cyberoam's WAN IP address
IP Host - will replace source IP address with specified IP address or range.

IP Address - Under IP Host, specify IP address for source natting. Available Options:
IP Address - will replace source IP address with the specified IP address
IP Range - will replace source IP address with any of the IP addresses from the specified range
You can search and select a particular IP Address based on the Host name. Alternately, an IP address or range can also be added using the Add IP Address link.

Table Add NAT policy screen elements

Note
Default MASQ policy cannot be updated or deleted.


Spoof Prevention
You can configure MAC and/or IP address pair entries in the IP-MAC trusted list to improve the security of your network. Using MAC address filtering makes it more difficult for a hacker to guess and use a random MAC address or spoof a MAC address to gain access to your network, as the traffic does not even reach your firewall. Similarly, it is also possible to filter packets based on IP-MAC pair. It prevents hosts which try to violate trusted IP-MAC. To make the restriction more granular, one can enable restriction on the zones.

General Settings
To enable spoof prevention for LAN, WAN and DMZ zones, go to Firewall → Spoof Prevention → General Settings. If enabled, Cyberoam provides 3 ways to prevent spoofing using the IP-MAC trusted list:
IP spoofing - Packets will be dropped if a matching route entry is not available.
MAC Filter - Packets will be dropped if the MAC address is not configured in the Trusted MAC list.
IP-MAC Pair Filter - Packets will be dropped if IP and MAC do not match with any entry in the IP-MAC trusted list.

Enable Restrict Unknown IP on Trusted MAC if you want to drop traffic from any IP address not in the trusted list for the trusted MAC address. By default, it is disabled. When disabled, traffic from any IP address not in the trusted list will be allowed even if it is coming from the trusted MAC address. It is enabled automatically when Spoof Prevention is enabled.

Screen General Settings

Zone                 LAN   WAN   DMZ
IP Spoofing          Yes   No    Yes
MAC filter           Yes   Yes   Yes
IP-MAC pair filter   Yes   No    Yes

IP Spoofing - If enabled, enable it for at least one zone. Cyberoam will reverse lookup for the route of the source network and if not available, packets will be dropped and logged. By default, it is not enabled for any zone.

MAC filter - It restricts the access of your network to the external hosts. As Cyberoam will drop all the requests from a MAC address not configured in the trusted list, please make sure to include MAC addresses of all your internal devices. If enabled, it is to be enabled for at least one zone. By default, it is not enabled for any zone.

IP-MAC pair filter - Cyberoam will drop the request, considering it as a spoofed request, if:
MAC address differs for the trusted IP address
IP address differs for the trusted MAC address
But, the request will be allowed if IP or MAC address does not exist at all in the list. Request is dropped if IP-MAC pair does not exist in the trusted list. If enabled, it is to be enabled for at least one zone. By default, it is not enabled for any zone.

Table General Settings

Trusted MAC
You can enable MAC address and/or IP address pair filtering to improve security. By enabling filtering, you define the devices that can access your network. It is also possible to import the trusted MAC list through a CSV (Comma Separated Value) file. When a user attempts to access the network, Cyberoam checks the MAC address and/or IP address from the list. The user gets access to the network only if the MAC Address and/or IP address is on the trusted MAC list, else the request is rejected.

To manage the Trusted MAC list, go to Firewall → Spoof Prevention → Trusted MAC. You can:
Add
View
Import
Delete - Click the Delete icon in the Manage column against a Trusted MAC to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Trusted MAC. To delete multiple Trusted MACs, select them and click the Delete button.

Manage Trusted MAC list


To manage Trusted MAC list, go to Firewall → Spoof Prevention → Trusted MAC.

Screen Manage Trusted MAC list

Screen Elements - Description
Add Button - Add a Trusted MAC
MAC Address - MAC address of the user
IP Association - Static, DHCP or no IP association
IP Address - IP address bound to MAC address, in case of static IP association.
Delete Button - Delete the Trusted MAC. Alternately, click the Delete icon against the trusted MAC you want to delete.

Table Manage Trusted MAC screen elements

Trusted MAC List Parameters


To add Trusted MAC list, go to Firewall → Spoof Prevention → Trusted MAC. Click the Add button to add a Trusted MAC.

Screen Add Trusted MAC list

Screen Elements - Description

MAC Address - MAC Address to be added to a trusted MAC list

IP Association - Specify IP Association if you want to implement IP-MAC pair filtering. Available Options:
None - No IP address is bound to the MAC address.
Static - IP address to be bound to the MAC address. Packets will be rejected if either MAC or IP address does not match. Use comma as a separator to configure multiple IP addresses.
DHCP - MAC will be bound to the IP address leased by the Cyberoam DHCP server as and when the IP is leased. Entry will be updated automatically when the leased IP address is updated.

IP Addresses - Specify the IP Address for IP-MAC binding. Use comma to add multiple IP addresses.

Table Add Trusted MAC list

Import Trusted MAC Address


Instead of adding the trusted entries individually, Cyberoam provides a facility to import the trusted list from a CSV (Comma Separated Value) file. Click the Import button to import a CSV file. The format for the CSV file should be as follows:
1. First row of the CSV file has to be the header row: MAC Address, IP Association, IP Address
2. The rest of the rows are values corresponding to the header fields
3. Blank rows will be ignored
4. Error Message display only for invalid rows
5. Format of values:
Compulsory fields: MAC Address and IP Association
Optional fields: IP Address
IP Association must be Static or DHCP or None
For Static IP Association, IP Address must be available
For None/DHCP type of IP Association, IP-Address is not required and if it is given, it will be ignored
For Invalid MAC / IP Address or IP Association entry will be discarded
Use comma to insert Multiple static IP Addresses

Screen Import Trusted MAC Address
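A trusted MAC file can be checked against the format rules above before it is imported, so that discarded rows are known in advance. This is an added example, not Cyberoam's importer: the colon-separated MAC notation, IPv4-only addresses, case-insensitive IP Association values, and accepting multiple static IPs either as one quoted field or as extra trailing columns are all assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
import re

HEADER = ["MAC Address", "IP Association", "IP Address"]
# Assumption: MAC addresses are written as six colon-separated hex octets.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
ASSOCIATIONS = {"static": "Static", "dhcp": "DHCP", "none": "None"}


def parse_trusted_mac_csv(text):
    """Return (entries, errors); errors holds (row number, reason) for each discarded row."""
    rows = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    if not rows or [cell.strip() for cell in rows[0]] != HEADER:
        raise ValueError("first row must be the header: " + ", ".join(HEADER))

    entries, errors = [], []
    for row_no, row in enumerate(rows[1:], start=2):
        cells = [cell.strip() for cell in row]
        if not any(cells):
            continue  # blank rows are ignored
        mac = cells[0]
        association = ASSOCIATIONS.get(cells[1].lower()) if len(cells) > 1 else None
        if not MAC_RE.match(mac):
            errors.append((row_no, "invalid MAC address"))
            continue
        if association is None:
            errors.append((row_no, "IP Association must be Static, DHCP or None"))
            continue
        addresses = []
        if association == "Static":
            # Multiple static IPs: one quoted comma-separated field or extra columns.
            raw = [part.strip() for cell in cells[2:] for part in cell.split(",")
                   if part.strip()]
            if not raw:
                errors.append((row_no, "Static association needs an IP address"))
                continue
            try:
                addresses = [str(ipaddress.IPv4Address(part)) for part in raw]
            except ValueError:
                errors.append((row_no, "invalid IP address"))
                continue
        # For None/DHCP any supplied IP address is ignored, as the format rules state.
        entries.append({"mac": mac.upper(), "association": association, "ips": addresses})
    return entries, errors


# Constructed sample file: three valid rows, one blank row, four invalid rows.
SAMPLE = """\
MAC Address, IP Association, IP Address
02:00:5E:10:00:01, Static, "192.168.1.10,192.168.1.11"
02:00:5E:10:00:02, DHCP, 10.0.0.9

02:00:5E:10:00:03, None
02:00:5E:10:00:ZZ, Static, 192.168.1.12
02:00:5E:10:00:04, Static
02:00:5E:10:00:05, Dynamic, 192.168.1.13
02:00:5E:10:00:06, Static, 192.168.1.300
"""

if __name__ == "__main__":
    accepted, rejected = parse_trusted_mac_csv(SAMPLE)
    for entry in accepted:
        print("ok     ", entry)
    for row_no, reason in rejected:
        print("discard row", row_no, "-", reason)
```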


DoS
Cyberoam provides several security options that cannot be defined by the firewall rules. This includes protection from several kinds of Denial of Service attacks. These attacks disable computers and circumvent security.

A Denial of Service (DoS) attack is a method hackers use to prevent or deny legitimate users access to a service. DoS attacks are typically executed by sending many request packets to a targeted server (usually a Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their goal is not to steal information but to disable or deprive a device or network so that users no longer have access to the network services/resources.

All servers can handle traffic volume up to a maximum, beyond which they become disabled. Hence, attackers send a very high volume of redundant traffic to a system so it cannot examine and allow permitted network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic.

Packet rate per Source - Total number of connections or packets allowed to a particular user.
Burst rate per Source - Maximum number of packets allowed to a particular user at a given time.
Packet rate per Destination - Total number of connections or packets allowed from a particular user.
Burst rate per Destination - Maximum number of packets allowed from a particular user at a given time.

How it works
When the burst rate is crossed, Cyberoam considers it as an attack. Cyberoam provides DoS attack protection by dropping all the excess packets from the particular source/destination. Cyberoam will continue to drop the packets till the attack subsides. Because Cyberoam applies the threshold value per IP address, only traffic from the particular source/destination will be dropped; traffic from the remaining IP addresses will not be affected at all.

Time taken to re-allow traffic from the blocked source/destination = time taken to subside the attack + 30 seconds

For example:
Packet rate per Source - 100 packets per second
Burst rate per Source - 200 packets per second

When the user starts sending requests, initially the user will be able to send 200 packets per second, but once the 200 packets are received, in the next phase the user will be able to send only 100 packets per second. So in the next phase, if the user sends 150 packets per second, Cyberoam will consider it as an attack and drop 50 (150 - 100) packets. Cyberoam will accept traffic from the user only after 30 seconds of dropping the packets.

Threshold values
Cyberoam uses packet rate and burst rate values as threshold values to detect a DoS attack. These values depend on various factors like:
Network bandwidth
Nature of traffic
Capacity of servers in the network

These values are applicable to the individual source or destination, i.e. requests per user/IP address, and not globally to the entire network traffic. For example, if the source rate is 2500 packets/minute and the network consists of 100 users then each user is allowed a packet rate of 2500 packets per minute.

Configuring high values will degrade the performance and too low values will block the regular requests. Hence it is very important to configure appropriate values for both source and destination IP address.

DoS Settings
Define the attack definition from Firewall → DoS → Settings. (The attack definition can be defined both for source and destination.)

Configure DoS Settings

Screen DoS Settings

Screen Elements - Description

SYN Flood - Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Click Apply Flag checkbox to apply the SYN flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
Click SYN Flood to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.
SYN Flood is the attack in which large numbers of connections are sent so that the backlog queue overflows. The connection is created when the victim host receives a connection request and allocates some memory resources for it. A SYN flood attack creates so many half-open connections that the system becomes overwhelmed and cannot handle incoming requests any more.

UDP Flood - Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Click Apply Flag checkbox to apply the UDP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
Click UDP Flood to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.
User Datagram Protocol (UDP) Flood links two systems. It hooks up one system's UDP character-generating service with another system's UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data.

TCP Flood - Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Click Apply Flag checkbox to apply the TCP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
TCP attack sends a huge amount of TCP packets so that the host/victim computer cannot handle them.

ICMP Flood - Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and destination.
Click Apply Flag checkbox to apply the ICMP flood definition and control the allowed number of packets.
Click ICMP Flood to view the real time updates on flooding. It displays the source IP address which was used for flooding and the IP address which was targeted.
ICMP attack sends a huge amount of packets/traffic so that the protocol implementation of the host/victim computer cannot handle it.

Dropped Source Routed Packets - Click Apply Flag checkbox to enable. This will block any source routed connections or any packets with internal address from entering your network.

Disable ICMP Redirect Packet - An ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly weaken the security of the host by causing traffic to flow via another path.

Disable ARP Flooding - ARP attack sends ARP requests at a very high rate to the server. Because of this, the server is overloaded with requests and will not be able to respond to the valid requests. Cyberoam protects by dropping such invalid ARP requests.

Table DoS Settings screen elements

Bypass Rules
Cyberoam allows you to bypass the DoS rule in case you are sure that the specified source will not be used for flooding, or to ignore flooding if it occurs from the specified source. By default, VPN zone traffic is also subjected to DoS inspection. You can also bypass DoS inspection of the traffic coming from certain hosts of the VPN zone.

To manage Bypass Rules, go to Firewall → DoS → Bypass Rules. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the DoS Bypass Rule to be modified. The Edit DoS Bypass Rule pop-up window is displayed, which has the same parameters as the Add DoS Bypass Rule window.
Delete - Click the Delete icon in the Manage column against a DoS Bypass Rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the DoS Bypass Rule. To delete multiple DoS Bypass rules, select them and click the Delete button.

Manage DoS Bypass Rules


To manage bypass rules, go to Firewall → DoS → Bypass Rules.

Screen Manage DoS Bypass Rules

Screen Elements - Description
Add Button - Add a DoS Bypass Rule
Source - Source IP/Netmask to be bypassed
Source Port - Source Port Number to be bypassed
Destination - Destination IP/Netmask to be bypassed
Destination Port - Destination Port Number to be bypassed
Protocol - Protocols to be bypassed
Edit Icon - Edit the DoS Bypass Rule
Delete Button - Delete the DoS Bypass Rule. Alternately, click the Delete icon against the rule you want to delete.

Table Manage DoS Bypass rule screen elements

DoS Bypass Rules Parameters


To add or edit DoS Bypass Rule, go to Firewall → DoS → Bypass Rules. Click the Add button to add a new rule. To update the details, click on the Rule or Edit icon in the Manage column against the rule you want to modify.

Screen Add Bypass Rule

Screen Elements: Description
Source IP Address: Specify Source IP/Netmask. Specify * if you want to bypass entire network
Source Port: Specify Port Number for Source. Specify * if you want to bypass entire network
Destination IP Address: Specify Destination IP/Netmask. Specify * if you want to bypass entire network
Destination Port: Specify Port Number for Destination. Specify * if you want to bypass entire network
Protocol: Select protocol whose traffic is to be bypassed if generated from the specified source to destination. For example, if you select TCP protocol then DoS rules will not be applied on the TCP traffic from the specified source to destination.

Table Add DoS bypass rule screen elements
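Because every matching flow skips DoS inspection, each * in a bypass rule widens what an attacker-controlled source is exempt from. The following added example (not from the Cyberoam guide or its software; the class and function names, the rule values and the 256-address threshold are all constructed for illustration) models the five fields described above, shows which rule exempts a given flow, and flags rules that are broader than their purpose needs.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"  # wildcard the Add Bypass Rule screen accepts for addresses and ports


@dataclass(frozen=True)
class BypassRule:
    src: str    # source IP/netmask, or "*"
    sport: str  # source port number, or "*"
    dst: str    # destination IP/netmask, or "*"
    dport: str  # destination port number, or "*"
    proto: str  # protocol whose traffic is bypassed, e.g. "TCP"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def _addr_ok(field, addr):
    if field == ANY:
        return True
    # ip_network accepts both prefix ("/24") and netmask ("/255.255.255.0") notation
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def _port_ok(field, port):
    return field == ANY or int(field) == port


def matching_rule(rules, flow):
    """Return the first bypass rule that exempts this flow from DoS inspection, or None."""
    for rule in rules:
        if (rule.proto.upper() == flow.proto.upper()
                and _addr_ok(rule.src, flow.src) and _port_ok(rule.sport, flow.sport)
                and _addr_ok(rule.dst, flow.dst) and _port_ok(rule.dport, flow.dport)):
            return rule
    return None


def audit(rule, max_addresses=256):
    """List the reasons a rule exempts more traffic than a narrow exception would."""
    findings = []
    for label, field in (("source", rule.src), ("destination", rule.dst)):
        if field == ANY:
            findings.append(f"{label} address is *: every host is exempt")
            continue
        size = ipaddress.ip_network(field, strict=False).num_addresses
        if size > max_addresses:
            findings.append(f"{label} {field} covers {size} addresses")
    # A * source port is normal (ephemeral ports); * on both sides exempts every service.
    if rule.sport == ANY and rule.dport == ANY:
        findings.append("both ports are *: every service is exempt")
    return findings


# Constructed sample rules, not taken from any real appliance.
VOIP = BypassRule("10.8.0.0/255.255.255.0", "*", "192.168.10.5/32", "5060", "UDP")
WIDE = BypassRule("172.16.0.0/12", "*", "192.168.10.0/24", "443", "TCP")
ALL_TCP = BypassRule("*", "*", "*", "*", "TCP")
RULES = [VOIP, WIDE, ALL_TCP]

if __name__ == "__main__":
    for r in RULES:
        print(r, audit(r) or "narrow")
    # An unrelated Internet host is exempt from TCP flood checks because of ALL_TCP.
    print(matching_rule(RULES, Flow("203.0.113.9", 40000, "192.168.10.5", 80, "TCP")))
```
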


Web Filter
Settings

Web Filter menu allows you to configure and manage Web Filtering in Cyberoam. The traffic coming from the web is filtered by various policies and categories.

Use this page to enable the Safe Search feature and Pharming protection, which are useful in filtering Web traffic.

Safe Search: This feature allows you to enforce safe searching in your search engines, thus helping you against malicious sites.

Pharming Protection: This feature allows you to stop pharming by various attacker sites by Domain Name resolution.

Configure web filter settings from Web Filter → Settings → Settings.

Screen Configure Settings

Screen Elements: Description
Enforce Safe Search: Enable safe search so that web sites containing pornography and explicit sexual content are blocked from the Google, Yahoo, Altavista and Bing search results. This will be applicable only when access to Porn, AdultContent and Nudity categories is denied in Web Filter Policy.
Enable Pharming Protection: Enable to protect against pharming attacks and direct users to the legitimate web sites instead of fraudulent web sites. Click Save button after changing the configuration. Pharming attacks require no additional action from the user beyond their regular web surfing activities. A pharming attack succeeds by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look like the legitimate site.

Table Configure Settings screen elements


Category
Web category is the grouping of Domains and Keywords used for Internet site filtering. Domains and any URL containing the keywords defined in the Web category will be blocked. Each category is classified according to the type of sites in the category. Categories are grouped into four types, which specify whether surfing those categories is considered productive or not:
Neutral
Productive
Non-working
Un-healthy

For your convenience, Cyberoam provides a database of default Web categories. You can use these or even create new web categories to suit your needs. To use the default web categories, the add-on module Web and Application Filter should be registered.

Depending on the organization requirement, allow or deny access to the categories with the help of policies by groups, individual user, time of day, and many other criteria.

It is also possible to restrict the bandwidth based on the web category. For example, to reserve 512 kbps for SAP applications, define a QoS policy of 512 kbps and assign this policy to the SAP Web category and firewall rule. Users accessing any URLs falling under the SAP Web category will get 512 kbps. The 512 kbps bandwidth will be shared among all the users when more than one user is accessing.

The page allows you to manage default web categories and create custom web categories. You can also add or remove specific domains or keywords in the category. Cyberoam also provides pre-defined categories which can be used to block malicious and objectionable content. Custom web category is given priority over default category while allowing/restricting the access.

To manage web categories, go to Web Filter → Category → Category. You can:
Add
View
Search
Edit: Click the Edit icon in the Manage column against the category to be modified. Edit Web Category pop-up window is displayed which has the same parameters as the Add Web Category window.
Delete: Click the Delete icon in the Manage column against a Web Category to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Web Category. To delete multiple Web Categories, select them and click the Delete button.

Manage Web Categories


To manage web categories, go to Web Filter → Category → Category.


Screen Manage Web Categories

Screen Elements: Description
Add Button: Add a custom Web Category
Name: Name of the Web Filter Category.
Type: Type of Policy: Default OR Custom
Classification: Category Classification: Unhealthy, Non-working, Neutral, Productive.
QoS Policy: QoS Policy applied on the category.
Edit Icon: Edit the web category.
Delete Button: Delete the web category. Alternately, click the Delete icon against the category you want to delete.

Table Manage Web Categories screen elements

Web Category Parameters


To add or edit a web category, go to Web Filter → Category → Category. Click the Add button to add a new web category. To update the details, click on the web category or Edit icon in the Manage column against the web category you want to modify.


Screen Add Web Category

Screen Elements: Description
Name: Name to identify the web category name. Custom category name and default category name cannot be same.
Classification: Select the classification type for the category. Available Options: Neutral, Productive, Non-working, Healthy
QoS Policy: Select QoS policy if want to apply bandwidth restriction from the QoS Policy dropdown list
URL: Specify URL to include it under a web category. You can use Add icon to add more than one URL and Remove icon to delete the URL specified.
Keyword: Specify Keywords to include it under a web category. You can use Add icon to add more than one keyword and Remove icon to delete the keyword specified.

Advanced Settings
Action (Only applicable while adding a Category): 'Policies' List displays all the policies available. Category cannot be added to default policies from this page. Click the checkbox to select the policies. All the selected policies are moved to 'Selected Policies' list. Category, once created, will be automatically added to the selected policies.
Denied Message: Enable/disable the Override Default Denied Message checkbox. If enabled, you can set your custom message for Denied service.
Description: Specify Category Description.

Table Add Web Category screen elements

Search Category
Click the Search icon in the Application Filter Category column to search for specific web categories. Category can be searched on the following criteria: is, is not, contains, does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search Web Categories

Search Criteria: Search Results
is: All the categories that exactly match with the string specified in the criteria. For example, if the search string is Test, only categories with the name exactly matching Test are displayed.
is not: All the categories that do not match with the string specified in the criteria. For example, if the search string is Test, all categories except with the name exactly matching Test are displayed.
contains: All the categories that contain the string specified in the criteria. For example, if the search string is Test, all the categories containing the string Test are displayed.
does not contain: All the categories that do not contain the string specified in the criteria. For example, if the search string is Test, all the categories not containing the string Test are displayed.

Table Search Web Categories screen elements


Policy
Web Filter Policy controls user's web access. It specifies which user has access to which sites and allows defining powerful security policies based on almost limitless policy parameters like:
Individual users
Groups of users
Time of day
Location/Port/Protocol type
Content type
Bandwidth usage (for audio, video and streaming content)

Allow/deny access to an entire application category, or individual file extensions within a category with the help of policy. For example, you can define a policy that blocks access to all audio files with .mp3 extensions.

Two strategies based on which Web Filter Policy can be defined:
Allow: By default, allows access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.
Deny: By default, denies access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.
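The interaction between category matching (domains and keywords, custom categories taking priority over default ones) and a policy's default strategy is easier to reason about when modelled. The following is an added example, not Cyberoam's implementation: the class names, category names, URLs and the subdomain-matching rule are assumptions made for illustration, and rule schedules are left out.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebCategory:
    name: str
    custom: bool          # custom categories are consulted before default ones
    domains: tuple = ()
    keywords: tuple = ()

    def match(self, url):
        """Return 'domain' or 'keyword' when the URL falls in this category, else None."""
        host = (urlsplit(url).hostname or "").lower()
        # Assumption: a listed domain also covers its subdomains.
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return "domain"
        # The guide states that any URL containing the keyword is matched,
        # so this is a plain substring test over the whole URL.
        if any(k.lower() in url.lower() for k in self.keywords):
            return "keyword"
        return None


@dataclass(frozen=True)
class WebFilterPolicy:
    name: str
    default_strategy: str  # "Allow" or "Deny"
    rules: dict            # category name -> "Allow" or "Deny"


def categorize(url, categories):
    # sorted() is stable: custom categories first, each group in its original order
    for cat in sorted(categories, key=lambda c: not c.custom):
        how = cat.match(url)
        if how:
            return cat, how
    return None, None


def evaluate(url, policy, categories):
    """Return (action, reason) for a URL under the given policy."""
    cat, how = categorize(url, categories)
    if cat is not None and cat.name in policy.rules:
        return policy.rules[cat.name], f"{cat.name} ({how} match)"
    return policy.default_strategy, "default strategy"


# Constructed sample data.
CATEGORIES = [
    WebCategory("SocialNetworking", custom=False,
                domains=("social.example",), keywords=("chat",)),
    WebCategory("PartnerPortal", custom=True,
                domains=("chat.partner.example",)),
]
ALLOW_POLICY = WebFilterPolicy("Office", "Allow",
                               {"SocialNetworking": "Deny", "PartnerPortal": "Allow"})
DENY_POLICY = WebFilterPolicy("Kiosk", "Deny", {"PartnerPortal": "Allow"})

if __name__ == "__main__":
    for url in ("http://social.example/feed",
                "http://intranet.example/wiki/chatham-house-rule",
                "https://chat.partner.example/login",
                "http://news.example/"):
        print(url, evaluate(url, ALLOW_POLICY, CATEGORIES),
              evaluate(url, DENY_POLICY, CATEGORIES))
```

The second URL shows why keywords deserve review before a category is attached to a Deny rule: the substring "chat" matches an unrelated intranet page.
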

Cyberoam comes with the following predefined policies: Allow All, CIPA, Deny all and General Corporate Policy. These predefined policies are immediately available for use until configured otherwise. You can also define custom policies to define different levels of access for different users to meet your organization's requirements.

To manage web filter policies, go to Web Filter → Policy → Policy. You can:
Add
View
Search
Edit: Click the Edit icon in the Manage column against the Web Filter Policy to be modified. Edit Web Filter Policy page is displayed which has the same parameters as the Add Web Filter Policy window.
Add Web Filter Policy Rules
Delete: Click the Delete icon in the Manage column against a Web Filter Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Web Filter Policy. To delete multiple Web Filter Policies, select them and click the Delete button.

Manage Web Filter Policies


To manage Web Filter Policies, go to Web Filter → Policy → Policy.


Screen Manage Web Filter Policies

Screen Elements: Description
Add Button: Add a new Web Filter Policy
Web Filter Policy Name: Name of Web Filter Policy
Default Strategy: Default Strategy: Allow or Deny
Reporting: Reporting: Enabled or Disabled
Description: Policy Description
Edit Icon: Edit the Web Filter Policy
Delete Button: Delete the Web Filter Policy. Alternately, click the Delete icon against the policy you want to delete.

Table Manage Web Filter Policies screen elements

Web Filter Policy Parameters


To add or edit a web filter policy, go to Web Filter → Policy → Policy. Click the Add button to add a new web filter policy. To update the details, click on the policy or Edit icon in the Manage column against the policy you want to modify.


Screen Add Web Filter Policy

Screen Elements: Description
Name: Name to identify the Policy. Duplicate names are not allowed.
Template: Select a template if you want to create a new policy based on an existing policy and want to inherit all the categories restrictions from the existing policy.
Enable Reporting: By default, Internet usage report is generated for all the users. But Cyberoam allows you to bypass reporting of certain users. Enable the Enable Reporting checkbox to create Bypass reporting web filter policy. Internet usage reports will not include access details of all the users to whom this policy will be applied.
Enable Certificate based categorization for HTTPS: Enable the Enable Certificate based categorization for HTTPS check box to enable filtering of HTTPS traffic based on domain names using site X.509 certificates. If enabled, users will not be able to bypass and access blocked sites using URL translation or HTTP proxy websites hosted on HTTPS. In other words, if enabled, Cyberoam will block attempts to bypass web content filtering and sites hosted on SSLv2, SSLv3 and TLS protocols.
Download File Size Restriction: Specify the file size (in MB) in the textbox against Download File Size Restriction to configure the maximum allowed file download size. User will not be allowed to download file greater than the configured size. Specify 0 if there has to be no restriction on the maximum file size for download.
Description: Specify Policy Description. Add rules after policy is added successfully.

Table Add Web Filter Policy screen elements

Once the policy is created, policy rules can be added to schedule the implementation of the policy. Rules can be added for custom policies only.

Web Filter Policy Rule Parameters


Web Filter Policy rules can be added to custom web filter policies. To add Web Filter Policy rules, go to Web Filter → Policy → Policy. Click the Edit icon in the Manage column against the Web Filter Policy to which rules are to be added. Edit Web Filter Policy window is displayed for modifications. You can add or delete rules from this page.

Screen Add Web Filter Policy Rules

Screen Elements: Description
Category Name: Select Web Category or File Type Category to be added. You can select more than one category by selecting the checkbox. You can also search the category name from the search text box provided.
Action: Specify Action for the categories selected - Allow OR Deny
Schedule: Select the Schedule for categories selected.

Table Add Web Filter Policy Rule screen elements

Search Policy
Click the Search icon in the Web Filter policy column to search for specific policies. Policy can be searched on the following criteria: is, is not, contains, does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search Web Filter Policies

Search Criteria: Search Results
is: All the policies that exactly match with the string specified in the criteria. For example, if the search string is Test, only policies with the name exactly matching Test are displayed.
is not: All the policies that do not match with the string specified in the criteria. For example, if the search string is Test, all policies except with the name exactly matching Test are displayed.
contains: All the policies that contain the string specified in the criteria. For example, if the search string is Test, all the policies containing the string Test are displayed.
does not contain: All the policies that do not contain the string specified in the criteria. For example, if the search string is Test, all the policies not containing the string Test are displayed.

Table Search Web Filter Policies screen elements


Application Filter

10

Application Filter menu in Cyberoam allows you to configure and manage filtering on various applications. The traffic coming from the web is filtered by various policies and categories.

Category
Cyberoam provides certain default Application categories that can be used in filtering policy. You can also add custom categories as per your network requirement.

To view and search application categories, go to Application Filter → Category → Category. You can:
View
Search

View Categories
To view and search application categories, go to Application Filter → Category → Category. Each of the categories contains sub categories and can be viewed by clicking the icon against the category.

Screen Manage Application Filter Categories

Category Names: File Transfer, Gaming, General Internet, IM, Internet Protocol, Network Services, P2P, Proxy, Remote Access, VOIP, Streaming Media

Search Category
Click the Search icon in the Category Name column to search for specific application categories. Address can be searched on the following criteria: is, is not, contains, does not contain.


A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search Categories

Search Criteria: Search Results
is: All the categories that exactly match with the string specified in the criteria. For example, if the search string is Gaming, only categories with the name exactly matching Gaming are displayed.
is not: All the categories that do not match with the string specified in the criteria. For example, if the search string is Gaming, all categories except with the name exactly matching Gaming are displayed.
contains: All the categories that contain the string specified in the criteria. For example, if the search string is Gam, all the categories containing the string Gam are displayed.
does not contain: All the categories that do not contain the string specified in the criteria. For example, if the search string is Gam, all the categories not containing the string Gam are displayed.

Table Search Categories screen elements


Policy
Application Filter Policy controls user's application access. It specifies which user has access to which applications and allows defining powerful security policies based on almost limitless policy parameters like:
Individual users
Groups of users
Time of day

Two strategies based on which Application Filter Policy can be defined:
Allow: By default, allows access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.
Deny: By default, denies access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.

Cyberoam comes with the following predefined policies for applications: Allow All and Deny All. These two predefined policies are immediately available for use until configured otherwise. You can also define custom policies to define different levels of access for different users to meet your organization's requirements.

To manage application filter policies, go to Application Filter → Policy → Policy. You can:
Add
View
Search
Edit: Click the Edit icon in the Manage column against the Application Filter Policy to be modified. Edit Application Filter Policy page is displayed which has the same parameters as the Add Application Filter Policy window.
Add Application Filter Policy Rules: Click the Edit icon in the Manage column against the Application Filter Policy to which Application categories are to be added. Edit Application Filter Policy page is displayed for modifications.
Delete: Click the Delete icon in the Manage column against an Application Filter Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Application Filter Policy. To delete multiple Application Filter Policies, select them and click the Delete button.

Manage Application Filter Policies


To manage application filter policies, go to Application Filter → Policy → Policy.


Screen Manage Application Filter Policies

Screen Elements: Description
Add Button: Add a new Application Filter Policy
Name: Name of Application Filter Policy
Action: Default Action: Allow or Deny
Description: Policy Description
Edit Icon: Edit the Application Filter Policy
Delete Button: Delete the Application Filter Policy. Alternately, click the Delete icon against the policy you want to delete.

Table Manage Application Filter Policies screen elements

Application Filter Policy Parameters


To add or edit an application filter policy, go to Application Filter → Policy → Policy. Click the Add button to add an application filter policy. To update the details, click on the policy or Edit icon in the Manage column against the policy you want to modify.

Screen Add Application Filter Policy


Screen Edit Application Filter Policy (Policy Rule)

Screen Elements: Description
Name: Name to identify the Policy. Duplicate names are not allowed.
Description: Specify Policy Description. Add rule after policy is created successfully.
Template: Select the template for the policy.
Select Categories (Only available once the policy is created): Select Application Category from the list of available categories.

Table Add Application Filter Policy screen elements

Once the policy is created, policy rule can be scheduled for implementation.

Application Filter Policy Rule Parameters


Application Filter Policy rules can be added to custom application filter policies. To add application filter policy rules, go to Application Filter → Policy → Policy. Click the Edit icon in the Manage column against the Application Filter Policy to which rules are to be added. Edit Application Filter Policy window is displayed for modifications. You can add or delete rules from this page.


Screen Add Application Filter Policy Rule

Screen Elements: Description
Select Categories: Select Application Category from the list of available categories.
Select Application: Select the Applications under the Category selected. You can also select more than one application using the checkbox. You can search for the application using the Search textbox.
Action: Select the Action: Allow OR Deny
Schedule: Select the Schedule from the list of schedules available.

Table Add Application Filter Policy Rule screen elements

Search Policy
Click the Search icon in the Application Filter policy name column to search for specific policies. Policy can be searched on the following criteria: is, is not, contains, does not contain. A pop-up window is displayed that has filter conditions for search. Click OK to get the search results and Clear button to clear the results.

Screen Search Policies

Search Criteria: Search Results
is: All the policies that exactly match with the string specified in the criteria. For example, if the search string is Test, only policies with the name exactly matching Test are displayed.
is not: All the policies that do not match with the string specified in the criteria. For example, if the search string is Test, all policies except with the name exactly matching Test are displayed.
contains: All the policies that contain the string specified in the criteria. For example, if the search string is Test, all the policies containing the string Test are displayed.
does not contain: All the policies that do not contain the string specified in the criteria. For example, if the search string is Test, all the policies not containing the string Test are displayed.

Table Search Policies screen elements


IM

11

IM (Instant Messaging) allows you to configure and manage restrictions on instant messaging services provided by the Yahoo and MSN messengers. The traffic coming from the web in the form of files and chat is filtered by various rules and content filtering strategies. You can add an IM contact or IM contact group for configuring rules.

IM Contact
IM Contact is used to register various Yahoo and MSN messaging application users. A Contact can be created for a user having access to either of the two IM applications. Along with the contacts, IM Contact Groups can also be created. Once the users are registered, various IM rules can be created for monitoring them. The rules can be set on groups as well as users individually.

IM Contact page is used to create and manage contacts in Cyberoam. These contacts can be either Yahoo or MSN Email IDs. Any email ID created through Yahoo or MSN is valid for creating IM Contacts.

To manage IM contacts, go to IM → IM Contact → IM Contact. You can:
Add
View
Edit: Click the Edit icon in the Manage column against the contact to be modified. Edit IM Contact pop-up window is displayed which has the same parameters as the Add IM Contact window.
Delete: Click the Delete icon in the Manage column against the contact to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IM Contact. To delete multiple contacts, select them and click the Delete button.

Manage IM Contacts
To manage IM contacts, go to IM → IM Contact → IM Contact.

Screen Manage IM Contacts

Screen Elements: Description
Add Button: Add a new IM contact
Protocol: Protocol suggests the messenger application in use: Yahoo or MSN
Username: Username provided for the IM contact.
Edit Icon: Edit the IM Contact details
Delete Button: Delete the IM Contact. Alternately, click the Delete icon against the contact you want to delete.

Table Manage IM Contacts screen elements

Note
Contact cannot be deleted, if contact is member of a Contact Group.

IM Contact Parameters
To add or edit an IM contact, go to IM → IM Contact → IM Contact. Click the Add button to add IM contact. To update the details, click on the contact or Edit icon in the Manage column against the contact you want to modify.

Screen Add IM Contact

Screen Elements: Description
Protocol: Select the application used for instant messaging. Available Options: Yahoo or MSN
IM Username: Username to identify the IM contact. The username can either be an email address or name of the user.
IM Group: Select the IM group to which the IM contact will be assigned.

Table Add IM Contact screen elements


IM Contact Group
Group is a collection of users that are managed as a single unit. By creating a group, filtering rules can be applied to a number of contacts simultaneously. Contacts that belong to a particular group are referred to as group contacts.

IM Contact Group page is used to create and manage contact groups in Cyberoam. These contact groups have IM Contacts. A single IM contact can be added to multiple contact groups, and rules for the user are applied in the order in which they are created.

To manage IM contact groups, go to IM → IM Contact → IM Contact Group. You can:
Add
View
Edit: Click the Edit icon in the Manage column against the contact group to be modified. Edit IM Contact Group pop-up window is displayed which has the same parameters as the Add IM Contact Group window.
Delete: Click the Delete icon in the Manage column against the contact group to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IM Contact Group. To delete multiple contact groups, select them and click the Delete button.

Manage IM Contact Groups


To manage IM contact groups, go to IM → IM Contact → IM Contact Group.

Screen Manage IM Contact Groups

Screen Elements: Description
Add Button: Add a new IM Contact Group
Name: Name of the IM Contact Group
Description: IM Contact Group Description.
Edit Icon: Edit the IM Contact Group
Delete Button: Delete the IM Contact Group. Alternately, click the Delete icon against the contact group you want to delete.

Table Manage IM Contact Groups screen elements

IM Contact Group Parameters


To add or edit an IM contact group, go to IM → IM Contact → IM Contact Group. Click the Add button to add IM contact group. To update the details, click on the contact group or Edit icon in the Manage column against the contact group you want to modify.

Screen Add IM Contact Group

Screen Elements: Description
Group Name: Name to identify the IM Group.
Select IM Contact: 'IM Contact' List displays all the IM Contacts. Click the checkbox to select the contacts. All the selected contacts are moved to 'Selected IM Contact' list. Single IM Contact can be a member of multiple IM contact groups.
Description: Specify Description

Table Add IM Contact group screen elements

IM Rules
IM Rule controls user's instant messaging access. It specifies which users have access to IM applications. Processing of IM rules is top downwards and the first suitable rule found is applied.

Individual rules for Conversation (chats), File Transfer, Webcam access and Login can be defined based on parameters like:
One-to-One Conversation: One-to-One conversations can be allowed/denied between individual contacts or contacts within groups.
Group Conversation: Group conversations between multiple users can be allowed/denied between individual contacts or contacts within groups.
Content Filtering
Virus Scanning
Archiving
Maintaining Logs


Allow/deny access can be set for an IM contact or entire IM contact group, or even normal users or user groups. For example, you can define a rule that blocks access to all one-to-one conversations between an IM contact group and a user group. If IM access between contacts is restricted by configuring rules, an access restriction message is displayed in the conversation window.
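Because IM rules are processed top downwards and the first suitable rule wins, a rule placed below a broader one may never take effect. The following added example (not Cyberoam code; the names, contacts and group membership are constructed, and login rules are used as the instance) evaluates first-match order and lists rules that are fully shadowed by earlier ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRule:
    participant: str  # an IM contact or an IM contact group name
    action: str       # "Allow" or "Deny"


def members(participant, groups):
    """A group expands to its contacts; a single contact stands for itself."""
    return set(groups.get(participant, {participant}))


def first_match(contact, rules, groups):
    """Return (position, rule) of the first rule covering the contact, or None."""
    for index, rule in enumerate(rules):
        if contact in members(rule.participant, groups):
            return index, rule
    return None


def shadowed(rules, groups):
    """Positions of rules that can never fire: every contact they cover
    is already matched by some rule above them."""
    seen, dead = set(), []
    for index, rule in enumerate(rules):
        covered = members(rule.participant, groups)
        if covered <= seen:
            dead.append(index)
        seen |= covered
    return dead


# Constructed sample data.
GROUPS = {"Contractors": {"alice@yahoo.example", "bob@msn.example"}}
RULES = [
    LoginRule("Contractors", "Deny"),
    LoginRule("alice@yahoo.example", "Allow"),  # intended exception, placed too low
]
REORDERED = [RULES[1], RULES[0]]

if __name__ == "__main__":
    print(first_match("alice@yahoo.example", RULES, GROUPS))      # hits the group Deny
    print(shadowed(RULES, GROUPS))                                # the exception is dead
    print(first_match("alice@yahoo.example", REORDERED, GROUPS))  # exception applies
```
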

Login
Login page allows you to configure and manage login rules for IM Contact, IM Contact Group, User and User Group.

To manage login rules for contacts, go to IM → IM Rules → Login. You can:
Add
View
Edit: Click the Edit icon in the Manage column against the login rule to be modified. Edit Login Rule pop-up window is displayed which has the same parameters as the Add Login Rule window.
Delete: Click the Delete icon in the Manage column against a Login rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Login rule. To delete multiple Login rules, select them and click the Delete button.

Manage Login Rules


To manage login rules for contacts, go to IM → IM Rules → Login.

Screen Manage Login Rules

Screen Elements: Description
Add Button: Add a Login Rule
Participant: Username or IM Contact name of the participant for whom the login rule is established.
Action: Type of Action selected for logging the user: Allow or Deny
Edit Icon: Edit the Login Rule.
Delete Button: Delete the Login Rule. Alternately, click the Delete icon against the rule you want to delete.

Table Manage Login Rules screen elements


Login Rule Parameters


To add or edit a login rule, go to IM → IM Rules → Login. Click the Add button to add login rule. To update the details, click on the rule or Edit icon in the Manage column against the rule you want to modify.

Screen Add Login Rule

Screen Elements: Description
User / IM Contact: Select the Participant for whom the Login Rule is to be defined. Available Options: IM Contact, IM Contact Group, User, User Group. You can also add above contacts from the Add Login Rule Page itself.
Login: Specify Action for logging the contact: Allow OR Deny
Privacy Disclaimer: If the Login is allowed, you can enable the Privacy Disclaimer checkbox to inform the IM contacts about the privacy policy. Default Privacy Disclaimer is displayed when the contact logs into the IM application.
Logging: Enable Logging, if the log has to be maintained for the contacts. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from Log Modules list
Logging Level: If logging is enabled, meta data is logged into cyberoam.
Meta Data: Meta Data contains the information about the Login time, logout time, login action configured and name of User or Group logged in.

Table Add Login Rule screen elements

Conversation
Conversation page allows you to configure and manage conversation rules between any two of the identities: IM Contact, IM Contact Group, User and User Group. The IM conversation between these two contacts can be monitored and logged. Cyberoam provides a default conversation rule that can be applied. This rule allows all the conversations but logs the content of the conversation.

To manage default and custom conversation rules between contacts, go to IM → IM Rules → Conversation. You can:
Add
View
Edit: Click the Edit icon in the Manage column against the conversation rule to be modified. Edit Conversation Rule pop-up window is displayed which has the same parameters as the Add Conversation Rule window.
Delete: Click the Delete icon in the Manage column against a conversation rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the conversation rule. To delete multiple conversation rules, select them and click the Delete button.

Manage Conversation Rules


To manage default and custom conversation rules between contacts, go to IM → IM Rules → Conversation.

Screen - Manage Conversation Rules

Screen Elements - Description
Add Button - Add a Conversation Rule.
Participant - Username or IM Contact name of the participants between whom the rule is established.
Action - Type of Action selected: Allow or Deny.
Logging - Conversation Logs: On or Off. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - Logging Level selected: Full Data or Meta Data. Full Data contains the entire information about the conversation, including the content of the chat, the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation. Meta Data contains the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation.
Edit Icon - Edit the Conversation Rule.
Delete Button - Delete the Conversation Rule. Alternately, click the Delete icon against the rule you want to delete.

Table - Manage IM Conversation Rules screen elements

Conversation Rule Parameters


To add or edit a conversation rule, go to IM → IM Rules → Conversation. Click the Add button to add a conversation rule. To update the details, click on the rule or the Edit icon in the Manage column against the rule you want to modify.

Screen - Add Conversation Rule

Screen Elements - Description
Between User / IM Contact - Select the Participants between whom the Conversation Rule is to be defined. Available Options: IM Contact, IM Contact Group, User, User Group. You can also add the above contacts from the Add Conversation Rule page itself.
One-to-One Conversation - Specify Action for the one-to-one conversation: Allow OR Deny.
Group Conversation - Specify Action for the group conversation or chat: Allow OR Deny.
Content Filter - Enable Content Filtering.
Logging - Enable Logging if a log has to be maintained for the conversation. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - Select the Logging Level, if Logging is enabled. Available Options: Full Data or Meta Data. Full Data contains the entire information about the conversation, including the content of the chat, the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation. Meta Data contains the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation.

Table - Add IM Conversation Rule screen elements

File Transfer
The File Transfer page allows you to configure and manage file transfer rules between any two of the identities: IM Contact, IM Contact Group, User and User Group. The file transfers between these two identities are monitored and logged. If file transfer access between contacts is restricted and a contact tries to transfer a file, an access restriction message is displayed in the conversation window. To manage file transfer rules between contacts, go to IM → IM Rules → File Transfer. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the file transfer rule to be modified. The Edit File Transfer Rule pop-up window is displayed, which has the same parameters as the Add File Transfer Rule window.
Delete - Click the Delete icon in the Manage column against a file transfer rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the File Transfer rule. To delete multiple File Transfer rules, select them and click the Delete button.

Manage File Transfer Rules


To manage file transfer rules between contacts, go to IM → IM Rules → File Transfer.

Screen - Manage File Transfer Rules

Screen Elements - Description
Add Button - Add a File Transfer Rule.
Participant - Username or IM Contact name of the participants between whom the rule is established.
Action - Type of Action selected: Allow or Deny.
Virus Scanning - Virus Scanning: On or Off.
Archiving - Archiving of Files: On or Off.
Logging - File Transfer logs: On or Off. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - If logging is enabled, Meta Data is logged into Cyberoam. Meta Data contains the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation.
Edit Icon - Edit the File Transfer Rule.
Delete Button - Delete the File Transfer Rule. Alternately, click the Delete icon against the rule you want to delete.

Table - Manage File Transfer Rules screen elements


File Transfer Rule Parameters


To add or edit a file transfer rule, go to IM → IM Rules → File Transfer. Click the Add button to add a file transfer rule. To update the details, click on the rule or the Edit icon in the Manage column against the rule you want to modify.

Screen - Add File Transfer Rule

Screen Elements - Description
Between User / IM Contact - Select the Participants between whom the File Transfer Rule is to be defined. Available Options: IM Contact, IM Contact Group, User, User Group. You can also add the above contacts from the Add File Transfer Rule page itself.
Virus Scanning - Enable Virus Scanning if the file transferred between contacts is to be scanned.
Archiving - Enable Archiving if the files are to be archived for further information.
Logging - Enable Logging if a log has to be maintained for the transfer of files. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - If logging is enabled, Meta Data is logged into Cyberoam. Meta Data contains the information about the file transferred, including login time, logout time, file transfer action defined and name of User or Groups between whom the file transfer happened.

Table - Add File Transfer Rule screen elements

Webcam
The Webcam page allows you to configure and manage webcam rules between any two of the identities: IM Contact, IM Contact Group, User and User Group. The video conversations via webcam between these two contacts are monitored and logged. If video conversation access between contacts is restricted and the contact tries to use the webcam, an access restriction message is displayed in the conversation window. To manage webcam rules between contacts, go to IM → IM Rules → Webcam. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the webcam rule to be modified. The Edit Webcam Rule pop-up window is displayed, which has the same parameters as the Add Webcam Rule window.
Delete - Click the Delete icon in the Manage column against a webcam rule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Webcam rule. To delete multiple Webcam rules, select them and click the Delete button.

Manage Webcam Rules


To manage webcam rules between contacts, go to IM → IM Rules → Webcam.

Screen - Manage Webcam Rules

Screen Elements - Description
Add Button - Add a Webcam Rule.
Participant - Username or IM Contact name of the participants between whom the rule is established.
Webcam - Type of Action selected for Webcam viewing: Allow or Deny.
Logging - Video Conversation logs: On or Off. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - If logging is enabled, Meta Data is logged into Cyberoam. Meta Data contains the login time, logout time, name of User or Groups between whom the conversation happened and duration of the conversation.
Edit Icon - Edit the Webcam Rule.
Delete Button - Delete the Webcam Rule. Alternately, click the Delete icon against the rule you want to delete.

Table - Manage Webcam Rules screen elements

Webcam Rule Parameters


To add or edit a webcam rule, go to IM → IM Rules → Webcam. Click the Add button to add a webcam rule. To update the details, click on the rule or the Edit icon in the Manage column against the rule you want to modify.

Screen - Add Webcam Rule

Screen Elements - Description
Between User / IM Contact - Select the Participants between whom the Webcam Rule is to be defined. Available Options: IM Contact, IM Contact Group, User, User Group. You can also add the above contacts from the Add Webcam Rule page itself.
Webcam - Specify Action for the webcam viewing or video chat: Allow OR Deny.
Logging - Enable Logging if a log has to be maintained for the contacts. If logging is enabled, the logs can be viewed from Logs & Reports → Log Viewer. Select IM from the Log Modules list.
Logging Level - If logging is enabled, Meta Data is logged into Cyberoam. Meta Data contains the login time, logout time, webcam rule defined, name of User or Groups between whom the video conversation happened and duration of the conversation.

Table - Add Webcam Rule screen elements


Content Filter
The Content Filtering feature in Cyberoam is applied to Instant Messaging applications, so that configured content is removed from a conversation when it is encountered. The Content Filter page allows you to specify a list of keywords and regular expressions to be blocked if they are encountered in any chat conversation. If content filtering is enabled in the IM conversation rule, the configured keywords are removed and an error message is displayed for the same.

Configure Settings
To configure content filtering expressions, go to IM → Content Filter → Content Filter.

Screen - Configure Content Filter Settings

Screen Elements - Description
RegEx Settings - Specify Regular Expressions to be removed from the IM applications. For example, if the string AB* is specified in the RegEx list, all the strings starting with AB would be dropped from the conversation and an error message would be displayed. You can add multiple regular expressions. Click the Add icon to add more expressions and the Remove icon to delete expressions.
Keyword Settings - Specify Keywords to be removed from the IM applications. For example, if strings like ammunition, terrorism are specified in the keywords list, all such strings would be dropped from the conversation and an error message would be displayed. You can add multiple keywords. Click the Add icon to add more keywords and the Remove icon to delete keywords.

Table - Configure Content Filter Settings screen elements
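The following is an added example, not Cyberoam's code or part of the guide: a small model of the keyword and RegEx removal described in the table, useful for testing filter expressions on sample chat text before deploying them. The function names, case-sensitive matching and whitespace clean-up are assumptions; the example also shows that AB* read as a standard regular expression (A followed by zero or more B) removes more than "strings starting with AB".

```python
import re

# Constructed configuration, modelled on the guide's own examples.
KEYWORDS = ["ammunition", "terrorism"]
REGEX_LIST = [r"AB*"]

# Constructed chat line used to compare the two readings of AB*.
SAMPLE = "ship ABC123 with ABACUS not CAB"


def glob_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern (AB* = 'word starting with AB') to a regex."""
    parts = (r"\S*" if ch == "*" else re.escape(ch) for ch in pattern)
    return r"\b" + "".join(parts)


def build_filter(keywords, expressions, treat_as_glob=False):
    """Compile one pattern covering whole-word keywords and the expression list.

    treat_as_glob=False uses each expression as a standard regular expression;
    treat_as_glob=True applies the 'starts with' reading given in the guide.
    """
    alternatives = [r"\b" + re.escape(k) + r"\b" for k in keywords]
    for expr in expressions:
        if treat_as_glob:
            alternatives.append(glob_to_regex(expr))
        else:
            alternatives.append("(?:" + expr + ")")
    return re.compile("|".join(alternatives))


def filter_message(text, compiled):
    """Remove every match; return (cleaned_text, list_of_removed_fragments)."""
    removed = []

    def _drop(match):
        if match.group(0):          # ignore zero-length matches
            removed.append(match.group(0))
        return ""

    cleaned = compiled.sub(_drop, text)
    cleaned = re.sub(r"\s{2,}", " ", cleaned).strip()
    return cleaned, removed


if __name__ == "__main__":
    for label, as_glob in (("standard regex", False), ("wildcard reading", True)):
        flt = build_filter(KEYWORDS, REGEX_LIST, treat_as_glob=as_glob)
        print(label, "->", filter_message(SAMPLE, flt))
```

Under the standard-regex reading the pattern also strips the lone A inside ABACUS and the AB at the end of CAB, which is the kind of over-matching worth checking for before a pattern goes into the RegEx list.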


Part 12: QoS

Bandwidth is the amount of data passing through a medium over a period of time and is measured in terms of kilobytes per second (kbps) or kilobits per second (kbits) (1 Byte = 8 bits). The primary objective of a QoS (Quality of Service) policy is to manage and distribute total bandwidth based on certain parameters and user attributes. A QoS policy allocates and limits the maximum bandwidth usage of the user and controls web and network traffic. To configure a QoS policy:
Define for whom you want to create the policy
Define the Type of policy
Define the Implementation strategy of the policy
Define the Bandwidth Usage

Policy
Policy can be defined/created for:
User - It restricts the bandwidth of a particular user.
Firewall Rule - It restricts the bandwidth for any entity to which the firewall rule is applied.
Web Category - It restricts the bandwidth for the URLs categorized under the Web category. To implement the restriction, the policy is to be assigned through a firewall rule.

Types of Policy
Two types of bandwidth restriction can be placed:
1. Strict - In this type of bandwidth restriction, the user cannot exceed the defined bandwidth limit.
2. Committed - In this type of bandwidth restriction, the user is allocated the guaranteed amount of bandwidth and can draw bandwidth up to the defined burst-able limit, if available. It enables you to assign fixed minimum and maximum amounts of bandwidth to the users. By borrowing excess bandwidth when available, users are able to burst above guaranteed minimum limits, up to the burst-able rate. Guaranteed rates also assure minimum bandwidth to critical users, so that they receive constant levels of bandwidth during peak and non-peak traffic periods. Guaranteed represents the minimum guaranteed bandwidth and burst-able represents the maximum bandwidth that the user can use, if available.

Implementation strategy
Policy can be implemented in two ways depending on the policy Type:
Total (Upstream + Downstream)
Individual Upstream and Individual Downstream


Strict policy
In this type of bandwidth restriction, the user cannot exceed the defined bandwidth limit. There are two ways to implement a strict policy:

Implementation on: Total (Upstream + Downstream)
Bandwidth specified: Total bandwidth
Example: Total bandwidth is 20 kbps; upstream and downstream combined cannot cross 20 kbps.

Implementation on: Individual Upstream and Individual Downstream
Bandwidth specified: Individual bandwidth, i.e. separate for both
Example: Upstream and Downstream bandwidth is 20 kbps; then either cannot cross 20 kbps.

Committed policy

Implementation on: Total (Upstream + Downstream)
Bandwidth specified: Guaranteed bandwidth and Burst-able bandwidth
Example: Guaranteed bandwidth is 20 kbps; upstream and downstream combined will get 20 kbps guaranteed (minimum) bandwidth. Burst-able bandwidth is 50 kbps; upstream and downstream combined can get up to 50 kbps of bandwidth (maximum), if available.

Implementation on: Individual Upstream and Individual Downstream
Bandwidth specified: Individual Guaranteed and Burst-able bandwidth, i.e. separate for both
Example: Individual guaranteed bandwidth is 20 kbps; upstream and downstream individually get 20 kbps guaranteed (minimum) bandwidth. Individual burst-able bandwidth is 50 kbps; upstream and downstream individually get maximum bandwidth up to 50 kbps, if available.

Bandwidth Usage
Policy can be configured for two types of bandwidth usage:
Individual - Allocated bandwidth is for the particular user only.
Shared - Allocated bandwidth is shared among all the users who have been assigned this policy.

Cyberoam provides certain predefined QoS policies. These predefined policies are immediately available for use until configured otherwise. You can also define custom policies to meet your organization's requirements.
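The following is an added example, not Cyberoam's scheduler or part of the guide: a simplified model of how Strict and Committed limits bound what each user receives on a congested link, using the 20 kbps guaranteed / 50 kbps burst-able figures from the tables above. The allocation order (guaranteed minimums first, then spare capacity handed out by priority), the user names and the link capacities are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    kind: str            # "strict" or "committed"
    limit: int           # kbps: strict ceiling, or burst-able maximum
    guaranteed: int = 0  # kbps: committed minimum (not used by strict)
    priority: int = 3    # 0 (highest) to 7 (lowest), as in the guide


# Constructed users: name -> (policy, demand in kbps).
USERS = {
    "alice": (Policy("committed", limit=50, guaranteed=20, priority=0), 80),
    "bob": (Policy("committed", limit=50, guaranteed=20, priority=3), 80),
    "carol": (Policy("strict", limit=20, priority=5), 40),
}


def allocate(capacity, users):
    """Return {user: granted_kbps} for one link of the given capacity."""
    grant = {}
    spare = capacity

    # Pass 1: committed policies receive their guaranteed minimum first.
    for name, (policy, demand) in users.items():
        floor = min(demand, policy.guaranteed) if policy.kind == "committed" else 0
        floor = min(floor, spare)
        grant[name] = floor
        spare -= floor

    # Pass 2: spare capacity goes out in priority order, never past the
    # strict limit or the burst-able maximum, and never past the demand.
    by_priority = sorted(users.items(), key=lambda item: item[1][0].priority)
    for name, (policy, demand) in by_priority:
        extra = min(min(demand, policy.limit) - grant[name], spare)
        if extra > 0:
            grant[name] += extra
            spare -= extra
    return grant


if __name__ == "__main__":
    for capacity in (40, 110, 1000):
        print(capacity, "kbps link ->", allocate(capacity, USERS))
```

On the 40 kbps link only the guaranteed minimums are met and the strict user gets nothing, which is the difference between the two policy types under congestion.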


Policy
To manage QoS Policies, go to QoS → Policy → Policy. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the QoS Policy to be modified. The Edit QoS Policy page is displayed, which has the same parameters as the Add QoS Policy window.
Add Schedule - Click the Edit icon in the Manage column against the QoS Policy to add and manage schedules. The Edit QoS Policy page is displayed, which has the Schedule details.
Delete - Click the Delete icon in the Manage column against a QoS Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the QoS Policy. To delete multiple QoS Policies, select them and click the Delete button.

Manage QoS Policies


To manage QoS Policies, go to QoS → Policy → Policy.

Screen - Manage QoS Policies

Screen Elements - Description
Add Button - Add a new QoS Policy.
Name - QoS Policy Name.
Restriction Type - Restriction Type based on Bandwidth Usage and Policy implemented.
Total Bandwidth (Min/Max) (in KB) - Total Bandwidth provided including Upload and Download in KB. For e.g. 8/16 for min/max size.
Download Bandwidth (in KB) (Min/Max) - Download Bandwidth provided in KB. For e.g. 8/16 KB for min/max size.
Upload Bandwidth (in KB) (Min/Max) - Upload Bandwidth provided in KB. For e.g. 8/16 KB for min/max size.
Edit Icon - Edit the QoS Policy.
Delete Button - Delete the QoS Policy. Alternately, click the Delete icon against the policy you want to delete.

Table - Manage QoS Policies screen elements

QoS Policy Parameters


To add or edit a QoS policy, go to QoS → Policy → Policy. Click the Add button to add a QoS policy. To update the details, click on the policy or the Edit icon in the Manage column against the policy you want to modify.

Screen - Add a QoS Policy

Screen - Add a QoS Policy (Schedule wise)

Screen Elements - Description
Policy Name - Name to identify the Policy. Duplicate names are not allowed.
Policy Based On - Select any one option to specify for whom the policy is to be created. Available Options:
  User - restricts the bandwidth of a particular user.
  Firewall Rule - restricts the bandwidth of any entity to which the firewall rule is applied.
  Web Category - restricts the bandwidth for the URLs categorized under the Web category.
Policy Type (Option available only for User or Firewall rule (IP address) based policy) - Select any one option to specify the policy type. Available Options:
  Strict - In this type of policy, the user cannot exceed the defined bandwidth limit.
  Committed - In this type of policy, the user is allocated the guaranteed amount of bandwidth and can draw bandwidth up to the defined burst-able limit, if available. It enables you to assign fixed minimum and maximum amounts of bandwidth to the users. By borrowing excess bandwidth when available, users are able to burst above guaranteed minimum limits, up to the burst-able rate. Guaranteed rates also assure minimum bandwidth to critical users, so that they receive constant levels of bandwidth during peak and non-peak traffic periods. Guaranteed represents the minimum guaranteed bandwidth and burst-able represents the maximum bandwidth that the user can use, if available.
Implementation On (Option available only for User or Firewall rule (IP address) based policy) - Select any one option to specify the implementation strategy of the policy. See Implementation strategy for more details.
Priority - Set the bandwidth priority. Priority can be set from 0 (highest) to 7 (lowest). Set the priority for SSH/Voice/Telnet traffic to be highest, as this traffic is more interactive.
Total Bandwidth (KB) / Guaranteed-Burst-able (KB) - Specify the allowed Total or Individual and Guaranteed-Burst-able bandwidth depending on Policy Type and Implementation strategy.
Bandwidth Usage (Option available only for User or Firewall rule (IP address) based policy) - Select any one to specify the bandwidth usage:
  Individual - Allocated bandwidth is for the particular user only.
  Shared - Allocated bandwidth is shared among all the users who have been assigned this policy.
Description - Specify Policy Description.

Table - Add a QoS Policy screen elements

Policy Scheduling
Schedule wise QoS Policy details can be added to override the default QoS policy details. These details can only be added after the QoS policy is created. Go to QoS → Policy → Policy. Click the Edit icon against a QoS policy to configure and manage Schedule wise QoS Policy Details. You can:
Add
View
Delete - Click the Delete icon in the Manage column against a Schedule to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Schedule. To delete multiple schedules, select them and click the Delete button.

Manage Schedules
Go to QoS → Policy → Policy. Click the Edit icon against a QoS policy to manage Schedule wise QoS Policy Details.

Screen - Add a QoS Policy Schedule

Screen Elements - Description
Add Button - Add a new QoS Policy Detail.
Schedule - Schedule for Policy selected.
Policy Type - Type of Policy: Strict or Committed.
Bandwidth (in KB) (Min/Max) - Total Bandwidth provided including Upload and Download in KB. For e.g. 8/16 for min/max size.
Upload Bandwidth (in KB) (Min/Max) - Upload Bandwidth provided in KB. For e.g. 8/16 KB for min/max size.
Download Bandwidth (in KB) (Min/Max) - Download Bandwidth provided in KB. For e.g. 8/16 KB for min/max size.
Delete Button - Delete the QoS Policy Detail. Alternately, click the Delete icon against the policy schedule you want to delete.

Table - Manage Schedules screen elements

Policy Schedule Parameters


Go to QoS → Policy → Policy and click the Edit icon against a QoS policy. Click the Add button to configure Schedule wise QoS Policy Detail.

Screen - Add a QoS Policy Schedule

Screen Elements - Description
Policy Name - Displays policy name.
Policy Type - Displays the default Policy Type set at the time of creation of the policy; modify if required.
  Note: Configured policy type will override the default policy and will be applicable only for the selected scheduled time interval.
Implementation On - Displays the default Implementation strategy set at the time of creation of the policy; modify if required.
  Note: Configured policy type will override the default policy and will be applicable only for the selected scheduled time interval.
Total Bandwidth in KB - Displays the allocated Total or Individual and Guaranteed-Burst-able bandwidth depending on Policy Type and Implementation strategy. Modify if required.
  Note: The modified bandwidth restriction will be applicable only for the selected time interval.
Schedule - Select Schedule during which the default policy. Only Recurring schedule can be applied. If you are not sure about the schedule details, select the schedule and click the View details link to view the schedule details.

Table - Add a QoS Policy Schedule screen elements


Part 13: Logs & Reports

Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network abuse. Cyberoam can either store logs locally or send logs to external syslog servers for storage and archival purposes. Cyberoam can log many different network activities and traffic including:
Firewall log
Anti-virus infection and blocking
Web filtering, URL and HTTP content blocking
Signature and anomaly attack and prevention
Spam filtering
IM logs
Administrator logs
User Authentication logs

Cyberoam supports multiple syslog servers for remote logging. When configuring logging to a Syslog server, one needs to configure the facility, severity and log file format. One can also specify the logging location if multiple syslog servers are defined. A maximum of five syslog servers can be defined from the Logging page of the Web Admin Console. Cyberoam can either store logs locally or send them to the syslog servers. Traffic Discovery logs can be stored locally only.

Configuration
Syslog is an industry standard protocol/method for collecting and forwarding messages from devices to a server running a syslog daemon, usually via UDP port 514. The syslog is a remote computer running a syslog server. Logging to a central syslog server helps in aggregation of logs and alerts. The Cyberoam appliance can also send a detailed log to an external Syslog server in addition to the standard event log. The Cyberoam Syslog support requires an external server running a Syslog daemon on any UDP port. Cyberoam captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. A SYSLOG service simply accepts messages and stores them in files or prints them. This form of logging is the best as it provides a central logging facility and protected long-term storage for logs. This is useful both in routine troubleshooting and in incident handling.


Syslog Servers
To configure and manage syslog servers, go to Logs & Reports → Configuration → Syslog Server. You can:
Add
View
Edit - Click the Edit icon in the Manage column against the server to be modified. The Edit Server pop-up window is displayed, which has the same parameters as the Add Server window.
Delete - Click the Delete icon in the Manage column against a server to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the server.

Manage Syslog servers


To manage syslog servers, go to Logs & Reports → Configuration → Syslog Server.

Screen - Manage Syslog Servers

Screen Elements - Description
Add Button - Add a new syslog server.
Name - Name of the syslog server.
Server IP - IP address of the server.
Port - Server port.
Facility - Facility configured for log messages.
Severity - Severity level configured for logged messages.
Format - Log format.
Edit Icon - Edit server details.
Delete Button - Delete the server. Alternately, click the Delete icon against the server you want to delete.

Table - Manage Syslog Server screen elements

Syslog Server Parameters


To add or edit syslog server details, go to Logs & Reports → Configuration → Syslog Server. Click the Add button to add a new server or the Edit icon to modify the details of the server.

Screen - Add Syslog Server

Screen Elements - Description
Name - Specify a unique name for the syslog server.
IP address - Specify the IP address of the syslog server. Messages from the Cyberoam will be sent to the server. Default: 192.168.1.254
Port - Specify the port number for communication with the syslog server. Cyberoam will send messages using the configured port. Default: 514
Facility - Select the syslog facility for log messages to be sent to the syslog server. Facility indicates to the syslog server the source of a log message. It is defined by the syslog protocol. You can configure the facility to distinguish log messages from different Cyberoams. In other words, it can be helpful in identifying the device that recorded the log file. Cyberoam supports the following syslog facilities for log messages received from remote servers and network devices. Available Options:
  DAEMON - Daemon logs (information of services running in Cyberoam as daemon)
  KERNEL - Kernel log
  LOCAL0 - LOCAL7 - Log level information
  USER - Logging on the basis of users who are connected to the server
Severity Level - Specify the severity level of logged messages. Severity level is the severity of the message that has been generated. Cyberoam logs all messages at and above the logging severity level you select. For example, select ERROR to log all messages tagged as ERROR, as well as any messages tagged with CRITICAL, ALERT and EMERGENCY, and select DEBUG to log all messages. Cyberoam supports the following syslog levels:
  EMERGENCY - System is not usable
  ALERT - Action must be taken immediately
  CRITICAL - Critical condition
  ERROR - Error condition
  WARNING - Warning condition
  NOTICE - Normal but significant condition
  INFORMATION - Informational
  DEBUG - Debug-level messages
Format - Cyberoam produces logs in the specified format. Cyberoam currently produces logs in its own standard format.

Table - Add Syslog Server screen elements

Once you add the server, go to Logs & Reports → Configuration → Log Settings and enable all those logs which are to be sent to the syslog server.
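The following is an added example, not part of the guide or Cyberoam's code: how a collector decodes facility and severity from the PRI field defined by the syslog protocol (PRI = facility code x 8 + severity code) and applies the "at and above the selected severity" rule from the table. The sample messages and device names are constructed and do not reproduce Cyberoam's own log format; the use of LOCAL0 and LOCAL1 for two appliances is an assumption.

```python
import re

# Severity names as listed in the guide, in syslog protocol order (0 = most severe).
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATION", "DEBUG"]

# Syslog protocol codes for the facilities the guide lists.
FACILITIES = {0: "KERNEL", 1: "USER", 3: "DAEMON",
              **{16 + n: f"LOCAL{n}" for n in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed messages: two appliances told apart by facility.
SAMPLE = [
    '<131>device=gw1 msg="disk write failed"',    # LOCAL0 / ERROR
    '<134>device=gw1 msg="admin login"',          # LOCAL0 / INFORMATION
    '<26>device=gw1 msg="service restarted"',     # DAEMON / CRITICAL
    '<15>device=gw1 msg="verbose trace"',         # USER / DEBUG
    '<137>device=gw2 msg="link down"',            # LOCAL1 / ALERT
    'no priority header at all',                  # malformed
]


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a sender places between the angle brackets."""
    code = {name: num for num, name in FACILITIES.items()}[facility]
    return code * 8 + SEVERITIES.index(severity)


def decode(message: str):
    """Return (facility, severity, body); raise ValueError if PRI is invalid."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("missing <PRI> header")
    pri = int(match.group(1))
    if pri > 191:                                  # 23 * 8 + 7 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    name = FACILITIES.get(facility, f"FACILITY{facility}")
    return name, SEVERITIES[severity], match.group(2)


def select(messages, level, facility=None):
    """Keep messages at or above `level`; return (kept, malformed_count)."""
    threshold = SEVERITIES.index(level)
    kept, malformed = [], 0
    for raw in messages:
        try:
            fac, sev, body = decode(raw)
        except ValueError:
            malformed += 1                         # count, do not silently drop
            continue
        if SEVERITIES.index(sev) > threshold:
            continue
        if facility is not None and fac != facility:
            continue
        kept.append((fac, sev, body))
    return kept, malformed


if __name__ == "__main__":
    kept, bad = select(SAMPLE, "ERROR")
    for row in kept:
        print(row)
    print("malformed:", bad)
```

Counting malformed datagrams separately matters on a UDP collector, where anything that reaches the port is accepted.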

Log Settings
Once you add the server, configure the logs to be sent to the syslog server from Logs & Reports → Configuration → Log Settings. If multiple servers are configured, various logs can be sent to different servers.


Screen - Configure Log Settings

To record logs you must enable the respective log and specify the logging location. The Administrator can choose between on-appliance (local) logging, Syslog logging or disabling logging temporarily. Cyberoam logs many different network activities and traffic including:

Firewall Log - Records invalid traffic, local ACL traffic, DoS attacks, ICMP redirected packets, source routed and fragmented traffic. Firewall logs can be disabled or sent to the remote syslog server only, but cannot be stored locally.
  Firewall Rules - Log records the entire traffic for the firewall.
  Invalid Traffic Log - Log records the dropped traffic that does not follow the protocol standards, invalid fragmented traffic and traffic whose packets Cyberoam is not able to relate to any connection.
  Local ACL Log - Log records the entire (allowed and dropped) incoming traffic.
  DoS Attack Log - Records attacks detected and prevented by the Cyberoam, i.e. dropped TCP, UDP and ICMP packets. To generate the log, go to Firewall DoS Settings and click Apply Flag against SYN Flood, UDP flood, TCP flood, and ICMP flood individually.
  Dropped ICMP Redirected Packet Log - Log records all the dropped ICMP redirect packets. To generate the log, go to Firewall DoS Settings and click Apply Flag against Disable ICMP redirect Packets.
  Dropped Source Routed Packet Log - Log records all the dropped source routed packets. To generate the log, go to Firewall DoS Settings and click Apply Flag against Drop Source Routed Packets.
  Dropped Fragmented Traffic - Log records the dropped fragmented traffic.
  MAC Filtering - Log records the dropped packets when filtering is enabled from Spoof prevention.
  IP-MAC Pair Filtering - Log records the dropped packets when filtering is enabled from Spoof prevention.
  IP Spoof Prevention - Log records the dropped packets when filtering is enabled from Spoof prevention.
IPS Logs - Records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and signatures.
Anti Virus Logs - Virus detected in HTTP, SMTP, FTP, POP3 and IMAP4 traffic. Enabling logging for SMTP will also enable logging for POP3 and IMAP4 on the local server. HTTP and FTP logs can be disabled or sent to the remote log server only.
Anti Spam Logs - SMTP, POP3, IMAP4 spam and probable spam mails.
Content Filtering Logs - HTTP filtering log.
Event Logs - Admin Events, Authentication Events and System Events.


Log Viewer
The Event Viewer page allows you to view the logs for event modules like IPS, Web Filter and Anti Virus. This page gives concentrated information about all the events that occurred under the respective modules.

Event Modules
IPS - The IPS event log provides information about the signatures that were detected.
Web Filter - The Web Filter event log provides information about the users that were detected accessing restricted URLs and the action taken by Cyberoam.
Anti Spam - The Anti Spam event log provides information about the spam mails encountered in Cyberoam.
Anti Virus - The Anti Virus event log provides information about the viruses encountered in Cyberoam.
Firewall - Firewall logs provide information about how much traffic passes through a particular Firewall rule and through which interfaces.
Admin - Admin logs provide information about administrator events and tasks.
IM - IM logs provide information about the Instant Messaging logs that are enabled: Logging, Conversation, File Transfer and Webcam.
Authentication - Authentication logs provide information about all the authentication logs, including firewall, VPN and My Account authentication.
System - System logs provide information about all the system related logs. For now, only VPN logs are available for logging.

View list of IPS events


To view the list of IPS events, go to Logs & Reports → Event Viewer → Event Viewer. Select IPS from the list of event modules.

Screen Elements - Description
Time - Time when the event occurred.
Log Comp - Signatures
Action - Detect
User Name - Username of the user that triggered the signature.
Source IP - Source IP Address
Destination IP - Destination IP Address
Signature ID - Signature ID of the signature.
Signature Message - Message for the detected Signature.
Firewall Rule - Firewall Rule applied.
Message ID - Message ID of the message.

Table - IPS Logs screen elements


View list of Web Filter events


To view the list of web filter events, go to Logs & Reports → Log Viewer → Log Viewer. Select Web Filter from the list of event modules.

Screen Elements - Description
Time - Time when the event occurred.
Action - Allowed or Denied
User Name - Username of the user that accessed the URL.
Source IP - Source IP Address
Destination IP - Destination IP Address
Category - Category under which the URL comes.
URL - URL accessed.
Bytes Transfer - No. of bytes transferred.
Message ID - Message ID of the message.

Table - Web Filter Logs screen elements

View list of Anti Spam events

Screen Elements - Description
Time - Time when the event occurred.
Log Comp - SMTP, POP3, IMAP4 spam or Probable spam
User Name - Username of the user on whose system spam was detected.
Source IP - Source IP Address
Destination IP - Destination IP Address
Email Sender - Spam Email sender IP address
Email Receiver - Spam Email recipient IP address
Email Subject - Subject of the Email.
Message - Message for the Virus detected.
Message ID - Message ID of the message.

Table - Anti Spam Logs screen elements

View list of Anti Virus events


To view the list of Anti Virus events, go to Logs & Reports → Event Viewer → Event Viewer. Select Anti Virus from the list of event modules.

Screen Elements | Description
Time | Time when the event occurred.
Log Comp | IMAP or POP3 type of mail
User Name | Username of the user for whom the virus was detected.
Source IP | Source IP Address
Destination IP | Destination IP Address
Virus | Name of the Virus detected.
Message | Message for the Virus detected.
Message ID | Message ID of the message

Table - Anti Virus Logs screen elements

View list of Firewall logs


Screen Elements | Description
Time | Time when the event occurred.
Log Comp | Firewall Rule
Action | Allowed or Denied
User Name | Username of the user to which the Firewall rule is applied
Firewall Rule | Firewall Rule ID
In Interface | Interface through which the traffic is coming in
Out Interface | Interface through which the traffic is going out
Source IP | Source IP Address
Destination IP | Destination IP Address
Bytes Rx/Tx | Name of the Virus detected.
Message | Message for the Virus detected.

Table - Firewall Events screen elements

View list of Admin Logs


Screen Elements | Description
Time | Time when the event occurred.
Log Comp | Type of Log Components - GUI, CLI, CONSOLE, CCC
Status | Successful or failed
Username | Username of the admin user
IP address | IP address of the admin user
Message | Message for the type of Admin event.
Message ID | Message ID of the message

Table - Admin Logs screen elements

View list of IM Logs


Screen Elements | Description
Time | Time when the event occurred.
IM Action | Type of IM Action - Conversation, File transfer, Webcam, Login
Rule Action | Rule action defined - Allowed or Denied
Protocol | Type of Protocol used - Yahoo or MSN
User Name | Username of the user
IP Address | IP address of the user
Suspect | Cyberoam User involved in IM conversation
Non-suspect | Other user involved in IM conversation with Cyberoam user
Message | Message for the type of IM event
Message ID | Message ID of the message

Table - IM Logs screen elements

View list of Authentication Logs


Screen Elements | Description
Time | Date and Time when the event occurred
Log Comp | Type of Log Components - Firewall Authentication, VPN Authentication, SSL VPN Authentication, My Account Authentication
Status | Successful or failed
Username | Username of the user
IP address | IP address of the user
Auth. Client | Authentication client which is used for authentication: Web Client, Corporate Client or CTA
Auth. Mechanism | Type of Authentication Mechanism: Local or External Server (AD, LDAP or RADIUS)
Message | Message for the type of authentication event.
Message ID | Message ID of the message

Table - Authentication Logs screen elements

View list of System Logs


Screen Elements | Description
Time | Time when the event occurred
Log Comp | Type of Log Components - IPSec, PPTP, L2TP or SSL VPN
Status | Successful or failed
Username | Username of the user
Message | Message for the type of system event.
Message ID | Message ID of the message

Table - System Logs screen elements
