Cyberoam User Guide
Uploaded by
Amadou MbayeCyberoam User Guide
Uploaded by
Amadou MbayeCyberoam User Guide
Version 10
Document version 1.0 10.6.2.378 - 12/01/2015
Cyberoam User Guide
Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but
is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications.
Information is subject to change without notice.
USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam
UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam House,
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640 Website: www.cyberoam.com
Page 1 of 490
Cyberoam User Guide
Content
Preface ................................................................................................................................. 6
About this Guide ................................................................................................................. 7
Guide Organization .............................................................................................................................. 7
Technical Support ................................................................................................................................ 9
Introduction ....................................................................................................................... 10
Administrative Interfaces ................................................................................................................... 11
Web Admin Console ...................................................................................................................... 11
Command Line Interface (CLI) Console ........................................................................................ 11
Cyberoam Central Console (CCC) ................................................................................................ 12
Web Admin Console .......................................................................................................................... 13
Web Admin Language ................................................................................................................... 13
Supported Browsers ...................................................................................................................... 14
Login procedure ............................................................................................................................. 15
Log out procedure .......................................................................................................................... 16
Menus and Pages .......................................................................................................................... 17
Page ............................................................................................................................................... 19
Icon bar .......................................................................................................................................... 20
List Navigation Controls ................................................................................................................. 21
Tool Tips ........................................................................................................................................ 21
Status Bar ...................................................................................................................................... 21
Common Operations ...................................................................................................................... 22
Getting Started .................................................................................................................. 24
Dashboard ......................................................................................................................................... 26
Alert Messages Doclet ................................................................................................................... 26
Appliance Information Doclet ......................................................................................................... 27
System Usage Doclet .................................................................................................................... 27
System Status Doclet..................................................................................................................... 28
Recent Web Viruses Detected Doclet ........................................................................................... 28
Recent Mail Viruses Detected Doclet ............................................................................................ 29
Gateway Status Doclet .................................................................................................................. 29
Recent Malware Alerts Doclet ....................................................................................................... 30
License Information Doclet ............................................................................................................ 31
Recent FTP Viruses Detected Doclet ............................................................................................ 31
Recent IPS Alerts Doclet ............................................................................................................... 31
Today Usage Summary Doclet ...................................................................................................... 32
DoS Attack Status Doclet .............................................................................................................. 32
Web Traffic Analysis Doclet ........................................................................................................... 33
HA Details Doclet ........................................................................................................................... 33
System ............................................................................................................................... 35
Administration .................................................................................................................................... 35
Settings .......................................................................................................................................... 36
Appliance Access........................................................................................................................... 40
Administrator Profiles ..................................................................................................................... 42
Profile Parameters ......................................................................................................................... 43
Access Denied Page...................................................................................................................... 44
Password ....................................................................................................................................... 45
Central Management ..................................................................................................................... 46
API ................................................................................................................................................. 49
Configuration .................................................................................................................................. 51
Time ............................................................................................................................................... 51
Notification ..................................................................................................................................... 53
Messages ....................................................................................................................................... 57
Configuring Web Proxy Settings .................................................................................................... 66
Enabling and Configuring Parent Proxy......................................................................................... 67
Configuring Captive portal ............................................................................................................. 68
Theme ............................................................................................................................................ 70
Maintenance ...................................................................................................................................... 71
Page 2 of 490
Cyberoam User Guide
Backup & Restore .......................................................................................................................... 71
Firmware ........................................................................................................................................ 74
Licensing ........................................................................................................................................ 76
Services ......................................................................................................................................... 79
Updates .......................................................................................................................................... 81
SNMP ................................................................................................................................................ 83
SNMP terms ................................................................................................................................... 83
Agent Configuration ....................................................................................................................... 84
Community ..................................................................................................................................... 85
V3 User .......................................................................................................................................... 87
Certificate........................................................................................................................................... 88
Certificate ....................................................................................................................................... 89
Certificate Authority........................................................................................................................ 95
Certificate Authority Parameters .................................................................................................... 97
Certificate Revocation List (CRL) ................................................................................................ 100
Adding a new CRL ....................................................................................................................... 101
Diagnostics ...................................................................................................................................... 102
Tools ............................................................................................................................................ 102
System Graph .............................................................................................................................. 106
Packet Capture ............................................................................................................................ 114
Connection List ............................................................................................................................ 121
Consolidated Troubleshoot Report (CTR) ................................................................................... 124
Objects............................................................................................................................. 125
Hosts................................................................................................................................................ 126
IP Host ......................................................................................................................................... 126
IP Host Group .............................................................................................................................. 130
MAC Host ..................................................................................................................................... 132
FQDN Host .................................................................................................................................. 134
FQDN Host Group ....................................................................................................................... 136
Country Host ................................................................................................................................ 138
Country Host Group ..................................................................................................................... 141
Services ........................................................................................................................................... 143
Services ....................................................................................................................................... 143
Service Group .............................................................................................................................. 146
Schedule .......................................................................................................................................... 148
Schedule ...................................................................................................................................... 148
File Type .......................................................................................................................................... 150
Network............................................................................................................................ 152
Interface ........................................................................................................................................... 152
Interface ....................................................................................................................................... 153
VLAN ............................................................................................................................................ 164
Link Aggregation Group ............................................................................................................... 169
IP Tunnel ...................................................................................................................................... 173
Zone ............................................................................................................................................. 176
Wireless WAN ................................................................................................................................. 180
Status ........................................................................................................................................... 181
Settings ........................................................................................................................................ 182
Gateway........................................................................................................................................... 187
Gateway ....................................................................................................................................... 188
Static Route ..................................................................................................................................... 198
Unicast ......................................................................................................................................... 198
Multicast ....................................................................................................................................... 200
Source Route ............................................................................................................................... 203
Dynamic Route ................................................................................................................................ 205
RIP ............................................................................................................................................... 206
OSPF ........................................................................................................................................... 211
BGP.............................................................................................................................................. 218
PIM-SM ........................................................................................................................................ 220
Routing Information...................................................................................................................... 221
DNS ................................................................................................................................................. 234
Page 3 of 490
Cyberoam User Guide
DNS Host Entry............................................................................................................................ 237
Address Assignment for IPv6 Devices ............................................................................................ 239
Router Advertisement .................................................................................................................. 240
DHCP............................................................................................................................................... 245
DHCP Server ............................................................................................................................... 246
DHCP Lease ................................................................................................................................ 251
DHCP Relay ................................................................................................................................. 252
ARP-NDP......................................................................................................................................... 254
Neighbors ..................................................................................................................................... 255
Dynamic DNS .................................................................................................................................. 260
Identity ............................................................................................................................. 263
Authentication .................................................................................................................................. 264
Authentication Server................................................................................................................... 265
Configuring External Authentication Server ................................................................................. 267
1. Configuring Active Directory Server Settings .......................................................................... 267
2. Configure LDAP Authentication Settings ................................................................................. 279
3. Configure RADIUS Server Settings ......................................................................................... 283
Firewall ......................................................................................................................................... 286
Configuring Authentication for VPN Traffic...................................................................................... 292
Configuring Authentication for Admin Traffic ............................................................................... 294
User Groups .................................................................................................................................... 295
Users ............................................................................................................................................... 302
Users ............................................................................................................................................ 303
Clientless Users ........................................................................................................................... 313
Guest Users ..................................................................................................................................... 319
General Settings .......................................................................................................................... 319
Manage Guest Users ................................................................................................................... 323
SMS Gateway .............................................................................................................................. 334
Policy ............................................................................................................................................... 338
Access Time Policy ...................................................................................................................... 339
Surfing Quota Policy .................................................................................................................... 342
Data Transfer Policy .................................................................................................................... 345
Live Users ........................................................................................................................................ 349
Live Users .................................................................................................................................... 349
Firewall ............................................................................................................................ 357
IPv6.................................................................................................................................................. 358
IPv6 Features supported in CyberoamOS ...................................................................................... 358
Default Firewall Rules ...................................................................................................................... 360
Rule ................................................................................................................................................. 362
IPv4 Firewall Rule ........................................................................................................................ 362
Manage Firewall Rule List ........................................................................................................... 365
IPv4 Firewall Rule Parameters .................................................................................................... 368
IPv6 Firewall Rules ...................................................................................................................... 379
Manage Firewall Rule List ........................................................................................................... 381
IPv6 Firewall Rule Parameters .................................................................................................... 384
Virtual Host ...................................................................................................................................... 391
NAT Policy ....................................................................................................................................... 400
Spoof Prevention ............................................................................................................................. 402
Configuring Spoof Prevention Settings ........................................................................................ 402
Trusted MAC ................................................................................................................................ 404
DoS .................................................................................................................................................. 407
Settings ........................................................................................................................................ 409
Bypass Rules ............................................................................................................................... 412
Web Filter ........................................................................................................................ 415
Settings ............................................................................................................................................ 415
Web Category .................................................................................................................................. 417
Search URL ................................................................................................................................. 421
URL Group ................................................................................................................................... 422
Web Filter Policy .............................................................................................................................. 424
Page 4 of 490
Cyberoam User Guide
ICAP ................................................................................................................................................ 430
Server........................................................................................................................................... 430
Policy............................................................................................................................................ 431
Application Filter............................................................................................................. 434
Application List ................................................................................................................................ 434
Application Filter Category .............................................................................................................. 436
Application Filter Policy ................................................................................................................... 438
IM...................................................................................................................................... 444
IM Contact ....................................................................................................................................... 444
IM Contact Group ......................................................................................................................... 446
IM Rules........................................................................................................................................... 448
Login ............................................................................................................................................ 449
Conversation ................................................................................................................................ 451
File Transfer ................................................................................................................................. 454
Webcam ....................................................................................................................................... 456
Content Filter ................................................................................................................................... 457
QoS .................................................................................................................................. 459
Settings ............................................................................................................................................ 460
QoS Policy ....................................................................................................................................... 462
Logs & Reports ............................................................................................................... 469
Configuration ................................................................................................................................... 470
Syslog Servers ............................................................................................................................. 471
Log Settings ................................................................................................................................. 474
Netflow ......................................................................................................................................... 477
Log Viewer ....................................................................................................................................... 478
4-Eye Authentication ....................................................................................................................... 485
Settings ........................................................................................................................................ 486
De-Anonymize ............................................................................................................................. 487
Page 5 of 490
Cyberoam User Guide
Preface
Welcome to Cyberoams - User Guide.
Cyberoam Unified Threat Management Appliances offer identity-based comprehensive security to
organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over
applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also
offer wireless security (WLAN) and 3G wireless broadband and analog modem support can be used as
either Active or Backup WAN connection for business continuity.
Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and AntiSpyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data
Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple
Link Management, Comprehensive Reporting over a single platform.
Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced
inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling
Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs
support. It thus offers security to organizations across layer 2 - layer 8, without compromising
productivity and connectivity.
Cyberoam UTM Appliances accelerate unified security by enabling single-point control of all its security
features through a Web 2.0-based GUI. An extensible architecture and an IPv6 Ready Gold logo
provide Cyberoam the readiness to deliver on future security requirements.
Cyberoam provides increased LAN security by providing separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the
external world and still have firewall protection.
Note
Default Web Admin Console username is admin and password is admin
Cyberoam recommends that you change the default password immediately after installation to
avoid unauthorized access.
Page 6 of 490
Cyberoam User Guide
About this Guide
This Guide provides information regarding the administration, maintenance, and customization of
Cyberoam and helps you manage and customize Cyberoam to meet your organizations various
requirements including creating groups and users and assigning policies to control web as well as
application access.
Guide Organization
The Cyberoam User Guide organization is structured into the thirteen parts that follow the Cyberoam
Web Admin Console structure. Within these parts, individual topics correspond to security Appliance
management interface layout.
This Guide is organized into thirteen parts:
Part I Introduction
This part covers various features of Web 2.0 based graphical interface.
Part II Getting started
This part covers how to start using Cyberoam after deployment.
Part III Basics
This part covers basic building blocks in Cyberoam.
Part IV System
This part covers a various security Appliance controls for managing system status information,
registering and managing the Cyberoam security Appliance and its subscription licenses through
registration portal, managing firmware versions, defining profiles for role based access, scheduling
backups and restoring, various and using included diagnostics tools for troubleshooting.
Part V Objects
This part covers various Objects which are the logical building blocks for configuring various policies
and rules, which include:
host IP, network and MAC Addresses. They are used in defining firewall rules, virtual host, NAT
policy, IPSec, L2TP and VPN policies
services which represent specific protocol and port combination for example, DNS service for
TCP protocol on 53 port. Access to services are allowed or denied through firewall rules.
schedule to control when the firewall rule, Access time policy, Web filter policy, Application filter
policy, or QoS policy will be in effect for example, All Days, Work Hours
file types defining web filter policy, SMTP scanning rules
certificates VPN policies
Page 7 of 490
Cyberoam User Guide
Part VI Network
This part covers configuring the Cyberoam Appliance for your network. It includes configuring
Cyberoam interfaces and DNS settings, adding VLAN sub interfaces and custom zones, configuring
DHCP. It also covers configuration of the 3G wireless WAN interface on the Cyberoam Appliances that
support the feature.
Part VII Identity
This part covers how to configure user level authentication and manage users and user groups.
Part VIII Firewall
This part covers tools for managing how the Cyberoam Appliance handles traffic through the firewall.
Part IX Web Filter
This part covers how to configure and manage Web filtering in Cyberoam through categories and
policies.
Part X Application Filter
This part covers how to configure and manage application filtering in Cyberoam through categories and
policies.
Part XI IM
This part covers how to configure and manage restrictions on instant messaging services provided by
the Yahoo and MSN messengers.
Part XII QoS
This part covers how to configure and manage bandwidth through QoS policy that allocates and limits
the maximum bandwidth usage of the user and controls web and network traffic.
Part XIII Logs & Reports
This part covers managing logging and reporting feature. Cyberoam provides extensive logging
capabilities for traffic, system and network protection functions. Detailed log information and reports
provide historical as well as current analysis of network activity to help identify security issues and
reduce network abuse.
Page 8 of 490
Cyberoam User Guide
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration
status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam House,
Saigulshan Complex, Opp. Sanskruti,
Beside White House, Panchwati Cross Road,
Ahmedabad - 380006, GUJARAT, INDIA.
Tel: +91-79-66216666
Fax: +91-79-26407640: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: [email protected]
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.
Page 9 of 490
Cyberoam User Guide
Introduction
The Appliances use Layer 8 technology to help organizations maintain a state of readiness against today's
blended threats and offer real-time protection.
Unified Threat Management Appliances offer identity-based comprehensive security to organizations against
blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant
Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN)
and 3G wireless broadband. Analog modem support can be used as either Active or Backup WAN connection
for business continuity.
The Appliance integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and AntiSpyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage
Prevention, IM Management and Control, Layer 7 visibility, Web Application Firewall, Bandwidth
Management, Multiple Link Management and Comprehensive Reporting over a single platform.
The Appliance has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced
inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to
apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers
security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.
The Appliance accelerates unified security by enabling single-point control of all its security features through
a Web 2.0-based GUI. An extensible architecture and an IPv6 Ready Gold logo provide Appliance the
readiness to deliver on future security requirements.
The Appliances provides increased LAN security by providing separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external
world and still have firewall protection.
Layer 8 Security:
The Appliances features are built around its patent pending Layer 8 technology. The Layer 8 technology
implements the human layer of networking by allowing organizations control traffic based on users instead of
mere IP Addresses. Layer 8 technology keeps organizations a step ahead of conventional security solutions
by providing full business flexibility and security in any environment including WI-FI and DHCP.
Note
All the screen shots in the Cyberoam User Guides are taken from NG series of Appliances. The feature
and functionalities however remains unchanged across all Cyberoam Appliances.
Page 10 of 490
Cyberoam User Guide
Administrative Interfaces
Appliance can be accessed and administered through:
Web Admin Console
Command Line Interface Console
Cyberoam Central Console
Administrative Access An administrator can connect and access the Appliance through HTTP, HTTPS, telnet,
or SSH services. Depending on the Administrator login account profile used for access, an administrator can
access number of Administrative Interfaces and Web Admin Console configuration pages.
Appliance is shipped with two administrator accounts and four administrator profiles.
Administrator
Type
Login Credentials
Console Access
Privileges
Super
Administrator
admin/admin
Web Admin
Console
Full privileges for both the
consoles. It provides readwrite permission for all the
configuration performed
through either of the
consoles.
CLI console
Default
cyberoam/cyber
Web Admin
console only
Full privileges. It provides
read-write permission for all
the configuration pages of
Web Admin console.
Note
We recommend that you change the password of both the users immediately on deployment.
Web Admin Console
Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and
manage the Appliance.
You can connect to and access Web Admin Console of the Appliance using HTTP or a HTTPS connection
from any management computer using web browser:
HTTP login: http://<LAN IP Address of the Appliance>
HTTPS login: https://<LAN IP Address of the Appliance>
For more details, refer section Web Admin Console.
Command Line Interface (CLI) Console
Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance
component. The Appliance can be accessed remotely using the following connections:
Remote login Utility TELNET login
Page 11 of 490
Cyberoam User Guide
To access Appliance from command prompt using remote login utility Telnet, use command
TELNET <LAN IP Address of the Appliance>. Use default admin.
SSH Client (Serial Console)
SSH client securely connects to the Appliance and performs command-line operations. CLI console
of the Appliance can be accessed via any of the SSH client using LAN IP Address of the Appliance
and providing Administrator credentials for authentication.
Note
Start SSH client and create new Connection with the following parameters:
Host <LAN IP Address of the Appliance>
Username admin
Password admin
Use CLI console for troubleshooting and diagnose network problems in details. For more details, refer version
specific Console Guide available on http://docs.cyberoam.com/.
Cyberoam Central Console (CCC)
Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC)
Appliance, enabling high levels of security for Managed Security Service Provider (MSSPs) and large
enterprises. To monitor and manage Cyberoam using CCC Appliance you must:
Configure CCC Appliance in Cyberoam
Integrate Cyberoam Appliance with CCC using: Auto Discovery or Manually
Once you have added the Appliances and organized them into groups, you can configure single Appliance or
groups of Appliances.
For more information, please refer CCC Administrator Guide.
Page 12 of 490
Cyberoam User Guide
Web Admin Console
CyberoamOS uses a Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to
configure and manage the Appliance.
You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the
interfaces. Appliance when connected and powered up for the first time, it will have a following default Web
Admin Console Access configuration for HTTP and HTTPS services.
Services
Interface/Zones
Default Port
HTTP
LAN, WAN
TCP Port 80
HTTPS
WAN
TCP Port 443
The administrator can update the default ports for HTTP and HTTPS services from System >
Administration > Settings.
Web Admin Language
The Web Admin Console supports multiple languages, but by default appears in English. To cater to its nonEnglish customers, apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French
languages are also supported. Administrator can choose the preferred GUI language at the time of logging
on.
Listed elements of Web Admin Console will be displayed in the configured language:
Dashboard Doclet contents
Navigation menu
Screen elements including field & button labels and tips
Error messages
Page 13 of 490
Cyberoam User Guide
Supported Browsers
You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection
from any management computer using one of the following web browsers:
Browser
Supported Version
Microsoft Internet Explorer
Version 8+
Mozilla Firefox
Version 3+
Google Chrome
All versions
Safari
5.1.2(7534.52.7)+
Opera
15.0.1147.141+
The minimum screen resolution for the management computer is 1024 X 768 and 32-bit true xx-color.
The Administrator can also specify the description for firewall rule, various policies, services and various
custom categories in any of the supported languages.
All the configuration done using Web Admin Console takes effect immediately. To assist you in configuring
the Appliance, the Appliance includes a detailed context-sensitive online help.
Page 14 of 490
Cyberoam User Guide
Login procedure
The log on procedure authenticates the user and creates a session with the Appliance until the user logs-off.
To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browsers
URL box. A dialog box appears prompting you to enter username and password.
Screen Login Screen
Screen Element
Description
Enter user login name.
Username
If you are logging on for the first time after installation, use the
default username.
Specify user account password.
Password
Dots are the placeholders in the password field.
If you are logging on for the first time after installation with the
default username, use the default password.
Select the language. The available options are ChineseSimplified, Chinese-Traditional, English, French, and Hindi.
Language
Default English
To administer Cyberoam, select Web Admin Console
Log on to
To view logs and reports, select Reports.
To login into your account, select My Account.
Login button
Click to log on the Web Admin Console.
Screen Login screen elements
The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick and fast
overview of all the important parameters of your Appliance.
Page 15 of 490
Cyberoam User Guide
Log out procedure
To avoid un-authorized users from accessing Cyberoam, log off after you have finished working. This will end
the session and exit from Cyberoam.
To log off from the Appliance, click the
Console pages.
button located at the top right of any of the Web Admin
Page 16 of 490
Cyberoam User Guide
Menus and Pages
The Navigation bar on the leftmost side provides access to various configuration pages. This menu consists
of sub-menus and tabs. On clicking the menu item in the navigation bar, related management functions are
displayed as submenu items in the navigation bar itself. On clicking submenu item, all the associated tabs are
displayed as the horizontal menu bar on the top of the page. To view a page associated with the tab, click the
required tab.
The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu.
When you click on a top-level heading in the left navigation bar, it automatically expands that heading and
contracts the heading for the page you are currently on, but it does not navigate away from the current page.
To navigate to a new page, first click on the heading, and then click on the submenu you want navigate to.
On hovering the cursor upon the up-scroll icon
navigation bar up or down respectively.
or the down-scroll icon
, automatically scrolls the
The navigation menu includes following modules:
System System administration and configuration, firmware maintenance, backup - restore
Objects Configuration of various policies for hosts, services, schedules and file type
Networks Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway,
DDNS
Identity Configuration and management of User and user groups
Firewall Firewall Rule Management
Page 17 of 490
Cyberoam User Guide
VPN VPN and SSL VPN access configuration
IPS IPS policies and signature
Web Filter Web filtering categories and policies configuration
Application Filter Application filtering categories and policies configuration
WAF Web Application Filtering policies configuration. Available in all the models except CR15iNG
and CR15wiNG.
IM IM controls
QoS Policy management viz., surfing quota, QoS, access time, data transfer
Anti Virus Antivirus filtering policies configuration
Anti Spam Anti Spam filtering policies configuration
Traffic Discovery Traffic monitoring
Logs & Reports Logs and reports configuration
Note
Use F1 key for page-specific help.
Use F10 key to return to Dashboard.
Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone
page, choose the Network menu, then choose Interface sub-menu from the navigation bar, and then choose
Zone tab. Guide mentions this path as Network > Interface > Zone.
Page 18 of 490
Cyberoam User Guide
Page
A typical page looks as shown in the below given image:
Screen Page
Page 19 of 490
Cyberoam User Guide
Icon bar
The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions
like:
Dashboard Click to view the Dashboard
Wizard Opens a Network Configuration Wizard for a step-by-step configuration of the network
parameters like IP Address, subnet mask and default gateway for your Appliance.
Report Opens a Reports page for viewing various usage reports. Integrated Logging and Reporting
solution - iView, to offer wide spectrum of 1000+ unique user identity-based reporting across applications
and protocols and provide in-depth network visibility to help organizations take corrective and preventive
measures.
This feature is not available for CR15xxxx series of Appliances.
Console Provides immediate access to CLI by initiating a telnet connection with CLI without closing Web
Admin console.
Logout Click to log off from the Web Admin Console.
More Options
Provides options for further assistance. The available options are as follows:
Support Opens the customer login page for creating a Technical Support Ticket. It is fast, easy
and puts your case right into the Technical Support queue.
About Product Opens the Appliance registration information page.
Help Opens the context sensitive help page.
Reset Dashboard Resets the Dashboard to factory default settings.
Lock Locks the Web Admin Console. Web Admin Console is automatically locked if the
Appliance is in inactive state for more than 3 minutes. To unlock the Web Admin Console you
need to re-login. By default, Lock functionality is disabled. Enable Admin Session Lock from
System > Administration > Settings.
Reboot Appliance Reboots the Appliance.
Shutdown Appliance Shut downs the Appliance .
Page 20 of 490
Cyberoam User Guide
List Navigation Controls
The Web Admin Console pages display information in the form of lists that are spread across the multiple
pages. Page Navigation Control Bar on the upper right top corner of the list provides navigation buttons for
moving through the list of pages with a large number of entries. It also includes an option to specify the number
entries/records displayed per page.
Tool Tips
To view the additional configuration information use tool tip. Tool tip is provided for many configurable fields.
Move the pointer over the icon
to view the brief configuration summary.
Status Bar
The Status bar at the bottom of the page displays the action status.
Page 21 of 490
Cyberoam User Guide
Common Operations
Adding an Entity
You can add a new entity like policy, group, user, rule, ir host by clicking the Add button available on most of
the configuration pages. Clicking this button either opens a new page or a pop-up window.
Editing an Entity
All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the Edit icon
under the Manage column.
Deleting an Entity
You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.
To delete multiple entities, select
individual entity and click the Delete button.
Page 22 of 490
Cyberoam User Guide
To delete all the entities, select
in the heading column and click the Delete button.
Sorting Lists
To organize a list spread over multiple pages, sort the list in ascending or descending order of a column
attribute. You can sort a list by clicking a column heading.
Ascending Order icon
the column attribute.
Descending Order icon
the column attribute.
in a column heading indicates that the list is sorted in ascending order of
in a column heading indicates that the list is sorted descending order of
Filtering Lists
To search specific information within the long list spread over multiple pages, filter the lists. Filtering criteria
vary depending on a column data and can be a number or an IP address or part of an address, or any text
string combination.
To create filter, click the Filter
icon changes to
icon in a column heading. When a filter is applied to a column, the Filter
Configuring Column Settings
By default on every page all columnar information is displayed but on certain pages where a large number of
columnar information is available, all the columns cannot be displayed. It is also possible that some content
may not be of use to everyone. Using column settings, you can configure to display only those numbers of
columns which are important to you.
To configure column settings, click Select Column Settings and select the checkbox against the columns you
want to display and clear the checkbox against the columns which you do not want to display. All the default
columns are greyed and not selectable.
Page 23 of 490
Cyberoam User Guide
Getting Started
Once you have deployed and configured Cyberoam in your network and registered the copy of your
Cyberoam, you can start using the Cyberoam.
1. Start monitoring
Once you have deployed the Appliance successfully you can start monitoring user activities in your Network.
Depending on the Web and Application Filter Policy configured at the time of installation, certain categories
will be blocked or allowed for LAN to WAN traffic with or without authentication.
2. View Reports
Monitor your Network activities using Reports.
To view Reports, log on to iView by clicking Reports on the topmost button bar from the Web Admin Console
and log on with the default username admin and password admin.
View user surfing trends from Web Usage > Top Web User report
View your organizations Category wise surfing trends from Web Usage > Top Categories
report
View mail usage from Mail Usage > Top Mail Senders and Mail Receivers report
3. Configure for Username based monitoring
As user activity is monitored and logged based on IP address, all the reports generated are also IP address
based. To monitor and log user activities based on User names, you have to configure Appliance for
integrating user information and authentication process.
Integration will identify access request based on Usernames and generate reports based on them.
If your Network uses Active Directory Services and users are already created in ADS, configure your
Appliance to communicate your ADS.
If your Network uses RADIUS, configure for your Appliance to communicate with RADIUS.
If your Network uses LDAP, configure for your Appliance to communicate with LDAP.
If your Network uses NTLM, configure your Appliance to communicate with NTLM.
4. Customize
You can create additional policies to meet your organizations requirement.
You can:
Control user based per zone traffic by creating firewall rule. Refer to Firewall for more details.
Control individual user surfing time by defining Surfing quota policy. Refer to Surfing Quota policy for more
details.
Page 24 of 490
Cyberoam User Guide
Schedule Internet access for individual users by defining Access time policy. Refer to Access time policy
for more details.
Control web access by defining Web and Application Filter Policies. Refer to Web and Application Filter
Policy for more details.
Allocate and restrict the bandwidth usage by defining QoS policy. Refer to QoS policy for more details.
Limit total as well as individual upload and/or download data transfer by defining data transfer policy. (Refer
Data transfer policy for more details.)
Page 25 of 490
Cyberoam User Guide
Dashboard
The Appliance dashboard appears as soon as you log on to the Web Admin Console.
The Dashboard provides a quick and birds eye view of all the important parameters of your Appliance that
require special attention such as password, access to critical security services, system resources usage, IPS
alerts, notifications of subscription expirations and many more. Dashboard uses Doclets to display this
information.
Dashboard page is completely customizable and the administrator can reposition doclets by dragging and
dropping or close the doclet by clicking
icon that are pertinent to the user and requires special attention for
managing your Appliance on the top and the information used less often moved to the bottom. Administrator
can even reset doclets position to default by selecting Reset Dashboard option
dropdown button
. You can also refresh the doclets by clicking
from More Options
icon.
Alert Messages Doclet
Alert Message doclet allows the administrator to monitor and track system events of the Appliance. Each alert
message displays the date and time that the event occurred.
Alert Message doclet displays following alerts:
The default password for the user "admin" has not been changed. We highly recommend you to change
the password. This alert is displayed when default password for the super administrator is not changed.
On-Appliance reporting is currently OFF. No reports are being generated. Use CLI command "set onAppliance-report on" to start on-Appliance reporting. This alert is displayed when Appliance reporting is
disabled. By default, Appliance reporting is enabled.
The default Web Admin Console password has not been changed.
HTTPS, SSH based management is allowed from the WAN. This is not a secure configuration. We
recommend using a good password.
HTTP, Telnet based management is allowed from the WAN. This is not a secure configuration. We
recommend using a good password.
Your Appliance is not registered.
The modules expired.
Apart from preventing spyware from entering and infecting your network, the Appliance can also detect any
unwanted applications and Spyware infected hosts that are already there in the network that is, network
infected before Appliance was deployed and provides alert on Dashboard.
Color coding and symbolic representations are used for easier identification of alert messages.
The color coding is as under:
Green: Indicates less severe notifications.
Red: Indicates severe and security related notifications.
Blue: Indicates firmware download notifications.
Page 26 of 490
Cyberoam User Guide
The icons used are as under:
: Indicates password related notifications.
: Indicates security related advice.
: Indicates Alert messages.
: Indicates firmware download notifications.
Appliance Information Doclet
The Appliance Information doclet provides Appliance information. Doclet provides:
Model number of the Appliance which is deployed for example, CR35iNG and its Appliance key,
Base firmware version, for example 10.6.1 and build number which is installed,
Version number of various subscription modules - IPS Signature, Anti Virus, Webcat Signature, and
Application Signatures used by the Appliance to categorize and control traffic or detect and block virus.
System Usage Doclet
The System Usage doclet displays graphs pertaining to CPU and memory usage. A period-wise graph is
displayed providing information of the last two hours of CPU and Memory Usage.
CPU Info graphs
CPU Info graphs allow the Administrator to monitor the CPU usage by the Users and System components.
Last two hour CPU Usage - Graph shows past two hours CPU usage in percentage.
Page 27 of 490
Cyberoam User Guide
Memory Info graphs
Memory Info graphs allow the Administrator to monitor the memory usage in MB.
Last two hours Memory Usage - Graph shows past two hours memory usage in MB.
To view more graphs, go to System > Diagnostics > System Graphs. You can view Period wise
Utilities graphs.
System Status Doclet
System Status doclet provides general system information such as current system date and time, number of
days since the Appliance is up and running, and the total number of currently connected users.
You can change the system time from CLI Console from System Settings menu though we do not recommend
changing time as this affects all the logs and reports. Refer Cyberoam Console Guide for more information.
Recent Web Viruses Detected Doclet
The Web Viruses Detected doclet provides web virus information.
Doclet provides:
The date and time at which the web virus is detected. The date is displayed in format Day
DD:MM:YYYY. The time is displayed in format HH:MM:SS.
Page 28 of 490
Cyberoam User Guide
The name of the user during whose activity the web virus was detected.
The name of the domain in which the web virus is detected.
The name of the detected web virus.
Recent Mail Viruses Detected Doclet
The Recent Mail Viruses detected doclet provides information about the mail virus detected by the Appliance.
Doclet provides:
The time and date when the Appliance detected virus. The date and time is displayed in the format Day
DD:MM:YYYY HH:MM:SS.
The name of the protocol via which the virus infected Email is received.
The Email address of the recipient who has received the virus infected Email.
The subject of the virus infected Email that is received.
The name of the virus detected by the Appliance.
Gateway Status Doclet
The Gateway Status Doclet provides information about the Gateway. Doclet provides:
The name of the gateway. Click the Graph icon
particular gateway.
against the Gateway to view data transfer via the
The IP Address (IPv4/IPv6) of the gateway.
The status of Gateway whether is reachable or not that is Active
or Deactive
View Data Transfer Graph.
Page 29 of 490
Cyberoam User Guide
User can select the period from the available options for the Report of Data Transfer through the Gateway.
Available Options:
Last Week
Last Month
Custom
Graph displays the upload, download and total data transfer through Gateway.
X-axis Date (depending on the period selected)
Y-axis KB /MB/GB used.
Legends
Orange Color Upload Data Transfer (MB)
Purple Color Download Data Transfer (MB)
Green Color Total Data Transfer (MB)
Note
When the selected period is Custom, then the user can select to view data of maximum last six (06)
months. At a time maximum of thirty (30) days data will be displayed.
Recent Malware Alerts Doclet
The Malware Alerts doclet provides spyware information. Doclet provides:
The date and time at which the spyware is detected. The date is displayed in format Day DD:MM:YYYY.
The time is displayed in format HH:MM:SS.
Page 30 of 490
Cyberoam User Guide
The source IP Addresses and destination IP address from where the spyware originated and is destined
to, respectively.
The name of the signature using which the spyware got detected.
The severity level of the spyware viz., critical, major, moderate, minor, warning.
The action taken on the detected spyware as per the configured policy viz., allow packet, drop packet,
drop session, reset, and bypass session.
The Signature Identification Number to which the spyware matched.
License Information Doclet
License Information doclet provides the information about the subscription modules. Doclet provides:
The Appliance registration information. If the Appliance is registered, the Email Address used for
Appliance registration is displayed. If the Appliance is not registered, click the underlined link against
Appliance Not Registered, to navigate to System > Maintenance > Licensing for further information.
Subscription status of the modules available for subscription.
The status of the subscription module can be one of the following:
Status
Expires on Day DD MM YYYY
Unsubscribed
Subscription Expired
Meaning
Subscription expiry date
Module is not subscribed
Subscription has expired
Recent FTP Viruses Detected Doclet
The FTP Viruses Detected doclet provides web virus information. Doclet provides:
The date and time at which the FTP virus is detected. The date is displayed in format Day
DD:MM:YYYY. The time is displayed in format HH:MM:SS.
The name of the user during whose file transfer activity the FTP virus was detected.
The name of the domain in which the FTP virus is detected.
The name of the detected FTP virus.
Recent IPS Alerts Doclet
The IPS Alert doclet provides traffic information identified for malicious activity on the network. Doclet
provides:
Page 31 of 490
Cyberoam User Guide
The date and time at which the malicious traffic is detected. The date is displayed in format Day
DD:MM:YYYY. The time is displayed in format HH:MM:SS.
The source and destination IP address from where the malicious traffic originated and is destined to,
respectively.
The name of the signature using which the malicious traffic got detected.
The severity level of the malicious traffic.
The action taken on the detected malicious traffic as per the configured policy.
Today Usage Summary Doclet
The Today Usage Summary doclet provides Internet usage information and search statistics for the current
day. Doclet provides:
Total HTTP hits
The total number of search queries made using google and yahoo search engines. Clicking any search
engine opens respective search engine report, providing search details like search date and time, name
of the user, IP address through which the search request was placed, and the search string. The
Appliance also provides similar report for other search engines like Bing, Wikipedia, Rediff, and eBay
and can be viewed from Logs & Reports > View Reports > Reports > Search Engine.
DoS Attack Status Doclet
The DoS Attack Status Doclet provides information about DoS Attacks. Doclet provides:
1. Attack type. Click on the hyperlink to view real time updates on flooding. It displays details of the
Source IP Addresses (Flooders) used for flooding and the targeted IP Addresses (Flood Victims).
Also, it displays the date and time at which the flooding is detected.
2. Displays whether Source/Destination packet control is applied or not.
3. Number of packets dropped in case Source/Destination packet control is applied.
Page 32 of 490
Cyberoam User Guide
Web Traffic Analysis Doclet
The Web Traffic Analysis doclet provides web traffic information.
The web traffic is by default classified into four categories: Productive, Non-Working, Neutral, and Unhealthy.
Traffic is classified under category - N/A, if it does not fall in any of the default categories. Different colors
represent different categories. Doclet provides:
Distribution by Hits Graph displays total traffic hits per category. Clicking the hyperlink will open the
detailed report.
Distribution by Data Transfer Graph displays total data transferred per category.
HA Details Doclet
The HA Details doclet not available in models CR15i, CR25ia, CR15wi, CR25wi, CR35wi, CR15iNG.
The Doclet provides HA configuration mode, Primary and Auxiliary Appliance key, Dedicated link port,
Monitored Interface list and current connections.
Screen Element
Description
HA Configuration
Mode
Displays the HA Configuration mode for cluster. HA can be
configured in one of the following two modes: Active-Active
and Active-Passive.
Appliance Key
Displays Appliance key only after HA is configured.
Peer Appliance Key
Displays peers Appliance Key.
Page 33 of 490
Cyberoam User Guide
In case of Primary Appliance, it displays the Auxiliary
Appliance Key.
In case of Auxiliary Appliance, it displays the Primary
Appliance Key.
Dedicated HA Link
Port
Displays the HA link port that is configured on Primary
Appliance and to be used HA link port on Auxiliary Appliance
Displays the Appliance port to be monitored.
Monitored Interface
List
Connection
Both the Appliances will monitor their own ports and if any of
the monitored port goes down, Appliance will leave the cluster
and failover will occur.
Displays connections served by Primary and Auxiliary
Appliance.
Page 34 of 490
Cyberoam User Guide
System
System allows configuration and administration of Cyberoam Appliance for secure and remote management
as well as administrative privilege that you can assign to admin users. It also provides the basic system
settings and language settings for the Web Admin Console. Configuration of several non-network features,
such as SNMP, custom messages, portal setting and themes can be done through System.
Administration
Administration page provides an option to configure general settings for your Appliance. Various ports and
login security can be configured using this submenu. The Administrator can also restrict administrative access
to various local services available from the zone. Administrator can create profile(s) to be assigned to the
admin users for configuring and managing the Appliance. You can administer port numbers, remote login
security, local login security and local ACL services from Administration submenu.
Page 35 of 490
Cyberoam User Guide
Settings
Use the Settings page to make modifications in the general port settings and Web Admin Login parameters.
Make changes to the login parameters for restricting the local and remote users based on the time.
To manage the administration settings, go to System > Administration > Settings.
Screen Manage Administration Settings
Parameters
Screen Element
Description
Web Admin Settings
HTTP Port
Provide the port number to configure HTTP Port.
Page 36 of 490
Cyberoam User Guide
Default 80
HTTPS Port
Provide the port number to configure HTTPS Port for Secured
Web Admin Console access.
Default 443
Certificate
Certificate to be used by User MyAccount and Captive Portal.
SSL VPN Settings
SSL VPN Port
Provide the port number to configure SSL VPN Port.
Default 8443
Certificate
Default Certificate that will be used by SSL VPN. After
configuring Tunnel Access if you want to configure Certificate
from a different CA, change SSL Server Certificate from VPN
> SSL > Tunnel Access page.
Per User Certificate
Encryption
Selecting this option will allow the user to have user specific
certificate encryption.
Receive Passphrase
via
Select a mode to receive a passphrase from the available
options:
Available Options:
Client Bundle
On-screen Link
Email
Default By default, the passphrase is received is Client
Bundle.
Default Language for
SSL VPN Web Portal
Select a default language to be used for SSL VPN Web Portal
from the available options:
Available Options:
English
Hindi
Chinese Traditional
Chinese Simplified
French
Japanese
Login Security (Remote Admins)
To prevent the unauthorized access to the Web Admin Console and CLI, configure Admin
Session Lock, Admin Session Logout time and Block Admin Login to block the access after
number of failed login attempts.
Configure inactive time in minutes after which the Appliance will be locked automatically. This
configuration will be applicable to following Cyberoam components:
Page 37 of 490
Cyberoam User Guide
Web Admin Console
Telnet Console
IPSec Connection Wizard
Network Wizard
Group Import Wizard
Configure inactive time in minutes after which the administrator will be logged out automatically.
By default, admin session logout time is 30 minutes.
Note
Admin Session Logout time value must be greater than the Lock Admin Session time.
Block Admin Login Enable to block login to the Web Admin Console and CLI if allowed failed
login attempts exceeds.
Configure number of allowed failed login attempts from the same IP Address within the time limit.
Specify number of minutes for which the administrator will not be allowed to login i.e. if allowed
failed login attempts exceeds, the administrator account will locked for the configured minutes.
Administrator Password Complexity Settings
Password Complexity can be configured to ensure that administrators are using secure
passwords.
Enable Password Complexity Settings to enforce following constraints:
Minimum Password length. Configure minimum characters required in the
password. By default, the Minimum Password length is eight (8) characters.
Require minimum one Upper and lower case alphabet
Require minimum one number i.e. 0 - 9
Require at least one special character e.g. @, $, %
Password cannot be same as username.
All the enabled constraints are applied to administrator user password.
Login Disclaimer Settings
The Login Disclaimer allows setting a written message that administrators must read and agree
prior to logging on to the Web Admin Console and CLI for Appliance administration. If a
disclaimer is set, it must be accepted before administrator can login.
Default disclaimer can be customized as per the requirement from the Messages page (System
> Configuration > Messages). One can also review the customized message before
setting.
Language Settings
Default Configuration
Language
Select a default configuration language. On changing the
language Appliance reboots, removes all the customizations,
and displays all the default configurations in the selected
language.
Available Options:
Page 38 of 490
Cyberoam User Guide
English
Hindi
Chinese Traditional
Chinese Simplified
French
Japanese
Please make sure to take the backup as the entire custom
configuration will be lost. Appliance restores the backup in the
same language in which it is taken.
Table Administration Settings screen elements
Page 39 of 490
Cyberoam User Guide
Appliance Access
Appliance Access allows limiting the Administrative access of the following Appliance services from various
default as well as custom zones LAN, WAN, DMZ, and VPN:
Admin Services HTTP, HTTPS, Telnet, SSH
Authentication Services Windows/Linux Client, Captive portal, NTLM, Radius SSO
Network Services DNS, Ping/Ping6
Other Services Web Proxy, SSL VPN
To manage the access to devices, go to System > Administration > Appliance Access.
Screen Appliance Access Settings
Default Access Control Configuration
When the Appliance is connected and powered up for the first time, it will have a default Access configuration.
Admin Services HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22)
services will be enabled for administrative functions in LAN zone. HTTP (TCP port 80), HTTPS (TCP port
443) and SSH (TCP port 22) services will be enabled for administrative functions in WAN zone. HTTP (TCP
port 80) services will be enabled for administrative functions in DMZ zone.
Authentication Services Windows/Linux Client (UDP port 6060), Captive portal Authentication (TCP port
8090) and Radius SSO will be enabled for User Authentication Services in LAN zone. User Authentication
Services are not required for any of the Administrative functions but required to apply user based internet
surfing, bandwidth, and data transfer restrictions.
Network Services Ping/Ping6 and DNS services will be enabled for LAN zone.
Other Services Web Proxy service will be enabled for LAN zone. SSL VPN (TCP port 8443) service will be
enabled for LAN, WAN and DMZ zone.
Updating Default Access Control Configuration
Use access control to limit the access to the Appliance for administrative purposes from the specific
authenticated/trusted networks only.
Admin Services Enable/disable access to the Appliance using following service from the specified zone:
HTTP, HTTPS, Telnet and SSH.
Page 40 of 490
Cyberoam User Guide
Authentication Services Enable/disable following service from the specified zone: Windows/Linux Client,
Captive portal, NTLM, Radius SSO.
Network Services Enable/disable following service from the specified zone: DNS, Ping/Ping6
Other Services Enable/disable following service from specified zone: Web Proxy, SSL VPN.
Page 41 of 490
Cyberoam User Guide
Administrator Profiles
Role-based administration capabilities are provided to offer greater granular access control and flexibility.
It allows an organization to separate super administrator's capabilities and assign through Profiles. Profiles
are a function of an organization's security needs and can be set up for special-purpose administrators in
areas such as firewall administration, network administration, and logs administration. Profiles allow granting
permissions to individual administrators depending on their role or job need in organization.
The profile separates Appliance features into access control categories for which you can enable none, read
only, or read-write access.
For ease of use, by default the Appliance provides 5 profiles:
Administrator super administrator with full privileges
Audit Admin read-write privileges for Logs & Reports Configuration, Report Access and DeAnonymization only
Crypto Admin read-write privileges for Certificate configuration only
HAProfile read-only privileges. If HA is configured, any user accessing Web Admin Console of
Auxiliary Appliance will have privileges as defined in HAProfile.
Security Admin read-write privileges for all features except Profiles, Password. Certificates, WAF
Alerts, Traffic Discovery and Log & Reports - Configuration, Log Viewer, Report Access
An Administrator with full privileges can create other custom administrators and assign them restricted/full
privileges. A custom administrator so created, has restricted privileges and can only update their Email
Address and password.
Note
You cannot delete the default profiles.
You cannot delete the profile assigned to administrator.
Manage Profiles
To manage default and custom profiles, go to System > Administration > Profile.
The Profiles list shows the default and custom profiles you have created and enables you to add, edit, and
delete profiles.
Screen Manage Profile
Page 42 of 490
Cyberoam User Guide
Profile Parameters
To add or edit profiles, go to System > Administration > Profile. Click Add Button to add a new
profile. To update the details, click on the Profile or Edit icon
be modified.
in the Manage column against the profile to
Screen Add Profile
Screen Element
Description
Add Profile
Profile Name
Specify a name to identify the profile.
Configuration
Click on the access level you want to provide to a profile. There
are three levels of access each of the created profile can have.
Available Options:
None No access to any page
Read-Only View the pages
Read-Write Modify the details
Access levels can be set for individual menus as well. You can
either set a common access level for all the menus or
individually select the access level for each of the menu. Click
icon against a menu to view the items under that menu.
For example, if you set access level as Read-Only against the
Web Filter, the profile user would only be able to view the Web
Filter menu but would not be able to make any modifications.
To make modifications, Read-Write option is to be used.
Table Add Profile screen elements
Page 43 of 490
Cyberoam User Guide
Access Denied Page
The Appliance provides role-based administration capabilities and privileges are assigned to the Administrator
through Profiles. Administrator can have read only, read-write or no access privilege for the pages of Web
Admin Console.
Access denied page is displayed when the Administrator tries to access a page or perform the operation,
which is not allowed to them.
Page 44 of 490
Cyberoam User Guide
Password
The Appliance is shipped with one global super admin with the credentials username & password as
admin. Both the consoles Web Admin Console and CLI, can be accessed with the same credentials. This
administrator is always authenticated locally that means by the Appliance itself.
Note
It is strongly recommended to change the password for this username immediately after deployment.
To change password, go to System > Administration > Password.
Screen Change Password
Parameters
Screen Element
Description
Default Admin Password Settings
User Name
The Default Admin User Name is admin.
Current Password
Provide the current admin password.
New Password
Password - Specify new admin password.
Confirm Password - Confirm the specified new admin
password.
Reset to Default
Click to reset the password to factory default password.
Table Change Password screen elements
Page 45 of 490
Cyberoam User Guide
Central Management
Apart from managing and monitoring the Appliance directly, it can also be done through Cyberoam Central
Management if deployed within your organization.
To enable Appliance management through CCC, go to System > Administration > Central
Management.
Screen Central Management
Parameters
Screen Element
Description
Central Management Settings
Enable Central
Management
Enable to manage the Appliance through Central Management.
IP Address / Domain
Specify the IP Address/Domain for Central Management.
Port
Specify the value to the Port over which the information will be
sent.
Appliance
Management
Enable to configure and communicate with the Appliance
through Central Management.
Communication Details
Heartbeat Protocol
Select Heartbeat Protocol from the available options.
Available Options:
Syslog
HTTP
Page 46 of 490
Cyberoam User Guide
Selected Heartbeat Protocol specifies how the information will
be provided.
Syslog is the default Heartbeat Protocol.
Secure
Communication
Enable this option to secure the Connection between the
Appliance and Central Management Server.
Heartbeat Port
Specify the Heartbeat Port.
Central Management receives heartbeat information on the
specified port.
By default, the Heartbeat Port are:
Syslog 514
HTTP 80
The Appliance will send information at specific intervals to
Central Management. The Central Management will analyze
the information received from the Appliance periodically and
send necessary alerts.
For details about Alerts, refer to Central Management Guide.
Enabling the Secure Communication option will set the default
Heartbeat Port values to
Syslog 6514
HTTP 443
Configuration Synchronization
Synchronization
Mode
Specify the method to be used for sending configuration
updates:
Available Options:
Central Management will push configuration changes
to the Appliance Select if the Appliance is directly
connected to the Internet. In this case the Central
Management keeps on passing updates to the Appliance if
any configurations are updates. Communication will be
done on port 80.
Appliance will fetch configuration changes from Central
Management Select if the Appliance is behind NAT
device. In this case the Appliance keeps on asking for
updates to the Central Management.
Page 47 of 490
Cyberoam User Guide
Connection Protocol
Select the protocol through which the updates are sent from the
available options:
Available Options:
HTTP
HTTPS
Port
Displays the port number for the protocol selected.
Signature
Distribution
Enable if you want to automatically update AV, IPS and
Application Signatures from the Central Management Console.
Signature
Distribution Port
Configure port on which appliance and Central Management
Console communicates.
Default - 80
Table Central Management screen elements
Page 48 of 490
Cyberoam User Guide
API
Application Programming Interface (API) is an interface which allows third party applications to communicate
with Cyberoam. This page allows the Administrator to log on and log off users.
Screen API Configuration
Parameters
Screen Element
Description
API Configuration
API Configuration
Enable to allow only authorized third-party Solution Providers
like ISP, System Integrators to use API for log on and log off
process.
Default - Disable
IP Address
Add the IP Addresses allowed to place the XML log on and log
off requests.
You will be able to add IP Address only if API Configuration is
enabled.
API Explorer
Request XML String
Specify the XML content containing the configurations to enable
user log on or log off.
Parse and Apply
Click to parse the XML Content and apply the configurations.
Table API screen elements
Page 49 of 490
Cyberoam User Guide
For all the requests, XML response will be displayed in a pop-up window.
Sample XML Request Code:
<Request><LiveUserLogin><UserName>cyberoam</UserName><Password>cyber</Password><IPAddres
s>10.21.18.15</IPAddress><MacAddress>00:0C:29:2D:D3:AC</MacAddress></LiveUserLogin></Request
>
<Request><LiveUserLogout><Admin><UserName>admin</UserName><Password>admin</Password></A
dmin><UserName>cyberoam</UserName><IPAddress>10.21.18.15</IPAddress></LiveUserLogout></Req
uest>
For versions prior to 10.6.1 MR-1
<Request><LiveUserLogout><UserName>cyberoam</UserName><IPAddress>10.21.18.15</IPAddress></
LiveUserLogout></Request>
Please use the below link to use API:
https://<Cyberoam IP>/corporate/APIController?reqxml=<Add the XML request here>
For example:
https://<Cyberoam
IP>/corporate/APIController?reqxml=<Request><LiveUserLogin><UserName>cyberoam</UserName><Pas
sword>cyber</Password><IPAddress>10.21.18.15</IPAddress><MacAddress>00:0C:29:2D:D3:AC</MacA
ddress></LiveUserLogin></Request>
Note
When the user logs on using API, the client type of all users will display API Client on the Live Users
page.
Page 50 of 490
Cyberoam User Guide
Configuration
The Configuration page allows basic configuration of the Appliance including GUI localization, mail server,
customized messages, web & parent proxy settings, themes and outlook for the Captive portal.
Time
Appliance current date and time can be set according to the Appliances internal clock or synchronized with
an NTP server. Appliance clock can be tuned to show the right time using global Time servers so that logs
show the precise time and Appliance internal activities can also happen at a precise time.
To configure time settings, go to System > Configuration > Time.
Screen Time Settings
Page 51 of 490
Cyberoam User Guide
Parameters
Screen Element
Description
Current Time
Displays the current system time.
Time Zone
Select time zone according to the geographical region in which
the Appliance is deployed.
Set Date & Time
Select to configure the date and time for Appliances clock.
Date
Specify the date by clicking Calendar
Time
Specify the time in HH:MM:SS format.
Sync with NTP server
Select to synchronize the Appliance time automatically with an
NTP server.
icon.
NTP stands for Network Time Protocol, and it is an Internet
standard protocol used to synchronize the clocks of Appliance
to time reference.
Use pre-defined
Select to use the pre-defined NTP servers asia.pool.ntp.org
& in.pool.ntp.org.
Use Custom
Specify the NTP server IP Address or domain name to
synchronize time with it. If custom NTP server is defined, time
is synchronized with custom server and not with pre-defined
servers.
Appliances use NTP Version 3 (RFC 1305). One can configure
up to 10 NTP servers. At the time of synchronization, it queries
each configured NTP server sequentially. When the query to
the first server is not successful, Appliance queries second
server and so on until it gets a valid reply from one of the NTP
servers configured.
Sync Status
Click Sync Now button to synchronize the Cyberoam clock with
the NTP Server.
Table Time Setting screen elements
Page 52 of 490
Cyberoam User Guide
Notification
Configure a Mail Server IP Address, Port and Email Address for the Appliance to send and receive alert
Emails.
To configure mail server settings, go to System > Configuration > Notification.
Screen Mail Server Notification
Parameters
Screen Element
Description
Mail Server Settings
Mail Server IPv4
Address/FQDN - Port
Specify the Mail Server IP Address or FQDN and Port number.
Default 25 if Connection Security is configured as STARTTLS
Default 465 if Connection Security is configured as SSL/TLS
Authentication
Required
Enable to authenticate user before sending an Email.
Specify user credentials.
User Name
Specify the User Name, which uniquely identifies user and will
be used for login.
Password
Specify the password.
Page 53 of 490
Cyberoam User Guide
Connection Security
Select Connection Security mode, to be used for establishing a
secured connection between SMTP Client and the SMTP
Server for SMTP Mail Notification.
Available Options:
None Select if your SMTP Server does not support TLS
(Transport Layer Security) or a secured connection
between SMTP Client and the SMTP Server is not
required. If selected, a normal TCP connection is
established, without any security.
STARTTLS SMTP Client establishes a TCP
connection with the SMTP Server to learn about the TLS
capabilities of the server. If the SMTP Server supports
STARTTLS, the connection is upgraded to TLS. If the
SMTP Server does not support STARTTLS, the SMTP
Client continues to use the normal TCP connection.
SSL/TLS SMTP Client establishes a TLS connection
with the SMTP Server. In case the SMTP Server does
not support TLS, no connection is made between the
SMTP Client and the SMTP Server.
Default None
Certificate
Select a Certificate, to be used for authentication by SMTP
Client and the SMTP Server.
Default - ApplianceCertificate
Email Settings
From Email Address
Specify the Email Addresses from which the notification is to be
mailed.
Send Notifications to
Email Address
Specify the Email Address to which the notification is to be
mailed.
Email Notification
Page 54 of 490
Cyberoam User Guide
IPSec Tunnel
UP/Down
Check to enable receiving of Email notification, if the IPSec
VPN tunnel connectivity is lost.
Email alerts are sent to Administrator on the configured Email
Address. All the IPSec tunnels follow the single central
configuration done.
An Email is sent only for Host to Host and Site to Site tunnel
connections; if it flaps due to one of the following reasons:
A peer is found dead (DPD)
Failed to re-establish connection after Dead Peer
Detection (DPD)
IPSec Security Association (SA) is expired and is
required to be re-established.
IPSec Tunnel comes up without
intervention after losing the connectivity
administrator
Email shall contain following basic information:
IPSec Connection name
IP Addresses of both participating hosts/network
Current state of the IPSec Tunnel connection, viz, Up or
Down
Exact Time when the IPSec Tunnel connection was lost
Reason for lost of IPSec Tunnel connection
Appliance Model Number
Firmware version and build number
Appliance Key (if registered)
Appliance LAN IP Address
HA configuration Primary/Auxiliary (if configured)
Note
Test Mail
An Email is sent for each subnet pair in case of Site to
Site connections, having multiple local/remote networks.
An Email sent with respect to IPSec Tunnel coming; do
not have any reason mentioned within.
Description of IPSec Tunnel connection is included in the
Email, only if the information for same is provided by the
Administrator.
Click to validate the Senders and Receivers Email Address.
The Appliance does so by sending a test mail that follows the
Sender Receiver path thereby verifying its validity.
From Email Address of the sender.
To Email Address of the receiver.
Subject Subject starting the purpose of the Email.
Body Message to be sent via Email.
Page 55 of 490
Cyberoam User Guide
Click Send button to send the Email.
An error message is automatically generated in case the test
Email is unsent. The following screen shows the message that
is displayed at the bottom left of the console in case such an
event occurs.
This event is logged as Notice in the Reports > Event section
of Cyberoam iView Reports.
Table Mail Server Notification screen elements
Screen Predefined Authentication Messages
Note
Mail Server configuration changes automatically when changed from the Network Configuration Wizard
and vice versa.
Page 56 of 490
Cyberoam User Guide
Messages
The Messages page allows the Administrator to send messages to the various users. Messages help
Administrator to notify users about problems as well as Administrative alerts in areas such as access, user
sessions, incorrect password, and successful log on and log off etc.
Messages, up to 256 characters can be sent to a single user or multiple users simultaneously, whenever an
event occurs.
To customize the default messages, go to System > Configuration > Messages. You can:
Edit Click Edit icon
to the user.
Save Click Save icon
Reset Click Reset icon
to edit the default message and create a customized message to be displayed
to save the edited message or Cancel icon
to ignore the changes.
to reset the edited message to the default message.
Page 57 of 490
Cyberoam User Guide
Predefined Authentication Messages
Screen Predefined Authentication Messages
Page 58 of 490
Cyberoam User Guide
Messages
Description/Reason
Authentication
User account
blocked (AD Policy)
Login failed. Your AD Server account is locked.
User account
disabled (AD Policy)
Login failed. Your account on AD Server is disabled.
User account expired
(AD Policy)
Login failed. Your account on AD Server has expired.
Clientless User Login
Not Allowed
Clientless user is not required to login.
Data Transfer
Exhausted
Your data transfer has been exceeded. Please contact the
Administrator.
Deactive User
You have been deactivated by the Administrator.
Delete User
You have been disconnected.
Disconnect User
You have been disconnected by Admin.
Guest User Validity
Expired
Guest User validity has expired.
Login not allowed at
this time (AD Policy)
Login failed. You are not permitted by AD Server to login at this
time.
Invalid Machine
Message is sent if User tries to login from the IP Address not
assigned to him/her.
Login not allowed at
this workstation (AD
Policy)
Login failed. You are not permitted by AD Server to login at this
workstation.
Someone else is
logged in from same
IP Address
Message is sent if someone else has already logged with the same
IP Address.
Logged Off
Successful Message
Message is sent when User logs off successfully.
Logged On
Successful Message
Message is sent when User logs on successfully.
Max Login Limit
Message is sent if User has reached the maximum login limit.
Not Authenticate
Message is sent if User name or password is incorrect..
Not Currently
Allowed
Message is sent if User is not permitted to access at this time
Access Time policy applied to the User account defines the
allowed access time and not allowed access at any other time.
User password
expired (AD Policy)
Login failed. Your password on AD Server has expired.
Page 59 of 490
Cyberoam User Guide
User needs to reset
the Password (AD
Policy)
Login failed. You must reset your AD Server password.
Logged Off Due To
Session Time Out
Message is sent when session has timed out and user is logged
of automatically.
Surfing Time
Exhausted
Message is sent when User is disconnected because his/her
allotted surfing time is exhausted
The surfing time duration is the time in hours the User is allowed
Internet access that is defined in Surfing time policy. If hours are
exhausted, User is not allowed to access.
Surfing Time Expired
Administrator has temporarily deactivated the User and will not be
able to log on because User surfing time policy has expired.
Logout Notification
You will be logged off automatically after sometime. If you wish to
continue browsing tap this notification.
Table Predefined Authentication Message screen elements
Page 60 of 490
Cyberoam User Guide
Predefined SMTP Messages
Screen Predefined SMTP Messages
Messages
Description/Reason
SMTP
CTIPD Rejection
Message will be sent when the mail is blocked as sender's IP
Address is blacklisted.
CTIPD Temporary
Rejection
Message will be sent when the mail is blocked as sender's IP
Address is blacklisted temporarily.
Page 61 of 490
Cyberoam User Guide
Probable Spam
Rejection
Message will be sent when mail is suspected as probable spam
mail and is rejected.
Probable Virus
Outbreak Rejection
Message will be sent when outbreak detection engine rejects mail
because it seems to be a Probable Virus outbreak.
Spam Rejection
Message will be sent when spam mail is rejected.
Virus Outbreak
Rejection
Message will be sent when outbreak detection engine rejects mail
because it is identified as a Virus outbreak.
Email Domain
Rejection
Message will be sent when Administrator has blocked the mail
sender domain.
Spam Mail Rejection
Message will be sent when Administrator has blocked the mail
sender.
Mail Header
Rejection
Message will be sent when mail is rejected as it contains a
restricted mime header.
Mail/Virus Rejection
Message will be sent when virus infected mail is rejected.
IP Address Rejection
Message will be sent when Administrator has blocked the mail
sender IP.
Oversized Mail
Rejection
Message will be sent when mail is rejected because message size
exceeds the maximum allowed size.
Undersized Mail
Rejection
Message will be sent when mail is rejected because the message
size is less than the allowed size.
Delivery Notification
(to Sender)
Message will be sent to the mail sender when mail is successfully
delivered to the receiver.
Attachment Infection
Message will be sent when mail is rejected due to virus infected
attachment.
RBL Rejection
Message will be sent when the IP Address from which mail is send
is blacklisted.
Suspected Infection
Message will be sent when mail is suspected as virus infected mail
and is rejected.
Table Predefined SMTP Message screen element
Page 62 of 490
Cyberoam User Guide
Predefined IM Messages
Screen Predefined IM Messages
Messages
Description/Reason
IM
File Transfer Block
Notification (to
sender)
Message will be sent when the Administrator has blocked transfer
files with this contact.
Message Block
Notification (to
sender)
Message will be sent when the Administrator has blocked
communication with this contact.
Privacy Notification
to Non-Suspect (on
the first message
sent from either side)
Message will be sent once the IM session starts to inform user that
their conversation is being monitored with this contact.
Privacy Notification
to Suspect (After
user has logged in)
Message will be sent as soon as the user logs on to IM to inform
users that their conversation is being monitored.
Virus Scan
Notification (to
sender)
Message will be sent when the file transferred is virus infected.
Webcam Block
Notification (to
Inviter)
Message will be sent when Administrator has blocked webcam
usage.
Table Predefined IM Message screen element
Page 63 of 490
Cyberoam User Guide
Administration Messages
Screen Administration Message
Messages
Description/Reason
Administration
Disclaimer Message
ACCESSWARNING
This is a private computer system. Unauthorized access or use is
prohibited and only authorized users are permitted.
Use of this system constitutes consent to monitoring at all times
and user should have no expectation of privacy.
Unauthorized access or violations of security regulations is
unlawful and hence if monitoring reveals either of it, appropriate
disciplinary action will be taken against the employees violating
security regulations or making unauthorized use of this system.
Table Predefined Administration Message screen elements
Predefined SMS Customization Messages
Screen Predefined SMS Customization Message
Messages
Description/Reason
SMS Customization
Default SMS Text
Your Username is "{username}" and Password is "{password}".
Your account validity is up to "{expiredate}". We highly
recommend you to change your password.
Table Predefined SMS Customization Message screen elements
Page 64 of 490
Cyberoam User Guide
Customizing the Default Messages
Click the Edit icon
against the message to be customized, update the message and click the Save icon
to save the edited message.
Resetting the Customized Messages
Click the Reset icon
against the message to reset it to the default message.
Page 65 of 490
Cyberoam User Guide
Configuring Web Proxy Settings
The Appliance can also act as a Web Proxy Server. To use your Appliance as a Web Proxy Server, configure
the Appliances LAN IP Address as a proxy server IP Address in the browser setting and enable access to
Web Proxy services from the Appliance Access section.
Note
Web Proxy enforces Web and Application Filter policy and Anti Virus policy as configured in User and
Firewall Rule.
IPS policy is applicable on the traffic between proxy and WAN, but not between user and proxy.
QoS policy is not applicable on the direct proxy traffic.
To configure Web Proxy settings, go to System > Configuration > Web Proxy.
Screen Web Proxy Settings
Parameters
Screen Element
Description
Web Proxy Port
(Applicable only
when the Appliance
is configured as Web
Proxy)
Specify the Port number which is to be used for Web Proxy.
Trusted Ports
Appliance allows the access to those sites which are hosted on
standard ports, only if deployed as Web Proxy. To allow access
to the sites hosted on the non-standard ports, you have to
define non-standard ports as trusted ports.
Default 3128
Click Add button to add the HTTP trusted ports and Cancel icon
to delete the trusted ports.
Table Web Proxy Settings screen elements
Page 66 of 490
Cyberoam User Guide
Enabling and Configuring Parent Proxy
Parent Proxy is essential when it is required that the Internet access is to be routed through a governmentapproved proxy server. In this situation, it is necessary that the security Appliance routes the user access
request through that government-approved proxy server. The Appliance may be deployed as Parent Proxy
either within (LAN) or outside (WAN) the network.
Enable Parent Proxy when the web traffic is blocked by the upstream Gateway. When enabled all the HTTP
requests will be sent to web parent proxy server via Appliance.
To configure Parent Proxy settings, go to System > Configuration > Parent Proxy. Specify IP
Address or FQDN, Port, Username and Password, if Parent Proxy is enabled.
Screen Parent Proxy Settings
Parameters
Screen Element
Description
Click to enable the Parent Proxy if the web traffic is blocked by
the upstream Gateway.
Parent Proxy
If enabled, the Appliance forwards all the HTTP requests to
parent proxy server.
Domain
Name/IPv4Address
Specify the Domain Name or IPv4 Address for the Parent
Proxy.
Port
Specify the Port number, which is to be used for Parent Proxy.
Default 3128
Username &
Password
Specify the Username & Password for authentication.
Table Parent Proxy Setting screen elements
Page 67 of 490
Cyberoam User Guide
Configuring Captive portal
Appliance provides flexibility to customize the Captive portal Login page. This page can include your
organization name and logo.
To customize the Captive portal page, go to System > Configuration > Captive portal.
Appliance also supports customized page in languages other than English.
Screen Captive Portal Settings
Parameters
Screen Element
Description
General Settings
Logo
To upload the custom logo, specify Image file name to be
uploaded else click Default.
Use Browse to browse and select the complete path.
The image size should not exceed 125 X 70 pixels.
Logo URL
Provide a URL to be redirected to on clicking the Logo.
Page 68 of 490
Cyberoam User Guide
Default - http://www.cyberoam.com.
Provide a page title.
Page Title
Default - Cyberoam User Portal
Login Page Header
Provide the text to be displayed as header on the Captive Portal
login page.
Login Page Footer
Provide text to be displayed as footer on the Captive Portal login
page.
User Name Caption
Provide label for the user name textbox to be displayed on the
Captive Portal login page.
Default - User Name
Password Caption
Provide label for the password textbox to be displayed on the
Captive Portal login page.
Default - Password
Login Button Caption
Provide label for the login button to be displayed on the Captive
Portal login page.
Default Login
Logout Button
Caption
Provide label for the logout button to be displayed on the
Captive Portal login page.
Default - Logout
My Account Link
Caption
Provide a text to be displayed for My Account login page link.
By clicking the link, user will be directed to the My Account login
page.
Default - Click here for User My Account
Color Scheme
Customize the color scheme of the Captive portal if required. Specify the color
code or click the square box to pick the color.
Preview Button
Click to view the custom settings before saving the changes.
Reset to Default
Button
Click to revert to the default settings.
Table Captive Portal Setting screen elements
Page 69 of 490
Cyberoam User Guide
Theme
Theme page provides a quick way to switch between predefined themes for Web Admin Console. Each theme
comes with its own custom skin, which provides the color scheme and font style for entire Web Admin Console
i.e. navigation frame, tabs and buttons.
To change the theme, go to System > Configuration > Theme.
Page 70 of 490
Cyberoam User Guide
Maintenance
Maintenance facilitates handling the backup and restore, firmware versions, licensing, services and update.
The Administrator can take manual backup and alternately, automatic backup can be scheduled on regular
intervals.
Backup stored on the system can be restored anytime from Backup & Restore page.
The Administrator can upload a new firmware image, boot from firmware or reset to the configuration to factory
defaults. Firmware image can be downloaded from the relevant sites. Maximum of two firmware images are
available simultaneously.
Backup & Restore
Firmware
Licensing
Services
Update Definitions
Backup & Restore
Backup is the essential part of data protection. No matter how well your system is treated, no matter how
much it is taken care of, you cannot guarantee that your data is safe, if it exists only at one place.
Backups are necessary in order to recover data from the loss due to the disk failure, accidental deletion or file
corruption. There are many ways of taking backup and just as many types of media to use as well.
Backup consists of all the policies and all other user related information.
Appliance facilitates to take back-up only of the system data, either though scheduled automatic backup or
using a manual backup.
Once the backup is taken, the file for restoring the backup must be uploaded.
Note
Restoring data older than the current data results to the loss of current data.
To backup and restore data, go to System > Maintenance > Backup & Restore, You can:
Backup & Restore
Schedule Backup
Page 71 of 490
Cyberoam User Guide
Screen Backup and Restore
Screen Element
Description
Backup
Backup Mode
Select how and to whom backup files should be sent.
Available Options:
Local Backup is taken and stored on the Appliance
itself.
FTP configure FTP server IP Address (IPv4/IPv6) and
login credentials.
Email configure Email ID on which backup is to be
mailed.
Backup Prefix
Specify backup file name (prefix). The backup file name format
is as follows:
With Prefix: <Prefix>_Backup_<Appliance
Key>_<timestamp>
For example:
Dallas_Backup_ABCDEY190_26Nov2014_12.09.24
NY_Backup_ABCDEY190_26Nov2014_12.09.24
Without Prefix(Default): Backup_<Appliance
Key>_<timestamp>
For example:
Backup_ABCDEY190_26Nov2014_12.09.24
If prefix is not provided, the default format is used for backup
file.
Backup Frequency
Select the system data backup frequency.
We recommend to schedule the backup on a regular basis. To
determine the backup frequency, consider how much
information is added or modified regularly.
Page 72 of 490
Cyberoam User Guide
Available Options:
Never Backup will not be taken at all.
Daily Backup will be taken every day.
Weekly Backup will be taken every week.
Monthly Backup will be taken every month.
Schedule
Specify the day/date and time for Daily, Weekly and Monthly
backup.
Backup Now
Click to take the backup of system data till date.
Download Now
Click to download the latest backup that is available for
uploading.
Backup Restore
Restore
Configuration
To restore the configuration, specify configuration to be
uploaded.
Use Browse button to select the complete path.
Table Backup and Restore screen elements
Page 73 of 490
Cyberoam User Guide
Firmware
System > Maintenance > Firmware page displays the list of available firmware versions downloaded.
A Maximum of two firmware versions are available simultaneously and one of the two firmware versions is
active i.e. the firmware is deployed.
Upload firmware
The Administrator can upload a new firmware. Click to specify the location of the
firmware image or browse to locate the file. You can simply upload the image or upload and boot from the
image. The uploaded firmware can only be active after the next reboot. The existing firmware then will be
removed and the new firmware will be available.
In case of Upload & Boot, firmware image is uploaded and upgraded to the new version, closes all sessions,
restarts, and displays the login page. This process may take few minutes since the entire configuration is also
migrated in this process.
Boot from firmware
Option to boot from the downloaded image and activate the respective firmware.
Boot with factory default configuration
Appliance is rebooted and loads default configuration.
Note
Active
Entire existing configuration will be lost, if this option is selected.
- Active icon against a firmware suggests that the Appliance is using that firmware.
Screen Manage Firmware
At the time of uploading new firmware, error New Firmware could not be uploaded" might occur due to one
of the following reasons:
Wrong upgrade file - You are trying to upload wrong upgrade file i.e. trying to upload version 9.x upgrade
on version X Appliances. Download the upgrade file specific to your Appliance model and version from
https://customer.cyberoam.com.
Incorrect firmware image - You are trying to upload an incorrect firmware image for your Appliance
model. All the firmwares are model-specific firmware and are not inter-changeable. Hence, firmware of
one model is not applicable on another model. For example, an error is displayed, if Appliance model
CR25ia is upgraded with firmware for model CR50ia.
Incompatible firmware - You are trying to upload incompatible firmware. For compatibility issues, refer
the Compatibility Annotations section in Release Notes of the version before trying to upload.
Mismatch in Registration information - Registration information of the Appliance and Customer My
Account are not matching.
Changes in Appliance Hardware - Appliance Hardware configuration is not the standard hardware
configuration. Contact support for assistance.
Image with incorrect MD5 checksum There are chances that the firmware you have downloaded has
got corrupted during the downloading process. Download it again and compute MD5 checksum of the
Page 74 of 490
Cyberoam User Guide
downloaded firmware. Compare computed checksum with the checksum published on the
http://download.cyberoam.com/checksum. In case of mismatch, download the file again.
Page 75 of 490
Cyberoam User Guide
Licensing
Appliance consists of two (2) types of modules:
Basic module Firewall, VPN, SSL VPN, Bandwidth Management, Multi Link Manager and Reports.
Subscription modules Web and Application Filter, IPS, Gateway Anti Virus, Gateway Anti Spam, 8
x 5 Support, 24 x 7 Support, WAF and Outbound Spam Protection. All the appliance models may not
support subscription modules. Please refer to Subscription Matrix for details.
Basic Module is pre-registered with the Appliance for the indefinite time period usage while Subscription
Modules are to be subscribed before use.
You can subscribe to any of the subscription modules:
without key for free 15-days trial subscription
with key
On deployment, Appliance is considered to be unregistered and all the modules as unsubscribed. You need
to register the Appliance if you want to
Avail 8 X 5 support
Subscribe to any of the subscription modules
Subscribe for free trial of any of the subscription modules
Register for 24 X 7 support
Select System > Maintenance > Licensing to view the Appliance registration details and various
modules subscription details. The various status of the Appliance is described below:
Registered Appliance is registered
Unregistered Appliance is not registered
Subscribed - Module is subscribed
Unsubscribed Module is not subscribed. Subscription icon
against the module in the navigation
menu indicates that the module is not subscribed. Click the subscription icon to navigate to the
Licensing page and follow the screen steps to subscribe. Alternately, browse to
http://customer.cyberoam.com to subscribe the module.
Trial Trial subscription
Expired Subscription expired
To manage the licensing options, go to System > Maintenance > Licensing. You can:
View Appliance Registration Details
Manage Module Subscription Online
View Module Subscription Details
Synchronize Click Synchronize button, once the Appliance or modules are registered online. The
details of Appliance and subscription modules are automatically synchronized with Customer My
Account and the updated details are displayed on the Licensing Page.
Page 76 of 490
Cyberoam User Guide
Screen Licensing
Viewing the Appliance Registration Details
Screen Element
Description
Appliance Registration Details
Model
Displays Appliance Model number which is registered and its
Appliance key e.g. CR35iNG (C127900005-868DBB)
Licensed Users (if
applicable)
Number of user licenses purchased
Company Name
Name of the company under which the Appliance is registered
Contact Person
Name of the contact person in the company
Registered Email
Address
Email Address used for Appliance registration.
Table Licensing screen elements
Manage Module Subscription Online
If the Appliance is not registered, browse to http://customer.cyberoam.com to register.
To register the Appliance, you need to create a Customer Account. You can a create customer account and
register the Appliance in a single step. Once the Appliance is registered, subscribe other modules for the trial
or with license keys.
Page 77 of 490
Cyberoam User Guide
You can subscribe to following modules:
Web and Application Filter
IPS
Gateway Anti Virus
Gateway Anti-spam
8 X 5 Support
24 X 7 Support
WAF
Outbound Spam Protection
Once the Appliance is registered or subscribed for any module, if the details are not synchronized, Web Admin
console do display the updated subscription details.
Viewing the details of Module Subscription
Screen Element
Description
Module Subscription Details
Module
Module that can be subscribed.
Status
Status of the module Registered, Unregistered, Subscribed,
Unsubscribed, Trial, Expired.
Expiration Date
Module subscription expiry date.
Table Module Subscription screen elements
Page 78 of 490
Cyberoam User Guide
Services
You can view the current status and manage all the configured services:
Anti Spam
Anti Spam Center Connectivity
Anti Virus
Authentication
DNS Server
IPS
Web Proxy
WAF Available in all the models except CR15iNG and CR15wiNG
DHCP Server
DHCPv6 Server
Router Advertisement Service
To manage various services, go to System > Maintenance > Services.
Screen Manage Services
Parameters
Services - Name of the configured service.
Status - Current status of the service
Manage - Click to start or stop or restart the respective service.
Action table
Button
Usage
Start
Start the service whose status is Stopped.
Stop
Stop the service whose status is Started.
Restart
Restart service: Only for Authentication Service and Web Proxy
Service.
Page 79 of 490
Cyberoam User Guide
Status table
Status
Description
No Web Server
configured
No Web Server is configured. If web server is not configured, Start
button will be disabled.
Connected
When Internet connectivity is available for the Gateway.
Running
Service has successfully started.
Disconnect
When Internet connectivity unavailable for the Gateway.
Stopped
When a service is stopped.
Page 80 of 490
Cyberoam User Guide
Updates
The Updates page allows the administrator to configure automatic updates for Anti Virus definitions, IPS
Signatures and Web category database. Definitions can be updated from Central Server or CCC. Alternately,
these definitions can also be updated manually from this page itself.
To enable automatic updates, go to System > Maintenance > Updates and click against the required
checkbox followed by Apply.
Screen Manage Updates
Manual Updates Parameters
Screen Element
Description
Updates Status
Module
Module name whose definitions can be updated.
Version
Version number of the Module
Last Update Status
Status along with date of the last update: Successful or Failure
Last Update Mode
Mode of the Last update: Automatic or Manual
Auto Update
To update module definitions automatically, select Auto
Update as ON.
Update Now Button
Click Update Now button to update the module definitions.
Manual Signature Updates
Upload File
To update signature manually, browse and upload the file.
Over-the-air Hotfix and Product Improvement Program
Allow Over-the-air
Hotfix
Hotfixes are applied automatically if available. Disable if you do
not want to apply hotfix.
Default - Enable
Page 81 of 490
Cyberoam User Guide
Participate in the
Product
Improvement
Program
Cyberoam has designed and implemented Product
Improvement Program to benefit its customers and to
continuously improve the product. Through this program, we
seek user participation to allow us to collect the appliance
hardware, configuration, and usage statistics periodically in the
encrypted form.
Participation in the program is voluntary and disable this option
if you do not want to participate.
Click here to view details of the program.
Default - Enable
Table Manage Updates screen elements
Page 82 of 490
Cyberoam User Guide
SNMP
Simple Network Management Protocol (SNMP) is used as the transport protocol for network management.
Network management consists of a station or manager communicating with network elements such as hosts,
routers, servers, or printers. The agent is the software on the network element (host, router, printer) that runs
the network management software. In other words, the agent is a network element. The agent will store
information in a Management Information Base (MIB). Management software will poll the various network
elements/agents and get the information stored in them. The manager uses UDP port 161 to send requests
to the agent and the agent uses UDP port 162 to send replies or messages to the manager. The manager
can ask for data from the agent or set variable values in the agent. Agents can reply and report events.
SNMP collects information two ways, if SNMP agent is installed on the devices:
The SNMP Management Station/Manager will poll the network devices/agents
Network devices/agents will send trap/alert to SNMP management station/Manager.
SNMP terms
Trap An alert that is sent to a management station by agents.
Agent A program at devices that can be set to watch for some event and send a trap message to a
management station if that event occurs
SNMP community An SNMP community is the group that devices and management stations running
SNMP belong to. It helps define where information is sent. The community name is used to identify the
group. A SNMP device or agent may belong to more than one SNMP community. It will not respond to
requests from management stations that do not belong to one of its communities.
Use SNMP to configure agent, community and the SNMPv3 users. Appliance supports SNMPv1 & SNMPv2c
protocols. Agent configuration page is used to configure agent name, agent port and the contact person for
the program. The community page is used for adding, managing and deleting the communities for protocols
SNMPv1 and SNMPv2c. Use SNMPv3 user page to add, manage and delete v3 users. Apart from IPv4
Addresses, SNMP now supports IPv6 Addresses also.
Page 83 of 490
Cyberoam User Guide
Agent Configuration
Use Agent configuration page to configure SNMP agents. The configuration details include name, description,
location, contact person, agent port and manager port.
To configure agents, go to System > SNMP > Agent Configuration.
Screen Agent Configuration
Parameters
Screen Element
Description
Enable SNMP Agent
Select to enable SNMP Agent.
Name
Specify a name to identify the agent.
Description
Agent Description
Location
Specify the physical location at which
deployed.
Contact Person
Specify the contact information for the person responsible for
the maintenance of above specified Appliance.
Agent Port
Specify the port which the Appliance should use to send traps.
the Appliance is
Default - 161
Manager Port
Remote SNMP Management station/Manager uses this port to
connect to the Appliance.
Default - 161
Table Agent Configuration screen elements
Page 84 of 490
Cyberoam User Guide
Community
Community is a group of SNMP Managers and an SNMP Agent may belong to one or more than one
community. An Agent does not respond to requests from a management station(s) that does not belong its
communities.
Each Community can support SNMPv1, SNMPv2c or both. The Appliance sends traps to all the communities.
You must specify a trap version for each community.
This page provides a list of all the communities added and you can sort the list based on community name.
The page also provides the option to add a new community, update the parameters of the existing community,
or delete the community.
Manage Communities
To configure communities, go to System > SNMP > Community.
Screen Manage Communities
Screen Element
Description
Name
Name of the community.
Source
IP Address of the SNMP Manager that can use the settings in
the SNMP community to monitor the Appliance.
Protocol Version
Configured SNMP protocol version support v1 or v2c.
Trap
Configured trap support- v1 or v2c. Traps will be sent to the
SNMP Managers who support the specified versions only.
Table Manage Communities screen elements
Page 85 of 490
Cyberoam User Guide
Adding a new SNMP Community
To add or edit a community, go to System > SNMP > Community and click the Add button . To update
the details, click on the Community or Edit icon
to modify.
in the Manage column against the community you want
Screen Add Community
Parameters
Screen Element
Description
Name
Enter the name to identify the community.
Description
Enter the community description.
IP Address
Specify IP Address (IPv4/IPv6 Address) of the SNMP Manager
that can use the settings in the SNMP community to monitor the
Appliance.
Protocol Version
Enable the required SNMP protocol version support.
SNMP v1 and v2c compliant SNMP managers have read-only
access to Appliance system information and can receive
Appliance traps.
Trap Support
Enable the required version for trap support.
Traps will be sent to the SNMP Managers who support the
specified versions only.
Table Add Community screen elements
Page 86 of 490
Cyberoam User Guide
V3 User
SNMP version 3 has the capability of using authentication. Only the authenticated user can request the
information.
This page displays the list of all the v3 users. The page provides the option to add a new v3 user, update the
password of the user, or delete the user.
Manage v3 Users
To manage v3 users, go to System > SNMP > v3 User.
Screen Manage v3 Users
Screen Element
User Name
Description
User name of the v3 user.
Table Manage v3 Users screen elements
Adding a new V3 User
To add or edit a v3 user, go to System > SNMP > v3 User. Click the Add button to add a new v3 user.
To update the details, click on the v3 user or Edit icon
to modify.
in the Manage column against the v3 user you want
Screen Add v3 User
Parameters
Screen Element
Description
Name
Specify a name to identify the v3 user.
Password
Provide a password for authentication.
Confirm the password for authentication.
Table Add v3 User screen elements
Page 87 of 490
Cyberoam User Guide
Certificate
A digital certificate is a document that guarantees the identity of a person or entity and is issued by the
Certificate Authority (CA). Certificates are generated by the third party trusted CA. They create certificates by
signing public keys and identify the information of the communicating parties with their own private keys. This
way it is possible to verify that a public key really belongs to the communicating party only and not been forged
by someone with malicious intentions.
A certificate signed by a Certificate Authority (CA) identifies the owner of a public key. Each communicating
party may be required to present its own certificate signed by a CA verifying the ownership of the
corresponding private key. Additionally, the communicating parties need to have a copy of the CAs public
key. In case private key is lost or stolen or the information is changed, CA is responsible for revoking the
certificate. CA also maintains the list of valid and revoked certificates.
To use Certificates for authentication, you must have valid CA and a certificate. You need to upload CA if you
are using external CA. You also require to upload the certificate. You can generate a self signed certificate if
you want to use it as CA.
You can also use Appliance to act as a certificate authority and sign its own certificates. This eliminates the
need of having your own certificate authority. If you are using Appliance as CA, you have to generate a selfsigned certificate, which can be used in various VPN policies.
Certificate
Certificate Authority
CRL
Page 88 of 490
Cyberoam User Guide
Certificate
Certificate page allows you to generate self-signed certificate, upload certificate or generate certificate signing
request (CSR). This page also facilitates you to manage certificates, which involve updating and regenerating,
revoking, downloading and deleting certificates.
You can use Appliance to act as a certificate authority and sign its own certificates. This eliminates the need
of having your own certificate authority.
If Appliance is used as CA, you have to generate a self-signed certificate, which can be used in various VPN
policies.
If you are using a third party CA, you have to submit a request to CA for issuing a certificate. Once CA issues
a certificate, you have to upload to use it in VPN policy.
Manage Certificates
To manage certificates, go to System > Certificate > Certificate.
Revoke Click to revoke self-signed certificate if lost, stolen or updated.
Download Click to download the self-signed certificate or CSR.
Screen Manage Certificate
View the list of Certificates
Screen Element
Description
Name
Name of the Certificate
Valid From
Valid activation date for the certificate
Valid Up To
Certificate expiry date
Authority
Certificate Authority if applicable.
- If the Certificate Authority is available.
- If the Certificate Authority is not available
Type
Certificate Type self-signed or certificate signing request
(CSR) or Upload (third party certificate)
Download Icon
Click Download Icon
to download Certificate. Only self
signed certificate and certificate signing request can be
downloaded.
Page 89 of 490
Cyberoam User Guide
Revoke Icon
Click Revoke Icon
stolen or updated.
to revoke self-signed certificate if lost,
Revoked certificate is automatically added to the Certificate
Revocation List (CRL). You can download revoked certificate
and circulate if required.
Table Manage Certificate screen element
Adding a new Certificate
To add or edit certificates, go to System > Certificate > Certificate. Click Add Button to add a new
certificate or Edit Icon to modify the details of the certificate.
Screen Add Certificate (Upload Certificate)
Screen Add Certificate (Generate Self Signed Certificate)
Page 90 of 490
Cyberoam User Guide
Screen Add Certificate (Generate Certificate Signing Request (CSR))
Parameters
Screen Element
Action
Description
Select an action from the available options:
Available Options:
Upload Certificate
Generate Self Signed Certificate
Generate Certificate Signing Request
Upload Certificate
Name
Specify a name to identify the Certificate.
Certificate File
Format
Select the format of Certificate file from the available options.
Available Options:
PEM (.pem): Privacy Enhanced Mail (PEM) is a Base64
encoded DER certificate. It is used for encoding the
certificate in ASCII code. The certificate and private key are
stored in separate files.
DER (.der): Distinguished Encoding Rules (DER) is a binary
form of ASCII PEM format certificate used on Java platform.
The certificate and private key are stored in separate files.
CER (.cer): Canonical Encoding Rules (CER) is a binary
format for encoding certificates. It contains information about
the owner of certificate, its public and private keys.
PKCS7 (.p7b): Public Key Cryptography Standards (PKCS)
is a format for encoding the certificate in ASCII code. It
contains only certificates and not the private key.
PKCS12 (.pfx or .p12): Public Key Cryptography Standards
(PKCS12) is a binary format for encoding certificates. It
Page 91 of 490
Cyberoam User Guide
stores a private key with a public key certificate. It is used on
Windows platform.
Certificate
Specify the certificate to be uploaded. Use Browse to select the
complete path.
Private Key
Specify private key for the certificate. Use Browse to select the
complete path.
Passphrase
Specify and re-confirm a passphrase for a certificate used for
authentication. Passphrase must be at least 4 characters long.
Generate Self Signed Certificate (Option available only after configuring Error!
eference source not found.)
Name
Specify a name to identify the certificate.
Valid From and Valid
Up To
Specify certificate validity period using Calendar
. Validity
period is the certificate life i.e. period up to which the certificate
will be considered as valid.
Default 1 day
Key Length
Select key length. Key length is the number of bits used to
construct the key.
Available Options:
512
1024
1536
2048
4096
Generally the larger the key, lesser is the chance that it will be
compromised but requires more time to encrypt and decrypt
data than smaller keys.
Default 512
Key Encryption
Click to enable key encryption.
Passphrase
Password for a Certificate used for authentication. Password
must be at least 8 characters long. This option is enabled only
if the Key Encryption option is selected.
Confirm Passphrase
Re-enter password for confirmation.
Certificate ID
Specify certificate ID. You can specify any one of the following:
Available Options:
DNSIP Address (IPv4/IPv6 Address)
Email Address
DER ASN1 DN(X.509) (Applicable when Authentication
Type is Digital Certificate)
Page 92 of 490
Cyberoam User Guide
Once the certificate is created, you need to download and send
this certificate to the remote peer with whom the connection is
to be established.
Identification Attributes
Country Name
Select the country.
State
Specify the state within the country.
Locality Name
Specify the name of the locality.
Organization Name
Specify the organization name, which will use this certificate
and domain name. This domain will be certified to use the
Certificate.
Use unique Domain name only.
Organization Unit
Name
Specify the department/unit name, which will use this certificate
and domain name. This domain will be certified to use the
Certificate.
Use unique Domain name only.
Common Name
Specify the common name.
A common name comprises of host + domain name or is a fully
qualified domain name that is used to resolve to SSL VPN
interface. It must be same as that of the Web address to be
accessed when connecting to a secured site.
Email Address
Specify the Email Address of the contact person for
communication.
Generate Certificate Signing Request (CSR)
Name
Name to identify the certificate.
Valid Up To
Specify certificate validity period using Calendar. Validity period
is the certificate life i.e. period up to which the certificate will be
considered as valid. Minimum validity period is one day.
Key Length
Select key length. Key length is the number of bits used to
construct the key.
Generally the larger the key, the less chance that it will be
compromised but requires more time to encrypt and decrypt
data than smaller keys.
Encryption
Click to enable the key encryption.
Passphrase
Passphrase for a Certificate used for authentication.
Passphrase must be at least 4 characters long. This option is
available only if the Encryption option is checked.
Confirm Passphrase
Re-enter passphrase for confirmation
Certificate ID
Specify certificate ID. You can specify any one of the following:
Available Options:
DNSIP Address (IPv4/IPv6 Address)
Page 93 of 490
Cyberoam User Guide
Email Address
DER ASN1 DN(X.509) (Applicable when Authentication
Type is Digital Certificate)
Identification Attributes
Select the Country for which the Certificate will be used.
Country Name
Generally, this would be the name of the country where
Appliance is deployed.
Select the State for which the Certificate will be used.
State
Generally, this would be the name of the state where Appliance
is deployed.
Select the Locality for which the Certificate will be used.
Locality Name
Generally, this would be the name of the Locality where
Appliance is deployed.
Specify your organization name, which will use this certificate
and domain name. This domain will be certified to use the
Certificate.
Organization Name
Use unique Domain names only.
Specify your department/unit name, which will use this
certificate and domain name. This domain will be certified to
use the Certificate.
Organization Unit
Name
Use unique Domain names only.
Common Name
Specify Common Name.
Email Address
Specify Email Address.
Table Add Certificate screen elements
Downloading the Certificate
Under the Manage column, click the Download Icon against the certificate you want to download. Only self
signed certificate and certificate signing request can be downloaded. Certificate is downloaded as a .tar.gz
file.
Revoking the Certificate
Under the Manage column, click the Revoke Icon
to revoke self-signed certificate if lost, stolen or updated.
Revoked certificate is automatically added to the Certificate Revocation List (CRL). You can download
revoked certificate and circulate if required.
Page 94 of 490
Cyberoam User Guide
Certificate Authority
The Appliance provides a facility to generate a local certificate authority as well as import certificates, signed
by commercial providers, such as VeriSign.
A certificate signed by a Certificate Authority (CA) identifies the owner of a public key. Each communicating
party may be required to present its own certificate signed by a CA verifying the ownership of the
corresponding private key. Additionally, the communicating parties need to have a copy of the CAs public
key. In case private key is lost or stolen or the information is changed, CA is responsible for revoking the
certificate. CA also maintains the list of valid and revoked certificates.
After your CA has issued a certificate or have local certificate, you can upload it for use in VPN.
You can use default CA and can modify and re-generate it as per your requirement if you are not using any
external CA. Using this CA, you can generate self-signed certificate and use it in VPN policy.
Using Third Party CA involves uploading:
CA and root certificate
Certificate
CRL (Certificate Revocation List)
If the remote peer is using certificate issued by the following third party CA, you are not required to upload
CA:
VeriSign
Entrust
Microsoft
Note
Default CA is regenerated automatically when it is updated.
The page displays list of all the certificate authority and you can filter list based on certificate authority name.
The page also provides option to download, regenerate CA, update the parameters of the existing CA, or
delete the CA.
To manage Certificate Authorities, go to System > Certificate > Certificate Authority.
Download Click the Edit icon
in the Manage column against the Default Certificate Authority to
modify the certificate authority. Once modified, click Download button to download the certificate
Authority.
Page 95 of 490
Cyberoam User Guide
Manage Certificate Authorities
To manage Certificate Authorities, go to System > Certificate > Certificate Authority.
Screen Manage Certificate Authority
View the list of Certificate Authorities
Screen Element
Description
Name
Name of the Certificate Authority
Subject
Certificate Subject
Valid From and Valid
Up To
Certificate validity date i.e. activation and expiry date.
Local
Whether CA is local or third party
Regenerate
Certificate Authority
Icon
Click to regenerate Certificate Authority.
Table Manage Certificate Authority screen elements
Note
Default CA cannot be deleted.
Download Certificate Authority
If you are using a local CA, you need to download CA and forward to the remote peer. Go to System >
Certificate > Certificate Authority and click Default. It displays the details of the default CA. Click
download icon
to download the zip file.
Regenerating Certificate Authority
Under the Manage column, click the regenerate icon
Note
Default CA is regenerated automatically when it is updated
Page 96 of 490
Cyberoam User Guide
Certificate Authority Parameters
To add or edit certificate authority, go to System > Certificate > Certificate Authority. Click the
Add button to add a new certificate authority. To update the details, click on the certificate authority or Edit
icon
in the Manage column against the certificate authority you want to modify. To update and regenerate
the default certificate, click on the default certificate.
CA Parameters
Default CA Parameters
CA Parameters
Screen Add Certificate Authority
Screen Element
Description
Certificate Authority
Name
Specify a name to identify the Certificate Authority.
Certificate File
Format
Select format of the root certificate to be uploaded.
Available Options:
PEM (Privacy Enhanced Mail): A format encoding the
certificate in ASCII code. The certificate, request, and
private key are stored in separate files.
DER: A binary format for encoding certificates. The
certificate, request, and private key are stored in
separate files.
Page 97 of 490
Cyberoam User Guide
Certificate
Specify full path from where the certificate is to be uploaded.
Alternately, use Browse button to select the path.
Private Key
Specify full path from where the Private Key is to be uploaded.
Alternately, use Browse button to select the path.
CA Passphrase
CA Passphrase for authentication. Passphrase must be at least
4 characters long.
Confirm CA passphrase for authentication.
Table Add Certificate Authority screen elements
Default CA Parameters
To edit default certificate authority, go to System > Certificate > Certificate Authority. Click on the
Default certificate to update and regenerate the default certificate.
Screen Default Certificate Authority
Screen Element
Description
Certificate Authority
Name
Default. This name cannot be changed
Country Name
Specify the name of the country where Appliance is installed.
State
Specify the name of the state where Appliance is installed.
Locality Name
Specify the name of the locality where Appliance is installed.
Organization Name
Specify the organization name, which will use this certificate
and domain name. This domain will be certified to use the
Certificate.
Use unique Domain name only.
Page 98 of 490
Cyberoam User Guide
Organization Unit
Name
Specify the department/unit name, which will use this certificate
and domain name. This domain will be certified to use the
Certificate.
Use unique Domain name only.
Common Name
Specify the common name.
A common name comprises of host + domain name or is a fully
qualified domain name that is used to resolve to SSL VPN
interface. It must be same as that of the Web address to be
accessed when connecting to a secured site.
Email Address
Specify the Email Address of the contact person for
communication.
CA Passphrase
Specify Passphrase for a Certificate Authority. Passphrase
must be at least 4 characters long.
Re-enter passphrase for confirmation.
Click Change CA Passphrase to modify the passphrase.
Table Default Certificate Authority screen elements
Download Certificate Authority
If you are using local CA, you need to download CA and forward to the remote peer. Go to System >
Certificate > Certificate Authority and click Default. It will display details of the default CA. Click
Download to download the zip file.
Page 99 of 490
Cyberoam User Guide
Certificate Revocation List (CRL)
CA maintains the list of valid and revoked certificates.
Certificate Revocation List (CRL) page is a way to check the validity of an existing certificate. Certificates
which are stolen, lost or updated are revoked by CA and CA publishes such revoked certificates in Revocation
list. VPN connection cannot be established using revoked certificates, hence it is necessary to update the
CRL at regular intervals.
The page displays the list of available CRLs. It also provides option to add a new CRL, download the CRL,
edit, and delete the existing CRL.
Download Click Download to download CRL.
Manage Certificate Revocation List
To manage CRL, go to System > Certificate > CRL.
Screen Manage Certificate Revocation List (CRL)
Screen Element
Description
Name
Name of the Certificate Revocation list.
Local
Whether CA is local or third party.
Table Manage Certificate Revocation List (CRL) screen elements
Page 100 of 490
Cyberoam User Guide
Adding a new CRL
If you are using an External Certificate Authority, you need to upload the CRL obtained from that External
Certificate Authority.
To add or edit CRL, go to System > Certificate > CRL. Click Add Button to add a new CRL or Edit Icon
to modify the details of the CRL.
Screen Add Certificate Revocation List (CRL)
Parameters
Screen Element
Description
Certificate Revocation List
Name
Name to identify the CRL.
CRL File
Specify CRL file to be uploaded. Use Browse to select the
complete path.
Table Add Certificate Revocation List (CRL) screen element
Download CRL
Once CA is generated, default CRL is generated with name Default.tar.gz. Once you revoke the certificate,
the details of the revoked certificate are added to the default file and regenerated. You can download and
distribute if required.
Select System > Certificate > CRL and to view the list of CRLs.
Click Download link against the CRL name to be downloaded. It downloads the zip file, unzip the file to
check the details.
Page 101 of 490
Cyberoam User Guide
Diagnostics
Diagnostic page allows checking of the health of your Appliance in a single shot. Information can be used for
troubleshooting and diagnosing problems found in your Appliance.
It is like a periodic health check up that helps to identify the impending Appliance related problems. After
identifying the problem, appropriate actions can be taken to solve the problems and keep the Appliance
running smoothly and efficiently.
Tools
System Graphs
Packet Capture
Connection List
Consolidated Troubleshoot Report (CTR)
Tools
Using Tools, one can view the statistics to diagnose the connectivity problem, network problem and test
network communication. It assists in troubleshooting issues such as hangs, packet loss, connectivity,
discrepancies in the network.
Go to System > Diagnostics > Tools to view the various statistics.
Ping
Trace Route
Name lookup
Route lookup
Ping
Ping is a most common network administration utility used to test the reachability of a host on an Internet
Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a
destination computer.
Ping sends ICMP echo request/replies to test connectivity to other hosts. Use standard ICMP ping to confirm
that the server is responding. Ping confirms that the server can respond to an ICMP ping request.
Page 102 of 490
Cyberoam User Guide
Use Ping diagnostically to
Ensure that a host computer you are trying to reach is actually operating or address is reachable or not
Check how long it takes to get a response back
Get the IP Address from the domain name
Check for packet loss
Screen Tools - Ping
Screen Element
IP Address/Host
Name
Description
Specify the IP Address (IPv4/IP6) or fully qualified domain
name to be pinged.
It determines network connection between Appliance and host
on the network. The output shows if the response was received,
packets transmitted and received, packet loss if any and the
round-trip time. If a host is not responding, ping displays 100%
packet loss.
Interface
Select the Interface through which the ICMP echo requests are
to be sent.
Available Options:
IPv4
IPv6
Interface
Select the Interface through which the ICMP echo requests are
to be sent.
Size
Specify the Ping packet size.
Default 32 bytes
Size Range 1 to 65507
Table Tools - Ping
Page 103 of 490
Cyberoam User Guide
Trace Route
Trace Route is a useful tool to determine if a packet or communications stream is being stopped at the
Appliance, or is lost on the Internet by tracing the path taken by a packet from the source system to the
destination system, over the Internet.
Use trace Route to
find any discrepancies in the network or the ISP network within milliseconds.
trace the path taken by a packet from the source system to the destination system, over the Internet.
Screen Tools Trace Route
Screen Element
IP Address/Host
Name
Description
Specify the IP Address (IPv4/IPv6) or fully qualified domain
name.
It determines network connection between Appliance and host
on the network. The output shows all the routers through which
data packets pass on way to the destination system from the
source system, maximum hops and Total time taken by the
packet to return measured in milliseconds.
Interface
Select the Interface through which the requests are to be sent.
Available Options:
IPv4
IPv6
Interface
Size
Select the interface (Port) through which the requests are
to be sent.
Specify the Ping packet size (in bytes).
Table Tools Trace Route
Page 104 of 490
Cyberoam User Guide
Name lookup
Name lookup is used to query the Domain Name Service for information about domain names and IP
Addresses. It sends a domain name query packet to a configured domain name system (DNS) server. If a
domain name is entered, one gets back an IP Address to which it corresponds, and if an IP Address is entered,
then one gets back the domain name to which it corresponds. In other words, it reaches out over the Internet
to do a DNS lookup from an authorized name server, and displays the information in the user understandable
format. Also one can view all the available DNS Servers configured in Appliance by selecting option Name
Lookup. Selecting this option will also provide information about the time taken to connect to each of the DNS
server. Based on the least time, one can prioritize the DNS server.
Screen Tools Name Lookup
Screen Element
Description
IP Address/Host
Name
Specify IP Address (IPv4/IPv6) or fully qualified domain name
that needs to be resolved.
DNS Server IP
Select the DNS server to which the query is to be sent.
Table Tools Name Lookup
Route lookup
If you have routable networks and wish to search through which Interface, the Appliance routes the traffic
then lookup the route for the IP Address (IPv4/IPv6).
Screen Tools Route Lookup
Page 105 of 490
Cyberoam User Guide
System Graph
Use System Graph to view Graphs pertaining to System related activities for different time intervals.
Screen System Health Overview
Period wise graph will display following graphs for the selected period: Live Graph, CPU usage Info, Memory
usage Info, Load Average and Interface usage Info. These graphs are same as displayed in Utility wise
graphs. They are regrouped based on the time interval.
To view graphs, go to System > Diagnostics > System Graphs. You can view Period wise Utilities
graphs.
Utility wise graph will display following graphs for the selected time period i.e. Live Graph (last two hours),
Last 24 hours, Last 48 hours, Last Week, Last Month, Last Year:
CPU usage Info
Memory usage Info
Load Average
Disk usage
Number of Live Users
Data transfer through WAN Zone
Interface usage Info
Live Graphs
Live graphs allow Administrator to monitor the usage of resources of the last two hours. Graph displays the
percentage wise CPU and Memory usage. It also displays load average and traffic statistics on each interface.
CPU Info graphs
CPU Info graphs allow Administrator to monitor the CPU usage by the Users and System components. Graphs
display percentage wise minimum, maximum, average and current CPU usage by User and System and CPU
Idle time.
Page 106 of 490
Cyberoam User Guide
Last two hour CPU Usage Below graph shows past two hours CPU usage in percentage.
Screen Last two hours CPU usage
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis CPU usage (%)
Legends
Orange Color CPU used by User
Purple Color CPU used by System
Green Color CPU Idle time
Memory Info graphs
Memory Info graphs allow Administrator to monitor the memory usage in percentage. Graphs displays the
memory used, free memory and total memory available.
Last two hours Memory Usage Below graph shows past two hours memory usage in percentage. Graphs
displays the memory used, free memory and total memory available.
Page 107 of 490
Cyberoam User Guide
Screen Last two hours Memory usage
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Memory used (MB)
Legends
Orange Color Memory used
Purple Color Free Memory
Green Color Total Memory
Load Average graphs
Load Average graphs allow Administrator to monitor the load on the System. Graphs display the minimum,
maximum, average and current load on the System at the interval of one minute, five minute, and fifteen
minutes.
Last two hour Load Average - Below graph shows past two hours average load on the system.
Screen Last two hours Load Average usage
Page 108 of 490
Cyberoam User Guide
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Load Average (%)
Legends
Orange Color One minute
Purple Color Five minutes
Green Color Fifteen minutes
Disk Usage graphs
Disk Usage graphs allow the Administrator to monitor the disk usage by various components viz., root file,
signatures, configurations, reports and temporary files. Graphs display the minimum, maximum, average and
current disk usage.
Last two hours Disk Usage Below graphs displays the minimum, maximum, average and currently used
disk space in percentage by various components in last two hours.
Screen Last two hours Disk Usage
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Disk usage (%)
Legends
Orange Color Disk space used by Root
Purple Disk space used by Signatures
Green Color Disk space used by Config files
Blue Color Disk space used by Reports
Pink Color Disk space used by Temp
Page 109 of 490
Cyberoam User Guide
Live Users Graph
Live Users graphs allow the Administrator to monitor the number of live user for the selected time duration.
Last two hours Live Users Below graphs displays number of users (live) connected to the Internet. In
addition, shows minimum, maximum and average no. of users connected during the selected graph period.
This will help in knowing the peak hour of the day.
Screen Last two hours Live Users
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Number of Live Users
Legends
Orange Color Number of Live Users
Data transfer Graphs for WAN zone
Data transfer graphs for WAN zone segregated in to three (3) graphs providing the various information about
data transfer via WAN zone.
Last two hours Data Transfer through WAN Zone Below graphs displays combined graph of Upload and
Download data transfer. Colors differentiate upload and download data traffic. In addition, shows the
minimum, maximum and average data transfer for upload and download individually.
Page 110 of 490
Cyberoam User Guide
Screen Last two hours Upload/Download Data Transfer
X axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Upload + Download in KBits/Second
Legends
Orange Color - Upload traffic
Purple Color Download traffic
Last two hours Total Data Transfer through WAN Zone Below graphs displays total data transfer during the
last two hours. In addition, shows minimum, maximum and average data transfer.
Screen Last two hours Total Data Transfer
X axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Total data transfer in KBits/Second
Page 111 of 490
Cyberoam User Guide
Legends
Orange Color Total KBits/Second
Last two hours Gateway wise Total Data Transfer through WAN Zone Gateway wise total data transfer for
last two hours through WAN Zone - Graph displays total data transferred through all the configured gateways
during last two hours. In addition, shows minimum, maximum and average data transfer.
Screen Last two hours Gateway wise Total Data Transfer
X axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis Gateway wise data transferred in KBits/Second
Legends
Orange Color Default Gateway
Purple Color Second Gateway (if configured)
Interface Info graphs
Interface Info graph displays following traffic statistics for all the Interfaces - physical interfaces, VLAN
interfaces, Wireless LAN and WAN interfaces:
Bits received and transmitted through Interface
Errors occurred while transmitting and receiving packets through the Interface
Packets dropped while transmitting and receiving packets through the Interface
Collisions occurred while transmitting and receiving packets through the Interface
Page 112 of 490
Cyberoam User Guide
Screen Last two hours Port A Interface Usage
Screen Last two hours Port B Interface Usage
X-axis Minutes/ Hours/Days/Months (depending on the period selected)
Y-axis KBits/Sec
Legends
Orange Color Bits Received (Kbits/Sec)
Purple Color Bits Transmitted (Kbits/Sec)
Light Green Color Received Errors
Blue Color Bits Transmitted but Dropped
Pink Color Collisions
Red Color Transmitted Errors
Dark Green Bits Received but Dropped
Note
Today and yesterday graphs are plotted at an average of five (5) minutes.
Weekly Graph is plotted at an average of fifteen (15) minutes.
Monthly Graph is plotted at an average of six (6) hours.
Yearly Graph is plotted at an average of one (1) day.
Page 113 of 490
Cyberoam User Guide
Packet Capture
Packet capture displays packets details on the specified interface. It will provide connection details and details
of the packets processed by each module packets e.g. firewall, IPS along with information like firewall rule
number, user, Web and Application Filter policy number etc. This will help administrators to troubleshoot
errant Firewall Rules.
To capture information about packets, go to System > Diagnostics > Packet Capture. You can:
Configure Capture Filter Click the Configure Button to configure filter settings for capturing the
packets.
View Click on the packet to view the packet information.
Display Filter Click the Display Filter Button to specify the filter conditions for the packets.
Clear Click the Clear Button to clear the details of the packets captured.
View the list of Captured Packets
Screen Packet Capture
Screen Element
Description
Packet Capture
Packet Capture
Displays following capturing configuration:
Trace On
- packet capturing is on
Trace Off
- packet capturing is off.
Page 114 of 490
Cyberoam User Guide
Buffer Size : 2048 KB
Buffer used : 0 - 2048 KB
Captured packets fill the buffer up to a size of 2048 KB. While
the packet capturing is on, if the buffer used exceeds the
stipulated buffer size, packet capturing stops automatically. In
such a case, you would have to manually clear the buffer for
further use.
Capture Filter There are various filter conditions for capturing
the packets. The BPF String is used for filtering the packet
capture.
For example, Capture Filter - host 192.168.1.2 and port 137
Captured Packet
Configure Button
Capture filter can be configured through following parameters:
Number of Bytes to Capture (per packet)
Wrap Capture Buffer Once Full
Enter BPF String
Refer to Configure Capture Filter for more details.
Display Filter Button
Log can be filtered as per the following criteria: Interface Name,
Ether Type, Packet Type, Source IP, Source Port, Destination
IP, Destination Port.
Refer to Display Filter for more details.
Start/Stop Button
Start/Stop packet capturing
Refresh Button
Refresh the list of packets captured
Clear Button
Clear Button is to clear the buffer
Time
Packet capture time
In Interface
Interface from which packet is coming
Out Interface
Interface to which packet is sent
Ether Type
Ether Type IPv4 or IPv6 or ARP
Ether Type is a field in an Ethernet frame. It is used to indicate
the protocol encapsulated in the Ethernet frame.
Source IP
Source IP Address (IPv4/IPv6) of the packet
Destination IP
Destination IP Address (IPv4/IPv6) of the packet
Packet Type
Type of Packet ARP Request or UDP
Ports [src, dst]
Source and Destination ports
Page 115 of 490
Cyberoam User Guide
Rule ID
Firewall Rule ID
Status
Displays the status of the packet. The various status are as
described below:
Incoming Packets received on on WAN or LAN
interface.
Forwarded Packet forwarded to Out Interface
Consumed Packets designated for or used by the
Appliance
Generated Packets generated by the Appliance
Violation In case of any policy violation, Appliance will
drop the packet and show the status Violation
Reason
Reason for packet being dropped, if it is dropped.
Connection Status
Displays state of connection.
Served By
Web Filter ID
Web Filter policy ID applied on the connection traffic.
Connection Flags
System Flags
Application ID
Application ID applied on the connection traffic.
Application Category
ID
Application category ID applied on the connection traffic.
Connection ID
Unique ID assigned to a connection.
Gateway ID
Gateway ID through which the connection traffic is routed.
SSL VPN Policy ID
SSL VPN policy ID applied on the connection traffic.
Bandwidth Policy ID
Bandwidth policy ID applied on the connection traffic.
User Group
User Group membership.
IPS Policy ID
IPS policy ID applied on the connection traffic.
Application Filter ID
Application filter policy ID applied on the connection traffic.
Web Category ID
Web category ID applied on the connection traffic.
Master Connection ID
Master connection ID of current connection.
User Name
Name of the user establishing connection.
Packet Information
Packet Information
Packet Information including header details and entities
including firewall rules & policies.
Hex & ASCII Detail
Hex & ASCII Detail
Packet Information in Hex & ASCII values.
Table Packet Capture screen elements
Page 116 of 490
Cyberoam User Guide
Configuring Capture Filter
Capture Filter page allows configuration of number of bytes to be captured per packet.
Screen Configure Capture Filter
Screen Element
Description
Number of Bytes to
Capture (per packet)
Specify the number of bytes to be captured per packet.
Wrap Capture Buffer
Once Full
Click to Enable Wrap Capture Buffer Once Full checkbox to
continue capturing the packets even after the buffer is full.
When the checkbox is enabled, the packet capturing starts
again from the beginning of the buffer.
Enter BPF String
Specify BPF string
BPF (Berkeley Packet Filter) sits between link-level driver and
the user space. BPF is protocol independent and use a filterbefore-buffering approach. It includes a machine abstraction to
make the filtering efficient. For example, host 192.168.1.2 and
port 137.
Refer to BPF String Parameters for filtering specific packets.
Table Configure Capture Filter screen elements
BPF String Parameters
How to check packets of the
Example
specific host
host 10.10.10.1
specific source host
src host 10.10.10.1
specific destination host
dst host 10.10.10.1
specific network
net 10.10.10.0
Page 117 of 490
Cyberoam User Guide
specific source network
src net 10.10.10.0
specific destination network
dst net 10.10.10.0
specific port
Port 20 or port 21
specific source port
src port 21
specific destination port
dst port 21
specific host for the particular
port
host 10.10.10.1 and port 21
the specific host for all the
ports except SSH
host 10.10.10.1 and port not 22
specific protocol
proto ICMP, proto UDP , proto TCP or
proto ARP
Page 118 of 490
Cyberoam User Guide
Display Filter
Display Filter page restricts the packet capturing to specific type of packets only. There are other filtering
conditions such as the type of interface, ether type, source IP address & destination IP address.
Screen Configure Display Filter
Screen Element
Description
Interface Name
Select the physical interface from the list for filtering packets
log.
Ether Type
Select the Ethernet Type: IPv4 or IPv6 or ARP,
EtherType is a field in an Ethernet frame. It is used to indicate
the protocol encapsulated in the Ethernet frame.
Packet Type
Select the packet type used from the list for filtering packets.
Source IP
Specify Source IP Address (IPv4/IPv6).
Source Port
Specify Source Port number.
Destination IP
Specify Destination IP Address (IPv4/IPv6).
Destination Port
Specify Destination Port number.
Page 119 of 490
Cyberoam User Guide
Reason
Select the reason to display filter from the available options.
Available Options:
Firewall
Local_ACL
DOS_ATTACK
INVALID_TRAFFIC
INVALID_FRAGMENTED_TRAFFIC
ICMP_REDIRECT
SOURCE_ROUTED_PACKET
FRAGMENTED_TRAFFIC
APPLICATION FILTER
USER_IDENTITY
IPS
FOREIGN_HOST
IPMAC_FILTER
IP_SPOOF
ARP_POISONING
SSL_VPN_ACL_VIOLATION
Virtual_Host
Status
Select status of the filter from available options.
Available Options:
Allowed
Violation
Consumed
Generated
Incoming
Forwarded
Rule ID
Specify ID for the Rule.
User
Select user from the list of users created before.
Connection ID
Specify connection ID.
Clear
Click to clear the details of filter.
Table Configure Display Filter screen elements
Page 120 of 490
Cyberoam User Guide
Connection List
Connection list provides current or live connection snapshot of your Appliance in the list form. Apart from the
connection details, it also provides information like Firewall Rule ID, User ID, Connection ID per connection.
It is also possible to filter the connections list as per the requirement and delete the connection.
The Administrator can set the Refresh Interval to automatically refresh the list at the configured time interval
or manually refresh the list by clicking the Refresh button. To filter the connection list click the Display Filter
button and specify the parameters.
To view connection list, go to System > Diagnostics > Connection List. You can:
Set refresh interval
Display Filter Click the Display Filter Button to specify the filter connection based on the various
parameters.
Screen Connection List
Live Connections Details
Screen Element
Description
Connection List
Refresh Interval
Select the time interval after which the connection list will be
refreshed.
Choose the time or click Refresh button to refresh the list.
Display Filter Button
Connections can be filtered as per the following criteria:
Interface, Source IP Address and Port, Destination IP Address
and Port, Protocol, Firewall rule ID and Username.
Refer to Display Filter for more details.
Select Columns
Customize Columns to be displayed. Click the Select Column
to customize the columns to be displayed. By default, Time,
Connection Status, In Interface, Out Interface, Source IP,
Destination IP, Protocol, Source Port, Destination Port, Rule ID,
Username and Flag columns are selected and visible. You can
select other column to be displayed.
Time
Connection time
In Interface
Interface used by incoming connection
Page 121 of 490
Cyberoam User Guide
Out Interface
Interface used by outgoing connection
Source IP
Source IP Address of the connection
Destination IP
Destination IP Address of the connection
Protocol
Connection protocol e.g. TCP, UDP
Source Port
Source port of the connection
Destination Port
Destination port of the connection
Rule ID
Firewall Rule ID that allows the session
User Name
Name of the user establishing connection
Flags
System flag
Connection ID
Unique ID of a connection
Master Connection ID
Master connection ID of current connection
User Group
User Group membership
Web Filter ID
Web filter policy ID applied on the connection traffic
Application Filter ID
Application filter policy ID applied on the connection traffic
IPS Policy ID
IPS policy ID applied on the connection traffic
QoS Policy ID
QoS policy ID applied on the connection traffic
SSLVPN Policy ID
SSL VPN policy ID applied on the connection traffic
Gateway ID
Gateway ID through which the connection traffic is routed
Web Category ID
Web category ID applied on the connection traffic
Application ID
Application ID applied on the connection traffic
Application Category
ID
Application category ID applied on the connection traffic
Connection served
by
Appliance serving the connection
Translated Source
Translated source IP Address for outgoing traffic.
Translation
Destination
Translated Destination IP Address for outgoing traffic
Rx Bytes
The amount of data in bytes received this session
Tx Bytes
The amount of data in bytes sent this session
Rx Packets
Number of packets received in this session
Tx Packets
Number of packets received in this session
Connection Status
Displays the status of the connection.
Connection State
Displays the state of the connection.
Expiry (second)
Connection will expire in displayed seconds if idle
Delete Button
Stops the connection
Table Connection List screen elements
Page 122 of 490
Cyberoam User Guide
Configuring Connection Filter Parameters
To filter the connection list click the Display Filter button and specify the parameters.
Screen Configure Connection Filter
Screen Element
Description
In Interface
Interface used by incoming connection.
Out Interface
Interface used by outgoing connection.
User
Name of the user establishing connection.
Network Protocol
Select the network protocol used to establish connection.
Available Options:
IPv4
IPv6
Source IP
IP Address (IPv4/IPv6) from which connection is established.
Destination IP
IP Address (IPv4/IPv6) on which connection is established.
Protocol
Protocol used to establish connection.
Source Port
Source port of the connection.
Destination Port
Destination port for the connection.
Rule ID
Firewall Rule ID.
Clear
Click to clear the details of connection filter.
Table Configure Connection Filter screen elements
Page 123 of 490
Cyberoam User Guide
Consolidated Troubleshoot Report (CTR)
To help Support team to debug the system problems, troubleshooting report can be generated which consists
of the systems current status file and log files. File contains details like list of all the processes currently
running on system, resource usage etc. in the encrypted form.
The Administrator has to generate and mail the saved file at [email protected] for diagnosing and
troubleshooting the issue. File will be generated with the name: CTR_<APPKEY>__<MM_DD_YY >
_<HH_MM_SS>
where
APPKEY is the Appliance key of the Appliance for which the report is generated
MM_DD_YY is the date (month date year) on which the report is generated
HH_MM_SS is the time (hour minute second) at which the report is generated
By default, debug mode is off for all the subsystems. Before generating Log file, enable debug mode by
executing following command at CLI command prompt:
console > diagnostics subsystems <subsystem name> debug on
Note
Debug mode cannot be enabled, if you want to generate only the system snapshot.
Screen Cyberoam Troubleshoot Report
Screen Element
Description
Consolidated Troubleshooting Report
Generate CTR for
Enable the option(s) for which CTR should be generated.
Available Options:
System Snapshot Generates snapshots to display the
issues in the system.
Log Files Generates log files.
Reason
Specify the reason for generating CTR.
Table Cyberoam Troubleshoot Report screen elements
Page 124 of 490
Cyberoam User Guide
Objects
Objects are the logical building blocks of various policies and rules, which include:
Host IP, network and MAC Addresses. They are used in defining the Firewall Rules, Virtual Host,
NAT policy, IPSec, L2TP and VPN policies.
Services Represents specific protocol and port combination for example, DNS service for TCP on
port 53. Access to services are allowed or denied through Firewall Rules.
Schedule Controls when the Firewall Rule, Access Time policy, Web Filter policy, Application Filter
policy, or QoS policy is applicable for example, All Days, Work Hours.
File Types Defining Web Filter policy, SMTP Scanning Rules
Appliance supports four types of hosts:
IP Host
MAC Host
FQDN Host
Country Host
Hosts
Services
Schedule
File Type
Page 125 of 490
Cyberoam User Guide
Hosts
An IP host is a logical building block used in defining Firewall Rules, Virtual Host and NAT policy. By default,
the numbers of hosts equal to the number of ports in the Appliance, are already created.
Object IP/MAC Host represents various types of addresses, including IP Addresses, networks and Ethernet
MAC Addresses.
To apply common policies to multiple IP hosts, group IP hosts in an IP Host Group.
IP Host
IP Host Group
MAC Host
FQDN Host
FQDN Host Group
Country Host
Country Host Group
IP Host
Hosts allow the entities to be defined once and be re-used in multiple referential instances throughout the
configuration. For example, an Internal Mail Server with an IP Address as 192.168.1.15. Rather than repeated
use of the IP Address while constructing Firewall Rules or NAT Policies, it allows to create a single entity
called Internal Mail Server as a Host name with an IP Address as 192.168.1.15. This host, Internal Mail Server
can then be easily selected in any configuration screen that uses Hosts as a defining criterion.
By using hosts instead of numerical addresses, you only need to make changes at a single location, rather
than in each configuration where the IP Address appears.
Using Hosts, reduces the error of entering incorrect IP Addresses, makes it easier to change addresses and
increases readability.
To configure IP Host, go to Objects > Hosts > IP Host.
The IP Host page displays the list of all the dynamic hosts which are automatically added on creation of VPN
Remote access connections (IPSec and SSL) and the default hosts that are automatically created for remote
access connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW along the
manually added hosts. The page also provides option to add a new host, update the existing host, or delete
a host.
Note
System hosts cannot be updated or deleted.
Dynamic hosts which are automatically added on creation of VPN Remote access connections cannot be
updated or deleted.
Default hosts that are created for remote access connection - ##ALL_RW, ##WWAN1,
##ALL_IPSEC_RW and ##ALL_SSLVPN_RW cannot be updated or deleted.
Page 126 of 490
Cyberoam User Guide
Manage the list of IP Hosts
To manage IP hosts, go to Objects > Hosts > IP Host.
Screen Manage IP Host
Screen Element
Description
Name
Displays the name of the IP Host.
IP Family
Displays the type of IP Family.
Type
Type of IP Hosts Single or range of IP, Network, and list of
assorted IP Addresses.
Address Detail
Configured IP Addresses for the host.
Table Manage IP Host screen elements
List also displays dynamic hosts which are automatically added on creation of VPN Remote access
connections (IPSec and SSL) and the default hosts that are automatically created for remote access
connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW.
Page 127 of 490
Cyberoam User Guide
Add an IP Host
To add or edit an IP host, go to Objects > Hosts > IP Host. Click the Add button to add a new host. To
update the details, click on the host or Edit icon
in the Manage column against the host to be modified.
Screen Add IP Host
Screen Element
Description
Name
Specify a name to identify the IP Host.
IP Family
Select the type of IP Family from the options available.
Available Options:
IPv4
Type
IPv6
Select the type of host.
Available options:
Single IP Address
Network IP Address with subnet
IP Range
IP list to add assorted IP Addresses. Use comma to
specify assorted multiple IP Addresses. Create IP list to
configure single Firewall Rule for multiple IP Address
which are not in a range.
Note
Only Class B IP Addresses can be added in IP list. IP
Addresses can be added or removed from IP list.
IP Address
Specify IP Address based on the Host Type selected.
IP Host Group
Select host group i.e. host group membership. Single host can
be member of multiple host groups.
Page 128 of 490
Cyberoam User Guide
You can also add a host group from Add Host page itself.
Note
IP Host Group is not available for IP List type.
Table Add IP Host screen elements
Page 129 of 490
Cyberoam User Guide
IP Host Group
Host group is a grouping of hosts. Firewall Rule can be created for the individual host or host groups.
The IP Host Group page displays the list of all the host groups. The page also provides an option to add a
new host group, update the parameters of the existing host group, add members to the existing host group,
or delete a host group.
Note
Dynamic host groups that are automatically added on creation of VPN Remote Access Connections
cannot be updated or deleted.
Manage IP Host Groups list
To configure host groups, go Objects > Hosts > IP Host Group.
Screen Manage IP Host Group
Screen Element
Description
Name
Name of the IP Host Group.
IP Family
Displays the type of IP Family.
Description
Description of the Host Group.
Table Manage IP Host Group screen elements
Page 130 of 490
Cyberoam User Guide
IP Host Group Parameters
To add or edit a host group, go to Objects > Hosts > IP Host Group. Click the Add button to add a
new host group. To update the details, click on the host group or Edit icon
the host group to be modified.
in the Manage column against
Screen Add IP Host Group
Screen Element
Description
Name
Specify a name to identify the IP Host group.
IP Family
Select the type of IP Family from the options available.
Available Options:
IPv4
Description
IPv6
Describe the IP Host Group.
Select Host
'Host' List displays all the hosts including default hosts.
Click the checkbox to select the hosts. All the selected hosts are
moved to 'Selected host' list.
Single host can be a member of multiple host groups.
A group with IPv4 and IPv6 hosts cannot be created.
Table Add IP Host Group screen elements
Page 131 of 490
Cyberoam User Guide
MAC Host
Appliance allows creating a host based on MAC Address. One can create a MAC Host of either a single MAC
Address or multiple MAC Addresses.
MAC Hosts allow entities to be defined once and be re-used in multiple referential instances throughout the
configuration. For example, test has a MAC Address as 00:16:76:49:33:CE or 00-16-76-49-33-CE. Rather
than remembering the MAC Address of the intended machine while applying policies, you can simply provide
its MAC Host name.
By using MAC hosts, you only need to make changes in a single location, rather than in each configuration
where the MAC Address appears.
Using MAC Hosts reduces the error of entering incorrect MAC Addresses, makes it easier to change
addresses, and increases readability.
The MAC Host page displays the list of all the available MAC host. The page also provides option to add a
new MAC host, update the existing host, or delete a host.
View the list of MAC Hosts
To view list of MAC Host, go to Objects > Hosts > MAC Host.
Screen Manage MAC Host
Screen Element
Description
Name
Displays the name of the MAC Host.
Type
Displays the Type of MAC Hosts single or multiple.
Address Detail
Displays the configured MAC Addresses.
Table Manage MAC Host screen elements
Page 132 of 490
Cyberoam User Guide
MAC Host Parameters
To add or edit a MAC host, go to Objects > Hosts > MAC Host. Click the Add button to add a new host.
To update the details, click on the host or Edit icon
in the Manage column against the host to be modify.
Screen Add MAC Host
Screen Element
Description
Name
Specify a name to identify the MAC Host.
Type
Select the MAC Host Type.
Available Options:
MAC Address Single MAC Address
MAC list Multiple MAC Addresses
MAC Address
Specify MAC Address based on the Host Type selected in the
form of 00:16:76:49:33:CE or 00-16-76-49-33-CE
Use comma to configure multiple addresses.
Table Add MAC Host scren elements
Page 133 of 490
Cyberoam User Guide
FQDN Host
Hosts allow entities to be defined once and be re-used in multiple referential instances throughout the
configuration. For example, www.example.com has an IP Address as 192.168.1.15. Rather than remembering
the IP Address of the intended website while accessing it, you can simply provide www.example.com in the
browser. The FQDN www.example.com will now be mapped to its respective IP Address, and the intended
webpage opens.
The FQDN Host page displays the list of all the available FQDN host. The page also provides option to add
a new FQDN host, update the existing host, or delete a host.
To configure FQDN Host, go to Objects > Hosts > FQDN Host.
Note
System hosts cannot be updated or deleted.
Dynamic hosts which are automatically added on creation of VPN Remote access connections cannot be
updated or deleted.
Default hosts that are created for remote access connection - ##ALL_RW, ##WWAN1,
##ALL_IPSEC_RW and ##ALL_SSLVPN_RW cannot be updated or deleted.
Manage FQDN Hosts list
To manage MAC hosts, go to Objects > Hosts > FQDN Host.
Screen Manage FQDN Host
Screen Element
Description
Name
Displays the name of the FQDN Host.
FQDN
Displays the configured FQDN addresses for the host.
Table Manage FQDN Host screen elements
List also displays dynamic hosts which are automatically added on creation of VPN Remote access
connections (IPSec and SSL) and the default hosts that are automatically created for remote access
connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW.
Page 134 of 490
Cyberoam User Guide
Adding an FQDN Host
To add or edit a FQDN host, go to Objects > Hosts > FQDN Host. Click the Add button to add a new
host. To update the details, click on the host or Edit icon
modified.
in the Manage column against the host to be
Screen AddFQDN Host
Screen Element
Description
Name
Specify a name to identify the FQDN Host.
FQDN
Specify the FQDN Address based on the Host Type selected.
FQDN Host Group
Select host group i.e. host group membership. Single host can
be a member of multiple host groups.
You can also add a host group from Add Host page itself or from
Objects > Hosts > FQDN Host Group page..
Table Add FQDN Host screen elements
Page 135 of 490
Cyberoam User Guide
FQDN Host Group
FQDN Host Group is a grouping of FQDN hosts. Firewall Rule can be created for the individual FQDN host
or host group to block or unblock access to any website.
The FQDN Host page displays the list of all the available FQDN host. The page also provides an option to
add a new FQDN host group, update the parameters of the existing host group, add members to the existing
host group, or delete a group.
To configure host groups, go to Objects > Hosts > FQDN Host Group.
Note
Dynamic host groups which are automatically added on creation of VPN Remote Access connections
cannot be updated or deleted.
Manage FQDN Host Group list
To manage FQDN hosts group, go to Objects > Hosts > FQDN Host Group.
Screen Manage FQDN Host Group
Screen Element
Description
Name
Displays the name of the FQDN Host Group.
Description
Displays the description of the FQDN Host Group.
Table Manage FQDN Host Group screen elements
Adding a FQDN Host Group
To add or edit a FQDN host group, go to Objects > Hosts > FQDN Host Group. Click the Add button
to add a new host. To update the details, click on the host or Edit icon
host group to be modified.
in the Manage column against the
Page 136 of 490
Cyberoam User Guide
Screen Add FQDN Host Group
Screen Element
Description
Name
Specify a name to identify the FQDN Host group.
Description
FQDN Host Group description.
Select Host
Host List displays all the hosts including default hosts.
Click the checkbox to select the hosts. All the selected hosts are
moved to Selected host list.
Single host can be a member of multiple host groups.
Table Add FQDN Host Group screen elements
Page 137 of 490
Cyberoam User Guide
Country Host
Country Based Host is required to allow/block the traffic from/to a particular country. Hosts allow entities to
be defined once and be re-used in multiple referential instances throughout the configuration. For example,
you want to deny incoming traffic from country X. You can select the country X and select the option to
block the traffic coming from X.
To configure Country Host, go to Objects > Hosts > Country Host.
Note
System hosts cannot be updated or deleted.
Dynamic hosts which are automatically added on creation of VPN Remote access connections cannot be
updated or deleted.
Default hosts that are created for remote access connection - ##ALL_RW, ##WWAN1,
##ALL_IPSEC_RW and ##ALL_SSLVPN_RW cannot be updated or deleted.
Manage Country Host List
To manage Country hosts, go to Objects > Hosts > Country Host.
Screen Manage Country Host
Screen Element
Description
Name
Displays the name of the Country Host.
Country
Displays the configured Country.
Table Manage Country Host screen elements
List also displays dynamic hosts which are automatically added on creation of VPN Remote access
connections (IPSec and SSL) and the default hosts that are automatically created for remote access
connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW.
Page 138 of 490
Cyberoam User Guide
Adding a Country Host
To add or edit a Country host, go to Objects > Hosts > Country Host. Click the Add button to add a
new host. To update the details, click on the host or Edit icon
be modified.
in the Manage column against the host to
Screen Add Country Host
Screen Element
Description
Name
Specify a name to identify the Country Host.
Country
Select the Country.
Country Host Group
Select host group i.e. host group membership. Single host can
be member of multiple host groups.
Page 139 of 490
Cyberoam User Guide
You can also add a host group from Add Host page itself or from
Objects > Hosts > Country Host Group page.
Table Add Country Host screen elements
Page 140 of 490
Cyberoam User Guide
Country Host Group
Country Host Group is a grouping of Country Hosts. Multiple countries can be selected to block or allow
incoming traffic by using Country Host Group. Firewall Rule can be created for an individual Country Host or
Country Host Groups.
The Country Host Group page displays the list of all the available Country host groups. The page also provides
option to add a new host group, update the parameters of the existing host group, add members to the existing
host group, or delete a group.
Note
Dynamic host groups which are automatically added on creation of VPN Remote Access connections
cannot be updated or deleted.
Manage Country Host Group list
To manage Country host group, go to Objects > Hosts > Country Host Group.
Screen Manage Country Host Group
Screen Element
Description
Name
Displays the name of the Country Host Group.
Description
Displays the description of the Country Host Group.
Table Manage Country Host Group screen elements
Page 141 of 490
Cyberoam User Guide
Adding a Country Host Group Parameter
To add or edit a Country Host Group, go to Objects > Hosts > Country Host Group. Click the Add
button to add a new host. To update the details, click on the host or Edit icon
against the host group to be modified.
in the Manage column
Screen Add Country Host Group
Screen Element
Description
Name
Specify a name to identify the Country Host group.
Description
Country Host Group description.
Select Host
The Host List displays all the hosts including default hosts.
Click the checkbox to select the hosts. All the selected hosts are
moved to the 'Selected host' list.
Single host can be a member of multiple host groups.
Table Add Country Host Group screen elements
Page 142 of 490
Cyberoam User Guide
Services
Services represent types of Internet data transmitted via particular protocols or applications. Itallows
identifying the traffic based on the attributes of a given protocol.
Protect your network by configuring Firewall Rules to
block services for specific zone
limit some or all users from accessing certain services
allow only specific user to communicate using specific service
Appliance is shipped with several default services and allows creating:
Custom service definitions
Firewall Rule for custom service definitions
Services
Service Group
Services
Services are definitions of certain types of network traffic and combine information about a protocol such as
TCP, ICMP or UDP as well as protocol-related options such as port numbers. You can use services to
determine the types of traffic allowed or denied by the firewall.
Certain well-known traffic types have been predefined in services. These predefined services are defaults,
and cannot be updated or deleted. If you require service definitions that are different from the predefined
services, you can add them as custom services.
The Services page displays the list of all the default and custom services. The page also provides an option
to add a new service, update the parameters of the existing service, or delete a service.
Note
Service used by a Firewall Rule cannot be deleted.
Default Service can neither be updated nor deleted.
Page 143 of 490
Cyberoam User Guide
Manage Service List
To manage services, go to Objects > Services > Services.
Screen Manage Service
Screen Element
Description
Name
Displays the name of the Service.
Protocol
Displays the protocol used for the service.
Details
Details of the ports, protocol number or ICMP type and code
based on the protocol selected.
Table Manage Service screen elements
Page 144 of 490
Cyberoam User Guide
Service Parameters
To add or edit a service, go to Objects > Services > Services. Click the Add button to add a new
service. To update the details, click on the service or Edit icon
you want to modify.
in the Manage column against the service
Screen Add Services
Screen Element
Description
Name
Specify a name to identify the Service.
Type
Select a protocol for the service.
Available options:
TCP/UPD Enter Source and Destination port. You can
enter multiple ports for the same service.
IP Select Protocol Number for the service. You can
select multiple ports for the same service.
ICMP Select ICMP Type and Code. You can enter
multiple types and codes for the same service.
ICMPv6 Select ICMPv6 Type and Code. You can enter
multiple types and codes for the same service.
Use Add icon
and Remove icon
parameters respectively.
to add and delete the
Table Add Services screen elements
Page 145 of 490
Cyberoam User Guide
Service Group
Service Group is a grouping of services. Custom and default services can be grouped in a single group.
Use to configure Firewall Rules to:
block group of services for specific zone
limit some or all users from accessing group of services
allow only specific user to communicate using group of service
To make it easier to add Firewall Rules, create groups of services and then add one firewall to allow or block
access for all the services in the group. A service group can contain default services as well as custom
services in any combination. A service can be member of multiple groups i.e. service can be included in
multiple service groups.
The Service Group page displays the list of all default and custom groups. The page also provides options to
add a new group, update the parameters of the existing group, add members to the existing group, or delete
a group.
Note
Service Groups used by a Firewall Rule cannot be deleted.
Default Service Groups can neither be updated nor deleted.
To manage Service Groups, go to Objects > Services > Service Group.
Note
Default Service Groups cannot be deleted.
If a service group is assigned to Firewall Rule, it cannot be deleted.
Manage Service Group list
Screen Manage Service Group
Page 146 of 490
Cyberoam User Guide
Screen Element
Description
Name
Displays the name of the Service Group.
Description
Description of the Service Group.
Table Manage Service Group screen elements
Service Group Parameters
To add or edit a service group, go to Objects > Services > Service Group. Click the Add button to
add a new service group. To update the details, click on the service group or Edit icon
column against the service group to be modified.
in the Manage
Screen Add Services Group
Screen Element
Description
Name
Specify a name to identify the Service Group.
Description
Service Group Description.
Select Service
Service List displays all the services including default
services.
Click the checkbox to select the service. All the selected
services are moved to the Selected Service list.
Single service can be member of multiple groups.
You can also search for a particular service from the list.
Table Add Services Group screen elements
Page 147 of 490
Cyberoam User Guide
Schedule
Schedule defines a time schedule for applying Firewall Rule or Web & Application Filter policy i.e. used to
control when Firewall Rules or Internet Access policies are active or inactive.
Schedule also defines the system triggered scan for Rogue AP Scan.
Types of Schedules:
Recurring use to create policies that are effective only at specified times of the day or on specified
days of the week.
One time - use to create Firewall Rules that are effective once for the period of time specified in the
schedule. One time schedule can be implemented through firewall only.
Schedule
Schedule
TheAppliance is shipped with following pre-defined schedules which can be applied to Firewall Rules and
various policies: Work hours (5 Day week), Work hours (6 Day week), All Time on Weekdays, All Time on
Weekends, All Time on Sunday, All Days 10:00 to 19:00. You can also create new schedule and modify the
existing schedules.
The Schedule page displays the list of all the predefined and custom schedules. The page also provides
options to add a new schedule, update the parameters of the existing schedule, or delete a schedule.
To manage Schedules, go to Objects > Schedule > Schedule.
Note
If a Schedule is used by Firewall Rule or any policies, it cannot be deleted.
Manage Schedules
To manage schedules, go to Objects > Schedule > Schedule.
Screen Manage Schedule
Page 148 of 490
Cyberoam User Guide
Screen Element
Description
Name
Displays the name of the Schedule.
Type
Displays the Type of Schedule Recurring or One Time
Description
Description of the Schedule.
Table Manage Schedule screen elements
Schedule Parameters
Screen Add Schedule
Screen Element
Description
Name
Name to identify the Schedule.
Description
Specify Schedule Description.
Type
Select Schedule Type.
Available Options:
Recurring Use to create access time policies that are
effective only at specified times of the day or on specified
days of the week.
One Time Use to create Firewall Rules that are
effective once for the period of time specified in the
schedule. It cannot be applied to any of the policies but
can be implemented through Firewall Rule only.
Start & End Date - Specify Start and Stop date. This is
applicable for the one time schedule only.
Also, select the days of the week and specify time for the
schedule to be active. Stop time cannot be greater than start
time.
Table Add Schedule screen elements
Page 149 of 490
Cyberoam User Guide
File Type
File Type is a grouping of file extensions or MIME headers. The Appliance allows filtering Internet content
based on file extension and MIME headers. For example, you can restrict access to particular types of files
from sites within an otherwise-permitted category.
When both Extension & MIME header are configured, both will be matched separately. If a file does not match
any extension or header, it is passed. Access decision is based on the action configured for the extension.
Depending on the organization requirement, allow or deny access to the file types with the help of policies by
groups, individual user, time of day, and many other criteria.
For convenience, the Appliance is shipped with several default File Types categories. You can use these or
even create a new File Type category to suit your needs.
Custom file type is given priority over default category while allowing/restricting the access and is implemented
through Web Filter policy.
The File Type Category page displays the list of all the predefined and custom file type categories. The page
also provides options to add a new category, update the parameters of the existing category, or delete a
category.
Note
Category included in Web Filter Policy cannot be deleted.
Default Categories cannot be edited or deleted.
Manage File Type Categories
To manage file type categories, go to Objects > File Type > File Type.
Screen Manage File Type Category
Page 150 of 490
Cyberoam User Guide
Screen Element
Description
Name
Displays the name of the File Type Category.
File Extensions
Displays the File types included in Category.
MIME Headers
MIME header included in Category.
Description
Description of the File Type Category.
Table Manage File Type Category screen elements
File Type Category Parameters
To add or edit a file type category, go to Objects > File Type. Click the Add button to add a new file type
category. To update the details, click on the file type category or Edit icon
the file type category to be modified.
in the Manage column against
Screen Add File Type Category
Screen Element
Description
Name
Specify a name to identify the File Type Category.
Template
Select a template if you want to create a new category based
on an existing category and want to inherit all the file extensions
and MIME header from the existing category.
File
Extension(s)/MIME
Header(s)
Enter the file extensions and MIME header to be included in the
category. Multiple extensions and MIME headers can be
entered using comma e.g. bmp, jpeg
At the end of the MIME header, wildcard * can be added to
include all-inclusive pattern. For example, if MIME header is
configured in the format audio/*, than all the files with MIME
Type - audio will be considered.
Appendix C lists the default file type categories.
Description
Describe the File Type Category.
Table Add File Type Category screen elements
Page 151 of 490
Cyberoam User Guide
Network
Network establishes how your Appliance connects, interacts with your network, and allows configuring of
network specific settings.
This menu covers how to configure the Appliance to operate in your network. Basic network settings include
configuring your Appliance interface and DNS settings. More advanced configuration includes adding Virtual
LAN sub-interfaces and custom zones to the network configuration. It also describes how to use DHCP to
provide convenient automatic network configuration for your clients. It provides steps on how to backup and
restore your system configuration.
Interface
Wireless LAN
Wireless WAN
Gateway
Static Route
DNS
DHCP
ARP
Dynamic DNS
Interface
The Appliance is shipped with a number of physical interfaces/ports and the number of interfaces depends
on the Appliance model. The physical interfaces can be configured as:
Alias Alias allows binding multiple IP Addresses onto a single physical interface. It is another name
for the interface that will easily distinguish this interface from another interface.
Bridge Pair Bridge pair enables to configure transparent subnet gatewaying.
LAG Link Aggregation Group (LAG) is a method by which multiple network connections can be
combined into a single connection. It is also known as trunking, NIC teaming, NIC bonding and Ether
Channel. LAG is mostly used for handling LAN traffic.
VLAN Virtual LAN is a broadcast domain configured on switch on a port-by-port basis.
WLAN Wireless Local Area Network (WLAN) is used to associate devices through wireless
distribution method and connection to the Internet is provided through an access point.
WWAN Wireless WAN is wide area network (WAN) for data that is typically provided by the cellular
carriers to transmit a wireless signal over a range of several miles to a mobile device.
TAP - Test Access Point (TAP) interface enables to deploy Cyberoam in Discover Mode. This mode
enables Cyberoam to monitor all network traffic without making any changes in the existing network
schema. Discover Mode could be configured through Command Line Interface (CLI).
Pre-requisites for Discover Mode:
1. All relevant modules (IPS, Web & Application Filter, Anti Virus and Anti Spam) should be
subscribed.
2. Cyberoam must be connected to the Internet for Web classification, IPS updates and SAR
generation on cloud.
3. Cyberoam must be integrated with External Authentication servers like Active Directory, RADIUS,
LDAP etc. to get users specific data in the Security Assessment Report (SAR). SAR provides
Page 152 of 490
Cyberoam User Guide
visibility into potential risks prevailing within the corporate network like application and web risks,
risky users and intrusion risks.
A Zone is a logical grouping of ports/interfaces and each port is a member of a zone.
Note
If PPPoE is configured, WAN port is displayed as the PPPoE interface.
Interface
IP Tunnel
Zone
Interface
The Interface page displays a list of physical interfaces, aliases, virtual sub-interfaces, bridge-pair interfaces,
interfaces configured as LAG, interfaces configured for wireless LAN, interfaces configured for wireless WAN
and interfaces configured as TAP.
If the virtual sub-interface is configured for the physical interface, it is also displayed beneath the physical
interface. Virtual sub-interface configuration can be updated or deleted. Click the Toggle Drill Down
to view the alias and virtual sub-interfaces defined for the said physical interface.
icon
To manage interfaces, go to Network > Interface > Interface. You can:
Update Physical Interface/Port details Only Default Physical interface can be updated. Click the
Interface Name or Edit icon
interface to be modified.
in the Manage column against the IP Address and netmask of physical
Update Wireless WAN Connection Wireless WAN is the default interface along with other physical
interfaces, if the device is supported by your Appliance.
Note
Updating Interface also removes all its dependent configurations including:
Interface Zone Binding, DNS, Gateway, Interface Based Hosts, VLAN Interfaces, Dynamic DNS
Stops the DHCP Server to update the details and one need to restart manually
Disconnects all tunnels and updates all the VPN Policies, Tunnels need to be manually reconnected.
Toggle Drill Down icon Click the
said physical interface.
icon to view the alias and virtual sub-interfaces defined for the
Note
A virtual sub-interface cannot be deleted, if virtual sub-interface is member of any zone or a firewall rule is
defined for the virtual sub-interface.
Deleting Interface also removes all its dependent configurations including: Interface Zone Binding, DHCP
Server or Relay, Interface Based Firewall Rule, ARP Static and Proxy, Virtual Hosts, Virtual Host based
Firewall Rules, Interface based Hosts and References from Host Groups, Unicast and Multicast Routes.
When deployed in Discover Mode, Cyberoam functions ONLY in a listening mode and, hence, none of
the security policies will be applied.
Page 153 of 490
Cyberoam User Guide
Manage Interfaces - Physical, Aliases & Virtual Sub-interfaces
To manage interfaces, go to Network > Interface > Interface.
Screen Manage Interface
Screen Element
Interface Name
Description
Displays the Interface name in case of Physical Interface, Port
name and for Wireless WAN connection, WWAN name.
If Alias or VLAN is added for the Interface, it is displayed beneath
the physical interface. Click
to view the Alias or VLAN details.
Interface Type
Displays interface type.
Status
(Only when
Appliance is
deployed in Gateway
mode)
IP Address - IP
TAP is displayed for the interfaces configured in Discover
mode.
Interface connection status
Connected
Unplugged
Disabled
When appliance is deployed in Gateway mode, IP Address and the
Netmask is displayed.
When Appliance is deployed in Bridge mode, IP Address and
Netmask is displayed for the bridge pair and not for the individual
member interfaces.
IP Address Type
(Only when
Appliance is
deployed in Gateway
mode)
IP Address type
Static
PPPoE
DHCP
Wireless Modem
Zone Name
(Only when the
Appliance is
deployed in Gateway
mode)
Type of Zone to which the interface or sub-interface is bound to.
MAC Address
MAC Address selected.
Page 154 of 490
Cyberoam User Guide
MSS
Maximum Segment size specified
MTU
Configured Maximum Transmission Unit
Interface Speed
(Only when the
Appliance is
deployed in Gateway
mode)
Configured Interface Speed.
Screen Manage Interface screen elements
Note
Not all the operations are supported when Cyberoam is deployed in Bridge mode.
Interface Manage page will display Zone Name as Discover for interfaces configured in Discover Mode.
TAP interface cannot be updated or deleted.
Only unbound Physical Interfaces can be configured in Discover mode.
Page 155 of 490
Cyberoam User Guide
Edit Physical Interface
(Only when the Appliance is deployed in Gateway mode)
Go to Network > Interface > Interface. Click the hyperlink of the physical interface whose settings
need to be updated.
Screen Edit Physical Interface
Screen Element
Description
General Settings
Physical Interface
Physical Interface for example, Port A, Port B
Network Zone
(Only when
Appliance is
deployed in Gateway
mode)
Select Zone to which Interface belongs.
Available Options:
None
LAN
WAN
DMZ
Page 156 of 490
Cyberoam User Guide
To unbind, select None.
IPv4 Configuration
IP Assignment
Select IP Assignment type.
Available Options:
Static Static IP Addresses are available for all the zones.
PPPoE PPPoE is available only for WAN Zone. If PPPoE
is configured, WAN port is displayed as the PPPoE
Interface.
DHCP DHCP is available only for WAN Zone.
IPv4 / Netmask
Gateway Detail
(Only when Network
Zone is WAN)
Specify IPv4 Address and Network Subnet mask.
For Static IP assignment Specify the Gateway Name and
IP Address through which the traffic is to be routed.
For PPPoE IP assignment Specify the Gateway Name,
IP Address, PPPoE account Username and Password,
Service Name, LCP Echo Interval, LCP failure attempts.
Appliance initiates only those sessions with Access Concentrator,
which can provide the specified service.
Preferred IP
Many Internet Service Providers assign a fixed IP Address for
the PPPoE connection. The Administrator is allowed to bind a
static IP Address for a PPPoE.
LCP Echo Interval
It is time to wait before sending echo request to check whether
the link is alive or not.
Default 20 Seconds.
Page 157 of 490
Cyberoam User Guide
LCP failure
Appliance will wait for the LCP echo request response for the
LCP Echo interval defined after every attempt. It declare
PPPoE link as closed if it does not receive response after
defined number of attempts.
Default Attempts Allowed 3
Schedule Time For Reconnect
The assigned IP Address, dynamic or static (preferred), for a
PPPoE connection may have a stipulated validity. Once the
validity is over the PPPoE connection is terminated and
reconnected.
In order to avoid the reconnection during the working hours, the
Administrator can enable the PPPoE reconnection schedule. An
Administrator can choose to schedule the PPPoE reconnection
on daily or weekly basis on the configured time (HH:MM).
Default - Disable
Default schedule when enabled All days of week at 00:00
hours.
For DHCP IP assignment Specify the Gateway Name and
IP Address through which the traffic is to be routed.
IPv6 Configuration
IPv6 / Prefix
Specify IPv6 Address and the Prefix.
Advanced Settings
Interface Speed
Select Interface speed for synchronization.
Speed mismatch between Appliance and 3rd party routers and
switches can result into errors or collisions on interface, no
connection or traffic latency, slow performance.
Depending on the model deployed following options will be
available:
Auto Negotiate
Page 158 of 490
Cyberoam User Guide
10 Mbps - Full duplex
10 Mbps - Half duplex
100 Mbps - Full duplex
100 Mbps - Half duplex
1000 Mbps - Full duplex
1000 Mbps - Half duplex
Default Auto Negotiate
MTU
Specify MTU value (Maximum Transmission Unit)
MTU is the largest physical packet size, in bytes, that a network
can transmit. This parameter becomes an issue when networks are
interconnected and the networks have different MTU sizes. Any
packets larger than the MTU value are divided (fragmented) into
smaller packets before being sent.
Default 1500
Acceptable Range 576 to 1500
Override MSS
Click to override default MSS.
MSS defines the amount of data that can be transmitted in a single
TCP packet.
Default 1460
Acceptable Range 536 to 1460
For PPPoE
Default 1452
Acceptable Range 528 to 1452
Use Default MAC
Address
(Not available for
alias, VLAN, virtual
interfaces, PPPoE,
serial modem
interface, dedicated
HA link, Wireless
LAN, Wireless WAN
and bridge interface)
Click to use the default MAC Address for the Interface.
Override Default
MAC Address
Address
(Not available for
alias, VLAN, virtual
interfaces, PPPoE,
serial modem
interface, dedicated
Click to override the default MAC Address for the Interface and
enter the new MAC Address.
If High Availability is configured, Virtual MAC Address will be the
default MAC Address.
On factory reset, it will be set to the default MAC Address.
Page 159 of 490
Cyberoam User Guide
HA link, Wireless
LAN, Wireless WAN
and bridge interface)
Table Edit Physical Interface screen elements
Note
PPPoE Interface is assigned a new dynamic IP Address for each new PPP session
IP Address in Firewall Rules automatically changes when the new IP Address is leased
If multiple gateways are defined then IP Address in the failover condition automatically changes when the
new IP Address is leased.
As IP Address to PPPoE interface is assigned dynamically, it cannot be viewed or changed from Network
Configuration option of CLI Console.
Page 160 of 490
Cyberoam User Guide
Bridge Pair Parameters
(When Appliance is deployed as Bridge Mode / L2 Bridge Mode)
This feature is not supported in Cyberoam Virtual Security Appliances when deployed in Microsoft HyperV Hypervisors only.
To add or edit, go to Network > Interface > Interface and click Add Bridge Pair. To update the
details, click on the name of Bridge Pair or Edit icon
you want to modify.
in the Manage column against the Bridge Pair
Screen Add Bridge - Pair Interface
Screen Element
Description
General Settings
Name
Provide a name to Identify the Bridge Pair.
Description
Provide description for Bridge Pair description.
Enable routing on
this bridge-pair
Click to enable routing on this bridge-pair.
Member Interfaces
Interface
Select the first physical interface for the bridge pair.
For example, Port A, Port B.
Zone
Select zone to which the Interface 1 belongs.
IPv4 Configuration
Page 161 of 490
Cyberoam User Guide
Specify IPv4 Address and the network subnet mask.
IPv4/Netmask
Gateway Detail
Gateway Name
Specify a name to identify the Gateway.
Gateway IP
Specify IPv4 Address for the Gateway.
IPv6 Configuration
Specify IPv6 Address and the prefix.
IPv6 / Prefix
Gateway Detail
Gateway Name
Specify a name to identify the Gateway.
IP Address
Specify IPv6 Address for the Gateway.
Advanced Settings
MTU
Specify MTU value (Maximum Transmission Unit)
MTU is the largest physical packet size, in bytes, that a network
can transmit. This parameter becomes an issue when networks
are interconnected and the networks have different MTU sizes.
Any packets larger than the MTU value are divided
(fragmented) into smaller packets before being sent.
Default 1500
Acceptable Range 576 to 1500
Override MSS
Click to override default MSS.
MSS defines the amount of data that can be transmitted in a
single TCP packet.
Default 1460
Acceptable Range 536 to 1460
Table Add Bridge - Pair Interface screen elements
Note
Multiport bridge can be configured. All interfaces of Cyberoam can be configured as member interfaces
for a bridge-pair.
A single WAN interface is supported in a multiport bridge-pair.
Single interface cannot be part of multiple bridge.
Page 162 of 490
Cyberoam User Guide
Alias Parameters
Alias allows binding multiple IP Addresses onto a single physical interface. It is another name for the interface
that easily distinguishes this interface from other interfaces.
To add or edit an alias, go to Network > Interface > Interface. Click the Add button to add a new
alias. To update the details, click on the alias name or Edit icon
you want to modify.
in the Manage column against the alias
Screen Add Alias
Screen Element
Description
Add Alias
Physical Interface
Select Physical Interface for which Alias is to be bounded.
Note
IP Family
Alias can be added for the Virtual Sub-Interface and WLAN
interface.
Select the IP Family for Alias.
Available options:
IPv4
IPv6
IPv4/Netmask (For
IPv4 Family)
Specify IPv4 Address and select the network subnet mask.
IPv6/Prefix
Specify IPv6 Address and the prefix.
Default 64
Page 163 of 490
Cyberoam User Guide
VLAN
A LAN is a local area network and is defined as all devices in the same broadcast domain. Routers stop
broadcasts while switches just forward them.
VLAN is a virtual LAN. In technical terms, VLAN is a broadcast domain configured on switch on a port-by-port
basis. Normally, it is a router that creates the broadcasts domain but with VLANs, a switch can create the
broadcast domain.
VLAN allow you to segment your switched network so that broadcast domains are smaller, leaving more
bandwidth for your end nodes. Devices that are in one VLAN can communicate with each other but cannot
communicate with the devices in another VLAN. The communication among devices on a VLAN is
independent of the physical network.
For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the
devices in the VLAN. VLAN ID/tags are 4-byte frame extensions that contain a VLAN identifier as well as
other information.
Advantages
Increased Port density
Logical segmentation of Network irrespective of physical placement
Granular security on heterogeneous LANs
Improved Network throughput as VLAN confines broadcast domain
Appliance and VLAN support
The Appliance supports VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch or
router and your Appliances. Normally, the Appliance internal interface connects to a VLAN trunk on an internal
switch, and the external interface connects to an upstream Internet router. Appliance can then apply different
policies for traffic on each VLAN that connects to the internal interface.
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers add VLAN IDs to
packets. Layer-2 switches can handle packets passing between devices in the same VLAN. A layer-3 device
such as router or layer-3 switch must handle packets passing between devices in different VLANs.
Appliance functions as a layer-3 device to control the flow of packets between VLANs. Appliance can also
remove VLAN IDs/tags from incoming VLAN packets and forward untagged packets to other networks, such
as the Internet.
VLAN support on the Appliance is achieved by means of virtual interface, which are logical interfaces nested
beneath a physical interface/port. Every unique VLAN ID requires its own virtual interface. You add virtual
interfaces to the Appliances internal interface that have VLAN IDs that match the VLAN IDs of packets in the
VLAN trunk. Appliance then directs packets with VLAN IDs to interfaces with matching VLAN IDs. You can
define virtual interfaces on all the interfaces except the external interface i.e. interface for the WAN zone.
Appliance adds VLAN IDs to packets leaving a VLAN interface or removes VLAN IDs from incoming packets
and adds a different VLAN IDs to outgoing packets.
Page 164 of 490
Cyberoam User Guide
Virtual interface has most of the capabilities and characteristics of a physical interface, including zone
membership, security services, routing, access rule controls, virus, and spam scanning.
Using VLANs, a single Appliance can provide security services and control connections between multiple
domains. Traffic from each domain is given a different VLAN ID. Appliance can recognize VLAN IDs and apply
security policies to secure network between domains. Appliance can also apply authentication, various
policies, and firewall rule features on the network traffic.
VLAN Interface Parameters
To add or edit VLAN interfaces, go to Network > Interface > Interface. Click the Add VLAN Button
to add a new VLAN interface or the Edit Icon to modify the details of an existing VLAN interface.
Screen Add VLAN Interface
Parameters
Screen Element
Description
ADD VLAN
Physical Interface
Select parent Interface for the virtual sub-interface. Virtual subinterface will be the member of the selected physical
Interface/Port.
Page 165 of 490
Cyberoam User Guide
Zone
Select a Zone to assign to the virtual sub-interface. Virtual subinterface will be the member of the selected zone. It can be the
member of LAN, DMZ, WAN or custom zone.
Virtual sub-interface created will remain unused until it is included
in a zone.
Note
VLAN ID
Zone membership can be defined at the time of defining
virtual sub-interface or later whenever required.
One can also create a custom zone for Virtual sub-interface
and Virtual sub-interface can be the member of this custom
zone.
Specify the VLAN ID. The interface VLAN ID can be any number
between 2 and 4094. The VLAN ID of each Virtual sub-interface
must match the VLAN ID of the packet. If the IDs do not match,
the virtual sub-interface will not receive the VLAN tagged traffic.
Note
Virtual sub-interfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add
virtual sub-interfaces with the same VLAN ID to different
physical interface.
IPv4 Configuration
IP Assignment
Select IP Assignment type.
Available Options:
Static Static IP Addresses are available for all the zones.
PPPOE PPPOE is available only for WAN Zone. If
PPPoE is configured, the WAN port will be displayed as the
PPPoE Interface.
DHCP DHCP is available only for WAN Zone.
IPv4/Netmask
Gateway Detail
(Only when Network
Zone is WAN)
Specify the IPv4 Address for the interface and select the Network
subnet mask.
For Static IP assignment Specify the Gateway Name
and IP Address through which the traffic is to be routed.
For PPPoE IP assignment Specify the Gateway Name,
IP Address, PPPoE account Username and Password,
Service Name, LCP Echo Interval, LCP failure attempts.
Page 166 of 490
Cyberoam User Guide
The Appliance initiates only those sessions with Access
Concentrator, which can provide the specified service.
Preferred IP
Many Internet Service Providers assign a fixed IP Address for
the PPPoE connection. The Administrator is allowed to bind a
static IP Address for a PPPoE.
LCP Echo Interval
It is time to wait before sending echo request to check whether
the link is alive or not.
Default 20 Seconds.
LCP failure
The Appliance will wait for the LCP echo request response for
the LCP Echo interval defined after every attempt. It declare
PPPoE link as closed if it does not receive response after
defined number of attempts.
Default Attempts Allowed 3.
Schedule Time For Reconnect
The assigned IP Address, dynamic or static (preferred), for a
PPPoE connection may have a stipulated validity. Once the
validity is over the PPPoE connection is terminated and
reconnected.
In order to avoid the reconnection during the working hours,
the Administrator can enable the PPPoE reconnection
schedule. An Administrator can choose to schedule the
PPPoE reconnection on daily or weekly basis on the
configured time (HH:MM).
Default - Disable
Page 167 of 490
Cyberoam User Guide
Default schedule when enabled All days of week at 00:00.
For DHCP IP assignment Specify the Gateway Name
and IP Address through which the traffic is to be routed.
IPv6 Configuration
IPv6/Prefix
Select IP Assignment type.
Gateway Detail
(Only when Network
Zone is WAN)
Provide the gateway name and IPv6 Address through which the traffic
is to be routed.
Table Add VLAN Interface screen elements
If custom zone is created for Virtual sub-interface, two default firewall rules for the zone are automatically
created depending on zone type of the custom zone. For example, if the zone type for the virtual sub-interface
is LAN, 2 default firewall rules under Virtual sub-interface to WAN zone are automatically created based on
the default LAN to WAN zone firewall rules.
Page 168 of 490
Cyberoam User Guide
Link Aggregation Group
Link Aggregation Group (LAG) is a method by which multiple network connections can be combined into a
single connection. It is also known as trunking, NIC teaming, NIC bonding and Ether Channel. LAG is mostly
used for handling LAN traffic.
LACP
Link Aggregation Control Protocol (LACP) is a part of IEEE specification that groups two or more physical
links into a single logical link. LACP must be enabled at both ends of the link to be functional.
Appliance supports LAG to combine multiple physical links into a single logical link so that bandwidth can be
increased and automatic failover is available.
LAG supports two modes:
Active- Backup Provides automatic link failover facility. In this a single slave (member of LAG)
remains active. If the active slave fails then other slave in the LAG becomes the active slave
LACP (802.3ad) This mode provides load balancing and automatic failover. In this mode all the links
are used for forwarding the traffic.
Note
Both the switches must support LACP.
The member interface in LAG must have same properties.
Advantages
Unbound physical interfaces are supported.
Only static physical interfaces are supported.
PPPoE, 3G, 4G, WWAN, WLAN and Transport mode are not supported in LAG.
Page 169 of 490
Cyberoam User Guide
Add LAG Interface
LAG interface cannot be added from CLI. Only its properties can be configured or edited from CLI.
Screen Add LAG Interface
Parameters
Screen Element
Description
Global Settings
Interface Name
Enter a name for LAG interface.
Member Interface
Port List displays all the unbounded ports.
Click the checkbox to select the port. All the selected ports are
moved to Selected Port list.
At least 2 member ports are required for creating a LAG
interface.
Page 170 of 490
Cyberoam User Guide
Mode
Maximum 4 ports can be configured on a single LAG
interface.
Select mode of LAG.
Available Options:
Active-Backup Select Active-Backup mode to provide
fault tolerance only.
802.3ad (LACP) Select 802.3ad (LACP) mode to load
balance the traffic and provide fault tolerance.
Network Zone
Select network zone for the interface.
Available Options:
LAN
DMZ
WAN
IPv4 Configuration
IP Assignment
Select the IP Assignment scheme for interface from the options
available:
Available Options:
Static
DHCP
Default Static
IPv4 Address
Specify IPv4 Address.
Netmask
Select the network subnet mask for the interface.
Gateway Detail
Gateway Name (Only
for WAN Zone)
Provide Gateway Name.
IPv4 Address (Only for
WAN Zone)
Provide Gateway IPv4 Address.
IPv6 Configuration
IPv6 / Prefix
Specify IPv6 Address and the prefix.
Gateway Detail
Gateway Name
(Only for WAN Zone)
Provide Gateway Name.
IPv6 Address (Only for
WAN Zone)
Provide Gateway IPv6 Address.
Advanced Settings
Interface Speed
Select Interface speed for synchronization.
Page 171 of 490
Cyberoam User Guide
Speed mismatch between the Appliance and 3rd party routers and
switches can result into errors or collisions on interface, no
connections or traffic latency, slow performance.
Depending on the model deployed following options will be
available:
Auto Negotiate
100 Mbps - Full duplex
100 Mbps - Half duplex
10 Mbps - Full duplex
10 Mbps Half Duplex
Default - Auto Negotiate
MTU
Specify MTU value (Maximum Transmission Unit).
MTU is the largest physical packet size, in bytes, that a network
can transmit. This parameter becomes an issue when networks
are interconnected and the networks have different MTU sizes.
Any packets larger than the MTU value are divided (fragmented)
into smaller packets before being sent.
Default - 1500
Acceptable Range - 576 to 1500
Override MSS
Click to override default MSS.
MSS defines the amount of data that can be transmitted in a
single TCP packet.
Default - 1460
Acceptable Range - 536 to 1460
Xmit Hash
Policy(Available only if
LACP (802.3ad) mode
is selected)
Select the Xmit hash Policy to be used for member interfaces from
the options available:
Available Options:
Layer2 Select to generate the hash value using hardware
MAC Addresses.
Layer2+3 Select to generate the hash value using a
combination of Layer 2 (MAC Address) and Layer 3 (IP
Address) protocol information.
Layer3+4 Select to generate the hash value using
Transport layer protocol information.
Primary Interface
(Available only if
Select an interface to be a primary interface. This interface
remains active while it is available.
Page 172 of 490
Cyberoam User Guide
Active-Backup mode
is selected)
The interfaces included in the member interface are available in
this list.
Use Default MAC
Address
Click to use the default MAC Address for the Interface.
By default, the first port that is included in the member port
becomes the default MAC Address.
Override Default MAC
Address
Click to override the default MAC Address for the Interface and
enter the new MAC Address.
On factory reset, it will be set to the default MAC Address.
Table Add LAG Interface screen elements
IP Tunnel
An IP Tunnel is an Internet Protocol network communications path between two networks. It is used to
encapsulate one network protocol as carrier for another network protocol. It is often used by two separate
networks having a router with different network address for communication. The Appliance supports IPv6
Tunnelling. Hence, IPv6 packets can be encapsulated in IPv4 headers using IP Tunnel.
This page provides a list of all the configured IP tunnels and the administrator can manage IP tunnels from
this page.
To manage zones, go to Network > Interface > IP Tunnel
Screen Manage Zones
Screen Element
Description
Tunnel Name
Displays the name of the Tunnel.
Tunnel Type
Type of IP Tunnel selected 6in4 or 6to4 or 6rd or 4in6.
Zone
Type of Zone selected LAN or DMZ or WAN.
Local End Point
Displays the IP Address of the Local End Point of the Tunnel.
Remote End Point
Displays the IP Address of the Remote End Point of the Tunnel.
Other configurations
Displays Time to Live (TTL) and Type Of Service (TOS)
configuration.
Table Manage IP Tunnel screen elements
Page 173 of 490
Cyberoam User Guide
Adding an IP Tunnel
Screen IP Tunnel
Screen Element
Description
Tunnel Name
Specify a unique name to identify the tunnel.
Tunnel Type
Select the type of tunnel from the options available.
Available Options:
6in4 Select to allow communication between two IPv6
endpoints across IPv4 network.
6to4 Select to allow communication between two IPv6
endpoints across IPv4 network.
6rd Select to allow communication between two IPv6
endpoints across IPv4 network.
4in6 Select to allow communication between two IPv4
endpoints across IPv6 network.
Zone
Select the zone to create the tunnel for, from the options available.
The tunnel will cater to the traffic of selected zone.
Available Options:
LAN
DMZ
WAN
Local End Point
Specify IP Address of the Local End Point of the tunnel.
Specify IPv4 Address for 6to4, 6in4 and 6rd tunnels.
Specify IPv6 Address for 4in6 tunnel.
Page 174 of 490
Cyberoam User Guide
Remote End Point
Specify IP Address of the Remote End Point of the tunnel.
Specify IPv4 Address for 6in4 tunnel.
Specify IPv6 Address for 4in6 tunnel.
Advanced Settings
TTL
Specify the Time To Live (TTL) life time of data.
The attribute Time to live (TTL) defines a limit on number of
attempts to transmit an IP packet before discarding it.
Default - 0
Acceptable Range - 0 to 255
TOS
Specify the Type Of Service (TOS) of data.
The attribute Type Of Service (TOS) provides the value for an IP
packet depending on which the service is provided. The service
mainly defines the packet priority, type of route (latency,
throughput, or reliable service)
Default - 0
Acceptable Range - 0 to 99
Table IP Tunnel screen elements
Page 175 of 490
Cyberoam User Guide
Zone
A Zone is a logical grouping of ports/physical interfaces and/or virtual sub-interfaces if defined.
Zones provide a flexible layer of security for the firewall. With the zone-based security, the administrator can
group similar ports and apply the same policies to them, instead of having to write the same policy for each
interface.
Default Zone Types
LAN Depending on the Appliance in use and network design, one can group one to six physical ports in this
zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all
the LAN networks under this zone.
By default the traffic to and from this zone is blocked and hence the highest secured zone. However, traffic
between ports belonging to the same zone will be allowed.
DMZ (DeMilitarized Zone) This zone is normally used for publicly accessible servers. Depending on the
Appliance in use and network design, one can group multiple physical ports in this zone.
WAN This zone is used for Internet services. It can also be referred to as Internet zone.
VPN This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an
assigned physical port/interface. Whenever the VPN connection is established, port/interface used by the
connection is automatically added to this zone and on disconnection; port is automatically removed from the
zone. Like all other default zones, scanning and access policies can be applied on the traffic for this zone.
Local Entire set of physical ports available on your Appliance including their configured aliases are grouped
in LOCAL zone. In other words, IP Addresses assigned to all the ports fall under the LOCAL zone.
Page 176 of 490
Cyberoam User Guide
Manage Zone list
To manage zones, go to Network > Interface > Zone.
Screen Manage Zones
Screen Element
Description
Name
Displays the name of the Zone.
Members
Displays the physical interface bounded to the zone.
Type
Displays the Type of Zone selected LAN or DMZ.
Device Access
Displays the name of device access activated under a zone.
Description
Displays the Zone description.
Table Manage Zones screen elements
Page 177 of 490
Cyberoam User Guide
Zone Parameters
To add or edit zones, go to Network > Interface > Zone. Click Add Button to add a new zone. To
update the details, click on the zone or Edit icon
modify.
in the Manage column against the zone you want to
Screen Add Zones
Screen Element
Description
Name
Specify a name to identify the zone
Type
Select the type of Zone from the available options.
Available Options:
LAN Depending on the Appliance in use and network
design, one can group one to six physical ports in this zone.
Group multiple interfaces with different network subnets to
manage them as a single entity. Group all the LAN networks
under this zone.
By default the traffic to and from this zone is blocked and hence
the highest secured zone. However, traffic between ports
belonging to the same zone will be allowed.
DMZ (DeMilitarized Zone) - This zone is normally used for
publicly accessible servers. Depending on the Appliance in
use and network design, one can group one to five physical
ports in this zone.
Note
Page 178 of 490
Cyberoam User Guide
Member Ports
By default, entire traffic will be blocked except LAN to Local
zone service likes Administration, Authentication, and
Network.
'Member Ports' List displays all the ports that have been assigned
to the selected Zone
Click the checkbox to select the ports. All the selected ports are
moved to 'Selected port' list.
Description
Provide the description for the zone.
Appliance Access
Appliance access defines the type of administrative access
permitted on zone.
Admin Services Enable Administrative Services that should be
allowed through Zone
HTTP Allow HTTP connection to the Web Admin console
through this zone
HTTPS Allow secure HTTPS connection to the Web Admin
console through this zone
Telnet Allow Telnet connection to CLI through this zone
SSH Allow SSH connection to CLI through this zone
Authentication Services Enable Authentication Services that
should be allowed through Zone
Windows/Linux Clients
Captive Portal
NTLM
Radius SSO
Network Services Enable Network Services that should be
allowed through Zone
DNS Allow this zone to respond to DNS requests
PING Allow this zone to respond to pings
Other Services Enable other Services that should be allowed
through Zone
Web Proxy
SSL VPN - SSL VPN service is not available for Cyberoam
CR15i models.
Table Add Zones screen elements
Note
If DMZ uses Private IP Address, use NATing to make them publicly accessible.
One cannot add zone if the Appliance is deployed as Bridge.
Page 179 of 490
Cyberoam User Guide
Local and VPN zone cannot be updated or deleted.
Wireless WAN
This feature is not supported in Cyberoam Virtual Security Appliances.
Wireless WAN is wide area network (WAN) for data that is typically provided by the cellular carriers to transmit
a wireless signal over a range of several miles to a mobile device. WWAN connectivity allows a user with a
laptop and a WWAN support to use the web, or connect to a VPN from anywhere within the regional
boundaries of the cellular service.
They are popularly known as "wireless broadband".
To configure WWAN:
4. Enable WWAN from CLI with command: cyberoam wwan enable
5. Re-login to Web Admin console
6. Configure WWAN Initialization string and gateway from Network > Wireless WAN >
Settings page
Once WWAN is enabled from CLI, an interface named WWAN1 is created and it is the member of the
WAN zone.
As WWAN interface is a member of WAN zone:
1. All the services enabled for the WAN zone from the Appliance Access page are automatically
applicable on WWAN1 connection too.
2. All the firewall rules applied on WAN zone will be applied on WWAN interface
A default host named ##WWAN1 is created and firewall rule and VPN policies can be created for the
default host.
WWAN1 gateway is added as Backup gateway
When the Wireless WAN is disabled from CLI, Wireless WAN menu, default host ##WWAN1and
WWAN gateway options will be removed from Web Admin Console.
Note
Wireless WAN is not supported in Bridge Mode.
DHCP Server configuration is not supported for WWAN interface.
If backup of an Appliance is taken on, which WWAN is enabled and restored on an Appliance where it is
not enabled, WWAN configuration would still be visible.
Status
Settings
Page 180 of 490
Cyberoam User Guide
Status
The page displays the status of the Wireless WAN connection. Along with details of the WWAN connection,
the page also provides the facility to connect and disconnect the WWAN connection.
View Connection Status
To view and manage WWAN connection, go to Network > Wireless WAN > Status.
Screen WWAN Status
Screen Element
Description
Connect/Disconnect
Button
Click the button to connect or disconnect the WWAN connection.
This process may take some time.
Status
Status of the Connection. Status messages can be of following
types.
Possible Status:
Modem not supported
No Modem plugged-in
Connecting
Reconnecting
Connected
Disconnected
Modem Name
Name of the Modem.
IP Address
IP Address assigned to the device.
Gateway IP
IP Address assigned as the gateway.
Bytes Uploaded
Number of Bytes uploaded (in KB).
Bytes Downloaded
Number of Bytes downloaded (in KB).
Time Duration
Time period since WWAN is connected.
Format: HH:MM::SS
Table WWAN Status screen elements
Page 181 of 490
Cyberoam User Guide
Settings
The page allows configuration of Wireless WAN connection.
Configure WWAN Connection
To configure WWAN connection, go to Network > Wireless WAN > Settings.
Screen WWAN Settings
Screen Element
Description
General Settings
Interface Name
Specify a name of the interface
IP Assignment
Select the IP Assignment method from the available options:
Available Options:
Dialup (PPP)
Network Adapter (DHCP)
Click to view the modem details and the recommended
configuration.
Page 182 of 490
Cyberoam User Guide
Show
Recommended
Configuration Button
The Information section shows following details:
Modem Name
Vendor ID
Product ID
SIM PIN Enabled Yes/No
The Configuration section provides following information:
Field Name
Available IP
Assignment Methods
Possible Values
Dialup (PPP)
Network Adapter (DHCP)
Dialup (PPP) &
Adapter (DHCP)
Modem Port
Network
Not Available
Serial n (n= 0, 1, 9)
Secondary Modem
Ports
Not Available
Serial n (n = 0, 1, 9)
It displays next promising
modem port. This port must be
utilized as Modem Port, if the
recommended modem port
fails to function.
Not Available
APN
<name>
DHCP Connect
Command
Not Required
Required but not available
<AT command>
DHCP Disconnect
Command
Not Required
Required but not available
<AT command>
Click Load Recommended Configuration button to load
recommended configuration in the Settings page and use the
same.
Note
Clicking Load Recommended Configuration button flushes
out previous configuration if any exist and replace it with the
recommended configurations.
Values of Secondary Modem Ports will not be loaded on
Settings page on clicking Load Recommended
Configuration button.
Page 183 of 490
Cyberoam User Guide
Connect
Types of Dialing of WWAN connection.
Available Options:
Auto Dial & Active Gateway When auto-dial is configured
and gateway is added as Active. Appliance automatically
connects to the ISP and this gateway takes part in Load
balancing as per the weight configurations.
Manual Dial & Active Gateway When manual dial is
configured and gateway is added as Active, Appliance does
not automatically connect to ISP. Administrator needs to
initiate dial action.
Auto Dial & Backup Gateway When auto-dial is
configured and gateway is added as backup, on the event of
failover, Appliance auto-dials to the ISP and all the traffic
passes through that Wireless WAN link.
Manual Dial & Backup Gateway When Manual Dial is
configured and gateway is added as backup, on event of
failover, Appliance does not automatically connect the ISP.
The Admin needs to go to the Web Console and perform the
"Connect" action. Only then, traffic passes through Wireless
WAN interface.
Reconnect Tries
Select the number attempts allowed to reconnect from the
available options.
Available options:
Always
1
2
3
Default Always
Note
Modem Port (Only
for Dialup (PPP))
In case of DHCP, Always is the only available option.
Serial interface on which modem will establish connection
Available Options:
Serial 0 to 9
In case incorrect serial interface is configured, one needs plug-out
the modem or reboot the Appliance.
Phone Number (Only
for Dialup (PPP))
Specify Phone number for connection.
User Name
Specify a Username for the connection.
Password
Specify a Password.
Page 184 of 490
Cyberoam User Guide
SIM Card PIN Code
PIN code to unlock PIN-enabled SIM card.
Many operators lock their SIM card to prevent the use of other
operator's SIM cards. These kinds of modems can be unlocked
with the PIN code for connecting.
APN
Specify Access Point Name.
Access Point Name (APN) is a configurable network identifier,
used by the Appliance to identify the packet data network (PDN) /
GSM carrier with which the user wants to communicate.
DHCP Connect
Command (Only for
Network Adapter
(DHCP))
Specify a DHCP command to connect to the Wireless WAN.
DHCP Disconnect
Command (Only for
Network Adapter
(DHCP))
Specify a DHCP command to disconnect from the Wireless WAN.
Initialization String
Specify initialization string for the specific wireless modem. There
can be more than one string and in such case, strings should be
entered in proper order.
Gateway Settings
Gateway Name
Specify a name to identify the Gateway.
Gateway IP Address
Specify IP Address of the Gateway.
Gateway Type
Specify Type of Gateway: Active or Backup.
Weight
Depending on the weight, gateway for load balancing is selected.
Appliance distributes traffic across links in proportion to the ratio of
weights assigned to individual link.
This weight determines how much traffic will pass through a
particular link relative to the other link.
When more than two gateways are configured and one gateway
goes down, the traffic is switched over to the available gateways
according to the ratio of the weights assigned to the available
gateways.
Activate This
Gateway (Only if
option Backup
Gateway Type is
selected)
Select Gateway Activation Condition
Dropdown will list all the configured gateways. Backup gateway will
take over and traffic will be routed through the backup gateway only
when the selected gateway fails.
Available Options:
If <Gateway Name> Gateway Fails Backup gateway will
take over and traffic will be routed through the backup
gateway only when the <Gateway Name> gateway fails.
Page 185 of 490
Cyberoam User Guide
If Any Gateway Fails Backup gateway will take over and
traffic will be routed through backup gateway when any of
the active gateways fail.
If ALL the Gateways Fail Backup gateway will take over
and traffic will be routed through backup gateway when all
the configured active gateways fail.
Action on Activation
(Only if option
Backup Gateway
Type is selected)
Configure weight for the backup gateway. Appliance distributes
traffic across links in proportion to the ratio of weights assigned to
individual link. This weight determines how much traffic will pass
through a particular link relative to the other link.
Select Inherit weight of the failed active gateway if you want
Backup gateway to inherit the parent gateways (Active gateway)
weight or select User pre-configured weight and specify weight.
Other Settings
MTU
Specify MTU value (Maximum Transmission Unit)
MTU is the largest physical packet size, in bytes, that a network
can transmit. This parameter becomes an issue when networks are
interconnected and the networks have different MTU sizes. Any
packets larger than the MTU value are divided (fragmented) into
smaller packets before being sent.
Default 1500.
Acceptable Range 576 to 1500
MSS
MSS defines the amount of data that can be transmitted in a single
TCP packet.
Default 1460
MSS Input range 536 to 1460
MAC Address (Only
for Network Adapter
(DHCP))
Select a method from the available options to provide MAC
Address for the Modem:
Available Options:
Use Default MAC Address
Override Default MAC Address On selection of this option,
provide the MAC Address.
Table WWAN Settings screen elements
Page 186 of 490
Cyberoam User Guide
Gateway
A Gateway is used to route traffic between networks. In case of failure of the gateway, the entire network
traffic is dropped and communication with the outside network(s) is not possible.
By default, Appliance supports only one gateway. However, to cope with gateway failure problems, the
Appliance provides an option to configure multiple gateways. But simply adding one more gateway is not an
end to the problem. Optimal utilization of all the gateways is also necessary. The Appliance Multi Link Manger
provides link failure protection by detecting the dead gateway and switching over to the active link and also
provides a mechanism to balance traffic between various links.
At the time of deployment, you configured the IP Address for a default gateway through Network Configuration
Wizard. You can change this configuration any time and configure additional gateways. You can use Multi
Link Manger to configure multiple gateways for load balancing and failover.
By default, all the gateways defined through Network Configuration Wizard will be defined as Active gateway.
Gateway Name
Name of the Gateway assigned at the time of installation.
Gateway IP Address
IP Address of the Gateway assigned at the time of installation.
Ethernet Port
Gateway/WAN port
Gateway Type
Active By default, traffic is routed through Active gateway.
Backup Routes the traffic only when active gateway fails.
Weight
Weight assigned to the Gateway and used for load balancing. Weight determines how much traffic will pass
through a particular link relative to the other link. Administrators can set weight and define how the traffic
should be directed to providers to best utilize their bandwidth investments.
Page 187 of 490
Cyberoam User Guide
Gateway
The Appliance provides a powerful solution for routing and managing traffic across multiple Internet
connections. Designed to provide business continuity to an organization of any size, Multilink Manager
optimizes the use of multiple Internet links, such as T1s, T3s, DSL and cable connections from one or multiple
Internet service providers. Capable of automatic failover in the event of link failure, it helps to assure that your
network is always connected to the Internet.
It also gives you an option to configure multiple WAN interfaces to allow connecting your Appliance to more
than one Internet Service Provider (ISP).
When you configure multiple external interfaces, you have even have an option to control which interface an
outgoing packet uses.
Load Balancing
Load balancing is a mechanism that enables balancing traffic between various links. It distributes traffic among
various links, optimizing utilization of all the links to accelerate performance and cut operating costs. The
Appliance employs weighted round robin algorithm for load balancing to enable maximum utilization of
capacities across the various links.
Using link load balancing provides organizations a way to achieve:
Traffic distribution that does not overburden any link
Automatic ISP failover
Improved User performance because of no downtime
Increased bandwidth scalability
To achieve outbound traffic load balancing between multiple links:
configure links in active-active setup i.e. define gateways as Active
Assign appropriate weight to each gateway. Traffic is distributed across the links in proportion to the
ratio of weights assigned to individual link.
How it works
Load balancing is determined by the load metric also known as weight. Each link is assigned a relative weight
and the Appliance distributes traffic across links in proportion to the ratio of weights assigned to individual
link. This weight determines how much traffic will pass through a particular link relative to the other link.
Administrator can set weight and define how the traffic should be directed to providers to best utilize their
bandwidth investments. Weight can be selected based on:
Link capacity (for links with different bandwidth)
Link/Bandwidth cost (for links with varying cost)
Weighted load balancing feature enables Network Managers to optimize network traffic and balance the load
between multiple links/interfaces.
Gateway failover
Page 188 of 490
Cyberoam User Guide
Gateway failover provides link failure protection so that when one link goes down; the traffic is switched over
to the active link. This safeguard helps provide uninterrupted, continuous Internet connectivity to users. The
transition is seamless and transparent to the end user with no disruption in service without any downtime.
To achieve WAN failover between multiple links:
Configure links in Active-Backup setup
define Active gateway/interface
define Backup gateway/interface traffic through this link is routed only when active interface is down
define failover rule
In the event of Internet link failure, the Multilink Manager automatically sends traffic to available Internet
connections without administrator intervention. If more than one link is configured as backup link, traffic is
distributed among the links in the ratio of the weights assigned to them. On fail over, Backup Gateway can
inherit the parent gateways (Active Gateway) weight or can be configured.
Gateway Failback
During a link failure, the Appliance regularly checks the health of a given connection, assuring fast
reconnection when Internet service is restored. When the connection is restored and gateway is up again,
without the Administrators intervention, traffic is again routed through the Active gateway. In other words,
backup gateway fails back on Active gateway. The page also displays status as Active
or Deactive
of the each gateway and failover rule in case multiple gateways are configured. You can change the gateway
parameters, change gateway status, add or remove the failover rule, and view the data transfer done through
the gateway.
For Backup gateway, weight is NA while for Active gateway, the configured weight is displayed.
Manage Gateway list
To manage gateways, go to Network > Gateway.
Failover Rules Click the Edit icon
in the Manage column against the Gateway. Edit Gateway page
is displayed through which you can configure Failover rules.
View Data Transfer Click the graph icon
data transfer.
in the Manage column against the Gateway to view
Screen Manage Gateway
Page 189 of 490
Cyberoam User Guide
Screen Element
Description
IPv4 Gateway
Name
Name of the Gateway.
IP Address
IPv4 Address of Gateway.
Interface
IPv4 Address and Netmask of the Interface.
Type
Type of Gateway Active or Backup
Activate on Failure of
Activation condition, if Gateway is configured as Backup
Gateway.
Weight
Weight assigned to the Gateway.
For Active gateway, weight which is configured will be
displayed.
For Backup gateway, zero will be displayed when inactive
Status
Status of Gateway Active
NAT Policy
NAT policy assigned to the Gateway.
Edit Icon
Click
to Edit the Gateway
Data Transfer
Click
to view graph of data transfer.
or Deactive
IPv6 Gateway
Name
Name of the Gateway.
IP Address
IPv6 Address of Gateway.
Interface
IPv6 Address and Prefix of the Interface.
Type
Type of Gateway Active or Backup
Activate on Failure of
Activation condition, if Gateway is configured as Backup
Gateway.
Weight
Weight assigned to the Gateway.
For Active gateway, weight which is configured will be
displayed.
For Backup gateway, zero will be displayed when inactive
NAT Policy
NAT policy assigned to the Gateway.
Status
Status of Gateway Active
Edit Icon
Click
to Edit the Gateway
Data Transfer
Click
to view graph of data transfer.
or Deactive
Gateway Failover Timeout Configuration
Gateway Failover
Timeout
Configure the Gateway Failover timeout in seconds.
Page 190 of 490
Cyberoam User Guide
This is the time period for which Appliance waits before the
Gateway Failover occurs.
Default 60 seconds
Gateway Failover Timeout Input Range: 1 - 3600 seconds.
Table Manage Gateway screen elements
Updating Gateway Configurations
To edit gateway details, go to Network > Gateway > Gateway. Click Edit Icon
to modify the details of the gateway.
against the gateway
Screen Edit Gateway (Active Gateway)
Screen Edit Gateway (Backup Gateway)
Page 191 of 490
Cyberoam User Guide
Screen Element
Description
Gateway Detail
Name
Specify a name to identify the Gateway.
IP Address
Specify IP Address assigned to the Gateway.
Interface
Displays the IP Address and Netmask of the Interface.
Type
Specify Gateway Type.
Available Options:
Active Default gateway(s). Traffic will route through
active gateway(s). If there exists more than one active
gateway then the traffic will be load balanced between
these gateways depending upon their weight.
Backup A gateway that can be used in an
active/passive setup, where traffic is routed through
Backup gateway only when Active gateway is down.
Note
Weight
This option is only available when two or more Gateways
are configured.
Depending on the weight, gateway is selected for the load
balancing. Appliance distributes traffic across links in proportion
to the ratio of weights assigned to individual link.
This weight determines how much traffic will pass through a
particular link relative to the other link.
Gateways can be assigned weights from 1 to 100.
Note
When more than two gateways are configured and one
gateway goes down, the traffic is switched over to the
available gateways according to the ratio of the weights
assigned to the available gateways.
Backup Gateway (Only when Type is Backup)
Activate This
Gateway
Select Gateway Activation Condition: Automatically or Manually
Automatic failover
From the dropdown list specify when the backup gateway
should take over from active Gateway. This takeover process
will not require administrators intervention.
Page 192 of 490
Cyberoam User Guide
Available Options:
Specific Gateway Dropdown will list all the configured
gateways. Backup gateway will take over and traffic will
be routed through the backup gateway only when the
selected gateway fails.
ANY Backup gateway will take over and traffic will be
routed through backup gateway when any of the active
gateway fails
ALL Backup gateway will take over and traffic will be
routed through backup gateway when all the configured
active gateways fail
Manual failover
If you select Manually, Administrator will have to manually
change the gateway if the active gateway fails.
Action on Activation
Configure weight for the backup gateway. Appliance distributes
traffic across links in proportion to the ratio of weights assigned
to individual link. This weight determines how much traffic will
pass through a particular link relative to the other link.
Inherit weight of the failed active gateway - backup gateway to
inherit the parent gateways (Active gateway) weight
User pre-configured weight - Specify weight for the backup
gateway.
Table Edit Gateway screen elements
Page 193 of 490
Cyberoam User Guide
Configure Gateway Failover Rules
The transition from dead link to active link is based on the failover rule defined for the link. Failover rule
specifies:
how to check whether the link is active or dead
what action to take when link is not active
Failover rule has the form:
IF
Condition 1
AND/OR
Condition 2
then
Action
Depending on the outcome of the condition, traffic is shifted to any other available/backup gateway.
Ping rule gets automatically created for every gateway. The Appliance periodically sends the ping request to
check the health of the link and if it does not respond within the specified time, traffic is automatically sent
through another available link. Selection of the gateway and how much traffic is to be routed through each
gateway depends on number of configured active and backup gateways.
To configure Failover Rules, go to Network > Gateway > Gateway. Click the Edit Icon
Manage column against the Gateway.
in the
Screen - Configure Gateway Failover
Screen Add Gateway Failover Rule
Page 194 of 490
Cyberoam User Guide
Screen Element
IF Then Condition
Description
Specify communication Protocol as TCP or PING (ICMP).
Select the protocol depending on the service to be tested on the
host.
Specify port number for communication in case of TCP
communication.
IP Address
IP Address must be represented by the computer or Network
device which is permanently running or most reliable.
Condition
AND - all the conditions must be satisfied
OR - at least one condition must be satisfied
A request is sent to an IP Address. If IP Address does not
respond to the request, Appliance considers the IP Address as
unreachable.
Table Configure Gateway Failover screen elements
Page 195 of 490
Cyberoam User Guide
Viewing Data Transfer Activity through a Gateway
To configure failover rules, go to Network > Gateway > Gateway. Click the Data Transfer icon
in the Manage column against the Gateway to view the total data transferred through the gateway in the
graphical as well as tabular format.
Screen View Data Transfer
Screen Element
Description
Data Transfer Report for Default Gateway Period
Select the period from the available options for the Report of
Data Transfer through the Gateway.
Available Options:
Last Week
Last Month
Custom
Graph displays the upload, download and total data transfer
through Gateway.
X-axis Date (depending on the period selected)
Y-axis KB /MB/GB used.
Legends
Orange Color Upload Data Transfer (MB)
Purple Download Data Transfer (MB)
Page 196 of 490
Cyberoam User Guide
Green Color Total Data Transfer (MB)
Note
When the selected period is Custom, then the user can
select to view data of maximum last six (06) months. At a
time, maximum of thirty (30) days data will be displayed.
Table View Data Transfer screen elements
Page 197 of 490
Cyberoam User Guide
Static Route
A route provides the Appliance with the information it needs to forward a packet to a particular destination. A
static route causes packets to be forwarded to a destination other than the configured default gateway.
By specifying through which interface the packet will leave and to which device the packet should be routed,
static routes control the traffic exiting the Appliance.
Unicast
Multicast
Source Route
Unicast
The Unicast page displays list of all the configured IPv4 and IPv6 unicast routes. You can filter the list based
on IP address, gateway, interface, or distance. The page also provides option to update the route
configuration, and delete the route.
To manage unicast routes, go to Network > Static Route > Unicast.
Screen Manage Unicast Route
Screen Element
Description
Unicast Route (IPv4/IPv6)
IP/Netmask/Prefix
Destination Network IP Address (IPv4/IPv6) and the Subnet
Mask/Prefix.
Gateway
Destination Gateway IP Address.
Interface
Interface selected.
Distance
Distance between the source and the destination.
Table Manage Unicast Route screen elements
Page 198 of 490
Cyberoam User Guide
Unicast Route Parameters
To add or edit a unicast route, go to Network > Static Route > Unicast. Click the Add button to add
a new unicast route. To update the details, click on the unicast route or Edit icon
against the unicast route you want to modify.
in the Manage column
Screen Add IPv4 Unicast Route
Screen Add IPv6 Unicast Route
Screen Element
Description
Destination IP
Specify Destination IP Address.
Netmask (IPv4)
Specify Subnet Mask.
Prefix (IPv6)
Specify Prefix.
Gateway
Specify Gateway IP Address.
Interface
Select Interface from the list including Physical Interfaces, Virtual
Sub-interfaces and Aliases.
Distance
Specify Distance for routing. Range of value is from 0 to 255.
Table Add Unicast Route screen elements
Page 199 of 490
Cyberoam User Guide
Multicast
Configure and manage multicast routes from this page.
IP Multicast
Internet Protocol (IP) multicast is a bandwidth-conserving technology that reduces traffic by simultaneously
delivering a single stream of information to thousands of recipients and homes. IP Multicast delivers source
traffic to multiple receivers without adding any additional burden on the source or the receivers.
Applications like videoconferencing, corporate communications, distance learning, and distribution of
software, stock quotes, and news use IP multicasting.
If IP multicast is not used, the source is required to send more than one copy of a packet or individual copy
to each receiver. In such case, high-bandwidth applications like Video or Stock, in which data is to be sent
more frequently and simultaneously, use a large portion of the available bandwidth. In these applications, the
only efficient way of sending information to more than one receiver simultaneously is by using IP Multicast.
Multicast Group
Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving
a particular data stream. This group does not have any physical or geographical boundariesthe hosts can
be located anywhere on the Internet. Hosts that are interested in receiving data flowing to a particular group
must join the group. Hosts must be a member of the group to receive the data stream.
IP Multicast Addresses
Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive
traffic sent to this group.
IP Class D Addresses
The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. Multicast
addresses fall in Class D address space ranging from 224.0.0.0 to 239.255.255.255.
This address range is only for the group address or destination address of IP multicast traffic. The source
address for multicast datagrams is always the unicast source address.
Page 200 of 490
Cyberoam User Guide
Multicast forwarding
With multicast forwarding, a router forwards multicast traffic to networks where other multicast devices are
listening. Multicast forwarding prevents the forwarding of multicast traffic to networks where there are no
nodes listening.
For multicast forwarding to work across inter-networks, nodes and routers must be multicast-capable.
A multicast-capable node must be able to:
Send and receive multicast packets.
Register the multicast addresses being listened to by the node with local routers, so that multicast
packets can be forwarded to the network of the node.
IP multicasting applications that send multicast traffic must construct IP packets with the appropriate IP
multicast address as the destination IP Address. IP multicasting applications that receive multicast traffic must
inform the TCP/IP protocol that they are listening for all traffic to a specified IP multicast address.
Manage Multicast Route list
To manage multicast routes, go to Network > Static Route > Multicast.
Screen Manage Multicast Route
Page 201 of 490
Cyberoam User Guide
Screen Element
Description
Multicast Forwarding Setting
Click to enable multicast forwarding.
Enable Multicast
Forwarding
By default, Multicast Forwarding is disabled.
Manage Multicast Route
Source IP
Source IP Address.
Multicast IP
Range of IP Address selected for Multicast route.
Source Interface
Source Interface selected.
Destination Interface
Destination Interface selected.
Table Manage Multicast Route screen elements
Multicast Route Parameters
To add or edit a multicast route, go to Network > Static Route >Multicast. Click the Add button to
add a new multicast route. To update the details, click on the multicast route or Edit icon
column against the multicast route you want to modify.
in the Manage
Screen Add Multicast Route
Screen Element
Description
Source IPv4 Address
Specify Source IPv4 Address.
Source Interface
Select Source Interface from the list.
Multicast IPv4
Address
Specify range of Multicast
(224.0.2.0 - 239.255.255.255)
Destination Interface
Select Destination Interface from the list. You can select more than
one destination interface.
IPv4
Address.
For
example,
Click the checkbox against the interface.
Table Add Multicast Route screen elements
Page 202 of 490
Cyberoam User Guide
Source Route
A route provides the Appliance with the information it needs to forward a packet to a particular destination.
Source Routing is the technique by which the sender can explicitly mention the route through which the packet
travels.
The page displays list of all the IPv4 and IPv6 source routes. The page provides an option to add, update and
delete the existing routes.
To manage source routes, go to Network > Static Route > Source Route.
Screen Manage Source Routes
Screen Element
Description
Network
Network IP Address and the Subnet mask.
Gateway
Gateway IP Address.
Table Manage Source Routes screen elements
Parameters
To add or edit an explicit source route for packets, go to Network > Static Route > Source Route.
Click the Add button to add a new source route. To update the details, click on the source route or Edit icon
in the Manage column against the source route you want to modify.
Screen Add Source Route
Page 203 of 490
Cyberoam User Guide
Screen Element
Description
Gateway
Select the Gateway from the list.
Network ID/Prefix
Specify Network ID/Prefix (In case of IPv6 Addresses)
Netmask
Specify Subnet Mask.
Table Add Source Route screen elements
Page 204 of 490
Cyberoam User Guide
Dynamic Route
A route provides the Appliance with the information it needs to forward a packet to a particular destination. A
dynamic route causes the Appliance to get the packet information at run time using dynamic routing protocols
like RIP, OSPF, and BGP.
RIP
OSPF
BGP
PIM-SM
Routing Information
Page 205 of 490
Cyberoam User Guide
RIP
To configure RIP routes, go to Network > Dynamic Route > RIP.
Routing Information Protocol (RIP) is a widely used routing protocol that uses hop count to determine the best
route to a destination.
RIP avoids routing loops from continuing indefinitely by limiting the number of hops permitted between the
source and destination. The maximum number of hops supported is 15. Hence, if the hop count becomes 16,
it is known as an infinite distance and is considered as unreachable.
With the help of RIP protocol, the Appliance sends the routing update messages at regular intervals to the
next router. When the next router receives the changes, it updates them in the routing table and also increases
the metric value for the path by 1. The sender of the message is considered as the next hop. The Appliance
maintains only the route with the least metric value to a destination.
Screen Dynamic Route RIP
Page 206 of 490
Cyberoam User Guide
Screen Element
Description
Global Configuration
Default Metric
Specify the default metric value to be used for redistributed
routes.
Metric is a property that contains a value used by a routing
protocol to decide a particular route to be taken.
Default - 1
Acceptable Range - 1 - 16
Administrative
Distance
Specify the administrative distance.
Default - 120
Acceptable Range - 1 255
RIP Version
Select the RIP version to be used for sending and receiving the
updates.
Available Options:
Send V2 & Receive both
V1
V2
Timers
Update
Specify the time interval in seconds between two periodic
routing updates.
Default - 30 seconds
Acceptable Range (seconds) - 5 to 2147483647
Timeout
Specify the timeout time in seconds after which the route
becomes invalid.
Default - 180 seconds
Acceptable Range (seconds) - 5 to 2147483647
Garbage
Specify the garbage time.
Default - 120 seconds
Acceptable Range (seconds) - 5 to 2147483647
Default Information
Originate
Enable to control the distribution of default route.
Default - Disabled
Redistribute
Connected
Click to enable the redistribution of connected routes into RIP
routing table.
Page 207 of 490
Cyberoam User Guide
Specify metric for redistributed connected routes.
Acceptable Range - 0 to 16
Click to enable the redistribution of static routes into RIP routing
table.
Redistribute Static
Specify metric for redistributed static routes.
Acceptable Range - 0 to 16
Click to enable the redistribution of OSPF routes into RIP
routing table.
Redistribute OSPF
Specify metric for redistributed OSPF routes.
Acceptable Range - 0 to 16
Click to enable the redistribution of BGP routes into RIP routing
table.
Redistribute BGP
Specify metric for redistributed BGP routes.
Acceptable Range - 0 to 16
Network
Add
Click to add an RIP network.
Network
Displays the IP Address of the Network.
Netmask
Displays the netmask of the Network.
Edit
Edit the Network.
Delete
Delete the Network
Override Interface Configuration
Select Interface
Click to select an Interface.
Interface
Displays the configured interface.
Table Dynamic Route RIP screen elements
Adding RIP Networks
Click Add button under Networks to specify IPv4 Address network and subnet mask. You can also add,
update, or delete the networks from this page.
Screen Add RIP Network
Page 208 of 490
Cyberoam User Guide
Overriding Global Interface Configuration
Click Select Interface button under Override Interface Configuration to override the Interface configuration.
You can also add, update, or delete the Interface-specific configuration from this page.
Screen Override Interface Configuration
Screen Element
Interface
Description
Select the interface for which you want to override the default
configuration.
RIP Version
Send
Select the RIP version to be used for sending the routing
updates.
The RIP version can be V1 or v2 or v1 and v2 both. This
overrides the version selected in the Global Configuration
settings.
Default - V2
Receive
Select the RIP version to be used for receiving the routing
updates.
The RIP version can be V1 or V2 or V1 and V2 both. This
overrides the version selected in the Global Configuration
settings.
By default, it receives both V1 and V2
Split Horizon
Enable to prevent the routing loops.
Page 209 of 490
Cyberoam User Guide
Default - Disable
Poisoned Reverse
Enable to prevent the Appliance from sending packets through
the route that has become invalid.
Note
This option is available only after enabling Split Horizon.
Default Disable
Authentication
Click to enable authentication of RIP packets.
Provide password to authenticate the RIP packets.
Passive Mode
Enable to prevent
advertisements.
the
interface
from
sending
RIP
Default - Disable
Table Override Interface Configuration screen elements
Page 210 of 490
Cyberoam User Guide
OSPF
To configure OSPF routes, go to Network > Dynamic Route > OSPF.
Open Shortest Path First (OSPF) is an interior gateway protocol that multicasts the routing information to all
the hosts within a single network. It sends routing information to all the routers in the network by calculating
the shortest path to each router on the basis of the structure built up by each router.
OSPF allows sets of networks to be grouped together into what is known as areas. Area is a logical division
of a network. Each area maintains a separate database whose information may be summarized by the
connecting router. Hence, the topology of an area is not known to outside world. There are three types of
areas:
Backbone Area
Backbone area also known as area 0, distributes information between non-backbone areas. All other areas
in the network are connected to it and the routing between areas takes place using routers which are
connected to the backbone area as well as to their respective areas.
Stub Area
A stub area is an area that do not receive route advertisements external to the Autonomous System (AS),
which is a collection of networks under a common network operator that share same routing policy.
NSSA
A Not-so-stubby-area (NSSA) is a type of stub area that can import AS external routes in a limited amount.
Area Border Router
An Area Border Router (ABR) is a router that connects areas to the backbone network and maintains separate
routing information for each area that it is connected to. It has interfaces in more than one area with at least
one interface in backbone area.
Page 211 of 490
Cyberoam User Guide
Screen Dynamic Routing OSPF
Screen Element
Description
Global Configuration
Router ID
Specify a unique router ID.
Example: 12.34.5.66.
Advanced Settings
Default Metric
Specify the default metric value to be used for redistributed
routes.
Metric is a property that contains a value used by a routing
protocol to decide whether a particular route should be taken or
not.
Default - 1
Page 212 of 490
Cyberoam User Guide
Acceptable Range - 1 to 16777214
ABR Type
Select the type of Area Border Router (ABR).
Available Options:
Auto Cost Reference
Bandwidth (Mbits/s)
Standard:
CISCO
IBM
Shortcut
Specify cost reference to calculate the OSPF interface cost
based on bandwidth.
Default - 100Mbits/s
Acceptable Range - 1 to 4294967
Default Information
Originate
Select an option to control the distribution of default route.
Available Options:
Never
Regular On selecting regular provide the metric
and select the metric type.
Always On selecting regular provide the metric
and select the metric type.
Default - Never
Redistribute
Connected
Click to enable the redistribution of connected routes into OSPF
routing table.
Specify metric and metric type for redistributing connected
routes.
Acceptable Range - 0 to 16777214
Metric Type - External Type 1 or External Type 2.
Redistribute Static
Click to enable the redistribution of static routes into OSPF
routing table.
Specify metric and metric type for redistributing static routes.
Acceptable Range - 0 to 16777214
Metric Type - External Type 1 or External Type 2.
Redistribute RIP
Click to enable the redistribution of OSPF routes into OSPF
routing table.
Specify metric and metric type for redistributing RIP routes.
Page 213 of 490
Cyberoam User Guide
Acceptable Range - 0 to 16777214
Metric Type - External Type 1 or External Type 2.
Redistribute BGP
Click to enable the redistribution of BGP routes into OSPF
routing table.
Specify metric and metric type for redistributing BGP routes.
Acceptable Range - 0 to 16777214
Metric Type - External Type 1 or External Type 2.
Areas
Add
Click to add an OSPF Area.
Area
Displays the IP Address of the Area.
Type
Displays the type of OSPF Area Normal or Stub or Stub NoSummary or NSSA or NSSA No-Summary.
Authentication
Displays the type of authentication Text or MD5.
Area Cost
Displays the area cost
Virtual Links
Displays the virtual link for an area
Edit
Edit the area.
Delete
Delete the area.
Network
Add
Click to add an OSPF network.
Network
Displays the IP Address of the Network.
Netmask
Displays the netmask of the Network.
Area
Displays the IP Address of the Network.
Edit Icon
Edit the Network.
Delete
Delete the Network
Override Interface Configuration
Select Interface
Click to select an Interface.
Interface
Displays the configured interface.
Edit Icon
Edit the Interface.
Delete Icon
Delete the Interface.
Table Dynamic Routing OSPF screen elements
Page 214 of 490
Cyberoam User Guide
Adding OSPF Areas
Click Add button under Areas to add, update, or delete areas.
Screen Adding OSPF Areas
Screen Element
Description
Area
Specify IP Address for the area.
Type
Select the type of OSPF area.
Available Options:
Virtual Link
(Available only if
Normal area type is
selected)
Normal
Stub
Stub No-Summary
NSSA
NSSA No-Summary
Specify a virtual link for an area that does not have a physical
connection to connect to the backbone area.
Use Add icon
Virtual Links.
Authentication
and Remove icon
to add and remove the
Select the type of authentication from the options available.
Available Options:
Area Cost
Text
MD5
Specify the area cost.
Acceptable Range - 0 to 16777215
Table Adding OSPF Areas screen elements
Page 215 of 490
Cyberoam User Guide
Adding OSPF Networks
Click Add button under Networks to specify IPv4 Address network and subnet mask. You can also add,
update, or delete the networks from this page.
Screen Adding OSPF Network
Overriding Global Interface Configuration
Click Select Interface button under Override Interface Configuration to override the Interface configuration.
You can also add, update, or delete the Interface-specific configuration from this page.
Screen Overriding Global Interface Configuration
Screen Element
Description
Interface
Select the interface to be configured for OSPF.
Hello Interval
Specify the time interval after which the interface sends hello
packet to the neighbor router.
Default - 10 seconds
Acceptable Range (seconds) - 1 to 65535
Page 216 of 490
Cyberoam User Guide
Dead Interval
Specify the time interval after which the interface is declared as
dead.
Default - 40 seconds
Acceptable Range (seconds) - 1 to 65535
Retransmit Interval
Specify the time interval for retransmitting the link state
advertisements (LSA) to the interfaces neighbor.
Default - 5 seconds
Acceptable Range (seconds) - 3 to 65535
Transmit Delay
Specify the time in seconds needed to transmit a link state
update packet to the interface.
Default - 1 second
Acceptable Range (seconds) - 1 to 65535
Interface Cost
Specify Interface Cost.
Interface Cost can be provided either automatically by selecting
Auto or providing interface cost manually.
Acceptable Range (seconds) - 1 to 65535
Authentication
Select the type of authentication for authenticating the OSPF
packets.
Available Options:
Router Priority
Text If text is selected provide a password for
authentication.
MD5 If MD5 is selected provide Key ID and Key.
Key ID can be from 0 to 255.
Specify priority for a router.
Default - 1
Acceptable Range - 0 to 255
Table Overriding Global Interface Configuration screen elements
Page 217 of 490
Cyberoam User Guide
BGP
To configure BGP routes, go to Network > Dynamic Route > BGP.
Border Gateway Protocol (BGP) is a path vector protocol that contains path information, enabling the routers
to share routing information so that loop-free routes can be created. This protocol is generally used by ISPs.
BGP selects a single path from the multiple advertisements received from multiple sources for the same route.
When the path is selected, BGP puts it in the IP routing table and passes the path to its neighbor.
Screen Dynamic Routing BGP
Screen Element
Description
Global Configuration
Router ID
Specify router ID for BGP.
Example: 12.34.5.66.
Local As
Specify Local Autonomous System (AS) number.
Acceptable Range - 1 to 4294967295
Neighbors
Add
Click to add a BGP neighbor.
Neighbor
Displays the IP Address of the Neighbor.
Page 218 of 490
Cyberoam User Guide
Remote AS
Displays Remote AS number of the Neighbor.
Networks
Add
Click to add a BGP network.
Network
Displays the IP Address of the Network.
Netmask
Displays the Netmask.
Table Dynamic Routing BGP screen elements
Neighbors
Neighbors are the routers between which a TCP connection is established.
Click Add button under Neighbors to specify IPv4 Address of the neighbor router and AS number remoteas. You can also add, update, or delete the neighbors from this page.
Screen BGP Neighbors
Screen Element
Description
IPv4 Address
Specify IPv4 Address of the neighbor router.
Remote AS
Specify the remote AS number of neighbor.
Acceptable Range - 1 to 4294967295
Table BGP Neighbors screen elements
Networks
Click Add button under Networks to specify IPv4 Address network and subnet mask. You can also add,
update, or delete the networks from this page.
Screen BGP Networks
Page 219 of 490
Cyberoam User Guide
PIM-SM
To configure PIM, go to Network > Dynamic Route > PIM-SM.
Protocol Independent Multicast (PIM) is a protocol for routing IP packets efficiently to multicast groups that
may span throughout the internet. PIM provides dynamic multicast support on the appliance. With dynamic
multicast support, a host can join/leave a multicast group dynamically and there is no need to manually
add/delete multicast routing entries on the appliance.
Screen Dynamic Routing PIM-SM
Screen Element
Description
PIM-SM Configuration
Enable PIM
Enable PIM to provide dynamic multicast support on the
appliance.
PIM Enabled Interface
Select the physical interfaces on which PIM service needs to be
enabled.
To enable PIM, at least one interface has to be selected.
Note:
Only IPv4 bound interfaces can be selected.
RP Settings
Alias, PPPoE and WWAN interfaces are not supported.
Enable to configure Static or Candidate RP.
Available Options:
Page 220 of 490
Cyberoam User Guide
Static RP
Candidate RP
Static RP
Specify a unicast IP Address for Static RP. RPs can be added
or deleted.
RP IP
Maximum eight RP IP Addresses and maximum eight Multicast
Group Addresses per RP are allowed.
Multicast Group List
Specify Multicast Group IP address or Network Address
separated by comma that will be served by given RP.
Use * in Multicast Group List to serve all the Multicast Groups
by the defined RP.
Candidate RP
Candidate RP IP
Select interface IP that will be used as RP IP, if the router is
selected as candidate RP.
Multicast Group List
Specify Multicast Group IP address or Network Address
separated by comma that will be served by given RP.
Maximum eight Multicast Group IP/Network Addresses are
allowed.
Use * in Multicast Group List to serve all the Multicast Groups
by the selected RP.
Candidate RP Priority
Specify the priority of the PIM router in RP election process.
Default 1
Acceptable Range 1 to 255
Specify time in seconds after which at every specified time, RP
candidate messages are generated.
Timer
Default 60 seconds
Acceptable Range (seconds) 30 to 180
Table Dynamic Routing PIM screen elements
Note
Cyberoam supports PIM version2 and PIM-SM mode with Rendezvous Point (RP) selection method as
BSR (Bootstrap Router)
Routing Information
The Administrator can view various information and status of any dynamic routes configured using RIP, OSPF,
and BGP protocols. This overview of the dynamic route information will be useful for further configurations
and/or debugging.
Page 221 of 490
Cyberoam User Guide
RIP
Routes
Displays the entire routing configuration information and the routing table for an interface configured using
RIP protocol.
Codes and Sub-codes: Shows how the destination routing information is obtained.
Codes: R RIP, C connected, S Static, O OSPF, B BGP, K Kernel route
Sub-codes: (n) normal, (s) static, (d) default, (r) redistribute, (i) interface
Network: It is the IP Address and subnet mask of the destination.
Next Hop: It is an IP Address of the next hop routing device.
Metric: It is the number of routing devices (hop count) a packet must pass through to reach the
final destination.
From: Indicates the router (router IP Address) from which the metric is calculated to reach the
destination. If it is directly connected it will show self.
Tag: Indicates the method used for distinguishing between internal routes (learned by RIP) and
external routes learned from External Gateway Protocol (ERP) protocols.
0 indicates no tag attached to the route.
Time: Indicates the elapsed time after which the routing entry will be flushed from RIP table.
Status
Displays the RIP routing protocol process parameters and statistics.
Page 222 of 490
Cyberoam User Guide
Routing Protocol is rip: Indicates the routing protocol used.
Sending Updates: Indicates the time between sending updates.
Next due: Specifies when the next update is due to be sent.
Timeout after: Indicates the timeout interval for RIP route after which it is declared invalid and
removed from the routing table until the garbage-collect time expires.
Garbage collect: Indicates the time period during which the route metric is set to 16. If no updates
are received for the route before the expiry of garbage-collect timer, a route with metric 16 is
deleted from the routing table.
Outgoing update: Indicates whether the outgoing filtering list has been set.
Incoming update: Indicates whether the incoming filtering list has been set.
Default redistribution metric: Metric of routes that are redistributed from other routes
Redistribution: Indicates the information about redistributed of other protocols.
Default version control: Indicates the version of RIP packet that are sent and received.
Interface: Shows a RIP-enabled routing interface
send: Displays the version of RIP packets sent out to routing interface. The version is one of the
following: RIP1 or RIP2
recv: Displays the version of RIP packets accepted on routing interface. The version is one of the
following: RIP1, RIP2, Both
key-chain: Displayed the authentication key-chain name for the interface, if it is configured.
Routing for Network: Indicates the networks for which the routing process is currently injecting
routes.
Routing Information Sources: Indicates the routing sources used to build the routing table. For
each source, the following information is displayed.
Gateway: It is an IP Address of the next hop routing device.
Bad Packets: Indicates the number of bad packets received by router.
Bad Routes: Indicates the number of invalid routes from the router.
Distance Last Update: Indicates the time when the administrative distance was last updated.
Distance: Indicates the administrative distance. The distance displayed by default is 120.
Page 223 of 490
Cyberoam User Guide
OSPF
Border Routers
Displays the information about the internal OSPF routing table entries to an Area Border Router (ABR) and
Autonomous System Boundary Router (ASBR).
R: Indicates that the information is provided for route to a particular border router.
Network IP Address: Indicates the Router ID of the destination
Metric: It is the cost to reach the final destination.
Area: Indicates the Area Identifier of the outgoing interface.
Next Hop: It is the management IP Address of the next hop routing device.
Outgoing Interface: Indicates the name and IP Address of the outgoing interface to reach the
destination.
Routes
Displays the information about the internal OSPF routing table entries
Page 224 of 490
Cyberoam User Guide
N: Indicates that the information is provided for a network.
Network IP Address: Indicates the Router ID of the destination.
Metric: It is the cost to reach the final destination.
Area: Indicates the Area Identifier of the outgoing interface.
Next Hop: It is the management IP Address of the next hop routing device.
Directly attached: Indicates a network is directly connected to the interface.
Outgoing Interface: Indicates the name and IP Address of the outgoing interface to reach the
destination.
Database
Database shows the list of information related to the OSPF database summary for a specific router. Each
link-state database includes link-state an advertisement from throughout the areas to which router is attached.
Link ID: Indicates the ID of the link-state advertisement using which a router learns the route. In
other words, while a link-state advertisement describes a router, the link-state ID routers OSPF
router ID. It can be Networks IP Address or An address generated using the link-state ID
ADV Router: Indicates the advertising Router ID of the destination.
Age: Indicates the time, in seconds, since the LSA was generated.
Seq#: Link state sequence number (detects old or duplicate link-state advertisements)
Page 225 of 490
Cyberoam User Guide
CkSum: Fletcher checksum of the complete content of the link-state advertisement.
Link count: Number of interfaces detected for router.
Net Link States: It gives information about network LSA originated by DR (Designated Router)
Router Link States: It gives information about router LSA originated by every router
Summary Net Link States: Indicates the information about Summary LSA originated by ABRs
Neighbors
It provides neighbor information based on peer-interface relation.
Neighbor ID: Indicates the neighbor routers ID.
Pri: Indicates the router priority assigned to that neighbor.
State: Displays the conversation between router and neighbor, since the neighbor was created. It
can have one of the following values:
Down: Indicates the initial state of a neighbor conversation, that is, there has been no recent
information received from the neighbor.
Attempt: It is valid only for neighbors attached to non-broadcast networks. It indicates that there
has been no recent information received from the neighbor.
Init: Indicates a hello packet though has been received recently from a neighbor, the adjacency is
not two-way that is, a bi-directional communication has not yet been established with neighbor.
2-Way: Indicates that a bi-directional communication is established between the routers and the
neighbor has included the router ID in its hello message. The DR and BDR are elected from the
set of neighbors in 2-Way state or higher.
ExStart: Indicates that the two routers are going to synchronize and determine which router will
be Master and which the slave.
Exchange: Indicates that the two routers are describing their respective link-state database by
sending database description packets.
Loading: Indicates that a link-state request packets are sent to the neighbor, requesting for more
advertisement that have been discovered but are not yet received in Exchange state.
Full: Indicates both the routers have accomplished the exchange of all the relevant advertisements
and can now appear in router-link and neighbor-link advertisements.
Backup Indicates that the neighbor is backup designated router
Dead time: The wait time in seconds to receive a Hello message from OSPF neighbor before
assuming the neighbor is dead.
Address: The IP Address of the routers interface with the neighbor.
Interface: Indicates the IP Address of neighbor Interface
RXmtL: Indicates that the link-state retransmit count.
RqstL: Indicates that the link-state request count.
DBsmL: Indicates that the link-state summary count.
Page 226 of 490
Cyberoam User Guide
Interface
Displays OSPF interface information.
Interface Value: Indicates the status of the physical interface, that is, whether the interface is up
or down.
IfIndex: Indicates the value of interface index (IfIndex). IfIndex is an identification unique number
associated with an interface.
MTU: Indicates the Maximum Transmission Unit (MTU) value of the interface. MTU is the largest
physical packet size, in bytes, that a network can transmit. This parameter becomes an issue
when networks are interconnected and the networks have different MTU sizes. Any packets larger
than the MTU value are divided (fragmented) into smaller packets before being sent
BW: Indicates the bandwidth of the Interface.
Internet Address: Displays the IP Address of the Interface.
Network Type/IP Address: Indicates the type of the network along with the IP Address.
Area: Indicates the IP Address of the Area Identifier.
MTU mismatch detection: Indicates whether the MTU Mismatch detection is enabled or disabled.
If it is enabled, it would match the MTU of both the interfaces participating in Neighbor-ship
establishment.
Router ID: Indicates the identification number of the OSPF Router selected at the start of OSPF
process. The Router ID is unique within the OSPF Domain and does not change unless OSPF
restarts or is manually modified.
Network Type: Indicates the type of Network to which the OSPF interface is connected. A network
can be one of the following types:
Point-to-point: A point-to-point network can connect only two routers.
Page 227 of 490
Cyberoam User Guide
Point-to-Multipoint (non-broadcast): A point-to-multipoint network connects one router to several
other routers.
Broadcast: Indicates a network that supports broadcast. In broadcast network a single packet sent
(broadcasted) by a router is received by all the routers within the network.
Non Broadcast Multiple Access (NBMA) - Indicates that the network does not have capability to
broadcast or multicast. It is used to accurate model X.25 and frame-relay environment in multipleaccess network.
Cost: Displays the OSPF metric. It is calculated using formula:
108 / Bandwidth (in bits per seconds [bps])
where
108 - Reference Bandwidth
Bandwidth bandwidth of the interface in bps
Transmit delay: Indicates time the time in seconds for which the OSPF router waits before flooding
a link-state advertisement (LSA) over the link. The link state age is incremented by this value,
before transmitting an LSA. Default - 1 second.
State: Indicates current state of the specified interface. The state can be one of the following:
DR: The router is a designated router (DR) on the network.
BDR: The router is backup designated router (BDR) on the network.
DROTHER: The router is neither a DR nor a BDR on the network and it establishes adjacencies
only with the DR and the BDR.
Waiting: The interface router is in waiting to announce the state of the link as DR. The wait time
is determined by the wait time. This state is normal in case of non broadcast multi access network.
Point-to-Point: The interface in point-to-point state is fully functional and it starts exchanging hello
packets with all its neighbors.
Point-to-Multipoint: Indicates the interface to be point-to multipoint for ODPF.
Priority: Indicates the priority of the interface router. It assists in electing the DR and BDR on the
network to which the interface is connected. A router with priority value 0 can never be a DR/BDR.
Default - 1.
Designated Router ID: Indicates the DR router ID for the respective network.
Backup Designated Router ID: Indicates the BDR router ID for the respective network.
Saved Network-LSA sequence number: Indicates the networks link-state sequence number. It is
used to calculate shortest path first (SPF).
Multicast group membership: Indicates the multicast group for which the router is a member.
Timer intervals configured: Displays the value of following OSPF Timers:
Hello: Time interval in seconds that a router sends a hello packet.
Dead: Indicates the wait time in seconds before declaring a neighbor dead.
Wait: Displays the time interval that results the interface to exit out of the wait period and elect the
DR on the network.
Retransmit: Displays the wait time before re-transmitting a Database Description (DBD) packet if
it has not been acknowledged earlier.
Hello Due In - Specifies when the next Hello packet is due to be sent.
Neighbor Count: Indicates the total number of discovered neighbors on the interface.
Adjacent neighbor count: Indicates the total number of adjacent neighbors that are fully adjacent
to the interface.
Page 228 of 490
Cyberoam User Guide
BGP
Neighbors
Displays the information about the TCP and BGP peers connections and number of routes
advertised/neighbor to/from that peer.
BGP Neighbor: Indicates IP Address of the BGP neighbor
Remote AS: Indicates the AS number of the neighbor router.
Local AS: Indicates the value of the configured Local Autonomous Systems (AS).
Internal/External Link: Displays internal links for internal BGP (iBGP) neighbors and external
link for external BGP (eBGP).
BGP Version: Indicates BGP version used for communication with remote router.
Remote Router ID: Indicates router ID (IP Address) of the neighbor router.
BGP State: Indicates the Finite State Machine (FSM) stage. It describes what action should be
taken by the BGP routing engine and when for session negotiation.
Last Read: Displays the time, since BGP router the last received a message from neighbor. The
time is displayed in HH:MM:SS format.
Hold Time: Displays the time in seconds, until which the BGP will maintain the session with the
neighbor without receiving any message from it.
Keepalive Interval: Displays the time interval in seconds specifying how often BGP router sends
the keep-alive message to the neighbor.
Message Statistics: Indicates the statistics organized by message type.
Page 229 of 490
Cyberoam User Guide
InQ: Indicates the number of messages that are in queue, pending to be processed from the
neighbor.
OutQ: Indicates the number of messages that are in queue, pending to be sent to the neighbor
Sent: Indicates the number of messages sent to the neighbor.
Received: Indicates the number of messages received from the neighbor.
Opens: Indicates the total number of open messages sent and received.
Notifications: Indicates the total number of error notification messages sent and received.
Updates: Indicates the total number of update messages sent and received.
Keepalives: Indicates the total number of keep-alive messages sent and received.
Route Refresh: Indicates the total number of route refresh messages sent and received.
Capability: Indicates the total number of BJP capabilities advertised and received from the
neighbor.
Total: Indicates the total number messages sent and received.
Minimum Time between advertisement runs: Displays the time in seconds between the sent
advertisements.
For Address Family: Indicates the IP Address family.
Community attribute sent to this neighbor: Indicates the numerical value of BGP community. This
numerical value is assigned to a specific prefix and advertised to neighbor, based on which it decides
the whether to filter or modify attributes.
Accepted Prefix: Indicates the number of accepted prefixes that can participate in a BGP peer
session.
Connections established: Indicates the number of times a TCP and a BGP connection has been
established successfully.
Dropped: Indicates the number of times valid session failed or been taken down.
Last reset: Displays the time since the previously established session with neighbor ended.
Local host and Local port: Displays the IP Address and port number of local BGP router.
Foreign host and Foreign port: Displays the IP Address of Neighbor and BGP destination port
number.
Nexthop: It is the management IP Address of the next hop routing device.
Next connect timer due in: Specifies when the next hello packet is due to be sent to the BGP
neighbor.
Read Thread: Indicates if the Read Thread is ON or Off.
Write Thread: Indicates if the Write Thread is ON or Off.
Page 230 of 490
Cyberoam User Guide
Routes
Displays the entire routing configuration information and the routing table for an interface configured using
BGP protocol.
BGP Table Version: Indicates the table version number. The version number is updated with any
change in the BGP table.
Local Router ID: Indicates the IP Address of the router.
Status codes and Origin codes: Shows how the destination routing information is obtained.
Status codes: A Status code indicates the status of the table entry and is displayed at the
beginning of each line in the table. Status code value can be one of the following: s suppressed,
d damped, h history, * valid, > best, i internal, r Routing Information Base (RIB)-failure, S
Stale, R Removed
Origin codes: An Origin code indicates the origin of the entry and is displayed at the end of each
line in the table. Origin code value can be one of the following: i Interior Gateway Protocol (IGP),
e Exterior Gateway Protocol (EGP), ? incomplete/path not clear.
Network: It is the IP Address and subnet mask of the destination.
Next Hop: It is the management IP Address of the next hop routing device. 0.0.0.0 indicates the
router has noon-BGP routes to the network.
Metric: It is the value of inter autonomous system metric.
LocPrf: Indicates Local preference value.
Local Preference is one of the methods to change the path taken by one Autonomous System (AS) to
reach to another AS.
Local Preference value indicates to AS about the path that has local preference, and one with the highest
preference being preferred.
Weight: Indicates the route weight as set via autonomous system filters. If there exist more than
one path to a particular IP Address, then a path with highest weight is selected.
Path: Indicates the Autonomous system path to the destination network.
Total number of prefixes: Indicates the total number of prefixes/networks.
Page 231 of 490
Cyberoam User Guide
Summary
Displays the status of all the BGP connections details like, path, prefixes and attributes information about all
the connections to BGP neighbors.
BGP Router Identifier: Router ID of the BGP Router
Local AS Number: Indicates the local Autonomous System number to which this router belongs.
RIB entries: Indicates the number of routing information entries in RIB
Memory: Indicates the memory used by RIB entry(ies)
Peer: Indicates the number of neighbor with which the connection is established.
Memory: Indicates the memory used by neighbor entries.
Neighbor: Indicates the IP Address of the neighbor.
V: Indicates BGP version number provided to the neighbor.
Local Preference is one of the methods to change the path taken by one Autonomous System (AS) to
reach to another AS.
Local Preference value indicates to AS about the path that has local preference, and one with the highest
preference being preferred.
AS: Indicates autonomous system number.
MsgRcvd: Indicates the number of messages received from the neighbor.
MsgSent: Indicates the number of messages sent to the neighbor.
TblVer: Indicates the last version of the BGP database that was sent to the neighbor.
InQ: Indicates the number of messages that are in queue, pending to be processed from the
neighbor.
OutQ: Indicates the number of messages that are in queue, pending to be sent to the neighbor.
Up/Down: Indicates the total time of a BGP session to remain in Established state, or the current
status of BGP session, if it is not in established state.
State/PfxRcd: Indicates the state of the neighbor and the number of prefixes received.
Total number of neighbors: Indicates the total number of neighbors.
PIM
Interface Table
Displays all the PIM enabled interfaces and the neighbor information of each interface.
Page 232 of 490
Cyberoam User Guide
Multicasting Routing Table
Displays the information of the multicast groups joined. The information includes the source address, multicast
group address, the incoming interface from which packets are accepted, list of outgoing interfaces to which
packets are sent, PIM timers, flag bits etc.
RP SET
Displays RP set information which is a collection of group-to-RP mappings. This information is used to
determine the RP for a multicast group and is maintained by a PIM router.
Page 233 of 490
Cyberoam User Guide
DNS
The Domain Name System (DNS) is a system that provides a method for identifying hosts on the Internet
using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember
numeric IP Addresses. In other words, it translates domain names to IP Addresses and vice versa.
The DNS server is configured at the time of installation. You can add additional IP addresses of the DNS
servers to which the Appliance can connect for name resolution. If multiple DNS are defined, they are queried
in the order as they are entered.
To configure DNS, go to Network > DNS > DNS.
Screen Configure DNS
Parameters
Screen Element
Description
DNS List
IPv4
Obtain DNS from
DHCP
Click Obtain DNS from DHCP to override the Appliance DNS with
the DNS address received from DHCP server.
Page 234 of 490
Cyberoam User Guide
Option is available if enabled from Network Configuration Wizard
or if a DHCP interface is configured.
Obtain DNS from
PPPoE
Click Obtain DNS from PPPoE to override the Appliance DNS
with the DNS address received from PPPoE server.
Option is available if enabled from Network Configuration Wizard
or if a DHCP interface is configured.
Static DNS
Select to provide static IPv4 DNS server address.
A maximum three static DNS IPv4 Addresses can be provided.
IPv6
DNS
Provide static IPv6 address of DNS server.
A maximum three static DNS IPv6 addresses can be provided.
DNS Query Configuration
Choose server
based on incoming
requests record type
Select to choose the DNS server to be used for resolving the
domain name on the basis of the incoming requests record type.
Incoming request can be of A or AAAA.
Choose IPv6 DNS
server over IPv4
Select to first choose IPv6 DNS server for resolving the DNS and
then IPv4 DNS Server.
If both IPv6 and IPv4 DNS servers are configured, then it first
selects IPv6 DNS server for all requests followed by IPv4 DNS
server.
Choose IPv4 DNS
server over IPv6
Select to first choose IPv4 DNS server for resolving the DNS and
then IPv6 DNS Server.
If both IPv6 and IPv4 DNS servers are configured, then it first
selects IPv4 DNS server for all requests followed by IPv6 DNS
server.
Choose IPv6 if
request originator
address is IPv6, else
IPv4
Select to choose IPv6 DNS server if request is received from IPv6
or choose IPv4 DNS server, if request is received from IPv4.
Apply
Click to apply the configured settings.
Test Name Lookup
Click and provide IP Address or host name for testing the
connectivity with the DNS server.
Page 235 of 490
Cyberoam User Guide
Table Configure DNS screen elements
Page 236 of 490
Cyberoam User Guide
DNS Host Entry
The DNS Host Entry page displays the list of all the configured host entries. You can filter list based on
Host/Domain name. The page provides the option to add, update, or delete the entries.
To manage DNS Host Entry, go to Network > DNS > DNS Host Entry.
Screen Manage DNS Host Entries
Screen Element
Description
Name of the Host/Domain.
Host/Domain
Name
IP Address Displays the IP Address of Host/Domain.
IP Address
TTL (Time To Live)(Seconds) Time until which the
Host/Domain is valid for the DNS client.
Weight Displays the weight for load balancing the traffic.
Publish on WAN Displays whether the DNS Host Entry is
published on WAN Yes or No.
Displays if Reverse DNS Lookup is enabled for Host/Domain.
Reverse DNS
Lookup
Table Manage DNS Host Entries
Adding a DNS Host Entry
To add or edit a DNS Host Entry, go to Network > DNS > DNS Host Entry. Click the Add button to add a DNS
Host Entry. To update the details, click on the DNS Host Entry or Edit icon
the DNS Host Entry you want to modify.
in the Manage column against
Screen Add DNS Host Entry screen elements
Page 237 of 490
Cyberoam User Guide
Screen Element
Host/Domain
Name
Description
Enter a Fully Qualified Domain Name (FQDN) for Host/Domain.
Address
Entry Type
Select DNS Host Entry type.
Available Options:
Manual Manually enter the IP address for the host
Interface IP Configure Interface as host
Maximum Entries Per Host- 8
IP Address
Specify the IP Address of Host/Domain or select an Interface IP
depending on the option selected for Entry Type.
Time To Live
(Seconds)
Specify TTL in seconds.
Default - 60 Seconds
Weight
Specify weight for load balancing the traffic. distributes traffic
across the links in proportion to the ratio of weights assigned to
individual link.
This weight determines how much traffic will pass through a
particular link relative to the other link.
Default - 1
Publish on WAN
Enable to publish DNS Host Entry on WAN.
Default - Disabled
Reverse DNS
Lookup
Enable to allow reverse DNS lookup.
If there are multiple hosts resolving to same IP Address than
Reverse DNS Lookup can be configured only for one of the
multiple IP Address.
Table Add DNS Host Entry screen elements
Note
Only A and PTR type of DNS records are supported i.e. host/domain's IP Address and reverse lookup.
Address (A) record - points a hostname to an IP Address and returns a 32-bit IPv4 address.
AAAA record - points a hostname to an IP Address and returns a 128-bit IPv6 address.
Pointer records (PTR) - are just the reverse of A records and are used for reverse lookups. It maps IP
Address to a hostname.
Maximum number of DNS entries allowed is 1024.
If the Appliance interface is used as a DNS in client system then, a query is sent to configured DNS servers
prior to querying the ROOT severs.
Page 238 of 490
Cyberoam User Guide
Address Assignment for IPv6 Devices
IPv6 Clients are assigned IP Address through:
DHCP for IPv6
Similar to IPv4, IPv6 can also use DHCP to assign IP Addresses to any clients. Cyberoam can be configured
to be a stateful DHCP server. DHCP server is responsible for assigning the IP Address to the client and for
keeping a record of all clients and the IPv6 Address assigned to them.
Stateless Address Auto-Configuration (SLAAC)
The IPv6 protocol supports address auto configuration for stateless addresses. IPv6 devices automatically
create unique link-local addresses for IPv6 enabled interfaces and clients use Router Advertisement
messages to automatically configure their own IP Address.
Page 239 of 490
Cyberoam User Guide
Router Advertisement
The Appliance acting as a router has the ability to participate in Stateless Auto Configuration (SLAAC) and
by default provides IPv6 Address and a default gateway to the client.
When the Appliance interface is connected to a network and enabled, the host may send out an ICMPv6 (type
135) Router Solicitation (RS) message that requests Cyberoam to immediately generate Router
Advertisement (RA) instead of their next scheduled time. On receiving the RS message, the Appliance
immediately sends an ICMPv6 (type 134) Router Advertisement (RA) message announcing about its
availability. Router Advertisements includes the information about which method to be used for address
assignment, prefixes that are utilized for on-link determination and/or address configuration, hop limit value,
several flag status, etc. The critical parameters can be administered centrally and could be automatically
propagated to all hosts on the network. The Appliance advertises information about various interfaces and
the Internet parameters either periodically or in response to RS message, informing all the nodes on the
network about any modification in addressing information. Thus Router Advertisement (along with prefix flags)
allows simple stateless auto configuration and guides a host about generating an address using autoconfiguration.
Configuring Router Advertisement Settings for an Interface
Screen Router Advertisement Settings
Screen Element
Interface
Description
Select an interface for router advertisement.
All IPv6 enabled physical interfaces, LAG, VLAN and Bridge
interfaces can be selected.
Description
Provide description for the interface to be selected for router
advertisement.
Min Advertisement
Interval
Specify the minimum time interval in seconds between two
consecutive unsolicited router advertisement messages sent to
the clients.
Acceptable Range (Seconds) - 3 to 1350
Default - 198 seconds
Page 240 of 490
Cyberoam User Guide
If the Maximum Advertisement Interval is 9 seconds or above,
then the Minimum Advertisement Interval must be:
0.75 * Maximum Advertisement Interval
Max Advertisement
Interval
Specify the maximum time interval in seconds between two
consecutive unsolicited router advertisement messages sent to
the clients.
Acceptable Range (Seconds) - 4 to 1800
Default - 600 seconds
Managed Flag
Select to set the Manage Flag. When this flag is set, IPv6
addresses are obtained from DHCPv6 server.
The option must be selected only if a DHCPv6 Server is
available.
By default, this flag is not selected.
Other Flag
Select to set the Other Flag. When this flag is set, DHCPv6
client obtains other network parameters like DNS server,
Domain Name, NIS, NISP, SIP, SNTP, BCMS servers from
DHCPv6 server.
The option must be selected if a DHCPv6 Server is available.
Default Gateway
Select to use Cyberoam as default gateway for communication
with client
Life Time Specify the time in seconds for Router
Advertisement to be used as a default gateway at client end.
The value specified should be between the value specified for
Max Advertisement Interval and 9000 seconds.
Default - 1800 seconds
Prefix Advertisement
Configuration
Prefix Advertisement includes zero or more prefix options
containing information that the default gateway advertises. This
information is used by stateless address auto configuration to
auto-generate a global IPv6 Address.
Prefix Advertisement has its own list of attributes:
Prefix / 64 - Provide first 64 bits of the IPv6 Address.
Page 241 of 490
Cyberoam User Guide
The interface uses this prefix information from the Router
Advertisement message to determine last 64 bits (interface
identifier) of its 128-bit IPv6 Address.
The first 64 bits (higher order bits) of IPv6 Address so provided,
specifies the network, while the remaining specify a particular
address in the network. Hence IPv6 Addresses in one network
have same first 64 bits and are called prefix.
On-link - Select to set the prefix to be On-link. With attribute
On-link set, the devices with IPv6 Addresses that are within
this prefix are reachable on the subnet without a need of router.
By default, this flag is set
Autonomous - Select to set the prefix attribute Autonomous.
On being set, the global IPv6 Address is automatically
generated by appending 64 bit interface identifier to prefix
(prefix /64) advertised in the Prefix Information.
Only those prefixes that has Autonomous flag set gets a
Stateless Address Auto Configuration (SLAAC) IPv6 Address.
Default Set
Preferred Life Time - Specify the time in minutes for a valid
address to remain in the preferred state. The use of preferred
address is unrestricted.
On expiry of the valid life time, the preferred address becomes
deprecated. The use of the deprecated address must be
avoided, however it is not forbidden and can be continued to be
used as source address for existing communication.
The IPv6 Address will continue to remain in Preferred state as
long as it is refreshed by prefixes in Router Advertisement or by
any other means or are renewed by DHCPv6.
Acceptable Range (Seconds) - 0 to Infinite
Default - 240 minutes
Specify the attribute value as -1 for infinite preferred life time.
Valid Life Time - Specify the time in minutes for an address to
remain in the valid state.
Page 242 of 490
Cyberoam User Guide
This value determines the time for an address to be in valid
state. Until the time expires, the prefix is considered to be onlink and auto-configured addresses using the prefix can be
used.
On expiry of the valid life time, the IPv6 Address becomes
invalid and cannot be used to send or receive traffic.
Note
The value of attribute Valid Life Time must be greater
than or equal to value of Preferred Life Time.
Acceptable Range (Seconds) - 0 to Infinite
Default - 1440 minutes
Specify the attribute value as -1 for infinite valid life time.
Use
and
icons to add or remove a prefix.
Advanced Settings
Using Network Discovery Protocol (NDP) the devices on the same interface
discovers the presence of each other and the respective link-layer addresses
finds gateway routers and maintains the reachability information about the active
paths to the peers.
Link MTU
Specify the Maximum Transmission Unit (MTU) in bytes for the
packets sent on this interface.
Default - 0
Acceptable Range - 1280 to 1500 bytes
If link MTU is set to zero, the information will not be advertised
by the interface.
Reachable Time
Specify the reachable time in seconds that the client will use to
assume a neighbor is reachable after having received a
reachability confirmation message.
Default 0
Acceptable Range (Seconds) - 0 to 3600
Retransmit Time
Specify the retransmission time in seconds that the client will
use to determine how long it should wait before retransmitting
neighbor solicitation messages.
Default 0
Page 243 of 490
Cyberoam User Guide
Acceptable Range (Seconds) - 0 to 60
Hop Limit
Specify the hop limit value.
This value determines the number of hops that a packet is
limited to. The hop value is decremented by each router along
the route. On reaching zero, the packet is destroyed.
Default 64
Acceptable Range - 0 to 255
Table Router Advertisement Settings screen elements
Page 244 of 490
Cyberoam User Guide
DHCP
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP Address for the hosts on a network
reducing the Administrators configuration task. Instead of requiring administrators to assign, track and change
(when necessary) for every host on a network, DHCP does it all automatically. Furthermore, DHCP ensures
that duplicate addresses are not used.
The Appliance acts as a DHCP server and assigns a unique IP Address to a host, releases the address as
host leaves and re-joins the network. Host can have different IP Address every time it connects to the network.
In other words, it provides a mechanism for allocating IP Address dynamically so that addresses can be reused.
Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and
therefore all the computers on the segment can listen and respond to these broadcasts. But things get
complicated when there is more than one subnet on the network. This is because the DHCP broadcast
messages do not, by default, cross the router interfaces.
The DHCP Relay Agent allows to place DHCP clients and DHCP servers on different networks. Relay Agent
makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of
these types of messages. The DHCP Relay Agent enables DHCP clients to obtain IP Addresses from a DHCP
server on a remote subnet, or which is not located on the local subnet. If DHCP Relay Agent is not configured,
clients would only be able to obtain IP Addresses from the DHCP server which is on the same subnet.
Server
Lease
Relay
Page 245 of 490
Cyberoam User Guide
DHCP Server
Each internal Interface can act as a DHCP server. You can disable or change this DHCP Server configuration.
The Appliance cannot act as DHCP server and DHCP Relay Agent simultaneously. Hence, if the Appliance
is configured as DHCP server, you will not be able to configure it as a Relay agent and vice-versa.
Manage DHCP Server list
The DHCP Server page displays a list of all the configured DHCP servers and you can filter this list based on
IP Family. The page also provides option to add a new server, update parameters of existing servers, or
remove the DHCP server settings.
To manage DHCP servers, go to Network > DHCP > Server.
Screen Manage DHCP Servers
Screen Element
Description
Name
DHCP Server Name.
Interface
Internal interface Port C or Port A (LAN or DMZ).
Lease Detail
Type of Lease Static or Dynamic
Also, displays the IP Address range for Dynamic Lease type and
MACIP Mapping list for Static Lease type.
IP Family
Displays the IP Family IPv4 Address or IPv6 Address.
Table Manage DHCP Server screen elements
Page 246 of 490
Cyberoam User Guide
Configuring Interface as DHCPv4 Server
To add or edit a DHCP server, go to Network > DHCP > Server. Click the Add button to add a DHCP server.
To update the details, click on the DHCP server or Edit icon
server you want to modify.
in the Manage column against the DHCP
Screen Add IPv4 DHCP Server
Screen Element
Description
General Settings
Name
Specify a name to identify DHCP server uniquely.
Interface
Select any internal interface to set it as DHCPv4 server. DHCP
service can be configured on virtual sub-interface but cannot be
configured on Interface alias.
Dynamic IP Lease
Specify range of IP Address from which DHCP server must
assign to the clients and subnet mask for the IP Address range.
It is also possible to configure multiple IP range for a same
interface. You can provide multiple IP range for the DHCP
Server.
Use icon
Static IP MAC
Mapping
and icon
to add or delete the range.
If you always want to assign specific IP Addresses to some or
all clients, you can define static MAC Address to IP Address
Page 247 of 490
Cyberoam User Guide
mappings. For defining, MAC-IP mapping, you should know the
MAC Address of the clients network card. The MAC Address is
usually specified in a hexadecimal digits separated by colons
(for example, 00:08:76:16:BC:21). Specify host name, MAC
Address and IP Address. You can provide multiple MAC-IP
mappings for the DHCP Server.
Use icon
and icon
to add or delete the MAC-IP mapping.
Subnet Mask
Select subnet mask for the server.
Domain Name
Specify domain name that the DHCP server will assign to the
DHCP Clients.
Gateway
Enable to use Interface IP as Gateway.
Specify IP Address for default Gateway or click Use Interface
IP as Gateway.
Default Lease Time
Specify default lease time and maximum lease time.
Default - 1440 minutes
Acceptable Range - 1 to 43200 minutes (30 days).
Specify maximum lease time. DHCP client must ask the DHCP
server for new settings after the specified maximum lease time.
Max Lease Time
Default - 2880 minutes
Acceptable Range - 1 to 43200 minutes (30 days).
Conflict Detection
Enable IP conflict detection to check the IP Address before
leasing. If enabled the already leased IP Address will not be
leased again
DNS Server
Use Appliances DNS
Settings
Click to use Appliance DNS Server. In this case the first two
configured DNS will be utilized.
If not enabled, then provide Primary and Secondary DNS to be
used.
Primary DNS
Specify IP Address of Primary DNS server.
Secondary DNS
Specify IP Address of Secondary DNS server.
WINS Server
Primary WINS Server
Specify IP Address of Primary WINS server.
Secondary WINS
Server
Specify IP Address of Secondary WINS server.
Table Add IPv4 DHCP server screen elements
Page 248 of 490
Cyberoam User Guide
Configuring Interface as DHCPv6 Server
Screen Add DHCPv6 Server
Screen Element
Description
General Settings
Name
Enter a name to identify DHCPv6 server uniquely.
Interface
Select any internal interface to set it as DHCPv4 server. DHCP
service can be configured on virtual sub-interface but cannot be
configured on Interface alias.
Dynamic IP Lease
Specify range of IPv6 Address from which DHCP server must
assign to the clients and subnet mask for the IPv6 Address
range. It is also possible to configure multiple IPv6 range for a
same interface.
You can provide multiple IP range for the DHCP Server.
Click icon
Static IP DUID
Mapping
and icon
to add and delete the range.
If you always want to assign specific IP Addresses to some or
all clients, you can define static DUID Address to IP Address
mappings. For defining, DUID-IP mapping, you should know the
DHCP Unique Identifier (DUID) of the client. The DUID Address
is usually specified in groups of two hexadecimal digits
separated by colons.
Page 249 of 490
Cyberoam User Guide
Specify host name, DUID and IP Address. You can provide
multiple DUID-IP mappings for the DHCP Server.
Use icon
and icon
to add or delete the DUID-IP mapping.
Specify the preferred time. Preferred time should be less than
valid time.
Preferred Time
Default - 540 minutes
Acceptable Range - 1 to 43200 minutes
Specify the valid time.
Valid Time
Default - 720 minutes
Acceptable Range - 1 to 43200 minutes
DNS Server
Use Appliances DNS
Settings
Click to use Appliance DNS Server. In this case the first two
configured DNS will be utilized.
If not enabled, then provide Primary and Secondary DNS to be
used.
Primary DNS
Specify IPv6 Address of Primary DNS server.
Secondary DNS
Specify IPv6 Address of Secondary DNS server.
Table Add DHCPv6 server screen elements
Page 250 of 490
Cyberoam User Guide
DHCP Lease
The Appliance acting as a DHCP server assigns or leases an IP Address from an address pool to a host
DHCP client. The IP Address is leased for a determined period of time or until the client relinquishes the
address. The page displays a list of all the IP Addresses leased dynamically and you can filter list based on
Leased IP, or Client Physical Address.
IPv4 Address
The following information is displayed for the leased IPv4 addresses:
Leased IP Address
Lease start and end time
Client Physical Address
Client Host Name
Leased Type
IPv6 Addresses
The following information is displayed for the leased IPv6 addresses:
Leased IP Address
Lease start and end time
Client Physical Address
DUID
List will display IP Addresses leased dynamically only
Screen Lease DHCP Server
Page 251 of 490
Cyberoam User Guide
DHCP Relay
The DHCP Relay Agent allows place DHCP clients and DHCP servers on different networks. Deploying DHCP
in a single segment network is easy. All DHCP messages are IP broadcast messages, and therefore all the
computers on the segment can listen and respond to these broadcasts. But things get complicated when there
is more than one subnet on the network. This is because the DHCP broadcast messages do not, by default,
cross the router interfaces.
The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not
support forwarding of these type of messages. The DHCP Relay Agent enables DHCP clients to obtain IP
Addresses from a DHCP server on a remote subnet, or which is not located on the local subnet. If DHCP
Relay Agent is not configured, clients would only be able to obtain IP Addresses from the DHCP server which
is on the same subnet.
Note
DHCP Relay and Server cannot be configured at the same time.
The DHCP Relay page displays list of all the interfaces configured as a relay agent and you can filter the list
based on relay agent name and IP Family. The page also provides option to add a new relay agent, update
parameters, or delete an agent.
Manage DHCP Relay Agent list
To manage DHCP relay agents, go to Network > DHCP > Relay.
Screen Manage DHCP Relay Agent
Screen Element
Description
Interface
Internal Interface which is configured as Relay Agent.
DHCP Server IP
DHCP Server IP Address.
IP Family
Displays the IP Family IPv4 Address or IPv6 Address.
Table Manage DHCP Relay Agent screen elements
Page 252 of 490
Cyberoam User Guide
Configuring an Interface as a DHCP Relay Agent
To add or edit a DHCP relay agent, go to Network > DHCP > Relay. Click the Add button to add a relay
agent. To update the details, click on the relay agent or Edit icon
agent you want to modify.
in the Manage column against the relay
Screen Add DHCP Relay Agent
Screen Element
Description
Name
Enter a name to identify DHCP Relay Agent.
IP Family
Select the IP Family for DHCP Relay Agent.
Available Options:
IPv4
IPv6
Interface
Select internal interface.
Each internal Interface can act as a DHCP Relay Agent. The
Appliance cannot act as a DHCP server and DHCP Relay Agent
simultaneously. Hence if the Appliance is configured as a DHCP
Relay Agent, you will not be able to configure it as a server and
vice-versa.
DHCP Relay agent can be configured on virtual sub-interface
but cannot be configured on Interface alias.
DHCP Server IP
Specify the DHCP Server IP Address.
DHCP requests arriving on the interface selected in above step
will be forwarded to this DHCP server.
Relay through IPSec
(Only if IP Family is
IPv4)
Click to enable Relay through IPSec.
Page 253 of 490
Cyberoam User Guide
Table Add DHCP Relay Agent screen elements
ARP-NDP
TCP/IP uses ARP (Address Resolution Protocol) protocol to translate IPv4 Address into MAC Address
(physical network address). In other words, it maps layer 3 (IPv4 Addresses) to layer 2 (physical or MAC
Addresses) to enable communications between hosts residing on the same subnet. Similarly to translate IPv6
Addresses, NDP (Neighbor Discovery Protocol) is used.
ARP is used by hosts that are directly connected on a local network and uses either or both unicast and
broadcast transmissions directly to each other. Host finds the physical address of another host on its network
by sending an ARP query packet that includes the IP Address of the receiver. As a broadcast protocol, it can
create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache
is maintained to store and reuse previously learned ARP information.
NDP in IPv6 is similar to ARP in IPv4. The main purpose of both the protocols is to enable a host (node) to
determine the link layer address (MAC Address) of the node it wants to communicate with, in the local network
and to find out the link layer address of the router through which it can access a node in an external network.
Thus, the actual exchange of messages can take place between the two nodes. Apart from neighbor
discovery, NDP functionality includes router discovery, neighbor presence, redirects, network options (as in
DHCP options) and stateless auto-configuration. Similar to ARP, NDP is also susceptible to flooding and
poisoning attacks.
NDP has Neighbor solicitations analogous to ARP request and Neighbor Advertisements analogous to ARP
replies. Unsolicited neighbor advertisements in IPv6 correspond to gratuitous ARP replies in IPv4. Static
Neighbor configuration protects the Neighbor cache for trusted or vulnerable nodes in the network. Static
Neighbor Discovery helps in not making solicit request for configured entries and ignores any incoming solicit
or advertised ND for configured entries.
Page 254 of 490
Cyberoam User Guide
Neighbors
ARP and NDP traffic is vital communication on a network and is enabled on Appliance interfaces by default.
Static Neighbor entry allows binding of the MAC Address to the designated IP Address and port. Once the
MAC Address is bound to a port and IP Address, the Appliance will not update its Neighbor table dynamically
and will not respond to that IP-MAC pair on any other port. It will also remove any dynamically cached
references to that IP Address that might be present, and will not allow additional static mappings of that IP
Address.
These entries will be stored in Static Neighbor as well as IPv4 and IPv6 Neighbor Cache table. The Appliance
performs the neighbor lookup in the static neighbor table when it receives the request on a particular port. If
there is any mismatch in IP Address or MAC Address, the Appliance considers it as a neighbor poisoning
attempt and does not update its Neighbor Cache. If entry is not available in the table, the Appliance will look
it up in the IPv4 or IPv6 Neighbor Cache and add the MAC Address to Neighbor Cache if required.
Consider an example when IP1 is mapped with MAC1 and IP1-MAC1 pair is bounded to Port A. Similarly IP2
is mapped with MAC1 and IP2-MAC1 pair is bounded to Port A.
IP Address
MAC
Address
Port
Neighbor poisoning
attempt
IP1
MAC1
No
IP1
MAC1
Any other
than Port A
IP1
MAC2
Yes
IP1
MAC2
Any Other Port
Yes
IP3
MAC1
No static ARP
No
IP2
MAC1
No
IP2
MAC1
Any other
than Port A
Port
Port
Yes
Yes
Table Showing an example of having IPs having bounded MAC and Port addresses.
Neighbor Configuration
The Appliance maintains 3 (three)types of tables for ARP entries: Static Neighbor table, IPv4 Neighbor Cache
and IPv6 Neighbor Cache.
IPv4/IPv6 Neighbor Cache table
IPv4/IPv6 Neighbor Cache table stores static and dynamic Neighbor entries. Static Neighbor entries are
defined by Administrators and are permanent while dynamic Neighbor entries are the learned entries and are
updated dynamically. Such dynamic entries can be flushed by clicking on the Flush button.
Go to System > ARP-NDP > Neighbors and select IPv4 Neighbor Cache or IPv6 Neighbor Cache
to view the large number of Neighbor entries. Page allows navigating and managing the Neighbor entries in
Page 255 of 490
Cyberoam User Guide
all the three tables. Select the table type from the dropdown list to view the Neighbor entries in the respective
table. It lists IP Address, MAC Address, interface and type of the entry. Entry type can be static or dynamic.
If everything is working properly with Neighbor, dynamic Neighbor entry will be displayed as Complete,
Dynamic. Complete, Dynamic means both MAC and IP values are there in the table while Incomplete,
Dynamic means that the Neighbor request was sent but no reply has yet been received.
Screen ARP Configuration
Screen Element
Description
Neighbor Configuration
Specify time interval after which the entries in the cache should
be flushed.
Neighbor Cache
Entry Time Out
Default - 2 minutes
Input range - 1 to 500 minutes
Flush the IPv4/IPv6 Neighbor cache whenever the host IP
Address on the network changes. As the IP Address is linked to
a physical address, it can change but can still be associated
with the physical address in the IPv4/IPv6 Neighbor Cache.
Flushing the IPv4/IPv6 Neighbor Cache allows new information
to be gathered and stored in the IPv4/IPv6 Neighbor Cache.
Log Possible
Neighbor Poisoning
Attempts
Enable to log the poisoning attempts.
Table ARP Configuration screen elements
Page 256 of 490
Cyberoam User Guide
Static Neighbor
Manage Static ARP list
Manage Static ARP in Appliance; go to Network > ARP-NDP > Neighbor.
Screen Static Neighbor Cache
Screen Element
Description
IP Family
Displays the IP Family for DHCP Relay Agent IPv4 or IPv6.
IP Address
IP Address (Ipv4/IPv6) of the host.
MAC Address
Physical Address of the host.
Interface
Physical Interface of the host.
Table Static Neighbor Cache
Static Neighbor Parameter
To Manage Static ARP in , go to Network > ARP-NDP > Neighbor.
Screen Add Static Neighbor
Screen Element
IP Family
Description
Select the IP Family for DHCP Relay Agent.
Available Options:
Page 257 of 490
Cyberoam User Guide
IPv4
IPv6
IPv4/IPv6 Address
Specify IPv4/IPv6 Address of the host outside the firewall.
MAC Address
Specify the MAC Address of the host
Interface
Specify the physical Interface. Port A, Port B, Port C or Port D
Add as Trusted MAC
entry in Spoof
Prevention
If enabled, adds MAC/IP pair in the trusted MAC list.
By default, it is enabled.
Table Add Static Neighbor screen elements
Page 258 of 490
Cyberoam User Guide
ARP-NDP Cache
Manage ARP Cache list
To Manage ARP Cache in Appliance, go to Network > ARP-NDP > Neighbor.
Screen ARP Cache Configuration
Screen Element
Description
IP Address
IP Address of the host.
MAC Address
Physical Address of the host.
Interface
Physical Interface of the host.
Type
Type of ARP Table.
Edit Icon
Edit the Static ARP.
Delete Button
Delete the Static ARP.
Table ARP Cache Configuration screen elements
Page 259 of 490
Cyberoam User Guide
Dynamic DNS
Dynamic DNS (Domain Name Service) is a method of keeping a static domain/host name linked to a
dynamically assigned IP Address allowing your server to be more easily accessible from various locations on
the Internet.
Powered by Dynamic Domain Name System (DDNS), you can now access your Appliance by the domain
name and not the dynamic IP Address. DDNS will tie a domain name (for example, myAppliance.com, or
mycompany.myAppliance.com) to your dynamic IP Address.
Manage Dynamic DNS list
The Appliance supports following Dynamic DNS providers:
DynDNS
ZoneEdit
EasyDNS
DynAccess
Cyberoam
The page displays list of all the configured DDNS and also provides an option to add, update or delete the
configuration.
To manage Dynamic DNS, go to Network > Dynamic DNS > Dynamic DNS.
Screen Manage Dynamic DNS
Screen Element
Description
Name
Displays the name of the Host on DDNS server.
Interface
External Interface selected.
Service Provider
Service Provider with whom Hostname is registered.
Last Updated IP
Recently updated IP Address.
Last Updated Status
Recently updated Status.
Last Updated Time
Time of the recent update.
Failure Reason
Reason for failure.
Table Manage Dynamic DNS
Page 260 of 490
Cyberoam User Guide
Configuring Dynamic DNS
Prerequisite:
Registered Account with any of the following Dynamic DNS providers:
DynDNS
ZoneEdit
EasyDNS
DynAccess
To add or edit DDNS, go to Network > Dynamic DNS > Dynamic DNS. Click the Add button to add
a DDNS. To update the details, click on the DDNS name or Edit icon
DDNS you want to modify.
in the Manage column against the
Screen Add DDNS Account
Screen Element
Description
Host Details
Host Name
Specify a name to identify the host that you want to use on the
DDNS server. It is the domain name that you registered with
your DDNS service provider for example cyber.com
In case you are configuring DynAccess as a Service Provider,
provide host name in the following format:
<accountname>.dynaccess.com.
Page 261 of 490
Cyberoam User Guide
In case you are configuring Cyberoam as a Service Provider,
provide host name in the following format:
<host name>.ddns.cyberoam.com
For example, mycompany.ddns.cyberoam.com
Interface
Select External Interface. IP Address of the selected interface
will be bound to the specified host name
IP Address
Select IPv4 Address source: Port IP or NATed Public IP.
IP Edit Checking
Interval
Specify the time interval after which Cyberoam should check
and edit the IP Address of your server if changed.
Default - 20 minutes
Acceptable Range - 4 to 60 minutes
For example, if time interval is set to 10 minutes, after every 10
minutes, Cyberoam will check for any changes in your server IP
Address.
Service Providers Details
Service Provider
Select Service provider with whom you have registered your
hostname.
In case you are configuring Cyberoam as a Service Provider,
login name and password is not required.
Login Name
Specify your DDNS accounts Login name.
In case you are configuring DynAccess as a Service Provider,
provide host name in the following format:
<accountname>.dynaccess.com.
Provide login name as accountname.
Password
Specify your DDNS accounts Password.
Table Add DDNS Account screen elements
Page 262 of 490
Cyberoam User Guide
Identity
Once you have deployed the Appliance, default access policy is automatically applied which will allow
complete network traffic to pass through the Appliance. This will allow you to monitor user activity in your
Network based on default policy.
As the Appliance monitors and logs user activity based on IP Address, all the reports are also generated
based on the IP Address. To monitor and log user activities based on User names or log on names, you have
to configure the Appliance for integrating user information and authentication process. Integration will identify
access request based on User names and generate reports based on Usernames.
When the user attempts to access, the Appliance requests a user name and password and authenticates the
users credentials before giving access. User level authentication can be performed using the local user
database on the External ADS server, LDAP or RADIUS server.
To set up user database:
Integrate ADS, LDAP or RADIUS, if external authentication is required.
Configure for local authentication.
Register user
Authentication
Groups
Users
Guest Users
Policy
Live Users
Page 263 of 490
Cyberoam User Guide
Authentication
The Appliance provides policy-based filtering that allows defining individual filtering plans for various users of
your organization. You can assign individual policies to users (identified by IP Address), or a single policy to
a number of users (Group).
The Appliance detects users as they log on to Windows domain in your network via client machines. Users
are allowed or denied access based on username and password. In order to authenticate user(s), you must
select at least one database against which the Appliance should authenticate users.
To filter Internet requests based on policies assigned, the Appliance must be able to identify a user making a
request.
Administrator can configure authentication based on the type of Administrator, Firewall, VPN and SSL VPN
with multiple servers.
Authentication Server
Firewall
VPN
Admin
Page 264 of 490
Cyberoam User Guide
Authentication Server
The Appliance supports user authentication against:
an Active Directory
an LDAP server
an RADIUS server
an internal database defined in the Appliance
User authentication can be performed using local user database, RADIUS, LDAP, Active Directory or any
combination of these.
Local Authentication
The Appliance provides a local database for storing user and group information. You can configure the
Appliance to use this local database to authenticate users and control their access to the network. Choose
local database authentication over ADS, LDAP or RADIUS when the number of users accessing the network
is relatively small. Registering dozens of users and groups takes time, although once the entries are in place
they are not difficult to maintain. For networks with larger number of users, user authentication using ADS,
LDAP or RADIUS servers can be more efficient.
A combination of external and local authentication is useful in large networks where it is required to provide
guest user accounts for temporary access while a different authentication mechanism like RADIUS for VPN
and SSL VPN users provides better security as password is not exchanged over the wire.
Administrator can configure up to twenty authentication servers. In case of multiple servers, authentication
request will be forwarded as per the server order configured in the Server Priority list.
External Authentication Servers can be integrated with the Appliance for providing secure access to the users
of those servers. The external authentication servers support IPv4 and IPv6 Addresses. You can configure
following external servers:
Active Directory
LDAP Server
RADIUS Server
The page displays list of all the configured external servers. The page provides option to add a server, update,
or delete the server settings. Page also provides option to import AD user groups in case Active Directory is
configured.
Page 265 of 490
Cyberoam User Guide
Manage Authentication Servers
To manage external authentication servers, go to Identity > Authentication > Authentication
Server.
Screen Manage External Authentication Server
Screen Element
Description
Name
Name of the Server.
IP
IP Address (IPv4/IPv6) of the server.
Port
Port through which the server communicates.
Type
Type of Server ADS, LDAP or RADIUS.
Domain/Admin
Domain/Admin Name for the ADS Server.
Import Icon
Import the Authentication Server.
Table Manage External Authentication Server
Page 266 of 490
Cyberoam User Guide
Configuring External Authentication Server
1. Configuring Active Directory Server Settings
ADS integration feature allows the Appliance to map the users and groups from ADS for the purpose of
authentication. This enables the Appliance to identify the network users transparently. Appliance
communicates with Windows Directory Services Active directory (AD) to authenticate user based on groups,
domains and organizational units.
Whenever the existing user(s) in ADS logs on for the first time after configuration, user is automatically created
in the Appliance and assigned to the default group. If the Groups are already created in the Appliance, User(s)
will be created in the respective Groups i.e. the ADS User Groups will be mapped to the Appliance User
Groups. In case user is already created and there is a change in expiry date or group name, user will be
logged in with the changes.
ADS Authentication Process
User has to be authenticated by the Appliance before accessing any resources controlled by the Appliance.
This authentication mechanism allows users to access using their Windows authentication tokens (login/user
name and password) in the Windows-based directory services.
User sends the log on request/user authentication request to ADS and ADS authenticates user against the
directory objects created in ADS. Once the user is authenticated, Appliance communicates with ADS to get
these additional authorization data such as user name, password, user groups, and expiry date as per the
configuration, which is used to control the access.
Note
If ADS is down, the authentication request always returns with Wrong username/password message.
To configure and manage ADS, go to Identity > Authentication > Authentication Server. You
can:
Configure Configure ADS Server to communicate with the Appliance
Import AD Group Click Import icon
in the Manage column against the ADS Server for which you
want to import the Active Directory Group.
NetBIOS Name, FQDN and Search DN The details of NetBIOS Name, FQDN and Search DN is
available from the ADS server.
To configure ADS, go to Identity > Authentication > Authentication Server. Click Add Button
and select the server type as Active Directory to add a server. To update the details, click on the Server or
Edit icon
in the Manage column against the AD server you want to modify.
Page 267 of 490
Cyberoam User Guide
Screen Add Active Directory Server
Screen Element
Description
Server Type
Select the Active Directory Service. If a user is required to
authenticate using ADS, Appliance needs to communicate with
ADS server for authentication.
Server Name
Specify name to identify the server.
Server IP
Specify ADS server IP Address(IPv4/IPv6) or Domain Name.
Port
Specify Port number through which the server communicates.
Default 389.
NetBIOS Domain
Specify NetBIOS Domain for ADS server.
ADS Username
Specify username for the user with Administrative privileges for
ADS server.
Password
Provide Password for the user with Administrative privileges for
ADS server.
Connection Security
Select the type of security to be implemented on the established
connection. It provides a method to login to the external server
by sending the username and password in encrypted format
instead of clear text. We strongly recommend using the
encryption method to protect user credentials.
Page 268 of 490
Cyberoam User Guide
Available Options:
Simple Select to send the user credentials in un-encrypted
or clear text format. The default port number is TCP 389.
SSL Select to login to external server. This is the most
common method used for secured connection. The default
port number is TCP 636.
STARTTLS Select to use same port for simple connection
as well as secured connection. In case of the latter, the
connection is switched to TLS for security. The default port
is 389.
Default Simple
Validate Server
Certificate (For
Secured Connection
SSL, STARTTLS)
Select to validate the certificate of the external server.
Integration Type
Select implementation type of Integration. Integration type is
used in setting the user group membership. It provides an
added layer of protection by authenticating user based on the
group membership apart from authentication attribute.
By default the certificate is not validated.
Available Options:
Loose integration With loose integration,
Administrators require to manage the User Groups
themselves. Administrator can modify the group
membership. The Appliance does not synchronize
groups with the AD Server automatically when user logs
into the Appliance.
By default, users are the members of the Appliance default
group irrespective of the AD Server group. Appliance uses
authentication attribute for authenticating users with AD
Server.
Tight integration With tight integration, Appliance
synchronizes groups with AD Server every time the user
logs in. The group membership of each user is as defined
in the AD Server. Hence, even if the group of a user is
changed in the Appliance, on subsequent log on attempt,
user logs on as the member of the same group as
configured in AD Server.
If the user is a member of multiple AD groups, the
Appliance decides the user group based on the order of
the groups defined in the Appliance. The Appliance
searches group list from top to bottom to determine the
membership. The first group that matches is considered
as the group of the user and that group policies are
applied to the user.
Page 269 of 490
Cyberoam User Guide
Screen Tight Integration
Display Name Attribute Specify the alias to be displayed
for the configured ADS to the user.
Email Address Attribute It is the alias that is displayed to
the user for the configured Email Address.
Default Email Attribute mail.
Domain Name
Specify the Domain name to which the query is to be added.
Search Queries
Click the Add button to enter the search query. Use the Move
Up and Move Down buttons to move the search queries in the
list.
If you do not know search DN, refer to NetBIOS name, FQDN
and Search DN.
Test Connection
Click to check the connectivity between ADS and Appliance. It
also validates Active Directory user credentials.
Table Add Active Directory Server screen elements
Note
Whenever the existing user(s) in ADS logs on, user is automatically created in Appliance and assigned to
the default group.
If the Groups are already created in the Appliance, Users are created in the respective Groups and the ADS
User Groups will be mapped to the Appliance User Groups.
In case user is already created and there is a change in expiry date or group name, user will be logged in with
the changes.
Note
Connection to ADS is enabled automatically during Active Directory setup, but as ADS server is used for
authenticating users it is necessary to check whether the Appliance is able to connect to ADS or not.
Page 270 of 490
Cyberoam User Guide
Importing AD User Group
Once you have configured and added AD details select Identity
Authentication Server and click Import Group icon
to be imported. Follow the on-screen steps:
>
Authentication
>
against the AD server from which AD groups are
Step 1. Specify Base DN. Appliance fetches AD Groups or OU Groups from the specified Base DN.
Page 271 of 490
Cyberoam User Guide
Screen Define Base DN
Page 272 of 490
Cyberoam User Guide
Step 2. Select the AD Groups or OU Groups to be imported in the Appliance. Use <Ctrl> + Click to select
multiple groups.
If you import OU then OU will also be imported as a Group in the appliance. Once the OU is imported, OU is
listed on the Manage Groups page in the format for example, OU=Marketing,DC=Cyberoam,DC=com where
OU=<ou name as defined in AD>,DC=<DC as defined in AD>.
The Appliance will not allow importing those groups which are already in the Appliance.
Screen Select AD Groups to Import
Page 273 of 490
Cyberoam User Guide
Step 3. Select various policies (Surfing Quota, QoS, Web Filter, Application Filter, Data transfer and SSL
VPN) and user authentication time out to be applied on the group members. All the security policies can be
applied on OU group also.
Same policy is attached to all the imported groups. If you want to specify different policies for different groups,
do not enable the policy.
For example, if you want to specify different Internet policy to different groups, do not enable Attach to all the
Groups.
Screen Define policies for the Groups
Page 274 of 490
Cyberoam User Guide
Step 4. If common policies are not to be applied, specify policies to be applied to each group.
Screen Define specific policy for a Group
Page 275 of 490
Cyberoam User Guide
Step 5. View the summary of the groups and policies to be imported. You can also go back and change the
configuration.
Screen Groups imported and specific policies attached to specific Group
Page 276 of 490
Cyberoam User Guide
Step 6. View Results page displays successful message if groups are imported and policies are successfully
attached else appropriate error message will be displayed. Once you close the Wizard, it remains on the
Authentication Server page only. All the imported groups are appended at the end of the list.
Screen Groups imported and common policies attached successfully
If the user is a member of multiple AD groups, the Appliance will decide the user group based on the order of
the groups defined in the appliance. Appliance searches the Group ordered list from top to bottom to
determine the user group membership. The first group that matches is considered as the group of the user
and that group policies are applied to the user.
User belonging to OU will be a member of OU group in Cyberoam. Group priority will depend on the group
sequence implemented in Cyberoam.
Importing OU is supported only when Active Directory is tightly integrated with CyberoamOS.
Page 277 of 490
Cyberoam User Guide
NetBIOS Name, FQDN and Search DN
On the ADS server:
Go to Start > Programs > Administrative Tools > Active Directory Users and
Computers
Right Click the required domain and go to Properties tab
Search DN will be based on the FQDN. In the given example FQDN is google.com and Search DN will
be DC=google, BC=com
Page 278 of 490
Cyberoam User Guide
2. Configure LDAP Authentication Settings
When Appliance is installed in Windows environment with LDAP server, it is not necessary to create users
again in the Appliance. The Appliance provides a facility to automatically create user(s) on first log on.
Whenever the LDAP users logs on for the first time after configuration, user is automatically created in the
Appliance and is assigned to the default group.
This reduces Administrators burden of creating the same users in the Appliance.
User has to be authenticated by Appliance before granting access to the Internet. Appliance sends the user
authentication request to LDAP and LDAP server authenticates user as per supplied tokens. User can log on
using their Windows authentication tokens (login/user name and password).
Configure LDAP Server
To configure LDAP, go to Identity > Authentication > Authentication Server. Click Add Button
and select the server type as LDAP to add a server. To update the details, click on the Server or Edit icon
in the Manage column against the LDAP server you want to modify.
Screen Add LDAP Server
Screen Element
Description
Server Type
Select LDAP Server. If the user is required to authenticate using
an LDAP server, Appliance needs to communicate with LDAP
server for authentication.
Server Name
Specify a name to identify the server.
Server IP / Domain
Specify LDAP Server IP Address (IPv4/IPv6) or Domain Name.
Port
Specify Port number through which Server communicates.
Default 389
Version
Select LDAP version. For example, 2
Page 279 of 490
Cyberoam User Guide
Anonymous Login
Disable if identity (username and password) and authentication
of Administrator is required to log on to the LDAP server to
retrieve information. If disabled, specify a domain or local
administrator username and password to log on to the LDAP
server.
If Anonymous Login is enabled, you connect as the anonymous
user on LDAP server and there is no need to supply username
and password.
Connection Security
Select the type of security to be implemented on the established
connection. It provides a method to login to the external server
by sending the username and password in encrypted format
instead of clear text. We strongly recommend using one of the
encryption method to protect user credentials.
Available Options:
Simple Select to send the user credentials in unencrypted format i.e. clear text. The default port number
is TCP 389.
SSL Select to login to external server. This is the most
common method used for secured connection. The
default port number is TCP 636.
STARTTLS Select to use the same port for simple
connection as well as secured connection. In case of the
latter, the connection is switched to TLS for security. The
default port is 389.
Default Simple
Validate Server
Certificate (For
Secured Connection
SSL, STARTTLS)
Select to validate the certificate on the external server.
Client Certificate (For
Secured Connection
SSL, STARTTLS)
Select a client certificate from the list to establish a secured
connection.
By default, the certificate is not validated.
By default, the Appliance Certificate is used.
Base DN
Specify the base distinguished name (Base DN) of the directory
service, indicating the starting point for searching user in the
directory service. If you are not aware about Base DN, click Get
Base DN to retrieve the base DN.
The top level of the LDAP directory tree is the base, referred to
as the "Base DN". A base DN usually takes one of the three
forms: Organization name, Companys Internet Domain name
or DNS domain name. For example dc=google, dc=com
Authentication
Attribute
Set authentication attribute. It is the attribute used to perform a
user search.
Page 280 of 490
Cyberoam User Guide
By default, LDAP uses Unique Identification (UID) attribute to
identify user entries. If you want to use a different attribute (such
as a given name), specify the attribute name in this field.
Integration Type
Select implementation type of Integration. Integration type is
used in setting the user group membership.
It provides an added layer of protection by authenticating user
based on the group membership apart from authentication
attribute. One needs to configure both Group Name attribute
and authentication attribute for authentication. Group
membership of each User and expiry day as defined in LDAP
server.
Available Options:
Loose integration With loose integration, Administrators
require to manage the User Groups themselves.
Administrator can modify the group membership. The
Appliance does not synchronize groups with LDAP Server
automatically when user logs into the Appliance.
By default, users are the member of Appliance default group
irrespective of LDAP Server group. Appliance uses
authentication attribute for authenticating users with LDAP
Server.
Tight integration With tight integration, Appliance
synchronizes groups with LDAP Server every time the user
logs in. The group membership of each user is as defined in
the LDAP Server. Hence, even if the group of a user is
changed in Appliance, on subsequent log on attempt, user
logs on as the member of the same group as configured in
LDAP Server.
If the user is a member of multiple LDAP groups, the
Appliance decides the user group based on the order of the
groups defined in the Appliance. searches group list from
top to bottom to determine the membership. The first group
that matches is considered as the group of the user and that
group policies are applied to the user.
Screen Tight Integration
Page 281 of 490
Cyberoam User Guide
Display Name Attribute Specify the alias to be
displayed for the configured ADS to the user.
Email Address Attribute It is the alias that is displayed to
the user for the configured Email Address. By default, the
Email Address Attribute is mail.
Group Name Attribute Specify the alias to be
displayed to the user for the configured Group Name.
Expire Date Attribute Specify the attribute to be
displayed to the user against which the expiry date is
configured.
Test Connection
Click to check the connectivity between LDAP and Appliance. It
also validates LDAP user credentials.
Table Add LDAP Server screen elements
Note
Whenever the existing user(s) in LDAP logs on, user is automatically created in the Appliance and
assigned to the default group.
If the Groups are already created in the Appliance, Users are added in the respective Groups and the LDAP
User Groups are mapped to Appliance User Groups.
Page 282 of 490
Cyberoam User Guide
3. Configure RADIUS Server Settings
RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices
to authenticate users against a central database. In addition to user information, RADIUS can store technical
information used by network devices such as protocols supported, IP Addresses, telephone numbers, routing
information, and so on. Together this information constitutes a user profile that is stored in a file or database
on the RADIUS server.
RADIUS servers provide authentication, authorization, and accounting functions but the Appliance uses only
the authentication function of the RADIUS server.
Before you can use RADIUS authentication, you must have a functioning RADIUS server on the network.
Configure RADIUS Server
To configure RADIUS, go to Identity > Authentication > Authentication Server. Click Add Button
and select the server type as RADIUS to add a server. To update the details, click on the Server or Edit icon
in the Manage column against the RADIUS server you want to modify.
Screen Add RADIUS Server
Screen Element
Description
Server Type
Select RADIUS Server. If user is required to authenticate using
a RADIUS server, Appliance needs to communicate with
RADIUS server for authentication.
Server Name
Specify name to identify the RADIUS Server.
Server IP
Specify RADIUS Server IP Address (IPv4/IPv6).
Authentication Port
Specify Port number through which Server communicates.
Default 1812
Page 283 of 490
Cyberoam User Guide
Enable RADIUSbased Accounting
Select to enable accounting on RADIUS server.
Appliance sends following information to the RADIUS server as
soon as the user logs in:
Accounting Start Request
User logon time
Appliance sends following information to the RADIUS server
the moment the user logs out:
Accounting Stop Request
User log out time
Supported Client Types: Windows Client, HTTP Client, Linux
Client, Android, iOS, iOS HTTP Client, Android HTTP Client,
API Client.
Note: Accounting stop message is not sent to RADIUS server
when Cyberoam shuts down or reboots.
Accounting Port
Specify RADIUS port number through which the appliance can
communicate with RADIUS.
Shared Secret
Provide share secret, which is to be used to encrypt information
passed to the Appliance.
Integration Type
Select Integration type. Integration type is used in setting the
user group membership.
Select Tight Integration with the Appliance if you want to use
vendor specific attribute for setting the user group membership
and specify group name attribute.
Available Options:
Loose integration With loose integration, Administrators
require to manage the User Groups themselves.
Administrator can modify the group membership. The
Appliance does not synchronize groups with RADIUS
Server automatically when user logs into the Appliance.
By default, users are the member of Appliance default group
irrespective of RADIUS Server group. Appliance uses
authentication attribute for authenticating users with
RADIUS Server.
Tight integration With tight integration, Appliance
synchronizes groups with RADIUS Server every time the
user logs in. The group membership of each user is as
defined in the RADIUS Server. Hence, even if the group of
a user is changed in Appliance, on subsequent log on
attempt, user logs on as the member of the same group as
configured in RADIUS Server.
Page 284 of 490
Cyberoam User Guide
If the user is a member of multiple RADIUS groups, the
Appliance decides the user group based on the order of the
groups defined in the Appliance. Appliance searches group
list from top to bottom to determine the membership. The
first group that matches is considered as the group of the
user and that group policies are applied to the user.
Group Name Attribute
Specify the name to be displayed to the user for the
configured Group Name.
Test Connection
Button
Click to check the connectivity between RADIUS and
Appliance. It also validates RADIUS user credentials.
Table Add RADIUS Server screen elements
Note
Whenever the existing user(s) in RADIUS logs on, user is automatically created in Appliance and assigned
to the default group.
If the Groups are already created in the Appliance, Users are created in the respective Groups and the
RADIUS User Groups will be mapped to the Appliance User Groups.
Page 285 of 490
Cyberoam User Guide
Firewall
To configure and manage authentication settings for Firewall, go to Identity > Authentication >
Firewall.
Screen Firewall Authentication
Page 286 of 490
Cyberoam User Guide
Parameters
Screen Element
Description
Authentication Methods
Authentication Server
List
Select Authentication server.
Authentication Server List displays all the configured servers
while Selected Authentication Server List displays servers that
will be used for authentication when user tries to login.
In case of multiple servers, authentication request will be
forwarded as per the order configured in the Selected
Authentication server List.
Default Group
Select the default group for Firewall authentication.
Global Settings
Maximum Session
Timeout
Specify timeout duration in minutes.
Acceptable Range (Minutes) 3 to 1440
Authentication Session timeout is the time in minutes a user is
logged into the Appliance. Exceeding the period, user will be
logged out automatically and user must re-authenticate. This is
applicable to administrative sessions only.
Enable Unlimited to allow the users to remain logged in.
Simultaneous Logins
Customize the maximum number of concurrent logins allowed
to the user.
Specify number of concurrent logins allowed to the user.
Acceptable Range 1 to 99 concurrent users
OR
Enable Unlimited to allow unlimited concurrent logins to the
user.
Login restriction is applicable to only those users who are added
after this configuration.
CTAS Settings
User Inactivity
Select to enable or disable User Inactivity.
When users logs in the Appliance and performs no activity,
remaining idle for specific time span, they are considered
inactive.
Page 287 of 490
Cyberoam User Guide
By default, User Inactivity is disabled.
Inactivity Time
Specify the inactivity time in minutes.
User Inactivity timeout is the inactive/idle time in minutes after
which the user will be logged out and has to re-authenticate.
Inactivity Time Range (Minutes): 3 1440
Default - 3 minutes
Data Transfer
Threshold
Specify the minimum data to be transferred.
If the minimum data is not transferred within the specified time,
the user will be marked as inactive.
Default 100 Bytes
NTLM Settings
Inactivity Time
Specify the inactivity time in minutes.
User Inactivity timeout is the inactive/idle time in minutes after
which user will be logged out and has to re-authenticate.
Inactivity Time Range (Minutes): 6 1440
Default 6
Data Transfer
Threshold
Specify the minimum data to be transferred.
If the minimum data is not transferred within the specified time,
the user will be marked as inactive.
Default Value 1024 Bytes
HTTP challenge
redirect on Intranet
Zone
Select to Enable or Disable the redirection of NTLM HTTP
challenge on Intranet Zone.
Default - Enable
Web Client Settings (iOS and Android)
Inactivity Time
Specify the inactivity time in minutes.
User Inactivity timeout is the inactive/idle time in minutes after
which user will be logged out and has to re-authenticate.
Inactivity Time Range (Minutes): 6 1440
Default 6 minutes
Page 288 of 490
Cyberoam User Guide
Data Transfer
Threshold
Specify the minimum data to be transferred.
If the minimum data is not transferred within the specified time,
the user will be marked as inactive.
Default Value 1024 Bytes
SSO using radius accounting request
Radius Client IPv4
Specify IPv4 Address of Radius Client.
Shared Secret
Only request from specified IP Address will be considered for
SSO.
Provide Shared Secret for authentication.
Show Shared Secret
Click Show to view the configured Shared Secret.
Captive Portal Settings
Unauthenticated
users redirection
Select "Yes" to redirect the access request of unauthenticated
user either to the Captive Portal or Custom Message page.
Select "No" to display "Access
unauthorized user.
Unauthenticated
users settings
Denied"
message to
Configure where the unauthenticated user access requests
should be redirected.
Select Captive Portal, if an unauthenticated user access
request is to be forwarded to captive portal.
HTTPS Redirection
Enable to provide access of the Captive portal page through
secure channel.
My Account Link
Enable/Disable to make the My Account link available on
the Captive Portal page.
Default Enable
URL Redirection after Login
Enable to redirect request to the user requested page or
custom page. If request is to be redirected to the custom
page, click Custom URL and specify URL.
Preserve captive portal after login
Select Yes to minimize the captive portal popup, once the
user is successfully authenticated.
Selecting No lets the Captive Portal to be displayed on
system screen after successful authentication.
Page 289 of 490
Cyberoam User Guide
Keep Alive Request For Captive Portal
Keep-Alive request is constantly exchanged between the
Appliance and user to check whether user has logged out or
is idle. If the Appliance does not receive the response, user
is logged out automatically.
More number of concurrent HTTP Captive Portal users,
more number of keep-alive requests. In case of more
concurrent HTTP Captive Portal users we recommend to
disable it.
Default Enable
If disabled, user is logged out after the configured inactivity
time. If disabled, specify user inactivity time and data transfer
threshold.
User Inactivity Timeout
User Inactivity timeout is the inactive/idle time in minutes
after which user will be logged out and has to reauthenticate.
Enable and specify timeout duration in minutes.
Acceptable Range - 3 to 1440 minutes.
Default - Disable
Data Transfer Threshold
Specify threshold value in Bytes for Data Transfer.
If the minimum data is not transferred within the specified
time, the user will be marked as inactive.
Select Custom Message, unauthenticated user is to be
displayed custom message.
Windows Corporate Client Download Link
Enable to publish a link to download the Windows Corporate
Client in the custom message.
Linux Corporate Client Download Link
Enable to publish a link to download the Linux Corporate
Client in the custom message.
MAC Corporate Client Download Link
Enable to publish a link to download the MAC Corporate
Client in the custom message.
Page 290 of 490
Cyberoam User Guide
Page Header Image
Display the default image shipped with the Appliance at the
top of the custom message page or use Browse and upload
the custom image.
Supported Image format - JPG, PNG or GIF
Size - 700 X 80 pixels
Page Footer Image
Display the default image shipped with the Appliance at the
bottom of the custom message page or use Browse and
upload the custom image.
Supported Image format - JPG, PNG or GIF
Size - 700 X 80 pixels
Custom Message
Specify message. You can customize the message to
include client IP Address, category, and URL.
Enable Blink Custom Message to display blinking message.
Preview
Preview and check how message will be displayed before
saving the configuration.
Table Firewall Authentication screen elements
Page 291 of 490
Cyberoam User Guide
Configuring Authentication for VPN Traffic
To configure and manage authentication settings for VPN, go to Identity > Authentication > VPN.
Screen VPN authentication screen
Parameters
Screen Element
Description
VPN (IPSec/L2TP/PPTP) Authentication Methods
Set Authentication
Methods Same As
Firewall
Enable to use the same authentication method as configured
for firewall traffic. If enabled all the authentication servers
configured for the firewall traffic will be available for VPN traffic
authentication configuration.
Authentication Server List displays all the configured servers
while Selected Authentication Server List displays servers that
will be used for authentication when user tries to login.
Page 292 of 490
Cyberoam User Guide
Override authentication method for VPN traffic by selecting or
deselecting any Authentication server.
In case of multiple servers, authentication request will be
forwarded as per the order configured in the Selected
Authentication server List.
If RADIUS server authenticates users then PPTP and L2TP
connections established using MSCHAPv2 or CHAP protocol
can be authenticated through RADIUS.
SSL VPN Authentication Methods
Enable to use the same authentication method as configured
for VPN or Firewall or configure authentication server for SSL
VPN.
Authentication Server List displays all the configured servers
while Selected Authentication server list displays servers that
will be used for authentication when user tries to login.
Override authentication method for SSL VPN traffic by selecting
or deselecting any Authentication server.
In case of multiple servers, authentication request will be
forwarded as per the order configured in the Selected
Authentication server List.
Single Sign On For VPN Users
Enable Single Sign
On For
Click to enable Single Sign On for VPN users.
Available Options:
IPSec Users
L2TP Users
PPTP Users
SSL VPN Users
If enabled, the user will not need to re-authenticate in Cyberoam
after VPN connection is established. Also, the user will be
automatically logged out from Cyberoam when VPN tunnel is
disconnected.
Table VPN Authentication screen elements
Page 293 of 490
Cyberoam User Guide
Configuring Authentication for Admin Traffic
The Administrator can configure and manage authentication settings for all the Administrator users except for
the Super Administrator from this page.
To configure and manage authentication settings for all the Administrator user except for the global Super
Administrator admin , go to Identity > Authentication > Admin.
Screen Administrator Authentication screen
Screen Element
Description
Administrator Authentication Methods
Set Authentication
Methods Same As
Firewall
Enable to use the same authentication method as configured
for firewall traffic. If enabled all the authentication servers
configured for the firewall traffic will be available for
administrator traffic authentication configuration.
The Authentication Server List displays all the configured
servers while Selected Authentication Server list displays
servers that will be used for authentication when user tries to
login.
Override authentication method for VPN traffic by selecting or
deselecting any Authentication server.
In case of multiple servers, authentication request will be
forwarded as per the order configured in the Selected
Authentication server List.
Table Administrator Authentication settings page screen elements
Page 294 of 490
Cyberoam User Guide
User Groups
Group is a collection of users having common policies that can be managed as a single unit and a mechanism
of assigning various policies to a number of users in one operation/step. Users that belong to a particular
group are referred to as a group user.
Instead of attaching individual policies to the user, create group of policies and simply assign the appropriate
Group to the user and user will automatically inherit all the policies added to the group which simplifies the
user configuration.
A group can contain default as well as custom policies.
Various policies that can be grouped are:
Surfing Quota policy which specifies the duration of surfing time and the period of subscription
Access Time policy which specifies the time period during which the user will be allowed access
Web Filter Policy which controls and blocks access to inappropriate web sites
Application Filter Policy which controlling access to application like IM and P2P, VOIP
QoS policy which specifies the bandwidth usage limit of the user
Data Transfer Policy which specifies the data transfer quota of the user
SSL VPN Policy which determines the access mode and controls access to private network resources.
Manage User Group list
The Groups page displays the list of all the default and custom groups and provides option to add new group,
update group parameters, add new members to the existing group, viewing user group membership, or delete
a group.
To manage user groups, go to Identity > Groups > Group.
Screen Manage Groups
Screen Element
Description
Page 295 of 490
Cyberoam User Guide
Group Name
Displays the name of the group.
Web Filter
Displays the Web Filter Policy applied to all the group users.
Point to the policy link to view or edit the policy details.
Application Filter
Displays the Application Filter Policy applied to all the group
users.
Point to the policy link to view or edit the policy details.
Displays the QoS Policy applied to all the group users.
QoS
Point to the policy link to view or edit the policy details.
MAC Binding
(Not applicable to
Clientless Group)
Disable User MAC Binding disabled for all the group users.
Access Time
(Not applicable to
Clientless Group)
Displays the Access Time Policy applied to all the group users.
Surfing Quota
(Not applicable to
Clientless Group)
Displays the Surfing Quota Policy applied to all the group users.
PPTP
(Not applicable to
Clientless Group)
Disable PPTP access disabled for all the group users.
L2TP
(Not applicable to
Clientless Group)
Disable L2TP access disabled for all the group users.
Login Restriction
(Not applicable to
Clientless Group)
Displays the Login Restriction applied Any, Selected Nodes
or Range.
Data Transfer
(Not applicable to
Clientless Group)
Displays the Data Transfer Policy applied to all the group users.
Enable User MAC Binding enabled for all the group users.
Point to the policy link to view or edit the policy details.
Point to the policy link to view or edit the policy details.
Enable PPTP access enabled for all the group users.
Enable L2TP access enabled for all the group users.
Point to the policy link to view or edit the policy details.
Table Manage Groups screen elements
Creating a new User Group
To add or edit user group details, go to Identity > Groups. Click the Add Button to add a new user group
or Edit Icon
to modify the details of the user group.
Page 296 of 490
Cyberoam User Guide
Screen Add Group
Parameters
Screen Element
Description
Group Name
Provide a name to identify the group.
Description
Provide group description.
Group Type
Select Group Type.
Available Options:
Normal User of this group needs to log on using the
Appliance Client to access the Internet.
Clientless User of this group need to log on using the
Appliance Client to access the Internet and is symbolically
represented as Group name(C). Access control is placed on
the IP Address.
Policies
Web Filter
Select the Web Filter Policy from the list.
Page 297 of 490
Cyberoam User Guide
Configured policy will be applicable to all the users who are
member of this group.
Application Filter
Select the Application Filter Policy from the list.
Configured policy will be applicable to all the users who are
member of this group
Surfing Quota
Select the Surfing Quota Policy from the list.
Page 298 of 490
Cyberoam User Guide
Note
Access Time
(Not applicable to
Clientless Group)
Ultimate policy is automatically applied to Clientless
Group.
Select the Access Time Policy from the list.
Note
Data Transfer
(Not applicable to
Clientless Group)
Ultimate policy is automatically applied to Clientless
Group.
Select the Data Transfer Policy from the list.
Page 299 of 490
Cyberoam User Guide
Configured policy will be applicable to all the users who are
member of this group.
QoS
Select the QoS Policy from the list.
Configured policy will be applicable to all the users who are
member of this group.
SSL VPN
(Not applicable to
Clientless Group)
Select SSL VPN policy from the list.
If user is not to be provided the SSL VPN access then select
No Policy Applied.
Quarantine Digest
Enable Quarantine Digest. Quarantine Digest is an Email and
contains a list of quarantined spam messages filtered by the
Appliance and held in the user quarantine area. If configured,
the Appliance will mail the Quarantine Digest every day to the
user. Digest provides a link to User My Account from where
user can access his quarantined messages and take the
required action.
Available Options:
Enable User will receive the Quarantine Digest daily
and overrides Group setting.
Disable User will not receive Quarantine Digest and
overrides Group setting.
MAC Binding
(Not applicable to
Clientless Group)
Enable/disable MAC Binding. By binding User to MAC
Address, you are mapping user with a group of MAC
Addresses.
Page 300 of 490
Cyberoam User Guide
L2TP
(Not applicable to
Clientless Group)
Enable if group users can get access through L2TP connection.
PPTP
(Not applicable to
Clientless Group)
Enable if group users can get access through PPTP
connection.
Login Restriction
(Not applicable to
Clientless Group)
Select the appropriate option to specify the login restriction for
the user group.
Available Options:
Any Node Select to allow user to login from any of the
nodes in the network.
Selected Nodes Select to allow user to login from the
specified nodes only. Specify IP Address and click Add
button to add more nodes and remove icon
to delete
nodes.
Node Range Select to allow range of IP Address.
Specify IP Address range.
Table Add Group screen elements
Note
User configuration MAC binding and policies is given precedence over Group configuration.
Adding Users to the existing Groups
To add a user to the existing group, follow the below steps:
1. Edit the Group in which you want to add the users by clicking Manage icon
in the Manage
column.
2. Click Add Member(s) button. A pop-up Add Group Member appears providing list all the users
along their details that can be added in the group. To search user filter the list based on user
name and/or current group.
3. Select the user you want to add in the group. You can select a single or multiple users on a single
page.
4. Click Apply and click OK to confirm adding member in the group.
Viewing List of Group Members
To view group members, follow the below steps:
1. Edit the Group in which you want to add the users by clicking Manage icon
in the Manage
column.
2. Click Show Group Member(s) button. A pop-up Group Member appears providing the list all the
users with the details who are member of the selected group.
3. Click Close button or Close
icon to close the Group Member pop-up.
Page 301 of 490
Cyberoam User Guide
Users
Users are identified by an IP Address or a user name and are assigned to a user group. All the users in a
group inherit the policies defined for that group.
Media Access Control (MAC) Address is a unique identifier (hardware address) assigned to a host by the
manufacturer for identification and is intended to be immutable. MAC Addresses are 48 bit values that are
expressed in 6 byte hex-notation separated by colon for example 01:23:45:67:89:AB.
To improve the security of your network and provide spoofing protection, you can enable User-MAC Address
binding. By binding User to MAC Address, you are mapping the user with a group of MAC Addresses. It
means a user would be able to login through a group of pre-specified machines only making it more difficult
for a hacker using random MAC Addresses or spoofing a MAC Address to gain access to your network.
User types
The Appliance supports five types of Users:
Normal
Clientless
Single Sign on
Thin Client User
WWAN User
Normal User has to log on to the Appliance. Requires client (client.exe) on the User machine or user can use
HTTP Client component and all the policy-based restriction are applied.
Clientless does not require client component (client.exe) on the User machines. Symbolically represented as
User name (C)
If User is configured for Single sign on, whenever User logs on to Windows, he/she is automatically logged to
the Appliance. Symbolically represented as User name (S)
Use the given decision matrix below to choose which type of the user should be created.
Decision matrix for creation of User
Feature
User Login required
Normal
User
Clientless
User
Single Sign
On User
Yes
No
No
Normal
Yes
No
Yes
Clientless
No
Yes
No
Apply Login restriction
Yes
Yes
Yes
Apply Surfing Quota policy
Yes
No
No
Type of Group
Page 302 of 490
Cyberoam User Guide
Apply Access Time policy
Yes
No
No
Apply QoS policy
Yes
Yes
Yes
Apply Web Filter Policy
Yes
Yes
Yes
Apply Application Filter policy
Yes
Yes
Yes
Apply Data Transfer policy
Yes
No
Yes
Users
Clientless Users
Users
To manage users, go to Identity > Users > Users. You can:
Import
Export Click the Export button to download the user details in a csv file. csv file is generated with
the following headers: Name, Username, Enc_password, Email Address, and Group.
Manage User list
The Users page displays list of all the users added in the Appliance. You can filter the list of users Name,
User Name, Group, Web and Application Filter policy applied to the user, and date on which users were
added. The page also provides option to add new users manually or by importing user details from the file,
exporting user details, purging AD users, changing status of the user, or deleting user.
Screen Manage Users
Screen Element
Import Button
Description
Browse and select a .csv file to import all the user details.
Format of .csv File
First row of the csv file must be the header row, divided into
following fields separated by comma (,)
Username - Compulsory field
Password - Optional field
Name - Optional field
Group Name - Optional field
Email ID - Optional field
Page 303 of 490
Cyberoam User Guide
The remaining rows are values corresponding to the
header fields.
Number of fields in each row must be same as those
within the header row.
An error message is displayed, if data is missing for any
field within the header.
If a Password field is not included in the header, then the
field will be set same as that of the Username.
If a Name field is not included in the header, then the field
will be set same as that of the Username.
If a Group Name field is not included in the header, then
it can be configured by the Administrator during the
migration.
All the blank rows will be ignored.
Export Button
Click to export all the user details.
Change Status
Click to change the status of the user from Active to Inactive
and vice-versa.
Purge AD Users
Click to purge and sync Appliance Active Directory users with
external Active Directory server.
Purge operation will not interrupt user login/logout and
accounting events.
User details are deleted from both, the Primary Appliance as
well as Auxiliary Appliance at the same time.
User ID
Displays a unique ID for the user.
Name
Displays name of the user.
User Name
Specify a unique username to identify the user.
Type
Type of User selected User or Administrator.
Profile
Profile applied to the Administrator if the User Type is
Administrator.
Group
Name of the user group.
Point to the group link to view or edit the group details.
Status
Status of the User.
Inactive Inactive user.
Active Active user.
Web Filter
Web Filter Policy applied to the user.
Page 304 of 490
Cyberoam User Guide
Point to the policy link to view or edit the policy details.
Application Filter
Application Filter Policy applied to the user.
Point to the policy link to view or edit the policy details.
QoS
QoS Policy applied to the user.
Point to the policy link to view or edit the policy details.
L2TP
Disable L2TP access disabled for the user.
Enable L2TP access enabled for the user.
PPTP
Disable PPTP access disabled for the user.
Enable PPTP access enabled for the user.
MAC Address
MAC Address list.
Data Transfer
Data Transfer Policy applied to the user.
Point to the policy link to view or edit the policy details.
MAC Binding
Disable User MAC Binding disabled.
Enable User MAC Binding enabled.
Access Time
Access Time Policy applied to the user.
Point to the policy link to view or edit the policy details.
Surfing Quota
Surfing Quota Policy applied to the user.
Point to the policy link to view or edit the policy details.
Login Restriction
Login Restriction applied Any, User Group Nodes, Selected
Nodes or Range.
Created Date
Creation date of the user.
Simultaneous Logins
Simultaneous Logins allowed to the user.
Table Manage Users screen elements
Page 305 of 490
Cyberoam User Guide
Adding a new User
To add or edit user details, go to Identity > User > User. Click Add Button to register a new user. To
update the details, click on the username or Edit icon
modify.
in the Manage column against the user you want to
Screen Add User
Parameters
Screen Element
Description
Username
Provide username, which uniquely identifies user and will be used
for login.
Name
Provide a Name of the User.
Password
Enter password and re-enter same password for confirmation.
Password is case sensitive.
User Type
Select the type of user from the available options.
Available Options:
User
Administrator
Profile (Only when
the User Type
Select the Administrator Profile. Administrator will get access of
various Web Admin Console menus as per the configured profile.
Page 306 of 490
Cyberoam User Guide
Administrator is
selected)
Create a new profile directly from this page or from the Profile
page.
Email
Specify Email Address of the user.
Use comma to separate multiple Email Addresses.
Description
Provide user description.
Policies
Group
Select Group in which the user is to be added. User will inherit all
the policies assigned to the group.
Web Filter
By default, user will inherit its group policy. To override the group
policy, select the policy from the list.
You can create also a new policy directly from this page itself or
from Web Filter > Policy page.
Application Filter
By default, the user will inherit its group policy. To override the
group policy, select the policy from the list.
Page 307 of 490
Cyberoam User Guide
You can create also a new policy directly from this page itself or
from Application Filter > Policy page.
Surfing Quota
By default, user will inherit its group policy. To override the group
policy, select the policy from the list.
You can create also a new policy directly from this page itself or
from Identity > Policy > Surfing Quota page.
Access Time
By default, user will inherit its group policy. To override the group
policy, select the policy from the list
You can create also a new policy directly from this page itself or
from Identity > Policy > Access Time page.
Page 308 of 490
Cyberoam User Guide
Data Transfer
By default, user will inherit its group policy. To override the group
policy, select the policy from the list.
You can create also a new policy directly from this page itself or
from Identity > Policy > Data Transfer page.
QoS
By default, user will inherit its group policy. To override the group
policy, select the policy from the list.
You can create also a new policy directly from this page itself or
from QoS > Policy page.
SSL VPN
By default, user will inherit its group policy. To override the group
policy, select the policy from the list.
Page 309 of 490
Cyberoam User Guide
You can create also a new policy directly from this page itself
or from SSL VPN > SSL > Policy page.
If user is not to be provided the SSL VPN access then select
No Policy Applied.
L2TP
By default, user is provided remote access through L2TP. Disable
if remote access is not to be provided to the user.
Provide the IP Address (IPv4 / IPv6) to be leased to the user for
L2TP access.
PPTP
By default, user is provided remote access through PPTP. Disable
if remote access is not to be provided to the user.
Provide the IP Address (IPv4 / IPv6) to be leased to the user for
PPTP access.
CISCOTM VPN Client
By default, user is provided remote access through CISCO VPN
Client. Disable if remote access is not to be provided to the user.
Provide the IP Address (IPv4/IPv6) to be leased to the user for
CISCO VPN access.
Quarantine Digest
Note: To use this feature, CISCOTM VPN Client needs to be
configured from VPN > CISCOTM VPN Client.
Configure Quarantine Digest.
Quarantine digest is an Email containing a list of quarantined spam
messages filtered by the Appliance and held in the user quarantine
area. If configured, Appliance will mail the digest at the configured
frequency to the user. Digest also provides a link to User My
Account from where user can access and take the action
quarantined messages.
Available Options:
Enable User receives the spam digest daily and overrides
Group setting.
Disable User does not receive a spam digest and overrides
Group setting.
Simultaneous Logins
Specify number of concurrent logins that will be allowed to user OR
Click Unlimited for allowing unlimited Concurrent logins.
Default - 1
Acceptable Range - 1 to 99
The specified setting overrides the global setting specified in the
client preferences.
Page 310 of 490
Cyberoam User Guide
MAC Binding
Enable/disable MAC Binding. By binding User to MAC Address,
you are mapping user with a group of MAC Addresses.
If
enabled,
specify
01:23:45:67:89:AB.
MAC
Addresses
for
example
Once you enable MAC binding, user will be able to login through
pre-specified machines only.
To configure multiple MAC Addresses use comma. For example
01:23:45:67:89:AB, 01:23:45:67:89:AC
Login Restriction
Select the appropriate option to specify the login restriction for the
user.
Available Options:
Any Node User will be able to login from any of the nodes
in the network.
User Group Node(s) User will be able to login only from
the nodes assigned to her group.
Selected Nodes User will be able to login from the
specified nodes only.
Node Range User will be able to login from any of the IP
Address from the configured range.
Administrator Advanced Settings (Only if User Type is selected as Administrator)
Schedule for
Appliance Access
Schedule the Appliance access.
Administrator will be able to access the Appliance only during the
time configured in schedule.
Login Restriction for
Appliance Access
Select the appropriate option to specify the login restriction for the
user.
Available Options:
Any Node Administrator will be able to login from any of
the nodes in the network.
Selected Nodes Administrator will be able to login from the
specified nodes only.
Node Range Administrator will be able to login from any of
the IP Address from the configured range
Reset User
Accounting
(Displayed only after
user is added)
Click to reset the usage accounting i.e. internet usage time and
data transfer of the user.
View Usage
(Displayed only after
user is added)
Click to view the Internet usage and data transfer usage.
Table Add User screen elements
Page 311 of 490
Cyberoam User Guide
Note
User configuration is given precedence over Group configuration.
Import Users Information
Instead of creating users again in the Appliance, if you already have users detail in a csv file, you can upload
csv file.
Click the Import Button to import csv file. Select the complete path for migrating users information file.
.csv file format and processing:
1. Header (first) row should contain field names. Format of header row:
2. Compulsory field: username
3. Optional fields: password, name, group, Email Address
Fields can be configured in any order.
Subsequent rows should contain values corresponding to the each field in header row
Number of fields in each row should be same as in the header row
Error will be displayed if data is not provided for any field specified in the header
Blank rows will be ignored
If password field is not included in the header row then it will set same as username
If group name is not included in the header row, administrator will be able to configure group at
the time of migration
Purging Active Directory (AD) Users
Click Purge AD Users button to synchronize the Appliances Active Directory users with external Active
Directory server.
Note
Purge operation will not interrupt user login/logout and accounting events.
If HA is configured, user details are deleted from both, the Primary Appliance as well as Auxiliary Appliance
at the same time.
To successfully initialize Purging of AD Users, the Appliance should be connected/authenticated to/by at
least one (or more) one or more AD servers.
Exporting Users
Click the Export button to export the user details in a csv file. csv file is generated with the following headers:
Name, Username, Enc_password, Email Address, and Group.
Page 312 of 490
Cyberoam User Guide
Clientless Users
Clientless Users are the users who can bypass Client login to access the Internet and are managed by the
Appliance itself. As clientless users can bypass Appliance login, create clientless users when your network
has few Non-windows machines, VOIP boxes, or servers.
Manage Clientless User list
The page displays the list of all the clientless users. You can filter the list based on name or username of the
user, IP address, group of the user, web and application filter policy, or created date. The page also provides
option to add a single clientless user or multiple users, delete or change status of the user. The administrator
can also reset user accounting data or view the usage statistics.
To manage Clientless users, go to Identity > User > Clientless User.
Screen Manage Clientless Users
Screen Element
Description
Add Range
Click to add the range of IP Address for Clientless User.
Change Status
Click to change the status of clientless user from active to
inactive and vice-versa.
ID
Displays the User ID for a Clientless User.
Name
Displays the name of the user.
User Name
Unique username to identify the User.
IP Address
Displays the IP Address of Clientless user IPv4 or IPv6.
Group
Displays Group to which user belongs.
Status
Status of the Clientless User:
Inactive Inactive user.
Active Active user.
Web filter
Web Filter policy applied to the traffic.
Point to the policy link to view or edit the policy details.
Application filter
Application filter policy applied to the traffic.
Page 313 of 490
Cyberoam User Guide
Point to the policy link to view or edit the policy details.
QoS policy applied to the traffic.
QoS
Point to the policy link to view or edit the policy details.
Table Manage Clientless Users screen elements
Clientless User Parameters
To add or edit Clientless user details, go to Identity > Users > Clientless Users. Click Add Button to
register a new clientless user or Edit Icon to modify the details of the clientless user.
Screen Add Clientless User
Parameters
Screen Element
Description
Username
Specify username, which uniquely identifies user and will be
used for login.
IP Address
Specify IP Address (IPv4/IPv6) for the Clientless user.
Group
Select Group in which user is to be added. User will inherit all
the policies assigned to the group.
Change the policies applied to the user by editing the user
details.
Name
Provide a name of the User.
Provide an Email Address.
Page 314 of 490
Cyberoam User Guide
Configure Quarantine Digest. Quarantine digest is an Email and
contains a list of quarantined spam messages filtered by the
Appliance and held in the user quarantine area. If configured,
Appliance will mail the spam digest every day to the user.
Digest provides a link to User My Account from where user can
access his quarantined messages and take the required action.
Quarantine Digest
Available Options:
Enable User will receive the spam digest daily
and overrides Group setting.
Disable User will not receive spam digest and
overrides Group setting.
Apply Groups Settings - User will receive Spam
Digests as per configured for the Group user
belongs to.
Add Icon
Click the Add
Icon to add a new Clientless User.
Remove Icon
Click the Remove
Icon to delete a Clientless User
Table Add Clientless User screen elements
You can change the policies applied to the user by updating the user details. If you change the policies for
the user, user specific policies will take precedence over user group policies. Refer to Change Policies
Parameters to change the policies.
Change Policies Parameters
To change the policies applied to the clientless user, go to Identity > Users > Clientless Users and
click Edit icon
against the user whose policies are to be changed.
Screen Add Clientless User (Change Policies)
Page 315 of 490
Cyberoam User Guide
Screen Element
Description
Username
Name with which user logs on.
Name
Name of the User.
IP Address
IP Address from which user logs on.
Group
Group in which the user is added. User will inherit all the policies
assigned to the group.
Change the group, if required.
Email ID of the user.
Internet Usage Time
Displays total Internet usage time information.
Policies
Web Filter
Web filter policy applied to the user.
Change the policy, if required.
Policy applied here will take the precedence over the group
policy.
Application filter
Application filter policy applied to the user.
Change the policy, if required.
Policy applied here will take the precedence over the group
policy.
Page 316 of 490
Cyberoam User Guide
QoS Policy applied to the user.
QoS
Change the policy, if required.
Policy applied here will take the precedence over the group
policy.
Configure Quarantine Digest. Quarantine digest is an Email and
contains a list of quarantined spam messages filtered by the
Appliance and held in the user quarantine area. If configured,
Appliance will mail the spam digest every day to the user.
Digest provides a link to User My Account from where user can
access his quarantined messages and take the required action.
Quarantine Digest
Available Options:
Enable User will receive the spam digest daily and overrides
Group setting.
Disable User will not receive spam digest and overrides
Group setting.
Reset User
Accounting
(Displayed only after
user is added)
Click to reset the usage accounting i.e. internet usage time and
data transfer of the user.
View Usage
(Displayed only after
user is added)
Click to view the Internet usage and data transfer usage.
Table Edit Clientless User screen elements
Page 317 of 490
Cyberoam User Guide
Add Multiple Clientless Users
To add multiple Clientless users, go to Identity > Users > Clientless Users and click Add Range
button to configure following parameters:
Screen Add Multiple Clientless User
Screen Element
Description
From
Specify Starting IP Address for the range.
To
Specify Ending IP Address for the range.
Group
Select Group for users. Users will inherit all the policies
assigned to the group.
You can change the policies applied to the user by editing the
user details. If you change the policies for the user, user specific
policies will take precedence over user group policies. Refer to
Change Policies Parameters to change the policies.
Table Add Multiple Clientless User screen elements
Page 318 of 490
Cyberoam User Guide
Guest Users
Users without a pre-existing user account wanting to access internet using a hotspot, or via a network
available at airport, hotels, hostels, etc. are called Guest Users. These users, that are otherwise considered
unauthenticated and/or denied access, are allowed to make request to connect to the Internet for a limited
period by authenticating themselves. On being authenticated, these users are authorized to access internet
using as a Guest Users. At such locations, Internet access is secured by configuring access policies to restrict
any malicious use of the network.
Cyberoam allows the Administrator to pre-configure single or multiple Guest Users using Web Admin Console.
The credentials of Guest Users configured via Web Admin Console can be printed and handed over to Guest
User. Alternately, Guest Users can register themselves using Guest User Portal. The credentials and Internet
access details of Guest Users registered via Guest User Portal can either be sent via SMS or can be printed.
In case of successful authentication Guest User is granted access according to applicable group, else is be
redirected captive portal page.
General Settings
Guest Users
SMS Gateway
General Settings
The page allows configuring general parameters to provide secured internet access for guest user
To configure General Settings, go to Identity > Guest Users > General Settings.
Screen Manage Guest User General Settings
Page 319 of 490
Cyberoam User Guide
Parameters
Screen Element
Description
Guest User General Settings
Username Prefix
Provide prefix to be used for Auto-Generation of username for
guest users.
Group
Select a group of policies to assign to Guest users.
Alternately, you can also add group of policies.
Password Length
Specify the length of the auto-generated password for Guest
Users.
Minimum password length: 3 characters
Maximum password length: 60 characters
Default password length: 8 characters
The password length is a basic security parameter, the value of
which affects the strength of password against brute force
attack..
Password Complexity
Select a type of password from the available options to be used
for complexity of an auto-generated password:
Available Options:
Numeric Password Password will include only
numeric characters.
Alphabetic Password Password will include
only alphabetic characters.
Alphanumeric Password Password will include
numeric as well as alphabetic characters.
Alphanumeric with Special Character Password
Password will include numeric, alphabets and
special characters.
The password strength is a function of its length and complexity.
Combining password length with password complexity makes a
password difficult to guess.
Page 320 of 490
Cyberoam User Guide
Disclaimer
Provide the disclaimer message to be printed below every
users login credentials.
Note
Auto Purge on Expiry
Disclaimer once configured can be edited but cannot be
removed.
Check to enable automatic purging of user details on expiry of
user validity.
Note
Details of a user who is bound to rules (like Firewall, IM,
etc) does not get purged automatically.
Guest User Registration Settings
Enable Guest Users
Registration
Enable to allow secured Internet access to guest users.
SMS Gateway
Select the Gateway using which the SMS should be sent.
Rest of the options in this field can only be configured after you
have selected this option.
Alternately you may add the SMS gateway from SMS
Gateway tab.
Guest Username
Select the method of generating Username using the following
options:
Use Cell Number as Username
If the option is not selected then new username will be
generated with the value specified in Username Prefix.
User Validity
(Duration in Days)
Specify guest user validity period in days.
Default Country Code
Enable to configure a default country code on the Guest User
Registration page.
Selected country is displayed as default option in Cell Number
selection at Guest User registration page.
CAPTCHA
Verification
Select to Enable or Disable CAPTCHA (Completely Automated
Public Turing Test To Tell Computers and Humans Apart) code
verification on Guest User Registration page to ensure the
request is received for human being.
Page 321 of 490
Cyberoam User Guide
By enabling CAPTCHA Verification, the user will be displayed
a picture with characters that user must insert in a provided
textbox below picture. The administrator can therefore protect
Cyberoam against attacks generated by automated programs.
Default - Enable
Table Manage Guest User General Setting screen elements
Page 322 of 490
Cyberoam User Guide
Manage Guest Users
To manage Guest Users, go to Identity > Guest Users > Guest Users. You can:
Add Single Guest User Click Add Single button to add a single Guest User.
Add Multiple Guest Users Click Add Multiple button to add multiple Guest Users.
Resend Credential Click the Resend Credential icon
in the Manage column against a User
registered via Guest User Portal to whom the access details SMS are to be resent.
The page displays the list of all the guest users added. You can filter the list based on name or username of
the user, cell number of the user, validity of the user account, Email address of the user, web or application
filter policy, or group of the user. The page also provides option to add single or multiple users, distributing
credentials for the Internet access, update user parameters, view or reset the data transfer usage.
Screen Manage Guest Users
Screen Element
Description
Print Button
Click to Print the credentials of the selected Guest User(s).
Name
Name of Guest User.
User Name
Username of the Guest User.
Cell Phone Number
Cell Phone Number of the Guest User.
Create Date
Date on which the Guest User was created.
Valid From
Date on which the Guest User was created.
Validity
Duration till which the Guest User remains active.
Expiry Date
Date at which the user gets expired.
Web Filter
Web Filter Policy applied to the user.
Point to the policy link to view or edit the policy details.
Data Transfer
Data Transfer Policy applied to the user.
Point to the policy link to view or edit the policy details.
MAC Address
MAC Address list.
Quarantine Digest
Disable Quarantine Digest disabled for the user.
Enable Quarantine Digest enabled for the user.
SSL VPN
SSL VPN Policy applied to the user.
Point to the policy link to view or edit the policy details.
Page 323 of 490
Cyberoam User Guide
Email Address
Email Address of the user.
Application Filter
Application Filter Policy applied to the user.
Point to the policy link to view or edit the policy details.
QoS
QoS Policy applied to the user.
Point to the policy link to view or edit the policy details.
Access Time
Access Time Policy applied to the user.
Point to the policy link to view or edit the policy details.
L2TP
Disable L2TP access disabled for the user.
Enable L2TP access enabled for the user.
MAC Binding
Disable User MAC Binding disabled.
Enable User MAC Binding enabled.
Login Restriction
Login Restriction applied Any, User Group Nodes, Selected
Nodes or Range.
Surfing Quota
Surfing Quota Policy applied to the user.
Point to the policy link to view or edit the policy details.
PPTP
Disable PPTP access disabled for the user.
Enable PPTP access enabled for the user.
Status
Status of the User.
Inactive Inactive user.
Active Active user.
Group
Name of the user group.
Point to the group link to view or edit the group details.
Table Manage Guest User screen elements
Page 324 of 490
Cyberoam User Guide
Registering Single Guest User Parameters
To add a single Guest User, go to Identity > Guest Users > Guest Users. Click Add Single button
to add the details of a single Guest User.
Screen Add Single Guest User Parameters
Screen Element
Description
Username
Auto-Generated password.
Password
Auto-Generated password.
Name
Specify name of the Guest User.
Specify Email Address of the Guest User.
User Validity
(Duration in Days)
Specify the validity of a Guest User in days.
Validity Start
Select the type when a users validity should begin.
Available Options:
Immediately Validity is counted from the time a Guest
User is created.
After First Login Validity is counted from the time after
a Guest User logs into the network for the first time.
Add
Click to add a Guest User.
Add and Print
Navigates to a printable HTML page which contains user
Internet Access Credentials. Click the Print command to
simultaneously Print and Add the Guest User.
Table Add Single Guest User screen elements
Page 325 of 490
Cyberoam User Guide
Registering Multiple Guest User Parameters
To add multiple Guest Users, go to Identity > Guest Users > Guest Users. Click Add Multiple
button to add the details of multiple Guest Users.
Screen Add Multiple Guest User Parameters
Screen Element
Description
Number of Users
Specify the number of Guest Users to be created.
User Validity
(Duration in Days)
Specify the validity of multiple Guest Users in days.
Validity Start
Select the type from when a users validity should be counted.
Available Options:
Immediately Validity is counted from the time a Guest
User is created.
After First Login Validity is counted from the time after
a Guest User logs into the network for the first time.
Add
Click to add multiple Guest Users.
Add and Print
Navigates to a printable HTML page which contains user
Internet Access Credentials. Click the Print command to
simultaneously Print and Add the Guest User(s).
Table Add Multiple Guest User screen elements
Page 326 of 490
Cyberoam User Guide
Registering Guest User(s) through Captive Portal
1. Browse to the Captive Portal using http://<LAN IP Address assigned to your Appliance>:8090.
2. Click the hyperlink Click here to get a username to access the Internet.
3. Provide guest user details for registration and click OK button.
Page 327 of 490
Cyberoam User Guide
Updating Guest User Configuration
To edit user details, go to Identity > Guest Users > Guest Users. Click Edit Icon
details of the user.
to modify the
Screen Edit Guest User Parameters
Page 328 of 490
Cyberoam User Guide
Parameters
Screen Element
Description
Username
Displays username of the Guest User.
Name
Provide a name of the Guest User.
Password
Displays the password in encrypted format.
One can also change the password by clicking on Change
Password link.
Cell Number
Displays Cell phone number.
Provide Email Address of the user.
Internet Usage time
Displays the Internet Usage Time in HH:MM format.
Policies
Group
Group in which user belongs. User will inherit all the policies
assigned to the group.
Web Filter
Select the Web Filter Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
Application Filter
Select the Application Filter Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
Page 329 of 490
Cyberoam User Guide
Surfing Quota
Select the Surfing Quota Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
Access Time
Select the Access Time Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
Page 330 of 490
Cyberoam User Guide
Data Transfer
Select the Data Transfer Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
QoS
Select the QoS Policy from the list.
You can also create a new policy directly from this page itself and
attach to the user.
SSL VPN
Select SSL VPN policy from the list.
If user is not to be provided the SSL VPN access then select No
Policy Applied.
Page 331 of 490
Cyberoam User Guide
L2TP
Enable if you want to allow user to get access through L2TP
connection.
PPTP
Enable if you want to allow user to get access through PPTP
connection.
Quarantine Digest
Configure Quarantine Digest. Quarantine Digest is an Email and
contains a list of quarantined spam messages filtered by the
Appliance and held in the user quarantine area. If configured,
Appliance will mail the Quarantine Digest every day to the user.
Digest provides a link to User My Account from where user can
access his quarantined messages and take the required action.
Available Options:
Enable User will receive the Quarantine Digest daily and
overrides Group setting.
Disable User will not receive Quarantine Digest and
overrides Group setting.
Simultaneous Logins
Specify number of concurrent logins that will be allowed to user OR
Click Unlimited for allowing unlimited Concurrent logins.
The specified setting overrides the global setting specified in the
client preferences.
Default login allowed 1
Simultaneous Login Range : 1 to 99
Select Unlimited to avoid restriction on number of simultaneous
logins.
MAC Binding
Enable/disable MAC Binding. By binding User to MAC Address,
you are mapping user with a group of MAC Addresses.
Only IPv4 Address must be provided for options Selected Node
and Node Range.
MAC Address List
Specify MAC Addresses for example 01:23:45:67:89:AB.
Once you enable MAC binding, user will be able to login through
pre-specified machines only.
To configure multiple MAC Addresses use comma. For example
01:23:45:67:89:AB, 01:23:45:67:89:AC
Login Restriction
Select the appropriate option to specify the login restriction for the
user.
Available Options:
Page 332 of 490
Cyberoam User Guide
Any Node User will be able to login from any of the nodes
in the network.
User Group Node(s) User will be able to login only from
the nodes assigned to her group.
Selected Nodes User will be able to login from the
specified nodes only.
Node Range User will be able to login from any of the IP
Address from the configured range.
Reset User
Accounting
(Displayed only after
Guest User is added)
Click to reset the user accounting details.
View Usage
(Displayed only after
Guest User is added)
Displays the detailed Internet usage.
Table Guest User Parameter screen elements
Note
User configuration is given precedence over Group configuration that is, User MAC binding and policies
configuration is given priority over Group configuration.
Distributing Access Credentials to Guest Users
Guest Users can be registered from Guest User Portal as well as Web Admin Console.
If the guest user is registered from the Web Admin Console, the login credentials and the Internet access
details can be printed and distributed. Option is provided to print the credentials at the time of registering or
can be printed later also.
If the guest user is registered from the Guest User Portal, the login credentials and the Internet access details
are SMSed on the registered cell phone number or printed and distributed. The administrator can resend the
credentials to guest users through SMS by clicking Resend icon
Manage column or can also print them.
against the Guest User under the
Page 333 of 490
Cyberoam User Guide
SMS Gateway
An SMS Gateway allows sending and receiving Short Service Message (SMS) to/from a home network for
Guest User registration. The Appliance supports HTTP and HTTPS protocol based SMS service.
The page displays list of all the configured SMS Gateways and provides option to delete and edit the SMS
gateway configuration.
To manage users, go to Identity > Guest Users > SMS Gateway.
Screen SMS Gateway
Screen Element
Description
Name
Displays name of the SMS Gateway.
URL
Displays URL of the SMS Gateway.
Response Format
Displays the Response Format.
Table SMS Gateway screen elements
SMS Gateway Parameters
To add SMS Gateway details, go to Identity > Guest Users > SMS Gateway. Click Add Button to
register a new SMS Gateway.
Screen Add SMS Gateway
Page 334 of 490
Cyberoam User Guide
Screen Element
Description
Name
Specify Name of the SMS Gateway.
URL
Specify URL of the SMS Gateway.
Http Method
Select the method for sending SMS request to SMS Gateways
from the options available:
Available Options:
Get
Post
Cell Number Format
Check to use country code with cell number.
Number Prefix
Specify the prefix value to be used with the cell number. Number
Prefix can include alpha-numeric and ASCII special characters.
It can be up to 4 characters long.
Request Parameters
Specify the following request parameters to configure the SMS
Gateway.
Name: Name for the value. Name is a descriptor used to
describe the meaning of the value. E.g. username,
password, mobile
Value: Value of variables that are defined against name
Response Format
Response describes delivery status of the message such as
success, failed, limit exceeded. Status message can be in various
formats. Few of them are described below:
For Example
Response Format
Page 335 of 490
Cyberoam User Guide
{0} | {1} | {2}
Response Received
success | mbno | msgid/transactionid
Response Format
<status>500</status><transactionid>{0}</transactionid><reason>
{1}</reason>
Response Received
<status>500</status><transactionid>2323</transactionid><reaso
n>Limit Exceeded</reason>
When the response format is different for success and failure, it is
recommended that the response format string should have a single
content holder. E.g. {0}
Response
Parameters
Response Parameter is the value presented by content holder {0,1,
2...n} that will be displayed in log viewer.
Parameter Index: Parameter Index is the content holder value {0,
1, 2...n}.
Name: Name represents the content holder in the Log Viewer.
Example 1
0 Status
1 Recipient
2 SMSID
Example 2
0 SMSID 2323
1 SMS Status Message Length Exceeded
Table Add SMS Gateway screen elements
Testing Connectivity with SMS Gateway
Screen Test Connectivity with SMS Gateway
Page 336 of 490
Cyberoam User Guide
Once you configure the SMS Gateway, check whether you are able to connect with the gateway or not. Click
the Test Connection button and provide cell phone number. You will receive SMS through the gateway
configured if you are able to connect to the gateway.
Changing Status of a User
To change the status of a User go to, Identity > Users > Users or Identity > Users > Clientless
Users. Select the user and click the Change Status button. User Status can be changed from Active to
Inactive and vice versa.
Resetting User Accounting
To reset the User accounting go to, Identity > Users > Users or Identity > Users > Clientless
Users or Identity > Users > Guest Users and follow the below steps:
1. Edit the User account of the user whose data accounting you want to reset by clicking Manage
icon
in the Manage column.
2. Click Reset User Accounting button and click OK button to confirm.
Note
You cannot reset user accounting for the live user.
Viewing Internet and Data Transfer Usage of a User
To view Internet and data transfer usage of a user go to, Identity > Users > Users or Identity >
Users > Clientless Users or Identity > Users > Guest Users and follow the below steps:
1. Edit the User account of the user whose data usage you want to view by clicking Manage icon
under the Manage column.
2. Click View Usage button.
3. A pop-up displays information of policies applied on the user account, upload and download data
transferred by the user.
Page 337 of 490
Cyberoam User Guide
Policy
The Appliance allows controlling access to various resources with the help of Policy.
The Appliance allows defining following types of policies:
1. Schedule Internet access for individual users by defining Access time policy. (See Access time
policy for more details)
2. Control individual user surfing time by defining Surfing quota policy. (See Surfing Quota policy for
more details)
3. Limit total as well as individual upload and/or download data transfer by defining data transfer
policy. (See Data transfer policy for more details).
Appliance comes with several predefined policies. These predefined policies are immediately available for
use until configured otherwise.
Access Time Policy
Surfing Quota Policy
Data Transfer Policy
Page 338 of 490
Cyberoam User Guide
Access Time Policy
Access time is the time period during which user can be allowed/denied Internet access. An example would
be only office hours access for a certain set of users.
Access time policy enables to set time interval - days and time - for the Internet access with the help of
schedules. See Schedules for more details.
A time interval defines days of the week and times of each day of the week when the user will be
allowed/denied the Internet access.
Two strategies based on which Access time policy can be defined:
Allow strategy - By default, allows access during the schedule
Deny strategy - By default, disallows access during the schedule
Appliance comes with the following predefined policies: Allowed all the time, Denied all the time, Allowed only
during Work Hours, Denied during Work hours. These predefined policies are immediately available for use
until configured otherwise. You can also define custom policies to define different levels of access for different
users to meet your organizations requirements.
Manage Access Time Policy list
The Access Time page displays list of all the default as well as custom policies. The page also provides option
to add, update, or delete the access time policies.
To manage Access Time Policies, go to Identity > Policy > Access Time.
Screen Manage Access Time Policy
Screen Element
Description
Name
Displays the name for the Policy.
Strategy
Displays the Type of Strategy selected: Allow or Deny.
Page 339 of 490
Cyberoam User Guide
Schedule
Displays the Type of Schedule selected.
Description
Policy Description.
Table Manage Access Time Policies screen elements
Access Time Policy Parameters
To add or edit an access time policy, go to Identity > Policy > Access Time. Click the Add button to
add a new policy. To update the details, click on the policy or Edit icon
policy you want to modify.
in the Manage column against the
Screen Add Access Time Policy
Screen Element
Description
Name
Provide a Name to identify the Policy.
Strategy
Specify strategy to be applied during the scheduled time
interval.
Available Options:
Allow Allows the Internet access during the scheduled
time interval.
Deny Does not allow the Internet access during the
scheduled time interval.
Schedule
Select Schedule. Only Recurring schedule can be applied.
Available Options:
All The Time
Work hours (5 Day Week)
Work hours (6 Day week)
All Time on Weekdays
All Time on Weekends
All Time on Sunday
All Days 10:00 to 19:00
Page 340 of 490
Cyberoam User Guide
Depending on the policy strategy, access will be allowed/denied
for the scheduled time interval.
Description
Provide Policy Description.
Table Add Access Time Policy screen elements
Note
A change made in a policy becomes effective immediately on saving the changes.
Page 341 of 490
Cyberoam User Guide
Surfing Quota Policy
Surfing quota policy defines the duration of Internet surfing time. Surfing time duration is the allowed time in
hours for a Group or an Individual User to access Internet.
Surfing Quota Policy:
Allows allocating Internet access time on a cyclic or non-cyclic basis.
Single policy can be applied to number of Groups or Users.
The Appliance comes with the following predefined policies: Unlimited Internet Access, 1 Month Unlimited
Access, 1 month 100 hours, Monthly 100 hours Cyclic, Daily 1 hour Cyclic, Weekly 7 hours Cyclic. These
predefined policies are immediately available for use until configured otherwise. You can also define custom
policies to define different levels of access for different users to meet your organizations requirements.
Manage Surfing Quota Policy list
The Surfing Quota page displays list of all the default as well as custom policies. The page also provides
option to add, update, or delete surfing quota policies.
To manage surfing quota policies, go to Identity > Policy > Surfing Quota.
Screen Manage Surfing Quota Policy
Screen Element
Description
Name
Displays the name for the Policy.
Time Allowed (HH)
Maximum Time in a day for which the policy remains active.
Validity
Specify the time period in day(s) for which the policy remains
active.
Cycle Type
Displays the Type of Cycle: Cyclic or Non-Cyclic.
Cycle Time
Displays the Hours for which the cycle is active.
Description
Policy Description.
Table Manage Surfing Quota Policies screen elements
Page 342 of 490
Cyberoam User Guide
Surfing Quota Policy Parameters
To add or edit a surfing quota policy, go to Identity > Policy > Surfing Quota. Click the Add button
to add a new policy. To update the details, click on the policy or Edit icon
the policy you want to modify.
in the Manage column against
Screen Add Surfing Quota Policy
Screen Element
Description
Name
Specify name to identify the Policy. Duplicate names are not
allowed.
Cycle Type
Select Cycle type.
Available Options:
Cyclic Restricts surfing hours up to cycle hours defined
on predefined time duration.
Non-Cyclic Surfing hour restriction is defined by total
allotted days and time.
Cycle Hours
Specify Cycle Hours. Cycle hours define the upper limit of
surfing hours for cyclic types of policies i.e. Daily, Weekly,
Monthly and Yearly.
At the end of each Cycle, cycle hours are reset to zero i.e. for
Weekly Cycle type, cycle hours will to reset to zero every week
even if cycle hours are unused.
Validity
Specify Validity in number of days. Validity defines the upper
limit of total surfing days allowed i.e. restricts total surfing days
to valid allotted days.
OR
Click Unlimited Days, if you do not want to restrict the total
surfing days.
Maximum Hours
Specify Maximum Hours. Maximum hours define the upper limit
of total surfing hours allowed i.e. restricts total surfing hours to
maximum hours.
Page 343 of 490
Cyberoam User Guide
OR
Click Unlimited Hours, if you do not want to restrict the total
surfing hours.
Description
Provide description for Surfing Quota Policy.
Table Add Surfing Quota Policy screen elements
Page 344 of 490
Cyberoam User Guide
Data Transfer Policy
Once the user logs on, the bandwidth is available and the total available bandwidth is shared amongst all the
active users at the particular time. Bandwidth being a limited resource, its shortage and congestion problems
are common. Appliance allows limiting data transfer allowed to individual user according to the requirement.
Bandwidth is limited using the Bandwidth policy while data transfer policy defines the upper limit for data
transfer carried out by the user.
Data transfer policy:
Allows limiting data transfer on a cyclic or non-cyclic basis.
Single policy can be applied to number of Groups or Users.
Data transfer restriction can be based on:
Total Data transfer (Upload + Download)
Individual Upload and/or Download
The Appliance comes with the following predefined policies: 100 MB Total Data Transfer policy, Daily 10 MB.
These predefined policies are immediately available for use until configured otherwise. You can also define
custom policies to define different levels of access for different users to meet your organizations
requirements.
Manage Data Transfer Policy list
To manage data transfer policies, go to Identity > Policy > Data Transfer.
Screen Manage Data Transfer Policy
Screen Element
Description
Name
Displays the name for the Policy.
Cycle Type
Displays the Type of Cycle: Cyclic or Non-Cyclic.
Absolute Limit (MB)
Absolute Data transfer limit in MB including upload, download
and total data transfer.
Cycle Limit (MB)
Cyclic Data transfer limit in MB including upload, download and
total data transfer.
Table Manage Data Transfer Policies screen elements
Page 345 of 490
Cyberoam User Guide
Data Transfer Policy Parameters
To add or edit a data transfer policy, go to Identity > Policy > Data Transfer. Click the Add button to
add a new policy. To update the details, click on the policy or Edit icon
policy you want to modify.
in the Manage column against the
Screen Add Data Transfer Policy
Screen Element
Description
Name
Name to identify the Policy. Duplicate names are not allowed.
Restriction Based On
Specify whether the data transfer restriction is on total data
transfer or on individual data transfer (upload and download).
Cycle Type
Select Cycle type.
Available Options:
Cyclic Restricts surfing hours up to cycle hours defined
on predefined time duration.
Non Cyclic Surfing hour restriction is defined by total
allotted days and time duration
Based on the options selected for the Restriction and Cycle Type, specify the following details.
Restriction based on Total Data Transfer and Cyclic Policy
Cycle Period
Specify Cycle Period. Cycle period defines the duration for
cyclic types of policies i.e. Day, Week, Month and Year.
Cycle Data Transfer
Specify Cycle Data Transfer limit. It is the limit of data transfer
allowed to the user per cycle. User will be disconnected if limit
is reached.
OR
If you do not want to restrict data transfer per cycle, click
Unlimited Cycle Data transfer.
Page 346 of 490
Cyberoam User Guide
Maximum Data
Transfer
Specify the Maximum Data Transfer limit. It is the data transfer
allowed to the user and if the limit is reached, user will not be
able to log on until the policy is renewed.
OR
If you do not want to restrict maximum data transfer, click
Unlimited Maximum Data Transfer.
Restriction based on Total Data Transfer and Non-Cyclic Policy
Maximum Data
Transfer
Specify the Maximum Data Transfer limit. It is the data transfer
allowed to the user and if the limit is reached user will not be
able to log on until the policy is renewed.
OR
If you do not want to restrict maximum data transfer, click
Unlimited Maximum Data Transfer.
Restriction based on Individual Data Transfer and Cyclic Policy
Cycle Period
Specify Cycle Period. Cycle period defines the duration for
cyclic types of policies i.e. Day, Week, Month and Year.
Cycle Upload Data
Transfer
Specify Cycle Upload Data Transfer limit. It is the upper limit of
upload data transfer allowed to the user per cycle. User will be
disconnected if limit is reached.
OR
If you do not want to restrict upload data transfer per cycle, click
Unlimited Cycle Upload Data transfer.
Cycle Download Data
Transfer
Specify Cycle Download Data Transfer limit. It is the upper limit
of download data transfer allowed to the user per cycle. User
will be disconnected if limit is reached.
OR
If you do not want to restrict download data transfer per cycle,
click Unlimited Cycle Download Data transfer.
Maximum Upload
Data Transfer
Specify the Maximum Upload Data Transfer limit. It is the
maximum upload data transfer allowed to the user and if the
limit is reached user will not be able to log on until the policy is
renewed.
OR
If you do not want to restrict maximum upload data transfer,
click Unlimited Upload Data Transfer.
Maximum Download
Data Transfer
Specify Maximum Download Data Transfer limit. It is the
maximum download data transfer allowed to the user and if the
limit is reached user will not be able to log on until the policy is
renewed.
OR
If you do not want to restrict maximum download data transfer,
click Unlimited Download Data Transfer.
Restriction based on Individual Data Transfer and Non-Cyclic Policy
Maximum Upload
Data Transfer
Specify Maximum Upload Data Transfer limit. It is the maximum
upload data transfer allowed to the user and if the limit is
reached user will not be able to log on until the policy is
renewed.
Page 347 of 490
Cyberoam User Guide
OR
If you do not want to restrict maximum upload data transfer,
click Unlimited Upload Data Transfer.
Maximum Download
Data Transfer
Specify Maximum Download Data Transfer limit. It is the
maximum download data transfer allowed to the user and if the
limit is reached user will not be able to log on until the policy is
renewed.
OR
If you do not want to restrict maximum download data transfer,
click Unlimited Download Data Transfer.
Description
Provide Policy Description.
Table Add Data Transfer Policy screen elements
Note
Cycle Data Transfer limit cannot be greater than Maximum Data Transfer limit.
Page 348 of 490
Cyberoam User Guide
Live Users
Live users in the Appliance can be managed from a single page. All the active normal users, Clientless Users
and Single Sign On users are visible from the Live Users. The Administrator can disconnect these users from
this page directly.
User types
Appliance supports five types of Users:
Normal
Clientless
Single Sign on
Thin Client User
WWAN User
Normal User has to log on to the Appliance. Requires client (client.exe) on the User machine or user can use
HTTP Client component and all the policy-based restriction are applied.
Clientless does not require client component (client.exe) on the User machines.
If User is configured for Single sign on, whenever User logs on to Windows, he/she is automatically logged to
the Appliance.
If the User is a thin client user, whenever user logs on, he/she is visible on Live Users page.
If a wireless user is configured and connected, he/she is visible on Live User page.
Live Users
Identity > Live Users > Live Users page displays list of currently logged on users and their important
parameters. You can:
Disconnect Click the Disconnect icon
in the Manage column against a live user to be disconnected.
A dialog box is displayed asking you to specify a customized message for the user that is to be
disconnected. Click OK to disconnect the User. To disconnect multiple live users, select them
and
click the Disconnect button.
View Live User List
The page displays list of currently logged on users and their important parameters. Page also provides option
to disconnect the user.
To disconnect a user:
1. Click the Disconnect icon
under the Manage column against a user.
2. Specify the message in a dialog box.
Page 349 of 490
Cyberoam User Guide
3. Click the OK button to disconnect the User. To disconnect multiple live users, select them
click the Disconnect button.
and
Note
Configured Message would not be sent to a Clientless User.
To view and disconnect live users in Cyberoam, go to Identity > Live Users > Live User.
Screen Live Users
Screen Element
Description
User ID
Displays the User Identification number.
User Name
Displays the name of the user with which she has logged in.
Client Type
Displays the name of the Group to which user belongs.
Host IP
Displays IP Address from which user has logged on.
IP Family
Displays the IP Family IPv4 and IPv6.
MAC
MAC Address of the machine from which user had logged in.
Start Time
Session start time or login time.
Upload / Download
Data uploaded and Download during the session
Data Transfer Rate
(bits/sec)
Bandwidth used during the session
Internet Usage Time
(HH:MM)
Internet usage during the session.
Disconnect Icon
Disconnect the Live User.
Table Live Users screen elements
Page 350 of 490
Cyberoam User Guide
Live User Parameters
To edit user details, go to Identity > User > Live User. Click the Edit Icon
the live user.
to modify the details of
Screen Edit Live User
Screen Element
Description
Username
Specify a unique username to identify the user and for login.
Name
Name of the User.
IP Address
Specify the IP Address.
Group
Select Group for any live user.
Specify Email ID.
Internet Usage Time
Displays total Internet usage time information.
Policies
Web Filter
Select the Web Filter Policy.
You can also add and edit the details of web filter policy from the
Clientless User Page itself. But, policy details can only be
modified once the User is created.
By default, Allow All Web filter Policy is applied to the user.
Page 351 of 490
Cyberoam User Guide
Application Filter
Select the Application Filter Policy.
You can also add and edit the details of application filter policy
from the Clientless User Page itself. But, policy details can only
be modified once the User is created.
By default, Allow All Application filter Policy is applied to the
user.
Surfing Quota
(Not applicable to
Clientless user)
Select the Surfing Quota Policy from the list.
You can also create a new policy directly from this page itself
and attach to the user.
Page 352 of 490
Cyberoam User Guide
Access Time
(Not applicable to
Clientless user)
Select the Access Time Policy from the list.
Data Transfer
(Not applicable to
Clientless user)
Select the Data Transfer Policy from the list.
You can also create a new policy directly from this page itself
and attach to the user.
You can also create a new policy directly from this page itself
and attach to the user.
Page 353 of 490
Cyberoam User Guide
QoS
Select the QoS Policy.
You can also add and edit the details of QoS policy from the
Clientless User Page itself. But, policy details can only be
modified once the User is created.
SSL VPN
Select an SSL VPN policy from the list.
If user is not to be provided the SSL VPN access then select No
Policy Applied.
L2TP
Enable if you want to allow user to get access through L2TP
connection.
Page 354 of 490
Cyberoam User Guide
(Not applicable to
Clientless user)
PPTP
(Not applicable to
Clientless user)
Enable if you want to allow user to get access through PPTP
connection.
Quarantine Digest
Enable/Disable Quarantine Digest.
Simultaneous Logins
(Not applicable to
Clientless user)
Specify the number of concurrent logins that will be allowed to
user OR Click Unlimited for allowing unlimited Concurrent
logins.
Note
The specified setting will override the global setting
specified in the client preferences.
MAC Binding
(Not applicable to
Clientless user)
Enable/disable MAC Binding. By binding User to MAC Address,
you are mapping user with a group of MAC Addresses.
MAC Address List
(Not applicable to
Clientless user)
Specify MAC Addresses for example 01:23:45:67:89:AB.
Once you enable MAC binding, user will be able to login through
pre-specified machines only.
To configure multiple MAC Addresses use comma. For example
01:23:45:67:89:AB, 01:23:45:67:89:AC
Login Restriction
(Not applicable to
Clientless user)
Select the appropriate option to specify the login restriction for
the user.
Available Options:
Any Node Select to allow user to login from any of the
nodes in the network.
User Group Node(s) Select to allow user to login only
from the nodes assigned to her group.
Selected Nodes Select to allow user to login from the
specified nodes only.
Node Range Select to allow range of IP Address and
specify IP Address range.
Administrator Advanced Settings
Schedule for
Appliance Access
Schedule the Appliance access.
Administrator will be able to access the Appliance only during the
time configured in schedule.
Login Restriction for
Appliance Access
Select the appropriate option to specify the login restriction for
the user.
Available Options:
Page 355 of 490
Cyberoam User Guide
Any Node Administrator will be able to login from any of
the nodes in the network.
Selected Nodes Administrator will be able to login from
the specified nodes only.
Node Range Administrator will be able to login from any of
the IP Address from the configured range.
Reset User
Accounting
(Displayed only after
user is added)
Click to reset the usage accounting i.e. internet usage time and
data transfer of the user.
View Usage
(Displayed only after
user is added)
Click to view the Internet usage and data transfer usage.
Table Edit Live Users screen elements
Page 356 of 490
Cyberoam User Guide
Firewall
A Firewall protects the network from unauthorized access and typically guards the LAN and DMZ networks
against malicious access; however, Firewalls may also be configured to limit the access to harmful sites for
LAN users.
The responsibility of Firewall is to grant access from Internet to DMZ or Service Network according to the
Rules and Policies configured. It also keeps a watch on the state of connection and denies any traffic that is
out of the connection state.
Firewall Rule provides centralized management of security policies. From a single Firewall Rule, you can
define and manage an entire set of Appliance security policies.
Use Firewall Rule to:
Monitor and scan VPN traffic.
Define inbound and outbound access based on source and destination hosts/network.
Enable scanning for HTTP, HTTPS, FTP, SMTP, SMTP over SSL, POP3 or IMAP traffic for Email
spam filtering, virus security and also get spyware, malware and phishing protection. To apply Anti
Virus protection and spam filtering, you need to subscribe Gateway Anti Virus and Gateway Anti Spam
modules individually. Refer to Licensing section for details.
Define IPS policy for protection against threats and attacks originating from external world and
internal network. To apply IPS policy you need to subscribe for Intrusion Prevention System module.
Refer to Licensing section for details.
Attach Gateway routing policy for load balancing and gateway failover protection in case of multiple
gateways
Define Web filtering policy for web access control and block access to inappropriate web sites. To
control access based on custom web categories, you need to subscribe Web and Application Filter
module. Refer to Licensing section for details.
Define Applications filtering policy for controlling access to applications like IM, P2P and VOIP. To
control access based on custom web categories, you need to subscribe Web and Application Filter
module. Refer to Licensing section for details.
Schedule access
Attach QoS policy to control and schedule bandwidth usage per user, group or prioritize bandwidth
usage for particular application.
How it works
Firewall Rules control traffic passing through the Appliance. Depending on the instruction in the rule, the
Appliance decides on how to process the access request. When the Appliance receives the request, it checks
for the source address, destination address and the services and tries to match with the Firewall Rule. If
Identity match is also specified, Firewall will search in the Live Users Connections for the Identity check i.e.
will check whether the user is allowed access or not. If Identity (User) is found in the Live User Connections
and all other matching criteria are fulfilled, access is allowed or denied based on the action configured in the
rule.
By default, the Appliance blocks any traffic to LAN.
Page 357 of 490
Cyberoam User Guide
IPv6
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP). It is a routable protocol,
that provides identification and location system for devices on networks and routes traffic across the Internet.
The Internet Engineering Task Force (IETF), an open standards organization that develops and promotes
Internet standards, has developed IPv6 to deal with the long-anticipated problem of IPv4 address exhaustion.
IPv6 replaces IPv4, the existing Internet Protocol.
Benefits of IPv6:
Large address space
New and simplified header format
Efficient and hierarchical addressing and routing
Stateless and stateful address configuration
Built-in security and interoperability
In-built mobility
Mandatory Multicast support
Better support for QoS
ICMPv6 based new protocol for neighboring node interaction
Extensibility in packet headers
IPv6 Features supported in CyberoamOS
You will be able to use IPv6 as well as IPv4 for the following:
Networking
1. Alias and VLAN (needs the IP Address of the same family on the respective physical interface)
2. Alias over WLAN
3. LAG
4. Multiport Bridge
5. Gateway
6. Route Static and Dynamic
7. DNS and DHCP Services
8. Router Advertisement
9. Neighbor Discovery Protocol
Firewall Security
1. QoS Policy
2. DoS and Spoof Prevention
3. Host, Host Group, MAC Group
4. IPv6 Services
5. NAT Policy (NAT66)
6. Scheduling
7. Virtual Host
Layer 8 Identity over IPv6
1. Authentication AD, LDAP, Radius
2. Clientless Users
3. IPv6 Captive Portal
Logging and Reporting
Page 358 of 490
Cyberoam User Guide
1. Traffic Discovery (For User and Source IP Address)
2. Logs and Reports
3. 4-Eye Authentication
Diagnostic
1. Packet Capture
2. Connection List
3. Ping6
4. Tracert6
5. Name Lookup
6. Route Lookup
7. System Graphs
SNMP
SYSLOG
NTP
IPv6 Certificate
Scheduled Backup on IPv6 Server
Backup Restore
High Availability
Page 359 of 490
Cyberoam User Guide
Default Firewall Rules
At the time of deployment, the Appliance allows to define one of the following access policies through Network
Configuration Wizard:
Monitor only
General Internet policy
Strict Internet policy
Default Firewall Rules for Monitor only policy
Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying following
policies:
Web Filter Policy User specific
Application Filter Policy User specific
QoS Policy User specific
Anti Virus & Anti Spam policy Allows SMTP, SMTP over SSL, POP3, IMAP, HTTP and HTTPS
traffic without scanning
Masquerade and allow entire LAN to WAN traffic for all the users without scanning SMTP, SMTP over
SSL, POP3, IMAP, HTTP and HTTPS traffic
Default Firewall Rules for General Internet policy policy
Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying following
policies:
Web Filter Policy User specific
Application Filter Policy User specific
QoS Policy User specific
Anti Virus & Anti Spam policy Scan SMTP, SMTP over SSL, POP3, IMAP, HTTP and HTTPS
traffic
Masquerade and allow entire LAN to WAN traffic for all the users after applying following policies:
Web Filter & Application Filter policy Applies General Corporate Policy to block Porn, Nudity,
Adult Content, URL Translation Sites, Drugs, Crime and Suicide, Gambling, Militancy and
Extremist, Phishing and Fraud, Violence, Weapons categories
IPS General policy
Anti Virus & Anti Spam policy Scan SMTP, SMTP over SSL, POP3, IMAP, HTTP and HTTPS
traffic
Default Firewall Rules for Strict Internet policy policy
Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying following
policies:
Web Filter Policy User specific
Application Filter Policy User specific
QoS Policy User specific
Anti Virus & Anti Spam policy Scan SMTP, SMTP over SSL, POP3, IMAP, HTTP and HTTPS
traffic
Drop entire LAN to WAN traffic for all the users
Note
Page 360 of 490
Cyberoam User Guide
Default Firewall Rules can be modified as per the requirement but cannot be deleted.
IPS policy will not be effective until Intrusion Prevention System (IPS) module is subscribed.
Virus and Spam policy will not be effective until Gateway Anti Virus and Gateway Anti Spam modules are
subscribed respectively.
If access Policy is not set through Network Configuration Wizard at the time of deployment, the entire
traffic is dropped.
Additional Firewall Rules for any of the zones can be defined to extend or override the default rules. For
example, rules can be created that block certain types of traffic such as FTP from the LAN to the WAN, or
allow certain types of traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols
such as Telnet to authorized users on the LAN.
Custom rules evaluate network traffics source IP Addresses, destination IP Addresses, User, IP protocol
types, and compare the information to access rules created on the Appliance. Custom rules take precedence,
and override the default Appliance Firewall Rules.
Rule
Virtual Host
NAT Policy
Spoof Prevention
DoS
Page 361 of 490
Cyberoam User Guide
Rule
IPv4 Firewall Rule
The Appliances Identity based Firewall allows creation of Firewall Rules embedding user identity into the
Firewall Rule matching criteria. It also allows to bind identity and device by embedding device MAC Address
through MAC Host in Firewall Rule.
Firewall Rule matching criteria now includes:
Source and Destination Zone and Host. The direction of traffic is determined by source and destination
zone. The same zone cannot be defined as both the source or destination zone.
User
Service
Schedule
Attach all the Unified Threat Control policies to the Firewall Rule as per the defined matching criteria:
Intrusion Prevention System (IPS)
Anti Virus
Anti Spam
Web Filter
Application Filter
QoS
User and application based Routing policies
To create a Firewall Rule, you should:
Define matching criteria
Associate action to the matching criteria
Attach the threat management policies
For example, now you can:
Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP Address
192.168.2.22
Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP
Address 192.168.2.22
The rule page displays list of default and custom firewall rules. All the firewall rules are grouped by its source
and destination zone. The page also provides option to add or insert a new rule, update the existing rule,
changing the rule order, or delete a rule.
Viewing Firewall Rules between two Zones
To view the firewall rules for the specific zones, select zones. For example, if you select LAN and WAN, all
the Firewall Rules created for LAN zone to WAN zone will be displayed.
Firewall rule controls the traffic flowing through the Appliance and are created for a pair of source and
destination zone which determines the traffic direction.
Page 362 of 490
Cyberoam User Guide
Processing of firewall rules is top downwards and the first suitable rule found is applied.
Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that you specifically have a rule written to deny later in the list. When a
packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of
the rules in the list.
As the firewall rules are grouped source and destination zone wise, rule can be added at the bottom of the
list or can be inserted in the group.
Inserting a Firewall Rule To insert a rule for a particular source and destination zone click the Insert
icon
under the Manage column against a firewall rule for the required source and destination zone.
For example, if you have already added a firewall rule for LAN to DMZ zone and want to add another
rule for the same zones then click Insert icon against the firewall rule for LAN to DMZ zone. It will add
a new firewall rule for the same zones.
Reordering Firewall Rules Rules are ordered by their priority. When the rules are applied, they are
processed from the top down and the first suitable rule found is applied. Hence, while adding multiple
rules, it is necessary to put specific rules before the general rules. Otherwise, a general rule might allow
a packet that you specifically have a rule to deny later in the list. When a packet matches the rule, the
packet is immediately dropped or forwarded without being tested by the rest of the rules in the list. To
change order of the rule, click the Move icon
against the rule whose order is to be changed. Move
the rule by dragging and dropping to a required position.
Clear All Filters To clear all the search filters applied on the source, destination or identity columns,
click the Clear All Filters button. This helps in removing filters on multiple columns at a time.
View Firewall Rules between two Zones To view Firewall Rules for the selected zones, select zones
For example, if you select LAN and WAN, all the Firewall Rules created for LAN zone to WAN zone will
be displayed.
Icons and their Meaning in Firewall Rule
Icon
Meaning
Appearing under
Column
Firewall rule is enabled and is currently
applied to the traffic.
Enable
Firewall rule is disabled.
Enable
Firewall rule is enabled but is not
currently applied. It will be applied to the
traffic as per the time configured in the
schedule.
Enable
Enabled
Disabled
SMTP Scanning enabled.
SMTP Scanning disabled.
SMTP over SSL Scanning enabled
IM
Scanning,
WAF,
Logging, Bypass User
Accounting
AV & AS Scanning
AV & AS Scanning
Page 363 of 490
Cyberoam User Guide
SMTP over SSL Scanning disabled
POP Scanning enabled.
POP Scanning disabled.
IMAP Scanning enabled.
IMAP Scanning disabled.
HTTP Scanning enabled.
HTTP Scanning disabled.
FTP Scanning enabled.
FTP Scanning disabled.
HTTPS Scanning enabled.
HTTPS Scanning disabled.
AV & AS Scanning
AV & AS Scanning
AV & AS Scanning
AV & AS Scanning
AV & AS Scanning
Inserts rule before the existing rule.
Manage
Changes order of the rule.
Manage
Page 364 of 490
Cyberoam User Guide
Manage Firewall Rule List
Firewall Rules control the traffic flowing through Appliance. Firewall > Rule > IPv4 Rule page displays
a list of Firewall Rules and provides a way to manage rules.
Rules are created for a pair of source and destination zone which determines the traffic direction.
Screen Firewall Rule
Screen Element
Description
ID
Firewall Rule ID which is generated automatically at the time of
creation.
Rule Name
Firewall Rule name to identify the Firewall Rule.
Enable
Click to activate/deactivate the rule. If you do not want to apply
the Firewall Rule temporarily, disable rule instead of deleting.
Source
Source Host to which the rule applies.
Destination
Destination Host to which the rule applies.
Service
Service for which the rule is created.
Action
Displays the action to be taken when the rule matches a
connection attempt.
Identity
Displays user or user group on which the firewall rule is applied.
If Identity is configured, user based policies will be applied to
the traffic.
Web Filter
A Web Filter policy to be applied to the traffic.
Point to the policy link to view or edit the policy details.
Application Filter
An Application Filter policy to be applied to the traffic.
Point to the policy link to view or edit the policy details.
NAT
NAT policy to be applied to the traffic.
Point to the policy link to view or edit the policy details.
IPS
IPS policy to be applied to the traffic.
QoS Policy
QoS policy to be applied to the traffic.
Point to the policy link to view or edit the policy details.
Page 365 of 490
Cyberoam User Guide
IM Scanning
Displays whether IM Scanning is enabled or disabled.
AV & AS Scanning
Displays the protocols selected for AV & AS Scanning.
Schedule
A Schedule that controls when the rule should be active.
Point to the schedule link to view or edit the schedule details.
Logging
Firewall Rule logging.
Description
Firewall Rule Description.
Routing through
Gateway
Routing policy applied to the traffic.
Backup Gateway
Backup gateway for the traffic.
Upload Data
Displays total outgoing traffic.
Download Data
Displays total incoming traffic.
DSCP Marking
Displays DSCP value for rule.
WAF
Displays whether WAF is active mode or inactive mode for a
rule.
Bypass User
Accounting
Displays whether Bypass User Accounting is enabled or
disabled.
Table - Manage IPv4 Firewall Rule screen elements
Change Firewall Rule order
Rule order defines the rule processing priority. When the rules are applied, they are processed from the top
down and the first suitable rule found is applied.
Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that you specifically have a rule written to deny later in the list. When a
packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of
the rules in the list.
Go to Firewall > Rule > IPv4 Rule. Click the move rule
changed.
against the rule whose order is to be
Click on the rule to be moved and then drag & drop the rule in the desired order.
Click close to save the order.
Page 366 of 490
Cyberoam User Guide
Screen Move IPv4 Firewall Rule
Page 367 of 490
Cyberoam User Guide
IPv4 Firewall Rule Parameters
To add or edit Firewall Rules, go to Firewall > Rule > IPv4 Rule. Click Add Button to add a new rule
or the Edit Icon
in the Manage column against the Firewall Rule to modify the details of the rule. Firewall
Rule Parameters are given below.
Screen - Add IPv4 Firewall Rule
Page 368 of 490
Cyberoam User Guide
Parameters
Screen Element
Description
General Settings
Rule Name
Name
Specify a name to identify the Firewall Rule.
Description
Provide description for the rule.
Basic Settings
Zone
Select the source and destination zone to which the rule
applies.
Attach Identity
(Only if source zone
is LAN/DMZ/VPN)
Attach Identity allows you to check whether the specified
user/user group from the selected zone is allowed to access the
selected service or not.
This feature is not available in case WAN is selected and the
Source Zone.
Click to attach the user identity.
Enable check identity to apply following policies per user:
Web policy and Application policy for Content Filtering
(Users policy will be applied automatically but will not
be effective till the Web and Application Filtering
module is subscribed).
Schedule Access.
IPS (Users IPS policy will be applied automatically but
will not be effective till the IPS module is subscribed).
Anti Virus scanning (Users anti virus scanning policy
will be applied automatically but it will not be effective
till the Gateway Anti Virus module is subscribed).
Anti Spam scanning (Users anti spam scanning policy
will be applied automatically but it will not be effective
till the Gateway Anti Spam module is subscribed).
QoS policy Users QoS policy will be applied
automatically.
Page 369 of 490
Cyberoam User Guide
WAF (Users WAF policy will be applied automatically
but will not be effective till the WAF module is
subscribed).
Policy selected in the Route through Gateway field is
the static routing policy that is applicable only if more
than one gateway is defined and used for load
balancing.
Limit access to available services.
Identity
Select user/user group for the selected zone to allow/deny
access the selected service.
Exclude traffic from
data accounting for
selected user(s)
By default users network traffic is considered in data
accounting. Select to exclude certain traffic user data
accounting. The traffic allowed through this firewall rule will not
be accounted towards data transfer for the user.
This option is available only if the parameter Attach Identity is
enabled.
This traffic will not be included in the user accounting reports Internet Usage report and My Account reports, but will be
included in the firewall activity reports.
Example:
A User is added from Identity > Users > Users
User Name Cyberoam
Maximum Data Transfer limit for User Cyberoam
100 MB
An IPv4 Firewall Rule is created
Firewall Rule Name Bypass Data Transfer
Firewall Rule for zones LAN to WAN
Attached Identity Enabled (User Cyberoam)
Bypass User Data Transfer Accounting Enabled
User Activity
The user transfers data in LAN to LAN Zone 50
MB
The user transfers data in LAN to WAN Zone 10
MB
Accounted Data Transfer
Calculated Total Data Transfer 50 MB
Reason Only the data transferred on LAN to LAN zone is
considered i.e. 50MB. Data transferred on LAN to WAN Zone
i.e. 10 MB is not calculated and bypassed by the Administrator
as per the IPv4 Firewall Rule Bypass Data Transfer.
Page 370 of 490
Cyberoam User Guide
Network/Host
Specify source and destination host or network address to
which the rule applies.
Host dropdown list also displays MAC based host, dynamic
hosts and host groups which are automatically added on
creation of VPN Road warrior connections(IPSec and SSL). It
will also display the default hosts created for road warrior
connection
##ALL_RW,
##ALL_IPSEC_RW,
##ALL_SSLVPN_RW, ##WWAN1(when WWAN is enabled)
You can also define a new IP host, IP host group, MAC host,
virtual host, FQDN host, FQDN host group, country host,
country host group and Web Server directly from this page.
Services
Services represent the types of Internet data transmitted via
particular protocols or applications.
Select Services/Service Group to which the rule applies.
If Virtual host is selected as Destination host, you will be able to
configure services only if the selected virtual host is not port
forwarded.
Page 371 of 490
Cyberoam User Guide
You can also add a custom service or service group from this
page itself.
Protect by configuring rules to:
block services at specific zone.
limit some or all users from accessing certain services
allow only specific user to communicate using specific
service
Schedule
Select Schedule for the rule.
You can also add a new schedule directly from this.
Action
Select rule action.
Available Options:
Accept Allow access
Drop Silently discards
Reject Denies access and ICMP port unreachable
message will be sent to the source.
Page 372 of 490
Cyberoam User Guide
While sending a response it might be possible that response is
sent using a different interface than the one on which request
was received. This may happen depending on the Routing
configuration done on Appliance.
For Example,
If the request is received on the LAN port using a spoofed IP
Address (public IP Address or the IP Address not in the LAN
zone network) and specific route is not defined, Appliance will
send a response to these hosts using default route. Hence,
response will be sent through the WAN port.
Apply NAT (Only if
Action is ACCEPT)
On enabling Allow NAT access is allowed only after replacing
the source IP Address with the IP Address specified in the NAT
policy.
Select NAT Policy for the Firewall Rule. Traffic from this rule will
pass as per the NAT Policy selected for all gateways.
Default - MASQ
You can also use NAT policy configured for the gateway from
Network > Gateway > Gateway. All traffic passing from
this rule is NATed as per the gateways default NAT policy.
You can also override this gateway specific NAT policy by
selecting a NAT policy. Multiple Gateways and NAT Policy can
be added. If enabled the overridden policy is applied instead of
gateways default NAT policy.
Select None NATing is not required for a particular gateway.
Note
This option is available if
Gateway.
Appliance is deployed as
Advanced Settings
Toggle Drill Down icon Click to apply different protection settings to the traffic controlled by
Firewall. You can:
Enable load balancing and failover when multiple links are configured. Applicable only if
Destination Zone is WAN
Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP
policies. To apply antivirus protection and spam filtering, you need to subscribe for
Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing
section for details.
Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for
Intrusion Prevention System module. Refer to Licensing section for details.
Page 373 of 490
Cyberoam User Guide
Configure content filtering policies. To apply content filtering you need to subscribe for
Web and Application Filter module. Refer to Licensing section for details.
Apply QoS policy
Security Policies
Application Filter
Select Application Filter Policy for the rule. One can apply policy
on following traffic:
Incoming traffic (source zone configured as WAN)
Cyberoam destined traffic (destination zone configured as
LOCAL)
It controls access to application like IM and P2P, VOIP.
You can also create a new policy directly from this page and
attach to the user.
Apply Application
Based QoS Policy
Click to restrict bandwidth for the applications categorized under
the Application category.
A three step configuration is required as follows:
Create QoS policy from menu item QoS > Policy >
Policy > Add.
Assign above created QoS policy to the Application
category from menu item Application Filter. Policy can
be assigned to application categories.
Enable Application Category based QoS Policy from
Firewall Rule.
Above configured policy will be applicable, whenever the
application falling under the Application category is accessed.
Web Filter
Select the Web Filter Policy for the rule. One can apply the
policy on following traffic:
Incoming traffic (source zone configured as WAN)
Cyberoam destined traffic (destination zone
configured as LOCAL)
Page 374 of 490
Cyberoam User Guide
It controls web access control and blocks access to
inappropriate web sites.
You can also create a new policy directly from this page and
attach to the user.
Apply Web Category
Based QoS Policy
Click to restrict bandwidth for the URLs categorized under the
Web category.
A three step configuration is required as follows:
Create QoS policy from menu item QoS > Policy >
Policy > Add
Assign above created QoS policy to the Web category
from menu item Web Filter. Policy can be assigned to
the default as well as custom web categories.
Enable Web Category based QoS Policy from Firewall
Rule
Above configured policy will be applicable, whenever the URL
falling under the Web category is accessed.
IPS
Select IPS policy for the rule.
To use IPS, you have to subscribe for the module. Refer to
Licensing for more details.
You can also create a new policy directly from this page and
attach to the user.
Page 375 of 490
Cyberoam User Guide
ICAP
Select ICAP Policy for the rule.
You can also create a new policy directly from this page.
IM Scanning
This feature is supported in iNG series appliances
CR50iNG and above.
Click to enable IM scanning.
If enabled, all the messaging applications traffic is scanned.
WAF
Click to enable WAF.
If enabled, WAF policies will be applied.
AV & AS Scanning
Click the protocol for which the virus and spam scanning is to
be enabled
Default Disable
To implement Anti Virus and Anti Spam scanning, you have to
subscribe for the Gateway Anti Virus and Anti Spam modules
individually. Refer to Licensing for more details.
QoS and Routing Policy
QoS
Select QoS policy for the rule.
QoS policy allocates & limits the maximum bandwidth usage of
the user.
You can also create a new policy directly from this page and
attach to the user.
Page 376 of 490
Cyberoam User Guide
Select DSCP Marking.
DSCP Marking
DSCP (DiffServ Code Point) classifies flow of packets as they
enter the local network depending upon QoS. Flow is defined
by 5 elements; Source IP Address, Destination IP Address,
Source port, Destination port and the transport protocol.
For available options, refer DSCP Values.
Route Through
Gateway (Available
only if Appliance is
deployed as Gateway)
Select the routing policy. Option is available only if more than
one gateway is configured.
Backup Gateway
Specify the backup gateway.
The traffic will be routed through the configured gateway in case
gateway configured in Route Through Gateway goes down.
Note
This Option is available only if Load Balance is not
selected for Route Through Gateway
Log Traffic
Log Firewall Traffic
Click to enable traffic logging for the rule i.e. traffic permitted
and denied by the Firewall Rule.
Table - Add IPv4 Firewall Rule screen elements
DSCP Values
DiffServ Code Point (DSCP) uses the 6 bits, thereby giving 26 = 64 different values (0 to 63). Table Standard
DSCP Marking describes the standard DSCP values. Remaining DSCP values can be customized as per
the QoS requirement.
Page 377 of 490
Cyberoam User Guide
Decimal
DSCP
Description
Default
Best Effort
CS1
Class 1 (CS1)
10
AF11
Class 1, Gold (AF11)
12
AF12
Class 1, Silver (AF12)
14
AF13
Class 1, Bronze (AF13)
16
CS2
Class 2 (CS2
18
AF21
Class 2, Gold (AF21)
20
AF22
Class 2, Silver (AF22)
22
AF23
Class 2, Bronze (AF23)
24
CS3
Class 3 (CS3)
26
AF31
Class 3, Gold (AF31)
28
AF32
Class 3, Silver (AF32)
30
AF33
Class 3, Bronze (AF33)
32
CS4
Class 4 (CS4)
34
AF41
Class 4, Gold (AF41)
36
AF42
Class 4, Silver (AF42)
38
AF43
Class 4, Bronze (AF43)
40
CS5
Class 5 (CS5)
46
EF
Expedited Forwarding (EF)
48
CS6
Control (CS6)
56
CS7
Control (CS7)
Table Standard DSCP Marking
Page 378 of 490
Cyberoam User Guide
IPv6 Firewall Rules
The Appliances Identity based Firewall allows creation of Firewall Rules embedding user identity into the
Firewall Rule matching criteria. It also allows to bind identity and device by embedding device MAC Address
through MAC Host in Firewall Rule.
Firewall Rule matching criteria now includes:
Source and Destination Zone and Host. The direction of traffic is determined by source and destination
zone. The same zone cannot be defined as both the source or destination zone.
User
Service
Schedule
To create a Firewall Rule, you should:
Define matching criteria
Associate action to the matching criteria
Attach the threat management policies
For example, now you can:
Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP Address
FEC2::1
Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP
Address FEC1::5
The rule page displays list of default and custom firewall rules. All the firewall rules are grouped by its source
and destination zone. The page also provides option to add or insert a new rule, update the existing rule,
changing the rule order, or delete a rule.
Viewing Firewall Rules between two Zones
To view the firewall rules for the specific zones, select zones. For example, if you select LAN and WAN, all
the Firewall Rules created for LAN zone to WAN zone will be displayed.
Firewall rule controls the traffic flowing through Appliance and are created for a pair of source and destination
zone which determines the traffic direction.
Processing of firewall rules is top downwards and the first suitable rule found is applied.
Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that you specifically have a rule written to deny later in the list. When a
packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of
the rules in the list.
As the firewall rules are grouped source and destination zone wise, rule can be added at the bottom of the
list or can be inserted in the group.
Page 379 of 490
Cyberoam User Guide
Inserting a Firewall Rule To insert a rule for a particular source and destination zone click the Insert
icon
under the Manage column against a firewall rule for the required source and destination zone.
For example, if you have already added a firewall rule for LAN to DMZ zone and want to add another
rule for the same zones then click Insert icon against the firewall rule for LAN to DMZ zone. It will add
a new firewall rule for the same zones.
Reordering Firewall Rules Rules are ordered by their priority. When the rules are applied, they are
processed from the top down and the first suitable rule found is applied. Hence, while adding multiple
rules, it is necessary to put specific rules before the general rules. Otherwise, a general rule might allow
a packet that you specifically have a rule to deny later in the list. When a packet matches the rule, the
packet is immediately dropped or forwarded without being tested by the rest of the rules in the list. To
change order of the rule, click the Move icon
against the rule whose order is to be changed. Move
the rule by dragging and dropping to a required position.
Clear All Filters To clear all the search filters applied on the source, destination or identity columns,
click the Clear All Filters button. This helps in removing filters on multiple columns at a time.
View Firewall Rules between two Zones To view Firewall Rules for the selected zones, select zones
For example, if you select LAN and WAN, all the Firewall Rules created for LAN zone to WAN zone will
be displayed.
Page 380 of 490
Cyberoam User Guide
Manage Firewall Rule List
Firewall Rules control the traffic flowing through Appliance. Firewall > Rule > IPv6 Rule page displays
a list of Firewall Rules and provides a way to manage rules.
Rules are created for a pair of source and destination zone which determines the traffic direction.
Icons and their Meaning in Firewall Rule
Icon
Appearing
under
Column
Meaning
Firewall rule is enabled and is currently applied
to the traffic.
Enable
Firewall rule is disabled.
Enable
Firewall rule is enabled but is not currently
applied. It will be applied to the traffic as per the
time configured in the schedule.
Enable
Inserts rule before the existing rule.
Manage
Changes order of the rule.
Manage
Screen IPv6 Firewall Rule
Screen Element
Description
ID
Firewall Rule ID which is generated automatically at the time of
creation.
Rule Name
Firewall Rule name to identify the Firewall Rule.
Enable
Click to activate/deactivate the rule. If you do not want to apply
the Firewall Rule temporarily, disable rule instead of deleting.
Source
Source Host to which the rule applies.
Destination
Destination Host to which the rule applies.
Service
Service for which the rule is created.
Action
Displays the action to be taken when the rule matches a
connection attempt.
Identity
Displays user or user group on which the firewall rule is applied.
Page 381 of 490
Cyberoam User Guide
If Identity is configured, user based policies will be applied to
the traffic.
NAT policy to be applied to the traffic.
NAT
Point to the policy link to view or edit the policy details.
QoS policy to be applied to the traffic.
QoS Policy
Point to the policy link to view or edit the policy details.
A Schedule that controls when the rule should be active.
Schedule
Point to the schedule link to view or edit the schedule details.
Logging
Firewall Rule logging.
Description
Firewall Rule Description.
Routing through
Gateway
Routing policy applied to the traffic.
Backup Gateway
Backup gateway for the traffic.
Upload Data
Displays total outgoing traffic.
Download Data
Displays total incoming traffic.
DSCP Marking
Displays DSCP value for rule.
Bypass User
Accounting
Displays whether Bypass User Accounting is enabled or
disabled.
Table - Manage IPv6Firewall Rule screen elements
Change Firewall Rule Order
Rule Order defines the rule processing priority. When the rules are applied, they are processed from the top
down and the first suitable rule found is applied.
Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that you specifically have a rule written to deny later in the list. When a
packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of
the rules in the list.
Go to Firewall > Rule > IPv6 Rule. Click the move rule
changed.
against the rule whose order is to be
Click on the rule to be moved and then drag & drop the rule in the desired order.
Page 382 of 490
Cyberoam User Guide
Click close to save the order.
Screen Move IPv6 Firewall Rule
Page 383 of 490
Cyberoam User Guide
IPv6 Firewall Rule Parameters
To add or edit Firewall Rules, go to Firewall > Rule > IPv6 Rule. Click the Add button to add a new
rule or Edit Icon
in the Manage column against the Firewall Rule to modify the details of the rule. Firewall
Rule Parameters are given below.
Screen - Add Firewall Rule
Parameters
Screen Element
Description
General Settings
Rule Name
Name
Specify a name to identify the Firewall Rule.
Description
Provide description for the rule.
Basic Settings
Zone
Select source and destination zone to which the rule applies.
Note
VPN Zone is not available for IPv6.
Page 384 of 490
Cyberoam User Guide
Attach Identity
(Only if source zone
is LAN/DMZ/VPN)
Attach identity allows you to check whether the specified
user/user group from the selected zone is allowed to access the
selected service or not. Click to attach the user identity.
Enable check identity to apply following policies per user:
Schedule Access.
QoS policy Users QoS policy will be applied
automatically.
Policy selected in the Route through Gateway field is
the static routing policy that is applicable only if more
than one gateway is defined and used for load
balancing.
Limit access to available services.
Identity
Select user/user group for the selected zone to allow/deny
access the selected service.
Exclude traffic from
data accounting for
selected user(s)
By default users network traffic is considered in data
accounting. Select to exclude certain traffic user data
accounting. The traffic allowed through this firewall rule will not
be accounted towards data transfer for the user.
This option is available only if the parameter Attach Identity is
enabled.
This traffic will not be included in the user accounting reports Internet Usage report and My Account reports, but will be
included in the firewall activity reports.
Example:
A User is added from Identity > Users > Users
User Name Cyberoam
Maximum Data Transfer limit for User Cyberoam
100 MB
An IPv4 Firewall Rule is created
Firewall Rule Name Bypass Data Transfer
Firewall Rule for zones LAN to WAN
Attached Identity Enabled (User Cyberoam)
Page 385 of 490
Cyberoam User Guide
Bypass User Data Transfer Accounting Enabled
User Activity
The user transfers data in LAN to LAN Zone 50
MB
The user transfers data in LAN to WAN Zone 10
MB
Accounted Data Transfer
Calculated Total Data Transfer 50 MB
Reason Only the data transferred on LAN to LAN zone is
considered i.e. 50MB. Data transferred on LAN to WAN Zone
i.e. 10 MB is not calculated and bypassed by the Administrator
as per the IPv4 Firewall Rule Bypass Data Transfer.
Network/Host
Specify source and destination host or network address to
which the rule applies.
Host dropdown list also displays MAC based host, dynamic
hosts and host groups which are automatically added on
creation of VPN Road warrior connections(IPSec and SSL). It
will also display the default hosts created for road warrior
connection
##ALL_RW,
##ALL_IPSEC_RW,
##ALL_SSLVPN_RW, ##WWAN1(when WWAN is enabled)
You can also define a new IP host, IP host group, MAC host,
virtual host, FQDN host, FQDN host group, country host,
country host group and Web Server directly from this page.
Page 386 of 490
Cyberoam User Guide
Services
Services represent the types of Internet data transmitted via
particular protocols or applications.
Select Services/Service Group to which the rule applies.
If Virtual host is selected as Destination host, you will be able to
configure services only if the selected virtual host is not port
forwarded.
You can also add a custom service or service group from this
page itself.
Protect by configuring rules to:
block services at specific zone.
limit some or all users from accessing certain services
allow only specific user to communicate using specific
service
Schedule
Select Schedule for the rule.
You can also add a new schedule directly from this.
Page 387 of 490
Cyberoam User Guide
Action
Select rule action.
Available Options:
Accept Allow access
Drop Silently discards
Reject Denies access and ICMP port unreachable
message will be sent to the source.
When sending response it might be possible that response is
sent using a different interface than the one on which request
was received. This may happen depending on the Routing
configuration done on the Appliance.
For Example,
If the request is received on the LAN port using a spoofed IP
Address (public IP Address or the IP Address not in the LAN
zone network) and specific route is not defined, the Appliance
will send a response to these hosts using default route. Hence,
response will be sent through the WAN port.
Apply NAT (Only if
Action is ACCEPT)
Enabling Allow NAT access is allowed only after replacing the
source IP Address with the IP Address specified in the NAT
policy.
Select the NAT Policy for the Firewall Rule. Traffic from this rule
will pass as per the NAT Policy selected for all gateways.
By default, MASQ NAT Policy is selected.
You can also use the NAT policy configured for the gateway
from Network > Gateway > Gateway. All traffic passing
from this rule is NATed as per the gateways default NAT policy.
You can also override this gateway specific NAT policy by
selecting a NAT policy. Multiple Gateways and NAT Policy can
be added. If enabled the overridden policy is applied instead of
gateways default NAT policy.
Page 388 of 490
Cyberoam User Guide
Select None if NATing is not required for a particular gateway.
Note
This option is available if Appliance is deployed as
Gateway.
Advanced Setting
QoS and Routing Policy
QoS
Select QoS policy for the rule.
QoS policy allocates & limits the maximum bandwidth usage of
the user.
You can also create a new policy directly from this page and
attach to the user.
DSCP Marking
Select DSCP Marking.
DSCP (DiffServ Code Point) classifies flow of packets as they
enter the local network depending upon QoS. Flow is defined
by 5 elements; Source IP Address, Destination IP Address,
Source port, Destination port and the transport protocol.
For available options, refer DSCP Values.
Route Through
Gateway (Available
only if Appliance is
deployed as Gateway)
Select routing policy. Option is available only if more than one
gateway is configured.
Backup Gateway
Specify the backup gateway.
The traffic will be routed through the configured gateway in case
gateway configured in Route Through Gateway goes down.
Note
Page 389 of 490
Cyberoam User Guide
This Option is available only if Load Balance is not
selected for Route Through Gateway
Log Traffic
Log Firewall Traffic
Click to enable traffic logging for the rule i.e. traffic permitted
and denied by the Firewall Rule.
Table Add IPv6 Firewall Rule screen elements
Page 390 of 490
Cyberoam User Guide
Virtual Host
Virtual Host maps services of a public IP Address to services of a host in a private network.
A Virtual Host can be a single IP Address or an IP Address range or the Appliance interface itself.
The Appliance will automatically respond to the ARP request received on the WAN zone for the external IP
Address of Virtual Host. Default LAN to WAN (Any Host to Any Host) Firewall Rule will allow traffic to flow
between the Virtual Host and the network.
The Virtual Host page displays list of all the available virtual hosts. You can filter the list based on IP Family
or sort the list based on virtual host name. The page also provides option to add a new virtual host, update
the parameters of the existing virtual hosts, or delete a host.
To manage virtual hosts, go to Firewall > Virtual Host > Virtual Host.
Screen Manage Virtual Host
Screen Element
Description
Name
Displays the name of Virtual Host.
Public Address
Public IP Address through which Internet users access internal
Server/host.
Mapped Address
Mapped IP Address type is the IP Address of the internal
server/host.
Public Port
Public port used when Port Forwarding is configured.
Mapped Port
The Mapped port number on destination network when Port
Forwarding is enabled.
IP Family
Displays the IP Family IPv4 or IPv6.
Table Manage Virtual host screen elements
Virtual Host Parameters
To add or edit a virtual host, go to Firewall > Virtual Host > Virtual Host. Click the Add button to
add a new virtual host. To update the details, click on the virtual host or Edit icon
against the host that you want to modify.
in the Manage column
Page 391 of 490
Cyberoam User Guide
Screen Add Virtual host
Screen Element
Description
General Settings
Basic Settings
Name
Specify a name to identify the Virtual Host.
Description
Provide description for the Virtual Host.
IP Family
Select the IP Family to create the Virtual Host
Available Options:
IPv4 A virtual host configured for this option must have IPv4 IP
Address for both, external IP Address(s) and mapped IP
Address(s).
Page 392 of 490
Cyberoam User Guide
IPv6 A virtual host configured for this option must have IPv6 IP
Address for both, external IP Address(s) and mapped IP
Address(s).
Note
External IP
External IP Address and Mapped IP Address of a virtual host
must be of the same IP Family.
External IP Address is the IP Address through which Internet users
access internal server/host.
Available Options:
IP Address Specified IP Address is mapped to a
corresponding mapped single or range of IP Address. If single
IP Address is mapped to a range of IP Address, Appliance
uses round robin algorithm to load balance the requests.
IP Range Specified IP Address range is mapped to a
corresponding range of mapped IP Address. The IP range
defines the start and end of an address range. The start of
the range must be lower than the end of the range.
Interface IP Select when any of the Appliance Port, Alias or
Virtual LAN (VLAN) sub-interface is required to be mapped to
the destination host or network.
This option is only available for IPv4 family.
If IP Address or IP Range option is selected, Appliance
automatically responds to the ARP request received on the WAN
zone for the external IP Address.
Note
Mapped IP
If the IPv4 Family is selected, only IPv4 Address will be
available for configuration.
If the IPv6 Family is selected, only IPv6 Address will be
available for configuration.
Mapped IP is the IP Address to which the external IP Address is
mapped. This is the actual private IP Address of the host being
accessed using the Virtual Host.
Page 393 of 490
Cyberoam User Guide
Mapped IP Address is the IP Address of the internal server/host.
Available Options:
IP Address External IP Address is mapped to the specified
IP Address.
IP Range External IP Address Range is mapped to the
specified IP Address Range.
IP List External IP Address is mapped to the specified IP
list.
FQDN External IP Address is mapped to the specified
FQDN. Internal mapped server can be accessed by FQDN.
This option is only available for IPv4 Virtual Host.
Note
All the mapped servers must be bound to the same zone..
Physical Zone
LAN, WAN, DMZ, VPN or custom zone of the mapped IP
Addresses. For example, if mapped IP Address represents any
internal server then the zone in which server resides physically.
Default LAN Zone
Note
VPN zone is not supported for IPv6.
Port Forwarding
Enable Port Forwarding
Click to enable service port forwarding.
Protocol Select the protocol TCP or UDP that you want the
forwarded packets to use.
External Port Type Select the type of external port from the
available options:
Page 394 of 490
Cyberoam User Guide
Available Options:
Port
Port Range
Port List
External Port Select the public port number for which you want to
configure port forwarding.
Mapped Port Type Select the type of mapped port from the
available options:
Available Options:
Port
Port Range
Port List
Mapped Port Specify mapped port number on the destination
network to which the public port number is mapped..
Advanced Settings
Enable Load Balancing
Click to enable load balancing.
This option is available if incoming traffic is to be distributed to more than one internal server (Mapping
of single External Port to multiple Mapped Ports.)
Method
Select the method for load balancing from the available options.
Available Options:
Round Robin - In this method, requests are served in a
sequential manner where the first request is forwarded to the
first server, second request to the second server and so on.
When a request is received, Cyberoam checks to see which
the last server that was assigned a request was. It then
assigns this new request to the next available server. This
method is can be used when equal distribution of traffic is
required and there is no need for session-persistence.
First Alive - In this method, all incoming requests are served
by the first server (the first IP Address that is configured in the
IP Range). This server is considered as the primary server
and all others are considered as backup. Only when the first
server fails, the requests are forwarded to the next server in
line. This method is used for failover scenarios.
Random - In this method, the requests are forwarded to the
servers randomly. Although, Cyberoam makes sure that all
configured servers receive equally distributed load. Hence,
this method is also called uniform random distribution. This
method can be used when equal distribution of traffic is
required and there is no need for session-persistence or order
of distribution.
Page 395 of 490
Cyberoam User Guide
Sticky IP - In this method, Along with Round Robin
distribution of traffic, Cyberoam forwards incoming traffic
according to the Source IP Address. All traffic from a
particular source is forwarded only to its mapped Server. This
means that all requests for a given source IP are sent to the
same application server instance. This method is useful in
cases where all requests or sessions are required to be
processed by the same server. For example: Banking
websites, E-Commerce websites.
Enable Health Check (For failover)
Click to enable checking for failover.
This option is available only if Load Balancing is enabled.
Health Check Method
Select the method to check the health of the server from the
available options.
Available Options:
TCP Probe
ICMP Probe
Port
Specify the Port number on the server health is monitored.
Acceptable Range: 1 - 65535
This option is available only if TCP Probe Health Check Method is
selected.
Interval
Specify the time interval in seconds after which the health will be
monitored.
Acceptable Range (Seconds): 5 65535
Default - 60 seconds.
Timeout
Specify the time interval in seconds within which the server must
respond.
Timeout (Seconds): 1 10
Default - 2 Seconds
Retries
Specify the number of tries to probe the health of the server, after
which the server will be declared unreachable
Retries Range: 1 10
Default 3
Table Add Virtual host screen elements
Note
Page 396 of 490
Cyberoam User Guide
Deleting Virtual host will remove all its dependent configurations including:
Interface-Zone binding
DHCP Server or Relay
Alias based Firewall Rules
ARP Static & Proxy
Virtual Hosts and Virtual Host based Firewall Rules
Interface based Hosts and reference from Host Groups
Routes Unicast, Multicast
Once the virtual host is added, you can add a firewall rule for it at the same time or later from the firewall page
Once the Virtual Host is created successfully, Appliance automatically creates a loopback Firewall Rule for
the zone of the mapped IP Address. For example, if Virtual Host is created for the LAN mapped IP zone then
LAN to LAN Firewall Rule is created for the Virtual Host. Firewall Rule is created for the service specified in
Virtual Host. If port forwarding is not enabled in Virtual Host then Firewall Rule with All Services is created.
Verify the creation of loopback rule from Firewall page.
For Appliance to reply to the ARP requests received on any other zones than WAN zone for External IP
Address, create proxy ARP from Appliance Console option of CLI Console.
Virtual hosts have following restrictions:
Virtual Host name cannot be same as host or host group name.
External IP Address range cannot be mapped with the single Mapped IP Address.
The number of IP Addresses in mapped External address range and Mapped IP Address range must
be same.
The number of port in mapped External ports range and Mapped port range must be same.
Virtual Host with the same pair of External IP and Port cannot be created.
Different Virtual Hosts can have same External IP Address only if port forwarding is enabled for different
public port. For example,
Virtual_host1
External IP Address 192.168.1.1/ FEC0::1
Mapped IP Address 10.10.10.12/ FEC1::1
Port forward External port 25
Mapped port 35
Virtual_host2
External IP Address 192.168.1.1/ FEC0::1
Mapped IP Address 10.10.10.1 /FEC2::1
Port forward External port 42
Mapped port 48
Different Virtual Hosts cannot have same External IP Address, if port forwarding in enabled in one
Virtual Host and disabled in another Virtual Host. For example, Appliance will not allow you the creation
of:
Virtual_host1
External IP Address 192.168.1.15/FEC0::1
Mapped IP Address 10.10.10.1/FEC1::1
Virtual_host2
External IP Address 192.168.1.15/FEC0::1
Page 397 of 490
Cyberoam User Guide
Mapped IP Address 10.10.10.2/FEC2::1
Port forward External port 42
Mapped port 48
Virtual Host cannot be created with overlapping IP Address. For example, Appliance will not allow you
to create:
Virtual_host1
External IP Address 192.168.1.15-192.168.1.20/FEC0::1 - FEC0::5
Mapped IP Address 10.10.10.15-10.10.10.20/FEC1::1 FEC1::5
Virtual_host2
External IP Address 192.168.1.18/FEC0::3
Mapped IP Address 10.10.10.18/FEC2::1
Virtual Host cannot be created with overlapping ports. For example, Appliance will not allow you to
create:
Virtual_host1
External IP Address 192.168.1.15/FEC0::1
Mapped IP Address 10.10.10.1/FEC1::1
Port forward - External port 20-80
Mapped port 20-80
Virtual_host2
External IP Address - 192.168.1.15/FEC0::1
Mapped IP Address 10.10.10.2/FEC2::1
Port forward External port 25
Mapped port 25
Adding a Firewall Rule for Virtual Host list
Once the virtual host is added, you can add a firewall rule for it at the same time or later from the firewall
page. Below given parameters can be configured if you add the firewall rule at the time of adding virtual host.
Screen Firewall Rule for Virtual Host
Screen Element
Description
Add Firewall Rule(s)
For Virtual Host
Enable to add a Firewall Rule(s) once the Virtual Host is
configured.
Firewall Rule Name
Name of Firewall Rule for the configured Virtual Host.
Page 398 of 490
Cyberoam User Guide
Select a Source Zone.
Source Zone
A service for which the rule is created.
Service
If port forwarding is enabled then services for that virtual host is
uneditable.
Select the NAT policy to be applied.
Apply NAT
It allows access after replacing the source IP Address to the IP
Address specified in the NAT policy.
Select the protocol for which the virus and spam scanning is to
be enabled.
AV & AS Scanning
To implement Anti Virus and Anti Spam scanning, you have to
subscribe for the Gateway Anti Virus and Anti Spam modules
individually. Refer to Licensing for more details.
Select Yes to enable logging of traffic permitted and denied by
the Firewall Rule.
Log Traffic
Select Yes to automatically create a reflexive firewall rule for
the Virtual Host.
Reflexive rule has same firewall rule policies as those
configured for the virtual host but instead of source zone to
destination zone, this rule is applicable on traffic from
destination zone to source zone.
Create Reflexive
Rule
Consider a Mail server deployed in LAN. To publish internal
Mail server, a virtual host is created for WAN to LAN zone. The
traffic traverses from Public Internet to internal Server using the
created virtual host. On creating virtual host, firewall rules can
be configured for inbound traffic. If selected to create a reflexive
rule, a firewall rule is automatically created for outbound traffic
LAN to WAN zone with same policies applied for WAN to LAN
zone. All the outbound traffic like email sent passes from
reflexive rule
By default, the reflexive rule is not created.
Add Firewall Rule(s)
For Virtual Host
Enable to add a Firewall Rule(s) once the Virtual Host is
configured.
Firewall Rule Name
Name of Firewall Rule for the configured Virtual Host.
Source Zone
Select a Source Zone.
Table Firewall Rule for Virtual Host screen elements
Page 399 of 490
Cyberoam User Guide
NAT Policy
Network Address Translation (NAT) is the process of rewriting the source addresses of IP packets as they
pass through a router or Firewall. Mostly NAT is used to enable multiple hosts on a private network to access
the Internet using a single public IP Address. When a client sends an IP packet to the router, NAT translates
the sending address to a different, public IP Address before forwarding the packet to the Internet. When a
response packet is received, NAT translates the public address into the original address and forwards it to
the client.
NAT policy tells Firewall Rule to allow access but only after changing source IP Address i.e. source IP Address
is substituted by the IP Address specified in the NAT policy.
Use NAT to change or remap source or destination address of the packet.
Using NAT eliminates the need for public IP Addresses for all computers on your LAN. It is a way to conserve
IP Addresses available from the pool of Public IP Addresses for the Internet. NAT also allows you to conceal
the addressing scheme of your network.
The NAT Policy page displays the list of all the NAT policies and you can sort the list based on policy name.
The page also provides options to add a new policy, update the parameters of the existing policy, or delete a
policy.
Manage NAT Policy list
To manage NAT policies, go to Firewall > NAT Policy > NAT Policy.
Screen Manage NAT Policy
Screen Element
Description
Name
Displays name of the NAT Policy.
IP Family
Displays the IP Family IPv4 or IPv6.
IP Mapped To
Source IP/Range is replaced with the specified IP/Range.
Table Manage NAT Policy screen elements
NAT Policy Parameters
To add or edit NAT policies, go to Firewall > NAT Policy. Click the Add button to add a new policy. To
update the details, click on the Policy or Edit icon
modify.
in the Manage column against the policy you want to
Page 400 of 490
Cyberoam User Guide
Screen Add NAT Policy
Screen Element
Description
Name
Specify a name to identify the NAT Policy.
IP Address
Select IP Address for Source Typo.
Available Options:
IP Address It replaces source IP Address with the
specified IP Address
IP Range It replaces source IP Address with any of the
IP Address from the specified range
You can search and select a particular IP Address based on the
Host name. If IP Host or range is not already added, it can be
added from here itself or can be added from Objects >
Hosts > IP Hosts.
Table Add NAT Policy screen elements
Note
MASQ is a default policy and cannot be updated or deleted.
Page 401 of 490
Cyberoam User Guide
Spoof Prevention
You can configure MAC and/or IP Address pair entry in the IP-MAC trusted list to improve the security of your
network. Using MAC Address filtering makes it more difficult for a hacker to guess and use a random MAC
Address or spoof a MAC Address to gain access to your network as the traffic does not even reach your
Firewall.
Similarly, it is also possible to filter packets based on IP-MAC pair. It prevents hosts which try to violate trusted
IP-MAC. To make the restriction more granular, one can enable over zones.
General Settings
Trusted MAC
Configuring Spoof Prevention Settings
To enable Spoof Prevention for LAN, WAN and DMZ zones go to Firewall > Spoof Prevention >
General Settings.
If enabled, the Appliance provides 3 ways to prevent spoofing using IP-MAC trusted list:
IP Spoofing Packets will be dropped if matching route entry is not available.
MAC Filter Packets will be dropped if the MAC Addresses are not configured in the Trusted MAC
list.
IP-MAC Pair Filter Packets will be dropped if IP and MAC do not match with any entry in the IP-MAC
trusted list.
Enable Restrict Unknown IP on Trusted MAC if you want to drop traffic from any IP Address not in the trusted
list for the trusted MAC Address.
By default, it is disabled. When disabled, traffic from any IP Address not in the trusted list will be allowed even
if it is coming from the trusted MAC Address. It is enabled automatically when Spoof Prevention is enabled.
Screen General Settings
Zone
LAN
WAN
DMZ
Page 402 of 490
Cyberoam User Guide
IP Spoofing
If enabled:
Yes
No
Yes
Yes
Yes
Yes
Yes
No
Yes
Enable at least for one zone
The Appliance will reverse lookup for the route of source
network and if not available, packets will be dropped and
logged.
By default, it is not enabled for any zone.
MAC Filter
It restricts the access of your network to the external
hosts. As the Appliance will drop all the requests from the
MAC Address not configured in the trusted list, please
make sure to include MAC Addresses of all your internal
devices.
If enabled, it is to be enabled for at least one zone.
By default, it is not enabled for any zone.
IP-MAC Pair Filter
Appliance will drop the request considering it as a spoofed
request if:
MAC Address differs for the trusted IP Address
IP Address differs for the trusted MAC Address
But, the request will be allowed if IP or MAC Address does not
exist at all in the list. Request is dropped if IP-MAC pair does
not exist in the trusted list.
If enabled, it is to be enabled for at least one zone.
By default, it is not enabled for any zone.
Table General Settings
Page 403 of 490
Cyberoam User Guide
Trusted MAC
You can enable MAC Address and/or IP Address pair filtering to improve security. By enabling filtering, you
define the devices that can access your network. It is also possible to import the trusted MAC list through
CSV (Comma Separated Value) file. When a user attempts to access the network, the Appliance checks the
MAC Address and/or IP Address from the list. User gets access to the network only if the MAC Address and/or
IP Address is on the trusted MAC list else the request is rejected.
Manage Trusted MAC list
The Trusted MAC page displays list of all the MAC addresses configured as trusted MAC. The page also
provides option to add a new MAC address, update the existing addresses, and import the list of addresses.
To manage Trusted MAC list, go to Firewall > Spoof Prevention > Trusted MAC.
Screen Manage Trusted MAC list
Screen Element
Description
Import Button
Import a Trusted MAC.
MAC Address
MAC Address of the user.
IPv4 Association
Displays the type of IP Association selected: Static, DHCP or
None.
IPv4 Address
IPv4 Address bound to MAC Address, incase of static IP
association.
IPv6 Association
Displays the type of IP Association selected: Static, DHCP or
None.
IPv6 Address
IPv6 Address bound to MAC Address, incase of static IP
association.
Table Manage Trusted MAC screen elements
Page 404 of 490
Cyberoam User Guide
Trusted MAC Parameters
To add Trusted MAC list, go to Firewall > Spoof Prevention > Trusted MAC. Click the Add button
to add a Trusted MAC.
Screen Add Trusted MAC list
Screen Element
Description
MAC Address
Specify the MAC Address to be added to a Trusted MAC list.
IPv4 Address
Specify the IPv4 Address to bind with the MAC Address.
Packets will be rejected if either MAC or IPv4 Address does not
match.
Available Options:
Static IP Address to bind to the MAC Address. Packets
will be rejected if either MAC or IP Address does not
match. Multiple IP Addresses separated by comma can
be provided.
DHCP MAC Address will be bind to the IP Address
leased by the Appliance DHCP server as and when the
IP is leased. Entry will be updated automatically when the
leased IP Address is updated.
To unbind IPv4 Address, select None.
IPv6 Address
Specify the IPv6 Address to bind with the MAC Address.
Packets will be rejected if either MAC or IPv6 Address does not
match.
Available Options:
Static IP Address to be bound to the MAC Address.
Packets will be rejected if either MAC or IP Address does
Page 405 of 490
Cyberoam User Guide
not match. Multiple IP Addresses separated by comma
can be provided.
DHCP MAC Address will be bind to the IP Address
leased by the Appliance DHCP server as and when the
IP is leased. Entry will be updated automatically when the
leased IP Address is updated.
To unbind IPv6 Address, select None.
Table Add Trusted MAC list
Import Trusted MAC Address
Instead of adding the trusted entries individually, Appliance provides a facility to import the trusted list from a
CSV (Comma Separated Value) file. Click the Import button to import a CSV file. The format for the CSV file
should be as follows:
First row of the CSV file has to be the header row: MAC Address, IP Association, IP Address
The rest of the rows are values corresponding to the header fields
Blank rows will be ignored
Error Message is displayed only for invalid rows
Format of values:
Compulsory fields: MAC Address and IP Association
Optional fields: IP Address
IP Association must be Static or DHCP or None
For Static IP Association, IP Address must be available
For None/DHCP type of IP Association, IP-Address is not required
For Invalid MAC/IP Address or IP Association entry will be discarded
Use comma to insert multiple static IP Addresses
Screen Import Trusted MAC Address
Page 406 of 490
Cyberoam User Guide
DoS
The Appliance provides several security options that cannot be defined by the Firewall Rules. This includes
protection from several kinds of Denial of Service attacks. These attacks disable computers and circumvent
security.
Denial of Service (DoS) attack is a method that hackers use to prevent or deny legitimate users access to a
service.
DoS attacks are typically executed by sending many request packets to a targeted server (usually Web, FTP,
or Mail server), which floods the server's resources, making the system unusable. Their goal is not to steal
the information but disable or deprive a device or network so that users no longer have access to the network
services/resources.
All servers can handle traffic volume up to a limit, beyond which they become disabled. Hence, attackers send
a very high volume of redundant traffic to a system so it cannot examine and allow permitted network traffic.
Best way to protect against the DoS attack is to identify and block such redundant traffic.
Packet rate per Source
Total number of connections or packets allowed to a particular user.
Burst rate per Source
Maximum number of packets allowed to a particular user at a given time.
Packet rate per Destination
Total number of connections or packets allowed from a particular user.
Packet rate per Destination
Maximum number of packets allowed from a particular user at a given time.
How it works
When the brust rate is crossed, the Appliance considers it as an attack. The Appliance provides DoS attack
protection by dropping all the excess packets from the particular source/destination. It will continue to drop
the packets till the attack subsides. Because the Appliance applies threshold value per IP Address, traffic
from the particular source/destination will only be dropped while the rest of the network traffic will not be
dropped at all i.e. traffic from the remaining IP Addresses will not be affected at all.
Time taken to re-allow traffic from the blocked source/destination = time taken to subside the attack + 30
seconds
Page 407 of 490
Cyberoam User Guide
For example,
Packet rate per Source 100 packets per second
Burst rate per Source 200 packets per second
.Intially, the user will be able to send 200 packets per second. However once these 200 packets are received,
the user the user will only be allowd to send 100 packets per second. So in the next phase, if the user sends
150 packets per second, the Appliance will consider it as an attack and drop the last 50 (101-150) packets
and will only accept traffic from that user 30 seconds after the time that it dropped the first packet.
Threshold values
The Appliance uses packet rate and brust rate values as a threshold value to detect DoS attack. These values
depend on various factors like:
Network bandwidth
Nature of traffic
Capacity of servers in the network
These values are applicable to the individual source or destination i.e. requests per user/IP Address and not
globally to the entire network traffic. For example, if source rate is 2500 packets/minute and the network
consists of 100 users then each user is allowed packet rate of 2500 packets per minute.
Configuring high values will degrade the performance and too low values will block the regular requests.
Hence it is very important to configure appropriate values for both source and destination IP Address.
Settings
Bypass Rules
Page 408 of 490
Cyberoam User Guide
Settings
Define the attack definition from Firewall > DoS > Settings
(Attack definition can be defined both for source and destination)
Screen DoS Settings
Parameters
Screen Element
SYN Flood
Description
Configure Packet Rate (packets/minute) and Burst Rate
(packets/second) for source and destination.
Click Apply Flag checkbox to apply the SYN flood definition
and control allowed number of packets.
Source Traffic Dropped displays number of source packets
dropped in case source packet rate control is applied.
Destination Traffic Dropped displays number of packets
dropped in case destination packet rate control is applied.
Click SYN Flood to view the real-time updates on flooding. It
displays the source IP Address - which was used for flooding
and IP Address which was targeted.
SYN Flood is the attack in which large numbers of connections
are sent so that the backlog queue overflows. The connection
is created when the victim host receives a connection request
and allocates for it some memory resources. A SYN flood attack
creates so many half-open connections that the system
becomes overwhelmed and cannot handle incoming requests
any more.
UDP Flood
Configure Packet Rate (packets/minute) and Burst Rate
(packets/second) for source and destination.
Page 409 of 490
Cyberoam User Guide
Click Apply Flag checkbox to apply the UDP flood definition
and control the allowed number of packets.
Source Traffic Dropped displays number of source packets
dropped in case source packet rate control is applied.
Destination Traffic Dropped displays number of packets
dropped in case destination packet rate control is applied.
Click UDP Flood to view the real time updates on flooding. It
displays the source IP Address - which was used for flooding
and IP Address which was targeted.
User Datagram Protocol (UDP) Flood links two systems. It
hooks up one systems UDP character-generating service, with
another systems UDP echo service. Once the link is made, the
two systems are tied up exchanging a flood of meaningless
data.
TCP Flood
Configure Packet Rate (packets/minute) and Burst Rate
(packets/second) for source and destination.
Click Apply Flag checkbox to apply the TCP flood definition
and control the allowed number of packets.
Source Traffic Dropped displays number of source packets
dropped in case source packet rate control is applied.
Destination Traffic Dropped displays number of packets
dropped in case destination packet rate control is applied.
TCP attack sends huge amount of TCP packet so that the
host/victim computer cannot handle.
ICMP/ICMPv6 Flood
Configure Packet Rate (packets/minute) and Burst Rate
(packets/second) for source and destination.
Click Apply Flag checkbox to apply the ICMP/ICMPv6 flood
definition and control allowed number of packets.
Click ICMP/ICMPv6 Flood to view the real time updates on
flooding. It displays the source IP Address - which was used for
flooding and IP Address which was targeted.
ICMP/ICMPv6 attack sends huge amount of packet/traffic so
that the protocol implementation of the host/victim computer
cannot handle.
Page 410 of 490
Cyberoam User Guide
Dropped Source
Routed Packets
Click Apply Flag checkbox to enable. This will block any
source routed connections or any packets with internal address
from entering your network.
Disable ICMP
Redirect Packet
An ICMP redirect packet is used by routers to inform the hosts
what the correct route should be. If an attacker is able to forge
ICMP redirect packets, he or she can alter the routing tables on
the host and possibly weaken the security of the host by
causing traffic to flow via another path.
Disable ARP
Flooding
Click Disable ARP Flooding to drop invalid ARP request.
ARP attack sends ARP requests at a very high rate to the
server. Because of this, server is overloaded with requests and
will not be able to respond to the valid requests. Appliance
protects by dropping such invalid ARP requests.
Table DoS Settings screen elements
Page 411 of 490
Cyberoam User Guide
Bypass Rules
The Appliance allows you to bypass the DoS rule in case you are sure that the specified source will not be
used for flooding or ignore if flooding occurs from the specified source. By default, VPN zone traffic is also
subjected to DoS inspection. You can also bypass DoS inspection of the traffic coming from certain hosts of
VPN zone.
Manage DoS Bypass Rule List
To manage Bypass Rules, go to Firewall > DoS > Bypass Rules.
The DoS Bypass Rule page displays the list of all the bypass rule(s). You can filter the list based on IP Family.
The page provides option to add a new rule, update the existing rule, or delete a rule.
Screen Manage DoS Bypass Rules
Screen Element
Description
Source IP
Source IP/Netmask to be bypassed.
Source Port
Source Port Number to be bypassed.
Destination IP
Destination IP/Netmask to be bypassed.
Destination Port
Destination Port Number to be bypassed.
Protocol
Protocols to be bypassed.
IP Family
Diplays the IP Family IPv4 or IPv6.
Table Manage DoS Bypass rule screen elements
Page 412 of 490
Cyberoam User Guide
DoS Bypass Rule Parameters
To add or edit a DoS Bypass Rule, go to Firewall > DoS > Bypass Rules. Click the Add button to add
a new rule. To update the details, click on the Rule or Edit icon
you want to modify.
in the Manage column against the rule
Screen Add Bypass Rule
Screen Element
Description
IP Family
Select the IP Family to configure a DoS Bypass Rule.
Source IP/Netmask
(only IPv4)
Specify Source IP/Netmask.
Destination
IP/Netmask (Only
IPv4)
Specify Destination IP/Netmask.
Source IP/Netmask
(only IPv6)
Specify Source IP/Prefix.
Destination
IP/Netmask (Only
IPv6)
Specify Destination IP/Prefix.
Protocol
Select protocol whose traffic is to be bypassed if generated from
the specified source to destination.
Specify * if you want to bypass entire network.
Specify * if you want to bypass entire network.
Specify * if you want to bypass entire network.
Specify * if you want to bypass entire network.
Available Options:
TCP
UDP
ICMP
All Protocols
For example, if you select TCP protocol then DoS rules will not
be applied on the TCP traffic from the specified source to
destination.
Source Port
Specify Port Number for Source.
Specify * if you want to bypass entire network.
Page 413 of 490
Cyberoam User Guide
Destination Port
Specify Port Number for Destination.
Specify * if you want to bypass entire network.
Table Add DoS bypass rule screen elements
Page 414 of 490
Cyberoam User Guide
Web Filter
Web Filter menu allows to configure and manage Web Filtering through the Appliance. The traffic coming
from the web is filtered by various policies and categories.
Settings
Category
Policy
Settings
Use this page to enable Safe Search feature and Pharming protection useful in filtering Web traffic.
Safe Search This feature allows you to enforce safe searching into your search engines, thus helping you
against malicious sites.
Pharming Protection This feature allows you to stop Pharming by various attacker sites by Domain Name
resolution.
Web Filter Setting Parameters
Configure Web Filter Settings from Web Filter > Settings > Settings.
Screen Configure Settings
Screen Element
Enforce Safe Search
Description
Enable safe search so that web sites containing pornography
and explicit sexual content are blocked from the Google,
Yahoo, AltaVista and Bing search results.
Page 415 of 490
Cyberoam User Guide
This will be applicable only when access to Porn, Adult
Content and Nudity categories are denied in the Web Filter
Policy.
Enable Pharming
Protection
Enable to protect against Pharming attacks and direct users
to the legitimate websites instead of fraudulent websites.
Pharming attacks require no additional action from the user
from their regular web surfing activities. Pharming attack
succeeds by redirecting the users from legitimate websites
instead of similar fraudulent websites that has been created
to look like the legitimate site.
Denied Message
Specify default deny message to be displayed for all the web
categories.
Enable Override Default Denied Message to display a
customized message for all the web categories.
Denied Message
Image
Specify whether the default or custom image should be
displayed on the Denied message page.
Top Image
Specify the image which is to be displayed at the top of the
message page.
Dimension of Image should be 125 x 70 pixels and jpg file
only.
Bottom Image
Specify the image which is to be displayed at the bottom of
the message page.
Dimension of Image should be 700 * 80 pixels and jpg file
only.
Table Configure Settings screen elements
Page 416 of 490
Cyberoam User Guide
Web Category
Web Category is the grouping of Domains and Keywords used for Internet site filtering. Domains and any
URL containing the keywords defined in the Web Category will be blocked.
Each category is classified according to the type of sites in the category. Categories are grouped into four
types specifying whether surfing those categories is considered as productive or not:
Neutral
Productive
Non-working
Un-healthy
For your convenience, database of default web categories is provided. You can use these or even create new
web categories to suit your needs. To use the default web categories, the add-on module Web and Application
Filter should be registered.
Depending on the organizations requirement, allow or deny access to the categories with the help of policies
by groups, individual user, time of day, and many other criteria. It is also possible to restrict the bandwidth
based on the web category. For example, to reserve 512 kbps for SAP applications, define a QoS Policy of
512 kbps and assign this policy to the SAP Web Category and Firewall Rule. Users accessing any URLs
falling under the SAP Web Category will get 512 kbps. 512 kbps bandwidth will be shared among all the users
when more than one user is accessing.
The Appliance provides pre-defined categories which can be used to block the malicious and objectionable
content. The page displays the list of pre-defined as well as custom categories.
The page allows you to manage default web categories and create custom web categories. You can also add
or remove specific domains or keywords in the category. Appliance also provides pre-defined categories
which can be used to block the malicious and objectionable contents.
Custom web category is given priority over default category while allowing/restricting the access.
Page 417 of 490
Cyberoam User Guide
Manage Web Category List
To manage web categories, go to Web Filter > Category > Category.
Screen Manage Web Categories
Screen Element
Description
Name
Displays name of the Web Filter Category.
Type
Displays type of Policy Default OR Custom.
Classification
Category Classification Unhealthy, Non-working, Neutral,
Productive.
QoS Policy
Displays the QoS Policy applied on the category.
Table Manage Web Categories screen elements
Page 418 of 490
Cyberoam User Guide
Web Category Parameters
To add or edit a web category, go to Web Filter > Category > Category. Click the Add button to add
a new web category. To update the details, click on the web category or Edit icon
against the web category you want to modify.
in the Manage column
Screen Add Web Category
Screen Element
Description
Name
Specify a name to identify the Web Category name. Name
cannot be same as the default category name.
Classification
Select the type of classification for the category from the
available options.
Available Options:
Neutral
Page 419 of 490
Cyberoam User Guide
Productive
Non-working
Healthy
QoS Policy
Select the QoS Policy, if bandwidth restriction is to be applied
from the QoS Policy dropdown list.
Configure Category
(Applicable only
while adding a
Category)
Select to create a web category from the options available.
Available Options:
Local Select to create a Web Category with URL stored in
the local Appliance.
External URL Database Select to create a Web Category
with external webcat URL located anywhere on the Internet.
Import Domain/
Keyword (Only if
Local Configure
Category is selected)
Import a file consisting of all the configured URL/Keyword from
the white list domain of an existing web categorization solution
to Cyberoam Appliance.
This will automatically include the domains/keywords in the
Domain / Keyword list.
Domain/Keyword
(Only if Local
Configure Category
is selected)
Specify Domain / Keyword to include it under a Web Category.
URL (HTTP or FTP)
(Only if External
URL Database
Configure Category
is selected)
Specify URL of external Web Category URL database. The
Appliance will fetch database from the specified URL. The
database of URLs should be in following file types: .tar, .tar.gz,
.gz, .bz2, or plain text file.
Use Add button to add multiple URLs.
Description
Specify Category Description.
Advanced Settings
Action (Only
applicable while
adding a Category)
List displays all the policies available.
Select Web Filter policy. Multiple categories can also be
selected. You can also search the category name from the
search text box provided.
Specify action Allow OR Deny for HTTP and HTTPS traffic.
Denied Message
Click to override default denied message and set your custom
message.
Table Add Web Category screen elements
Page 420 of 490
Cyberoam User Guide
Search URL
Use Search URL to search whether the URL is categorized or not. It searches the specified URL and displays
Category name under which the URL is categorized along with the category description.
When a custom category is created with a Domain/URL which is already categorized in default category then
the custom category overrides the default category and the search result displays custom category name and
not the default category name.
To search a URL
Select Web Filter > Category > Search URL
Screen Search URL
Enter URL to be searched in Search URL
Click Search
Page 421 of 490
Cyberoam User Guide
URL Group
When you want to configure same rule for multiple URLs, create a URL Group and instead of adding web
filter rule for individual URLs, and create a single the rule for the group.
The page allows you to group URLs and manage URL Groups. When you want to configure same rule for
multiple URLs, create URL Group and instead of adding Web Filter Rule for individual URL, you add rule for
the Group.
Manage URL Group list
To manage URL Groups, go to Web Filter > Category > URL Group.
Screen URL Group
Screen Element
Description
URL Group Name
Displays a name of the URL Group.
URL
Displays a list of URL(s) grouped.
Description
Displays Group description.
Screen URL Group screen elements
Parameters
To add or edit a web category, go to Web Filter > Category > URL Group. Click the Add button to
add a new web category. To update the details, click on the web category or Edit icon
column against the web category you want to modify.
in the Manage
Screen Add URL
Page 422 of 490
Cyberoam User Guide
Screen Element
Description
URL Group Name
Specify a name to identify the URL Group.
URL(s)
Provide the URL.
Use a comma to separate multiple URLs.
Single URL can be member of multiple groups.
Description
Provide group description, if required.
Table Add URL screen elements
Page 423 of 490
Cyberoam User Guide
Web Filter Policy
Web Filter Policy controls users web access. It specifies which user has access to what sites and allows
defining powerful security policies based on almost limitless policy parameters like:
Individual users
Groups of users
Time of day
Location/Port/Protocol type
Content type
Bandwidth usage (for audio, video and streaming content)
You can control access to an entire application category, or individual file extensions within a category with
the help of policy. For example, you can define a policy that blocks access to all audio files with .mp3
extensions.
Two strategies based on which Web Filter Policy can be defined are:
Allow: By default, allows access to all the categories except the specified categories. Access to the
specified categories depends on the strategy defined for each category.
Deny: By default, denies access to all the categories except the specified categories. Access to the
specified categories depends on the strategy defined for each category.
Appliance is shipped with the following predefined policies: Allow All, CIPA, Deny all and General Corporate
Policy. These predefined policies are immediately available for use until configured otherwise. You can also
define custom policies to define different levels of access for different users to meet your organizations
requirements.
The Web Filter policy page displays list predefined and custom policies. You can filter or sort the list based
on policy name. The page provides option to add new policy, update, or delete a policy.
To manage Web Filter Policies, go to Web Filter > Policy > Policy.
Screen Manage Web Filter Policies
Screen Element
Description
Name
Displays a name of Web Filter Policy.
Default Action
Displays default Action: Allow or Deny.
Page 424 of 490
Cyberoam User Guide
Reporting
Displays whether reporting is Enabled or Disabled.
Description
Displays Policy Description.
Table Manage Web Filter Policy screen elements
Web Filter Policy Parameters
To add or edit Web Filter Policies, go to Web Filter > Policy > Policy. Click Add Button to add a new
policy or Edit Icon to modify the details of the policy.
Screen Web Filter Policy
Screen Element
Description
Add Web Filter Policy
Name
Provide a name to identify the Policy. Duplicate names are not
allowed.
Template
Select a template. A new policy will be based on the selected
template and will inherit all the category restrictions defined in
the template.
Enable Reporting
By default, Internet usage report is generated for all the users.
But Appliance allows to bypass reporting of certain users.
Clear Enable Reporting to bypass reporting. Internet usage
reports will not include access details of all the users to whom
this policy will be applied.
Download File Size
Restriction
Specify the file size (in MB) in the textbox against Download
File Size Restriction to configure the maximum allowed file
download size.
User will not be allowed to download file greater than the
configured size.
Page 425 of 490
Cyberoam User Guide
This restriction is applicable only if HTTPS scanning is
enabled in the corresponding firewall rule for which Web Filter
Policy is configured.
Specify 0 for no restriction.
Web Categories HTTPS Upload, ActiveX, Applets and
Cookies, will work only if HTTPS scanning is enabled.
YouTube Education
Filter
Specify the unique ID provided by YouTube for Schools while
registration.
YouTube for Schools, makes available a collection/ wide
range of educational videos that can be accessible while being
within a school network. On registering for YouTube for
Schools a custom HTTP Header with a unique ID will be
provided.
E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
Note
Field Name: X-YouTube-Edu-Filter
Field Value Format: Alphanumeric [a-z][A-Z][0-9]
Field Value Length: up to 44 characters
Description
Ensure the following top-level domains are not blocked
youtube.com
ytimg.com
Videos
Provide Policy Description.
Table Web Filter Policy screen elements
Manage Web Filter Policy Rule list
Once the policy is created, policy rules can be added to schedule the implementation of the policy. Rules can
be added for custom policies only.
Screen Web Filter Policy Rule
Screen Element
Category Name
Description
Displays a name of the Web Filter Category.
Page 426 of 490
Cyberoam User Guide
Type
Displays type of Policy.
Schedule
Displays schedule for the category.
Web Action
Displays action for HTTP and HTTPS traffic.
Exception
Selected Category of File Type.
Table Web Filter Policy Rule screen elements
Web Filter Policy Rules Parameters
To add a policy rule, edit the policy in which you want to add a rule.
Web Filter Policy rules can be added to custom web filter policies. To add Web Filter Policy rules, go to Web
Filter > Policy > Policy.
Screen Add Web Filter Policy Rule
Web Filter Policy Rule Parameters
Screen Element
Category Type (Only
while adding a Web
Filter Policy Rule)
Description
Select category Type for which the rule is to be added. You can
configure rule for 4 types of categories:
Available Options:
Web Category
File Type
URL Group
Dynamic Category.
URL Group is a custom group of URLs
Dynamic Category includes Cookies, Applets, ActiveX and
HTTP Upload category.
Category
Select Category for which the rule is to be added. Multiple
categories can also be selected.
Page 427 of 490
Cyberoam User Guide
You can also search the category name from the search text
box provided.
HTTP Action
Specify action Allow or Deny for HTTP traffic.
HTTPS Action
Specify action Allow or Deny for HTTPS traffic.
Exception link
Click to add the file type category exception rule for a selected
category type and select file type category.
For Example: If you want to allow Sport category and deny
video file from Sport category then specify Allow action for Sport
category and add Video File in Exception list.
Note
Exception Link is available only for Web Category and
URL Group.
Select the Schedule for categories selected from the list
available.
Schedule
Table Add Web Filter Policy Rule screen elements
Edit Web Filter Policy Rule
Click the Edit icon
in the Manage column against the Web Filter Policy to which rules are to be added.
Edit Web Filter Policy window is displayed for modifications. You can add or delete rules from this page.
Screen Edit Web Filter Policy Rule
Screen Element
Description
Category
Category for which the rule is to be added. Multiple categories
can also be selected.
HTTP Action
Specify action Allow or Deny for HTTP traffic.
HTTPS Action
Specify action Allow or Deny for HTTPS traffic.
Page 428 of 490
Cyberoam User Guide
Exception link
Click to add the file type category exception rule for a selected
category type and select file type category.
For Example: If you want to allow Sports category and deny
video file from Sports category then specify the Allow action for
Sport category and add Video File in Exception list.
Note
Schedule
Exception Link is available only for Web Category and
URL Group.
Select the Schedule for categories selected from the list
available.
Table Edit Web Filter Policy Rule screen elements
Page 429 of 490
Cyberoam User Guide
ICAP
Internet Content Adaption Protocol (ICAP) is a lightweight protocol that encapsulates underlying
HTTP/HTTPS request and response to/from ICAP Server. It allows ICAP Clients to pass HTTP messages to
ICAP Servers for transformation/adaption and thereby offloading the primary server. These ICAP Servers are
focused on specific functions like ad insertion, content filtering, virus scanning etc.
Appliance can be deployed in heterogeneous enterprise environments and can hand over HTTP traffic to
ICAP Server for malware scanning, content filtering and DLP scanning or other processing. Cyberoam after
applying its Web Filter Policy will forward the Web traffic to ICAP server which in turn can apply data usage
policies, antivirus scanning policies and content filtering policies. Depending on the services configured in the
ICAP server, user either receives access denied message or virus detection message from Cyberoam or
ICAP server.
Cyberoam can be seamlessly integrated using ICAP-compliant DLP/AV Scanning/Web Filtering applications:
Symantec DLP
Symantec Protection Engine 7.0
Trend Micro Interscan Web Security Virtual Appliance
Sophos Anti Virus
Commtouch Anti Virus
Single ICAP profile with Request and Response mode are supported. Administrator can view all the events
logs from the Log Viewer.
Note
This feature is supported in iNG series appliances CR50iNG and above.
Server
The ICAP Server page displays list of configured ICAP Servers. You can filter or sort the list based on Server
Name. The page provides option to add, update, or delete Server.
Manage ICAP Server
To manage ICAP Server, go to Web Filter > ICAP > Server.
Screen Manage ICAP Server
Screen Element
Server Name
Description
Displays name of the ICAP Server.
Page 430 of 490
Cyberoam User Guide
IP
Displays IPv4 Address of ICAP Server.
Port
Displays port number on which ICAP Server is running
Service
Displays the name of ICAP Service.
Table Manage ICAP Server screen elements
ICAP Server Parameters
To add or edit ICAP Server, go to Web Filter > ICAP > Server. Click the Add button to add a new ICAP
Server. To update the details, click on the Server name or Edit icon
Server you want to modify.
in the Manage column against the
Screen Add ICAP Server
Screen Element
Description
Server Name
Specify name for ICAP Server.
Server IP
Specify IPv4 Address of ICAP Server.
Port
Specify the port number on which ICAP Server is running.
Service
Specify the name of ICAP Service.
Table ICAP Server screen elements
Policy
The ICAP Policy page displays list of configured ICAP Policies. You can filter or sort the list based on Policy
Name. The page provides option to add, update, or delete a policy.
Manage ICAP Policy
To manage ICAP Policy, go to Web Filter > ICAP > Policy.
Page 431 of 490
Cyberoam User Guide
Screen Manage ICAP Policy
Screen Element
Description
Policy Name
Displays name of the ICAP Policy.
Request Server
Displays configured Request Server.
Response Server
Displays configured Response Server.
Max Connections
Displays the maximum concurrent connections.
Content Limit
Displays the Content limit.
Table Manage ICAP Policy screen elements
ICAP Policy Parameters
To add or edit ICAP Policy, go to Web Filter > ICAP > Policy. Click the Add button to add a new ICAP
Policy. To update the details, click on the Policy name or Edit icon
Policy you want to modify.
in the Manage column against the
Screen Add ICAP Policy
Screen Element
Description
Policy Name
Specify name for the Policy.
Request
Modifications
Enable to configure ICAP Server in Request mode.
Page 432 of 490
Cyberoam User Guide
Request Server
Select configured Request Server.
Response
Modifications
Enable to configure ICAP Server in Response mode.
Response Server
Select configured Response Server.
Max connections
Specify maximum concurrent connections to be allowed with
the ICAP Server.
Default 16
Note: Maximum connection limit and acceptable range differs
as per appliance model as below:
For Appliance models: CR50iNG, CR100iNG, CR200iNG,
CR200iNG-XP, CR300iNG, CR300iNG-XP
Max connections 32
Acceptable Range 1 to 32
For Appliance models: CR500iNG-XP, CR750iNG-XP
Max connections 64
Acceptable Range 1 to 64
For Appliance models: CR1000iNG-XP, CR1500iNG-XP,
CR2500iNG, CR2500iNG-XP
Max connections 128
Acceptable Range 1 to 128
Content Limit
Specify the content limit for ICAP Server to process.
Default 0 KB
Acceptable Range (KB) 0 to 51200
DLP Mode
Bypass Error
Note: When content limit is set to 0, the default limit set is
25000KB.
Enable to process only DLP methods. If enabled, ICAP Server
will only process POST/PUT methods.
Enable to bypass error messages.
Table ICAP Policy screen elements
Page 433 of 490
Cyberoam User Guide
Application Filter
Application Filter menu allows configuring and managing filtering on various applications. The traffic coming
from the web is filtered by various policies and categories.
Application List
Category
Policy
Application List
The Appliance can identify and control applications which use standard Port 80, 443, non-standard ports, port
hopping or tunnel through encrypted SSL traffic. The feature enables prioritization of applications based on
user identity, time, applications, and bandwidth, allowing great flexibility, visibility, and control. The Appliance
also provides implementation of application-based bandwidth management, accelerating critical applications
while blocking malware-laden sites through Web Filtering. Organizations can group applications as per their
requirements into business-critical, entertainment, communication, collaboration and control access through
Firewall policies.
Note
Web and Application Filter module is a subscription module that needs to be subscribed before use. Check
the features of the module by subscribing free trial subscription of the module. (See System >
Maintenance > Licensing)
The Appliance is shipped with a set of predefined applications. This applications are classified based on their
risk level, characteristics and technology, offering more granular controls.
Note
Web and Application Filter module is a subscription module that needs to be subscribed before use. Check
the features of the module by subscribing free trial subscription of the module. (See System >
Maintenance > Licensing)
The total number of application signatures included depends on the Application Signatures Database used
by the Appliance. Appliance Information doclet in the Dashboard provides the version of Application
Signatures Database used by your Appliance.
The Application List page displays total number of applications available for use and list of all the
applications including information describing category it belongs to, risk factors, its characteristics and
technology.
The application list can be filtered based on name of the application, category of the application, risk,
characteristics, and technology.
Page 434 of 490
Cyberoam User Guide
Manage Applications list
To view and search applications, go to Application Filter > Application List > Application List.
Screen Manage Application List
Screen Element
Description
Name
Displays the Application Name.
Category
Displays the name of the category.
Risk
Displays the type of risk.
Characteristics
Displays the characteristics of an application.
Technology
Displays the technology name used by an application.
Table Manage Application List screen parameters
Page 435 of 490
Cyberoam User Guide
Application Filter Category
The applications shipped with the Appliance are grouped into categories. These categories can be used in
filtering policy and bandwidth restriction can be applied. Bandwidth restriction can be applied on the category
or on the individual application within the category. Appliance
The Category page displays list of all the categories. The categories list can be filtered based on name of
the category. Use plus or minus toggle besides the category name to expand and collapse list of
applications grouped in the respective category.
Configuring QoS Policy for Category or Application
The Category page provides a list of default Application Filter Categories on the Web Admin Console like
Conferencing, Desktop Mail etc. Each of the categories contains sub categories and can be viewed by clicking
the
icon against the category.
To edit the Application Filter Category, go to Application Filter > Category > Category.
Screen Manage Application Filter Categories
Screen Element
Description
Category Name
Displays the name of Category.
QoS Policy
Select QoS Policy to be applied.
QoS policy allocates and limits the maximum bandwidth usage
of the user.
You can create a new policy directly from this page or from QoS
> Policy > Policy page.
Bandwidth Usage
Type
Displays the bandwidth usage allotted to the QoS Policy.
Shared or Individual.
Table Manage Application Filter Category screen elements
Edit Category
Page 436 of 490
Cyberoam User Guide
Screen Edit Category
Screen Element
Description
Name
Name of the Application Filter Category. Category Name cannot
be changed.
QoS Policy
Select QoS Policy to be applied to the Application Filter
Category.
QoS policy allocates & limits the maximum bandwidth usage of
the user.
You can also create a new policy directly from this page and
attach to the category.
Table Edit Category screen elements
Page 437 of 490
Cyberoam User Guide
Application Filter Policy
The Application Filter Policy controls the users application access. It specifies which user has access to which
applications and allows defining powerful security policies based on almost limitless policy parameters like:
Individual users
Groups of users
Time of day
Application Filter Policy strategies:
Allow: By default, allows access to all the categories except the specified categories. Access to the
specified categories depends on the strategy defined for each category.
Deny: By default, denies access to all the categories except the specified categories. Access to the
specified categories depends on the strategy defined for each category.
Appliance is shipped with the following predefined policies for applications: Allow All and Deny All. These two
predefined policies are immediately available for use until configured otherwise. You can also define custom
policies to define different levels of access for different users to meet your organizations requirements.
The Application Filter policy page displays a list of all the predefined and custom policies. The page also
provides option to add a new policy, update parameters of the existing policy, delete a policy, add a filtering
rule to a policy or delete a filtering rule attached to a policy.
Manage Application Filter Policies
To manage application filter policies, go to Application Filter > Policy > Policy.
Screen Manage Application Filter Policies
Screen Element
Description
Name
Displays name of the Application Filter Policy.
Default Action
Default Action: Allow or Deny.
Description
Policy Description.
Table Manage Application Filter Policies screen elements
Page 438 of 490
Cyberoam User Guide
Application Filter Policy Parameters
To add or edit an Application Filter Policy, go to Application Filter > Policy > Policy. Click the Add
button to add an Application Filter Policy. Application Filter Policy Parameters are given below.
Parameters
Screen Add Application Filter Policy
Screen Element
Description
Name
Specify a name to identify the Application Filter Policy.
Description
Provide describe for the Application Filter Policy.
Enable Micro App
Discovery
Enable to scan and classify microapps using HTTPS protocol
for communication. Microapps are applications that are used
within web browsers.
To allow/deny microapps, you need to specify action
accordingly.
Template
Select template for the Application Filter Policy.
Table Add Application Filter Policy screen elements
Edit Application Filter Policy Rule
To update the details, click on the policy or Edit icon
modified.
in the Manage column against the policy to be
Page 439 of 490
Cyberoam User Guide
Screen Edit Application Filter Policy
Screen Element
Description
Name
Name of the Application Filter Policy to be edited.
Description
Description of the Application Filter Policy to be edited.
Application
Displays a list of the selected applications.
Application Filter
Criteria
Displays the criteria selected for the Application Filter Policy
Rule.
Schedule
Displays the selected schedule.
Action
Displays the selected Action.
Table Edit Application Filter Policy screen elements
Application Filter Policy Rules Parameters
Once the policy is created, policy rules can be added to schedule the implementation of the policy.
Note
Rules can be added for custom policies only.
Page 440 of 490
Cyberoam User Guide
Screen Add Application Filter Policy Rules
Parameters
Screen Element
Description
Application Filter Criteria
Category
Select the Application Category from the list of available
categories.
Risk
Select the type of risk from the available options.
Available Options:
Select All
1 - Very Low
2 Low
3 Medium
4 High
5 Very High
Characteristics
Select the characteristics from the available options.
Available Options:
Select All
Can bypass firewall policy
Excessive Bandwidth
Loss of productivity
Prone to misuse
Transfer files
Tunnels other apps
Vulnerabilities
Widely Used
Technology
Select the technology from the available options.
Page 441 of 490
Cyberoam User Guide
Available Options:
Select All
Browser Based
Client Server
Network Protocol
P2P
List of Matching Applications
Select All
Select the option Select All to choose all the Applications listed
for the selected criteria.
Based on the Application Filter Criteria the applications are
made available.
Select Individual
Application
Select the option Select Individual Application to customize
the choice of Applications list for the selected criteria.
Based on the Application Filter Criteria the applications are
made available.
Search
Specify the Application Name in the textbox to search an
Application.
This option is available, only if option Select Individual
Application is selected.
Name
Displays name of the Applications under the Category selected.
You can also select more than one application using the
checkbox.
Description
Displays description of the Application.
Category
Displays category of the Application.
Risk
Displays the risk factor involved with the Application.
Characteristics
Displays the characteristics of the Application.
Technology
Displays the technology utilized for the Application.
Action
Action
Select an Action for the Policy from the available options.
Available Options:
Allow
Deny
Schedule
Select Schedule from the list of Schedules available in the
dropdown list.
Page 442 of 490
Cyberoam User Guide
Table Add Application Filter Policy Rules screen elements
Page 443 of 490
Cyberoam User Guide
IM
IM (Instant Messaging) allows configuring and managing restrictions on Instant Messaging services provided
by the Yahoo and MSN messengers. The traffic coming from web in the form of files and chat is filtered by
various rules and content filtering strategies. You can add an IM Contact or IM Contact Group for configuring
the rules.
IM Contact
IM Rules
Content Filter
IM Contact
IM Contact is used to register various Yahoo and MSN messaging application users. A Contact can be created
for a user having access to any of the two IM applications. Along with the contacts, IM Contact Groups can
also be created. Once the users are registered, various IM rules can be created for monitoring them. The
rules can be set on groups as well as on users individually.
IM Contact
IM Contact Group
The IM Contact page is used to create and manage contacts. These contacts can either be Yahoo or MSN
Email IDs. Any of the Email ID created through Yahoo or MSN are valid for creating IM Contacts.
Note
Contact cannot be deleted, If a Contact Group exists for the user.
Manage IM Contact list
To manage IM contacts, go to IM > IM Contact > IM Contact.
Screen Manage IM Contacts
Screen Element
Protocol
Description
Displays the protocol that suggests
application in use. Yahoo or MSN.
the
messenger
Page 444 of 490
Cyberoam User Guide
Username
Displays the username provided for the IM contact.
Table Manage IM Contacts screen elements
Note
A Contact cannot be deleted, if a Contact Group exists for the user.
Adding an IM Contacts
To add or edit an IM contact, go to IM > IM Contact > IM Contact. Click the Add button to add IM
contact. To update the details, click on the contact or Edit icon
you want to modify.
in the Manage column against the contact
Screen Add IM Contact
Screen Element
Protocol
Description
Select the application used for Instant Messaging.
Available Options:
Yahoo
IM User Name
IM Contact Group
MSN
Specify the username to identify the IM Contact. The username
can either be an Email Address or name of the user.
Select the IM Contact Group to which an IM Contact will be
assigned.
Table Add IM Contact screen elements
Page 445 of 490
Cyberoam User Guide
IM Contact Group
A Group is a collection of users that are managed as a single unit. By creating a group, filtering rules can be
applied to a number of contacts simultaneously. Contacts that belong to a particular group are referred to as
group contacts.
IM Contact Group page is used to create and manage contact groups. These contact groups have IM
Contacts. A single IM Contact can be added to multiple contact groups. Rules to the user get applied in the
order in which they are created.
Manage IM Contact Group list
To manage IM contact groups, go to IM > IM Contact > IM Contact Group.
Screen Manage IM Contact Groups
Screen Element
Description
Name
Displays name of the IM Contact Group.
Description
Displays description for an IM Contact Group.
Table Manage IM Contact Group screen elements
Page 446 of 490
Cyberoam User Guide
Creating IM Address Group Parameters
To add or edit an IM contact group, go to IM > IM Contact > IM Contact Group. Click the Add button
to add IM contact group. To update the details, click on the contact group or Edit icon
column against the contact group you want to modify.
in the Manage
Screen Add IM Contact Group
Screen Element
Description
Group Name
Specify a name to identify the IM Contact Group.
Select IM Contact
IM Contact List displays all the IM Contacts.
Click the checkbox to select the contacts. All the selected
contacts are moved to Selected IM Contact list.
Single IM Contact can be a member of multiple IM Contact
Groups.
Description
Provide description for IM Contact Group.
Table Add IM Contact Group screen elements
Page 447 of 490
Cyberoam User Guide
IM Rules
IM Rule controls the users Instant Messaging access. It specifies which users have access to what IM
applications. Processing of IM Rules is top downwards and the first suitable rule found is applied. Individual
rules for Login, Conversation (chats), File Transfer and Webcam access can be defined based on parameters
like:
One-to-One Conversation One-to-One conversations can be allowed/denied between individual
contacts or contacts within groups.
Group Conversation Group conversations between multiple users can be allowed/denied.
Content Filtering
Virus Scanning
Archiving
Maintaining Logs
Allow/Deny access can be set for an IM Contact or entire IM Contact Group, or even normal users or User
Groups. For example, you can define a rule that blocks access to all one-to-one conversations between an
IM Contact Group and a User Group.
For ease of configuration, Appliance provides default rules for Login, Conversation, File Transfer and
Webcam. A custom rule can also be created to meet an organizations requirements.
If IM access between contacts is restricted, an access denied message is displayed in the conversation
window.
Login
Conversation
File Transfer
Webcam
Page 448 of 490
Cyberoam User Guide
Login
Login page allows you to configure and manage Login Rules for IM Contact, IM Contact Group, User and
User Group.
To manage login rules for contacts, go to IM > IM Rules > Login.
Screen Manage Login Rules
Note
Default Login Rules cannot be deleted.
Screen Element
Description
Name
Displays the name of the Login Rule.
Participants
Username or IM Contact name of the participant for whom the
Login Rule is established.
Action
Displays the type of Action selected Allow or Deny.
Logging
Displays whether logging is On or Off.
Logging Level
Displays the level of login for a rule.
Table Manage Login Rule screen elements
Creating an IM Login Rule
To add or edit a login rule, go to IM > IM Rules > Login. Click the Add button to add login rule. To update
the details, click on the rule or Edit icon
in the Manage column against the rule you want to modify.
Screen Add Login Rule
Page 449 of 490
Cyberoam User Guide
Screen Element
Description
Name
Specify a name for the Login Rule.
User / IM Contact
Select the Participants between whom the Login Rule is to be
defined.
Available Options:
IM Contact
IM Contact Group
User
User Group
You can also add above contacts from the Add Login Rule Page
itself.
Action
Select an Action for login.
Available Options:
Allow
Privacy Disclaimer
Deny
If the Login is allowed, you can enable the Privacy Disclaimer
checkbox to inform the IM Contacts about the privacy policy.
Default Privacy Disclaimer is displayed when the contact logs
into an IM application.
Logging
Enable Logging, if the log has to be maintained for the contacts.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level
Select the Logging Level if the Logging is enabled.
Meta Data Meta Data contains the information about
the Login time, logout time, login action configured and
name of the User or Group logged in.
Table Add Login Rule screen elements
Page 450 of 490
Cyberoam User Guide
Conversation
The Conversation page allows configuring and managing Conversation Rules between any of the two
identities: IM Contact, IM Contact Group, User and User Group. The IM conversation between these two
contacts can be monitored and logged.
Appliance provides a default Conversation Rule that can be applied. This rule allows all the conversations but
logs the content of the conversation.
Note
Default Conversation Rules cannot be deleted.
View the list of Conversation Rules
To manage default and custom conversation rules between contacts, go to IM > IM Rules >
Conversation.
Screen Manage Conversation Rules
Screen Element
Description
Name
Displays name of the Conversation Rule.
Participant
Displays the first participant involved in the conversation.
Participant
Displays the second participant involved in the conversation.
One-to-One
Conversation
Displays the type of One-to-One-Conversation selected- Allow
OR Deny.
Group Conversation
Displays the type of Group Conversation selected- Allow OR
Deny.
Logging
Displays whether Conversation Logs are On or Off.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level
Displays the Logging Level selected Full Data or Meta Data.
Full Data Full Data contains the entire information about
conversation including the content of the chat, the Login
time, logout time. Name of User or Groups between
whom the conversation happened and duration of the
conversation.
Page 451 of 490
Cyberoam User Guide
Meta Data Meta Data contains the information about
the Login time, logout time. Name of User or Groups
between whom the conversation happened and duration
of the conversation.
Table Manage Conversation Rule screen elements
Creating IM Conversation Rule
To add or edit a conversation rule, go to IM > IM Rules > Conversation. Click the Add button to add
conversation rule. To update the details, click on the rule or Edit icon
rule you want to modify.
in the Manage column against the
Screen Add Conversation Rule
Screen Element
Description
Name
Specify a Name for the Conversation Rule.
Between User / IM
Contact
Select the Participants between whom the Conversation Rule is
to be defined.
Available Options:
IM Contact
IM Contact Group
User
User Group
You can also add above contacts from the Add Conversation
Rule Page itself.
One-to-One
Conversation
Specify Action for the one-to-one conversation - Allow OR
Deny.
Group Conversation
Specify Action for the group conversation or chat - Allow OR
Deny.
Content Filter
Enable Content Filtering.
Page 452 of 490
Cyberoam User Guide
Logging
Enable Logging, if the log has to be maintained for the
conversation.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list
Logging Level
Select the Logging Level if the Logging is enabled.
Available Options:
Full Data Full Data contains the entire information
about conversation including the content of the chat, the
Login time, logout time. Name of User or Groups between
whom the conversation happened and duration of the
conversation.
Meta Data Meta Data contains the information about
the Login time, logout time. Name of User or Groups
between whom the conversation happened and duration
of the conversation.
Table Add Conversation Rule screen elements
Page 453 of 490
Cyberoam User Guide
File Transfer
File Transfer page allows the user to configure and manage File Transfer Rules between any of the two
identities: IM Contact, IM Contact Group, User and User Group. The file transfers between these two identities
is monitored and logged.
If the file transfer access between contacts is restricted and contact tries to transfer a file, an access denied
message is displayed in the conversation window.
To manage file transfer rules between contacts, go to IM > IM Rules > File Transfer.
Screen Manage File Transfer Rules
Screen Element
Description
Name
Displays name of the File Transfer Rule.
Participant
Displays the first participant involved in transferring the file.
Participant
Displays the second participant involved in transferring the file.
Action
Displays the type of Action selected for File transferring Allow
or Deny.
Virus Scanning
Displays whether Virus Scanning is On or Off.
Logging
Displays whether File Transfer logs is On or Off.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level.
Logging Level
Meta Data Meta Data contains the information about
the Login time, logout time. Name of User or Groups
between whom the conversation happened and duration
of the conversation.
Table Manage File Transfer Rule screen elements
Creating IM File Transfer Rule
To add or edit a file transfer rule, go to IM > IM Rules > File Transfer. Click the Add button to add file
transfer rule. To update the details, click on the rule or Edit icon
you want to modify.
in the Manage column against the rule
Page 454 of 490
Cyberoam User Guide
Screen Add File Transfer Rule
Screen Element
Description
Name
Specify a name for the File Transfer Rule.
Between User / IM
Contact
Select the Participants between whom the File Transfer Rule is
to be defined.
Available Options:
IM Contact
IM Contact Group
User
User Group
You can also add above contacts from the Add File Transfer
Rule Page itself.
Action
Select the type of Action.
Available Options:
Allow
Deny
Virus Scanning
Enable Virus Scanning, if the file transferred between contacts
is to be scanned.
Logging
Enable Logging, if the log has to be maintained for the transfer
of files.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level
Select the Logging Level if you have enabled Logging.
Meta Data Meta Data contains the information about
the File Transferred including Login time, logout time, file
transfer action defined and name of User or Groups
between whom the file transfer happened.
Table Add File Transfer Rule screen elements
Page 455 of 490
Cyberoam User Guide
Webcam
The Webcam page allows configuring and managing Webcam Rules between any of the two identities: IM
Contact, IM Contact Group, User and User Group. The video conversations via Webcam between these two
contacts are monitored and logged.
If video conversation access between contacts is restricted and the contact tries to use the Webcam, an
access denied message is displayed in the conversation window.
To manage webcam rules between contacts, go to IM > IM Rules > Webcam.
Screen Manage Webcam Rules
Screen Element
Description
Name
Displays the name of the Webcam Rule.
Participant
Displays the first participant involved in video conversation.
Participant
Displays the second participant involved in video conversation.
Action
Displays Action taken for the Webcam viewing:
Available Options:
Allow
Deny
Displays whether logging of Video Conversation is On or Off.
Logging
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level.
Logging Level
Meta Data Meta Data contains the information about
the Login time, logout time. Name of User or Groups
between whom the conversation happened and duration
of the conversation.
Table Manage Webcam Rule screen elements
Creating IM Webcam Rule
To add or edit a webcam rule, go to IM > IM Rules > Webcam. Click the Add button to add webcam
rule. To update the details, click on the rule or Edit icon
to modify.
in the Manage column against the rule you want
Page 456 of 490
Cyberoam User Guide
Screen Add Webcam Rule
Screen Element
Description
Name
Specify a name for the Webcam Rule.
Between User / IM
Contact
Select the Participants between whom the Webcam Rule is to
be defined.
Available Options:
IM Contact
IM Contact Group
User
User Group
You can also add above contacts from the Add Webcam Rule
Page itself.
Action
Select an Action for the webcam viewing or video chat from the
available options:
Available Options:
Allow
Deny
Logging
Enable Logging, if the log has to be maintained for the contacts.
If logging is enabled, the logs can be viewed from Logs &
Reports > Log Viewer. Select IM from Log Modules list.
Logging Level
Select the Logging Level if you have enabled Logging.
Meta Data Meta Data contains the information about the
Login time, logout time, webcam rule defined, name of User or
Groups between whom the video conversation happened and
duration of the conversation.
Table Add Webcam Rule screen elements
Content Filter
Content Filtering functionality is applied to Instant Messaging applications wherein content can be removed
from the conversation if appears in the conversation.
Page 457 of 490
Cyberoam User Guide
The Content Filter page allows you to specify a list of keywords and regular expressions to be blocked, if
encountered in any of the chat conversation. If content filtering is enabled from IM Conversation Rule, the
configured keywords are removed and an error message is displayed for the same.
Configure Settings
To configure content filtering expressions, go to IM > Content Filter > Content Filter.
Screen Configure Content Filter Settings
Screen Element
Description
RegEx Settings
Specify Regular Expressions to be removed from the IM applications. For example, if the string
AB* is specified in the RegEx list, all the strings starting with AB would be dropped from the
conversation and an error message would be displayed.
You can add multiple regular expressions. Click Add icon
remove icon
to delete expressions.
to add more expressions and
Keyword Settings
Specify Keywords to be removed from the IM applications. For example, if the strings like
ammunition and terrorism are specified in the keywords list, all such strings would be dropped
from the conversation and an error message would be displayed.
You can add multiple keywords. Click Add icon
to delete keywords.
to add more keywords and remove icon
Table Configure Content Filter Setting screen elements
Page 458 of 490
Cyberoam User Guide
QoS
Bandwidth is the amount of data passing through a media over a period of time and is measured in terms of
kilobytes per second (kbps) or kilobits per second (kbits) (1 Byte = 8 bits).
The primary objective of QoS (Quality of Service) policy is to manage and distribute the total bandwidth on
certain parameters and user attributes. QoS policy allocates & limits the maximum bandwidth usage of the
user and controls the web and network traffic.
To configure QoS policy:
Define for whom you want to create policy
Define Type of policy
Define the Implementation strategy of the policy
Define Bandwidth Usage
Page 459 of 490
Cyberoam User Guide
Settings
Use Settings page to configure default QoS settings. Administrator can also configure it from Command Line
Interface (CLI). All the bandwidth related data are displayed only with unit KB (Kilo bytes per second).
Screen QoS Settings
Screen Element
Bandwidth maximum
limit
Description
Specify maximum bandwidth limit in KB. It is generally a sum of
all WAN links maximum limits.
Default 100000 KB
Acceptable Range (KB) - 1 to 2560000
Allocation Behavior
Select bandwidth allocation behavior from the available options.
It allows the administrator to handle traffic as normal or give
priority to real time traffic like VOIP.
Available Options:
Normal
Real Time
If the bandwidth behavior is normal then priority will be
applicable only for excess bandwidth i.e. bandwidth remaining
after guaranteed bandwidth allocation.
If the bandwidth behavior is real time then Real-time traffic (QoS
policy with priority 0) like VOIP will be given precedence over all
other traffic.
Guarantee
Select Guarantee type from the available options. Administrator
can enforce all internet bound traffic to be handled by any QoS
Policy applied on it. If there is no policy applied on the traffic
then it will be handled by the Default Policy.
Page 460 of 490
Cyberoam User Guide
Available Options:
Lenient
Enforced
Select Enforced to enforce bandwidth restriction on the traffic
on which the bandwidth policy is not applied.
Select Lenient if you do not want to enforce bandwidth
restriction on the traffic on which the bandwidth policy is
not applied. It will only handle traffic on which QoS Policy
is applied.
Default Policy will be applicable on the traffic which does not
have any bandwidth policy applied.
Default Policy
(Available only if Enforced
is selected)
Guaranteed: Specify bandwidth which is the minimum
guaranteed bandwidth that the user can use.
Default 1 KB
Acceptable Range (KB) - 1 to 2560000
Burstable: Specify burstable bandwidth which is the maximum
bandwidth that the user can use, if available.
Default 100000 KB
Acceptable Range (KB) - 1 to 2560000
Priority: Set the bandwidth priority. Priority can be set from 0
(highest) to 7 (lowest) depending on the traffic required to be
shaped.
0 Real Time For example, VOIP
1 Business Critical
2 to 5 Normal
6 Bulky - FTP
7 Best Effort e.g. P2P
Show Bandwidth
Usage
Click to view Bandwidth Usage.
Table QoS Settings screen elements
Page 461 of 490
Cyberoam User Guide
QoS Policy
Policy can be defined/created for:
User It restricts the bandwidth of a particular user.
Firewall Rule It restricts the bandwidth for any entity to which the Firewall Rule is applied.
Web Category It restricts the bandwidth for the URL categorized under the Web Category. To
implement restriction, policy is to be assigned through Firewall Rule.
Application It restricts the bandwidth for the application. To implement restriction, policy is to be
assigned through Firewall Rule.
Types of Policy
Two types of bandwidth restriction can be placed:
Strict In this type of bandwidth restriction, user cannot exceed the defined bandwidth limit.
Committed In this type of bandwidth restriction, user is allocated the guaranteed amount of bandwidth
and can draw bandwidth up to the defined burst-able limit, if available.
It enables to assign fixed minimum and maximum amounts of bandwidth to the users. By borrowing
the excess bandwidth when available, users are able to burst above guaranteed minimum limits, up
to the burst-able rate. Guaranteed rates also assure minimum bandwidth to critical users for receiving
constant levels of bandwidth during peak and non-peak traffic periods.
Guaranteed represents the minimum guaranteed bandwidth and burst-able represents the maximum
bandwidth that the user can use, if available.
Implementation strategy
The Policy can be implemented in two ways depending on the policy Type:
Total (Upload + Download)
Individual Upload and Individual Download
Strict policy
In this type of bandwidth restriction, the user cannot exceed the defined bandwidth limit. There are two ways
to implement strict policy:
Total (Upload + Download)
Individual Upload and Individual Download
Implementation on
Bandwidth specified
Example
Total
(Upload + Download)
Total bandwidth
Total bandwidth is 20 kbps
upload and download combined
cannot cross 20 kbps
Individual (Upload /
Download)
Individual bandwidth i.e.
separate for both
Upload and Download bandwidth
is 20 kbps then either cannot
cross 20 kbps
Page 462 of 490
Cyberoam User Guide
Committed policy
Implementation on
Bandwidth specified
Example
Total
(Upload + Download)
Guaranteed bandwidth
Guaranteed bandwidth is 20 kbps
upload and download combined
will get 20 kbps guaranteed
(minimum) bandwidth.
Burst-able bandwidth
Burst-able bandwidth is 50 kbps
upload and download combined
can get up to 50 kbps of
bandwidth (maximum), if
available.
Individual guaranteed bandwidth
is 20 kbps
Individually get 20 kbps
guaranteed (minimum)
bandwidth.
Individual (Upload /
Download)
Individual Guaranteed
and Burstable bandwidth
i.e. separate for both
Individual burstable bandwidth is
50 kbps
Individually get maximum
bandwidth up to 50 kbps, if
available.
Bandwidth Usage
Policy can be configured for two types of bandwidth usage:
Individual Allocated bandwidth is for the particular user only.
Shared Allocated bandwidth is shared amongst all the users who have been assigned this policy.
The Appliance is shipped with predefined QoS policies. These predefined policies are immediately available
for use until configured otherwise. You can also define custom policies to meet your organizations
requirements.
Manage QoS Policy list
To manage QoS Policies, go to QoS > Policy > Policy.
The Policy page displays a list of predefined and custom policies and provides option to create a new QoS
policy, schedule QoS policy, update parameters, or delete the policy.
To Schedule the QoS policy:
Navigate to QoS > Policy > Policy page.
Edit the policy to which you want to add schedule configuration.
Click Add and update the schedule details.
Page 463 of 490
Cyberoam User Guide
Screen Manage QoS Policies
Note
QoS Policy assigned to any Group or User cannot be deleted.
Screen Element
Description
Name
Displays the name of the QoS Policy.
Restriction Type
Displays the type of restriction based on Bandwidth Usage and
Policy implemented.
Total Bandwidth (in
KB) (Min/Max)
Displays the Total Bandwidth provided including Upload and
Download in KB.
For example, 8/16 for min/max size.
Upload Bandwidth (in
KB) (Min/Max)
Displays the Upload Bandwidth provided in KB.
For example, 8/16 KB for min/max size.
Download Bandwidth
(in KB) (Min/Max)
Displays the Download Bandwidth provided in KB.
For example, 8/16 KB for min/max size.
Table Manage QoS Policies screen elements
Creating a new QoS Policy
To add or edit a QoS policy, go to QoS > Policy > Policy. Click the Add button to add QoS policy. To
update the details, click on the policy or Edit icon
modify.
in the Manage column against the policy you want to
Page 464 of 490
Cyberoam User Guide
Screen Add a QoS Policy
Screen Element
Description
Add QoS Policy
Name
Specify a name to identify the Policy. Duplicate names are not
allowed.
Policy Based On
Select an option to specify for whom the policy is to be created.
receive
Available Options:
User Restricts the bandwidth of a particular user.
Firewall Rule Restricts the bandwidth of any entity to
which Firewall Rule is applied.
Web Category Restricts the bandwidth for the URL
categorized under the Web category.
Application Restricts the bandwidth for the applications
categorized under the Application category.
Policy Type
Select the type of policy.
Available Options:
Strict In this type of policy, user cannot exceed the
defined bandwidth limit.
Committed In this type of policy, user is allocated the
guaranteed amount of bandwidth and can draw
bandwidth up to the defined burst-able limit, if available.
It enables to assign fixed minimum and maximum amounts of
bandwidth to the users. By borrowing excess bandwidth when
available, users are able to burst above guaranteed minimum
limits, up to the burst-able rate. Guaranteed rates also assure
minimum bandwidth to critical users to receive constant levels
of bandwidth during peak and non-peak traffic periods.
Guaranteed represents the minimum guaranteed bandwidth
and burst-able represents the maximum bandwidth that the
user can use, if available.
Page 465 of 490
Cyberoam User Guide
Implementation On
Select any one option to specify implementation strategy of
policy. See Implementation Strategy for more details.
Priority
Set the bandwidth priority. Priority can be set from 0 (highest)
to 7 (lowest) depending on the traffic required to be shaped.
0 Real Time e.g. VOIP
1 Business Critical
2 to 5 - Normal
6 Bulky - FTP
7 Best Effort e.g. P2P
By default, priority is given to the real time traffic. However, if
administrator does not want this preference, feature can be
disabled using CLI command - set bandwidth allocationbehavior normal. If required, it can be enabled by CLI command
- set bandwidth allocation-behavior real-time.
If the bandwidth behavior is normal then priority will be
applicable only for excess bandwidth i.e. bandwidth remaining
after guaranteed bandwidth allocation.
If the bandwidth behavior is real-time then Real-time traffic
(QoS policy with priority 0) like VOIP will be given precedence
over all other traffic.
As priority is given to the real time traffic, it is possible that some
non real-time traffic will not get their minimum guaranteed
bandwidth. Specifically, if sum of burstable (max allowed) of all
bandwidth policies (real-time and non real-time) is greater than
total max-limit then guarantee of the real-time policies will be
fulfilled but non real-time might not get the minimum guaranteed
bandwidth.
Total Bandwidth (in
KB)
Specify allowed Total or Individual and Guaranteed-Burst-able
bandwidth depending on Policy Type and Implementation
strategy.
Total Bandwidth Range: 2 10240000KB.
Burst-able bandwidth should be greater than or equal to
guaranteed bandwidth.
Bandwidth Usage
Type
Select the type of bandwidth usage.
Available Options:
Individual Allocated bandwidth is for the particular user
only.
Shared Allocated bandwidth is shared among all the
users who have been assigned this policy.
Page 466 of 490
Cyberoam User Guide
Provide Policy Description.
Description
Table Add a QoS Policy screen elements
Scheduling QoS Policy
You can implement the QoS at the schedule time or override the QoS policy parameters for certain time period
defined in the schedule. Navigate to QoS > Policy > Policy page and edit the policy which you want to
schedule.
Manage Schedule list
Go to QoS > Policy > Policy. Click Edit icon
Policy Details.
against a QoS policy to manage Schedule wise QoS
Screen Add a QoS Policy Schedule
Screen Element
Description
Add Schedule wise QoS Policy Details to override the default QoS Policy Details
Schedule
Displays the schedule for Policy selected.
Policy Type
Displays the type of Policy: Strict or Committed.
Bandwidth (Min/Max)
Displays the Total Bandwidth provided including Upload and
Download in KB. For example, 8/16 for min/max size.
Upload Bandwidth
(Min/Max)
Displays the Download Bandwidth provided in KB For example,
8/16 KB for min/max size.
Download Bandwidth
(Min/Max)
Displays the Upload Bandwidth provided in KB For example,
8/16 KB for min/max size.
Page 467 of 490
Cyberoam User Guide
Table Manage Schedule screen elements
Policy Schedule Parameters
Go to QoS > Policy > Policy and click Edit icon
configure Schedule wise QoS Policy Detail.
against a QoS policy. Click the Add button to
Screen Add a QoS Policy Schedule
Screen Element
Description
Name
Displays policy name.
Policy Type
Displays default Policy Type set at the time of creation of policy,
modify if required.
Implementation On
Total Bandwidth (in
KB)
Schedule
Configured policy type overrides the default policy and is
applicable only for the selected scheduled time interval.
Displays default Implementation strategy set at the time of
creation of policy, modify if required.
Configured policy type overrides the default policy and is
applicable only for the selected scheduled time interval.
Displays allocated Total or Individual and Guaranteed -Burstable bandwidth depending on Policy Type and Implementation
strategy. Modify if required.
The modified bandwidth restriction is applicable only for the
selected time interval.
Select Schedule from the list available during which the QoS
policy will be applied.
Only Recurring Schedule can be applied.
If you are not sure about the Schedule details, select Schedule
to view the Schedule details.
Table Add a QoS Policy Schedule screen elements
Page 468 of 490
Cyberoam User Guide
Logs & Reports
The Appliance provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to help
identify security issues and reduce network abuse.
The Appliance can either store logs locally or send logs to external syslog servers for storage and archival
purposes.
The Appliance can log many different network activities and traffic including:
Firewall log
Anti Virus infection and blocking
Web filtering, URL and HTTP content blocking
Signature and anomaly attack and prevention
Spam filtering
IM logs
Administrator logs
User Authentication logs
VPN IPSec, L2TP, PPTP
WAF logs
ICAP logs
The Appliance can either store logs locally or send to the syslog servers. Traffic Discovery logs can be stored
locally only.
Configuration
Log Viewer
4-Eye Authentication
Page 469 of 490
Cyberoam User Guide
Configuration
Syslog is an industry standard protocol/method for collecting and forwarding messages from devices to a
server running a Syslog daemon usually via UDP Port 514. Syslog is a remote computer running a Syslog
Server. Logging to a central Syslog Server helps in aggregation of logs and alerts.
The Appliance sends a detailed log to an external Syslog server in addition to the standard event log. Syslog
support requires an external server running a Syslog daemon on any of the UDP Port. When configuring
logging to a Syslog server, one needs to configure the facility, severity and log file format. One can also
specify logging location if multiple Syslog servers are defined.
The Appliance captures all log activity and includes every connection source and destination IP Address
(IPv4/IPv6), IP service, and number of bytes transferred.
A SYSLOG service simply accepts messages, and stores them in files or prints. This form of logging is the
best as it provides a central logging facility and a protected long-term storage for logs. This is useful both in
routine troubleshooting and in incident handling.
Syslog Servers
Log Settings
Netflow
Page 470 of 490
Cyberoam User Guide
Syslog Servers
The Syslog Servers page displays a list of configured syslog servers. You can sort this list based on server
name. The page also provides option to add, update, or delete the server.
Manage Syslog Server list
To manage Syslog servers, go to Logs & Reports > Configuration > Syslog Server.
Screen Manage Syslog Servers
Screen Element
Description
Name
Displays name of the Syslog Server.
Server IP
IP Address of the server.
Port
Displays the server port.
Facility
Displays the facility configured for log messages.
Severity
Displays the severity level configured for logged messages.
Format
Displays log format.
Table Manage Syslog Server screen elements
Syslog Server Parameters
You can configure maximum five syslog servers.
To add or edit Syslog Server details, go to Logs & Reports > Configuration > Syslog Servers.
Click Add Button to add a new server or Edit Icon to modify the details of the server.
Page 471 of 490
Cyberoam User Guide
Screen Add Syslog Server
Screen Element
Description
Name
Provide a unique name for Syslog Server.
IP Address / Domain
Specify IP Address (IPv4/IPv6) or domain name of the Syslog
Server. Messages from the Appliance will be sent to the server.
Port
Specify the port number for communication with the Syslog
Server. The Appliance will send messages using the configured
port.
Facility
Select Syslog facility for log messages to be sent to the Syslog
Server.
Facility indicates to the Syslog Server the source of a log
message. It is defined by the Syslog protocol. You can
configure facility to distinguish log messages from different
Appliances. In other words, it can be helpful in identifying the
device that recorded the log file.
The Appliance supports following Syslog facilities for log
messages received from the remote servers and network
devices:
Available Options:
DAEMON Daemon logs (Information of Services running
in Appliance as daemon).
KERNEL Kernel log
LOCAL0 LOCAL7 Log level information.
USER Logging based on users who are connected to the
Server.
Severity Level
Specify severity levels of logged messages.
Severity level is the severity of the message that has been
generated.
Appliance logs all the messages at and above the logging
severity level you select. For example, select ERROR to log
Page 472 of 490
Cyberoam User Guide
all messages tagged as ERROR, as well as any messages
tagged with CRITICAL, ALERT and EMERGENCY and
select DEBUG to log all messages.
Appliance supports following Syslog levels:
EMERGENCY System is not usable
ALERT Action must be taken immediately
CRITICAL Critical condition
ERROR Error condition
WARNING Warning condition
NOTIFICATION Normal but significant condition
INFORMATION Informational
DEBUG Debug - level messages.
Format
Appliance produces logs in the specified format. The Appliance
currently produces logs in its own Cyberoam Standard Format.
Table Add Syslog Server screen elements
Once you add the server, go to Logs & Reports > Configuration > Log Settings page and enable
all those logs, which are to be sent to the Syslog Server.
Page 473 of 490
Cyberoam User Guide
Log Settings
After configuring Syslog server, configure logs to be sent to the Syslog server. If multiple Syslog servers are
configured, you can send various logs on different servers.
To record logs you must enable the respective log and specify logging location. The Administrator can choose
between On-Appliance (local) logging and Syslog logging. The Administrator can also disable logging
temporarily.
Manage Log Type list
To manage Syslog servers, go to Logs & Reports > Configuration > Log Settings.
Screen Configure Log Settings
Screen Element
Description
Log Type(System)
Displays the various logs.
Local
Displays the logging location.
Syslog
Central_Management
Displays Central Management logs.
Cyberoam
Displays Cyberoam Logs
Table Configure Log Setting screen elements
The Appliance logs many different network activities and traffic including:
Page 474 of 490
Cyberoam User Guide
Firewall Log
Firewall Log records invalid traffic, local ACL traffic, DoS attack, ICMP redirected packets, source routed and
fragmented traffic. Firewall logs can be disabled or send to the remote syslog server only but cannot be stored
locally.
Firewall Rules
Log records the entire traffic for Firewall.
Invalid Traffic Log
Log records the dropped traffic that does not follow the protocol standards, invalid fragmented traffic
and the traffic whose packets or Appliance is not able to relate to any connection.
Local ACLs Log
Log records the entire (allowed and dropped) incoming traffic.
DoS Attack Log
The DoS Attack Log records attacks detected and prevented by the Appliance i.e. dropped TCP, UDP
and ICMP packets.
To generate logs, go to Firewall > DoS > Settings and click Apply Flag against SYN Flood,
UDP Flood, TCP Flood, and ICMP Flood individually.
Dropped ICMP Redirected Packet Log
Log records all the dropped ICMP redirect packets.
To generate log, go to Firewall > DoS > Settings and click Apply Flag against Disable ICMP
redirect Packets.
Dropped Source Routed Packet Log
Log records all the dropped source routed packets.
To generate log, go to Firewall > DoS > Settings and click Apply Flag against Drop Source
Routed Packets.
Dropped Fragmented Traffic
Log records the dropped fragmented traffic.
MAC Filtering
Log records the dropped packets when filtering is enabled from Spoof prevention.
IP-MAC Pair Filtering
Log records the dropped packets when filtering is enabled from Spoof prevention.
IP Spoof Prevention
Log records the dropped packets when filtering is enabled from Spoof prevention.
SSL VPN
Log records of SSL VPN traffic.
Page 475 of 490
Cyberoam User Guide
Virtual Host
Log records of Virtual Host traffic.
IPS Logs
Records detect and drop attacks based on unknown or suspicious patterns (anomaly) and signatures.
Anti Virus Logs
Viruses detected in HTTP, SMTP, FTP, POP3, IMAP4, HTTPS and IM traffic. HTTP and FTP logs can be
disabled or sent to the remote log server only.
Anti Spam Logs
SMTP, POP3, IMAP4 spam and probable spam mails.
Content Filtering Logs
Web Filtering, Application Filtering and IM logs.
Event Logs
Admin Events, Authentication Events and System Events.
WAF Logs
Alert Events and Allowed Events.
Note
WAF logs are not available in CR10iNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR25ia, CR25wi,
CR35ia and CR35wi Cyberoam Appliances.
Page 476 of 490
Cyberoam User Guide
Netflow
To configure Netflow, go to Logs & Reports > Configuration > Netflow.
Netflow is a flow technology used for network bandwidth monitoring. Details of the traffic passing through the
firewall rule can be exported as NetFlow records to the Netflow Server. Based on the records received by the
Netflow Server, data analyzing tools like Open Source Data Analyzer and PRTG software can generate
reports.
The Netflow page displays list of configured netflow servers. The page also provides option to add, update,
or delete the server. Use
to add and
to delete Netflow Server.
Note
Only traffic of Firewall rules where "Log Firewall Traffic" is enabled will be sent to the NetFlow Server.
You can configure maximum five Netflow Servers.
Cyberoam supports NetFlow v5 and all the parameters of v5 can be exported.
Screen Add Netflow Servers
Screen Element
Description
Netflow Configuration
Server Name
Specify a unique name for Netflow server.
Netflow Server
IP/Domain
Specify IP Address (IPv4 / IPv6) or domain name of the
Netflow Server.
Netflow Server Port
Specify the UDP port number for communication with the
Netflow Server. NetFlow records will be sent on the specified
port.
Default - 2055
Table Add Netflow Server screen elements
Page 477 of 490
Cyberoam User Guide
Log Viewer
View the logs for modules like IPS, Web Filter, Anti Spam, Anti Virus and Firewall from Log Viewer page. This
page gives consolidated information about all the events that have occurred.
To view and manage logs, go to Logs & Reports > Log Viewer > Log Viewer.
View Log Modules
Set Refresh Interval Select the refresh interval for refreshing the logs automatically. Choose the time
or click Refresh button to refresh the logs.
De-Anonymize
View Log Modules
System System logs provide information about all the system related logs. System logs also include
logs for VPN events.
Web Filter Web Filter logs provide information about the users that were detected accessing restricted
URLs and the action taken by the Appliance.
Application Filter Application Filter logs provide information about applications whose access was
denied by the Appliance.
IM IM logs provide information about Instant Messaging logs that are enabled. Logging, Conversation,
File Transfer and Webcam.
Anti Virus Anti Virus logs provide information about the Viruses identified by Appliance.
Anti Spam Anti Spam logs provide information about the spam mails identified by Appliance.
Firewall Firewall logs provide information about how much traffic passes through a particular Firewall
rule and through which interfaces.
IPS IPS logs provide information about the signatures that were detected.
Authentication Authentication logs provide information about all the authentication logs including
Firewall, VPN and My Account authentication.
Admin Admin logs provide information about administrator event and tasks.
WAF WAF logs provide information about HTTP/S requests and action taken on the same.
ICAP ICAP logs provide information about the ICAP events.
View list of System events
Screen Element
Description
Time
Time when the event occurred.
Log Comp
Displays the Log Components of the System event.
Type of Log Components HTTP, HA, Central Management,
IPSec, L2TP, PPTP, SSL VPN, Appliance, DHCP Server,
Interface, Gateway, DDNS, Web cat, IPS, Anti Virus, Dial-In,
Quarantine, WLAN, HTTPS, Guest User, Virtual Host and CTA.
Status
Successful or failed.
User Name
Username of the user.
Message
Message for the type of system event.
Page 478 of 490
Cyberoam User Guide
Message ID
Message ID of the message.
View list of Web Filter events
Screen Element
Description
Time
Time when the event occurred.
Action
Allowed or Denied.
User Name
Username of the user that accessed the URL.
Source IP
Source IP Address (IPv4/IPv6).
Destination IP
Destination IP Address (IPv4/IPv6).
Category
Category under which the URL comes.
URL
URL accessed.
Bytes Transfer
No. of bytes transferred.
Message ID
Message ID of the message.
View list of Application Filter events
Screen Element
Description
Time
Time when the event occurred.
Action
Denied
User Name
Username of the user that accessed the application.
Source IP
Source IP Address (IPv4/IPv6).
Destination IP
Destination IP Address (IPv4/IPv6).
Application Category
Category under which the Application is categorized.
Application
Name of the application denied.
Firewall Rule
Firewall rule ID applied to the traffic.
Message ID
Message ID of the message.
View list of IM events
Screen Element
Description
Time
Time when the event occurred.
IM Action
Displays the IM Action.
Action: Message, File transfer, Webcam, Login and Logout.
Rule Action
Rule action defined Allowed or Denied.
Protocol
Type of Protocol used Yahoo or MSN.
User Name
Username of the user.
IP Address
IP Address (IPv4/IPv6) of the user.
Page 479 of 490
Cyberoam User Guide
Protected Contact
Displays the Email ID of the participant protected by Cyberoam.
Peer Contact
Displays the Email ID of the other participant.
This participant may/may not be protected by Cyberoam.
Message
Message for the type of IM event.
Message ID
Message ID of the message.
View list of Anti Virus events
Screen Element
Description
Time
Time when the event occurred.
Protocol
Displays name of the protocol.
Types of protocol: HTTP, HTTPS, FTP, POP, IMAP, SMTP and
SMTPS.
User Name
Username on the user on whose system virus was detected.
Source IP
Source IP Address (IPv4/IPv6)
Destination IP
Destination IP Address (IPv4/IPv6).
Virus
Name of the Virus detected.
Message
Message for the Virus detected.
Message ID
Message ID of the message.
View list of Anti Spam events
Screen Element
Description
Time
Time when the event occurred.
Log Comp
Displays the Log Components of the Anti Spam events.
Types of Log Components: SMTP, SMTPS, POP and IMAP.
Action
Displays action taken against any Anti Spam events.
Actions: Reject, Drop, Accept, Change Recipient and Prefix
Subject.
User Name
Username on the user on whose system, spam was detected.
Source IP
Source IP Address (IPv4/IPv6).
Destination IP
Destination IP Address (IPv4/IPv6).
Email Sender
Spam Email sender IP Address.
Email Receiver
Spam Email recipient IP Address.
Email Subject
Subject of the Email.
Message
Message for the Virus detected.
Page 480 of 490
Cyberoam User Guide
Message ID
Message ID of the message.
View list of Firewall events
Screen Element
Description
Time
Time when the event occurred.
Log Comp
Displays the Log Components of the Firewall events.
Types of Log Components: Firewall Rule, Invalid Traffic, Local
ACL, DoS Attack, ICMP Redirection, Source Routed,
Fragmented Traffic, Foreign Host, IPMAC Filter, IP Spoof and
Virtual Host.
Action
Allowed or Denied.
User Name
Username of user on which Firewall rule is applied.
Firewall Rule
Firewall Rule ID.
In Interface
Interface through which the traffic is coming in.
Out Interface
Interface through which the traffic is going out.
Source IP
Source IP Address (IPv4/IPv6).
Destination IP
Destination IP Address (IPv4/IPv6).
Message ID
Message ID for the Virus detected.
View list of IPS events
Screen Element
Description
Time
Time when the event occurred.
Log Comp
Displays the Log Components of IPS events.
Types of Log Components: Anomaly and Signatures.
Action
Detect or Drop.
User Name
Username of the user that triggered the signature.
Source IP
Source IP Address (IPv4/IPv6).
Destination IP
Destination IP Address (IPv4/IPv6).
Signature ID
Signature ID of the signature.
Signature Name
Name for the detected Signature.
Firewall Rule
Firewall Rule applied.
Message ID
Message ID of the message.
View list of Authentication events
Screen Element
Time
Description
Date and Time when the event occurred.
Page 481 of 490
Cyberoam User Guide
Log Comp
Displays the Log Components of Authentication events.
Type of Log Components: Firewall Authentication, VPN
Authentication, SSL VPN Authentication, My Account
Authentication,
Dial-In
Authentication,
and
NTLM
Authentication.
Status
Successful or failed.
User Name
Username of the user.
IP Address
IP Address of the user.
Auth. Client
Authentication client which is used for authentication: Web
Client, Corporate Client or CTA.
Auth. Mechanism
Type of Authentication Mechanism: Local or External Server
(AD, LDAP or RADIUS).
Message
Message for the type of authentication event.
Message ID
Message ID of the message.
View list of Admin events
Screen Element
Description
Time
Time when the event occurred.
Log Comp
Displays type of Log Components of Admin events.
Types of Log Components: GUI, CLI, Console, Central
Management.
Status
Successful or failed.
User Name
Username of the admin user.
IP Address
IP Address of the admin user.
Message
Message for the type of Admin event.
Message ID
Message ID of the message.
View list of WAF events
Screen Element
Description
Time
Time when the event occurred.
Action
Displays action taken against any Web Application events.
Web Server Name
Displays a name for the web server,
Source IP/Name
Source IP Address or Name.
Message
Message for the WAF event.
URL
URL accessed.
Reason
Reason for the action taken on any Web Application.
Page 482 of 490
Cyberoam User Guide
Status Code
Status code of the action taken on the Web Application.
Bytes Transferred
Displays the bytes of information transferred.
Message ID
Message ID of the message.
View list of ICAP events
Screen Element
Description
Time
Time when the event occurred.
Action
Displays action taken by server from the below:
No Change
Body Modified
Header modified
4xx_Error
5xx_Error
Denied
Mode
Mode in which ICAP Server is configured (Request/Response)
User Name
Username of user that accessed the URL.
Source IP
Source IPv4 Address.
Destination IP
Destination IPv4 Address.
URL
URL accessed.
Bytes Transferred
Displays number of bytes transferred from the appliance to
ICAP Server.
Server Tag
Unique tag used by Server.
X-Info
Displays messages sent by server.
Message ID
Message ID of the message.
Page 483 of 490
Cyberoam User Guide
De-Anonymize
The Appliance anonymizes all the user identities - Username, IP Address, MAC Address, Email Address and
IM Contact ID in all logs / reports. It means user identities in all the reports are displayed in encrypted form.
To view the actual details, IT Administrator has to de-anonymize. To de-anonymize, approval from one of the
authorizers configured on the Settings page is required.
To de-anonymize:
1. Click Copy icon
against the Username, IP Address, MAC Address, Email Address or IM
Contact ID to be de-anonymized.
2. Click De-anonymize icon . It will open a pop-up.
3. Select the authorizer and enter the authorizers password.
4. Select for how long the de-anonymized data is to be kept. Available options: For this search,
Session and Permanent.
5. Select the type of string to be de-anonymized - Username, IP Address (IPv4/IPv6), MAC
Address, Email Address or IM Contact ID
Page 484 of 490
Cyberoam User Guide
4-Eye Authentication
Appliance logs and reports provide organizations with visibility into their networks for high levels of security,
data confidentiality while meeting the requirements of regulatory compliance.
Cyberoam collects current log data and provides near real-time reports in graphical and tabular format. It
offers user identity-based reporting across applications, protocols and multiple Appliances allowing
organizations to see Who is doing What anywhere in the network. It offers wide spectrum of 1000+ unique
reports to get in-depth network visibility help organizations to take corrective and preventive measures.
For legal compliant logging, reporting and archiving, it is important that an organization follows all the
obligations for keeping relevant information archived and accessible all the time. To maintain the security, it
also required to monitor the logs related to user-specific activities. On the other hand, the organization must
also not invade its employees privacy.
Monitoring user-specific activities without the consent or the presence of the employee or their delegate is
illegal. Internal protection is necessary when a person can access activity logs of other employees.
In an organization, usually the IT Administrator has access permissions to view the user activity logs to ensure
security. However, administrator can violate the organizations privacy regulations and have insight to
confidential documents and can misuse to track user activities.
To prevent a single administrator from having complete control over the logs, Appliance has implemented a
Four-Eye authentication. It enhances the already existing logging and security mechanisms by adding an
additional administrator, without whose permission access cannot be granted.
In this system, Administrator can view user (employee) specific activities / logs /reports only if an Independent
Authorized person approves it.
Once it is enabled, Four-Eye authentication can be used to prevent unauthorized access to private data. To
view user specific logs, two authorized administrators must log on. Additionally, data can also be anonymized
to enhance privacy protection.
Settings
De-Anonymize
Page 485 of 490
Cyberoam User Guide
Settings
Enable Four-Eye Authentication for IT Administrator to view or download user-specific activities, logs or
reports. Apart from the IT Administrator, at least one independent authorizer with the administrative privileges
is required.
Once enabled:
1. All the user identities - Username, IP Address (IPv4 / IPv6), MAC Address, Email Address and IM
Contact ID in all logs /activities / reports are anonymized.
2. If the IT administrator wants to de-anonymize the above mentioned user details, an approval is
required from all the authorizers.
3. To disable Four-Eye Authentication, approval from both the authorized people is required.
Screen 4-Eye Authentication
Screen Element
Description
Enable 4-Eye
Authentication
Enable 4-Eye Authentication to enable administrator to view
or download user-specific activities, logs or reports.
Select Authorizer
Administrator List displays all the administrators.
Click the checkbox to select the administrator. All the selected
administrators are moved to Selected Authorizer list.
Table 4-Eye Authentication
Page 486 of 490
Cyberoam User Guide
De-Anonymize
To comply with the Data Privacy Law, it is necessary to protect individual data. The Appliance anonymizes
data to achieve this by encrypting the log data in a random manner.
The Appliance anonymizes all the user identities - Username, IP Address (IPv4/IPv6), MAC Address, Email
Address and IM Contact ID in all logs /activities / reports. It means user identities in all the reports are
displayed in encrypted form.
To view the actual details, the IT Administrator has to de-anonymize. To de-anonymize, approval from one of
the authorizers configured on the Settings page is required.
Screen Element
Description
Users
Select Username(s) to be de-anonymized.
IP
Add IP Address(s) (IPv4/IPv6) to be de-anonymized.
Advanced Settings (MAC Address, Email, IM Contact)
MAC
Add MAC Address to be de-anonymized.
Add Email Address to be de-anonymized.
IM Contact
Add IM Contact to be de-anonymized.
Table De-Anonymize
Page 487 of 490
Cyberoam User Guide
Screen De-Anonymize
Once approved, all the logs and reports are displayed with the actual user details and not in the encrypted
form. Click the Apply button. An Authorization Window will pop-up.
In addition, you can De-Anonymize from the Reports.
Page 488 of 490
Cyberoam User Guide
Screen Authorization
Screen Elements
Description
User Name
Select the User Name.
Password
Provide the password for approval.
Table Authorization
Page 489 of 490
You might also like
- Cyberoam CR50ia - & - CR100ia - Quick Start Guide - PDF0% (1)Cyberoam CR50ia - & - CR100ia - Quick Start Guide - PDF12 pages
- Cyberoam Release Notes V 10 CR15wi, CR15i & CR25iNo ratings yetCyberoam Release Notes V 10 CR15wi, CR15i & CR25i17 pages
- Document Version 10.04.4.0028 - 08/10/2013: Cyberoam Anti Spam Implementation GuideNo ratings yetDocument Version 10.04.4.0028 - 08/10/2013: Cyberoam Anti Spam Implementation Guide30 pages
- Web Application Firewall Guide: Document Version 10.04.4.0028 - 08/10/2013No ratings yetWeb Application Firewall Guide: Document Version 10.04.4.0028 - 08/10/201349 pages
- Cyberoam Iview Administrator Guide: Document Version 1.0-10.04.3.0543-21/06/2013No ratings yetCyberoam Iview Administrator Guide: Document Version 1.0-10.04.3.0543-21/06/201387 pages
- Unified Threat Management: Quick Start GuideNo ratings yetUnified Threat Management: Quick Start Guide12 pages
- Unified Threat Management: Quick Start GuideNo ratings yetUnified Threat Management: Quick Start Guide12 pages
- Cyberoam-iView Administrators - Guide PDFNo ratings yetCyberoam-iView Administrators - Guide PDF153 pages
- Unified Threat Management: Quick Start GuideNo ratings yetUnified Threat Management: Quick Start Guide12 pages
- Unified Threat Management: Quick Start GuideNo ratings yetUnified Threat Management: Quick Start Guide12 pages
- How To - Configure Cyberoam As SNMP Agent PDFNo ratings yetHow To - Configure Cyberoam As SNMP Agent PDF5 pages
- Aginet ACS V1.0 - UG - REV1.0 - 01 - 2022 - 0322No ratings yetAginet ACS V1.0 - UG - REV1.0 - 01 - 2022 - 032263 pages
- Installation & Maintenance Guide For Co-Resident Server100% (1)Installation & Maintenance Guide For Co-Resident Server3,226 pages
- Quick Start Guide: Centralized ManagementNo ratings yetQuick Start Guide: Centralized Management7 pages
- McAfee SMC Administrator's Guide 5.7 PDFNo ratings yetMcAfee SMC Administrator's Guide 5.7 PDF1,328 pages
- Adminmanager User Manual: LGC Wireless ConfidentialNo ratings yetAdminmanager User Manual: LGC Wireless Confidential130 pages
- Cyberoam Virtual UTM Appliance Installation Guide For Microsoft Hyper-VNo ratings yetCyberoam Virtual UTM Appliance Installation Guide For Microsoft Hyper-V26 pages
- Cyberoam Version 10.04.0 Build 214, 304, 311, 338No ratings yetCyberoam Version 10.04.0 Build 214, 304, 311, 33831 pages
- Installation Guide: Complete The Basic SetupNo ratings yetInstallation Guide: Complete The Basic Setup2 pages
- Cyberoam IView Windows Installation GuideNo ratings yetCyberoam IView Windows Installation Guide30 pages
- Install and Configure Cyberoam Corporate Client For WindowsNo ratings yetInstall and Configure Cyberoam Corporate Client For Windows5 pages
- Manual - Netgear ReadyNAS Pro 6 RNDP6000No ratings yetManual - Netgear ReadyNAS Pro 6 RNDP6000132 pages
- Set Up Your Own IPsec VPN, OpenVPN and WireGuard Server: Build Your Own VPNFrom EverandSet Up Your Own IPsec VPN, OpenVPN and WireGuard Server: Build Your Own VPN5/5 (1)
- How To Do Virtualization: Your Step-By-Step Guide To VirtualizationFrom EverandHow To Do Virtualization: Your Step-By-Step Guide To VirtualizationNo ratings yet
- Create Your Website and E-Commerce at No Cost. Thanks to WordPress and Google Cloud PlatformFrom EverandCreate Your Website and E-Commerce at No Cost. Thanks to WordPress and Google Cloud Platform5/5 (1)
- Traffic Policing: Finding Feature InformationNo ratings yetTraffic Policing: Finding Feature Information6 pages
- Cisco Catalyst 9200 Series Switching ArchitectureNo ratings yetCisco Catalyst 9200 Series Switching Architecture30 pages
- Notes_Data_Analysis_and_Visualization_using_Tableau_complete_notesNo ratings yetNotes_Data_Analysis_and_Visualization_using_Tableau_complete_notes101 pages
- CP 224 LECT - 2 - 2 - Relational Database DesignNo ratings yetCP 224 LECT - 2 - 2 - Relational Database Design31 pages
- BD FACSCelesta™ Flow Cytometer User's GuideNo ratings yetBD FACSCelesta™ Flow Cytometer User's Guide152 pages
- HP Compaq Notebook and Desktop Price ListNo ratings yetHP Compaq Notebook and Desktop Price List3 pages
- Full Download Globalization and Its Discontents Revisited Anti Globalization in The Era of Trump Joseph E. Stiglitz PDF100% (7)Full Download Globalization and Its Discontents Revisited Anti Globalization in The Era of Trump Joseph E. Stiglitz PDF34 pages
- Full Download (Ebook) Inside the Microsoft Build Engine: Using MSBuild and Team Foundation Build, Second Edition by Sayed Ibrahim Hashimi, William Bartholomew ISBN 9780735645240, 0735645248 PDF DOCX100% (1)Full Download (Ebook) Inside the Microsoft Build Engine: Using MSBuild and Team Foundation Build, Second Edition by Sayed Ibrahim Hashimi, William Bartholomew ISBN 9780735645240, 0735645248 PDF DOCX86 pages
- Cracking Linux Password With Hashcat Using AWS P2 GPU PDFNo ratings yetCracking Linux Password With Hashcat Using AWS P2 GPU PDF7 pages
- Wolters Kluwer CCH Tagetik - IfRS 17 - DatasheetNo ratings yetWolters Kluwer CCH Tagetik - IfRS 17 - Datasheet2 pages
- Download full Using Excel For Principles of Econometrics 4th Edition Genevieve Briand ebook all chapters100% (16)Download full Using Excel For Principles of Econometrics 4th Edition Genevieve Briand ebook all chapters50 pages
- Alignment-Free Sequence Comparison A Systematic Survey From A Machine Learning PerspectiveNo ratings yetAlignment-Free Sequence Comparison A Systematic Survey From A Machine Learning Perspective17 pages
