
Allowed login from all nodes

In document User Guide Version 9.5.8 (Page 33-45)

Setting up Groups

Login restriction

1) Allowed login from all nodes – Allows Users defined under the Group to login from all the nodes.

2) Allowed login from the selected nodes – Allows Users defined under the Group to login from the selected nodes only. Specifies the IP addresses from where a User can login. Click Select Node to open a new window and select the IP Address. Refer to the Select Node table and to Apply Login Node Restriction for more details.

Select Node button (available only if the ‘Allowed Login from selected node’ option is selected for Login restriction) – Opens a new page and allows to select the node. Click to select the Node.

Create button – Creates the Group.

Cancel button – Cancels the current operation and returns to the Manage Group page.

Table - Create Group screen elements

Note

It is not necessary to add users at the time the Group is created. Users can be added to the group after it has been created.

Apply Login Node Restriction

Screen – Apply Login Node Restriction

Screen Elements – Description – Action

Logon Pool name – Logon Pool from which the Node/IP address is to be added. Click the Logon Pool name list to select.

Select – User will be allowed to login from the selected nodes only. Click to select a Node. Multiple nodes can also be selected.

OK button – Applies the login restriction and closes the window. Click to apply the restriction.

Cancel button – Cancels the current operation.

Table - Apply Login Node Restriction screen elements

Import AD group (only if Active Directory authentication is implemented)

If Active Directory authentication is implemented and Cyberoam is configured to communicate with the AD server, the Administrator can import user groups created on the AD server. Once you have configured and added the AD details, select User → Authentication Settings and click the Import Group(s) link against the AD server from which you want to import AD groups.

Screen – Import Group Wizard

Follow the on-screen steps:

Step 1. Specify Base DN. Cyberoam will fetch AD groups from the specified Base DN.

To import users from default AD Container:

To import users from custom AD Container:

If multiple custom containers are created, repeat the entire process for each container.

Step 2. Select Groups that are to be imported in Cyberoam. Use <Ctrl> + Click to select multiple groups.

All the groups created in AD (both imported and not yet imported) are displayed. An asterisk (*) beside a group name indicates that the group is already imported into Cyberoam.

Use arrows to move groups across the group lists.

Step 3. Select various policies (Surfing Quota, Access time, Bandwidth, Internet Access and Data transfer) and user authentication time out to be applied on the group members.

By default, “Attach to all the Groups” is enabled, hence Cyberoam attaches the same policies to all the imported Groups, i.e. common policies across the imported groups.

Do not enable “Attach to all the Groups” for a policy if you want to specify:

• a different policy for each group

• a specific policy for all the groups

• a specific policy for a specific group

For example, if you want to specify a different Internet Access policy for different groups, do not enable “Attach to all the Groups”.

Screen – Define same policy to all the imported Groups

Screen – Define different policies to different Groups

Step 4. If you have disabled “Attach to all the Groups”, specify the policies to be applied to each group.

Screen – Define specific policy for a Group

Step 5. The View Results page displays a success message if the groups are imported and the policies are successfully attached; otherwise an appropriate error message is displayed. Once you close the Wizard, the Manage Groups page opens. All the imported groups are appended at the end of the list.

Screen – Groups imported and common policies attached successfully

Screen – Groups imported and specific policies attached to specific Group

All the imported groups are appended at the end of the list on the Manage Group page.

If a user is a member of multiple AD groups, Cyberoam determines the user's group based on the order of the groups defined in Cyberoam. Cyberoam searches the ordered Group list from top to bottom to determine the user's group membership. The first group that matches is considered the user's group, and that group's policies are applied to the user.

Groups can be re-ordered using the Wizard to change the membership preference.
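The paragraph above explains that a user who belongs to several imported AD groups gets the policies of whichever of those groups appears first in Cyberoam's ordered group list, so the order of the list decides which policy set a user actually receives. The following Python model is an added example, not code from the Cyberoam User Guide or the product; the group names, attached policies and AD memberships are constructed sample data, and the re-ordering helper stands in for the Wizard's re-order step.

```python
# Added example (not from the Cyberoam User Guide): models the group-membership
# resolution described for users that belong to several AD groups. The ordered
# group list is walked top to bottom and the first group the user belongs to
# wins; the policies attached to that group are the ones applied.
# Group names, policies and users below are constructed for illustration.

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    # Policy names attached to the group (constructed placeholders).
    policies: dict = field(default_factory=dict)


# Ordered group list as it might appear on the Manage Groups page (assumption).
GROUP_ORDER = [
    Group("Finance", {"Internet Access": "Strict", "Bandwidth": "2 Mbps"}),
    Group("Staff", {"Internet Access": "General Corporate Policy", "Bandwidth": "10 Mbps"}),
    Group("Contractors", {"Internet Access": "Monitor only", "Bandwidth": "1 Mbps"}),
]

# AD memberships per user, as the directory would report them (constructed).
AD_MEMBERSHIPS = {
    "alice": {"Staff", "Finance"},
    "bob": {"Contractors", "Staff"},
    "carol": {"Guests"},  # member of no imported group
}


def resolve_group(user: str, order: list, memberships: dict):
    """Return the first group in `order` that the user belongs to, or None."""
    user_groups = memberships.get(user, set())
    for group in order:
        if group.name in user_groups:
            return group
    return None


def effective_policies(user, order=GROUP_ORDER, memberships=AD_MEMBERSHIPS):
    """(group name, policies) that would be applied to the user, or None."""
    group = resolve_group(user, order, memberships)
    return None if group is None else (group.name, dict(group.policies))


def reordered(order, first_name):
    """Move the named group to the top of the list (the Wizard's re-ordering)."""
    head = [g for g in order if g.name == first_name]
    return head + [g for g in order if g.name != first_name]


if __name__ == "__main__":
    print(effective_policies("alice"))  # Finance wins: it is listed first
    print(effective_policies("alice", reordered(GROUP_ORDER, "Staff")))  # now Staff wins
    print(effective_policies("carol"))  # None: no imported group matches
```

Running it shows the point of the ordering rule: alice is in both Finance and Staff, so moving Staff above Finance silently changes which Internet Access and Bandwidth policies she receives. When reviewing the order, check it against the users who sit in more than one imported group.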

Firewall

A firewall protects the network from unauthorized access and typically guards the LAN and DMZ networks against malicious access; however, firewalls may also be configured to limit access to harmful sites for LAN users.

The responsibility of the firewall is to grant access from the Internet to the DMZ or Service Network according to the configured Rules and Policies. It also tracks the state of each connection and denies any traffic that is out of connection state.

Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule, Cyberoam decides how to process the access request. When Cyberoam receives a request, it checks the source address, destination address and service and tries to match them with a firewall rule. If an Identity match is also specified, the firewall searches the Live User Connections for the Identity check. If the Identity (User) is found in the Live User Connections and all the other matching criteria are fulfilled, the action specified in the rule is applied. The action can be allow or deny.

You can also apply different protection settings to the traffic controlled by firewall:

• Enable load balancing between multiple links

• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP traffic. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details.

• Implement Intrusion detection and prevention. To apply IDP policy you need to subscribe for Intrusion Detection and Prevention module. Refer to Licensing section for details.

• Enable VPN traffic scanning

• Configure content filtering policies. To apply content filtering you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.

• Apply bandwidth policy restriction

By default, Cyberoam blocks any traffic to LAN.

Default Firewall rules

At the time of deployment, Cyberoam allows you to define one of the following Internet Access policies using the Network Configuration Wizard:

• Monitor only

• General Internet policy

• Strict Internet policy

Depending on the IAP, Cyberoam creates two default firewall rules.

Default firewall rules for “Monitor only” IAP

1. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying the following policies:

   Internet Access policy – User specific
   Bandwidth policy – User specific
   Anti Virus & Anti Spam policy – Allows SMTP, POP3, IMAP and HTTP traffic without scanning

2. Masquerade and Allow entire LAN to WAN traffic for all the users without scanning SMTP, POP3, IMAP and HTTP traffic

Default firewall rules for “General Internet policy” IAP

3. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying the following policies:

   Internet Access policy – User specific
   Bandwidth policy – User specific
   Anti Virus & Anti Spam policy – Scan SMTP, POP3, IMAP and HTTP traffic

4. Masquerade and Allow entire LAN to WAN traffic for all the users after applying the following policies:

   Internet Access policy – Applies ‘General Corporate Policy’ to block the Porn, Nudity, AdultContent, URL TranslationSites, Drugs, CrimeandSuicide, Gambling, MilitancyandExtremist, PhishingandFraud, Violence and Weapons categories
   IDP – General policy
   Anti Virus & Anti Spam policy – Scan SMTP, POP3, IMAP and HTTP traffic

Default firewall rules for “Strict Internet policy” IAP

5. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying the following policies:

   Internet Access policy – User specific
   Bandwidth policy – User specific
   IDP policy – General policy
   Anti Virus & Anti Spam policy – Scan SMTP, POP3, IMAP and HTTP traffic

6. Drop entire LAN to WAN traffic for all the users

Note

Default Firewall rules can be modified as per the requirement but cannot be deleted.

IDP policy will not be effective until the Intrusion Detection and Prevention (IDP) module is subscribed.

Virus and Spam policy will not be effective until the Gateway Anti Virus and Gateway Anti-spam modules are subscribed respectively.

If Internet Access Policy is not set through Network Configuration Wizard at the time of deployment, the entire traffic is dropped.

Default VPN firewall rules

On upgrading to V 9.5.8 build 03, Cyberoam also automatically creates the following default rules for the VPN zone to allow VPN traffic:

• VPN to LAN and LAN to VPN

• VPN to DMZ and DMZ to VPN

• VPN to WAN and WAN to VPN

• VPN to Custom zone and Custom zone to VPN

You can update the default VPN policies to enable virus scanning and apply IDP to the VPN traffic.

Additional firewall rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as FTP from the LAN to the WAN, or allow certain types of traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols such as Telnet to authorized users on the LAN.

Custom rules evaluate the network traffic's source IP addresses, destination IP addresses, User and IP protocol types, and compare this information with the access rules created on the Cyberoam appliance. Custom rules take precedence and override the default Cyberoam firewall rules.
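The Firewall section above describes how a request is matched against rules (source, destination, service, and an optional Identity check against the Live User Connections), lists the default rules created for the “Strict Internet policy” IAP, and states that custom rules take precedence over the defaults. The following Python model is an added example, not code from the Cyberoam User Guide or the appliance; it reproduces that evaluation order with a rule set modelled on the “Strict Internet policy” defaults plus the guide's example of a custom rule blocking FTP from the LAN to the WAN. The zone names follow the guide; the IP addresses, the username, the live-user table and the rule names are constructed sample data.

```python
# Added example (not from the Cyberoam User Guide): a small model of the
# first-match firewall evaluation described in the guide. A request is matched
# on source zone/address, destination zone and service; a rule with an Identity
# match additionally requires the source address to appear in the Live User
# Connections table. Custom rules are evaluated before default rules.
# Addresses, usernames, rule names and the FTP rule are constructed.

from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Request:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str  # e.g. "HTTP", "FTP"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str = ANY                   # CIDR or "any"
    services: frozenset = frozenset()    # empty = any service
    identity: bool = False               # require a live, authenticated user at the source
    action: str = "allow"                # "allow" or "drop"
    custom: bool = False                 # custom rules are evaluated before defaults


def _src_matches(rule: Rule, req: Request) -> bool:
    if rule.src_net == ANY:
        return True
    return ip_address(req.src_ip) in ip_network(rule.src_net)


def rule_matches(rule: Rule, req: Request, live_users: dict) -> bool:
    """Zones, source address and service must all match; Identity rules also
    need the source IP present in the live user table (ip -> username)."""
    if rule.src_zone != req.src_zone or rule.dst_zone != req.dst_zone:
        return False
    if not _src_matches(rule, req):
        return False
    if rule.services and req.service not in rule.services:
        return False
    if rule.identity and req.src_ip not in live_users:
        return False
    return True


def evaluate(req: Request, rules: list, live_users: dict):
    """Return (action, rule name). Custom rules take precedence over defaults
    and the first matching rule decides. With no match, traffic is dropped,
    which models the guide's statement that traffic to the LAN is blocked by
    default."""
    ordered = [r for r in rules if r.custom] + [r for r in rules if not r.custom]
    for rule in ordered:
        if rule_matches(rule, req, live_users):
            return rule.action, rule.name
    return "drop", "implicit"


# Default rules modelled on the "Strict Internet policy" IAP from the guide:
# allow LAN to WAN for authenticated users, drop LAN to WAN for everyone else.
DEFAULT_RULES = [
    Rule("LAN-WAN authenticated users", "LAN", "WAN", identity=True, action="allow"),
    Rule("LAN-WAN all users", "LAN", "WAN", action="drop"),
]

# A custom rule of the kind the guide mentions: block FTP from LAN to WAN.
CUSTOM_FTP_BLOCK = Rule("Block LAN FTP", "LAN", "WAN", services=frozenset({"FTP"}),
                        action="drop", custom=True)

# Constructed Live User Connections table (source IP -> user).
LIVE_USERS = {"10.0.0.5": "alice"}

if __name__ == "__main__":
    web = Request("LAN", "10.0.0.5", "WAN", "203.0.113.10", "HTTP")
    print(evaluate(web, DEFAULT_RULES, LIVE_USERS))  # authenticated host: allowed
    unauth = Request("LAN", "10.0.0.9", "WAN", "203.0.113.10", "HTTP")
    print(evaluate(unauth, DEFAULT_RULES, LIVE_USERS))  # no live user: dropped by rule 6
    ftp = Request("LAN", "10.0.0.5", "WAN", "203.0.113.10", "FTP")
    print(evaluate(ftp, DEFAULT_RULES + [CUSTOM_FTP_BLOCK], LIVE_USERS))  # custom rule wins
```

The three sample requests illustrate the points the guide makes: a host whose user is present in the Live User Connections is allowed by the authenticated-users rule, an unauthenticated host from the same LAN falls through to the drop rule under the strict policy, and a custom FTP block is consulted before both defaults even though it was added last. Appending the custom rule to the end of the list, as the code does, shows that precedence comes from the rule being custom, not from its position.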
