Previous versions allowed creating firewall rules based only on source and destination IP addresses and services. Cyberoam's identity based firewall now allows you to create firewall rules that embed user identity into the rule matching criteria.
Firewall rule matching criteria now includes:
• Source and Destination Zone and Host
• User
• Service
Prior to this version, all the Unified Threat Control policies had to be enabled individually from their respective pages. Now you can attach the following policies to the firewall rule according to the defined matching criteria:
• Intrusion Detection and Prevention (IDP)
• Anti Virus
• Anti Spam
• Internet Access
• Bandwidth Management
• Routing policy i.e. define user and application based routing
To create a firewall rule, you should:
• Define matching criteria
• Associate action to the matching criteria
• Attach the threat management policies
For example, now you can:
• Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP 192.168.2.22
• Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP 192.168.2.22
Firewall rules are processed from the top down, and the first matching rule is applied.
Hence, when adding multiple rules, place specific rules before general rules. Otherwise, a general rule might allow a packet that a more specific rule later in the list was written to deny. When a packet matches a rule, the packet is immediately dropped or forwarded without being tested against the remaining rules in the list.
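The matching criteria and top-down, first-match processing described above, modelled in Python as an added example (this is not Cyberoam code; the rule names, the 09:00 to 18:00 working-hours schedule, the guest user and the sample packets are constructed for the illustration). It shows the bandwidth examples for John and Mac, and why a specific Drop rule placed after a general Accept rule never fires:

```python
"""Minimal model of identity-based firewall rule matching (added example).

A rule matches on source zone/host, destination zone/host, user, service and
schedule, carries an action (Accept/Drop/Reject) and may attach a bandwidth
policy. Rules are evaluated top-down; the first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "*"  # wildcard: criterion not checked


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str = ANY
    src_host: str = ANY                      # single IP or CIDR network
    dst_zone: str = ANY
    dst_host: str = ANY
    user: str = ANY                          # identity criterion (Check Identity)
    service: str = ANY                       # e.g. "HTTP", "SMTP"
    schedule: Optional[Tuple[int, int]] = None  # (start_hour, end_hour); None = always
    action: str = "Accept"                   # Accept | Drop | Reject
    bandwidth_kb: Optional[int] = None       # attached bandwidth policy


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str
    user: Optional[str] = None               # authenticated identity, if any
    hour: int = 12                           # hour of day, for schedule matching


def host_matches(pattern: str, ip: str) -> bool:
    """'*' matches anything; otherwise the IP must lie in the host/network."""
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every non-wildcard criterion of the rule must match the packet."""
    if rule.src_zone != ANY and rule.src_zone != pkt.src_zone:
        return False
    if rule.dst_zone != ANY and rule.dst_zone != pkt.dst_zone:
        return False
    if not host_matches(rule.src_host, pkt.src_ip):
        return False
    if not host_matches(rule.dst_host, pkt.dst_ip):
        return False
    if rule.service != ANY and rule.service != pkt.service:
        return False
    # Identity: a rule bound to a user only matches that authenticated user,
    # so unauthenticated traffic never matches a user-specific rule.
    if rule.user != ANY and pkt.user != rule.user:
        return False
    if rule.schedule is not None:
        start, end = rule.schedule
        if not (start <= pkt.hour < end):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down: the first suitable rule is applied, the rest are not tested."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def decide(rules: List[Rule], pkt: Packet):
    """Return (rule name, action, bandwidth policy) of the winning rule, or None."""
    rule = evaluate(rules, pkt)
    return (rule.name, rule.action, rule.bandwidth_kb) if rule else None


# Constructed rules (names and the 'guest' user are assumptions for the demo).
WORKING_HOURS = (9, 18)
JOHN_256 = Rule("john_256kb", src_zone="LAN", src_host="192.168.2.22",
                dst_zone="WAN", user="John", bandwidth_kb=256)
MAC_1024 = Rule("mac_1024kb_workhours", src_zone="LAN", src_host="192.168.2.22",
                dst_zone="WAN", user="Mac", schedule=WORKING_HOURS, bandwidth_kb=1024)
DENY_GUEST_SMTP = Rule("deny_guest_smtp", src_zone="LAN", dst_zone="WAN",
                       service="SMTP", user="guest", action="Drop")
GENERAL_ALLOW = Rule("allow_lan_to_wan", src_zone="LAN", dst_zone="WAN")

SPECIFIC_FIRST = [JOHN_256, MAC_1024, DENY_GUEST_SMTP, GENERAL_ALLOW]
GENERAL_FIRST = [GENERAL_ALLOW, JOHN_256, MAC_1024, DENY_GUEST_SMTP]  # mis-ordered

# Constructed sample traffic.
JOHN_HTTP = Packet("LAN", "192.168.2.22", "WAN", "203.0.113.10", "HTTP", user="John", hour=10)
MAC_DAY = Packet("LAN", "192.168.2.22", "WAN", "203.0.113.10", "HTTP", user="Mac", hour=10)
MAC_EVENING = Packet("LAN", "192.168.2.22", "WAN", "203.0.113.10", "HTTP", user="Mac", hour=20)
GUEST_SMTP = Packet("LAN", "192.168.2.40", "WAN", "203.0.113.25", "SMTP", user="guest")

if __name__ == "__main__":
    for pkt in (JOHN_HTTP, MAC_DAY, MAC_EVENING, GUEST_SMTP):
        print(pkt.user, pkt.service, "->", decide(SPECIFIC_FIRST, pkt))
    print("guest SMTP with general rule first ->", decide(GENERAL_FIRST, GUEST_SMTP))
```

With the specific rules first, guest SMTP traffic is dropped; with the general LAN to WAN Accept rule at the top, the same packet is accepted and the Drop rule is never reached, which is the shadowing the guide warns about. Mac's evening traffic falls outside the schedule, so it is handled by the general rule without the 1024 kb policy.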
Select Firewall → Create Rule
Screen - Create Firewall rule
Screen Elements and Description

Matching Criteria

Source
Specify the source zone and the host IP address/network address to which the rule applies.
The Host dropdown list also displays dynamic hosts and host groups, which are added automatically when VPN road warrior connections are created. It also displays the default hosts created for road warrior connections: ##ALL_RW, ##ALL_IPSEC_RW.
To configure a host group based firewall rule you need to define a host group. Under the Select Address dropdown, click Create Host Group to define a host group from the firewall rule itself, or define it from Firewall → Host Group → Create.
Under the Select Address dropdown, click Add Host to define a host from the firewall rule itself, or define it from Firewall → Host → Add Host.
Check Identity (only if the source zone is LAN/DMZ/VPN)
Check Identity lets you verify whether the specified user/user group from the selected zone is allowed access to the selected service or not.
Click Enable to check the user identity.
Enable Check Identity to apply the following policies per user:
• Internet Access policy for content filtering (the user's Internet access policy is applied automatically but is not effective until the Web and Application Filtering module is subscribed)
• Schedule Access
• IDP (the user's IDP policy is applied automatically but is not effective until the IDP module is subscribed)
• Anti Virus scanning (the user's anti virus scanning policy is applied automatically but is not effective until the Gateway Anti Virus module is subscribed)
• Anti Spam scanning (the user's anti spam scanning policy is applied automatically but is not effective until the Gateway Anti Spam module is subscribed)
• Bandwidth policy (the user's bandwidth policy is applied automatically)
• Routing policy: the policy selected in the 'Route Through Gateway' field is the static routing policy, which applies only if more than one gateway is defined and used for load balancing
• Limit access to available services
Destination
Specify the destination zone and the host IP address/network address to which the rule applies.
The Host dropdown list also displays dynamic hosts and host groups, which are added automatically when VPN road warrior connections are created. It also displays the default hosts created for road warrior connections: ##ALL_RW, ##ALL_IPSEC_RW.
Under the Select Address dropdown, click Create Host Group to define a host group from the firewall rule itself, or define it from Firewall → Host Group → Create.
Under the Select Address dropdown, click Add Host to define a host from the firewall rule itself, or define it from Firewall → Host → Add Host.
Service/Service Group
Services represent types of Internet data transmitted via particular protocols or applications.
Select the service/service group to which the rule applies.
If a virtual host is selected as the destination host, you can configure services only if the selected virtual host is not port forwarded.
Under Select Here, click Create Service Group to define a service group from the firewall rule itself, or define it from Firewall → Service → Create Service Group.
Cyberoam provides several standard services and also allows creating custom services. Under Select Here, click Create Service to define a service from the firewall rule itself, or define it from Firewall → Service → Create Service.
Protect by configuring rules to:
• block services at a specific zone
• limit some or all users from accessing certain services
• allow only specific users to communicate using a specific service

Apply Schedule
Select the schedule for the rule.
Firewall Action When Criteria Match

Action
Select the rule action:
Accept – Allows access
Drop – Silently discards the packet
Reject – Denies access and sends an 'ICMP port unreachable' message to the source
When sending the response, the response may be sent using a different interface than the one on which the request was received. This can happen depending on the routing configuration on Cyberoam.
For example, if the request is received on the LAN port using a spoofed IP address (a public IP address or an IP address not in the LAN zone network) and no specific route is defined, Cyberoam sends the response to such hosts using the default route.
Hence, the response is sent through the WAN port.
Apply NAT (only if Action is 'ACCEPT')
Select the NAT policy to be applied.
It allows access but changes the source IP address, i.e. the source IP address is substituted by the IP address specified in the NAT policy.
You can create a NAT policy from the firewall rule itself or from Firewall → NAT Policy → Create.
This option is not available if Cyberoam is deployed as a Bridge.

Advanced Settings
Click to apply different protection settings to the traffic controlled by the firewall. You can:
• Enable load balancing and failover when multiple links are configured. Applicable only if the destination zone is WAN.
• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3 and HTTP policies. To apply antivirus protection and spam filtering, you need to subscribe to the Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to the Licensing section for details.
• Implement intrusion detection and prevention. To apply an IDP policy you need to subscribe to the Intrusion Detection and Prevention module. Refer to the Licensing section for details.
• Configure content filtering policies. To apply content filtering you need to subscribe to the Web and Application Filter module. Refer to the Licensing section for details.
• Apply a bandwidth policy.

Policy Settings
IDP Policy
Select the IDP policy for the rule.
To use IDP, you have to subscribe to the module. Refer to Licensing for more details.
Refer to IDP, Policy for details on creating an IDP policy.

Internet Access Policy
Select the Internet access policy for the rule. An Internet Access Policy (IAP) can be applied to LAN to WAN rules only.
The Internet Access policy controls web access.
Refer to Policies, Internet Access Policy for details on creating an Internet Access policy.

Bandwidth Policy
Select the bandwidth policy for the rule. Only a Firewall Rule based bandwidth policy can be applied.
The bandwidth policy allocates and limits the maximum bandwidth usage of the user.
Refer to Policies, Bandwidth Policy for details on creating a bandwidth policy.

Route Through Gateway
Select the routing policy.
Can be applied only if more than one gateway is defined.
This option is not available if Cyberoam is deployed as a Bridge. Refer to the Multiple Gateway Implementation Guide for more details.
Virus & Spam Settings

Scan Protocol(s)
Click the protocol(s) for which virus and spam scanning is to be enabled. By default, HTTP scanning is enabled.
To implement Anti Virus and Anti Spam scanning, you have to subscribe to the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details.
Refer to the Anti Virus Implementation Guide and the Anti Spam Implementation Guide for details.
Log Traffic

Log Traffic
Click to enable traffic logging for the rule, i.e. logging of the traffic permitted and denied by the firewall rule.
Make sure firewall rule logging is ON/enabled in Logging Management.
Refer to the Cyberoam Console Guide, Cyberoam Management for more details.
To log the traffic permitted and denied by the firewall rule, you need to turn ON/enable firewall rule logging from the Web Admin Console → Firewall rule and from the Telnet Console → Cyberoam Management. Refer to the Cyberoam Console Guide for more details.
Refer to Appendix B - Network Traffic Logging Entry for more details.
Description

Description
Specify a full description of the rule.

Save button
Saves the rule.
Table - Create Firewall rule screen elements