
User Guide Version 9 Document version /03/2007


User Guide

Version 9


IMPORTANT NOTICE

Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY

Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the customer as the original licensee. Customer’s exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to the party supplying the Software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the Software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and the performance thereof is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY

Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.

In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.

In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS

Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640

Contents

Guide Sets
Technical Support
Typographic Conventions
Preface
  Guide Organization
Cyberoam Basics
  Benefits of Cyberoam
  Accessing Cyberoam
  Accessing the Web Admin Console
Getting Started
  Dashboard
Management
  Setting up Zones
    Create Zone
  Setting up Users
    Define Authentication
    Define User
  Setting up Groups
  Firewall
    Create Firewall rule
    Manage Firewall
    Host Management
  Setting up Logon Pools
  Traffic Discovery
    Live Connections report
    Today’s Connection History
  Policy Management
    Surfing Quota policy
    Access Time policy
    Internet Access policy
    Bandwidth policy
    Data Transfer policy
    SNAT Policy
    DNAT Policy
  Zone Management
    Manage Zone
    Delete Zone
  Group Management
    Manage Group
    Delete Group
  User Management
    Search User
    Live User
    Manage User
  Logon Pool Management
    Delete Logon Pool
  System Management
    Configure Network
    Configure DNS
    Configure DHCP
    View Interface details
    Configuring Dynamic DNS service
    PPPoE
    Manage Gateway
    DoS Settings
    Bypass DoS Settings
    Reset Console Password
    System Module Configuration
  SNMP
    Cyberoam SNMP Implementation
    Cyberoam MIB
    Cyberoam Traps
    Manage SNMP
    Configure SNMP Agent
    Create SNMP Community
    Manage SNMP Community
    Delete SNMP Community
    Create SNMP V3 User
    Manage SNMP V3 User
    Delete SNMP V3 User
  Manage Data
    Client Services
    Customize Access Deny messages
    Upload Corporate logo
    Customize Login message
  HTTP Proxy Management
    Manage HTTP Proxy
    Configure HTTP Proxy
    Set Default Internet Access Policy
  Manage Servers
  Monitoring Bandwidth Usage
  Migrate Users
    Migration from PDC server
    Migration from External file
Customization
  Schedule
    Define Schedule
    Manage Schedule
    Delete Schedule
  Services
    Define Custom Service
    Manage Custom Service
    Delete Custom Service
    Create Service Group
    Update Service Group
    Delete Service Group
  Categories
    Application Protocol Category
  Access Control
  Syslog Configuration
  Product Licensing & Updates
    Product Version information
    Upgrade Cyberoam
    Licensing
  Download
    Clients
    Documentation


Guide Sets

Guide | Describes
--- | ---
User Guide |
Console Guide | Console Management
Windows Client Guide | Installation & configuration of Cyberoam Windows Client
Linux Client Guide | Installation & configuration of Cyberoam Linux Client
HTTP Client Guide | Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide | Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide | Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide | Configuration for integrating ADS with Cyberoam for external authentication
PDC Integration Guide | Configuration for integrating PDC with Cyberoam for authentication
RADIUS Integration Guide | Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide | Configuration of High Availability (HA)
Data transfer Management Guide | Configuration and Management of user based data transfer policy
Multi Link Manager User Guide | Configuration of Multiple Gateways, load balancing and failover
Cyberoam Anti Virus Implementation Guide | Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide |

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-26400707 Email: [email protected]

Web site: www.cyberoam.com


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
--- | --- | ---
Server | Machine where Cyberoam Software - Server component is installed |
Client | Machine where Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management → Groups → Create (it means, to open the required page click on Group management, then on Groups and finally click the Create tab)
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes command button text which is to be clicked
Cross references | Hyperlink in different color | refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders |

Preface

Welcome to Cyberoam’s User Guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.

Cyberoam’s perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers, such as a Web server, Mail server or FTP server, hosted in the DMZ. These servers are visible to the external world and still have firewall protection.

This Guide helps you manage and customize Cyberoam to meet your organization’s various requirements including creating groups and users and assigning policies to control internet access.

The default Web Admin Console username is ‘cyberoam’ and the password is ‘cyber’.

Guide Organization

This Guide provides information regarding the administration, maintenance, and customization of Cyberoam.

How do I search for relevant content?

For help on how to perform a certain task, use Contents.

For help on a specific menu or screen function, use Menu wise – Screen and Table Index.

This Guide is organized into three parts:

Part I – Getting started

It describes how to start using Cyberoam after successful installation.

Part II – Management

It describes how to define groups and users to meet the specific requirements of your Organization. It also describes how to manage and customize Cyberoam.

1. Define Authentication process and firewall rule.
2. Manage Groups and Users. Describes how to add, edit and delete Users and User Groups
3. Manage & Customize Policies. Describes how to define and manage Surfing Quota policy, Access Time policy, Internet Access policy, Bandwidth policy and Data transfer policy
4. Manage Logon Pools. Describes how to add, edit and delete Logon Pools
5. Manage Cyberoam server

Part III – Customization

Cyberoam Basics

Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.

Cyberoam’s perfect blend of best-of-breed solutions includes Identity based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers, such as a Web server, Mail server or FTP server, hosted in the DMZ. These servers are visible to the external world and still have firewall protection.

It also provides assistance in improving Bandwidth management, increasing Employee productivity and reducing legal liability associated with undesirable Internet content access.

Benefits of Cyberoam

1. Boost Employee productivity by
   a. Blocking access to sites like Gaming, Shopping, News, Pornography
2. Conserve bandwidth by
   a. Controlling access to non-productive sites during working hours
   b. Controlling rate of uploading & downloading of data
3. Load balancing over multiple links
   a. Improved User response time
   b. Failover solution
   c. Continuous availability of Internet
   d. Reduced bandwidth bottlenecks
5. Enforce acceptable Internet usage policies
6. Comprehensive, easy-to-use reporting tool enabling the IT managers to compile reports on Internet and other resources usage and consumption patterns

Accessing Cyberoam

Two ways to access Cyberoam:

1. Web Admin Console
• Managing Firewall rules
• Used for policy configuration
• Managing users, groups and policies
• Managing Bandwidth
• Viewing bandwidth graphs as well as reports

2. Telnet Console
• Used for Network and System configuration (setting up IP Addresses, setting up gateway)
• Managing Cyberoam application

a) Using Console Interface via remote login utility – TELNET
b) Direct Console connection - attaching a keyboard and monitor directly to Cyberoam server

Accessing Console via remote login utility - TELNET

Access the Cyberoam Console with the help of the TELNET utility. To use TELNET, the IP Address of the Cyberoam server is required.

In Open, type TELNET xxx.xxx.x.xxx

Click OK. A console login window opens and prompts you to enter the password. The default password for the Cyberoam TELNET console is “admin”.

Screen - Console access

Screen - Console login screen

Accessing Console using SSH client

Access the Cyberoam Console using any SSH client. The Cyberoam server IP Address is required.

Start the SSH client and create a new connection with the following parameters:
Hostname - <Cyberoam server IP Address>

Accessing the Web Admin Console

Cyberoam Web Admin Console (GUI) access requires Microsoft Internet Explorer 5.5+ or Mozilla Firefox 1.5+ and display settings of True color (32 bits).

Log on & log off from the Cyberoam Web Admin Console

The Log on procedure verifies validity of user and creates a session until the user logs off.

Log on procedure

To get the log in window, open the browser and type IP Address in browser’s URL box. A dialog box appears prompting you to enter username and password to log on. Use the default user name ‘cyberoam’ and password ‘cyber’ if you are logging in for the first time after installation.

Asterisks are the placeholders in the password field.

Log on Methods

HTTP log in

To open the unencrypted login page, in the browser’s Address box, type http://<IP address of Cyberoam>

Screen - HTTP login screen

HTTPS log in

Cyberoam provides a secured communication method that encrypts the user log on information and prevents unauthorized users from viewing it. For this, Cyberoam uses the HTTPS protocol.

HTTPS protocol opens a secure hypertext transfer session with the specified site address.

To open login over secure HTTP, type https://<IP address of Cyberoam>

Screen - HTTPS login

Screen Elements | Description
--- | ---
Login |
User name | Specify user login name. If you are logging on for the first time after installation, please use default username ‘cyberoam’
Password | If you are logging on for the first time after installation, please use default password ‘cyber’
Log on to | To administer Cyberoam, select ‘Web Admin Console’
Login button | Logs on to Web Admin Console. Click Login

Table - Login screen elements

Web console Authorization and Access control

By default, Cyberoam has four types of user groups:

Administrator group

Log in as an Administrator group user to maintain, control and administer Cyberoam.

An Administrator group user can create, update and delete system configuration and user information. An Administrator can create multiple administrator-level users.

Manager group

A Manager group user can only view the reports.

User group

A User group user is a user who accesses resources through Cyberoam.

Clientless group

A Clientless group user can bypass Cyberoam Client login to access resources. Cyberoam itself takes care of the login for users at this level.

For Administrators and Managers, IP address based access restriction/control can be implemented. Refer to Access Configuration to implement it.

Log out procedure


Getting Started

Once you have configured the network, you can start using Cyberoam.

1. Start monitoring

Once you have installed Cyberoam successfully, you can monitor user activity in your Network. Depending on the Internet Access policy configured at the time of installation, certain categories will be blocked/allowed for LAN to WAN traffic with or without authentication.

2. View Cyberoam Reports

Monitor your Network activities using Cyberoam Reports.

To view Reports, log on to Reports from Web Admin Console using following URL: http://<Internal IP Address>

To log on, use default username ‘cyberoam’ and password ‘cyber’.

View your organization’s surfing pattern from Web Surfing → Organization wise report

View your organization’s general surfing trends from Trends → Web Trends report

View your organization’s Category wise surfing trends from Trends → Category Trends report

3. Discover Network Application Traffic

Detect your network traffic i.e. applications and protocols accessed by your users.

To view traffic pattern of your network, log on to Cyberoam Web Management Console using following URL: http://<Internal IP Address>

To log on, use default username ‘cyberoam’ and password ‘cyber’.

View amount of network traffic generated by various applications from Traffic Discovery → Live Connections → Application wise

4. Configure for User name based monitoring

As Cyberoam monitors and logs user activity based on IP address, all the reports generated are also IP address based. To monitor and log user activities based on User names, you have to configure Cyberoam for integrating user information and authentication process.

Integration will identify access request based on User names and generate reports based on Usernames.

If your Network uses Active Directory Services and users are already created in ADS, configure Cyberoam to communicate with your ADS. Refer to Cyberoam – ADS Integration guide for more details.

If your Network uses Windows Domain Controller, configure Cyberoam to communicate with Windows Domain Controller. Refer to Cyberoam – PDC Integration guide for more details.

5. Customize

Depending on the Internet Access configuration done at the time of installation, default firewall rules will be created.

You can create additional firewall rules and other policies to meet your organization’s requirement.

Cyberoam allows you to:

1. Control user based per zone traffic by creating firewall rule. Refer to Firewall for more details.
2. Control individual user surfing time by defining Surfing quota policy. Refer to Policy Management-Surfing Quota policy for more details.
3. Schedule Internet access for individual users by defining Access time policy. Refer to Policy Management-Access time policy for more details.
4. Control web access by defining Internet Access policy. Refer to Policy Management-Internet Access policy for more details.
5. Allocate and restrict the bandwidth usage by defining Bandwidth policy. Refer to Policy Management-Bandwidth policy for more details.

Dashboard

As soon as you log on to the Web Admin Console, the Dashboard is displayed.

Dashboard provides one solution to many analytical needs. Using the "dashboard" concept of information presentation, Cyberoam makes it easy to view access data from multiple perspectives, allowing management to identify patterns and potential areas of risk and productivity loss. It will empower organizations to plan, understand, integrate and leverage strategy all from a single page report.

The goal of dashboard is to provide fast access to monitor and analyze employee Internet usage. As a result, managers gain an unprecedented ability to report on and manage a wide spectrum of the data and applications that employees use during their working hours.

Dashboard is the answer to – ‘Why can't Cyberoam automatically show me things that will help me with what I'm doing, instead of making me search around for them?’

Dashboard is divided into the following sections:
1. HTTP Traffic Analysis
2. User Surfing pattern
3. Usage Summary
4. Recent Mail Viruses detected
5. Recent HTTP Viruses detected
6. Installation Information
7. System Resources
8. System Status

Management

Setting up Zones

A Zone is a logical grouping of ports.

Zones provide a flexible layer of security for the firewall. With zone-based security, the administrator can group similar ports and apply the same policies to them, instead of having to write the same policy for each interface.

Default Zone Types

LAN – Depending on the appliance in use and on your network design, you can group one to six ports in this zone. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity. Group all the LAN networks under this zone.

By default, traffic to and from this zone is blocked, which makes it the most secured zone. However, traffic between ports belonging to the same zone will be allowed.

DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and on your network design, you can group one to five ports in this zone.

WAN – This zone is used for Internet services. It can also be referred as Internet zone. Depending on the appliance in use and on your network design, you can group one to six ports in this zone.

Local - This zone is the grouping of all the available ports of Cyberoam.

Cyberoam provides a single zone of each type. These are called System Zones. The Administrator can add zones of the LAN and DMZ types.

By default, all traffic is blocked except LAN to Local zone services like Administration, Authentication and Network.


Create Zone

Select System → Zone → Create to open the create page

Screen - Create Zone

Screen Elements | Description
--- | ---
Create Zone |
Zone Name | Specify name of the Zone
Zone Type | Select zone type. LAN – Depending on the appliance in use and on your network design, you can group one to six ports in this zone. By default, traffic to and from this zone is blocked, which makes it the most secured zone. DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the appliance in use and on your network design, you can group one to five ports in this zone. WAN – This zone type is used for the Internet services. Only one WAN zone is allowed, hence you will not be able to create additional WAN zones. Multiple LAN is not possible if Cyberoam is deployed as Bridge. It is not possible to add Zone if Cyberoam is deployed as Bridge.
Select Port | Allows to bind port to the zone. ‘Available Ports’ list displays the list of ports that can be bound to the selected zone. Use Right arrow button to move the selected ports to ‘Member Port’ list.
Description | Specify zone description
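
The zone rules described in Setting up Zones and Create Zone (port limits per zone type, a single WAN zone, no zone creation in bridge deployment, and the default block with its LAN-to-Local exception), modelled as an added Python example. This is not Cyberoam code: the `Appliance` class, its method names, the port names and the one-zone-per-port rule are assumptions made for illustration.

```python
"""Toy model of the zone rules in this guide (illustrative, not Cyberoam code)."""
from dataclasses import dataclass, field

# Limits and defaults quoted from the guide text.
MAX_PORTS = {"LAN": 6, "DMZ": 5, "WAN": 6}
ADDABLE_TYPES = {"LAN", "DMZ"}      # only these zone types can be added
LOCAL_SERVICES = {"Administration", "Authentication", "Network"}


class ZoneError(ValueError):
    """Raised when a zone change breaks one of the documented constraints."""


@dataclass
class Appliance:
    ports: tuple                    # hypothetical port names, e.g. ("A", "B")
    bridge_mode: bool = False
    zones: dict = field(default_factory=dict)   # name -> {"type", "ports"}

    def __post_init__(self):
        # One system zone per type; Local groups every port of the appliance.
        for ztype in ("LAN", "DMZ", "WAN"):
            self.zones[ztype] = {"type": ztype, "ports": set()}
        self.zones["LOCAL"] = {"type": "LOCAL", "ports": set(self.ports)}

    def zone_of(self, port):
        """Name of the LAN/DMZ/WAN zone the port is bound to, or None."""
        for name, zone in self.zones.items():
            if zone["type"] != "LOCAL" and port in zone["ports"]:
                return name
        return None

    def bind_port(self, zone_name, port):
        zone = self.zones[zone_name]
        if zone["type"] == "LOCAL":
            raise ZoneError("Local already groups every port")
        if port not in self.ports:
            raise ZoneError(f"unknown port {port}")
        # Assumption: a port is a member of at most one LAN/DMZ/WAN zone.
        if self.zone_of(port) is not None:
            raise ZoneError(f"port {port} is already bound")
        if len(zone["ports"]) >= MAX_PORTS[zone["type"]]:
            raise ZoneError(f"{zone_name} has reached its port limit")
        zone["ports"].add(port)

    def create_zone(self, name, ztype, member_ports=()):
        if self.bridge_mode:
            raise ZoneError("zones cannot be added in bridge deployment")
        if ztype not in ADDABLE_TYPES:
            raise ZoneError("only LAN and DMZ zones can be added")
        if name in self.zones:
            raise ZoneError(f"zone {name} already exists")
        self.zones[name] = {"type": ztype, "ports": set()}
        try:
            for port in member_ports:
                self.bind_port(name, port)
        except ZoneError:
            del self.zones[name]    # do not leave a half-created zone behind
            raise

    def default_verdict(self, src_port, dst_port=None, service=None):
        """Decision before any administrator-defined firewall rule applies.

        dst_port=None means the traffic is addressed to the appliance
        itself (the Local zone).
        """
        src = self.zone_of(src_port)
        if src is None:
            return "block"
        if dst_port is None:
            from_lan = self.zones[src]["type"] == "LAN"
            return "allow" if from_lan and service in LOCAL_SERVICES else "block"
        # Same zone is allowed; everything between zones is blocked.
        return "allow" if src == self.zone_of(dst_port) else "block"


if __name__ == "__main__":
    fw = Appliance(ports=("A", "B", "C", "D"))      # constructed sample
    for zone, port in (("LAN", "A"), ("LAN", "B"), ("DMZ", "C"), ("WAN", "D")):
        fw.bind_port(zone, port)
    print("LAN -> LAN:", fw.default_verdict("A", "B"))
    print("LAN -> WAN:", fw.default_verdict("A", "D"))
    print("WAN -> Local admin:", fw.default_verdict("D", service="Administration"))
```

Two ports in separate zones of the same type (a second LAN zone, for instance) are still in different zones, so the model blocks traffic between them until a firewall rule allows it.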


Setting up Users

Define Authentication

Cyberoam provides policy-based filtering that allows defining individual filtering plans for various users of your organization. You can assign individual policies to users (identified by IP address), or a single policy to a number of users (Group).

Cyberoam detects users as they log on to Windows domains in your network via client machines.

Cyberoam can be configured to allow or disallow users based on username and password. In order to use User Authentication, you must select at least one database against which Cyberoam should authenticate users.

Cyberoam supports user authentication against:

• an Active Directory

• a Windows Domain controller

• an LDAP server

• a RADIUS server

• an internal database defined in Cyberoam

To filter Internet requests based on policies assigned, Cyberoam must be able to identify a user making a request.

When the user attempts to access, Cyberoam requests a user name and password and authenticates the user's credentials before giving access. User level authentication can be performed using the local user database on the Cyberoam, an External ADS server, RADIUS server, LDAP or Windows Domain Controller.

Integrate with ADS, LDAP or Domain Controller if external authentication is required.

If your network uses an Active Directory service, configure Cyberoam to communicate with ADS. Refer to Cyberoam - ADS Integration Guide for details.

If your network uses a Windows Domain controller, configure Cyberoam to communicate with Domain controller. Refer to Cyberoam - PDC Integration for details.

If your Network uses LDAP, configure Cyberoam to communicate with LDAP server. Refer to Cyberoam – LDAP Integration for details.

If your Network uses RADIUS server, configure Cyberoam to communicate with RADIUS server. Refer to RADIUS Integration Guide for details.

Cyberoam can prompt for user identification if your network does not use Windows environment. Refer to Cyberoam Authentication for details.

Cyberoam Authentication

When Cyberoam is installed in Non PDC environment, it is necessary to create users and groups in Cyberoam.

When a user attempts to log on, the Cyberoam server performs authentication, i.e. the user is authenticated directly by the Cyberoam server.

Select User → Authentication Settings to open the configuration page

Screen – Cyberoam Authentication

Screen Elements Description

Configure Authentication & Integration parameters

Integrate with Select Cyberoam as the authentication server

Default Group Allows to select default group for users

Click Default Group list to select

Update button Updates and saves the configuration

Define User

User

Users are identified by an IP address or a user name and assigned to a group. All the users in a group inherit all the group policies. Refer to Policy Management to define new policies.

User types

Cyberoam supports three types of Users:

1. Normal

2. Clientless

3. Single Sign on

Normal – User has to log on to Cyberoam. Requires Cyberoam client (client.exe) on the User machine or user can use HTTP Client component and all the policy-based restriction can be applied.

Clientless – Does not require Cyberoam client component (client.exe) on the User machines. Symbolically represented as User name (C)

Single Sign On – If User is configured for Single Sign On, whenever User logs on to Windows, he/she is automatically logged on to the Cyberoam. Symbolically represented as User name (S)

Use the given decision matrix below to decide which type of the user should be created.

Decision matrix for creation of User

| Feature | Normal User | Clientless User | Single Sign on User |
|---|---|---|---|
| User Login required | Yes | No | No |
| Type of Group: Normal | Yes | No | Yes |
| Type of Group: Clientless | No | Yes | No |
| Apply Login restriction | Yes | Yes | Yes |
| Apply Surfing Quota policy | Yes | No | No |
| Apply Access Time policy | Yes | No | No |
| Apply Bandwidth policy | Yes | Yes | Yes |
| Apply Internet Access policy | Yes | Yes | Yes |
| Apply Data Transfer policy | Yes | No | Yes |

Add a User

Prerequisite

• Group created – for Normal Users only

Select User → User → Add User to open add user page

Screen - Add User

Screen Elements Description

User Information

Name Specify name of the User

Username Specify a name that uniquely identifies user & used for logging

Password Specify Password

Confirm Password Specify password again for confirmation. Should be same as typed in the Password field

Windows Domain Controller

Only if Authentication is done by Windows

User Type Specify the user group type. Depending on user group type default web console access control will be applied. Refer to Web console Authorization and Access control for more details.

Available options: Administrator, Manager, User

Click User type list to select

Refer to Add Clientless User on how to create clientless user

Number of simultaneous login(s) allowed OR Unlimited

Customize the maximum number of concurrent logins allowed to the user

Specify number of concurrent logins allowed to the user

OR

Allows unlimited concurrent logins to the user

The setting specified will override the setting specified in client preference.

For example,

If in Client preferences, the number of concurrent logins allowed is 5 and here you have specified 3, then this particular user will be allowed to login from 3 machines concurrently and not from 5 machines.

Group Information

Group Specify the Group in which the user is to be added. User will inherit all the group policies.

Click Group list to select

View details link Opens a new window and displays details of the selected Group. Refer to View Group details table for more details

Login Restriction

Select any one option Allows to apply login restriction

Available options

1) All Nodes

Allows Users to login from all the nodes in the network

2) Group Nodes only

Allows Users to login only from the nodes assigned to the group

3) Selected Nodes only

Allows Users to login from the selected nodes only. Refer to Apply Login Node Restriction for details. Nodes from which the User is allowed login can be specified after creating the user also.

Click to select

Personal details link Allows to enter personal details of the user

Personal information

Only if Personal details link is clicked

Add button Adds user. Click to add

Review button Opens a new page and displays the user details for reviewing.

Review details before adding to make sure details entered are correct.

Click to review

Click Submit to add user

Table - Add User screen elements

View Group details table

Screen Elements Description

Group name Displays name of the Group

Surfing Quota policy Displays name of the Surfing Quota policy assigned to the group

Access Time policy Displays name of the Access Time policy assigned to the group

Internet Access policy Displays name of the Internet Access policy assigned to the group

Bandwidth policy Displays name of the Bandwidth policy assigned to the group

Data transfer policy Displays name of the Data Transfer policy assigned to the group

Allotted time (HH:mm) Displays total allotted surfing time to User

Expiry date Displays User policy Expiry date

Used minutes Displays total time used by the user in minutes

At the time of creation of user, it will be displayed as 0:0

Close button Closes window

Table - View Group details screen elements

Screen Elements Description

Select Node(s) button

Only if the option ‘Selected Node(s) Only’ is selected

Opens a new page and allows to select the node

Click to select the Node for restriction

Logon Pool name Logon Pool from which the Node/IP address is to be added

Click Logon Pool name list to select

Select Selects the Node

Multiple nodes can also be selected

OK button Click to apply restriction

Add Clientless users

Clientless Users are the Users who can bypass Cyberoam Client login to access resources. It is possible to add a single clientless user as well as more than one clientless user at a time.

When you add multiple clientless users, users are represented by IP addresses and not by the User name.

Add multiple clientless users

Creates Clientless users with given IP addresses as their username. Change the Username of the clientless users if required.

Prerequisite

• Clientless Group created

Select User → Clientless Users → Add Multiple Clientless Users to open create user page

Screen - Add multiple Clientless users

Screen Elements Description

Host Group Details

Host Group name Specify name of Logon Pool

Click to Select, if IP Addresses assigned to the Users are public IP Addresses

Bandwidth policy By default, group bandwidth policy is applied to the user but you can override this policy.

Specify Bandwidth Policy to be applied. Click Bandwidth Policy list to select

Click View details link to view details of the policy

Description Specify full description

Machine details

From – To Specify range of IP Address that will be used by Users to login

Machine name Specify Machine name

Select Group

Group Specify Group in which User is to be added

Click Group list to select

Create button Adds multiple Clientless Users

Add single Clientless user

Prerequisite

• Group created

• Logon Pool created

Select User → Clientless Users → Add Single Clientless User to open create user page

Screen - Add single Clientless user

Screen Elements Description

User Information

Name Specify name of the User

Username Specify a unique name used for logging

Activate on Creation Specifies whether user should be logged in automatically after registration

Options:

Yes – Automatically logs in as soon as registered successfully i.e. becomes a live user

No – User is registered but is in De-active mode. Activate user before first log in. Refer to Activate Clientless User for more details


Click Group list to select

View details link Opens a new window and displays details of the selected group

Click to view details

Login Restriction

Allowed Login from IP Address

Specifies IP address from where User can login

Click Select Node, opens a new window and allows to select IP Address

Refer to Select Node table for more details

Personal details link Allows to enter the personal details of the user

Personal information

Only if Personal details link is clicked

Birth date Specify date of birth of User

Use Popup Calendar to enter date

Email Specify Email Id of User

Register Registers a clientless user

Cancel button Cancels current operation

Table - Create single Clientless user screen elements

Select Node table

Screen Elements Description

Logon Pool name Allows to select the Logon Pool

Click Logon Pool name list to select

Select Selects the Node

Apply Restriction button User will be allowed to login from the selected node only.

Click to apply login restriction

Close button Closes window

Table - Select Node screen elements

NOTE

Duplicate Usernames cannot be created

Make sure that subnets or individually defined IP addresses do not overlap
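One way to check the overlap condition in the note above before adding clientless users, as an added example (not part of the guide or the appliance). It accepts a From-To range, a subnet or a single address; the pool names and addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations


def to_span(spec):
    """Turn 'From-To', a CIDR subnet or a single IP into (first, last)."""
    if "-" in spec:
        first, last = (ip_address(part.strip()) for part in spec.split("-", 1))
    else:
        # strict=False tolerates a host address written with a prefix length
        net = ip_network(spec.strip(), strict=False)
        first, last = net[0], net[-1]
    if first > last:
        raise ValueError(f"range runs backwards: {spec}")
    return first, last


def find_overlaps(pools):
    """Return (name_a, name_b, first_shared, last_shared) for each clashing pair.

    Clientless users are identified only by IP address, so an address that
    belongs to two definitions makes the user-to-address mapping ambiguous.
    """
    spans = {name: to_span(spec) for name, spec in pools.items()}
    clashes = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(spans.items(), 2):
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo <= hi:  # the two spans share at least one address
            clashes.append((a, b, str(lo), str(hi)))
    return clashes


# Constructed sample definitions (hypothetical names and ranges).
SAMPLE_POOLS = {
    "accounts": "192.168.2.10-192.168.2.50",
    "printers": "192.168.2.40 - 192.168.2.60",
    "lab": "192.168.3.0/24",
    "kiosk": "192.168.2.22",
}

if __name__ == "__main__":
    for a, b, lo, hi in find_overlaps(SAMPLE_POOLS):
        print(f"{a} overlaps {b}: {lo} to {hi}")
```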


Setting up Groups

Group

Group is a collection of users having common policies and a mechanism of assigning access of resources to a number of users in one operation/step.

Instead of attaching individual policies to the user, create group of policies and simply assign the appropriate Group to the user and user will automatically inherit all the policies added to the group. This simplifies user configuration.

A group can contain default as well as custom policies.

Various policies that can be grouped are:

1. Surfing Quota policy which specifies the duration of surfing time and the period of subscription

2. Access Time policy which specifies the time period during which the user will be allowed access

3. Internet Access policy which specifies the access strategy for the user and sites

4. Bandwidth policy which specifies the bandwidth usage limit of the user

5. Data Transfer policy which specifies the data transfer quota of the user

Refer to Policy Management for more details on various policies.

Group types

Two types of groups:

1. Normal

2. Clientless

Normal – A user of this group needs to log on to Cyberoam using the Cyberoam Client to access the Internet

Clientless – A user of this group need not log on to Cyberoam using the Cyberoam Client to access the Internet. Access control is placed on the IP Address. Symbolically represented as Group name (C)

Use the decision matrix given below to decide which type of group is best suited for your network configuration.

Decision matrix for creation of Group

| Feature | Normal Group | Clientless Group |
|---|---|---|
| Logon into Cyberoam required | Yes | No |
| Type of User: Normal | Yes | No |
| Type of User: Clientless | No | Yes |
| Apply Login restriction | Yes | No |
| Apply Surfing Quota policy | Yes | No |
| Apply Access Time policy | Yes | No |
| Apply Bandwidth policy | Yes | Yes |
| Apply Internet Access policy | Yes | Yes |
| Apply Data transfer policy | Yes | No |

Add a New Group

Prerequisite

• All the policies which are to be added to the Group are created

• Logon Pool created if login is to be restricted from a particular Node/IP Address

Select Group → Add Group to open add group page

Screen - Create Group

Screen Elements Description

Create Group

Group name Specify Group name. Choose a name that best describes the Group.

Group type Specify type of Group

Click Group type to select

Select Normal if Group members are required to log on using Cyberoam Client

Select Clientless if Group members are not required to log on using Cyberoam Client


Only if Group type is ‘Normal’

Click Surfing Quota Policy list to select

By default, ‘Unlimited policy’ is assigned to the ‘Clientless’ Group type

Refer to Surfing Quota Policy for more details

Access Time Policy

Only if Group type is ‘Normal’

Specify Access Time policy for Group

Click Access Time Policy list to select

By default, ‘Unlimited policy’ is assigned to ‘Clientless’ Group type

Refer to Access Time Policy for more details

Internet Access policy

Specify Internet Access policy for Group

Click Internet Access policy list to select

Refer Internet Access policy for details

Bandwidth Policy Specify Bandwidth Policy for Group

Click Bandwidth Policy list to select

Refer Bandwidth Policy for details

Data Transfer policy

Only if Group type is ‘Normal’

Specify data transfer policy for Group

Click Data Transfer policy list to select

Refer Data Transfer Policy for details

Login Restriction

Select any one option

Apply login restriction if required for the users defined under the Group

Available options

1) Allowed login from all nodes

Allows Users defined under the Group to login from all the nodes

2) Allowed login from the selected nodes

Allow Users defined under the Group to login from the selected nodes only.

Specifies IP address from where User can login

Click Select Node, opens a new window and allows to select IP Address

Refer to Select Node table for more details

Refer to Apply Login Node restriction for more details

Click to select

Select Node button

Only if ‘Allowed Login from selected node’ option is selected for Login restriction

Cancel button Cancels the current operation and returns to the Manage Group page

Table - Create Group screen elements

Note

It is not necessary to add users at the time of the creation of the Group. Users can be added even after the creation of the group.

Apply Login Node Restriction

Screen – Apply Login Node Restriction

Screen Elements Description

Logon Pool name Logon Pool from which the Node/IP address is to be added

Click Logon Pool name list to select

Select User will be allowed to login from the selected nodes only.

Click to select Node

Multiple nodes can also be selected

Cancel button Cancels the current operation

Firewall

A firewall protects the network from unauthorized access and typically guards the LAN and DMZ networks against malicious access; however, firewalls may also be configured to limit the access to harmful sites for LAN users.

The responsibility of firewall is to grant access from Internet to DMZ or Service Network according to the Rules and Policies configured. It also keeps watch on state of connection and denies any traffic that is out of connection state.

Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule, Cyberoam decides how to process the access request. When Cyberoam receives the request, it checks the source address, destination address and the services and tries to match them with the firewall rule. If an Identity match is also specified, the firewall searches the Live Users Connections for the Identity check. If the Identity (User) is found in the Live User Connections and all other matching criteria are fulfilled, the action specified in the rule is applied. The action can be allow or deny.

If Action is ‘Allow’ then each rule can be further configured to apply source or destination NATting (Network Address Translation). You can also apply different protection settings to the traffic controlled by firewall:

• Enable load balancing between multiple links

• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP traffic. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details.

• Implement Intrusion detection and prevention. To apply IDP policy you need to subscribe for Intrusion Detection and Prevention module. Refer to Licensing section for details.

• Configure content filtering policies. To apply content filtering you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.

• Apply bandwidth policy restriction

By default, Cyberoam blocks any traffic to LAN.

Default Firewall rules

At the time of deployment, Cyberoam allows to define one of the following Internet Access policies using Network Configuration Wizard:

• Monitor only

• General Internet policy

• Strict Internet policy

Depending on the Internet Access policy set through Network Configuration Wizard, Cyberoam defines the two default firewall rules as follows:

Monitor only

Cyberoam applies the firewall rules in the order as specified below.

1. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying following policies:

Internet Access policy – User specific

Bandwidth policy – User specific

Anti Virus & Anti Spam policy – Allows SMTP, POP3, IMAP and HTTP traffic without scanning

IMAP and HTTP traffic

General Internet policy

Cyberoam applies the firewall rules in the order as specified below.

1. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying following policies:

Internet Access policy – User specific

Bandwidth policy – User specific

Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

2. Masquerade and Allow entire LAN to WAN traffic for all the users after applying following policies:

Internet Access policy – Applies ‘General Corporate Policy’ to block Porn, Nudity, AdultContent, URL TranslationSites, Drugs, CrimeandSuicide, Gambling, MilitancyandExtremist, PhishingandFraud, Violence, Weapons categories

IDP – General policy

Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

Strict Internet policy

Cyberoam applies the firewall rules in the order as specified below.

1. Masquerade and Allow entire LAN to WAN traffic for all the authenticated users after applying following policies:

Internet Access policy – User specific

Bandwidth policy – User specific

IDP policy – General policy

Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

2. Drop entire LAN to WAN traffic for all the users

Note

Default Firewall rules can be modified as per the requirement but cannot be deleted

IDP policy will not be effective until the Intrusion Detection and Prevention (IDP) module is subscribed.

Virus and Spam policy will not be effective until the Gateway Anti Virus and Gateway Anti-spam modules are subscribed respectively.

If Internet Access Policy is not set through Network Configuration Wizard at the time of deployment, the entire traffic is dropped.

Additional firewall rules can be defined to extend or override the default rules. For example, rules can be created that block certain types of traffic such as FTP from the LAN to the WAN, or allow certain types of traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols such as Telnet to authorized users on the LAN.


Create Firewall rule

Previous versions allowed creating firewall rules based on source and destination IP addresses and services but now Cyberoam’s Identity based firewall allows to create firewall rules embedding user identity into the firewall rule matching criteria.

Firewall rule matching criteria now includes:

• Source and Destination Zone and Host

• User

• Service

Prior to this version, all the Unified Threat Control policies were to be enabled individually from their respective pages. Now one can attach the following policies to the firewall rule as per the defined matching criteria:

• Intrusion Detection and Prevention (IDP)

• Anti Virus

• Anti Spam

• Internet Access

• Bandwidth Management

• Routing policy i.e. define user and application based routing

To create a firewall rule, you should:

• Define matching criteria

• Associate action to the matching criteria

• Attach the threat management policies

For example, now you can:

• Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP 192.168.2.22

• Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP 192.168.2.22

Processing of firewall rules is top downwards and the first suitable rule found is applied.

Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a general rule might allow a packet that you specifically have a rule written to deny later in the list. When a packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest of the rules in the list.
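The ordering rule above, as an added example (not Cyberoam code): a small Python model of top-down, first-match evaluation plus a check for rules that can never fire because an earlier, more general rule covers them. The rule fields, the `*` wildcard, the implicit final drop and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "*"  # this model's wildcard: any service / identity not checked


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str   # source host or network in CIDR form
    service: str   # service name, or ANY
    user: str      # user name when identity is checked, else ANY
    action: str    # "accept", "drop" or "reject"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    service: str
    user: Optional[str]  # live (logged-in) user for src_ip, or None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every matching criterion of the rule fits the packet."""
    return (
        rule.src_zone == pkt.src_zone
        and rule.dst_zone == pkt.dst_zone
        and ip_address(pkt.src_ip) in ip_network(rule.src_net)
        and rule.service in (ANY, pkt.service)
        and rule.user in (ANY, pkt.user)
    )


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top-down; the first matching rule decides, the rest are skipped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "implicit-default", "drop"  # assumption: unmatched traffic is dropped


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that matches `later` also matches `earlier`."""
    return (
        earlier.src_zone == later.src_zone
        and earlier.dst_zone == later.dst_zone
        and ip_network(later.src_net).subnet_of(ip_network(earlier.src_net))
        and earlier.service in (ANY, later.service)
        and earlier.user in (ANY, later.user)
    )


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (unreachable_rule, covering_rule) pairs for a rule list."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rules for a LAN of 192.168.2.0/24 (hypothetical policy).
TELNET_JOHN = Rule("telnet-john", "LAN", "WAN", "192.168.2.22/32", "TELNET", "john", "accept")
DROP_TELNET = Rule("drop-telnet", "LAN", "WAN", "192.168.2.0/24", "TELNET", ANY, "drop")
DROP_FTP = Rule("drop-ftp", "LAN", "WAN", "192.168.2.0/24", "FTP", ANY, "drop")
ALLOW_LAN_WAN = Rule("allow-lan-wan", "LAN", "WAN", "192.168.2.0/24", ANY, ANY, "accept")

SPECIFIC_FIRST = [TELNET_JOHN, DROP_TELNET, DROP_FTP, ALLOW_LAN_WAN]
GENERAL_FIRST = [ALLOW_LAN_WAN, DROP_FTP, DROP_TELNET, TELNET_JOHN]

FTP_FROM_LAN = Packet("LAN", "WAN", "192.168.2.50", "FTP", None)
JOHN_TELNET = Packet("LAN", "WAN", "192.168.2.22", "TELNET", "john")
ANON_TELNET = Packet("LAN", "WAN", "192.168.2.22", "TELNET", None)

if __name__ == "__main__":
    for label, rules in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        print(label, "FTP ->", first_match(rules, FTP_FROM_LAN), "shadowed:", shadowed(rules))
```

With the general rule first, the FTP packet is accepted and all three specific rules are reported as unreachable; with the specific rules first, nothing is shadowed.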


Screen - Create Firewall rule

Screen Elements Description

Matching Criteria

Source Specify source zone and host IP address/network address to which the rule applies.

To define host group based firewall rule you need to define host group. Under Select Address, click Create Host Group to define host group from firewall rule itself or from Firewall → Host Group → Create

Check Identity (Only if source zone is LAN/DMZ)

Check identity allows you to check whether the specified user/user group from the selected zone is allowed the access of the selected service or not. Click Enable to check the user identity.

Enable check identity to apply following policies per user:

• Internet Access policy for Content Filtering (User’s Internet access policy will be applied automatically but will not be effective till the Web and Content Filtering module is subscribed)

• Schedule Access

• IDP (User’s IDP policy will be applied automatically but will not be effective till the IDP module is subscribed)

• Anti Virus scanning (User’s anti virus scanning policy will be applied automatically but it will not be effective till the Gateway Anti Virus module is subscribed)

• Anti Spam scanning (User’s anti spam scanning policy will be applied automatically but it will not be effective till the Gateway Anti Spam module is subscribed)

• Bandwidth policy - User’s bandwidth policy will be applied automatically

• The policy selected in Route through Gateway is the static routing policy that is applicable only if more than one gateway is defined and used for load balancing.

and limit access to available services.

Destination Specify destination zone and host IP address /network address to which the rule applies.

Under Select Address, click Create Host Group to define host group from firewall rule itself or from Firewall → Host Group → Create

Under Select Address, click Add Host to define host group from firewall rule itself or from Firewall → Host → Add Host

Service/Service group

Services represent types of Internet data transmitted via particular protocols or applications.

Select service/service group to which the rule applies.

Under Select Here, click Create Service Group to define service group from firewall rule itself or from Firewall → Service → Create Service

Protect by configuring rules to

• block services at specific zone

• limit some or all users from accessing certain services

• allow only specific user to communicate using specific service

Apply Schedule Select Schedule for the rule

Firewall Action When Criteria Match

Action Select rule action

Accept – Allow access

Drop – Silently discards

Reject – Denies access and ‘ICMP port unreachable’ message will be sent to the source

When sending response it might be possible that response is sent using a different interface than the one on which request was received. This may happen depending on the Routing configuration done on Cyberoam. For example,

If the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and specific route is not defined, Cyberoam will send a response to these hosts using default route. Hence, response will be sent through the WAN port.

Apply Source NAT (Only if Action is ‘ACCEPT’)

Select the SNAT policy to be applied

This option is not available if Cyberoam is deployed as Bridge

Advanced Settings

Click to apply different protection settings to the traffic controlled by firewall. You can:

• Enable load balancing and failover when multiple links are configured. Applicable only if Destination Zone is WAN

• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies. To apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway Anti Spam modules individually. Refer to Licensing section for details.

• Implement Intrusion detection and prevention. To apply IDP policy you need to subscribe for Intrusion Detection and Prevention module. Refer to Licensing section for details.

• Configure content filtering policies. To apply content filtering you need to subscribe for Web and Application Filter module. Refer to Licensing section for details.

• Apply bandwidth policy

Destination NAT Settings

Destination NAT policy

Select DNAT policy to be applied

DNAT rule tells the firewall to forward the requests from the specified machine and port to the specified machine and port.

Under Select Here, click Create DNAT Policy to define DNAT policy from firewall rule itself or from Firewall → DNAT Policy → Create

This option is not available if Cyberoam is deployed as Bridge

Policy Settings

IDP Policy Select IDP policy for the rule.

To use IDP, you have to subscribe for the module. Refer to Licensing for more details.

Refer to IDP, Policy for details on creating IDP policy

Internet Access Policy

Select Internet access policy for the rule. It can be applied only to LAN to WAN rule.

Internet Access policy controls web access.


Bandwidth Policy Select Bandwidth policy for the rule. Only the Firewall Rule based Bandwidth policy can be applied.

Bandwidth policy allocates & limits the maximum bandwidth usage of the user.

Refer to Policies, Bandwidth Policy for details on creating Bandwidth policy.

Route Through Gateway

Select routing policy

Can be applied only if more than one gateway is defined.

This option is not available if Cyberoam is deployed as Bridge

Refer to Multiple Gateway Implementation Guide for more details.

Virus & Spam Settings

Scan Protocol(s) Click the protocol for which the virus and spam scanning is to be enabled

By default, HTTP scanning is enabled.

To implement Anti Virus and Anti Spam scanning, you have to subscribe for the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details.

Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide for details.

Log Traffic Click to enable traffic logging for the rule i.e. traffic permitted and denied by the firewall rule.

Make sure firewall rule logging is ON/Enabled from the Logging Management. Refer to Cyberoam Console Guide, Cyberoam Management for more details.

To log the traffic permitted and denied by the firewall rule, you need to ON/Enable the firewall rule logging from the Web Admin Console → Firewall rule and from the Telnet Console → Cyberoam Management. Refer to Cyberoam Console Guide for more details.

Refer to Appendix B - Network Traffic Logging Entry for more details.

Description Specify full description of the rule

Save button Saves the rule

Table - Create Firewall rule screen elements

Manage Firewall

Use to:

• Enable/disable SMTP, POP3, IMAP and HTTP scanning

• Deactivate rule

• Delete rule

• Change rule order

• Append rule (zone to zone)

• Insert rule

• Select display columns

Screen components

Append Rule button - Click to add zone to zone rule

Select Column button – Click to customize the number of columns to be displayed on the page

Subscription icon - Indicates subscription module. To implement the functionality of the subscription module you need to subscribe the respective module. Click to open the licensing page.

Enable/Disable rule icon - Click to activate/deactivate the rule. If you do not want to apply the firewall rule temporarily, disable the rule instead of deleting it.

Green – Active Rule

Red – Deactive Rule

Edit icon - Click to edit the rule. Refer to Edit Firewall rule for more details.

Insert icon - Click to insert a new rule before the existing rule. Refer to Define Firewall Rule for more details.

Move icon - Click to change the order of the selected rule. Refer to Change the firewall rule order for details.

Delete icon - Click to delete the rule. Refer to Delete Firewall Rule for more details.

Update Rule


Screen- Edit Firewall Rule

Screen Elements Description

Matching Criteria

Source Displays source zone and host IP address /network address to which the rule applies.

Zone Type cannot be modified

Modify host/network address if required

To define host group based firewall rule you need to define host group. Under Select Address, click Create Host Group to define host group from firewall rule itself or from Firewall → Host Group → Create

Check Identity (Only if source zone is LAN or DMZ)

Check identity allows you to check whether the specified user/user group from the selected zone is allowed the access of the selected service or not. Click Enable to check the user identity

Destination Displays destination zone and host IP address /network address to which the rule applies.

Zone Type cannot be modified

Modify host/network address if required.

To define host group based firewall rule you need to define host group. Under Select Address, click Create Host Group to define host group from firewall rule itself or from Firewall → Host Group → Create

Under Select Address, click Add Host to define host group from firewall rule itself or from Firewall → Host → Add Host

Service/Service group

Services represent types of Internet data transmitted via particular protocols or applications.

Displays service/service group to which the rule applies, modify if required

Under Select Here, click Create Service Group to define service group from firewall rule itself or from Firewall → Service → Create Service

Cyberoam provides several standard services and allows creating the custom services also. Under Select Here, click Create Service to define service from firewall rule itself or from Firewall → Service → Create Service

Protect by configuring rules to

• block services at specific zone

• limit some or all users from accessing certain services

Apply Schedule Displays rule’s schedule, modify if required

Firewall Action When Criteria Match

Action Displays rule action, modify if required

Accept – Allow access

Drop – Silently discards i.e. without sending ‘ICMP port unreachable’ message to the source

Reject – Denies access and sends ‘ICMP port unreachable’ message to the source

Apply Source NAT (Only if Action is ‘ACCEPT’)

Displays the SNAT policy applied to the rule; modify if required.

It allows access, but only after changing the source IP address, i.e. the source IP address is substituted by the IP address specified in the SNAT policy. You can create an SNAT policy from the firewall rule itself or from Firewall → SNAT Policy → Create.

This option is not available if Cyberoam is deployed as Bridge.

Advanced Settings

Click to apply different protection settings to the traffic controlled by the firewall. You can:

• Enable load balancing between multiple links

• Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies

• Apply bandwidth policy

• Configure content filtering policies

Destination NAT Settings

Destination NAT policy

Displays the DNAT policy applied; modify if required.

A DNAT rule tells the firewall to forward requests from the specified machine and port to the specified machine and port.

This option is not available if Cyberoam is deployed as Bridge.

Policy Settings

IDP Policy

Displays the IDP policy for the rule; modify if required.

To use IDP, you have to subscribe to the module. Refer to Licensing for more details.

Refer to IDP, Policy for details on creating an IDP policy.

Internet Access Policy (Only if source zone is LAN)

Displays the Internet Access policy for the rule; modify if required.

Internet Access policy controls web access.

Refer to Policies, Internet Access Policy for details on creating Internet Access policy.

Bandwidth Policy

Displays the Bandwidth policy for the rule; modify if required. Only the Firewall Rule based Bandwidth policy can be applied.

Bandwidth policy allocates and limits the maximum bandwidth usage of the user.

Refer to Policies, Bandwidth Policy for details on creating Bandwidth policy.

Route Through Gateway

Displays the routing policy; modify if required.

Can be applied only if more than one gateway is defined.

This option is not available if Cyberoam is deployed as Bridge.

Refer to Multiple Gateway Implementation Guide for more details.

Virus & Spam Settings

Scan Protocol(s)

Displays the protocols for which virus and spam scanning is to be enabled; modify if required.

By default, HTTP scanning is enabled.

To implement Anti Virus and Anti Spam scanning, you have to subscribe to the Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for more details.

Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide for details.
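The matching criteria and the three firewall actions described in this table can be modelled in a few lines. The following is an added illustration, not Cyberoam code: the Rule and Packet structures, the hour-based schedule and every address used with them are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP_PORT_UNREACHABLE = (3, 3)  # ICMP type 3 (destination unreachable), code 3 (port unreachable)

@dataclass
class Rule:  # hypothetical structure mirroring the fields on the Edit Firewall Rule screen
    src_zone: str
    src_net: str
    dst_zone: str
    dst_net: str
    services: set                  # e.g. {("tcp", 25)}
    hours: range                   # schedule simplified to hours of the day
    action: str                    # "accept", "drop" or "reject"
    snat_ip: Optional[str] = None  # honoured only when action is "accept"

@dataclass
class Packet:  # hypothetical description of one connection attempt
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int
    hour: int

def matches(rule, pkt):
    """True when every matching criterion of the rule holds for the packet."""
    return (pkt.src_zone == rule.src_zone and pkt.dst_zone == rule.dst_zone
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and (pkt.proto, pkt.dport) in rule.services
            and pkt.hour in rule.hours)

def apply_rule(rule, pkt):
    """Return (forwarded_source_ip, icmp_reply_to_source), or None if the rule does not match."""
    if not matches(rule, pkt):
        return None
    if rule.action == "accept":
        return (rule.snat_ip or pkt.src_ip, None)  # SNAT substitutes the source address
    if rule.action == "reject":
        return (None, ICMP_PORT_UNREACHABLE)       # source is told the port is unreachable
    if rule.action == "drop":
        return (None, None)                        # silent discard: source receives nothing
    raise ValueError(f"unknown action {rule.action!r}")
```

With Drop the source gets no reply at all and has to wait for its own timeout, while Reject returns an immediate ICMP error; in both cases any SNAT setting on the rule is ignored.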
