Cyberoam Evaluation Guide

Contents

Preface... 4

Cyberoam - Identity-based Unified Threat Management ... 4

Deploying Cyberoam ... 5

Accessing Cyberoam ... 5

Verify Configuration ... 6

Configure Mail and Web server access ... 7

User Authentication... 7

Firewall... 7

Firewall rule... 8

Default Firewall rules... 9

Firewall rule processing order... 9

Manage firewall rules ... 9

Intrusion Prevention System (IPS) ... 9

Create Custom IPS policy... 10

Create Identity-based IPS Policy ...11

Create custom IPS signatures ...11

Virtual Private Network... 12

Configure Net-to-Net IPSec VPN connection ...12

Configure remote VPN access using Cyberoam VPN Client...12

Configure VPN failover... 13

SSL VPN... 13

Allow access to Internal network...13

Allow access to internally hosted sites...15

Virus and Spam scanning ... 17

Managing Spam... 17

Actions for Spam mails ... 17

Block mails using White lists and Black lists...18

Quarantine management ...19

Spam Digest... 20

Release Quarantined Spam Mails ...20

Archive mails... 20

Content filtering... 21

Filter traffic based on Domain names ...22

Block P2P applications for a particular user ...23

Block “Facebook” – a social networking service...23

Allow specific Messenger (IM) ...24

Manage Bandwidth ... 24

Control bandwidth for group of users...24

Prioritize bandwidth usage of an Application ...24

Configure Multiple Gateways ... 25

Add Gateway... 25


Configure Source based routing ...25

Configure Outbound Load balancing ...25

Configure Gateway Failover ...25

Gateway Failback... 26

Virtual LAN (VLAN) ... 26

Dynamic Routing... 26

On-Appliance Reports... 26

Dashboard... 26

Threats detected ... 27

Access Reports ... 28

Analytical Reports ... 28

Search Engine Report... 31

Compliance reports ... 31

Data Leakage report ... 32

High Availability... 32

Configure Active-Active HA cluster ...33

Trouble Shooting... 34

General Administration... 35


Preface

Thank you for purchasing the award-winning Identity-based Cyberoam UTM.

Welcome to Cyberoam Evaluation Guide! This document is designed to ensure that you are able to use the basic features of your Cyberoam. It contains configuration guidelines on what is to be done after Cyberoam appliance is up and running in your network and addresses the most common use-case scenarios.

In addition to this guide, you can access online help by clicking the “Online Help” icon located at the right-most corner of every page of the GUI. The entire Cyberoam documentation set can be referred to at http://docs.cyberoam.com.

The configuration given in the document is to be performed from the Web Admin console (GUI) of Cyberoam unless specified. Solutions provided in the document are applicable up to version 9.5.9.

Cyberoam - Identity-based Unified Threat Management

Cyberoam CR200i is part of the unique Identity-based Unified Threat Management range of appliances that offer comprehensive network security with fine granularity through its user identity-based security policies. Here are some key reasons why Cyberoam CR200i is able to provide intelligent threat management with multiple benefits for SMEs and large enterprises, leaving no loopholes in their security arrangements.

Full Feature Set – Excellent Value for Money: Due to its high performance and full feature set, Cyberoam CR200i gives excellent value for money. It has multiple security features integrated over a single UTM appliance: Stateful Inspection Firewall, Gateway Anti-Virus & Anti-Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content Filtering, Bandwidth Management, Multiple Link Management and On-appliance Reporting for comprehensive logs and reports of user activities in the network.

Cyberoam offers IPSec VPN for secure remote access and the option of SSL VPN for greater security, ease of use and granular control in VPN environments, without the need to install individual VPN clients. Cyberoam’s multicore-aware software architecture fully leverages the strength of multicore processors, therefore offering high gigabit throughput performances, while ensuring enhanced flexibility and security. VLANs create work-profile based policies by enabling logical grouping of users in the network. Active-Active High Availability (HA) feature ensures continuous uptime along with multiple link management and failover detection feature for ISP links. Cyberoam UTM also complies with several regulatory requirements such as PCI-DSS, HIPAA, CIPA, GLBA, and SOX.

Quick Deployment and Easy Set-up: CR200i is very simple to operate and readily deployable in any networking environment. The “Quick Start” guide gives step-by-step deployment instructions for easy setup from Web Admin Console (GUI).

Zero-hour protection: Cyberoam UTM offers robust protection against rapidly evolving and short-lived threats through technologies such as Threat Free Tunneling (TFT) for safe VPN Internet browsing, Recurrent Pattern Detection (RPD™) for content-agnostic, language and multi-format spam protection and ID-based Custom IPS policies to protect against external and internal threats, that work in dynamic environments to inform the administrator who is doing what in the network, and take instant corrective actions.

Unified Security: Cyberoam's identity-based security offers a single window entry to dynamically apply policies for all its UTM features - to the user directly, from within the “firewall rule”. This delivers truly unified controls in addition to ease of use and ease of troubleshooting.

Full Flexibility and High Customization: Cyberoam offers Identity-based policy detailing across all its features, enabling higher granularity and greater flexibility in comparison to blanket policies. Cyberoam allows custom IPS signatures and custom web categories, allowing high levels of customization. The Cyberoam GUI offers a clear screen-view of usage and threat patterns. Enterprises can use Cyberoam’s flexibility and customization to define and apply user, group and application-based policies.

Customer Support and Documentation: The CR200i appliance carries a free 1 year subscription for 8x5 support and includes Web, Telephone, Email and Chat Support along with software upgrades. It also includes access to the knowledge base, Customer Support Portal (http://customer.cyberoam.com) and the Cyberoam Security Center (www.cyberoamsecuritycenter.com). Cyberoam appliances offer three levels of customer support, as shown at http://www.cyberoam.com/mcontracts.html: Basic, Advanced and Premium. Premium Support is a highly-personalized service offering that includes 24x7 Helpdesk, a dedicated account manager, and the option for on-site assistance.

The Cyberoam product Documentation website http://docs.cyberoam.com provides the latest documentation for all Cyberoam products. Also, Cyberoam’s knowledge database, http://kb.cyberoam.com contains an exhaustive array of information related to upgrades and troubleshooting guidelines.

Deploying Cyberoam

If Cyberoam is not already deployed in your network, refer to Appliance model specific Quick Start Guide to get step-by-step deployment help.

Accessing Cyberoam

Web Admin Console

If you are accessing the Cyberoam appliance for the first time after deployment and have not changed the default IP scheme, browse to http://172.16.16.16; otherwise browse to http://<LAN IP address of Cyberoam>. Log on with the default username “cyberoam” and password “cyber”.

LAN IP address of Cyberoam is the IP address configured through the Network Configuration Wizard at the time of deployment.


Verify Configuration

Verify configuration done through Network Configuration Wizard from Dashboard. Dashboard provides a quick and fast overview of all the important parameters of Cyberoam appliance including the current operating status of the Cyberoam appliance.

Press the F10 key to view the Dashboard from any page. Confirm:

• subscription of all the modules from the License Information section

• deployment mode from the Appliance Information section


Configure Mail and Web server access

To configure Cyberoam to provide the access of internal resources i.e. mail and web server hosted in LAN, you need to create:

• Virtual host (from Firewall → Virtual Host → Create)

• WAN to LAN firewall rule for the respective virtual host to allow the inbound traffic (when servers are hosted in LAN)

• WAN to DMZ firewall rule for respective virtual host to allow the inbound traffic (when servers are hosted in DMZ)

Refer to “Configure one-to-one IP address mapping to access devices on Internal network” for step-by-step configuration.

User Authentication

Configure user authentication from User → Authentication settings. Available options:

• Active Directory (AD) Authentication - Refer to article http://kb.cyberoam.com/default.asp?id=525&Lang=1&SID= for more details.

• LDAP Authentication - Refer to article http://kb.cyberoam.com/default.asp?id=707&Lang=1&SID= for more details.

• RADIUS Authentication - Refer to article http://kb.cyberoam.com/default.asp?id=339&Lang=1&SID= for more details.

• Windows NT Domain controller Authentication - Refer to article http://kb.cyberoam.com/default.asp?id=534&Lang=1&SID= for more details.

• Cyberoam/Local Authentication - If you want Cyberoam to authenticate users, add users and configure group membership for users. Cyberoam supports various user types, refer to User types for details on user types and how to add users.

Generate Reports with user names

You need to configure authentication to generate reports with user names. It is easy to monitor user activity and identify the source and destination of the traffic with user name rather than with IP address.

Firewall

Zones

Cyberoam provides zone-based security. A zone is a logical grouping of ports that have similar functions. Cyberoam provides five default zone types: LAN, DMZ, WAN, LOCAL, VPN.

Entire set of physical ports available on the Cyberoam appliance including their configured aliases are grouped in LOCAL zone. In other words, IP addresses assigned to all the ports fall under the LOCAL zone.


Firewall rule

Firewall rule provides centralized management of entire set of security policies. From a single firewall rule, you can define and manage entire set of Cyberoam security policies. Zone based firewall rules are created to control (allow or block) the network traffic. If you wish to have more granular control, include user and/or service in the zone based firewall rule.

From the firewall rule, you can:

• Define inbound and outbound access based on source and destination hosts/Network and MAC address.

• Enable scanning for HTTP, FTP, SMTP, POP3 or IMAP traffic - for email spam filtering, virus security, spyware, malware and phishing protection

• Define IPS policy - for protection against threats and attacks originating from external world and internal network

• Attach Gateway routing policy - for load balancing and gateway failover protection in case of multiple gateways

• Specify Internet Access policy - for web access to control access of inappropriate web sites, IM and P2P traffic

• Schedule access

• Attach bandwidth policy - to control and schedule bandwidth usage for individual user or group and prioritize bandwidth usage for particular application

To create a firewall rule, go to Firewall → Create Rule

[Screenshot: Create Rule page. Callouts: “Multiple configurable policies”; “Click ‘Check Identity’ and specify user name to configure user-based firewall rule”]

Default Firewall rules

Cyberoam automatically creates two default firewall rules based on the Internet Access policy (IAP) defined through Network Configuration Wizard at the time of deployment.

Refer to Cyberoam User Guide for more details.

Firewall rule processing order

Cyberoam processes firewall rules from top to bottom and the first suitable matching rule found is applied. When a matching rule is found, traffic is immediately dropped or forwarded without being tested by the rest of the rules in the list.

While adding multiple firewall rules, make sure specific rules are placed above the general rules. If general rule is placed above the specific rule, general rule will allow the traffic for which you have defined the deny rule later in the list.
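The first-match evaluation and the shadowing problem described above, as an added example that is not Cyberoam's code: the rule fields (zones, source network, service, optional user for an identity-based rule) are simplified assumptions that mirror the fields a zone-based rule carries in this guide. The `shadowed_rules` check flags any rule that can never fire because an earlier, broader rule already covers every packet it would match, which is exactly the misordering the paragraph warns about.

```python
"""First-match firewall rule evaluation and a shadowed-rule check.

Added illustration, not Cyberoam's own code. Rule fields are assumptions
that mirror the zone-based rule described in the guide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str                 # CIDR, or "any" to match every source
    service: str                 # e.g. "HTTP", "FTP", or "any"
    action: str                  # "allow" or "deny"
    user: Optional[str] = None   # set when "Check Identity" makes the rule user-based

    def matches(self, src_zone, dst_zone, src_ip, service, user=None):
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        if self.src_net != "any" and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.service != "any" and self.service != service:
            return False
        if self.user is not None and self.user != user:
            return False
        return True


def first_match(rules, src_zone, dst_zone, src_ip, service, user=None):
    """Top-to-bottom evaluation: the first matching rule decides and
    nothing below it is consulted, as the guide describes."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, service, user):
            return rule
    return None  # no rule matched


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule is at
    least as broad in every field (a conservative containment test)."""
    def covers(general, specific):
        if (general.src_zone, general.dst_zone) != (specific.src_zone, specific.dst_zone):
            return False
        if general.src_net != "any":
            if specific.src_net == "any":
                return False
            if not ip_network(specific.src_net).subnet_of(ip_network(general.src_net)):
                return False
        if general.service not in ("any", specific.service):
            return False
        if general.user is not None and general.user != specific.user:
            return False
        return True

    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed sample: a general LAN-to-WAN allow placed ABOVE a specific deny.
BAD_ORDER = [
    Rule("allow-all", "LAN", "WAN", "any", "any", "allow"),
    Rule("deny-guest-ftp", "LAN", "WAN", "192.168.50.0/24", "FTP", "deny"),
]
# Same rules with the specific deny moved above the general allow.
GOOD_ORDER = list(reversed(BAD_ORDER))

if __name__ == "__main__":
    for label, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        hit = first_match(rules, "LAN", "WAN", "192.168.50.10", "FTP")
        print(label, "-> FTP from 192.168.50.10 hits:", hit.name,
              "| shadowed:", shadowed_rules(rules))
```

Running the block shows the guest FTP traffic hitting `allow-all` in the bad order and `deny-guest-ftp` once the specific rule is moved up; the shadowing check is the test to run after every reorder on the Manage Rule page.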

Manage firewall rules

Edit, delete, or change the rule order from Firewall → Manage Rule

Please note that default rules cannot be deleted but edited as per the requirement.

NAT (Network Address Translation)

NAT rule changes the source IP address of the packet i.e. the IP address of the connection initiator is changed. Apply NAT rule whenever it is required to send the outgoing traffic with a specific IP address.

For example, the WAN port has multiple public IP addresses: 202.134.168.202 and 202.134.168.208. To route the traffic of a group of users through 202.134.168.208 only, you need to create a NAT rule for that group of users.

Intrusion Prevention System (IPS)

To reduce the chances of excessive false positives and the number of alerts, Cyberoam allows creation of a tailor-made IPS scanning policy. The Administrator can fine-tune the default policies as well as create custom policies to reduce false positives. Disabling IPS scanning for the traffic of applications not in use also reduces network load.

[Screenshot: Manage Rule page toolbar: Edit, Insert, Move, Delete, Enable/Disable Rule, Schedule, Deactivate]

Fine-tuning policies will help in reducing false positive, alerts and network choking.

Apart from the fine-tuning default policies, Administrator can also create custom policies for individual applications and users.

Create Custom IPS policy

Create IPS policy from IPS → Policy → Create

Once you create a policy, all the signature categories are enabled and the individual signatures within the category are set to ‘Detect’ or ‘Drop’ mode. You can enable/disable a signature category or configure an individual signature as and when needed. Click the “Edit” icon against the category/signature.

Detect – When any traffic that matches the signature is detected, Cyberoam does not take any action against the traffic and the connection proceeds to its intended destination.

Drop - When any traffic that matches the signature is detected, Cyberoam automatically drops the packets that triggered IPS, resets the connection, and prevents the traffic from reaching its destination. In both cases, Cyberoam logs the details and alerts the Administrator; individual signatures can be enabled or disabled.


Create Identity-based IPS Policy

In order to provide a high level of granularity, Cyberoam also allows IPS scanning to be applied to an individual user. This additionally reduces the network load, as the traffic of the other users will not be scanned.

To configure Identity-based IPS policy:

1. Define IPS policy from IPS→ Policy → Create

2. Configure Firewall rule for the user and attach IPS policy created in step 1

Create custom IPS signatures

Default signatures included in Cyberoam cover the signatures of common attacks.

But, enterprises with diverse network environments require flexibility to customize IPS and deliver instant protection against emerging threats and high levels of granularity.


requirements for blocking, detecting traffic on a network e.g. define a custom signature for blocking a particular Yahoo! id

To use a custom signature for scanning and allowing/blocking specific traffic:

• Create signature from IPS → Custom Signature → Create

• Enable the signature from the IPS policy

Custom signatures are an advanced feature, and creating them requires previous experience with IPS and signatures. Refer to “Create Custom IDP Signature” for syntax and other details.

Virtual Private Network

Cyberoam can be used to establish a VPN connection and supports the following protocols to authenticate and encrypt traffic:

• Internet Protocol Security (IPSec)

• Layer Two Tunneling Protocol (L2TP)

• Point-to-Point Tunneling Protocol (PPTP)

Configure Net-to-Net IPSec VPN connection

To make VPN connection configuration an easy task, Cyberoam provides six preconfigured VPN policies for the frequently used VPN deployment scenarios:

• DefaultRoadWarrior

• DefaultL2TP

• DefaultHeadOffice

• DefaultBrachOffice

• AES128_MD5

• Default Policy

Administrator can directly use the “DefaultHeadOffice” and “DefaultBrachOffice” default policies for the most common scenario to establish a net-to-net connection using a preshared key to authenticate peers. For step by step configuration, refer to http://kb.cyberoam.com/default.asp?id=805&Lang=1&SID=

Cyberoam provides VPN interoperability with a number of third party IPSec VPN Gateways; refer to http://kb.cyberoam.com/default.asp?id=388&Lang=1&SID= for the list of supported gateways and how to establish a connection with them.

Configure remote VPN access using Cyberoam VPN Client

This is commonly called a "road warrior" configuration, because the client is typically a laptop being used from remote locations, and connected over the internet using service providers and dialup connections. The most common use of this scenario is when you are at home or on the road and want access to the corporate network.

For step by step configuration, refer to http://kb.cyberoam.com/default.asp?id=786&Lang=1&SID=. If you are using the Cyberoam IPSec VPN Client for the first time, download the Client from http://www.cyberoam.com/vpnhelp.html.


Configure VPN failover

You will need to configure VPN failover condition to keep your VPN connection always ON. To configure connection failover, you have to:

• Create Connection Group from VPN → Connection Failover → Create Connection Group. Connection Group is the grouping of all the connections that are to be used for failover. The order of connections in the Group defines fail over priority of the connection.

• Define Fail over condition in the Group itself

If a Connection Group is created that includes the primary connection, your primary VPN connection will fail over to the very next active Connection in the Group. For example, if the connection established using the 4th Connection in the Group is lost, then the 5th Connection will take over, provided the 5th connection is active.

SSL VPN

SSL (Secure Socket Layer) VPN allows access to the Enterprise network from anywhere, anytime and provides the ability to create point-to-point encrypted tunnels between remote employees and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication to enable access to the internal resources.

To provide access, it operates in two modes: Full Access and Web Access mode.

Full access – for the remote users who are to be provided with the Enterprise network access from laptops, Internet cafes, hotels etc. It requires an SSL VPN Client at the remote end. Remote users can download and install SSL VPN Client from the End user Web Portal.

Web access – for the remote users who are equipped with the web browser only and when access is to be provided to the certain Enterprise Web applications/servers through web browser only. In other words, it is a clientless access.

The basic and common administrative configuration for both the modes of operation can be configured from the Global settings and portal settings.

Allow access to Internal network

Cyberoam Configuration

A 3 step configuration is required to provide access of the Internal network to the remote users:

Step 1. Create hosts for all the Internal networks whose access is to be provided from Firewall → Host → Add.


Step 2. Create SSL VPN policy from SSL VPN → SSL VPN Policy → Add SSL VPN Policy with the following parameters:

Parameters and values:

• Name: networkaccesspolicy

• Access Mode: Full Access Mode

• Full Access Setting - Tunnel Type: Split Tunnel (default)

Tunnel type determines how the remote user’s traffic will be routed. Split tunneling ensures that only the traffic for the private network is tunneled and encrypted while in full tunneling private network traffic as well as other Internet traffic is also tunneled and encrypted.
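The routing consequence of the two tunnel types, as an added example that is not part of this guide or of the Cyberoam client: it models the client's routing table as a longest-prefix-match lookup. The internal networks are constructed stand-ins for the hosts created in Step 1; in split mode only those prefixes are installed via the tunnel, in full mode a tunnel default route takes precedence over the ISP default route. Interface names and the tie-break rule are assumptions of this illustration.

```python
"""Split vs full tunnel route selection for an SSL VPN client.

Added illustration, not Cyberoam's code. Internal networks are
constructed sample values standing in for the hosts added in Step 1.
"""
from ipaddress import ip_address, ip_network

# Constructed: the internal networks the administrator added as hosts.
INTERNAL_NETWORKS = ["10.10.0.0/16", "192.168.100.0/24"]
DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def build_routes(tunnel_type, internal_networks=INTERNAL_NETWORKS):
    """Routes the client ends up with, as (network, interface) pairs.

    - split: the ISP default route stays; only internal prefixes go via the tunnel
    - full:  a tunnel default route is added after the ISP one and wins the tie
    """
    routes = [(DEFAULT_ROUTE, "isp")]  # the client's pre-existing default route
    if tunnel_type == "split":
        routes += [(ip_network(n), "tunnel") for n in internal_networks]
    elif tunnel_type == "full":
        routes.append((DEFAULT_ROUTE, "tunnel"))
    else:
        raise ValueError(f"unknown tunnel type: {tunnel_type}")
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match; on equal prefix length the later entry wins,
    which is how the full-tunnel default overrides the ISP default here."""
    addr = ip_address(dst_ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, iface)
    return best[1]


def tunnel_plan(tunnel_type, destinations):
    """Map each destination to the interface it would leave on."""
    routes = build_routes(tunnel_type)
    return {d: lookup(routes, d) for d in destinations}


if __name__ == "__main__":
    sample = ["10.10.5.5", "192.168.100.7", "8.8.8.8"]  # constructed destinations
    for mode in ("split", "full"):
        print(mode, tunnel_plan(mode, sample))
```

With split tunnelling the destinations that resolve to `isp` never traverse the appliance, so the firewall, IPS and content-filtering policies described elsewhere in this guide do not apply to that traffic; full tunnelling sends everything through the appliance at the cost of bandwidth.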


Step 3. Edit SSL VPN policy (created in step 2) from SSL VPN → SSL VPN Policy → Manage SSL VPN Policy to assign policy to the required user. Click “Add Policy Member(s)” and select the user. Once the above configuration is done, remote user can access hosts specified in the SSL VPN policy through End user Web Portal.

Cyberoam Administrator needs to provide End user Web portal URL - https://<WAN IP address of Cyberoam:port> to the remote users. Use default port: 8443 unless customized. Confirm port number from System → Configure → Customize Client Preferences before forwarding URL to the remote user.

End-user Configuration

Step 1. To log on to the End user Web portal, browse to the Web portal URL provided by the Cyberoam Administrator. Default URL: https://<WAN IP address of Cyberoam:8443>.

Step 2. Download and install “Cyberoam SSL VPN client”

Step 3. Download “Cyberoam SSL VPN client configuration”. Right Click the client to import downloaded configuration.

Step 4. Once the tunnel is established, the user can access all the hosts specified in his SSL VPN policy.

Allow access to internally hosted sites

Step 1. Create Bookmark for all the resources whose access is to be provided from SSL VPN → Bookmark → Add Bookmark.

Step 2. Create SSL VPN policy from SSL VPN → SSL VPN Policy → Add SSL VPN Policy with the following parameters:

Parameters and values:

• Access Mode: Web Access Mode

• Web Access setting - Accessible Resources: QAserver (created in step 1)

Step 3. Edit SSL VPN policy (created in step 2) from SSL VPN → SSL VPN Policy → Manage SSL VPN Policy to assign policy to the required user. Click “Add Policy Member(s)” and select the user. Once the above configuration is done, remote user can access resources (bookmarks) specified in the SSL VPN policy from the End user Web Portal.

Cyberoam Administrator needs to provide End user Web portal URL - https://<WAN IP address of Cyberoam:port> to the remote users. Use default port: 8443 unless customized. Confirm port number from System → Configure → Customize Client Preferences before forwarding URL to the remote user.

Portal Access

Step 1. To log on to the End user Web portal, browse to the Web portal URL provided by the Cyberoam Administrator. Default URL: https://<WAN IP address of Cyberoam:8443>.


Virus and Spam scanning

Cyberoam scans incoming and outgoing HTTP, FTP, IMAP, POP3, and SMTP traffic, blocking malicious programs at the entry.

What to enable and from where:

• Enable HTTP virus scanning - from Firewall → Manage Rule: enable scanning in the LAN to WAN firewall rule

• Enable SMTP/FTP virus scanning when Mail server/FTP server is deployed in LAN - from Firewall → Manage Rule: enable SMTP/FTP scanning in the WAN to LOCAL firewall rule

• Enable SMTP/FTP virus scanning when Mail server/FTP server is deployed in DMZ - from Firewall → Manage Rule: enable SMTP/FTP scanning in the WAN to LOCAL firewall rule and the LAN to DMZ firewall rule

• Fine tune virus scanning parameters - from Anti Virus → Mail → General Configuration

• Fine tune spam scanning parameters - from Anti Spam → Mail → General Configuration

• Block password protected attachments (for all the recipients) - update the default policy from Anti Virus → SMTP → Default Scan policy: specify “All” for Block File Types, and enable “Protected Attachment” for Receiver’s Action and Notify Administrator

Managing Spam

Actions for Spam mails

Cyberoam tags suspected spam mail as a “Probable Spam” while mail tagged as “Spam” is actually a spam mail.

You can reject, drop, accept, change the mail recipient or add a prefix to the mail subject and forward the spam mails. Spam actions can be specified from Spam policy.

You can define different actions for:

• Spam and Probable spam mails

• SMTP and POP3/IMAP spam mails

Block mails using White lists and Black lists

Step 1. Create White list from Anti Spam → Configuration → Address Groups with the following parameters:

• Name: Whitelist

• Group Type: Email Address

• Email Address: Type all the email addresses from which

Step 2. Create Black list from Anti Spam → Configuration → Address Groups with the following parameters:

• Name: Blacklist

• Group Type: IP Address

• Email Address: Type all the email addresses from which mails are to be blocked

Update Global Policy (Anti Spam → Spam Policy → Global Policy) and use the white list and black list to allow and block spam mails.

Quarantine management

Cyberoam quarantines virus infected and SMTP spam mails.

If you are Network Administrator, you can view quarantined mails from:

Anti Virus → Mail → General Configuration

Anti Spam → Configuration → General Configuration

As a Network Administrator, you can also educate your network users to view and manage their own quarantine space.


Individual network user can log on to User My Account and go to Quarantine Mails option and view the list of their quarantined mails.

Spam Digest

Spam digest is an email containing a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam mails the spam digest every day to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action.

Digest service can be configured globally for all the users or for an individual user. Configure the digest service for all the users from Anti Spam → Spam Quarantine → Spam Digest Setting. Administrator can even customize the Digest service setting for an individual user.

Release Quarantined Spam Mails

Either Administrator or user himself can release the quarantined spam mails. Administrator can release the quarantined spam mails from Quarantine area while user can release from his My Account. Released quarantined spam mails are delivered to the intended recipient’s inbox.

Administrator can access the Spam Quarantine area from Anti Spam → Configuration → General Configuration, while a user can log on to My Account and access the Spam Quarantine area from Quarantine Mails → Spam → Spam Quarantine area.

Archive mails

The email communications that pertain to the organization’s business activity are subject to regulatory requirements. These requirements necessitate retaining email correspondence. Cyberoam’s “Copy-to” provides an in-house email archiving solution for building your email repository.

By specifying email address in “Send copy to email address(s)” field, you can transparently co-deliver and archive all the mails to the pre-defined mail address.

Archive all incoming mails

If you want to archive all the mails, update Anti Spam Global policy from Anti Spam → Spam Policy → Global Policy and configure email id in “Send copy to email address(s)” field.


Archive mails of specific mail recipient or group of recipients

If you want to archive mails for the specific recipient or group of recipients

• Create Anti Spam Custom policy from Anti Spam → Spam Policy → Create Custom Policy and configure email id in “Send copy to email address(s)” field

• Create spam rule for specific recipient or group of recipients whose mails you want to archive from Anti Spam → Spam Rules and attach above policy

Content filtering

Content filtering is used to limit the access of the contents available to the user based on combination of categories, keywords, URLs, domain names and file types.

Fine-tune the default Internet Access Policy (IAP) for controlling access as per your requirement.

Access control: Block Category

For all the users (Blanket block) - update the “Allow All” default policy from Policies → Internet Access Policy → Manage Policy:

• Category - specify category to be blocked e.g. “music”

• Strategy - “Deny”

• Schedule - “Work hours (5 Day week)”


With the above policy, all the users will be denied access to the “music” category during the working hours.

For a Group/User:

1. Create policy from Policies → Internet Access Policy → Create Policy with Policy Type - Allow; Category - specify category to be blocked; Strategy - Deny

2. Attach IAP created in step 1 to the user Group

3. Create LAN to WAN Identity based rule from Firewall → Create Rule and select the user for whom the category is to be blocked

Access control: Block Uncategorized URL/sites

For all the users (Blanket block):

1. Create Custom category from Categories → Web Category → Create Custom and specify the URL to be blocked under Domain Management

2. Update “Allow All” default policy from Policies → Internet Access Policy → Manage Policy and add category created in step 1

For a Group/User:

1. Create Custom category from Categories → Web Category → Create Custom and specify the URL to be blocked under Domain Management

2. Create policy from Policies → Internet Access Policy → Create Policy with Policy Type - Allow; Category - specify category created in step 1; Strategy - Deny

3. Attach IAP created in step 2 to the user Group

4. Create LAN to WAN Identity based rule from Firewall → Create Rule and select the user for whom the category is to be blocked

Filter traffic based on Domain names

If enabled, users will not be able to bypass the filter and access sites using URL translation or HTTP proxy websites, and such sites hosted on HTTPS will be blocked. In other words, Cyberoam will block any attempts to bypass the web content filtering, including sites hosted on the SSLv2, SSLv3 and TLS protocols.

By default, it is enabled from CLI console and for all the default Internet Access Policy (Web Admin console).


Block P2P applications for a particular user

Create the following Internet Access Policy (IAP) and firewall rule for the user:

Step 1. Create IAP from Policies → Internet Access Policy → Create Policy

• Specify policy name, policy type (Allow)

• Click “Add” button to add categories for blocking

• In “Select Category”, under “Application Protocol Category” column, select “P2P Applications”

• Select “Deny” for “Strategy”

• Select the appropriate schedule. User will not be able to access any of the “P2P Applications” during the time specified in the schedule.

Step 2. Include IAP created in step 1 in the user Group from Group → Manage Group

Step 3. Create User based Firewall rule from Firewall → Create Rule

• Source: LAN, Any Host

• Click “Check Identity” to enable User based Firewall rule and select the user for whom the “P2P Applications” category (created in step 1) is to be blocked

• Destination: WAN, Any Host

• Service: All Services

Block “Facebook” – a social networking service

Facebook (www.facebook.com) is a social networking website and is categorized in “DatingAndMatrimonials” category. So to block the site you need to deny access for the site.


Access policy. Select “DatingAndMatrimonials” in the Web Category field and “Deny” in the Strategy field. The above solution will work only if you have not changed the LAN to WAN “Allow All” default firewall rule.

Allow specific Messenger (IM)

Consider the example where one wants to allow access to Yahoo messenger only and block all other messengers.

1. Update “Allow All” default policy from Policies → Internet Access Policy → Manage Policy to allow access to Yahoo messenger while denying the “Chat” category.

2. Create LAN to WAN firewall rule and apply “Allow All” IAP (updated in step 1)

Manage Bandwidth

Control bandwidth for group of users

• Create User based Bandwidth policy from Policies → Bandwidth Policy → Create Policy

• Create user group from Group → Add group and attach the bandwidth policy created for the group

• Create Identity based firewall rule from Firewall → Create Rule and select the user group.

Prioritize bandwidth usage of an Application

• Create Firewall rule based Bandwidth policy from Policies → Bandwidth Policy → Create Policy. Set the priority as required. Priority can be set from 0 (highest) to 7 (lowest)

• Create firewall rule from Firewall → Create Rule and select the service and the bandwidth policy created in the above step.


Configure Multiple Gateways

Please note that multiple gateways can be configured only if Cyberoam is deployed as a Gateway.

Add Gateway

One unused WAN port is required for each new Gateway to be added.

Go to System → Gateway → Manage Gateway(s) and click “Add” button to configure Gateway IP address and port.

Define gateway weight for load balancing

Assign a weight to each gateway if load balancing is required. Cyberoam distributes traffic across links in proportion to the ratio of the weights assigned to the individual links; a link’s weight determines how much traffic passes through it relative to the other links.

• Set weight as 0 (zero) to disable load balancing and pass the traffic through the default gateway

• Set same weight to all the gateways to distribute traffic equally among all the links

• Set different weights to various gateways to distribute traffic in the ratio of the proportions of the weight set

Configure Source based routing

Configure source based routing if it is required to route traffic of a particular network/subnet from the specific gateway.

Go to System → Gateway → Manage Gateway(s) and click the Gateway for which source based routing is to be defined. The page displays the details of the Gateway; click “Add Network” and add the network IP address.

Configure Outbound Load balancing

Load balancing is a mechanism that enables balancing traffic between various links. It distributes traffic among various links, optimizing utilization of all the links to accelerate performance and cut operating costs.

• Configure links in active-active setup i.e. define gateways as “Active”

• Assign appropriate weight to each gateway. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to the individual link.

Configure Gateway Failover

Gateway failover provides link failure protection: when one link goes down, traffic is switched over to the backup link. The switch-over is automatic and transparent to end users, so Internet connectivity continues without administrator intervention.

To achieve WAN failover between multiple links:

• Configure links in Active-Backup

• Define the Active gateway

• Define the Backup gateway – traffic through this link is routed only when the active link is down

• Define the failover rule


In the event of link failure, traffic will automatically be routed through the Backup gateway without administrator intervention. If more than one backup gateway is configured, traffic is distributed among the gateways in the ratio of the weights assigned to them. On fail over, “Backup” gateway can inherit the parent gateway’s (Active gateway) weight or the configured weight.

Gateway Failback

During a link failure, Cyberoam regularly checks the health of a given connection, assuring fast reconnection when Internet service is restored. When the connection is restored and gateway is up again, without administrator’s intervention, traffic is again routed through the “Active” gateway. In other words, backup gateway fails back on “Active” gateway.
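The weight, source-based routing, backup and failback rules described in this chapter interact, and it is easy to misread how a backup gateway’s weight is chosen. The following is an added, self-contained Python model of that decision logic written for this guide; it is example code, not Cyberoam’s implementation. The gateway names, the pinned subnet and the use of a per-flow hash to keep one session on one link are assumptions. It goes slightly beyond the text by combining source-based routing, weighted balancing, backup weight inheritance and failback in one decision function.

```python
"""Added example: weighted multi-gateway selection with active/backup failover.

Not Cyberoam code.  Gateway names, subnets and the per-flow hash are assumptions.
"""
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:
    name: str
    weight: int                        # 0 = receives no load-balanced traffic
    role: str = "active"               # "active" or "backup"
    parent: Optional[str] = None       # backup only: the active gateway it stands in for
    inherit_weight: bool = True        # backup only: use the parent's weight on failover
    up: bool = True                    # current result of the link health check
    networks: Tuple[str, ...] = ()     # source subnets pinned to this gateway


def set_link(gws: Dict[str, Gateway], name: str, up: bool) -> None:
    """Record a health-check result; failback happens on the next decision."""
    gws[name].up = up


def candidates(gws: Dict[str, Gateway]) -> List[Tuple[str, int]]:
    """(name, effective weight) for every gateway allowed to carry balanced traffic."""
    out: List[Tuple[str, int]] = []
    for gw in gws.values():
        if gw.role != "active":
            continue
        if gw.up:
            if gw.weight > 0:
                out.append((gw.name, gw.weight))
            continue
        # The active link is down: its backups take its place, either with the
        # parent's weight (inherit) or with their own configured weight.
        for b in gws.values():
            if b.role == "backup" and b.parent == gw.name and b.up:
                w = gw.weight if b.inherit_weight else b.weight
                if w > 0:
                    out.append((b.name, w))
    return out


def select_gateway(gws: Dict[str, Gateway], default: str,
                   src: str, dst: str, proto: str, sport: int, dport: int) -> str:
    # 1. Source-based routing wins whenever the pinned gateway is healthy.
    src_ip = ipaddress.ip_address(src)
    for gw in gws.values():
        if gw.up and any(src_ip in ipaddress.ip_network(n) for n in gw.networks):
            return gw.name
    # 2. Otherwise pick among healthy candidates in proportion to their weights.
    cands = candidates(gws)
    total = sum(w for _, w in cands)
    if total == 0:
        return default  # all weights 0 (balancing disabled) or nothing healthy
    # A stable hash of the 5-tuple keeps one session on one link (assumption).
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % total
    for name, w in cands:
        if bucket < w:
            return name
        bucket -= w
    raise RuntimeError("unreachable: bucket exceeded total weight")


def sample_flows(n: int) -> List[Tuple[str, str, str, int, int]]:
    """Constructed test traffic: n distinct outbound HTTPS flows."""
    return [(f"192.0.2.{i % 200}", f"198.51.100.{i % 50}", "tcp", 1024 + i, 443)
            for i in range(n)]


def distribution(gws: Dict[str, Gateway], default: str, flows) -> Counter:
    """How many of the given flows each gateway would carry right now."""
    return Counter(select_gateway(gws, default, *f) for f in flows)


def demo_cluster() -> Dict[str, Gateway]:
    # Two active links in a 2:1 ratio; "ISP-C" stands in for "ISP-B" if it fails
    # and inherits B's weight; 10.1.2.0/24 is always routed via ISP-B.
    return {
        "ISP-A": Gateway("ISP-A", weight=2),
        "ISP-B": Gateway("ISP-B", weight=1, networks=("10.1.2.0/24",)),
        "ISP-C": Gateway("ISP-C", weight=5, role="backup", parent="ISP-B"),
    }


if __name__ == "__main__":
    gws, flows = demo_cluster(), sample_flows(3000)
    print("all links up:   ", distribution(gws, "ISP-A", flows))
    set_link(gws, "ISP-B", False)
    print("ISP-B down:     ", distribution(gws, "ISP-A", flows))   # ISP-C carries B's share
    set_link(gws, "ISP-B", True)
    print("ISP-B restored: ", distribution(gws, "ISP-A", flows))   # failback, ISP-C idle
```

Running the demo shows roughly a 2:1 split while both links are up, ISP-C taking over ISP-B’s share (with ISP-B’s weight of 1, not its own 5) during the outage, and ISP-B resuming its share as soon as its health check passes again. Flip `inherit_weight` to `False` on ISP-C and the split during the outage becomes 2:5, which is the difference the “inherit the parent gateway’s weight or the configured weight” option controls.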

Virtual LAN (VLAN)

Virtual LANs are useful in network scenarios where the administrator needs to expand the number of interfaces, or where traffic filtering is required between different VLANs in an organization.

Cyberoam follows the IEEE 802.1Q specification for VLAN and allows the definition of one or more VLAN Subinterfaces to be associated with a particular physical interface. These are then considered to be logical interfaces and are treated like physical interfaces in firewall rule sets.

For step-by-step creation and implementation of VLAN, refer to http://kb.cyberoam.com/default.asp?id=1065&SID=&Lang=1.
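Because a VLAN subinterface is treated like a physical interface in the firewall rule set, the 802.1Q tag on an incoming frame is what decides which zone a packet is evaluated in. The following added Python example (written for this guide, not Cyberoam code) parses 802.1Q and stacked 802.1ad tags from a raw Ethernet frame and maps the frame to a zone through a port/VID table. The table, the zone names and the policy of dropping frames whose VID has no configured subinterface are assumptions; the frame bytes are constructed inline for the test.

```python
"""Added example: parsing IEEE 802.1Q tags and mapping a frame to a VLAN subinterface.

Not Cyberoam code.  The port/VID-to-zone table and the drop policy are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100    # customer tag (C-tag)
TPID_8021AD = 0x88A8   # service tag (S-tag) used as the outer tag of a QinQ stack
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # priority code point, 3 bits
    dei: int   # drop eligible indicator, 1 bit
    vid: int   # VLAN identifier, 12 bits


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag]   # outermost first; empty for untagged frames
    ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying zero or more 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated frame: no EtherType after tags")
        etype = struct.unpack_from("!H", raw, off)[0]
        if etype not in TAG_TPIDS:
            break
        if off + 4 > len(raw):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tags, etype, raw[off + 2:])


def build_frame(dst: str, src: str, vids: Tuple[int, ...], ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Constructed test input: a frame with the given tag stack (outer first)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    out = mac(dst) + mac(src)
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# (physical port, VID) -> zone of the VLAN subinterface.  Assumed table.
VLAN_ZONES: Dict[Tuple[str, int], str] = {
    ("PortA", 10): "LAN",
    ("PortA", 20): "DMZ",
}
UNTAGGED_ZONE = {"PortA": "LAN"}  # zone of the physical interface itself (assumed)


def ingress_zone(port: str, frame: Frame) -> Optional[str]:
    """Zone used for the firewall-rule lookup, or None when the frame is dropped.

    Policy (an assumption that follows from subinterface-based filtering):
    - untagged and priority-tagged (VID 0) frames belong to the physical port;
    - VID 4095 is reserved and never valid;
    - a VID with no configured subinterface on that port is dropped, so a host
      cannot reach another zone simply by tagging its own frames.
    """
    if not frame.tags or frame.tags[0].vid == 0:
        return UNTAGGED_ZONE.get(port)
    vid = frame.tags[0].vid
    if vid == 4095:
        return None
    return VLAN_ZONES.get((port, vid))


if __name__ == "__main__":
    raw = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", (20,), 0x0800, b"\x45" * 20)
    f = parse_frame(raw)
    print(f.tags, "->", ingress_zone("PortA", f))   # DMZ
```

The last rule in `ingress_zone` is the security-relevant one: if frames tagged with an unconfigured VID were silently treated as untagged, a host on an access port could hop into the physical interface’s zone, so they are dropped instead.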

Dynamic Routing

Cyberoam supports the following dynamic routing protocols:

• Routing Information Protocol (RIP) – for configuration, refer to http://kb.cyberoam.com/default.asp?id=1000&SID=&Lang=1

• Open Shortest Path First (OSPF) – for configuration, refer to http://kb.cyberoam.com/default.asp?id=999&SID=&Lang=1

• Border Gateway Protocol (BGP) – for configuration, refer to http://kb.cyberoam.com/default.asp?id=1001&SID=&Lang=1

Additionally, a firewall rule must be configured to allow the BGP and OSPF traffic from the zone in which the routing neighbours sit into the appliance itself, i.e. LAN to LOCAL or WAN to LOCAL.

On-Appliance Reports

Dashboard

The Dashboard is a ready reference that gives instant visibility into network resource usage, together with alerts that relate attacks to users, without an in-depth search. Dashboard doclets can be minimized or repositioned by drag-and-drop so that the doclets requiring special attention are placed where they are seen first. Press the F10 key to return to the Dashboard from any page.

Threats detected

Dashboard - “Recent IPS Alerts” doclet

Because the username is included in IPS alerts, the administrator can identify the origin of a threat even in a DHCP environment. Where IP addresses are allocated dynamically, an address alone does not identify a host, and without the username it is practically impossible to track the threat origin.

Dashboard - “Recent HTTP Viruses detected” doclet

Dashboard - “Recent Mail Viruses detected” doclet

Access Reports

Browse to http://<LAN IP Address of Cyberoam> and log on to “Reports” with the default username and password (change these defaults once the evaluation is over) to view the various reports. Most reports can be drilled down to the last level, which provides per-user full URL details.

Analytical Reports

Analytical reports provide details on every activity on your network, including the users who receive virus and spam mails, the senders of spam and virus mails, the users who became victims of IPS attacks, and the IPS attackers themselves.

They also include extensive per-user and per-group reports on sites surfed, amount of data transferred and surfing time, so that policies can be tuned and corrective action taken based on observed user behaviour.

Want to know                                               From

Does “Joe” receive SMTP spam mails?                        Anti Spam → SMTP Spam Reports → Top 10 Spam Receivers; click Show All

How many virus mails did “Abraham” receive?                Anti Virus → HTTP → Top 10 Users; click Show All

List of IPS attack victims                                 IPS → Top 10 Victims

Is user “Margaret” accessing the Chat category?            Web Surfing → Search; search by the “Chat” category and the <xyz> user

How many users are attempting to access blocked sites?     Web Surfing → Blocked Attempts → Top 10 Blocked-User; drill down from the username to view the blocked categories, sites and URL-wise attempt details for that user

Which are the top 10 categories accessed?                  Web Surfing → Organization wide → Top 10 Categories (By Hits); drill down from the category name

Which applications are accessed through 172.168.2.59?      Traffic Discovery → Report by LAN IP Address, or Traffic Discovery → Report by WAN IP Address

Sample Blocked Categories report

View from Web Surfing → Blocked Attempts

Web Trends

Web Trends tracks and reports surfing activity (hits) and displays the usage pattern over a period of time (hourly/weekly/monthly) as a graph. View from Trends → Web Trends

Category & Category Type Trends

Category Trends tracks and reports hits on category and category type i.e. category wise surfing activity and displays the usage pattern in the form of graph.


Search Engine Report

The Google and Yahoo Search Engine Report displays the keywords users searched for on the Google and Yahoo search engines, together with the username, date and time of each search.

View from Web Surfing → Search

Compliance reports

Many businesses and organizations must protect their critical applications and customer (or patient) data, control access to that data and prove that they have done so. To do this they need to meet regulatory requirements such as HIPAA, GLBA, SOX, FISMA and PCI. Cyberoam provides 45+ compliance reports, which can be accessed from Reports → Compliance Reports.

HIPAA – Health Insurance Portability & Accountability Act regulations for the healthcare industry, i.e. healthcare providers and insurance companies.

GLBA – Gramm-Leach-Bliley Act regulations for financial institutions, including banks, mortgage brokers, lenders, credit unions, insurance and real-estate companies.

SOX – Sarbanes-Oxley Act for publicly held companies.

PCI – Payment Card Industry regulations for any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.

FISMA – Federal Information Security Management Act regulations for all information systems used or operated by a US federal agency, or by a contractor or other organization on behalf of a US federal agency.

Data Leakage report

Data leakage is the loss of data caused by employee behaviour, whether through lack of awareness, lack of diligence or deliberate action by disgruntled employees, and poses a far more extensive threat than most enterprises realize. The report lists the files uploaded by employees. View from Web Surfing → By User → HTTP File Upload.

High Availability

High availability for hardware failover and load balancing requires two Cyberoam appliances, a Primary and an Auxiliary, with the same number of interfaces and the same version installed on both.

Cyberoam offers high availability by using a virtual MAC address shared between the primary and auxiliary appliances, which are linked together as a “cluster”. The two appliances must be physically connected over a dedicated HA link port; the cluster uses this link to exchange cluster information and to synchronize with each other.

Active-Active

• Continuous connectivity (failover): Yes

• Load balances traffic: Yes

• Traffic processing: both the Primary and the Auxiliary appliance. The primary appliance acts as a load balancer and forwards traffic to the auxiliary appliance for processing. When the primary appliance fails, the auxiliary appliance takes over and processes all the traffic.

Active-Passive

• Continuous connectivity (failover): Yes

• Load balances traffic: No

• Traffic processing: the Primary appliance only. The auxiliary appliance processes traffic only when the primary appliance or any of the monitored links fails.

How high availability cluster works

Appliances - primary and auxiliary appliance, are physically connected over a dedicated HA link port to operate as an HA Cluster. Cluster appliances use this link to communicate cluster information and to synchronize with each other.

Once the HA cluster is configured, Cyberoam assigns a Virtual MAC address to one of the appliance in the cluster. Entire network traffic is forwarded to the cluster appliance which has the virtual MAC address. The appliance which has virtual MAC address becomes Primary Appliance while peer becomes Auxiliary Appliance.

The primary appliance regularly sends keep-alive requests over the HA link, which the auxiliary appliance answers. If the auxiliary appliance stops receiving keep-alive requests from the primary, the primary is considered to have failed: the auxiliary appliance takes ownership of the virtual MAC address and temporarily becomes the primary appliance. Once the original primary appliance is functioning again, it automatically takes over from the auxiliary appliance.

Configure Active-Active HA cluster

The appliance from which HA is enabled becomes primary appliance and is assigned the virtual MAC address while the peer appliance acts as auxiliary appliance

Step A: Configuring the Auxiliary appliance

1. Create a firewall rule to allow HA service traffic from Firewall → Create Rule as:

• Source: DMZ / Any Host

• Destination: LOCAL / Dedicated HA link port

• Service: HA Service

• Action: Accept

Step B: Configuring the Primary appliance

1. Create a firewall rule to allow HA service traffic from Firewall → Create Rule as:

• Source: DMZ / Any Host

• Destination: LOCAL / Dedicated HA link port

• Service: HA Service

• Action: Accept

2. Add an HA administrator from User → User → Add User; HA events are logged under this name in the Audit log. Make sure the “User Type” of this user is “Administrator”.

3. Configure the HA cluster from System → HA → Configure HA and select “Active-Active” from the “HA Configuration Mode” dropdown list.
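The keep-alive mechanism described under “How high availability cluster works”, and the reason the HA firewall rule above is scoped to the dedicated HA link port, can be seen together in the following added Python simulation. It is example code written for this guide, not Cyberoam’s implementation: the appliance names, the three-second dead interval, the virtual MAC value and the rule that only keep-alives arriving from the cluster peer on the HA link port are trusted are all assumptions.

```python
"""Added example: virtual-MAC ownership driven by keep-alives on the HA link.

Not Cyberoam code.  Dead interval, names, virtual MAC and the trust rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VIRTUAL_MAC = "02:ab:cd:00:00:01"  # locally administered address, assumed


@dataclass
class Appliance:
    name: str
    ha_port: str        # dedicated HA link interface on this appliance
    alive: bool = True


@dataclass
class HACluster:
    primary: Appliance
    auxiliary: Appliance
    dead_interval: float = 3.0   # seconds without a keep-alive before failover (assumed)
    vmac_owner: str = field(init=False)
    last_keepalive: float = 0.0  # auxiliary's record of the last accepted keep-alive
    transitions: List[Tuple[float, str]] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The appliance HA was enabled from holds the virtual MAC at start.
        self.vmac_owner = self.primary.name
        self.transitions.append((0.0, self.vmac_owner))

    def _set_owner(self, t: float, name: str) -> None:
        if self.vmac_owner != name:
            self.vmac_owner = name
            self.transitions.append((t, name))

    def receive_keepalive(self, t: float, sender: str, ingress_port: str) -> bool:
        """Auxiliary-side check mirroring the HA firewall rule: the HA service is
        accepted only from the cluster peer and only on the dedicated HA link port."""
        if sender != self.primary.name or ingress_port != self.auxiliary.ha_port:
            self.dropped.append(f"t={t:g} keep-alive from {sender} via {ingress_port}")
            return False
        self.last_keepalive = t
        return True

    def tick(self, t: float) -> str:
        """One scheduler step. Returns the current owner of the virtual MAC."""
        if self.primary.alive:
            # A healthy primary sends its keep-alive and, if it lost the virtual MAC
            # during an outage, takes it back (failback without operator action).
            self.receive_keepalive(t, self.primary.name, self.auxiliary.ha_port)
            self._set_owner(t, self.primary.name)
        elif t - self.last_keepalive > self.dead_interval:
            # Dead timer expired: the auxiliary takes over the virtual MAC (failover).
            self._set_owner(t, self.auxiliary.name)
        return self.vmac_owner


def simulate(cluster: HACluster, t_end: int,
             primary_down: Optional[int] = None,
             primary_up: Optional[int] = None) -> List[Tuple[float, str]]:
    """Drive the cluster one second at a time with a primary outage in [down, up)."""
    for t in range(t_end + 1):
        in_outage = (primary_down is not None
                     and primary_down <= t < (primary_up or t_end + 1))
        cluster.primary.alive = not in_outage
        cluster.tick(float(t))
    return cluster.transitions


def demo_cluster() -> HACluster:
    return HACluster(Appliance("CR-1", ha_port="PortF"), Appliance("CR-2", ha_port="PortF"))


if __name__ == "__main__":
    c = demo_cluster()
    for t, owner in simulate(c, 25, primary_down=10, primary_up=20):
        print(f"t={t:>4.0f}s  virtual MAC {VIRTUAL_MAC} owned by {owner}")
```

With a primary outage from t=10 to t=20 the virtual MAC moves to CR-2 at t=13 (the first second the dead timer exceeds three seconds) and back to CR-1 at t=20. The `receive_keepalive` check is the code equivalent of the firewall rule: a keep-alive arriving on any other interface, or from any sender other than the peer, does not reset the dead timer, which is why a dedicated, physically isolated HA link is the right place for this traffic.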

Trouble Shooting

Cyberoam provides Analytical Tool to check the health of the System in a single shot. It is used for troubleshooting and diagnosing problems found in the System.

Analytical Tool is like a periodic health check up that helps to identify the impending System related problems. After identifying the problem, appropriate actions can be taken to solve the problems and keep the System running smoothly and efficiently.

You can use the default Cyberoam IP address, 172.16.16.16, or the IP address configured for the LAN interface in the Network Configuration Wizard at the time of deployment.

Username – cyberoam
Password – cyber

These are the factory default credentials; change them before the appliance carries production traffic.

The Analytical Tool also provides a Dropped Packet log that can be used to monitor dropped packets. Refer to http://kb.cyberoam.com/default.asp?id=975&Lang=1&SID= on how to view and interpret the dropped packet log.

General Administration

Restart Cyberoam management services

Cyberoam management services can be restarted from CLI Console.

Add Alias

An alias assigns an additional IP address to an interface. You can add an alias from System → Configure Network → Manage Interface.

General Administration using Web Admin Console

Apart from network management, the following configurations can be performed only from the Web Admin Console:

• DNS and DHCP

• firewall rules

• content filtering categories and policies

• user authentication method and integration with external authentication servers

• access control (Local ACL)

• antivirus and anti spam filtering policies

• VPN connection policies

• multiple gateways

• users and user groups

• bandwidth and internet access policies

• IPS policies and signatures

In addition, Dashboard, reports including traffic discovery and bandwidth usage graphs can be viewed only from Web Admin Console.

General Administration using CLI Console

Use the CLI console to troubleshoot and diagnose network problems in detail. Additionally you can:

• Restart management services

• Restart and shut down Cyberoam

• View log information

• Update MTU and MSS values

• Configure static and dynamic routes

• Upgrade Cyberoam and restore backups

• Restore factory default settings

• Reset and change passwords

For more details, refer version specific Console Guide available on http://docs.cyberoam.com/

Reboot or shutdown Cyberoam

You can reboot or shutdown Cyberoam from CLI Console

Points to remember

• If you are integrating Cyberoam with Active Directory for authentication, use Active Directory as your DNS. You are required to define Active Directory as DNS both in Cyberoam as well as all the desktops.

• If you have configured Cyberoam as DHCP server for leasing IP addresses, make sure DHCP server is enabled for autostart. If not, then IP address will be leased only after rebooting Cyberoam.

IMPORTANT NOTICE

Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE

The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY

Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer’s exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore’s or its service center’s option, repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY

Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.

In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose.

In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS

Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Elitecore Technologies Ltd.

CORPORATE HEADQUARTERS

Elitecore Technologies Ltd. 904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640
