Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Cyberoam Release Notes Version: 10.04.0 Build 214, 304, 311, 338 th Date: 12 December, 2012
Release Dates
Version 10.04.0 Build 214 24th September, 2012 Version 10.04.0 Build 304 19th November, 2012 Version 10.04.0 Build 311 04th December, 2012 Version 10.04.0 Build 338 12th December, 2012
Release Information
Release Type: General Availability Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX V 10.02.0 Build XXX
All the versions 047, 174, 176, 192, 206, 224, 227, 409, 473
Upgrade procedure To upgrade the existing Cyberoam Appliance follow the procedure below: Logon to https://customer.cyberoam.com Click Upgrade link under Upgrade URL. Choose option Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware.
For Cyberoam versions prior to 10.01.0472 For Cyberoam version 10.01.0472 or higher
Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472 and follow on-screen instruction. By doing this, the customer will not be able to roll back. Compatibility Annotations
Upgrade Cyberoam to latest version by selecting option 10.01.0472 or higher and follow onscreen instruction.
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia. This Cyberoam version release is compatible with the Cyberoam Central Console. Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
Revision History
Old Revision Number New Revision Number Reference Section
Sr. No.
Revision Details
1.
Enhancement
Added enhancement Access Denied Page Optimization A bug (Bug ID 11463) is added to Certificate. Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG. Appliances not supporting Outbound Spam list now includes: CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i
2.
Bugs Solved
3.
4.
1.00 04/12/2012
1.00 12/12/2012
Features
Contents
Release Dates ................................................................................................................................... 1 Release Information ......................................................................................................................... 1 Introduction ...................................................................................................................................... 5 Features ............................................................................................................................................ 5 1. Compatibility with CISCO VPN Client ........................................................................... 5 2. L2TP Over IPSec VPN Support for Android Devices ........................................................ 6 3. Outbound Spam .............................................................................................................. 6 4. YouTube Education Filter ................................................................................................ 7 5. 4G LTE Modem ............................................................................................................... 7 Enhancements .................................................................................................................................. 9 1. DHCP Server Optimization .............................................................................................. 9 2. Multicast over IPSec VPN tunnel ..................................................................................... 9 3. E-mail Alert for IPSec Tunnel Connection Flapping ........................................................ 11 4. Enhancement in AD Integration ..................................................................................... 12 5. Multicast Route Failover ................................................................................................ 13 6. Support of SSL-VPN for MAC-OS Tunnelblick ............................................................... 14 7. Version 9 Catch-up Feature Search Engine Cache Control ......................................... 15 8. Version 9 Catch-up Feature Internet Watch Foundation Support ................................. 15 9. Captive Portal Enhancements ....................................................................................... 15 10. URL Import List ............................................................................................................. 15 11. Optimization in Virtual Host Configuration ...................................................................... 16 12. Optimized IPSec Failover Configuration......................................................................... 17 13. Access Denied Page Optimization ................................................................................. 17 14. DNS Status Check support in Diagnostic Tool ............................................................... 17 15. Certificate with FQDN/IP Address as a Common Name ................................................. 18 16. User Defined Certificate ................................................................................................ 18 17. Quick Access to On-Appliance Reports ......................................................................... 18 18. iView Enhancement Dual Dashboard Support............................................................. 18 19. iView Enhancement Better Visibility and Presentation ................................................. 20 20. iView Enhancement - Top Users Widget ........................................................................ 20 21. iView Enhancement - Report Filter ................................................................................ 20 22. iView Enhancement - Country Map ................................................................................ 21 Known Behaviour ........................................................................................................................... 22 1. SSL VPN support with passcode ................................................................................... 22 2. Gateway specific routing for Reflexive Rule ................................................................... 22 Bugs Solved.................................................................................................................................... 23 Anti Spam............................................................................................................................... 23 Anti Virus................................................................................................................................ 23 Certificate ............................................................................................................................... 23
Document Version 1.00 -12/12/2012 3
CLI ..................................................................................................................................... 24 DHCP Server.......................................................................................................................... 24 Firewall................................................................................................................................... 24 GUI ..................................................................................................................................... 24 HA ..................................................................................................................................... 25 Identity ................................................................................................................................... 25 IM ..................................................................................................................................... 25 Intrusion Prevention System (IPS) .......................................................................................... 25 Log Viewer ............................................................................................................................. 26 Network Interface ................................................................................................................... 26 Proxy 26 Reports .................................................................................................................................. 27 System ................................................................................................................................... 27 SSL VPN ................................................................................................................................ 27 User ..................................................................................................................................... 28 VPN ..................................................................................................................................... 28 Web Filter ............................................................................................................................... 28 Wireless WAN ........................................................................................................................ 29 General Information........................................................................................................................ 30 Technical Assistance .............................................................................................................. 30 Technical Support Documents ................................................................................................ 30
Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
Features
1. Compatibility with CISCO VPN Client
From this version onwards, Cyberoam is compatible with Cisco IPSec VPN client.
This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam. To support this feature, a new page CISCO VPN Client is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.
Compatibility
1. At present only the native Cisco IPSec VPN client, present in Apple iOS (iPhone and iPad) and Windows are supported. The details of the versions supported are as provided below: Windows Windows OS Win XP- all service packs Win 7 Windows Vista Cisco Desktop Client V 4.1 and 4.8 V 5.0 Beta Version V 5.0 Beta Version
Known Behavior
1. Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect. 2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving
Document Version 1.00 -12/12/2012 5
Cisco IPSec VPN Clients. 3. When any clients are already connected and the CISCO VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized. CISCO VPN Client is available for download only to users that are authorized by the Administrator. IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN CISCO VPN Client CISCO VPN Client.
User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication.
Android Compatible Version: 2.1 clair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb Enable Add L2TP/IPSec PSK VPN option of Android device to configure VPN tunnel.
This feature has a backward compatibility support from version 10.01.0 Build 667 onwards.
3. Outbound Spam
From this version onwards, Cyberoam will provide Outbound Spam to identify internal Spam. This feature will help the Internet Service Providers (ISPs) to identify and block any user trying to send spam mails by utilizing their network. Outbound Spam filtering is a subscription module.
Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.
This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.
Document Version 1.00 -12/12/2012 6
To view logs, go to Logs & Reports Log Viewer and select option Anti Spam for parameter View logs for.
To allow educational videos via Cyberoam, school authority is required to get the school registered for YouTube for School. On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.
E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ 1. Field Name: X-YouTube-Edu-Filter 2. Field Value Format: Alphanumeric [a-z][A-Z][0-9] 3. Field Value Length: up to 44 characters To allow YouTube EDU via Cyberoam, go to Web Filter Policy Policy and specify the unique ID in the textbox against parameter YouTube Education Filter As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked: 1. youtube.com 2. ytimg.com To access https://www.youtube.com , HTTPS scanning must be enabled.
5. 4G LTE Modem
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:
1. 2. 3. 4.
Connection to 3G/4G networks DHCP Modems Modem plug-in and plug-out auto detection Auto Connect type of behavior if the same modem is re-plugged in
Further, Cyberoam provides recommended values (auto detected) for modem configuration. To configure a 4G modem, go to Network Wireless WAN Settings.
CLI Commands
1. Command: cyberoam wwan query serialport <serial port> ATcommand <AT command> To view the Wi-Fi modem information (if plugged - in) E.G. cyberoam wwan query serialport 0 ATcommand ati 2. Command: cyberoam wwan show To view the Wi-Fi modem information and the recommended configuration (if plugged - in)
Enhancements
1. DHCP Server Optimization
Support for Diverse Topologies Cyberoam now adds the capability of configuring DHCP for downstream networks that are connected to Cyberoam through relay, or through IPsec VPN. With this enhancement, Cyberoam will be able to assign IP Addresses to: Directly connected primary or alias networks Connected through relay Connected over IPsec VPN
Prior to this version, Cyberoam support DHCP configuration only for a primary network only.
Lease Report Enhancement Cyberoams Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address. To view these reports, go to Network DHCP Lease
CLI Commands
1. Command: cyberoam dhcp lease-over-IPSec enable To enable IP Lease over IPSec for all the DHCP servers 2. Command: cyberoam dhcp lease-over-IPSec disable To disable IP Lease over IPSec for all the DHCP servers (Default Value) 3. Command: cyberoam dhcp lease-over-IPSec show To display all the IP Lease over IPSec configuration
With this enhancement, now it is possible to send/receive both, unicast and multicast traffic between two or more VPN sites connected through public Internet. This removes the dependency of multicast aware routers between the sites connecting via IPSec/VPN. Prior to this version, this was possible using GRE tunneling however, the packets could not be encrypted.
Document Version 1.00 -12/12/2012 9
Any unicast host wanting to access a multicast host shall require to be configured as an explicit host (with netmask /32) in VPN configuration.
Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both, static as well as dynamic interfaces (PPPoE, DHCP). To configure Multicast over IPSec/VPN connection, go to Network Static Route Multicast.
CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port <port number> To forward multicast traffic coming from a given interface to another interface. E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 outputinterface PortB 2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> To forward multicast traffic coming from a given interface to GRE tunnel. E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore 3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration. E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec 4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> To forward multicast traffic coming from IPSec tunnel to an interface. E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB 5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
Document Version 1.00 -12/12/2012 10
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec 6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> To forward multicast traffic coming from a given IPSec tunnel to GRE tunnel. E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore 7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> To forward multicast traffic coming from a GRE tunnel to an interface. E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB 8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> To forward multicast traffic coming from a GRE tunnel to another GRE tunnel. E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1 9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration. E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec 10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress> To delete multicast route. E.G. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.
Upon configuring E-mail alerts via the available single central configurable option, it will automatically be applicable on all the IPSec tunnels.
11
An E-mail will be sent only for Host to Host and Site to Site tunnel connections; if it flaps due to one of the following reasons: 1. 2. 3. 4. A peer is found to be dead during Dead Peer Detection (DPD) phase. Failed to re-establish connection after Dead Peer Detection (DPD). IPSec Security Association (SA) is expired and is required to be re-established. IPSec Tunnel comes up without administrator intervention after losing the connectivity.
E-mail sent to the administrator shall contain following basic information: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. IPSec Connection name IP Addresses of both participating hosts/network Current state of the IPSec Tunnel connection, viz., Up or Down Exact Time when the IPSec Tunnel connection was lost Reason for lost of IPSec Tunnel connection Appliance Model Number Firmware version and build number Appliance Key (if registered) Appliance LAN IP Address HA configuration Primary/Auxiliary (if configured)
An E-mail will be sent for each subnet pair in case of Site to Site connections, having multiple local/remote networks.
An E-mail sent with respect to IPSec Tunnel coming up shall not have any reason mentioned within.
Description of IPSec Tunnel connection shall be included in the E-mail, only if information for same is provided by the administrator. To enable E-mail alerts for IPSec tunnels, go to System Configuration Notification Email Notification and check option IPSec Tunnel UP/Down.
4. Enhancement in AD Integration
From this version onwards, Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers at a push of Purge AD Users button. Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a users entry is not found in any of the external server(s), it is purged from Cyberoam too.
The purge operation will not interrupt user login/logout and accounting events.
12
While the purge activity is in progress and if the server connectivity is lost, the activity will be aborted.
If a user entry is purged, it will be deleted from both, Primary and Auxiliary Cyberoam Appliance. To purge the users, go to Identity Users Users and click Purge Users button. Further, when the User logs in to the Cyberoam, and if the E-mail Address of that User is configured on the external Active Directory server/ LDAP server then the Users E -mail Address within the Cyberoam gets sync with the E-mail Address on the external Active Directory server/LDAP server. Every time a user logs in, the corresponding Email ID will be updated. If the Email ID is null on the External Active Directory Server/LDAP, there will be no updates.
If a user has multicast routes configured on a port then a Link Failover can be configured for same using IPSec/VPN or GRE configuration. Now if the port goes down, all multicast routes configured on it will automatically fail over to given IPSec/VPN connection or GRE Tunnel.
Prior to this version, link failover was supported only for static unicast routes.
CLI Commands
1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address> To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel. E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2 2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number> To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel. E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100 3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
Document Version 1.00 -12/12/2012 13
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel. E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100 4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address> To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection. E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2 5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number> To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection. E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100 6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number> To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection. E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100 7. Command: cyberoam link_failover del primarylink <Port name> To delete link failover configuration. E.G. cyberoam link_failover del primarylink PortC 8. Command: cyberoam link_failover show To see all the link failover configurations.
The user can download the SSL VPN Client Configuration - MAC Tunnelblick from Cyberoam SSL VPN User Portal.
14
The filtering logs are displayed in the Log Viewer and iView Reports
The Internet Watch Foundation provides the list of accurate and current URLs to minimise the availability of potentially criminal internet content as mentioned below: 1. Child sexual abuse content hosted anywhere in the world. 2. Criminally obscene adult content hosted in the UK. 3. Non-photographic child sexual abuse images hosted in the UK.
Further it supports the following functionalities: 1. Hyperlinked logo 2. Obtaining username and password for unauthenticated users (Only when Guest Users functionality is enabled). To configure them, go to System Configuration Captive Portal.
Also, Administrator can choose redirect unauthorized user either to Captive Portal or display a customized message. To customize the Captive Portal response, go to Identity Authentication Firewall.
15
To add white listed URL file, go to Web Filter Category Category and click Add button.
Example: Port Forwarding Type (External Port Type to Mapped Port Type) Port List to Port List Port List to a Port Port Range to a Port External Ports 22, 24, 26, 28, 30 22, 24, 26, 28, 30 21 - 26 Mapped Ports 42, 44, 46, 48, 50 20 28
In case of Port List to Port List mapping, number of ports must be same for both, External Ports and Mapped Ports. Request received on first external port will be redirected to first mapped port; second request on external port will be redirected to second mapped port and so on. From the example above, for Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.
For a single virtual host, a maximum of 16 ports can be configured in a Port List.
All the ports within a Port List support single protocol viz., either a TCP or a UDP protocol as per the configuration. A combination of both of these protocols within a Port List is not allowed.
Prior to this version, only Single Port to Single Port and Port Range to Port Range Type for port forwarding were allowed. Also, from this version onwards, for Firewall, when any virtual host is created without port forwarding, one can select multiple services instead of a single service.
Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled. To configure multiple ports separated by comma, go to Firewall Virtual Host Virtual Host.
16
Maximum of four (4) failover connection can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration To configure an IPSec failover connection for Site to Site and Host to Host type of IPSec connections, go to VPN IPSec Connection. Click add icon under Endpoint Details, only after which IPSec failover connection can be configured.
If the Appliance is running on an older version, and if the image size is greater than the above specified dimensions, it is mandatory to reduce the size of images for appropriate display. To upload an image, go to Web Filter Settings Settings.
17
Prior to this version certificate name was used as a common name. To configure common name for a certificate, go to System Certificate Certificate and click Add to generate a certificate.
Traffic dashboard consists of following widgets: Top Applications List of top applications along with percentage wise data transfer Top Categories List of top accessed web categories with number of hits and amount of data transfer Top Users List of top users along with percentage wise data transfer
18
Top Hosts List of top hosts along with percentage wise data transfer Top Source Countries List of top source countries along with percentage wise data transfer Top Destination Countries List of top destination countries along with percentage wise data transfer Top Rule ID List of top firewall rules along with percentage wise data transfer Top Domains List of top domains along with percentage wise data transfer Top File Upload List of top uploaded files along with date, user, source IP, domain name , file name and file size Top Files Uploaded via FTP List of top uploaded files via FTP along with percentage wise amount of data transfer Top Files Downloaded via FTP List of top downloaded files via FTP along with percentage wise amount of data transfer Top FTP Servers List of top FTP servers Mail Traffic Summary Email traffic with type of traffic and amount of data transfer Top Mail Senders List of top email senders along with percentage wise data transfer Top Mail Recipients List of top email recipients along with percentage wise data transfer
2. Security Dashboard Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malwares and spam along with source and destination countries. Security dashboard consists of following widgets: Top Denied Hosts List of top denied hosts along with number of hits Top Denied Users List of top denied users along with number of hits Top Denied Applications List of top denied applications along with number of hits Top Denied Destination Countries List of top denied destination countries along with number of hits Top Denied Source Countries List of top denied source countries along with number of hits Top Denied Rule ID List of top denied firewall rules along with number of hits Top Denied Categories List of top denied web categories along with number of hits Top Denied Domains List of top denied domains along with number of hits Top Attacks List of top attacks launched at network Top Viruses List of top viruses blocked by Cyberoam Top Spam Senders List of top spam senders Top Spam Recipients List of top spam recipients
All these widgets can be drilled down for next level reports.
19
i.e. on the resultant reports page. The user can apply multiple filters one by one to get appropriate report.
All the filters are displayed on the top of the resultant report in the form of rowed text box(es) with the option to remove filter.
21
Known Behaviour
1. SSL VPN support with passcode
From this version onwards, Cyberoam supports key encryption with password in certificates. If certificates are being generated with encryption enabled then user will be prompted to provide a password in the form of a passcode. If the parameter Per User Certificate is configured then new certificates will get generated with key encryption and password. An error is displayed while generating a per user certificate, if the user name consist of a character other then alpha-numeric characters, special characters like @, _, - and a space.
22
Bugs Solved
Anti Spam
Bug ID 6533 Description Irrespective of the date range selected, the spam mails of last seven days are displayed. Bug ID 9597 Description Mail of size greater than 3Mb do not get released from Anti Spam Quarantine Area if the send mail client do not release them within the configured time. Bug ID 9599 Description An error message Data Error is displayed for a log on Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes () or a backslash (\). Bug ID 9989 Description Quarantine mails having a space in subject line do not get released.
Anti Virus
Bug ID 8029 Description Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.
Certificate
Bug ID 5300 Description Cyberoam allows uploading a certificate with a different password or private key than that of the original password or private key of Generated Certificate Signing Request (CSR). Bug ID 8054 Description Certificate Sending Request (CSR) generated from version 10 Cyberoam Appliance cannot be uploaded at third party Certificate Authority (CA) end. Bug ID 8191 Description Certificate having encrypted private key cannot be upload from Web Admin Console.
23
Bug ID 10001 Description Value of parameter Valid From do not change on regenerating a new Cyberoam_SSL_CA certificate from Certificate page of the System. Bug ID 10045 Description A certificate error message secure connection failed is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser. Bug ID 11463 Description Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0.build 304, if the Appliance Time Zone is earlier than GMT and Firmware Upgrade Time is between (00:00:00 X) and 00:00:00. X here represents the difference between the Appliance Tme Zone and the GMT.
CLI
Bug ID 10122 Description Default routing precedence do not get displayed on Cyberoam console when command cyberoam route_precedence show is executed.
DHCP Server
Bug ID 10245 Description An error message is displayed when a host name of parameter IP MAC Mapping List contains a space while configuring a static DHCP.
Firewall
Bug ID 9658 Description A false error message user.err kernel: outdev_target: ERRORRRRR > rtable is already initialized <192.168.141.255>... is displayed in System - Log Viewer. Bug ID 10870 Description A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host. skb-
GUI
Bug ID 9810
Document Version 1.00 -12/12/2012 24
Description A Web Filter policy do not function in a non-english version of Cyberoam on configuring an URL Group within the Web Filter Policy. Bug ID 9985 Description In captive portal settings and CTAS settings, the parameter User Inactivity Timeout do not accept number beyond 99 on Web Admin Console from Authentication page of Identity. Bug ID 10109 Description Heart Beat port in System configured to sync with CCC, do not change if the Heart Beat Protocol is HTTP for Central Management. Bug ID 10165 Description Dashboard and System Graph continues to remain in processing due to internal error for Cyberoam Version 10.02.0 Build 227. Bug ID 10307 Description IPSec-VPN connection list tales a long time while loading, if the number of IPSec connections is more than 2000.
HA
Bug ID 10573 Description IPS service stops functioning in the HA deployment, when two Appliances are configured with different versions of IPS are enabled in HA.
Identity
Bug ID 9756 Description Special characters _ and . are not allowed to be used consecutively while adding an Email Address on the User page for Identity.
IM
Bug ID 9866 Description IM Policy do not displayed in Log Viewer with Yahoo ! Messenger (Version 11.5.0.228-in).
Log Viewer
Bug ID 9880 Description No records are displayed when the language selected for Web Admin Console is French in Cyberoam and multiple filters are u sed while viewing logs of Application Filter in Log Viewer.
Network Interface
Bug ID 8002 Description STC 3G modem is not compatible with Cyberoam Appliance. Bug ID 8457 Description ZTE MF688a 3G modem is not compatible with Cyberoam Appliance. Bug ID 10921 Description Modem Sierra 320U is not supported by Cyberoam Appliance. Bug ID 10939 Description Modem IG Huawai E177 is not supported by Cyberoam Appliance.
Proxy
Bug ID 9115 Description Proxy services do not function, if a HTTP Upload Web Category is added in HTTPS scanning exceptions. Bug ID 9848 Description An error is received while accessing hotmail.com, http://google.com.au when HTTPS scanning is enabled in Firewall Rule. Bug ID 10046 Description Web Proxy service do not restart when Administrator restarts it from Maintenance page of System. Bug ID 10135 Description Some of the components with the YouTube website do not get displayed with HTTPS
Document Version 1.00 -12/12/2012 26
scanning applied. Bug ID 10244 Description Browsing becomes slow when external proxy is implemented in the network while Cyberoam is deployed in Bridge mode. Bug ID 10936 Description In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.
Reports
Bug ID 7818 Description The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical. Bug ID 9993 Description All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if Search Type is IP Address and Report Type as Detail. Bug ID 10427 Description Only current days report details are displayed in the Application Reports of O n-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.
System
Bug ID 9927 Description Error messages are displayed on executing command tcpdump port80filedump on Cyberoam Console.
SSL VPN
Bug ID 6523 Description Once the User certificates are updated manually, they do not get updated automatically. Bug ID 10171 Description SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if RDP bookmark has a / at the end (e.g. rdp://10.102.1.152 /).
Document Version 1.00 -12/12/2012 27
Bug ID 11198 Description SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having backslash ('/') as last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.
User
Bug ID - 6141 Description - When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully. Bug ID 9920 Description Cyberoam supports only SMS Gateways that uses Post method.
VPN
Bug ID 9812 Description An error message We cannot identify ourselves with either end of this connection is received when VPN connection with VLAN over WAN is configured with PPPoE link and VLAN ID is more than 2 digits. Bug ID 10191 Description VPN service do not restart when head office and branch office are using default head office and default branch office policy respectively and an if an intermediate device between them is switched off. Bug ID 11202 Description Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from VPN Policy page and the Appliance is rebooted.
Web Filter
Bug ID 9840 Description Denied Message is updated to default message, if an e xisting Web Filter Category having configured for customized message is edited without opening Advance Settings of it. Bug ID 10092 Description Webcat do not get upgraded to latest version while performing manual sync after auto
Document Version 1.00 -12/12/2012 28
Wireless WAN
Bug ID 5315 Description 3G Modem LW272 is not compatible with Cyberoam Appliance.
29
General Information
Technical Assistance
If you have problems with your system, contact customer support using one of the following methods: Email ID: support@cyberoam.com Telephonic support (Toll free) APAC/EMEA: +1-877-777- 0368 Europe: +44-808-120-3958 India: 1-800-301-00013 USA: +1-877-777- 0368
Please have the following information available prior to contacting support. This helps to ensure that our support staff can best assist you in resolving problems: Description of the problem, including the situation where the problem occurs and its impact on your operation Product version, including any patches and other software that might be affecting the problem Detailed steps on the methods you have used to reproduce the problem Any error logs or dumps
30
Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any prod ucts. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.
USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://ikb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower, Off. C.G. Road, Ahmedabad 380006, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.cyberoam.com
31