
Release Notes

Cyberoam Release Notes
Version: 10.04.0 Build 214, 304, 311, 338
Date: 12th December, 2012

Release Dates
Version 10.04.0 Build 214: 24th September, 2012
Version 10.04.0 Build 304: 19th November, 2012
Version 10.04.0 Build 311: 04th December, 2012
Version 10.04.0 Build 338: 12th December, 2012

Release Information
Release Type: General Availability
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX: All the versions
V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

Upgrade procedure
To upgrade the existing Cyberoam Appliance, follow the procedure below:
Log on to https://customer.cyberoam.com
Click Upgrade link under Upgrade URL.
Choose option Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 by selecting option "Below 10.01.0472" and follow the on-screen instructions. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option "10.01.0472 or higher" and follow the on-screen instructions.

Compatibility Annotations
Firmware is Appliance model-specific. Hence, firmware of one model will not be applicable on another model and the upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR100ia with firmware for model CR500ia.
This Cyberoam version release is compatible with the Cyberoam Central Console. Please always check http://docs.cyberoam.com for availability of the latest CCC firmware to deal with this compatibility issue.

Document Version 1.00 -12/12/2012


Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1. | 1.00 24/09/2012 | 1.00 19/11/2012 | Enhancement | Added enhancement Access Denied Page Optimization
2. | 1.00 24/09/2012 | 1.00 19/11/2012 | Bugs Solved | A bug (Bug ID 11463) is added to Certificate.
3. | 1.00 19/11/2012 | 1.00 04/12/2012 | | Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG.
4. | 1.00 04/12/2012 | 1.00 12/12/2012 | Features | Appliances not supporting Outbound Spam list now includes: CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i


Contents
Release Dates
Release Information
Introduction
Features
  1. Compatibility with CISCO VPN Client
  2. L2TP Over IPSec VPN Support for Android Devices
  3. Outbound Spam
  4. YouTube Education Filter
  5. 4G LTE Modem
Enhancements
  1. DHCP Server Optimization
  2. Multicast over IPSec VPN tunnel
  3. E-mail Alert for IPSec Tunnel Connection Flapping
  4. Enhancement in AD Integration
  5. Multicast Route Failover
  6. Support of SSL-VPN for MAC-OS Tunnelblick
  7. Version 9 Catch-up Feature - Search Engine Cache Control
  8. Version 9 Catch-up Feature - Internet Watch Foundation Support
  9. Captive Portal Enhancements
  10. URL Import List
  11. Optimization in Virtual Host Configuration
  12. Optimized IPSec Failover Configuration
  13. Access Denied Page Optimization
  14. DNS Status Check support in Diagnostic Tool
  15. Certificate with FQDN/IP Address as a Common Name
  16. User Defined Certificate
  17. Quick Access to On-Appliance Reports
  18. iView Enhancement - Dual Dashboard Support
  19. iView Enhancement - Better Visibility and Presentation
  20. iView Enhancement - Top Users Widget
  21. iView Enhancement - Report Filter
  22. iView Enhancement - Country Map
Known Behaviour
  1. SSL VPN support with passcode
  2. Gateway specific routing for Reflexive Rule
Bugs Solved
  Anti Spam
  Anti Virus
  Certificate
  CLI
  DHCP Server
  Firewall
  GUI
  HA
  Identity
  IM
  Intrusion Prevention System (IPS)
  Log Viewer
  Network Interface
  Proxy
  Reports
  System
  SSL VPN
  User
  VPN
  Web Filter
  Wireless WAN
General Information
  Technical Assistance
  Technical Support Documents


Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.

This release comes with new features, a few enhancements and several bug fixes to improve quality, reliability and performance.

Features
1. Compatibility with CISCO VPN Client
From this version onwards, Cyberoam is compatible with Cisco IPSec VPN client.

This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam. To support this feature, a new page CISCO VPN Client is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.

Compatibility
1. At present, only the native Cisco IPSec VPN clients present in Apple iOS (iPhone and iPad) and Windows are supported. The supported versions are listed below:

Windows
Windows OS | Cisco Desktop Client
Win XP - all service packs | V 4.1 and 4.8
Win 7 | V 5.0 Beta Version
Windows Vista | V 5.0 Beta Version

Apple iOS: 4.3, 5.0.1, 5.1.1

Known Behavior
1. Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect.
2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving Cisco IPSec VPN Clients.
3. When any clients are already connected and the CISCO VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized.

CISCO VPN Client is available for download only to users that are authorized by the Administrator.

IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN > CISCO VPN Client > CISCO VPN Client.

2. L2TP Over IPSec VPN Support for Android Devices


From this version onwards, Android device as a L2TP/IPSec Client will be supported by Cyberoam.

User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication.

No special configuration is required in Cyberoam Web Admin Console or CLI.

Android Compatible Version: 2.1 Eclair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb

Enable the Add L2TP/IPSec PSK VPN option of the Android device to configure the VPN tunnel.

This feature has a backward compatibility support from version 10.01.0 Build 667 onwards.

3. Outbound Spam
From this version onwards, Cyberoam will provide Outbound Spam to identify internal Spam. This feature will help the Internet Service Providers (ISPs) to identify and block any user trying to send spam mails by utilizing their network. Outbound Spam filtering is a subscription module.

Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.

This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.

To view logs, go to Logs & Reports > Log Viewer and select option Anti Spam for parameter View logs for.

4. YouTube Education Filter


From this version onwards, Cyberoam will allow access to YouTube videos deemed as educational via a special portal YouTube EDU while being within a school network. YouTube EDU consists of two sections, YouTube.com/Teachers and YouTube for Schools. YouTube.com/Teachers educates teachers how to make optimum use of YouTube within the classroom. On the other hand, YouTube for Schools is a network setting, which redirects the video traffic, making it possible for schools that block YouTube to unblock and allow access to YouTube EDU (Youtube.com/education). The teachers and Administrators decide what videos must be made available to the students, making a safe and a controlled environment for students.

To allow educational videos via Cyberoam, school authority is required to get the school registered for YouTube for School. On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.

E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
1. Field Name: X-YouTube-Edu-Filter
2. Field Value Format: Alphanumeric [a-z][A-Z][0-9]
3. Field Value Length: up to 44 characters

To allow YouTube EDU via Cyberoam, go to Web Filter > Policy > Policy and specify the unique ID in the textbox against parameter YouTube Education Filter.

As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked:
1. youtube.com
2. ytimg.com

To access https://www.youtube.com, HTTPS scanning must be enabled.

5. 4G LTE Modem
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:

1. Connection to 3G/4G networks
2. DHCP Modems
3. Modem plug-in and plug-out auto detection
4. Auto Connect type of behavior if the same modem is re-plugged in

Further, Cyberoam provides recommended values (auto detected) for modem configuration. To configure a 4G modem, go to Network > Wireless WAN > Settings.

CLI Commands
1. Command: cyberoam wwan query serialport <serial port> ATcommand <AT command>
   To view the Wi-Fi modem information (if plugged in)
   E.g. cyberoam wwan query serialport 0 ATcommand ati
2. Command: cyberoam wwan show
   To view the Wi-Fi modem information and the recommended configuration (if plugged in)


Enhancements
1. DHCP Server Optimization
Support for Diverse Topologies
Cyberoam now adds the capability of configuring DHCP for downstream networks that are connected to Cyberoam through relay, or through IPsec VPN. With this enhancement, Cyberoam will be able to assign IP Addresses to networks that are:
1. Directly connected primary or alias networks
2. Connected through relay
3. Connected over IPsec VPN

Prior to this version, Cyberoam supported DHCP configuration for a primary network only.

Lease Report Enhancement
Cyberoam's Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address. To view these reports, go to Network > DHCP > Lease.

CLI Commands
1. Command: cyberoam dhcp lease-over-IPSec enable
   To enable IP Lease over IPSec for all the DHCP servers
2. Command: cyberoam dhcp lease-over-IPSec disable
   To disable IP Lease over IPSec for all the DHCP servers (Default Value)
3. Command: cyberoam dhcp lease-over-IPSec show
   To display all the IP Lease over IPSec configuration

2. Multicast over IPSec VPN tunnel


From this version onwards, Cyberoam will support secure transport of multicast traffic over un-trusted network using IPSec/VPN connection.

With this enhancement, it is now possible to send and receive both unicast and multicast traffic between two or more VPN sites connected through the public Internet. This removes the dependency on multicast-aware routers between the sites connecting via IPSec/VPN. Prior to this version, this was possible using GRE tunneling; however, the packets could not be encrypted.

Any unicast host that needs to access a multicast host must be configured as an explicit host (with netmask /32) in the VPN configuration.

Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both static and dynamic interfaces (PPPoE, DHCP).

To configure Multicast over IPSec/VPN connection, go to Network > Static Route > Multicast.

CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
   To forward multicast traffic coming from a given interface to another interface.
   E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
   To forward multicast traffic coming from a given interface to GRE tunnel.
   E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore
3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
   To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
   E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
   To forward multicast traffic coming from IPSec tunnel to an interface.
   E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
   To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
   E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
   To forward multicast traffic coming from a given IPSec tunnel to GRE tunnel.
   E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore
7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
   To forward multicast traffic coming from a GRE tunnel to an interface.
   E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
   To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
   E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1
9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
   To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
   E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
   To delete multicast route.
   E.g. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.
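
A list of multicast routes written in the mroute syntax above can be reviewed mechanically. The following Python sketch is an added example, not Cyberoam code: it parses "mroute add" lines and flags routes whose destination is not a multicast address or whose output is a GRE tunnel, which this document notes could not be encrypted. The sample lines are constructed from the examples above, and the function names and finding labels are assumptions of this example.

```python
import ipaddress


def _endpoint(tokens, pos, direction):
    """Read the input or output endpoint that starts at tokens[pos].

    Returns ((kind, name), next_pos); kind is 'interface', 'gre' or 'ipsec'.
    """
    key = tokens[pos] if pos < len(tokens) else None
    if key == f"{direction}-interface" and pos + 1 < len(tokens):
        return ("interface", tokens[pos + 1]), pos + 2
    if key == f"{direction}-tunnel" and pos + 1 < len(tokens):
        kind = tokens[pos + 1]
        if kind not in ("gre", "ipsec"):
            raise ValueError(f"unknown tunnel type {kind!r}")
        # "output-tunnel ipsec" takes no name: the appliance selects the
        # tunnel from the Local Network and Remote Network configuration.
        if kind == "ipsec" and direction == "output":
            return (kind, None), pos + 2
        if tokens[pos + 2:pos + 3] == ["name"] and pos + 3 < len(tokens):
            return (kind, tokens[pos + 3]), pos + 4
        raise ValueError(f"{direction}-tunnel {kind} needs 'name <tunnel>'")
    raise ValueError(f"expected {direction}-interface or {direction}-tunnel")


def parse_mroute(line):
    """Parse one 'mroute add' command; raise ValueError if it is malformed."""
    tokens = line.split()
    if tokens[:2] != ["mroute", "add"]:
        raise ValueError("not an 'mroute add' command")
    source_side, pos = _endpoint(tokens, 2, "input")
    if (tokens[pos:pos + 1] != ["source-ip"]
            or tokens[pos + 2:pos + 3] != ["dest-ip"]
            or len(tokens) < pos + 4):
        raise ValueError("expected 'source-ip <ip> dest-ip <ip>'")
    source = ipaddress.ip_address(tokens[pos + 1])  # ValueError if invalid
    dest = ipaddress.ip_address(tokens[pos + 3])
    output_side, pos = _endpoint(tokens, pos + 4, "output")
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return {"input": source_side, "source": source,
            "dest": dest, "output": output_side}


def audit(lines):
    """Return (line_number, finding, detail) tuples for routes to review."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            route = parse_mroute(line)
        except ValueError as exc:
            findings.append((number, "malformed", str(exc)))
            continue
        if not route["dest"].is_multicast:
            # dest-ip must be a multicast group address (224.0.0.0/4 for IPv4).
            findings.append((number, "dest-not-multicast", str(route["dest"])))
        if route["output"][0] == "gre":
            # GRE alone does not encrypt; review if the path is untrusted.
            findings.append((number, "gre-unencrypted", route["output"][1]))
    return findings


# Constructed sample input: lines 1 and 2 follow the examples above, lines 3
# and 4 were altered on purpose to trigger findings.
SAMPLE_ROUTES = [
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec",
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore",
    "mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 10.0.0.55 output-interface PortB",
    "mroute add input-tunnel gre source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES):
        print(finding)
```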

3. E-mail Alert for IPSec Tunnel Connection Flapping


From this version onwards, if the IPSec VPN tunnel connectivity is lost, Cyberoam will notify the Administrator via an E-mail alert, specifying the reason for the connection loss. E-mail alert will be sent on the configured E-mail Address.

Upon configuring E-mail alerts via the available single central configurable option, it will automatically be applicable on all the IPSec tunnels.


An E-mail will be sent only for Host to Host and Site to Site tunnel connections, if the connection flaps due to one of the following reasons:
1. A peer is found to be dead during Dead Peer Detection (DPD) phase.
2. Failed to re-establish connection after Dead Peer Detection (DPD).
3. IPSec Security Association (SA) is expired and is required to be re-established.
4. IPSec Tunnel comes up without administrator intervention after losing the connectivity.

E-mail sent to the administrator shall contain the following basic information:
1. IPSec Connection name
2. IP Addresses of both participating hosts/network
3. Current state of the IPSec Tunnel connection, viz., Up or Down
4. Exact Time when the IPSec Tunnel connection was lost
5. Reason for loss of IPSec Tunnel connection
6. Appliance Model Number
7. Firmware version and build number
8. Appliance Key (if registered)
9. Appliance LAN IP Address
10. HA configuration Primary/Auxiliary (if configured)

An E-mail will be sent for each subnet pair in case of Site to Site connections, having multiple local/remote networks.

An E-mail sent with respect to IPSec Tunnel coming up shall not have any reason mentioned within.

Description of IPSec Tunnel connection shall be included in the E-mail, only if information for same is provided by the administrator.

To enable E-mail alerts for IPSec tunnels, go to System > Configuration > Notification > Email Notification and check option IPSec Tunnel UP/Down.

4. Enhancement in AD Integration
From this version onwards, the Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers, at the push of the Purge AD Users button. Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a user's entry is not found in any of the external server(s), it is purged from Cyberoam too.

The purge operation will not interrupt user login/logout and accounting events.


If the server connectivity is lost while the purge activity is in progress, the activity will be aborted.

If a user entry is purged, it will be deleted from both the Primary and the Auxiliary Cyberoam Appliance. To purge the users, go to Identity > Users > Users and click Purge Users button.

Further, when a User logs in to Cyberoam and the E-mail Address of that User is configured on the external Active Directory server/LDAP server, the User's E-mail Address within Cyberoam is synchronized with the E-mail Address on the external Active Directory server/LDAP server. Every time a user logs in, the corresponding Email ID will be updated. If the Email ID is null on the External Active Directory Server/LDAP, there will be no updates.

5. Multicast Route Failover


From this version onwards, Cyberoam supports Link Failover for Multicast Traffic using IPSec/VPN connection or GRE Tunnel.

If a user has multicast routes configured on a port then a Link Failover can be configured for same using IPSec/VPN or GRE configuration. Now if the port goes down, all multicast routes configured on it will automatically fail over to given IPSec/VPN connection or GRE Tunnel.

Prior to this version, link failover was supported only for static unicast routes.

CLI Commands
1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>
   To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
   E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2
2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number>
   To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
   E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100
3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
   To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
   E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100
4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>
   To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
   E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2
5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number>
   To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
   E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100
6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number>
   To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
   E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100
7. Command: cyberoam link_failover del primarylink <Port name>
   To delete link failover configuration.
   E.g. cyberoam link_failover del primarylink PortC
8. Command: cyberoam link_failover show
   To see all the link failover configurations.

6. Support of SSL-VPN for MAC-OS Tunnelblick


From this version, SSL VPN will be functional with Tunnelblick, a free, open source graphic user interface for OpenVPN on Mac OS X.

The user can download the SSL VPN Client Configuration - MAC Tunnelblick from Cyberoam SSL VPN User Portal.


7. Version 9 Catch-up Feature - Search Engine Cache Control

From this version onwards, Cyberoam will be able to categorize actual URL contents that are accessed via the cache option available in the search engines Google, Yahoo and Bing, based on the existing Web Filter Policy.

8. Version 9 Catch-up Feature - Internet Watch Foundation Support

From this version onwards, Cyberoam's General Internet Policy, by default, supports filtering of URLs based on Internet Watch Foundation (IWF) categorization.

The filtering logs are displayed in the Log Viewer and iView Reports.

The Internet Watch Foundation provides the list of accurate and current URLs to minimise the availability of potentially criminal internet content as mentioned below:
1. Child sexual abuse content hosted anywhere in the world.
2. Criminally obscene adult content hosted in the UK.
3. Non-photographic child sexual abuse images hosted in the UK.

9. Captive Portal Enhancements


From this version onwards, Cyberoam Captive Portal is aesthetically optimized.

Further, it supports the following functionalities:
1. Hyperlinked logo
2. Obtaining username and password for unauthenticated users (only when Guest Users functionality is enabled).

To configure them, go to System > Configuration > Captive Portal.

Also, the Administrator can choose either to redirect an unauthorized user to the Captive Portal or to display a customized message. To customize the Captive Portal response, go to Identity > Authentication > Firewall.

10. URL Import List


From this version onwards, while adding or updating a Web Category, Cyberoam allows importing a file (.txt or .csv) consisting of all the configured URLs/Keywords from the white list domain of an existing web categorization solution, instead of copying and pasting them into Cyberoam.


To add a white listed URL file, go to Web Filter > Category > Category and click Add button.

11. Optimization in Virtual Host Configuration


From this version onwards, while a virtual host is created and port forwarding is enabled, Cyberoam allows configuring a Port list. The ports within the list can be comma separated. It can be mapped against a Port List or a Port. Further a Port Range can now also be mapped against a single port. This creates one to one mapping or many to one mapping between the external port and the mapped port.

Example:
Port Forwarding Type (External Port Type to Mapped Port Type) | External Ports | Mapped Ports
Port List to Port List | 22, 24, 26, 28, 30 | 42, 44, 46, 48, 50
Port List to a Port | 22, 24, 26, 28, 30 | 20
Port Range to a Port | 21 - 26 | 28

In case of Port List to Port List mapping, the number of ports must be the same for both External Ports and Mapped Ports. A request received on the first external port will be redirected to the first mapped port, a request on the second external port to the second mapped port, and so on. From the example above, for Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.

For a single virtual host, a maximum of 16 ports can be configured in a Port List.

All the ports within a Port List support single protocol viz., either a TCP or a UDP protocol as per the configuration. A combination of both of these protocols within a Port List is not allowed.

Prior to this version, only Single Port to Single Port and Port Range to Port Range Type for port forwarding were allowed. Also, from this version onwards, for Firewall, when any virtual host is created without port forwarding, one can select multiple services instead of a single service.

Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled. To configure multiple ports separated by commas, go to Firewall > Virtual Host > Virtual Host.
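
The mapping rules of this section as an added example (not Cyberoam's code): it parses the External Ports and Mapped Ports fields, applies the 16-port and single-protocol limits, and reports mapped ports that several external ports forward to. The function names, the text format of the fields, and the equal-count rule for Range to Range are assumptions.

```python
# Added example: a model of the port-forwarding rules in this release note.
# Names and the text format of the port fields are assumptions, not Cyberoam code.
MAX_LIST_PORTS = 16  # release note: at most 16 ports in a Port List


def parse_ports(spec):
    """Return (kind, ports) for 'a, b, c' (list), 'a - b' (range) or 'a' (port)."""
    if "," in spec:
        kind, ports = "list", [int(p) for p in spec.split(",")]
        if len(ports) > MAX_LIST_PORTS:
            raise ValueError(f"Port List has more than {MAX_LIST_PORTS} ports")
    elif "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        if low > high:
            raise ValueError("Port Range start is above its end")
        kind, ports = "range", list(range(low, high + 1))
    else:
        kind, ports = "port", [int(spec)]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port outside 1-65535")
    return kind, ports


def build_mapping(external, mapped, protocol):
    """Return {external_port: mapped_port} for one virtual host."""
    if protocol not in ("TCP", "UDP"):
        # release note: a Port List carries one protocol, never a mix
        raise ValueError("protocol must be TCP or UDP")
    ext_kind, ext = parse_ports(external)
    map_kind, targets = parse_ports(mapped)
    if len(set(ext)) != len(ext):
        raise ValueError("external port listed twice")  # sanity check added here
    if map_kind == "port":
        # Port, Port List or Port Range to a Port: many-to-one
        targets = targets * len(ext)
    elif ext_kind == map_kind:
        # List to List (release note) and Range to Range (assumed): equal counts
        if len(ext) != len(targets):
            raise ValueError("External Ports and Mapped Ports differ in count")
    else:
        raise ValueError(f"{ext_kind} to {map_kind} is not a listed mapping type")
    return dict(zip(ext, targets))  # positional: first to first, and so on


def shared_targets(mapping):
    """Mapped ports that more than one external port forwards to."""
    by_target = {}
    for ext, target in mapping.items():
        by_target.setdefault(target, []).append(ext)
    return {t: e for t, e in by_target.items() if len(e) > 1}


if __name__ == "__main__":
    # The three rows of the page's example
    rows = [("22, 24, 26, 28, 30", "42, 44, 46, 48, 50"),
            ("22, 24, 26, 28, 30", "20"),
            ("21 - 26", "28")]
    for external, mapped in rows:
        mapping = build_mapping(external, mapped, "TCP")
        print(mapping, "shared:", shared_targets(mapping))
```

Running a planned configuration through `shared_targets` before applying it shows which internal port ends up reachable through several external ports, which is the part of a many-to-one mapping that is easy to overlook in a firewall review.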


12. Optimized IPSec Failover Configuration


From this version onwards, failover for a Cyberoam IPSec connection can be configured while configuring the IPSec connection itself. This optimization allows a failover connection to be configured with minimum inputs for commonly used failover conditions. The previously available method of configuration also remains intact. Failover connections can be configured only for Site to Site and Host to Host connection types of IPSec connections.

A maximum of four (4) failover connections can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration. To configure an IPSec failover connection for Site to Site and Host to Host type of IPSec connections, go to VPN > IPSec > Connection. Click the add icon under Endpoint Details; only after this can an IPSec failover connection be configured.

13. Access Denied Page Optimization


From this version onwards, to optimize the loading time of Access Denied Page, the maximum size for the image allowed is as follows:
1. Top Image: 125 x 70 pixels (.jpg, .jpeg)
2. Bottom Image: 70 x 60 pixels (.jpg, .jpeg)

If the Appliance is running an older version and the image size is greater than the dimensions specified above, it is mandatory to reduce the size of the images for appropriate display. To upload an image, go to Web Filter > Settings > Settings.

14. DNS Status Check support in Diagnostic Tool


From this version onwards, Cyberoam provides an option to view the list of all the available DNS servers configured in Cyberoam. It also provides information about the time taken to connect to each of the DNS servers. Based on the least response time, one can prioritize the DNS servers. To view the list of DNS servers available for an IP Address/host name, go to System > Diagnostics > Tools > Name Lookup, provide the IP Address/Host Name, select the option Lookup Using All Configured Server from the dropdown box and click Name Lookup.


15. Certificate with FQDN/IP Address as a Common Name


From this version onwards, Cyberoam will allow using FQDN or IP Address as a common name while generating a Self Signed Certificate.

Prior to this version, the certificate name was used as the common name. To configure the common name for a certificate, go to System > Certificate > Certificate and click Add to generate a certificate.

16. User Defined Certificate


From this version onwards, Cyberoam supports generation of Self-Signed Certificates with Identification Attribute details to meet the needs of compliance criteria. To generate a Self-Signed Certificate, go to System > Certificate > Certificate.

17. Quick Access to On-Appliance Reports


From this version onwards, Cyberoam supports quick access to On-Appliance Reports from the login page of the Appliance. To access the On-Appliance Reports directly, select Reports for the parameter Log on to on the Appliance login page at the time of authentication.

18. iView Enhancement - Dual Dashboard Support


From this version onwards, Cyberoam iView main dashboard has been bifurcated into two.

1. Traffic Dashboard

Traffic dashboard is a collection of widgets displaying information regarding total network traffic. This dashboard gives complete visibility of network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.

Traffic dashboard consists of following widgets:
Top Applications: List of top applications along with percentage wise data transfer
Top Categories: List of top accessed web categories with number of hits and amount of data transfer
Top Users: List of top users along with percentage wise data transfer
Top Hosts: List of top hosts along with percentage wise data transfer
Top Source Countries: List of top source countries along with percentage wise data transfer
Top Destination Countries: List of top destination countries along with percentage wise data transfer
Top Rule ID: List of top firewall rules along with percentage wise data transfer
Top Domains: List of top domains along with percentage wise data transfer
Top File Upload: List of top uploaded files along with date, user, source IP, domain name, file name and file size
Top Files Uploaded via FTP: List of top uploaded files via FTP along with percentage wise amount of data transfer
Top Files Downloaded via FTP: List of top downloaded files via FTP along with percentage wise amount of data transfer
Top FTP Servers: List of top FTP servers
Mail Traffic Summary: Email traffic with type of traffic and amount of data transfer
Top Mail Senders: List of top email senders along with percentage wise data transfer
Top Mail Recipients: List of top email recipients along with percentage wise data transfer

2. Security Dashboard

Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malwares and spam along with source and destination countries.

Security dashboard consists of following widgets:
Top Denied Hosts: List of top denied hosts along with number of hits
Top Denied Users: List of top denied users along with number of hits
Top Denied Applications: List of top denied applications along with number of hits
Top Denied Destination Countries: List of top denied destination countries along with number of hits
Top Denied Source Countries: List of top denied source countries along with number of hits
Top Denied Rule ID: List of top denied firewall rules along with number of hits
Top Denied Categories: List of top denied web categories along with number of hits
Top Denied Domains: List of top denied domains along with number of hits
Top Attacks: List of top attacks launched at network
Top Viruses: List of top viruses blocked by Cyberoam
Top Spam Senders: List of top spam senders
Top Spam Recipients: List of top spam recipients

All these widgets can be drilled down for next level reports.


19. iView Enhancement - Better Visibility and Presentation


From this version onwards, Cyberoam iView has introduced a few enhancements to increase visibility and improve presentation of the reports.

1. Chart Preferences: The administrator can now select the type of charts used to show reports, choosing between Bar charts and Pie-Doughnut charts. To choose the chart type and palette go to System Configuration Chart Preferences.
2. Records per Page Control: The user now has the option to set the number of records to be displayed for report groups also. Previously this control was available for individual reports only.
3. Inline Charts: If the number of records to be displayed is more than 10, Cyberoam iView shows them in the form of inline charts, i.e. a bar diagram for number of bytes and percentage respectively is displayed in the same column.
4. Animated Charts: With this version, Cyberoam iView has introduced animated bar charts and pie charts to improve user experience and data presentation.
5. Report Group Dashboard: With this version, all the report group dashboards show the collection of reports available under the selected report group.

20. iView Enhancement - Top Users Widget


From this version onwards, a new widget Top Users has been added under risk reports. This widget displays the list of users who imposed risk on the organization's network. This report can further be drilled down to view the list of applications, hosts, source countries, destination countries and firewall rules associated with the selected user and risk level. To view reports, go to Reports Applications Top Risks Risk.

21. iView Enhancement - Report Filter


From this version onwards, Cyberoam iView provides an option to filter dashboard reports. When the user selects any record from dashboard report widgets, the selection is displayed on the next level of reports, i.e. on the resultant reports page. The user can apply multiple filters one by one to get the appropriate report.

All the filters are displayed on the top of the resultant report in the form of rowed text box(es) with the option to remove filter.

22. iView Enhancement - Country Map


From this version onwards, Cyberoam iView introduces a new report, Country Map, under the Application report menu. This report gives a geographical overview of network traffic along with the amount of data transfer and risk. To view reports, go to Reports > Applications > Country Map.


Known Behaviour
1. SSL VPN support with passcode
From this version onwards, Cyberoam supports key encryption with a password in certificates. If certificates are generated with encryption enabled, the user will be prompted to provide a password in the form of a passcode. If the parameter Per User Certificate is configured, new certificates will be generated with key encryption and a password. An error is displayed while generating a per user certificate if the user name contains a character other than alphanumeric characters, special characters like @, _, - and a space.

2. Gateway specific routing for Reflexive Rule


To allow the traffic to route through a specific gateway with a reflexive rule selected while configuring a virtual host, parameter Route Through Gateway in Firewall Rule must have Source NAT selected as a Routing Policy.


Bugs Solved
Anti Spam
Bug ID - 6533
Description - Irrespective of the date range selected, the spam mails of last seven days are displayed.

Bug ID - 9597
Description - Mails of size greater than 3Mb do not get released from Anti Spam Quarantine Area if the send mail client does not release them within the configured time.

Bug ID - 9599
Description - An error message "Data Error" is displayed for a log on Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes (") or a backslash (\).

Bug ID - 9989
Description - Quarantine mails having a space in subject line do not get released.

Anti Virus
Bug ID - 8029
Description - Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.

Certificate
Bug ID - 5300
Description - Cyberoam allows uploading a certificate with a different password or private key than the original password or private key of the generated Certificate Signing Request (CSR).

Bug ID - 8054
Description - Certificate Signing Request (CSR) generated from version 10 Cyberoam Appliance cannot be uploaded at third party Certificate Authority (CA) end.

Bug ID - 8191
Description - Certificate having encrypted private key cannot be uploaded from Web Admin Console.


Bug ID - 10001
Description - Value of parameter Valid From does not change on regenerating a new Cyberoam_SSL_CA certificate from Certificate page of the System.

Bug ID - 10045
Description - A certificate error message "secure connection failed" is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser.

Bug ID - 11463
Description - Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0.build 304, if the Appliance Time Zone is earlier than GMT and Firmware Upgrade Time is between (00:00:00 X) and 00:00:00. X here represents the difference between the Appliance Time Zone and the GMT.

CLI
Bug ID - 10122
Description - Default routing precedence does not get displayed on Cyberoam console when command cyberoam route_precedence show is executed.

DHCP Server
Bug ID - 10245
Description - An error message is displayed when a host name of parameter IP MAC Mapping List contains a space while configuring a static DHCP.

Firewall
Bug ID - 9658
Description - A false error message "user.err kernel: outdev_target: ERRORRRRR skb->rtable is already initialized <192.168.141.255>..." is displayed in System - Log Viewer.

Bug ID - 10870
Description - A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host.

GUI
Bug ID - 9810
Description - A Web Filter policy does not function in a non-English version of Cyberoam when a URL Group is configured within the Web Filter Policy.

Bug ID - 9985
Description - In captive portal settings and CTAS settings, the parameter User Inactivity Timeout does not accept a number beyond 99 on Web Admin Console from Authentication page of Identity.

Bug ID - 10109
Description - Heart Beat port in System configured to sync with CCC does not change if the Heart Beat Protocol is HTTP for Central Management.

Bug ID - 10165
Description - Dashboard and System Graph continue to remain in processing due to internal error for Cyberoam Version 10.02.0 Build 227.

Bug ID - 10307
Description - IPSec-VPN connection list takes a long time while loading, if the number of IPSec connections is more than 2000.

HA
Bug ID - 10573
Description - IPS service stops functioning in the HA deployment when two Appliances configured with different versions of IPS are enabled in HA.

Identity
Bug ID - 9756
Description - Special characters _ and . are not allowed to be used consecutively while adding an Email Address on the User page for Identity.

IM
Bug ID - 9866
Description - IM Policy is not displayed in Log Viewer with Yahoo! Messenger (Version 11.5.0.228-in).

Intrusion Prevention System (IPS)


Bug ID - 9327
Description - Search option is available only while editing IPS Policy.

Log Viewer
Bug ID - 9880
Description - No records are displayed when the language selected for Web Admin Console is French in Cyberoam and multiple filters are used while viewing logs of Application Filter in Log Viewer.

Network Interface
Bug ID - 8002
Description - STC 3G modem is not compatible with Cyberoam Appliance.

Bug ID - 8457
Description - ZTE MF688a 3G modem is not compatible with Cyberoam Appliance.

Bug ID - 10921
Description - Modem Sierra 320U is not supported by Cyberoam Appliance.

Bug ID - 10939
Description - Modem IG Huawei E177 is not supported by Cyberoam Appliance.

Proxy
Bug ID - 9115
Description - Proxy services do not function, if an HTTP Upload Web Category is added in HTTPS scanning exceptions.

Bug ID - 9848
Description - An error is received while accessing hotmail.com, http://google.com.au when HTTPS scanning is enabled in Firewall Rule.

Bug ID - 10046
Description - Web Proxy service does not restart when Administrator restarts it from Maintenance page of System.

Bug ID - 10135
Description - Some of the components of the YouTube website do not get displayed with HTTPS scanning applied.

Bug ID - 10244
Description - Browsing becomes slow when external proxy is implemented in the network while Cyberoam is deployed in Bridge mode.

Bug ID - 10936
Description - In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.

Reports
Bug ID - 7818
Description - The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical.

Bug ID - 9993
Description - All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if Search Type is IP Address and Report Type as Detail.

Bug ID - 10427
Description - Only current day's report details are displayed in the Application Reports of On-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.

System
Bug ID - 9927
Description - Error messages are displayed on executing command tcpdump port80filedump on Cyberoam Console.

SSL VPN
Bug ID - 6523
Description - Once the User certificates are updated manually, they do not get updated automatically.

Bug ID - 10171
Description - SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if RDP bookmark has a / at the end (e.g. rdp://10.102.1.152 /).

Bug ID - 11198
Description - SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having a forward slash ('/') as last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.

User
Bug ID - 6141
Description - When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully.

Bug ID - 9920
Description - Cyberoam supports only SMS Gateways that use the Post method.

VPN
Bug ID - 9812
Description - An error message "We cannot identify ourselves with either end of this connection" is received when VPN connection with VLAN over WAN is configured with PPPoE link and VLAN ID is more than 2 digits.

Bug ID - 10191
Description - VPN service does not restart when head office and branch office are using default head office and default branch office policy respectively and an intermediate device between them is switched off.

Bug ID - 11202
Description - Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from VPN Policy page and the Appliance is rebooted.

Web Filter
Bug ID - 9840
Description - Denied Message is updated to default message, if an existing Web Filter Category configured with a customized message is edited without opening its Advance Settings.

Bug ID - 10092
Description - Webcat does not get upgraded to latest version while performing manual sync after auto Webcat upgrade has failed.

Wireless WAN
Bug ID - 5315
Description - 3G Modem LW272 is not compatible with Cyberoam Appliance.


General Information
Technical Assistance
If you have problems with your system, contact customer support using one of the following methods:

Email ID: support@cyberoam.com
Telephonic support (Toll free):
APAC/EMEA: +1-877-777-0368
Europe: +44-808-120-3958
India: 1-800-301-00013
USA: +1-877-777-0368

Please have the following information available prior to contacting support. This helps to ensure that our support staff can best assist you in resolving problems:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or dumps

Technical Support Documents


Knowledgebase: http://kb.cyberoam.com
Documentation set: http://docs.cyberoam.com


Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://ikb.cyberoam.com.

RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters
Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower, Off. C.G. Road, Ahmedabad 380006, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640 Web site: www.cyberoam.com
