1. Knowledge Base Information
1.1. Cyberoam Knowledge Base

Welcome to the Cyberoam Knowledge Base (CR KB)


CR KB is Cyberoam's official technical support database: a central repository of short articles that are collected, organized, shared, searched and used.

It is designed to enable CR KB users to retrieve and use the knowledge provided by the articles it contains. It is widely used by CR customers as it contains thousands of articles related to support solutions, error messages and troubleshooting guides. It is also commonly used to complement CR Pre-sales and Post-Sales, or for sharing information among employees within an organization. It stores troubleshooting information, articles, white papers, user manuals, and answers to questions frequently asked by CR customers.

You can locate information by searching for keywords or an article ID with the search engine, or by browsing the article groupings in the left-hand navigation panel. For ease of use, the articles are grouped according to the feature grouping used in the Product UI.

If you do not find the relevant information and want to request a new article, click the Request New Article tab at the top of the page and submit a request.

If the article has provided you the required information and helped resolve your problem, please rate the article. Your feedback regarding the article will help us serve you better and channel our efforts in the correct direction.

If you want to request additional information in the article or suggest improvements, leave comments in the suggestion box provided at the end of the article.

We would love to hear your suggestions and comments on our efforts to populate KB with helpful articles on .
 
For region-wise Technical Support phone numbers, refer to Customer Support.

Do visit docs.cyberoam.com for technical information for each version release.

 

To see the latest articles added to the Knowledge Base, check the Recently Added Articles section on the Home page.
1.2. Searching Tips

Using the Knowledge Base Search

The Knowledge Base Search enables you to search all articles. The search engine will look up all the article fields.
There are three methods for searching through the Knowledge Base:
  • Click through the Article Navigation Tree until you find what you want. This can be time consuming.
  • Use the Basic Search feature.
  • Use the Advanced Search feature.

The Basic Search allows users to search in all article fields (Short Title, Long Title, Keywords, Search Results Summary and Content).

Try the following search options for a more effective search: 

Search Syntax and Description

Quotation marks: Use quotation marks to indicate a phrase or group of terms that should be searched together.
Example: "PPPoE server"

Asterisk (*): Use when more than one character is not known.
Example: block Or*

Plus (+) and Minus (-): Use the "+" and "-" to add or remove words from a search phrase.
Example: DHCP -server
Example: DHCP +configuration

Question mark (?): Substitute for a single unknown character.
Example: DHC?

Note: Do not enter partial words as search criteria. For example, quar for quarantine. The Knowledge Base search will not search on partial words by themselves. If you want to use a partial term, include the asterisk (*) in the word. For example, quar*.

The Advanced Search lets you specify search criteria:

  • You determine the search method by selecting one of the following four choices from the Using field: 
    • All of the words entered
    • Any of the words entered
    • The exact phrase entered
    • Boolean (text contains +/-) 
  • Specify a Search Type. 
    • Full Text Search and Search in Attachment are ON by default. 
    • If you know the Article ID, search by Article ID. Searching by Article ID will give the fastest result. The Article ID is provided at the end of each article.

Searching by article ID number

If you know the ID number for a Knowledge Base article, you can search for the article by ID number.
To search by ID number:
  • Select the Advanced Search.
  • Enter the article id number. For example, 105.
  • In the Search type, select Article id.
  • Select Search.

Unable To Find What You're Looking For?

If you are not able to find the content that answers your question in the KB, please try to rephrase your question. If the KB still does not contain the information you want, please consult your appropriate technical product documentation if you have not already done so. You can access product documentation from http://docs.cyberoam.com

If you have searched the KB and your product's documentation content, please let us know that you are not able to find the information you want by sending Feedback to us at kb@cyberoam.com

 

1.3. Cyberoam Resource Links



Cyberoam Site: www.cyberoam.com


Cyberoam Product Documentations: http://docs.cyberoam.com

Cyberoam Product Knowledge Base: http://kb.cyberoam.com

Cyberoam Firmware Download: http://download.cyberoam.com

Cyberoam Security Center for update information: http://csc.cyberoam.com

Cyberoam Customer My Account: http://customer.cyberoam.com

Cyberoam Partner Portal: http://partner.cyberoam.com

Cyberoam Technical Support requests:

 

Cyberoam Web Categorization URL submission and correction: 

 
Spam mail submission and correction: spammails@cyberoam.com
 
False Positive submission: 

Virus submission and correction: 

 

Feedback, suggestion including new Articles requests to Knowledgebase Administrators: 

 

Reporting issues with Cyberoam documentation:

 

 

2. Cyberoam Security Appliances (UTM and NGFW)
2.1. Vulnerability Security Advisories
2.1.1. Product Vulnerabilities Advisories
2.1.1.1. Cyberoam Security Bulletin Release September 2014

Cyberoam Security Notice

Date: 15 September, 2014

 
 

1. Stack-based Buffer Overflow

Summary
An unauthenticated remote attacker could execute arbitrary code on the Cyberoam appliance.

CVE
2014-5501

Severity/Risk
High
 

Firmware Affected

CyberoamOS 10.4 GA and earlier
CyberoamOS 10.6.1 RC-4 and earlier
 

Resolution
Over-the-air Hotfix released for all the affected firmware on 15th July 2014
Fixed in Firmware - CyberoamOS 10.6.1 GA and later
 
Customers can contact Cyberoam Support at support@cyberoam.com for details on the upgrade.
 
Acknowledgement
This vulnerability was reported by Agix working with HP's Zero Day Initiative.
 

2. Command Injection Vulnerability
 
Summary
An unauthenticated remote attacker could execute arbitrary code on the Cyberoam appliance.

CVE
2014-5502

Severity/Risk
High
 

Firmware Affected

CyberoamOS 10.4 GA and earlier
CyberoamOS 10.6.1 RC-4 and earlier
 

Resolution
Over-the-air Hotfix released for all the affected firmware on 15th July 2014
Fixed in Firmware - CyberoamOS 10.6.1 GA and later
 
Customers can contact Cyberoam Support at support@cyberoam.com for details on the upgrade.
 
Acknowledgement
This vulnerability was reported by Agix working with HP's Zero Day Initiative.
 
 

3. Unauthenticated Blind SQL Injection Vulnerability

Summary
An unauthenticated remote attacker could execute arbitrary SQL queries through Guest Login Portal.

CVE
2014-5503

Severity/Risk
High
 

Firmware Affected

CyberoamOS 10.4 GA and earlier
CyberoamOS 10.6.1 RC-4 and earlier
 

Resolution
Over-the-air Hotfix released for all the affected firmware on 15th July 2014
Fixed in Firmware - CyberoamOS 10.6.1 GA and later
 
Customers can contact Cyberoam Support at support@cyberoam.com for details on the upgrade.
 
Acknowledgement
This vulnerability was reported by Agix working with HP's Zero Day Initiative.
 
2.1.2. SSLv3.0 POODLE vulnerability

 

Security Advisory

 

Original Publication Date: 17 October, 2014

 

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. The issue is tracked as CVE-2014-3566 and is also known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This flaw allows encrypted information to be exposed to an attacker with access to the network path. The affected SSL version is implemented in Cyberoam products, which are therefore exposed to this vulnerability.


Cyberoam provides the additional information in the blog:
Vulnerability Alert: SSL v3.0 Making Browsers Prone to Hacking.

 

Affected Cyberoam Versions: All Versions

 

Note: Cyberoam Threat Research Lab is further analysing the impact of the vulnerability and will be releasing a hotfix or firmware upgrade shortly to mitigate it. This advisory will be updated with the solution once the hotfix/firmware is released.

 

Solution

 

IPS Signature

 

To mitigate the POODLE vulnerability, Cyberoam has released IPS Version 3.11.92/5.11.92 containing the following IPS signatures:

·        SSLv3.0 ServerHello from vulnerable server - CVE-2014-3566

·        SSLv3.0 ClientHello from vulnerable client - CVE-2014-3566

·        SSLv3.0 ChangeCipherSpec message - CVE-2014-3566

·        Excessive fatal alerts - possible CVE-2014-3566 attack against client

·        Excessive fatal alerts - possible CVE-2014-3566 attack against server
See the Release Notes for details.

When the IPS policy with these signatures is applied through the Firewall, all SSL connections attempting to exploit the said vulnerability will be detected, since the default action of the signatures is "Alert".
To drop all such packets, the administrator can set the default action manually to "Drop". We request all Cyberoam customers to verify and update the IPS Signature version from the Dashboard.
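The detection side of the five signatures above, as an added example that is not Cyberoam's IPS code: a small Python parser that walks raw TLS records and flags SSLv3 ClientHello, ServerHello and ChangeCipherSpec messages plus bursts of fatal alerts. The alert threshold, the mapping of alert direction to "attack against client/server", and the sample records are assumptions constructed for this example.

```python
"""Detection logic for the five POODLE-related IPS signature patterns listed
above, run over raw TLS record bytes (constructed samples, not a capture)."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
CLIENT_HELLO, SERVER_HELLO = 1, 2
ALERT_LEVEL_FATAL = 2
SSLV3 = (3, 0)
# Assumed threshold: fatal alerts in one direction of a flow that count as
# "excessive". The signature's real threshold is not given on the page.
FATAL_ALERT_THRESHOLD = 5

Version = Tuple[int, int]
Record = Tuple[int, Version, bytes]

SIG_CLIENT_HELLO = "SSLv3.0 ClientHello from vulnerable client - CVE-2014-3566"
SIG_SERVER_HELLO = "SSLv3.0 ServerHello from vulnerable server - CVE-2014-3566"
SIG_CCS = "SSLv3.0 ChangeCipherSpec message - CVE-2014-3566"
SIG_ALERTS_CLIENT = "Excessive fatal alerts - possible CVE-2014-3566 attack against client"
SIG_ALERTS_SERVER = "Excessive fatal alerts - possible CVE-2014-3566 attack against server"


def parse_records(data: bytes) -> Iterator[Record]:
    """Split a byte stream into TLS records: (content_type, version, fragment)."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated stream: stop rather than guess at the rest
        yield ctype, (major, minor), frag
        off += 5 + length


def hello_version(frag: bytes) -> Optional[Version]:
    """Protocol version from the handshake layer (type 1, length 3, version 2).
    This, not the record-layer version, identifies an SSLv3 peer: TLS clients
    commonly put 3.0 in the record header of a ClientHello for compatibility."""
    if len(frag) < 6:
        return None
    return (frag[4], frag[5])


def match_record(rec: Record) -> Optional[str]:
    """Name of the per-record signature this record matches, if any."""
    ctype, version, frag = rec
    if ctype == HANDSHAKE and frag:
        hv = hello_version(frag)
        if frag[0] == CLIENT_HELLO and hv == SSLV3:
            return SIG_CLIENT_HELLO
        if frag[0] == SERVER_HELLO and hv == SSLV3:
            return SIG_SERVER_HELLO
    # ChangeCipherSpec carries no version of its own; after negotiation the
    # record layer carries the agreed version, so 3.0 here means SSLv3.
    if ctype == CHANGE_CIPHER_SPEC and version == SSLV3:
        return SIG_CCS
    return None


def inspect_flow(client_to_server: bytes, server_to_client: bytes) -> List[str]:
    """Apply all five checks to one connection; returns matched signature names."""
    hits: List[str] = []
    fatal: Dict[str, int] = {"client": 0, "server": 0}
    for sender, stream in (("client", client_to_server), ("server", server_to_client)):
        for ctype, version, frag in parse_records(stream):
            name = match_record((ctype, version, frag))
            if name and name not in hits:
                hits.append(name)
            if ctype == ALERT and len(frag) >= 2 and frag[0] == ALERT_LEVEL_FATAL:
                fatal[sender] += 1
    # Assumed mapping: a server answering record after record with fatal alerts
    # is the padding-oracle pattern aimed at the client's encrypted data.
    if fatal["server"] >= FATAL_ALERT_THRESHOLD:
        hits.append(SIG_ALERTS_CLIENT)
    if fatal["client"] >= FATAL_ALERT_THRESHOLD:
        hits.append(SIG_ALERTS_SERVER)
    return hits


def record(ctype: int, version: Version, frag: bytes) -> bytes:
    """Build one TLS record (used here only to construct the samples)."""
    return bytes([ctype, *version]) + struct.pack("!H", len(frag)) + frag


def hello(hs_type: int, version: Version) -> bytes:
    """Minimal handshake fragment: type, 3-byte length, protocol version."""
    return bytes([hs_type]) + (2).to_bytes(3, "big") + bytes(version)


# Constructed samples. A TLS 1.2 ClientHello with a 3.0 record header must NOT
# fire; an SSLv3 handshake and a burst of fatal alerts must.
LEGACY_TLS12_HELLO = record(HANDSHAKE, (3, 0), hello(CLIENT_HELLO, (3, 3)))
SSLV3_CLIENT_HELLO = record(HANDSHAKE, (3, 0), hello(CLIENT_HELLO, (3, 0)))
SSLV3_SERVER_HELLO = record(HANDSHAKE, (3, 0), hello(SERVER_HELLO, (3, 0)))
SSLV3_CCS = record(CHANGE_CIPHER_SPEC, (3, 0), b"\x01")
FATAL_BAD_MAC = record(ALERT, (3, 0), bytes([ALERT_LEVEL_FATAL, 20]))


def sample_flow() -> Tuple[bytes, bytes]:
    """One constructed SSLv3 connection with five fatal alerts from the server."""
    return (SSLV3_CLIENT_HELLO + SSLV3_CCS,
            SSLV3_SERVER_HELLO + SSLV3_CCS + FATAL_BAD_MAC * FATAL_ALERT_THRESHOLD)
```

On a real sensor the same checks would run per connection after TCP reassembly; the point of the legacy sample is that a 3.0 record header alone is not evidence of an SSLv3 client.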

 

Cyberoam recommends implementing the following security measures for clients and servers using the affected SSL version:

 

For Clients and Browsers:

 

Google Chrome:

It is recommended to completely disable SSL 3.0, or the CBC-mode ciphers in SSL 3.0, on the client-end browser. Currently, only Google Chrome version 33.0.1750 (February 2014 build) and newer supports TLS_FALLBACK_SCSV; for all other browsers, disabling SSL 3.0 is the safest option.


Mozilla Firefox:

Firefox users can install the Mozilla security add-on to disable SSL 3.0. Users who do not want to use an add-on can instead go to About:Config and set security.tls.version.min to 1.

Internet Explorer:

Internet Explorer users need to go to Internet Options, click Advanced tab and uncheck SSLv3 for disabling SSL 3.0.

 

For Servers:

 

To protect servers, it is recommended to verify the SSL version used on each server and either disable SSL 3.0 or apply the patch for the respective server.

 

References

 

·        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

·        https://www.openssl.org/~bodo/ssl-poodle.pdf

 

Revision History

 

Revision 1.0

17 October, 2014

Initial public release containing information on the vulnerability and security recommendations.


2.1.3. Microsoft Security Bulletin Release for September 2014

Security Advisory

Original Publication Date: 12-09-2014

Microsoft published its monthly Security Bulletin on September 09, 2014. Four bulletins were released that addressed a total of 37 vulnerabilities. The bulletins described vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Lync Server and Microsoft .NET Framework. The vulnerabilities could allow an attacker to execute remote code, elevate privileges, or cause a denial of service condition.

Cyberoam Solution:

Cyberoam Threat Research Labs is currently studying the vulnerabilities. The Security Advisory will be updated as additional information is available.

The following table provides general information on the vulnerabilities described in the Microsoft Security Bulletins.
 
Microsoft Security Bulletin MS14-052
CVE ID: CVE-2014-4080, CVE-2014-4081, CVE-2014-4082, CVE-2014-4083, CVE-2014-4084, CVE-2014-4085, CVE-2014-4086, CVE-2014-4087, CVE-2014-4088, CVE-2014-4089, CVE-2014-4090, CVE-2014-4091, CVE-2014-4092, CVE-2014-4093, CVE-2014-4094, CVE-2014-4095, CVE-2014-4096, CVE-2014-4097, CVE-2014-4098, CVE-2014-4099, CVE-2014-4100, CVE-2014-4101, CVE-2014-4102, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4109, CVE-2014-4110, CVE-2014-4111
Severity: High
Attack Vectors: An attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.
Affected Products: Microsoft Internet Explorer

Microsoft Security Bulletin MS14-053
CVE ID: CVE-2014-4072
Severity: High
Attack Vectors: To exploit this vulnerability, an unauthenticated attacker could send a small number of specially crafted requests to an affected .NET-enabled website, causing a denial of service condition.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-054
CVE ID: CVE-2014-4074
Severity: Medium
Attack Vectors: To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-055
CVE ID: CVE-2014-4068, CVE-2014-4070, CVE-2014-4071
Severity: Medium
Attack Vectors: A remote, unauthenticated attacker could exploit this vulnerability by executing a specially crafted call to trigger the improperly handled exceptions.
Affected Products: Microsoft Lync Server
 

Revision History

Revision 1.0

12 September 2014

Initial public release containing information on the vulnerabilities described in the Microsoft Security Bulletins.

 
2.1.4. DTLS Memory Exhaustion Vulnerability in OpenSSL

Security Advisory

Original Publication Date: 28-08-2014

On 26th August 2014, the OpenSSL team released an update which fixed the OpenSSL DTLS Memory Exhaustion Vulnerability. Cyberoam recommends that all DTLS users upgrade OpenSSL 0.9.8 versions to 0.9.8zb, 1.0.0 versions to 1.0.0n and 1.0.1 versions to 1.0.1i. For more information, please refer to DTLS Memory Exhaustion Vulnerability.

Note: Cyberoam Threat Research Labs is currently studying this vulnerability and shall announce a remedial solution shortly. Once we have the solution, the advisory will be updated.

What is the OpenSSL DTLS Memory Exhaustion Vulnerability?

A memory exhaustion vulnerability (CVE-2014-3506) exists in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 versions prior to 0.9.8zb, 1.0.0 versions prior to 1.0.0n and 1.0.1 versions prior to 1.0.1i. The vulnerability is due to a DTLS flaw that could lead to memory exhaustion. It could allow a remote, unauthenticated attacker to force OpenSSL to consume large amounts of memory by sending specially crafted DTLS handshake messages. Successful exploitation could lead to a denial of service.

Affected Versions

·        OpenSSL 0.9.8 versions prior to 0.9.8zb

·        OpenSSL 1.0.0 versions prior to 1.0.0n

·        OpenSSL 1.0.1 versions prior to 1.0.1i

References

·        https://www.openssl.org/news/vulnerabilities.html

·        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506

·        https://www.openssl.org/news/secadv_20140806.txt

Revision History

Revision 1.0

28 August 2014

Initial public release containing information on the Vulnerability.


2.1.5. SRP Buffer Overrun Vulnerability in OpenSSL

Security Advisory

Original Publication Date: 25-08-2014

On 22nd August 2014, the OpenSSL team released an update for their popular SSL/TLS package, which fixed the OpenSSL SRP Buffer Overrun Vulnerability. Only applications which are explicitly set up for SRP use are affected. Cyberoam recommends that all customers upgrade OpenSSL 1.0.1 SSL/TLS versions to 1.0.1i. For more information, please refer to SRP Buffer Overrun Vulnerability.

Note: Cyberoam Threat Research Labs is currently studying this vulnerability and shall announce a remedial solution shortly. Once we have the solution, the advisory will be updated.

What is the OpenSSL SRP Buffer Overrun Vulnerability?

A heap buffer overflow vulnerability (CVE-2014-3512) exists in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 versions prior to 1.0.1i. This vulnerability is due to insufficient input validation when processing the A, g or B parameter used in SRP ciphersuites. A malicious client/server can send invalid SRP parameters and overrun an internal buffer. The vulnerability may allow a remote, unauthenticated attacker to send specially crafted TLS messages to the target and could also cause a denial of service. Successful exploitation could lead to arbitrary code execution in the context of the OpenSSL server application.

Affected Software

·        OpenSSL 1.0.1 versions prior to 1.0.1i
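To turn the affected ranges stated in this advisory and in the DTLS advisory above (CVE-2014-3506) into an inventory check, an added Python example that is not OpenSSL's or Cyberoam's code: it parses OpenSSL version strings, orders the letter suffixes the way OpenSSL releases do, and reports which of the two CVEs apply to a given build. The ranges are copied from the advisory text; the hostnames and versions in the sample inventory are constructed.

```python
"""Check OpenSSL version strings against the affected ranges stated in the
DTLS (CVE-2014-3506) and SRP (CVE-2014-3512) advisories above. Added example;
the ranges come from the advisory text, the parsing and ordering are ours."""
import re
from typing import Dict, List, Tuple

Version = Tuple[Tuple[int, int, int], str]  # ((major, minor, fix), letters)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[\w.]+)?$")

# CVE -> list of (branch, first fixed release). Every release of that branch
# strictly before the fixed one is affected, exactly as the advisories state.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2014-3506": [("0.9.8", "0.9.8zb"), ("1.0.0", "1.0.0n"), ("1.0.1", "1.0.1i")],
    "CVE-2014-3512": [("1.0.1", "1.0.1i")],
}


def parse_version(text: str) -> Version:
    """'1.0.1i' -> ((1, 0, 1), 'i'). A trailing tag such as '-fips' is ignored
    (assumption: the tag does not change the patch level)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return ((int(m[1]), int(m[2]), int(m[3])), m[4])


def is_before(a: Version, b: Version) -> bool:
    """Strict ordering. Within a branch the letter suffix orders as
    '' < 'a' < ... < 'z' < 'za' < 'zb'; plain string comparison yields that
    because every multi-letter suffix OpenSSL has shipped begins with 'z'."""
    return a < b


def affected_cves(version_text: str) -> List[str]:
    """CVEs from AFFECTED that apply to this library version (may be empty)."""
    v = parse_version(version_text)
    hits: List[str] = []
    for cve, ranges in AFFECTED.items():
        for branch, fixed in ranges:
            if v[0] == parse_version(branch)[0] and is_before(v, parse_version(fixed)):
                hits.append(cve)
                break
    return hits


def scan_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """host -> affected CVEs. Unparseable versions are reported under the
    pseudo-entry 'UNKNOWN' so they are not silently treated as safe."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN"]
    return report


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "vpn-gw.example.test": "1.0.1h",      # DTLS and SRP ranges both apply
    "web-01.example.test": "1.0.1i",      # first fixed release
    "legacy.example.test": "0.9.8za",     # one letter short of 0.9.8zb
    "build.example.test": "1.0.0n-fips",  # fixed; tag ignored
    "appliance.example.test": "n/a",      # cannot be parsed
}

if __name__ == "__main__":
    for host, cves in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:26} {', '.join(cves) or 'not affected'}")
```

The check only says whether the library build falls inside the stated ranges; whether a host actually terminates DTLS or has SRP ciphersuites enabled is a separate question the advisories leave to the operator.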

References

·        https://www.openssl.org/news/secadv_20140806.txt

·        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512

Revision History

Revision 1.0
25 August 2014
Initial public release containing information on the Vulnerability.
 
 
2.1.6. Microsoft Security Bulletin Release for August 2014

Security Advisory

Original Publication Date: 19-08-2014

Microsoft published its monthly Security Bulletin on August 12, 2014. Nine bulletins were released that addressed a total of 34 vulnerabilities. The bulletins described vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office, Microsoft Server Software, Microsoft SQL Server and Microsoft .NET Framework. The vulnerabilities could allow an attacker to execute remote code, cause privilege elevation, or bypass a security feature.

Cyberoam Solution:

Cyberoam Threat Research Labs is currently studying the vulnerabilities. The Security Advisory will be updated as additional information is available.

The following table provides general information on the vulnerabilities described in the Microsoft Security Bulletins.

Microsoft Security Bulletin MS14-043: Vulnerability in Windows Media Center Could Allow Remote Code Execution
CVE ID: CVE-2014-4060
Severity: Moderate
Attack Vectors: An attacker could exploit this vulnerability by placing specially crafted Office files on a remote share or by attaching them to an email. When a user double-clicks the specially crafted file from a computer containing Windows Media Center, the malicious code may be able to run.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-044: Vulnerability in SQL Server Could Allow Elevation of Privilege
CVE ID: CVE-2014-1820
Severity: Moderate
Attack Vectors: An attacker could exploit the vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
Affected Products: Microsoft SQL Server

Microsoft Security Bulletin MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
CVE ID: CVE-2014-0318
Severity: Moderate
Attack Vectors: To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-046: Vulnerability in .NET Framework Could Allow Security Feature Bypass
CVE ID: CVE-2014-4062
Severity: Moderate
Attack Vectors: An attacker could tie this security feature bypass vulnerability to an additional vulnerability, usually a remote code execution vulnerability. The additional vulnerability would take advantage of the security feature bypass for exploitation. For example, a remote code execution vulnerability that is blocked by ASLR could be exploited after a successful ASLR bypass.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-047: Vulnerability in LRPC Could Allow Security Feature Bypass
CVE ID: CVE-2014-0316
Severity: Moderate
Attack Vectors: An attacker could tie this security feature bypass vulnerability to an additional vulnerability, usually a remote code execution vulnerability. The additional vulnerability would take advantage of the security feature bypass for exploitation. For example, a remote code execution vulnerability that is blocked by ASLR could be exploited after a successful ASLR bypass.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-048: Vulnerability in OneNote Could Allow Remote Code Execution
CVE ID: CVE-2014-2815
Severity: Moderate
Attack Vectors: Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote.
Affected Products: Microsoft OneNote 2007 and Above

Microsoft Security Bulletin MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege
CVE ID: CVE-2014-1814
Severity: Moderate
Attack Vectors: To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-050: Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege
CVE ID: CVE-2014-2816
Severity: Moderate
Attack Vectors: An attacker could create a specially crafted app designed to exploit this vulnerability, and then convince users to install the specially crafted app.
Affected Products: Microsoft SharePoint

Microsoft Security Bulletin MS14-051: Cumulative Security Update for Internet Explorer
CVE ID: CVE-2014-2774, CVE-2014-2784, CVE-2014-2796, CVE-2014-2808, CVE-2014-2810, CVE-2014-2811, CVE-2014-2817, CVE-2014-2818, CVE-2014-2819, CVE-2014-2820, CVE-2014-2821, CVE-2014-2822, CVE-2014-2823, CVE-2014-2824, CVE-2014-2825, CVE-2014-2826, CVE-2014-2827, CVE-2014-4050, CVE-2014-4051, CVE-2014-4052, CVE-2014-4055, CVE-2014-4056, CVE-2014-4057, CVE-2014-4058, CVE-2014-4063, CVE-2014-4067
Severity: Critical
Attack Vectors: An attacker could host a website that is used to attempt to exploit these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action.
Affected Products: Microsoft Windows, Internet Explorer

Revision History

 

Revision 1.0

19 August 2014

Initial public release containing information on the vulnerabilities described in the Microsoft Security Bulletins.


2.1.7. Microsoft Security Bulletin Release for July 2014
 Security Advisory

Original Publication Date: 11-07-2014

Updated Date: 19-08-2014

Microsoft published its monthly Security Bulletin on July 8, 2014. Five bulletins were released that addressed a total of 28 vulnerabilities. The bulletins described vulnerabilities in Microsoft Windows, Microsoft Internet Explorer and Microsoft Server Software. The vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service condition or elevate privileges.

Cyberoam Solution:

To mitigate the vulnerabilities identified by CVE IDs mentioned in the table below, Cyberoam has released IPS Signature Versions 3.11.75 and 5.11.75. Read the Release Notes for IPS Signature Versions 3.11.75 and 5.11.75.

CVE ID and Cyberoam IPS Signature Name

·        CVE-2014-1765: Microsoft Internet Explorer CVE-2014-1765 Use After Free

·        CVE-2014-2787: Microsoft Internet Explorer CVE-2014-2787 Remote Memory Corruption Vulnerability

·        CVE-2014-2795: Microsoft Internet Explorer CVE-2014-2795 Remote Memory Corruption Vulnerability

·        CVE-2014-2797: Microsoft Internet Explorer CVE-2014-2797 Remote Memory Corruption Vulnerability

·        CVE-2014-2801: Microsoft Internet Explorer CVE-2014-2801 Remote Memory Corruption Vulnerability

·        CVE-2014-2804: Microsoft Internet Explorer CVE-2014-2804 Use After Free


Note: Cyberoam Threat Research Labs is currently studying the remaining vulnerabilities. The Security Advisory will be updated as additional information is available.

The following table provides general information on the vulnerabilities described in the Microsoft Security Bulletins.

Microsoft Security Bulletin MS14-037: Cumulative Security Update for Internet Explorer
CVE ID: CVE-2014-1763, CVE-2014-1765, CVE-2014-2785, CVE-2014-2786, CVE-2014-2787, CVE-2014-2788, CVE-2014-2789, CVE-2014-2790, CVE-2014-2791, CVE-2014-2792, CVE-2014-2794, CVE-2014-2795, CVE-2014-2797, CVE-2014-2798, CVE-2014-2800, CVE-2014-2801, CVE-2014-2802, CVE-2014-2803, CVE-2014-2804, CVE-2014-2805, CVE-2014-2806, CVE-2014-2807, CVE-2014-2809, CVE-2014-2813
Severity: Critical
Attack Vectors: An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
Affected Products: Internet Explorer, Microsoft Windows

Microsoft Security Bulletin MS14-038: Vulnerability in Windows Journal Could Allow Remote Code Execution
CVE ID: CVE-2014-1824
Severity: Critical
Attack Vectors: An attacker could exploit the vulnerability by sending a specially crafted Journal file to the user and by convincing the user to open the file.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-039: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege
CVE ID: CVE-2014-2781
Severity: Important
Attack Vectors: An attacker would have to first use a vulnerability in a low integrity process to execute the On-Screen Keyboard and then have a method of uploading a specially crafted program to the target system.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege
CVE ID: CVE-2014-1767
Severity: Important
Attack Vectors: An attacker who successfully exploited the vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-041: Vulnerability in DirectShow Could Allow Elevation of Privilege
CVE ID: CVE-2014-2780
Severity: Important
Attack Vectors: To exploit this vulnerability, an attacker would first have to successfully exploit another vulnerability in a low integrity process and then use this vulnerability to execute specially crafted code in the context of the logged-on user.
Affected Products: Microsoft Windows

Revision History

Revision 1.0

11 July 2014

Initial public release containing information on the vulnerabilities described in the Microsoft Security Bulletins.

Revision 1.1

19 August 2014

Included the Cyberoam Solution table.
 
2.1.8. Microsoft Security Bulletin Release for June 2014

Security Advisory

Original Publication Date: 17-06-2014

Updated Date: 20-06-2014

Microsoft published its monthly Security Bulletin on June 10, 2014. Seven bulletins were released that addressed a total of 66 vulnerabilities. The bulletins described vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, and Microsoft Lync. The vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service condition, or access sensitive information.

Cyberoam Solution:

To mitigate the vulnerabilities identified by CVE IDs mentioned in the table below, Cyberoam has released IPS Signature Versions 3.11.71 and 5.11.71. Read the Release Notes for IPS Signature Versions 3.11.71 and 5.11.71. 

CVE ID and Cyberoam IPS Signature Name

·        CVE-2014-0282: Microsoft Internet Explorer CVE-2014-0282 Remote Memory Corruption Vulnerability

·        CVE-2014-1762: Microsoft Internet Explorer CVE-2014-1762 Remote Code Execution Vulnerability

·        CVE-2014-1766: Microsoft Internet Explorer CVE-2014-1766 Remote Code Execution Vulnerability

·        CVE-2014-1772: Microsoft Internet Explorer CVE-2014-1772 Remote Memory Corruption Vulnerability

·        CVE-2014-1785: Microsoft Internet Explorer CVE-2014-1785 Remote Memory Corruption Vulnerability

·        CVE-2014-1789: Microsoft Internet Explorer CVE-2014-1789 Remote Memory Corruption Vulnerability

·        CVE-2014-1791: Microsoft Internet Explorer CVE-2014-1791 Remote Memory Corruption Vulnerability

·        CVE-2014-1795: Microsoft Internet Explorer CVE-2014-1795 Remote Memory Corruption Vulnerability

·        CVE-2014-1797: Microsoft Internet Explorer CVE-2014-1797 Remote Memory Corruption Vulnerability

·        CVE-2014-1800: Microsoft Internet Explorer CVE-2014-1800 Remote Memory Corruption Vulnerability

·        CVE-2014-1802: Microsoft Internet Explorer CVE-2014-1802 Remote Memory Corruption Vulnerability

·        CVE-2014-1804: Microsoft Internet Explorer CVE-2014-1804 CBlockContainerBlock Use After Free

·        CVE-2014-1805: Microsoft Internet Explorer CVE-2014-1805 Remote Memory Corruption Vulnerability

Note: Cyberoam Threat Research Labs is currently studying the remaining vulnerabilities. The Security Advisory will be updated as additional information is available.

The following table provides general information on the vulnerabilities described in the Microsoft Security Bulletins: 

Microsoft Security Bulletin MS14-030: Vulnerability in Remote Desktop Could Allow Tampering
CVE ID: CVE-2014-0296
Severity: Important
Attack Vectors: An attacker acting as man-in-the-middle at the start of a Remote Desktop session may be able to read information from or tamper with the RDP session.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-031: Vulnerability in TCP Protocol Could Allow Denial of Service
CVE ID: CVE-2014-1811
Severity: Important
Attack Vectors: An attacker initiates a large number of connections with malformed TCP options. Each connection temporarily consumes non-paged pool memory longer than it should, leading to resource exhaustion.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-032: Vulnerability in Microsoft Lync Could Allow Information Disclosure
CVE ID: CVE-2014-1823
Severity: Important
Attack Vectors: The victim clicks on a specially crafted malicious link to an established Lync meeting. The attacker can then take action in the context of the Lync Server service that the victim would normally have access to take.
Affected Products: Microsoft Lync Server

Microsoft Security Bulletin MS14-033: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure
CVE ID: CVE-2014-1816
Severity: Important
Attack Vectors: The victim browses to a malicious webpage or opens a malicious document, inadvertently sending the local path name of a downloaded file to the attacker. The path name by default includes the user's login name.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution
CVE ID: CVE-2014-2778
Severity: Important
Attack Vectors: The victim opens a malicious Office document.
Affected Products: Microsoft Windows

Microsoft Security Bulletin MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution
CVE ID: CVE-2014-1817, CVE-2014-1818
Severity: Critical (CVE-2014-1817); Important (CVE-2014-1818)
Attack Vectors: The victim opens a malicious graphics file or a malicious PowerPoint document.
Affected Products: Microsoft Windows, Microsoft Office, Microsoft Lync

Microsoft Security Bulletin MS14-035: Cumulative Security Update for Internet Explorer
CVE ID (Critical): CVE-2014-0282, CVE-2014-1762, CVE-2014-1766, CVE-2014-1769, CVE-2014-1770, CVE-2014-1772, CVE-2014-1773, CVE-2014-1774, CVE-2014-1775, CVE-2014-1779, CVE-2014-1780, CVE-2014-1781, CVE-2014-1782, CVE-2014-1783, CVE-2014-1784, CVE-2014-1785, CVE-2014-1786, CVE-2014-1788, CVE-2014-1789, CVE-2014-1790, CVE-2014-1791, CVE-2014-1792, CVE-2014-1794, CVE-2014-1795, CVE-2014-1796, CVE-2014-1797, CVE-2014-1799, CVE-2014-1800, CVE-2014-1802, CVE-2014-1803, CVE-2014-1804, CVE-2014-1805, CVE-2014-2753, CVE-2014-2754, CVE-2014-2755, CVE-2014-2756, CVE-2014-2757, CVE-2014-2758, CVE-2014-2759, CVE-2014-2760, CVE-2014-2761, CVE-2014-2763, CVE-2014-2764, CVE-2014-2765, CVE-2014-2766, CVE-2014-2767, CVE-2014-2768, CVE-2014-2769, CVE-2014-2770, CVE-2014-2771, CVE-2014-2772, CVE-2014-2773, CVE-2014-2775, CVE-2014-2776
CVE ID (Important): CVE-2014-1764, CVE-2014-1771, CVE-2014-1777, CVE-2014-1778, CVE-2014-2777
Severity: Critical; Important for the second CVE group
Attack Vectors: The victim browses to a malicious webpage.
Affected Products: Microsoft Windows, Internet Explorer

Revision History

Revision 1.0

17 June 2014

Initial public release containing information on the vulnerabilities described in the Microsoft Security Bulletins.

Revision 1.1

20 June 2014

Included the Cyberoam Solution table.


2.1.9. Multiple Vulnerabilities in OpenSSL

Security Advisory

Original Publication Date: 12-06-2014

Updated Date: 30-06-2014

On June 5, 2014, the OpenSSL team published a Security Advisory describing the following vulnerabilities:

·         SSL/TLS MITM vulnerability (CVE-2014-0224)

·         DTLS recursion flaw (CVE-2014-0221)

·         DTLS invalid fragment vulnerability (CVE-2014-0195)

·         SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)

·         SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)

·         Anonymous ECDH denial of service (CVE-2014-3470)

Detailed information on these vulnerabilities can be found in the original OpenSSL Security Advisory.

Like many other network security vendors, Cyberoam also uses OpenSSL; however, of the six CVEs listed above, CyberoamOS is impacted by only two: the SSL/TLS MITM vulnerability (CVE-2014-0224) and the Anonymous ECDH denial of service (CVE-2014-3470).

 

Affected CyberoamOS Versions:

·    CVE-2014-0224 – All publicly available CyberoamOS versions

·    CVE-2014-3470 – 10.6.XX only

Note: Cyberoam Threat Research Labs is currently studying these vulnerabilities and shall announce a remedial solution shortly. Once we have the solution, the advisory will be updated accordingly.

Cyberoam offers a free testing tool to check whether a web server is vulnerable to the SSL/TLS MITM vulnerability (CVE-2014-0224).

Cyberoam provides the additional information in the blog: OpenSSL continues to bleed out more flaws – more critical vulnerabilities found.


Solution

1.     Firmware Fix

The SSL/TLS MITM vulnerability (CVE-2014-0224) is fixed in firmware version 10.6.1 MR-1, released on June 27, 2014. 

Obtaining Fixed Firmware

Cyberoam customers using the 10.6.1 firmware version can download the fixed firmware 10.6.1 MR-1 from the Dashboard of their Appliances.

Cyberoam requests the customers using 10.04.XX firmware version to upgrade to the fix firmware 10.6.1 MR-1.

 

2.     IPS Signature

To mitigate the SSL/TLS MITM vulnerability (CVE-2014-0224), Cyberoam has released IPS Signature Versions 3.11.69 and 5.11.69 containing an IPS signature named “OpenSSL ChangeCipherSpec MITM Security Bypass”.

By default, once an IPS policy with the mentioned signature is applied through Firewall, connections attempting to exploit the said vulnerability will be allowed. Depending on network requirements, the default action can be changed to “Drop”. If the default action is not changed, the administrator receives an IPS Alert in the event of suspicious activity; the administrator can check the details of the alert in IPS Logs, verify whether it is a threat or a false positive, and take corrective action accordingly.

We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances. Read the Release Notes for IPS Signature Versions 3.11.69 and 5.11.69.
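What a signature for this bypass has to recognise on the wire, as an added example (not Cyberoam's signature logic and not OpenSSL code): a Python handshake-state tracker that flags a ChangeCipherSpec record arriving before the handshake has reached ClientKeyExchange, the out-of-order CCS that CVE-2014-0224 relies on. The record layout follows RFC 5246; the sample traffic is constructed inline and is not a real capture.

```python
import struct

# TLS record content types and handshake message types (RFC 5246).
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14
CLIENT_KEY_EXCHANGE = 16


def parse_records(data):
    """Split one side's byte stream into (content_type, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack_from(">BHH", data, off)
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, payload))
        off += 5 + length
    return records


def handshake_messages(payload):
    """Yield (type, body) for every handshake message carried in one handshake record."""
    off = 0
    while off + 4 <= len(payload):
        hs_type = payload[off]
        hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
        yield hs_type, payload[off + 4:off + 4 + hs_len]
        off += 4 + hs_len


def session_id(hello_body):
    """Session ID of a ClientHello/ServerHello body: after the 2-byte version and 32-byte random."""
    if len(hello_body) < 35:
        return b""
    return hello_body[35:35 + hello_body[34]]


def find_early_ccs(stream):
    """
    stream: list of (direction, record_bytes) in wire order, direction "C" or "S".
    Returns the index of the first ChangeCipherSpec seen before the handshake has
    reached ClientKeyExchange (the CVE-2014-0224 injection pattern), or None if the
    stream is clean. A resumed (abbreviated) handshake, where the server legitimately
    sends CCS straight after ServerHello, is not flagged. Handshake records a side
    sends after its own CCS are encrypted and are skipped.
    """
    client_sid, resumed, key_exchange_seen = b"", False, False
    encrypted = {"C": False, "S": False}
    for idx, (direction, raw) in enumerate(stream):
        for ctype, payload in parse_records(raw):
            if ctype == HANDSHAKE and not encrypted[direction]:
                for hs_type, body in handshake_messages(payload):
                    if hs_type == CLIENT_HELLO:
                        client_sid = session_id(body)
                    elif hs_type == SERVER_HELLO:
                        resumed = bool(client_sid) and session_id(body) == client_sid
                    elif hs_type == CLIENT_KEY_EXCHANGE:
                        key_exchange_seen = True
            elif ctype == CHANGE_CIPHER_SPEC:
                if not (key_exchange_seen or resumed):
                    return idx
                encrypted[direction] = True
    return None


# --- Constructed sample traffic (not a real capture) -------------------------
def record(ctype, payload):
    return struct.pack(">BHH", ctype, 0x0301, len(payload)) + payload


def handshake(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def client_hello(sid=b""):
    # version, 32-byte random (zeros here), session id, one cipher suite, null compression
    return handshake(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32 + bytes([len(sid)]) + sid
                     + b"\x00\x02\x00\x2f" + b"\x01\x00")


def server_hello(sid):
    return handshake(SERVER_HELLO, b"\x03\x01" + b"\x00" * 32 + bytes([len(sid)]) + sid
                     + b"\x00\x2f" + b"\x00")


CCS_RECORD = record(CHANGE_CIPHER_SPEC, b"\x01")
SERVER_FLIGHT = record(HANDSHAKE, server_hello(b"\x11" * 8)
                       + handshake(CERTIFICATE, b"\x00\x00\x00")
                       + handshake(SERVER_HELLO_DONE, b""))

# Man in the middle injects CCS towards the server before any ClientKeyExchange exists.
ATTACK_STREAM = [
    ("C", record(HANDSHAKE, client_hello())),
    ("S", SERVER_FLIGHT),
    ("C", CCS_RECORD),
]

# Ordinary full handshake: CCS only after ClientKeyExchange.
NORMAL_STREAM = [
    ("C", record(HANDSHAKE, client_hello())),
    ("S", SERVER_FLIGHT),
    ("C", record(HANDSHAKE, handshake(CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb"))),
    ("C", CCS_RECORD),
    ("C", record(HANDSHAKE, b"\xde\xad" * 8)),   # encrypted Finished, opaque to the parser
    ("S", CCS_RECORD),
]

# Session resumption: server CCS directly after a matching ServerHello is legitimate.
RESUMED_STREAM = [
    ("C", record(HANDSHAKE, client_hello(b"\x22" * 8))),
    ("S", record(HANDSHAKE, server_hello(b"\x22" * 8))),
    ("S", CCS_RECORD),
]

if __name__ == "__main__":
    for name, stream in (("attack", ATTACK_STREAM), ("normal", NORMAL_STREAM), ("resumed", RESUMED_STREAM)):
        print(name, "->", find_early_ccs(stream))
```

Session resumption sends CCS without any ClientKeyExchange, so the tracker compares the ClientHello and ServerHello session IDs before alerting; a signature that only looks for "CCS before ClientKeyExchange" will fire on every resumed connection, which is one reason to review such alerts in the IPS Logs before switching the action to "Drop".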

  

References

 ·     https://www.openssl.org/news/secadv_20140605.txt

  

Revision History 

Revision 1.0

12 June 2014

Initial public release containing information about the vulnerabilities.

Revision 1.1

13 June 2014

Included the link of Release Notes for IPS Signature Versions 3.11.69 and 5.11.69.

Revision 1.2

30 June 2014

Updated Solution section with information about CyberoamOS firmware upgrade that addresses the SSL/TLS MITM vulnerability.


2.1.10. Adaptive Computing TORQUE pbs_server count Value Validation Buffer Overflow

Security Advisory

Original Publication Date: 30-05-2014

A stack-based buffer overflow vulnerability (CVE-2014-0749) exists in older versions (2.5.x up to 2.5.13) of Adaptive Computing TORQUE, a widely used open source resource manager that provides control over batch jobs and distributed computing resources. The vulnerability is due to a misplaced bounds check in the “pbs_server” component of TORQUE.

The vulnerability was discovered by MWR Labs. To fix it, MWR Labs submitted a patch to the 2.5-dev GitHub repository, which Adaptive Computing has incorporated into its 2.5 development branch. Cyberoam recommends customers using the affected versions of TORQUE to upgrade to the fixed version.

Note: Cyberoam Threat Research Labs is currently studying this vulnerability and shall announce a remedial solution shortly. Once we have the solution, the advisory will be updated.

Affected TORQUE Versions: All 2.5 releases up to and including 2.5.13.

What is Adaptive Computing TORQUE pbs_server count Value Validation Buffer Overflow Vulnerability?

The vulnerability is due to a misplaced bounds check in the “pbs_server” component of TORQUE. Operations such as job submission and querying of job queues are handled by “pbs_server”. It was found that “pbs_server” did not perform sufficient bounds checking on incoming messages, so an attacker can submit messages carrying an overly large amount of data. Processing such an oversized message can trigger a stack-based buffer overflow, which could allow arbitrary code execution with root privileges. This can be achieved remotely and without authentication, regardless of whether the source IP address is permitted to submit jobs to TORQUE.

Cyberoam provides additional information in the blog: Vulnerability Alert – TORQUE Buffer Overflow.
 
 References

·   https://github.com/adaptivecomputing/torque/blob/2.5-dev/src/lib/Libdis/disrsi_.c

·   http://www.securityfocus.com/archive/1/archive/1/532110/100/0/threaded

·   https://labs.mwrinfosecurity.com/system/assets/662/original/torque-buffer-overflow_2014-05-14.pdf

·   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0749

 
Revision History
 

Revision 1.0

30 May 2014

Initial public release containing information on the vulnerability.


2.1.11. Linux Kernel Race Condition DoS Vulnerability

 

Security Advisory

 

Original Publication Date: 30 May, 2014

 

A Linux kernel security update addressing the vulnerability (CVE-2014-2706) in Linux kernel versions prior to 3.13.7 was released on May 27, 2014. The vulnerability is considered high risk, and the Red Hat Security Response Team has rated the update as having Important security impact.

 

A Linux kernel built with a Generic IEEE 802.11 Networking Stack (MAC80211) implementation is vulnerable to a crash caused by a Race Condition. The race between the TX and the STA wakeup code paths can trigger a system crash. A remote unprivileged attacker may use this flaw to crash the system kernel, resulting in Denial of Service (DoS).

 

Note: Cyberoam Threat Research Lab is currently analysing the impact of the vulnerability and will publish the response as solution or additional information in this advisory.

 

Affected Products

 

·         Linux Kernel 3.13.x to 3.13.7

·         Linux Kernel 3.12.x to 3.12.15

·         Linux Kernel 3.10.x to 3.10.34

·         Linux Kernel 3.4.x to 3.4.84

·         Linux Kernel 3.2.x to 3.2.56

Cyberoam provides the additional information in the blog: Vulnerability Alert – Linux Kernel Wireless 802.11 Race Condition Denial of Service

 

 

Solution

 

Apply the patch for this vulnerability, available from the Linux Kernel GIT Repository.

 

References

 

·         http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2706

·         https://access.redhat.com/security/cve/CVE-2014-2706

Revision History

 

Revision 1.0

30 May, 2014

Initial public release containing information on the vulnerability and vendor patch availability.


2.1.12. Apache ‘mod_wsgi’ Information Disclosure Vulnerability

Security Advisory

Original Publication Date: 29-05-2014

On 21 May 2014, Graham Dumpleton released mod_wsgi 3.5, which fixes an information disclosure vulnerability in the Apache HTTP Server module ‘mod_wsgi’. Cyberoam recommends all customers to update their mod_wsgi installations to the latest version. For more information, please refer to Graham Dumpleton's release announcement.

Note: Cyberoam Threat Research Labs is currently studying this vulnerability and shall announce a remedial solution shortly. Once, we have the solution the advisory will be updated.

What is the Information Disclosure Vulnerability?

An information disclosure vulnerability (CVE-2014-0242) exists in the Apache HTTP Server module ‘mod_wsgi’. The vulnerability is due to a memory handling error in mod_wsgi when processing a malicious Content-Type header. It may allow an attacker to cause arbitrary corruption of the Content-Type value in the HTTP response, which could result in information disclosure to the HTTP client.

Cyberoam provides the additional information in the blog: Vulnerability Alert – Information Disclosure Vulnerability in Apache HTTP Server mod_wsgi.                                             

Affected Software Versions

  • Graham Dumpleton mod_wsgi prior to 3.5


Revision History

Revision 1.0

29 May 2014

Initial public release containing information on the Vulnerability

2.1.13. Multiple Vulnerabilities in Cisco NX-OS

Security Advisory

 Original Publication Date: 27-05-2014

Cisco released software updates in May 2014 for multiple products running Cisco NX-OS Software, which fixed the following vulnerabilities:

·         Cisco NX-OS Virtual Device Context SSH Privilege Escalation Vulnerability

·         Cisco NX-OS Virtual Device Context SSH Key Privilege Escalation Vulnerability

·         Cisco NX-OS-Based Products Smart Call Home Buffer Overflow Vulnerability

·         Cisco NX-OS Message Transfer Service Denial of Service Vulnerability

Cyberoam recommends all customers to update their Cisco product installations to the latest versions. For more information, please refer to the Cisco Security Advisory.

Note: Cyberoam Threat Research Labs is currently studying these vulnerabilities and shall announce a remedial solution shortly. Once we have the solution, the advisory will be updated.

 
Information about the Vulnerabilities 
 

Cisco NX-OS Virtual Device Context SSH Privilege Escalation Vulnerability (CVE-2014-2200)

This vulnerability exists in the Cisco NX-OS based devices when multiple virtual device contexts (VDC) exist in the system and local authentication is configured. This vulnerability allows a remote, authenticated attacker to obtain administrator privileges in another VDC by accessing the management interfaces via SSH of an affected device. Under certain conditions, the attacker can take complete control of the compromised device.

Cisco NX-OS Virtual Device Context SSH Key Privilege Escalation Vulnerability (CVE-2013-1191)

This vulnerability exists in Cisco NX-OS based devices when multiple virtual device contexts (VDCs) exist in the system and local authentication is configured. It allows a remote, authenticated attacker to modify the login information provided as part of the SSH key file by accessing the SSH management interfaces of an affected device.

Cisco NX-OS-Based Products Smart Call Home Buffer Overflow Vulnerability (CVE-2014-3261)

This vulnerability exists in Cisco NX-OS based devices that support the Smart Call Home feature set. It allows an unauthenticated, remote attacker to trigger a buffer overflow condition. Successful exploitation could lead to arbitrary code execution with elevated privileges on the affected device.

Cisco NX-OS Message Transfer Service Denial of Service Vulnerability (CVE-2014-2201)

This vulnerability exists in the Message Transfer Service (MTS) of Cisco NX-OS. It is due to a NULL pointer dereference that occurs when the affected device is heavily loaded. A remote attacker could exploit it to trigger a denial of service (DoS) condition on the affected device.

Cyberoam provides the additional information in the blog: Vulnerability Alert – Cisco NX-OS-Based Products Affected                                                                                         

Affected Software Versions 

·         Cisco Systems NX-OS 6.1(4a) and prior

·         Cisco Systems NX-OS 6.0

·         Cisco Systems NX-OS 1.4(1h) and prior

·         Cisco Systems NX-OS 1.3

·         Cisco Systems NX-OS 1.2

·         Cisco Systems NX-OS 1.1

·         Cisco Systems NX-OS 1.0

·         Cisco Systems NX-OS 5.x

·         Cisco Systems NX-OS 4.x

 References

·        http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos

 Revision History 

Revision 1.0

27 May 2014

Initial public release containing information about the vulnerabilities.


2.1.14. HP Release Control Authenticated Privilege Escalation

Security Advisory

Original Publication Date: 29-05-2014

A privilege escalation vulnerability has been found in HP Release Control 9.20.0000, Build 395. The vulnerability is due to a design weakness that can allow an unprivileged authenticated user to find out current users, admin ID and also their password hashes. Though the exploit code is publicly available, HP has not yet released an advisory regarding this vulnerability.

Note: This advisory will be updated as additional information is available.

What is HP Release Control Authenticated Privilege Escalation Vulnerability?

The HP Release Control Authenticated Privilege Escalation Vulnerability allows an unprivileged authenticated user to find out current users, admin ID and also their password hashes. Upon successful exploitation of this vulnerability, an attacker can send requests to the password change AMF endpoint to change the admin password. The vulnerability, if exploited successfully, can have serious consequences; as it gives full ROOT level access to the unprivileged authenticated user.

Cyberoam provides the additional information in the blog: Vulnerability Alert – HP Release Control Authenticated Privilege Escalation.

Solution

1.  IPS Signature

To mitigate the HP Release Control Authenticated Privilege Escalation Vulnerability,Cyberoam has released IPS Signature Versions 3.11.67 and 5.11.67 containing IPS signature named “HP Release Control Authenticated Privilege Escalation”. By default, once the IPS policy with the mentioned signature is applied through Firewall, all connections attempting to exploit the said vulnerability will be dropped. We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances.

Read the Release Notes for IPS Signature Versions 3.11.67 and 5.11.67.

References

·    http://seclists.org/fulldisclosure/2014/May/77

·    https://gist.github.com/brandonprry/1ed5633fa7ba18538f02


Revision History
 

Revision 1.0

29 May 2014

Initial public release containing information about the vulnerability and how to use Cyberoam IPS to mitigate the same.


2.1.15. Symantec Workspace Streaming XML-RPC Arbitrary File Upload

Security Advisory

Original Publication Date: 27-05-2014

Updated Date: 29-05-2014

On May 12, 2014, Symantec published a Security Advisory informing its users about an arbitrary file upload vulnerability in Symantec Workspace Streaming (SWS) version 7.5.x and prior. The vulnerability exists in the functionality used to process incoming XMLRPC requests as the management server for SWS does not properly handle external XMLRPC requests. The vulnerability could potentially allow unauthorized access to restricted server-side data and server functionality.
 
Affected Versions: Symantec Workspace Streaming (SWS) version 7.5.x and prior.

Note: This advisory will be updated as additional information is available.

What is Symantec Workspace Streaming XML-RPC Arbitrary File Upload Vulnerability?

As mentioned earlier, the vulnerability exists because the management server for SWS does not properly handle incoming HTTPS XMLRPC requests. This could allow an attacker with unauthorized access to sensitive server-side files and functionality. With the help of a sufficiently crafted XMLRPC request, the attacker could place arbitrary code on the SWS server. Successful execution of the arbitrary code would allow the attacker to create a back door on the targeted server, resulting in unauthorized privileged access to the SWS server.

Cyberoam provides the additional information in the blog: Vulnerability Alert – Symantec Workspace Streaming Arbitrary File Upload.

Solution

1.  IPS Signature

To mitigate the Symantec Workspace Streaming XML-RPC Arbitrary File Upload Vulnerability, Cyberoam has released IPS Signature Versions 3.11.67 and 5.11.67 containing an IPS signature named “Symantec Workspace Streaming XML-RPC Arbitrary File Upload Vulnerability”.

By default, once the IPS policy with the mentioned signature is applied through Firewall, all connections attempting to exploit the said vulnerability will be allowed. As the default action for the signature is “Allow”, Cyberoam customers using Symantec Workspace Streaming (SWS) version 7.5.x and prior should modify the default action to “Drop”. If the default action is not changed to "Drop", in the event of a suspicious activity, the administrator would receive an IPS Alert. The administrator can check the details of the alert from IPS Logs, verify if it is a threat or false positive and accordingly, take the corrective actions.

We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances. Read the Release Notes for IPS Signature Versions 3.11.67 and 5.11.67.

2.   After upgrading the IPS Signature Version, Cyberoam recommends all the customers using affected Symantec Workspace Streaming (SWS) version i.e. 7.5.x and prior, to upgrade to the recently released fix version - SWS 7.5.0.749 (7.5 SP1). The update is available through Symantec File Connect.


References

·        http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00

Revision History

Revision 1.0

27 May 2014

Initial public release containing information on the vulnerability.

Revision 1.1

29 May 2014

Added the Solution section with information about how to use Cyberoam IPS to mitigate the vulnerability.


2.1.16. Multiple Vulnerabilities in ASUS RT series routers

Security Advisory

Original Publication Date: 26-05-2014

Updated Date: 26-05-2014

In April this year, ASUS released a firmware update (3.0.0.4.374.5656) for multiple RT series of routers that resolved multiple publicly disclosed vulnerabilities including a Remote Code Execution (CVE-2013-5948), a Password Disclosure (CVE-2014-2719) and a Cross-Site Scripting (CVE-2014-2925) vulnerability.

Note: This advisory will be updated as additional information is available.

Affected ASUS Routers:

·   Asus RT-N12 D1 Router

·   Asus RT-N10U B Router

·   Asus RT-AC56U Wireless Router

·   Asus RT-N66W Router

·   Asus RT-N66R Router

·   Asus RT-AC66U Router

·   Asus RT-AC66R Router

 

Information about the Vulnerabilities

·   Remote Code Execution Vulnerability (CVE-2013-5948)

This vulnerability allows for an authenticated user to perform arbitrary command execution within the Network Tools of web management interface of the affected ASUS RT series routers. The vulnerability is due to a bug with the "Network Analysis" tab of this web management interface, that results in granting remote command execution to logged in users.

·   Password Disclosure Vulnerability (CVE-2014-2719)

This vulnerability allows remote authenticated users of affected ASUS RT series routers to obtain the administrator user name and password by viewing the page source, because the page embeds the login credentials in plain text. Thus, if the administrator is logged in, an attacker can browse to <router_address>/Advanced_System_Content.asp and easily read the administrator's username and password.

·   Cross-Site Scripting Vulnerability (CVE-2014-2925)

This vulnerability allows attacks against users of the web management interface of the affected ASUS RT series routers. An attacker can lure a user into clicking a link carrying malicious content, which then executes in the context of the victim's browser. The bug lies in the "Wireless" tab of the web management interface and lets an attacker execute malicious content within another user's browser.

Cyberoam provides the additional information in the blog: Vulnerability Alert – Multiple ASUS products affected.

Solution

1.    IPS Signature

To mitigate the mentioned vulnerabilities, Cyberoam has released IPS Signature Versions 3.11.66 and 5.11.66 containing IPS signatures named “Asus RT Series Remote Code Execution Vulnerability”, “Asus RT Series Password Disclosure Vulnerability” and “Asus RT Series Cross Site Scripting Vulnerability”.

By default, once the IPS policy with the mentioned signatures is applied through Firewall, connections attempting to exploit the said vulnerabilities will be allowed. However, in the event of suspicious activity, the administrator would receive an IPS Alert. The administrator can check the details of the alert from IPS Logs, verify whether it is a threat or a false positive and take corrective action accordingly. Cyberoam customers using RT series routers running firmware lower than 3.0.0.4.374.5656 should modify the default action of all three signatures to “Drop”.

We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances. Click here to read the Release Notes for IPS Signature Versions 3.11.66 and 5.11.66.

2.   After upgrading the IPS Signature Version, Cyberoam recommends all customers using affected RT series routers to upgrade to the recently released fixed firmware version (3.0.0.4.374.5656).

 

References

·        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5948

·        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2719

·        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2925

 

Revision History
 
 

Revision 1.0

26 May 2014

Initial public release containing information about the vulnerabilities.

Revision 1.1

26 May 2014

Added Solution section with information about how to mitigate the vulnerabilities using Cyberoam IPS.


2.1.17. Remote Code Execution Vulnerability in Oracle Java

 

Security Advisory

 

Original Publication Date: 23-05-2014

 

Updated Date: 26-05-2014

 

Oracle released a Critical Patch Update on April 15, 2014 for multiple products affected by the Remote Code Execution vulnerability (CVE-2014-0456). Systems running affected versions of the product are exposed to attacks in which malicious code is executed with elevated user/administrator privileges. Attacks may be staged by presenting an authentic-looking website or web service to users and manipulating the user's response so that the malicious code runs.

This code execution vulnerability is due to a race condition in the System.arraycopy() method.

 

Given the serious nature of the vulnerability, Oracle released the update patch for the affected versions; refer to Oracle Critical Patch Update Advisory - April 2014. It is strongly recommended to update systems running the affected versions of the product.

 

Note: Cyberoam Threat Research Labs is currently studying this vulnerability and shall announce a remedial solution shortly. Once, we have the solution, the advisory will be updated.

 

For additional information, read the Cyberoam blog Remote Code Execution Vulnerability (CVE-2014-0456) Found in Oracle Java.

 


Affected Oracle Java Versions

 

·         SE 6u71

·         SE 7u51

·         SE 8

·         SE Embedded 7u51


Solution

 

      1.     Update your Oracle Java product from the following links:

 

a.    Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8

b.    Oracle Java SE Embedded, version 7u51


2.     IPS Signature 

To mitigate the Remote Code Execution vulnerability, Cyberoam has released IPS Signature Versions 3.11.66 and 5.11.66 containing an IPS signature named “Oracle Java System.arraycopy Race Condition Vulnerability”. By default, once the IPS policy with the mentioned signatures is applied through Firewall, the connections attempting to exploit the said vulnerability will be allowed. However, in the event of a suspicious activity, the administrator would receive an IPS Alert. The administrator can check the details of the alert from IPS Logs, verify if it is a threat or false positive and accordingly, take the corrective actions.

Cyberoam customers using the affected versions of Oracle Java products should modify the default action of the signature to "Drop".

We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances.

Click here to read the Release Notes for IPS Signature Versions 3.11.66 and 5.11.66.


References

 

·         http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

·         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456


Revision History

 

Revision 1.0

23  May, 2014

Initial public release of vulnerability information.

Revision 1.1

26 May, 2014

Added IPS Signature in the Solution section with links for Release Notes of IPS Signature Versions 3.11.66 and 5.11.66

 

2.1.18. Mozilla Firefox TypeObject Use-after-free Vulnerability

Security Advisory

Original Publication Date: 23-05-2014

Updated Date: 26-05-2014

On 18 March 2014, Mozilla released security updates for Mozilla Firefox versions prior to 28.0, Firefox ESR 24.x versions prior to 24.4, Thunderbird versions prior to 24.4 and SeaMonkey versions prior to 2.25, which fixed the Use-after-free Vulnerability. Cyberoam recommends all customers to update their Mozilla product installations to the latest versions. For more information, please refer to Mozilla Foundation Security Advisory 2014-30.

Note: This advisory will be updated as additional information is available.

What is the Use-after-free Vulnerability?

The Use-after-free vulnerability (CVE-2014-1512) is a vulnerability in the TypeObject class of the JavaScript engine. It is due to a use-after-free condition when handling TypeObjects under memory pressure. A remote attacker could exploit this vulnerability by enticing a user to open a crafted webpage. Successful exploitation could allow the attacker to execute arbitrary code in the context of the currently logged in user by triggering extensive memory consumption during garbage collection.

Cyberoam provides the additional information in the blog: Vulnerability Alert – Use After Free condition in Mozilla Firefox.

Solution

 1.    IPS Signature

To mitigate the Use-after-free vulnerability, Cyberoam has released IPS Signature Versions 3.11.66 and 5.11.66 containing an IPS signature named “Mozilla Firefox TypeObject Use After Free Vulnerability”. By default, once the IPS policy with the mentioned signature is applied through Firewall, connections attempting to exploit the said vulnerability will be allowed. However, in the event of suspicious activity, the administrator would receive an IPS Alert. The administrator can check the details of the alert from IPS Logs, verify whether it is a threat or a false positive and take corrective action accordingly.

Cyberoam customers using the affected versions of Mozilla products should modify the default action of the signature to "Drop".

We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances.

Click here to read the Release Notes for IPS Signature Versions 3.11.66 and 5.11.66.


References

 ·       http://www.mozilla.org/security/announce/2014/mfsa2014-30.html

·        http://www.rapid7.com/db/vulnerabilities/mfsa2014-30-cve-2014-1512

·        http://telussecuritylabs.com/threats/show/TSL20140520-07

·        http://www.cvedetails.com/cve/CVE-2014-1512/

 

Revision History

Revision 1.0

23 May 2014

Initial public release containing information on the vulnerability

Revision 1.1

26 May 2014

Added Solution section with links for Release Notes of IPS Signature Versions 3.11.66 and 5.11.66


2.1.19. OpenSSL Heartbleed Vulnerability Fix
2.1.19.1. Security Advisory

Security Advisory

Original Publication Date: 11-04-2014
 
Updated Date: 26-04-2014

On April 7, 2014, the OpenSSL team released a critical update for their popular SSL/TLS package (OpenSSL 1.0.1g), which fixed the OpenSSL Heartbleed Vulnerability. Cyberoam, like many other vendors, also uses OpenSSL, but we are happy to announce that most of the publicly available versions of CyberoamOS are not affected, as they do not run the affected versions of OpenSSL.

Only a limited number of customers have affected versions. For the affected versions, Cyberoam released firmware upgrade 10.6.1 RC-4 on April 12, 2014. We request all customers using the affected versions to upgrade to this version immediately.
 
Note: This advisory will be updated as additional information is available.
 

What is the Heartbleed Vulnerability?

 
An information disclosure vulnerability (CVE-2014-0160) has been discovered in the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1. It is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. The vulnerability allows an attacker to retrieve up to 64 kilobytes of memory per request from a connected client or server. This means an attacker can obtain sensitive information (private keys, login credentials for Internet banking, e-mail or social networking sites, or the contents of encrypted traffic) from a connected client or server by sending specially crafted TLS “heartbeat” requests.
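The missing bounds check described above, as an added example (not Cyberoam's IPS signature and not OpenSSL code): a Python function that inspects one TLS heartbeat record and applies the length test the OpenSSL fix introduced, 1 + 2 + payload_length + 16 must not exceed the record length. It also reports how far past the end of the record an unpatched peer would read when building its reply. The sample records are constructed inline and are not captured traffic.

```python
import struct

HEARTBEAT = 24            # TLS content type of the heartbeat extension (RFC 6520)
HEARTBEAT_REQUEST = 1
HEADER_LEN = 3            # 1-byte type + 2-byte payload_length
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of random padding


def inspect_heartbeat(record):
    """
    Inspect one TLS record. Returns None if it is not a heartbeat; otherwise a
    dict with the declared payload length ("claimed"), the bytes the record
    actually carries after the 3-byte heartbeat header ("carried"), "malformed"
    set when 1 + 2 + claimed + 16 > record length (the check unpatched OpenSSL
    omitted, CVE-2014-0160), and "over_read", the number of bytes past the end
    of the record a vulnerable peer would copy into its heartbeat response.
    """
    if len(record) < 5:
        raise ValueError("short TLS record")
    ctype, _version, rec_len = struct.unpack_from(">BHH", record, 0)
    if ctype != HEARTBEAT:
        return None
    body = record[5:5 + rec_len]
    if len(body) < HEADER_LEN:
        return {"type": None, "claimed": 0, "carried": len(body), "malformed": True, "over_read": 0}
    hb_type, claimed = struct.unpack_from(">BH", body, 0)
    carried = len(body) - HEADER_LEN
    return {
        "type": hb_type,
        "claimed": claimed,
        "carried": carried,
        "malformed": HEADER_LEN + claimed + MIN_PADDING > len(body),
        "over_read": max(0, claimed - carried),
    }


# --- Constructed sample records (not captured traffic) -------------------------
def heartbeat_record(claimed, payload, padding=b"\x00" * MIN_PADDING):
    body = struct.pack(">BH", HEARTBEAT_REQUEST, claimed) + payload + padding
    return struct.pack(">BHH", HEARTBEAT, 0x0302, len(body)) + body


BENIGN = heartbeat_record(4, b"ping")                     # claims 4 bytes, carries 4 plus padding
HEARTBLEED = heartbeat_record(0x4000, b"")                 # claims 16384 bytes, carries only padding
NO_PADDING = heartbeat_record(0x4000, b"", padding=b"")    # the bare probe most scanners send
APP_DATA = struct.pack(">BHH", 23, 0x0302, 5) + b"hello"   # an application data record, not a heartbeat

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("heartbleed", HEARTBLEED), ("no_padding", NO_PADDING)):
        print(name, inspect_heartbeat(rec))
```

A network-side check like this only sees heartbeat requests in cleartext before the handshake completes (the usual position of a Heartbleed probe); once the session is encrypted, the IPS can no longer read the heartbeat header, which is why the firmware fix rather than the signature is the real remedy.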
 

Cyberoam provides the additional information in the blog: Cyberoam Users Need not Bleed over Heartbleed Exploit.

 
Affected CyberoamOS Versions

·  10.6.0 Beta-3
·  10.6.1 RC-1
·  10.6.1 RC-3
 
Workaround

1. Firmware Fix

The vulnerability is fixed in firmware 10.6.1 RC-4, which Cyberoam released for the affected CyberoamOS versions on April 12, 2014. Please note that this vulnerability does not affect any other, earlier version of CyberoamOS.

Obtaining Fixed Firmware

Cyberoam customers using the affected versions can download the fixed firmware 10.6.1 RC-4 from the Dashboard of their Appliances.
 
2. IPS Signature 

To mitigate the Heartbleed vulnerability, Cyberoam has released IPS Signature Versions 3.11.61 and 5.11.61 containing an IPS signature named “OpenSSL TLS DTLS Heartbeat Information Disclosure”. By default, once the IPS policy with the signature “OpenSSL TLS DTLS Heartbeat Information Disclosure” is applied through Firewall, all SSL connections attempting to exploit the said vulnerability will be dropped. We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances.

Click here to read the Release Notes for IPS Signature Versions 3.11.61 and 5.11.61.

Click here for detailed information on applying the Firmware Fix and updating the IPS Signature Version.

3. After upgrading or taking steps to mitigate this vulnerability, Cyberoam also recommends all customers to apply the fix provided by the OpenSSL team in their own applications, such as web services, that use the affected versions of OpenSSL.

4. Cyberoam recommends disabling all non mission-critical SSL services and applications running on the affected OpenSSL versions.

5. In addition, Cyberoam recommends renewing/updating all Digital Certificates, including the Appliance Certificate, SSL CA Certificate and Self Signed Certificate. Click here for detailed information on renewing/updating a Digital Certificate.
 
References

·   http://heartbleed.com/


Revision History 
  

 Revision 1.0

 11 April 2014

Initial public release containing information about Affected CyberoamOS Versions and How to Mitigate the Vulnerability using Cyberoam IPS.

 Revision 1.1

 12 April 2014

Updated Solution section with information about CyberoamOS firmware upgrade that addresses the vulnerability.

 Revision 1.2

 14 April 2014

Updated Solution section with links for Release Notes of IPS Signature Versions 3.11.61 and 5.11.61

 Revision 1.3
 26 April 2014

Updated Solution section with links to the KB articles titled “Mitigate Heartbleed Vulnerability: Firmware Fix” and “Mitigate Heartbleed Vulnerability: Additional Security Fix”.
 

Document Version: 1.3-26/04/2014
 

 

2.1.19.2. Mitigate Heartbleed Vulnerability: Firmware Fix

Applicable Version: 10.6.X onwards

Overview

What is Heartbleed Vulnerability?

The OpenSSL Heartbleed vulnerability (CVE-2014-0160) affects the 1.0.1 and 1.0.2-beta releases of OpenSSL, up to and including 1.0.1f and 1.0.2-beta1. It is caused by a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension: the peer copies as many bytes into the heartbeat response as the request's payload_length field claims, without checking how many bytes were actually received. An attacker can therefore read up to 64 kilobytes of process memory from a connected client or server per specially crafted TLS “heartbeat” request, and can repeat the request to collect more, which exposes sensitive information such as private keys, session cookies and passwords.

Which Cyberoam Firmware Versions does it affect?

The only Cyberoam firmware releases affected by this vulnerability are the controlled (non-GA) firmware releases in the 10.6.XX line:

1. 10.6.0 Beta-3
2. 10.6.1 RC-1
3. 10.6.1 RC-3

For details on affected Cyberoam firmware release versions, refer to the Security Advisory published by Cyberoam.

How do I test?

Because this vulnerability has caused quite a stir and has a significant impact on the security of servers worldwide, Cyberoam has posted a Heartbleed Test tool on the Cyberoam Security Center, enabling customers to test their sites for the presence of the vulnerability. Note that a negative test only shows that a server is not vulnerable now; it cannot show whether the server was exploited before it was patched, since exploitation leaves no trace in the server's logs. Digital certificates, secret keys and usernames/passwords are the authentication entities of an SSL session. Any system or server that may have been exposed to this vulnerability should regenerate all of them on the assumption that an attacker has already used the vulnerability to obtain them.

Cyberoam Fix

Cyberoam recommends the following step-wise comprehensive approach to deal with Heartbleed Vulnerability:

1. Upgrade affected firmware to the latest version, 10.6.1 RC-4, which fixes the Heartbleed vulnerability.

2. Upgrade the IPS signatures to IPS Signature versions 3.11.61 and 5.11.61 on all Cyberoam firmware versions, GA and 10.6.X alike (including the unaffected GA firmware versions). The latest IPS signatures protect web servers and other applications behind the appliance that use an affected version of OpenSSL.

3. Mitigate further risk by regenerating certificates, keys and user credentials.

Configuration

You must log on to the Web Admin Console as an Administrator with Read-Write permission for relevant feature(s).

Step 1: Confirm Firmware Release Version

Check the Cyberoam firmware version in use from the Web Admin Console Dashboard.

 

 For all affected firmware versions, the upgrade is available. You can confirm its availability by clicking the [Check for Upgrades] link in the Appliance Information doclet. A confirmation message is displayed as shown.

 

Step 1 (continued): Apply the Firmware Fix: Upgrade to the latest firmware

The affected versions must be updated to the latest version, 10.6.1 RC-4, by downloading and applying the new firmware image.

To download the latest firmware:

On the Dashboard, click on the new firmware download link. Download and Save the firmware image.

 

To apply the Upgrade

Go to System> Maintenance > Firmware and click the icon to upload the new firmware image.

 
 
In the pop-up window, click Browse and select the downloaded firmware image file. Click Upload and Boot to upgrade to the new firmware. It may take several minutes to complete the Upgrade procedure depending on the appliance.

 
 
To confirm the status of upgrade, go to System > Maintenance > Firmware and check the active status of the uploaded firmware.
 

The firmware update is also possible through the Customer Account portal, for details, refer article Upgrade Firmware of Cyberoam Appliance.

Step 2: Mitigate risk by configuring/upgrading IPS signatures

Cyberoam has released IPS Signature versions 3.11.61 and 5.11.61, containing the IPS signature named OpenSSL TLS DTLS Heartbeat Information Disclosure, to mitigate the risks arising from the OpenSSL vulnerability. Once the IPS signature database has been updated and synchronized, an IPS policy containing this signature must be applied in a firewall rule so that SSL connections attempting to exploit the vulnerability are dropped.

To check the IPS Signature Version, refer the Web Admin Console Dashboard. By default, the IPS Signatures are updated automatically. It can also be updated manually, for details, refer article Upgrade IPS Signature Manually.

In network scenarios where web servers using OpenSSL packages are placed in the DMZ, it is highly recommended that the IPS policy is applied to the firewall rule defined for that zone (for example, the WAN to DMZ rule). Note that the signature is a network-level mitigation, not a fix: it protects only servers whose traffic crosses an inspected firewall rule, so the affected servers themselves must still be patched.

Note:

– IPS is a subscription module. You must confirm that the IPS module is subscribed before configuring the IPS policy.

1. Default or Custom IPS implementation

If a default or custom IPS policy is already applied on the firewall rule, no further configuration is required. It is nevertheless recommended that you confirm that the IPS Signature version has been upgraded to the latest version.

To check the IPS Signature Version, refer the Web Admin Console Dashboard.

2. If IPS is NOT implemented currently

A. Applicable firmware: 10.6.1 and later (10.6.1 RC-1, 10.6.1 RC-3, 10.6.1 RC-4)

Cyberoam provides pre-configured default IPS policy templates which can be applied through Firewall Rule to protect web servers. You can also create custom IPS policy based on these IPS policy templates from IPS > Policy > Policy.

Go to Firewall > Rule and select the Firewall Rule on which IPS policy is to be applied.

 

Under Advanced settings > Security Policies, apply the desired IPS policy. You can select any policy from the list of default or custom policies or add a new IPS policy. In this example, we select the default IPS policy WAN TO DMZ.

 

 
B.   Applicable firmware: versions earlier than 10.6.1

a.    Add IPS policy

Go to IPS > Policy > Policy and click Add.

 
 
Specify a Name for the policy as Heartbleed. Check the signature category Exploit from the list of categories. Click OK to add the policy.

 


b.   Apply IPS policy in firewall
 
Go to Firewall > Rule and select the Firewall Rule on which the policy is to be applied.

 
 
Under Advanced settings > Security Policies, apply the IPS policy created in step a.

 

 

With the above IPS configuration, the appliance drops all SSL connections attempting to exploit the vulnerability in the traffic between the WAN and DMZ zones that matches the firewall rule.
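The signature itself is not published, so as an added example (not Cyberoam's signature code) here is the check such a signature has to make, written in Python over constructed TLS and DTLS records: a heartbeat request is an exploit attempt when the payload_length it claims, plus the 3-byte heartbeat header and the minimum 16 bytes of padding that RFC 6520 requires, exceeds what the record actually delivered. The sample records are constructed for the example; the DTLS record layout (a 13-byte header with epoch and sequence number) follows RFC 6347.

```python
import struct

HEARTBEAT = 24          # record content type for heartbeat messages (RFC 6520)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of random padding
DTLS_VERSIONS = (0xFEFF, 0xFEFD)  # DTLS 1.0 and 1.2 as encoded on the wire


def heartbeat_body(record):
    """Return ('TLS'|'DTLS', body) if `record` is a heartbeat record, else None.

    TLS record header:  type(1) version(2) length(2)
    DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2)
    """
    if len(record) < 5 or record[0] != HEARTBEAT:
        return None
    version = struct.unpack("!H", record[1:3])[0]
    if version in DTLS_VERSIONS:
        if len(record) < 13:
            return None
        length = struct.unpack("!H", record[11:13])[0]
        return "DTLS", record[13:13 + length]
    length = struct.unpack("!H", record[3:5])[0]
    return "TLS", record[5:5 + length]


def verdict(record):
    """'drop' if the record is a Heartbleed-style request, otherwise 'pass'."""
    parsed = heartbeat_body(record)
    if parsed is None:
        return "pass"                     # not a heartbeat record: signature does not apply
    _, body = parsed
    if len(body) < 3:
        return "drop"                     # truncated heartbeat header
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return "pass"                     # only requests trigger the over-read
    # A well-formed request is exactly 3 + payload_length + padding(>=16) bytes.
    # If payload_length claims more than the record delivered, a vulnerable
    # peer copies that many bytes of its own memory into the response.
    if claimed + 3 + MIN_PADDING > len(body):
        return "drop"
    return "pass"


def filter_stream(records):
    """Apply verdict() to a list of captured records; returns (passed, dropped) lists."""
    passed, dropped = [], []
    for rec in records:
        (dropped if verdict(rec) == "drop" else passed).append(rec)
    return passed, dropped


# Constructed samples (not captured traffic): the classic 16 KB over-read request
# over TLS 1.1, the same over DTLS 1.0, a legitimate 4-byte heartbeat with 16 bytes
# of padding, and a handshake record the signature must ignore.
SAMPLES = {
    "tls_exploit":  bytes.fromhex("1803020003014000"),
    "dtls_exploit": bytes.fromhex("18feff00000000000000010003014000"),
    "tls_benign":   bytes.fromhex("1803020017010004") + b"ping" + b"\x00" * 16,
    "handshake":    bytes.fromhex("160302000100"),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:13s} -> {verdict(rec)}")
```

This check reads payload_length from the record in the clear. Once a TLS handshake has completed, heartbeat bodies are encrypted like any other record, so an IPS can only apply it to heartbeats sent before ChangeCipherSpec, which is where the published exploits send them. That is one more reason the firmware fix, not the signature, is the real remedy.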

Step 3: Mitigate further risks: Security Best Practices
 
As the extent of exposure cannot be determined and the risks involved are high, we further recommend a clean-up process in case an attacker has acquired passwords, certificates or secret keys that could be used to gain access to your network.

Administrators are strongly recommended to revoke and regenerate digital certificates, secret keys and login credentials for all relevant services. For details, refer to the article Mitigate Heartbleed Vulnerability: Additional Security Fix.

Note:

- Cyberoam encourages its customers to be vigilant with the security of their online accounts, change account passwords periodically as well as use complex passwords.

                                                                                                                                                                                   Document Version 2.0 – 26 April, 2014

2.1.19.3. Mitigate Heartbleed Vulnerability: Additional Security Fix

Applicable Version: 10.00 onwards

Overview

How can I determine if my systems have already been attacked?

There is no way to determine whether systems or servers have been attacked or whether their secret keys have been leaked, because exploitation of this bug leaves no trace in the server's logs. Any system or server that uses or has used a vulnerable OpenSSL version must therefore be assumed to be compromised.

What information could have been compromised if the Heartbleed vulnerability is exploited?

The vulnerability can allow the attacker to obtain critical information such as Digital Certificates, Secret Keys or User and Administrator Passwords. 

How does Cyberoam address the Heartbleed Vulnerability?

Refer article Mitigate Heartbleed Vulnerability: Firmware Fix.

What additional steps need to be taken to counter further exploitation or unauthorized use of leaked information?

Based on security best practices, it is strongly recommended that you change or reset all passwords and regenerate all private keys and certificates used for SSL/TLS and VPN. All active sessions, including user and VPN sessions, must also be reset, since session data may have been leaked as well.

Configuration

You must log on to the Web Admin Console as an Administrator with Read-Write permission for relevant feature(s).

Step 1: Renew/Update Digital Certificates

Digital certificates issued by a Certificate Authority (CA) are exchanged between communicating parties to establish an SSL connection. Revoking and regenerating these certificates replaces the private keys behind them, which restores secure communication in case the old private keys have leaked.

Cyberoam uses digital certificates for HTTPS scanning and VPN authentication. Customers can use certificates issued by Cyberoam itself or by any third-party CA. All certificates in use must be revoked and regenerated; customers using third-party certificates must request a new certificate from the certificate provider. Regenerate certificates only after the firmware fix has been applied: keys generated on an appliance that is still vulnerable can be leaked in the same way.

Regenerate Appliance Certificate

Go to System > Certificate > Certificate and click the icon to regenerate the Appliance Certificate.

 

Regenerate SSL CA Certificate

Go to System > Certificate > Certificate and click the icon corresponding to the Cyberoam_SSL_CA certificate to regenerate a unique SSL CA Certificate.
 

Regenerate Self Signed Certificate

1. Go to System > Certificate > Certificate and click the icon to revoke the Self Signed Certificate.

 

Revoked certificates are added to the Certificate Revocation List (CRL) and are not used for SSL communication.

2. After revoking the self-signed certificate, create a new Self Signed Certificate from System > Certificate > Certificate.

Revoke Third-Party Certificate

Request your trusted third party CA or certificate provider to generate a new certificate. Once the new certificate has been issued by the provider, revoke the old certificate and use the new certificate.

Step 2: Update VPN settings

Based on the configuration, the VPN authentication type can be Preshared Key or Digital Certificates.

All preshared keys must be changed for the configured VPN connections (IPSec/L2TP/Cisco VPN Client).

In case, Digital Certificates are used as authentication type for the configured VPN connections, refer Step 1 to regenerate the certificates and use them for the VPN authentication.

a. Change Preshared Keys   

Preshared keys are defined while configuring IPsec VPN, L2TP VPN or Cisco VPN Client connections. Replace the old preshared key with a new one for each configured VPN connection; the same new key must also be configured on the remote peer before the tunnel can be re-established.
For demonstration purposes, we change the preshared key of an IPSec VPN connection.

Go to VPN > IPSec > Connection and click the icon corresponding to the VPN connection.

 

Under Authentication Details, click Change Preshared Key, then specify and confirm the new preshared key.

 
 
 

Click OK to apply the new Preshared Key.

Similarly, you can change the Preshared Keys of other VPN connections, if configured.   

b. Reset VPN session

All the live VPN sessions must be disconnected from VPN > Live Connections and re-established using the new preshared keys.

Step 3: Change user and administrator passwords

Go to Identity > Users to see the list of users and administrators. Change the passwords of all users and administrators.

Note:

- The administrator can instruct users to change their passwords using the My Account link (only when authentication is done through the local database) 

-  If an external server (AD, LDAP or RADIUS) is used for authentication, the user and administrator passwords of the server must be changed on the respective servers.

                                                                                                                                   Document Version 1.0 – 26 April, 2014

2.1.20. Internet Explorer Memory Corruption Vulnerability

Security Advisory

Original Publication Date: 02-05-2014

On Thursday, 1 May 2014, Microsoft released a security update for Internet Explorer that resolves a publicly disclosed vulnerability (Internet Explorer Memory Corruption Vulnerability, CVE-2014-1776). Although the vulnerability is rated critical and, according to FireEye, attackers are actively using the exploit in an ongoing campaign named “Operation Clandestine Fox”, Cyberoam users need not panic: Cyberoam has released IPS Signature versions 3.11.64 and 5.11.64 to address this vulnerability for all CyberoamOS versions, including all GA and 10.6 versions.

Note: This advisory will be updated as additional information is available.

What is the Internet Explorer Memory Corruption Vulnerability?

The vulnerability, identified by FireEye Research Labs on April 26, 2014, could allow remote code execution if a user views a specially crafted web page with an affected version of Internet Explorer. It is a use-after-free: Internet Explorer accesses an object in memory that has already been deleted or was never properly allocated, which can corrupt memory in a way that allows an attacker to execute arbitrary code in the context of the current user within Internet Explorer.

This means that an attacker who successfully exploits the vulnerability gains the same user rights as the current user. Accordingly, users whose accounts are configured with fewer rights on the system are less affected than users who operate with administrative rights.

Microsoft has assigned CVE-2014-1776 to the vulnerability and released Security Advisory 2963983 to track the issue.

Solution

1. IPS Signature

To mitigate the Internet Explorer Memory Corruption Vulnerability, Cyberoam has released IPS Signature versions 3.11.64 and 5.11.64 containing the IPS signatures “Microsoft Internet Explorer CVE-2014-1776 Use After Free” and “GIF Image Known Bad Struct Marker CVE-2014-1776”. By default, once an IPS policy with these signatures is applied through a firewall rule, connections attempting to exploit the vulnerability are dropped. All Cyberoam customers are requested to verify the IPS Signature version from the Dashboard of their appliances.

Click here to read the Release Notes for IPS Signature Versions 3.11.64 and 5.11.64.

 2. Anti Virus Scanning

In addition to upgrading the IPS Signature version, Cyberoam recommends that all customers enable Anti Virus scanning of HTTP and HTTPS traffic on their Cyberoam appliances. Note that scanning HTTPS traffic requires the appliance's SSL CA certificate to be trusted by the client browsers.

3. After upgrading or taking steps to mitigate this vulnerability, Cyberoam recommends all the customers to apply the security update provided by Microsoft. The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory. For detailed information, please refer to Microsoft’s response to the publicly disclosed vulnerability in Internet Explorer - Microsoft Security Bulletin.
 
 
 References

- https://technet.microsoft.com/en-US/library/security/2963983

- http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

Revision History 

Revision 1.0

02 May 2014

Initial public release containing information about How to Mitigate the Vulnerability using Cyberoam IPS and Anti Virus modules.


2.1.21. Adobe Flash Player Buffer Overflow Vulnerability

Security Advisory

 Original Publication Date: 02-05-2014

On 28 April 2014, Adobe released security updates for Adobe Flash Player 13.0.0.182 and earlier versions for Windows, Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.350 and earlier versions for Linux, which fix a code execution vulnerability in Adobe Flash Player.

 Cyberoam has released IPS Signature Versions 3.11.64 and 5.11.64 to address this vulnerability for all CyberoamOS versions including all the GA and 10.6 versions.

 Note:This advisory will be updated as additional information is available.

 What is the Buffer Overflow Vulnerability? 

The code execution vulnerability (CVE-2014-0515) is a zero-day SWF vulnerability located in the Pixel Bender component, which is designed for video and image processing, and is due to an unspecified buffer overflow. A remote attacker could exploit it by luring a target user to a web page that embeds a specially crafted Flash file. Successful exploitation results in arbitrary code execution in the context of the currently logged-in user, which can in turn be used to take control of the affected system.

According to Kaspersky Security Network (KSN) data, the exploits were stored as movie.swf and include.swf on an infected site; the only difference between the two is their shellcode. Both exploits were first detected on a Syrian government website designed as an online form for citizens to register complaints about law and order violations.

Cyberoam provides additional information in the blog post: Vulnerability Alert – Adobe Flash Player is vulnerable to a buffer overflow

 Solution

 1.    IPS Signature

To mitigate the buffer overflow vulnerability, Cyberoam has released IPS Signature versions 3.11.64 and 5.11.64 containing an IPS signature named “Adobe Flash Player CVE-2014-0515 Unspecified Buffer Overflow”. By default, once an IPS policy with this signature is applied through a firewall rule, all connections attempting to exploit the vulnerability are dropped. All Cyberoam customers are requested to verify the IPS Signature version from the Dashboard of their appliances.

 Click here to read the Release Notes for IPS Signature Versions 3.11.64 and 5.11.64.

 2.    After upgrading the IPS Signature version, Cyberoam also recommends that all customers update their Adobe product installations to the latest versions. For more information, refer to Adobe Security Bulletin APSB14-13.

 References

 ·        http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

·        http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks

 

Revision History

Revision 1.0

02 May 2014

Initial public release containing information about How to Mitigate the Vulnerability using Cyberoam IPS.

2.2. Best Practices & Policies
2.2.1. Cyberoam Best Practices

Deployment

1.   Always connect the Cyberoam WAN interface to the router via a switch and NOT with a crossover cable, to avoid 
      autonegotiation problems between the Cyberoam WAN interface and the router.

2.   By default, Cyberoam sends periodic Ping requests to its default gateway to check connectivity to Internet. It is 
      recommended to change this setting so that Cyberoam sends Ping requests to a host on the Internet that is 
      permanently running or most reliable, like 8.8.8.8 or 4.2.2.2. 

3.   If users have browser based proxy settings, make sure configured HTTP proxy port is same in both Cyberoam 
      and desktop browser. By default, Cyberoam is configured for port 3128. 

4.   For security purposes, Gateway mode is preferred because it uses NAT Policies to secure private addresses of 
      internal or DMZ networks. 

5.   If Cyberoam is deployed in Bridge Mode: 

      •   Do not configure the Cyberoam IP address as the Gateway IP address. If this happens, users will not be able to access 
           the Internet.
      •   Do not terminate both ports in the same L2 switch. The switch becomes unstable if it receives packets with the 
           same MAC address on more than one switch port.

6.   It is recommended to use the High Availability feature of Cyberoam for maximum network uptime.  

     Note: 

     This feature is not available in models CR15i, CR15wi, CR25wi, CR35wi, CR15iNG, CR15wiNG, CR25wiNG/6P and CR35wiNG.  

7.   In case of wireless networks, ensure maximum security by using WPA or WPA2 protocols rather than WEP.  

8.   Do not broadcast the SSID of your wireless networks, to discourage unauthorized users from discovering the network. Note that 
      this only hides the network from casual discovery; the SSID is still sent in probe and association frames, so rely on WPA2 
      for actual access control.
 

Administration 

1.   Access to Cyberoam should be carefully monitored and protected. This can be done by changing the default 
      administration settings like:
      o    Administrator Passwords
      o    Port used to access Appliance
      o    Access Protocols (Use secure protocols like SSH and HTTPS)

2.   Create multiple administrator profiles for special-purpose administrators like VPN Administrator, Security Administrator, 
      Audit Administrator, etc. Each administrator should be assigned only the permissions required for his role in the 
      organization.
 
3.   It is recommended to disable administrative access to Cyberoam from all zones except the internal LAN zone or
      management zone. Even from LAN or management zone, use secured protocols like HTTPS and SSH for GUI and 
      CLI access. 

4.  Check regularly for firmware releases and upgrade Cyberoam to the latest firmware available. 

5.  Take regular backup of Cyberoam. Also, make sure you take a backup before any changes are to be made in the
     configuration of the appliance. 

6.  Test your firewall rules and policies regularly.  

7.  Conduct internal audits to check the health of the appliance. 

8.   Enable Login security in terms of:
      o    Enabling password complexity for the administrator.
      o    Restricting number of login attempts to prevent brute force attack. 

Firewall 

1.  Create Firewall rule for DNS IP Address if desktops are configured with a public DNS IP address. 

2.  Create firewall rule to allow required and critical traffic across each zone because, by default, complete traffic across each zone 
     is dropped by Cyberoam, except for LAN to WAN traffic. This will be applicable in both bridge and gateway mode. For example, 
     if Mail server is placed in the DMZ zone, then Cyberoam will not allow access of Mail server from LAN and WAN zone.
   
     o    To access specific applications running on mail server, create necessary firewall rule from each zone.
     o    Create firewall rule to give external world access to the Mail server.  

3.   Create Firewall rule to allow access to and from applications running on DMZ as, by default, entire traffic from LAN to DMZ is dropped. 

4.   If Cyberoam is configured in Bridge mode and DHCP server is running in WAN zone of Cyberoam then create firewall rule to allow 
      packets from DHCP server to LAN to lease IP addresses on desktop.
 

5.   If MX IP is bound to the WAN port of Cyberoam, create NAT and Virtual Host rules to map the private IP address of mail server with the MX IP. 

6.   If the LAN zone has Routed Networks, then create static routes in Cyberoam to forward requests to and from the Routed Networks over 
      the Internet. 
 
7.   If Cyberoam is configured for multiple Internet Service Providers i.e. multiple gateways then:

      o    To improve browsing speed and reduce latency, create a firewall rule to route the DNS IP address requests through a specific Gateway. For 
            example, if DNS IP address is from ISP1 and DNS request is going from ISP2 then latency will increase and time taken to resolve the site 
            name will also increase. 
      o    If access to certain application like VPN application, SAP or ERP application is allowed from specific IP address, create firewall rule to route 
            the application request from the specific IP address only.

      o    Create a NAT policy to bind the Mail Server IP Address with MX IP. This will establish connection as well as reduce chances of return 
            MX check problem. 

8.    It is recommended to bypass DoS screening for traffic-intensive servers like VOIP and FTP to avoid dropping of legitimate traffic. 

9.    Disable NAT policies in the WAN to LAN rule for the mail server, to avoid making it an open relay. 


Authentication
 
 
1.    If Cyberoam is integrated with one or more external authentication servers, make sure the servers are selected for firewall authentication and 
      are in the order of preference. 
 
2.    In case of AD integration with Single Sign On enabled, create clientless users for servers like VOIP server, MFDs, etc. whose manual 
      authentication is not feasible. 
 
3.    After importing groups from AD, modify the order of the groups according to preference. Any user, who is a part of multiple groups, will be 
      mapped to the first matching group on Cyberoam.


IPS
 

1.    Create custom IPS policies with relevant signatures to decrease packet latency and improve performance. 

2.    It is recommended to apply IPS policy in WAN to LAN firewall rules for servers hosted in the network to protect them against known 
       and unknown attacks. 

3.    IPS policy is not recommended for LAN to WAN traffic, unless it is used to control applications using custom signatures. 


VPN
 

1.    Create VPN to LAN firewall rules to enable Threat Free Tunnelling, i.e., protect the network from malicious traffic through the VPN tunnel. 
       In these rules, NAT policies should be disabled to allow access to internal resources. 

2.    For additional security, use CHAP and MSCHAP Handshaking Protocols for PPTP remote access VPN. 

3.    If VPN connectivity is to be configured between a Head Office and multiple Branch Offices, create a Hub and Spoke VPN configuration, 
       i.e., create virtual tunnels from each Branch Office directly to the Head Office.


Antivirus
 
 
1.   For scanning of HTTP and HTTPS traffic, configure the Scan Mode as “Real Time” rather than “Batch”. The Real Time scan mode allows 
      virus scanning of files as soon as their download starts while Batch scan mode waits for download of the complete file before scanning.  

2.   Configure Cyberoam to disallow access to HTTPS websites with invalid certificates.


Antispam
 

1.   Configure Cyberoam to “Accept” oversized emails to avoid dropping of emails that might be useful. 

2.   Enable Spam Digest to allow end users to manage quarantined mails by themselves. 

3.   Configure Cyberoam to verify IP Reputation of senders of all emails to improve Antispam performance.


QoS
 

1.   Create appropriate QoS policies for mission critical applications. 

2.   Assign highest priority to real time traffic like VOIP and lowest priority to bulky protocols like FTP or P2P file transfer for better managed 
      bandwidth. 

                                                                                                                                                  




                                                                                                                                    Document Version: 1.3 - 20 January, 2014

 

2.2.2. Legal Documents
2.2.2.1. Return Material Authorization (RMA) Support and Policy
2.2.2.2. Warranty Policy for Cyberoam Network Security Appliances (UTM & NGFW)


    

1.Introduction
  • This Warranty Policy provides terms and conditions for Network Security appliances warranty availability for all Cyberoam Network Security Appliances (UTMs & Next Generation Firewalls).
  • The contents herein are subject to change by Cyberoam Technologies Private Limited (CTPL) without prior notice.
  • As a pre-condition to avail the warranty under this Warranty Policy, the Cyberoam Network Security appliance must be duly registered with CTPL within 6 months of purchase. 

2.   Default Warranty

 
All Cyberoam Network Security appliances come with CTPL’s Default Warranty, valid from the date of purchase. This includes:

         - 1 year limited hardware warranty (Limited Hardware Warranty)

 
         - 90 days default software warranty (Default Warranty Period)

3.   Other conditions applicable to Default Warranty


   3.1 Within the Default Warranty period, the customer has the option of Return Merchandise Authorization (RMA) in case of hardware related problem in the Cyberoam Network Security appliance. Such RMA shall be subject to the approval of the Cyberoam Technical Support Representative (TSR) from the Global Support Management Center (GSMC) team and / or Supply Chain Management (SCM) team of CTPL. If a replacement unit is required during the limited hardware warranty period, CTPL will provide a Standard Exchange Replacement as per terms stated herein below.

   Standard Exchange Replacement procedure for Shipping the RMA unit and receiving the repaired / replaced unit:

      Under Standard Exchange Replacement, the customer must ship the RMA unit to CTPL’s warehouse with all expenses pre-paid.        

         1. Product hardware must be shipped, shipment pre-paid, to CTPL by the customer    

         2. A repaired or replacement unit will be shipped via ground carrier at CTPL's expense within seven (7) business days after receipt of the failed unit.
      
 

         3. A replacement unit may be a new unit or a refurbished unit of equivalent or higher value.
  
Note:

           -  Customer will pay any other tariffs along with customs, applicable in the geography to ship the RMA unit to CTPL’s warehouse.          

      -  For more details on RMA, please refer to the RMA policy on Cyberoam Knowledge Base (KB)                 

 

         

All Cyberoam Network Security appliances

Warranty          | Software Warranty (Firmware updates) | Hardware Warranty | RMA fulfillment
Default Warranty  | 90 days                              | 1 Year            | Standard Exchange

  4.    Extended Warranty

   4.1 Customer has an option to extend their software warranty beyond the Default Warranty period (i.e. of 90 days in case of Software) by subscribing to 
         Support modules available in Cyberoam Network Security Appliances, as mentioned in Table-1 below. In such case, the hardware warranty shall also be extended and shall continue 
         till the validity of the subscription period. The Support module subscription offering (mentioned in Table-1) may vary across Cyberoam Network Security Appliance models.

    4.2  If a replacement unit is required during the extended hardware warranty period as stated hereinabove, CTPL will provide following additional benefits:


   o    A Standard Exchange Replacement if any of the 8x5 support-related subscriptions mentioned in Table-1 is found active on the subject 
          Cyberoam Network Security appliance.

   o    An Advance Exchange Replacement (as described in clause 7 herein below) if any of the 24x7 support-related subscriptions mentioned 
          in Table-1 is found active on the subject Cyberoam Network Security appliance.

Table-1 

Support Module Subscriptions                          | Description
Basic 8 X 5 Support                                   | 8x5 Phone, Email and Web Chat support with firmware upgrades, hardware warranty and RMA fulfillment with Standard Exchange Replacement
Premium 24 X 7 Support                                | 24x7 Phone, Email and Web Chat support with firmware upgrades, hardware warranty and RMA fulfillment with Advance Exchange Replacement
Comprehensive Value Subscription (CVS)                | Anti Malware, Anti Spam, Web and Application Filter, WAF, Intrusion Prevention System, 24x7 Support, hardware warranty and RMA fulfillment
Total Value Subscription (TVS)                        | AntiMalware, AntiSpam, Web and Application Filter and Intrusion Prevention System, hardware warranty and RMA fulfillment with Standard Exchange Replacement
Security Value Subscription (SVS)                     | AntiMalware, Web and Application Filter and Intrusion Prevention System, hardware warranty and RMA fulfillment with Standard Exchange Replacement
Total Value Subscription Plus (TVSP)                  | AntiMalware, Anti Spam, Web and Application Filter, Intrusion Prevention System, 24x7 Support, hardware warranty and RMA fulfillment with Advance Exchange Replacement
Security Value Subscription Plus (SVSP)               | AntiMalware, Web and Application Filter, Intrusion Prevention System, 24x7 Support, hardware warranty and RMA fulfillment with Advance Exchange Replacement
Next Generation Firewall Security Subscription (NGS)  | Intrusion Prevention System, Web and Application Filter, 24x7 Support, hardware warranty and RMA fulfillment

Note:

   All support module subscriptions are available for a duration of 1, 2 and 3 years.

5.   Renewal of Warranties

   The customer shall have an option to renew the warranty at the end of the warranty period. For the renewal of the warranty, the customer may, at his/her own discretion, choose from the Support Module Subscriptions listed in Table-1 above, as applicable to the subject Cyberoam Network Security Appliance model.

6.   Other conditions for Extended Warranty and Renewal of Warranties

   The customer shall have to avail the option of Extended Warranty (as per the terms of clause 4) and / or Renewal of Warranty (as per the terms of clause 5) prior to expiration of the warranty period. In case of any request from customer for Extended Warranty and / or Renewal of Warranty after the expiry of the said warranty, the request shall be accepted by CTPL subject to terms and conditions of CTPL's Warranty Reinstatement Policy prevailing at that point of time.


7.   Advance Exchange Replacement procedure

   Advance Replacement allows the customer to request a replacement unit to be shipped prior to CTPL receiving the RMA unit.

   -  The process begins once the ‘RMA registration and Acceptance procedure’ steps given in the RMA policy are complied with, the RMA number is generated and the SCM Team approves the RMA Request.

   -  Within 2 business days after issuing the RMA number (acceptance of RMA Request by CTPL’s SCM Team), a repaired or replacement unit will be shipped to the customer at CTPL’s expense via ground carrier.

   -  Customer must ensure that CTPL receives the failed unit within seven (7) working days of issuing the RMA number to avoid replacement charges.

   -  The replacement unit may be a new unit or a refurbished unit of equivalent or higher value. Replacement hardware will be sent directly to the customer at the address mentioned in the RMA Form.

   For more details on RMA, please refer to the RMA policy on Cyberoam Knowledge Base (KB).


8.   Tariffs to be paid by the customer

   In case of Standard Exchange Replacement and Advance Exchange Replacement, customer will pay any other tariffs along with customs, applicable in the geography, to ship the RMA unit to CTPL’s warehouse.

   -  For more details on RMA, please refer to the RMA policy on Cyberoam Knowledge Base (KB).

 

9.   Warranty Notice

   -  All warranty claims must be submitted before the expiration of the warranty term.

 

10.  Warranty Limitations and Voidance of Warranty

   a.  CTPL warranties as set forth herein including the Default Warranties and Extended Warranties ("Warranties") are expressly conditioned upon customer’s acceptance of terms of the End User License Agreement, which is incorporated herein by reference lieu of a replaced unit.

   b.  Except as provided in this warranty policy, CTPL is not liable to give to the client any guarantee or warranty for the use and performance of the scheduled equipment, nor does this agreement give rise to any liability or obligation whatsoever on the part of CTPL to be performed and observed.

   c.  CTPL shall not be liable or responsible in any manner whatsoever for any incidental, direct, special or consequential damages, including but not limited to loss of profit and/or business opportunities in connection with or arising out of the use by a customer of the scheduled equipment or services provided by CTPL.

   d.  The liability of CTPL does not extend to or survive, and Warranty service does not cover repair for, damages, malfunctions or service failures caused due to the following cases:

       i.     Unauthorized upgrading/modification of the equipment/system by customer.
       ii.    Failure due to malfunction of P&T trunks/tie lines.
       iii.   Failure due to input AC power.
       iv.    Failure due to external cabling.
       v.     Any damage caused to the equipment by reason of neglect, misuse, mishandling, unauthorized access by any person who is not a CTPL authorized representative etc., intentional or unintentional, by the customer.
       vi.    Failure on account of lightning induced voltages on trunk or extension lines irrespective of whether protection devices were used or not.
       vii.   Any other reason not occasioned by normal wear and tear of the equipment.
       viii.  Customer’s failure to permit CTPL remote access to customer’s equipment.
       ix.    CTPL shall not be responsible for any malfunctioning of equipment due to virus related problems.
       x.     CTPL liability excludes any third party liability on account of malfunctioning of equipment or any mishap.
       xi.    Force Majeure conditions.

   e.  CTPL shall not be responsible for the repairs of any damages or physical loss caused to the equipment and accessories by accident, fire, theft, flood, riots or any acts of god or from neglect, misuse, mishandling, deliberate or otherwise by the customer.

   f.  CTPL is committed to provide support during the warranty period and thereafter as per the service charges specified by CTPL during the technological useful lifespan of the equipment. While CTPL will make every effort to provide the services committed, it may not be possible for CTPL to provide the services in case the product has become obsolete or the product has completed its technological useful life span. In such cases CTPL undertakes to inform the customer reasonably well in advance of such an event and also recommend the list of spares that are normally required for functioning of the equipment. If such circumstances arise, CTPL will not be able to guarantee the desired level of service.

   g.  CTPL is under no obligation to provide service of software if:

       i.     The software has been modified or moved without CTPL’s prior written approval.
       ii.    The original software program identification marks have been removed or altered.
       iii.   The software is the system software of third-party equipment (i.e. core operating system, system utilities and libraries, drivers, etc.).
       iv.    Customer’s software does not conform to the software currently listed as software subject to service support.
       v.     Customer is using the software program in violation of its licenses.
       vi.    The host computer does not conform to the update level determined by CTPL to be necessary to support the software, or has been modified other than by CTPL personnel so as not to conform to the specifications for which the software was designed.
       vii.   The software is infected by a virus.

   h.  CTPL reserves the right to suspend the service/supplies in the event of delayed payment from customer on account of the said equipment and shall not be liable in any manner for any loss or damage of any kind in the event of suspension due to delayed payment. CTPL also reserves the right to charge an interest of 15% per annum for the delayed period.

   i.  CTPL accepts no liability for any insurance coverage during the warranty period or any other period thereafter.

   j.  All the terms and conditions not specifically mentioned herein would be governed by the terms of the standard terms and conditions of CTPL and are further expressly contingent upon proper use of the CTPL hardware and software ("Products") and shall not apply if the Products have been modified without CTPL written approval, if the Products' serial number label has been removed, or if the Product has been damaged or impaired in any way. The terms of the Warranty are limited to the remedies as set forth herein.

   k.  Support / Warranty period for the subject appliance has expired.

   l.  Warranty sticker is punctured or damaged.
 

11.  Regional Variations Outside of India and USA

   Due to country-specific import and export regulations, customs and shipping authorization may take longer to obtain for some countries than for others. Advance Replacements will be shipped within 2 business days of issuing the RMA. Warranty Returns for customers outside of America and India will be shipped within 7 business days after receipt of the failed unit. In countries apart from USA and India, Distributors have to replace the faulty unit at the customer end only after getting an RMA confirmation from CTPL support/presales team and the online RMA form is submitted. If the number of RMA units is more than two (2), then CTPL will replace the units immediately; otherwise the Distributor will receive a replacement unit against the RMA unit with the next purchase order. If there is no purchase order from the Distributor within two (2) months from the RMA unit date, the unit will be replaced immediately without waiting for a new order from the Distributor. In the same manner the Distributor will be required to send the RMA units back to our manufacturing hub or distribution centre in USA and India as per confirmation from CTPL SCM team. This option applies only in countries where there is no local CTPL RMA centre.


12. Miscellaneous Disclaimers


      CTPL reserves the right, in its sole discretion, to change, revise, limit, expand or otherwise alter the Program and any element thereof at any time with no notice required. 


13.  Exclusions

   The services provided by CTPL hereunder will not include warranty, support and/or maintenance of any third party software or hardware, whether or not such third party software or hardware is provided by CTPL. CTPL is not required to provide any services for problems arising out of: (i) your failure to implement all Maintenance or Feature issued under this Agreement; (ii) any alterations of or additions to the Products performed by parties other than CTPL; (iii) accident, negligence, or misuse of the Products (such as, without limitation, operation outside of environmental specifications or in a manner for which the Products were not designed); or (iv) interconnection of the Products with other products not supplied by CTPL. CTPL shall only be obligated to support the then-current version of the Products and the immediately prior version.


Contact Information


E-mail : scm@cyberoam.com


Phone: +1-781-460-2080

 



14.  Appendix – Terms used in this document

   CTPL       Cyberoam Technologies Private Limited
   RMA        Return Merchandise Authorization
   Customer   A customer can be the end-user or the channel partner taking care of the end customer

 





“This Cyberoam Warranty Policy is subject to the terms and conditions of EULA. Accordingly, mere acceptance of the product by CTPL as per the terms of this policy shall not, in any case, extend its liability of whatsoever nature towards the Customer. CTPL’s liability to the Customer shall be limited to the extent of what is stated in the EULA.”

2.2.2.3. Cyberoam Appliance Policy FAQs

•  How do I register a Cyberoam device?

   Please refer to the Registration and Subscription Guide for details.

   OR

   Contact the nearest Cyberoam channel partner. To find the nearest channel partner, go to http://www.cyberoam.com/findpartner.html

•  How do I purchase subscription keys?

   Please refer to the Registration and Subscription Guide for details.

   OR

   Contact the nearest Cyberoam channel partner. To find the nearest channel partner, go to http://www.cyberoam.com/findpartner.html

•  How do I renew subscription keys?

   Please refer to the Registration and Subscription Guide for details.

   OR

   Contact the nearest Cyberoam channel partner. To find the nearest channel partner, go to http://www.cyberoam.com/findpartner.html

•  Where can I find an RMA form?

   Cyberoam provides online RMA request forms at:

   Customer My Account Portal
   For Customers, login to Customer My Account and go to Support > Create RMA Request.

   Partner Portal
   For Partners/Distributors/Resellers, login to Partner Portal.

   Cyberoam Website
   From the website www.cyberoam.com, go to Support > RMA.

•  How to track the RMA request?

   Tracking of the RMA request will depend on how the RMA request was submitted:

   Customer My Account Portal
   If the request is submitted via Customer My Account Portal, then the customer can see the status of the RMA request by logging into Customer My Account and going to Support > View Previous RMA Requests.

   Partner Portal
   If the request is submitted via Partner Portal, then the partner/distributor/reseller can see the status of the RMA request by logging into Partner Portal.

   General
   If the RMA request is not submitted via the above two methods, then the customer can get the status of the RMA request by emailing scm@cyberoam.com.

•  When will I get my appliance replacement?

   Appliance replacement will depend on the type of support subscription.

•  What will happen to my existing subscription after getting the RMA unit?

   All existing subscriptions will be transferred to the new unit. Please refer to our RMA Policy Document for more details.

•  Who will bear the Freight cost?

   Customers are responsible for all shipping charges for items returned to Cyberoam, and Cyberoam will pay the shipping charges on the replacement or exchange item(s) sent back.

 

 

Prepare the package for shipping by printing the RMA number clearly outside the package, and address the package to be shipped to:

Contact Point: RMA – India

   Shipping Address:
   Cyberoam Technologies Pvt Ltd.
   Ground Floor, Avdhesh House
   Nr. Sudama Resort, Pritamnagar,
   Ahmedabad - 380006
   Contact No: +91-9727794696 / +91-09099973411
   Contact Person: Mr. Anup Nair / Mr. Kiran Prajapati
   E-mail: scm@cyberoam.com

Contact Point: RMA – USA

   Cyberoam Inc.
   115 Glendale Ave, Edison,
   NJ 08817,
   USA
   Contact Person: Mr. Sanjay Patel
   Phone: 001-781-460-2080
   E-mail: scm.intl@cyberoam.com

Contact Point: RMA – Rest of the World

   When an Online RMA is requested, the address will be provided to the customer by email.

Please refer to Cyberoam RMA Policy for more detail.

 

2.2.3. Sample Acceptable Internet and E-mail Use Policy

The following Internet and e-mail rules (policy statement/rules) require strict adherence. Any infraction thereof could result in disciplinary action/s, which may range from verbal warnings to termination; the severity of the misbehavior governs the severity of the disciplinary action.

The rules apply to all employees when they are using computers or Internet connections supplied by <Organization Name>, whether or not during work hours, and whether or not from <Organization Name> premises.

1.   Internet Usage: Internet use, on company time, is authorized to conduct company business only. Internet use brings the possibility of breaches to the security of confidential company information. Internet use also creates the possibility of contamination of our system via viruses or spyware. Spyware allows unauthorized people, outside the company, potential access to company passwords and other confidential information.

2.   No Privacy: The Company provides computers and Internet connections ("facilities") to further its business interests. The Company has the right, but not the duty, at its sole discretion, to monitor all Internet searches, communications and downloads that pass through its facilities. Any information retained on the Company’s facilities may be disclosed by the Company to outside parties or to law enforcement authorities. You are obligated to co-operate with any investigation regarding the use of your computer equipment which your supervising officer has authorized.

The Company reserves the right to inspect an employee’s computer system for violations of this policy.

3.   Username and Password: Use of the Internet for personal gain is strictly prohibited. Authorization for Internet access must be obtained through your immediate supervisor with the approval of the supervising authority. Once authorization is approved you shall be responsible for the security of your account password. The employee will be held responsible for all use or misuse of his/her account. The employee must maintain secure passwords and never use any account assigned to another user.

4.   Organizational Representation: Employees using the Company’s accounts are acting as representatives of the organization. As such, employees should act accordingly so as not to damage the reputation of the organization.

5.   Internet Downloads: Files which are downloaded from the Internet must be authorized and checked for copyrights, and necessary permissions should be obtained. They should also be scanned for virus contamination prior to their use. All appropriate precautions should be taken to detect any virus and, if necessary, to prevent its spread.

Removing such programs from the Company network requires IT staff to invest time and attention that can be better devoted to productive work. For this reason, and to ensure that work time is used appropriately for work, employees should limit Internet use.

6.   No Pornography: Under no circumstances may Company computers or other electronic equipment be used to obtain, view, or reach any pornographic, or otherwise immoral, unethical, or non-business-related Internet sites.

You may not disseminate or knowingly receive harassing, sexually explicit, threatening or illegal information by use of the Company’s facilities, including offensive jokes or cartoons.

Any of the above actions by an employee can lead to disciplinary action up to and including termination of employment.

7.   Maintain Confidentiality: Employees shall not place, discuss or send any business material or related information (copyrighted software, internal correspondence, etc.) on any publicly accessible Internet computer without prior permission.

The Internet does not guarantee the privacy and confidentiality of information. Sensitive material transferred over the Internet may be at risk of detection by a third party. Employees must desist from transferring such material in any form. Any business information exchanged over the Internet without prior permission will be treated as a breach of privacy and shall be dealt with severely.

8.   Hacking is Unauthorized: Hacking is an unauthorized attempt at or entry into any other computer. Never make an unauthorized attempt to enter any computer. Any infringing activity by an employee may attract liability for the organization. Therefore, this organization may choose to hold the employee liable for their actions.

9.   Importance of E-Mail: E-mail resembles speech in its speed and lack of formality. Unlike speech, e-mail leaves a record that is often retrievable even after the sender and recipient delete it.

10.  Email Ownership: Keep in mind that the Company owns any communication sent via e-mail or stored on any Company equipment. Management and other authorized staff have the right to access any material in your email or on your computer at any time. Employee/User shall not consider his/her electronic communication, storage or access to be private if it is created or stored at work. Forwarding of any non-business emails to associates, family or friends shall be viewed as wastage of Company time and resources.

11.  Regular Deletion of E-Mail: The Company strongly discourages storage of large numbers of e-mail messages. As a general rule, after a mail is read, the employee should promptly delete it. If you need to keep a message for longer than a week, save it to your hard disk, or print it out and save the paper copy. The Systems Administrator will regularly purge all messages in employee inboxes and all copies of sent messages that are older than 30 days.

12.  Be careful when sending replies: The employee should take extra care when he/she is mailing to a group or an individual. Mail should be addressed directly to the intended addressee(s). Check the "To", "CC" and “BCC” fields carefully before sending mail. This can prevent unintentional errors and embarrassment.

13.  Provide your Identity: It is mandatory to include a signature (an identifier that automatically appends to the e-mail message) that contains the method(s) by which others can contact the employee (usually e-mail address, phone numbers, fax numbers, etc.).

Impersonating someone else, real or fictional, or sending a message anonymously is strictly prohibited.

14.  Observe Email Etiquette: Watch punctuation and spelling. It can reflect on the employee’s professionalism. Please use automatic checking programs if available.

DO NOT SEND MESSAGES ALL IN CAPITALS. It looks as if you are shouting. Use initial capitals or some other symbol for emphasis. For example: That IS what I meant. That *is* what I meant.

15.  Judicious use of Auto-Reply feature: An employee belonging to mailing lists should be careful when using auto-reply features in e-mail. Auto-replies are often sent to the entire list indiscriminately and the reply may not be important to all on the list; e.g. most do not care if an employee is on vacation, and worse, the message may have been intended for only one recipient.

By using the auto-reply feature the employee might inadvertently give out the Company’s domain name and the employee’s identity to hackers and spammers.

16.  No Spam: Spam/Chain letters are strictly illegal and should not be transmitted through any e-mail.

17.  Sexual Harassment and Discrimination: The Company is committed to providing a workplace that is free from sexual harassment, as well as unlawful harassment based on ancestry, race, age, color, marital status, medical condition, mental disability, physical disability, pregnancy, childbirth or related medical conditions, national origin, religious creed, gender, sexual orientation, gender identity, or any other basis protected by federal, state, or local law, ordinance, or regulation. It also prohibits unlawful harassment based on the perception that anyone has any of those characteristics, or is associated with a person who has or is perceived as having any of those characteristics. All such harassment is unlawful.

Any email that discriminates against employee/s by virtue of any protected classification including race, gender, nationality, religion, and so forth, will be dealt with according to the harassment policy.

2.2.4. VPN - Things to Remember

1.   IPSec and L2TP connections cannot be created with the same name, as they are treated as the same connection.

2.   The IP Address range in L2TP and PPTP configuration cannot be the same.

3.   For an L2TP connection, uninstall Cyberoam VPN Client, if configured. This is because if Cyberoam VPN Client is configured, then the L2TP Client will not be able to initiate the connection.

4.   If multiple IPSec/L2TP connections are configured with the same local and remote end points, they should have the same authentication type (Preshared Key/Digital Certificate/RSA Key).

5.   An L2TP connection will live till the Key Life specified in the Connection. On key expiry, the Server will disconnect the Connection immediately but the Client will take a few minutes to get disconnected.

6.   In Windows 2000, only the Digital Certificate Authentication type is supported for L2TP connections.

7.   In Windows 2000, the Preshared Key Authentication type is not supported for L2TP connections.

8.   Both Digital Certificate and Preshared Key Authentication types are supported for L2TP connections in Windows XP and above.

9.   Cyberoam IPSec VPN Client requires:

     o   Service Pack (SP) 4 for Windows 2000
     o   Service Pack (SP) 2 for Windows XP

10.  If two Connections are created with different Authentication types, i.e. Preshared Key and Certificate, then only one connection can be ‘Active’ at a time.

11.  Do not include a blank (space) as the leading character in the preshared key. Cyberoam will not consider the blank (space), if included.

12.  Certificate Authority and Certificates are generated in tar.gz form. Unzip/extract using WinRAR before use.

13.  Mail only that Certificate to the Remote peer whose Certificate ID is the same as the one specified as Remote ID in the Connection.

14.  When Cyberoam is behind a NAT box:

     o   Create a Port Forward rule for UDP ports 500 and 4500.
     o   Configure Local and Remote ID to avoid the “invalid id information or no proposal chosen” error.

15.  It is very important that Local and Remote VPN servers have the same time zone and time settings. Without these, key expiration is not handled properly.

16.  Set ‘Re-Key’ to ‘Yes’ on both or either of the servers to reduce the chances of Site-to-Site disconnection on key expiry.

17.  To re-establish the Site-to-Site connection automatically on Cyberoam restart, set ‘Action on VPN Restart’ to ‘Initiate’ in the VPN Connection.

18.  VPN connectivity between Cyberoam and an IPSec VPN server (remote server) can be established only when Cyberoam is functioning as a Gateway and the IPSec VPN server’s WAN Interface is bound to a Public IP address.

19.  For a Site-to-Site connection, the network subnets configured on both VPN servers must be different.

20.  For Road Warrior connectivity with Cyberoam, if the road warrior is behind a NAT box, then configure different Internal network subnets for both ends.

21.  Use different remote-IDs if you are creating multiple Site-to-Site connections using different preshared keys. If the same remote-IDs are used, the following errors will be received:

     o   "Jan 27 08:04:44 1169870684 pluto[29773]: "JafztoBurdxb-1" #264: multiple ipsec.secrets entries with distinct secrets match endpoints:first secret used"

     o   Error received at the peer end: "Jan 30 19:00:08 1170163808 pluto[7271]: "cr15183-1" #25: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet"

22.  To avoid frequent VPN disconnection when DoS is enabled, bypass the VPN peer’s IP Address at both ends. If the Peer IP Address is not bypassed, Dead Peer Detection functionality blocks it and hence the connection is frequently dropped.

23.  If Dead Peer Detection is enabled in the VPN IPSec Policy, set ‘Action When Peer Unreachable’ to:

     ·   ‘Re-Initiate’ for a Site-to-Site connection when either or both of the peers is assigned a dynamic IP address. (Recommended)
     ·   ‘Hold’ for a Site-to-Site connection when both peers are assigned static IP addresses OR when manual intervention is preferred in case of a VPN outage.

24.  For a Road Warrior connection with Cyberoam, it is recommended to enable Dead Peer Detection.

25.  All Remote Access VPN connections (Road Warrior or L2TP) should have the same Preshared Key (PSK). Cyberoam does not allow you to add a new Remote Access VPN connection with a different PSK than existing connections. If you update the PSK of an existing connection, then the PSK of all the other existing connections gets updated to the new PSK.

     For example, consider the Remote Access VPN connections IPSec1, IPSec2 and L2TP1 with PSK ‘abc’.

     Action 1: Add another connection L2TP2 with PSK ‘xyz’.
     Result: Error. Cyberoam will reject the action.

     Action 2: Update IPSec2 with PSK ‘xyz’.
     Result: PSK of all Connections (IPSec1, IPSec2 and L2TP1) will be updated to ‘xyz’.
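The two pluto messages quoted in item 21 are the quickest way to confirm a duplicate remote-ID / preshared-key clash after the fact. The following Python is an added example, not Cyberoam's code: it parses pluto log lines of the layout shown above and tags the two messages item 21 describes, with their remedy. The sample log is constructed from the page's two lines plus one routine negotiation line; the `LINE_RE` layout and the `SIGNATURES` table are assumptions drawn from those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two pluto messages quoted in item 21 above, plus one
# ordinary negotiation line (constructed) so the classifier has something to skip.
SAMPLE_LOG = """\
Jan 27 08:04:44 1169870684 pluto[29773]: "JafztoBurdxb-1" #264: multiple ipsec.secrets entries with distinct secrets match endpoints:first secret used
Jan 30 19:00:08 1170163808 pluto[7271]: "cr15183-1" #25: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jan 30 19:00:09 1170163809 pluto[7271]: "cr15183-1" #26: STATE_MAIN_I1: initiate
"""

# Assumed layout of one line, taken from the samples above:
#   <mon> <day> <hh:mm:ss> <epoch> pluto[<pid>]: "<conn>" #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<epoch>\d+) pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

# Message fragment -> (cause tag, remedy).  Both causes come from item 21 above.
SIGNATURES = [
    ("multiple ipsec.secrets entries with distinct secrets",
     "duplicate-remote-id",
     "Several Site-to-Site connections share one remote-ID but use different preshared "
     "keys, so pluto can only pick the first matching secret. Give each connection its "
     "own remote-ID."),
    ("mismatch of preshared secrets",
     "psk-mismatch-at-peer",
     "The peer reports that the key used by the other side does not match its own; per "
     "item 21 this is what the remote end sees when the local side picked the wrong secret."),
]


@dataclass
class Event:
    conn: str
    state: int
    epoch: int
    pid: int
    msg: str


@dataclass
class Finding:
    conn: str
    cause: str
    remedy: str
    event: Event


def parse_line(line: str) -> Optional[Event]:
    """Parse one pluto log line; return None for lines that are not pluto state messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(conn=m["conn"], state=int(m["state"]), epoch=int(m["epoch"]),
                 pid=int(m["pid"]), msg=m["msg"])


def classify(event: Event) -> Optional[Finding]:
    """Map a pluto message to one of the known PSK/remote-ID causes, or None if routine."""
    for fragment, cause, remedy in SIGNATURES:
        if fragment in event.msg:
            return Finding(conn=event.conn, cause=cause, remedy=remedy, event=event)
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run the classifier over a whole log and return the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings


def connections_affected(findings: List[Finding]) -> List[str]:
    """Distinct connection names whose remote-ID / PSK need review, in first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.conn not in seen:
            seen.append(f.conn)
    return seen


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f.conn} #{f.event.state}: {f.cause}\n    {f.remedy}')
```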

 

 

Document Version 3.3 - 16 June, 2014

 

2.3. Protect Your Cyberoam Appliances from Power Fluctuations
2.4. Technical Library
2.4.1. Deployment
2.4.1.1. Why does a Routing Loop occur when Cyberoam is deployed as a Parent Proxy?

Applicable Version: 10.00 onwards

Scenario

If Cyberoam is deployed as a Parent Proxy, a Routing Loop occurs when: 

-    The Proxy Server is deployed in Cyberoam’s LAN or DMZ Zone.
-    Web Filter Policy is applied OR HTTP/HTTPS scanning is enabled.

Solution

This happens because the parent proxy configuration forces Cyberoam to process the same web traffic over and over again causing a routing loop. 

How the loop occurs: 

1.    When a web request is initiated, the web traffic hits Cyberoam.
2.    Cyberoam forwards this traffic to the Proxy Server in the LAN/DMZ.
3.    Once Proxy Server processes the traffic, it initiates a new request to the website.
4.    When this traffic hits Cyberoam, it once again forwards the traffic to the Proxy Server.
5.    This cycle repeats again and again. 

To avoid this loop, configure Cyberoam to bypass traffic originating from the Proxy Server such that no Web Filter Policies or HTTP/HTTPS scanning is applied on it. To bypass the traffic, create a firewall rule as shown below.
 
 

The above rule makes sure that Proxy Server traffic is not re-processed by Cyberoam in order to avoid any routing loop. 
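The forwarding behaviour described above as an added model, not Cyberoam code: the addresses are constructed and rule evaluation is assumed to be top-down with the first match winning. It shows the loop with only the general rule, the bypass rule breaking it, and, going beyond the text, that the bypass rule must sit above the general rule or it is shadowed.

```python
"""Constructed model of the parent-proxy routing loop and the bypass rule.
Not Cyberoam code: addresses are made up and rule evaluation is assumed
to be top-down, first match wins."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PROXY_IP = "192.168.1.10"   # constructed: parent proxy inside the LAN zone
CLIENT_IP = "192.168.1.50"  # constructed: a LAN workstation


@dataclass(frozen=True)
class Rule:
    name: str
    src_ips: Optional[FrozenSet[str]]  # None matches any source address
    web_inspection: bool  # Web Filter / HTTP scanning applied to matches


def first_match(rules: List[Rule], src: str) -> Rule:
    """Top-down, first-match rule lookup (assumed evaluation order)."""
    for rule in rules:
        if rule.src_ips is None or src in rule.src_ips:
            return rule
    raise LookupError("no rule matches source %s" % src)


def trace_request(rules: List[Rule], max_hops: int = 8) -> List[str]:
    """Follow one web request from the client until it leaves for the
    Internet; each element is a device the request passes through.

    Inspected web traffic is handed to the parent proxy, which then issues
    its own request with PROXY_IP as source, re-entering the appliance.
    A RuntimeError signals the loop the article describes."""
    path: List[str] = []
    src = CLIENT_IP
    for _ in range(max_hops):
        rule = first_match(rules, src)
        path.append("cyberoam[%s]" % rule.name)
        if not rule.web_inspection:
            path.append("internet")
            return path
        path.append("proxy")
        src = PROXY_IP
    raise RuntimeError("routing loop: " + " -> ".join(path))


# Default situation: one LAN-to-WAN rule with web inspection, no bypass.
LOOPING_RULES = [Rule("LAN-WAN", None, web_inspection=True)]

# Fix from the article: a rule for traffic originating at the proxy with
# no Web Filter / scanning, placed above the general rule.
FIXED_RULES = [
    Rule("Proxy-bypass", frozenset({PROXY_IP}), web_inspection=False),
    Rule("LAN-WAN", None, web_inspection=True),
]

# Same two rules, wrong order: the catch-all shadows the bypass rule.
SHADOWED_RULES = [FIXED_RULES[1], FIXED_RULES[0]]


def loops(rules: List[Rule]) -> bool:
    """True if a client request never leaves the appliance/proxy cycle."""
    try:
        trace_request(rules)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    for label, rules in [("no bypass", LOOPING_RULES),
                         ("bypass first", FIXED_RULES),
                         ("bypass shadowed", SHADOWED_RULES)]:
        print(label, "->", "loop" if loops(rules) else trace_request(rules))
```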

 

 

 

 

                                                                                                                                                             Document Version: 1.0 – 18 March, 2014

2.4.1.2. Deploy Cyberoam in Gateway Mode

Applicable to Version: 10.00 onwards

Cyberoam appliance can be deployed in network in two modes:

·         Gateway mode - Popularly known as Route mode

·         Bridge mode - Popularly known as Transparent mode

This article provides a step-by-step procedure to configure Cyberoam in Gateway mode. The configuration steps assume that you have not configured the Cyberoam appliance and are using the factory default settings of the appliance. If your appliance has any custom settings, roll back to the factory default settings before following the steps provided in the article.

We are going to consider a hypothetical network example with a firewall serving as the Gateway. We will replace the existing firewall with Cyberoam without changing the existing LAN schema.

Article covers:

·         Features supported in gateway mode
·         Deployment steps
·         How to verify configuration
·         Advanced configuration


Overview

 

Gateway
 
Gateway is a network point that acts as an entry point to another network or subnet to access the resources. In Enterprises, the gateway is the appliance that routes the traffic from a workstation to the outside network. In homes, the gateway is the ISP that connects the user to the Internet.
 

Gateway Mode

Cyberoam when deployed in Gateway mode acts as a Gateway for the networks to route the traffic.

Gateway mode provides an ideal solution for networks that already have an existing firewall, plan to replace it, and wish to add security through Cyberoam’s stateful and deep-packet inspection Firewall, Intrusion Prevention System Services, Gateway Anti Virus, and Gateway Anti Spam. If you do not have Cyberoam security module subscriptions, you may register for a free trial.
 

Features supported in Gateway mode

All the features except Hardware bypass (LAN bypass) are available in Gateway mode.

VLAN support in Gateway mode
 
While the network depicted in the example is simple, it is not uncommon for large networks to use VLANs for segmentation of traffic. If the existing firewall was configured for VLAN, refer to the Virtual LAN Configuration Guide for configuring VLAN in Cyberoam.

High Availability support in Gateway mode
 
For HA, refer to the High Availability Guide for configuring an HA cluster in Cyberoam.
 
 

Sample Schema

 
Throughout the article we will use the network parameters shown in the network diagram below.
 

The below given network diagram depicts a network where Cyberoam is added to the perimeter for the purpose of providing security services.

Traffic from hosts connected to the LAN would be permitted outbound through the Cyberoam to the gateways, while traffic from the WAN would, by default, not be permitted inbound.

For the public servers (a mail, web and database server) on the DMZ, an access rule allowing WAN-to-LAN traffic for the appropriate IP addresses and services will be added to allow inbound traffic to those servers.
 
 

Preparing to configure

Cyberoam Appliance is shipped with the following default configuration:

Port A IP address (LAN zone): 172.16.16.16/255.255.255.0

Port B IP address (WAN zone): 192.168.2.1/255.255.240.0 

Collect the DNS IP address, date and time zone as well as the administrator email address.
 

Deployment steps

 

Connecting Appliance

Connect port A of the Appliance to a management computer’s Ethernet interface. You can use a cross-over Ethernet cable to connect directly or use straight-through Ethernet cable to connect through hub or switch. Both the cables are provided along with the Appliance.

By connecting the management computer to port A, we are assigning port A to the LAN zone.

Set the IP address of the management system to 172.16.16.2/24.
 

Connecting to Cyberoam Web Admin Console

Browse to https://172.16.16.16 to access Cyberoam Web Admin Console (GUI). Cyberoam login page is displayed and you are prompted to enter login credentials. Use default username and password to log on.

 

Note:

Internet Explorer 5.5+ or Mozilla Firefox 1.5+ is required to access Cyberoam Web Admin Console.

If you cannot log on, verify the following configurations:

·         Did you plug your management workstation into the port A on the appliance? - Deployment can only be performed through port A.

·         Is the link light glowing on both the management computer and the Appliance? – If not, check and replace the cable.

·         Is your management computer set to a static IP address of 172.16.16.16 and subnet as 255.255.255.0? If your management computer IP is set to the same IP as Cyberoam then you need to change the IP of your management computer.

·         If you change the LAN IP address (Gateway Mode), you must use this address to reconnect to the Web Admin Console. You might also have to change the IP address of the management computer to be on the same subnet as the new IP address.

·         Did you enter the correct IP address in your Web browser?


Starting Network Configuration Wizard
 
Click Wizard button on the top right of the Dashboard to start Network Configuration Wizard and click Start.
 
 
 
Configuring deployment mode and IP addresses
 
 
 
 
 

Configuring Default Internet Access policy (IAP)

For your convenience, Cyberoam provides 3 pre-defined Internet Access policies. Based on the Internet Access policy, Cyberoam decides which outbound traffic is to be allowed or dropped.

Monitor Only - Allows all outbound traffic, i.e. all the sessions originating from LAN to WAN.

General Internet Policy - Allows all unauthenticated outbound traffic after scanning HTTP traffic for viruses, but blocks traffic to URLs categorized under the following Web categories: Porn, Nudity, Adult Content, URL Translation Sites, Drugs, Crime and Suicide, Gambling, Militancy and Extremist, Phishing and Fraud, Violence, Weapons.

Strict Internet Policy - Allows only authenticated outbound traffic, i.e. all the sessions originating from LAN to WAN after the user is authenticated.

Because an IAP can altogether disable protection or block all access to the Internet, it is recommended to apply the Monitor Only policy.

Please note that if you apply the General Internet Policy, access to certain URLs will be blocked.
 
 

Configuring Mail Settings 

Configure the mail server IP address, the administrator email address from which the notification mails will be sent and the email address of the notification recipient.
 
 
Configuring Date and Time zone
 
 
 
Cyberoam will take some time to restart; wait for a while before clicking to access the Cyberoam Web Admin Console.
 
 

Note:

After changing the LAN IP address, you must use this IP address to reconnect to the web admin console. You might also have to change the IP address of the management station to be on the same subnet as the new IP address.

This finishes the basic configuration of Cyberoam and now you are ready to use the Appliance.


Verifying configuration using Dashboard

Browse to http://192.168.0.1 and log on to Cyberoam Web Admin Console using default username and password. Dashboard page is displayed on successful log on.
 
 
1.     Verify appliance information
 
     Check the Appliance Information section of Dashboard to verify configuration.
  
 
 
2. Verify gateway status
 
     Check the Gateway Status section of the Dashboard and verify that the status of the gateway is green, i.e. UP.
 
 
 
3.  Verify IP assignments
 
      Go to the Network > Interface > Interface page and check the IP addresses assigned to the Interfaces. If you have not configured the IP scheme properly, you can run the Network Configuration wizard and change the IP address.
 
 

4.   If, due to incorrect IP address configuration, you are not able to access the appliance, roll back to factory default settings and re-configure Cyberoam by repeating the entire deployment steps given in this document.
 

What next?

If Cyberoam is up and running, you are now ready to use the Appliance. You can now:

·         Monitor network activities using Cyberoam Reports.

·         Detect your network traffic i.e. applications and protocols accessed by your users.

·         Configure authentication to monitor and log user activities based on User names


Rollback to factory default settings

Please refer to the Related Article "How To - Do Factory Reset" below for rolling back to factory default settings.

                                                                                                                                    Document Version: 1.0 – 03/06/2011

 

 
 
 
 
 
2.4.1.3. Parent Proxy Deployment Scenarios in Gateway Mode

Applicable Version: 10.00 onwards

Overview

In some countries it is required that the Internet access be routed through a government-approved proxy server. In this situation, it is necessary that the security appliance routes the user access request through the government-approved proxy server.

 

Apart from this, certain proxy servers are used for Web Caching and it is required that the user request is routed through such proxy servers.

 

In above mentioned cases, it is necessary to configure a security appliance as a proxy server. In other words, the security appliance must act as a proxy server for another proxy server.

 

The Proxy server through which the security appliance routes the user request is called Parent proxy. Alternate popular terms used for parent proxy are Upstream proxy and Forward Proxy.

 

The above mentioned needs are satisfied by Cyberoam by simply configuring the Parent proxy IP address in Cyberoam.

Scenario

There are Two (2) scenarios for Parent Proxy Deployment.

1.  Parent Proxy deployed in the Internet
2.  Parent Proxy deployed in the Internal network (LAN or DMZ)

1.  Parent Proxy in Internet

When Parent proxy is deployed in the Internet, Cyberoam is to be configured as a proxy server for the LAN users. Cyberoam routes all the outbound requests through parent proxy. 

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Configure Parent Proxy

Go to System > Configuration > Parent Proxy and configure Parent Proxy according to parameters given below.

 

Parameter: Value, followed by Description

Parent Proxy: Enable
Click to enable the Parent Proxy if the web traffic is blocked by the upstream Gateway. If enabled, appliance forwards all the HTTP requests to parent proxy server.

Domain Name/IPv4 Address: 203.1.23.5
Specify Domain Name or IPv4 Address for the Parent Proxy.

Port: 3128
Specify Port number, which is to be used for Parent Proxy. Default port - 3128

Username & Password: <username and password to access parent proxy>
Specify Username & Password for authentication.

 

Click Apply to save Parent Proxy Configuration.           

2.  Parent Proxy in Internal Network (LAN/DMZ)

When Parent proxy is deployed in the LAN or DMZ, Cyberoam is to be configured as a proxy server for the LAN/DMZ users. Cyberoam routes all the outbound requests through parent proxy. Here, we have demonstrated configuration when parent proxy is deployed in LAN Zone. Similar configuration is required when Parent Proxy is deployed in DMZ.
 

 

Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure Parent Proxy

Go to System > Configuration > Parent Proxy and configure Parent Proxy according to parameters given below.

 

Parameter: Value, followed by Description

Parent Proxy: Enable
Click to enable the Parent Proxy if the web traffic is blocked by the upstream Gateway. If enabled, appliance forwards all the HTTP requests to parent proxy server.

Domain Name/IPv4 Address: 192.168.1.10
Specify Domain Name or IPv4 Address for the Parent Proxy.

Port: 3128
Specify Port number, which is to be used for Parent Proxy. Default port - 3128

Username & Password: <username and password to access parent proxy>
Specify Username & Password for authentication.

 

Click Apply to save Parent Proxy Configuration.

Step 2: Create Firewall Rule to Masquerade Outgoing Traffic from Parent Proxy

Go to Firewall > Rule > Rule and create firewall rule to Masquerade outgoing traffic, as shown below.
 
 

Click OK to save rule.

 

Note:

 

If Parent Proxy is deployed in DMZ, create Firewall Rule to Masquerade outgoing traffic from DMZ to WAN. 

Step 3: Create LAN-LAN Firewall Rule to allow traffic within Network

Go to Firewall > Rule > Rule and create a firewall rule to allow traffic between internal hosts and parent proxy.
 
 

Click OK to save rule.

 

Note:

 

If Parent Proxy is deployed in DMZ, create Firewall Rule for DMZ-DMZ traffic.
 











                                                                                                                                                            Document Version: 2.0 – 9 April, 2014
2.4.1.4. Deploy Cyberoam in Bridge Mode

Applicable Version: 10.02.0224 onwards
 
 

Overview

Cyberoam when deployed in bridge mode can work as a layer 2 (transparent bridge) or layer 3 bridge. 
 
Cyberoam, as a Layer 2 Bridge, facilitates features like deep-packet inspection, Intrusion Prevention System, Gateway Anti Virus, and Gateway Anti Spam without changing any configuration or IP Schema of the network. When the customer wants to add security without changing any configurations Cyberoam can be deployed in Bridge Mode. 

Cyberoam, when configured as a Layer 3 Bridge, allows you to harness all its security features as well as facilitates routing.

Note:
High Availability feature is not supported in Bridge Mode. 

Prerequisite

Cyberoam appliance is configured using factory default settings. 

Scenario

The following network diagram depicts a network where the existing Firewall or Router is present at the perimeter of the network. Cyberoam is to be deployed in Bridge Mode for providing the Security services.
 

This article shows how you can configure Cyberoam in Bridge Mode using Two (2) methods:
-         Using Network Configuration Wizard
-         Using Bridge Pair
 

Deploying Cyberoam in Bridge Mode using Network Configuration Wizard

To deploy Cyberoam in Bridge Mode using Network Configuration Wizard, follow the steps given below.

1.     Click Wizard button on the top right corner of the Dashboard.

 
 
2.   The Network Configuration Wizard appears. Click Start to initialize the network configuration process.  
 
 
 
3.    In the first screen, select Bridge Mode as mode of deployment.
 
      Click Next.
 
 
 
4.     In Zone Configuration screen, select Port A as LAN Port and Port B as WAN Port.

Click Next. 

 
 
5.     In the Network Configuration screen, mention Bridge Configuration parameters for Port B (WAN), as shown below.

     Click Next.

 

6.     In the Internet Access Configuration screen, select the desired policy for LAN to WAN traffic.

Click Next.

 

Configuring Default Internet Access Policy (IAP)

For your convenience, Cyberoam provides 3 pre-defined Internet Access Policies. Based on the

Internet Access Policy, Cyberoam decides which outbound traffic is to be allowed or dropped.

Monitor Only Policy

·         Allows all outbound traffic without any authentication.

·         No scanning.

·         No content filtering.

General Internet Policy

·         Allow all outbound traffic without any authentication.

·         Web traffic will be scanned for virus / malware / spyware.

·         Content filtering will be “ON” using the default content filtering policy “General Corporate Policy”, which blocks the following web URL categories:

o    Porn, Nudity, Adult Content, URL Translation Sites, Drugs, Crime and Suicide, Gambling, Militancy and Extremist, Phishing and Fraud, Violence, Weapons

Strict Internet Policy

·         Block all outbound unauthenticated traffic.

·         Web traffic will be scanned for virus / malware / spyware.

·         All traffic will be scanned by IPS engine.
 

7.     In the Configure Mail Settings screen, configure the following parameters:

·         Email Address on which the notification must be sent.

·         Mail server IP Address and Port Number.

·         Email Address of the administrator from where the notification emails will be sent.

Click Next.
 
 
 
8.     In the Date & Time Configuration screen, select the Time Zone according to the current location and enter the Date and Time accordingly. You can even synchronize Cyberoam with NTP server.
 
     Click Next.
 
 
 
9.     The Configuration Overview screen appears displaying the summary of Bridge Mode configuration.

Click Finish.
 
 
10.     Click OK to confirm and continue with Bridge Mode configurations.
 
 
11.     A screen displaying processing of Bridge Mode configuration appears. Wait until the process is complete.
 
 
 
12.   On successful deployment of the Cyberoam Appliance, the following screen appears.
 
 
 

Note:
After changing the LAN IP Address, you must use this IP Address to reconnect to the Web Admin Console. You might also need to change the IP Address of the management computer to be on the same subnet as the new IP Address.

This completes the basic configuration of Cyberoam using Network Configuration Wizard and now it is ready to be used.

Note:
Create a WAN to LAN Firewall Rule for allowing inbound traffic. 
 

Deploying Cyberoam in Bridge Mode using Bridge-Pair button

Go to Network > Interface > Interface and click Add Bridge Pair. Specify the parameters as shown in the table below.
 

Click OK to create the Bridge Pair.
 
 
This configures Cyberoam in bridge mode.
 
Note:
 
RSTP packets, multicast routing packets and spanning tree (STP) packets are forwarded.
 
 
                                                                                                                                                                                 Document Version: 1.1 – 22 September, 2014
 
2.4.1.5. Is Multi-link Management supported in Cyberoam when deployed in Mixed Mode?

Applicable Version: 10.02.0 Build 224

In Mixed Mode, Cyberoam supports Multi-link Management (MLM) only if it is deployed as a Layer 3 Bridge, i.e., if Routing is enabled on the Bridge Pair configured. If deployed as a True Bridge (Layer 2), then MLM is not supported.

 

 
 
 
 
 
 
                                                                                                                                                Document Version: 1.0 – 17/09/2013
2.4.1.6. Can Cyberoam be deployed in the existing Network Infrastructure?

 

Yes, Cyberoam can be deployed as gateway, bridge or proxy in the existing Network Infrastructure viz. routers, switches, servers, etc.

2.4.1.7. Which features are not supported in Bridged Interface/Port?

Applicable Version: 10.00 onwards

Bridged Interfaces do not support the following features: 

1.    VLANs

2.    Virtual Host

3.    VPN (Except SSL VPN)

4.    High Availability

 

 

                                                                                                  Document Version 2.2 – 04 July, 2014

2.4.1.8. Points to Note when Configuring a Bridge Pair

Applicable Version: 10.02.0 Build 224 onwards
 
1.    Cyberoam contains default LAN-to-WAN Firewall Rules, namely AnyTraffic (Firewall Rule No. 1) and LiveUserTraffic (Firewall Rule No. 2). But, if external users are required to access LAN resources over the Bridge Interface, create corresponding WAN-to-LAN Firewall Rules.
 
2.    If Cyberoam is deployed between a DHCP Server and LAN users who obtain IP Addresses from the DHCP Server, create appropriate Firewall Rules to allow DHCP services. Refer to Article for further details.
 
3.    If the Bridge Interface IP is set as proxy in LAN computers, configure static routes for traffic related to subnets other than the Bridge Interface IP subnet.

4.    If the Cyberoam Bridge Interface IP is set as proxy in LAN computers, and NATting is NOT enabled in the Firewall Rule, then the upstream device must be configured to accept traffic for all client IP addresses. In this case, Cyberoam does not MASQ the source IP of client originated packets. Cyberoam sends the client IP Address as the source while forwarding the same to the upstream device.
 
5.    If there is an Asymmetric Routing issue, then configure the affected IP or subnet to be bypassed from Stateful Inspection using the following command.


console> set advanced-firewall bypass-stateful-firewall-config


6.    Select appropriate network interface/port pairs to avail the hardware bypass functionality, as only selected models and pairs of ports support this feature.

7.    To minimize downtime and avoid interruption in existing TCP connections, enable Midstream Connection Pickup using the following command.

 

       console> set advanced-firewall midstream-connection-pickup on

 

Enabling midstream pickup allows Cyberoam to automatically learn the state table for existing TCP connections. This helps in handling network behaviour due to peculiar network design and configuration, e.g. typical routing configurations leading to ICMP redirect messages.
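The mid-stream case described in point 7 as an added model of stateful inspection, not Cyberoam's implementation: a simplified TCP state table and constructed packets show why an in-line bridge drops the packets of connections whose handshake it never saw unless pickup is enabled.

```python
"""Constructed model of stateful inspection with and without midstream
connection pickup.  Not Cyberoam's implementation: a simplified TCP state
table that shows why a bridge inserted in-line drops the packets of
connections it never saw the handshake for unless pickup is enabled."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA", "FA"


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


class StatefulFirewall:
    def __init__(self, midstream_pickup: bool = False) -> None:
        self.midstream_pickup = midstream_pickup
        self.state: Dict[FlowKey, str] = {}

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        """Direction-independent key so both directions share one entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p: Packet) -> str:
        """Return 'accept' or 'drop' and update the state table."""
        key = self.flow_key(p)
        entry = self.state.get(key)
        if entry is None:
            if p.flags == "S":                  # new connection, handshake seen
                self.state[key] = "SYN_SENT"
                return "accept"
            if self.midstream_pickup and "A" in p.flags:
                # Pickup: adopt the flow from any ACK-bearing packet even
                # though the handshake happened before the bridge went in.
                self.state[key] = "ESTABLISHED"
                return "accept"
            return "drop"                       # strict: no state, not a SYN
        if entry == "SYN_SENT" and p.flags == "SA":
            self.state[key] = "ESTABLISHED"
        if "F" in p.flags or "R" in p.flags:    # teardown
            self.state.pop(key, None)
        return "accept"


# Constructed traffic: a session established before the bridge went
# in-line, so the appliance only ever sees its mid-stream packets.
EXISTING_SESSION: List[Packet] = [
    Packet("10.0.0.5", 51000, "198.51.100.20", 443, "PA"),   # client data
    Packet("198.51.100.20", 443, "10.0.0.5", 51000, "A"),    # server ack
]

# A connection started after deployment: the handshake is visible.
NEW_SESSION: List[Packet] = [
    Packet("10.0.0.6", 52000, "198.51.100.20", 80, "S"),
    Packet("198.51.100.20", 80, "10.0.0.6", 52000, "SA"),
    Packet("10.0.0.6", 52000, "198.51.100.20", 80, "A"),
]


def verdicts(packets: List[Packet], midstream_pickup: bool) -> List[str]:
    """Run a packet list through a fresh firewall and collect the verdicts."""
    fw = StatefulFirewall(midstream_pickup)
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    print("existing, pickup off:", verdicts(EXISTING_SESSION, False))
    print("existing, pickup on: ", verdicts(EXISTING_SESSION, True))
    print("new, pickup off:     ", verdicts(NEW_SESSION, False))
```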

 

 

 

 

 

 
                                                                                                                                                                       Document Version: 2.0 – 04/09/2013
2.4.2. Registration & Licensing
2.4.2.1. How do I view my Registration and Subscription details on Cyberoam?

Applicable Version: 10.00 onwards

You can view the Registration and Subscription details in Two (2) ways:

1.    From the Dashboard

       All the Licensing information can be viewed on the dashboard in the doclet License Information.


2.    From the page System > Maintenance > Licensing 
 
      All licensing information can also be viewed from System > Maintenance > Licensing.
 









                                                               Document Version: 1.0 – 4 September, 2014
2.4.2.2. Can I migrate configuration of my SonicWall Appliance to my Cyberoam Appliance?


Yes. To know how to migrate SonicWall configuration to Cyberoam, refer to the Cyberoam Migration Assistant Guide.

 

    





                                                                                                                           Document Version: 1.0 - 10 April, 2014 

2.4.2.3. Upgrade Cyberoam with EAL4+ Compliant Firmware

Applicable Version: 10.00 onwards

Scenario

Upgrade Cyberoam with EAL4+ Compliant Firmware.

 

Note:


-    Before initializing the upgrade procedure, make sure that the appliance holds a valid support subscription.
-    Cyberoam reboots during the upgrade process. Hence, schedule the upgrade to suit your network’s maintenance window.
-    It is recommended that you take backup of your appliance before as well as after upgrading. 

Procedure

You can upgrade Cyberoam Firmware to EAL4+ Compliant Firmware by following the steps given below.

Step 1: Download EAL4+ Compliant Firmware
 
To download from Customer My Account:
 
•   Browse to https://customer.cyberoam.com and login using your credentials (Email Address and Password) used to register the appliance.
 

 
     Alternately, click Get Appliance Upgrade URL on the login page to directly download the firmware without logging in. Enter the Appliance Key of the appliance which is to be upgraded and click Submit.

•   Click Upgrade to upgrade your appliance.
 
 

 

 

•   The screen shown below appears. Select Upgrade to EAL4+ Compliant Firmware to upgrade to the latest firmware.
 
 

 
•   The screen, as shown below, expands showing further instructions. Check I have read and understood the steps involved in upgrading to Version EAL4 and click Download Version EAL4 Firmware.
 
 
 
  

Save the downloaded firmware to your local machine.

 

Note:

 

It is recommended that you verify the integrity of the downloaded firmware using the MD5 checksum. For details, refer to the article Verify the Integrity of Cyberoam Upgrade File using MD5 checksum.     


Step 2: Upload and Boot Latest Firmware on Cyberoam
 
•    Login to Cyberoam Web Admin Console using profile having read/write administrative rights over relevant features.
 
•   Go to System > Maintenance > Firmware and click    to upload the firmware downloaded in step 1.
 
 

 

•    The Firmware Upgrade/Downgrade screen appears. Browse the downloaded file and click Upload & Boot.
 
 

  

      If Upload & Boot is clicked, Cyberoam performs the following actions:


-     Firmware is uploaded onto the appliance

-    All active sessions on Cyberoam are closed

-    Cyberoam undergoes a soft reboot, booting up with the uploaded latest firmware

 

 
Alternately, click Upload firmware if you want to simply upload the firmware and reboot later, at a convenient time. On reboot, the Appliance boots up with the new firmware. Go to System > Maintenance > Firmware and click  to reboot.
 
 

 

 

Note:


-      For Appliances in HA, if the Upload firmware option is used, the Appliances do not boot up with the new firmware on a normal reboot. To boot with the new firmware, the administrator has to go to System > Maintenance > Firmware and click  against the newly uploaded firmware.
-      Settings configured on a firmware are not carried over if you boot Cyberoam with an earlier firmware. For example, the configurations of Cyberoam with active firmware 10.04.2 Build 527 will not be carried over if you boot the Cyberoam with firmware 10.04.1 Build 451.

 

 

 

 

                                                                                                                                                                           Document Version: 1.2 – 25 February, 2014
2.4.2.4. Verify the Integrity of Cyberoam Upgrade File using MD5 checksum

Applicable Version: 10.00 onwards

Overview

The MD5 checksum (also called MD5 digest) for a file is a 128-bit value, which can be thought of as a fingerprint of the file. There is a very small possibility of getting two identical checksums of two different files. This feature can be useful both for comparing files and for integrity control.

 

No network delivers content absolutely faultlessly. Hence it becomes necessary to verify the data integrity of downloaded files. The MD5 checksum provides the means to do that.


There are a number of MD5 checking tools available on the Internet. Some popular MD5 checking tools are Microsoft File Checksum Integrity Verifier and MD5Summer.

 

When you download a Cyberoam upgrade file from the Cyberoam Customer Portal, you can verify the integrity of the downloaded file using the MD5 checksum provided. This article demonstrates how you can verify the integrity of a Cyberoam upgrade file using Microsoft File Checksum Integrity Verifier.


 

Demonstration

Step 1: Download and Install MD5 Checking Tool

Download the MD5 checking tool, i.e., Microsoft File Checksum Integrity Verifier from http://www.microsoft.com/en-us/download/details.aspx?id=11533 and install it in your system.

Step 2: Generate MD5 Checksum of Downloaded File

Go to command prompt and execute the following command to generate MD5 checksum of downloaded upgrade file.

 

fciv.exe <absolute path of file whose MD5 checksum is to be generated>

 

 

 

 


Step 3: Verify Checksum

 

Compare the generated checksum with the checksum provided at the location from where the file is downloaded, i.e., the Cyberoam Upgrade window in Cyberoam Customer Account.

 

 

 

 

As shown above, the checksum generated by the MD5 checking tool and that provided at the download site match. Hence, the integrity of the downloaded file is maintained.

 

In case there is a mismatch in the MD5 checksums, try downloading the Upgrade file again.
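The checksum procedure above in Python, as an added example that is neither Cyberoam's nor Microsoft's tooling: it computes the digest the way fciv.exe does (Step 2) and adds the comparison of Step 3; the sample file content and the digest strings used in self_check are constructed test data.

```python
"""Verify a downloaded upgrade file against the MD5 checksum published for
it.  Added example, not Cyberoam's tooling: it does in Python what the
article does with fciv.exe, then performs the comparison step.  The file
content and digest strings in self_check are constructed test data."""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Tuple

# A 32-hex-digit token anywhere in the published text (bare digest,
# "MD5: <digest>", or an fciv-style "<digest> <filename>" line).
_MD5_HEX = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32})(?![0-9a-fA-F])")


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Lowercase hex MD5 of a file, read in chunks so a large firmware
    image never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_md5(published: str) -> str:
    """Pull the digest out of whatever the download site printed, so a
    copy-pasted 'MD5: 9E10...' or an fciv output line both work."""
    match = _MD5_HEX.search(published)
    if not match:
        raise ValueError("no 32-hex-digit MD5 digest in: %r" % published)
    return match.group(1).lower()


def verify_download(path: str, published: str) -> Tuple[bool, str]:
    """Return (matches, computed_digest).  compare_digest keeps the
    comparison constant-time; normalising case avoids false mismatches
    when the site prints upper-case hex.  MD5 catches transmission
    corruption (the article's purpose); it is not proof of authorship."""
    computed = md5_of_file(path)
    expected = extract_md5(published)
    return hmac.compare_digest(computed, expected), computed


def self_check() -> Tuple[bool, bool]:
    """Constructed check: a temp file with known content must verify
    against its published digest and fail against a corrupted digest."""
    sample = b"The quick brown fox jumps over the lazy dog"
    known = "MD5: 9E107D9D372BB6826BD81D3542A419D6"   # constructed "site" text
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        good, _ = verify_download(path, known)
        bad, _ = verify_download(path, known[:-1] + "7")  # last digit altered
        return good, bad
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    # usage: python verify_md5.py <downloaded file> "<checksum text from the site>"
    ok, got = verify_download(sys.argv[1], sys.argv[2])
    print("computed:", got)
    print("integrity OK" if ok else "MISMATCH: download the upgrade file again")
    sys.exit(0 if ok else 1)
```

On current Windows the PowerShell cmdlet Get-FileHash -Algorithm MD5 produces the same digest as fciv.exe, so either can feed the comparison.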

 

 

Note:

 

For detailed information on how you can upgrade Cyberoam firmware, refer to the article How To – Upgrade Firmware of Cyberoam Appliance.

 

 

 




                                                                                                                                                                  Document Version: 2.1 – 26 February, 2014

2.4.2.5. Cyberoam Registration and Subscription Guide
Applicable to Version: 10.00 onwards
 
Overview
 
This document provides an overview of the Customer My Account (CMA) portal and how it can be used to:
 

Before you begin configuring and customizing features, register your Cyberoam Appliance from the Customer My Account (CMA) portal, https://customer.cyberoam.com.

Many Cyberoam customer services, like firmware upgrades, technical support and other services available through Subscription modules, require product registration.
 

Cyberoam Basics
 
Cyberoam has 2 types of licenses: Basic Licenses and Subscription-based Licenses. Refer to the Subscription Matrix for details about these Modules.
 
Cyberoam Appliances are pre-subscribed to the basic licenses indefinitely, while Subscription-based Modules are to be subscribed to before use.
 
You need to register your appliance if you want to:
 
·         Subscribe to any of the Subscription-based modules
·         Subscribe for FREE 15-day trial of any of the Subscription modules
·         Register for 8 X 5 or 24 x 7 Support


Register Customer Account and Appliance

To avail subscriptions, you need to register your Cyberoam Appliance. Following are details about how you can register:
 
-         NG or ia Series Appliance
-         Virtual UTM Appliance
 

Note:

 

To register your Appliance:


-    You need to provide the Appliance Key. Refer to the article From where can I find Cyberoam’s Appliance Key?
-    Supplier details are mandatory for each new appliance being registered.

Registration of NG or ia Series Appliance

Step 1: Browse to https://customer.cyberoam.com and click Register your Appliance. 
 
  
Fill up the registration form and click I Agree to register your appliance as well as for a customer account.
 
 
 
 
 
 
This creates your customer account with the username as specified in Email ID and also registers your Appliance.
 
 
Step 2: Browse to http://<LAN IP address of Cyberoam>
 
Go to System > Maintenance > Licensing and click Synchronize. It fetches the licensing details from the registration server and shows the details on Web Admin console. 
 
 

Registration of Virtual UTM Appliance

You can register your purchased as well as trial Virtual UTM Appliance by following the steps below.

Step 1: Browse to https://customer.cyberoam.com and click Register your Appliance.

Fill up the registration form and click I Agree to register your appliance as well as for a customer account.

On clicking I Agree you receive an email confirming your registration.

It takes a few minutes for the OVF file corresponding to your registered key to be generated. Once the file is generated, you receive a second email indicating that your file is ready to be downloaded from your customer account.

Step 2: Login to your Customer Account to download the OVF file.

Under the Model section, click Download to download the OVF file.

The Virtual UTM Download screen appears. Select the Platform on which the virtual appliance is to be deployed. As an example, here we have selected VMware.

Available Platforms are:

-   VMware
-   Hyper-V

Click Download to download the Virtual Appliance.

Once the file is downloaded, install it onto your hypervisor. For installation details, refer to the Virtual UTM Installation Guides.

Note

In case of a Trial Virtual UTM Appliance, keep the following things in mind:

-       You receive a 30-day trial on the virtual appliance. The 30 days start from the Date of Registration of the Appliance, NOT from the day when you download it. For example, if you registered the virtual appliance on 1st April, 2012 and downloaded the OVF file on 5th April, 2012, the Trial Period ends on 1st May, 2012, i.e., 30 days after you registered your appliance, NOT on 5th May.
-       After the 30-day Trial Period, the appliance is deactivated automatically. If you want to register for another Trial or purchase a Cyberoam Virtual UTM Appliance, contact Cyberoam Customer Support at support@cyberoam.com.

 
Subscribe Module for Trial

When subscribing to a Trial License, keep the following points in mind:

-         You can subscribe to a Trial License when you have a Try & Buy or Demo/NFR (Not For Resale) Appliance.
-         The trial is available for 15 days.
-         You can avail a maximum of three (3) trials on a single appliance. The appliance must already be registered before you can subscribe to a trial license.

Steps to Subscribe To Trial License

Step 1: Browse to https://customer.cyberoam.com and login with your credentials – Email id and password, provided at the time of registering the customer account.

Step 2: The page displays the list of appliances registered. Click Subscribe to view the list of subscriptions available for the appliance.

Step 3: Click Trial against the module whose trial is to be subscribed. Here, we have subscribed to the trial of the Gateway Anti Virus module.

Step 4: If the module is subscribed successfully, the status of the module changes to “Trial”.

Step 5: Browse to the Web Admin Console at https://<LAN IP address of Cyberoam>

Go to System > Maintenance > Licensing and click Synchronize. It fetches the licensing details from the registration server and shows the details on the Web Admin Console.

Note:

Cyberoam Virtual UTM Appliance comes with all modules subscribed.


Subscribe Module with License Keys

You can subscribe to any subscription-based module by following the steps below. The appliance must already be registered before you can subscribe to any license.

Step 1: Browse to https://customer.cyberoam.com and login with your credentials – Email id and password, provided at the time of registering the customer account.

Step 2: The page displays the list of appliances registered. Click Subscribe to view the list of subscriptions available for the appliance.

Step 3: Click Subscribe to subscribe to any module.

Step 4: Enter the subscription key and click Verify to verify the key.

Step 5: On clicking Verify, the key you entered is verified. If the key is found valid, you can subscribe to the module. Click Subscribe to subscribe to the module.

Step 6: Browse to the Web Admin Console at https://<LAN IP address of Cyberoam>

Go to System > Maintenance > Licensing and click Synchronize. It fetches the licensing details from the registration server and shows the details on the Web Admin Console.

Note:

To renew an existing subscription of module(s), order a Renewal Key for that module. Once the Renewal Key is received, follow the steps above to renew the subscription. To order any renewal, contact your Channel Partner, any other Partner in your region or Corporate Office. Visit www.cyberoam.com to get the latest contact information of your Channel Partner, to locate any other Channel Partner or Corporate Office.
 

Register Appliance with the existing Customer Account

Step 1: Browse to https://customer.cyberoam.com and login with the credentials – Email id and password, provided at the time of registering the customer account.

Step 2: The page displays the list of appliances registered. Click Register Appliance to register an additional appliance.

Fill in the details of the additional appliance in the Register Appliance Form and click Register.

                                                Document version: 5.1 - 28 January, 2014
2.4.2.6. Transfer Appliance on the Specific Registered Email Address

The following article describes the process to transfer an Appliance to a specific registered Email Address.

Step 1

Browse to https://customer.cyberoam.com. You will log in with the Email Address and Password of the Customer Account to which the appliance is to be transferred.

Step 2

Specify the login name or username of Customer My Account, i.e. the Email Address which you are using as username for your Customer account, and the Password, and click Login.

A screen will appear as shown below:

Click on Transfer Appliance and fill in the details as shown in the table below (the key values are samples only):

Parameter       Value
Password        Specify password
ApplianceKey    C014400158 – A6CCHB (sample). Appliance Key is a unique identity of the appliance. Specify the Appliance Key of the appliance which needs to be transferred.
PublicKey       JYNRVEZ1RFRILLITMC (sample). Public Key is a unique hardware identity of the appliance. Specify the Public Key of the appliance which needs to be transferred.

Click on ‘Transfer Appliance’ and you will be redirected to the home page where you can view the appliance which you have transferred to the specified Email address.

Note:

·         Please make sure that you know the Appliance Key and Public Key of the appliance you need to transfer to your email address.

·         Follow the steps mentioned in Step 3 if you do not know the Appliance Key and Public Key of the appliance which you want to transfer.

·         The transfer is authorised only by these two values and your own account password, so treat the Appliance Key and Public Key as confidential: anyone who knows both can move the appliance into a Customer Account they control.

Step 3

Skip this step if you already know the Appliance Key and Public Key of the appliance.

Follow the steps mentioned below from the CLI Console to retrieve the Appliance Key and Public Key of the appliance which you want to transfer:

  1. Logon to CLI Console
  2. Choose option 4 – Cyberoam Console
  3. Type command “cyberoam diagnostics show version-info”

 

 

                                                                                  Document Version: 1.0 – 04/07/2011
2.4.2.7. How to update Customer Account details?


You can update your existing Customer Account details by following the steps given below.

You can update:

1.  Personal Details
2.  Password
3.  Registered Email Addresses

Update Personal Details

1.  Browse to https://customer.cyberoam.com and logon with the current credentials.

2.  Go to My Profile > Edit Personal Details to change the registered details.

3.  Click Update to save the changes.

4.  Synchronize changes with the registered Cyberoam Appliance(s).

     You can synchronize by logging onto the Cyberoam Web Admin Console. Go to System > Maintenance > Licensing and click Synchronize.

     This synchronizes the registration details of the Customer Account with the Appliance. Once synchronization is done, the updated details are displayed on the Appliance.

Update Password

1.  Browse to https://customer.cyberoam.com and logon with the current credentials.

2.  Go to My Profile > Change Password to change the password.

3.  Click Update to save the changes.

4.  Synchronize changes with the registered Cyberoam Appliance(s).

     You can synchronize by logging onto the Cyberoam Web Admin Console. Go to System > Maintenance > Licensing and click Synchronize.

     This synchronizes the registration details of the Customer Account with the Appliance. Once synchronization is done, the updated details are displayed on the Appliance.

Add Registered Email Addresses

1.  Browse to https://customer.cyberoam.com and logon with the current credentials.

2.  Go to My Profile > Manage Email Addresses to manage registered Email Addresses.

3.  Click Add and enter the new Email Address to be registered.

4.  Click Update to save the changes.

5.  Synchronize changes with the registered Cyberoam Appliance(s).

     You can synchronize by logging onto the Cyberoam Web Admin Console. Go to System > Maintenance > Licensing and click Synchronize.

     This synchronizes the registration details of the Customer Account with the Appliance. Once synchronization is done, the updated details are displayed on the Appliance.

                                                                                                                                                         Document Version: 2.0 – 4 September, 2014
2.4.2.8. Can I change the registered email address on Cyberoam?
 
To change the registered email address on Cyberoam, send an email to scm@cyberoam.com with complete details of the Appliance Key, Public Key, Company Name, and Address of the Company.
 
The SCM Team may ask for further details based on case requirements.
 
                                                                                                                 Document Version: 1.0 - 24/10/2011
2.4.2.9. Can I register my Subscription keys on Demo/NFR (Not for Resale) Cyberoam?
 
No, Subscription Keys are not allowed on an NFR device.
 
Please contact your Vendor/Authorized Sales Partners/Resellers for further details.
 
                                                                                                      Document Version : 1.0 - 24/10/2011
 
2.4.2.10. How do I renew Subscription of Modules?

Applicable to Versions 10.00 onwards
 
Renewal of existing subscription modules is done in two steps:
 
1.  Order Renewal Subscription Key(s) for the required module
2.  Subscribe the Module using the Renewal Key
 
1.  Order Renewal Subscription Key(s) for the required module

     On ordering a Renewal Subscription Key for the required module, a Renewal Key for that module is obtained. To order any renewal, contact your Channel Partner, any other Partner in your region or Corporate Office. Visit www.cyberoam.com to get the latest contact information of your Channel Partner, to locate any other Channel Partner or Corporate Office.

2.  Subscribe the Module using the Renewal Key

     After the Renewal Key is obtained, the module can be subscribed using the same method as that used during the first subscription of that module. For details on how to subscribe a Module, refer to the Registration and Subscription Guide.

Document Version: 1.2 – 28 January, 2014

2.4.2.11. From where can I get Version Information for all the modules of Cyberoam?

Applicable to Version: 10.00 onwards

Follow the steps mentioned below to retrieve Version Information for all the modules of Cyberoam.

1. Logon to CLI Console
2. Choose option 4 – Cyberoam Console
3. Type command “cyberoam diagnostics show version-info”
 
 
                                                                                                               Document Version – 1.0 – 22/06/2011
2.4.2.12. Where can I find the Cyberoam Appliance Key?

Applicable Version: 10.00 onwards

The Appliance Key is a unique identity of the appliance.

The Appliance Key is required for purposes like registration of Appliances, password retrieval of the Customer Account or while contacting Cyberoam Support. Because it is accepted as proof of ownership in these account recovery flows, treat it as confidential.

You can find the Appliance Key from:

-   Web Admin Console
-   CLI Console

Web Admin Console

The Appliance Dashboard is displayed as soon as you logon to the Web Admin Console. It contains several doclets displaying information like Appliance Information, System Status, System Usage, Gateway Status, etc. The Appliance Information doclet contains details of the appliance including the Appliance Key, as shown below.

CLI Console

Follow the steps mentioned below to check the Appliance Key of Cyberoam:

1.    Logon to the CLI Console

2.    Choose option 4. Cyberoam Console

3.    Execute the following command to check details of the appliance including the Appliance Key:

                 cyberoam diagnostics show version-info

                                                                                                                                                      Document Version: 2.1 – 24 March, 2013

 

2.4.2.13. I have forgotten Email Address for Cyberoam Customer Account. What do I do now?

Applicable Version: 10.00 onwards

To access the Cyberoam Customer Account, your Registered Email Address and Password are required. In case you have forgotten the email address, you can find it on the Cyberoam Web Admin Console. Alternatively, the email address can be retrieved through the Cyberoam Customer Account website.

Web Admin Console

·        Log on to the Web Admin Console as an Administrator.

·        On the Dashboard, locate the License Information doclet to find your Registered Email Address as shown in the image below.

         Alternatively, go to System > Maintenance > Licensing and look under Appliance Registration Details to find the Registered Email Address as shown.

Cyberoam Customer Account website

To retrieve the registered email address through the Cyberoam Customer Account website, the Appliance Key and Public Key are required.

Follow the steps mentioned below to retrieve your login email address.

Step 1. Retrieve Appliance Key and Public Key

·        Logon to the CLI Console using Telnet or SSH.

·        Choose Option 4 – Cyberoam Console from the Main Menu list.

·        Execute the command cyberoam diagnostics show version-info at the console prompt.

Step 2. Open the Forgot Email Address link on the Cyberoam Customer Account website.

Step 3. Specify the Appliance Key, Public Key and the email address on which you want to receive your Customer Account email address. Click Submit.

An email containing your Registered Email Address will be sent to the specified email address.

Note:

In case you have forgotten the Password for your Cyberoam Customer Account, refer to the article I have forgotten password of Cyberoam Customer Account. What do I do now?

                                                                                                                                                                                         Document Version: 2.0 – 27 June, 2014

2.4.2.14. I have forgotten password of Cyberoam Customer Account. What do I do now?

Applicable Version: 10.00 onwards

Follow the steps mentioned below to reset the Password of your Cyberoam Customer Account in case you have forgotten it.

Step 1. Go to the URL https://customer.cyberoam.com and select Forgot your password?

Step 2. Specify the registered Email Address of your Customer Account and click Submit.

Step 3. Specify the security answer you provided during registration and click Submit.

After submitting the security answer, you will get a confirmation message and receive an email with instructions to reset your password.
 

                                                                                                                                               Document Version 2.0 – 27 February, 2014

2.4.2.15. How to unregister a Demo Cyberoam Appliance?

Applicable Version: 10.00 onwards

You can obtain a FREE Demo Cyberoam Appliance to get hands-on experience of how Cyberoam works, and how it fits into and secures your own network infrastructure. You can get the Demo Appliance either by ordering from a Cyberoam Partner or Distributor, or from www.cyberoam.com.

On obtaining the Demo Appliance, you have to register it into your Customer Account on customer.cyberoam.com. To know how to register the Appliance, refer to the article Registration and Subscription Guide.

Remove Registration

Once the demo period is over, you can unregister the demo Cyberoam Appliance by following the steps given below.

Customer Account

1.    Logon to the Customer Account into which you have registered the Demo Appliance.
2.    Click the Remove Registration icon to unregister the Appliance.

Cyberoam Appliance

1.    Logon to the Web Admin Console of the Demo Appliance.

2.    Go to System > Maintenance > Licensing and click Synchronize to remove the registration information from the Appliance.

                              Document Version: 1.0 – 19 March, 2014
2.4.2.16. From where can I retrieve Public key of my Appliance?

Applicable to Version: 10.00 onwards

Public key is a unique hardware identity of the appliance.
 
You may need this key to retrieve your Customer My Account Email address or password, if you have forgotten them, from https://customer.cyberoam.com.

Follow the steps mentioned below to retrieve the public key of your Appliance:
 
  1. Logon to CLI Console
  2. Choose option 4 – Cyberoam Console
  3. Type command “cyberoam diagnostics show version-info”

    2.4.2.17. Migrate Cyberoam Appliance from Version 9 to Version 10
    Applicable Version: 9.5.8.68 onwards for CR15i
                                          9.6.0.78 onwards for CR25ia – CR1500i

    Scenario

    Upgrade the Version 9 firmware on a Cyberoam Appliance to the latest Version 10 firmware.

    Prerequisite

    -    Appliance Version:
      o  CR15i Appliances at Version 9.5.8.68
      o  All other Appliances at Version 9.6.0.78
    -   If your appliance is on any other version, upgrade to the above mentioned version first. Refer to the article How To – Upgrade Cyberoam (Version 9) for details.
    -    Valid 24x7 or 8x5 Support License.
    -   Cyberoam reboots during the upgrade process. Hence, schedule the upgrade to suit your network’s maintenance window.
    -   Recommendation: Take a Backup before migration.
     
    Procedure

    You can upgrade the Cyberoam Firmware by following the steps given below.

    Step 1: Download Firmware from Customer My Account

    To download from Customer My Account:

    ·       Browse to https://customer.cyberoam.com and login using the credentials (Email Address and Password) used to register the appliance.

     Alternatively, click Get Appliance Upgrade URL on the login page to directly download the latest firmware version without logging in. Enter the Appliance Key of the appliance which is to be upgraded and click Submit.

    ·     Click Upgrade to upgrade your appliance.

    ·    The screen shown below appears. Select Upgrade From Version 9 to Version 10 Firmware.

    ·    Follow the on-screen instructions and click Download Version 10 Firmware. At this point firmware version 10.01.0 Build 674 is downloaded.

         Note:

         It is recommended that you verify the integrity of the downloaded firmware using the MD5 checksum. For details, refer to the article Verify the Integrity of Cyberoam Upgrade File using MD5 checksum. An MD5 match confirms that the file was not corrupted in transit; because MD5 is no longer collision-resistant, it is not by itself proof of authenticity, so obtain both the firmware and the checksum from Customer My Account over HTTPS.

    Step 2: Migrate Version 9 Backup to Version 10

    When you upgrade your Appliance, all configuration data is deleted. Hence, it is recommended to take a backup of your configuration before upgrading Cyberoam.

    To convert the Version 9 configuration backup file to that of Version 10, refer to the article Convert Version 9 Configuration Backup to Version 10 for details.

    Step 3: Upload Version 10 Firmware on Cyberoam

    The firmware downloaded from Customer My Account is of Version 10.01.0 Build 674. Upload this firmware by following the instructions given below.

    ·        Logon to the Web Admin Console and go to Help > Upload Upgrade to upload the firmware downloaded in Step 1 on the appliance.

    ·        Type the file name with full path or select it using ‘Browse’ and click Upload.

    ·        Login to the CLI and choose Option 6. Upgrade Version.

    ·        Choose Option 1. Uploaded Upgrade to upgrade from the uploaded file and follow the on-screen instructions.

    ·        The above procedure migrates your appliance to the base firmware 10.01.0 Build 674. Now upgrade this base firmware to the latest available version. Refer to the article How To - Upgrade Firmware of Cyberoam Appliance for details on upgrading to the latest Version 10 firmware.

                                                                                                                                                                                        Document Version: 2.0 – 08/08/2013
    2.4.2.18. Convert Version 9 Configuration Backup to Version 10
    Applicable Version: 9.5.8.68 onwards for CR15i
                                          9.6.0.78 onwards for CR25ia – CR1500i

    Scenario

    Convert the configuration backup of a Version 9 Cyberoam to Version 10. This Version 10 backup can be restored on the Cyberoam Appliance once it has been upgraded to a Version 10 firmware.

    Prerequisite

    The Appliance should have the last released Version 9 firmware (for CR15i: 9.5.8.68, and for CR25ia – CR1500i: 9.6.0.78). If your Appliance has a lower version, upgrade your appliance to the last Version 9 firmware mentioned above. Refer to the article How To – Upgrade Cyberoam (Version 9) for details.

    Procedure

    You can convert a Version 9 backup to Version 10 by following the steps given below.

    Step 1: Take Configuration Backup of the Version 9 Firmware

    Refer to the article How To - Backup and Restore Cyberoam Configuration (Version 9) for details on how you can take a backup of the Version 9 firmware.

    Step 2: Convert the Version 9 Backup to Version 10

    •   Browse to http://migrate.cyberoam.com and login using your customer/partner credentials.

    •   Select Cyberoam Version 9 and click Start Migration.

       You are redirected to the V9 migration portal. Login to the portal using your customer/partner credentials and the Appliance Key of Cyberoam.

    •   Select your Version 9 backup file and click Upload. The backup contains the complete configuration of your appliance, so confirm that the browser shows an HTTPS connection to the portal before uploading it.

    •   You are notified once conversion is complete, as shown below. Download and save the converted backup file.

    The above procedure describes how you can convert a Version 9 configuration backup to Version 10. This converted backup can be restored on your Appliance once you have upgraded the Appliance to a Version 10 firmware. For details on how you can upgrade your Version 9 Appliance to Version 10, refer to the article How To – Migrate Cyberoam Appliance from Version 9 to Version 10.

                                                                                                                                                                                                                Document Version: 2.0 – 08/08/2013

     

    2.4.3. System
    2.4.3.1. Administration
    2.4.3.1.1. Troubleshoot connectivity issue between Cyberoam Appliance and CCC

    Applicable Version: 02.02.2 Build 116 onwards

    Overview

    Cyberoam Central Console (CCC) and the managed Cyberoam appliance communicate through either of the following two methods:

    ·        CCC pushes updates to the Appliance, OR

    ·        The Appliance fetches updates from CCC

    For connectivity using either method, proper configuration at both CCC and the Cyberoam appliance is required. Refer to the article Add Cyberoam Appliance to CCC for detailed configuration steps on adding a Cyberoam appliance to CCC.

    Scenario

    Troubleshoot a connectivity error between Cyberoam and CCC.

    Note:

    -      You must be logged on to the CCC Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

    -      Connection status can be verified from the CCC Web Admin Console. Go to Management Console > Appliance Management > Appliances > Appliances.

    Troubleshooting

    You must be logged on to the Cyberoam Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

    Step 1: Verify Central Management settings

    ·        Go to System > Administration > Central Management.

    ·        Verify the IP Address/Domain of Central Management (CCC).

    ·        Under Appliance Management, verify the Communication Details and Configuration Synchronization settings.

    If the Central Management Settings are correct, follow Step 2.

    Step 2: Capture logs based on Heartbeat

    Cyberoam sends a Heartbeat to CCC at regular intervals. If the heartbeat is not received by CCC, the Cyberoam Appliance is considered to be disconnected.

    To verify heartbeat connectivity, run tcpdump on the Cyberoam appliance by following the steps mentioned below:

    ·        Logon to the CLI console using Telnet or SSH. Select option 4. Cyberoam Console from the Main Menu list.

    ·        Execute the following command at the console prompt:

            tcpdump 'port 6514'

    Where 6514 is the port used by the Heartbeat protocol.

    If Cyberoam is sending the heartbeat without any errors as shown in the image, check and confirm whether the Cyberoam heartbeat is being received by CCC in the following way:

    1.     Login to the CCC CLI Console (Telnet or SSH)

    2.     Choose option 4. CCC Console and press Enter.

    3.     Execute the following command at the console prompt, where 10.202.22.2 is the IP Address of the managed Cyberoam appliance (tcpdump requires the 'and' between the two filter primitives):

    tcpdump 'host 10.202.22.2 and port 6514'

    If the Cyberoam heartbeat is being received by CCC without any errors as shown in the image, follow Step 3.

    Note:

    -      To analyse tcpdump output, refer to the article Monitor Packet Flow in Cyberoam.

    -      tcpdump can also be executed from the Web Admin Console under System > Diagnostics > Packet Capture.

    Step 3: Verify forwarded ports on upstream NAT device

    If CCC/Cyberoam is behind a NAT device like a router, confirm that the communication and connection ports are forwarded on the NAT device.
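    The classification that Steps 1 to 3 walk through by eye can be applied to a saved capture. The following is an added example by the editor, not Cyberoam or CCC code: it parses tcpdump text output for traffic between an assumed appliance address (10.202.22.2) and an assumed CCC address (10.202.22.10) on port 6514, which it assumes is a TCP connection opened by the appliance, and reports whether heartbeats are silent (back to Step 1), leaving the appliance but unanswered (Step 3), or flowing in both directions. It also returns a correctly formed filter expression for the console. The capture lines are constructed, not real appliance output.

```python
"""Interpret a tcpdump text capture of Cyberoam-to-CCC heartbeat traffic on port 6514.

Added example by the editor; it is not Cyberoam or CCC code. It assumes the heartbeat
is a TCP connection from the appliance to CCC on port 6514 and that the capture is the
one-line-per-packet text form tcpdump prints (as with 'tcpdump -n'). The sample captures
and the addresses 10.202.22.2 (appliance) and 10.202.22.10 (CCC) are constructed.
"""
import re
from datetime import datetime

HEARTBEAT_PORT = 6514

# One tcpdump text line, e.g.
# 12:00:00.100000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [S], seq 1000, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def filter_expression(appliance_ip, ccc_ip, port=HEARTBEAT_PORT):
    """pcap filter to type at the Cyberoam or CCC console.

    Primitives must be joined with 'and'; 'host X port Y' is a tcpdump syntax error.
    """
    return f"host {appliance_ip} and host {ccc_ip} and port {port}"


def parse_capture(text):
    """Turn tcpdump text output into a list of packet dicts; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"],
        })
    return packets


def heartbeat_status(text, appliance_ip, ccc_ip, port=HEARTBEAT_PORT):
    """Classify the capture:

    'silent'   - the appliance never sends to CCC:port -> recheck Central Management settings (Step 1)
    'no-reply' - SYNs leave the appliance but nothing comes back from CCC -> path or NAT problem (Step 3)
    'ok'       - traffic seen in both directions
    """
    packets = parse_capture(text)
    outbound = [p for p in packets if p["src"] == appliance_ip and p["dst"] == ccc_ip and p["dport"] == port]
    inbound = [p for p in packets if p["src"] == ccc_ip and p["sport"] == port and p["dst"] == appliance_ip]
    if not outbound:
        return "silent"
    if not inbound:
        return "no-reply"
    return "ok"


def max_heartbeat_gap_seconds(text, appliance_ip, ccc_ip, port=HEARTBEAT_PORT):
    """Largest gap between successive new heartbeat connections (outbound SYN-only packets), or None.

    Compare this with the heartbeat interval configured on the appliance: a gap far above it
    means the appliance is not emitting heartbeats as often as configured.
    """
    syns = sorted(
        p["ts"] for p in parse_capture(text)
        if p["src"] == appliance_ip and p["dst"] == ccc_ip and p["dport"] == port and p["flags"] == "S"
    )
    gaps = [(b - a).total_seconds() for a, b in zip(syns, syns[1:])]
    return max(gaps) if gaps else None


# Constructed captures (not real output from any appliance): a healthy exchange ...
SAMPLE_OK = """\
12:00:00.100000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [S], seq 1000, win 64240, length 0
12:00:00.100400 IP 10.202.22.10.6514 > 10.202.22.2.48122: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.100600 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [.], ack 1, win 502, length 0
12:00:00.101000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [P.], seq 1:81, ack 1, win 502, length 80
12:01:00.100000 IP 10.202.22.2.48130 > 10.202.22.10.6514: Flags [S], seq 3000, win 64240, length 0
12:01:00.100400 IP 10.202.22.10.6514 > 10.202.22.2.48130: Flags [S.], seq 4000, ack 3001, win 65160, length 0
"""

# ... and three SYN retransmissions with no answer: CCC unreachable or port 6514 not forwarded.
SAMPLE_NO_REPLY = """\
12:00:00.100000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [S], seq 1000, win 64240, length 0
12:00:01.120000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [S], seq 1000, win 64240, length 0
12:00:03.160000 IP 10.202.22.2.48122 > 10.202.22.10.6514: Flags [S], seq 1000, win 64240, length 0
"""

if __name__ == "__main__":
    print(filter_expression("10.202.22.2", "10.202.22.10"))
    for name, cap in (("ok", SAMPLE_OK), ("no-reply", SAMPLE_NO_REPLY)):
        print(name, heartbeat_status(cap, "10.202.22.2", "10.202.22.10"),
              max_heartbeat_gap_seconds(cap, "10.202.22.2", "10.202.22.10"))
```

    A 'no-reply' result on the appliance side combined with nothing at all on the CCC side is the signature of the Step 3 problem (port 6514 not forwarded or filtered upstream); 'ok' on the appliance but 'silent' on CCC points at an address translation between the two that the Central Management settings do not reflect.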

     

                                                                                                                                                                   Document Version 1.1 – 20 October, 2014

    2.4.3.1.2. Configure Single Sign On Authentication for Wireless Users in a Network using API


    Applicable Version: 10.6.1 onwards

    Overview

    Organizational networks today consist of a myriad of devices, including PCs, laptops, smartphones, tablets and even music players such as iPods. Each user tends to carry multiple devices, which they connect to the organization’s wireless network. Hence, at any point of time, the network consists of various types of devices running different Operating Systems, with different Internet access needs. This makes the task of the administrator, who is responsible for providing a seamless authentication experience to users while ensuring the security and integrity of the network, more difficult.

    This article demonstrates how the administrator can configure Single Sign On (SSO) authentication for wireless users such that they only have to authenticate ONCE to get Internet access. They authenticate to the Wireless Controller, which in turn sends an API Request to Cyberoam to authenticate the user in Cyberoam automatically.

    Scenario

    Wireless users authenticate with the Wireless Access Points, which in turn authenticate them with the Wireless Controller and Cyberoam simultaneously when they log on to the WLAN. This is done by configuring the Wireless Controller to send an API Request to Cyberoam each time a user authenticates. The API Request authenticates the user in Cyberoam.

    Similarly, on logout, the user sends the logout request to the Wireless Controller, which forwards it to Cyberoam with the help of an API Request.

    This process is illustrated in the diagram below.
     
     

     

    Configuration

    To configure SSO authentication using API, follow the steps given below.

    Step 1: Configure Wireless Controller to send API Request to Cyberoam

    Configure the Wireless Controller to generate and send the API Request in the following format to Cyberoam each time a user sends a login or logout request. For details on how to configure the Controller, refer to the documentation of the respective product. 

    Sample API Request Codes:

    Login Request

    <Request>
      <LiveUserLogin>
        <UserName>cyberoam</UserName>
        <Password>cyber</Password>
        <IPAddress>10.21.18.15</IPAddress>
        <MacAddress>00:0C:29:2D:D3:AC</MacAddress>
      </LiveUserLogin>
    </Request>

    Logout Request

    <Request>
      <LiveUserLogout>
        <Admin>
          <UserName>admin</UserName>
          <Password>admin</Password>
        </Admin>
        <UserName>cyberoam</UserName>
        <IPAddress>10.21.18.15</IPAddress>
      </LiveUserLogout>
    </Request>

    Use the below link to trigger the API Request:

    https://<CyberoamIP>/corporate/APIController?reqxml=<Add the XML request here>

    For example:

    https://172.16.16.16/corporate/APIController?reqxml=<Request><LiveUserLogin><UserName>cyberoam</UserName><Password>cyber</Password><IPAddress>10.21.18.15</IPAddress><MacAddress>00:0C:29:2D:D3:AC</MacAddress></LiveUserLogin></Request>

    When the Controller sends the request, the XML should be URL-encoded as the value of the reqxml parameter (most HTTP client libraries do this automatically); the unencoded form above is shown for readability. The login request carries the user’s password and the logout request carries the credentials of a Cyberoam administrator, so use only HTTPS, replace the sample admin/admin credentials with those of a real administrator account, and restrict the source IP Addresses allowed to call the API as described in Step 2.


    Step 2: Configure Cyberoam to accept API Request

    •  Logon to the Cyberoam Web Admin Console as an Administrator with Read-Write permission for the relevant feature(s).

    •  Go to System > Administration > API and enable API Configuration.

    •  Add the IP Address(es) from which Cyberoam is to receive API Requests, i.e. the Wireless Controller. Requests from any other source are rejected.

    Click Apply to save changes.
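    The request shapes from Step 1 and the allowlist from Step 2 can be exercised from a script on the Controller side. The following is an added example by the editor; it is not Cyberoam's code and not part of any wireless controller product. It builds the login and logout XML exactly as documented above, URL-encodes it into the reqxml parameter, and sends it over HTTPS with certificate verification. The function names, the CA bundle parameter and the sample values (172.16.16.16, user cyberoam) are the editor's assumptions.

```python
"""Build the Cyberoam LiveUserLogin / LiveUserLogout API requests shown on this page.

Added example by the editor; it is not Cyberoam's code nor any wireless controller vendor's.
It produces the exact XML documented on the page and the URL form
https://<CyberoamIP>/corporate/APIController?reqxml=<xml>. The function names and the
sample values (172.16.16.16, user 'cyberoam') are the editor's; send_api_request is an
assumption about how a controller-side hook might deliver the request.
"""
import ipaddress
import re
import ssl
import urllib.request
from urllib.parse import parse_qs, quote, urlsplit
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def valid_endpoint(ip, mac=None):
    """True if ip is an IPv4/IPv6 address and mac (when given) is a colon-separated MAC address."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return mac is None or MAC_RE.match(mac) is not None


def _require_endpoint(ip, mac=None):
    """Refuse to build a request around values that are not an address / MAC."""
    if not valid_endpoint(ip, mac):
        raise ValueError(f"invalid endpoint ip={ip!r} mac={mac!r}")


def build_login_xml(username, password, ip, mac):
    """<Request><LiveUserLogin>...</LiveUserLogin></Request>.

    ElementTree escapes '<', '>' and '&' in the values, so a password such as 'a&b' cannot
    break the XML the way plain string concatenation would.
    """
    _require_endpoint(ip, mac)
    req = ET.Element("Request")
    login = ET.SubElement(req, "LiveUserLogin")
    ET.SubElement(login, "UserName").text = username
    ET.SubElement(login, "Password").text = password
    ET.SubElement(login, "IPAddress").text = ip
    ET.SubElement(login, "MacAddress").text = mac
    return ET.tostring(req, encoding="unicode")


def build_logout_xml(admin_user, admin_password, username, ip):
    """<Request><LiveUserLogout><Admin>...</Admin>...</LiveUserLogout></Request>.

    Logout is authorised by a Cyberoam administrator account, not by the user being logged out.
    """
    _require_endpoint(ip)
    req = ET.Element("Request")
    logout = ET.SubElement(req, "LiveUserLogout")
    admin = ET.SubElement(logout, "Admin")
    ET.SubElement(admin, "UserName").text = admin_user
    ET.SubElement(admin, "Password").text = admin_password
    ET.SubElement(logout, "UserName").text = username
    ET.SubElement(logout, "IPAddress").text = ip
    return ET.tostring(req, encoding="unicode")


def build_api_url(cyberoam_host, reqxml):
    """Place the XML in the reqxml query parameter, percent-encoding every reserved character.

    Only https is used: the XML carries passwords, and they end up in the URL, so also make
    sure nothing between the controller and Cyberoam logs query strings.
    """
    return f"https://{cyberoam_host}/corporate/APIController?reqxml={quote(reqxml, safe='')}"


def reqxml_from_url(url):
    """Recover the XML from a built URL (useful when reading controller debug logs)."""
    return parse_qs(urlsplit(url).query)["reqxml"][0]


def send_api_request(url, ca_bundle, timeout=5):
    """Deliver the request, verifying Cyberoam's certificate against the given PEM CA bundle
    (assumed to hold the CA that issued the Web Admin certificate). Returns the response body."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    xml = build_login_xml("cyberoam", "cyber", "10.21.18.15", "00:0C:29:2D:D3:AC")
    print(build_api_url("172.16.16.16", xml))
    print(build_logout_xml("admin", "admin", "cyberoam", "10.21.18.15"))
```

    The Controller's address must be in the API allowlist from Step 2 for either request to be accepted; if the Controller is behind NAT, the address Cyberoam sees is the translated one.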

    Step 3: Configure User Device to Support Wireless Access Point Settings

    Set the Authentication (802.1X) settings of the individual user devices to match those of the Access Point. Here, as an example, we show the settings on a wireless-enabled laptop running Windows 7.

    •  Go to Network and Sharing Center > Manage Wireless Networks and select the required WLAN SSID.

    •  Right-click on the SSID and select Properties to display the Properties Page.

    •  On the Properties Page, switch to the Security tab. Select Security Type as 802.1X and click Advanced Settings for further configuration.

    •  Under Advanced Settings, enable Specify authentication mode and set it to User and computer authentication. Also enable Enable single sign on for this network and select Perform immediately before user logon.

    Click OK to save changes.

                                                                                                                                                             Document Version: 1.1 - 16 September, 2014 

    2.4.3.1.3. Password Recovery Procedure for Cyberoam
     
    Applicable to Version: 10.00 onwards
     

    Scenario

    Reset Admin Password from Console in case Cyberoam Administrator forgets the password of admin account. 
     

    Configuration

    You can reset the Admin Password by following the steps below.

    Step 1: Access CRLoader

    CRLoader can only be reached during boot, so the Appliance has to be hard rebooted.

    ·         Access the Appliance using HyperTerminal. A serial console can be connected to the Serial port of any Cyberoam appliance model. Refer to the article How To - Setup Serial Console Connection using HyperTerminal.

    ·         On receiving the Password prompt, hard reboot the Appliance and keep pressing the Enter key on the management console.

    ·         The CRLoader menu is displayed. Go to Option 0 – CRLoader and press Enter. 
     
     

    Step 2: Reset Console Password and Reboot Appliance

    On accessing CRLoader:

    ·         Select Option 2 – Troubleshoot

    ·         Select Option 1 - Reset console password

           This resets the admin user password to the factory default. Press OK to continue.

    ·         Select Option 5 - Reboot. This reboots the appliance. 

    ·         Once Cyberoam has rebooted, enter the default password “admin” and CLI access will be available.
     
     


    Note:

    Change the default password immediately. To change the password, log on to the Web Admin Console using the Administrator profile, go to System > Administration > Password and set a new admin password. Click Apply to change the password.

    Because anyone with a serial cable and the ability to power-cycle the Appliance can perform this reset, physical access to the Appliance and its console port must be restricted.




                                                                                                                                                                   Document Version: 2.1 – 31/08/2012
      
     
     
    2.4.3.1.4. Change the Default Port in Cyberoam
    Applicable Version: 10.00 onwards

    Overview

    The default ports through which Cyberoam Web Admin Console can be accessed are:

     

    HTTP: port 80

    HTTPS: port 443

    Telnet: port 23

    SSH: port 22

    SSL VPN Login: port 8443

     

    Cyberoam allows the default HTTP, HTTPS and SSL VPN Login ports to be changed to custom ports without affecting the rest of the Cyberoam configuration.

     

    The default ports should be changed in the following situations:

    •   The Web Admin Console is reachable over untrusted public interfaces such as WAN. Moving it to a custom port reduces exposure to
         scanners that probe the default ports; it is not a substitute for restricting Appliance Access to trusted zones and sources.

    •   A Web Server/Mail Server behind Cyberoam and the Web Admin Console share a single public IP Address and need to be reachable
         at the same time. Cyberoam can then be accessed over a different port while the default ports 80 and 443 are kept for the
         public Web Server/Mail Server.

     

    Note:

    -   The Telnet and SSH ports cannot be customized.
    -   SSL VPN Port configuration is not available for Cyberoam Model CR15i because the SSL VPN feature is not available on CR15i.
    -   Make sure that the custom ports you configure are not already used by other services. Use port numbers between 1024 and 65535,
        because port numbers below 1024 are reserved for well-known services.

    Scenario

    Change the default HTTP, HTTPS and SSL VPN ports to custom ports 8089, 4433 and 8446 respectively.

    Configuration
     

    The entire configuration is done from the Cyberoam Web Admin Console using a profile with read-write administrative rights for the relevant feature(s).

    Step 1: Take Backup of Appliance Configuration

    It is recommended to take a backup of the Appliance configuration first. Refer to the article How To – Backup and Restore Cyberoam Configuration for details. 

    Step 2: Change Default Ports

    Go to System > Administration > Settings. Under Web Admin Settings, set the HTTP port to 8089, the HTTPS port to 4433 and the SSL VPN Port to 8446, as shown below.

    Click Apply to save settings.

    On clicking Apply, the Web Service is reinitialized, so access to the Appliance is temporarily lost. Log on to Cyberoam again from http://<Cyberoam LAN IP>:<Custom Port> or https://<Cyberoam LAN IP>:<Custom Port>. Record the new ports before clicking Apply: if they are forgotten, access has to be restored from the serial console.

     

    In the above example:

    Web Admin Console can be managed via HTTP from http://172.16.16.2:8089.

    Web Admin Console can be managed via HTTPS from https://172.16.16.2:4433.

    SSL VPN users can access the SSL VPN Portal from https://172.16.16.2:8446.

     

     

    Note:

    If access to the Web Admin Console and Telnet Console is lost, refer to the article How To Enable Cyberoam Appliance Access? to resolve the issue.
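    The following preflight check is an added example written for this article; it is not Cyberoam code. It applies the rules stated above to a proposed port set before Apply is clicked (distinct ports, within 1024-65535, no collision with the fixed Telnet/SSH ports or with a service that shares the public IP) and returns the URLs that will be valid afterwards, so they can be written down before console access is temporarily lost. The shared-service map and the LAN IP are illustrative inputs.

```python
"""Custom admin-port preflight, as an added example (not Cyberoam code).

Checks a proposed HTTP / HTTPS / SSL VPN port set against the rules in this
article before Apply is clicked: ports must be distinct, lie in 1024-65535,
and must not collide with the fixed Telnet (23) and SSH (22) ports or with a
service that shares the public IP (for example a web or mail server). It also
returns the URLs that will be valid after the change, so they can be recorded
before access to the console is temporarily lost.
"""
FIXED_PORTS = {22: "SSH", 23: "Telnet"}   # these cannot be customized


def check_admin_ports(http, https, sslvpn, shared_services=None):
    """Return a list of problems; an empty list means the plan is acceptable."""
    shared = dict(shared_services or {})   # port -> service already using it
    wanted = {"HTTP": http, "HTTPS": https, "SSL VPN": sslvpn}
    problems = []
    for name, port in wanted.items():
        if not isinstance(port, int) or not 1024 <= port <= 65535:
            problems.append(f"{name} port {port} is outside 1024-65535")
        if port in FIXED_PORTS:
            problems.append(f"{name} port {port} collides with {FIXED_PORTS[port]}")
        if port in shared:
            problems.append(f"{name} port {port} is needed by {shared[port]}")
    if len(set(wanted.values())) != len(wanted):
        problems.append("HTTP, HTTPS and SSL VPN ports must be distinct")
    return problems


def admin_urls(lan_ip, http, https, sslvpn):
    """The addresses to use once the Web Service has reinitialised."""
    return {
        "web_admin_http": f"http://{lan_ip}:{http}",
        "web_admin_https": f"https://{lan_ip}:{https}",
        "ssl_vpn_portal": f"https://{lan_ip}:{sslvpn}",
    }


if __name__ == "__main__":
    # assumed: a public web server behind Cyberoam keeps 80 and 443 on the shared IP
    shared = {80: "public web server", 443: "public web server"}
    print(check_admin_ports(8089, 4433, 8446, shared))   # []
    print(check_admin_ports(80, 4433, 4433, shared))     # three problems
    print(admin_urls("172.16.16.2", 8089, 4433, 8446))
```

    A clean result only means the plan is internally consistent; it does not confirm that the chosen ports are unused on the Appliance, so still check the Note above before applying.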

     

     

     

     
                                                                                                                                                                   Document Version: 2.2 – 17 February, 2014
    2.4.3.1.5. Provide Read-Only access of Cyberoam Web Admin Console

    Applicable Version: 10.00 onwards


    Overview

    Cyberoam provides role-based administration through profiles, which offer granular access control and flexibility. Profiles reflect an organization's security needs and can be set up for special-purpose administrators in areas such as firewall administration, network administration and log administration. Profiles allow permissions to be assigned to individual administrators depending on their role or job need in the organization.

     

    The profile separates Cyberoam features into access control categories for which you can enable none, read only, or read-write access.

     

    This document provides steps to create a profile to give Read-Only access of Cyberoam Web Admin Console to an Administrator.
     
    Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    Step 1. Create Read-Only Profile

    Go to System > Administration > Profile and click Add to create a custom administrative profile with Read Only access.


    Specify the profile name as ReadOnly and check Read-Only as shown in the image.



    Click OK and the profile with ReadOnly access will be created successfully.

    Step 2: Create user with Read-Only profile

    Go to Identity > Users > User and click Add to create the administrative user. Specify the parameters as shown in the table.

    Parameter           Value                      Description
    Username            john.smith                 Enter the username, which uniquely identifies the user and is used for login.
    Name                John Smith                 Specify the name of the user.
    Password            cyberoam                   Specify the password and re-enter it for confirmation. The password is case sensitive.
                                                   The value shown is only an example; use a password that satisfies the Administrator
                                                   Password Complexity Settings under System > Administration > Settings.
    Confirm Password    cyberoam                   Re-enter the same password for confirmation.
    User Type           Administrator              Select the type of user. Available options: User, Administrator.
    Profile             ReadOnly                   Select the administrator profile ReadOnly created in Step 1.
    Email               john.smith@cyberoam.com    Specify the Email Address of the user.

    Click OK and the user will be assigned the administrator profile with Read-Only access to the Web Admin Console.

    Note:

    -       Default profiles cannot be deleted.

    -       Profile assigned to an administrator user cannot be deleted.

     

                                                                                                                                                  Document Version 1.1 – 21 July, 2014

    2.4.3.1.6. Change the Default Password of Super Administrator

    Applicable Version 10.00 onwards

    Overview

    Cyberoam is shipped with Two (2) default administrator accounts (profiles):

    -   Super Administrator
    -   Default Administrator

    Super Administrator

    The Super Administrator has the following credentials:

    Username: admin
    Password: admin

    The Super Administrator has all privileges and access to the Web Admin Console as well as the Cyberoam CLI. Change the password of this account immediately after deployment. As the account has super-admin privileges on both consoles, set a complex password.

    Default Administrator

    Cyberoam is shipped with another default account with the following credentials:

    Username: cyberoam
    Password: cyber

    This administrator has full privileges on the Web Admin Console, but cannot access the Cyberoam CLI. Only the Super Administrator can modify or delete the Default Administrator profile. These factory credentials are publicly documented, so change this password as well (or have the Super Administrator delete the account if it is not needed) before the Appliance is exposed to any network.

    Scenario

    This article is divided into Two (2) sections:

    -   Change factory-default Password of Super Administrator
    -   Reset Password of Super Administrator

    Change factory-default Password of Super Administrator

    To change the factory-default Password, follow the steps given below.

    1.  Log on to the Web Admin Console using the Super Administrator credentials.

    2.  Go to System > Administration > Password and specify the Current Password followed by the desired New Password.

    3.  Click Apply to save the password.

     

    Reset Password of Super Administrator 

    To reset the password, go to System > Administration > Password and click Reset To Default. This resets the password to the factory default, i.e. “admin”. Because that value is publicly known, treat the reset as a temporary step and set a new password immediately afterwards.

    The above steps allow you to change the Super Administrator Password and to reset it to default.

    The Default Administrator password can also be changed. To know how, refer to the article How to Change the Password of Default Administrator?

     

     

     


                                                                                                                                                                            Document Version: 2.1 – 22 February, 2014
    2.4.3.1.7. How do I set Password Complexity for Administrative users?

    Applicable Version: 10.00 onwards
     
    You can set the desired password complexity from System > Administration > Settings under Administrator Password Complexity Settings. As an example, here we have configured the complexity settings such that an Administrator password must have at least 10 characters and include at least 1 numeric character.

                                                                                                                                                                   Document Version: 1.1 - 22 February, 2014
    2.4.3.1.8. Can I customize the Dashboard Display?

    Applicable Version: 10.00 onwards
     

    Yes, you can customize the Cyberoam Dashboard display or appearance.

    The Cyberoam Dashboard consists of a number of re-arrangeable doclets. Each doclet displays essential information about the appliance such as the Gateway Status, System Status, Recent Viruses Detected, Recent IPS Alerts, Web Traffic Analysis, etc. You can drag and drop the doclets to the desired position on the Dashboard. You can also remove or close less often used doclets by clicking the close icon in the upper right corner of each doclet.

    The screen shown below is an example of a customized Dashboard.

    You can revert to the default Dashboard by going to More Options in the upper right corner of the Dashboard and clicking Reset Dashboard.



                                                                                                                                                                                              
    Document Version: 1.1 – 12 March, 2014
    2.4.3.1.9. How Can I Block Admin Login ?

    Applicable Version: 10.01 build 0667 onwards

    Cyberoam allows you to block Admin Login after a pre-configured number of unsuccessful attempts within a given period of time. In this article, we have configured Admin Login such that if there are 2 unsuccessful attempts within 20 seconds, login is blocked for the next 3 minutes.

    To configure Admin Login blocking, follow the steps given below:

    1.     Log on to the Web Admin Console using the Administrator profile.

    2.     Go to System > Administration > Settings and enable Block Admin Login. Set the parameters as shown in the screen below:

    Click Apply to save the configuration.
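    The simulation below is an added example written for this article, not Cyberoam code. It models the Block Admin Login rule as a sliding window (2 failures within 20 seconds block login for 3 minutes) and replays a constructed attempt log against it. Keeping the counters per source address is an assumption made for the example; the Appliance's own bookkeeping is not described on this page.

```python
"""Admin login lockout policy, as an added example (not Cyberoam code).

Models the Block Admin Login rule from this article: after `max_failures`
unsuccessful attempts within `window_seconds`, further logins are refused for
`block_minutes`. The real Appliance keeps this state internally; here it is
kept per source address (an assumption) so the behaviour can be replayed
against a constructed attempt log and tuned before it is applied.
"""
from collections import defaultdict, deque


class AdminLoginGuard:
    def __init__(self, max_failures=2, window_seconds=20, block_minutes=3):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block_for = block_minutes * 60
        self._failures = defaultdict(deque)  # source -> times of recent failures
        self._blocked_until = {}             # source -> time the block expires

    def is_blocked(self, source, now):
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now >= until:                     # block has expired
            del self._blocked_until[source]
            return False
        return True

    def attempt(self, source, success, now):
        """Record one attempt and return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(source, now):
            return "blocked"                 # refused even if the password is right
        recent = self._failures[source]
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        while recent and now - recent[0] > self.window:   # slide the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[source] = now + self.block_for
            recent.clear()
            return "blocked"
        return "failed"


def replay(events, **policy):
    """Replay (time_seconds, source, success) tuples; returns the outcome list."""
    guard = AdminLoginGuard(**policy)
    return [guard.attempt(source, success, t) for t, source, success in events]


# Constructed attempt log. 10.0.0.5: two failures 5 s apart trigger the
# 3-minute block, a correct password at 65 s is still refused, and login
# works again at 186 s. 10.0.0.9: two failures 30 s apart never fall inside
# the 20 s window, so it is never blocked.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", False),
    (5, "10.0.0.5", False),
    (65, "10.0.0.5", True),
    (186, "10.0.0.5", True),
    (0, "10.0.0.9", False),
    (30, "10.0.0.9", False),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

    The replay makes the trade-off visible: a low threshold such as 2 failures lets anyone who can reach the login page lock the administrator out simply by submitting wrong passwords. Pair this setting with Appliance Access restrictions on the zones that may reach the console, and keep the serial-console recovery path described elsewhere in this section available.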

    Document Version: 1.0 – 23/05/2012



     

    2.4.3.1.10. How To Enable Cyberoam Appliance Access?

    Applicable to Version: 10.00 onwards

    An administrator may be unable to reach the Cyberoam Appliance from the Web Admin Console because of a wrong configuration.

    Occurrence of the following events can result in loss of Cyberoam Appliance access:

    • HTTP or HTTPS options are unchecked under Appliance Access for the LAN / WAN / DMZ zone.
    • A virtual host has been created that forwards all services to an internal server, which makes Cyberoam inaccessible.
    • The Cyberoam Stateful Bypass networks contain the Cyberoam IP address as Source and Destination.
    • The default ports of Cyberoam have been changed to custom ports and the administrator has forgotten the customized port. The steps below make the appliance reachable on the default ports again.

    Depending on the event, the appliance may become unreachable over HTTP, HTTPS, Telnet or SSH, so the Cyberoam Telnet Console/Web Admin Console is effectively locked by the wrong configuration.

    Note

    Steps 1 to 5 below temporarily disable the firewall module and the custom configuration, i.e. all traffic is dropped until all the steps have been completed. Plan a maintenance window and keep the time between step 3 and step 5 as short as possible.

    Configuration

    1.  Connect a serial console to the Serial port of the Cyberoam appliance (any model). Use HyperTerminal to log on to the Cyberoam console. For details on setting up a serial console connection using HyperTerminal, see the related article.

    2.  Once the connection is established, enter the CLI password at the password prompt and press Enter. The console menu is displayed.

    3.  Choose option 4 – Cyberoam Console and type the command:

         cyberoam appliance_access enable

    4.  Now access the appliance from the Web Admin Console (HTTP or HTTPS) and change the configuration that locked you out.

    5.  Go back to the CLI and disable the temporary appliance access with the command:

         cyberoam appliance_access disable

         Cyberoam restores the previous configuration settings except for the changes you made after enabling appliance access from the CLI. Do not skip this step: while appliance access is enabled, the firewall module stays disabled.
     
     
                                                                                                   Document Version: 1.0 – 02/12/2011

     

    2.4.3.1.11. How can I access Cyberoam on different HTTP/HTTPS port?

    1.  Log on to the Web Admin Console using the Administrator profile.

    2.  Go to System > Administration > Settings and, under Web Admin Settings, configure the HTTP and HTTPS port numbers on which Cyberoam is to be accessed.

                                                                                                                                                                  Document Version: 1.0 – 17/11/2011
    2.4.3.1.12. Configure Inactivity Timeout for Administrator Logon Session

    Overview

    The administrator logon session can be managed by configuring an inactivity timeout after which the session is either locked or logged off. If Lock Admin Session is configured, the session is preserved and the administrator can resume it after providing the password again. If Logout Admin Session is configured, the administrator is logged out and the session expires.

    To prevent an unattended console from being used by someone else, configure a suitable inactivity timeout for the administrator logon session.

    Scenario

    Configure Inactivity timeout for Administrator Logon Session.

    Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    • Go to System > Administration > Settings > Login Security (Remote Admins).

     To change the inactivity timeout after which the admin session is locked, check Lock Admin Session and specify the new duration in minutes.

    The Lock Admin Session configuration is applicable to the following Cyberoam components:

    1.    Web Admin Console
    2.    Telnet Console
    3.    IPSec Connection Wizard
    4.    Network Wizard
    5.    Group Import Wizard

     To change the inactivity timeout after which the admin session is logged out, check Logout Admin Session and specify the new duration in minutes.

    Note:

    - The Logout Admin Session duration must be greater than the Lock Admin Session duration.
    - The default Admin Session Logout duration is 30 minutes.

     

                                                                                                                                                         Document Version 1.1 – 20 May, 2014


     

     

    2.4.3.1.13. What is LAN/Hardware Bypass Mode?

    Applicable Firmware Version

    ·    For Firmware version 10.00 onwards, LAN/Hardware Bypass is available ONLY when the Appliance is deployed in Bridge Mode.
    ·    For Firmware version 10.02.00 Build 224 onwards, LAN/Hardware Bypass is available in Bridge Mode. In Mixed Mode, it is available
         only if a Bridge Pair is configured on the Appliance.

    Supporting Cyberoam Models

    ·    CR 50ia, CR 100ia, CR 200i and CR 300i have One (1) Hardware Bypass Segment, i.e., 2 interfaces support the bypass feature,
         forming a single bridge.
    ·    CR 50iNG, CR 100iNG, CR 200iNG/XP, CR 300iNG/XP, CR 500iNG/XP, CR 750iNG-XP, CR 500ia, CR 500ia/1F/10F, CR 500ia-RP,
         CR 750ia/1F/10F, CR 1000ia/10F, CR 1500ia/10F and CR 2500iNG have Two (2) Hardware Bypass Segments, i.e., 4 interfaces
         support the bypass feature, forming 2 bridges.

    Overview

    Cyberoam goes into LAN Bypass Mode (also called Hardware Bypass Mode) in case of a Power Failure or Hardware Malfunction. In Bypass Mode, the two interfaces of a bypass segment are bridged and all traffic passes through uninspected: incoming and outgoing traffic flow is not interrupted, but no firewall, IPS or other security policy is applied for as long as bypass is active. The LED on the front panel of the Appliance blinks RED when Bypass Mode is active.

    In case of a Power Failure, once power is restored, Cyberoam automatically resumes normal functionality. In case of a Hardware Failure, contact Cyberoam Support.

    Configure LAN Bypass

    By default, LAN Bypass is enabled in Cyberoam. Whether a fail-open segment is acceptable depends on the deployment: it keeps the network up during an Appliance failure, but it also means traffic is unfiltered until the failure is fixed. You can enable/disable LAN Bypass by following the steps given below.

    1.    Log on to the Cyberoam CLI Console (Telnet or SSH).

    2.    Choose Option 4. Cyberoam Console and press Enter.

    3.    Execute the following command to enable/disable bypass. Here, as an example, we have disabled Bypass Mode.
     

                            





                                                                                                                                                                                    Document Version: 2.1 – 24 April, 2014
    2.4.3.1.14. How does Cyberoam take care of the resources in case of high load?

    Cyberoam's multi-core architecture allows its security processes to run in parallel, so load is balanced across the available system resources.

    2.4.3.2. Configuration
    2.4.3.2.1. Customize Messages

    Applicable Version: 10.00 onwards

    Overview

    Cyberoam displays certain pre-defined alert messages to users. The messages are based on events, which are categorized under the Message Keys Authentication, SMTP, IM, Administration and SMS Customization. Each Message Key contains a description of its events, and each event has a pre-defined message associated with it. The administrator can customize the messages as preferred. A message may be up to 256 characters long.

    Scenario

    Customize default message for the Message Key- User account blocked (AD Policy).

    Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    Step 1: Go to System > Configuration > Messages.

    Step 2: Click the expand icon next to a Message Key to see the list of events.

    Step 3: Click the edit icon to edit the message corresponding to the message key or event.

    For demonstration purposes, we customize the User account blocked (AD Policy) message in this example.

    Step 4: Enter the new message in the text area. You can paste any text or type it manually. After entering the new message, click the save icon to save it. To reset the message to the default, click the reset icon.



    Note:

    -      The default messages in Cyberoam are in English only, but the administrator can enter custom messages in other languages as well.
           For custom messages in other languages to be displayed, the applicable font must be installed/supported on the user’s machine.

    -      The Disclaimer Message in the Administration Message Key has to be enabled before it can be displayed. To enable the Disclaimer Message,
           refer to the article How to set login disclaimer when you Login to Cyberoam?
     

     

                                                                                                                                                                     Document Version: 1.0 – 11 April, 2014

    2.4.3.2.2. How to set login disclaimer when you Login to Cyberoam?

    Applicable to Version: 10.00 onwards

    The default disclaimer can be customized as required from the Messages page by navigating to System > Configuration > Messages. You can also review the customized message before setting it.

    Then go to System > Administration > Settings and enable Login Disclaimer so that the disclaimer is shown when you log on to Cyberoam.
     
     
                                                                                          Document Version: 1.0 - 03/01/2012 
    2.4.3.2.3. Configure NTP Time Server to synchronize Cyberoam Clock

    Applicable to Version: 10.00 onwards

    The Date and Time of the internal clock of the Cyberoam Appliance can either be set manually or the Appliance can be configured to synchronize with NTP servers. Synchronizing the Appliance clock with Time Servers keeps the time shown in logs and reports precise, so that internal activities are timed accurately and events can be correlated with other devices.

    Synchronization of the internal clock of the Cyberoam Appliance with an NTP Server can be done in two ways: from the Web Admin Console, or from the Network Configuration Wizard at deployment time. The Web Admin Console configuration is done using the Administrator profile.

    Synchronization with NTP Server using Web Admin Console 

    Follow the steps below to configure an NTP Time Server to synchronize the Cyberoam clock.

       1.  Go to System > Configuration > Time to configure Time Settings.

       2.  Select Sync with NTP Server to enable synchronization of the clock.
    • To use the predefined servers, select Use pre-defined. The Cyberoam Appliance uses the predefined servers asia.pool.ntp.org and in.pool.ntp.org.
    • To synchronize with custom servers, select Use Custom. To add an NTP server, enter the domain name or IP address of the NTP Server and click Add.
              For example, we have added 10.10.10.1 and 10.10.10.2 as Custom NTP Servers; internal servers like these are the usual choice where outbound NTP
              to the public pool is not wanted. After adding the NTP Servers, click Sync Now to synchronize the Appliance Clock with the configured NTP Servers.

       3.   Click Apply and the Time Settings will be applied.
     

    Synchronization with NTP Server using Network Configuration Wizard

    At the time of deployment, the date and time can be set using the Date & Time Configuration screen which is a part of the Network Configuration Wizard.
     
     
     
    To synchronize with an NTP server:
     
       1.  Check Automatically Synchronize with NTP Server to enable automatic synchronization of clock.
     
       2.  To use predefined servers, select Use an internal list of predefined NTP Servers. Cyberoam Appliance uses 
            asia.pool.ntp.org and in.pool.ntp.org predefined servers.
     
       3.  To synchronize with a custom server, select Synchronize with NTP server. Provide domain name or IP address 
            of the customized server.
     
                                                                                                                            
                                                                                                                          Document Version: 1.1 – 12 June, 2014
    2.4.3.2.4. Some applications do not work when Cyberoam is configured as a proxy server. What can be the reason?

    Applicable to Version: 10.00 onwards

    The Appliance can also act as a web proxy server. To use your Appliance as a web proxy server, configure the Appliance's LAN IP address as the proxy server IP address in your browser settings and enable access to web proxy services from the Appliance Access section.

    1. Log on to the Web Admin Console and go to System > Configuration > Web Proxy to configure the Web Proxy Settings.
    2. Specify the port number to be used for the Web Proxy. The default port is 3128. The trusted ports include 80, 88, 21, 443, 563, 70, 210 and 1025-65535.

    This configuration is applicable only when the Appliance is deployed as a Web Proxy. In that deployment the Appliance allows access only to sites hosted on the trusted ports, which is why an application that talks to a server on a non-standard port fails. To allow access to sites hosted on non-standard ports, add those ports as trusted ports.

    Click the Add icon to add HTTP trusted ports and the Remove icon to delete trusted ports. Add only the ports the application actually needs; the trusted-port list is what keeps the proxy from being used to reach arbitrary services.
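    The following parser is an added example written for this article, not Cyberoam code. It reads a trusted-port list in the form shown above and reports which of an application's destination URLs a proxy with that list would refuse, which is the quickest way to find the port that has to be added. The URLs are constructed for the example.

```python
"""Trusted-port check for the web proxy, as an added example (not Cyberoam code).

Parses a trusted-port list written the way the Web Proxy page lists it
("80, 88, 21, 443, 563, 70, 210, 1025-65535") and decides whether the port a
URL uses is trusted, which is the reason an application that talks to a server
on a non-standard port fails behind the proxy until that port is added.
"""
from urllib.parse import urlsplit

TRUSTED_PORTS = "80, 88, 21, 443, 563, 70, 210, 1025-65535"
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}


def parse_port_spec(spec):
    """'80, 1025-65535' -> [(80, 80), (1025, 65535)], validated and sorted."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port or range: {item!r}")
        ranges.append((low, high))
    return sorted(ranges)


def url_port(url):
    """Explicit port from the URL, else the scheme default, else None."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return SCHEME_DEFAULT_PORT.get(parts.scheme.lower())


def is_trusted(url, spec=TRUSTED_PORTS):
    port = url_port(url)
    if port is None:
        return False
    return any(low <= port <= high for low, high in parse_port_spec(spec))


def untrusted_urls(urls, spec=TRUSTED_PORTS):
    """The URLs a proxy configured with this trusted-port list would refuse."""
    return [u for u in urls if not is_trusted(u, spec)]


# Constructed list of destinations an application might use through the proxy.
SAMPLE_URLS = [
    "https://portal.example.com/",          # 443: trusted
    "http://intranet.example.com:8080/",    # 8080: inside 1025-65535
    "http://app.example.com:591/",          # 591: not trusted -> application fails
    "http://legacy.example.com:1000/",      # 1000: below 1025 and not listed
]

if __name__ == "__main__":
    print(untrusted_urls(SAMPLE_URLS))
```

    Run it against the destinations from the failing application's documentation or from the proxy log; each URL it returns names a port that must be added as a trusted port, and nothing else needs to be opened.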

                                                                                                                                  Document Version : 1.0 - 21/10/2011
     
     
    2.4.3.2.5. Why don't I receive Report Notifications from Cyberoam in my inbox?

    Applicable Version: 10.00 onwards
     

    There are a number of reasons why you might not receive report notifications, including connectivity issues between Cyberoam and the Mail Server and misconfiguration of the Mail Server in Cyberoam. The following steps help you troubleshoot the Mail Server configuration and its connectivity with Cyberoam.

    Step 1: Check Mail Server Configuration in Cyberoam

    ·        Log on to the Cyberoam Web Admin Console as an Administrator with read/write permission for the relevant feature(s).

    ·         Go to System > Configuration > Notification and check the following, as shown in the screen below:

             -          Mail Server IP Address/FQDN and Port
             -          Authentication Credentials, if any
             -          Email Settings 
     
     

    Step 2: Check Cyberoam’s connectivity with Mail Server

    Check Cyberoam’s connectivity with the Mail Server and whether the Mail Server relays emails from Cyberoam. This can be done in Two (2) ways.

    -       By clicking Test Mail in System > Configuration > Notification. This sends a test mail to the specified Email Address.
    -       By establishing a telnet session from Cyberoam to the Mail Server.

    You can establish the telnet session by following the steps below. 

    ·      Log on to the Cyberoam CLI Console.

    ·      Go to Option 4. Cyberoam Console and execute the following command.

        console> telnet <Mail Server IP> <port>

        Here 203.88.135.194 is the Mail Server IP address and 25 is the port. In the example the mail server answered with its greeting (a 220 reply) as soon as the telnet session was established. If the mail server does not respond, check the server configuration and any firewall between Cyberoam and the server.

    ·         HELO <FQDN of Mail Server>

    ·         MAIL FROM: <Your Email Address>

    ·         RCPT TO: <Recipient Email Address>

    ·         DATA
          <Enter data>
          . (Single period to end message)

    Each command should be answered with a 2xx or 3xx reply. A 5xx reply to RCPT TO (for example, relay access denied) means the Mail Server refuses to relay for Cyberoam and must be configured to accept mail from the Appliance's IP address.

    Cyberoam sends an email to your inbox, in this case to john.smith@cyberoam.com. If you do not receive an email, check your Mail Server configuration.
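    The script below is an added example written for this article; it is not Cyberoam code. It performs the same exchange as the manual telnet session (greeting, HELO, MAIL FROM, RCPT TO, DATA) over a plain socket and records every reply code, so the step at which a relay fails is obvious. A small constructed SMTP server that only accepts recipients at example.com runs on localhost so the example works offline; the host names and addresses are assumptions, and in practice smtp_relay_check() is pointed at the real Mail Server IP and port from the Notification page.

```python
"""SMTP relay check, as an added example (not Cyberoam code).

Reproduces the manual telnet exchange above (greeting, HELO, MAIL FROM,
RCPT TO, DATA) over a plain socket and records every server reply code, so the
step at which a relay fails is obvious. A small constructed SMTP server runs on
localhost so the example works offline; in practice point smtp_relay_check()
at the real Mail Server IP and port from the Notification page.
"""
import socket
import socketserver
import threading


def smtp_relay_check(host, port, helo, sender, recipient, message, timeout=10):
    """Return [(step, reply_code), ...]; stops at the first reply >= 400."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def reply():
            # a reply may span several lines: "250-..." continues, "250 ..." ends
            while True:
                line = reader.readline()
                if not line:
                    raise ConnectionError("mail server closed the connection")
                text = line.decode("ascii", "replace").rstrip("\r\n")
                if len(text) < 4 or text[3] != "-":
                    return int(text[:3])

        def send(cmd):
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            return reply()

        results.append(("<greeting>", reply()))
        failed = False
        for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>",
                    f"RCPT TO:<{recipient}>", "DATA"):
            code = send(cmd)
            results.append((cmd, code))
            if code >= 400:
                failed = True
                break
        if not failed:
            # body lines, dot-stuffed, then a single "." on its own line ends it
            body = "\r\n".join("." + l if l.startswith(".") else l
                               for l in message.splitlines())
            results.append(("<message>", send(body + "\r\n.")))
        sock.sendall(b"QUIT\r\n")   # always say goodbye; the 221 is not needed
        reader.close()
    return results


class _FakeMailServer(socketserver.StreamRequestHandler):
    """Constructed relay for the demo: accepts recipients at example.com only."""

    def handle(self):
        self.wfile.write(b"220 mail.example.com ESMTP ready\r\n")
        in_data = False
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if in_data:
                if line == ".":
                    in_data = False
                    self.wfile.write(b"250 queued\r\n")
                continue
            verb = line.split(":")[0].split(" ")[0].upper()
            if verb == "HELO":
                self.wfile.write(b"250 mail.example.com\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 sender ok\r\n")
            elif verb == "RCPT":
                allowed = line.lower().endswith("@example.com>")
                self.wfile.write(b"250 recipient ok\r\n" if allowed
                                 else b"554 5.7.1 relay access denied\r\n")
            elif verb == "DATA":
                in_data = True
                self.wfile.write(b"354 end data with <CRLF>.<CRLF>\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"500 command unrecognised\r\n")


def demo():
    """One accepted and one refused relay attempt against the fake server."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeMailServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        accepted = smtp_relay_check(host, port, "cyberoam.example.com",
                                    "cyberoam@example.com", "john.smith@example.com",
                                    "Subject: test\r\n\r\nreport notification test")
        refused = smtp_relay_check(host, port, "cyberoam.example.com",
                                   "cyberoam@example.com", "someone@other.test", "x")
    finally:
        server.shutdown()
        server.server_close()
    return accepted, refused


if __name__ == "__main__":
    for name, result in zip(("accepted", "refused"), demo()):
        print(name, [code for _, code in result])
```

    The refused run stops at RCPT TO with a 554, which is exactly the symptom of a mail server that has not been told to relay for the Appliance; the accepted run reaches the 250 after the message body, the point at which a report notification would actually be queued.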




                                                                                                                                               Document Version: 1.2 – 22 October, 2014
    2.4.3.3. Maintenance
    2.4.3.3.1. Upgrade Firmware of Appliances which are NOT deployed or registered

    Applicable Version: 10.00 onwards

    To upgrade the Cyberoam Appliance to the latest firmware, the firmware image is required. The image can be downloaded using the download link on the Web Admin Console Dashboard or from the Customer Account (if your appliance is registered); refer to the article Upgrade Firmware of Cyberoam Appliance. If your appliance is not yet deployed or registered, you can still download the latest firmware using the Appliance Key.

    Follow the steps mentioned below to download the latest firmware image based on your Appliance Key.

    Step 1: Go to the URL https://customer.cyberoam.com and click Get Appliance Upgrade URL.

    Step 2: Enter your Appliance Key and click Submit.

    Step 3: Click Download Upgrade.

    Step 4: Select Upgrade Version 10 Firmware to upgrade to the latest firmware.

    After selecting the Upgrade Latest Version 10 Firmware option, select your current firmware version from the given sub-options. In this example, we select 10.01.0 Build 472 or higher.

    Step 5: Check I have read and understood the steps to upgrade to the latest firmware and click Download V 10 latest Firmware to start the download. 

     

     The downloaded firmware can now be uploaded to the appliance. To upload the latest firmware, refer to Step 2 in the article Upgrade Firmware of Cyberoam Appliance.

    Note:

    Verify the integrity of the downloaded firmware using the MD5 checksum before uploading it; for details, refer to the article Verify the Integrity of Cyberoam Upgrade File using MD5 checksum. A matching MD5 shows the download is neither corrupted nor truncated, but MD5 is not collision-resistant, so obtain the expected checksum from Cyberoam through a trusted channel rather than from the same place as the file.

     

                                                                                                                                                                                 Document Version 1.0 - 21 April,2014

     

    2.4.3.3.2. Download Cyberoam Firmware

    Applicable Version: 10.00 onwards

    You can download Cyberoam Firmware in Two (2) ways: 

    1.    From Customer MyAccount (Recommended)
    2.    Direct URL 

    1.   Customer MyAccount

    Customers can download Cyberoam firmware by logging in to Customer MyAccount. For details on how to download firmware from Customer MyAccount, refer to the article How To - Upgrade Firmware of Cyberoam Appliance.

    2.   Direct URL

    You can also download the required Cyberoam firmware by browsing directly to the following URL: 

    http://download.cyberoam.com/version10/<CR Model>_<Vendor Code>.<Underscore-separated Firmware Version>

    For example, to download the firmware for version 10.04.4 Build 028 for a CR35iNG model, enter the URL:

    http://download.cyberoam.com/version10/CR35iNG_AM02.10_04_4_028

    However, this method is not user-friendly, and the URL is plain HTTP, so verify the MD5 checksum of the image before uploading it. The easier way is to log in to Customer MyAccount and download the model-specific firmware for the registered appliance(s).
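    The code below is an added example written for this section and the MD5 Note in the previous article; it is not Cyberoam code. build_firmware_url() assembles the Direct URL pattern shown above from the model, vendor code and firmware version, and verify_md5() checks a downloaded image against the checksum obtained from Cyberoam, hashing in chunks and comparing in constant time. SAMPLE_IMAGE is constructed bytes standing in for a firmware file; the vendor code and model name follow the example above but are otherwise assumptions.

```python
"""Firmware URL construction and MD5 integrity check, as an added example
(not Cyberoam code). build_firmware_url() applies the Direct URL pattern
shown above; verify_md5() checks a downloaded image against the checksum
obtained from Cyberoam, as the earlier Note recommends. SAMPLE_IMAGE is
constructed bytes standing in for a firmware file, not a real image.
"""
import hashlib
import hmac
import io
import re

BASE_URL = "http://download.cyberoam.com/version10/"
SAMPLE_IMAGE = b"CR35iNG constructed firmware sample " * 64  # not a real image


def version_token(version):
    """'10.04.4 Build 028' -> '10_04_4_028' (zero padding is preserved)."""
    fields = re.findall(r"\d+", version)
    if len(fields) != 4:
        raise ValueError(f"expected major.minor.maint and build in {version!r}")
    return "_".join(fields)


def build_firmware_url(model, vendor_code, version):
    """Assemble <CR Model>_<Vendor Code>.<Underscore-separated Firmware Version>."""
    if not re.fullmatch(r"CR[0-9A-Za-z]+", model):
        raise ValueError(f"unexpected model name {model!r}")
    if not re.fullmatch(r"[A-Z0-9]+", vendor_code):
        raise ValueError(f"unexpected vendor code {vendor_code!r}")
    return f"{BASE_URL}{model}_{vendor_code}.{version_token(version)}"


def md5_of_stream(stream, chunk_size=1 << 20):
    """Hash a file object in chunks so large images are not read into memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_md5(stream, expected_hex):
    """True only when the computed digest equals the published one.

    hmac.compare_digest avoids a timing side channel; the comparison is
    case-insensitive because the hex may be published in either case.
    """
    expected = expected_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", expected):
        raise ValueError("expected checksum is not a 32-hex-digit MD5")
    return hmac.compare_digest(md5_of_stream(stream), expected)


def md5_of_bytes(data):
    return md5_of_stream(io.BytesIO(data))


def verify_md5_bytes(data, expected_hex):
    """Convenience wrapper for in-memory data (used by the sample below)."""
    return verify_md5(io.BytesIO(data), expected_hex)


if __name__ == "__main__":
    print(build_firmware_url("CR35iNG", "AM02", "10.04.4 Build 028"))
    published = md5_of_bytes(SAMPLE_IMAGE)            # stands in for the portal value
    print(verify_md5_bytes(SAMPLE_IMAGE, published))             # True
    print(verify_md5_bytes(SAMPLE_IMAGE + b"\x00", published))   # False: altered file
```

    Because the Direct URL is served over plain HTTP, the checksum is the only evidence that the image received is the one Cyberoam published; a mismatch means re-download rather than retry the upload.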

     

     

     

                                                                                                                                      Document Version: 1.0 – 01/11/2013

    2.4.3.3.3. Rollback to Previous Firmware Version

    Applicable Version: 10.00 onwards

    Scenario

    This article describes how to roll back a Cyberoam Appliance to the previous firmware version. 

    Note: 

    Before rolling back, take a backup of the active firmware's configuration, for the following reasons:

    -      On rollback, the configuration saved with the previous firmware version is restored.
    -      Changes made after the rollback are not carried forward when the currently active firmware is booted again.

    Configuration

    The entire configuration is to be done from Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s).

    Rollback to Previous Firmware

    •   Go to System > Maintenance > Firmware. 

    -   Active icon indicates the active firmware. In the example given, the active firmware is 10.01.0 build 678.
    -   Upload Firmware icon allows you to upload a newer firmware version. To know how to upgrade to a newer version, refer to the article Upgrade Firmware of Cyberoam Appliance.
    -   Boot Firmware icon allows you to boot the Cyberoam Appliance with the selected firmware. Click the icon corresponding to the required firmware.
    -   Factory Reset icon allows you to restore the factory default configuration on the Cyberoam Appliance. To know how to restore the factory default configuration, refer to the article Reset Cyberoam Configuration to Factory Default Settings.
     
    •   Click the Boot Firmware icon against the previous firmware version. Click OK on the confirmation message to apply the previous firmware to the Appliance. While rebooting, the following message is displayed in the status bar at the bottom of the screen.

     

     


    It will take several minutes for the system to reboot and apply the previous firmware version. After Rollback, the Appliance can be accessed using the interface configuration of the firmware that has been applied.

     

     


                                                                                                                                                                Document Version: 2.0 – 28/10/2013

    2.4.3.3.4. Reset Cyberoam Configuration to Factory Default Settings

    Applicable Version: 10.00 onwards

    Overview

    Resetting Cyberoam to Factory Default Configuration removes all user custom configuration from the Appliance and boots it with factory default settings. 

    It is recommended to take backup of the Appliance before performing a factory reset on Cyberoam. To know how to take backup, refer to the article Backup and Restore Cyberoam Configuration.

    Scenario

    Perform Factory Reset on Cyberoam to boot it with Factory Default Configuration. You can perform Factory Reset in Two (2) ways: 

    -   Using Web Admin Console
    -   Using Command Line Interface (CLI)

    Configuration

    Web Admin Console

    The configuration is to be done from Cyberoam Web Admin Console using profile having read-write administrative rights for relevant feature(s). 

    Go to System > Maintenance > Firmware and click the Boot with factory default configuration icon to reset the Appliance to the default configuration.
     
     

    On clicking, the following warning is displayed. Click Boot with factory default.
     
     

    The Appliance reboots with factory default settings.

    Note

    -  It is recommended to take a backup of the Appliance before performing a factory reset on Cyberoam. To know how to take a backup, refer to the article Backup and Restore Cyberoam Configuration.
    -  On factory reset, all configuration of the Appliance is removed, including the interface configuration. Hence, to access the Appliance again, change the IP Address of the management machine to one in the subnet 172.16.16.0/24 and access the Web Admin Console through Port A at 172.16.16.16. 


    Command Line Interface (CLI)

    For firmware versions earlier than 10.6.1, Factory Reset can be performed from the CLI over a serial connection ONLY; Cyberoam does NOT allow it over Telnet or SSH connections.
     

    To know how to establish a serial connection with Cyberoam, refer to:


    -   Setup Serial Console Connection using PuTTY
    -   Setup Serial Console Connection using HyperTerminal 

    For firmware version 10.6.1 onwards, Factory Reset can be performed from the CLI over any of the Serial, Telnet or SSH connections.


    You can factory reset Cyberoam from the CLI by following the steps given below. 

    1.    Login to Cyberoam CLI 

    2.    Select Option 5. Cyberoam Management.

     
    3.    From the Cyberoam Management Menu, select 2. Reset to Factory Defaults.

     
    4.    Type ‘y’ and press Enter to reboot the Appliance with factory default settings.

     

    The above steps perform a factory reset on Cyberoam.

     

     

     

     

     

                                                                                                                                                    Document Version: 1.1 – 17 September, 2014 

    2.4.3.3.5. Backup and Restore Cyberoam Configuration
    Applicable Version: 10.00 onwards

    Overview

    Backup plays an essential role in Data Protection. It enables us to recover critical data in the event of disk failures, accidental deletion/corruption of files or system crashes by restoring from the saved backups.

    This article describes how to take backup and restore configuration of Cyberoam. It is advisable to take backup of Cyberoam configuration on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect to the network. Also, taking backup of configuration before making any changes to the system is a good practice.

    Note: 

    -   A backup of a higher firmware version cannot be restored on a lower version, e.g., a backup taken on version 10.04.5 Build 007 cannot be restored on version 10.02.0 Build 473.
    -   The destination Cyberoam appliance (to which backup is to be restored) must have the same or greater number of ports than the source appliance (from which the backup is taken).
    -   For WiFi models only: Backup of version 10.00.0231 cannot be restored on any versions.

    Scenario

    Take backup of the configuration of a Cyberoam Appliance and then restore it using the saved backup. This article consists of Two (2) sections: 

    -    Backup
    -    Restore

    Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s). 


    The Backup and Restore of Cyberoam Configuration can be done through the Web Admin Console only.

    Backup

    Backup of Cyberoam Configuration can be taken in Two (2) ways: 

    1.    Manual Backup – taken manually when required
    2.    Scheduled Backup – taken automatically as and when scheduled

    Manual Backup

    To take backup manually, go to System > Maintenance > Backup & Restore and click Backup Now in the Backup Restore section.
     
     

    The backup is taken instantly and stored locally on the Appliance hard disk. You can download the backup file on your local system by clicking Download Now.

    Scheduled Backup

    To configure scheduled backup, go to System > Maintenance > Backup & Restore and configure backup from the Schedule Backup section, as shown below. Here, we schedule a weekly backup that is to be sent to the configured Email Address. 

    Parameter: Backup Frequency
    Value: Weekly
    Description: Configure the frequency at which the backup is to be taken. Available options: Daily, Weekly, Monthly.

    Parameter: Backup Mode
    Value: Email
    Description: Select the Backup Mode. Available options:
    -  FTP – If the backup is to be stored on an FTP server, configure the FTP server IP address, username and password to be used.
    -  Email – If the backup is to be Emailed, configure the email address to which the backup is to be mailed.
    -  Local – If the backup is to be stored locally on the Appliance.

     

    Format of Backup File 

    -   When Backup Mode is Local, the backup file is stored as backup.cyberoam.
    -   When Backup Mode is Email, the backup is Emailed with the filename backup.cyberoam and the subject line <daily/weekly/monthly> for <appliance model for which backup is taken> <appliance key>.
    -   When Backup Mode is FTP, the filename includes the appliance key and a timestamp, e.g. backup.cyberoam.<appliance key>.<timestamp>. This is useful when several Cyberoams are configured to send their backups to the same FTP server: the appliance key in the filename acts as the differentiator.
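    When several appliances send scheduled backups to one FTP server, the appliance key in the filename is what lets you tell them apart, and it also lets you notice when one appliance has silently stopped sending. The following added example (not Cyberoam code) uses the FTP-mode naming convention above to list the newest backup per appliance and flag appliances whose weekly backup is overdue or absent. It assumes the appliance key contains no dot, judges age by file modification time because the article does not define the timestamp format, and the directory contents, appliance keys and grace periods in demo() are constructed for illustration.

```python
"""Check that each appliance's scheduled FTP backup is still arriving.

Added example for this KB page, not Cyberoam code. It relies only on the
FTP-mode filename convention stated in the article,
backup.cyberoam.<appliance key>.<timestamp>, and assumes the appliance key
contains no '.' (assumption). Because the article does not define the
timestamp suffix's format, freshness is judged from each file's mtime.
"""
import os
import re
import shutil
import tempfile
import time

NAME_RE = re.compile(r"^backup\.cyberoam\.(?P<key>[^.]+)\.(?P<stamp>.+)$")

# Maximum age before the newest backup under a schedule counts as missed:
# schedule length plus one day of grace (assumption, tune to taste).
MAX_AGE_SECONDS = {
    "Daily": 2 * 86400,
    "Weekly": 8 * 86400,
    "Monthly": 32 * 86400,
}


def latest_backups(directory: str) -> dict:
    """Map appliance key -> (path, mtime) of the newest backup for that key."""
    newest = {}
    for name in os.listdir(directory):
        match = NAME_RE.match(name)
        if not match:  # skips unrelated files and the key-less 'backup.cyberoam'
            continue
        path = os.path.join(directory, name)
        mtime = os.path.getmtime(path)
        key = match.group("key")
        if key not in newest or mtime > newest[key][1]:
            newest[key] = (path, mtime)
    return newest


def stale_appliances(directory: str, schedule: str, now=None) -> list:
    """Appliance keys whose newest backup is older than the schedule allows."""
    now = time.time() if now is None else now
    limit = MAX_AGE_SECONDS[schedule]
    return sorted(key for key, (_, mtime) in latest_backups(directory).items()
                  if now - mtime > limit)


def missing_appliances(directory: str, expected_keys) -> list:
    """Expected appliance keys for which no backup file exists at all."""
    return sorted(set(expected_keys) - set(latest_backups(directory)))


def demo() -> tuple:
    """Constructed sample FTP directory: three appliances on a weekly schedule.

    Keys and timestamp suffixes are placeholders, not real appliance keys.
    """
    now = time.time()
    files_and_age_days = {
        "backup.cyberoam.APPLIANCE-1.20140901": 9,   # older copy from APPLIANCE-1
        "backup.cyberoam.APPLIANCE-1.20140908": 2,   # fresh copy from APPLIANCE-1
        "backup.cyberoam.APPLIANCE-2.20140830": 10,  # APPLIANCE-2 missed a week
        "backup.cyberoam": 0,                        # Local/Email-style name, no key: ignored
        "README.txt": 0,
    }
    directory = tempfile.mkdtemp()
    try:
        for name, age in files_and_age_days.items():
            path = os.path.join(directory, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real backup\n")
            then = now - age * 86400
            os.utime(path, (then, then))
        stale = stale_appliances(directory, "Weekly", now)
        missing = missing_appliances(
            directory, ["APPLIANCE-1", "APPLIANCE-2", "APPLIANCE-3"])
    finally:
        shutil.rmtree(directory)
    return stale, missing  # (['APPLIANCE-2'], ['APPLIANCE-3'])


if __name__ == "__main__":
    print(demo())
```

    Run it against the FTP server's backup directory with the list of appliance keys you expect to report in; a key that appears in neither list has a backup newer than the grace period.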

    Restore

    You can restore a backup instance on Cyberoam from System > Maintenance > Backup & Restore. Click Browse and select the backup file to be uploaded.
     
     

    Click Upload and Restore to restore the selected backup instance. 

    Note: 

    -   When you restore a backed-up configuration, the current configuration is overwritten.
    -   Cyberoam reboots due to which all users and VPN tunnels are disconnected.
    -   On reboot, Single Sign On (SSO) and Clientless users are logged in automatically while Captive Portal users need to re-login.
    -   VPN tunnels get reconnected automatically, depending upon configured policy.

     

     

     

     
                                                                                                                                                         

     

                                                                                                                                                                                          Document Version: 1.3 – 24 September, 2014

    2.4.3.3.6. Upgrade Firmware of Cyberoam Appliance
    Applicable Version: 10.00 onwards
     
    Scenario
     
    Upgrade the firmware on Cyberoam Appliance to the latest version.

    Note:

    -   Before initiating the upgrade procedure, make sure that the appliance holds a valid support subscription.
    -   Cyberoam reboots during the upgrade process. Hence, schedule the upgrade to suit your network’s maintenance window.
    -   It is recommended that you take a backup of your appliance before as well as after upgrading.

    Procedure

    You can upgrade Cyberoam Firmware by following the steps given below.

    Step 1: Download Latest Firmware

    Cyberoam displays an alert message (as shown below) on the dashboard whenever a newer Firmware is available for download.
     
     
     
     
    You may directly download the latest firmware from the dashboard OR from Customer My Account.
     

    Download Firmware from Customer My Account  

    To download from Customer My Account: 

    ·   Browse to https://customer.cyberoam.com and log in using the credentials (Email Address and Password) used to register the appliance.

        Alternatively, click Get Appliance Upgrade URL on the login page to download the latest firmware version directly without logging in. Enter the Appliance Key of the appliance which is to be upgraded and click Submit.

    ·   Click Upgrade to upgrade your appliance.

    ·   The screen shown below appears. Select Upgrade Version 10 Firmware to upgrade to the latest firmware.

    ·   The screen expands to display further instructions and asks whether the current version of your Cyberoam firmware is below 10.01.0472 or higher. Select 10.01.0472 or higher if the current firmware version of your Cyberoam is 10.01.0 Build 472 or higher, else select Below 10.01.0472.

    ·   Check I have read and understood the steps to upgrade to the latest firmware. and click Download V10 latest Firmware.

    Save the downloaded firmware to your local machine.
     
    Note:

    It is recommended that you verify the integrity of the downloaded firmware using the MD5 checksum. For details, refer to the article Verify the Integrity of Cyberoam Upgrade File using MD5 checksum.


    Step 2: Upload and Boot Latest Firmware on Cyberoam
     
    ·   Log in to the Cyberoam Web Admin Console using an Administrator profile.

    ·   Go to System > Maintenance > Firmware and click the Upload Firmware icon to upload the firmware downloaded in Step 1.

    ·   The Firmware Upgrade/Downgrade screen appears. Browse to the downloaded file and click Upload & Boot.

    If Upload & Boot is clicked, Cyberoam performs the following actions:

    -   Firmware is uploaded onto the appliance
    -   All active sessions on Cyberoam are closed
    -   Cyberoam undergoes a soft reboot, booting up with the uploaded latest firmware

    Alternatively, click Upload firmware if you want to simply upload the firmware and reboot later, at a convenient time. Later, to boot the Appliance with the uploaded firmware, go to System > Maintenance > Firmware and click the Boot Firmware icon against it to reboot.
     
     
      

    Note:

    -   For Appliances in HA, when you upgrade the Primary Appliance, the Auxiliary Appliance gets automatically upgraded. During the upgrade, if the Upload firmware option is used, the Appliances do not boot up with the new firmware on a normal reboot. To boot with the new firmware, the administrator has to go to System > Maintenance > Firmware and click the Boot Firmware icon against the newly uploaded firmware. For details, refer to the article How To – Upgrade Cyberoam Appliances in HA.  
    -   Settings configured on a firmware are not carried over if you boot Cyberoam with an earlier firmware. For example, the configuration of a Cyberoam with active firmware 10.04.2 Build 527 will not be carried over if you boot the Cyberoam with firmware 10.04.1 Build 451.
                                                                                                                                                                                     Document Version: 2.4 – 06/11/2013
    2.4.3.4. High Availability (HA)
    2.4.3.4.1. Configure High Availability (HA) in Cyberoam

    Applicable Version: 10.00 onwards

    Overview

    High Availability (HA) is a clustering technology which is used to maintain uninterrupted services in the event of power, hardware or software failures. Cyberoam appliances can be configured in Active-Active or Active-Passive HA modes. The Appliances - Primary and Auxiliary Appliance, are physically connected over a dedicated HA link port. 

    In Active-Active mode, both the Primary Appliance and the Auxiliary Appliance process traffic; the Primary Appliance decides how traffic is load-balanced between the two. The Auxiliary Appliance takes over completely only in case of a Primary Appliance failure. 

    In Active-Passive mode, only the Primary Appliance processes traffic while Auxiliary Appliance remains in stand-by mode, ready to take over if the Primary Appliance failure occurs.

    Note

    HA can also be configured when Cyberoam Appliances are deployed in Mixed Mode.

    Scenario

    Configure HA in Cyberoam.

     

    Prerequisite

    ·   Both the appliances in the HA cluster, i.e. the Primary Appliance and the Auxiliary Appliance, should be of the same model.
    ·   Both the member appliances must be registered.
    ·   Both the appliances must have the same number of interfaces (except Cyberoam XP Appliances in which Flexi Ports are installed in one or both of the appliances).
    ·   Both the appliances must have the same firmware version installed.
    ·   The same subscription modules should be enabled on both the appliances.
    ·   Cables to all the monitored ports on both the appliances must be connected. It is recommended to connect the dedicated HA link ports of the two appliances with a crossover cable.
    ·   On both the appliances, the dedicated HA link port must be a member of the DMZ zone only and must have a unique IP Address.
    ·   Appliance Access over SSH on the DMZ Zone should be enabled for both the appliances; see Step 1.
    ·   DHCP, PPPoE, WWAN and WLAN configuration must be disabled before HA configuration. See HA Behaviour for details. 

    Configuration

    You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

    Step 1: Enable SSH

    Go to System > Administration > Appliance Access and, under Admin Services, enable SSH for the DMZ zone.

      

    Enable SSH on the peer appliance similarly.

    Step 2: Configure HA (Primary Appliance)

    Go to System > HA > HA and configure HA parameters as shown in the table below.

    Parameter: HA Configuration Mode
    Value: Active-Active
    Description: Select the HA Configuration mode for the cluster. Available options: Active-Active, Active-Passive.

    Parameter: Dedicated HA Link Port
    Value: PortC
    Description: Select the port to be used as the dedicated HA link port. The HA link port is the port of the Auxiliary Appliance which is to be used for HA.

    Parameter: Peer HA link IP
    Value: 10.10.2.42
    Description: Specify the IP Address configured on the HA link port of the peer appliance.

    Parameter: Peer Administration Port
    Value: PortA
    Description: Specify the Administration Port for the Auxiliary or Peer Appliance.

    Parameter: Peer Administration IP
    Value: 172.16.16.100
    Description: Specify the Administration IP Address for the Auxiliary Appliance. With this IP Address, the Admin Console of the Auxiliary Appliance can be accessed. Any user accessing the Web Admin Console of the Auxiliary Appliance is logged in with the HA Profile and has read-only rights.

    Parameter: Select Ports to be monitored
    Value: PortA, PortB
    Description: Select the ports to be monitored.

    Click Enable HA to complete the settings.

    Note:

    The appliance on which HA is configured becomes the Primary Appliance and the other appliance becomes the Auxiliary Appliance. Once HA is established between the primary and auxiliary appliance, all configuration of the Primary Appliance is synchronized with the Auxiliary Appliance and no additional configuration is required.

    Step 3: Verify HA

    To check the status of HA, go to the Dashboard and locate the HA Details doclet.

     

    HA status can also be verified from the Cyberoam CLI console by following the steps mentioned below:

    1. Log on to Cyberoam CLI Console of the Primary Appliance using administrator credentials.

    2. Select option 4. Cyberoam Console from the Main Menu list.

    3. Execute the following command at the console prompt:

     

    console> cyberoam ha show details

     

     

    HA Behavior

    ·   DHCP, PPPoE, WWAN, WLAN – A High Availability (HA) cluster cannot be configured if any one of the Interfaces is dynamically configured using the DHCP or PPPoE protocols, or if WWAN or WLAN is configured.

    ·   Session Failover is not possible for AV-scanned sessions or any other forwarded traffic like ICMP, UDP, multicast and broadcast traffic, traffic passing through the Proxy Subsystem (transparent, direct and parent proxy traffic) and VPN traffic.

    ·   Masqueraded Connections – In case of a manual synchronization event from any of the HA cluster Appliances, all the masqueraded connections are dropped.

    ·   HA Load balancing – An Active-Active HA cluster does not load-balance VPN sessions, UDP, ICMP, multicast and broadcast sessions and scanned FTP traffic. TCP traffic for the Web Admin Console or Telnet Console and H.323 traffic sessions are also not load-balanced between the cluster Appliances.

    ·   HA Load balancing – An Active-Active HA cluster will load-balance normal forwarded TCP traffic, NATed (both SNAT and Virtual Host) forwarded TCP traffic, TCP traffic passing through the Proxy Subsystem (Transparent Proxy, Direct Proxy and Parent Proxy) and VLAN traffic.

    ·   HA can be disabled from either of the Appliances. If disabled from the Primary Appliance, HA is disabled on both Appliances. If disabled from the Auxiliary Appliance, HA is not disabled on the Primary Appliance and the Auxiliary Appliance acts as a stand-alone Appliance.

    ·   After disabling HA, the Primary Appliance IP schema does not change.

    ·   After disabling HA on the Auxiliary Appliance, all the ports except the dedicated HA link port and the Peer Administration port are disabled. The Peer HA Link IP is assigned to the Dedicated HA Link Port, while the Peer Administration IP is assigned to the Peer Administration Port.

    ·   If HA is disabled from a stand-alone machine, the IP schema does not change.

    ·   Super Administrator privileges are required to access the Auxiliary Appliance Web Admin Console and therefore it can be accessed by the “admin” user only. The Live users, DHCP leases and IPSec live connections pages are not displayed.

    ·   After disabling HA on the Auxiliary Appliance, all the administrative services (HTTP, HTTPS, Telnet, SSH) are allowed for the LAN zone, while for the DMZ zone only HTTPS and SSH are allowed.

    ·   For the Auxiliary Appliance, the Deployment Wizard is not accessible.

    ·   The dedicated HA link port must be one of the DMZ interfaces only. Make sure that the IP Addresses of the HA link ports of the Primary and Auxiliary Appliances are in the same subnet.

    ·   After enabling HA, if a backup without HA configuration is restored, HA is disabled and the Primary Appliance is accessible as per the backup configuration, while the Auxiliary Appliance is accessible with the Auxiliary Admin IP Address.

    ·   In Active-Active mode, mails are quarantined separately on both the appliances, as SMTP Proxy traffic is load-balanced in a round-robin manner.

    ·   In Active-Passive mode, mails are quarantined on the Primary Appliance only.

    ·   If Quarantine Digest is configured, both the appliances in the cluster receive the Quarantine Digest.

    ·   The Administrator can release quarantined mails of all the users from both the appliances.

    ·   Users can release quarantined mails from My Account. My Account displays only mails quarantined on the Primary Appliance. Users can also release them from the Quarantine Digest mailed from the Primary Appliance.

    ·   HA is disabled on executing the Deployment Wizard.

                             
                                                                                                                                                          Document Version 1.0 – 13 September, 2014
    2.4.3.4.2. Upgrade Cyberoam Appliances in HA

    Applicable Version: 10.01 Build 0270

    Scenario

    Two (2) Cyberoam Appliances are configured in High Availability (HA), as shown in the diagram below. The firmware of both these Appliances is to be upgraded to the latest version.
     

    Note:

    The firmware upgrade procedure is similar in both Active-Active and Active-Passive HA setup, as described in this article.

    Prerequisite

    HA should be enabled and running. You can check if HA is in the normal state from the Web Admin Console dashboard, under the HA Details doclet as shown below.
     

    Configuration

    For Cyberoam Appliances in HA, once you initiate the upgrade process in the Primary Appliance, the same process gets called in the Auxiliary Appliance. In other words, when you upgrade the Primary Appliance, the Auxiliary Appliance gets automatically upgraded.

    Upgrade Primary Appliance

    To upgrade the Primary Cyberoam Appliance, refer to the article How To - Upgrade Firmware of Cyberoam Appliance.

    Verification

    To verify that both the primary and auxiliary appliances are upgraded, refer to the Appliance Information doclet in the Web Admin Console dashboards of the respective appliances.

     

     

                                                                                                                                                                                          Document Version: 2.1 – 14 May, 2014

    2.4.3.5. Certificate
    2.4.3.5.1. Uninstall/Untrust Cyberoam SSL CA Certificate

    Applicable Version:  10.00 onwards 

    Scenario
     
    Uninstall/Untrust Cyberoam SSL CA Certificate from browser and local machine. 

    Configuration

    To untrust or uninstall the Certificate from your browser and local machine, follow the steps given below.  

    Step 1: Untrust Certificate from the Trusted Certification List in your Browser

    Internet Explorer 

    ·         On the Menu Bar, click Tools > Internet Options to display the Internet Options window.
    ·         Switch to Content tab and, under Certificates section, click Certificates to display Certificates Window.
    ·         Switch to Trusted Root Certification Authorities tab and select Cyberoam SSL CA certificate from the list of trusted certificate authorities.  
    ·         Click Remove to untrust Cyberoam SSL CA.
     
    Firefox 
     
    ·         On the Menu Bar, click Tools > Options to display the Options window.
    ·         Switch to the Advanced tab and select the Encryption tab.
    ·         Click View Certificates to display the Certificate Manager window.
    ·         Switch to the Authorities tab and, under the Elitecore node, select the Cyberoam SSL CA certificate from the list of trusted certificate authorities.
    ·         Click Delete or Distrust to untrust Cyberoam SSL CA.  
     

    Google Chrome

    ·         On the right corner of the Address Bar, click the Chrome Tools button and click Settings.
    ·         Click Show advanced settings... and scroll down to HTTPS/SSL.
    ·         Click Manage Certificates... to display the Certificates window.
    ·         Switch to the Trusted Root Certification Authorities tab and select the Cyberoam SSL CA certificate from the list of trusted certificate authorities.
    ·         Click Remove to untrust Cyberoam SSL CA.

    Mac Safari

    ·         Launch Keychain Access and go to the login keychain.
    ·         Control+click Cyberoam SSL CA and click Delete Cyberoam SSL CA on the pop-up.

    Step 2: Delete Certificate in Local Machine’s Trusted Root Authority Container

    ·         Open the Microsoft Management Console by typing "MMC" in the run box.
    ·         Add the certificates Snap-in by selecting FILE > ADD/REMOVE SNAP-IN...
    ·         Select Certificates from the list and click Add to display Certificates Snap-in window.
    ·         Select the Computer Account and click Next.
    ·         Click Finish and close the list of snap-ins.
    ·         Click OK to add the certificates snap-in, which should now be visible in the Add/Remove Snap-ins window.
    ·         Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates  and select Cyberoam SSL CA.  
    ·         Right click Cyberoam SSL CA and click Delete to delete Cyberoam SSL CA from the Local Machine’s Trusted Root Authority Container.
     
     
     
                                                                                                                                                                                           
                                                                                                                                                         Document Version: 2.1 – 27 February, 2014
    2.4.3.5.2. SSL CA Certificate Installation Guide
    Applicable Version:  10.00 onwards
     
    Overview
     
    When SSL content inspection for HTTPS traffic is enabled on Cyberoam, web browsers display a warning if the Certificate Authority (CA) that signed the certificate presented by Cyberoam's SSL inspection is not trusted by the browser. To avoid this warning, import the Cyberoam SSL CA certificate into the browser (Internet Explorer, Mozilla Firefox and others) so that the certificates Cyberoam issues during SSL inspection are trusted. 

    All Cyberoam appliances are shipped with a unique SSL CA Certificate which is used in HTTPS Deep Scan Inspection. This article describes how you can download Cyberoam's SSL CA Certificate and install it in your local browser and machine.

    Note:

    Cyberoam also provides an option to regenerate the CA Certificate when required. To know how to regenerate a CA Certificate, refer to How To – Regenerate a Unique SSL CA Certificate.  
     
    Configuration

    To download and install the Certificate in your browser and local machine, follow the steps given below.

    Step 1: Download the Certificate to your local machine

    Go to System > Certificate > Certificate Authority and click the download icon under the Manage column to download the Certificate, as shown below. Save it on your local machine. 
     
     

    Step 2: Install Certificate in Trusted Certification List in your Browser 

    Internet Explorer 

    ·         On the Menu Bar, click Tools > Internet Options to display the Internet Options window.
    ·         Switch to Content tab and, under Certificates section, click Certificates to display Certificates Window.
    ·         Switch to Trusted Root Certification Authorities tab and click the Import button to start Certificate Import Wizard.
    ·         Import the Certificate downloaded in step 1 using this wizard.
     

    Firefox