1. FAQ
1.1. Answers to your Needs
1.1.1. Anti Spam
1.1.1.1. Why is the Sender email id blank for some of the Emails in AntiSpam Quarantine report?

The sender email-id might be missing in the following cases:

1. Email is a notification mail sent by the Mail server, for example: Undelivered email

Cyberoam follows RFC 2821, which states that a notification mail sent by the mail server does not carry a sender email id because the server does not expect the recipient to reply to it. Hence Cyberoam does not display any email id in the “Sender” column of the Anti Spam Quarantine report.
   

2. Invalid email composition (Spoofed)
 
Spammers spoof the email content by sending a spoofed email header (MIME header) together with a valid email-id in the SMTP protocol connection. To provide correct information, Cyberoam does not use the information in the MIME header, as the header content may be spoofed.
 

Refer to http://www.ietf.org/rfc/rfc2821.txt?number=2821 section 6.1 Reliable Delivery and Replies by Email

 

1.1.1.2. How does Cyberoam RPD (Recurrent Patterns Detection) technology distinguish legitimate mass email, such as Microsoft security advisories, from spam emails?
RPD (Recurrent Patterns Detection) technology is designed to distinguish between the distribution patterns of solicited bulk emails which represent legitimate business correspondence, from those of unsolicited bulk emails by applying a reverse analysis. The results of this analysis are ‘bleached’ message patterns belonging to ‘good’ messages such as popular newsletters, mailing lists, etc.
1.1.1.3. Why Cyberoam is not detecting any spam mails as well as giving error "X-CTCH-Error: Failed to get machine IP. Error 34 - Error (34)" in mail header?
You are receiving this error because Cyberoam is not able to resolve the host name, and so it does not detect any spam mails.

Follow the steps in the sequence given below to solve your problem

  1. Run Network Configuration Wizard from Web Admin Console
  2. Ping manage.cyberoam. If ping is successful, problem is solved
  3. If ping is not successful, go to Web Admin Console and restart Cyberoam server from System, Manage Servers
  4. After successful restart, ping manage.cyberoam. If ping is successful, problem is solved


If problem still persists, contact Cyberoam support at support@cyberoam.com or +91-79-66065777.
 
1.1.1.4. How do I report a False Positive?
All False Positives - clean mail falsely detected as spam - should be submitted to notspam@cyberoam.com.
 
False Positives can be reported by:

       a) Sending the False Positives (Spam mails) as an attachment
       b) Sending the reference Id which can be viewed in the email header
 
a) Depending on the Email Client you are using, follow the procedure given below to send spam mails as attachments:
 
If you are using Microsoft Outlook Express, right-click spam message and select the option "Forward as attachment."

If you are using Microsoft Outlook
  • For forwarding multiple messages in one email, highlight all of the messages and click 'forward.' This automatically includes all the messages as an attachment.
  • For forwarding individual message: a) create a new message b) select the message you wish to forward and drag it into the body of the message you just created. This will attach the dragged message inside the new message.
If you are using Mozilla Thunderbird, select/highlight the spam messages and select the Message -> Forward As -> Attachment menu to send the message

Elm users (requires mutt) follow these instructions:

"spam submission" will be the subject of the submission.
The file ./spamfile will be attached to the submission.
The file ./spambody will appear as text preceding the attached spamfile.

From elm, do:

    | cat > spamfile ; mutt -s "spam submission" -a spamfile -- notspam@cyberoam.com < spambody ; rm spamfile

b) If you have privacy concerns and do not wish to send the false positives as an attachment, send the reference id of the emails instead. It can be viewed in the email headers.

If you are using Microsoft Outlook, go to View --> Options; in the Internet headers you will find the following string:

X-CTCH-RefID: str=0001.0A090205.465EBF08.006A,ss=1,fgs=0.

If you are using Mozilla Thunderbird, click on View --> Headers --> All.
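
Collecting the reference ids from saved messages so that only the ids, not the mails, go into a report, as an added example that is not part of the original FAQ. The two messages are constructed; the header names and values are the ones quoted on this page, and the report layout is an assumption.

```python
from email import message_from_string

# Constructed sample messages (not real mail). The X-CTCH header values are
# the ones quoted in this FAQ; everything else is made up for the example.
FALSE_POSITIVE = """\
From: newsletter@example.com
To: user@example.org
Subject: Monthly update
X-CTCH-RefID: str=0001.0A090205.465EBF08.006A,ss=1,fgs=0.

Private body text that should stay inside the organisation.
"""

UNSCANNED = """\
From: someone@example.net
To: user@example.org
Subject: Hello
X-CTCH-Error: Failed to get machine IP.
 Error 34 - Error (34)

Body of a mail that passed through without a spam verdict.
"""


def _header(msg, name):
    """Return a header value with folding whitespace collapsed, or None."""
    value = msg.get(name)
    return " ".join(value.split()) if value is not None else None


def ctch_headers(raw_message):
    """Extract the two X-CTCH headers this FAQ mentions from one raw mail."""
    msg = message_from_string(raw_message)
    return {
        "ref_id": _header(msg, "X-CTCH-RefID"),
        "error": _header(msg, "X-CTCH-Error"),
    }


def build_report(raw_messages):
    """Build a false-positive report that carries reference ids only.

    Mails carrying X-CTCH-Error were not scanned at all (see 1.1.1.3), so
    they are listed separately instead of being reported as false positives.
    """
    ref_ids, unscanned = [], []
    for raw in raw_messages:
        info = ctch_headers(raw)
        if info["error"]:
            unscanned.append(info["error"])
        elif info["ref_id"]:
            ref_ids.append(info["ref_id"])
    body = "False positive reference ids:\n" + "\n".join(ref_ids)
    return {"body": body, "ref_ids": ref_ids, "unscanned": unscanned}


if __name__ == "__main__":
    report = build_report([FALSE_POSITIVE, UNSCANNED])
    print(report["body"])
    for err in report["unscanned"]:
        print("not scanned:", err)
```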



 
1.1.1.5. How do I stop spam scanning?
To stop spam scanning, disable protocol scanning from Firewall rule.
1.1.1.6. Why I am not able to send and receive mails after I stopped Antispam server to stop spam scanning?

You are not able to send or receive mails after stopping the Antispam server because spam scanning is still enabled in the firewall rule. Edit the required firewall rule and disable protocol scanning.

To stop spam scanning, there is no need to stop the Antispam server; just disable protocol scanning from the firewall rule.

1.1.1.7. How often does Cyberoam upgrade Anti Spam definitions?
Prior to version 9 4 1 build 0, Cyberoam used signature-based Anti Spam technology, which required a periodic update of definitions every 30 minutes.

From version 9410 onwards, Cyberoam uses a signature-less technology called Recurrent Pattern Detection (RPD), so there is no periodic definition update in Cyberoam.
1.1.1.8. What should I do so that Cyberoam’s WAN IP address does not get listed in any RBL?

To keep Cyberoam’s WAN IP address from being listed in any RBL, make sure that:

1. You have not specified an SNAT policy in the Firewall rule for the mail server. If the Cyberoam WAN IP is configured as an MX pointer for a mail server, so that incoming SMTP traffic is forwarded to the internal server, and both DNAT and SNAT are used, SNAT will make the server an open relay and it will get blacklisted in RBLs.

2. Your service provider (ISP) has defined a reverse DNS entry for the Cyberoam WAN port IP address, if the Cyberoam WAN IP address is configured as an MX pointer for the mail server. Every mail server IP address must have a reverse DNS entry.

3. You have enabled SMTP scanning for mail traffic from the firewall rule. Cyberoam might get listed in an RBL if SMTP scanning is disabled.

1.1.1.9. Why my Cyberoam server gets listed in RBL and acts as an Open Relay server? I have configured Cyberoam version 9.x.x.x as follows:

Two different WAN links are terminated on Cyberoam server.
Mail server in internal network & MX IP is assigned on WAN interface of Cyberoam server.

Port forward rule:
Source: WAN, Any Host
Destination: Local, MX IP
Service: SMTP
Schedule: All the time
Action: Allow
Source NAT: MAS
DNAT: 192.168.1.5:25
Scan protocol(s): SMTP

Remove the SNAT policy. With source NAT, the mail server sees Cyberoam's internal IP address instead of the requester’s IP address, so the Cyberoam server becomes an open relay and gets listed in RBLs.

Send a removal request to all RBLs to have your IP address removed from the blacklist.
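
Why the SNAT setting in the rule above (and in point 1 of 1.1.1.8) opens the relay, as an added example that is not Cyberoam code. It models a mail server that relays only for its own LAN; the trusted network, the appliance's LAN address, the hosted domain and the client address are assumptions, and only the rule fields come from the page.

```python
import ipaddress

# Assumptions for the example: the mail server relays for its own LAN, the
# appliance's LAN-side address is 192.168.1.1 and example.org is the only
# domain hosted on the server.
TRUSTED_RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.org"}
APPLIANCE_LAN_IP = "192.168.1.1"

# The port-forward rule from the question, keyed the way the page lists it.
PAGE_RULE = {
    "Source": "WAN, Any Host",
    "Destination": "Local, MX IP",
    "Service": "SMTP",
    "Action": "Allow",
    "Source NAT": "MAS",
    "DNAT": "192.168.1.5:25",
}
# The same rule with the SNAT policy removed, as the answer recommends.
FIXED_RULE = {k: v for k, v in PAGE_RULE.items() if k != "Source NAT"}


def peer_seen_by_server(client_ip, rule):
    """Source address the internal mail server sees for a forwarded connection."""
    return APPLIANCE_LAN_IP if rule.get("Source NAT") else client_ip


def relay_decision(peer_ip, rcpt_domain):
    """Common MTA policy: local mail from anyone, relaying only for trusted nets."""
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "deliver"
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_RELAY_NETS):
        return "relay"
    return "reject"


def simulate(rule, client_ip="203.0.113.7", rcpt_domain="elsewhere.example"):
    """Decision the mail server takes for an Internet client behind this rule."""
    return relay_decision(peer_seen_by_server(client_ip, rule), rcpt_domain)


def audit_rule(rule):
    """Flag a WAN-facing SMTP port forward that also rewrites the source address."""
    inbound = rule.get("Source", "").upper().startswith("WAN")
    smtp = (rule.get("Service", "").upper() == "SMTP"
            or rule.get("DNAT", "").endswith(":25"))
    if inbound and smtp and rule.get("DNAT") and rule.get("Source NAT"):
        return ["SMTP port forward uses Source NAT: the mail server cannot "
                "tell Internet clients from LAN clients"]
    return []


if __name__ == "__main__":
    for label, rule in (("as configured", PAGE_RULE), ("SNAT removed", FIXED_RULE)):
        print(label, "->", simulate(rule), audit_rule(rule))
```

With the SNAT policy in place, a request from an Internet client to a foreign domain is relayed because it appears to come from the LAN; without it the same request is rejected while mail for the hosted domain is still delivered.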

1.1.2. Anti Virus
1.1.2.1. Does Cyberoam Anti Virus Engine scan the uncategorized sites also?

Yes, Cyberoam scans both categorized and uncategorized sites for viruses.
1.1.2.2. How do I update my Anti Virus definitions?

Cyberoam automatically updates its Anti Virus definitions every 30 minutes.

You can check the database version used by your Cyberoam from Web Admin Console AntiVirus>Mail>General Configuration page. You can also check the latest available database version from http://csc.cyberoam.com

1.1.2.3. How do I add a signature or disclaimer to all outgoing (SMTP) email?
You can add signature or disclaimer to all the outgoing SMTP emails from:
  1. Log on to Web Admin Console
  2. Go to Antivirus>General Configuration
  3. Enable "Add Signature to all the emails" and enter the required contents

 

1.1.2.4. How do I Quarantine files?
Quarantine can be enabled from the Virus Scan policy. You can enable quarantine from a custom scan policy or the default scan policy.
1.1.2.5. How do I set a file size limit for virus scanning?
 
You can configure different file size threshold for HTTP and FTP protocol from Web Admin Console:
For HTTP: Antivirus>HTTP>Configuration
For FTP: Antivirus>FTP>Configuration
1.1.2.6. How do I enable virus scanning?
Virus scanning for the required protocol, i.e. SMTP, POP3, IMAP, FTP and HTTP, can be enabled from the firewall rule.
1.1.2.7. From where do I set an Email size limit for virus scanning?

To set an Email size limit for virus scanning:

  1. Log on to Web Admin Console
  2. Go to Antivirus>General Configuration page
  3. Under File Size Restriction, set the limit for each protocol as required
  4. Click Update button
1.1.2.8. How do I enable antivirus scanning for the users who have configured Cyberoam as an HTTP Proxy through the Web browser?
Go to Anti Virus > HTTP > Configuration from Web Admin Console and under HTTP Configuration, click "Enable Direct Proxy Scanning" checkbox.

Do not forget to click "Update" button to save the setting.
1.1.2.9. Does the antivirus scan compressed files?
 Yes, the antivirus scans the following file formats: ARJ, CAB, GZIP, LHA/LHZ, LZEXE, MIME/UU, PKLite, TAR, and Zip.
1.1.2.10. What type of antivirus protection Cyberoam offers?
Cyberoam provides gateway level antivirus protection from all the file based viruses sent through the gateway over SMTP (email), HTTP (download and web mail), POP3/IMAP (personal emails) and FTP (file downloads).
1.1.2.11. How do I keep Anti Virus definitions updated?
If you have subscribed to the Anti Virus module, Cyberoam will automatically update every 30 minutes. If the update attempt was not successful, you can manually update the definitions from the Anti Virus > Mail > General Configuration page of Web Admin Console.
1.1.2.12. Can I notify the mail sender about the infected mail? How?
 Yes, you can notify the mail sender about the infected mail. Create a Virus scan policy and enable the ‘Notify Sender’ action.
1.1.2.13. Does Cyberoam scan password protected files for virus?
No, Cyberoam does not scan password protected files. Mails with the protected attachments can be delivered without scanning or after removing the attachment.
1.1.2.14. How do I block messages which have a Video file as attachment?

 To block mails which have video files as an attachment, select ‘Video Files’ in the Block File Types list while creating a virus scan policy from Web Admin console.

Similarly, you can also block Audio Files, Dynamic Files, Executable Files and Image Files.

1.1.2.15. Will the quarantined mails of all the users be stored in a single quarantine folder?
 No, Cyberoam provides individual quarantine space for each user and is to be managed by the individual user.
1.1.2.16. From where can I check my quarantined mails ?

Cyberoam quarantines virus infected mails.

If you are the Network Administrator, you can view them from Anti Virus > Mail > General Configuration. As a Network Administrator, you can also educate your network users to view and manage their own quarantine space.

An individual network user can log on to User My Account and go to the Quarantine Mails option to view the list of their quarantined mails.
1.1.2.17. Why users are either receiving time out error or taking too much time to download mails after enabling virus and spam scanning? I am using Version 9.x.x.x, mail server is at ISP and all users are downloading mails from Mail server.

Cyberoam Anti virus engine scans mail only after it is downloaded entirely and delivers after scanning.

Users receive a time out error from the mail client if the mail is large and it takes more than 5 minutes to download and scan the entire mail. Until the mail is downloaded and scanned, the user does not receive any response and hence feels that downloading is slow.

Alternatively, you can block SMTP and POP3/IMAP mail traffic above 512 KB from Anti Virus > Mail > General Configuration to overcome the above problem.

1.1.3. Authentication
1.1.3.1. Do I need to add all the controllers for a single Active Directory Domain?
Yes, if the users are authenticating to multiple controllers in a single domain, you need to add all the controllers under User > Authentication Settings (AD) page.  Because it is the same domain, you will not be able to add Domain Name under Domain details for additional controllers.
1.1.3.2. In Clientless SSO Configuration, why do I receive DCOM error with Event Id 10009 after running CTAS service?

DCOM error with event ID 10009 is generated when Cyberoam Transparent Authentication Suite (CTAS) cannot connect to the system over WMI. WMI works on DCOM and RPC; if the remote system does not respond to the WMI query, this event is logged by AD under Event Viewer.
Such errors are informational messages from the Microsoft service, and hence the user can ignore such events.
For further information on DCOM error, refer to http://support.microsoft.com/kb/298095.

 

Document Version: 1.0 06/06/2009

1.1.3.3. How do I enable User/MAC binding?
Applicable to: V 9.5.8.xx onwards
 
By default User/MAC binding is disabled. To enable:
  1. Logon to CLI using SSH or Telnet
  2. Go to Option 4 Cyberoam Console and execute following command:
    corporate> set usermac on
  3. Restart Management Services from the Main Menu.
After enabling User/MAC binding from CLI, you can configure the MAC address for individual user or group of users from Web Admin Console.
 
Please note that binding a larger number of MAC addresses per user may slow down the authentication process, resulting in authentication request timeouts.
1.1.3.4. Why LAN users are not leased IP address from the DHCP server when Cyberoam is deployed as Bridge with DHCP server configured on WAN side and strict policy is implemented?


Cyberoam cannot authenticate users that have no IP address, while under the strict policy unauthenticated users are not leased an IP address. Hence, even the DHCP traffic is dropped.

To avoid this situation, create the following firewall rule to permit DHCP traffic without authentication:

LAN: Any Host
WAN: Any Host
Service: DHCP
Action: Accept

1.1.3.5. From where can I get Windows Vista Single Sign On client?

Windows Vista SSO Client is bundled in SSO Auto Setup. SSO Auto Setup can be downloaded from Web Admin Console (Help > Downloads).
 
1.1.3.6. Does Cyberoam Corporate client support Windows Vista?

Yes, Cyberoam Corporate client supports Windows Vista (both 32-bit and 64-bit).

1.1.3.7. Can I migrate Windows 2003 Active Directory Server users from Cyberoam after re-installation of Windows 2003 Active Directory Server?
No, you cannot reverse migrate users from Cyberoam to Windows 2003 Active Directory Server. You will have to re-create all the users in Windows 2003 Active Directory Server.
1.1.3.8. How do I bypass authentication for an IP address when Cyberoam is configured as Proxy server?
To bypass authentication of a particular IP address, create clientless user.
1.1.3.9. Can I define both Windows NT PDC and Active Directory Domain Controller as Authentication server?
No, at a time only one can be defined as an authentication server. But multiple servers in each can be defined, for example, if you define Active Directory authentication then you can define multiple ADS servers.
1.1.3.10. Why users are not able to access the Internet when Cyberoam is configured with “Monitor only” policy? Users are receiving messages like time out or web server is down, while trying to access the Internet.
This problem occurs when Internal/LAN IP addresses are not configured under Auth Network in Local ACL. Go to Firewall > Local ACLs and configure all the internal networks in Auth Network.
1.1.3.11. Why HTTP Client login page is not displayed to the users’ while trying to access Internet when default ‘deny all’ policy is applied?

Although this problem can be specific to your installation and can occur in multiple situations, it is most likely that it is External DNS problem. To display the HTTP Client page, Cyberoam should receive the http request from the user machine.

Cyberoam will not receive the http request if “deny all” policy is applied when External DNS is defined. Due to this, Cyberoam does not display the HTTP Client page. Create following firewall rule with following parameters to solve the above problem:

Source: LAN, Any Host
Destination: WAN, Any Host
Service/ Service Group: DNS
Apply Schedule: All the time
Action: Accept
Apply Source NAT: Enable, MAS

1.1.3.12. Why at the time of log on “Login request unsuccessful, Contact Administrator” error message is displayed to the user when I am using Cyberoam database for authentication?

This is a database corruption problem. Follow these steps to repair the database from Telnet Console:
  1. Select option 5 Cyberoam Management
  2. Select option 4 Database Utilities
  3. Select option 1 Database Quick Repair

If problem persists even after repairing database then log on to Web Admin Console and purge Web Surfing logs from System > Manage Data > Purge Logs. After purging logs, restart management services from Telnet Console.

1.1.3.13. What should I do to provide Internet access to the UNIX machine users using HTTP browser like Mozilla and get the reports?
Create clientless users and use HTTP client for authentication.
1.1.3.14. Why Clientless user is not displayed in Manage Clientless user list as well as Live Users list?

One of the reasons for this could be that the node from which the Clientless user is logged on to Cyberoam is not defined under Auth Network of Local ACL. Go to Firewall > Local ACLs and add the node from which Clientless is logged on to Cyberoam.

Please note that in the Manage Clientless user list, only deactivated clientless users are listed. By default, a Clientless user is always active and is displayed in the Live User list.

1.1.3.15. How do I delete Clientless user?
By default, a Clientless user is always active and is displayed in the Live User list. As an active user cannot be deleted, you have to deactivate the user and then delete it. Follow the procedure below from Web Admin Console to delete a clientless user:
  1. Go to User > Manage Live Users and disconnect the user which is to be deleted
  2. Go to User > Clientless Users > Manage and delete the required user
1.1.3.16. When do I create Clientless user?
Create Clientless user when you need:
  • to apply user specific Bandwidth policy and Internet Access policy
  • to allow Internet access from certain IP addresses without Authentication when Cyberoam is configured as Proxy server
  • reports based on User names instead of IP addresses
1.1.3.17. Why am I receiving the "You are not allowed to login from this machine" error when I try to activate a Clientless user?
You are receiving this error because the IP address of Clientless user is not added in the Local ACL.

Go to Firewall, Local ACL and add the IP address assigned to the Clientless user. After adding IP address, restart management services from the Telnet console.
1.1.3.18. Why Cyberoam displays “Access Denied” message even after authentication when I use Class A IP addresses for LAN?

This message is displayed when Class A IP addresses are configured for LAN, as Cyberoam does not support Class A IP addresses. Follow the steps given below to resolve the problem:

  1. Logon to Web Admin Console
  2. Go to Firewall > Local ACL
  3. From Auth. Network: Delete the Class A IP addresses
  4. Add Class B IP addresses e.g. 10.1.0.0/255.255.0.0
  5. Logon to CLI using SSH or Telnet and restart management services from Main menu
From version 9.5.4 onwards, it is not required to restart management services after re-configuring IP address.
 
1.1.3.19. I have implemented SSO with ADS without any error during configuration. But while login using SSO Client it gives me error "The system could not log you on. Make sure your password is correct".

Follow the steps below to verify the SSO integration:

1. Try to log in using Cyberoam HTTP Client with the Active Directory username / password to make sure it is getting authenticated. If the user is authenticated successfully, proceed to the next step; if not, verify your authentication settings or the user information in the ADS server.

2. If step 1 completed successfully, there is no configuration problem in Cyberoam. Now check the SSO configuration file "SSCyberoamConfig.ini", which is located in the Netlogon share of the Domain Controller. This file must have the correct parameters, as follows:

    Domain Name=XYZ.com
    Server=aaa.bbb.ccc.ddd
    Domain Controller=ADS or PDC

     Where

    Domain Name (FQDN Domain Name) is the domain from where users will log on
    Server is the IP address of the Cyberoam Interface which is connected to the ADS server
    Domain controller is either ADS or PDC
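
A check of the three SSCyberoamConfig.ini parameters against the rules stated above, as an added example that is not a Cyberoam tool. The sample file contents are constructed; exact key spelling, an IPv4 address for Server and upper-case ADS/PDC values are assumptions taken from the page's sample.

```python
import ipaddress
import re

REQUIRED_KEYS = ("Domain Name", "Server", "Domain Controller")

# One or more DNS labels followed by a top-level label, e.g. corp.example.com.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$"
)

# Constructed samples: a filled-in file, a broken one, and the page's
# template left unedited.
GOOD = "Domain Name=corp.example.com\nServer=192.168.1.1\nDomain Controller=ADS\n"
BAD = "Domain Name=CORP\nServer=192.168.1.256\nDomain Controller=ADS or PDC\n"
TEMPLATE = "Domain Name=XYZ.com\nServer=aaa.bbb.ccc.ddd\nDomain Controller=ADS or PDC\n"


def parse_ini(text):
    """Parse Key=Value lines; keys may contain spaces, as in the page's sample."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def validate(text):
    """Return a list of problems; an empty list means the file looks correct."""
    settings = parse_ini(text)
    problems = [f"{key}: missing or empty"
                for key in REQUIRED_KEYS if not settings.get(key)]

    domain = settings.get("Domain Name")
    if domain and not FQDN_RE.match(domain):
        problems.append(f"Domain Name: {domain!r} is not an FQDN")

    server = settings.get("Server")
    if server:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"Server: {server!r} is not an IP address")

    controller = settings.get("Domain Controller")
    if controller and controller not in ("ADS", "PDC"):
        problems.append(f"Domain Controller: {controller!r} must be ADS or PDC")
    return problems


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD), ("template", TEMPLATE)):
        print(name, validate(sample) or "OK")
```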


1.1.4. Categorization
1.1.4.1. From where do I enable safe search?

Safe search can be enabled from System > HTTP Proxy > Configure HTTP Proxy page of Web Admin Console and deny access to Porn, AdultContent and Nudity categories from Internet Access policy.
If enabled, web sites containing pornography and explicit sexual content are blocked from the Google, Yahoo and Altavista search results.
 
Only for appliance model CR15i - from version 9.5.8 build 60, safe search includes Bing search result also apart from Google, Yahoo, Altavista.
1.1.4.2. Does Cyberoam automatically send the list of sites (URLs) grouped under "None" category to its central categorization server for categorization?

Yes, Cyberoam automatically sends the list of sites grouped under the "None" category to its central categorization server for categorization.

Cyberoam's Web Categorization Engine categorizes sites with its automated process and includes them in the Category database, which is automatically upgraded twice a week.

Human reviewers take over and categorize manually when the WebCat engine fails to categorize a site. Manual categorization takes approximately 10 days.

1.1.4.3. How do I block sites which are not categorized by Cyberoam?

All the uncategorized sites are categorized under the "None" category. To block all the uncategorized sites, deny access to the "None" web category through the Internet Access policy.

1.1.4.4. How do I update the Web categorization database?

Cyberoam automatically updates Web categorization (WebCat) database twice a week (Tuesday and Friday).
 
If you need to manually upgrade the database, follow the below given steps:
  1. Logon to CLI using SSH or Telnet
  2. Go to Option 5 Cyberoam Management > Option 11 Check and Upgrade Webcat Latest Database
  3. Follow the on-screen instructions. It will check and automatically upgrade to the latest version, if available.

    You can check the database version used by your Cyberoam from Dashboard. You can also check the latest available database version from http://csc.cyberoam.com
1.1.4.5. How often Categories database (WebCat) is updated?
Categories database (WebCat) is updated twice a week - scheduled on every Tuesday and Friday.
1.1.4.6. From where can I check for the availability of the latest Web Category Database version?
http://csc.cyberoam.com/cyberoamsupport/webpages/common/cschomepage.jsp displays the latest available version of Web Category database.
1.1.4.7. From where can I check the Web Category Database version installed and used by my Cyberoam?
Installation Information section of Dashboard displays the version of Web Category Database installed and used by your Cyberoam.
 
Version of Web Category Database is appliance specific.
 
Please note Web Category Database version will be displayed on the Dashboard only if Web and Application Filter module is subscribed.
1.1.4.8. Why Web Category Database version is not displayed on Dashboard?
Web Category Database version is displayed on the Dashboard only if Web and Application Filter module is subscribed.
1.1.4.9. Is Web Category Database version appliance specific?
Yes, Web Category Database version is appliance specific.

Web Category Database version for CR 25i is 1.1.x.x
Web Category Database version for CR 50i - 1500i appliances is 1.0.x.x
1.1.4.10. How can I know under which category Cyberoam has classified Orkut.com?
Use Search URL functionality option from Categories, Web Category of Web Admin Console to know the category of any URL.
1.1.4.11. Which filtering will be applied to a user if both custom and default web category are applied?
Custom web category is given priority over default category while allowing/restricting the access.
1.1.4.12. Can I delete default web categories?
No, default web categories cannot be deleted or modified.
1.1.4.13. How do I block Chikka messenger?
Refer to How To – Block Chikka Mobile Instant Messenger from kb.cyberoam.com.
1.1.4.14. I have blocked MSN messenger from Application protocol i.e. signature based but users are still able to access MSN messenger. How do I block MSN messenger completely?

To block MSN messenger completely, you need to block 2 categories:
  • MSN Messenger Application protocol category
  • Chat Web category

This is required as MSN messenger will first try to connect via 1863 port and if 1863 port is blocked then it will send request on http.

1.1.4.15. How do I block a domain but allow some specific email-ids of the blocked domains?
You can block for SMTP protocol only. Follow the below given steps from the Web Admin Console to block:

  1. Go to Anti Spam > Spam Policy > Create Custom Policy
  2. Click ‘Add’ under Advanced Rules and add 2 rules

  • Rule 1 - Click ‘From Domain’ and specify domain name to be blocked, specify ‘Reject’ as ‘SMTP Action’
  • Rule 2 - Click ‘From Email Address’ and specify email address to be allowed from the blocked domain, specify ‘Accept’ as ‘SMTP Action’

Please note that the Accept rule should be the very first firewall rule i.e. Accept rule should be above Deny rule. As firewall rules are executed from top to bottom, entire domain will get blocked if Deny rule is placed above the Accept rule.
1.1.4.16. How do I block a domain but allow access to certain pages from the blocked domain?
Follow the below given steps from the Web Admin Console to allow the access to certain pages from the blocked domain:
  1. Go to Categories > Web Category > Create Custom and create two categories with names ‘Allowcategory’ and ‘Blockcategory’.
  2. In Blockcategory, under Domain Management, specify the domain e.g. Cyberoam.com to be blocked and in Allowcategory, under Domain Management, specify all the pages that are to be allowed access from the blocked domain e.g. www.cyberoam.com/help.html
  3. Go to Policies > Internet Access Policy > Create Policy with the following parameters:
    Policy Type: Allow
    Internet Access Policy rule 1: Category name – Blockcategory, Strategy – Deny
    Internet Access Policy rule 2: Category name – Allowcategory, Strategy – Allow
  4. Go to Firewall > Create rule and create LAN to WAN rule and attach Internet Access policy created in step 2.

Please note that rule 2 (the Allow Strategy rule) should be above all the rules. This will allow only the www.cyberoam.com/help.html page, while the rest of the pages of Cyberoam.com will be blocked.
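
The ordering notes in 1.1.4.15 and 1.1.4.16, worked through as an added example that is not Cyberoam code: a top-to-bottom, first-match evaluator run over both rule sets in both orders. The sender addresses, the test URLs and the exact matching semantics (suffix match for a domain, exact match for an address or page) are assumptions.

```python
def first_match(rules, subject, default):
    """Return the action of the first rule, top to bottom, that matches."""
    for _name, matches, action in rules:
        if matches(subject):
            return action
    return default


def from_domain(domain):
    suffix = "@" + domain.lower()
    return lambda sender: sender.lower().endswith(suffix)


def from_address(address):
    return lambda sender: sender.lower() == address.lower()


def _strip_scheme(url):
    return url.lower().split("://", 1)[-1]


def url_in_domain(domain):
    domain = domain.lower()

    def matches(url):
        host = _strip_scheme(url).split("/", 1)[0]
        return host == domain or host.endswith("." + domain)
    return matches


def url_is_page(page):
    return lambda url: _strip_scheme(url) == _strip_scheme(page)


# 1.1.4.15: spam policy rules in the order the steps list them, then reordered.
# blocked.example and partner@blocked.example are constructed values.
SPAM_AS_LISTED = [
    ("Rule 1 From Domain", from_domain("blocked.example"), "Reject"),
    ("Rule 2 From Email Address", from_address("partner@blocked.example"), "Accept"),
]
SPAM_ACCEPT_FIRST = list(reversed(SPAM_AS_LISTED))

# 1.1.4.16: Internet Access policy rules as listed in step 3, then reordered.
WEB_AS_LISTED = [
    ("Blockcategory", url_in_domain("Cyberoam.com"), "Deny"),
    ("Allowcategory", url_is_page("www.cyberoam.com/help.html"), "Allow"),
]
WEB_ALLOW_FIRST = list(reversed(WEB_AS_LISTED))


if __name__ == "__main__":
    sender = "partner@blocked.example"
    page = "www.cyberoam.com/help.html"
    print("spam, as listed:   ", first_match(SPAM_AS_LISTED, sender, "Accept"))
    print("spam, accept first:", first_match(SPAM_ACCEPT_FIRST, sender, "Accept"))
    print("web, as listed:    ", first_match(WEB_AS_LISTED, page, "Allow"))
    print("web, allow first:  ", first_match(WEB_ALLOW_FIRST, page, "Allow"))
```

In both rule sets the broader block rule shadows the narrower allow rule when it comes first, which is why the allow rule has to sit on top.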

1.1.4.17. How do I control Pharming?
From Web Admin Console, go to System > HTTP Proxy > Configure HTTP Proxy and enable pharming protection. This is applicable to both http proxy and non proxy users.
1.1.4.18. How do I block phishing?
Cyberoam does not require any specific configuration to block phishing. Cyberoam’s Anti-Virus and Anti-Spam Engine controls SMTP, POP2 and IMAP phishing. Cyberoam’s Anti-Spam and Anti-Virus Engine analyzes the contents of each mail and detects whether the mail contains any fraud/hacker/illegal URL. If the mail is a phishing mail, Cyberoam will automatically update the filtering database and the mail will be discarded.
1.1.5. Deployment
1.1.5.1. In transparent (bridge) mode, why does Cyberoam need a gateway and an IP Address?
Applicable to Version: 9.5.X.X
Cyberoam is a security solution that needs regular update for its IDP, Anti Virus, Anti-Spam and Web content filtering modules through the Internet, hence a gateway is needed in transparent (bridge) mode.
 
Management of Cyberoam appliance over the Web requires an IP Address assigned to it.
Document Version: 1.1-23/11/2007
1.1.5.2. How do I use DHCP services of Cyberoam server when deployed in Bridge mode?
Cyberoam does not support DHCP services in bridge Mode.
1.1.5.3. I have deployed Cyberoam in bridge mode, how do I change the deployment mode to route mode & vice versa?
Use Wizard option from Cyberoam Main menu, to change mode of deployment from Bridge mode to Route mode & vice versa.
1.1.5.4. Can I use Cyberoam as a Proxy server if deployed in Bridge mode?
Yes, you can use Cyberoam as a Proxy server even if Cyberoam is deployed in Bridge mode, but you have to NAT the entire network's traffic including Cyberoam's WAN IP address.
1.1.5.5. How do I find out on which interfaces/ports the bridge is configured?

 Use the ‘show network interface’ command from Telnet Console to get the interface information.

If command displays br0 eth0 & eth1 then eth0 (Port A) is Internal & eth1 (Port B) is External interface.

If it displays br0 eth2 & eth3 then eth2 (Port C) is Internal & eth3 (Port D) is External interface.

1.1.5.6. How to disable LAN/Hardware Bypass?

Applicable to Version: 9.6.0 build 78 onwards

By default LAN/Hardware Bypass is enabled in Cyberoam.

Follow the below mentioned steps to disable LAN/Hardware Bypass:

  1. Login to CLI Console (Telnet or SSH)
  2. Choose Option 2 – System Configuration and press Enter
  3. Choose Option 8 – Disable LAN Bypass to disable LAN/Hardware Bypass.

Note:

  • LAN bypass is only supported in Bridge mode.
  • LAN bypass is only supported for 50ia and above models.

Document Version: 1.0 – 12/08/2011

1.1.5.7. I placed Cyberoam server in bridge mode between LAN & ADSL router. Now my setup is LAN - Cyberoam in bridge mode - ADSL router. Why users are not getting IP address from DHCP server?
By default, Cyberoam blocks all requests originated from WAN to LAN. To lease IP address from DHCP server you need to allow BOOTP Protocol from WAN (ADSL router IP) to LAN or you can allow “All services” originated from ADSL router IP towards LAN.
1.1.5.8. How do I setup Cyberoam with existing proxy server and use Cyberoam for content filtering? My current setup is LAN -> ADSL and proxy server for caching in LAN. All the users have configured proxy settings in browser.

If you want to use the proxy server as well as Cyberoam for content filtering, you have to set up the Cyberoam server as the default gateway of the proxy server. Due to this, all requests will first come to Cyberoam and then go to the proxy server. Assign the proxy server's IP address to the Cyberoam Internal interface so that you do not have to change the settings for individual users.

You can setup Cyberoam as
LAN -> Cyberoam in Route mode -> Proxy server (with 2 NIC) -> ADSL router

Before Cyberoam was deployed
Proxy server IP address – 192.168.1.1 Port 3128

After Cyberoam was deployed
LAN – 192.168.1.x
Cyberoam – Internal IP address 192.168.1.1
                External IP address 10.10.10.1
                Gateway IP address 10.10.10.2
 
Proxy Server – Internal IP address 10.10.10.2
                    External IP address 172.16.1.1
                    Gateway IP address 172.16.1.2
 
ADSL router – IP address 172.16.1.2
 
Setting in Proxy server
Enable IP forwarding
Enable transparent proxy
 
Setting in ADSL router
Create static to forward requests on External interface

1.1.5.9. From where can I update TCP MSS size?

Update TCP MSS size for the required Interface from Telnet console:

  • Cyberoam Console option, Set network command (version 9.5.4 onwards)
  • Network Configuration option (version 9.5.0 build 21 onwards)
1.1.5.10. Can I use Cyberoam as Proxy server?
Yes, you can configure Cyberoam as a Normal Proxy server.
1.1.5.11. What is the default TCP MSS size?
Default TCP MSS size is 1460
1.1.5.12. What is the default MTU value set in Cyberoam?
Default MTU value is 1500.
1.1.5.13. Why is it required to change MTU value of Cyberoam?
You need to change the MTU value of Cyberoam whenever Cyberoam is connected with any device which uses PPPoE such as ADSL. This change is required due to PPPoE architecture.

Maximum Ethernet payload size is 1500 octets but in PPPoE transaction, PPPoE header size (6 octets) and PPP protocol ID size (2 octets) is added to the Ethernet payload which increases MTU value to 1508 octets. This increased MTU is not acceptable; hence it is necessary to reduce MTU value.

Reduce MTU value of Cyberoam to 1492 so as to make the maximum payload size to 1500 octets (TCP/IP payload: 1492 + PPPoE header size (6 octets) + PPP protocol ID size (2 octets)).
1.1.5.14. How do I change the default MTU value?
Default MTU value is 1500

Applicable to: Version 9.5.4.2 build 66 or higher 

Follow below steps to change default MTU of network interface:

1. Log on to Cyberoam Console (CLI Interface) with telnet / ssh / serial console.
2. Go to Option 4 Network Configuration
3. Execute following command: set network MTU <interface> <number>


Applicable to: Version 9.4.2 build 0 or higher

Follow below steps to change default MTU of network interface:

1. Log on to Cyberoam Console (CLI Interface) with telnet / ssh / serial console.
2. Go to Option 1 Network Configuration
3. Press "y" when it prompts for "Set IP address". The network configuration of each port/interface will be displayed. Update the MTU value when prompted for "New MTU:" for the required interface.


1.1.5.15. Can multiple subnets be assigned to the DHCP pool of Cyberoam?
Yes, Cyberoam supports multiple subnets in its DHCP pool from version 9.6.xx onwards.
 

1.1.5.16. Can Cyberoam act as a DHCP server to allocate dynamic IP addresses?
 Yes, Cyberoam can act as a DHCP server only for the VLAN or LAN interface.
1.1.5.17. Under what circumstances should I enable LAN Bypass?

You will need to enable LAN Bypass when Cyberoam fails to respond due to hardware failure or when the operating system has crashed. When LAN is bypassed, Cyberoam acts as a hub or switch, and Internet Access policies and firewall rules are not applied.

It is possible to bypass LAN only if Cyberoam is deployed in Bridge mode.

1.1.5.18. Why am I not able to ping the Router IP address from Cyberoam when Cyberoam is deployed in Bridge mode and Cyberoam’s external interface is connected to the Router via cross cable?
This is an Auto negotiation problem between Cyberoam & Router. This problem normally occurs with ADSL modem or router. Instead of cross cable, connect Cyberoam external interface & Router via hub or switch.
1.1.5.19. Why I am not able to access Internet from all the networks when Cyberoam is deployed as Bridge with the following configuration?

Setup:
Users (192.168.1.x & 192.168.2.x) -> Cyberoam (192.168.1.5) -> Firewall (192.168.1.1 & 192.168.2.1)

Bridge IP - 192.168.1.5

     
Network in LAN zone    Default Gateway
192.168.1.x            192.168.1.1
192.168.2.x            192.168.2.1

I am able to access Internet from 192.168.1.x but not from 192.168.2.x

 Contact Cyberoam support team or mail at support@cyberoam.com to resolve this problem.

1.1.6. DNS
1.1.6.1. What is the use of DNS redirection in Cyberoam and when it should be enabled?
Applicable - up to version 9.4.3.4

Use DNS redirection when you want to redirect complete DNS traffic on the Cyberoam loop back IP address. Enable DNS redirection:
  • if all the desktops in your network are configured with different DNS IP address. In this case, to avoid the chance of inconsistency in browsing speed or no browsing at all, enable DNS redirection. It will redirect all DNS queries to Cyberoam and Cyberoam itself will resolve the query and not send the request to the external world. 
  • if you are using multiple internet connectivity on Cyberoam.

Please note, this feature is discontinued from version 9.5.0 build 21 onwards
1.1.6.2. Is it necessary to set Cyberoam IP address as DNS in all the desktops machines in my network?
 No, it is not necessary to set Cyberoam IP address as DNS in all the desktops; you can always set DNS IP address provided by your Internet Service Provider. However, to avoid browsing inconsistency problem, set Cyberoam IP address as DNS.
1.1.6.3. How many DNS addresses can be specified in Cyberoam?
It is advisable to set 2 or 3 DNS addresses so that if the first DNS server is not reachable, the DNS query can be served by the second DNS server.
1.1.6.4. If I set multiple DNS address, will it affect browsing speed?
No, browsing speed will not be affected.
1.1.7. Firewall
1.1.7.1. How to check packet drop on Cyberoam for specific IP address?

Applicable to Version: 9.0 onwards

Follow the below mentioned steps to check packet drop on Cyberoam for specific IP address:

   1.  Login to CLI Console.

   2.  Go to Option 4 – Cyberoam Console and type the below mentioned command:

         corporate> packet-capture ' host <ipaddress>
 
 
         where 172.16.16.20 is the <ipaddress> for which Cyberoam will show the dropped packets.
 
Document Version: 1.0 - 03/01/2012
1.1.7.2. Is it possible to remove firewall rules?
Applicable Version: 9.0 onwards

Yes, firewall rules can be temporarily disabled from Telnet Console (Option 5 Cyberoam Management > Option 2 Remove Firewall Rules), but this will not delete the firewall rules.

Please note that removing firewall rules is not advisable for security reasons, as disabling firewall rules will:
1. allow access to Cyberoam Web Admin Console from all the zones
2. allow inter zone traffic without NATting

Restarting management services (Option R Restart Management Services) or rebuilding firewall state (Option 5 Cyberoam Management > Option 17 Rebuild New Firewall State) from Telnet Console will re-apply firewall rules.

1.1.7.3. When do I remove firewall rules from Telnet Console?
You will need to remove firewall rules if you have locked yourself outside Cyberoam i.e. are not able to access Web Admin console.
1.1.7.4. What will happen if I flush or remove firewall rules from Telnet Console?

Removing firewall rules will bypass firewall and allow traffic without any restriction and inter-zone traffic without NATting. Cyberoam Web Admin Console will be accessible from all the zones.

Please note that for security reasons it is not advisable to remove firewall rules. Removing firewall rules will not delete firewall rules but will disable firewall rules temporarily till the firewall state is rebuilt.

Remove firewall rules only if you have locked yourself outside Cyberoam i.e. are not able to access Web Admin console.

1.1.7.5. How do I re-apply firewall rules after removing them?
Restarting management services (Option R Restart Management Services) or rebuilding firewall state (Option 5 Cyberoam Management > Option 17 Rebuild New Firewall State) from Telnet Console will re-apply firewall rules. 
 
1.1.7.6. Why servers placed in DMZ are not able to ping Cyberoam even after enabling ICMP Network service for DMZ from local ACL?

This might happen if incorrect port is mapped to DMZ. This is possible only if you have configured port IP address from Telnet console instead of Network Configuration wizard.

To solve this problem, go to System -> Zone -> Manage page from Web Admin console and click DMZ to change the port mapping.

1.1.7.7. Why Port forward rule for mail server is working randomly when I configure multiple gateways?

The problem you are facing is due to multiple gateways and not due to Port forwarding rule.

When multiple gateways are defined, multiple-link load balancing routes outbound mail traffic through any of the WAN links. To avoid this, define the preferred interface/link, i.e. explicit source based routing, for the mail server.

Once the source based routing is defined, traffic from the mail server will be routed through the specified link/server only.

Sample Configuration
Two WAN links are terminated on Cyberoam.
Mail server is placed in internal network & MX IP is assigned on WAN subnet of Cyberoam server.
Mail server IP address: 192.168.1.5
 
Version: 9.5.3.14 and higher
  • Create Virtual host that maps your WAN IP to internal mail server IP address i.e. 192.168.1.5 and enable port forwarding on port 25
  • Create Firewall rule
Source: WAN, Any Host
Destination: LAN, Virtual host
Schedule: All the time
Action: Allow
  • Configure explicit source based routing for the mail server
Go to System > Gateway > Manage Gateway
Click the Gateway through which the mail server traffic is to be routed
Click Add Network and specify your mail server IP address
 

Versions: 9.1.x.x to 9.5.0 build 29

  • Create Firewall rule (Port forward)

    Source: WAN, Any Host
    Destination: Local, MX IP
    Service: SMTP
    Schedule: All the time
    Action: Allow
    DNAT: 192.168.1.5:25
  •  Configure explicit source based routing for the mail server:

Go to System > Gateway > Manage Gateway
Click the Gateway through which the mail server traffic is to be routed
Click Add Network and specify your mail server IP address

1.1.7.8. What should be the ideal value for each flood under DoS Setting?

 Our recommendation:

1.      Enable only Source based SYN flood, UDP flood & ICMP flood DoS settings with the following values:
•      SYN Flood: 500 (Source Base)
•      UDP Flood: 500 (Source Base)
•      ICMP Flood: 32 (Source Base)

2.      Do not enable Source based TCP flood
3.      Do not enable any destination based DOS setting.

Initially check from the DOS setting page whether any genuine traffic is being blocked or not. If genuine packets are being blocked, create DOS bypass rule for particular IP address along with specific application.

In case of Major attack, enable TCP flood with value 5000.

1.1.7.9. What is the difference between Drop and Reject actions?
Drop action will silently discard the connection request i.e. without sending ‘ICMP port unreachable’ message to the source while Reject action will deny access and send ‘ICMP port unreachable’ message to the source.
1.1.7.10. From where can I add Alias?
Alias can be added from Web Admin Console.  To add Alias, go to System > Configure Network > Manage Interface and click Add Alias button.
1.1.7.11. Why I am not able to ping any of the alias IP addresses but able to ping the default IP address when I have assigned one default IP address and 2 alias IP addresses to the WAN interface?

This problem will occur if the MAC address is not propagated manually after binding the alias IP address. Log on to Telnet Console, go to Option 4 Cyberoam Console, execute either of the following commands from the corporate command prompt, and press Ctrl+C after 5 minutes:

Command 1
corporate>arp ping interface <interface on which alias IP is bound> <alias IP address>

Command 2
corporate>arp ping source <alias IP address> count 5 interface <alias IP address Interface> <Gateway IP address>
For example: corporate> arp ping source 204.193.139.188 count 5 interface eth1 204.193.139.177
1.1.7.12. How do I assign multiple IP address on WAN interface?
You can assign multiple IP address to any interface from Telnet Console, Network Configuration option.
1.1.7.13. Is it possible to define custom zone?
Yes, it is possible to create custom zone apart from the default zones. A zone is simply a logical grouping of interfaces. You can create custom zone under type LAN and DMZ but not for WAN zone type.
1.1.7.14. How do I restrict access of Cyberoam Web Admin Console (GUI) to certain LAN users only?

Follow the below given steps to restrict access of Cyberoam Web Admin Console to certain LAN users only:
1. To allow access of HTTP and HTTPS services, go to Firewall > Local ACLs. For the LAN zone, click HTTP and HTTPS under Admin Services.
2. Go to Firewall > Service Group > Create and create a service group for HTTP and HTTPS services
3. Create DROP Firewall rule to drop complete http & https traffic from any host of the LAN zone with the following parameters:
      Source Zone - LAN
      Destination Zone – LOCAL
      Service Group – Created in step 2
      Action - Drop
4. Go to Firewall > Host Group > Create and create Host Group and include all the hosts which are to be allowed the access of Cyberoam Web Admin Console
5. Create Allow Firewall rule to allow http & https traffic from the above created host group with the following parameters:
      Source Zone, host – LAN, created in step 4
      Destination Zone – LOCAL
      Service Group – Created in step 2
      Action - Accept

Sequence/order of Firewall rules:
•      Allow rule (created in step 5)
•      Drop rule (created in step 3)
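
The sequence above matters because the narrow Allow rule has to be evaluated before the broad Drop rule. The Python sketch below is an added example, not Cyberoam code or configuration: it assumes top-down, first-match rule evaluation, uses constructed host addresses and rule names, and flags a rule that an earlier rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass

ANY_HOST = ipaddress.ip_network("0.0.0.0/0")
ADMIN_SERVICES = frozenset({"HTTP", "HTTPS"})   # service group from step 2


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    sources: tuple          # ip_network objects; (ANY_HOST,) = any host in the zone
    services: frozenset
    action: str             # "Accept" or "Drop"

    def matches(self, src_zone, dst_zone, src_ip, service):
        ip = ipaddress.ip_address(src_ip)
        return (src_zone == self.src_zone and dst_zone == self.dst_zone
                and service in self.services
                and any(ip in net for net in self.sources))

    def covers(self, other):
        """True when every packet that matches `other` also matches this rule."""
        return (self.src_zone == other.src_zone
                and self.dst_zone == other.dst_zone
                and other.services <= self.services
                and all(any(o.subnet_of(s) for s in self.sources)
                        for o in other.sources))


def evaluate(rules, src_zone, dst_zone, src_ip, service):
    """Return (action, rule name) of the first matching rule, top-down."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, service):
            return rule.action, rule.name
    return "NoMatch", None


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule with a different
    action already matches everything they match."""
    findings = []
    for index, rule in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.action != rule.action and earlier.covers(rule):
                findings.append((rule.name, earlier.name))
                break
    return findings


# Constructed sample data: two admin workstations in the host group (step 4).
ADMIN_HOSTS = tuple(ipaddress.ip_network(h)
                    for h in ("192.168.1.10/32", "192.168.1.11/32"))
ALLOW = Rule("allow-admin-hosts", "LAN", "LOCAL", ADMIN_HOSTS, ADMIN_SERVICES, "Accept")
DROP = Rule("drop-lan-admin", "LAN", "LOCAL", (ANY_HOST,), ADMIN_SERVICES, "Drop")

RECOMMENDED_ORDER = [ALLOW, DROP]   # sequence given in the FAQ
REVERSED_ORDER = [DROP, ALLOW]      # same rules, wrong sequence

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_ORDER),
                         ("reversed", REVERSED_ORDER)):
        for host in ("192.168.1.10", "192.168.1.50"):
            print(label, host, evaluate(rules, "LAN", "LOCAL", host, "HTTPS"))
        print(label, "shadowed:", shadowed_rules(rules))
```

With the rules reversed, the admin workstations are dropped as well, and the audit reports the Allow rule as shadowed by the Drop rule.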

1.1.7.15. My Skype call gets disconnected frequently . What can be the reason?
Skype does voice calling over the UDP protocol. Cyberoam Denial of Service (DoS) protection might drop UDP packets if its default packet rate parameters are changed.

Make sure "Packet rate per source (packets/minute)" is higher than 9000 (default is 12000).

You can modify DoS parameters from: Firewall -> Denial of Service -> DoS Settings

1.1.8. Hardware
1.1.8.1. Which failure events trigger hardware bypass?
The following failure events trigger hardware bypass:
  • Device hardware failure
  • Power failure
  • Internal Application failure
  • Operating System crash
1.1.8.2. Does Cyberoam support Fiber Optical networks?
Applicable Version: 9.0 onwards

Yes, Cyberoam provides SFP (Mini GBIC) Ports on CR1000i & CR1500i appliances on which Mini-GBIC transceiver can be connected to terminate the Fiber connections.

To use these ports, you will require additional Fiber patch cords - Mini-GBIC transceivers. Cyberoam does not ship Mini-GBIC transceivers along with the appliances.

Use 1000Base-LX Mini-GBIC Transceiver for Singlemode fiber optic connections.
Use 1000Base-SX Mini-GBIC Transceiver for Multi mode fiber optic connections.

Optionally you can convert these ports to function as Giga Ethernet ports by connecting a Fiber Optic Transceiver.

1.1.8.3. What is UTM?
UTM (Unified Threat Management) is a security appliance that integrates multiple security features onto a single hardware platform. The appliance requires network firewall capabilities, network intrusion detection and prevention, gateway anti virus and anti spam, and content filtering functionality.
1.1.8.4. From where can I get the details of various models of Cyberoam UTM Appliance series?
Cyberoam UTM has CRi series appliances. All the appliances deliver the same protection functionality for Firewall, IDP, Anti Virus, Anti Spam and Content filtering in addition to bandwidth management and load balancing with gateway failover for multiple links. They only vary in performance, scaling by number of users supported. You can download datasheets from http://www.cyberoam.com/datasheets.html.
1.1.8.5. How many interfaces does Cyberoam UTM support?
The number of interfaces depends on the appliance used. Check the individual appliance datasheet for details. You can download datasheets from http://www.cyberoam.com/datasheets.html
1.1.8.6. How many WAN/External interfaces can the appliance support?
The number of interfaces depends on the appliance used. Check the individual appliance datasheet for details. You can download datasheets from http://www.cyberoam.com/datasheets.html
1.1.8.7. Is Cyberoam Intel based or ASIC based Appliance?
Cyberoam is Intel-based Appliance.
1.1.8.8. What is the internal mapping of the physical interfaces of the Cyberoam Appliance i.e. to which interface is Port A bound internally?

The total number of ports is appliance dependent. Internally each port is mapped to an interface as follows:

Appliance – 50i, 100i, 250i, 500i

Port    Physical Interface
A       eth0
B       eth1
C       eth2
D       eth3

Appliance – 1000i, 1500i

Port    Physical Interface
A       eth6
B       eth7
C       eth8
D       eth9
E       eth0
F       eth1
G       eth2
H       eth3

1.1.9. Logs & Reports
1.1.9.1. From where can I purge the Internet Usage reports?

Cyberoam does not provide the purging option for the Internet Usage reports. Cyberoam archives the Internet usage reports for 12 months only.
1.1.9.2. From where do I purge various logs?

You can purge logs from Web Admin Console. Follow the below given steps to purge logs: 

  1. Go to System > Manage Data > Backup Data and take backup of Web Surfing and Audit log in CSV format
  2. Go to System > Manage Data > Purge Logs and purge the required logs. You can purge Web Surfing, User Session, Audit, or Appliance Audit Log
 
1.1.9.3. How do I set auto purging facility?
 By default, Cyberoam preserves records (Log information) for 60 days. After 60 days, it will purge records which are older than 60 days.

From Web Admin Console, go to System > Manage Data > Configure Auto Purge utility and specify for how many days you want to store the logs in the system. It will delete all the records which are older than specified days.
1.1.9.4. What range (days) can be configured for purging logs in Auto-Purge utility?
You can configure 30 to 365 days for Web Surfing log while 1 to 90 days for Appliance Audit log.

For example, if you configure 35 days for Web Surfing log, it means, Cyberoam will retain logs of last 35 days only.
1.1.10. Multiple Gateway - Load Balancing and Failover
1.1.10.1. Routing concepts in Cyberoam
Applicable to versions: 9.5.x.x
Article explains routing concepts implemented in Cyberoam, how to define static routes and route policies. It includes following sections:

What is routing?

Routing is termed as a process of sending packets from network of one device to another network on a different device.

Static routes (Destination based routes)

A static route is a manually configured mapping of an IP address to a next-hop destination.

By default, the Cyberoam routing table contains a single default route. You can add routing information to the routing table by defining additional static routes.

Add static routes when you want to route traffic destined for a specific network/host via a different next hop instead of the default route. To add a static route, you need to know the destination network/host, the netmask for the destination network and the next hop IP address. The gateway address specifies the next-hop router to which traffic will be routed.

A static route causes packets to be forwarded to a next hop other than the configured default gateway. By specifying through which interface/gateway the packet will leave and to which device the packet should be routed, static routes control the traffic exiting Cyberoam.

Example:

The following example walks you through the process of creating a static route when Cyberoam is deployed as Gateway.

Cyberoam is connected to LAN via switch and configured with multiple links. As Cyberoam is configured with multiple Internet connectivity for load balancing, it will load balance web server traffic via both the gateways – Gateway 1 and 2.

It is required that all the outbound packets destined for the externally hosted web server be routed through a particular gateway, i.e. Gateway 2 only, and not through Gateway 1. To forward the packets for the web server through Gateway 2, we need to define a static route.

IP schema
Gateway 1: 1.1.1.2
Gateway 2: 2.2.2.2
Web server hosted externally: 5.5.5.5

 Configuration:

 Step 1. Log on to Console through ssh / telnet.
Select option 3 Route Configuration in Main Menu to go to the Router Management menu.
 
 
 
Step 2. In Route Management, go to option 1 Configure Static-routes/ACLs

 

 
Enable configuration mode and define static route by executing command from the command prompt as below:
router> enable <cr>
router# configure terminal
router(config)#  ip route <destination IP address/netmask> <gateway IP address>
For our example, the destination IP address is the IP address of the Web server i.e. 5.5.5.5/32 and the gateway IP address is the IP address of the gateway through which the requests are to be routed i.e. 2.2.2.2
router(config)# write

Write command saves the route permanently in the routing table

Firewall based route

A static route specifies how to handle traffic that matches specific criteria, such as destination address, destination mask, gateway to forward traffic, the interface that gateway is located. Static routing method satisfies most of the requirements, but is limited to forwarding based on destination address only.

Firewall based routing is extended static routes which provide more flexible traffic handling capabilities. It allows for matching based upon source address, service/application, and gateway weight for load balancing. Hence, it offers granular control for forwarding packets based upon a number of user defined variables like:

  • Destination
  • Source
  • Application
  • Combination of all of the above 

The following examples walk through how to create routes with the help of Firewall along with other features.

1.    Destination specific route  

Destination specific route is same as the static route creation except that it is created from firewall page of Web Admin Console while static route is created from Console.

Required when:

  • Internal users require access to externally hosted servers
  • Packets for external server should always be routed through a designated gateway and not the default gateway

Example:
Cyberoam is connected to LAN via switch and configured with multiple links. Mail server is deployed in LAN.

LAN user’s requests for the externally hosted server should be routed through designated gateway i.e. Gateway 2 only and should not be load balanced.

IP schema
Gateway 1: 1.1.1.2
Gateway 2: 2.2.2.2
SMTP server (external): 5.5.5.5
Cyberoam WAN IP address:1.1.1.1/24 and 2.2.2.1/24
WAN Alias IP address: 2.2.2.5
Mail server (internal): 172.16.16.100
 
Step 1: Go to Firewall > Host > Add and define a host i.e. IP address for the external server. You can also add from within the firewall rule as shown in the below given screen shot.

 
Step 2: Go to Firewall > Create Rule to add LAN to WAN rule for the host i.e. external server 5.5.5.5 
 

2.    Policy based route  

Required when:

  • Server is hosted internally and required to NAT the outbound packets
  • Packets from internal server should always be routed through a designated gateway and should not be load balanced.
Example:
Cyberoam is connected to LAN via switch and configured with multiple links. Mail server is deployed in LAN.

The traffic originated by mail server should be routed through a designated gateway and request should be forwarded with alias IP address i.e. source NATted.

IP schema
Gateway 1: 1.1.1.2
Gateway 2: 2.2.2.2
Cyberoam WAN IP address:1.1.1.1/24 and 2.2.2.1/24
WAN Alias IP address: 2.2.2.5
Mail server (internal): 172.16.16.100

Configuration:

Step 1: Go to Firewall > Host > Add and define a host i.e. IP address for the external server. You can also add from within the firewall rule as shown in the below given screen shot.

 
 
Step 2. Go to Firewall > SNAT Policy > Create to forward the entire outbound traffic from internal mailer to the specified IP address. For our example, specify WAN Alias IP address - 2.2.2.5

 
 
Step 3: Go to Firewall > Create Rule to add LAN to WAN rule to forward the mail server traffic to the external server through designated gateway after natting the packets. 
 
 
 

Explicit Source based routing from Gateway

Required for

  • Half open connections whose information is not available in Cyberoam
Example:
Mail server hosted internally is used by remote users to send and receive mails and the packets from mail server should explicitly be routed through Gateway 2.

IP schema

Gateway 1: 1.1.1.2
Gateway 2: 2.2.2.2
Cyberoam WAN IP address:1.1.1.1/24 and 2.2.2.1/24
WAN Alias IP address: 2.2.2.5
Mail server (internal): 172.16.16.100

Configuration:

To explicitly route the traffic of a particular host/network from a designated gateway, one has to add host/network under the designated gateway.

Step 1: Go to System > Gateway > Manage Gateway(s) and define all the gateways other than the default gateway. The default gateway is defined at the time of deployment.


 
 
Step 2: Go to System > Gateway > Manage Gateway(s) and click the gateway for which host/network is to be added

 
 
Traffic from the specified host/network will be routed from the selected gateway.
 
 
 
Note:
If explicit source based routing is not defined then, in the above-mentioned cases, the first return packet (SYN + ACK) from the mail server may be routed through either of the gateways, resulting in an incomplete 3-way handshake. For TCP, however, the firewall maintains session information only when the 3-way handshake is complete. Hence it is required to explicitly route such half-open connections from the gateway itself.

Routing Order

Cyberoam provides number of ways to define routes when configured to use multiple gateways. When more than one route is configured, Cyberoam processes route in the following order:

  1. Static route (Destination based route)
  2. Firewall based routes (Source, Destination or Application based route)
  3. Explicit source based route
  4.  Default Gateway – Default gateway is defined at the time of deployment.
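
The routing order above can be checked against a planned configuration before it is deployed. The following Python sketch is an added example, not Cyberoam's implementation: it uses the article's IP schema, assumes longest-prefix selection among static routes and Gateway 1 as the default gateway, and its 5.5.5.0/24 route and "lan-http" firewall rule are constructed to show a higher-priority route pre-empting an explicit source route.

```python
import ipaddress

net = ipaddress.ip_network
GATEWAY_1, GATEWAY_2 = "1.1.1.2", "2.2.2.2"      # IP schema from the article
ANY = net("0.0.0.0/0")

# 1. Static routes (destination based). The /32 is the article's example;
#    the /24 is constructed to show longest-prefix selection (assumed).
STATIC_ROUTES = [(net("5.5.5.0/24"), GATEWAY_1), (net("5.5.5.5/32"), GATEWAY_2)]

# 2. Firewall based routes (constructed rule: LAN web traffic via Gateway 1).
FIREWALL_ROUTES = [
    {"name": "lan-http", "source": net("172.16.16.0/24"), "destination": ANY,
     "services": {"HTTP"}, "gateway": GATEWAY_1},
]

# 3. Explicit source based routes: the internal mail server via Gateway 2.
EXPLICIT_SOURCE_ROUTES = [(net("172.16.16.100/32"), GATEWAY_2)]

# 4. Default gateway (assumed here to be Gateway 1).
DEFAULT_GATEWAY = GATEWAY_1


def select_gateway(src, dst, service):
    """Return (deciding stage, gateway) following the documented order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    static_hits = [(n.prefixlen, gw) for n, gw in STATIC_ROUTES if d in n]
    if static_hits:
        return "static route", max(static_hits)[1]

    for rule in FIREWALL_ROUTES:
        if (s in rule["source"] and d in rule["destination"]
                and service in rule["services"]):
            return "firewall based route", rule["gateway"]

    for source_net, gw in EXPLICIT_SOURCE_ROUTES:
        if s in source_net:
            return "explicit source based route", gw

    return "default gateway", DEFAULT_GATEWAY


def overridden_source_routes():
    """Explicit source routes that a firewall based route can pre-empt
    with a different gateway, because firewall routes are processed first."""
    findings = []
    for source_net, gateway in EXPLICIT_SOURCE_ROUTES:
        for rule in FIREWALL_ROUTES:
            if rule["gateway"] != gateway and rule["source"].overlaps(source_net):
                findings.append((str(source_net), gateway,
                                 rule["name"], rule["gateway"]))
    return findings


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.9 is a documentation address.
    for flow in (("172.16.16.100", "5.5.5.5", "SMTP"),
                 ("172.16.16.100", "203.0.113.9", "HTTP"),
                 ("172.16.16.100", "203.0.113.9", "SMTP"),
                 ("172.16.16.20", "203.0.113.9", "SMTP")):
        print(flow, "->", select_gateway(*flow))
    print("pre-empted source routes:", overridden_source_routes())
```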

 

 

 

 

Document version: 2.0-27/12/2007

 

1.1.10.2. How do I add single IP address for explicit source based routing?
For single IP address, you must specify subnet mask as 255.255.255.255.
 
For example, if you want to add explicit source routing for IP address 172.16.3.5 then you have to set Network Id as 172.16.3.5 and Netmask as 255.255.255.255
1.1.10.3. How many ISP/Internet links can I configure?
The number of links that can be configured depends on the number of WAN ports available on your Cyberoam Appliance. On a particular WAN port, only one link can be configured. For example, if you have 3 WAN ports then you can configure a maximum of 3 links.
1.1.10.4. Why load balancing is not done when I have configured two gateways in Cyberoam?

To load balance traffic between 2 gateways, you need to define the failover condition and select the ‘Load balance’ policy in the ‘Route through Gateway’ option of the Firewall rule.

Make sure not to configure explicit source based routing for any gateway. If a network is routed through a specific gateway then its load will not be distributed to another gateway.

Check whether:
•      Failover condition for each Gateway is defined or not. If the failover condition for any of the gateways is not set properly then Cyberoam will consider the status of that Gateway as unreachable/dead and traffic will not be forwarded through that Gateway. In such circumstances, on the Manage Gateway page, Gateway status will be displayed in RED even though the Gateway is reachable/active.
•      Correct policy is selected in the ‘Route through Gateway’ option of the Firewall rule or not. If both the gateways are active but the proper load balancing policy is not selected then load balancing will not be done. If multiple gateways are configured properly, this option will display the Load balance option as well as a policy for each gateway. Select Load balance for generic firewall rules.

1.1.10.5. Why is traffic not shifted from the down (unreachable) link to the active link when I have configured two gateways?
This problem will occur if the correct failover condition is not configured. If the failover condition is satisfied then Cyberoam will consider the status of the Gateway as unreachable/dead even when it is reachable/active. For example, if the failover condition only checks ping connectivity to the next hop (Gateway), then Cyberoam will consider the Gateway reachable/active even though the Gateway is unreachable/dead from the Internet service provider side.
1.1.10.6. What points should be considered while assigning weight to the Gateway?
 Consider following points while assigning weight to the Gateway:
•      Link capacity (for links with different bandwidth)
•      Link/Bandwidth cost (for links with varying costs)
1.1.10.7. How does Cyberoam distribute traffic/load across various Gateways/links?

 Cyberoam distributes traffic across all the available links according to the ratio of weights assigned to each Gateway.

Sample configuration:

 

          Gateway A            Gateway B            Distribution of traffic
Weight    1                    1                    Traffic will be distributed equally
Weight    1                    2                    Traffic will be distributed in 2:1 ratio between Gateway B and Gateway A
Weight    3                    1                    Traffic will be distributed in 3:1 ratio between Gateway A and Gateway B
Weight    0                    Any value above 0    Cyberoam will consider Gateway A as unreachable/dead and complete traffic will pass through Gateway B only
Weight    Any value above 0    0                    Cyberoam will consider Gateway B as unreachable/dead and complete traffic will pass through Gateway A only

1.1.10.8. How do I disable load balancing and allow complete traffic to pass through the default Gateway only?
 To disable load balancing, set weight of all the configured gateways as 0(zero). This will allow complete traffic to pass through the default gateway only.
1.1.10.9. When do I add network using the option ‘Add Network’ in a particular Gateway?
If you want to direct the traffic generated from a particular network or host over a designated link, add the network using the ‘Add Network’ option of that particular gateway. This is called Source Network Routing. For example, if you want traffic generated from (source) IP 192.168.1.5 to always route through Gateway1 then go to Manage Gateway, click Gateway1 and add network 192.168.1.5/255.255.255.255 using the Add Network option.
1.1.10.10. Why at times I am not able to access a particular site from my internal LAN?
This random behavior is possible in case you have configured multiple gateways and the site which you are accessing is reachable from one gateway but not reachable from another gateway.
1.1.10.11. Which is default failover condition in Cyberoam?
 Default failover condition is: ping to next hop i.e. ping to gateway IP address.
1.1.10.12. What is the meaning of “AND” & “OR” in Failover condition?
‘And’ - Cyberoam will consider Gateway as inactive/down if all the configured failover conditions are satisfied.

‘OR’ – Cyberoam will consider Gateway as inactive/down if any one of the configured failover conditions is satisfied.
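
The weight table in 1.1.10.7, the all-zero case in 1.1.10.8 and the ‘AND’/‘OR’ failover semantics above can be exercised together. This is an added Python example, not Cyberoam's implementation: the page does not say which scheduling algorithm the appliance uses, so smooth weighted round-robin is assumed, and the probe results are constructed.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    weight: int
    operator: str = "AND"        # how the failover conditions are combined
    conditions_met: tuple = ()   # one bool per condition; True = satisfied (probe failed)

    def is_down(self):
        if not self.conditions_met:
            return False
        if self.operator == "AND":
            return all(self.conditions_met)   # every condition must be satisfied
        return any(self.conditions_met)       # "OR": a single condition is enough


def active_pool(gateways):
    """Gateways that take part in load balancing: weight above 0 and not down."""
    return [g for g in gateways if g.weight > 0 and not g.is_down()]


def distribute(gateways, connections, default_gateway):
    """Assign `connections` new connections; return {gateway name: count}."""
    counts = {g.name: 0 for g in gateways}

    # All weights 0 disables load balancing: everything uses the default gateway.
    if all(g.weight == 0 for g in gateways):
        counts[default_gateway] = connections
        return counts

    pool = active_pool(gateways)
    if not pool:                 # assumption: no usable link, nothing is forwarded
        return counts

    # Smooth weighted round-robin (assumed algorithm): counts follow the
    # ratio of weights exactly over every `total` consecutive connections.
    total = sum(g.weight for g in pool)
    credit = {g.name: 0 for g in pool}
    for _ in range(connections):
        for g in pool:
            credit[g.name] += g.weight
        chosen = max(pool, key=lambda g: credit[g.name])
        credit[chosen.name] -= total
        counts[chosen.name] += 1
    return counts


if __name__ == "__main__":
    a = Gateway("Gateway A", 1)
    print(distribute([a, Gateway("Gateway B", 2)], 300, "Gateway A"))
    print(distribute([Gateway("Gateway A", 0), Gateway("Gateway B", 0)], 300, "Gateway A"))

    # Constructed probe results for Gateway B: ping to next hop succeeds
    # (condition not satisfied), probe of an external host fails (satisfied).
    probes = (False, True)
    print(distribute([a, Gateway("Gateway B", 1, "AND", probes)], 10, "Gateway A"))
    print(distribute([a, Gateway("Gateway B", 1, "OR", probes)], 10, "Gateway A"))
```

With ‘AND’, a link whose next hop still answers ping keeps its share even though the external probe fails, which is the situation described in 1.1.10.5.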
1.1.10.13. How can I set the failover condition which does not utilize bandwidth to check the gateway availability?
No, currently there is no way to set a failover condition which does not utilize bandwidth to check the Gateway availability. However, the failover condition does not utilize much bandwidth.
1.1.10.14. I have configured multiple gateways (ISPs). How do I allow access of Web Server hosted in LAN/DMZ via all the IP addresses assigned to each ISP?

Applicable versions - All the versions below 9.5.3 build 14

IP schema:
Web server (private IP addresses) – 192.168.1.1 and 192.168.1.2
ISP1 - 202.x.y.10 (Public IP address)
Gateway1: – 202.x.y.1
ISP2 - 203.x.y.11 (Public IP address)
Gateway2: – 203.x.y.1

 
1. Go to Firewall > DNAT Policy > Create and create 2 DNAT rules to map public IP address of ISP to private IP address of Web server with the following parameters:

DNAT rule for ISP1
DNAT Policy Name: for_ISP1
Map Destination IP with: 192.168.1.1

DNAT rule for ISP2
DNAT Policy Name: for_ISP2
Map Destination IP with: 192.168.1.2

2. Use source based routing to route the request from each private IP address through a particular gateway.
Go to System > Gateway > Manage Gateway(s) and click Gateway1 (202.x.y.1) and add 192.168.1.1
Go to System > Gateway > Manage Gateway(s) and click Gateway2 (203.x.y.1) and add 192.168.2.1

1.1.10.15. What is the use of the option ‘Networks explicitly routed through this Gateway’ in Gateway configuration?
This option is useful if you have defined multiple gateways. If you want to route the traffic generated from a particular source network or host via a particular link, add the required source network under the option ‘Networks explicitly routed through this Gateway’ for that particular gateway. This is called Source Network Routing. For example, if you want traffic generated from (source) IP 192.168.1.5 should always route through Gateway1 then go to Manage Gateway, click Gateway1 and add network 192.168.1.5/255.255.255.255 using Add Network option.
1.1.11. Miscellaneous
1.1.11.1. How do I allow Yahoo Messenger Voice service?

Yahoo Messenger Voice service (Yahoo! Voice) uses UDP packets which do not follow the standard HTTP protocol. By default, Cyberoam drops traffic which does not follow the standard HTTP protocol. To allow this traffic:
  1. Logon to CLI using Telnet or SSH
  2. Go to Option 4 Cyberoam Console and execute the following command:

corporate>set http_proxy deny_unknown_proto no

1.1.11.2. From where do I check signature database versions used by my Cyberoam?

Applicable to version 9.x

Check the versions used by your Cyberoam from Web Admin Console:
  • Anti Virus Signature database version - Anti Virus > Mail > General Configuration
  • IDP Signature database version - IDP > Manage IDP
  • Web Category database from Dashboard (Press F10), Appliance Information doclet
1.1.11.3. From where do I check and download the latest available version of Cyberoam and other signature databases?
Applicable to version: 9.x
 
Download the latest version of:

Cyberoam - http://download.cyberoam.com
Web Category database (used for content filtering) - http://csc.cyberoam.com

IDP Signatures - http://csc.cyberoam.com

Anti Virus Signature database - http://csc.cyberoam.com
 
1.1.11.4. How do I implement one-time schedule?

A one-time schedule can be implemented through a firewall rule only.
 
It cannot be applied to any of the policies, whereas a recurring schedule can be applied from a firewall rule as well as from policies.
1.1.11.5. Why HTTP Client users are getting error “Somebody is already using IP address xxx.xxx.xxx.xx please check your IP address" while trying to login?

This error occurs when the username (login name) is not stored in the browser’s cookies. The browser’s Privacy setting blocks the cookies, and hence the user is shown the error screen given below.

Solution: Update the browser security policy to store username in cookies as follows:
 

For Internet Explorer

1. Go to Tools > Internet Options and from the Privacy tab, set Settings to a level below High
 

2. Go to Tools > Internet Options > Security tab, under Trusted sites, click Sites and add Cyberoam IP address
 

For Mozilla Firefox

Go to Tools > Internet Options, click Privacy tab

Under Cookies tab

·         Enable "Accept cookies from sites” checkbox

·         click “Exceptions” button and add Cyberoam IP address
 
 
 
 
 
 
 
 
 
1.1.11.6. Why does “Page can not be displayed” message appear after the Inbox of Yahoo Mail is clicked?
This problem often occurs when the queried server is MTU sensitive.
Check the value of MTU for WAN interface in Cyberoam. Set it to 1492.
 
Note: 
  1. To modify the MTU value of Cyberoam, please refer to the Console Guide.
  2. This is not an empirical solution.

Document Version: 1.1-23/11/2007

1.1.11.7. From where do I check various logs generated by Cyberoam?
Cyberoam sends the entire set of logs to the external Syslog server. You have to configure Cyberoam to send the logs to the Syslog server.
 
Cyberoam generates following logs:
  • DoS attack Log
  • Invalid Traffic Log
  • Firewall rule Log
  • Local ACL Log
  • Dropped ICMP Redirected Packet Log
  • Dropped Source Routed Packet Log
If you have not configured Cyberoam to use Syslog server, refer to How To - Configure Cyberoam to send Firewall logs to the external Syslog server.
1.1.11.8. How do I disable Traffic Discovery module?
To disable Traffic Discovery module, go to System, System Modules from Web Admin Console and uncheck 'Select to load the Module' against Traffic Discovery module.
 
Applicable to - Version 9202 onwards
1.1.11.9. I am using Cyberoam V 9402. How do I reject an outside ping request on Cyberoam?

To reject an outside ping request i.e. to disallow the ping request on external/WAN interface of Cyberoam, disable ICMP access of Network services from Local ACL.

By default, Cyberoam does not allow ping request on WAN interface.

1.1.11.10. What does Total Data transfer graph show?
Applicable to: 9.x
 
Total Data transfer graph displays the total data transfer of all the defined gateways. To compare the data transfer for each gateway, view the Gateway wise composite Data transfer graph. If only one gateway is defined, total data transfer and gateway wise composite graph will be same.
 
1.1.11.11. What does Gateway wise composite Data transfer graph show?
Composite graph combines and displays the data transfer of each gateway one above the other in a form of single image for comparison. Composite graph displays data transfer of each gateway one above the other rather than in separate columns and represents by a separate color as depicted in the legend.
1.1.11.12. Why Gateway wise composite Data transfer graph and total data transfer graph give different values for total data transfer?
 Both the graphs will never give the same value as they are displaying two different things. Composite graph combines and displays the data transfer of each gateway one above the other in a form of single image for comparison while the total data transfer graph displays data transfer in totality.
1.1.11.13. From where do I change the User Type for a particular user?
 From the Web Admin Console:
•      Go to User > Manage Active OR User > Manage Deactive
•      Click the User whose User Type is to be changed
•      Click Edit Personal Details
1.1.11.14. Does Cyberoam provide QoS?
 Yes, Cyberoam provides QoS via Bandwidth Management.
1.1.11.15. Why I am not able to access a particular site whose access is allowed to me? I am able to access all other sites.
If everything is working properly and you are able to access all the sites except one particular site, then this could be a Keep-Alive connection problem. Check whether the site requires a Keep-Alive connection. If it does, create a firewall rule for the required site, and in that rule do not enable HTTP scanning and do not specify the Internet Access policy.
1.1.12. Registration & Licensing
1.1.12.1. Why am I receiving error “Invalid Subscription Key” at the time of registering subscription module?

There are 2 types of Subscription keys:

  1. Bulk Subscription key
  2. Individual module subscription key

Two types of subscription keys are provided for Bundle Subscription - Total Value Subscription (TVS) which includes single subscription key for Anti Virus, Anti Spam, Web and Application Filter and Intrusion Prevention System modules whereas Security Value Subscription (SVS) includes single subscription key for Anti virus, Web and Application Filter and Intrusion Prevention System modules.

Whenever you get an error message as “Invalid Subscription key”, just check the type of subscription you have purchased. These details can be obtained from the invoice.

If you are subscribing an individual module with a TVS or SVS key, Cyberoam will give this error. Similarly, if you are subscribing a bundle with an individual module key, Cyberoam will give the same error.

1.1.12.2. I have Cyberoam version 9.5.8.x, how can I get Cyberoam bundle subscription?
Disclaimer - Retired KB Content
This article was written for version 9 of Cyberoam which is no longer supported. Therefore, this article is offered "as is" and will no longer be updated.
 
 
Bundle Subscription option is available from version 9.6.0.x. You need to upgrade your Cyberoam to version 9.6.0.x to use this option for subscription.

Subscribers can choose to purchase an individual subscription module or a bundle. Bundle subscription reduces the task of subscribing each module individually, as all the modules in the bundle can be subscribed in a single step using just one key.

For renewal, you can choose to renew the bundle or individual module.

To subscribe for bundled modules: 

  1. Logon to Web admin console
  2. Go to Help > Licensing.
  3. Click Subscribe link against Bundle Subscription and follow on-screen instructions.


After successful subscription, status of module changes to Subscribed and displays the expiry date of the module.

  

Document Version: 1.0 06/06/2009

1.1.12.3. If I re-register my appliance, will I have to re-subscribe all the modules?

No, all the modules which you had subscribed will be re-subscribed automatically.

1.1.12.4. Will factory reset retain my subscription?


Factory reset will retain the validity period of all the subscribed modules, but you will have to re-subscribe all the modules. If you do not re-subscribe manually, they will be automatically re-subscribed after one day.

1.1.12.5. From where can I retrieve Public key of my Appliance?
 Public key is a unique hardware identity of the appliance.

You may need this key to retrieve your Customer MyAccount Email address or Appliance registration password from http://customer.cyberoam.com if you have forgotten them. The (GSMC) Support team may also ask for the public key when you contact them with a troubleshooting request.

To retrieve public key of your Appliance, logon to CLI Console, Select option 4 Cyberoam Console and use command ‘show system publickey’.
1.1.12.6. From where can I find Appliance key?

Appliance key is a unique identity of the appliance. You may need this key to retrieve your Customer MyAccount password if you have forgotten it. The (GSMC) Support team may also ask for the Appliance key when you contact them with a troubleshooting request.
 

Cyberoam Web Admin Console Dashboard gives you the information of the appliance key and the version as shown in the below screen shot.
 
 
To view the other registration details like contact person, company name and address,  click Cyberoam icon (on the rightmost corner of the screen of the GUI).
 
1.1.12.7. How do I acquire Cyberoam appliance?
You can purchase a Cyberoam appliance from Authorized Sales Partners/Resellers that sell Cyberoam. You can locate the nearest Partner/Reseller from http://www.cyberoam.com/locatepartner.html
You can also request a demo appliance for evaluation purpose by filling up the demo appliance request form from www.cyberoam.com.
1.1.12.8. Which modules are the parts of Cyberoam Appliance itself?

Cyberoam appliance consists of 2 types of modules:
1.      Basic modules – Firewall, VPN, Multiple Gateway and Bandwidth Management
2.      Subscription modules - Gateway Anti Virus, Gateway Anti-spam, Intrusion Detection and Prevention, Web and Application Filtering, 24 X 7 support

Basic Modules are pre-registered modules for the indefinite time period usage while Subscription Modules are to be subscribed before use.

1.1.12.9. Does Cyberoam have any feature wise limitations during the Evaluation period?
No, there are no feature limitations. All the functionalities can be used during the evaluation period.
1.1.12.10. Do I have to purchase Cyberoam after evaluation?
No, Trial version of Cyberoam includes all the features that are available in the license version hence giving you the idea of all the features supported by Cyberoam. This will help you in making a decision.
1.1.12.11. I have received Demo Appliance, what do I do now?
Refer to the Quick Start Guide for basic configuration of the Cyberoam appliance. You can download the appliance specific guide from http://www.cyberoam.com/productguides.html
1.1.12.12. Is it necessary to register Cyberoam Appliance?
You need to register appliance only if you want to:
•      Avail 8 x 5 support
•      Subscribe to any of the Subscription modules
•      Subscribe for FREE 15-day trial of any of the Subscription modules
•      Register for 24 x 7 support
1.1.12.13. Is it necessary to subscribe for subscription modules at the time of registering Cyberoam?
No, you can register add-on modules any time.
1.1.12.14. Will I have to re-register Cyberoam Appliance after registering any of the subscription module(s)?
No, Cyberoam does not need to be re-registered after registering any of the add-on modules.
1.1.12.15. How do I subscribe for the trial version of subscription modules?

To subscribe for trial version of subscription module(s), Cyberoam needs to connect to the Internet. Follow the steps to register:
1.      Log on to Web based Administration Console
2.      Go to Help > Licensing
3.      Click Trial against the module to be subscribed and follow the on-screen instructions
4.      Click Trial

If module is subscribed successfully, status of module will change to “Trial” and module expiration date is displayed.

1.1.12.16. I have forgotten password of my Customer Account. What do I do now?
  1. Browse to
    http://customer.cyberoam.com/customermyaccount/webpages/common/customeraccount.jsp 
  2. Click Forgot Password
  3. Specify your login name or username of your Customer account i.e. email address which you are using as username for your Customer account and Click submit
  4. Specify the same answer you have set while creating Customer Account in the Answer for your secret question field.
  5. Click Submit

    An email containing a password is sent to your email address. You can use your current username and this password to log on.
1.1.12.17. I have forgotten login name for my Customer Account. What do I do now?
To retrieve the login name for your Customer Account, you need Public key and Appliance key of the Appliance you have installed.
  1. To get public key, logon to Telnet Console, Select option 4 Cyberoam Management and use command ‘show system publickey’ 
  2. To get appliance key, log on to Web Admin Console and click Cyberoam button on the right hand corner of any page
  3. Browse to http://customer.cyberoam.com/customermyaccount/webpages/common/customeraccount.jsp and click Forgot Email Address
  4. Specify Appliance key, public key and the email address on which you want to receive your Customer Account details
 An email containing your Customer Account will be sent to your email address specified in step 4.
 
To log on, you will need password of your Customer Account. If you have forgotten password, follow the below given procedure to retrieve password: 
  1. Browse to
    http://customer.cyberoam.com/customermyaccount/webpages/common/customeraccount.jsp 
  2. Click Forgot Password
  3. Specify your login name or username of your Customer account i.e. email address which you are using as username for your Customer account and Click submit
  4. Specify the same answer you have set while creating Customer Account in the Answer for your secret question field.
  5. Click Submit

    An email containing a password will be sent to your email address.
1.1.13. Report
1.1.13.1. How do I disable web-reporting for group of users or a specific user?
 
For version 9.5.3.x onwards
 
To disable reporting for a specific user or a group of users, disable reporting from Internet Access policy attached to the users i.e. edit the policy and disable reporting.

Alternately, go to Policy > Internet Access Policy and create a new policy with reporting disabled. Attach this policy to the users whose web access reporting is not required.


 
1.1.13.2. How do I generate debug file?

To generate debug file:

  1. Logon to CLI console through telnet or SSH
  2. Go to Option 4 Cyberoam Console
  3. Execute the following command
     
    corporate>cyberoam services status

It generates the system’s current status file and contains details like list of all the processes currently running on system, resource usage etc.

Download the generated file from http://<cyberoam ip address>/documents/cyberoam.debug
 
 
 
 
 
1.1.13.3. Why traffic discovery reports are empty i.e. no data?

Traffic discovery reports will be empty if traffic discovery logging is not enabled.
For Cyberoam to populate and display data in traffic discovery reports, traffic discovery logging has to be enabled.

For version 9.5.3 build x: Go to System > Logging > Logs Configuration and select "LOCAL"
 
 


For version 9.5.4 build x: Enable from System > Logging > Logs Configuration
 
If enabled, traffic discovery reports are stored locally on the Cyberoam appliance itself.
 
1.1.13.4. Why Dashboard HTTP Traffic Analysis and User Surfing Pattern doclets display empty graphs?
For Cyberoam to display graphs in Dashboard HTTP Traffic Analysis and User Surfing Pattern doclets, entire traffic has to pass through Cyberoam. One needs to apply Internet Access policy to the Firewall rule which allows the entire traffic through Cyberoam.
1.1.13.5. Why does Dashboard Usage Summary doclet display zero hits?
For Cyberoam to display hits details in Dashboard Usage Summary doclet, entire traffic has to pass through Cyberoam. One needs to apply Internet Access policy to the Firewall rule which allows the entire traffic through Cyberoam.
1.1.13.6. From where do I configure email address on which I want to receive Reports?
Follow the below mentioned steps to configure email address on which you want to receive Reports:
  1. Browse to <Cyberoam IP address> and log on to Report Module with default username and password
  2. Go to Configure > Reports Notification
  3. In the Set Recipient(s) field, specify email address. You can specify multiple addresses separated by commas. Cyberoam will send reports to all the specified email addresses.
 
Please note that Cyberoam will send only following reports depending on the frequency specified for each report:
  1. Category wise trends for yesterday
  2. Category wise trends for last week
  3. Google search keywords for yesterday
  4. Google search keywords for last week
  5. Blocked Categories for yesterday
  6. Blocked Categories for last week
  7. Application wise traffic details for yesterday
  8. Application wise traffic details for last week
  9. Top IDP Alerts
 
1.1.13.7. Why I am not receiving any Proactive reports?

You will not receive any of the proactive reports if:

1. SMTP Auth is configured on Mail server

2. Domain name is not configured properly on Mail server

3. Mail server does not have relaying permission

1.1.13.8. How do I test whether proactive reports are being sent to the configured Email address or not?

You can check from Telnet Console.  Cyberoam will forward Proactive reports on the email address configured in Network Configuration Wizard.

For example:
Mail server IP address: 192.168.2.5
From Email address: nitin.bas@elitecore.com
Admin Email address: cr_admin@elitecore.com

Log on to Telnet Console and go to Option 4 Cyberoam Console and from command prompt execute following command: telnet <Mail server IP address> 25

Proactive reports will not be forwarded if you receive following messages:

1: If you receive the "Trying <mail server IP address>" message, it means Cyberoam is not able to communicate with the Mail server through port 25.
corporate> telnet 192.168.2.5 25
Trying 192.168.2.5...

2: If you receive a message like "Sender Unknown" or "Relaying Denied", it means Cyberoam is not able to forward mail using the above configuration

corporate> telnet 192.168.2.5 25
Trying 192.168.2.5...
Connected to 192.168.2.5.
Escape character is '^]'.
220 elitecore.com ESMTP MDaemon 6.8.4; Mon, 02 Apr 2007 13:17:08 +0530
helo elitecore.com
250 elitecore.com Hello elitecore.com, pleased to meet you
550 <nitin.bas@elitecore.com>, Sender unknown
^]
telnet> quit
Connection closed.
corporate>
 
Proactive reports will be forwarded if you receive message "Sender ok" and "Recipient ok":
 
corporate> telnet 203.122.58.131 25
Trying 203.122.58.131...
Connected to 203.122.58.131.
Escape character is '^]'.
220 dragon2.spectranet.com ESMTP Sendmail 8.13.1/8.13.1; Mon, 2 Apr 2007 13:23:23 +0530
helo elitecore.com
250 dragon2.spectranet.com Hello segment-124-30.sify.net [124.30.24.41] (may be forged), pleased to meet you
250 2.1.0 nitin.bas@elitecore.com... Sender ok
250 2.1.5 cr_admin@elitecore.com... Recipient ok
^]
telnet> quit
Connection closed.
corporate>
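
The same three outcomes can be read off a saved session automatically. The Python below is an added example, not Cyberoam code: it classifies a pasted telnet transcript and can also run the HELO / MAIL FROM / RCPT TO exchange live without sending a message. The transcripts, host names and addresses in it are constructed, and the function names are this example's own.

```python
import re
import smtplib

# One SMTP reply line: 3-digit code, then " " (final line) or "-" (continued).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
STAGES = ("greeting", "HELO", "MAIL FROM", "RCPT TO")


def parse_replies(transcript):
    """Extract [(code, text)] from a pasted telnet session, skipping the
    telnet client's own chatter and the commands that were typed."""
    replies, pending = [], []
    for line in transcript.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue
        pending.append(m.group(3))
        if m.group(2) == " ":            # last line of a (multi-line) reply
            replies.append((int(m.group(1)), " ".join(pending)))
            pending = []
    return replies


def classify(replies):
    """Map the reply sequence onto the outcomes the FAQ describes."""
    if not replies or replies[0][0] != 220:
        return ("unreachable", "no 220 greeting received on port 25")
    for stage, (code, text) in zip(STAGES, replies):
        if code >= 400:                  # e.g. Sender unknown, Relaying denied
            return ("rejected", f"{stage} refused: {code} {text}")
    if len(replies) < len(STAGES):
        return ("incomplete", f"stopped after {STAGES[len(replies) - 1]}")
    return ("ok", "sender and recipient accepted")


def probe(host, sender, recipient, helo_name, port=25, timeout=10):
    """Run the exchange live. DATA is never issued, so no mail is queued."""
    replies = []
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            replies.append((220, "greeting"))   # smtplib raises otherwise
            steps = (lambda: smtp.helo(helo_name),
                     lambda: smtp.mail(sender),
                     lambda: smtp.rcpt(recipient))
            for step in steps:
                code, msg = step()
                replies.append((code, msg.decode(errors="replace")))
                if code >= 400:
                    break
    except OSError as exc:               # refused, timed out or dropped
        if not replies:
            return ("unreachable", str(exc))
    return classify(replies)


# Constructed transcripts in the same shape as the sessions shown above.
BLOCKED = """\
corporate> telnet 192.0.2.25 25
Trying 192.0.2.25...
"""

REJECTED = """\
corporate> telnet 192.0.2.25 25
Trying 192.0.2.25...
Connected to 192.0.2.25.
Escape character is '^]'.
220 mail.example.com ESMTP ready
helo example.com
250 mail.example.com Hello example.com, pleased to meet you
550 <reports@example.com>, Sender unknown
"""

ACCEPTED = """\
corporate> telnet 192.0.2.25 25
Trying 192.0.2.25...
Connected to 192.0.2.25.
Escape character is '^]'.
220 mail.example.com ESMTP ready
helo example.com
250 mail.example.com Hello example.com, pleased to meet you
250 2.1.0 reports@example.com... Sender ok
250 2.1.5 admin@example.com... Recipient ok
"""

if __name__ == "__main__":
    for name, text in (("blocked", BLOCKED), ("rejected", REJECTED),
                       ("accepted", ACCEPTED)):
        print(name, "->", classify(parse_replies(text)))
```

To check a real server, call probe() with the Mail server IP address, the From address and the Admin address configured in the Network Configuration Wizard.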

 

1.1.13.9. Cyberoam generates reports for spam & virus mails only but how do I generate reports for all the mails passing through Cyberoam?
 To generate reports for all the mails, create spam policy with ACCEPT action for SMTP & POP protocol from Anti Spam > Spam Policy > Create Custom Spam policy.
1.1.14. Support
1.1.14.1. Whom do I contact for technical support?
Contact Cyberoam Technical Support at support@cyberoam.com or +91-079-26400707.
1.1.15. System
1.1.15.1. How to get System information?

Applicable to Version: 9.0 onwards (All builds)
 
1.  Login to CLI Console.

2.  Go to Option 4 – Cyberoam Console and type the below mentioned command:

     corporate> show system info
 
 
                                                        Document Version: 1.0 - 06/02/2012
1.1.15.2. How to Obtain Appliance CPU information?

Applicable to Version: 9.0 onwards (All builds)

1.  Login to CLI Console.

2.  Go to Option 4 – Cyberoam Console and type the below mentioned command:

     corporate> show system cpu
 
 
                                                Document Version : 1.0 - 06/02/2012
1.1.15.3. In CTAS logs, I get "ERROR 2/22/2010 10:00:50 AM [0x22f4]: dca_eventlog: Event Log for Source security couldn't open", what does it mean?
Make sure the administrator user used during installation of the CTA agent has the read rights to the security events.

Due to this, even live user page might not display any currently logged in users

1.1.15.4. When I have configured HTTP authentication, “Manage Live Users” page displays users who have already logged off?
 
This can happen if the “Keep alive” option is disabled for the user group. Enable “Keep Alive” from the Web Admin Console, Group -> Manage Group page.
 
 

Keep-Alive requests are constantly exchanged between server and client to check the connectivity between them. The greater the number of concurrent HTTP client users, the greater the number of keep-alive requests. Hence, Cyberoam recommends disabling Keep-Alive requests in case of a high number of concurrent HTTP client users.

1.1.15.5. In access logs I am getting error “ERR_ZERO_SIZE_OBJECT”, what does it mean?

Cyberoam gives an ERR_ZERO_SIZE_OBJECT error in access logs when either Client or Server abruptly disconnects the HTTP connection.

 

Document Version: 1.0 02/07/2009

1.1.15.6. Can I change the MAC address of an interface (Port) of Cyberoam?
Applicable to version 9.xx

Following are the steps to change MAC address of an interface:
 
1.      Logon to CLI console using SSH or Telnet
2.      Go to Option 4 Cyberoam Console
3.      At the command prompt, execute the following command: 

Corporate>ip link set <interface> address <MAC Address>

where interface - interface whose MAC address is to be changed

MAC address - MAC address which is to be assigned to the interface

Below given sample screen displays original as well as changed MAC address.
 

This change in MAC address will be effective even after restarting management services (RMS) but changes will be lost after rebooting the appliance.

This feature is also called “MAC Cloning”

 

Note
 
Do not change MAC address if Appliance is configured for HA (High Availability) as Cyberoam High Availability feature works on Virtual MAC (VMAC) address concept.

Document Version: 1.0 16/06/2009

1.1.15.7. How many MAC addresses can be binded to a single user?
 
Cyberoam does not place any restriction on the number of MAC addresses that can be bound to a single user, i.e. one can bind an unlimited number of MAC addresses.
1.1.15.8. Is the version rollback event logged?

Yes, rollback event is logged in Audit log.
 
Audit log can be viewed from CLI console Option 5 Cyberoam Management > Option 8 View Audit log.
Log will display the current version and the rolled back (previous) version.
 
 
1.1.15.9. How do I find MAC Address of the Cyberoam interfaces?

Following are the steps to find the MAC addresses of Cyberoam interfaces:
  
  • Logon to CLI console 
  • Choose option 4 – ‘Cyberoam Console’
  • Execute command - ‘show network interfaces’
Output
 
1.1.15.10. How do I check gateway status from CLI console?
Go to Option 4 Cyberoam Console
Execute following command at the prompt

corporate> ip route list table  221  
 
Output
 
 
 
 
 
1.1.15.11. Is it possible to allocate IP address based on MAC address in DHCP?

It is possible from version 9.6.0 build 16 onwards.
1.1.15.12. From where do I change administrator password?

To change the password of the Administrator user, log on to Web Admin console and follow the below given steps:

  1. Navigate to User > User > Manage Active page
  2. Click "cyberoam" in the Username column. Page will display details of the administrator user.
  3. Click Edit Personal Details/Change Password button
  4. In the "New-Password" field, enter the new password
  5. In the "Re-enter New-Password" field, enter the same password as your new password
  6. Click "Update" button to save the password.
 
 
1.1.15.13. What do I do if I have forgotten both Web Admin and Telnet Console password?

Disclaimer - Retired KB Content

This article was written for version 9 of Cyberoam which is no longer supported. Therefore, this article is offered "as is" and will no longer be updated.



If you have forgotten both Web Admin and CLI Console password, reset to factory defaults. This will reset password for both the Consoles to the default password.
 
To reset to factory default, type "RESET" as the password at the CLI login prompt. It will reset Web Admin Console password to "cyber" and CLI Console password to "admin"
 
Please note that by resetting to factory default, you will lose all the customized configuration.
 
 
1.1.15.14. What should I do if I do not want to send backup to anyone?
If you do not want to send backup to anyone, do not specify email id in backup schedule.
1.1.15.15. How do I disable automatic upgrade of Cyberoam?
Applicable Version: 9.0 onwards

By default, AutoUpgrade mode is ON/Enabled which will automatically upgrade Cyberoam whenever upgrade is available.
 
Follow the below given procedure to disable automatic upgrading of Cyberoam: 
  • Log on to Telnet Console
  • Go to option 4 Cyberoam Console
  • At the command prompt, issue the following command: cyberoam autoupgrade off 
If automatic upgrade is disabled, you will have to upgrade Cyberoam manually. Refer to How To - Upgrade Cyberoam  for manual upgrade details.
 
 
1.1.15.16. What is the default time out for the Web Admin Console session?

The default session time out for Web Admin Console is 30 minutes.

1.1.15.17. I have forgotten CLIConsole password, what do I do now?
 Log on to Web Admin Console, go to System > Reset Console password. Specify Web Admin password and new password for CLI Console.
1.1.15.18. Why I am not able to connect to the Cyberoam’s serial console?
It is a compatibility issue. Check the version of hyper terminal as Cyberoam supports hyper terminal V 6 only.
1.1.15.19. How do I remove the entire configuration and set to Factory defaults?
To remove the entire configuration and revert back to the factory default settings you can follow the below mentioned steps:


  1. Connect to the Cyberoam serial console
  2. Select the option 5. Cyberoam Management
  3. Select the option 13. Reset to factory Defaults


1.1.15.20. From where do I change Web Admin Console port for remote management?
You can change http port but https cannot be changed. From Web Admin Console, go to System > Configure > Customize Client Preferences to change http port to any port above 1024. Default http port is 80 and https is 443.
1.1.15.21. Why do I receive following error page whenever I try to open Cyberoam Web Admin Console from Internet Explorer 7 using secure address i.e. HTTPS:\\<Cyberoam WAN IP address>?
This is the Internet Explorer’s HTTPS certificate warning and not the Cyberoam error page. This warning is specific to IE version 7. Click ‘Continue to this website’ to open the Web Admin Console.
 
1.1.15.22. I have forgotten GUI - Web Admin Console password, what do I do now?

 Log on to Cyberoam Telnet Console, go to option 5 - Cyberoam Management and go to option 3 - Reset Management Password.

This will reset password to the default password. Default password information will be available in Quick Start Guide.

1.1.15.23. How many failed log on attempts are allowed for Administration Interfaces before the connection is terminated?
There is no restriction on log on attempts for Web Admin Console and Serial Console. But for Telnet Console, the connection will get terminated after 2 failed log on attempts, i.e. after 2 failed attempts, the user will have to reconnect and try again.
1.1.15.24. From where can I check whether the site I am accessing needs Keep-Alive support or not?
Check HTTP Headers of site from www.nwtools.com
1.1.16. VLAN
1.1.16.1. How do I configure VLAN when Cyberoam is deployed in transparent mode?

Applicable version - v 9.5.0 build 21 onwards

To configure VLAN in transparent mode, you must add VLAN ID from CLI console.
  1. Logon to CLI console with the default password.
  2. From the Main Menu, go to option 5 VLAN Management > option 1 Add VLAN ID. Please note, VLAN configuration menu will be visible only if Cyberoam is deployed as Bridge i.e. transparent mode.
  3. Screen displays the total number of VLANs configured and their VLAN IDs, and will prompt you to specify a new VLAN ID. VLAN ID can be any number from 2 to 4094



1.1.16.2. Is it possible to deploy Cyberoam as Bridge between two trunk ports and scan VLAN traffic?

Yes, it is possible to deploy Cyberoam as Bridge i.e. transparent mode between two trunk ports and one can also apply content filtering policy, virus and spam  policy and Intrusion prevention policy to VLAN traffic.
 
Configuration steps:
  1. Deploy Cyberoam as Bridge
  2. Define VLAN ID for the bridge interface from CLI console
  3. Apply filtering and scanning policies. If policies are defined before defining VLAN IDs, VLAN traffic will be dropped.
1.1.16.3. Does Cyberoam preserve VLAN tags in transparent (bridge) mode?
 
From version 9.5.4 build 16 onwards, VLAN (Virtual LAN) tags are preserved even when antivirus scanning, spam filtering and web filtering using Internet Access Policy (IAP) are applied to VLAN tagged traffic in Bridge mode.

In the earlier versions, VLAN tags were not preserved when scanning or Internet Access Policy was applied on the traffic.

 
Document Version: 1.0-29/02/2008
1.1.16.4. Does Cyberoam scan all VLAN Traffic?
Applicable to version 9.5.x.x. onwards
Yes, if the VLAN traffic passes through Cyberoam, all the protocols are scanned.

All the UTM functionalities are also applicable in case of all inter-VLAN communications passing through Cyberoam.
 

Document Version: 1.0-24/09/2007

1.1.16.5. What is 802.1q specification in VLAN?

The IEEE's 802.1Q standard was developed to address the problem of how to break large networks into smaller parts so that broadcast and multicast traffic can not grab more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks.

The 802.1Q specification establishes a standard method for inserting virtual LAN (VLAN) membership information into Ethernet frames.
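
As an added illustration (not part of the Cyberoam documentation), the Python below inserts, reads and removes the 4-byte 802.1Q tag that carries the VLAN membership information in an Ethernet frame. The sample frame and the function names are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the tag between the source MAC and the original EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vid <= 4094:          # 0 = priority-only tag, 4095 = reserved
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    # Tag Control Information: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan_tag(frame: bytes):
    """Return the tag fields of a tagged frame, or None if it is untagged."""
    if len(frame) < 18:               # 12 MAC bytes + 4 tag bytes + EtherType
        return None
    tpid, tci, inner = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner}


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag if present; untagged frames are returned unchanged."""
    return frame[:12] + frame[16:] if parse_vlan_tag(frame) else frame


# Constructed untagged frame: broadcast destination, locally administered
# source MAC, EtherType 0x0800 (IPv4) and a dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = add_vlan_tag(SAMPLE_FRAME, vid=100, pcp=5)
    print(tagged[12:16].hex(), parse_vlan_tag(tagged))
    print(strip_vlan_tag(tagged) == SAMPLE_FRAME)
```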

1.1.16.6. Are Cyberoam CR series Appliances VLAN 802.1q capable?
Yes, all CR series appliances are VLAN capable.
1.1.16.7. Does Cyberoam support VLAN construction in both the deployment modes?
Cyberoam supports constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the Cyberoam appliances only if Cyberoam is deployed in Gateway Mode.
1.1.16.8. How many VLAN subinterfaces are supported by Cyberoam?
Cyberoam supports 4096 subinterfaces.
1.1.17. VPN
1.1.17.1. Is Cyberoam VPN Client compatible with Microsoft Vista OS?

Cyberoam VPN client is compatible with 32-bit Microsoft Vista OS.
It can be downloaded from www.cyberoam.com
 
1.1.17.2. What does each color of VPN Connection status mean?

Color     Status

Red       Connection is activated but is disconnected
Green     Connection is activated and connected
Amber     Connection is activated but only partially connected. When multiple subnets are configured for LAN and/or remote network, Cyberoam creates a sub-connection for each subnet. Amber color indicates that one of the sub-connections is not active.
1.1.17.3. Was unable to communicate with internal LAN users after connecting a Road Warrior IPSEC VPN connection using Cyberoam VPN client

You will find the following error message in the VPN logs if the NAT-T option is enabled in the Cyberoam VPN client.


In the VPN client, under the P1 Advanced option, set the NAT-T option to "Automatic".

Error Message:

May 04 15:51:17 1178308277 pluto[23401]: packet from 67.90.120.66:1501: recvfrom 67.90.120.66:1501 too small packet (1)

May 04 15:51:26 1178308286 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 too small packet (1)

May 04 15:51:31 1178308291 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 has no Non-ESP marker

May 04 15:51:34 1178308294 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 has no Non-ESP marker

May 04 15:51:37 1178308297 pluto[23401]: packet from 67.90.120.66:1501: recvfrom 67.90.120.66:1501 too small packet (1)

May 04 15:51:40 1178308300 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 has no Non-ESP marker

May 04 15:51:47 1178308307 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 too small packet
 
Document Version: 2.0-28/06/2008
1.1.17.4. Why am I not able to access any application even though the tunnel is established?

This might happen if there is a mismatch in the Connection Mode configured at the local and remote end.

The tunnel will be established even if the Connection Mode is configured as ‘Tunnel’ mode at the local end and as ‘Transport’ mode at the remote end, but the remote user will not be able to access any application.

Specify the same Connection Mode at both ends and try again.

1.1.17.5. I am receiving ‘IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}’ message in the log, what does it mean?

‘IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}’ means the tunnel is successfully established.

Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: Dead Peer Detection (RFC 3706): enabled
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

# xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled
# xfrm - encryption algorithm-authentication algorithm
# NATD - NAT traversal is detected or not
# DPD - Dead Peer Detection is enabled or not

1.1.17.6. Can I set up net-to-net VPN tunnels from Cyberoam to third-party VPN devices?

 Yes, Cyberoam VPN is interoperable and compatible with most of the VPN gateways supporting IPSec standards available in the market.

Cyberoam maintains a large number of step-by-step How Tos for VPN interoperability between Cyberoam and third-party VPN devices. How Tos can be accessed from kb.cyberoam.com

1.1.17.7. What should I do so that VPN connection does not get dropped every hour?
Connection duration depends on the Allow Re-keying option and the Key life defined in the VPN policy. By default, Allow Re-keying is OFF and Key life is 3600 seconds, so connections established using the Default policy are dropped every hour. Create a new policy from VPN > Policy > Create Policy, enable the Allow Re-keying option and define the Key life as per your requirement.
1.1.17.8. Can I use Cyberoam which is assigned a non-routable/private IP address as a VPN server?
Yes, you can, but make sure you have specified the local ID and remote ID in the IPSec Connection at both ends.
1.1.17.9. Can I establish Net-to-Net Connection when Cyberoam is behind an ADSL router?

 Yes, you can, but you have to define:
1.      Port forward rule for UDP port 500 and 4500 on ADSL router
2.      Local ID and remote ID in the IPSec Connection at both the ends.

Please make sure that your ADSL router supports IPSec Passthru.

1.1.17.10. Why am I getting the following error while trying to establish a Net-to-Net Connection when Cyberoam is behind an ADSL router?

Dec 07 15:47:26 1165486646 pluto[10300]: "pharm2-1" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.5'

Dec 07 15:47:26 1165486646 pluto[10300]: "pharm2-1" #6: we require peer to have ID '58.95.202.24', but peer declares '192.168.1.5'

Dec 07 15:47:26 1165486646 pluto[10300]: "pharm2-1" #6: sending encrypted notification INVALID_ID_INFORMATION to 58.95.202.24:4500

Dec 07 15:47:26 1165486646 pluto[10300]: "pharm2-1" #6: received 1 malformed payload notifies

 You will get this error if local ID and remote ID are not specified in IPSec Connection at both the ends.

Please make sure that your ADSL router supports IPSec Passthru.

1.1.17.11. Why am I getting the following error while trying to establish a Net-to-Net Connection when Cyberoam is behind an ADSL router?

Disclaimer - Retired KB Content

This article was written for version 9 of Cyberoam which is no longer supported. Therefore, this article is offered "as is" and will no longer be updated.

 

Dec 09 10:53:53 1165641833 pluto[6562]: "n2n-1" #104: initiating Main Mode

Dec 09 10:53:54 1165641834 pluto[6562]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 58.95.221.237 port 500, complainant 58.95.221.237: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

 You will get this error if Port forward rule for UDP port 500 and 4500 is not defined on ADSL router.

Please make sure that your ADSL router supports IPSec Passthru.
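The log signatures quoted in 1.1.17.3, 1.1.17.10 and 1.1.17.11 can be matched mechanically when triaging a long VPN log. The Python below is an added example, not Cyberoam code: it scans pluto lines for those three signatures, groups the hits per peer and attaches the remedy this FAQ gives for each. The function and rule names are hypothetical; the sample lines are copied from the excerpts in this FAQ.

```python
import re

# Sample input: pluto lines copied from the FAQ excerpts, plus one benign line.
SAMPLE_LOG = """\
May 04 15:51:17 1178308277 pluto[23401]: packet from 67.90.120.66:1501: recvfrom 67.90.120.66:1501 too small packet (1)
May 04 15:51:26 1178308286 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 too small packet (1)
May 04 15:51:31 1178308291 pluto[23401]: packet from 24.0.158.77:63631: recvfrom 24.0.158.77:63631 has no Non-ESP marker
May 04 15:51:37 1178308297 pluto[23401]: packet from 67.90.120.66:1501: recvfrom 67.90.120.66:1501 too small packet (1)
Dec 07 15:47:26 1165486646 pluto[10300]: "pharm2-1" #6: we require peer to have ID '58.95.202.24', but peer declares '192.168.1.5'
Dec 09 10:53:54 1165641834 pluto[6562]: ERROR: asynchronous network error report on eth1 (sport=500) for message to 58.95.221.237 port 500, complainant 58.95.221.237: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"""

# Syslog prefix used in the excerpts: date, time, epoch seconds, pluto[pid].
HEADER = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \d+ pluto\[\d+\]: (?P<msg>.*)$")

# (rule name, signature, remedy as stated in the FAQ). Rule names are hypothetical.
RULES = [
    ("nat_t", re.compile(r"packet from (?P<peer>[\d.]+):\d+: recvfrom \S+ "
                         r"(?:too small packet|has no Non-ESP marker)"),
     'Set NAT-T to "Automatic" under P1 Advanced in the VPN client (1.1.17.3)'),
    ("peer_id", re.compile(r"we require peer to have ID '(?P<want>[^']+)', "
                           r"but peer declares '(?P<got>[^']+)'"),
     "Specify local ID and remote ID in the IPSec Connection at both ends (1.1.17.10)"),
    ("port_fwd", re.compile(r"message to (?P<peer>[\d.]+) port (?P<port>\d+), "
                            r"complainant \S+ Connection refused"),
     "Define a port forward rule for UDP 500 and 4500 on the ADSL router (1.1.17.11)"),
]

def triage(log_text):
    """Return one finding per (rule, peer) with a hit count, in first-seen order."""
    findings = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not a pluto line
        for name, pattern, remedy in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                detail = hit.groupdict()
                # For the ID mismatch the expected ID stands in for the peer.
                peer = detail.get("peer") or detail.get("want")
                entry = findings.setdefault((name, peer), {
                    "rule": name, "peer": peer, "count": 0,
                    "first_seen": m["ts"], "remedy": remedy, "detail": detail})
                entry["count"] += 1
                break
    return list(findings.values())

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["first_seen"]} {f["rule"]} peer={f["peer"]} x{f["count"]}: {f["remedy"]}')
```
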

1.1.17.12. Why am I receiving “Error 050: Impossible to complete activation process.” error while activating VPN Client?
You are receiving this error because the Activation server is not able to generate an activation code for this license at the moment of activation. Try to activate after some time and, if you receive the same error, browse to http://www.cyberoam.com/osa_manual.php and follow the on-screen steps to register using the manual software activation procedure.

If you are still not able to activate, contact support@cyberoam.com

1.1.17.13. Why am I receiving “Error 031: License not found” error while activating VPN Client?
You are receiving this error because the License number which you have entered does not exist in the activation server database. There must be some error in entering the license number. Go back to step 1 of the activation and enter each digit of the license number correctly.
1.1.17.14. Why am I receiving “Error 033: Activation Quota exceeded.” error while activating VPN Client?
You are receiving this error because the number of installations and activations allowed for this license number has been exceeded. A license cannot be used for more than the allowed limit. Contact your System Administrator.
1.1.17.15. Why am I receiving “Error 034: Wrong Product Code.” error while activating VPN Client?
You are receiving this error because the license number which you have entered is wrong. Please enter the correct license number and try again.
1.1.17.16. Why am I receiving “Error 052: Impossible to complete activation process.” error while activating VPN Client?

You are receiving this error because the Activation server is not able to generate an activation code for this license at the moment of activation. Try to activate after some time and, if you receive the same error, browse to http://www.cyberoam.com/osa_manual.php and follow the on-screen steps to register using the manual software activation procedure.

If you are still not able to activate, contact support@cyberoam.com

1.1.17.17. If Branch offices are connected to Head office via VPN, will branch offices be able to connect with each other via VPN?
 Yes, if branch offices are connected to head office via Net-to-Net connection.
1.1.17.18. Cyberoam NAT traversal allows IPSec connection through a NAT device. If Cyberoam is behind a NAT device, can it accept more than one incoming VPN connection?
Yes
1.1.17.19. Can I customize encryption/authentication algorithm for each VPN connection?
Yes
1.1.17.20. Can I configure different encryption/authentication algorithm for phase 1 and phase 2?
Yes
1.1.17.21. Can I setup VPN tunnel from Cyberoam to third-party VPN gateways?
Yes, as long as the third-party VPN gateways support IPSec.
1.1.17.22. Which port’s traffic should I check to monitor VPN traffic?

Cyberoam automatically configures a VPN IPSec interface for each WAN port configured. For example, if Port B and Port C are configured as WAN ports then Cyberoam will configure ipsec0 and ipsec1 for Port B and Port C respectively.

Use these ipsec ports to monitor VPN traffic, e.g. "tcpdump -i ipsec0" will display the VPN traffic of the ipsec0 port.

 

1.1.17.23. Does Cyberoam support UDP over IPSec tunnel?
Yes
1.1.17.24. Why am I not able to access any application even though the tunnel is established?

This might happen if there is a mismatch in the Connection Mode configured at the local and remote end.

The tunnel will be established even if the Connection Mode is configured as ‘Tunnel’ mode at the local end and as ‘Transport’ mode at the remote end, but the remote user will not be able to access any application.

Specify the same Connection Mode at both ends and try again.

1.1.17.25. From where do I know how many users are using PPTP connection to establish VPN tunnel?
You can get the list of users using a PPTP connection to establish a VPN tunnel from the VPN Report. You can view the report from Report > VPN > PPTP Connection Log.
1.1.17.26. From where do I view the PPTP logs?
You can view PPTP logs from the Telnet Console. You can view date-wise logs from option 8 VPN Management > option 6 PPTP VPN Logs.
1.1.17.27. From where do I view the PPTP logs related to plugins?
To view the PPTP logs related to plugins, go to Telnet Console option 8 VPN Management > option 6 PPTP VPN Logs and view the debug level logs.
1.1.17.28. How do I know which users are using PPTP connection?
The PPTP Connection Log gives the details of all the users using a PPTP connection. Log on to Cyberoam Reports and go to VPN > PPTP Connection Log to view the date-wise connection details for all the users.
1.1.17.29. From where do I get PPTP connection details?
The PPTP Connection Log gives the details of all the PPTP connections. Log on to Cyberoam Reports and go to VPN > PPTP Connection Log to view the date-wise connection details for all the users.
1.1.17.30. What does the number appended at the end of the Connection name indicate?

The number appended at the end of the Connection name indicates the total number of Private Networks specified in the Connection at the local and remote VPN servers and the total number of connections that can be established.
For example, if 2 local private networks and 3 remote private networks are specified for the connection rw_psk, then 6 (2*3) will be appended to the connection name and it will be displayed as rw_psk-6 in the VPN Log.

A total of 6 connections can be established and the Log entries will be "rw_psk_1-1", "rw_psk_1-2", "rw_psk_1-3", "rw_psk_1-4", "rw_psk_1-5", "rw_psk_1-6".

1.1.17.31. What does ‘ISAKMP SA established’ message in the VPN Log mean?

‘ISAKMP SA established’ means phase 1 connection is successfully established. Log will also display the parameters defined for the phase 1.

Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: I did not send a certificate because I do not have one.
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}

# auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024
# auth - authentication type
# cipher - encryption algorithm used for phase 1
# prf - authentication algorithm
# group - DH Group
      1 = MODP768
      2 = MODP1024
      5 = MODP1536
      14 = MODP2048
      15 = MODP3072
      16 = MODP4096
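The two "SA established" lines explained in 1.1.17.5 and 1.1.17.31 carry the negotiated parameters inside the braces, so they can be decoded for an audit of what each tunnel actually negotiated. The Python below is an added example, not Cyberoam code: it parses both line types using the legends given in this FAQ. The function name is hypothetical, and the POLICY_FLAG list is an assumed local audit policy, not a Cyberoam setting.

```python
import re

# Log lines copied from the FAQ excerpts (sections 1.1.17.31 and 1.1.17.5).
PHASE1 = ('Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, '
          'ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}')
PHASE2 = ('Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: '
          'IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}')

# DH group numbers exactly as listed in the FAQ legend.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "modp3072": 15, "modp4096": 16}
# Assumption: substrings this example's local audit policy wants reported.
POLICY_FLAG = ("3des", "md5", "modp768", "modp1024")

SA_LINE = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<state>STATE_\w+): '
    r'.*?(?P<kind>ISAKMP|IPsec) SA established \{(?P<params>[^}]*)\}')
SPI = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")

def parse_sa(line):
    """Decode an 'SA established' line into a dict; return None for any other line."""
    m = SA_LINE.search(line)
    if not m:
        return None
    raw = m["params"]
    # key=value tokens; the ESP SPI pair is handled separately below.
    params = dict(tok.split("=", 1) for tok in raw.split()
                  if "=" in tok and not tok.startswith("ESP="))
    sa = {"phase": 1 if m["kind"] == "ISAKMP" else 2,
          "conn": m["conn"], "peer": m["peer"], "state": m["state"]}
    if sa["phase"] == 1:
        sa.update(auth=params.get("auth"), cipher=params.get("cipher"), prf=params.get("prf"),
                  dh_group=DH_GROUPS.get(params.get("group", "").lower()))
    else:
        # xfrm is "<encryption>-<authentication>" per the FAQ legend.
        enc, _, integ = params.get("xfrm", "").partition("-")
        spi = SPI.search(raw)
        sa.update(encryption=enc, integrity=integ,
                  nat_detected=params.get("NATD", "none") != "none",
                  dpd=params.get("DPD") == "enabled",
                  spis=spi.groups() if spi else None)  # in the order printed in the log
    # Report parameter values that match the local policy list.
    sa["flagged"] = sorted({v for v in params.values() for bad in POLICY_FLAG if bad in v.lower()})
    return sa

if __name__ == "__main__":
    for line in (PHASE1, PHASE2):
        print(parse_sa(line))
```
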

1.1.17.32. I am receiving ‘inbound IPsec SA installed, expecting QI2’ message in the log, what does it mean?

‘inbound IPsec SA installed, expecting QI2’ means the phase 1 connection is successfully established and a one-way tunnel, i.e. the incoming data tunnel, is established.

Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2