
User Guide Version 9

Document version 96060-1.0-06/11/2009


Cyberoam User Guide

IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice to make changes in product design or specifications. Information is subject to change without
notice.

USERS LICENSE
The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement.

Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to
be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly
return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media
on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2)
the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided
AS IS. This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and
the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option,
repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the
software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will
be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and
anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is
under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant
that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in
a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion,
replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably
determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of
the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the
above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Elitecore Technologies Ltd.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com


Contents

Technical Support
Typographic Conventions
Preface
Guide Organization
Cyberoam Basics
Benefits of Cyberoam
Accessing Cyberoam
Accessing the Web Admin Console
Getting Started
Dashboard
Management
Setting up Zones
Create Zone
Setting up Users
Define Authentication
Define User
Setting up Groups
Firewall
Create Firewall rule
Manage Firewall
Host Management
Spoofing prevention
Virtual Host
Create Virtual host
Delete Virtual host
Traffic Discovery
Live Connections report
Today's Connection History
Policy Management
Surfing Quota policy
Access Time policy
Internet Access policy
Bandwidth policy
Data Transfer policy
NAT Policy
Zone Management
Manage Zone
Delete Zone
Group Management
Manage Group
User Management
Search User
Live User
Manage User
System Management
Configure Network
Configure DNS
Dynamic Host Configuration Protocol (DHCP)
Configure DHCP relay agent
View Interface details
Configuring Dynamic DNS service
PPPoE
Manage Gateway
DoS Settings
Bypass DoS Settings
Reset Console Password
ARP
System Module Configuration
Manage Data
Client Services
Customize Access Deny messages
Upload Corporate logo
Customize Login message
Disable Warning messages
HTTP Client Login page template
GUI Language Settings
Time settings
Certificate Management
Certificate Revocation List
HTTP Proxy Management
Manage HTTP Proxy
Configure HTTP Proxy
Manage Servers
Monitoring Bandwidth Usage
Migrate Users
Migration from PDC server
Migration from External file
Customization
Schedule
Define Schedule
Manage Schedule
Services
Define Custom Service
Manage Custom Service
Create Service Group
Update Service Group
Delete Service Group
Categories
Web Category
File Type Category
Application Protocol Category
Access Control
Logging
Syslog Configuration
Log configuration
Product Licensing & Updates
Product Version information
Upgrade Cyberoam
Download
Clients
Appendix A - Audit Log
Appendix B - Logs
Appendix C - Web Categories
Appendix D - Services
Appendix E - Application Protocols
Menu wise Screen and Table Index


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

| Item | Convention | Example |
|---|---|---|
| Server | | Machine where Cyberoam Software - Server component is installed |
| Client | | Machine where Cyberoam Software - Client component is installed |
| User | | The end user |
| Username | | Username uniquely identifies the user of the system |
| Part titles | Bold and shaded font typefaces | Report |
| Topic titles | Shaded font typefaces | Introduction |
| Subtitles | Bold & Black typefaces | Notation conventions |
| Navigation link | Bold typeface | Group Management > Groups > Create: it means, to open the required page click on Group management then on Groups and finally click Create tab |
| Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes command button text which is to be clicked |
| Cross references | Hyperlink in different color | refer to Customizing User database. Clicking on the link will open the particular topic |
| Notes & points to remember | Bold typeface between the black borders | Note |
| Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details |


Preface
Welcome to Cyberoam's User Guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security
needs of corporates, government organizations, and educational institutions.

Cyberoam's perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti
Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ, which are visible to the
external world and still have firewall protection.

The default Web Admin Console username is cyberoam and the password is cyber.

Cyberoam recommends changing the default password immediately after installation to avoid unauthorized
access.

Guide Organization
This Guide provides information regarding the administration, maintenance, and customization of
Cyberoam and helps you manage and customize Cyberoam to meet your organization's various
requirements, including creating groups and users and assigning policies to control internet access.

How do I search for relevant content?

For help on how to perform a certain task, use Contents.

For help on a specific menu or screen function, use Menu wise Screen and Table Index.

This Guide is organized into three parts:


Part I Getting started

It describes how to start using Cyberoam after successful installation.

Part II Management

It describes how to define groups and users to meet the specific requirements of your Organization. It
also describes how to manage and customize Cyberoam.

1. Define Authentication process and firewall rule.


2. Manage Groups and Users. Describes how to add, edit and delete Users and User Groups
3. Manage & Customize Policies. Describes how to define and manage Surfing Quota policy, Access
Time policy, Internet Access policy, Bandwidth policy and Data transfer policy
4. Manage Cyberoam server

Part III Customization

Customize Services, Schedules and Categories. Describes how to create and manage Categories,
Schedules and Services and Cyberoam upgrade process.


Cyberoam Basics
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security
needs of corporate, government organizations, and educational institutions.

Cyberoam's perfect blend of best-of-breed solutions includes Identity based Firewall, Content filtering,
Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ, which are visible to the
external world and still have firewall protection.

It also provides assistance in improving Bandwidth management, increasing Employee productivity and
reducing legal liability associated with undesirable Internet content access.

Benefits of Cyberoam
1. Boost Employee productivity by
a. Blocking access to the sites like Gaming, Shopping, news, Pornography
2. Conserve bandwidth by
a. Controlling access to non-productive site access during working hours
b. Controlling rate of uploading & downloading of data
3. Load balancing over multiple links
a. Improved User response time
b. Failover solution
c. Continuous availability of Internet
d. Reduced bandwidth bottlenecks
4. Enforce acceptable Internet usage policies
5. Comprehensive, easy-to-use reporting tool enabling the IT managers to compile reports on Internet
and other resources usage and consumption patterns

Accessing Cyberoam
Two ways to access Cyberoam:
1. Web Admin Console
General Administration using Web Admin Console
The following configurations can be performed only from Web Admin Console:
DNS and DHCP
firewall rules
content filtering categories and policies
user authentication method and integration with external authentication servers
access control
antivirus and anti spam filtering policies
VPN connection policies
multiple gateways
user and user groups
bandwidth and internet access policy
IPS policies and signature

In addition, Dashboard, reports including traffic discovery and bandwidth usage graphs can be viewed
only from Web Admin Console.

2. CLI Console


a) Using Console Interface via remote login utility TELNET


b) Direct Console connection - attaching a keyboard and monitor directly to Cyberoam server

General Administration using CLI Console


Use CLI console for troubleshooting and diagnosing network problems in detail. Additionally, you can also:
Restart management services
Restart and shutdown Cyberoam
View log information
Update MTU and MSS value
Configure static and dynamic routes
Upgrade Cyberoam and restore backup
Restore to factory default settings
Reset and change password
Enable/disable LAN Bypass (only if Cyberoam is deployed as Bridge)

Accessing CLI Console via remote login utility - TELNET


Access the Cyberoam Console with the help of the TELNET utility. To use TELNET, the IP Address of the Cyberoam
server is required.

Use the command telnet <Cyberoam IP address> to start the TELNET utility from the command prompt and log on
with the default password admin.

Screen - Console login screen

Accessing CLI Console using SSH client


Access the Cyberoam Console using any SSH client. The Cyberoam server IP Address is required.

Start the SSH client and create a new Connection with the following parameters:
Hostname - <Cyberoam server IP Address>
Username - admin
Password - admin


Accessing the Web Admin Console


Cyberoam Web Admin Console (GUI) access requires Microsoft Internet Explorer 5.5+ or Mozilla Firefox
1.5+ and Display settings as True color (32 bits).

Log on & log off from the Cyberoam Web Admin Console
The Log on procedure verifies validity of user and creates a session until the user logs off.

Log on procedure
To get the log in window, open the browser and type the IP Address in the browser's URL box. A dialog box
appears prompting you to enter a username and password to log on. Use the default user name
cyberoam and password cyber if you are logging in for the first time after installation.

Asterisks are the placeholders in the password field.


Log on Methods

HTTP log in
To open the unencrypted login page, in the browser's Address box, type
http://<IP address of Cyberoam>

Screen - HTTP login screen


HTTPS log in
Cyberoam provides a secured communication method that encrypts the User log on information and
prevents unauthorized users from viewing the user information. For this, Cyberoam uses the HTTPS
protocol.

The secure Hypertext Transfer Protocol (HTTPS) is a communication protocol designed to transfer
encrypted information between computers over the World Wide Web. HTTPS is http using a Secure
Socket Layer (SSL). A secure socket layer is an encryption protocol invoked on a Web server that uses
HTTPS.


HTTPS protocol opens a secure hypertext transfer session with the specified site address.

To open login over secure HTTP, type


https://<LAN IP address of Cyberoam>

Screen - HTTPS login

| Screen Elements | Description |
|---|---|
| Login | |
| User name | Specify user login name. If you are logging on for the first time after installation, please use default username cyberoam |
| Password | Specify user account Password. If you are logging on for the first time after installation, please use default password cyber |
| Log on to | To administer Cyberoam, select Web Admin Console |
| Login button | Logs on to Web Admin Console. Click Login |

Table - Login screen elements

Screen Components
Cyberoam displays Dashboard as soon as you log on to the Web Admin Console. Dashboard provides a
quick overview of all the important parameters of the Cyberoam appliance.

Navigation menu
Navigation menu on the leftmost side provides access to various configuration pages. Menu consists of
sub-menus and tabs. On clicking menu item, submenu is displayed. On clicking submenu item, the
associated tabs are displayed. To view page associated with tab, click the required tab.

Button bar
The button bar on the upper rightmost corner provides access to several features like:

Dashboard

Console - It provides immediate access to CLI by initiating a telnet connection with CLI
without closing Web Admin console. It avoids toggling between consoles especially when
management service is to be restarted (RMS).

Support - Opens a customer login page for creating a Technical Support Ticket. It is fast, easy
and puts your case right into the Technical Support queue.

Wizard - Network Configuration wizard will guide you step-by-step through configuration of the
network parameters like IP address, subnet mask and default gateway for Cyberoam.

Cyberoam Appliance and Registration information

Online help

Logout - Use button to log out from the Web Admin Console.

Use F1 key for page specific help


Use F2 key to return to home page
Use F10 key to return to Dashboard


Web console Authorization and Access control


By default, Cyberoam has four types of user groups:
Administrator group

Log in as Administrator group User to maintain, control and administer Cyberoam.


Administrator group User can create, update and delete system configuration and user information.
Administrator can create multiple administrator level users.
Manager group

Manager group User can only view the reports.


User group

User group User is the user who accesses the resources through Cyberoam.
Clientless group

Clientless group User is the user who can bypass Cyberoam Client login to access resources. Cyberoam itself
takes care of login of this level user.

Refer to Access Configuration to implement IP address based access restriction/control for
administrators and managers.

Log out procedure


To prevent unauthorized users from accessing Cyberoam, log off after you have finished working. This will
end the session and exit from Cyberoam.


PART
Getting Started
Once you have configured network, you can start using Cyberoam.

1. Start monitoring

Once you have installed Cyberoam successfully, you can monitor user activity in your Network.
Depending on the Internet Access policy configured at the time of installation, certain categories will be
blocked or allowed for LAN to WAN traffic with or without authentication.

2. View Cyberoam Reports

Monitor your Network activities using Cyberoam Reports.

To view Reports, log on to Reports from Web Admin Console using following URL: http://<Internal IP
Address> and log on with default username cyberoam and password cyber.

View your organization's surfing pattern from Web Surfing Organization wise report
View your organization's general surfing trends from Trends Web Trends report
View your organization's Category wise surfing trends from Trends Category Trends report

3. Discover Network Application Traffic

Detect your network traffic i.e. applications and protocols accessed by your users.

To view traffic pattern of your network, log on to Cyberoam Web Admin Console using following URL:
http://<Internal IP Address> and log on with default username cyberoam and password cyber.

View amount of network traffic generated by various applications from Traffic Discovery Live
Connections Application wise

4. Configure for User name based monitoring

As Cyberoam monitors and logs user activity based on IP address, all the reports generated are also IP
address based. To monitor and log user activities based on User names, you have to configure
Cyberoam for integrating user information and authentication process.

Integration will identify access request based on User names and generate reports based on Usernames.

If your Network uses Active Directory Services, configure Cyberoam to communicate with your ADS. Refer to
Integrate Cyberoam with Active Directory for more details.

If your Network uses LDAP, configure Cyberoam to communicate with your LDAP. Refer to Integrate
Cyberoam with LDAP for more details.

If your Network uses Windows NT Domain Controller, configure Cyberoam to communicate with
Windows Domain Controller.

If your Network uses RADIUS, configure Cyberoam to communicate with RADIUS. Refer to Integrate
Cyberoam with RADIUS for more details.

5. Customize
Cyberoam creates default firewall rules based on the Internet Access configuration done at the time of
installation.

You can create additional firewall rules and other policies to meet your organization's requirements.

Cyberoam allows you to:


1. Control user based per zone traffic by creating firewall rule. Refer to Firewall for more details.
2. Control individual user surfing time by defining Surfing quota policy. Refer to Policy Management-
Surfing Quota policy for more details.
3. Schedule Internet access for individual users by defining Access time policy. Refer to Policy
Management-Access time policy for more details.
4. Control web access by defining Internet Access policy. Refer to Policy Management-Internet Access
policy for more details.
5. Allocate and restrict the bandwidth usage by defining Bandwidth policy. Refer to Policy Management-
Bandwidth policy for more details.
6. Limit total as well as individual upload and/or download data transfer by defining data transfer policy.
Refer to Data transfer policy for more details.


Dashboard
Cyberoam displays Dashboard as soon as you log on to the Web Admin Console.

Dashboard provides a quick overview of all the important parameters of the Cyberoam appliance
that require special attention, such as password, access to critical security services, system resources
usage, IPS alerts, and notifications of subscription expirations.

Dashboard page is completely customizable. Minimize or reposition each section (System Information,
License Information, Gateway status information, Usage summary etc.) by dragging and dropping. Each
section has an icon associated with it for easy recognition when minimized. Optionally click Reset to
restore the default dashboard setting.

The customizable Dashboard lets you place the sections that are pertinent to you and require special
attention for managing Cyberoam at the top, and move the information used less often to the bottom.

Available sections on Dashboard are as follows:


Alert Messages
Appliance Information
License Information
Installation Information. Use Check for Upgrades link to check for the upgrade availability.
DoS attack status
Recent IPS Alerts
Recent Spyware Alerts
HTTP Traffic Analysis
User Surfing pattern
Usage Summary
Recent Mail Viruses detected
Recent HTTP and FTP Viruses detected
System Resources
System Status
Gateway status
HA Details (if High availability is configured)

The Recent Spyware Alerts doclet is added on the Dashboard to provide a level of visibility into
spyware infected hosts and to help stop the further propagation of spyware outside your network.

Apart from preventing spyware from entering and infecting your network, Cyberoam can now also
detect any unwanted applications and Spyware infected hosts that are already in the network, i.e.
hosts infected before Cyberoam was deployed, and provides an alert on the Dashboard.

Dashboard displays following Alerts:


The default Web Admin Console password has not been changed.
Default Telnet Console password is not changed.
<Service name(s)> base management is allowed from WAN. This is not a secure configuration. We
recommend to use a good password.
Your Cyberoam Appliance is not registered.
<module name(s)> modules will expire within 5/10/20 days. Be sure to buy the subscription to stay
protected.
<module name(s)> module(s) expired


Note

Use F10 key to return to Dashboard from any of the pages


The button bar on the upper rightmost corner of all the pages also provides access to Dashboard.

Screen - Dashboard


PART
Management
Setting up Zones
A Zone is a logical grouping of ports/physical interfaces and/or virtual subinterfaces if defined.

Zones provide a flexible layer of security for the firewall. With zone-based security, the administrator
can group similar ports and apply the same policies to them, instead of having to write the same policy
for each interface.

Default Zone Types

LAN - Depending on the appliance in use and on your network design, Cyberoam allows you to group one to
six physical ports in this zone. Group multiple interfaces with different network subnets to manage them
as a single entity. Group all the LAN networks under this zone.

By default, traffic to and from this zone is blocked, which makes it the most secure zone. However,
Cyberoam allows traffic between the ports belonging to the same zone.

DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the
appliance in use and on your network design, Cyberoam allows you to group one to five physical ports in this
zone.

WAN - Zone used for Internet services. It can also be referred to as the Internet zone.

Local - Entire set of physical ports available on the Cyberoam appliance including their configured
aliases are grouped in LOCAL zone. In other words, IP addresses assigned to all the ports fall under the
LOCAL zone.

VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have
any assigned physical port/interface. Whenever a VPN connection is established, the port/interface used
by the connection is automatically added to this zone, and on disconnection the port is automatically
removed from the zone. Like all other default zones, scanning and access policies can be applied to the
traffic for this zone.

Cyberoam provides a single zone of each type. These are called System Zones. The administrator can add
zones of the LAN and DMZ types.

By default, all traffic is blocked except LAN to Local zone services such as Administration, Authentication
and Network.


Create Zone
Select System → Zone → Create to open the create page

Screen - Create Zone

Screen Elements Description


Create Zone
Zone Name Specify name of the Zone
Zone Type Select zone type

LAN - Depending on the appliance in use and network design, one can group
one to six physical ports in this zone. Group multiple interfaces with different
network subnets to manage them as a single entity. Group all the LAN
networks under this zone.

By default, traffic to and from this zone is blocked, which makes it the most
secure zone. However, same-zone traffic is allowed.

DMZ (DeMilitarized Zone) - Zone normally used for publicly accessible servers.
Depending on the appliance in use and network design, one can group one
to five physical ports in this zone.

WAN - Zone for the Internet services. Only one WAN zone is allowed, hence
additional WAN zones cannot be created.

VPN - Zone for simplifying secure and remote connectivity. Not assigned to
any physical port/interface, but whenever a VPN connection is established, the
port/interface used by the connection is automatically added to this zone, and
on disconnection the port is automatically removed from the zone.

When deployed as a bridge, creation of multiple LAN zones is not possible.
Select Port
Click the port to be included from the Available Port(s) list and click to
move to the Member Port(s) list. The selected port will be a member of the
zone. Virtual Interfaces will also be available for selection if defined.
Description Specify zone description
Create button Saves the configuration and creates zone
Table - Create Zone


Setting up Users
Define Authentication
Cyberoam provides policy-based filtering that allows defining individual filtering plans for various users of
your organization. You can assign individual policies to users (identified by IP address), or a single policy
to a number of users (Group).

Cyberoam detects users as they log on to Windows domains in your network via client machines.

Cyberoam can be configured to allow or disallow users based on username and password. In order to
use User Authentication, you must select at least one database against which Cyberoam should
authenticate users.

Cyberoam supports user authentication against:


an Active Directory
a Windows NT Domain controller
an LDAP server
a RADIUS server
an internal database defined in Cyberoam

To filter Internet requests based on policies assigned, Cyberoam must be able to identify a user making a
request.

When the user attempts to access, Cyberoam requests a user name and password and authenticates the
user's credentials before giving access. User level authentication can be performed using the local user
database on the Cyberoam, an External ADS server, RADIUS server, LDAP or Windows NT Domain
Controller.

For external authentication, integrate Cyberoam with ADS, LDAP or Windows NT Domain Controller.
If your network uses an Active Directory service, configure Cyberoam to communicate with ADS.
Refer to Integrate Cyberoam with Active Directory for more details.
If your network uses a Windows Domain controller, configure Cyberoam to communicate with the Domain
controller.
If your network uses LDAP, configure Cyberoam to communicate with the LDAP server. Refer to Integrate
Cyberoam with LDAP for more details.
If your network uses a RADIUS server, configure Cyberoam to communicate with the RADIUS server.
Refer to Integrate Cyberoam with RADIUS for more details.
Cyberoam can prompt for user identification if your network does not use a Windows environment.

Cyberoam Authentication
It is necessary to create users and groups in Cyberoam if it is installed in a non-PDC environment.

Before users log on to Cyberoam, Administrator has to create all the users in Cyberoam, assign them to
a Group and configure for Cyberoam authentication. Refer to Define Group and Define User for details
on creating groups and users.

When user attempts to log on, Cyberoam authenticates user.


Select User → Authentication Settings to open the configuration page

Screen - Cyberoam Authentication

Screen Elements Description


Configure Authentication & Integration parameters
Integrate with Select Cyberoam as the authentication server
Default Group Allows you to select the default group for users

Click Default Group list to select


Update button Updates and saves the configuration
Table - Cyberoam Authentication screen elements


Define User

User
Users are identified by an IP address or a user name and assigned to a group. All the users in a group
inherit all the group policies. Refer to Policy Management to define new policies.

User types
Cyberoam supports three types of Users:
1. Normal
2. Clientless
3. Single Sign on

Normal - User has to log on to Cyberoam. Requires the Cyberoam client (client.exe) on the User machine, or
the user can use the HTTP Client component. All the policy-based restrictions can be applied.

Clientless - Does not require the Cyberoam client component (client.exe) on the User machines. Symbolically
represented as User name (C)

Single Sign On - These are normal users, but if configured for Single Sign On, whenever the user logs on to
Windows, the user is automatically logged on to Cyberoam. They are part of normal users.
Symbolically represented as User name (S)

Use the decision matrix below to decide which type of user should be created.

Decision matrix for creation of User

Feature                        Normal User   Clientless User   Single Sign on User

User Login required            Yes           No                No
Type of Group
  Normal                       Yes           No                Yes
  Clientless                   No            Yes               No
Apply Login restriction        Yes           Yes               Yes
Apply Surfing Quota policy     Yes           No                No
Apply Access Time policy       Yes           No                No
Apply Bandwidth policy         Yes           Yes               Yes
Apply Internet Access policy   Yes           Yes               Yes
Apply Data Transfer policy     Yes           No                Yes
Table - Create User - Decision matrix


Add a User

Prerequisite
Group created for Normal Users only

Select User → User → Add User to open the add user page

Screen - Add User

Screen Elements Description


User Information
Name Specify name of the User
Username Specify a name that uniquely identifies the user and is used for logging in
Password Specify Password
Confirm Password Specify password again for confirmation

Should be same as typed in the Password field


Birth date Specify date of birth of user


Click Calendar to select date


Email Specify Email Id of User
Windows Domain Controller (Only if Authentication is done by Windows NT Domain Controller)
Displays Authentication Server IP Address
User Type Specify the user group type. Depending on the user group type, default
web console access control will be applied. Refer to Web console
Authorization and Access control for more details.

Available option: Administrator, Manager, User

Click User type list to select

Refer to Add Clientless User on how to create clientless user


Number of simultaneous login(s) allowed OR Unlimited
Customize the maximum number of concurrent logins allowed to the user

Specify number of concurrent logins allowed to the user
OR
Allows unlimited concurrent logins to the user

The setting specified will override the setting specified in client preference.

For example,
If in Client preferences, the number of concurrent logins allowed is 5
and here you have specified 3, then this particular user will be allowed
to login from 3 machines concurrently and not from 5 machines.
Spam Digest (Only if Gateway Anti-spam module is subscribed)
Spam digest is an email that contains a list of quarantined spam
messages filtered by Cyberoam and held in the user quarantine area.

If configured, Cyberoam will mail the spam digest every day to the user.
One can configure digest email frequency from the general Anti spam
configuration.

Digest provides a link to User My Account from where user can access
his quarantined messages and take the required action.

Actions
Enable - User will receive the spam digest daily and overrides Group
setting

Disable - User will not receive spam digest and overrides Group setting

Apply Group setting - Inherit Group Spam Digest setting


SSL VPN Policy Select SSL VPN policy from the dropdown list. If user is not to be
provided the SSL VPN access then select No Policy Applied
User MAC Binding
Bind to MAC address By binding User to MAC address, you are mapping user with a group of
MAC addresses hence user will be able to login and access the Internet
only from the specific machines.

This will prevent anyone from impersonating someone else even if they
have changed their IP address.
MAC address list Specify MAC addresses e.g. 01:23:45:67:89:AB
Once you enable MAC binding, the user will be able to login through pre-specified
machines only.


To configure multiple MAC addresses use comma e.g.
01:23:45:67:89:AB, 01:23:45:67:89:AC or specify each address in a
new line.
Group Information
Group Specify the Group in which the user is to be added. User will inherit all the
group policies.

Click Group list to select


View details link Opens a new window and displays details of the selected Group

Refer to View Group details table for more details


Login Restriction
Select any one option Allows you to apply login restriction

Available options
All Nodes - Select to allow user to login from all the nodes in the network

Group Node(s) only - Select to allow user to login only from the nodes
assigned to the group

Selected Node(s) only - Select to allow user to login from the specified
nodes only. Specify IP address and click Add button

Click to select
Add button Click to add user
Cancel button Click Cancel to return to the Manage User page
Table - Add User screen elements
View Group details table

Screen Elements Description


Group name Displays name of the Group
Surfing Quota policy Displays name of the Surfing Quota policy assigned to the group
Access Time policy Displays name of the Access Time policy assigned to the group
Internet Access policy Displays name of the Internet Access policy assigned to the group
Bandwidth policy Displays name of the Bandwidth policy assigned to the group
Data transfer policy Displays name of the Data Transfer policy assigned to the group
Allotted time (HH:mm) Displays total allotted surfing time to User
Expiry date Displays User policy Expiry date
Used minutes Displays total time used by the user in minutes

At the time of creation of user, it will be displayed as 0:0


Close button Closes window
Table - View Group details screen elements

Add Clientless users


Clientless Users are the users who can bypass Cyberoam Client login to access resources. It is possible
to add a single clientless user as well as more than one clientless user at a time. When you add multiple
clientless users, users are represented by IP addresses and not by the name.

Add multiple clientless users

Prerequisite
Clientless Group created


Select User → Clientless Users → Add Range to open the create user page and add multiple
clientless users in one go, with IP addresses in a continuous range.

Screen - Add multiple Clientless users

Screen Elements Description


Host Group Details
From To Specify range of IP Address that will be used by users to login
Group Specify group in which users are to be added

Click Group list to select


Create button Click to add multiple Clientless Users. Registers Clientless users with given
IP addresses as their username.
Table - Add multiple Clientless users screen elements

Add single Clientless user

Prerequisite
Group created

Select User → Clientless Users → Add Users to open the create user page and add a single user or
multiple clientless users with an arbitrary range of IP addresses.

Screen - Add single Clientless user

Screen Elements Description


Username Specify a unique name used for logging
IP Address Specify IP address. Cyberoam will suggest IP address in the drop down the
moment you type the initial digits of IP address. For example, when you type
192.168, Cyberoam will display list of IP addresses starting with 192.168 that
can be allowed to the user for logging.
Group Specify Group in which user is to be added. User will inherit all the group
policies.


Click Group list to select


Name Specify actual name of the user
Email Specify Email Id of User
Spam Digest (Only if Gateway Anti-spam module is subscribed)
Spam digest is an email that contains a list of quarantined spam messages
filtered by Cyberoam and held in the user quarantine area.

Spam digest will be mailed as per the configured frequency to the user.
Configure digest email frequency from the general Anti spam configuration.

Digest provides a link to User My Account from where user can access his
quarantined messages and take the required action.

Actions
Enable - User will receive the spam digest daily and overrides Group setting

Disable - User will not receive spam digest and overrides Group setting

Apply Group setting - Inherit Group Spam Digest setting


Add User button Click to add more than one user. Use to remove user details from the list.
Create User(s) button Click to register user
Table - Create single Clientless user screen elements

NOTE
Duplicate Usernames cannot be created
Only bandwidth and Internet access policy can be applied to clientless users
Unlimited surfing quota and access time policy are applied automatically
Data transfer policy is not applicable


Setting up Groups
Group
Group is a collection of users having common policies and a mechanism of assigning access of
resources to a number of users in one operation/step.

Instead of attaching individual policies to each user, create a group of policies and simply assign the
appropriate Group to the user; the user will automatically inherit all the policies added to the group. This
simplifies user configuration.

A group can contain default as well as custom policies.

Various policies that can be grouped are:

1. Surfing Quota policy which specifies the duration of surfing time and the period of subscription
2. Access Time policy which specifies the time period during which the user will be allowed access
3. Internet Access policy which specifies the access strategy for the user and sites
4. Bandwidth policy which specifies the bandwidth usage limit of the user
5. Data Transfer policy which specifies the data transfer quota of the user
Refer to Policy Management for more details on various policies.

Group types
Two types of groups:
1. Normal
2. Clientless

Normal - A user of this group needs to log on to Cyberoam using the Cyberoam Client to access the
Internet

Clientless - A user of this group need not log on to Cyberoam using the Cyberoam Client to access the
Internet. Access control is placed on the IP address. Symbolically represented as Group name (C)

Use the decision matrix given below to decide which type of group is best suited to your network
configuration.

Decision matrix for creation of Group

Feature                        Normal Group   Clientless Group

Logon into Cyberoam required   Yes            No
Type of User
  Normal                       Yes            No
  Clientless                   No             Yes
Apply Login restriction        Yes            No
Apply Surfing Quota policy     Yes            No
Apply Access Time policy       Yes            No
Apply Bandwidth policy         Yes            Yes
Apply Internet Access policy   Yes            Yes
Apply Data transfer policy     Yes            No
Table - Group creation - Decision matrix


Add a New Group

Prerequisite
All the policies that are to be added to the Group are created

Select Group → Add Group to open the add group page

Screen - Create Group

Screen Elements Description


Create Group
Group name Specify Group name. Choose a name that best describes the Group.
Group type Specify type of Group

Click Group type to select

Select Normal if Group members are required to log on using Cyberoam Client

Select Clientless if Group members are not required to log on using Cyberoam Client
Surfing Quota Policy (Only if Group type is Normal)
Specify Surfing Quota Policy for Group

Click Surfing Quota Policy list to select

By default, Unlimited policy is assigned to the Clientless Group type

Refer to Surfing Quota Policy for details


Access Time Policy (Only if Group type is Normal)
Specify Access Time policy for Group

Click Access Time Policy list to select

By default, Unlimited policy is assigned to Clientless Group type

Refer to Access Time Policy for details


Internet Access policy Specify Internet Access policy for Group

Click Internet Access policy list to select

Refer to Internet Access policy for details


Bandwidth Policy Specify Bandwidth Policy for Group

Click Bandwidth Policy list to select

Refer to Bandwidth Policy for details


Data Transfer policy (Only if Group type is Normal)
Specify data transfer policy for Group

Click Data Transfer policy list to select

Refer to Data Transfer Policy for details


MAC Binding Enable MAC binding if required. By binding MAC, all the group users will
be mapped with MAC addresses defined in User configuration and user
will be able to login through pre-specified machines only.
SPAM Digest (Only if Gateway Anti-spam module is subscribed)
Enable Spam digest for all the group members if required.

Spam digest is an email that contains a list of quarantined spam
messages filtered by Cyberoam and held in the user quarantine area.

Spam digest will be mailed as per the configured frequency to the user.
Configure digest email frequency from the general Anti spam
configuration.

Digest provides a link to User My Account from where user can access his
quarantined messages and take the required action.

Actions
Enable - User will receive the spam digest daily and overrides Group
setting

Disable - User will not receive spam digest and overrides Group setting

Apply Group setting - Inherit Group Spam Digest setting


SSL VPN Policy Select SSL VPN policy from the dropdown list. If user is not to be provided
the SSL VPN access then select No Policy Applied
User Authentication Settings
User Authentication Session time out
Authentication Session timeout is the number of minutes that an
authenticated connection can be idle before the user must authenticate
again.

Click to enable session timeout on group basis.

By default, this option is disabled.

The minimum timeout that can be configured is 3 minutes and maximum is
1440 minutes (24 hours)


Keep Alive Request for HTTP Client
Keep-Alive requests are constantly exchanged between server and client
to check the connectivity between them. The more concurrent HTTP
client users there are, the more keep-alive requests are exchanged. Hence, Cyberoam
recommends disabling Keep-alive requests if there is a large number of
concurrent HTTP client users.

By default, this option is enabled.


Login Restriction
Select any one option Apply login restriction if required for the users defined under the Group

Available options
All Nodes - Select if you want to allow Group users to login from all the
nodes

Selected Nodes only - Enter IP address if you want to allow Group users
to login from the specified nodes only

Click to select
Create button Click to create Group
Cancel button Cancels the current operation and returns to the Manage Group page
Table - Create Group screen elements

Note

One can add users to the group even after the creation of group.

Import AD group (only if Active Directory authentication is implemented)


Import Active Directory user groups once AD authentication is implemented and Cyberoam is configured
to communicate with AD. Once you have configured and added AD details, select User →
Authentication Settings and click the Import Group(s) link against the AD server from which you want
to import AD groups.


Screen - Import Group Wizard

Follow the on-screen steps:


Step 1. Specify Base DN. Cyberoam will fetch AD groups from the specified Base DN.

To import users from default AD Container:


To import users from custom AD Container:

If multiple custom containers are created, repeat the entire process for each container.

Step 2. Select the Groups that are to be imported into Cyberoam. Use <Ctrl> + Click to select multiple groups.
All the groups created in AD (both imported and not imported) are displayed. A * beside the group
name indicates that the group is already imported to Cyberoam.

Use arrows to move groups across the group lists.


Step 3. Select various policies (Surfing Quota, Access time, Bandwidth, Internet Access and Data
transfer) and user authentication time out to be applied on the group members.

By default, Attach to all the Groups is enabled, hence Cyberoam will attach same policies to all the
imported Groups i.e. common policies across the imported groups.

Do not enable Attach to all the Groups for the policy if you want to specify:
different policy for all the groups
specific policy to all the groups
specific policy to a specific group

For example, if you want to specify a different Internet Access policy for different groups, do not enable
Attach to all the Groups.

Screen - Define same policy to all the imported Groups

Screen - Define different policies to different Groups

Step 4. If you have disabled Attach to all the Groups, specify policies to be applied to each group

Screen - Define specific policy for a Group

Step 5. The View Results page displays a success message if the groups are imported and the policies are
successfully attached; otherwise an appropriate error message is displayed. Once you close the Wizard,
the Manage Groups page opens. All the imported groups are appended at the end of the list.

Screen - Groups imported and common policies attached successfully

Screen - Groups imported and specific policies attached to specific Group

All the imported groups are appended at the end of the list on the Manage Group page.


If a user is a member of multiple AD groups, Cyberoam decides the user's group based on the order of
the groups defined in Cyberoam. Cyberoam searches the ordered Group list from top to bottom to determine
the user's group membership. The first group that matches is taken as the user's group, and that
group's policies are applied to the user.

Re-ordering of groups to change the membership preference is possible using Wizard.
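
The top-to-bottom group match described above can be checked before re-ordering groups. The following is an added example, not part of the Cyberoam guide or product; the group names, user names and function names are hypothetical, and the directory data is constructed.

```python
# Added illustration: which imported group wins for a user who belongs to
# several AD groups, and which users are affected by a re-order.
# All names and data below are constructed for the example.

def effective_group(ordered_groups, memberships):
    """Return the first group in the ordered list that the user belongs to."""
    member_of = set(memberships)
    for group in ordered_groups:          # searched top to bottom
        if group in member_of:
            return group                  # first match decides the policies
    return None                           # user is in no imported group


def order_sensitive_users(ordered_groups, directory):
    """Users in more than one imported group: the applied group and the ignored ones."""
    report = {}
    for user, memberships in directory.items():
        member_of = set(memberships)
        hits = [g for g in ordered_groups if g in member_of]
        if len(hits) > 1:
            report[user] = {"applied": hits[0], "ignored": hits[1:]}
    return report


def impact_of_reorder(old_order, new_order, directory):
    """Users whose effective group (and so whose policies) change after a re-order."""
    changed = {}
    for user, memberships in directory.items():
        before = effective_group(old_order, memberships)
        after = effective_group(new_order, memberships)
        if before != after:
            changed[user] = (before, after)
    return changed


# Constructed sample data: AD memberships per user and two candidate orders.
DIRECTORY = {
    "alice": ["Staff", "Contractors"],
    "bob": ["Staff"],
    "carol": ["Contractors", "Admins"],
    "dave": ["Guests"],                   # group not imported into the appliance
}
CURRENT_ORDER = ["Admins", "Staff", "Contractors"]
PROPOSED_ORDER = ["Contractors", "Admins", "Staff"]

if __name__ == "__main__":
    for user, groups in DIRECTORY.items():
        print(user, "->", effective_group(CURRENT_ORDER, groups))
    print(order_sensitive_users(CURRENT_ORDER, DIRECTORY))
    print(impact_of_reorder(CURRENT_ORDER, PROPOSED_ORDER, DIRECTORY))
```

Users listed by `order_sensitive_users` are the ones to review, since the policies of their ignored groups are never applied.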


Firewall
A firewall protects the network from unauthorized access and typically guards the LAN and DMZ
networks against malicious access; however, firewalls may also be configured to limit the access to
harmful sites for LAN users.

The responsibility of firewall is to grant access from Internet to DMZ or Service Network according to the
Rules and Policies configured. It also keeps watch on state of connection and denies any traffic that is
out of connection state.

Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule,
Cyberoam decides how to process the access request. When Cyberoam receives a request, it
checks the source address, destination address and services and tries to match them against the firewall
rules. If an Identity match is also specified, the firewall searches the Live Users Connections for the
Identity. If the Identity (User) is found in the Live User Connections and all other matching criteria are
fulfilled, the action specified in the rule is applied. The action can be allow or deny.

You can also apply different protection settings to the traffic controlled by firewall:
Enable load balancing between multiple links
Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP traffic. To apply
antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway
Anti Spam modules individually. Refer to Licensing section for details.
Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for Intrusion
Prevention System module. Refer to Licensing section for details.
Enable VPN traffic scanning
Configure content filtering policies. To apply content filtering you need to subscribe for Web and
Application Filter module. Refer to Licensing section for details.
Apply bandwidth policy restriction

By default, Cyberoam blocks any traffic to LAN.

Default Firewall rules


At the time of deployment, Cyberoam lets you define one of the following Internet Access policies (IAP) using
the Network Configuration Wizard:
Monitor only
General Internet policy
Strict Internet policy

Depending on the IAP, Cyberoam creates two default firewall rules.

Default firewall rules for Monitor only IAP


1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying
following policies:
Internet Access policy - User specific
Bandwidth policy - User specific
Anti Virus & Anti Spam policy - Allows SMTP, POP3, IMAP and HTTP traffic without scanning

2. Masquerade and allow entire LAN to WAN traffic for all the users without scanning SMTP, POP3,
IMAP and HTTP traffic


Default firewall rules for General Internet policy IAP

1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying
following policies:
Internet Access policy - User specific
Bandwidth policy - User specific
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

2. Masquerade and allow entire LAN to WAN traffic for all the users after applying following policies:
Internet Access policy - Applies General Corporate Policy to block Porn, Nudity, AdultContent,
URL TranslationSites, Drugs, CrimeandSuicide, Gambling, MilitancyandExtremist,
PhishingandFraud, Violence, Weapons categories
IPS - General policy
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

Default firewall rules for Strict Internet policy IAP

1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying
following policies:
Internet Access policy - User specific
Bandwidth policy - User specific
IPS policy - General policy
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic

2. Drop entire LAN to WAN traffic for all the users

Note
Default Firewall rules can be modified as per the requirement but cannot be deleted

IPS policy will not be effective until the Intrusion Prevention System (IPS) module is subscribed.

Virus and Spam policy will not be effective until the Gateway Anti Virus and Gateway Anti-spam modules are
subscribed respectively.

If Internet Access Policy is not set through Network Configuration Wizard at the time of deployment, the entire
traffic is dropped.

Default VPN firewall rules

On upgrading to V 9.5.8 build 03, Cyberoam also automatically creates following default rules for VPN
zone to allow VPN traffic as:
VPN to LAN and LAN to VPN
VPN to DMZ and DMZ to VPN
VPN to WAN and WAN to VPN
VPN to Custom zone and Custom zone to VPN

You can update the default VPN policies to enable virus scanning and apply IPS to the VPN traffic.


Additional firewall rules can be defined to extend or override the default rules. For example, rules can be
created that block certain types of traffic such as FTP from the LAN to the WAN, or allow certain types of
traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols such as Telnet to
authorized users on the LAN.

Custom rules evaluate network traffic's source IP addresses, destination IP addresses, User and IP protocol
types, and compare the information to the access rules created on the Cyberoam appliance. Custom rules
take precedence over, and override, the default Cyberoam firewall rules.

Create Firewall rule


Previous versions allowed creating firewall rules based on source and destination IP addresses and
services, but now Cyberoam's Identity based firewall allows you to create firewall rules that embed user
identity into the firewall rule matching criteria.

Firewall rule matching criteria now includes:


Source and Destination Zone and Host
User
Service

Prior to this version, all the Unified Threat Control policies were to be enabled individually from their
respective pages. Now one can attach the following policies to the firewall rule as per the defined
matching criteria:
Intrusion Prevention
Anti Virus
Anti Spam
Internet Access
Bandwidth Management
Routing policy i.e. define user and application based routing

To create a firewall rule, you should:


Define matching criteria
Associate action to the matching criteria
Attach the threat management policies

For example, now you can:


Restrict the bandwidth usage to 256kb for the user John every time he logs on from the IP
192.168.2.22
Restrict the bandwidth usage to 1024kb for the user Mac if he logs on in working hours from the IP
192.168.2.22

Processing of firewall rules is top downwards and the first suitable rule found is applied.

Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that you specifically have a rule written to deny later in the list. When a
packet matches the rule, the packet is immediately dropped or forwarded without being tested by the rest
of the rules in the list.
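
The ordering problem described above can be shown with a small first-match evaluator and a check for rules that can never fire. This is an added example, not Cyberoam code or configuration syntax; the rule fields, rule names, the "*" wildcard and the default-deny fallback are assumptions of the sketch, and the rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"  # wildcard used by this sketch, not a Cyberoam keyword


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str   # host or CIDR, or ANY
    user: str      # user name, or ANY when identity is not checked
    service: str   # service name, or ANY
    action: str    # "allow" or "deny"


def _net(value):
    return ipaddress.ip_network("0.0.0.0/0" if value == ANY else value)


def matches(rule, pkt):
    """True if the packet satisfies every matching criterion of the rule."""
    return (rule.src_zone == pkt["src_zone"]
            and rule.dst_zone == pkt["dst_zone"]
            and ipaddress.ip_address(pkt["src_ip"]) in _net(rule.src_net)
            and rule.user in (ANY, pkt.get("user"))
            and rule.service in (ANY, pkt["service"]))


def evaluate(rules, pkt, default="deny"):
    """Top-down processing: the first matching rule decides, the rest are skipped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None   # assumed fallback when no rule matches


def covers(general, specific):
    """True if every packet that matches `specific` also matches `general`."""
    return (general.src_zone == specific.src_zone
            and general.dst_zone == specific.dst_zone
            and _net(specific.src_net).subnet_of(_net(general.src_net))
            and general.user in (ANY, specific.user)
            and general.service in (ANY, specific.service))


def shadowed(rules):
    """List (rule, earlier rule, conflicting action?) for rules that never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


# Constructed rules modelled on the guide's examples (FTP block, Telnet per user).
ALLOW_ALL = Rule("allow-lan-wan", "LAN", "WAN", ANY, ANY, ANY, "allow")
DENY_FTP = Rule("deny-ftp", "LAN", "WAN", ANY, ANY, "FTP", "deny")
ALLOW_TELNET_JOHN = Rule("allow-telnet-john", "LAN", "WAN",
                         "192.168.2.22", "john", "Telnet", "allow")
DENY_TELNET = Rule("deny-telnet", "LAN", "WAN", ANY, ANY, "Telnet", "deny")

MISORDERED = [ALLOW_ALL, DENY_FTP, ALLOW_TELNET_JOHN]                # general rule first
CORRECTED = [DENY_FTP, ALLOW_TELNET_JOHN, DENY_TELNET, ALLOW_ALL]    # specific first

FTP_PKT = {"src_zone": "LAN", "dst_zone": "WAN", "src_ip": "192.168.2.40",
           "user": "mac", "service": "FTP"}

if __name__ == "__main__":
    print(evaluate(MISORDERED, FTP_PKT))   # FTP slips through the general rule
    print(shadowed(MISORDERED))
    print(evaluate(CORRECTED, FTP_PKT))
    print(shadowed(CORRECTED))
```

A finding whose third field is True is the dangerous case: a deny (or allow) rule that an earlier, more general rule with the opposite action makes unreachable.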

Select Firewall → Create Rule


Screen - Create Firewall rule

Screen Elements Description


Matching Criteria
Source Specify source zone and host IP address/network address to which the rule
applies.

Host dropdown list also displays MAC based hosts, and the dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and SSL). It will also display
the default hosts created for road warrior connection - ##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW

To configure host group based firewall rule you need to define host group. Under Select Address
dropbox, click Create Host Group to define host group from the firewall rule itself, or you can also
define it from Firewall → Host Group → Create

Under Select Address dropbox, click Add Host to define host group from the firewall rule itself, or you
can also define it from Firewall → Host → Add Host

Check Identity (Only if source zone is LAN/DMZ/VPN) Check identity allows you to check whether the
specified user/user group from the selected zone is allowed the access of the selected service or not.

Click to check the user identity.

Enable check identity to apply following policies per user:

Internet Access policy for Content Filtering (User's Internet access policy will be applied
automatically but will not be effective till the Web and Application Filtering module is subscribed)
Schedule Access
IPS (User's IPS policy will be applied automatically but will not be effective till the IPS module is
subscribed)
Anti Virus scanning (User's anti virus scanning policy will be applied automatically but it will not be
effective till the Gateway Anti Virus module is subscribed)
Anti Spam scanning (User's anti spam scanning policy will be applied automatically but it will not be
effective till the Gateway Anti Spam module is subscribed)
Bandwidth policy - User's bandwidth policy will be applied automatically
policy selected in the Route through Gateway field is the static routing
policy that is applicable only if more than one gateway is defined and used
for load balancing.
limit access to available services.
Destination Specify destination zone and host IP address /network address to which the rule
applies.

Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW

Under Select Address dropbox, click Create Host Group to define host group from the firewall rule
itself, or you can also define it from Firewall → Host Group → Create

Under Select Address dropbox, click Add Host to define host group from the firewall rule itself, or you
can also define it from Firewall → Host → Add Host
Service/Service group Services represent types of Internet data transmitted via particular protocols or
applications.

Select service/service group to which the rule applies.

If Virtual host is selected as Destination host, you will be able to configure services only if the
selected virtual host is not port forwarded.

Under Select Here, click Create Service Group to define service group from the firewall rule itself, or
you can also define it from Firewall → Service → Create Service Group

Cyberoam provides several standard services and allows creating the custom services also. Under Select
Here, click Create Service to define service from the firewall rule itself, or you can also define it
from Firewall → Service → Create Service

Protect by configuring rules to


block services at specific zone
limit some or all users from accessing certain services
allow only specific user to communicate using specific service
Apply Schedule Select Schedule for the rule
Firewall Action When Criteria Match
Action Select rule action

Accept Allow access

Drop Silently discards

Reject Denies access and ICMP port unreachable message will be sent to the
source

When sending a response, the response may be sent using a different interface than the one on which the
request was received. This may happen depending on the Routing configuration done on Cyberoam.

For example,
If the request is received on the LAN port using a spoofed IP address (public IP
address or the IP address not in the LAN zone network) and specific route is not
defined, Cyberoam will send a response to these hosts using default route.
Hence, response will be sent through the WAN port.
Apply NAT (Only if Action is ACCEPT) Select the NAT policy to be applied

It allows access but after changing source IP address i.e. source IP address is substituted by the IP
address specified in the NAT policy.

You can create NAT policy from firewall rule itself or from Firewall → NAT Policy → Create

This option is not available if Cyberoam is deployed as Bridge


Advanced Settings
Click to apply different protection settings to the traffic controlled by firewall. You can:
Enable load balancing and failover when multiple links are configured. Applicable only if
Destination Zone is WAN

Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies. To
apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and
Gateway Anti Spam modules individually. Refer to Licensing section for details.
Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for Intrusion
Prevention System module. Refer to Licensing section for details.
Configure content filtering policies. To apply content filtering you need to subscribe for Web and
Application Filter module. Refer to Licensing section for details.
Apply bandwidth policy
Policy Settings
IPS Policy Select IPS policy for the rule.

To use IPS, you have to subscribe for the module. Refer to Licensing for more
details.

Refer to IPS, Policy for details on creating IPS policy


Internet Access Policy Select Internet access policy for the rule. One can apply IAP on LAN to WAN rule
only.

Internet Access policy controls web access.

Refer to Policies, Internet Access Policy for details on creating Internet Access
policy.
Bandwidth Policy Select Bandwidth policy for the rule. Only the Firewall Rule based Bandwidth
policy can be applied.

Bandwidth policy allocates & limits the maximum bandwidth usage of the user.

Refer to Policies, Bandwidth Policy for details on creating Bandwidth policy.


Apply Web Category Based Bandwidth Policy Click to restrict bandwidth for the URLs categorized under
the Web category.

A three step configuration is required as follows:
1. Create Bandwidth policy from menu item Policies → Bandwidth Policy → Create Policy
2. Assign above created bandwidth policy to the Web category from menu item Categories → Web Category →
Manage Default. Policy can be assigned to the default as well as custom web categories.
3. Enable Web Category based Bandwidth Policy from Firewall rule

Above configured bandwidth policy will be applicable, whenever the URL falling under the Web category
is accessed
Route Through Gateway (only if more than one gateway is configured) Select routing policy

This option is not available if Cyberoam is deployed as Bridge

Refer to Multiple Gateway Implementation Guide for more details.
Backup Gateway (Only if Load Balance is not selected for Route Through Gateway) Specify the backup
gateway.

The traffic will be routed through the configured gateway in case the gateway configured in Route
Through Gateway goes down.
Virus & Spam Settings
Scan Protocol(s) Click the protocol for which the virus and spam scanning is to be enabled

By default, HTTP scanning is enabled.

To implement Anti Virus and Anti Spam scanning, you have to subscribe for the
Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for
more details.

Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide
for details.
Log Traffic
Log Traffic Click to enable traffic logging for the rule i.e. traffic permitted and denied by the
firewall rule.
Description
Description Specify full description of the rule
Save button Click to create and save the rule
Table - Create Firewall rule screen elements

Manage Firewall
Use to:
Enable/disable SMTP, POP3, IMAP, FTP and HTTP scanning
Deactivate rule
Delete rule
Change rule order
Append rule (zone to zone)
Insert rule
View selected firewall rules by zones
Select display columns

Note
From version 9.5.3.07, Cyberoam does not support DNAT policy. On upgrading to this version, Cyberoam
will preserve all the DNAT policies but will not allow you to modify them. This will not affect
functioning of Cyberoam.

To stop the usage of DNAT policy:


1. Create Virtual host to forward the request i.e. for the same service/server for which DNAT policy is created
2. Create firewall rule for Virtual host
3. Delete firewall rule for DNAT policy

Firewall rule for Virtual host will take precedence if firewall rule for DNAT policy is not deleted.

Select Firewall → Manage Firewall to display the list of rules

Page displays total number of configured firewall rules and number of configured firewall rules in the
selected zone if you have selected any zone using Select Zones button

Screen components

Append Rule button - Click to add zone to zone rule


Select Column button - Click to customize the number of columns to be displayed on the page

Select Zones - Click and select zones to view firewall rules of the selected zones only

Subscription icon - Indicates subscription module. To implement the functionality of the subscription
module you need to subscribe the respective module. Click to open the licensing page.
Toggle Drill Down icon - Click to view the list of rules defined for the said source and destination zone
Enable/Disable rule icon - Click to activate/deactivate the rule. If you do not want to apply the firewall
rule temporarily, disable rule instead of deleting.
Green - Active Rule
Red - De-active Rule
Edit icon - Click to edit the rule. Refer to Edit Firewall rule for more details.
Insert icon - Click to insert a new rule before the existing rule. Refer to Define Firewall Rule for more
details.
Move icon - Click to change the order of the selected rule. Refer to Change the firewall rule order for
details.
Delete icon - Click to delete the rule. Refer to Delete Firewall Rule for more details.

Update Rule

Select Firewall → Manage Firewall to view the list of rules. Click the rule to be modified.

Screen- Edit Firewall Rule

Screen Elements Description


Matching Criteria
Source Displays source zone and host IP address /network address to which the rule
applies.

Zone Type cannot be modified


Modify host/network address if required

Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW

To configure host group based firewall rule you need to define host group. Under Select Address
dropbox, click Create Host Group to define host group from the firewall rule itself, or you can also
define it from Firewall → Host Group → Create

Under Select Address dropbox, click Add Host to define host group from the firewall rule itself, or you
can also define it from Firewall → Host → Add Host

Check Identity (Only if source zone is LAN or DMZ or VPN) Check identity allows you to check whether
the specified user/user group from the selected zone is allowed the access of the selected service or
not.

Click Enable to check the user identity
Destination Displays destination zone and host IP address /network address to which the rule
applies.

Zone Type cannot be modified


Modify host/network address if required.

Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW

To define host group based firewall rule you need to define host group. Under Select Address dropbox,
click Create Host Group to define host group from the firewall rule itself, or you can also define it
from Firewall → Host Group → Create

Under Select Address dropbox, click Add Host to define host group from the firewall rule itself, or you
can also define it from Firewall → Host → Add Host
Service/Service group Services represent types of Internet data transmitted via particular protocols or
applications.

Displays service/service group to which the rule applies, modify if required

If Virtual host is selected as Destination host, you will be able to configure services
only if the selected virtual host is not port forwarded.

Under Select Here dropbox, click Create Service Group to define service group from the firewall rule
itself, or you can also define it from Firewall → Service → Create Service

Cyberoam provides several standard services and allows creating the custom services also. Under Select
Here dropbox, click Create Service to define service from the firewall rule itself, or you can also
define it from Firewall → Service → Create Service

Protect by configuring rules to


block services at specific zone
limit some or all users from accessing certain services
allow only specific user to communicate using specific service
Apply Schedule Displays the rule's schedule, modify if required
Firewall Action When Criteria Match
Action Displays rule action, modify if required

Accept Allow access


Drop Silently discards i.e. without sending ICMP port unreachable message to
the source
Reject Denies access and sends ICMP port unreachable message to the source
Apply NAT (Only if Action is ACCEPT) Displays the NAT policy applied to the rule, modify if required

It allows access but after changing source IP address i.e. source IP address is substituted by the
specified IP address in the NAT policy.

You can create NAT policy from firewall rule itself or you can also define from Firewall → NAT Policy →
Create

This option is not available if Cyberoam is deployed as Bridge


Advanced Settings
Click to apply different protection settings to the traffic controlled by firewall. You can:
Enable load balancing between multiple links
Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies
Apply bandwidth policy
Configure content filtering policies
Policy Settings
IPS Policy Displays IPS policy for the rule, modify if required

To use IPS, you have to subscribe for the module. Refer to Licensing for more
details.

Refer to IPS, Policy for details on creating IPS policy


Internet Access Policy (Only if source zone is LAN) Displays Internet access policy for the rule,
modify if required

Internet Access policy controls web access.

Refer to Policies, Internet Access Policy for details on creating Internet Access policy.
Bandwidth Policy Displays Bandwidth policy for the rule, modify if required. Only the Firewall Rule
based Bandwidth policy can be applied.

Bandwidth policy allocates & limits the maximum bandwidth usage of the user.

Refer to Policies, Bandwidth Policy for details on creating Bandwidth policy.


Apply Web Category Based Bandwidth Policy Click to restrict bandwidth for the URLs categorized under
the Web category.

A three step configuration is required as follows:
1. Create Bandwidth policy from menu item Policies → Bandwidth Policy → Create Policy
2. Assign above created bandwidth policy to the Web category from menu item Categories → Web Category →
Manage Default. Policy can be assigned to the default as well as custom web categories.
3. Enable Web Category based Bandwidth Policy from Firewall rule

Above configured bandwidth policy will be applicable, whenever the URL falling under the Web category
is accessed
Route Through Gateway (only if more than one gateway is configured) Select routing policy

This option is not available if Cyberoam is deployed as Bridge

Refer to Multiple Gateway Implementation Guide for more details.
Backup Gateway (Only if Load Balance is not selected for Route Through Gateway) Specify the backup
gateway.

The traffic will be routed through the configured gateway in case the gateway configured in Route
Through Gateway goes down.
Virus & Spam Settings
Scan Protocol(s) Displays protocols for which the virus and spam scanning is to be enabled, modify
if required

By default, HTTP scanning is enabled.

To implement Anti Virus and Anti Spam scanning, you have to subscribe for the
Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for
more details.

Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide for
details.
Log Traffic Click to enable traffic logging for the rule
Description Displays full description of the rule, modify if required
Save button Click to save the rule
Table Edit Firewall Rule

Change Firewall Rule order


Rule order defines the rule processing priority. When the rules are applied, they are processed from the
top down and the first suitable rule found is applied.

Hence, while adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that a more specific rule later in the list was written to deny. When a
packet matches a rule, the packet is immediately dropped or forwarded without being tested against the
rest of the rules in the list.
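
The ordering rule above (also stated in the firewall rule creation section), as an added example that is
not part of the original guide and is not Cyberoam code: a first-match evaluator plus a check that lists
rules hidden behind an earlier, more general rule. The Rule and Packet fields, the "*" wildcard, the FTP
service and the drop default for unmatched packets are assumptions of the example.

```python
"""Top-down, first-match rule evaluation plus a check for shadowed rules.

Added illustration only: the Rule fields mirror the matching criteria named in
this guide (zone, host, user, service); nothing here is Cyberoam code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"  # wildcard used by this example for "Any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zone: str
    src_net: str   # CIDR string or ANY
    dst_zone: str
    user: str      # user name or ANY
    service: str   # service name or ANY
    action: str    # "accept", "drop" or "reject"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    user: str
    service: str


def matches(rule, pkt):
    """True when every criterion of the rule matches the packet."""
    net_ok = rule.src_net == ANY or ip_address(pkt.src_ip) in ip_network(rule.src_net)
    return (net_ok
            and rule.src_zone in (ANY, pkt.src_zone)
            and rule.dst_zone in (ANY, pkt.dst_zone)
            and rule.user in (ANY, pkt.user)
            and rule.service in (ANY, pkt.service))


def evaluate(rules, pkt, default="drop"):
    """Walk the list top down and stop at the first match.

    The "drop" default for unmatched packets is an assumption of this example.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.rule_id, rule.action
    return None, default


def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`."""
    if earlier.src_net == ANY:
        net_ok = True
    elif later.src_net == ANY:
        net_ok = False
    else:
        net_ok = ip_network(later.src_net).subnet_of(ip_network(earlier.src_net))
    return net_ok and all(
        getattr(earlier, name) in (ANY, getattr(later, name))
        for name in ("src_zone", "dst_zone", "user", "service"))


def shadowed_rules(rules):
    """List (shadowed_id, shadowing_id, actions_conflict) for rules that can never fire."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                findings.append((later.rule_id, earlier.rule_id,
                                 earlier.action != later.action))
                break
    return findings


# Constructed rule set: one general LAN-to-WAN allow, one specific deny for user John.
GENERAL = Rule(1, "LAN", ANY, "WAN", ANY, ANY, "accept")
SPECIFIC = Rule(2, "LAN", "192.168.2.22/32", "WAN", "John", "FTP", "drop")
JOHN_FTP = Packet("LAN", "192.168.2.22", "WAN", "John", "FTP")

if __name__ == "__main__":
    for label, order in (("general first", [GENERAL, SPECIFIC]),
                         ("specific first", [SPECIFIC, GENERAL])):
        print(label, evaluate(order, JOHN_FTP), shadowed_rules(order))
```

A finding whose last element is True marks a rule whose action is overridden by the earlier rule, which is
the case the paragraph above warns about.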

Select Firewall → Manage Firewall


Click the Move button against the rule whose order is to be changed

Select Before or After as per the need


Click the rule to be moved and then click where it is to be moved.
Click Done button to save the order

Append rule
Append Rule adds the new rule above the default rules if the zone-to-zone rule set exists; otherwise it
appends the new rule as a new zone-to-zone rule set at the end.

For example, consider the screen given below. If the new rule is for DMZ to LAN then a new rule set
DMZ LAN is created at the end and rule is added to it. If the new rule is for LAN to WAN then rule will
be added above Rule ID 4, as Rule ID 3 and ID 4 are default rules.

Select Firewall → Manage Firewall Rules and click Append Rule

Customize Display Columns


By default, Manage Firewall Rules page displays details of the rule in the following eight columns: ID,
Enable, Source, Identity, Destination, Service, Action and Manage. You can customize the number of
columns to be displayed as per your requirement.

Select Firewall → Manage Firewall to open the manage page.


Click Select Columns. It opens a new window. The Available Columns list displays the columns that can be
displayed on the page. Click the required column and use the Right arrow button to move the selected
column to the Selected Columns list, then click the Done button.

Screen Customized Screen Display of Manage Firewall Rules page

Delete Firewall Rule

Select Firewall → Manage Firewall Rules and click the delete icon against the rule to be deleted

Screen - Delete Firewall rule

Note

Default rules cannot be deleted or deactivated.

Host Management
Firewall rules can be created for individual hosts or host groups. By default, hosts equal in number to
the ports in the appliance are already created.

Create Host Group


Host group is the grouping of hosts.
Select Firewall → Host Group → Create to open the create page

Screen Create Host Group

Screen Elements Description


Create Host Group
Host Group Name Specify host group name
Description Specify full description
Create button Add a new host.
If host group is created successfully, click Add button to add
hosts to the host group. Host list is displayed for selection.

Refer to Manage Host Groups for details.


Table Create Host Group screen elements

Manage Host Group


Use to:
Add host to Group
Remove host from the Group
Delete Host Group

Add Host to Host Group

Select Firewall → Host Group → Manage to view the list of groups created.
Click host group to which host is to be added. Host Group details are displayed.

Click Add button. Host list is displayed.


Click Sel checkbox against the host to be added. Host can be member of multiple host groups.
Click Add button

Remove Host from Host Group

Select Firewall → Host Group → Manage and click host group from which the host is to be
removed

Screen Remove Host from Host Group

Screen Elements Description


Del checkbox Click against the host(s) to be removed from the
host group
Select All checkbox Click to select all the hosts
Delete button Click to remove all the selected host(s) from the
host group
Table Remove Host from Host Group screen elements

Delete Host Group

Select Firewall → Host Group → Manage

Screen Delete Host Group

Screen Elements Description


Del checkbox Click against the host group(s) to be deleted
Select All checkbox Click to select all the host groups for deletion
Delete button Deletes all the selected host group(s)
Table Delete host Group screen elements

Add Host

Select Firewall → Host → Add to open the add page

Screen Add Host

Screen Elements Description


Add Host
Host Name Specify host name
Host Type Select host type
Available options

IP/Subnet - Single IP with subnet

Range - Continuous range of IP addresses

IP List - Assorted IP addresses. Use comma or Enter key to specify assorted multiple IP addresses.
Create IP list when you want to create single firewall rule for multiple IP address that are not in a
range. Please note only Class B IP addresses can be added in IP list.

MAC Address - Single MAC address in the form of 00:16:76:49:33:CE,00:16:74:46:34:CE or
00-16-76-49-33-CE,00-16-74-46-34-CE

MAC List - List of MAC addresses 00:16:76:49:33:CE, 00:16:74:46:34:CE or
00-16-76-49-33-CE,00-16-74-46-34-CE. Use comma to configure multiple addresses.
Network Specify network address or range of IP address
Select Host Group dropdown list Select host group from the list
Create button Adds a new host
Table Add Host screen elements

Manage Host

Select Firewall → Host → Manage to view the list of hosts

Screen Delete Host

Screen Elements Description


Del checkbox Click against the host(s) to be deleted
Select All checkbox Select all the hosts for deletion
Delete button Deletes all the selected hosts

Checkboxes against the system hosts are greyed out as they cannot be deleted.
Table Delete Host screen elements

Spoofing prevention
You can configure MAC and/or IP address pair entry in IP-MAC trusted list to improve the security of your
network. Using MAC address filtering makes it more difficult for a hacker to guess and use a random
MAC address or spoof a MAC address to gain access to your network as the traffic does not even reach
your firewall.

Similarly, it is also possible to filter packets based on IP-MAC pair. This blocks hosts that try to
violate a trusted IP-MAC pair. To make the restriction more granular, one can enable restriction on the
zones.

Create trusted IP-MAC list


You can enable MAC address and/or IP address pair filtering to improve security. By enabling filtering,
you define the devices that can access your network. It is also possible to import the trusted list
through a CSV (Comma Separated Value) file. When a user attempts to access the network, Cyberoam checks
the MAC address and/or IP address against the list. The user gets access to the network only if the MAC
address and/or IP address is on the trusted list; otherwise the request is rejected.

Select Firewall → Spoof Prevention → Add Trusted MAC to open the add page

Screen Create Trusted MAC/IP list

Screen Elements Description


Trusted MAC
MAC Address Specify MAC address of the device whose access is to be provided
IP Association Specify IP address if you want to implement MAC/IP pair filtering

Available options:

None - No IP address is bound to the MAC address.

Static - Configure IP address to be bound to the MAC address.

Packets will be rejected if either MAC or IP address does not match.

DHCP - MAC will be bound to the IP address leased by the Cyberoam DHCP server as and when the IP is
leased. Entry will be updated automatically when the leased IP address is updated.
IP address (Only if IP Association is Static) Specify IP address.

Use comma as a separator to configure multiple IP address.
Add button Adds entry to a trusted list
Table Create Trusted MAC/IP list screen elements

Manage Trusted IP-MAC list

Use to:
Import IP-MAC list
Remove entry from the trusted IP-MAC list

Import MAC List


Cyberoam provides a facility to import MAC definition from an external file (CSV format file).

Instead of creating list of MAC address again in Cyberoam, if you already have MAC details in a CSV file
then you can upload CSV file.

CSV file should be in the following format:


1. Header (first) row should contain field names. Format of header row:
Compulsory first field: MAC Address, IP Association
Optional fields in any order: IP address
2. IP Association values: Static, DHCP, None.
For Static - IP address is to be provided, use comma to provide list of IP addresses
For DHCP/None - IP address is not required, will be ignored if specified
3. Subsequent rows should contain values corresponding to the each field in header row
4. Number of fields in each row should be same as in the header row
5. Error will be displayed if data is not provided for any field specified in the header
6. Blank rows will be ignored
7. Invalid entry will be discarded
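
The CSV format rules above, as an added pre-upload check that is not part of the original guide or of
Cyberoam's importer. The function names, the case-insensitive header match, the fixed order of the two
compulsory fields and the quoting of a multi-address IP field are assumptions; rule 5 is applied to the
compulsory fields only.

```python
"""Pre-upload check of a trusted-MAC CSV against the format rules listed above.

Added illustration, not Cyberoam's importer. Assumptions: header names are
compared case-insensitively, the two compulsory fields come first in the order
shown, and a list of several IP addresses sits in one quoted CSV field.
"""
import csv
import io
import re
from ipaddress import ip_address

# Six hex octets with one consistent separator, ':' or '-', as in the guide.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
ASSOCIATIONS = {"static", "dhcp", "none"}


def check_row(record):
    """Return (entry, None) for a valid row or (None, reason) for an invalid one."""
    mac = record["mac address"]
    assoc = record["ip association"].lower()
    if not MAC_RE.match(mac):
        return None, "invalid MAC address"
    if assoc not in ASSOCIATIONS:
        return None, "IP Association must be Static, DHCP or None"
    ips = []
    if assoc == "static":
        parts = [p.strip() for p in record.get("ip address", "").split(",") if p.strip()]
        if not parts:
            return None, "Static needs at least one IP address"
        try:
            ips = [str(ip_address(p)) for p in parts]
        except ValueError:
            return None, "invalid IP address"
    # For DHCP and None any supplied IP address is ignored (rule 2).
    return {"mac": mac.upper().replace("-", ":"), "association": assoc, "ips": ips}, None


def parse_trusted_mac_csv(text):
    """Return (entries, rejected); rejected holds (line_number, reason) pairs."""
    reader = csv.reader(io.StringIO(text))
    header, entries, rejected = None, [], []
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # rule 6: blank rows are ignored
        if header is None:
            header = [cell.strip().lower() for cell in row]
            if header[:2] != ["mac address", "ip association"]:
                raise ValueError("header must start with MAC Address, IP Association")
            if set(header[2:]) - {"ip address"}:
                raise ValueError("unknown field in header")
            continue
        if len(row) != len(header):  # rule 4
            rejected.append((reader.line_num, "field count differs from header"))
            continue
        entry, reason = check_row(dict(zip(header, (cell.strip() for cell in row))))
        if entry is None:
            rejected.append((reader.line_num, reason))  # rule 7: discard invalid entry
        else:
            entries.append(entry)
    if header is None:
        raise ValueError("file has no header row")
    return entries, rejected


# Constructed sample file; only the first two MAC addresses appear in the guide.
SAMPLE_CSV = """\
MAC Address,IP Association,IP address
00:16:76:49:33:CE,Static,"192.168.2.22,192.168.2.23"
00-16-74-46-34-CE,DHCP,10.9.9.9

00:16:76:49:33:ZZ,None,
00:16:76:49:33:AA,Static,
00:16:76:49:33:AB,Dynamic,
00:16:76:49:33:AC,None
"""

if __name__ == "__main__":
    good, bad = parse_trusted_mac_csv(SAMPLE_CSV)
    for entry in good:
        print("ok      ", entry)
    for line_no, reason in bad:
        print("rejected", line_no, reason)
```

Running the check before upload shows which rows would be discarded, so a device is not left off the
trusted list unnoticed once MAC filtering is enabled.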

Select Firewall → Spoof Prevention → Manage Trusted MAC to open the page, specify the
entire path of the CSV file or use Browse button to select the file and click Upload File

Screen Import MAC address

Delete entry from Trusted IP-MAC list

Select Firewall → Spoof Prevention → Manage Trusted MAC

Screen Delete MAC address

Screen Elements Description


Delete checkbox Click against the MAC addresses to be deleted

More than one MAC address can also be selected


Select All checkbox Select all the addresses for deletion

Click to select all the addresses


Delete button Deletes all the selected addresses
Table Delete MAC address screen elements

Configure Spoofing Prevention settings


Once the IP-MAC trusted list is defined, the spoofing prevention setting can be configured from
Firewall → Spoof Prevention → Settings

Cyberoam provides three ways to prevent spoofing using trusted IP-MAC list:
MAC filtering - Packets will be dropped if the MAC addresses are not configured in the trusted IP-MAC
list.
IP-MAC filtering - Packets will be dropped if IP and MAC address do not match with any entry in the
trusted IP-MAC list
IP spoof prevention - Packets will be dropped if matching route entry is not available

Screen Configure Spoof Prevention Settings

Screen Elements Description


Spoof Prevention Settings
Enable Spoof Prevention Click the checkbox to enable several spoofing prevention techniques
Enable MAC Filtering Click the checkbox to restrict the access of your network to the external hosts.
As Cyberoam will drop all the requests from the MAC address not configured in the trusted list, please
make sure to include MAC addresses of all your internal devices.

For the granular restriction, enable prevention check for the zones also.

Click the checkbox against the zone(s) on which the prevention is to be enabled.

If enabled, it should be enabled for at least one zone.

By default, it is not enabled for any zone.
Enable IP-MAC Pair Filtering Click the checkbox to restrict the access of your network based on the
MAC/IP pair. Cyberoam will drop the request considering it as a spoofed request if
MAC address differs for the trusted IP address
IP address differs for the trusted MAC address

But, the request will be allowed if IP or MAC address does not exist at all in the list.

Request is dropped if IP-MAC pair does not exist in the trusted list.

For the granular restriction, enable prevention check for the zones also. Click the checkbox for the
zone(s) on which the prevention is to be enabled.

If enabled, it is to be enabled for at least one zone.

By default, it is not enabled for any zone.

Enable Restrict Unknown IP on trusted MAC if you want to drop traffic from any IP address not in the
trusted list for the trusted MAC address.

By default, it is disabled. When disabled, traffic from any IP address not in the trusted list will be
allowed even if it is coming from the trusted MAC address.
Enable IP Spoof Prevention Click the checkbox.

If enabled, Cyberoam will reverse lookup for the route of source network and if not available, packets
will be dropped and logged.

If enabled, it is to be enabled for at least one zone.

By default, it is not enabled for any zone
Save button Click to save the configuration
Table Configure Spoof Prevention Settings screen elements
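
The MAC filtering and IP-MAC pair filtering settings described in the table above, as an added example
that is not part of the original guide and is not Cyberoam's implementation. It follows one reading of the
table (a packet whose MAC and IP are both absent from the list passes pair filtering); the data model,
names and per-zone sets are assumptions, and the route-lookup check is left out.

```python
"""MAC filtering and IP-MAC pair filtering as a packet decision (added example).

One reading of the settings table above, not Cyberoam's implementation.
Assumptions: the trusted list is a dict of MAC -> set of bound IP addresses
(an empty set models IP Association "None"), every check applies only in the
zones it is enabled for, and the IP spoof (route lookup) check is left out.
"""
from dataclasses import dataclass, field


@dataclass
class SpoofSettings:
    mac_filter_zones: set = field(default_factory=set)
    pair_filter_zones: set = field(default_factory=set)
    restrict_unknown_ip: bool = False  # "Restrict Unknown IP on trusted MAC"


def normalize_mac(mac):
    """Accept 00-16-76-49-33-CE or 00:16:76:49:33:ce, return colon form in upper case."""
    return mac.upper().replace("-", ":")


def decide(src_mac, src_ip, zone, trusted, settings):
    """Return ("allow" or "drop", reason) for one packet seen in `zone`."""
    mac = normalize_mac(src_mac)
    mac_is_trusted = mac in trusted
    # MAC addresses the trusted list binds this source IP to (empty if IP unknown).
    owners = {m for m, ips in trusted.items() if src_ip in ips}

    if zone in settings.mac_filter_zones and not mac_is_trusted:
        return "drop", "MAC address not in trusted list"

    if zone in settings.pair_filter_zones:
        if owners and mac not in owners:
            return "drop", "MAC differs for trusted IP"
        # Assumption: a trusted MAC with no bound IP is not restricted here.
        if (settings.restrict_unknown_ip and mac_is_trusted
                and trusted[mac] and not owners):
            return "drop", "unknown IP on trusted MAC"

    return "allow", "no enabled check failed"


# Constructed trusted list; the MAC addresses are the guide's format examples.
TRUSTED = {
    "00:16:76:49:33:CE": {"192.168.2.22"},   # Static association
    "00:16:74:46:34:CE": set(),              # association None
}

if __name__ == "__main__":
    settings = SpoofSettings(mac_filter_zones={"LAN"}, pair_filter_zones={"LAN"})
    samples = [
        ("00:16:76:49:33:CE", "192.168.2.22", "LAN"),  # trusted pair
        ("00-16-74-46-34-CE", "192.168.2.22", "LAN"),  # trusted IP, wrong MAC
        ("00:16:76:49:33:CE", "192.168.2.99", "LAN"),  # trusted MAC, unknown IP
        ("AA:BB:CC:DD:EE:FF", "192.168.2.50", "LAN"),  # unknown MAC
        ("AA:BB:CC:DD:EE:FF", "192.168.2.50", "DMZ"),  # zone without checks
    ]
    for mac, ip, zone in samples:
        print(mac, ip, zone, decide(mac, ip, zone, TRUSTED, settings))
```

The third sample is the case to watch: with Restrict Unknown IP disabled, a trusted MAC can still send
from an address that is not in the list.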

Virtual Host
Virtual Host maps services of a public IP address to services of a host in a private network.

A Virtual host can be a single IP address or an IP address range or Cyberoam interface itself.
Cyberoam will automatically respond to the ARP request received on the WAN zone for the external IP
address of Virtual host. Default LAN to WAN (Any Host to Any Host) firewall rule will allow traffic to flow
between the virtual host and the network.

Create Virtual host


Select Firewall → Virtual Host → Create

Screen Create Virtual host

Screen Elements Description


Create Virtual Host
Virtual Host Name Specify unique name to identify virtual host
Description Specify description
External IP Address Type and Public IP Address External IP address is the IP address through which
Internet users access internal server/host.

Select Address Type and configure IP address. The configured IP address is mapped to the destination
host/network.

Available option:
Interface IP - Select when any of the Cyberoam Port, Alias or Virtual LAN (VLAN) subinterface is
required to be mapped to the destination host or network.

IP - Specified IP address is mapped to a corresponding mapped single or range of IP address. If single
IP address is mapped to a range of IP address, Cyberoam uses round robin algorithm to load balance the
requests.

IP Range - Specified IP address range is mapped to a corresponding range of mapped IP address. The IP
range defines the start and end of an address range. The start of the range must be lower than the end
of the range.

Cyberoam automatically responds to the ARP request received on the WAN zone for the external IP address
only if IP or IP Range option is selected.
Mapped IP Address Type and IP Address Mapped IP address is the IP address of the internal server/host.

Select Address Type and configure IP address. The external IP address is mapped to the specified IP
address. This is the actual private IP address of the host being accessed using the virtual host.

Available option:
IP address - External IP address is mapped to the specified IP address.
IP address range - External IP address range is mapped to the specified IP Address range
Physical Zone Select zone of the mapped IP address. For example, if mapped IP
address represents any internal server then select the zone in which
server resides physically.

Available options: LAN, WAN, DMZ, VPN and custom zone if created

By default, LAN zone is configured but can be changed if required.


Port Forwarding
Port Forward Click Port Forward to enable port forwarding

Following configuration is available only if port forwarding is enabled

Select the protocol TCP or UDP that you want the forwarded packets to use

Click to specify whether port mapping should be single or range of ports.

Specify external port number for which you want to configure port forwarding.

Specify mapped port number on the destination network to which the external port number is mapped.
Create button Creates a virtual host

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for
the zone of the mapped IP address. For example, if virtual host is created for the LAN mapped IP zone
then LAN-to-LAN firewall rule is created for the virtual host. Firewall rule is created for the service
specified in virtual host. If port forwarding is not enabled in virtual host then firewall rule with All
Services is created. Check creation of loopback rule from Firewall → Manage Firewall.

For Cyberoam to reply to the ARP requests received on any other zones than WAN zone for External IP
address, create proxy ARP from Cyberoam Console option of Telnet Console.

Virtual host restrictions:

Virtual host name cannot be same as host or host group name.

External IP address range cannot be mapped with a single Mapped IP address.

The number of IP addresses in External IP address range and Mapped IP address range must be
same.

The number of ports in External ports range and Mapped port range must be same.

Virtual host with the same pair of External IP and Port cannot be created.

Different virtual hosts can have same External IP address only if port forwarding is enabled for
different external port. For example,
    Virtual_host1
        External IP address - 192.168.1.1
        Mapped IP address - 10.10.10.12
        Port forward - External port 25
        Mapped port - 35
    Virtual_host2
        External IP address - 192.168.1.1
        Mapped IP address - 10.10.10.1
        Port forward - External port 42
        Mapped port - 48

Different virtual hosts cannot have same external IP address if port forwarding is enabled in one
virtual host and disabled for another virtual host. For example, Cyberoam will not allow you to create:
    Virtual_host1
        External IP address - 192.168.1.15
        Mapped IP address - 10.10.10.1
    Virtual_host2
        External IP address - 192.168.1.15
        Mapped IP address - 10.10.10.2
        Port forward - External port 42
        Mapped port - 48

Virtual host cannot be created with overlapping IP address. For example, Cyberoam will not allow you
to create:
    Virtual_host1
        External IP address - 192.168.1.15-192.168.1.20
        Mapped IP address - 10.10.10.15-10.10.10.20
    Virtual_host2
        External IP address - 192.168.1.18
        Mapped IP address - 10.10.10.18

Virtual host cannot be created with overlapping ports. For example, Cyberoam will not allow you to
create:
    Virtual_host1
        External IP address - 192.168.1.15
        Mapped IP address - 10.10.10.1
        Port forward - External port 20-80
        Mapped port - 20-80
    Virtual_host2
        External IP address - 192.168.1.15
        Mapped IP address - 10.10.10.2
        Port forward - External port 25
        Mapped port - 25
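
The restrictions above can be checked on a planned set of virtual hosts before they are entered in the Web Admin Console. The following Python sketch is an added example, not Cyberoam code: the VirtualHost class, its field names and the validate() function are assumptions made for illustration, and the sample hosts carry the values from the four examples above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import combinations
from typing import List, Optional, Tuple


def parse_ip_range(text):
    """'192.168.1.15' or '192.168.1.15-192.168.1.20' -> inclusive integer (start, end)."""
    first, _, last = text.partition("-")
    start = int(IPv4Address(first.strip()))
    end = int(IPv4Address(last.strip())) if last else start
    if last and start >= end:
        raise ValueError(f"start of IP range must be lower than end: {text}")
    return start, end


def parse_port_range(text):
    first, _, last = text.partition("-")  # '25' or '20-80' -> inclusive (low, high)
    low = int(first)
    high = int(last) if last else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port or port range: {text}")
    return low, high


def size(r):
    return r[1] - r[0] + 1


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass(frozen=True)
class VirtualHost:
    # Hypothetical model; protocol (TCP/UDP) is left out because the restrictions do not mention it.
    name: str
    external_ip: str
    mapped_ip: str
    ports: Optional[Tuple[str, str]] = None  # (external, mapped); None = no port forwarding


def check_host(vh, reserved_names=frozenset()) -> List[str]:
    """Restrictions that concern a single virtual host."""
    errors = []
    if vh.name in reserved_names:
        errors.append(f"{vh.name}: name is same as a host or host group name")
    try:
        ext, mapped = parse_ip_range(vh.external_ip), parse_ip_range(vh.mapped_ip)
        # A single external IP mapped to a range is allowed (round robin load balancing).
        if size(ext) > 1 and size(mapped) == 1:
            errors.append(f"{vh.name}: external IP range mapped to a single mapped IP")
        elif size(ext) > 1 and size(ext) != size(mapped):
            errors.append(f"{vh.name}: external and mapped IP ranges differ in size")
        if vh.ports is not None:
            ext_p, map_p = parse_port_range(vh.ports[0]), parse_port_range(vh.ports[1])
            if size(ext_p) != size(map_p):
                errors.append(f"{vh.name}: external and mapped port ranges differ in size")
    except ValueError as exc:
        errors.append(f"{vh.name}: {exc}")
    return errors


def check_pair(a, b) -> List[str]:
    """Restrictions between two virtual hosts whose external addresses overlap."""
    if not overlaps(parse_ip_range(a.external_ip), parse_ip_range(b.external_ip)):
        return []
    pair = f"{a.name}/{b.name}"
    if a.ports is None and b.ports is None:
        return [f"{pair}: overlapping external IP address"]
    if a.ports is None or b.ports is None:
        return [f"{pair}: port forwarding enabled in one host and disabled in the other"]
    if overlaps(parse_port_range(a.ports[0]), parse_port_range(b.ports[0])):
        return [f"{pair}: overlapping external ports on a shared external IP"]
    return []


def validate(hosts, reserved_names=frozenset()) -> List[str]:
    """Return every restriction violated by a proposed set of virtual hosts."""
    errors = [e for vh in hosts for e in check_host(vh, reserved_names)]
    for a, b in combinations(hosts, 2):
        try:
            errors += check_pair(a, b)
        except ValueError:
            pass  # unparsable address or port, already reported by check_host
    return errors


# The four example pairs from the restrictions list above.
VH = VirtualHost
ALLOWED = [VH("Virtual_host1", "192.168.1.1", "10.10.10.12", ("25", "35")),
           VH("Virtual_host2", "192.168.1.1", "10.10.10.1", ("42", "48"))]
MIXED_FORWARDING = [VH("Virtual_host1", "192.168.1.15", "10.10.10.1"),
                    VH("Virtual_host2", "192.168.1.15", "10.10.10.2", ("42", "48"))]
OVERLAPPING_IP = [VH("Virtual_host1", "192.168.1.15-192.168.1.20", "10.10.10.15-10.10.10.20"),
                  VH("Virtual_host2", "192.168.1.18", "10.10.10.18")]
OVERLAPPING_PORTS = [VH("Virtual_host1", "192.168.1.15", "10.10.10.1", ("20-80", "20-80")),
                     VH("Virtual_host2", "192.168.1.15", "10.10.10.2", ("25", "25"))]
```

Calling validate(ALLOWED) returns an empty list, while each of the other three sample sets returns one message naming the restriction it breaks.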

Delete Virtual host


Select Firewall → Virtual Host → Manage

Screen - Delete Virtual Host

Screen Elements Description

Del checkbox Click against the virtual host(s) to be deleted
Select All checkbox Click to select all the virtual hosts for deletion
Delete button Deletes all the selected virtual host(s)
Table - Delete Virtual host screen elements

Note

Virtual host can be deleted but cannot be updated.

On deletion of virtual host, Proxy ARP and loopback firewall rule are deleted automatically.


Traffic Discovery
"Network security" is controlling who can do what on your network. Control is all about detecting and
resolving any activity that does not align with your organization's policies.

Traffic discovery provides a comprehensive, integrated tool to tackle all your Network issues. It performs
network traffic monitoring by aggregating the traffic passing through Cyberoam. It helps in determining
the amount of network traffic generated by an application, IP address or user.

View your network's traffic statistics, including protocol mix, top senders, top broadcasters, and error
sources. Identify and locate bandwidth hogs and isolate them from the network if necessary. Analyze
performance trends with baseline data reports.

The discovered traffic pattern is presented in terms of:

Application
User
LAN IP Address

Apart from details of live connections traffic pattern, Cyberoam also provides current date's connection
history.

Live Connections report

Application wise
Application wise Live Connections displays list of Applications running on the network currently. It also
displays which user is using the application currently and total data transferred using the application.

Select Traffic Discovery → Live Connections → Application wise

Screen - Application wise Live connections

Screen Elements Description

Application Name Applications running on network

Click Total Connections to view the connection details for selected
Application. Refer to Connection details for selected Application

Click to view list of Users using respective Applications

Click Total Connections to view the connection details for selected
Application. Refer to Connection details for selected Application

Click to view WAN IP Address wise Connection details for selected
Application

Click to view Destination Port wise Connection details for selected
Application

Data Transfer details
Upload Transfer Displays data uploaded using the Application
Download Transfer Displays data downloaded using the Application
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by Application
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by Application

Connection Details
Total Connections Displays number of connections initiating/requesting the Application

Click to view the connection details for the respective Application for each
connection
LAN Initiated Displays number of connections initiated by LAN IP Address for the
Application
WAN Initiated Displays number of connections initiated by WAN IP Address for the
Application

Table - Application wise Live connections screen elements

Connection details for selected Application

Report columns Description

Established Time Time when connection was established
LAN IP Address LAN IP Address from which the connection for the application was
established
LAN PORT LAN port through which connection was established for the
application
WAN IP Address WAN IP Address to which connection was established
WAN PORT WAN port to which connection was established for the application
Direction Traffic direction
Upload Transfer Data uploaded using the Application
Download Transfer Data downloaded using the Application
Upstream Bandwidth Upstream bandwidth used by Application
Downstream Bandwidth Downstream bandwidth used by Application

Connection details for selected LAN IP Address and Application

Report columns Description


Established Time Time when connection was established
LAN IP Address LAN IP Address from which the connection for the application
was established
LAN Port LAN port through which connection was established for the
application
WAN IP Address WAN IP Address to which connection was established
WAN Port WAN port to which connection was established for the application
Direction Traffic direction
Upload Transfer Data uploaded using the Application
Download Transfer Data downloaded using the Application
Upstream Bandwidth Upstream bandwidth used by Application
Downstream Bandwidth Downstream bandwidth used by Application

WAN IP Address wise Connection details for selected Application

Report columns Description


WAN IP Address WAN IP Addresses to which Connection was established by the
selected Application
Total Connections Number of connections established to the WAN IP Address
LAN Initiated Number of connections initiated from LAN
WAN Initiated Number of connections initiated from WAN
Upload Transfer Data uploaded during the connection
Download Transfer Data downloaded during the connection
Upstream Bandwidth Upstream bandwidth used by Application
Downstream Bandwidth Downstream bandwidth used by Application


Destination Port wise Connection details for selected Application

Report columns Description


Destination Port Destination ports to which Connection was established by the
selected Application
Total Connections Number of connections established through the destination port
LAN Initiated Number of connections initiated from LAN
WAN Initiated Number of connections initiated from WAN
Upload Transfer Data uploaded during the connection
Download Transfer Data downloaded using the connection
Upstream Bandwidth Upstream bandwidth used by Application
Downstream Bandwidth Downstream bandwidth used by Application

User wise
User wise Live Connections displays which user is currently using which Application and how much
bandwidth the user is consuming.

Select Traffic Discovery → Live Connections → User wise

Screen - User wise Live connections

Screen Elements Description

User Name Network Users requesting various Applications

Click Total Connections to view the connection details for selected User.

Click to view list of Applications used by the respective users

Click Total Connections to view the connection details for selected User
and Application

Click to view WAN IP Addresses wise Connection details for selected
User

Click to view Destination ports wise Connection details for selected
User

Data Transfer details
Upload Transfer Displays data uploaded by the User
Download Transfer Displays data downloaded by the User
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by User
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by User

Connection Details
Total Connections Displays number of connections initiated by the User

Click to view connection details initiated by the User for each connection
LAN Initiated Displays number of connections initiated from LAN IP Address by the
User
WAN Initiated Displays number of connections initiated from WAN IP Address by the
User

Table - User wise Live connections screen elements

LAN IP Address wise


LAN IP Address wise Live Connections displays list of Applications currently accessed by LAN IP
Address.

Select Traffic Discovery → Live Connections → LAN IP Address wise

Screen - LAN IP Address wise Live connections

Screen Elements Description

LAN IP Address LAN IP Address requesting various Applications

Click Total Connections to view the connection details for selected LAN
IP Address.

Click to view list of Applications requested by the respective LAN IP
Address

Click Total Connections to view the connection details for selected LAN
IP Address and Application

Click to view WAN IP Addresses wise Connection details for selected
LAN IP Address

Click to view Destination ports wise Connection details for selected
LAN IP Address

Data Transfer details
Upload Transfer Displays data uploaded from the LAN IP Address
Download Transfer Displays data downloaded from the LAN IP Address
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by LAN IP Address
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by the LAN IP Address

Connection Details
Total Connections Displays number of connections initiated by the LAN IP Address

Click to view connection details initiated by the LAN IP Address for each
connection
LAN Initiated Displays number of connections initiated from LAN IP Address
WAN Initiated Displays total number of connections initiated from WAN IP Address

Table - LAN IP Address wise Live connection screen elements

Apart from the live connection details, details of the connections that are closed can also be viewed.
The details for all the connections that are closed during last 24 hours are shown. You can also select the
history duration.

Today's Connection History

Application wise
It displays list of Applications accessed during the selected duration and by user and/or LAN IP Address.

Select Traffic Discovery → Today's Connection History → Application wise

Screen - Today's Connection History Application wise

Screen Elements Description

Select Start time and Stop time
Start time & Stop time Select the history duration
Refresh Data button Click to refresh the data after the start time or stop time is changed to get
the latest data
Application Name Applications running on network

Click Total Connections to view the connection details for selected
Application. Refer to Connection details for selected Application

Click to view list of users using respective Applications

Click Total Connections to view the connection details for selected LAN IP
Address and Application. Refer to Connection details for selected LAN IP
Address and Application

Click to view WAN IP Address wise Connection details for selected
Application

Click to view Destination Port wise Connection details for selected
Application

Data Transfer details
Upload Transfer Displays data uploaded using the Application
Download Transfer Displays data downloaded using the Application
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by Application
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by Application

Connection Details
Total Connections Displays number of connections initiating/requesting the Application

Click to view the connection details for the respective Application for each
connection
LAN Initiated Displays number of connections initiated by LAN IP Address for the
Application
WAN Initiated Displays number of connections initiated by WAN IP Address for the
Application

Table - Today's Connection History Application screen elements

User wise
It displays the list of Users who have logged on to the network during the selected duration and the
applications they accessed.

Select Traffic Discovery → Today's Connection History → User wise

Screen - Today's Connection History User wise

Screen Elements Description

Select Start time and Stop time
Start time & Stop time Select the history duration
Refresh Data button Click to refresh the data after the start time or stop time is changed to get
the latest data
User Name Network Users requesting various Applications

Click Total Connections to view the connection details for selected User.

Click to view list of Applications used by the respective users

Click Total Connections to view the connection details for selected User
and Application

Click to view WAN IP Addresses wise Connection details for selected
User

Click to view Destination ports wise Connection details for selected
User

Data Transfer details
Upload Transfer Displays data uploaded by the User
Download Transfer Displays data downloaded by the User
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by User
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by User

Connection Details
Total Connections Displays number of connections initiated by the User

Click to view connection details initiated by the User for each connection
LAN Initiated Displays number of connections initiated from LAN IP Address by the
User
WAN Initiated Displays number of connections initiated from WAN IP Address by the
User

Table - Today's Connection History User wise screen elements

LAN IP Address wise


It displays list of Applications accessed during the selected duration by each LAN IP Address.

Select Traffic Discovery → Today's Connection History → LAN IP Address wise

Screen - Today's Connection History LAN IP Address wise

Screen Elements Description

Select Start time and Stop time
Start time & Stop time Select the history duration
Refresh Data button Click to refresh the data after the start time or stop time is changed to get
the latest data
LAN IP Address LAN IP Address requesting various Applications

Click Total Connections to view the connection details for selected LAN IP
Address.

Click to view list of Applications requested by the respective LAN IP
Address

Click Total Connections to view the connection details for selected LAN IP
Address and Application

Click to view WAN IP Addresses wise Connection details for selected
LAN IP Address

Click to view Destination ports wise Connection details for selected LAN
IP Address

Data Transfer details
Upload Transfer Displays data uploaded from the LAN IP Address
Download Transfer Displays data downloaded from the LAN IP Address
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by LAN IP Address
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by the LAN IP Address

Connection Details
Total Connections Displays number of connections initiated by the LAN IP Address

Click to view connection details initiated by the LAN IP Address for each
connection
LAN Initiated Displays number of connections initiated from LAN IP Address
WAN Initiated Displays total number of connections initiated from WAN IP Address

Table - Today's Connection History LAN IP Address wise screen elements


Policy Management
Cyberoam allows controlling access to various resources with the help of Policy.

Cyberoam allows defining following types of policies:


1. Control individual user surfing time by defining Surfing quota policy. See Surfing Quota policy for
more details.
2. Schedule Internet access for individual users by defining Access time policy. See Access time policy
for more details.
3. Control web access by defining Internet Access policy. See Internet Access policy for more details.
4. Allocate and restrict the bandwidth usage by defining Bandwidth policy. See Bandwidth policy for
more details.
5. Limit total as well as individual upload and/or download data transfer by defining data transfer policy.
See Data Transfer policy for more details.

Cyberoam comes with several predefined policies. These predefined policies are immediately available
for use until configured otherwise.

Cyberoam also lets you define customized policies to define different levels of access for different users
to meet your organization's requirements.


Surfing Quota policy


Surfing quota policy defines the duration of Internet surfing time. Surfing time duration is the allowed time
in hours for a Group or an Individual User to access Internet.

Surfing quota policy:

Allocates Internet access time on cyclic or non-cyclic basis
Single policy can be applied to a number of Groups or Users

Cyberoam comes with several predefined policies. These predefined policies are immediately available
for use until configured otherwise. Cyberoam also lets you define customized policies to define different
levels of access for different users to meet your organization's requirements.

Create Surfing Quota policy

Select Policies → Surfing Quota Policy → Create policy to open the create page

Screen - Create Surfing Quota policy

Screen Elements Description

Create Surfing Quota policy
Name Specify policy name. Choose a name that best describes the policy. One
cannot create multiple policies with the same name.
Cycle type Specify cycle type

Available options
Daily - restricts surfing hours up to cycle hours defined on daily basis
Weekly - restricts surfing hours up to cycle hours defined on weekly basis
Monthly - restricts surfing hours up to cycle hours defined on monthly basis
Yearly - restricts surfing hours up to cycle hours defined on yearly basis
Non-cyclic - no restriction
Cycle hours (Only if cycle type is not Non cyclic) Specify upper limit of surfing hours for cyclic type policies

At the end of each Cycle, cycle hours are reset to zero i.e. for Weekly Cycle
type, cycle hours will be reset to zero every week even if cycle hours are
unused
Allotted Days Restricts surfing days

Specify total surfing days allowed to limit surfing hours

Click Unlimited Days if you do not want to restrict surfing days and create
Unlimited Surfing Quota policy.
Allotted Time Allotted time defines the upper limit of the total surfing time allowed i.e.
restricts total surfing time to allotted time

Specify surfing time in Hours & minutes

Click Unlimited Time if you do not want to restrict the total surfing time
Shared allotted time with group members Specify whether the allotted time will be shared among all the group
members or not

Click to share
Policy Description Specify full description of the policy
Create button Click to create and save policy
Table - Create Surfing Quota policy screen elements

Update Surfing Quota policy

Select Policies → Surfing Quota policy → Manage policy and click Policy name to be
modified

Screen - Update Surfing Quota policy

Screen Elements Description

Edit Surfing Quota policy
Name Displays policy name, modify if required
Cycle Type Displays Cycle type, modify if required
Cycle Hours Displays allotted Cycle hours
Allotted Days Or Unlimited Days Displays allotted days, modify if required
Allotted time Or Unlimited time Displays allotted time in hours, minutes, modify if required
Shared allotted time with group members Displays whether the total allotted time is shared among the
group members or not, modify if required
Policy Description Displays description of the policy, modify if required
Update button Updates and saves the policy. The changes made in the policy
become effective immediately on updating the changes.
Cancel button Cancels the current operation and returns to Manage Surfing
Quota policy page
Table - Update Surfing Quota policy screen elements

Delete Surfing Quota policy

Prerequisite
Not assigned to any User or Group

Select Policies → Surfing Quota policy → Manage policy to view list of policies

Screen - Delete Surfing Quota policy

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete Surfing Quota policy screen elements


Access Time policy


Access time is the time period during which user is allowed/denied the Internet access. An example
would be only office hours access for a certain set of users.

Access time policy enables you to set a time interval - days and time - for the Internet access with the help of
schedules. See Schedules for more details.

A time interval defines days of the week and times of each day of the week when the user will be allowed
or denied the Internet access.

Access time policy strategies:


Allow strategy - By default, allows access during the schedule
Deny strategy - By default, disallows access during the schedule

Create Access Time policy

Prerequisite
Schedule created

Select Policies → Access Time Policy → Create policy to open create policy page

Screen - Create Access Time policy

Screen Elements Description

Access Time policy details
Name Specify policy name. Choose a name that best describes the policy to
be created. One cannot create multiple policies with the same name.
Schedule Specify policy schedule

Users will be allowed/disallowed access during the time specified in the
schedule.

Click Schedule list to select

Click View details link to view the details of selected schedule

Refer to Define Schedule on how to create a new schedule

Strategy for selected Schedule Specify strategy for the policy

Allow - Allows the Internet access during the scheduled time interval

Disallow - Does not allow the Internet access during the scheduled time
interval

Click to select
Description Specify full description of policy
Create button Creates policy
Table - Create Access Time policy screen elements

Update Access Time policy

Select Policies → Access Time policy → Manage policy and click Policy name to be modified

Screen - Update Access Time policy

Screen Elements Description

Access Time policy details
Name Displays policy name, modify if required
Schedule Displays selected policy schedule

To modify,
Click Schedule list and select new schedule

Click View details link to view details of the selected schedule

Strategy for selected Schedule Displays Schedule strategy

Cannot be modified
Description Displays description of the policy, modify if required
Save button Saves the modified details. Changes made in the policy become
effective immediately on saving the changes.
Cancel button Cancels current operation and returns to Manage Access Time
policy
Table - Update Access Time policy screen elements

Delete Access Time policy

Prerequisite
Not assigned to any User or Group

Select Policies → Access Time policy → Manage policy to view the list of policies

Screen - Delete Access Time policy

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete Access Time policy screen elements


Internet Access policy


Internet Access policy controls users' web access. It helps to manage web access specific to the
organization's need. It specifies which user has access to which sites or applications and allows defining
policy based on almost limitless parameters like:
Individual users
Groups of users
Time of day
Location/Port/Protocol type
Content type
Bandwidth usage (for audio, video and streaming content)

When defining a policy, you can deny or allow access to an entire application category, or to individual
file extensions within a category. For example, you can define a policy that blocks access to all audio files
with .mp3 extensions.

Internet Access policy types:


Allow - By default, allows user to view everything except the sites and files specified in the web
categories. E.g. To allow access to all sites except Mail sites
Disallow - By default, prevents user from viewing everything except the sites and files specified in the
web categories. E.g. To disallow access to all sites except certain sites

It is not possible to allow Application categories in Deny All policy

Create a new Internet Access policy

Select Policies → Internet Access Policy → Create Policy to open the create policy page

Screen - Create Internet Access policy

Screen Elements Description

Internet Access policy details
Name Specify policy name. Choose a name that best describes the policy to be
created. One cannot create multiple policies with the same name.
Using Template Select a template if you want to create a new policy based on an existing
policy and want to inherit all the categories restrictions from the existing
policy

Select Blank template, if you want to create a fresh policy without any
restrictions. After creation, you can always customize the category
restrictions according to the requirement.
Policy Type (Only for Blank option in Using Template field) Select default policy type

Available options
Allow - Allows access to all the Internet sites except the sites and files
specified in the Categories

Deny - Allows access to only those sites and files that are specified in the
Categories
Description Specify full description of policy
Certificate Based Categorization Select the Certificate Based Categorization check box to enable filtering of
HTTPS traffic based on domain names using site X.509 certificates. If
enabled, users will not be able to bypass and access blocked sites using
URL translation or HTTP proxy websites hosted on HTTPS. In other words, if
enabled, Cyberoam will block attempts to bypass web content filtering and
sites hosted on SSLv2, SSLv3 and TLS protocols.
By default, it is enabled.

Enabling categorization from Web Admin Console will not have any effect if
it is disabled from CLI console. By default, the categorization from CLI is
enabled. Use CLI command: show secure-scanning HTTPS to confirm. For
more details, check Cyberoam Console Guide.


Reporting By default, Internet usage report is generated for all the users. However,
Cyberoam allows you to bypass reporting of certain users.

Click Off to create Bypass reporting Internet access policy. Internet usage
reports will not include access details of all the users to whom this policy will
be applied.

Click On to create policy that will include access details of all the users in
Internet usage reports to whom this policy is applied.
Download File Size Restriction Specify the maximum allowed file download size in MB. It would not be
possible to download a file greater than the configured size.

By default, it is configured as 0 (zero) MB, which means no restriction on file
download size.
Create button Creates policy and allows you to add Category restriction

Refer to Add Category for more details

Internet Access policy Rules
Add button Allows you to define Internet Access policy rules and assign Web, File Type and
Application Protocol Categories to Internet Access policy

Click to add

Refer to Add Internet Access policy rule for more details

Save button Saves policy
Show Policy Members button Opens a new page and displays list of policy members
Cancel button Cancels the current operation and returns to Manage Internet Access policy
page
Table - Create Internet Access policy screen elements

Add Internet Access policy rule

Screen - Add Internet Access policy rule

Screen Elements Description

Rule details
Select Category Displays list of custom Web, File Type and Application Protocol Categories

Displays list of Categories assigned to policy

In Category Name column,

W represents Web Category
F represents File Type Category
A represents Application Protocol Category

D represents Default Category
C represents Customized i.e. User defined Category

Select Categories to be assigned to policy.

In Web Category list, click to select
In File Type list, click to select
In Application Protocol list, click to select

Use Ctrl/Shift and click to select multiple Categories

If Web and Application Filter subscription module is registered, all the default
categories will also be listed and can be for restriction.
Strategy Allows/Disallows access to the selected Categories during the period defined in
the schedule

Click Strategy box to see options and select

During Schedule Allows/Disallows access to the selected Categories according to the strategy
defined during the period defined in the schedule

Allow/Disallow will depend on the strategy selected

Click Schedule box to see options and select

View details link Opens a new window and displays details of the selected schedule

Click to view
Click Close to close the window
Add button Add rule to Internet Access policy

Click to add rule

Cancel button Cancels the current operation
Table - Add Internet Access policy rule screen elements

Update Internet Access policy

Select Policy → Internet Access policy → Manage Policy and click policy name to be
modified

Screen - Update Internet Access policy

Screen Elements Description


Internet Access policy details
Name Displays policy name which cannot be modified
Policy Type Displays policy type which cannot be modified
Description Displays policy description, modify if required
Certificate Based Categorization Select the Certificate Based Categorization check box to enable filtering
of HTTPS traffic based on domain names using site X.509 certificates. If
enabled, users will not be able to bypass and access blocked sites using
URL translation or HTTP proxy websites hosted on HTTPS. In other
words, if enabled, Cyberoam will block attempts to bypass web content
filtering and sites hosted on SSLv2, SSLv3 and TLS protocols.

By default, it is enabled.

Enabling categorization from Web Admin Console will not have any
effect if it is disabled from CLI console. By default, the categorization
from CLI is enabled. Use CLI command: show secure-scanning HTTPS
to confirm. For more details, check Cyberoam Console Guide.
Reporting By default, Internet usage report is generated for all the users. However,
Cyberoam allows you to bypass reporting of certain users.

Click Off to bypass reporting. Internet usage reports will not include
access details of all the users to whom this policy will be applied.

Click On to create policy that will include access details of all the users
in Internet usage reports to whom this policy is applied.
Download File Size Restriction Specify the maximum allowed file download size in MB. It would not be
possible to download a file greater than the configured size.

By default, it is configured as 0 (zero) MB, which means no restriction on
file download size.

90
Cyberoam User Guide

Internet Access policy Rules


Displays list of Categories assigned to policy

In Category Name column,
W represents Web Category
F represents File Type Category
A represents Application Protocol Category
D represents Default Category
C represents Customized i.e. User defined Category
Add button Allows you to define a new rule

Click to add

Refer to Add Internet Access policy rule for more details
Delete button Allows you to delete the selected rule(s)

Refer to Delete Internet Access policy rule for more details
MoveUp & MoveDown button (Only when more than one rule is defined) Moves the selected rule one step
up or down

Click the rule that is to be moved. This will highlight the selected rule.

Click to move the selected rule one step upwards or downwards
Update button (Only when more than one rule is defined) Saves the modified sequence of the rules
Save button Saves the modifications
Show Policy members button Opens a new page and displays list of policy members
Cancel button Cancels the current operation and returns to Manage Internet Access policy page
Table - Update Internet Access policy screen elements

Delete Internet Access policy rule

Screen - Delete Internet Access policy rule

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion


Delete button Deletes all the selected policy(s)


Table - Delete Internet Access policy rule screen elements

Note
Do not forget to update after changing the order

Delete Internet Access policy

Prerequisite
Not assigned to any User or Group

Select Policies → Internet Access policy → Manage Policy

Screen - Delete Internet Access policy

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete Internet Access policy screen elements


Bandwidth policy
Bandwidth is the amount of data passing through a medium over a period of time and is measured in terms
of kilobytes per second (kbps) or kilobits per second (kbits) (1 Byte = 8 bits).

The primary objective of bandwidth policy is to manage and distribute total bandwidth on certain
parameters and user attributes. Bandwidth policy allocates & limits the maximum bandwidth usage of the
user and controls web and network traffic.

Policy can be defined/created for:

User - It restricts the bandwidth of a particular user.
Firewall Rule - It restricts the bandwidth of any entity to which the firewall rule is applied.
Web Category - It restricts the bandwidth for the URL categorized under the Web category. To
implement restriction, policy is to be assigned through firewall rule.

User based bandwidth policy


Policy restricts the bandwidth for a particular user. There are two types of bandwidth restriction:
Strict
Committed

Strict

In this type of bandwidth restriction, user cannot exceed the defined bandwidth limit. Two ways to
implement strict policy:
Total (Upstream + Downstream)
Individual Upstream and Individual Downstream

Implementation on: Total (Upstream + Downstream)
Bandwidth specified: Total bandwidth
Example: Total bandwidth is 20 kbps and upstream and downstream combined cannot cross 20 kbps

Implementation on: Individual Upstream and Individual Downstream
Bandwidth specified: Individual bandwidth i.e. separate for both
Example: Upstream and Downstream bandwidth is 20 kbps then either cannot cross 20 kbps

Table - Implementation types for Strict - Bandwidth policy

Strict policy Bandwidth usage

Bandwidth usage Bandwidth specified


Individual For a particular user
Shared Shared among all the users who have been assigned this policy
Table - Bandwidth usage for Strict - Bandwidth policy

Committed

In this type of bandwidth restriction, user is allocated the guaranteed amount of bandwidth and user can
draw bandwidth up to the defined burstable limit, if available.

It enables you to assign fixed minimum and maximum amounts of bandwidth to users. By borrowing excess
bandwidth when it is available, users are able to burst above guaranteed minimum limits, up to the
burstable rate. Guaranteed rates also assure minimum bandwidth to critical users, so that they receive
constant levels of bandwidth during peak and non-peak traffic periods.

Guaranteed represents the minimum guaranteed bandwidth and burstable represents the maximum
bandwidth that a user can use, if available.

Two ways to implement committed policy:
Total (Upstream + Downstream)
Individual Upstream and Individual Downstream

Implementation on: Total (Upstream + Downstream)
Bandwidth specified: Guaranteed bandwidth, Burstable bandwidth
Example: Guaranteed bandwidth is 20 kbps then upstream and downstream combined will get 20 kbps
guaranteed (minimum) bandwidth. Burstable bandwidth is 50 kbps then upstream and downstream combined
can get up to 50 kbps of bandwidth (maximum), if available

Implementation on: Individual Upstream and Individual Downstream
Bandwidth specified: Individual Guaranteed and Burstable bandwidth i.e. separate for both
Example: Individual guaranteed bandwidth is 20 kbps then upstream and downstream get 20 kbps
guaranteed (minimum) bandwidth individually. Individual burstable bandwidth is 50 kbps then upstream
and downstream get maximum bandwidth up to 50 kbps, if available individually

Table - Implementation types for Committed - Bandwidth policy

Committed policy Bandwidth usage

Bandwidth usage Bandwidth specified


Individual For a particular user
Shared Shared among all the users who have been assigned this policy
Table - Bandwidth usage for Committed - Bandwidth policy
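
The committed model described above, worked through as an added example (not code from Cyberoam or from this guide). The guide does not say how spare bandwidth is divided, so handing it out in priority order (0 highest, 7 lowest) is an assumption, as are the user names and the 100 kbps link; the 20 kbps guaranteed and 50 kbps burstable figures are the guide's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CommittedPolicy:
    user: str              # constructed user name
    guaranteed_kbps: int   # minimum the user is assured
    burstable_kbps: int    # maximum the user may draw, if available
    priority: int = 7      # 0 (highest) to 7 (lowest), as in the guide

    def __post_init__(self):
        if not 0 <= self.priority <= 7:
            raise ValueError(f"{self.user}: priority must be 0..7")
        if self.guaranteed_kbps > self.burstable_kbps:
            raise ValueError(f"{self.user}: guaranteed exceeds burstable")


def allocate(link_kbps, policies, demand_kbps):
    """Return {user: granted kbps} for one instant of demand.

    Step 1: every user gets what they ask for, up to the guaranteed rate.
    Step 2: spare capacity is lent out in priority order (assumption),
            never beyond the user's demand or burstable ceiling.
    """
    committed = sum(p.guaranteed_kbps for p in policies)
    if committed > link_kbps:
        # The guarantees cannot all be honoured at peak: a design error.
        raise ValueError(
            f"guaranteed rates total {committed} kbps "
            f"but the link carries {link_kbps} kbps"
        )

    grant = {
        p.user: min(demand_kbps.get(p.user, 0), p.guaranteed_kbps)
        for p in policies
    }
    spare = link_kbps - sum(grant.values())

    for p in sorted(policies, key=lambda p: p.priority):
        ceiling = min(demand_kbps.get(p.user, 0), p.burstable_kbps)
        extra = min(spare, ceiling - grant[p.user])
        if extra > 0:
            grant[p.user] += extra
            spare -= extra
    return grant


# Constructed sample: three users on the guide's 20/50 kbps committed policy.
POLICIES = [
    CommittedPolicy("voip", 20, 50, priority=0),
    CommittedPolicy("staff", 20, 50, priority=3),
    CommittedPolicy("guest", 20, 50, priority=7),
]

if __name__ == "__main__":
    peak = {"voip": 50, "staff": 50, "guest": 50}
    off_peak = {"voip": 5, "guest": 80}
    print("peak    ", allocate(100, POLICIES, peak))
    print("off-peak", allocate(100, POLICIES, off_peak))
```

At peak every user keeps the guaranteed 20 kbps and only the spare 40 kbps is contested; off-peak the lowest-priority user can still burst to 50 kbps because nobody else is asking for the capacity.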

Firewall Rule based bandwidth policy


Policy restricts the bandwidth for a particular IP address. It is similar to the User based policy with the
same type of restrictions on Implementation type & Bandwidth usage.


Create Bandwidth policy

Select Policies → Bandwidth Policy → Create policy to open the create policy pane

Screen - Create Bandwidth policy

Screen Elements Description


Bandwidth Policy Details
Name Specify policy name. Choose a name that best describes the policy to be
created. One cannot create multiple policies with the same name.
Policy based on Based on the selection creates policy for User, firewall or web category

User based policy restricts the bandwidth of a particular user.

Firewall Rule policy restricts the bandwidth of any entity to which firewall rule is applied.

Web category policy restricts the bandwidth for the URL categorized under the Web category.
Policy Type (Only for User and Firewall rule based policy) Based on the selection bandwidth
restriction will be applied

In Strict type of bandwidth restriction, user cannot exceed the defined bandwidth limit

In Committed type of bandwidth restriction, user is allocated the guaranteed amount of bandwidth and
can draw bandwidth up to the defined burstable limit, if available.

It enables you to assign fixed minimum and maximum amounts of bandwidth to the users. By borrowing
excess bandwidth when available, users are able to burst above guaranteed minimum limits, up to the
burstable rate. Guaranteed rates also assure minimum bandwidth to critical users, so that they
receive constant levels of bandwidth during peak and non-peak traffic periods.

Guaranteed represents the minimum guaranteed bandwidth and burstable represents the maximum
bandwidth that the user can use, if available
Implementation on Specify implementation type of Bandwidth restriction

Click Total to implement bandwidth restriction on the Total usage

Click Individual to implement bandwidth restriction on the Individual Upstream and Individual
Downstream bandwidth usage. Available only for User and Firewall rule policy.
Priority Set the bandwidth priority

Priority can be set from 0 (highest) to 7 (lowest)

Set the priority for SSH/Voice/Telnet traffic to be highest as this traffic is more interactive
Total bandwidth (Only for TOTAL implementation type) Specify maximum amount of Total bandwidth,
expressed in terms of kbps

Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Upload Bandwidth (Only for INDIVIDUAL implementation type and User and Firewall rule policy) Specify
maximum amount of Upstream Bandwidth, expressed in terms of kbps

Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Download Bandwidth (Only for INDIVIDUAL implementation type and User and Firewall rule policy)
Specify maximum amount of Downstream Bandwidth, expressed in terms of kbps

Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Bandwidth usage (Only User and Firewall rule policy) Specify whether the Bandwidth allocated is for
particular user or shared among all the policy users
Description Specify full description of policy
Create button Creates policy
Cancel button Cancels the current operation
Add Detail button Click and configure bandwidth to override the default bandwidth restriction
during the specified time.
Table - Create Bandwidth policy screen elements

Update Bandwidth policy

Use to
Add/remove schedule based details to User/IP address based policy
Update bandwidth values

Select Policies → Bandwidth policy → Manage policy and click Policy name to be updated

Screen - Update Bandwidth policy


Screen Elements Description


Bandwidth Policy Details
Name Displays policy name
Policy Based On Displays Type of bandwidth restriction

Cannot be modified
Description Displays description, modify if required.
Default values to be applied all the time
Implementation on Displays implementation type of policy

Cannot be modified
Total Bandwidth Displays total bandwidth assigned, modify if required
(Only for TOTAL implementation type)
Upload Bandwidth (in KB) (Only for STRICT policy type and INDIVIDUAL implementation type) Modify
Upstream bandwidth value
Download Bandwidth (in KB) (Only for STRICT policy type and INDIVIDUAL implementation type) Modify
Downstream bandwidth value
Guaranteed Burstable Upload Bandwidth (in KB) (Only for COMMITTED policy type and INDIVIDUAL
implementation type) Modify Upstream bandwidth value
Guaranteed Burstable Download Bandwidth (in KB) (Only for COMMITTED policy type and INDIVIDUAL
implementation type) Modify Downstream bandwidth value
Policy type Displays policy type i.e. committed or strict which cannot be modified
Schedule Specify Schedule

Click Schedule list to select
View details link Opens the new browser window and displays the details of the schedule selected

Click Close to close the window
Update button Updates the changes made in Bandwidth restriction details and Default values to be
applied all the time
Add details button Allows you to attach schedule to override default bandwidth restriction

Refer to Attach Schedule details for more details
Table - Update Bandwidth policy screen elements

Remove Schedule details

Screen - Remove Schedule from Bandwidth policy

Screen Elements Description


Select checkbox Click against the schedule to be deleted
Select All checkbox Select all details for deletion
Remove Detail button Removes the selected schedule detail(s)
Table - Remove Schedule from User based Bandwidth policy screen elements

Delete Bandwidth policy

Prerequisite
Bandwidth policy not attached to any user or IP address

Select Policies → Bandwidth policy → Manage policy to view the list of policies

Screen - Delete Bandwidth policy

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete Bandwidth policy screen elements


Data Transfer policy


Data transfer policy:
Limits data transfer on a cyclic or non-cyclic basis.
A single policy can be applied to a number of Groups or Users.

Data transfer restriction can be based on:
Total Data transfer (Upload + Download)
Individual Upload and/or Download

Cyberoam provides several predefined policies, which are available for use until configured otherwise.
You can also define customized policies to define different limits for different users to meet your
organization's requirements.

Create Data transfer policy

Select Policies → Data Transfer Policy → Create Policy to open the create policy page

Screen - Create Data transfer policy

Screen Elements Description


Create Data Transfer policy
Name Specify policy name. Choose a name that best describes the policy
Cycle type Specify cycle type

Available options
Daily - restricts data transfer up to cycle hours defined on daily basis
Weekly - restricts data transfer up to cycle hours defined on weekly basis
Monthly - restricts data transfer up to cycle hours defined on monthly basis
Yearly - restricts data transfer up to cycle hours defined on yearly basis
Non-cyclic - data restriction is defined by the Total data transfer limit
Restriction based on Specify whether the data transfer restriction is on total data transfer or on
individual upload or download

Click Total Data Transfer to apply data transfer restriction on the Total (Upload + Download) data
transfer

Click Individual Data Transfer to apply data transfer restriction on the Individual Upload and
Individual Download data transfer
Shared allotted data transfer with group members (Only if Cycle Type is Non-cyclic) Specify whether
the allotted data transfer will be shared among all the group members or not

Click to share
Policy Description Specify full description of the policy
Restriction Details
Cycle Total Data Transfer Limit (MB) (Only if Cycle Type is not Non-cyclic and Restriction is based
on Total Data Transfer) Specify Cycle Total Data transfer limit

It is the upper limit of total data transfer allowed to the user per cycle. User gets disconnected
if limit is reached.
Cycle Upload Data Transfer Limit (MB) (Only if Cycle Type is not Non-cyclic and Restriction is based
on Individual Data Transfer) Specify Cycle Upload Data transfer limit.

It is the upper limit of upload data transfer allowed to the user per cycle. User will be
disconnected if limit is reached. If you do not want to restrict upload data transfer per cycle,
click Unlimited Cycle Upload Data transfer
Cycle Download Data Transfer Limit (MB) (Only if Cycle Type is not Non-cyclic and Restriction is
based on Individual Data Transfer) Enter Cycle Download Data transfer limit.

It is the upper limit of download data transfer allowed to the user per cycle. User will be
disconnected if limit is reached. If you do not want to restrict download data transfer per cycle,
click Unlimited Cycle Download Data transfer
Total Data Transfer Limit (MB) (Only if Restriction is based on Total Data Transfer) Specify Total
Data transfer limit.

It is the data transfer allowed to the user and if the limit is reached user will not be able to log
on until the policy is renewed. If you do not want to restrict total data transfer, click Unlimited
Total Data Transfer
Upload Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer) Specify
Upload Data transfer limit.

It is the total upload data transfer allowed to the user and if the limit is reached user will not
be able to log on until the policy is renewed. If you do not want to restrict total upload data
transfer, click Unlimited Upload Data Transfer
Download Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer) Specify
Download Data transfer limit.

It is the upper download data transfer allowed to the user and if the limit is reached user will not
be able to log on until the policy is renewed. If you do not want to restrict total download data
transfer, click Unlimited Download Data Transfer
Create button Click to create policy
Cancel button Cancels the current operation and returns to Manage Data transfer policy page
Table - Create Data transfer policy screen elements


Update Data transfer policy

Select Policies → Data transfer policy → Manage policy and click Policy name to be modified

Screen - Update Data transfer policy screen

Screen Elements Description


Edit Data Transfer policy
Name Displays policy name, modify if required.
Cycle type Displays cycle type
Restriction based on Displays whether the data transfer restriction is on total data transfer or
on individual upload or download
Shared allotted data transfer with group members Displays whether the allotted data transfer is
shared among all the group members or not
Policy Description Displays full description of the policy, modify if required.
Restriction Details
Cycle Total Data Transfer Limit (MB) (Only if Restriction is based on Total Data Transfer) Displays
Cycle Total Data transfer limit

It is the upper limit of total data transfer allowed to the user per cycle. User will be
disconnected if limit is reached.
Cycle Upload Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer)
Displays Cycle Upload Data transfer limit.

It is the upper limit of upload data transfer allowed to the user per cycle. User will be
disconnected if limit is reached.
Cycle Download Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer)
Displays Cycle Download Data transfer limit.

It is the upper limit of download data transfer allowed to the user per cycle. User will be
disconnected if limit is reached.
Total Data Transfer Limit (MB) (Only if Restriction is based on Total Data Transfer) Displays Total
Data transfer limit.

It is the data transfer allowed to the user and if the limit is reached user will not be able to log
on until the policy is renewed.
Upload Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer) Displays
Upload Data transfer limit.

It is the total upload data transfer allowed to the user and if the limit is reached user will not
be able to log on until the policy is renewed.
Download Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer)
Displays Download Data transfer limit.

It is the upper download data transfer allowed to the user and if the limit is reached user will not
be able to log on until the policy is renewed.
Update button Click to save the policy changes
Cancel button Cancels the current operation and returns to Manage Data transfer policy page
Table - Update Data transfer policy screen elements

Delete Data transfer policy

Prerequisite
Not assigned to any User or Group

Select Policies → Data transfer policy → Manage policy to view list of policies

Screen - Delete Data transfer policy screen

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete Data transfer policy screen element


NAT Policy
NAT policy tells the firewall rule to allow access, but after changing the source IP address, i.e. the
source IP address is substituted by the IP address specified in the NAT policy.

Create NAT policy

Select Firewall → NAT policy → Create to open the create page

Screen - Create NAT policy

Screen Elements Description


NAT policy
NAT Policy Name Specify policy name. One cannot create multiple policies with the same
name.
Description Specify description
Source Translation
Map Source IP with Specify IP address

MASQUERADE - will replace source IP address with Cyberoam's WAN IP address
IP - will replace source IP address with the specified IP address
IP Range - will replace source IP address with any of the IP addresses from the specified range
Create button Creates NAT policy
Table - Create NAT policy screen elements

Update NAT policy

Select Firewall → NAT policy → Manage to view the list of policies. Click the policy to be modified.

Screen - Update NAT policy

Screen Elements Description


NAT policy
NAT Policy Name Displays policy name, modify if required
Description Displays description, modify if required
Source Translation
Map Source IP with Specify IP address

MASQUERADE - will replace source IP address with Cyberoam's WAN IP address
IP - will replace source IP address with the specified IP address
IP Range - will replace source IP address with any of the IP addresses from the specified range
Update button Saves the modifications
Table - Update NAT policy screen elements

Delete NAT policy

Select Firewall → NAT policy → Manage to view the list of policies.

Screen - Delete NAT policy

Screen Elements Description


Del checkbox Click against the policy(s) to be deleted
Select All checkbox Click to select all the policies for deletion
Delete button Deletes all the selected policy(s)
Table - Delete NAT policy screen elements


Zone Management
Use to
Update Zone details
Delete Zone

Manage Zone
Select System → Zone → Manage to open the manage zone page

Screen - Edit Zone

Screen Elements Description


Create Zone
Zone Name Displays zone name
Zone Type Displays zone type

LAN - Depending on the appliance in use and network design, Cyberoam allows you to group one to six
physical ports in this zone. Group multiple interfaces with different network subnets to manage them
as a single entity. Group all the LAN networks under this zone.

By default the traffic to and from this zone is blocked and hence it is the highest secured zone.

DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on
the appliance in use and network design, Cyberoam allows you to group one to five ports in this zone.

WAN - Zone for the Internet services. Only one WAN zone is allowed, hence additional WAN zones
cannot be created.

VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does
not have an assigned physical port/interface. Whenever the VPN connection is established, the
port/interface used by the connection is automatically added to this zone and, on disconnection, the
port is automatically removed from the zone.

Multiple LAN zones are not possible if Cyberoam is deployed as Bridge.
Select Port Displays the ports bound to the zone, modify if required

Available Ports list displays the list of ports that can be included in the selected zone.

Member Port list displays the list of ports included in the zone

Use arrow buttons to move ports between the lists
Description Displays zone description, modify if required
Save button Saves the zone configuration
Table - Edit Zone

Delete Zone

Prerequisite
No hosts attached to the zone

Select System → Zone → Manage to open the manage zone page

Screen - Delete Zone

Screen Elements Description


Del checkbox Click against the Zone(s) to be deleted
Select All checkbox Click to delete all the zones
Delete Group button Delete the selected zone(s)
Table - Delete Zone

Note
Default Zones cannot be deleted


Group Management
Manage Group
Update Group to:
Change the order of the group
Change policies - Surfing time policy, Access time policy, Internet Access policy, Bandwidth policy
and Data transfer policy
Change the login restriction for the users of the group
Add new users to the group

Select Group → Manage Group to view the list of groups

Screen components

Select Column button - Click to customize the number of columns to be displayed on the page
Edit icon - Click to edit the group details. Refer to Update Group for more details.
Insert icon - Click to insert a new group before the existing group. Refer to Add a new Group for more
details.
Move icon - Click to change the order of the selected group. Refer to Change the group order for
details.
Delete icon - Click to delete the group. Refer to Delete Group for more details.

Change Group order


Ordering of groups is important when Active Directory users are members of multiple groups. Cyberoam
decides the group membership of the authenticated users based on group order. Based on the group
membership, the respective access control policies are applied to the users.

Cyberoam searches the ordered Group list from top to bottom and determines the user's group membership.
The first group that matches is considered as the group of the user and that group's policies are
applied to the user.


Select Group → Manage Group

Click the move button against the rule whose order is to be changed
Select Before or After as per the need
Click the rule to be moved and then click where it is to be moved.
Click Done button to save the order
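
The top-to-bottom, first-match lookup described in this section, as an added example (not Cyberoam code). Group names, policy names and users are constructed, and `audit_order` is a hypothetical helper that lists users whose applied policy depends on where their groups sit in the order.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str                    # group name as configured on the appliance
    internet_access_policy: str  # policy attached to that group


def resolve_group(ordered_groups, user_memberships):
    """Return the first group, top to bottom, that the user belongs to."""
    member_of = set(user_memberships)
    for group in ordered_groups:
        if group.name in member_of:
            return group
    return None  # the user is in none of the configured groups


def audit_order(ordered_groups, directory):
    """List users whose effective policy depends on the group order.

    directory maps username -> set of directory group names. A user is
    reported when they match two or more configured groups that carry
    different policies, so that moving a group would change what they get.
    """
    findings = []
    for user, memberships in sorted(directory.items()):
        matches = [g for g in ordered_groups if g.name in memberships]
        if len({g.internet_access_policy for g in matches}) > 1:
            findings.append({
                "user": user,
                "effective_group": matches[0].name,
                "effective_policy": matches[0].internet_access_policy,
                "shadowed_groups": [g.name for g in matches[1:]],
            })
    return findings


# Constructed sample data.
IT_ADMINS = Group("IT-Admins", "Allow All")
STAFF = Group("Staff", "General")
CONTRACTORS = Group("Contractors", "Restricted")

ORDER_PERMISSIVE_FIRST = [IT_ADMINS, STAFF, CONTRACTORS]
ORDER_RESTRICTIVE_FIRST = [CONTRACTORS, IT_ADMINS, STAFF]

DIRECTORY = {
    "alice": {"Staff"},
    "bob": {"Staff", "Contractors"},      # contractor who is also in Staff
    "carol": {"IT-Admins", "Contractors"},
}

if __name__ == "__main__":
    for label, order in (("permissive first", ORDER_PERMISSIVE_FIRST),
                         ("restrictive first", ORDER_RESTRICTIVE_FIRST)):
        print(label)
        for user, groups in sorted(DIRECTORY.items()):
            g = resolve_group(order, groups)
            print(f"  {user}: {g.name} -> {g.internet_access_policy}")
    for finding in audit_order(ORDER_PERMISSIVE_FIRST, DIRECTORY):
        print("order-dependent:", finding)
```

With the permissive groups on top, bob and carol never receive the Restricted policy even though both are in Contractors; placing the most restrictive group first makes multi-group users fall into it.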

Update Group

The need may arise to change the Group settings after the Group is created. Select Group → Manage
Group and click the Group to be modified

To Click
Show Group Members Show Group Members button

Refer to View Group members for details


Change Surfing Quota Policy Change Policy button

Only for Normal Group type


Change Access Time Policy Access Time Policy list
Change Internet Access policy Internet Access policy list
Change Bandwidth Policy Bandwidth Policy list
Change Data transfer policy Data transfer policy list
Table - Need to Update group


Screen - Manage Group

Screen Elements Description


Group Information
Group Name Displays Group name, modify if required
Show Group Members button Opens a new window and displays list of group members
Surfing Quota policy Displays currently attached Surfing Quota policy to the Group
Change policy button (Only for Normal Group type) Click to change the attached Surfing Quota policy

Opens a new window and allows to select a new Surfing Quota policy

Click Change policy
Click Select to select from available policy
Click Done to confirm the selection
Click Cancel to cancel the operation

Surfing quota policy, Time allotted & Expiry date changes accordingly
Time allotted (HH:mm) Displays total surfing time allotted by Surfing Quota policy to the Group

Cannot be modified
Expiry date Displays Expiry date of the Surfing Quota policy

Cannot be modified
Period Time (HH:mm) (Only if Surfing Quota policy is Non-Cyclic) Displays cycle hours

Cannot be modified
Period Cycle (Only if Surfing Quota policy is Non-Cyclic) Displays type of cycle

Cannot be modified
Used Surfing Time Displays total time used by the Group members

Cannot be modified
Access Time policy (Only for Normal Group type) Displays currently attached Access Time policy to the
Group

To change
Click Access Time policy list to select
Click View details to view the details of the policy
Internet Access policy Displays currently attached Internet Access policy to the Group

To change
Click Internet Access policy list to select
Click View details to view the details of the policy
Bandwidth policy Displays currently attached Bandwidth policy to the Group

To change
Click Bandwidth policy list to select
Click View details to view the details of the policy
Data Transfer policy Displays currently attached Data Transfer policy to the Group

To change
Click Data Transfer policy list to select
Click View details to view the details of the policy
MAC Binding Enable MAC binding if required. By binding MAC, all the group users will be mapped with
MAC addresses defined in User configuration and users will be able to log in through pre-specified
machines only.
SPAM Digest (Only if Gateway Anti-spam module is subscribed) Enable Spam digest for all the group
members if required.

Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and
held in the user quarantine area.

If configured, Cyberoam will mail the spam digest every day to the user. One can configure digest
email frequency from the general Anti spam configuration.

Digest provides a link to User My Account from where user can access his quarantined messages and
take the required action.

Actions
Enable - User will receive the spam digest daily and overrides Group setting
Disable - User will not receive spam digest and overrides Group setting
Apply Group setting - Inherit Group Spam Digest setting
SSL VPN Policy Select SSL VPN policy from the dropdown list

User Authentication Settings


User Authentication Session time out Authentication Session timeout is the number of minutes that an
authenticated connection can be idle before the user must authenticate again.

Click to enable session timeout on group basis.

By default, this option is disabled.

The minimum timeout that can be configured is 3 minutes and maximum is 1440 minutes (24 hours)
Keep Alive Request for HTTP Client Keep-Alive requests are constantly exchanged between server and
client to check the connectivity between them. The more concurrent HTTP client users there are, the
more keep-alive requests are exchanged. Hence, Cyberoam recommends disabling Keep-alive requests if
there is a large number of concurrent HTTP client users.

By default, this option is enabled.
Login Restriction
Select any one option Apply login restriction if required for the users defined under the Group

Available options
All Nodes - Select if you want to allow Group users to login from all the nodes
Selected Nodes only - Enter IP address if you want to allow Group users to login from the specified
nodes only

Click to select
Update button Saves the modified details. Any changes made are applicable to all the group members.
Add Members Click to add members to the group

Refer to Add Group Members for details
Renew Data Transfer (Only if Data transfer policy is Non-cyclic and shared) Renews data transfer
policy of all the group members
Cancel button Cancels the current operation
Table - Manage Group screen elements

Show Group Members

Screen - Show Group Members

Screen Elements Description


Group name Displays Group name
Total members Displays Total Group members/users
User Name User name

Name with which the Employee logs in
Employee Name Employee name
Allotted Time Total Allotted time to the user

Refer to Access Time policy for details
Expiry Date Expiry date of the policy attached to the User

Refer to Surfing time policy for details
Used Time Total time used by the User
Close button Closes the window
Table - Show Group Members screen elements

Add Group Member(s)

Select Group → Manage Group and click the Group in which user is to be added. Click Add
Member(s)

Screen - Add Group Member

Screen Elements Description


Select Group List of members belonging to the selected group will be displayed

Click to select the Group
Username/Name starting with (* for All) Search user

Specify username or * to display all the users
Search button Search user from the selected Group

Displays list of users in the selected Group

Click Add against the user to be added
Add button Adds selected user(s) to the group
Close button Closes the window and returns to Edit Group page
Table - Add Group Member screen elements

Change Login Restriction

Select Group → Manage Group and click the Group

Screen - Change Login Restriction

Screen Elements Description


Login Restriction
Displays the current login restriction - Click to change the current restriction
Save button Saves if the restriction is changed
Cancel button Cancels the current operation
Select Node(s) button (Only if the option Allowed login from selected nodes is selected) Click to
select the Node for restriction
IP address Displays IP address
Machine name Displays Machine name if given
Allowed from Click to select

Multiple nodes can be selected
Apply Restriction button Applies the login restriction for the group members i.e. Group members will
be able to login from the above selected nodes only
Cancel button Cancels the current operation
Table - Change Login Restriction screen elements

Delete Group

Prerequisite
No Group members defined

Select Group Manage Group and click the delete icon against the rule to deleted


User Management
Search User
You can search for a user by username/login name, IP address or user ID. The search covers all the
registered users i.e. Normal and Clientless users, whether active or de-active.

For fast searching, Cyberoam provides an Auto-completion feature for username and IP address. It uses
AJAX Suggest Technology to offer suggestions for the value as you key in the input data.

Username suggestion box:


Cyberoam will suggest usernames in the drop-down list the moment you type the initial characters of the
username. For example, when you type ma, Cyberoam will display the list of usernames starting with ma.

IP suggestion box:
Similarly, Cyberoam will suggest IP addresses in the drop-down list the moment you type the initial digits
of the IP address. For example, when you type 192.168, Cyberoam will display the list of IP addresses
starting with 192.168 that can be allowed to the user for logging in.

It searches the specified name and displays user details along with the status. You can change status,
delete user, or update user details.

Select User → Search User

Screen - Search User

Screen - Search User result


Live User
Use the Live Users page to:
- view list of all the currently logged on Users
- modify user details
- disconnect any live user

Select User → Manage Live Users

Screen - Manage Live Users

Report Columns | Description
Concurrent Sessions | Displays currently connected total users (Normal, Clientless, and Single sign on client Users)
Current System time | Displays current system time in the format - Day, Month Date, HH:MM
Disconnect button | Disconnects the selected User(s)
ID and User name | Displays ID and name with which user has logged in. Click to change the display order. Click User name link to View/Update user details.
Name | Displays User name. Click Name link to view Group and policies details attached to the User.
Connected from | Displays IP address of the machine from which user has logged in. Click to change the display order.
MAC address | Displays MAC address of the machine from which user has connected. It will be displayed only if configured.
Start time | Displays login time. Click to change the display order.
Time (HH:mm) | Displays total time used in hours and minutes
Upload Data transfer | Displays Data uploaded. Click to change the display order.
Download Data transfer | Displays Data downloaded. Click to change the display order.
Bandwidth (bits/sec) | Displays Bandwidth used
Spam Digest | Spam Digest configuration of the user i.e. whether enabled, disabled or group setting is inherited
Select | Click to disconnect user. More than one User can be selected.
Table - Manage Live User screen elements


Manage User

Update User
Manage Normal & Single Sign on Client Users
Select User → User → Manage Active to view the list of Users and click the User name to be modified
OR
Select User → User → Manage Inactive to view the list of Users and click the User name to be
modified

Manage Clientless Users

Select User → Clientless Users → Manage Clientless Users to view the list of Users and click the
User name to be modified

The need may arise to change the User settings after the User has been created.

To | Click
Change the personal details or password | Edit personal details/Change Password. Refer to Change Personal details for details.
View User Accounts details | User My Account. Refer to User My Account for details.
Change the User Group | Change Group. Refer to Change Group for details.
Change Access Time Policy assigned to the User | Access Time policy list. Refer to Change Individual Policy for details.
Change Internet Access Policy assigned to the User | Internet Access policy list. Refer to Change Individual Policy for details.
Change Bandwidth Policy assigned to the User | Bandwidth policy list. Refer to Change Individual Policy for details.
Change Data Transfer policy assigned to the User | Data Transfer policy list. Refer to Change Individual Policy for details.
Change Login Restriction of the User | Change Login restriction button. Refer to Change Login Restriction for details.
Table - Need to Update User


Screen - Manage User

Screen Elements | Description
Personal Information |
Username | Displays username with which the user logs on. Cannot be modified.
Edit Personal details/Change Password button | Allows to change the User's personal details and login password. Click Edit Personal details to change. Refer to Personal details table for more details.
Name | Displays User/Employee name. Cannot be modified.
Birth date | Displays Birth date of User
Email | Displays Email ID of User
User My Account button | Click to view/update the my account details. Refer to User My Account.
Windows Domain Controller (only if Authentication is done by Windows Domain Controller) | Displays Authentication server address, modify if required
User type | Displays User type. Cannot be modified.
Number of simultaneous login(s) allowed | Displays whether simultaneous login is allowed or not, modify if required
Spam Digest (only if Gateway Anti-spam module is subscribed) | Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area. If configured, Cyberoam will mail the spam digest every day to the user. One can configure digest email frequency from the general Anti spam configuration. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Actions: Enable - User will receive the spam digest daily and overrides Group setting. Disable - User will not receive spam digest and overrides Group setting. Apply Group setting - Inherit Group Spam Digest setting.
SSL VPN Policy | Select SSL VPN policy from the dropdown list. If user is not to be provided the SSL VPN access then select No Policy Applied.
Policy Information |
Group | Displays Group in which User is defined
Change Group button | Allows to change Group of the User. Opens a new window and allows to select a new Group.
Time Allotted to User (HH:mm) | Displays total time allotted to User in the format Hours:Minutes. Cannot be modified.
User Policy Expiry Date | Displays Expiry date. Cannot be modified.
Time used (HH:mm) | Displays total time used by the User in the format Hours:Minutes. Cannot be modified.
Period time | Displays allowed total cycle hours
Period Cycle | Displays cycle type
Cycle Time used | Displays cycle time used
Access Time Policy | Displays currently assigned Access Time policy to the User, modify if required. To view the details of the policy, click View details. Refer to Change Individual Policy on how to change the assigned policy.
Internet Access policy | Displays currently assigned Internet Access policy to the User. To view the details of the policy, click View details. Refer to Change Individual Policy on how to change the assigned policy.
Bandwidth policy | Displays currently assigned Bandwidth policy to the User. To view the details of the policy, click View details. Refer to Change Individual Policy on how to change the assigned policy.
Data Transfer policy | Displays currently assigned Data Transfer policy to the User. To view the details of the policy, click View details. Refer to Change Individual Policy on how to change the assigned policy.
MAC address list | Displays MAC addresses list if enabled e.g. 01:23:45:67:89:AB. Once you enable MAC binding, user will be able to login through pre-specified machines only. To configure multiple MAC addresses use comma e.g. 01:23:45:67:89:AB, 01:23:45:67:89:AC or specify each address in a new line.
Login Restriction |
Select any one option | Allows to apply login restriction. Available options: All Nodes - select to allow user to login from all the nodes in the network. Group Node(s) only - select to allow user to login only from the nodes assigned to the group. Selected Node(s) only - select to allow user to login from the specified nodes only; specify IP address and click Add button. Click to select.
Save button | Saves the modified details
Re-apply Current policy button | Reapplies all the current policies at the time of renewal
Cancel button | Cancels the current operation
Table - Edit User screen elements
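
The MAC address list field accepts addresses separated by commas or placed on separate lines. The following is an added example, not part of the guide or of Cyberoam's software, that checks such a list before it is entered; the function name parse_mac_list and the sample list are assumptions, and the two warning categories come from the IEEE 802 address bits rather than from the guide.

```python
import re

# Six two-digit hex octets separated by colons, the notation the guide uses.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_mac_list(text):
    """Split a MAC binding list on commas and newlines and classify entries.

    Hypothetical helper (not a Cyberoam function). Returns a dict with:
      valid      - normalized (upper-case) unique addresses, in input order
      invalid    - entries that are not six colon-separated hex octets
      duplicates - addresses that appear more than once
      warnings   - (address, reason) pairs for addresses that are well formed
                   but a poor choice for identifying one machine
    """
    result = {"valid": [], "invalid": [], "duplicates": [], "warnings": []}
    seen = set()
    for raw in re.split(r"[,\n]", text):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank lines
        if not _MAC_RE.match(entry):
            result["invalid"].append(entry)
            continue
        mac = entry.upper()
        if mac in seen:
            if mac not in result["duplicates"]:
                result["duplicates"].append(mac)
            continue
        seen.add(mac)
        result["valid"].append(mac)
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Lowest bit of the first octet set: a group address, which is
            # never the burned-in address of a single network card.
            result["warnings"].append((mac, "group (multicast/broadcast) address"))
        elif first_octet & 0x02:
            # Second-lowest bit set: assigned in software, not by the vendor.
            result["warnings"].append((mac, "locally administered address"))
    return result


# Constructed sample list mixing both separators the guide allows.
# 01:23:45:67:89:AB is the guide's own placeholder value; the rest are made up.
SAMPLE = """00:08:76:16:BC:21, 00:08:76:16:bc:21
01:23:45:67:89:AB
02:1A:2B:3C:4D:5E,
00-08-76-16-BC-22
00:08:76:16:BC:2G
"""

if __name__ == "__main__":
    for key, values in parse_mac_list(SAMPLE).items():
        print(key, values)
```

A client can set its MAC address in software, so the binding list narrows where a login is expected to come from but is not proof of which machine is connecting.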


Change Personal details

Screen - Change User Personal details

Screen Elements | Description
Personal Information |
Username | Displays the name with which user has logged in
Name | User name, modify if required
New password | Type the new password
Re-enter New password | Re-enter new password. Should be same as typed in new password.
Birth date | Displays birth date, modify if required. Use Popup Calendar to change.
Email | Displays Email ID of the user, modify if required
User type | Displays User type, modify if required
Update button | Updates the changes made
Cancel button | Cancels the current operation and returns to Edit User page
Table - Change User personal details screen elements
User My Account

User My Account gives details like Personal details and Internet usage of a particular user. User can
change his/her password using this tab.

Administrator and User both can view these details.


1. Administrator can view details of various users from User → User → Manage Active by clicking the
Username whose details are to be checked. Click User My Account; it opens a new browser window.

Screen - User My Account


2. Normal Users can view their MyAccount details from task bar.


In the task bar, double click the Cyberoam client icon and click My Account. It opens a new window
and prompts for MyAccount login Username and Password.

Screen - User My Account

Opens a new window with following sub modules: Personal, Client, Account status, Logout

Personal
Allows viewing and updating password and personal details of the user
Change Password
Select Personal → Change Password

Screen - Change Password

Screen Elements | Description
Change Password |
Username | Displays the name with which user has logged in
Current Password | Type the current password
New password | Type the new password
Re-enter New password | Re-enter new password. Should be same as new password.
Update | Update the changes made
Table - Change password screen elements
Change Personal details
Select Personal → Personal Detail


Screen - Change Personal details

Screen Elements | Description
Personal Information |
Username | Displays the name with which user logs in. Cannot be modified.
Name | Displays User name, modify if required
Birth Date | Displays birth date. Use Popup Calendar to change.
Email | Displays Email ID of the user. Cannot be modified.
Update | Update the changes made
Table - Change Personal details screen elements

Account status
Allows viewing Internet usage of the user
Internet Usage

Screen - Internet Usage Status

Screen Elements | Description
Policy Information |
Username | Displays the name with which user has logged in
Group | Displays the name of the User Group
Time allotted to User (HH:mm) | Displays total surfing time allotted to the user in the Surfing time policy
Expiry date | Displays Expiry date
Time used by User (HH:mm) | Displays total time used by the User
Usage Information |
Upload Data transfer | Displays allotted, used and remaining upload data transfer. Allotted upload data transfer is configured from Data transfer policy.
Download Data transfer | Displays allotted, used and remaining download data transfer. Allotted download data transfer is configured from Data transfer policy.
Total Data transfer | Displays allotted, used and remaining total data transfer. Allotted total data transfer is configured from Data transfer policy.
Get Internet Usage information for month | Select Month and Year
Submit button | Click to view the Internet usage report for the selected period
Table - Internet Usage screen elements

Report displays IP address from where user had logged in, session start and stop time, total used time,
data uploaded and downloaded during the session and total data transferred during the session.

Change Group

Screen - Change Group

Screen Elements | Description
Policy Information |
Change Group button | Opens a new window and displays list of Groups. Click to change the User group.
Select | Click to select
Done button | Adds User to the Group
Cancel button | Cancels the current operation
Table - Change Group screen elements
Change Individual Policy

Screen Elements | Description
Policy Information |
Access Time policy | Specify Access Time policy. It overrides the assigned Group Access time policy. Click Access policy list to select.
Internet Access policy | Specify Internet Access policy. It overrides the assigned Group Internet Access policy. Click Internet Access policy list to select.
Bandwidth policy | Specify Bandwidth policy. It overrides the assigned Group Bandwidth policy. Click Bandwidth policy list to select.
Data Transfer policy | Specify Data Transfer policy. It overrides the assigned Group Data Transfer policy. Click Data Transfer policy list to select.
Save | Saves the changes
Table - Change Individual policy

Delete User
User can be deleted from Active list as well as from Inactive list

To delete an active user, click User → User → Manage Active

Screen - Delete Active User

To delete an inactive user, click User → User → Manage Inactive

Screen - Delete Inactive User

To delete a Clientless user, click User → Clientless User → Manage Clientless User

Screen - Delete Clientless User


Screen Elements | Description
Sel checkbox | Click against the User to be deleted. More than one user can also be selected.
Select All checkbox | Selects all the users for deletion. Click to select all.
Delete button | Deletes all the selected User(s)
Table - Delete clientless User screen elements

Inactivate User
A User is de-activated automatically when he/she has overused one of the resources defined by the
policies assigned to him/her. If the need arises to de-activate a user manually, select User → User →
Manage Active

Screen - Deactivate User

Screen Elements | Description
Sel checkbox | Click against the user to be inactivated. More than one user can be selected.
Select All checkbox | Select all the users
Deactivate button | Inactivates all the selected User(s)
Table - Deactivate User screen elements

View the list of deactivated users from User → User → Manage Inactive

Activate User

To activate a normal or single sign on Client user, click User → User → Manage Inactive

To activate a Clientless user, click User → Clientless Users → Manage Clientless Users

Screen - Activate Normal User


Screen - Activate Clientless User

Screen Elements | Description
Sel checkbox | Click against the user to be activated
Select All checkbox | Selects all the users
Activate button | Activates all the selected User(s)
Table - Activate User screen elements


System Management
Configure Network
Network setting consists of Interface Configuration, DHCP Configuration and DNS Configuration.

Configure DNS
A Domain Name Server translates domain names to IP addresses and is configured at the time of
installation.
You can add additional IP addresses of the DNS servers to which Cyberoam can connect for name
resolution. When multiple DNS servers are configured, they are queried in the order in which they are
entered.

Select System → Configure Network → Configure DNS

Screen - Configure DNS

To add DNS Server IP address


1. Select System → Configure Network → Configure DNS
2. Click Obtain DNS from DHCP to override the appliance DNS with the DNS address received from
DHCP server. Option is available only if enabled from Network Configuration Wizard.
3. Click Add button.
4. Enter DNS server IP address
5. Click OK button
6. Click Save button to save the configuration

List order indicates preference of DNS. If more than one Domain name server exists, query will be
resolved according to the order specified. Use Move Up & Move Down buttons to change the order of
DNS.

To add multiple DNS repeat the above-described procedure.


To change the DNS order


1. Select System → Configure Network → Configure DNS
2. Click the Server IP address whose order is to be changed
3. Click Move up or Move Down button as per the requirement
4. Click Save button to save the changes

To remove DNS Server


1. Select System → Configure Network → Configure DNS
2. Click the Server IP address you want to remove
3. Click Remove button
4. Click Save button to save the changes


Dynamic Host Configuration Protocol (DHCP)


Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to the hosts on a
network, reducing the Administrator's configuration task. Instead of requiring administrators to assign,
track and change (when necessary) the IP address of every host on a network, DHCP does it all
automatically. Furthermore, DHCP ensures that duplicate addresses are not used.

Cyberoam acts as a DHCP server and assigns a unique IP address to a host, and releases the address as
the host leaves and re-joins the network. A host can have a different IP address every time it connects
to the network. In other words, it provides a mechanism for allocating IP addresses dynamically so that
addresses can be re-used.

This section describes:

- Configuring DHCP services
- Viewing current IP leases
- Disabling DHCP services
- Updating DHCP services

Enable DHCP service on an Interface

Select System → Configure Network → Configure DHCP server

Screen - Configure DHCP


Screen Elements | Description
DHCP Server Details |
Interface | Select the internal interface LAN, DMZ or virtual sub interface that is to be used for leasing IP addresses i.e. act as a DHCP server. DHCP service cannot be configured on Interface alias.
Lease Type | Available options: Static - If you always want to assign specific IP addresses to some or all clients, you can define static MAC address to IP address mappings. For defining MAC-IP mapping, you should know the MAC address of the client's network card. The MAC address is usually specified in hexadecimal digits separated by colons (e.g., 00:08:76:16:BC:21). Specify host name, MAC and IP address and click Add button to add the MAC-IP mapping. Dynamic - Specify range of IP address from which DHCP server must assign to the clients and subnet mask for the IP address range. It is also possible to configure multiple IP ranges for the same interface.
Subnet Mask | Specify subnet mask for the client/network
Domain name | Specify domain name for the specified subnet
Gateway | Specify IP address of default Gateway or click Use Interface IP as Gateway
Default Lease Time and Max Lease Time | DHCP client must ask the DHCP server for new settings after the specified maximum lease time. The lease time can range from 1 to 43200 seconds (30 days). Default lease time is 10 minutes while maximum lease time is 120 minutes.
Conflict Detection (only if lease type is Dynamic) | Enable IP conflict detection to check the IP before leasing i.e. if enabled the already leased IP will not be leased again.
DNS server | Click Use Cyberoam's DNS settings or enter IP address of one or two DNS servers
WINS server | Specify IP address of one or two WINS servers
Save button | Saves details
Cancel button | Cancels the current operation and returns to the Manage DHCP server page
Table - Configure DHCP screen elements
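
An added example, not Cyberoam code: a pre-check of the values entered on the Configure DHCP screen for one interface, flagging overlapping dynamic ranges, static MAC-IP mappings that fall inside a dynamic range or repeat a MAC or IP address, and a gateway outside the subnet. The function name, the argument layout and all sample addresses are assumptions made for the example.

```python
import ipaddress


def check_dhcp_scope(subnet, gateway, dynamic_ranges, static_map):
    """Return a list of problems found in one interface's DHCP settings.

    Hypothetical helper (not a Cyberoam function).
    subnet         - network with mask, e.g. "192.168.10.0/255.255.255.0"
    gateway        - default gateway handed to clients
    dynamic_ranges - (start_ip, end_ip) pairs for the Dynamic lease type
    static_map     - (host_name, mac, ip) rows for the Static lease type
    """
    problems = []
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")

    # Normalize each dynamic range and check it on its own.
    ranges = []
    for start, end in dynamic_ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"range {lo}-{hi} is reversed")
            lo, hi = hi, lo
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is outside {net}")
        ranges.append((lo, hi))

    # Several ranges may exist on one interface, but they must not overlap.
    ranges.sort()
    for i, (lo, hi) in enumerate(ranges):
        for lo2, hi2 in ranges[i + 1:]:
            if lo2 <= hi:
                problems.append(f"ranges {lo}-{hi} and {lo2}-{hi2} overlap")

    def in_dynamic(ip):
        return any(lo <= ip <= hi for lo, hi in ranges)

    if in_dynamic(gw):
        problems.append(f"gateway {gw} is inside a dynamic range")

    # Static rows: each MAC and each IP may be used once, outside the pools.
    seen_mac, seen_ip = {}, {}
    for host, mac, ip_text in static_map:
        ip = ipaddress.ip_address(ip_text)
        mac = mac.upper()
        if ip not in net:
            problems.append(f"{host}: static IP {ip} is outside {net}")
        if in_dynamic(ip):
            problems.append(f"{host}: static IP {ip} is also inside a dynamic range")
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} is already mapped to {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"{host}: IP {ip} is already mapped to {seen_ip[ip]}")
        seen_mac.setdefault(mac, host)
        seen_ip.setdefault(ip, host)
    return problems


# Constructed sample configuration with three deliberate mistakes.
SAMPLE = {
    "subnet": "192.168.10.0/255.255.255.0",
    "gateway": "192.168.10.1",
    "dynamic_ranges": [
        ("192.168.10.100", "192.168.10.150"),
        ("192.168.10.140", "192.168.10.200"),
    ],
    "static_map": [
        ("printer", "00:08:76:16:BC:21", "192.168.10.20"),
        ("fileserver", "00:08:76:16:bc:22", "192.168.10.120"),
        ("kiosk", "00:08:76:16:BC:21", "192.168.10.21"),
    ],
}

if __name__ == "__main__":
    for line in check_dhcp_scope(**SAMPLE):
        print(line)
```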

View DHCP leased IP address list


Cyberoam, acting as a DHCP server, assigns or leases an IP address from an address pool to a host
DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the
address.

View a list of leased IP addresses from System → Configure Network → Configure DHCP
server by clicking the Show Leased IP List button

The following information is available in the leased IP list:

- Leased IP address
- Lease start and end time
- Physical address or MAC address and name of the host


Screen - View DHCP leased IP list

Update DHCP configuration

To update the DHCP services, go to System → Configure Network → Configure DHCP server and click
the Interface

Screen - Update DHCP configuration


Screen Elements | Description
DHCP Server Details |
Interface | Displays the internal interface LAN, DMZ or virtual sub interface that is to be used for leasing IP addresses i.e. act as a DHCP server. DHCP service cannot be configured on Interface alias. Cannot be modified.
Lease Type | Available options: Static - If you always want to assign specific IP addresses to some or all clients, you can define static MAC address to IP address mappings. For defining MAC-IP mapping, you should know the MAC address of the client's network card. The MAC address is usually specified in hexadecimal digits separated by colons (e.g., 00:08:76:16:BC:21). Specify host name, MAC and IP address and click Add button to add the MAC-IP mapping. Dynamic - Specify range of IP address from which DHCP server must assign to the clients and subnet mask for the IP address range. It is also possible to configure multiple IP ranges for the same interface.
Subnet Mask | Displays subnet mask for the client/network, modify if required
Domain name | Displays domain name for the specified subnet, modify if required
Gateway | Displays IP address of default Gateway or click Use Interface IP as Gateway, modify if required
Default Lease Time and Max Lease Time | DHCP client must ask the DHCP server for new settings after the specified maximum lease time. The lease time can range from 1 to 43200 seconds (30 days). Default lease time is 10 minutes while maximum lease time is 120 minutes.
Conflict Detection (only if lease type is Dynamic) | Enable IP conflict detection to check the IP before leasing i.e. if enabled the already leased IP will not be leased again. Modify if required.
DNS server | Click Use Cyberoam's DNS settings or enter IP address of one or two DNS servers. Modify if required.
WINS server | Displays configured IP address of WINS servers, modify if required
Update button | Saves details
Cancel button | Cancels the current operation and returns to the Manage DHCP server page

Disable DHCP services

To disable the DHCP services from an interface, go to System → Configure Network → Configure DHCP
server, click the Del checkbox against the Interface and click the Delete button.

Screen - Disable DHCP service


Configure DHCP relay agent


The DHCP Relay Agent allows you to place DHCP clients and DHCP servers on different networks.
Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and
therefore all the computers on the segment can listen and respond to these broadcasts. But things get
complicated when there is more than one subnet on the network. This is because the DHCP broadcast
messages do not, by default, cross the router interfaces.

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do
not support forwarding of these types of messages. The DHCP Relay Agent enables DHCP clients to
obtain IP addresses from a DHCP server on a remote subnet, i.e. one which is not located on the local
subnet. If DHCP Relay Agent is not configured, clients would only be able to obtain IP addresses from
the DHCP server which is on the same subnet.

Cyberoam can act as a Relay Agent, and the agent can be configured from System → Configure
Network → DHCP Relay. The page allows you to configure Cyberoam's Internal Interface as a DHCP relay
agent, view the list of interfaces configured to serve as a DHCP relay agent, and delete an agent.

Cyberoam cannot act as DHCP server and DHCP Relay Agent simultaneously. Hence if Cyberoam is
configured as DHCP Relay Agent, you will not be able to configure it as a server and vice-versa.

Screen - Configure DHCP Relay Agent

Screen Elements | Description
DHCP Relay Settings |
Interface | Select the internal interface LAN, DMZ or virtual sub interface that should act as a DHCP relay agent. Interface alias cannot be configured as relay agent.
DHCP server IP | Specify DHCP server IP address. DHCP requests arriving on the above selected interface will be forwarded to this DHCP server.
Save button | Saves details
Cancel button | Cancels the current operation and returns to the Manage DHCP Relay page
Table - Configure DHCP Relay Agent screen elements

Update DHCP Relay Agent

To update the DHCP relay agent, go to System → Configure Network → Configure DHCP
Relay and click the Interface


Screen - Modify DHCP Relay Agent

Screen Elements | Description
DHCP Relay Settings |
Interface | Displays the internal interface LAN, DMZ or virtual sub interface that acts as a DHCP relay agent. Interface alias cannot be configured as relay agent. Cannot be modified.
DHCP server IP | Displays DHCP server IP address. DHCP requests arriving on the above selected interface will be forwarded to this DHCP server. Modify if required.
Update button | Saves details
Cancel button | Cancels the current operation and returns to the Manage DHCP Relay page
Table - Modify DHCP Relay Agent screen elements


View Interface details


Use to:
- view the Interface configuration
- add interface alias

Manage Interface

Select System → Configure Network → Manage Interface to view port wise network
(physical interface) and zone details. If virtual subinterfaces are configured for VLAN implementation,
they are also nested and displayed beneath the physical interface.

Interface - Physical interfaces/ports available on Cyberoam. If a virtual subinterface is configured for
the physical interface, it is also displayed beneath the physical interface. Virtual subinterface
configuration can be updated or deleted.

Add Alias button - Click to specify alias IP address for the interface. Refer to Configure Alias IP
address for more details

Add VLAN Subinterface button - Click to add VLAN interface. Refer to Define
VLAN for more details

Toggle Drill Down icon - Click to view the virtual subinterfaces defined for the said physical interface
Edit icon - Click to edit IP address and netmask of physical or virtual subinterface
Delete icon - Click to delete virtual subinterface. A virtual subinterface cannot be deleted if it is a
member of any zone or if a firewall rule is defined for it.

Zone and Zone Type - Displays port to zone relationship i.e. zone membership of port. If PPPoE is
configured, WAN port will be displayed as the PPPoE Interface.

Screen - Manage Interface

Add Interface Alias

Select System → Configure Network → Manage Interface to open page

Screen - Add Alias


Screen Elements | Description
Add Alias |
Physical Interface | Select the physical interface for which Alias is to be added. Alias cannot be added for the virtual interface.
Alias | Click Single or Range to define one or multiple IP address for the Alias
IP Address and netmask | Specify IP address and Netmask
Add button | Click to save the details
Table - Add Alias screen elements

Edit Interface Alias details

Select System → Configure Network → Manage Interface to open page

Screen - Edit Alias

Screen Elements | Description
Update Alias |
Interface | Displays physical interface for which Alias is added
IP Address and netmask | Modify IP address and Netmask
Update button | Click to save the details
Table - Edit Alias screen elements

Delete Interface Alias details

Select System → Configure Network → Manage Interface to open page and click the Delete
icon against the alias to be deleted

Screen - Delete Alias


Configuring Dynamic DNS service


Dynamic DNS (Domain Name Service) is a method of keeping a static domain/host name linked to a
dynamically assigned IP address allowing your server to be more easily accessible from various locations
on the Internet.

Powered by Dynamic Domain Name System (DDNS), you can now access your Cyberoam server by the
domain name, not the dynamic IP address. DDNS will tie a domain name (e.g. mycyberoam.com, or
elitecore.cyberoam.com) to your dynamic IP address.

Register hostname with DDNS service provider

Select System Dynamic DNS Configuration Create Account to open configuration page

Screen - Register Hostname with DDNS

Screen Elements | Description
Host Name Detail |
Hostname | Specify hostname you want to use on DDNS server i.e. domain name that you registered with your DDNS service provider
Description | Specify description
Service Providers details |
Service name | Select Service provider with whom you have registered your hostname.
Login Name and Password | Specify your DDNS account's login name and password
IP detail |
IP address | Select WAN Interface if Cyberoam WAN interface is assigned Public IP address. IP address of the selected interface will be bound to the specified host name. Select NATed Public IP if Cyberoam WAN interface is assigned private IP address and is behind NAT box.
Check IP address | Specify whether DDNS should check for server IP address update through standard or non-standard port.
IP Update Checking Interval | Enter the time interval after which DDNS server should check and update the IP address of your server if changed. For example if time interval is set to 10 minutes, after every 10 minutes, DDNS server will check for any changes in your server IP address.
Create button | Click Create to save the configuration
Table - Register hostname with DDNS

Testing your Dynamic DNS configuration

You can test your Dynamic DNS by:

- Accessing your Cyberoam server using the host name you have registered with DDNS service provider -
If you are able to access Cyberoam then your configuration is correct and DDNS is working properly.
- Pinging your host - If you get the IP address of your external interface then your configuration is
correct and DDNS is working properly.

Manage Account
Check the IP address update status from the Manage Account page. It also displays the reason in case
the update was not successful.

Select System Dynamic DNS Configuration Manage Account to open configuration page and click the
hostname to be updated.


PPPoE
PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a
remote site using various Remote Access Service products. This protocol is typically found in the
broadband network of a service provider. The ISP may then allow you to obtain an IP address
automatically or give you a specific IP address.

PPPoE Access Concentrator is a router that acts as a server in a Point-to-Point Protocol over Ethernet
(PPPoE) session and is used:
- For Ethernet LANs, to assign IP addresses to workstations, e.g. Multi-apartment buildings, Offices, to
provide user authentication and accounting
- In schools and universities, computer classes
- For connections to Wireless ISPs
- For connections to xDSL providers

Access Concentrators (AC), also known as PPPoE Termination units, answer the PPPoE request coming
from a client site PPPoE application for PPP negotiation and authentication.

When using Cyberoam as a PPPoE client, computers on LAN are transparent to WAN side PPPoE link.
This relieves the Administrator of having to manage the PPPoE clients on the individual computers.

To configure PPPoE Interface


Before configuring the Interface for PPPoE:
1. Run Wizard from Web Admin Console
2. In the Network Configuration, for the WAN port:
   - Enable option Obtain an IP from PPPoE
   - Under PPPoE Details, specify PPPoE username and password
3. Click Finish to exit from Wizard
4. To confirm, log on to Web Admin Console and go to System → Configure Network → View Interface
Details. PPPoE Interface will be defined under the WAN zone.

Note:
- A new dynamic IP address will be leased to the PPPoE Interface each time a new PPP session is
established with the Access Concentrator
- IP address in Firewall rules will automatically change when the new IP address is leased
- If multiple gateways are defined then IP address in the failover condition will automatically change
when the new IP address is leased
- As IP address to PPPoE interface is assigned dynamically:
  a) Network Configuration from Telnet Console will not display the PPPoE interface configuration
  b) You will not be able to change the IP address of the PPPoE interface from Telnet Console using
  Network Configuration

Select System → Configure Network → View Interface Details and click PPPoE Interface


Screen PPPoE configuration

Screen Elements - Description

PPPoE Configuration
Interface - Displays the port which is configured as PPPoE Interface from Wizard
User and Password - Specify username and password. Username and password should be the same as specified in the Network Configuration using Wizard
Access Concentrator Name - Specify Access Concentrator name (PPPoE server).
  Cyberoam will initiate sessions with the specified Access Concentrator only. In most cases, you can leave this field blank. Use it only if you know that there are multiple Access Concentrators.
Service name - Specify Service Name.
  Cyberoam will initiate only those sessions with the Access Concentrator which can provide the specified service. In most cases, you can leave this field blank. Use it only if you need a specific service.
LCP Interval - Specify LCP interval in seconds. Default is 20 seconds. Every 20 seconds an LCP echo request is sent to check whether the link is alive or not.
  LCP echo request and reply can be disabled by setting LCP Interval and LCP Failure to zero
LCP Failure - Specify Failure. Default is 3 attempts. Cyberoam will wait for the LCP echo request response for the LCP interval defined after every attempt. Cyberoam declares the PPPoE link as closed if it does not receive a response after the defined attempts.
Update button - Click Update to save the configuration
Table - PPPoE configuration screen elements

Establish PPPoE session


1. Select System Configure Network View Interface Details and click PPPoE Interface through
which you want to establish connection
2. Click Reconnect. It establishes 128-bit tunnel with Access Concentrator. Cyberoam will automatically
detect the presence of PPPoE server on the WAN interface.

Remove PPPoE Interface configuration


1. Run Wizard from Web Admin Console
2. In the Network Configuration, for the WAN port: Enable option Use Static IP
3. Click Finish to exit from Wizard. To confirm, log on to Web Admin Console, go to System Configure
Network View Interface Details and check under WAN zone


Manage Gateway
Gateway routes traffic between the networks and if gateway fails, communication with outside Network is
not possible. In this case, organization and its customers face significant downtime and financial loss.

By default, Cyberoam supports only one gateway. However, since organizations opt for multiple
gateways to cope with gateway failure problems, Cyberoam also provides an option for supporting
multiple gateways. However, simply adding one more gateway is not an end to the problem. Optimal
utilization of all the gateways is also necessary.

Cyberoam not only supports multiple gateways but also provides a way to utilize total bandwidth of all the
gateways optimally.

At the time of installation, you configured the IP address for a default gateway through Network
Configuration Wizard. You can change this configuration any time and configure additional gateways.
You can use Multi Link Manager to configure multiple gateways for load balancing and failover.

By default, all the gateways defined through Network Configuration Wizard are Active gateways.

If more than one link is terminating on Cyberoam and you want to configure traffic load balancing or
failover, refer to Multi link Configuration Guide. Policy based routing can be done from firewall rule.

To view the Gateway details, select System Gateway Manage Gateway(s)

Screen Gateway Configuration


Screen Elements - Description

Gateway Details
Gateway Name - Displays Gateway name
Gateway IP address and port - Displays IP address and port of the Gateway configured
  IP address of a device Cyberoam uses to reach devices on a different Network, typically a router
Gateway Type - Gateway type specifies whether traffic will be routed through the gateway or not.
  Active - Default gateway
  Backup - A gateway that can be used in an active/passive setup, where traffic is routed through the Backup gateway only when the Active gateway is down
  By default, all the gateways defined through Network Configuration Wizard are Active gateways. To add a gateway and configure load balancing and failover, refer to Multi link Configuration Guide.
  Failover condition will be effective only if more than one gateway is configured.
Save button - Saves the modified details
  Click to save
Cancel button - Cancels the current operation and returns to Manage Gateway page
  Click to cancel
Table - Gateway Configuration screen elements


DoS Settings
Cyberoam provides several security options that cannot be defined by the firewall rules. This
includes protection from several kinds of Denial of Service attacks. These attacks disable
computers and circumvent security.

Denial of Service (DoS) attack is a method hackers use to prevent or deny legitimate users access
to a service.

DoS attacks are typically executed by sending many request packets to a targeted server (usually
Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their
goal is not to steal the information but disable or deprive a device or network so that users no
longer have access to the network services/resources.

All servers can handle traffic volume up to a maximum, beyond which they become disabled.
Hence, attackers send a very high volume of redundant traffic to a system so it cannot examine
and allow permitted network traffic. The best way to protect against a DoS attack is to identify and
block such redundant traffic.

Packet rate per Source


Total number of connections or packets allowed to a particular user.

Burst rate per Source


Maximum number of packets allowed to a particular user at a given time.

Packet rate per Destination


Total number of connections or packets allowed from a particular user.

Burst rate per Destination


Maximum number of packets allowed from a particular user at a given time.

How it works
When the burst rate is crossed, Cyberoam considers it an attack. Cyberoam provides DoS
attack protection by dropping all the excess packets from the particular source/destination.
Cyberoam will continue to drop the packets till the attack subsides. Because Cyberoam applies the
threshold value per IP address, only traffic from the particular source/destination will be dropped,
while the rest of the network traffic will not be dropped at all, i.e. traffic from the remaining IP
addresses will not be affected at all.

Time taken to re-allow traffic from the blocked source/destination = time taken to subside the
attack + 30 seconds

For example
Packet rate per Source - 100 packets per second
Burst rate per Source - 200 packets per second

When a user starts sending requests, initially the user will be able to send 200 packets per second, but
once the 200 packets are received, in the next phase the user will be able to send only 100 packets
per second. So in the next phase, if the user sends 150 packets per second, Cyberoam will consider it
an attack and drop 50 (150 - 100) packets. Cyberoam will accept traffic from the user only after
30 seconds of dropping the packets.

Threshold values
Cyberoam uses packet rate and burst rate values as threshold values to detect a DoS attack. These
values depend on various factors like:
Network bandwidth
Nature of traffic
Capacity of servers in the network

These values are applicable to the individual source or destination i.e. requests per user/IP
address and not globally to the entire network traffic. For example, if source rate is 2500
packets/minute and the network consists of 100 users then each user is allowed packet rate of
2500 packets per minute.

Configuring high values will degrade the performance and too low values will block the regular
requests. Hence it is very important to configure appropriate values for both source and destination
IP address.
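
The "How it works" example and the per-IP thresholds above can be modelled as a token bucket kept separately for each source address. The following Python model is an added example, not Cyberoam code: the class and function names, the sample addresses, the per-second units taken from the worked example, and the choice to drop all traffic from a flagged source during the 30-second hold are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

HOLD_SECONDS = 30  # page: re-allow = time for the attack to subside + 30 seconds


@dataclass
class SourceState:
    tokens: int          # packets this source may still send right now
    last_seen: int       # second of the previous observation
    blocked_until: int   # first second at which traffic is accepted again


class PerSourceLimiter:
    """Packet rate / burst rate thresholds applied to each source IP on its own."""

    def __init__(self, packet_rate: int, burst_rate: int):
        if not 0 < packet_rate <= burst_rate:
            raise ValueError("expected 0 < packet_rate <= burst_rate")
        self.packet_rate = packet_rate   # sustained packets per second
        self.burst_rate = burst_rate     # most packets accepted at one time
        self.sources: dict[str, SourceState] = {}

    def offer(self, src: str, second: int, packets: int) -> tuple[int, int]:
        """Return (accepted, dropped) for `packets` sent by `src` in `second`."""
        st = self.sources.get(src)
        if st is None:
            # A new source starts with the full burst allowance.
            st = SourceState(self.burst_rate, second, 0)
            self.sources[src] = st
        if second < st.last_seen:
            raise ValueError("observations must be in time order per source")

        # Allowance grows by packet_rate per elapsed second, capped at burst_rate.
        elapsed = second - st.last_seen
        st.tokens = min(self.burst_rate, st.tokens + elapsed * self.packet_rate)
        st.last_seen = second

        if second < st.blocked_until:
            # Assumption: a flagged source is dropped entirely during the hold.
            if packets > self.packet_rate:
                # Attack has not subsided, so the 30-second hold starts again.
                st.blocked_until = second + 1 + HOLD_SECONDS
            return 0, packets

        accepted = min(packets, st.tokens)
        dropped = packets - accepted
        st.tokens -= accepted
        if dropped:
            # Threshold crossed: excess is dropped and the source is flagged.
            st.blocked_until = second + 1 + HOLD_SECONDS
        return accepted, dropped


# Constructed trace: (second, source IP, packets offered during that second).
TRACE = [
    (0, "192.0.2.10", 200),   # initial burst, within the burst rate
    (1, "192.0.2.10", 150),   # 50 above the packet rate
    (1, "192.0.2.20", 80),    # a different source in the same second
    (2, "192.0.2.10", 50),    # inside the hold
    (31, "192.0.2.10", 50),   # last second of the hold
    (32, "192.0.2.10", 50),   # accepted again
]


def replay(trace, packet_rate=100, burst_rate=200):
    """Run a trace through one limiter; rows are (second, src, accepted, dropped)."""
    limiter = PerSourceLimiter(packet_rate, burst_rate)
    return [(t, src) + limiter.offer(src, t, n) for t, src, n in trace]


if __name__ == "__main__":
    for second, src, accepted, dropped in replay(TRACE):
        print(f"t={second:>2}s {src:<11} accepted={accepted:<3} dropped={dropped}")
```

The second source is never affected by the first one crossing its threshold, which is the per-IP behaviour the section describes.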

Configure DoS Settings

Select Firewall DoS Setting

Screen DoS Settings

Define the attack definition from Firewall DoS Settings


(Attack definition can be defined both for source and destination)

4. Define SYN flood.


Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and
destination.

Click Apply Flag checkbox to apply the SYN flood definition and control the allowed number
of packets.

Click SYN Flood to view the real time updates on flooding. It displays the source IP address -
which was used for flooding and IP address which was targeted.


SYN Flood is an attack in which large numbers of connection requests are sent so that the backlog
queue overflows. A connection is created when the victim host receives a connection
request and allocates some memory resources for it. A SYN flood attack creates so many
half-open connections that the system becomes overwhelmed and cannot handle incoming
requests any more.

5. Define UDP flood


Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and
destination.

Click Apply Flag checkbox to apply the UDP flood definition and control the allowed number
of packets.

Click UDP Flood to view the real time updates on flooding. It displays the source IP address
- which was used for flooding and IP address which was targeted.

User Datagram Protocol (UDP) Flood links two systems. It hooks up one system's UDP
character-generating service with another system's UDP echo service. Once the link is
made, the two systems are tied up exchanging a flood of meaningless data.

6. Define TCP flood


Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and
destination.

Click Apply Flag checkbox to apply the TCP flood definition and control the allowed number
of packets.

TCP attack sends such a huge number of TCP packets that the host/victim computer cannot
handle them.

7. Define ICMP flood


Configure Packet Rate (packets/minute) and Burst Rate (packets/second) for source and
destination.

Click Apply Flag checkbox to apply the ICMP flood definition and control the allowed number
of packets.

Click ICMP Flood to view the real time updates on flooding. It displays the source IP address
- which was used for flooding and IP address which was targeted.

ICMP attack sends such a huge amount of packets/traffic that the protocol implementation of the
host/victim computer cannot handle it.

8. Drop Source Routed Packets


Click Apply Flag checkbox to enable. This will block any source routed connections or any
packets with internal address from entering your network.

9. Disable ICMP redirect packet


An ICMP redirect packet is used by routers to inform the hosts what the correct route should
be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables
on the host and possibly weaken the security of the host by causing traffic to flow via another
path.

Set the flag to disable the ICMP redirection.

10. Disable ARP flooding


ARP attack sends ARP requests at a very high rate to the server. Because of this, server is
overloaded with requests and will not be able to respond to the valid requests. Cyberoam
protects by dropping such invalid ARP requests.

11. Click Update button to save the configuration


Bypass DoS Settings


Cyberoam allows bypassing the DoS rule in case you are sure that the specified
source/destination will never be used for flooding or want to ignore if flooding occurs from the
specified source.

Create DoS bypass rule

Select Firewall Bypass DoS

Screen Create DoS bypass rule

Screen Elements - Description

Source and Destination Information
Source Domain name/IP Address - Source Domain name, IP address or Network on which the DoS rule is not to be applied
  Specify source information
  Specify * if you want to bypass the complete network
Source Port - Specify source port address.
  Specify * if you want to bypass all the ports
  DoS will not be applied on all the requests from the specified source IP address and port
Destination Domain name/IP Address - Destination Domain name or IP address on which the DoS rule is not to be applied
  Specify destination information
  Specify * if you want to bypass the complete network
Destination Port - Specify destination port address.
  Specify * if you want to bypass all the ports
  DoS will not be applied on all the requests from the specified destination IP address and port
Network Protocol - Select protocol whose traffic is to be bypassed for specified source to destination.
  For example, if you select TCP protocol then DoS rules will not be applied on the TCP traffic from the specified source to destination.
Create button - Creates the bypass rule
Table - Create DoS bypass rule screen elements

Delete DoS bypass rule

Select Firewall Bypass DoS

Screen Delete DoS bypass rule

Screen Elements Description


Del checkbox Click against the rule to be deleted
Select All checkbox Click to select all the rules for deletion
Delete button Click to delete all the selected rules
Table Delete DoS bypass rule screen elements


Reset Console Password


You can change Telnet Console password from Web based Console or Telnet Console itself. To
change password from Telnet Console, refer to Cyberoam Console guide.

Select System Reset Console Password

Screen - Reset Console Password

Screen Elements - Description

Reset Console Password
GUI Admin Password - Specify current Web Admin Console password, i.e. the password with which Administrator has logged on to Web Admin Console
New password - Specify new console password
Confirm New password - Type again the same password as entered in the New password field
Submit button - Saves new password
  Click Submit
Table - Reset Console Password screen elements


ARP
ARP (Address Resolution Protocol) is a protocol that TCP/IP uses to translate an IP address into a MAC
address (physical network address). In other words, it maps layer 3 (IP addresses) to layer 2
(physical or MAC addresses) to enable communications between hosts residing on the same
subnet.

It is used by hosts that are directly connected on a local network, which use unicast transmissions,
broadcast transmissions or both to communicate directly with each other. A host finds the physical
address of another host on its network by sending an ARP query packet that includes the IP address of
the receiver. As a broadcast protocol, it can create excessive amounts of traffic on your network. To
minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned
ARP information.

Add Static ARP


ARP traffic is vital to communication on a network and is enabled on Cyberoam interfaces by
default.

A static ARP entry lets you bind a MAC address to a designated IP address and port. This can
be used to ensure that a particular machine can only be used on a specified port on the Cyberoam
appliance. Once the MAC address is bound to a port, the Cyberoam appliance will not respond to
that MAC address on any other port. It will also remove any dynamically cached references to that
MAC address that might be present, and will not allow additional static mappings of that MAC
address.

These entries will be stored in static ARP as well as ARP Cache table. When the Cyberoam
appliance receives the ARP request on a particular port, Cyberoam performs the ARP lookup in
the static ARP table. If there is any mismatch in IP address or port Cyberoam considers it as an
ARP poisoning attempt and does not update its ARP Cache.

If the entry is not available in the table, Cyberoam looks it up in the ARP Cache and adds the MAC
address to the ARP Cache if required.
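
The static ARP lookup described above, written out as an added Python example (not Cyberoam code). The table layout, verdict names, port labels and sample addresses are assumptions, and the check that a statically bound IP address is not claimed by a different MAC address goes beyond the mismatch test the text states.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str


def norm_mac(mac: str) -> str:
    """Normalise 00-1A-..., 00:1a:... and 001a.... to lower-case colon form."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class ArpTables:
    """Static ARP table plus a dynamic ARP cache (hypothetical layout)."""

    def __init__(self, static_entries: list[Binding]):
        self.by_mac: dict[str, Binding] = {}
        self.by_ip: dict[str, Binding] = {}
        self.cache: dict[str, tuple[str, str]] = {}   # ip -> (mac, port)
        self.poison_log: list[str] = []
        for entry in static_entries:
            b = Binding(entry.ip, norm_mac(entry.mac), entry.port)
            # Page: a bound MAC address gets no additional static mappings.
            if b.mac in self.by_mac:
                raise ValueError(f"{b.mac} already has a static entry")
            self.by_mac[b.mac] = b
            self.by_ip[b.ip] = b

    def observe(self, ip: str, mac: str, port: str) -> str:
        """Classify one ARP packet seen on `port` claiming `ip` is at `mac`."""
        mac = norm_mac(mac)
        bound = self.by_mac.get(mac)
        if bound is not None:
            # Page: any mismatch in IP address or port is a poisoning attempt.
            if (bound.ip, bound.port) == (ip, port):
                return "static-match"
            return self._poison(f"{mac} bound to {bound.ip}/{bound.port}, "
                                f"seen as {ip}/{port}")
        owner = self.by_ip.get(ip)
        if owner is not None:
            # Added check (assumption): a bound IP claimed by another MAC.
            return self._poison(f"{ip} bound to {owner.mac}, claimed by {mac}")
        # No static entry: fall back to the dynamic cache, learning if needed.
        if self.cache.get(ip) == (mac, port):
            return "cache-hit"
        self.cache[ip] = (mac, port)
        return "learned"

    def _poison(self, detail: str) -> str:
        self.poison_log.append(detail)   # logged; the cache is not updated
        return "poisoning-attempt"


# Constructed sample data (not from the guide).
STATIC = [Binding("192.0.2.5", "02-00-00-AA-BB-01", "PortB")]
OBSERVED = [
    ("192.0.2.5", "02:00:00:aa:bb:01", "PortB"),    # matches the binding
    ("192.0.2.5", "02:00:00:aa:bb:01", "PortC"),    # right IP, wrong port
    ("192.0.2.99", "02:00:00:aa:bb:01", "PortB"),   # right port, wrong IP
    ("192.0.2.5", "02:00:00:aa:bb:66", "PortB"),    # bound IP, different MAC
    ("192.0.2.7", "02:00:00:aa:bb:07", "PortB"),    # no static entry
    ("192.0.2.7", "02:00:00:aa:bb:07", "PortB"),    # already in the cache
]


def run_demo():
    """Return the verdict for each constructed observation and the tables."""
    tables = ArpTables(STATIC)
    verdicts = [tables.observe(*obs) for obs in OBSERVED]
    return verdicts, tables


if __name__ == "__main__":
    verdicts, tables = run_demo()
    for obs, verdict in zip(OBSERVED, verdicts):
        print(obs, "->", verdict)
    print("\n".join(tables.poison_log))
```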

Select System ARP Add

Screen Add Static ARP


Screen Elements - Description

Add Static ARP
IP address - Specify IP address of the host outside the firewall
MAC address - Specify MAC address of the host
Port - Select port
Add as Trusted Entry checkbox - Click checkbox to add the MAC/IP pair in the trusted list
Add button - Adds static ARP entry
  Click Add

Manage ARP list


Cyberoam maintains two types of table for ARP entries: ARP Cache and Static ARP

ARP Cache table


ARP Cache table stores static and dynamic ARP entries. Static ARP entries are defined by
Administrators and are permanent while dynamic ARP entries are the learned entries and are
updated dynamically. Such entries are flushed when cache is cleared at regular time interval.

Go to System ARP Manage to view the list of ARP entries. The page allows you to
navigate and manage ARP entries in both the tables. Select the table type from the dropdown list
to view the ARP entries in the respective table. It lists the IP address, MAC address, port and type of
each entry. Entry type can be static or dynamic. If everything is working properly with ARP, a
dynamic ARP entry will be displayed as Dynamic-Complete, i.e. both MAC and IP values are
there, while Dynamic-Incomplete just means that the ARP request was sent but no reply has yet
been received.

Configure ARP Cache entry timeout


It becomes necessary to flush the ARP cache if the host IP address on the network changes. As
the IP address is linked to a physical address, it can change but can still be associated with the
physical address in the ARP Cache. Flushing the ARP Cache allows new information to be
gathered and stored in the ARP Cache.

Go to System ARP Manage and configure time interval after which the entries in the
cache should be flushed. Time interval should be in the range of 1 to 500 minutes.

If you want to log the poisoning attempts, click LOG possible ARP Poisoning attempt checkbox.

Delete ARP
Select System ARP Manage to view the list of ARP entries and click Del icon against
the IP address to be deleted.


Screen Manage ARP

System Module Configuration


Enable/disable services to enhance the network performance and reduce the potential security
risk. Do not enable any local services that are not in use. Any enabled services could present a
potential security risk. A hacker might find a way to misuse the enabled services to access your
network.

By default, all the services are enabled.

Cyberoam allows enabling/disabling of following services and VPN and Traffic Discovery modules:
TFTP - Trivial File Transfer Protocol (TFTP) is a simple form of the File Transfer Protocol (FTP).
TFTP uses the User Datagram Protocol (UDP) and provides no security features.

PPTP - PPTP (Point-to-Point Tunneling Protocol) is a network protocol that enables secure
transfer of data from a remote client to a private server, creating a VPN tunnel using a TCP/IP
based network

IRC - IRC (Internet Relay Chat) is a multi-user, multi-channel chatting system based on a client-
server model. Single Server links with many other servers to make up an IRC network, which
transport messages from one user (client) to another. In this manner, people from all over the
world can talk to each other live and simultaneously. DoS attacks are very common as it is an
open network and with no control on file sharing, performance is affected.

H323 - The H.323 standard provides a foundation for audio, video, and data communications
across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the
International Telecommunications Union (ITU) that sets standards for multimedia communications
over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS). It
enables users to participate in the same conference even though they are using different
videoconferencing applications.

P2P Traffic Modules - Identifies peer-to-peer (P2P) data in IP traffic. It works together with
connection tracking and connection marking which helps in identifying the bigger part of all P2P
packets and limit the bandwidth rate.

SIP - SIP (Session Initiation Protocol) is a signaling protocol, which enables the controlling of
media communications such as VOIP. The protocol is generally used for maintaining unicast and
multicast sessions consisting of several media systems. SIP is a text based and TCP/IP supported
Application layer protocol.

Select Firewall System Modules and enable or disable the required service and modules.

Screen System Modules Configuration

Manage Data
Backup data
Backup is an essential part of data protection. No matter how well you treat your system, no
matter how much care you take, you cannot guarantee that your data will be safe if it exists in only
one place.

Backups are necessary in order to recover data from the loss due to the disk failure, accidental
deletion or file corruption. There are many ways of taking backup and just as many types of media
to use as well.

Cyberoam provides facility of taking regular and reliable data backup. Backup consists of all the
policies, logs and all other user related information.

Cyberoam maintains five logs:


Web surfing log - This log stores the information of all the websites visited by all the users

User session log - Every time the user logs in, a session is created. This log stores the session
entries of all the users and specifies the login and logout time.

Audit log - This log stores the details of all the actions performed by the User administrating
Cyberoam. Refer to Appendix A Audit Log for more details.

Virus log - This log stores the details of malicious traffic requests received.


Set Backup Schedule

Select System Manage Data Set Backup Schedule

Screen Set Backup schedule

Screen Elements - Description

Backup of Data only (Does not include Logs)
Backup Frequency - Backup schedule. Only data backup will be taken.
  Select any one
  Daily - backup will be sent daily
  Weekly - backup will be sent weekly
  Monthly - backup will be sent monthly
  Never - backup will never be sent
  In general, it is best to schedule backup on a regular basis. How much information you add or change will help you determine the schedule
Incremental Backup of Log files only (in CSV format)
Backup process only copies what has changed since the last backup. This creates a much smaller backup file.
Log - Select the logs for backup. Backup of log files will be taken in CSV format.
  Available logs for backup: Web surfing, Audit
Backup Frequency - Select any one
  Daily - backup will be sent daily
  Weekly - backup will be sent weekly
  Never - backup will never be sent
Set Backup Mode
Backup mode - Specifies how backup should be taken and sent
  If backup is to be stored on FTP server, configure FTP server IP address, username and password to be used.
  If backup is to be mailed, specify the email id to which backup files are to be sent. If the email id field is kept blank, backup will be taken but will not be sent to anyone
  If backup is to be sent to the Cyberoam Central Console (CCC), configure CCC IP address.
Save button - Saves the configuration
Table - Set Backup Schedule screen elements

Backup Data

Select System Manage Data Backup Data

Screen Backup Data

Screen Elements - Description

Backup System Data (Does not include logs)
Backup button - Takes the recent backup and allows to download
  Click Backup data to take backup
Download button (Only if backup is taken previously) - Download the backup already taken. Also displays date and time of backup
  Click Download to download
  To download follow the screen instructions
Backup Log (in CSV format)
Logs - Backup of selected logs will be taken
  Select the logs for backup: Web surfing, Audit
Backup button - Takes the recent backup of logs and allows to download
  Click to take the recent backup
Download button (Only if backup is taken previously) - Download the backup of logs already taken. Also displays date and time of backup
  Click to download
  To download follow the screen instructions
Table - Backup Data screen elements

Restore Data
With the help of restore facility, restore data from the backup taken. Restoring data older than the
current data will lead to the loss of current data.


Select System Manage Data Restore Data

Screen Restore Data screen

Screen Elements Description


Upload Backup
File to upload Specify name of backup file to be uploaded
Browse button Select the backup file
Upload button Uploads the backup file
Table - Restore Data screen elements

Note

Restore facility is version dependent, i.e. it will work only if the backup and restore versions are the same


Purge
Purging of data means periodic deletion of the data. Cyberoam provides Auto purge and Manual purge
facility for deleting log records. Additionally, Auto purge utility also provides an option to enable or disable
log archiving.

Cyberoam allows retaining the following logs:


Web surfing
Mail virus
Mail spam
Traffic discovery
IPS
FTP
Appliance Audit log

Configure Auto purge Utility

Go to System Manage Data Configure Auto purge utility and click against the log to
enable archiving and specify the time period to retain log. By default, Cyberoam will not archive IPS logs.
One has to manually enable the archiving of IPS logs.

Log (if enabled)       Retention period (days)
                       Default    Configurable up to
Web Surfing            60         365
Mail Virus             30         90
Mail Spam              30         90
Traffic Discovery      7          7
IPS                    0          90
FTP                    30         90
Appliance Audit        30         90

If disabled, Cyberoam will keep log of current date only and delete records every night.

Earlier versions of Cyberoam supported retention of Web Surfing and Appliance Audit logs only.
Cyberoam will retain the configured retention period of Web Surfing logs and Appliance Audit Logs after
upgrading to the latest version.

Screen Configure Auto purge Utility screen


Manual purge
Use manual purge to delete log records manually

Select System Manage Data Purge Logs

Screen Purge Logs screen

Screen Elements - Description

Purge
Select log for purging - Web surfing logs, User session logs, Audit logs, Appliance Audit logs
Till Date - Select the date from Calendar till which the selected log(s) is to be purged
Purge button - Purges the selected log till the specified date
  Click Purge to purge
Table - Purge Logs screen elements

Note

Auto purge option is always on


Client Services

Client Messages
Message Management tab allows Administrator to send messages to the various users. Messages help
Administrator to notify users about problems as well as Administrative alerts in areas such as access,
user sessions, incorrect password, and successful log on and log off etc.

A message is sent to the User whenever the event occurs.

A message can be up to 256 characters and can be sent to a number of users at a time.

Select System Configure Client Settings Customize Client Message

Screen Customized Client Messages screen

Screen Elements - Description

Message Key - Message code
  Click Message link to customize the message which will be received by the user
  Click Save to save the changes
  Click Cancel to cancel the current operation
Message - Message description
Configure Usage to Alert User before Expiration
Enter Remaining Usage in - Alert will be displayed to all the users when the specified data transfer is remaining
  Remaining usage can be entered in absolute value or in percentage
Data Transfer (MB) - Specify remaining data transfer usage when all the users should receive alert.

  E.g. Absolute Remaining data transfer usage: 20 MB
  User1: Total Data transfer limit (as defined in Data transfer policy): 150 MB
  User2: Total Data transfer limit (as defined in Data transfer policy): 640 MB
  User1 will receive alert when he is left with 20 MB of data transfer i.e. has done total data transfer of 130 MB
  User2 will receive alert when he is left with 20 MB of data transfer i.e. has done total data transfer of 620 MB

  Percentage Remaining data transfer usage: 20%
  User1: Total Data transfer limit (as defined in Data transfer policy): 150 MB
  User2: Total Data transfer limit (as defined in Data transfer policy): 640 MB
  User1 will receive alert when he is left with 30 MB (20% of 150 MB) of data transfer i.e. has done data transfer of 120 MB
  User2 will receive alert when he is left with 128 MB (20% of 640 MB) of data transfer i.e. has done data transfer of 512 MB
Cycle Data Transfer (MB) - Specify remaining cycle data transfer usage when all the users should receive alert.
  Cycle data transfer is the upper limit of total data transfer allowed to the user per cycle. User will be disconnected if the limit is reached. It is applicable to the users to whom the cyclic data transfer policies are applied.

  E.g. Absolute Remaining cycle data transfer usage: 20 MB
  User1: Cycle Total Data transfer limit (as defined in Data transfer policy): 150 MB
  User2: Cycle Total Data transfer limit (as defined in Data transfer policy): 640 MB
  User1 will receive alert when he is left with 20 MB of data transfer per cycle i.e. has done data transfer of 130 MB
  User2 will receive alert when he is left with 20 MB of data transfer per cycle i.e. has done data transfer of 620 MB

  Percentage Remaining cycle data transfer usage: 20%
  User1: Cycle Total Data transfer limit (as defined in Data transfer policy): 150 MB
  User2: Cycle Total Data transfer limit (as defined in Data transfer policy): 640 MB
  User1 will receive alert when he is left with 30 MB (20% of 150 MB) of data transfer per cycle i.e. has done data transfer of 120 MB
  User2 will receive alert when he is left with 128 MB (20% of 640 MB) of data transfer per cycle i.e. has done data transfer of 512 MB
Save details button - Saves the data transfer alert configuration
Table - Customized Client Message screen elements


List of Predefined messages

Messages - Description/Reason

AlertMessageWithCycleData - Message is sent to the user when the remaining cycle data transfer is equal to the configured value.
  Value can be configured from Customize Client Messages page.
  Refer to Client Messages for more details
AlertMessageWithData - Message is sent to the user when the remaining data transfer is equal to the configured value.
  Value can be configured from Customize Client Messages page.
  Refer to Client Messages for more details
InactiveUser - Administrator has deactivated the User and the User will not be able to log on
DisconnectbyAdmin - When the administrator disconnects the user from the live users page
InvalidMachine - Message is sent if User tries to login from the IP address not assigned to him/her
LoggedoffsuccessfulMsg - Message is sent when User logs off successfully
LoggedonsuccessfulMsg - Message is sent when User logs on successfully
Loggedinfromsomewhereelse - Message is sent if User has already logged in from other machine
MaxLoginLimit - Message is sent if User has reached the maximum login limit
MultipleLoginnotallowed - Message is sent if User is not allowed multiple login
NotAuthenticate - Message is sent if User name or password are incorrect
NotCurrentlyAllowed - Message is sent if User is not permitted to access at this time
  Access Time policy applied to the User account defines the allowed access time and not allowed access at any other time.
Someoneloggedin - Message is sent if someone has already logged in on that particular machine
SurfingtimeExhausted - Message is sent when User is disconnected because his/her allotted surfing time is exhausted
  The surfing time duration is the time in hours the User is allowed Internet access that is defined in Surfing time policy. If hours are exhausted, User is not allowed to access
SurfingtimeExpired - Administrator has temporarily deactivated the User and the User will not be able to log in because User surfing time policy has expired
liveIPinuse - Message is sent if connection is requesting a public IP Address from the server that is already in use
nmpoolexceedlimit - Message is sent if the maximum number of IP Addresses in the Live IPHost Group at any given time has exceeded the limit
Table - List of predefined messages


Client preferences
Use Client preferences to specify:
- which page to open every time a user logs on to Cyberoam
- whether the HTTP client logon page should pop up if a user tries to surf without logging in
- the port from which Web Administration Console can be accessed
- the number of concurrent logons allowed

Select System → Configure → Client Settings → Customize Client preferences

Screen - Customized Client Preferences screen

Screen Elements - Description

Open following site after client logs on to the server
URL - Specify the URL to be opened every time a user logs on. Leave this field blank if you do not want to open any specific page every time a user logs in
Update button - Updates configuration

HTTP Client
Pop up HTTP client - Whenever a User tries to surf without logging in, a page with the message 'Cyberoam Access Denied' is displayed. If the HTTP client pop up option is selected, the User will get an HTTP Client pop up along with the 'Cyberoam Access Denied' page. Once the User logs on successfully using the HTTP client, the user will be able to surf the requested site.
Update button - Updates configuration

Web Admin Console
Web Admin Console Port - Specify the port number on which Web Admin Console is running
Secure Web Admin Console Port - Specify the port number to access Web Admin Console securely (HTTPS). Default: 443
Update button - Updates configuration

User Authentication setting
Number of Logins Allowed OR Unlimited Login - Specify the number of concurrent logins allowed to all the users, OR allow unlimited concurrent logins
User Inactivity Timeout - Enter the timeout duration in minutes. After this period of inactivity (no data transfer), the user will be logged out automatically. OR click Unlimited
Update button - Updates configuration
Table - Customized Client Preferences screen elements

Note
The preferences set are applicable to all the users by default. All the set preferences will be applied
when a user is created. Refer to Create User to customize the number of concurrent logins allowed for
a particular user.


Customize Access Deny messages

Use to customize the Access Deny message for:
- all web categories
- individual web category
- all file type categories

This customized message is displayed when a user tries to access a site that is not allowed.

Screen - Customize Denied message screen elements

1. Select System → Configure → Customize Denied Message
2. Select the category for which you want to customize the access deny message

   Select All Web categories to display the same access deny message for all the web
   categories. The message specified for All Web Categories becomes the default message.

   Select a particular category for which you want to display a different message.
   By default, the message specified for All Web Categories is displayed.
   Disable Use Default Message if you want to display a different message for a particular
   category, and modify the message.

   Select All File type category to customize the access deny message for all the file type
   categories.
3. In Denied Message, modify the message contents
4. Click Update button to save if any changes are made


Upload Corporate logo

Use to display your company's logo in all the messages displayed to the user.

1. Select System → Configure → Customize Denied Message
2. In Top Bar, specify the image to be displayed at the top of the message page
3. In Bottom Bar, specify the image to be displayed at the bottom of the message page
4. Click Upload

Note
Image dimensions should be 700 * 80, and only jpg files are accepted


Customize Login message

Use to customize the login page messages and the client login links provided on the login page.

Screen - Customize Login message

1. Select System → Configure → Customize Login Message
2. Under Client Login Links, select the Login Clients that you want to be displayed on the Login page.
   Download links are provided on the login page so that the user can download the required login
   client. If you do not want the user to download a particular login client, deselect the link.

   In the Login message box, specify the message to be displayed. You can further customize
   the message by using clientip address, category and URL
3. Enable Blink Message to display a blinking message
4. Before saving the configuration, click Preview to see how the message will be displayed to the
   user
5. Click Save button to save the configuration


Disable Warning messages

Alert messages displayed in the Dashboard Alert Messages section can be enabled or disabled
as needed. By default, all the messages are enabled.

Messages can be enabled/disabled from System → Configure → Warning Messaging

- indicates that alert is disabled
- indicates that alert is enabled

Screen - Warning messages


HTTP Client Login page template


Cyberoam provides flexibility to customize the HTTP Client Login page. This page can include
your organization name and logo.

Cyberoam includes a fully integrated Template Editor to design the page. It supports
numerous placement and arrangement options for each field and a provision to add a personalized
message or insert a logo or any other image.

Cyberoam also supports customized pages in languages other than English.

Cyberoam provides a default template that can be modified to customize the HTTP Client login
page.

Screen - Client Login Template


GUI Language Settings


To cater to its non-English customers, Cyberoam supports Chinese and Hindi. The Administrator
can configure the preferred GUI language.

The following elements of Web Admin Console will be displayed in the configured language:
- Dashboard alerts
- Dashboard Doclet contents
- Navigation menu
- Screen elements including field & button labels and tips
- Error messages

The Administrator can also specify the description for firewall rules, various policies, services and various
custom categories in Hindi, French or Chinese.

Screen - GUI Language Setting


Time settings
The current date and time can be set according to Cyberoam's internal clock, or Cyberoam can be
configured to synchronize its internal clock with an NTP server. Cyberoam's clock can be tuned to
show the right time using global Time servers so that logs show the precise time and Cyberoam
activities happen at a precise time.

Screen - Time settings

1. Select System → Configure → Time Settings
2. Select the time zone according to the geographical region in which Cyberoam is deployed
3. Select System Date & Time if you want to set Cyberoam's internal clock, and set the correct time
   and date
4. Select Synchronize with NTP server if you want Cyberoam to get time from an NTP server.
   Specify the NTP server IP address if you want to synchronize time with a specific NTP server;
   otherwise use the pre-defined NTP servers
5. Click Update button to save the configuration


Certificate Management
Digital Certificates are used for authentication. Certificates are generated by trusted third-party
Certificate Authorities (CAs). A CA creates a certificate by signing the public key and the identifying
information of a communicating party with the CA's own private key. This makes it possible to
verify that a public key really belongs to the communicating party and has not been forged by
someone with malicious intentions.

A certificate signed by a CA identifies the owner of a public key. Each communicating party may
be required to present its own certificate, signed by a CA, verifying the ownership of the
corresponding private key. Additionally, the communicating parties need to have a copy of the
CA's public key. If the private key is lost or stolen, or the information changes, the CA is
responsible for revoking the certificate.

Cyberoam provides a facility to generate a local certificate authority as well as to import certificates
signed by commercial providers.

If the remote peer is using a certificate issued by one of the following third-party CAs, you are not
required to upload the CA in Cyberoam:
- VeriSign
- Entrust
- Microsoft

Generate Certificate Authority

Select System → Certificate Management → Manage Certificate Authority and click Default

Screen - Generate Certificate Authority


Screen Elements - Description

Certificate Authority Details
Certificate Authority Name - Displays certificate authority name
Country Name - Select the Country for which the Certificate will be used. Generally this would be the name of the country where Cyberoam is installed.
State/Province Name - Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.
Locality Name - Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.
Organization Name - Specify your organization name
Organizational Unit Name - Specify department/section name which will use this certificate
Common Name - Specify domain name. This domain will be certified to use the Certificate.
Email Address - Specify Email address
CA Password - Specify password and confirm by re-typing the password
Generate button - Generates the certificate with the above specified details. Click to generate. If the certificate is already generated, it will re-generate the certificate with the above specified details
Cancel button - Cancels the current operation
Table - Generate Certificate Authority screen elements


Import external Certificate Authority

Select System → Certificate Management → Upload Certificate Authority

Screen - Define external Certificate Authority

Screen Elements - Description

Certificate
Certificate Authority Name - Specify Certificate authority name
Certificate Format - Cyberoam supports certificates in two formats: PEM and DER
  PEM (Privacy Enhanced Mail): A format encoding the certificate in ASCII code. The certificate, request, and private key are stored in separate files.
  DER: A binary format for encoding certificates. The certificate, request, and private key are stored in separate files.
Certificate - Specify certificate to be uploaded. Use Browse to select the complete path
Upload button - Uploads the specified certificate
Cancel button - Cancels the current operation
Table - Define external Certificate Authority screen elements
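
A pre-upload check for the two formats described above, as an added example (not Cyberoam's own validation): it tells PEM from DER, confirms the file holds exactly one well-framed certificate structure, and flags a private key or request bundled into the same file. The function names and the toy byte strings are assumptions made for illustration; the check covers encoding and framing only, not signatures or X.509 fields.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_is_well_framed(data):
    """True when data is exactly one DER SEQUENCE (tag 0x30) whose
    definite length accounts for every remaining byte."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\n".join(lines)
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def check_ca_upload(data):
    """Return (format, problems) for bytes about to be uploaded as a CA certificate."""
    problems = []
    if data.lstrip().startswith(b"-----BEGIN"):
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return "PEM", ["PEM file contains non-ASCII bytes"]
        blocks = PEM_BLOCK.findall(text)
        labels = [label for label, _ in blocks]
        # Certificate, request and private key belong in separate files.
        if any("PRIVATE KEY" in label for label in labels):
            problems.append("private key bundled in the file")
        if "CERTIFICATE REQUEST" in labels:
            problems.append("certificate request bundled in the file")
        certs = [body for label, body in blocks if label == "CERTIFICATE"]
        if len(certs) != 1:
            problems.append(f"expected one CERTIFICATE block, found {len(certs)}")
        for body in certs:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:            # binascii.Error is a ValueError
                problems.append("CERTIFICATE block is not valid base64")
                continue
            if not der_is_well_framed(der):
                problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
        return "PEM", problems
    if der_is_well_framed(data):
        return "DER", problems
    return "unknown", ["neither a PEM block nor a DER SEQUENCE"]


# Constructed toy inputs: a 5-byte DER SEQUENCE { INTEGER 5 }, used only to
# exercise the framing logic. They are not real certificates or keys.
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
TOY_PEM = to_pem("CERTIFICATE", TOY_DER)
TOY_KEY_PEM = to_pem("PRIVATE KEY", TOY_DER)

if __name__ == "__main__":
    for name, blob in [("der", TOY_DER), ("pem", TOY_PEM),
                       ("pem+key", TOY_PEM + TOY_KEY_PEM)]:
        print(name, check_ca_upload(blob))
```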


Upload Certificate

Select System → Certificate Management → New Certificate

Screen - Upload Certificate

Screen Elements - Description

Certificate
Action - Select Upload Certificate
Certificate Name - Specify certificate name
Password - Specify password and confirm by re-typing the password
Certificate - Specify certificate to be uploaded. Use Browse to select the complete path
Private key - Specify private key for the certificate. Use Browse to select the complete path
Upload button - Uploads the specified certificate
Cancel button - Cancels the current operation
Table - Upload Certificate screen elements


Generate Self signed certificate

You can use Cyberoam to act as a certificate authority and sign its own certificates. This
eliminates the need to have your own certificate authority.

Prerequisite
- Certificate Authority generated

Select System → Certificate Management → New Certificate

Screen - Generate Self Signed Certificate

Screen Elements - Description

Certificate
Action - Select Generate Self Signed Certificate
Certificate Name - Specify Certificate name
Valid upto - Specify certificate validity period using Calendar. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid. Minimum validity period is one day
Key Length - Select key length. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than smaller keys.
Password - Specify password and confirm by re-typing. Password must be at least 10 characters long
Certificate ID - Specify certificate ID. You can specify any one of the following:
  - DNS
  - IP address
  - Email address
  - DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Generate button - Generates certificate with the specified details. Click to generate
Cancel button - Cancels the current operation
Table - Generate Self Signed Certificate screen elements


Generate Certificate Signing Request

If you are using a third-party CA, you have to submit the request to the CA. The CA will verify the
details, then sign and send the signed certificate.

Cyberoam provides a way for you to generate the request.

Select System → Certificate Management → New Certificate

Screen - Generate CSR

Screen Elements - Description

Certificate
Action - Select Generate Certificate Signing Request (CSR)
Certificate Name - Specify Certificate name
Valid upto - Specify certificate validity period using Calendar. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid. Minimum validity period is one day
Key Length - Select key length. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than smaller keys.
Password - Specify password and confirm by re-typing. Password must be at least 10 characters long
Certificate ID - Specify certificate ID. You can specify any one of the following:
  - DNS
  - IP address
  - Email address
  - DER ASN1 DN/X.509 (applicable when Authentication Type is Digital Certificate)
Country Name - Select the Country for which the Certificate will be used. Generally this would be the name of the country where Cyberoam is installed.
State/Province Name - Select the State/Province for which the Certificate will be used. Generally this would be the name of the state where Cyberoam is installed.
Locality Name - Specify the locality/City. Generally this would be the name of the city where Cyberoam is installed.
Organization Name - Specify your organization name
Organizational Unit Name - Specify department/section name which will use this certificate
Common Name - Specify domain name. This domain will be certified to use the Certificate. Domain name has to be unique
Email Address - Specify Email address
Generate button - Generates certificate request with the details specified, which you can send to your CA for Certificate. Click to generate
Cancel button - Cancels the current operation
Table - Generate CSR screen elements

Download Certificate

Select System → Certificate Management → Manage Certificate, click the certificate
to be downloaded and follow the screen steps.

A Certificate Signing Request is downloaded in zip format; unzip the file. It contains three files:
certificatename.csr, certificatename.key, password.txt

Cyberoam supports certificates in two formats: p12 and pem. A certificate is downloaded in
tar.gz format; unzip the file using WinZip or WinRAR. It contains:
- Certificatename.p12 (certificate in p12 format)
- Password.txt
- PEM folder, which contains the certificate in pem format as: certificatename.pem,
  certificatename.key


Screen - Download Certificate

Delete Certificate

Prerequisite
- Not used by any Connection

Select System → Certificate Management → Manage Certificate

Screen - Delete Certificate

Screen Elements - Description

Del checkbox - Click against the certificate(s) to be deleted
Select All checkbox - Click to delete all certificates
Delete button - Deletes all the selected certificate(s)
Table - Delete Certificate screen elements

Note
Deleted certificate will be revoked


Certificate Revocation List

The CA maintains the list of valid and revoked certificates. Certificates which are stolen, lost or updated
are revoked by the CA. The revocation list is the list of certificates which have been revoked by the CA.

Revoke certificate

Select System → Certificate Management → Manage Certificate and click the
certificate to be revoked

Screen - Revoke Certificate

Screen Elements - Description

Certificate
Certificate Name - Displays Certificate name
Valid upto - Displays certificate validity period, modify if required. Validity period is the certificate life, i.e. the period up to which the certificate will be considered valid
Key Length - Displays key length, modify if required. Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but it requires more time to encrypt and decrypt data than smaller keys.
Password - Displays password. Click Change Password to modify the password. Password must be at least 10 characters long
Regenerate button - Regenerates the certificate
Revoke button - Revoke certificate if lost, stolen or updated. Click to revoke. If the certificate is revoked, it is automatically added to the Certificate Revocation List (CRL). You can download and circulate it if required.
Cancel button - Cancels the current operation
Table - Revoke Certificate screen elements

Download CRL
Once you revoke a certificate, the details of the revoked certificate are added to the default CRL
file generated by Cyberoam. You can download and distribute it if required.

Select System → Certificate Management → Manage CRL to view the list of CRLs.
Click Download against the CRL name to be downloaded. It downloads a zip file; unzip the file to
check the details.


Upload CRL
If you are using an External Certificate Authority, you need to upload the CRL obtained from the External
Certificate Authority.

Select System → Certificate Management → Upload CRL

Enter the CRL name and specify the full path of the file to be uploaded
Click Upload

Delete CRL

Select System → Certificate Management → Manage CRL to view the list of CRLs.

Screen - Delete CRL

Screen Elements - Description

Del checkbox - Click against the CRL(s) to be deleted
Select All checkbox - Click to delete all CRLs
Delete button - Deletes all the selected CRL(s)
Table - Delete CRL screen elements

Note
Default CRL cannot be deleted


HTTP Proxy Management

Cyberoam can also act as an HTTP proxy server. Enable access to the HTTP proxy services from the
local ACL section.
You can configure Cyberoam's LAN IP address as the proxy server IP address in your browser settings.

Note
HTTP proxy will enforce the Internet Access Policy and Anti Virus policy as configured in the User and the
Firewall policy.

IPS policy will be applicable on the traffic between proxy and the WAN, but not between the user and the
proxy.

Bandwidth policy will not be applicable on the direct proxy traffic.

Manage HTTP Proxy

Select System → HTTP Proxy → Manage HTTP Proxy

Screen - Manage HTTP Proxy

Screen Elements - Description

Server Status - Displays current status of Proxy server
Start button - Click to start Proxy server. Only if Current Status is Stopped
Stop button - Click to stop Proxy server. Only if Current Status is Running
Restart button - Click to restart Proxy server
Table - Manage HTTP Proxy screen elements


Configure HTTP Proxy

Use to:
- configure HTTP proxy port
- configure trusted ports

Select System → HTTP Proxy → Configure HTTP Proxy

Screen - Configure HTTP Proxy

Screen Elements - Description

Enforcing Safe Search
Enable Safe Search - Enable safe search so that web sites containing pornography and explicit sexual content are blocked from the Google, Yahoo, Altavista and Bing search results. This will be applicable only when access to Porn, AdultContent and Nudity categories is denied in Internet Access policy. Click Save button after configuration

Pharming Protection Configuration
Enable Pharming Protection - Pharming attacks require no additional action from the user beyond their regular web surfing activities. A pharming attack succeeds by redirecting users from legitimate web sites to similar fraudulent web sites that have been created to look like the legitimate site. Enable to protect against pharming attacks and direct users to the legitimate web sites instead of fraudulent web sites. Click to enable/disable, followed by Save to update the configuration

HTTP Direct Proxy Configuration
HTTP Proxy port - Specify proxy port to be used and click Save button to save the configuration
HTTP Trusted ports - When deployed as HTTP proxy, Cyberoam allows access only to those sites that are hosted on the standard port. To allow access to the sites hosted on non-standard ports, you have to define the non-standard ports as trusted ports. You can define an individual port or a range of ports. Click Add to define non-standard ports

Parent Proxy Setting
Enable Parent Proxy - If enabled, all the HTTP requests will be sent to HTTP Proxy Server via Cyberoam. One needs to configure Parent Proxy when the HTTP traffic is blocked by the upstream Gateway. Click to enable
IP address - Specify IP address of Parent proxy
HTTP Proxy Port - Specify parent proxy port
Save button - Click to save the port setting
Table - Configure HTTP Proxy screen elements


Manage Servers
Use Services tab to Start/Stop and Enable/Disable Autostart for the various configured servers. According to the
requirement, one can Start, Stop, Enable or Disable the services.

Types of servers available:
- DHCP
- Domain Name Server
- Cyberoam server
- Proxy servers: HTTP, SMTP, POP3, IMAP, FTP

Select System → Manage Servers

Screen - Manage Services

Screen Elements - Description

Service name - Name of the server
Status - Status of the respective server. Running if server is on; Stopped if server is off
Commands - Starts or stops the respective servers. Enables or disables Autostart. Refer to Action table for details
Table - Manage Control Service screen elements

Action table

Button - Usage
Start - Starts the Server whose status is Stopped
Stop - Stops the server whose status is Started
Enable Autostart - Automatically starts the configured server with the startup of Cyberoam
Disable Autostart - Disables the Autostart process
Restart - Restarts Cyberoam. All the servers with Enable Autostart will restart
Shutdown - Shuts down Cyberoam server and all the servers will be stopped
Table - Manage Control Service Action


Monitoring Bandwidth Usage

Bandwidth is the amount of data passing through a medium over a period. In other words, it is the amount
of data accessed by the Users. Each time data is accessed, whether uploaded or downloaded, the amount is
added to the total bandwidth. Because bandwidth is a limited resource, it needs periodic monitoring.

The Bandwidth usage graphical report allows the Administrator to monitor the amount of data uploaded or
downloaded by the Users. The Administrator can use this information to help determine:
- Whether to increase or decrease the bandwidth limit
- Whether all the gateways are utilized optimally
- Which gateway is underutilized
- What type of traffic is consuming the majority of the Bandwidth
- Which inbound/outbound traffic has consumed the most Bandwidth in the last week/month

Select System → View Bandwidth usage

Screen - View Bandwidth Usage

Screen Elements - Description

Bandwidth report
Graph type - Generates graph. Select any one:
  Gateway wise - Displays list of Gateways defined, click the Gateway whose data transfer report is to be generated
  Total - Generates total (all gateways) data transfer report. Also generates Live user report
  Gatewaywise breakup - Generates total (all gateways) data transfer report.
Graph period - Generates graph based on time interval selected. Click Graph period to select
Table - Bandwidth usage screen elements


It generates eight types of graphical reports:

1. Live users - Graph shows time and live users connected to Internet. In addition, shows minimum,
maximum and average no. of users connected during the selected graph period. This will help in
knowing the peak hour of the day.

X axis - Hours
Y axis - No. of users
Peak hour - Maximum no. of live users

Screen - Bandwidth usage - Live Users graph

2. Total data transfer - Graph shows total data transfer (upload + download) during the day. In addition,
shows minimum, maximum and average data transfer.

X axis - Hours
Y axis - Total data transfer (upload + download) in KB/Second

Screen - Bandwidth usage - Total Data transfer graph


3. Composite data transfer - Combined graph of Upload & Download data transfer. Colors differentiate
upload & download data traffic. In addition, shows the minimum, maximum and average data transfer
for upload & download individually.

X axis - Hours
Y axis - Upload + Download in Bits/Second

Orange Color - Upload traffic
Blue Color - Download traffic

Screen - Bandwidth usage - Composite Data transfer graph

4. Download data transfer - Graph shows only download traffic during the day. In addition, shows the
minimum, maximum and average download data transfer.

X axis - Hours
Y axis - Download data transfer in Bits/Second

Screen - Bandwidth usage - Download Data transfer graph


5. Upload data transfer - Graph shows only upload traffic during the day. In addition, shows minimum,
maximum and average upload data transfer.

X axis - Hours
Y axis - Upload data transfer in Bits/Second

Screen - Bandwidth usage - Upload Data transfer graph

6. Integrated total data transfer for all Gateways - Combined graph of total (Upload + Download) data
transfer for all the gateways. Colors differentiate gateways. In addition, shows the minimum,
maximum and average data transfer of individual gateway.

X axis - Hours
Y axis - Total (Upload + Download) data transfer in Bits/Second

Orange Color - Gateway1
Blue Color - Gateway2


7. Integrated Download data transfer of all Gateways - Graph shows only the download traffic of all the
gateways during the day. In addition, shows the minimum, maximum and average download data
transfer.

X axis - Hours
Y axis - Download data transfer in Bits/Second

Orange Color - Gateway1
Blue Color - Gateway2

8. Integrated Upload data transfer for all the Gateways - Graph shows only the upload traffic of all the
gateways during the day. In addition, shows minimum, maximum and average upload data transfer.

X axis - Hours
Y axis - Upload data transfer in Bits/Second

Orange Color - Gateway1
Blue Color - Gateway2


Migrate Users
Cyberoam provides a facility to migrate the existing users from a PDC or LDAP server. Alternatively, you can
also import user definitions from an external file (CSV format file).

If you do not want to migrate users, configure Automatic User creation. This reduces the Administrator's
burden of creating the same users again in Cyberoam.

Migration from PDC server

All the migrated users will be created under Group type Normal and default policies will be applied.
The Administrator can change the assigned group or status at the time of migration or later.

After migration, Username will be set as password in Cyberoam.

Select User → Migrate Users to open the migration page

Step 1: Click Download User Migration Utility link

Screen - Download User Migration Utility

Step 2: Opens the File Download window and prompts to run or save the utility. Select the appropriate
option and click OK button

Screen - Save User Migration Utility


Step 3: Opens a new browser window and prompts for the login. Provide the administrator username and
password. E.g. Username: cyberoam and password: cyber

Step 4: On successful authentication, the following screen will be shown. Upload the specified file.

Screen - Upload downloaded User Migration Utility

Step 5: Change the group or status of the user at this stage, if required. To migrate all the users, click
Select All or select the individual users and click Migrate Users.

Note
After migration, the Cyberoam login password will be the same as the username

Once the users are migrated, configure the single sign on login utility. The configuration is required to be
done on the Cyberoam server.

Migration from External file

If you already have User details in a CSV file, you can upload the CSV file instead of creating the users
again in Cyberoam.

CSV file should be in the following format:

1. Header (first) row should contain field names. Format of header row:
   Compulsory first field: username
   Optional fields in any order: password, name, groupname
2. Subsequent rows should contain values corresponding to each field in the header row
3. Number of fields in each row should be the same as in the header row
4. Error will be displayed if data is not provided for any field specified in the header
5. Blank rows will be ignored
6. If password field is not included in the header row then it will be set the same as username
7. If name field is not included in the header row then it will be set the same as username
8. If groupname is not included in the header row, administrator will be able to configure group at the
   time of migration
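
The format rules above, applied as a check you can run on a CSV file before uploading it; this is an added example, not Cyberoam's own import code. Besides the listed rules it reports every account that would end up with a password equal to its username (rule 6, or an explicit value), since those are the accounts to reset after migration. The function name, the exact-match treatment of header names and the sample data are assumptions.

```python
import csv
import io

OPTIONAL_FIELDS = {"password", "name", "groupname"}

# Constructed sample data, not taken from any real deployment.
SAMPLE = """\
username,password,groupname
alice,S3parate-Pass!,Engineering

bob,bob,Sales
carol,,Sales
dave,x9!kLm22
"""
NO_PASSWORD = "username,name\nerin,Erin K\n"


def validate_user_csv(text):
    """Return (users, errors, warnings) for a user-migration CSV.

    `users` holds the accepted rows with the documented defaults applied.
    """
    users, errors, warnings = [], [], []
    reader = csv.reader(io.StringIO(text))
    header = None
    for row in reader:
        line = reader.line_num
        cells = [cell.strip() for cell in row]
        if not any(cells):                      # rule 5: blank rows are ignored
            continue
        if header is None:                      # rule 1: header row
            header = cells                      # assumption: names match exactly
            if header[0] != "username":
                errors.append(f"line {line}: first header field must be 'username'")
                return users, errors, warnings
            unknown = [f for f in header[1:] if f not in OPTIONAL_FIELDS]
            if unknown or len(set(header)) != len(header):
                errors.append(f"line {line}: unexpected or repeated header field")
                return users, errors, warnings
            continue
        if len(cells) != len(header):           # rule 3: same field count as header
            errors.append(f"line {line}: {len(cells)} fields, header has {len(header)}")
            continue
        if not all(cells):                      # rule 4: no empty value
            errors.append(f"line {line}: empty value for a field named in the header")
            continue
        user = dict(zip(header, cells))
        user.setdefault("password", user["username"])   # rule 6
        user.setdefault("name", user["username"])       # rule 7
        user.setdefault("groupname", None)              # rule 8: chosen at migration
        if user["password"] == user["username"]:
            warnings.append(
                f"line {line}: '{user['username']}' would log in with a password "
                "equal to the username")
        users.append(user)
    if header is None:
        errors.append("no header row found")
    return users, errors, warnings


if __name__ == "__main__":
    for label, text in [("SAMPLE", SAMPLE), ("NO_PASSWORD", NO_PASSWORD)]:
        accepted, errs, warns = validate_user_csv(text)
        print(label, [u["username"] for u in accepted], errs, warns)
```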

Step 1: Upload CSV file

Select System → Migrate User to open the migration page

Screen - Upload CSV file

Step 2: Change Group or Active status of user at this stage, if required. To migrate all the users, click
Select All or select the individual users and click Migrate Users.

Screen - Register migrated users from External file

If migration is successful, the Manage Active User page will be displayed with all the migrated users as
Active users.


PART
Customization
Schedule
A Schedule defines a time schedule for applying a firewall rule or Internet Access policy, i.e. it is used to control
when firewall rules or Internet Access policies are active or inactive.

Types of Schedules:
- Recurring - use to create policies that are effective only at the specified times of the day or on
  specified days of the week.
- One-time - use to create firewall rules/policies that are effective once for the period of time specified in
  the schedule.

Define Schedule
Select Firewall → Schedule → Define Schedule to open the define schedule page

Screen - Define One Time Schedule

Screen Elements - Description

Schedule details
Name - Specify schedule name. Choose a name that best describes the schedule
Schedule Type - Specify type of schedule
  Recurring - Use to create access time policies that are effective only at specified times of the day or on specified days of the week.
  One time - Use to create firewall rules that are effective once for the period of time specified in the schedule. It cannot be applied to any of the policies but can be implemented through firewall rule only.
Start time & Stop time (only if Schedule Type is One Time) - Defines start and stop time for the schedule. Start & stop time cannot be same
Description - Specify full description of schedule
Create button - Creates schedule. Refer to Add Schedule Entry details to add time details
Table - Define Schedule screen elements


Add Schedule Entry details

Select Firewall → Schedule → Manage Schedule to view the list of schedules and click the
Schedule name in which the schedule entry details are to be added.

Screen - Add Schedule Entry details

Screen Elements - Description

Schedule Entry
Weekday - Select the schedule occurrence, i.e. on which weekdays and at what time the schedule will be applicable
  Weekdays - Schedule will be applied from Monday to Friday
  Weekdays including Saturday - Schedule will be applied from Monday to Saturday
  All Days of Week - Schedule will be applied from Monday to Sunday
  Selected Weekday(s) - Schedule will be applied on selected days only
Start time & Stop time - Defines the access hours/duration. Start & stop time cannot be same
Add Schedule detail button - Attaches the schedule details for the selected weekday to the schedule
Cancel button - Cancels the current operation
Table - Add Schedule Entry details screen elements


Manage Schedule
Use to modify:
Schedule Name
Description
Add Schedule Entry details
Delete Schedule Entry details

Select Firewall → Schedule → Manage Schedule and click Schedule name to be updated

Screen - Manage Schedule

Screen Elements - Description

Schedule details
Schedule name - Displays schedule name, modify if required
Schedule description - Displays schedule description, modify if required

Schedule Entry
Add button - Allows you to add the schedule entry details. Refer to Add Schedule Entry details for more details
Delete button - Allows you to delete the schedule entry details. Refer to Delete Schedule Entry details for more details
Save button - Saves schedule
Cancel button - Cancels the current operation and returns to Manage Schedule page

Table - Manage Schedule screen elements

Delete Schedule Entry details

Screen - Delete Schedule Entry details

Screen Elements - Description

Del checkbox - Click against the Schedule Entry(s) to be deleted
Select All checkbox - Click to delete all Schedule Entry
Delete button - Deletes all the selected Schedule Entry(s)

Table - Delete Schedule Entry details screen elements

Delete Schedule

Select Firewall → Schedule → Manage Schedule to view the list of Schedules

Screen - Delete Schedule

Screen Elements - Description

Del checkbox - Click against the schedule(s) to be deleted
Select All checkbox - Click to delete all schedules
Delete button - Deletes all the selected Schedule(s)

Table - Delete Schedule screen elements

Services
Services represent types of Internet data transmitted via particular protocols or applications.

Protect your network by configuring firewall rules to:
block services for specific zone
limit some or all users from accessing certain services
allow only specific user to communicate using specific service

Cyberoam provides several standard services and allows creating:
Customized service definitions
Firewall rule for customized service definitions

Define Custom Service


Select Firewall → Services → Create to open the create page

Screen - Define Custom Service

Screen Elements - Description

Create Service
Service Name - Specify service name
Select Protocol - Select the type of protocol
  For IP - Select Protocol No.
  For TCP - Specify Source and Destination port
  For UDP - Specify Source and Destination port
  For ICMP - Select ICMP Type and Code
Description - Specify service description
Create button - Creates a new service
Cancel button - Cancels the current operation and returns to Manage Service

Table - Define Custom Service screen elements

Manage Custom Service


Use to modify:
Description
Add Protocol details
Delete Protocol details

Select Firewall → Services → Manage to view the list of custom services. Click service to be
modified

Screen - Update Custom Service

Screen Elements - Description

Custom Service
Service Name - Displays service name
Description - Displays description, modify if required

Protocol Details
Add button - Click to add protocol details. Select protocol:
  For IP - Select Protocol No.
  For TCP - Specify Source and Destination port
  For UDP - Specify Source and Destination port
  For ICMP - Select ICMP Type and Code
Delete button - Allows you to delete protocol details. Click to delete against the protocol details to be deleted, then click Delete
Save button - Updates the modified details
Cancel button - Cancels the current operation

Table - Update Custom Service screen elements

Delete Custom Service

Select Firewall → Services → Manage to view the list of services.

Screen - Delete Custom Service

Screen Elements - Description

Del checkbox - Click against the service(s) to be deleted
Select All checkbox - Click to delete all service
Delete button - Deletes all the selected service(s)

Table - Delete Custom Service screen elements

Note
Default Services cannot be deleted


Create Service Group


Service Group is the grouping of services. Custom and default services can be grouped in a single group.

Use to configure firewall rules to:
block group of services for specific zone
limit some or all users from accessing group of services
allow only specific user to communicate using group of service

Select Firewall → Service Group → Create to open the create page

Screen - Create Service Group screen

Screen Elements - Description

Create Service Group
Service Group Name - Specify service group name
Select Service - Select the services to be grouped.
  Available Services column displays the services that can be grouped
  Use the arrow buttons to move services between the lists
  Member Services column displays the services that will be grouped
Description - Specify group description
Create button - Creates a new service group
Cancel button - Cancels the current operation and returns to Manage Service Group page

Table - Create Service Group screen elements

Update Service Group


Select Firewall → Service Group → Manage to view the list of groups created. Click the group to
be modified

Screen - Edit Service Group

Screen Elements - Description

Edit Service Group
Service Group Name - Displays service group name
Select Service - Displays grouped services
  Available Services column displays the services that can be grouped
  Use the arrow buttons to move services between the lists
  Member Services column displays the services that will be grouped
Description - Displays group description, modify if required
Save button - Saves the modified details
Cancel button - Cancels the current operation and returns to Manage Service Group page

Table - Edit Service Group screen elements

Delete Service Group


Select Firewall → Service Group → Manage to view the list of groups created.

Screen - Delete Service Group

Screen Elements - Description

Del checkbox - Click against the service group(s) to be deleted
Select All checkbox - Click to delete all service group
Delete button - Deletes all the selected service group(s)

Table - Delete Service Group

Categories
Cyberoam's content filtering capabilities prevent Internet users from accessing non-productive or
objectionable websites that take valuable system resources from your network, and at the same time keep out
hackers and viruses that can gain access to your network through their Internet connections.

Cyberoam lets you prevent Internet users from accessing URLs that contain content the company finds
objectionable. Cyberoam's Categories Database contains categories covering Web page subject matter
as diverse as adult material, astrology, games, job search, and weapons. It is organized into general
categories, many of which contain collections of related Internet sites with specific content focus. In other
words, the database is a collection of site/host names that are assigned a category based on the major
theme or content of the site.

Categories Database consists of three types:

Web category - Grouping of Domains and Keywords. Default web categories are available for use only if
Web and Application Filter subscription module is registered.

File Type category - Grouping of File extensions

Application protocol - Grouping of protocols. Standard protocol definitions are available for use only if
Web and Application Filter subscription module is registered.

Apart from the default categories provided by Cyberoam, custom category can also be created if
required. Creating custom category gives increased flexibility in managing Internet access for your
organization. After creating a new category, it must be added to a policy so that Cyberoam knows when
to enforce it and for which groups/users.


Web Category
Web category is the grouping of Domains and Keywords used for Internet site filtering. Domains and any
URL containing the keywords defined in the Web category will be blocked.

Each category is grouped according to the type of sites. Categories are grouped into four types, which
specify whether accessing sites in those categories is considered productive or not:
Neutral
Productive
Non-working
Un-healthy

For your convenience, Cyberoam provides a database of default Web categories. You can use these or
even create new web categories to suit your needs. To use the default web categories, the subscription
module Web and Application Filter should be registered.

Depending on the organization requirement, allow or deny access to the categories with the help of
policies by groups, individual user, time of day, and many other criteria.

Custom web category is given priority over default category while allowing/restricting the access.

Search URL
Use Search URL to search whether the URL is categorized or not. It searches the specified URL and
displays Category name under which the URL is categorized and category description.

When a custom category is created with a domain/URL which is already categorized in default category
then the custom category overrides the default category and the search result displays custom category
name and not the default category name.

Select Categories → Web Category → Search URL

Screen - Search URL
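The precedence rule described above, modelled as an added example (not Cyberoam's code or its matching engine): custom categories are consulted before default ones, and keywords match anywhere in the URL. The category names, domains and keywords are constructed, and matching a domain together with its subdomains is an assumption about what "falling under the specified domain" means.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# The four category types named in the guide.
CATEGORY_TYPES = {"Neutral", "Productive", "Non-working", "Un-healthy"}


@dataclass(frozen=True)
class WebCategory:
    name: str
    category_type: str
    domains: tuple = ()
    keywords: tuple = ()
    custom: bool = False


def validate(categories):
    """Enforce the constraints the guide states for category definitions."""
    default_names = {c.name for c in categories if not c.custom}
    for c in categories:
        if c.category_type not in CATEGORY_TYPES:
            raise ValueError(f"{c.name}: unknown category type {c.category_type!r}")
        if c.custom and c.name in default_names:
            raise ValueError(f"{c.name}: custom name clashes with a default category")


def _host(url):
    # Accept bare "host/path" input as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def match_reason(category, url):
    """Return why `url` falls in `category` ("domain:..." / "keyword:..."), or None."""
    host = _host(url)
    for domain in category.domains:
        domain = domain.lower()
        # Assumption: a listed domain also covers its subdomains.
        if host == domain or host.endswith("." + domain):
            return "domain:" + domain
    lowered = url.lower()
    for keyword in category.keywords:
        # Substring match: "any URL containing the keywords".
        if keyword.lower() in lowered:
            return "keyword:" + keyword
    return None


def search_url(url, categories):
    """Model of Search URL: (name, type, reason) of the winning category, or None."""
    validate(categories)
    # sorted() is stable, so custom categories come first and the
    # definition order is kept within each group.
    for category in sorted(categories, key=lambda c: not c.custom):
        reason = match_reason(category, url)
        if reason:
            return category.name, category.category_type, reason
    return None


# Constructed sample data, not entries from the Cyberoam database.
CATEGORIES = [
    WebCategory("Games", "Non-working", domains=("games.example",)),
    WebCategory("JobSearch", "Non-working", domains=("jobs.example",)),
    WebCategory("TrainingSims", "Productive",
                domains=("sim.games.example",), custom=True),
    WebCategory("BlockedTerms", "Un-healthy", keywords=("weapon",), custom=True),
]

if __name__ == "__main__":
    for u in ("http://sim.games.example/level1",
              "http://www.games.example/",
              "http://museum.example/exhibits/medieval-weaponry",
              "http://news.example/"):
        print(u, "->", search_url(u, CATEGORIES))
```

The third sample URL shows the practical cost of keyword entries: a substring match also catches unrelated pages, so keywords in a custom category deserve a review with Search URL before the category is attached to a policy.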


Manage Default Web Category


Default Web categories are available for use only if Web and Application Filter module is subscribed.
Database of web categories is constantly updated by Cyberoam.

If the module is not subscribed, the page is displayed with the message "Web and Application Filter module
is not registered". See Register Add on Modules for registering the Web and Application Filter module. You
can subscribe to the trial version of the module, which will expire after 15 days of subscription.

Once the module is subscribed, the default categories can be used in Internet Access for filtering.

Select Categories → Web Category → Manage Default to view list of default Web Categories

Screen - Manage Default Web Category

Note
Default Web categories cannot be modified or deleted.

Custom web category is given the priority over the default category while allowing/restricting access.

Create Custom Web category

Select Categories → Web Category → Create Custom to open create page

Screen - Create Custom Web Category

Screen Elements - Description

Create Custom Web Category
Name - Specify Web category name
Description - Specify full description
Category type - Categories are grouped into four types and specifies whether accessing sites specified in those categories is considered as Neutral, Productive, Non-working or Un-healthy. Select category type
Bandwidth policy - Click to apply bandwidth restriction for the URLs categorized under the Web category. Above configured bandwidth policy will be applicable, whenever the URL falling under the Web category is accessed. To implement the restriction, one has to enable Web Category based Bandwidth policy from firewall rule.
Create button - Creates a new custom Web Category. Web Category configuration is incomplete until domain names or keywords are attached

Domain Management
Add button - Use to define domains for the web category. Depending on the user's Internet access policy, accessing specified domain(s) will be allowed or denied. Click to add. Refer to Add Domain(s) for more details

Keywords Management
Add button - Use to define keywords for the web category. Depending on the user's Internet access policy, accessing sites with the specified keyword(s) will be allowed or denied. Click to add. Refer to Add Keyword(s) for details
Update button - Saves the web category
Cancel button - Cancels the current operation and returns to View Web Category page

Table - Create Web Category screen elements

Note
Custom category name cannot be same as default category name.

Add Domain

Screen - Add Domain

Screen Elements - Description

Domains Management
Domains - Specify domains for the category. Depending upon the Internet access policy and schedule strategy any site falling under the specified domain will be allowed or blocked access.
Add Domain button - Assigns domains to the web category
Cancel button - Cancels the current operation

Table - Add Domain screen elements

Note
Domains can be added at the time of creation of web category or whenever required.


Add Keyword

Screen - Add keyword

Screen Elements - Description

Keywords Management
Keywords - Specify domains for the category. Depending on the Internet access policy and schedule strategy any site falling under the specified domain will be allowed or blocked access
Add button - Assigns keywords to the Web Category
Cancel button - Cancels the current operation

Table - Add keyword screen elements

Note
Keywords can be added at the time of creation of web category or whenever required.

Manage Custom Web Category


Use to modify:
Description
Add and delete Domains
Add and delete Keywords

Select Categories → Web Category → Manage Custom to view the list of Web categories and
click Web Category to be modified

Screen - Manage Custom Web category

Screen Elements - Description

Update Custom Web Category
Name - Displays name of the web category, modify if required
Description - Displays description of the Category
Category type - Categories are grouped into four types, which specify whether accessing sites specified in those categories is considered as Neutral, Productive, Non-working or Un-healthy. Select category type
Bandwidth policy - Click to apply bandwidth restriction for the URLs categorized under the Web category. The bandwidth policy configured above will be applicable whenever a URL falling under the Web category is accessed. To implement the restriction, one has to enable Web Category based Bandwidth policy from firewall rule.

Domain Management
Add button - Allows you to add domain name(s) to the web category. Click to add. Refer to Add Domains for details
Delete button - Allows you to remove domain name(s) from the web category. Click to remove. Refer to Delete Domains for details

Keywords Management
Add button - Allows you to add keyword(s) to the web category. Click to add. Refer to Add Keywords for details
Delete button - Allows you to remove keywords from the web category. Click to remove. Refer to Delete Keywords for details
Update button - Modifies and saves the updated details. Click to Update
Cancel button - Cancels the current operation and returns to the Manage Custom Web Category page

Table - Update Custom Web category screen elements

Delete Domain

Screen - Delete Domain

Screen Elements - Description

Select checkbox - Click against the domain(s) to be deleted
Select All checkbox - Click to delete all domain
Delete button - Deletes all the selected domain(s)

Table - Delete Domain screen elements

Delete Keyword

Screen - Delete keyword

Screen Elements - Description

Select checkbox - Click against the keyword(s) to be deleted
Select All checkbox - Click to delete all keyword
Delete button - Deletes all the selected keyword(s)

Table - Delete keywords screen elements

Delete Web Category

Prerequisite
Not attached to any Policy

Select Categories → Web Category → Manage Custom to view the list of Web Categories.

Screen - Delete Custom Web Category

Screen Elements - Description

Del checkbox - Click against the web category(s) to be deleted
Select All checkbox - Click to delete all web category
Delete button - Deletes all the selected web category(s)

Table - Delete Custom Web Category screen elements

File Type Category


File type is a grouping of file extensions. Cyberoam allows filtering Internet content based on file
extension. For example, you can restrict access to particular types of files from sites within an otherwise-
permitted category.

For your convenience, Cyberoam provides several default File Types categories. You can use these or
even create new categories to suit your needs.

Depending on the organization requirement, allow or deny access to the categories with the help of
policies by groups, individual user, time of day, and many other criteria.

View Default File Type Category


Cyberoam provides five default File Type categories that cannot be modified or deleted. Default
categories include:
Audio Files
Dynamic Files
Executable Files
Image Files
Video Files

Select Categories → File Type Category → View Default to view the list of default File Type
Categories. Click the Category to view extensions included in the Category.

Screen - View Custom File Type Category

Create Custom File Type Category

Select Categories → File Type Category → Create Custom to open the create page

Screen - Create Custom File Type Category

Screen Elements - Description

Custom File Type details
Name - Assign name to File Type Category
File Extensions - Specify file extensions to be included in the File Type Category. Extensions defined here will be blocked or filtered
Description - Specify full description
Create button - Creates a new File Type Category
Cancel button - Cancels the current operation and returns to Manage Custom File Type Category page

Table - Create Custom File Type screen elements

Manage Custom File Type Category

Select Categories → File Type Category → Manage Custom to view the list of File Type
Categories and click File Type Category to be modified.

Screen - Manage Custom File Type Category

Screen Elements - Description

Update Custom File Type Category
Name - Displays name of the File Type Category, modify if necessary
File Extensions - Displays file extension(s) added to the Category, modify if required
Description - Displays description of Category
Update button - Modifies and saves the updated details. Click to Update
Cancel button - Cancels the current operation and returns to the Manage Custom File Type Category page

Screen - Manage Custom File Type Category

Delete Custom File Type Category

Prerequisite
Not attached to any Policy

Select Categories → File Type Category → Manage Custom to view the list of File Type
Categories created

Screen - Delete Custom File Type Category

Screen Elements - Description

Del checkbox - Click against the category(s) to be deleted
Select All checkbox - Click to delete all category
Delete button - Deletes all the selected category(s)

Table - Delete Custom File Type screen elements

Application Protocol Category


Application Protocol Category is the grouping of Application Protocols used for filtering Internet content.

You can also filter Internet requests based on protocols or applications other than HTTP, HTTPS or FTP,
for example those used for instant messaging, file sharing, file transfer, mail, and various other network
operations.

For your convenience, Cyberoam provides a database of default Application Protocol categories. To use
the default Application Protocol categories, the subscription module Web and Application Filter should
be registered.

You can also create:
Customized Application protocol category, if required
Firewall rule based on customized Application protocol category

Manage Default Application Protocol Category


Default Application protocol categories are available for use only if Web and Application Filter
subscription module is registered. Database of protocol category is constantly updated by Cyberoam. If
the module is not registered, page is displayed with the message "Web and Application Filter module is
not registered".

Once the module is registered, the default protocol categories can be used in Internet Access for filtering.

Default Application protocol category cannot be modified or deleted.

Select Categories → Application Protocol Category → View Default to view the list of
default Application protocols Categories

Screen - Manage Default Application Protocol Category

Create Custom Application Protocol Category

Select Categories → Application Protocol Category → Create Custom to open the create
page

Screen - Create Custom Application Protocol Category

Screen Elements - Description

Custom Application Protocol Category
Name - Specify name to Application Protocol Category. Custom category and default category cannot have same names.
Description - Specify full description
Create button - Creates a new custom Application Protocol Category

Application Protocol details
Add button - Use to assign application protocols to Category for blocking. Select application protocol you want to include in a Category. Cyberoam gives access to the Category based on the Schedule. Allows you to add application protocol(s) to Category. Click to add. Refer to Add Custom Application Protocol details for more details
Update button - Saves Application Protocol Category
Cancel button - Cancels the current operation and returns to View Custom Application Protocol Category page

Table - Create Custom Application Category screen elements

Add Custom Application Protocol Details

Screen - Add Custom Application Protocol Category details

Screen Elements - Description

Custom Application Protocol details
Application - Select Application Protocols that are to be grouped in the Category. Custom and Default both can be grouped in a single Application Protocol Category
Destination IP Address - Specify destination IP Address
Add button - Groups the application protocols in the Category
Cancel button - Cancels the current operation

Table - Add Custom Application Protocol Category details

Manage Custom Application Protocol Category


Use to modify:
Description
Add Application Protocol details
Delete Application Protocol details

Select Categories → Application Protocol Category → Manage Custom to view the list of
custom Application Protocol Categories. Click Application Protocol Category to be modified.

Screen - Manage Custom Application Protocol Category

Screen Elements - Description

Update Custom Application Protocol Category
Name - Displays name of Application Protocol Category, modify if necessary
Description - Displays description of the Category

Application Protocol Details
Add button - Allows you to add Application Protocol(s) to Category. Click to add. Refer to Add Custom Application Protocols for details
Delete button - Allows you to remove Application Protocol(s) from Category. Click to remove. Refer to Delete Custom Application Protocol for details
Update button - Modifies and saves the updated details. Click to Update
Cancel button - Cancels the current operation and returns to the Manage Custom Application Protocol Category page

Table - Manage Custom Application Protocol Category screen elements

Delete Custom Application Protocol Category details

Screen - Delete Application Protocol Category details

Screen Elements - Description

Del checkbox - Click against the application(s) to be deleted
Select All checkbox - Click to delete all application
Delete button - Deletes all the selected application(s)

Table - Delete Application Protocol Category screen elements

Delete Custom Application Protocol Category

Prerequisite
Not attached to any Policy

Select Categories → Application Protocol Category → Manage Custom to view the list of
Application Protocol Categories created

Screen - Delete Custom Application Protocol Category

Screen Elements - Description

Del checkbox - Click against the category(s) to be deleted
Select All checkbox - Click to delete all category
Delete button - Deletes all the selected category(s)

Table - Delete Custom Application Protocol Category screen elements

Access Control
Use Local ACLs to limit the Administrative access to the following Cyberoam services from LAN, WAN,
DMZ and VPN:
Admin Services
Authentication Services
Proxy Services
Network Services

Default Access Control configuration


When Cyberoam is connected and powered up for the first time, it will have a default Access
configuration as specified below:

Admin Services
HTTPS (TCP port 443) and SSH (TCP port 22) services will be open for administrative functions for
LAN zone

Authentication Services
Cyberoam (UDP port 6060) and HTTP Authentication (TCP port 8090) will be open for User
Authentication Services for LAN zone. User Authentication Services are not required for any of the
Administrative functions but required to apply user based internet surfing, bandwidth and data
transfer restrictions.

Network services
ICMP service is allowed for VPN zone

Customize Access Control configuration


Use access control to limit the access to Cyberoam for administrative purposes from the specific
authenticated/trusted networks only. You can also limit access to administrative services within the
specific authenticated/trusted network.

Select Firewall → Local ACL

Screen - Access Configuration

Screen Elements Description


Admin Services
Enable/disable access to Cyberoam using following service from the specified zone and
network:
HTTP
HTTPS
Telnet

Authentication Services
Enable/disable following service from the specified zone and network:
Cyberoam
HTTP

Proxy Services
Enable/disable HTTP service from the specified zone and network
Network Services
Enable/disable following service from the specified zone and network:
DNS
ICMP

Update button - Saves configuration
Add button - Allows you to add the trusted networks from which the above specified services will be allowed/disallowed. Click Add to add network details, specify Network IP address and Zone, then click Add

Table - Access Configuration screen elements


Logging
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network abuse.

Cyberoam can either store logs locally or send logs to external syslog servers for storage and archival
purposes.

Cyberoam can log many different network activities and traffic including:
Firewall log
Anti-virus infection and blocking
Web filtering, URL and HTTP content blocking
Signature and anomaly attack and prevention
Spam filtering

Cyberoam supports multiple syslog servers for remote logging. When configuring logging to a Syslog
server, one needs to configure the facility, severity and log file format. One can also specify logging
location if multiple syslog servers are defined.

A maximum of five syslog servers can be defined from the Logging page of Web Admin Console.

Cyberoam can either store logs locally or send to the syslog servers. Traffic Discovery logs can be stored
locally only.


Syslog Configuration
Syslog is an industry standard protocol/method for collecting and forwarding messages from devices to a
server running a syslog daemon, usually via UDP port 514. The syslog is a remote computer running a
syslog server. Logging to a central syslog server helps in aggregation of logs and alerts.

Cyberoam appliance can also send a detailed log to an external Syslog server in addition to the standard
event log. The Cyberoam Syslog support requires an external server running a Syslog daemon on any
UDP port.

The Cyberoam captures all log activity and includes every connection source and destination IP address,
IP service, and number of bytes transferred.

A SYSLOG service simply accepts messages, and stores them in files or prints them. This form of logging is
the best as it provides a central logging facility and a protected long-term storage for logs. This is useful
both in routine troubleshooting and in incident handling.

To add the syslog server details, go to System → Logging → Manage Syslog and click Create
button

Screen - Syslog Configuration

Screen Elements - Description

Add Syslog server details
Name - Specify unique name for syslog server
IP address - Specify IP address of the syslog server. Messages from the Cyberoam will be sent to the server. Default: 192.168.1.254
Port - Specify the port number for communication with the syslog server. Cyberoam will send messages using the configured port. Default: 514
Facility - Select syslog facility for log messages to be sent to the syslog server.
  Facility indicates to the syslog server the source of a log message. It is defined by the syslog protocol. You can configure facility to distinguish log messages from different Cyberoams. In other words, it can be helpful in identifying the device that recorded the log file.
  Cyberoam supports following syslog facilities for log messages received from remote servers and network devices:
  DAEMON - Daemon logs (Information of Services running in Cyberoam as daemon)
  KERNEL - Kernel log
  LOCAL0 to LOCAL7 - Log level information
  USER - Logging on the basis of users who are connected to Server
Severity Level - Specify severity levels of logged messages.
  Severity level is the severity of the message that has been generated.
  Cyberoam logs all messages at and above the logging severity level you select. For example, select ERROR to log all messages tagged as ERROR, as well as any messages tagged with CRITICAL, ALERT and EMERGENCY, and select DEBUG to log all messages.
  Cyberoam supports following syslog levels:
  EMERGENCY - System is not usable
  ALERT - Action must be taken immediately
  CRITICAL - Critical condition
  ERROR - Error condition
  WARNING - Warning condition
  NOTICE - Normal but significant condition
  INFORMATION - Informational
  DEBUG - Debug-level messages
Format - Cyberoam produces logs in the specified format. Cyberoam currently produces logs in its own standard format
Create button - Click to save the configuration
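
How the Facility and Severity Level settings above appear on the wire, as an added example (not Cyberoam code): every syslog message starts with a `<PRI>` header equal to facility * 8 + severity, so a collector can check that what arrives matches what was configured on the appliance. The `audit` function and the sample datagrams are constructed for illustration, and the message bodies are placeholders rather than real Cyberoam log lines.

```python
import re
from collections import Counter

# Severity names as listed in the table above; list index = numeric syslog
# severity (0 is the most severe, as defined by the syslog protocol).
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATION", "DEBUG"]

# Syslog protocol facility codes for the facilities the table lists.
FACILITIES = {0: "KERNEL", 1: "USER", 3: "DAEMON"}
FACILITIES.update({16 + n: f"LOCAL{n}" for n in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Split a raw syslog datagram into (facility, severity, body).

    Returns None when there is no valid PRI header. A facility code that is
    not in the table above decodes as "OTHER(<code>)".
    """
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest PRI the protocol defines
        return None
    facility_code, severity_code = divmod(pri, 8)
    facility = FACILITIES.get(facility_code, f"OTHER({facility_code})")
    return facility, SEVERITIES[severity_code], m.group(2)


def at_or_above(severity, threshold):
    """True if `severity` is at or above `threshold` in the guide's sense:
    threshold ERROR admits ERROR, CRITICAL, ALERT and EMERGENCY."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def audit(datagrams, expected_facility, threshold):
    """Classify received datagrams against the Facility and Severity Level
    configured for one appliance. Returns a Counter of verdicts."""
    verdicts = Counter()
    for datagram in datagrams:
        decoded = decode_pri(datagram)
        if decoded is None:
            verdicts["malformed"] += 1
        elif decoded[0] != expected_facility:
            # Another device, or the Facility setting is not what you think.
            verdicts["unexpected_facility"] += 1
        elif not at_or_above(decoded[1], threshold):
            # Should not arrive if Severity Level is set to `threshold`.
            verdicts["below_threshold"] += 1
        else:
            verdicts["ok"] += 1
    return verdicts


# Constructed sample datagrams (placeholder bodies).
SAMPLE = [
    "<131>constructed body: local0 / error",        # 16*8 + 3
    "<128>constructed body: local0 / emergency",    # 16*8 + 0
    "<134>constructed body: local0 / information",  # 16*8 + 6
    "<27>constructed body: daemon / error",         # 3*8 + 3
    "no PRI header at all",
    "<999>out-of-range PRI",
]

if __name__ == "__main__":
    print(audit(SAMPLE, expected_facility="LOCAL0", threshold="ERROR"))
```

Giving each appliance its own LOCAL facility, as the Facility description suggests, is what makes the `unexpected_facility` count meaningful on a collector shared by several devices.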

Once you add the server, go to the System → Logging → Log configuration page and enable all
those logs which are to be sent to the syslog server.

Log configuration
Once you add the server, configure the logs to be sent to the syslog server from the System → Logging → Log
configuration page. If multiple servers are configured, various logs can be sent to different servers.

To record logs you must enable the respective log and specify logging location. Administrator can choose
between on-appliance (local) logging, Syslog logging or disabling logging temporarily.

Cyberoam logs many different network activities and traffic including:

Firewall Log
Firewall Log records invalid traffic, local ACL traffic, DoS attack, ICMP redirected packets, source routed
and fragmented traffic. Firewall logs can be disabled or sent to the remote syslog server only but cannot
be stored locally.

Invalid Traffic Log
Log records the dropped traffic that does not follow the protocol standards, invalid fragmented traffic
and traffic whose packets Cyberoam is not able to relate to any connection.

Local ACL Log
Log records the entire (allowed and dropped) incoming traffic and traffic for the firewall

DoS attack Log
The DoS Attack Log records attacks detected and prevented by the Cyberoam i.e. dropped TCP,
UDP and ICMP packets.

To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
SYN Flood, UDP flood, TCP flood, and ICMP flood individually

Dropped ICMP Redirected Packet Log
Log records all the dropped ICMP redirect packets.

To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
'Disable ICMP redirect Packets'

Dropped Source Routed Packet Log
Log records all the dropped source routed packets.

To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
'Drop Source Routed Packets'

Dropped Fragmented traffic
Log records the dropped fragmented traffic

IPS reports
Records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and
signatures.

Antivirus Logs
Virus detected in HTTP, SMTP, FTP, POP3 and IMAP4 traffic. Enabling logging for SMTP will also
enable logging for POP3 and IMAP4 on local server. HTTP and FTP logs can be disabled or sent to the
remote log server only.

Antispam Logs
SMTP, POP3, IMAP4 spam and probable spam mails.

Content Filtering reports
HTTP filtering log.

Traffic Discovery reports
Traffic discovery log can be stored locally only.

Log Type | Local (On-appliance) | Syslog
Firewall - Firewall Rules | No | Yes
Firewall - Invalid Traffic | No | Yes
Firewall - Local ACLs | No | Yes
Firewall - DoS Attack | No | Yes
Firewall - ICMP Redirected packets | No | Yes
Firewall - Source Routed packets | No | Yes
Firewall - Fragmented traffic | No | Yes
IPS - Anomaly | Yes | Yes
IPS - Signature | Yes | Yes
Anti Virus - HTTP | Yes | Yes
Anti Virus - FTP | Yes | Yes
Anti Virus - SMTP | Yes | Yes
Anti Virus - POP3 | Enabling/Disabling SMTP log will also enable/disable POP3 log | Yes
Anti Virus - IMAP4 | Enabling/Disabling SMTP log will also enable/disable IMAP4 log | Yes
Anti Spam - SMTP | Yes | Yes
Anti Spam - POP3 | Enabling/Disabling SMTP log will also enable/disable POP3 log | Yes
Anti Spam - IMAP4 | Enabling/Disabling SMTP log will also enable/disable IMAP4 log | Yes
Content Filtering - HTTP | Yes | Yes
Traffic Discovery | Yes | No
HA | | Yes. By default, HA logs are sent to syslog and no manual configuration is required.


Note
Cyberoam removes entire Syslog configuration on upgrading to V 9.5.3 build 20. Hence, you will have to
reconfigure Syslog.


Product Licensing & Updates


Product Version information
Click Cyberoam icon (on the rightmost corner of the screen) to get the version and appliance key
information.

Screen About Cyberoam


Upgrade Cyberoam
Cyberoam provides two types of upgrades:
Automatic - Correction of any critical software errors, performance improvement or changes in
system behavior leads to an automatic upgrade of Cyberoam without manual intervention or notification.
Manual - Manual upgrades require human intervention.

Automatic Upgrade
By default, AutoUpgrade mode is ON. It is possible to disable the automatic upgrades. Follow the
procedure to disable the AutoUpgrade mode:

1. Log on to Telnet Console


2. Go to option 4 Cyberoam Console

3. At the prompt, type the command, cyberoam autoupgrade off

Manual Upgrade

Step 1. Check for Upgrades


Press F10 to go to Dashboard from any of the screens.
Under the Installation Information section, click Check for Upgrades


Page displays the list of available upgrades and the upgrade details like release date and size. Order
specifies the sequence in which Cyberoam should be upgraded.

Step 2. Download Upgrade


Click Download against the version to be downloaded and follow the on screen instructions to save the
upgrade file.

Step 3. Upload downloaded version to Cyberoam

Select Help -> Upload Upgrade

Type the file name with full path or select using Browse and click Upload


Screen - Upload Upgrade version

Step 4. Upgrade
Once the upgrade file is uploaded successfully, log on to Console to upgrade the version.
Log on to Cyberoam Telnet Console.
Type 6 to upgrade from the Main menu and follow the on-screen instructions.
A success message will be displayed if the upgrade completes successfully.

Repeat the above steps if more than one upgrade is available, upgrading in the same sequence as
displayed on the Available Upgrades page.


Download Clients
Cyberoam Client supports users on the following platforms:
Windows - Enables users using Windows Operating System to log on to Cyberoam Server

HTTP - Enables users using any Operating System other than Windows & Linux to log on to Cyberoam
Server

Linux - Enables users using Linux Operating System to log on to Cyberoam Server

Single Sign on Client - Enables Windows-migrated users to log on to Cyberoam using Windows
Username and password.

Single Sign on Client Auto Setup - Download the setup.

Guides - Opens the Cyberoam Documentation site (http://docs.cyberoam.com), where you can download or
view the complete documentation set available for all the versions.

Depending on the requirement, download the Cyberoam Client from Help -> Downloads

Screen Download Clients


Appendix A Audit Log


Audit logs are an important part of any secure system. They provide an invaluable view into the current
and past state of almost any type of complex system, and they need to be carefully designed in order to
give a faithful representation of system activity.

Cyberoam Audit log can identify what action was taken by whom and when. The existence of such logs
can be used to enforce correct user behavior, by holding users accountable for their actions as recorded
in the audit log.

An audit log is the simplest, yet also one of the most effective forms of tracking temporal information. The
idea is that any time something significant happens you write some record indicating what happened and
when it happened.

Audit logs can be accessed in two ways:


1. Log on to Cyberoam Web Admin Console and click Reports to open the reports page in a new
window

2. Log on to Reports, click on the Reports link to open the reports login page in a new window

Screen Reports Login


Viewing Log details

Tailor the report by setting filters on data by arbitrary date range. Use the Calendar to select the date
range of the report.

Screen Audit Log report


Screen Sample Audit Log Report

Audit Log Components

Entity - Cyberoam Component through which the event was generated/Audit Resource Type
Entity Name - Unique Identifier of Entity
Action - Operation requested by entity/Audit Action
Action By - User who initiated the action/Accessor name
Action Status - Action result/Audit Outcome

Entity | Entity Name | Action | Action By | Action Status | Message | IP Address | Explanation
Report GUI | | Login | <username> | Successful | - | <IP address> | Login attempt to Report GUI by User <username> was successful
Report GUI | | Login | <username> | Failed | Wrong username or password | <IP address> | Login attempt to Report GUI by User <username> was not successful because of wrong username and password
Management GUI | | Login | <username> | Successful | - | <IP address> | Login attempt to Management GUI by User <username> was successful
Management GUI | | Login | <username> | Failed | User not found | <IP address> | Login attempt to Management GUI by User <username> was not successful because system did not find the User <username>
Management GUI | | Login | <username> | Failed | User has no privilege of Administration | <IP address> | Login attempt to Management GUI by User <username> was not successful as user does not have administrative privileges
Configuration Wizard | | Started | <username> | Successful | - | <IP address> | User <username>'s request to start Configuration Wizard was successful
Configuration Wizard | | Finished | <username> | Successful | - | <IP address> | User <username>'s request to close Configuration Wizard was successful
System | | Started | <username> | Successful | Cyberoam-System Started | <IP address> | Cyberoam was successfully started by the User <username>
SSh | | authentication | <username> | Successful | User admin, coming from 192.168.1.241, authenticated. | <IP address> | <username> trying to log on from <ip address> using SSH client was successfully authenticated
SSh | | authentication | <username> | Failed | Login Attempt failed from 192.168.1.241 by user root | <IP address> | Authentication of <username> trying to log on from <ip address> using SSH client was not successful
SSh | | authentication | <username> | Failed | Password authentication failed. Login to account hello not allowed or account non-existent | <IP address> | Log on to account <username> using SSH client was not successful
telnet | | authentication | <username> | Successful | Login Successful | <IP address> | Remote Login attempt through Telnet by User <username> was successful
telnet | | authentication | <username> | Failed | Authentication Failure | <IP address> | Authentication of <username> trying to log on remotely through Telnet was not successful
console | | authentication | <username> | Successful | Login Successful | ttyS0 | Login attempt to Console using Console Interface via remote login utility by User <username> was successful
console | | authentication | <username> | Successful | Login Successful | tty1 | Login attempt to Console via direct Console connection by User <username> was successful
console | | authentication | <username> | Failed | Authentication Failure | <IP address> | Login attempt to Console by User <username> was not successful
Firewall | | Started | System | Successful | - | <IP address> | Firewall subsystem started successfully without any error
Firewall Rule | <firewall rule id> e.g. 7 | Create | <username> | Successful | - | <IP address> | Firewall rule <firewall rule id> was created successfully by user <username>
Firewall Rule | <firewall rule id> e.g. 6 | Update | <username> | Successful | - | <IP address> | Firewall rule <firewall rule id> was updated successfully by user <username>
Firewall Rule | <firewall rule id> e.g. 21 | Update | System | Successful | - | <IP address> | Firewall rule <firewall rule id> was updated successfully by user <username>
Firewall Rule | <firewall rule id> e.g. 10 | Delete | System | Successful | - | <IP address> | Firewall rule <firewall rule id> was deleted successfully by user <username>
Host | N/A | Delete | <username> | Failed | - | <IP address> | Request to delete Host by user <username> was not successful
Host | <host name> e.g. 192.168.1.68, #Port D | Delete | <username> | Successful | - | <IP address> | Host <host name> was deleted successfully by user <username>
Host | <host name> e.g. 192.168.1.66, #Port D | Insert | <username> | Successful | - | <IP address> | Host <host name> was added successfully by user <username>
HostGroup | <host group name> e.g. mkt group | Delete | <username> | Successful | - | <IP address> | Host Group <host group name> was deleted successfully by user <username>
HostGroup | <host group name> e.g. sys group | Update | <username> | Successful | - | <IP address> | Host Group <host group name> was updated successfully by user <username>
HostGroup | <host group name> e.g. Trainee | Insert | <username> | Successful | - | <IP address> | Host Group <host group name> was updated successfully by user <username>
Service | <service name> e.g. vypress chat | Delete | <username> | Successful | - | <IP address> | Service <service name> was deleted successfully by user <username>
Service | <service name> e.g. vypress chat | Update | <username> | Successful | - | <IP address> | Service <service name> was updated successfully by user <username>
Service | <service name> e.g. vypress chat | Insert | <username> | Successful | - | <IP address> | Service <service name> was inserted successfully by user <username>
ServiceGroup | <service group name> e.g. Intranet chat | Insert | <username> | Successful | - | <IP address> | Service group <service group name> was inserted successfully by user <username>
ServiceGroup | <service group name> e.g. Intranet chat | Update | <username> | Successful | - | <IP address> | Service group <service group name> was updated successfully by user <username>
ServiceGroup | <service group name> e.g. Intranet chat | Delete | <username> | Successful | - | <IP address> | Service group <service group name> was deleted successfully by
NAT Policy | <policy name> | Insert | <username> | Successful | - | <IP address> | NAT policy <policy name> was inserted successfully by user <username>
NAT Policy | <policy name> | Update | <username> | Successful | - | <IP address> | NAT policy <policy name> was updated successfully by user <username>
NAT Policy | <policy name> | Delete | <username> | Successful | - | <IP address> | NAT policy <policy name> was deleted successfully by user <username>
DNAT Policy | <policy name> | Insert | <username> | Successful | - | <IP address> | DNAT policy <policy name> was inserted successfully by user <username>
DNAT Policy | <policy name> | Update | <username> | Successful | - | <IP address> | DNAT policy <policy name> was updated successfully by user <username>
DNAT Policy | <policy name> | Delete | <username> | Successful | - | <IP address> | DNAT policy <policy name> was deleted successfully by user <username>
Schedule | <schedule name> | Insert | <username> | Successful | - | <IP address> | Schedule <schedule name> was inserted successfully by user <username>
Schedule | <schedule name> | Update | <username> | Successful | - | <IP address> | Schedule <schedule name> was updated successfully by user <username>
Schedule | <schedule name> | Delete | <username> | Successful | - | <IP address> | Schedule <schedule name> was deleted successfully by user <username>
Schedule Detail | <schedule name> | Insert | <username> | Successful | - | <IP address> | Schedule details to Schedule <schedule name> was inserted successfully by user <username>
Local ACLs | Local ACLs | Update | <username> | Successful | - | <IP address> | Local ACL was updated successfully by user <username>
DoS Bypass | DoS Bypass | Delete | <username> | Successful | - | <IP address> | DoS Bypass rule deleted successfully by <username>
DoS Bypass | DoS Bypass | Insert | <username> | Successful | - | <IP address> | DoS Bypass rule inserted successfully by user <username>
DoS Settings | DoS Settings | Update | <username> | Successful | - | <IP address> | DoS settings updated successfully by user <username>
Online Registration | | Register | <username> | Successful | - | <IP address> | User <username> successfully registered Appliance/Subscription module(s) through Online Registration
Upload Version | | Upload Version | <username> | Successful | - | <IP address> | User <username> successfully uploaded the version
Date | | Update | <username> | Successful | System time changed from 2006-06-19 23:15:50 IST to 2006-07-19 23:15:03 IST | <IP address> | Request to update the Date from Console by User <username> was successful

Apart from the tabular format, Cyberoam lets you view the log details in:

Printable format - Click to open a new window and display the report in the printer
friendly format. Report can be printed from File -> Print.

Export as CSV (Comma Separated Value) - Click to export and save the report in CSV
format. Report can be very easily exported to MS Excel and all the Excel functionalities can be used
to analyze the data.


Appendix B Logs
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network misuse and abuse.

Cyberoam provides following logs:


DoS Attack Log
Invalid traffic Log
Firewall Rule Log
Local ACL Log
Dropped ICMP Redirected Packet Log
Dropped Source Routed Packet Log
IPS Log - Anomaly and Signature Log
Antivirus Log - HTTP, SMTP, FTP, POP3 and IMAP4 traffic
Antispam Log - SMTP, POP3, IMAP4 spam and probable spam
Fragmented traffic Log
Invalid fragmented traffic Log
Content filtering Log
HA Log

By default, only the firewall rule logging will be ON i.e. only traffic allowed/denied by the firewall will be
logged. Refer to Cyberoam Console Guide on how to enable/disable logging.

Log ID structure

Log ID Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g. 0101011, 0102011


Where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID

Log Type

Log Type ID Log Type


01 Firewall
02 IDP
03 Anti Virus
04 Anti Spam
05 Content Filtering
06 System Event

Log Component

Log Component ID Log Component

01 Firewall Rule
02 Invalid Traffic
03 Local ACLs
04 DoS Attack
05 ICMP Redirection
06 Source Routed
07 Anomaly
08 Signatures
09 HTTP
10 FTP
11 SMTP
12 POP3
13 IMAP4
14 Fragmented Traffic
15 Invalid Fragmented Traffic
16 HA

Log Subtype

Log Subtype ID Sub Type


01 Allowed
02 Denied
03 Detect
04 Drop
05 Clean
06 Virus
07 Spam
08 Probable Spam
09 Synchronization
10 Failover

Priority

Priority Description
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Information
7 Debug

Message ID

Each event has a unique message ID, which is included as a part of the log ID.

Log Component | Event | Message ID
Firewall rule | Traffic allowed according to the firewall rule | 00001
Firewall rule | Traffic denied/dropped according to the firewall rule | 00002
Invalid traffic | Invalid traffic denied | 01001
Local ACLs | Traffic allowed according to the configured Local ACL | 02001
Local ACLs | Traffic denied according to the configured Local ACL | 02002
DoS Attack | DoS attack denied according to the DoS settings | 03001
ICMP Redirection | ICMP redirection traffic denied | 04001
Source Routed | Source routed traffic denied | 05001
Fragmented traffic | Fragmented traffic denied | 01301
Invalid Fragmented traffic | Invalid Fragmented traffic denied | 01601
IDP | Detected attacks based on unknown or suspicious patterns (anomaly) | 06001
IDP | Dropped attacks based on unknown or suspicious patterns (anomaly) | 06002
IDP | Detected attacks based on attack signature | 07001
IDP | Dropped attacks based on attack signature | 07002
Antivirus | HTTP Virus infected URL blocked | 08001
Antivirus | Virus infected FTP data transfer blocked | 09001
Antivirus | FTP data transfer completed successfully | 09002
Antivirus | Virus infected mail detected in SMTP traffic | 10001
Antivirus | Virus infected mail detected in POP3 traffic | 11001
Antivirus | Virus infected mail detected in IMAP4 traffic | 12001
Antispam | Mail detected as SPAM in SMTP traffic and rejected | 13001
Antispam | Mail detected as SPAM in SMTP traffic and dropped | 13004
Antispam | Mail detected as SPAM in SMTP traffic but accepted | 13005
Antispam | Mail detected as SPAM in SMTP traffic but mail is forwarded after changing the original recipient address | 13006
Antispam | Mail detected as SPAM in SMTP traffic but forwarded after tagging the original subject i.e. adding prefix to the subject | 13007
Antispam | Mail detected as a PROBABLE SPAM in SMTP traffic and rejected | 13002
Antispam | Mail detected as PROBABLE SPAM in SMTP traffic and dropped | 13008
Antispam | Mail detected as PROBABLE SPAM in SMTP traffic but accepted | 13009
Antispam | Mail detected as PROBABLE SPAM in SMTP traffic but is forwarded after changing the original recipient address | 13010
Antispam | Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after tagging the original subject i.e. adding prefix to the subject | 13011
Antispam | Clean mail in SMTP traffic | 13004
Antispam | Mail detected as SPAM in POP3 traffic but accepted | 14001
Antispam | Mail detected as PROBABLE SPAM in POP3 traffic but accepted | 14002
Antispam | Clean mail in POP3 traffic | 14003
Antispam | Mail detected as SPAM in POP3 traffic but mail is forwarded after changing the original recipient address | 14004
Antispam | Mail detected as PROBABLE SPAM in POP3 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject | 14005
Antispam | Mail detected as SPAM in IMAP4 traffic but accepted | 15001
Antispam | Mail detected as PROBABLE SPAM in IMAP4 traffic but accepted | 15002
Antispam | Clean mail in IMAP4 traffic | 15003
Antispam | Mail detected as SPAM in IMAP4 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject | 15004
Content Filter | Web site/file/application access allowed according to the Internet Access policy | 16001
Content Filter | Web site/file/application access blocked according to the Internet Access policy | 16002
HA | Appliance becomes Standalone | 60012
HA | Appliance goes in Fault | 60013
HA | Appliance becomes Auxiliary | 60014
HA | Appliance becomes Primary | 60015
HA | Appliance becomes Standalone at Appliance startup | 60016
HA | Appliance goes in Fault at Appliance startup | 60017
HA | Appliance becomes Auxiliary at Appliance startup | 60018
HA | Appliance becomes Primary at Appliance startup | 60019

Firewall Log
Cyberoam logs all the packets - dropped or allowed, by the firewall rule.

Event Log sample


Event: Traffic allowed by Firewall rule
date=2007-11-16 time=21:20:55 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=route log_id=010101600001
log_type=Firewall log_component=Firewall Rule log_subtype=Allowed
priority=Information duration=0 fw_rule_id=85 user_name= user_gp= iap=16
application= application_id= in_interface=Port A out_interface=Port B
src_ip=192.168.15.40 dst_ip=64.233.167.99 protocol=TCP src_port=1293
dst_port=80 icmp_type= icmp_code= sent_pkts=45 recv_pkts=12 sent_bytes=162
recv_bytes=45 tran_src_ip=203.88.135.197 tran_src_port= tran_dst_ip=
tran_dst_port= srczonetype=LAN dstzonetype=WAN dir_disp=org
connevent=start connid=3456 vconnid=

Event: Traffic denied/dropped by Firewall rule
date=2007-11-17 time=11:09:35 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=route log_id=010102600002 log_type=Firewall
log_component=Firewall Rule log_subtype=Denied priority=Information duration=
fw_rule_id=14 user_name= user_gp= iap= application= application_id=
in_interface=Port A out_interface=Port B src_ip=172.16.16.40
dst_ip=216.109.112.135 protocol=ICMP src_port= dst_port= icmp_type=8
icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=
tran_src_port= tran_dst_ip= tran_dst_port= srczonetype=LAN
dstzonetype=WAN dir_disp=org connevent= connid= vconnid=


Firewall log fields and description

SR. No. | Data Fields | Type | Description
1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the allowed traffic - the date on which connection was started on Cyberoam. For the dropped traffic - the date when the packet was dropped by Cyberoam
2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam
3 | timezone | | Time zone set on Cyberoam appliance e.g. IST
4 | device_name | string | Model Number of the Cyberoam Appliance
5 | device_id | string | Unique Identifier of the Cyberoam Appliance
6 | deployment_mode | string | Mode in which Cyberoam is deployed. Possible values: Route, Bridge
7 | log_id | string | Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g. 0101011, 0102011. c1c2 - Log Type e.g. 01 for firewall log; c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.; c5c6 - Log Sub Type i.e. allow/violation; c7 - Priority e.g. 0 for Emergency; c8c9c10c11c12 - Message ID e.g. 00001 for traffic allowed by firewall
8 | log_type | string | Type of event occurred in Cyberoam e.g. firewall event
9 | log_component | string | Component responsible for logging e.g. Firewall rule
10 | log_subtype | string | Decision taken on traffic
11 | priority | string | Severity level of traffic
12 | duration | integer | Duration of traffic (seconds)
13 | firewall_rule_id | integer | Firewall rule id i.e. firewall rule id which is applied on the traffic
14 | user_name | string | User name
15 | user_group | string | Group Id of user
16 | iap | integer | Internet Access policy Id applied on the traffic
17 | application | string | Application name
18 | application_id | string | Application identifier
19 | in_interface | string | Interface for incoming traffic e.g. Port A. Blank for outgoing traffic
20 | out_interface | string | Interface for outgoing traffic e.g. Port B. Blank for incoming traffic
21 | source_ip | string | Original Source IP address of traffic
22 | destination ip | string | Original Destination IP address of traffic
23 | protocol | integer | Protocol number of traffic
24 | source_port | integer | Original Source Port of TCP and UDP traffic
25 | destination_port | integer | Original Destination Port of TCP and UDP traffic
26 | icmp_type | integer | ICMP type of ICMP traffic
27 | icmp_code | integer | ICMP code of ICMP traffic
28 | sent_packets | integer | Total number of packets sent
29 | received_packets | integer | Total number of packets received
30 | sent_bytes | integer | Total number of bytes sent
31 | received_bytes | integer | Total number of bytes received
32 | translated_source_ip | integer | Translated source IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated
33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated
34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated
35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - when Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated
36 | sourcezonetype | string | Type of source zone e.g. LAN
37 | destinationzonetype | string | Type of destination zone e.g. WAN
38 | direction_disposition | string | Packet direction. Possible values: org, reply,
39 | connection_event | | Event on which this log is generated
40 | connection id | integer | Unique identifier of connection
41 | virtual connection id | integer | Connection ID of the master connection
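
A log collector can split these key=value records and cross-check the log_id digits against the text fields, using the Log ID structure and code tables given earlier in this appendix. The Python below is an added example, not Cyberoam code: its function names are hypothetical, it uses the key names seen in the samples (fw_rule_id, src_ip) rather than the longer names in the field table, and the TAMPERED line is constructed.

```python
import re

# Code tables transcribed from the Log Type, Log Component, Log Subtype and
# Priority tables of this appendix.
LOG_TYPES = {"01": "Firewall", "02": "IDP", "03": "Anti Virus", "04": "Anti Spam",
             "05": "Content Filtering", "06": "System Event"}
LOG_COMPONENTS = {"01": "Firewall Rule", "02": "Invalid Traffic", "03": "Local ACLs",
                  "04": "DoS Attack", "05": "ICMP Redirection", "06": "Source Routed",
                  "07": "Anomaly", "08": "Signatures", "09": "HTTP", "10": "FTP",
                  "11": "SMTP", "12": "POP3", "13": "IMAP4", "14": "Fragmented Traffic",
                  "15": "Invalid Fragmented Traffic", "16": "HA"}
LOG_SUBTYPES = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop",
                "05": "Clean", "06": "Virus", "07": "Spam", "08": "Probable Spam",
                "09": "Synchronization", "10": "Failover"}
PRIORITIES = {"0": "Emergency", "1": "Alert", "2": "Critical", "3": "Error",
              "4": "Warning", "5": "Notice", "6": "Information", "7": "Debug"}

# A key is a lowercase/underscore word at line start or after whitespace, then "=".
KEY_RE = re.compile(r"(?:^|\s)([a-z_]+)=")


def parse_line(line):
    """Split one log line into {key: value}.

    A value runs up to the next key, so unquoted values with spaces
    (in_interface=Port A) and quoted ones (in_interface="Port A") both parse.
    """
    hits = list(KEY_RE.finditer(line))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        fields[hit.group(1)] = line[hit.end():end].strip().strip('"')
    return fields


def decode_log_id(log_id):
    """Decode c1c2 / c3c4 / c5c6 / c7 / c8..c12 of a 12-digit log_id."""
    if not re.fullmatch(r"[0-9]{12}", log_id):
        raise ValueError("log_id must be 12 digits: %r" % log_id)
    return {
        "log_type": LOG_TYPES.get(log_id[0:2], "unknown"),
        "log_component": LOG_COMPONENTS.get(log_id[2:4], "unknown"),
        "log_subtype": LOG_SUBTYPES.get(log_id[4:6], "unknown"),
        "priority": PRIORITIES.get(log_id[6], "unknown"),
        "message_id": log_id[7:12],
    }


def mismatches(fields):
    """Names of the text fields that disagree with what log_id encodes."""
    decoded = decode_log_id(fields.get("log_id", ""))
    return [key for key in ("log_type", "log_component", "log_subtype", "priority")
            if decoded[key].lower() != fields.get(key, "").lower()]


# Samples from this page, shortened to the fields used here.
ALLOWED = ("date=2007-11-16 time=21:20:55 timezone=IST device_name=CR500i "
           "log_id=010101600001 log_type=Firewall log_component=Firewall Rule "
           "log_subtype=Allowed priority=Information fw_rule_id=85 user_name= "
           "in_interface=Port A out_interface=Port B src_ip=192.168.15.40 dst_port=80")
INVALID = ('date=2007-12-19 time=15:33:52 timezone="IST" log_id=010202601001 '
           'log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" '
           'priority=Information in_interface="Port A" out_interface="" protocol="ICMP"')
# Constructed line: log_id now encodes Denied while the text field still says Allowed.
TAMPERED = ALLOWED.replace("log_id=010101600001", "log_id=010102600001")

if __name__ == "__main__":
    for name, line in (("ALLOWED", ALLOWED), ("INVALID", INVALID), ("TAMPERED", TAMPERED)):
        fields = parse_line(line)
        print(name, decode_log_id(fields["log_id"]), "mismatches:", mismatches(fields))
```

The record format has no escaping, so a value that itself contains a space followed by `word=` is split into a new field; treat fields derived from user-controlled strings such as user_name or application with that in mind.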


Invalid traffic Log


Cyberoam will filter the following traffic as Invalid traffic:
Short IP Packet
IP Packets with bad IP checksum
IP Packets with invalid header and/or data length
Truncated/malformed IP packet
Packets of Ftp-bounce Attack - FTP bounce attack is an exploit of the FTP protocol whereby an
attacker is able to use the PORT command to request access to ports indirectly through the use of the
victim machine as a middle man for the request. This technique can be used to port scan hosts
discreetly, and to access specific ports that the attacker cannot access through a direct connection.
Short ICMP packet
ICMP packets with bad ICMP checksum
ICMP packets with wrong ICMP type/code
Short UDP packet
Truncated/malformed UDP packet
UDP Packets with bad UDP checksum
Short TCP packet
Truncated/malformed TCP packet
TCP Packets with bad TCP checksum
TCP Packets with invalid flag combination
Cyberoam TCP connection subsystem not able to relate TCP Packets to any connection

If Strict Internet Access Policy is applied, then Cyberoam will also filter the following traffic as Invalid
traffic:
UDP Packets with Destination Port 0
TCP Packets with Source Port and/or Destination Port 0
Land Attack - Attacker forges a SYN packet with the same source and destination IP address that
causes the victim to try to open a connection with itself, causing the system to go into an infinite loop.
Machine becomes slow or hangs until connection times out. An attacker sends a forged packet with
the same source and destination IP address. The victim system will be confused and crashed or
rebooted. Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular
way (a SYN packet in which the source address and port are the same as the destination--i.e.,
spoofed).
Winnuke Attack - This attack sends OOB (Out-of-Band) data to an IP address of a Windows machine
connected to a network and/or Internet. When a Windows machine receives the out-of-band data, it is
unable to handle it and exhibits odd behavior, ranging from a lost Internet connection to a system
crash. This affects Windows 95, NT and 3.11 machines. WinNuke is a ping of death (invalid icmp)
kind of attack, exploiting the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-
band data is sent to TCP port 135-139 of the victim machine, causing it to lock up and display a Blue
Screen of Death.
TCP SYN packets that contain data
IP Packet with Protocol Number 0
IP Packet with TTL Value 0
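
How a receiver could test a captured IPv4/TCP packet against part of the list above, as an added Python example that is not Cyberoam's implementation. It covers the IP-level checks and the TCP strict-policy checks only; the flag combinations treated as invalid (no flags, SYN with FIN or RST) are an assumption, the TCP checksum is not verified, and build_packet is a hypothetical helper that only constructs in-memory sample input.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def inet_checksum(data):
    """RFC 1071 Internet checksum; evaluates to 0 over an intact header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, flags, payload=b"", ttl=64):
    """Constructed IPv4+TCP bytes used as sample input (TCP checksum left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def invalid_reasons(pkt, strict=False):
    """Return the reasons a packet counts as invalid; an empty list means none found."""
    if len(pkt) < 20:
        return ["short IP packet"]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["truncated/malformed IP packet"]
    reasons = []
    if inet_checksum(pkt[:ihl]) != 0:
        reasons.append("IP packet with bad IP checksum")
    if total_len < ihl or total_len > len(pkt):
        reasons.append("IP packet with invalid header and/or data length")
        return reasons
    if strict and proto == 0:
        reasons.append("IP packet with protocol number 0")
    if strict and ttl == 0:
        reasons.append("IP packet with TTL value 0")
    if proto != 6:                      # only TCP is examined further here
        return reasons
    seg = pkt[ihl:total_len]
    if len(seg) < 20:
        reasons.append("short TCP packet")
        return reasons
    sport, dport, _, _, offset, flags = struct.unpack("!HHIIBB", seg[:14])
    data_off = (offset >> 4) * 4
    if data_off < 20 or data_off > len(seg):
        reasons.append("truncated/malformed TCP packet")
        return reasons
    payload_len = len(seg) - data_off
    flags &= 0x3F
    # Assumption: null flags and SYN combined with FIN or RST are "invalid".
    if flags == 0 or (flags & SYN and flags & (FIN | RST)):
        reasons.append("TCP packet with invalid flag combination")
    if strict:
        if sport == 0 or dport == 0:
            reasons.append("TCP packet with source and/or destination port 0")
        if flags & SYN and src == dst:
            reasons.append("Land attack (SYN with identical source and destination IP)")
        if flags & SYN and payload_len:
            reasons.append("TCP SYN packet contains data")
        if flags & URG and 135 <= dport <= 139:
            reasons.append("WinNuke (out-of-band data to TCP port 135-139)")
    return reasons


if __name__ == "__main__":
    samples = {
        "normal SYN": build_packet("192.168.1.10", "10.0.0.5", 40000, 80, SYN),
        "same src/dst": build_packet("10.0.0.5", "10.0.0.5", 40000, 80, SYN),
        "SYN with data": build_packet("192.168.1.10", "10.0.0.5", 40000, 80, SYN, b"x"),
    }
    for name, pkt in samples.items():
        print(name, "->", invalid_reasons(pkt, strict=True))
```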

Event Log sample


Event: Invalid traffic denied
date=2007-12-19 time=15:33:52 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010202601001
log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" priority=Information
duration=0 fw_rule_id= user_name="" user_gp="" iap=0 application="" application_id=
in_interface="Port A" out_interface="" src_ip=192.168.1.100 dst_ip=192.168.13.25
protocol="ICMP" icmp_type=3 icmp_code=3 sent_pkts=0 recv_pkts=0 sent_bytes=0
recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0
srczonetype=LAN dstzonetype=Local dir_disp= connevent= connid= vconnid=


Log fields and description

SR. No. | Data Fields | Type | Description
1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the allowed traffic - the date on which connection was started on Cyberoam. For the dropped traffic - the date when the packet was dropped by Cyberoam
2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam
3 | timezone | | Time zone set on Cyberoam appliance e.g. IST
4 | device_name | string | Model Number of the Cyberoam Appliance
5 | device_id | string | Unique Identifier of the Cyberoam Appliance
6 | deployment_mode | string | Mode in which Cyberoam is deployed. Possible values: Route, Bridge
7 | log_id | string | Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g. 0101011, 0102011. c1c2 - Log Type e.g. 01 for firewall log; c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.; c5c6 - Log Sub Type i.e. allow/violation; c7 - Priority e.g. 0 for Emergency; c8c9c10c11c12 - Message ID e.g. 00001 for traffic allowed by firewall
8 | log_type | string | Type of event occurred in Cyberoam e.g. firewall event
9 | log_component | string | Component responsible for logging e.g. Firewall rule
10 | log_subtype | string | Decision taken on traffic
11 | priority | string | Severity level of traffic
12 | duration | integer | Duration of traffic (seconds)
13 | firewall_rule_id | integer | Firewall rule id i.e. firewall rule id which is applied on the traffic
14 | user_name | string | User name
15 | user_group | string | Group Id of user
16 | iap | integer | Internet Access policy Id applied on the traffic
17 | application | string | Application name
18 | application_id | string | Application identifier
19 | in_interface | string | Interface for incoming traffic e.g. Port A. Blank for outgoing traffic
20 | out_interface | string | Interface for outgoing traffic e.g. Port B. Blank for incoming traffic
21 | source_ip | string | Original Source IP address of traffic
22 | destination ip | string | Original Destination IP address of traffic
23 | protocol | integer | Protocol number of traffic
24 | source_port | integer | Original Source Port of TCP and UDP traffic
25 | destination_port | integer | Original Destination Port of TCP and UDP traffic
26 | icmp_type | integer | ICMP type of ICMP traffic
27 | icmp_code | integer | ICMP code of ICMP traffic
28 | sent_packets | integer | Total number of packets sent
29 | received_packets | integer | Total number of packets received
30 | sent_bytes | integer | Total number of bytes sent
31 | received_bytes | integer | Total number of bytes received
32 | translated_source_ip | integer | Translated source IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated
33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated
34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - when Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated
35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - when Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated
36 | sourcezonetype | string | Type of source zone e.g. LAN
37 | destinationzonetype | string | Type of destination zone e.g. WAN
38 | direction_disposition | string | Packet direction. Possible values: org, reply,
39 | connection_event | | Event on which this log is generated
40 | connection id | integer | Unique identifier of connection
41 | virtual connection id | integer | Connection ID of the master connection

Local ACL


Event Log sample


Event: Traffic allowed according to the configured Local ACL
date=2007-12-19 time=15:34:00 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010301602001
log_type="Firewall" log_component="Local ACLs" log_subtype="Allowed"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=0
application="" application_id= in_interface="Port A" out_interface=""
src_ip=192.168.15.240 dst_ip=192.168.13.25 protocol="ICMP" icmp_type=8
icmp_code=0 sent_pkts=1 recv_pkts=0 sent_bytes=84 recv_bytes=0
tran_src_ip=0.0.0.0 tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0
srczonetype=LAN dstzonetype=Local dir_disp=org connevent=start
connid=1425 vconnid=

Event: Traffic dropped according to the configured Local ACL
date=2007-12-19 time=15:33:54 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010302602002
log_type="Firewall" log_component="Local ACLs" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=0
application="" application_id= in_interface="Port A" out_interface=""
src_ip=192.168.1.84 dst_ip=192.168.15.255 protocol="UDP" src_port=138
dst_port=138 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0
tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN
dstzonetype=Local dir_disp=org connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam

For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user
16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated

35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection

DoS Attack log

Event Log sample


DoS attack denied according to the DoS settings:
date=2007-12-11 time=13:48:07 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010402403001
log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" priority=Warning
duration=0 fw_rule_id= user_name="" user_gp="" iap= application=""
application_id= in_interface="Port A" out_interface="" src_ip=192.168.3.60
dst_ip=192.168.13.25 protocol="ICMP" icmp_type=3 icmp_code=3 sent_pkts=0
recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0
tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN dstzonetype=Local
dir_disp=org connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam

For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST

4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user
16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection

ICMP Redirection log

Event Log sample


ICMP redirection traffic denied:
date=2007-12-12 time=14:48:59 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010502604001
log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=
application="" application_id= in_interface="" out_interface="" src_ip=192.168.13.25
dst_ip=192.168.15.40 protocol="UDP" src_port=33379 dst_port=514 sent_pkts=0
recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0
tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype= dstzonetype= dir_disp=
connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam

For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user
16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic

27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection

Source Routed log

Event Log sample


Source routed traffic denied:
date=2007-12-12 time=14:10:53 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010602605001
log_type="Firewall" log_component="Source Routed" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap= application=""
application_id= in_interface="" out_interface="" src_ip=192.168.1.76 dst_ip=192.168.13.25
protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0
recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0
srczonetype= dstzonetype= dir_disp= connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam

For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user

16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,

39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection

Fragmented Traffic log

Event Log sample


Fragmented traffic denied:
date=2007-12-12 time=14:10:53 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=011402601301
log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=
application="" application_id= in_interface="Port A" out_interface="" src_ip=192.168.1.76
dst_ip=192.168.13.25 protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0
recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0
tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN dstzonetype=Local dir_disp=
connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam

For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user
16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection

Invalid Fragmented Traffic log


Cyberoam will filter the following traffic as Invalid Fragmented traffic:
Fragment Queue out of memory while reassembling IP fragments
Fragment Queue Timeout while reassembling IP fragments
Fragment too far ahead while reassembling IP fragments
Oversized IP Packet while reassembling IP fragments
Fragmentation failure while creating fragments

Event Log sample


Invalid Fragmented traffic denied:
date=2007-12-12 time=14:10:53 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=011502601601
log_type="Firewall" log_component="Invalid Fragmented Traffic" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=
application="" application_id= in_interface="Port A" out_interface=""
src_ip=192.168.1.76 dst_ip=192.168.13.25 protocol="ICMP" icmp_type=3 icmp_code=3
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0
tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN
dstzonetype=Local dir_disp= connevent= connid= vconnid=

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred

For the allowed traffic - the date on which connection was
started on Cyberoam

For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred

For the allowed traffic - the time when the connection was
started on Cyberoam


For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed

Possible values: Route, Bridge


7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011

c1c2 - Log Type e.g. 01 for firewall log

c3c4 - Log Component i.e. firewall/local ACL/DoS Attack etc.

c5c6 - Log Sub Type i.e. allow/violation

c7 - Priority e.g. 0 for Emergency

c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 priority string Severity level of traffic
12 duration integer Duration of traffic (seconds)
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the
traffic
14 user_name string User name
15 user_group string Group Id of user
16 iap integer Internet Access policy Id applied on the traffic
17 application string Application name
18 application_id string Application identifier
19 in_interface string Interface for incoming traffic e.g. Port A

Blank for outgoing traffic


20 out_interface string Interface for outgoing traffic e.g. Port B

Blank for incoming traffic


21 source_ip string Original Source IP address of traffic
22 destination ip string Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic
28 sent_packets integer Total number of packets sent
29 received_packets integer Total number of packets received
30 sent_bytes integer Total number of bytes sent
31 received_bytes integer Total number of bytes received
32 translated_source_ip integer Translated source IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.

Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.

Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction

Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection
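
The firewall event samples above (Local ACL, DoS Attack, ICMP Redirection, Source Routed, Fragmented and Invalid Fragmented traffic) all use the same key=value layout. The Python parser below is an added example, not code from the Cyberoam guide or product: it parses one event, splits log_id into the parts listed in the field table, and flags events whose own fields disagree. The function names, the reading of 0.0.0.0 and 0 as "no translation", the 5-digit message ID and the priority digit mapping are assumptions drawn from the samples.

```python
import re

# One pair is key=value; the value is "quoted" (may hold spaces), a bare token,
# or empty (fw_rule_id= in the samples).
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

INT_FIELDS = {
    "duration", "fw_rule_id", "iap", "src_port", "dst_port", "icmp_type",
    "icmp_code", "sent_pkts", "recv_pkts", "sent_bytes", "recv_bytes",
    "tran_src_port", "tran_dst_port", "connid", "vconnid",
}

# c7 digit -> priority name. Only pairings visible on this page: the table's
# "0 for Emergency" and the two values seen in the samples.
PRIORITY_NAMES = {"0": "Emergency", "4": "Warning", "6": "Information"}

# Samples copied from the Local ACL (dropped) and DoS Attack sections above.
LOCAL_ACL_DENIED = """
date=2007-12-19 time=15:33:54 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010302602002
log_type="Firewall" log_component="Local ACLs" log_subtype="Denied"
priority=Information duration=0 fw_rule_id= user_name="" user_gp="" iap=0
application="" application_id= in_interface="Port A" out_interface=""
src_ip=192.168.1.84 dst_ip=192.168.15.255 protocol="UDP" src_port=138
dst_port=138 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0
tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN
dstzonetype=Local dir_disp=org connevent= connid= vconnid=
"""
DOS_DENIED = """
date=2007-12-11 time=13:48:07 timezone="IST" device_name="CR500i"
device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010402403001
log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" priority=Warning
duration=0 fw_rule_id= user_name="" user_gp="" iap= application=""
application_id= in_interface="Port A" out_interface="" src_ip=192.168.3.60
dst_ip=192.168.13.25 protocol="ICMP" icmp_type=3 icmp_code=3 sent_pkts=0
recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0
tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype=LAN dstzonetype=Local
dir_disp=org connevent= connid= vconnid=
"""


def parse_event(text):
    """Parse one event (possibly wrapped over several lines) into a dict."""
    event = {}
    # Collapse line wraps first so a quoted value split across lines still parses.
    for key, quoted, bare in PAIR_RE.findall(" ".join(text.split())):
        value = quoted or bare
        if value in ("", "N/A"):          # blank and "N/A" both mean "not set"
            event[key] = None
        elif key in INT_FIELDS and value.isdigit():
            event[key] = int(value)
        else:
            event[key] = value
    # Assumption from the samples: untranslated traffic carries 0.0.0.0 / 0.
    for key in ("tran_src_ip", "tran_dst_ip"):
        if event.get(key) == "0.0.0.0":
            event[key] = None
    for key in ("tran_src_port", "tran_dst_port"):
        if event.get(key) == 0:
            event[key] = None
    return event


def decode_log_id(log_id):
    """Split a 12-digit log_id into the parts listed in the field table."""
    if not re.fullmatch(r"\d{12}", log_id or ""):
        raise ValueError("log_id is not 12 digits: %r" % (log_id,))
    return {
        "log_type": log_id[0:2],
        "log_component": log_id[2:4],
        "log_subtype": log_id[4:6],
        "priority": log_id[6],
        # Assumption: the message ID is everything after c7 (5 digits in the samples).
        "message_id": log_id[7:],
    }


def inconsistencies(event):
    """Return the reasons an event disagrees with its own log_id or mode."""
    try:
        parts = decode_log_id(event.get("log_id"))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    expected = PRIORITY_NAMES.get(parts["priority"])
    if expected is not None and event.get("priority") != expected:
        problems.append("priority %r does not match log_id digit %s (%s)"
                        % (event.get("priority"), parts["priority"], expected))
    # The field table states that translation applies only in route mode.
    translated = [k for k in ("tran_src_ip", "tran_src_port",
                              "tran_dst_ip", "tran_dst_port")
                  if event.get(k) is not None]
    if event.get("deployment_mode") == "Bridge" and translated:
        problems.append("Bridge mode event carries translation fields: "
                        + ", ".join(translated))
    return problems


if __name__ == "__main__":
    for sample in (LOCAL_ACL_DENIED, DOS_DENIED):
        ev = parse_event(sample)
        print(ev["log_component"], ev["log_subtype"], ev["src_ip"], "->",
              ev["dst_ip"], decode_log_id(ev["log_id"]), inconsistencies(ev))
```

An event that fails these checks is worth a second look before it reaches correlation rules, since a truncated or altered syslog line usually shows up first as a field that no longer agrees with log_id.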

IPS logs

Event Log sample


Detected attacks based on unknown or suspicious patterns (anomaly):
date=2007-11-16 time=20:45:20 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=020703306001
log_type=IDP log_component="Anomaly" log_subtype=Detect status="Allowed"
priority=Warning idp_policy_id=1 idp_policy_name=generalpolicy fw_rule_id=85
user_name= signature_id=221 signature_msg="DDOS TFN Probe"
classification="Misc activity" rule_priority=3 src_ip=192.168.15.40
dst_ip=203.88.135.198 protocol=ICMP src_port= dst_port= icmp_type=8
icmp_code=0

Dropped attacks based on unknown or suspicious patterns (anomaly):
date=2007-11-17 time=12:52:19 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=020704306002
log_type=IDP log_component="Anomaly" log_subtype=Drop status="Denied"
priority=Warning idp_policy_id=1 idp_policy_name=generalpolicy fw_rule_id=88
user_name= signature_id=221 signature_msg="DDOS TFN Probe"
classification="Misc activity" rule_priority=3 src_ip=192.168.15.40
dst_ip=66.94.234.13 protocol=ICMP src_port= dst_port= icmp_type=8
icmp_code=0

Detected attacks based on attack signature:
date=2007-11-16 time=20:45:20 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=020803307001
log_type=IDP log_component="Signatures" log_subtype=Detect status="Allowed"
priority=Warning idp_policy_id=1 idp_policy_name=generalpolicy fw_rule_id=85
user_name= signature_id=384 signature_msg="ICMP PING" classification="Misc
activity" rule_priority=3 src_ip=192.168.15.40 dst_ip=203.88.135.198
protocol=ICMP src_port= dst_port= icmp_type=8 icmp_code=0

Dropped attacks based on attack signature:
date=2007-11-17 time=12:52:19 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=020804307002
log_type=IDP log_component="Signatures" log_subtype=Drop status="Denied"
priority=Warning idp_policy_id=1 idp_policy_name=generalpolicy fw_rule_id=88
user_name= signature_id=384 signature_msg="ICMP PING" classification="Misc
activity" rule_priority=3 src_ip=192.168.15.40 dst_ip=66.94.234.13 protocol=ICMP
src_port= dst_port= icmp_type=8 icmp_code=0

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date Date Date (yyyy-mm-dd) when the event occurred
    For the allowed traffic - the date on which connection was started on Cyberoam
    For the dropped traffic - the date when the packet was dropped by Cyberoam
2 time Time Time (hh:mm:ss) when the event occurred
    For the allowed traffic - the time when the connection was started on Cyberoam
    For the dropped traffic - the time when the packet was dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name String Model Number of the Cyberoam Appliance
5 device_id String Unique Identifier of the Cyberoam Appliance
6 deployment_mode String Mode in which Cyberoam is deployed
    Possible values: Route, Bridge
7 log_id String Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11) e.g. 0101011, 0102011
    c1c2 - Log Type e.g. 01 for firewall log
    c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc.
    c5c6 - Log Sub Type i.e. allow/violation
    c7 - Priority e.g. 0 for Emergency
    c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type String Type of event that occurred in Cyberoam e.g. firewall event
9 log_component String Component responsible for logging e.g. Firewall rule
10 log_subtype String Decision taken on traffic
11 status String Ultimate status of traffic allowed or denied
12 priority String Severity level of traffic
13 idp_policy_id integer IPS policy id i.e. IPS policy id which is applied on the traffic
14 idp_policy_name integer IPS policy name i.e. IPS policy name which is applied on the traffic
15 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the traffic
16 user_name String User name
17 signature_id String Signature identifier
18 signature_message String Signature message
19 classification String Signature classification
20 rule_priority String Priority of IPS policy
21 source_ip String Original Source IP address of traffic
22 destination ip String Original Destination IP address of traffic
23 protocol integer Protocol number of traffic
24 source_port integer Original Source Port of TCP and UDP traffic
25 destination_port integer Original Destination Port of TCP and UDP traffic
26 icmp_type integer ICMP type of ICMP traffic
27 icmp_code integer ICMP code of ICMP traffic

Anti Virus logs

Event Log sample


HTTP Virus infected URL blocked:
date=2007-11-17 time=07:50:26 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=030906208001 log_type=Anti
Virus log_component=HTTP log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= AV_policy_name=Common Virus Policy virus=eicar
URL=www.eicar.com domainname=eicar.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45

Virus infected FTP data transfer blocked:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031006209001 log_type=Anti
Virus log_component=FTP log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= virus=codevirus FTP_URL=ftp.myftp.com
FTP_Direction=download filename=resume.doc file_size=550k
file_path=mike/Shortcut to virus.lnk ftpcommand=RETR src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
dstdomain=myftp.cpm sent_bytes=162 recv_bytes=45

FTP data transfer completed successfully:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployement_mode=Route log_id=031005609002
log_type=Anti Virus log_component=FTP log_subtype=Clean status=Allowed
priority=Information fw_rule_id= user_name= virus= FTP_URL=ftp.myftp.com
FTP_Direction=download filename=demonstration.doc file_size=470k
file_path=mike/myfile.doc ftpcommand=RETR src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
dstdomain=myftp.com sent_bytes=162 recv_bytes=45

Virus infected mail detected in SMTP traffic:
date=2007-11-17 time=08:50:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031106210001 log_type=Anti
Virus log_component=SMTP log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= AV_Policy_name=AV common Policy
from_email_address=pooch@core.com to_email_address=sean@cnen.com
subject=Important mailid=001a01c82a19$a9dde620$061c568c@xxx mailsize=420k
virus=eicar filename=eicar virus_status=Infected virus_action=Quarantined
quarantine=/var/quarantine/0x10001f9f.47412e69 src_domainname=core.com
dst_domainname=cnen.com src_ip=192.168.15.40 dst_ip=66.249.89.18 protocol=TCP
src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45

Virus infected mail detected in POP3 traffic:
date=2007-11-17 time=08:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031206211001 log_type=Anti
Virus log_component=POP3 log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= AV_Policy_name=AV common Policy
from_email_address=pooch@core.com to_email_address=sean@cnen.com
subject=Important mailid=001a01c82a19$a9dde620$061c568c@xxx mailsize=420k
virus=redvirus filename=resume.doc virus_status=Infected
virus_action=Quarantined quarantine=/var/quarantine/0x10001f9f.47412e69
src_domainname=core.com dst_domainname=cnen.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45

Virus infected mail detected in IMAP4 traffic:
date=2007-11-17 time=08:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031306212001 log_type=Anti
Virus log_component=IMAP4 log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= AV_Policy_name=AV common Policy
from_email_address=pooch@core.com to_email_address=sean@cnen.com
subject=Important mailid=001a01c82a19$a9dde620$061c568c@xxx mailsize=420k
virus=redvirus filename=resume.doc virus_status=Infected
virus_action=Quarantined quarantine=/var/quarantine/0x10001f9f.47412e69
src_domainname=core.com dst_domainname=cnen.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
    For the allowed traffic - the date on which connection was started on Cyberoam
    For the dropped traffic - the date when the packet was dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
    For the allowed traffic - the time when the connection was started on Cyberoam
    For the dropped traffic - the time when the packet was dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
    Possible values: Route, Bridge
7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11) e.g. 0101011, 0102011
    c1c2 - Log Type e.g. 01 for firewall log
    c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc.
    c5c6 - Log Sub Type i.e. allow/violation
    c7 - Priority e.g. 0 for Emergency
    c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event that occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 status string Ultimate status of traffic allowed or denied
12 priority string Severity level of traffic
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the traffic
14 user_name string User name
15 av_policy_name integer AV policy name i.e. AV policy name which is applied on the traffic
16 from_email_address string Sender email address
17 to_email_address string Recipient email address
18 subject string Signature message
19 mailid string Signature classification
20 mailsize string Priority of IPS policy
21 virus string Virus name
22 filename string Name of the file that contained virus
23 virus_status string Suspicious or infected or protected
24 virus_action string Dropped or Quarantined
25 quarantine string Path and filename of the file quarantined
26 src_domainname string Sender domain name
27 dst_domainname string Receiver domain name
28 source_ip string Original Source IP address of traffic
29 destination ip string Original Destination IP address of traffic
30 protocol integer Protocol number of traffic
31 source_port integer Original Source Port of TCP and UDP traffic
32 destination_port integer Original Destination Port of TCP and UDP traffic
33 send_bytes integer Total number of bytes sent
34 received_bytes integer Total number of bytes received
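
The sample records above mix quoted values (signature_msg="DDOS TFN Probe"), unquoted multi-word values (log_type=Anti Virus) and empty values (user_name=), and log_id packs several codes into 12 digits. The following Python parser is an added example, not part of this guide or of Cyberoam's software; its function names are hypothetical, and it assumes the Message ID is the trailing five digits of log_id, because the samples are 12 digits long and the table's example Message ID is 00001.

```python
import re

# A key is an identifier immediately followed by "=".
_KEY = re.compile(r"[A-Za-z][A-Za-z0-9_]*=")
# An unquoted value runs up to the next whitespace-separated key, so
# "log_type=Anti Virus log_component=HTTP" keeps "Anti Virus" together.
_NEXT_KEY = re.compile(r"\s[A-Za-z][A-Za-z0-9_]*=")

# Widths of the log_id parts. Assumption: Message ID = trailing five digits.
LOG_ID_LAYOUT = (("log_type", 2), ("log_component", 2), ("log_subtype", 2),
                 ("priority", 1), ("message_id", 5))

# Two sample records copied from this guide (IDP anomaly drop, HTTP virus block).
IDP_DROP = """date=2007-11-17 time=12:52:19 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=020704306002
log_type=IDP log_component="Anomaly" log_subtype=Drop status="Denied"
priority=Warning idp_policy_id=1 idp_policy_name=generalpolicy fw_rule_id=88
user_name= signature_id=221 signature_msg="DDOS TFN Probe"
classification="Misc activity" rule_priority=3 src_ip=192.168.15.40
dst_ip=66.94.234.13 protocol=ICMP src_port= dst_port= icmp_type=8
icmp_code=0"""
HTTP_VIRUS = """date=2007-11-17 time=07:50:26 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=030906208001 log_type=Anti
Virus log_component=HTTP log_subtype=Virus status=Denied priority=Critical
fw_rule_id= user_name= AV_policy_name=Common Virus Policy virus=eicar
URL=www.eicar.com domainname=eicar.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45"""


def parse_record(text):
    """Return (fields, repeated_keys) for one key=value log record.

    Unquoted free-text values (email_subject, reason) can themselves contain
    text that looks like key=, so a repeated key is reported instead of
    silently overwriting the first value.
    """
    text = " ".join(text.split())            # undo the line wrapping of the samples
    fields, repeated, pos = {}, [], 0
    while pos < len(text):
        m = _KEY.match(text, pos)
        if m is None:                         # stray token that is not key=value
            nxt = text.find(" ", pos)
            pos = len(text) if nxt == -1 else nxt + 1
            continue
        key, pos = m.group()[:-1], m.end()
        if text.startswith('"', pos):         # quoted value runs to the closing quote
            close = text.find('"', pos + 1)
            close = len(text) if close == -1 else close
            value, pos = text[pos + 1:close], close + 1
        else:                                 # unquoted value runs to the next key
            nxt = _NEXT_KEY.search(text, pos)
            end = nxt.start() if nxt else len(text)
            value, pos = text[pos:end], end
        if key in fields:
            repeated.append(key)              # keep the first value, report the repeat
        else:
            fields[key] = value.strip()
        if pos < len(text) and text[pos] == " ":
            pos += 1
    return fields, repeated


def decode_log_id(log_id):
    """Split a 12-digit log_id into the parts listed in the field tables."""
    if len(log_id) != 12 or not log_id.isdigit():
        raise ValueError(f"log_id must be 12 digits, got {log_id!r}")
    parts, pos = {}, 0
    for name, width in LOG_ID_LAYOUT:
        parts[name] = log_id[pos:pos + width]
        pos += width
    return parts


def build_code_table(records):
    """Map (log_id part, code) -> set of names seen for it in parsed records."""
    table = {}
    for fields in records:
        try:
            codes = decode_log_id(fields.get("log_id", ""))
        except ValueError:
            continue                          # malformed log_id: nothing to learn
        for part in ("log_type", "log_component", "log_subtype", "priority"):
            if fields.get(part):
                table.setdefault((part, codes[part]), set()).add(fields[part])
    return table


if __name__ == "__main__":
    parsed = [parse_record(s)[0] for s in (IDP_DROP, HTTP_VIRUS)]
    for (part, code), names in sorted(build_code_table(parsed).items()):
        print(f"{part:14} {code:>2} -> {', '.join(sorted(names))}")
```

A code that collects more than one name in the table, or a log_id that fails the 12-digit check, marks a record worth inspecting before it is indexed.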

Anti Spam log

Event Sample log


Mail detected as SPAM in SMTP traffic and rejected:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413001
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Denied priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Reject reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic and dropped:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413004
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Denied priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Drop reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but accepted:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413005
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but mail is forwarded after changing the original recipient address:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413006
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
changed_to_email_address=niis@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Change
Recipient reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but forwarded after tagging the original subject i.e. adding prefix to the subject:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413007
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme subject_prefix=spam: mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Prefix
Subject reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as a PROBABLE SPAM in SMTP traffic and rejected:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041108413002
log_type=Anti Spam log_component=SMTP log_subtype=Probable
Spam status=Denied priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Reject reason=Cyberoam Anti Spam identifies mail as
Probable Spam src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in SMTP traffic and dropped:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=0411084130082
log_type=Anti Spam log_component=SMTP log_subtype=Probable
Spam status=Denied priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Drop reason=Cyberoam Anti Spam identifies mail as Probable
Spam src_domainname=core.com dst_domainname=elitecore.com
src_ip=192.168.15.40 dst_ip=203.88.136.154 protocol=TCP src_port=2458
dst_port=21 sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in SMTP traffic but accepted:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041108413009
log_type=Anti Spam log_component=SMTP log_subtype=Probable
Spam status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason=Cyberoam Anti Spam identifies mail as
Probable Spam src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in SMTP traffic but is forwarded after changing the original recipient address:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041108413010
log_type=Anti Spam log_component=SMTP log_subtype=Probable
Spam status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com
changed_to_email_address=niis@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Change Recipient reason=Cyberoam Anti Spam identifies
mail as Probable Spam src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after tagging the original subject i.e. adding prefix to the subject:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041108413011
log_type=Anti Spam log_component=SMTP log_subtype=Probable
Spam status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k subject_prefix=probable spam:
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Prefix
Subject reason=Cyberoam Anti Spam identifies mail as Probable Spam
src_domainname=core.com dst_domainname=elitecore.com
src_ip=192.168.15.40 dst_ip=203.88.136.154 protocol=TCP src_port=2458
dst_port=21 sent_bytes=162 recv_bytes=45


Clean mail in SMTP traffic:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployement_mode=Route log_id=041105613003
log_type=Anti Spam log_component=SMTP log_subtype=Clean
status=Allowed priority=Information fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tde620$061c568c@xxx
spamaction= reason= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in POP3 traffic but accepted:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041207414001
log_type=Anti Spam log_component=POP3 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason= Cyberoam Anti Spam identifies mail as
Spam quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in POP3 traffic but accepted:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041207414004
log_type=Anti Spam log_component=POP3 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme subject_prefix=Spam: mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Prefix
Subject reason= Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Clean mail in POP3 traffic:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041208414002
log_type=Anti Spam log_component=POP3 log_subtype=Probable
Spam status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason=Cyberoam Anti Spam identifies mail as
Probable Spam src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in POP3 traffic but mail is forwarded after changing the original recipient address:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041208414005
log_type=Anti Spam log_component=POP3 log_subtype=Probable
Spam status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
subject_prefix=Probable Spam: mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Prefix
Subject reason=Cyberoam Anti Spam identifies mail as Probable Spam
src_domainname=core.com dst_domainname=elitecore.com
src_ip=192.168.15.40 dst_ip=203.88.136.154 protocol=TCP src_port=2458
dst_port=21 sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in POP3 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041209614003
log_type=Anti Spam log_component=POP3 log_subtype=Clean
status=Allowed priority=Information fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tde620$061c568c@xxx
spamaction= reason= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in IMAP4 traffic but accepted:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployement_mode=Route log_id=041307415001
log_type=Anti Spam log_component=IMAP4 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason= Cyberoam Anti Spam identifies mail as
Spam quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in IMAP4 traffic but accepted:
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041307415001
log_type=Anti Spam log_component=IMAP4 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com email_subject=Promotional
Scheme mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason= Cyberoam Anti Spam identifies mail as
Spam quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Clean mail in IMAP4 traffic:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 log_id=041308515002 log_type=Anti Spam
log_component=IMAP4 log_subtype=Probable Spam status=accept
priority=Warning fw_rule_id=85 user_name=rach
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=prefix subject reason=Cyberoam Anti Spam identifies mail as
Probable Spam src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in IMAP4 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject:
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 log_id=041309715003 log_type=Anti Spam
log_component=IMAP4 log_subtype=Clean status=Accept
priority=Information fw_rule_id=85 user_name=rach
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tde620$061c568c@xxx
spamaction= reason= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
    For the allowed traffic - the date on which connection was started on Cyberoam
    For the dropped traffic - the date when the packet was dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
    For the allowed traffic - the time when the connection was started on Cyberoam
    For the dropped traffic - the time when the packet was dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
    Possible values: Route, Bridge
7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11) e.g. 0101011, 0102011
    c1c2 - Log Type e.g. 01 for firewall log
    c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc.
    c5c6 - Log Sub Type i.e. allow/violation
    c7 - Priority e.g. 0 for Emergency
    c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event that occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 Status string Ultimate status of traffic allowed or denied
12 Priority string Severity level of traffic
13 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the traffic
14 user_name string User name
15 spam_policy_name integer Spam policy name i.e. spam policy name which is applied on the traffic
16 from_email_address string Sender email address
17 to_email_address string Recipient email address
18 email_subject string Email subject
19 Mailsize string Email size
20 Mailid string Email id
24 spam_action string Action performed on the message
    Possible values:
    Reject
    Drop
    Accept
    Change Recipient
    Prefix subject
25 Reason string Reason why the mail was detected as Spam
    Possible values for Reason:
    Cyberoam Anti Spam identifies mail as Spam/Probable Spam
    From email address/From Domain/From IP Address is marked as spam in spam policy
    From email address/From IP Address belonged to email group/IP address group marked as spam
    Message size is greater/less than <msg_size> MB as specified in the spam policy
    Message header={Message Header| Subject | From | To | Other=(other header)} contains/equals <value specified in spam policy>
    Sender IP address is blacklisted by RBL=<RBL Group> specified in the spam policy
26 Quarantine string Path and filename where the message is quarantined
27 src_domainname string Sender domain name
28 dst_domainname integer Receiver domain name
29 source_ip string Original Source IP address of traffic
30 destination ip string Original Destination IP address of traffic
31 protocol integer Protocol number of traffic
32 source_port integer Original Source Port of TCP and UDP traffic
33 destination_port integer Original Destination Port of TCP and UDP traffic
34 send_bytes integer Total number of bytes sent
35 received_bytes integer Total number of bytes received

Content filter logs

Event Log sample


Web site/file/application access allowed according to the Internet Access policy:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600411 log_id=050901716001 log_type=Content Filtering
log_component=HTTP log_subtype=Allowed status=Accept
priority=Information fw_rule_id=75 user_name= user_gp= iap=16
iap_policy_name=General Corporate Policy category=Search Engine
url=www.google.com file= application= contentype=text/html
httpresponsecode=200OK src_ip=192.168.15.40 dst_ip=72.14.235.104
protocol=TCP src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45

Web site/file/application access blocked according to the Internet Access policy:
date=2007-11-17 time=08:28:06 timezone=IST device_name=CR500i
device_id=C010600411 log_id=050902716002 log_type=Content Filtering
log_component=HTTP log_subtype=Denied status=Deny
priority=Information fw_rule_id=85 user_name=rach user_gp=1 iap=12
iap_policy_name=Deny Mail Sites category=WebBasedEmail
url=www.gmail.com file= application= contenttype=text/html
httpresponsecode= src_ip=192.168.15.40 dst_ip=66.249.89.18
protocol=TCP src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
    For the allowed traffic - the date on which connection was started on Cyberoam
    For the dropped traffic - the date when the packet was dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
    For the allowed traffic - the time when the connection was started on Cyberoam
    For the dropped traffic - the time when the packet was dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
    Possible values: Route, Bridge
7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11) e.g. 0101011, 0102011
    c1c2 - Log Type e.g. 01 for firewall log
    c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc.
    c5c6 - Log Sub Type i.e. allow/violation
    c7 - Priority e.g. 0 for Emergency
    c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event that occurred in Cyberoam e.g. firewall event
9 log_component string Component responsible for logging e.g. Firewall rule
10 log_subtype string Decision taken on traffic
11 status string Ultimate state of traffic accept/deny
12 priority string Severity level of traffic
13 duration integer Duration of traffic (seconds)
14 firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the traffic
15 user_name string User name
16 user_group string Group Id of user
17 iap integer Internet Access policy Id applied on the traffic
18 iap_policy_name string Name of the Internet Access policy applied on the traffic
19 category string Name of the category under which website/file/application falls
20 url string URL of the webpage accessed
21 filetype string Type of the file
22 application string Name of the application accessed
23 content_type string Type of the content
24 HTTP response code string code of HTTP response
25 source_ip string Original Source IP address of traffic
26 destination ip string Original Destination IP address of traffic
27 protocol integer Protocol number of traffic
28 source_port integer Original Source Port of TCP and UDP traffic
29 destination_port integer Original Destination Port of TCP and UDP traffic
30 icmp_type integer ICMP type of ICMP traffic
31 icmp_code integer ICMP code of ICMP traffic
32 sent_packets integer Total number of packets sent
33 received_packets integer Total number of packets received
34 sent_bytes integer Total number of bytes sent
35 received_bytes integer Total number of bytes received

HA Log

Event Log sample


Appliance becomes Standalone:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600401 deployment mode=Route log_id=061609760012
log_type=System Event log_component=HA log_subtype=Failover
priority=Information message=Appliance becomes Standalone

Appliance goes in Fault:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600402 deployment mode=Route log_id=061609760013
log_type=System Event log_component=HA log_subtype=Failover
priority=Information message=Appliance goes in Fault

Appliance becomes Auxiliary:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600401 deployment mode=Route log_id=061609760014
log_type=System Event log_component=HA log_subtype=Failover
priority=Information message=Appliance becomes Auxiliary

Appliance becomes Primary:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600402 deployment mode=Route log_id=061609760015
log_type=System Event log_component=HA log_subtype=Failover
priority=Information message=Appliance becomes Primary

Appliance becomes Standalone at Appliance startup:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600401 deployment mode=Route log_id=061610760016
log_type=System Event log_component=HA log_subtype= Failover
priority=Information message=Appliance becomes Standalone at Appliance
startup

Appliance goes in Fault at Appliance startup:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600402 deployment mode=Route log_id=061609760017
log_type=System Event log_component=HA log_subtype= Failover
priority=Information message=Appliance goes in Fault at Appliance startup

Appliance becomes Auxiliary at Appliance startup:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600401 deployment mode=Route log_id=061610760018
log_type=System Event log_component=HA log_subtype= Failover
priority=Information message=Appliance becomes Auxilisry at Appliance startup

Appliance becomes Primary at Appliance startup:
date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i
device_id=C010600402 deployment mode=Route log_id=061610760019
log_type=System Event log_component=HA log_subtype= Failover
priority=Information message=Appliance becomes Primary at Appliance startup

Log fields and description

SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
2 time time Time (hh:mm:ss) when the event occurred
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
Possible values: Route, Bridge
7 log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11)
e.g. 0101011, 0102011
c1c2 - Log Type e.g. 01 for firewall log
c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc.
c5c6 - Log Sub Type i.e. allow/violation
c7 - Priority e.g. 0 for Emergency
c8c9c10c11 - Message ID e.g. 00001 for traffic allowed by firewall
8 log_type string Type of event occurred in Cyberoam
9 log_component string Component responsible for logging
10 log_subtype string Decision taken on traffic
Possible values: Synchronization, Failover
11 Priority string Possible values: Information
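
The HA samples above use unquoted key=value pairs in which some values ("System Event", the message text) and one key ("deployment mode") contain spaces, so splitting on whitespace mis-parses them. The following Python parser is an added example, not code from Cyberoam or from this guide; its function names are hypothetical, and it assumes that message is the last field on the line and that the Message ID occupies the remaining five characters of the 12-character log_id.

```python
import re

# Field names from the "Log fields and description" table. The page's samples
# print "deployment mode" with a space, so both spellings are accepted.
KNOWN_KEYS = [
    "date", "time", "timezone", "device_name", "device_id",
    "deployment[ _]mode", "log_id", "log_type", "log_component",
    "log_subtype", "priority", "message",
]
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(KNOWN_KEYS) + r")=", re.IGNORECASE)

# HA message wording as it appears in the samples on this page.
STATE_RE = re.compile(r"^Appliance (?:becomes|goes in) (\w+?)( at Appliance startup)?$")

# Three of the page's own HA samples, copied verbatim
# (the third keeps the page's "log_subtype= Failover" spacing).
SAMPLE_LINES = [
    "date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i "
    "device_id=C010600401 deployment mode=Route log_id=061609760012 "
    "log_type=System Event log_component=HA log_subtype=Failover "
    "priority=Information message=Appliance becomes Standalone",
    "date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i "
    "device_id=C010600402 deployment mode=Route log_id=061609760013 "
    "log_type=System Event log_component=HA log_subtype=Failover "
    "priority=Information message=Appliance goes in Fault",
    "date=2007-11-17 time=08:30:16 timezone=IST device_name=CR500i "
    "device_id=C010600402 deployment mode=Route log_id=061610760019 "
    "log_type=System Event log_component=HA log_subtype= Failover "
    "priority=Information message=Appliance becomes Primary at Appliance startup",
]


def parse_line(line):
    """Split one log line into a dict of normalised field name -> value."""
    fields = {}
    matches = list(KEY_RE.finditer(line))
    for i, m in enumerate(matches):
        key = m.group(1).lower().replace(" ", "_")
        if key == "message":
            # Assumption: message is the last field, as in every sample here.
            # Taking the rest of the line keeps text inside a message
            # (e.g. "device_id=...") from being read as a separate field.
            fields.setdefault(key, line[m.end():].strip())
            break
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        # First occurrence wins, so a repeated key cannot overwrite a value.
        fields.setdefault(key, line[m.end():end].strip())
    return fields


def decode_log_id(log_id):
    """Split a 12-digit log_id into its coded parts; None if malformed.

    Layout assumed: 2 (type) + 2 (component) + 2 (sub type) + 1 (priority)
    + 5 (message ID). The codes are returned raw, not translated to names.
    """
    if not re.fullmatch(r"\d{12}", log_id or ""):
        return None
    return {
        "log_type": log_id[0:2],
        "log_component": log_id[2:4],
        "log_subtype": log_id[4:6],
        "priority": log_id[6],
        "message_id": log_id[7:12],
    }


def ha_events(lines):
    """Return one record per HA failover line, in input order."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("log_component") != "HA" or f.get("log_subtype") != "Failover":
            continue
        m = STATE_RE.match(f.get("message", ""))
        codes = decode_log_id(f.get("log_id"))
        events.append({
            "when": f"{f.get('date')} {f.get('time')} {f.get('timezone')}",
            "device_id": f.get("device_id"),
            # None means the message did not match the documented wording
            # and the line should be reviewed by hand.
            "state": m.group(1) if m else None,
            "at_startup": bool(m and m.group(2)),
            "message_id": codes["message_id"] if codes else None,
        })
    return events


if __name__ == "__main__":
    for event in ha_events(SAMPLE_LINES):
        print(event)
```

A record whose state is None carries a message that does not match the documented HA wording, which is worth alerting on separately from ordinary role changes.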


Appendix C Web Categories


The list includes all categories with a short description of each category.

Visit www.cyberoam.com for latest updates

Category Name Type Description


ActiveX Non Working Includes all ActiveX applications
AdultContent UnHealthy Adult sites not falling in "Porn, Nudity, Swimwear & Lingerie, Sex
Education, and Sexual Health & Medicines" will be included in "Adult
Content" and which may contain material not suitable to be viewed for
audience under 18
Advertisements Non Working Sites providing advertising graphics or other pop ad content files
AlcoholandTobacco Non Working Sites providing information about, promote, or support the sale of
alcoholic beverages or tobacco products or associated paraphernalia
ALLWebTraffic Neutral Any HTTP Traffic
Applets Non Working All web pages containing Applets
ArtsAndHistory Non Working Sites primarily exhibiting artistic techniques like creative painting,
sculpture, poetry, dance, crafts, Literature, and Drama. Sites that
narrate historical details about countries/places; events that changed
the course of history forever; sites providing details and events of all
wars i.e. World Wars, Civil Wars, and important persons of world
historical importance
Astrology Non Working Sites showing predictions about Sun signs and into various subjects
like Education & Career, Love Relationships, etc.
AudioSearch Non Working This category includes URLs that provide audio search.
Blogs Non Working This category includes URLs that allow users to post or edit content
quickly and spontaneously such as Web logs (blogs) or wikis
BusinessAndEconomy Neutral Sites sponsored by or devoted to business firms, business
associations, sites providing details for all types of industrial sector like
Chemicals, Machinery, Factory Automation, Cable and Wire, sites
providing information about couriers and logistics, and Non-Alcoholic
Soft drinks and Beverages
Chat Non Working Sites hosting Web Chat services or providing support or information
about chat via HTTP or IRC
CommercialBanks Neutral Commercial Banks Category includes all Banking Sites i.e.
International / National Public or Private Sector Banks providing a
wide range of services such as all types of Accounts and Cards, Fixed
Deposits, and Loans
Communication Neutral Sites offering telephone, wireless, long distance, and paging services.
It also includes sites providing details about Mobile communications /
cellular communications
ComputerSecurity Neutral Sites providing information about or free downloadable tools for
computer security
Cookies Non Working Includes all cookie based web pages
Cricket Non Working Sites providing Live Scores of cricket matches, Debates on Cricketers,
Top 10 Cricketers, Cricket News, and forthcoming Cricket matches.
Cricket Category is differentiated from Sports Category and solely
devoted to Cricket activities
CrimeAndSuicide UnHealthy Advocating, instructing, or giving advice on performing illegal acts
such as phone, service theft, evading law enforcement, lock-picking,
burglary techniques and suicide
CulturalInstitutions Neutral Sites sponsored by museums, galleries, theatres, libraries, and
similar institutions; also, sites whose purpose is the display of artworks
DatingAndMatrimonials Non Working Sites assisting users in establishing interpersonal relationships,
friendship, excluding those of exclusively gay, or lesbian or bisexual
interest and Matrimonial Sites providing photos and details of
individuals seeking life partners
DownloadFreewareAndShareware UnHealthy Sites whose primary purpose is providing freeware and shareware
downloads of application, software, tools, screensavers, wallpapers,
and drivers
Drugs UnHealthy Sites providing information about the cultivation, preparation, or use of
prohibited drugs
EducationalInstitutions Productive Sites sponsored by schools, colleges, institutes, online education and
other educational facilities, by non-academic research institutions or
that relate to educational events and activities

EducationAndReferenceMaterial Productive Sites offering books, reference-shelf content such as atlases,
dictionaries, encyclopedias, formularies, white and yellow pages, and
public statistical data
Electronics Neutral Sites providing information on manufacturing of electronics and
electrical equipments, gadgets, instruments like air conditioners, Semi
conductors, Television, Storage Devices, LCD Projectors, Home
Appliances, and Power Systems etc.
Entertainment Non Working Sites providing entertainment sources for Movies, Celebrities,
Theatres, about or promote motion pictures, non-news radio and
television, humor, Comics, Kids and Teen amusement, Jokes, and
magazines
FashionAndBeauty Non Working This category includes URLs that market clothing, cosmetics, jewelry
and other fashion oriented products, accessories, or services. This
also includes product reviews, comparisons, and general consumer
information
Finance Non Working Sites providing information on Money matters, investment, a wide
range of financial services, economics and accounting related sites
and sites of National & International Insurance companies providing
details for all types of Insurances & Policies
Gambling UnHealthy Sites providing information about or promote gambling or support
online gambling, involving a risk of losing money
Games Non Working Sites providing information about or promote electronic games, video
games, computer games, role-playing games, or online games
Government Neutral Sites sponsored by countries, government, branches, bureaus, or
agencies of any level of government including defence. Government
associated Sites providing comprehensive details on Tax related
issues excluding Government sites providing Visa and Immigration
services
Hacking Neutral Sites that provide information about or promote illegal or questionable
access to or use of computer or communication equipment, software,
or databases
HateAndRacism UnHealthy Sites that foster racial supremacy or vilify/discriminate against groups
or individuals by race, color, ethnic origin, sexual orientation, etc
HealthAndMedicines Productive Sites providing information or advice on personal health and fitness.
Sites of pharmaceutical companies and sites providing information
about Medicines
HobbiesAndRecreation Non Working Sites providing information about or promote private and largely
sedentary pastimes, but not electronic, video, or online games.
Homelife and family-related topics, including parenting tips,
gay/lesbian/bisexual (non-pornographic sites), weddings, births, and
funerals. Foreign cultures, socio-cultural information
Homosexuality Non Working This category features subject matter on Gays, Lesbians and
Bisexuals, including non-pornographic related links such as personals,
dating, and on-line shopping.
HTTPUpload Non Working HTTP Upload Restriction
HumanRightsandLiberty Neutral Sites advocating and protecting Human Rights and Liberty to prevent
discrimination and protect people from inhumane
ImageBanks Non Working Image Banks
ImageSearch Neutral This category includes URLs that provide ImageSearch
InformationTechnology Productive Sites sponsoring or providing information about computers, software
applications, database, operating system. Including sites providing
information of hardware, peripherals, and services. Sites offering
design, flash, graphics, multimedia, and web site designing tutorials,
tools, advice and services
InstantMessages Non Working Sites enabling instant messaging
InternetRadioTV Non Working Websites that broadcast radio or TV communications over the
Internet.
InternetTelephony Neutral This category includes sites that enable users to make telephone
calls via the Internet or obtain information or software for this purpose.
IPAddress Neutral
ISPWebHosting Neutral Sites enabling users to make telephone, lease line, ISDN, Cable, V-
SAT connections via Internet or obtaining information for that purpose.
Sites providing hosting services, or top-level domain pages of Web
communities
JobsSearch UnHealthy Sites offering information about or support the seeking of employment
or employees
Kids Neutral Sites designed specifically for kids
LegalOrganizations Neutral Includes legal resources such as bar organizations, lawyers
committees, legal services, and references.
MilitancyAndExtremist UnHealthy Sites offering information about groups advocating antigovernment
beliefs or action
MobileEntertainment Non Working This category includes URLs that provide software or utilities for
mobile phones that can be downloaded from Websites and delivered to
mobile phones
Music Non Working Sites providing songs and music and supporting downloads of MP3 or
other sound files or that serve as directories of such sites
NatureAndWildLife Non Working Sites providing information about Nature, explorations, discoveries,
wild life, animals, birds, protecting endangered species, habitats,
Animal sanctuaries, etc.
NewsAndMedia Neutral Sites offering current news and opinions, including those sponsored
by newspapers, general-circulation magazines or other media. It also
includes sites of advertising agencies and sites providing details of
weather forecast
None Neutral Uncategorized Traffic
NonGovernmentOrganizations Neutral This category includes URLs with content from nongovernmental
organizations such as clubs, lobbies, communities, nonprofit
organizations, labor unions, and advocacy groups.
Nudity UnHealthy Sites depicting nude or seminude human forms, singly or in groups,
not overtly sexual in intent or effect. It includes Nude images of film
stars, models, nude art and photography
ParkedDomain Neutral This category includes sites that once served content, but their
domains have been sold and are no longer registered. Parked
domains do not host their own unique content, but usually redirect
users to a generic page that states the domain name is for sale or
redirect users to a generic search engine and portal page, some of
which provide valid search engine results.
PersonalStorage Neutral Websites that permit users to utilize Internet servers to store personal
files or for sharing, such as with photos.
PersonalAndBiographySites Non Working Includes personal sites of individuals and biographical sites of ordinary
or famous personalities
PhishingAndFraud UnHealthy Sites gathering personal information (such as name, address, credit
card number, school, or personal schedules) that may be used for
malicious intent
PhotoGallaries Non Working Sites providing photos of celebrities, models, and well-known
personalities. Such sites may also contain profiles or additional
elements as long as the primary focus is on multi-celebrity
photographs
Plagiarism UnHealthy Websites that provide, distribute or sell school essays, projects, or
diplomas.
PoliticalOrganizations Neutral Sites sponsored by or providing information about political parties and
interest groups focused on elections or legislation
Porn UnHealthy Sites depicting or graphically describing sexual acts or activity,
including exhibitionism and sites offering direct links to such sites.
Sites providing information or catering to Gay, Lesbian, or Bisexual
images and lifestyles are also included in this category
Portals Non Working Portals include web sites or online services providing a broad array of
resources and services such as search engines, free email, shopping,
news, and other features
PropertyAndRealEstate Neutral Sites providing information about renting, buying, selling, or financing
residential, real estate, plots, etc.
Science Productive Sites providing news, research projects, ideas, information of topics
pertaining to physics, chemistry, biology, cosmology, archeology,
geography, and astronomy
SearchEngines Neutral Sites supporting searching the Web, groups, or indices or directories
thereof
SexHealthAndEducation Neutral Sites providing information regarding Sexual Education and Sexual
Health and sites providing Medicines to cure and overcome Sex
related problems and difficulties, with no pornographic intent
SharesAndStockMarket Non Working Sites providing charting, market commentary, forums, prices, and
discussion of Shares and Stock Market. It also includes sites dealing
in online share trading and sites of stockbrokers
Shopping Non Working Sites supporting Online purchases of consumer goods and services
except: sexual materials, lingerie, swimwear, investments,
medications, educational materials, computer software or hardware.
Also Sites of Showrooms, Stores providing shopping of consumer
products
Spirituality Non Working Sites featuring articles on healing solutions in wellness, personal
growth, relationship, workplace, prayer, articles on God, Society,
Religion, and ethics
SPAMURL UnHealthy This category includes URLs that arrive in unsolicited Spam emails.
Spam URL content ranges from product marketing to potentially
offensive or fraudulent sites.
Sports Non Working Sites providing any information about or promoting sports, active
games, and recreation. All types of Sites providing information about
Sports except Cricket
SpywareandP2P UnHealthy Sites or pages that download software that, without the user's
knowledge, generates http traffic (other than simple user identification
and validation) and Sites providing client software to enable peer-to-
peer file sharing and transfer
SwimwareAndLingerie Non Working Sites showing images of models and magazines offering
lingerie/swimwear but not Nude or sexual images. It also includes Arts
pertaining Adult images and shopping of lingerie
TravelFoodAndImmigration Non Working Sites providing information about traveling i.e. Airlines and Railway
sites. Sites providing details about Hotels, Restaurants, Resorts, and
information about worth seeing places. Sites that list, review,
advertise, or promote food, dining, or catering services. Sites
providing Visa, Immigration, Work Permit and Holiday & Work Visa
details, procedures and services
URLTranslationSites UnHealthy Sites offering Online translation of URLs. These sites access the URL
to be translated in a way that bypasses the proxy server, potentially
allowing unauthorized access
Vehicles Non Working Sites providing information regarding manufacturing and shopping of
vehicles and their parts
Violence UnHealthy Sites featuring or promoting violence or bodily harm, including self-
inflicted harm; or gratuitously displaying images of death, gore, or
injury; or featuring images or descriptions that are grotesque or
frightening and of no redeeming value. These do not include news,
historical, or press incidents that may include the above criteria
Weapons UnHealthy Sites providing information about, promote, or support the sale of
weapons and related items
WebBasedEmail Non Working Sites providing Web based E-mail services or information regarding
email services

281
Cyberoam User Guide

Appendix D Services
Service Name Details
All Services All Services
Cyberoam UDP (1024:65535) / (6060)
AH IP Protocol No 51 (IPv6-Auth)
AOL TCP (1:65535) / (5190:5194)
BGP TCP (1:65535) / (179)
DHCP UDP (1:65535) / (67:68)
DNS TCP (1:65535) / (53), UDP (1:65535) / (53)
ESP IP Protocol No 50 (IPv6-Crypt)
FINGER TCP (1:65535) / (79)
FTP TCP (1:65535) / (21)
FTP_GET TCP (1:65535) / (21)
FTP_PUT TCP (1:65535) / (21)
GOPHER TCP (1:65535) / (70)
GRE IP Protocol No 47
H323 TCP (1:65535) / (1720), TCP (1:65535) / (1503), UDP (1:65535) / (1719)
HTTP TCP (1:65535) / (80)
HTTPS TCP (1:65535) / (443)
ICMP_ANY ICMP any / any
IKE UDP (1:65535) / (500), UDP (1:65535) / (4500)
IMAP TCP (1:65535) / (143)
INFO_ADDRESS ICMP 17 / any
INFO_REQUEST ICMP 15 / any
IRC TCP (1:65535) / (6660:6669)
Internet-Locator-Service TCP (1:65535) / (389)
L2TP TCP (1:65535) / (1701), UDP (1:65535) / (1701)
LDAP TCP (1:65535) / (389)
NFS TCP (1:65535) / (111), TCP (1:65535) / (2049), UDP (1:65535) / (111), UDP (1:65535) / (2049)
NNTP TCP (1:65535) / (119)
NTP TCP (1:65535) / (123), UDP (1:65535) / (123)
NetMeeting TCP (1:65535) / (1720)
OSPF IP Protocol No 89 (OSPFIGP)
PC-Anywhere TCP (1:65535) / (5631), UDP (1:65535) / (5632)
PING ICMP 8 / any
POP3 TCP (1:65535) / (110)
PPTP IP Protocol No 47, TCP (1:65535) / (1723)
QUAKE UDP (1:65535) / (26000), UDP (1:65535) / (27000), UDP (1:65535) / (27910), UDP (1:65535) / (27960)
RAUDIO UDP (1:65535) / (7070)
RIP UDP (1:65535) / (520)
RLOGIN TCP (1:65535) / (513)
SAMBA TCP (1:65535) / (139)
SIP UDP (1:65535) / (5060)
SIP-MSNmessenger TCP (1:65535) / (1863)
SMTP TCP (1:65535) / (25)
SNMP TCP (1:65535) / (161:162), UDP (1:65535) / (161:162)
SSH TCP (1:65535) / (22), UDP (1:65535) / (22)
SYSLOG UDP (1:65535) / (514)
TALK TCP (1:65535) / (517:518)
TCP TCP (1:65535) / (1:65535)
TELNET TCP (1:65535) / (23)
TFTP UDP (1:65535) / (69)
TIMESTAMP ICMP 13 / any
UDP UDP (1:65535) / (1:65535)
UUCP TCP (1:65535) / (540)

VDOLIVE TCP (1:65535) / (7000:7010)
WAIS TCP (1:65535) / (210)
WINFRAME TCP (1:65535) / (1494)
X-WINDOWS TCP (1:65535) / (6000:6063)


Appendix E Application Protocols

Group Application Name Definition

Any All Services


File Transfer FTP File Transfer Protocol is a method to transfer files from one location to another, either
on local disks or via the Internet
yahoofilexfer Yahoo Messenger file transfer
File Transfer client gnucleuslan Gnucleuslan P2P client
imesh IMESH P2P client
File sharing Gnutella Gnutella is a system in which individuals can exchange files over the Internet directly
without going through a Web site. Gnutella is often used as a way to download music
files from or share them with other Internet users
Kazaa A decentralized Internet peer-to-peer (P2P) file-sharing program
directconnect peer-to-peer (P2P) file-sharing program
Mail Protocol POP3 Transport protocol used for receiving emails.
SMTP A protocol for transferring email messages from one server to another.
IMAP A protocol for retrieving e-mail messages


Chat ymsgr Yahoo Messenger
msnmessenger MSN Messenger
AOL Chat client
indiatimes Chat client
Media Player wmplayer Windows Media Player
quickplayer Quick Time Player
Voice over IP SIP (Session Initiation Protocol) Protocol for initiating an interactive user session that
involves multimedia elements such as video, voice, chat, gaming, and virtual reality.
SIP works in the Application layer of the OSI communications model.
H323 A standard approved by the International Telecommunication Union (ITU) that defines
how audiovisual conferencing data is transmitted across networks. It enables users to
participate in the same conference even though they are using different
videoconferencing applications.
RTSP (Real Time Streaming Protocol) A standard for controlling streaming data over the
World Wide Web
Printing IPP (Internet Printing Protocol) Protocol used for printing documents over the web. IPP
defines basic handshaking and communication methods, but does not enforce the
format of the print data stream.
Network DHCP Protocol for assigning dynamic IP addresses to devices on a network
SNMP (Simple Network Management Protocol) Protocol for network management software.
Defines methods for remotely managing active network components such as hubs,
routers, and bridges
DNS An Internet service that translates domain names to or from IP addresses, which are
the actual basis of addresses on the Internet.
RDP (Remote Desktop Protocol) Protocol that allows a Windows-based terminal (WBT) or
other Windows-based client to communicate with a Windows XP Professional-based
computer. RDP works across any TCP/IP connection
nbns NetBIOS Naming Service
Remote logging Telnet Protocol for remote computing on the Internet.
It allows a computer to act as a remote terminal on another machine, anywhere on the
Internet
SSH (Secure Socket Shell) Protocol used for secure access to a remote computer
HTTP Protocol for moving hypertext files across the Internet.
SSL (Secure Socket Layer) Protocol used for secure Internet communications.
ICMP (Internet Control Message Protocol) A message control and error-reporting protocol


Menu wise Screen and Table Index

Screen - Console login screen
Screen - HTTP login screen
Screen - HTTPS login
Table - Login screen elements
Screen - Dashboard
Screen - Create Zone
Table - Create Zone
Screen - Cyberoam Authentication
Table - Cyberoam Authentication screen elements
Table - Create User - Decision matrix
Screen - Add User
Table - Add User screen elements
Table - View Group details screen elements
Screen - Add multiple Clientless users
Table - Add multiple Clientless users screen elements
Screen - Add single Clientless user
Table - Create single Clientless user screen elements
Table - Group creation - Decision matrix
Screen - Create Group
Table - Create Group screen elements
Screen - Import Group Wizard
Screen - Define same policy to all the imported Groups
Screen - Define different policies to different Groups
Screen - Define specific policy for a Group
Screen - Groups imported and common policies attached successfully
Screen - Groups imported and specific policies attached to specific Group
Screen - Create Firewall rule
Table - Create Firewall rule screen elements
Screen - Edit Firewall Rule
Table - Edit Firewall Rule
Screen - Customized Screen Display of Manage Firewall Rules page
Screen - Delete Firewall rule
Screen - Create Host Group
Table - Create Host Group screen elements
Screen - Remove Host from Host Group
Table - Remove Host from Host Group screen elements
Screen - Delete Host Group
Table - Delete host Group screen elements
Screen - Add Host
Table - Add Host screen elements
Screen - Delete Host
Table - Delete Host screen elements
Screen - Create Trusted MAC/IP list
Table - Create Trusted MAC/IP list screen elements
Screen - Import MAC address
Screen - Delete MAC address
Table - Delete MAC address screen elements
Screen - Configure Spoof Prevention Settings
Table - Configure Spoof Prevention Settings screen elements
Screen - Create Virtual host
Screen - Delete Virtual Host
Table - Delete Virtual host screen elements
Screen - Application wise Live connections
Table - Application wise Live connections screen elements
Screen - User wise Live connections
Table - User wise Live connections screen elements
Screen - LAN IP Address wise Live connections
Table - LAN IP Address wise Live connection screen elements
Screen - Today's Connection History - Application wise
Table - Today's Connection History - Application screen elements
Screen - Today's Connection History - User wise
Table - Today's Connection History - User wise screen elements
Screen - Today's Connection History - LAN IP Address wise
Table - Today's Connection History - LAN IP Address wise screen elements
Screen - Create Surfing Quota policy
Table - Create Surfing Quota policy screen elements
Screen - Update Surfing Quota policy
Table - Update Surfing Quota policy screen elements
Screen - Delete Surfing Quota policy
Table - Delete Surfing Quota policy screen elements
Screen - Create Access Time policy
Table - Create Access Time policy screen elements
Screen - Update Access Time policy
Table - Update Access Time policy screen elements ........................................................................................85
Screen - Delete Access Time policy .......................................................................................................................85
Table - Delete Access Time policy screen elements..........................................................................................85
Screen - Create Internet Access policy .................................................................................................................87
Table - Create Internet Access policy screen elements ....................................................................................88
Screen - Add Internet Access policy rule.............................................................................................................88
Table - Add Internet Access policy rule screen elements ...............................................................................89
Screen - Update Internet Access policy ................................................................................................................90
Table - Update Internet Access policy screen elements...................................................................................91
Screen - Delete Internet Access policy rule .........................................................................................................91
Table - Delete Internet Access policy rule screen elements ............................................................................92
Screen - Delete Internet Access policy..................................................................................................................92
Table - Delete Internet Access policy screen elements ....................................................................................92
Table - Implementation types for Strict - Bandwidth policy .............................................................................93
Table - Bandwidth usage for Strict - Bandwidth policy.....................................................................................93
Table - Implementation types for Committed - Bandwidth policy ..................................................................94
Table - Bandwidth usage for Committed - Bandwidth policy ..........................................................................94
Screen - Create Bandwidth policy...........................................................................................................................95
Table - Create Bandwidth policy screen elements .............................................................................................96
Screen - Update Bandwidth policy .........................................................................................................................96
Screen - Update Bandwidth policy .........................................................................................................................97
Table - Update Bandwidth policy screen elements ............................................................................................98
Screen - Remove Schedule from Bandwidth policy...........................................................................................98
Table - Remove Schedule from User based Bandwidth policy screen elements .......................................98
Screen - Delete Bandwidth policy ...........................................................................................................................98
Table - Delete Bandwidth policy screen elements..............................................................................................98
Screen - Create Data transfer policy .....................................................................................................................99
Table - Create Data transfer policy screen elements ......................................................................................100
Screen - Update Data transfer policy screen.....................................................................................................101
Table - Update Data transfer policy screen elements .....................................................................................102
Screen - Delete Data transfer policy screen ......................................................................................................102
Table - Delete Data transfer policy screen element..........................................................................................102
Screen - Create NAT policy....................................................................................................................................103
Table - Create NAT policy screen elements.......................................................................................................103
Screen - Update NAT policy...................................................................................................................................104
Table - Update NAT policy screen elements .....................................................................................................104
Screen - Delete NAT policy ....................................................................................................................................104
Table - Delete NAT policy screen elements .......................................................................................................104
Screen - Edit Zone ....................................................................................................................................................105

Table - Edit Zone.......................................................................................................................................................106
Screen - Delete Zone................................................................................................................................................106
Table - Delete Zone ..................................................................................................................................................106
Table - Need to Update group ................................................................................................................................108
Screen - Manage Group ...........................................................................................................................................109
Table - Manage Group screen elements..............................................................................................................111
Screen - Show Group Members.............................................................................................................................111
Table - Show Group Members screen elements ...............................................................................................112
Screen Add Group Member .................................................................................................................................113
Table Add Group Member screen elements....................................................................................................113
Screen - Change Login Restriction.......................................................................................................................114
Table - Change Login Restriction screen elements .........................................................................................114
Screen - Search User................................................................................................................................................115
Screen - Search User result....................................................................................................................................115
Screen Manage Live Users ..................................................................................................................................116
Table Manage Live User screen elements .......................................................................................................116
Table - Need to Update User...................................................................................................................................117
Screen - Manage User ..............................................................................................................................................118
Table - Edit User screen elements ........................................................................................................................120
Screen - Change User Personal details...............................................................................................................121
Table - Change User personal details screen elements..................................................................................121
Screen - User My Account ......................................................................................................................................121
Screen - User My Account ......................................................................................................................................122
Screen - Change Password ....................................................................................................................................122
Table - Change password screen elements .......................................................................................................122
Screen - Change Personal details.........................................................................................................................123
Table - Change Personal details screen elements ...........................................................................................123
Screen - Internet Usage Status ..............................................................................................................................123
Table - Internet Usage screen elements ..............................................................................................................124
Screen - Change Group ...........................................................................................................................................124
Table - Change Group screen elements ..............................................................................................................124
Table - Change Individual policy ...........................................................................................................................125
Screen - Delete Active User ....................................................................................................................................125
Screen - Delete Inactive User .................................................................................................................................125
Screen - Delete Clientless User .............................................................................................................................125
Table - Delete clientless User screen elements.................................................................................................126
Screen - Deactivate User .........................................................................................................................................126
Table - Deactivate User screen elements............................................................................................................126
Screen - Activate Normal User...............................................................................................................................126

Screen - Activate Clientless User..........................................................................................................................127
Table - Activate User screen elements ................................................................................................................127
Screen - Configure DNS..........................................................................................................................................128
Screen - Configure DHCP........................................................................................................................................130
Table - Configure DHCP screen elements ..........................................................................................................131
Screen - View DHCP leased IP list .......................................................................................................................132
Screen - Update DHCP configuration..................................................................................................................132
Screen - Disable DHCP service..............................................................................................................................133
Screen - Configure DHCP Relay Agent ...............................................................................................................134
Screen - Configure DHCP Relay Agent screen elements...............................................................................134
Screen - Modify DHCP Relay Agent.....................................................................................................................135
Screen - Modify DHCP Relay Agent screen elements.....................................................................................135
Screen - Manage Interface......................................................................................................................................136
Screen - Add Alias....................................................................................................................................................136
Table - Add Alias screen elements ......................................................................................................................137
Screen - Edit Alias ....................................................................................................................................................137
Table - Edit Alias screen elements.......................................................................................................................137
Screen - Delete Alias ...............................................................................................................................................137
Screen - Register Hostname with DDNS ............................................................................................................138
Table - Register hostname with DDNS................................................................................................................139
Screen - PPPoE configuration...............................................................................................................................141
Table - PPPoE configuration screen elements .................................................................................................141
Screen - Gateway Configuration...........................................................................................................................142
Table - Gateway Configuration screen elements ..............................................................................................143
Screen - DoS Settings .............................................................................................................................................145
Screen - Create DoS bypass rule .........................................................................................................................148
Table - Create DoS bypass rule screen elements ............................................................................................149
Screen - Delete DoS bypass rule..........................................................................................................................149
Table - Delete DoS bypass rule screen elements.............................................................................................149
Screen - Reset Console Password .......................................................................................................................150
Table - Reset Console Password screen elements ..........................................................................................150
Screen - Add Static ARP.........................................................................................................................................151
Screen - Manage ARP..............................................................................................................................................153
Screen - System Modules Configuration............................................................................................................154
Screen - Set Backup schedule ..............................................................................................................................155
Table - Set Backup Schedule screen elements ................................................................................................156
Screen - Backup Data ..............................................................................................................................................156
Table - Backup Data screen elements.................................................................................................................156
Screen - Restore Data screen................................................................................................................................157

Table - Restore Data screen elements .................................................................................................................157
Screen Configure Auto purge Utility screen ...................................................................................................158
Screen Purge Logs screen ..................................................................................................................................159
Table - Purge Logs screen elements....................................................................................................................159
Screen - Customized Client Messages screen .................................................................................................160
Table - Customized Client Message screen elements .....................................................................................161
Table - List of predefined messages ....................................................................................................................162
Screen - Customized Client Preferences screen..............................................................................................163
Table - Customized Client Preferences screen elements ..............................................................................164
Screen - Customize Denied message screen elements .................................................................................165
Screen - Customize Login message ....................................................................................................................167
Screen - Warning messages..................................................................................................................................168
Screen - Client Login Template.............................................................................................................................169
Screen - GUI Language Setting.............................................................................................................................170
Screen - Time settings ............................................................................................................................................171
Screen - Manage HTTP Proxy.................................................................................................................................183
Table - Manage HTTP Proxy screen elements ...................................................................................................183
Screen - Configure HTTP Proxy.............................................................................................................................184
Table - Configure HTTP Proxy screen elements ...............................................................................................185
Screen - Manage Services.......................................................................................................................................186
Table - Manage Control Service screen elements ............................................................................................186
Table - Manage Control Service Action............................................................................................................186
Screen - View Bandwidth Usage...........................................................................................................................187
Table - Bandwidth usage screen elements.........................................................................................................187
Screen - Bandwidth usage - Live Users graph ..................................................................................................188
Screen - Bandwidth usage - Total Data transfer graph ...................................................................................188
Screen - Bandwidth usage - Composite Data transfer graph ........................................................................189
Screen - Bandwidth usage - Download Data transfer graph..........................................................................189
Screen - Bandwidth usage - Upload Data transfer graph ...............................................................................190
Screen - Download User Migration Utility ...........................................................................................................192
Screen - Save User Migration Utility.....................................................................................................................192
Screen Upload downloaded User Migration Utility .......................................................................................193
Screen Upload CVS file ........................................................................................................................................194
Screen - Register migrated users from External file ........................................................................................194
Screen - Define One Time Schedule.....................................................................................................................195
Table - Define Schedule screen elements...........................................................................................................195
Screen - Add Schedule Entry details...................................................................................................................196
Table - Add Schedule Entry details screen elements .....................................................................................196
Screen - Manage Schedule .....................................................................................................................................197

Table - Manage Schedule screen elements ........................................................................................................197
Screen - Delete Schedule Entry details ..............................................................................................................198
Table - Delete Schedule Entry details screen elements ..................................................................................198
Screen - Delete Schedule ........................................................................................................................................198
Table - Delete Schedule screen elements...........................................................................................................198
Screen - Define Custom Service............................................................................................................................199
Table - Define Custom Service screen elements .............................................................................................199
Screen - Update Custom Service ..........................................................................................................................200
Table - Update Custom Service screen elements .............................................................................................200
Screen - Delete Custom Service............................................................................................................................201
Table - Delete Custom Service screen elements...............................................................................................201
Screen - Create Service Group screen................................................................................................................202
Table - Create Service Group screen elements ................................................................................................202
Screen - Edit Service Group ..................................................................................................................................203
Table - Edit Service Group screen elements.....................................................................................................203
Screen - Delete Service Group..............................................................................................................................204
Table - Delete Service Group.................................................................................................................................204
Screen - Search URL................................................................................................................................................206
Screen - Manage Default Web Category..............................................................................................................207
Screen - Create Custom Web Category ...............................................................................................................208
Table - Create Web Category screen elements .................................................................................................209
Screen - Add Domain................................................................................................................................................209
Table - Add Domain screen elements ..................................................................................................................209
Screen - Add keyword ..............................................................................................................................................210
Table - Add keyword screen elements.................................................................................................................210
Screen - Manage Custom Web category .............................................................................................................211
Table - Update Custom Web category screen elements .................................................................................212
Screen Delete Domain ..........................................................................................................................................212
Table Delete Domain screen elements .............................................................................................................212
Screen - Delete keyword..........................................................................................................................................212
Table - Delete keywords screen elements ..........................................................................................................213
Screen - Delete Custom Web Category ...............................................................................................................213
Table - Delete Custom Web Category screen elements ..................................................................................213
Screen - View Custom File Type Category ........................................................................................................214
Screen - Create Custom File Type Category ......................................................................................................215
Table - Create Custom File Type screen elements ...........................................................................................215
Screen - Manage Custom File Type Category....................................................................................................215
Screen - Manage Custom File Type Category....................................................................................................216
Screen - Delete Custom File Type Category.......................................................................................................216

Table - Delete Custom File Type screen elements ...........................................................................................216
Screen - Manage Default Application Protocol Category ...............................................................................217
Screen - Create Custom Application Protocol Category ................................................................................218
Table - Create Custom Application Category screen elements ...................................................................218
Screen - Add Custom Application Protocol Category details.......................................................................219
Table - Add Custom Application Protocol Category details .........................................................................219
Screen - Manage Custom Application Protocol Category .............................................................................219
Table - Manage Custom Application Protocol Category screen elements................................................220
Screen - Delete Application Protocol Category details ..................................................................................220
Table - Delete Application Protocol Category screen elements...................................................................220
Screen - Delete Custom Application Protocol Category.................................................................................221
Table - Delete Custom Application Protocol Category screen elements....................................................221
Screen Access Configuration .............................................................................................................................223
Table Access Configuration screen elements................................................................................................223
Screen Syslog Configuration..............................................................................................................................225
Screen About Cyberoam ......................................................................................................................................230
Screen - Upload Upgrade version .........................................................................................................................233
Screen Download Clients.....................................................................................................................................234
Screen Reports Login ...........................................................................................................................................235
Screen Audit Log report .......................................................................................................................................236
Screen Sample Audit Log Report ......................................................................................................................237


Change Log

Revision   Topic                                        Description

1.0                                                     Initial Release with the following changes in the previous version guide (v 960)
           Internet Access Policy                       Added Download file size limit
           Spoof Prevention - MAC & IP-MAC filtering    Updated description
