Professional Documents
Culture Documents
Cyberoam Release Notes V 10 CR15wi, CR15i & CR25i
Cyberoam Release Notes V 10 CR15wi, CR15i & CR25i
Release Dates
Version 10.00 Build 232 – 23rd April, 2010 (CR15i appliances)
Version 10.00 Build 231 – 20th April, 2010 (CR15wi appliances)
Version 10.00 Build 230 – 17th April, 2010 (CR25i appliances)
Release Information
Release Type: General Availability
Compatible versions: 9.6.0.78 – CR25i
9.5.8.68 – CR15i
CR15wi models will be shipped with this version only.
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: Cyberoam Appliance models – CR15wi, CR15i and CR25i
Upgrade procedure
1. Go to Web Admin Console and take backup of v 9.6.x.x from System > Manage Data >
Backup Data. For real-time conversion of v9 backup to v10 compatible backup, browse
to data migration site (http://v9migration.cyberoam.com) and upload v9 backup file.
Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip step 1.
2. Download Appliance model-specific firmware from http://customer.cyberoam.com.
3. Upload the firmware (downloaded in step 2) from Web Admin console (menu Help >
Upload Upgrade).
4. Once the file is uploaded successfully, log on to CLI console and go to the menu
“Option 6 Upgrade Version” and follow the on-screen instructions to upgrade.
5. Appliance will be uploaded with factory default firmware i.e. appliance will come up with
the factory default setting.
Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip rest of the steps. After this step, your appliance is ready for use.
6. Restore the v10 compatible backup from Web Admin console (menu System >
Maintenance > Backup & Restore)
7. To view the version 9.x reports, browse to http://<Cyberoam IP>/reports and to view
reports generated after version upgrade go to Logs & Reports > View Reports. This
option will not be available for CR15i models.
8. To view the version 9.x quarantined mails go to Antivirus > Quarantine > V 9 Quarantine
while to view the mails quarantined after version upgrade go to Antivirus > Quarantine >
Quarantine. This option will not be available for CR15i models.
Compatibility issues
Appliance model-specific firmware and hence firmware of one model will not be applicable
on another model. Upgrade will not be successful and you will receive error if you are trying
to upgrade Appliance model CR100i with firmware for model CR500i.
Contents
Introduction
This document contains the release notes for Cyberoam version 10.00. The following
sections describe the release in detail.
This will be a key release with architectural changes, new features and enhancements that
improves quality, reliability, and performance.
Apart from the access point, by integrating with firewall, CR15wi delivers comprehensive
protection to small, remote and branch office users from threats like malware, virus, spam,
phishing, and pharming attacks.
CR15wi models, by default include one wireless interface called WLAN1. When deployed in
gateway mode it can support up to seven additional wireless interfaces while in bridge mode
no additional wireless interface can be added. Wireless interface can also act as a DHCP
server or relay for its clients.
Configuration
1. Configure Wireless LAN General Settings from Settings page. These general
configurations are common to all the access points including the default WLAN1.
2. Please note that as Wireless Interface is member of LAN zone all the firewall rules
applicable to LAN zone will be applicable to the traffic for this interface also. Appliance
Access set for the LAN will be applicable to this interface also.
With Cyberoam, Administrator can now archive all the email, emails of a specific recipient or
a group of recipients coming into the organization. This will help in preventing data leakage.
Document version –3.0-23/04/2010
Cyberoam Release Notes
Cyberoam can archive all emails intended for a single or multiple recipients and can be
forwarded to the single administrator or multiple administrators.
Configuration
1. Configure Email Archiving rule for a single mail recipient or all the recipients and the
email address at which all the mails are to be forwarded for archiving.
The DHCP event log contains events that are associated with activities of the DHCP service
and DHCP server, such as DHCP leases, renewal and expiry.
As DHCP logs are included in System logs they can be viewed from System logs under Log
Viewer page of Web Admin console.
4. Firmware-based Upgrades
All the upgrades after this version will now be firmware based i.e. version can be upgraded
directly to the latest version. Firmware will be Appliance-specific and hence firmware of one
model will not be applicable on another model.
For example, if the latest released version is 10.1.0.16 and current version in your Appliance
is 10.0.0.2 then with this upgrade you will be able to directly upgrade to the latest version
10.1.0.16 instead of upgrading each intermediate version individually.
There will be support of multiple firmware residing on the appliance, so the Administrator will
be able to switch between the firmware if needed. Apart from that, upgrade and downgrade
will now also be more stable and robust as entire Operating system is converted into
bootable firmware (Starting from boot up sequence / BIOS).
5. GUI Revamp
To improvise usability, a good portion of Web UI has been re-organized. This will also
provide a more user-friendly approach to layout, menu and screens. New GUI will be based
on Web 2.0 concept and components.
6. GUI Themes
Cyberoam now provides Themes page to quickly switch between predefined themes. Each
theme comes with its own custom skin, which provides the color scheme and font style for
entire GUI i.e. navigation frame, tabs and buttons.
You can choose from 2 themes – Cyberoam Standard and Cyberoam Classic.
Configuration
The default “Cyberoam Standard” theme can be changed from Options under System menu
from Web Admin Console.
The profile separates Cyberoam features into access control categories for which you can
enable none, read only, or read-write access.
Configuration
1. Custom profiles can be created and managed from the Profile page of Administration
menu
2. Assign profile (created in step 1) to user from the User page of Identity menu
User level authentication can now be performed using local user database, RADIUS, LDAP,
Active Directory or any combination of these.
Combination of external and local authentication is useful in the large networks where it is
required to provide guest user accounts for temporary access while a different
authentication mechanism like RADIUS for VPN and SSL VPN users provides better
security as password is not exchanged over the wire.
In case of multiple servers, administrator can designate the primary and optionally the
secondary server. If primary server cannot authenticate the user then only secondary server
will try to authenticate. If secondary server cannot authenticate the user then Cyberoam
refuses the access.
Configuration
3. Configure authentication server i.e. RADIUS, LDAP or Active Directory
4. Integrate external authentication server with Cyberoam and configure primary and
secondary authentication method for Firewall, VPN and SSL VPN traffic from
Authentication page of Identity menu from Web Admin console.
Solution can be implemented for all the user types – HTTP, Single Sign On (SSO) and
Clientless SSO (CTAS).
Configuration
5. Download Client from http://download.cyberoam.com/beta/catc and install on Microsoft
Terminal Server (Microsoft TSE) or Citrix Presentation Server
6. Configure Cyberoam for communication between the two from CLI using the command:
cyberoam auth thin-client add citrix-ip <ip address of citrix server>
Configuration
1. Add IM contacts or IM Group for whom rules are to be created
2. Define Conversation rule to allow or deny 1-to-1 or group Chat conversation between IM
contacts added in step 1
3. Define File transfer rule to allow or deny file transfers between IM contacts added in
step 1
4. Define Webcam rule to allow or deny the usage of Web camera between IM contacts
added in step 1
5. Define Login rules to allow specific Yahoo/MSN contacts to login to their servers. By
default, access to Yahoo and MSN chat is denied to all the contacts.
6. Define content filtering rules
Limitations
1. File transfer and web camera usage not supported for Windows Live Messenger v 2009
2. No support for File transfer logging
3. No file archive support
4. Yahoo traffic will be scanned only if HTTP scanning is enabled.
IPv6 is version 6 of the Internet Protocol. It is an Internet Layer protocol for packet-switched
internetworks. It has a larger address space than standard IPv4 hence can provide billions
more unique IP addresses than IPv4. This results from the use of a 128-bit address,
whereas IPv4 uses only 32 bits. The internet is currently in transition from IPv4 to IPv6
addressing.
For example
0:0:0:0:0:0:127.32.67.15
0:0:0:0:0:FFFF:127.32.67.15
::127.32.67.15
::FFFF:127.32.67.15
Configuration
To Implement IPv6, one simply needs to assign IPv6 IP addresses to an Interfaces
using CLI command as
cyberoam ipv6 interface Port <port number> <ip address>
E.g. cyberoam ipv6 interface PortB address add 3ffe:501:ffff:101:290:fbff:fe18:5968/64
Additional commands
1. Create Prefix list for the Interface
cyberoam ipv6 interface Port <port number> prefix add <ip address>
e.g.
cyberoam ipv6 interface PortC prefix add 3ffe:501:ffff:101::/64
Add Router
cyberoam ipv6 route add <ip address>
The feature comprises of an SSL daemon running on the Cyberoam appliance and AAM
Client running at the Client side to establish a secure tunnel. AAM Client is a Java Applet
Thin client which requires JRE 1.4.2.
Application access allows remote access to different TCP based applications like HTTP,
HTTPS, RDP, TELNET e.g. telnet.exe, SSH e.g. putty, secureCRTand FTP (Passive mode)
without installing client.
For administrators, Cyberoam Web Admin console provides SSL VPN management.
Administrator can configure SSL VPN users, access method and policies, user bookmarks
for network resources, and system and portal settings.
It works with wireless access points from any vendor to provide security and hence achieve
broadband connectivity via high-speed wireless networks where wired-broadband
connections are not available.
Wireless WAN support requires a contract with a wireless service provider. Check Appendix
A for supported wireless service providers.
Configuration
1. Pre-requisite – Cyberoam deployed in gateway mode
2. Enable WWAN from CLI with command: cyberoam wwan enable
3. Re-login to Web Admin console
4. Configure WWAN Interface settings from Network > Wireless WAN > Settings page
5. Once the connection is established, system host - #WWAN1 and WWAN1 Interface will
be automatically added with the IP address 0.0.0.0 and
6. As WWAN1 Interface will be the member of WAN zone, all the firewall rules configured
for the WAN zone will be applicable to WWAN1 Interface.
7. Additional firewall rules can be configured for host - #WWAN1
It provides network administrators with the information they need to enable the best
protection and security for their networks against attacks and vulnerabilities.
Cyberoam Administrator can also choose to restrict visibility of logs and reports to an
administrator who manages Cyberaom-iView through Role base Access Control. For
example, create a profile with read-write access for Log & Reports pages and assign to an
Administrator who is required to manage reports through Cyberoam-iView. This feature can
be very useful in an MSSP scenario.
Cyberoam-iView can be accessed by clicking “Reports” on the topmost button bar on each
page or from View Reports page under Logs & Reports menu.
Administrator has to login to Cyberoam-iView with the default username & password for
Cyberoam-iView – admin, admin and not with the Cyberoam username and password.
In case of multiple servers, administrator can designate primary and optionally the
secondary server. If primary server cannot authenticate the user then only secondary server
will try to authenticate. If secondary server also cannot authenticate the user then Cyberoam
refuses the access.
While simplistic packet-based attacks can be more easily mitigated upstream, with an
HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP
requests as these HTTP-GET requests have legitimate formats and are sent through normal
TCP connections. Hence, Intrusion Detection Systems also cannot detect them.
To detect such attacks, Cyberoam identifies such attacks based on rate of HTTP requests
per source IP or number of HTTP requests per TCP connection. Number of requests higher
than the configured rate is considered as attack and the traffic is from the said source is
dropped. One can either configure allowed number of connections or for granular controls
can configure allowed number of requests per Method – GET and PUT.
Configuration
From CLI, set number of connections and HTTP method with the commands:
set http_proxy dos add connection <number of connections>
set http_proxy dos add method <GET | POST> <number of requests>
traffic on the standard ports. However, many applications scan for open ports for malicious
purposes. For example, worms and trojans often use non-standard HTTP port to pass
remoet commands and fetch data from remote sites. For phishing attempts, fraudulent
websites hosted on non-standard HTTP ports to lure customers to submit and disclose their
personal information.
To protect from such attacks, Cyberoam now provides option to enable inspection of HTTP,
HTTPS, FTP, SMTP, POP, IMAP, IM – MSN and Yahoo traffic on non-standard port also.
Configuration
From CLI, use the command
set service-param <service> <add | delete> <port number>
TCP MD5 Signature is used to secure the BGP session and protect against the introduction
of spoofed TCP segments into the connection stream and connection resets.
MD5 checksum added to every packet of a TCP session makes it difficult for the attacker as
to hijack the session MD5 key as well as TCP sequence number is needed.
Configuration
From CLI console, go to menu Option 3. Route Configuration > 1. Configuration Unicast
Routing > 3. Configure BGP
At the prompt, using the following command to enable MD5 support:
enable
configure terminal
router bgp <AS number>
network <network>
neighbor <neighbor address> remote remote-as <AS no of neighbor BGP router>
neighbor <neighbor address> password < MD5 Key >
applications and network protocols. Rather than controlling access through IPS signatures,
Cyberoam has added 100+ categories to mitigate the risk from unauthorized applications
and reduce bandwidth cost by controlling access to these applications.
One can control access of hundreds of Applications that grouped as per the usage e.g.
Instant Messengers like Yahoo Messenger, QQ Messenger , Gtalk, Webmail Chat Attempt
etc. are grouped under IM category.
Cyberoam groups hundreds of web sites into default categories and allows to add custom
category as per the network requirement to prevent the access to malicious sites, protect
your network from malware, worms, spyware, trojans etc.
Cyberoam also allows allocating bandwidth based on the Web category apart from
allocating and prioritizing bandwidth based on users. It will not only improve the network
productivity by limiting the bandwidth used by the recreational applications but also
guarantee the performance of the critical business application.
In case multiple external authentication servers are configured and both the servers go
down, Administrator will not be able to access Web Admin console with default admin
“cyberoam”. In such situation, administrator can login with credentials admin/admin.
By default, it is disabled.
Enable and disable event will be logged in Admin Logs.
Feature removed
1. CLI option “Remove Firewall Rules” (for CR15wi, CR 15i, CR25i models
only)
General Information
Technical Assistance
If you have problems with your system, contact customer support using one of the following
methods:
Email id: support@cyberoam.com
Telephonic support (Toll free)
• APAC/EMEA: +1-877-777- 0368
• Europe: +44-808-120-3958
• India: 1-800-301-00013
• USA: +1-877-777- 0368
Please have the following information available prior to contacting support. This helps to
ensure that our support staff can best assist you in resolving problems:
• Description of the problem, including the situation where the problem occurs and its
impact on your operation
• Product version, including any patches and other software that might be affecting the
problem
• Detailed steps on the methods you have used to reproduce the problem
• Any error logs or dumps
Change Log
Important Notice
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice to make changes in product design or specifications. Information is subject to change without
notice.
USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User license agreement.
Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be
bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the
unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on
which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the
Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS.
This limited warranty extends only to the customer as the original licenses. Customers exclusive remedy and the entire
liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center’s option, repair,
replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the
customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate
the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are
powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by
Kaspersky Labs and Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all
known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace
the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is
substantially equivalent (or superior) in all material respects to the defective Hardware.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of
the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above
stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 1999-2010 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com