IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but it is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice, to make changes in product design or specifications. Information is subject to change without
notice.
USERS LICENSE
The Appliance described in this document is furnished under the terms of Elitecore's End User License Agreement.
Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to
be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly
return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media
on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2)
the Software substantially conforms to its published specifications. Except for the foregoing, the software is provided
AS IS. This limited warranty extends only to the customer as the original licensee. Customer's exclusive remedy and
the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore's or its service center's option,
repair, replacement, or refund of the software if reported (or, upon request, returned) to the party supplying the
software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will
be able to operate the software without problems or interruptions. Elitecore hereby declares that the anti virus and
anti spam modules are powered by Kaspersky Labs and Commtouch respectively and the performance thereof is
under warranty provided by Kaspersky Labs and by Commtouch. It is specified that Kaspersky Lab does not warrant
that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in
a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion,
replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably
determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of
the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the
above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com
Cyberoam User Guide
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com
Typographic Conventions
Report: shaded font typefaces
Name of a particular parameter / field / command button text: lowercase italic type. Example: Enter policy name, replace policy name with the specific name of a policy; or Click Name to select, where Name denotes the command button text which is to be clicked.
Cross references: hyperlink in different color. Example: refer to Customizing User database; clicking on the link will open the particular topic.
Preface
Welcome to Cyberoam's User Guide.
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security
needs of corporates, government organizations, and educational institutions.
Cyberoam's perfect blend of best-of-breed solutions includes User based Firewall, Content filtering, Anti
Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN.
Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the
external world and still have firewall protection.
Cyberoam recommends changing the default password immediately after installation to avoid unauthorized
access.
Guide Organization
This Guide provides information regarding the administration, maintenance, and customization of
Cyberoam and helps you manage and customize Cyberoam to meet your organization's various
requirements, including creating groups and users and assigning policies to control internet access.
For help on a specific menu or screen function, use the Menu wise Screen and Table Index.
Part II Management
It describes how to define groups and users to meet the specific requirements of your Organization. It
also describes how to manage and customize Cyberoam.
Customize Services, Schedules and Categories. Describes how to create and manage Categories,
Schedules and Services and Cyberoam upgrade process.
Cyberoam Basics
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security
needs of corporate, government organizations, and educational institutions.
Cyberoam's perfect blend of best-of-breed solutions includes Identity based Firewall, Content filtering,
Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN.
Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the
external world and still have firewall protection.
It also provides assistance in improving Bandwidth management, increasing Employee productivity and
reducing legal liability associated with undesirable Internet content access.
Benefits of Cyberoam
1. Boost Employee productivity by
a. Blocking access to the sites like Gaming, Shopping, news, Pornography
2. Conserve bandwidth by
a. Controlling access to non-productive site access during working hours
b. Controlling rate of uploading & downloading of data
3. Load balancing over multiple links
a. Improved User response time
b. Failover solution
c. Continuous availability of Internet
d. Reduced bandwidth bottlenecks
4. Enforce acceptable Internet usage policies
5. Comprehensive, easy-to-use reporting tool enabling the IT managers to compile reports on Internet
and other resources usage and consumption patterns
Accessing Cyberoam
Two ways to access Cyberoam:
1. Web Admin Console
General Administration using Web Admin Console
The following configurations can be performed only from the Web Admin Console:
DNS and DHCP
firewall rules
content filtering categories and policies
user authentication method and integration with external authentication servers
access control
antivirus and anti spam filtering policies
VPN connection policies
multiple gateways
user and user groups
bandwidth and internet access policy
IPS policies and signature
In addition, the Dashboard and reports, including traffic discovery and bandwidth usage graphs, can be viewed
only from the Web Admin Console.
2. CLI Console
Use the command telnet <Cyberoam IP address> to start the TELNET utility from the command prompt and log on
with the default password admin.
Start an SSH client and create a new connection with the following parameters:
Hostname - <Cyberoam server IP Address>
Username - admin
Password - admin
Log on & log off from the Cyberoam Web Admin Console
The log on procedure verifies the validity of the user and creates a session until the user logs off.
Log on procedure
To get the login window, open the browser and type the IP address in the browser's URL box. A dialog box
appears prompting you to enter a username and password to log on. Use the default user name
cyberoam and password cyber if you are logging in for the first time after installation.
HTTP log in
To open the unencrypted login page, in the browser's Address box, type
http://<IP address of Cyberoam>
The secure Hypertext Transfer Protocol (HTTPS) is a communication protocol designed to transfer
encrypted information between computers over the World Wide Web. HTTPS is HTTP using a Secure
Socket Layer (SSL). A secure socket layer is an encryption protocol invoked on a Web server that uses
HTTPS.
HTTPS protocol opens a secure hypertext transfer session with the specified site address.
If you are logging on for the first time after installation, please use the default username cyberoam.
Password - Specify the user account password. If you are logging on for the first time after installation, please use the default password cyber.
Log on to - To administer Cyberoam, select Web Admin Console.
Login button - Logs on to the Web Admin Console. Click Login.
Table - Login screen elements
Screen Components
Cyberoam displays the Dashboard as soon as you log on to the Web Admin Console. The Dashboard provides a
quick overview of all the important parameters of the Cyberoam appliance.
Navigation menu
The navigation menu on the leftmost side provides access to various configuration pages. The menu consists of
sub-menus and tabs. On clicking a menu item, its submenu is displayed. On clicking a submenu item, the
associated tabs are displayed. To view the page associated with a tab, click the required tab.
Button bar
The button bar on the upper rightmost corner provides access to several features like:
Dashboard
Console - It provides immediate access to the CLI by initiating a telnet connection with the CLI
without closing the Web Admin console. It avoids toggling between consoles, especially when
the management service is to be restarted (RMS).
Support - Opens a customer login page for creating a Technical Support Ticket. It is fast, easy
and puts your case right into the Technical Support queue.
Wizard - The Network Configuration wizard will guide you step-by-step through configuration of the
network parameters like IP address, subnet mask and default gateway for Cyberoam.
Online help
Logout - Use button to log out from the Web Admin Console.
User group User is the user who accesses the resources through Cyberoam.
Clientless group
Clientless User group User who can bypass Cyberoam Client login to access resources. Cyberoam itself
takes care of login of this level user.
PART
Getting Started
Once you have configured network, you can start using Cyberoam.
1. Start monitoring
Once you have installed Cyberoam successfully, you can monitor user activity in your Network.
Depending on the Internet Access policy configured at the time of installation, certain categories will be
blocked or allowed for LAN to WAN traffic with or without authentication.
To view Reports, log on to Reports from the Web Admin Console using the following URL: http://<Internal IP
Address> and log on with the default username cyberoam and password cyber.
View your organization's surfing pattern from the Web Surfing → Organization wise report
View your organization's general surfing trends from the Trends → Web Trends report
View your organization's Category wise surfing trends from the Trends → Category Trends report
Detect your network traffic, i.e. applications and protocols accessed by your users.
To view the traffic pattern of your network, log on to the Cyberoam Web Admin Console using the following URL:
http://<Internal IP Address> and log on with the default username cyberoam and password cyber.
View the amount of network traffic generated by various applications from Traffic Discovery → Live
Connections → Application wise
As Cyberoam monitors and logs user activity based on IP address, all the reports generated are also IP
address based. To monitor and log user activities based on User names, you have to configure
Cyberoam for integrating user information and authentication process.
Integration will identify access request based on User names and generate reports based on Usernames.
If your network uses Active Directory Services, configure Cyberoam to communicate with your ADS. Refer to
Integrate Cyberoam with Active Directory for more details.
If your network uses LDAP, configure Cyberoam to communicate with your LDAP. Refer to Integrate
Cyberoam with LDAP for more details.
If your network uses a Windows NT Domain Controller, configure Cyberoam to communicate with the
Windows Domain Controller.
If your network uses RADIUS, configure Cyberoam to communicate with RADIUS. Refer to Integrate
5. Customize
Cyberoam creates default firewall rules based on the Internet Access configuration done at the time of
installation.
You can create additional firewall rules and other policies to meet your organization's requirements.
Dashboard
Cyberoam displays the Dashboard as soon as you log on to the Web Admin Console.
The Dashboard provides a quick overview of all the important parameters of the Cyberoam appliance
that require special attention, such as password, access to critical security services, system resources
usage, IPS alerts, and notifications of subscription expirations.
The Dashboard page is completely customizable. Minimize or reposition each section (System Information,
License Information, Gateway status information, Usage summary etc.) by dragging and dropping. Each
section has an icon associated with it for easy recognition when minimized. Optionally click Reset to
restore the default dashboard setting.
The customizable Dashboard allows you to place the sections that are pertinent to the user and require special
attention for managing Cyberoam at the top, and to move the information used less often to the bottom.
The Recent Spyware Alerts doclet on the Dashboard provides a level of visibility into
spyware infected hosts to help stop the further propagation of spyware outside your network.
Apart from preventing spyware from entering and infecting your network, Cyberoam can now also
detect any unwanted applications and spyware infected hosts that are already in the network, i.e.
hosts infected before Cyberoam was deployed, and provides an alert on the Dashboard.
Note
Screen - Dashboard
PART
Management
Setting up Zones
A Zone is a logical grouping of ports/physical interfaces and/or virtual subinterfaces, if defined.
Zones provide a flexible layer of security for the firewall. With zone-based security, the administrator
can group similar ports and apply the same policies to them, instead of having to write the same policy
for each interface.
LAN - Depending on the appliance in use and on your network design, Cyberoam allows grouping one to
six physical ports in this zone. Group multiple interfaces with different network subnets to manage them
as a single entity. Group all the LAN networks under this zone.
By default, the traffic to and from this zone is blocked, and hence it is the highest secured zone. However,
Cyberoam allows traffic between the ports belonging to the same zone.
DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers. Depending on the
appliance in use and on your network design, Cyberoam allows grouping one to five physical ports in this
zone.
WAN - Zone used for Internet services. It can also be referred to as the Internet zone.
Local - The entire set of physical ports available on the Cyberoam appliance, including their configured
aliases, is grouped in the LOCAL zone. In other words, IP addresses assigned to all the ports fall under the
LOCAL zone.
VPN - This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have
any assigned physical port/interface. Whenever a VPN connection is established, the port/interface used
by the connection is automatically added to this zone, and on disconnection, the port is automatically
removed from the zone. Like all other default zones, scanning and access policies can be applied on the
traffic for this zone.
Cyberoam provides a single zone of each type. These are called System Zones. The administrator can add
LAN and DMZ zone types.
By default, all traffic except LAN to Local zone services like Administration, Authentication and
Network is blocked.
Create Zone
Select System → Zone → Create to open the create page
LAN - Depending on the appliance in use and network design, one can group
one to six physical ports in this zone. Group multiple interfaces with different
network subnets to manage them as a single entity. Group all the LAN
networks under this zone.
By default, the traffic to and from this zone is blocked, and hence it is the highest
secured zone. However, same zone traffic is allowed.
DMZ (DeMilitarized Zone) - Zone normally used for publicly accessible servers.
Depending on the appliance in use and network design, one can group one
to five physical ports in this zone.
WAN - Zone for the Internet services. Only one WAN zone is allowed, hence
additional WAN zones cannot be created.
VPN - Zone for simplifying secure and remote connectivity. Not assigned to
any physical port/interface, but whenever a VPN connection is established, the
port/interface used by the connection is automatically added to this zone, and
on disconnection, the port is automatically removed from the zone.
When deployed as a bridge, creation of multiple LAN zones is not possible.
Select Port - Click the port to be included from the Available Port(s) list and click to
move it to the Member Port(s) list. The selected port will be a member of the
zone. Virtual Interfaces will also be available for selection if defined.
Description - Specify zone description
Create button - Saves the configuration and creates the zone
Table - Create Zone
Setting up Users
Define Authentication
Cyberoam provides policy-based filtering that allows defining individual filtering plans for various users of
your organization. You can assign individual policies to users (identified by IP address), or a single policy
to a number of users (Group).
Cyberoam detects users as they log on to Windows domains in your network via client machines.
Cyberoam can be configured to allow or disallow users based on username and password. In order to
use User Authentication, you must select at least one database against which Cyberoam should
authenticate users.
To filter Internet requests based on policies assigned, Cyberoam must be able to identify a user making a
request.
When the user attempts to access, Cyberoam requests a user name and password and authenticates the
user's credentials before giving access. User level authentication can be performed using the local user
database on the Cyberoam, an External ADS server, RADIUS server, LDAP or Windows NT Domain
Controller.
For external authentication, integrate Cyberoam with ADS, LDAP or Windows NT Domain Controller.
If your network uses an Active Directory service, configure Cyberoam to communicate with ADS.
Refer to Integrate Cyberoam with Active Directory for more details.
If your network uses a Windows Domain controller, configure Cyberoam to communicate with the Domain
controller.
If your network uses LDAP, configure Cyberoam to communicate with the LDAP server. Refer to Integrate
Cyberoam with LDAP for more details.
If your network uses a RADIUS server, configure Cyberoam to communicate with the RADIUS server.
Refer to Integrate Cyberoam with RADIUS for more details.
Cyberoam can prompt for user identification if your network does not use a Windows environment.
Cyberoam Authentication
It is necessary to create users and groups in Cyberoam if it is installed in a non-PDC environment.
Before users log on to Cyberoam, the Administrator has to create all the users in Cyberoam, assign them to
a Group and configure for Cyberoam authentication. Refer to Define Group and Define User for details
on creating groups and users.
Define User
User
Users are identified by an IP address or a user name and assigned to a group. All the users in a group
inherit all the group policies. Refer to Policy Management to define new policies.
User types
Cyberoam supports three types of Users:
1. Normal
2. Clientless
3. Single Sign on
Normal - User has to log on to Cyberoam. Requires the Cyberoam client (client.exe) on the user machine, or the
user can use the HTTP Client component, and all the policy-based restrictions can be applied.
Clientless - Does not require the Cyberoam client component (client.exe) on the user machines. Symbolically
represented as User name (C)
Single Sign On - They are normal users, but if configured for Single Sign On, whenever the user logs on to
Windows, the user is automatically logged on to Cyberoam. They are part of normal users.
Symbolically represented as User name (S)
Use the decision matrix given below to decide which type of user should be created.
Add a User
Prerequisite
Group created for Normal Users only
OR
Allows unlimited concurrent logins to the user
For example,
If in Client preferences, the number of concurrent logins allowed is 5
and here you have specified 3, then this particular user will be allowed
to login from 3 machines concurrently and not from 5 machines.
Spam Digest (only if Gateway Anti-spam module is subscribed) - Spam digest is an email that contains a list of
quarantined spam messages filtered by Cyberoam and held in the user quarantine area.
If configured, Cyberoam will mail the spam digest every day to the user. One can configure digest email
frequency from the general Anti spam configuration.
Digest provides a link to User My Account from where the user can access
his quarantined messages and take the required action.
Actions
Enable - User will receive the spam digest daily and overrides Group setting
Disable - User will not receive spam digest and overrides Group setting
This will prevent anyone from impersonating someone else even if they
have changed their IP address.
MAC address list - Specify MAC addresses e.g. 01:23:45:67:89:AB
Once you enable MAC binding, the user will be able to log in through pre-specified machines only.
Available options
All Nodes - Select to allow user to login from all the nodes in the network
Group Node(s) only - Select to allow user to login only from the nodes
assigned to the group
Selected Node(s) only - Select to allow user to login from the specified
nodes only. Specify IP address and click Add button
Click to select
Add button - Click to add user
Cancel button - Click Cancel to return to the Manage User page
Table - Add User screen elements
View Group details table
Prerequisite
Clientless Group created
Select User → Clientless Users → Add Range to open the create user page and add multiple
clientless users in one go, with IP addresses in a continuous range.
Prerequisite
Group created
Select User → Clientless Users → Add Users to open the create user page and add a single user or
multiple clientless users with an arbitrary range of IP addresses.
Actions
Enable - User will receive the spam digest daily and overrides Group setting
Disable - User will not receive spam digest and overrides Group setting
NOTE
Duplicate Usernames cannot be created
Only bandwidth and Internet access policy can be applied to clientless users
Unlimited surfing quota and access time policy are applied automatically
Data transfer policy is not applicable
Setting up Groups
Group
A Group is a collection of users having common policies and a mechanism for assigning access to
resources to a number of users in one operation/step.
Instead of attaching individual policies to the user, create a group of policies and simply assign the
appropriate Group to the user, and the user will automatically inherit all the policies added to the group. This
simplifies user configuration.
1. Surfing Quota policy which specifies the duration of surfing time and the period of subscription
2. Access Time policy which specifies the time period during which the user will be allowed access
3. Internet Access policy which specifies the access strategy for the user and sites
4. Bandwidth policy which specifies the bandwidth usage limit of the user
5. Data Transfer policy which specifies the data transfer quota of the user
Refer to Policy Management for more details on various policies.
Group types
Two types of groups:
1. Normal
2. Clientless
Normal - A user of this group needs to log on to Cyberoam using the Cyberoam Client to access the
Internet
Clientless - A user of this group need not log on to Cyberoam using the Cyberoam Client to access the
Internet. Access control is placed on the IP address. Symbolically represented as Group name (C)
Use the decision matrix given below to decide which type of group is best suited for your network
configuration.
Prerequisite
All the policies that are to be added to the Group are created
is Normal
By default, Unlimited policy is assigned to the Clientless Group type
Only if Gateway Anti-spam module is subscribed - Spam digest is an email that contains a list of quarantined spam
messages filtered by Cyberoam and held in the user quarantine area.
Spam digest will be mailed as per the configured frequency to the user.
Configure digest email frequency from the general Anti spam
configuration.
Digest provides a link to User My Account from where the user can access his
quarantined messages and take the required action.
Actions
Enable - User will receive the spam digest daily and overrides Group
setting
Disable - User will not receive spam digest and overrides Group setting
Selected Nodes only - Enter IP address if you want to allow Group users
to login from the specified nodes only
Click to select
Create button - Click to create Group
Cancel button - Cancels the current operation and returns to the Manage Group page
Table - Create Group screen elements
Note
One can add users to the group even after the creation of group.
If multiple custom containers are created, repeat the entire process for each container.
Step 2. Select the Groups that are to be imported into Cyberoam. Use <Ctrl> + Click to select multiple groups.
All the groups (both imported and not imported groups) created in AD are displayed. A * beside the group
name indicates that the group is already imported to Cyberoam.
Step 3. Select the various policies (Surfing Quota, Access time, Bandwidth, Internet Access and Data
transfer) and the user authentication time out to be applied to the group members.
By default, Attach to all the Groups is enabled, hence Cyberoam will attach the same policies to all the
imported Groups, i.e. common policies across the imported groups.
Do not enable Attach to all the Groups for the policy if you want to specify:
different policy for all the groups
specific policy to all the groups
specific policy to a specific group
For example, if you want to specify a different Internet Access policy for different groups, do not enable
Attach to all the Groups.
Step 4. If you have disabled Attach to all the Groups, specify the policies to be applied to each group.
Step 5. The View Results page displays a success message if the groups are imported and the policies are
successfully attached; otherwise an appropriate error message is displayed. Once you close the Wizard, the
Manage Groups page will be opened. All the imported groups are appended at the end of the list.
All the imported groups are appended at the end of the list on the Manage Group page.
If a user is a member of multiple AD groups, Cyberoam will decide the user group based on the order of
the groups defined in Cyberoam. Cyberoam searches the ordered Group list from top to bottom to determine
the user group membership. The first group that matches is considered the group of the user, and that
group's policies are applied to the user.
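The first-match group resolution described above, as an added example (not Cyberoam's own code), with a report of users whose other matching groups are shadowed by a higher-placed group. The function names, group names and directory contents are hypothetical, and returning no group when nothing matches is an assumption of this sketch.

```python
from typing import Dict, List, NamedTuple, Optional, Set


class Resolution(NamedTuple):
    effective: Optional[str]   # group whose policies apply to the user
    shadowed: List[str]        # later matching groups that are ignored


def resolve_group(ordered_groups: List[str], memberships: Set[str]) -> Resolution:
    """Walk the ordered group list top to bottom; the first match wins."""
    matches = [g for g in ordered_groups if g in memberships]
    if not matches:
        # Assumption: the guide does not say what happens when no group matches.
        return Resolution(None, [])
    return Resolution(matches[0], matches[1:])


def shadowing_report(ordered_groups: List[str],
                     directory: Dict[str, Set[str]]) -> Dict[str, Resolution]:
    """Return only the users for whom more than one imported group matches.

    These are the accounts whose effective policy depends on list order and
    that deserve a review when the order of groups is changed.
    """
    report = {}
    for user, memberships in sorted(directory.items()):
        res = resolve_group(ordered_groups, memberships)
        if res.shadowed:
            report[user] = res
    return report


# Constructed sample data: order of groups as defined on the appliance,
# and AD memberships per user.
GROUP_ORDER = ["Staff", "Contractors", "Restricted"]
DIRECTORY = {
    "alice": {"Staff"},
    "bob": {"Restricted", "Staff"},   # member of two imported groups
    "carol": {"Contractors"},
    "dave": {"Guests"},               # group not imported
}

if __name__ == "__main__":
    for user, res in shadowing_report(GROUP_ORDER, DIRECTORY).items():
        print(f"{user}: effective={res.effective} shadowed={res.shadowed}")
```

With this order, bob receives the Staff policies and his Restricted membership has no effect; moving Restricted above Staff reverses that.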
Firewall
A firewall protects the network from unauthorized access and typically guards the LAN and DMZ
networks against malicious access; however, firewalls may also be configured to limit access to
harmful sites for LAN users.
The responsibility of the firewall is to grant access from the Internet to the DMZ or Service Network according to the
Rules and Policies configured. It also keeps watch on the state of each connection and denies any traffic that is
out of connection state.
Firewall rules control traffic passing through the Cyberoam. Depending on the instruction in the rule,
Cyberoam decides how to process the access request. When Cyberoam receives the request, it
checks the source address, destination address and the services and tries to match them with the firewall
rule. If Identity match is also specified, then the firewall will search in the Live Users Connections for the
Identity check. If the Identity (User) is found in the Live User Connections and all other matching criteria are fulfilled,
then the action specified in the rule will be applied. The action can be allow or deny.
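The matching sequence described above, as an added example (a simplified model, not Cyberoam's own code): source, destination and service are compared first, then the identity check against the live users table. The names Rule, Packet, Decision and evaluate, the sample rules and the addresses are hypothetical; top-to-bottom first-match ordering and the implicit deny when no rule matches are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str                  # CIDR the source address must fall in
    dst_net: str                  # CIDR the destination address must fall in
    services: frozenset           # service names, or {"ANY"}
    action: str                   # "allow" or "deny"
    check_identity: bool = False  # True: source must map to a live user


class Packet(NamedTuple):
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


class Decision(NamedTuple):
    action: str
    rule: str
    user: Optional[str]


def evaluate(rules: List[Rule], live_users: Dict[str, str], pkt: Packet) -> Decision:
    """Return the action of the first rule whose criteria all match."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    user = live_users.get(pkt.src_ip)   # None when nobody is logged on from this IP
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if src not in ip_network(rule.src_net) or dst not in ip_network(rule.dst_net):
            continue
        if "ANY" not in rule.services and pkt.service not in rule.services:
            continue
        # Identity check: the rule applies only if the source IP belongs to a
        # user currently present in the live users table.
        if rule.check_identity and user is None:
            continue
        return Decision(rule.action, rule.name, user if rule.check_identity else None)
    # Assumption: traffic that matches no rule is denied.
    return Decision("deny", "implicit-default", None)


# Constructed sample rules and live users table.
RULES = [
    Rule("lan-wan-block-ftp", "LAN", "WAN", "10.0.0.0/24", "0.0.0.0/0",
         frozenset({"FTP"}), "deny"),
    Rule("lan-wan-auth-users", "LAN", "WAN", "10.0.0.0/24", "0.0.0.0/0",
         frozenset({"HTTP", "HTTPS"}), "allow", check_identity=True),
    Rule("wan-dmz-web", "WAN", "DMZ", "0.0.0.0/0", "172.16.0.10/32",
         frozenset({"HTTP"}), "allow"),
]
LIVE_USERS = {"10.0.0.5": "alice"}

if __name__ == "__main__":
    samples = [
        Packet("LAN", "WAN", "10.0.0.5", "198.51.100.20", "HTTP"),  # logged-on user
        Packet("LAN", "WAN", "10.0.0.9", "198.51.100.20", "HTTP"),  # no live user
        Packet("LAN", "WAN", "10.0.0.5", "198.51.100.20", "FTP"),
        Packet("WAN", "DMZ", "203.0.113.7", "172.16.0.10", "HTTP"),
        Packet("WAN", "DMZ", "203.0.113.7", "172.16.0.10", "SSH"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, LIVE_USERS, pkt))
```

The second sample shows why the identity check matters: the same source network and service fall through to the implicit deny once the source IP has no entry in the live users table.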
You can also apply different protection settings to the traffic controlled by firewall:
Enable load balancing between multiple links
Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP traffic. To apply
antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and Gateway
Anti Spam modules individually. Refer to Licensing section for details.
Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for Intrusion
Prevention System module. Refer to Licensing section for details.
Enable VPN traffic scanning
Configure content filtering policies. To apply content filtering you need to subscribe for Web and
Application Filter module. Refer to Licensing section for details.
Apply bandwidth policy restriction
2. Masquerade and allow entire LAN to WAN traffic for all the users without scanning SMTP, POP3,
IMAP and HTTP traffic
1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying
following policies:
Internet Access policy User specific
Bandwidth policy User specific
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic
2. Masquerade and allow entire LAN to WAN traffic for all the users after applying following policies:
Internet Access policy Applies General Corporate Policy to block Porn, Nudity, AdultContent,
URL TranslationSites, Drugs, CrimeandSuicide, Gambling, MilitancyandExtremist,
PhishingandFraud, Violence, Weapons categories
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic
1. Masquerade and allow entire LAN to WAN traffic for all the authenticated users after applying
following policies:
Internet Access policy User specific
Bandwidth policy User specific
IPS policy General policy
Anti Virus & Anti Spam policy - Scan SMTP, POP3, IMAP and HTTP traffic
Note
Default Firewall rules can be modified as per the requirement but cannot be deleted
IPS policy will not be effective until the Intrusion Prevention System (IPS) module is subscribed.
Virus and Spam policy will not be effective until the Gateway Anti Virus and Gateway Anti-spam modules are
subscribed respectively.
If Internet Access Policy is not set through Network Configuration Wizard at the time of deployment, the entire
traffic is dropped.
On upgrading to V 9.5.8 build 03, Cyberoam also automatically creates following default rules for VPN
zone to allow VPN traffic as:
VPN to LAN and LAN to VPN
VPN to DMZ and DMZ to VPN
VPN to WAN and WAN to VPN
VPN to Custom zone and Custom zone to VPN
You can update the default VPN policies to enable virus scanning and apply IPS to the VPN traffic.
Additional firewall rules can be defined to extend or override the default rules. For example, rules can be
created that block certain types of traffic such as FTP from the LAN to the WAN, or allow certain types of
traffic from specific WAN hosts to specific LAN hosts, or restrict use of certain protocols such as Telnet to
authorized users on the LAN.
Custom rules evaluate the network traffic's source IP addresses, destination IP addresses, User and IP protocol
types, and compare the information to access rules created on the Cyberoam appliance. Custom rules
take precedence, and override the default Cyberoam firewall rules.
Prior to this version, all the Unified Threat Control policies were to be enabled individually from their
respective pages. Now one can attach the following policies to the firewall rule as per the defined
matching criteria:
Intrusion Prevention
Anti Virus
Anti Spam
Internet Access
Bandwidth Management
Routing policy i.e. define user and application based routing
Firewall rules are processed from the top down and the first matching rule is applied.
Hence, when adding multiple rules, it is necessary to put specific rules before general rules. Otherwise, a
general rule might allow a packet that a more specific rule later in the list was written to deny. When a
packet matches a rule, the packet is immediately dropped or forwarded without being tested against the rest
of the rules in the list.
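The ordering rule above, as an added example (not Cyberoam's code): a small first-match evaluator plus a check that flags rules made unreachable by an earlier, broader rule. The rule fields, rule names, the 10.10.10.0/24 LAN network and the default drop when nothing matches are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str   # source network in CIDR form
    service: str   # e.g. "FTP", "Telnet", or "any"
    action: str    # "accept" or "drop"

    def matches(self, pkt):
        """True if the packet satisfies every matching criterion of this rule."""
        return (self.src_zone == pkt["src_zone"]
                and self.dst_zone == pkt["dst_zone"]
                and ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(self.src_net)
                and self.service in ("any", pkt["service"]))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (self.src_zone == other.src_zone
                and self.dst_zone == other.dst_zone
                and ipaddress.ip_network(other.src_net).subnet_of(
                    ipaddress.ip_network(self.src_net))
                and self.service in ("any", other.service))


def evaluate(rules, pkt, default="drop"):
    """Top-down, first match wins; later rules are never consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def shadowed(rules):
    """List (rule, shadowing rule, actions_conflict) for rules that can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


# Constructed rule set based on the page's "block FTP from the LAN to the WAN" case.
ALLOW_ALL = Rule("lan-wan-any", "LAN", "WAN", "10.10.10.0/24", "any", "accept")
BLOCK_FTP = Rule("lan-wan-no-ftp", "LAN", "WAN", "10.10.10.0/24", "FTP", "drop")
BAD_ORDER = [ALLOW_ALL, BLOCK_FTP]    # general rule first: the FTP block is dead
GOOD_ORDER = [BLOCK_FTP, ALLOW_ALL]   # specific rule first

# Constructed sample packets.
FTP_PKT = {"src_zone": "LAN", "dst_zone": "WAN", "src_ip": "10.10.10.20", "service": "FTP"}
HTTP_PKT = {"src_zone": "LAN", "dst_zone": "WAN", "src_ip": "10.10.10.20", "service": "HTTP"}

if __name__ == "__main__":
    for label, rules in (("general first", BAD_ORDER), ("specific first", GOOD_ORDER)):
        print(label, "FTP ->", evaluate(rules, FTP_PKT), "shadowed:", shadowed(rules))
```

Running the shadow check after every rule insert or reorder catches a deny rule that has silently become unreachable, which is the failure the paragraph above warns about.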
Host dropdown list also displays MAC based host and dynamic hosts and host
groups which are automatically added on creation of VPN Road warrior
connections(IPSec and SSL). It will also display the default hosts created for road
warrior connection - ##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW
To configure host group based firewall rule you need to define host group. Under
Select Address dropbox, click Create Host Group to define host group from
firewall rule itself or you can also define from Firewall → Host Group → Create
Under Select Address dropbox, click Add Host to define host group from
firewall rule itself or you can also define from Firewall → Host → Add Host
Check Identity (Only if source zone is LAN/DMZ/VPN)
Check identity allows you to check whether the specified user/user group from
the selected zone is allowed the access of the selected service or not.
Click to check the user identity.
Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW
Under Select Address dropbox, click Create Host Group to define host group
from firewall rule itself or you can also define from Firewall → Host Group → Create
Under Select Address dropbox, click Add Host to define host group from firewall
rule itself or you can also define from Firewall → Host → Add Host
Service/Service group
Services represent types of Internet data transmitted via particular protocols or
applications.
Under Select Here, click Create Service Group to define service group from
firewall rule itself or you can also define from Firewall → Service → Create Service Group
Cyberoam provides several standard services and also allows creating custom
services. Under Select Here, click Create Service to define service from
firewall rule itself or you can also define from Firewall → Service → Create Service
Reject Denies access and ICMP port unreachable message will be sent to the
source
For example,
If the request is received on the LAN port using a spoofed IP address (public IP
address or the IP address not in the LAN zone network) and specific route is not
defined, Cyberoam will send a response to these hosts using default route.
Hence, response will be sent through the WAN port.
Apply NAT (Only if Action is ACCEPT)
Select the NAT policy to be applied
It allows access but after changing source IP address i.e. source IP address is
substituted by the IP address specified in the NAT policy.
You can create NAT policy from firewall rule itself or from Firewall → NAT Policy → Create
Configure antivirus protection and spam filtering for SMTP, IMAP, POP3, and HTTP policies. To
apply antivirus protection and spam filtering, you need to subscribe for Gateway Anti Virus and
Gateway Anti Spam modules individually. Refer to Licensing section for details.
Implement Intrusion Prevention System. To apply IPS policy you need to subscribe for Intrusion
Prevention System module. Refer to Licensing section for details.
Configure content filtering policies. To apply content filtering you need to subscribe for Web and
Application Filter module. Refer to Licensing section for details.
Apply bandwidth policy
Policy Settings
IPS Policy Select IPS policy for the rule.
To use IPS, you have to subscribe for the module. Refer to Licensing for more
details.
Refer to Policies, Internet Access Policy for details on creating Internet Access
policy.
Bandwidth Policy Select Bandwidth policy for the rule. Only the Firewall Rule based Bandwidth
policy can be applied.
Bandwidth policy allocates & limits the maximum bandwidth usage of the user.
Above configured bandwidth policy will be applicable, whenever the URL falling
under the Web category is accessed
Route Through Gateway (only if more than one gateway is configured)
Select routing policy
This option is not available if Cyberoam is deployed as Bridge
Refer to Multiple Gateway Implementation Guide for more details.
Backup Gateway (Only if Load Balance is not selected for Route Through Gateway)
Specify the backup gateway.
The traffic will be routed through the configured gateway in case the gateway
configured in Route Through Gateway goes down.
Virus & Spam Settings
Scan Protocol(s) Click the protocol for which the virus and spam scanning is to be enabled
To implement Anti Virus and Anti Spam scanning, you have to subscribe for the
Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for
more details.
Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide
for details.
Log Traffic
Log Traffic Click to enable traffic logging for the rule i.e. traffic permitted and denied by the
firewall rule.
Description
Description Specify full description of the rule
Save button Click to create and save the rule
Table - Create Firewall rule screen elements
Manage Firewall
Use to:
Enable/disable SMTP, POP3, IMAP, FTP and HTTP scanning
Deactivate rule
Delete rule
Change rule order
Append rule (zone to zone)
Insert rule
View selected firewall rules by zones
Select display columns
Note
From version 9.5.3.07, Cyberoam does not support DNAT policy. On upgrading to this version, Cyberoam
will preserve all the DNAT policies but will not allow you to modify them. This will not affect the functioning of Cyberoam.
Firewall rule for Virtual host will take precedence if firewall rule for DNAT policy is not deleted.
Page displays total number of configured firewall rules and number of configured firewall rules in the
selected zone if you have selected any zone using Select Zones button
Screen components
Select Zones - Click and select zones to view firewall rules of the selected zones only
Subscription icon - Indicates subscription module. To implement the functionality of the subscription
module you need to subscribe the respective module. Click to open the licensing page.
Toggle Drill Down icon - Click to view the list of rules defined for the said source and destination zone
Enable/Disable rule icon - Click to activate/deactivate the rule. If you do not want to apply the firewall
rule temporarily, disable rule instead of deleting.
Green - Active Rule
Red - De-active Rule
Edit icon - Click to edit the rule. Refer to Edit Firewall rule for more details.
Insert icon - Click to insert a new rule before the existing rule. Refer to Define Firewall Rule for more
details.
Move icon - Click to change the order of the selected rule. Refer to Change the firewall rule order for
details.
Delete icon - Click to delete the rule. Refer to Delete Firewall Rule for more details.
Update Rule
Select Firewall → Manage Firewall to view the list of rules. Click the rule to be modified.
Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW
To configure host group based firewall rule you need to define host group. Under
Select Address dropbox, click Create Host Group to define host group from firewall
rule itself or you can also define from Firewall → Host Group → Create
Under Select Address dropbox, click Add Host to define host group from firewall
rule itself or you can also define from Firewall → Host → Add Host
Check Identity (Only if source zone is LAN or DMZ or VPN)
Check identity allows you to check whether the specified user/user group from the
selected zone is allowed the access of the selected service or not.
Click Enable to check the user identity
Destination Displays destination zone and host IP address /network address to which the rule
applies.
Host dropdown list also displays dynamic hosts and host groups which are
automatically added on creation of VPN Road warrior connections (IPSec and
SSL). It will also display the default hosts created for road warrior connection -
##ALL_RW, ##ALL_IPSEC_RW, ##ALL_SSLVPN_RW
To define host group based firewall rule you need to define host group. Under
Select Address dropbox, click Create Host Group to define host group from firewall
rule itself or you can also define from Firewall → Host Group → Create
Under Select Address dropbox, click Add Host to define host group from firewall
rule itself or you can also define from Firewall → Host → Add Host
Service/Service group
Services represent types of Internet data transmitted via particular protocols or
applications.
If Virtual host is selected as Destination host, you will be able to configure services
only if the selected virtual host is not port forwarded.
Under Select Here dropbox, click Create Service Group to define service group
from firewall rule itself or you can also define from Firewall → Service → Create Service
Cyberoam provides several standard services and also allows creating custom
services. Under Select Here dropbox, click Create Service to define service
from firewall rule itself or you can also define from Firewall → Service → Create Service
You can create NAT policy from firewall rule itself or you can also define from
Firewall → NAT Policy → Create
To use IPS, you have to subscribe for the module. Refer to Licensing for more
details.
Bandwidth policy allocates & limits the maximum bandwidth usage of the user.
Category Based Bandwidth Policy
A three step configuration is required as follows:
1. Create Bandwidth policy from menu item Policies → Bandwidth Policy → Create Policy
2. Assign above created bandwidth policy to the Web category from menu
item Categories → Web Category → Manage Default. Policy can be
assigned to the default as well as custom web categories.
3. Enable Web Category based Bandwidth Policy from Firewall rule
Above configured bandwidth policy will be applicable, whenever the URL falling
under the Web category is accessed
Route Through Gateway (only if more than one gateway is configured)
Select routing policy
This option is not available if Cyberoam is deployed as Bridge
Refer to Multiple Gateway Implementation Guide for more details.
Backup Gateway (Only if Load Balance is not selected for Route Through Gateway)
Specify the backup gateway.
The traffic will be routed through the configured gateway in case the gateway
configured in Route Through Gateway goes down.
Virus & Spam Settings
Scan Protocol(s) Displays protocols for which the virus and spam scanning is to be enabled, modify
if required
To implement Anti Virus and Anti Spam scanning, you have to subscribe for the
Gateway Anti Virus and Anti Spam modules individually. Refer to Licensing for
more details.
Refer to Anti Virus Implementation Guide and Anti Spam Implementation Guide for
details.
Log Traffic Click to enable traffic logging for the rule
Description Displays full description of the rule, modify if required
Save button Click to save the rule
Table - Edit Firewall Rule
Append rule
Append Rule adds the new rule above the default rules if the zone-to-zone rule set exists; otherwise it appends
the new rule as a new zone-to-zone rule set at the end.
For example, consider the screen given below. If the new rule is for DMZ to LAN then a new rule set
DMZ - LAN is created at the end and the rule is added to it. If the new rule is for LAN to WAN then the rule will
be added above Rule ID 4, as Rule ID 3 and ID 4 are default rules.
Select Firewall → Manage Firewall Rules and click the delete icon against the rule to be deleted
Note
Host Management
Firewall rules can be created for individual hosts or host groups. By default, a number of hosts equal
to the number of ports in the appliance is already created.
Select Firewall → Host Group → Manage to view the list of groups created.
Click host group to which host is to be added. Host Group details are displayed.
Select Firewall → Host Group → Manage and click host group from which the host is to be
removed
Add Host
Manage Host
Spoofing prevention
You can configure MAC and/or IP address pair entries in the IP-MAC trusted list to improve the security of your
network. MAC address filtering makes it more difficult for a hacker to guess and use a random
MAC address or spoof a MAC address to gain access to your network, as the traffic does not even reach
your firewall.
Similarly, it is also possible to filter packets based on IP-MAC pair. This blocks hosts that try to violate
a trusted IP-MAC pair. To make the restriction more granular, one can enable restriction on the zones.
Select Firewall → Spoof Prevention → Add Trusted MAC to open the add page
Available options:
Use to:
Import IP-MAC list
Remove entry from the trusted IP-MAC list
If you already have the MAC details in a CSV file, you can upload the CSV file instead of creating the list
of MAC addresses again in Cyberoam.
Select Firewall → Spoof Prevention → Manage Trusted MAC to open the page, specify the
entire path of the CSV file or use Browse button to select the file and click Upload File
Cyberoam provides three ways to prevent spoofing using trusted IP-MAC list:
MAC filtering - Packets will be dropped if the MAC addresses are not configured in the trusted IP-MAC list.
IP-MAC filtering - Packets will be dropped if IP and MAC address do not match with any entry in the
trusted IP-MAC list
IP spoof prevention - Packets will be dropped if matching route entry is not available
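The three checks listed above, applied per zone, as an added example (not Cyberoam's implementation). The CSV column layout, the sample addresses and the reading of "matching route entry" as "the source address falls inside a network routed via the ingress zone" are assumptions for illustration.

```python
import csv
import io
import ipaddress

# Constructed trusted list. The two-column layout (mac,ip) is an assumption for
# this example, not the appliance's documented CSV import format.
TRUSTED_CSV = """mac,ip
00:16:3e:aa:00:01,10.10.10.5
00:16:3e:aa:00:02,10.10.10.6
"""

# Constructed per-zone routes (assumption: one routed network per zone).
ZONE_ROUTES = {"LAN": ["10.10.10.0/24"], "DMZ": ["172.16.1.0/24"]}


def load_trusted(text):
    """Parse the CSV into a set of (mac, ip) pairs, MAC lower-cased."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(text)):
        pairs.add((row["mac"].strip().lower(),
                   ipaddress.ip_address(row["ip"].strip())))
    return pairs


def has_route(zone, src_ip, routes):
    """True if src_ip belongs to a network routed via the ingress zone."""
    return any(src_ip in ipaddress.ip_network(net) for net in routes.get(zone, []))


def check_packet(pkt, trusted, routes, enabled):
    """Return 'accept' or a drop reason.

    `enabled` maps a check name to the set of zones it is switched on for,
    mirroring the per-zone prevention checkboxes.
    """
    zone = pkt["zone"]
    mac = pkt["src_mac"].lower()
    src_ip = ipaddress.ip_address(pkt["src_ip"])

    # MAC filtering: the MAC must appear somewhere in the trusted list.
    if zone in enabled.get("mac_filter", ()):
        if mac not in {m for m, _ in trusted}:
            return "drop: MAC not in trusted list"
    # IP-MAC filtering: the exact (MAC, IP) pair must be a trusted entry.
    if zone in enabled.get("ip_mac_filter", ()):
        if (mac, src_ip) not in trusted:
            return "drop: IP-MAC pair not in trusted list"
    # IP spoof prevention: the source must be routable via the ingress zone.
    if zone in enabled.get("ip_spoof", ()):
        if not has_route(zone, src_ip, routes):
            return "drop: no route for source on ingress zone"
    return "accept"


TRUSTED = load_trusted(TRUSTED_CSV)
ALL_ON_LAN = {"mac_filter": {"LAN"}, "ip_mac_filter": {"LAN"}, "ip_spoof": {"LAN"}}

# Constructed sample packets, all arriving on the LAN zone.
LEGIT = {"zone": "LAN", "src_mac": "00:16:3E:AA:00:01", "src_ip": "10.10.10.5"}
UNKNOWN_MAC = {"zone": "LAN", "src_mac": "02:00:00:00:00:99", "src_ip": "10.10.10.5"}
BORROWED_IP = {"zone": "LAN", "src_mac": "00:16:3e:aa:00:01", "src_ip": "10.10.10.6"}
PUBLIC_SRC = {"zone": "LAN", "src_mac": "00:16:3e:aa:00:02", "src_ip": "203.0.113.9"}

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("unknown MAC", UNKNOWN_MAC),
                      ("borrowed IP", BORROWED_IP), ("public source", PUBLIC_SRC)):
        print(f"{name:14} {check_packet(pkt, TRUSTED, ZONE_ROUTES, ALL_ON_LAN)}")
```

The same packets are accepted when the checks are enabled only on another zone, which is why the per-zone setting needs to cover every zone where untrusted hosts can attach.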
For the granular restriction, enable prevention check for the zones
also.
For the granular restriction, enable prevention check for the zones
also. Click the checkbox for the zone(s) on which the prevention
is to be enabled.
Virtual Host
Virtual Host maps services of a public IP address to services of a host in a private network.
A Virtual host can be a single IP address or an IP address range or Cyberoam interface itself.
Cyberoam will automatically respond to the ARP request received on the WAN zone for the external IP
address of Virtual host. Default LAN to WAN (Any Host to Any Host) firewall rule will allow traffic to flow
between the virtual host and the network.
Available option:
Interface IP - Select when any of the Cyberoam Port, Alias or Virtual
LAN (VLAN) subinterface is required to be mapped to the destination
host or network.
Available option:
IP address - External IP address is mapped to the specified IP address.
IP address range - External IP address range is mapped to the specified
IP Address range
Physical Zone Select zone of the mapped IP address. For example, if mapped IP
address represents any internal server then select the zone in which
server resides physically.
Available options: LAN, WAN, DMZ, VPN and custom zone if created
Select the protocol TCP or UDP that you want the forwarded packets to
use
Specify external port number for which you want to configure port
forwarding.
Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for
the zone of the mapped IP address. For example, if virtual host is created for the LAN mapped IP zone
then LAN-to-LAN firewall rule is created for the virtual host. Firewall rule is created for the service
specified in virtual host. If port forwarding is not enabled in virtual host then firewall rule with All
Services is created. Check creation of loopback rule from Firewall → Manage Firewall.
For Cyberoam to reply to the ARP requests received on any other zones than WAN zone for External IP
address, create proxy ARP from Cyberoam Console option of Telnet Console.
Virtual_host2
External IP address - 192.168.1.15
Mapped IP address - 10.10.10.2
Port forward - External port 25
Mapped port - 25
Note
On deletion of virtual host, Proxy ARP and loopback firewall rule are deleted automatically.
Traffic Discovery
"Network security" is controlling who can do what on your network. Control is all about detecting and
resolving any activity that does not align with your organization's policies.
Traffic discovery provides a comprehensive, integrated tool to tackle all your Network issues. It performs
network traffic monitoring by aggregating the traffic passing through Cyberoam. It helps in determining
the amount of network traffic generated by an application, IP address or user.
View your network's traffic statistics, including protocol mix, top senders, top broadcasters, and error
sources. Identify and locate bandwidth hogs and isolate them from the network if necessary. Analyze
performance trends with baseline data reports.
Apart from details of the traffic pattern of live connections, Cyberoam also provides the current date's
connection history.
Application wise
Application wise Live Connections displays list of Applications running on the network currently. It also
displays which user is using the application currently and total data transferred using the application.
Click to view the connection details for the respective Application for each
connection
LAN Initiated Displays number of connections initiated by LAN IP Address for the
Application
WAN Initiated Displays number of connections initiated by WAN IP Address for the
Application
Table - Application wise Live connections screen elements
User wise
User wise Live Connections displays which user is using which Application and is consuming how much
bandwidth currently.
Click Total Connections to view the connection details for selected User.
Click Total Connections to view the connection details for selected User
and Application
Click to view connection details initiated by the User for each connection
LAN Initiated Displays number of connections initiated from LAN IP Address by the
User
WAN Initiated Displays number of connections initiated from WAN IP Address by the
User
Table - User wise Live connections screen elements
Click Total Connections to view the connection details for selected LAN
IP Address.
Click Total Connections to view the connection details for selected LAN
IP Address and Application
Click to view connection details initiated by the LAN IP Address for each
connection
LAN Initiated Displays number of connections initiated from LAN IP Address
WAN Initiated Displays total number of connections initiated from WAN IP Address
Table - LAN IP Address wise Live connection screen elements
Apart from the live connection details, details of the connections that are closed can also be viewed.
The details for all the connections that are closed during last 24 hours are shown. You can also select the
history duration.
Application wise
It displays list of Applications accessed during the selected duration and by user and/or LAN IP Address.
Click Total Connections to view the connection details for selected LAN IP
Address and Application. Refer to Connection details for selected LAN IP
Address and Application
Click to view the connection details for the respective Application for each
connection
LAN Initiated Displays number of connections initiated by LAN IP Address for the
Application
WAN Initiated Displays number of connections initiated by WAN IP Address for the
Application
Table - Today's Connection History Application screen elements
User wise
It displays the list of Users who have logged on to the network during the selected duration and the
applications they accessed.
Click Total Connections to view the connection details for selected User.
Click Total Connections to view the connection details for selected User
and Application
Click to view connection details initiated by the User for each connection
LAN Initiated Displays number of connections initiated from LAN IP Address by the
User
WAN Initiated Displays number of connections initiated from WAN IP Address by the
User
Table - Today's Connection History User wise screen elements
Click Total Connections to view the connection details for selected LAN IP
Address.
Address
Click Total Connections to view the connection details for selected LAN IP
Address and Application
Click to view Destination ports wise Connection details for selected LAN
IP Address
Data Transfer details
Upload Transfer Displays data uploaded from the LAN IP Address
Download Transfer Displays data downloaded from the LAN IP Address
Upstream Bandwidth (Kbit/sec) Displays upstream bandwidth used by LAN IP Address
Downstream Bandwidth (Kbits/sec) Displays downstream bandwidth used by the LAN IP Address
Connection Details
Total Connections Displays number of connections initiated by the LAN IP Address
Click to view connection details initiated by the LAN IP Address for each
connection
LAN Initiated Displays number of connections initiated from LAN IP Address
WAN Initiated Displays total number of connections initiated from WAN IP Address
Table - Today's Connection History LAN IP Address wise screen elements
Policy Management
Cyberoam allows controlling access to various resources with the help of Policy.
Cyberoam comes with several predefined policies. These predefined policies are immediately available
for use until configured otherwise.
Cyberoam also lets you define customized policies to define different levels of access for different users
to meet your organization's requirements.
Select Policies → Surfing Quota Policy → Create policy to open the create page
Available options
Daily - restricts surfing hours up to cycle hours defined on daily basis
Weekly - restricts surfing hours up to cycle hours defined on weekly basis
Monthly - restricts surfing hours up to cycle hours defined on monthly basis
Yearly - restricts surfing hours up to cycle hours defined on yearly basis
Non-cyclic - no restriction
Cycle hours (Only if cycle type is not Non cyclic)
Specify upper limit of surfing hours for cyclic type policies
At the end of each Cycle, cycle hours are reset to zero i.e. for Weekly Cycle
type, cycle hours will reset to zero every week even if cycle hours are
unused
Allotted Days Restricts surfing days
Click Unlimited Days if you do not want to restrict surfing days and create
Unlimited Surfing Quota policy.
Allotted Time Allotted time defines the upper limit of the total surfing time allowed i.e.
restricts total surfing time to allotted time
Click Unlimited Time if you do not want to restrict the total surfing time
Shared allotted time with group members
Specify whether the allotted time will be shared among all the group
members or not
Click to share
Policy Description Specify full description of the policy
Create button Click to create and save policy
Table - Create Surfing Quota policy screen elements
Select Policies → Surfing Quota policy → Manage policy and click Policy name to be
modified
Prerequisite
Not assigned to any User or Group
Select Policies → Surfing Quota policy → Manage policy to view list of policies
Access time policy lets you set the time interval - days and time - for Internet access with the help of
schedules. See Schedules for more details.
A time interval defines the days of the week and the times of each day when the user will be allowed
or denied Internet access.
Prerequisite
Schedule created
Select Policies → Access Time Policy → Create policy to open create policy page
Schedule
Allow - Allows the Internet access during the scheduled time interval
Disallow - Does not allow the Internet access during the scheduled time
interval
Click to select
Description Specify full description of policy
Create button Creates policy
Table - Create Access Time policy screen elements
Select Policies → Access Time policy → Manage policy and click Policy name to be modified
To modify,
Click Schedule list and select new schedule
Prerequisite
Not assigned to any User or Group
Select Policies → Access Time policy → Manage policy to view the list of policies
When defining a policy, you can deny or allow access to an entire application category, or to individual
file extensions within a category. For example, you can define a policy that blocks access to all audio files
with .mp3 extensions.
Select Policies → Internet Access Policy → Create Policy to open the create policy page
Select Blank template, if you want to create a fresh policy without any
restrictions. After creation, you can always customize the category
restrictions according to the requirement.
Policy Type (Only for Blank option in Using Template field)
Select default policy type
Available options
Allow - Allows access to all the Internet sites except the sites and files
specified in the Categories
Deny - Allows access to only those sites and files that are specified in the
Categories
Description Specify full description of policy
Certificate Based Categorization
Select the Certificate Based Categorization check box to enable filtering of
HTTPS traffic based on domain names using site X.509 certificates. If
enabled, users will not be able to bypass and access blocked sites using
URL translation or HTTP proxy websites hosted on HTTPS. In other words, if
enabled, Cyberoam will block attempts to bypass web content filtering and
sites hosted on SSLv2, SSLv3 and TLS protocols.
By default, it is enabled.
Enabling categorization from Web Admin Console will not have any effect if
it is disabled from CLI console. By default, the categorization from CLI is
enabled. Use CLI command: show secure-scanning HTTPS to confirm. For
more details, check Cyberoam Console Guide.
Reporting By default, Internet usage report is generated for all the users. However,
Cyberoam allows you to bypass reporting for certain users.
Click Off to create Bypass reporting Internet access policy. Internet usage
reports will not include access details of all the users to whom this policy will
be applied.
Click On to create policy that will include access details of all the users in
Internet usage reports to whom this policy is applied.
Download File Size Restriction
Specify the maximum allowed file download size in MB. It would not be
possible to download a file greater than the configured size.
Click to add
If Web and Application Filter subscription module is registered, all the default
categories will also be listed and can be for restriction.
Strategy Allows/Disallows access to the selected Categories during the period defined in
the schedule
Click to view
Click Close to close the window
Add button Add rule to Internet Access policy
Select Policy → Internet Access policy → Manage Policy and click policy name to be
modified
By default, it is enabled.
Enabling categorization from Web Admin Console will not have any
effect if it is disabled from CLI console. By default, the categorization
from CLI is enabled. Use CLI command: show secure-scanning HTTPS
to confirm. For more details, check Cyberoam Console Guide
Reporting By default, Internet usage report is generated for all the users. However,
Cyberoam allows you to bypass reporting for certain users.
Click Off to bypass reporting. Internet usage reports will not include
access details of all the users to whom this policy will be applied.
Click On to create policy that will include access details of all the users
in Internet usage reports to whom this policy is applied.
Download File Size Restriction
Specify the maximum allowed file download size in MB. It would not be
possible to download a file greater than the configured size.
Click to add
Note
Do not forget to update after changing the order
Prerequisite
Not assigned to any User or Group
Bandwidth policy
Bandwidth is the amount of data passing through a medium over a period of time and is measured in terms
of kilobytes per second (kbps) or kilobits per second (kbits) (1 Byte = 8 bits).
The primary objective of bandwidth policy is to manage and distribute total bandwidth on certain
parameters and user attributes. Bandwidth policy allocates & limits the maximum bandwidth usage of the
user and controls web and network traffic.
Strict
In this type of bandwidth restriction, the user cannot exceed the defined bandwidth limit. There are two ways to
implement a strict policy:
Total (Upstream + Downstream)
Individual Upstream and Individual Downstream
Committed
In this type of bandwidth restriction, user is allocated the guaranteed amount of bandwidth and user can
draw bandwidth up to the defined burstable limit, if available.
It lets you assign fixed minimum and maximum amounts of bandwidth to users. By borrowing excess
bandwidth when it is available, users are able to burst above guaranteed minimum limits, up to the
burstable rate. Guaranteed rates also assure minimum bandwidth to critical users, so that they receive
constant levels of bandwidth during peak and non-peak traffic periods.
Guaranteed represents the minimum guaranteed bandwidth and burstable represents the maximum
bandwidth that a user can use, if available.
Select Policies Bandwidth Policy Create policy to open the create policy pane
Firewall Rule policy restricts the bandwidth of any entity to which firewall rule
is applied.
Web category policy restricts the bandwidth for the URL categorized under
the Web category.
Policy Type (Only for User and Firewall rule based policy) - Bandwidth restriction is applied based on the selection.
In the Strict type of bandwidth restriction, the user cannot exceed the defined bandwidth limit.
In the Committed type of bandwidth restriction, the user is allocated the guaranteed amount of bandwidth and can draw bandwidth up to the defined burstable limit, if available.
Set the priority for SSH/Voice/Telnet traffic to the highest, as this traffic is more interactive
Total bandwidth (Only for TOTAL implementation type) - Specify maximum amount of Total bandwidth, expressed in terms of kbps. Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Upload Bandwidth (Only for INDIVIDUAL implementation type and User and Firewall rule policy) - Specify maximum amount of Upstream Bandwidth, expressed in terms of kbps. Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Download Bandwidth (Only for INDIVIDUAL implementation type and User and Firewall rule policy) - Specify maximum amount of Downstream Bandwidth, expressed in terms of kbps. Minimum bandwidth allowed is 2 kbps and maximum is 4096 kbps
Bandwidth usage (Only User and Firewall rule policy) - Specify whether the Bandwidth allocated is for particular user or shared among all the policy users
Description - Specify full description of policy
Create button - Creates policy
Cancel button - Cancels the current operation
Add Detail button - Click and configure bandwidth to override the default bandwidth restriction during the specified time.
Table - Create Bandwidth policy screen elements
Use to
Add/remove schedule based details to User/IP address based policy
Update bandwidth values
Select Policies Bandwidth policy Manage policy and click Policy name to be updated
Cannot be modified
Description - Displays description, modify if required.
Default values to be applied all the time
Implementation on - Displays implementation type of policy. Cannot be modified
Total Bandwidth (Only for TOTAL implementation type) - Displays total bandwidth assigned, modify if required
Upload Bandwidth (in KB) (Only for STRICT policy type and INDIVIDUAL implementation type) - Modify Upstream bandwidth value
Download Bandwidth (in KB) (Only for STRICT policy type and INDIVIDUAL implementation type) - Modify Downstream bandwidth value
Guaranteed Burstable Upload Bandwidth (in KB) (Only for COMMITTED policy type and INDIVIDUAL implementation type) - Modify Upstream bandwidth value
Guaranteed Burstable Download Bandwidth (in KB) (Only for COMMITTED policy type and INDIVIDUAL implementation type) - Modify Downstream bandwidth value
Policy type - Displays policy type i.e. committed or strict, which cannot be modified
Schedule - Specify Schedule
Prerequisite
Bandwidth policy not attached to any user or IP address
Select Policies Bandwidth policy Manage policy to view the list of policies
Cyberoam provides several predefined policies, which are available for use until configured otherwise.
You can also define customized policies to set different limits for different users to meet your
organization's requirements.
Select Policies Data Transfer Policy Create Policy to open the create policy page
Available options
Daily - restricts data transfer up to cycle hours defined on daily basis
Weekly - restricts data transfer up to cycle hours defined on weekly basis
Monthly - restricts data transfer up to cycle hours defined on monthly basis
Yearly - restricts data transfer up to cycle hours defined on yearly basis
Non-cyclic - data restriction is defined by the Total data transfer limit
Restriction based on - Specify whether the data transfer restriction is on total data transfer or on individual upload or download
Click Total Data Transfer to apply data transfer restriction on the Total
(Upload + Download) data transfer
Select Policies Data transfer policy Manage policy and click Policy name to be modified
(Only if Restriction is based on Total Data Transfer) It is the data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed.
Upload Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer) - Displays Upload Data transfer limit. It is the total upload data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed.
Download Data Transfer Limit (MB) (Only if Restriction is based on Individual Data Transfer) - Displays Download Data transfer limit. It is the upper download data transfer allowed to the user and if the limit is reached user will not be able to log on until the policy is renewed.
Update button - Click to save the policy changes
Cancel button - Cancels the current operation and returns to Manage Data transfer policy page
Table - Update Data transfer policy screen elements
Prerequisite
Not assigned to any User or Group
Select Policies Data transfer policy Manage policy to view list of policies
NAT Policy
NAT policy tells the firewall rule to allow access, but only after changing the source IP address, i.e. the
source IP address is substituted by the IP address specified in the NAT policy.
Select Firewall NAT policy Manage to view the list of policies. Click the policy to be modified.
Zone Management
Use to
Update Zone details
Delete Zone
Manage Zone
Select System Zone Manage to open the manage zone page
By default the traffic to and from this zone is blocked and hence the
highest secured zone.
WAN Zone for the Internet services. Only one WAN zone is allowed,
hence additional WAN zones cannot be created.
the only zone that does not have an assigned physical port/interface.
Whenever the VPN connection is established, the port/interface used by the
connection is automatically added to this zone, and on disconnection the port
is automatically removed from the zone.
Available Ports list displays the list of ports that can be included in the
selected zone.
Member Port list displays the list of ports included in the zone
Delete Zone
Prerequisite
No hosts attached to the zone
Note
Default Zones cannot be deleted
Group Management
Manage Group
Update Group to:
Order of the group
Change policies - Surfing time policy, Access time policy, Internet Access policy, Bandwidth policy
and Data transfer policy
Change the login restriction for the users of the group
Add new users to the group
Screen components
Cyberoam searches the ordered Group list from top to bottom to determine the user's group membership.
The first group that matches is treated as the user's group, and that group's policies are applied to
the user.
Update Group
You may need to change the Group settings after the Group has been created. Select Group Manage
Group and click the Group to be modified
To Click
Show Group Members Show Group Members button
Surfing quota policy, Time allotted & Expiry date changes accordingly
Time allotted (HH:mm) - Displays total surfing time allotted by Surfing Quota policy to the Group. Cannot be modified
Expiry date - Displays Expiry date of the Surfing Quota policy
Cannot be modified
Period Time (HH:mm) (Only if Surfing Quota policy is Non-Cyclic) - Displays cycle hours. Cannot be modified
Period Cycle (Only if Surfing Quota policy is Non-Cyclic) - Displays type of cycle. Cannot be modified
Used Surfing Time - Displays total time used by the Group members. Cannot be modified
Access Time policy (Only for Normal Group type) - Displays currently attached Access Time policy to the Group
To change, click Access Time policy list to select
To change, click Bandwidth policy list to select
To change, click Data Transfer policy list to select
(Only if Gateway Anti-spam module is subscribed) Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area.
If configured, Cyberoam will mail the spam digest every day to the user. The digest email frequency can be configured from the general Anti spam configuration.
Digest provides a link to User My Account from where the user can access quarantined messages and take the required action.
Actions
Enable - User will receive the spam digest daily and overrides Group setting
Disable - User will not receive spam digest and overrides Group setting
Selected Nodes only - Enter IP address if you want to allow Group users to login from the specified nodes only
Click to select
Update button - Saves the modified details. Any changes made are applicable to all the group members.
Add Members - Click to add members to the group
Select Group Manage Group and click the Group in which user is to be added. Click Add
Member(s)
Delete Group
Prerequisite
No Group members defined
Select Group Manage Group and click the delete icon against the rule to be deleted
User Management
Search User
You can search for a user by username/login name, IP address or user ID. The search covers all the
registered users, i.e. Normal and Clientless, active and de-activated users.
For fast searching, Cyberoam provides an Auto-completion feature for username and IP address,
which uses AJAX Suggest Technology to offer suggestions for the value as you key in
the input data.
IP suggestion box:
Similarly, Cyberoam will suggest IP addresses in the drop-down the moment you type the initial digits of an IP
address. For example, when you type 192.168, Cyberoam will display the list of IP addresses starting with
192.168 that can be allowed to the user for logging in.
It searches the specified name and displays user details along with the status. You can change status,
delete user, or update user details.
Live User
Use Live users page to
view list of all the currently logged on Users
modify user details
disconnect any live user
Click to change the display order
Click User name link to View/Update user details
Name - Displays User name
Manage User
Update User
Manage Normal & Single Sign on Client Users
Select User User Manage Active to view the list of Users and click User name to be modified
OR
Select User User Manage Inactive to view the list of Users and click User name to be
modified
You may need to change the User settings after the User has been created.
To Click
Change the personal details or password Edit personal details/Change Password
Cannot be modified
Edit Personal details/Change Password button - Allows to change the User's personal details and login password
Cannot be modified
Birth date - Displays Birth date of User
Cannot be modified
Number of simultaneous login(s) allowed - Displays whether simultaneous login is allowed or not, modify if required
Spam Digest (Only if Gateway Anti-spam module is subscribed) - Configure Spam Digest. Spam digest is an email that contains a list of quarantined spam messages filtered by Cyberoam and held in the user quarantine area.
Actions
Enable - User will receive the spam digest daily and overrides Group setting
Cannot be modified
User Policy Expiry Date - Displays Expiry date
Cannot be modified
Time used (HH:mm) - Displays total time used by the User in the format Hours:Minutes
Cannot be modified
Period time - Displays allowed total cycle hours
Period Cycle - Displays cycle type
Cycle Time used - Displays cycle time used
Access Time Policy - Displays currently assigned Access Time policy to the User, modify if required
Available options
All Nodes - select to allow user to login from all the nodes in the network
Click to select
Save button - Saves the modified details
Re-apply Current policy button - Reapplies all the current policies at the time of renewal
Cancel button - Cancels the current operation
Table - Edit User screen elements
User My Account gives details like Personal details and Internet usage of a particular user. User can
change his/her password using this tab.
In the task bar, double click the Cyberoam client icon and click My Account. It opens a new window
and prompts for MyAccount login Username and Password.
Opens a new window with following sub modules: Personal, Client, Account status, Logout
Personal
Allows viewing and updating password and personal details of the user
Change Password
Select Personal Change Password
Cannot be modified
Name - Displays User name, modify if required
Birth Date - Displays birth date
Cannot be modified
Update - Update the changes made
Table - Change Personal details screen elements
Account status
Allows viewing Internet usage of the user
Internet Usage
(HH:mm) policy
Expiry date - Displays Expiry date
Time used by User (HH:mm) - Displays total time used by the User
Usage Information
Upload Data transfer - Displays allotted, used and remaining upload data transfer
Report displays IP address from where user had logged in, session start and stop time, total used time,
data uploaded and downloaded during the session and total data transferred during the session.
Change Group
Delete User
User can be deleted from Active list as well as from Inactive list
To delete Clientless user, click User Clientless User Manage Clientless User
Inactivate User
A User is de-activated automatically if he/she has overused one of the resources defined by the policies
assigned to him/her. If the need arises to de-activate a user manually, select User User
Manage Active
Activate User
To activate normal and single sign on Client user, click User User Manage Inactive
To activate Clientless user, click User Clientless Users Manage Clientless Users
System Management
Configure Network
Network setting consists of Interface Configuration, DHCP Configuration and DNS Configuration.
Configure DNS
A Domain Name Server translates domain names to IP addresses and is configured at the time of
installation.
You can add IP addresses of additional DNS servers to which Cyberoam can connect for name
resolution. If multiple DNS servers are configured, they are queried in the order in which they were entered.
The list order indicates DNS preference. If more than one Domain name server exists, queries are
resolved according to the order specified. Use the Move Up & Move Down buttons to change the order of
DNS servers.
Cyberoam acts as a DHCP server: it assigns a unique IP address to a host and releases the address as
the host leaves and re-joins the network. A host can have a different IP address every time it connects to the
network. In other words, DHCP provides a mechanism for allocating IP addresses dynamically so that addresses
can be re-used.
Specify host name, MAC and IP address and click Add button to add the
MAC-IP mapping.
Default lease time is 10 minutes while maximum lease time is 120 minutes.
Conflict Detection (only if lease type is Dynamic) - Enable IP conflict detection to check the IP before leasing, i.e. if enabled, the already leased IP will not be leased again.
DNS server - Click Use Cyberoam's DNS settings or enter IP address of one or two DNS servers
WINS server - Specify IP address of one or two WINS servers
Save button - Saves details
Cancel button - Cancels the current operation and returns to the Manage DHCP server page
Table - Configure DHCP screen elements
View a list of leased IP addresses from System Configure Network Configure DHCP
server and click Show Leased IP List button
Cannot be modified
Lease Type - Available options
Static - If you always want to assign specific IP addresses to some or all clients, you can define static MAC address to IP address mappings. To define a MAC-IP mapping, you should know the MAC address of the client's network card. The MAC address is usually specified as hexadecimal digits separated by colons (e.g., 00:08:76:16:BC:21).
Specify host name, MAC and IP address and click Add button to add the MAC-IP mapping.
Dynamic - Specify the range of IP addresses from which the DHCP server must assign addresses to the clients, and the subnet mask for the IP address range. It is also possible to configure multiple IP ranges for the same interface.
Subnet Mask - Displays subnet mask for the client/network, modify if required
Domain name - Displays domain name for the specified subnet, modify if required
Gateway - Displays IP address of default Gateway or click Use Interface IP as Gateway, modify if required
Default Lease Time and Max Lease Time - DHCP client must ask the DHCP server for new settings after the specified maximum lease time. The lease time can range from 1 to 43200 seconds (30 days). Default lease time is 10 minutes while maximum lease time is 120 minutes.
Conflict Detection (only if lease type is Dynamic) - Enable IP conflict detection to check the IP before leasing, i.e. if enabled, the already leased IP will not be leased again. Modify if required
DNS server - Click Use Cyberoam's DNS settings or enter IP address of one or two DNS servers. Modify if required
WINS server - Displays configured IP address of WINS servers, modify if required
Update button - Saves details
Cancel button - Cancels the current operation and returns to the Manage DHCP server page
The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do
not support forwarding of these types of messages. The DHCP Relay Agent enables DHCP clients to
obtain IP addresses from a DHCP server on a remote subnet, or which is not located on the local subnet.
If DHCP Relay Agent is not configured, clients would only be able to obtain IP addresses from the DHCP
server which is on the same subnet.
Cyberoam can act as a Relay Agent, and the agent can be configured from System Configure
Network DHCP Relay. The page lets you configure Cyberoam's Internal Interface as a DHCP relay
agent, view the list of interfaces configured to serve as a DHCP relay agent, and delete an agent.
Cyberoam cannot act as DHCP server and DHCP Relay Agent simultaneously. Hence if Cyberoam is
configured as DHCP Relay Agent, you will not be able to configure it as a server and vice-versa.
To update the DHCP relay agent, go to System Configure Network Configure DHCP
Relay and click the Interface
Cannot be modified.
DHCP server IP - Displays DHCP server IP address. DHCP requests arriving on the above selected interface will be forwarded to this DHCP server. Modify if required.
Update button - Saves details
Cancel button - Cancels the current operation and returns to the Manage DHCP Relay page
Screen - Modify DHCP Relay Agent screen elements
Manage Interface
Select System Configure Network Manage Interface to view port wise network
(physical interface) and zone details. If virtual subinterfaces are configured for VLAN implementation,
they are also nested and displayed beneath the physical interface.
Interface - Physical interfaces/ports available on Cyberoam. If a virtual subinterface is configured for the
physical interface, it is also displayed beneath the physical interface. Virtual subinterface configuration can
be updated or deleted.
Add Alias button - Click to specify alias IP address for the interface. Refer Configure Alias IP
address for more details
Add VLAN Subinterface button - Click to add VLAN interface. Refer Define
VLAN for more details
Toggle Drill Down icon - Click to view the virtual subinterfaces defined for the said physical interface
Edit icon - Click to edit IP address and netmask of physical or virtual subinterface
Delete icon - Click to delete virtual subinterface. A virtual subinterface cannot be deleted if it is a
member of any zone or if a firewall rule is defined for it.
Zone and Zone Type - Displays port to zone relationship i.e. zone membership of port. If PPPoE is
configured, WAN port will be displayed as the PPPoE Interface.
Select System Configure Network Manage Interface to open page and click Delete
icon against the alias to be deleted
Powered by Dynamic Domain Name System (DDNS), you can now access your Cyberoam server by the
domain name, not the dynamic IP address. DDNS will tie a domain name (e.g. mycyberoam.com, or
elitecore.cyberoam.com) to your dynamic IP address.
Check IP address - Specify whether DDNS should check for server IP address update through a standard or non-standard port.
IP Update Checking Interval - Enter the time interval after which DDNS server should check and update the IP address of your server if changed.
Manage Account
Check the IP address update status from the Manage Account page. It also displays the reason in case
the update was not successful.
PPPoE
PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a
remote site using various Remote Access Service products. This protocol is typically found in the broadband
networks of service providers. The ISP may then allow you to obtain an IP address automatically or give
you a specific IP address.
PPPoE Access Concentrator is a router that acts as a server in a Point-to-Point Protocol over Ethernet
(PPPoE) session and is used to:
For Ethernet LANs, to assign IP addresses to workstations, e.g. Multi-apartment buildings, Offices, to
provide user authentication and accounting
Schools and universities, computer classes
Connections to Wireless ISPs
Connections to xDSL providers
Access Concentrators (AC) also known as PPPoE Termination units, answer the PPPoE request coming
from a client site PPPoE application for PPP negotiation and authentication.
When using Cyberoam as a PPPoE client, computers on LAN are transparent to WAN side PPPoE link.
This relieves the Administrator from having to manage the PPPoE clients on the individual computers.
Note:
A new dynamic IP address will be leased to the PPPoE Interface each time a new PPP session is
established with the Access Concentrator
IP address in Firewall rules will automatically change when the new IP address is leased
If multiple gateways are defined then IP address in the failover condition will automatically change
when the new IP address is leased
As IP address to PPPoE interface is assigned dynamically:
a) Network Configuration from Telnet Console will not display the PPPoE interface configuration
b) You will not be able to change the IP address of the PPPoE interface from Telnet Console using
Network Configuration
Select System Configure Network View Interface Details and click PPPoE Interface
Cyberoam will initiate only those sessions with Access Concentrator, which can
provide the specified service. In most of the cases, you can leave this field
blank. Use it only if you need a specific service.
LCP Interval - Specify LCP interval in seconds. Default is 20 seconds. Every 20 seconds an LCP echo request is sent to check whether the link is alive or not.
LCP echo request and reply can be disabled by setting LCP Interval and LCP Failure to zero
LCP Failure - Specify Failure. Default is 3 attempts. Cyberoam will wait for the LCP echo request response for the LCP interval defined after every attempt. Cyberoam declares PPPoE link as closed if it does not receive response after defined attempts.
Update button - Click Update to save the configuration
Table - PPPoE configuration screen elements
Manage Gateway
Gateway routes traffic between the networks and if gateway fails, communication with outside Network is
not possible. In this case, organization and its customers face significant downtime and financial loss.
By default, Cyberoam supports only one gateway. However, since organizations opt for multiple
gateways to cope with gateway failure problems, Cyberoam also provides an option for supporting
multiple gateways. However, simply adding one more gateway is not an end to the problem. Optimal
utilization of all the gateways is also necessary.
Cyberoam not only supports multiple gateways but also provides a way to utilize total bandwidth of all the
gateways optimally.
At the time of installation, you configured the IP address for a default gateway through Network
Configuration Wizard. You can change this configuration any time and configure additional gateways.
You can use Multi Link Manager to configure multiple gateways for load balancing and failover.
By default, all the gateways defined through Network Configuration Wizard are Active gateways.
If more than one link is terminating on Cyberoam and you want to configure traffic load balancing or
failover, refer to Multi link Configuration Guide. Policy based routing can be done from firewall rule.
Click to save
Cancel button - Cancels the current operation and returns to Manage Gateway page
Click to cancel
Table - Gateway Configuration screen elements
DoS Settings
Cyberoam provides several security options that cannot be defined by the firewall rules. This
includes protection from several kinds of Denial of Service attacks. These attacks disable
computers and circumvent security.
Denial of Service (DoS) attack is a method hackers use to prevent or deny legitimate users access
to a service.
DoS attacks are typically executed by sending many request packets to a targeted server (usually
Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their
goal is not to steal the information but disable or deprive a device or network so that users no
longer have access to the network services/resources.
All servers can handle traffic volume up to a maximum, beyond which they become disabled.
Hence, attackers send a very high volume of redundant traffic to a system so it cannot examine
and allow permitted network traffic. Best way to protect against the DoS attack is to identify and
block such redundant traffic.
How it works
When the burst rate is crossed, Cyberoam considers it an attack. Cyberoam provides DoS
attack protection by dropping all the excess packets from the particular source/destination,
and continues to drop the packets until the attack subsides. Because Cyberoam applies the
threshold value per IP address, only traffic from the particular source/destination is dropped;
traffic from the remaining IP addresses is not affected at all.
Time taken to re-allow traffic from the blocked source/destination = time taken to subside the
attack + 30 seconds
For example
Packet rate per Source - 100 packets per second
Burst rate per Source - 200 packets per second
When user starts sending requests, initially user will be able to send 200 packets per second but
once the 200 packets are received, in the next phase user will be able to send only 100 packets
per second. So in the next phase, if user sends 150 packets per second, Cyberoam will consider it
as an attack and drop 50 (150 -100) packets. Cyberoam will accept traffic from the user only after
Threshold values
Cyberoam uses packet rate and burst rate values as threshold values to detect a DoS attack. These
values depend on various factors like:
Network bandwidth
Nature of traffic
Capacity of servers in the network
These values are applicable to the individual source or destination i.e. requests per user/IP
address and not globally to the entire network traffic. For example, if source rate is 2500
packets/minute and the network consists of 100 users then each user is allowed packet rate of
2500 packets per minute.
Configuring high values will degrade the performance and too low values will block the regular
requests. Hence it is very important to configure appropriate values for both source and destination
IP address.
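The packet rate / burst rate example and the per-IP threshold rule described above, as an added Python sketch (not Cyberoam's code and not part of the guide). It assumes per-second accounting and a one-off burst allowance per source, and models the 30-second re-allow delay only as a flag; the class and function names and the sample IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

HOLD_DOWN_SECONDS = 30  # from the guide: re-allow = attack subsides + 30 seconds


@dataclass
class SourceState:
    burst_spent: bool = False          # one-off burst allowance already used?
    last_excess: Optional[int] = None  # last second in which packets were dropped


class PerSourceThreshold:
    """Toy model of a per-source packet rate / burst rate threshold."""

    def __init__(self, packet_rate: int, burst_rate: int):
        if burst_rate < packet_rate:
            raise ValueError("burst rate must not be below the packet rate")
        self.packet_rate = packet_rate
        self.burst_rate = burst_rate
        self.sources: Dict[str, SourceState] = {}

    def observe(self, src: str, second: int, packets: int) -> Tuple[int, int]:
        """Account for `packets` from `src` in one second; return (accepted, dropped)."""
        state = self.sources.setdefault(src, SourceState())
        # Assumption: the burst rate applies to the first second in which the
        # source is seen, the packet rate to every second after that.
        allowance = self.packet_rate if state.burst_spent else self.burst_rate
        state.burst_spent = True
        accepted = min(packets, allowance)
        dropped = packets - accepted
        if dropped:
            state.last_excess = second
        return accepted, dropped

    def is_flagged(self, src: str, second: int) -> bool:
        """True while the source is within 30 s of its last dropped packet."""
        state = self.sources.get(src)
        if state is None or state.last_excess is None:
            return False
        return second - state.last_excess <= HOLD_DOWN_SECONDS


def replay(model: PerSourceThreshold,
           samples: Iterable[Tuple[int, str, int]]) -> Dict[str, int]:
    """Feed (second, source, packets) samples; return total drops per source."""
    dropped_by_src: Dict[str, int] = {}
    for second, src, packets in samples:
        _, dropped = model.observe(src, second, packets)
        dropped_by_src[src] = dropped_by_src.get(src, 0) + dropped
    return dropped_by_src


def aggregate_ceiling(per_source_rate: int, sources: int) -> int:
    """Traffic admitted if every source sends at its own threshold.

    The threshold is per IP address, not global, so the admitted total
    grows with the number of sources.
    """
    return per_source_rate * sources


# Constructed traffic: one source repeats the guide's worked example
# (200, then 150, then 100 packets per second); the other stays at 80.
SAMPLES = [
    (0, "10.0.0.5", 200), (0, "10.0.0.9", 80),
    (1, "10.0.0.5", 150), (1, "10.0.0.9", 80),
    (2, "10.0.0.5", 100), (2, "10.0.0.9", 80),
]

if __name__ == "__main__":
    model = PerSourceThreshold(packet_rate=100, burst_rate=200)
    print(replay(model, SAMPLES))
    print(model.is_flagged("10.0.0.5", 20), model.is_flagged("10.0.0.9", 20))
    print(aggregate_ceiling(2500, 100), "packets/minute across 100 users")
```

When sizing the thresholds, check the value returned by `aggregate_ceiling` against what the protected servers can absorb, because a per-source limit does not cap the total.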
Click Apply Flag checkbox to apply the SYN flood definition and control the allowed number
of packets.
Click SYN Flood to view the real time updates on flooding. It displays the source IP address -
which was used for flooding and IP address which was targeted.
SYN Flood is an attack in which a large number of connections are sent so that the backlog
queue overflows. A connection is created when the victim host receives a connection
request and allocates some memory resources for it. A SYN flood attack creates so many
half-open connections that the system becomes overwhelmed and cannot handle incoming
requests any more.
Click Apply Flag checkbox to apply the UDP flood definition and control the allowed number
of packets.
Click UDP Flood to view the real time updates on flooding. It displays the source IP address
- which was used for flooding and IP address which was targeted.
User Datagram Protocol (UDP) Flood links two systems. It hooks up one system's UDP
character-generating service with another system's UDP echo service. Once the link is
made, the two systems are tied up exchanging a flood of meaningless data.
Click Apply Flag checkbox to apply the TCP flood definition and control the allowed number
of packets.
A TCP attack sends a huge amount of TCP packets so that the host/victim computer cannot
handle them.
Click Apply Flag checkbox to apply the ICMP flood definition and control the allowed number
of packets.
Click ICMP Flood to view the real time updates on flooding. It displays the source IP address
- which was used for flooding and IP address which was targeted.
An ICMP attack sends a huge amount of packets/traffic so that the protocol implementation of the
host/victim computer cannot handle it.
on the host and possibly weaken the security of the host by causing traffic to flow via another
path.
DoS will not be applied on all the requests from the specified source IP
address and port
Destination Domain name/IP Address - Destination Domain name or IP address on which the DoS rule is not to be applied
Specify destination information
148
Cyberoam User Guide
DoS will not be applied on all the requests from the specified destination IP
address and port
Network Protocol
Select protocol whose traffic is to be bypassed for specified source to
destination.
For example,
If you select TCP protocol then DoS rules will not be applied on the TCP
traffic from the specified source to destination.
Create button Creates the bypass rule
Table Create DoS bypass rule screen elements
Click Submit
Table - Reset Console Password screen elements
ARP
ARP (Address Resolution Protocol) is a protocol that TCP/IP uses to translate an IP address into a MAC address (physical network address). In other words, it maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet.
It is used by hosts that are directly connected on a local network and uses unicast transmissions, broadcast transmissions, or both. A host finds the physical address of another host on its network by sending an ARP query packet that includes the IP address of the receiver. As a broadcast protocol, it can create excessive amounts of traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information.
A static ARP entry lets you bind a MAC address to a designated IP address and port. This can be used to ensure that a particular machine can only be used on a specified port on the Cyberoam appliance. Once the MAC address is bound to a port, the Cyberoam appliance will not respond to that MAC address on any other port. It will also remove any dynamically cached references to that MAC address that might be present, and will not allow additional static mappings of that MAC address.
These entries are stored in the static ARP table as well as the ARP Cache table. When the Cyberoam appliance receives an ARP request on a particular port, it performs the ARP lookup in the static ARP table. If there is any mismatch in IP address or port, Cyberoam considers it an ARP poisoning attempt and does not update its ARP Cache.
If the entry is not available in the static table, Cyberoam looks it up in the ARP Cache and adds the MAC address to the ARP Cache if required.
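The lookup order described above, modelled in Python as an added example (not Cyberoam's code). It assumes the static table is keyed by MAC address and, as an extension the guide does not state, also treats a different MAC claiming a statically bound IP as a mismatch; the port names and addresses are constructed sample values.

```python
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC, accept '-' separators, reject malformed input."""
    norm = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(norm):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return norm


@dataclass
class ArpTables:
    static: dict = field(default_factory=dict)   # mac -> (ip, port)
    cache: dict = field(default_factory=dict)    # ip  -> (mac, port)
    log_poisoning: bool = True                   # models the logging checkbox
    alerts: list = field(default_factory=list)

    def add_static(self, mac, ip, port):
        mac = normalize_mac(mac)
        if mac in self.static:
            # No additional static mappings of an already bound MAC.
            raise ValueError(f"{mac} already has a static mapping")
        # Remove dynamically cached references to this MAC, then store the
        # binding in both the static table and the ARP cache.
        self.cache = {k: v for k, v in self.cache.items() if v[0] != mac}
        self.static[mac] = (ip, port)
        self.cache[ip] = (mac, port)

    def handle_arp(self, sender_mac, sender_ip, in_port):
        """Return 'static-match', 'poisoning', 'cached' or 'learned'."""
        mac = normalize_mac(sender_mac)
        bound = self.static.get(mac)
        if bound is not None:
            if bound == (sender_ip, in_port):
                return "static-match"
            return self.flag(mac, sender_ip, in_port,
                             f"MAC is bound to {bound[0]} on {bound[1]}")
        # Assumption (not stated in the guide): an unbound MAC claiming an
        # IP that is statically bound to another MAC is also a mismatch.
        owner = next((m for m, (ip, _) in self.static.items()
                      if ip == sender_ip), None)
        if owner is not None:
            return self.flag(mac, sender_ip, in_port,
                             f"{sender_ip} is bound to {owner}")
        # No static entry: fall back to the dynamic cache.
        if self.cache.get(sender_ip) == (mac, in_port):
            return "cached"
        self.cache[sender_ip] = (mac, in_port)
        return "learned"

    def flag(self, mac, ip, port, reason):
        # The cache is deliberately left untouched on a mismatch.
        if self.log_poisoning:
            self.alerts.append(
                f"possible ARP poisoning: {mac} claims {ip} on {port}; {reason}")
        return "poisoning"


def run_demo():
    """Replay constructed ARP packets against one static gateway binding."""
    tables = ArpTables()
    tables.add_static("00-11-22-33-44-55", "192.168.1.1", "PortA")
    packets = [
        ("00:11:22:33:44:55", "192.168.1.1", "PortA"),   # legitimate gateway
        ("de:ad:be:ef:00:02", "192.168.1.1", "PortB"),   # foreign MAC claims gateway IP
        ("00:11:22:33:44:55", "192.168.1.1", "PortB"),   # bound MAC seen on wrong port
        ("aa:bb:cc:00:00:03", "192.168.1.20", "PortB"),  # ordinary unbound host
    ]
    return [tables.handle_arp(*p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```
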
Click Add
Go to System → ARP → Manage to view the large number of ARP entries. The page lets you navigate and manage ARP entries in both tables. Select the table type from the dropdown list to view the ARP entries in the respective table. It lists the IP address, MAC address, port and type of each entry. The entry type can be static or dynamic. If everything is working properly with ARP, a dynamic ARP entry is displayed as Dynamic-Complete, i.e. both MAC and IP values are present, while Dynamic-Incomplete means that the ARP request was sent but no reply has yet been received.
Go to System → ARP → Manage and configure the time interval after which the entries in the cache should be flushed. The time interval should be in the range of 1 to 500 minutes.
If you want to log the poisoning attempts, click the LOG possible ARP Poisoning attempt checkbox.
Delete ARP
Select System → ARP → Manage to view the list of ARP entries and click the Del icon against the IP address to be deleted.
Cyberoam allows enabling/disabling of following services and VPN and Traffic Discovery modules:
TFTP - Trivial File Transfer Protocol (TFTP) is a simple form of the File Transfer Protocol (FTP).
TFTP uses the User Datagram Protocol (UDP) and provides no security features.
PPTP - PPTP (Point-to-Point Tunneling Protocol) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a VPN tunnel using a TCP/IP based network.
IRC - IRC (Internet Relay Chat) is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it is an open network, and with no control on file sharing, performance is affected.
H323 - The H.323 standard provides a foundation for audio, video, and data communications
across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the
International Telecommunications Union (ITU) that sets standards for multimedia communications
over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS). It
enables users to participate in the same conference even though they are using different
videoconferencing applications.
P2P Traffic Modules - Identifies peer-to-peer (P2P) data in IP traffic. It works together with connection tracking and connection marking, which help in identifying the bigger part of all P2P packets and limiting the bandwidth rate.
SIP - SIP (Session Initiation Protocol) is a signaling protocol which enables the controlling of media communications such as VOIP. The protocol is generally used for maintaining unicast and multicast sessions consisting of several media systems. SIP is a text-based, TCP/IP-supported Application layer protocol.
Select Firewall System Modules and enable or disable the required service and modules.
Manage Data
Backup data
Backup is an essential part of data protection. No matter how well you treat your system, no matter how much care you take, you cannot guarantee that your data will be safe if it exists in only one place.
Backups are necessary in order to recover data lost due to disk failure, accidental deletion or file corruption. There are many ways of taking a backup and just as many types of media to use as well.
Cyberoam provides a facility for taking regular and reliable data backups. A backup consists of all the policies, logs and all other user related information.
User session log - Every time the user logs in, a session is created. This log stores the session entries of all the users and specifies the login and logout time.
Audit log - This log stores the details of all the actions performed by the user administering Cyberoam. Refer to Appendix A - Audit Log for more details.
Virus log - This log stores the details of malicious traffic requests received.
Backup Data
Restore Data
Use the restore facility to restore data from the backup taken. Restoring data older than the current data will lead to the loss of current data.
Note
Restore facility is version dependent, i.e. it will work only if the backup and restore versions are the same
Purge
Purging of data means periodic deletion of the data. Cyberoam provides Auto purge and Manual purge
facility for deleting log records. Additionally, Auto purge utility also provides an option to enable or disable
log archiving.
Go to System Manage Data Configure Auto purge utility and click against the log to
enable archiving and specify the time period to retain log. By default, Cyberoam will not archive IPS logs.
One has to manually enable the archiving of IPS logs.
If disabled, Cyberoam will keep the log of the current date only and delete records every night.
Earlier versions of Cyberoam supported retention of Web Surfing and Appliance Audit logs only.
Cyberoam will retain the configured retention period of Web Surfing logs and Appliance Audit Logs after upgrading to the latest version.
Manual purge
Use manual purge to delete log records manually
Note
Client Services
Client Messages
The Message Management tab allows the Administrator to send messages to the various users. Messages help the Administrator notify users about problems as well as administrative alerts in areas such as access, user sessions, incorrect password, and successful log on and log off.
A message can be up to 256 characters long and can be sent to a number of users at a time.
alert.
User1 will receive alert when he is left with 20 MB of data transfer i.e.
has done total data transfer of 130 MB
User2 will receive alert when he is left with 20 MB of data transfer i.e.
has done total data transfer of 620 MB
User1 will receive alert when he is left with 30 MB (20% of 150 MB) of
data transfer i.e. has done data transfer of 120 MB
User2 will receive alert when he is left with 128 MB (20% of 640 MB) of
data transfer i.e. has done data transfer of 512 MB
Cycle Data Transfer (MB): Specify the remaining cycle data transfer usage at which all the users should receive an alert.
Cycle data transfer is the upper limit of total data transfer allowed to the user per cycle. The user will be disconnected if the limit is reached. It is applicable to the users to whom the cyclic data transfer policies are applied.
User1 will receive alert when he is left with 20 MB of data transfer per
cycle i.e. has done data transfer of 130 MB
User2 will receive alert when he is left with 20 MB of data transfer per
cycle i.e. has done data transfer of 620 MB
User1 will receive alert when he is left with 30 MB (20% of 150 MB) of
data transfer per cycle i.e. has done data transfer of 120 MB
User2 will receive alert when he is left with 128 MB (20% of 640 MB) of
data transfer per cycle i.e. has done data transfer of 512 MB
Save details button Saves the data transfer alert configuration
Table - Customized Client Message screen elements
Messages - Description/Reason
AlertMessageWithCycleData: Message is sent to the user when the remaining cycle data transfer is equal to the configured value.
The surfing time duration is the time in hours the User is allowed Internet access that is defined in Surfing time policy. If hours are exhausted, User is not allowed to access
SurfingtimeExpired: Administrator has temporarily deactivated the User and will not be able to log in because User surfing time policy has expired
liveIPinuse: Message is sent if connection is requesting a public IP Address from the server that is already in use
nmpoolexceedlimit: Message is sent if the maximum number of IP Addresses in the Live IPHost Group at any given time has exceeded the limit
Table - List of predefined messages
Client preferences
Use Client preference to specify
which page to open every time user logs on to Cyberoam
whether HTTP client log on page should pop up if user tries to surf without logging in
port from which Web Administration Console can be accessed
number of concurrent log on allowed
Default : 443
Update button Updates configuration
User Authentication setting
Number of Logins Allowed OR Unlimited Login: Specify number of concurrent logins allowed to all the users OR allow unlimited concurrent logins
User Inactivity Timeout: Enter the timeout duration in minutes. After this period of inactivity (no data transfer), user will be logged out automatically. OR Click Unlimited
Update button: Updates configuration
Table - Customized Client Preferences screen elements
Note
The preferences set are applicable to all the users by default. All the set preferences will be applicable
when the user is created. Refer to Create User, for customizing number of concurrent logins allowed to
a particular user.
This customized message will be displayed when user tries to access the site, which is not
allowed.
Select a particular category for which you want to display a different message
By default, the message specified for All Web Categories is displayed.
Disable Use Default Message, if you want to display a different message for a particular
category and modify the message
Select All File type category to customize the access deny message for all the file type
categories
3. In Denied Message, modify the message contents
4. Click Update button to save if any changes are made
Use to display your company's logo in all the messages displayed to the user.
Note
Dimension of Image should be 700 * 80 and jpg file only
In the Login message box, specify the message to be displayed. You can further customize
the message by using clientip address, category and URL
3. Enable Blink Message to display blinking message
4. Before saving the configuration, click Preview and see how message will be displayed to the
user
5. Click Save button to save the configuration
Alert messages displayed on the Dashboard Alert Messages section can be enabled or disabled
as per the need. By default, all the messages are enabled.
Cyberoam includes a fully integrated Template Editor to design the page. It supports numerous placement and arrangement options for each field and a provision to add a personalized message or insert a logo or any other image.
Cyberoam provides a default template that can be modified to customize the HTTP Client login page.
Listed elements of Web Admin Console will be displayed in the configured language:
Dashboard alerts
Dashboard Doclet contents
Navigation menu
Screen elements including field & button labels and tips
Error messages
Administrator can also specify description for firewall rule, various policies, services and various
custom categories in Hindi, French or Chinese language.
Time settings
Current date and time can be set according to Cyberoam's internal clock, or Cyberoam can be configured to synchronize its internal clock with an NTP server. Cyberoam's clock can be tuned to show the right time using global Time servers so that logs show the precise time and Cyberoam activities can also happen at a precise time.
Certificate Management
Digital certificates are used for authentication. Certificates are generated by trusted third-party Certificate Authorities (CAs). They create certificates by signing the public keys and identifying information of the communicating parties with their own private keys. This way it is possible to verify that a public key really belongs to the communicating party and has not been forged by someone with malicious intentions.
A certificate signed by a CA identifies the owner of a public key. Each communicating party may be required to present its own certificate signed by a CA verifying the ownership of the corresponding private key. Additionally, the communicating parties need to have a copy of the CA's public key. In case the private key is lost or stolen or the information is changed, the CA is responsible for revoking the certificate.
Cyberoam provides a facility to generate a local certificate authority as well as import certificates signed by commercial providers.
If the remote peer is using a certificate issued by one of the following 3rd party CAs, you are not required to upload the CA in Cyberoam:
VeriSign
Entrust
Microsoft
Click to generate
Upload Certificate
Prerequisite
Certificate Authority generated
Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but a larger key requires more time to encrypt and decrypt data than a smaller key.
Password: Specify password and confirm by re-typing
Click to generate
Cancel button: Cancels the current operation
Table - Generate Self Signed Certificate screen elements
Displays the number of bits used to construct the key. Generally, the larger the key, the less chance that it will be compromised, but a larger key requires more time to encrypt and decrypt data than a smaller key.
Password: Specify password and confirm by re-typing
IP address
Email address
DER ASN1 DN/X.509 (applicable when Authentication Type is
Digital Certificate)
Country Name Select the Country for which the Certificate will be used.
Click to generate
Cancel button Cancels the current operation
Table - Generate CSR screen elements
Download Certificate
The Certificate Signing Request is downloaded in zip format; unzip the file. It contains three files: certificatename.csr, certificatename.key, password.txt
Cyberoam supports certificates in two formats: p12 and pem. The certificate is downloaded in tar.gz format; unzip the file using WinZip or WinRAR. It contains:
Certificatename.p12 (certificate in p12 format)
Password.txt
PEM folder, which contains the certificate in pem format as: certificatename.pem, certificatename.key
Delete Certificate
Prerequisite
Not used by any Connection
Note
Deleted certificate will be revoked
Revoke certificate
Validity period is the certificate life i.e. period up to which the certificate
will be considered as valid
Key Length Displays key length, modify if required.
Displays the number of bits used to construct the key. Generally the
larger the key, the less chance that it will be compromised but requires
Click to revoke
Download CRL
Once you revoke the certificate, the details of the revoked certificate are added to the default CRL file generated by Cyberoam. You can download and distribute it if required.
Select System → Certificate Management → Manage CRL to view the list of CRLs.
Click Download against the CRL name to be downloaded. It downloads a zip file; unzip the file to check the details.
Upload CRL
If you are using External Certificate Authority, you need to upload the CRL obtained from External
Certificate Authority.
Delete CRL
Select System → Certificate Management → Manage CRL to view the list of CRLs.
Note
Default CRL cannot be deleted
Note
HTTP proxy will enforce the Internet Access Policy and Anti Virus policy as configured in the User and the
Firewall policy.
IPS policy will be applicable on the traffic between proxy and the WAN, but not between the user and the
proxy.
configuration
HTTP Direct Proxy Configuration
HTTP Proxy port Specify proxy port to be used and click Save button to save the
configuration
HTTP Trusted ports Cyberoam allows the access to those sites that are hosted on
standard port only if deployed as HTTP proxy.
Click to enable
IP address Specify IP address of Parent proxy
HTTP Proxy Port Specify parent proxy port
Save button Click to save the port setting
Table - Configure HTTP Proxy screen elements
Manage Servers
Use Services tab to Start/Stop and Enable/Disable Autostart various configured servers. According to the
requirement, one can Start, Stop, Enable or Disable the services.
Running if server is on
Stopped if server is off
Commands Starts or stops the respective servers
Enables or disables Autostart
Button Usage
Start Starts the Server whose status is Stopped
Stop Stops the server whose status is Started
Enable Autostart Automatically starts the configured server with the startup of Cyberoam
Disable Autostart Disables the Autostart process
Restart Restarts Cyberoam
Bandwidth usage graphical report allows Administrator to monitor the amount of data uploaded or
downloaded by the Users. Administrator can use this information to help determine:
Whether to increase or decrease the bandwidth limit?
Whether all the gateways are utilized optimally?
Which gateway is underutilized?
What type of traffic is consuming the majority of the Bandwidth?
Which inbound/ outbound traffic has consumed the most Bandwidth in the last week/month?
Total Generates total (all gateways) data transfer report. Also generates
Live user report
1. Live users - Graph shows time and live users connected to Internet. In addition, shows minimum, maximum and average no. of users connected during the selected graph period. This will help in knowing the peak hour of the day.
X axis - Hours
Y axis - No. of users
Peak hour - Maximum no. of live users
2. Total data transfer - Graph shows total data transfer (upload + download) during the day. In addition, shows minimum, maximum and average data transfer.
X axis - Hours
Y axis - Total data transfer (upload + download) in KB/Second
3. Composite data transfer - Combined graph of Upload & Download data transfer. Colors differentiate upload & download data traffic. In addition, shows the minimum, maximum and average data transfer for upload & download individually
X axis - Hours
Y axis - Upload + Download in Bits/Second
4. Download data transfer - Graph shows only download traffic during the day. In addition, shows the minimum, maximum and average download data transfer.
X axis - Hours
Y axis - Download data transfer in Bits/Second
5. Upload data transfer - Graph shows only upload traffic during the day. In addition, shows minimum, maximum and average upload data transfer.
X axis - Hours
Y axis - Upload data transfer in Bits/Second
6. Integrated total data transfer for all Gateways - Combined graph of total (Upload + Download) data transfer for all the gateways. Colors differentiate gateways. In addition, shows the minimum, maximum and average data transfer of individual gateway
X axis - Hours
Y axis - Total (Upload + Download) data transfer in Bits/Second
7. Integrated Download data transfer of all Gateways - Graph shows only the download traffic of all the gateways during the day. In addition, shows the minimum, maximum and average download data transfer.
X axis - Hours
Y axis - Download data transfer in Bits/Second
8. Integrated Upload data transfer for all the Gateways - Graph shows only the upload traffic of all the gateways during the day. In addition, shows minimum, maximum and average upload data transfer.
X axis - Hours
Y axis - Upload data transfer in Bits/Second
Migrate Users
Cyberoam provides a facility to migrate the existing users from PDC or LDAP server. Alternately, you can
also import user definition from an external file (CSV format file).
If you do not want to migrate users, configure for Automatic User creation. This reduces the Administrator's burden of creating the same users again in Cyberoam.
Step 2: Opens the File Download window and prompts to run or save the utility. Select the appropriate option and click OK button
Step 3: Opens a new browser window and prompts for the login. Provide the administrator username and
password. E.g. Username: cyberoam and password: cyber
Step 4: On successful authentication, following screen will be shown. Upload the specified file.
Step 5: Change the group or status of the user at this stage, if required. To migrate all the users, click
Select All or select the individual users and click Migrate Users.
Note
After migration, the Cyberoam login password will be the same as the username
Once the users are migrated, configure for single sign on login utility. The configuration is required to be done on the Cyberoam server.
Step 2 Change Group or Active status of user at this stage, if required. To migrate all the users, click
Select All or select the individual users and click Migrate Users.
If migration is successful, Manage Active User page will be displayed with all the migrated users as
Active users.
PART
Customization
Schedule
A schedule defines a time schedule for applying a firewall rule or Internet Access policy, i.e. it is used to control when firewall rules or Internet Access policies are active or inactive.
Types of Schedules:
Recurring - use to create policies that are effective only at the specified times of the day or on specified days of the week.
One-time - use to create firewall rules/policies that are effective once for the period of time specified in the schedule.
Define Schedule
Select Firewall → Schedule → Define Schedule to open the define schedule page
Recurring - Use to create access time policies that are effective only at specified times of the day or on specified days of the week.
One time - Use to create firewall rules that are effective once for the period of time specified in the schedule. It cannot be applied to any of the policies but can be implemented through firewall rule only.
Start time & Stop time (only if Schedule Type is One Time): Defines start and stop time for the schedule. Start & stop time cannot be same
Description: Specify full description of schedule
Create button: Creates schedule
Select Firewall → Schedule → Manage Schedule to view the list of schedule and click the Schedule name in which the schedule entry details are to be added.
Manage Schedule
Use to modify:
Schedule Name
Description
Add Schedule Entry details
Delete Schedule Entry details
Select Firewall → Schedule → Manage Schedule and click Schedule name to be updated
Delete Schedule
Services
Services represent types of Internet data transmitted via particular protocols or applications.
Select Firewall → Services → Manage to view the list of custom services. Click the service to be modified
Select protocol
For IP - Select Protocol No.
For TCP - Specify Source and Destination port
For UDP - Specify Source and Destination port
For ICMP - Select ICMP Type and Code
Delete button: Allows you to delete protocol details
Note
Default Services cannot be deleted
Categories
Cyberoam's content filtering capabilities prevent Internet users from accessing non-productive or objectionable websites that take valuable system resources from your network, and at the same time prevent hackers and viruses from gaining access to your network through their Internet connections.
Cyberoam lets you prevent Internet users from accessing URLs that contain content the company finds objectionable. Cyberoam's Categories Database contains categories covering Web page subject matter as diverse as adult material, astrology, games, job search, and weapons. It is organized into general categories, many of which contain collections of related Internet sites with specific content focus. In other words, the database is a collection of site/host names that are assigned a category based on the major theme or content of the site.
Web category - Grouping of Domains and Keywords. Default web categories are available for use only if the Web and Application Filter subscription module is registered.
Application protocol - Grouping of protocols. Standard protocol definitions are available for use only if the Web and Application Filter subscription module is registered.
Apart from the default categories provided by Cyberoam, a custom category can also be created if required. Creating a custom category gives increased flexibility in managing Internet access for your organization. After creating a new category, it must be added to a policy so that Cyberoam knows when to enforce it and for which groups/users.
Web Category
Web category is the grouping of Domains and Keywords used for Internet site filtering. Domains and any
URL containing the keywords defined in the Web category will be blocked.
Each category is grouped according to the type of sites. Categories are grouped into four types that specify whether accessing sites in those categories is considered productive or not:
Neutral
Productive
Non-working
Un-healthy
For your convenience, Cyberoam provides a database of default Web categories. You can use these or
even create new web categories to suit your needs. To use the default web categories, the subscription
module Web and Application Filter should be registered.
Depending on the organization requirement, allow or deny access to the categories with the help of
policies by groups, individual user, time of day, and many other criteria.
Custom web category is given priority over default category while allowing/restricting the access.
Search URL
Use Search URL to search whether the URL is categorized or not. It searches the specified URL and
displays Category name under which the URL is categorized and category description.
When a custom category is created with a domain/URL which is already categorized in default category
then the custom category overrides the default category and the search result displays custom category
name and not the default category name.
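The lookup behaviour described in this section (domain or keyword match, with a custom category overriding a default one), modelled in Python as an added example that is not Cyberoam's code. The category names and URLs are constructed, and two details are assumptions: keyword matching is a case-insensitive substring test on the whole URL, and a domain entry also covers its subdomains.

```python
from urllib.parse import urlsplit


class WebCategory:
    """A named group of domains and keywords (constructed model)."""

    def __init__(self, name, domains=(), keywords=(), custom=False):
        self.name = name
        self.domains = [d.lower().lstrip(".") for d in domains]
        self.keywords = [k.lower() for k in keywords]
        self.custom = custom

    def matches(self, url):
        """Return 'domain', 'keyword' or None for this category."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        # Assumption: a domain entry also covers its subdomains.
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return "domain"
        # Assumption: a keyword matches anywhere in the URL, ignoring case.
        if any(k in url.lower() for k in self.keywords):
            return "keyword"
        return None


def search_url(url, categories):
    """Return (category name, match type); custom categories are tried first."""
    ordered = sorted(categories, key=lambda c: not c.custom)  # stable sort
    for cat in ordered:
        how = cat.matches(url)
        if how:
            return cat.name, how
    return None, None


def is_denied(url, categories, denied_names):
    """Policy check: deny when the URL's category is in the denied set."""
    name, _ = search_url(url, categories)
    return name in denied_names


# Constructed sample data: one default category and one custom category
# that re-categorizes a single host already covered by the default.
CATEGORIES = [
    WebCategory("Games", domains=["games.example"], keywords=["game"]),
    WebCategory("Partner Portal", domains=["play.games.example"], custom=True),
]

if __name__ == "__main__":
    for u in ("http://play.games.example/lobby",
              "http://games.example/",
              "https://news.example/2024/endgame-report",
              "https://docs.example/"):
        print(u, search_url(u, CATEGORIES), is_denied(u, CATEGORIES, {"Games"}))
```

The third URL shows why keyword lists need review before a category is attached to a deny policy: a short keyword also matches unrelated pages that happen to contain it.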
If the module is not subscribed, the page is displayed with the message "Web and Application Filter module is not registered". See Register Add on Modules for registering the Web and Application Filter module. You can subscribe to the trial version of the module, which will expire after 15 days of subscription.
Once the module is subscribed, the default categories can be used in Internet Access for filtering.
Select Categories → Web Category → Manage Default to view the list of default Web Categories
Note
Default Web categories cannot be modified or deleted.
Custom web category is given the priority over the default category while allowing/restricting access.
Above configured bandwidth policy will be applicable, whenever the URL falling
under the Web category is accessed.
Domain Management
Add button Use to define domains for the web category. Depending on the user's Internet access policy, accessing specified domain(s) will be allowed or denied.
Click to add
Click to add
Note
Custom category name cannot be same as default category name.
Add Domain
Note
Domains can be added at the time of creation of web category or whenever required.
Add Keyword
Note
Keywords can be added at the time of creation of web category or whenever required.
Select Categories → Web Category → Manage Custom to view the list of Web categories and click the Web Category to be modified
Click to add
Click to remove
Click to add
Click to remove
Click to Update
Cancel button Cancels the current operation and returns to the Manage Custom Web
Category page
Table - Update Custom Web category screen elements
Delete Domain
Prerequisite
Not attached to any Policy
Select Categories → Web Category → Manage Custom to view the list of Web Categories.
For your convenience, Cyberoam provides several default File Types categories. You can use these or
even create new categories to suit your needs.
Depending on the organization requirement, allow or deny access to the categories with the help of
policies by groups, individual user, time of day, and many other criteria.
Select Categories → File Type Category → View Default to view the list of default File Type Categories. Click the Category to view extensions included in the Category.
Select Categories → File Type Category → Create Custom to open the create page
Select Categories → File Type Category → Manage Custom to view the list of File Type Categories and click the File Type Category to be modified.
Click to Update
Cancel button Cancels the current operation and returns to the Manage Custom
File Type Category page
Screen - Manage Custom File Type Category
Prerequisite
Not attached to any Policy
Select Categories → File Type Category → Manage Custom to view the list of File Type Categories created
You can also filter Internet requests based on protocols or applications other than HTTP, HTTPS or FTP,
for example those used for instant messaging, file sharing, file transfer, mail, and various other network
operations.
For your convenience, Cyberoam provides a database of default Application Protocol categories. To use
the default Application Protocol categories, the subscription module Web and Application Filter should
be registered.
Once the module is registered, the default protocol categories can be used in Internet Access for filtering.
Select Categories → Application Protocol Category → View Default to view the list of
default Application Protocol Categories.
Select Categories → Application Protocol Category → Create Custom to open the create
page.
Click to add
Select Categories → Application Protocol Category → Manage Custom to view the list of
custom Application Protocol Categories. Click the Application Protocol Category to be modified.
Click to add
Click to remove
Click to Update
Cancel button Cancels the current operation and returns to the Manage Custom
Application Protocol Category page
Table Manage Custom Application Protocol Category screen elements
Prerequisite
Not attached to any Policy
Select Categories → Application Protocol Category → Manage Custom to view the list of
Application Protocol Categories created.
Access Control
Use Local ACLs to limit the Administrative access to the following Cyberoam services from LAN, WAN,
DMZ and VPN:
Admin Services
Authentication Services
Proxy Services
Network Services
Admin Services
HTTPS (TCP port 443) and SSH (TCP port 22) services will be open for administrative functions for
the LAN zone.
Authentication Services
Cyberoam (UDP port 6060) and HTTP Authentication (TCP port 8090) will be open for User
Authentication Services for the LAN zone. User Authentication Services are not required for any of the
Administrative functions but are required to apply user-based Internet surfing, bandwidth and data
transfer restrictions.
Network services
ICMP service is allowed for the VPN zone.
Authentication Services
Enable/disable the following services from the specified zone and network:
Cyberoam
HTTP
Proxy Services
Enable/disable the HTTP service from the specified zone and network
Network Services
Enable/disable the following services from the specified zone and network:
DNS
ICMP
Logging
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network abuse.
Cyberoam can either store logs locally or send logs to external syslog servers for storage and archival
purposes.
Cyberoam can log many different network activities and traffic including:
Firewall log
Anti-virus infection and blocking
Web filtering, URL and HTTP content blocking
Signature and anomaly attack and prevention
Spam filtering
Cyberoam supports multiple syslog servers for remote logging. When configuring logging to a syslog
server, you need to configure the facility, severity and log file format. You can also specify the logging
location if multiple syslog servers are defined.
A maximum of five syslog servers can be defined from the Logging page of the Web Admin Console.
Cyberoam can either store logs locally or send them to the syslog servers. Traffic Discovery logs can be
stored locally only.
Syslog Configuration
Syslog is an industry-standard protocol for collecting and forwarding messages from devices to a
server running a syslog daemon, usually via UDP port 514. The syslog server is a remote computer running a
syslog service. Logging to a central syslog server helps in aggregation of logs and alerts.
The Cyberoam appliance can also send a detailed log to an external syslog server in addition to the standard
event log. Cyberoam syslog support requires an external server running a syslog daemon on any
UDP port.
Cyberoam captures all log activity and includes every connection's source and destination IP address,
IP service, and number of bytes transferred.
A syslog service simply accepts messages and stores them in files or prints them. This form of logging is
the best as it provides a central logging facility and protected long-term storage for logs. This is useful
both in routine troubleshooting and in incident handling.
To add the syslog server details, go to System → Logging → Manage Syslog and click the Create
button.
Default: 514
Facility: Select the syslog facility for log messages to be sent to the syslog
server.
Once you add the server, go to the System → Logging → Log configuration page and enable all
the logs that are to be sent to the syslog server.
Log configuration
Once you add the server, configure the logs to be sent to the syslog server from the System → Logging → Log
configuration page. If multiple servers are configured, various logs can be sent to different servers.
To record logs you must enable the respective log and specify the logging location. The Administrator can choose
between on-appliance (local) logging, syslog logging or disabling logging temporarily.
Firewall Log
Firewall Log records invalid traffic, local ACL traffic, DoS attacks, ICMP redirected packets, source routed
and fragmented traffic. Firewall logs can be disabled or sent to the remote syslog server only but cannot
be stored locally.
To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
SYN Flood, UDP flood, TCP flood, and ICMP flood individually.
To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
'Disable ICMP redirect Packets'.
To generate log, go to Firewall → Denial of Service → DoS Settings and click Apply Flag against
'Drop Source Routed Packets'.
IPS reports
Records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and
signatures.
Antivirus Logs
Virus detected in HTTP, SMTP, FTP, POP3 and IMAP4 traffic. Enabling logging for SMTP will also
enable logging for POP3 and IMAP4 on the local server. HTTP and FTP logs can be disabled or sent to the
remote log server only.
Antispam Logs
SMTP, POP3, IMAP4 spam and probable spam mails.
| Log Type | | Local (On-appliance) | Syslog |
|---|---|---|---|
| Firewall | Firewall Rules | No | Yes |
| | Invalid Traffic | No | Yes |
| | Local ACLs | No | Yes |
| | DoS Attack | No | Yes |
| | ICMP Redirected packets | No | Yes |
| | Source Routed packets | No | Yes |
| | Fragmented traffic | No | Yes |
| IPS | Anomaly | Yes | Yes |
| | Signature | Yes | Yes |
| Anti Virus | HTTP | Yes | Yes |
| | FTP | Yes | Yes |
| | SMTP | Yes | Yes |
| | POP3 | Enabling/Disabling SMTP log will also enable/disable POP3 log | Yes |
| | IMAP4 | Enabling/Disabling SMTP log will also enable/disable IMAP4 log | Yes |
| Anti Spam | SMTP | Yes | Yes |
| | POP3 | Enabling/Disabling SMTP log will also enable/disable POP3 log | Yes |
| | IMAP4 | Enabling/Disabling SMTP log will also enable/disable IMAP4 log | Yes |
| Content Filtering | HTTP | Yes | Yes |
| Traffic Discovery | | Yes | No |
| HA | | | Yes. By default, HA logs are sent to syslog and no manual configuration is required. |
Note
Cyberoam removes the entire Syslog configuration on upgrading to V 9.5.3 build 20. Hence, you will have to
re-configure Syslog.
Upgrade Cyberoam
Cyberoam provides two types of upgrades:
Automatic: Correction of any critical software errors, performance improvements or changes in
system behavior lead to an automatic upgrade of Cyberoam without manual intervention or notification.
Manual: Manual upgrades require human intervention.
Automatic Upgrade
By default, AutoUpgrade mode is ON. It is possible to disable the automatic upgrades. Follow the
procedure to disable the AutoUpgrade mode:
Manual Upgrade
Page displays the list of available upgrades and the upgrade details like release date and size. Order
specifies the sequence in which Cyberoam should be upgraded.
Type the file name with full path or select using Browse and click Upload
Step 4. Upgrade
Once the upgrade file is uploaded successfully, log on to Console to upgrade the version.
Log on to Cyberoam Telnet Console.
Type 6 to upgrade from the Main menu and follow the on-screen instructions.
A success message will be displayed if the upgrade completes successfully.
Repeat the above steps if more than one upgrade is available. If more than one upgrade is available, please
upgrade in the same sequence as displayed on the Available Upgrades page.
Download
Clients
Cyberoam Client supports users on the following platforms:
Windows: Enables users using the Windows operating system to log on to the Cyberoam server
HTTP: Enables users using any operating system other than Windows and Linux to log on to the Cyberoam
server
Linux: Enables users using the Linux operating system to log on to the Cyberoam server
Single Sign on Client: Enables Windows-migrated users to log on to Cyberoam using their Windows
username and password.
Guides: Opens the Cyberoam Documentation site (http://docs.cyberoam.com), where you can download or view the
complete documentation set available for all the versions.
Depending on the requirement, download the Cyberoam Client from Help → Downloads.
Cyberoam Audit log can identify what action was taken by whom and when. The existence of such logs
can be used to enforce correct user behavior, by holding users accountable for their actions as recorded
in the audit log.
An audit log is the simplest, yet also one of the most effective forms of tracking temporal information. The
idea is that any time something significant happens you write some record indicating what happened and
when it happened.
2. Log on to Reports, click on the Reports link to open the reports login page in a new window
Tailor the report by setting filters on data by arbitrary date range. Use the Calendar to select the date
range of the report.
Entity: Cyberoam Component through which the event was generated/Audit Resource Type
Entity Name: Unique Identifier of Entity
Action: Operation requested by entity/Audit Action
Action By: User who initiated the action/Accessor name
Action Status: Action result/Audit Outcome
| Entity | Entity Name | Action | Action By | Action Status | Message | IP Address | Explanation |
|---|---|---|---|---|---|---|---|
| Report GUI | | Login | <username> | Successful | - | <IP address> | Login attempt to Report GUI by User <username> was successful |
| Report GUI | | Login | <username> | Failed | Wrong username or password | <IP address> | Login attempt to Report GUI by User <username> was not successful because of wrong username and password |
| Management GUI | | Login | <username> | Successful | - | <IP address> | Login attempt to Management GUI by User <username> was successful |
| Management GUI | | Login | <username> | Failed | User not found | <IP address> | Login attempt to Management GUI by User <username> was not successful because system did not find the User <username> |
| Management GUI | | Login | <username> | Failed | User has no previllege of Administration | <IP address> | Login attempt to Management GUI by User <username> was not successful as user does not have administrative privileges |
| Configuration Wizard | | Started | <username> | Successful | - | <IP address> | User <username>'s request to start Configuration Wizard was successful |
| Configuration Wizard | | Finished | <username> | Successful | - | <IP address> | User <username>'s request to close Configuration Wizard was successful |
| System | | Started | <username> | Successful | Cyberoam-System Started | <IP address> | Cyberoam was successfully started by the User <username> |
| SSh | | authentication | <username> | Successful | User admin, coming from 192.168.1.241, authenticated. | <IP address> | <username> trying to log on from <ip address> using SSH client was successfully authenticated |
| SSh | | authentication | <username> | Failed | Login Attempt failed from 192.168.1.241 by user root | <IP address> | Authentication of <username> trying to log on from <ip address> using SSH client was not successful |
| SSh | | authentication | <username> | Failed | Password authentication failed. Login to account hello not allowed or account non-existent | <IP address> | Log on to account <username> using SSH client was not successful |
| telnet | | authentication | <username> | Successful | Login Successful | <IP address> | Remote Login attempt through Telnet by User <username> was successful |
| telnet | | authentication | <username> | Failed | Authentication Failure | <IP address> | Authentication of <username> trying to log on remotely through Telnet was not successful |
| console | | authentication | <username> | Successful | Login Successful | ttyS0 | Login attempt to Console using Console Interface via remote login utility by User <username> was successful |
| console | | authentication | <username> | Successful | Login Successful | tty1 | Login attempt to Console via direct Console connection by User <username> was successful |
| console | | authentication | <username> | Failed | Authentication Failure | <IP address> | Login attempt to Console by User <username> was not successful |
| Firewall | | Started | System | Successful | - | <IP address> | Firewall subsystem started successfully without any error |
| Firewall Rule | <firewall rule id>, e.g. 7 | Create | <username> | Successful | - | <IP address> | Firewall rule <firewall rule id> was created successfully by user <username> |
| Firewall Rule | <firewall rule id>, e.g. 6 | Update | <username> | Successful | - | <IP address> | Firewall rule <firewall rule id> was updated successfully by user <username> |
| Firewall Rule | <firewall rule id>, e.g. 21 | Update | System | Successful | - | <IP address> | Firewall rule <firewall rule id> was updated successfully by user <username> |
| Firewall Rule | <firewall rule id>, e.g. 10 | Delete | System | Successful | - | <IP address> | Firewall rule <firewall rule id> was deleted successfully by user <username> |
| Host | N/A | Delete | <username> | Failed | - | <IP address> | Request to delete Host by user <username> was not successful |
| Host | <host name>, e.g. 192.168.1.68, #Port D | Delete | <username> | Successful | - | <IP address> | Host <host name> was deleted successfully by user <username> |
| Host | <host name>, e.g. 192.168.1.66, #Port D | Insert | <username> | Successful | - | <IP address> | Host <host name> was added successfully by user <username> |
| HostGroup | <host group name>, e.g. mkt group | Delete | <username> | Successful | - | <IP address> | Host Group <host group name> was deleted successfully by user <username> |
| HostGroup | <host group name>, e.g. sys group | Update | <username> | Successful | - | <IP address> | Host Group <host group name> was updated successfully by user <username> |
| HostGroup | <host group name>, e.g. Trainee | Insert | <username> | Successful | - | <IP address> | Host Group <host group name> was updated successfully by user <username> |
| Service | <service name>, e.g. vypress chat | Delete | <username> | Successful | - | <IP address> | Service <service name> was deleted successfully by user <username> |
| Service | <service name>, e.g. vypress chat | Update | <username> | Successful | - | <IP address> | Service <service name> was updated successfully by user <username> |
| Service | <service name>, e.g. vypress chat | Insert | <username> | Successful | - | <IP address> | Service <service name> was inserted successfully by user <username> |
| ServiceGroup | <service group name>, e.g. Intranet chat | Insert | <username> | Successful | - | <IP address> | Service group <service group name> was inserted successfully by user <username> |
| ServiceGroup | <service group name>, e.g. Intranet chat | Update | <username> | Successful | - | <IP address> | Service group <service group name> was updated successfully by user <username> |
| ServiceGroup | <service group name>, e.g. Intranet chat | Delete | <username> | Successful | - | <IP address> | Service group <service group name> was deleted successfully by |
| NAT Policy | <policy name> | Insert | <username> | Successful | - | <IP address> | NAT policy <policy name> was inserted successfully by user <username> |
| NAT Policy | <policy name> | Update | <username> | Successful | - | <IP address> | NAT policy <policy name> was updated successfully by user <username> |
| NAT Policy | <policy name> | Delete | <username> | Successful | - | <IP address> | NAT policy <policy name> was deleted successfully by user <username> |
| DNAT Policy | <policy name> | Insert | <username> | Successful | - | <IP address> | DNAT policy <policy name> was inserted successfully by user <username> |
| DNAT Policy | <policy name> | Update | <username> | Successful | - | <IP address> | DNAT policy <policy name> was updated successfully by user <username> |
| DNAT Policy | <policy name> | Delete | <username> | Successful | - | <IP address> | DNAT policy <policy name> was deleted successfully by user <username> |
| Schedule | <schedule name> | Insert | <username> | Successful | - | <IP address> | Schedule <schedule name> was inserted successfully by user <username> |
| Schedule | <schedule name> | Update | <username> | Successful | - | <IP address> | Schedule <schedule name> was updated successfully by user <username> |
| Schedule | <schedule name> | Delete | <username> | Successful | - | <IP address> | Schedule <schedule name> was deleted successfully by user <username> |
| Schedule Detail | <schedule name> | Insert | <username> | Successful | - | <IP address> | Schedule details to Schedule <schedule name> was inserted successfully by user <username> |
| Local ACLs | Local ACLs | Update | <username> | Successful | - | <IP address> | Local ACL was updated successfully by user <username> |
| DoS Bypass | DoS Bypass | Delete | <username> | Successful | - | <IP address> | DoS Bypass rule deleted successfully by <username> |
| DoS Bypass | DoS Bypass | Insert | <username> | Successful | - | <IP address> | DoS Bypass rule inserted successfully by user <username> |
| DoS Settings | DoS Settings | Update | <username> | Successful | - | <IP address> | DoS settings updated successfully by user <username> |
| Online Registration | | Register | <username> | Successful | - | <IP address> | User <username> successfully registered Appliance/Subscription module(s) through Online Registration |
| Upload Version | | Upload Version | <username> | Successful | - | <IP address> | User <username> successfully uploaded the version |
| Date | | Update | <username> | Successful | System time changed from 2006-06-19 23:15:50 IST to 2006-07-19 23:15:03 IST | <IP address> | Request to update the Date from Console by User <username> was successful |
Apart from the tabular format, Cyberoam allows you to view the log details in:
Printable format: Click to open a new window and display the report in a printer-friendly
format. The report can be printed from File -> Print.
Export as CSV (Comma Separated Value): Click to export and save the report in CSV
format. The report can be opened in MS Excel and all the Excel functionalities can be used
to analyze the data.
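One way to triage an exported audit log, as an added example that is not part of the Cyberoam guide: it counts failed logins per source, notes sources that later log in successfully, and lists successful changes to security-relevant entities. The CSV column names mirror the audit table's columns; the header row, the chronological row order and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names follow the audit log table; the header
# row and chronological ordering of the CSV export are assumptions.
SAMPLE_EXPORT = """\
Entity,Entity Name,Action,Action By,Action Status,Message,IP Address
Management GUI,,Login,administrator,Failed,User not found,192.0.2.10
Management GUI,,Login,root,Failed,User not found,192.0.2.10
SSh,,authentication,root,Failed,Login Attempt failed from 198.51.100.7 by user root,198.51.100.7
Management GUI,,Login,admin1,Failed,User not found,192.0.2.10
Management GUI,,Login,admin,Successful,-,192.0.2.10
Local ACLs,Local ACLs,Update,admin,Successful,-,192.0.2.10
DoS Bypass,DoS Bypass,Insert,admin,Successful,-,192.0.2.10
console,,authentication,admin,Successful,Login Successful,tty1
Firewall Rule,7,Create,operator,Successful,-,192.0.2.44
"""

# Entities from the audit table that represent a logon path.
LOGIN_ENTITIES = {"report gui", "management gui", "ssh", "telnet", "console"}
# Entities whose modification reshapes the appliance's own defences or evidence.
SENSITIVE_ENTITIES = {"local acls", "dos bypass", "dos settings", "firewall rule",
                      "nat policy", "dnat policy", "date", "upload version"}


def load_events(text):
    """Parse the CSV export into dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def review(events, threshold=3):
    """Return (brute_force, suspect, changes) for a chronological event list.

    brute_force: {source: failed login count} for sources at or above threshold
    suspect:     sources that logged in successfully after reaching threshold
    changes:     (entity, action, user, source, from_suspect) for every
                 successful change to a sensitive entity
    """
    failures = defaultdict(int)
    suspect = []
    changes = []
    for ev in events:
        src = ev["IP Address"]          # may be a tty name for console logins
        status = ev["Action Status"].lower()
        entity = ev["Entity"].lower()
        if entity in LOGIN_ENTITIES:
            if status == "failed":
                failures[src] += 1
            elif status == "successful" and failures[src] >= threshold:
                if src not in suspect:
                    suspect.append(src)
        elif entity in SENSITIVE_ENTITIES and status == "successful":
            changes.append((ev["Entity"], ev["Action"], ev["Action By"],
                            src, src in suspect))
    brute_force = {s: n for s, n in failures.items() if n >= threshold}
    return brute_force, suspect, changes


if __name__ == "__main__":
    brute, suspect, changes = review(load_events(SAMPLE_EXPORT))
    print("Failed-login sources:", brute)
    print("Logged in after repeated failures:", suspect)
    for entity, action, user, src, flagged in changes:
        marker = "REVIEW" if flagged else "ok"
        print(f"{marker:6} {entity} {action} by {user} from {src}")
```
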
Appendix B Logs
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network misuse and abuse.
By default, only the firewall rule logging will be ON i.e. only traffic allowed/denied by the firewall will be
logged. Refer to Cyberoam Console Guide on how to enable/disable logging.
Log ID structure
Log Type
Log Component
01 Firewall Rule
02 Invalid Traffic
03 Local ACLs
04 DoS Attack
05 ICMP Redirection
06 Source Routed
07 Anomaly
08 Signatures
09 HTTP
10 FTP
11 SMTP
12 POP3
13 IMAP4
14 Fragmented Traffic
15 Invalid Fragmented Traffic
16 HA
Log Subtype
Message ID
Each event has a unique message ID, which is included as part of the log ID.
Firewall Log
Cyberoam logs all packets, dropped or allowed, by the firewall rule.
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| 4 | device_name | string | Model Number of the Cyberoam Appliance |
| 5 | device_id | string | Unique Identifier of the Cyberoam Appliance |
| 6 | deployment_mode | string | Mode in which Cyberoam is deployed |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| 35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
| 39 | connection_event | | Event on which this log is generated |
| 40 | connection id | integer | Unique identifier of connection |
| 41 | virtual connection id | integer | Connection ID of the master connection |
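An added example (not from the Cyberoam guide) of how a syslog collector might decode the facility and severity from the PRI value and treat both documented "not translated" markers ("" and "N/A") as the same thing. The key=value payload layout and the sample datagrams are assumptions constructed for illustration; only the field names come from the table above.

```python
import re

# Severity names in numeric order, as defined by the syslog protocol.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# Constructed datagrams. The <PRI> prefix is standard syslog; the key=value
# payload is an assumed layout using field names from the field table.
SAMPLE_BRIDGE = (
    b'<134>date=2009-01-12 time=10:15:02 timezone="IST" '
    b'device_name="EXAMPLE-MODEL" device_id="EXAMPLE-ID" deployment_mode="Bridge" '
    b'translated_source_port="" translated_destination_ip="" '
    b'translated_destination_port="N/A" sourcezonetype="LAN" '
    b'destinationzonetype="WAN" direction_disposition="org"'
)
SAMPLE_ROUTE = (
    b'<132>date=2009-01-12 time=10:15:07 timezone="IST" deployment_mode="Route" '
    b'translated_source_port=40122 translated_destination_ip="203.0.113.5" '
    b'translated_destination_port=8080 sourcezonetype="LAN" '
    b'destinationzonetype="WAN" direction_disposition="reply"'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# The field table documents two different markers for "no translation done".
NOT_TRANSLATED = {"", "N/A"}


def normalise_translated(key, value):
    """Map both 'not translated' markers to None; validate translated ports."""
    if value in NOT_TRANSLATED:
        return None
    if key.endswith("_port"):
        port = int(value)               # raises ValueError on non-numeric junk
        if not 0 < port < 65536:
            raise ValueError(f"{key}: port out of range: {port}")
        return port
    return value


def parse_datagram(data):
    """Decode one syslog datagram into facility, severity and a field dict."""
    text = data.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI")
    # PRI = facility * 8 + severity
    facility, severity = divmod(int(m.group(1)), 8)
    fields = {}
    for kv in KV_RE.finditer(text, m.end()):
        key = kv.group(1)
        value = kv.group(2) if kv.group(2) is not None else kv.group(3)
        if key.startswith("translated_"):
            value = normalise_translated(key, value)
        fields[key] = value
    return {"facility": facility, "severity": SEVERITIES[severity], "fields": fields}


def nat_applied(fields):
    """True when any translated_* field carries a real value."""
    return any(v is not None for k, v in fields.items() if k.startswith("translated_"))


if __name__ == "__main__":
    for sample in (SAMPLE_BRIDGE, SAMPLE_ROUTE):
        rec = parse_datagram(sample)
        print(rec["facility"], rec["severity"], nat_applied(rec["fields"]))
```
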
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| 4 | device_name | string | Model Number of the Cyberoam Appliance |
| 5 | device_id | string | Unique Identifier of the Cyberoam Appliance |
| 6 | deployment_mode | string | Mode in which Cyberoam is deployed |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| 35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
| 39 | connection_event | | Event on which this log is generated |
| 40 | connection id | integer | Unique identifier of connection |
| 41 | virtual connection id | integer | Connection ID of the master connection |
Local ACL
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| 4 | device_name | string | Model Number of the Cyberoam Appliance |
| 5 | device_id | string | Unique Identifier of the Cyberoam Appliance |
| 6 | deployment_mode | string | Mode in which Cyberoam is deployed |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| | | | Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
| 39 | connection_event | | Event on which this log is generated |
| 40 | connection id | integer | Unique identifier of connection |
| 41 | virtual connection id | integer | Connection ID of the master connection |
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| 35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
| 39 | connection_event | | Event on which this log is generated |
| 40 | connection id | integer | Unique identifier of connection |
| 41 | virtual connection id | integer | Connection ID of the master connection |
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| 4 | device_name | string | Model Number of the Cyberoam Appliance |
| 5 | device_id | string | Unique Identifier of the Cyberoam Appliance |
| 6 | deployment_mode | string | Mode in which Cyberoam is deployed |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| 35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
| 39 | connection_event | | Event on which this log is generated |
| 40 | connection id | integer | Unique identifier of connection |
| 41 | virtual connection id | integer | Connection ID of the master connection |
| Sr. No. | Data Fields | Type | Description |
|---|---|---|---|
| 1 | date | date | Date (yyyy-mm-dd) when the event occurred. For the dropped traffic - the date when the packet was dropped by Cyberoam |
| 2 | time | time | Time (hh:mm:ss) when the event occurred. For the allowed traffic - the time when the connection was started on Cyberoam. For the dropped traffic - the time when the packet was dropped by Cyberoam |
| 3 | timezone | | Time zone set on Cyberoam appliance e.g. IST |
| 4 | device_name | string | Model Number of the Cyberoam Appliance |
| 5 | device_id | string | Unique Identifier of the Cyberoam Appliance |
| 6 | deployment_mode | string | Mode in which Cyberoam is deployed |
| | | | Possible values: "" - When Cyberoam is deployed in Bridge mode or source IP address translation is not done; IP Address - IP Address with which the original source IP address is translated |
| 33 | translated_source_port | integer | Translated source port for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or source port translation is not done; Port - Port with which the original port is translated |
| 34 | translated_destination_ip | integer | Translated Destination IP address for outgoing traffic. It is applicable only in route mode. Possible values: "" - When Cyberoam is deployed in Bridge mode or destination IP address translation is not done; IP Address - IP Address with which the original destination IP address is translated |
| 35 | translated_destination_port | integer | Translated Destination port for outgoing traffic. It is applicable only in route mode. Possible values: "N/A" - When Cyberoam is deployed in Bridge mode or destination port translation is not done; Port - Port with which the original port is translated |
| 36 | sourcezonetype | string | Type of source zone e.g. LAN |
| 37 | destinationzonetype | string | Type of destination zone e.g. WAN |
| 38 | direction_disposition | string | Packet direction. Possible values: org, reply, |
SR.
DATA FIELDS TYPE DESCRIPTION
No.
1 date date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
260
Cyberoam User Guide
Possible values:
"" When Cyberoam is deployed in Bridge mode or source
IP address translation is not done
IP Address IP Address with which the original source IP
address is translated
33 translated_source_port integer Translated source port for outgoing traffic. It is applicable
only in route mode.
Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.
Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.
Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction
Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
Possible values:
Possible values:
"" When Cyberoam is deployed in Bridge mode or source
port translation is not done
Port Port with which the original port is translated
34 translated_destination_ip integer Translated Destination IP address for outgoing traffic. It is
applicable only in route mode.
Possible values:
"" When Cyberoam is deployed in Bridge mode or
destination IP address translation is not done
IP Address IP Address with which the original destination
IP address is translated
35 translated_destination_port integer Translated Destination port for outgoing traffic. It is
applicable only in route mode.
Possible values:
"N/A" When Cyberoam is deployed in Bridge mode or
destination port translation is not done
Port Port with which the original port is translated
36 sourcezonetype string Type of source zone e.g. LAN
37 destinationzonetype string Type of destination zone e.g. WAN
38 direction_disposition string Packet direction
Possible values:
org, reply,
39 connection_event Event on which this log is generated
40 connection id integer Unique identifier of connection
41 virtual connection id integer Connection ID of the master connection
IPS logs
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date Date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time Time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name String Model Number of the Cyberoam Appliance
5 device_id String Unique Identifier of the Cyberoam Appliance
6 deployment_mode String Mode in which Cyberoam is deployed
quarantine=/var/quarantine/0x10001f9f.47412e69 src_domainname=core.com
dst_domainname=cnen.com src_ip=192.168.15.40 dst_ip=66.249.89.18 protocol=TCP
src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45
Virus infected mail detected in POP3 traffic
date=2007-11-17 time=08:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031206211001
log_type=Anti Virus log_component=POP3 log_subtype=Virus status=Denied
priority=Critical fw_rule_id= user_name= AV_Policy_name=AV common Policy
from_email_address=pooch@core.com to_email_address=sean@cnen.com
subject=Important mailid=001a01c82a19$a9dde620$061c568c@xxx mailsize=420k
virus=redvirus filename=resume.doc virus_status=Infected
virus_action=Quarantined quarantine=/var/quarantine/0x10001f9f.47412e69
src_domainname=core.com dst_domainname=cnen.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45

Virus infected mail detected in IMAP4 traffic
date=2007-11-17 time=08:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=031306212001
log_type=Anti Virus log_component=IMAP4 log_subtype=Virus status=Denied
priority=Critical fw_rule_id= user_name= AV_Policy_name=AV common Policy
from_email_address=pooch@core.com to_email_address=sean@cnen.com
subject=Important mailid=001a01c82a19$a9dde620$061c568c@xxx mailsize=420k
virus=redvirus filename=resume.doc virus_status=Infected
virus_action=Quarantined quarantine=/var/quarantine/0x10001f9f.47412e69
src_domainname=core.com dst_domainname=cnen.com src_ip=192.168.15.40
dst_ip=66.249.89.18 protocol=TCP src_port=2458 dst_port=80 sent_bytes=162
recv_bytes=45
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
etc.
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45
Mail detected as SPAM in SMTP traffic and dropped
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413004
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Denied priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Drop reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but accepted
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413005
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but mail is forwarded after changing the original recipient address
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413006
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
changed_to_email_address=niis@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Change Recipient reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in SMTP traffic but forwarded after tagging the original subject i.e. adding prefix to the subject
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041107413007
log_type=Anti Spam log_component=SMTP log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
email_subject=Promotional Scheme subject_prefix=spam: mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Prefix Subject reason=Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as a PROBABLE SPAM in SMTP traffic and
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041108413002
log_type=Anti Spam log_component=SMTP log_subtype=Probable
mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Prefix
Subject reason=Cyberoam Anti Spam identifies mail as Probable Spam
src_domainname=core.com dst_domainname=elitecore.com
src_ip=192.168.15.40 dst_ip=203.88.136.154 protocol=TCP src_port=2458
dst_port=21 sent_bytes=162 recv_bytes=45
Mail detected as PROBABLE SPAM in POP3 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041209614003
log_type=Anti Spam log_component=POP3 log_subtype=Clean
status=Allowed priority=Information fw_rule_id= user_name=
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tde620$061c568c@xxx
spamaction= reason= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in IMAP4 traffic but accepted
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployement_mode=Route log_id=041307415001
log_type=Anti Spam log_component=IMAP4 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason= Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as PROBABLE SPAM in IMAP4 traffic but accepted
date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i
device_id=C010600411 deployment_mode=Route log_id=041307415001
log_type=Anti Spam log_component=IMAP4 log_subtype=Spam
status=Allowed priority=Warning fw_rule_id= user_name=
Spam_Policy_Name=Department Spam Policy
from_email_address=pooch@core.com
to_email_address=hans@elitecore.com
email_subject=Promotional Scheme mailsize=550k
mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=Accept reason= Cyberoam Anti Spam identifies mail as Spam
quarantine= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Clean mail in IMAP4 traffic
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 log_id=041308515002 log_type=Anti Spam
log_component=IMAP4 log_subtype=Probable Spam status=accept
priority=Warning fw_rule_id=85 user_name=rach
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tte620$061c568c@xxx
spamaction=prefix subject reason=Cyberoam Anti Spam identifies mail as Probable Spam
src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45

Mail detected as SPAM in IMAP4 traffic but forwarded after tagging the original subject i.e. adding prefix to the subject
date=2007-11-17 time=10:55:06 timezone=IST device_name=CR500i
device_id=C010600411 log_id=041309715003 log_type=Anti Spam
log_component=IMAP4 log_subtype=Clean status=Accept
priority=Information fw_rule_id=85 user_name=rach
Spam_Policy_Name=Custom Spam Policy
from_email_address=pooch@core.com
to_email_address=maan@elitecore.com email_subject=Photos
mailsize=550k mailid=001a01c82a19$a9tde620$061c568c@xxx
spamaction= reason= src_domainname=core.com
dst_domainname=elitecore.com src_ip=192.168.15.40
dst_ip=203.88.136.154 protocol=TCP src_port=2458 dst_port=21
sent_bytes=162 recv_bytes=45
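
The sample records above use unquoted key=value pairs whose values may be empty (fw_rule_id=) or contain spaces (log_type=Anti Spam), so splitting a record on whitespace misparses it. The Python parser below is an added example, not part of the Cyberoam guide or product; the names parse_record and spam_delivered are assumptions, and the embedded record is the guide's own "changed recipient" sample rejoined onto one line.

```python
import re

# A field starts with a bare word followed by '=' at the start of the record
# or right after whitespace. Values are unquoted: they may be empty
# ("fw_rule_id=") or contain spaces ("log_type=Anti Spam").
_KEY = re.compile(r"(?<!\S)([A-Za-z_]\w*)=")

# Spelling variant that appears in one of the guide's sample records.
_ALIASES = {"deployement_mode": "deployment_mode"}

# The guide's "changed recipient" SMTP sample, rejoined onto a single line.
SAMPLE = (
    "date=2007-11-17 time=08:15:46 timezone=IST device_name=CR500i "
    "device_id=C010600411 deployment_mode=Route log_id=041107413006 "
    "log_type=Anti Spam log_component=SMTP log_subtype=Spam "
    "status=Allowed priority=Warning fw_rule_id= user_name= "
    "Spam_Policy_Name=Department Spam Policy "
    "from_email_address=pooch@core.com to_email_address=hans@elitecore.com "
    "changed_to_email_address=niis@elitecore.com "
    "email_subject=Promotional Scheme mailsize=550k "
    "mailid=001a01c82a19$a9tte620$061c568c@xxx spamaction=Change Recipient "
    "reason=Cyberoam Anti Spam identifies mail as Spam quarantine= "
    "src_domainname=core.com dst_domainname=elitecore.com "
    "src_ip=192.168.15.40 dst_ip=203.88.136.154 protocol=TCP "
    "src_port=2458 dst_port=21 sent_bytes=162 recv_bytes=45"
)


def parse_record(line):
    """Return (fields, repeated_keys) for one key=value record.

    Keys are lower-cased because the samples mix cases (Spam_Policy_Name,
    AV_Policy_name). Values are unquoted, so free text that contains
    "word=" is indistinguishable from a new field: the first value of a
    key is kept and any repeat is reported to the caller.
    """
    fields, repeated = {}, []
    matches = list(_KEY.finditer(line))
    for i, m in enumerate(matches):
        # The value runs from after '=' up to the start of the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        key = m.group(1).lower()
        key = _ALIASES.get(key, key)
        value = line[m.end():end].strip()
        if key in fields:
            repeated.append(key)
        else:
            fields[key] = value
    return fields, repeated


def spam_delivered(fields):
    """True when mail classified as spam was still let through.

    The samples spell the permitting status three ways (Allowed, accept,
    Accept), so the comparison is case-insensitive.
    """
    return (
        fields.get("log_type") == "Anti Spam"
        and fields.get("log_subtype") in {"Spam", "Probable Spam"}
        and fields.get("status", "").lower() in {"allowed", "accept"}
    )


if __name__ == "__main__":
    parsed, repeats = parse_record(SAMPLE)
    print(parsed["spamaction"], "|", parsed["reason"], "|", spam_delivered(parsed))
    print("repeated keys:", repeats)
```
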
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
the traffic
16 from_email_address string Sender email address
17 to_email_address string Recipient email address
18 smail_subject string Email subject
19 Mailsize string Email size
20 Mailid string Email id
24 spam_action string Action performed on the message
Possible values:
Reject
Drop
Accept
Change Recipient
Prefix subject
25 Reason string Reason why the mail was detected as Spam
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
For the dropped traffic - the date when the packet was
dropped by Cyberoam
2 time time Time (hh:mm:ss) when the event occurred
For the allowed traffic - the time when the connection was
started on Cyberoam
For the dropped traffic - the time when the packet was
dropped by Cyberoam
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
HA Log
SR. No. DATA FIELDS TYPE DESCRIPTION
1 date date Date (yyyy-mm-dd) when the event occurred
2 time time Time (hh:mm:ss) when the event occurred
3 timezone Time zone set on Cyberoam appliance e.g. IST
4 device_name string Model Number of the Cyberoam Appliance
5 device_id string Unique Identifier of the Cyberoam Appliance
6 deployment_mode string Mode in which Cyberoam is deployed
beliefs or action
MobileEntertainment Non Working This category includes URLs that provide software or utilities for
mobile phones that can be downloaded from Websites and delivered to
mobile phones
Music Non Working Sites providing songs and music and supporting downloads of MP3 or
other sound files or that serve as directories of such sites
NatureAndWildLife Non Working Sites providing information about Nature, explorations, discoveries,
wild life, animals, birds, protecting endangered species, habitats,
Animal sanctuaries, etc.
NewsAndMedia Neutral Sites offering current news and opinions, including those sponsored
by newspapers, general-circulation magazines or other media. It also
includes sites of advertising agencies and sites providing details of
weather forecast
None Neutral Uncategorized Traffic
NonGovernmentOrganizations Neutral This category includes URLs with content from nongovernmental
organizations such as clubs, lobbies, communities, nonprofit
organizations, labor unions, and advocacy groups.
Nudity UnHealthy Sites depicting nude or seminude human forms, singly or in groups,
not overtly sexual in intent or effect. It includes Nude images of film
stars, models, nude art and photography
ParkedDomain Neutral This category includes sites that once served content, but their
domains have been sold and are no longer registered. Parked
domains do not host their own unique content, but usually redirect
users to a generic page that states the domain name is for sale or
redirect users to a generic search engine and portal page, some of
which provide valid search engine results.
PersonalStorage Neutral Websites that permit users to utilize Internet servers to store personal
files or for sharing, such as with photos.
PersonalAndBiographySites Non Working Includes personal sites of individuals and biographical sites of ordinary
or famous personalities
PhishingAndFraud UnHealthy Sites gathering personal information (such as name, address, credit
card number, school, or personal schedules) that may be used for
malicious intent
PhotoGallaries Non Working Sites providing photos of celebrities, models, and well-known
personalities. Such sites may also contain profiles or additional
elements as long as the primary focus is on multi-celebrity
photographs
Plagiarism UnHealthy Websites that provide, distribute or sell school essays, projects, or
diplomas.
PoliticalOrganizations Neutral Sites sponsored by or providing information about political parties and
interest groups focused on elections or legislation
Porn UnHealthy Sites depicting or graphically describing sexual acts or activity,
including exhibitionism and sites offering direct links to such sites.
Sites providing information or catering Gay, Lesbian, or Bisexual
images and lifestyles are also included in this category
Portals Non Working Portals include web sites or online services providing a broad array of
resources and services such as search engines, free email, shopping,
news, and other features
PropertyAndRealEstate Neutral Sites providing information about renting, buying, selling, or financing
residential, real estate, plots, etc.
Science Productive Sites providing news, research projects, ideas, information of topics
pertaining to physics, chemistry, biology, cosmology, archeology,
geography, and astronomy
SearchEngines Neutral Sites supporting searching the Web, groups, or indices or directories
thereof
SexHealthAndEducation Neutral Sites providing information regarding Sexual Education and Sexual
Health and sites providing Medicines to cure and overcome Sex
related problems and difficulties, with no pornographic intent
SharesAndStockMarket Non Working Sites providing charting, market commentary, forums, prices, and
discussion of Shares and Stock Market. It also includes sites dealing
in online share trading and sites of stockbrokers
Shopping Non Working Sites supporting Online purchases of consumer goods and services
except: sexual materials, lingerie, swimwear, investments,
medications, educational materials, computer software or hardware.
Also Sites of Showrooms, Stores providing shopping of consumer
products
Spirituality Non Working Sites featuring articles on healing solutions in wellness, personal
growth, relationship, workplace, prayer, articles on God, Society,
Religion, and ethics
SPAMURL UnHealthy This category includes URLs that arrive in unsolicited Spam emails.
Appendix D Services
Service Name Details
All Services All Services
Cyberoam UDP (1024:65535) / (6060)
AH IP Protocol No 51 (IPv6-Auth)
AOL TCP (1:65535) / (5190:5194)
BGP TCP (1:65535) / (179)
DHCP UDP (1:65535) / (67:68)
DNS TCP (1:65535) / (53), UDP (1:65535) / (53)
ESP IP Protocol No 50 (IPv6-Crypt)
FINGER TCP (1:65535) / (79)
FTP TCP (1:65535) / (21)
FTP_GET TCP (1:65535) / (21)
FTP_PUT TCP (1:65535) / (21)
GOPHER TCP (1:65535) / (70)
GRE IP Protocol No 47
H323 TCP (1:65535) / (1720), TCP (1:65535) / (1503), UDP (1:65535) / (1719)
HTTP TCP (1:65535) / (80)
HTTPS TCP (1:65535) / (443)
ICMP_ANY ICMP any / any
IKE UDP (1:65535) / (500), UDP (1:65535) / (4500)
IMAP TCP (1:65535) / (143)
INFO_ADDRESS ICMP 17 / any
INFO_REQUEST ICMP 15 / any
IRC TCP (1:65535) / (6660:6669)
Internet-Locator-Service TCP (1:65535) / (389)
L2TP TCP (1:65535) / (1701), UDP (1:65535) / (1701)
LDAP TCP (1:65535) / (389)
NFS TCP (1:65535) / (111), TCP (1:65535) / (2049), UDP (1:65535) / (111), UDP (1:65535) / (2049)
NNTP TCP (1:65535) / (119)
NTP TCP (1:65535) / (123), UDP (1:65535) / (123)
NetMeeting TCP (1:65535) / (1720)
OSPF IP Protocol No 89 (OSPFIGP)
PC-Anywhere TCP (1:65535) / (5631), UDP (1:65535) / (5632)
PING ICMP 8 / any
POP3 TCP (1:65535) / (110)
PPTP IP Protocol No 47, TCP (1:65535) / (1723)
QUAKE UDP (1:65535) / (26000), UDP (1:65535) / (27000), UDP (1:65535) / (27910), UDP (1:65535) / (27960)
RAUDIO UDP (1:65535) / (7070)
RIP UDP (1:65535) / (520)
RLOGIN TCP (1:65535) / (513)
SAMBA TCP (1:65535) / (139)
SIP UDP (1:65535) / (5060)
SIP-MSNmessenger TCP (1:65535) / (1863)
SMTP TCP (1:65535) / (25)
SNMP TCP (1:65535) / (161:162), UDP (1:65535) / (161:162)
SSH TCP (1:65535) / (22), UDP (1:65535) / (22)
SYSLOG UDP (1:65535) / (514)
TALK TCP (1:65535) / (517:518)
TCP TCP (1:65535) / (1:65535)
TELNET TCP (1:65535) / (23)
TFTP UDP (1:65535) / (69)
TIMESTAMP ICMP 13 / any
UDP UDP (1:65535) / (1:65535)
UUCP TCP (1:65535) / (540)
ICMP (Internet Control Message Protocol) A message control and error-reporting protocol
Change Log