Certified Network
& Security
Professional
(CCNSP)
Module 3
Firewall
training.cyberoam.com
When the Cyberoam appliance is powered up for the first time, it has the
default access configuration specified below:
Admin Services
HTTPS (TCP port 443) and SSH (TCP port 22) services are open for
administrative functions from the LAN zone.
Authentication Services
Cyberoam (UDP port 6060) and Captive Portal (TCP port 8090) are open for
User Authentication Services from the LAN zone.
User Authentication services are used by the Layer-8 engine to authenticate
and authorize users so that Layer-8 controls can be applied.
Zone diagram (figure): LAN Zone, WAN Zone, DMZ Zone, Local Zone, VPN.
For example: different policies for the WiFi zone, LAN zone, etc. This is
achieved from the firewall rule page, which is discussed later in this module.
Insert Rule - Click to insert a new rule before the existing rule.
There are no IPv6 rules by default; the user needs to create IPv6 rules as
required by the network.
An FQDN (Fully Qualified Domain Name) host can be added to the Cyberoam
appliance. Adding such a host makes it possible to create a firewall rule for a
particular FQDN.
Cyberoam allows adding a country-based host to filter traffic at the country level.
Cyberoam has a predefined NAT policy called MASQ, which NATs outgoing
traffic to the IP address of the outgoing port.
Use a NAT policy when you want to map specific outbound traffic to a specific
IP or IP range.
Cyberoam allows creating a NAT policy, which can be bound to a firewall rule.
Example: A web server is configured in the LAN zone with IP 1.1.1.1; users on
the Internet access www.abc.com, which resolves to 10.103.4.213.
The default LAN to WAN (Any Host to Any Host) firewall rule allows traffic to
flow between the virtual host and the network.
Round Robin
Requests are served in sequential order: the first request goes to the first
server, the next to the next server, and so on.
No other parameter is considered.
First Alive
All requests are served by the first internal server.
A request goes to the next server only if the previous one is dead, and so on.
Random
Requests are served in random order, or rather by a uniform random method in
which all requests are distributed evenly.
Sticky IP
Maps a single source IP to a destination server. Any request from the same
source IP will always go to the same server.
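The four selection methods above, as an added example that is not part of the course material or Cyberoam's own code: a small server pool with a constructed "alive" flag standing in for the health check, and one function per method. Round Robin deliberately ignores the health flag, exactly as the slide describes; Sticky IP binds a source address to a server with a stable hash so the binding survives restarts. The server and client addresses are constructed sample values.

```python
"""Added example, not Cyberoam's code: the four virtual-host load-balancing
methods as plain selection functions over a constructed server pool."""
import itertools
import random
import zlib
from dataclasses import dataclass


@dataclass
class Server:
    ip: str
    alive: bool = True  # constructed health state, not a real probe result


class Balancer:
    """Selects one internal server per request using one of the four methods."""

    def __init__(self, servers, seed=0):
        self.servers = list(servers)
        self._rr = itertools.cycle(self.servers)
        self._sticky = {}                 # source IP -> Server
        self._rng = random.Random(seed)   # seeded so runs are reproducible

    def round_robin(self):
        # Sequential order, one server after another; no other parameter
        # (not even the health flag) is considered.
        return next(self._rr)

    def first_alive(self):
        # Everything goes to the first server; the next one is used only when
        # every server before it is dead.
        for s in self.servers:
            if s.alive:
                return s
        return None  # the whole pool is dead

    def random_pick(self):
        # Uniform random choice, so requests spread evenly over time.
        return self._rng.choice(self.servers)

    def sticky_ip(self, source_ip):
        # A source IP is bound to one server on first sight and keeps it.
        if source_ip not in self._sticky:
            idx = zlib.crc32(source_ip.encode()) % len(self.servers)
            self._sticky[source_ip] = self.servers[idx]
        return self._sticky[source_ip]


def demo():
    # Constructed pool of three internal servers behind one virtual host.
    pool = [Server("192.168.1.10"), Server("192.168.1.11"), Server("192.168.1.12")]
    lb = Balancer(pool)
    rr_order = [lb.round_robin().ip for _ in range(4)]
    pool[0].alive = False
    first_alive = lb.first_alive().ip
    sticky = (lb.sticky_ip("203.0.113.5").ip, lb.sticky_ip("203.0.113.5").ip)
    return rr_order, first_alive, sticky


if __name__ == "__main__":
    print(demo())
```

Note that only First Alive reacts to a dead server here; with Round Robin, Random or Sticky IP a failed server keeps receiving its share of requests unless the pool itself is updated, which is why the health check matters for those methods.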
Create firewall rules to allow external hosts (from the Internet) to access a
virtual host that maps to internal servers.
You must add the virtual host to a firewall policy to actually implement the
mapping configured in the virtual host, i.e., create a firewall rule that allows
or denies inbound traffic to the virtual host.
A loopback firewall rule is created for the service specified in the virtual host.
If port forwarding is not enabled in the virtual host, a firewall rule with All
Services is created.
Loopback rules allow internal users to access internal resources using their
public (external) IP or FQDN.
In general, when traffic is initiated from the DMZ to the WAN, a reflexive rule
is needed.
For example, in the case of an email server, the private IP of the email server
is mapped to a public IP on the Internet. When an email is received (inbound),
the virtual host rule for inbound traffic applies, but when an email is sent
(outbound) a reflexive rule is required.
By default, Cyberoam prompts for this rule while creating the virtual host.
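The three rule types that surround a virtual host (the inbound rule from the www.abc.com example earlier, the loopback rule, and the reflexive rule described here), as an added example that is not Cyberoam's code: each rule is a function that either rewrites a packet's address or returns None when no rule matches. The addresses 1.1.1.1 (internal web server) and 10.103.4.213 (public IP of www.abc.com) are the page's own example values; the WAN port IP 198.51.100.1 and the client addresses are constructed, and the zone names are the ones used on this page.

```python
"""Added example, not Cyberoam's code: inbound, loopback and reflexive rules
around a virtual host, modelled as address-rewriting functions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str    # public IP the Internet connects to
    mapped_ip: str      # private IP of the real server
    # None means port forwarding is not enabled, so the rule covers All Services
    forwarded_ports: Optional[FrozenSet[int]] = None


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _service_allowed(vh: VirtualHost, port: int) -> bool:
    return vh.forwarded_ports is None or port in vh.forwarded_ports


def inbound_rule(vh: VirtualHost, pkt: Packet) -> Optional[Packet]:
    """WAN -> virtual host: DNAT the public IP to the internal server."""
    if pkt.src_zone != "WAN" or pkt.dst_ip != vh.external_ip:
        return None
    if not _service_allowed(vh, pkt.dst_port):
        return None  # service not published: no rule matches, traffic is dropped
    return Packet(pkt.src_zone, pkt.src_ip, vh.mapped_ip, pkt.dst_port)


def loopback_rule(vh: VirtualHost, pkt: Packet) -> Optional[Packet]:
    """LAN/DMZ -> public IP of the virtual host: internal users reach the
    internal server through its external IP (or the FQDN resolving to it)."""
    if pkt.src_zone not in ("LAN", "DMZ") or pkt.dst_ip != vh.external_ip:
        return None
    if not _service_allowed(vh, pkt.dst_port):
        return None
    return Packet(pkt.src_zone, pkt.src_ip, vh.mapped_ip, pkt.dst_port)


def outbound_rule(vh: VirtualHost, pkt: Packet, wan_port_ip: str,
                  reflexive: bool) -> Optional[Packet]:
    """Server -> WAN. With a reflexive rule the server's traffic leaves from the
    virtual host's public IP; without one the MASQ policy applies and the source
    becomes the outgoing WAN port's own IP, so a mail server would send from an
    address that does not match the one it is published on."""
    if pkt.src_zone not in ("LAN", "DMZ"):
        return None
    if reflexive and pkt.src_ip == vh.mapped_ip:
        new_src = vh.external_ip
    else:
        new_src = wan_port_ip  # MASQ: outgoing port's IP address
    return Packet("WAN", new_src, pkt.dst_ip, pkt.dst_port)


if __name__ == "__main__":
    web = VirtualHost("www.abc.com", "10.103.4.213", "1.1.1.1", frozenset({80, 443}))
    print(inbound_rule(web, Packet("WAN", "203.0.113.9", "10.103.4.213", 80)))
    print(outbound_rule(web, Packet("LAN", "1.1.1.1", "203.0.113.9", 25),
                        "198.51.100.1", reflexive=False))
```

Running the last two lines shows the point of the reflexive rule: the inbound packet is delivered to 1.1.1.1, but without a reflexive rule the server's own outbound traffic is masqueraded behind 198.51.100.1 rather than 10.103.4.213.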
Example: A web server is published over two WAN links, Port B (10.206.1.12)
and Port C (10.10.1.2).
Create a DNS host entry for the server from Network > DNS > DNS Host Entry.
Upon failure of either WAN link (Port B or Port C), Cyberoam performs failover.
When both WAN links are functional, Cyberoam performs load balancing.
Use a static route when you want to route traffic destined for a specific
network/host via a different next hop instead of the default route.
A static route causes packets to be forwarded to a next hop other than the
configured default gateway.
Diagram (figure): VLAN ID 101 and VLAN ID 102.
Policy-based routing extends static routes and provides more flexible traffic
handling capabilities.
It offers granular control for forwarding packets based on a number of
user-defined variables such as:
Destination
Source
Application
A combination of all of the above
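How the default gateway, static routes and policy-based routes combine into one forwarding decision, as an added example that is not Cyberoam's code: static routes are matched on the destination with the most specific prefix winning, while a policy route matches on any combination of source, destination and application. The evaluation order used here (policy routes first, then static routes, then the default gateway) and all addresses and the "VoIP" application label are assumptions constructed for the example.

```python
"""Added example, not Cyberoam's code: a minimal next-hop decision combining a
default gateway, static routes (longest prefix match) and policy-based routes."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class PolicyRoute:
    next_hop: str
    source: Optional[ipaddress.IPv4Network] = None       # None = any source
    destination: Optional[ipaddress.IPv4Network] = None  # None = any destination
    application: Optional[str] = None                    # None = any application


def _net(prefix: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    return ipaddress.ip_network(prefix, strict=False) if prefix else None


class Router:
    def __init__(self, default_gateway: str):
        self.default_gateway = default_gateway
        self.static_routes = []
        self.policy_routes = []

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.static_routes.append(StaticRoute(_net(prefix), next_hop))

    def add_policy(self, next_hop: str, source: Optional[str] = None,
                   destination: Optional[str] = None,
                   application: Optional[str] = None) -> None:
        self.policy_routes.append(
            PolicyRoute(next_hop, _net(source), _net(destination), application))

    def next_hop(self, src_ip: str, dst_ip: str,
                 application: Optional[str] = None) -> Tuple[str, str]:
        """Return (next_hop, reason) for a packet; the order below is an
        assumption of this example, not a statement about the appliance."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)

        # 1. Policy-based routes: every criterion that is set must match;
        #    the first matching policy wins.
        for pr in self.policy_routes:
            if pr.source is not None and src not in pr.source:
                continue
            if pr.destination is not None and dst not in pr.destination:
                continue
            if pr.application is not None and application != pr.application:
                continue
            return pr.next_hop, "policy"

        # 2. Static routes: the most specific (longest) matching prefix wins.
        best = None
        for sr in self.static_routes:
            if dst in sr.prefix and (best is None or
                                     sr.prefix.prefixlen > best.prefix.prefixlen):
                best = sr
        if best is not None:
            return best.next_hop, "static"

        # 3. Otherwise the configured default gateway.
        return self.default_gateway, "default"


if __name__ == "__main__":
    r = Router("10.0.0.1")                        # constructed default gateway
    r.add_static("172.16.0.0/16", "10.0.0.2")
    r.add_static("172.16.5.0/24", "10.0.0.3")     # more specific, wins over /16
    r.add_policy("10.0.0.4", source="192.168.10.0/24", application="VoIP")
    print(r.next_hop("192.168.1.5", "172.16.5.7"))
    print(r.next_hop("192.168.10.7", "203.0.113.20", "VoIP"))
```

The example also illustrates the slide's "combination of all of the above": a policy route with both a source network and an application set fires only when both match, and a packet from the same source with a different application falls through to the static and default routes.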
Lab #11: Create a Virtual Host to publish an RDP server residing in the LAN
(using IPv4 and IPv6 addresses for the RDP server)