V 10.04.0 Build 214, 304, 311, 338


Release Dates
Version 10.04.0 Build 214 – 24th September, 2012
Version 10.04.0 Build 304 – 19th November, 2012
Version 10.04.0 Build 311 – 04th December, 2012
Version 10.04.0 Build 338 – 12th December, 2012
Release Information
Release Type: General Availability
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version:

V 10.01.0XXX or 10.01.X Build XXX | All the versions
V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX

Upgrade procedure
To upgrade the existing Cyberoam Appliance, follow the procedure below:

· Log on to https://customer.cyberoam.com

· Click the “Upgrade” link under Upgrade URL.

· Choose the option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 by selecting the option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting the option “10.01.0472 or higher” and follow the on-screen instructions.

 
 

Compatibility Annotations
Firmware is Appliance model-specific. Hence, firmware of one model is not applicable to another model and the upgrade will not be successful. For example, you will receive an error if you try to upgrade Appliance model CR100ia with firmware for model CR500ia.
 
This Cyberoam version release is compatible with the Cyberoam Central Console.
 
Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History

Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1. | 1.00 -24/09/2012 | 1.00 -19/11/2012 | Enhancement | Added enhancement “Access Denied Page Optimization”
2. | 1.00 -24/09/2012 | 1.00 -19/11/2012 | Bugs Solved | A bug (Bug ID – 11463) is added to Certificate.
3. | 1.00 -19/11/2012 | 1.00 -04/12/2012 | - | Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG.
4. | 1.00 -04/12/2012 | 1.00 -12/12/2012 | Features | Appliances not supporting Outbound Spam list now includes: CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i

  
 
Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.
 
This release comes with new features, a few enhancements and several bug fixes to improve quality, reliability and performance.
 
Features

1. Compatibility with CISCO™ VPN Client

From this version onwards, Cyberoam is compatible with Cisco IPSEC VPN client.

This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam.

To support this feature, a new page “CISCO™ VPN Client” is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.
 
 
Compatibility
1. At present, only the native Cisco IPSec clients present in Apple iOS (iPhone and iPad) and Windows are supported. The supported versions are listed below:

Apple iOS | Windows: Windows OS | Windows: Cisco Desktop Client
4.3 | Win XP - all service packs | V 4.1 and 4.8
5.0.1 | Win 7 | V 5.0 – Beta Version
5.1.1 | Windows Vista | V 5.0 – Beta Version

 Known Behavior

1. Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect.

2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving Cisco IPSec VPN Clients.

3. When any clients are already connected and the CISCO™ VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized.

CISCO VPN Client is available for download only to users that are authorized by the Administrator. 

IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN → Cisco™ VPN Client → CISCO™ VPN Client.


2. L2TP Over IPSec VPN Support for Android Devices
From this version onwards, Android device as a L2TP/IPSec Client will be supported by Cyberoam. 

User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication. 

No special configuration is required in Cyberoam Web Admin Console or CLI.

Android Compatible Version: 2.1 Eclair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb

Enable “Add L2TP/IPSec PSK VPN” option of Android device to configure VPN tunnel.
 
This feature has a backward compatibility support from version 10.01.0 Build 667 onwards. 
 
 
3. Outbound Spam

From this version onwards, Cyberoam will provide Outbound Spam filtering to identify internal Spam. This feature will help Internet Service Providers (ISPs) identify and block any user trying to send spam mails through their network.

Outbound Spam filtering is a subscription module.

Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.

This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.

To view logs, go to Logs & Reports → Logs Viewer and select option “Anti Spam” for parameter “View logs for”.
 
 
4. YouTube Education Filter

From this version onwards, Cyberoam will allow access to YouTube videos deemed as “educational” via a special portal “YouTube EDU” while being within a school network.

YouTube EDU consists of two sections, “YouTube.com/Teachers” and “YouTube for Schools”.

“YouTube.com/Teachers” educates teachers how to make optimum use of YouTube within the classroom. On the other hand, “YouTube for Schools” is a network setting, which redirects the video traffic, making it possible for schools that block YouTube to unblock and allow access to YouTube EDU (Youtube.com/education). The teachers and Administrators decide what videos must be made available to the students, making a safe and a controlled environment for students.

To allow educational videos via Cyberoam, school authority is required to get the school registered for "YouTube for School". On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.

E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
1. Field Name: X-YouTube-Edu-Filter
2. Field Value Format: Alphanumeric [a-z][A-Z][0-9]
3. Field Value Length: up to 44 characters

To allow YouTube EDU via Cyberoam, go to Web Filter → Policy → Policy and specify the unique ID in the textbox against parameter “YouTube Education Filter”.

As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked:
1. youtube.com
2. ytimg.com
 
To access https://www.youtube.com, HTTPS scanning must be enabled.
 
 
 5. 4G LTE Modem 
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:
1. Connection to 3G/4G networks

2. DHCP Modems

3. Modem plug-in and plug-out auto detection

4. Auto Connect type of behavior if the same modem is re-plugged in

Further, Cyberoam provides recommended values (auto detected) for modem configuration.

To configure a 4G modem, go to Network → Wireless WAN → Settings.
 
CLI Commands
1. Command: cyberoam wwan query serialport <serialport>  ATcommand <AT command> 
To view the Wi-Fi modem information (if plugged - in)
E.G. cyberoam wwan query serialport 0 ATcommand ati
 
2. Command: cyberoam wwan show
To view the Wi-Fi modem information and the recommended configuration (if plugged - in)  
 
 
Enhancements

1. DHCP Server Optimization 

Support for Diverse Topologies

Cyberoam now adds the capability of configuring DHCP for downstream networks that are connected to Cyberoam through relay, or through IPSec VPN. With this enhancement, Cyberoam will be able to assign IP Addresses to:

· Directly connected primary or alias networks

· Connected through relay

· Connected over IPSec VPN

Prior to this version, Cyberoam supported DHCP configuration for a primary network only.

Lease Report Enhancement

Cyberoam’s Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address.

To view these reports, go to Network → DHCP → Lease.

CLI Commands

1. Command: cyberoam dhcp lease-over-IPSec enable
To enable IP Lease over IPSec for all the DHCP servers.
 
2. Command: cyberoam dhcp lease-over-IPSec disable
To disable IP Lease over IPSec for all the DHCP servers (Default Value).
 
3.     Command: cyberoam dhcp lease-over-IPSec show
To display all the IP Lease over IPSec configuration.
  
2. Multicast over IPSec VPN tunnel
From this version onwards, Cyberoam will support secure transport of multicast traffic over un-trusted network using IPSec/VPN connection.

With this enhancement, now it is possible to send/receive both unicast and multicast traffic between two or more VPN sites connected through public Internet. This removes the dependency of multicast aware routers between the sites connecting via IPSec/VPN.
Prior to this version, this was possible using GRE tunneling; however, the packets could not be encrypted.

Any unicast host wanting to access a multicast host shall require to be configured as an explicit host (with netmask /32) in VPN configuration.

Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both, static as well as dynamic interfaces (PPPoE, DHCP).
To configure Multicast over IPSec/VPN connection, go to Network → Static Route → Multicast.
 
CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>  
To forward multicast traffic coming from a given interface to another interface.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>  
To forward multicast traffic coming from a given interface to GRE tunnel.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore 
 
3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from IPSec tunnel to an interface.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given IPSec tunnel to GRE tunnel.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel  gre name Elitecore
 
7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from a GRE tunnel to an interface.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> 
To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1
 
9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec 
To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
To delete multicast route.
E.G. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.
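
The nine "mroute add" forms above share one grammar: an input endpoint (interface, IPSec tunnel or GRE tunnel), a source-ip, a dest-ip and an output endpoint. The Python below is an added example, not Cyberoam code: it parses such lines from a saved configuration and flags routes that send multicast out over GRE (which, per the notes above, could not encrypt the packets), destinations that are not multicast addresses, and malformed lines. The function names are hypothetical and the sample lines are constructed from the E.G. entries on this page.

```python
import ipaddress
import re

# Grammar of "mroute add" as listed in the CLI Commands above:
# one input endpoint, source-ip, dest-ip, one output endpoint.
MROUTE_ADD = re.compile(
    r"^\s*mroute\s+add\s+"
    r"(?:input-interface\s+(?P<in_if>Port\w+)"
    r"|input-tunnel\s+ipsec\s+name\s+(?P<in_ipsec>\S+)"
    r"|input-tunnel\s+gre\s+name\s+(?P<in_gre>\S+))"
    r"\s+source-ip\s+(?P<src>\S+)\s+dest-ip\s+(?P<dst>\S+)\s+"
    r"(?:output-interface\s+(?P<out_if>Port\w+)"
    r"|output-tunnel\s+gre\s+name\s+(?P<out_gre>\S+)"
    r"|output-tunnel\s+(?P<out_ipsec>ipsec))"
    r"\s*$"
)


def parse_mroute(line):
    """Parse one 'mroute add' line into a dict; raise ValueError if malformed."""
    m = MROUTE_ADD.match(line)
    if not m:
        raise ValueError(f"not a valid 'mroute add' command: {line!r}")
    g = m.groupdict()
    if g["in_if"]:
        inp = ("interface", g["in_if"])
    elif g["in_ipsec"]:
        inp = ("ipsec", g["in_ipsec"])
    else:
        inp = ("gre", g["in_gre"])
    if g["out_if"]:
        out = ("interface", g["out_if"])
    elif g["out_gre"]:
        out = ("gre", g["out_gre"])
    else:
        # The appliance picks the IPSec tunnel itself, so there is no name.
        out = ("ipsec", None)
    return {
        "input": inp,
        "output": out,
        # IPv4Address raises a ValueError subclass on a bad or truncated address.
        "source": ipaddress.IPv4Address(g["src"]),
        "dest": ipaddress.IPv4Address(g["dst"]),
    }


def audit(lines):
    """Return (line_number, finding) tuples for a list of 'mroute add' lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            route = parse_mroute(line)
        except ValueError:
            findings.append((n, "invalid"))
            continue
        if not route["dest"].is_multicast:       # outside 224.0.0.0/4
            findings.append((n, "dest-not-multicast"))
        if route["source"].is_multicast:         # a sender is a unicast host
            findings.append((n, "source-is-multicast"))
        if route["output"][0] == "gre":          # leaves the box unencrypted
            findings.append((n, "gre-unencrypted"))
    return findings


# Constructed sample: lines 1-3 follow the E.G. entries above,
# lines 4-5 are deliberately wrong to exercise the checks.
SAMPLE_ROUTES = [
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB",
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore",
    "mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec",
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 10.0.0.55 output-tunnel ipsec",
    "mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55",
]

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_ROUTES):
        print(f"line {line_no}: {finding}")
```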


 

3. E-mail Alert for IPSec Tunnel Connection Flapping

From this version onwards, if the IPSec VPN tunnel connectivity is lost, Cyberoam will notify the Administrator via an E-mail alert, specifying the reason for the connection loss. E-mail alert will be sent on the configured E-mail Address.

Upon configuring E-mail alerts via the available single central configurable option, it will automatically be applicable on all the IPSec tunnels.

An E-mail will be sent only for Host to Host and Site to Site tunnel connections, if the connection flaps due to one of the following reasons:

1.      A peer is found to be dead during Dead Peer Detection (DPD) phase.

2.      Failed to re-establish connection after Dead Peer Detection (DPD)

3.      IPSec Security Association (SA) is expired and is required to be re-established.

4.      IPSec Tunnel comes up without administrator intervention after losing the connectivity 

E-mail sent to the administrator shall contain following basic information:

1.     IPSec Connection name

2.     IP Addresses of both participating hosts/network

3.     Current state of the IPSec Tunnel connection, viz., Up or Down

4.     Exact Time when the IPSec Tunnel connection was lost

5.     Reason for loss of IPSec Tunnel connection

6.     Appliance Model Number

7.     Firmware version and build number

8.     Appliance Key (if registered)

9.     Appliance LAN IP Address

10. HA configuration – Primary/Auxiliary (if configured)   

An E-mail will be sent for each subnet pair in case of Site to Site connections, having multiple local/remote networks.

An E-mail sent with respect to IPSec Tunnel coming up shall not have any reason mentioned within.

Description of IPSec Tunnel connection shall be included in the E-mail, only if information for same is provided by the administrator.

To enable E-mail alerts for IPSec tunnels, go to System → Configuration → Notification → E-mail Notification and check option “IPSec Tunnel UP/Down”.
 
 
4. Enhancement in AD Integration

From this version onwards, Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers at a push of Purge AD Users button. Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a user’s entry is not found in any of the external server(s), it is purged from Cyberoam too.

The purge operation will not interrupt user login/logout and accounting events.

While the purge activity is in progress and if the server connectivity is lost, the activity will be aborted.

If a user entry is purged, it will be deleted from both, Primary and Auxiliary Cyberoam Appliance.
 
To purge the users, go to Identity → Users → Users and click “Purge Users” button.

Further, when a User logs in to Cyberoam and the E-mail Address of that User is configured on the external Active Directory server/LDAP server, the User’s E-mail Address within Cyberoam is synchronized with the E-mail Address on the external Active Directory server/LDAP server. Every time a user logs in, the corresponding E-mail ID will be updated. If the E-mail ID is null on the External Active Directory Server/LDAP, there will be no updates.
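
The purge rules described in this section (verify every configured server first, purge a user only when no server knows it, abort if connectivity is lost part-way) can be modelled as a two-phase reconciliation. The Python below is an added example, not Cyberoam code: FakeDirectory is a constructed stand-in for an external AD server, all names are hypothetical, and deleting nothing on abort is a choice of this sketch, since the notes do not say how users already processed are treated.

```python
class DirectoryUnavailable(Exception):
    """Raised when an external directory cannot be reached or queried."""


class FakeDirectory:
    """Constructed stand-in for one external AD server (not a real LDAP client).

    fail_after=N makes the server drop after N successful lookups;
    fail_after=0 makes it unreachable from the start; None never fails.
    """

    def __init__(self, name, users, fail_after=None):
        self.name = name
        # Assumption: account names compare case-insensitively.
        self.users = {u.lower() for u in users}
        self.fail_after = fail_after
        self.lookups = 0

    def check(self):
        if self.fail_after == 0:
            raise DirectoryUnavailable(self.name)

    def exists(self, username):
        if self.fail_after is not None and self.lookups >= self.fail_after:
            raise DirectoryUnavailable(self.name)
        self.lookups += 1
        return username.lower() in self.users


def plan_purge(local_users, directories):
    """Phase 1: decide who is stale without touching the local user store."""
    if not directories:
        # With no server to compare against, every user would look stale.
        raise ValueError("no external directory configured; refusing to purge")
    for d in directories:
        d.check()                      # connectivity verified before any lookup
    stale = []
    for user in local_users:
        # Stale only if absent from every configured server.
        if not any(d.exists(user) for d in directories):
            stale.append(user)
    return stale


def purge(local_users, directories):
    """Phase 2: apply the plan, or abort with the local store unchanged."""
    try:
        stale = plan_purge(local_users, directories)
    except DirectoryUnavailable as exc:
        return {
            "status": "aborted",
            "reason": f"lost connectivity to {exc}",
            "deleted": [],
            "remaining": list(local_users),
        }
    return {
        "status": "completed",
        "deleted": stale,
        "remaining": [u for u in local_users if u not in stale],
    }


if __name__ == "__main__":
    local = ["alice", "bob", "carol", "dave"]      # constructed sample users
    ad1 = FakeDirectory("ad1", ["Alice", "bob"])
    ad2 = FakeDirectory("ad2", ["carol"])
    print(purge(local, [ad1, ad2]))
    flaky = FakeDirectory("ad2", ["carol"], fail_after=1)
    print(purge(local, [FakeDirectory("ad1", ["alice", "bob"]), flaky]))
```

Planning before deleting matters here because a server that drops mid-run would otherwise make its users look absent and get them purged.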
  
 5. Multicast Route Failover

From this version onwards, Cyberoam supports Link Failover for Multicast Traffic using IPSec/VPN connection or GRE Tunnel.

If a user has multicast routes configured on a port then a Link Failover can be configured for same using IPSec/VPN or GRE configuration. Now if the port goes down, all multicast routes configured on it will automatically fail over to given IPSec/VPN connection or GRE Tunnel.

Prior to this version, link failover was supported only for static unicast routes.  

CLI Commands

1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2
 
2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100
 
3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100
 
4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2
 
5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100
 
6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100
 
7. Command: cyberoam link_failover del primarylink <Port name>
To delete link failover configuration.
E.G. cyberoam link_failover del primarylink PortC
 
8. Command: cyberoam link_failover show
To see all the link failover configurations.

6. Support of SSL-VPN for MAC-OS Tunnelblick

From this version, SSL VPN will be functional with Tunnelblick, a free, open source graphic user interface for OpenVPN on Mac OS X.

The user can download the SSL VPN Client Configuration - MAC Tunnelblick from Cyberoam SSL VPN User Portal.
 
 

7. Version 9 Catch-up Feature – Search Engine Cache Control

From this version onwards, Cyberoam will be able to categorize actual URL contents that are accessed via cache option available in search engines Google, Yahoo, Bing based on the existing Web Filter Policy.
 
  

8. Version 9 Catch-up Feature – Internet Watch Foundation Support

From this version onwards, Cyberoam’s General Internet Policy by default, supports filtering of URL based on Internet Watch Foundation (IWF) categorization.

The filtering logs are displayed in the Log Viewer and iView Reports

The Internet Watch Foundation provides the list of accurate and current URLs to minimize the availability of potentially criminal Internet content as mentioned below:

1.     Child sexual abuse content hosted anywhere in the world.

2.     Criminally obscene adult content hosted in the UK.

3.     Non-photographic child sexual abuse images hosted in the UK.
 
 
 

9. Captive Portal Enhancements

From this version onwards, Cyberoam Captive Portal is esthetically optimized.

Further it supports the following functionalities:

  1.     Hyperlinked logo

  2.     Obtaining username and password for unauthenticated users (Only when Guest Users functionality is enabled).

To configure them, go to System → Configuration → Captive Portal.

Also, the Administrator can choose either to redirect unauthorized users to the Captive Portal or to display a customized message. To customize the Captive Portal response, go to Identity → Authentication → Firewall.
 
 

10. URL Import List

From this version onwards, while adding or updating a Web Category, Cyberoam allows importing a file (.txt or csv) consisting of all the configured URL/Keyword from the white list domain of an existing web categorization solution, instead of copying and pasting the same into Cyberoam.

To add a white listed URL file, go to Web Filter → Category → Category and click Add button.

 
11. Optimization in Virtual Host Configuration
From this version onwards, while a virtual host is created and port forwarding is enabled, Cyberoam allows configuring a Port list. The ports within the list can be comma separated. It can be mapped against a Port List or a Port. Further a Port Range can now also be mapped against a single port. This creates one to one mapping or many to one mapping between the external port and the mapped port.

Example:

Port Forwarding Type (External Port Type to Mapped Port Type) | External Ports | Mapped Ports
Port List to Port List | 22, 24, 26, 28, 30 | 42, 44, 46, 48, 50
Port List to a Port | 22, 24, 26, 28, 30 | 20
Port Range to a Port | 21 - 26 | 28

In case of Port List to Port List mapping, the number of ports must be the same for both External Ports and Mapped Ports. A request received on the first external port will be redirected to the first mapped port, a request on the second external port will be redirected to the second mapped port, and so on. From the example above, for Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.

For a single virtual host, a maximum of 16 ports can be configured in a Port List.

All the ports within a Port List support single protocol viz., either a TCP or a UDP protocol as per the configuration. A combination of both of these protocols within a Port List is not allowed.

Prior to this version, only Single Port to Single Port and Port Range to Port Range Type for port forwarding were allowed.

Also, from this version onwards, for Firewall, when any virtual host is created without port forwarding, one can select multiple services instead of a single service.

Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled.

To configure multiple ports separated by comma, go to Firewall → Virtual Host → Virtual Host.
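
The mapping rules in this section can be checked before a virtual host is created. The Python below is an added example, not Cyberoam code: it expands an external/mapped port specification into the concrete external-to-mapped pairs, enforces the limits stated above (equal list lengths, at most 16 ports in a Port List, one protocol per list) and reports how many external ports reach each mapped port. The function names are hypothetical, and requiring equal lengths for Port Range to Port Range is an assumption.

```python
MAX_PORTS_IN_LIST = 16  # limit for a Port List stated in these release notes


def parse_ports(spec):
    """'22, 24' -> ('list', [22, 24]); '21 - 26' -> ('range', [21..26]);
    '20' -> ('port', [20]). Raises ValueError on a malformed spec."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        if lo > hi:
            raise ValueError(f"range start after end: {spec!r}")
        kind, ports = "range", list(range(lo, hi + 1))
    elif "," in spec:
        kind, ports = "list", [int(p) for p in spec.split(",")]
    else:
        kind, ports = "port", [int(spec)]
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    if kind == "list" and len(ports) > MAX_PORTS_IN_LIST:
        raise ValueError(f"a Port List holds at most {MAX_PORTS_IN_LIST} ports")
    return kind, ports


def build_mapping(external, mapped, protocol):
    """Return {(protocol, external_port): mapped_port} for one virtual host."""
    if protocol not in ("TCP", "UDP"):
        # One protocol per Port List; a TCP/UDP mix is not allowed.
        raise ValueError("protocol must be either TCP or UDP")
    ekind, eports = parse_ports(external)
    mkind, mports = parse_ports(mapped)
    if len(set(eports)) != len(eports):
        raise ValueError("duplicate external port")
    if (ekind, mkind) in (("list", "list"), ("range", "range")):
        # One-to-one: first external to first mapped, and so on.
        # Equal length for range-to-range is an assumption of this example.
        if len(eports) != len(mports):
            raise ValueError("external and mapped ports must be equal in number")
        pairs = zip(eports, mports)
    elif mkind == "port":
        # Many-to-one (or single port to single port).
        pairs = ((e, mports[0]) for e in eports)
    else:
        raise ValueError(f"unsupported mapping: {ekind} to {mkind}")
    return {(protocol, e): m for e, m in pairs}


def fan_in(mapping):
    """Group external ports by the mapped port they expose.

    A long list behind one key means many external ports reach one
    internal service, which is worth a second look in a rule review."""
    grouped = {}
    for (proto, ext), mapped in mapping.items():
        grouped.setdefault((proto, mapped), []).append(ext)
    return {key: sorted(exts) for key, exts in grouped.items()}


if __name__ == "__main__":
    # The three rows of the example table above.
    for ext, mp, proto in [
        ("22, 24, 26, 28, 30", "42, 44, 46, 48, 50", "TCP"),
        ("22, 24, 26, 28, 30", "20", "TCP"),
        ("21 - 26", "28", "UDP"),
    ]:
        print(ext, "->", mp, fan_in(build_mapping(ext, mp, proto)))
```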
 
 
12. Optimized IPSec Failover Configuration
From this version onwards, Cyberoam IPSec connection configuration for failover can be done while configuring the IPSec connection itself.  This optimization will facilitate configuring failover connection with minimum inputs for commonly used failover conditions. Also the previously available method of configuration remains intact.
 
Failover connections can be configured only for IPSec connections with “Connection Type” Site-to-Site or Host-to-Host.
 
Maximum of four (4) failover connections can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration.
 
To configure an IPSec failover connection for Site-to-Site and Host-to-Host type of IPSec connections, go to VPN → IPSec → Connection. Click the add icon under “Endpoints Details”; only after that can the IPSec failover connection be configured.
 
 
13. Access Denied Page Optimization

From this version onwards, to optimize the loading time of Access Denied Page, the maximum size for the image allowed is as follows:

1.     Top Image – 125 x 70 pixels (.jpg, .jpeg)       

2.     Bottom Image – 70 x 60 pixels (.jpg, .jpeg)

If the Appliance is running on an older version, and if the image size is greater than the above specified dimensions, it is mandatory to reduce the size of images for appropriate display.

To upload an image, go to Web Filter → Settings → Settings.
 

14. DNS Status Check support in Diagnostic Tool 
From this version onwards, Cyberoam will provide an option to view the list of all the available DNS servers configured in Cyberoam. It also provides information about the time taken to connect to each of the DNS server. Based on the least response time, one can prioritize the DNS server.
 
To view the list of DNS servers available for an IP Address/host name, go to System → Diagnostics → Tools → Name Lookup, provide the IP Address/Host Name, select option “Lookup Using All Configured Server” from the dropdown box and click “Name Lookup”.
 
 
15. Certificate with FQDN/IP Address as a Common Name

From this version onwards, Cyberoam will allow using FQDN or IP Address as a common name while generating a Self Signed Certificate.

Prior to this version certificate name was used as a common name.

To configure common name for a certificate, go to System → Certificate → Certificate and click Add to generate a certificate.
 
 

16. User Defined Certificate

From this version onwards, Cyberoam supports generation of Self-Signed Certificates with Identification Attribute details to meet the needs of compliance criteria.

To generate a Self-Signed Certificate, go to System → Certificate → Certificate.
 
 

17. Quick Access to On-Appliance Reports

From this version onwards, Cyberoam supports quick access to On-Appliance Reports from login page of the Appliance.

To access the On-Appliance Reports directly, select “Reports” for parameter “Log on to” on Appliance login page at the time of authentication.
 
18. iView Enhancement – Dual Dashboard Support
 From this version onwards, Cyberoam iView main dashboard has been bifurcated into two.
 
1. Traffic Dashboard
Traffic dashboard is a collection of widgets displaying information regarding total network traffic.

This dashboard gives complete visibility of network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.
 
Traffic dashboard consists of following widgets:
• Top Applications – List of top applications along with percentage wise data transfer

• Top Categories – List of top accessed web categories with number of hits and amount of data transfer

• Top Users – List of top users along with percentage wise data transfer

• Top Hosts – List of top hosts along with percentage wise data transfer

• Top Source Countries – List of top source countries along with percentage wise data transfer

• Top Destination Countries – List of top destination countries along with percentage wise data transfer

• Top Rule ID – List of top firewall rules along with percentage wise data transfer

• Top Domains – List of top domains along with percentage wise data transfer

• Top File Upload – List of top uploaded files along with date, user, source IP, domain name , file name and file size

• Top Files Uploaded via FTP – List of top uploaded files via FTP along with percentage wise amount of data transfer

• Top Files Downloaded via FTP– List of top downloaded files via FTP along with percentage wise amount of data transfer

• Top FTP Servers – List of top FTP servers

• Mail Traffic Summary – Email traffic with type of traffic and amount of data transfer

• Top Mail Senders – List of top email senders along with percentage wise data transfer

• Top Mail Recipients – List of top email recipients along with percentage wise data transfer

2. Security Dashboard
Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malwares and spam along with source and destination countries.
 
Security dashboard consists of following widgets:
• Top Denied Hosts – List of top denied hosts along with number of hits

• Top Denied Users – List of top denied users along with number of hits

• Top Denied Applications – List of top denied applications along with number of hits

• Top Denied Destination Countries – List of top denied destination countries along with number of hits

• Top Denied Source Countries – List of top denied source countries along with number of hits

• Top Denied Rule ID – List of top denied firewall rules along with number of hits
 
• Top Denied Categories – List of top denied web categories along with number of hits

• Top Denied Domains – List of top denied domains along with number of hits

• Top Attacks – List of top attacks launched at network

• Top Viruses – List of top viruses blocked by Cyberoam

• Top Spam Senders – List of top spam senders

• Top Spam Recipients – List of top spam recipients

All these widgets can be drilled down for next level reports.

 

19. iView Enhancement – Better Visibility and Presentation
From this version onwards, Cyberoam iView introduces a few enhancements to increase visibility and improve presentation of the reports.
1. Chart Preferences
Now the administrator can select the type of charts to show reports. The administrator can choose between Bar charts and Pie-Doughnut charts.

To choose the chart type and palette, go to System → Configuration → Chart Preferences.

2. Records per Page Control
Now the user has the option to set the number of records to be displayed for report groups also. Previously this control was available for individual reports only.
3. Inline Charts
If the number of records to be displayed is more than 10, then Cyberoam iView shows them in the form of inline charts i.e. a bar diagram for number of bytes and percentage respectively will be displayed in the same column.
4. Animated Charts
With this version, Cyberoam iView has introduced animated bar charts and pie charts to improve user experience and data presentation.
5. Report Group Dashboard
With this version, all the report group dashboards show the collection of reports available under the selected report group.
 
 
20. iView Enhancement - Top Users Widget
From this version onwards, a new widget ‘Top Users’ has been added under risk reports. This widget displays the list of users who imposed risk on the organization network. This report can further be drilled down to view the list of applications, hosts, source countries, destination countries and firewall rules associated with the selected user and risk level.
To view reports, go to Reports → Applications → Top Risks → Risk.
 
 
21. iView Enhancement - Report Filter
From this version onwards, Cyberoam iView provides an option to filter dashboard reports. When the user selects any record from dashboard report widgets, the selection is displayed on the next level of reports, i.e. on the resultant reports page. The user can apply multiple filters one by one to get the appropriate report.
All the filters are displayed at the top of the resultant report in the form of rowed text box(es) with the option to remove each filter.

 
22. iView Enhancement - Country Map
From this version onwards, Cyberoam iView introduces a new report – Country Map under the Application report menu. This report gives a geographical overview of network traffic along with amount of data transfer and risk.

To view reports, go to Reports → Applications → Country Map.

 

Known Behaviour

1. SSL VPN support with passcode

From this version onwards, Cyberoam supports key encryption with password in certificates. If certificates are generated with encryption enabled, the user will be prompted to provide a password in the form of a passcode.

If the parameter “Per User Certificate” is configured, new certificates will be generated with key encryption and password.

2. Gateway specific routing for Reflexive Rule

To allow traffic to route through a specific gateway when a reflexive rule is selected while configuring a virtual host, the parameter “Route Through Gateway” in the Firewall Rule must have Source NAT selected as the Routing Policy.


 
Bugs Solved

Anti Spam
Bug ID – 6533
Description – Irrespective of the date range selected, the spam mails of last seven days are displayed.


Bug ID – 9597
Description – Mails of size greater than 3Mb do not get released from Anti Spam Quarantine Area if the send mail client does not release them within the configured time.

Bug ID – 9599
Description – An error message “Data Error” is displayed for a log on Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes (“”) or a backslash (“\”).

Bug ID – 9989
Description – Quarantine mails having a space in subject line do not get released.
 
Anti Virus
Bug ID – 8029

Description – Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.
 
 
Certificate
Bug ID – 5300
Description – Cyberoam allows uploading a certificate with a different password or private key than that of the original password or private key of Generated Certificate Signing Request (CSR).
 
Bug ID – 8054
Description – Certificate Signing Request (CSR) generated from version 10 Cyberoam Appliance cannot be uploaded at third party Certificate Authority (CA) end.
Bug ID – 8191
Description – Certificate having encrypted private key cannot be uploaded from Web Admin Console.

Bug ID – 10001
Description – Value of parameter “Valid From” does not change on regenerating a new Cyberoam_SSL_CA certificate from Certificate page of the System.

Bug ID – 10045
Description – A certificate error message “secure connection failed” is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser.
 
 
Bug ID – 11463
Description – Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0 Build 304, if the Appliance Time Zone is earlier than GMT and Firmware Upgrade Time is between (00:00:00 – X) and 00:00:00. X here represents the difference between the Appliance Time Zone and GMT.
  

CLI
Bug ID – 10122
Description – Default routing precedence does not get displayed on Cyberoam console when command "cyberoam route_precedence show" is executed.
 
DHCP Server
Bug ID – 10245
Description – An error message is displayed when a host name of parameter “IP MAC Mapping List” contains a space while configuring a static DHCP.
 
Firewall
Bug ID – 9658
Description – A false error message “user.err kernel: outdev_target: ERRORRRRR skb-> rtable is already initialized <192.168.141.255>...” is displayed in System - Log Viewer.
 
Bug ID – 10870
Description – A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host.
 
GUI
Bug ID – 9810
Description – A Web Filter policy does not function in a non-English version of Cyberoam on configuring a URL Group within the Web Filter Policy.

Bug ID – 9985
Description – In captive portal settings and CTAS settings, the parameter “User Inactivity Timeout” does not accept a number beyond 99 on Web Admin Console from Authentication page of Identity.

Bug ID – 10109
Description – Heart Beat port in System configured to sync with CCC does not change if the Heart Beat Protocol is HTTP for Central Management.

Bug ID – 10165
Description – Dashboard and System Graph continue to remain in processing due to internal error for Cyberoam Version 10.02.0 Build 227.

Bug ID – 10307
Description – VPN – IPSec connection list takes a long time while loading, if the number of IPSec connections is more than 2000.
 
HA
Bug ID – 10573
Description – IPS service stops functioning in the HA deployment when two Appliances configured with different versions of IPS are enabled in HA.
 
Identity
Bug ID – 9756
Description – Special characters “_” and “.” are not allowed to be used consecutively while adding an Email Address on the User page for Identity.
 
IM
Bug ID – 9866
Description – IM Policy is not displayed in Log Viewer with Yahoo! Messenger (Version 11.5.0.228-in).
 
Intrusion Prevention System (IPS)
Bug ID – 9327
Description – Search option is available only while editing IPS Policy.
  
Log Viewer
Bug ID – 9880
Description – No records are displayed when the language selected for Web Admin Console is French in Cyberoam and multiple filters are used while viewing logs of “Application Filter” in Log Viewer.
 
Network Interface
Bug ID – 8002
Description – STC 3G modem is not compatible with Cyberoam Appliance.
 
 
Bug ID – 8457
Description – ZTE MF688a 3G modem is not compatible with Cyberoam Appliance.

Bug ID – 10921
Description – Modem Sierra 320U is not supported by Cyberoam Appliance.
 
Bug ID – 10939
Description – Modem IG Huawei E177 is not supported by Cyberoam Appliance.
  
Proxy
Bug ID – 9115
Description – Proxy services do not function if an HTTP Upload Web Category is added in HTTPS scanning exceptions.

Bug ID – 9848
Description – An error is received while accessing hotmail.com and http://google.com.au when HTTPS scanning is enabled in Firewall Rule.

Bug ID – 10046
Description – Web Proxy service does not restart when Administrator restarts it from Maintenance page of System.

Bug ID – 10135
Description – Some of the components of the YouTube website do not get displayed with HTTPS scanning applied.

Bug ID – 10244
Description – Browsing becomes slow when external proxy is implemented in the network while Cyberoam is deployed in Bridge mode.
  
 
Bug ID – 10936
Description – In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.
 
Reports
Bug ID – 7818
Description – The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical.

Bug ID – 9993
Description – All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if “Search Type” is “IP Address” and “Report Type” is “Detail”.

Bug ID – 10427
Description – Only current day’s report details are displayed in the Application Reports of On-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.
 
 
System
Bug ID – 9927
Description – Error messages are displayed on executing command “tcpdump ‘port80’filedump” on Cyberoam Console.
 
SSL VPN
Bug ID – 6523
Description – Once the User certificates are updated manually, they do not get updated automatically.
Bug ID – 10171
Description – SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if RDP bookmark has a “/” at the end (e.g. rdp://10.102.1.152).
 
 
Bug ID – 11198
Description – SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having a slash ('/') as last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.
 
User
Bug ID – 6141
Description – When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully.
Bug ID – 9920
Description – Cyberoam supports only SMS Gateways that use the Post method.
 
VPN
Bug ID – 9812
Description – An error message “We cannot identify ourselves with either end of this connection” is received when VPN connection with VLAN over WAN is configured with PPPoE link and VLAN ID is more than 2 digits.
Bug ID – 10191
Description – VPN service does not restart when head office and branch office are using default head office and default branch office policy respectively and if an intermediate device between them is switched off.
 
 
Bug ID – 11202
Description – Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from VPN Policy page and the Appliance is rebooted.
 
Web Filter
Bug ID – 9840
Description – “Denied Message” is updated to the default message if an existing Web Filter Category configured with a customized message is edited without opening its “Advance Settings”.
Bug ID – 10092
Description – Webcat does not get upgraded to latest version while performing manual sync after auto Webcat upgrade has failed.
 
Wireless WAN
Bug ID – 5315
Description – 3G Modem LW272 is not compatible with Cyberoam Appliance.
 
Article ID: 511