1. Cyberoam Security Appliances (UTM and NGFW)
1.1. Common Criteria (EAL4+) Compliant CyberoamOS
1.1.1. Release Notes
1.1.1.1. Release Notes 10.5.3

 

Release Dates

Version 10.5.3 – 05th July, 2013

Release Information

Release Type: General Availability

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Upgrade Supported for Cyberoam Versions:

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311

Upgrade procedure

To upgrade the existing Cyberoam Appliance

1.     Logon to https://customer.cyberoam.com

2.     The user will be provided with a link to the latest firmware and a link to firmware version 10.5.1 (Common Criteria Certified firmware for EAL4+) with its corresponding MD5 Checksum, which has to be verified by the user after downloading the firmware.

3.     Follow the relevant on-screen option to upgrade the appliance.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

For Cyberoam version 10.5.3 (Common Criteria Certified firmware for EAL4+)

Upgrade Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Upgrade Cyberoam to firmware 10.5.3 version by selecting option “10.5.3” and follow on-screen instruction.

On applying the firmware version 10.5.3 over a newer firmware version, the appliance will boot in factory default configuration.

Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.


Revision History

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

-

-

-

-

-


 

Introduction

This document contains the release notes for Cyberoam Version 10.5.3. The following sections describe the release in detail.

This release comes with a few enhancements and a behavior change to improve quality, reliability and performance.

Enhancements

1. Opt-out Option for Hot-Fix and Product Optimization Configuration

Cyberoam provides the Administrator a choice to opt-out from following options:

·     Hot-Fix that resolves an issue occurring in the appliance.

·     Sending usage statistics and performance data (non-personal technical information) to Cyberoam servers.

To configure these options, go to Systems > Maintenance > Updates > Hot-Fix and Product Optimization Configuration.
 

2. Hot-Fix Version Information on CLI

The Hot-Fix version number is now displayed on the CLI as shown in table below:

Prior to Cyberoam Version 10.5.1

In Cyberoam Version 10.5.1

Hot Fix version: 10.04.0 build 311 #3

Hot Fix version: 3



CLI Commands
1.     Command: cyberoam diagnostics show version-info
Displays the Appliance information.
 

3. Audit of Appliance Shut-Down Event

Cyberoam provides audit support to the Appliance Shut-Down event. The logs of this event can be viewed over Syslog.

 
1.2. Version 10.X
1.2.1. Migrating to V 10.X

 

Release Information

Release Type: General Availability
Compatible versions: 9.6.0.78 for all CRs except CR15i; 9.5.8.68 for CR15i
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: All the Cyberoam Appliance models

Upgrade procedure

Refer Migrate from v9.6.x.x to v10 document.

Compatibility issues

Appliance model-specific firmware and hence firmware of one model will not be applicable on another model. Upgrade will not be successful and error message will be given if your Appliance model is CR100i and you are upgrading it with firmware for model CR500i.
 

Introduction

With version 10, Cyberoam has moved to firmware-based solution with the configuration and behavioral changes as given in the document. Document also lists various functionalities added in version 10. For details on new features added in Version 10, please refer to Version 10 Release Notes.

Changes from V 9

1.      Logical flow change

The basic building blocks in Cyberoam are Zones, Interfaces and (Network/Address) objects. This structure is used in defining firewall rules to allow or deny the access.

Zone is the logical grouping of Interface, which includes:

  • predefined zones - LAN, WAN, DMZ, LOCAL, VPN
  • custom zone

Interface includes:

  • actual physical Ethernet interfaces or ports i.e. Port A through Port J depending on the appliance model
  • subinterfaces - VLAN
  • PPPoE interfaces
  • interface aliases and
  • WWAN interface if Wireless WAN functionality is enabled

Objects are the logical building blocks of the firewall rule, which includes:

  • host - IP and MAC addresses
  • services which represent specific protocol and port combination e.g. DNS service for TCP protocol on 53 port
  • schedule to control when the rule will be in effect e.g. All Days, Work Hours
  • certificates
  • file types

2.      Internet Access control configuration change

Now Internet access can be controlled by filtering web and application separately. This provides granular control over Internet access. This is achieved by splitting Internet Access policy in two policies – Web filter policy and Application filter policy.

The traffic coming from the web is filtered by various policies and categories through Web filter policy while application filter policy controls user’s application access. It specifies which user has access to which applications.

3.      Behavior change

  1. Wizard behavior change: (Wizard is now deployment wizard)
If wizard is re-run, it will flush following configurations:
  • dhcp server/relay configurations
  • unicast/multicast routing
  • vpn, l2tp, pptp
  • static/proxy arp
  • VH/ Bypass firewall / firewall rules/ gateway
  • pppoe
  • custom zones
  • local acls
  • Interface based hosts/hostgroup
  1. Deleting Interface – Alias and Virtual host will also remove all its dependent configurations including:
  • Interface-Zone binding
  • DHCP Server or Relay 
  • Alias based Firewall rules
  • ARP - static and proxy 
  • Virtual hosts and VH based firewall rules
  • Interface based Hosts and reference from host groups
  • Routes - Unicast, Multicast
  1. Updating Interface details will also update all its dependent configurations including:
  • Interface-Zone binding
  • DNS
  • Stops the DHCP Server and updates the details. You will have to manually restart the server
  • Gateway
  • Interface based Hosts
  • Disconnects all the tunnels and updates all the VPN policies. You will have to manually reconnect the tunnels.
  • VLAN Interfaces
  • Dynamic DNS Client
  1. Except for WAN zone, Zone-Interface membership can be changed from Manage Interface page as well as Edit Zone page. In previous versions, it was possible only from Edit Zone page. While for WAN zone, it can be changed only from Manage Interface page.

  5.       Appliance Access can be configured from Zone as well as from Administration page.

 6.       Automatic addition of gateway, no need to add gateway manually. Gateway will be added and removed automatically when any Interface in WAN zone is added or removed.

  1. Deleting VLAN interface will delete its firewall rule also.
  2. Default Administrator user “cyberoam” can be deleted as now Cyberoam is shipped with a global Administrator.
  3. Cyberoam must be rebooted after modifying time zone.
  4. Internet Access policy is divided into two policies
    • Web filter policy – Can be configured to filter HTTP traffic only
    • Application filter policy – Can be configured to filter application traffic
  5. System Health Graphs can be accessed from Web Admin Console using System Graph Page.
  6. Any modifications in user login restriction will be applied on next login.
  7. Service group - PPTP_Group automatically added.

14.   L2TP and PPTP access for the user can be configured through User page as well as L2TP and PPTP Configuration page.

15.   Live Connections Page to display live IPSec connections and live SSL VPN users

4.      Redesigned UI - Menu and pages regrouping

To reflect the above changes, GUI pages are reorganized and menus are renamed as:

  • System
  • Objects
  • Network
  • Identity
  • Firewall
  • VPN
  • IPS
  • Web filter
  • Application filter
  • QoS
  • Anti Virus
  • Anti Spam
  • Logging & Reporting

5.      Renamed features

Old name

New name

Local ACL

Appliance Access

Host

IP host

User

Identity

Bandwidth policy

QoS policy

Surfing quota policy – Allotted hours

Maximum hours

HTTP Proxy

Web Proxy

Web Client

Captive Portal

Full Access (SSL VPN Access mode)

Tunnel Access

Road Warrior

Remote Access

Net-to-Net (IPSec policy)

Site-to-Site

6.      Functionality moved from CLI to Web Admin Console

  1. Packet capture
  2. Unicast and Multicast (can be configured from both the Consoles)
  3. Interface speed, MSS and MTU (can be configured and updated from both the Consoles)
  4. Live Graphs of CPU usage, Memory usage, Load average and Interface statistics for last hours. Graphs will be refreshed automatically at the interval of 30 seconds.
  5. View Access Logs
  6. View Audit logs
  7. Rollback to Previous version – supported through multiple firmwares

Discontinued features of version 9.x

Following features of V 9.6.x.x will not be supported from V X onwards:

  1. Add/Delete Gateway button removed from Manage Gateway page as Gateway will be added/deleted automatically.
  2. User Type – Manager. Same as the Admin user with Audit Admin Profile i.e. view reports
  3. Shared Policy is removed from Surfing Quota and Data Transfer Policy
  4. Surfing quota policy – Cycle hours can be configured in hours only, minutes option is removed
  5. Manage HTTP Proxy page is removed but functionality is included in Web proxy
  6. Regenerate button has been removed from Update Certificate page as Certificate will be regenerated automatically whenever updated.
  7. Data Transfer Limit alerts as on Customize Client Messages page
  8. SNMP service start/stop option is removed as it will always be ON once Agent is configured.
  9. RMS (Restart Management Services) as now it is now not required for any changes in Network configuration including Alias and Virtual Interface creation.
  10. Custom Login messages as it is now included on Captive portal page
  11. Antivirus Scan policy (default and custom) for SMTP - now part of Scanning Rule
  12. Global and Default Antispam policy
  13. Antispam Custom policy - now part of Spam Rule
  14. User Migration Utility as Export/Import functionality is added on User page
  15. Manual purge of reports. Auto purge will get-in in Stability-1.
  16. Service creation – “ICPM Type – Other” will not be available.
  17. SNMP Version v3 Protocol support
  18. User maximum session timeout option is given globally, however, per group is missing.
  19. System Modules Configuration on GUI is not available. It is available on CLI only.
  20. DHCP server "Enable Auto Start" Button

Features expected in version-10 Stability-1

  1. Traffic discovery – Only live connections will be provided.
  2. AV version information is missing - To be made available for all models on update page. Current availability is on 15i and 25i only.
  3. AV & AS Quarantine Area – total utilization
  4. Web Category - Search URL
  5. Corporate Client Download – for all the Cyberoam Clients – Will be available in the form of links in Stability-1. Pre-requisite will be that the download site will need to be allowed for all.
  6. Dashboard doclets -

System Resource (CPU, Memory, Disk Usage) Post Stability-I,

Usage Summary (HTTP hits, Search Engine Queries) In Stability-1 ,

User Surfing Pattern Post Stability-1 ,

HTTP Traffic Analysis (Distribution by Hits, Distribution by Data Transfer) – Post Stability-1

  1. Backup over Mail
  2. IPS Signature details link
  3. Editable IP address of Clientless user : Editable IP address will be available as part of Stability-1.
  4. “Show All” link on Live Users page – In Stability-1, default 50 live users will be shown.
  5. L2TP connection report - User information and data transfer details
  6. Web Category – “IPAddress” category
  7. Tool tip Firewall rule page for:, host, host group and Identity columns – Except for IPS, tool tip for all others will be available in Stability-1.
  8. User search (rather filter for v10) is not available for IP.
  9. Reports
    1. Web Surfing Report

                                                               i.      Category type (by hits)Wise – Will be available post Stability-1.  

                                                             ii.      Category type data transfer – Will be available post Stability-1.

                                                            iii.      Group wise Site wise/HTTP data Transfer /HTTP hits by content / HTTP File upload – Will be available post Stability-1.

                                                            iv.      User wise Site wise/HTTP data Transfer /HTTP hits by content type / HTTP File upload

    1. Gateway wise b/w usage and composite b/w usage graphs on GUI – Will be available post Stability-1.
  1. Audit Logs
    1. GUI Audit logs
    2. SSL VPN logs – Will be available post Stability-1.
    3. Appliance Audit logs (RESET/Backup/Restore/Upgradeauto-manaul/reboot) .– Will be available in Stability-1 and will be part of GUI audit logs.
    4. Service Restart Logs – Will be available in Stability-1 and will be part of GUI audit logs
    5. Firmware apply/bootup logs – Will be available in Stability-1 and will be part of GUI audit logs

Features expected Post version-10 Stability-1

  1. Dashboard doclets –
    1. User Surfing Pattern,
    2. HTTP Traffic Analysis (Distribution by Hits, Distribution by Data Transfer)
    3. System Resource (CPU, Memory, Disk Usage)
  2. ARP Cache
  3. Auto purge
  4. Application Filter Logs on the Logging Server
  5. Upload Corporate image in Web Filter Category custom messages
  6. Bandwidth Usage Graphs
  7. Proactive Reports – Category wise Trends, Google Search Keywords – Category wise trends availability to be confirmed eventually. Google Search Keywords will be available post Stability-1.
  8. Dashboard alerts
  9. Antivirus Engine Information update time
  10. Antispam center connectivity status
  11. Last upgrade status and timestamp for AV/IPS/Webcat
  12. Mail Notification on change of gateway status
  13. Language support - Turkish, French
  14. Multiple domain support for authentication
  15. Zone – Description field, Description field will be removed from manage page
  16. Firewall rule – Bandwidth usage (upload and download)
  17. IPS Policy - "Select All" for selecting all the Categories
  18. Persistent Logs (including VPN logs)  
  19. Clientless users--> Active and Inactive list cannot be displayed separately: – Will be available post Stability-1 in the form of filter support on “Active/Inactive”.
  20. Static route in bridge and IPSEC and http proxy host entry is not there.
  21. Console Audit logs 
  22. Reports
    1. Web Surfing Report

                                                               i.      Category type (by hits)Wise

                                                             ii.      Category type data transfer

                                                            iii.      Group wise Site wise/HTTP data Transfer /HTTP hits by content / HTTP File upload

    1. Gateway wise b/w usage and composite b/w usage graphs on GUI
    1. Internet Usage Report

                                                               i.      User/Group wise Internet Usage Reports

                                                             ii.      User/Group wise Surfing Time Report

    1. Trend

                                                               i.      Hourly based Trend Reports

    1. Audit log

                                                               i.      Appliance Audit log

Features availability to be confirmed eventually

  1. Customizing Client Preferences - HTTP Client option (Page, Pop-up, None) and default URL & customize Login Message
  2. System->Configure->Customize Client Preferences, URL to open a site after client logs on to server.
  3. Custom Application Category – Destination IP is not available. Otherwise, service group can be used. Availability of destination IP to be confirmed eventually.
  4. Client Login Links from Customize Login Messages page
  5. Clientless User – IP address based Sorting and Searching
  6. User MyAccount access from Users page
  7. Restart Servers option – SMTP, POP3, IMAP, FTP, Cyberoam server from Manage
  8. Diagnostic tool
  9. Servers page
  10. Group wise HTTP keep alive enable/disable
  11. User maximum session timeout per group
  12. Logon script updation download link in case of SSO. It was available in v9 as part of users | Migrate Users menu:
  13. Simultaneous user login option available for user only not for group

CLI features

Menu - System Configuration:

  • Trace Route Utility
  • Set Module Info
  • Bandwidth Graph Settings
  • Disable LAN Bypass

 Menu - Cyberoam Management:

  • Database Utilities
  • DHCP Client Settings
  • Download backup
  • Restore backup
  • View audit logs 
  • Check and upgrade cyberoam new version 
  • Cyberoam auto upgrade status 
  • Webcat auto upgrade status 
  • Rollback to previous version 
  • HA configuration
  • ReBuild firewall rule

  Menu Route Configuration

  • Configure Unicast Routing {Configure Static-routes/ACLs}

Menu Upgrade version

  Menu VPN Management
  • View VPN logs 
  • View connection wise VPN logs 
  • Advance VPN logs 
  • PPTP VPN logs

    Commands (All the parameters except mentioned here are available)

             ping: record-route | numeric | tos | ttl

cyberoam: check_disk | cpu_burn_test | dgd | ips_autoupgrade | repair_disk | service | system_monitor | view | services

httpclient

devicemap

dnslookup: server

ip

ips

route: add | delete

set: advanced-configuration: tcp-window-scaling, cr-traffic-nat

set: cache | usermac

set:   bandwidth: guarantee | graph

set:    http_proxy: av_sessions | client_sessions | core_dump | debug | deny_unkown_proto | multiple_webcategory | delete | relay_http_invalid_traffic | rw_buffer_size | x_forwarded_for

set: usermac

set:       secure-scanning (as included in set service-parameter command)

set:       sslvpn: max-clients | max-connections | owa-basic-mode

show: access-log | | antispam | antivirus | firewall-rule-log | ftp | login | mail | monitor | reboot

show: system: logs | devices | dma | filesystems| iomem | ioports | partitions | pci | processes | statistics | modules | uptime

show: http_proxy

show: monitor, ftp, login, access-log

show: system

                        packet-capture

                        telnet: tos | source

1.2.2. Release Notes
1.2.2.1. Release Notes 10.04.X Build XXX
1.2.2.1.1. V 10.04.6 Build 032
 

Release Date

Version 10.04.6 Build 032 – 04 March 2014

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338, 433

V 10.04.X Build XXX

1 Build 451, 2 Build 527, 3 Build 543,

4 Build 028, 5 Build 007

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 116. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

-

-

-

-

-

 

Introduction

This document contains the release notes for Cyberoam Version 10.04.6 Build 032. The following sections describe the release in detail.

This release comes with enhancement to improve quality, reliability, and performance.

Enhancements

1. Signature and Updates Distribution Support for Non-Centrally Managed Appliances

Cyberoam Central Console (CCC) can centrally manage multiple Cyberoam appliances. From this version, Cyberoam Central Console (CCC) can act as a Signature and Updates Distribution server for those security appliances that are not managed by it.

For previous versions, the security appliance had to be managed by CCC to act as a Signature and Updates Distribution server.

To enable CCC to work as a Signature Distribution server, navigate to System > Administration > Central Management and select the relevant option.

2. Anti Virus Engine Optimization

From this version, Cyberoam Anti Virus Engine has been optimized for better resource utilization in CR15i, CR15wi and CR25i appliances.


1.2.2.1.2. V 10.04.5 Build 007

 

Release Date

Version 10.04.5 Build 007 – 25 November, 2013 

Release Information

Release Type: Enhancement Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338, 433

V 10.04.1 Build XXX

451

V 10.04.2 Build XXX

527

V 10.04.3 Build XXX

543

V 10.04.4 Build XXX

028

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

   Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

   Revision History
 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

-

-

-

-

-

 
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.5 Build 007. The following sections describe the release in detail.

This release comes with several bug fixes to improve quality, reliability, and performance.
 

Bugs Solved

Access Server

Bug ID – 14949
Description – L2TPclient does not get authenticated to Cyberoam via Local Authentication, if CHAP or MS-CHAP protocol is used for authentication and Cyberoam Firmware is upgraded to Version 10.04.4.028.
 

Anti Virus

Bug ID – 14766
Description – FTP session needs to be disconnected manually once the file is successfully uploaded, if FTP scanning is enabled from Firewall Rule page and the size of the file to be uploaded is greater than the value specified in the parameter "Files Greater Than Size Should not be scanned" from FTP page of Anti Virus.
 

GUI

Bug ID – 12337
Description – Application names are not displayed while viewing Application Filter logs on the Log Viewer page.

Bug ID – 14961
Description – The word “Login” is mis-spelled as “Logoin” in an error message displayed on Notification page of System Configuration.
 

Network

Bug ID – 15006
Description – 3G modem D-Link DWM-156 is not compatible with Cyberoam Appliance.

Bug ID – 15084
Description – HUAWEI Mobile E3276 does not connect to Cyberoam, if “IP Assignment” mode is selected as DHCP from Wireless WAN Setting page.

Bug ID – 15181
Description – Huawei HB4F1 3G modem is not compatible with Cyberoam Appliance.
 
1.2.2.1.3. V 10.04.4 Build 028

 

Release Date

Version 10.04.4 Build 028 – 10 September, 2013

Release Information

Release Type: Enhancement Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version: 

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338, 433

V 10.04.1 Build XXX

451

V 10.04.2 Build XXX

527

V 10.04.3 Build XXX

543

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.
 
Revision History
 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1

1.00-10/09/2013

1.01-18/09/2013

Bug Solved

Bug Detail Updated


 

Introduction

This document contains the release notes for Cyberoam Version 10.04.4 Build 028. The following sections describe the release in detail.

This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.
 

Enhancements

1. Guest User Enhancements

Apart from Guest Users registering themselves using Guest User Portal, Cyberoam now allows the Administrator to configure Guest Users from Web Admin Console. While creating Guest Users from Web Admin Console, Administrator has an option to configure a single user or multiple guest users. The auto-generated credentials and the Internet access details so created can be printed. The following details can be printed:

·        Username

·        Password

·        Expiry Date

·        Validity (Time duration in days)

·        Disclaimer message (Once configured, it can be edited but cannot be removed)

The credentials and Internet access details of guest users registered via Guest User Portal can either be sent via SMS or can be printed. However, the guest users created from Web Admin Console can only be printed.

An Administrator can also choose since when to consider the Guest User to be active i.e. either immediately after registration or after the first login.

Prior to this version, only the Guest User could register themself on Guest User Portal using the Internet access details received via SMS on their mobile phones.

To create Guest Users go to Identity > Guest Users > Guest Users and click Add Single or Add Multiple to add a single or multiple Guest Users respectively. On the same page click Print to print the Guest User details.
 
Further, to add and manage guest users, permissions are to be set for two new entities Guest Users Management and Other Guest Settings from Profile under Identity Administration.
 

2. Extended Two Factor Authentication Support

From this version onwards, the two factor authentication support for Cyberoam Captive Portal is extended to SSL VPN Portal, SSL VPN Client, Cyberoam Web Admin Console, My Account, Reports, 4-Eye Authentication and Open VPN Client for iPhone and Android. When two factor authentication is configured on the third-party Authentication Server, the user needs to provide two means of identification on the clients that support two factor authentication. The user will either have to provide One-Time Password (OTP), PIN or challenge-response token as well as the fixed password to log on into two factor authentication supported cyberoam clients as configured in third party authentication servers like RSA or FreeRadius server.

 

3. Secure Connection over SMTP Mail Notification

With more and more people using the Internet for socializing, personal and professional use, the information shared via Email may not always be secured. Information within Email can be intercepted and/or altered if not encrypted. Privacy and security of confidential and sensitive information has therefore been a growing concern.

A security protocol, Transport Layer Security (TLS) secures the information sent via Email by encrypting Email communication and thereby providing privacy and integrity between SMTP Client and a SMTP Server. Cyberoam supports TLS protocol to provide security over SMTP Mail Notification. With TLS protocol for connection security, Cyberoam automatically encrypts all the Email communications, ensuring the confidentiality for SMTP Mail Notification and hampering the risk of eaves-dropping, interception and alteration.

Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard. The “Connection Security” attribute can be configured with one of the following options:

·        None – Should be selected if TLS protocol is not supported by mail serves and a normal TCP connection must be established without any security.

·        STARTTLS – If the server supports STARTTLS, the connection is upgraded to TLS else continues as a TCP connection without any security.

·        SSL/TLS – Should be selected to establish a secured TCP connection using TLS protocol.

By default, option “None” is configured for parameter Connection Security.

Cyberoam uses certificates to encrypt the data sent over a TLS supported TCP connection. An Administrator can choose to use a default certificate or select a custom certificate.  

By default, “ApplianceCertificate” is used for data encryption for secured TCP connection.

On Factory Reset, the “Connection Security” and “Certificate” parameters are set to its default values i.e. “None” and “Select Certificate” respectively.

Prior to this version, a normal TCP connection was used for communication between the SMTP Client and a SMTP Server for SMTP Mail Notification.

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.
 
Miscellaneous Changes

1. Spam Digest is renamed to Quarantine Digest

From this version onwards, the word “Spam Digest” is renamed to “Quarantine Digest” in the Anti Spam, Identity and My Account modules. Quarantine Digest will quarantine spam Emails. However, the legitimate Emails may be quarantined due to user-defined configurations.

2. Chinese Character Encoding support

CyberoamOS, henceforth supports Chinese character encoding method for Traditional Chinese characters used in Taiwan, Hong Kong and Macau.
 
Bugs Solved

Anti Spam

Bug ID – 14293
Description – Quarantine Mails cannot be released, if the number of connections in Web GUI daemon exceeds its limit of 10.
 

DNS

Bug ID – 14043
Description – Cyberoam is unable to resolve “CNAME” query, if Cyberoam is configured as a DNS server in client machine and root server is used for resolving the “CNAME” query instead of the configured DNS server.
 

Firewall

Bug ID – 14180
Description – The value “Load Balance” of parameter “Backup Gateway” gets automatically changed to the first value that appears in the list, while editing an existing Firewall Rule.
 
Bug ID – 14638
Description – The RTP communication gets disrupted during a SIP call in appliances above CR200iNG and CR200iNG-XP.
 
Bug ID – 14828
Description – Firewall Rule logs are not displayed in the Log Viewer, though “Firewall Rules” is enabled from Configuration “Log Settings” page of Logs & Reports.
 

Network

Bug ID – 11506
Description – 4G-Huawei E3276s-150 LTE modem is not compatible with Cyberoam Appliance.
 
Bug ID – 13654
Description – AirCard 340U modem is not compatible with Cyberoam Appliance. 
 

Online Help

Bug ID – 13890
Description – An error “Error! Unknown document property name.” is displayed on IPS page of Online Help.
 

System

Bug ID – 11554
Description – Cyberoam ceases to function when deployed in Bridge Mode with STP enabled environment.
 

VPN

Bug ID – 11261
Description –  NATing over VPN functions improperly, if a classless subnet is configured and first IP Address of host range does not map with the first valid IP Address of the subnet.

Example:
Site A:
 
Real Network: 10.0.0.0/255.255.252.0
NATted Network: 172.16.20.0/22
 
Site B:
Real Network: 10.0.0.0/255.255.255.248
NATted Network: 192.168.19.216/255.255.255.248
 
If 10.0.0.2 is pinged from Site A to Site B, Cyberoam NATs with 192.168.19.2 instead of 192.168.19.218.
 
Bug ID – 12825
Description – Modified IP Address of “IP Host” configured against NATted IP Address does not come into effect and the Site to Site VPN traffic passes with previously configured NATted IP Address, though the Web Admin Console displays the IP host updated with the modified configuration.  
 

Wireless LAN

Bug ID – 8005
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwi appliances.
 
Bug ID – 11018
Description – A client is unable to get authenticated via external RADIUS server, if the Wireless LAN Network Access Point parameter “Security Mode” is configured either as “WPA-Enterprise or as “WPA2-Enterprise” for CR25wi or CR35wi appliances.
 
Bug ID – 12177
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwiNG appliances.
 
Bug ID – 12637
Description – The tab “Connected Client” of Network Wireless LAN is inaccessible frequently in CRXXwiNG appliances.
 
 
 
1.2.2.1.4. V 10.04.3 Build 543


Release Dates

Version 10.04.3 Build 543 – 6th June, 2013

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:
 

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338, 433

V 10.04.1 Build XXX

451

V 10.04.2 Build XXX

527

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 build 065. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History
 
 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1

2.00-12/06/2013

2.01-19/06/2013

Enhancements

Data Accounting Exception – fine tuned

2

1.00-07/06/2013

2.00-12/06/2013

Enhancements

Revamped the entire section

3

1.00-07/06/2013

2.00-12/06/2013

Miscellaneous Changes

Revamped the entire section

4

1.00-07/06/2013

2.00-12/06/2013

Behavior Change

Revamped the entire section

5

1.00-07/06/2013

2.00-12/06/2013

Known Behavior

Revamped the entire section

      
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.3 Build 543. The following sections describe the release in detail.

This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.

Enhancements

1. Location-aware and Device-aware Identity-based Access Control Policy

With the growing use of wireless networks and mobile devices, companies with offices spread across geographic locations, and increasing mobile workforce, the always-connected world is moving towards an era where location information becomes necessary for access control. To cater to this need of the enterprises, Cyberoam, from this version onwards, supports configuring specific access policies to the users according to location and network parameters like IP Address or MAC address of the device. Administrator even has an option to schedule the access time per location.

The administrator can monitor and analyze the usage through Cyberoam’s user-based reports and re-align access and security policies to match the business interests.

The feature is very useful for organizations where role-based access policy is required for employees and its guest users. 

Steps to implement location-aware policy:

1.     Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from a specific zone.

2.     Create Web Filter policy for the Web categories which you want to allow/deny if the user is accessing from a specific zone.

3.     Create Identity-based Firewall for the specific zones.

4.     Attach an Application Filter and Web Filter policy created in step 1 and 2. By default, the Group's Application and Web Filter policy is applied to the user. Until previous version it was not possible to override these policies.

Steps to implement device-aware policy:

1.     Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from the specific IP Address.

2.     Create Web Filter policy for the web categories which you want to allow/deny if the user is accessing from the specific IP Address.

3.     Create Identity-based Firewall for the specific IP Address.

4.     Attach an Application Filter and Web Filter policy created in step 1 and 2. By default, the Group's Application and Web Filter policy is applied to the user. Until previous version it was not possible to override these policies.

Refer how to configure location-aware Identity-based access control policy for a head office employee who is visiting branch office. The employee’s access control policy will change as per location.  
 
To configure access policies to the users according to location, go to Firewall à Rule à Rule.

2. Password Strength Enforcement for Guest User

To use password as an effective authentication mechanism, it is necessary that password is strong enough to reduce the risk of a security breach.

Cyberoam provides a configurable password strength policy whereby Administrator can enforce password length and complexity making it difficult for an attacker to guess Cyberoam’s auto-generated password. This helps protect the user account from being compromised.

The administrator can configure password length and complexity from Identity à Guest Users à General Settings.

The password can be of three (3) to sixty (60) characters in length. The password can be numeric, alphabetic or a combination of alpha-numeric and special charaters. The default password is alpha-numeric and eight (8) characters long.

The password strength configuration is applicable only when a new password is generated.

3. Data Accounting Exceptions

By default user’s network traffic is considered in data accounting. From this version onwards, the Administrator has the flexibility of excluding certain traffic from the user data accounting.

The option to exclude accounting is provided in the Firewall rule and is visible only when identity is selected. When an administrator creates a user-based firewall rule and excludes the traffic from accounting, the traffic allowed through this firewall rule will not be accounted towards data transfer for the user. Traffic allowed through the non-identity based firewall rule will not be accounted.

This traffic will not be included in the user accounting reports - Internet Usage report and My Account reports, but will be included in the firewall activity reports.

This feature is useful in enterprises that have application servers hosted at the head office or in the Cloud and, the Cyberoam Administrator wants to exclude this traffic from data accounting.
 
To exclude traffic from data accounting, go to  Firewall à Rule à Rule and enable Bypass User Data Transfer Accounting”.

4. Visibility and Protection Within Trusted Zones

From this version onwards, an Administrator can monitor and block traffic within trusted zones (LAN and DMZ) and outbound traffic using the Application Filter and Web Filter policies configured in Firewall Rule. For example, it is possible to block the use of the Jabber instant messaging (IM) within the organization.

With this enhancement, an Administrator can apply Application Filter and Web Filter policies on the following Firewall Rules:   

Destination Zone è 

 Source Zone  ê

LAN

DMZ

Local

VPN

WAN

LAN

P

P

O

P

P

DMZ

P

P

O

P

P

VPN

P

P

O

P

P

WAN

O

O

O

O

O

Prior to this version, Application Filter and the Web Filter policy could be configured only on web traffic (LAN to WAN) in a Firewall Rule.

To configure Application Filter Policy and Web Filter Policy for internal traffic, go to Firewall à Rule à Rule.

5. Optimized Virtual Machine Image Size

Cyberoam’s Virtual UTM image size is now approximately 350MB - reduced by approx 600MB to save bandwidth and download time.

Customers can download Virtual UTM distribution package from the customer portal.

6. Granular Outbound Spam Configuration from Web Admin Console

Now Administrator can configure Outbound Spam Filter policies from Web Admin Console. The administrator can configure granular control in terms of blocking, allowing or quarantining mails from specific email addresses, IP Address or Domain. The administrator also has a flexibility to reject, drop, or change the mail receiver if the email is identified as spam. These configurations are available through Anti Spam menu.

Subscription details

Prior to this version, it was not possible to configure Inbound and Outbound spam filtering simultaneously. From this version onwards, Cyberoam can scan both inbound and outbound SMTP emails for spam to stop wasting employee’s time and mail server’s resource and stop your mail server from getting blacklisted.  

Changes on the Web Admin Console

Once the Outbound Spam module is subscribed, to differentiate between inbound and outbound configuration word ‘Inbound’ will be prefixed to all the UI labels, for example, label ‘Anti Spam Module Has Identified Mail As’ will be displayed as ‘Inbound Anti Spam Module Has Identified Mail As’.

Changes in Reports

Following reports will be renamed to represent the Inbound spam activity:

Report Name

(when only Anti Spam module is subscribed)

Report Name

(when both Anti Spam and Outbound Spam modules are subscribed)

Top Spam Recipients

Top Inbound Spam Recipients

Top Spam Senders

Top Inbound Spam Senders

Spam Reports

Cyberoam-iView provides reports for Outbound spam activities taking place in organization network. The report includes senders, recipients, and countries. It helps the administrator to identify compromised accounts and zombie computers in the network and take a corrective action. View following outbound spam reports from Reports à Spam:

1)     Top Outbound Spam Recipients

2)     Top Outbound Spam Senders

To configure Outbound Spam Filter policies, go to Anti Spam à Spam Rules à Spam Rules.

7. Protection against Abuse of Administrative Privileges

From this version Cyberoam supports a new entity named Administrator User - added in Profile under Identity Configuration. The administrator with Read-Write permission for this new entity will be able to create new administrator accounts, change password of other administrator accounts and control their permission levels. The administrator with Read-Only permission will only be able to change their own password and Email Address.

Go to the System à Administration à Profile and under Identity Configuration, configure access rights of the entity Administrator Users.

After migrating or upgrading to this version, original permissions will be retained for all the profiles except Security Admin profile. Read-Only permission is set for Administrator User entity in Security Admin profile. 

8. ConnectWise – Third-Party Integration

ConnectWise enables the organizations to connect and communicate through one unified and integrated operational platform. It provides organizations with integration and management of Help Desk, Services, Sales, Marketing, Finance, Project etc. through a single operational platform. 

With this version, Cyberoam-iView allows the administrator to send a set of data to the ConnectWise server. The administrator can now view this data as reports on the ConnectWise server without logging into Cyberoam UTM.

To integrate ConnectWise with Cyberoam-iView, log on to Cyberoam-iView and go to System à Configuration à ConnectWise. To know more, refer to Cyberoam Integration with ConnectWise.

Once integrated, the following Cyberoam reports will be displayed on the ConnectWise server:

Cyberoam Reports

ConnectWise Reports

Web Usage à Top Domains

Top Sites

Blocked Web Attempts à Top Denied Domains

Filtered Sites

Internet Usage à Top Users

Bandwidth

Attacks à Top Attacks

Intrusion

9. Two Factor Authentication Support for Captive Portal

From this version Cyberoam supports two factor authentication for the Captive Portal users. When two factor authentication is configured on the third-party Authentication Server, the user has to provide two means of identification. The user will either have to provide One-Time Password (OTP), PIN or challenge-response token as well as the fixed password to log on into Cyberoam Captive Portal as configured in third party authentication servers like RSA or FreeRadius server.

10. Controlled Access to a Specific Page on a Web Site

From this version onwards, Cyberoam allows the Administrator to provide the complete URI of specific domain to be allowed or blocked. This will facilitate the Administrator to control a specific page on a website, without using a blanket-blocking rule to block the full Website.

A URI is a combination of a Uniform Resource Locator (URL) and a Uniform Resource Name (URN).

Example:

·         URI – http://www.testofuri.com/url/name-of-domain.html

·         URL – http://www.testofuri.com/url/

·         URN – name-of-domain.html

Prior to this version, only URL’s were supported in the “Domain” field of parameter “Domain/Keyword”.

To add a URL in the Web Category, go to Web Filter à Category à Category and add URI in the “Domain” field of the parameter “Domain/Keyword”.
  

Miscellaneous Changes

1. Configure Mail Server Address as a FQDN or an IP Address

From this version onwards, configure Mail Server Address as a FQDN or an IP Address.

This flexibility will help the Administrator to change the IP Address of a host without affecting name-based queries to the machine.

To configure go to the System à Configuration à Notification.

2. Validate Mail Server Configuration

Use Test Mail option to send a test mail to validate the mail server configuration and connectivity. Administrator can check the System Logs from Log Viewer to ascertain the reason of failure if Cyberoam is not able to send the test mail.

To configure go to the System à Configuration à Notification. 

3. Usability Improvement - Labeled Buttons

For ease of use following icons on the top left panel on the Cyberoam screen are labeled:

·         Dashboard

·         Wizard

·         Report

·         Console
 

Behaviour Change

VPN Services

Minimum one policy is required to access VPN services like SSL / IPSec / L2TP / PPTP. On deleting all the policies, the respective service will not be available.

To use GRE tunnel, service should be enabled. 

Guest User Registration Portal

Guest User Registration portal now uses on port 8090 instead of port 80. 
 
 

Known Behaviour

SSL VPN Client Version 1.2.7

The user automatically is logged into Cyberoam even when “Autologin” and “Save Username and Password” options are disabled. 

Bugs Solved

Anti Spam

Bug ID – 13461
Description – User does not receive Spam Digest Emails from Cyberoam as per the Quarantine Email Frequency configured from Anti Spam Digest Settings page.

CLI

Bug ID – 8755
Description – DHCP name value gets truncated after space or special characters, on configuring it from Cyberoam Console.

GUI

Bug ID – 12823
Description – CPU utilization is high in CR35XXXX and lower appliances, if the parameter “Update Mode” is selected as “Appliance will fetch updates from Central Management” and Connection protocol as “HTTPS” on the Central Management page of System Administration.

Bug ID – 12958
Description – The default country code selected at Guest Users General Settings page is not reflected on the Guest User Registration page, if there exists more than one country having same country code.

Bug ID – 13459
Description – IPSec VPN Tunnel Connection "Status" button for indicating partial connection is blue in color instead of yellow in iNG appliances.

IPS

Bug ID – 11754
Description – Categories cannot be edited while adding a new IPS Policy.

Network

Bug ID – 12440
Description – PPPoE interface do not receive an IP Address, if Cyberoam sends a connection request to the PPPoE server before the interface turns on.

Proxy

Bug ID – 11433
Description – Windows updates are getting failed, if Cyberoam is configured as a direct proxy or HTTPS scanning is enabled from Firewall Rule. 

Report           

Bug ID – 12647
Description – An error message “Internal server error” is displayed for Version 9 reports, on upgrading the Cyberoam Firmware to Version 10.04.1 Build 451.

SSL VPN

Bug ID – 112
Description – A warning message “Glob.mdb file not found. Localization will not be available.” is displayed on rebooting the Windows machine, though the SSL VPN Client is successfully installed on it.
 
Bug ID – 151
Description – SSL VPN tunnel gets disconnected after 60 minutes in Windows XP, 7 and 8 with SSL VPN Client Version 1.1.7.
 
Bug ID – 160
Description – SSL VPN Client cannot add more than 54 routes.
 
Bug ID – 13377
Description – SSL VPN Application Access Mode does not get initiated, on upgrading Java to Version 7 update 21.

User

Bug ID – 12898
Description – User accounting does not reset on clicking “Reset User Accounting” from Users Identity page, if multiple users log into Cyberoam using Web Portal, Corporate Client and iOS Web Client. 

Virtual CR

Bug ID – VCR-51
Description – At the time of shut down, HyperV halted. 

VPN

Bug ID – 10469
Description – Avaya phone fails to reconnect to VPN, when the phone restarts while the VPN connection is live.

Bug ID – 11066
Description – Multiple IPSec VPN tunnels could not be created for different local subnets having same remote network using different IPS links.

Bug ID – 13152
Description – Administrator does not receive an Email Alert when IPSec Tunnel connection flaps and fails to re-establish connection after detecting a dead peer, even if the parameter “Action When Peer Unreachable” is selected as “Re-initiate” on VPN Policy page. 

WAF

Bug ID – 11024
Description – A website opens partially, if the website’s HTML data includes incomplete end tags and WAF is enabled from the Firewall Rule.

Bug ID – 12162
Description – The website http://gozaresh.shaparak.com does not open, if WAF is enabled from Firewall Rule. 
 
 
1.2.2.1.5. V 10.04.2 Build 527
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the below given steps:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.


Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version release is compatible with the Cyberoam Central Console V 02.02.0 Build 051.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.


Revision History

 
 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

-

-

-

-

-

 

 

Introduction

This document contains the release notes for Cyberoam Version 10.04.2 Build 527. The following sections describe the release in detail.

This release comes with a few enhancements and a bug fix to improve quality, reliability and performance.
 
Enhancements
 
1. USB Support for Dial-In (CR15iNG & CR15wiNG models only)
From this version onwards, Cyberoam supports DB9 modem with USB port. Further, USB modem can also be connected directly to the USB port of the Appliance.

Cyberoam supports following ports across CR15XXX Appliances:

Type of Port

Cyberoam Appliance

Behavior

Serial Port

CR15i

The appliance will reboot automatically on serial dial-in enable/disable.

CR15wi

USB Port

CR15iNG

The appliance will not reboot automatically on serial dial-in enable/disable.

CR15wiNG

DB9 and USB modem both can be physically connected to the USB ports simultaneously. But, request will be served only through the modem which is detected first by Cyberoam.
 
 
2. Power Management Support for Virtual Cyberoam

From this version onwards, graceful shut down is supported for VMware Workstation and ESX. One can shut down using options “Shut Down Guest” or “Restart Guest”.

Prior to this version, using these options from the VMware brought the system to an abrupt halt.
 
 
3. Static IP Address Assignment Support for L2TP and PPTP VPN Users

From this version onwards, static IP Addresses can be assigned to L2TP and PPTP users.

Prior to this version, IP Address was leased from the configured IP Address range.         

To configure Static IP Address for L2TP and PPTP users, go to Identity à Users à Users.
 
 
4. Lease IP Address Through RADIUS Server to L2TP And PPTP VPN Users

From this version onwards, apart from authenticating users, Radius Server can now also be used to lease IP Address to L2TP and PPTP users.

If the option “Allow leasing IP Address from Radius server” is enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.

Prior to this version, Radius Server was used only for authentication.

To allow Radius Server to lease IP Address to L2TP user, go to VPN à L2TP à Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is in disable mode.

To allow Radius Server to lease IP Address to PPTP user, go to VPN à PPTP à Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is in disable mode.
 
In no IP Addresses are configured on the Radius Server, the Static IP Address configured for the user will be assigned, else IP Address will be leased from configured IP Address Range.

 
5. Guest User Registration Enhancements

Configure default country code

From this version onwards, Cyberoam allows the Administrator to configure a default country code on the Guest User Registration page.

To configure default Country Code, go to Identity à Guest Users à General Settings and select “Default Country Code”.
 

Option to Disable CAPTCHA Verification For Guest User Registration

Cyberoam now allows the Administrator to Enable or Disable CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) verification on Guest User Registration page. By enabling CAPTCHA Verification the administrator can protect Cyberoam against attacks generated by automated programs.


By default, CAPTCHA Verification is enabled.

To disable CAPTCHA Verification on Guest User Registration page, go to Identity à Guest Users à General Settings and enable/disable “CAPTCHA Verification”.
 
 
6. Captive Portal Enhancements

From this version onwards, the tab-title on the Captive Portal login screen of HTTP/HTTPS Web Client User Portal is renamed as “Captive Portal”.

In previous versions, the tab-title was “Cyberoam”.
 
 
7. SMS Gateway Enhancement

Cyberoam now supports using both HTTP and HTTPS URL to send an SMS request to external SMS Gateway. The service provider defines the URL protocol.

Prior to this version, Cyberoam supported only HTTP URLs.

To configure URL for SMS Gateway, go to Identity à Guest Users à SMS Gateway.
 
 
8.  OpenVPN Connect Support for Apple iOS

From this version onwards, Cyberoam supports OpenVPN Connect application in iOS. Using this application the user can connect to Cyberoam using SSL VPN.

Bugs Solved

SSL VPN

Bug ID – 12429
Description – Active Directory User cannot log in through the SSL VPN Portal and SSL VPN Client, if the user has a domain name with i18n characters.
 
1.2.2.1.6. V 10.04.1 Build 451


Release Dates
Version 10.04.1 Build 451 – 7th March, 2013
Release Information
Release Type: Maintenance Release
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version:
 
V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338, 433

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.


Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
 
This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version release is not compatible with the Cyberoam Central Console. 

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 

Revision History

 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1.

1.04 -06/03/2013

1.05 -14/03/2013

Compatibility Annotations No Cyberoam Central Console Support for this Cyberoam Firmware.
2.  1.04 -06/03/2013  1.05 -14/03/2013 Enhancement: Backup Restore Compatibility for Cyberoam Wi-Fi Appliances Removed the mention of “wi” and “wiNG” series of appliances in Note.
Introduction

This document contains the release notes for Cyberoam Version 10.04.1 Build 451. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Enhancements 
1. Backup Restore Compatibility for Cyberoam Wi-Fi Appliances

From this version onwards, the backup of CR (i or ia or iNG) series can be restored on CR (wi or wiNG) series, but vice-versa is not true.

Also, the backup of Cyberoam Virtual Appliance can be restored on CR wi series and CR wiNG series, but vice-versa is not true.

The facility to restore backup of CR i series on CR wi series is applicable from Version 10.01.0.667 and above.

To restore backup of physical appliance (i series, ia series, iNG series) to Virtual Appliance, equal or more number of ports must be created in Virtual Cyberoam Appliance.

For further information, refer Backup Restore Compatibility Matrix.
 
 

2. Time and Data Transfer Threshold based iOS User Logout

From this version onwards, Cyberoam supports data transfer and inactivity timeout thresholds to logout iOS Web Client user.

With this enhancement, once the user logins in Cyberoam using Captive Portal, a periodic check for the total data transferred is done at every three (3) minutes of the configured time period. If the total data transferred in the given time period is equal or more than the configured data transfer value, the user continues to remain logged in and the timer is reset. However, if the total data transferred is less than the configured value, the user will be logged out.  

Prior to this version, the user had to login every time from iOS device for accessing Internet, if the device was kept idle.

Example:

Inactivity Timeout = 13 minutes

Data Transferred Threshold = 2500 Bytes

In this case, the user is logged out if the data transferred is less than 2500 Bytes for 5 consecutive cycles of 3 minutes each. Here the number of consecutive cycles is derived:

Number of consecutive cycles = (Inactivity Timeout value / 3 minutes)

        = 13 minutes/3 minutes

        = 4.33

        ~ 5 (Ceiling Value)

Logout on Browser close and Keep Alive Request for Captive Portal is not supported with iOS device.  

Client type – “iOS Web Client”, is displayed on Web Admin Console of Cyberoam Live Users page. 

 

Known Behavior

A user cannot logout once authenticated with Cyberoam using Captive Portal, if the device uses following iOS and MAC OS platforms:

iOS

MAC OS X

6, 6.0.1, 6.1 and onwards

10.7 Lion

10.8 Mountain Lion

This behavior is due to the Apple OS feature “Captive Network Assistant”. The user will be logged out in case of following events:

·         Inactivity time-out

·         Administrator disconnects the User from Live User Page

To configure logout based on data transfer and inactivity on iOS device, go to Identity à Authentication à Firewall and specify “Inactivity Time” and “Data Transfer Threshold” in the section iOS Web Client Settings.
 
 

3. SMS Gateway Enhancements

From this version onwards, Cyberoam supports sending SMS request to SMS Gateways that uses one of the following HTTP methods:

· Get

· Post

By default, Cyberoam supports SMS Gateways with HTTP method “Post”.

The service provider defines the method to be used for sending SMS request.

Prior to this version, only HTTP Method “Post” was supported for sending SMS request to SMS Gateway.

To configure HTTP Method for SMS Gateway, go to Identity à Guest Users à SMS Gateway. 


Also, from this version onwards, Administrator is allowed to configure the prefix value to be used with the cell number.

Number Prefix precedes the Country Code and the cell number, in case service provider defines to use both, the Number prefix and the Country Code.

Example:

Number Prefix

Country Code

Cell Number

Cell Number Format

û

û

99XXXXXXXX

99XXXXXXXX

û

ü

(Country: India=91)

99XXXXXXXX

9199XXXXXXXX

ü

(Number Prefix: +)

û

99XXXXXXXX

+99XXXXXXXX

ü

(Number Prefix: +)

ü

(Country: India)

99XXXXXXXX

+9199XXXXXXXX

Number Prefix can include alpha-numeric and ASCII special characters. It can be up to 4 characters long.

The service provider defines the prefix value to be used.

To configure Number Prefix for SMS Gateway, go to Identity à Guest Users à SMS Gateway.
 
 

4. Captive Portal Enhancements

From this version onwards, Administrator can use up to 6000 characters to configure the Captive Portal Login Page Header or Footer.

Prior to this version, upper threshold limit was 3000 characters.

To configure the Header or Footer of Captive Portal Login Page, go to System à Configuration à Captive Portal.

Further, from this version onwards, Cyberoam allows the Administrator to customize the availability of the “User My Account” link on Captive Portal page.

To customize “User My Account Link” on Captive Portal page, go to Identity à Authentication à Firewall and enable/disable “My Account Link”. By default, it is in enable mode.

Prior to this version, “My Account Link” was not configurable and the “User My Account” link was available on the Captive Portal page.
 
 

5. i18n Support for SSL VPN Client

From this version onwards, Cyberoam provides i18n support for SSL VPN Client.
 

Bugs Solved

Anti Spam

Bug ID – 11223
Description – Emails rejected by Cyberoam IP Reputation are not filtered with Action selected as “Reject” in Log Viewer Anti Spam, due to mismatch in the case of word “REJECT”.
 
Bug ID – 11414
Description – Emails scanned by Cyberoam are converted into unreadable text, on upgrading the Cyberoam Firmware from Version 10.02.0.224 to Version 10.04.0.304, if SMTP protocol is integrated with DKIM.
 

Anti Virus

Bug ID – 10940
Description – A file “eicar.com.txt” attached in an Email over SMTP protocol is not detected by Anti Virus module.
 

Backup-Restore

Bug ID – 11814
Description – Backup from CR15iNG and CR15wiNG cannot be restored on CR15i and CR15wi, if backup is configured with SSL VPN Bookmark.
 

NTLM

Bug ID – 9436
Description – User do not get authenticated via NTLM, if Active Directory is installed on VMware workstation.
 
Proxy
Bug ID – 3943
Description – YouTube videos integrated on any website cease to function, if the parameter “Enforce Safe Search” is enabled from Web Filter Settings page.

Bug ID – 7073
Description – The website http://www.treasury.gov/ofac/downloads/t11sdn.pdf  cannot be opened in direct proxy deployment mode.
 
Bug ID – 10867
Description – NTLM authentication fails and HTTP/S based Web Access often drops, if NTLM reinitializes due to flapping of Active Directory connection.
 

Reports

Bug ID – 10309
Description – Administrator receives a blank Email, if a parameter "Send email at" of Email Frequency is configured between 1am to 3am in On-Appliance iView.
 
Bug ID – 10931
Description – On-Appliance iView Report Notification ceases to function, if a Custom View report having a bookmark is configured for parameter "Report Group" from Add Report Notification page.
 
Bug ID – 10958
Description – Report Notification cannot be edited on migrating to Cyberoam Firmware Version 10.02.0.0473 or higher, if description was not provided while adding an On-Appliance iView Report Notification in the Firmware Version older than 10.01.0.0667.
 
Bug ID – 11262
Description – Administrator receives blank Report Notification Emails for Web Usage, Top Attack and Block Attempts, if multiple report notifications are configured with the same time from the Report Notification of System in On-Appliance iView.
 
Bug ID – 11360
Description – The Virus Report Notification Mail do not display logs for “Top Users-Web Virus Reports” on upgrading the Cyberoam Appliance Firmware to Version 10.02.0473 or above.
 

SSL VPN Client

Bug ID – 11698
Description – Resources cannot be accessed, if the username does not have proper case while logging into SSL VPN Client.
 

VPN

Bug ID – 11977
Description – Site to Site VPN ceases to function, on upgrading the Cyberoam Firmware from Version 10.02.0.473 to Version 10.04.0.311, if a Local Subnet is NATted with a single IP Host from IPSec VPN Connection page.
 

Web Filter

Bug ID – 3553
Description – An improper message is displayed on Web Admin Console while adding a domain if the keyword for it is already existing.
 
 
1.2.2.1.7. V 10.04.0 Build 433


Release Dates
Version 10.04.0 Build 433 – 11th January, 2013 
Release Information
Release Type: Maintenance Release
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version:
 
  

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

214, 304, 311, 338

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

  

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 

Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.

This Cyberoam version release is compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 

Revision History

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1. 1.00 -10/01/2013 1.01 -25/01/2013 Enhancements Modes for SSL VPN Passphrase Reception
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.0 Build 433. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Enhancements
 

1. Modes for SSL VPN Passphrase Reception
From this version onwards, Cyberoam provides option to select a mode using which the Administrator receives SSL VPN Certificate Passphrase. The Administrator can select from one of the following modes to receive the SSL VPN Passphrase:
 
  1. Client Bundle
  2. On-screen Link
  3. Email

SSL VPN tunnel is established once the user is authenticated with SSL VPN Client and the Certificate is authenticated using the Passphrase.

If SSL VPN Passphrase is chose to be received via Email, it is mandatory to configure Email Address from Identity àUsers à Users and SMTP Mail Server from System à Configuration à Notification in the section Mail Server Settings.

To configure the mode for receiving the Passphrase, go to System à  Administration à Settings and select from the options available against parameter "Receive Passphrase via" of section SSL VPN Settings.

By default, the Administrator receives the Passphrase in the SSL VPN Client Bundle.

Prior to this version, passphrase for certificate authentication was delivered in SSL VPN client bundle.


1. Manage Cyberoam Appliance(s) behind any NATed Device Through CCC
From this version onwards, the administrator can configure and manage Cyberoam appliance(s) which are deployed behind any NATed device. This feature was not available in prior versions.
 
To manage configuration updates, go to System à Administration à Central Management
 

CCC Firmware Version Supported: 02.01.4 Build 072

 

2. Report Export Customization

With this version, Cyberoam iView allows the administrator to customize maximum limit of records to be exported to MS-Excel.

Prior to this version, the administrator was allowed to export a maximum of 1000 records at a time. Now this limit can be set as follows:

Model Number

Maximum Records per Widget

·         CR 25ia/25wi

·         CR 25iNG/6P

·         CR 25wiNG/6P

·         CR 35ia/35wi

·         CR 35iNG/35wiNG

·         CR 50ia

·         CR 100ia

10000

·         CR 50iNG

·         CR 100iNG

·         CR 200i

·         CR 300i

25000

·         CR 500ia/RP/F/10F

·         CR 750ia/1F/10F

·         CR1000ia/10F

·         CR 1500ia/10F

·         CR 2500iNG

50000

 


The administrator can also configure ‘Start Record’ number and ‘End Record’ number to be exported if all the records are not needed.

To enable Export Customization option, go to System → Configuration → Data Management and enable ‘Export to Excel Parameters Customization’.

By default this option is disabled and the record export limit is 1000 records, per report type. 

It is recommended to export the records during the time interval when the network traffic is minimal as this process will increase system resource utilization and it might adversely affect the appliance performance. 

Bugs Solved

Anti Spam

Bug ID – 11388
Description – Commtouch (CTCH) headers are displayed in the auto generated Emails, if SMTP or POP3 or IMAP scanning is enabled from the Firewall Rule.
 

DHCP Relay

Bug ID – 10645
Description – DHCP Relay service do not start when IPSec VPN is configured on dynamic interface and DHCP Relay is configured on it.
  

Firewall

Bug ID – 11328
Description – Virtual Host for VPN zone cannot be created on migration from Version 9 to Version X, if there exist customized zones before the migration, leading to a mismatch in zone type and zone ID.
 
Bug ID – 11564
Description – Virtual Host ceases to function on migrating Cyberoam appliance to 10.04.0.304, if it is configured on multiple WAN PPPoE interfaces to single mapped IP Address.
 

GUI

Bug ID – 9010
Description – Web Admin Console is accessible if user navigates to it using "Back" and "Forward" button in succession, even though option "Lock Admin Session" is selected.
 
Bug ID – 9494
Description – The parameter “QoS” on the Firewall Rule page displays “None”, on editing a Firewall Rule having QoS policy already applied to it.
 
Bug ID – 10443
Description – Test connection result for Guest User SMS Gateway displays the country code of Afghanistan, if it is tested without providing a country code.
 
Bug ID – 10499
Description – An error message “Web Server not exists to Add Exception” is displayed while configuring an exception from the WAF Alert page, if the Web Server name contains a special character “underscore ( _ )”.
 
Bug ID – 11145
Description – A keyword configured with space in Custom Web Filter Category of Web Filter prior to firmware version 10.04.0.214 cannot be deleted, if Cyberoam firmware is upgraded to firmware version 10.04.0.214.
 
Bug ID – 11533
Description – Background colors are not reflected on Captive Portal header and footer while viewing the preview of its configuration.
 
Bug ID – 11555
Description – The Category parameter “Action” do not get updated to “Allow Packet” on editing, if the “Recommended Action” against the signature is “Drop Packet” in the IPS Policy.
 
Bug ID – 11586
Description – The words “Anti Virus” and “Definition” are mis-spelled as “Antivurs” and “Defination” on the Log Viewer page of Logs & Reports.
 
Bug ID – 11602
Description – The Web Admin Console becomes inaccessible and an error message “Internal server Error” is displayed, if the backup file of CR25ia is restored on CR25iNG and both of the appliances have different themes configured.
 

High Availability

Bug ID – 11345
Description – IP Address based Virtual Host ceases to function when the WAN interface is configured as a monitoring port in Active-Active mode of HA and both the appliances are rebooted simultaneously.
 

Network

Bug ID – 11383
Description – 3G Gateway status is displayed as “Active” although, the 3G modem is unplugged.
 
Bug ID – 11545
Description – DHCP Server do not lease IP Address to WLAN Clients, if the LAN and WLAN are in same subnet.
 

SSL VPN

Bug ID – 11486
Description – Application Access Mode fails to initiate, if the parameter “Select Client Certificate” is blank while configuring Tunnel Access from SSL VPN.
 

System

Bug ID – 11448
Description – Picture fails to appear during a video conference, if the number of channels exceeds the protocol h323’s default unidirectional channel limit of 4.
 

User

Bug ID – 10286
Description – Guest users do not get purged automatically on expiry of user validity though the option "auto purge" is enabled.
 
Bug ID – 11403
Description – An error message is displayed while testing the Authentication Server connection on the French language Web Admin Console, if the parameter “Display Name Attribute” is left blank while adding it.
 

VPN

Bug ID – 5438
Description – Branch office does not re-initiate the connection automatically once disconnected even when Action on VPN Restart is set to “Initiate”. One has to manually re-connect or set re-key margin as zero.
 
Bug ID – 9935
Description – Cyberoam do not allow opening the configuration management of L2 switch while deploying Cyberoam in Bridge Mode, if L2 switch is configured in LAN Network of the Head Office and is accessed via the Branch Office.
 
Bug ID – 11444
Description – VPN to Static link failover occurs 10 minutes after the tunnel goes down, if IPSec routes do not get flushed from Cyberoam on Dead Peer Detection (DPD).
 
Bug ID – 11557
Description – Connection list of IPSec-VPN traffic do not get flushed on disabling an IPSec-VPN connection from any peer end.
 
Bug ID – 11640
Description – Dead Gateway Detection (DGD) service ceases to function, if VPN Connection is configured with name as VPN and added in VPN Failover Group.
1.2.2.1.8. V 10.04.0 Build 214, 304, 311, 338


Release Dates
Version 10.04.0 Build 214 – 24th September, 2012
Version 10.04.0 Build 304 – 19th November, 2012
Version 10.04.0 Build 311 – 04th December, 2012
Version 10.04.0 Build 338 – 12th December, 2012
Release Information
Release Type: General Availability
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version: 
 
   

V 10.01.0XXX or 10.01.X Build XXX

All the versions

V 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”. 

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 
 

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.
 
This Cyberoam version release is compatible with the Cyberoam Central Console.
 
Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
        

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1.

1.00 -24/09/2012

1.00 -19/11/2012

Enhancement

Added enhancement “Access Denied Page Optimization”

2.

1.00 -24/09/2012

1.00 -19/11/2012

Bugs Solved

A bug (Bug ID – 11463) is added to Certificate. 

3.

1.00 -19/11/2012

1.00 -04/12/2012

-

Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG.

4.

1.00 -04/12/2012

1.00 -12/12/2012

Features

Appliances not supporting Outbound Spam list now includes:

CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i

  
 
Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.
 
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Features

1. Compatibility with CISCO™ VPN Client

From this version onwards, Cyberoam is compatible with Cisco IPSEC VPN client.

This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam.

To support this feature, a new page “CISCO™ VPN Client” is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.
 
 
Compatibility
1. At present only the native Cisco IPSEC client, present in Apple iOS (iPhone and iPad) and Windows are supported. The details of the versions supported are as provided below:  

Apple iOS

Windows

Windows OS

Cisco Desktop Client

4.3

Win XP- all service packs

V 4.1 and 4.8

5.0.1

Win 7

V 5.0 – Beta Version

5.1.1

Windows Vista

V 5.0 – Beta Version

 Known Behavior

1. Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect.

2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving Cisco IPSec VPN Clients.

3. When any clients are already connected and the CISCO™ VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized.

CISCO VPN Client is available for download only to users that are authorized by the Administrator. 

IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN ® Cisco™ VPN Client ® CISCO™ VPN Client.


2. L2TP Over IPSec VPN Support for Android Devices
From this version onwards, Android device as a L2TP/IPSec Client will be supported by Cyberoam. 

User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication. 

No special configuration is required in Cyberoam Web Admin Console or CLI.

Android Compatible Version: 2.1 Éclair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb

Enable “Add L2TP/IPSec PSK VPN” option of Android device to configure VPN tunnel.
 
This feature has a backward compatibility support from version 10.01.0 Build 667 onwards. 
 
 
3. Outbound Spam

From this version onwards, Cyberoam will provide Outbound Spam to identify internal Spam. This feature will help the Internet Service Providers (ISPs) to identify and block any user trying to send spam mails by utilizing their network.

Outbound Spam filtering is a subscription module.

Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.

This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.

To view logs, go to Logs & Reports ® Logs Viewer and select option “Anti Spam” for parameter “View logs for”
 
 
4. YouTube Education Filter

From this version onwards, Cyberoam will allow access to YouTube videos deemed as “educational” via a special portal “YouTube EDU” while being within a school network.

YouTube EDU consists of two sections, “YouTube.com/Teachers” and “YouTube for Schools”.

“YouTube.com/Teachers” educates teachers how to make optimum use of YouTube within the classroom. On the other hand, “YouTube for Schools” is a network setting, which redirects the video traffic, making it possible for schools that block YouTube to unblock and allow access to YouTube EDU (Youtube.com/education). The teachers and Administrators decide what videos must be made available to the students, making a safe and a controlled environment for students.

To allow educational videos via Cyberoam, school authority is required to get the school registered for "YouTube for School". On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.

E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
1. Field Name: X-YouTube-Edu-Filter
2. Field Value Format: Alphanumeric [a-z][A-Z][0-9]
3. Field Value Length: up to 44 characters

To allow YouTube EDU via Cyberoam, go to Web Filter ® Policy ® Policy and specify the unique ID in the textbox against parameter “YouTube Education Filter”.

As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked:
1. youtube.com
2. ytimg.com
 
To access https://www.youtube.com, HTTPS scanning must be enabled.
 
 
 5. 4G LTE Modem 
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:
1. Connection to 3G/4G networks

2. DHCP Modems

3. Modem plug-in and plug-out auto detection

4. Auto Connect type of behavior if the same modem is re-plugged in
Further, Cyberoam provides recommended values (auto detected) for modem configuration.
To configure a 4G modem, go to Network ® Wireless WAN ® Settings.
 
CLI Commands
1. Command: cyberoam wwan query serialport <serialport>  ATcommand <AT command> 
To view the Wi-Fi modem information (if plugged - in)
E.G. cyberoam wwan query serialport 0 ATcommand ati
 
2. Command: cyberoam wwan show
To view the Wi-Fi modem information and the recommended configuration (if plugged - in)  
 
 
Enhancements

1. DHCP Server Optimization 

Support for Diverse Topologies

Cyberoam now adds the capability of configuring DHCP for downstream networks that are connected to Cyberoam through relay, or through IPSec VPN. With this enhancement, Cyberoam will be able to assign IP Addresses to:

· Directly connected primary or alias networks

· Connected through relay

· Connected over IPSec VPN

Prior to this version, Cyberoam support DHCP configuration only for a primary network only.  

Lease Report Enhancement

Cyberoam’s Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address.

To view these reports, go to Network ® DHCP ® Lease

CLI Commands

1. Command: cyberoam dhcp lease-over-IPSec enable
To enable IP Lease over IPSec for all the DHCP servers.
 
2. Command: cyberoam dhcp lease-over-IPSec disable
To disable IP Lease over IPSec for all the DHCP servers (Default Value).
 
3.     Command: cyberoam dhcp lease-over-IPSec show
To display all the IP Lease over IPSec configuration.
  
2. Multicast over IPSec VPN tunnel
From this version onwards, Cyberoam will support secure transport of multicast traffic over un-trusted network using IPSec/VPN connection.

With this enhancement, now it is possible to send/receive both unicast and multicast traffic between two or more VPN sites connected through public Internet. This removes the dependency of multicast aware routers between the sites connecting via IPSec/VPN.
Prior to this version, this was possible using GRE tunneling however, the packets could not be encrypted.

Any unicast host wanting to access a multicast host shall require to be configured as an explicit host (with netmask /32) in VPN configuration.

Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both, static as well as dynamic interfaces (PPPoE, DHCP).
To configure Multicast over IPSec/VPN connection go to Network ® Static Route ® Multicast.
 
CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>  
To forward multicast traffic coming from a given interface to another interface.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>  
To forward multicast traffic coming from a given interface to GRE tunnel.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore 
 
3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from IPSec tunnel to an interface.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given IPSec tunnel to GRE tunnel.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel  gre name Elitecore
 
7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from a GRE tunnel to an interface.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> 
To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1
 
9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec 
To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
To delete multicast route.
E.G. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.


 

3. E-mail Alert for IPSec Tunnel Connection Flapping

From this version onwards, if the IPSec VPN tunnel connectivity is lost, Cyberoam will notify the Administrator via an E-mail alert, specifying the reason for the connection loss. E-mail alert will be sent on the configured E-mail Address.

Upon configuring E-mail alerts via the available single central configurable option, it will automatically be applicable on all the IPSec tunnels.

An E-mail will be sent only for Host to Host and Site to Site tunnel connections; if it flaps due to one of the following reasons:

1.      A peer is found to be dead during Dead Peer Detection (DPD) phase.

2.      Failed to re-establish connection after Dead Peer Detection (DPD)

3.      IPSec Security Association (SA) is expired and is required to be re-established.

4.      IPSec Tunnel comes up without administrator intervention after losing the connectivity 

E-mail sent to the administrator shall contain following basic information:

1.     IPSec Connection name

2.     IP Addresses of both participating hosts/network

3.     Current state of the IPSec Tunnel connection, viz., Up or Down

4.     Exact Time when the IPSec Tunnel connection was lost

5.     Reason for lost of IPSec Tunnel connection

6.     Appliance Model Number

7.     Firmware version and build number

8.     Appliance Key (if registered)

9.     Appliance LAN IP Address

10. HA configuration – Primary/Auxiliary (if configured)   

An E-mail will be sent for each subnet pair in case of Site to Site connections, having multiple local/remote networks.

An E-mail sent with respect to IPSec Tunnel coming up shall not have any reason mentioned within.

Description of IPSec Tunnel connection shall be included in the E-mail, only if information for same is provided by the administrator.

To enable E-mail alerts for IPSec tunnels, go to System ® Configuration ® Notification ® E-mail Notification and check option “IPSec Tunnel UP/Down”.
 
 
4. Enhancement in AD Integration

From this version onwards, Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers at a push of Purge AD Users button. Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a user’s entry is not found in any of the external server(s), it is purged from Cyberoam too.

The purge operation will not interrupt user login/logout and accounting events.

While the purge activity is in progress and if the server connectivity is lost, the activity will be aborted.

If a user entry is purged, it will be deleted from both, Primary and Auxiliary Cyberoam Appliance.
 
To purge the users, go to Identity ® Users ® Users and click “Purge Users” button.

Further, when the User logs in to the Cyberoam, and if the E-mail Address of that User is configured on the external Active Directory server/LDAP server then the User’s E-mail Address within the Cyberoam gets sync with the E-mail Address on the external Active Directory server/LDAP server. Every time a user logs in, the corresponding E-mail ID will be updated. If the E-mail ID is null on the External Active Directory Server/LDAP, there will be no updates.  
  
 5. Multicast Route Failover

From this version onwards, Cyberoam supports Link Failover for Multicast Traffic using IPSec/VPN connection or GRE Tunnel.

If a user has multicast routes configured on a port then a Link Failover can be configured for same using IPSec/VPN or GRE configuration. Now if the port goes down, all multicast routes configured on it will automatically fail over to given IPSec/VPN connection or GRE Tunnel.

Prior to this version, link failover was supported only for static unicast routes.  

CLI Commands

1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2
 
2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100
 
3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100
 
4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2
 
5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100
 
6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100
 
7. Command: cyberoam link_failover del primarylink <Port name>
To delete link failover configuration.
E.G. cyberoam link_failover del primarylink PortC
 
8. Command: cyberoam link_failover show
To see all the link failover configurations.

6. Support of SSL-VPN for MAC-OS Tunnelblick

From this version, SSL VPN will be functional with Tunnelblicks; a free, open source graphic user interface for OpenVPN on Mac OS X.

The user can download the SSL VPN Client Configuration - MAC Tunnelblick from Cyberoam SSL VPN User Portal.
 
 

7. Version 9 Catch-up Feature – Search Engine Cache Control

From this version onwards, Cyberoam will be able to categorize actual URL contents that are accessed via cache option available in search engines Google, Yahoo, Bing based on the existing Web Filter Policy.
 
  

8. Version 9 Catch-up Feature – Internet Watch Foundation Support

From this version onwards, Cyberoam’s General Internet Policy by default, supports filtering of URL based on Internet Watch Foundation (IWF) categorization.

The filtering logs are displayed in the Log Viewer and iView Reports

The Internet Watch Foundation provides the list of accurate and current URLs to minimize the availability of potentially criminal Internet content as mentioned below:

1.     Child sexual abuse content hosted anywhere in the world.

2.     Criminally obscene adult content hosted in the UK.

3.     Non-photographic child sexual abuse images hosted in the UK.
 
 
 

9. Captive Portal Enhancements

From this version onwards, Cyberoam Captive Portal is esthetically optimized.

Further it supports the following functionalities:

  1.     Hyperlinked logo

  2.     Obtaining username and password for unauthenticated users (Only when Guest Users functionality is enabled).

To configure them, go to System ® Configuration ® Captive Portal. 

Also, Administrator can choose redirect unauthorized user either to Captive Portal or display a customized message. To customize the Captive Portal response, go to Identity ® Authentication ® Firewall.
 
 

10. URL Import List

From this version onwards, while adding or updating a Web Category, Cyberoam facilitates to import a file (.txt or csv) consisting of all the configured URL/Keyword from the white list domain of an existing web categorization solution to Cyberoam instead of copying and pasting the same into Cyberoam. 
 
To add white listed URL file, go to Web Filter ® Category ® Category and click Add button. 

 
11. Optimization in Virtual Host Configuration
From this version onwards, while a virtual host is created and port forwarding is enabled, Cyberoam allows configuring a Port list. The ports within the list can be comma separated. It can be mapped against a Port List or a Port. Further a Port Range can now also be mapped against a single port. This creates one to one mapping or many to one mapping between the external port and the mapped port.

Example: 
 
Port Forwarding Type
(External Port Type to Mapped Port Type)

External Ports

Mapped Ports

Port List to Port List

22, 24, 26, 28, 30

42, 44, 46, 48, 50

Port List to a Port

22, 24, 26, 28, 30

20

Port Range to a Port

21 - 26

28


In case of Port List to Port List mapping, number of ports must be same for both, External Ports and Mapped Ports. Request received on first external port will be redirected to first mapped port; second request on external port will be redirected to second mapped port and so on. From the example above, for Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.  

For a single virtual host, a maximum of 16 ports can be configured in a Port List.

All the ports within a Port List support single protocol viz., either a TCP or a UDP protocol as per the configuration. A combination of both of these protocols within a Port List is not allowed.

Prior to this version, only Single Port to Single Port and Port Range to Port Range Type for port forwarding were allowed.

Also, from this version onwards, for Firewall, when any virtual host is created without port forwarding, one can select multiple services instead of a single service.

Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled.

To configure multiple ports separated by comma, go to Firewall ® Virtual Host ® Virtual Host.
 
 
12. Optimized IPSec Failover Configuration
From this version onwards, Cyberoam IPSec connection configuration for failover can be done while configuring the IPSec connection itself.  This optimization will facilitate configuring failover connection with minimum inputs for commonly used failover conditions. Also the previously available method of configuration remains intact.
 
Failover connection configurations can be done only “Connection Type”- Site – to – Site and Host – to – Host type of IPSec connections.
 
Maximum of four (4) failover connections can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration.
 
To configure an IPSec failover connection for Site – to – Site and Host – to – Host type of IPSec connections, go to VPN ® IPSec ® Connection. Click add icon under “Endpoints Details”, only after which IPSec failover connection can be configured.
 
 
13. Access Denied Page Optimization

From this version onwards, to optimize the loading time of Access Denied Page, the maximum size for the image allowed is as follows:

1.     Top Image – 125 x 70 pixels (.jpg, .jpeg)       

2.     Bottom Image – 70 x 60 pixels (.jpg, .jpeg)

If the Appliance is running on an older version, and if the image size is greater than the above specified dimensions, it is mandatory to reduce the size of images for appropriate display.

To upload an image, go to Web Filter à Settings àSettings.
 

14. DNS Status Check support in Diagnostic Tool 
From this version onwards, Cyberoam will provide an option to view the list of all the available DNS servers configured in Cyberoam. It also provides information about the time taken to connect to each of the DNS server. Based on the least response time, one can prioritize the DNS server.
 
To view the list of DNS server available for an IP Address/host name, go to System ® Diagnostics ® Tools ® Name Lookup, provide the IP Address/Host Name, select option “Lookup Using All Configured Server” from the dropdown box and click “Name Lookup”.
 
 
15. Certificate with FQDN/IP Address as a Common Name

From this version onwards, Cyberoam will allow using FQDN or IP Address as a common name while generating a Self Signed Certificate.

Prior to this version certificate name was used as a common name.

To configure common name for a certificate, go to System ® Certificate ® Certificate and click Add to generate a certificate.
 
 

16. User Defined Certificate

From this version onwards, Cyberoam supports generation of Self-Signed Certificates with Identification Attribute details to meet the needs of compliance criteria.

To generate a Self-Signed Certificate, go to System ® Certificate ® Certificate.
 
 

17. Quick Access to On-Appliance Reports

From this version onwards, Cyberoam supports quick access to On-Appliance Reports from login page of the Appliance.

To access the On-Appliance Reports directly, select “Reports” for parameter “Log on to” on Appliance login page at the time of authentication.
 
18. iView Enhancement – Dual Dashboard Support
 From this version onwards, Cyberoam iView main dashboard has been bifurcated into two.
 
1. Traffic Dashboard
Traffic dashboard is a collection of widgets displaying information regarding total network traffic.

This dashboard gives complete visibility of network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.
 
Traffic dashboard consists of following widgets:
• Top Applications – List of top applications along with percentage wise data transfer

• Top Categories – List of top accessed web categories with number of hits and amount of data transfer

• Top Users – List of top users along with percentage wise data transfer

• Top Hosts – List of top hosts along with percentage wise data transfer

• Top Source Countries – List of top source countries along with percentage wise data transfer

• Top Destination Countries – List of top destination countries along with percentage wise data transfer

• Top Rule ID – List of top firewall rules along with percentage wise data transfer

• Top Domains – List of top domains along with percentage wise data transfer

• Top File Upload – List of top uploaded files along with date, user, source IP, domain name , file name and file size

• Top Files Uploaded via FTP – List of top uploaded files via FTP along with percentage wise amount of data transfer

• Top Files Downloaded via FTP– List of top downloaded files via FTP along with percentage wise amount of data transfer

• Top FTP Servers – List of top FTP servers

• Mail Traffic Summary – Email traffic with type of traffic and amount of data transfer

• Top Mail Senders – List of top email senders along with percentage wise data transfer

• Top Mail Recipients – List of top email recipients along with percentage wise data transfer

2. Security Dashboard
Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malwares and spam along with source and destination countries.
 
Security dashboard consists of following widgets:
• Top Denied Hosts – List of top denied hosts along with number of hits

• Top Denied Users – List of top denied users along with number of hits

• Top Denied Applications – List of top denied applications along with number of hits

• Top Denied Destination Countries – List of top denied destination countries along with number of hits

• Top Denied Source Countries – List of top denied source countries along with number of hits

• Top Denied Rule ID – List of top denied firewall rules along with number of hits
 
• Top Denied Categories – List of top denied web categories along with number of hits

• Top Denied Domains – List of top denied domains along with number of hits

• Top Attacks –  List of top attacks launched at network

• Top Viruses –  List of top viruses blocked by Cyberoam

• Top Spam Senders –  List of top spam senders

• Top Spam Recipients –  List of top spam recipients

All these widgets can be drilled down for next level reports.

 

19. iView Enhancement – Better Visibility and Presentation
From this version onwards, Cyberoam iView has introduced few enhancements to increase visibility and improve presentation of the reports.
1. Chart Preferences
Now the administrator can select the type of charts to show reports. The administrator can choose between Bar charts and Pie-Doughnut charts.

To choose the chart type and palette, go to System ® Configuration ® Chart Preferences.

2. Records per Page Control
Now the user has option to set number of records to be displayed for report groups also. Previously this control was available for individual reports only.
3. Inline Charts
If the number of records to be displayed is more than 10, then Cyberoam iView shows them in the form of inline charts i.e. a bar diagram for number of bytes and percentage respectively will be displayed in the same column.
4. Animated Charts
With this version, Cyberoam iView has introduced animated bar charts and pie charts to improve user experience and data presentation.
5. Report Group Dashboard
With this version, all the report group dashboards show collection of reports available under the selected report group. 
 
 
20. iView Enhancement - Top Users Widget
From this version onwards, a new widget ‘Top Users’ has been added under risk reports. This widget displays list of users who imposed risk on organization network. This report can further be drilled down to view list of applications, hosts, source countries, destination countries and firewall rules associated with the selected user and risk level. 
To view reports, go to Reports ® Applications ® Top Risks ® Risk.
 
 
21. iView Enhancement - Report Filter
From this version onwards, Cyberoam iView provides option to filter dashboard reports. When the user selects any record from dashboard report widgets, the selection is displayed on the next level of reports i.e. on the resultant reports page. The user can apply multiple filters one by one to get appropriate report.
All the filters are displayed on the top of the resultant report in the form of rowed text box(es) with the option to remove filter.

 
22. iView Enhancement - Country Map
From this version onwards, Cyberoam iView introduces a new report – Country Map under Application report menu. This report gives geographical overview of network traffic along with amount of data transfer and risk.

To view reports, go to Reports ® Applications ® Country Map.

 

Known Behaviour

1. SSL VPN support with passcode

From this version onwards, Cyberoam supports key encryption with password in certificates. If certificates are being generated with encryption enabled then user will be prompted to provide a password in the form of a passcode.

If the parameter “Per User Certificate” is configured then new certificates will get generated with key encryption and password.

2. Gateway specific routing for Reflexive Rule

To allow the traffic to route through a specific gateway with a reflexive rule selected while configuring a virtual host, parameter “Route Through Gateway” in Firewall Rule must have Source NAT selected as a Routing Policy.


 
Bugs Solved

Anti Spam
Bug ID – 6533
Description – Irrespective of the date range selected, the spam mails of last seven days are displayed.


Bug ID – 9597
Description – Mail of size greater than 3Mb do not get released from Anti Spam Quarantine Area if the send mail client do not release them within the configured time.

Bug ID – 9599
Description – An error message “Data Error” is displayed for a log on Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes (“”) or a backslash (“\”).

Bug ID – 9989
Description – Quarantine mails having a space in subject line do not get released.
 
Anti Virus
Bug ID – 8029

Description – Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.
 
 
Certificate
Bug ID – 5300
Description – Cyberoam allows uploading a certificate with a different password or private key than that of the original password or private key of Generated Certificate Signing Request (CSR).
 
Bug ID – 8054
Description – Certificate Sending Request (CSR) generated from version 10 Cyberoam Appliance cannot be uploaded at third party Certificate Authority (CA) end.
Bug ID – 8191
Description – Certificate having encrypted private key cannot be upload from Web Admin Console.

Bug ID – 10001
Description – Value of parameter “Valid From” do not change on regenerating a new Cyberoam_SSL_CA certificate from Certificate page of the System.

Bug ID – 10045
Description – A certificate error message “secure connection failed” is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser.
 
 
Bug ID – 11463
Description – Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0.build  304, if the Appliance Time Zone is earlier than GMT and Firmware Upgrade Time is between (00:00:00 – X) and 00:00:00. X here represents the difference between the Appliance Time Zone and the GMT.
  

CLI
Bug ID – 10122
Description – Default routing precedence do not get displayed on Cyberoam console when command "cyberoam route_precedence show" is executed.
 
DHCP Server
Bug ID – 10245
Description – An error message is displayed when a host name of parameter “IP MAC Mapping List” contains a space while configuring a static DHCP.
 
Firewall
Bug ID – 9658
Description – A false error message “user.err kernel: outdev_target: ERRORRRRR skb-> rtable is already initialized <192.168.141.255>...” is displayed in System - Log Viewer.
 
Bug ID – 10870
Description – A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host.
 
GUI
Bug ID – 9810
Description – A Web Filter policy do not function in a non-english version of Cyberoam on configuring an URL Group within the Web Filter Policy.

Bug ID – 9985
Description – In captive portal settings and CTAS settings, the parameter “User Inactivity Timeout” do not accept number beyond 99 on Web Admin Console from Authentication page of Identity.

Bug ID – 10109
Description – Heart Beat port in System configured to sync with CCC, do not change if the Heart Beat Protocol is HTTP for Central Management.

Bug ID – 10165
Description – Dashboard and System Graph continues to remain in processing due to internal error for Cyberoam Version 10.02.0 Build 227.

Bug ID – 10307
Description – VPN – IPSec connection list takes a long time while loading, if the number of IPSec connections is more than 2000.
 
HA
Bug ID – 10573
Description – IPS service stops functioning in the HA deployment, when two Appliances are configured with different versions of IPS are enabled in HA.
 
Identity
Bug ID – 9756
Description – Special characters “_” and “.” are not allowed to be used consecutively while adding an Email Address on the User page for Identity.
 
IM
Bug ID – 9866
Description – IM Policy do not displayed in Log Viewer with Yahoo ! Messenger (Version 11.5.0.228-in).
 
Intrusion Prevention System (IPS)
Bug ID – 9327
Description – Search option is available only while editing IPS Policy.
  
Log Viewer
Bug ID – 9880
Description – No records are displayed when the language selected for Web Admin Console is French in Cyberoam and multiple filters are used while viewing logs of “Application Filter” in Log Viewer.
 
Network Interface
Bug ID – 8002
Description – STC 3G modem is not compatible with Cyberoam Appliance.
 
 
Bug ID – 8457
Description – ZTE MF688a 3G modem is not compatible with Cyberoam Appliance.

Bug ID – 10921
Description – Modem Sierra 320U is not supported by Cyberoam Appliance.
 
Bug ID – 10939
Description – Modem IG Huawai E177 is not supported by Cyberoam Appliance.
  
Proxy
Bug ID – 9115
Description – Proxy services do not function, if a HTTP Upload Web Category is added in HTTPS scanning exceptions.

Bug ID – 9848
Description – An error is received while accessing hotmail.com, http://google.com.au when HTTPS scanning is enabled in Firewall Rule.

Bug ID – 10046
Description – Web Proxy service do not restart when Administrator restarts it from Maintenance page of System.

Bug ID – 10135
Description – Some of the components with the YouTube website do not get displayed with HTTPS scanning applied.

Bug ID – 10244
Description – Browsing becomes slow when external proxy is implemented in the network while Cyberoam is deployed in Bridge mode.
  
 
Bug ID – 10936
Description – In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.
 
Reports
Bug ID – 7818
Description – The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical.

Bug ID – 9993
Description – All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if “Search Type” is “IP Address” and “Report Type” as “Detail”.

Bug ID – 10427
Description – Only current day’s report details are displayed in the Application Reports of On-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.
 
 
System
Bug ID – 9927
Description – Error messages are displayed on executing command “tcpdump ‘port80’filedump” on Cyberoam Console.
 
SSL VPN
Bug ID – 6523
Description – Once the User certificates are updated manually, they do not get updated automatically.
Bug ID – 10171
Description – SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if RDP bookmark has a “/” at the end (e.g. rdp://10.102.1.152).
 
 
Bug ID – 11198
Description – SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having backslash ('/') as last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.
 
User
Bug ID – 6141
Description – When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully.
Bug ID – 9920
Description – Cyberoam supports only SMS Gateway’s that uses Post method.
 
VPN
Bug ID – 9812
Description – An error message “We cannot identify ourselves with either end of this connection” is received when VPN connection with VLAN over WAN is configured with PPPoE link and VLAN ID is more than 2 digits.
Bug ID – 10191
Description – VPN service do not restart when head office and branch office are using default head office and default branch office policy respectively and an if an intermediate device between them is switched off.
 
 
Bug ID – 11202
Description – Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from VPN Policy page and the Appliance is rebooted.
 
Web Filter
Bug ID – 9840
Description – “Denied Message” is updated to default message, if an existing Web Filter Category having configured for customized message is edited without opening “Advance Settings” of it.
Bug ID – 10092
Description – Webcat do not get upgraded to latest version while performing manual sync after auto Webcat upgrade has failed.
 
Wireless WAN
Bug ID – 5315
Description – 3G Modem LW272 is not compatible with Cyberoam Appliance.
 
1.2.2.2. Release Notes 10.02.X Build XXX
1.2.2.2.1. V 10.02.0 Build 473

 

Release Dates

Version 10.02.0 Build 473 – 08th August, 2012

Release Information

Release Type: General Availability

Applicable to:
 

Version 10.01.0XXX or 10.01.X Build XXX

All the versions

Version 10.02.0 Build XXX

047, 174, 176, 192, 206, 224, 227, 409

 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.



Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
 
Sr. No.
Old Revision Number
New Revision Number
Reference Section
Revision Details
-
-
-
-
-
 
 

Introduction

This document contains the release notes for Cyberoam Version 10.02.0 Build 473. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability, and performance.
 

Features

1.   Enhanced Inbound Server Load Balancing and Failover Detection

Cyberoam now supports Virtual Host Load Balancing for distributing the incoming traffic to more than one internal server. For this, following new methods are introduced:

·         Round Robin

·         Random

·         First Alive

Prior to this version, Cyberoam by default used Sticky IP Load Balancing method for virtual host load balancing.

Further, Cyberoam now also supports Failover Detection. This keeps a check on servers and sends a notification to the user whenever a server goes down or comes up. This ensures, the received requests are forwarded for Load Balancing only to servers that are up and running. To ensure Failover Detection, Cyberoam uses two methods,

·         ICMP Method

·         TCP Method

To configure this feature, go to Firewall ® Virtual Hosts.

 

2.   LCD panel support for System Configuration and Auto Scrolling

Cyberoam information can now be viewed and modified from Appliance’s LCD panel. The LCD panel displays menu/submenu. The following are menu/submenu’s Cyberoam that can be viewed and modified.

Sr. No.

Menu

Submenu

1.

System

Date, Uptime, CPU (usage), Memory (Usage), LoadAvg, Disk (Usage), Live Users

2.

Network

Show Gateway

3.

Firmware

Show Firmware, Factory RST, Halt/Reboot

4.

HA

-


To navigate through this menu/submenu, following keys and their respective functionality is described in table below:

Sr. No.

Key

Functionality

1.

Up Arrow

Navigates and displays the previous item on the menu.

If Up Key is pressed while being on the first item of the menu, the same item will be displayed on LCD.

2.

Down Arrow

Navigates and displays the next item on the menu.

If Down Key is pressed while being on the last item of the menu, the same item will be displayed on LCD.

3.

Enter

To enter in the sub-menu of the item or to display the content of the item.

4.

ESC

To go back to the previous menu.

If ESC key is pressed while being on main menu, Cyberoam banner will be displayed.

Cyberoam also supports auto scrolling on the LCD panel. Auto scrolling is initialized, if no input on LCD panel is received up till 30 seconds. During auto scrolling, Cyberoam information will be displayed on LCD panel. Information gets scrolled every 5 seconds. On ESC key input, auto scrolling will stop and Cyberoam banner will be displayed on LCD panel screen.

Note

· This feature is available on CR1500i, CR1500ia, CR1500ia-10F, CR1000i, CR1000ia, CR1000ia-10F, CR750i, CR750ia-1F, CR750ia-10F, CR500i, CR500ia-1F, CR500ia-10F, CR500ia-RP Cyberoam Appliances.

·         Auto scrolling, by default is in Off mode.

·         On factory reset, auto scrolling is disabled.

·         Auto scrolling on/off decision is taken during backup and restore process.
 

CLI Commands

1.     Command: show lcd auto-scroll

 To view the current configuration of Cyberoam Appliance.

2.     Command: set lcd auto-scroll On/Off

 To turn On or turn Off the auto scrolling.


Enhancements

1.   CTAS: More Resilient Transparent Authentication

 

From this version onwards, CTAS Fault Tolerance capability is optimized by:

·         Providing a high availability of collectors and agents.

·         Minimizing authentication delay due to AD Server failure.

·      Automatic recovery mode support, thus when CTAS service crashes or fails, it will restart automatically.

Modus operandi

The CTAS Agent can be:

·         Installed on every domain controller.

·         Configured to support group of collectors. One of these collectors act as a primary collector, while remaining shall be backup collectors. A maximum 5 collectors can be added to a group 

·        If the primary collector goes down, one of the backup collectors shall become primary collector.
 

Note

·         Unlike prior, list of collectors will now be available, if CTAS Agent and CTAS Collector are on same machine.

·         It is now possible to add multiple collectors, if only CTAS Agent is available on the machine. Prior, in absence of CTAS Collector, only one machine could be configured.

·         While using NETAPI mode, if CTAS HA mode is enabled, IP Address of primary collector and port number on which the backup collector listens to the primary collector must be configured.

·         A Group Number along with IP Address and Port number is required to add a Collector.
 

CLI Command

1.      Command: cyberoam auth cta collector add collector-ip  <ip-address>  collector-port  <port>  create-new-collector-group

To add a collector in new group.

2.      Command: cyberoam auth cta collector add collector-ip  <ip-address> collector-port  <port>  collector-group  <group-number>

To add a collector in an existing collector group.

Prior to this enhancement, to support multiple domain controllers, CTAS Agent was installed on every domain controller and a single collector on any one of the domain controller.

 

2.   WAF Reports

From this version onwards, Cyberoam iView provides reports for WAF module of Cyberoam UTM.
 
WAF reports provide snapshot of attacks on protected Web servers. The administrator can view list of attacks and attack sources for per Web server, which can be drilled down to view details like user agent, HTTP method, HTTP request, query string etc.
 
WAF reports also give snapshot of the protected Web servers with maximum amount of data transfer. Data transfer reports can be drilled down to view domain wise data transfer per server.
To view these reports go to Reports ® WAF.
 
 

3.   Application Reports

From this version onwards, Cyberoam iView provides following new reports under Application reports:

a.  Top Application Categories

Top Application Categories reports provide snapshot of various application categories accessed by users and amount of Internet traffic generated by them. Administrator can view application category reports for various applications, users and hosts.

To view these reports, go to Reports ® Applications ® Top Application Categories.
 

b.  Top Risk wise Applications

Top Risk wise Applications reports provide snapshot of various applications and associated risk. These reports help administrator to monitor applications with higher risk and then take corrective actions to protect corporate network from any posed threats.

To view these reports, go to Reports ® Applications ® Top Risk wise Applications.
 

 c.  Top Technology wise Application

Top Technology wise Applications reports provide snapshot of various applications based on following technologies:

·         Browser Based

·         Client Server

·         Mobile

·         Network Protocol

·         P2P

To view these reports, go to Reports ® Applications ® Top Technology wise Applications.
 

d.  Top Source Countries

With this release Cyberoam iView facilitates the administrator to view statistics of top countries which are generating highest amount of Internet traffic through various applications and application categories. These reports help administrator to fine tune country based firewall rules.

To view these reports, go to Reports ® Applications ® Top Source Countries.
 

e.  Top Destination Countries

With this release Cyberoam iView facilitates the administrator to view statistics of top countries which are receiving highest amount of Internet traffic through various applications, application categories, hosts and users. These reports help administrator to fine tune country based firewall rules.

To view these reports, go to Reports ® Applications ® Top Destination Countries.

All these reports help administrator to observe Internet behavior of organization users and take regulatory actions.
 
 

4.   Risk Meter

From this version, all application report pages display ‘Risk Meter’ on the top most right corner of the page. This Risk Meter shows overall risk posed on network through various applications and application categories.

Risk is calculated in terms of number, which ranges from 0 to 5, where higher number shows higher risk.

From this version, Cyberoam iView also provides information regarding risk associated with an individual application.
 
 

5.   DNS support for internally hosted Websites

From this version, Cyberoam Appliance allows adding DNS mapping for Domain / Host with IP Address. Adding static entry(ies) for Domain / Host enables resolving internally hosted sites using Cyberoam rather than relying on a DNS Sever.  

With this feature, Cyberoam Appliance can be utilized toresolvean organization’s internal sites and services on LAN and eliminate DNS dependency.

To resolve client DNS query, Cyberoam will first lookup in static entries if not found then it will check cache, after that it will contact configured DNS severs and at last it will contact root servers.

Note

· Cyberoam will only provide following services:

a. Resolve  IPv4 domain Addresses

b.  Provide reverse resolution for IP Address

· Maximum number of DNS entries allowed is 1024.

· A CLI option “set http_proxy host_entries” is no more available. Instead, a host can now be added using DNS Host Entry available on Web Admin Console. Existing configured DNS host entries will be migrated to static DNS Host Entries and will be available on the Web Admin Console.

DNS servers can be configured from Network ® DNS ® DNS Host Entry.

 

6.   Language support of Cyberoam entities (i18n)

From this version onwards, Cyberoam Web Admin Console supports languages viz., English, Hindi, Chinese – Simplified, Chinese – Traditional as an input.

For this users must have a language supported keyboard.

Note

·    i18n is not supported for CLI, VPN module, DHCP Server, SSLVPN Tunnel client.
 
  

7.   Rename Objects

From this version onwards, Cyberoam allows renaming objects for following modules:

·   Firewall Rule
 
·    All Objects (Host, Custom Service, Schedule, File Type)

·    Virtual Host


 
8.   Multiple selections of Objects of Firewall Rule

From this version onwards a single Firewall Rule can be shared by multiple host / service / user by multiple selections available within objects like user, source host, destination host, service parameter.

With this optimization, the Firewall rule could be directly applied to multiple users without group for same.

Prior to this version, only single selection per object within the Firewall Rule was possible.

Note

·   The maximum limit on the selection within each object shall be 1024.

·   Multiple objects can be selected only if they belong to same type.

  E.g. It is not allowed to select one IP Host and one Host Group, User and User Group, Service and Service Group.

·   Navigation from one type to another will result in losing the configurations of the first type.

  E.g. If two hosts from “IP Address” type are selected and then one navigates to select a MAC host from “MAC Host” type, then previously selected hosts within “IP Address” type will be unchecked  automatically.

To add/edit single rule for multiple selections within an object, go to Firewall ® Rule ® Rule.
 
 

9.   Interface independent L2TP/PPTP

From this version onwards,  L2TP/PPTP, through which road warriors can access internal resource behind Cyberoam, are now interface independent.

Prior to this version, as L2TP/PPTP VPN service was interface dependent, configuring it became a hurdle for Mix Mode deployment that uses 3 physical interfaces, of which two are part of bridge pair and one is configured in the WAN zone.

 

10.   Enhancements in Application Filter

From this version onwards details like Risk, Characteristics, Technology and Description can be viewed for each application.

To view the Application List, go to Application Filter à Application List.

Further, Applications now can be searched for Category, Risk, Characteristics and Technology by selecting options available rather than manually proving string for search.

To search the Application, go to Application Filter à Application List.

Also, the Application Filter Policy Rules page is revamped from this version. I.t now has three (3) sections under it:

·         Application Filter Criteria

The applications can be sorted and views on bases of parameter Risk, Characteristics, Technology and Description.

·         List of Application

Based on the criteria selected, a list of application matching to the criteria is displayed. By default, all the categories and applications are displayed. User can select to display all the application or select individual application on which the action is to be taken. As the user scrolls through the applications, the application record count is dynamically updated in “List of Application” bar.         

·         Action

Action to be taken on the application selected on schedule time can be configured. The default action is “Allow” and, the Schedule is “All the Time”.

To view Application Filter Policy Rules, go to Application Filter à Policy, select manage icon against the application and then click Add button.

Note: The content on “Add Application Filter Policy Rules” pop-up window gets misaligned on resizing the browser window. To restore it close the pop – up window by providing ESC key and reopen it.

 

11.   Run-time Edit of Schedule-based QoS

From this version onwards the user can edit the schedule in a predefined QoS policy during run-time. This will ensure that the QoS can be granularly modified to meet the users’ bandwidth needs.

To edit the Schedule-based QoS, go to QoS à Policy, select manage against the policy and within “Add Schedule wise QoS Policy Details to override default QoS Policy Details” click add
 

12.   DNS support for PPPoE

From this version onwards Cyberoam will provide DNS support for PPPoE. With this enhancement, Cyberoam can be configured to use either Static DNS or DHCP’s DNS or PPPoE’s DNS. This option is available if any interface is configured as PPPoE.

To obtain DNS from PPPoE, go to Network à Interface à DNS.
 
 

13.   NTLM – Multiple Domains in a Single Forest

From this version onwards Cyberoam’s NTLM based Single Sign-On (SSO) authentication functionality now supports:

·   Multiple domains in a single forest

·   Failover among multiple AD Controllers
 
Behavior Change

1.   Risk Level Updation
From this version onwards, application “Yahoo Update” risk level is modified from Level 3: High to Level 2: Low. 
 
2.   Multicast Routing
From this version onwards, Cyberoam will forward multicast traffic only after manually enabling Multicast Taffic forwarding.

To enable it, go to Network   à Static Route à Multicast and check option "Enable Multicast Forwarding".
 
Prior to this version,  Multicast Traffic Forwarding was enabled by default.


Bugs Solved

Access Server

Bug ID – 8468
Description – User's authenticated via CTAS do not get logged off even after disabling CTAS from CLI (console>cyberoam auth cta disable).
 
Bug ID – 9433
Description – Incorrect value of data transfer usage for current session is displayed if user is allowed to login from multiple nodes.
 

Anti Spam

Bug ID – 8693
Description – The last entry gets replaced by the new entry, if more than 400 Email Address or Domain are added in Address Group of Anti Spam.
 
 
Bug ID – 9623
Description – High CPU utilization is recognized on releasing a mail of "(2046 * n) + 5,  n >= 1" bytes size from Quarantine Area of Anti Spam.
E.g.: (2046 * 1) + 5 = 2051 bytes, if n = 1,
        (2046 * 2) + 5 = 4097 bytes, if n = 2 and so on.

 

DHCP Server 

Bug ID – 7577
Description – DHCP server takes approximately 60+sec to lease new IP Address, if the received request is from a network other than the configured network.
 
Bug ID – 8821
Description – An error message “default lease time cannot be greater than max lease time” is displayed on Web Admin Console even though value of parameter “Default Lease Time” is less than parameter “Max Lease Time”.
 

Dynamic Routing

Bug ID – 9321
Description – BGP neighbor relationship could not be formed in Cyberoam when service provider authentication type is set to MD5 BGP.
 

Firewall

Bug ID – 8446
Description – The reply traffic gets load balanced and does not flow through the requested route when Cyberoam is in Mix Mode having multiple gateways configured with one or more bridge and load balancing is enabled and the request passes through one of the bridge interfaces.
 

GUI

Bug ID – 5867
Description – Since application "Meebo Website" is categorized at two places, File Transfer and IM, therefore whichever category is added first will be successful. However, while trying to add same application from other category will result in error message.
 
Bug ID – 8470
Description – The Cyberoam Administrator cannot bind Trusted MAC to IP Addresses having first digit of the fourth octet match with the existing IP-MAC bind entry.
Eg. If IP-MAC Binding configuration contains the entry like AA:BB:CC:DD:EE:FF Static 10.102.1.1, then entries like AA:BB:CC:DD:EE:CC Static 10.102.1.1 or AA:BB:CC:DD:EE:CC Static 10.102.1.11 or similar shall not be allowed to bind.
Bug ID – 8772
Description – “Change Recipient” is incorrectly spelled as “Chnange Receipient” in Action Filter for Anti Spam Log on Log Viewer page.
 
Bug ID – 8809
Description – Filter in the “Message” column of Log Viewer page do not function for “Admin” event logs.
Bug ID – 8909
Description – A filter applied to sort the data on Application Filter page gets removed on navigating to another Tab or refreshing the page.
 
Bug ID – 9960
Description – Web Admin Console for a Firewall Rule page displays that Certificate Based Categorization of a Web Filter policy is configurable although by default, it is enabled and is not available for updating from GUI or CLI.  
 

Identity

Bug ID – 8972
Description – An error message is displayed on Web Admin Console while adding an IP Address for selected node in parameter login restriction, if the group name contains special characters like “&”, “#”.
 

IM

Bug ID – 8042
Description – IM Proxy does not support yahoo messenger version 11.5.0.152 and therefore yahoo messenger login and logout events are not displayed in log viewer.
 

LAN Bypass

Bug ID – 9698
Description – Hardware bypass do not function in Cyberoam Appliance 1000ia.
 

Log Viewer

Bug ID – 8781
Description – The parameter "Username" do not match with the Identity User list while viewing logs of Firewall if multiple groups are deleted.
 

Multicast Route

Bug ID – 9402
Description – Multicast packet flow between two or more interfaces of Cyberoam gets disrupted, if DHCP enabled WAN interface fails to receive IP Address from DHCP server.
 

Network Interface

Bug ID – 9434
Description – Special character “@” is not allowed within the username while configuring PPPoE VLAN interface.
 

Packet Capture

Bug ID – 9186
Description – Administrator needs to refresh the “Packet Capture” page to display BPF string in capture filter after configuring it.
 

Proxy

Bug ID – 8263
Description – Images on website http://charity.othaimmarkets.com/charity/CommonInfo/Index.aspx are not displayed when "Allow All" Web Filter Policy is configured. 
 

Report

Bug ID – 8968
Description – Logs of MSN chats are not available in On-Appliance i-View reports even though they are displayed in Log Viewer page.
 
Bug ID – 8429
Description – No data is displayed on Web Admin Console, when "View all" is clicked on "Custom View Reports" on iView.
 

Scheduled Backup

Bug ID – 6976
Description – Cyberoam mail backup fails, if response of "ehlo" request is sent in multiple parts by mail server
 

SSLVPN 

Bug ID – 6668
Description – SSL VPN application access mode does not work with Windows 7 (German Version).
 
Bug ID – 9170
Description – User cannot login in SSLVPN Web Portal, if the username consist of an alphabet in uppercase.
 

System

Bug ID – 9871
Description – Gateway is marked dead if the failure response to failover condition is received for the first ping/TCP request.
 

Traffic Discovery

Bug ID – 8613
Description – Only 20 records can be viewed on Traffic Discovery Page even though there exist more than 20 records.
 

User 

Bug ID – 4786
Description – DCOM error event is logged in System Event log when remote system does not respond to WMI query.
 
Bug ID – 8586
Description – An Administrator with customized administrator profile cannot create another administrator user but he can delete the existing users with similar profile.
 
Bug ID – 9309
Description – Incorrect value for total data transfer is displayed in “My Account” if total data transferred by a user is more than 2GB.
 
Bug ID – 9443
Description –Tight integration is not supported for L2TP/PPTP VPN user when external authentication is configured.
 

Virtual Host

Bug ID – 8748
Description – "Any" service is displayed, if a firewall rule of virtual host is edited and multiple services are configured for parameter "service".
 

VPN Failover

Bug ID – 9603
Description – Failover groups with its respective connections are not displayed on Web Admin Console of IPSec VPN Connection page, if multiple VPN failover groups are configured (VPN à IPSec à Add Failover Group).
 
Bug ID – 10123
If remote gateway is configured with FQDN within IPSec VPN Failover Groups then Dead Gateway Detection mechanism stops functioning.
 

Web Filter

Bug ID – 7152
Description – Cyberoam is unable to block following Websites

Web Application Firewall

Bug ID – 8736
Description – If Certificate Signing Request (CSR) is configured as web server certificate then WAF ceases to function.
 
Bug ID – 9417
Description – Port 443 cannot be configured for SSL Offloading in WAF (WAF à Web Server à Add à Private IP à configure HTTP Public Port: 443).
 
Bug ID – 9529
Description – All the request to access a website are not allowed on the WAF subscription expiry.
 
Bug ID – 9826
Description – Details within the alert messages are not displayed for a LAN to LAN Firewall Rule, if option “WAF”  is enabled.

 



1.2.2.2.2. V 10.02.0 Build 206, 224, 227

 

Release Dates

Version 10.02.0 Build 206 – 26th April, 2012

Version 10.02.0 Build 224 – 07th June, 2012
 
Version 10.02.0 Build 227 – 30th June, 2012

Release Information

Release Type: General Availability

Note - Web Application Firewall (WAF) is in Beta.

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or V 10.01.0 Build 674 or V 10.01.0 Build 678 or V 10.01.0 Build739 or V 10.01.1 Build 023 or V 10.01.1 Build 027 or V 10.01.2 Build 010 V 10.01.2 Build 059 or 10.01.2 build 064 or V 10.01.2 Build 065 or V 10.01.2 Build 124 or V 10.01.2 Build 133 or V 10.01.2 Build 158 or V 10.02.0 Build 047 or V 10.02.0 Build 174 or V 10.02.0 Build 176 or V 10.02.0 Build 192 or V 10.02.0 Build 206
 
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
 

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472” and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 

Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

Release Version Number

Applicable To Cyberoam Appliance Model

Version 10.02.0 Build 224

All except CR15i and CR15wi

Version 10.02.0 Build 227

Only to CR15i and CR15wi

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
 

Sr. No.

Old Revision Number

New Revision Number

Reference Section

Revision Details

1

1.02-11/06/2012

2.00-30/06/2012

Release Dates

A new Version 10.02.0 Build 227 is added.

2

1.02-11/06/2012

2.00-30/06/2012

Compatibility Annotations


Version 10.02.0 Build 224 and Version 10 02.0 Build 227 are Cyberoam Appliance model specific.





Introduction

This document contains the release notes for Cyberoam Version 10.02.0 Build 206, Version 10.02.0 Build 224 and Version 10.02.0 Build 227. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability, and performance.

Features

1.   Mix Mode

From this version onwards, Cyberoam Appliance can be deployed in Mix Mode. 

Prior to Mix Mode, Cyberoam Appliance could be deployed in two modes Viz. Bridge Mode (Transparent Mode) and Gateway Mode (Route Mode). Bridge Mode did not support below mentioned features as compared to the Gateway Mode: 

· Network Address Translation (NAT)
· DMZ or Any custom Zone
· Multiple WAN links (Including WWAN) and Load Balancing
· VPN Gateway
· DHCP server or Relay

Now in Mix Mode, Cyberoam supports:

· Both bridge and route modes can be configured on a single Cyberoam appliance simultaneously. The bridged networks can access the Internet and other network traffic through the routed interfaces.
· Multiple bridge pairs can be configured on a single appliance (Maximum number of bridge pairs = N/2, where N is number of physical ports).
· A bridge network can access subnets which are behind other bridge interfaces.
· Network Address Translation (NAT)
· DMZ or Any custom Zone (Within a Bridge Pair)
· Multiple WAN links (Including WWAN) and Load Balancing
· VPN Gateway
· DHCP server or Relay

This mode of deployment provides an ideal solution for an organization’s network that already have an existing firewall or router acting as a Gateway and the organization does not want to replace the firewall, but still wishes to take advantage of UTM security using Cyberoam deep-packet inspection, Intrusion Prevention Services, Gateway Anti Virus, and Gateway Anti spam.

Bridge Pair can be configured from Network ® Interface.
 

2.   FQDN Host and Host Groups

Cyberoam now supports a Fully Qualified Domain Name (FQDN) based Host and Host Groups. Prior to this, IP Addresses were required for Host creation. With this feature,

· User is not required to remember the IP Address.
· FQDN hosts can also resolve to multiple IP Address.
· Cyberoam optimizes security by including policies created in Firewall Rules based on FQDN hosts.

FQDN host do not support multiple domains resolving to single IP address.

To configure this feature, go to Objects ® Hosts.
 

3.   Guest Users

From this version, Cyberoam supports http protocol based SMS services. Cyberoam will allow creating a guest user and sending Internet access credentials using SMS. The guest user is allowed to login and access the Internet without pre-existing user account. By configuring profile for different SMS gateways and creating default group for guest users, a group based policies can be created that shall be applicable on the guest users.

The default length of the text SMS will be of 160 characters.

This feature is specifically useful in Hotspots, Airports, Hotels, Hostels and corporate offices for Guest users.

To configure Guest User, go to Identity ® Guest Users. For further details, refer to How to customize the Default SMS sent to Guest Users?
 

4.    Differentiated Services Code Point (DSCP)

From this version, Cyberoam supports Differentiated Services Code Point (DSCP).

The Differentiated Services (Diffserv) standard is a method for providing precedence to specific traffic types to manage traffic. The precedence or service level of an application can be modified by creating policies to mark the traffic in a particular class with a specific diffserv code point (DSCP) value. Depending upon the DSCP marking in the IP Packet header, the DSCP enabled network devices will apply differentiated grades of service to packets.

To configure DSCP, go to Firewall ® Rule ® Add ® Advance Settings ® QoS & Routing Policy ® DSCP Marking.


5.   Captive Portal URL Redirection

From this version, Cyberoam supports Captive Portal URL Redirection.

A Captive Portal is used to authenticate an existing user in Cyberoam through a web browser interface before granting the Internet access.

Compatibility

Compatible browsers: Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Safari browser.

Note:

The user will not be logged out on closing the browser window in case of Opera and Safari browsers, even if the option “Logout user on browser close” is enabled.

To get the log in window, open the browser and enter the intended URL. Cyberoam will first open Captive Portal page prompting the user to enter valid credentials for authentication.

If the provided username and password are correct,

Case 1: Pop-up is blocked

User will be logged in successfully and an information bar will appear. User is required to open a new window to access the intended site.

Note:

The notification related to blocked pop-ups will not be displayed in Opera browser.

Case 2: Pop-up is allowed

The intended site opens in the same window and the successful login status pops up in a new window.

Also, the administrator can customize URL redirection. Post authentication this feature provides following options:

· Redirecting to originally requested URL
· Redirecting to customized configured URL.
· Minimizing of Captive Portal popup after login.
 
The table below describes the response of different browsers in various conditions:
 

Browserà

Condition â

IE

Firefox

Chrome

Opera

Unsuccessful Login

1. Client login page with login status is displayed in the same window.

1.   Client login page with login status is displayed in the same window.

1. Client login page with login status is displayed in the same window.

1. Client login page with login status is displayed in the same window.

Successful Login and

Pop-up blocked

1. A message "You have to ensure that pop-ups are not blocked" is displayed.

2. Login page with login status opens in the same window.

1.    A message "You have to ensure that pop-ups are not blocked" is displayed.

2. Login page with login status opens in the same window.

1. A message "You have to ensure that pop-ups are not blocked" is displayed.

2. Login page with login status opens in the same window.

1. Login page with login status opens in the same window.

Successful Login and

Pop-up allowed

1.   *Login page with login status opens in a pop-up window.

2.   Intended URL opens in same window.

1.   Login page with login status opens in a pop-up window.

2.   Intended URL opens in same window.

1. Login page with login status opens in a pop-up window.

2. Intended URL opens in same window.

1. Login page with login status opens in a pop-up window..

2. Intended URL opens in same window.

Successful Login and

Captive Portal Pop-up minimized 

1.   Captive portal page will be minimized.

1.       **Captive portal page will be minimized.

1. Captive portal page will ALWAYS be displayed on top.

1.Captive portal page will be minimized.

* - For IE9 a link to the intended URL will be provided on Captive Portal page after successful login.

** - For Firefox 4+ to minimize captive portal popup; go to Tools ®  Option ® Content ® Enable JavaScript (Advance) and enable Raise or lower window.

To configure customized URL go to Identity ® Authentication  ® Firewall.
 
6.   Hit Count in Mail Summary Reports

From this version onwards, the Mail Summary Reports will provide information regarding number of hits for each application.

Prior, Mail Summary reports provided information of data transfer in bytes.
 

7.   Country Based Traffic Control

From this version onwards, Cyberoam will support Country Based Host using which traffic from/to a particular country can be blocked/allowed using the firewall and UTM policies. Multiple countries can be selected using country based host group support.

CLI Commands

1.     Command: show country-host list

To enlist all the countries for which the policies are configured.

2.     Command: show country-host ip2country ipaddress <IP Address>

To verify if the IP Address belongs to a particular country.

E.g: show country-host ip2country ipaddress 203.55.34.194

To configure Country based traffic control, go to Objects ® Host ® Country Host. For further details, refer to How To - Create a Country-based Firewall Rule.
 
8.   WAF – Web Application Firewall

From this version onwards, Cyberoam will support Web Application Firewall using feature WAF – Web Application Firewall. This feature protects Web Server(s) deployed in a network and related applications from any underlying vulnerability exploit.

It is an add-on module requiring a separate subscription.

WAF protects applications accessed via HTTP and HTTPS at the Layer 7 - Application Layer. Besides Layer 7 based attacks, the Web Server is safeguarded against cookie tampering, forceful browsing and hidden field tampering. The WAF also mitigates "user-induced" vulnerability in configured applications or in custom-developed code that leaves Web applications open to attacks, such as cross-site scripting, directory traversal and forced URL browsing.

WAF feature protects the Web Server rather than fixing the underlying vulnerability.

The feature WAF is not available on CR15i, CR15wi, CR25i, CR25ia, CR25wi, CR35ia, CR35wi and CR50i Cyberoam Appliances.
 

9.   NT LAN Manager (NTLM) Authentication Support

Cyberoam has extended its Single Sign-On (SSO) authentication functionality by including support of NT LAN Manager (NTLM).

It is a Microsoft security protocols suite that offers authentication, integrity and confidentiality.

This will lead to:

1. Reduced dependency on any additional software installations throughout the network including every/any domain controllers and work stations across multiple branch offices.
2. Accurate user session logging
3. Quick and easy deployment where existing NTLM supported proxy solutions are being replaced by Cyberoam.
4. To support multiple authentication mechanisms.
5. Minimal network changes and operational costs.

Basic Requirement

1.     Operating System: Client – XP and onwards

  Server – 2003 and onwards

2.     Browser: IE 7 onwards and Firefox 4.0 onwards.

The following features are not supported by NTLM:

1.     Caching
2.     Load balancing and failover between multiple AD controllers
3.     NTLM authentication support for Thin Client (Citrix Servers)
4.     Multiple domains
5.     Multiple domain controllers for single domain

To configure NTLM, go to System ® Administration ® Appliance Access. For further details, refer to

1.     How to configure NTLM in Cyberoam?

2.     How To - Configure NTLM Support in Web Browsers?

3.     How do I enable NTLM in Windows 2003 Server?


Enhancements

1.   GUI Enhancements

From this version onwards, the following are the enhancements done to optimize Web Admin Console:

1.  As part of GUI optimization process the loading time has been reduced by approximately 70%.
2.  In case of any modification in Cyberoam Appliance Firmware (upgradation/roll back), the message indicating the ongoing process is displayed.
3.  From this version onwards, TAB and SPACE keys can be used to navigate within the GUI
·         Tab – For sequential navigation between textbox.
·         Space – To access dropdown menu.
4.Text box shall now have appropriate message, informing about content to be provided by the user.
5.Press Shift + ? on any page to display all the available keyboard shortcuts.
 

2.   DNS Optimization

From this version, if Cyberoam Appliance interface is used as a DNS in client system then, a query to configured DNS servers is sent prior to querying the ROOT severs.

DNS servers can be configured from Network ® DNS.
 

3.   Virtual Host Enhancement

From this version onwards, on configuring Virtual Host using firewall rule, the user can configure following parameters:

1.     Firewall Rule Name
2.     Source Zone
3.     Service
4.     Apply NAT
5.     AV & AS Scanning
6.     Log Traffic
7.     Create Reflexive Rule
These parameters can be configured from the pop-up page that appears when the user adds the Virtual Host from Firewall ® Virtual Host ® Add.
 

4.   IBM server terminal support in SSLVPN

From this version onwards, apart from TELNET, RDP, SSH clients, Cyberoam will now support SSL VPN application utilized to access IBM server remotely.
 

5.   Dynamic Interface Support

From this version onwards, Virtual Host, DHCP and routes can be configured over dynamic interfaces like PPPoE, DB9, WLAN, and WWAN using GUI and CLI console.

This enhancement will aid in configuration and diagnostics.
 

6.   Search using IP Address

From this version onwards, search in the Web Surfing reports can be performed using IP Address.

Search result displays the number of hits on the IP Address along with total data transfer done through it.

To configure search using IP Address, go to Search ® Web Surfing Reports. For further details, refer to How can I view IP-based Web Surfing Reports?
 

7.   Customized Wireless LAN

From this version onwards, user can enable or disable Wireless LAN as per the requirement.

Prior to this version, Wireless LAN by default was in enable mode and was not allowed to be disabled.

To enable or disable Wireless LAN check WLAN Radio, by accessing Network ® Wireless LAN ® Settings.


Behavior Change

1.   DNS Optimization

From this version onwards, if there are multiple configured WAN interfaces on Cyberoam which is deployed as DNS Server then it is recommended to configure Static Route for ISP DNS server to a specific ISP gateway. This will reduce delay in browsing internet.

To add Static Route, go to Network ® Static Route ® Unicast.
 

2.   MIB Modification

Due to Mix Mode support the Cyberoam Opmode object has been removed from the MIB. For further details, refer to Configure Cyberoam as SNMP Agent.


Bugs Solved

Access Server

Bug ID – 8608
Description – A wrong event displaying parameter “Start Time” as “Thur, Jan 01,05:30” and “Used Time” as “15408 days  11:32:54”, is generated when the user logs out of My Account.
 

Anti Spam

Bug ID – 9348
Description – Quarantine Mails are of 0kb value when downloaded from Quarantine Area within Anti Spam if Cyberoam Appliance is upgraded to Version 10.02.0 Build 206.
 

Backup & Restore

Bug ID – 7162
Description – Administrator is unable to download the backup file, if 15i Appliance backup is restored to 25i.
 

CLI

Bug ID – 7171
Description – In CLI submenus of option 6 i.e. VPN Management are not displayed.
 

Dashboard

Bug ID – 7843
Description – An extra word “dashboard” is displayed within the alert message shown on the Web Admin Console.
 

Firewall

Bug ID – 7595
Description – A MAC Address is not configured as trusted if it is imported from csv file and has a special character like dash (-) as separator.
 
Bug ID – 8748
Description – Selected multiple services for firewall rule are not displayed even though multiple options are selected against the rule.
 
Bug ID – 8832
Description – The checkboxes for Application and Web based QOS Policy in Identity based Firewall Rule are displayed unselected, in spite of being selected while configuring the QOS Policy.
 
GUI
Bug ID – 7211
Description – The geoip command available in CLI console option does not get executed.
 
Bug ID – 8291
Description – IP list is not allowed to be added in IP Host Group.
 
Bug ID - 8897
Description – A host from a host group do not get updated although a success message is displayed on GUI while updating a host for other host group.
 

Log Viewer

Bug ID – 9171
Description – IP Address of events is displayed as 0.0.0.0 in Log Viewer.
 

Identity

Bug ID – 8885
Description – Web Admin Console on IE browser version 8.0.6001.18702 displays processing while adding or editing SMS Gateway.
 
Bug ID – 8913
Description – The first character used for manual search of user group gets appended in the user name, when “Tab” key is used to navigate while creating a user.
 

Network

Bug ID – 9200
Description – Name of the Bridge Pair Interface is editable.
 

Network Interface

Bug ID – 7115
Description – USB modem ZTE MF633+ HSPA is not supported.
 
Bug ID – 9475
Description – Parameters “LCP Echo Interval” or “LCP Failure” of PPPoE interface do not get updated after editing.

Report

Bug ID – 7503
Description – Auxiliary Appliance does not send report notification mail.
 
Bug ID – 9435
Description – Web Surfing reports gets corrupted while exporting excel file from iView, if the records are more than 1000.
 

SSLVPN

Bug ID – 7756
Description – SSL VPN top users report in On Appliance iView displays certificate common name instead of user name if TLS authentication verification fails while establishing peer connection.

User

Bug ID – 9357
Description – The parameter “Simultaneous Logins” on the User page do not get updated to “Unlimited” even if Global Settings parameter “Simultaneous Logins” on firewall page is configured as “Unlimited”.
 

User Group

Bug ID - 3607
Description – Maximum 20 nodes can be added as Group Login Restriction.
 

VPN

Bug ID – 7420
Description – Internet access via IPSec Tunnel from a remote office stops on upgrading Appliance from Version 10.01.1 Build 739 to Version 10.01.1 Build 023.
 
Bug ID – 9293
Description – An error message is displayed on Web Admin Console while editing bookmark type of a SSL VPN Policy in Web Access Mode from HTTP or HTTPS to any other except HTTP and HTTPS.
 
Bug ID – 9347
Description – A message “IP Address of local server has been changed” is displayed on Web Admin Console for PPTP VPN page after upgrading the Cyberoam Appliance from Version 10.01.2 Build 158 to Version 10.02.0 Build 206.  
 

Web Application Firewall (WAF)

Bug ID – 9444
Description – User cannot login within OWA, if it is published via WAF.

Bug ID – 9445
Description – High CPU utilization occurs while publishing HTTPS website via WAF.
 
Bug ID – 9446
Description – Web page content is improperly displayed in web browser since WAF do not support Deflate Type Content Encoding.
 

Web Filter

Bug ID – 9267
Description – An error message is displayed on Web Admin Console when a duplicate domain is added in Web Category or URL Group of a Web Filter.
 

Web Category

Bug ID – 9177
Description – AV & AS Scanning enabled protocols are displayed in following two different ways within “Scan” column of a Firewall Rule, when Standard Theme is applied on Cyberoam:
1.     Red highlight
2.     Red highlight and a square box  
 
 
 
 
1.2.2.3. Release Notes 10.01.X Build XXX
1.2.2.3.1. V 10.01.2 Build 158

 

Release Dates

Version 10.01.2 Build 158 – 01st March, 2012

Release Information

Release Type: Maintenance Release

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or V 10.01.0 Build 674 or V 10.01.0 Build 678 or V 10.01.0 Build 739 or V 10.01.1 Build 023 or V 10.01.1 Build 027 or V 10.01.02 Build 010 or V 10.01.02 Build 059 and V 10.01.02 Build 064 or V 10.01.02 Build 065 or V 10.01.2 Build 124 or V 10.01.2 Build 133

Migrate Procedure

To migrate from Version 9 to Version 10, please follow the link Migrate Cyberoam Appliance from Version 9 to Version 10.

Upgrade procedure
 
To upgrade the existing Cyberoam Appliance follow the procedure below:

Logon to https://customer.cyberoam.com

Click “Upgrade” link under Upgrade URL.

Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher


Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472 and follow on-screen instruction.

By doing this, the customer will not be able to roll back.


Upgrade Cyberoam to latest version by selecting option 10.01.0472 or higher” and follow on-screen instruction.

Compatibility issues

This version release is compatible with the Cyberoam Central Console Release V 02.00.4 Build 007.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 

Introduction

This document contains the release notes for Cyberoam Version 10.01.2 Build 158. The following sections describe the release in detail.

This release comes with enhancements to improve quality, reliability, and performance.


Enhancements

1. Database Optimization

Cyberoam database architecture has been fine-tuned for optimal performance and further stability of On-Appliance reports.


2. 
Access Server logs for SSO

From this version onwards, when a client tries authenticated using SSO while already being authenticated by CTAS than a message "CTA collector enabled discarding SSO client request" is displayed in Access Server logs.

Prior to this version, no message was displayed providing a reason about SSO request being discarded.


Bugs Solved

Anti Virus

Bug ID – 7672
Description – Windows fails to update using Lab tech tool if AV scanning is on.

Firewall

Bug ID – 7595
Description – A MAC Address is not configured as trusted, if it is imported from csv file and has a special character like dash (-) as separator.

Hardware Sensor

Bug ID – 7764
Description – Minimum chassis fan speed displayed is higher than the set threshold value.

Bug ID – 6982
Description – A warning log is displayed in log viewer even though chassis fan speed is below the desirable level.

High Availability

Bug ID – 8270
Description – A customized image in denied message is not displayed as it does not get synchronized with Auxiliary appliance, when a Cyberoam is configured in HA Active – Active mode.

Proxy

Bug ID – 8261
Description – Website http://files003.voip.ownmail.com/1555031541/ does not open when Cyberoam is configured as direct proxy.

User

Bug ID – 8095
Description – Inactive users are allowed to login in to Cyberoam My Account. 

Bug ID – 7604
Description – A message “Operation Interrupted” is displayed while navigating through User page if the user name imported from the external authentication server contains special characters like back slash (/).

Bug ID – 8404
Description – Custom Administrator user cannot reboot/shutdown the Cyberoam Appliance in spite of having read-write permission.

VPN

Bug ID – 8319
Description – PPTP connection cannot be established, if static and dynamic WAN interfaces are configured on Cyberoam and PPTP server is configured on the dynamic interface.

1.2.2.3.2. V 10.01.2 Build 124, 133

 

Release Dates

Version 10.01.2 Build 124 – 24th January, 2012

Version 10.01.2 Build 133 – 15th February, 2012


Release Information

Release Type: Maintenance Release

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or V 10.01.0 Build 674 or V 10.01.0 Build 678 or V 10.01.0 Build 739 or V 10.01.1 Build 023 or V 10.01.1 Build 027 or V 10.01.02 Build 010 or V 10.01.02 Build 059 and V 10.01.02 Build 064 or V 10.01.02 Build 065

Migrate Procedure

To migrate from Version 9 to Version 10, please follow the link Migrate Cyberoam Appliance from Version 9 to Version 10.

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

1.      Logon to https://customer.cyberoam.com

2.      Click “Upgrade” link under Upgrade URL.

3.      Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472

For Cyberoam version 10.01.0472 or higher

1.     Upgrade the Cyberoam to 10.01.0472 selecting option Below 10.01.0472 and follow on-screen instruction.

By doing this, the customer will not be able to roll back.

1.     Upgrade Cyberoam to latest version by selecting option 10.01.0472 or higher” and follow on-screen instruction.

 

Compatibility issues

This version release is not compatible with the Cyberoam Central Console Release V 02.00.2 Build 018.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
  

Introduction

This document contains the release notes for Cyberoam Version 10.01.2 Build 124and Version 10.01.2 Build 133. The following sections describe the release in detail.

This release comes with enhancements to improve quality, reliability, and performance.


Enhancements

1. Optimization of Access Concentrator String

From this version onwards, the administrator is allowed to provide a PPPoE “Access Concentrator” string of 50 characters long.

Prior to this version, maximum character limit of “Access Concentrator” string was 20 characters

This can be accessed from Network  ® Interface by selecting PPPoE for WAN Zone.

Bugs Solved

For Version 10.01.2.124

Firewall

Bug ID – 7649

Description – The dropdown menu is not displayed properly on clicking “Service” tab while adding or editing any firewall rule.


Bug ID – 7922

Description – Spoof prevention does not function on migrating from V9 to VX if a same MAC address is available in upper case and lower case within cyberoam internal database.

 
GUI

Bug ID – 7934

Description – Spam Rule parameter "Message size is" is displayed as "less than" although it is configured as "Greater than" for Anti Spam. However Anti Spam Rule functions appropriately


Bug ID – 8015

Description – Two entries for same date is displayed for gateway wise data transfer is displayed on GUI.


Bug ID – 8040

Description – Dates cannot be configured for quarantine mails in Chinese Traditional GUI.

 
High Availability

Bug ID – 7401

Description – Thin Client users cannot access Internet when HA is in Active – Active Mode with load balancing on.

 
Logs & Reports

Bug ID – 8016

Description – An alert is not displayed even if disk usage breaches the threshold level.

 
Hardware Sensor

Bug ID – 7634

Description – A false alarm with respect to fan speed is generated for the Appliance that does not have the chassis fan.

 
Network Interface

Bug ID – 6336

Description – 3GModem Sierra Aircard 312AU is not supported by Cyberoam Appliance.


Bug ID –7218

Description – Nokia 3G modem CS 11 is not supported.


Bug ID – 7566

Description – The USB modem of Vodafone ZTE K4505-Z is not supported by Cyberoam Appliance.


Bug ID – 7575

Description – 3G modem Option N.V with model number Globetrotter is not supported by Cyberoam Appliance.


Bug ID – 7652

Description – 3GModem Huawei K4605 is not supported by Cyberoam Appliance.


Bug ID – 7833

Description – 3G Vodafone modem – K3806z is not supported by Cyberoam Appliance.

 
Proxy

Bug ID –7077

Description – User cannot upload PDF File http://www.mca.gov.in on using direct proxy.

 
Report

Bug ID – 7682

Description – Report notification mail content is blank when parameter “Send email at” time set to 00:00 hour.


Bug ID – 7884

Description – “Application Allowed” reports in On-Appliance iView are available for last 24 hours.


Bug ID – 7607

Description – Logs are not displayed in On-Appliance iView reports, if provided start date and end date is same.


Bug ID – 8162

Description – Mismatch in upload data transfer values displayed on firewall page and Gateway page.

 
SSLVPN

Bug ID – 6638

Description – User name displayed as "UNDEF" in SSL VPN reports. 

 

For Version 10.01.2.133

Proxy

Bug ID – 8258

Description – HTTPS sites do not open in Google Chrome and Firefox Version 10.0 (Beta) browsers when HTTPS scanning is on.

Web Access

Bug ID – 8097

Description – SSL Web Portal cannot be opened in IE (9.0.4), Firefox Beta 10 and Google Chrome.

 

 

 
1.2.2.3.3. V 10.01.2 Build 059, 065

 

Release Dates

Version 10.01.2 Build 059 – 01st November, 2011
Version 10.01.2 Build 065 – 26th December, 2011
 

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678 or 10.01.0 Build 739, Version 10.01.1 Build 023, Version 10.01.1 Build 027 or Version 10.01.2 Build 010
 

Migrate Procedure

To migrate from Version 9 to Version 10, follow the link Migrate Cyberoam Appliance from Version 9 to Version 10.
 

Upgrade procedure

For: V 10.01.0472 or V 10.01.0474 or 10.01.0620 or 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678 or 10.01.0 Build 739, Version 10.01.1 Build 023, Version 10.01.1 Build 027 or Version 10.01.2 Build 010

1.      Logon to https://customer.cyberoam.com

2.      Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.

3.      High Availability feature included in this upgrade is a GA feature.

For Cyberoam versions prior to 10.01.0472:

Upgrade in two steps:

Upgrade the Cyberoam to 10.01.0472 using Version 10 to Version 10 available on customer’s My Account.

Upgrade Cyberoam to Version 10.01.2 Build 059. By doing this the customer will not be able to roll back to version prior to 10.01.0472.
 

 

Compatibility issues

Firmware is Appliance model-specific.

Release Version Number

Applicable To Cyberoam Appliance Model

Version 10.01.2 Build 059

All Cyberoam Appliance models

Version 10.01.2 Build 065

Only to CR15i and CR15wi

 Version 10.01.2 Build 059 release is not compatible with the Cyberoam Central Console (CCC) Release V 02.00.1 Build 016.

Version 10.01.2 Build 065 release is compatible with the Cyberoam Central Console (CCC) Release V 02.00.1 Build 016.

CCC does not support Cyberoam UTM deployed in HA (High Availability) mode.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.


Introduction

This document contains the release notes for Cyberoam Version Version 10.01.2 Build 059. The following sections describe the release in detail.

This release comes with new features and enhancements to improve quality, reliability, and performance.

Features

1. Unicast Routing Support in GRE

From this version onwards, the Cyberoam GRE Tunnels will support both unicast and multicast traffic.

Previously, only multicast traffic was supported.

CLI Commands

1.     Command: cyberoam gre route add net <IP/Mask> tunnelname <Tunnel Name>

To add a GRE route, connecting a network via a GRE tunnel.

E.g: cyberoam gre route add net 3.3.3.0/255.255.255.0 tunnelname Elitecore

2.     Command: cyberoam gre route add host <IP> tunnelname <Tunnel Name>

To add a GRE route, connecting a host via a GRE tunnel.

E.g: cyberoam gre route add host 192.168.10.2 tunnelname Elitecore

3.     Command: cyberoam gre route delete net <IP/Mask> tunnelname <Tunnel Name>

To delete a GRE route connected to a network via a GRE tunnel.

E.g: cyberoam gre route delete net 3.3.3.0/255.255.255.0 tunnelname Elitecore

4.     Command: cyberoam gre route delete host <IP> tunnelname <Tunnel Name>

To delete a GRE route connected to a host via a GRE tunnel.

E.g: cyberoam gre route delete net 192.168.10.2 tunnelname Elitecore

5.     Command: cyberoam gre route show

To see all the networks and hosts with respective GRE tunnels.


Enhancements

1. SSLVPN Client Access

From this version onwards, user will not require administrative rights to access SSLVPN client application. However, these rights are needed to install SSL VPN client application.

Prior administrative rights were needed for both.
 

2. HTML Support on Captive Portal for Unauthorized Users

When an unauthorized user starts web browsing, he will be provided with HTML link (http://<Cyberaom LAN IP Address:8090>) if it is configured in custom message along with “Access Denied” message. On accessing the link, user will be prompted to provide login credentials to start web browsing.

Alternately, the unauthorized user may start web browsing by manually logging in the captive portal by providing the URL (http://<Cyberaom LAN IP Address:8090>).

Prior when an unauthorized user attempted to browse, “Access Denied” message was displayed as there was no configurable HTML link support and needed manual intervention by the administrator.
 

3. Manual Signature Update 

From this version onwards, the user can manually update the Cyberoam signature databases for Anti Virus, IPS, Web Category modules.

This enhancement facilitates users, especially those who do not have direct Internet access, to manually update the Cyberoam signature modules.

Updates on latest signature version for Anti Virus, IPS, Web Category modules will be available on http://csc.cyberoam.com.

Updating IPS module shall update both, IPS signatures and Application signatures; however their firmware version number shall differ.

To upload and update the signatures, System àMaintenance àUpdates à Manual Signature Updates.

 

4. Gateway wise Data Transfer Graphs

Cyberoam now facilitates administrator to view Gateway wise Data Transfer graphs.

These graphs shall provide following data transfer information:

1.     Upload Data Transfer
 
2.     Download Data Transfer

3.     Total Data Transfer

The user can choose the time period for which he wants to see the graphs. The available options for the time period are as following:

1.     Last Week

2.     Last Month

3.     Custom (Minimum – 7 Days, Maximum – 30 Days)

The data shall be available only for last six (6) months.

By clicking “Show” Button, the user can also view the live data updated every one (1) minute.

This can be accessed from Network à Gateway à Manage.
 

5. Hit Count in Mail Summary Reports

From this version onwards, the Mail Summary Reports provides information regarding number of hits for each application.

Prior, Mail Summary reports provided information of data transfer in bytes.

This can be accessed from Web Admin Console à Report à Main Dashboard (Cyberoam - iView) à Mail Traffic Summary.
 

6. SNMP Manager Port

From this version onwards, default SNMP Manger Port 161 shall be displayed on Web Admin Console.

Prior, SNMP Manager Port field by default appeared blank.

This can be accessed from System à SNMP à Agent Configuration.


Behavior Change

1. Customized SMTP Scanning

From this version onwards, SMTP scanning by default will be in disable mode for General Internet Policy from Cyberoam Wizard. The user may choose to enable scanning of the SMTP traffic using by customizing the Firewall Rule.

Prior, by default SMTP scanning was in enable mode.


Bugs Solved 

For Version 10.01.2.065 

Backup & Restore

Bug ID – 7162
Description – Administrator is unable to download the backup file, if 15i Appliance backup is restored to 25i.

VPN

Bug ID – 7420
Description – Internet access via IPSec Tunnel from a remote office stops on upgrading Appliance from Version 10.01.1 Build 739 to Version 10.01.1 Build 023.

Anti Spam

Bug ID – 6995
Description – In Anti Spam, it is possible to import address groups however, domains cannot be imported.

GUI

Bug ID –7065
Description – The word “protocol” is misspelled as “ptotocol” in log viewer for deny unknown protocol.
 

Bug ID – 7470
Description – Erroneous CPU usage graph is displayed on GUI.

Firewall

Bug ID – 7142
Description – Cyberoam allows selecting a virtual host service while creating a firewall rule even if the virtual host is not selected

Bug ID – 7016
Description – There shall be one way voice on establishing a VoIP call from inside to outside using a Cisco ATA that is registered with public call manager.

Bug ID – 7471

Description – Incorrect Upload & Download data usage displayed in firewall rule page in GUI.

Proxy

Bug ID – 7366
Description – Few webpage’s of websites "Ebay.co.uk" cannot be opened with direct proxy

Bug ID – 7483
Description – Few tabs available on website www.mca.gov.in and http://www.tcs-itontap.com do not function when Appliance is configured as a direct proxy.

VPN

Bug ID – 7544
Description – An IPSec route does not get deleted from CLI and an error message is displayed, if the IPSec tunnel name is more than 32 characters.
  

For Version 10.01.2.065 

Wireless LAN

Bug ID – 7080
Description – On rebooting the Cyberoam, access point key is to be re-entered within Wireless LAN configuration, if parameter "Security Mode" is configured as "None" for one of the multiple WLAN's.
 
 
 
 
 
1.2.2.3.4. V 10.01.1 Build 023, 027
 

Release Dates

Version 10.01.1 Build 023 – 06th September, 2011
Version 10.01.1 Build 027 – 14th September, 2011

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678 or 10.01.0 Build 739

Migrate Procedure

To migrate from Version 9 to Version 10, please follow the link Migrate Cyberoam Appliance from Version 9 to Version 10.

Upgrade procedure

For: V 10.01.0472 or V 10.01.0474 or 10.01.0620 or 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678 or 10.01.0 Build 739

1.     Logon to https://customer.cyberoam.com

2.     Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.

3.     High Availability feature included in this upgrade is a GA feature.

For Cyberoam versions prior to 10.01.0472:

Upgrade in two steps:

Upgrade the Cyberoam to 10.01.0472 using Version 10 to Version 10 available on customer’s My Account.

Upgrade Cyberoam to 10.01.1 Build 023. By doing this the customer will not be able to roll back to version prior to 10.01.0472.
 
Compatibility issues
Firmware is Appliance model-specific.
 

Release Version Number

Applicable To Cyberoam Appliance Model

Version 10.01.1 Build 023

All except CR15i and CR15wi

Version 10.01.1 Build 027

Only to CR15i and CR15wi

Both these version releases are not compatible with the Cyberoam Central Console Release V 02.00.0 Build 096

CCC does not support Cyberoam UTM deployed in HA (High Availability) mode.

 

Introduction

This document contains the release notes for Cyberoam Version 10.01.1 Build 023 and Cyberoam Version 10.01.1 Build 027. The following sections describe the release in detail.

This release comes with new features and enhancements to improve quality, reliability, and performance.

Features

1. Hardware Monitoring

Cyberoam now supports hardware monitoring using threshold level for fan speed, CPU and system temperature. A sensor is deployed to continuously monitor and provide the data of respective hardware. By turning on Hardware Monitoring, at a regular time interval of one minute, temperature and fan speed can be tracked using CLI commands. A notification in form of logs shall be generated when any of the hardware devices breach the threshold level. The system report can be viewed from event viewer and local iView.

For CR15i, a log notification shall be coupled with alarm (beep).

The default configurations are:

1.     Hardware monitoring = “ON”

2.     Maximum System /CPU Temperature Limit = 70°C (degree Celsius)

3.     Hysteresis Limit = 65°C

4.     Minimum Fan Speed Limit = 6000 RPM

CLI Commands

1.     Turn hardware monitoring on/off

console> cyberoam diagnostics hardware-monitoring on/off

2.     Show current sensor settings and data.

console> cyberoam diagnostics hardware-monitoring show-sensor-data

Known Behavior

When any threshold is breached an alert will be generated by turning on an alarm. This alarm will only turn off when the threshold limit falls below hysteresis limit.

E.g. Considering the above mentioned default configuration, if the CPU and system temperature rises above 70°C, an alarm is generated. This alarm will continue to remain ON until the temperature falls below the hysteresis limit i.e. 65°C. 
 

1.     This feature is available only for following Appliance:

15i, 15wi, 25ia, 35ia, 25wi, 35wi
 

2.     Hardware monitoring will not be supported in HA Deployment

 


2. Watermark Threshold

Cyberoam now supports Disk Usage Watermark Threshold for monitoring resources. Earlier only an alert log was displayed when the disk usage went above the threshold. However the Reporting was not disabled and it resulted in 100% disk usage.


With Watermark Threshold feature, when a hard disk is utilized beyond the configured threshold an alert log shall be generated in the log viewer. Prior, only a fixed higher threshold level was available for disk usage. Adding Watermark Threshold feature to Disk Usage shall now allow configuring lower threshold level. There shall be a fixed higher threshold level for the resource usage.

The default configurations are:

1.     Lower Threshold = 80%

2.     Higher Threshold = 90%
 

Conditions for alerts:

Action à

Utilization  â

Reporting ON

Alert Log

Reporting OFF

Below lower threshold

ü



Between lower threshold and upper threshold

ü

ü


Between lower threshold and upper threshold for continuous12 hours

ü

ü


Above upper threshold


ü

ü*

Above upper threshold for continuous12 hours


ü

ü*

Drop from upper threshold to below lower threshold

ü

ü


* - Reporting will start only when data is manually purged and disk utilization level falls below lower threshold.

CLI Commands for Lower Threshold

1.     Command: Set report-disk-usage watermark <value_in_%> 

Sets the lower watermark to the given value (must be between 60-85)

2.     Command: Set report-disk-usage watermark default

Sets the lower watermark to the default value (80)

3.     Command: Show report-disk-usage watermark

Show the current value of lower watermark



3. HTML Support for Captive Portal and Web Filter Messages

This version onwards, Cyberoam Appliance now supports HTML tag inputs for Customized Denied Message on Web Filter and Custom Message on the Captive Portal Settings. 

This HTML enhancement will provide links using ‘anchor’ tag and images using ‘.img’ tag.

To use this feature, for Custom Denied Massage in Web Filter go to Web Filter ® Settings ® Denied Message.

To use this feature, for Custom Message in Captive Portal Settings go to Identity ® Authentication ® Firewall ® Custom Message.
 


4. Applications and Blocked Attempts Report

Cyberoam iView now provides two new reports, viz. Applications and Blocked Attempts reports.

A snapshot of various applications accessed by users will be provided by the Application reports. It also gives information on the applications bandwidth usage. This identification will help in fine tuning Internet access policies to ensure optimum bandwidth utilization.

Blocked attempts reports provide a snapshot of denied application access attempts. These report aids the administrator to observe the users’ Internet behavior and take remedial measures.

These reports can be viewed from

1.     Logs & Reports ® View Reports ® Reports ® Applications

2.     Logs & Reports ® View Reports ® Reports ® Blocked Attempts



5. Group Level Dashboards

Cyberoam iView now provides individual dashboard for all report groups in widget format. You can drill down the widget report to view next level reports.

This can be accessed from Logs & Reports ® View Reports ® Dash Boards



6. Pie Charts and Graphs

Cyberoam iView now provides Mail and Web Usage Pie Charts and Graphs.


Enhancements

1. New Widgets in Cyberoam iView Main Dashboard

Two new widgets are added to the Cyberoam iView main dashboard.

1.     Application Allowed: Displays a list of allowed applications along with number of connections and amount of data transferred by that application.

2.     Application Denied: Displays a list of denied applications along with number of connections.

This can be accessed from Logs & Reports ®  View Reports ®  Dash Boards
 
 

2. Manual Purge

The Cyberoam iView manual purge feature has been optimized to aid its performance The administrator can purge all log data or customize the date range to purge the log data manually.

Select purging criteria as ‘Custom’ and then ‘From’ and ‘To’ month from the calendar control to purge the selected report logs.

This can be accessed from Logs & Reports ®  View Reports ®  System ®  Configuration ®  Manual Purge
 
 

3. Data Management

From this version onwards, the administrator can set retention period for ‘Applications’ and ‘Blocked Attempts’ logs. Retention period can be set from 1 month to 1 year as per the compliance requirements.

This can be accessed from Logs & Reports ®  View Reports ®  System ®  Data Management
 
 

4. Anti Spam and Anti Virus Search Reports

From this version onwards, three more columns will be displayed in antivirus and anti spam search reports:

1.     Rule: Spam or Virus rule applicable to the email

2.     Ref ID: Reference ID associated with the email

3.     Action: Action (accept /deny/ drop) against mail defined by the user.

This additional information aids in troubleshooting.
 
 

5. Unauthorized User Traffic Discovery for CTAS

From this version onwards, it is possible to configure the time out value for Unauthorized User Traffic Discovery in CTAS deployment. Earlier, this value was fixed to 120 seconds.

Once the Unauthorized User Traffic Discovery Time is up, an authentication page will be displayed. The time out value can be configured even if CTAS is disabled. In this case, whenever the CTAS is enabled, the configured value will come in effect.

The configurations values are:

1.     Default - 120 seconds

2.     Range – 1 – 120 seconds

CLI Commands

1.     console> cyberoam auth cta unauth-traffic drop-period <sec>/default
 
 

Behavior Change

1. IPS

In case 10.01.1.build 023 is rolled back to Version 10.01.0 Build 739 then the IPS services will start either when its signatures are auto upgrade or a manual upgrade is done.
 
 

Bugs Solved

Anti Spam 

Bug ID – 6691
Description – When there are multiple rules for RBL verification of a mail IP Address, on verification with the first rule, the next rule is skipped.
For example, there are two rules of RBL verification:
1. Verify against Premium RBL group
2. Verify against Standard RBL group.
In this case, Cyberoam only verifies with the Premium group. On being validated, the Standard group rule will be skipped.

CLI
Bug ID – 6771
Description – If the packet size of ping6 is greater then 1453, then administrator fails to receive the ping6 response.

Firewall
Bug ID – 6773
Description – Web filter policy is not applied for authenticated users when LAN – Local firewall rule is configured.

Bug ID – 6937
Description – Firewall rule fails if the configured SNAT policies are greater than 255.

GUI

Bug ID –7035
Description – The word “resource” is misspelled as “reosurce” in SSLVPN logs.

High Availability
Bug ID – 6852
Description – VPN traffic in HA deployment gets load balanced, due to which it gets disrupted.

Bug ID – 6722
Description – Administrator can enable HA, even though monitoring interface are not connected on auxiliary machine. A message “one or more monitored ports are disconnected on Aux appliance” is displayed.

Log Viewer
Bug ID – 5778
Description – The Signature Update page displays “Successfully On”, while the Log Viewer page displays “AV definition upgrade failed if Cyberoam has the latest antivirus definition and the user tries to update it.

Network Interface
Bug ID – 6941
Description – Geographical configuration for WLAN is required to be updated manually once upgrading from Version 472 to Version 739 and beyond.
 
Bug ID –7033
Description – Modem “Huawei EC 156 HSIA” is not supported.

Proxy

Bug ID – 5151
Description – When IM scanning is enabled, chatting through Windows Live Messenger 2011 is not supported.

Bug ID – 6926
Description – The website http://www.imi.edu/index.php/placements/studentsearch cannot be opened if Allow All Web Filter Policy is configured.

Bug ID – 6883
Description – Chat messages are not displayed properly in Log Viewer for IM.

Bug ID – 6810
Description – HTTPS sites cannot be accessed if Parent Proxy is configured in Cyberoam and direct proxy is configured in the client browser.

Bug ID –7079
Description – Report Notification is not allowed for custom report group.

Report

Bug ID – 6551
Description – In case of HA, Iview data management configuration does not get synchronized between the primary and the auxiliary appliance.

Bug ID – 6887
Description – Manual purge and Data management option in On-Appliance iView does not get displayed if 4-Eye Authentication is enabled from Logs and Reports.
 
Bug ID –7074
Description – On-Appliance iView displays only the current day Top File upload report.

User 

Bug ID – 6878
Description – Incorrect web surfing policy is applied to a CTAS authenticated user in DHCP enviroment.

Bug ID – 6946
Description – Cyclic data transfer policy does not reset if it is configured as 2GB for CTAS and HTTP Client with "Keep Alive" disable.
 
Bug ID –7066
Description – Usernames are case sensitive in case of PPTP users with MSCHAP-V2.

VPN Failover

Bug ID – 6640
Description – On VPN tunnel failover/failback, tunnel does get reconnected however data cannot be transferred for TCP based applications.

VPN

Bug ID – 4994
Description – Preshared key cannot be changed if there are more than one Road Warrior connections.
Bug ID – 6661
Description – A single host can be added multiple times in VPN local subnet.

Bug ID – 5389
Description – All characters except double quotes (“) are supported for preshared key.

VX - VX Migration

Bug ID – 6603
Description – On migrating from Version 472 to Version 667, if initialization of database service is delayed, then migration scripts flushes the reports.
 
 
1.2.2.3.5. V 10.01.0 Build 739
 

Release Dates

Version 10.01.0 Build 739 – 29th June, 2011

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678

Migrate Procedure

To migrate from Version 9 to Version 10, please follow the link Migrate Cyberoam Appliance from Version 9 to Version 10. 

Upgrade procedure

For: V 10.01.0472 or V 10.01.0474 or 10.01.0620 or 10.01.0665 or V 10.01.0667 or 10.01.0 Build 674 or 10.01.0 Build 678

1.     Logon to https://customer.cyberoam.com

2. Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.

3. High Availability feature included in this upgrade is a GA feature.


For Cyberoam versions prior to 10.01.0472:

Upgrade in two steps:

Upgrade the Cyberoam to 10.01.0472 using Version 10 to Version 10 available on customer’s My Account.

Upgrade Cyberoam to 10.01.0 Build 739. By doing this the customer will not be able to roll back to version prior to 10.01.0472.



Compatibility issues

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

This version release is not compatible with the Cyberoam Central Console V 02.00. 0 build 083.

CCC does not support Cyberoam UTM deployed in HA (High Availability) mode.
 
 

Introduction

This document contains the release notes for Cyberoam version 10.01.0 Build 739. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability, and performance.

Features & Enhancements

1.   GRE Tunnel Support

From this version Cyberoam supports Generic Routing Encapsulation (GRE) VPN tunneling protocol. It is used to encapsulate multicast traffic like OSPF, BGP, and RIPV2. Multicast applications like video, VoIP, and streaming music applications use GRE Tunneling.

From CLI Command the administrator can:

·   Add a GRE tunnel:

cyberoam gre tunnel [add {[name tunnel-name] [{localgw <Local WAN Interface> remotegw <RemoteIP>}] localnet <ip/subnet> remotenet <ip/subnet>} 
  • Show the list all the GRE tunnels:

cyberoam gre tunnel show

  • Set the TTL for GRE tunnel:

cyberoam gre tunnel [set {[name tunnel-name] [ttl<ttlvalue>]}]

  • Set the state of GRE tunnel:
cyberoam gre tunnel [set {[name tunnel-name] [state-up/down]}]

·   Delete a GRE tunnel:

cyberoam gre tunnel delete [ [name tunnel-name] [ {local-gw <WAN_Interface> remote-gw <Remote_WAN_IP>}]]

or

cyberoam gre tunnel [delete {[name tunnel-name]}]

or

cyberoam gre tunnel [delete {[ALL]}]

·   Check the status of a GRE tunnel:

cyberoam gre tunnel show [ [name tunnel-name] [ {local-gw <WAN_Interface> remote-gw <Remote_WAN_IP>}]]



2.   Search in Cyberoam iView

This release includes following enhancements in “Search” functionality of Cyberoam iView, ensuring complete network visibility.

Virus

·   From this version onwards, the user can search Virus logs for following Web and file transfer protocols, along with mail protocols (SMTP, POP3, and IMAP):HTTP

·   HTTPS

·   FTP

Use Search --> Virus to search Virus logs in the reports.

FTP

From this version onwards, the user can search FTP logs to retrieve a summary of file transfer activities within the organization’s network. This helps the administrator to fine-tune Internet access policies thereby preventing leakage of critical business information.

The search can be performed on the bases of file transfer type (download/upload), user or file name.

Search results will be displayed in tabular format, containing the IP Address of client and server machine, the amount of data transferred and the direction of data transfer.

Use Search --> FTP to search summary of file transfer within FTP logs.

 

3.   Backup-Restore in Cyberoam iView

From this version onwards, system configuration backup taken from System à Maintenance --> Backup & Restore will include backup of Bookmarks, Custom Views and Report Notifications created on Cyberoam iView.

Backup of Data Management section of Cyberoam iView is not included in this backup.


Improvements

1.   Report Optimization

With this release, some of the report widgets are removed from Cyberoam iView to optimize report framework and avoid data redundancy since the same reports were available at multiple places. Please refer to Appendix for the list of removed reports.

2.   Menu Rearrangement

This release of includes following Menu rearrangements in Cyberoam iView GUI to enhance the user experience.

Search

‘Search’ menu is now available after ‘Dashboards’ menu in navigation pane.

Calendar Control

Time selection option in calendar control is removed from Report pages. Now only the date range can be set to generate reports. However, this option is available on all ‘Search’ pages.

Dashboard Widgets

As per the frequency of usage, sequence of report widgets is changed on main dashboard of Cyberoam iView. Now ‘Mail Traffic Summary’ widget and ‘User Surfing Pattern’ widget are available next to ‘Top Web Users’ widget.

Behavior Change

1.   iView Archived Logs

To optimize performance and reduce data redundancy, archiving in On-Appliance Cyberoam iView is discontinued. The network traffic information with timestamp can be obtained either using “Search” option provided in navigation panel or from leaf level reports.

2.   Dashboard Alerts

During a successful Cyberoam upgrade, if the reporting migration fails the On-Appliance reporting gets turned off with an appropriate notification on the dashboard.

Bugs Solved

9X to V10 Data Migration

Bug ID – 6611
Description – On migrating from Version 9 to Version 10, groups are not displayed if login restriction parameter value of Web Admin Console and internal database do not match.

 Backup & Restore

Bug ID – 6554
Description – Upgrading Cyberoam from version 10.01.0472 to 10.01.667 fails, if user email id starts with “_” and ends with “.”.

 Anti Spam 

Bug ID – 6667
Description – Erroneous entry in RBL domain results in disruption of mail traffic.

Certificate

Bug ID – 6443
Description – A certificate in SSL VPN configuration cannot be selected or SSL VPN services become inoperative on migrating from Version 9 to Version 667.
Firewall
Bug ID – 6355
Description – Appropriate message does not get displayed when the traffic bypasses the firewall rule because the precedence of appliance access is higher than the system firewall rule.
 
Bug ID – 6116
Description – Host/host group with a special character hyphen “-” cannot be added in firewall rule.
 
Bug ID – 6137
Description – While uploading a large size file FTP connection terminates if no acknowledgement from the FTP server is received in 5 minutes.
GUI
Bug ID – 3070
Description – A message “Too Many Connections Please Try After Some Seconds.” is displayed randomly while navigating through the Web Admin Console.
 
Bug ID – 5145
Description – On-Screen help for extensions required for certificate and certificate authority are not provided.
 
Bug ID – 6433
Description – A user from road warrior X-Auth is not displayed in allowed user list in spite of being selected to be allowed.
 
Bug ID – 6524
Description – Graph is not displayed on Web Admin Console, if VLAN configured on the gateway interface.
 
Bug ID – 6446
Description – In Log viewer, the filter for “message id” is not available for “IPS” component, while it fails to respond in case of “Firewall” and “Antispam”.
 
Bug ID – 6321
Description – Dashboard icon will not be displayed within the Icon Bar while using Internet Explorer 9.
 
Bug ID – 6542
Description – Administrator cannot add more than 97 hosts in host group.
 
Bug ID – 6738
Description – In case of V9 –V10 migration in 25i appliance, the dashboard alert messages displays “vrmodule expired” since User License Period does not contain date value.
High Availability
Bug ID – 5556
Description – Applications that work on multicast traffic are disrupted in HA deployment.
 
Bug ID – 6697
Description – In HA deployment, Antivirus service stops if signature db and config db are reset.

Import – Export

Bug ID – 5683

Description – Administrator cannot import users beyond the recommended limit for the respective appliance. The recommended limit for each appliance is as follows:

Appliance

Recommended number of Users

CR15i, CR15wi, CR50ia, CR100ia ,CR35ia, CR25ia, CR35wi, CR25wi, CR100i, CR50i, CR25i

500

CR250i, CR300i, CR200i

1000

CR1500i, CR1500ia, CR500i, CR1000i, CR500ia, CR750ia, CR1000ia

1500

Others, if exists

500

Log Viewer

Bug ID – 5362
Description – Some web surfing details does not appear in the Cyberoam-iView reports.

 Network Interface

Bug ID – 6301
Description –“Novatel Wireless Ovation MC950D USB HSPA Modem” fails to connect to Internet.
 
Bug ID – 6122
Description – VPN tunnel connectivity gets disrupted if MTU/MSS value is updated on the LAN interface.

Proxy

Bug ID – 4103
Description – When IM scanning is enabled and more than 5000 login requests are received, the users are not able to logon to Microsoft Windows Live Messenger and IM reports are not generated by Cyberoam iView.
 
Bug ID – 5730
Description – When HTTPS scanning is enabled, http://fmcdealer.com fails to display all the widgets on the site.

Bug ID – 6685
Description –When scanning is enabled and If HTTP response does not include the “Content Length” parameter then the appliance becomes unresponsive.

Bug ID – 6503
Description – If HTTPS scanning is enabled, user tries to log in www.costco.com then the browser displays a blank page for Mozilla/Chrome and a message “Page cannot be displayed.” for Internet Explorer.

Bug ID – 6615
Description – The Honda Web application fails to open when Web Filter policy or HTTP scanning are applied.

Bug ID – 6631
Description – Oracle web based application fails to respond if Web Filter policy is configured or HTTP scanning is enabled.

Bug ID – 6734
Description – Ubuntu upgrade fails, if Web Filter policy or HTTP scanning is enabled.

Bug ID – 6302
Description – CCTV Application cannot be accessed if Web Filter policy is enabled.

Bug ID – 6263
Description – Browsing slows down or stops, if the number of HTTP session crosses the threshold level.

QoS

Bug ID – 6126
Description – When a strict bandwidth policy for upload/download is configured, FTP upload stops if HTTP download is started simultaneously.

Reports

Bug ID – 5647
Description – Cyberoam-iView Search reports do not provide time stamp.

Bug ID – 6391
Description – Configured bookmark are lost on flushing the Appliance reports.

Bug ID – 6550
Description – Confirmation message is not received on updating Cyberoam-iView Data Management page.

Bug ID – 3214
Description – “Service Temporary Unavailable” message is displayed randomly while accessing Web Admin Console.

Bug ID – 6720
Description – Cyberoam-iView reports for any day of the previous month are generated for the entire day, irrespective of the configured time.

Bug ID – 6507
Description – Previous month’s reports cannot be manually purged in Cyberoam-iView.
 
Bug ID – 6458
Description – Manual purge option deletes entire month’s reports starting from the upper limit of the month selected in the date range.

Bug ID – 6534
Description – PDF File of web surfing report for a particular user cannot be exported due to non-English characters present in URL‘s accessed by the user.

Bug ID – 6295
Description – Used time in Date wise summary is displayed incorrectly in Cyberoam-iView.

Schedule Backup

Bug ID – 6037
Description – The alert message for scheduled backup is not displayed on Web Admin Console.
SSL VPN
Bug ID – 4974
Description – SSL VPN web application access mode cannot be accessed if SSL VPN certificate at server end and client end are not identical.

Bug ID – 6184
Description – SSL VPN (Full Tunnel Mode) misbehaves when the user tries to re-login..

Time Settings

Bug ID – 6282
Description – The NTP Server custom configuration is lost if the Administrator tries to synchronize with pre-defined configuration.

User

Bug ID – 6655
Description – A user is not allowed to login If a login password contains special characters “&” and “+”.

Bug ID – 6296
Description – The Corporate Client does not work, if the user password length is more than 21 characters.

Bug ID - 6276
Description - Inactivity timeout does not function properly. For E.g. If the idle timeout is set to 30 minutes and the user logs in at 16th minute then, access server checks the idle timeout at 30th minute and user gets logged out in 15 minutes.

VPN

Bug ID – 6043
Description – Authentication details are mandatory to create a VPN policy for Manual Keying method.
 
Bug ID – 5389
Description – If pre-shared key includes special character like single quote (‘), hash (#), double quotes (“) IPSec connection cannot be updated.

VPN – L2TP

Bug ID – 6472
Description – L2TP VPN tunnels does not get established if a firewall rule to accept all services for VPN to Local rule is created.

Web Filter

Bug ID – 6683
Description – The top and bottom images of custom denied message are interchanged.

Appendix

The report widgets are removed from Cyberoam iView are listed below:

1.     Top URLs from Web Usage and Blocked Web Attempt reports

2.     Top Applications

3.     Detailed Attack report

4.     Archives

5.     Web Usage

a.     Top Web Users

                                                i.    Top Applications

                                               ii.    Top Contents

b.    Top Web User Groups

                                                i.    Top Applications

                                               ii.    Top Contents

c.     Top Categories

                                                i.    Top Contents

d.    Top Domains

                                                i.    Top Contents

e.     Top Contents

                                                i.    Top Domains

                                               ii.    Top Categories

f.        Top Web Hosts

                                                i.    Top Applications

                                               ii.    Top Contents

g.    Top Applications

6.     Blocked Web Attempts

a.     Top Denied Web Users

                                                i.    Top Applications

b.    Top Denied Web Hosts

                                                i.    Top Applications

7.     Mail Usage Report

a.     Top Mail Senders

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

                                              iv.    Top Users

b.    Top Mail Recipients

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

                                              iv.    Top Users

c.     Top Mail Users

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

d.    Top Mail Hosts

                                                i.    Top Users

                                               ii.    Top Destination

                                              iii.    Top Applications

e.     Top Mail Applications

                                                i.    Top Hosts

                                               ii.    Top Destination

                                              iii.    Top Users

8.     Anti Spam

a.     Top Spam Senders

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

                                              iv.    Top Users

b.    Top Spam Recipients

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

                                              iv.    Top Users

c.     Top Applications used for Spam

                                                i.    Top Source Hosts

                                               ii.    Top Destination

                                              iii.    Top Applications

9.     Top Attacks

a.     Severity wise break-down

                                                i.    Top Dropped Attacks

                                               ii.    Top Detected Attacks

1.2.2.3.6. V 10.01.0 Build 674, 678

 

Release Dates

Version 10.01.0 Build 678 – 6th June, 2011
Version 10.01.0 Build 674 – 21st May, 2011
  

Release Information

Release Type: Maintenance Release
 

Release Details:
Till version 10.01.Build 0667, the format of the display version was “10.ab.Build 0xyz”.

From Version 10.01.0 Build 674 onwards, the displayed version will be in the format “10.ab.c build xyz,” for example here it is 10.01.0 Build 674 where:

10: Represents architectural release
01: Represents major feature release
0: Represents minor enhancements release
674:Represents Build number

Upgrade prerequisite:
24 x 7 OR 8 x 5 valid Support license


Applicable to:
CR15i with V9.5.8.68 and all other Cyberoam models with V9.6.0.78 (Valid for Version 10.01.0 Build 674).
                       V10.01.0472 or V10.01.0474 or V10.01.0620 or  V10.01.0665 or V10.01.0667

Upgrade procedure

For: 10.01.0472 or 10.01.0474 or 10.01.0620 or 10.01.0665 or 10.01.0667 or 10.01.0 build 0674:

Logon to https://customer.cyberoam.com

Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.
 
 

For Cyberoam versions prior to 10.01.0472:

Upgrade in two steps:

Upgrade the Cyberoam to 10.01.0472 using version 10 to version 10 available on customer My Account.

Upgrade Cyberoam to .01.0 Build 674. By doing this the customer will not be able to roll back to version prior to 10.01.0472.


Compatibility issues
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.
 
 
Bugs Solved
 
  Build 678
 
  Antivirus
Bug ID – 6651
During Antivirus signature updates, under specific internal conditions of SMTP configuration, significant increase in system load leads to high memory usage.
 
   Build 674
   
   Antivirus
Bug ID – 5615
Description – If Antivirus key expires, it results in high CPU utilization.
 

   VPN Certificate

Bug ID – 6443
Description – SSL VPN service stops on migrating from V9 to V10 due to which certificate in SSLVPN configuration cannot be selected.
If the SSL VPN services have stopped on upgrading to Version10, reset the appliance to its factory settings and restore the backup. The services will resume. 
 

   DDNS              

Bug ID – 6200
Description – In case of NATed deployment, when the DDNS server does not respond, the Cyberoam DDNS does not get updated.
 

   GUI

Bug ID – 6321
Description – The dashboard icon was misaligned in IE8 and IE9 in CR15wi. The issue has been solved for default theme.
 

   IPS

Bug ID – 6312
Description – Large number of application configuration in a policy affects the IPS functionality.

Bug ID – 6360
Description – On disconnecting the PPPoE link is required to be enabled manually via Web Admin Console.

Bug ID – 6559
Description – Ultrasurf application is not blocked.
 

   LAN bypass

Bug ID – 6454
Description – LAN bypass does not work with CR50ia and 100ia.
 

   Migration

Bug ID – 6445
Description – Username containing “@” without a top level domain (e.g. .com, .net, .edu) results in configuration migration failure. 
 

   Proxy

Bug ID – 6322
Description – With Antivirus unsubscribed and is in real scanning mode then under specific server behavior, the web server sites with domain such as .pk, .ch, .be, etc do not display the contents of the sites properly.
 

   SNMP

Bug ID – 6369
Description – A message “Client Port having same port number already exists, choose a different port number." is displayed on configuring 161 as Manager Port in SNMP configuration.
 

   User

Bug ID – 4266
Description – When external server is not reachable and authentication server’s internal queue is full, user cannot login and a message “Server Busy” is displayed.

Bug ID – 6111
Description – Upload and download columns in My Account are displayed as download and upload columns respectively in on-appliance iView report.

Bug ID – 6459
Description –When cyclic data transfer policy is configured for day light saving time zone, the daily data transfer policy does not reset.
 
 

   VX – VX Migration

Bug ID – 6309
Description – Configuration migration fails while upgrading to Version 10.01 build 667, if the difference between PPPoE’s MTU and MSS value is not 48. The system then boots up with the factory default settings. 
 
 
1.2.2.3.7. V 10.01 build 0667

 

Release Dates

Version 10.01 Build 0667 – 16th April, 2011

Release Information

Release Type: General Availability
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: CR15i with V 9.5.8.68 and all other Cyberoam models with V 9.6.0.78.
                     V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 

Upgrade procedure
For: V 10.01.0472 or V 10.01.0474 or 10.01.0620 or 10.01.0665:
Logon to https://customer.cyberoam.com
Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.


For Cyberoam versions prior to 10.01.0472:
Upgrade in two steps:
Upgrade the Cyberoam to 10.01.0472 using version X to version X available on customer My Account.
Upgrade Cyberoam to 10.01.0667. By doing this the customer will not be able to roll back to version prior to 10.01.0472.


Compatibility issues

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

 


Introduction

This document contains the release notes for Cyberoam version 10.01.0667. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability, and performance.

Features & Enhancements

1.    Network Migration for Version 9x to Version 10x
 
Prior to this release, on upgrading from Version 9.x to Version 10.x, the appliance used to go in factory reset mode and it lead to disruption in network connectivity. The administrator was required connect to the appliance locally to complete the migration process. From this version, the upgrade will restore the network configuration so that the migration process can be done remotely, without any local intervention.

From this version Cyberoam provides full network migration (only network migration) from Version 9.x to Version 10.x except VLAN, all/any alias and zone.

Follow the below given steps to upgrade the appliance from version 9.x to version 10.x:

1.     Take the Ver. 9.x backup

2.     Go to http://v9migration.cyberoam.com

3.     Use online tool and migrate the Ver. 9.x backup to Ver. 10.x backup

4.     After upgrading from Ver. 9.x to Ver. 10.x, use the converted Ver. 10 backup to restore the network configurations
 
What will be restored?
1.     Interface IP Addresses

2.     Bridge and Route mode Interfaces

3.     HTTP, HTTPS and SSL VPN Ports

4.     PPPoE Interface configuration
 
What will not be restored?
1.     On migrating for Version 9.x to Version 10.01.0667, the DDNS configuration will not be preserved and the dministrator will not be able to access the appliance using the FQDN. Administrator has to manually configure the DDNS.

2.     Gateway names as assigned in Ver 9.x will not be restored. Name format will be like ‘PortB_gw’ or ‘DHCP_PortB_gw’ or ‘PPPoE_PortB_gw’. In case of bridge it will be ‘Default’.

3.     Gateway Failover Timeout Configuration

4.     Gateway weights

Migration Known Behaviour:

·   “Installing default config” message will be displayed during migration

·   All gateways will be converted to Active mode and default gateway failover rule will be applied.

·   If originally an interface is unbound and an IP address is assigned then the configuration will not be migrated.

 

2.   Restructured Reporting Framework

To optimize performance and minimize database corruption, reporting framework is restructured.


3.
   MAC Cloning support

From this version onwards, Cyberoam provides support to override the default MAC Address for the Interface.

With this feature an ISP can clone a pre-existing MAC Address on an interface leading to a seamless installation of Cyberoam.

On factory reset, it will be set again to the default MAC address.

This functionality is not available for alias, VLAN, virtual interfaces, PPPoE, serial modem interface, dedicated HA link, Wireless LAN, Wireless WAN and bridge interface.

Configuration

Override the default MAC address of the Interface from Network > Interface > Edit Interface


4.
 
  Bandwidth Restructuring for Realtime Traffic
 
From this version onwards, by default, highest priority will be given to the real time traffic and priority can be set from 0 (highest) to 7 (lowest) depending on the traffic required to be shaped.

0 – Real Time e.g. VOIP

1 – Business Critical

2 - Normal

3 - Normal

4 - Normal

5 – Normal

6 – Bulky e.g. FTP

7 – Best Effort e.g. P2P

However, if administrator does not want to set this preference, feature can be disabled using CLI command - set bandwidth allocation-behavior normal. If required, it can be enabled by CLI command - set bandwidth allocation-behavior realtime.

If the bandwidth behavior is set to normal then priority will be applicable only for excess bandwidth i.e. bandwidth remaining after guaranteed bandwidth allocation.

If the bandwidth behavior is set to realtime then Real-time traffic (QoS policy with priority 0) like VOIP will be given precedence over all other traffic.

As priority is given to the real time traffic, it is possible that some non-real time traffic will not get their minimum guaranteed bandwidth. Specifically, if sum of burstable (max allowed) of all bandwidth policies (real time and non real time) is greater than total max-limit then guarantee of real time policies will be fulfilled but non-realtime might not get the minimum guaranteed bandwidth.

On Factory Reset, all the traffic with QoS policy with priority 0 will be given Real Time priority.

On migrating from any previous versions, by default, all the traffic will be given Normal priority.

Any post-upgrade changes done from the CLI shall persist across all future reboots and firmware upgrades.


5.
 
 Automatic VLAN tagging
 
From this version onwards, to scan the VLAN traffic, Cyberoam will automatically tag the VLAN traffic when Cyberoam is deployed as Bridge.

In case of migration from previous versions where VLAN is already configured, vlan-learning will be in manual mode and VLAN IDs will be preserved. In this case, CLI VLAN Management menu will be visible, Administrator can enable auto learning mode through CLI command:

console>cyberoam vlan-learning auto

However, if the gateway is in VLAN then the Cyberoam originated traffic for the gateway can be tagged using CLI menu option 5 - VLAN Management menu.

Administrator can check the vlan-learning mode with CLI command

console>cyberoam vlan-learning show

If required Administrator can toggle between auto and manual learning mode. To switch to manual learning mode use CLI command:

console > cyberoam vlan-learning manual

When Cyberoam is configured as a bridge without VLAN support in Version 10.01.0472 and 10.01.0474 which is subsequently upgraded to Version 10.01.0666 the tagging will be in Auto Mode.
 
When Cyberoam is configured as a bridge with VLANs support in Version 10.01.0472 and 10.01.0474 and upgraded to Version 10.01.0666 the tagging will be in Manual Mode.
 
 
6.   Central Security Control for multiple Cyberoam V 10 deployments (Cyberoam Central Console (CCC) – Alpha release)
 
Cyberoam Central Console (CCC) is a centralized integrated management and monitoring appliance that allows Enterprises and MSSPs to manage multiple, dispersed Cyberoam UTM deployments across remote / branch offices and clients respectively.

The current version of Cyberoam will be compatible with the CCC’s upcoming version 02.00.0062 (beta) which will be released shortly.

Completely revamped product provides UI with Web 2.0 benefits and enhanced set of features including role based administration, multiple dashboards and centralized logging for monitoring and signature distribution server. For detailed feature set, please refer CCC datasheet.

Configuration

To manage Cyberoam through CCC, Administrator has to configure CCC IP address in Cyberoam from System > Administration > Central Console.


7.
  Enhancing Ease of Deployment
 
On factory reset, now onwards, Cyberoam Network settings will be as follow:

Port A (LAN)

DHCP server running on Port A

Lease range -172.16.16.17- 172.16.16.254

Gateway - Use Interface IP as Gateway. Gateway name changed from Default to DHCP_PortB_GW

Conflict Detection enabled

Use Appliance's DNS Settings

Port B (WAN)

IP Assignment - DHCP Client

DNS - Obtain DNS from Server

On Factory Reset from this version onwards, after a Factory Reset, Cyberoam will boot up in Monitor only mode.
 

8.
  Improved Wireless Security (for Wireless Appliances only)
 
Cyberoam Wireless appliances now have capabilities to recognize and take countermeasures against the illicit wireless activities.

Rogue Access Points (AP) are one of the most serious threats to wireless security. Any access point which is not authorized for use on a network is considered as rogue. They impose threats in a number of different ways including unintentional connections to the rogue device by the employees, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. Cyberoam can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network.

Cyberoam scans for the nearby access points and displays list of all the discovered APs. Administrator can then mark the APs as rogue or authorized. 

Configuration

Go to Network > Wireless LAN > Rogue AP Scan and scan for nearby access points.

From the discovered APs, mark AP as Rogue if it is not authorized to use the LAN resources, else mark it as Authorized.


9.
   Increased Security against Brute-force Attack

To provide the increased security against the brute force attack, Cyberoam has implemented password complexity policy.

Most organizations still use traditional passwords for authentication even when advance and alternative technologies, such as biometrics, and one-time passwords, are available. Therefore it is very important that organizations define and enforce password policies for their computers that include usage of strong passwords.

Brute force attack is nothing but trying every possible combination to crack password which involves running through all the possible permutations of the keys until the correct combination is found. The time required for Brute force attack depends on the password length and used character set.

Strong passwords meet a number of requirements for complexity - including length and characters - that make passwords more difficult for attackers to determine. Establishing strong password policies for your organization can help prevent attackers from impersonating users and help prevent the loss of sensitive information.

Configuration

Go to System > Administration > Settings and enforce

Minimum Password length

Password complexity: Require upper and lower case alphabets, require alphabetic, numeric, and special characters
 

10.
   Administrator Account Login Security
 
For improved security and prevent unauthorized access, Cyberoam has extended its login security and included following features:
  •      Lock Administration Session
  •     Automatic Logout
  •     Lockout Administrator Account after number of failed login attempts
  •     Login Disclaimer

Configuration

Go to System > Administration > Settings and enable

Admin Session locking and configure inactivity time. Administrator Session will be automatically locked after configured inactivity time. Administrator has to re-login to continue with the session. 

Automatic Admin session logout and configure inactivity time. Administrator will be logged out automatically after configured inactivity time. Administrator has to re-login.

Specify number of failed login attempts allowed and seconds from the same IP address and lockout period.

Administrator has to accept the login disclaimer to logon. Disclaimer can be customized as per the organization requirement from System > Administration > Messages page.


11.
   Administrator Profile based Access Controls

Restrictions added for appliance access based on location (IP), time and day (application of pre-defined schedule) for user with authorized administrators’ profile.

Now the Super Administrator can restrict how and where and when an administrator user can log in to and access Cyberoam.

Configuration

This setting can be done from Identity > User > User. Administrator profile has to be selected and the setting are visible at the end of the page under Administrator Advanced Settings section.


12.
 
  Web Browser Lock Support

Cyberoam has added Web Browser lock support to prevent unauthorized access to the user session. Administrators can directly lock their session from the Web Admin console, while for endusers, administrator can configure auto-logout on browser closure. For ease of use, Lock icon is provided on the icon bar on Web Admin Console. When someone tries access the locked page, warning message is displayed and is re-directed to login page.

Configuration

To configure the auto-logout for endusers, go to Identity > authentication > Firewall > Captive Portal Settings and enable Log out user on Browser close.


13.
   Support of DHCP over VPN

The ability to tunnel DHCP over VPNs will allow network administrators to manage their entire IP address space from a central DHCP server. In other words, this feature is required in the networks where a centralized DHCP server is required to lease IP address to all the branch office, for their internal network from this DHCP server over VPN.

As DHCP is a broadcast protocol, it will not cross network boundaries without additional configuration. This configuration is usually enabling DHCP relay on the devices between the network boundaries.

It requires to configure DHCP Relay on the branch offices in which turn relays the DHCP clients’ request over VPN tunnel to DHCP server located at the headoffice. DHCP over VPN allows hosts behind a Cyberoam obtain an IP address lease from a DHCP server at the other end of a VPN tunnel.

Configuration

Create IPSec connection between Branch office(s) and Head office

Configure DHCP Relay on Branch office(s)

Configure DHCP server behind Head office
 
 
14.   Data transfer threshold SSL VPN Tunnel Access
 
SSL VPN tunnel is dropped automatically once the idle timeout has passed and user has have to reconnect. Connection is dropped even if the data transfer is going on through the connection. To overcome this problem, from this version, data transfer threshold support is provided.

With this feature, once the idle timeout is reached, before dropping the connection, Cyberoam will check the data transfer. If data transfer is higher than the configured threshold, connection will not be dropped till the data transfer is complete.

Configuration

Go to VPN > SSL > Tunnel Access and set threshold value.

Default – 250 bytes



15.
   User Creation on VPN Login

From this version user will be created automatically when he is externally authenticated by ADS / LDAP while using L2TP / PPTP / SSL VPN.

The user should either be a part of the default group, or the ADS / LDAP /RADIUS should be tightly integrated with Cyberoam and access to L2TP / PPTP / SSL VPN should be allowed.
 

16.   Special characters support in User name and Domain name

From this version onwards, twelve (12) special character which include ~ ` ! @ # $ ^ - _ { } . will be supported in user names.
 

17.   Multi-lingual support in Import Group Wizard

Import Group wizard used to import all the Active Directory Groups into Cyberoam, now can be displayed in various languages that are supported by Cyberoam. Cyberoam supports
Chinese simplified and traditional, French and hindi language.

Wizard can be access from Identity > Authentication > Settings once AD is configured.

Cyberoam IPSec Client will now work with Cyberoam only and not any other 3rd Party UTM appliances.


18.
  SSL VPN Tunnel Reports
 
System Log will now record tunnel connection and termination (Login / Logout) events when established through SSL Tunnel Access mode. Log can be viewed from Log Viewer of Web Admin Console.

- SSL VPN Report is added below the VPN Report

- For Now, This Report shows Event of SSL VPN Connection for Tunnel Access Only.


19.
   Logs and Reports

Admin log enhanced to include CLI events.

Following CLI events will now be logged in Admin Log and can be viewed from Log Viewer of Web Admin Console:

set advance-firewall

cyberoam application_classification

set http_proxy

cyberoam auth

set network

cyberoam dhcp

set sslvpn

cyberoam diagnostics (Without purge-old-logs & purge-all-logs)

set on-appliance-reports

cyberoam ha

set proxy-arp

cyberoam ips_autoupgrade

set ips

cyberoam ipsec_route

set service-param

cyberoam ipv6 (Without neighbour)

set arp-flux

cyberoam link_failover

set bandwidth

cyberoam route_precedence

set vpn

cyberoam shutdown

set port-affinity

cyberoam system_modules

 

cyberoam wwan

Any event occurring through following CLI menus -

- Network Configuration

- System Configuration

- Cyberoam Management (without Flush Appliance Reports)

- VPN Management (without Restart VPN Service)

Two Top Hosts Reports added in Web Usage Report module
Web Usage - Top Categories > Top Hosts
Web Usage > Top Categories > Top Users > Top Hosts
Signature Upgrade failure logs
System Log will now record IPS, Webcat, AV upgrade failure events. Log can be viewed from Logs & Reports > Log Viewer > System

Improvements

1.   Deny Unknown Protocol

Any unauthorized non-HTTPS protocol over port 443 can now be blocked from Web Admin Console.
By default all unknown protocols over 443 are denied.
 

2.   Allow Invalid Certificate

The administrator can now allow an HTTPS connection even while using an invalid certificate.
By default invalid certificate will not be allowed.
Logs will also get added for appropriate indication if a site is denied due to both these settings in the log viewer.

Configuration
Both these options which were previously available in the CLI can now be accessed in the Web Admin Console from Antivirus > HTTP/S > Configuration.
 
3.   Improved RBL Support

Cyberoam now supports two (2) RBL (Realtime Blackhole List) domains which include zen.spamhaus.org and dnsbl2.uceprotect.net.

This improvement will help enhance the spam delectation and elimination capabilities of the Anti-Spam feature of Cyberoam.

Configuration
This option can be configured from Anti Spam > Configuration > Address Group > Standard RBL Services.

Behavior changes

1. Please refer to Features / Enhancements (3) and (5).

2. While configuring Cyberoam through setup Network Configuration Wizard, by default, HTTPS scanning is now OFF for all selected policies.
 
Version- 9 Catchup Feature
1. Web Traffic Analysis Doclet on Dashboard - displays category-wise total hits and data transfer. Detailed report can be viewed by clicking the report link.

2. All V9 Alert messages on Dashboard for subscription expiry and other admin messages

3. Internet Usage details in MyAccount – displays allotted, used and remaining data transfer quota. Month wise usage details display time spent and data transferred from each URL. Month wise usage details can also be
filtered on IP address accessed.

4. The administrator can now have a better control over the disk by manual purging of the report data. This option can be accessed in the Web Admin Console from Logs & Reports > View Reports. This will open a new window. Here System > Configuration > Manual Purge.

5. Surfing Quota policy is more granular with minutes being displayed. It can be accessed from Identity > Policy > Surfing Quota.

6. Even when a single site is included in multiple categories, it can be searched now. It can be accessed from Web Filter > Category > Search URL.

 

Bugs Solved

Certificate

Bug ID – 4284
Description – SSL VPN did not work when using third party certificate.

Bug ID – 5018
Description – Self signed certificate cannot be applied to captive portal when accessed over HTTPS.

Cyberlite

Bug ID – 5614
Description – Scheduled based policies fail to apply if a schedule is configured for the dates 29th and 30th of any month.
 
Bug ID – 6168
Description – The system auto upgrade stops and reports fail to generate, once the time is updated in accordance to Day Light Saving mode.
 
Firewall
Bug ID – 3820
Description – Firewall page does not open when number of users surpasses the recommended count which leads to high memory utilization.
 
Bug ID – 3300
Description – If you are configuring a schedule period and a part of it has lapsed then firewall rule will be disabled.
E.g. A schedule is configured for period 14.30 to 16.30 and current system timing is 15.00 than the firewall rule shall be disabled.

GUI

Bug ID – 5381
Description – On updating VLAN with zone as “None”, IP address is not updated and “NA” will be displayed on Manage Interface page. 
 
Bug ID – 5333
Description – Preview options is not provided in Web Filter Default denied Message Setting
 
Bug ID – 5444
Description – Application category “Gaming” is incorrectly spelled as “Gamig”. 
HA
Bug ID – 5588
Description – The administrator cannot flush the report database from the Auxiliary Appliance.

Import - Export
Bug ID – 5916
Description – When a file is rejected due to mismatch of password column header and type of password (plain / encrypted), a message “HTTP 404 Page doesn’t exist” appears.  
IPS
Bug ID – 5248
Description – When the IPS Signature search results into more than 2 signatures, it is not possible to disable multiple signatures simultaneously. 
Logs & Report
Bug ID – 4648
Description – History of user's login and logout details is not displayed in MyAccount.
Network Interface
Bug ID – 5316
Description –.Distance value is not reflecting in static route.
Same destination routes with different gateways cannot be added.
 
Bug ID – 5509
Description – Once WWAN is enabled after creation of an IP Address based Virtual Host and then the WWAN cannot be disabled.
PPPoE Client
Bug ID – 5607
Description – User needs to update connection by providing username and password every time to reconnect a non standard PPPoE connection.  
Proxy
Bug ID – 5095
Description – Windows 2008 server update does not work with HTTPS scan on.
 
Bug ID – 4017
Description – Incase high number of configuration and multiple combinations in Web Filter policy the categorization does not work.
 
Bug ID – 5769
Description – Youtube videos are not blocked as MIME type (video/x-flv) not included after denying default Audio and Video File Category.
 
Bug ID – 5644
Description – With Web Filter policy, users can not access site 'www.vinsolutions.com' due to RFC incompatibility.
 
Bug ID – 5566
Description – When the antivirus is configured to scan in real mode and the module is unsubscribed and Cyberoam is configured as direct proxy, a different website then the intended one, opens.

Bug ID – 5910
Description – With connection via MPLS, users will not be able to connect to‘https://adpeet2.adp.com/52iu5e/logon’ and ‘https://hip.chpw.org’.
 
Reports
Bug ID – 4052
Description – Reports will not be displayed in iView and the appliance will go to Fail Safe mode in case of low disk space. User is required to flush the reports manually.
 
Bug ID – 4940
Description – A historical report taken on different days will display dissimilar values.
 
SNMP
Bug ID – 5660
Description – In SNMP client, module sub status incorrectly displays as "3" instead of "1" for a trial subsribed module. 

SSL VPN
  

Bug ID – 5268
Description – SSL VPN User will continue remain live[connected] in case of failing to log out before closing the browser or shutting down the system.
 
Bug ID – 5543
Description – Window could not be resized in case a bookmark is opened from SSL VPN Web Portal.

System

Bug ID – 5325
Description – When space is included in the gateway name, Gateway wise Total Data Transfer graph is not displayed for the gateway name that comes after it.

Bug ID – 5332
Description – Web filter Denied message cannot be displayed in the center of the page.
 
User
Bug ID – 4674
Description – Failed to get the Base DN from the Novell e-Directory server, even when the message appears in Cyberoam that the Base DN was imported successfully.
 
Bug ID – 5149
Description - Account expiry attribute of LDAP server does not work.
 
Bug ID – 5234
Description – When logout and login request is received at the same time from the same IP Address, user is not displayed on the Live User page.
 
Bug ID – 5256
Description – Special characters like hypen (-), underscore ( _ ), comma (,), dot (.) are not supported for a username and domain name.
 
Bug ID – 5361
Description – On changing the group membership of a user in Active Directory server whose domain name includes special character hyphen (-), and is tightly integrated, the user group membership does not change to “default” group.
 
Bug ID – 5480
Description – SSL VPN authentication will fail for AD authentication, if the password contains special character double quotes (“) or backslash (").
 
Bug ID – 5577
Description – Tight integration does not work with novel e-directory.
 
Bug ID – 6077
Description – User Policy details for the user belonging to default group will not be updated in case of tight integration with AD.

 VLAN
Bug ID – 5381
Description – Manage Interface page shows “NA” under IP address column after successfully updating IP address of VLAN Interface, which is not bounded with any Zone. 
VPN 
Bug ID – 5932
Description – Road Warrior connection is not allowed/ working if IPSec connection is configured “Any” in local and in remote network.

Web Filter 
Bug ID – 5332
Description – Web Filter denied message is not centrally aligned.  
  
Bug ID – 5306
Description –HTTPS based websites are inaccessible if executable files are denied for HTTP and HTTPS and Custom Web Filter Policy is created with “Allow All” profile.
 
Bug ID – 5799
Description – A web filter policy cannot be created from template comprising “None” web category.
 
1.2.2.3.8. V 10.01 build 0472

 

Release Dates

Version 10.01 Build 0472 – 25th January, 2011
Version 10.01 Build 0461 – 3rd January, 2011
Version 10.01 Build 0448 – 8th December, 2010

Release Information

Release Type: General Availability
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: All the Cyberoam Appliance models

Upgrade procedure

1.     Logon to https://customer.cyberoam.com
2.     Click Upgrade URL link, select the appropriate option and follow the on-screen instruction.
3.     High Availability feature included in this upgrade is an EA feature. As it is a controlled release feature, to enable feature, you need to register your Appliance. Please mail your Appliance Key and current firmware version at support@cyberoam.com. This process is required for each new firmware.
 
Note: It is mandatory to upgrade to verion 10.01 build 472 prior to any further upgrades.
 
Compatibility issues
 
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

 
Introduction

This document contains the release notes for Cyberoam version 10.01.0472. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability, and performance.


Features & Enhancements

Build 461

1.   Removed limitation of 6 WAN Interfaces

From this version onwards, limitation of 6 WAN interfaces is removed. Maximum N+VLAN where in N=Available physical interfaces on the appliance and maximum 4092 VLAN sub interfaces can be created on each physical interface. For example, incase of CR25ia (4 physical interfaces), if Port-A is configured as LAN then remaining 3 ports can be configured as a WAN and if required additional 4092 WAN Zone VLAN sub interfaces can be created on each physical interfaces.

2.   DHCP Relay support in HA Cluster

On failover Auxiliary appliance of HA Cluster will now work as DHCP Relay Agent if primary appliance is configured as DHCP Relay.

3.   Support of Authorization Policies for Clientless Single Sign On Users (CTAS)

With this support now, Administrator can restrict Internet access time i.e. total surfing time and control data transfer for the users who are authenticated by CTAS.

4.   Logs and Reports Enhancements

Cyberoam has extended its logging functionality by including:

  • Application Denied log - Log that records all the attempts made to access the application denied through Application Filter policy. Log can be viewed from Logs & Reports > Log Viewer > Application Filter Logs.
  • IPSec VPN log - Events like connection activated, connection fail, ID mismatch will be logged and can be viewed from Logs & Reports > Log Viewer > System Log.

5.   File System Integrity check support

Option is provided in the form of a CLI command to check file system integrity i.e. all the partitions. By default, check is OFF but whenever appliance goes in failsafe due to following reasons, this check is automatically turned ON:

  • Unable to start Config/Report/Signature Database
  • Unable to Apply migration
  • Unable to find the deployment mode

Once the check is turned ON, on the next boot, all the partitions will be checked. In addition, check will be turned OFF again on the next boot.

If the option is ON and the appliance boots up due following reasons, then file system check will not be enforced and option will be disabled after boot:

  • Factory reset
  • Flush Appliance Report

6.   Partition Reset support

File System Integrity check verifies all the partitions for the corruption. Check is enabled automatically when the appliance goes in failsafe mode.

It is required to flush the partitions if appliance comes up in failsafe mode even after the integrity check.

RESET command is extended to include commands to flush the partitions. With these commands, administrator can reset the config, signature and report partition. Entire data will be lost, as the partition will be flushed.

Integrity check repairs the partition while resetting partition removes entire data from the partition.

Command Usage
When you type RESET at the Serial Console Password prompt, menu with 3 options is provided:
1. Reset configuration
2. Reset configuration and signatures
3. Reset configuration, signatures and reports

Miscellaneous changes

1.     Default timeout for switching from storage mode to modem mode is changed from 0 to 10 sec. It can be changed from CLI with command: cyberoam wwan set modem-convert- timeout <number>
 
2.     IPS policy id and Application Filter policy id included in Firewall Rule Logs sent to syslog.

3.     Now Multicast forwarding can be configured when maximum 64 Interfaces are configured. Earlier it was limited up to 32 Interfaces only.

Version- 9 Catchup Feature

1.     Dashboard Alert if password of Super Administrator – admin, is not changed.

2.     RESET, Backup/Restore, Auto Upgrade, Manual Upgrade , Reboot events will be logged and can be viewed from iView (Reports > Event > Admin Events)

3.     IPSec, L2TP, PPTP logs can be viewed from CLI with commands:

show vpn IPSec-logs 
show vpn L2TP-logs
show vpn PPTP-logs

 

Build 448

1.   Four-Eye Authentication support

For legally compliant logging, reporting and archiving, it is important that an organization follows all obligations for keeping relevant information archived and accessible all the time. On one hand to maintain security, for organizations it is necessary to monitor logs related to employee activities while on other hand they must also not invade employee’s privacy.

However, monitoring user-specific activities without the consent or the presence of the employee or their delegate is illegal.

To safeguard the integrity and security of personal activities data collected, Cyberoam has added 4-Eye authentication method in addition to password-based authentication. It offers an added level of control and protection where a single person can access activity logs of other employees and have decision-making potential.

It prevents single administrator from having complete control over the logs and violate the organization’s privacy regulations by having insight to the confidential documents and misuse tracked user activities. It enhances the already existing logging and security mechanisms by adding an additional administrator, without whose permission access cannot be granted.

With 4-Eye authentication, two users – Administrator and Authorizer, are required to view the employee activity reports. Unless Authorizer approves, Administrator cannot view the reports.

Configuration

1.     Enable 4-Eye authentication from Log & Reports > 4-Eye Authentication > Setting. Once enabled, user identities - Username, IP address, MAC address, Email address and IM Contact ID will be encrypted i.e. anonymized, in all the reports.
2.     Configure Authorizer

De-anonymize to view the actual data

1.     Click Reports
2.     Access the report in which you want to de-anonymize user details. Details can be decrypted for the existing session or permanently.
3.     Specify Authorizer Password

2.   Filter HTTP traffic based on MIME header

Cyberoam has significantly enhanced its Content filtering feature by providing powerful function of filtering HTTP traffic based on MIME header in addition to file types. A MIME header list can be used to block traffic with certain types of contents or certain programs in otherwise allowed file type category. Cyberoam compares the MIME header and if a match is found, the corresponding action is taken.

For simplicity, MIME headers are included in the File Type Category along with File Extensions. In addition to default Categories, Cyberoam also has provision for adding custom category with the required MIME header. For default categories, refer Appendix A – Default File Type Categories.

Configuration
 
1.     Go to Objects > File type > File type to add custom category.
2.     Configure file extension and/or MIME header. If both file extension and MIME header are configured, file extension will be checked first.
3.     Implement and configure action from Web Filter policy

3.   VPN Connection Wizard

To speed up the VPN configuration, Cyberoam now provides VPN Connection Wizard for creating VPN Connection.

The VPN Connection Wizard walks you step-by-step through the configuration of VPN Connection. After the configuration is completed, the wizard creates VPN Connection for the selected VPN policy. Once the connection is successfully added, it is listed on VPN > IPSec > Connection page of Web Admin Console and connection details can be updated from the same page.

Wizard can be accessed from VPN > IPSec > Connection page of Web Admin Console.


4.   Domain Name support for NTP server

For ease of use, Cyberoam now provides an option to configure NTP server with FQDN apart from IP address.

Domain name can be configured from System > Configuration > Time page of Web Admin Console.


5.   Multiple NTP server support

To ensure that Cyberoam appliance always maintains the right time, Cyberoam supports use of multiple NTP servers. Cyberoam appliances use NTP Version 3 (RFC 1305). One can configure up to 10 NTP servers. At the time of synchronization, it queries each configured NTP server sequentially. When the query to the first server is not successful, Cyberoam queries second server and so on until it gets a valid reply from one of the NTP servers configured.

Configuration

1.     Go to System > Configuration > Time and Select “Sync with NTP Server”
 
2.     Select “Use Custom” and add IP address or Domain name of NTP server

 
6.   Multiple TSE/ Citrix Server Support in Cyberoam

Cyberoam provides support for transparent authentication of users running Terminal Services or Citrix and apply all the identity-based security policies to monitor and control the access. Now, one can configure up to 64 terminal servers. Up till now, it was possible to configure only one server.

This feature will be useful in the organization where terminal server is deployed in each department.

Configuration

Configure Cyberoam to communicate with Terminal Server from CLI using the command:

cyberoam auth thin-client add citrix-ip <ip address of citrix server>

Remove Terminal Server from CLI using the command:

cyberoam auth thin-client delete citrix-ip <ip address of citrix server>

View list of configured Terminal Servers from CLI using the command:

cyberoam auth thin-client show


7.   Web and FTP Detail Report with Time Stamp

With this version, one more drill down report in the form of Detail report is added for Web Usage and FTP Usage.

Web Usage Detail report added as a leaf (last drill down) report of ‘Top URLs’ report, provides URL access date and time as well as data transfer details. 

FTP Usage Detail report added, as a leaf report to all the FTP Usage reports, provides upload and download date and time along with the size.


8.
   Time Stamp for Anti Virus, Anti Spam, IPS and Mail Usage Reports

Leaf report of Anti Virus, Anti Spam, Mail Usage and Attacks report, now displays time stamp in the YYYY: MM: DD HH:MM:SS format to know the exact time and date of attack and usage.


9.   Firmware Upgrade without disabling HA

To improve the ease of maintenance, HA in v 10.01.04xx supports firmware upgrade without disabling HA


10.   Support of DHCP Custom options

Cyberoam has extended its DHCP Options feature to provide support for custom options as per RFC 2132. DHCP options allow users to specify additional DHCP parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Prior to this version, only standard options could be configured.

Supported Scalar data types:
array-of - Array of Data Type
one-byte - One Byte Numeric Value
two-byte - Two Byte Numeric Value
four-byte - Four Byte Numeric Value
ipaddress – IP address
string - String
boolean - Boolean
Supported Array data types:
one-byte - Array of One Byte Numeric Values
two-byte - Array of Two Byte Numeric Values
four-byte - Array of Four Byte Numeric Values
ipaddress - Array of IP address

Configuration

1.     Define DHCP Option from CLI console
2.     Attach to DHCP server from CLI console
 
 
Example:
 
1. Define custom dhcp option 176 of the type “string”  
console> cyberoam dhcp dhcp-options add optioncode 176 optionname aphone optiontype string

console> cyberoam dhcp dhcp-options binding add dhcpname dhcptest1 optionname aphone(176) value MCIPADD=192.168.42.1,MCPORT=1719,TFTPSRVR=192.168.42.1

 2. View all DHCP options that are configured for DHCP Server

console> cyberoam dhcp dhcp-options binding show dhcpname dhcptest1

 3. View all DHCP options that can be attached to DHCP server

console> cyberoam dhcp dhcp-options list

 4. Removing definition of custom dhcp option 176 (defined in point 1)

console> cyberoam dhcp dhcp-options delete optionname aphone (176)

5. Delete DHCP options from DHCP Server

console> cyberoam dhcp dhcp-options binding delete dhcpname dhcptest1 optionname aphone(176)

 11.   Increased Bandwidth Maximum Limit of QoS Policy

In QoS Policy, maximum bandwidth limit has been increased to 12500 KB from 4096 KB.

12.   UTF-8 Support in iView

iView reports will now be displayed in UTF-8 characters when details are configured in any language other than English.


13.
   External Authentication support using RADIUS for MSCHAPv2/CHAP for L2TP and PPTP Connections
Now PPTP and L2TP connections established using MSCHAPv2 or CHAP protocol can be authenticated through RADIUS.
 

Known Behavior

Build 472

While performing Upload & Reboot operation, if you receive message “Too Many Connections!, Please Try After Some Seconds”, access Web Admin Console after some time, go to System > Maintenance > Firmware and click “Boot firmware image” against 10_01_0472 firmware .

Bugs Solved

Build 471

High Availability

Bug ID - 5211
Description - HA could not be enabled for the appliance models with more than 6 ports.

Interface

Bug ID – 5314
Description – On removing alias, non-interface based static routes get flushed.

Logs & Report

Bug ID – 5214
Description – Incorrect value is displayed for Allotted, Used and Remaining Data transfer columns in Internet Usage repor