1. Cyberoam Security Appliances (UTM and NGFW)
1.1. Common Criteria (EAL4+) Compliant CyberoamOS
1.1.1. Release Notes
1.1.1.1. Release Notes 10.5.3

 

Release Dates

Version 10.5.3 – 05th July, 2013

Release Information

Release Type: General Availability

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Upgrade Supported for Cyberoam Versions:

V 10.01.0XXX or 10.01.X Build XXX: All the versions

V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX: 214, 304, 311

Upgrade procedure

To upgrade the existing Cyberoam Appliance

1.     Logon to https://customer.cyberoam.com

2.     The user will be provided with a link to the latest firmware and a link to firmware version 10.5.1 (Common Criteria Certified firmware for EAL4+) with its corresponding MD5 Checksum, which has to be verified by the user after downloading the firmware.

3.     Follow the relevant on-screen option to upgrade the appliance.

For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

For Cyberoam version 10.5.3 (Common Criteria Certified firmware for EAL4+): Upgrade Cyberoam to firmware 10.5.3 version by selecting option “10.5.3” and follow on-screen instruction. On applying the firmware version 10.5.3 over a newer firmware version, the appliance will boot in factory default configuration.
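
Step 2 of the upgrade procedure requires verifying the downloaded firmware against the MD5 checksum published with it. The script below is an added example, not part of the Cyberoam documentation; the function names, the stand-in file and the checksum values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cyberoam code): check a downloaded firmware image against
# the MD5 checksum published beside its download link, before uploading it to
# the appliance. Function names and the demo data are constructed.

# normalize_md5 VALUE
# Prints VALUE as a lowercase 32-character hex digest. Fails on anything else,
# which catches a truncated or mis-pasted checksum before it is compared.
normalize_md5() {
    value=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$value" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#value}" -eq 32 ] || return 1
    printf '%s\n' "$value"
}

# file_md5 PATH
# Prints the MD5 digest of PATH. With md5sum the file is fed on stdin so the
# output format does not depend on the file name.
file_md5() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                      # BSD/macOS variant
    else
        return 1
    fi
}

# verify_firmware FILE PUBLISHED_MD5
# Returns 0 when the digests match, 1 on a mismatch (do not upgrade with this
# file), 2 when the checksum is malformed or the file cannot be read.
verify_firmware() {
    expected=$(normalize_md5 "$2") || {
        echo "ERROR: published checksum is not a 32-digit hex MD5" >&2
        return 2
    }
    actual=$(file_md5 "$1") || {
        echo "ERROR: cannot compute MD5 of $1" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, portal lists $expected" >&2
    return 1
}

# Demo with a constructed stand-in file; a real run passes the downloaded
# image and the checksum shown on the customer portal.
demo=$(mktemp) && printf 'abc' > "$demo"
verify_firmware "$demo" "900150983CD24FB0D6963F7D28E17F72"          # match
verify_firmware "$demo" "d41d8cd98f00b204e9800998ecf8427e" || true  # mismatch
rm -f "$demo"
```

A mismatch or a malformed checksum means the file should be downloaded again rather than applied to the appliance.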

Compatibility Annotations

Firmware is Appliance model-specific. Hence, firmware of one model is not applicable to another model and the upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR100ia with firmware for model CR500ia.

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.


Revision History

Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
- | - | - | - | -


 

Introduction

This document contains the release notes for Cyberoam Version 10.5.3. The following sections describe the release in detail.

This release comes with a few enhancements and a behavior change to improve quality, reliability and performance.

Enhancements

1. Opt-out Option for Hot-Fix and Product Optimization Configuration

Cyberoam provides the Administrator a choice to opt out of the following options:

·     Hot-Fix that resolves an issue occurring in the appliance.

·     Sending usage statistics and performance data (non-personal technical information) to Cyberoam servers.

To configure these options, go to Systems > Maintenance > Updates > Hot-Fix and Product Optimization Configuration.
 

2. Hot-Fix Version Information on CLI

The Hot-Fix version number is now displayed on the CLI as shown in the table below:

Prior to Cyberoam Version 10.5.1 | In Cyberoam Version 10.5.1
Hot Fix version: 10.04.0 build 311 #3 | Hot Fix version: 3



CLI Commands
1.     Command: cyberoam diagnostics show version-info
Displays the Appliance information.
 

3. Audit of Appliance Shut-Down Event

Cyberoam provides audit support for the Appliance Shut-Down event. The logs of this event can be viewed over Syslog.

 
1.2. Version 10.X
1.2.1. Migrating to V 10.X

 

Release Information

Release Type: General Availability
Compatible versions: 9.6.0.78 for all CRs except CR15i; 9.5.8.68 for CR15i
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: All the Cyberoam Appliance models

Upgrade procedure

Refer to the “Migrate from v9.6.x.x to v10” document.

Compatibility issues

Firmware is Appliance model-specific, and hence firmware of one model is not applicable to another model. The upgrade will not be successful and an error message will be given if your Appliance model is CR100i and you are upgrading it with firmware for model CR500i.
 

Introduction

With version 10, Cyberoam has moved to a firmware-based solution with the configuration and behavioral changes given in this document. The document also lists various functionalities added in version 10. For details on new features added in Version 10, please refer to Version 10 Release Notes.

Changes from V 9

1.      Logical flow change

The basic building blocks in Cyberoam are Zones, Interfaces and (Network/Address) objects. This structure is used in defining firewall rules to allow or deny the access.

Zone is the logical grouping of Interface, which includes:

  • predefined zones - LAN, WAN, DMZ, LOCAL, VPN
  • custom zone

Interface includes:

  • actual physical Ethernet interfaces or ports i.e. Port A through Port J depending on the appliance model
  • subinterfaces - VLAN
  • PPPoE interfaces
  • interface aliases and
  • WWAN interface if Wireless WAN functionality is enabled

Objects are the logical building blocks of the firewall rule, which includes:

  • host - IP and MAC addresses
  • services which represent specific protocol and port combination e.g. DNS service for TCP protocol on 53 port
  • schedule to control when the rule will be in effect e.g. All Days, Work Hours
  • certificates
  • file types

2.      Internet Access control configuration change

Now Internet access can be controlled by filtering web and application separately. This provides granular control over Internet access. This is achieved by splitting Internet Access policy in two policies – Web filter policy and Application filter policy.

The traffic coming from the web is filtered by various policies and categories through Web filter policy while application filter policy controls user’s application access. It specifies which user has access to which applications.

3.      Behavior change

  1. Wizard behavior change: (Wizard is now deployment wizard)
If wizard is re-run, it will flush following configurations:
  • dhcp server/relay configurations
  • unicast/multicast routing
  • vpn, l2tp, pptp
  • static/proxy arp
  • VH/ Bypass firewall / firewall rules/ gateway
  • pppoe
  • custom zones
  • local acls
  • Interface based hosts/hostgroup
  2. Deleting Interface – Alias and Virtual host will also remove all its dependent configurations including:
  • Interface-Zone binding
  • DHCP Server or Relay
  • Alias based Firewall rules
  • ARP - static and proxy
  • Virtual hosts and VH based firewall rules
  • Interface based Hosts and reference from host groups
  • Routes - Unicast, Multicast
  3. Updating Interface details will also update all its dependent configurations including:
  • Interface-Zone binding
  • DNS
  • Stops the DHCP Server and updates the details. You will have to manually restart the server
  • Gateway
  • Interface based Hosts
  • Disconnects all the tunnels and updates all the VPN policies. You will have to manually reconnect the tunnels.
  • VLAN Interfaces
  • Dynamic DNS Client
  4. Except for WAN zone, Zone-Interface membership can be changed from Manage Interface page as well as Edit Zone page. In previous versions, it was possible only from Edit Zone page. While for WAN zone, it can be changed only from Manage Interface page.
  5. Appliance Access can be configured from Zone as well as from Administration page.
  6. Automatic addition of gateway, no need to add gateway manually. Gateway will be added and removed automatically when any Interface in WAN zone is added or removed.
  7. Deleting VLAN interface will delete its firewall rule also.
  8. Default Administrator user “cyberoam” can be deleted as now Cyberoam is shipped with a global Administrator.
  9. Cyberoam must be rebooted after modifying time zone.
  10. Internet Access policy is divided into two policies
    • Web filter policy – Can be configured to filter HTTP traffic only
    • Application filter policy – Can be configured to filter application traffic
  11. System Health Graphs can be accessed from Web Admin Console using System Graph Page.
  12. Any modifications in user login restriction will be applied on next login.
  13. Service group - PPTP_Group automatically added.
  14. L2TP and PPTP access for the user can be configured through User page as well as L2TP and PPTP Configuration page.
  15. Live Connections Page to display live IPSec connections and live SSL VPN users

4.      Redesigned UI - Menu and pages regrouping

To reflect the above changes, GUI pages are reorganized and menus are renamed as:

  • System
  • Objects
  • Network
  • Identity
  • Firewall
  • VPN
  • IPS
  • Web filter
  • Application filter
  • QoS
  • Anti Virus
  • Anti Spam
  • Logging & Reporting

5.      Renamed features

Old name | New name
Local ACL | Appliance Access
Host | IP host
User | Identity
Bandwidth policy | QoS policy
Surfing quota policy – Allotted hours | Maximum hours
HTTP Proxy | Web Proxy
Web Client | Captive Portal
Full Access (SSL VPN Access mode) | Tunnel Access
Road Warrior | Remote Access
Net-to-Net (IPSec policy) | Site-to-Site

6.      Functionality moved from CLI to Web Admin Console

  1. Packet capture
  2. Unicast and Multicast (can be configured from both the Consoles)
  3. Interface speed, MSS and MTU (can be configured and updated from both the Consoles)
  4. Live Graphs of CPU usage, Memory usage, Load average and Interface statistics for last hours. Graphs will be refreshed automatically at the interval of 30 seconds.
  5. View Access Logs
  6. View Audit logs
  7. Rollback to Previous version – supported through multiple firmwares

Discontinued features of version 9.x

Following features of V 9.6.x.x will not be supported from V X onwards:

  1. Add/Delete Gateway button removed from Manage Gateway page as Gateway will be added/deleted automatically.
  2. User Type – Manager. Same as the Admin user with Audit Admin Profile i.e. view reports
  3. Shared Policy is removed from Surfing Quota and Data Transfer Policy
  4. Surfing quota policy – Cycle hours can be configured in hours only, minutes option is removed
  5. Manage HTTP Proxy page is removed but functionality is included in Web proxy
  6. Regenerate button has been removed from Update Certificate page as Certificate will be regenerated automatically whenever updated.
  7. Data Transfer Limit alerts as on Customize Client Messages page
  8. SNMP service start/stop option is removed as it will always be ON once Agent is configured.
  9. RMS (Restart Management Services) as it is now not required for any changes in Network configuration including Alias and Virtual Interface creation.
  10. Custom Login messages as it is now included on Captive portal page
  11. Antivirus Scan policy (default and custom) for SMTP - now part of Scanning Rule
  12. Global and Default Antispam policy
  13. Antispam Custom policy - now part of Spam Rule
  14. User Migration Utility as Export/Import functionality is added on User page
  15. Manual purge of reports. Auto purge will be included in Stability-1.
  16. Service creation – “ICMP Type – Other” will not be available.
  17. SNMP Version v3 Protocol support
  18. User maximum session timeout option is given globally, however, per group is missing.
  19. System Modules Configuration on GUI is not available. It is available on CLI only.
  20. DHCP server "Enable Auto Start" Button

Features expected in version-10 Stability-1

  1. Traffic discovery – Only live connections will be provided.
  2. AV version information is missing - To be made available for all models on update page. Current availability is on 15i and 25i only.
  3. AV & AS Quarantine Area – total utilization
  4. Web Category - Search URL
  5. Corporate Client Download – for all the Cyberoam Clients – Will be available in the form of links in Stability-1. Pre-requisite will be that the download site will need to be allowed for all.
  6. Dashboard doclets -
    • System Resource (CPU, Memory, Disk Usage) – Post Stability-1
    • Usage Summary (HTTP hits, Search Engine Queries) – In Stability-1
    • User Surfing Pattern – Post Stability-1
    • HTTP Traffic Analysis (Distribution by Hits, Distribution by Data Transfer) – Post Stability-1
  7. Backup over Mail
  8. IPS Signature details link
  9. Editable IP address of Clientless user: Editable IP address will be available as part of Stability-1.
  10. “Show All” link on Live Users page – In Stability-1, default 50 live users will be shown.
  11. L2TP connection report - User information and data transfer details
  12. Web Category – “IPAddress” category
  13. Tool tip on Firewall rule page for host, host group and Identity columns – Except for IPS, tool tip for all others will be available in Stability-1.
  14. User search (rather filter for v10) is not available for IP.
  15. Reports
    1. Web Surfing Report
      i. Category type (by hits) wise – Will be available post Stability-1.
      ii. Category type data transfer – Will be available post Stability-1.
      iii. Group wise Site wise/HTTP data Transfer /HTTP hits by content / HTTP File upload – Will be available post Stability-1.
      iv. User wise Site wise/HTTP data Transfer /HTTP hits by content type / HTTP File upload
    2. Gateway wise b/w usage and composite b/w usage graphs on GUI – Will be available post Stability-1.
  16. Audit Logs
    1. GUI Audit logs
    2. SSL VPN logs – Will be available post Stability-1.
    3. Appliance Audit logs (RESET/Backup/Restore/Upgrade auto-manual/reboot) – Will be available in Stability-1 and will be part of GUI audit logs.
    4. Service Restart Logs – Will be available in Stability-1 and will be part of GUI audit logs
    5. Firmware apply/bootup logs – Will be available in Stability-1 and will be part of GUI audit logs

Features expected Post version-10 Stability-1

  1. Dashboard doclets –
    1. User Surfing Pattern,
    2. HTTP Traffic Analysis (Distribution by Hits, Distribution by Data Transfer)
    3. System Resource (CPU, Memory, Disk Usage)
  2. ARP Cache
  3. Auto purge
  4. Application Filter Logs on the Logging Server
  5. Upload Corporate image in Web Filter Category custom messages
  6. Bandwidth Usage Graphs
  7. Proactive Reports – Category wise Trends, Google Search Keywords – Category wise trends availability to be confirmed eventually. Google Search Keywords will be available post Stability-1.
  8. Dashboard alerts
  9. Antivirus Engine Information update time
  10. Antispam center connectivity status
  11. Last upgrade status and timestamp for AV/IPS/Webcat
  12. Mail Notification on change of gateway status
  13. Language support - Turkish, French
  14. Multiple domain support for authentication
  15. Zone – Description field, Description field will be removed from manage page
  16. Firewall rule – Bandwidth usage (upload and download)
  17. IPS Policy - "Select All" for selecting all the Categories
  18. Persistent Logs (including VPN logs)  
  19. Clientless users--> Active and Inactive list cannot be displayed separately: – Will be available post Stability-1 in the form of filter support on “Active/Inactive”.
  20. Static route in bridge and IPSEC and http proxy host entry is not there.
  21. Console Audit logs 
  22. Reports
    1. Web Surfing Report
      i. Category type (by hits) wise
      ii. Category type data transfer
      iii. Group wise Site wise/HTTP data Transfer /HTTP hits by content / HTTP File upload
    2. Gateway wise b/w usage and composite b/w usage graphs on GUI
    3. Internet Usage Report
      i. User/Group wise Internet Usage Reports
      ii. User/Group wise Surfing Time Report
    4. Trend
      i. Hourly based Trend Reports
    5. Audit log
      i. Appliance Audit log

Features availability to be confirmed eventually

  1. Customizing Client Preferences - HTTP Client option (Page, Pop-up, None) and default URL & customize Login Message
  2. System->Configure->Customize Client Preferences, URL to open a site after client logs on to server.
  3. Custom Application Category – Destination IP is not available. Otherwise, service group can be used. Availability of destination IP to be confirmed eventually.
  4. Client Login Links from Customize Login Messages page
  5. Clientless User – IP address based Sorting and Searching
  6. User MyAccount access from Users page
  7. Restart Servers option – SMTP, POP3, IMAP, FTP, Cyberoam server from Manage
  8. Diagnostic tool
  9. Servers page
  10. Group wise HTTP keep alive enable/disable
  11. User maximum session timeout per group
  12. Logon script updation download link in case of SSO. It was available in v9 as part of users | Migrate Users menu:
  13. Simultaneous user login option available for user only not for group

CLI features

Menu - System Configuration:

  • Trace Route Utility
  • Set Module Info
  • Bandwidth Graph Settings
  • Disable LAN Bypass

Menu - Cyberoam Management:

  • Database Utilities
  • DHCP Client Settings
  • Download backup
  • Restore backup
  • View audit logs 
  • Check and upgrade cyberoam new version 
  • Cyberoam auto upgrade status 
  • Webcat auto upgrade status 
  • Rollback to previous version 
  • HA configuration
  • ReBuild firewall rule

Menu - Route Configuration:

  • Configure Unicast Routing {Configure Static-routes/ACLs}

Menu - Upgrade version

Menu - VPN Management:

  • View VPN logs
  • View connection wise VPN logs
  • Advance VPN logs
  • PPTP VPN logs

Commands (All the parameters except mentioned here are available)

ping: record-route | numeric | tos | ttl

cyberoam: check_disk | cpu_burn_test | dgd | ips_autoupgrade | repair_disk | service | system_monitor | view | services

httpclient

devicemap

dnslookup: server

ip

ips

route: add | delete

set: advanced-configuration: tcp-window-scaling, cr-traffic-nat

set: cache | usermac

set: bandwidth: guarantee | graph

set: http_proxy: av_sessions | client_sessions | core_dump | debug | deny_unkown_proto | multiple_webcategory | delete | relay_http_invalid_traffic | rw_buffer_size | x_forwarded_for

set: usermac

set: secure-scanning (as included in set service-parameter command)

set: sslvpn: max-clients | max-connections | owa-basic-mode

show: access-log | | antispam | antivirus | firewall-rule-log | ftp | login | mail | monitor | reboot

show: system: logs | devices | dma | filesystems | iomem | ioports | partitions | pci | processes | statistics | modules | uptime

show: http_proxy

show: monitor, ftp, login, access-log

show: system

packet-capture

telnet: tos | source

1.2.2. Release Notes
1.2.2.1. Release Notes 10.6.X Build XXX
1.2.2.1.1. V 10.6.1 MR-2


Release Date

Version 10.6.1 MR-2 – 20 August, 2014 

Release Information

Release Type: Maintenance Release
 
Applicable to CyberoamOS Version 
 

V 10.01.0XXX or 10.01.X Build XXX

 
All the versions
 

V 10.02.0 Build XXX

·     047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.X Build XXX

·     0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433
·     1 Build 451
·     2 Build 527
·     3 Build 543
·     4 Build 008
·     5 Build 007
·     6 Build 032

V 10.5.3

·     Common Criteria Certificate (EAL4+) Compliant

V 10.6.X

·     0 Beta-1
·     0 Beta-2
·     0 Beta-3 
·     1 RC-1, 1 RC-3, 1 RC-4, 1 GA, 1 MR-1
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 
 

Compatibility Annotations

This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG-XP with firmware for model CR100iNG-XP.

This release is compatible with all Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.
  
Revision History
 
 

Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
- | - | - | - | -

 
 
  

Introduction

This document contains the release notes for Cyberoam Version 10.6.1 MR-2. The following section describes the release in detail.  
 
This release comes with an enhancement and number of bug fixes to improve quality, reliability and performance. 
 
Enhancements
          
In On-Appliance iView, by default, 5 records are displayed for all the second-level reports.

From this version onwards, “View All” option is provided to view all the available records. With this enhancement, viewing all the available records in a Report is just a click away for an Administrator.

Prior to this version, the administrator had to configure more records in “Show records per page” option and navigate page by page to view all the available records in a Report.
 
Bugs Solved

Anti Virus

Bug ID – 17690
Description – In firmware version 10.6.1 MR-1, YouTube videos do not play when accessed over HTTPS, if "Deny Unknown Protocol" under Anti Virus > HTTP/S > Configuration is enabled.

Application Filter

Bug ID – 17754
Description – In firmware version 10.6.1 MR-1, Torrent Application is bypassed from Application Filtering and IPS inspection if there is a time delay between received packets in a session.

Firewall

Bug ID – 17893
Description – From firmware version 10.6.1 GA onwards, ARP entries are not added to ARP Cache even after a host replies to an ARP request if the ARP request is broadcasted over a VLAN with ID as a number > 1000.

 
GUI

Bug ID – 17829
Description – In firmware version 10.6.1 MR-1, Log Viewer does not display Firewall logs when action is configured as REJECT in firewall rule.

Bug ID – 17806
Description – Incorrect total page count is displayed when filtering “Live Users” under Identity > Live Users.
 
Bug ID – 17737
Description – When "%" is included in Login Page Message or Home Page Message, clicking the "Portal" tab on the Web Admin Console VPN > SSL page gives the error "URIError: URI malformed".

Bug ID – 17640
Description – It is not possible to bind an Interface to a zone if the zone description includes a single quote.

Different behaviour is observed for different versions as given below:
1.  For firmware version 10.6.1 MR-1, "None" is displayed in the Network Zone field of Network > Interface for that Interface.
2.  For firmware version 10.4.x, the error "Interface Port could not be updated" is displayed on the Network > Interface page.

Bug ID – 16923
Description – User/Group cannot be added or edited when the user logs on to Cyberoam with non-English languages.
 


High Availability

Bug ID – 17500
Description – User is not able to log on or log off through Captive Portal in single attempt when Cyberoam is deployed as direct proxy and running firmware is 10.6.1 in HA Active-Active mode. This is observed only when 'URL Redirection after Login' and 'Preserve Captive Portal after login' options are enabled on the Firewall page of Identity Authentication.

Network

Bug ID – 17532
Description – A DHCP Server does not lease an IP address to a DHCP client when the Client and Server are configured on either side of a bridge interface and Cyberoam Transparent Authentication (CTA) settings are enabled from CLI. This is observed only in appliance firmware version 10.6.1 GA.

Bug ID – 17352
Description – 3G modem Huawei K4201 is not compatible with Cyberoam Appliance.
 
Bug ID – 17205
Description – 3G modem Vodafone is not compatible with Cyberoam Appliance. 

Bug ID – 16608
Description – 3G modem Huawei H3131 is not compatible with Cyberoam Appliance.
 
Bug ID – 15006
Description – 3G modem D-Link DWM-156 is not compatible with Cyberoam Appliance.
 
Bug ID – 13895
Description – The prefixes “127 or 128” and “31 or 32” cannot be added in IPv6 and IPv4 Netmask respectively on Network Interface page.


Network Wizard

           
Bug ID – 17843
Description – Configurations done through the Network Wizard do not get applied when NTP Server is configured.

Proxy

Bug ID – 17569
Description – The website www.portal.gsi.gov.in does not open, if web filter policy is configured as "Allow All" in Firewall Rule.

Bug ID – 17284
Description – SMTP scanning service interrupts when an Address Group configured in “Anti Spam” containing an Email Address beginning with special character “*” is migrated and Cyberoam is upgraded to firmware Version 10.6.1.

Bug ID – 17060
Description – Facebook game ‘Kelimelik’ does not work and an error message “Check your internet connection settings. Connection failed.” is displayed, if Web Filter Policy is applied in the Firewall Rule.


Bug ID – 15470
Description – A cloud based application “CentraStage” ceases to function, if “Allow All” Web Filter Policy is configured from Firewall Rule.

Bug ID – 14333
Description – User is unable to upload a photo on Facebook, if HTTPS scanning is enabled from Firewall Rule page.
 
Bug ID – 11426
Description – SMTP service does not function when a Group that contains an email address/domain in the form of *@example.com is configured as an Address Group under Anti Spam > Configuration.

Bug ID – 9932
Description – Cyberoam allows uploading files on "mail.clickurdeals.com", if HTTP Upload category's "HTTP Action" and "HTTPS Action" are configured as "Deny" in Web Filter Policy.

Bug ID – 9641
Description – Cyberoam allows files of size 10KB to get uploaded, if HTTP Upload category's "HTTP Action" and "HTTPS Action" are configured as "Deny" in Web Filter Policy.

Reports

           
Bug ID – 9581
Description – Files of size more than 2 KB that are uploaded via HTTPS are not displayed in "Top File Upload" reports of On-Appliance iView.


SSL VPN

Bug ID – 17842
Description – Certificate does not get generated for SSL VPN users having multiple Email IDs even though “Per User Certificate” is enabled for that user.

Bug ID – 17631
Description – It is not possible to disconnect filtered Live SSL VPN users under VPN Live Connections.


VPN

Bug ID – 17636
Description – An IPsec VPN tunnel created on a PPPoE Interface does not connect when that Interface IP is updated.

Bug ID – 11255
Description – An error message "Unable to activate IPSec connection" is displayed, if an IPSec VPN Tunnel is configured on 3G WAN interface and the IP Address leased to it is same as that of its Gateway IP Address.
 
Known Behavior
Web Filter category containing domain with special character "@" cannot be deleted or modified. This behaviour is observed only after migrating from v10.04.6.032 or prior to v10.6.1 MR-1.
 
 
1.2.2.1.2. V 10.6.1 MR-1

Release Date

Version 10.6.1 MR-1 – 27 June, 2014 

Release Information

Release Type: Maintenance Release
 
Applicable to CyberoamOS Version
 
 
 
 

V 10.01.0XXX or 10.01.X Build XXX

 
All the versions
 

V 10.02.0 Build XXX

·     047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.X Build XXX

·     0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433
·     1 Build 451
·     2 Build 527
·     3 Build 543
·     4 Build 028
·     5 Build 007
·     6 Build 032

V 10.5.3

·     Common Criteria Certificate (EAL4+) Compliant

V 10.6.X

·     0 Beta-1
·     0 Beta-2
·     0 Beta-3 
·     1 RC-1, 1 RC-3, 1 RC-4, 1 GA
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 
 

Compatibility Annotations

This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG-XP with firmware for model CR100iNG-XP.

This release is compatible with all Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.
 
 
Revision History
 
 

Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1 | 1.00-27/06/2014 | 1.01-02/07/2014 | Enhancements | Added: XenServer Support
 
 
  

Introduction

This document contains the release notes for Cyberoam Version 10.6.1 MR-1. The following sections describe the release in detail.  
 
This release comes with a couple of enhancements and a number of bug fixes to improve quality, reliability and performance. 
 

Enhancements

1. LAN Bypass Support for Enterprise-level Appliances

The LAN Bypass feature is now broadened to cover the entire appliance spectrum. From this version the feature support is extended to cover CR1000iNG-XP, CR1500iNG-XP and CR2500iNG-XP Appliances. A 4-port, 1 GbE Copper FleXi Port Module supporting LAN Bypass needs to be plugged in to the Appliance to use this feature. For technical specification, refer to respective XP data sheet on Cyberoam Docs. 
 
For module availability, please contact Cyberoam Support at support@cyberoam.com.
 
 
The following optimizations have further fortified the API feature: 

·     As third-party Solution Providers like ISPs and System Integrators use CyberoamOS’s XML-based API to integrate/automate the Cyberoam User Log on and Log off process, it is necessary that only authorized providers have the privilege to access this feature. In order to allow only the authorized providers to initiate an API operation, the Administrator can configure the IP Address of the authorized providers through which the API operations will be allowed.

Configure the authorized IP Address from System > Administration > API and enable the API Configuration option from the Web Admin Console.

·     The Administrator can filter Admin Logs based on the API component to view API events.
 
3. XenServer Support
From this version CyberoamOS supports XenServer.

XenServer is a server virtualization platform that offers bare-metal virtualization performance for virtualized operating systems. XenServer uses the Xen hypervisor to virtualize each server on which it is installed, enabling each to host multiple Virtual Machines simultaneously.

Prior to this firmware, VMware ESX/ESXi, VMware Workstation, VMware Player, Microsoft Hyper-V and KVM platforms were supported.

To reach the install guide, please click here.
 
Bugs Solved
Anti Virus
Bug ID – 17412
Description – Incorrect tool tip message is displayed for “Notify Sender” under “SMTP Scanning Rules” of Anti Virus Email in firmware version 10.6.1.

Bug ID – 3488
Description – When FTP scanning is enabled, MLSD command of FileZilla FTP Client does not work.
 
Anti Spam

Bug ID – 11687
Description – Anti Spam Address Group Configuration cannot be updated, if the imported file contains Email Address/Domain names ending with a string of special characters like comma (,,,,).

Bug ID – 11247
Description –  A csv file containing comma separated Email Addresses / Domains can be successfully imported for an Address Group within Anti Spam.
 
 
Application Filter Policy 
Bug ID – 16373
Description – Even when Squirrelmail WebMail Application Category is denied, website www.mail4india.com was accessible.

CLI 
Bug ID – 17407
Description - Administrator is unable to add Citrix IP Address for Cyberoam Authentication Thin Client (CATC) from Cyberoam CLI console “cyberoam auth thin-client add citrix-ip” command.

Bug ID – 17363
Description - A route configured using the CLI command “set advanced-firewall bypass-stateful-firewall-config” with Source Network and Destination Host cannot be deleted.  

Bug ID – 11045
Description – An error message "Authentication Failed" is displayed on Cyberoam CLI Console, if the password includes special character Hash (#). 


CTAS – Cyberoam Transparent Authenticate Suite    

Bug ID – 16273
Description – After upgrading Cyberoam firmware to 10.6.1 RC-1, users cannot be authenticated through CTAS.
  


Firewall

Bug ID – 14760
Description – The values of attributes "Upload Data Transfer" and "Download Data Transfer" displayed in the Data Transfer Report for a Gateway Interface do not match the values displayed on the Firewall Rule page.

Bug ID – 12148
Description – The public port values do not match with the mapped port values for a Virtual Host configured from Firewall, if the public port exceeds the limit of 60 characters.

 
GUI

Bug ID – 17267
Description – Users imported through csv file cannot be deleted, if their credentials contain spaces.

Bug ID – 16268
Description – "One Time" Schedule remains active on firewall page even though the configured "Days" Schedule period is expired from the Object > Schedule page.

Bug ID – 11185
Description – Any user with one of the available Administrative profiles can access Cyberoam Web Admin Console.  

Bug ID – 10997
Description – A User cannot be deleted, if parameter "User Type" is selected as "Administrator" and parameter "Profile" is selected as "Crypto Admin, Security Admin, Audit Admin or HAProfile", while configuring a user from Identity page.

Bug ID – 9928
Description – The scroll bar does not appear when the console is accessed via Web Admin Console.

 
Guest User

Bug ID – 17146
Description – An Administrative Profile user is unable to view the “Guest Users” tab under Identity and an error message “You do not have privilege to access the page or perform the operation” is displayed even though Read-write permission is assigned to the user.


High Availability

Bug ID – 9467
Description – Auxiliary Appliance generates a blank report notification mail for all the events when HA is configured in Active – Passive mode.


Web Filter

Bug ID - 17295
Description - A  Web Filter Policy configured by the Administrator is not applied if Cyberoam fails to connect to the Web Cloud Signature database.

Bug ID – 8135
Description – A login page is not displayed for "Market Boomer" application when Web Filter policy is applied.

 
Log Viewer

Bug ID – 7671
Description – User password change event does not get logged in log viewer when user modifies his password from 'My Account'.


Network

Bug ID - 17205
Description – 3G modem Vodafone is not compatible with Cyberoam Appliance.

Bug ID – 11494
Description – Internet traffic gets dropped, if DHCP leased IP Address of WAN interface and its Gateway IP Address both are in different subnets.

Bug ID – 11336
Description – A key with hexadecimal characters must be provided each time while updating a Wireless LAN Access Point with security mode method selected as WEP-Auto or WEP-Shared or WEP-Open.


Bug ID – 11240
Description – A scan resultant message “Wireless Access Point Scanning failed” is displayed on the Web Admin Console of CR15wiNG, CR25wiNG and CR35wiNG appliances, if “Scan Now” is clicked on Wireless LAN Rogue AP Scan page.


Objects

Bug ID - 12644
Description – FQDN service ceases to function on adding more than 1024 FQDN hosts.


Proxy

Bug ID – 15361
Description – Cyberoam allows uploading on the Gmail and webmail websites, though “Deny HTTP Upload” Web Filter Policy is configured and HTTPS scanning is applied from Firewall Rule.

Bug ID – 9939
Description – Documents on Google Docs cannot be edited, if HTTP/HTTPS scanning is applied via Firewall Rule.

Bug ID – 9381
Description – A Web Application from website www.amadeusvista.com cannot be accessed when Web Filter Policy is configured as "Allow All".

Bug ID – 8398
Description – Proxy stops functioning, if any custom category contains more than 16,479 URL's. 

Bug ID – 7187
Description – The website www.tickerplantindia.com does not open if web filter policy is configured as "Allow All".

Bug ID – 7370
Description – An application “eToro Trading” will not work when Web Filter Policy is configured as “Allow All” or scanning is enabled.

 
QoS

Bug ID – 10731
Description – The Bandwidth Management service ceases to function after rebooting, if the parameter "Total Bandwidth" in QoS policy is configured with maximum value "10240000".

 
Report

Bug ID – 16296
Description – After upgrading Cyberoam firmware to 10.6.1 RC-1, report notifications are not mailed.

Bug ID – 12980
Description – A mismatch for severity levels “Notice” and “Information” is observed between “Count” and “Total Records” values displayed on On-Appliance iView Event Summary Report page and Exported Excel sheet respectively.

Bug ID – 12619
Description – Reports based on Domain are displayed in Search Web Surfing Reports for a user though the parameter “Search Type” is selected as URL.

Bug ID – 12142
Description – Administrator receives a blank Email Report Notification, if a Search Report Bookmark containing a URL with special encoded characters, is configured for the parameter “Bookmark” on the System Report Notification page.

Bug ID – 11692
Description – Only few out of all Custom View Report Names are displayed in the navigation bar of On-Appliance iView.

Bug ID – 11817
Description – Same logs are displayed in two different Web Surfing Summary Reports, even if different time periods are selected.

Bug ID – 11786
Description – A string "User {0}, Domain {1}, Host {2} > Detail Report” is displayed on On-Appliance iView for the Web Usage Host Detail report.


Spoof Prevention
Bug ID – 17154
Description –  DHCP Server does not lease IP over bridge interface, if Spoof Prevention is enabled in “Firewall”.
 
Bug ID – 16745
Description – Even when spoof prevention is enabled for custom zone, MAC address filtering and IP-MAC address filtering is not applied.


SSL VPN

Bug ID – 17171
Description – SSL VPN connection configured in Tunnel Access mode does not get established, if SSL Client Certificate name contains space.

Bug ID – 9959
Description – A user specific SSL VPN Policy is over-ridden by the Group SSL VPN Policy to which the user belongs.
 
System
Bug ID – 17389
Description – The SSL/TLS MITM vulnerability (CVE-2014-0224) has been averted. For more information on the Security Advisory for the vulnerability, click here.  

IPSec VPN

Bug ID – 17372
Description - An established IPSec VPN Connection disconnects randomly and the Administrator is unable to re-establish it if the connection is configured on PPPoE or DHCP type WAN interfaces.

Bug ID – 17202
Description – IPSec VPN does not get established, if more than 9 WAN interfaces are configured.

Bug ID – 12655
Description – A single Remote LAN Network is listed for Site to Site connection on VPN IPSec page while adding an IP Network, though multiple Remote LAN Networks are selected.

 

 
 
1.2.2.1.3. V 10.6.1
 

Release Date

Version 10.6.1 GA – 26 May 2014 

Release Information

Release Type: General Availability (GA), Major Feature Release

Applicable to CyberoamOS Version:

V 10.01.0XXX or 10.01.X Build XXX: All the versions

V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX:
·   0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433
·   1 Build 451
·   2 Build 527
·   3 Build 543
·   4 Build 028
·   5 Build 007
·   6 Build 032

V 10.5.3: Common Criteria Certificate (EAL4+) Compliant

V 10.6.X:
·   0 Beta-1
·   0 Beta-2
·   0 Beta-3
·   1 RC-1, 1 RC-3, 1 RC-4

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 by selecting option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow the on-screen instructions.


Compatibility Annotations

This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG-XP with firmware for model CR100iNG-XP.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
| --- | --- | --- | --- | --- |
| 1 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam SSL VPN Client Support for Windows 8 |
| 2 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications |
| 3 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Added: Support for 32 bit ASN in BGP |
| 4 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam as a Dynamic DNS (DDNS) |
| 5 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Inbound Load Balancing |
| 6 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Remodelled IPS Policy Configuration |

 

Introduction

This document contains the release notes for CyberoamOS Version 10.6.1. The following sections describe the release in detail.

This release comes with several new features, enhancements and bug fixes to improve quality, reliability, and performance.

Features

1. IPv6 Support in CyberoamOS

Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP). It is a routable protocol that provides an identification and location system for devices on networks and routes traffic across the Internet. The Internet Engineering Task Force (IETF) developed IPv6 to deal with the long-anticipated problem of IPv4 address exhaustion.

IPv6 replaces IPv4, the existing Internet Protocol.

The compelling reasons to replace IPv4 were: 

·         Billions of new devices

·         Billions of new users

·         “Always-on” Internet access

A Comparison: IPv4 vs. IPv6


| IPv4 | IPv6 |
| --- | --- |
| Uses 32 bits Address | Uses 128 bits Address |
| Theoretical limit of addresses 2^32: 429m x 10 to the power 7 | Theoretical limit of number of addresses 2^128: 340 x 10 to the power 36 |
| Address Format: 192.168.1.1 | Address Format: fe80:0:0:0:0:0:c0a8:101 |


The principal benefits of IPv6 are:

·         Large address space

·         New and simplified header format

·         Efficient and hierarchical addressing and routing

·         Stateless and stateful address configuration

·         Built-in security and interoperability

·         In-built mobility

·         Mandatory Multicast support

·         Better support for QoS

·         ICMPv6-based new protocol for neighboring node interaction

·         Extensibility in packet headers
 
  IPv6 Features Supported In CyberoamOS

 The Administrator can configure IPv6 Addresses for the following features: 

·         IPv6 Networking 

o   Dual Stack Architecture: Support for IPv4 and IPv6 Protocols

o    Tunnels: 6in4, 6to4, 6rd, 4in6

o    Alias and VLAN (Alias and VLAN must be configured with same IP Address family that is used to configure the respective physical interface.)

o    Route – Static and Source

o    DNSv6 and DHCPv6 Services

o    Router Advertisement

 ·         Firewall Security 

 o   IPv6 Services

o    IP Host, IP Host Group, MAC Host

o    IPv6 Firewall Rule Schedule

o    QoS and Routing Policy

o    Virtual Host

o    NAT Policy (NAT66)

o    Spoof Prevention

o    DoS

·         Layer 8 Identity over IPv6  

o    Authentication – AD, LDAP, Radius

o    Clientless Users

o    Authentication using Captive Portal

·         Logging and Reporting

o    Traffic Discovery (For User and Source IP Address)

o    Logs and Reports

o    4-eye Authentication

o    SNMP

o    SYSLOG

·         Diagnostics

o    Packet Capture

o   Connection List

o    Ping6

o    Tracert6

o    Name Lookup

o    Route Lookup

o    System Graphs

·         NTP

·         Self-Signed Certificate

·         Scheduled Backup on IPv6 Server

·         Backup Restore
  a.    Dual Stack Implementation

Cyberoam can now be configured with an IPv4 address and an IPv6 address and can process both IPv4 and IPv6 packets. An application that supports both prefers IPv6 traffic at the network layer. Dual stack implementation enables communication between IPv4 and IPv6 devices and is the basis for all transition technologies.

CyberoamOS uses Dual stack as the direct transition approach for IPv6 implementation. For an Administrator, IPv6 works almost the same way as IPv4. Connecting a Cyberoam appliance to an IPv6 network is the same as connecting it to an IPv4 network, the only difference lies in the usage of IPv6 addresses. 

  b.    Tunnels: 6in4, 6to4, 6rd, 4in6

CyberoamOS supports four (4) methods of IP tunneling to promote interoperability between IPv4 and IPv6. Tunneling is a mechanism that encapsulates one network protocol as the payload of another network protocol, i.e. either an IPv6 packet is encapsulated into an IPv4 packet for communication between IPv6-enabled hosts/networks via an IPv4 network, or vice-versa. CyberoamOS supports the following types of IP Tunneling methods:


    • 6in4 Tunnel: It is commonly referred to as Manual Tunnel and used for IPv6 to IPv6 communication over IPv4 backbone. The source and destination IPv4 addresses must be manually configured. It is recommended for point-to-point communication.

    • 6to4 Tunnel: It is commonly referred to as Automatic Tunnel and used for IPv6 to IPv6 communication over IPv4 backbone. The destination IPv4 address of the tunnel can be automatically acquired, but the source address needs to be provided manually. It is recommended for point-to-multi point communication.

    • 6rd Tunnel: It is used for IPv6 to IPv6 communication over IPv4 backbone. The 6RD tunnel is an extension of the 6to4 Automatic Tunnel. The tunnel can be established by pre-defined ISP provided prefix.

    • 4in6 Tunnel: It is used for IPv4 to IPv4 communication over IPv6 backbone, the source and destination IPv6 addresses must be manually configured. It is recommended for point-to-point communication.  

Point to note

    • The devices at the ends of an IPv6 over IPv4 tunnel or IPv4 over IPv6 tunnel must support IPv4/IPv6 dual stack.

To configure IP Tunnels, go to Network > Interface > IP Tunnel and click Add.
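The address arithmetic behind the 6to4 and 6rd tunnel types described above, as an added example (not CyberoamOS code). It follows RFC 3056 and RFC 5969 and goes slightly beyond the text by listing the IPv4 peers a filter for IP protocol 41 should expect; the ISP prefix `2001:db8::/32` and all addresses are constructed documentation values.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # well-known 6to4 prefix (RFC 3056)


def sixtofour_site_prefix(wan_ipv4):
    """2002:V4ADDR::/48 prefix a site derives from its IPv4 tunnel source."""
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixtofour_endpoint(ipv6_dst):
    """IPv4 tunnel destination embedded in a 6to4 address, or None."""
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr not in SIX_TO_FOUR:
        return None  # not 6to4: the destination cannot be derived this way
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def _sixrd_layout(isp_prefix, v4_mask_len):
    """Return (network, embedded IPv4 bit count, delegated prefix length)."""
    net = ipaddress.IPv6Network(isp_prefix)
    if not 0 <= v4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be 0..32")
    v4_bits = 32 - v4_mask_len
    plen = net.prefixlen + v4_bits
    if plen > 64:  # practical limit so the site still gets at least one /64
        raise ValueError("6rd prefix plus IPv4 bits exceeds 64")
    return net, v4_bits, plen


def sixrd_delegated_prefix(isp_prefix, ce_ipv4, v4_mask_len=0):
    """ISP 6rd prefix followed by the low (32 - v4_mask_len) IPv4 bits."""
    net, v4_bits, plen = _sixrd_layout(isp_prefix, v4_mask_len)
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    value = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((value, plen))


def sixrd_endpoint(isp_prefix, ipv6_dst, v4_common="0.0.0.0", v4_mask_len=0):
    """Rebuild the IPv4 tunnel destination from a 6rd IPv6 address."""
    net, v4_bits, plen = _sixrd_layout(isp_prefix, v4_mask_len)
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr not in net:
        return None
    low_mask = (1 << v4_bits) - 1
    suffix = (int(addr) >> (128 - plen)) & low_mask
    # The high v4_mask_len bits are shared by every CE and are not embedded.
    high = int(ipaddress.IPv4Address(v4_common)) & ~low_mask & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | suffix)


def proto41_peers(destinations, isp_prefix=None, v4_common="0.0.0.0",
                  v4_mask_len=0):
    """IPv4 peers expected in IPv6-in-IPv4 (IP protocol 41) flows."""
    peers = set()
    for dst in destinations:
        peer = sixtofour_endpoint(dst)
        if peer is None and isp_prefix is not None:
            peer = sixrd_endpoint(isp_prefix, dst, v4_common, v4_mask_len)
        if peer is not None:
            peers.add(str(peer))
    return sorted(peers)


if __name__ == "__main__":
    print(sixtofour_site_prefix("192.0.2.1"))
    print(sixrd_delegated_prefix("2001:db8::/32", "198.51.100.7"))
    print(proto41_peers(["2002:c000:201:1::10", "2001:db8:c633:6407::5"],
                        isp_prefix="2001:db8::/32"))
```

A 6in4 or 4in6 tunnel has no such derivation: both endpoints are configured by hand, so the expected peer list is simply the configured remote address.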


  c.    Static IPv6 Address Assignment for Interfaces

CyberoamOS supports static assignment of IPv6 Addresses to various Interfaces like Bridge-Pair, Alias, and VLAN. Administrator can now assign either or both of IPv6 and IPv4 addresses to a single Interface.

Maximum Alias limit on single interface is 64 for IPv6 Family.

For related CLI Commands, please refer to the attached Appendix - 1.
 

  d.    Dynamic IPv6 Address Assignment for Interfaces

CyberoamOS supports stateless and stateful method of dynamically assigning IPv6 Addresses to the hosts.   

Choosing a method depends on Managed (M) Address Configuration and Other (O) Configuration flag in the advertised Router Advertisement message.

Cyberoam as DHCPv6 server supports both dynamic and static IPv6 address assignments to DHCPv6 Clients. 


DHCPv6 Stateful Mode

DHCPv6 clients require IPv6 address together with other network parameters (like DNS Server, Domain Name).

    • To configure DHCPv6, go to Network > DHCP > Server and click Add > IPv6.
    • For related CLI Commands, please refer to the attached Appendix - 1.

DHCPv6 Stateless Mode

Stateless Address Auto-Configuration (SLAAC) is a stateless address assignment method through which hosts on the same link can auto-configure their IPv6 Addresses using the prefix advertised by Cyberoam. CyberoamOS’s Router Advertisements contain prefixes that are used for host address configuration, and other configuration parameters like default Gateway, MTU, Reachable time, Retransmit time and Hop limit.

CyberoamOS's Router Advertisements are sent either periodically or in response to a Router Solicitation message from hosts.

The DHCPv6 client obtains network parameters other than the IPv6 address.

To add Router Advertisement for SLAAC, go to Network > Router Advertisement > Router Advertisement.
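How a host reads the M and O flags and the advertised prefix, MTU and timers out of a Router Advertisement, as an added example (not CyberoamOS code). The parser follows the RFC 4861 message layout; the sample message is constructed in `build_sample_ra` and its checksum is left at zero because verifying it needs the IPv6 pseudo-header, which is outside this sketch.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_MTU = 3, 5


def parse_router_advertisement(msg):
    """Decode the fixed RA header plus Prefix Information and MTU options."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    (icmp_type, code, _cksum, hop_limit, flags, lifetime,
     reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", msg[:16])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80),   # M: addresses come from DHCPv6
          "other": bool(flags & 0x40),     # O: other parameters from DHCPv6
          "hop_limit": hop_limit, "router_lifetime": lifetime,
          "reachable_ms": reachable_ms, "retrans_ms": retrans_ms,
          "mtu": None, "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[off], msg[off + 1]
        end = off + opt_len * 8            # option length is in 8-octet units
        if opt_len == 0 or end > len(msg):
            raise ValueError("malformed option length")
        body = msg[off:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            net = ipaddress.IPv6Network((body[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        off = end                          # unknown options are skipped
    return ra


def addressing_mode(ra):
    """Map the M/O flags and the prefix A flag to the host's behaviour."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful-dhcpv6"           # address and parameters via DHCPv6
    if ra["other"]:
        return "slaac+stateless-dhcpv6" if slaac else "stateless-dhcpv6-only"
    return "slaac" if slaac else "manual"


def build_sample_ra(managed, other):
    """Constructed RA: 2001:db8:1::/64 with L and A set, MTU 1500."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                         1800, 0, 0)
    prefix = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0,
                         2592000, 604800, 0)
    prefix += ipaddress.IPv6Address("2001:db8:1::").packed
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    return header + prefix + mtu


if __name__ == "__main__":
    for m, o in [(False, False), (False, True), (True, True)]:
        ra = parse_router_advertisement(build_sample_ra(m, o))
        print(m, o, addressing_mode(ra), ra["prefixes"][0]["prefix"], ra["mtu"])
```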
 

e.    DNSv6 Support

CyberoamOS now provides simultaneous support for both the traditional 32-bit IPv4 Address format and the latest 128-bit IPv6 Address format for the external DNS Resolver through Domain Name Server (DNSv6) support. Thus, DNS servers to which the appliance can send name resolution requests can be configured for IPv6 networks. Also, the Administrator can choose one of the four options below, according to which CyberoamOS's DNS server selects the external IPv6 and/or IPv4 DNS servers:

    • Choose server based on incoming requests record type 
    • Choose IPv6 DNS server over IPv4
    • Choose IPv4 DNS server over IPv6
    • Choose IPv6 if request originator address is IPv6, else IPv4

To configure IPv6 Addresses for DNS server, go to Network > DNS > DNS.

To handle internal DNS queries, CyberoamOS allows to add DNS Host Entries. To add a DNS Host Entry for IPv6 Address, go to Network > DNS > DNS Host Entry.

Further, CyberoamOS now allows Name Lookup and Reverse DNS lookup for IPv6 Addresses. Name Lookup and Reverse DNS Lookup are used to query the DNS for information about domain name and IPv6 Address.

For related CLI Commands, please refer to the attached Appendix - 1.


f.    Security over IPv6

CyberoamOS Firewall is capable of filtering IPv6 traffic. Administrator can configure IPv6 specific Firewall Rules to manage and control the network traffic. Furthermore, Administrator can create separate Firewall Rules for IPv4 and IPv6 traffic.

IPv6 Firewall Rules supports configuring following types of Objects:

    • IPv6 Hosts
    • IPv6 Host Groups
    • MAC Hosts
    • Virtual Hosts

To configure IPv6 Firewall Rules, go to Firewall > Rule > IPv6 Rule and click Add.


g.    Denial of Service (DoS) Attack Mitigation

CyberoamOS provides support to prevent TCP, UDP, SYN, and ICMPv6 based DoS attack by dropping the excess IPv6 packet from the particular source/destination. CyberoamOS drops packets from the source/destination till the burst rate goes below the threshold and re-allows traffic only after 30 seconds once the attack subsides.

To configure DoS settings, go to Firewall > DoS > Settings.

On migration, existing DoS configuration will be applicable to both IPv4 DoS and IPv6 DoS.

Administrator can also choose to bypass ICMPv6 redirect messages and IPv6 source routed packets destined for Cyberoam, if the Administrator is sure that the specified source is not used for flooding.

To bypass DoS for a specific IPv6 source route, go to Firewall > DoS > Bypass Rules.


h.    Spoof Prevention through IPv6 and MAC Binding

To abate the obfuscation risk, CyberoamOS imposes Spoof Prevention using reverse path filtering technique to make sure the packets received throughout the network are coming from an authorized location.

To enable IPv6 Spoof Prevention, go to Firewall > Spoof Prevention > General Settings and select Enable Spoof Prevention.

By default, Spoof Prevention is disabled.

In addition, the Administrator can configure trusted MAC Address and IPv6 Address. User gets access to the network only if the MAC Address and IPv6 Address are on the Trusted MAC list.

To add trusted MAC Address and IPv6 Address, go to Firewall > Spoof Prevention > Trusted MAC and click Add.
 
i.    Static Neighbour Configuration support

Hosts and routers use NDP to determine the link-layer addresses of peers known to be on attached links and to quickly clear invalid cache values. Hosts use Neighbor Discovery (ND) to find neighboring routers that are willing to forward packets on their behalf. The protocol is also used to keep track of whether neighbors are reachable and to detect any change in link-layer addresses. A host looks for an alternative if a router or the route to the router fails.

NDP has Neighbor Solicitations similar to ARP request and Neighbor Advertisements similar to ARP replies. Unsolicited neighbor advertisements in IPv6 correspond to gratuitous ARP replies in IPv4.

CyberoamOS supports configuring static and dynamic neighbor entries for IPv6. This allows static neighbor configuration for trusted/vulnerable machines in network. Static neighbor helps solicit request for configured entries and ignores any incoming solicit/advertised ND for configured entries.

To configure Static ND, go to Network > ARP-NDP > Neighbor > Add Static Neighbor and select IPv4 or IPv6 to add IPv4 and IPv6 Addresses respectively.

Also, CyberoamOS supports mitigating both IPv4 and IPv6 poisoning attacks by logging the attempts to insert the entries. To mitigate poisoning attacks, go to Network > ARP-NDP > Neighbor and enable Log Possible Neighbor Poisoning Attempts. 
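A minimal model of the behaviour described above, where static neighbor entries are never rewritten by incoming advertisements and contradicting claims are logged as possible poisoning, as an added example (not CyberoamOS code). The `NeighborTable` class, its result strings and the event list are assumptions made for illustration; the addresses and MACs are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac):
    """Normalise 00-11-22-AA-BB-CC / 0011.22aa.bbcc / 00:11:... to one form."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("invalid MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class NeighborTable:
    static: dict = field(default_factory=dict)   # ip -> mac, admin configured
    dynamic: dict = field(default_factory=dict)  # ip -> mac, learned
    alerts: list = field(default_factory=list)   # possible poisoning attempts

    def add_static(self, ip, mac):
        self.static[ipaddress.ip_address(ip)] = norm_mac(mac)

    def _alert(self, ip, old, new, iface, reason):
        self.alerts.append({"ip": str(ip), "known_mac": old,
                            "claimed_mac": new, "iface": iface,
                            "reason": reason})

    def observe(self, ip, mac, iface="unknown"):
        """Process one ARP reply or Neighbor Advertisement claim."""
        key, mac = ipaddress.ip_address(ip), norm_mac(mac)
        if key in self.static:
            if self.static[key] != mac:
                self._alert(key, self.static[key], mac, iface,
                            "static entry contradicted")
                return "rejected"
            return "ignored"          # static entries need no learning
        known = self.dynamic.get(key)
        self.dynamic[key] = mac
        if known is None:
            return "learned"
        if known != mac:
            self._alert(key, known, mac, iface, "dynamic entry changed MAC")
            return "updated"
        return "refreshed"


# Constructed events: (claimed IP, claimed MAC, receiving interface).
SAMPLE_EVENTS = [
    ("2001:db8::1", "00:11:22:33:44:55", "PortA"),           # real gateway
    ("2001:db8::50", "aa:bb:cc:00:00:50", "PortA"),          # new host
    ("2001:DB8:0:0:0:0:0:1", "DE-AD-BE-EF-00-01", "PortA"),  # claims gateway
    ("2001:db8::50", "aa:bb:cc:00:00:50", "PortA"),          # same host again
    ("192.0.2.20", "aa:bb:cc:00:00:20", "PortB"),            # IPv4 host
    ("192.0.2.20", "de:ad:be:ef:00:01", "PortB"),            # MAC flips
]


def replay(events):
    table = NeighborTable()
    table.add_static("2001:db8::1", "00:11:22:33:44:55")
    results = [table.observe(ip, mac, iface) for ip, mac, iface in events]
    return table, results


if __name__ == "__main__":
    table, results = replay(SAMPLE_EVENTS)
    print(results)
    for alert in table.alerts:
        print(alert)
```

Keying the table on parsed addresses rather than strings matters for IPv6: the third event writes the gateway address in a different textual form and is still matched against the static entry.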


j.    IPv6 Multi-Link Management Support

Load balancing between the links optimizes its utilization by distributing the traffic among various links and thus improves performance and reduces the operational cost.

From this version onwards, CyberoamOS supports weighted load balancing for IPv6 traffic to enable maximum utilization of capacities across the various gateway/links.

To configure IPv6 Load Balancing, go to Firewall > Rule > IPv6 Rule > Add/Edit Rule > Advance Settings (QoS, Routing Policy, Log Traffic) and select Load Balance option for parameter Route Through Gateway.


k.    DHCPv6 Relay support

DHCP relay is used to receive the multicast packets from clients and forward it to the DHCP server that is not in the subnet range. CyberoamOS now supports DHCPv6 relays to cater the client requesting an IPv6 Address.

Cyberoam Appliance can act as DHCP Server and DHCP Relay, if configured for different IP families.

To configure DHCPv4 or DHCPv6 Relay, go to Network > DHCP > Relay > Add > IPv6. 


 l.    QOS Support

From this version onwards, Cyberoam Administrator can configure user-based and firewall-based QoS policy for IPv6 traffic.

To configure QoS based IPv6 Firewall Rule, go to Firewall > IPv6 Rule > Add > Advance Settings > QoS & Routing Policy > QoS. 

m.    DiffServ-based QoS Support

From this version, CyberoamOS supports Differentiated Services Code Point (DSCP) for IPv6 traffic.

To configure DSCP, go to Firewall > IPv6 Rule > Add > Advance Settings > QoS & Routing Policy > DSCP Marking.
 
n.    Miscellaneous CLI Commands for IPv6 Related Configurations

For related CLI Commands, please refer to the attached Appendix - 1. 

2. Link Aggregation: Dynamic (802.3ad) and Static

From this version, CyberoamOS supports Link Aggregation (LAG) for aggregating (combining) multiple network connections into a single connection. It is also called port trunking, link bundling, Ethernet /NIC bonding or NIC teaming.

Advantages of LAG

·         Linear increase (Aggregated) in bandwidth according to the number of links used in group

·         Link Redundancy by failover and failback in a continuous session

·         Load Sharing across links according to the applied algorithm in xmit hash policy

·         No change in the existing network deployment /hardware

CyberoamOS supports LAG Deployment Modes:

·         Dynamic Link Aggregation (802.3ad)

o    Requires Switch-side configuration (with LACP support)

o    Supports Load-sharing and Fault – tolerance

·         Active-Backup

o     Does not require Switch-side configuration

o     Supports Fault-tolerance mode

·         Static Link Aggregation

o    Does not require Switch-side configuration

o    Supports Load-sharing and Fault–tolerance

Prerequisites

·         The other end point of Cyberoam (e.g. switch) should support LACP 802.3ad mode

·         All member interfaces must have same physical characteristics like Interface speed and Full-Duplex (applicable to LACP 802.3ad)
 
·         Refer to the switch manual for its proprietary configurations

·         Only unbound physical interfaces can be member of the LAG Group

Note

·         Maximum 4 ports can be configured on a single LAG interface

·         LAG is not supported with Appliance deployed in Transparent mode.

·         Interfaces on which PPPoE, WWAN and WLAN are configured, cannot participate in LAG

·         IPv6 and PAGP are not supported

·         Bridge Pair cannot be created on LAG interface

To configure LAG, go to Network > Interface > Interface and click Add LAG.

For related CLI Commands, please refer to the attached Appendix - 1.

3. High Availability (Active-Active / Active-Passive) in Bridge / Mixed Mode

From this version onwards, CyberoamOS supports High Availability (HA) in Mixed Mode. Up till now, HA was supported only in Route mode. Both the HA modes: Active-Active and Active-Passive are supported in Bridge / Mixed Mode.

Pre-requisites

·         In HA, the traffic on all bridge member interfaces (physical) can be monitored

·         Once a pair of interfaces are configured as a bridge pair, they cannot be configured as HA Monitoring Ports.

·         Logical bridge interface or physical member interfaces cannot be configured as Dedicated Port.

·         Bridge member physical interface can be configured as Peer Administration Port.

To configure HA in Mixed Mode, go to System > HA > HA.

 
4. On-Cloud Web Categorization

 From this version, URL categorization database has migrated to the Cloud. This will ensure that there is a central and common database for all CyberoamOS appliances world over. The appliance will use the ports 443, 80, 6060 and 6061 to communicate with Cloud server.

 Advantages:

·         Unlimited number of URLs in the categorization database

·         Real time categorization

5.  External Web Categorization database Support
 
Enterprises often like to have their own categorization database to reap the advantages of multiple databases, better categorization and custom categorization.

From this version onwards, CyberoamOS allows using an external Web categorization database for web filtering. An external Web Categorization database containing URLs is imported as a custom web category.

Administrator needs to configure URL - HTTP or FTP, of external Web Category URL database. The appliance will fetch database from the specified URL. The database of URLs should be in following file types: .tar, .tar.gz, .gz, .bz2, or plain text file.

Points to note:

·         On a successful backup–restore; the external database needs to be updated.
 
·         If a categorized URL is appended, edited or deleted, the database will be downloaded again for other existing URL’s.

·         Multiple external Web Category databases can be added.

To import the external Web Category database, go to Web Filter > Category > Category > Add and select External URL Database for parameter Configure Category. Specify HTTP or FTP URL to add the external Web Category database.
 

6. Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications
 
Internet Content Adaptation Protocol (ICAP) is a lightweight protocol supporting HTTP content inspection and adaptation functionality. It offloads the primary server by redirecting specific Internet based content to dedicated ICAP Servers. These ICAP servers are focused on a specific function, for example, ad insertion, virus scanning, or content filtering.

With the newly added support for ICAP 1.0, Cyberoam can be deployed in heterogeneous enterprise environments and can hand over HTTP traffic to an ICAP Server for malware scanning, content filtering, Data Loss Prevention (DLP) scanning or other processing. After applying its Web Filter Policy, Cyberoam forwards the Web traffic to the ICAP server, which in turn can apply DLP, antivirus scanning or content filtering policies. Depending on the services configured in the ICAP server, the user receives the access denied message and virus detection message from either Cyberoam or the ICAP server.

Currently, CyberoamOS supports single ICAP profile with Request, Response and Options mode and can be configured from CLI. All the events are logged under System Logs and Administrator can view all the events logs from the Log Viewer.

Cyberoam can be seamlessly integrated using ICAP-compliant DLP/AV Scanning/Web Filtering applications:

·         Symantec DLP

·         Symantec Protection Engine 7.0

·         Trend Micro Interscan Web Security Virtual Appliance

·         Sophos Anti Virus

·         Commtouch Anti Virus

Points to note:

·         This feature is supported in Cyberoam ‘iNG’ series Appliances CR50iNG and above.

·         This feature is released as BETA. 

·         Enable HTTPS scanning on Cyberoam to forward HTTPS traffic to the ICAP server.

For related CLI Commands, please refer to the attached Appendix - I.
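What the Request mode hand-off looks like on the wire, as an added example (not CyberoamOS code): an ICAP 1.0 REQMOD message wrapping an HTTP upload, and the interpretation of the ICAP server's answer, following RFC 3507. The host `icap.example.test`, the service name `reqmod` and both sample messages are constructed assumptions.

```python
CRLF = b"\r\n"

# Constructed sample: an HTTP upload that a DLP service would inspect.
SAMPLE_HTTP_BODY = b"CONFIDENTIAL: constructed test document\r\n"
SAMPLE_HTTP_HEAD = (b"POST /upload HTTP/1.1\r\n"
                    b"Host: files.example.test\r\n"
                    b"Content-Type: text/plain\r\n"
                    b"Content-Length: %d\r\n\r\n" % len(SAMPLE_HTTP_BODY))


def build_reqmod(icap_host, service, http_head, http_body=b""):
    """Wrap one HTTP request in an ICAP REQMOD message."""
    if not http_head.endswith(CRLF + CRLF):
        raise ValueError("HTTP header block must end with an empty line")
    if http_body:
        # Offsets count bytes from the start of the encapsulated section;
        # the body itself is always sent with chunked framing.
        encapsulated = "req-hdr=0, req-body=%d" % len(http_head)
        payload = (b"%x" % len(http_body)) + CRLF + http_body + CRLF
        payload += b"0" + CRLF + CRLF
    else:
        encapsulated = "req-hdr=0, null-body=%d" % len(http_head)
        payload = b""
    icap_head = ("REQMOD icap://%s/%s ICAP/1.0\r\n"
                 "Host: %s\r\n"
                 "Allow: 204\r\n"            # server may answer 204 unmodified
                 "Encapsulated: %s\r\n\r\n"
                 % (icap_host, service, icap_host, encapsulated))
    return icap_head.encode("ascii") + http_head + payload


def parse_icap_response(raw):
    """Classify the ICAP server's answer to a REQMOD request."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("ascii").split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sections = {}
    for item in headers.get("encapsulated", "").split(","):
        name, eq, offset = item.strip().partition("=")
        if eq:
            sections[name] = int(offset)
    result = {"icap_status": int(code), "http_status": None}
    if result["icap_status"] == 204:
        result["verdict"] = "unmodified"          # forward the request as is
    elif result["icap_status"] == 200 and "res-hdr" in sections:
        # The server answered on behalf of the origin, e.g. a block page.
        status_line = rest[sections["res-hdr"]:].split(CRLF, 1)[0]
        result["http_status"] = int(status_line.split(b" ")[1])
        result["verdict"] = "replaced-with-response"
    elif result["icap_status"] == 200 and "req-hdr" in sections:
        result["verdict"] = "request-modified"
    else:
        result["verdict"] = "icap-error"
    return result


def build_sample_block_response():
    """Constructed ICAP answer carrying an HTTP 403 for the upload."""
    http_head = (b"HTTP/1.1 403 Forbidden\r\n"
                 b"Content-Type: text/plain\r\n"
                 b"Content-Length: 7\r\n\r\n")
    icap_head = ("ICAP/1.0 200 OK\r\n"
                 'ISTag: "constructed-1"\r\n'
                 "Encapsulated: res-hdr=0, res-body=%d\r\n\r\n"
                 % len(http_head)).encode("ascii")
    return icap_head + http_head + b"7\r\nBlocked\r\n0\r\n\r\n"


if __name__ == "__main__":
    print(build_reqmod("icap.example.test", "reqmod",
                       SAMPLE_HTTP_HEAD, SAMPLE_HTTP_BODY).decode())
    print(parse_icap_response(build_sample_block_response()))
```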
 

7.  Support of Secure LDAP/Active Directory (SSL/TLS)

 From this version, the communication between Cyberoam and AD / LDAP server has become more secure.

CyberoamOS now supports:

·         LDAP, also known as LDAPS/SLDAP, over Secure Sockets Layer (SSL) / Transport Layer Security (TLS). CyberoamOS supports SSL2.0, SSL3.0, TLS1.0, TLS1.1 and TLS1.2.
 
·         The use of FQDN is mandatory when the certificate used for Secure AD/LDAP communication is generated by the Active Directory CA.

·         FQDN has to be configured as Common Name in Third Party CA/Certificate.

·         If IP address is configured as Certificate ID then instead of FQDN, IP Address can be configured as Server IP/Domain in External Authentication Server.

To configure LDAP, go to Identity > Authentication > Authentication Server, click Add and select the LDAP for parameter Server Type.   
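A pre-deployment check for the certificate naming rules listed above, as an added example (not CyberoamOS code): it tests whether the value entered as Server IP/Domain matches the identity in the LDAP server's certificate and flags a deprecated negotiated protocol version. The certificate dictionaries use the format returned by Python's `ssl.SSLSocket.getpeercert()` and are constructed; the finding strings are assumptions.

```python
import ipaddress

# Protocol names as reported by ssl.SSLSocket.version(). SSL 2.0, SSL 3.0,
# TLS 1.0 and TLS 1.1 have all been deprecated by the IETF.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def certificate_names(cert):
    """Return (DNS SANs, IP SANs, Common Names) from a getpeercert() dict."""
    sans = cert.get("subjectAltName", ())
    dns = [value for kind, value in sans if kind == "DNS"]
    ips = [value for kind, value in sans if kind == "IP Address"]
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return dns, ips, cns


def identity_matches(configured, cert):
    """True if the configured Server IP/Domain is named by the certificate."""
    dns, ips, cns = certificate_names(cert)
    target_ip = _as_ip(configured)
    if target_ip is not None:
        # IP configured: the certificate must carry that IP as its identity.
        return any(_as_ip(name) == target_ip for name in ips + cns)
    # FQDN configured: DNS SANs take precedence over the Common Name.
    names = dns if dns else cns
    return any(_dns_match(name, configured) for name in names)


def audit_ldaps(configured, cert, negotiated_protocol):
    findings = []
    if not identity_matches(configured, cert):
        dns, ips, cns = certificate_names(cert)
        findings.append("name-mismatch: %r not in certificate names %r"
                        % (configured, dns + ips + cns))
    if negotiated_protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated-protocol: %s" % negotiated_protocol)
    return findings


# Constructed certificates in ssl.getpeercert() format.
CERT_FQDN = {
    "subject": ((("commonName", "dc1.corp.example.test"),),),
    "subjectAltName": (("DNS", "dc1.corp.example.test"),),
}
CERT_IP = {"subject": ((("commonName", "192.0.2.10"),),)}

if __name__ == "__main__":
    print(audit_ldaps("dc1.corp.example.test", CERT_FQDN, "TLSv1.2"))
    print(audit_ldaps("192.0.2.10", CERT_FQDN, "TLSv1.2"))
    print(audit_ldaps("192.0.2.10", CERT_IP, "SSLv3"))
```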

 
8.  Cyberoam- iView Features

a.  Zone Based Application Reports

With this version, Cyberoam-iView offers source and destination zone based application reports. Zone-based reports enable the administrator to view zone-wise application traffic and the amount of data transferred per zone through a particular application. These reports also provide zone based information regarding application categories, application users, technologies, application risk, destination countries, and firewall rules.

Using these reports, the administrator can analyse zone wise traffic trends and take corrective actions to meet the security needs of the organization.
To view zone wise application usage reports, go to Reports > Application > Top Source Zones/Top Destination Zones.
 

b.  Client Types Report including BYOD Client Types

From this version onwards, Cyberoam-iView introduces a new report, Top Client Types, under Internet Usage reports. This report gives visibility of traffic generated by various clients, including BYOD clients, in your organization.

Cyberoam-iView offers logging of following general purpose client types:

·         General Authentication Client (Corporate Client for Windows, Linux or MAC)

·         Web Client (Captive Portal excluding iOS and Android OS types)

·         Client Based SSO

·         Clientless SSO(CTA)

·         Thin Client

·         NTLM Client
 
In addition, it offers visibility of various BYOD client types. Nowadays every organization is adopting the Bring Your Own Device (BYOD) concept to reduce the cost of infrastructure and provide more flexibility to its employees.

BYOD enables employees to use their personal devices for business purpose. In this case it is vital to keep track of traffic passing through those devices to ensure network security of the organization.

Cyberoam - iView provides logging of following BYOD client types:

·         Android Client (Cyberoam Android Client)

·         Android Web Client (Android device login through Captive Portal)

·         iOS Client (Cyberoam iOS Client)

·         iOS Web Client (iOS device login through Captive Portal)
 
To view client type based Internet usage report go to Reports > Internet Usage > Top Client Types.

c.    Export Reports in HTML Format

Cyberoam-iView now allows exporting generated reports in HTML format. Previously it was limited to industry standard PDF or MS-Excel format. Click the icon at the top right of the report to export the report in HTML format.

HTML export is supported from the following browsers:
 

·         Internet Explorer v9 and above

·         Mozilla Firefox v24 and above

·         Google Chrome v28 and above

·         Safari v5.1 and above

·         Thin Client

·         Opera v15 and above 
 

d.    Custom Logo for HTML Reports

Cyberoam- iView now allows the administrator to configure a custom logo for HTML reports. By default reports are generated with Cyberoam logo but now with this feature the reports can be generated with organization’s logo. This feature helps administrator to customize appearance of the generated HTML reports.

The selected logo is displayed on the top left corner of the HTML report and the maximum allowed size of the logo file is 50 KB.

To configure custom logo for the reports, go to System > Configuration > Custom Logo


9.  Seeking User Participation for Sustained Product Improvement
We, at Cyberoam believe that the best products are the ones that are optimized according to their fullest potential to meet customer requirements. Product optimization is a continuous process and improvement could be achieved with active participation from the customer side.
Cyberoam continuously strives to understand and anticipate customer needs in order to deliver world-class products.

From this version onwards, CyberoamOS will seek the appliance hardware, configuration, and usage statistics periodically in an encrypted form. Periodic Over-the-Air Hotfixes based on the analysis of the collected data will be sent to the customer.

Though this feature is enabled by default, the Administrator may choose to not be a part of this program.

To configure Over-the-air Hotfix and  Product Improvement Program, go to System > Maintenance > Updates and select the Allow Over-the-Air Hotfix or the Participate in the Product Improvement Program option(s).


10.  Support of User Log on and Log off APIs

From this version onwards, third-party Solution Providers like ISPs, System Integrators can integrate/automate Cyberoam User Log on and Log off process with the help of CyberoamOS’s XML-based API. User logged on through API is considered as a Live User.

This functionality will be most helpful for those Cyberoam customers who provide Internet access through hotspots. It can also be used to achieve SSO with third party Access Control devices.

Log on and Log off requests can be verified from System > Administration > API Explorer.

11.  iAccess: Account Status, Quarantine Management and Authentication for iOS Users

Cyberoam's iAccess for iOS is an application for iPhone, iPod touch, and iPad that authenticates users with Cyberoam, integrated with local or external authentication servers. Cyberoam “iAccess” features are listed below:

·         Client Authentication.

·         Access to the user's "Account Status” and manage quarantined mails. 

·         Periodic “Push Notifications” to be sent to the iOS device. For example the user will be prompted to re-login prior to session expiry. 

The Cyberoam iAccess application can be downloaded from the iTunes App Store using the following link: https://itunes.apple.com/au/app/cyberoam-iaccess/id849010386.
 
 
12.  Cyberoam SSL VPN Client Support for Windows 8
Cyberoam has released an SSL VPN Client v 1.3.0.5 for Windows 8 OS. This can be downloaded from the below link:
http://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.0.5.exe.
 

The installation guide for the client can be downloaded from the below link:
http://docs.cyberoam.com/default.asp?SID=&Lang=1&id=1310&Lang=1&SID=

Please note that this client is not available for download from Cyberoam SSL VPN Portal.

Cyberoam SSL VPN Client also works when the “Run in Compatibility Mode” option is enabled on the operating systems listed below:

 

 

Operating System                        Compatibility Mode
Windows 8 (32 bit)                      Windows XP SP3, Windows 7
Windows 8.1 (64 bit)                    Windows XP SP3, Windows 7
Windows Server 2012 Standard Edition    Windows XP SP3, Windows 7



13.  Cyberoam as a Dynamic DNS (DDNS)
CyberoamOS can now be configured as a Dynamic DNS (DDNS) service provider.

To configure Cyberoam as a Service Provider, provide host name in the <host name>.ddns.cyberoam.com format. For example, mycompany.ddns.cyberoam.com
 
To configure Dynamic DNS, go to Network > Dynamic DNS > Dynamic DNS and click Add.
 
Note: This feature is not supported in HA.


14. Inbound Load Balancing
 
Cyberoam now provides DNS-based inbound load balancing.

With the introduction of this feature, inbound traffic can be distributed over multiple WAN links to achieve load balancing for internally hosted servers such as mail servers and web servers. Cyberoam balances the incoming load and provides redundancy by allowing the host on the LAN to be accessible through multiple links. The host appears at a different IP address at different times, thus using all available links.

When a client makes a DNS query to resolve the IP address of the server, the query is resolved based upon the weight or availability of the link through which each server can be reached.

Fully Qualified Domain Name (FQDN) can also be mapped to static IP address.
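The weight-and-availability resolution described above can be sketched as follows. This is an added example, not CyberoamOS's implementation: it uses smooth weighted round-robin as an assumed selection method, and the class name, FQDN and WAN addresses are constructed for illustration.

```python
class InboundBalancer:
    """Answer queries for one FQDN with the WAN address of a live, weighted link."""

    def __init__(self, fqdn, links):
        # links: iterable of (wan_ip, weight); a weight of 0 is never handed out.
        self.fqdn = fqdn
        self.links = [
            {"ip": ip, "weight": int(weight), "credit": 0, "up": True}
            for ip, weight in links
        ]

    def set_link_state(self, wan_ip, up):
        """Record a health-check result for one WAN link."""
        for link in self.links:
            if link["ip"] == wan_ip:
                link["up"] = up
                link["credit"] = 0   # start from a clean slate on any change
                return
        raise KeyError(wan_ip)

    def resolve(self):
        """Return the address to put in the DNS answer, or None if no link is up."""
        live = [l for l in self.links if l["up"] and l["weight"] > 0]
        if not live:
            return None
        total = sum(l["weight"] for l in live)
        # Smooth weighted round-robin: every live link earns its weight,
        # the richest link answers and pays back the total.
        for link in live:
            link["credit"] += link["weight"]
        best = max(live, key=lambda l: l["credit"])
        best["credit"] -= total
        return best["ip"]


def demo():
    """Constructed scenario: two WAN links weighted 2:1, then a link failure."""
    lb = InboundBalancer("mail.example.com",
                         [("198.51.100.10", 2), ("203.0.113.10", 1)])
    normal = [lb.resolve() for _ in range(6)]
    lb.set_link_state("198.51.100.10", False)    # first WAN link goes down
    degraded = [lb.resolve() for _ in range(3)]
    return normal, degraded


if __name__ == "__main__":
    normal, degraded = demo()
    print("both links up :", normal)
    print("one link down :", degraded)
```

Resolvers cache each answer for the record's TTL, so clients move off a failed link only as quickly as that TTL allows.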



Enhancements

1.   Dynamic Routing Configuration via GUI

From this version onwards, dynamic routing using RIP, OSPF and BGP protocols can also be configured from Web Admin Console.

Prior to this version, dynamic routing could be configured only from CLI.

To configure dynamic routes using Web Admin Console, go to Network > Dynamic Routing > RIP / OSPF / BGP.

2. Third Party Certificate Support

From this version, CyberoamOS supports Third Party Certificate for:

·         Captive Portal

·         My Account

To upload a Certificate, go to System > Certificate > Certificate.

3. Third Party Certificate Authority (CA) Support for HTTPS Scanning  

From this version, CyberoamOS supports Third Party Certificate Authority (CA) for HTTPS Scanning. The uploaded CA needs to have a CA Passphrase and Private Key to be utilized for HTTPS Scanning.

To configure CA for HTTPS Scanning, go to Antivirus > HTTP/S > Configuration.

4. Certificate Enhancements

  From this version, CyberoamOS supports:

·         Different certificate file extensions such as .pem, .cer, .der, .p7b, .p12 and .pfx

·         Regeneration of Cyberoam Self-signed Appliance CA

·         Regeneration of Cyberoam Self-signed Appliance Certificate

To configure certificates, go to System > Certificates > Certificates.

For CA, Cyberoam supports standard - .pem and .der file extensions.

5.   i18n Support for Default Configuration Language

Using this enhancement, the administrator would be able to change the language of default configurations. On changing this, the appliance will boot with Factory Default Configuration and the existing configuration will be lost.

To change the default language for Cyberoam configuration, go to System > Administration > Settings > Language Settings.

6.   i18n Language support for SSL VPN Web Portal

From this version, i18n language support has been added for SSL VPN Web Portal.

To change the default language for SSL VPN Web Portal, go to System > Administration > Settings > SSL VPN Settings.

7.   SSL VPN: User Certificate Encryption

From this version onwards, CyberoamOS allows the Administrator to enable or disable per user certificate encryption in SSL VPN. This can override the predefined SSL VPN Settings, provided the user is a registered user or is added after upgrading the appliance. If per user encryption is required, the Administrator needs to manually enable this feature for the required users.

To configure this option, go to System > Administration > Settings > SSL VPN Settings and enable Per User Certificate Encryption.

To use the encrypted certificate for a specific user, go to VPN > SSL > Tunnel Access and enable Per User Certificate, select the user.

8.   Multiple Email Addresses Support for User

 From this version, Cyberoam supports multiple Email Addresses for a user.

To configure this option, go to Identity > Users > Users > Add.

9.   Network Adapter support for Hyper-V based Cyberoam Virtual Appliance

 From this version, Hyper-V based Cyberoam Virtual Appliances have an added support for Virtual / Synthetic Network Adapters along with existing Legacy Network Adapters.

10. Soft Reboot Option Removed from Hyper-V based Cyberoam Virtual Appliance

From this version, Soft Reboot option from CLI has been removed for Hyper-V based Cyberoam Virtual Appliances.

11.  Architectural Enhancements for Cyberoam Central Console

From this version onwards, CyberoamOS has been architecturally enhanced to support the Forward Compatibility feature of Cyberoam Central Console (CCC). With this enhancement, all upcoming CyberoamOS versions can be managed by CCC without upgrading it.

Prior to this version, it was mandatory to upgrade the existing CCC firmware to manage the new CyberoamOS versions.


12. Enhanced Browsing Experience

From this version, CyberoamOS also supports TLS1.1 and TLS1.2, along with TLS1.0 and SSL3.0 for Web proxy. This will enable seamless end-user browsing experience.


13. Support for 32 bit ASN in BGP 

CyberoamOS now supports 32 bit ASN number in BGP. Prior to this version, 16 bit ASN number was supported.


14. Multiple DHCP Servers support in DHCP Relay
 

From this version, multiple servers can be configured for a single DHCP Relay Interface. This ensures the high availability of DHCP servers. A maximum of eight (8) servers can be configured. Prior to this version, only one DHCP Server could be configured over a DHCP relay.

This enhancement is supported for both IPv4 and IPv6 Families.

To configure multiple DHCP servers on a single DHCP Relay interface, go to Network > DHCP > Relay > Add/Edit an existing DHCP Relay and configure DHCP Server IP Addresses.


15. PPPoE Enhancements

This version of CyberoamOS includes the following PPPoE enhancements:

·         CyberoamOS now supports assigning a preferred (static) IP address to the PPP Interface. This support will mainly help customers in countries where ISPs assign a block of IP addresses for a PPPoE connection.

·         To configure a preferred IP Address for PPPoE interface, go to Interface > Interface > Edit PPPoE interface and provide Preferred IP Address.

·         A PPPoE connection gets terminated once the IP address lease expires and reconnects automatically. The connection may therefore re-establish at a time when it is not required. To avoid this untimely re-connection, CyberoamOS now allows the re-connection time to be scheduled. The Administrator can choose to schedule the PPPoE reconnection on a daily or weekly basis at the configured time.

·         To configure reconnection schedule, go to Interface > Interface > Edit PPPoE interface and configure week day(s) and time (HH:MM) for parameter Schedule Time For Reconnect.  By default, reconnection schedule is disabled. When enabled, the default schedule is All days of week at 00:00 hours.

To facilitate the Administrator to connect/disconnect PPPoE connection manually, a Connect/Disconnect button is provided.

16. Support of Importing Active Directory Organization Unit (OU) and Implementing OU-based Security Policies

Based on business requirements, organizations divide the objects of the Active Directory to form Organizational Units (OU). From this version onwards, one can also import an entire OU rather than importing groups individually. OUs can be imported the same way AD groups are imported, using the Active Directory Import Group Wizard. An OU is imported in Cyberoam as a group and all the security policies can be applied on the OU group. Once the OU is imported, it is listed on the Web Admin Console Groups page in the format OU=<ou name as defined in AD>,DC=<DC as defined in AD>, for example, OU=sales,DC=example,DC=com.

A user belonging to an OU will be a member of the OU group in Cyberoam. Group priority will depend on the group sequence implemented in CyberoamOS. The OU group sequence in CyberoamOS will be according to the OU selected in the Import wizard.

When user is a member of multiple groups, policies applied to the user will depend on the group priority defined in CyberoamOS.

This feature is supported only when Active Directory is tightly integrated with CyberoamOS.

To import OUs, go to Identity > Authentication > Authentication Server, click Import icon against AD server and follow the on-screen steps appearing on Import Group Wizard.

To view the imported OU groups, go to Identity > Groups > Groups.

17. Sender IP Reputation Optimization

Spammers forge the Email signatures to obfuscate their real IP Addresses. The IP Address Reputation technique is used to combat such Emails by looking up the reputation of the sender’s IP Address and taking appropriate action. However, in the case of a Mail Server that is freshly deployed, IP reputation information may not be available yet. If sender IP Address verification is enabled, there is a possibility that, in the absence of reputation information, a legitimate Email from this server might be dropped.

Therefore, from this version onwards CyberoamOS allows the Administrator to configure an action based on the reputation of a specific source IP Address, that is, an action for an IP Address that has been confirmed as a “bad” source IP Address and an action for an IP Address that is classified as a probable “bad” source IP Address. Based on this, the Administrator can choose one of the following action(s):

·         Accept – all the spam Emails are forwarded to the recipient after scanning as per the configuration.

·         Reject – all the spam Emails are rejected and notification is displayed to the user.

·         Drop – all the spam Emails are dropped.

To configure action for confirmed spam Emails, go to Anti Spam > Configuration > Configuration > Enable “Verify Sender’s IP Reputation” and  configure Confirm Spam Action.

To configure action for probable spam Emails, go to Anti Spam > Configuration > Configuration > enable “Verify Sender’s IP Reputation” and configure Probable Spam Action.

CyberoamOS also allows configuring a FQDN in trusted mail server list to support Mail Servers that have dynamic IP Addresses.

To configure FQDN, go to Anti Spam > Trusted Domain > Trusted Domain and add the Domain Name.

18. Dynamic Routing Information on GUI

The Routing Information is the current configuration of dynamic routes when the Appliance is up and running. From this version, CyberoamOS allows the Administrator to view Routing Information of any dynamic routes configured using RIP, OSPF, and BGP protocols. The read-only Routing Information section includes information such as routes, border routers, database summary, and neighbors. It also provides the status of the dynamic route and the neighbor status, if a neighbor exists. This overview of the dynamic route information will be useful for further configurations and/or debugging.

To view the routing information, go to Network > Dynamic Route > Routing Information.

19. Remodelled IPS Policy Configuration

a.  Policy Configuration Optimizations

In a bid to simplify the IPS policy creation, from this version, the IPS Policy page has been revamped. The new design is intended to guide an SMB/SME administrator as to which particular set of signatures are useful for their organization rather than choosing unwanted signatures. The revamp is intended to improve the IPS efficacy and overall device performance.

The page is now divided into three (3) base attributes to configure an IPS Policy:

• Signature Criteria: An IPS Policy can be created either using the available default signatures or using the configured custom signatures. The default IPS signatures are grouped and displayed based on the signature category, level of severity, platform and target.

• List of Signatures: A list of IPS signatures is updated dynamically and displayed based on the matching criteria. By default, all the categories and relevant information are displayed. The user can select the desired signature(s) along with the recommended action. As the user scrolls through the signatures, the signature record count is dynamically updated in the “List of Matching Signature” bar.

• Action: If the Administrator wishes to override the recommended action with a custom action, it can be configured from here. The default action for all signatures is “Drop Packet”.

To configure IPS Rule, go to IPS > Policy > Policy and click edit icon in the Manage column against an existing IPS Policy, click Add.

b.  New Pre-Configured IPS Policies

In a bid to simplify and speed up the IPS policy deployment the CyberoamOS has added six (6) new pre-configured IPS policies that can be directly attached to the relevant firewall rule. The policies are:

DMZ to LAN, DMZ to WAN, LAN to DMZ, LAN to WAN, WAN to DMZ, WAN to LAN.

These policies can be viewed from IPS > Policy. To attach a policy to the relevant firewall rule, go to Firewall > Rule > IPv4 or IPv6 > Add or Edit > Advance Setting > IPS.

20. Zero Downtime Upgrade for HA Cluster Appliances

To achieve uninterrupted traffic flow for the mission-critical application, most organizations deploy Cyberoam appliances in High Availability Cluster. CyberoamOS from this version provides zero downtime upgrade for HA Cluster Appliances to ensure uninterrupted traffic flow. At the time of upgrading the firmware for the appliances in the Cluster, the appliances will reboot one by one so that at least one appliance in the cluster is available for the traffic flow. In the upgrade process, Auxiliary appliance will be upgraded and rebooted first and till the auxiliary appliance is upgraded, primary appliance will serve all the requests.

This feature is not supported when Cyberoam is deployed with IPv6 features.

21. LAG support in High Availability 

To add redundancy, CyberoamOS allows Link Aggregation (LAG) Interfaces to be configured in an HA cluster. HA clusters can now be connected to a network using redundant interface connections and networking devices like switches and routers, thereby reducing single points of failure. If a connection or component failure occurs, the traffic is automatically redirected to the redundant component or interface connection, resuming the traffic flow.

Points to note:

·         LAG Interface can be configured for Auxiliary Administration Interface.

·         An interface that is a LAG member cannot be configured as a HA monitoring Link.

·         LAG interface is not supported over dedicated links.

·         This feature is not supported when Cyberoam is configured as a Bridge interface.

·         This feature is not supported when Cyberoam is configured with IPv6 features.

To add redundancy in HA cluster configuration, go to System > HA > HA and select LAG Interface for Peer Administration Port.

22. Usability Enhancements in VPN Tunnel Management  

From this version onwards, the following enhancements make the VPN Tunnel Manage page easier to use:

As part of Web Admin Console optimization process the IPSec VPN Tunnel connection loading time on Manage page has been reduced by approximately 40%.

Search filters are provided on following pages and columns on respective pages:

·         VPN > IPSec > Connection – Group Name, Policy, Connection Type, Active, Connection, Local ID, Local Subnet, Remote Gateway, Remote ID, and Remote Subnet

·         VPN > Live Connections > IPSec Connections – Local Server, Local Subnet, User Name, Remote Server/Host and Remote Subnet

·         VPN > Live Connections > SSL VPN Users – Connection Since, User Name, Source IP, and Leased IP

Connection Detail Icon is added for Site-to-Site connection. Clicking the Connection Detail icon displays information for all the sub-connection for each subnet.

This icon appears only against active Site-to-Site connection.


23. DNS Enhancements

To enable or disable DNS service, go to System > Administration > Appliance Access. By default, the DNS service is disabled.

Further, interface can be configured for DNS Host entry instead of static IP Address. Thus if interface IP Address is changed either by interface update or by DHCP or by PPPoE, the same will be reflected in DNS host entry.

Other pertinent points include:

To configure static DNS, go to Network > DNS > DNS Host Entry > click Add and select Manual to provide IP Address or Interface IP to select from the available Interface.

24. Kernel Based Virtual Machine Support

Kernel Based Virtual Machine (KVM) is an open source full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). From this version onwards, Cyberoam supports a KVM Hypervisor.

Prior to this, VMware ESX/ESXi, VMware Workstation, VMware Player, Microsoft Hyper-V platforms were supported by CyberoamOS.

To reach the install guide, please click here.

25. Enhanced Gateway Load Balancing through Multiple Source NAT (SNAT)

Load balancing over a gateway is affected by the NAT policy configured on it. Gateway specific NATing methods such as Masquerade are less efficient in load balancing as they are focused on the available gateways only, and cannot cater to a source (server/host) that is to be NATed in a specific manner irrespective of the gateway NAT policy. A Gateway specific policy defeats this purpose.

From this version, load balancing is enhanced in CyberoamOS through Multiple Source NAT. A NAT policy defined for a specific source (host/server) can override the default NAT policy specific to the Gateway. CyberoamOS NAT policy is now enhanced to allow the Administrator to configure:

·         Multiple SNAT policies in a single firewall rule

·         Default NAT policy for a gateway from Network > Gateway > Gateway

·         Override Default NAT policy of a gateway from Firewall Rule

This allows the host/server to be NATed with desired IP Address and ensures efficient load balancing.
  

26. Optimization in On-Appliance iView

From this version, Cyberoam - iView report rendering logic has been optimized. This enhancement results in quicker data fetching and graph rendering for a better end-user experience.

27. Cyberoam-iView: Enhanced Report Analysis and Correlation

With this version, Cyberoam-iView has introduced important navigational changes in reports to improve the analytical usage of reports.

Now the administrator can get complete visibility of all reports available in a report category at one glance in the form of widget group. These widgets are grouped under Report Dashboard.

Each report dashboard can be further filtered to get the reports specific to the filtering criteria or one can directly go to the specific report from the navigation tree.

For example, clicking the User hyperlink from the Top Users widget will display all the reports specific to the selected user or you can access user specific Application reports by navigating through Reports > Application > Top Users > User.

All filtering criteria are displayed at the top of the report with an option to remove the criterion. This helps the administrator to view reports without navigating back through GUI and also empowers the administrator to take appropriate actions based on the correlated information provided by Cyberoam-iView reports.

With this version, On-Appliance Cyberoam-iView allows the administrator to retain Appliance Audit Logs for up to 1 (one) year. Previously it was limited to 1 (one) month.

To configure log retention period go to System > Configuration > Data Management.

28. On-Cloud Online Help

A revamped Context Sensitive Online Help is now shifted to the Cloud for the following:

·         Cyberoam

·         iView

·         My Account

29. Closer Integration of Knowledge Base and Context Sensitive Help

In a bid to achieve better user experience, a list of relevant articles has been provided on every page of Online Help. This is meant to foster a tighter bond between both the help collaterals, ultimately empowering the user to take maximum advantage of Cyberoam.

30. Enhanced Security over NTLM Authentication

When any site hosted on the internet initiates the NTLM web proxy challenge for authentication, the client is transparently authenticated by the browser through Cyberoam by sending credentials over the internet.

To prevent user credentials from going out on the Internet, from this version onwards, Cyberoam will redirect the NTLM authentication challenge to the Intranet Zone. The client will be transparently authenticated through Cyberoam’s Local Interface IP and credentials will be exchanged in the Intranet zone only.

To configure this feature on Web Admin Console, go to Identity > Authentication > Firewall and enable the “HTTP challenge redirect on Intranet Zone” option from the NTLM Settings.


Miscellaneous
CyberoamOS has the following miscellaneous changes:

  • Tab name ARP is renamed to ARP-NDP. To view the details within the tab, go to Network > ARP-NDP > Neighbors

  • On the Access Denied page, a link is added to submit a blocked URL for re-evaluation, if the website is categorized under a wrong category or is erroneously blocked.

  • On the Anti Spam Quarantine Area page, the log color will change if that specific mail is released to the user’s inbox. The Rule Name under which the Email was considered as spam is also displayed for more information.

  • Anti Spam Rules can now be created for an exactly matching Email ID in Recipient/Senders Email Address/domain. Prior to this release, the support was only for searching an Email ID that “contains” a specific string.

  • HTTPS traffic will be load balanced in HA. Previously HTTP, SMTP, POP3, IMAP traffic was load balanced. 

  • DNS input fields have been removed from Network > Interface > Interface Edit page.

  • Cyberoam now supports latest standard for CSS. CSS3 style and layout support is added so that header and footer file code can be added which can be compatible with IE8 and IE9.


  • List of Zone to Zone Firewall Rule shows a Tool Tip for truncated Zone Names. Vertical Scrollbar is provided to complete the list.

  • Static DNS Host Entry Name can now include special characters “_” and “-”.

  • "External IP" search option in Virtual Host Section of Firewall is enhanced to show the Interface IP Address of a Virtual Host configured on a Physical/Virtual Interface.

Bugs Solved

Refer to Appendix 2 for Bugs Solved.

Known Behaviour

Following is the list of Known Behavior:

  ·     For IE version 8, 9 and 10, disable TLS 1.1 or 1.2. If enabled, the following portals will not open over HTTPS:

          ·     Cyberoam Web Admin Console will not be accessible.

          ·     Cyberoam will not throw Captive Portal for unauthenticated user.

          ·     Users will not be able to access SSL VPN Web Portal.

        The above mentioned behavior is not observed when TLS 1.1 or 1.2 is enabled on IE version 11.

·     Secure sites hosted on servers which have a legacy SSL implementation for TLS1.2 are not accessible if Cyberoam does not receive an SSL Handshaking response from the server. This situation is observed only when Cyberoam is used as direct proxy, a parent proxy is configured within CyberoamOS and HTTPS scanning is enabled.

·     Only single login attempt is allowed for Web-based CLI console.

·     User will not be able to log on to Cyberoam when login restriction is applied for a user in Active Directory.

·     L2TP VPN connection displays as “connected” on "Connection" page of "VPN L2TP" even though user is disconnected from Android device.

·     Records for the traffic of the ‘Drop’ firewall rule are displayed in iView even though the “Log Firewall Traffic” option is disabled on the “Firewall Rule” page.

·     “cyberoamselfsignedCA” certificate generates with peer appliance key of HA cluster, on disabling HA state.

·     Cyberoam allows a “Self Signed Certificate” to be generated with the same common name as the “Default Certificate Authority”; because of this, Certificate verification fails while establishing a Cisco VPN connection to Cyberoam.

·     If child domain or sub-domain is not categorized in Cyberoam then it falls under the parent Website Domain Category.

          In such cases if you want to implement different access control policies for child domain and parent domain then create a custom category for the child domain. 

 
You can submit URL for categorization or correction at webcat@cyberoam.com.
 
 

 


1.2.2.2. Release Notes 10.04.X Build XXX
1.2.2.2.1. V 10.04.6 Build 052

Release Date

Version 10.04.6 Build 052 – 14 July 2014

Release Information

Release Type: Maintenance Release

Applicable to Cyberoam Version:

V 10.01.0XXX or 10.01.X Build XXX    All the versions
V 10.02.0 Build XXX                  047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX                  214, 304, 311, 338, 433
V 10.04.X Build XXX                  1 Build 451, 2 Build 527, 3 Build 543, 4 Build 028, 5 Build 007, 6 Build 032

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 by selecting the option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting the option “10.01.0472 or higher” and follow the on-screen instructions.

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.2 Build 116. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| - | - | - | - | - |

 

Introduction

This release addresses the SSL/TLS MITM vulnerability (CVE-2014-0224) for Appliances running the firmware versions listed in the Applicable to Cyberoam Version section.

 

1.2.2.2.2. V 10.04.6 Build 032
 

Release Date

Version 10.04.6 Build 032 – 04 March 2014

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:

| Version | Applicable builds |
|---|---|
| V 10.01.0XXX or 10.01.X Build XXX | All the versions |
| V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473 |
| V 10.04.0 Build XXX | 214, 304, 311, 338, 433 |
| V 10.04.X Build XXX | 1 Build 451, 2 Build 527, 3 Build 543, 4 Build 028, 5 Build 007 |

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

| For Cyberoam versions prior to 10.01.0472 | For Cyberoam version 10.01.0472 or higher |
|---|---|
| Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back. | Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction. |

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 116. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| - | - | - | - | - |

 

Introduction

This document contains the release notes for Cyberoam Version 10.04.6 Build 032. The following sections describe the release in detail.

This release comes with enhancements to improve quality, reliability, and performance.

Enhancements

1. Signature and Updates Distribution Support for Non-Centrally Managed Appliances

Cyberoam Central Console (CCC) can centrally manage multiple Cyberoam appliances. From this version, Cyberoam Central Console (CCC) can act as a Signature and Updates Distribution server for those security appliances that are not managed by it.

In previous versions, a security appliance had to be managed by CCC for CCC to act as its Signature and Updates Distribution server.

To enable CCC to work as a Signature Distribution server, navigate to System > Administration > Central Management and select the relevant option.

2. Anti Virus Engine Optimization

From this version, Cyberoam Anti Virus Engine has been optimized for better resource utilization in CR15i, CR15wi and CR25i appliances.


1.2.2.2.3. V 10.04.5 Build 007

 

Release Date

Version 10.04.5 Build 007 – 25 November, 2013 

Release Information

Release Type: Enhancement Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:

| Version | Applicable builds |
|---|---|
| V 10.01.0XXX or 10.01.X Build XXX | All the versions |
| V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473 |
| V 10.04.0 Build XXX | 214, 304, 311, 338, 433 |
| V 10.04.1 Build XXX | 451 |
| V 10.04.2 Build XXX | 527 |
| V 10.04.3 Build XXX | 543 |
| V 10.04.4 Build XXX | 028 |

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

| For Cyberoam versions prior to 10.01.0472 | For Cyberoam version 10.01.0472 or higher |
|---|---|
| Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back. | Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction. |

   Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

   Revision History
 

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| - | - | - | - | - |

 
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.5 Build 007. The following sections describe the release in detail.

This release comes with several bug fixes to improve quality, reliability, and performance.
 

Bugs Solved

Access Server

Bug ID – 14949
Description – L2TP client does not get authenticated to Cyberoam via Local Authentication, if CHAP or MS-CHAP protocol is used for authentication and Cyberoam Firmware is upgraded to Version 10.04.4.028.
 

Anti Virus

Bug ID – 14766
Description – FTP session needs to be disconnected manually once the file is successfully uploaded, if FTP scanning is enabled from Firewall Rule page and the size of the file to be uploaded is greater than the value specified in the parameter "Files Greater Than Size Should not be scanned" from FTP page of Anti Virus.
 

GUI

Bug ID – 12337
Description – Application names are not displayed while viewing Application Filter logs on the Log Viewer page.

Bug ID – 14961
Description – The word “Login” is mis-spelled as “Logoin” in an error message displayed on Notification page of System Configuration.
 

Network

Bug ID – 15006
Description – 3G modem D-Link DWM-156 is not compatible with Cyberoam Appliance.

Bug ID – 15084
Description – HUAWEI Mobile E3276 does not connect to Cyberoam, if “IP Assignment” mode is selected as DHCP from Wireless WAN Setting page.

Bug ID – 15181
Description – Huawei HB4F1 3G modem is not compatible with Cyberoam Appliance.
 
1.2.2.2.4. V 10.04.4 Build 028

 

Release Date

Version 10.04.4 Build 028 – 10 September, 2013

Release Information

Release Type: Enhancement Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version: 

| Version | Applicable builds |
|---|---|
| V 10.01.0XXX or 10.01.X Build XXX | All the versions |
| V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473 |
| V 10.04.0 Build XXX | 214, 304, 311, 338, 433 |
| V 10.04.1 Build XXX | 451 |
| V 10.04.2 Build XXX | 527 |
| V 10.04.3 Build XXX | 543 |

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

| For Cyberoam versions prior to 10.01.0472 | For Cyberoam version 10.01.0472 or higher |
|---|---|
| Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back. | Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction. |

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.
 
Revision History
 

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| 1 | 1.00-10/09/2013 | 1.01-18/09/2013 | Bug Solved | Bug Detail Updated |


 

Introduction

This document contains the release notes for Cyberoam Version 10.04.4 Build 028. The following sections describe the release in detail.

This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.
 

Enhancements

1. Guest User Enhancements

Apart from Guest Users registering themselves using Guest User Portal, Cyberoam now allows the Administrator to configure Guest Users from Web Admin Console. While creating Guest Users from Web Admin Console, Administrator has an option to configure a single user or multiple guest users. The auto-generated credentials and the Internet access details so created can be printed. The following details can be printed:

·        Username

·        Password

·        Expiry Date

·        Validity (Time duration in days)

·        Disclaimer message (Once configured, it can be edited but cannot be removed)

The credentials and Internet access details of guest users registered via Guest User Portal can either be sent via SMS or can be printed. However, the guest users created from Web Admin Console can only be printed.

An Administrator can also choose when a Guest User is considered active, i.e. either immediately after registration or after the first login.

Prior to this version, only Guest Users could register themselves on the Guest User Portal, using the Internet access details received via SMS on their mobile phones.

To create Guest Users go to Identity > Guest Users > Guest Users and click Add Single or Add Multiple to add a single or multiple Guest Users respectively. On the same page click Print to print the Guest User details.
 
Further, to add and manage guest users, permissions are to be set for two new entities Guest Users Management and Other Guest Settings from Profile under Identity Administration.
 

2. Extended Two Factor Authentication Support

From this version onwards, the two factor authentication support for Cyberoam Captive Portal is extended to SSL VPN Portal, SSL VPN Client, Cyberoam Web Admin Console, My Account, Reports, 4-Eye Authentication and Open VPN Client for iPhone and Android. When two factor authentication is configured on the third-party Authentication Server, the user needs to provide two means of identification on the clients that support two factor authentication. The user will have to provide a One-Time Password (OTP), PIN or challenge-response token, as well as the fixed password, to log on to the Cyberoam clients that support two factor authentication, as configured in third-party authentication servers like RSA or FreeRadius server.

 

3. Secure Connection over SMTP Mail Notification

With more and more people using the Internet for socializing, personal and professional use, the information shared via Email may not always be secured. Information within Email can be intercepted and/or altered if not encrypted. Privacy and security of confidential and sensitive information has therefore been a growing concern.

Transport Layer Security (TLS) is a security protocol that secures the information sent via Email by encrypting Email communication, thereby providing privacy and integrity between an SMTP Client and an SMTP Server. Cyberoam supports the TLS protocol to provide security over SMTP Mail Notification. With TLS for connection security, Cyberoam automatically encrypts all the Email communications, ensuring confidentiality for SMTP Mail Notification and reducing the risk of eavesdropping, interception and alteration.

Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard. The “Connection Security” attribute can be configured with one of the following options:

·        None – Should be selected if TLS protocol is not supported by the mail server and a normal TCP connection must be established without any security.

·        STARTTLS – If the server supports STARTTLS, the connection is upgraded to TLS else continues as a TCP connection without any security.

·        SSL/TLS – Should be selected to establish a secured TCP connection using TLS protocol.

By default, option “None” is configured for parameter Connection Security.

Cyberoam uses certificates to encrypt the data sent over a TLS supported TCP connection. An Administrator can choose to use a default certificate or select a custom certificate.  

By default, “ApplianceCertificate” is used for data encryption for secured TCP connection.

On Factory Reset, the “Connection Security” and “Certificate” parameters are set to their default values, i.e. “None” and “Select Certificate” respectively.

Prior to this version, a normal TCP connection was used for communication between the SMTP Client and an SMTP Server for SMTP Mail Notification.

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.
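The fallback behaviour of the “STARTTLS” option described above, as an added Python example that is not Cyberoam's code: a client sends a notification to a constructed loopback mail server that never advertises STARTTLS, so the opportunistic setting delivers the message in cleartext. The `require_tls` switch, the addresses and the alert text are assumptions made for the illustration.

```python
import smtplib
import socketserver
import ssl
import threading

SENDER, RCPT = "appliance@example.test", "admin@example.test"   # constructed
ALERT = "Subject: Appliance alert\r\n\r\nAdmin login failed from 203.0.113.7\r\n"  # constructed
CLIENT_NAME = "appliance.example.test"   # fixed EHLO name, avoids a DNS lookup


class _NoTLSHandler(socketserver.StreamRequestHandler):
    """Constructed mail server whose EHLO reply never lists STARTTLS."""

    def _reply(self, *lines):
        self.wfile.write(("\r\n".join(lines) + "\r\n").encode("ascii"))

    def handle(self):
        self._reply("220 mail.example.test ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line[:4].upper()
            if verb == b"EHLO":
                self._reply("250-mail.example.test", "250 8BITMIME")
            elif verb == b"DATA":
                self._reply("354 end data with <CRLF>.<CRLF>")
                body = []
                for data_line in iter(self.rfile.readline, b""):
                    if data_line == b".\r\n":
                        break
                    body.append(data_line.decode("ascii", "replace"))
                # Anything stored here crossed the wire unencrypted.
                self.server.cleartext_bodies.append("".join(body))
                self._reply("250 queued")
            elif verb == b"QUIT":
                self._reply("221 bye")
                return
            else:                       # MAIL FROM, RCPT TO, RSET, NOOP
                self._reply("250 ok")


def start_no_tls_server():
    """Start the constructed server on a free loopback port and return it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _NoTLSHandler)
    server.daemon_threads = True
    server.cleartext_bodies = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class TLSRequired(Exception):
    """Raised instead of silently continuing without encryption."""


def send_notification(host, port, connection_security, require_tls=False):
    """Send ALERT with one of the page's settings: "None", "STARTTLS", "SSL/TLS".

    require_tls is a hypothetical strict switch, not a Cyberoam parameter.
    Returns "tls" or "cleartext" to report how the message actually travelled.
    """
    if connection_security == "SSL/TLS":      # TLS from the first byte, no fallback
        with smtplib.SMTP_SSL(host, port, local_hostname=CLIENT_NAME, timeout=5,
                              context=ssl.create_default_context()) as smtp:
            smtp.sendmail(SENDER, [RCPT], ALERT)
        return "tls"
    with smtplib.SMTP(host, port, local_hostname=CLIENT_NAME, timeout=5) as smtp:
        smtp.ehlo()
        encrypted = False
        if connection_security == "STARTTLS":
            if smtp.has_extn("starttls"):
                smtp.starttls(context=ssl.create_default_context())
                smtp.ehlo()               # capabilities must be re-read after the upgrade
                encrypted = True
            elif require_tls:
                raise TLSRequired("server did not offer STARTTLS; message not sent")
            # else: opportunistic mode continues over plain TCP, as the page states
        smtp.sendmail(SENDER, [RCPT], ALERT)
    return "tls" if encrypted else "cleartext"


if __name__ == "__main__":
    srv = start_no_tls_server()
    port = srv.server_address[1]
    print("STARTTLS (opportunistic):", send_notification("127.0.0.1", port, "STARTTLS"))
    print("readable on the wire:", srv.cleartext_bodies)
    srv.shutdown()
    srv.server_close()
```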
 
Miscellaneous Changes

1. Spam Digest is renamed to Quarantine Digest

From this version onwards, the term “Spam Digest” is renamed to “Quarantine Digest” in the Anti Spam, Identity and My Account modules. Quarantine Digest will quarantine spam Emails. However, legitimate Emails may also be quarantined due to user-defined configurations.

2. Chinese Character Encoding support

CyberoamOS henceforth supports the Chinese character encoding method for Traditional Chinese characters used in Taiwan, Hong Kong and Macau.
 
Bugs Solved

Anti Spam

Bug ID – 14293
Description – Quarantine Mails cannot be released, if the number of connections in Web GUI daemon exceeds its limit of 10.
 

DNS

Bug ID – 14043
Description – Cyberoam is unable to resolve “CNAME” query, if Cyberoam is configured as a DNS server in client machine and root server is used for resolving the “CNAME” query instead of the configured DNS server.
 

Firewall

Bug ID – 14180
Description – The value “Load Balance” of parameter “Backup Gateway” gets automatically changed to the first value that appears in the list, while editing an existing Firewall Rule.
 
Bug ID – 14638
Description – The RTP communication gets disrupted during a SIP call in appliances above CR200iNG and CR200iNG-XP.
 
Bug ID – 14828
Description – Firewall Rule logs are not displayed in the Log Viewer, though “Firewall Rules” is enabled from Configuration “Log Settings” page of Logs & Reports.
 

Network

Bug ID – 11506
Description – 4G-Huawei E3276s-150 LTE modem is not compatible with Cyberoam Appliance.
 
Bug ID – 13654
Description – AirCard 340U modem is not compatible with Cyberoam Appliance. 
 

Online Help

Bug ID – 13890
Description – An error “Error! Unknown document property name.” is displayed on IPS page of Online Help.
 

System

Bug ID – 11554
Description – Cyberoam ceases to function when deployed in Bridge Mode with STP enabled environment.
 

VPN

Bug ID – 11261
Description – NATing over VPN functions improperly, if a classless subnet is configured and first IP Address of host range does not map with the first valid IP Address of the subnet.

Example:

Site A:
Real Network: 10.0.0.0/255.255.252.0
NATted Network: 172.16.20.0/22

Site B:
Real Network: 10.0.0.0/255.255.255.248
NATted Network: 192.168.19.216/255.255.255.248

If 10.0.0.2 is pinged from Site A to Site B, Cyberoam NATs with 192.168.19.2 instead of 192.168.19.218.
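
The one-to-one mapping this bug entry expects, as an added Python example that is not Cyberoam's code: `netmap` keeps the host offset and swaps the network part, and `audit_translations` compares addresses seen by the peer against it. The first observation is the value reported above; the other two are constructed.

```python
import ipaddress

SITE_B_REAL = "10.0.0.0/255.255.255.248"
SITE_B_NAT = "192.168.19.216/255.255.255.248"

# (real source IP, NATted source IP seen on the peer side)
OBSERVED = [
    ("10.0.0.2", "192.168.19.2"),      # value reported in the bug description
    ("10.0.0.3", "192.168.19.219"),    # constructed: correct translation
    ("10.0.0.4", "192.168.19.217"),    # constructed: inside the range, wrong host
]


def netmap(real_ip, real_net, nat_net):
    """Translate real_ip one-to-one from real_net into nat_net, keeping its host offset."""
    # ip_network() is strict by default: a base address that is not aligned
    # to its mask (for example 192.168.19.218/29) raises ValueError.
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    ip = ipaddress.ip_address(real_ip)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("real and NATted networks must have the same prefix length")
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    offset = int(ip) - int(real.network_address)
    return nat.network_address + offset


def audit_translations(observed, real_net, nat_net):
    """Return one finding per observation that deviates from the expected mapping."""
    nat = ipaddress.ip_network(nat_net)
    findings = []
    for real_ip, seen in observed:
        expected = netmap(real_ip, real_net, nat_net)
        seen_ip = ipaddress.ip_address(seen)
        if seen_ip == expected:
            continue
        reason = "wrong host offset" if seen_ip in nat else "outside NATted network"
        findings.append({"real": real_ip, "seen": seen,
                         "expected": str(expected), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_translations(OBSERVED, SITE_B_REAL, SITE_B_NAT):
        print(finding)
```

A translated source address that falls outside the NATted network will not match peer-side rules written for that network, which is why the audit separates that case from a wrong host offset.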
 
Bug ID – 12825
Description – Modified IP Address of “IP Host” configured against NATted IP Address does not come into effect and the Site to Site VPN traffic passes with previously configured NATted IP Address, though the Web Admin Console displays the IP host updated with the modified configuration.  
 

Wireless LAN

Bug ID – 8005
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwi appliances.
 
Bug ID – 11018
Description – A client is unable to get authenticated via external RADIUS server, if the Wireless LAN Network Access Point parameter “Security Mode” is configured either as “WPA-Enterprise” or as “WPA2-Enterprise” for CR25wi or CR35wi appliances.
 
Bug ID – 12177
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwiNG appliances.
 
Bug ID – 12637
Description – The tab “Connected Client” of Network Wireless LAN is inaccessible frequently in CRXXwiNG appliances.
 
 
 
1.2.2.2.5. V 10.04.3 Build 543


Release Dates

Version 10.04.3 Build 543 – 6th June, 2013

Release Information

Release Type: Maintenance Release

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to Cyberoam Version:
 

| Version | Applicable builds |
|---|---|
| V 10.01.0XXX or 10.01.X Build XXX | All the versions |
| V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473 |
| V 10.04.0 Build XXX | 214, 304, 311, 338, 433 |
| V 10.04.1 Build XXX | 451 |
| V 10.04.2 Build XXX | 527 |

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

| For Cyberoam versions prior to 10.01.0472 | For Cyberoam version 10.01.0472 or higher |
|---|---|
| Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back. | Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction. |

Compatibility Annotations

Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 build 065. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.


Revision History
 
 

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| 1 | 2.00-12/06/2013 | 2.01-19/06/2013 | Enhancements | Data Accounting Exception – fine tuned |
| 2 | 1.00-07/06/2013 | 2.00-12/06/2013 | Enhancements | Revamped the entire section |
| 3 | 1.00-07/06/2013 | 2.00-12/06/2013 | Miscellaneous Changes | Revamped the entire section |
| 4 | 1.00-07/06/2013 | 2.00-12/06/2013 | Behavior Change | Revamped the entire section |
| 5 | 1.00-07/06/2013 | 2.00-12/06/2013 | Known Behavior | Revamped the entire section |

      
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.3 Build 543. The following sections describe the release in detail.

This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.

Enhancements

1. Location-aware and Device-aware Identity-based Access Control Policy

With the growing use of wireless networks and mobile devices, companies with offices spread across geographic locations, and increasing mobile workforce, the always-connected world is moving towards an era where location information becomes necessary for access control. To cater to this need of the enterprises, Cyberoam, from this version onwards, supports configuring specific access policies to the users according to location and network parameters like IP Address or MAC address of the device. Administrator even has an option to schedule the access time per location.

The administrator can monitor and analyze the usage through Cyberoam’s user-based reports and re-align access and security policies to match the business interests.

The feature is very useful for organizations where role-based access policy is required for employees and guest users.

Steps to implement location-aware policy:

1.     Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from a specific zone.

2.     Create Web Filter policy for the Web categories which you want to allow/deny if the user is accessing from a specific zone.

3.     Create Identity-based Firewall for the specific zones.

4.     Attach the Application Filter and Web Filter policies created in steps 1 and 2. By default, the Group's Application and Web Filter policy is applied to the user. Until the previous version, it was not possible to override these policies.

Steps to implement device-aware policy:

1.     Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from the specific IP Address.

2.     Create Web Filter policy for the web categories which you want to allow/deny if the user is accessing from the specific IP Address.

3.     Create Identity-based Firewall for the specific IP Address.

4.     Attach the Application Filter and Web Filter policies created in steps 1 and 2. By default, the Group's Application and Web Filter policy is applied to the user. Until the previous version, it was not possible to override these policies.

Refer to how to configure a location-aware Identity-based access control policy for a head office employee who is visiting a branch office. The employee’s access control policy will change as per location.

To configure access policies for users according to location, go to Firewall > Rule > Rule.

2. Password Strength Enforcement for Guest User

To use password as an effective authentication mechanism, it is necessary that password is strong enough to reduce the risk of a security breach.

Cyberoam provides a configurable password strength policy whereby Administrator can enforce password length and complexity making it difficult for an attacker to guess Cyberoam’s auto-generated password. This helps protect the user account from being compromised.

The administrator can configure password length and complexity from Identity > Guest Users > General Settings.

The password can be three (3) to sixty (60) characters in length. The password can be numeric, alphabetic or a combination of alpha-numeric and special characters. The default password is alpha-numeric and eight (8) characters long.

The password strength configuration is applicable only when a new password is generated.

3. Data Accounting Exceptions

By default, a user’s network traffic is considered in data accounting. From this version onwards, the Administrator has the flexibility of excluding certain traffic from the user data accounting.

The option to exclude accounting is provided in the Firewall rule and is visible only when identity is selected. When an administrator creates a user-based firewall rule and excludes the traffic from accounting, the traffic allowed through this firewall rule will not be accounted towards data transfer for the user. Traffic allowed through the non-identity based firewall rule will not be accounted.

This traffic will not be included in the user accounting reports - Internet Usage report and My Account reports, but will be included in the firewall activity reports.

This feature is useful in enterprises that have application servers hosted at the head office or in the Cloud, where the Cyberoam Administrator wants to exclude this traffic from data accounting.

To exclude traffic from data accounting, go to Firewall > Rule > Rule and enable “Bypass User Data Transfer Accounting”.

4. Visibility and Protection Within Trusted Zones

From this version onwards, an Administrator can monitor and block traffic within trusted zones (LAN and DMZ) and outbound traffic using the Application Filter and Web Filter policies configured in Firewall Rule. For example, it is possible to block the use of the Jabber instant messaging (IM) within the organization.

With this enhancement, an Administrator can apply Application Filter and Web Filter policies on the following Firewall Rules:   

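| Source Zone ↓ / Destination Zone → | LAN | DMZ | Local | VPN | WAN |
|---|---|---|---|---|---|
| LAN | ✓ | ✓ | ✗ | ✓ | ✓ |
| DMZ | ✓ | ✓ | ✗ | ✓ | ✓ |
| VPN | ✓ | ✓ | ✗ | ✓ | ✓ |
| WAN | ✗ | ✗ | ✗ | ✗ | ✗ |

(✓ = policies can be applied, ✗ = policies cannot be applied)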

Prior to this version, Application Filter and the Web Filter policy could be configured only on web traffic (LAN to WAN) in a Firewall Rule.

To configure Application Filter Policy and Web Filter Policy for internal traffic, go to Firewall > Rule > Rule.

5. Optimized Virtual Machine Image Size

Cyberoam’s Virtual UTM image size is now approximately 350MB - reduced by approx 600MB to save bandwidth and download time.

Customers can download Virtual UTM distribution package from the customer portal.

6. Granular Outbound Spam Configuration from Web Admin Console

The Administrator can now configure Outbound Spam Filter policies from Web Admin Console. The administrator can configure granular control in terms of blocking, allowing or quarantining mails from specific email addresses, IP Addresses or Domains. The administrator also has the flexibility to reject, drop, or change the mail receiver if the email is identified as spam. These configurations are available through the Anti Spam menu.

Subscription details

Prior to this version, it was not possible to configure Inbound and Outbound spam filtering simultaneously. From this version onwards, Cyberoam can scan both inbound and outbound SMTP emails for spam, which saves employees’ time and mail server resources and keeps your mail server from getting blacklisted.

Changes on the Web Admin Console

Once the Outbound Spam module is subscribed, to differentiate between inbound and outbound configuration word ‘Inbound’ will be prefixed to all the UI labels, for example, label ‘Anti Spam Module Has Identified Mail As’ will be displayed as ‘Inbound Anti Spam Module Has Identified Mail As’.

Changes in Reports

Following reports will be renamed to represent the Inbound spam activity:

| Report Name (when only Anti Spam module is subscribed) | Report Name (when both Anti Spam and Outbound Spam modules are subscribed) |
|---|---|
| Top Spam Recipients | Top Inbound Spam Recipients |
| Top Spam Senders | Top Inbound Spam Senders |

Spam Reports

Cyberoam-iView provides reports for Outbound spam activities taking place in the organization network. The report includes senders, recipients, and countries. It helps the administrator to identify compromised accounts and zombie computers in the network and take corrective action. View the following outbound spam reports from Reports > Spam:

1)     Top Outbound Spam Recipients

2)     Top Outbound Spam Senders

To configure Outbound Spam Filter policies, go to Anti Spam > Spam Rules > Spam Rules.

7. Protection against Abuse of Administrative Privileges

From this version Cyberoam supports a new entity named Administrator User - added in Profile under Identity Configuration. The administrator with Read-Write permission for this new entity will be able to create new administrator accounts, change password of other administrator accounts and control their permission levels. The administrator with Read-Only permission will only be able to change their own password and Email Address.

Go to System > Administration > Profile and under Identity Configuration, configure access rights of the entity Administrator Users.

After migrating or upgrading to this version, original permissions will be retained for all the profiles except Security Admin profile. Read-Only permission is set for Administrator User entity in Security Admin profile. 

8. ConnectWise – Third-Party Integration

ConnectWise enables the organizations to connect and communicate through one unified and integrated operational platform. It provides organizations with integration and management of Help Desk, Services, Sales, Marketing, Finance, Project etc. through a single operational platform. 

With this version, Cyberoam-iView allows the administrator to send a set of data to the ConnectWise server. The administrator can now view this data as reports on the ConnectWise server without logging into Cyberoam UTM.

To integrate ConnectWise with Cyberoam-iView, log on to Cyberoam-iView and go to System > Configuration > ConnectWise. To know more, refer to Cyberoam Integration with ConnectWise.

Once integrated, the following Cyberoam reports will be displayed on the ConnectWise server:

| Cyberoam Reports | ConnectWise Reports |
|---|---|
| Web Usage > Top Domains | Top Sites |
| Blocked Web Attempts > Top Denied Domains | Filtered Sites |
| Internet Usage > Top Users | Bandwidth |
| Attacks > Top Attacks | Intrusion |

9. Two Factor Authentication Support for Captive Portal

From this version, Cyberoam supports two factor authentication for the Captive Portal users. When two factor authentication is configured on the third-party Authentication Server, the user has to provide two means of identification. The user will have to provide a One-Time Password (OTP), PIN or challenge-response token, as well as the fixed password, to log on to Cyberoam Captive Portal, as configured in third-party authentication servers like RSA or FreeRadius server.

10. Controlled Access to a Specific Page on a Web Site

From this version onwards, Cyberoam allows the Administrator to provide the complete URI of a specific domain to be allowed or blocked. This lets the Administrator control access to a specific page on a website, without using a blanket-blocking rule to block the full Website.

A URI is a combination of a Uniform Resource Locator (URL) and a Uniform Resource Name (URN).

Example:

·         URI – http://www.testofuri.com/url/name-of-domain.html

·         URL – http://www.testofuri.com/url/

·         URN – name-of-domain.html

Prior to this version, only URLs were supported in the “Domain” field of parameter “Domain/Keyword”.

To add a URL in the Web Category, go to Web Filter > Category > Category and add the URI in the “Domain” field of the parameter “Domain/Keyword”.
  

Miscellaneous Changes

1. Configure Mail Server Address as a FQDN or an IP Address

From this version onwards, configure Mail Server Address as a FQDN or an IP Address.

This flexibility will help the Administrator to change the IP Address of a host without affecting name-based queries to the machine.

To configure, go to System > Configuration > Notification.

2. Validate Mail Server Configuration

Use Test Mail option to send a test mail to validate the mail server configuration and connectivity. Administrator can check the System Logs from Log Viewer to ascertain the reason of failure if Cyberoam is not able to send the test mail.

To configure, go to System > Configuration > Notification.

3. Usability Improvement - Labeled Buttons

For ease of use, the following icons on the top left panel of the Cyberoam screen are labeled:

·         Dashboard

·         Wizard

·         Report

·         Console
 

Behaviour Change

VPN Services

At least one policy is required to access VPN services like SSL / IPSec / L2TP / PPTP. On deleting all the policies, the respective service will not be available.

To use GRE tunnel, service should be enabled. 

Guest User Registration Portal

Guest User Registration portal now uses port 8090 instead of port 80.
 
 

Known Behaviour

SSL VPN Client Version 1.2.7

The user is automatically logged in to Cyberoam even when “Autologin” and “Save Username and Password” options are disabled.

Bugs Solved

Anti Spam

Bug ID – 13461
Description – User does not receive Spam Digest Emails from Cyberoam as per the Quarantine Email Frequency configured from Anti Spam Digest Settings page.

CLI

Bug ID – 8755
Description – DHCP name value gets truncated after space or special characters, on configuring it from Cyberoam Console.

GUI

Bug ID – 12823
Description – CPU utilization is high in CR35XXXX and lower appliances, if the parameter “Update Mode” is selected as “Appliance will fetch updates from Central Management” and Connection protocol as “HTTPS” on the Central Management page of System Administration.

Bug ID – 12958
Description – The default country code selected at Guest Users General Settings page is not reflected on the Guest User Registration page, if there exists more than one country having same country code.

Bug ID – 13459
Description – IPSec VPN Tunnel Connection "Status" button for indicating partial connection is blue in color instead of yellow in iNG appliances.

IPS

Bug ID – 11754
Description – Categories cannot be edited while adding a new IPS Policy.

Network

Bug ID – 12440
Description – PPPoE interface does not receive an IP Address, if Cyberoam sends a connection request to the PPPoE server before the interface turns on.

Proxy

Bug ID – 11433
Description – Windows updates fail, if Cyberoam is configured as a direct proxy or HTTPS scanning is enabled from Firewall Rule.

Report           

Bug ID – 12647
Description – An error message “Internal server error” is displayed for Version 9 reports, on upgrading the Cyberoam Firmware to Version 10.04.1 Build 451.

SSL VPN

Bug ID – 112
Description – A warning message “Glob.mdb file not found. Localization will not be available.” is displayed on rebooting the Windows machine, though the SSL VPN Client is successfully installed on it.
 
Bug ID – 151
Description – SSL VPN tunnel gets disconnected after 60 minutes in Windows XP, 7 and 8 with SSL VPN Client Version 1.1.7.
 
Bug ID – 160
Description – SSL VPN Client cannot add more than 54 routes.
 
Bug ID – 13377
Description – SSL VPN Application Access Mode does not get initiated, on upgrading Java to Version 7 update 21.

User

Bug ID – 12898
Description – User accounting does not reset on clicking “Reset User Accounting” from Users Identity page, if multiple users log into Cyberoam using Web Portal, Corporate Client and iOS Web Client. 

Virtual CR

Bug ID – VCR-51
Description – At the time of shut down, HyperV halted. 

VPN

Bug ID – 10469
Description – Avaya phone fails to reconnect to VPN, when the phone restarts while the VPN connection is live.

Bug ID – 11066
Description – Multiple IPSec VPN tunnels could not be created for different local subnets having same remote network using different IPS links.

Bug ID – 13152
Description – Administrator does not receive an Email Alert when IPSec Tunnel connection flaps and fails to re-establish connection after detecting a dead peer, even if the parameter “Action When Peer Unreachable” is selected as “Re-initiate” on VPN Policy page. 

WAF

Bug ID – 11024
Description – A website opens partially, if the website’s HTML data includes incomplete end tags and WAF is enabled from the Firewall Rule.

Bug ID – 12162
Description – The website http://gozaresh.shaparak.com does not open, if WAF is enabled from Firewall Rule. 
 
 
1.2.2.2.6. V 10.04.2 Build 527
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the below given steps:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.


Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.

This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version release is compatible with the Cyberoam Central Console V 02.02.0 Build 051.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.


Revision History

 
 

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| - | - | - | - | - |

 

 

Introduction

This document contains the release notes for Cyberoam Version 10.04.2 Build 527. The following sections describe the release in detail.

This release comes with a few enhancements and a bug fix to improve quality, reliability and performance.
 
Enhancements
 
1. USB Support for Dial-In (CR15iNG & CR15wiNG models only)
From this version onwards, Cyberoam supports DB9 modem with USB port. Further, USB modem can also be connected directly to the USB port of the Appliance.

Cyberoam supports following ports across CR15XXX Appliances:

| Type of Port | Cyberoam Appliance | Behavior |
|---|---|---|
| Serial Port | CR15i, CR15wi | The appliance will reboot automatically on serial dial-in enable/disable. |
| USB Port | CR15iNG, CR15wiNG | The appliance will not reboot automatically on serial dial-in enable/disable. |

Both a DB9 modem and a USB modem can be physically connected to the USB ports simultaneously, but requests will be served only through the modem that Cyberoam detects first.
 
 
2. Power Management Support for Virtual Cyberoam

From this version onwards, graceful shut down is supported for VMware Workstation and ESX. One can shut down using options “Shut Down Guest” or “Restart Guest”.

Prior to this version, using these options from the VMware brought the system to an abrupt halt.
 
 
3. Static IP Address Assignment Support for L2TP and PPTP VPN Users

From this version onwards, static IP Addresses can be assigned to L2TP and PPTP users.

Prior to this version, IP Address was leased from the configured IP Address range.         

To configure Static IP Address for L2TP and PPTP users, go to Identity → Users → Users.
 
 
4. Lease IP Address Through RADIUS Server to L2TP And PPTP VPN Users

From this version onwards, apart from authenticating users, Radius Server can now also be used to lease IP Address to L2TP and PPTP users.

If the option “Allow leasing IP Address from Radius server” is enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.

Prior to this version, Radius Server was used only for authentication.

To allow Radius Server to lease IP Address to L2TP user, go to VPN → L2TP → Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is disabled.

To allow Radius Server to lease IP Address to PPTP user, go to VPN → PPTP → Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is disabled.

If no IP Addresses are configured on the Radius Server, the Static IP Address configured for the user will be assigned, else IP Address will be leased from configured IP Address Range.

 
5. Guest User Registration Enhancements

Configure default country code

From this version onwards, Cyberoam allows the Administrator to configure a default country code on the Guest User Registration page.

To configure default Country Code, go to Identity → Guest Users → General Settings and select “Default Country Code”.
 

Option to Disable CAPTCHA Verification For Guest User Registration

Cyberoam now allows the Administrator to Enable or Disable CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) verification on Guest User Registration page. By enabling CAPTCHA Verification the administrator can protect Cyberoam against attacks generated by automated programs.


By default, CAPTCHA Verification is enabled.

To disable CAPTCHA Verification on Guest User Registration page, go to Identity → Guest Users → General Settings and enable/disable “CAPTCHA Verification”.
 
 
6. Captive Portal Enhancements

From this version onwards, the tab-title on the Captive Portal login screen of HTTP/HTTPS Web Client User Portal is renamed as “Captive Portal”.

In previous versions, the tab-title was “Cyberoam”.
 
 
7. SMS Gateway Enhancement

Cyberoam now supports using both HTTP and HTTPS URL to send an SMS request to external SMS Gateway. The service provider defines the URL protocol.

Prior to this version, Cyberoam supported only HTTP URLs.

To configure URL for SMS Gateway, go to Identity → Guest Users → SMS Gateway.
 
 
8.  OpenVPN Connect Support for Apple iOS

From this version onwards, Cyberoam supports OpenVPN Connect application in iOS. Using this application the user can connect to Cyberoam using SSL VPN.

Bugs Solved

SSL VPN

Bug ID – 12429
Description – Active Directory User cannot log in through the SSL VPN Portal and SSL VPN Client, if the user has a domain name with i18n characters.
 
1.2.2.2.7. V 10.04.1 Build 451


Release Dates
Version 10.04.1 Build 451 – 7th March, 2013
Release Information
Release Type: Maintenance Release
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version:
 
V 10.01.0XXX or 10.01.X Build XXX: All the versions

V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX: 214, 304, 311, 338, 433

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.


Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
 
This release is compatible with Cyberoam Virtual Appliances.

This Cyberoam version release is not compatible with the Cyberoam Central Console. 

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 

Revision History

 

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| 1. | 1.04 -06/03/2013 | 1.05 -14/03/2013 | Compatibility Annotations | No Cyberoam Central Console Support for this Cyberoam Firmware. |
| 2. | 1.04 -06/03/2013 | 1.05 -14/03/2013 | Enhancement: Backup Restore Compatibility for Cyberoam Wi-Fi Appliances | Removed the mention of “wi” and “wiNG” series of appliances in Note. |

Introduction

This document contains the release notes for Cyberoam Version 10.04.1 Build 451. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Enhancements 
1. Backup Restore Compatibility for Cyberoam Wi-Fi Appliances

From this version onwards, the backup of CR (i or ia or iNG) series can be restored on CR (wi or wiNG) series, but vice-versa is not true.

Also, the backup of Cyberoam Virtual Appliance can be restored on CR wi series and CR wiNG series, but vice-versa is not true.

The facility to restore backup of CR i series on CR wi series is applicable from Version 10.01.0.667 and above.

To restore backup of physical appliance (i series, ia series, iNG series) to Virtual Appliance, equal or more number of ports must be created in Virtual Cyberoam Appliance.

For further information, refer to the Backup Restore Compatibility Matrix.
 
 

2. Time and Data Transfer Threshold based iOS User Logout

From this version onwards, Cyberoam supports data transfer and inactivity timeout thresholds to logout iOS Web Client user.

With this enhancement, once the user logs in to Cyberoam using Captive Portal, a periodic check for the total data transferred is done at every three (3) minutes of the configured time period. If the total data transferred in the given time period is equal or more than the configured data transfer value, the user continues to remain logged in and the timer is reset. However, if the total data transferred is less than the configured value, the user will be logged out.

Prior to this version, the user had to login every time from iOS device for accessing Internet, if the device was kept idle.

Example:

Inactivity Timeout = 13 minutes

Data Transferred Threshold = 2500 Bytes

In this case, the user is logged out if the data transferred is less than 2500 Bytes for 5 consecutive cycles of 3 minutes each. Here the number of consecutive cycles is derived:

Number of consecutive cycles = (Inactivity Timeout value / 3 minutes)

        = 13 minutes/3 minutes

        = 4.33

        ~ 5 (Ceiling Value)
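
The logout rule from the example above, modelled as an added sketch (not Cyberoam's code). It assumes each 3-minute check compares the bytes moved in that cycle against the threshold, which is one reading of the example; the class and function names are hypothetical.

```python
import math
from dataclasses import dataclass

# The release note states that a check runs every three minutes.
CHECK_INTERVAL_MIN = 3


def cycles_before_logout(inactivity_timeout_min: int) -> int:
    """Consecutive below-threshold cycles needed to log the user out.

    Mirrors the note's derivation: ceil(Inactivity Timeout / 3 minutes).
    """
    if inactivity_timeout_min <= 0:
        raise ValueError("inactivity timeout must be positive")
    return math.ceil(inactivity_timeout_min / CHECK_INTERVAL_MIN)


@dataclass
class IdleTracker:
    """Hypothetical model of one iOS Web Client session."""
    inactivity_timeout_min: int
    threshold_bytes: int
    low_cycles: int = 0
    logged_in: bool = True

    def check(self, bytes_in_cycle: int) -> bool:
        """Apply one periodic check; return True while the user stays logged in."""
        if not self.logged_in:
            return False
        if bytes_in_cycle >= self.threshold_bytes:
            # "Equal or more" than the threshold counts as activity: reset the timer.
            self.low_cycles = 0
        else:
            self.low_cycles += 1
            if self.low_cycles >= cycles_before_logout(self.inactivity_timeout_min):
                self.logged_in = False
        return self.logged_in


def minutes_until_logout(timeout_min, threshold_bytes, per_cycle_bytes):
    """Return the minute at which logout happens, or None if still logged in.

    per_cycle_bytes is a constructed sample: bytes transferred in each
    successive 3-minute cycle after login.
    """
    tracker = IdleTracker(timeout_min, threshold_bytes)
    for cycle, transferred in enumerate(per_cycle_bytes, start=1):
        if not tracker.check(transferred):
            return cycle * CHECK_INTERVAL_MIN
    return None


if __name__ == "__main__":
    # Values from the release note: 13-minute timeout, 2500-byte threshold.
    print(cycles_before_logout(13))
    print(minutes_until_logout(13, 2500, [0, 0, 0, 0, 0]))
    # A single cycle at the threshold resets the count (constructed sample).
    print(minutes_until_logout(13, 2500, [0, 0, 0, 0, 2500, 0, 0, 0, 0, 0]))
```

Under this model the 13-minute setting takes effect at minute 15, because the timeout is rounded up to whole 3-minute cycles, and any cycle that reaches the threshold restarts the count.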

Logout on Browser close and Keep Alive Request for Captive Portal is not supported with iOS device.  

Client type – “iOS Web Client”, is displayed on Web Admin Console of Cyberoam Live Users page. 

 

Known Behavior

A user cannot log out once authenticated with Cyberoam using Captive Portal, if the device uses the following iOS and MAC OS platforms:

iOS: 6, 6.0.1, 6.1 and onwards

MAC OS X: 10.7 Lion, 10.8 Mountain Lion

This behavior is due to the Apple OS feature “Captive Network Assistant”. The user will be logged out in case of following events:

·         Inactivity time-out

·         Administrator disconnects the User from Live User Page

To configure logout based on data transfer and inactivity on iOS device, go to Identity → Authentication → Firewall and specify “Inactivity Time” and “Data Transfer Threshold” in the section iOS Web Client Settings.
 
 

3. SMS Gateway Enhancements

From this version onwards, Cyberoam supports sending SMS requests to SMS Gateways that use one of the following HTTP methods:

· Get

· Post

By default, Cyberoam supports SMS Gateways with HTTP method “Post”.

The service provider defines the method to be used for sending SMS request.

Prior to this version, only HTTP Method “Post” was supported for sending SMS request to SMS Gateway.

To configure HTTP Method for SMS Gateway, go to Identity → Guest Users → SMS Gateway.


Also, from this version onwards, Administrator is allowed to configure the prefix value to be used with the cell number.

The Number Prefix precedes the Country Code and the cell number when the service provider requires both the Number Prefix and the Country Code.

Example:

| Number Prefix | Country Code | Cell Number | Cell Number Format |
|---|---|---|---|
| ✗ | ✗ | 99XXXXXXXX | 99XXXXXXXX |
| ✗ | ✓ (Country: India=91) | 99XXXXXXXX | 9199XXXXXXXX |
| ✓ (Number Prefix: +) | ✗ | 99XXXXXXXX | +99XXXXXXXX |
| ✓ (Number Prefix: +) | ✓ (Country: India) | 99XXXXXXXX | +9199XXXXXXXX |

Number Prefix can include alpha-numeric and ASCII special characters. It can be up to 4 characters long.

The service provider defines the prefix value to be used.

To configure Number Prefix for SMS Gateway, go to Identity → Guest Users → SMS Gateway.
 
 

4. Captive Portal Enhancements

From this version onwards, Administrator can use up to 6000 characters to configure the Captive Portal Login Page Header or Footer.

Prior to this version, upper threshold limit was 3000 characters.

To configure the Header or Footer of Captive Portal Login Page, go to System → Configuration → Captive Portal.

Further, from this version onwards, Cyberoam allows the Administrator to customize the availability of the “User My Account” link on Captive Portal page.

To customize “User My Account Link” on Captive Portal page, go to Identity → Authentication → Firewall and enable/disable “My Account Link”. By default, it is enabled.

Prior to this version, “My Account Link” was not configurable and the “User My Account” link was available on the Captive Portal page.
 
 

5. i18n Support for SSL VPN Client

From this version onwards, Cyberoam provides i18n support for SSL VPN Client.
 

Bugs Solved

Anti Spam

Bug ID – 11223
Description – Emails rejected by Cyberoam IP Reputation are not filtered with Action selected as “Reject” in Log Viewer Anti Spam, due to mismatch in the case of word “REJECT”.
 
Bug ID – 11414
Description – Emails scanned by Cyberoam are converted into unreadable text, on upgrading the Cyberoam Firmware from Version 10.02.0.224 to Version 10.04.0.304, if SMTP protocol is integrated with DKIM.
 

Anti Virus

Bug ID – 10940
Description – A file “eicar.com.txt” attached in an Email over SMTP protocol is not detected by Anti Virus module.
 

Backup-Restore

Bug ID – 11814
Description – Backup from CR15iNG and CR15wiNG cannot be restored on CR15i and CR15wi, if backup is configured with SSL VPN Bookmark.
 

NTLM

Bug ID – 9436
Description – User does not get authenticated via NTLM, if Active Directory is installed on VMware workstation.
 
Proxy
Bug ID – 3943
Description – YouTube videos integrated on any website cease to function, if the parameter “Enforce Safe Search” is enabled from Web Filter Settings page.

Bug ID – 7073
Description – The website http://www.treasury.gov/ofac/downloads/t11sdn.pdf  cannot be opened in direct proxy deployment mode.
 
Bug ID – 10867
Description – NTLM authentication fails and HTTP/S based Web Access often drops, if NTLM reinitializes due to flapping of Active Directory connection.
 

Reports

Bug ID – 10309
Description – Administrator receives a blank Email, if a parameter "Send email at" of Email Frequency is configured between 1am to 3am in On-Appliance iView.
 
Bug ID – 10931
Description – On-Appliance iView Report Notification ceases to function, if a Custom View report having a bookmark is configured for parameter "Report Group" from Add Report Notification page.
 
Bug ID – 10958
Description – Report Notification cannot be edited on migrating to Cyberoam Firmware Version 10.02.0.0473 or higher, if description was not provided while adding an On-Appliance iView Report Notification in the Firmware Version older than 10.01.0.0667.
 
Bug ID – 11262
Description – Administrator receives blank Report Notification Emails for Web Usage, Top Attack and Block Attempts, if multiple report notifications are configured with the same time from the Report Notification of System in On-Appliance iView.
 
Bug ID – 11360
Description – The Virus Report Notification Mail does not display logs for “Top Users-Web Virus Reports” on upgrading the Cyberoam Appliance Firmware to Version 10.02.0473 or above.
 

SSL VPN Client

Bug ID – 11698
Description – Resources cannot be accessed, if the username does not have proper case while logging into SSL VPN Client.
 

VPN

Bug ID – 11977
Description – Site to Site VPN ceases to function, on upgrading the Cyberoam Firmware from Version 10.02.0.473 to Version 10.04.0.311, if a Local Subnet is NATted with a single IP Host from IPSec VPN Connection page.
 

Web Filter

Bug ID – 3553
Description – An improper message is displayed on Web Admin Console while adding a domain if the keyword for it already exists.
 
 
1.2.2.2.8. V 10.04.0 Build 433


Release Dates
Version 10.04.0 Build 433 – 11th January, 2013 
Release Information
Release Type: Maintenance Release
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version:
 
  

V 10.01.0XXX or 10.01.X Build XXX: All the versions

V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX: 214, 304, 311, 338

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

  

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 

Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.

This Cyberoam version release is compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 

Revision History

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| 1. | 1.00 -10/01/2013 | 1.01 -25/01/2013 | Enhancements | Modes for SSL VPN Passphrase Reception |
 

Introduction

This document contains the release notes for Cyberoam Version 10.04.0 Build 433. The following sections describe the release in detail.

This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Enhancements
 

1. Modes for SSL VPN Passphrase Reception
From this version onwards, Cyberoam provides option to select a mode using which the Administrator receives SSL VPN Certificate Passphrase. The Administrator can select from one of the following modes to receive the SSL VPN Passphrase:
 
  1. Client Bundle
  2. On-screen Link
  3. Email

SSL VPN tunnel is established once the user is authenticated with SSL VPN Client and the Certificate is authenticated using the Passphrase.

If the SSL VPN Passphrase is chosen to be received via Email, it is mandatory to configure Email Address from Identity → Users → Users and SMTP Mail Server from System → Configuration → Notification in the section Mail Server Settings.

To configure the mode for receiving the Passphrase, go to System → Administration → Settings and select from the options available against parameter "Receive Passphrase via" of section SSL VPN Settings.

By default, the Administrator receives the Passphrase in the SSL VPN Client Bundle.

Prior to this version, passphrase for certificate authentication was delivered in SSL VPN client bundle.


1. Manage Cyberoam Appliance(s) behind any NATed Device Through CCC
From this version onwards, the administrator can configure and manage Cyberoam appliance(s) which are deployed behind any NATed device. This feature was not available in prior versions.
 
To manage configuration updates, go to System → Administration → Central Management
 

CCC Firmware Version Supported: 02.01.4 Build 072

 

2. Report Export Customization

With this version, Cyberoam iView allows the administrator to customize maximum limit of records to be exported to MS-Excel.

Prior to this version, the administrator was allowed to export a maximum of 1000 records at a time. Now this limit can be set as follows:

| Model Number | Maximum Records per Widget |
|---|---|
| CR 25ia/25wi, CR 25iNG/6P, CR 25wiNG/6P, CR 35ia/35wi, CR 35iNG/35wiNG, CR 50ia, CR 100ia | 10000 |
| CR 50iNG, CR 100iNG, CR 200i, CR 300i | 25000 |
| CR 500ia/RP/F/10F, CR 750ia/1F/10F, CR1000ia/10F, CR 1500ia/10F, CR 2500iNG | 50000 |

 


The administrator can also configure ‘Start Record’ number and ‘End Record’ number to be exported if all the records are not needed.

To enable Export Customization option, go to System → Configuration → Data Management and enable ‘Export to Excel Parameters Customization’.

By default this option is disabled and the record export limit is 1000 records, per report type. 

It is recommended to export the records during the time interval when the network traffic is minimal as this process will increase system resource utilization and it might adversely affect the appliance performance. 

Bugs Solved

Anti Spam

Bug ID – 11388
Description – Commtouch (CTCH) headers are displayed in the auto generated Emails, if SMTP or POP3 or IMAP scanning is enabled from the Firewall Rule.
 

DHCP Relay

Bug ID – 10645
Description – DHCP Relay service does not start when IPSec VPN is configured on dynamic interface and DHCP Relay is configured on it.
  

Firewall

Bug ID – 11328
Description – Virtual Host for VPN zone cannot be created on migration from Version 9 to Version X, if there exist customized zones before the migration, leading to a mismatch in zone type and zone ID.
 
Bug ID – 11564
Description – Virtual Host ceases to function on migrating Cyberoam appliance to 10.04.0.304, if it is configured on multiple WAN PPPoE interfaces to single mapped IP Address.
 

GUI

Bug ID – 9010
Description – Web Admin Console is accessible if user navigates to it using "Back" and "Forward" button in succession, even though option "Lock Admin Session" is selected.
 
Bug ID – 9494
Description – The parameter “QoS” on the Firewall Rule page displays “None”, on editing a Firewall Rule having QoS policy already applied to it.
 
Bug ID – 10443
Description – Test connection result for Guest User SMS Gateway displays the country code of Afghanistan, if it is tested without providing a country code.
 
Bug ID – 10499
Description – An error message “Web Server not exists to Add Exception” is displayed while configuring an exception from the WAF Alert page, if the Web Server name contains a special character “underscore ( _ )”.
 
Bug ID – 11145
Description – A keyword configured with space in Custom Web Filter Category of Web Filter prior to firmware version 10.04.0.214 cannot be deleted, if Cyberoam firmware is upgraded to firmware version 10.04.0.214.
 
Bug ID – 11533
Description – Background colors are not reflected on Captive Portal header and footer while viewing the preview of its configuration.
 
Bug ID – 11555
Description – The Category parameter “Action” does not get updated to “Allow Packet” on editing, if the “Recommended Action” against the signature is “Drop Packet” in the IPS Policy.
 
Bug ID – 11586
Description – The words “Anti Virus” and “Definition” are mis-spelled as “Antivurs” and “Defination” on the Log Viewer page of Logs & Reports.
 
Bug ID – 11602
Description – The Web Admin Console becomes inaccessible and an error message “Internal server Error” is displayed, if the backup file of CR25ia is restored on CR25iNG and both of the appliances have different themes configured.
 

High Availability

Bug ID – 11345
Description – IP Address based Virtual Host ceases to function when the WAN interface is configured as a monitoring port in Active-Active mode of HA and both the appliances are rebooted simultaneously.
 

Network

Bug ID – 11383
Description – 3G Gateway status is displayed as “Active” although the 3G modem is unplugged.
 
Bug ID – 11545
Description – DHCP Server does not lease IP Address to WLAN Clients, if the LAN and WLAN are in same subnet.
 

SSL VPN

Bug ID – 11486
Description – Application Access Mode fails to initiate, if the parameter “Select Client Certificate” is blank while configuring Tunnel Access from SSL VPN.
 

System

Bug ID – 11448
Description – Picture fails to appear during a video conference, if the number of channels exceeds the protocol h323’s default unidirectional channel limit of 4.
 

User

Bug ID – 10286
Description – Guest users do not get purged automatically on expiry of user validity though the option "auto purge" is enabled.
 
Bug ID – 11403
Description – An error message is displayed while testing the Authentication Server connection on the French language Web Admin Console, if the parameter “Display Name Attribute” is left blank while adding it.
 

VPN

Bug ID – 5438
Description – Branch office does not re-initiate the connection automatically once disconnected even when Action on VPN Restart is set to “Initiate”. One has to manually re-connect or set re-key margin as zero.
 
Bug ID – 9935
Description – Cyberoam does not allow opening the configuration management of L2 switch while deploying Cyberoam in Bridge Mode, if L2 switch is configured in LAN Network of the Head Office and is accessed via the Branch Office.
 
Bug ID – 11444
Description – VPN to Static link failover occurs 10 minutes after the tunnel goes down, if IPSec routes do not get flushed from Cyberoam on Dead Peer Detection (DPD).
 
Bug ID – 11557
Description – Connection list of IPSec-VPN traffic does not get flushed on disabling an IPSec-VPN connection from any peer end.
 
Bug ID – 11640
Description – Dead Gateway Detection (DGD) service ceases to function, if VPN Connection is configured with name as VPN and added in VPN Failover Group.
1.2.2.2.9. V 10.04.0 Build 214, 304, 311, 338


Release Dates
Version 10.04.0 Build 214 – 24th September, 2012
Version 10.04.0 Build 304 – 19th November, 2012
Version 10.04.0 Build 311 – 04th December, 2012
Version 10.04.0 Build 338 – 12th December, 2012
Release Information
Release Type: General Availability
 
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
 
Applicable to Cyberoam Version: 
 
   

V 10.01.0XXX or 10.01.X Build XXX: All the versions

V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473

V 10.04.0 Build XXX

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”. 

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

 
 

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.
 
This Cyberoam version release is compatible with the Cyberoam Central Console.
 
Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
        

| Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
|---|---|---|---|---|
| 1. | 1.00 -24/09/2012 | 1.00 -19/11/2012 | Enhancement | Added enhancement “Access Denied Page Optimization” |
| 2. | 1.00 -24/09/2012 | 1.00 -19/11/2012 | Bugs Solved | A bug (Bug ID – 11463) is added to Certificate. |
| 3. | 1.00 -19/11/2012 | 1.00 -04/12/2012 | - | Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG. |
| 4. | 1.00 -04/12/2012 | 1.00 -12/12/2012 | Features | Appliances not supporting Outbound Spam list now includes: CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i |

  
 
Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.
 
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.
 
Features

1. Compatibility with CISCO™ VPN Client

From this version onwards, Cyberoam is compatible with Cisco IPSEC VPN client.

This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam.

To support this feature, a new page “CISCO™ VPN Client” is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.
 
 
Compatibility
1. At present only the native Cisco IPSEC client, present in Apple iOS (iPhone and iPad) and Windows are supported. The details of the versions supported are as provided below:  

| Apple iOS | Windows: Windows OS | Windows: Cisco Desktop Client |
|---|---|---|
| 4.3 | Win XP- all service packs | V 4.1 and 4.8 |
| 5.0.1 | Win 7 | V 5.0 – Beta Version |
| 5.1.1 | Windows Vista | V 5.0 – Beta Version |

 Known Behavior

1. Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect.

2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving Cisco IPSec VPN Clients.

3. When any clients are already connected and the CISCO™ VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized.

CISCO VPN Client is available for download only to users that are authorized by the Administrator. 

IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN → Cisco™ VPN Client → CISCO™ VPN Client.


2. L2TP Over IPSec VPN Support for Android Devices
From this version onwards, Cyberoam supports Android devices as L2TP/IPSec Clients.

User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication. 

No special configuration is required in Cyberoam Web Admin Console or CLI.

Android Compatible Version: 2.1 Éclair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb

Enable “Add L2TP/IPSec PSK VPN” option of Android device to configure VPN tunnel.
 
This feature is backward compatible from version 10.01.0 Build 667 onwards.
 
 
3. Outbound Spam

From this version onwards, Cyberoam will provide Outbound Spam filtering to identify internal Spam. This feature will help Internet Service Providers (ISPs) to identify and block any user trying to send spam mails through their network.

Outbound Spam filtering is a subscription module.

Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.

This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.

To view logs, go to Logs & Reports → Logs Viewer and select option “Anti Spam” for parameter “View logs for”.
 
 
4. YouTube Education Filter

From this version onwards, Cyberoam will allow access to YouTube videos deemed as “educational” via a special portal “YouTube EDU” while being within a school network.

YouTube EDU consists of two sections, “YouTube.com/Teachers” and “YouTube for Schools”.

“YouTube.com/Teachers” shows teachers how to make optimum use of YouTube within the classroom. “YouTube for Schools”, on the other hand, is a network setting that redirects the video traffic, making it possible for schools that block YouTube to unblock and allow access to YouTube EDU (Youtube.com/education). The teachers and Administrators decide which videos are made available to the students, creating a safe and controlled environment for students.

To allow educational videos via Cyberoam, school authority is required to get the school registered for "YouTube for School". On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.

E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
1. Field Name: X-YouTube-Edu-Filter
2. Field Value Format: Alphanumeric [a-z][A-Z][0-9]
3. Field Value Length: up to 44 characters

To allow YouTube EDU via Cyberoam, go to Web Filter → Policy → Policy and specify the unique ID in the textbox against parameter “YouTube Education Filter”.

As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked:
1. youtube.com
2. ytimg.com
 
To access https://www.youtube.com, HTTPS scanning must be enabled.
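The following is an added example, not Cyberoam code: a pre-check an administrator could run before entering the unique ID in the policy. It validates the header against the field name and value format stated above and reports whether a URL block list would cover the two domains that must stay reachable. The function names and the sample block list are assumptions made for illustration.

```python
import re

HEADER_NAME = "X-YouTube-Edu-Filter"
# Value format as stated in the release notes: alphanumeric, up to 44 characters.
ID_PATTERN = re.compile(r"[A-Za-z0-9]{1,44}")
# Domains the release notes say must not be blocked.
REQUIRED_DOMAINS = ("youtube.com", "ytimg.com")


def parse_edu_header(line):
    """Return the unique ID from a 'Name:Value' header line or raise ValueError."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not a header line: missing ':'")
    # HTTP header field names are case-insensitive.
    if name.strip().lower() != HEADER_NAME.lower():
        raise ValueError("unexpected header name %r" % name.strip())
    value = value.strip()
    if not ID_PATTERN.fullmatch(value):
        raise ValueError("ID must be 1 to 44 alphanumeric characters")
    return value


def _normalize(entry):
    """Lower-case a block-list entry and drop wildcard/dot decoration."""
    return entry.strip().lower().lstrip("*.").rstrip(".")


def blocked_required_domains(blocklist):
    """Return the required domains that some block-list entry would cover.

    An entry covers a required domain when it is that domain, one of its
    subdomains (www.youtube.com) or one of its parents (com).
    """
    entries = [e for e in map(_normalize, blocklist) if e]
    hits = []
    for required in REQUIRED_DOMAINS:
        for entry in entries:
            if (entry == required
                    or entry.endswith("." + required)
                    or required.endswith("." + entry)):
                hits.append(required)
                break
    return hits


if __name__ == "__main__":
    # Header line taken from the release notes; the block list is constructed.
    print(parse_edu_header("X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ"))
    print(blocked_required_domains(["ads.example.net", "*.ytimg.com"]))
```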
 
 
 5. 4G LTE Modem 
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:
1. Connection to 3G/4G networks

2. DHCP Modems

3. Modem plug-in and plug-out auto detection

4. Auto Connect type of behavior if the same modem is re-plugged in
Further, Cyberoam provides recommended values (auto detected) for modem configuration.
To configure a 4G modem, go to Network → Wireless WAN → Settings.
 
CLI Commands
1. Command: cyberoam wwan query serialport <serialport> ATcommand <AT command>
To view the Wi-Fi modem information (if plugged in)
E.G. cyberoam wwan query serialport 0 ATcommand ati
 
2. Command: cyberoam wwan show
To view the Wi-Fi modem information and the recommended configuration (if plugged in)
 
 
Enhancements

1. DHCP Server Optimization 

Support for Diverse Topologies

Cyberoam now adds the capability of configuring DHCP for downstream networks that are connected to Cyberoam through relay, or through IPSec VPN. With this enhancement, Cyberoam will be able to assign IP Addresses to:

· Directly connected primary or alias networks

· Networks connected through relay

· Networks connected over IPSec VPN

Prior to this version, Cyberoam supported DHCP configuration for a primary network only.

Lease Report Enhancement

Cyberoam’s Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address.

To view these reports, go to Network → DHCP → Lease

CLI Commands

1. Command: cyberoam dhcp lease-over-IPSec enable
To enable IP Lease over IPSec for all the DHCP servers.
 
2. Command: cyberoam dhcp lease-over-IPSec disable
To disable IP Lease over IPSec for all the DHCP servers (Default Value).
 
3. Command: cyberoam dhcp lease-over-IPSec show
To display all the IP Lease over IPSec configuration.
  
2. Multicast over IPSec VPN tunnel
From this version onwards, Cyberoam will support secure transport of multicast traffic over an untrusted network using an IPSec/VPN connection.

With this enhancement, it is now possible to send and receive both unicast and multicast traffic between two or more VPN sites connected through the public Internet. This removes the dependency on multicast-aware routers between the sites connecting via IPSec/VPN.
Prior to this version, this was possible using GRE tunneling; however, the packets could not be encrypted.

Any unicast host that needs to access a multicast host must be configured as an explicit host (with netmask /32) in the VPN configuration.

Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both static and dynamic interfaces (PPPoE, DHCP).
To configure Multicast over IPSec/VPN connection, go to Network → Static Route → Multicast.
 
CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>  
To forward multicast traffic coming from a given interface to another interface.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>  
To forward multicast traffic coming from a given interface to GRE tunnel.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore 
 
3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from IPSec tunnel to an interface.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given IPSec tunnel to GRE tunnel.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore
 
7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number> 
To forward multicast traffic coming from a GRE tunnel to an interface.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
 
8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name> 
To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1
 
9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec 
To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
 
10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
To delete multicast route.
E.G. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.
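
The nine `mroute add` forms above are every combination of three input kinds and three output kinds. The following added example (not Cyberoam code) composes a command from those parts and checks the addresses before anything is typed on the console. The function names and the address pre-checks (IPv4 only, unicast source, destination inside 224.0.0.0/4) are assumptions of this sketch, not documented appliance behaviour.

```python
import ipaddress


def _check_name(name):
    """Port and tunnel names are single tokens on the command line."""
    if not name or any(c.isspace() for c in name):
        raise ValueError("a port/tunnel name without spaces is required")
    return name


def _input_part(kind, name):
    if kind == "interface":
        return "input-interface " + _check_name(name)
    if kind == "gre":
        return "input-tunnel gre name " + _check_name(name)
    if kind == "ipsec":
        # On the input side the IPSec connection is always named.
        return "input-tunnel ipsec name " + _check_name(name)
    raise ValueError("unknown input kind %r" % kind)


def _output_part(kind, name):
    if kind == "interface":
        return "output-interface " + _check_name(name)
    if kind == "gre":
        return "output-tunnel gre name " + _check_name(name)
    if kind == "ipsec":
        # On the output side no name is given: the appliance selects the
        # tunnel from the Local Network / Remote Network configuration.
        if name:
            raise ValueError("output-tunnel ipsec takes no connection name")
        return "output-tunnel ipsec"
    raise ValueError("unknown output kind %r" % kind)


def _check_addresses(source_ip, dest_ip):
    """Pre-check added by this example: unicast source, multicast group."""
    src = ipaddress.IPv4Address(source_ip)  # raises ValueError if malformed
    dst = ipaddress.IPv4Address(dest_ip)
    if src.is_multicast or src.is_unspecified:
        raise ValueError("source-ip must be a unicast host address")
    if not dst.is_multicast:
        raise ValueError("dest-ip must be a multicast group (224.0.0.0/4)")
    return str(src), str(dst)


def build_mroute_add(in_kind, in_name, source_ip, dest_ip, out_kind, out_name=None):
    """Return the 'mroute add' command line for the given route."""
    src, dst = _check_addresses(source_ip, dest_ip)
    return "mroute add %s source-ip %s dest-ip %s %s" % (
        _input_part(in_kind, in_name), src, dst, _output_part(out_kind, out_name))


def build_mroute_del(source_ip, dest_ip):
    """Return the 'mroute del' command line for the given route."""
    src, dst = _check_addresses(source_ip, dest_ip)
    return "mroute del source-ip %s dest-ip %s" % (src, dst)


if __name__ == "__main__":
    # Names and addresses are the ones used in the examples above.
    print(build_mroute_add("interface", "PortA", "192.168.1.2", "239.0.0.55", "ipsec"))
    print(build_mroute_add("gre", "Elitecore", "192.168.1.2", "239.0.0.55", "gre", "Terminal1"))
```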


 

3. E-mail Alert for IPSec Tunnel Connection Flapping

From this version onwards, if the IPSec VPN tunnel connectivity is lost, Cyberoam will notify the Administrator via an E-mail alert, specifying the reason for the connection loss. E-mail alert will be sent on the configured E-mail Address.

Upon configuring E-mail alerts via the available single central configurable option, it will automatically be applicable on all the IPSec tunnels.

An E-mail will be sent only for Host to Host and Site to Site tunnel connections, and only if the connection flaps due to one of the following reasons:

1.      A peer is found to be dead during Dead Peer Detection (DPD) phase.

2.      Failed to re-establish connection after Dead Peer Detection (DPD)

3.      IPSec Security Association (SA) is expired and is required to be re-established.

4.      IPSec Tunnel comes up without administrator intervention after losing the connectivity 

E-mail sent to the administrator shall contain following basic information:

1.     IPSec Connection name

2.     IP Addresses of both participating hosts/network

3.     Current state of the IPSec Tunnel connection, viz., Up or Down

4.     Exact Time when the IPSec Tunnel connection was lost

5.     Reason for loss of IPSec Tunnel connection

6.     Appliance Model Number

7.     Firmware version and build number

8.     Appliance Key (if registered)

9.     Appliance LAN IP Address

10. HA configuration – Primary/Auxiliary (if configured)   

An E-mail will be sent for each subnet pair in case of Site to Site connections, having multiple local/remote networks.

An E-mail sent with respect to IPSec Tunnel coming up shall not have any reason mentioned within.

Description of IPSec Tunnel connection shall be included in the E-mail, only if information for same is provided by the administrator.

To enable E-mail alerts for IPSec tunnels, go to System → Configuration → Notification → E-mail Notification and check option “IPSec Tunnel UP/Down”.
 
 
4. Enhancement in AD Integration

From this version onwards, Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers at a push of Purge AD Users button. Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a user’s entry is not found in any of the external server(s), it is purged from Cyberoam too.

The purge operation will not interrupt user login/logout and accounting events.

If the server connectivity is lost while the purge activity is in progress, the activity will be aborted.

If a user entry is purged, it will be deleted from both, Primary and Auxiliary Cyberoam Appliance.
 
To purge the users, go to Identity → Users → Users and click “Purge Users” button.

Further, when a User logs in to Cyberoam and the E-mail Address of that User is configured on the external Active Directory server/LDAP server, the User’s E-mail Address within Cyberoam is synchronized with the E-mail Address on the external Active Directory server/LDAP server. Every time a user logs in, the corresponding E-mail ID will be updated. If the E-mail ID is null on the External Active Directory Server/LDAP, there will be no updates.
  
 5. Multicast Route Failover

From this version onwards, Cyberoam supports Link Failover for Multicast Traffic using IPSec/VPN connection or GRE Tunnel.

If a user has multicast routes configured on a port, a Link Failover can be configured for that port using an IPSec/VPN or GRE configuration. If the port then goes down, all multicast routes configured on it will automatically fail over to the given IPSec/VPN connection or GRE Tunnel.

Prior to this version, link failover was supported only for static unicast routes.  

CLI Commands

1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2
 
2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100
 
3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given GRE Tunnel.
E.G. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100
 
4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2
 
5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100
 
6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever primary link fails, traffic will be tunneled through given IPSec/VPN connection.
E.G. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100
 
7. Command: cyberoam link_failover del primarylink <Port name>
To delete link failover configuration.
E.G. cyberoam link_failover del primarylink PortC
 
8. Command: cyberoam link_failover show
To see all the link failover configurations.

6. Support of SSL-VPN for MAC-OS Tunnelblick

From this version, SSL VPN will be functional with Tunnelblick, a free, open source graphical user interface for OpenVPN on Mac OS X.

The user can download the SSL VPN Client Configuration - MAC Tunnelblick from Cyberoam SSL VPN User Portal.
 
 

7. Version 9 Catch-up Feature – Search Engine Cache Control

From this version onwards, Cyberoam will be able to categorize actual URL contents that are accessed via cache option available in search engines Google, Yahoo, Bing based on the existing Web Filter Policy.
 
  

8. Version 9 Catch-up Feature – Internet Watch Foundation Support

From this version onwards, Cyberoam’s General Internet Policy supports, by default, filtering of URLs based on Internet Watch Foundation (IWF) categorization.

The filtering logs are displayed in the Log Viewer and iView Reports.

The Internet Watch Foundation provides the list of accurate and current URLs to minimize the availability of potentially criminal Internet content as mentioned below:

1.     Child sexual abuse content hosted anywhere in the world.

2.     Criminally obscene adult content hosted in the UK.

3.     Non-photographic child sexual abuse images hosted in the UK.
 
 
 

9. Captive Portal Enhancements

From this version onwards, Cyberoam Captive Portal is esthetically optimized.

Further it supports the following functionalities:

  1.     Hyperlinked logo

  2.     Obtaining username and password for unauthenticated users (Only when Guest Users functionality is enabled).

To configure them, go to System → Configuration → Captive Portal.

Also, the Administrator can choose either to redirect unauthorized users to the Captive Portal or to display a customized message. To customize the Captive Portal response, go to Identity → Authentication → Firewall.
 
 

10. URL Import List

From this version onwards, while adding or updating a Web Category, Cyberoam allows importing a file (.txt or .csv) containing all the configured URLs/Keywords from the white list domain of an existing web categorization solution, instead of copying and pasting them into Cyberoam.
 
To add a white listed URL file, go to Web Filter → Category → Category and click Add button.

 
11. Optimization in Virtual Host Configuration
From this version onwards, while a virtual host is created and port forwarding is enabled, Cyberoam allows configuring a Port list. The ports within the list can be comma separated. It can be mapped against a Port List or a Port. Further a Port Range can now also be mapped against a single port. This creates one to one mapping or many to one mapping between the external port and the mapped port.

Example: 
 
| Port Forwarding Type (External Port Type to Mapped Port Type) | External Ports | Mapped Ports |
|---|---|---|
| Port List to Port List | 22, 24, 26, 28, 30 | 42, 44, 46, 48, 50 |
| Port List to a Port | 22, 24, 26, 28, 30 | 20 |
| Port Range to a Port | 21 - 26 | 28 |


In case of Port List to Port List mapping, the number of ports must be the same for both External Ports and Mapped Ports. A request received on the first external port will be redirected to the first mapped port, a request on the second external port will be redirected to the second mapped port, and so on. From the example above, for Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.

For a single virtual host, a maximum of 16 ports can be configured in a Port List.

All the ports within a Port List support single protocol viz., either a TCP or a UDP protocol as per the configuration. A combination of both of these protocols within a Port List is not allowed.

Prior to this version, only Single Port to Single Port and Port Range to Port Range Type for port forwarding were allowed.
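
The mapping rules above can be checked before a virtual host is saved. This added example (not Cyberoam code) expands an External Ports / Mapped Ports pair into the per-port forwarding table and enforces the stated limits. The function names are illustrative, and rejecting duplicate external ports and requiring equal sizes for Port Range to Port Range are assumptions of this sketch.

```python
MAX_PORTS_IN_LIST = 16  # per virtual host, as stated in the release notes


def parse_ports(spec):
    """Parse '22, 24, 26' (list), '21 - 26' (range) or '20' (port).

    Returns (kind, ports) where kind is 'list', 'range' or 'port'.
    """
    spec = spec.strip()
    if "," in spec:
        kind, ports = "list", [int(p) for p in spec.split(",")]
    elif "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        if low > high:
            raise ValueError("range start is above range end")
        kind, ports = "range", list(range(low, high + 1))
    else:
        kind, ports = "port", [int(spec)]
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError("port %d is outside 1-65535" % port)
    if kind == "list" and len(ports) > MAX_PORTS_IN_LIST:
        raise ValueError("a Port List holds at most %d ports" % MAX_PORTS_IN_LIST)
    return kind, ports


def build_mapping(external, mapped):
    """Return {external_port: mapped_port} for one virtual host."""
    ext_kind, ext_ports = parse_ports(external)
    map_kind, map_ports = parse_ports(mapped)
    # Assumption of this example: a repeated external port is ambiguous.
    if len(set(ext_ports)) != len(ext_ports):
        raise ValueError("duplicate external port")
    if map_kind == "port":
        # Port to Port, Port List to a Port, Port Range to a Port:
        # every external port lands on the same mapped port (many to one).
        return {port: map_ports[0] for port in ext_ports}
    if ext_kind == map_kind and ext_kind in ("list", "range"):
        # One-to-one by position; the counts must match. For ranges the
        # equal-size requirement is an assumption of this example.
        if len(ext_ports) != len(map_ports):
            raise ValueError("External Ports and Mapped Ports differ in count")
        return dict(zip(ext_ports, map_ports))
    raise ValueError("unsupported type: %s to %s" % (ext_kind, map_kind))


if __name__ == "__main__":
    # The three rows of the example table above.
    for ext, mp in [("22, 24, 26, 28, 30", "42, 44, 46, 48, 50"),
                    ("22, 24, 26, 28, 30", "20"),
                    ("21 - 26", "28")]:
        print(ext, "->", mp, ":", build_mapping(ext, mp))
```

Printing the expanded table makes many-to-one rules visible: every external port listed is an exposed port on the virtual host, even when all of them land on one internal service.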

Also, from this version onwards, for Firewall, when any virtual host is created without port forwarding, one can select multiple services instead of a single service.

Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled.

To configure multiple ports separated by comma, go to Firewall → Virtual Host → Virtual Host.
 
 
12. Optimized IPSec Failover Configuration
From this version onwards, Cyberoam IPSec connection configuration for failover can be done while configuring the IPSec connection itself.  This optimization will facilitate configuring failover connection with minimum inputs for commonly used failover conditions. Also the previously available method of configuration remains intact.
 
Failover connection configuration can be done only for “Connection Type” Site – to – Site and Host – to – Host types of IPSec connections.
 
Maximum of four (4) failover connections can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration.
 
To configure an IPSec failover connection for Site – to – Site and Host – to – Host type of IPSec connections, go to VPN → IPSec → Connection. Click add icon under “Endpoints Details”, only after which IPSec failover connection can be configured.
 
 
13. Access Denied Page Optimization

From this version onwards, to optimize the loading time of Access Denied Page, the maximum size for the image allowed is as follows:

1.     Top Image – 125 x 70 pixels (.jpg, .jpeg)       

2.     Bottom Image – 70 x 60 pixels (.jpg, .jpeg)

If the Appliance is running on an older version, and if the image size is greater than the above specified dimensions, it is mandatory to reduce the size of images for appropriate display.

To upload an image, go to Web Filter → Settings → Settings.
 

14. DNS Status Check support in Diagnostic Tool 
From this version onwards, Cyberoam will provide an option to view the list of all the available DNS servers configured in Cyberoam. It also provides information about the time taken to connect to each DNS server. Based on the least response time, one can prioritize the DNS servers.
 
To view the list of DNS servers available for an IP Address/host name, go to System → Diagnostics → Tools → Name Lookup, provide the IP Address/Host Name, select option “Lookup Using All Configured Server” from the dropdown box and click “Name Lookup”.
 
 
15. Certificate with FQDN/IP Address as a Common Name

From this version onwards, Cyberoam will allow using FQDN or IP Address as a common name while generating a Self Signed Certificate.

Prior to this version, the certificate name was used as the common name.

To configure common name for a certificate, go to System → Certificate → Certificate and click Add to generate a certificate.
 
 

16. User Defined Certificate

From this version onwards, Cyberoam supports generation of Self-Signed Certificates with Identification Attribute details to meet the needs of compliance criteria.

To generate a Self-Signed Certificate, go to System → Certificate → Certificate.
 
 

17. Quick Access to On-Appliance Reports

From this version onwards, Cyberoam supports quick access to On-Appliance Reports from login page of the Appliance.

To access the On-Appliance Reports directly, select “Reports” for parameter “Log on to” on Appliance login page at the time of authentication.
 
18. iView Enhancement – Dual Dashboard Support
 From this version onwards, Cyberoam iView main dashboard has been bifurcated into two.
 
1. Traffic Dashboard
Traffic dashboard is a collection of widgets displaying information regarding total network traffic.

This dashboard gives complete visibility of network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.
 
Traffic dashboard consists of following widgets:
• Top Applications – List of top applications along with percentage wise data transfer

• Top Categories – List of top accessed web categories with number of hits and amount of data transfer

• Top Users – List of top users along with percentage wise data transfer

• Top Hosts – List of top hosts along with percentage wise data transfer

• Top Source Countries – List of top source countries along with percentage wise data transfer

• Top Destination Countries – List of top destination countries along with percentage wise data transfer

• Top Rule ID – List of top firewall rules along with percentage wise data transfer

• Top Domains – List of top domains along with percentage wise data transfer

• Top File Upload – List of top uploaded files along with date, user, source IP, domain name , file name and file size

• Top Files Uploaded via FTP – List of top uploaded files via FTP along with percentage wise amount of data transfer

• Top Files Downloaded via FTP– List of top downloaded files via FTP along with percentage wise amount of data transfer

• Top FTP Servers – List of top FTP servers

• Mail Traffic Summary – Email traffic with type of traffic and amount of data transfer

• Top Mail Senders – List of top email senders along with percentage wise data transfer

• Top Mail Recipients – List of top email recipients along with percentage wise data transfer

2. Security Dashboard
Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malwares and spam along with source and destination countries.
 
Security dashboard consists of following widgets:
• Top Denied Hosts – List of top denied hosts along with number of hits

• Top Denied Users – List of top denied users along with number of hits

• Top Denied Applications – List of top denied applications along with number of hits

• Top Denied Destination Countries – List of top denied destination countries along with number of hits

• Top Denied Source Countries – List of top denied source countries along with number of hits

• Top Denied Rule ID – List of top denied firewall rules along with number of hits
 
• Top Denied Categories – List of top denied web categories along with number of hits

• Top Denied Domains – List of top denied domains along with number of hits

• Top Attacks –  List of top attacks launched at network

• Top Viruses –  List of top viruses blocked by Cyberoam

• Top Spam Senders –  List of top spam senders

• Top Spam Recipients –  List of top spam recipients

All these widgets can be drilled down for next level reports.

 

19. iView Enhancement – Better Visibility and Presentation
From this version onwards, Cyberoam iView has introduced a few enhancements to increase visibility and improve presentation of the reports.
1. Chart Preferences
Now the administrator can select the type of charts to show reports. The administrator can choose between Bar charts and Pie-Doughnut charts.

To choose the chart type and palette, go to System → Configuration → Chart Preferences.

2. Records per Page Control
Now the user has option to set number of records to be displayed for report groups also. Previously this control was available for individual reports only.
3. Inline Charts
If the number of records to be displayed is more than 10, then Cyberoam iView shows them in the form of inline charts i.e. a bar diagram for number of bytes and percentage respectively will be displayed in the same column.
4. Animated Charts
With this version, Cyberoam iView has introduced animated bar charts and pie charts to improve user experience and data presentation.
5. Report Group Dashboard
With this version, all the report group dashboards show collection of reports available under the selected report group. 
 
 
20. iView Enhancement - Top Users Widget
From this version onwards, a new widget ‘Top Users’ has been added under risk reports. This widget displays the list of users who posed a risk to the organization network. This report can further be drilled down to view the list of applications, hosts, source countries, destination countries and firewall rules associated with the selected user and risk level.
To view reports, go to Reports → Applications → Top Risks → Risk.
 
 
21. iView Enhancement - Report Filter
From this version onwards, Cyberoam iView provides option to filter dashboard reports. When the user selects any record from dashboard report widgets, the selection is displayed on the next level of reports i.e. on the resultant reports page. The user can apply multiple filters one by one to get appropriate report.
All the filters are displayed on the top of the resultant report in the form of rowed text box(es) with the option to remove filter.

 
22. iView Enhancement - Country Map
From this version onwards, Cyberoam iView introduces a new report – Country Map under Application report menu. This report gives geographical overview of network traffic along with amount of data transfer and risk.

To view reports, go to Reports → Applications → Country Map.

 

Known Behaviour

1. SSL VPN support with passcode

From this version onwards, Cyberoam supports key encryption with password in certificates. If certificates are being generated with encryption enabled then user will be prompted to provide a password in the form of a passcode.

If the parameter “Per User Certificate” is configured then new certificates will get generated with key encryption and password.

2. Gateway specific routing for Reflexive Rule

To allow the traffic to route through a specific gateway with a reflexive rule selected while configuring a virtual host, parameter “Route Through Gateway” in Firewall Rule must have Source NAT selected as a Routing Policy.


 
Bugs Solved

Anti Spam
Bug ID – 6533
Description – Irrespective of the date range selected, the spam mails of last seven days are displayed.


Bug ID – 9597
Description – Mails of size greater than 3Mb do not get released from Anti Spam Quarantine Area if the send mail client does not release them within the configured time.

Bug ID – 9599
Description – An error message “Data Error” is displayed for a log on Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes (“”) or a backslash (“\”).

Bug ID – 9989
Description – Quarantine mails having a space in subject line do not get released.
 
Anti Virus
Bug ID – 8029

Description – Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.
 
 
Certificate
Bug ID – 5300
Description – Cyberoam allows uploading a certificate with a different password or private key than that of the original password or private key of Generated Certificate Signing Request (CSR).
 
Bug ID – 8054
Description – Certificate Signing Request (CSR) generated from version 10 Cyberoam Appliance cannot be uploaded at third party Certificate Authority (CA) end.

Bug ID – 8191
Description – Certificate having encrypted private key cannot be uploaded from Web Admin Console.

Bug ID – 10001
Description – Value of parameter “Valid From” does not change on regenerating a new Cyberoam_SSL_CA certificate from Certificate page of the System.

Bug ID – 10045
Description – A certificate error message “secure connection failed” is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser.
 
 
Bug ID – 11463
Description – Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0.build  304, if the Appliance Time Zone is earlier than GMT and Firmware Upgrade Time is between (00:00:00 – X) and 00:00:00. X here represents the difference between the Appliance Time Zone and the GMT.
  

CLI
Bug ID – 10122
Description – Default routing precedence does not get displayed on Cyberoam console when command "cyberoam route_precedence show" is executed.
 
DHCP Server
Bug ID – 10245
Description – An error message is displayed when a host name of parameter “IP MAC Mapping List” contains a space while configuring a static DHCP.
 
Firewall
Bug ID – 9658
Description – A false error message “user.err kernel: outdev_target: ERRORRRRR skb-> rtable is already initialized <192.168.141.255>...” is displayed in System - Log Viewer.
 
Bug ID – 10870
Description – A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host.
 
GUI
Bug ID – 9810
Description – A Web Filter policy does not function in a non-English version of Cyberoam on configuring a URL Group within the Web Filter Policy.

Bug ID – 9985
Description – In captive portal settings and CTAS settings, the parameter “User Inactivity Timeout” does not accept a number beyond 99 on Web Admin Console from Authentication page of Identity.

Bug ID – 10109
Description – Heart Beat port in System, configured to sync with CCC, does not change if the Heart Beat Protocol is HTTP for Central Management.

Bug ID – 10165
Description – Dashboard and System Graph continue to remain in processing due to an internal error for Cyberoam Version 10.02.0 Build 227.

Bug ID – 10307
Description – VPN – IPSec connection list takes a long time while loading, if the number of IPSec connections is more than 2000.
 
HA
Bug ID – 10573
Description – IPS service stops functioning in the HA deployment when two Appliances configured with different versions of IPS are enabled in HA.
 
Identity
Bug ID – 9756
Description – Special characters “_” and “.” are not allowed to be used consecutively while adding an Email Address on the User page for Identity.
 
IM
Bug ID – 9866
Description – IM Policy is not displayed in Log Viewer with Yahoo! Messenger (Version 11.5.0.228-in).
 
Intrusion Prevention System (IPS)
Bug ID – 9327
Description – Search option is available only while editing IPS Policy.
  
Log Viewer
Bug ID – 9880
Description – No records are displayed when the language selected for Web Admin Console is French in Cyberoam and multiple filters are used while viewing logs of “Application Filter” in Log Viewer.
 
Network Interface
Bug ID – 8002
Description – STC 3G modem is not compatible with Cyberoam Appliance.
 
 
Bug ID – 8457
Description – ZTE MF688a 3G modem is not compatible with Cyberoam Appliance.

Bug ID – 10921
Description – Modem Sierra 320U is not supported by Cyberoam Appliance.
 
Bug ID – 10939
Description – Modem IG Huawei E177 is not supported by Cyberoam Appliance.
  
Proxy
Bug ID – 9115
Description – Proxy services do not function if an HTTP Upload Web Category is added in HTTPS scanning exceptions.

Bug ID – 9848
Description – An error is received while accessing hotmail.com, http://google.com.au when HTTPS scanning is enabled in Firewall Rule.

Bug ID – 10046
Description – Web Proxy service does not restart when Administrator restarts it from Maintenance page of System.

Bug ID – 10135
Description – Some of the components with the YouTube website do not get displayed with HTTPS scanning applied.

Bug ID – 10244
Description – Browsing becomes slow when external proxy is implemented in the network while Cyberoam is deployed in Bridge mode.
  
 
Bug ID – 10936
Description – In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.
 
Reports
Bug ID – 7818
Description – The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical.

Bug ID – 9993
Description – All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if “Search Type” is “IP Address” and “Report Type” as “Detail”.

Bug ID – 10427
Description – Only current day’s report details are displayed in the Application Reports of On-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.
 
 
System
Bug ID – 9927
Description – Error messages are displayed on executing command “tcpdump ‘port80’filedump” on Cyberoam Console.
 
SSL VPN
Bug ID – 6523
Description – Once the User certificates are updated manually, they do not get updated automatically.

Bug ID – 10171
Description – SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if RDP bookmark has a “/” at the end (e.g. rdp://10.102.1.152).

Bug ID – 11198
Description – SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having a forward slash ('/') as last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.
 
User
Bug ID – 6141
Description – When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully.

Bug ID – 9920
Description – Cyberoam supports only SMS Gateways that use the POST method.
 
VPN
Bug ID – 9812
Description – An error message “We cannot identify ourselves with either end of this connection” is received when VPN connection with VLAN over WAN is configured with PPPoE link and VLAN ID is more than 2 digits.

Bug ID – 10191
Description – VPN service does not restart when head office and branch office are using default head office and default branch office policy respectively and an intermediate device between them is switched off.
 
 
Bug ID – 11202
Description – Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from VPN Policy page and the Appliance is rebooted.
 
Web Filter
Bug ID – 9840
Description – “Denied Message” is updated to default message, if an existing Web Filter Category configured with a customized message is edited without opening its “Advance Settings”.

Bug ID – 10092
Description – Webcat does not get upgraded to latest version while performing manual sync after auto Webcat upgrade has failed.
 
Wireless WAN
Bug ID – 5315
Description – 3G Modem LW272 is not compatible with Cyberoam Appliance.
 
1.2.2.3. Release Notes 10.02.X Build XXX
1.2.2.3.1. V 10.02.0 Build 473

 

Release Dates

Version 10.02.0 Build 473 – 08th August, 2012

Release Information

Release Type: General Availability

Applicable to:

Version 10.01.0XXX or 10.01.X Build XXX: All the versions

Version 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409

 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Logon to https://customer.cyberoam.com

· Click “Upgrade” link under Upgrade URL.

· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 by selecting option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow the on-screen instructions.



Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
 
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
- | - | - | - | -
 
 

Introduction

This document contains the release notes for Cyberoam Version 10.02.0 Build 473. The following sections describe the release in detail.

This release comes with new features, a few enhancements and several bug fixes to improve quality, reliability, and performance.
 

Features

1.   Enhanced Inbound Server Load Balancing and Failover Detection

Cyberoam now supports Virtual Host Load Balancing for distributing the incoming traffic to more than one internal server. For this, the following new methods are introduced:

·         Round Robin

·         Random

·         First Alive

Prior to this version, Cyberoam by default used Sticky IP Load Balancing method for virtual host load balancing.

Further, Cyberoam now also supports Failover Detection. This keeps a check on servers and sends a notification to the user whenever a server goes down or comes up. This ensures that received requests are forwarded for Load Balancing only to servers that are up and running. For Failover Detection, Cyberoam uses two methods:

·         ICMP Method

·         TCP Method

To configure this feature, go to Firewall → Virtual Hosts.
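The following added example (not Cyberoam's code) models how failover detection narrows the three load balancing methods to servers that are up. The class and function names are hypothetical, and the reading of “First Alive” as “first server in configured order that is up” is an assumption.

```python
import random
import socket


def tcp_probe(host, port, timeout=1.0):
    """TCP-method check: the server counts as up if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class VirtualHostPool:
    """Internal servers behind one virtual host (hypothetical model)."""

    METHODS = ("round_robin", "random", "first_alive")

    def __init__(self, servers, method, probe=tcp_probe, rng=None):
        if method not in self.METHODS:
            raise ValueError(f"unknown method: {method}")
        self.servers = list(servers)        # configured order matters
        self.method = method
        self.probe = probe                  # callable(host, port) -> bool
        self.rng = rng or random.Random()
        self.alive = {s: True for s in self.servers}  # assumed up until probed
        self.notifications = []             # (server, "up" | "down") events
        self._cursor = 0

    def run_health_checks(self):
        """Probe every server and record a notification on each state change."""
        for server in self.servers:
            now_alive = bool(self.probe(*server))
            if now_alive != self.alive[server]:
                self.notifications.append(
                    (server, "up" if now_alive else "down"))
            self.alive[server] = now_alive

    def pick(self):
        """Choose a server for the next request; None if every server is down."""
        candidates = [s for s in self.servers if self.alive[s]]
        if not candidates:
            return None
        if self.method == "first_alive":
            return candidates[0]
        if self.method == "random":
            return self.rng.choice(candidates)
        # Round robin: walk the configured order, skipping servers marked down.
        while True:
            server = self.servers[self._cursor % len(self.servers)]
            self._cursor += 1
            if self.alive[server]:
                return server


if __name__ == "__main__":
    # Constructed sample data: three internal web servers, health is simulated.
    servers = [("10.0.0.11", 80), ("10.0.0.12", 80), ("10.0.0.13", 80)]
    health = {s: True for s in servers}
    pool = VirtualHostPool(servers, "round_robin",
                           probe=lambda h, p: health[(h, p)])
    health[servers[1]] = False              # second server goes down
    pool.run_health_checks()
    print([pool.pick() for _ in range(4)], pool.notifications)
```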

 

2.   LCD panel support for System Configuration and Auto Scrolling

Cyberoam information can now be viewed and modified from the Appliance’s LCD panel. The LCD panel displays menus/submenus. The following Cyberoam menus/submenus can be viewed and modified.

Sr. No. | Menu | Submenu
1. | System | Date, Uptime, CPU (usage), Memory (Usage), LoadAvg, Disk (Usage), Live Users
2. | Network | Show Gateway
3. | Firmware | Show Firmware, Factory RST, Halt/Reboot
4. | HA | -


The keys used to navigate through this menu/submenu and their respective functionality are described in the table below:

Sr. No. | Key | Functionality
1. | Up Arrow | Navigates and displays the previous item on the menu. If Up Key is pressed while being on the first item of the menu, the same item will be displayed on LCD.
2. | Down Arrow | Navigates and displays the next item on the menu. If Down Key is pressed while being on the last item of the menu, the same item will be displayed on LCD.
3. | Enter | To enter in the sub-menu of the item or to display the content of the item.
4. | ESC | To go back to the previous menu. If ESC key is pressed while being on main menu, Cyberoam banner will be displayed.

Cyberoam also supports auto scrolling on the LCD panel. Auto scrolling is initialized if no input is received on the LCD panel for 30 seconds. During auto scrolling, Cyberoam information will be displayed on the LCD panel. Information gets scrolled every 5 seconds. On ESC key input, auto scrolling will stop and the Cyberoam banner will be displayed on the LCD panel screen.

Note

· This feature is available on CR1500i, CR1500ia, CR1500ia-10F, CR1000i, CR1000ia, CR1000ia-10F, CR750i, CR750ia-1F, CR750ia-10F, CR500i, CR500ia-1F, CR500ia-10F, CR500ia-RP Cyberoam Appliances.

·         Auto scrolling, by default is in Off mode.

·         On factory reset, auto scrolling is disabled.

·         Auto scrolling on/off decision is taken during backup and restore process.
 

CLI Commands

1.     Command: show lcd auto-scroll

 To view the current configuration of Cyberoam Appliance.

2.     Command: set lcd auto-scroll On/Off

 To turn On or turn Off the auto scrolling.


Enhancements

1.   CTAS: More Resilient Transparent Authentication

 

From this version onwards, CTAS Fault Tolerance capability is optimized by:

·         Providing a high availability of collectors and agents.

·         Minimizing authentication delay due to AD Server failure.

·      Automatic recovery mode support, thus when CTAS service crashes or fails, it will restart automatically.

Modus operandi

The CTAS Agent can be:

·         Installed on every domain controller.

·         Configured to support a group of collectors. One of these collectors acts as the primary collector, while the remaining shall be backup collectors. A maximum of 5 collectors can be added to a group.

·        If the primary collector goes down, one of the backup collectors shall become primary collector.
 

Note

·         Unlike earlier versions, the list of collectors will now be available if CTAS Agent and CTAS Collector are on the same machine.

·         It is now possible to add multiple collectors if only CTAS Agent is available on the machine. Previously, in the absence of CTAS Collector, only one machine could be configured.

·         While using NETAPI mode, if CTAS HA mode is enabled, IP Address of primary collector and port number on which the backup collector listens to the primary collector must be configured.

·         A Group Number along with IP Address and Port number is required to add a Collector.
 

CLI Command

1.      Command: cyberoam auth cta collector add collector-ip  <ip-address>  collector-port  <port>  create-new-collector-group

To add a collector in new group.

2.      Command: cyberoam auth cta collector add collector-ip  <ip-address> collector-port  <port>  collector-group  <group-number>

To add a collector in an existing collector group.

Prior to this enhancement, to support multiple domain controllers, CTAS Agent was installed on every domain controller and a single collector on any one of the domain controllers.

 

2.   WAF Reports

From this version onwards, Cyberoam iView provides reports for WAF module of Cyberoam UTM.
 
WAF reports provide a snapshot of attacks on protected Web servers. The administrator can view the list of attacks and attack sources per Web server, which can be drilled down to view details like user agent, HTTP method, HTTP request, query string etc.
 
WAF reports also give a snapshot of the protected Web servers with the maximum amount of data transfer. Data transfer reports can be drilled down to view domain wise data transfer per server.

To view these reports, go to Reports → WAF.
 
 

3.   Application Reports

From this version onwards, Cyberoam iView provides following new reports under Application reports:

a.  Top Application Categories

Top Application Categories reports provide snapshot of various application categories accessed by users and amount of Internet traffic generated by them. Administrator can view application category reports for various applications, users and hosts.

To view these reports, go to Reports → Applications → Top Application Categories.
 

b.  Top Risk wise Applications

Top Risk wise Applications reports provide snapshot of various applications and associated risk. These reports help administrator to monitor applications with higher risk and then take corrective actions to protect corporate network from any posed threats.

To view these reports, go to Reports → Applications → Top Risk wise Applications.
 

 c.  Top Technology wise Application

Top Technology wise Applications reports provide snapshot of various applications based on following technologies:

·         Browser Based

·         Client Server

·         Mobile

·         Network Protocol

·         P2P

To view these reports, go to Reports → Applications → Top Technology wise Applications.
 

d.  Top Source Countries

With this release Cyberoam iView facilitates the administrator to view statistics of top countries which are generating highest amount of Internet traffic through various applications and application categories. These reports help administrator to fine tune country based firewall rules.

To view these reports, go to Reports → Applications → Top Source Countries.
 

e.  Top Destination Countries

With this release Cyberoam iView facilitates the administrator to view statistics of top countries which are receiving highest amount of Internet traffic through various applications, application categories, hosts and users. These reports help administrator to fine tune country based firewall rules.

To view these reports, go to Reports → Applications → Top Destination Countries.

All these reports help administrator to observe Internet behavior of organization users and take regulatory actions.
 
 

4.   Risk Meter

From this version, all application report pages display ‘Risk Meter’ on the top most right corner of the page. This Risk Meter shows overall risk posed on network through various applications and application categories.

Risk is calculated in terms of number, which ranges from 0 to 5, where higher number shows higher risk.

From this version, Cyberoam iView also provides information regarding risk associated with an individual application.
 
 

5.   DNS support for internally hosted Websites

From this version, Cyberoam Appliance allows adding DNS mapping for Domain / Host with IP Address. Adding static entries for Domain / Host enables resolving internally hosted sites using Cyberoam rather than relying on a DNS Server.

With this feature, Cyberoam Appliance can be utilized to resolve an organization’s internal sites and services on LAN and eliminate DNS dependency.

To resolve a client DNS query, Cyberoam first looks up the static entries; if the name is not found there, it checks the cache, then contacts the configured DNS servers, and finally contacts the root servers.

Note

· Cyberoam will only provide following services:

a. Resolve  IPv4 domain Addresses

b.  Provide reverse resolution for IP Address

· Maximum number of DNS entries allowed is 1024.

· The CLI option “set http_proxy host_entries” is no longer available. Instead, a host can now be added using DNS Host Entry available on Web Admin Console. Existing configured DNS host entries will be migrated to static DNS Host Entries and will be available on the Web Admin Console.

DNS servers can be configured from Network → DNS → DNS Host Entry.
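The lookup order and limits described above (static entries, then cache, then configured DNS servers, then root servers; IPv4 only; reverse resolution; 1024 entries) can be modelled as follows. This is an added example, not Cyberoam's implementation: all class names are hypothetical, upstream servers are stand-in callables, and counting one entry per host name is an assumption.

```python
import ipaddress

MAX_STATIC_ENTRIES = 1024   # limit stated in the release notes


def _norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()


class StaticHostTable:
    """Static DNS Host Entries: IPv4 forward records plus reverse lookup."""

    def __init__(self):
        self._by_name = {}

    def add(self, name, address):
        ip = ipaddress.ip_address(address)
        if ip.version != 4:
            raise ValueError("only IPv4 addresses are resolved")
        key = _norm(name)
        if key not in self._by_name and len(self._by_name) >= MAX_STATIC_ENTRIES:
            raise OverflowError("static DNS entry limit reached")
        self._by_name[key] = str(ip)

    def forward(self, name):
        return self._by_name.get(_norm(name))

    def reverse(self, address):
        target = str(ipaddress.ip_address(address))
        return sorted(n for n, a in self._by_name.items() if a == target)


class Resolver:
    """Answers a query from the first source in the documented order."""

    def __init__(self, static, dns_servers, root):
        self.static = static
        self.cache = {}
        self.dns_servers = dns_servers   # callables: name -> address or None
        self.root = root                 # callable: name -> address or None

    def resolve(self, name):
        key = _norm(name)
        answer = self.static.forward(key)
        if answer:                       # 1. static entry wins, no upstream query
            return answer, "static"
        if key in self.cache:            # 2. previously learned answer
            return self.cache[key], "cache"
        for server in self.dns_servers:  # 3. configured DNS servers, in order
            answer = server(key)
            if answer:
                self.cache[key] = answer
                return answer, "dns-server"
        answer = self.root(key)          # 4. last resort: root servers
        if answer:
            self.cache[key] = answer
            return answer, "root"
        return None, "not-found"


if __name__ == "__main__":
    # Constructed sample data: one internal site and one simulated upstream.
    table = StaticHostTable()
    table.add("intranet.example.local", "10.10.1.5")
    upstream = {"intranet.example.local": "203.0.113.9",
                "www.example.org": "198.51.100.7"}
    resolver = Resolver(table, [upstream.get], root=lambda name: None)
    for query in ("intranet.example.local", "www.example.org", "www.example.org"):
        print(query, resolver.resolve(query))
    print(table.reverse("10.10.1.5"))
```

Because the static table is consulted first, an internal name keeps resolving to its configured address even when an upstream server returns a different answer for it.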

 

6.   Language support of Cyberoam entities (i18n)

From this version onwards, Cyberoam Web Admin Console supports languages viz., English, Hindi, Chinese – Simplified, Chinese – Traditional as an input.

For this, users must have a keyboard that supports the language.

Note

·    i18n is not supported for CLI, VPN module, DHCP Server, SSLVPN Tunnel client.
 
  

7.   Rename Objects

From this version onwards, Cyberoam allows renaming objects for following modules:

·   Firewall Rule
 
·    All Objects (Host, Custom Service, Schedule, File Type)

·    Virtual Host


 
8.   Multiple selections of Objects of Firewall Rule

From this version onwards a single Firewall Rule can be shared by multiple host / service / user by multiple selections available within objects like user, source host, destination host, service parameter.

With this optimization, the Firewall Rule can be applied directly to multiple users without creating a group for them.

Prior to this version, only single selection per object within the Firewall Rule was possible.

Note

·   The maximum limit on the selection within each object shall be 1024.

·   Multiple objects can be selected only if they belong to same type.

  E.g. It is not allowed to select one IP Host and one Host Group, User and User Group, Service and Service Group.

·   Navigation from one type to another will result in losing the configurations of the first type.

  E.g. If two hosts from “IP Address” type are selected and then one navigates to select a MAC host from “MAC Host” type, then previously selected hosts within “IP Address” type will be unchecked  automatically.

To add/edit single rule for multiple selections within an object, go to Firewall → Rule → Rule.
 
 

9.   Interface independent L2TP/PPTP

From this version onwards,  L2TP/PPTP, through which road warriors can access internal resource behind Cyberoam, are now interface independent.

Prior to this version, as L2TP/PPTP VPN service was interface dependent, configuring it became a hurdle for Mix Mode deployment that uses 3 physical interfaces, of which two are part of bridge pair and one is configured in the WAN zone.

 

10.   Enhancements in Application Filter

From this version onwards details like Risk, Characteristics, Technology and Description can be viewed for each application.

To view the Application List, go to Application Filter → Application List.

Further, Applications can now be searched by Category, Risk, Characteristics and Technology by selecting the options available rather than manually providing a string for search.

To search the Application, go to Application Filter → Application List.

Also, the Application Filter Policy Rules page is revamped from this version. It now has three (3) sections under it:

·         Application Filter Criteria

The applications can be sorted and viewed on the basis of the parameters Risk, Characteristics, Technology and Description.

·         List of Application

Based on the criteria selected, a list of applications matching the criteria is displayed. By default, all the categories and applications are displayed. User can select to display all the applications or select an individual application on which the action is to be taken. As the user scrolls through the applications, the application record count is dynamically updated in “List of Application” bar.

·         Action

Action to be taken on the application selected on schedule time can be configured. The default action is “Allow” and, the Schedule is “All the Time”.

To view Application Filter Policy Rules, go to Application Filter → Policy, select manage icon against the application and then click Add button.

Note: The content on “Add Application Filter Policy Rules” pop-up window gets misaligned on resizing the browser window. To restore it, close the pop-up window by pressing the ESC key and reopen it.

 

11.   Run-time Edit of Schedule-based QoS

From this version onwards the user can edit the schedule in a predefined QoS policy during run-time. This will ensure that the QoS can be granularly modified to meet the users’ bandwidth needs.

To edit the Schedule-based QoS, go to QoS → Policy, select manage against the policy and within “Add Schedule wise QoS Policy Details to override default QoS Policy Details” click add.
 

12.   DNS support for PPPoE

From this version onwards Cyberoam will provide DNS support for PPPoE. With this enhancement, Cyberoam can be configured to use either Static DNS or DHCP’s DNS or PPPoE’s DNS. This option is available if any interface is configured as PPPoE.

To obtain DNS from PPPoE, go to Network → Interface → DNS.
 
 

13.   NTLM – Multiple Domains in a Single Forest

From this version onwards Cyberoam’s NTLM based Single Sign-On (SSO) authentication functionality now supports:

·   Multiple domains in a single forest

·   Failover among multiple AD Controllers
 
Behavior Change

1.   Risk Level Updation
From this version onwards, application “Yahoo Update” risk level is modified from Level 3: High to Level 2: Low. 
 
2.   Multicast Routing
From this version onwards, Cyberoam will forward multicast traffic only after manually enabling Multicast Traffic forwarding.

To enable it, go to Network → Static Route → Multicast and check option "Enable Multicast Forwarding".
 
Prior to this version,  Multicast Traffic Forwarding was enabled by default.


Bugs Solved

Access Server

Bug ID – 8468
Description – Users authenticated via CTAS do not get logged off even after disabling CTAS from CLI (console>cyberoam auth cta disable).
 
Bug ID – 9433
Description – Incorrect value of data transfer usage for current session is displayed if user is allowed to login from multiple nodes.
 

Anti Spam

Bug ID – 8693
Description – The last entry gets replaced by the new entry, if more than 400 Email Address or Domain are added in Address Group of Anti Spam.
 
 
Bug ID – 9623
Description – High CPU utilization is observed on releasing a mail of "(2046 * n) + 5,  n >= 1" bytes size from Quarantine Area of Anti Spam.
E.g.: (2046 * 1) + 5 = 2051 bytes, if n = 1,
        (2046 * 2) + 5 = 4097 bytes, if n = 2 and so on.

 

DHCP Server 

Bug ID – 7577
Description – DHCP server takes approximately 60+sec to lease new IP Address, if the received request is from a network other than the configured network.
 
Bug ID – 8821
Description – An error message “default lease time cannot be greater than max lease time” is displayed on Web Admin Console even though value of parameter “Default Lease Time” is less than parameter “Max Lease Time”.
 

Dynamic Routing

Bug ID – 9321
Description – BGP neighbor relationship could not be formed in Cyberoam when service provider authentication type is set to MD5 BGP.
 

Firewall

Bug ID – 8446
Description – The reply traffic gets load balanced and does not flow through the requested route when Cyberoam is in Mix Mode having multiple gateways configured with one or more bridge and load balancing is enabled and the request passes through one of the bridge interfaces.
 

GUI

Bug ID – 5867
Description – Since application "Meebo Website" is categorized at two places, File Transfer and IM, whichever category is added first will be successful. However, trying to add the same application from the other category results in an error message.
 
Bug ID – 8470
Description – The Cyberoam Administrator cannot bind Trusted MAC to IP Addresses having first digit of the fourth octet match with the existing IP-MAC bind entry.
E.g. If IP-MAC Binding configuration contains the entry like AA:BB:CC:DD:EE:FF Static 10.102.1.1, then entries like AA:BB:CC:DD:EE:CC Static 10.102.1.1 or AA:BB:CC:DD:EE:CC Static 10.102.1.11 or similar shall not be allowed to bind.

Bug ID – 8772
Description – “Change Recipient” is incorrectly spelled as “Chnange Receipient” in Action Filter for Anti Spam Log on Log Viewer page.
 
Bug ID – 8809
Description – Filter in the “Message” column of Log Viewer page does not function for “Admin” event logs.

Bug ID – 8909
Description – A filter applied to sort the data on Application Filter page gets removed on navigating to another Tab or refreshing the page.
 
Bug ID – 9960
Description – Web Admin Console for a Firewall Rule page displays that Certificate Based Categorization of a Web Filter policy is configurable although by default, it is enabled and is not available for updating from GUI or CLI.  
 

Identity

Bug ID – 8972
Description – An error message is displayed on Web Admin Console while adding an IP Address for selected node in parameter login restriction, if the group name contains special characters like “&”, “#”.
 

IM

Bug ID – 8042
Description – IM Proxy does not support yahoo messenger version 11.5.0.152 and therefore yahoo messenger login and logout events are not displayed in log viewer.
 

LAN Bypass

Bug ID – 9698
Description – Hardware bypass does not function in Cyberoam Appliance 1000ia.
 

Log Viewer

Bug ID – 8781
Description – The parameter "Username" does not match with the Identity User list while viewing logs of Firewall if multiple groups are deleted.
 

Multicast Route

Bug ID – 9402
Description – Multicast packet flow between two or more interfaces of Cyberoam gets disrupted, if DHCP enabled WAN interface fails to receive IP Address from DHCP server.
 

Network Interface

Bug ID – 9434
Description – Special character “@” is not allowed within the username while configuring PPPoE VLAN interface.
 

Packet Capture

Bug ID – 9186
Description – Administrator needs to refresh the “Packet Capture” page to display BPF string in capture filter after configuring it.
 

Proxy

Bug ID – 8263
Description – Images on website http://charity.othaimmarkets.com/charity/CommonInfo/Index.aspx are not displayed when "Allow All" Web Filter Policy is configured. 
 

Report

Bug ID – 8968
Description – Logs of MSN chats are not available in On-Appliance i-View reports even though they are displayed in Log Viewer page.
 
Bug ID – 8429
Description – No data is displayed on Web Admin Console, when "View all" is clicked on "Custom View Reports" on iView.
 

Scheduled Backup

Bug ID – 6976
Description – Cyberoam mail backup fails if the response to the "ehlo" request is sent in multiple parts by the mail server.
 

SSLVPN 

Bug ID – 6668
Description – SSL VPN application access mode does not work with Windows 7 (German Version).
 
Bug ID – 9170
Description – User cannot log in to SSLVPN Web Portal if the username contains an uppercase letter.
 

System

Bug ID – 9871
Description – Gateway is marked dead if the failure response to failover condition is received for the first ping/TCP request.
 

Traffic Discovery

Bug ID – 8613
Description – Only 20 records can be viewed on Traffic Discovery Page even though there exist more than 20 records.
 

User 

Bug ID – 4786
Description – DCOM error event is logged in System Event log when remote system does not respond to WMI query.
 
Bug ID – 8586
Description – An Administrator with customized administrator profile cannot create another administrator user but he can delete the existing users with similar profile.
 
Bug ID – 9309
Description – Incorrect value for total data transfer is displayed in “My Account” if total data transferred by a user is more than 2GB.
 
Bug ID – 9443
Description – Tight integration is not supported for L2TP/PPTP VPN user when external authentication is configured.
 

Virtual Host

Bug ID – 8748
Description – "Any" service is displayed, if a firewall rule of virtual host is edited and multiple services are configured for parameter "service".
 

VPN Failover

Bug ID – 9603
Description – Failover groups with their respective connections are not displayed on Web Admin Console of IPSec VPN Connection page, if multiple VPN failover groups are configured (VPN → IPSec → Add Failover Group).
 
Bug ID – 10123
Description – If remote gateway is configured with FQDN within IPSec VPN Failover Groups then Dead Gateway Detection mechanism stops functioning.
 

Web Filter

Bug ID – 7152
Description – Cyberoam is unable to block following Websites

Web Application Firewall

Bug ID – 8736
Description – If Certificate Signing Request (CSR) is configured as web server certificate then WAF ceases to function.
 
Bug ID – 9417
Description – Port 443 cannot be configured for SSL Offloading in WAF (WAF → Web Server → Add → Private IP → configure HTTP Public Port: 443).
 
Bug ID – 9529
Description – All the requests to access a website are not allowed on the WAF subscription expiry.
 
Bug ID – 9826
Description – Details within the alert messages are not displayed for a LAN to LAN Firewall Rule, if option “WAF”  is enabled.

 



1.2.2.3.2. V 10.02.0 Build 206, 224, 227

 

Release Dates

Version 10.02.0 Build 206 – 26th April, 2012

Version 10.02.0 Build 224 – 07th June, 2012
 
Version 10.02.0 Build 227 – 30th June, 2012

Release Information

Release Type: General Availability

Note - Web Application Firewall (WAF) is in Beta.

Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license

Applicable to: V 10.01.0472 or V 10.01.0474 or V 10.01.0620 or V 10.01.0665 or V 10.01.0667 or V 10.01.0 Build 674 or V 10.01.0 Build 678 or V 10.01.0 Build 739 or V 10.01.1 Build 023 or V 10.01.1 Build 027 or V 10.01.2 Build 010 or V 10.01.2 Build 059 or 10.01.2 build 064 or V 10.01.2 Build 065 or V 10.01.2 Build 124 or V 10.01.2 Build 133 or V 10.01.2 Build 158 or V 10.02.0 Build 047 or V 10.02.0 Build 174 or V 10.02.0 Build 176 or V 10.02.0 Build 192 or V 10.02.0 Build 206
 
 

Upgrade procedure

To upgrade the existing Cyberoam Appliance follow the procedure below:

· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
 

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 by selecting option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.

For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow the on-screen instructions.

 

Compatibility Annotations

Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100i with firmware for model CR500i.

Release Version Number | Applicable To Cyberoam Appliance Model
Version 10.02.0 Build 224 | All except CR15i and CR15wi
Version 10.02.0 Build 227 | Only to CR15i and CR15wi

This Cyberoam version release is not compatible with the Cyberoam Central Console.

Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.
 
Revision History
 
 

Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1 | 1.02-11/06/2012 | 2.00-30/06/2012 | Release Dates | A new Version 10.02.0 Build 227 is added.
2 | 1.02-11/06/2012 | 2.00-30/06/2012 | Compatibility Annotations | Version 10.02.0 Build 224 and Version 10.02.0 Build 227 are Cyberoam Appliance model specific.





Introduction

This document contains the release notes for Cyberoam Version 10.02.0 Build 206, Version 10.02.0 Build 224 and Version 10.02.0 Build 227. The following sections describe the release in detail.

This release comes with new features, a few enhancements and several bug fixes to improve quality, reliability, and performance.

Features

1.   Mix Mode

From this version onwards, Cyberoam Appliance can be deployed in Mix Mode. 

Prior to Mix Mode, Cyberoam Appliance could be deployed in two modes, viz. Bridge Mode (Transparent Mode) and Gateway Mode (Route Mode). Compared to Gateway Mode, Bridge Mode did not support the following features:

· Network Address Translation (NAT)
· DMZ or Any custom Zone
· Multiple WAN links (Including WWAN) and Load Balancing
· VPN Gateway
· DHCP server or Relay

Now in Mix Mode, Cyberoam supports:

· Both bridge and route modes can be configured on a single Cyberoam appliance simultaneously. The bridged networks can access the Internet and other network traffic through the routed interfaces.
· Multiple bridge pairs can be configured on a single appliance (Maximum number of bridge pairs = N/2, where N is number of physical ports).
· A bridge network can access subnets which are behind other bridge interfaces.
· Network Address Translation (NAT)
· DMZ or Any custom Zone (Within a Bridge Pair)
· Multiple WAN links (Including WWAN) and Load Balancing
· VPN Gateway
· DHCP server or Relay

This mode of deployment is an ideal solution for an organization whose network already has an existing firewall or router acting as a Gateway, and which does not want to replace the firewall but still wishes to take advantage of UTM security using Cyberoam deep-packet inspection, Intrusion Prevention Services, Gateway Anti Virus, and Gateway Anti spam.

Bridge Pair can be configured from Network → Interface.
 

2.   FQDN Host and Host Groups

Cyberoam now supports a Fully Qualified Domain Name (FQDN) based Host and Host Groups. Prior to this, IP Addresses were required for Host creation. With this feature,

· User is not required to remember the IP Address.
· FQDN hosts can also resolve to multiple IP Addresses.
· Cyberoam optimizes security by including policies created in Firewall Rules based on FQDN hosts.

FQDN hosts do not support multiple domains resolving to a single IP address.

To configure this feature, go to Objects → Hosts.
 

3.   Guest Users

From this version, Cyberoam supports HTTP protocol based SMS services. Cyberoam allows creating a guest user and sending Internet access credentials by SMS. The guest user can log in and access the Internet without a pre-existing user account. By configuring profiles for different SMS gateways and creating a default group for guest users, group-based policies can be created that apply to the guest users.

The default length of the text SMS will be 160 characters.

This feature is specifically useful in Hotspots, Airports, Hotels, Hostels and corporate offices for Guest users.

To configure Guest User, go to Identity → Guest Users. For further details, refer to How to customize the Default SMS sent to Guest Users?
 

4.    Differentiated Services Code Point (DSCP)

From this version, Cyberoam supports Differentiated Services Code Point (DSCP).

The Differentiated Services (Diffserv) standard is a method for providing precedence to specific traffic types to manage traffic. The precedence or service level of an application can be modified by creating policies to mark the traffic in a particular class with a specific diffserv code point (DSCP) value. Depending upon the DSCP marking in the IP Packet header, the DSCP enabled network devices will apply differentiated grades of service to packets.

To configure DSCP, go to Firewall → Rule → Add → Advance Settings → QoS & Routing Policy → DSCP Marking.
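
What DSCP marking changes on the wire, as an added example (not Cyberoam code): the DSCP is the upper six bits of the second IPv4 header byte, so a marking device rewrites those bits, leaves the two ECN bits alone, and recomputes the header checksum. The addresses and header values below are constructed.

```python
import socket
import struct


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, ds_field: int) -> bytes:
    """Build a 20-byte IPv4 header (constructed sample values) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ds_field, 40, 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def read_ds(packet: bytes) -> tuple:
    """Return (dscp, ecn): DSCP is the upper 6 bits of byte 1, ECN the lower 2."""
    return packet[1] >> 2, packet[1] & 0x03


def header_valid(packet: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, and recompute the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"  # zero the checksum field before summing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


# Constructed sample: DSCP 0 (best effort) with ECN bits 01, documentation addresses.
ORIGINAL = build_header("192.0.2.10", "198.51.100.20", ds_field=0x01)
EF = 46  # Expedited Forwarding code point (RFC 3246)

if __name__ == "__main__":
    marked = mark_dscp(ORIGINAL, EF)
    print("before:", read_ds(ORIGINAL), "valid:", header_valid(ORIGINAL))
    print("after: ", read_ds(marked), "valid:", header_valid(marked))
    # Changing the DS byte without fixing the checksum leaves an invalid
    # header, which is why marking has to update both fields.
    stale = ORIGINAL[:1] + bytes([EF << 2]) + ORIGINAL[2:]
    print("stale: ", read_ds(stale), "valid:", header_valid(stale))
```
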


5.   Captive Portal URL Redirection

From this version, Cyberoam supports Captive Portal URL Redirection.

A Captive Portal is used to authenticate an existing user in Cyberoam through a web browser interface before granting the Internet access.

Compatibility

Compatible browsers: Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Safari browser.

Note:

The user will not be logged out on closing the browser window in case of Opera and Safari browsers, even if the option “Logout user on browser close” is enabled.

To get the login window, open the browser and enter the intended URL. Cyberoam will first open the Captive Portal page, prompting the user to enter valid credentials for authentication.

If the provided username and password are correct,

Case 1: Pop-up is blocked

User will be logged in successfully and an information bar will appear. User is required to open a new window to access the intended site.

Note:

The notification related to blocked pop-ups will not be displayed in Opera browser.

Case 2: Pop-up is allowed

The intended site opens in the same window and the successful login status pops up in a new window.

Also, the administrator can customize URL redirection. After authentication, this feature provides the following options:

· Redirecting to originally requested URL.
· Redirecting to customized configured URL.
· Minimizing of Captive Portal popup after login.
 
The table below describes the response of different browsers in various conditions:
 

Condition | IE | Firefox | Chrome | Opera
Unsuccessful Login | 1. Client login page with login status is displayed in the same window. | 1. Client login page with login status is displayed in the same window. | 1. Client login page with login status is displayed in the same window. | 1. Client login page with login status is displayed in the same window.
Successful Login and Pop-up blocked | 1. A message "You have to ensure that pop-ups are not blocked" is displayed. 2. Login page with login status opens in the same window. | 1. A message "You have to ensure that pop-ups are not blocked" is displayed. 2. Login page with login status opens in the same window. | 1. A message "You have to ensure that pop-ups are not blocked" is displayed. 2. Login page with login status opens in the same window. | 1. Login page with login status opens in the same window.
Successful Login and Pop-up allowed | 1. *Login page with login status opens in a pop-up window. 2. Intended URL opens in same window. | 1. Login page with login status opens in a pop-up window. 2. Intended URL opens in same window. | 1. Login page with login status opens in a pop-up window. 2. Intended URL opens in same window. | 1. Login page with login status opens in a pop-up window. 2. Intended URL opens in same window.
Successful Login and Captive Portal Pop-up minimized | 1. Captive portal page will be minimized. | 1. **Captive portal page will be minimized. | 1. Captive portal page will ALWAYS be displayed on top. | 1. Captive portal page will be minimized.

* - For IE9 a link to the intended URL will be provided on Captive Portal page after successful login.

** - For Firefox 4+, to minimize captive portal popup, go to Tools → Option → Content → Enable JavaScript (Advance) and enable Raise or lower window.

To configure customized URL, go to Identity → Authentication → Firewall.
 
6.   Hit Count in Mail Summary Reports

From this version onwards, the Mail Summary Reports will provide information regarding number of hits for each application.

Previously, Mail Summary Reports provided information on data transfer in bytes.
 

7.   Country Based Traffic Control

From this version onwards, Cyberoam will support Country Based Host using which traffic from/to a particular country can be blocked/allowed using the firewall and UTM policies. Multiple countries can be selected using country based host group support.

CLI Commands

1.     Command: show country-host list

Lists all the countries for which the policies are configured.

2.     Command: show country-host ip2country ipaddress <IP Address>

Verifies whether the IP Address belongs to a particular country.

E.g.: show country-host ip2country ipaddress 203.55.34.194

To configure Country based traffic control, go to Objects → Host → Country Host. For further details, refer to How To - Create a Country-based Firewall Rule.
 
8.   WAF – Web Application Firewall

From this version onwards, Cyberoam will support Web Application Firewall using feature WAF – Web Application Firewall. This feature protects Web Server(s) deployed in a network and related applications from any underlying vulnerability exploit.

It is an add-on module requiring a separate subscription.

WAF protects applications accessed via HTTP and HTTPS at the Layer 7 - Application Layer. Besides Layer 7 based attacks, the Web Server is safeguarded against cookie tampering, forceful browsing and hidden field tampering. The WAF also mitigates "user-induced" vulnerability in configured applications or in custom-developed code that leaves Web applications open to attacks, such as cross-site scripting, directory traversal and forced URL browsing.

WAF feature protects the Web Server rather than fixing the underlying vulnerability.

The feature WAF is not available on CR15i, CR15wi, CR25i, CR25ia, CR25wi, CR35ia, CR35wi and CR50i Cyberoam Appliances.
 

9.   NT LAN Manager (NTLM) Authentication Support

Cyberoam has extended its Single Sign-On (SSO) authentication functionality by including support of NT LAN Manager (NTLM).

NTLM is a Microsoft suite of security protocols that offers authentication, integrity and confidentiality.

This will lead to:

1. Reduced dependency on any additional software installations throughout the network including every/any domain controllers and work stations across multiple branch offices.
2. Accurate user session logging
3. Quick and easy deployment where existing NTLM supported proxy solutions are being replaced by Cyberoam.
4. Support for multiple authentication mechanisms.
5. Minimal network changes and operational costs.

Basic Requirement

1.     Operating System: Client – XP and onwards

  Server – 2003 and onwards

2.     Browser: IE 7 onwards and Firefox 4.0 onwards.

The following features are not supported by NTLM:

1.     Caching
2.     Load balancing and failover between multiple AD controllers
3.     NTLM authentication support for Thin Client (Citrix Servers)
4.     Multiple domains
5.     Multiple domain controllers for single domain

To configure NTLM, go to System → Administration → Appliance Access. For further details, refer to

1.     How to configure NTLM in Cyberoam?

2.     How To - Configure NTLM Support in Web Browsers?

3.     How do I enable NTLM in Windows 2003 Server?


Enhancements

1.   GUI Enhancements

From this version onwards, the following are the enhancements done to optimize Web Admin Console:

1. As part of the GUI optimization process, the loading time has been reduced by approximately 70%.
2. In case of any modification of the Cyberoam Appliance Firmware (upgrade/roll back), a message indicating the ongoing process is displayed.
3. TAB and SPACE keys can be used to navigate within the GUI:
· Tab – For sequential navigation between text boxes.
· Space – To access dropdown menu.
4. Text boxes now show an appropriate message informing the user about the content to be provided.
5. Press Shift + ? on any page to display all the available keyboard shortcuts.
 

2.   DNS Optimization

From this version, if a Cyberoam Appliance interface is used as the DNS server on a client system, a query is sent to the configured DNS servers before querying the root servers.

DNS servers can be configured from Network → DNS.
 

3.   Virtual Host Enhancement

From this version onwards, on configuring Virtual Host using firewall rule, the user can configure following parameters:

1.     Firewall Rule Name
2.     Source Zone
3.     Service
4.     Apply NAT
5.     AV & AS Scanning
6.     Log Traffic
7.     Create Reflexive Rule

These parameters can be configured from the pop-up page that appears when the user adds the Virtual Host from Firewall → Virtual Host → Add.
 

4.   IBM server terminal support in SSLVPN

From this version onwards, apart from TELNET, RDP and SSH clients, Cyberoam SSL VPN also supports the application used to access an IBM server remotely.
 

5.   Dynamic Interface Support

From this version onwards, Virtual Host, DHCP and routes can be configured over dynamic interfaces like PPPoE, DB9, WLAN, and WWAN using GUI and CLI console.

This enhancement will aid in configuration and diagnostics.
 

6.   Search using IP Address

From this version onwards, search in the Web Surfing reports can be performed using IP Address.

Search result displays the number of hits on the IP Address along with total data transfer done through it.

To configure search using IP Address, go to Search → Web Surfing Reports. For further details, refer to How can I view IP-based Web Surfing Reports?
 

7.   Customized Wireless LAN

From this version onwards, user can enable or disable Wireless LAN as per the requirement.

Prior to this version, Wireless LAN by default was in enable mode and was not allowed to be disabled.

To enable or disable Wireless LAN, check WLAN Radio by accessing Network → Wireless LAN → Settings.


Behavior Change

1.   DNS Optimization

From this version onwards, if multiple WAN interfaces are configured on a Cyberoam that is deployed as DNS Server, it is recommended to configure a Static Route for the ISP DNS server to a specific ISP gateway. This will reduce delay in browsing the Internet.

To add Static Route, go to Network → Static Route → Unicast.
 

2.   MIB Modification

Due to Mix Mode support the Cyberoam Opmode object has been removed from the MIB. For further details, refer to Configure Cyberoam as SNMP Agent.


Bugs Solved

Access Server

Bug ID – 8608
Description – A wrong event displaying parameter “Start Time” as “Thur, Jan 01,05:30” and “Used Time” as “15408 days  11:32:54”, is generated when the user logs out of My Account.
 

Anti Spam

Bug ID – 9348
Description – Quarantine Mails are of 0kb value when downloaded from Quarantine Area within Anti Spam if Cyberoam Appliance is upgraded to Version 10.02.0 Build 206.
 

Backup & Restore

Bug ID – 7162
Description – Administrator is unable to download the backup file, if 15i Appliance backup is restored to 25i.
 

CLI

Bug ID – 7171
Description – In CLI, submenus of option 6, i.e. VPN Management, are not displayed.
 

Dashboard

Bug ID – 7843
Description – An extra word “dashboard” is displayed within the alert message shown on the Web Admin Console.
 

Firewall

Bug ID – 7595
Description – A MAC Address is not configured as trusted if it is imported from csv file and has a special character like dash (-) as separator.
 
Bug ID – 8748
Description – Selected multiple services for firewall rule are not displayed even though multiple options are selected against the rule.
 
Bug ID – 8832
Description – The checkboxes for Application and Web based QOS Policy in Identity based Firewall Rule are displayed unselected, in spite of being selected while configuring the QOS Policy.
 

GUI

Bug ID – 7211
Description – The geoip command available in CLI console option does not get executed.
 
Bug ID – 8291
Description – IP list is not allowed to be added in IP Host Group.
 
Bug ID – 8897
Description – A host from a host group does not get updated although a success message is displayed on GUI while updating a host for other host group.
 

Log Viewer

Bug ID – 9171
Description – IP Address of events is displayed as 0.0.0.0 in Log Viewer.
 

Identity

Bug ID – 8885
Description – Web Admin Console on IE browser version 8.0.6001.18702 displays processing while adding or editing SMS Gateway.
 
Bug ID – 8913
Description – The first character used for manual search of user group gets appended in the user name, when “Tab” key is used to navigate while creating a user.
 

Network

Bug ID – 9200
Description – Name of the Bridge Pair Interface is editable.
 

Network Interface

Bug ID – 7115
Description – USB modem ZTE MF633+ HSPA is not supported.
 
Bug ID – 9475
Description – Parameters “LCP Echo Interval” or “LCP Failure” of PPPoE interface do not get updated after editing.

Report

Bug ID – 7503
Description – Auxiliary Appliance does not send report notification mail.
 
Bug ID – 9435
Description – Web Surfing reports get corrupted while exporting excel file from iView, if the records are more than 1000.
 

SSLVPN

Bug ID – 7756
Description – SSL VPN top users report in On Appliance iView displays certificate common name instead of user name if TLS authentication verification fails while establishing peer connection.

User

Bug ID – 9357
Description – The parameter “Simultaneous Logins” on the User page does not get updated to “Unlimited” even if Global Settings parameter “Simultaneous Logins” on firewall page is configured as “Unlimited”.
 

User Group

Bug ID – 3607
Description – Maximum 20 nodes can be added as Group Login Restriction.
 

VPN

Bug ID – 7420
Description – Internet access via IPSec Tunnel from a remote office stops on upgrading Appliance from Version 10.01.1 Build 739 to Version 10.01.1 Build 023.
 
Bug ID – 9293
Description – An error message is displayed on Web Admin Console while editing bookmark type of an SSL VPN Policy in Web Access Mode from HTTP or HTTPS to any other except HTTP and HTTPS.
 
Bug ID – 9347
Description – A message “IP Address of local server has been changed” is displayed on Web Admin Console for PPTP VPN page after upgrading the Cyberoam Appliance from Version 10.01.2 Build 158 to Version 10.02.0 Build 206.  
 

Web Application Firewall (WAF)

Bug ID – 9444
Description – User cannot login within OWA, if it is published via WAF.

Bug ID – 9445
Description – High CPU utilization occurs while publishing HTTPS website via WAF.
 
Bug ID – 9446
Description – Web page content is improperly displayed in web browser since WAF does not support Deflate Type Content Encoding.
 

Web Filter

Bug ID – 9267
Description – An error message is displayed on Web Admin Console when a duplicate domain is added in Web Category or URL Group of a Web Filter.
 

Web Category

Bug ID – 9177
Description – AV & AS Scanning enabled protocols are displayed in following two different ways within “Scan” column of a Firewall Rule, when Standard Theme is applied on Cyberoam:
1.     Red highlight
2.     Red highlight and a square box  
 
 
 
 
1.2.2.4. Release Notes 10.01.X Build XXX
1.2.2.4.1. V 10.01.2 Build 158

 

Release Dates

Version 10.01.2 Build 158 – 01st March, 2012

Release Information