Release Notes
Release Information
Release Type: General Availability
Compatible versions: 9.6.0.78
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: All the Cyberoam Appliance models except CR15i and CR25i
Upgrade procedure
1. Go to Web Admin Console and take backup of v 9.6.x.x from System > Manage Data >
Backup Data. For real-time conversion of v9 backup to v10 compatible backup, browse
to data migration site (http://v9migration.cyberoam.com) and upload v9 backup file.
Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip step 1.
2. Download Appliance model-specific firmware from http://customer.cyberoam.com.
3. Upload the firmware (downloaded in step 2) from Web Admin console (menu Help >
Upload Upgrade).
4. Once the file is uploaded successfully, log on to CLI console and go to the menu
Option 6 Upgrade Version and follow the on-screen instructions to upgrade.
5. Appliance will be uploaded with factory default firmware i.e. appliance will come up with
the factory default setting.
Note: If you are upgrading fresh v9.x appliance i.e. without custom configuration
and data, skip rest of the steps. After this step, your appliance is ready for use.
6. Restore the v10 compatible backup from Web Admin console (menu System >
Maintenance > Backup & Restore)
7. To view the version 9.x reports, browse to http://<Cyberoam IP>/reports and to view
reports generated after version upgrade go to Logs & Reports > View Reports. This
option will not be available for CR15i models.
8. To view the version 9.x quarantined mails go to Antivirus > Quarantine > V 9 Quarantine
while to view the mails quarantined after version upgrade go to Antivirus > Quarantine >
Quarantine.
For further details on migration, refer to the Migrate from v9.6.x.x to v10 document.
Compatibility issues
Firmware is Appliance model-specific and hence firmware of one model will not be applicable
on another model. The upgrade will not be successful and you will receive an error if, for example,
you try to upgrade Appliance model CR100i with firmware for model CR500i.
Contents
18.9 Automatic Certificate regeneration on modification
General Information
Technical Assistance
Technical Support Documents
Introduction
This document contains the release notes for Cyberoam version 10.00 build 0227. The
following sections describe the release in detail.
This will be a key release with architectural changes, new features, and several bug fixes
that improve quality, reliability, and performance.
Firmware-based Upgrades
All the upgrades after this version will now be firmware based i.e. version can be upgraded
directly to the latest version. Firmware will be Appliance-specific and hence firmware of one
model will not be applicable on another model.
For example, if the latest released version is 10.1.0.16 and current version in your Appliance
is 10.0.0.2 then with this upgrade you will be able to directly upgrade to the latest version
10.1.0.16 instead of upgrading each intermediate version individually.
There will be support of multiple firmware residing on the appliance, so the Administrator will
be able to switch between the firmware if needed. Apart from that, upgrade and downgrade
will now also be more stable and robust as entire Operating system is converted into
bootable firmware (Starting from boot up sequence / BIOS).
2. GUI Revamp
To improve usability, a good portion of the Web UI has been re-organized. This will also
provide a more user-friendly approach to layout, menu and screens. The new GUI will be based
on Web 2.0 concepts and components.
3. GUI Themes
Cyberoam now provides a Themes page to quickly switch between predefined themes. Each
theme comes with its own custom skin, which provides the color scheme and font style for
the entire GUI i.e. navigation frame, tabs and buttons.
You can choose from 2 themes: Cyberoam Standard and Cyberoam Classic.
Configuration
The default Cyberoam Standard theme can be changed from Options under System menu
from Web Admin Console.
4.
Security Admin read-write privileges for all features except Profiles and Log & Reports
Configuration
1. Custom profiles can be created and managed from the Profile page of Administration
menu
2. Assign profile (created in step 1) to user from the User page of Identity menu
5.
Configuration
1. Configure authentication server i.e. RADIUS, LDAP or Active Directory
2. Integrate external authentication server with Cyberoam and configure primary and
secondary authentication method for Firewall, VPN and SSL VPN traffic from
Authentication page of Identity menu from Web Admin console.
6.
Configuration
1. Download Client from http://download.cyberoam.com/beta/catc and install on Microsoft
Terminal Server (Microsoft TSE) or Citrix Presentation Server
Document version 1.1-17/04/2010
2. Configure Cyberoam for communication between the two from CLI using the command:
cyberoam auth thin-client add citrix-ip <ip address of citrix server>
7.
Configuration
1. Add IM contacts or IM Group for whom rules are to be created
2. Define Conversation rule to allow or deny 1-to-1 or group Chat conversation between IM
contacts added in step 1
3. Define File transfer rule to allow or deny file transfers between IM contacts added in
step 1
4. Define Webcam rule to allow or deny the usage of Web camera between IM contacts
added in step 1
5. Define Login rules to allow specific Yahoo/MSN contacts to login to their servers. By
default, access to Yahoo and MSN chat is denied to all the contacts.
6. Define content filtering rules
The scanned IM logs can be viewed from Log Viewer page.
Limitations
1. File transfer and web camera usage not supported for Windows Live Messenger v 2009
2. No support for File transfer logging
3. No file archive support
4. Yahoo traffic will be scanned only if HTTP scanning is enabled.
8.
Compressed
notation
For example
3f2e:6c8b:78a3:0000:1725:6a2f:0370:6234 can be written as
3f2e:6c8b:78a3::1725:6a2f:0370:6234
4f7e:6c8b:79a3:0000:1725:0000:0370:6234 can be written as
4f7e:6c8b:79a3::1725::0370:6234
Mixed
notation
Configuration
To implement IPv6, one simply needs to assign IPv6 addresses to the Interfaces
using the CLI command:
cyberoam ipv6 interface Port <port number> <ip address>
E.g. cyberoam ipv6 interface PortB address add 3ffe:501:ffff:101:290:fbff:fe18:5968/64
Additional commands
1. Create Prefix list for the Interface
cyberoam ipv6 interface Port <port number> prefix add <ip address>
e.g.
cyberoam ipv6 interface PortC prefix add 3ffe:501:ffff:101::/64
2. Configure IPv6 Routing
Add Router
cyberoam ipv6 route add <ip address>
e.g.
cyberoam ipv6 route add 3ffe:501:ffff:101::/64 gateway fe80::210:f3ff:fe08:7d6c interface PortC
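The following is an added example, not part of the original release notes, that checks the compressed-notation examples and the addresses used in the commands above with Python's standard ipaddress module before they are typed into the CLI. RFC 4291 allows "::" only once per address, so the second compressed form shown above (with two "::") does not parse; the function names are hypothetical.

```python
import ipaddress


def canonical(text):
    """Return the shortest text form of an IPv6 address, or None if it does not parse."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ValueError:
        return None


def same_address(a, b):
    """True only when both strings parse and denote the same 128-bit address."""
    ca, cb = canonical(a), canonical(b)
    return ca is not None and ca == cb


def review_route(prefix, gateway, iface_addr):
    """Sanity-check the values used in the interface, prefix and route commands."""
    net = ipaddress.IPv6Network(prefix)      # raises ValueError if host bits are set
    gw = ipaddress.IPv6Address(gateway)
    iface = ipaddress.IPv6Interface(iface_addr)
    return {
        "prefix": str(net),
        "interface_in_prefix": iface.ip in net,
        # A link-local next hop is only meaningful together with an interface name.
        "gateway_needs_interface": gw.is_link_local,
    }


if __name__ == "__main__":
    # Addresses below are the ones printed in the release notes.
    pairs = [
        ("3f2e:6c8b:78a3:0000:1725:6a2f:0370:6234", "3f2e:6c8b:78a3::1725:6a2f:0370:6234"),
        ("4f7e:6c8b:79a3:0000:1725:0000:0370:6234", "4f7e:6c8b:79a3::1725::0370:6234"),
    ]
    for full, short in pairs:
        print(full, "->", canonical(full), "| short form valid:", same_address(full, short))
    print(review_route("3ffe:501:ffff:101::/64",
                       "fe80::210:f3ff:fe08:7d6c",
                       "3ffe:501:ffff:101:290:fbff:fe18:5968/64"))
```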
9.
Admin Rights Required Remote user must be logged on as Admin user or should
have Admin privilege.
9.2
To remove the hassle of typing the username and password at every login, an option to save
the username and password is provided on the SSL VPN client.
9.3
Auto-start SSL VPN option is provided to automatically establish the SSL VPN connection
whenever the Client system starts. One needs to save the username and password to enable the auto-start functionality.
10.
With introduction of 3G (Third Generation) support, Cyberoam now delivers twin protection
for high-speed secure wireless WAN (WWAN) combined with high-performance UTM. It not
only secures the wireless connection but also inspects and encrypts the traffic over the
wireless network. Hence, Cyberoam now supports set of security policies over both wired as
well as wireless networks.
It works with wireless access points from any vendor to provide security and hence achieve
Configuration
1.
2.
3.
4.
5.
11.
Cyberoam is now integrated with Cyberoam-iView to offer wide spectrum of 1000+ unique
user identity-based reporting across applications and protocols and provide in-depth
network visibility to help organizations take corrective and preventive measures.
It provides network administrators with the information they need to enable the best
protection and security for their networks against attacks and vulnerabilities.
Cyberoam Administrator can also choose to restrict visibility of logs and reports to an
administrator who manages Cyberoam-iView through Role-based Access Control. For
example, create a profile with read-write access for Log & Reports pages and assign it to an
Administrator who is required to manage reports through Cyberoam-iView. This feature can
be very useful in an MSSP scenario.
Cyberoam-iView can be accessed by clicking Reports on the topmost button bar on each
page or from View Reports page under Logs & Reports menu.
The Administrator has to log in to Cyberoam-iView with the default Cyberoam-iView username and
password (admin, admin) and not with the Cyberoam username and password.
12.
13.
Cyberoam Administrators can now be authenticated by an external authentication server: RADIUS, LDAP, Active Directory. With the support of configuring multiple authentication
servers, it is also possible to configure a combination of external and local authentication for
the administrators.
In case of multiple servers, the administrator can designate a primary and optionally a
secondary server. Only if the primary server cannot authenticate the user does the secondary server
try to authenticate. If the secondary server also cannot authenticate the user, Cyberoam
refuses access.
By default, the primary authentication method is Local while the secondary authentication method
is None.
14.
DoS attacks on Web services, known as HTTP flood attacks, pose a serious threat to Web site
owners and hosting providers. In this type of attack, malicious clients automatically send a large
number of HTTP-GET requests to the target Web server, making it difficult or
impossible for legitimate visitors to access it. Such attacks disrupt server operation, cause
costly data transfer and bandwidth overages, and can negatively impact the confidence of
that site's visitors, doing incalculable damage to the site's reputation.
While simplistic packet-based attacks can be more easily mitigated upstream, with an
HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP
requests, as these HTTP-GET requests have legitimate formats and are sent through normal
TCP connections. Hence, Intrusion Detection Systems also cannot detect them.
Cyberoam identifies such attacks based on the rate of HTTP requests
per source IP or the number of HTTP requests per TCP connection. A number of requests higher
than the configured rate is considered an attack and the traffic from that source is
dropped. One can either configure the allowed number of connections or, for granular control,
configure the allowed number of requests per Method GET and PUT.
Configuration
From CLI, set number of connections and HTTP method with the commands:
set http_proxy dos add connection <number of connections>
set http_proxy dos add method <GET | POST> <number of requests>
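The following added example, which is not Cyberoam's implementation or code from the release notes, shows the two detection criteria described above applied to a constructed request log: a per-source, per-method request rate and a per-connection request count. The one-second window, the record layout and the thresholds are assumptions; the release notes do not state the rate interval.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds; assumed, the release notes do not state the rate interval


def find_flood_sources(requests, per_method_limit, per_conn_limit):
    """requests: time-ordered (timestamp, src_ip, conn_id, method) tuples.
    Returns {src_ip: reason} for the first limit each source exceeded."""
    recent = defaultdict(deque)   # (src, method) -> timestamps inside the window
    per_conn = defaultdict(int)   # (src, conn_id) -> requests seen on that connection
    flagged = {}
    for ts, src, conn, method in requests:
        if src in flagged:
            continue              # traffic from a flagged source is dropped
        limit = per_method_limit.get(method)
        if limit is not None:
            q = recent[(src, method)]
            q.append(ts)
            while ts - q[0] >= WINDOW:   # expire requests older than the window
                q.popleft()
            if len(q) > limit:
                flagged[src] = f"{method} rate {len(q)}/{WINDOW:g}s > {limit}"
                continue
        per_conn[(src, conn)] += 1
        if per_conn[(src, conn)] > per_conn_limit:
            flagged[src] = (f"{per_conn[(src, conn)]} requests on one connection"
                            f" > {per_conn_limit}")
    return flagged


# Constructed sample log (documentation address ranges):
#   192.0.2.10   ordinary client, three GETs over 2.5 seconds
#   198.51.100.7 burst of eight GETs in 0.35 s spread over four connections
#   203.0.113.5  slow client reusing one keep-alive connection for 12 requests
SAMPLE = sorted(
    [(t, "192.0.2.10", "c1", "GET") for t in (0.0, 1.2, 2.5)]
    + [(0.05 * i, "198.51.100.7", f"f{i % 4}", "GET") for i in range(8)]
    + [(0.5 * i, "203.0.113.5", "k1", "GET") for i in range(12)]
)

if __name__ == "__main__":
    limits = {"GET": 5, "POST": 2}   # constructed per-method limits
    for src, reason in find_flood_sources(SAMPLE, limits, per_conn_limit=10).items():
        print(src, "->", reason)
```

The slow client stays under the rate limit and is caught only by the per-connection count, which is why the two criteria are useful together.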
15.
By default, Cyberoam inspects all inbound HTTP, HTTPS, FTP, SMTP, POP and IMAP
traffic on the standard ports. However, many applications scan for open ports for malicious
purposes. For example, worms and trojans often use non-standard HTTP ports to pass
remote commands and fetch data from remote sites. In phishing attempts, fraudulent
websites are hosted on non-standard HTTP ports to lure customers into submitting and disclosing their
personal information.
To protect from such attacks, Cyberoam now provides an option to enable inspection of HTTP,
HTTPS, FTP, SMTP, POP, IMAP, IM MSN and Yahoo traffic on non-standard ports also.
Configuration
From CLI, use the command
set service-param <service> <add | delete> <port number>
1. Maximum 16 ports can be configured per service
2. The same port cannot be configured across services e.g. if HTTP is configured for
port 8080 then that port cannot be configured for any other service.
3. Following default ports cannot be configured for any services: 21, 25, 80, 110, 143
16.
Since BGP uses TCP as its transport protocol, it is vulnerable to all security weaknesses of
the TCP protocol itself. For a determined attacker, it is possible to forcibly close a BGP
session or even hijack it and insert malicious routing information into the BGP data stream.
TCP MD5 Signature is used to secure the BGP session and protect against the introduction
of spoofed TCP segments into the connection stream and connection resets.
The MD5 checksum added to every packet of a TCP session makes hijacking the session difficult,
because the attacker needs the MD5 key as well as the TCP sequence number.
Configuration
From CLI console, go to menu Option 3. Route Configuration > 1. Configuration Unicast
Routing > 3. Configure BGP
At the prompt, use the following commands to enable MD5 support:
enable
configure terminal
router bgp <AS number>
network <network>
neighbor <neighbor address> remote-as <AS no of neighbor BGP router>
neighbor <neighbor address> password <MD5 Key>
Currently only IPv4 addresses are supported.
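The following added example, not taken from the release notes or from Cyberoam code, computes the TCP MD5 signature as defined in RFC 2385 (MD5 over the IPv4 pseudo-header, the fixed TCP header with a zero checksum, the segment data and the shared key) and shows the receiver rejecting a reset that carries the right addresses, ports and sequence number but was signed without the key. Addresses, ports, sequence numbers and the key are constructed.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-example-key"  # stands in for the <MD5 Key> set on both routers


def build_header(sport, dport, seq, ack, flags, doff_words=10):
    """Fixed 20-byte TCP header; data offset 10 words leaves room for the MD5 option."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       doff_words << 4, flags, 65535, 0, 0)


def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385 digest for an IPv4 segment (TCP options are not part of the hash)."""
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)   # header incl. options + data
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, seg_len))      # zero, protocol 6, length
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # checksum taken as zero
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def verify(src, dst, tcp_header, payload, received_digest, key):
    """Receiver side: recompute with the local key and compare in constant time."""
    expected = tcp_md5_digest(src, dst, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    src, dst = "192.0.2.1", "192.0.2.2"                    # documentation addresses
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE message
    hdr = build_header(40000, 179, 1000, 5000, 0x18)       # PSH|ACK from the real peer
    genuine = verify(src, dst, hdr, keepalive,
                     tcp_md5_digest(src, dst, hdr, keepalive, KEY), KEY)
    # Spoofed reset with a correct sequence number, signed with a guessed key.
    rst = build_header(40000, 179, 1019, 0, 0x04)
    forged = verify(src, dst, rst, b"",
                    tcp_md5_digest(src, dst, rst, b"", b"guess"), KEY)
    return genuine, forged


if __name__ == "__main__":
    print("genuine accepted: %s, forged accepted: %s" % demo())
```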
17.
From this version, it will be possible to view logs - Admin, Antivirus, Antispam,
Authentication, Firewall, IPS, IM, System, Web Filter, from the Web Admin console. To help
diagnose the problem, all the configuration changes will also be logged.
18.2
Cyberoam provides web filtering as a means to control Internet access and
improve network security and employee productivity.
Cyberoam groups hundreds of web sites into default categories and allows adding custom
categories as per the network requirement, to prevent access to malicious sites and protect
your network from malware, worms, spyware, trojans etc.
Cyberoam also allows allocating bandwidth based on the Web category apart from
allocating and prioritizing bandwidth based on users. It will not only improve the network
productivity by limiting the bandwidth used by the recreational applications but also
guarantee the performance of the critical business application.
18.3
Automatic updates of Web categories and IPS signature database can now be disabled. By
default they are enabled and can be disabled from System > Maintenance > Updates page
of Web Admin console.
18.4
In networks where a large number of firewall rules are required, it became difficult to
identify a firewall rule by its numbered id. Hence, to make them easy to identify, firewall rules
can now be named like all other security policies of Cyberoam.
18.5
For ease of use, rebooting appliance and shutting down appliance option are provided on
Dashboard. In version 9.x, one had to either do it from Manage Server page of Web Admin
console or CLI.
18.6
Apart from the default super admin cyberoam, Cyberoam is now shipped with one global
superadmin whose username and password are both admin. Both consoles,
Web Admin console and CLI, can be accessed with the same credentials. This administrator is
always authenticated locally i.e. by Cyberoam itself. We recommend changing the password
for this username immediately after deployment.
In case multiple external authentication servers are configured and both the servers go
down, the Administrator will not be able to access the Web Admin console with the default admin
cyberoam. In such a situation, the administrator can log in with the credentials admin/admin.
18.7
As Captive Portal is an entry point to the Corporate network, Cyberoam provides flexibility to
customize the Portal page to offer consistent logon/log off page. This page can be exclusive
to your business including your business name and logo. It also provides flexibility to
customize the page color scheme as per your company's Website.
18.8
Packet Capture log now includes details of all the packets and not just the Denied packets
details.
18.9
General Information
Technical Assistance
If you have problems with your system, contact customer support using one of the following
methods:
Email id: support@cyberoam.com
Telephonic support (Toll free)
Europe: +44-808-120-3958
India: 1-800-301-00013
Please have the following information available prior to contacting support. This helps to
ensure that our support staff can best assist you in resolving problems:
Description of the problem, including the situation where the problem occurs and its
impact on your operation
Product version, including any patches and other software that might be affecting the
problem
Detailed steps on the methods you have used to reproduce the problem
Important Notice
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented
without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the
right, without notice to make changes in product design or specifications. Information is subject to change without
notice.
USERS LICENSE
The Appliance described in this document is furnished under the terms of Elitecore's End User license agreement.
Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be
bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the
unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on
which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the
Software substantially conforms to its published specifications except for the foregoing, the software is provided AS IS.
This limited warranty extends only to the customer as the original licenses. Customer's exclusive remedy and the entire
liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service center's option, repair,
replacement, or refund of the software if reported (or, upon, request, returned) to the party supplying the software to the
customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate
the software without problems or interruptions. Elitecore hereby declares that the anti virus and anti spam modules are
powered by Kaspersky Labs and Commtouch respectively and the performance thereof is under warranty provided by
Kaspersky Labs and Commtouch. It is specified that Kaspersky Lab does not warrant that the Software identifies all
known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.
Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products excluding power supplies, fans and
electrical components will be free from material defects in workmanship and materials for a period of One (1) year.
Elitecore's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The
replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace
the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is
substantially equivalent (or superior) in all material respects to the defective Hardware.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising
from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable law.
In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of
the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of such
damages. In no event shall Elitecore's or its suppliers' liability to the customer, whether in contract, tort (including
negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply even if the above
stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual,
even if Elitecore or its suppliers have been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 1999-2010 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower,
Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com