Release Notes: CyberoamOS Version 10.6.1


Post on 08-Jun-2020


  • Release Date

    Date: 26 May 2014

    Release Information

    Release Type: General Availability (GA), Major Feature Release

    Applicable to CyberoamOS Version

    V 10.01.0XXX or 10.01.X Build XXX
    • All the versions

    V 10.02.0 Build XXX
    • 047, 174, 176, 192, 206, 224, 227, 409, 473

    V 10.04.X Build XXX
    • 0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433
    • 1 Build 451
    • 2 Build 527
    • 3 Build 543
    • 4 Build 028
    • 5 Build 007
    • 6 Build 032

    V 10.5.3
    • Common Criteria Certificate (EAL4+) Compliant

    V 10.6.X
    • 0 Beta-1
    • 0 Beta-2
    • 0 Beta-3
    • 1 RC-1, 1 RC-3, 1 RC-4

    Upgrade procedure

    To upgrade the existing Cyberoam Appliance, follow the procedure below:

    • Logon to https://customer.cyberoam.com
    • Click “Upgrade” link under Upgrade URL.
    • Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

    • For Cyberoam versions prior to 10.01.0472: Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
    • For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

    Compatibility Annotations

    This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG-XP with firmware for model CR100iNG-XP.

    This release is compatible with all Cyberoam Virtual Appliances.

    This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

    Version: 10.6.1 Date: 26 May 2014 Release Notes


  • Release Notes: CyberoamOS Version 10.6.1

    Document Version – 1.01-29/05/2014 2

    Revision History

    | Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details |
    | 1 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam SSL VPN Client for Windows 8 OS |
    | 2 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications |
    | 3 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Added: Support for 32 bit ASN in BGP |
    | 4 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam as a Dynamic DNS (DDNS) |
    | 5 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Inbound Load Balancing |
    | 6 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Remodeled IPS Policy Configuration |

    Contents

    Release Information
    Introduction
    Features
      1. IPv6 Support in CyberoamOS
         a. Dual Stack Implementation
         b. Tunnels: 6in4, 6to4, 6rd, 4in6
         c. Static IPv6 Address Assignment for Interfaces
         d. Dynamic IPv6 Address Assignment
         e. DNSv6 Support
         f. Security over IPv6
         g. Denial of Service (DoS) Attack Mitigation
         h. Spoof Prevention through IPv6 and MAC Binding
         i. Static Neighbour Configuration support
         j. IPv6 Multi-Link Management Support
         k. DHCPv6 Relay support
         l. QoS Support
         m. Diffserve-based QoS Support
         n. Miscellaneous CLI Commands for IPv6 Related Configurations
      2. Link Aggregation: Dynamic (802.3ad) and Static
      3. High Availability (Active-Active / Active-Passive) in Bridge / Mixed Mode
      4. On-Cloud Web Categorization
      5. External Web Categorization database Support
      6. Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications
      7. Support of Secure LDAP/Active Directory (SSL/TLS)
      8. Cyberoam-iView Features
         a. Zone Based Application Reports
         b. Client Types Report including BYOD Client Types
         c. Export Reports in HTML Format
         d. Custom Logo for HTML Reports
      9. Seeking User Participation for Sustained Product Improvement
      10. Support of User Log on and Log off APIs
      11. iAccess: Account Status, Quarantine Management and Authentication for iOS Users
      12. Cyberoam SSL VPN Client for Windows 8 OS
      13. Cyberoam as a Dynamic DNS (DDNS)
      14. Inbound Load Balancing
    Enhancements
      1. Dynamic Routing Configuration via GUI
      2. Third Party Certificate Support
      3. Third Party Certificate Authority (CA) Support for HTTPS Scanning
      4. Certificate Enhancements
      5. i18n Support for Default Configuration Language
      6. i18n Language support for SSL VPN Web Portal
      7. SSL VPN: User Certificate Encryption
      8. Multiple Email Addresses Support for User
      9. Network Adapter support for Hyper-V based Cyberoam Virtual Appliance
      10. Soft Reboot Option Removed from Hyper-V based Cyberoam Virtual Appliance
      11. Architectural Enhancements for Cyberoam Central Console
      12. Enhanced Browsing Experience
      13. Support for 32 bit ASN in BGP
      14. Multiple DHCP Servers support in DHCP Relay
      15. PPPoE Enhancements
      16. Support of Importing Active Directory Organization Unit (OU) and Implementing OU-based Security Policies
      17. Sender IP Reputation Optimization
      18. Dynamic Routing Information on GUI
      19. Remodeled IPS Policy Configuration
         a. Policy Configuration Optimizations
         b. New Pre-Configured IPS Policies
      20. Zero Downtime Upgrade for HA Cluster Appliances
      21. LAG support in High Availability
      22. Usability Enhancements in VPN Tunnel Management
      23. DNS Enhancements
      24. Kernel Based Virtual Machine Support
      25. Enhanced Gateway Load Balancing through Multiple Source NAT (SNAT)
      26. Optimization in On-Appliance iView
      27. Cyberoam-iView: Enhanced Report Analysis and Correlation
      28. Cyberoam-iView: Increased Log Retention Period
      29. Enhancements in Context Sensitive Online Help
      30. Enhanced Security over NTLM Authentication
    Miscellaneous
    Bugs Solved
    Known Behavior
    General Information


    Introduction

    This document contains the release notes for CyberoamOS Version 10.6.1. The following sections describe the release in detail.

    This release comes with several new features, enhancements and bug fixes to improve quality, reliability, and performance.

    Features

    1. IPv6 Support in CyberoamOS

    Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP). It is a routable protocol that provides an identification and location system for devices on networks and routes traffic across the Internet. The Internet Engineering Task Force (IETF) developed IPv6 to deal with the long-anticipated problem of IPv4 address exhaustion.

    IPv6 replaces IPv4, the existing Internet Protocol.

    The compelling reasons to replace IPv4 were:

    • Billions of new devices
    • Billions of new users
    • “Always-on” Internet access

    A Comparison: IPv4 vs. IPv6

    | IPv4 | IPv6 |
    | Uses 32 bits Address | Uses 128 bits Address |
    | Theoretical limit of addresses 2^32: 429m x 10 to the power 7 | Theoretical limit of number of addresses 2^128: 340 x 10 to the power 36 |
    | Address Format: 192.168.1.1 | Address Format: fe80:0:0:0:0:0:c0a8:101 |

    The principal benefits of IPv6 are:

    • Large address space
    • New and simplified header format
    • Efficient and hierarchical addressing and routing
    • Stateless and stateful address configuration
    • Built-in security and interoperability
    • In-built mobility
    • Mandatory Multicast support
    • Better support for QoS
    • ICMPv6-based new protocol for neighboring node interaction
    • Extensibility in packet headers

    IPv6 Features Supported In CyberoamOS

    The Administrator can configure IPv6 Addresses for the following features:

    • IPv6 Networking
      o Dual Stack Architecture: Support for IPv4 and IPv6 Protocols
      o Tunnels: 6in4, 6to4, 6rd, 4in6
      o Alias and VLAN (Alias and VLAN must be configured with same IP Address family that is used to configure the respective physical interface.)
      o Route – Static and Source
      o DNSv6 and DHCPv6 Services
      o Router Advertisement

    • Firewall Security
      o IPv6 Services
      o IP Host, IP Host Group, MAC Host
      o IPv6 Firewall Rule Schedule
      o QoS and Routing Policy
      o Virtual Host
      o NAT Policy (NAT66)
      o Spoof Prevention
      o DoS

    • Layer 8 Identity over IPv6
      o Authentication – AD, LDAP, Radius
      o Clientless Users
      o Authentication using Captive Portal

    • Logging and Reporting
      o Traffic Discovery (For User and Source IP Address)
      o Logs and Reports
      o 4-eye Authentication
      o SNMP
      o SYSLOG

    • Diagnostics
      o Packet Capture
      o Connection List
      o Ping6
      o Tracert6
      o Name Lookup
      o Route Lookup
      o System Graphs

    • NTP
    • Self-Signed Certificate
    • Scheduled Backup on IPv6 Server
    • Backup Restore

    a. Dual Stack Implementation

    Cyberoam can now be configured with an IPv4 address and an IPv6 address and can process both IPv4 and IPv6 packets. An application that supports both prefers IPv6 traffic at the network layer. Dual stack implementation enables communication between IPv4 and IPv6 devices and is the basis for all transition technologies.

    CyberoamOS uses Dual stack as the direct transition approach for IPv6 implementation. For an Administrator, IPv6 works almost the same way as IPv4. Connecting a Cyberoam appliance to an IPv6 network is the same as connecting it to an IPv4 network; the only difference lies in the usage of IPv6 addresses.

    b. Tunnels: 6in4, 6to4, 6rd, 4in6

    CyberoamOS supports four (4) methods of IP tunneling to promote interoperability between IPv4 and IPv6. IP tunneling is a mechanism to encapsulate one network protocol as payload for another network protocol, i.e. either an IPv6 packet is encapsulated into an IPv4 packet for communication between IPv6-enabled hosts/networks via an IPv4 network, or vice versa. CyberoamOS supports the following types of IP Tunneling methods:

    • 6in4 Tunnel: It is commonly referred to as Manual Tunnel and is used for IPv6 to IPv6 communication over an IPv4 backbone. The source and destination IPv4 addresses must be manually configured. It is recommended for point-to-point communication.

    • 6to4 Tunnel: It is commonly referred to as Automatic Tunnel and is used for IPv6 to IPv6 communication over an IPv4 backbone. The destination IPv4 address of the tunnel can be automatically acquired, but the source address needs to be provided manually. It is recommended for point-to-multipoint communication.

    • 6rd Tunnel: It is used for IPv6 to IPv6 communication over an IPv4 backbone. The 6rd tunnel is an extension of the 6to4 Automatic Tunnel. The tunnel can be established using a pre-defined, ISP-provided prefix.

    • 4in6 Tunnel: It is used for IPv4 to IPv4 communication over an IPv6 backbone. The source and destination IPv6 addresses must be manually configured. It is recommended for point-to-point communication.

    Point to note:

    • The devices at the ends of an IPv6 over IPv4 tunnel or IPv4 over IPv6 tunnel must support IPv4/IPv6 dual stack.

    To configure IP Tunnels, go to Network > Interface > IP Tunnel and click Add.
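
    The following added example (not Cyberoam code and not part of the original release notes) shows how a 6to4 or 6rd tunnel can acquire the destination IPv4 address automatically: the endpoint is embedded in the IPv6 destination address. It goes beyond the text above by following the address layouts of RFC 3056 (6to4, prefix 2002::/16) and RFC 5969 (6rd), and it rejects 6to4 endpoints that fall in non-routable IPv4 ranges. Function names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = "2002::/16"  # well-known 6to4 prefix (RFC 3056)

# IPv4 ranges that should never be accepted as a 6to4 tunnel endpoint:
# a packet whose embedded address falls here cannot have come from a
# legitimate 6to4 site and is typically spoofed or misconfigured.
BAD_ENDPOINTS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def embedded_ipv4(dst6, prefix, v4_mask_len=0, v4_common="0.0.0.0"):
    """Extract the IPv4 tunnel endpoint embedded in dst6 after `prefix`.

    6to4: all 32 IPv4 bits follow the 2002::/16 prefix.
    6rd:  only the low (32 - v4_mask_len) bits follow the ISP prefix; the
          high bits are shared by every customer and come from v4_common.
    Returns None when dst6 is not inside `prefix`.
    """
    dst = ipaddress.IPv6Address(dst6)
    net = ipaddress.IPv6Network(prefix)
    if dst not in net:
        return None
    if not 0 <= v4_mask_len <= 32:
        raise ValueError("v4_mask_len must be between 0 and 32")
    suffix_bits = 32 - v4_mask_len
    shift = 128 - net.prefixlen - suffix_bits
    if shift < 0:
        raise ValueError("prefix too long to carry the IPv4 bits")
    low = (int(dst) >> shift) & ((1 << suffix_bits) - 1)
    high = int(ipaddress.IPv4Address(v4_common)) >> suffix_bits << suffix_bits
    return ipaddress.IPv4Address(high | low)


def tunnel_endpoint_6to4(dst6):
    """IPv4 destination for a 6to4 packet, or None if dst6 is not 6to4."""
    v4 = embedded_ipv4(dst6, SIX_TO_FOUR)
    if v4 is None:
        return None
    if any(v4 in net for net in BAD_ENDPOINTS):
        raise ValueError(f"refusing 6to4 endpoint {v4} embedded in {dst6}")
    return v4


def tunnel_endpoint_6rd(dst6, isp_prefix, v4_mask_len, v4_common):
    """IPv4 destination for a 6rd packet inside the ISP-provided prefix."""
    return embedded_ipv4(dst6, isp_prefix, v4_mask_len, v4_common)


def site_prefix_6to4(local_v4):
    """The /48 a site owns under 6to4, derived from its own IPv4 address."""
    v4 = int(ipaddress.IPv4Address(local_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(site_prefix_6to4("192.0.2.4"))
    print(tunnel_endpoint_6to4("2002:c000:204::1"))
    print(tunnel_endpoint_6rd("2001:db8:102:300::1",
                              "2001:db8::/32", 8, "10.0.0.0"))
```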

    c. Static IPv6 Address Assignment for Interfaces

    CyberoamOS supports static assignment of IPv6 Addresses to various Interfaces like Bridge-Pair, Alias, and VLAN. The Administrator can now assign either or both of IPv6 and IPv4 addresses to a single Interface.

    The maximum Alias limit on a single interface is 64 for the IPv6 family.

    For related CLI Commands, please refer to the attached Appendix - I.

    d. Dynamic IPv6 Address Assignment

    CyberoamOS supports both stateless and stateful methods of dynamically assigning IPv6 Addresses to the hosts.

    Choosing a method depends on the Managed (M) Address Configuration and Other (O) Configuration flags in the advertised Router Advertisement message.

    Cyberoam as DHCPv6 server supports both dynamic and static IPv6 address assignments to DHCPv6 Clients.

  • Appendix - I - CLI Commands (Version: 10.6.1)

    Document Version – 1.00-28/05/2014

    1. IPv6 Interface Configuration

    a. Command: show network static-route6

    To display static routes

    2. Dynamic Address Assignment for IPv6 Hosts

    b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode

    To add the custom DHCPv6 option

    c. Command: cyberoam dhcpv6 dhcpv6-options binding add dhcpname

    To add DHCPv6 options of a DHCPv6 server

    d. Command: cyberoam dhcpv6 dhcpv6-options binding delete dhcpname

    To delete DHCPv6 options of a DHCPv6 server

    e. Command: cyberoam dhcpv6 dhcpv6-options binding show dhcpname

    To display all the DHCPv6 options of a DHCPv6 Server

    f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname

    To delete the custom DHCPv6 option

    g. Command: cyberoam dhcpv6 dhcpv6-options list

    To display all the configurable DHCPv6 options

    3. Resolve IPv6 Domains: DNS Support

    a. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    b. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    4. Miscellaneous CLI Commands for IPv6 Related Configurations

    For Network Interface

    a. Command: show network interfaces

    To display information about network interfaces


    For Diagnostics

    b. traceroute6

    Use to trace the path taken by an IPv6 packet from the source system to the destination system, over the Internet.

    Syntax

    traceroute6 [ | | first-ttl | max-ttl | probes | source | timeout | tos]

    c. telnet6

    Use telnet protocol to connect to another remote computer.

    Syntax

    telnet6

    d. ping6

    Sends ICMPv6 ECHO_REQUEST packets to network hosts.

    Syntax

    ping6 [ | count | interface | quiet | size ]

    For Proxy ARP (IPv6 Virtual Host)

    e. Command: show proxy-arp

    To display proxy ARP entries.

    5. Link Aggregation: Dynamic (802.3ad), Static & Active-Backup

    a. Command: show network lag-interface

    To display the details of particular LAG interface parameters

    b. Command: show network lag-interface runconfig

    To display LAG configurations in detail

    c. Command: set network lag-interface lag-mgt mode active-backup

    To configure the LAG mode as active-backup to provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode active-backup


    d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)

    To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)

    e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none

    Allow the primary slave to become active only if the current active slave fails and the primary is up.

    f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover

    Allow the primary to become active when it comes up again and the currently active slave becomes inactive.

    g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed

    Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave is better than speed and duplex of currently active slave.

    h. Command: set network lag-interface lag-mgt lacp lacp-rate slow

    Request partner (Switch) to transmit LACPDUs every 30 seconds

    i. Command: set network lag-interface lag-mgt lacp lacp-rate fast

    Request partner (Switch) to transmit LACPDUs every 1 second

    j. Command: set network lag-interface lag-mgt lacp static-mode enable

    To enable the static mode.

    k. Command: set network lag-interface lag-mgt lacp static-mode disable

    To disable the static mode.

    l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.

    m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.

    n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4

    Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.


    o. Command: set network lag-interface link-mgt monitor-interval

    To configure link monitoring frequency time in milliseconds.

    p. Command: set network lag-interface link-mgt up-time

    To configure Up-Delay time in milliseconds i.e. the wait time before enabling a slave after link recovery detection.

    q. Command: set network lag-interface link-mgt down-time

    To configure Down-Delay time in milliseconds i.e. the wait time before disabling a slave after link failure detection.

    r. Command: set network lag-interface link-mgt garp-count

    To configure the number of peer notifications – gratuitous ARPs to be issued after failover event.

    6. ICAP – Extended Security Service Support

    a. Command: show icap

    Displays the ICAP Server configurations.

    b. Command: set icap apply-change

    For applying the configuration modification executed using Edit commands of Request Mode or Response Mode.

    To apply modifications using any of the below edit commands, use command - set icap apply-change

    c. Command: set icap edit reqmod IP-address

    Example: set icap edit reqmod IP-address 192.168.1.2

    For configuring ICAP Server Request Mode IP Address.

    d. Command: set icap edit reqmod port

    Example: set icap edit reqmod port 1344

    For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    e. Command: set icap edit reqmod service-name

    Example: set icap edit reqmod service-name xyz

    For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.

    f. Command: set icap edit reqmod reset


    All Request Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.

    g. Command: set icap edit respmod IP-address

    Example: set icap edit respmod IP-address 192.168.1.2

    For configuring ICAP Server Response Mode IP Address.

    h. Command: set icap edit respmod port

    Example: set icap edit respmod port 1344

    For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    i. Command: set icap edit respmod service-name

    Example: set icap edit respmod service-name xyz

    For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.

    j. Command: set icap edit respmod reset

    All Response Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Response Mode for the respective ICAP Server shall be flushed.

    k. Command: set icap edit options body limit

    Example: set icap edit options body limit 10485760

    To configure the inbound and outbound content body limit in bytes.

    l. Command: set icap edit options connections

    Example: set icap edit options connections 1

    To configure the number of connections.

    m. Command: set icap edit options mode_dlp

    For switching on or switching off the DLP mode.

    In case of Request Mode, only POST and PUT method traffic are sent to ICAP server.


    • DHCPv6 Stateful Mode: DHCPv6 clients require IPv6 address together with other network parameters (like DNS Server, Domain Name). To configure DHCPv6, go to Network > DHCP > Server and click Add > IPv6. For related CLI Commands, please refer to the attached Appendix - I.

    • DHCPv6 Stateless Mode: Stateless Address Auto-Configuration (SLAAC) is a stateless address assignment method through which hosts on the same link can auto-configure their IPv6 Addresses from the prefix advertised by Cyberoam. CyberoamOS’s router advertisements contain prefixes that are used for host address configuration, and other configuration parameters like default Gateway, MTU, Reachable time, Retransmit time, Hop limit.

    CyberoamOS’s router advertisements are either periodic or sent in response to a router solicitation message from Hosts.

    The DHCPv6 client obtains network parameters other than the IPv6 address.

    To add Router Advertisement for SLAAC, go to Network > Router Advertisement > Router Advertisement.
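
    The added example below (not Cyberoam code and not part of the original release notes) parses a Router Advertisement as laid out in RFC 4861 and derives from the M and O flags whether a host uses stateful DHCPv6, or SLAAC with or without stateless DHCPv6. It also extracts the advertised prefix, MTU, Reachable time, Retransmit time and Hop limit mentioned above. Function names and the sample packet are assumptions constructed for illustration; the ICMPv6 checksum is not verified because that requires the IPv6 pseudo-header.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 type: Router Advertisement
FLAG_M = 0x80          # Managed address configuration
FLAG_O = 0x40          # Other configuration
OPT_PREFIX_INFO = 3    # Prefix Information option
OPT_MTU = 5            # MTU option
PREFIX_FLAG_L = 0x80   # prefix is on-link
PREFIX_FLAG_A = 0x40   # prefix may be used for SLAAC


def build_sample_ra(managed, other, prefix="2001:db8:1::/64", mtu=1500):
    """Construct a sample RA body (constructed test data, checksum left 0)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    prefix_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                             PREFIX_FLAG_L | PREFIX_FLAG_A, 86400, 14400, 0)
    prefix_opt += net.network_address.packed
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return header + prefix_opt + mtu_opt


def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement body (without the IPv6 header)."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    (typ, code, _cksum, hop_limit, flags,
     lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", msg[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_M),
          "other": bool(flags & FLAG_O), "router_lifetime": lifetime,
          "reachable_ms": reachable, "retrans_ms": retrans,
          "mtu": None, "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[off], msg[off + 1]
        size = opt_len * 8            # option length is in units of 8 bytes
        if size == 0 or off + size > len(msg):
            raise ValueError("malformed option length")
        body = msg[off + 2:off + size]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            addr = ipaddress.IPv6Address(body[14:30])
            net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(pflags & PREFIX_FLAG_A),
                                   "valid_s": valid, "preferred_s": preferred})
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        off += size                   # unknown options are skipped
    return ra


def config_plan(ra):
    """Where a host gets its address and its other parameters from."""
    if ra["managed"]:
        # M=1: addresses and other parameters come from a DHCPv6 server.
        return {"address": "DHCPv6 (stateful)", "other": "DHCPv6"}
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    return {"address": "SLAAC" if slaac else "none",
            # O=1: DNS server, domain name etc. via stateless DHCPv6.
            "other": "DHCPv6 (stateless)" if ra["other"] else "RA only"}


if __name__ == "__main__":
    for m, o in ((True, False), (False, True), (False, False)):
        ra = parse_ra(build_sample_ra(m, o))
        print(f"M={int(m)} O={int(o)} ->", config_plan(ra), ra["prefixes"])
```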

    e. DNSv6 Support

    CyberoamOS now supports both the traditional 32 bit IPv4 Address format and the latest 128 bit IPv6 Address format for the external DNS Resolver through Domain Name Server (DNSv6) support. Thus, DNS servers can be configured for IPv6 networks, and the appliance can send them name resolution requests. Also, the Administrator can choose one of the four options below, according to which CyberoamOS’s DNS server selects the external IPv6 and/or IPv4 DNS servers:

    • Choose server based on incoming requests record type
    • Choose IPv6 DNS server over IPv4
    • Choose IPv4 DNS server over IPv6
    • Choose IPv6 if request originator address is IPv6, else IPv4

    To configure IPv6 Addresses for DNS server, go to Network > DNS > DNS.

    To handle internal DNS queries, CyberoamOS allows adding DNS Host Entries. To add a DNS Host Entry for an IPv6 Address, go to Network > DNS > DNS Host Entry.

    Further, CyberoamOS now allows Name Lookup and Reverse DNS lookup for IPv6 Addresses. Name Lookup and Reverse DNS Lookup are used to query the DNS for information about domain name and IPv6 Address.

    For related CLI Commands, please refer to the attached Appendix - I.

  • Appendix - I - CLI Commands (Version: 10.6.1)

    Document Version – 1.00-28/05/2014

    1. IPv6 Interface Configuration

    a. Command: show network static-route6

    To display static routes

    2. Dynamic Address Assignment for IPv6 Hosts

    b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode

    To add the custom DHCPv6 option

    c. Command: cyberoam dhcpv6 dhcpv6-options binding add dhcpname

    To add DHCPv6 options of a DHCPv6 server

    d. Command: cyberoam dhcpv6 dhcpv6-options binding delete dhcpname

    To delete DHCPv6 options of a DHCPv6 server

    e. Command: cyberoam dhcpv6 dhcpv6-options binding show dhcpname

    To display all the DHCPv6 options of a DHCPv6 Server

    f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname

    To delete the custom DHCPv6 option

    g. Command: cyberoam dhcpv6 dhcpv6-options list

    To display all the configurable DHCPv6 options

    3. Resolve IPv6 Domains: DNS Support

    a. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    b. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    4. Miscellaneous CLI Commands for IPv6 Related Configurations

    For Network Interface

    a. Command: show network interfaces

    To display information about network interfaces


    For Diagnostics

    b. traceroute6

    Use to trace the path taken by an IPv6 packet from the source system to the destination system, over the Internet.

    Syntax

    traceroute6 [ | | first-ttl | max-ttl | probes | source | timeout | tos]

    c. telnet6

    Use telnet protocol to connect to another remote computer.

    Syntax

    telnet6

    d. ping6

    Sends ICMPv6 ECHO_REQUEST packets to network hosts.

    Syntax

    ping6 [ | count | interface | quiet | size ]

    For Proxy ARP (IPv6 Virtual Host)

    e. Command: show proxy-arp

    To display proxy ARP entries.

    5. Link Aggregation: Dynamic (802.3ad), Static & Active-Backup

    a. Command: show network lag-interface

    To display the details of particular LAG interface parameters

    b. Command: show network lag-interface runconfig

    To display LAG configurations in detail

    c. Command: set network lag-interface lag-mgt mode active-backup

    To configure the LAG mode as active-backup to provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode active-backup


    d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)

    To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)

    e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none

    Allow the primary slave to become active only if the current active slave fails and the primary is up.

    f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover

    Allow the primary to become active when it comes up again; the currently active slave then becomes inactive.

    g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed

    Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave are better than the speed and duplex of the currently active slave.

    h. Command: set network lag-interface lag-mgt lacp lacp-rate slow

    Request partner (Switch) to transmit LACPDUs every 30 seconds

    i. Command: set network lag-interface lag-mgt lacp lacp-rate fast

    Request partner (Switch) to transmit LACPDUs every 1 second

    j. Command: set network lag-interface lag-mgt lacp static-mode enable

    To enable the static mode.

    k. Command: set network lag-interface lag-mgt lacp static-mode disable

    To disable the static mode.

    l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.

    m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.

    n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4

    Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.


    o. Command: set network lag-interface link-mgt monitor-interval

    To configure link monitoring frequency time in milliseconds.

    p. Command: set network lag-interface link-mgt up-time

    To configure Up-Delay time in milliseconds i.e. the wait time before enabling a slave after link recovery detection.

    q. Command: set network lag-interface link-mgt down-time

    To configure Down-Delay time in milliseconds i.e. the wait time before disabling a slave after link failure detection.

    r. Command: set network lag-interface link-mgt garp-count

    To configure the number of peer notifications – gratuitous ARPs to be issued after failover event.

    6. ICAP – Extended Security Service Support

    a. Command: show icap

    Displays the ICAP Server configurations.

    b. Command: set icap apply-change

    For applying the configuration modification executed using Edit commands of Request Mode or Response Mode.

    To apply modifications using any of the below edit commands, use command - set icap apply-change

    c. Command: set icap edit reqmod IP-address

    Example: set icap edit reqmod IP-address 192.168.1.2

    For configuring ICAP Server Request Mode IP Address.

    d. Command: set icap edit reqmod port

    Example: set icap edit reqmod port 1344

    For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    e. Command: set icap edit reqmod service-name

    Example: set icap edit reqmod service-name xyz

    For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.

    f. Command: set icap edit reqmod reset


    All Request Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.

    g. Command: set icap edit respmod IP-address

    Example: set icap edit respmod IP-address 192.168.1.2

    For configuring ICAP Server Response Mode IP Address.

    h. Command: set icap edit respmod port

    Example: set icap edit respmod port 1344

    For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    i. Command: set icap edit respmod service-name

    Example: set icap edit respmod service-name xyz

    For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.

    j. Command: set icap edit respmod reset

    All Response Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Response Mode for the respective ICAP Server shall be flushed.

    k. Command: set icap edit options body limit

    Example: set icap edit options body limit 10485760

    To configure the inbound and outbound content body limit in bytes.

    l. Command: set icap edit options connections

    Example: set icap edit options connections 1

    To configure the number of connections.

    m. Command: set icap edit options mode_dlp

    For switching on or switching off the DLP mode.

    In case of Request Mode, only POST and PUT method traffic are sent to ICAP server.
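What the Request Mode settings above turn into on the wire, as an added example (not CyberoamOS code): the RFC 3507 REQMOD message an ICAP client sends to icap://192.168.1.2:1344/xyz, using the example IP address, port and service name from the commands above. The HTTP request, the helper names and the exact header set are constructed for illustration; the headers the appliance itself sends are not shown in this document.

```python
import re

# Per the note above: in Request Mode only POST and PUT traffic goes to the ICAP server.
ICAP_METHODS_SENT = {"POST", "PUT"}

# Constructed sample HTTP request (not captured traffic).
BODY = b"note=quarterly-report"
HTTP_HEAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(BODY)
)


def should_send_reqmod(http_head):
    """True if the HTTP request line uses a method that is handed to the ICAP server."""
    method = http_head.split(b" ", 1)[0].decode("ascii", "replace").upper()
    return method in ICAP_METHODS_SENT


def build_reqmod(server_ip, port, service, http_head, body):
    """Wrap one HTTP request in an ICAP REQMOD message (RFC 3507 framing)."""
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    if body:
        # Offsets in Encapsulated are counted from the start of the encapsulated data.
        encapsulated = "req-hdr=0, req-body=%d" % len(http_head)
        # The encapsulated body is always sent chunked, ending with a zero-size chunk.
        payload = http_head + b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = "req-hdr=0, null-body=%d" % len(http_head)
        payload = http_head
    icap_head = (
        "REQMOD icap://%s:%d/%s ICAP/1.0\r\n"
        "Host: %s:%d\r\n"
        "Encapsulated: %s\r\n"
        "\r\n" % (server_ip, port, service, server_ip, port, encapsulated)
    ).encode("ascii")
    return icap_head + payload


def split_reqmod(msg):
    """Server side: use the Encapsulated offsets to recover the HTTP headers and body."""
    icap_head, _, data = msg.partition(b"\r\n\r\n")
    m = re.search(rb"Encapsulated: req-hdr=(\d+), (req|null)-body=(\d+)", icap_head)
    if m is None:
        raise ValueError("missing or unsupported Encapsulated header")
    hdr_off, kind, body_off = int(m.group(1)), m.group(2), int(m.group(3))
    http_head = data[hdr_off:body_off]
    if kind == b"null":
        return http_head, b""
    body, rest = b"", data[body_off:]
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return http_head, body
        body += rest[:size]
        rest = rest[size + 2:]                     # skip chunk data and its CRLF


if __name__ == "__main__":
    if should_send_reqmod(HTTP_HEAD):
        print(build_reqmod("192.168.1.2", 1344, "xyz", HTTP_HEAD, BODY).decode())
```

The Encapsulated offsets are the part most often wrong in hand-built ICAP messages: `req-body` must equal the exact byte length of the HTTP header block, including its terminating empty line.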



  • Release Notes: CyberoamOS Version 10.6.1


    f. Security over IPv6

    CyberoamOS Firewall is capable of filtering IPv6 traffic. Administrator can configure IPv6 specific Firewall Rules to manage and control the network traffic. Furthermore, Administrator can create separate Firewall Rules for IPv4 and IPv6 traffic.

    IPv6 Firewall Rules support configuring the following types of Objects:

    • IPv6 Hosts
    • IPv6 Host Groups
    • MAC Hosts
    • Virtual Hosts

    To configure IPv6 Firewall Rules, go to Firewall > Rule > IPv6 Rule and click Add.

    g. Denial of Service (DoS) Attack Mitigation

    CyberoamOS provides support to prevent TCP, UDP, SYN, and ICMPv6 based DoS attacks by dropping the excess IPv6 packets from the particular source/destination. CyberoamOS drops packets from the source/destination until the burst rate goes below the threshold, and re-allows traffic only after 30 seconds once the attack subsides.

    To configure DoS settings, go to Firewall > DoS > Settings.

    On migration, existing DoS configuration will be applicable to both IPv4 DoS and IPv6 DoS.

    Administrator can also choose to bypass ICMPv6 redirect messages and IPv6 source routed packets destined for Cyberoam, if the Administrator is sure that the specified source is not used for flooding.

    To bypass DoS for a specific IPv6 source route, go to Firewall > DoS > Bypass Rules.

    h. Spoof Prevention through IPv6 and MAC Binding

    To abate the obfuscation risk, CyberoamOS enforces Spoof Prevention using the reverse path filtering technique to make sure that the packets received throughout the network come from an authorized location.

    To enable IPv6 Spoof Prevention, go to Firewall > Spoof Prevention > General Settings and select Enable Spoof Prevention.

    By default, Spoof Prevention is disabled.

    In addition, the Administrator can configure trusted MAC Addresses and IPv6 Addresses. A user gets access to the network only if the MAC Address and IPv6 Address are on the Trusted MAC list.

    To add trusted MAC Address and IPv6 Address, go to Firewall > Spoof Prevention > Trusted MAC and click Add.
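How the two checks in this section combine, as an added example (not CyberoamOS code): a strict reverse-path check against a routing table, followed by a trusted MAC and IPv6 binding check. The interface names, prefixes, MAC addresses and the order of evaluation are assumptions made for illustration; the document does not describe the appliance's internal logic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: (prefix, interface the prefix is reachable through).
ROUTES = [
    (ipaddress.ip_network("2001:db8:10::/64"), "PortA"),  # LAN
    (ipaddress.ip_network("2001:db8:20::/64"), "PortC"),  # DMZ
    (ipaddress.ip_network("::/0"), "PortB"),              # default route via WAN
]

# Constructed trusted MAC list: MAC address -> IPv6 addresses bound to it.
TRUSTED_MAC = {
    "00:11:22:33:44:55": {ipaddress.ip_address("2001:db8:10::25")},
    "00:11:22:33:44:66": {ipaddress.ip_address("2001:db8:10::26")},
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    in_iface: str


def reverse_path_iface(src_ip):
    """Interface that the longest-prefix-match route back to src_ip would use."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in ROUTES:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check(pkt, mac_enforced_ifaces=("PortA",)):
    """Return 'accept' or a drop reason for one received packet."""
    # 1. Reverse path filtering: the packet must arrive on the interface that
    #    would be used to route a reply to its source address.
    if reverse_path_iface(pkt.src_ip) != pkt.in_iface:
        return "drop: reverse path"
    # 2. Trusted MAC binding (assumed here to be enforced on the LAN side only):
    #    the source MAC must be listed and bound to this source address.
    if pkt.in_iface in mac_enforced_ifaces:
        bound = TRUSTED_MAC.get(pkt.src_mac.lower())
        if bound is None:
            return "drop: MAC not trusted"
        if ipaddress.ip_address(pkt.src_ip) not in bound:
            return "drop: IP-MAC mismatch"
    return "accept"


if __name__ == "__main__":
    samples = [
        Packet("2001:db8:10::25", "00:11:22:33:44:55", "PortA"),  # legitimate LAN host
        Packet("2001:db8:10::25", "00:11:22:33:44:55", "PortB"),  # LAN source seen on WAN
        Packet("2001:db8:10::26", "00:11:22:33:44:55", "PortA"),  # trusted MAC, wrong address
        Packet("2001:db8:10::30", "de:ad:be:ef:00:01", "PortA"),  # unknown MAC
    ]
    for pkt in samples:
        print(pkt, "->", check(pkt))
```

The second sample is the case reverse path filtering exists for: a LAN source address arriving on the WAN interface is dropped before any binding lookup is made.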

    i. Static Neighbour Configuration support

    Hosts and routers use NDP to determine the link-layer addresses of peers known to be on attached links and to quickly clear invalid cache values. Hosts use Neighbor Discovery (ND) to find neighboring routers that are willing to forward packets on their behalf. The protocol is also used to keep track of whether the neighbors are reachable and to detect any change in link-layer addresses. A host looks for an alternative if a router, or the route to reach the router, fails.

    NDP has Neighbor Solicitations similar to ARP request and Neighbor Advertisements similar to ARP replies. Unsolicited neighbor advertisements in IPv6 correspond to gratuitous ARP replies in IPv4.


    CyberoamOS supports configuring static and dynamic neighbor entries for IPv6. This allows static neighbor configuration for trusted/vulnerable machines in the network. A static neighbor helps solicit requests for configured entries and ignores any incoming solicit/advertised ND for configured entries.

    To configure Static ND, go to Network > ARP-NDP > Neighbor > Add Static Neighbor and select IPv4 or IPv6 to add IPv4 and IPv6 Addresses respectively.

    Also, CyberoamOS supports mitigating both IPv4 and IPv6 poisoning attacks by logging the attempts to insert the entries. To mitigate poisoning attacks, go to Network > ARP-NDP > Neighbor and enable Log Possible Neighbor Poisoning Attempts.
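Why a static neighbor entry resists poisoning while a dynamic one does not, as an added example (not CyberoamOS code): it parses ICMPv6 Neighbor Advertisements (RFC 4861), leaves static entries untouched, and logs advertisements that claim a static address with a different MAC. The addresses, the log text and the simplified update rule for dynamic entries are assumptions for illustration.

```python
import ipaddress
import struct

ND_NEIGHBOR_ADVERT = 136     # ICMPv6 type of a Neighbor Advertisement
OPT_TARGET_LLADDR = 2        # Target Link-Layer Address option
FLAG_OVERRIDE = 0x20000000   # "O" bit in the 32-bit flags word


def build_na(target, mac, override=True):
    """Build a constructed NA message (checksum left at 0) to feed the demo."""
    header = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0,
                         FLAG_OVERRIDE if override else 0)
    option = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return header + ipaddress.IPv6Address(target).packed + option


def parse_na(msg):
    """Return (target address, advertised MAC or None, override flag)."""
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_ADVERT:
        raise ValueError("not a Neighbor Advertisement")
    flags = struct.unpack("!I", msg[4:8])[0]
    target = ipaddress.IPv6Address(msg[8:24])
    mac, off = None, 24
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed ND option")
        if opt_type == OPT_TARGET_LLADDR:
            mac = ":".join("%02x" % b for b in msg[off + 2:off + 8])
        off += opt_len
    return target, mac, bool(flags & FLAG_OVERRIDE)


class NeighborTable:
    def __init__(self, static):
        self.static = {ipaddress.IPv6Address(ip): mac.lower()
                       for ip, mac in static.items()}
        self.dynamic = {}
        self.log = []

    def lookup(self, ip):
        addr = ipaddress.IPv6Address(ip)
        return self.static.get(addr, self.dynamic.get(addr))

    def handle_na(self, msg):
        target, mac, override = parse_na(msg)
        if mac is None:
            return "ignored"
        if target in self.static:
            # Static entries are never changed by incoming advertisements;
            # a conflicting claim is recorded as a possible poisoning attempt.
            if mac != self.static[target]:
                self.log.append("possible neighbor poisoning: %s is static %s, "
                                "advertised as %s" % (target, self.static[target], mac))
                return "logged"
            return "ignored"
        old = self.dynamic.get(target)
        if old is None:
            self.dynamic[target] = mac
            return "learned"
        if override and old != mac:
            self.dynamic[target] = mac     # simplified RFC 4861 override handling
            return "updated"
        return "ignored"


if __name__ == "__main__":
    table = NeighborTable({"2001:db8:10::1": "00:11:22:33:44:01"})
    print(table.handle_na(build_na("2001:db8:10::1", "de:ad:be:ef:00:01")))
    print(table.log)
```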

    j. IPv6 Multi-Link Management Support

    Load balancing between the links optimizes their utilization by distributing the traffic among the various links, and thus improves performance and reduces the operational cost.

    From this version onwards, CyberoamOS supports weighted load balancing for IPv6 traffic to enable maximum utilization of capacities across the various gateway/links.

    To configure IPv6 Load Balancing, go to Firewall > Rule > IPv6 Rule > Add/Edit Rule > Advance Settings (QoS, Routing Policy, Log Traffic) and select Load Balance option for parameter Route Through Gateway.

    k. DHCPv6 Relay support

    DHCP relay is used to receive the multicast packets from clients and forward them to a DHCP server that is not in the subnet range. CyberoamOS now supports DHCPv6 relay to cater to clients requesting an IPv6 Address.

    Cyberoam Appliance can act as DHCP Server and DHCP Relay, if configured for different IP families.

    To configure DHCPv4 or DHCPv6 Relay, go to Network > DHCP > Relay > Add > IPv6.

    l. QoS Support

    From this version onwards, Cyberoam Administrator can configure user-based and firewall-based QoS policy for IPv6 traffic.

    To configure QoS based IPv6 Firewall Rule, go to Firewall > IPv6 Rule > Add > Advance Settings > QoS & Routing Policy > QoS.

    m. DiffServ-based QoS Support

    From this version, CyberoamOS supports Differentiated Services Code Point (DSCP) for IPv6 traffic.

    To configure DSCP, go to Firewall > IPv6 Rule > Add > Advance Settings > QoS & Routing Policy > DSCP Marking.

    n. Miscellaneous CLI Commands for IPv6 Related Configurations

    For related CLI Commands, please refer to the attached Appendix - I.

  • Document Version – 1.00-28/05/2014 1

    1. IPv6 Interface Configuration

    a. Command: show network static-route6

    To display static routes

    2. Dynamic Address Assignment for IPv6 Hosts

    b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode

    To add the custom DHCPv6 option

    c. Command: cyberoam dhcpv6 dhcpv6-options binding add dhcpname

    To add DHCPv6 options of a DHCPv6 server

    d. Command: cyberoam dhcpv6 dhcpv6-options binding delete dhcpname

    To delete DHCPv6 options of a DHCPv6 server

    e. Command: cyberoam dhcpv6 dhcpv6-options binding show dhcpname

    To display all the DHCPv6 options of a DHCPv6 Server

    f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname

    To delete the custom DHCPv6 option

    g. Command: cyberoam dhcpv6 dhcpv6-options list

    To display all the configurable DHCPv6 options

    3. Resolve IPv6 Domains: DNS Support

    a. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    b. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    4. Miscellaneous CLI Commands for IPv6 Related Configurations

    For Network Interface

    a. Command: show network interfaces

    To display information about network interfaces

    Version: 10.6.1 Appendix: CLI Commands

  • Appendix - I - CLI Commands

    Document Version – 1.00-28/05/2014 2

    For Diagnostics

    b. traceroute6

    Use to trace the path taken by an IPv6 packet from the source system to the destination system, over the Internet.

    Syntax

    traceroute6 [ | | first-ttl | max-ttl | probes | source | timeout | tos]

    c. telnet6

    Use telnet protocol to connect to another remote computer.

    Syntax

    telnet6

    d. ping6

    Sends ICMPv6 ECHO_REQUEST packets to network hosts.

    Syntax

    ping6 [ | count | interface | quiet | size ]

    For Proxy ARP (IPv6 Virtual Host)

    e. Command: show proxy-arp

    To displays proxy ARP entries.

    5. Link Aggregation: Dynamic (802.3ad), Static & Active-Backup

    a. Command: show network lag-interface

    To display the details of particular LAG interface parameters

    b. Command: show network lag-interface runconfig

    To display LAG configurations in detail

    c. Command: set network lag-interface lag-mgt mode active-backup

    To configure the LAG mode as active-backup to provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode active-backup

  • Appendix - I - CLI Commands

    Document Version – 1.00-28/05/2014 3

    d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)

    To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.

    E.G. set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)

    e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none

    Allow the primary slave to become active only if the current active slave fails and the primary is up.

    f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover

    Allow the primary to become active when it comes up again and currently active slave becomes de-active.

    g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed

    Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave is better than speed and duplex of currently active slave.

    h. Command: set network lag-interface lag-mgt lacp lacp-rate slow

    Request partner (Switch) to transmit LACPDUs every 30 seconds

    i. Command: set network lag-interface lag-mgt lacp lacp-rate fast

    Request partner(Switch) to transmit LACPDUs every 1 second

    j. Command: set network lag-interface lag-mgt lacp static-mode enable

    To enable the static mode.

    k. Command: set network lag-interface lag-mgt lacp static-mode disable

    To disable the static mode.

    l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.

    m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.

    n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4

    Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.

  • Appendix - I - CLI Commands

    Document Version – 1.00-28/05/2014 4

    o. Command: set network lag-interface link-mgt monitor-interval

    To configure link monitoring frequency time in milliseconds.

    p. Command: set network lag-interface link-mgt up-time

    To configure Up-Delay time in milliseconds i.e. the wait time before enabling a slave after link recovery detection.

    q. Command: set network lag-interface link-mgt down-time

    To configure Down-Delay time in milliseconds i.e. the wait time before disabling a slave after link failure detection.

    r. Command: set network lag-interface link-mgt garp-count

    To configure the number of peer notifications – gratuitous ARPs to be issued after failover event.

    6. ICAP – Extended Security Service Support

    a. Command: show icap

    Displays the ICAP Server configurations.

    b. Command: set icap apply-change

    For applying the configuration modification executed using Edit commands of Request Mode or Response Mode.

    To apply modifications using any of the below edit commands, use command - set icap apply-change

    c. Command: set icap edit reqmod IP-address

    Example: set icap edit reqmod IP-address 192.168.1.2

    For configuring ICAP Server Request Mode IP Address.

    d. Command: set icap edit reqmod port

    Example: set icap edit reqmod port 1344

    For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    e. Command: set icap edit reqmod service-name

    Example: set icap edit reqmod service-name xyz

    For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.

    f. Command: set icap edit reqmod reset

  • Appendix - I - CLI Commands

    Document Version – 1.00-28/05/2014 5

    All Request Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.

    g. Command: set icap edit respmod IP-address

    Example: set icap edit respmod IP-address 192.168.1.2

    For configuring ICAP Server Response Mode IP Address.

    h. Command: set icap edit respmod port

    Example: set icap edit respmod port 1344

    For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    i. Command: set icap edit respmod service-name

    Example: set icap edit respmod service-name xyz

    For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.

    j. Command: set icap edit respmod reset

    All Response Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Response Mode for the respective ICAP

    Server shall be flushed.

    k. Command: set icap edit options body limit

    Example: set icap edit options body limit 10485760

    To configure the inbound and outbound content body limit in bytes.

    l. Command: set icap edit options connections

    Example: set icap edit options connections 1

    To configure the number of connections.

    m. Command: set icap edit options mode_dlp

    For switching on or switching off the DLP mode.

    In case of Request Mode, only POST and PUT method traffic are sent to ICAP server.


  • Release Notes: CyberoamOS Version 10.6.1

    Document Version – 1.01-29/05/2014

    2. Link Aggregation: Dynamic (802.3ad) and Static

    From this version, CyberoamOS supports Link Aggregation (LAG) for aggregating (combining) multiple network connections into a single connection. It is also called port trunking, link bundling, Ethernet/NIC bonding or NIC teaming.

    Advantages of LAG

    • Linear (aggregated) increase in bandwidth according to the number of links used in the group

    • Link redundancy through failover and failback in a continuous session

    • Load sharing across links according to the algorithm applied in the xmit hash policy

    • No change in the existing network deployment / hardware

    CyberoamOS supports LAG Deployment Modes:

    • Dynamic Link Aggregation (802.3ad)
        o Requires Switch-side configuration (with LACP support)
        o Supports Load-sharing and Fault-tolerance

    • Active-Backup
        o Does not require Switch-side configuration
        o Supports Fault-tolerance mode

    • Static Link Aggregation
        o Does not require Switch-side configuration
        o Supports Load-sharing and Fault-tolerance

    Prerequisites

    • The other end point of Cyberoam (e.g. switch) should support LACP 802.3ad mode

    • All member interfaces must have the same physical characteristics, such as interface speed and Full-Duplex (applicable to LACP 802.3ad)

    • Refer to the switch manual for its proprietary configurations

    • Only unbound physical interfaces can be members of the LAG Group

    Note:

    • Maximum 4 ports can be configured on a single LAG interface

    • LAG is not supported with Appliance deployed in Transparent mode.

    • Interfaces on which PPPoE, WWAN and WLAN are configured cannot participate in LAG

    • IPv6 and PAGP are not supported

    • Bridge Pair cannot be created on LAG interface

    To configure LAG, go to Network > Interface > Interface and click Add LAG.

    For related CLI Commands, please refer to the attached Appendix - I.

  • Appendix - I - CLI Commands

    Document Version – 1.00-28/05/2014

    1. IPv6 Interface Configuration

    a. Command: show network static-route6

    To display static routes

    2. Dynamic Address Assignment for IPv6 Hosts

    b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode

    To add the custom DHCPv6 option

    c. Command: cyberoam dhcpv6 dhcpv6-options binding add dhcpname

    To add DHCPv6 options of a DHCPv6 server

    d. Command: cyberoam dhcpv6 dhcpv6-options binding delete dhcpname

    To delete DHCPv6 options of a DHCPv6 server

    e. Command: cyberoam dhcpv6 dhcpv6-options binding show dhcpname

    To display all the DHCPv6 options of a DHCPv6 Server

    f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname

    To delete the custom DHCPv6 option

    g. Command: cyberoam dhcpv6 dhcpv6-options list

    To display all the configurable DHCPv6 options

    3. Resolve IPv6 Domains: DNS Support

    a. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    b. Command: dnslookup6 host

    To query Internet Domain Name Server for Host to be searched

    4. Miscellaneous CLI Commands for IPv6 Related Configurations

    For Network Interface

    a. Command: show network interfaces

    To display information about network interfaces


    For Diagnostics

    b. traceroute6

    Use to trace the path taken by an IPv6 packet from the source system to the destination system, over the Internet.

    Syntax

    traceroute6 [ | | first-ttl | max-ttl | probes | source | timeout | tos]

    c. telnet6

    Use telnet protocol to connect to another remote computer.

    Syntax

    telnet6

    d. ping6

    Sends ICMPv6 ECHO_REQUEST packets to network hosts.

    Syntax

    ping6 [ | count | interface | quiet | size ]

    For Proxy ARP (IPv6 Virtual Host)

    e. Command: show proxy-arp

    To display proxy ARP entries.

    5. Link Aggregation: Dynamic (802.3ad), Static & Active-Backup

    a. Command: show network lag-interface

    To display the details of particular LAG interface parameters

    b. Command: show network lag-interface runconfig

    To display LAG configurations in detail

    c. Command: set network lag-interface lag-mgt mode active-backup

    To configure the LAG mode as active-backup to provide fault tolerance.

    Example: set network lag-interface CyberLAG lag-mgt mode active-backup


    d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)

    To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.

    Example: set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)

    e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none

    Allow the primary slave to become active only if the current active slave fails and the primary is up.

    f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover

    Allow the primary to become active when it comes up again and the currently active slave becomes inactive.

    g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed

    Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave is better than speed and duplex of currently active slave.

    h. Command: set network lag-interface lag-mgt lacp lacp-rate slow

    Request partner (Switch) to transmit LACPDUs every 30 seconds

    i. Command: set network lag-interface lag-mgt lacp lacp-rate fast

    Request partner (Switch) to transmit LACPDUs every 1 second

    j. Command: set network lag-interface lag-mgt lacp static-mode enable

    To enable the static mode.

    k. Command: set network lag-interface lag-mgt lacp static-mode disable

    To disable the static mode.

    l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.

    m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3

    Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.

    n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4

    Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.


    o. Command: set network lag-interface link-mgt monitor-interval

    To configure link monitoring frequency time in milliseconds.

    p. Command: set network lag-interface link-mgt up-time

    To configure Up-Delay time in milliseconds i.e. the wait time before enabling a slave after link recovery detection.

    q. Command: set network lag-interface link-mgt down-time

    To configure Down-Delay time in milliseconds i.e. the wait time before disabling a slave after link failure detection.

    r. Command: set network lag-interface link-mgt garp-count

    To configure the number of peer notifications – gratuitous ARPs to be issued after failover event.
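The three xmit-hash-policy settings above differ only in which header fields feed the hash, and that decides whether traffic between one pair of hosts can ever use more than one member link. The sketch below is an added example, not CyberoamOS code: the XOR-fold hash is a simplified assumption, and the member names, MAC addresses and flows are constructed.

```python
"""How the xmit-hash-policy field set decides which LAG member carries a flow."""
from collections import Counter
from ipaddress import IPv4Address

# Fields each policy feeds into the hash, as listed in the CLI reference above.
POLICY_FIELDS = {
    "layer2": ("src_mac", "dst_mac"),
    "layer2+3": ("src_mac", "dst_mac", "src_ip", "dst_ip"),
    "layer3+4": ("src_port", "dst_port", "src_ip", "dst_ip"),
}

# Constructed member names; the release notes allow at most 4 ports per LAG.
MEMBERS = ["PortA", "PortB", "PortC", "PortD"]


def field_to_int(name, value):
    """Convert a MAC address, IPv4 address or port number to an integer."""
    if name.endswith("_mac"):
        return int(value.replace(":", ""), 16)
    if name.endswith("_ip"):
        return int(IPv4Address(value))
    return int(value)


def xor_fold(value):
    """Fold an integer to one byte by XOR-ing all of its bytes together."""
    digest = 0
    while value:
        digest ^= value & 0xFF
        value >>= 8
    return digest


def select_member(flow, policy, members=MEMBERS):
    """Pick the member link for a flow.

    ASSUMPTION: a simplified XOR hash used for illustration only; the
    appliance's real hash function is not documented on this page.
    """
    combined = 0
    for name in POLICY_FIELDS[policy]:
        combined ^= field_to_int(name, flow[name])
    return members[xor_fold(combined) % len(members)]


def distribution(flows, policy, members=MEMBERS):
    """Count how many flows land on each member under the given policy."""
    return Counter(select_member(flow, policy, members) for flow in flows)


def make_flow(dst_ip, src_port):
    """Constructed HTTPS flow from one client, forwarded to one next-hop MAC."""
    return {
        "src_mac": "00:1a:2b:3c:4d:5e", "dst_mac": "00:50:56:aa:bb:cc",
        "src_ip": "10.0.0.5", "dst_ip": dst_ip,
        "src_port": src_port, "dst_port": 443,
    }


# Six constructed flows: four to one server, two to another.
FLOWS = [make_flow("203.0.113.10", p) for p in (50000, 50001, 50002, 50003)]
FLOWS += [make_flow("198.51.100.7", p) for p in (50004, 50005)]

if __name__ == "__main__":
    for policy in POLICY_FIELDS:
        print(policy, dict(distribution(FLOWS, policy)))
```

With these flows, layer2 pins everything to one member because the MAC pair never changes, layer2+3 splits only by server address, and layer3+4 spreads individual connections across all four members.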

    6. ICAP – Extended Security Service Support

    a. Command: show icap

    Displays the ICAP Server configurations.

    b. Command: set icap apply-change

    For applying the configuration modification executed using Edit commands of Request Mode or Response Mode.

    To apply modifications using any of the below edit commands, use command - set icap apply-change

    c. Command: set icap edit reqmod IP-address

    Example: set icap edit reqmod IP-address 192.168.1.2

    For configuring ICAP Server Request Mode IP Address.

    d. Command: set icap edit reqmod port

    Example: set icap edit reqmod port 1344

    For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    e. Command: set icap edit reqmod service-name

    Example: set icap edit reqmod service-name xyz

    For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.

    f. Command: set icap edit reqmod reset


    All Request Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.

    g. Command: set icap edit respmod IP-address

    Example: set icap edit respmod IP-address 192.168.1.2

    For configuring ICAP Server Response Mode IP Address.

    h. Command: set icap edit respmod port

    Example: set icap edit respmod port 1344

    For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.

    i. Command: set icap edit respmod service-name

    Example: set icap edit respmod service-name xyz

    For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.

    j. Command: set icap edit respmod reset

    All Response Mode parameters, IP Address, port and service-name are reset to respective default value. By default, the value is none. The Response Mode for the respective ICAP Server shall be flushed.

    k. Command: set icap edit options body limit

    Example: set icap edit options body limit 10485760

    To configure the inbound and outbound content body limit in bytes.

    l. Command: set icap edit options connections

    Example: set icap edit options connections 1

    To configure the number of connections.

    m. Command: set icap edit options mode_dlp

    For switching on or switching off the DLP mode.

    In case of Request Mode, only POST and PUT method traffic are sent to ICAP server.
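What the Request Mode settings above translate to on the wire, following the ICAP/1.0 framing in RFC 3507. This is an added example, not Cyberoam code: the server address, port and service name are the values from the CLI examples, while the HTTP request and the ICAP replies are constructed samples.

```python
"""ICAP/1.0 REQMOD framing (RFC 3507) for an intercepted POST, plus reply triage."""

# Server values are the ones used in the CLI examples above.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "192.168.1.2", 1344, "xyz"

# Constructed sample: an HTTP POST as the gateway would see it.
SAMPLE_HTTP_HEADERS = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
)
SAMPLE_HTTP_BODY = b"memo=constructed-sample-text"

# Constructed sample replies from an ICAP server.
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_BLOCKED = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "constructed-1"\r\n'
    b"Encapsulated: res-hdr=0, null-body=" + str(len(BLOCK_PAGE)).encode() + b"\r\n\r\n"
) + BLOCK_PAGE
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n\r\n'


def build_reqmod(http_headers, body, host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """Wrap one HTTP request in an ICAP REQMOD message."""
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    if body:
        # Offsets are counted from the start of the encapsulated section.
        encapsulated = f"req-hdr=0, req-body={len(http_headers)}"
        # The encapsulated body is always chunked, whatever the original framing.
        payload = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_headers)}"
        payload = b""
    icap_head = (
        f"REQMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # lets the server answer 204 when nothing was changed
        f"Encapsulated: {encapsulated}\r\n"
        "\r\n"
    ).encode("ascii")
    return icap_head + http_headers + payload


def parse_encapsulated(value):
    """'res-hdr=0, res-body=44' -> [('res-hdr', 0), ('res-body', 44)]"""
    parts = []
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        parts.append((name, int(offset)))
    return parts


def parse_icap_response(raw):
    """Classify an ICAP reply to REQMOD as unmodified, modified or blocked."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header")
    lines = head.decode("ascii").split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"icap_status": int(code), "verdict": "error", "http_status": None}
    if result["icap_status"] == 204:
        result["verdict"] = "unmodified"  # forward the original request as is
    elif result["icap_status"] == 200:
        sections = dict(parse_encapsulated(headers["encapsulated"]))
        if "res-hdr" in sections:
            # The server answered with an HTTP response instead of a request.
            status_line = payload[sections["res-hdr"]:].split(b"\r\n", 1)[0]
            result["http_status"] = int(status_line.split()[1])
            result["verdict"] = "blocked" if result["http_status"] >= 400 else "replaced"
        else:
            result["verdict"] = "modified"  # forward the rewritten request
    return result


if __name__ == "__main__":
    print(build_reqmod(SAMPLE_HTTP_HEADERS, SAMPLE_HTTP_BODY).decode())
    print(parse_icap_response(SAMPLE_BLOCKED))
```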


  • Release Notes: CyberoamOS Version 10.6.1

    Document Version – 1.01-29/05/2014

    3. High Availability (Active-Active / Active-Passive) in Bridge / Mixed Mode

    From this version onwards, CyberoamOS supports High Availability (HA) in Mixed Mode. Up till now, HA was supported only in Route mode. Both the HA modes: Active-Active and Active-Passive are supported in Bridge / Mixed Mode.

    Pre-requisites

    • In HA, the traffic on all bridge member interfaces (physical) can be monitored

    • Once a pair of interfaces is configured as a bridge pair, they cannot be configured as HA Monitoring Ports.

    • Logical bridge interface or physical member interfaces cannot be configured as Dedicated Port.

    • Bridge member physical interface can be configured as Peer Administration Port.

    To configure HA in Mixed Mode, go to System > HA > HA.

    4. On-Cloud Web Categorization

    From this version, URL categorization database has migrated to the Cloud. This will ensure that there is a central and common database for all CyberoamOS appliances world over. The appliance will use the ports 443, 80, 6060 and 6061 to communicate with Cloud server.

    Advantages:

    • Unlimited number of URLs in the categorization database

    • Real time categorization

    5. External Web Categorization database Support

    Enterprises often like to have their own categorization database to reap the advantages of multiple databases, better categorization and custom categorization.

    From this version onwards, CyberoamOS allows using an external Web categorization database for web filtering. An external Web Categorization database containing URLs is imported as a custom web category.

    The Administrator needs to configure the URL (HTTP or FTP) of the external Web Category URL database. The appliance will fetch the database from the specified URL. The database of URLs should be in one of the following file types: .tar, .tar.gz, .gz, .bz2, or plain text file.

    Points to note:

    • On a successful backup–restore, the external database needs to be updated.

    • If a categorized URL is appended, edited or deleted, the database will be downloaded again for other existing URLs.

    • Multiple external Web Category databases can be added.

    To import the external Web Category database, go to Web Filter > Category > Category > Add and select External URL Database for parameter Configure Category. Specify HTTP or FTP URL to add the external Web Category database.


    6. Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications

    Internet Content Adaptation Protocol (ICAP) is a lightweight protocol supporting HTTP content inspection and adaptation functionality. It offloads the primary server by redirecting specific Internet-based content to dedicated ICAP (Proxy) Servers. These ICAP servers are focused on a specific function, for example, ad insertion, virus scanning, or content filtering.

    With newly added support for ICAP 1.0, Cyberoam can be deployed in heterogeneous enterprise environments and can hand over HTTP traffic to an ICAP Server for malware scanning, content filtering and DLP scanning or other processing. After applying its Web Filter Policy, Cyberoam will forward the Web traffic to the ICAP server, which in turn can apply data usage policies, antivirus scanning policies and content filtering policies. Depending on the services configured in the ICAP server, the user receives the access denied message and virus detection message from either Cyberoam or the ICAP server.

    Currently, CyberoamOS supports a single ICAP profile with Request, Response and Options mode, which can be configured from the CLI. All the events are logged under System Logs and the Administrator can view all the event logs from the Log Viewer.

    Cyberoam can be seamlessly integrated using ICAP-compliant DLP/AV Scanning/Web Filtering applications:

    • Symantec DLP

    • Symantec Protection Engine 7.0

    • Trend Micro Interscan Web Security Virtual Appliance

    • Sophos Anti Virus

    • Commtouch Anti Virus

    Points to note:

    • This feature is supported in all the appliance models above CR50iNG.

    • This feature is released as BETA.

    For related CLI Commands, please refer to the attached Appendix - I.

    7. Support of Secure LDAP/Active Directory (SSL/TLS)

    From this version, the communication between Cyberoam and AD / LDAP server has become more secure.

    CyberoamOS now supports:

    • LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS/SLDAP. CyberoamOS supports SSL2.0, SSL3.0, TLS1.0, TLS1.1 and TLS1.2.

    • The use of FQDN is mandatory when the certificate used for Secure AD/LDAP communication is generated by the Active Directory CA.

    • FQDN has to be configured as Common Name in Third Party CA/Certificate.

    • If IP address is configured as Certificate ID, then instead of FQDN, IP Address can be configured as Server IP/Domain in External Authentication Server.

    To configure LDAP, go to Identity > Authentication > Authentication Server, click Add and select the LDAP for parameter Server Type.
