Cyberoam Docs

March 30, 2018 | Author: suhradam | Category: Transport Layer Security, Email Spam, Firewall (Computing), Computer Network, Password





Description

1. Release Notes 10.04.X Build XXX

1.1. V 10.04.5 Build 007

Release Date
Version 10.04.5 Build 007 – 25 November, 2013

Release Information
Release Type: Enhancement Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX | All the versions
V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX | 214, 304, 311, 338, 433
V 10.04.1 Build XXX | 451
V 10.04.2 Build XXX | 527
V 10.04.3 Build XXX | 543
V 10.04.4 Build XXX | 028

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with Cyberoam Virtual Appliances.
This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
- | - | - | - | -

Introduction
This document contains the release notes for Cyberoam Version 10.04.5 Build 007. The following sections describe the release in detail.
This release comes with several bug fixes to improve quality, reliability, and performance.

Bugs Solved

Access Server
Bug ID – 14949
Description – L2TP client does not get authenticated to Cyberoam via Local Authentication, if CHAP or MS-CHAP protocol is used for authentication and Cyberoam Firmware is upgraded to Version 10.04.4.028.

Cyberoam Docs http://docs.cyberoam.com/print.asp?id=508&Lang=1&SID 1 of 36 04-02-2014 3:34 PM

Anti Virus
Bug ID – 14766
Description – FTP session needs to be disconnected manually once the file is successfully uploaded, if FTP scanning is enabled from Firewall Rule page and the size of the file to be uploaded is greater than the value specified in the parameter "Files Greater Than Size Should not be scanned" from FTP page of Anti Virus.

GUI
Bug ID – 12337
Description – Application names are not displayed while viewing Application Filter logs on the Log Viewer page.
Bug ID – 14961
Description – The word “Login” is mis-spelled as “Logoin” in an error message displayed on Notification page of System Configuration.

Network
Bug ID – 15006
Description – 3G modem D-Link DWM-156 is not compatible with Cyberoam Appliance.
Bug ID – 15084
Description – HUAWEI Mobile E3276 does not connect to Cyberoam, if “IP Assignment” mode is selected as DHCP from Wireless WAN Setting page.
Bug ID – 15181
Description – Huawei HB4F1 3G modem is not compatible with Cyberoam Appliance.

1.2. V 10.04.4 Build 028

Release Date
Version 10.04.4 Build 028 – 10 September, 2013

Release Information
Release Type: Enhancement Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX | All the versions
V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX | 214, 304, 311, 338, 433
V 10.04.1 Build XXX | 451
V 10.04.2 Build XXX | 527
V 10.04.3 Build XXX | 543

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with Cyberoam Virtual Appliances.
This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 Build 203. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1 | 1.00-10/09/2013 | 1.01-18/09/2013 | Bug Solved | Bug Detail Updated

Introduction
This document contains the release notes for Cyberoam Version 10.04.4 Build 028. The following sections describe the release in detail.
This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.

Enhancements

1. Guest User Enhancements
Apart from Guest Users registering themselves using Guest User Portal, Cyberoam now allows the Administrator to configure Guest Users from Web Admin Console.
While creating Guest Users from Web Admin Console, Administrator has an option to configure a single user or multiple guest users. The auto-generated credentials and the Internet access details so created can be printed. The following details can be printed:
· Username
· Password
· Expiry Date
· Validity (Time duration in days)
· Disclaimer message (Once configured, it can be edited but cannot be removed)
The credentials and Internet access details of guest users registered via Guest User Portal can either be sent via SMS or can be printed. However, the guest users created from Web Admin Console can only be printed.
An Administrator can also choose since when to consider the Guest User to be active, i.e. either immediately after registration or after the first login.
Prior to this version, only the Guest Users could register themselves on Guest User Portal using the Internet access details received via SMS on their mobile phones.
To create Guest Users go to Identity > Guest Users > Guest Users and click Add Single or Add Multiple to add a single or multiple Guest Users respectively. On the same page click Print to print the Guest User details.
Further, to add and manage guest users, permissions are to be set for two new entities Guest Users Management and Other Guest Settings from Profile under Identity Administration.

2. Extended Two Factor Authentication Support
From this version onwards, the two factor authentication support for Cyberoam Captive Portal is extended to SSL VPN Portal, SSL VPN Client, Cyberoam Web Admin Console, My Account, Reports, 4-Eye Authentication and Open VPN Client for iPhone and Android.
When two factor authentication is configured on the third-party Authentication Server, the user needs to provide two means of identification on the clients that support two factor authentication. The user will either have to provide One-Time Password (OTP), PIN or challenge-response token as well as the fixed password to log on to two factor authentication supported Cyberoam clients as configured in third party authentication servers like RSA or FreeRadius server.
For further details, refer to How to Login in a Two Factor Authentication Environment.

3. Secure Connection over SMTP Mail Notification
With more and more people using the Internet for socializing, personal and professional use, the information shared via Email may not always be secured. Information within Email can be intercepted and/or altered if not encrypted. Privacy and security of confidential and sensitive information has therefore been a growing concern.
A security protocol, Transport Layer Security (TLS), secures the information sent via Email by encrypting Email communication and thereby providing privacy and integrity between SMTP Client and a SMTP Server.
Cyberoam supports TLS protocol to provide security over SMTP Mail Notification. With TLS protocol for connection security, Cyberoam automatically encrypts all the Email communications, ensuring the confidentiality for SMTP Mail Notification and reducing the risk of eavesdropping, interception and alteration.
Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard.
The “Connection Security” attribute can be configured with one of the following options:
· None – Should be selected if TLS protocol is not supported by mail servers and a normal TCP connection must be established without any security.
· STARTTLS – If the server supports STARTTLS, the connection is upgraded to TLS else continues as a TCP connection without any security.
· SSL/TLS – Should be selected to establish a secured TCP connection using TLS protocol.
By default, option “None” is configured for parameter Connection Security.
Cyberoam uses certificates to encrypt the data sent over a TLS supported TCP connection. An Administrator can choose to use a default certificate or select a custom certificate. By default, “ApplianceCertificate” is used for data encryption for secured TCP connection.
On Factory Reset, the “Connection Security” and “Certificate” parameters are set to their default values, i.e. “None” and “Select Certificate” respectively.
Prior to this version, a normal TCP connection was used for communication between the SMTP Client and a SMTP Server for SMTP Mail Notification.
To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate. Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.

Miscellaneous Changes

1. Spam Digest is renamed to Quarantine Digest
From this version onwards, the word “Spam Digest” is renamed to “Quarantine Digest” in the Anti Spam, Identity and My Account modules.
Quarantine Digest will quarantine spam Emails. However, the legitimate Emails may be quarantined due to user-defined configurations.

2. Chinese Character Encoding support
Cyberoam OS henceforth supports Chinese character encoding method for Traditional Chinese characters used in Taiwan, Hong Kong and Macau.

Bugs Solved

Anti Spam
Bug ID – 14293
Description – Quarantine Mails cannot be released, if the number of connections in Web GUI daemon exceeds its limit of 10.

DNS
Bug ID – 14043
Description – Cyberoam is unable to resolve “CNAME” query, if Cyberoam is configured as a DNS server in client machine and root server is used for resolving the “CNAME” query instead of the configured DNS server.

Firewall
Bug ID – 14180
Description – The value “Load Balance” of parameter “Backup Gateway” gets automatically changed to the first value that appears in the list, while editing an existing Firewall Rule.
Bug ID – 14638
Description – The RTP communication gets disrupted during a SIP call in appliances above CR200iNG and CR200iNG-XP.
Bug ID – 14828
Description – Firewall Rule logs are not displayed in the Log Viewer, though “Firewall Rules” is enabled from Configuration “Log Settings” page of Logs & Reports.

Network
Bug ID – 11506
Description – 4G-Huawei E3276s-150 LTE modem is not compatible with Cyberoam Appliance.
Bug ID – 13654
Description – AirCard 340U modem is not compatible with Cyberoam Appliance.

Online Help
Bug ID – 13890
Description – An error “Error! Unknown document property name.” is displayed on IPS page of Online Help.

System
Bug ID – 11554
Description – Cyberoam ceases to function when deployed in Bridge Mode with STP enabled environment.

VPN
Bug ID – 11261
Description – NATing over VPN functions improperly, if a classless subnet is configured and first IP Address of host range does not map with the first valid IP Address of the subnet.
Example:
Site A:
Real Network: 10.0.0.0/255.255.252.0
NATted Network: 172.16.20.0/22
Site B:
Real Network: 10.0.0.0/255.255.255.248
NATted Network: 192.168.19.216/255.255.255.248
If 10.0.0.2 is pinged from Site A to Site B, Cyberoam NATs with 192.168.19.2 instead of 192.168.19.218.
Bug ID – 12825
Description – Modified IP Address of “IP Host” configured against NATted IP Address does not come into effect and the Site to Site VPN traffic passes with previously configured NATted IP Address, though the Web Admin Console displays the IP host updated with the modified configuration.

Wireless LAN
Bug ID – 8005
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwi appliances.
Bug ID – 11018
Description – A client is unable to get authenticated via external RADIUS server, if the Wireless LAN Network Access Point parameter “Security Mode” is configured either as “WPA-Enterprise” or as “WPA2-Enterprise” for CR25wi or CR35wi appliances.
Bug ID – 12177
Description – Wireless Clients get disconnected frequently from Wi-Fi in CRXXwiNG appliances.
Bug ID – 12637
Description – The tab “Connected Client” of Network Wireless LAN is inaccessible frequently in CRXXwiNG appliances.

1.3. V 10.04.3 Build 543

Release Dates
Version 10.04.3 Build 543 – 6th June, 2013

Release Information
Release Type: Maintenance Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX | All the versions
V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX | 214, 304, 311, 338, 433
V 10.04.1 Build XXX | 451
V 10.04.2 Build XXX | 527

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with Cyberoam Virtual Appliances.
This Cyberoam version is compatible with the Cyberoam Central Console version 02.02.0 build 065. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1 | 2.00-12/06/2013 | 2.01-19/06/2013 | Enhancements | Data Accounting Exception – fine tuned
2 | 1.00-07/06/2013 | 2.00-12/06/2013 | Enhancements | Revamped the entire section
3 | 1.00-07/06/2013 | 2.00-12/06/2013 | Miscellaneous Changes | Revamped the entire section
4 | 1.00-07/06/2013 | 2.00-12/06/2013 | Behavior Change | Revamped the entire section
5 | 1.00-07/06/2013 | 2.00-12/06/2013 | Known Behavior | Revamped the entire section

Introduction
This document contains the release notes for Cyberoam Version 10.04.3 Build 543. The following sections describe the release in detail.
This release comes with enhancements, and several bug fixes to improve quality, reliability, and performance.

Enhancements

1. Location-aware and Device-aware Identity-based Access Control Policy
With the growing use of wireless networks and mobile devices, companies with offices spread across geographic locations, and increasing mobile workforce, the always-connected world is moving towards an era where location information becomes necessary for access control.
To cater to this need of the enterprises, Cyberoam, from this version onwards, supports configuring specific access policies to the users according to location and network parameters like IP Address or MAC address of the device. Administrator even has an option to schedule the access time per location. The administrator can monitor and analyze the usage through Cyberoam’s user-based reports and re-align access and security policies to match the business interests.
The feature is very useful for organizations where role-based access policy is required for employees and its guest users.

Steps to implement location-aware policy:
1. Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from a specific zone.
2. Create Web Filter policy for the Web categories which you want to allow/deny if the user is accessing from a specific zone.
3. Create Identity-based Firewall for the specific zones.
4. Attach an Application Filter and Web Filter policy created in step 1 and 2.
By default, the Group's Application and Web Filter policy is applied to the user. Until previous version it was not possible to override these policies.

Steps to implement device-aware policy:
1. Create Application Filter policy for the applications, which you want to allow/deny if the user is accessing from the specific IP Address.
2. Create Web Filter policy for the web categories which you want to allow/deny if the user is accessing from the specific IP Address.
3. Create Identity-based Firewall for the specific IP Address.
4. Attach an Application Filter and Web Filter policy created in step 1 and 2.
By default, the Group's Application and Web Filter policy is applied to the user. Until previous version it was not possible to override these policies.
Refer to how to configure location-aware Identity-based access control policy for a head office employee who is visiting branch office. The employee’s access control policy will change as per location.
To configure access policies to the users according to location, go to Firewall > Rule > Rule.

2. Password Strength Enforcement for Guest User
To use password as an effective authentication mechanism, it is necessary that password is strong enough to reduce the risk of a security breach. Cyberoam provides a configurable password strength policy whereby Administrator can enforce password length and complexity making it difficult for an attacker to guess Cyberoam’s auto-generated password. This helps protect the user account from being compromised.
The administrator can configure password length and complexity from Identity > Guest Users > General Settings. The password can be of three (3) to sixty (60) characters in length. The password can be numeric, alphabetic or a combination of alpha-numeric and special characters.
The default password is alpha-numeric and eight (8) characters long.
The password strength configuration is applicable only when a new password is generated.

3. Data Accounting Exceptions
By default user’s network traffic is considered in data accounting. From this version onwards, the Administrator has the flexibility of excluding certain traffic from the user data accounting. The option to exclude accounting is provided in the Firewall rule and is visible only when identity is selected.
When an administrator creates a user-based firewall rule and excludes the traffic from accounting, the traffic allowed through this firewall rule will not be accounted towards data transfer for the user. Traffic allowed through the non-identity based firewall rule will not be accounted.
This traffic will not be included in the user accounting reports - Internet Usage report and My Account reports, but will be included in the firewall activity reports.
This feature is useful in enterprises that have application servers hosted at the head office or in the Cloud and, the Cyberoam Administrator wants to exclude this traffic from data accounting.
To exclude traffic from data accounting, go to Firewall > Rule > Rule and enable “Bypass User Data Transfer Accounting”.

4. Visibility and Protection Within Trusted Zones
From this version onwards, an Administrator can monitor and block traffic within trusted zones (LAN and DMZ) and outbound traffic using the Application Filter and Web Filter policies configured in Firewall Rule. For example, it is possible to block the use of the Jabber instant messaging (IM) within the organization.
With this enhancement, an Administrator can apply Application Filter and Web Filter policies on the following Firewall Rules:

Source Zone ↓ / Destination Zone → | LAN | DMZ | Local | VPN | WAN
LAN | ✓ | ✓ | ✗ | ✓ | ✓
DMZ | ✓ | ✓ | ✗ | ✓ | ✓
VPN | ✓ | ✓ | ✗ | ✓ | ✓
WAN | ✗ | ✗ | ✗ | ✗ | ✗

Prior to this version, Application Filter and the Web Filter policy could be configured only on web traffic (LAN to WAN) in a Firewall Rule.
To configure Application Filter Policy and Web Filter Policy for internal traffic, go to Firewall > Rule > Rule.

5. Optimized Virtual Machine Image Size
Cyberoam’s Virtual UTM image size is now approximately 350MB - reduced by approx 600MB to save bandwidth and download time. Customers can download Virtual UTM distribution package from the customer portal.

6. Granular Outbound Spam Configuration from Web Admin Console
Now Administrator can configure Outbound Spam Filter policies from Web Admin Console. The administrator can configure granular control in terms of blocking, allowing or quarantining mails from specific email addresses, IP Address or Domain.
The administrator also has the flexibility to reject, drop, or change the mail receiver if the email is identified as spam. These configurations are available through Anti Spam menu.

Subscription details
Prior to this version, it was not possible to configure Inbound and Outbound spam filtering simultaneously. From this version onwards, Cyberoam can scan both inbound and outbound SMTP emails for spam to stop wasting employee’s time and mail server’s resource and stop your mail server from getting blacklisted.

Changes on the Web Admin Console
Once the Outbound Spam module is subscribed, to differentiate between inbound and outbound configuration word ‘Inbound’ will be prefixed to all the UI labels, for example, label ‘Anti Spam Module Has Identified Mail As’ will be displayed as ‘Inbound Anti Spam Module Has Identified Mail As’.

Changes in Reports
Following reports will be renamed to represent the Inbound spam activity:
Report Name (when only Anti Spam module is subscribed) | Report Name (when both Anti Spam and Outbound Spam modules are subscribed)
Top Spam Recipients | Top Inbound Spam Recipients
Top Spam Senders | Top Inbound Spam Senders

Spam Reports
Cyberoam-iView provides reports for Outbound spam activities taking place in organization network. The report includes senders, recipients, and countries. It helps the administrator to identify compromised accounts and zombie computers in the network and take a corrective action.
View following outbound spam reports from Reports > Spam:
1) Top Outbound Spam Recipients
2) Top Outbound Spam Senders
3) Top Spam Receiving Countries
To configure Outbound Spam Filter policies, go to Anti Spam > Spam Rules > Spam Rules.

7. Protection against Abuse of Administrative Privileges
From this version Cyberoam supports a new entity named Administrator User - added in Profile under Identity Configuration.
The administrator with Read-Write permission for this new entity will be able to create new administrator accounts, change password of other administrator accounts and control their permission levels. The administrator with Read-Only permission will only be able to change their own password and Email Address.
Go to the System > Administration > Profile and under Identity Configuration, configure access rights of the entity Administrator Users.
After migrating or upgrading to this version, original permissions will be retained for all the profiles except Security Admin profile. Read-Only permission is set for Administrator User entity in Security Admin profile.

8. ConnectWise – Third-Party Integration
ConnectWise enables the organizations to connect and communicate through one unified and integrated operational platform. It provides organizations with integration and management of Help Desk, Services, Sales, Marketing, Finance, Project etc. through a single operational platform.
With this version, Cyberoam-iView allows the administrator to send a set of data to the ConnectWise server. The administrator can now view this data as reports on the ConnectWise server without logging into Cyberoam UTM.
To integrate ConnectWise with Cyberoam-iView, log on to Cyberoam-iView and go to System > Configuration > ConnectWise. To know more, refer to Cyberoam Integration with ConnectWise.
Once integrated, the following Cyberoam reports will be displayed on the ConnectWise server:
Cyberoam Reports | ConnectWise Reports
Web Usage > Top Domains | Top Sites
Blocked Web Attempts > Top Denied Domains | Filtered Sites
Internet Usage > Top Users | Bandwidth
Attacks > Top Attacks | Intrusion

9. Two Factor Authentication Support for Captive Portal
From this version Cyberoam supports two factor authentication for the Captive Portal users.
When two factor authentication is configured on the third-party Authentication Server, the user has to provide two means of identification. The user will either have to provide One-Time Password (OTP), PIN or challenge-response token as well as the fixed password to log on to Cyberoam Captive Portal as configured in third party authentication servers like RSA or FreeRadius server.

10. Controlled Access to a Specific Page on a Web Site
From this version onwards, Cyberoam allows the Administrator to provide the complete URI of specific domain to be allowed or blocked. This lets the Administrator control a specific page on a website, without using a blanket-blocking rule to block the full Website.
A URI is a combination of a Uniform Resource Locator (URL) and a Uniform Resource Name (URN).
Example:
· URI – http://www.testofuri.com/url/name-of-domain.html
· URL – http://www.testofuri.com/url/
· URN – name-of-domain.html
Prior to this version, only URLs were supported in the “Domain” field of parameter “Domain/Keyword”.
To add a URL in the Web Category, go to Web Filter > Category > Category and add URI in the “Domain” field of the parameter “Domain/Keyword”.

Miscellaneous Changes

1. Configure Mail Server Address as a FQDN or an IP Address
From this version onwards, configure Mail Server Address as a FQDN or an IP Address. This flexibility will help the Administrator to change the IP Address of a host without affecting name-based queries to the machine.
To configure go to the System > Configuration > Notification.

2. Validate Mail Server Configuration
Use Test Mail option to send a test mail to validate the mail server configuration and connectivity. Administrator can check the System Logs from Log Viewer to ascertain the reason of failure if Cyberoam is not able to send the test mail.
To configure go to the System > Configuration > Notification.

3. Usability Improvement - Labeled Buttons
For ease of use following icons on the top left panel on the Cyberoam screen are labeled:
· Dashboard
· Wizard
· Report
· Console

Behaviour Change

VPN Services
Minimum one policy is required to access VPN services like SSL / IPSec / L2TP / PPTP. On deleting all the policies, the respective service will not be available.
To use GRE tunnel, service should be enabled.

Guest User Registration Portal
Guest User Registration portal now uses port 8090 instead of port 80.

Known Behaviour

SSL VPN Client Version 1.2.7
The user is automatically logged into Cyberoam even when “Autologin” and “Save Username and Password” options are disabled.

Bugs Solved

Anti Spam
Bug ID – 13461
Description – User does not receive Spam Digest Emails from Cyberoam as per the Quarantine Email Frequency configured from Anti Spam Digest Settings page.

CLI
Bug ID – 8755
Description – DHCP name value gets truncated after space or special characters, on configuring it from Cyberoam Console.

GUI
Bug ID – 12823
Description – CPU utilization is high in CR35XXXX and lower appliances, if the parameter “Update Mode” is selected as “Appliance will fetch updates from Central Management” and Connection protocol as “HTTPS” on the Central Management page of System Administration.
Bug ID – 12958
Description – The default country code selected at Guest Users General Settings page is not reflected on the Guest User Registration page, if there exists more than one country having same country code.
Bug ID – 13459
Description – IPSec VPN Tunnel Connection "Status" button for indicating partial connection is blue in color instead of yellow in iNG appliances.

IPS
Bug ID – 11754
Description – Categories cannot be edited while adding a new IPS Policy.
Network
Bug ID – 12440
Description – PPPoE interface does not receive an IP Address, if Cyberoam sends a connection request to the PPPoE server before the interface turns on.

Proxy
Bug ID – 11433
Description – Windows updates fail, if Cyberoam is configured as a direct proxy or HTTPS scanning is enabled from Firewall Rule.

Report
Bug ID – 12647
Description – An error message “Internal server error” is displayed for Version 9 reports, on upgrading the Cyberoam Firmware to Version 10.04.1 Build 451.

SSL VPN
Bug ID – 112
Description – A warning message “Glob.mdb file not found. Localization will not be available.” is displayed on rebooting the Windows machine, though the SSL VPN Client is successfully installed on it.
Bug ID – 151
Description – SSL VPN tunnel gets disconnected after 60 minutes in Windows XP, 7 and 8 with SSL VPN Client Version 1.1.7.
Bug ID – 160
Description – SSL VPN Client cannot add more than 54 routes.
Bug ID – 13377
Description – SSL VPN Application Access Mode does not get initiated, on upgrading Java to Version 7 update 21.

User
Bug ID – 12898
Description – User accounting does not reset on clicking “Reset User Accounting” from Users Identity page, if multiple users log into Cyberoam using Web Portal, Corporate Client and iOS Web Client.

Virtual CR
Bug ID – VCR-51
Description – At the time of shut down, HyperV halted.

VPN
Bug ID – 10469
Description – Avaya phone fails to reconnect to VPN, when the phone restarts while the VPN connection is live.
Bug ID – 11066
Description – Multiple IPSec VPN tunnels could not be created for different local subnets having same remote network using different IPS links.
Bug ID – 13152
Description – Administrator does not receive an Email Alert when IPSec Tunnel connection flaps and fails to re-establish connection after detecting a dead peer, even if the parameter “Action When Peer Unreachable” is selected as “Re-initiate” on VPN Policy page.

WAF
Bug ID – 11024
Description – A website opens partially, if the website’s HTML data includes incomplete end tags and WAF is enabled from the Firewall Rule.
Bug ID – 12162
Description – The website http://gozaresh.shaparak.com does not open, if WAF is enabled from Firewall Rule.

1.4. V 10.04.2 Build 527

Release Dates
Version 10.04.2 Build 527 – 25th March, 2013

Release Information
Release Type: Maintenance Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX | All the versions
V 10.02.0 Build XXX | 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX | 214, 304, 311, 338, 433
V 10.04.1 Build XXX | 451

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the below given steps:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with Cyberoam Virtual Appliances.
This Cyberoam version release is compatible with the Cyberoam Central Console V 02.02.0 Build 051. Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
- | - | - | - | -

Introduction
This document contains the release notes for Cyberoam Version 10.04.2 Build 527. The following sections describe the release in detail.
This release comes with a few enhancements and a bug fix to improve quality, reliability and performance.

Enhancements

1. USB Support for Dial-In (CR15iNG & CR15wiNG models only)
From this version onwards, Cyberoam supports DB9 modem with USB port. Further, USB modem can also be connected directly to the USB port of the Appliance.
Cyberoam supports following ports across CR15XXX Appliances:

Type of Port | Cyberoam Appliance | Behavior
Serial Port | CR15i, CR15wi | The appliance will reboot automatically on serial dial-in enable/disable.
USB Port | CR15iNG, CR15wiNG | The appliance will not reboot automatically on serial dial-in enable/disable.

DB9 and USB modem both can be physically connected to the USB ports simultaneously. But, request will be served only through the modem which is detected first by Cyberoam.

2. Power Management Support for Virtual Cyberoam
From this version onwards, graceful shut down is supported for VMware Workstation and ESX. One can shut down using options “Shut Down Guest” or “Restart Guest”.
Prior to this version, using these options from the VMware brought the system to an abrupt halt.

3. Static IP Address Assignment Support for L2TP and PPTP VPN Users
From this version onwards, static IP Addresses can be assigned to L2TP and PPTP users.
Prior to this version, IP Address was leased from the configured IP Address range.
To configure Static IP Address for L2TP and PPTP users, go to Identity → Users → Users.

4. Lease IP Address Through RADIUS Server to L2TP And PPTP VPN Users
From this version onwards, apart from authenticating users, Radius Server can now also be used to lease IP Address to L2TP and PPTP users. If the option “Allow leasing IP Address from Radius server” is enabled, the configured IP Address is overridden with the IP Address provided by the Radius Server.
Prior to this version, Radius Server was used only for authentication.
To allow Radius Server to lease IP Address to L2TP user, go to VPN → L2TP → Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is in disable mode.
To allow Radius Server to lease IP Address to PPTP user, go to VPN → PPTP → Configuration and enable “Allow leasing IP Address from Radius server”. By default, it is in disable mode.
If no IP Addresses are configured on the Radius Server, the Static IP Address configured for the user will be assigned, else IP Address will be leased from configured IP Address Range.

5. Guest User Registration Enhancements

Configure default country code
From this version onwards, Cyberoam allows the Administrator to configure a default country code on the Guest User Registration page.
To configure default Country Code, go to Identity → Guest Users → General Settings and select “Default Country Code”.

Option to Disable CAPTCHA Verification For Guest User Registration
Cyberoam now allows the Administrator to Enable or Disable CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) verification on Guest User Registration page. By enabling CAPTCHA Verification the administrator can protect Cyberoam against attacks generated by automated programs.
By default, CAPTCHA Verification is enabled.
To disable CAPTCHA Verification on Guest User Registration page, go to Identity → Guest Users → General Settings and enable/disable “CAPTCHA Verification”.

6. Captive Portal Enhancements
From this version onwards, the tab-title on the Captive Portal login screen of HTTP/HTTPS Web Client User Portal is renamed as “Captive Portal”.
In previous versions, the tab-title was “Cyberoam”.

7. SMS Gateway Enhancement
Cyberoam now supports using both HTTP and HTTPS URL to send an SMS request to external SMS Gateway. The service provider defines the URL protocol.
Prior to this version, Cyberoam supported only HTTP URLs.
To configure URL for SMS Gateway, go to Identity → Guest Users → SMS Gateway.

8. OpenVPN Connect Support for Apple iOS
From this version onwards, Cyberoam supports OpenVPN Connect application in iOS. Using this application the user can connect to Cyberoam using SSL VPN.
For further details, refer to How To – Configure SSL VPN for iPhone/iPad using OpenVPN Connect.

Bugs Solved

SSL VPN
Bug ID – 12429
Description – Active Directory User cannot log in through the SSL VPN Portal and SSL VPN Client, if the user has a domain name with i18n characters.

1.5. V 10.04.1 Build 451

Release Dates
Version 10.04.1 Build 451 – 7th March, 2013

Release Information
Release Type: Maintenance Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX: All the versions
V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX: 214, 304, 311, 338, 433

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.
By doing this, the customer will not be able to roll back.

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with Cyberoam Virtual Appliances.
This Cyberoam version release is not compatible with the Cyberoam Central Console. Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1. | 1.04 - 06/03/2013 | 1.05 - 14/03/2013 | Compatibility Annotations | No Cyberoam Central Console Support for this Cyberoam Firmware.
2. | 1.04 - 06/03/2013 | 1.05 - 14/03/2013 | Enhancement: Backup Restore Compatibility for Cyberoam Wi-Fi Appliances | Removed the mention of “wi” and “wiNG” series of appliances in Note.

Introduction
This document contains the release notes for Cyberoam Version 10.04.1 Build 451. The following sections describe the release in detail.
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.

Enhancements

1. Backup Restore Compatibility for Cyberoam Wi-Fi Appliances
From this version onwards, the backup of CR (i or ia or iNG) series can be restored on CR (wi or wiNG) series, but vice-versa is not true.
Also, the backup of Cyberoam Virtual Appliance can be restored on CR wi series and CR wiNG series, but vice-versa is not true.
The facility to restore backup of CR i series on CR wi series is applicable from Version 10.01.0.667 and above.
To restore backup of physical appliance (i series, ia series, iNG series) to Virtual Appliance, equal or more number of ports must be created in Virtual Cyberoam Appliance.
For further information, refer Backup Restore Compatibility Matrix.

2. Time and Data Transfer Threshold based iOS User Logout
From this version onwards, Cyberoam supports data transfer and inactivity timeout thresholds to logout iOS Web Client user.
With this enhancement, once the user logs in to Cyberoam using Captive Portal, a periodic check for the total data transferred is done at every three (3) minutes of the configured time period. If the total data transferred in the given time period is equal or more than the configured data transfer value, the user continues to remain logged in and the timer is reset. However, if the total data transferred is less than the configured value, the user will be logged out.
Prior to this version, the user had to login every time from iOS device for accessing Internet, if the device was kept idle.

Example:
Inactivity Timeout = 13 minutes
Data Transferred Threshold = 2500 Bytes
In this case, the user is logged out if the data transferred is less than 2500 Bytes for 5 consecutive cycles of 3 minutes each.
Here the number of consecutive cycles is derived:
Number of consecutive cycles = (Inactivity Timeout value / 3 minutes) = 13 minutes / 3 minutes = 4.33 ~ 5 (Ceiling Value)

Logout on Browser close and Keep Alive Request for Captive Portal is not supported with iOS device.
Client type “iOS Web Client” is displayed on Web Admin Console of Cyberoam Live Users page.
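The cycle arithmetic above means the effective idle window is rounded up to a multiple of three minutes, which matters when a short timeout is part of an access policy. The following is an added example, not Cyberoam code: the class and function names are hypothetical, and it assumes each 3-minute check compares the bytes transferred in that cycle against the threshold.

```python
import math
from dataclasses import dataclass

# The release note states that the check runs every three minutes.
CHECK_INTERVAL_MIN = 3


@dataclass(frozen=True)
class IosLogoutPolicy:
    """Hypothetical model of the 'iOS Web Client Settings' pair of values."""
    inactivity_timeout_min: int   # "Inactivity Time"
    data_threshold_bytes: int     # "Data Transfer Threshold"

    def __post_init__(self):
        if self.inactivity_timeout_min <= 0:
            raise ValueError("inactivity timeout must be positive")
        if self.data_threshold_bytes < 0:
            raise ValueError("data threshold cannot be negative")

    @property
    def cycles_to_logout(self) -> int:
        # Ceiling value, as in the worked example: 13 / 3 = 4.33 -> 5
        return math.ceil(self.inactivity_timeout_min / CHECK_INTERVAL_MIN)

    @property
    def effective_timeout_min(self) -> int:
        # What the user actually experiences: a whole number of cycles.
        return self.cycles_to_logout * CHECK_INTERVAL_MIN


def minutes_until_logout(policy, bytes_per_cycle):
    """Replay per-cycle byte counts (constructed input, one value per
    3-minute check) and return the minute at which the user is logged
    out, or None if the session is still alive after the last cycle."""
    idle_cycles = 0
    for cycle, transferred in enumerate(bytes_per_cycle, start=1):
        if transferred >= policy.data_threshold_bytes:
            # "equal or more than the configured value": timer is reset
            idle_cycles = 0
            continue
        idle_cycles += 1
        if idle_cycles >= policy.cycles_to_logout:
            return cycle * CHECK_INTERVAL_MIN
    return None


if __name__ == "__main__":
    policy = IosLogoutPolicy(inactivity_timeout_min=13,
                             data_threshold_bytes=2500)
    print("cycles needed:", policy.cycles_to_logout)
    print("effective timeout (min):", policy.effective_timeout_min)

    # Constructed traffic samples, in bytes per 3-minute cycle.
    fully_idle = [0, 0, 0, 0, 0]
    one_burst = [0, 0, 0, 0, 2500, 0, 0, 0, 0, 0]
    print("idle device logged out at minute:",
          minutes_until_logout(policy, fully_idle))
    print("burst at cycle 5 delays logout to minute:",
          minutes_until_logout(policy, one_burst))
```

A single cycle that reaches the threshold restarts the count, so background traffic from a device at or above the configured byte value keeps the session open indefinitely.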
Known Behavior
A user cannot logout once authenticated with Cyberoam using Captive Portal, if the device uses following iOS and MAC OS platforms:

iOS | MAC OS X
6, 6.0.1, 6.1 and onwards | 10.7 Lion, 10.8 Mountain Lion

This behavior is due to the Apple OS feature “Captive Network Assistant”.
The user will be logged out in case of following events:
· Inactivity time-out
· Administrator disconnects the User from Live User Page

To configure logout based on data transfer and inactivity on iOS device, go to Identity → Authentication → Firewall and specify “Inactivity Time” and “Data Transfer Threshold” in the section iOS Web Client Settings.

3. SMS Gateway Enhancements
From this version onwards, Cyberoam supports sending SMS request to SMS Gateways that use one of the following HTTP methods:
· Get
· Post
By default, Cyberoam supports SMS Gateways with HTTP method “Post”. The service provider defines the method to be used for sending SMS request.
Prior to this version, only HTTP Method “Post” was supported for sending SMS request to SMS Gateway.
To configure HTTP Method for SMS Gateway, go to Identity → Guest Users → SMS Gateway.

Also, from this version onwards, Administrator is allowed to configure the prefix value to be used with the cell number. Number Prefix precedes the Country Code and the cell number, in case service provider defines to use both, the Number prefix and the Country Code.

Example:
Number Prefix | Country Code | Cell Number | Cell Number Format
✗ | ✗ | 99XXXXXXXX | 99XXXXXXXX
✗ | ✓ (Country: India=91) | 99XXXXXXXX | 9199XXXXXXXX
✓ (Number Prefix: +) | ✗ | 99XXXXXXXX | +99XXXXXXXX
✓ (Number Prefix: +) | ✓ (Country: India) | 99XXXXXXXX | +9199XXXXXXXX

Number Prefix can include alpha-numeric and ASCII special characters. It can be up to 4 characters long. The service provider defines the prefix value to be used.
To configure Number Prefix for SMS Gateway, go to Identity → Guest Users → SMS Gateway.

4.
Captive Portal Enhancements
From this version onwards, Administrator can use up to 6000 characters to configure the Captive Portal Login Page Header or Footer.
Prior to this version, upper threshold limit was 3000 characters.
To configure the Header or Footer of Captive Portal Login Page, go to System → Configuration → Captive Portal.
Further, from this version onwards, Cyberoam allows the Administrator to customize the availability of the “User My Account” link on Captive Portal page.
To customize “User My Account Link” on Captive Portal page, go to Identity → Authentication → Firewall and enable/disable “My Account Link”. By default, it is in enable mode.
Prior to this version, “My Account Link” was not configurable and the “User My Account” link was available on the Captive Portal page.

5. i18n Support for SSL VPN Client
From this version onwards, Cyberoam provides i18n support for SSL VPN Client.

Bugs Solved

Anti Spam
Bug ID – 11223
Description – Emails rejected by Cyberoam IP Reputation are not filtered with Action selected as “Reject” in Log Viewer Anti Spam, due to mismatch in the case of word “REJECT”.
Bug ID – 11414
Description – Emails scanned by Cyberoam are converted into unreadable text, on upgrading the Cyberoam Firmware from Version 10.02.0.224 to Version 10.04.0.304, if SMTP protocol is integrated with DKIM.

Anti Virus
Bug ID – 10940
Description – A file “eicar.com.txt” attached in an Email over SMTP protocol is not detected by Anti Virus module.

Backup-Restore
Bug ID – 11814
Description – Backup from CR15iNG and CR15wiNG cannot be restored on CR15i and CR15wi, if backup is configured with SSL VPN Bookmark.

NTLM
Bug ID – 9436
Description – User does not get authenticated via NTLM, if Active Directory is installed on VMware workstation.
Proxy
Bug ID – 3943
Description – YouTube videos integrated on any website cease to function, if the parameter “Enforce Safe Search” is enabled from Web Filter Settings page.
Bug ID – 7073
Description – The website http://www.treasury.gov/ofac/downloads/t11sdn.pdf cannot be opened in direct proxy deployment mode.
Bug ID – 10867
Description – NTLM authentication fails and HTTP/S based Web Access often drops, if NTLM reinitializes due to flapping of Active Directory connection.

Reports
Bug ID – 10309
Description – Administrator receives a blank Email, if a parameter "Send email at" of Email Frequency is configured between 1am to 3am in On-Appliance iView.
Bug ID – 10931
Description – On-Appliance iView Report Notification ceases to function, if a Custom View report having a bookmark is configured for parameter "Report Group" from Add Report Notification page.
Bug ID – 10958
Description – Report Notification cannot be edited on migrating to Cyberoam Firmware Version 10.02.0.0473 or higher, if description was not provided while adding an On-Appliance iView Report Notification in the Firmware Version older than 10.01.0.0667.
Bug ID – 11262
Description – Administrator receives blank Report Notification Emails for Web Usage, Top Attack and Block Attempts, if multiple report notifications are configured with the same time from the Report Notification of System in On-Appliance iView.
Bug ID – 11360
Description – The Virus Report Notification Mail does not display logs for “Top Users-Web Virus Reports” on upgrading the Cyberoam Appliance Firmware to Version 10.02.0473 or above.

SSL VPN Client
Bug ID – 11698
Description – Resources cannot be accessed, if the username does not have proper case while logging into SSL VPN Client.
VPN
Bug ID – 11977
Description – Site to Site VPN ceases to function, on upgrading the Cyberoam Firmware from Version 10.02.0.473 to Version 10.04.0.311, if a Local Subnet is NATted with a single IP Host from IPSec VPN Connection page.

Web Filter
Bug ID – 3553
Description – An improper message is displayed on Web Admin Console while adding a domain if the keyword for it is already existing.

1.6. V 10.04.0 Build 433

Release Dates
Version 10.04.0 Build 433 – 11th January, 2013

Release Information
Release Type: Maintenance Release
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX: All the versions
V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX: 214, 304, 311, 338

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.
This Cyberoam version release is compatible with the Cyberoam Central Console. Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.

Revision History
Sr. No.
Old Revision Number | New Revision Number | Reference Section | Revision Details
1. | 1.00 - 10/01/2013 | 1.01 - 25/01/2013 | Enhancements | Modes for SSL VPN Passphrase Reception

Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 433. The following sections describe the release in detail.
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.

Enhancements

1. Modes for SSL VPN Passphrase Reception
From this version onwards, Cyberoam provides option to select a mode using which the Administrator receives SSL VPN Certificate Passphrase.
The Administrator can select from one of the following modes to receive the SSL VPN Passphrase:
1. Client Bundle
2. On-screen Link
3. Email
SSL VPN tunnel is established once the user is authenticated with SSL VPN Client and the Certificate is authenticated using the Passphrase.
If SSL VPN Passphrase is chosen to be received via Email, it is mandatory to configure Email Address from Identity → Users → Users and SMTP Mail Server from System → Configuration → Notification in the section Mail Server Settings.
To configure the mode for receiving the Passphrase, go to System → Administration → Settings and select from the options available against parameter "Receive Passphrase via" of section SSL VPN Settings. By default, the Administrator receives the Passphrase in the SSL VPN Client Bundle.
Prior to this version, passphrase for certificate authentication was delivered in SSL VPN client bundle.

1. Manage Cyberoam Appliance(s) behind any NATed Device Through CCC
From this version onwards, the administrator can configure and manage Cyberoam appliance(s) which are deployed behind any NATed device.
This feature was not available in prior versions.
To manage configuration updates, go to System → Administration → Central Management.
CCC Firmware Version Supported: 02.01.4 Build 072

2. Report Export Customization
With this version, Cyberoam iView allows the administrator to customize maximum limit of records to be exported to MS-Excel.
Prior to this version, the administrator was allowed to export a maximum of 1000 records at a time. Now this limit can be set as follows:

Model Number | Maximum Records per Widget
CR 25ia/25wi, CR 25iNG/6P, CR 25wiNG/6P, CR 35ia/35wi, CR 35iNG/35wiNG, CR 50ia, CR 100ia | 10000
CR 50iNG, CR 100iNG, CR 200i, CR 300i | 25000
CR 500ia/RP/F/10F, CR 750ia/1F/10F, CR1000ia/10F, CR 1500ia/10F, CR 2500iNG | 50000

The administrator can also configure ‘Start Record’ number and ‘End Record’ number to be exported if all the records are not needed.
To enable Export Customization option, go to System → Configuration → Data Management and enable ‘Export to Excel Parameters Customization’. By default this option is disabled and the record export limit is 1000 records, per report type.
It is recommended to export the records during the time interval when the network traffic is minimal as this process will increase system resource utilization and it might adversely affect the appliance performance.

Bugs Solved

Anti Spam
Bug ID – 11388
Description – Commtouch (CTCH) headers are displayed in the auto generated Emails, if SMTP or POP3 or IMAP scanning is enabled from the Firewall Rule.

DHCP Relay
Bug ID – 10645
Description – DHCP Relay service does not start when IPSec VPN is configured on dynamic interface and DHCP Relay is configured on it.

Firewall
Bug ID – 11328
Description – Virtual Host for VPN zone cannot be created on migration from Version 9 to Version X, if there exist customized zones before the migration, leading to a mismatch in zone type and zone ID.
Bug ID – 11564
Description – Virtual Host ceases to function on migrating Cyberoam appliance to 10.04.0.304, if it is configured on multiple WAN PPPoE interfaces to single mapped IP Address.

GUI
Bug ID – 9010
Description – Web Admin Console is accessible if user navigates to it using "Back" and "Forward" button in succession, even though option "Lock Admin Session" is selected.
Bug ID – 9494
Description – The parameter “QoS” on the Firewall Rule page displays “None”, on editing a Firewall Rule having QoS policy already applied to it.
Bug ID – 10443
Description – Test connection result for Guest User SMS Gateway displays the country code of Afghanistan, if it is tested without providing a country code.
Bug ID – 10499
Description – An error message “Web Server not exists to Add Exception” is displayed while configuring an exception from the WAF Alert page, if the Web Server name contains a special character “underscore ( _ )”.
Bug ID – 11145
Description – A keyword configured with space in Custom Web Filter Category of Web Filter prior to firmware version 10.04.0.214 cannot be deleted, if Cyberoam firmware is upgraded to firmware version 10.04.0.214.
Bug ID – 11533
Description – Background colors are not reflected on Captive Portal header and footer while viewing the preview of its configuration.
Bug ID – 11555
Description – The Category parameter “Action” does not get updated to “Allow Packet” on editing, if the “Recommended Action” against the signature is “Drop Packet” in the IPS Policy.
Bug ID – 11586
Description – The words “Anti Virus” and “Definition” are mis-spelled as “Antivurs” and “Defination” on the Log Viewer page of Logs & Reports.
Bug ID – 11602
Description – The Web Admin Console becomes inaccessible and an error message “Internal server Error” is displayed, if the backup file of CR25ia is restored on CR25iNG and both of the appliances have different themes configured.
High Availability
Bug ID – 11345
Description – IP Address based Virtual Host ceases to function when the WAN interface is configured as a monitoring port in Active-Active mode of HA and both the appliances are rebooted simultaneously.

Network
Bug ID – 11383
Description – 3G Gateway status is displayed as “Active” although the 3G modem is unplugged.
Bug ID – 11545
Description – DHCP Server does not lease IP Address to WLAN Clients, if the LAN and WLAN are in same subnet.

SSL VPN
Bug ID – 11486
Description – Application Access Mode fails to initiate, if the parameter “Select Client Certificate” is blank while configuring Tunnel Access from SSL VPN.

System
Bug ID – 11448
Description – Picture fails to appear during a video conference, if the number of channels exceeds the protocol h323’s default unidirectional channel limit of 4.

User
Bug ID – 10286
Description – Guest users do not get purged automatically on expiry of user validity though the option "auto purge" is enabled.
Bug ID – 11403
Description – An error message is displayed while testing the Authentication Server connection on the French language Web Admin Console, if the parameter “Display Name Attribute” is left blank while adding it.

VPN
Bug ID – 5438
Description – Branch office does not re-initiate the connection automatically once disconnected even when Action on VPN Restart is set to “Initiate”. One has to manually re-connect or set re-key margin as zero.
Bug ID – 9935
Description – Cyberoam does not allow opening the configuration management of L2 switch while deploying Cyberoam in Bridge Mode, if L2 switch is configured in LAN Network of the Head Office and is accessed via the Branch Office.
Bug ID – 11444
Description – VPN to Static link failover occurs 10 minutes after the tunnel goes down, if IPSec routes do not get flushed from Cyberoam on Dead Peer Detection (DPD).
Bug ID – 11557
Description – Connection list of IPSec-VPN traffic does not get flushed on disabling an IPSec-VPN connection from any peer end.
Bug ID – 11640
Description – Dead Gateway Detection (DGD) service ceases to function, if VPN Connection is configured with name as VPN and added in VPN Failover Group.

1.7. V 10.04.0 Build 214, 304, 311, 338

Release Dates
Version 10.04.0 Build 214 – 24th September, 2012
Version 10.04.0 Build 304 – 19th November, 2012
Version 10.04.0 Build 311 – 04th December, 2012
Version 10.04.0 Build 338 – 12th December, 2012

Release Information
Release Type: General Availability
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to Cyberoam Version:
V 10.01.0XXX or 10.01.X Build XXX: All the versions
V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.0 Build XXX

Upgrade procedure
To upgrade the existing Cyberoam Appliance follow the procedure below:
· Logon to https://customer.cyberoam.com
· Click “Upgrade” link under Upgrade URL.
· Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.

For Cyberoam versions prior to 10.01.0472: Upgrade the Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-screen instruction. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher: Upgrade Cyberoam to latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.

Compatibility Annotations
Firmware is Appliance model-specific firmware. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you are trying to upgrade Appliance model CR100ia with firmware for model CR500ia.
This Cyberoam version release is compatible with the Cyberoam Central Console.
Please always check http://docs.cyberoam.com for availability of latest CCC firmware to deal with this compatibility issue.

Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1. | 1.00 - 24/09/2012 | 1.00 - 19/11/2012 | Enhancement | Added enhancement “Access Denied Page Optimization”
2. | 1.00 - 24/09/2012 | 1.00 - 19/11/2012 | Bugs Solved | A bug (Bug ID – 11463) is added to Certificate.
3. | 1.00 - 19/11/2012 | 1.00 - 04/12/2012 | - | Added LAN Bypass support for Cyberoam Appliances CR50iNG and CR100iNG.
4. | 1.00 - 04/12/2012 | 1.00 - 12/12/2012 | Features | Appliances not supporting Outbound Spam list now includes: CR15iNG, CR15wiNG, CR25ia, CR35ia and CR1000i

Introduction
This document contains the release notes for Cyberoam Version 10.04.0 Build 214, Version 10.04.0 Build 304, Version 10.04.0 Build 311 and Version 10.04.0 Build 338. The following sections describe the release in detail.
This release comes with new features, few enhancements and several bug fixes to improve quality, reliability and performance.

Features

1. Compatibility with CISCO™ VPN Client
From this version onwards, Cyberoam is compatible with Cisco IPSEC VPN client. This feature enables Cisco IPSec VPN clients to establish an IPSec connection with Cyberoam.
To support this feature, a new page “CISCO™ VPN Client” is added on Web Admin Console. An IPSec connection that would serve Cisco IPSec VPN Clients must be created using this page.

Compatibility
1. At present only the native Cisco IPSEC client, present in Apple iOS (iPhone and iPad) and Windows are supported. The details of the versions supported are as provided below:

Apple iOS | Windows OS | Cisco Desktop Client (Windows)
4.3 | Win XP - all service packs | V 4.1 and 4.8
5.0.1 | Win 7 | V 5.0 – Beta Version
5.1.1 | Windows Vista | V 5.0 – Beta Version

Known Behavior
1.
Apple iOS versions 5.0 onwards do not send any notification to Cyberoam when IPSec connection serving Cisco IPSec VPN Clients gets disconnected. The connection and route will be cleared from Cyberoam using Dead Peer Detection (DPD) after approximately 20 seconds and then the same client will be able to reconnect.
2. When there is no data transfer, Apple iPhone disconnects the IPSec connection serving Cisco IPSec VPN Clients.
3. When any clients are already connected and the CISCO™ VPN Client page is submitted, they will be disconnected and IP Address pool will be reinitialized.

CISCO VPN Client is available for download only to users that are authorized by the Administrator.
IPSec connection serving Cisco IPSec VPN Clients can be configured from VPN → Cisco™ VPN Client → CISCO™ VPN Client.

2. L2TP Over IPSec VPN Support for Android Devices
From this version onwards, Android device as a L2TP/IPSec Client will be supported by Cyberoam. User will be able to connect and access Cyberoam L2TP/IPSec via an Android device using Pre-Shared Key authentication.
No special configuration is required in Cyberoam Web Admin Console or CLI.
Android Compatible Version: 2.1 Éclair, 2.2.x Froyo, 2.3.x Gingerbread, 3.x Honeycomb
Enable “Add L2TP/IPSec PSK VPN” option of Android device to configure VPN tunnel.
This feature has a backward compatibility support from version 10.01.0 Build 667 onwards.

3. Outbound Spam
From this version onwards, Cyberoam will provide Outbound Spam to identify internal Spam. This feature will help the Internet Service Providers (ISPs) to identify and block any user trying to send spam mails by utilizing their network.
Outbound Spam filtering is a subscription module.
Inbound Spam filtering and Outbound Spam filtering are mutually exclusive. On subscribing to Outbound Spam, Inbound Spam filtering will stop. Inbound Spam filtering will resume when the subscription of Outbound Spam expires.
This feature is not available in Cyberoam Models CR15i, CR15wi, CR15iNG, CR15wiNG, CR25i, CR25ia, CR25wi, CR35ia, CR35wi, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i, CR1500i.
To view logs, go to Logs & Reports → Logs Viewer and select option “Anti Spam” for parameter “View logs for”.

4. YouTube Education Filter
From this version onwards, Cyberoam will allow access to YouTube videos deemed as “educational” via a special portal “YouTube EDU” while being within a school network.
YouTube EDU consists of two sections, “YouTube.com/Teachers” and “YouTube for Schools”. “YouTube.com/Teachers” educates teachers how to make optimum use of YouTube within the classroom. On the other hand, “YouTube for Schools” is a network setting, which redirects the video traffic, making it possible for schools that block YouTube to unblock and allow access to YouTube EDU (Youtube.com/education). The teachers and Administrators decide what videos must be made available to the students, making a safe and a controlled environment for students.
To allow educational videos via Cyberoam, school authority is required to get the school registered for "YouTube for School". On registration, a custom HTTP Header with a unique ID will be displayed on the browser page.
E.g. X-YouTube-Edu-Filter:HMtp1sI9lxt0KAVpcg88kQ
1. Field Name: X-YouTube-Edu-Filter
2. Field Value Format: Alphanumeric [a-z][A-Z][0-9]
3. Field Value Length: up to 44 characters
To allow YouTube EDU via Cyberoam, go to Web Filter → Policy → Policy and specify the unique ID in the textbox against parameter “YouTube Education Filter”.
As per recommendations of YouTube, it is mandatory to ensure the videos and following top-level domains are not blocked:
1. youtube.com
2. ytimg.com
To access https://www.youtube.com, HTTPS scanning must be enabled.

5. 4G LTE Modem
Cyberoam will now support DHCP enabled 4G LTE services on Wi-Fi modems. With this feature, Cyberoam provides support for the following:
1. Connection to 3G/4G networks
2.
DHCP Modems CyberoamDocs http://docs.cyberoam.com/print.asp?id=508&Lang=1&SID 26 of 36 04-02-2014 3:34 PM 3. Modem plug-in and plug-out auto detection 4. Auto Connect type of behavior if the same modemis re-plugged in Further, Cyberoam provides recommended values (auto detected) for modemconfiguration. To configure a 4G modem, go to Network ® Wireless WAN ® Settings. CLI Commands 1. Command: cyberoam wwan query serialport <serialport> ATcommand <AT command> To view the Wi-Fi modeminformation (if plugged - in) E.G. cyberoam wwan query serialport 0 ATcommand ati 2. Command: cyberoam wwan show To view the Wi-Fi modeminformation and the recommended configuration (if plugged - in) Enhancements 1. DHCP Server Optimization Support for Diverse Topologies Cyberoamnow adds the capability of configuring DHCP for downstreamnetworks that are connected to Cyberoam through relay, or through IPSec VPN. With this enhancement, Cyberoamwill be able to assign IP Addresses to: · Directly connected primary or alias networks · Connected through relay · Connected over IPSec VPN Prior to this version, Cyberoamsupport DHCP configuration only for a primary network only. Lease Report Enhancement Cyberoam’s Lease report now displays the type of lease, i.e. Static or Dynamic, for a given IP Address. To view these reports, go to Network ® DHCP ® Lease. CLI Commands 1. Command: cyberoam dhcp lease-over-IPSec enable To enable IP Lease over IPSec for all the DHCP servers. 2. Command: cyberoam dhcp lease-over-IPSec disable To disable IP Lease over IPSec for all the DHCP servers (Default Value). 3. Command: cyberoam dhcp lease-over-IPSec show To display all the IP Lease over IPSec configuration. 2. Multicast over IPSec VPN tunnel Fromthis version onwards, Cyberoam will support secure transport of multicast traffic over un-trusted network using IPSec/VPN connection. 
With this enhancement, it is now possible to send/receive both unicast and multicast traffic between two or more VPN sites connected through the public Internet. This removes the dependency on multicast aware routers between the sites connecting via IPSec/VPN.

Prior to this version, this was possible using GRE tunneling; however, the packets could not be encrypted.

Any unicast host wanting to access a multicast host must be configured as an explicit host (with netmask /32) in the VPN configuration.

Known Behavior

CLI shows only static interfaces as input and output interface, whereas Web Admin Console shows both static and dynamic interfaces (PPPoE, DHCP).

To configure Multicast over IPSec/VPN connection, go to Network → Static Route → Multicast.

CLI Commands

1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from a given interface to another interface.
E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given interface to a GRE tunnel.
E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore

3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.g. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec

4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from an IPSec tunnel to an interface.
E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec

6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given IPSec tunnel to a GRE tunnel.
E.g. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore

7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from a GRE tunnel to an interface.
E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1

9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels.
Cyberoam automatically selects an appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.g. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec

10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
To delete a multicast route.
E.g. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.

3. E-mail Alert for IPSec Tunnel Connection Flapping

From this version onwards, if the IPSec VPN tunnel connectivity is lost, Cyberoam will notify the Administrator via an E-mail alert, specifying the reason for the connection loss. The E-mail alert will be sent to the configured E-mail Address.

E-mail alerts are configured through a single central option; once configured, they automatically apply to all the IPSec tunnels.

An E-mail will be sent only for Host to Host and Site to Site tunnel connections, if the connection flaps due to one of the following reasons:
1. A peer is found to be dead during the Dead Peer Detection (DPD) phase.
2. Failed to re-establish the connection after Dead Peer Detection (DPD).
3. IPSec Security Association (SA) has expired and is required to be re-established.
4. IPSec Tunnel comes up without administrator intervention after losing the connectivity.

The E-mail sent to the administrator shall contain the following basic information:
1. IPSec Connection name
2. IP Addresses of both participating hosts/networks
3. Current state of the IPSec Tunnel connection, viz., Up or Down
4. Exact time when the IPSec Tunnel connection was lost
5. Reason for loss of IPSec Tunnel connection
6. Appliance Model Number
7. Firmware version and build number
8. Appliance Key (if registered)
9. Appliance LAN IP Address
10. HA configuration – Primary/Auxiliary (if configured)

An E-mail will be sent for each subnet pair in case of Site to Site connections having multiple local/remote networks.

An E-mail sent when the IPSec Tunnel comes up shall not have any reason mentioned within.
Description of the IPSec Tunnel connection shall be included in the E-mail only if it has been provided by the administrator.

To enable E-mail alerts for IPSec tunnels, go to System → Configuration → Notification → E-mail Notification and check option “IPSec Tunnel UP/Down”.

4. Enhancement in AD Integration

From this version onwards, the Administrator is given an option to delete users from Cyberoam if they do not exist in any of the configured External Active Directory servers, at a push of the Purge AD Users button.

Prior to purging, connectivity and authentication of all the configured External Active Directory servers is verified. If a user’s entry is not found in any of the external server(s), it is purged from Cyberoam too.

The purge operation will not interrupt user login/logout and accounting events.

If the server connectivity is lost while the purge activity is in progress, the activity will be aborted.

If a user entry is purged, it will be deleted from both the Primary and the Auxiliary Cyberoam Appliance.

To purge the users, go to Identity → Users → Users and click the “Purge Users” button.

Further, when a User logs in to Cyberoam and the E-mail Address of that User is configured on the external Active Directory server/LDAP server, the User’s E-mail Address within Cyberoam is synchronized with the E-mail Address on the external Active Directory server/LDAP server.

Every time a user logs in, the corresponding E-mail ID will be updated. If the E-mail ID is null on the External Active Directory Server/LDAP, there will be no updates.

5. Multicast Route Failover

From this version onwards, Cyberoam supports Link Failover for Multicast Traffic using an IPSec/VPN connection or GRE Tunnel. If a user has multicast routes configured on a port, then a Link Failover can be configured for the same using IPSec/VPN or GRE configuration.
Now if the port goes down, all multicast routes configured on it will automatically fail over to the given IPSec/VPN connection or GRE Tunnel.

Prior to this version, link failover was supported only for static unicast routes.

CLI Commands

1. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>
To configure a GRE Tunnel as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given GRE Tunnel.
E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor PING host 192.168.1.2

2. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor UDP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given GRE Tunnel.
E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor UDP host 192.168.1.2 Port 100

3. Command: cyberoam link_failover add primarylink Port<Port number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>
To configure a GRE Tunnel as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given GRE Tunnel.
E.g. cyberoam link_failover add primarylink PortB backuplink gre tunnel Elitecore monitor TCP host 192.168.1.2 Port 100

4. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>
To configure an IPSec/VPN connection as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given IPSec/VPN connection.
E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor PING host 192.168.1.2

5. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor UDP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given IPSec/VPN connection.
E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor UDP host 192.168.1.2 Port 100

6. Command: cyberoam link_failover add primarylink Port<Port number> backuplink vpn tunnel <ipsec connection name> monitor TCP host <ip address> Port <Port Number>
To configure an IPSec/VPN connection as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the given IPSec/VPN connection.
E.g. cyberoam link_failover add primarylink PortB backuplink vpn tunnel Net2Net monitor TCP host 192.168.1.2 Port 100

7. Command: cyberoam link_failover del primarylink <Port name>
To delete a link failover configuration.
E.g. cyberoam link_failover del primarylink PortC

8. Command: cyberoam link_failover show
To see all the link failover configurations.

6. Support of SSL-VPN for MAC-OS Tunnelblick

From this version, SSL VPN will be functional with Tunnelblick, a free, open source graphic user interface for OpenVPN on Mac OS X.

The user can download the SSL VPN Client Configuration - MAC Tunnelblick from the Cyberoam SSL VPN User Portal.

7. Version 9 Catch-up Feature – Search Engine Cache Control

From this version onwards, Cyberoam will be able to categorize, based on the existing Web Filter Policy, the actual URL contents that are accessed via the cache option available in the search engines Google, Yahoo and Bing.

8. Version 9 Catch-up Feature – Internet Watch Foundation Support

From this version onwards, Cyberoam’s General Internet Policy supports, by default, filtering of URLs based on Internet Watch Foundation (IWF) categorization.
The filtering logs are displayed in the Log Viewer and iView Reports.

The Internet Watch Foundation provides a list of accurate and current URLs to minimize the availability of potentially criminal Internet content, as mentioned below:
1. Child sexual abuse content hosted anywhere in the world.
2. Criminally obscene adult content hosted in the UK.
3. Non-photographic child sexual abuse images hosted in the UK.

9. Captive Portal Enhancements

From this version onwards, the Cyberoam Captive Portal is esthetically optimized. Further, it supports the following functionalities:
1. Hyperlinked logo
2. Obtaining username and password for unauthenticated users (only when Guest Users functionality is enabled).

To configure them, go to System → Configuration → Captive Portal.

Also, the Administrator can choose either to redirect unauthorized users to the Captive Portal or to display a customized message.

To customize the Captive Portal response, go to Identity → Authentication → Firewall.

10. URL Import List

From this version onwards, while adding or updating a Web Category, Cyberoam allows importing a file (.txt or csv) containing all the configured URLs/Keywords from the white list domain of an existing web categorization solution, instead of copying and pasting them into Cyberoam.

To add a white listed URL file, go to Web Filter → Category → Category and click the Add button.

11. Optimization in Virtual Host Configuration

From this version onwards, when a virtual host is created and port forwarding is enabled, Cyberoam allows configuring a Port List. The ports within the list are comma separated. A Port List can be mapped against a Port List or a Port. Further, a Port Range can now also be mapped against a single port. This creates one to one mapping or many to one mapping between the external port and the mapped port.
Example:

Port Forwarding Type (External Port Type to Mapped Port Type) | External Ports | Mapped Ports
Port List to Port List | 22, 24, 26, 28, 30 | 42, 44, 46, 48, 50
Port List to a Port | 22, 24, 26, 28, 30 | 20
Port Range to a Port | 21 - 26 | 28

In case of Port List to Port List mapping, the number of ports must be the same for both External Ports and Mapped Ports. A request received on the first external port will be redirected to the first mapped port, a request on the second external port to the second mapped port, and so on.

From the example above, for the Port List to Port List type of configuration, any request received for external ports 22, 24, 26, 28, 30 will be forwarded respectively to mapped ports 42, 44, 46, 48, 50.

For a single virtual host, a maximum of 16 ports can be configured in a Port List.

All the ports within a Port List support a single protocol, viz., either TCP or UDP as per the configuration. A combination of both of these protocols within a Port List is not allowed.

Prior to this version, only Single Port to Single Port and Port Range to Port Range types of port forwarding were allowed.

Also, from this version onwards, for Firewall, when a virtual host is created without port forwarding, one can select multiple services instead of a single service.

Prior to this version, selecting multiple services was not allowed within a Firewall Rule configured with a virtual host having port forwarding disabled.

To configure multiple ports separated by commas, go to Firewall → Virtual Host → Virtual Host.

12. Optimized IPSec Failover Configuration

From this version onwards, Cyberoam IPSec connection configuration for failover can be done while configuring the IPSec connection itself. This optimization will facilitate configuring a failover connection with minimum inputs for commonly used failover conditions. Also, the previously available method of configuration remains intact.
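The three mapping types in the table under "Optimization in Virtual Host Configuration" above, worked through as an added Python example (not Cyberoam code and not part of the release notes): it expands an External Ports / Mapped Ports pair into the per-port forwarding table, enforces the stated limits, and lists mapped ports reachable from several external ports, which is what a firewall rule review needs to see. The function names, the equal-length rule for Port Range to Port Range, and the rejection of duplicate external ports are assumptions.

```python
import re

MAX_PORT_LIST = 16  # release notes: at most 16 ports in a Port List per virtual host


def parse_ports(spec):
    """Parse '22, 24, 26' (Port List), '21 - 26' (Port Range) or '20' (Port).

    Returns (kind, ports) with kind in {'list', 'range', 'port'}.
    """
    spec = spec.strip()
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            raise ValueError(f"reversed or single-port range: {spec!r}")
        kind, ports = "range", list(range(lo, hi + 1))
    else:
        items = [p.strip() for p in spec.split(",")]
        if not all(re.fullmatch(r"\d+", p) for p in items):
            raise ValueError(f"not a port, port list or port range: {spec!r}")
        ports = [int(p) for p in items]
        kind = "list" if len(ports) > 1 else "port"
        if kind == "list" and len(ports) > MAX_PORT_LIST:
            raise ValueError(f"Port List has {len(ports)} ports, limit is {MAX_PORT_LIST}")
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return kind, ports


def expand_mapping(external, mapped, protocol):
    """Return [(protocol, external_port, mapped_port), ...] for one virtual host.

    One protocol applies to the whole mapping, because the release notes do
    not allow TCP and UDP to be mixed inside a Port List.
    """
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError("a Port List carries either TCP or UDP")
    ekind, eports = parse_ports(external)
    mkind, mports = parse_ports(mapped)
    if len(set(eports)) != len(eports):
        # Assumption: a repeated external port would be ambiguous, so reject it.
        raise ValueError("duplicate external port")
    if mkind == "port":
        # Port -> Port, Port List -> Port, Port Range -> Port (many to one).
        pairs = [(e, mports[0]) for e in eports]
    elif ekind == mkind and len(eports) == len(mports):
        # Port List -> Port List (positional, counts must match) and
        # Port Range -> Port Range (equal length is an assumption).
        pairs = list(zip(eports, mports))
    else:
        raise ValueError(f"unsupported mapping: {ekind} ({len(eports)} ports) "
                         f"to {mkind} ({len(mports)} ports)")
    return [(protocol, e, m) for e, m in pairs]


def many_to_one(table):
    """Mapped ports that are reachable through more than one external port."""
    by_target = {}
    for proto, ext, mp in table:
        by_target.setdefault((proto, mp), []).append(ext)
    return {target: exts for target, exts in by_target.items() if len(exts) > 1}


if __name__ == "__main__":
    # The three rows of the example table in the release notes.
    rows = [
        ("22, 24, 26, 28, 30", "42, 44, 46, 48, 50"),
        ("22, 24, 26, 28, 30", "20"),
        ("21 - 26", "28"),
    ]
    for external, mapped in rows:
        table = expand_mapping(external, mapped, "TCP")
        print(f"{external!r} -> {mapped!r}")
        for proto, ext, mp in table:
            print(f"  {proto} {ext} -> {mp}")
        print("  many-to-one targets:", many_to_one(table) or "none")
```
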
Failover connection configuration can be done only for “Connection Type” Site-to-Site and Host-to-Host IPSec connections.

A maximum of four (4) failover connections can be added while configuring a new failover group. More connections can be configured later by editing the failover group configuration.

To configure an IPSec failover connection for Site-to-Site and Host-to-Host types of IPSec connections, go to VPN → IPSec → Connection. Click the add icon under “Endpoints Details”; only after that can the IPSec failover connection be configured.

13. Access Denied Page Optimization

From this version onwards, to optimize the loading time of the Access Denied Page, the maximum size allowed for the images is as follows:
1. Top Image – 125 x 70 pixels (.jpg, .jpeg)
2. Bottom Image – 70 x 60 pixels (.jpg, .jpeg)

If the Appliance is running on an older version and the image size is greater than the dimensions specified above, it is mandatory to reduce the size of the images for appropriate display.

To upload an image, go to Web Filter → Settings → Settings.

14. DNS Status Check support in Diagnostic Tool

From this version onwards, Cyberoam will provide an option to view the list of all the available DNS servers configured in Cyberoam. It also provides information about the time taken to connect to each of the DNS servers. Based on the least response time, one can prioritize the DNS servers.

To view the list of DNS servers available for an IP Address/host name, go to System → Diagnostics → Tools → Name Lookup, provide the IP Address/Host Name, select option “Lookup Using All Configured Server” from the dropdown box and click “Name Lookup”.

15. Certificate with FQDN/IP Address as a Common Name

From this version onwards, Cyberoam will allow using an FQDN or IP Address as the common name while generating a Self Signed Certificate.

Prior to this version, the certificate name was used as the common name.
To configure the common name for a certificate, go to System → Certificate → Certificate and click Add to generate a certificate.

16. User Defined Certificate

From this version onwards, Cyberoam supports generation of Self-Signed Certificates with Identification Attribute details to meet the needs of compliance criteria.

To generate a Self-Signed Certificate, go to System → Certificate → Certificate.

17. Quick Access to On-Appliance Reports

From this version onwards, Cyberoam supports quick access to On-Appliance Reports from the login page of the Appliance.

To access the On-Appliance Reports directly, select “Reports” for parameter “Log on to” on the Appliance login page at the time of authentication.

18. iView Enhancement – Dual Dashboard Support

From this version onwards, the Cyberoam iView main dashboard has been bifurcated into two.

1. Traffic Dashboard

Traffic dashboard is a collection of widgets displaying information regarding total network traffic. This dashboard gives complete visibility of network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.
Traffic dashboard consists of the following widgets:
• Top Applications – List of top applications along with percentage wise data transfer
• Top Categories – List of top accessed web categories with number of hits and amount of data transfer
• Top Users – List of top users along with percentage wise data transfer
• Top Hosts – List of top hosts along with percentage wise data transfer
• Top Source Countries – List of top source countries along with percentage wise data transfer
• Top Destination Countries – List of top destination countries along with percentage wise data transfer
• Top Rule ID – List of top firewall rules along with percentage wise data transfer
• Top Domains – List of top domains along with percentage wise data transfer
• Top File Upload – List of top uploaded files along with date, user, source IP, domain name, file name and file size
• Top Files Uploaded via FTP – List of top uploaded files via FTP along with percentage wise amount of data transfer
• Top Files Downloaded via FTP – List of top downloaded files via FTP along with percentage wise amount of data transfer
• Top FTP Servers – List of top FTP servers
• Mail Traffic Summary – Email traffic with type of traffic and amount of data transfer
• Top Mail Senders – List of top email senders along with percentage wise data transfer
• Top Mail Recipients – List of top email recipients along with percentage wise data transfer

2. Security Dashboard

Security dashboard is a collection of widgets displaying information regarding denied network activities and traffic. It also gives an overview of malware and spam along with source and destination countries.
Security dashboard consists of the following widgets:
• Top Denied Hosts – List of top denied hosts along with number of hits
• Top Denied Users – List of top denied users along with number of hits
• Top Denied Applications – List of top denied applications along with number of hits
• Top Denied Destination Countries – List of top denied destination countries along with number of hits
• Top Denied Source Countries – List of top denied source countries along with number of hits
• Top Denied Rule ID – List of top denied firewall rules along with number of hits
• Top Denied Categories – List of top denied web categories along with number of hits
• Top Denied Domains – List of top denied domains along with number of hits
• Top Attacks – List of top attacks launched at the network
• Top Viruses – List of top viruses blocked by Cyberoam
• Top Spam Senders – List of top spam senders
• Top Spam Recipients – List of top spam recipients

All these widgets can be drilled down for next level reports.

19. iView Enhancement – Better Visibility and Presentation

From this version onwards, Cyberoam iView has introduced a few enhancements to increase visibility and improve presentation of the reports.

1. Chart Preferences
The administrator can now select the type of chart used to show reports, choosing between Bar charts and Pie-Doughnut charts.
To choose the chart type and palette, go to System → Configuration → Chart Preferences.

2. Records per Page Control
The user now has the option to set the number of records to be displayed for report groups also. Previously this control was available for individual reports only.

3. Inline Charts
If the number of records to be displayed is more than 10, Cyberoam iView shows them in the form of inline charts, i.e. a bar diagram for number of bytes and percentage respectively will be displayed in the same column.

4. Animated Charts
With this version, Cyberoam iView has introduced animated bar charts and pie charts to improve user experience and data presentation.

5. Report Group Dashboard
With this version, all the report group dashboards show the collection of reports available under the selected report group.

20. iView Enhancement - Top Users Widget

From this version onwards, a new widget ‘Top Users’ has been added under risk reports. This widget displays the list of users who imposed risk on the organization network. This report can further be drilled down to view the list of applications, hosts, source countries, destination countries and firewall rules associated with the selected user and risk level.

To view reports, go to Reports → Applications → Top Risks → Risk.

21. iView Enhancement - Report Filter

From this version onwards, Cyberoam iView provides an option to filter dashboard reports. When the user selects any record from the dashboard report widgets, the selection is displayed on the next level of reports, i.e. on the resultant reports page. The user can apply multiple filters one by one to get the appropriate report. All the filters are displayed on the top of the resultant report in the form of rowed text box(es) with the option to remove a filter.

22. iView Enhancement - Country Map

From this version onwards, Cyberoam iView introduces a new report, Country Map, under the Application report menu. This report gives a geographical overview of network traffic along with amount of data transfer and risk.

To view reports, go to Reports → Applications → Country Map.

Known Behaviour

1. SSL VPN support with passcode
From this version onwards, Cyberoam supports key encryption with password in certificates. If certificates are being generated with encryption enabled, then the user will be prompted to provide a password in the form of a passcode. If the parameter “Per User Certificate” is configured, then new certificates will get generated with key encryption and password.

2. Gateway specific routing for Reflexive Rule
To allow the traffic to route through a specific gateway with a reflexive rule selected while configuring a virtual host, parameter “Route Through Gateway” in the Firewall Rule must have Source NAT selected as a Routing Policy.

Bugs Solved

Anti Spam

Bug ID – 6533
Description – Irrespective of the date range selected, the spam mails of the last seven days are displayed.

Bug ID – 9597
Description – Mails of size greater than 3Mb do not get released from the Anti Spam Quarantine Area if the send mail client does not release them within the configured time.

Bug ID – 9599
Description – An error message “Data Error” is displayed for a log on the Anti Spam Quarantine Area, if the subject of the mail contains special characters like double quotes (“ ”) or a backslash (“\”).

Bug ID – 9989
Description – Quarantine mails having a space in the subject line do not get released.

Anti Virus

Bug ID – 8029
Description – Adobe flash player exe cannot be downloaded from http://get.adobe.com/flashplayer with HTTP scanning enabled.

Certificate

Bug ID – 5300
Description – Cyberoam allows uploading a certificate with a different password or private key than the original password or private key of the generated Certificate Signing Request (CSR).

Bug ID – 8054
Description – A Certificate Signing Request (CSR) generated from a version 10 Cyberoam Appliance cannot be uploaded at the third party Certificate Authority (CA) end.

Bug ID – 8191
Description – A certificate having an encrypted private key cannot be uploaded from the Web Admin Console.

Bug ID – 10001
Description – The value of parameter “Valid From” does not change on regenerating a new Cyberoam_SSL_CA certificate from the Certificate page of the System.
Bug ID – 10045
Description – A certificate error message “secure connection failed” is displayed on the Mozilla browser page if Cyberoam is accessed via HTTPS and a default Cyberoam Appliance Certificate is stored in the browser.

Bug ID – 11463
Description – Cyberoam Web Admin Console is not accessible over HTTPS after upgrading to firmware version 10.04.0 Build 304, if the Appliance Time Zone is earlier than GMT and the Firmware Upgrade Time is between (00:00:00 – X) and 00:00:00. X here represents the difference between the Appliance Time Zone and GMT.

CLI

Bug ID – 10122
Description – Default routing precedence does not get displayed on the Cyberoam console when command "cyberoam route_precedence show" is executed.

DHCP Server

Bug ID – 10245
Description – An error message is displayed when a host name of parameter “IP MAC Mapping List” contains a space while configuring a static DHCP.

Firewall

Bug ID – 9658
Description – A false error message “user.err kernel: outdev_target: ERRORRRRR skb->rtable is already initialized <192.168.141.255>...” is displayed in System - Log Viewer.

Bug ID – 10870
Description – A reflexive rule is created for a virtual host with NAT Policy as Masquerade instead of IP Host.

GUI

Bug ID – 9810
Description – A Web Filter policy does not function in a non-English version of Cyberoam on configuring a URL Group within the Web Filter Policy.

Bug ID – 9985
Description – In captive portal settings and CTAS settings, the parameter “User Inactivity Timeout” does not accept a number beyond 99 on the Web Admin Console from the Authentication page of Identity.

Bug ID – 10109
Description – The Heart Beat port in System, configured to sync with CCC, does not change if the Heart Beat Protocol is HTTP for Central Management.

Bug ID – 10165
Description – Dashboard and System Graph continue to remain in processing due to an internal error for Cyberoam Version 10.02.0 Build 227.
Bug ID – 10307
Description – VPN – IPSec connection list takes a long time to load if the number of IPSec connections is more than 2000.

HA

Bug ID – 10573
Description – IPS service stops functioning in the HA deployment when two Appliances configured with different versions of IPS are enabled in HA.

Identity

Bug ID – 9756
Description – Special characters “_” and “.” are not allowed to be used consecutively while adding an Email Address on the User page for Identity.

IM

Bug ID – 9866
Description – IM Policy does not get displayed in Log Viewer with Yahoo! Messenger (Version 11.5.0.228-in).

Intrusion Prevention System (IPS)

Bug ID – 9327
Description – Search option is available only while editing an IPS Policy.

Log Viewer

Bug ID – 9880
Description – No records are displayed when the language selected for the Web Admin Console is French in Cyberoam and multiple filters are used while viewing logs of “Application Filter” in Log Viewer.

Network Interface

Bug ID – 8002
Description – STC 3G modem is not compatible with Cyberoam Appliance.

Bug ID – 8457
Description – ZTE MF688a 3G modem is not compatible with Cyberoam Appliance.

Bug ID – 10921
Description – Modem Sierra 320U is not supported by Cyberoam Appliance.

Bug ID – 10939
Description – Modem IG Huawei E177 is not supported by Cyberoam Appliance.

Proxy

Bug ID – 9115
Description – Proxy services do not function if an HTTP Upload Web Category is added in HTTPS scanning exceptions.

Bug ID – 9848
Description – An error is received while accessing hotmail.com, http://google.com.au when HTTPS scanning is enabled in the Firewall Rule.

Bug ID – 10046
Description – Web Proxy service does not restart when the Administrator restarts it from the Maintenance page of System.

Bug ID – 10135
Description – Some of the components of the YouTube website do not get displayed with HTTPS scanning applied.
Bug ID – 10244
Description – Browsing becomes slow when an external proxy is implemented in the network while Cyberoam is deployed in Bridge mode.

Bug ID – 10936
Description – In Cyberoam firmware version 10.04.0.0214, mails are dropped for mail servers that are configured to support BDAT as an optional parameter.

Reports

Bug ID – 7818
Description – The data transfer reports of top web host and traffic discovery displayed in On-Appliance iView are not identical.

Bug ID – 9993
Description – All the logs of the selected period are displayed in Web Surfing reports for IP Address based filtering, if “Search Type” is “IP Address” and “Report Type” is “Detail”.

Bug ID – 10427
Description – Only the current day’s report details are displayed in the Application Reports of On-Appliance iView on migrating to Cyberoam Version 10.02.0 Build 473.

System

Bug ID – 9927
Description – Error messages are displayed on executing command “tcpdump ‘port80’filedump” on the Cyberoam Console.

SSL VPN

Bug ID – 6523
Description – Once the User certificates are updated manually, they do not get updated automatically.

Bug ID – 10171
Description – SSL VPN RDP Bookmark cannot be accessed in Version 10.02.0 Build 473 if the RDP bookmark has a “/” at the end (e.g. rdp://10.102.1.152).

Bug ID – 11198
Description – SSL VPN bookmark URL with RDP, TELNET, SSH & FTP protocol having a forward slash ('/') as the last character cannot be accessed after migrating Appliance firmware from 10.02.0 Build 224 to 10.04.0 Build 214.

User

Bug ID – 6141
Description – When special characters are included in the login message, the user receives a continuous process icon on the Captive Portal page in spite of logging in successfully.

Bug ID – 9920
Description – Cyberoam supports only SMS Gateways that use the Post method.
VPN

Bug ID – 9812
Description – An error message “We cannot identify ourselves with either end of this connection” is received when a VPN connection with VLAN over WAN is configured with a PPPoE link and the VLAN ID is more than 2 digits.

Bug ID – 10191
Description – VPN service does not restart when head office and branch office are using the default head office and default branch office policy respectively and an intermediate device between them is switched off.

Bug ID – 11202
Description – Manual intervention is required to activate the tunnel, if the default value of parameter "Rekey Margin" is configured below 100 seconds from the VPN Policy page and the Appliance is rebooted.

Web Filter

Bug ID – 9840
Description – “Denied Message” is updated to the default message, if an existing Web Filter Category configured with a customized message is edited without opening its “Advance Settings”.

Bug ID – 10092
Description – Webcat does not get upgraded to the latest version while performing manual sync after auto Webcat upgrade has failed.

Wireless WAN

Bug ID – 5315
Description – 3G Modem LW272 is not compatible with Cyberoam Appliance.