The Cyberoam Console Guide provides functional and technical information about Cyberoam software. This guide is designed to serve as both a technical reference and a description of features specific to the Console. It also provides a brief summary on using Console commands. This guide is intended for Network Administrators and Support personnel who perform tasks like configuring systems and networks, managing and maintaining networks, managing various services, and troubleshooting.
Console Guide Version 10
Document Version 10.04.4.0028 - 08/10/2013
Version 7
Document version 7400-1.0-16/11/2005
Cyberoam Console Guide
Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications.
Information is subject to change without notice.
USER'S LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of the Cyberoam End User License Agreement (EULA) and the Warranty Policy for Cyberoam UTM Appliances.
You will find a copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://ikb.cyberoam.com.
RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road,
Ahmedabad – 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Preface
Welcome to Cyberoam's Console Guide.
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security needs of corporate and government organizations and educational institutions.
Cyberoam's perfect blend of best-of-breed solutions includes user-based Firewall, Content Filtering, Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN (IPSec and SSL).
Cyberoam increases LAN security by providing a separate port for connecting the publicly accessible servers (Web server, Mail server, FTP server, etc.) hosted in the DMZ, which are visible to the external world and still have firewall protection.
The Cyberoam Console Guide helps you administer, monitor and manage Cyberoam with the help of the Console.
Note that by default, the Cyberoam Console password is 'admin'. It is recommended to change the default password immediately after deployment.
Guide Audience
The Cyberoam Console Guide provides functional and technical information about the Cyberoam software. This guide is written to serve as a technical reference and describes features that are specific to the Console. It also provides a brief summary on using the Console commands.
This guide is intended for Network Administrators and Support personnel who perform the following tasks:
Configure System & Network
Manage and maintain the Network
Manage various services
Troubleshooting
This guide is intended for reference purposes, and readers are expected to possess basic-to-advanced knowledge of systems and networking.
Note
The corporate and individual names, data and images in this guide are for demonstration purposes only and do not reflect real data.
If you are new to Cyberoam, use this guide along with the 'Cyberoam User Guide'.
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad – 380006, Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79- 26400707
Email: [email protected]
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.
Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.
Item - Convention (Example)
Server - Machine where the Cyberoam Software Server component is installed
Client - Machine where the Cyberoam Software Client component is installed
User - The end user
Username - Username uniquely identifies the user of the system
Topic titles - Shaded font typefaces (Example: Introduction)
Subtitles - Bold and Black typefaces (Example: Notation conventions)
Navigation link - Bold typeface (Example: Group Management > Groups > Create, which means: to open the required page, click on Group Management, then on Groups, and finally click the Create tab)
Notes & points to remember - Bold typeface between the black borders (Example: Note)
Introduction
The Cyberoam CLI console provides a collection of tools to administer, monitor and control certain Cyberoam components.
Accessing Cyberoam CLI Console
There are two ways to access the Cyberoam CLI console:
Connecting over Serial RS232 - attaching a keyboard and monitor directly to the Cyberoam
Remote connection - a) using a remote login utility (TELNET); b) using an SSH client
Accessing CLI Console via remote login utility - TELNET
To use TELNET, the IP Address of the Cyberoam is required.
Use the command "telnet <Cyberoam IP address>" to start the TELNET utility from the command prompt and log on with the default password "admin". Note that TELNET carries the whole session, including the password, in clear text on the network; SSH (below) is the preferred remote method.
Screen - Console login screen
Accessing CLI Console using SSH client
Access the Cyberoam CLI console using any SSH client. The Cyberoam IP Address is required.
Start the SSH client and create a new connection with the following parameters:
Hostname - <Cyberoam IP Address>
Username - admin
Password - admin
On successful login, the following Main Menu screen will be shown.
Screen – Main Menu screen
To access any of the menu items, type the number corresponding to the menu item against 'Select Menu Number' and press the <Enter> key.
Example
To access System Configuration, type 2
To access VPN Management, type 6
To Exit, type 0 or Ctrl-C
1. Network configuration
Use this menu to
View & change network settings
Set IP address
Set Netmask
Set Gateway (Gateway mode only)
The following screen displays the current network settings, like IP address & Netmask, for all the Ports. In addition, it also displays the IP address and Netmask of Aliases, if configured.
Note
VLAN and WLAN Interfaces are not displayed here.
Set IP Address
The following screen allows setting or modifying the IP address for any port. Type 'y' and press <Enter> to set the IP address.
It displays the IP address, Netmask and Zone, and prompts for the new IP address and Netmask for each Port.
Press <Enter> if you do not want to change any details.
Note
Aliases, VLAN, DHCP, PPPoE, WLAN and WWAN settings cannot be configured or modified through the Cyberoam Console.
Press <Enter> to return to the Main menu.
2. System Settings
Use this menu to
View & change various system properties
2.1 Set Password for User Admin
Use to change the password of the user "admin".
Type new password, retype for confirmation, and press <Enter>
Displays successful completion message.
Press <Enter> to return to the System Setting Menu.
2.2 Set System Date
Use to change time zone and system date
Type 'y' to set a new time and press <Enter>.
If an NTP server is configured for synchronizing date and time, a screen with the warning message given below will be displayed. If you set the date manually, the NTP server will be disabled automatically.
Type Month, Day, Year, Hour, Minutes
Press <Enter> to return to the System Menu
2.3 Set Email ID for system notification
Use to set the Email ID for system notifications. Cyberoam sends system alert mails on the specified Email ID.
Type Email ID and press <Enter>. It displays the new Email ID.
Press <Enter> to return to the System Setting Menu
2.4 Reset Default Web Admin Certificate
Use to reset the Web Admin certificate back to default.
Type 'y' to confirm and press <Enter>.
2.0 Exit
Type '0' to exit from the System Setting menu and return to the Main Menu.
3. Route Configuration
Use this menu to configure static routes, RIP, OSPF and enable or disable multicast forwarding.
Cyberoam adheres to Cisco terminology for routing configuration and provides a Cisco-compliant CLI to configure static routes and dynamic routing protocols.
Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender, 1 receiver) or Broadcast (1 sender, everybody on the network). Multicast delivers IP packets simultaneously to a group of hosts on the network: not everybody, and not just one.
3.1 Configure Unicast Routing
Options Configure RIP, Configure OSPF and Configure BGP are not available when Cyberoam is deployed in transparent mode.
3.1.1 Configure RIP
This option is available only when Cyberoam is deployed in Gateway mode.
Routing Information Protocol (RIP) is a distance-vector routing protocol documented in RFC 1058.
RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information.
The Cyberoam implementation of RIP supports
RIP version 1 (as described in RFC 1058)
RIP version 2 (as described in RFC 2453)
Plain text and Message Digest 5 (MD5) authentication for RIP Version 2
RIP configuration Task List
Prerequisite
Interface IP addresses configured from the Network Configuration Wizard
RIP must be enabled before carrying out any of the RIP commands. To configure RIP, use the following commands from the CLI Console:
1. Go to Option 3 (Route Configuration)
2. Go to Option 1 (Configure Unicast Routing)
3. Go to Option 1 (Configure RIP)
4. To configure RIP, perform the tasks described in the following table.

Step: Enable RIP
Command: rip> enable
Purpose: Enables a RIP routing process and places you in Global Configuration mode.

Step: Specify a list of networks for the Routing Information Protocol (RIP) routing process
Command: rip# configure terminal
Purpose: Enables the RIP configuration mode, which places you in the Router Configuration mode and allows you to configure from the terminal.
Command: rip(config)# router rip
Purpose: Allows you to configure and start the RIP routing process.
Command: rip(config-router)# network ip-address
Specify ip-address with the subnet information. For example, if the network 10.0.0.0/24 is RIP enabled, this would result in all the addresses from 10.0.0.0 to 10.0.0.255 being enabled for RIP.
Purpose: Enables RIP interfaces on the specified network address. RIP routing updates will be sent and received only through interfaces on this network. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP update. The interfaces which have addresses matching the network are enabled.
Command: rip(config-router)# end
Purpose: Exits from the Router Configuration mode and places you into the Enable mode.

Step: Configure Authentication
Command: rip# configure terminal
Purpose: Enables the RIP configuration mode, which places you in the Router Configuration mode and allows you to configure from the terminal.
To set the authentication mode as text and set the authentication string:
rip(config)# interface ifname
rip(config-if)# ip rip authentication mode {text [string]}
For example:
rip(config)# interface A
rip(config-if)# ip rip authentication mode text
rip(config-if)# ip rip authentication string teststring
To set the authentication mode as MD5 and set the authentication string:
rip(config)# interface ifname
rip(config-if)# ip rip authentication mode {md5 [key-chain name of key chain]}
For example:
rip(config)# interface A
rip(config-if)# ip rip authentication mode md5 key-chain testkeychain
To disable authentication:
rip(config)# interface ifname
rip(config-if)# no ip rip authentication mode
For example, to disable authentication for interface A:
rip(config)# interface A
rip(config-if)# no ip rip authentication mode
rip(config-if)# end
Purpose: Defines the authentication mode for each interface. By default, authentication is on for all the interfaces. If authentication is not required for any of the interfaces, it is to be explicitly disabled. RIP Version 1 does not support authentication. RIP Version 2 supports Clear Text (simple password) or Keyed Message Digest 5 (MD5) authentication. To enable authentication for RIP Version 2 packets and to specify the set of keys that can be used on an interface, use the ip rip authentication key-chain command in interface configuration mode. If authentication is not required for any of the interfaces, use the no form of this command. The final end exits from the Router Configuration mode and places you into the Enable mode.

Step: Exit to Router Management Menu
Command: rip(config-if)# exit
Purpose: Exits to the Router Management Menu.

Removing routes
To remove a route configuration, execute the 'no network' command from the command prompt as below: rip(config-router)# no network <ip address>
Disabling RIP
To disable the RIP routing configuration, execute the 'no router' command from the command prompt as below: rip(config)# no router rip
Execute the 'exit' command to return to the previous mode.
3.1.2 Configure OSPF
This option is available only when Cyberoam is deployed in Gateway mode.
OSPF is one of the IGPs (Interior Gateway Protocols). Compared with RIP, OSPF can serve many more networks, and its period of convergence is very short. OSPF is widely used in large networks such as ISP backbones and enterprise networks.
The Cyberoam implementation of OSPF supports:
OSPF version 2 (as described in RFC 2328)
Plain text and Message Digest 5 (MD5) authentication
How OSPF works
OSPF keeps track of a complete topological database of all connections in the local network. It is typically divided into logical areas linked by area border routers. An area comprises a group of contiguous networks. An area border router links one or more areas to the OSPF network backbone.
Cyberoam participates in OSPF communications when it has an interface to an OSPF area.
Cyberoam uses the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that has an interface to the same area as the Cyberoam. After initial contact, the Cyberoam exchanges Hello packets with its OSPF neighbors at regular intervals to confirm that the neighbors can be reached.
OSPF-enabled routers generate link-state advertisements and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. If the OSPF network is stable, link-state advertisements between OSPF neighbors do not occur. A Link-State Advertisement (LSA) identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated. The Cyberoam maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the shortest path to a destination, the Cyberoam applies the Shortest Path First (SPF) algorithm to the accumulated link-state information.
The Cyberoam updates its routing table dynamically based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination.
OSPF configuration Task List
Prerequisite
Interface IP addresses configured from the Network Configuration Wizard
OSPF must be enabled before carrying out any of the OSPF commands. To configure OSPF, use the following commands from the CLI Console:
Go to Option 3 (Route Configuration)
Go to Option 1 (Configure Unicast Routing)
Go to Option 2 (Configure OSPF)
To configure OSPF, perform the tasks described in the following table:

Step: Enable OSPF
Command: ospf> enable
Purpose: Enables the OSPF routing process and places you in the Global Configuration mode.

Step: Specify a list of networks for the OSPF routing process
Command: ospf# configure terminal
Purpose: Enables the OSPF configuration mode, which places you in the Router Configuration mode and allows you to configure from the terminal.
Command: ospf(config)# router ospf
Purpose: Allows you to configure and start the OSPF routing process.
Command: ospf(config-router)# network ip-address area area-id
Specify ip-address with the subnet information.
Purpose: Assigns an interface to an area. The area-id is the area number we want the interface to be in. The area-id can be an integer between 0 and 4294967295 or can take a form similar to an IP address A.B.C.D. Interfaces that are part of the network are advertised in OSPF link-state advertisements.

Step: View configuration
Command: ospf(config-router)# show running-config
Command: ospf(config-router)# end
Purpose: Exits from the Router Configuration mode and places you into the Enable mode.

Step: Exit to Router Management Menu
Command: ospf(config-if)# exit
Purpose: Exits to the Router Management Menu.

Removing routes
To remove a route configuration, execute the 'no network' command from the command prompt as below: ospf(config-router)# no network <ip address> area <area-id>
Disabling OSPF
To disable the OSPF routing configuration, execute the 'no router' command from the command prompt as below: ospf(config)# no router ospf
3.1.3 Configure Border Gateway Protocol (BGP)
This option is available only when Cyberoam is deployed in Gateway mode.
BGP is a path vector protocol that is used to carry routing information between routers that are in different administrative domains (Autonomous Systems); e.g. BGP is typically used by ISPs to exchange routing information between different ISP networks.
The Cyberoam implementation of BGP supports:
Version 4 (RFC 1771)
Communities Attribute (RFC 1997)
Route Reflection (RFC 2796)
Multiprotocol extensions (RFC 2858)
Capabilities Advertisement (RFC 2842)
Additionally, a firewall rule is to be configured for the zone for which the BGP traffic is to be allowed, i.e. LAN to LOCAL or WAN to LOCAL.
How BGP works
When BGP is enabled, the Cyberoam advertises routing table updates to neighboring autonomous systems whenever any part of the Cyberoam routing table changes. Each AS, including the local AS of which the Cyberoam unit is a member, is associated with an AS number. The AS number references a particular destination network.
BGP updates advertise the best path to a destination network. When the Cyberoam unit receives a BGP update, the Cyberoam examines potential routes to determine the best path to a destination network before recording the path in the Cyberoam routing table.
BGP configuration Task List
Prerequisite
Interface IP addresses configured from the Network Configuration Wizard
BGP must be enabled before carrying out any of the BGP commands. To configure BGP, use the following commands from the CLI Console:
1. Go to Option 3 (Route Configuration)
2. Go to Option 1 (Configure Unicast Routing)
3. Go to Option 3 (Configure BGP)
4. To configure BGP, perform the tasks described in the following table.
Step: Enable BGP
Command: bgp> enable
Purpose: Enables the BGP routing process and places you in the Global Configuration mode.

Step: Specify a list of networks for the BGP routing process
Command: bgp# configure terminal
Purpose: Enables the BGP configuration mode, which places you in the Router Configuration mode and allows you to configure from the terminal.
Command: bgp(config)# router bgp AS number
Purpose: Allows you to configure and start the BGP routing process. AS number is the number of the local AS that the Cyberoam unit is a member of.
Command: bgp(config-router)# network ip-address
Specify ip-address with the subnet information of the network to be advertised.
Purpose: The IP addresses and network masks of networks to advertise to BGP peers. The Cyberoam may have a physical or VLAN interface connected to those networks.

Step: View configuration
Command: bgp(config-router)# show running-config
By default, the router ID is the Cyberoam IP address. The router ID is used to identify the Cyberoam to other BGP routers. You can change the router ID using the following command: bgp(config-router)# bgp router-id IP address
The router-id can be an integer or can take a form similar to an IP address A.B.C.D.
Command: bgp(config-router)# end
Purpose: Exits from the Router Configuration mode.

Step: Exit to Router Management Menu
Command: bgp# exit
Purpose: Exits to the Router Management Menu.

Removing routes
To remove a route configuration, execute the 'no network' command from the command prompt as below: bgp(config-router)# no network <ip address>
Disabling BGP
To disable the BGP routing configuration, execute the 'no router' command from the command prompt as below: bgp(config)# no router bgp AS number
3.1.0 Exit
Type '0' to exit from the Unicast Routing configuration menu and return to Router Management.
3.2 Configure Multicast Routing
IP Multicast
Internet Protocol (IP) multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of recipients and homes. IP Multicast delivers source traffic to multiple receivers without adding any additional burden on the source or the receivers.
Applications like videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news use IP multicasting.
If IP multicast is not used, the source is required to send more than one copy of a packet, i.e. an individual copy to each receiver. In that case, high-bandwidth applications like video or stock quotes, where data is to be sent frequently and simultaneously, use a large portion of the available bandwidth. In these applications, the only efficient way of sending information to more than one receiver simultaneously is by using IP Multicast.
Multicast Group
Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving a particular data stream. This group does not have any physical or geographical boundaries: the hosts can be located anywhere on the Internet. Hosts that are interested in receiving data flowing to a particular group must join the group. Hosts must be a member of the group to receive the data stream.
IP Multicast Addresses
Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group.
IP Class D Addresses
The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. Multicast addresses fall in the Class D address space, ranging from 224.0.0.0 to 239.255.255.255.
This address range is only for the group address or destination address of IP multicast traffic. The source address of a multicast datagram is always the unicast source address.
Multicast forwarding
In multicast routing, the source is sending traffic to a group of hosts represented by a multicast group address. The multicast router must determine which direction is upstream (toward the source) and which direction (or directions) is downstream. If there are multiple downstream paths, the router replicates the packet and forwards the traffic down the appropriate downstream paths, which is not necessarily all paths.
3.2.1 Enable/Disable Multicast forwarding
With multicast forwarding, a router forwards multicast traffic to networks where other multicast devices are listening. Multicast forwarding prevents the forwarding of multicast traffic to networks where there are no nodes listening.
For multicast forwarding to work across inter-networks, nodes and routers must be multicast-capable.
A multicast-capable node must be able to:
Send and receive multicast packets.
Register the multicast addresses being listened to by the node with local routers, so that multicast packets can be forwarded to the network of the node.
IP multicasting applications that send multicast traffic must construct IP packets with the appropriate IP multicast address as the destination IP address. IP multicasting applications that receive multicast traffic must inform the TCP/IP protocol that they are listening for all traffic to a specified IP multicast address.
Setting up IP Multicast forwarding
Configuring multicast forwarding is a two-step process:
Enable multicast forwarding (both modes)
Configure multicast routes (only in Gateway mode)
To enable multicast forwarding, go to Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 1 (Enable/Disable Multicast forwarding) and execute the following command:
console> enable multicast-forwarding
3.2.2 Configure Static multicast routes
Go to Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:
console> mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
Multicast routes cannot be added before enabling multicast forwarding.
where,
input-interface - interface from which the multicast traffic is supposed to arrive (interface that leads to the source of multicast traffic). This is the port through which traffic arrives.
source-ip - unicast IP address of the source transmitting multicast traffic
dest-ip - class D IP address (224.0.0.0 to 239.255.255.255)
output-interface - interface on which you want to forward the multicast traffic (interface that leads to the destination of multicast traffic). This is the port through which traffic goes.
For example:
console> mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortB
Cyberoam will forward multicast traffic received on interface PortA from IP address 1.1.1.1 to 230.1.1.2 through interface PortB.
If you want to inject multicast traffic into more than one interface, you have to add a route for each destination interface. For example:
console> mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortB
console> mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortC
Viewing routes
Go to Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:
console> mroute show
Removing a route
Go to Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:
console> mroute del input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortC
Please note
Source and destination interfaces cannot be the same for a multicast route.
Multiple destination interfaces cannot be defined in one route. Route manipulation per interface is required to add/delete such routes.
Non-Ethernet interfaces like ipsec0, etc. are not supported.
Multicast routes over IPSec VPN tunnel
Cyberoam supports secure transport of multicast traffic over an untrusted network using an IPSec/VPN connection.
It is possible to send and receive both unicast and multicast traffic between two or more VPN sites connected through the public Internet. This removes the dependency on multicast-aware routers between the sites connecting via IPSec/VPN.
Any unicast host wanting to access a multicast host must be configured as an explicit host (with netmask /32) in the VPN configuration.
Go to Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following commands.
CLI Commands
1. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from a given interface to another interface.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
2. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given interface to a GRE tunnel.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore
3. Command: mroute add input-interface Port<port number> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given interface to IPSec tunnels. Cyberoam automatically selects the appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
4. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from an IPSec tunnel to an interface.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
5. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given IPSec tunnel to other IPSec tunnels. Cyberoam automatically selects the appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
6. Command: mroute add input-tunnel ipsec name <ipsec connection name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a given IPSec tunnel to a GRE tunnel.
E.G. mroute add input-tunnel ipsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore
7. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-interface Port<port number>
To forward multicast traffic coming from a GRE tunnel to an interface.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB
8. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel gre name <gre tunnel name>
To forward multicast traffic coming from a GRE tunnel to another GRE tunnel.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1
9. Command: mroute add input-tunnel gre name <gre tunnel name> source-ip <ipaddress> dest-ip <ipaddress> output-tunnel ipsec
To forward multicast traffic coming from a given GRE tunnel to IPSec tunnels. Cyberoam automatically selects the appropriate tunnel to be used depending upon the Local Network and Remote Network configuration.
E.G. mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel ipsec
10. Command: mroute del source-ip <ipaddress> dest-ip <ipaddress>
To delete a multicast route.
E.G. mroute del source-ip 192.168.1.2 dest-ip 239.0.0.
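The following Python helper is an added example and is not part of the Cyberoam guide or its software. It encodes the constraints the guide states for static multicast routes in section 3.2.2 and in the CLI Commands list above (unicast source-ip, class D dest-ip, distinct source and destination interfaces, Port<N> interfaces only, one route per output interface) so that a set of mroute add/del lines can be checked before they are typed into the console. The Endpoint class, the port()/ipsec()/gre() constructors and rejected() are my own names; the addresses and tunnel names in the sample are the guide's own.

```python
"""Build and sanity-check Cyberoam 'mroute add' / 'mroute del' console lines.

Added example (not from the Cyberoam guide). It enforces the rules the guide states:
  - source-ip must be a unicast address, dest-ip a class D group (224.0.0.0-239.255.255.255)
  - source and destination interfaces cannot be the same
  - only Port<N> interfaces are accepted; non-Ethernet interfaces (ipsec0, ...) are not supported
  - one route per output: several outputs become several 'mroute add' lines
Keyword spellings ('input-interface PortA', 'input-tunnel ipsec name X', 'output-tunnel gre name X',
'output-tunnel ipsec') follow the guide's command list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")  # class D, as stated in the guide
PORT_RE = re.compile(r"^Port[A-Z0-9]+$")                # PortA, PortB, ... (assumed naming)


@dataclass(frozen=True)
class Endpoint:
    """One side of a multicast route: a physical port or a tunnel (hypothetical helper type)."""
    kind: str                   # "interface", "ipsec" or "gre"
    name: Optional[str] = None  # PortX, or the tunnel's connection name

    def render(self, side: str) -> str:
        """Render as the console's input-/output- keyword group."""
        if self.kind == "interface":
            return f"{side}-interface {self.name}"
        if self.kind == "gre":
            return f"{side}-tunnel gre name {self.name}"
        # ipsec: an input tunnel is named; an output tunnel is auto-selected by Cyberoam
        if side == "input":
            return f"input-tunnel ipsec name {self.name}"
        return "output-tunnel ipsec"


def port(name: str) -> Endpoint:
    """Interface endpoint; rejects non-Ethernet names such as ipsec0 (unsupported per the guide)."""
    if not PORT_RE.match(name):
        raise ValueError(f"unsupported interface {name!r}: only Port<N> interfaces can be used")
    return Endpoint("interface", name)


def ipsec(name: Optional[str] = None) -> Endpoint:
    """IPSec tunnel endpoint; the name is required only on the input side."""
    return Endpoint("ipsec", name)


def gre(name: str) -> Endpoint:
    """GRE tunnel endpoint (always named)."""
    return Endpoint("gre", name)


def check_addresses(source_ip: str, dest_ip: str) -> None:
    """source-ip must be unicast, dest-ip must be a class D group address."""
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(dest_ip)
    if src in MULTICAST_RANGE:
        raise ValueError(f"source-ip {source_ip} must be the unicast address of the sender")
    if dst not in MULTICAST_RANGE:
        raise ValueError(f"dest-ip {dest_ip} is not a class D group address")


def mroute_add(inp: Endpoint, source_ip: str, dest_ip: str, outputs: List[Endpoint]) -> List[str]:
    """Return one 'mroute add' line per output, as the guide requires."""
    check_addresses(source_ip, dest_ip)
    if inp.kind == "ipsec" and not inp.name:
        raise ValueError("an IPSec input tunnel must be named (input-tunnel ipsec name <connection>)")
    if not outputs:
        raise ValueError("at least one output interface or tunnel is required")
    lines = []
    for out in outputs:
        if out.kind == "interface" and inp.kind == "interface" and out.name == inp.name:
            raise ValueError(f"source and destination interface cannot both be {inp.name}")
        lines.append(
            f"mroute add {inp.render('input')} source-ip {source_ip} "
            f"dest-ip {dest_ip} {out.render('output')}"
        )
    return lines


def mroute_del(source_ip: str, dest_ip: str) -> str:
    """Short delete form from command 10 of the guide's CLI list."""
    check_addresses(source_ip, dest_ip)
    return f"mroute del source-ip {source_ip} dest-ip {dest_ip}"


def rejected(fn, *args) -> bool:
    """True when fn(*args) violates one of the console-side constraints (raises ValueError)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the guide's PortA -> PortB/PortC case, then tunnel ingress/egress.
    for line in mroute_add(port("PortA"), "1.1.1.1", "230.1.1.2", [port("PortB"), port("PortC")]):
        print(line)
    for line in mroute_add(ipsec("Net2Net"), "192.168.1.2", "239.0.0.55", [gre("Elitecore"), ipsec()]):
        print(line)
    print(mroute_del("192.168.1.2", "239.0.0.55"))
```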
Known Behavior
CLI shows only static interfaces as input and output interface whereas Web Admin Console shows both, static as well as dynamic interfaces (PPPoE, DHCP).
3.2.0 Exit
Type '0' to exit from the Multicast Routing Configuration menu and return to Router Management.
3.0 Exit
Type '0' to exit from the Routing tables menu and return to the Main Menu.
4. Cyberoam Console
Use to perform various checks and view logs for troubleshooting.
Generally, when using command line help, one has to remember the parameters/arguments of a command or go to the help and check for the parameters. Users using the command line for the first time face difficulty in both situations.
To remove this difficulty, Cyberoam has inbuilt help at the command prompt itself.
Press 'Tab' to view the list of commands supported.
Type a command and then press Tab to view the list of argument(s) supported or required. For example, after typing ping, press Tab: it shows what parameters are required or allowed.
Type a command and then press the question mark to view the list of argument(s) supported, with their description. For example, after typing ping, press the question mark: it shows what parameters are required or allowed, with a description.
Type Exit to return to the Main menu.
Note
Refer to Annexure A for the detailed help on various commands supported.
5. Cyberoam Management
Use this menu to
Check and Upgrade Webcat Latest Database
Check and Upgrade to latest IPS Signatures
Reset to Factory Defaults
Custom Menu
Flush Appliance Reports
5.1 Check and Upgrade Webcat Latest Database
Use to check for and upgrade to the latest Webcat Database.
5.2 Check and Upgrade to Latest IPS Database
Use to check for and upgrade to the latest IPS database.
5.3 Reset to Factory Defaults
This option resets all the customized configurations to their original state. All customization done after the initial deployment will be deleted including network configuration, HTTP proxy cache, passwords, groups, users and policies.
5.4 Custom Menu
This option is used for client specific customization.
5.5 Flush Appliance Reports
This option flushes all the Cyberoam-iView reports. This makes the appliance inaccessible for some time, as flushing reports takes time.
Note
This option is not available in Cyberoam models CR 15i, CR 15wi, CR 15iNG and CR 15wiNG.
5.0 Exit
Type '0' to exit from the Cyberoam Management menu and return to the Main menu.
6. VPN Management
The menu below is displayed only when Cyberoam is deployed in Gateway mode.
6.1 Regenerate RSA Key
RSA is used as one of the authentication methods to authenticate IPSec end-points in Site-to-Site and Host-to-Host VPN connections.
Use this option to regenerate the RSA Key, i.e. a new Public-Private Key pair, on the Cyberoam appliance.
Note
As evident from the screen above, every time you regenerate the RSA Key, you need to change your RSA Key at all the remote locations too.
6.2 Restart VPN service
Use to restart the VPN Service.
6.0 Exit
Type '0' to exit from the VPN menu and return to the Main menu.
7. Shutdown/Reboot Cyberoam
Use to shut down or reboot Cyberoam.
Type 's' to shut down the Appliance, 'r' to soft reboot the Appliance, 'R' to hard reboot the Appliance, and press the 'Enter' key to exit.
0. Exit
Type '0' to exit from Cyberoam Console Management.
Annexure A
clear
Clears the screen
Syntax
clear
cyberoam
Cyberoam Management
Syntax
cyberoam [appliance_access | application_classification | auth | cr-vlan-tag | dhcp | diagnostics | fsck-on-nextboot | gre | ha | ips_autoupgrade | ipsec_route | ipv6 | link_failover | restart | route_precedence | shutdown | system_modules | wwan | serial_dialin]
Parameter list & description
appliance_access [disable | enable | show]
To override or bypass the configured Appliance Access and allow access to all the Cyberoam services. Disable to reapply Appliance Access. By default, it is disabled. Enable and disable events are logged in Admin Logs.
application_classification [off | on | show]
If enabled, traffic is categorized on the basis of application, and the traffic discovery live connections displayed on the Web Admin Console are displayed based on the application. If disabled, traffic is categorized by port-based applications, and application-based traffic discovery does not display any signature-based application. By default, it is ON.
Cyberoam Authentication Options
auth [cta | thin-client]
Enable authentication: transparent authentication and thin-client authentication for AD users. cta - add and remove CTA collector IP addresses for clientless Single Sign On configuration. thin-client - add and remove Citrix server IP addresses for thin-client support.
1. Manage cta options: auth [cta {collector | enable | unauth-traffic | disable | show | vpnzonenetwork}]
Manage collector options: auth cta [collector {add | delete}]
To add a collector in a new group: auth cta [collector {add <collector-ip> collector-port <port> create-new-collector-group}]
To add a collector in an existing collector group: auth cta [collector {add <collector-ip> collector-port <port> collector-group <group-number>}]
To delete a collector IP: auth cta [collector {delete <collector-ip>}]
To enable cta: auth cta [enable]
Manage drop period options for unauthenticated traffic: auth cta [unauth-traffic <drop-period>]
To configure the default drop period for unauthenticated traffic: auth cta [unauth-traffic drop-period <default>]
To manually configure the drop period for unauthenticated traffic: auth cta [unauth-traffic drop-period <0-120>]
To disable cta: auth cta [disable]
To display all cta configurations: auth cta [show]
Manage VPN zone Network options: auth cta [vpnzonenetwork]
To add a source-network IP Address: auth cta [vpnzonenetwork {add source network <ipaddress>}]
To delete a source-network IP Address: auth cta [vpnzonenetwork {delete source network <ipaddress>}]
2. Manage thin-client options: auth [thin-client {add | delete | show}]
To add a thin-client IP Address: auth [thin-client {add citrix-ip <ipaddress>}]
To delete a thin-client IP Address: auth [thin-client {delete citrix-ip <ipaddress>}]
To display thin-client IP Addresses: auth [thin-client {show}]
Cyberoam VLAN tag
cr-vlan-tag [reset | set | show]
Set a VLAN tag on traffic which is originated by Cyberoam and does not fall in any firewall rule. set - set vlanid <0-4094> on the bridge interface. reset - reset or remove the vlanid on the bridge interface. show - show the configured VLAN tags on the bridge interface(s).
To reset vlanid: cr-vlan-tag [reset]
To set vlanid: cr-vlan-tag [set]
To display the configured vlanid: cr-vlan-tag [show]
DHCP Management
dhcp [dhcp-options | lease-over-IPSec]
Cyberoam supports configuration of DHCP options, as defined in RFC 2132. DHCP options allow users to specify additional DHCP parameters in the form of predefined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.
1. Manage DHCP options: dhcp [dhcp-options {add | binding | delete | list}]
To add a custom DHCP option: dhcp [dhcp-options {add optioncode <1-255> optionname <string> optiontype (array-of | one-byte | two-byte | four-byte | ipaddress | string | boolean)}]
To delete a custom DHCP option: dhcp [dhcp-options {delete optionname <Option name>}]
To display all configurable DHCP options: dhcp [dhcp-options {list}]
To manage additional options for a DHCP server:
Add option to DHCP Server: dhcp [dhcp-options {binding add (dhcpname <DHCP server name> optionname <DHCP Options> value <text>)}]
Delete option from DHCP Server: dhcp [dhcp-options {binding delete (dhcpname <DHCP server name>)}]
Show options assigned to DHCP Server: dhcp [dhcp-options {binding show (dhcpname <DHCP server name>)}]
2. Manage IP Lease over IPSec
To disable IP Lease over IPSec for all DHCP Servers (Default Value): dhcp [lease-over-IPSec {disable}]
To enable IP Lease over IPSec for all DHCP Servers: dhcp [lease-over-IPSec {enable}]
To display all IP Lease over IPSec configuration: dhcp [lease-over-IPSec {show}]
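The option types accepted by `dhcp dhcp-options add ... optiontype (...)` map onto the RFC 2132 code/length/data layout. The following encoder and parser are an added example (not Cyberoam code) showing what ends up in the options field for each type and the limit the one-octet length field imposes; the `array-of:<type>` spelling and all option codes and values are constructed assumptions for illustration.

```python
"""RFC 2132 option encoding for the optiontype values listed above.

Added example, not Cyberoam code. The 'array-of:<element type>' spelling is
this example's convention (the page does not show how the element type is
named), and the option codes and values in the tests are constructed samples.
"""
import ipaddress
import struct

PAD, END = 0, 255  # RFC 2132 single-octet options that carry no length field


def encode_value(optiontype, value):
    """Return the data octets for one value of a scalar optiontype."""
    if optiontype == "one-byte":
        return struct.pack("!B", value)
    if optiontype == "two-byte":
        return struct.pack("!H", value)  # network byte order, as RFC 2132 requires
    if optiontype == "four-byte":
        return struct.pack("!I", value)
    if optiontype == "ipaddress":
        return ipaddress.IPv4Address(value).packed
    if optiontype == "string":
        return value.encode("ascii")  # NVT ASCII, no terminating NUL
    if optiontype == "boolean":
        return b"\x01" if value else b"\x00"
    raise ValueError(f"unsupported optiontype {optiontype!r}")


def encode_option(optioncode, optiontype, value):
    """Build one option as code (1 octet) + length (1 octet) + data.

    The CLI range is 1-255, but 255 is the RFC 2132 END marker and 0 is PAD;
    neither can carry a length/data field, so they are refused here.
    """
    if not 1 <= optioncode <= 254:
        raise ValueError("optioncode must be 1..254 (0=PAD, 255=END)")
    if optiontype.startswith("array-of:"):
        element = optiontype.split(":", 1)[1]
        if element == "string":
            raise ValueError("array-of string has no unambiguous wire form")
        data = b"".join(encode_value(element, v) for v in value)
    else:
        data = encode_value(optiontype, value)
    if len(data) > 255:
        raise ValueError("option data longer than the 255-octet length field")
    return struct.pack("!BB", optioncode, len(data)) + data


def build_options_field(options):
    """Concatenate (code, type, value) triples and terminate with END (255)."""
    return b"".join(encode_option(*opt) for opt in options) + bytes([END])


def decode_options(field):
    """Parse an options field into [(code, data), ...]; PAD is skipped, END stops."""
    result, i = [], 0
    while i < len(field):
        code = field[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:  # length claims more octets than remain
            raise ValueError(f"option {code} truncated")
        result.append((code, data))
        i += 2 + length
    return result
```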
Appliance Diagnostics
diagnostics [ctr-log-lines | purge-old-logs | subsystems | purge-all-logs | show | utilities]
Various tools to check appliance health. ctr-log-lines - set the number of lines to display from the Cyberoam Troubleshoot Report (CTR) log file. Default - 1000. purge-old-logs - purge all rotated log files. subsystems - configure each subsystem individually. Configuration options include: debug, purge-logs and purge-old-logs. purge-all-logs - truncate all log files. show - view diagnostics statistics. utilities - view utilities statistics.
1. To take the last n lines for the Cyberoam Troubleshoot Report (CTR): diagnostics [ctr-log-lines <250-10000>]
2. To truncate all rotated logs: diagnostics [purge-old-logs]
3. To configure Subsystems: diagnostics [subsystems {Access-Server | Bwm | CSC | IM | IPSEngine | LoggingDaemon | Msyncd | POPIMAPFTPDeamon | Pktcapd | SMTPD | SSLVPN | SSLVPN-RPD | WebProxy | Wifiauthd}]
Manage Access Server options: diagnostics [subsystems {Access-Server (debug | purge-log | purge-old-log)}]
Enable/Disable Access Server debug: diagnostics [subsystems {Access-Server debug <off | on>}]
To truncate all logs: diagnostics [subsystems {Access-Server (purge-log)}]
To truncate all rotated logs: diagnostics [subsystems {Access-Server (purge-old-log)}]
Manage CSC options: diagnostics [subsystems {CSC (debug | purge-log | purge-old-log)}]
Toggle CSC debug mode: diagnostics [subsystems {CSC debug <off | on>}]
To truncate all logs: diagnostics [subsystems {CSC (purge-log)}]
To purge all rotated logs: diagnostics [subsystems {CSC (purge-old-log)}]
Note:
Here we are showing management options for two subsystems only, since all except CSC offer the same three configuration options, i.e. to enable/disable debug mode, to truncate all logs and to purge old logs.
In the case of CSC, the debug mode differs a little. In all the other subsystems the administrator has an option to enable/disable debug mode, while in CSC the debug mode can only be toggled.
4. To truncate all logs: diagnostics [purge-all-logs]
5. To view diagnostic statistics: diagnostics [show]
6. To view utilities statistics: diagnostics [utilities]
Note:
The SSLVPN option will be visible in all the models except CR15i and CR15wi.
The Wifiauthd option will be visible in CR15wi, CR15wiNG, CR25wi, CR 25wiNG/6P, CR35wi and CR35wiNG models only.
The Msyncd option will be visible in all the models except CR15i, CR 15iNG, CR15wi, CR 15wiNG, CR25wi, CR25wiNG/6P, CR35wi and CR35wiNG.
fsck-on-nextboot [off | on | show]
Check the file system integrity of all the partitions. Turning this option ON forcefully checks the file system integrity on the next appliance reboot. By default, the check is OFF, but whenever the appliance goes into failsafe due to the following reasons, this check is automatically turned ON:
Unable to start Config/Report/Signature Database
Unable to Apply migration
Unable to find the deployment mode
Once the check is turned ON, all the partitions will be checked on the next boot. In addition, the check will be turned OFF again on the next boot.
If the option is ON and the appliance boots up due to the following reasons, then the file system check will not be enforced and the option will be disabled after boot:
Factory reset
Flush Appliance Report
GRE Tunneling
gre [route | tunnel]
Configure, delete, set the TTL and status of a GRE tunnel, and view route details like tunnel name, local gateway network and netmask, remote gateway network and netmask.
Note:
1. A GRE tunnel cannot be configured over a dynamic WAN interface such as PPPoE and DHCP.
2. After creating a GRE Tunnel, information regarding the same will be displayed on the Multicast page.
3. Ping the IP address of the remote GRE interface to check the status of the GRE tunnel.
1. For GRE tunnel: gre tunnel [add | show | set | delete]
To add a GRE Tunnel: gre tunnel [add {name <tunnel-name> local-gw <WAN_Interface> remote-gw <Remote_WAN_IP> local-ip <LocalIP> remote-ip <RemoteIP>}]
To list GRE Tunnels: gre tunnel [show]
To set the TTL for a GRE Tunnel: gre tunnel [set {name <tunnel-name> ttl <ttlvalue>}]
To set the state of a GRE Tunnel: gre tunnel [set {name <tunnel-name> state (enable | disable)}]
To delete a GRE Tunnel:
1. gre tunnel [del {name <tunnel-name> local-gw <WAN_Interface> remote-gw <Remote_WAN_IP>}]
2. gre tunnel [del {name <tunnel-name>}]
3. gre tunnel [del {ALL}]
To check the status of a GRE Tunnel: gre tunnel [show {name <tunnel-name>} | {local-gw <WAN_Interface> remote-gw <Remote_WAN_IP>}]
2. Unicast Routing Support in GRE: gre route [add | delete | show]
To add a Unicast Route for a Network: gre route [add {net <Network Address/Mask> tunnelname <Tunnel Name>}]
To add a Unicast Route for a Host: gre route [add {host <IP> tunnelname <Tunnel Name>}]
To delete a Unicast Route for a Network: gre route [delete {net <Network Address/Mask> tunnelname <Tunnel Name>}]
To delete a Unicast Route for a Host: gre route [delete {host <IP> tunnelname <Tunnel Name>}]
To see all the networks and hosts with their respective GRE Tunnels: gre route [show]
Configure, delete and verify the details of Unicast Routes for a network or a host, with the respective GRE tunnel.
High Availability Options
ha [disable | load-balancing {off | on} | show {details | logs lines <number>}]
disable - Option to disable HA. One can enable HA from the Web Admin Console - System > HA. load-balancing - Option to disable traffic load balancing between the cluster appliances. By default, as soon as Active-Active is configured, traffic load balancing is enabled. show - Displays HA configuration details like HA status and state, current and peer appliance key, dedicated port and IP address, load balancing and Auxiliary Administrative port and IP address. It also displays HA logs if HA is configured.
Appliance IPS Autoupgrade
ips_autoupgrade [off | on | show]
Enable or disable IPS auto-upgrade. One can also enable/disable it from the Web Admin Console - System > Maintenance > Updates.
Manage Static IPSec Routes
ipsec_route [add | del | show]
Configure IPSec routes and view route details like tunnel name, host/network and netmask.
To add an IPSec Route for a Host: ipsec_route [add {host <IP> tunnelname <Tunnel Name>}]
To add an IPSec Route for a Network: ipsec_route [add {net <Network Address/Mask> tunnelname <Tunnel Name>}]
To delete an IPSec Route for a Host: ipsec_route [del {host <IP> tunnelname <Tunnel Name>}]
To delete an IPSec Route for a Network: ipsec_route [del {net <Network Address/Mask> tunnelname <Tunnel Name>}]
To see all the networks and hosts with their respective IPSec Tunnels: ipsec_route [show]
IPv6 Configuration
ipv6 [interface | reset-router-adv | tunnel | neighbour | route]
Configure the IPv6 protocol. address - add and remove a v6 IP address. prefix - add and remove a v6 IP address prefix. default-life - Router lifetime (0-9000 seconds). Default - 1800. hop-limit - Current Hop Limit (0-255). Default - 0. link-mtu - MTU Value (1280 to 1500). Default - 0. manage-flag - Managed address configuration. max-interval - Maximum time interval between sending unsolicited multicast router advertisements (4-1800 seconds). Default - 600. min-interval - Minimum time interval between sending unsolicited multicast router advertisements (4-1800 seconds). Default - 198. other-flag - Other stateful configuration. reachable-time - Reachable Time (0-3600 milliseconds). Default - 0. retrans-time - Retransmission Time (0-60 seconds). Default - 0. send-adv - Send periodic router advertisements and respond to router solicitations. show - Show the Router Advertisement configuration.
1. Manage IPv6 Interface options: ipv6 [interface {Port <port name> address (add <ipaddress6> | delete <ipaddress6> | show)}]
To assign an ipv6 address to the Interface: ipv6 [interface {Port <port name> address (add <ipaddress6>)}]
To delete the ipv6 address assigned to the Interface: ipv6 [interface {Port <port name> address (delete <ipaddress6>)}]
To display the ipv6 address assigned to the Interface: ipv6 [interface {Port <port name> address (show)}]
2. Reset Router Advertisement Configurations: ipv6 [reset-router-adv]
3. Manage IPv6 Tunnel options: ipv6 [tunnel {add | del | show}]
To add an ipv6 tunnel: ipv6 [tunnel {add (tunnel-name <tunnel name> remote-ip <ip address> local-ip <ip address> localip6 <ipv6 address>)}]
To delete an ipv6 tunnel: ipv6 [tunnel {del (tunnel-name <tunnel name>)}]
To display all the ipv6 tunnels: ipv6 [tunnel {show}]
4. Manage IPv6 Neighbour options: ipv6 [neighbour {clear | show}]
To flush the neighbour information: ipv6 [neighbour {clear}]
To display the neighbour information: ipv6 [neighbour {show}]
5. Manage IPv6 Route options: ipv6 [route {add | delete | show}]
To add an ipv6 route: ipv6 [route {add <ipaddress6>}]
To delete an ipv6 route: ipv6 [route {delete <ipaddress6>}]
To display all the ipv6 routes: ipv6 [route {show}]
Manage link failover over VPN
link_failover [add | del | show]
VPN can be configured as a Backup link. With this, whenever the primary link fails, traffic will be tunneled through the VPN connection, and traffic will be routed through the primary link again once it is UP.
1. Manage Add Link Fail-over options: link_failover [add {primarylink Port <Port Name> backuplink (gre | vpn)}]
To configure a GRE Tunnel as a Backup link using PING: link_failover [add {primarylink Port <Port Number> backuplink gre tunnel <gre tunnel name> monitor PING host <ip address>}]
To configure a GRE Tunnel as a Backup link using TCP: link_failover [add {primarylink Port <Port Number> backuplink gre tunnel <gre tunnel name> monitor TCP host <ip address> Port <Port Number>}]
To configure an IPSec/VPN connection as a Backup link using PING: link_failover [add {primarylink Port <Port Number> backuplink vpn tunnel <ipsec connection name> monitor PING host <ip address>}]
To configure an IPSec/VPN connection as a Backup link using TCP: link_failover [add {primarylink Port <Port Number> backuplink vpn tunnel <vpn connection name> monitor TCP host <ip address> Port <Port Number>}]
2. To delete the link failover configuration: link_failover del primarylink <Port name>
3. To display all link failover configuration: link_failover [show]
Restart Cyberoam
restart [all]
Manage Route Precedence
route_precedence [set | show]
Set the route precedence.
1. Manage Set Route Precedence options: route_precedence [set {static | vpn}]
To configure Static Routes Precedence: route_precedence [set {static vpn}]
To configure VPN Routes Precedence: route_precedence [set {vpn static}]
2. To display the Route Precedence configuration: route_precedence [show]
serial_dialin [enable | disable | modem-nvram (reset | save-initstring)]
This command is available only in CR15i, CR15iNG, CR15wi and CR 15wiNG appliances.
Enable/Disable serial dial-in or DB9. enable - Enables the serial dial-in feature. A modem can be connected to Cyberoam's serial (COM) port. disable - Disables the serial dial-in feature. modem-nvram - save/reset the init string in the modem. reset - Reset the init string in the modem to the factory default value. save - Save the pre-configured init string in the modem's memory.
Shutdown Cyberoam
shutdown
Load/Unload System Modules
system_modules [h23 {load | unload} | irc {load | unload} | pptp {load | unload} | show | sip {load | unload} | tftp {load | unload}]
Load or unload the system modules like h23, irc, sip, tftp. By default, all the modules are loaded. Load/unload modules to enhance the network performance and reduce the potential security risk.
H323 - The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the International Telecommunications Union (ITU) that sets standards for multimedia communications over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS). It enables users to participate in the same conference even though they are using different videoconferencing applications.
PPTP - PPTP (Point to Point Tunneling Protocol) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Point to Point VPN tunnel using a TCP/IP based network.
IRC - IRC (Internet Relay Chat) is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it is an open network, and with no control on file sharing, performance is affected.
SIP - SIP (Session Initiation Protocol) is a signaling protocol which enables the controlling of media communications such as VOIP. The protocol is generally used for maintaining unicast and multicast sessions consisting of several media systems. SIP is a text based, TCP/IP supported Application layer protocol.
TFTP - Trivial File Transfer Protocol (TFTP) is a simple form of the File Transfer Protocol (FTP). TFTP uses the User Datagram Protocol (UDP) and provides no security features.
Wireless WAN
wwan [disable | enable | query | set | show]
Enable or disable wireless WAN and view information about the Wi-Fi modem (if plugged in). The Wireless WAN menu will be available on the Web Admin Console only when wwan is enabled from the CLI.
1. To disable WWAN: wwan [disable]
2. To enable WWAN: wwan [enable]
3. Manage WWAN Query options: wwan [query {serialport <serial port number> ATcommand <at command string>}]
4. Manage WWAN Set options: wwan [set {disconnect-onsystemdown (off | on)}]
5. To display the WWAN configuration: wwan [show]
dnslookup
Query Internet domain name servers for hostname resolving
Syntax
dnslookup [host {<ipaddress> | <string>}]
Parameter list & description
host [<ipaddress> | <string>]: Host to be searched
server [<ipaddress> [host]]: Internet name or address of the name server
ping
Sends ICMP ECHO_REQUEST packets to network hosts
Syntax
ping [<ipaddress> | <string> | count | interface | quiet | size | sourceip | timeout]
Parameter list & description
<ipaddress>: IP address to be pinged
<string>: Domain to be pinged
count <number>: Stop sending packets after count
interface [Port <port ID>]: Set source address
quiet: Display the summary at startup and end
size <number>: Number of data bytes to be sent
sourceip <ipaddress>: IP address of the source
timeout <number>: Stop sending packets and exit after the specified time
route
Use to view / manipulate the IP routing table. Route manipulates the kernel's IP routing tables. Its primary use is to set up temporary routes to specific hosts or networks via an interface. When the add or del options are used, route modifies the routing tables. Without these options, route displays the current contents of the routing tables.
Syntax
diagnostics [utilities {route (show)}]
Parameter list & description
show: displays the routing table
Routing table
Destination: The destination network or destination host
Gateway: The gateway address or '*' if not set
Genmask: The netmask for the destination net; '255.255.255.255' for a host destination and '0.0.0.0' for the default route
Flags: Possible flags include
U (route is up)
H (target is a host)
G (use gateway)
R (reinstate route for dynamic routing)
D (dynamically installed by daemon or redirect)
M (modified from routing daemon or redirect)
A (installed by addrconf)
C (cache entry)
! (reject route)
Metric: The 'distance' to the target (usually counted in hops). It is not used by recent kernels, but may be needed by routing daemons.
Ref: Number of references to this route. (Not used in the Linux kernel.)
Use: Count of lookups for the route. Depending on the use of -F and -C this will be either route cache misses (-F) or hits (-C).
Iface: Interface to which packets for this route will be sent
traceroute
Use to trace the path taken by a packet from the source system to the destination system, over the Internet.
The Internet is a large and complex aggregation of network hardware, connected together by gateways. Tracking the route one's packets follow (or finding the miscreant gateway that is discarding your packets) can be difficult. Traceroute utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
Syntax
traceroute [<ipaddress> | <string> | first-ttl | icmp | max-ttl | no-frag | probes | source | timeout | tos]
Parameter list & description
<ipaddress> [size <number>]: Set the IP address to be traced
<string> [size <number>]: Set the domain to be traced
first-ttl: Set the initial time-to-live used in the first outgoing probe packet
icmp: Use ICMP ECHO instead of UDP datagrams
max-ttl: Set the max time-to-live
no-frag: Set the 'don't fragment' bit
probes: Probes are sent at each ttl - default 3
source: Use the given IP address as source address
timeout: Set the timeout - in seconds - for a response to a probe - default 5
tos: Set the type-of-service
enableremote
Allows connecting to Cyberoam remotely, i.e. allows establishing a remote (SSH) connection. By default, remote connection is not allowed.
Syntax
enableremote [port <number> | serverip <ipaddress>]
Parameter list & description
port <number>: Port through which the remote SSH connection can be established
serverip <ipaddress>: IP address of the Cyberoam to which the remote connection can be established
disableremote
Disables the remote (SSH) connection, if enabled. By default, it is not allowed. Refer to enableremote to allow establishing the remote connection.
Syntax
disableremote
set
Set entities
Syntax
set [advanced-firewall | arp-flux | bandwidth | http_proxy | ips | network | on-appliance-reports | proxy-arp | service-param | sslvpn | vpn | lanbypass | report-disk-usage | fqdn-host | virtualhost | port-affinity]
Parameter list & description
advanced-firewall [bypass-stateful-firewall-config {add <dest_host <ipaddress> | dest_network <ipaddress> | source_host <ipaddress> | source_destination <ipaddress>> | del <dest_host <ipaddress> | dest_network <ipaddress> | source_host <ipaddress> | source_destination <ipaddress>>} | cr-traffic-nat {add (destination <ipaddress> | interface Port <port name> | snat <ipaddress> | netmask <netmask>) | delete (destination <ipaddress> | interface Port <port name> | snat <ipaddress> | netmask <netmask>)} | fragmented-traffic <allow | deny> | ftpbounce-prevention <control | data> | midstream-connection-pickup <on | off> | strict-icmp-error-tracking | strict-policy <on | off> | tcp-appropriate-byte-count <on | off> | tcp-est-idle-timeout <2700 - 432000> | tcp-frto <on | off> | tcp-selective-acknowledgement <on | off> | tcp-seq-checking <on | off> | tcp-timestamp <on | off> | tcp-window-scaling <on | off>]
Configure advanced firewall settings.
bypass-stateful-firewall-config - Add a host or network when the outbound and return traffic does not always traverse through Cyberoam.
fragmented-traffic - Allow or deny fragmented traffic.
ftpbounce-prevention - Prevent FTP bounce attacks on the FTP control and data connection.
midstream-connection-pickup - Configure midstream connection pickup settings. Enabling midstream pickup of TCP connections helps when plugging the Cyberoam appliance in as a bridge in a live network without any loss of service. It can also be used for handling network behavior due to peculiar network design and configuration, e.g. atypical routing configurations leading to ICMP redirect messages. By default, Cyberoam is configured to drop all untracked (mid-stream session) TCP connections in both deployment modes.
strict-policy on - Applies strict firewall policy. It drops UDP Dst Port 0, TCP Src Port 0 and/or Dst Port 0, Land Attack, Winnuke Attack, Data On TCP Sync, Zero IP Protocol, TTL Value 0 traffic.
strict-policy off - Disables strict firewall policy.
tcp-appropriate-byte-count On - Controls Appropriate Byte Count (ABC) settings. ABC is a way of increasing the congestion window (cwnd) more slowly in response to partial acknowledgments.
tcp-est-idle-timeout - Set the Idle Timeout between 2700 - 432000 seconds for TCP connections in the established state.
tcp-frto Off - Disables Forward RTO-Recovery (F-RTO). F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts and is particularly beneficial in wireless environments, where packet loss is typically due to random radio interference rather than intermediate router congestion. F-RTO is a sender-side only modification; therefore it does not require any support from the peer.
tcp-selective-acknowledgement Off - Disables selective acknowledgement. Using selective acknowledgments, the data receiver can inform the sender about all segments that have arrived successfully, so the sender need retransmit only the segments that have actually been lost.
tcp-seq-checking - Every TCP packet contains a Sequence Number (SYN) and an Acknowledgement Number (ACK). Cyberoam monitors SYN and ACK numbers within a certain window to ensure that the packet is indeed part of the session. However, certain applications and third party vendors use non-RFC methods to verify a packet's validity, or for some other reason a server may send packets with invalid sequence numbers and expect an acknowledgement. For this reason, Cyberoam offers the ability to disable this feature. By default, this option is ON.
tcp-timestamp Off - Disables timestamps. Timestamp is a TCP option used to calculate the Round Trip Measurement in a better way than the retransmission timeout method.
tcp-window-scaling Off - Disables window scaling. TCP window scaling increases the TCP receiving window size above its maximum value of 65,535 bytes.
arp-flux [on | off]
ARP flux occurs when multiple Ethernet adaptors, often on a single machine, respond to an ARP query. Due to this, problems with the link layer address to IP address mapping can occur. Cyberoam may respond to ARP requests from both Ethernet interfaces. On the machine creating the ARP request, these multiple answers can cause confusion. ARP flux only affects Cyberoam when it has multiple physical connections to the same medium or broadcast domain.
on - Cyberoam may respond to ARP requests from both Ethernet interfaces when Cyberoam has multiple physical connections to the same medium or broadcast domain.
off - Cyberoam responds to ARP requests from the respective Ethernet interface when Cyberoam has multiple physical connections to the same medium or broadcast domain.
bandwidth [default-policy {guaranteed <number> burstable <number> priority <number> | graph} | guarantee {enforced | lenient} | max-limit <number> | allocation-behavior {normal | realtime}]
default-policy and guarantee allow defining the bandwidth restriction on the traffic to which no bandwidth policy is applied, while max-limit allows defining the link bandwidth.
To set the link bandwidth, i.e. the bandwidth provided by the Service Provider, use "set bandwidth max-limit <number>"; to view the configured limit, use the command "show bandwidth max-limit". Default=100mbps.
To enforce bandwidth restriction on the traffic to which no bandwidth policy is applied, so that guaranteed bandwidth is available to the users to whom the guaranteed bandwidth policy is applied, configure "set bandwidth guarantee enforced".
If guarantee is enforced, the default bandwidth policy will be applicable to the traffic to which no bandwidth policy is applied. You can set the guaranteed and burstable bandwidth and priority on this traffic. This bandwidth is applicable on Internal (LAN and DMZ) to External zone (WAN and VPN) traffic and External to Internal zone traffic. Default Guaranteed bandwidth = 0 kbps, Burstable bandwidth = max-limit, priority = 7 (lowest). Guaranteed and burstable bandwidth can be defined as "set bandwidth default-policy guaranteed <number> burstable <number> priority <number>".
If you do not want to enforce the bandwidth restriction on the traffic to which no bandwidth policy is applied, configure "set bandwidth guarantee lenient".
If you want to allocate the excess bandwidth normally after guaranteed bandwidth allocation, configure "set bandwidth allocation-behavior normal".
If you want to allocate bandwidth for real time traffic having a QoS policy with priority 0 (like VOIP), configure "set bandwidth allocation-behavior realtime".
http_proxy [add_via_header <on | off> | dos (add {connection <number> | method (GET <number> | POST <number>)} | delete {connection | method (GET | POST)}) | host-entries (add {host-name <string>} | delete {host-name <string>})]
Set proxy parameters. add_via_header - By default, it is ON. dos - Configure the number of HTTP requests per source IP or the number of HTTP requests per TCP connection. A number of requests higher than the configured rate is considered an attack, and the traffic from the said source is dropped. One can either configure the allowed number of connections or, for granular control, configure the allowed number of requests per Method - GET and PUT. Applicable only when Cyberoam is deployed in transparent mode.
ips
Configure IPS settings.
network [interface-speed [Port <port name> <1000fd | 1000hd | 100fd | 100hd | 10fd | 10hd | auto>] | mtu-mss [port <port name> {mtu <number> | default | mss (<number> | default)}]]
Configure network interface parameters. interface-speed - A speed mismatch between Cyberoam and 3rd party routers and switches can result in errors or collisions on the interface, no connection or traffic latency, or slow performance. mss - Maximum Segment Size - It defines the amount of data that can be transmitted in a single TCP packet
Range
– 576 – 1460 bytes
Page 49 of 62
Cyberoam Console Guide on-appliance-reports [on | off] mtu - Maximum Transmission Unit - It specifies the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks are interconnected and the networks have different MTU sizes. Any packets larger than the MTU value are divided
(fragmented) into smaller packets before being sent.
Default
– 1500 bytes
MTU size is based on addressing mode of the interface.
Range
– 576 – 1500 bytes for static mode
Range
– 576 – 1500 bytes for DHCP mode
Range
– 576 – 1492 bytes for PPPoE mode
Generate on-appliance reports
By default, it is ON proxy-arp[ add [interface Port<port name> | dst_ip <ipaddress> | dst_iprange
(from_ip <ipaddress>]
<ipaddress> ] |
| to_ip del | [interface Port<port number> | dst_ip <ipaddress> | dst_iprange
(from_ip <ipaddress>]
<ipaddress> ] ]
| to_ip service-param [FTP {add | delete} | HTTP
{add | delete}
| SMTP {add | delete}]
| HTTPS
{deny_unknown_proto <on | off> | invalid_certificate <allow | block> } |
IMAP {add | delete} | IM_MSN {add | delete} | IM_YAHOO {add | delete} | POP
Add and delete proxy ARP
By default, Cyberoam inspects all inbound
HTTP, HTTPS, FTP, SMTP, POP and IMAP traffic on the s tandard ports. ―service-param‖ enables inspection of HTTP, HTTPS, FTP,
SMTP, POP, IMAP, IM
– MSN and Yahoo traffic on non-standard ports also. add Port<port name >
– enable inspection for a specified port number. delete Port<port name> - disable inspection for a specified port number. deny_unknown_proto - Allow/deny traffic not following HTTPS protocol i.e. invalid traffic through HTTPS port
By default, it is ON invalid_certificate - If you enable HTTPS scanning, you need to import Cyberoam SSL
Proxy certificate in Internet Explorer, Firefox
Mozilla or any other browsers for decryption on
SSL Inspection otherwise browser will always give a warning page when you try to access any secure site. ―Invalid Certificate error” warning appears when the site is using an invalid SSL certificate. Cyberoam blocks all such sites. Use this command, if you wan to allow access to such sites. sslvpn[proxy-sslv3 <on | off> | webEnable/disable SSL V3 and web access mode
Page 50 of 62
Cyberoam Console Guide access <on | off>] vpn [l2tp {authentication (ANY | CHAP |
MS_CHAPv2 | PAP)} | pptp
{authentication (ANY | CHAP |
MS_CHAPv2 encryption (NONE | SOME
| STRONG | WEAK)| PAP)] lanbypass [off | on] support
Set authentication protocol for l2tp and pptp connections
Enable/disable Lan Bypass report-disk-usage [watermark <number>] Set Watermark in percentage for the Report Disk usage. Watermark represents the allowed level up to which data can be written to the Report
Disk.
Watermark range: 60
– 85
Default
– 80%
In case the Report Disk usage increases more than the set Watermark level, administrator is shown a warning message saying the Report
Disk usage is more than the set Watermark level.
In case the Report Disk usage increases more than 90%, no additional data will be allowed to be written to the Report Disk until the Report
Disk usage is reduced to the set Watermark level. fqdn-host [{cache-ttl <number | default | dns-reply-ttl>}]
Set cache- ttl value for FQDN Host. The cachettl value represents the time (in seconds) after which the cached FQDN Host to IP Address binding will be updated.
Range: 1
– 86400 seconds
Default
– 3600 seconds dns-reply-ttl
– use the ttl value in DNS reply packet as cache-ttl
Enable/disable mail notification for Virtual Host
Fail-over. virtualhost [{failover mail-notification
(disable | enable)}] port-affinity [add {port <Port Name> cpu
<CPU Core>} | defsetup | del { port <Port
Name> } | fwonlysetup]
Configure Port Affinity settings. Administratir can manually assign/unassign a CPU Core to a particular Interface. All the network traffic for the
Interfaces will be handled by the assigned CPU
Cores.
By default, your appliance is shipped with the factory-default Port Affinity settings.
Note:
Port-affinity will be visible in CR 35iNG, CR
35wiNG, CR 50iNG, CR100iNG, CR 200i,
CR200iNG/XP, CR300i, CR300iNG/XP,
CR500ia/RP/1F/10F, CR500iNG-XP,
CR750ia/1F/10F, CR750iNG-XP,
CR1000ia/10F, CR1500ia/10F and CR
2500iNG appliances only.
Page 51 of 62
Cyberoam Console Guide
CPU Cores can be assigned to the binded
Interfaces only.
Portaffinity is not supported with ‗Legacy
Network Adaptors‘, when Cyberoam Virtual
Network Security appliance is deployed in
Microsoft Hyper-V.
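The http_proxy dos thresholds described in the table above (requests per TCP connection, and GET or POST requests per source) can be exercised offline with the following Python, an added example that is not Cyberoam code. The page does not state the measurement window or a log format, so the one-second fixed window, the thresholds in the usage call and the line format of the constructed log are assumptions of this example.

```python
"""Request-rate check modelled on the http_proxy dos thresholds above.
Added example, not Cyberoam code: it counts HTTP requests per TCP connection
and GET/POST requests per source IP, and flags a source as an attacker as soon
as a count exceeds its limit. The page gives no time window or log format, so
the one-second fixed window and the line format of the constructed SAMPLE_LOG
are assumptions of this example."""
from collections import defaultdict

# Constructed log (not a Cyberoam format): "<seconds> <source-ip> <conn-id> <method> <path>"
SAMPLE_LOG = """\
100.0 10.10.10.5 c1 GET /index.html
100.1 10.10.10.5 c1 GET /style.css
100.2 10.10.10.5 c1 GET /logo.png
100.3 10.10.10.5 c2 POST /login
101.0 10.10.10.5 c3 GET /index.html
100.0 203.0.113.9 c4 GET /
100.1 203.0.113.9 c4 GET /
100.2 203.0.113.9 c5 GET /
100.3 203.0.113.9 c5 GET /
100.4 203.0.113.9 c6 GET /
100.5 203.0.113.9 c6 GET /
100.6 203.0.113.9 c7 GET /
100.0 198.51.100.77 c9 POST /api
100.2 198.51.100.77 c9 POST /api
100.4 198.51.100.77 c9 POST /api
100.6 198.51.100.77 c9 POST /api
"""

def parse_line(line):
    ts, src, conn, method, path = line.split()
    return float(ts), src, conn, method, path

def detect_floods(lines, connection_limit=None, get_limit=None, post_limit=None, window=1.0):
    """Return {source_ip: reason} for every source that exceeded a limit.

    connection_limit: max requests on one TCP connection per window
    get_limit / post_limit: max GET / POST requests from one source per window
    None disables a check. Once a source is flagged its later requests are
    skipped, mirroring the drop of all traffic from that source.
    """
    limits = {"connection": connection_limit, "GET": get_limit, "POST": post_limit}
    counts = defaultdict(int)
    flagged = {}
    for ts, src, conn, method, _ in sorted(map(parse_line, lines)):
        if src in flagged:
            continue
        slot = int(ts // window)
        checks = [("connection", (slot, src, conn))]
        if method in ("GET", "POST"):
            checks.append((method, (slot, src, method)))
        for kind, key in checks:
            counts[key] += 1
            if limits[kind] is not None and counts[key] > limits[kind]:
                flagged[src] = f"{kind} limit {limits[kind]} exceeded at t={ts}"
                break
    return flagged

if __name__ == "__main__":
    hits = detect_floods(SAMPLE_LOG.splitlines(), connection_limit=3, get_limit=5, post_limit=5)
    for src, why in hits.items():
        print(f"drop {src}: {why}")
```

With the thresholds in the usage call, the browsing client 10.10.10.5 stays under every limit, 203.0.113.9 trips the GET limit on its sixth request even though it spreads them over several connections, and 198.51.100.77 trips the per-connection limit on one connection; which check fires first determines the reason recorded.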
ips
Configure IPS settings
Syntax
ips [ lowmem-settings | maxpkts | maxsesbytes-settings | packet-streaming | show-all-settings ]
Parameter list & description

lowmem-settings [ off | on | show ]
    Set whether low memory settings are applied. Low memory settings are applied when the system is running into memory issues. By default, it is off.
    show - displays the current status of the low memory settings.
    on - enable low memory settings.
    off - disable low memory settings.

maxpkts [ <number> | all | default ]
    Set the number of packets passed to application classification.
    number - any number above 8.
    all - pass all packets of the session for application classification.
    default - pass the first 8 packets of the session in each direction (16 in total) for application classification.

maxsesbytes-settings [ update <number> ]
    Set the maximum allowed size per session. Any file beyond the configured size is bypassed and not scanned, so traffic above the limit passes without IPS inspection; treat the value as a scanning boundary, not only as a performance setting.
    update - set the maximum number of bytes allowed per session.

packet-streaming [ on | off ]
    Set whether packet streaming is allowed. Packet streaming is used to restrict streaming of packets when the system is experiencing memory issues.
    on - enable packet streaming.
    off - disable packet streaming.
show
Displays various parameters configured
Syntax
show [ advanced-firewall | arp-flux | bandwidth | country-host | date | fqdn-host | http_proxy | ips settings | lanbypass | network | on-appliance-reports | pppoe | port-affinity | proxy-arp | report-disk-usage | service-param | sslvpn | virtualhost | vpn ]
Keywords & Variables

advanced-firewall
    Shows firewall configuration:
    1. Strict policy
    2. FtpBounce Prevention
    3. TCP Conn. Establishment Idle Timeout
    4. Fragmented Traffic Policy
    5. Midstream Connection Pickup
    6. TCP Seq Checking
    7. TCP Window Scaling
    8. TCP Appropriate Byte Count
    9. TCP Selective Acknowledgements
    10. TCP Forward RTO-Recovery [F-RTO]
    11. TCP Timestamps
    12. Strict ICMP Error Tracking

arp-flux
    Displays ARP flux status.

bandwidth
    Displays bandwidth regulation.

country-host { list | ip2country ipaddress <IP Address> }
    View the country-host listing and the IP address to country mapping.
    1. show country-host list - lists all the countries for which policies are configured.
    2. show country-host ip2country ipaddress <IP Address> - shows the name of the country to which the given IP address belongs.

date
    Shows system date and time.

http_proxy
    Displays information about the HTTP proxy.

ips settings
    Shows IPS engine settings.

lanbypass
    Shows whether LAN bypass is on or off.

network [ interface-speed <interface> | interfaces | macaddr <interface> | mtu-mss <interface> ]
    interface-speed - shows the current interface speed settings.
    interfaces - shows the configuration of all network interfaces.
    macaddr - shows the original and the overridden MAC address of the interface.
    mtu-mss - shows the MTU and MSS of the interface.

on-appliance-reports
    Shows whether on-appliance reporting is on or off.

pppoe [ connection status ]
    Shows the status of all configured PPPoE connections.

port-affinity
    Displays the network device to CPU mapping.

proxy-arp
    Displays the proxy ARP entries configured on the interfaces.

report-disk-usage
    Shows the report disk usage configuration.

service-param
    Displays the configured non-standard parameters of services.

sslvpn [ log | proxy-sslv3 | web-access ]
    Shows SSL VPN settings.
    log - shows SSL VPN logs.
    proxy-sslv3 - shows whether HTTPS bookmark access over SSL v3 is enabled or disabled.
    web-access - shows whether the SSL VPN web access service is enabled or disabled.

vpn [ connection | IPSeclogs | configuration | PPTP-logs | L2TP-logs ]
    Shows VPN connections, IPSec logs, VPN configuration, PPTP logs and L2TP logs.
tcpdump
tcpdump prints the headers of packets on a network interface that match a boolean expression. Only packets that match the expression are processed by tcpdump.
Syntax
tcpdump [ <text> | count | filedump | hex | interface | llh | no_time | quite | verbose ]
Parameter list & description
Keywords & Variables

<text>
    Packet filter expression. Packets are dumped based on the specified filter: if no expression is given, all packets are dumped, otherwise only packets for which the expression is `true', so the output is limited to the traffic you need. The expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. Refer to the table below on writing filter expressions.

count
    Exit after receiving count packets.

filedump
    Save the tcpdump output in a binary file, which can be downloaded from http://<cyberoam_interface_ip>/documents/tcpdump.pcap. The file contains the troubleshooting information needed to analyse the traffic with an advanced tool such as Ethereal, for the Cyberoam Support team.

hex
    Print each packet (minus its link-level header) in hexadecimal notation.

interface
    Listen on <interface>.

llh
    View packet contents with the Ethernet or other layer 2 header information.

no_time
    Do not print a timestamp on each dump line.

quite
    Print less protocol information so output lines are shorter.

verbose
    Verbose output. For example, the time to live, identification, total length and options of an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksums.

How to view traffic of                     tcpdump command                                        Example
a specific host                            tcpdump 'host <ipaddress>'                             tcpdump 'host 10.10.10.1'
a specific network                         tcpdump 'net <network address>'                        tcpdump 'net 10.10.10.0'
a specific source network                  tcpdump 'src net <network address>'                    tcpdump 'src net 10.10.10.0'
a specific destination network             tcpdump 'dst net <network address>'                    tcpdump 'dst net 10.10.10.0'
a specific port                            tcpdump 'port <port-number>'                           tcpdump 'port 21'
a specific source port                     tcpdump 'src port <port-number>'                       tcpdump 'src port 21'
a specific destination port                tcpdump 'dst port <port-number>'                       tcpdump 'dst port 21'
a specific host on a particular port       tcpdump 'host <ipaddress> and port <portnumber>'       tcpdump 'host 10.10.10.1 and port 21'
a specific host on all ports except SSH    tcpdump 'host <ipaddress> and port not <portnumber>'   tcpdump 'host 10.10.10.1 and port not 22'
a specific protocol                        tcpdump 'proto ICMP', tcpdump 'proto UDP', tcpdump 'proto TCP', tcpdump 'arp'
a particular interface                     tcpdump interface <interface>                          tcpdump interface PortA
a specific port on a particular interface  tcpdump interface <interface> 'port <portnumber>'      tcpdump interface PortA 'port 21'

Note: expressions can be combined with the logical operators and, or and not. Make sure to put the whole combination within single quotes.
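To see how the primitives in the table above combine with and, or and not before running them on a live interface, the following Python is an added example (not Cyberoam's or libpcap's code) that compiles a filter expression into a predicate and applies it to constructed packet records. It supports the primitives shown above ([src|dst] host, net, port, proto, the bare names tcp/udp/icmp/arp) and parentheses; its treatment of a prefix-less network address, where trailing zero octets are taken as host bits, mirrors how tcpdump reads a dotted quad after net but is an assumption of this example.

```python
"""Evaluator for the tcpdump filter primitives in the table above.
Added example, not Cyberoam's or libpcap's code: it compiles an expression such
as 'host 10.10.10.1 and port not 22' into a predicate and runs it over the
constructed packet records in PACKETS (not a capture). Supported: [src|dst]
host/net/port, proto <name>, bare tcp/udp/icmp/arp, not/and/or, parentheses."""
import ipaddress
import re

PACKETS = [
    {"proto": "tcp", "src": "10.10.10.1", "sport": 51000, "dst": "192.0.2.10", "dport": 21},
    {"proto": "tcp", "src": "10.10.10.1", "sport": 51001, "dst": "192.0.2.10", "dport": 22},
    {"proto": "udp", "src": "10.10.10.7", "sport": 5060, "dst": "198.51.100.5", "dport": 5060},
    {"proto": "icmp", "src": "10.20.0.3", "sport": None, "dst": "10.10.10.1", "dport": None},
    {"proto": "arp", "src": "10.10.10.9", "sport": None, "dst": "10.10.10.1", "dport": None},
]
_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_PROTOS = ("tcp", "udp", "icmp", "arp")

def _network(spec):
    """'10.10.10.0' -> 10.10.10.0/24: without a prefix, trailing zero octets are
    host bits (assumed to match tcpdump's reading of a dotted quad after net)."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    n = len(octets)
    while n > 1 and octets[n - 1] == "0":
        n -= 1
    return ipaddress.ip_network(f"{spec}/{8 * n}", strict=False)

class Filter:                                        # recursive-descent parser -> predicate
    def __init__(self, expr):
        self.toks, self.pos = _TOKEN.findall(expr), 0
        self.pred = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok
    def _or(self):                                   # 'and' binds tighter than 'or'
        left = self._and()
        while self._peek() == "or":
            self._take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and())
        return left
    def _and(self):
        left = self._term()
        while self._peek() == "and":
            self._take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._term())
        return left
    def _term(self):
        if self._peek() == "not":
            self._take()
            inner = self._term()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()
    def _primitive(self):
        direction = self._take() if self._peek() in ("src", "dst") else None
        kind = self._take()
        if kind in _PROTOS and direction is None:      # bare protocol name
            return lambda p: p["proto"] == kind
        if kind not in ("host", "net", "port", "proto"):
            raise ValueError(f"unknown primitive {kind!r}")
        negate = self._peek() == "not"                 # the 'port not 22' form
        if negate:
            self._take()
        value = self._take()
        if value is None:
            raise ValueError(f"{kind} needs a value")
        ends = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
        if kind == "host":
            addr = ipaddress.ip_address(value)
            match = lambda p: any(ipaddress.ip_address(p[e]) == addr for e in ends)
        elif kind == "net":
            net = _network(value)
            match = lambda p: any(ipaddress.ip_address(p[e]) in net for e in ends)
        elif kind == "port":
            port, field = int(value), {"src": "sport", "dst": "dport"}
            match = lambda p: any(p[field[e]] == port for e in ends)
        else:
            name = value.lower()
            match = lambda p: p["proto"] == name
        return (lambda p: not match(p)) if negate else match

def matching(expr, packets=PACKETS):
    """Indexes of the packets that expr selects."""
    pred = Filter(expr).pred
    return [i for i, p in enumerate(packets) if pred(p)]

if __name__ == "__main__":
    for e in ("host 10.10.10.1", "net 10.10.10.0", "port 21", "host 10.10.10.1 and port not 22",
              "proto ICMP", "arp", "src port 5060 or dst port 21", "not (tcp or udp)"):
        print(f"{e:35s} -> {matching(e)}")
```

The ICMP and ARP records carry no ports, so a port primitive never matches them while its negation always does; that is why 'host 10.10.10.1 and port not 22' keeps those packets, exactly as the real filter in the table does.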
telnet
Use the telnet protocol to connect to another remote computer.
Syntax
telnet [<ipaddress>] { <port number> }
Parameter list & description
Keywords & Variables

ipaddress
    The official name, an alias or the Internet address of a remote host.

port number
    A port number (the address of an application). If no number is specified, the default telnet port is used.

Telnet sends everything, including any credentials typed into the session, in cleartext; use it from the console for connectivity checks, not for administering the remote host.
Partition Reset support
The File System Integrity check verifies all partitions for corruption. The check is enabled automatically when the appliance goes into failsafe mode.
If the appliance still comes up in failsafe mode after the integrity check, the partitions have to be flushed.
The RESET command has been extended with commands to flush the partitions. With these commands the administrator can reset the config, signature and report partitions. All data on a flushed partition is lost and the flush cannot be undone, so export a configuration backup before resetting.
The integrity check repairs a partition; resetting a partition removes all data from it.
Command Usage
When you type RESET at the Serial Console password prompt, a menu with 3 options is shown:
1. Reset configuration
2. Reset configuration and signatures
3. Reset configuration, signatures and reports
Appendix A - DHCP options (RFC 2132)
A DHCP server can provide optional configuration to the client. Cyberoam supports the following DHCP options as defined in RFC 2132. To set the options, refer to the DHCP Server Enhancements section.
Option  Name                                       Description                                   Data Type
2       Time Offset                                Time offset in seconds from UTC               Four Byte Numeric Value
4       Time Servers                               N/4 time server addresses                     Array of IP-Address
5       Name Servers                               N/4 IEN-116 server addresses                  Array of IP-Address
7       Log Servers                                N/4 logging server addresses                  Array of IP-Address
8       Cookie Servers                             N/4 quote server addresses                    Array of IP-Address
9       LPR Servers                                N/4 printer server addresses                  Array of IP-Address
10      Impress Servers                            N/4 impress server addresses                  Array of IP-Address
11      RLP Servers                                N/4 RLP server addresses                      Array of IP-Address
12      Host Name                                  Hostname string                               String
13      Boot File Size                             Size of boot file in 512 byte chunks          Two Byte Numeric Value
14      Merit Dump File                            Client to dump and name of file to dump to    String
16      Swap Server                                Swap server addresses                         IP-Address
17      Root Path                                  Path name for root disk                       String
18      Extension File                             Path name for more BOOTP info                 String
19      IP Layer Forwarding                        Enable or disable IP forwarding               Boolean
20      Src route enabler                          Enable or disable source routing              Boolean
22      Maximum DG Reassembly Size                 Maximum datagram reassembly size              Two Byte Numeric Value
23      Default IP TTL                             Default IP time-to-live                       One Byte Numeric Value
24      Path MTU Aging Timeout                     Path MTU aging timeout                        Four Byte Numeric Value
25      MTU Plateau                                Path MTU plateau table                        Array of Two Byte Numeric Values
26      Interface MTU Size                         Interface MTU size                            Two Byte Numeric Value
27      All Subnets Are Local                      All subnets are local                         Boolean
28      Broadcast Address                          Broadcast address                             IP-Address
29      Perform Mask Discovery                     Perform mask discovery                        Boolean
30      Provide Mask to Others                     Provide mask to others                        Boolean
31      Perform Router Discovery                   Perform router discovery                      Boolean
32      Router Solicitation Address                Router solicitation address                   IP-Address
34      Trailer Encapsulation                      Trailer encapsulation                         Boolean
35      ARP Cache Timeout                          ARP cache timeout                             Four Byte Numeric Value
36      Ethernet Encapsulation                     Ethernet encapsulation                        Boolean
37      Default TCP Time to Live                   Default TCP time to live                      One Byte Numeric Value
38      TCP Keepalive Interval                     TCP keepalive interval                        Four Byte Numeric Value
39      TCP Keepalive Garbage                      TCP keepalive garbage                         Boolean
40      NIS Domain Name                            NIS domain name                               String
41      NIS Server Addresses                       NIS server addresses                          Array of IP-Address
42      NTP Servers Addresses                      NTP servers addresses                         Array of IP-Address
43      Vendor Specific Information                Vendor specific information                   String
45      NetBIOS Datagram Distribution              NetBIOS datagram distribution                 Array of IP-Address
46      NetBIOS Node Type                          NetBIOS node type                             One Byte Numeric Value
47      NetBIOS Scope                              NetBIOS scope                                 String
48      X Window Font Server                       X window font server                          Array of IP-Address
49      X Window Display Manager                   X window display manager                      Array of IP-Address
50      Requested IP address                       Requested IP address                          IP-Address
51      IP Address Lease Time                      IP address lease time                         Four Byte Numeric Value
52      Option Overload                            Overload "sname" or "file"                    One Byte Numeric Value
53      DHCP Message Type                          DHCP message type                             One Byte Numeric Value
55      Parameter Request List                     Parameter request list                        Array of One Byte Numeric Values
56      Message                                    DHCP error message                            String
57      DHCP Maximum Message Size                  DHCP maximum message size                     Two Byte Numeric Value
58      Renew Time Value                           DHCP renewal (T1) time                        Four Byte Numeric Value
59      Rebinding Time Value                       DHCP rebinding (T2) time                      Four Byte Numeric Value
60      Vendor Class Identifier                    Vendor class identifier                       String
61      Client Identifier                          Client identifier                             String
62      Netware/IP Domain Name                     Netware/IP domain name                        String
64      NIS+ V3 Client Domain Name                 NIS+ V3 client domain name                    String
65      NIS+ V3 Server Address                     NIS+ V3 server address                        Array of IP-Address
66      TFTP Server Name                           TFTP server name                              String
67      Boot File Name                             Boot file name                                String
68      Home Agent Addresses                       Home agent addresses                          Array of IP-Address
69      Simple Mail Server Addresses               Simple mail server addresses                  Array of IP-Address
70      Post Office Server Addresses               Post office server addresses                  Array of IP-Address
71      Network News Server Addresses              Network news server addresses                 Array of IP-Address
72      WWW Server Addresses                       WWW server addresses                          Array of IP-Address
73      Finger Server Addresses                    Finger server addresses                       Array of IP-Address
74      Chat Server Addresses                      Chat server addresses                         Array of IP-Address
75      StreetTalk Server Addresses                StreetTalk server addresses                   Array of IP-Address
76      StreetTalk Directory Assistance Addresses  StreetTalk directory assistance addresses     Array of IP-Address
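As an added worked example (not Cyberoam code), the following Python decodes an option field using the data types named in the table above. The option-to-type map covers a subset of the table, and the two option blocks at the end are constructed for the example, not captured. The length check on every TLV is the one a DHCP client or server parser needs so that a malformed packet cannot make it read past the buffer.

```python
"""Decode DHCP option TLVs (RFC 2132) with the data types of the table above.
Added example, not Cyberoam code: OPTIONS is a subset of the table, SAMPLE and
TRUNCATED are constructed option blocks (not captured packets), numeric values
are network byte order. A truncated TLV, or a value whose length does not fit
its type, raises ValueError instead of being read past the end of the buffer."""
import struct
from ipaddress import IPv4Address

PAD, END = 0, 255

def _fixed(fmt):                      # decoder for one fixed-size numeric field
    size = struct.calcsize(fmt)
    def decode(v):
        if len(v) != size:
            raise ValueError(f"expected {size} bytes, got {len(v)}")
        return struct.unpack(fmt, v)[0]
    return decode
def _ip(v):
    if len(v) != 4:
        raise ValueError("IP-Address must be 4 bytes")
    return str(IPv4Address(v))
def _ip_array(v):
    if not v or len(v) % 4:
        raise ValueError("Array of IP-Address must be a positive multiple of 4 bytes")
    return [_ip(v[i:i + 4]) for i in range(0, len(v), 4)]
def _u16_array(v):
    if not v or len(v) % 2:
        raise ValueError("Array of Two Byte Numeric Values must be a positive multiple of 2 bytes")
    return list(struct.unpack(f"!{len(v) // 2}H", v))

DECODERS = {                          # data type names exactly as in the table above
    "IP-Address": _ip,
    "Array of IP-Address": _ip_array,
    "String": lambda v: v.decode("ascii"),
    "Boolean": lambda v: bool(_fixed("!B")(v)),
    "One Byte Numeric Value": _fixed("!B"),
    "Two Byte Numeric Value": _fixed("!H"),
    "Four Byte Numeric Value": _fixed("!I"),
    "Array of Two Byte Numeric Values": _u16_array,
    "Array of One Byte Numeric Values": lambda v: list(v),
}
OPTIONS = {                           # option number -> (name, data type), subset of the table
    12: ("Host Name", "String"),
    19: ("IP Layer Forwarding", "Boolean"),
    25: ("MTU Plateau", "Array of Two Byte Numeric Values"),
    26: ("Interface MTU Size", "Two Byte Numeric Value"),
    28: ("Broadcast Address", "IP-Address"),
    42: ("NTP Servers Addresses", "Array of IP-Address"),
    51: ("IP Address Lease Time", "Four Byte Numeric Value"),
    53: ("DHCP Message Type", "One Byte Numeric Value"),
    55: ("Parameter Request List", "Array of One Byte Numeric Values"),
}

def parse_options(data):
    """Return {option number: (name, decoded value)}; unknown options stay raw bytes."""
    result, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == PAD:               # one byte, no length field
            i += 1
            continue
        if code == END:
            return result
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:      # never trust the length byte over the buffer
            raise ValueError(f"option {code}: declared {length} bytes, only {len(value)} present")
        name, dtype = OPTIONS.get(code, ("Unknown", None))
        result[code] = (name, DECODERS[dtype](value) if dtype else value)
        i += 2 + length
    raise ValueError("option field not terminated by END (255)")

def safe_parse(data):                 # parse_options, returning the error text instead of raising
    try:
        return parse_options(data)
    except ValueError as exc:
        return str(exc)

def option(code, value):              # encode one TLV; used only to build the samples
    return bytes([code, len(value)]) + value

SAMPLE = b"".join([                   # constructed DHCPOFFER-style option block
    option(53, b"\x02"),
    option(51, struct.pack("!I", 86400)),
    option(26, struct.pack("!H", 1492)),
    option(28, IPv4Address("10.10.10.255").packed),
    option(42, IPv4Address("10.10.10.1").packed + IPv4Address("10.10.10.2").packed),
    option(12, b"cyberoam-client"),
    option(19, b"\x00"),
    option(25, struct.pack("!3H", 576, 1492, 1500)),
    option(55, bytes([1, 3, 6, 15])),
    bytes([PAD, END]),
])
# Constructed malformed block: option 42 claims 8 bytes but only 4 follow.
TRUNCATED = option(53, b"\x02") + bytes([42, 8]) + IPv4Address("10.10.10.1").packed

if __name__ == "__main__":
    print(parse_options(SAMPLE))
    print(safe_parse(TRUNCATED))
```

Because the decoder for each data type checks the value length, a server that sends a two-byte Interface MTU with a wrong length, or an address list that is not a multiple of four bytes, is rejected as malformed rather than silently misinterpreted.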
Table of contents
- 4 Preface
- 4 Guide Audience
- 5 Technical Support
- 6 Typographic Conventions
- 6 Introduction
- 6 Notation conventions
- 7 Introduction
- 7 Accessing Cyberoam CLI Console
- 9 1. Network configuration
- 9 For Gateway mode
- 11 2. System Settings
- 11 2.1 Set Password for User Admin
- 11 2.2 Set System Date
- 12 2.3 Set Email ID for system notification
- 12 2.4 Reset Default Web Admin Certificate
- 13 2.0 Exit
- 14 3. Route Configuration
- 14 3.1 Configure Unicast Routing
- 21 3.2 Configure Multicast Routing
- 26 3.0 Exit
- 27 4. Cyberoam Console
- 28 5. Cyberoam Management
- 28 5.1 Check and Upgrade Webcat Latest Database
- 28 5.2 Check and Upgrade to Latest IPS Database
- 29 5.3 Reset to Factory Defaults
- 29 5.4 Custom Menu
- 29 5.5 Flush Appliance Reports
- 29 5.0 Exit
- 30 6. VPN Management
- 30 6.1 Regenerate RSA Key
- 31 6.2 Restart VPN service
- 31 6.0 Exit
- 32 7. Shutdown/Reboot Cyberoam
- 32 0. Exit
- 33 Annexure A
- 60 Appendix A - DHCP options (RFC 2132)