Release Date Version 10.6.2; 12 th January, 2015 Release Information Release Type: Major Feature Release Applicable to CyberoamOS Version V 10.01.0XXX or 10.01.X Build XXX All the versions V 10.02.0 Build XXX 047, 174, 176, 192, 206, 224, 227, 409, 473 V 10.04.X Build XXX 0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433 1 Build 451 2 Build 527 3 Build 543 4 Build 028 5 Build 007 6 Build 032 V 10.5.3 Common Criteria Certificate (EAL4+) Compliant V 10.6.X Beta/RC/GA/MR X 0 Beta-1 0 Beta-2 0 Beta-3 1 RC-1, 1 RC-3, 1 RC-4, 1 GA, 1 MR-1, 1 MR-2, 1 MR-3 2 Beta-1, 2 Beta-2, 2 RC-1 Upgrade procedure To upgrade the existing Cyberoam Appliance follow the procedure below: Logon to https://customer.cyberoam.com Click “Upgrade” link under Upgrade URL. Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”. For Cyberoam versions prior to 10.01.0472 For Cyberoam version 10.01.0472 or higher Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on- screen instruction. By doing this, the customer will not be able to roll back. Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction. Compatibility Annotations This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG with firmware for model CR100iNG. This release is compatible with all Cyberoam Virtual Appliances. This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues. Version: 10.6.2 Date: 12th January, 2015 Release Notes
Transcript
Release Date
Version 10.6.2; 12th January, 2015
Release Information
Release Type: Major Feature Release
Applicable to CyberoamOS Version
V 10.01.0XXX or 10.01.X Build XXX All the versions
To upgrade the existing Cyberoam Appliance follow the procedure below:
Logon to https://customer.cyberoam.com
Click “Upgrade” link under Upgrade URL.
Choose option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
For Cyberoam versions prior to 10.01.0472 For Cyberoam version 10.01.0472 or higher
Upgrade Cyberoam to 10.01.0472 selecting option “Below 10.01.0472” and follow on-
screen instruction. By doing this, the customer will not be able to roll back.
Upgrade Cyberoam to the latest version by selecting option “10.01.0472 or higher” and follow on-screen instruction.
Compatibility Annotations
This version of CyberoamOS is Appliance Model-specific. Hence, firmware of one model will not be applicable on another model and upgrade will not be successful. You will receive an error if you try to upgrade Appliance model CR50iNG with firmware for model CR100iNG.
This release is compatible with all Cyberoam Virtual Appliances.
This Cyberoam version is compatible with the Cyberoam Central Console (CCC) version 02.02.1185 and above. Please check http://docs.cyberoam.com for availability of latest CCC firmware to deal with compatibility issues.
General Information ........................................................................................................................ 27
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 5
Introduction
This document contains the release notes for CyberoamOS Version 10.6.2. The following sections describe the release in detail.
This release comes with several new features, enhancements and bug fixes to improve quality, reliability, and performance.
For information about the changes included in any specific version of CyberoamOS, please see the release notes archives.
For detailed information on using any of the CyberoamOS's features, please refer to the Technical Documentation Repository or Online Help.
Performance Improvements
CyberoamOS 10.6.2 offers major performance improvements by optimizing the high resource-intensive processes.
Firewall - Optimized path for known traffic has resulted in more than 100 Gbps throughput for Enterprise-level Appliances - CR1000iNG-XP, CR1500iNG-XP, CR2500iNG-XP.
IPS - Throughput enhanced for CRiNG and CRiNG-XP series models.
Fully Protected Throughput - Throughput enhanced for all models above CR500iNG and above.
UTM – Throughput enhanced for CRiNG and CRiNG-XP series models.
AV – Substantial throughput increase for all CRiNG and CRiNG-XP series models.
Refer to Datasheet of the respective model for the latest throughput.
Cyberoam can now be deployed as a bridge to interconnect multiple LAN segments without making changes to existing network. This can be achieved by configuring multiple ports in a single bridge and traffic will be routed through the bridged port. Previously, only two LAN segments could be interconnected.
Minimum two and maximum all the ports available on the Appliance can be part of a single bridge. Before deleting Bridge, make sure to unbind at least one of the ports, if all the ports are member of the Bridge otherwise Appliance will become inaccessible. Same Interface cannot be part of multiple bridge.
It can implemented in both IPv4 and IPv6 networks.
To configure multiport bridge, go to Network > Interface > Interface > Add Bridge.
2. Static MAC Configuration in Bridge Mode
From this version onwards, Static MAC Configuration is possible in Bridge Mode. Bridge forwarding table stores all the MAC addresses learned by the Bridge and is used to determine where to forward the packets.
In network environments where High Availability is configured or static ARP is configured on servers and servers do not initiate the traffic, it is not possible to learn the MAC address of the host. In such cases, MAC address can be added manually in the Bridge Forwarding table from the CLI.
3. Actionable Intelligence: User Threat Quotient Report
With this version CyberoamOS has introduced User Threat Quotient (UTQ) report - Providing actionable security intelligence, helping Administrators identify risky users with ease within the organization’s network.
Correlating data from various logs and reports to identify risky users takes time and analytical skills for security administrators.
UTQ is intended to minimize incidents of human oversight in correlating data from various logs and reports, by enabling the Administrator to identify risky users at a glance. It also helps further investigate the cause to take appropriate actions by fine-tuning security controls, security awareness training or more.
Cyberoam calculates UTQ score by studying users’ web behavior by analyzing massive data of allowed as well as denied web traffic
UTQ report is available as a separate tab on Main Dashboard of Cyberoam-iView along with Traffic Dashboard and Security Dashboard. The report is displayed in the form of bubble graph as well as in a tabular format.
To view UTQ report, go to Main Dashboard > UTQ.
After upgrading from 10.6.2 RC-1, Last 7 Days and Last 14 Days report for a date prior to the upgrade date will not be available and option for viewing UTQ report for Last 3 Days has been removed.
For more details, please refer On-Appliance iView Help.
4. High Availability (HA) with IPv6 Schema
Now HA Active-Active and Active-Passive can be configured for IPv6 networks.
5. Support of Dynamic Multicast Routing Protocol: PIM-SM
Cyberoam now supports PIM-SM for multicast dynamic routing for IPv4 multicast (multicast4) traffic and is compliant with RFC 2362: Protocol Independent Multicast - Sparse Mode (PIM-SM) and IGMPv3 as defined in RFC 3376.
PIM is a multicast routing protocol that runs between routers. Whereas the Internet Group Management Protocol (IGMP) runs between hosts and routers to exchange multicast group membership information, PIM runs between routers to forward multicast traffic to multicast group members throughout the network.
PIM-SM forwards multicast traffic only to those receivers that request it. Routers running PIM-SM can use the shared path tree or shortest path tree (SPT) to forward multicast information.
PIM-SM uses the route table of the router on which it is configured to look up the reverse path forwarding (RPF) interface and next-hop IP address. Therefore to run PIM-SM, you must first configure either static routes or a dynamic routing protocol on a router, and then configure PIM-SM on the same virtual router.
Cyberoam supports PIM version 2 and IGMP version 1, version 2 and version 3.
To configure PIM, go to Network > Dynamic Route > PIM.
6. Scanning of Secure SMTP Email Communication
Cyberoam now supports Transport Layer Security (TLS) and Secure SMTP (SMTPS) to scan encrypted mail traffic.
Cyberoam provides secure connection methods as below:
STARTTLS ESMTP extension on port 25/587
SSL/TLS for SMTP on port 465.
STARTTLS is an extension to plain text communication protocols. To provide authenticated email communication over the Internet, STARTTLS is used. It enables plain text unsecured SMTP connection to be upgraded to a SSL/TLS encrypted session on the same port.
SMTPS is basically SMTP over SSL/TLS session. Encrypted SMTP data from the client is sent to the server over a SSL/TLS session.
Two-step Configuration:
1. Configure Certificate Authority from Anti Virus > Email > Configuration > SMTPS Configuration Default Certificate Authority is “Cyberoam_SSL_CA”.
2. Enable Anti Virus protection and Spam filtering from Firewall > Rule > IPv4 Rule and enable the option SMTPS under Security Policies. By default it is disabled.
Scanning of traffic on Non-Standard ports is supported. Non-Standard ports can be configured from CLI commands.
Command: set service-param SMTPS add port <port value>
Description: To add Non-Standard port value for SMTP over SSL/TLS scanning.
Command: show service-param
Description: Displays the list of Non-Standard ports configured for SMTP over SSL/TLS scanning.
Command: set service-param SMTPS invalid-certificate <action>
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 9
Description: To allow/block invalid certificate for SMTP over SSL/TLS scanning.
Note:
CA certificate used by Cyberoam to sign certificate should be added in the Email client's certificate store.
7. Single Sign-On (SSO) Support for VPN Users
Cyberoam VPN provides remote workers secure access to Corporate Networks without the need for logging on to Cyberoam through Captive portal or Client.
Administrator can now provide authorized access to Corporate Applications behind the Firewall from outside Corporate Network by simply enabling Single Sign-on at the time VPN authentication making Cyberoam authentication completely transparent to users. As soon as the VPN tunnel is established User automatically logs on to the Cyberoam and the moment tunnel is disconnected User automatically logs off from the Cyberoam. This eliminates the need of logging on multiple times before VPN users could access Corporate Applications.
To enable Single Sign-on feature for individual VPN type, go to Identity > Authentication > VPN
8. Single Sign-On using RADIUS Accounting
Cyberoam can now authenticate users transparently who have already authenticated on an external RADIUS server.
Best use case of this feature is Wireless LAN Controllers (WLC) to transparently authenticate users as soon as they get connected with Wireless Access Points.
Cyberoam authenticates user by monitoring RADIUS accounting records received from WLC. RADIUS accounting records must contain user name and IP address.
WLC must configure Cyberoam as a RADIUS accounting server and in Cyberoam, WLC needs to be added as a RADIUS client.
It can be implemented for Wireless users or for users logging through any of the login Client. Cyberoam classifies such users under Client Type - RADIUS SSO in its various Logs.
To configure Radius Client Configurations for Single Sign-On Server, go to Identity > Authentication > Firewall. New Authentication Service “Radius SSO” needs to be enabled for the feature to work.
Currently it supports IPv4 Clients only.
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 10
9. Security over Wireless through Client Isolation
Cyberoam Wireless Appliances now offers higher security to Wireless Clients by preventing inter-communication between Wireless Clients connected using the same SSID. This wireless client isolation is required for public Wi-Fi networks like Hot spots or Corporate environments requiring higher security.
Cyberoam supports complete isolation by dropping the entire intra-SSID traffic or granular control whereby controlling only specific intra-SSID traffic. Administrator can allow or deny traffic of specific service between wireless clients through firewall rule.
To configure complete isolation, go to Network > Wireless LAN > Access Point and select the isolation method from the drop-down ‘Intra SSID Traffic’ as ‘Drop’. By default, Client isolation will be OFF i.e. Allow.
For more granular control, select ‘Firewall’ for ‘Intra SSID Traffic’ drop-down and configure firewall rule to allow/deny services between the wireless clients within the same SSID.
10. Application Visibility and Controls for HTTPS based Micro-Apps
From this version onwards, application classification engine is being enhanced to discover HTTPS based Micro-Apps such as Facebook chat, Facebook video upload, and Google chat. With help of Application Filter, one can control such applications to allow, deny and apply QoS.
Two steps configuration required:
1. Turn on application classification for Micro-Apps using below CLI command:
cyberoam application_classification microapp-discovery on
2. Configure Application Filter policy with "Enable Micro App Discovery".
To enable HTTPS scanning for Micro-apps, go to Application Filter > Policy > Policy and click “Enable Micro App Discovery”.
Note:
The above command is dependent on “Cyberoam application_classification” command. One can enable Micro-apps discovery only when application classification in “ON”. If it is disabled then Micro-apps discovery also will be set to “OFF”.
11. NetFlow support for Bandwidth Monitoring & Firewall Traffic Analysis
From this version onwards, Cyberoam provides NetFlow v5 Support. Details of the traffic passing through the firewall rule can be exported as NetFlow Records to the NetFlow Server. Cyberoam Administrators and Managed Service Providers (MSP) using third-party network monitoring software/data analyzer tools can now generate reports based on the records received on the NetFlow
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 11
Server. Also, it will enable the administrator to have in depth details of the IP traffic passing through the firewall rule and provide real time traffic visibility.
To configure NetFlow, navigate to Logs & Reports > Configuration > Netflow.
For sending logs of Firewall traffic flow to the configured NetFlow Server, you need to enable "Log Firewall Traffic" option for the firewall rule.
Note:
Maximum of 5 NetFlow Servers can be configured.
Traffic of Firewall rules where "Log Firewall Traffic" option is enabled will only be sent to the NetFlow Server.
12. Discover Mode using TAP Interface for Proof-of-Concept Deployments
In order to help sales engineers and partners demonstrate Cyberoam capabilities to potential customers during proof-of-concept (POC) or demo, Cyberoam can now be deployed in Discover mode using TAP Interface without making any changes in their existing network schema. Thus making demonstration or evaluation task simpler, easier and faster.
Generate and View Security Assessment Report from Cyberoam-iView: Cyberoam passively monitors the traffic flowing across the network and emails the generated report in PDF format to the Administrator. The report provides a high level overview of an organization’s network that covers:
User Behaviour
Application Risks & Usage
Web Risks & Usage
Intrusion attacks
Administrator can also configure the report mailing frequency from System > Report Notification > Add > Security Assessment Report. In addition, inline PoC deployments can also take benefit of a similar SAR which provides two additional reports - spam and virus reports. For more details on Discover Mode deployment and Security Assessment Report (SAR), refer Deploy Cyberoam in Discover Mode using TAP interface.
Cyberoam now allows assigning static IP Address Alias for VLAN and WLAN Interfaces. Till date, only physical Interfaces, bridge Interfaces, and LAG Interfaces supported Alias.
For configuring alias over VLAN, go to Network > Interface > Add Alias > Physical Interface
(VLAN interface).
For configuring alias over WLAN, go to Network > Interface > Add Alias > Physical Interface
(WLAN interface).
This feature is applicable for both IPv4 and IPv6.
2. Link Aggregation (LAG) Enhancements
The enhancements in LAG are:
LAG can be configured both for IPv4 and IPv6 networks. To configure IPv6 for LAG interface, go to Network > Interface > Interface and Click ‘Add LAG”.
LAG Interface can be a member of Bridge Pair. This feature is applicable for both IPv4 and IPv6.
3. Certificate and Certificate Authority Passphrase Enhancements
Prior to this version, the minimum passphrase length for Certificate was ten (10) characters and for Certificate Authority it was one (1) character. The enhancements in Certificate and CA Passphrase are as under:
Minimum passphrase length for Certificates:
four (4) characters
eight (8) characters for Self-Signed Certificate if Key Encryption is enabled
four (4) characters for Certificate Signing Request (CSR) if Key Encryption is enabled
Minimum passphrase length for Certificate Authority:
four (4) characters
four (4) characters if Private Key file is uploaded
4. IPSec Road Warrior Enhancements
From this version onwards, following are the IPSec Road Warrior enhancements:
Export VPN Configuration for Cisco VPN Client
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 13
The users can directly import the configuration file and set up an IPSec connection with a Cisco VPN Client by exporting from Cyberoam. To facilitate this, a new button “Export Connection” has been added on Cisco VPN Client page of VPN.
IP reservation for Cisco VPN Clients
IP Reservation for Cisco VPN Clients can now be done from Radius Server. Thus, the customers with existing Radius Servers in their network can now use Radius IP leasing pools with Cisco VPN Client of Cyberoam. To use Radius IP leasing pools, go to VPN > CISCOTM VPN Client and enable the option “Allow Leasing IP address from Radius server for L2TP, PPTP and CISCO VPN Client”.
Also, Cyberoam can now lease a reserved IP for user connecting with Cisco VPN Clients. IP reservation can be configured from a newly added field "Cisco VPN Client" on the "Edit User" page of Identity.
Automatically Disconnect Tunnel when Idle
To manage IPSec connections, “Disconnect when tunnel is Idle” feature is provided. This will be useful to the customers to keep track of their connections where DPD is not supported. Idle Session time interval can be provided and if there is no traffic flow for the configured time interval then the IPSec tunnel will be disconnected.
Administrator can now see two new options “Disconnect when tunnel is Idle” and “Idle session time interval” under “Advanced Settings” section on “Connection” page of IPSec VPN. The same options are also available for Cisco VPN Client and L2TP VPN connections.
Email notification will not be sent for IPSec connections without DPD support.
5. Multiple Simultaneous Logins for SSL VPN
Now multiple simultaneous logins can be applied for a SSL VPN user and Administrator can also restrict maximum logins allowed.
6. Device-Agnostic Captive Portal and Guest User Portal
In the multi-device age were more and more users access the Internet from various mobile devices to tablets apart from traditional desktops and laptops, it is necessary to provide flexible, adaptive and multi-device login interface. To cater to this need, Cyberoam has redesigned its login interfaces - Captive Portal and Guest portal, as per Responsive Web Designing principle.
The login interface automatically adopts and modifies itself in accordance to the screen type and size for different device type like desktop computers, tablets, mobile phones and renders these login pages flawlessly on any display.
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 14
7. Options to configure Default QoS parameters from Web Admin Console
From this version onwards QoS settings can done from the Web Admin Console. Prior to this version, default QoS Settings could only be configured using the CLI command “Bandwidth”.
To give the Administrator a quick peek at the allocated bandwidth usage, a button “Show Bandwidth Usage” is added to the Web Admin Console.
Both these enhancements can be reached through QoS > Settings > Settings.
8. New File Type Extension - PDF in Document Files Category
With this version onwards, .pdf extension is added in the predefined ‘Document Files’ file type category for better usability. Rather than creating a custom category to control the access of Adobe PDF files, Administrator can directly use File Type Category - Document Files to allow/block pdf file type documents through web filter policy.
9. IP List and FQDN support for Virtual Host
Virtual host redirects the incoming traffic request on public/external server to internal servers. To configure a Virtual Host where there is a single external IP address but multiple specific internal/mapped IP servers, IP Address Range was the only option.
From this version onwards, Cyberoam provides option of IP List that allows to redirect the traffic coming on single public address to multiple internal IP servers. Further, FQDN can also be bound to internal servers. Hence internal mapped server can be accessed by FQDN using Virtual Host.
There are a few points to keep in mind:
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 15
IP List option is available for IPv4 and IPv6 Virtual host while FQDN option is available for only IPv4 Virtual Host.
IP List and FQDN options are available only for Mapped IP.
All the mapped servers must be bound to same zone.
Multiple external IP mapping to multiple mapped servers is not supported.
Traffic will be dropped for the public Virtual Host/WAF until the IP is resolved.
For configuring IP List or FQDN in mapped IP, go to Firewall > Virtual Host > Virtual Host > Add
10. Backup Feature More User Friendly
To optimize the Backup feature, following functionalities are added:
1. Granular Schedule based Backup
Administrator can define how often and when - day or date, and time backup should be taken automatically without human intervention.
This feature will be very helpful in Organizations where it is mandatory to take backup daily. It will ease Administrative task as backup will be taken automatically at the predefined schedule.
Organizations in which there are frequent configuration changes occurring during the working hours can schedule the backup during off-peak hours to make sure that all the changes are included in backup.
For configuring schedule, go to System > Maintenance > Backup & Restore > Backup Frequency and select from options.
2. Configurable Backup Filename
By default, to identify from which appliance the backup is taken, Cyberoam appends name of the backup file with appliance key and time on which the backup was taken. But in case of multiple appliances deployed in an organization or branch office and head office deployments, it is necessary to identify backup of the each appliance. It also becomes necessary to identify backup of the each appliance in case when backup of multiple appliances are stored on a single FTP server or mailed on a single email address. To satisfy this requirement, from this version onwards, it is possible to specify prefix for the backup file.
Example for File name formats:
Without prefix - Backup_ABCDEY190_26Nov2014_12.09.24
With prefix - BO1_Backup_ABCDEY190_26Nov2014_12.09.24
BO2_Backup_ABCDEY190_26Nov2014_12.09.24
HO_Backup_ABCDEY190_26Nov2014_12.09.24
Dallas_Backup_ABCDEY190_26Nov2014_12.09.24
NY_Backup_ABCDEY190_26Nov2014_12.09.24
For configuring the Backup Prefix, go to System > Maintenance > Backup & Restore.
3. Backup Configuration Verification
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 16
Email and FTP configurations can now be tested using Backup Now button. This ensures a quick verification of the configurations. An Email will be sent or the backup file will be uploaded on the FTP server immediately on clicking Backup Now button. In case of improper configuration, a proper error message will help the administrator to take corrective measures.
For immediate backup schedule, go to System > Maintenance > Backup & Restore.
Prior to this version, due to lack of such verification for FTP/Email based backup, the administrator had to undergo multiple cycles of trial and error.
4. Configurable Backup File Location on FTP Server
Administrator can now specify the directory path to store the backup files on the FTP server.
For configuring directory path to store backup file on FTP server, go to System > Maintenance > Backup & Restore.
5. Multiple Email ID Support
From this version onwards, backup can be mailed on multiple Email Addresses. Email addresses must be comma (“,”) separated.
For configuring multiple Email Addresses, go to System > Maintenance > Backup & Restore.
Prior to this version, only one (1) Email Address could be configured.
11. Improvised L2TP/PPTP Logs
CyberoamOS has now included information that can help to analyze and troubleshoot PPTP/L2TP VPN connections issues.
These logs will have information corresponding to the connection and error description that resulted in problems for connections either while connecting or after the connection establishment. These logs will be handy to view:
The steps involved in establishment of L2TP and PPTP connections
Error while establishing the connection
The state of the connection - Establishing, Established, Terminated
Further, these logs will also include basic information like:
Authentication method used – CHAP, PAP, MS-CHAP
User who initiated the connection
IP Address allocated to Client
Duration of the connection
Traffic statistics after terminating the connection
For viewing PPTP/L2TP logs, go to Logs & Reports > Log Viewer > Log Viewer > View logs and Select System.
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 17
12. ICAP Enhancement
From this version onwards, following are the ICAP enhancements:
1. Configuration from Web Admin Console - Web Filter > ICAP > Server
2. Implementation no longer dependent on Web filter policy with the introduction of ICAP policy - create ICAP Policy from Web Filter > ICAP > Policy and apply ICAP Policy to firewall rule from Firewall > Rule > IPv4 Rule.
3. Logs
Enable from Logs & Reports > Configuration > Log Settings
4. ICAP Policy can only be applied on IPv4 traffic.
On migration from 10.6.1 GA, the existing ICAP policy will be migrated with default name “ICAP_Profile_1”. To apply ICAP Policy, one needs to manually apply the migrated ICAP policy on the Firewall rule.
This feature is supported in Cyberoam ‘iNG’ series Appliances - CR50iNG and above.
13. Hybrid DHCP Configuration Support
Cyberoam when configured as DHCP server can now lease both static and dynamic IP address in a single DHCP Configuration. This will enhance usability by providing facility to the administrator to assign static as well as dynamic IP Addresses based on the requirement from a single page. Previously, multiple DHCP servers had to be added if both static and dynamic lease is to be assigned to the interface.
Static IP addresses can be configured from Network > DHCP > Server and lease details can be viewed from the Manage page of DHCP Server by clicking ‘View Detail’ for corresponding lease type.
Note:
If two DHCP Servers with Static and Dynamic lease on a particular Interface are configured, then on migrating to v10.6.2, two DHCP Servers will be created and they will not merge to single DHCP Server on GUI.
14. Dashboard Enhancements
From this version onwards, to provide greater visibility, color coding has been added for the Notification widget on the dashboard. Also, symbolic representations have been added for easier identification of alert messages.
The color coding used for the notifications is as under:
Green: Indicates less severe notifications.
Red: Indicates severe and security related notifications.
Blue: Indicates firmware download notifications.
The icons used for the notifications is as under:
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 18
: Indicates password related notifications
: Indicates security related notifications
: Indicates Alert messages
: Indicates firmware download notifications.
Refresh functionality also has been added for all the widgets except Alert Widget on the dashboard. The administrator can now refresh individual widget as per the requirement.
15. Security Assessment Report
A new report - Security Assessment Report is added to provide a high level overview of an organization’s network traffic that covers:
User Behaviour
Application Risks & Usage
Web Risks & Usage
Intrusion attacks
Virus attacks
Spam attacks
Administrator can generate and also schedule the report mailing frequency from System > Report Notification > Add > Security Assessment Report. Report is mailed to the Administrator in the PDF format.
For more details on Security Assessment Report (SAR), refer Deploy Cyberoam in Discover Mode using TAP interface.
Behavior Changes
From this version onwards, all the bandwidth related data will be displayed only with unit KB instead of units MB and kb.
CyberoamOS has the following miscellaneous changes:
Search behavior in Cyberoam custom widget has been optimized for better usability. Previously, all selected items were getting displayed in the list even if they didn’t fall under current search criteria.
Admin logs on SSL CA regeneration event can now be viewed in Log Viewer.
Filter options are now provided on Users/Source IP for reports under Reports > Web Usage > Top File Upload in On-Appliance iView.
IP Address based sorting is now provided for DHCP Server static entries after updating DHCP Server.
To improve time efficiency for end users, records that can be viewed per page has been increased. Two options 100 and 200 has been added for drop down Records per Page under Identity > Users > Users and Identity > Users > Clientless Users. Previously, only 50 records per page could be viewed.
Data Transfer Policies can now be edited for the following fields: “Cycle Period”, “Cycle Data Transfer”, “Maximum Data Transfer” and “Description”. Previously, none of the fields were editable.
Screen Resolution 1920*1020 support has been added in SSL VPN RDP bookmark.
To download the SSL VPN Client, SSL VPN Client Installer link on the SSL VPN Portal will now be redirected to Cyberoam website: http://www.cyberoam.com/cyberoamclients.html.
“Manual” Keying method for VPN Policy is now not supported. Option for the same has been removed from the VPN Policy page of UI. On migration to 10.6.2:
a) Previously configured VPN Policy with Manual Keying method will be retained but new policy with Manual keying method cannot be created.
b) On the IPSec Connection Manage page, status of the policy with manual keying will be displayed as Disconnected.
Description – The word “Receiver” is mis-spelled as “Reciever” on the “Quarantine Area” page of Anti Spam.
Bug ID – 16596
Description – In Anti Spam Quarantine Digest Settings, 00 hour is incorrectly displayed for Hourly Email Frequency.
Bug ID – 15558
Description – An error message “Data Error” is displayed while checking the logs of Anti Spam Quarantine Area.
Authentication
Bug ID – 18261 Description – Inactive Android Client users are not logged out even if inactivity timeout has been configured from Identity > Authentication > Firewall > Web Client Settings (iOS, Android and API).
Bug ID – 16730
Description – As username is case sensitive, when user tries to login with the different case then instead of static IP address, IP address is assigned dynamically. This is observed only for PPTP CHAP or MS-CHAPv2 authentication.
Bug ID – 16171
Description – A user gets authenticated on appending asterisk (*) in the actual username while logging in, if LDAP is configured for user authentication from Authentication Server page of Identity.
Backup-Restore
Bug ID – 18505
Description – Backup taken from appliance having firmware version 10.6.2 Beta-2 does not get restored on appliance with firmware version 10.6.2 RC-1.
Certificate
Bug ID – 18251
Description – Cyberoam does not publish Certificate Authority (CA) details to SSL Scanning websites like https://www.sslshopper.com and https://www.digicert.com if a Third Party Certificate, issued by an Intermediate CA, is used in Cyberoam.
Description – If a .pfx certificate signed by Two (2) Certificate Authorities (CA) is uploaded, a cross-mark is displayed under the Authority column against the certificate and it is not displayed in any Certificate selection lists. This is observed ONLY when the first CA is present in Cyberoam’s CA repository while the second CA is not present.
Bug ID – 16869
Description – Cyberoam appliance becomes inaccessible when self-signed certificate with passphrase containing “$” is applied as Web Admin Certificate under System > Administration.
Clientless User
Bug ID – 17422
Description – At the time of deleting a Clientless User attached to a firewall rule, status bar does not display any information.
Dynamic Routing
Bug ID – 16384
Description – OSPF configuration is not working after upgrading firmware to version 10.6.1 RC-1.
Firewall
Bug ID – 18039
Description – An error message is displayed when “None” is selected for Default NAT Policy on Network > Gateway page, if user is logged on to Cyberoam with any language apart from English.
Bug ID – 15346
Description – VoIP call ceases to function, if Cyberoam SIP module receives fragmented SIP message packets in firmware version 10.04.4.028.
GUI
Bug ID – 18454
Description – Shared Secret String of Identity > Authentication > Firewall > SSO using radius accounting request is truncated at the space character if such a character is present in the string. Only the truncated part is displayed when the Show Shared Secret option is clicked.
Bug ID - 18430
Description – Incorrect Pop-up message “The New Version is available” is displayed when clicking on “Check for Upgrades” link on Dashboard even when no upgrades are available.
Bug ID –17633
Description – “HTTP” is incorrectly selected as default value for “Heartbeat Protocol” in “Communication Details” under System > Administration > Central Management even though Syslog is the Recommended protocol.
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 22
Bug ID –17626
Description – The abbreviation “AS” incorrectly appears as “As” under the Neighbors and Global Configuration fields of Network > Dynamic Route > BGP.
Bug ID – 17468
Description – Static Unicast Route on PPPoE interface does not get added in appliance’s routing table even though it gets added successfully on GUI. This is observed in firmware version 10.6.1.
Bug ID – 17467
Description – Address Detail filter does not work on “MAC Host” page under Objects > Hosts.
Bug ID – 16485
Description – Network Zone selection drop drown displays “None” twice in the list when an interface is opened for editing.
Bug ID – 14739
Description – Incorrect mapping between Local Subnet to NATed LAN is displayed on Web Admin Console of IPSec VPN Connection page, if an existing IPSec Connection is edited, however the mapping functions as per the actual modification and configuration done by the Administrator.
Bug ID – 14588
Description – “ConnectWise” option of System Configuration is not displayed in the navigation panel on Web Admin Console of On-Appliance iView, when viewed in Internet Explorer Version 10.
Bug ID – 10825
Description – Even when CR15i, CR15wi, CR15iNG and CR15wiNG appliances do not support reporting functionality, Reports option is available on the Login page of Web Admin Console.
HA
Bug ID – 17892
Description – From firmware version 10.6.1 GA onwards, Static ARP entries are NOT synchronized between Primary Appliance and the Auxiliary Appliance in an HA cluster.
Bug ID – 17167
Description –. In firmware version 10.6.1 RC-4, auxiliary appliance goes down when traffic passes through VLAN interface created on WAN zone and HA is enabled.
Identity
Bug ID - 18250 Description - Authentication through LDAP Server will not work if Authentication Attribute for the LDAP
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 23
Server is configured other than CN. This is observed for firmware version 10.6.1 MR-3 and 10.6.2 Beta-1.
IPS
Bug ID – 18455 Description – Connection packets (GRE Packets) for an established PPTP VPN connection are dropped and no data is transferred if an IPS Policy is applied upon it.
Logs & Reports
Bug ID – 18106
Description – Logs and Reports are not generated if “Secure Communication” is enabled on the Central Management page of System > Administration.
Network
Bug ID – 18024
Description – 3G modem Quanta 1K3 is not compatible with Cyberoam Appliance.
Bug ID – 17190
Description – Error “Could not delete VLAN” is displayed on the status bar when administrator tries to delete a VLAN configured over WAN Zone with an IPv6 Address.
Bug ID – 13632
Description – A dynamic IP Address does not get leased to a device, if it was prior leased a Static IP Address from Cyberoam DHCP server and Cyberoam Appliance is upgraded from Firmware Version 10.02.0.224 to 10.04.2.527.
Bug ID – 10999 Description – Checkbox for “LCP Echo Interval” and “LCP Failure” remains enabled even after disabling it while editing PPPoE interface under Network > Interface.
Proxy
Bug ID – 18302
Description – Cyberoam Web Admin Console Login Screen is displayed when users try to access any
malformed URL like http://www.google or http://mail.google or http://www.youtube, if Cyberoam is
configured as Direct Proxy.
QoS
Bug ID – 17416
Description – Incorrect QoS Policy gets applied to user after updating the QoS policy on Identity “Group”.
Description – Custom Logo, of size less than 50 KB, for HTML Reports cannot be uploaded from On-Appliance iView System > Custom Logo page. This behavior is observed in firmware version 10.6.1 MR-1.
Bug ID – 17134
Description – “Detail Report” icon of “Top Conversation" filtered “IM Usage” Reports is not displayed in NG Series appliances.
Bug ID – 16723
Description – Spam mail notification fails when Outbound Spam module is unsubscribed. Due to this, other report notifications configured after spam notification also fails.
Bug ID – 16381
Description – Exported HTML Reports does not open appropriately when it is exported over HTTPS connection.
Bug ID – 15505
Description – Costa Rica’s flag instead of Czech Republic‘s flag is displayed besides country Czech Republic in On-Appliance iView.
Bug ID – 13968
Description – Filtered iView Web Surfing Reports when exported in Excel does not display the filtered results and displays all the results.
SNMP
Bug ID – 16045
Description – Incorrect value is displayed for total number of Live User on SNMP Server if the order of number decreases.
For example: If Live User count value decreases from 100 to 98 i.e. from 3 digits to 2 digits, it displays incorrect value 981 instead of 98.
SSL VPN
Bug ID – 18273
Description – SSL VPN user is not able to login and Error “Maximum Login Limit Reached” is displayed when the User tries to login using SSL VPN Client, if Simultaneous Login for that user is set to “1” from Identity > Users > Users. This is observed in firmware version 10.6.2 Beta-1.
Bug ID – 17790
Description – User is prompted to enter a passphrase even though unencrypted Third Party Certificate is used for “SSL Client Certificate” and “Per User Certificate” is disabled under VPN > SSL > Tunnel Access.
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 25
Bug ID –17661
Description – SSL VPN web client user remains live on the “Live Connections” page even after the configured idle time has expired. This is observed only if the client logs on the SSL VPN web portal and closes the browser without logging off or the system shuts down.
Bug ID – 17036
Description – User does not get authenticated when accessing SFTP bookmark of SSL VPN Application Access Mode due to which Secure FTP is inaccessible.
Bug ID – 13477
Description – The parameter "Connected Since" against all the connected users becomes blank on SSL VPN Users ”Live Connection” page after one hour of the first connected user. Also, the domain name of each user gets removed after the completion of an hour of the respective user being connected.
Bug ID – 11259
Description – The SSL VPN Group Policy assigned to a user do not reflect on Users Identity page on changing the Group, if Active Directory is integrated with Cyberoam and “Tight Integration” is selected against the parameter “Integration Type”.
User
Bug ID – 16340
Description – “Node Range” option for parameter “Login Restriction” of Identity tab does not allow to configure IP range below /24 subnet. Cyberoam incorrectly displays message “Range from and to field should be of same class” even though the IP range is in the same subnet.
Bug ID – 16295
Description – MAC binding under Identity > Users does not work for Android Client Users.
Bug ID – 15787 Description – Second authentication element One-Time Password (OTP) is not accepted by External Authentication Radius Server Swivel Secure and user authentication session gets terminated, if two factor authentication is enabled and user tries to authenticate and login to the SSL VPN Portal.
Bug ID – 14132
Description – A system message "Authentication Successful" is considered as a group name and user is included in the default "Open Group" list on Identity Firewall page, if a Radius Server with tight integration is used as external authentication method and has parameter "Group Name Attribute" configured as "Reply-Message".
Virtual Host
Bug ID – 14470
Release Notes: CyberoamOS Version 10.6.2
Document Version – 1.01-13/02/2015 26
Description – When Virtual Host is created on a routed wan interface for a Server hosted in LAN,
Server is not accessible from same LAN zone. However the server is accessible from WAN side. This is observed when Cyberoam is deployed in bridge mode.
VX-VX Migration
Bug ID – 18516
Description – Cyberoam Appliance boots up with factory default configuration while migrating to Firmware Version 10.6.2 RC-1. This issue occurs only when .pdf is added to custom web category and that category is used in web filter policy.
WAF
Bug ID – 18480
Description – Configuration of a Web Server from WAF > Web Servers > Web Server fails if Web Server Hosted On is selected as Private IP and the consequent Public IP specified contains the character ‘-‘ in its Name.
Web Filter
Bug ID - 18275
Description - URL "www.google.com" incorrectly falls under a different Web Filter Category Name
instead of "SearchEngines" for firmware version 10.6.2 Beta-1.
Please have the following information available prior to contacting support. This helps to ensure that our support staff can best assist you in resolving problems:
Description of the problem, including the situation where the problem occurs and its impact on your operation
Product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Important Notice Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.
USER’S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS Copyright 1999 - 2015 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.
