CCNSP V3.0el Module 2

Introduction ...........................................................................................................................................................
1
Package Contents .................................................................................................................................................. 1
Factory Default Settings ......................................................................................................................................... 1
Web Admin Console .................................................................................................................................................. 1
Port Configuration ..................................................................................................................................................... 2
IPv4 Configuration ................................................................................................................................................. 2
IPv6 Configuration ................................................................................................................................................. 2
Text Based Administration Console ........................................................................................................................... 2
SSH ............................................................................................................................................................................. 2
Deployment modes ............................................................................................................................................... 2
Deployment Scenarios ........................................................................................................................................... 2
Deployment wizard .................................................................................................................................................... 2
Bridge ......................................................................................................................................................................... 3
When to use Bridge Mode: .................................................................................................................................... 3
Scenario to place Cyberoam in bridge mode ............................................................................................................. 7
Before Deployment ............................................................................................................................................... 7
After Deployment .................................................................................................................................................. 8
Gateway ..................................................................................................................................................................... 8
When to use Gateway Mode ................................................................................................................................. 8
Scenario to place Cyberoam in Gateway Mode ...................................................................................................... 12
Before Deployment ............................................................................................................................................. 12
After Deployment ................................................................................................................................................ 13
Mixed Mode (Gateway & Bridge) ............................................................................................................................ 13
As a Proxy ................................................................................................................................................................ 14
Web Proxy Configuration..................................................................................................................................... 14
Under Parent proxy setting ................................................................................................................................. 14
When do we require Cyberoam to be configured in Web proxy mode? ............................................................ 14
Web Proxy Deployment Scenario ........................................................................................................................ 15
Link Aggregation ...................................................................................................................................................... 16
LACP ..................................................................................................................................................................... 16
LAG Modes........................................................................................................................................................... 16
Scenario ............................................................................................................................................................... 16
Registration & Subscription ................................................................................................................................. 17
CyberoamOS Update ........................................................................................................................................... 17
Labs ..................................................................................................................................................................... 19
Lab #1 Factory Reset ................................................................................................................................................ 19
Web Admin Console of the appliance ................................................................................................................. 19
CLI of Appliance ................................................................................................................................................... 19
Lab #2 Deployment in Bridge Mode (Optional) ....................................................................................................... 21
Lab #3 Deployment in Gateway Mode .................................................................................................................... 25
Lab #4 Registration & Subscription.......................................................................................................................... 27
Lab #5 Upgrade (Optional) ...................................................................................................................................... 30
Deploying Cyberoam Cyberoam Certified Network & Security Professional

1
Introduction
After knowing the basics of the Cyberoam appliance and the entire product family, this module shows
how Cyberoam can be deployed in various network scenarios.
Package Contents
The Cyberoam package when opened, contains the following:
One Cyberoam Appliance
One Serial Cable (Null-Modem Cable)
One Straight-through Ethernet Cable
One AC Adapter Cable
One Crossover Ethernet Cable
One Cyberoam Quick Start Guide
Documentation CD
Rack Mounting Brackets (Optional)

Factory Default Settings
The Cyberoam appliance when taken out from the box has the following settings
Web Admin Console
On the Web Admin Console, there are two username/password combinations activated
Username/Password : admin/admin (this is the device administrator account)
The password for this account should be changed immediately on booting the appliance
This account cannot be deleted
Cyberoam Certified Network & Security Professional Deploying Cyberoam

2
Username/Password : cyberoam/cyber (this is the database administrator account)
The password for this account should be changed immediately on booting the appliance
This account can be deleted if required.
Port Configuration
When first booted the appliance has following configuration on the ports
IPv4 Configuration
Port A (LAN) IP Address : 172.16.16.16/24
This port has the DHCP Server service running
Port B (WAN) IP Address : Unassigned
This port has the DHCP Client service running
Port C (DMZ) IP Address : 10.10.1.1/24
IPv6 Configuration
By Default, Cyberoam does not have any IPv6 address assigned.
Dual stack implementation allows IPv6 as well as IPv4 address on each port.
Text Based Administration Console
On the Text based Administration console when opened will prompt for the administrator password
(the password for the account admin)
SSH
When SSH is done on the appliance, it will prompt for password. Here, the only password that can be
used is the password for admin account.
Deployment modes
A Cyberoam appliance can be deployed into two modes from the wizard viz. Gateway mode and
bridge mode. By default, the factory setting is always in the gateway mode. In bridge mode the
appliance is transparent to all the traffic, however the Cyberoam appliance can monitor and scan all
the traffic (Monitoring and Scanning is explained in the modules to follow).
In Bridge mode, features like DMZ, Custom zones, Multiple WAN links, Load balancing, VPN, and high
Availability are not available. Bridge mode exclusively supports features like LAN Failsafe.
In Gateway mode, Cyberoam does not support LAN Failsafe.
Note: High Availability and LAN Failsafe are features provided by Cyberoam appliance in different
modes. However they have a similar functionality. The major functionality offered by both the
features is the maximum availability of network.
Deployment Scenarios
This section exhibits the various scenarios in which Cyberoam appliance can be deployed. Practically
each scenario is different and needs to be understood before placing the appliance. It is always
recommended that major changes are not done in the customers network unless there is actually a
requirement to do so.
Deployment wizard
All Cyberoam appliances come with a built in wizard for the ease of deployment. A wizard can be

3
started from the dashboard by logging into web admin console of the Cyberoam appliance. The screen
below shows the wizard button on the dashboard.

On clicking the wizard button a new browser window is opened which guides the user on the
deployment scenario. Cyberoam appliance can be deployed in bridge mode or gateway mode. By
Default the Cyberoam appliance is always in the Gateway mode.

Shown above is the first screen from the deployment wizard, on clicking the start button the wizard
asks for the deployment mode.
Note: The wizard option can be used, the first time Cyberoam is deployed in the network. On
running the wizard again, all configuration and settings on Cyberoam appliance will be flushed.
Bridge
Cyberoam when deployed in Bridge mode acts as a Transparent for the networks. Device will act as a
transparent bridge.
When to use Bridge Mode:
Bridge mode provides the ideal solution for networks that already have an existing firewall or router
acting as a Gateway and customer dont want to replace the firewall, but still wish to add the security
through Cyberoams deep-packet inspection, Intrusion Prevention System Services, Gateway Anti
Virus, and Gateway Anti spam. If you do not have Cyberoam security modules subscriptions, you may
register for free trial. This mode of deployment is agreed without changing any network schema of the
organisations internal infrastructure.
On choosing the bridge mode on the deployment wizard, it shows the bridge mode scenario and
diagram.

4

From this screen onwards, the bridge mode configuration starts.
On clicking the next icon it shows the bridge pair highlighted on the appliance model. This is important
as we know that in the bridge mode, Cyberoams LAN Failsafe feature is applicable. So it is
appropriate to choose the corresponding bridge pair from the appliance and model documentation.

After selecting the port pair (LAN & WAN) for the bridge, on the next screen Cyberoam will ask for the
network parameters to be entered.

5

Enter the network parameters like IP Address and Subnet mask of Cyberoam appliance, Gateway
name (ISP Name) and IP Address of the gateway. Lastly enter the primary and secondary DNS and
click on next arrow.

The Cyberoam will ask Internet access configuration, which will apply default policies (These policies
are discussed in the later module).
A monitor only policy will monitor all the traffic and does not block any traffic.
The general Internet Policy blocks all unhealthy web traffic like porn, etc. It will also scan the
traffic for Viruses and malwares
The Strict Internet Policy is same as general Internet policy, except for the fact that each user will

6
have to be authenticated by Cyberoam device to access the Internet.
After this configuration, mail notification configuration wizard screen will appear

Here all the mail settings for the primary email address to be used by the Cyberoam appliance for
reporting and alerting the network administrator is used.

Lastly, the Date and Time configuration can be manually or from the NTP servers. After this step,
Cyberoam deployment will display a summary page.

7

The configuration overview is shown on this page, at this point the configuration is over and you will
have to wait until the Cyberoam appliance configures itself and gives the Successfully Configured
message. From this point onwards, Cyberoam appliance is configured as an L2 Bridge and can be
accessed from (10.10.10.1) in this case.
Scenario to place Cyberoam in bridge mode
Before Deployment


8
After Deployment

Gateway
Gateway is a network point that acts as an entry point to another network or subnet to access the
resources. In Enterprises, the gateway is the appliance that routes the traffic from a workstation to the
outside network. In homes, the gateway is the ISP that connects the user to the Internet.
Cyberoam when deployed in Gateway mode acts as a Gateway for the networks to route the traffic.
Gateway mode provides an ideal solution for networks that already have an existing firewall and plans
to replace their existing firewall and wish to add the security through Cyberoams deep-packet
inspection, Intrusion Prevention System Services, Gateway Anti Virus, and Gateway Anti spam. If you
do not have Cyberoam security modules subscriptions, you may register for free trial.
When to use Gateway Mode
Cyberoam Appliance needs to be deployed in the gateway mode when
You want to replace your existing firewall or router acting as a gateway for your network with
Cyberoam
You want your gateway to act as a VPN concentrator
You want redundancy in your network with by utilizing the multilink and HA (High-Availability)
features of Cyberoam
You want to configure separate DMZ zone to protect servers from LAN & WAN zone.
NOTE: All the features except Hardware bypass (LAN bypass) are available in Gateway mode.
To start the Gateway mode deployment configuration, start the wizard and click on gateway

9

On the next screen, you will asked for the zone and network configuration

As we move ahead, each single port is highlighted in yellow and the configuration of the port is made

10

On clicking the next arrow, the wizard now displays the internet access configuration page, where we
can select from Monitor only, General Internet Policy, or Strict Internet Policy.

Next the wizards ask for email settings


11

In the last step, the wizard now asks for date and time configuration

Lastly, wizard shows the configuration summary page.


12

On this screen, click finish and wait until the wizards configures Cyberoam in gateway mode.
Scenario to place Cyberoam in Gateway Mode
Before Deployment


13
After Deployment

Mixed Mode (Gateway & Bridge)

Mixed mode is a combination of a Gateway as well as Bridge deployment. In a normal bridge scenario,
only one pair can be bridged, however in mixed mode, a pair can be bridged and other ports can be
left to work in gateway mode, or creating more pairs.
Screen below depicts the mixed mode configuration from GUI. Navigate to Network Interface
Interface Add Bridge-Pair

14

An IPv6 bridge can be configured as shown in the diagram below.

As shown in the diagram above, the interface is configured with IPv6 address DEAD:FACE::1/64.
As a Proxy
To use Cyberoam as a Web proxy server, configure Cyberoam LAN IP address as a proxy server IP
address in your browser setting and enable access to Web proxy services from Local ACL section.
Web Proxy Configuration
This configuration is applicable only when Cyberoam is configured as Web Proxy.
Enter Port number which is to be used for Web Proxy and click Save
Under Web Proxy Trusted Ports Setting, click Add to add the trusted ports.
Cyberoam allows the access to those sites which are hosted on standard port only if deployed as Web
proxy. To allow access to the sites hosted on the non-standard ports, you have to define non-standard
ports as trusted ports.
Under Parent proxy setting
Click Enable Parent Proxy. If enabled all the HTTP requests will be sent to HTTP Parent proxy server
via Cyberoam. One needs to configure Parent Proxy in case when network allows web traffic only via
proxy instead of direct gateway.
When do we require Cyberoam to be configured in Web proxy mode?
You would like to replace existing software / appliance based proxy solution
You would like to use Cyberoam Identity based features along with Content Filtering / Bandwidth
Management / Anti-virus / User based Reporting.
You want to use Cyberoam as a drop in solution in proxy mode.
You dont want to make any major changes with you existing proxy setup


15
Go configure the Appliance in Web Proxy mode, Navigate System -> Configuration -> Web Proxy

By Default, Cyberoam works on web proxy port 3128.
To Configure Parent proxy on the appliance, go to System -> Configuration -> Parent Proxy

Web Proxy Deployment Scenario


16
Parent Proxy Deployment Scenario

Link Aggregation
Link Aggregation Group (LAG) is a method by which multiple network connections can be combined
into a single connection. It is also known as trunking, NIC teaming, NIC bonding and Ether Channel.
LAG is mostly used for handling LAN traffic.
LACP
Link Aggregation Control Protocol (LACP) is a part of IEEE specification that groups two or more
physical links into a single logical link. LACP must be enabled at both ends of the link to be functional.
Appliance supports LAG to combine multiple physical links into a single logical link so that bandwidth
can be increased and automatic failover is available.
LAG Modes
Active-Backup
Active Backup is the mode which provides automatic link failover facility. In this a single slave
(member of LAG) remains active. If the active slave fails then other slave in the LAG becomes the
active slave.
LACP (802.3ad)
This mode provides load balancing and automatic failover. In this mode all the links are used for
forwarding the traffic.
Scenario
Increase bandwidth of LAN and DMZ zone by making links redundant.

17

Registration & Subscription
Registration is the process which will create customer account in Cyberoam central registration
database.
Registration is a mandatory task without which subscription modules cannot be subscribed.
Registration gives following benefits:
8 x 5 Support as per country time zone
Gateway Anti-Virus
Gateway Anti-Spam
Web & Application Filter
Intrusion Prevention System (IPS)
Access of customer my account for
Support ticket management
Subscription management
Customer my account can be accessed from: http://customer.cyberoam.com
Multiple Cyberoam appliances can be registered using the same customer account so that customer
can manage all support tickets under one customer account.
CyberoamOS Update
Cyberoam releases new Operating system for its devices at definite intervals of time. It is always
recommended to the customer, to install and upgrade the appliances as and when a new Operating
system is released. The update process works in two steps.
First the customer is required to download the CyberoamOS update file from customers account at
customer.cyberoam.com
Log in with the username and password provided when the appliance was registered.

18

Next, upon downloading the CyberOS file, upload the file to the appliance by navigating System->
Maintenance -> Firmware and click on the upload firmware button

Click to specify the location of the firmware image or browse to locate the file. You can simply upload
the image or upload and boot from the image.
The uploaded firmware can only be active after next reboot. The existing firmware will be removed and
the new firmware will be available.

Note: Incase of Upload & Boot, firmware image is uploaded and upgraded to the new version,
closes all sessions, restarts, and displays the login page.
This process may take few minutes as this process also migrates the entire configuration.
All the changes made after new firmware wont be available in previous firmware.
Once the firmware is uploaded, the appliance would undergo a reboot and would be running the
latest build.

19
Labs
Lab #1 Factory Reset
Factory Reset will remove entire user configurations of your Cyberoam appliance, and boot the
appliance with factory default settings. So it is recommended to take back up of the appliance before
factory reset.
There are 2 ways of performing Factory Reset on the appliance:
Web Admin Console of the appliance
Access Web Admin Console with user having Administrator profile
Go to System -> Maintenance -> Firmware and page displays the list of available firmware
versions downloaded. Maximum of two firmware versions are available simultaneously in
Cyberoam and one of the two firmware versions is active i.e. the firmware is deployed.
Click on the icon which you want to boot with factory reset settings as shown below:

Boot with factory default configuration Appliance will be rebooted and will load default
configuration. Entire configuration will be lost if you choose this option.

Click on the Boot with Factory default configuration and it will ask you to take back up of your
configuration.
Note: All the configurations will be removed after factory reset. Change the IP address of your
machine in the subnet of 172.16.16.0/24, to access the Web Admin Console of Cyberoam over port
A, which is accessible through default IP address 172.16.16.16.
CLI of Appliance
Access Cyberoam CLI using a serial connection. Factory reset from the CLI requires physical
connectivity between the appliance and Management Console. Hence, it can be done using a serial
connection only, and not other remote sessions like Telnet and SSH.
You can connect a serial console to the Serial port of any of the Cyberoam appliance models.
Once the connection is successfully established, specify Cyberoam CLI password i.e. admin at the
prompt, press Enter and you will get the following screen.
Choose Option 5 Cyberoam Management and it will lead you to sub menus, asking about factory
reset option

20

Chose option 3 - Reset to Factory Defaults to factory reset the appliance. Press y to reset appliance
to factory default.

Appliance will reboot, and come with factory default settings.
In a case where the password to CLI and GUI are forgotten, Serial connection can be made to
the appliance and on the password prompt type RESET in upper case without the quotes.
This is show the below menu.

On pressing 1, all the configuration will be reset, but there will be no changes on the signature
and report databases.
On pressing 2, all configuration and signatures will be flushed, but there will be no changes on
the report database.
On pressing 3, all configuration, signatures, and reports will be flushed from the appliance.

21
Lab #2 Deployment in Bridge Mode (Optional)
By default, all Cyberoam appliances are configured to work in gateway mode. We already know the
scenario when an appliance works in the bridge mode.
Connect port A of the appliance to your computer using a cross-over cable.
Connect port B of the appliance to the WAN switch using a straight-through cable.
The lab setup should look like the diagram below. Please note that the diagram represents only
an individual learner.

Every learner now needs to access their Cyberoam appliance web admin console. The appliance
has to following settings
Port A IP Address is 172.16.16.16/24
By default the DHCP server service is on for Port A, therefore each learner will be assigned an IP
Address by their Cyberoam appliance. If Cyberoam has not assigned an IP Address to the
learners computer. The learner may now change his IP Address in range of 172.16.16.x/24.
Browse to https://172.16.16.16 and you should see the Cyberoam Web Admin Console login
page. Enter the credentials, username should be Cyberoam and password is cyber.
If you cannot log on, verify the following configurations:
Did you plug your computer Ethernet cable into the port A on the appliance? - Deployment can
only be performed through port A.
Is the link light glowing on both the computer and the Appliance? If not, check and replace the
cable
Is your computer set to a static IP address of 172.16.16.16 and subnet as 255.255.255.0?
Did you enter correct IP address in your Web browser?
Starting with the configuration: Click the wizard button at the top of the dashboard. This will start
the network configuration wizard.

22

Click start on the network configuration wizard screen and follow the steps listed the screens
below.

Select bridge mode the options shown on the network configuration wizard window

The Network configuration wizard will now show the zone configuration window in which the
learner shall select the ports on which the bridge needs to created.

23

After the zones are configured, the network configuration wizard will now show the network
configuration window. In this window, we shall enter the IP Address of the bridge, gateway IP
Address, and DNS configuration.

After the network configuration, Cyberoam being a firewall device will block the traffic from
different zones. The wizard will give an option the policy we wish to apply to the traffic from LAN -
> WAN. At this point simply select monitor only. We will discuss more on the policies in the
modules to come.
The following are the three pre-defined policies:
Monitor Only:
o Allow all outbound traffic without any authentication.
o No scanning.
o No content filtering.
General Internet Policy:
o Allow all outbound traffic without any authentication.
o Web traffic will be scanned for virus / malware / spyware.
o Content filtering will be ON by using default content filtering policy General
Corporate Policy which blocks below web URL categories:
o Porn, Nudity, Adult Content, URL Translation Sites, Drugs, Crime and Suicide,
Gambling, Militancy and Extremist, Phishing and Fraud, Violence, Weapons

24
Strict Internet Policy:
o Block all outbound unauthenticated traffic.
o Web traffic will be scanned for virus / malware / spyware.
o All traffic will be scanned by IPS engine.

The next prompt from this window will be the email address settings required to alert the
administrator.

Lastly, the network configuration will ask for updating and setting up the time zone. A summary
page will be displayed at the end of the configuration and the learner will be required to click
finish, to close the window. The Cyberoam appliance will take some time to configure and alert
with the completion window.


25
Lab #3 Deployment in Gateway Mode
Connect port A of the Appliance to your computers Ethernet interface using the crossover Ethernet
cable.

Connect port B of the Appliance to switch for WAN connectivity using the straight Ethernet cable.
1. Connect to the web admin console on 172.16.16.16.
2. Click the Wizard button on the top right of the Dashboard to start Network
Configuration Wizard and click Start.

3. When the network configuration window appears, click start.


26
4. On the next screen, network configuration wizard will be displayed where we will
select the gateway mode.

5. In the next screens to follow, the network configuration wizard will run. This wizard
allows us to configure each port on the appliance.

6. From the above screen, we can see that the appliance allows us to configure the
Port A, however, utmost care has to be taken not to click next until the
configuration is done. Most users make a mistake here by clicking next arrow
instead of the highlighted next button. In the next screens, we choose the
configuration for each port. After configuring all the ports, Internet access
configuration wizard is displayed. This wizard allows setting the predefined policies.

27

7. From the previous lab, we already know what policy is used for what configuration.
The role of each policy will be discussed in the modules and labs to follow. As of
now, the learners can select monitor only. Monitor only will put the Cyberoam
appliance into monitor mode, in this mode the Cyberoam will not block any traffic,
but still will be generating reports of all the traffic. The next screen to follow is the
mail configuration settings.

8. Lastly, the network configuration will ask for updating and setting up the time
zone. A summary page will be displayed at the end of the configuration and the
learner will be required to click finish, to close the window. The Cyberoam
appliance will take some time to configure and alert with the completion window.

Lab #4 Registration & Subscription
To register the Cyberoam appliance, go to customer.cyberoam.com, and open a new account if you
dont have one, and register your appliance. Once registration is done, subscribe to all four modules
using trial license. Firstly, we need to identify if Cyberoam is registered.
1. Go to System Maintenance licensing, there you will find Appliance Registration
Information. It will show you the registration information of the appliance. If the
appliance is not registered, you will get the message for the same.

28
2. To register the appliance, go to customer.cyberoam.com. If you havent created
any account with Cyberoam, click on the register tab on the main page, as shown
in the diagram.

3. As soon as you will click on the tab Registration, you will see below page of
registration. Please, provide proper Email ID, password and Appliance key, to
register the appliance.

4. Please, note that:
5. Registration Email-id will be used as a username to access customer my account.
6. If you already have customer account with Cyberoam then you can provide the
registration details to login into your account, but in Lab create new customer
account.
7. If you already have customer account then login with the user credentials, and
click on Register Appliance button as shown below:


29

8. Once the appliance is registered, you can verify the registration from
SystemMaintenanceLicensing.

9. If the registration information does not appear automatically, click on the
Synchronize button as shown in the screen.

10. To subscribe to any module, go to customer my account and click on the appliance
link and click on subscribe

11. The above screen shows how modules can be subscribed.

30
Lab #5 Upgrade (Optional)
Log in with the username and password provided when the appliance was registered.

Next, upon downloading the CyberoamOS file, upload the file to the appliance by navigating System->
Maintenance -> Firmware and click on the upload firmware button

Click to specify the location of the firmware image or browse to locate the file. You can simply upload
the image or upload and boot from the image.
The uploaded firmware can only be active after next reboot. The existing firmware will be removed and
the new firmware will be available.

CCNSP V3.0el Module 2

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CCNSP V3.0el Module 2

Încărcat de

Drepturi de autor:

Formate disponibile

Introduction ...........................................................................................................................................................

S-ar putea să vă placă și