
How To Deploy Cyberoam in Discover Mode using TAP Interface

Applicable Version: 10.6.2 onwards


Overview
For organizations looking to deploy a new network security solution or replace their existing one, it is usual
to evaluate a number of vendors. Cyberoam facilitates such an evaluation or demo by providing an easy
and seamless Proof of Concept (PoC) using its Discover Mode.
Discover Mode, popularly known as Test Access Point (TAP) Mode, Port Mirroring or SPAN (Switched
Port Analyzer), lets the administrator deploy the Cyberoam appliance at a point in the network
where it can monitor all network traffic without making any changes to the existing network
schema. The device to which Cyberoam is connected (mostly a switch) forwards a copy of every packet
that passes through it for Cyberoam to monitor.
Cyberoam, in turn, passively monitors all the traffic across the network and uses the gathered data to
generate a Security Assessment Report (SAR). This report aims to provide visibility into potential risks
prevailing within the corporate network, such as application and web risks, risky users and intrusion risks,
due to the absence or inefficiency of the security device deployed at the organization's gateway. The report
provides a high-level overview of an organization's network that covers:

Report Summary
User Behaviour
Application Risks & Usage
Web Risks & Usage
Intrusion attacks

Note:
The SAR can also be generated by existing users of Cyberoam, who have deployed the appliance in
one of the in-line modes: Route Mode, Bridge Mode or Mixed Mode. The SAR for in-line modes gives
visibility into risks averted by Cyberoam and potential risks, if any, prevailing within the network, which
can be addressed by configuring Cyberoam more effectively.

Prerequisite

IPS, Web & App Filter, Anti-virus, Anti-spam.


The Cyberoam appliance should be connected to the Internet for web classification, IPS updates and SAR
generation on Cloud.
To get user-specific data in the report, the appliance needs to be integrated with external
authentication servers like Active Directory (AD), RADIUS, LDAP, Apple Directory or Novell
eDirectory.


Scenario
Connect one (1) interface of Cyberoam to the network switch through which all network traffic passes.

Configuration
This article contains two (2) sections which have instructions to:

Deploy Cyberoam in Discover Mode


Generate Security Assessment Report (SAR)

Deploy Cyberoam in Discover Mode


To deploy Cyberoam in Discover Mode, follow the steps below.

Step 1: Connect and Access Cyberoam

Connect one end of the straight-through cable into Port A of the Appliance and the other end into
the Ethernet Adapter port of the Network Switch.

Change the IP address of the LAN computer from which you wish to access Cyberoam
(Management Computer) to 172.16.16.2 and the subnet mask to 255.255.255.0.

On the Management Computer, open a web browser and browse to https://172.16.16.16. Log on to
the Cyberoam Web Admin Console using the default username "admin" and password "admin".


Step 2: Connect and Enable Discover Mode on any Unbound Interface


Please note that Discover Mode can be enabled ONLY on an unbound interface.
By default, Ports A, B and C are bound to the LAN, DMZ and WAN zones respectively, while the rest of the
ports are unbound. However, the administrator can bind any port, including Ports A, B and C, to other
zones at any time.
You can enable Discover Mode on any unbound port as instructed below. Here, as an example, we
have enabled Discover Mode on Port D.

Connect another cable between an unbound Cyberoam port and a port on the Network Switch on
which you will configure Port Mirroring (refer step 3).

Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking
on the upper right corner of the Web Admin Console screen.

Choose option 4. Cyberoam Console.

Execute the following command to enable discover mode on unbound PortD:


console> cyberoam discover-mode tap add PortD

Note:
If you want to enable Discover Mode on a previously bound interface, you need to unbind it. To
unbind an interface, go to Network > Interface > Interface, select the required Interface and set
Network Zone as None.

Step 3: Configure Port Mirroring on Network Switch


Access the Network Switch and configure Port Mirroring on the port connected to Cyberoam's Discover
Mode enabled port. For details on this configuration, refer to the respective vendor's documentation.
The above configuration deploys a Cyberoam Appliance in Discover Mode.
Note:
When deployed in Discover Mode, Cyberoam functions ONLY in promiscuous mode and, hence,
none of the security policies will be applied.
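
A check worth running before the report is scheduled, given here as an added example (not part of the Cyberoam documentation): it reads a classic-format pcap captured on the mirror destination port and reports whether the mirror session delivers traffic in both directions, since a one-sided mirror gives the SAR only half of each conversation. The function names, the LAN range 172.16.16.0/24 and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

def mirror_directions(pcap: bytes, lan_cidr: str) -> dict:
    """Count IPv4 frames leaving/entering lan_cidr in a classic pcap capture."""
    lan = ipaddress.ip_network(lan_cidr)
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"from_lan": 0, "to_lan": 0, "other": 0}
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts["other"] += 1  # non-IPv4 or VLAN-tagged frame
            continue
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src in lan and dst not in lan:
            counts["from_lan"] += 1
        elif dst in lan and src not in lan:
            counts["to_lan"] += 1
        else:
            counts["other"] += 1
    seen = bool(counts["from_lan"]) + bool(counts["to_lan"])
    counts["verdict"] = ("no LAN-to-outside traffic", "one direction only", "both directions")[seen]
    return counts

def sample_frame(src: str, dst: str) -> bytes:
    """Constructed test data: Ethernet + bare IPv4 header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

def sample_pcap(pairs) -> bytes:
    """Constructed test data: little-endian classic pcap holding the given flows."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        f = sample_frame(src, dst)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

ONE_SIDED = sample_pcap([("172.16.16.2", "203.0.113.10")] * 2)  # constructed capture
print(mirror_directions(ONE_SIDED, "172.16.16.0/24")["verdict"])
```

A "one direction only" verdict on a real capture points at the mirror session's direction setting on the switch rather than at the appliance.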

Schedule Security Assessment Report (SAR) Emails


Once the appliance is deployed in Discover Mode, configure it to generate SARs and email them to the
administrator at regular intervals.
To schedule regular SAR emails, follow the instructions below.

Log on to the iView Web Admin Console. You can log on in one of the following ways:
a. Log on to the Cyberoam Web Admin Console and either go to Logs & Reports > View Reports
or click
.
b. Log on to Reports from Cyberoam Web Admin Console login page.


Go to System > Configuration > Report Notification and click Add to add a Report Notification.
On the Add Report Notification screen select Security Assessment Report and fill in details as
shown below.

Click OK to save notification settings.


Note:
SAR can also be generated by Cyberoam Appliance deployed in any of the in-line modes: Route Mode,
Bridge Mode or Mixed Mode.

Document Version: 1.1 17 February, 2015
