Bypass Stateful Inspection Between Networks Cyberoam

If you have a Cyberoam, multiple networks, and/or a ShoreTel system, you’ll run into problems where one network might not pass traffic to another for inexplicable reasons. You can also get one way voice traffic with ShoreTel because of this.

Typically this is due to something called “Asymmetric Routing”. Any number of things can cause this, and it’s not always problem with your network. What happens is a packet takes a different route from point A to point B than it does coming back from point B to point A. The Cyberoam will by default drop the return traffic as it didn’t come back the same way it went out. This is a good security measure.

Sometimes you can fix your network topology, sometimes you can’t but the Cyberoam will still drop that traffic. A firewall rule will not always fix the problem either. If you’re sure that what is getting dropped is not a security risk, here’s how to bypass it.

If there’s one major complaint about Cyberoam ‘not working’ it’s this problem right here. Fortunately their support will fix the problem for you but it can be a huge time waster if you have a bunch of units needing fixed.

There is one other thing they almost always do to resolve a problem with two networks talking to each other. I will go over that in another article.

Bypass Stateful Inspection

Step 1 – Log into your Cyberoam CLI. You can telnet/SSH into the Cyberoam, or click the “Console Link” at the top of your Web GUI. 

Step 2 – Put your username and password in. If you logged in through the Web GUI, just the console password will do.

Step 3 – Type 4 for “Cyberoam Console” in the CLI

Step 4 – To bypass the inspection from one network to another type the following:

set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

Note: You don’t have to type the command out. You can just start each parameter that is in bold and hit tab, the Cyberoam will fill it in for you.

Example: You want to bypass traffic inspection from 192.168.1.0 to 192.168.2.0 you’d type this: “set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.1.0 source_netmask 255.255.255.0 dest_network 192.168.2.0 dest_netmask 255.255.255.0”

Step 5 – If  you need to bypass traffic inspection both ways, type the above command again, only reverse the source and destination networks.

Caution: It is extremely easy to mistype IP addresses. I’ve transposed digits dozens of times, causing the problem to be worse in some cases. You can check your work by typing “show advanced-firewall” in the console. If you need to remove an entry use “del” instead of “add” after the “bypass-stateful-firewall-config” part of the command. You can usually use the up arrow on most telnet clients to cycle back through commands and replace just that word in the line.

 

One Reply to “Bypass Stateful Inspection Between Networks Cyberoam”

  1. Thanxs!I changed the web port back to 80, wasn’t in use. Don’t know why this was.After that rarsett VC service and the Update Manager service and it works again.

Leave a Reply