How to Apply Cyberoam 10 Firmware Updates

A few times a year a notification appears on your Cyberoam’s dashboard that looks like this:

Cyberoam Update Notification

The update can be downloaded directly from the link and the update process is fairly painless. I’ve done this for two dozen or more units and never had one brick, so there’s very little worry here. Also the Cyberoam keeps two firmware images in memory so that if something goes wrong, it just boots from the last valid image (i.e. the one it’s running now). Still, I’d do this after hours and take a configuration backup first.

I recommend that you check my article on Automatic Cyberoam Backups and add them before going further.

Applying Cyberoam Firmware Updates

Step 1 – Take a manual backup of your Cyberoam. It’s fairly easy to do. Go to the Maintenance Menu under the System Menu on the left. Select the Backup and Restore tab and click the “Download Now” button. A file download of the configuration file will start. It’s a small file so even if you’re doing this over the internet, it shouldn’t take too long to finish.

Cyberoam E-mail Backup Configuration

Step 2 – Download the firmware update. You can either get it from the message on your dashboard or from Cyberoam’s website directly. For the website you’ll need to log into your customer account to get the download. I don’t suggest the website route because you have to answer a few questions about your device and, if you make the wrong choice, the firmware at best won’t work.

Step 3 – Go to the Maintenance Menu under the System Menu and select the Firmware Tab. You’ll see the two, or possibly more, firmware images stored on your device. The top one on the list will have an upwards pointing arrow next to it. See the image below. Note that the bottom one on the list is the one being used by the unit.

Cyberoam Firmware Update Screen Upload Icon Marked

Click on that upload icon.

Step 4 – Find the firmware file you downloaded in the second step with the “Choose File” button.

Cyberoam Upload Screen

Step 5 – You have two options at this point. You can click the “Upload and Boot” button and it will apply the firmware immediately, or you can just click the “Upload Firmware” button. If you choose the latter, you can wait until a later time to apply the firmware. Note that when you just upload the firmware, it replaces the non-active image on your device.

Step 6 – If you clicked the “Upload and Boot” button, then as soon as the unit reboots, you are done. If you clicked the “Upload Firmware” button, you will have to tell it when to boot to the new image. To do so, click the two arrows icon on the top item on the list (the non-active image). See the image below:

Cyberoam Firmware Update Screen Boot Image Icon Marked

Once the Cyberoam has rebooted, in either case, you’ve updated the firmware. Most of the time, if the image was bad or something else goes wrong, it just boots into the last working image. Most of the time, downloading the file again and trying again will resolve this. If not, you may need to either call customer support or wait for the next firmware image to come out.

Cyberoam Automatic Backups

It’s about that time again for a new firmware update on your Cyberoam devices and with firmware updates come configuration backups. I’m a big believer in automation, with backups.

One of the methods I implemented with my Cyberoam was the automatic e-mail backup. I am not a fan of the FTP backup as it sends a password to your FTP server in plain text over your LAN or the internet, which is no good. The e-mailed attachment backup is, in my opinion, much more secure.

Unlike Cisco backup files, Cyberoam encrypts the configuration file it sends out so even if someone breaks into your e-mail account, the passwords and other configuration data are secure. I have no idea what key they use, and when I opened the file up the first line looks like this:

Salted__tÐ ð8¸Y°×Ç­uùMúý1´ªeM@•ªøÙзRê8Ù%®Õ µd¾

That likely means that not only is the file encrypted but it’s got some extra random ‘salt’ data tacked on somewhere in the file, or in the key itself. This makes it harder to decrypt even if you know some text in the file because you have to know what the random data is too.
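The “Salted__” prefix matches the container that OpenSSL’s enc command writes for passphrase-based encryption: the 8-byte marker, then an 8-byte salt stored unencrypted, then the ciphertext. The following is an added example, not code from Cyberoam or from the original article; it parses that header and shows how the salt feeds the key derivation. The cipher, digest and key sizes are assumptions (the page does not say what Cyberoam uses) and the sample bytes are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # marker written by `openssl enc` when a salt is used
SALT_LEN = 8         # the salt follows the marker, unencrypted


def parse_salted_header(blob: bytes) -> dict:
    """Split a 'Salted__' container into its public salt and the ciphertext."""
    if len(blob) < len(MAGIC) + SALT_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL salted container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    body = blob[len(MAGIC) + SALT_LEN:]
    return {
        "salt": salt,
        "ciphertext_len": len(body),
        # Block ciphers emit whole blocks: 16 bytes fits AES, 8 fits DES/3DES.
        "multiple_of_16": len(body) % 16 == 0,
        "multiple_of_8": len(body) % 8 == 0,
    }


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16, digest="sha256"):
    """OpenSSL's EVP_BytesToKey, one round: D_i = H(D_(i-1) || passphrase || salt).

    Digest and key/IV sizes are assumptions; the appliance's real settings are unknown.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


# Constructed sample, not a real Cyberoam backup: marker + 8-byte salt + 48 filler bytes.
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(48)

if __name__ == "__main__":
    info = parse_salted_header(SAMPLE)
    print("salt:", info["salt"].hex(), "ciphertext bytes:", info["ciphertext_len"])
    # Same passphrase, different salt -> different key; the salt itself is not secret.
    key_a, _ = evp_bytes_to_key(b"example passphrase", info["salt"])
    key_b, _ = evp_bytes_to_key(b"example passphrase", bytes(8))
    print("keys differ:", key_a != key_b)
```

Because the salt is readable by anyone holding the file, the protection of an e-mailed backup rests on the secrecy and strength of whatever passphrase or key the appliance uses, not on the salt.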

E-mailing the configuration file also lets you have a fairly secure off-site backup of your firewall. The file is relatively small so most e-mail systems will gladly accept the attachment. Mine for instance is about 430k in size.

How to Set Up Automated E-mailed Backups In Cyberoam 10

Step 1 – You should have already set up your SMTP server for notifications. If not, you’ll need to do so now. Click on the Configuration Menu, and then select the “Notifications” tab. Put the IP address of your SMTP server in the text box, as well as the port number (it’s usually 25, but check with your e-mail provider). If you need a username and password, check the authentication box and enter it. You’ll also need to provide the “From” email address, and the address you want the notifications to go to. Typically the From e-mail can be anything on your own server, but might need to be a valid e-mail address if you don’t host your own e-mail.

Here’s a sample configuration:

Cyberoam SMTP Settings

Click save, and you should be good to go. One way to test if this is working is to unplug one of your cables for a minute or two and plug it back in. You should get a Gateway down/up notification. I have looked for a ‘test’ button but have not found one anywhere.

Step 2 – Go to the Maintenance menu and select the “Backup and Restore Tab”.

You’ll see a few options here. If you click the “Download Now” button, you’ll immediately get a download of the backup. That’s how you do a manual backup.

For a scheduled backup, decide how often you want the backup: Daily, Weekly, or Monthly. If you choose Weekly or Monthly you’ll get an email on the first day of that time period. So, Sunday or Monday for weekly, and the first day of the month for Monthly.

Select the E-Mail radio button, and enter the e-mail address you want it to go to. Please be aware that your SMTP server in the notifications menu has to be able to e-mail to the e-mail address you enter here, or it won’t work. Remember to hit the save button when you are done.

Here’s a sample configuration:

Cyberoam E-mail Backup Configuration

Cyberoam FleXi Port Devices

Cyberoam just put out a press release on their new FleXi Port devices. This is the sort of device large sites really need. You can plug your fiber, and high bandwidth copper lines directly into the firewall device, instead of doing ‘creative routing’ that the Cyberoam is so sensitive about.

It’s a good practice to hook your remote connectivity lines directly into the Cyberoam in my opinion. This ensures all your data coming into your network is scanned before it gets anywhere that could cause damage. This eliminates having to put your firewall between your router and your network, making the Cyberoam a true Gateway device.

Anyway, here’s a link to Cyberoam’s page on the device.

http://www.cyberoam.com/flexiports.html

Cyberoam PPTP VPN For Telecommuters

I have recently done some experimenting with the Cyberoam PPTP VPN for road warrior connections. We were having a LOT of instability issues with L2TP VPN. The biggest reason for using L2TP is security as it encrypts all traffic, but if your users’ apps and everything are encrypted anyway, this can cause a bottleneck.

Another issue that comes up with Cyberoam L2TP VPN is that it’s not easy to use their Windows Domain login, or even LDAP login so far as I’ve tested. This isn’t a problem with any OS before Windows 7, but Windows 7 doesn’t always send the correct credentials to the domain. This will cause password dialog boxes to pop up all over the place, many times for no reason.

Set Up Cyberoam PPTP VPN

I have run PPTP and L2TP VPN at the same time but never had much chance to see if they didn’t conflict with each other if people are connecting to both. I think as long as the IP addresses it gives out are different it’s likely not a problem.

Step 1 – Go to the VPN section in the GUI and click on PPTP. Fill in the form. You’ll want to select a LAN port for the local IP address. You will also need to provide an IP address range; these need to be IP addresses on your local network that won’t be used for anything else.

Fill in your local DNS servers here, not your ISP’s so your users can get access to things on the local network easier.

Step 2 – Go ahead and click OK and then click “Add Members” and select which users you want to be able to use the PPTP VPN connection. These CAN be Windows users from AD. It works fine.

Step 3 – Set up your VPN client. I ran the VPN wizard in Windows Vista and the only thing I had to change in the settings to get this to work right was I selected “Optional Encryption” under the security settings. I also made sure the “Unencrypted password (PAP)” was selected under the “Allow these protocols” section at the bottom.

Keep in mind this method will not encrypt traffic. So you may be blasting login information over the internet. This is a good method to use if you need to connect to already secure services on your network. If it’s encrypted on your LAN it’s encrypted over your PPTP connection too.

Personally I would only use this for a highly locked down username with no access to anything but the local network. This is also not a terrible way to connect back to your phone system for VOIP service.

Bypass Stateful Inspection Between Networks Cyberoam

If you have a Cyberoam, multiple networks, and/or a ShoreTel system, you’ll run into problems where one network might not pass traffic to another for inexplicable reasons. You can also get one way voice traffic with ShoreTel because of this.

Typically this is due to something called “Asymmetric Routing”. Any number of things can cause this, and it’s not always a problem with your network. What happens is a packet takes a different route from point A to point B than it does coming back from point B to point A. The Cyberoam will by default drop the return traffic as it didn’t come back the same way it went out. This is a good security measure.

Sometimes you can fix your network topology, sometimes you can’t, but the Cyberoam will still drop that traffic. A firewall rule will not always fix the problem either. If you’re sure that what is getting dropped is not a security risk, here’s how to bypass it.

If there’s one major complaint about Cyberoam ‘not working’ it’s this problem right here. Fortunately their support will fix the problem for you but it can be a huge time waster if you have a bunch of units needing fixed.

There is one other thing they almost always do to resolve a problem with two networks talking to each other. I will go over that in another article.

Bypass Stateful Inspection

Step 1 – Log into your Cyberoam CLI. You can telnet/SSH into the Cyberoam, or click the “Console Link” at the top of your Web GUI. 

Step 2 – Put your username and password in. If you logged in through the Web GUI, just the console password will do.

Step 3 – Type 4 for “Cyberoam Console” in the CLI

Step 4 – To bypass the inspection from one network to another type the following:

set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

Note: You don’t have to type the command out. You can just start each parameter that is in bold and hit tab, the Cyberoam will fill it in for you.

Example: If you want to bypass traffic inspection from 192.168.1.0 to 192.168.2.0, you’d type this: “set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.1.0 source_netmask 255.255.255.0 dest_network 192.168.2.0 dest_netmask 255.255.255.0”

Step 5 – If you need to bypass traffic inspection both ways, type the above command again, only reverse the source and destination networks.

Caution: It is extremely easy to mistype IP addresses. I’ve transposed digits dozens of times, causing the problem to be worse in some cases. You can check your work by typing “show advanced-firewall” in the console. If you need to remove an entry use “del” instead of “add” after the “bypass-stateful-firewall-config” part of the command. You can usually use the up arrow on most telnet clients to cycle back through commands and replace just that word in the line.
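One way to guard against the typos described in the caution above is to generate the console lines from validated input instead of typing them by hand. This is an added example, not code from Cyberoam or from the original article. The command syntax is the one shown in Step 4; the function names, the known-subnet inventory check and the overlap check are assumptions of this example.

```python
import ipaddress

TEMPLATE = ("set advanced-firewall bypass-stateful-firewall-config {action} "
            "source_network {src} source_netmask {smask} "
            "dest_network {dst} dest_netmask {dmask}")


def _network(addr, mask, known):
    # strict=True rejects host bits (192.168.1.5 with a /24 mask); bad octets and
    # non-contiguous masks raise ValueError subclasses as well.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
    if known and net not in known:
        raise ValueError(f"{net} is not one of the site's documented subnets")
    return net


def bypass_commands(src, smask, dst, dmask, action="add", both_ways=True,
                    known_subnets=()):
    """Return the console line(s) for one bypass entry, validated first."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    known = {ipaddress.IPv4Network(n) for n in known_subnets}
    a, b = _network(src, smask, known), _network(dst, dmask, known)
    if a.overlaps(b):
        raise ValueError("source and destination networks overlap")
    pairs = [(a, b), (b, a)] if both_ways else [(a, b)]
    return [TEMPLATE.format(action=action, src=s.network_address, smask=s.netmask,
                            dst=d.network_address, dmask=d.netmask)
            for s, d in pairs]


# Constructed inventory for the page's example networks (assumption, not a real site).
SITE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    for line in bypass_commands("192.168.1.0", "255.255.255.0",
                                "192.168.2.0", "255.255.255.0",
                                known_subnets=SITE_SUBNETS):
        print(line)
```

Passing the site's real subnet list as known_subnets is what catches transposed digits such as 192.186.1.0, which is a syntactically valid network and would otherwise be accepted; the output should still be compared against “show advanced-firewall” after it is entered.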