Cyberoam FleXi Port Devices

Cyberoam just put out a press release on their new FleXi Port devices. This is the sort of device large sites really need. You can plug your fiber and high-bandwidth copper lines directly into the firewall device, instead of doing the ‘creative routing’ that the Cyberoam is so sensitive about.

In my opinion it’s good practice to hook your remote connectivity lines directly into the Cyberoam. This ensures that all data coming into your network is scanned before it reaches anything it could damage. It also eliminates having to put your firewall between your router and your network, making the Cyberoam a true gateway device.

Anyway, here’s a link to Cyberoam’s page on the device.

Bypass Stateful Inspection Between Networks (Cyberoam)

If you have a Cyberoam, multiple networks, and/or a ShoreTel system, you’ll run into problems where one network might not pass traffic to another for inexplicable reasons. You can also get one way voice traffic with ShoreTel because of this.

Typically this is due to something called “Asymmetric Routing”. Any number of things can cause this, and it’s not always a problem with your network. What happens is that a packet takes a different route from point A to point B than it does coming back from point B to point A. The Cyberoam will by default drop the return traffic, because it didn’t come back the same way it went out and so matches no connection the firewall has seen. This is a good security measure.
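To make the drop concrete, here is an added illustration (not Cyberoam code): a toy connection tracker that forwards a reply only if it already saw the packet that opened the connection, unless a bypass entry covering the source and destination networks exempts the packet from tracking. The hosts, networks and ports are constructed, and the bypass semantics are an assumption modelled on the source/destination network pairs the article configures later.

```python
"""Why a stateful firewall drops asymmetrically routed replies (toy model)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    opens: bool = False  # True for the packet that opens the connection


@dataclass
class StatefulFirewall:
    # 4-tuples of connections whose opening packet crossed this firewall.
    table: set = field(default_factory=set)
    # (source network, destination network) pairs exempt from state tracking
    # (assumed model of a bypass-stateful-firewall-config entry).
    bypass: list = field(default_factory=list)

    def add_bypass(self, src_net: str, dst_net: str) -> None:
        self.bypass.append((ip_network(src_net), ip_network(dst_net)))

    def _bypassed(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def forward(self, pkt: Packet) -> bool:
        """True if the packet is forwarded, False if the firewall drops it."""
        if self._bypassed(pkt):
            return True
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.opens:
            self.table.add(key)
            return True
        # Reply or mid-stream packet: only forwarded if its connection is known.
        return key in self.table or reverse in self.table


# Constructed hosts: A on 10.1.0.0/24 calls B on 10.2.0.0/24.
REQUEST = Packet("10.1.0.10", "10.2.0.20", 40000, 5060, opens=True)
REPLY = Packet("10.2.0.20", "10.1.0.10", 5060, 40000)


def symmetric_path() -> bool:
    """Both directions cross the firewall: the reply is forwarded."""
    fw = StatefulFirewall()
    fw.forward(REQUEST)
    return fw.forward(REPLY)


def asymmetric_path(with_bypass: bool) -> bool:
    """The request reached B by another route, so the firewall never saw it.
    Without a bypass entry the reply is dropped; with one it is forwarded."""
    fw = StatefulFirewall()
    if with_bypass:
        fw.add_bypass("10.2.0.0/24", "10.1.0.0/24")
    return fw.forward(REPLY)


if __name__ == "__main__":
    print("symmetric:", symmetric_path())
    print("asymmetric, no bypass:", asymmetric_path(False))
    print("asymmetric, bypass:", asymmetric_path(True))
```

The asymmetric case is exactly the one-way voice symptom: the reply path crosses the firewall while the request path did not, so the reply has no state to match and is silently dropped.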

Sometimes you can fix your network topology and sometimes you can’t, but the Cyberoam will still drop that traffic. A firewall rule will not always fix the problem either. If you’re sure that what is getting dropped is not a security risk, here’s how to bypass it.

If there’s one major complaint about Cyberoam ‘not working’, it’s this problem right here. Fortunately their support will fix it for you, but it can be a huge time waster if you have a bunch of units that need fixing.

There is one other thing they almost always do to resolve a problem with two networks talking to each other. I will go over that in another article.

Bypass Stateful Inspection

Step 1 – Log into your Cyberoam CLI. You can telnet/SSH into the Cyberoam, or click the “Console Link” at the top of the Web GUI.

Step 2 – Put your username and password in. If you logged in through the Web GUI, just the console password will do.

Step 3 – Type 4 for “Cyberoam Console” in the CLI.

Step 4 – To bypass the inspection from one network to another type the following:

set advanced-firewall bypass-stateful-firewall-config add source_network [source network IP] source_netmask [source subnet mask] dest_network [destination network IP] dest_netmask [destination subnet mask]

Note: You don’t have to type the command out. You can just start typing each parameter keyword and hit Tab; the Cyberoam will fill it in for you.

Example: You want to bypass traffic inspection from to you’d type this: “set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask”

Step 5 – If you need to bypass traffic inspection both ways, type the above command again, only with the source and destination networks reversed.

Caution: It is extremely easy to mistype IP addresses. I’ve transposed digits dozens of times, causing the problem to be worse in some cases. You can check your work by typing “show advanced-firewall” in the console. If you need to remove an entry use “del” instead of “add” after the “bypass-stateful-firewall-config” part of the command. You can usually use the up arrow on most telnet clients to cycle back through commands and replace just that word in the line.
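Because transposed digits are the usual way this goes wrong, here is an added helper (my own example, not Cyberoam software) that validates both networks with the Python standard library and only then emits the article’s command syntax, for one or both directions and for either “add” or “del”. It assumes each direction is a separate entry, as Step 5 describes, and treats overlapping networks as a likely typo; the sample networks are constructed.

```python
"""Generate and sanity-check bypass-stateful-firewall-config commands."""
from ipaddress import IPv4Network

# Command syntax exactly as given in the article; values are filled in below.
CMD = ("set advanced-firewall bypass-stateful-firewall-config {action} "
       "source_network {src} source_netmask {src_mask} "
       "dest_network {dst} dest_netmask {dst_mask}")


def parse_network(text: str) -> IPv4Network:
    """Accept '10.1.0.0/24' or '10.1.0.0/255.255.255.0'.

    strict=True makes a network with host bits set (a common transposition
    symptom such as 10.1.0.5/24) raise ValueError instead of being silently
    masked to something you did not intend.
    """
    return IPv4Network(text, strict=True)


def bypass_commands(src: str, dst: str, both_ways: bool = True,
                    action: str = "add") -> list:
    """Return the console command(s) for bypassing src -> dst (and dst -> src)."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    s, d = parse_network(src), parse_network(dst)
    if s.overlaps(d):
        raise ValueError(f"{s} and {d} overlap; check for a mistyped network")
    pairs = [(s, d)] + ([(d, s)] if both_ways else [])
    return [CMD.format(action=action,
                       src=a.network_address, src_mask=a.netmask,
                       dst=b.network_address, dst_mask=b.netmask)
            for a, b in pairs]


def removal_commands(src: str, dst: str, both_ways: bool = True) -> list:
    """The matching 'del' lines, for backing an entry out again."""
    return bypass_commands(src, dst, both_ways, action="del")


if __name__ == "__main__":
    # Constructed example networks.
    for line in bypass_commands("10.1.0.0/24", "10.2.0.0/24"):
        print(line)
    for line in removal_commands("10.1.0.0/24", "10.2.0.0/24"):
        print(line)
```

Paste the printed lines into the console, then confirm with “show advanced-firewall” as the caution above suggests; the generator only catches malformed networks, not a correctly formed network that is simply the wrong one.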


Create Facebook Schedule With Cyberoam

I’ve noticed a lot of people asking how to schedule when a user can or can’t use Facebook. This is pretty easy to do in Cyberoam; you can do it either globally or on a per-user basis. I’ll show you how to do it globally. If you want to do it per user, you just need to make individual policies for your users. The steps below apply to any website, not just Facebook.

Step 1 – Log into your Cyberoam, go to the Web Filter section and select Categories. Add one called “ScheduledSafeSites”. This will be for anything you want to allow during a certain time; if you want to block sites instead, name the category “ScheduledBlockedSites”. Personally I think only the safe-sites one is necessary, but I can see blocking something during the day and letting the night guy watch it. I went ahead and added “” to mine as an example. You can add , or whatever you want here, just like you would add sites to any other category.

Step 2 – Check the policy you want this added to and change both settings to “allow”. These are just the HTTP and HTTPS allow/deny settings.

Step 3 – Go into the Policy setting under Web Filter and open up the policy you added the category to. Click the little wrench icon next to the new category.

Step 4 – You can then select the right schedule. This particular example uses Work Hours, which is 10am to 7pm by default. You can go into the Objects menu on the Cyberoam and edit or create any schedule you want.

Step 5 – Hit OK and save your changes; your users will now only be able to get to the site when you want them to.

Notes: For this to work properly you need to make sure your Cyberoam’s time is correct. I’ve had a couple of instances where the time was off because someone picked the wrong time zone during the initial setup. If people can get to the blocked site earlier than they should, go to the System menu and click Configuration. Most of the time the time zone is wrong; just pick the right one.

Sometimes during the initial setup the Cyberoam appliance will work out its time zone from the internet IP address, but if you have an unusual ISP it may pick the wrong one. It isn’t entirely human error, and it’s really easy to miss.
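To see why a wrong time zone lets people in early, here is an added example (my own, not Cyberoam code) that evaluates a schedule the way the appliance does: the current instant is converted into the configured zone and then compared against the window. Fixed UTC offsets stand in for named zones so it runs without tz data, the instants are constructed, and the Work Hours window is the 10am to 7pm default from Step 4; it also handles a window that crosses midnight, which the default does not.

```python
"""Schedule evaluation, including the wrong-time-zone failure mode."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class Schedule:
    start: time
    end: time
    days: frozenset  # weekdays on which the window applies, Monday = 0

    def contains(self, local: datetime) -> bool:
        """Is this local wall-clock moment inside the window?"""
        if local.weekday() not in self.days:
            return False
        t = local.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window crosses midnight (e.g. 22:00-06:00 for a night shift).
        return t >= self.start or t < self.end


# Default Work Hours from the article (10am-7pm), assumed Monday to Friday.
WORK_HOURS = Schedule(time(10, 0), time(19, 0), frozenset(range(5)))
# Constructed overnight schedule for the "night guy" case.
NIGHT = Schedule(time(22, 0), time(6, 0), frozenset(range(7)))


def allowed(schedule: Schedule, instant_utc_iso: str,
            appliance_offset_hours: int) -> bool:
    """Would the appliance allow the scheduled category at this instant?

    instant_utc_iso: e.g. '2024-03-04T14:30', taken as UTC (constructed).
    appliance_offset_hours: the zone the appliance is configured with.
    """
    instant = datetime.fromisoformat(instant_utc_iso).replace(tzinfo=timezone.utc)
    zone = timezone(timedelta(hours=appliance_offset_hours))
    return schedule.contains(instant.astimezone(zone))


def zone_mismatch_report(instant_utc_iso: str, correct_offset: int,
                         configured_offset: int,
                         schedule: Schedule = WORK_HOURS) -> dict:
    """Compare what the site expects with what a mis-zoned appliance does."""
    return {
        "expected": allowed(schedule, instant_utc_iso, correct_offset),
        "actual": allowed(schedule, instant_utc_iso, configured_offset),
    }


if __name__ == "__main__":
    # Monday 14:30 UTC: 09:30 in UTC-5 (blocked), 11:30 in UTC-3 (allowed).
    print(zone_mismatch_report("2024-03-04T14:30", correct_offset=-5,
                               configured_offset=-3))
```

When “actual” is True while “expected” is False, the appliance’s zone is ahead of the real one, which is precisely the “people get to the site earlier than normal” symptom described in the notes.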