Release Date
Date: 26 May 2014
Release Information
Release Type: General Availability (GA), Major Feature Release
Applicable to CyberoamOS Version:
V 10.01.0XXX or 10.01.X Build XXX: All the versions
V 10.02.0 Build XXX: 047, 174, 176, 192, 206, 224, 227, 409, 473
V 10.04.X Build XXX:
• 0 Build 214, 0 Build 304, 0 Build 311, 0 Build 338, 0 Build 433
• 1 Build 451
• 2 Build 527
• 3 Build 543
• 4 Build 028
• 5 Build 007
• 6 Build 032
V 10.5.3: Common Criteria Certificate (EAL4+) Compliant
V 10.6.X:
• 0 Beta-1
• 0 Beta-2
• 0 Beta-3
• 1 RC-1, 1 RC-3, 1 RC-4
Upgrade procedure
To upgrade the existing Cyberoam Appliance, follow the procedure below:
• Log on to https://customer.cyberoam.com
• Click the “Upgrade” link under Upgrade URL.
• Choose the option “Select for Version 10.00.0xxx to current GA Version 10.00.0xxx Firmware”.
For Cyberoam versions prior to 10.01.0472:
Upgrade Cyberoam to 10.01.0472 by selecting the option “Below 10.01.0472” and follow the on-screen instructions. By doing this, the customer will not be able to roll back.
For Cyberoam version 10.01.0472 or higher:
Upgrade Cyberoam to the latest version by selecting the option “10.01.0472 or higher” and follow the on-screen instructions.
Compatibility Annotations
This version of CyberoamOS is Appliance Model-specific. Hence,
firmware of one model will not be applicable on another model and
upgrade will not be successful. You will receive an error if you
try to upgrade Appliance model CR50iNG-XP with firmware for model
CR100iNG-XP.
This release is compatible with all Cyberoam Virtual
Appliances.
This Cyberoam version is compatible with the Cyberoam Central
Console (CCC) version 02.02.1185 and above. Please check
http://docs.cyberoam.com for availability of latest CCC firmware to
deal with compatibility issues.
Version: 10.6.1 Date: 26 May 2014 Release Notes
Release Notes: CyberoamOS Version 10.6.1
Document Version – 1.01-29/05/2014
Revision History
Sr. No. | Old Revision Number | New Revision Number | Reference Section | Revision Details
1 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam SSL VPN Client for Windows 8 OS
2 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications
3 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Added: Support for 32 bit ASN in BGP
4 | 1.00-23/05/2014 | 1.01-29/05/2014 | Features | Modified: Cyberoam as a Dynamic DNS (DDNS)
5 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Inbound Load Balancing
6 | 1.00-23/05/2014 | 1.01-29/05/2014 | Enhancements | Modified: Remodeled IPS Policy Configuration
Contents
Release Information
Introduction
Features
1. IPv6 Support in CyberoamOS
   a. Dual Stack Implementation
   b. Tunnels: 6in4, 6to4, 6rd, 4in6
   c. Static IPv6 Address Assignment for Interfaces
   d. Dynamic IPv6 Address Assignment
   e. DNSv6 Support
   f. Security over IPv6
   g. Denial of Service (DoS) Attack Mitigation
   h. Spoof Prevention through IPv6 and MAC Binding
   i. Static Neighbour Configuration support
   j. IPv6 Multi-Link Management Support
   k. DHCPv6 Relay support
   l. QoS Support
   m. Diffserve-based QoS Support
   n. Miscellaneous CLI Commands for IPv6 Related Configurations
2. Link Aggregation: Dynamic (802.3ad) and Static
3. High Availability (Active-Active / Active-Passive) in Bridge / Mixed Mode
4. On-Cloud Web Categorization
5. External Web Categorization database Support
6. Support of ICAP to Integrate Third-Party DLP, Web Filtering and AV Applications
7. Support of Secure LDAP/Active Directory (SSL/TLS)
8. Cyberoam-iView Features
   a. Zone Based Application Reports
   b. Client Types Report including BYOD Client Types
   c. Export Reports in HTML Format
   d. Custom Logo for HTML Reports
9. Seeking User Participation for Sustained Product Improvement
10. Support of User Log on and Log off APIs
11. iAccess: Account Status, Quarantine Management and Authentication for iOS Users
12. Cyberoam SSL VPN Client for Windows 8 OS
13. Cyberoam as a Dynamic DNS (DDNS)
14. Inbound Load Balancing
Enhancements
1. Dynamic Routing Configuration via GUI
2. Third Party Certificate Support
3. Third Party Certificate Authority (CA) Support for HTTPS Scanning
4. Certificate Enhancements
5. i18n Support for Default Configuration Language
6. i18n Language support for SSL VPN Web Portal
7. SSL VPN: User Certificate Encryption
8. Multiple Email Addresses Support for User
9. Network Adapter support for Hyper-V based Cyberoam Virtual Appliance
10. Soft Reboot Option Removed from Hyper-V based Cyberoam Virtual Appliance
11. Architectural Enhancements for Cyberoam Central Console
12. Enhanced Browsing Experience
13. Support for 32 bit ASN in BGP
14. Multiple DHCP Servers support in DHCP Relay
15. PPPoE Enhancements
16. Support of Importing Active Directory Organization Unit (OU) and Implementing OU-based Security Policies
17. Sender IP Reputation Optimization
18. Dynamic Routing Information on GUI
19. Remodeled IPS Policy Configuration
   a. Policy Configuration Optimizations
   b. New Pre-Configured IPS Policies
20. Zero Downtime Upgrade for HA Cluster Appliances
21. LAG support in High Availability
22. Usability Enhancements in VPN Tunnel Management
23. DNS Enhancements
24. Kernel Based Virtual Machine Support
25. Enhanced Gateway Load Balancing through Multiple Source NAT (SNAT)
26. Optimization in On-Appliance iView
27. Cyberoam-iView: Enhanced Report Analysis and Correlation
28. Cyberoam-iView: Increased Log Retention Period
29. Enhancements in Context Sensitive Online Help
30. Enhanced Security over NTLM Authentication
Miscellaneous
Bugs Solved
Known Behavior
General Information
Introduction
This document contains the release notes for CyberoamOS Version
10.6.1. The following sections describe the release in detail.
This release comes with several new features, enhancements and
bug fixes to improve quality, reliability, and performance.
Features
1. IPv6 Support in CyberoamOS
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP). It is a routable protocol that provides an identification and location system for devices on networks and routes traffic across the Internet. The Internet Engineering Task Force (IETF) developed IPv6 to deal with the long-anticipated problem of IPv4 address exhaustion.
IPv6 replaces IPv4, the existing Internet Protocol.
The compelling reasons to replace IPv4 were:
• Billions of new devices
• Billions of new users
• “Always-on” Internet access
A Comparison: IPv4 vs. IPv6
IPv4 | IPv6
Uses 32 bits Address | Uses 128 bits Address
Theoretical limit of addresses 2^32: 429m x 10 to the power 7 | Theoretical limit of number of addresses 2^128: 340 x 10 to the power 36
Address Format: 192.168.1.1 | Address Format: fe80:0:0:0:0:0:c0a8:101
The principal benefits of IPv6 are:
• Large address space
• New and simplified header format
• Efficient and hierarchical addressing and routing
• Stateless and stateful address configuration
• Built-in security and interoperability
• In-built mobility
• Mandatory Multicast support
• Better support for QoS
• ICMPv6-based new protocol for neighboring node interaction
• Extensibility in packet headers
IPv6 Features Supported In CyberoamOS
The Administrator can configure IPv6 Addresses for the following features:
• IPv6 Networking
   o Dual Stack Architecture: Support for IPv4 and IPv6 Protocols
   o Tunnels: 6in4, 6to4, 6rd, 4in6
   o Alias and VLAN (Alias and VLAN must be configured with the same IP Address family that is used to configure the respective physical interface.)
   o Route – Static and Source
   o DNSv6 and DHCPv6 Services
   o Router Advertisement
• Firewall Security
   o IPv6 Services
   o IP Host, IP Host Group, MAC Host
   o IPv6 Firewall Rule Schedule
   o QoS and Routing Policy
   o Virtual Host
   o NAT Policy (NAT66)
   o Spoof Prevention
   o DoS
• Layer 8 Identity over IPv6
   o Authentication – AD, LDAP, Radius
   o Clientless Users
   o Authentication using Captive Portal
• Logging and Reporting
   o Traffic Discovery (For User and Source IP Address)
   o Logs and Reports
   o 4-eye Authentication
   o SNMP
   o SYSLOG
• Diagnostics
   o Packet Capture
   o Connection List
   o Ping6
   o Tracert6
   o Name Lookup
   o Route Lookup
   o System Graphs
• NTP
• Self-Signed Certificate
• Scheduled Backup on IPv6 Server
• Backup Restore
a. Dual Stack Implementation
Cyberoam can now be configured with an IPv4 address and an IPv6 address and can process both IPv4 and IPv6 packets. An application that supports both prefers IPv6 traffic at the network layer. Dual stack implementation enables communication between IPv4 and IPv6 devices and is the basis for all transition technologies.
CyberoamOS uses Dual stack as the direct transition approach for IPv6 implementation. For an Administrator, IPv6 works almost the same way as IPv4. Connecting a Cyberoam appliance to an IPv6 network is the same as connecting it to an IPv4 network; the only difference lies in the usage of IPv6 addresses.
b. Tunnels: 6in4, 6to4, 6rd, 4in6
CyberoamOS supports four (4) methods of IP tunneling to promote interoperability between IPv4 and IPv6. Tunneling is a mechanism to encapsulate one network protocol as the payload of another network protocol, i.e. either an IPv6 packet is encapsulated into an IPv4 packet for communication between IPv6-enabled hosts/networks via an IPv4 network, or vice versa. CyberoamOS supports the following types of IP Tunneling methods:
• 6in4 Tunnel: It is commonly referred to as Manual Tunnel and is used for IPv6 to IPv6 communication over an IPv4 backbone. The source and destination IPv4 addresses must be manually configured. It is recommended for point-to-point communication.
• 6to4 Tunnel: It is commonly referred to as Automatic Tunnel and is used for IPv6 to IPv6 communication over an IPv4 backbone. The destination IPv4 address of the tunnel can be automatically acquired, but the source address needs to be provided manually. It is recommended for point-to-multipoint communication.
• 6rd Tunnel: It is used for IPv6 to IPv6 communication over an IPv4 backbone. The 6rd tunnel is an extension of the 6to4 Automatic Tunnel. The tunnel can be established using a pre-defined, ISP-provided prefix.
• 4in6 Tunnel: It is used for IPv4 to IPv4 communication over an IPv6 backbone. The source and destination IPv6 addresses must be manually configured. It is recommended for point-to-point communication.
Point to note:
• The devices at the ends of an IPv6 over IPv4 tunnel or IPv4 over IPv6 tunnel must support IPv4/IPv6 dual stack.
To configure IP Tunnels, go to Network > Interface > IP
Tunnel and click Add.
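
The 6in4, 6to4 and 6rd tunnels above all carry IPv6 inside IPv4 protocol 41, and a 6to4 endpoint can be acquired automatically because the peer's IPv4 address is embedded in its 2002::/16 address (RFC 3056). The following added example, which is not CyberoamOS code, decapsulates such a packet and applies the address-consistency checks a filtering device would want; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                            # IPv6-in-IPv4 encapsulation
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")    # 6to4 prefix (RFC 3056)
# IPv4 ranges that must never appear inside a 6to4 address on the Internet.
UNROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


def embedded_ipv4(addr6):
    """Return the IPv4 tunnel endpoint embedded in a 6to4 address, else None."""
    if addr6 not in SIX_TO_FOUR:
        return None
    # 2002:AABB:CCDD::/48 -> bits 16..47 hold the IPv4 address AA.BB.CC.DD
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)


def inspect_tunnel_packet(packet):
    """Decapsulate one protocol-41 packet and report address inconsistencies."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                   # outer header length in bytes
    if ihl < 20 or len(packet) < ihl + 40:
        raise ValueError("truncated packet")
    if packet[9] != PROTO_IPV6_IN_IPV4:
        raise ValueError("IPv4 payload is not protocol 41")
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    outer = {"source": ipaddress.IPv4Address(packet[12:16]),
             "destination": ipaddress.IPv4Address(packet[16:20])}
    inner_addr = {"source": ipaddress.IPv6Address(inner[8:24]),
                  "destination": ipaddress.IPv6Address(inner[24:40])}
    findings = []
    for role in ("source", "destination"):
        v4 = embedded_ipv4(inner_addr[role])
        if v4 is None:
            continue      # native, 6in4 or 6rd address: no 6to4 endpoint inside
        if any(v4 in net for net in UNROUTABLE_V4):
            findings.append(f"inner {role} embeds unroutable IPv4 {v4}")
        if v4 != outer[role]:
            findings.append(
                f"inner {role} embeds {v4} but outer {role} is {outer[role]}")
    is_6to4 = any(a in SIX_TO_FOUR for a in inner_addr.values())
    return {"outer": outer, "inner": inner_addr,
            "kind": "6to4" if is_6to4 else "6in4 or 6rd",
            "findings": findings}


def build_sample(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: IPv4 header + empty IPv6 packet (checksum left 0)."""
    ipv6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)     # ver, len 0, no next hdr
            + ipaddress.IPv6Address(inner_src).packed
            + ipaddress.IPv6Address(inner_dst).packed)
    ipv4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                        PROTO_IPV6_IN_IPV4, 0)
            + ipaddress.IPv4Address(outer_src).packed
            + ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    samples = {
        "consistent 6to4": build_sample("192.0.2.1", "198.51.100.7",
                                        "2002:c000:201::1", "2002:c633:6407::1"),
        "mismatched 6to4": build_sample("203.0.113.9", "198.51.100.7",
                                        "2002:a00:1::1", "2002:c633:6407::1"),
        "manual tunnel": build_sample("192.0.2.1", "198.51.100.7",
                                      "2001:db8::1", "2001:db8::2"),
    }
    for name, pkt in samples.items():
        result = inspect_tunnel_packet(pkt)
        print(name, "->", result["kind"], result["findings"] or "no findings")
```

For 6in4 and 6rd the inner addresses carry no 2002::/16 endpoint, so the packet alone does not say which of the two it is; the tunnel configuration on the appliance does.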
c. Static IPv6 Address Assignment for Interfaces
CyberoamOS supports static assignment of IPv6 Addresses to various Interfaces like Bridge-Pair, Alias, and VLAN. The Administrator can now assign either or both of IPv6 and IPv4 addresses to a single Interface.
The maximum Alias limit on a single interface is 64 for the IPv6 family.
For related CLI Commands, please refer to the attached Appendix - I.
d. Dynamic IPv6 Address Assignment
CyberoamOS supports both stateless and stateful methods of dynamically assigning IPv6 Addresses to the hosts.
The method used depends on the Managed Address Configuration (M) and Other Configuration (O) flags in the advertised Router Advertisement message.
Cyberoam as DHCPv6 server supports both dynamic and static IPv6 address assignments to DHCPv6 Clients.
Appendix - I - CLI Commands
Version: 10.6.1
Document Version – 1.00-28/05/2014
1. IPv6 Interface Configuration
a. Command: show network static-route6
To display static routes
2. Dynamic Address Assignment for IPv6 Hosts
b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode
To add the custom DHCPv6 option
c. Command: cyberoam dhcpv6 dhcpv6-options binding add dhcpname
To add DHCPv6 options of a DHCPv6 server
d. Command: cyberoam dhcpv6 dhcpv6-options binding delete dhcpname
To delete DHCPv6 options of a DHCPv6 server
e. Command: cyberoam dhcpv6 dhcpv6-options binding show dhcpname
To display all the DHCPv6 options of a DHCPv6 Server
f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname
To delete the custom DHCPv6 option
g. Command: cyberoam dhcpv6 dhcpv6-options list
To display all the configurable DHCPv6 options
3. Resolve IPv6 Domains: DNS Support
a. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
b. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
4. Miscellaneous CLI Commands for IPv6 Related Configurations
For Network Interface
a. Command: show network interfaces
To display information about network interfaces
For Diagnostics
b. traceroute6
Use to trace the path taken by an IPv6 packet from the source system to the destination system, over the Internet.
Syntax
traceroute6 [ | | first-ttl | max-ttl | probes | source | timeout | tos]
c. telnet6
Use telnet protocol to connect to another remote computer.
Syntax
telnet6
d. ping6
Sends ICMPv6 ECHO_REQUEST packets to network hosts.
Syntax
ping6 [ | count | interface | quiet | size ]
For Proxy ARP (IPv6 Virtual Host)
e. Command: show proxy-arp
To display proxy ARP entries.
5. Link Aggregation: Dynamic (802.3ad), Static & Active-Backup
a. Command: show network lag-interface
To display the details of particular LAG interface parameters
b. Command: show network lag-interface runconfig
To display LAG configurations in detail
c. Command: set network lag-interface lag-mgt mode active-backup
To configure the LAG mode as active-backup to provide fault tolerance.
E.G. set network lag-interface CyberLAG lag-mgt mode active-backup
d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)
To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.
E.G. set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)
e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none
Allow the primary slave to become active only if the current active slave fails and the primary is up.
f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover
Allow the primary to become active when it comes up again and the currently active slave becomes inactive.
g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed
Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave are better than the speed and duplex of the currently active slave.
h. Command: set network lag-interface lag-mgt lacp lacp-rate slow
Request partner (Switch) to transmit LACPDUs every 30 seconds
i. Command: set network lag-interface lag-mgt lacp lacp-rate fast
Request partner (Switch) to transmit LACPDUs every 1 second
j. Command: set network lag-interface lag-mgt lacp static-mode enable
To enable the static mode.
k. Command: set network lag-interface lag-mgt lacp static-mode disable
To disable the static mode.
l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2
Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.
m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3
Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.
n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4
Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.
o. Command: set network lag-interface link-mgt monitor-interval
To configure link monitoring frequency time in milliseconds.
p. Command: set network lag-interface link-mgt up-time
To configure Up-Delay time in milliseconds, i.e. the wait time before enabling a slave after link recovery detection.
q. Command: set network lag-interface link-mgt down-time
To configure Down-Delay time in milliseconds, i.e. the wait time before disabling a slave after link failure detection.
r. Command: set network lag-interface link-mgt garp-count
To configure the number of peer notifications (gratuitous ARPs) to be issued after a failover event.
6. ICAP – Extended Security Service Support
a. Command: show icap
Displays the ICAP Server configurations.
b. Command: set icap apply-change
For applying the configuration modifications made using the Edit commands of Request Mode or Response Mode.
To apply modifications made using any of the edit commands below, use the command: set icap apply-change
c. Command: set icap edit reqmod IP-address
Example: set icap edit reqmod IP-address 192.168.1.2
For configuring ICAP Server Request Mode IP Address.
d. Command: set icap edit reqmod port
Example: set icap edit reqmod port 1344
For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.
e. Command: set icap edit reqmod service-name
Example: set icap edit reqmod service-name xyz
For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.
f. Command: set icap edit reqmod reset
All Request Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.
g. Command: set icap edit respmod IP-address
Example: set icap edit respmod IP-address 192.168.1.2
For configuring ICAP Server Response Mode IP Address.
h. Command: set icap edit respmod port
Example: set icap edit respmod port 1344
For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.
i. Command: set icap edit respmod service-name
Example: set icap edit respmod service-name xyz
For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.
j. Command: set icap edit respmod reset
All Response Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Response Mode for the respective ICAP Server shall be flushed.
k. Command: set icap edit options body limit
Example: set icap edit options body limit 10485760
To configure the inbound and outbound content body limit in bytes.
l. Command: set icap edit options connections
Example: set icap edit options connections 1
To configure the number of connections.
m. Command: set icap edit options mode_dlp
For switching on or switching off the DLP mode.
In case of Request Mode, only POST and PUT method traffic is sent to the ICAP server.
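
How a Request Mode transaction looks on the wire, as an added example that follows RFC 3507 and is not taken from CyberoamOS: it builds the REQMOD message an ICAP client sends for an HTTP POST or PUT and splits it again the way a DLP server would. The server address, port and service name are the example values from the commands above; the function names and the HTTP request are constructed for illustration.

```python
ICAP_METHODS_SENT = {"POST", "PUT"}   # per the note above: only these go to REQMOD


def build_reqmod(server, port, service, http_head, body=b""):
    """Wrap an HTTP request in an ICAP REQMOD message, or return None if the
    HTTP method is not one that Request Mode forwards."""
    method = http_head.split(b" ", 1)[0].decode("ascii")
    if method not in ICAP_METHODS_SENT:
        return None
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with a blank line")
    if body:
        # Offsets in Encapsulated are counted from the start of the ICAP body.
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        # The encapsulated HTTP body is always sent with chunked framing.
        chunked = b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        chunked = b""
    icap_head = (f"REQMOD icap://{server}:{port}/{service} ICAP/1.0\r\n"
                 f"Host: {server}\r\n"
                 f"Encapsulated: {encapsulated}\r\n\r\n").encode("ascii")
    return icap_head + http_head + chunked


def dechunk(data):
    """Decode a chunked body up to the terminating zero-length chunk."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                        # skip data and its CRLF


def split_encapsulated(message):
    """Server side: recover (HTTP header block, HTTP body) from a REQMOD."""
    icap_head, _, rest = message.partition(b"\r\n\r\n")
    headers = {}
    for line in icap_head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    offsets = {}
    for part in headers[b"encapsulated"].split(b","):
        key, _, off = part.strip().partition(b"=")
        offsets[key.decode("ascii")] = int(off)
    if "req-body" in offsets:
        start = offsets["req-body"]
        return rest[offsets["req-hdr"]:start], dechunk(rest[start:])
    return rest[offsets["req-hdr"]:offsets["null-body"]], b""


def sample_http_post():
    """Constructed HTTP upload used as sample input."""
    body = b"note=quarterly-report-draft"
    head = (b"POST /upload HTTP/1.1\r\n"
            b"Host: intranet.example\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head, body


if __name__ == "__main__":
    head, body = sample_http_post()
    message = build_reqmod("192.168.1.2", 1344, "xyz", head, body)
    print(message.decode("ascii"))
    print(split_encapsulated(message) == (head, body))
```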
• DHCPv6 Stateful Mode: DHCPv6 clients require an IPv6 address together with other network parameters (like DNS Server, Domain Name). To configure DHCPv6, go to Network > DHCP > Server and click Add > IPv6. For related CLI Commands, please refer to the attached Appendix - I.
• DHCPv6 Stateless Mode: Stateless Address Auto-Configuration (SLAAC) is a stateless address assignment method through which hosts on the same link can auto-configure their IPv6 Addresses from the prefix advertised by Cyberoam. CyberoamOS’s Router Advertisements contain prefixes that are used for host address configuration, and other configuration parameters like default Gateway, MTU, Reachable time, Retransmit time, Hop limit.
CyberoamOS’s Router Advertisements are sent either periodically or in response to a Router Solicitation message from hosts.
The DHCPv6 client obtains network parameters other than the IPv6 address.
To add Router Advertisement for SLAAC, go to Network > Router Advertisement > Router Advertisement.
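
The M and O flags and the parameters listed above all travel in one ICMPv6 Router Advertisement (RFC 4861). The following added example, not CyberoamOS code, parses such a message, reports which assignment method a host would follow, and derives the address a host forms from the advertised prefix using the classic modified EUI-64 interface identifier (many current hosts use randomised identifiers instead). The function names, the sample advertisement and the MAC address are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134            # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO, OPT_MTU = 3, 5   # neighbour discovery option types


def parse_router_advertisement(msg):
    """Parse the ICMPv6 payload of a Router Advertisement into a dict."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack(
        "!BBHII", msg[4:16])
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),      # M flag
          "other": bool(flags & 0x40),        # O flag
          "router_lifetime_s": lifetime,      # > 0: usable as default gateway
          "reachable_ms": reachable, "retrans_ms": retrans,
          "mtu": None, "prefixes": []}
    pos = 16
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(msg):
            raise ValueError("malformed option")
        body = msg[pos:pos + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append({"prefix": prefix,
                                   "on_link": bool(body[3] & 0x80),
                                   "autonomous": bool(body[3] & 0x40)})
        elif opt_type == OPT_MTU and opt_len == 8:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        pos += opt_len
    return ra


def address_method(ra):
    """Map the M/O flags to the assignment method a host follows."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6"              # address and parameters via DHCPv6
    if slaac and ra["other"]:
        return "SLAAC + stateless DHCPv6"     # address from prefix, rest via DHCPv6
    if slaac:
        return "SLAAC only"
    return "no automatic addressing"


def slaac_address(prefix, mac):
    """Address formed from a /64 prefix and a modified EUI-64 interface ID."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int.from_bytes(iid, "big"))


def build_sample_ra(flags):
    """Constructed advertisement: prefix 2001:db8:1::/64 (L+A set), MTU 1500."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                         1800, 0, 0)
    prefix_opt = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0,
                              2592000, 604800, 0)
                  + ipaddress.IPv6Address("2001:db8:1::").packed)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    return header + prefix_opt + mtu_opt


if __name__ == "__main__":
    for flags in (0x00, 0x40, 0x80):
        ra = parse_router_advertisement(build_sample_ra(flags))
        print(f"M={ra['managed']} O={ra['other']} -> {address_method(ra)}")
    print(slaac_address(ra["prefixes"][0]["prefix"], "00:1a:2b:3c:4d:5e"))
```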
e. DNSv6 Support
CyberoamOS now simultaneously supports both the traditional 32-bit IPv4 address format and the 128-bit IPv6 address format for the external DNS resolver through Domain Name Server (DNSv6) support. Thus, DNS servers can be configured for IPv6 networks, to which the appliance can send name resolution requests. Also, the Administrator can choose one of the four options below, according to which CyberoamOS’s DNS server selects the external IPv6 and/or IPv4 DNS servers:
• Choose server based on incoming requests record type
• Choose IPv6 DNS server over IPv4
• Choose IPv4 DNS server over IPv6
• Choose IPv6 if request originator address is IPv6, else IPv4
To configure IPv6 Addresses for DNS server, go to Network > DNS > DNS.
To handle internal DNS queries, CyberoamOS allows DNS Host Entries to be added. To add a DNS Host Entry for an IPv6 Address, go to Network > DNS > DNS Host Entry.
Further, CyberoamOS now allows Name Lookup and Reverse DNS Lookup for IPv6 Addresses. Name Lookup and Reverse DNS Lookup are used to query the DNS for information about a domain name and IPv6 Address.
For related CLI Commands, please refer to the attached Appendix - I.
-
Document Version – 1.00-28/05/2014 1
1. IPv6 Interface Configuration
a. Command: show network static-route6
To display static routes
2. Dynamic Address Assignment for IPv6 Hosts
b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode
To add the custom DHCPv6 option
c. Command: cyberoam dhcpv6 dhcpv6-options binding add
dhcpname
To add DHCPv6 options of a DHCPv6 server
d. Command: cyberoam dhcpv6 dhcpv6-options binding delete
dhcpname
To delete DHCPv6 options of a DHCPv6 server
e. Command: cyberoam dhcpv6 dhcpv6-options binding show
dhcpname
To display all the DHCPv6 options of a DHCPv6 Server
f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname
To delete the custom DHCPv6 option
g. Command: cyberoam dhcpv6 dhcpv6-options list
To display all the configurable DHCPv6 options
3. Resolve IPv6 Domains: DNS Support
a. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
b. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
4. Miscellaneous CLI Commands for IPv6 Related
Configurations
For Network Interface
a. Command: show network interfaces
To display information about network interfaces
Version: 10.6.1 Appendix: CLI Commands
-
Appendix - I - CLI Commands
Document Version – 1.00-28/05/2014 2
For Diagnostics
b. traceroute6
Use to trace the path taken by an IPv6 packet from the source
system to the destination system, over the Internet.
Syntax
traceroute6 [ | | first-ttl | max-ttl | probes | source |
timeout | tos]
c. telnet6
Use telnet protocol to connect to another remote computer.
Syntax
telnet6
d. ping6
Sends ICMPv6 ECHO_REQUEST packets to network hosts.
Syntax
ping6 [ | count | interface | quiet | size ]
For Proxy ARP (IPv6 Virtual Host)
e. Command: show proxy-arp
To displays proxy ARP entries.
5. Link Aggregation: Dynamic (802.3ad), Static &
Active-Backup
a. Command: show network lag-interface
To display the details of particular LAG interface
parameters
b. Command: show network lag-interface runconfig
To display LAG configurations in detail
c. Command: set network lag-interface lag-mgt mode
active-backup
To configure the LAG mode as active-backup to provide fault
tolerance.
E.G. set network lag-interface CyberLAG lag-mgt mode
active-backup
-
Appendix - I - CLI Commands
Document Version – 1.00-28/05/2014 3
d. Command: set network lag-interface lag-mgt mode 802.3ad (LACP)
To configure the LAG mode as 802.3ad (LACP) to load balance the traffic and provide fault tolerance.
E.g. set network lag-interface CyberLAG lag-mgt mode 802.3ad (LACP)
e. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy none
Allow the primary slave to become active only if the current active slave fails and the primary is up.
f. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy takeover
Allow the primary to become active when it comes up again and the currently active slave becomes inactive.
g. Command: set network lag-interface lag-mgt active-backup primary-interface (Auto, Member Interfaces) failback-policy link-speed
Allow the primary to become active when it comes up again, only if the speed and duplex of the primary slave are better than the speed and duplex of the currently active slave.
h. Command: set network lag-interface lag-mgt lacp lacp-rate slow
Request partner (Switch) to transmit LACPDUs every 30 seconds
i. Command: set network lag-interface lag-mgt lacp lacp-rate fast
Request partner (Switch) to transmit LACPDUs every 1 second
j. Command: set network lag-interface lag-mgt lacp static-mode enable
To enable the static mode.
k. Command: set network lag-interface lag-mgt lacp static-mode disable
To disable the static mode.
l. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2
Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address and Destination MAC Address.
m. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer2+3
Specifies that for 802.3ad and static mode, load sharing is done using Source MAC Address, Destination MAC Address, Source IP Address, and Destination IP Address.
n. Command: set network lag-interface lag-mgt lacp xmit-hash-policy layer3+4
Specifies that for 802.3ad and static mode, load sharing is done using Source Port, Destination Port, Source IP Address, and Destination IP Address.
o. Command: set network lag-interface link-mgt monitor-interval
To configure link monitoring frequency time in milliseconds.
p. Command: set network lag-interface link-mgt up-time
To configure Up-Delay time in milliseconds, i.e. the wait time before enabling a slave after link recovery detection.
q. Command: set network lag-interface link-mgt down-time
To configure Down-Delay time in milliseconds, i.e. the wait time before disabling a slave after link failure detection.
r. Command: set network lag-interface link-mgt garp-count
To configure the number of peer notifications (gratuitous ARPs) to be issued after a failover event.
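
How the three xmit-hash-policy values listed above place flows on member links, as an added example that is not CyberoamOS code. It uses a simplified form of the formulas given in older Linux bonding documentation, which has the same policy names; that CyberoamOS hashes the same way is an assumption, and the MAC addresses, IP addresses and ports are constructed.

```python
from ipaddress import ip_address


def mac_to_int(mac):
    """'02:00:00:00:00:01' -> integer value of the 48-bit address."""
    return int(mac.replace(":", ""), 16)


def select_link(flow, policy, n_links):
    """Index of the member link that carries this flow under the given policy.

    Assumed formulas (older Linux bonding documentation, simplified):
      layer2   : (src MAC ^ dst MAC) % links
      layer2+3 : (((src IP ^ dst IP) & 0xffff) ^ (src MAC ^ dst MAC)) % links
      layer3+4 : ((src port ^ dst port) ^ ((src IP ^ dst IP) & 0xffff)) % links
    """
    src_mac, dst_mac, src_ip, dst_ip, sport, dport = flow
    l2 = mac_to_int(src_mac) ^ mac_to_int(dst_mac)
    l3 = (int(ip_address(src_ip)) ^ int(ip_address(dst_ip))) & 0xFFFF
    if policy == "layer2":
        key = l2
    elif policy == "layer2+3":
        key = l3 ^ l2
    elif policy == "layer3+4":
        key = (sport ^ dport) ^ l3
    else:
        raise ValueError("unknown xmit-hash-policy: %r" % policy)
    return key % n_links


# Constructed sample: a two-port LAG between the appliance and one upstream
# router, so every frame carries the same source/destination MAC pair.
FW, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:02"
FLOWS = [
    (FW, ROUTER, "10.0.0.1", "198.51.100.10", 40000, 443),
    (FW, ROUTER, "10.0.0.2", "198.51.100.10", 40002, 443),
    (FW, ROUTER, "10.0.0.1", "198.51.100.10", 40001, 443),
    (FW, ROUTER, "10.0.0.2", "198.51.100.10", 40003, 443),
]


def placement(policy, flows=FLOWS, n_links=2):
    """Member link chosen for each flow, in the order of `flows`."""
    return [select_link(flow, policy, n_links) for flow in flows]


if __name__ == "__main__":
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print("%-9s %s" % (policy, placement(policy)))
```

With a single MAC pair on the link, layer2 keeps every flow on one member; layer2+3 splits by host pair, and layer3+4 also separates two connections between the same hosts.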

6. ICAP – Extended Security Service Support
a. Command: show icap
Displays the ICAP Server configurations.
b. Command: set icap apply-change
For applying the configuration modifications executed using Edit commands of Request Mode or Response Mode.
To apply modifications made using any of the below edit commands, use command - set icap apply-change
c. Command: set icap edit reqmod IP-address
Example: set icap edit reqmod IP-address 192.168.1.2
For configuring ICAP Server Request Mode IP Address.
d. Command: set icap edit reqmod port
Example: set icap edit reqmod port 1344
For configuring ICAP Server Request Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.
e. Command: set icap edit reqmod service-name
Example: set icap edit reqmod service-name xyz
For configuring ICAP Server Request Mode Service Name. Only those services that are offered and configured by ICAP Request Server Administrator are accessible by Cyberoam.
f. Command: set icap edit reqmod reset
All Request Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Request Mode for the respective ICAP Server will be flushed.
g. Command: set icap edit respmod IP-address
Example: set icap edit respmod IP-address 192.168.1.2
For configuring ICAP Server Response Mode IP Address.
h. Command: set icap edit respmod port
Example: set icap edit respmod port 1344
For configuring ICAP Server Response Mode Port number. Any port number compatible with Cyberoam and ICAP Server can be configured as Request Port.
i. Command: set icap edit respmod service-name
Example: set icap edit respmod service-name xyz
For configuring ICAP Server Response Mode Service Name. Only those services that are offered and configured by ICAP Response Server Administrator are accessible by Cyberoam.
j. Command: set icap edit respmod reset
All Response Mode parameters (IP Address, port and service-name) are reset to their respective default values. By default, the value is none. The Response Mode for the respective ICAP Server shall be flushed.
k. Command: set icap edit options body limit
Example: set icap edit options body limit 10485760
To configure the inbound and outbound content body limit in bytes.
l. Command: set icap edit options connections
Example: set icap edit options connections 1
To configure the number of connections.
m. Command: set icap edit options mode_dlp
For switching on or switching off the DLP mode.
In case of Request Mode, only POST and PUT method traffic are sent to ICAP server.
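
What the Request Mode settings above produce on the wire, as an added example that is not CyberoamOS code: an RFC 3507 REQMOD message built from the page's example values (192.168.1.2, port 1344, service xyz, body limit 10485760) and read back the way an ICAP server would. The HTTP requests are constructed, and skipping a request whose body exceeds the limit is an assumption about the appliance's behaviour.

```python
from dataclasses import dataclass


@dataclass
class IcapConfig:
    """Values from the page's 'set icap edit ...' examples."""
    ip: str = "192.168.1.2"
    port: int = 1344
    service: str = "xyz"
    body_limit: int = 10485760      # bytes
    mode_dlp: bool = True           # DLP mode: only POST and PUT go to ICAP


def chunk(body):
    """HTTP chunked encoding; RFC 3507 requires it for encapsulated bodies."""
    return b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"


def dechunk(data):
    """Inverse of chunk(): concatenate chunks until the zero-length chunk."""
    body = b""
    while True:
        size_line, data = data.split(b"\r\n", 1)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return body
        body += data[:size]
        data = data[size + 2:]      # skip the chunk and its trailing CRLF


def build_reqmod(cfg, http_head, body):
    """ICAP REQMOD message for one HTTP request, or None when it is not sent."""
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    method = http_head.split(b" ", 1)[0].decode("ascii").upper()
    if cfg.mode_dlp and method not in ("POST", "PUT"):
        return None                 # DLP mode as described on the page
    if len(body) > cfg.body_limit:
        return None                 # assumption: over-limit bodies are skipped
    # Encapsulated offsets are counted from the start of the encapsulated part.
    kind = "req-body" if body else "null-body"
    icap_head = (
        "REQMOD icap://%s:%d/%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Encapsulated: req-hdr=0, %s=%d\r\n\r\n"
        % (cfg.ip, cfg.port, cfg.service, cfg.ip, kind, len(http_head))
    ).encode("ascii")
    return icap_head + http_head + (chunk(body) if body else b"")


def split_reqmod(msg):
    """Server side: use the Encapsulated offsets to recover (http_head, body)."""
    icap_head, rest = msg.split(b"\r\n\r\n", 1)
    enc = next(line for line in icap_head.split(b"\r\n")
               if line.lower().startswith(b"encapsulated:"))
    parts = dict(p.strip().split(b"=") for p in enc.split(b":", 1)[1].split(b","))
    if b"null-body" in parts:
        return rest[:int(parts[b"null-body"])], b""
    start = int(parts[b"req-body"])
    return rest[:start], dechunk(rest[start:])


# Constructed sample requests.
POST_BODY = b"account=12345678&note=test"
POST_HEAD = (b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Content-Length: 26\r\n\r\n")
GET_HEAD = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    print(build_reqmod(IcapConfig(), POST_HEAD, POST_BODY).decode("ascii"))
    print("GET in DLP mode:", build_reqmod(IcapConfig(), GET_HEAD, b""))
```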
f. Security over IPv6
CyberoamOS Firewall is capable of filtering IPv6 traffic.
Administrator can configure IPv6 specific Firewall Rules to manage
and control the network traffic. Furthermore, Administrator can
create separate Firewall Rules for IPv4 and IPv6 traffic.
IPv6 Firewall Rules support configuring the following types of Objects:
• IPv6 Hosts
• IPv6 Host Groups
• MAC Hosts
• Virtual Hosts
To configure IPv6 Firewall Rules, go to Firewall > Rule > IPv6 Rule and click Add.
g. Denial of Service (DoS) Attack Mitigation
CyberoamOS provides support to prevent TCP, UDP, SYN, and ICMPv6 based DoS attacks by dropping the excess IPv6 packets from the particular source/destination. CyberoamOS drops packets from the source/destination till the burst rate goes below the threshold, and re-allows traffic only after 30 seconds once the attack subsides.
To configure DoS settings, go to Firewall > DoS >
Settings.
On migration, existing DoS configuration will be applicable to
both IPv4 DoS and IPv6 DoS.
Administrator can also choose to bypass ICMPv6 redirect messages
and IPv6 source routed packets destined for Cyberoam, if the
Administrator is sure that the specified source is not used for
flooding.
To bypass DoS for a specific IPv6 source route, go to Firewall
> DoS > Bypass Rules.
h. Spoof Prevention through IPv6 and MAC Binding
To reduce the risk of obfuscated (spoofed) source addresses, CyberoamOS enforces Spoof Prevention using the reverse path filtering technique, which makes sure that packets received throughout the network are coming from an authorized location.
To enable IPv6 Spoof Prevention, go to Firewall > Spoof
Prevention > General Settings and select Enable Spoof
Prevention.
By default, Spoof Prevention is disabled.
In addition, the Administrator can configure trusted MAC Address
and IPv6 Address. User gets access to the network only if the MAC
Address and IPv6 Address are on the Trusted MAC list.
To add trusted MAC Address and IPv6 Address, go to Firewall >
Spoof Prevention > Trusted MAC and click Add.
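
The two checks described above, as an added example that is not CyberoamOS code: a strict reverse path filter over an IPv6 routing table, followed by a trusted MAC and IPv6 binding check. The routes, port names, addresses and the choice to apply the binding check only on the LAN port are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, interface the prefix is reached through).
ROUTES = [
    ("2001:db8:10::/64", "PortA"),   # LAN
    ("2001:db8:20::/64", "PortC"),   # DMZ
    ("::/0", "PortB"),               # WAN default route
]
# Constructed trusted list: MAC address -> the IPv6 address bound to it.
TRUSTED = {"00:16:3e:00:00:0a": "2001:db8:10::a"}
# Assumption: the MAC/IPv6 binding is enforced only on these interfaces.
MAC_FILTERED = {"PortA"}


def reverse_path_interface(src_ip, routes=ROUTES):
    """Interface a reply to src_ip would leave through (longest-prefix match)."""
    addr = ip_address(src_ip)
    matches = [(ip_network(prefix), iface) for prefix, iface in routes
               if addr in ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check_packet(src_ip, src_mac, in_iface,
                 routes=ROUTES, trusted=TRUSTED, mac_filtered=MAC_FILTERED):
    """Return (verdict, reason) for a packet arriving on in_iface."""
    # 1. Reverse path filter: the packet must arrive on the interface that the
    #    routing table would use to reach its claimed source.
    expected = reverse_path_interface(src_ip, routes)
    if expected != in_iface:
        return ("drop", "spoof: route back to %s is via %s, not %s"
                % (src_ip, expected, in_iface))
    # 2. Trusted MAC: the MAC must be listed and bound to this exact address.
    #    Compare parsed addresses so different spellings of one address match.
    if in_iface in mac_filtered:
        bound = trusted.get(src_mac.lower())
        if bound is None:
            return ("drop", "MAC %s is not on the trusted list" % src_mac)
        if ip_address(bound) != ip_address(src_ip):
            return ("drop", "MAC %s is bound to %s, not %s"
                    % (src_mac, bound, src_ip))
    return ("accept", "")


if __name__ == "__main__":
    samples = [  # constructed packets: (source IPv6, source MAC, ingress port)
        ("2001:db8:10::a", "00:16:3e:00:00:0a", "PortA"),
        ("2001:DB8:10:0::A", "00:16:3E:00:00:0A", "PortA"),
        ("2001:db8:10::a", "00:16:3e:00:00:0a", "PortB"),
        ("2001:db8:10::b", "00:16:3e:00:00:0a", "PortA"),
        ("2001:db8:10::c", "00:16:3e:00:00:0c", "PortA"),
        ("2001:db8:ffff::1", "00:16:3e:00:00:99", "PortB"),
    ]
    for pkt in samples:
        print(pkt, "->", check_packet(*pkt))
```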
i. Static Neighbour Configuration support
Hosts and routers use the Neighbor Discovery Protocol (NDP) to determine the link-layer addresses of peers known to be on attached links and to quickly clear invalid cache values. Hosts use Neighbor Discovery (ND) to search for neighboring routers that are willing to forward packets on their behalf. The protocol is also used to keep track of whether the neighbors are reachable and to detect any change in link-layer addresses. A host looks for an alternative if a router, or the route to reach the router, fails.
NDP has Neighbor Solicitations, similar to ARP requests, and Neighbor Advertisements, similar to ARP replies. Unsolicited neighbor advertisements in IPv6 correspond to gratuitous ARP replies in IPv4.
CyberoamOS supports configuring static and dynamic neighbor entries for IPv6. This allows static neighbor configuration for trusted/vulnerable machines in the network. A static neighbor entry helps solicit requests for configured entries and ignores any incoming solicited/advertised ND messages for configured entries.
To configure Static ND, go to Network > ARP-NDP > Neighbor
> Add Static Neighbor and select IPv4 or IPv6 to add IPv4 and
IPv6 Addresses respectively.
Also, CyberoamOS supports mitigating both IPv4 and IPv6
poisoning attacks by logging the attempts to insert the entries. To
mitigate poisoning attacks, go to Network > ARP-NDP >
Neighbor and enable Log Possible Neighbor Poisoning Attempts.
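
The behaviour described above for static entries and poisoning logs, as an added example that is not CyberoamOS code: a neighbor table that ignores advertisements for statically configured addresses and records the ones that offer a different link-layer address. The class, the addresses and the event list are constructed, and the log format is an assumption.

```python
from ipaddress import ip_address


class NeighborTable:
    """Neighbor cache with pinned (static) entries, for ARP and NDP alike."""

    def __init__(self, static):
        # Parse addresses so that different spellings of one address match.
        self.static = {ip_address(ip): mac.lower() for ip, mac in static.items()}
        self.dynamic = {}
        self.log = []   # (time, ip, configured MAC, offered MAC)

    def on_advertisement(self, t, ip, mac):
        """Handle one ARP reply or Neighbor Advertisement seen at time t."""
        addr, mac = ip_address(ip), mac.lower()
        pinned = self.static.get(addr)
        if pinned is not None:
            # Static entry: never updated from the wire. A different MAC for
            # this address is recorded as a possible poisoning attempt.
            if mac != pinned:
                self.log.append((t, str(addr), pinned, mac))
            return "ignored-static"
        previous = self.dynamic.get(addr)
        self.dynamic[addr] = mac
        if previous is None:
            return "learned"
        return "unchanged" if previous == mac else "changed"

    def resolve(self, ip):
        """Link-layer address used for ip; static entries take precedence."""
        addr = ip_address(ip)
        return self.static.get(addr) or self.dynamic.get(addr)


# Constructed configuration: the gateway is pinned for both IP families.
STATIC = {
    "2001:db8:10::1": "00:16:3e:00:00:01",
    "192.168.1.1": "00:16:3e:00:00:01",
}
# Constructed events: (time in seconds, advertised IP, advertised MAC).
EVENTS = [
    (1, "2001:db8:10::50", "00:16:3e:00:00:50"),   # ordinary host appears
    (2, "2001:db8:10::1", "00:16:3e:00:00:01"),    # gateway, correct MAC
    (3, "2001:db8:10::1", "00:16:3e:00:00:66"),    # gateway, different MAC
    (4, "192.168.1.1", "00:16:3E:00:00:66"),       # same over ARP
    (5, "2001:db8:10::50", "00:16:3e:00:00:51"),   # host changes its MAC
]


def replay(events=EVENTS, static=STATIC):
    """Feed the events to a fresh table; return (table, per-event outcomes)."""
    table = NeighborTable(static)
    outcomes = [table.on_advertisement(*event) for event in events]
    return table, outcomes


if __name__ == "__main__":
    table, outcomes = replay()
    print(outcomes)
    for entry in table.log:
        print("possible neighbor poisoning:", entry)
```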
j. IPv6 Multi-Link Management Support
Load balancing between the links optimizes its utilization by
distributing the traffic among various links and thus improves
performance and reduces the operational cost.
From this version onwards, CyberoamOS supports weighted load
balancing for IPv6 traffic to enable maximum utilization of
capacities across the various gateway/links.
To configure IPv6 Load Balancing, go to Firewall > Rule >
IPv6 Rule > Add/Edit Rule > Advance Settings (QoS, Routing
Policy, Log Traffic) and select Load Balance option for parameter
Route Through Gateway.
k. DHCPv6 Relay support
A DHCP relay receives the multicast packets from clients and forwards them to a DHCP server that is not in the subnet range. CyberoamOS now supports DHCPv6 relay to cater to clients requesting an IPv6 Address.
The Cyberoam Appliance can act as DHCP Server and DHCP Relay, if configured for different IP families.
To configure DHCPv4 or DHCPv6 Relay, go to Network > DHCP
> Relay > Add > IPv6.
l. QoS Support
From this version onwards, Cyberoam Administrator can configure
user-based and firewall-based QoS policy for IPv6 traffic.
To configure QoS based IPv6 Firewall Rule, go to Firewall >
IPv6 Rule > Add > Advance Settings > QoS & Routing
Policy > QoS.
m. DiffServ-based QoS Support
From this version, CyberoamOS supports Differentiated Services
Code Point (DSCP) for IPv6 traffic.
To configure DSCP, go to Firewall > IPv6 Rule > Add >
Advance Settings > QoS & Routing Policy > DSCP
Marking.
n. Miscellaneous CLI Commands for IPv6 Related
Configurations
For related CLI Commands, please refer to the attached Appendix
- I.
2. Link Aggregation: Dynamic (802.3ad) and Static
From this version, CyberoamOS supports Link Aggregation (LAG) for aggregating (combining) multiple network connections into a single connection. It is also called port trunking, link bundling, Ethernet/NIC bonding or NIC teaming.
Advantages of LAG
• Linear (aggregated) increase in bandwidth according to the number of links used in the group
• Link redundancy by failover and failback in a continuous session
• Load sharing across links according to the algorithm applied in the xmit hash policy
• No change in the existing network deployment/hardware
CyberoamOS supports the following LAG Deployment Modes:
• Dynamic Link Aggregation (802.3ad)
  o Requires Switch-side configuration (with LACP support)
  o Supports Load-sharing and Fault-tolerance
• Active-Backup
  o Does not require Switch-side configuration
  o Supports Fault-tolerance mode
• Static Link Aggregation
  o Does not require Switch-side configuration
  o Supports Load-sharing and Fault-tolerance
Prerequisites
• The other end point of Cyberoam (e.g. switch) should support LACP 802.3ad mode
• All member interfaces must have the same physical characteristics, like Interface speed and Full-Duplex (applicable to LACP 802.3ad)
• Refer to the switch manual for its proprietary configurations
• Only unbound physical interfaces can be members of the LAG Group
Note:
• A maximum of 4 ports can be configured on a single LAG interface
• LAG is not supported with the Appliance deployed in Transparent mode
• Interfaces on which PPPoE, WWAN and WLAN are configured cannot participate in LAG
• IPv6 and PAgP are not supported
• A Bridge Pair cannot be created on a LAG interface
To configure LAG, go to Network > Interface > Interface and click Add LAG.
For related CLI Commands, please refer to the attached Appendix - I.
-
Document Version – 1.00-28/05/2014 1
1. IPv6 Interface Configuration
a. Command: show network static-route6
To display static routes
2. Dynamic Address Assignment for IPv6 Hosts
b. Command: cyberoam dhcpv6 dhcpv6-options add optioncode
To add the custom DHCPv6 option
c. Command: cyberoam dhcpv6 dhcpv6-options binding add
dhcpname
To add DHCPv6 options of a DHCPv6 server
d. Command: cyberoam dhcpv6 dhcpv6-options binding delete
dhcpname
To delete DHCPv6 options of a DHCPv6 server
e. Command: cyberoam dhcpv6 dhcpv6-options binding show
dhcpname
To display all the DHCPv6 options of a DHCPv6 Server
f. Command: cyberoam dhcpv6 dhcpv6-options delete optionname
To delete the custom DHCPv6 option
g. Command: cyberoam dhcpv6 dhcpv6-options list
To display all the configurable DHCPv6 options
3. Resolve IPv6 Domains: DNS Support
a. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
b. Command: dnslookup6 host
To query Internet Domain Name Server for Host to be searched
4. Miscellaneous CLI Commands for IPv6 Related
Configurations
For Network Interface
a. Command: show network interfaces
To display information about network interfaces
Version: 10.6.1 Appendix: CLI Commands
-
Appendix - I - CLI Commands
Document Version – 1.00-28/05/2014 2
For Diagnostics
b. traceroute6
Use to trace the path taken by an IPv6 packet from the source
system to the destination system, over the Internet.
Syntax
traceroute6 [ | | first-ttl | max-ttl | probes | source |
timeout | tos]
c. telnet6
Use telnet protocol to connect to another remote computer.
Syntax
telnet6
d. ping6
Sends ICMPv6 ECHO_REQUEST packets to network hosts.
Syntax
ping6 [ | count | interface | quiet | size ]
For Proxy ARP (IPv6 Virtual Host)
e. Command: show proxy-arp
To displays proxy ARP entries.
5. Link Aggregation: Dynamic (802.3ad), Static &
Active-Backup
a. Command: show network lag-interface
To display the details of particular LAG interface
parameters
b. Command: show network lag-interface runconfig
To display LAG configurations in detail
c. Command: set network lag-interface lag-mgt mode
active-backup
To configure the LAG mode as active-backup to provide fault
tolerance.
E.G. set network lag-interface CyberLAG lag-mgt mode
active-backup
-
Appendix - I - CLI Commands
Document Version – 1.00-28/05/2014 3
d. Command: set network lag-interface lag-mgt mode 802.3ad
(LACP)
To configure the LAG mode as 802.3ad (LACP) to load balance the
traffic and provide fault tolerance.
E.G. set network lag-interface CyberLAG lag-mgt mode 802.3ad
(LACP)
e. Command: set network lag-interface lag-mgt active-backup
primary-interface (Auto, Member Interfaces) failback-policy
none
Allow the primary slave to become active only if the current
active slave fails and the primary is up.
f. Command: set network lag-interface lag-mgt active-backup
primary-interface (Auto, Member Interfaces) failback-policy
takeover
Allow the primary to become active when it comes up again; the
currently active slave then becomes inactive.
g. Command: set network lag-interface lag-mgt active-backup
primary-interface (Auto, Member Interfaces) failback-policy
link-speed
Allow the primary to become active when it comes up again, only
if the speed and duplex of the primary slave are better than the
speed and duplex of the currently active slave.
h. Command: set network lag-interface lag-mgt lacp lacp-rate
slow
Request partner (Switch) to transmit LACPDUs every 30
seconds
i. Command: set network lag-interface lag-mgt lacp lacp-rate
fast
Request partner (Switch) to transmit LACPDUs every 1 second
j. Command: set network lag-interface lag-mgt lacp static-mode
enable
To enable the static mode.
k. Command: set network lag-interface lag-mgt lacp static-mode
disable
To disable the static mode.
l. Command: set network lag-interface lag-mgt lacp
xmit-hash-policy layer2
Specifies that for 802.3ad and static mode, load sharing is done
using Source MAC Address and Destination MAC Address.
m. Command: set network lag-interface lag-mgt lacp
xmit-hash-policy layer2+3
Specifies that for 802.3ad and static mode, load sharing is done
using Source MAC Address, Destination MAC Address, Source IP
Address, and Destination IP Address.
n. Command: set network lag-interface lag-mgt lacp
xmit-hash-policy layer3+4
Specifies that for 802.3ad and static mode, load sharing is done
using Source Port, Destination Port, Source IP Address, and
Destination IP Address.
o. Command: set network lag-interface link-mgt
monitor-interval
To configure link monitoring frequency time in milliseconds.
p. Command: set network lag-interface link-mgt up-time
To configure Up-Delay time in milliseconds i.e. the wait time
before enabling a slave after link recovery detection.
q. Command: set network lag-interface link-mgt down-time
To configure Down-Delay time in milliseconds i.e. the wait time
before disabling a slave after link failure detection.
r. Command: set network lag-interface link-mgt garp-count
To configure the number of peer notifications (gratuitous ARPs)
to be issued after a failover event.
6. ICAP – Extended Security Service Support
a. Command: show icap
Displays the ICAP Server configurations.
b. Command: set icap apply-change
For applying the configuration modification executed using Edit
commands of Request Mode or Response Mode.
To apply modifications using any of the below edit commands, use
command - set icap apply-change
c. Command: set icap edit reqmod IP-address
Example: set icap edit reqmod IP-address 192.168.1.2
For configuring ICAP Server Request Mode IP Address.
d. Command: set icap edit reqmod port
Example: set icap edit reqmod port 1344
For configuring ICAP Server Request Mode Port number. Any port
number compatible with Cyberoam and ICAP Server can be configured
as Request Port.
e. Command: set icap edit reqmod service-name
Example: set icap edit reqmod service-name xyz
For configuring ICAP Server Request Mode Service Name. Only
those services that are offered and configured by ICAP Request
Server Administrator are accessible by Cyberoam.
f. Command: set icap edit reqmod reset
All Request Mode parameters (IP Address, port and service-name)
are reset to their respective default values. By default, the value
is none. The Request Mode for the respective ICAP Server will be
flushed.
g. Command: set icap edit respmod IP-address
Example: set icap edit respmod IP-address 192.168.1.2
For configuring ICAP Server Response Mode IP Address.
h. Command: set icap edit respmod port
Example: set icap edit respmod port 1344
For configuring ICAP Server Response Mode Port number. Any port
number compatible with Cyberoam and ICAP Server can be configured
as Request Port.
i. Command: set icap edit respmod service-name
Example: set icap edit respmod service-name xyz
For configuring ICAP Server Response Mode Service Name. Only
those services that are offered and configured by ICAP Response
Server Administrator are accessible by Cyberoam.
j. Command: set icap edit respmod reset
All Response Mode parameters (IP Address, port and service-name)
are reset to their respective default values. By default, the value
is none. The Response Mode for the respective ICAP Server shall be
flushed.
k. Command: set icap edit options body limit
Example: set icap edit options body limit 10485760
To configure the inbound and outbound content body limit in
bytes.
l. Command: set icap edit options connections
Example: set icap edit options connections 1
To configure the number of connections.
m. Command: set icap edit options mode_dlp
For switching on or switching off the DLP mode.
In case of Request Mode, only POST and PUT method traffic are
sent to ICAP server.
3. High Availability (Active-Active / Active-Passive) in Bridge
/ Mixed Mode
From this version onwards, CyberoamOS supports High Availability
(HA) in Mixed Mode. Until now, HA was supported only in Route
mode. Both HA modes, Active-Active and Active-Passive, are
supported in Bridge / Mixed Mode.
Pre-requisites
• In HA, the traffic on all bridge member interfaces (physical)
can be monitored.
• Once a pair of interfaces are configured as a bridge pair, they
cannot be configured as HA Monitoring Ports.
• Logical bridge interface or physical member interfaces cannot be
configured as Dedicated Port.
• Bridge member physical interface can be configured as Peer
Administration Port.
To configure HA in Mixed Mode, go to System > HA > HA.
4. On-Cloud Web Categorization
From this version, the URL categorization database has migrated to
the Cloud. This ensures that there is a central and common
database for all CyberoamOS appliances the world over. The
appliance will use ports 443, 80, 6060 and 6061 to communicate
with the Cloud server.
Advantages:
• Unlimited number of URLs in the categorization database
• Real time categorization
5. External Web Categorization database Support
Enterprises often like to have their own categorization database
to reap the advantages of multiple databases, better categorization
and custom categorization.
From this version onwards, CyberoamOS allows using an external
Web categorization database for web filtering. An external Web
Categorization database containing URLs is imported as a custom web
category.
The Administrator needs to configure the URL (HTTP or FTP) of the
external Web Category URL database. The appliance will fetch the
database from the specified URL. The database of URLs should be in
one of the following file types: .tar, .tar.gz, .gz, .bz2, or
plain text file.
Points to note:
• On a successful backup–restore, the external database needs to
be updated.
• If a categorized URL is appended, edited or deleted, the database
will be downloaded again for other existing URLs.
• Multiple external Web Category databases can be added.
To import the external Web Category database, go to
Web Filter > Category > Category > Add and select External
URL Database for parameter Configure Category. Specify HTTP or FTP
URL to add the external Web Category database.
6. Support of ICAP to Integrate Third-Party DLP, Web Filtering
and AV Applications
Internet Content Adaptation Protocol (ICAP) is a lightweight
protocol supporting HTTP content inspection and adaptation
functionality. It offloads the primary server by redirecting
specific Internet based content to dedicated ICAP (Proxy) Servers.
These ICAP servers are focused on a specific function, for example,
ad insertion, virus scanning, or content filtering.
With newly added support for ICAP 1.0, Cyberoam can be deployed
in heterogeneous enterprise environments and can hand over HTTP
traffic to an ICAP Server for malware scanning, content filtering,
DLP scanning or other processing. After applying its Web Filter
Policy, Cyberoam forwards the Web traffic to the ICAP server, which
in turn can apply data usage policies, antivirus scanning policies
and content filtering policies. Depending on the services
configured in the ICAP server, the user receives the access denied
message and virus detection message from either Cyberoam or the
ICAP server.
Currently, CyberoamOS supports a single ICAP profile with Request,
Response and Options mode, which can be configured from the CLI.
All events are logged under System Logs and the Administrator can
view all event logs from the Log Viewer.
Cyberoam can be seamlessly integrated with ICAP-compliant
DLP/AV Scanning/Web Filtering applications:
• Symantec DLP
• Symantec Protection Engine 7.0
• Trend Micro Interscan Web Security Virtual Appliance
• Sophos Anti Virus
• Commtouch Anti Virus
Points to note:
• This feature is supported in all the appliance models above
CR50iNG.
• This feature is released as BETA.
For related CLI Commands, please refer to the attached Appendix - I.
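The hand-over described above, shown on the wire. This is an added example, not Cyberoam's code: it frames one HTTP request as an ICAP/1.0 (RFC 3507) REQMOD message using the IP address, port and service name from the Appendix's CLI examples, and classifies the ICAP server's reply. The HTTP request, the ICAP replies, the function names and the reading that mode_dlp restricts Request Mode to POST and PUT only when it is switched on are assumptions.

```python
# Added example: ICAP/1.0 (RFC 3507) REQMOD framing. All sample data is constructed.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "192.168.1.2", 1344, "xyz"  # the page's example values

def sent_in_reqmod(method: str, dlp_mode: bool) -> bool:
    """Assumed reading of mode_dlp: when on, only POST and PUT go to the ICAP server."""
    return method.upper() in ("POST", "PUT") if dlp_mode else True

def build_reqmod(http_head: bytes, body: bytes = b"") -> bytes:
    """http_head is the request line plus headers, ending with the blank line."""
    if body:
        # Offsets count bytes from the start of the encapsulated section.
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)  # one chunk plus terminator
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        chunked = b""
    icap_head = (
        f"REQMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"  # lets the server answer 204 instead of echoing the request
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_head + http_head + chunked

def classify_reply(reply: bytes) -> str:
    """Return 'unmodified', 'modified', 'replaced' or 'error' for an ICAP reply."""
    head = reply.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[0] != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    if status[1] == "204":
        return "unmodified"  # forward the original request untouched
    if status[1] != "200":
        return "error"
    headers = dict((k.strip().lower(), v.strip())
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l))
    parts = [p.split("=")[0].strip() for p in headers.get("encapsulated", "").split(",")]
    # res-hdr: the server answered in place of the origin (e.g. its own deny page);
    # req-hdr: the server returned an adapted request to forward.
    return "replaced" if "res-hdr" in parts else "modified" if "req-hdr" in parts else "error"

SAMPLE_HEAD = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Length: 11\r\n\r\n")
SAMPLE_BODY = b"hello=world"
REPLY_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n\r\n'
REPLY_DENY = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-1"\r\n'
              b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
              b"HTTP/1.1 403 Forbidden\r\nContent-Length: 6\r\n\r\n"
              b"6\r\ndenied\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod(SAMPLE_HEAD, SAMPLE_BODY).decode("ascii"))
    print(classify_reply(REPLY_CLEAN), classify_reply(REPLY_DENY))
```

When testing an ICAP server before pointing the appliance at it, a "replaced" result is the case in which the user sees the ICAP server's own deny page.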
7. Support of Secure LDAP/Active Directory (SSL/TLS)
From this version, the communication between Cyberoam and the AD /
LDAP server has become more secure.
CyberoamOS now supports:
• LDAP over Secure Sockets Layer (SSL) / Transport Layer Security
(TLS), also known as LDAPS/SLDAP. CyberoamOS supports SSL2.0,
SSL3.0, TLS1.0, TLS1.1 and TLS1.2.
• The use of FQDN is mandatory when the certificate used for
Secure AD/LDAP communication is generated by the Active Directory
CA.
• FQDN has to be configured as Common Name in Third Party
CA/Certificate.
• If an IP address is configured as the Certificate ID, then the IP
address can be configured instead of the FQDN as Server IP/Domain
in the External Authentication Server.
To configure LDAP, go to Identity > Authentication >
Authentication Server, click Add and select LDAP for the parameter
Server Type.