Cyberoam Best Practices
The Cyberoam Best Practices is a collection of guidelines to ensure the most secure and reliable operation of Cyberoam units in a customer environment. It is updated periodically as new issues are identified.

General Considerations

1. Always check the output of the following commands from the Cyberoam Telnet Console after making changes in configuration, and confirm:
• show network interface – to view the IP address details
• ip route list table 221 – to view the details of the gateway configured in Cyberoam
• route show – to view routing information

2. To monitor and diagnose network problems and to help minimize database bottlenecks quickly and efficiently, check the health of your application using the diagnostic tool every 15 days. Access the diagnostic tool with user name ‘cyberoam’ and password ‘cyber’ from http://<Cyberoam IP address>/dg.html

3. Always connect the Cyberoam WAN interface and the Router via a hub or switch, not with a cross-over cable, to avoid:
• auto-negotiation problems between the Cyberoam WAN interface and the Router
• gateway ping problems

4. Create a Clientless user or a firewall rule to allow Internet access for the DNS IP address when the default policy is “Deny All” and desktops are configured with an internal DNS IP address, to avoid:
• DNS resolution problems
• HTTP client page display problems

5. Make sure the HTTP proxy port configured is the same in both Cyberoam and the desktop browser if users have browser-based proxy settings.

6. For security purposes, Gateway mode is preferred because all the internal or DMZ networks can have secure private addresses. Gateway mode policies use network address translation to hide the addresses from users in a less secure zone.

7. While creating Clientless users, assign only IP addresses that belong to the Local zone as the Node restriction. If these IP addresses do not belong to the Local zone, the clientless users will not be displayed in the Live Users list.

Local ACL

1. Do not use Class A IP addresses for networks defined under Auth Network.
2. Do not allow access to the proxy port of the WAN interface.
3. You must add all the internal routed networks under Auth Network for authentication. Make sure to do RMS (Restart Management Service) after adding or updating.
4. If the LAN zone has routed networks, such as a branch office network connected via Point-to-Point connectivity or a Layer 3 switch, create static routes in Cyberoam to forward requests for the routed networks to the respective next hop.
5. From Local ACL, enable all the services which are running on Cyberoam to allow access from LAN, WAN and DMZ.
6. You must add all the nodes from which the Clientless users will log on under Auth Network. If these nodes are not added in Auth Network, the clientless users will not be displayed in the Live Users list.

Firewall

1. Create a Host, Host group (IP address, range of IP addresses or subnet), Service or Service group to create a Firewall rule for a specific IP address, range of IP addresses, Service or Service group.
2. Create a Firewall rule for the DNS IP address if desktops are configured with a public DNS IP address and the default policy is “Deny All”.
3. Create firewall rules to allow required and critical traffic across each zone, because, except for LAN to WAN traffic, all traffic across each zone will be dropped by Cyberoam. This applies in both bridge and gateway mode. For example, if a Mail server is placed in the DMZ zone, Cyberoam will not allow access to the Mail server from the LAN and WAN zones:
• To access specific applications running on the mail server, create the necessary firewall rule from each zone.
• Create a firewall rule to give the external world access to the Mail server.
4. Create a Firewall rule to allow applications running on the DMZ, as all traffic from LAN to DMZ is dropped.
5. If Cyberoam is configured in Bridge mode and the DHCP server is running in the WAN zone of Cyberoam, create a firewall rule to allow packets from the DHCP server to the LAN so that desktops can lease IP addresses.
6. If an Alias IP address is configured on the Cyberoam WAN port, create SNAT and DNAT rules to map the Alias IP address to the private IP address. For example, if the MX IP is assigned as an alias IP address on the WAN port of Cyberoam, create SNAT and DNAT rules to map the private IP address of the mail server to the public IP address.
7. If Cyberoam is configured for multiple Internet service providers, i.e. multiple gateways, then:
• To improve browsing speed and reduce latency, create a firewall rule to route requests to the DNS IP address through a specific Gateway. With load balancing, if the DNS IP address belongs to ISP1 but the DNS request goes out through ISP2, latency increases and the time taken to resolve site names also increases.
• If access to a certain application, such as a VPN, SAP or ERP application, is allowed from a specific IP address only, create a firewall rule to route the application request from that specific IP address.
• Create source-based explicit routing for specific IP addresses. For example, a Mail server is placed in the internal network and a DNAT rule is created on Cyberoam. Now when the mail server is accessed from the external world, traffic from the mail server will go out through any of the configured gateways. In this situation, the connection will not be established. To avoid this, create source-based routing to forward requests originated by the Mail server IP address to a specific gateway. This will establish the connection as well as reduce the chances of a return MX check problem.
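As an added illustration, not taken from the Cyberoam document and not Cyberoam's own configuration syntax, the following Python model shows why the DNS latency and DNAT return-path problems in item 7 arise under plain load balancing and how explicit destination-based and source-based rules remove them. The ISP names, addresses, round-robin balancing and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Dict, List, Optional
# Constructed sample topology (assumed, not from the document): two ISPs with their own
# DNS resolvers, and a LAN mail server published through a DNAT on ISP1's public IP.
GATEWAYS = {"ISP1": "203.0.113.1", "ISP2": "198.51.100.1"}
ISP_DNS = {"ISP1": "203.0.113.53", "ISP2": "198.51.100.53"}
MAIL_SERVER = "192.168.1.25"  # private address the DNAT points to
SAMPLE_CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]

@dataclass
class Rule:
    gateway: str
    src: Optional[str] = None  # CIDR; None matches any source
    dst: Optional[str] = None  # CIDR; None matches any destination
    def matches(self, src_ip: str, dst_ip: str) -> bool:
        ok_src = self.src is None or ip_address(src_ip) in ip_network(self.src)
        ok_dst = self.dst is None or ip_address(dst_ip) in ip_network(self.dst)
        return ok_src and ok_dst

class Router:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._lb = cycle(sorted(GATEWAYS))  # round-robin load balancing (assumed)

    def egress(self, src_ip: str, dst_ip: str) -> str:
        for rule in self.rules:  # explicit rules take precedence over load balancing
            if rule.matches(src_ip, dst_ip):
                return rule.gateway
        return next(self._lb)

def reply_path_consistent(router: Router, client_ip: str, ingress_isp: str) -> bool:
    """An inbound connection arrived via ingress_isp and was DNAT'd to the mail server;
    the reply must leave via the same ISP or the client sees a different source address."""
    return router.egress(MAIL_SERVER, client_ip) == ingress_isp

def dns_path_consistent(router: Router, client_ip: str, isp: str) -> bool:
    """A query to an ISP's resolver should leave through that ISP's own link."""
    return router.egress(client_ip, ISP_DNS[isp]) == isp

def audit(router: Router, clients: List[str]) -> Dict[str, int]:
    bad_mail = sum(not reply_path_consistent(router, c, "ISP1") for c in clients)
    bad_dns = sum(not dns_path_consistent(router, c, "ISP1") for c in clients)
    return {"mail_mismatch": bad_mail, "dns_mismatch": bad_dns}

def pinned_rules() -> List[Rule]:  # the fixes from item 7: pin mail server and each DNS
    return [Rule("ISP1", src=f"{MAIL_SERVER}/32"),
            Rule("ISP1", dst=f"{ISP_DNS['ISP1']}/32"),
            Rule("ISP2", dst=f"{ISP_DNS['ISP2']}/32")]
```

Running audit() with an empty rule list reports the flows that would break under round-robin balancing; the same audit with pinned_rules() reports none.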
Document Version – 1.0 – 06/02/2007