Cyberoam Central Console Administrator Guide Cyberoam Central Console Administrator Guide

Transcription

1 Cyberoam Central Console Administrator Guide Cyberoam Central Console Administrator Guide Cyberoam Anti Spam Implementation Guide Version 10 Document version /11/2017

2 Important Notice Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice. USER S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at and the Warranty Policy for Cyberoam UTM Appliances at RESTRICTED RIGHTS Copyright Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd. Corporate Headquarters Cyberoam House, Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road, Ahmedabad , GUJARAT, INDIA. Tel: Web site: Page 1 of 43

3 Contents Preface... 3 Introduction... 5 Appliance Administrative Interfaces... 6 Web Admin Console... 6 Command Line Interface (CLI) Console... 7 Cyberoam Central Console (CCC)... 7 Web Admin Console... 8 Web Admin Language... 8 Supported Browsers... 9 Login procedure Log out procedure Menus and Pages Page Icon bar List Navigation Controls Tool Tips Status Bar Common Operations Spam Cyberoam Gateway Anti Spam Configuration Address Group Archiver Spam Rules Manage Spam Rules Quarantine Quarantine Digest Settings Quarantine Area Trusted Domain Page 2 of 43

4 Preface Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband and analog modem support can be used as either Active or Backup WAN connection for business continuity. Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, Comprehensive Reporting over a single platform. Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity. Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an IPv6 Ready Gold logo provide Cyberoam the readiness to deliver on future security requirements. Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible the external world and still have firewall protection. Note Default Web Admin Console username is admin and password is admin Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access. Page 3 of 43

5 Technical Support You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address: Cyberoam House Saigulshan Complex, Opp. Sanskruti, Beside White House, Panchwati Cross Road, Ahmedabad , GUJARAT, INDIA. Ahmedabad Gujarat, India. Tel: Web site: Cyberoam contact: Technical support (Corporate Office): support@cyberoam.com Web site: Visit for the regional and latest contact information. Page 4 of 43

6 Introduction Welcome to Cyberoam s Anti Spam User guide. This Guide provides information on how to configure Cyberoam Anti Spam solution and helps you manage and customize Cyberoam to meet your organization s various requirements including restriction of spam mails, creation of groups and archiving s to control web as well as application access. Anti Spam module is an add-on module which needs to be subscribed before use. Note All the screen shots in this Guide have been taken from NG series of appliances. The feature and functionalities however remains unchanged across all Cyberoam appliances. Page 5 of 43

7 Appliance Administrative Interfaces Appliance can be accessed and administered through: 1. Web Admin Console 2. Command Line Interface Console 3. Cyberoam Central Console Administrative Access An administrator can connect and access the Appliance through HTTP, HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access number of Administrative Interfaces and Web Admin Console configuration pages. Appliance is shipped with two administrator accounts and four administrator profiles. Administrator Type Super Administrator Login Credentials Console Access Privileges admin/admin Web Admin Console CLI console Default cyberoam/cyber Web Admin console only Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles. Full privileges. It provides read-write permission for all the configuration pages of Web Admin console. Note We recommend that you change the password of both the users immediately on deployment. Web Admin Console Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance. You can connect to and access Web Admin Console of the Appliance using HTTP or a HTTPS connection from any management computer using web browser: 1. HTTP login: IP Address of the Appliance> 2. HTTPS login: IP Address of the Appliance> For more details, refer section Web Admin Console. Page 6 of 43

8 Command Line Interface (CLI) Console Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance component. The Appliance can be accessed remotely using the following connections: 1. Remote login Utility TELNET login To access Appliance from command prompt using remote login utility Telnet, use command TELNET <LAN IP Address of the Appliance>. Use administrator password to login. Note Default password of TELNET connection for CLI Console is admin. 2. SSH Client (Serial Console) SSH client securely connects to the Appliance and performs command-line operations. CLI console of the Appliance can be accessed via any of the SSH client using LAN IP Address of the Appliance and providing Administrator credentials for authentication. Note Start SSH client and create new Connection with the following parameters: Host <LAN IP Address of the Appliance> Username admin Password admin Use CLI console for troubleshooting and diagnose network problems in details. For more details, refer version specific Console Guide available on Cyberoam Central Console (CCC) Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Provider (MSSPs) and large enterprises. To monitor and manage Cyberoam using CCC Appliance you must: 1. Configure CCC Appliance in Cyberoam 2. Integrate Cyberoam Appliance with CCC using: Auto Discovery, Manually Once you have added the Appliances and organized them into groups, you can configure single Appliance or groups of Appliances. For more information, please refer CCC Administrator Guide. Page 7 of 43

9 Web Admin Console CyberoamOS uses a Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to configure and manage the Appliance. You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. Appliance when connected and powered up for the first time, it will have a following default Web Admin Console Access configuration for HTTP and HTTPS services. Services Interface/Zones Default Port HTTP LAN, WAN TCP Port 80 HTTPS WAN TCP Port 443 The administrator can update the default ports for HTTP and HTTPS services from System > Administration > Settings. Web Admin Language The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-english customers, apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French languages are also supported. Administrator can choose the preferred GUI language at the time of logging on. Listed elements of Web Admin Console will be displayed in the configured language: Dashboard Doclet contents Navigation menu Screen elements including field & button labels and tips Error messages Page 8 of 43

10 Supported Browsers You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers: Browser Supported Version Microsoft Internet Explorer Version 8+ Mozilla Firefox Version 3+ Google Chrome All versions Safari 5.1.2( )+ Opera The minimum screen resolution for the management computer is 1024 X 768 and 32-bit true xxcolor. The Administrator can also specify the description for firewall rule, various policies, services and various custom categories in any of the supported languages. All the configuration done using Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes a detailed context-sensitive online help. Page 9 of 43

11 Login procedure The log on procedure authenticates the user and creates a session with the Appliance until the user logs-off. To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser s URL box. A dialog box appears prompting you to enter username and password. Screen Login Screen Screen Element Username Password Language Description Enter user login name. If you are logging on for the first time after installation, use the default username. Specify user account password. Dots are the placeholders in the password field. If you are logging on for the first time after installation with the default username, use the default password. Select the language. The available options are Chinese- Simplified, Chinese-Traditional, English, French, and Hindi. Default English To administer Cyberoam, select Web Admin Console Log on to To view logs and reports, select Reports. Login button To login into your account, select My Account. Click to log on the Web Admin Console. Screen Login screen elements The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick and fast overview of all the important parameters of your Appliance. Page 10 of 43

12 Log out procedure To avoid un-authorized users from accessing Cyberoam, log off after you have finished working. This will end the session and exit from Cyberoam. To log off from the Appliance, click the Admin Console pages. button located at the top right of any of the Web Page 11 of 43

13 Menus and Pages The Navigation bar on the leftmost side provides access to various configuration pages. This menu consists of sub-menus and tabs. On clicking the menu item in the navigation bar, related management functions are displayed as submenu items in the navigation bar itself. On clicking submenu item, all the associated tabs are displayed as the horizontal menu bar on the top of the page. To view a page associated with the tab, click the required tab. The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click on the submenu you want navigate to. On hovering the cursor upon the up-scroll icon or the downscroll icon, automatically scrolls the navigation bar up or down respectively. The navigation menu includes following modules: System System administration and configuration, firmware maintenance, backup - restore Objects Configuration of various policies for hosts, services, schedules and file type Networks Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS Identity Configuration and management of User and user groups Firewall Firewall Rule Management VPN VPN and SSL VPN access configuration IPS IPS policies and signature Page 12 of 43

14 Web Filter Web filtering categories and policies configuration Application Filter Application filtering categories and policies configuration WAF Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG. IM IM controls QoS Policy management viz., surfing quota, QoS, access time, data transfer Anti Virus Antivirus filtering policies configuration Anti Spam Anti Spam filtering policies configuration Traffic Discovery Traffic monitoring Logs & Reports Logs and reports configuration Note Use F1 key for page-specific help. Use F10 key to return to Dashboard. Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose Interface sub-menu from the navigation bar, and then choose Zone tab. Guide mentions this path as Network > Interface > Zone. Page 13 of 43

15 Page A typical page looks as shown in the below given image: Screen Page Page 14 of 43

16 Icon bar The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like: 1. Dashboard Click to view the Dashboard 2. Wizard Opens a Network Configuration Wizard for a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your Appliance. 3. Report Opens a Reports page for viewing various usage reports. Integrated Logging and Reporting solution - iview, to offer wide spectrum of unique user identity-based reporting across applications and protocols and provide in-depth network visibility to help organizations take corrective and preventive measures. This feature is not available for CR15xxxx series of Appliances. 4. Console Provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console. 5. Logout Click to log off from the Web Admin Console. 6. More Options Provides options for further assistance. The available options are as follows: Support Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue. About Product Opens the Appliance registration information page. Help Opens the context sensitive help page. Reset Dashboard Resets the Dashboard to factory default settings. Lock Locks the Web Admin Console. Web Admin Console is automatically locked if the Appliance is in inactive state for more than 3 minutes. To unlock the Web Admin Console you need to re-login. By default, Lock functionality is disabled. Enable Admin Session Lock from System > Administration > Settings. Reboot Appliance Reboots the Appliance. Shutdown Appliance Shut downs the Appliance. Page 15 of 43

17 List Navigation Controls The Web Admin Console pages display information in the form of lists that are spread across the multiple pages. Page Navigation Control Bar on the upper right top corner of the list provides navigation buttons for moving through the list of pages with a large number of entries. It also includes an option to specify the number entries/records displayed per page. Tool Tips To view the additional configuration information use tool tip. Tool tip is provided for many configurable fields. Move the pointer over the icon to view the brief configuration summary. Status Bar The Status bar at the bottom of the page displays the action status. Page 16 of 43

18 Common Operations Adding an Entity You can add a new entity like policy, group, user, rule, ir host by clicking the Add button available on most of the configuration pages. Clicking this button either opens a new page or a pop-up window. Editing an Entity All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the Edit icon under the Manage column. Deleting an Entity You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon. To delete multiple entities, select individual entity and click the Delete button. To delete all the entities, select in the heading column and click the Delete button. Page 17 of 43

19 Sorting Lists To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading. Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute. Descending Order icon order of the column attribute. in a column heading indicates that the list is sorted descending Filtering Lists To search specific information within the long list spread over multiple pages, filter the lists. Filtering criteria vary depending on a column data and can be a number or an IP address or part of an address, or any text string combination. To create filter, click the Filter icon in a column heading. When a filter is applied to a column, the Filter icon changes to. Configuring Column Settings By default on every page all columnar information is displayed but on certain pages where a large number of columnar information is available, all the columns cannot be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can configure to display only those numbers of columns which are important to you. To configure column settings, click Select Column Settings and select the checkbox against the columns you want to display and clear the checkbox against the columns which you do not want to display. All the default columns are greyed and not selectable. Page 18 of 43

20 Spam Spam refers to electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited . Spamming is to indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. In other words, it is an inappropriate attempt to use a mailing list, or other networked communications facility as a broadcast medium by sending the same message to a large number of people who did not ask for it. In addition to being a nuisance, it also eats up a lot of network bandwidth. Because the Internet is a public network, little can be done to prevent spam, just as it is impossible to prevent junk mail. However, the use of software filters in programs can be used to remove most spam sent through to certain extent. With the number of computer users growing and the exchange of information via the Internet and increases in volume, spamming has become an almost everyday occurrence. Apart from network bandwidth, it also affects the employees productive as deletion of such mails is a huge task. Anti spam protection is therefore a priority for anyone who uses a computer. Page 19 of 43

21 Cyberoam Gateway Anti Spam Cyberoam Gateway Anti Spam provides a powerful tool for scanning and detecting infection and Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP) traffic that passes through the appliance. Cyberoam Anti Spam as a part of unified solution along with Anti Virus and IPS (Intrusion Prevention System) provides real time virus scanning that protects all network nodes workstations, files servers, mail system from known and unknown attacks by worms and viruses, Trojans, spyware, adware, spam, hackers and all other cyber threats. Cyberoam detects spam mails based on: RBL (Real time Blackhole List) Mass distribution pattern using RPD (Recurrent Pattern Detection) technology for which Gateway Anti Spam module subscription is required. RPD technology responsible for proactively probing the Internet to gather information about massive spam outbreaks from the time they are launched. This technology is used to identify recurrent patterns that characterize massive spam outbreaks. SMTP/S means both SMTP and SMTP over SSL. Entire configurations done will be applicable to both the traffic. Also, SMTP over SSL and SMTP/S terms are used interchangeably but they mean the same. Cyberoam Gateway Anti Spam solution provides a powerful tool for scanning and detecting infection and Spam in the mail traffic (SMTP, SMTP over SSL, POP3, and IMAP) as well as web (HTTP) traffic that passes through the appliance. It inspects all the inbound mails i.e., incoming s SMTP/S, POP3, and IMAP traffic - before the messages are delivered to the receiver's mail box and all outbound mails i.e., outgoing s SMTP/S traffic - sent by the user from an Client. Two separate policies and firewall rules must be configured for inbound and outbound mail traffic. If Spam is detected, depending on the policy and the rules set, action is taken on . On detecting a Spam in incoming traffic, s are processed and delivered to the recipient unaltered, reject and generate a notification on the message rejection, add or change subject or change the receiver. If Spam is detected in an outgoing SMTP/S traffic, s are rejected and generate a notification on the message rejection, dropped and a notification is generated or changes the receiver. Integration into existing network is easy as it is fully compatible with all the mail systems. Note Outbound Anti Spam is a subscription based module. Cyberoam Anti Spam allows to: Scan messages for spamming by protocols namely SMTP, SMTP over SSL, POP3, IMAP Monitor and proactively detect recurrent patterns in spam mails and combat multi-format text, images, HTML etc. and multi-language threats Monitor mails received from Domain/IP Address Detect spam mails using RBLs. If Anti Spam module is not subscribed, Cyberoam will detect spam mails based on RBL only and not on recurrent patterns in mails. Accept/Reject messages based on message size and message header Customize protection of incoming and outgoing messages by defining scan policies Page 20 of 43

22 Set different actions for SMTP/S, POP and IMAP spam mails Configure action for individual Address Notify receivers about spam messages Configuration Spam Rules Quarantine Trusted Domain Page 21 of 43

23 Configuration Anti Spam Configuration allows configuring scanning rules for traffic SMTP/S, POP, and IMAP defined on Address Groups or individual s Address or IP Address or RBLs. Administrator is notified for critical events via system warnings and notifications. The administrator can archive almost all the s coming into the organization and thereby keep a close watch over data leakage. Configuration Address Group Archiver Configure restrictions on mails from Anti Spam > Configuration > Configuration. Screen Configure Parameters Screen Elements Bypass Spam Check For SMTP/S Authenticated Connections Verify Sender s IP Reputation Description Click Bypass Spam check for SMTP/S Authenticated Connections to bypass the Spam scanning of the authenticated traffic. If enabled, SMTP/S authenticated connections are bypassed from RBL and RPD based Spam checking. By default, it is disabled. Enable IP Reputation, if you want to verify the reputation of the sender IP Address. Cyberoam dynamically checks the sender IP Address and denies SMTP/S connection if IP Address is found to be responsible for sending spam mails or malicious contents. If enabled, specify action for confirmed Spam s and Probable Spam s. Accept all the spam s are forwarded to the recipient after scanning as per the configuration Reject all the spam mails are rejected and notification is displayed to the user. Drop all the spam mails are dropped. If both Bypass Spam check for SMTP/S authenticated Connections and Verify Sender s IP reputation are Page 22 of 43

24 SMTP/S Mails Greater Than Size enabled, for the authenticated connections, spam scanning based on RBL and RPD will be given the precedence. Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through SMTP/S will not be scanned. By default, SMTP/S mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to KB i.e. files exceeding KB will not be scanned if 0 is configured. Note For Cyberoam CR15i models: Specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured. SMTP/S Oversize Mail Action POP3 / IMAP Mails Greater Than Size Specify the action to be taken on oversize files i.e. Accept, Reject and Drop. Accept all the oversize mails are forwarded to the recipient without scanning. Reject all the oversize mails are rejected and notification is displayed to the user. Drop all the oversize mails are dropped. Specify maximum size (in KB) of the file to be scanned. Files exceeding this size received through POP / IMAP will not be scanned and forwarded to the recipient without scanning. By default, POP3/IMAP mails exceeding 1024 KB in size are not scanned. Specify 0 to increase default file size restriction for scanning to KB i.e. files exceeding KB will not be scanned if 0 is configured. Note For Cyberoam CR15i models: Specify 0 for default size restriction of 1024 KB i.e. files exceeding 1024 KB will not be scanned if 0 is configured. Header To Detect Recipient or POP3 / IMAP Specify Header value to detect recipient for POP3 / IMAP. Click Add icon to add headers and Remove icon to delete the header which is used for detecting the recipient s address. Page 23 of 43

25 Table Configure Parameters screen elements Page 24 of 43

26 Address Group Address Group is the group of Addresses, IP Addresses, or RBLs. An address can be member of multiple groups. To make configuration simpler you can group addresses when applying policy. Policy applied on the address group is applicable on all the group members. To make it easier to add Anti Spam rules, create groups of Addresses or IP Addresses, or RBLs and then add one Spam Rule to take action for all Address in the group. An Address can be member of multiple groups i.e. Address can be included in multiple Address Group. Scanning rule can be defined for individual or group of Address or Domain IP Address RBL (Real time black hole List) (applicable only for the spam mails) RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. This IP Addresses might also be used for spreading virus. Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken. Manage Address Group To manage Address Groups, go to Anti Spam > Configuration > Address Group. Screen Manage Address Group Screen Elements Add Button Name Type Description Description Add a new Address Group. Name of the Address Group. Type of Group: RBL, IP Address, Address/Domain. Displays Address Group Description. Import Icon Click to import the Address Groups. Edit Icon Delete Button Edit the Address Group. Delete the Address Group. Alternately, click the Delete icon against the address group to be deleted. Table Manage Address Group screen elements Page 25 of 43

27 Import Address into an existing Address Group Instead of adding addresses again in Cyberoam, if you already have address detail in a file, you can upload file. If the file has multiple addresses then each address must be on the new line. File with comma-separated address will give error at the uploading. Click the Import Button to import CSV or text file. Select the complete path of information file. Address Group Parameters To add or edit an Address Group, go to Anti Spam > Configuration > Address Group. Click Add Button to add a new group or Edit Icon to modify the details. Screen Add Address Group Screen Elements Name Group Type Description Specify a name to identify the Group. Select the Group Type. Available Options: RBL RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for spam relay. Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken. Specify Domain Name to be added as RBLs to the Address Group. Page 26 of 43

28 IPv4 Address Specify IP Addresses or Network address that you want to group. Address / Domain Specify Address or Domain Name to be added to the Address Group. On selecting Address/Domain select the type of Address Group from the available options: Description Available Options: Import Select to browse and import a CSV file or a text file to add the Address/Domain to address group. Manual Select to manually add the Address/Domain to address group. Use Add button to add value to the list and value to the list. Provide description for Address Group. Table Add Address Group screen elements to delete Page 27 of 43

29 Archiver If you want Administrator or any other person in the organization to know about incoming mails into the organization, you can specify Address to which you want to forward the copy of such mails. By using Archiver, the administrator can archive almost all the s coming into the organization and thereby keep a close watch over data leakage. s of a specific recipient or a group of recipients can be archived using Archiver. Create multiple archivers to send a copy of s to more than one administrator. Cyberoam can archive all s intended for a single or multiple recipients and can be forwarded to the single administrator or multiple administrators from Anti Spam > Configuration > Archiver. Screen Manage Archives Screen Elements Add Button Name Recipient Send Copy To Edit Icon Delete Button Description Add a new Archive. Archiver name. Address of the recipient whose s are archived. Address to which the copy is sent. This option can be applied to SMTP protocol only. Edit the Archiver. Delete the Archiver. Alternately, click the Delete icon against the Archiver to be deleted. Table Manage Archivers screen elements Add Archiver To add or edit Archiver, go to Anti Spam > Configuration > Archiver. Click the Add button to add an Archiver. To update the details, click on the Archiver or Edit icon in the Manage column against the Archivers you want to modify. Page 28 of 43

30 Screen Add Archiver Screen Elements Name Recipient Description Specify a name for the Archiver. Select Address of the recipient whose s are to be archived. Send Copy Of To You can also add a new Address or domain from the Archiver page itself. Specify Address to which the copy is to be sent. This option can be applied to SMTP protocol only. Table Add Archiver screen elements Page 29 of 43

31 Spam Rules As soon as you subscribe Cyberoam Gateway Anti Spam, Spam Rules can be configured for particular sender and recipients. Spam Rule defines what action is to be taken if the mail is identified as a spam and to which Address the copy of mail is to be sent. These rules can be applied directly to Addresses now and thus, traffic can be directly scanned for Spam mails. To reduce the risk of losing the legitimate messages, spam quarantine repository - a storage location, provides administrators a way to automatically quarantine and remediate messages that are identified as spam. This will help in managing spam and probable spam quarantined mails and you can take appropriate actions on such mails. Detection of Spam attributes Cyberoam uses content filtering and three RBLs - Real time Blackhole Lists to check for the spam attributes in SMTP/S as well as POP3 / IMAP mails: Premium Standard RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam i.e. are responsible for spam or are hijacked for Spam Relay. Cyberoam will check each RBL for the connecting IP Address. If the IP Address matches to the one on the list then the specified action in policy is taken. Manage Spam Rules To manage Spam Rules, go to Anti Spam > Spam Rules > Spam Rules. Screen Manage Spam Rules Screen Elements Name Sender Recipient Rules Description Displays name of the Spam Rule. Sender ID. Recipient ID. Conditional Rule for restricting spam mails. Page 30 of 43

32 Action SMTP/S POP3/IMAP Conditions applied for the SMTP/S mails. Conditions applied for the POP3 mails. Table Manage Spam Rules screen elements Spam Rule Parameters To add or edit a Spam Rule, go to Anti Spam > Spam Rules > Spam Rules. Click the Add button to add a Spam Rule. To update the rules, click on the Spam Rule or Edit icon in the Manage column against the rule to be modified. Note On subscribing Outbound Spam, parameter Anti Spam Module Has Identified Mail As is renamed as Inbound Anti Spam Module Has Identified Mail As is displayed. Screen Add Spam Rule Screen Elements Name Recipient Description Specify a name for Anti Spam Rule. Select Recipient Address. You can also add a list of Address using Add Address link. Page 31 of 43

33 Sender Select Sender Address. You can also add a list of Address using Add Address link. IF Conditions Anti Spam / Inbound Anti Spam Module Has Identified Mail As (Parameter Inbound Anti Spam Module Has Identified Mail As is displayed on Outbound Spam subscription) All the messages that are received by the users those are in a network protected by Appliance are referred as Inbound. On configuring Appliance Inbound Spam, all the messages received by the users are scanned for spam and virus outbreak by the Appliance. Specified action will be taken if the Anti Spam module has identified the Inbound to be one of the following: Spam Probable Spam Virus Outbreak Probable Virus Outbreak You can set different actions for SMTP and POP mails. Outbound Anti Spam Module Has Identified Mail As (Option available only on subscription) Messages that are sent by the user from network protected by the Appliance to a remote user on other mail system are referred as Outbound. On configuring Appliance Outbound Spam, all the messages sent by the users are scanned before being delivered to other users on internet for spam and virus outbreak. Specified action will be taken if the Anti Spam module has identified the Outbound to be one of the following: Spam Probable Spam Virus Outbreak Probable Virus Outbreak Note Outbound Spam is a subscription module. You can set different actions only for SMTP. This feature is not available in Cyberoam Models - CRi series, CRwi series, CR10iNG, CR15i, CR15iNG, CR25i, CR25ia, CR35ia, CR50i, CR100i, CR250i, CR500i, CR500i-8P, CR1000i and CR1500i. Page 32 of 43

34 From IP Address Belongs To Sender IP Address Blacklisted by RBL Message Size Is Select Message Header Specified action will be taken if the mail sender IP Address matches the specified IP Address. You can set different actions for SMTP/S and POP mails. Specified action will be taken if the sender is listed in the specified RBL Group. You can set different actions for SMTP/S and POP mails. Specified action will be taken if the mail size matches the specified size. You can set different actions for SMTP/S and POP mails. Specified action will be taken if the message header contains the specified text or is equal to the specified text. You can set different actions for SMTP/S and POP mails. You can scan message header for spam in: Subject Specified action will be taken when the matching text is found in the headers configured as per the matching criteria. From Specified action will be taken when the matching address is found in the headers configured as per the matching criteria. To Specified action will be taken when the matching address is found in the headers configured as per the matching criteria. Others Specified action will be taken when the matching text is found in the headers configured as per the matching criteria. None Then SMTP/S Action Select None when you want to create a rule between specific sender and recipient without any conditions. You can set actions for SMTP/S and POP3/IMAP mails only on the basis of sender and recipient. Select the Action to be taken for SMTP/S traffic. Available Options: Reject Drop Accept (only for Inbound Spam) Change Recipient Prefix Subject (only for Inbound Spam) POP3/IMAP Action (Only for Inbound Spam) Select the Action to be taken for POP3 / IMAP traffic. Available Options: Accept Prefix Subject Page 33 of 43

35 Table Add Spam Rule screen elements Page 34 of 43

36 Following actions can be taken on the mail identified as the SPAM, Probable SPAM, VIRUS OUTBREAK or Probable VIRUS OUTBREAK. Protocol Action Meaning SMTP/S Reject Mail is rejected and rejection notification is sent to the mail sender. SMTP/S Drop Mail is rejected but rejection notification is not sent to the mail sender. SMTP/S, POP3 SMTP/S Accept Change Recipient Mail is accepted and delivered to the intended receiver. Mail is accepted but is not delivered to the receiver for whom the message was originally sent. Mail is sent to the receiver specified in the spam policy. SMTP/S, POP3 Prefix Subject Mail is accepted and delivered to the intended receiver but after tagging the subject line. Tagging content is specified in spam policy. You can customize subject tagging in such a way that the receiver knows that the mail is a spam mail. For Example Contents to be prefixed to the original subject: Spam notification from Cyberoam Original subject: This is a test Receiver will receive mail with subject line as: Spam notification from Cyberoam - This is a test SMTP/S Quarantine Mail is quarantined and can be viewed or downloaded from the Quarantine Area. Table Manage Actions screen elements Page 35 of 43

37 Quarantine Quarantine Digest is an and contains a list of quarantined messages filtered by Cyberoam and held in the user Quarantine Area. If configured, Cyberoam mails the Quarantine Digest as per the configured frequency to the user. Digest provides a link to User My Account from where user can access his quarantined messages and take the required action. Quarantine Digest Settings Quarantine Area Note Entire Quarantine menu is not available for Cyberoam CR15i models. Page 36 of 43

38 Quarantine Digest Settings Digest service can be configured globally for all the users or for individual users. User receives Quarantine Digest as per the configured frequency. The Quarantine Digest provides following information for each quarantined message: Date and time: Date and time when message was received Sender: Address of the sender Recipient: Address of the receiver Subject: Subject of the message To manage Spam Digest, go to Anti Spam > Quarantine > Quarantine Digest Settings. You can: Configure Change User s Quarantine Digest Settings Manage User s Quarantine Digest Settings Configure Quarantine Digest Screen Spam Digest Settings Screen Elements Description Quarantine Digest Settings (Spam Digest Settings will be applicable only after you subscribe for "Gateway Anti Spam" module.) Enable Quarantine Digest Frequency From Address Enable Quarantine Digest to configure digest service for all the users. Specify the Quarantine Digest mail frequency. Digest can be mailed every hour, every day at configured time or every week on the configured day and time. Specify Address from which the mail should be sent. Digest mail will be sent from the configured mail address. Page 37 of 43

39 Display Name Send Test Specify mail sender name. Digest mail will be sent with the configured name. Click Send Test button and provide Address to which the message is to be sent for Address verification i.e. Address is valid or not. Reference My Account IP Select Interface/Port IP from the Reference MyAccount IP dropdown list. Allow Override Change Quarantine Settings User s Digest User My Account link in Digest mail will point to this IP Address. User can click the link to access his quarantined messages and take the required action. The users not falling under the specified Interface will have to access the quarantined mail directly from their MyAccount. Enable Allow User To Override Digest Settings ; if you want each user to override the digest setting i.e. user can disable the digest service so that they do not receive the Quarantine Digest. Click Change User s Quarantine Digest Settings button to change the digest setting of the individual users. It allows selecting group and updating the Quarantine Digest Setting of group members. Table Quarantine Digest screen elements Page 38 of 43

40 Change User s Quarantine Digest Settings Click Change User s Quarantine Digest Settings button to change the digest settings of the individual users. It opens a new page which allows you to search groups and users for updating the Quarantine Digest Settings of group members. You can individually search for user and user groups. Select the checkbox against the user to enable the Quarantine Digest. If enabled, configured Quarantine Digest Settings are applicable for the user. Screen Change User s Spam Digest Settings Manage User s Quarantine Digest Settings Screen Elements User Name Name Group Edit Icon Description Displays username. Displays a name for the User. Displays Group name. Displays Address. Edit Quarantine Digest. To save the modifications done for Address, click Save icon and to cancel the modifications done click Cancel icon. Table Manage Change User s Spam Digest Select the checkbox against the user to enable the Spam Digest. If enabled, configured Spam Digest Settings are applicable for the user. Page 39 of 43

41 Quarantine Area Under Quarantine Area, Quarantined Mails can be searched based on sender Address, receiver Address, and subject. Use Filter section to search for mails from the list of Quarantined Mails. To view and release the Quarantined Mails go to, Anti Spam > Quarantine > Quarantine Area. Cyberoam reserves 5GB for Quarantine Area. Once the quarantine repository is full, older s are purged. Screen Manage Quarantine Mails Screen Elements Filter Result Start Date Description Select the starting date from Calendar by clicking on Calendar icon End Date Sender Receiver Filter Clear Subject Sender Recipient Subject Time Stamp Rule Name Release Icon Select the ending date from Calendar by clicking on Calendar icon Specify a name for the Sender. Specify a name for the Receiver. Click Filter to search mails from the list of Quarantined Mails. Click Clear to reset the details of Filter Result. Specify a Subject. Displays the Sender of the Mail. Displays the Recipient of the Mail. Displays the Mail Subject. Timestamp when the mail was received. Displays a Rule name based on which the Quarantine Mail is considered as Spam. Click on the Release Icon to move the mails from Quarantine Area to recipient s inbox. Log color will change when the selected mail is released to the recipient s inbox. Table Manage Quarantine Mails screen elements Page 40 of 43

42 Release Quarantined Mails Either Administrator or user himself can release the Quarantined Mails. Administrator can release the Quarantined Spam Mails from Quarantine Area while user can release from his My Account. Released Quarantined Mails are delivered to the intended recipient s inbox. Screen Before Releasing Quarantine Mails When the selected mail is released to the recipient s inbox, the log color will change from Violet color to black color as shown in the Screen below. Screen After Releasing Quarantine Mails Administrator can access Quarantine Area from Anti Spam > Quarantine > Quarantine Area, while user can logon to My Account and access Quarantine Area from Quarantine Mails > Spam > Quarantine s. If Quarantine Digest is configured, user will be mailed Digest everyday which consists of all the Quarantined Mails. Page 41 of 43

43 Trusted Domain Cyberoam also allows bypassing RBL scanning of mails from the certain domains. For this, you have to define the domains as the trusted domains. FQDN can also be configured as trusted domain. To manage local domains, go to Anti Spam > Trusted Domain > Trusted Domain. You can: Add Specify the Domain name and click the Add Button. Mails from the specified domains will not be scanned. Delete Click the Delete icon in the Manage column against a Domain to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Domain. To delete multiple domains, select them and click the Delete button. Screen Add/Remove Trusted Domain View the list of Trusted Domains Screen Element Add Button Domain Name Delete Button Description Add a new Trusted Domain. Displays a name for the Trusted Domain. Delete the Trusted Domain. Page 42 of 43