
How To Configure Zone Settings in Cyberoam

Applicable Version: 10.00 onwards

Overview
Zone or Network-Zone refers to a logical collection of interfaces or ports. In Zone-based security,
firewall policies are applied to the Zones instead of ports. In this way, Zone-based security provides
flexibility and ease of policy deployment because the policies are defined for the zones as a whole
and there is no need to define policies for the interfaces individually.

Cyberoam is pre-configured with five default Zone types:

1. LAN - LAN zone is used for internal networks. An interface or group of interfaces (maximum 6) can
be assigned to the LAN zone. The LAN zone is the most secure zone as all the traffic through
this zone is blocked by default.

2. WAN - WAN zone is used for Internet services. It can also be referred to as the Internet zone.

3. DMZ (DeMilitarized Zone) - DMZ is used for publicly accessible servers. Depending on the
appliance in use and network design, one can group multiple physical ports in this zone.

4. VPN - VPN zone is used for secure remote connectivity. It does not have any interface assigned
to it. Whenever the VPN connection is established, the interface used by the connection is
automatically added to this zone and, on disconnection, the interface is automatically removed from
the zone.

5. Local - The entire set of physical interfaces available on your appliance, including their Aliases (if
configured), are grouped in the Local Zone.

The appliance is pre-configured with a single zone each for LAN, WAN and DMZ. These zones are called
System Zones. The Administrator can add LAN and DMZ zone types as custom zones as shown in
the section Add a Custom Zone.

Scenario
Configure Zone settings in Cyberoam.

Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write permission
for the relevant feature(s).

Configure default Zone Settings

Go to Network > Interface > Zone to see the list of Zones along with other details like Member ports,
Type and Device Access. Click on any of the zones to change the settings.

Here, we have selected the LAN Zone for demonstration purposes. In the Edit Zone section, only the
Appliance Access settings can be changed. Interface binding can be done through the Interface
Settings shown in the section Assign Zone Membership to an Unbound Interface or Change Zone
membership of an Interface.

To change the default Appliance Access settings, enable or disable the desired options as shown in
the table below.

Appliance Access

Parameter                 Value                            Description

Admin Services            HTTP: Enabled                    Check/Uncheck to Enable/Disable Admin Services
                          HTTPS: Disabled                  that should be allowed through this zone.
                          TELNET: Disabled
                          SSH: Disabled
Authentication Services   Windows/Linux Client: Disabled   Check/Uncheck to Enable/Disable Authentication
                          Captive Portal: Enabled          Services that should be allowed through Zone.
Network Services          DNS: Enabled                     Check/Uncheck to Enable/Disable Network
                          Ping: Enabled                    Services that should be allowed through Zone.
Other Services            Web Proxy: Disabled              Check/Uncheck to Enable/Disable Other Services
                          SSLVPN: Disabled                 that should be allowed through Zone as per requirement.

Add a Custom Zone

You can also add LAN and DMZ zone types as Custom Zones. Go to Network > Interface >
Zone and click Add to add a Custom Zone. Specify the parameters as shown in the table below.

Parameter                 Value                            Description

Name                      Custom_Zone                      Specify a name to identify the Zone.
                                                           Duplicate names are not allowed.
Type                      LAN                              Select Zone Type: LAN or DMZ

Appliance Access
Admin Services            HTTP: Enabled                    Check/Uncheck to Enable/Disable Admin Services
                          HTTPS: Disabled                  that should be allowed through this zone.
                          TELNET: Disabled
                          SSH: Disabled
Authentication Services   Windows/Linux Client: Disabled   Check/Uncheck to Enable/Disable Authentication
                          Captive Portal: Enabled          Services that should be allowed through Zone.
                          NTLM: Disabled
Network Services          DNS: Enabled                     Check/Uncheck to Enable/Disable Network
                          Ping: Enabled                    Services that should be allowed through Zone.
Other Services            Web Proxy: Disabled              Check/Uncheck to Enable/Disable Other Services
                          SSLVPN: Disabled                 that should be allowed through Zone as per requirement.

Click OK to add the Custom Zone. Now, this Zone membership can be assigned to either the
interfaces which are in use or any other unbound Interface.

Assign Zone to an unbound interface

Go to Network > Interface and click on the unbound or disabled interface to which the Zone
membership is to be assigned.

Specify the parameters as shown in the table below.

Parameter                 Value                Description

Network Zone              Custom_Zone          Select the Zone from the list of available zones.
IP Assignment             Static               Select the IP assignment method. Available options:
                                               Static, PPPoE, DHCP
IP Address                192.168.2.1          Specify the IP address of the interface.
Netmask                   /24 (255.255.255.0)  Select the netmask.
Primary DNS               4.2.2.2              Specify the primary DNS IP address.
Secondary DNS (Optional)  8.8.8.8              Specify the secondary DNS IP address.

Click OK to assign the Zone membership to the Interface. In the above example, we have bound the
interface Port D to the Custom_Zone created earlier.

Change Zone membership of an Interface

Zone membership of an interface belonging to a particular zone can be changed.

To change Zone membership, go to Network > Interface and click on the desired interface. In this
example, we change the Interface membership of Port A from the LAN Zone to the Custom_Zone created
earlier.

Under General Settings, click on the drop-down box corresponding to Network-Zone and select
the Custom_Zone created earlier.

Click OK to complete.
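
The procedure above, modelled as an added example (not Cyberoam code and not part of the original article): Appliance Access is defined once on the zone and inherited by every member port, so a review of admin services is done per zone. The dict layout and function names are hypothetical; the values are constructed from the tables on this page, and HTTP and TELNET are treated as the cleartext admin services.

```python
# Added example. Zone and port data are constructed from the tables on this
# page; the dict layout and function names are hypothetical, not a Cyberoam API.
CLEARTEXT = {"HTTP": "HTTPS", "TELNET": "SSH"}  # cleartext service -> encrypted peer

def page_admin_defaults():
    # Admin Services values shown in the Appliance Access tables above.
    return {"HTTP": True, "HTTPS": False, "TELNET": False, "SSH": False}

def add_custom_zone(zones, name, zone_type, admin):
    if name in zones:
        raise ValueError(f"duplicate zone name: {name}")
    if zone_type not in ("LAN", "DMZ"):
        raise ValueError("custom zones must be of type LAN or DMZ")
    zones[name] = {"type": zone_type, "admin": dict(admin)}

def assign(interfaces, zones, port, zone):
    if zone not in zones:
        raise ValueError(f"unknown zone: {zone}")
    interfaces[port] = zone  # binding or re-binding is one field on the port

def audit(zones, interfaces):
    """Return (port, zone, service, encrypted_peer_enabled) per cleartext admin service."""
    findings = []
    for port, zone in sorted(interfaces.items()):
        if zone is None:  # unbound interface: no zone settings apply
            continue
        admin = zones[zone]["admin"]
        for svc, peer in CLEARTEXT.items():
            if admin.get(svc):
                findings.append((port, zone, svc, bool(admin.get(peer))))
    return findings

def demo():
    zones = {"LAN": {"type": "LAN", "admin": page_admin_defaults()}}
    interfaces = {"Port A": "LAN", "Port D": None}
    add_custom_zone(zones, "Custom_Zone", "LAN", page_admin_defaults())
    assign(interfaces, zones, "Port D", "Custom_Zone")  # unbound -> Custom_Zone
    assign(interfaces, zones, "Port A", "Custom_Zone")  # LAN -> Custom_Zone
    before = audit(zones, interfaces)
    # One change on the zone covers every member port.
    zones["Custom_Zone"]["admin"].update({"HTTP": False, "HTTPS": True})
    return before, audit(zones, interfaces)

if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("cleartext admin service:", finding)
    print("after zone-level change:", after)
```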

Document Version 1.0 27 October, 2014
