The default behavior for the Socket is to forward all WAN and Internet traffic to the PoP for security inspection. This includes LAN traffic between adjacent network segments within a site (e.g. VLANs). In some scenarios, you may want to override the default behavior, and configure the Socket in a site to allow or block communication between two network segments or hosts, directly on the Socket, without sending the traffic to the Cato PoP. With the LAN Firewall policy, you can configure rules for allowing or blocking LAN traffic directly on the Socket. Optionally, you can enable tracking (events) for each rule.
Note: The LAN Firewall is an enhancement to the Local Routing policy. For more information, see Prerequisites for Using the LAN Firewall and Upgrading the Local Routing Policy to the LAN Firewall below.
The LAN Firewall allows you to block or allow certain types of traffic at the Socket level, by creating policies according to your needs.
The following diagram shows a LAN Firewall rule that allows traffic from LAN1 to LAN2.
This diagram shows a LAN Firewall rule that blocks traffic from LAN1 to LAN2.
The following is a LAN Firewall configuration rulebase sample. Each rule is explained below:
Rule 1 - 'Block guest' - This rule prevents hosts on the 'Guest-Wifi' network from accessing any other hosts or internal resources in the site, and tracks these events. The hosts can still access the internet.
Rule 2 - 'Allow file share' - This rule allows only hosts connected to the 'Corp-Users' network to connect to servers in the 'File-Servers' local network over HTTPS or SMB (TCP/445). Each flow is tracked in the events. With this Allow locally action, tunnel overhead for SMB and HTTPS between the networks is reduced, because the traffic is handled locally on the site and does not traverse the tunnel.
Rule 3 - 'Allow CCTV server' - This rule allows hosts from the 'IOT-Cameras' network to connect to the 'IOT-File-Servers' network over HTTPS only. Each flow is tracked in the events.
Implicit behavior - Any other host traffic that is not defined in the rulebase is sent to the Cato PoP for inspection before it reaches its destination. For example, traffic from 'Corp-Users' to 'File-Servers' over TCP/21 (FTP) does not match the sample rulebase and triggers the default behavior (send traffic to the Cato PoP).
The LAN Firewall policy is processed in order, from the first configured rule to the last. Once a rule matches, its action is applied; otherwise, traffic is sent to the Cato PoP by default.
Rules at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection. You can increase the efficiency of the LAN Firewall by giving high priority to the rules that match the largest number of connections.
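The first-match processing described above, applied to the sample rulebase, as an added Python illustration (this is not Cato's code or the Socket's implementation). It also shows how the "Protocol/Port" service format used when defining a rule (TCP/80-88, UDP/53, ICMP) can be parsed. The IP ranges behind the five network objects, and the mapping of HTTPS to TCP/443 and SMB to TCP/445, are assumptions; each evaluated record is treated as a connection initiation, so a To rule matches only source-to-destination while Both also matches the reverse, and anything unmatched falls through to Send to PoP.

```python
"""First-match evaluation of a LAN Firewall rulebase (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects: these ranges are assumptions, not from the article.
NETWORKS = {
    "Guest-Wifi": ip_network("10.10.0.0/24"),
    "Corp-Users": ip_network("10.20.0.0/24"),
    "File-Servers": ip_network("10.30.0.0/24"),
    "IOT-Cameras": ip_network("10.40.0.0/24"),
    "IOT-File-Servers": ip_network("10.50.0.0/24"),
}


def parse_service(spec: str):
    """Parse the 'Protocol/Port' format: TCP/80-88, UDP/53, ICMP.

    Returns (protocol, low_port, high_port); the ports are None for a
    port-less protocol such as ICMP, and a single port is a range of one.
    """
    proto, _, ports = spec.strip().upper().partition("/")
    if not ports:
        return (proto, None, None)
    low, _, high = ports.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in {spec!r}")
    return (proto, lo, hi)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str           # network object name, or "Any"
    destination: str
    action: str           # "Allow locally" or "Block locally"
    services: tuple = ()  # Protocol/Port specs; empty means any service
    direction: str = "To"  # "To" or "Both"
    track: bool = False   # the Event checkbox under Track


def in_object(obj: str, ip: str) -> bool:
    """True when ip belongs to the named object ("Any" matches everything in the site)."""
    return obj == "Any" or ip_address(ip) in NETWORKS[obj]


def service_matches(rule: Rule, proto: str, port) -> bool:
    if not rule.services:
        return True
    for p, lo, hi in (parse_service(s) for s in rule.services):
        if p != proto.upper():
            continue
        if lo is None or (port is not None and lo <= port <= hi):
            return True
    return False


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port) -> bool:
    if not service_matches(rule, proto, port):
        return False
    if in_object(rule.source, src_ip) and in_object(rule.destination, dst_ip):
        return True
    if rule.direction == "Both":  # the reverse direction also matches
        return in_object(rule.source, dst_ip) and in_object(rule.destination, src_ip)
    return False


def evaluate(rulebase, src_ip: str, dst_ip: str, proto: str, port=None):
    """Walk the rulebase top to bottom; the first matching rule decides.

    Returns (action, rule name, event generated). Rules below the match
    are never consulted; no match means the implicit Send to PoP.
    """
    for rule in rulebase:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return (rule.action, rule.name, rule.track)
    return ("Send to PoP", None, False)


# The article's sample rulebase. HTTPS = TCP/443 and SMB = TCP/445 are assumed.
RULEBASE = [
    Rule("Block guest", "Guest-Wifi", "Any", "Block locally", track=True),
    Rule("Allow file share", "Corp-Users", "File-Servers", "Allow locally",
         services=("TCP/443", "TCP/445"), track=True),
    Rule("Allow CCTV server", "IOT-Cameras", "IOT-File-Servers", "Allow locally",
         services=("TCP/443",), track=True),
]

if __name__ == "__main__":
    # Constructed flows: guest to file server, corp SMB, corp FTP (falls through),
    # and a file server initiating towards corp (no match: rule 2 is To only).
    for flow in [("10.10.0.5", "10.30.0.10", "TCP", 445),
                 ("10.20.0.5", "10.30.0.10", "TCP", 445),
                 ("10.20.0.5", "10.30.0.10", "TCP", 21),
                 ("10.30.0.10", "10.20.0.5", "TCP", 443)]:
        print(flow, "->", evaluate(RULEBASE, *flow))
```

Because evaluation stops at the first hit, moving the broad 'Block guest' rule below a narrower allow rule that also covers Guest-Wifi hosts would change the outcome for those hosts; the ordering, not only the rule contents, is part of the policy.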
The following table shows the supported LAN Firewall throughput for each Socket model.
Note: The values below are based on Socket v19.0 uni-dimensional tests in a lab environment.

| Socket Model | TCP BW | UDP BW |
|---|---|---|
| X1500 | up to 1Gb/sec | up to 2Gb/sec |
| X1600 | up to 8Gb/sec | up to 8.5Gb/sec |
| X1700 | up to 10Gb/sec | up to 12Gb/sec |
The LAN Firewall is an enhancement of the existing Local Routing policy. This feature is enabled per site.
Make sure that all Sockets in the site are running Socket version 18.0 or higher.
- If there are no Local Routing rules configured for the site, you can immediately upgrade it to the LAN Firewall policy.
- If there are Local Routing rules configured for the site, migrate the Local Routing rules to the LAN Firewall; see Upgrading the Local Routing Policy to the LAN Firewall.
- After you upgrade to the LAN Firewall, enable the feature (LAN Firewall Enabled toggle on the top right of the screen).
When this feature is disabled, all traffic is sent to the PoP.
This section explains how to define rules for the LAN Firewall and the objects, ports, and services that you can configure.
Create a new LAN Firewall rule and configure its settings to manage routing for the LAN traffic. Use the Add Rule Below option to easily add a rule to the correct place in the rulebase.
Note: Applying the new configuration to the Socket may take up to a minute.
To define a LAN Firewall rule:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Site Settings > LAN Firewall.
- Click New. The Add Rule panel opens.
- In the General section:
  - Enter a Name for the new rule.
  - By default, the rule is Enabled. You can disable the rule using the Enabled toggle.
  - Under Direction, select To to apply the rule to traffic in one direction only, or Both to apply it to traffic in both directions.
  - Choose the Rule Order. We recommend a high rule order for more specific rules and a low rule order for less specific rules.
    Note: See the "Working with the LAN Firewall Rulebase" section for more on rule order configuration.
- Expand the Source and Destination sections, and define the traffic source and destination entities for this rule.
- Expand the Service/Port section, and select the protocols that the rule applies to:
  - If you selected Port/Protocol, define the port and protocol in the "Protocol/Port" format (for example TCP/80-88, UDP/53, or ICMP).
  - If you selected Simple Service, select the relevant Layer 4 services from the predefined list. The predefined services list is based on the RFC definition of each service.
- In the NAT section:
  - Enable NAT - Optionally, enable NAT on the outgoing interface. This translates all originating IPs to one NAT IP.
- In the Actions section, select the action:
  - Allow locally - Allows matching traffic locally between the Socket LAN networks.
  - Block locally - Blocks matching traffic locally between the Socket LAN networks.
  Note: If traffic does not match any of the rules, the default action is Send to PoP.
- In the Actions section, under Track, optionally select the Event checkbox. When the rule is matched, an event is generated for it.
- Click Apply, and then click Save.
There are scenarios that require using NAT between the LAN networks within a site; this can be between two (or more) directly connected networks, or between routed networks (static routes or BGP routes).
- NAT is configurable only in the To direction.
- After you save the configuration for the rule, the Cato Management Application automatically calculates the Outbound Network and Outbound IP for the rule.
The following source and destination objects can be defined:
- Global Range - Native range for the LAN interface of a site.
- Host - Hosts and servers defined in the site.
- Interface Subnet - VLAN, routed, or direct ranges, or a secondary AWS vSocket native range.
- Network Interface - Subnets and network ranges defined for the LAN interfaces of a site.
- Any - Any source or destination within the site.
You can optionally enable event tracking for each defined rule in the LAN Firewall.
Note: LAN Firewall traffic is not visible in the app and network analytics dashboards.
The events appear under Site Monitoring > Events.
- Event Type - Security
- Sub-Type - LAN Firewall
To filter for LAN Firewall events:
- Go to Monitoring > Events.
- Click Filter and select the relevant field, operator and value:
  - Field - Multiple fields can be selected as a filter. For example, you can filter on "Source site" or on "Sub-Type" (LAN Firewall).
  - Operator - Choose to include or exclude a specific value (Is, Is not) or multiple values (In, Not in). For example, "Source site" with the operator "In" lets you select multiple source sites as values.
  - Value - The value for the field.
- Click Add filter.
In the following example, you can see the details for a LAN Firewall event.
- Action - Block or Monitor (traffic was blocked or allowed locally by the LAN Firewall).
- Configured Host Name - Additional host information on the source IP, if available.
- Sub-Type - LAN Firewall. All events generated by the LAN Firewall have this sub-type.
- Rule - The name of the rule that generated this event.
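The Field / Operator / Value filter described above, run over a handful of event records, as an added Python illustration (not Cato's code, and not the Events screen's implementation). The events are constructed: the field names follow the article (Event Type, Sub-Type, Action, Rule, Configured Host Name), while the site names, IPs, host names and the non-LAN-Firewall sub-type used as a negative case are made up. A small per-rule count is included because the tunnel overhead note below makes it useful to know which tracked rules generate the most events.

```python
"""Filtering LAN Firewall events by field, operator and value (added illustration)."""
from collections import Counter

# Constructed sample events; values are invented, field names follow the article.
EVENTS = [
    {"Event Type": "Security", "Sub-Type": "LAN Firewall", "Source site": "Branch-A",
     "Action": "Block", "Rule": "Block guest", "Source IP": "10.10.0.5",
     "Configured Host Name": ""},
    {"Event Type": "Security", "Sub-Type": "LAN Firewall", "Source site": "Branch-A",
     "Action": "Monitor", "Rule": "Allow file share", "Source IP": "10.20.0.5",
     "Configured Host Name": "corp-laptop-01"},
    {"Event Type": "Security", "Sub-Type": "Internet Firewall", "Source site": "Branch-A",
     "Action": "Block", "Rule": "Block P2P", "Source IP": "10.20.0.9",
     "Configured Host Name": ""},  # not a LAN Firewall event; constructed negative case
    {"Event Type": "Security", "Sub-Type": "LAN Firewall", "Source site": "Branch-B",
     "Action": "Monitor", "Rule": "Allow CCTV server", "Source IP": "10.40.0.3",
     "Configured Host Name": "cam-lobby"},
    {"Event Type": "Security", "Sub-Type": "LAN Firewall", "Source site": "Branch-A",
     "Action": "Block", "Rule": "Block guest", "Source IP": "10.10.0.6",
     "Configured Host Name": ""},
]

# The four operators named in the article: single value (Is, Is not) and
# multiple values (In, Not in). For In / Not in the value is a collection.
OPERATORS = {
    "Is": lambda actual, wanted: actual == wanted,
    "Is not": lambda actual, wanted: actual != wanted,
    "In": lambda actual, wanted: actual in wanted,
    "Not in": lambda actual, wanted: actual not in wanted,
}


def apply_filters(events, filters):
    """Keep the events for which every (field, operator, value) filter holds."""
    def keep(event):
        for field, operator, value in filters:
            if not OPERATORS[operator](event.get(field), value):
                return False
        return True
    return [event for event in events if keep(event)]


def events_per_rule(events):
    """Count events by the Rule field (the rule that generated each event)."""
    return Counter(event["Rule"] for event in events)


def chatty_rules(events, threshold):
    """Rules whose event count reaches threshold, sorted by name.

    These are the candidates to review when deciding which rules really need
    the Event checkbox, since tracked events cross the site tunnel.
    """
    return sorted(rule for rule, n in events_per_rule(events).items() if n >= threshold)


if __name__ == "__main__":
    lan_events = apply_filters(EVENTS, [("Sub-Type", "Is", "LAN Firewall")])
    branch_a = apply_filters(lan_events, [("Source site", "In", {"Branch-A"})])
    print(len(lan_events), "LAN Firewall events,", len(branch_a), "from Branch-A")
    print("events per rule:", dict(events_per_rule(lan_events)))
    print("rules at or above 2 events:", chatty_rules(lan_events, 2))
```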
Unlike the WAN or Internet Firewall, where events are generated by the Cato PoP, LAN Firewall events are generated on the Socket itself. These events are sent over the site tunnel to be stored in the Cato Management Application.
All flow traffic over the tunnel is prioritized ahead of LAN Firewall events, which have a default QoS priority of 255 and may generate additional overhead.
Cato recommends tracking only high-priority LAN Firewall rules, to avoid additional overhead over the tunnel.
2 comments
The second column of the throughput table mentions HTTP BW and the third column UDP BW. Is the second column HTTP BW correct or should it be TCP BW?
Hi Gerwin - thank you for your feedback. We have changed the column name to TCP for consistency purposes.