This article explains how to use Global IP Ranges across multiple policies.
The Global IP Range entity is a global object in the Cato Management Application (CMA) that you define and then use in rules across multiple policies. For example, you can use the same range for servers in WAN Firewall, Network Rules, and other policies. If at some point you update a setting in the IP range object, these changes are automatically applied to all the relevant policies. No manual changes are required.
You can also use Custom IP Range for situations where the IP range is only used in the specific rule.
Notes:
- The CMA also supports Floating Ranges, which are only applied to traffic routed via BGP, and when the advertised route is an exact match to the Floating Range. IP range objects support all traffic, including BGP.
- For more information about using IP Ranges in Advanced Group objects, see Working with CMA Advanced Groups and Groups.
Create the IP Ranges and define the range of IP addresses for each object. In addition, you can provide a name and description so they can be easily identified in the policies. You can use a single IP address, range, or a CIDR block for the IP Range.
Then you can use the IP Range as a global object in one or more of these policies:
- Network Rules
- Internet Firewall
- WAN Firewall
- IPS (only in the outbound direction as the Destination)
- Anti-Malware
- Application Control (CASB and DLP)
- TLS Inspection
These are the IP ranges that you can use for the relevant settings in rules, such as Source or Destination:
- Global IP Range - A global object that was created as described above
- Custom IP Range - IP addresses that you define and that apply only to the specific rule
To use IP Ranges in a rule:
- In the relevant section of the rule, select the IP Range item.
- Select if the rule is using a Global or Custom range.
  - For Global ranges, select the IP range you are adding to the rule.
  - For Custom ranges, enter the IP address or range of IPs you are adding to the rule.
- Click Apply.
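Because each IP Range object takes a single IP address, a range, or a CIDR block, it helps to consolidate an address inventory before creating the objects. The following Python sketch is an added example, not Cato code: it merges overlapping or adjacent entries into the fewest contiguous blocks, one per IP Range object. The function names, the sample inventory, and the `a-b` notation for ranges are assumptions made for illustration and are not the CMA's input syntax.

```python
import ipaddress

# Constructed sample inventory (not from the article): server addresses
# collected from several sources, with adjacent and mixed-form entries.
SAMPLE_INVENTORY = [
    "10.1.20.0/25", "10.1.20.128/25",
    "10.1.30.10", "10.1.30.11", "10.1.30.12-10.1.30.20",
    "192.168.50.7",
]

def parse_entry(spec):
    """Return (first, last) as integers for a single IP, 'a-b' range, or CIDR."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec}")
        return int(lo), int(hi)
    # strict=True rejects CIDR entries with host bits set, e.g. 10.0.0.5/24,
    # which usually indicate a typo in the inventory.
    net = ipaddress.IPv4Network(spec, strict=True)
    return int(net.network_address), int(net.broadcast_address)

def format_block(first, last):
    """Render one contiguous block as a single IP, a CIDR block, or a range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) == 1:
        return str(lo) if nets[0].prefixlen == 32 else str(nets[0])
    return f"{lo}-{hi}"  # not expressible as one CIDR block

def plan_ranges(entries):
    """Merge overlapping or adjacent entries into the fewest contiguous blocks."""
    merged = []
    for first, last in sorted(parse_entry(e) for e in entries):
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)  # extend the current block
        else:
            merged.append([first, last])              # start a new block
    return [format_block(f, l) for f, l in merged]

if __name__ == "__main__":
    for block in plan_ranges(SAMPLE_INVENTORY):
        print(block)  # each line is one candidate IP Range object
```

Each block in the result corresponds to one IP Range object to define; entries that fail parsing raise `ValueError` so that a mistyped address never ends up in a policy.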
10 comments
I had high hopes for this feature, but was sadly disappointed when I discovered that it only supports a single block of contiguous IP addresses. This limits its usefulness significantly. Why not a list of IPs or IP ranges?
Thank you for the feedback, JM!
It has been passed on to our Product Management team.
This feature is under continuing development, and the intention is to extend the feature to make it possible to define IP ranges that can then be assigned to groups.
Kind Regards,
Dermot Doran
Indeed, agree: an IP range should consist of/contain other IP ranges. Now, it is partly handy for our functional application, not fully. Thx
Updated to include support for Network Rules
Also nice to have would be the ability to add IP Ranges as members of groups.
Would be nice if we could use these IP ranges for events as well.
Cato is still missing the ability to assign defined IP ranges that can then be assigned to groups. Is there any progress towards bringing this to production?
Are there any plans to be able to add ip ranges into an “object group” and then apply the object-group to rules, as is done with Cisco and Palo Alto firewalls?
Koen Vandenabeele {Left Company}, Praneeth Palukuru, Gordon Sandlin - I checked with Product Management, and adding IP ranges to groups is on the roadmap for 2025.
I suggest that you follow the Roadmap article to receive an email update when this enhancement is getting close to being released.
I have the same question… I'm new to the solution, but it's unexpected that I can create IP ranges under Resources > IP Ranges, which the documentation seems to name a Global Range, as does the AI Assistant. Yet when I go to Members of a group, I have the option for Global Range, but the only thing enumerated in the UI when clicked is the Native Ranges of all my sites.