Cato Networks Knowledge Base

Search

Using IP Ranges in Policies

This article explains how to use Global IP Ranges across multiple policies.

Overview

The Global IP Range entity is a global object in the Cato Management Application that you define and then use in rules across multiple policies. For example, you can use the same range for servers in WAN Firewall, Internet Firewall, and other policies. If at some point the range changes, you only need to update the object once, and all the policies are automatically updated.

You can also a use Custom IP Range for situations where the IP range is only used in the specific rule.

Note

Note: The Cato Management Application also supports Floating Ranges, which are only apply to traffic routed via BGP, and when the advertised route is an exact match to the Floating Range.

Creating IP Ranges

Create the IP Ranges and define the range of IP addresses for each object. In addition, you can provide a name and description they can be easily identified in the policies. You can use a single IP address, range, or a CIDR block for the IP Range.

Then you can use the IP Range as a global object in one or more of these policies:

  • Internet Firewall

  • WAN Firewall

  • IPS

  • Anti-Malware

  • Application Control (CASB and DLP)

  • TLS Inspection

IP_Ranges.png

To create an IP Range:

  1. From the navigation menu, click Network > IP Ranges.

  2. Click New. The New IP Range panel opens.

  3. Define the settings for the IP range.

  4. Click Apply, and then click Save.

  5. To edit an IP range:

    1. Click the Name for the range. The Edit IP Range panel opens.

    2. Edit the settings.

    3. Click Apply, and then click Save.

Using IP Ranges in Rules

These are the IP ranges that you can use for the relevant settings in rules, such as Source or Destination:

  • Global IP Range - a global object that was created using the section above

  • Custom IP Range - Define the IP addresses that only apply to the specific rule

custom_global_ip_range.png

To use IP Ranges in a rule:

  1. In the relevant section of the rule, select the IP Range item.

  2. Select if the rule is using a Global or Custom range.

    • For Global ranges, select the IP range you are adding to the rule.

    • For Custom ranges, enter the IP address or range of IPs you are adding to the rule.

  3. Click Apply, and then click Save.

Was this article helpful?

1 out of 1 found this helpful

Comments

3 comments

Date Votes
  • Comment author
    JM

    I had high hopes for this feature, but was sadly disappointed when I discovered that it only supports a single block of contiguous IP addresses. This limits its usefulness significantly. Why not a list of IPs or IP ranges?

    0
  • Comment author
    Community Manager The chief of community conversations. Community manager

    Thank you for the feedback, JM!

    It has been passed on to our Product Management team. 

    This feature is under continuing development, and the intention is to extend the feature to make it possible to define IP ranges that can then be assigned to groups.  

    Kind Regards,

    Dermot Doran

    0
  • Comment author
    akei hsu

    Indeed, agree: ip-range should be consist of/contain other ip ranges. Now, it is partly handy for our functional application, not fully. Thx

    0

Please sign in to leave a comment.