Using IP Ranges in Policies

This article explains how to use Global IP Ranges across multiple policies.


The Global IP Range entity is a global object in the Cato Management Application that you define and then use in rules across multiple policies. For example, you can use the same range for servers in WAN Firewall, Network Rules, and other policies. If at some point the range changes, you only need to update the object once, and all the policies are automatically updated.

You can also use a Custom IP Range in situations where the IP range is used only in a specific rule.


Note: The Cato Management Application also supports Floating Ranges, which are only applied to traffic routed via BGP, and when the advertised route is an exact match to the Floating Range.

Creating IP Ranges

Create the IP Ranges and define the range of IP addresses for each object. In addition, you can provide a name and description so they can be easily identified in the policies. You can use a single IP address, range, or a CIDR block for the IP Range.

Then you can use the IP Range as a global object in one or more of these policies:

  • Network Rules

  • Internet Firewall

  • WAN Firewall

  • IPS (only in the outbound direction as the Destination)

  • Anti-Malware

  • Application Control (CASB and DLP)

  • TLS Inspection


To create an IP Range:

  1. From the navigation menu, click Network > IP Ranges.

  2. Click New. The New IP Range panel opens.

  3. Define the settings for the IP range.

  4. Click Apply, and then click Save.

  5. To edit an IP range:

    1. Click the Name for the range. The Edit IP Range panel opens.

    2. Edit the settings.

    3. Click Apply, and then click Save.
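A pre-check you can run on planned IP Range definitions before entering them in the Cato Management Application, as an added example that is not part of the original article or Cato's own tooling: it parses the three forms named above (single address, range, CIDR block), reports objects whose addresses overlap, and collapses a list of definitions into contiguous blocks. The `start-end` text notation, the IPv4-only handling, the function names, and the sample objects are assumptions constructed for illustration.

```python
import ipaddress

def parse_ip_range(text):
    """Return (first, last) IPv4Address for a single IP, start-end range, or CIDR block."""
    text = text.strip()
    if "-" in text:  # assumed "start-end" notation for a range
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return first, last
    if "/" in text:
        # strict=True rejects a CIDR with host bits set, e.g. 10.0.0.5/24
        net = ipaddress.IPv4Network(text, strict=True)
        return net.network_address, net.broadcast_address
    addr = ipaddress.IPv4Address(text)
    return addr, addr

def find_overlaps(objects):
    """objects maps object name -> definition; return name pairs whose addresses overlap."""
    spans = {name: parse_ip_range(d) for name, d in objects.items()}
    names = sorted(spans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]

def contiguous_blocks(definitions):
    """Merge overlapping or adjacent definitions into the fewest contiguous ranges."""
    merged = []
    for first, last in sorted(parse_ip_range(d) for d in definitions):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return [str(f) if f == l else f"{f}-{l}" for f, l in merged]

# Constructed sample objects (hypothetical names and addresses)
SAMPLE_OBJECTS = {
    "app-servers": "10.10.20.0/24",
    "db-servers": "10.10.30.10-10.10.30.40",
    "backup-host": "10.10.30.25",
    "jump-host": "192.0.2.15",
}

if __name__ == "__main__":
    print("Overlapping objects:", find_overlaps(SAMPLE_OBJECTS))
    print("Contiguous blocks:", contiguous_blocks(SAMPLE_OBJECTS.values()))
```

An overlap between two objects is worth reviewing before both are referenced in firewall rules, because the same address would then match more than one object.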

Using IP Ranges in Rules

These are the IP ranges that you can use for the relevant settings in rules, such as Source or Destination:

  • Global IP Range - A global object created as described in the section above

  • Custom IP Range - Define the IP addresses that only apply to the specific rule


To use IP Ranges in a rule:

  1. In the relevant section of the rule, select the IP Range item.

  2. Select whether the rule uses a Global or Custom range.

    • For Global ranges, select the IP range you are adding to the rule.

    • For Custom ranges, enter the IP address or range of IPs you are adding to the rule.

  3. Click Apply, and then click Save.



  • Comment author

    I had high hopes for this feature, but was sadly disappointed when I discovered that it only supports a single block of contiguous IP addresses. This limits its usefulness significantly. Why not a list of IPs or IP ranges?

  • Comment author
    Dermot - Community Manager

    Thank you for the feedback, JM!

    It has been passed on to our Product Management team. 

    This feature is under continuing development, and the intention is to extend the feature to make it possible to define IP ranges that can then be assigned to groups.  

    Kind Regards,

    Dermot Doran

  • Comment author
    akei hsu

    Indeed, agree: ip-range should consist of/contain other ip ranges. Now, it is partly handy for our functional application, not fully. Thx

  • Comment author
    Yaakov Simon

    Updated to include support for Network Rules

  • Comment author
    Koen Vandenabeele

    Also nice to have would be the ability to add IP Ranges as members of groups.
