Multiple CMA Events Are Generated For The Same Traffic Flow

Issue

Multiple CMA events, such as Internet/WAN Firewall, IPS, RPF, or Anti-Malware, are generated for the same traffic flow. Having multiple events for the same traffic can be confusing when troubleshooting allowed or blocked actions over the Cato Cloud.

Troubleshooting

This behavior may be observed across various types of CMA events. Below are some possible scenarios that can occur:

Same Event Actions

In this scenario, the traffic flow was blocked by the Firewall engine because it was categorized as "Botnet", which is a category blocked in an Internet Firewall rule. Simultaneously, the IPS engine also blocked the traffic since it matches the IPS signature "cid_heur_suspicious", which is also based on the website's category. 

Different Event Actions

In this scenario, the traffic flow is initially blocked by the IPS engine due to a geo-restriction policy. However, the TLS/HTTP connection is established with the client to get traffic information so the Firewall engine can make a decision, which in this case is to allow (Action: Monitor) the traffic flow. Traffic is ultimately blocked by the IPS engine and no packets reach the destination IP.

Explanation

As explained in Understanding Packet Flow with Cato, the Cato Cloud includes multiple networking and security engines that operate in parallel. This means there is no prioritization for one engine to evaluate traffic over another.

Furthermore, the block/allow decisions are not performed immediately. The PoP waits until a specific request/response stage is reached (e.g., HTTP request), and each engine performs a definitive block or allow action. This is why we might observe multiple events generated in CMA with the same or different block/allow conclusions.

When different actions are seen in various events, the block action will take precedence over an allow action.
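To make this easier to reason about when troubleshooting, the following added example (not part of the original article and not Cato's own tooling) groups exported events by flow within a short time window and derives one effective verdict per flow, applying the rule above that a block takes precedence over an allow or monitor action. The event records, their field names (`time`, `engine`, `action`, `src`, `dst`, `dport`, `detail`) and the 30-second grouping window are constructed assumptions for the example, not the CMA export schema; map them to the real column names of your export before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the two scenarios in the article.
# Field names are assumptions for this example, not the CMA export schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "engine": "Internet Firewall", "action": "Block",
     "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "detail": "category Botnet"},
    {"time": "2024-01-01T10:00:00", "engine": "IPS", "action": "Block",
     "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "detail": "cid_heur_suspicious"},
    {"time": "2024-01-01T10:05:02", "engine": "IPS", "action": "Block",
     "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 443, "detail": "geo-restriction"},
    {"time": "2024-01-01T10:05:03", "engine": "Internet Firewall", "action": "Monitor",
     "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 443, "detail": "allow rule, monitored"},
    {"time": "2024-01-01T11:00:00", "engine": "Internet Firewall", "action": "Monitor",
     "src": "10.0.0.9", "dst": "192.0.2.30", "dport": 80, "detail": "allow rule, monitored"},
]

# Actions that stop the flow. Anything else ("Monitor", "Allow") lets it through.
BLOCKING_ACTIONS = {"Block"}


def flow_key(event):
    """Identity of a traffic flow: client, destination and destination port."""
    return (event["src"], event["dst"], event["dport"])


def _summarize(key, group):
    """Collapse one group of same-flow events into a single verdict."""
    blocked_by = [e["engine"] for e in group if e["action"] in BLOCKING_ACTIONS]
    return {
        "flow": key,
        "first_seen": group[0]["time"],
        "event_count": len(group),
        "engines": [f'{e["engine"]}: {e["action"]} ({e["detail"]})' for e in group],
        # A block from any engine wins over an allow/monitor from another.
        "effective_action": "Block" if blocked_by else "Allow",
        "blocked_by": blocked_by,
    }


def correlate(events, window=timedelta(seconds=30)):
    """Group events that belong to the same flow and derive one verdict per group.

    Events with the same flow key whose timestamps fall within `window` of the
    group's first event are treated as one flow; a larger gap starts a new group,
    so a later connection to the same destination is reported separately.
    """
    by_flow = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_flow[flow_key(ev)].append(ev)

    summaries = []
    for key, evs in by_flow.items():
        group, group_start = [], None
        for ev in evs:
            ts = datetime.fromisoformat(ev["time"])
            if group and ts - group_start > window:
                summaries.append(_summarize(key, group))
                group = []
            if not group:
                group_start = ts
            group.append(ev)
        if group:
            summaries.append(_summarize(key, group))
    summaries.sort(key=lambda s: s["first_seen"])
    return summaries


if __name__ == "__main__":
    for s in correlate(SAMPLE_EVENTS):
        print(s["first_seen"], s["flow"], "->", s["effective_action"],
              f"({s['event_count']} events)")
        for line in s["engines"]:
            print("   ", line)
```

Run against the constructed sample, the first flow is reported as blocked by both the Internet Firewall and IPS (the "Same Event Actions" scenario), the second as blocked by IPS even though the Firewall event says Monitor (the "Different Event Actions" scenario), and the third as allowed. The window size is a judgement call: too small splits one flow into several reports, too large merges separate connections to the same destination.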
