Centralized Management of IP Allocation (IP Allocation Policy) - (EA - Ordered Rulebase)

This article explains how to use the IP Allocation Policy to define Default, Dynamic, and Static IP ranges that are allocated to remote users in your account.

Note: Dynamic IP allocation in an ordered rule base is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.

Overview

The IP Allocation Policy defines the IP ranges that Cato allocates to Cato Clients when they connect a device to the network. Remote users are allocated IP addresses or ranges in one of these ways:

  • Dynamic IP Allocation: IP ranges are allocated to users or groups based on an ordered rulebase

  • Static IP Allocation: A fixed IP address allocated to specific users

  • Default IP Allocation: The default range, allocated to a user that:

    • Does not meet a Dynamic IP Allocation rule

    • Is not allocated a static IP address

    • Matches a rule where the IP range is exhausted

    By default, this range is 10.41.0.0/16. You can update this to a range you choose.

This feature is only for remote users, and not for users located in an office behind a Socket.

Use Case

For accounts with equipment that uses fixed IP addresses, for example routers with an Access Control List (ACL), specific IPs are defined on the router for some users. This means that those users are only allowed to access the network from that IP address.

Customers can use the IP Allocation Policy to allocate a Static IP for a user that matches the IP in the ACL. Then the Client is always allocated the same IP, and the router allows the user to access the network.

Known Limitations

  • If a user's IP allocation switches in one of these scenarios, the IP of the Client only changes after the user manually disconnects and reconnects:

    • The default range to a dynamically allocated IP, or vice versa

    • A rule in the dynamic range to a new higher priority rule

  • This feature is not supported if Pre-login is enabled

Allocating IPs to Remote Users

Follow these steps to allocate IP addresses to remote users:

  1. Add IP ranges to your account

  2. Define the IP Ranges for each IP allocation method

  3. Define users or user groups to be allocated IP addresses dynamically or statically

Step 1: Add IP Ranges to your Account

Remote users can only be assigned IP ranges that are within the Global IP Range entity for your account. For more information about how to add an IP range to the Global IP Range entity, see Using IP Ranges in Policies.

Step 2: Define the IP Ranges for Each IP Allocation Method

Define the IP ranges allocated to remote users with each allocation method. Each range must be a unique network range and can’t overlap with any other network range defined in your account.

Note: Best practice is to configure the largest Client IP range possible to decrease the chances of an IP conflict that causes the Client to disconnect.

To define the IP Ranges for each IP allocation method:

  1. From the navigation menu, click Access > IP Allocation Policy.

  2. Click the Settings tab.

  3. Enter the IP for each IP allocation method.

  4. Click Save.

Step 3: Define Users or User Groups to be Allocated IP Addresses Dynamically or Statically

You can allocate IPs to specific users or user groups either dynamically or statically. If a user is in a rule for a dynamically allocated IP and is also allocated a static IP, the static IP takes priority. After you allocate IPs, the Client automatically disconnects and reconnects with the new IP if a user switches from:

  • A dynamically allocated IP to a static IP, or vice versa

  • The default range to a static IP, or vice versa

If you are only updating the Default IP range for your account, this step is not required.

Allocating IPs to Users or User Groups Dynamically

You can dynamically allocate IPs using an ordered rulebase that sequentially checks if a user or user group matches a rule. Once a rule is matched, IPs are allocated from the Allocated Range configured in the rule. Rules that are listed in the policy after the matching rule are not applied. If no rule is matched, an IP is allocated from the default range. The lease time for the dynamically allocated IP addresses is 2 minutes, and afterwards the IP address is available for other users.

Different admins can edit the policy in parallel and save the changes in their own private revision before the rule is published. For more information, see Working with Policies.

To allocate IPs to users or user groups dynamically:

  1. From the navigation menu, click Access > IP Allocation Policy.

  2. Click New.

    The New Rule panel opens.

  3. Enter a name for the rule and define the rule's position.

  4. Define the User/Groups, Platforms, Countries, and the IP Range.

  5. Click Save.

  6. Repeat steps 2-6 for each rule.

  7. Click Publish.

  8. Enable Dynamic IP Allocation.

    The slider is green when the rule is enabled, and gray when the rule is disabled.

Allocating Static IPs to Users

For users, you can define a static IP that is allocated to them when they use the Client to connect to the network. Each static IP can only be allocated to one device at a time. If a user connects to the network with multiple devices, the first device is allocated the static IP address. Other devices are allocated IPs from the Dynamic IP Range or the Default IP Range.
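
The allocation precedence described in this article (static IP first, then the first matching dynamic rule, then the default range) can be modelled before publishing a policy. This is an added example, not Cato code: the rule names, users, groups and ranges are constructed, and treating the host addresses of each range as the usable pool is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    members: frozenset = frozenset()   # users/groups a dynamic rule matches
    leased: set = field(default_factory=set)

    def lease(self):
        # Assumption: usable addresses are the host addresses of the range.
        for ip in self.network.hosts():
            if ip not in self.leased:
                self.leased.add(ip)
                return ip
        return None  # range exhausted

def allocate(user, groups, rules, default, static_ips, static_in_use):
    """Return (source, ip) using the precedence this article describes."""
    # Static IP takes priority, but serves only one device at a time.
    ip = static_ips.get(user)
    if ip is not None and ip not in static_in_use:
        static_in_use.add(ip)
        return "static", ip
    # Ordered rulebase: the first matching rule decides; later rules are not applied.
    for rule in rules:
        if rule.members & ({user} | set(groups)):
            ip = rule.lease()
            if ip is not None:
                return rule.name, ip
            break  # matched rule is exhausted: fall through to the default range
    return default.name, default.lease()

def demo():
    # Constructed sample policy; names and ranges are hypothetical.
    net = ipaddress.ip_network
    rules = [Pool("admins", net("10.50.0.0/30"), frozenset({"grp-admins"})),
             Pool("all-staff", net("10.51.0.0/24"), frozenset({"grp-staff"}))]
    default = Pool("default", net("10.41.0.0/16"))
    static_ips = {"alice": ipaddress.ip_address("10.60.0.10")}
    in_use = set()
    sessions = [("alice", ["grp-admins", "grp-staff"]),  # first device: static
                ("alice", ["grp-admins", "grp-staff"]),  # second device: admins rule
                ("bob", ["grp-admins", "grp-staff"]),    # admins rule, last free host
                ("carol", ["grp-admins", "grp-staff"]),  # admins exhausted: default
                ("dave", ["grp-staff"]),                 # all-staff rule
                ("erin", [])]                            # no match: default
    return [(u, *allocate(u, g, rules, default, static_ips, in_use)) for u, g in sessions]

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

In this run carol matches the admins rule but receives a default-range address because the /30 is exhausted, so any ACL or firewall rule keyed on the admins range would not apply to her session.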

To allocate static IPs to users:

  1. From the navigation menu, click Access > IP Allocation Policy.

  2. Click the Static IP Allocation tab.

  3. Select the User and enter the static IP address.

  4. Repeat the previous step for additional users.

  5. Set the Enable Static IPs toggle to Enabled.

    The toggle is green when enabled.

  6. Click Save.
