Managing the Socket Next Gen LAN Firewall Policy

This article explains how to configure Socket Next Gen LAN Firewall rules to route and control site traffic locally in the Socket. For more about the Socket Next Gen LAN Firewall, see What is the Socket Next Gen LAN Firewall.

Note: Please contact cato-releases@catonetworks.com for more information about enabling and using this feature.

Overview

Configure LAN Network rules to define the traffic to be routed locally with LAN transport, then create related LAN Firewall rules to enforce security policy for the traffic.

This is an example high-level workflow for configuring the policy:

  1. Determine which sites require Layer 7 enforcement capabilities and configure them in the policy.

    This enables Layer 7 enforcement for LAN Firewall rules, as well as events with Layer 7 data for the site.

  2. Monitor Socket CPU performance and events for the sites to assess the impact of enabling Layer 7.

  3. Create LAN Network rules to define which site traffic is routed locally through the Socket instead of through the WAN.

  4. For each LAN Network rule, create LAN Firewall rules to enforce security policy for the traffic.

Enabling Layer 7 Capability for a Site

Enable Layer 7 inspection capabilities for traffic for a site. After enabling, the Socket performs deep packet inspection on traffic whether or not a LAN Firewall rule is configured, as long as there is traffic defined to use LAN transport (see What is the Socket Next Gen LAN Firewall). This means that Layer 7 data appears in events for the site traffic, including fields such as Application, App Risk, and Custom App. This also impacts the Socket CPU usage.

LAN_Firewall_L7_Sites.png

To enable Layer 7 capability for a site:

  1. From the navigation menu, click Security > LAN Firewall.

    The LAN Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Select the Layer 7 Sites tab.

  3. Click New. The Add Site panel opens.

  4. Under Site, select one or more sites from the drop-down list of Socket sites.

  5. Click Apply. The site is added to the list of Layer 7 sites.

  6. Click Save. Layer 7 functionality is configured for the site.

Creating LAN Network Rules

Create a new LAN Network rule and configure the settings to define the transport for the traffic. For rules defined with LAN transport, you can add LAN Firewall rules to manage access control for the traffic. For more information, see Creating LAN Firewall Rules below.

LAN_Firewall.png

To create a LAN Network rule:

  1. From the navigation menu, click Security > LAN Firewall.

    The LAN Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Click New and from the drop-down menu select New LAN Network Rule. The New Network Rule panel opens.

  3. Enter the Name for the rule.

  4. Enable or disable the rule using the slider (green is enabled, grey is disabled).

  5. Configure the Position and Direction for the new rule.

    • By default, the rule is applied in one direction, from the source To the destination. Click the Direction drop-down menu to set the rule to operate in Both directions.

  6. Expand the Site section and select one or more sites or site groups that the rule applies to. The default value is Any.

  7. Expand the Source section and select one or more objects for the traffic source for this rule.

    1. Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    2. When needed, select a specific object from the drop-down list for that type.

  8. Expand the Destination section and select one or more destination objects for this rule.

    1. Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    2. When needed, select a specific object from the drop-down list for that type.

  9. Expand the Service/Port section, and select the protocols that the rule applies to, using one of the following options:

    • Simple Service - Select the relevant Layer 4 services from the list.

      The predefined services list is based on the RFC definition of each service.

    • Custom Service - Enter the relevant port and protocol in the "Protocol/Port" format (for example: TCP/80-88, UDP/53, ICMP)

    The default value is Any.

  10. (Optional) Expand the NAT section to enable NAT on the outgoing interface. This translates all originating IPs to one NAT IP.

  11. Select the Transport for traffic matching the rule. The options are:

    • LAN - The traffic is routed locally by the Socket and not sent to the PoP

    • WAN - The traffic is sent over the WAN to the PoP for inspection

  12. Click Save.

    The changes are saved to your unpublished revision, and are available for editing until they are published or discarded.

Creating LAN Firewall Rules

Create a new LAN Firewall rule and configure the settings to manage access control for the traffic. A LAN Firewall rule can only be configured with objects within the scope of its parent LAN Network rule.

Rules for sites enabled with Layer 7 capabilities can include conditions with application layer objects such as Application and Domain. If rules for sites without Layer 7 capabilities include these objects, the rules won't function properly.

To create a LAN Firewall rule:

  1. From the navigation menu, click Security > LAN Firewall.

    The LAN Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Click New and from the drop-down menu select New LAN Firewall Rule. The New Firewall Rule panel opens.

  3. Enter the Name for the rule.

  4. Enable or disable the rule using the slider (green is enabled, grey is disabled).

  5. Configure the Position for the rule, and from the Rules drop-down select the relevant reference rule, as follows:

    • For the Before Rule and After Rule options, select from the Rules drop-down a LAN Firewall rule under the relevant LAN Network rule.

    • For the First in Rule and Last in Rule options, select from the Rules drop-down the parent LAN Network rule for this rule.

  6. Configure the Direction for the rule.

    • By default, the rule is applied in one direction, from the source To the destination. Click the Direction drop-down menu to set the rule to operate in Both directions.

  7. Expand the Source section and select one or more objects for the traffic source for this rule.

    1. Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    2. When needed, select a specific object from the drop-down list for that type.

  8. Expand the Destination section and select one or more destination objects for this rule.

    1. Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    2. When needed, select a specific object from the drop-down list for that type.

  9. Expand the App/Category section and select one or more applications for the rule.

    When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.

    Note: Only configure App/Category objects for rules for sites with Layer 7 capabilities enabled. Otherwise the rule won't function properly.

  10. Expand the Service/Port section, and select the protocols that the rule applies to, using one of the following options:

    • Simple Service - Select the relevant Layer 4 services from the list

      The predefined services list is based on the RFC definition of each service.

    • Service - Select the relevant Layer 7 services from the list

    • Custom Service - Enter the relevant port and protocol in the "Protocol/Port" format (for example: TCP/80-88, UDP/53, ICMP)

    The default value is Any.

  11. Select the Action for this rule. The options are Allow and Block.

  12. (Optional) Configure tracking options to generate Events and Send Notification. The frequency starts counting after the first notification is sent.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  13. Click Save.

    The changes are saved to your unpublished revision, and are available for editing until they are published or discarded.
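As an added example that is not part of this article or of Cato's product, the following Python script models the constraints stated in the two procedures above (a LAN Firewall rule belongs to a LAN-transport parent LAN Network rule, App/Category objects only work for Layer 7 sites, and Custom Services use the "Protocol/Port" format) as a pre-publish lint. The rule classes, the site names and the application name are assumptions for illustration, not Cato objects or API calls.

```python
import re
from dataclasses import dataclass, field

# Hypothetical, simplified model of the objects this article describes; not Cato's API or schema.
PROTOCOL_PORT = re.compile(r"^(TCP|UDP)/(\d{1,5})(?:-(\d{1,5}))?$|^(ICMP)$", re.I)

@dataclass
class NetworkRule:
    name: str
    sites: set        # Site section of the LAN Network rule; "Any" is kept as a literal
    transport: str    # "LAN" (routed locally by the Socket) or "WAN" (sent to the PoP)
@dataclass
class FirewallRule:
    name: str
    parent: str       # name of the parent LAN Network rule
    services: list = field(default_factory=list)  # Custom Service "Protocol/Port" entries
    apps: list = field(default_factory=list)      # App/Category objects (Layer 7 only)

def parse_custom_service(text):
    """Parse one Custom Service entry ("TCP/80-88", "UDP/53", "ICMP"); None if malformed."""
    m = PROTOCOL_PORT.match(text.strip())
    if not m:
        return None
    if m.group(4):                      # bare ICMP carries no port
        return ("ICMP", None, None)
    low, high = int(m.group(2)), int(m.group(3) or m.group(2))
    return (m.group(1).upper(), low, high) if 0 < low <= high <= 65535 else None

def lint_policy(l7_sites, network_rules, firewall_rules):
    """Return the problems to fix before publishing the revision."""
    parents = {r.name: r for r in network_rules}
    problems = []
    for fw in firewall_rules:
        parent = parents.get(fw.parent)
        if parent is None:
            problems.append(f"{fw.name}: parent LAN Network rule {fw.parent!r} not found")
            continue
        if parent.transport != "LAN":   # LAN Firewall rules only apply to LAN-transport traffic
            problems.append(f"{fw.name}: parent {parent.name!r} uses WAN transport")
        non_l7 = parent.sites - set(l7_sites)   # "Any" never passes: it can reach non-L7 sites
        if fw.apps and non_l7:
            problems.append(f"{fw.name}: App/Category used but sites {sorted(non_l7)} lack Layer 7")
        problems += [f"{fw.name}: malformed Custom Service {s!r}"
                     for s in fw.services if parse_custom_service(s) is None]
    return problems

if __name__ == "__main__":  # constructed sample policy, not a real export
    nets = [NetworkRule("Printers", {"HQ", "Branch"}, "LAN")]
    fws = [FirewallRule("block-apps", "Printers", apps=["SampleApp"])]
    print(lint_policy({"HQ"}, nets, fws))
```

Run against a policy export of your own shape once the sites in the Layer 7 Sites tab and the rule tree are mapped into these classes; an empty list means none of the three constraints is violated.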

Monitoring and Events

You can optionally enable event tracking for each defined rule in the Next Gen LAN Firewall policy.

Note: LAN firewall traffic will not be visible in app and network analytics dashboards.

The events appear under Site Monitoring > Events.

  • Event Type - Security

  • Sub-Type - LAN Firewall

To filter for LAN Firewall events:

  1. Go to Home > Events.

  2. Click on Filter and select the relevant field, operator and value.

    1. Field - Multiple fields can be selected as a filter. For example, you can filter on "Source site" or on "Sub-Type" (LAN Firewall).

    2. Operator - Choose to include or exclude a specific value (Is, Is not) or multiple values (In, Not in). For example, "Source site" with the operator "In" lets you select multiple source sites as values.

    3. Value - The value for the field.

  3. Click Add filter.


In the following example, you can see the details for a LAN Firewall event.

  • Action - Block or Monitor (traffic was blocked or allowed locally by the LAN Firewall).

  • Configured Host Name - Additional host information on the source IP, if available.

  • Sub-Type - LAN Firewall. All events generated by the LAN Firewall will have this sub-type.

  • Network Rule - The parent LAN Network rule for the LAN Firewall rule that generated the event.

  • Rule Name - The name of the LAN Firewall rule that generated the event.

LAN_FW_L7_Event.png

Unlike the WAN or Internet Firewall, where events are generated by the Cato PoP, LAN Firewall events are generated on the Socket itself. These events are sent over the site tunnel to be stored in the Cato Management Application. 

All flow traffic over the tunnel is prioritized before LAN Firewall events, which have a default QoS priority of 255 and may generate additional overhead. 

Cato recommends tracking only high-priority LAN Firewall rules to avoid additional overhead over the tunnel.
