Cato Networks Knowledge Base

How to Configure an Egress Rule

Why use an Egress Rule?

Some internet services use ACLs to restrict connections from only allowed source IP addresses. When connected to a PoP, your internet traffic may use any of that PoP's external IP addresses for NAT. Therefore, when using an IP-restricted internet service, it's important that the NAT IP remain static and is not shared with other Cato customers.

This is where Egress Rules come in. Egress Rules allow you to NAT specific traffic with a static public IP address. The IP address is available for use by your account only and will not change (unless you change it yourself).

Step-by-step Guide to Configure an Egress Rule

I. Select the IP address that will be used in the Egress Rule.

  • Note: Each account has the ability to allocate three IPs by default with the option to add more. If you need more IPs, please contact your reseller or sales engineer.
  1. In the Cato Management Application, navigate to Configuration > Global Settings > IP Allocation.
  2. In the drop-down menu, select the location of the PoP from which you would like to allocate an IP address. The IP address will populate as soon as soon as you select the location. You can select multiple IPs from the same PoP location.
  3. Once you've allocated as many IP addresses as you need, click the Save button.

Figure 1. Example IP Allocation configuration with two IP addresses from the same PoP location.

II. (Optional) Create Host(s) for the source computer(s)

If you need to create an Egress Rule for only one source computer, or a fraction of computers on a network, you'll need to configure Hosts for them under the site configuration. 

  1. In the Cato Management Application, navigate to Configuration > Sites > [Site Name] > Hosts.
  2. Click the green + button.
  3. Under Name, enter any name for the source computer. 
  4. Under IP, enter the IP address of the computer. 
  5. If using Cato for DHCP, under MAC, enter the MAC address of the computer. This will create a DHCP reservation for the computer.
  6. Click the green + button to add additional Hosts if necessary
  7. Click Save.
  • Note: if not using Cato DHCP, make sure that the source computer has a static IP or DHCP reservation in the local DHCP server. The Egress Rule will not work as intended if the IP address of the computer changes.

Figure 2. Example Hosts configuration without a Cato DHCP reservation.


III. Create the Egress Rule

  1. In the Cato Management Application, navigate to Networking > Network Rules.
  2. Click the green + button.
  3. Under Name, enter a name for the rule.
  4. Under What, select the traffic type that the Egress Rule will be applied. The options are:
    • Categories
    • Services
    • Custom Apps (if enabled in your account)
    • Custom Services (by IP)
    • TLD
    • FQDN
    • Ports
    • Any
  5. Under From, select the source of the traffic to which the Egress Rule will be applied. The options are:
    • Groups
    • Sites
    • Hosts
    • VPN Users
    • Networks
    • Floating Ranges
    • Users
    • Any
  6. (Optional) Click the red Exception field to exclude traffic (What) or sources (From) from the Egress Rule. 
  7. Click the green Routing field to expand the options.
  8. Undrt Route/NAT, select NAT.
  9. Select the IP address(es) that you allocated previously. If you select multiple IP addresses, the IP address used for egress will be the one belonging to the PoP that is closest to the source. 
  10. Click Save.

Figure 3. Example of an Egress Rule.


Was this article helpful?

4 out of 7 found this helpful



  • Comment author
    Dan Park Park

    For availability, consider multiple IP address in your NAT and Route rule.  We've lost connectivity when our Cato socket fails to another site and therefore a single IP at the failed site is not available until it comes back online.  

  • Comment author
    Faisal Johari

    There's no egress rule option under the global settings.

  • Comment author
    Adrian Horne

    Rules are under Networking | Network Rules

    Can this define exactly what is matched under the various categories and for what protocols.


Please sign in to leave a comment.