Internet-hosted services and business partners often use your egress public IPs in access control lists (ACLs) to allow access to their resources.
By default, when a site or client is connected to a PoP, its Internet traffic may be NATed to any of that PoP's external IP addresses, so the source IP seen by the destination is not predictable. A static public IP address is required when you need to egress from a PoP with a specific public IP that the destination can put in an ACL. You define the routing options of a Network Rule to NAT specific traffic to that static public IP address. The address is allocated to your account only and does not change (unless you change it yourself).
Use the Network Rules policy to define outbound NAT behavior. A rule that uses the NAT Routing method lets you translate traffic to one or more static public IP addresses allocated to your account. These IPs provide stable egress identities for services that require allowlisting.
Before creating the rule, make sure that the required public IP addresses are allocated on the IP Allocation page, and (if needed) that the relevant hosts are defined for the site.
When you configure a Network Rule with multiple allocated IPs, the PoP selects the egress IP address based on availability and routing conditions.
Select the Cato-allocated public IP address you want to translate with NAT in the egress rule. The default license for each account includes 3 unique IPs that can be used by any PoP. If you need additional IP addresses, contact your partner or Sales Engineer.
To allocate an IP for egressing traffic:
- From the navigation menu, click Network > IP Allocation.
- From the drop-down menu, select the PoP location in which you are allocating an IP address. The IP address is automatically added to your account.
- Click Save.
To egress traffic for specific devices only, configure static hosts behind the relevant site. Then add those hosts as the Source in a Network Rule.
For accounts that use the Cato DHCP server, you need to enter the MAC address for the host to reserve the IP.
Note: If you are not using Cato DHCP, make sure the source device has a static IP or a DHCP reservation in the local DHCP server. If the IP address of the device changes, the Network Rule will not use the Cato IP address to egress traffic for the device.
Translated IP shows the IP address that the PoP translates for the internal host IP address. When Static Range Translation (Administration > System Settings) is enabled for the account, you can define the translated IP range in the Networks screen.
To create a static host for egressing traffic:
- From the navigation menu, click Network > Sites > {site name} > Site Configuration > Static Host Reservations.
- Click New.
- Enter the Name for the device.
- Enter the IP address of the device.
- If you are using Cato for DHCP, enter the MAC address. This creates a DHCP reservation to assign a static IP for this host.
- Click Apply, and then click Save.
- For a new or existing Network Rule, add the static hosts as the Source.
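The note above warns that a static host whose address drifts away from its reservation silently stops matching the rule. The following check is an added example and not Cato code: it compares the reservations you entered against the leases a local (non-Cato) DHCP server is actually handing out and flags hosts that drifted, hosts with no lease, and the more dangerous case where a different device now holds the reserved IP and would therefore egress through the allocated public IP. The hostnames, MAC addresses and lease lines are constructed; the lease format assumed is dnsmasq's leases file (expiry, MAC, IP, hostname, client-id).

```python
"""Audit Static Host Reservations against live DHCP leases (added example, not Cato code).

A host listed as a Network Rule Source only matches while it holds the IP entered
in Static Host Reservations. This compares that list with the leases a local DHCP
server is handing out. Sample data is constructed; the lease format assumed is the
dnsmasq leases file: <expiry> <mac> <ip> <hostname> <client-id>.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what was entered under Site Configuration > Static Host Reservations
RESERVATIONS: Dict[str, Tuple[str, str]] = {
    "sip-gw-01":  ("aa:bb:cc:00:00:01", "10.10.20.5"),
    "erp-app-01": ("aa:bb:cc:00:00:02", "10.10.20.6"),
    "finance-pc": ("aa:bb:cc:00:00:03", "10.10.20.7"),
}

# Constructed sample leases from the site's local DHCP server (dnsmasq format)
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.10.20.5 sip-gw-01 *
1700000000 aa:bb:cc:00:00:02 10.10.20.61 erp-app-01 *
1700000000 aa:bb:cc:00:00:09 10.10.20.7 visitor-laptop *
"""


@dataclass
class Finding:
    host: str
    mac: str
    expected_ip: str
    actual_ip: Optional[str]
    status: str  # "ok" | "drifted" | "no-lease" | "ip-reused"


def parse_leases(text: str) -> Dict[str, str]:
    """Map MAC -> leased IP; malformed lines are skipped."""
    leases: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        leases[parts[1].lower()] = parts[2]
    return leases


def audit(reservations: Dict[str, Tuple[str, str]], leases_text: str) -> List[Finding]:
    leases = parse_leases(leases_text)
    ip_to_mac = {ip: mac for mac, ip in leases.items()}
    findings: List[Finding] = []
    for host, (mac, expected) in reservations.items():
        mac = mac.lower()
        actual = leases.get(mac)
        if actual is None:
            status = "no-lease"          # host is off or never reserved: its traffic will not match
        elif actual != expected:
            status = "drifted"           # host moved: its traffic no longer matches the rule Source
        else:
            status = "ok"
        # Worst case: another device now owns the reserved IP and inherits the
        # static egress IP, and with it whatever the remote ACL allows.
        if status != "ok" and ip_to_mac.get(expected) not in (None, mac):
            status = "ip-reused"
        findings.append(Finding(host, mac, expected, actual, status))
    return findings


if __name__ == "__main__":
    for f in audit(RESERVATIONS, LEASES):
        print(f"{f.host:<12} reserved={f.expected_ip:<12} leased={f.actual_ip or '-':<12} {f.status}")
```

Run it against an export of the real leases file before publishing the rule; anything other than `ok` means the host's flows will not egress through the allocated IP, and `ip-reused` means something else will.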
Create a network rule to define the traffic that you are egressing to the Cato public IP address.
When a Network Rule is configured with multiple egress IPs, or with multiple PoPs under Route Via, the Cato Cloud identifies the PoP to which each egress IP belongs and builds a list of candidate PoPs around it. It then selects the nearest PoP and uses it to egress the traffic. If both IPs belong to the same PoP, the first IP in the list is used.
To create a Network Rule that egresses to an allocated IP:
- From the navigation menu, click Network > Network Rules.
- Click New > New Rule. The Add Network Rule panel opens.
- In the General section, configure the following settings for the rule:
  - Enter the Name for the rule.
  - Enable or disable the rule using the slider (green is enabled, grey is disabled).
  - Select the Position for the new rule.
  - Under the Rule Type drop-down, select Internet.
- In the Source section, select the source of the traffic the egress rule applies to. If necessary, add the hosts that you defined above under Egressing Traffic for Static Hosts (Optional).
- Expand the App/Category section and select one or more applications for the rule.
- In the Configuration section, under Routing Method, select NAT.
- Under Allocated IPs, select the IP address(es) to egress the traffic to.
- Click Save. The panel closes, and the settings are updated in the rulebase. The changes are saved to your unpublished revision and are available for editing until they are published or discarded.
- Click Publish. A confirmation window opens; click Publish.
We recommend these best practices when you configure Network Rules that egress traffic with the following Routing Methods:
- NAT traffic via IPs:
  - Use at least two egress IP addresses from two different PoP locations in the Network Rule to provide failover in case the destination isn't reachable from the first IP.
    Note: For Network Rules that only route traffic for sensitive applications, such as VoIP, configure one egress IP address (see Using Egress IPs for VoIP Traffic below).
- Route traffic via a PoP location:
  - Use two different PoP locations in the Network Rule to provide failover in case the destination isn't reachable from the first PoP.
For Network Rules that only route traffic for sensitive applications, such as VoIP or ERP, we recommend that you configure these settings:
- Only ONE egress IP address
- Enable the Preferred IP for SIP Traffic advanced setting to always use the same egress IP address
These settings force the PoP to use only that egress IP. If the IP isn't available, the PoP waits until the egress IP address is reachable again, which keeps the connection state intact instead of re-establishing the session from a different IP.
Some applications might block access if the same NAT IP is used by many users or sites at once. Cato recommends that if there is no need for a specific NAT IP for a specific domain, you should use Route Via, which will route the traffic using dynamic PoP IPs for the connections.
Question: When there is a Network Rule configured with an egress NAT IP, is there a limit of 64K concurrent flows for each egress IP address (assuming that each flow consumes a single TCP/UDP port)?
Answer: No. For each egress IP address, the PoP creates a unique NAT translation entry for every four-tuple (source IP, source port, destination IP, destination port). Because the entry is keyed on the full four-tuple, a translated source port only has to be unique for a given destination IP and port, not across everything leaving the egress IP. The roughly 64K port limit therefore applies per destination endpoint (destination IP and port) behind each egress IP. For example, if two LAN hosts communicate with two public destinations on TCP/443, the PoP can allocate up to 128K translated ports to support the concurrent flows (64K for each of the two destinations).
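To make the answer above concrete, here is a small model of endpoint-dependent NAPT on one egress IP. It is an added example, not Cato code, and it does not claim to reproduce the PoP's implementation: it only shows that when translation entries are keyed on the full four-tuple, a translated source port needs to be unique per destination IP and port, so two destinations on TCP/443 give roughly twice the concurrent flows of one. The egress IP, LAN hosts and destinations are constructed, and the translated-port pool of 1024-65535 (64512 ports, "64K") is an assumption.

```python
"""Model of endpoint-dependent NAPT on one egress IP (added example, not Cato code).

Each translation entry is keyed on (src_ip, src_port, dst_ip, dst_port), so the
translated source port is drawn from a pool that belongs to the destination
endpoint (dst_ip, dst_port). Assumptions: hosts and destinations below are
constructed; the translated-port pool is 1024-65535.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 1024, 65535          # assumed translated source-port pool
POOL_SIZE = PORT_MAX - PORT_MIN + 1       # ~64K ports per destination endpoint

FourTuple = Tuple[str, int, str, int]     # src_ip, src_port, dst_ip, dst_port
Endpoint = Tuple[str, int]                # dst_ip, dst_port


class PortPool:
    """Translated ports for one destination endpoint; closed flows return their port."""

    def __init__(self) -> None:
        self._next = PORT_MIN
        self._free: List[int] = []

    def take(self) -> Optional[int]:
        if self._free:
            return self._free.pop()
        if self._next > PORT_MAX:
            return None                   # this destination endpoint is exhausted
        port = self._next
        self._next += 1
        return port

    def give_back(self, port: int) -> None:
        self._free.append(port)


@dataclass
class EgressNat:
    egress_ip: str
    table: Dict[FourTuple, int] = field(default_factory=dict)       # 4-tuple -> translated port
    pools: Dict[Endpoint, PortPool] = field(default_factory=dict)   # one pool per destination

    def open_flow(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[int]:
        """Return the translated source port for this flow, or None when the
        destination endpoint has no free port left."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:
            return self.table[key]        # same flow: reuse the entry, no new port
        pool = self.pools.setdefault((dst_ip, dst_port), PortPool())
        port = pool.take()
        if port is not None:
            self.table[key] = port
        return port

    def close_flow(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        port = self.table.pop((src_ip, src_port, dst_ip, dst_port))
        self.pools[(dst_ip, dst_port)].give_back(port)


def concurrent_flow_capacity(egress_ip: str, lan_hosts: List[str],
                             destinations: List[Endpoint]) -> Tuple[int, Optional[int]]:
    """Open flows from every LAN host to every destination until each destination's
    pool is full. Returns (flows opened, result of one more flow to the first
    destination) so the per-destination cap is visible."""
    nat = EgressNat(egress_ip)
    opened = 0
    per_host = POOL_SIZE // len(lan_hosts)
    for dst_ip, dst_port in destinations:
        for host in lan_hosts:
            for sport in range(1024, 1024 + per_host):
                if nat.open_flow(host, sport, dst_ip, dst_port) is not None:
                    opened += 1
    dst_ip, dst_port = destinations[0]
    extra = nat.open_flow(lan_hosts[0], 65000, dst_ip, dst_port)   # new tuple, pool exhausted
    return opened, extra


if __name__ == "__main__":
    hosts = ["10.0.0.10", "10.0.0.11"]                              # constructed
    dests = [("203.0.113.10", 443), ("203.0.113.20", 443)]          # constructed
    opened, extra = concurrent_flow_capacity("198.51.100.7", hosts, dests)
    print(f"{opened} concurrent flows through one egress IP; one more to the first destination -> {extra}")
```

With two destinations the model opens 2 x 64512 flows before the first destination refuses another one, while a third destination would still start at the bottom of a fresh pool. The practical consequence is the one the article hints at: a single destination endpoint that many users hit at once is what exhausts an egress IP, which is also why Cato suggests Route Via instead of a fixed NAT IP where no allowlist requires it.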
4 comments
For availability, consider multiple IP addresses in your NAT and Route rules. We've lost connectivity when our Cato socket fails to another site, and therefore a single IP at the failed site is not available until it comes back online.
There's no egress rule option under the global settings.
Rules are under Networking | Network Rules
Can this define exactly what is matched under the various categories and for what protocols?
I have a question regarding the following KB article:
https://support.catonetworks.com/hc/en-us/articles/360000163245-How-to-Configure-a-Network-Rule-to-Egress-Traffic#h_01KCP0FGHTJ74DPKFMN6EB29RV
In the article, the following statement appears:
However, earlier in the article it is stated that the 64K concurrent flows limit applies to each pair of source IP and destination IP.
To avoid misunderstanding, could you please clarify the following points:
Thank you in advance for your clarification.
Best regards,