Cato Networks Knowledge Base

How to Configure an Egress Rule

Overview of Egress Rules

Access control lists (ACLs) are used by internet services to determine which IP addresses are granted access to a system resource.

When connected to a PoP, your internet traffic may use any of the PoP's external IP addresses for NAT. When an ACL is used, to ensure access to the PoP is maintained, the NAT IP address must remain static and not shared with other Cato customers.

Egress rules allow you to NAT specific traffic with a static public IP address. The IP address is available for use by your account only and does not change (unless you change it yourself).

Configuring an Egress Rule

Egress rules are created by first selecting the IP address(es) you want to NAT and then creating the egress rule.

If you need an egress rule for only one device, or for specific devices on a network, first configure hosts for those devices.

Selecting the IP Address

Select the Cato allocated public IP address you want to translate with NAT in the egress rule. If you need additional IP addresses, contact your reseller or sales engineer.

To select the IP address to use in the egress rule:

  1. From the navigation menu, click Network > IP Allocation.

  2. From the drop-down menu, select the PoP location for which you are allocating an IP address. The IP address is supplied automatically.

  3. Click Save.

Creating a Host (Optional)

When you are egressing traffic for a specific number of devices, configure the hosts behind the relevant site.

To create a host for one or more devices:

  1. From the navigation menu, click Network > Sites > [Site Name] > Site Configuration > Hosts.

  2. Click New.

  3. Enter the Name for the device.

  4. Enter the IP address of the device.

  5. If you are using Cato for DHCP, under MAC, enter the MAC address of the computer. This will create a DHCP reservation for the computer.

    Note: If you are not using Cato DHCP, make sure the source computer has a static IP or DHCP reservation in the local DHCP server. If the IP address of the device changes, the egress rule does not work.

  6. Click Apply, and then click Save.

Creating an Egress Rule

Create a network rule to define the traffic that you are egressing to the Cato public IP address.

When you assign multiple egress IPs to a rule, the IP address closest to the source of the traffic is the primary IP address for egressing the traffic. If the primary IP isn't available for any reason, the IP of the PoP location that is next closest to the source is used (and so on).

To create an egress rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click New.

  3. In the General section, enter the Name, and the Rule Order of the egress rule.

  4. Under the Rule Type drop-down, select Internet.

  5. In the Source section, select the source of the traffic the egress rule applies to.

  6. In the App/Category section, select the traffic type the egress rule applies to.

  7. In the Configuration section, under Routing Method, select NAT.

  8. Under Allocated IPs, select the IP address(es) to egress the traffic to.

  9. Click Apply, and then click Save.

FAQ for Egress Rules

Question: When there is a network rule configured with an egress NAT IP, is there a limit of 64K concurrent flows for each egress IP address (assuming that each flow consumes a single TCP/UDP port)?

Answer: No. For each egress IP address, the PoP creates a unique NAT translation entry for every four-tuple hash (src IP, src port, dest IP, and dest port). This means the 64K concurrent-flows limit applies to a single four-tuple hash instead of a single egress IP address. This design lets Cato reach a much greater scale for concurrent flows than with traditional NAT implementations. For example, if two LAN hosts communicate with two public destinations using destination port TCP/443, the PoP can allocate up to 256K ports to support the concurrent flows (64K ports for each src/dst IP and src/dst port).
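As an added illustration of the FAQ answer (example code, not from Cato or this article), the model below contrasts a traditional NAT with one port pool per egress IP against a NAT whose pool is keyed per destination endpoint. The egress IP, host and server addresses are constructed, and keying the pool on (egress IP, dst IP, dst port) is an assumption about how reply packets must be demultiplexed, not a description of Cato's implementation.

```python
from collections import defaultdict
from typing import Dict, Optional, Tuple

POOL_SIZE = 64512  # constructed: NAT ports 1024..65535 available in one pool


class SourceNat:
    """Source NAT (PAT) for one egress IP. With per_destination=False there is
    a single port pool per egress IP (traditional NAT). With per_destination=True
    the pool is keyed by (egress IP, dst IP, dst port): a reply is identified by
    (egress IP, NAT port, dst IP, dst port), so a NAT port can be reused toward
    every other destination endpoint. Assumption: a simplified model of the FAQ,
    not Cato's implementation."""

    def __init__(self, egress_ip: str, per_destination: bool) -> None:
        self.egress_ip = egress_ip
        self.per_destination = per_destination
        self.table: Dict[Tuple, Tuple[str, int]] = {}  # flow -> (egress IP, NAT port)
        self.used: Dict[Tuple, int] = defaultdict(int)  # ports consumed per pool

    def _pool(self, dst_ip: str, dst_port: int) -> Tuple:
        if self.per_destination:
            return (self.egress_ip, dst_ip, dst_port)
        return (self.egress_ip,)

    def translate(self, flow: Tuple[str, int, str, int]) -> Optional[Tuple[str, int]]:
        """Return (egress IP, NAT port) for a (src IP, src port, dst IP, dst port)
        flow, or None if its pool is full."""
        if flow in self.table:
            return self.table[flow]
        pool = self._pool(flow[2], flow[3])
        if self.used[pool] >= POOL_SIZE:
            return None  # pool exhausted: the flow cannot be NATed
        nat_port = 1024 + self.used[pool]
        self.used[pool] += 1
        self.table[flow] = (self.egress_ip, nat_port)
        return self.table[flow]


def max_flows(per_destination: bool, hosts: int, destinations: int) -> int:
    """Constructed load test: each of `hosts` LAN hosts opens a flow from every
    source port to each of `destinations` servers on TCP/443; returns how many
    of those flows the NAT could translate."""
    nat = SourceNat("203.0.113.10", per_destination)  # constructed egress IP
    ok = 0
    for h in range(hosts):
        for d in range(destinations):
            for sport in range(1024, 65536):
                flow = (f"10.0.0.{h + 1}", sport, f"198.51.100.{d + 1}", 443)
                ok += nat.translate(flow) is not None
    return ok
```

With the traditional pool the egress IP saturates at POOL_SIZE flows regardless of how many destinations are in play; with the per-destination pool, capacity grows with the number of distinct destination endpoints, while hosts sharing one destination still share that destination's pool.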


Comments

  • Faisal Johari

    There's no egress rule option under the global settings.

  • Adrian Horne

    Rules are under Networking | Network Rules

    Can this define exactly what is matched under the various categories and for what protocols?

  • Dan Park Park

    For availability, consider multiple IP addresses in your NAT and Route rule. We've lost connectivity when our Cato socket fails over to another site and therefore a single IP at the failed site is not available until it comes back online.