Cato Networks Scanners or Penetration Testing

Preparing for a Penetration Test with Cato

This article explains the requirements for a penetration test based on the Cato Networks Terms of Use (TOU):

Every customer planning to conduct any kind of security activity, such as penetration testing or running scanners against Cato's public IPs, must coordinate it with the Support team at least 30 days before the test. In addition, provide the following details before running the tests, so that there is no impact on the service Cato provides to its customers and the Terms of Use are not violated.

The information should include:

  • Source (SRC) IPs of the scanners / penetration test machines or hosts.

  • Destination (DST) IPs in scope (the Cato IPs assigned to the customer).

  • Short activity description - describe what is planned to be scanned and which vulnerabilities are to be checked.

  • Timelines and duration of the scan or test.

  • Tools to be used - list all the tools, including versions, that will be used to conduct the test.

  • Written confirmation that DDoS or stress testing is not part of the penetration test.

If IPS is enabled on your account with the Block action, use the IPS Policy Allow List to allow the following signatures:

  • cid_scan_attack_tools_inbound

  • cid_scan_attack_tools_wanbound

  • cid_scan_attack_tools_outbound

For more information, see Allowlisting IPS Signatures.

After you complete the tests, remember to disable or delete the signatures from the IPS Policy Allow List.

DNS Traffic with Penetration Testing

Penetration testing may detect that UDP Port 53 (DNS traffic) is open on a PoP in the Cato Cloud. The DNS service on the PoPs uses this port only to allow Sockets and SDP Clients to determine the closest available PoP. The PoP DNS service does not provide any other DNS functionality over UDP Port 53.
