Enabling and Working with Anti-Malware and IPS


On top of Cato's Firewall and URL filtering, there are additional security services: Anti-Malware and Intrusion Prevention System (IPS). Both services can be enabled instantly and require nearly zero configuration. Those services provide an additional layer of security for WAN traffic, Internet traffic or both.

  • In brief, Anti-Malware will detect and block malicious files. It can be considered as an Anti-Virus gateway in the cloud.

  • The IPS, on the other hand, will detect and block exploiting vulnerabilities of the host. For example, if a user is using an unpatched version of Windows (without the latest security updates), the remote server can take advantage of a specific vulnerability of the host and execute malicious code on the work station. The IPS is usually considered a "virtual patching" server. Most of the time IT struggles with making sure all hosts have the latest security updates and patches. IPS is the immediate solution for new vulnerabilities.

Best Practice

Enabling Anti-Malware and IPS service is highly recommended. The end-user experiences no delay due to anti-malware processing. When a malicious file is detected, user access will be blocked and the user will be redirected to a block page.

There is no reason not to enable those services. Cato's security team keeps the malware protection database up-to-date at all times based on global threat intelligence databases to ensure effective protection against current threats.

As a best practice for enabling Anti-Malware and IPS services, the following workflow is advised:

  1. Enable Anti-Malware and IPS in Monitor mode for both WAN and Internet traffic. In Monitor mode, malicious traffic is only logged and not stopped.

  2. If required, you can set tracking to receive a notification when malware was detected (but not blocked because it's in Monitor mode).

  3. Review AM and IPS events within a few days and gradually switch the services to Block mode.


Note: For maximum detection results, TLS inspection must be enabled.

TLS inspection allows the security engines to analyze encrypted traffic which might contain malicious files or code. Enabling TLS inspection is the final step in enabling Anti-Malware and IPS. For further information about enabling TLS inspection, see Configuring TLS Inspection Policy for the Account. Guidelines for distributing Cato's certificate using GPO can be found here.

Below is a step-by-step guide for configuring security services and reviewing the results.

Enabling and Configuring Anti-Malware Protection

  1. From the navigation pane, click Security > Anti-Malware.

  2. Click the left slider to enable (green) or disable (gray) Anti-Malware protection for the account.

  3. Click the right slider to enable (green) or disable (gray) the NG Anti-Malware engine.


Now the Anti-Malware engines are enabled. Next step is to configure the malware protection settings.

For each Anti-Malware rule, click in the Action column and select one of the following:

  • Block - Prevent the malicious file from continuing to its destination. When applicable, redirects the user to a dedicated blocking web page.

  • Allow - Let the malicious file continue to its destination.

To monitor without blocking, set the rule to Allow, and in the Tracking section, enable the Event option. This creates event logs that you can review in the Events screen (Monitoring > Events). You can also Send Notifications triggered by the traffic type. In case of a security event (malware detection), a notification will be sent to the predefined Subscription Groups, Mailing Lists, and Alert Integrations. For more information about these notification types, see the relevant article in the Alerts section.

Enabling and Configuring Intrusion Prevention System

  1. From the navigation pane, click Security > IPS.

  2. Click the IPS slider to enable (green) or disable (gray) IPS protection for the account.

Similar to the AM engine, now enable IPS protection for WAN Traffic, Inbound Traffic and Outbound Traffic. WAN would be considered any kind of traffic between the network elements connected to Cato (sites and users). Inbound protection applies to traffic that is coming from the Internet and forwarded to internal hosts using Remote Port Forwarding. Outbound is any kind of traffic originated from the internal hosts to the Internet - regular Internet browsing.

Reviewing Security Events

As mentioned above, once the security services are enabled, the security engine determines which traffic is actually detected and potentially blocked.

The Events screen (Monitoring > Events) displays data about events that have occurred at any or all sites and users during a specific period.

To filter only AM events, from the Select Presets drop-down menu, select Anti-malware.

To filter only IPS events, from the Select Presets drop-down menu, select IPS.

Scroll down and you'll find the events. For each event you can expand to get more details.


* If Anti-Malware and/or IPS is not present, it means no events were generated. In such case, you may filter a larger time frame.

Once Anti-Malware and IPS are enabled, you can test it by trying to download malicious files, see Testing Anti-Malware and IPS Threat Protections

Additional Information about Cato's Advanced Security Services

  1. Network flow is inspected by the WAN Firewall - security admins can allow or block traffic between organizational entities such as sites, users, hosts, subnets and more. By default, Cato’s WAN Firewall follows an allowlist approach, having an implicit any-any block rule.

  2. Internet Firewall - security admins can set allow or block rules between network entities such as sites, individual users, subnets, and more to various applications, services and websites. By default, Cato’s Internet Firewall follows a blocklist approach, having an implicit any-any allow rule. Thus, to block access, you must define rules that explicitly block connections from one or more network entities to applications.

  3. URL Filtering - enhancing the Internet Firewall. Out of the box, Cato provides a predefined policy of dozens of different URL categories including security-oriented categories such as Suspected Spam and Suspected Malware. While the Internet Firewall provides static access prevention to Internet applications, URL filtering completes the Internet security with dynamic protections.

  4. Anti-Malware - can be considered as an anti-virus gateway in the cloud. Customers can use this service to inspect both WAN and Internet traffic for malware. Anti-malware processing includes the following:

    • Deep Packet Inspection of traffic payload for clear and encrypted traffic (if enabled).

    • True Filetype Detection is used to identify the actual type of a file going over the network regardless of its file extension or the content-type header.

    • Malware Detection using signature and heuristics database that is kept up-to-date at all times based on global threat intelligence databases to ensure effective protection against current threats. Cato does NOT share any files or data with cloud-based repositories to ensure customer data remains confidential.

  5. IPS - Cato’s cloud-based Network Intrusion Prevention System (IPS) inspects inbound, outbound and WAN traffic, including SSL traffic. IPS can operate in monitor mode (IDS) with no blocking action taking place. In IDS mode, all traffic is evaluated and security events are generated.

Was this article helpful?

1 out of 1 found this helpful


Add your comment