Cato Networks Knowledge Base

Best Practices for the Ordered Internet Firewall

  • Updated


With the introduction of the new ordered firewall, the previous Internet Firewall and URL Filtering windows are now consolidated into one security rulebase.

The major change is that now rules are processed according their order in the policy (top/down). If rule #2 blocks specific traffic, then the firewall doesn’t continue to the next rules for further processing. The same process is used for allow rules - if rule #2 allows a connection, then rule #3 is completely ignored and can’t block it.

Ordered firewall rulebases are the industry standard, however Cato's advantage is that in the same rule you can also define an Application or URL Category. In general, firewalls require that you configure layer 7 security in a different tab or window. In other words, most firewalls have a layer 4 security tab for network rules, and additional layer 7 tabs for application awareness and URL filtering. In Cato there's one window and policy for layer 4 – layer 7 security. You can also choose for each rule to log traffic (allowed and/or blocked).

 Ordered Internet Firewall Best Practices 

Below are the Cato Networks’ recommendations and best practices for working with the new ordered firewalls and security policy:

  1. WAN Firewall - Define groups that contain the corporate networks and allow traffic only between them. You can find additional information in the WAN Firewall article.
  2. Use Custom Categories as profiles and assign them to rules. Try to avoid adding many categories to one rule, it becomes really hard to manage. Instead of having many categories in one rule, create one Custom Category, that includes all the relevant categories. Give the rule a name like Internet Profile, and then assign it to the appropriate firewall rule.
    Essentially, the firewall rule has only one object, which includes many categories and apps. Then, if you need to edit the behavior of this rule, you edit the Custom Category. Now you have simplified the rule base and made it easy to ready and search.
  3. Have a dedicated rule for traffic that uses the Prompt action. Similar to the previous recommendation (number 2), create a Custom Category called “Prompt Sites and include all relevant URLs and categories. The firewall includes a list of default recommended websites that use the Prompt action. Nevertheless, it’s super easy to edit this list and then migrate it to a "profile type rule". Enable tracking for this rule to generate events for matching traffic.
    Recommended categories for the Prompt action include: Cheating, Gambling, Violence and Hate, Tasteless, Parked Domains, Weapons, Sex Education, Cults, Anonymizers.
  4. Similar to the previous recommendation (number #3), create a dedicated rule for Blocked sites. Enable tracking for this rule.
    Recommended categories to block include: Botnets, Compromised, Porn, Keyloggers, Malware, Phishing, Spyware, Illegal Drugs, Hacking, SPAM, Questionable.
  5. The final rule in the Internet firewall is an implicit Any - Any - Allow rule, nevertheless we recommend that you add an explicit Any - Any - Allow rule as the final rule. This way you can easily log ALL Internet traffic, just select track Events for all the rules.

Was this article helpful?

2 out of 2 found this helpful



Please sign in to leave a comment.