Best Practices for Egressing Traffic In a Network Rule

Using Network Rules with Multiple Egress IPs

You can configure Internet network rules to NAT a specific type of traffic so that it egresses from a static public IP address for a PoP. All traffic that matches the rule egresses from that static IP address towards the destination.


Best Practices for Egressing Traffic

We recommend these best practices when you configure network rules with NAT egress IP addresses:

  • Generally, use at least two egress IP addresses for a network rule to provide failover in case the destination isn’t reachable from the first-priority egress IP address.
  • For network rules that route only traffic for sensitive applications, such as VoIP, configure one egress IP address.

Multiple Egress IPs – Closest to the Source

When you have a rule that is configured with more than one egress IP address, how do you know which one is used? The following screenshot shows an example of a network rule with two egress IP addresses:


For network rules with multiple egress IP addresses, the Cato Cloud uses the egress IP address for the PoP that is geographically closest to the source. If the client can’t reach the destination via the first egress IP address, then it uses the second egress IP address.

For example, a network rule can egress traffic from either the New York PoP or the Los Angeles PoP, and the source is physically closer to the New York PoP. Cato tries to egress the traffic that matches this rule from the New York PoP. If the destination isn’t reachable from the New York PoP, then Cato egresses the traffic from the Los Angeles PoP.

If you want to route all egress rules for the account via the PoP that is closest to the destination, instead of closest to the source, please contact Cato Networks Support.

Using Egress IPs for VoIP Traffic

For network rules that route only traffic for sensitive applications, such as VoIP or ERP, we recommend that you configure these settings:

These settings force the PoP to only use the egress IP. If that IP isn't available, it waits until the egress IP address is reachable again and makes sure that the connection state is maintained.
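The selection behavior described in the two sections above (closest-to-source with failover for a multi-IP rule, and no failover for a single-IP rule) can be modeled to predict which source address a destination will see. This is an added example, not Cato code: the PoP coordinates, the documentation-range IP addresses, the Boston source site and all function names are assumptions made for illustration.

```python
"""Illustrative model of egress selection for a network rule (not Cato's code)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class EgressPop:
    name: str
    egress_ip: str  # constructed value from a documentation range
    lat: float      # approximate PoP location (assumption)
    lon: float


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def egress_order(source, pops):
    """Egress PoPs of a rule, ordered closest to the source first."""
    return sorted(pops, key=lambda p: distance_km(*source, p.lat, p.lon))


def select_egress(source, pops, reachable_from):
    """Return the PoP that egresses the traffic, or None.

    reachable_from is the set of PoP names from which the destination can
    currently be reached. None means no configured egress IP is usable; for
    a single-IP rule this models traffic waiting for that IP to return.
    """
    for pop in egress_order(source, pops):
        if pop.name in reachable_from:
            return pop
    return None


NEW_YORK = EgressPop("New York", "203.0.113.10", 40.71, -74.01)
LOS_ANGELES = EgressPop("Los Angeles", "198.51.100.20", 34.05, -118.24)
BOSTON_SITE = (42.36, -71.06)  # constructed source location

if __name__ == "__main__":
    rule = [LOS_ANGELES, NEW_YORK]  # listing order does not affect the result
    for up in ({"New York", "Los Angeles"}, {"Los Angeles"}, set()):
        chosen = select_egress(BOSTON_SITE, rule, up)
        print(sorted(up), "->", chosen.egress_ip if chosen else "no egress")
```

Running it for each site shows every egress IP address the destination may see as a source address for the rule.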


