Cato Networks Knowledge Base

Internet and WAN Firewall Policies – Best Practices

Introducing Cato Networks Firewall Best Practices

Firewalls are the key component that helps you secure the corporate network and protect internal resources. This article contains recommendations and best practices to help you create the strongest security policy for your organization. The Cato Management Application lets you easily manage the firewalls for Internet and WAN traffic.

The Internet firewall helps you to manage the Internet access from users and devices in your sites to a wide variety of services, applications, and web content. The WAN firewall lets you manage the WAN traffic for internal resources, and between users and sites. Configure and fine-tune the rules in each firewall to maximize the effectiveness of the security policy.

Planning the Firewall Security Policy

There are two approaches to firewall rulebases: allowlist and blocklist. In an allowlist rulebase, the rules define which traffic the firewall allows, and all other traffic is blocked. A blocklist rulebase is the opposite: the rules define the traffic that is blocked, and all other traffic is allowed. Organizations choose the approach that is the best fit for their specific needs and situation.

  • An allowlist security policy has an ANY ANY Block rule as the final rule to block all traffic that doesn't match an allow rule

  • A blocklist security policy has an ANY ANY Allow rule as the final rule to allow all traffic that doesn't match a block rule

The recommendations for each approach are discussed below in the respective sections for the Internet and WAN firewalls.

Best Practices for Internet and WAN Traffic

This section contains best practices for a strong security policy that are relevant to the Internet and WAN firewalls.

Ordering the Firewall Rules

The WAN and Internet firewalls in Cato Networks are ordered firewalls. The firewall inspects connections sequentially and checks to see if the connection matches a rule. For example, if a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection.

When the firewall rules are in the wrong order, you can accidentally block or allow traffic. This can lead to a bad user experience or create security risks. For more about ordering the firewall rules, see:

Generally, the recommended rulebase order is as follows:

  • Specific block rules

  • General allow rules

  • Specific allow rules

  • ANY ANY rule

    • Allowlist (default WAN firewall) uses a final block rule

    • Blocklist (default Internet firewall) uses a final allow rule

Monitoring Traffic

The Track option for firewall rules helps you monitor and analyze the firewall traffic events and notifications. We recommend that you configure rules to generate events for the block action, so that you can easily monitor the sources that are trying to reach restricted content. You can also add events and notifications for rules that handle traffic with significant security risks.

When traffic matches a rule, you can configure the Cato Management Application to generate:

  • Events that you can review in the Analytics section and also export for third-party tools.

  • Email notifications to the specified recipients.

The Track column shows when events and email notifications are enabled.

You can use the View Rule Events option in the More icon menu to open the Events screen pre-filtered for all the events generated by this firewall rule.

The following screenshot shows the Track section in the rule's edit panel:

track.png

For more information about email notifications and events, see Working with Email Notifications for the Account.

Scheduling Time Constraints for Rules

The Time Constraint feature lets you define a specific time range during which the firewall rule is enabled. Outside of that time range, the firewall ignores the rule. This feature lets you limit Internet access and improve access control in your network. For example, you can define a rule in the Internet firewall that only blocks access to the Social category during regular working hours. Or you can create a rule in the WAN firewall that only allows access to a cloud data center during the same working hours. Edit the Actions section for a rule to schedule the time constraints.

The following screenshot shows an example of a rule with a time constraint limited to the working hours for the account:

time_constraint.png

Note: Time-constrained firewall rules are enforced differently depending on the source type:

  • For sites, the configured time zone of the site is used to enforce time-constrained firewall rules

  • For SDP users, the time-constrained firewall rules are based on the geo-location of their public IP address
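The following is an added example, not code from the article or from Cato Networks: a small Python model of an ordered, first-match rulebase that shows the two behaviors described above, rule ordering (Ordering the Firewall Rules) and time constraints (Scheduling Time Constraints for Rules). The rule fields, the group names (All Sites, All SDP Users, IT Department) and the categories used as sample data are assumptions chosen to mirror the article's examples; the implicit final rule is modelled as a default action, "block" for an allowlist and "allow" for a blocklist. It also covers the case raised in the comments below the article: a time-constrained allow rule on its own is enough where the rulebase ends in a block, but in a blocklist Internet firewall it needs an explicit block rule beneath it.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

ANY = "ANY"


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block" ("prompt" would fit the same way)
    source: str = ANY              # site, user or group name, or ANY
    destination: str = ANY         # category, application or service name, or ANY
    start: Optional[time] = None   # optional time constraint window [start, end)
    end: Optional[time] = None
    track: bool = False            # generate an event when the rule matches

    def active_at(self, when: datetime) -> bool:
        # Outside its window a time-constrained rule is ignored entirely,
        # so evaluation simply continues with the next rule.
        if self.start is None or self.end is None:
            return True
        return self.start <= when.time() < self.end

    def matches(self, src: FrozenSet[str], dst: FrozenSet[str], when: datetime) -> bool:
        # src carries the site/user plus its group memberships; dst carries every
        # classification of the connection (service, application, category).
        return (self.active_at(when)
                and (self.source == ANY or self.source in src)
                and (self.destination == ANY or self.destination in dst))


def evaluate(rules: List[Rule], src: FrozenSet[str], dst: FrozenSet[str],
             when: datetime, default_action: str) -> Tuple[str, str, bool]:
    """First-match evaluation of an ordered rulebase.

    Returns (rule name, action, tracked). default_action stands in for the
    implicit final rule: "block" for an allowlist, "allow" for a blocklist.
    """
    for rule in rules:
        if rule.matches(src, dst, when):
            return rule.name, rule.action, rule.track
    return "implicit final rule", default_action, False


WORK_HOURS = (time(9, 0), time(17, 0))
NOON = datetime(2024, 1, 15, 12, 0)
EVENING = datetime(2024, 1, 15, 19, 0)

# Constructed Internet rulebase in the recommended order:
# specific block, general allow, specific allow, explicit ANY ANY block.
ORDERED = [
    Rule("Block Gambling", "block", ANY, "Gambling", track=True),
    Rule("Allow HTTP for All Sites", "allow", "All Sites", "HTTP"),
    Rule("Allow SSH for IT", "allow", "IT Department", "SSH"),
    Rule("ANY ANY Block", "block", track=True),
]
# Same rules, but the general allow was placed above the specific block.
MISORDERED = [ORDERED[1], ORDERED[0], ORDERED[2], ORDERED[3]]

# Blocklist Internet firewall with a working-hours block (implicit ANY ANY Allow).
SOCIAL_BLOCKLIST = [Rule("Block Social (working hours)", "block", ANY, "Social",
                         *WORK_HOURS, track=True)]

# A time-constrained allow on its own: enough in the WAN firewall (implicit block),
# but in the Internet firewall it needs an explicit block rule below it.
WAN_TIMED_ALLOW = [Rule("Allow Datacenter RDP (working hours)", "allow",
                        "All SDP Users", "RDP", *WORK_HOURS)]
INTERNET_TIMED_ALLOW = [
    Rule("Allow Streaming (working hours)", "allow", ANY, "Streaming", *WORK_HOURS),
    Rule("Block Streaming", "block", ANY, "Streaming"),
]

BRANCH = frozenset({"Branch-1", "All Sites"})        # a site and its group membership
SDP_USER = frozenset({"user:alice", "All SDP Users"})

if __name__ == "__main__":
    gambling = frozenset({"HTTP", "Gambling"})
    print("ordered:   ", evaluate(ORDERED, BRANCH, gambling, NOON, "block"))
    print("misordered:", evaluate(MISORDERED, BRANCH, gambling, NOON, "block"))
    for when in (NOON, EVENING):
        print(when.time(), "social:   ", evaluate(SOCIAL_BLOCKLIST, BRANCH, frozenset({"Social"}), when, "allow"))
        print(when.time(), "wan rdp:  ", evaluate(WAN_TIMED_ALLOW, SDP_USER, frozenset({"RDP"}), when, "block"))
        print(when.time(), "streaming:", evaluate(INTERNET_TIMED_ALLOW, BRANCH, frozenset({"Streaming"}), when, "allow"))
```

Running it shows the gambling-over-HTTP connection hitting Block Gambling in the recommended order but Allow HTTP for All Sites in the misordered rulebase, and the working-hours rules matching at noon while falling through to the next rule, or to the implicit final rule, in the evening.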

Simplifying Firewall Management

A simplified firewall rulebase is part of a strong security policy because it’s easier to manage and reduces confusion. The recommendations in this section help you to implement a clear and consistent security policy and avoid mistakes.

Avoid Confusing Rule Names

When you create a rule, give it a specific and unique name. Self-explanatory rule names let other administrators on the team easily understand the purpose of the rule. Poorly named rules can cause mistakes and create confusion.

The following screenshot shows an Internet firewall rule that blocks gambling websites for any site or user. An example of a confusing name for this rule is Blocked Websites.

gambling_rule.png

Don’t Disable, Delete

The More menu in the screenshot below lets you easily enable or disable a firewall rule. However, we recommend that you only disable rules for a short period of time. For rules that are obsolete and no longer in use, delete them from the rulebase instead of disabling them. Disabled rules make the rulebase more complex and harder to manage.

disableRule.png

Use Groups

When you create a firewall rule, use a Group of users or sites and restrict network access for the members of this group. For example, you can create a group of users (Assets > Groups) and block Internet access for this group only.

Naming Exceptions to Rules

Exceptions are powerful for firewall rules, but they can make the rulebase difficult to read. In the cases that you use exceptions in rules, name the rules so that it's obvious they contain exceptions (for example, Block Social (with except)).

Securing Internet Traffic

The Cato Internet firewall inspects the Internet traffic and lets you create rules to control Internet access. The Internet firewall is based on a set of security rules that let you allow or block access from sites and users to websites, categories, applications, and so on. The default approach of the Internet firewall is blocklist (ANY ANY Allow).

The following screenshot shows a sample Internet firewall in the Cato Management Application (Security > Internet Firewall):

DefaultInternetFirewall.png

Implementing an Internet firewall with allowlist behavior means that by default the firewall blocks all Internet traffic. Add rules to the firewall that specifically allow Internet traffic according to the needs of the corporate security policy.

To implement an allowlist Internet firewall in the Cato Management Application, the final rule at the bottom of the rulebase must be an explicit rule that blocks any traffic from any source to any destination. See the example below:

any_any_block_int.png

We also recommend that you enable tracking for the final rule, because it helps you analyze and monitor the alerts.

Recommended Rules for an Allowlist Internet Firewall

This section discusses rules that we recommend that you include in rulebases for the Internet firewall that use the allowlist approach.

Restricting Websites and Apps

When allowing HTTP and HTTPS traffic, we recommend that you block websites that contain risky and inappropriate content. These websites are typically blocked by businesses and can also be potential sources of malware. Each category (Assets > Categories) contains a variety of websites and applications that you can easily add to rules, for example, Botnets, Compromised, Porn, Keyloggers, Malware, Phishing, Spyware, Illegal Drugs, Hacking, SPAM, Questionable.

Allowing DNS Traffic

At the top of the rulebase, make sure that there’s a rule to allow all DNS services as part of the Internet traffic.

The following screenshot shows an example of a rule that allows DNS traffic:

DNS_rule.png

Allowing Services

Create a rule to allow the services that are used by your account and require access to the Internet. In addition, if there are services that are only used for specific sites, then you can create a separate rule that only allows access for those sites.

The following screenshot shows the Services drop-down menu:

services.png

Allowing Applications

Add the applications that are used by your organization to the Internet firewall rules from the predefined applications list. Cato continuously updates this list with new applications. If you need an application that doesn't appear in that list, you can define a custom application; for more information, see Working with Custom Applications.

The following screenshot shows the Applications drop-down menu:

applications.png

Blocklisting Internet Traffic

Implementing an Internet firewall with blocklist behavior means that by default the firewall allows all Internet traffic. Add rules to the firewall that specifically block Internet traffic according to the needs of the corporate security policy. Blocklisting is the default structure for the Internet firewall; it allows any traffic that isn't blocked by a rule.

In addition, we recommend that you use a learning period to identify unwanted Internet traffic. During this learning period, temporarily add a rule at the bottom of the rulebase that allows any traffic from any source to any destination with tracking enabled. This rule generates an event for every connection that is allowed to access the Internet. When you review the Internet traffic for your account and identify unwanted traffic, you can then add a rule to block it.

You can use the Events screen (Monitor > Events) to analyze firewall events. For more information, see Analyzing Events in Your Network.
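The following is an added example, not code from the article or from Cato Networks, of how the learning-period review described above could be done over exported events. The event lines and their column names are constructed for the example and are not Cato's export schema; the category list is taken from the categories this article names as typical block candidates. The code counts what the temporary ANY ANY Allow rule let through by category and reports the risky categories, with their hit counts and destinations, as candidates for new block rules placed above the learning rule.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Categories this article names as typical block candidates (Restricting Websites
# and Apps, Limiting Outbound Internet Traffic, Blocking Uncategorized Web Content).
RISKY_CATEGORIES = {
    "Botnets", "Compromised", "Malware", "Phishing", "Spyware", "Keyloggers",
    "Hacking", "SPAM", "Questionable", "Gambling", "Anonymizers", "Parked Domains",
    "Uncategorized",
}

# Constructed sample export; the column names are assumptions, not Cato's schema.
SAMPLE_EVENTS = """\
time,rule,action,source,category,destination
2024-01-15T09:01:00Z,Allow DNS,allow,Branch-1,DNS,8.8.8.8
2024-01-15T09:02:10Z,Learning ANY ANY Allow,allow,Branch-1,Business,crm.example.com
2024-01-15T09:05:44Z,Learning ANY ANY Allow,allow,Branch-2,Anonymizers,proxy.example.net
2024-01-15T09:07:12Z,Learning ANY ANY Allow,allow,user:alice,Uncategorized,cdn-x.example.org
2024-01-15T09:09:30Z,Learning ANY ANY Allow,allow,Branch-1,Business,crm.example.com
2024-01-15T09:11:05Z,Block Gambling,block,user:bob,Gambling,bet.example.com
2024-01-15T09:12:51Z,Learning ANY ANY Allow,allow,Branch-2,Anonymizers,proxy.example.net
"""
LEARNING_RULE = "Learning ANY ANY Allow"   # hypothetical name of the temporary rule


def parse_events(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per event."""
    return list(csv.DictReader(StringIO(text)))


def allowed_by(events: List[Dict[str, str]], rule_name: str) -> List[Dict[str, str]]:
    """Events where the named rule let the connection through."""
    return [e for e in events if e["rule"] == rule_name and e["action"] == "allow"]


def category_counts(events: List[Dict[str, str]], rule_name: str = LEARNING_RULE) -> Counter:
    """What the learning rule is letting out, by category; the review starts here."""
    return Counter(e["category"] for e in allowed_by(events, rule_name))


def block_candidates(events: List[Dict[str, str]], rule_name: str = LEARNING_RULE,
                     risky: Optional[set] = None) -> List[Tuple[str, int, List[str]]]:
    """Risky categories the learning rule allowed, as (category, hits, destinations),
    most frequent first. Each entry is a candidate for a block rule above the learning rule."""
    risky = RISKY_CATEGORIES if risky is None else risky
    dests: Dict[str, List[str]] = {}
    for e in allowed_by(events, rule_name):
        dests.setdefault(e["category"], []).append(e["destination"])
    found = [(cat, len(d), sorted(set(d))) for cat, d in dests.items() if cat in risky]
    return sorted(found, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(category_counts(evs))
    for cat, hits, targets in block_candidates(evs):
        print(f"{cat}: {hits} allowed connection(s) -> {', '.join(targets)}")
```

Events that already matched a block rule (the Gambling line) are left out of the candidate list on purpose; the review is about traffic that nothing in the rulebase stopped.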

Recommended Rules for Blocklist Internet Firewall

This section discusses rules that we recommend that you include in rulebases for the Internet firewall that use the blocklist approach.

Blocking Services with Known Vulnerabilities

Services such as Telnet and SNMP v1 & v2 are potential security risks, and they can be blocked in Internet rulebases. If your organization requires access to these services, we recommend that you add an exception to the block rule for those specific users or groups.

The following screenshot shows a sample rule blocking Telnet and SNMP traffic, with an exception that allows access for the IT Department:

Block_Telnet.png

Blocking Uncategorized Web Content

The category Uncategorized contains websites that are not assigned to an existing category from the list of categories. These websites can be a potential security risk for your network. Create a rule that blocks the category Uncategorized for all Internet traffic.

Using Geo-Location to Block Countries

There are a few countries that are known to generate malicious traffic. If your organization doesn’t have business with these countries, we recommend that you block Internet access to them and reduce potential malicious traffic. You can create a rule that uses the Country in the App / Category option to block Internet traffic.

The following screenshot shows the countries in the App / Category drop-down menu:

countries.png

Note: To block all Internet access to a country, make sure that the geo-location rule is higher in the rulebase than rules with an allow or prompt action.

Best Practices for Cato Internet Firewall Policy

The section contains best practices to help you secure Internet access for your account.

Avoiding ANY in Internet Rules

For rules that allow Internet access, we recommend that you select a specific site, host or user in the Source column, instead of using the option Any. Rules that allow any traffic to the Internet are a potential security risk because you are allowing traffic from unexpected sources.

The following screenshot shows a rule where the Source column is set to the groups All Sites and All SDP Users instead of Any:

group_rule.png

Note: If you add new sites to your account, remember to also add them to the relevant Internet firewall rules.

Limiting Outbound Internet Traffic

When you must use a firewall rule that allows all outbound Internet traffic for a specific service or port, we recommend that you also block the categories or applications that are potential security risks.

For example, if you have a rule that allows all HTTP traffic, add an exception to the rule for categories such as: Cheating, Gambling, Violence and Hate, Parked Domains, Nudity, Weapons, Sex Education, Cults, and Anonymizers. These are examples of categories that can contain malicious content, and the exception blocks Internet access for these categories.

Using Secured Protocols

In general, for rules that allow Internet traffic, we recommend that you use secure encrypted protocols instead of plain text protocols. For example, use FTPS instead of FTP, or SSH instead of Telnet or SNMP. Internet traffic that is allowed with secured protocols is encrypted and is very difficult for attackers to intercept and decrypt.

Prompting Users for Access to Risky Websites

If you have a rule that allows access to risky websites with a minor security risk, we recommend that you use the Prompt action instead of Allow. When users try to access one of these websites, the Prompt action redirects the users to a web page where they decide whether to continue or not. Because these websites add a security risk for your network, we recommend that you track events for traffic that matches this rule.

For the Prompt action, we recommend that you install the Cato certificate on all supported devices.

The following screenshot shows the default categories with the Prompt action for new Cato accounts:

PromptRule.png

Securing WAN Traffic

Cato’s WAN firewall is responsible for controlling the traffic between the different network elements that are connected to the Cato Cloud. With the WAN firewall, you can control the WAN traffic over your network and achieve optimal network security.

The WAN firewall uses the ANY ANY Block (allowlist) approach by default. This means that any connectivity between sites and users is blocked unless you define specific WAN firewall rules that allow the connections.

The following screenshot shows the WAN firewall rules configuration window in the Cato Management Application (Security > WAN Firewall):

wan_fw.png

Allowlisting WAN Traffic

Implementing a WAN firewall with allowlist behavior means that by default the firewall blocks all WAN connectivity between sites, servers, users, and so on. Add rules to the firewall that specifically allow WAN traffic connectivity in your network. Allowlisting is the default structure for the Cato WAN firewall; the implicit final rule of the WAN rulebase is ANY ANY Block.

We strongly recommend that you don’t add a rule that allows connectivity from any source to any destination in the WAN. This ANY ANY Allow rule exposes your network to significant security risks.

Limiting Traffic with Services and Applications

A strong security policy for an allowlist WAN firewall includes rules that only allow the specific services and applications that are used by your organization. Instead of rules that allow ANY service for traffic between sites, add the specific services or applications to the rule. These are some examples of how you can limit the WAN firewall rules:

Services that are often used by organizations include DNS, DHCP, SMB, Databases, Citrix, RDP, DCE/RPC, SMTP, FTP, ICMP, NetBIOS, NTP, SNMP, and so on.

The following list shows examples of the criteria you can use to narrow a rule:

  • Ports - DNS = 53/UDP or 53/TCP

  • Destination IP addresses - 8.8.8.8 is a Google DNS server

  • Applications - Cato classifies applications based on the TCP handshake

Services are more specific than ports, so we recommend that you use Services in the firewall rulebase to create more restrictive rules.

Applications that are often used by organizations include: SharePoint, Slack, Citrix ShareFile, and so on.

You can also create a custom category that contains all the applications and services for the WAN firewall, and then add this custom category to the relevant rules. Use Custom Applications for applications or services that are not predefined in the firewall. Custom applications also let events include the application name, which makes analysis easier.

Blocklisting WAN Traffic

Implementing a WAN firewall with blocklist behavior means that by default the firewall allows all WAN connectivity between sites, servers, users, and so on. Add rules to the firewall that specifically block WAN traffic according to the needs of the corporate security policy. We don’t recommend using this approach for a WAN security policy. However, if your organization does use it, then make sure that you block undesired WAN traffic.

To implement a blocklist WAN firewall in the Cato Management Application, add an explicit ANY ANY Allow rule at the bottom of the rulebase.

Blocking WAN Traffic for a Blocklist Firewall

For blocklist WAN firewalls, we recommend that you add the following rules above the final ANY ANY Allow rule to help create a strong security policy:

  • Rules that block services that are security risks and have known vulnerabilities, such as SMBv1

  • Rules that block connectivity between sites that don't need to communicate

Best Practices for Cato WAN Firewall Policy

This section contains best practices to help you secure the WAN connectivity for your account.

Allowing Specific Traffic Between Sites and Users

The golden rule for the WAN firewall is to allow only the desired traffic. In these allow rules, specify the services and ports that are actually used; this gives you more secure WAN connectivity.

The following screenshot shows a sample WAN firewall rule that allows all SDP users to access the datacenter site. This rule improves security because it only allows RDP traffic for SDP users.

mobile_rule_wan.png

Avoiding Any for Source and Destination

WAN firewall rules that give access to ANY Source or Destination are less secure than specific sites and users. The more specific settings give you increased control for the WAN connectivity for the account.

The following screenshot shows an example of a WAN firewall rule that uses specific sites in the Source and Destination settings:

src_and_dest.png

Comments

  • Brett Waddington

    Hi Catonians
    How does the time of day functionality work please?
    Understand Block or prompt time of day function, as it's whitelist based which would imply that blocking certain times of the day is fine - and only a single rule is required.

    However, how does it work if Allow with Time constraint instead?

    Do I need to create a rule to allow the application for a time period, then create a rule below to block that same at all times, i.e. have to create two rules, the first being more specific to allow traffic. Or,

    Should there only be 1 rule - Allow only for the time constraint period would suffice (as it incorporates the block rule for the rest of the time period).

    Cheers,

    Brett..

  • Tamir Eliyahu

    Hi Brett,

    The firewall rulebase is an ordered rulebase. If you allow application traffic for a specific time range, then outside that time range the firewall will move on to the next rules.

    If the time constraint is configured for a rule, this rule will be applied only during that time; at any other time this rule will be ignored.
    If there is no block rule after it in the rulebase, the firewall will not block the traffic (unless it is a WAN firewall).
    Note that for the Internet Firewall, the approach is blacklist so you have to configure rules to block. In contrast to the WAN firewall (ANY ANY block) - so everything is blocked and you have to whitelist the traffic you want to allow.

  • Akei Hsu

    What are all the conventions/syntaxes for defining port numbers: is it okay to define TCP/20-23 or TCP/20,21,22,23 or TCP/20_23 or TCP23_20 etc. ??? :-)

  • Community Manager

    Hello Akei!

    My apologies that your question has only been responded to now! The following conventions should be followed when defining Protocol/Port values in Firewall rules:

    • When defining ranges - TCP/80-85
    • Multiple protocols - TCP_UDP/8080
    • Simple predicate - TCP/80

    Please let me know if this is sufficient information for you.

    Kind Regards,

    Dermot

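The following is an added example, not code from the article, from Cato Networks or from the commenters: a Python validator for Protocol/Port values that encodes the three conventions given in the reply above (range TCP/80-85, multiple protocols TCP_UDP/8080, single port TCP/80) as an assumed grammar, and rejects the other forms from the question (comma lists, underscores inside the port part, missing slash). The set of protocol names and the treatment of anything outside those three forms as invalid are assumptions; a reviewer can run it over the port values of a rulebase before they are entered.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed grammar, built from the three conventions in the reply above:
#   <PROTO>[_<PROTO>...]/<PORT>[-<PORT>]   e.g. TCP/80, TCP/80-85, TCP_UDP/8080
# Comma lists and underscores inside the port part are deliberately not accepted.
SPEC_RE = re.compile(r"^(?P<protos>[A-Z]+(?:_[A-Z]+)*)/(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?$")
KNOWN_PROTOCOLS = {"TCP", "UDP"}   # assumption: the protocols the convention names

PortRange = Tuple[str, int, int]   # (protocol, first port, last port)


def parse_port_spec(spec: str) -> List[PortRange]:
    """Expand one Protocol/Port value into (protocol, lo, hi) ranges, or raise ValueError."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported port specification: {spec!r}")
    protos = m.group("protos").split("_")
    unknown = [p for p in protos if p not in KNOWN_PROTOCOLS]
    if unknown:
        raise ValueError(f"unknown protocol(s) {unknown} in {spec!r}")
    lo = int(m.group("lo"))
    hi = int(m.group("hi")) if m.group("hi") else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return [(p, lo, hi) for p in protos]


def is_valid_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def covers(spec: str, protocol: str, port: int) -> bool:
    """True if the spec would match a connection on protocol/port."""
    return any(p == protocol and lo <= port <= hi for p, lo, hi in parse_port_spec(spec))


def validate_specs(specs: List[str]) -> Dict[str, Optional[str]]:
    """Map each spec to None (valid) or the parser's error text, for reviewing a rulebase."""
    result: Dict[str, Optional[str]] = {}
    for s in specs:
        try:
            parse_port_spec(s)
            result[s] = None
        except ValueError as exc:
            result[s] = str(exc)
    return result


if __name__ == "__main__":
    # The forms from the question above plus the three documented conventions.
    for spec, err in validate_specs(["TCP/80-85", "TCP_UDP/8080", "TCP/80",
                                     "TCP/20,21,22,23", "TCP/20_23", "TCP23_20"]).items():
        print(f"{spec:16} {'ok' if err is None else err}")
```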
