Firewalls are a key component in securing corporate networks and protecting internal resources. This article contains recommendations and best practices to help you create the strongest security policy for your organization. The Cato Management Application lets you manage the firewalls for Internet and WAN traffic from one place.
The Internet firewall manages Internet access from the users and devices in your sites to services, applications, and web content. The WAN firewall manages WAN traffic to internal resources, and between users and sites. Configure and fine-tune the rules in each firewall to maximize the effectiveness of the security policy.
There are two approaches to firewall rulebases: allowlist and blocklist. In an allowlist rulebase, the rules define which traffic the firewall allows, and all other traffic is blocked. In a blocklist rulebase, the rules define which traffic is blocked, and all other traffic is allowed. Organizations choose the approach that best fits their specific needs and situation.
An allowlist security policy has an ANY ANY Block rule as the final rule, to block all traffic that doesn't match an allow rule
A blocklist security policy has an ANY ANY Allow rule as the final rule, to allow all traffic that doesn't match a block rule
The recommendations for each approach are discussed below in the respective sections for the Internet and WAN firewalls.
This section contains best practices for a strong security policy that are relevant to the Internet and WAN firewalls.
The WAN and Internet firewalls in Cato Networks are ordered firewalls. The firewall inspects each connection against the rules sequentially, from the top of the rulebase down, and stops at the first rule that matches. For example, if a connection matches rule #3, the action of rule #3 is applied and the firewall does not evaluate rules #4 and below for that connection.
When the firewall rules are in the wrong order, you can accidentally block or allow traffic. This leads to a bad user experience or creates security risks. For more about ordering the firewall rules, see:
Generally, the recommended rulebase order is:
Specific block rules
General allow rules
Specific allow rules
ANY ANY rule
Allowlist (the default for the WAN firewall) uses a final block rule
Blocklist (the default for the Internet firewall) uses a final allow rule
Because the first matching rule wins, a rule whose source, destination and service are all already covered by an earlier rule can never match (it is shadowed). When two rules overlap, place the more specific one above the more general one, and review the rulebase for shadowed rules after every change.
The Track option for firewall rules helps you monitor and analyze firewall traffic through events and notifications. We recommend that you configure rules with the Block action to generate events, so that you can easily monitor the sources that are trying to reach restricted content. Also add events and notifications for rules that handle traffic with significant security risk.
When traffic matches a rule, you can configure the Cato Management Application to generate:
Events that you can review in the Analytics section and also export for third-party tools.
Email notifications to the specified recipients.
The Track column shows when events and email notifications are enabled.
You can use the View Rule Events option in the more icon menu to open the Events screen pre-filtered for all the events generated by this firewall rule.
The following screenshot shows the Track section in the rule's edit panel:
For more information about email notifications and events, see Working with Email Notifications for the Account.
The Time Constraint feature lets you define a specific time range that the firewall rule is enabled. Outside of the time range, the firewall ignores this rule. This feature lets you limit Internet access and improve access control in your network. For example, you can define a rule in the Internet firewall that only blocks access to the Social category during regular working hours. Or you can create a rule in the WAN firewall that only allows access to a cloud data center during the same working hours. Edit the Actions section for a rule to schedule the time constraints.
The following screenshot shows an example of a rule with time constraint limited to the working hours for the account:
Note: The time used to enforce a time-constrained firewall rule depends on the type of source:
For sites, the time zone configured for the site is used to enforce time-constrained firewall rules
For SDP users, time-constrained firewall rules are enforced according to the geo-location of the user's public IP address, so a travelling user is evaluated in the local time of the location they connect from
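The two mechanisms above, first-match evaluation of an ordered rulebase and time constraints that are judged in the source's local time, are easy to get wrong in a real rulebase, so here is an added example that is not part of the Cato documentation or product. It models a small Internet rulebase in Python and shows three things: that inspection stops at the first matching rule, that a rule exception makes the rule not apply so the connection continues down the rulebase, and that a site is judged by its configured time zone while an SDP user is judged by the location of their public IP. The rule model, the group names, the fixed UTC offsets standing in for site time zones, and the geo-IP table keyed on RFC 5737 documentation prefixes are all assumptions made for the example; none of it is the Cato Management Application's data model.

```python
"""Ordered (first-match) firewall rulebase with exceptions, time constraints and shadow detection.
Added illustration; the rule model and all names are constructed for this example, not Cato's schema."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import Optional

ANY = "any"  # stands for the Any selection in a rule's Source / Destination / Service column

# Constructed stand-in for a geo-IP lookup: RFC 5737 documentation prefixes mapped to UTC offsets.
GEO_OFFSET = {"198.51.100.": -5, "203.0.113.": 0}


@dataclass
class Rule:
    name: str
    source: object              # set of site/user/group names, or ANY
    dest: object                # set of destination categories or applications, or ANY
    service: object             # set of service names, or ANY
    action: str                 # "allow" or "block"
    start: Optional[time] = None  # time constraint: enforced only inside [start, end) local time
    end: Optional[time] = None
    exceptions: list = field(default_factory=list)  # e.g. [{"source": {"IT Department"}}]


@dataclass
class Connection:
    groups: frozenset           # the source plus every group it belongs to
    dest: str                   # destination category or application
    service: str
    at: datetime                # connection time, timezone-aware UTC
    kind: str = "site"          # "site" or "user" (SDP user)
    site_utc_offset: int = 0    # constructed stand-in for the site's configured time zone
    public_ip: str = ""         # SDP user's public IP, used for geo-location


def _matches(selection, values) -> bool:
    """A column matches when it is Any or shares at least one name with the connection."""
    return selection == ANY or bool(selection & values)


def local_time(conn: Connection) -> datetime:
    """Sites use their configured time zone; SDP users use the geo-location of their public IP."""
    if conn.kind == "site":
        offset = conn.site_utc_offset
    else:
        offset = GEO_OFFSET.get(conn.public_ip.rsplit(".", 1)[0] + ".", 0)
    return conn.at.astimezone(timezone(timedelta(hours=offset)))


def in_window(rule: Rule, local: datetime) -> bool:
    """True when the rule has no time constraint or the local time falls inside it."""
    if rule.start is None:
        return True
    t = local.time()
    if rule.start <= rule.end:
        return rule.start <= t < rule.end
    return t >= rule.start or t < rule.end  # window crosses midnight, e.g. 22:00-06:00


def rule_applies(rule: Rule, conn: Connection) -> bool:
    fields = {"source": conn.groups, "dest": {conn.dest}, "service": {conn.service}}
    if not all(_matches(getattr(rule, col), fields[col]) for col in fields):
        return False
    if not in_window(rule, local_time(conn)):
        return False  # outside the time range the firewall ignores this rule
    for exc in rule.exceptions:
        if all(_matches(sel, fields[col]) for col, sel in exc.items()):
            return False  # exception matched: the rule does not apply, evaluation continues
    return True


def first_match(rules, conn: Connection):
    """Ordered firewall: the first rule that applies decides, and inspection stops there."""
    for rule in rules:
        if rule_applies(rule, conn):
            return rule.name, rule.action
    return None, None  # only reachable when the rulebase lacks a final ANY ANY rule


def _subset(narrow, wide) -> bool:
    return wide == ANY or (narrow != ANY and narrow <= wide)


def shadowed_rules(rules):
    """Rules that can never match: an earlier unconditional rule covers everything they describe."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            unconditional = earlier.start is None and not earlier.exceptions
            if unconditional and all(_subset(getattr(later, c), getattr(earlier, c))
                                     for c in ("source", "dest", "service")):
                found.append((later.name, earlier.name))
                break
    return found


# Blocklist-style Internet rulebase with an explicit final rule (constructed example rules).
RULES = [
    Rule("Block Telnet and SNMP v1/v2", ANY, ANY, {"telnet", "snmp"}, "block",
         exceptions=[{"source": {"IT Department"}}]),
    Rule("Allow IT management", {"IT Department"}, ANY, {"telnet", "snmp"}, "allow"),
    Rule("Allow DNS", ANY, ANY, {"dns"}, "allow"),
    Rule("Block Social during working hours", {"All Sites", "All SDP Users"}, {"Social"},
         {"http", "https"}, "block", start=time(9, 0), end=time(18, 0)),
    Rule("Allow web", {"All Sites", "All SDP Users"}, ANY, {"http", "https"}, "allow"),
    Rule("Allow HR Social", {"All Sites"}, {"Social"}, {"https"}, "allow"),  # shadowed by Allow web
    Rule("Block everything else", ANY, ANY, ANY, "block"),
]

if __name__ == "__main__":
    tokyo = frozenset({"Tokyo", "All Sites"})
    print(first_match(RULES, Connection(tokyo, "Social", "https",
                                        datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc), "site", 9)))
    print(shadowed_rules(RULES))
```

Running the script prints ('Block Social during working hours', 'block'), because 02:00 UTC is 11:00 in the Tokyo site's time zone, and reports Allow HR Social as shadowed by Allow web: it sits below a rule that already allows every connection it describes, so it is dead weight in the rulebase.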
A simplified firewall rulebase is part of a strong security policy because it’s easier to manage and reduces confusion. The recommendations in this section help you to implement a clear and consistent security policy and avoid mistakes.
When you create a rule, give it a specific and unique name. Self-explanatory rule names let other administrators on the team understand the purpose of the rule at a glance. Poorly named rules cause mistakes and create confusion.
The following screenshot shows an Internet firewall rule that blocks gambling websites for any site or user. An example of a confusing name for this rule is Blocked Websites; a name such as Block Gambling - All Sites and Users states what the rule does.
The more menu in the screenshot below lets you easily enable or disable a firewall rule. However, we recommend that you only disable rules for a short period of time. Delete rules that are obsolete and no longer in use from the rulebase instead of disabling them. Disabled rules make the rulebase more complex and harder to manage, and a disabled rule is easy to re-enable by mistake.
When you create a firewall rule, use a Group of users or sites to restrict network access for the members of that group, rather than listing individual users or sites in the rule. For example, you can create a group of users (Assets > Groups) and block Internet access for this group only.
The Cato Internet firewall inspects the Internet traffic and lets you create rules to control Internet access. The Internet firewall is based on a set of security rules that let you allow or block access from sites and users to websites, categories, applications, and so on. The default approach of the Internet firewall is blocklist (ANY ANY Allow).
The following screenshot shows a sample Internet firewall in the Cato Management Application (Security > Internet Firewall):
Implementing an Internet firewall with allowlist behavior means that by default the firewall blocks all Internet traffic. Add rules to the firewall that specifically allow Internet traffic according to the needs of the corporate security policy.
To implement an allowlist Internet firewall in the Cato Management Application, the final rule at the bottom of the rulebase must be an explicit rule that blocks any traffic from any source to any destination. See the example below:
We also recommend that you enable tracking for the final rule, so that every connection it blocks generates an event you can analyze. These events show which legitimate traffic is still missing an allow rule and which sources are trying to reach destinations that no rule permits.
This section discusses rules that we recommend that you include in rulebases for the Internet firewall that use the allowlist approach.
When allowing HTTP and HTTPS traffic, we recommend that you block websites that contain risky and inappropriate content. These websites are typically blocked by businesses and are also potential sources of malware. Each category (Assets > Categories) contains a variety of websites and applications that you can easily add to rules, for example: Botnets, Compromised, Porn, Keyloggers, Malware, Phishing, Spyware, Illegal Drugs, Hacking, SPAM, Questionable.
At the top of the rulebase, make sure that there's a rule that allows the DNS service as part of the Internet traffic; without it, name resolution fails and the allow rules below it are useless. If your sites and users are configured to use specific resolvers, limit the Destination of this rule to those resolvers instead of Any: unrestricted outbound DNS to arbitrary servers is a common channel for tunneling and data exfiltration.
The following screenshot shows an example of a rule that allows DNS traffic:
Create a rule to allow the services that are used by your account and require access to the Internet. In addition, if there are services that are only used for specific sites, then you can create a separate rule that only allows access for those sites.
The following screenshot shows the Services drop-down menu:
Add the applications that are used by your organization to the Internet firewall rules from the predefined applications list. Cato continuously updates this list with new applications. If you need an application that doesn’t appear in that list, you can define a custom application, for more information see Working with Custom Applications.
The following screenshot shows the Applications drop-down menu:
Implementing an Internet firewall with blocklist behavior means that by default the firewall allows all Internet traffic. Add rules to the firewall that specifically block Internet traffic according to the needs of the corporate security policy. Blocklisting is the default structure for the Internet firewall: it allows any traffic that isn't blocked by a rule.
In addition, we recommend that you use a learning period to identify unwanted Internet traffic. During this learning period, temporarily add a rule at the bottom of the rulebase that allows any traffic from any source to any destination with tracking enabled. This rule generates an event for every connection that reaches it and is allowed to access the Internet. When you review the Internet traffic for your account and identify unwanted traffic, add a rule above it to block that traffic. Remove the tracked rule at the end of the learning period, because it generates a high volume of events.
You can use the Events screen (Monitor > Events) to analyze firewall events. For more information, see Analyzing Events in Your Network.
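The review step of the learning period above is easier to do systematically than by scrolling through the Events screen, so here is an added example that is not part of the Cato documentation or product. It takes exported events in JSON-lines form, keeps only the connections that were allowed by the temporary learning rule, aggregates them by category, service and source, and turns the findings into candidate block rules to insert above the learning rule. The sample events and their field names are constructed for this example and are not Cato's export schema; the sets of risky categories and cleartext services are taken from the recommendations on this page.

```python
"""Analyze learning-period events from a tracked ANY ANY Allow rule and propose block rules.
Added illustration; the event records and field names are constructed, not Cato's export format."""
import json
from collections import Counter, defaultdict

# Constructed sample export (JSON lines). One record per connection that matched a rule.
SAMPLE_EVENTS = """
{"time": "2024-03-04T09:01:02Z", "src": "Tokyo", "src_type": "site", "rule": "Learning - Allow Any", "action": "allow", "app": "Slack", "category": "Business", "service": "https", "dst_country": "US"}
{"time": "2024-03-04T09:03:17Z", "src": "Tokyo", "src_type": "site", "rule": "Learning - Allow Any", "action": "allow", "app": "bet.example", "category": "Gambling", "service": "https", "dst_country": "GB"}
{"time": "2024-03-04T09:05:44Z", "src": "alice", "src_type": "user", "rule": "Learning - Allow Any", "action": "allow", "app": "proxy.example", "category": "Anonymizers", "service": "https", "dst_country": "NL"}
{"time": "2024-03-04T09:07:09Z", "src": "Berlin", "src_type": "site", "rule": "Learning - Allow Any", "action": "allow", "app": "unknown", "category": "Uncategorized", "service": "telnet", "dst_country": "DE"}
{"time": "2024-03-04T09:08:30Z", "src": "Berlin", "src_type": "site", "rule": "Learning - Allow Any", "action": "allow", "app": "Office 365", "category": "Business", "service": "https", "dst_country": "IE"}
{"time": "2024-03-04T09:09:51Z", "src": "Tokyo", "src_type": "site", "rule": "Learning - Allow Any", "action": "allow", "app": "unknown", "category": "Uncategorized", "service": "snmp", "dst_country": "JP"}
{"time": "2024-03-04T09:11:12Z", "src": "Tokyo", "src_type": "site", "rule": "Block Malware", "action": "block", "app": "unknown", "category": "Malware", "service": "http", "dst_country": "US"}
{"time": "2024-03-04T09:12:40Z", "src": "alice", "src_type": "user", "rule": "Learning - Allow Any", "action": "allow", "app": "bet.example", "category": "Gambling", "service": "https", "dst_country": "GB"}
"""

# Categories the page recommends blocking in a blocklist Internet firewall, and
# cleartext management services it recommends replacing with encrypted equivalents.
RISKY_CATEGORIES = {"Gambling", "Anonymizers", "Uncategorized", "Malware", "Phishing", "Hacking"}
CLEARTEXT_SERVICES = {"telnet", "ftp", "snmp"}


def parse_events(text):
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def learning_summary(events, rule_name):
    """Aggregate the connections that fell through to the learning rule and were allowed."""
    hits = [e for e in events if e["rule"] == rule_name and e["action"] == "allow"]
    sources = defaultdict(set)
    for e in hits:
        sources[e["category"]].add(e["src"])
    return {
        "total": len(hits),
        "by_category": Counter(e["category"] for e in hits),
        "by_service": Counter(e["service"] for e in hits),
        "by_country": Counter(e["dst_country"] for e in hits),
        "sources": dict(sources),  # who generated the traffic, so you can scope the block rule
    }


def suggest_block_rules(summary):
    """Turn the findings into candidate block rules to insert above the learning rule.
    Each suggestion records how many learning-period connections it would have blocked."""
    rules = []
    for category, count in summary["by_category"].most_common():
        if category in RISKY_CATEGORIES:
            rules.append({"name": f"Block {category}", "source": "Any", "app_category": category,
                          "action": "block", "track": "event", "evidence": count})
    for service, count in summary["by_service"].items():
        if service in CLEARTEXT_SERVICES:
            rules.append({"name": f"Block cleartext {service}", "source": "Any", "service": service,
                          "action": "block", "track": "event", "evidence": count})
    return rules


if __name__ == "__main__":
    summary = learning_summary(parse_events(SAMPLE_EVENTS), "Learning - Allow Any")
    print(summary["total"], "connections reached the learning rule")
    for rule in suggest_block_rules(summary):
        print(rule["name"], "- would have blocked", rule["evidence"], "connections")
```

On the constructed sample the script proposes blocking the Gambling, Uncategorized and Anonymizers categories and the cleartext telnet and snmp services, each with the number of learning-period connections that justify it. The sources dictionary tells you whether a finding is account-wide or limited to one site or user, which decides whether the new block rule should use Any as the Source or a specific group.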
This section discusses rules that we recommend that you include in rulebases for the Internet firewall that use the blocklist approach.
Services such as Telnet and SNMP v1 & v2 are potential security risks because they send credentials and community strings in cleartext, and they can be blocked in Internet rulebases. If your organization requires access to these services, we recommend that you add an exception to the block rule for the specific users or groups that need them; the block rule is not applied to those sources, and their connections continue to the rules below it.
The following screenshot shows a sample rule blocking Telnet and SNMP traffic, with an exception that allows access for the IT Department:
The category Uncategorized contains websites that are not assigned to any existing category from the list of categories. These websites are a potential security risk for your network because nothing is known about them. Create a rule that blocks the category Uncategorized for all Internet traffic, and track it so that you can review which legitimate sites are affected and allow them by name above the block rule.
Some countries are known to generate a large amount of malicious traffic. If your organization doesn't do business with these countries, we recommend that you block Internet access to them and reduce potential malicious traffic. You can create a rule that uses the Country option under App / Category to block Internet traffic to those countries.
The following screenshot shows the countries in the App / Category drop-down menu:
The section contains best practices to help you secure Internet access for your account.
For rules that allow Internet access, we recommend that you select a specific site, host, user or group in the Source column, instead of using the option Any. Rules that allow Internet traffic from Any source are a potential security risk because they also allow traffic from sources you did not expect.
The following screenshot shows a rule where the Source column is set to the groups All Sites and All SDP Users instead of Any:
When it is necessary to use a firewall rule that allows any outbound Internet traffic for a specific service or port, we recommend that you add an exception for categories or applications that are potential security risks.
For example, if you have a rule that allows all HTTP traffic, add an exception to the rule for categories such as: Cheating, Gambling, Violence and Hate, Parked Domains, Nudity, Weapons, Sex Education, Cults, and Anonymizers. These are examples of categories that can contain malicious or inappropriate content; the exception means the allow rule is not applied to them, and in an allowlist rulebase that traffic then reaches the final block rule.
In general, for rules that allow Internet traffic, use encrypted protocols instead of plain-text protocols. For example, use FTPS or SFTP instead of FTP, SSH instead of Telnet, and SNMPv3 instead of SNMP v1 and v2c. Internet traffic that uses encrypted protocols cannot be read or modified by an attacker who can observe the traffic on the path.
If you have a rule that allows access to websites that carry a minor security risk, we recommend that you use the Prompt action instead of Allow. When users try to access one of these websites, the Prompt action redirects them to a web page where they decide whether to continue or not. Because these websites add a security risk for your network, we recommend that you track events for traffic that matches this rule, so that you can see who chose to continue.
For the Prompt action, we recommend that you install the Cato certificate on all supported devices, so that the prompt page can be shown for HTTPS websites without certificate warnings in the browser.
The following screenshot shows the default categories with the Prompt action for new Cato accounts:
Cato's WAN firewall controls the traffic between the different network elements that are connected to the Cato Cloud. With the WAN firewall, you control the WAN traffic over your network and limit it to the connectivity your organization actually needs.
The WAN firewall uses the ANY ANY Block (allowlist) approach by default. This means that all connectivity between sites and users is blocked unless you define specific WAN firewall rules that allow the connections.
The following screenshot shows the WAN firewall rules configuration window in the Cato Management Application (Security > WAN Firewall)
Implementing a WAN firewall with allowlist behavior means that by default the firewall blocks all WAN connectivity between sites, servers, users, and so on. Add rules to the firewall that specifically allow WAN traffic connectivity in your network. Allowlisting is the default structure for the Cato WAN firewall, the implicit final rule of the WAN rulebase is ANY ANY Block.
We strongly recommend that you don’t add a rule that allows connectivity from any source to any destination in the WAN. This ANY ANY Allow rule exposes your network to significant security risks.
A strong security policy for an allowlist WAN firewall includes rules that only allow the specific services and applications that are used by your organization. Instead of rules that allow ANY service for traffic between sites, add the required services or applications to the rule. These are some examples of how you can limit the WAN firewall rules:
Services that are often used by organizations include: DNS, DHCP, SMB, Databases, Citrix, RDP, DCE/RPC, SMTP, FTP, ICMP, NetBIOS, NTP, SNMP, and so on.
The following list shows the ways a rule can describe the traffic, from least to most specific:
Ports - DNS = 53/UDP or 53/TCP
Destination IP addresses - for example, Google's public DNS resolvers 8.8.8.8 and 8.8.4.4
Applications - Cato classifies applications based on the TCP handshake
Services are more specific than ports, because a service defines the protocol as well as the port, therefore we recommend that you use Services in the firewall rulebase for more restrictive rules.
Applications that are often used by organizations include: SharePoint, Slack, Citrix ShareFile, and so on.
You can also create a custom category that contains all the applications and services used in the WAN, and then add this custom category to the relevant rules. Use Custom Applications for applications or services that are not predefined in the firewall. A custom application also lets the events show the application name, which makes analysis easier.
Implementing a WAN firewall with blocklist behavior means that by default the firewall allows all WAN connectivity between sites, servers, users, and so on. Add rules to the firewall that specifically block WAN traffic according to the needs of the corporate security policy. We don't recommend this approach for a WAN security policy, because every new internal resource is reachable from everywhere until someone writes a block rule. However, if your organization does use it, make sure that you block undesired WAN traffic.
To implement a blocklist WAN firewall in the Cato Management Application, the rulebase contains an ANY ANY Allow rule at the bottom.
For blocklist WAN firewalls, we recommend that you add the following rules above this rule to help create a strong security policy:
Rules that block services that are security risks and have known vulnerabilities, such as SMBv1
Rules that block connectivity between sites that don't need to communicate with each other
This section contains best practices to help you secure the WAN connectivity for your account.
The golden rule for the WAN firewall is to allow only the desired traffic. In these allow rules, add the specific services and ports that are actually used, to provide tightly controlled connectivity across the WAN.
The following screenshot shows a sample WAN firewall rule that allows all SDP users to access the datacenter site. This rule improves security because it only allows RDP traffic from SDP users to the datacenter, rather than any service.
WAN firewall rules that use ANY as the Source or Destination are less secure than rules that name specific sites and users. The more specific the settings, the more control you have over the WAN connectivity for the account.
The following screenshot shows an example of a WAN firewall rule that uses specific sites in the Source and Destination settings: