Remote Port Forwarding opens inbound connections from the Internet. It directs TCP/UDP traffic from the Internet to specific internal resources in your organization through the Cato Cloud. Remote Port Forwarding allows the external IP addresses that you define to access the internal resources.
Use the Cato Management Application (Network > Remote Port Forwarding) to configure remote port forwarding rules for your account. When you create a remote port forwarding rule, select an IP address to allocate for the rule, and then define the internal IP address and port of the resource, and the allowed remote IPs. You can also use the Tracking option to generate email notifications for forwarded traffic.
Because these rules allow inbound traffic from the Internet, we strongly recommend that you configure an IP address (or IP range) for the Allowed Remote IPs. The setting 0.0.0.0/0 allows ANY inbound traffic and is a significant security risk. If there is a requirement to expose a resource, Cato recommends deploying a DDoS service in front of that resource.
The following screenshot shows an example of a rule that enables connectivity for all inbound traffic to an FTP server:
This screenshot shows the same rule that has been made secure and only allows access from the IP address 66.249.66.61 to the FTP server:
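One way to check a list of rules for the open setting described above, as an added example that is not Cato code: it also catches entries that only add up to 0.0.0.0/0 when combined. The rule dictionaries, their field names, and the 256-address review threshold are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample rules. The field names are hypothetical, not a Cato export format.
SAMPLE_RULES = [
    {"name": "ftp-open", "allowed_remote_ips": ["0.0.0.0/0"]},
    {"name": "ftp-restricted", "allowed_remote_ips": ["66.249.66.61"]},
    {"name": "partner-range", "allowed_remote_ips": ["198.51.100.10-198.51.100.20"]},
    {"name": "split-any", "allowed_remote_ips": ["0.0.0.0/1", "128.0.0.0/1"]},
    {"name": "wide-block", "allowed_remote_ips": ["198.18.0.0/15", "198.18.4.0/24"]},
]

def parse_entry(entry):
    """Return the IPv4 networks covered by a single IP, a CIDR, or a 'first-last' range."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        # Raises ValueError if first > last, so a reversed range is not silently accepted.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry, strict=False)]

def audit_rule(rule, max_addresses=256):
    """Classify one rule by how many distinct source addresses it admits.

    max_addresses is an assumed review threshold, not a Cato recommendation.
    """
    nets = [n for e in rule["allowed_remote_ips"] for n in parse_entry(e)]
    # collapse_addresses merges adjacent and overlapping entries, so two /1
    # networks are recognised as 0.0.0.0/0 and overlaps are not double counted.
    merged = list(ipaddress.collapse_addresses(nets))
    total = sum(n.num_addresses for n in merged)
    if not merged:
        return "REVIEW", "no allowed remote IPs recorded"
    if total == 2 ** 32:
        return "CRITICAL", "allows ANY inbound source (equivalent to 0.0.0.0/0)"
    if total > max_addresses:
        return "WARN", f"{total} source addresses allowed"
    return "OK", f"{total} source address(es) allowed"

def audit(rules):
    """Map each rule name to its (severity, detail) finding."""
    return {r["name"]: audit_rule(r) for r in rules}

if __name__ == "__main__":
    for name, (severity, detail) in audit(SAMPLE_RULES).items():
        print(f"{severity:8} {name}: {detail}")
```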
Cato Networks lets you manage network bandwidth and QoS by assigning priorities to different types of traffic. If you configure Remote Port Forwarding (RPF) for your account, the RPF traffic is automatically assigned the default QoS priority, which is the lowest: 255. RPF is assigned the default priority to let you easily assign higher priority to other types of traffic. You can't change the default priority for the RPF rule. For more details about bandwidth management, see What are the Cato Bandwidth Management Profiles.
For more information about remote port forwarding, see Configuring Remote Port Forwarding for the Account.
Note: Remote Port Forwarding isn't supported for PoPs that are located in China. You can choose to use allocated IPs in China to egress traffic in network rules or for IPsec sites.
6 comments
Jørn-Morten - thanks for the comment!
We updated the screenshot and the references to the new Cato Management Application.
It would be really useful if you could create an Asset Group containing hosts with Public IP addresses and then the Allow/Block list could be pointed to that group. This would make it easier to identify the allowed/blocked IPs when checking the list is up-to-date.
Or at least be able to label the IPs/Ranges within the existing list.
James.Abdale Totally agree
Asset Groups should be a must!!!
Can I confirm if RPF is still unsupported for China PoPs?
Hi Vivhek - RPF is not supported for China PoPs. You can read more about Cato within China here:
https://support.catonetworks.com/hc/en-us/articles/20381963015581-Understanding-Cato-Networking-in-China