Controlling Inbound Traffic with Remote Port Forwarding

Remote Port Forwarding helps to open inbound connections from the Internet. It directs TCP/UDP traffic from the Internet to specific internal resources in your organization through the Cato Cloud. Remote Port Forwarding allows the defined external IP addresses to access the internal resources.

Use the Cato Management Application (Network > Remote Port Forwarding) to configure remote port forwarding rules for your account. When you create a remote port forwarding rule, select the allocate IP address for this rule. And then define the internal IP address and port of the resource, and the allowed remote IPs. You can also use the Tracking option to generate email notifications for forwarded traffic.

Since these rules allow inbound traffic from the Internet, we strongly recommend that you configure an IP address (or IP range) for the Allowed Remote IPs. Using the setting allows ANY inbound traffic and is a significant security risk. Therefore, if there is a requirement to expose a resource, Cato recommends deploying a DDoS service in front of that resource.

The following screenshot shows an example of a rule that enables connectivity for all inbound traffic to an FTP server:


This screenshot shows the same rule that has been made secure and only allows access from the IP address to the FTP server:


Cato Networks lets you manage the network bandwidth and QoS by assigning priority for different types of traffic. If you configure a Remote Port Forwarding (RPF) for your account, the RPF traffic is assigned automatically with the default QoS priority which is the lowest - 255.  The reason that RPF is assigned the default priority is to let you easily assign higher priority to other types of traffic. You can't change the default priority for the RPF rule. For more details about bandwidth Management, see What are the Cato Bandwidth Management Profiles.

For more information about remote port forwarding, see Configuring Remote Port Forwarding for the Account.


Note: Remote Port Forwarding isn't supported for PoPs that are located in China. You can choose to use allocated IPs in China to egress traffic in network rules or for IPsec sites.

Was this article helpful?

2 out of 2 found this helpful


  • Comment author
    Yaakov Simon

    Jørn-Morten - thanks for the comment!

    We updated the screenshot and the references to the new Cato Management Application.

  • Comment author
    • Edited

    It would be really useful if you could create an Asset Group containing hosts with Public IP addresses and then the Allow/Block list could be pointed to that group. This would make it easier to identify the allowed/blocked IPs when checking the list is up-to-date.

    Or at least be able to label to IPs/Ranges within the existing list.

  • Comment author

     James.Abdale Totally agree

  • Comment author
    Josh Anaya

    Asset Groups should be must!!!

Add your comment