This section is an example of creating an IPS policy to block WAN and Inbound traffic. It also contains a geo-restriction policy to block traffic for Iran and North Korea.
For WAN, Inbound, and Outbound traffic, you can define the actions for the IPS engine and the relevant email notifications. Keep in mind that matched traffic can be a false positive, that is, legitimate traffic that happens to match a protection.
These are the available actions:
- Block - Blocks the traffic so it doesn't continue to its destination. When applicable, redirects the user to a dedicated blocking web page. An event is generated for the Events screen (Monitoring > Events).
- Monitor - The traffic is allowed to continue to the destination and an event is generated for the Events screen (Monitoring > Events).
- Allow - The traffic is allowed to continue to the destination with no actions taken.
To configure actions for the IPS policy:
1. From the navigation menu, click Security > IPS.
2. In the IPS screen, click the Protection Policy tab or expand the section.
3. Click the slider to enable the IPS policy. The toggle is green when enabled.
4. In the Protection Policy section, configure the following settings for each Protection Scope:
   - For WAN traffic, IPS blocks matched protections and generates an email notification:
     1. Click WAN Traffic. The Edit panel opens.
     2. In Action, from the drop-down menu select Block.
     3. In Track, select Email Notification.
     4. Click Apply.
   - For Inbound Internet traffic, IPS blocks matched protections and generates an email notification:
     1. Click Inbound Traffic. The Edit panel opens.
     2. In Action, from the drop-down menu select Block.
     3. In Track, select Email Notification.
     4. Click Apply.
   - For Outbound Internet traffic, IPS monitors matched protections and doesn't generate an email notification:
     1. Click Outbound Traffic. The Edit panel opens.
     2. In Action, from the drop-down menu select Monitor.
     3. In Track, make sure that Email Notification is cleared.
     4. Click Apply.
5. Click Save. The IPS policy settings are saved for the account.
You can define Geo restriction rules for IPS. Geo restriction rules for IPS are based on the IP address geolocation and not on the domain. You can define the rule to apply to inbound, outbound, or both directions of traffic.
Notes:
- If you configure a Geo Restriction rule for inbound traffic, this applies also to RPF resources. However, IPS Geo Restriction rules are not applied to traffic from Cato SDP Clients. To block Client connections from specific regions, you can configure rules in the Client Connectivity Policy.
- Events for IPS Geo Restriction rules have a Threat Type and Threat Name of Geo Restriction and do not show a Signature ID.
To define a Geo restriction rule:
1. From the navigation menu, click Security > IPS.
2. In the IPS screen, click the Geo Restriction tab or expand the section.
3. Click New. The Add panel opens.
4. Enter the Name for the rule, and in Direction, select Both Directions to configure the rule to apply to all traffic.
5. In the Countries section, add Iran and Korea, Democratic People's Republic of (North Korea).
6. In Action, select Block to block all traffic to and from Iran and North Korea.
7. In Track, select Event and Email Notification to have the maximum visibility for traffic to and from Iran and North Korea.
8. Click Apply and then click Save.
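The following is an added example (not Cato's engine, API or documentation) that models the policy this article builds: the per-scope actions and email tracking from the Protection Policy section, and the Both Directions Geo Restriction rule for Iran and North Korea. It assumes ISO 3166 alpha-2 country codes, that the Geo rule applies only to Inbound and Outbound Internet scopes (not WAN), and encodes the two notes above: SDP Client traffic is exempt from Geo Restriction, and Geo Restriction events carry the Threat Type and Threat Name "Geo Restriction" with no Signature ID.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the policy this article builds (added example, not
# Cato's engine or API). Geo rule is assumed not to apply to the WAN scope.
SCOPE_POLICY = {  # Protection Scope -> (Action, Email Notification tracked)
    "wan": ("Block", True),
    "inbound": ("Block", True),
    "outbound": ("Monitor", False),
}
GEO_RULE = {  # the "Both Directions" rule from the article
    "direction": "both",  # "inbound", "outbound" or "both"
    "countries": {"IR", "KP"},  # Iran, North Korea (assumed ISO alpha-2 codes)
    "action": "Block",
    "track": {"Event", "Email Notification"},
}

@dataclass
class Flow:
    scope: str                 # "wan", "inbound" or "outbound"
    src_country: str           # geolocation of the source IP, never of a domain
    dst_country: str
    sdp_client: bool = False   # traffic from a Cato SDP Client
    signature_id: Optional[str] = None  # set when an IPS signature matched

def geo_matches(flow: Flow) -> bool:
    """Geo Restriction is IP-geolocation based and skips SDP Client traffic."""
    if flow.sdp_client or flow.scope not in ("inbound", "outbound"):
        return False
    if GEO_RULE["direction"] not in (flow.scope, "both"):
        return False
    return bool({flow.src_country, flow.dst_country} & GEO_RULE["countries"])

def evaluate(flow: Flow) -> dict:
    """Return the verdict plus the event fields the article says are produced."""
    if geo_matches(flow):
        return {"action": GEO_RULE["action"],
                "event": "Event" in GEO_RULE["track"],
                "email": "Email Notification" in GEO_RULE["track"],
                "threat_type": "Geo Restriction", "threat_name": "Geo Restriction",
                "signature_id": None}  # geo events never carry a Signature ID
    if flow.signature_id is None:  # nothing matched: traffic passes untouched
        return {"action": "Allow", "event": False, "email": False,
                "threat_type": None, "threat_name": None, "signature_id": None}
    action, email = SCOPE_POLICY[flow.scope]
    return {"action": action,
            "event": action in ("Block", "Monitor"),  # Allow generates no event
            "email": email and action != "Allow",
            "threat_type": None, "threat_name": None,  # not modelled here
            "signature_id": flow.signature_id}
```

Running `evaluate` over a few constructed flows shows why a Geo Restriction hit appears in the Events screen without a Signature ID, while a signature match in the Outbound scope is only monitored and never emailed.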
6 comments
How does the allow list work?
If you block a country through Geo, can you allow a domain in that country?
Mohammad,
Thanks for your question! Yes, if you block a country with IPS Geo Restriction, you can use the IPS Allowlist feature to allow inbound traffic for an IP range or domain for that country. For more details, see (New) Allowlisting IPS Signatures
Yaakov
Hi Yaakov. Your reply to Mohammad said when a country is blocked with IPS Geo Restriction you can use the IPS Allowlist to allow inbound traffic for a domain. But the link you put says, "To allowlist IPS protections based on Geo Restriction settings, you must use the IP address or range. You can't allowlist Geo Restriction based on the domain."
Please could you clarify if we can use domains, and if it is inbound or outbound? Thanks.
Nathan,
Great point! We updated the article (New) Allowlisting IPS Signatures to clearly show which parameters for allowlist rules are supported for the different Protection Scopes.
Thanks,
Yaakov
I was not able to view the signature; it shows as (signature ID: Geo) in the event.
Hi aiman mesbahi,
Thank you for your comment! This is expected behavior, as events for IPS Geo Restriction rules do not show a specific signature ID. We added a note above in the section Managing Geo Restriction Rules to clarify this.
Thanks,
Jon