Configuring IPS and Geo Restriction

Overview of Cato's IPS Policy

Cato's IPS and Geo Restriction

This section is an example of creating an IPS policy that blocks WAN and Inbound traffic. It also contains a Geo Restriction policy that blocks traffic to and from Iran and North Korea.

Defining the IPS Protection Policy

For WAN, Inbound, and Outbound traffic, you can define the action the IPS engine takes and the relevant email notifications. Keep in mind that matching traffic can be a false positive, that is, legitimate traffic that matches a protection.

These are the available actions:

  • Block - Blocks the traffic so that it doesn't continue to its destination. When applicable, redirects the user to a dedicated blocking web page. An event is generated for the Events screen (Monitoring > Events).

  • Monitor - The traffic is allowed to continue to the destination and an event is generated for the Events screen (Monitoring > Events).

  • Allow - The traffic is allowed to continue to the destination with no actions taken.

[Image: IPS_Policy_getting_started.png]

To configure actions for the IPS policy:

  1. From the navigation menu, click Security > IPS.

  2. In the IPS screen, click the Protection Policy tab or expand the section.

  3. Click the slider to enable the IPS policy.

    The toggle is green when enabled.

  4. In the Protection Policy section, configure the following settings for each Protection Scope:

    1. For WAN traffic, IPS blocks matched protections and generates an email notification:

      1. Click WAN Traffic.

        The Edit panel opens.

      2. In Action, from the drop-down menu select Block.

      3. In Track, select Email Notification.

      4. Click Apply.

    2. For Inbound Internet traffic, IPS blocks matched protections and generates an email notification:

      1. Click Inbound Traffic.

        The Edit panel opens.

      2. In Action, from the drop-down menu select Block.

      3. In Track, select Email Notification.

      4. Click Apply.

    3. For Outbound Internet traffic, IPS monitors matched protections and doesn't generate an email notification:

      1. Click Outbound Traffic.

        The Edit panel opens.

      2. In Action, from the drop-down menu select Monitor.

      3. In Track, make sure that Email Notification is cleared.

      4. Click Apply.

  5. Click Save. The IPS policy settings are saved for the account.

Managing Geo Restriction Rules

You can define Geo restriction rules for IPS. Geo restriction rules for IPS are based on the IP address geolocation and not on the domain. You can define the rule to apply to inbound, outbound, or both directions of traffic.

Notes:

  • If you configure a Geo Restriction rule for inbound traffic, it also applies to RPF resources. However, IPS Geo Restriction rules are not applied to traffic from Cato SDP Clients. To block Client connections from specific regions, configure rules in the Client Connectivity Policy.
  • Events for IPS Geo Restriction rules have a Threat Type and Threat Name of Geo Restriction and do not show a Signature ID.

[Image: IPS_Geo_Restriction.png]

To define a Geo restriction rule:

  1. From the navigation menu, click Security > IPS.

  2. In the IPS screen, click the Geo Restriction tab or expand the section.

  3. Click New.

    The Add panel opens.

  4. Enter the Name for the rule, and in Direction, select Both Directions to configure the rule to apply to all traffic.

  5. In the Countries section, add Iran and Korea, Democratic People's Republic of (North Korea).

  6. In Action, select Block to block all traffic to and from Iran and North Korea.

  7. In Track select Event and Email Notification, to have the maximum visibility for traffic to and from Iran and North Korea.

  8. Click Apply and then click Save.
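The following is an added, constructed model of how a Geo Restriction rule like the one above evaluates a flow, written to make the article's stated behaviour concrete (direction matching, matching on IP geolocation rather than domain, the SDP Client exemption, and events that carry a Geo Restriction threat type but no Signature ID). It is not Cato's code or API; the prefixes in the geolocation table, the field names and the `evaluate` function are assumptions for illustration only.

```python
"""Constructed model of IPS Geo Restriction rule evaluation (not Cato's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed geolocation table using documentation prefixes; not real allocations.
GEOIP = {
    ip_network("203.0.113.0/24"): "Iran",
    ip_network("198.51.100.0/24"): "Korea, Democratic People's Republic of",
    ip_network("192.0.2.0/24"): "United States",
}

def geolocate(ip: str) -> Optional[str]:
    """Map an IP address to a country via the constructed table (None if unknown)."""
    addr = ip_address(ip)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return None

@dataclass
class GeoRule:
    name: str
    direction: str            # "Inbound", "Outbound" or "Both Directions"
    countries: set
    action: str = "Block"
    track: set = field(default_factory=lambda: {"Event", "Email Notification"})

@dataclass
class Flow:
    direction: str            # "Inbound" or "Outbound" relative to the site
    remote_ip: str
    remote_domain: Optional[str] = None   # never consulted: rules are IP-geolocation based
    from_sdp_client: bool = False         # SDP Client traffic is exempt from Geo Restriction

def evaluate(rule: GeoRule, flow: Flow) -> Optional[dict]:
    """Return a Geo Restriction event if the rule matches the flow, else None."""
    if flow.from_sdp_client:
        return None           # blocked only via the Client Connectivity Policy instead
    if rule.direction != "Both Directions" and rule.direction != flow.direction:
        return None
    if geolocate(flow.remote_ip) not in rule.countries:
        return None
    return {
        "rule": rule.name,
        "action": rule.action,
        "threat_type": "Geo Restriction",
        "threat_name": "Geo Restriction",
        "signature_id": None,  # Geo Restriction events do not show a Signature ID
        "email": "Email Notification" in rule.track,
    }
```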


6 comments

  • Mohammad Azad

    How does the allow list work?

    If you block a country through Geo, can you allow a domain in that country?

  • Yaakov Simon (edited)

    Mohammad,

    Thanks for your question! Yes, if you block a country with IPS Geo Restriction, you can use the IPS Allowlist feature to allow inbound traffic for an IP range or domain for that country. For more details, see (New) Allowlisting IPS Signatures.

    Yaakov

  • Nathan

    Hi Yaakov. Your reply to Mohammad said that when a country is blocked with IPS Geo Restriction you can use the IPS Allowlist to allow inbound traffic for a domain. But the link you put says, "To allowlist IPS protections based on Geo Restriction settings, you must use the IP address or range. You can't allowlist Geo Restriction based on the domain."

    Could you please clarify if we can use domains, and if it is inbound or outbound? Thanks.

  • Yaakov Simon

    Nathan,

    Great point! We updated the article (New) Allowlisting IPS Signatures to clearly show which parameters for allowlist rules are supported for the different Protection Scopes.

    Thanks,

    Yaakov

  • aiman mesbahi

    I was not able to view the signature; it shows as (signature ID: Geo) in the event.

  • Jonathan Rabinowitz

    Hi aiman mesbahi,

    Thank you for your comment! This is expected behavior, as events for IPS Geo Restriction rules do not show a specific signature ID. We added a note above in the section Managing Geo Restriction Rules to clarify this.

    Thanks,

    Jon
