Cato Networks Knowledge Base

Traditional vs NG Firewall Rules

  • Updated


Cato Networks’ Internet and WAN firewalls use two different types of firewall rules:

  • Traditional firewall rules

  • Next-Generation (NG) firewall rules

This article describes the differences between these types and the logic that the firewall uses to apply them to network traffic.

Traditional Firewall Rules – Inspecting the First Packet

Cato lets you define a network security policy and configure traditional firewall rules to control incoming and outgoing traffic in your network. Cato’s traditional firewall rules only have one or more of the following settings:

  • IP Range

  • ASN

  • Countries

  • Site

  • Host

  • Protocol/Port

    • Available protocols: TCP, UDP, TCP/UDP and ICMP

The traditional firewall evaluates the traffic on the first packet. For example, network administrators can configure firewall rules that are based on protocols and ports. For this kind of rule, the firewall decides to allow or block the traffic based on the first packet.

The following screenshot shows a sample WAN firewall rule that blocks TCP traffic on port 80:


The following chart shows a TCP connection example from Host A to Host B and the point for the traditional firewall to evaluate a Block rule:



Note: The traditional firewall doesn’t drop the packets. The PoP completes the TCP handshake without sending any packets to the destination (Host B). The reason for that is to display the internet redirect page for block or prompt actions. For more about the redirect page, see Customizing the Internet Redirect Page.

NG Firewall Rules – Deep Packet Inspection

Cato’s NG firewall is stateful and uses application layer data inspection to provide visibility and control for applications and services. It applies deep packet inspection (DPI) and multiple security engines to inspect the traffic. The key element of the NG firewall is application awareness, which lets you define rules that allow, or block traffic based on applications and services. The NG firewall inspects the packet content based on applications, custom applications, categories, custom categories, services, FQDN, domain and more. For example, you can define a rule to block uTorrent application traffic in your network.

The following screenshot shows examples of applications you can add to a firewall rule:


The following chart shows a TCP connection example from Host A to Host B and the point for the NG firewall to evaluate a Block rule:


Best Practices for Ordering Firewall Rules

We recommend that you configure the ordered firewall rulebase with the traditional firewall rules at the top and place the NG firewall rules after them. This section explains the firewall logic for each type of firewall rule and how to order the rules in the rulebase.

The firewall behaves differently for traditional firewall rules and for NG firewall rules.

The traditional firewall rules are inspected immediately, and the firewall applies the action on the first packet.

On the other hand, the DPI engine for the NG firewall inspects the first packet to identify the application or service for this connection. It enforces the NG firewall rules only when the next packet with the payload data arrives.

The Cato firewall uses an ordered rule base and starts from the first rule to see if the rule matches the connection. The connections are inspected according to each rule in order.

In the case that you configure the NG firewall rules before the traditional firewall rules, the DPI engine inspects the traffic to identify the application before it applies the action. This means that the first packet can pass through and reach the destination.

Therefore, we highly recommend that you place the traditional firewall rules before the NG firewall rules in the rulebase.

Example of a Poorly Ordered Firewall Rulebase

The following example shows two Internet firewall rules. The first rule is an NG firewall rule based on application traffic and the second rule is a traditional firewall rule based on protocol and port number:

  1. Allow Facebook (NG firewall rule)

  2. Block TCP port 80 (traditional firewall rule)


In this example, the traditional firewall rule is ordered after the NG firewall rule. Therefore, when the traffic arrives, the firewall on the PoP first waits to identify the application and enforces the rules only after.


Note: Firewall rules with custom applications are considered as NG firewall rules regardless of the application content.

Was this article helpful?

0 out of 0 found this helpful



Please sign in to leave a comment.