Cato Networks Knowledge Base

FAQ - Changes to the Anti-Malware Policy, Trusted Destinations, and TLS Inspection

Overview

As part of Cato's continued product development, we are enhancing how you manage the Anti-Malware and TLS Inspection policies within the Cato Management Application. These changes will not have any impact on traffic and users in your account. This article details the updates to the Cato Management Application and addresses frequently asked questions relating to the change. 

What is Changing?

We are implementing new ordered rulebases for the Anti-Malware and TLS Inspection windows in the Cato Management Application. These rulebases give you greater control and flexibility over the Anti-Malware and TLS Inspection policies. Cato will automatically migrate all your settings for Anti-Malware and TLS Inspection to the new rulebases. In addition, you will now be able to add exceptions to rules to allow the specified traffic.

With this change, the Trusted Destinations window will be deprecated and removed from the Cato Management Application. Any Trusted Destinations defined for your account are automatically migrated as exceptions to the Anti-Malware and the TLS Inspection rulebases.

What are the Changes to TLS Inspection?

Before the change, TLS Inspection excluded applications and services that were defined in the Trusted Destinations window (Configuration > Global Settings > TLS Inspection).

The new TLS Inspection policy includes rules that let you define the From and What, similar to WAN firewall rules.

To exclude traffic from TLS Inspection, simply create a rule that uses the Bypass action.

What Are the Changes to Anti-Malware?

Before the change, the Unified Anti-Malware policy let you define the actions for Malicious and Suspicious files. In addition, the files that were excluded from Anti-Malware scanning were shown in the Trusted Destinations window.

The new Unified Anti-Malware policy includes rules that let you define the From and What, similar to WAN firewall rules, and control whether a rule generates events.

The File Exceptions for Anti-Malware are now shown in the Unified Anti-Malware Policy window. There is no change to how the File Exception feature works.

How Will These Changes Impact My Account?

These sections describe the changes to each window in the Cato Management Application as part of the automatic migration to the new TLS Inspection and Anti-Malware policies.

Trusted Destinations

  1. The Trusted Destinations defined for your account are automatically added to:
    1. The TLS Inspection policy as bypass rules at the top of the rulebase.
    2. The Anti-Malware policy as 'allow' rules at the top of the rulebase.
  2. The file exceptions for Trusted Destinations are now shown in the Unified Anti-Malware Policy window.
  3. The Trusted Destinations window is deprecated and removed from the Cato Management Application.

No action will be required on your part during this migration process.

Anti-Malware

  1. The rules in the Anti-Malware policy are automatically migrated from the previous Anti-Malware window and the Trusted Destinations.
  2. The Anti-Malware policy is now an ordered rulebase with block and allow rules. Make sure that the allow rules are above block rules that match the same traffic.
  3. There is a final implicit rule that matches all traffic with the Block action.

No action will be required on your part during this migration process.

TLS Inspection

  1. The rules in the TLS Inspection policy are automatically migrated from the previous TLS Inspection window and the Trusted Destinations.
  2. The TLS Inspection policy is now an ordered rulebase with inspect and bypass rules. Make sure that the bypass rules are above inspect rules that match the same traffic.
  3. There is a final implicit rule that matches all traffic with the Inspect action.

No action will be required on your part during this migration process.
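
The ordering advice for the Anti-Malware and TLS Inspection rulebases above can be checked offline before or after migration. The following Python model is an added example, not Cato code or a Cato API: it assumes first-match evaluation from the top of the rulebase, and the `Rule` fields, rule names and sample rulebase are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard value in this constructed model (not Cato's schema)

@dataclass(frozen=True)
class Rule:
    name: str
    source: str   # the "From" column
    what: str     # the "What" column
    action: str   # "Inspect"/"Bypass" (TLS) or "Block"/"Allow" (Anti-Malware)

def covers(general, specific):
    """True when `general` matches everything that `specific` matches."""
    return general == ANY or general == specific

def evaluate(rules, source, what, implicit_action):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in rules:
        if covers(rule.source, source) and covers(rule.what, what):
            return rule.name, rule.action
    return "implicit final rule", implicit_action

def shadowed_exceptions(rules, exception_action):
    """List (exception, shadowing rule) pairs: Bypass/Allow rules that never
    fire because a rule above them with another action matches the same traffic."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != exception_action:
            continue
        for earlier in rules[:i]:
            if (earlier.action != exception_action
                    and covers(earlier.source, rule.source)
                    and covers(earlier.what, rule.what)):
                findings.append((rule.name, earlier.name))
                break
    return findings

# Constructed TLS Inspection rulebase; the last rule is deliberately misplaced.
TLS_RULES = [
    Rule("Bypass banking (migrated)", ANY, "Banking", "Bypass"),
    Rule("Inspect guest network", "Guest", ANY, "Inspect"),
    Rule("Bypass guest health apps", "Guest", "Health", "Bypass"),
]

if __name__ == "__main__":
    print(evaluate(TLS_RULES, "Guest", "Health", "Inspect"))
    print(shadowed_exceptions(TLS_RULES, "Bypass"))
```

The same functions apply to an Anti-Malware rulebase by passing `"Allow"` as the exception action and `"Block"` as the implicit action.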

 

In a routine assessment of customer configurations, we have identified that certain accounts currently have TLS Inspection enabled, whilst the necessary pre-requisite function of Anti-Malware is disabled. In this situation, active TLS Inspection is not being conducted on encrypted HTTPS traffic.

To address this, we will be taking steps to ensure all customers are protected moving forward. This will be done by enforcing the enabling of Anti-Malware before TLS Inspection is activated. 

Cato will be actively taking steps to address this matter, and action may be required.

The following table details the actions which will be taken by Cato, and the impact it will have on your account:

| Scenario | Action conducted by Cato | Impact on your Account | Action required by Customer |
| --- | --- | --- | --- |
| TLS Inspection and Anti-Malware Enabled | The existing configuration(s) will be migrated automatically. | No Impact | No Action |
| TLS Inspection Enabled. Anti-Malware Disabled | TLS Inspection will be disabled for your account. | End-Users may be presented with Certificate Warning errors. | Enable TLS Inspection or remove Cato Certificates from endpoint devices. |
| TLS Inspection and Anti-Malware Disabled | No Action | No Impact | No Action |

With the new TLS Inspection policy, it is possible that traffic that was allowed before this change is now blocked. We therefore recommend that, if you enable TLS Inspection, you monitor your traffic to make sure that there are no connectivity issues.

For more information relating to configuring TLS Inspection, please see the following article:

Can I opt-out of these changes?

These changes are being automatically applied to all customer accounts. If you have any concerns regarding this matter, please contact your Cato Account Representative.

When will this change be applied to my account?

We are gradually rolling this enhancement out across all Cato Customers. You will be notified by e-mail as to when this change will be occurring for your account.

Where can I find more information about these changes?

More information regarding the Unified Anti-Malware Policy configurations can be found here:

Additionally, the following articles may be of interest:

For any other concerns, please contact your Cato account representative.
