The Network Rules policy is an ordered rulebase that defines the networking policy for the account. Traffic is evaluated against the rules in order: when traffic matches the criteria of a rule, that rule's actions are applied to the traffic, and the rules listed after the matching rule are not evaluated for it.
Note: The Cato Cloud and Sockets don't support the PIM protocol or multicast routing. To use multicast routing over the Cato Cloud, you need to establish point-to-point tunnels between the PIM routers using GRE (or an equivalent) protocol.
For more about working with network rules for your account, see Configuring Network Rules.
The following settings define the match criteria for a network rule:
- Type - WAN or Internet traffic
- Source - Cato Management Application entity (default is Any traffic)
- Destination - Cato Management Application entity or Internet
- App/Category - specific applications, categories, and other objects
- Criteria for device conditions - Define rules that route or prioritize traffic only when it originates from devices that meet specific criteria, such as device type, operating system, device profile compliance, or geographic location. For more information about device criteria, see Adding Device Conditions to Firewall Rules.
- Bandwidth - Bandwidth Management profile assigned to this rule (QoS)
Note: When you configure Route/NAT settings for a rule, the rule must use Active TCP Acceleration. This feature is automatically enabled for the rule, and you can't disable it.
The Network Rules page lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.
The hit count helps you identify unused rules that can be removed from a policy, and optimize rule configuration to better match the required traffic scope. The hit count for a rule is based on the number of events generated by the rule. If a rule does not generate events, the hit count is zero.
The hit count contains two numbers:
- The approximate number of events generated by each rule in the policy
- How often the rule is hit relative to other rules (ranked by percentile)
These values are updated once every 24 hours and are based on the past 14 days of traffic.
You can quickly identify the rules with the highest and lowest hit count, based on the color of the status bar. This color reflects how often the rule is hit relative to other rules:
- Blue: 0 - 24th percentile
- Green: 25th - 49th percentile
- Orange: 50th - 74th percentile
- Red: 75th - 100th percentile
The hit count values are updated automatically every 24 hours and are based on the past 14 days of traffic. From the three dots at the end of each rule, you can reset or refresh the hit count for up-to-date visibility. This lets you accurately measure rule effectiveness and immediately validate rule activity.
- Resetting the hit counter for a specific rule returns the hit count to 0
- Refreshing the hit counter updates the hit count on demand for all policy rules
Cato provides a set of predefined network rules that are tailored to give the best user experience by prioritizing certain traffic over other traffic. You can modify the default predefined network rules.
Cato's implicit network default rule is configured to perform TCP Proxy. Traffic that no preceding rule matches therefore reaches the implicit default rule and is TCP proxied.
The following table explains the predefined network rules:

| Rule Order | Rule name | Purpose | Priority | PBR and Accelerations & Optimizations |
|---|---|---|---|---|
| #1 | WAN Voice & Video - Predefined | Prioritize voice and video traffic across the WAN | P10 | Transport - Primary: Cato, Secondary: Automatic |
| #2 | Internet Voice & Video - Predefined | Prioritize voice and video traffic towards the Internet | P10 | Transport - Primary: Cato, Secondary: None |
| #3 | WAN RDP - Predefined | 2nd-level priority for RDP traffic across the WAN | P20 | Transport - Primary: Cato, Secondary: Automatic; Active TCP Acceleration enabled |
| #4 | Internet RDP - Predefined | 2nd-level priority for RDP traffic towards the Internet | P20 | Transport - Primary: Cato, Secondary: None; Active TCP Acceleration enabled |
| #5 | WAN SMB - Predefined | 3rd-level priority for SMB traffic across the WAN | P30 | Transport - Primary: Cato, Secondary: Automatic; Active TCP Acceleration enabled |
| #6 | Internet SMB - Predefined | 3rd-level priority for SMB traffic towards the Internet | P30 | Transport - Primary: Cato, Secondary: None; Active TCP Acceleration enabled |
| #7 | WAN Data - Predefined | 4th-level priority for data traffic across the WAN | P40 | Transport - Primary: Cato, Secondary: Automatic; Active TCP Acceleration enabled |
| #8 | Internet Traffic - Predefined | Lowest priority for traffic towards the Internet | P255 - Default | Transport - Primary: Cato, Secondary: None; Active TCP Acceleration enabled |
For each rule, these are the PBR settings:
- NIC: Automatic
- Route/NAT: None
- Packet Loss Mitigation: Disabled
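The first-match evaluation described at the top of this page, the implicit TCP Proxy default, and the hit-count percentile bands, as an added Python model that is not Cato's code: the app labels, the sample flows and the percentile formula are assumptions made for illustration.

```python
# Added example (not Cato's code): models the ordered, first-match rulebase and the
# hit-count percentile bands described on this page. App labels are constructed.
from collections import namedtuple

# apps: App/Category criteria (empty set = any app); priority: QoS value from the table.
Rule = namedtuple("Rule", "order name type apps priority")

# The eight predefined rules from the table above, in rulebase order.
RULEBASE = [
    Rule(1, "WAN Voice & Video - Predefined", "WAN", frozenset({"voice", "video"}), 10),
    Rule(2, "Internet Voice & Video - Predefined", "Internet", frozenset({"voice", "video"}), 10),
    Rule(3, "WAN RDP - Predefined", "WAN", frozenset({"rdp"}), 20),
    Rule(4, "Internet RDP - Predefined", "Internet", frozenset({"rdp"}), 20),
    Rule(5, "WAN SMB - Predefined", "WAN", frozenset({"smb"}), 30),
    Rule(6, "Internet SMB - Predefined", "Internet", frozenset({"smb"}), 30),
    Rule(7, "WAN Data - Predefined", "WAN", frozenset(), 40),
    Rule(8, "Internet Traffic - Predefined", "Internet", frozenset(), 255),
]

def match(flow, rulebase=RULEBASE):
    """First match wins; later rules are never consulted. None = implicit default (TCP Proxy)."""
    for rule in rulebase:
        if rule.type == flow["type"] and (not rule.apps or flow["app"] in rule.apps):
            return rule
    return None

def hit_counts(flows, rulebase=RULEBASE):
    """Hit count per rule order: one event for every flow the rule matched."""
    counts = {rule.order: 0 for rule in rulebase}
    for flow in flows:
        rule = match(flow, rulebase)
        if rule is not None:
            counts[rule.order] += 1
    return counts

def percentile_bands(counts):
    """Colour each rule by hits relative to the others (assumed percentile: share of rules hit less often)."""
    values = list(counts.values())
    bands = {}
    for order, count in counts.items():
        pct = 100 * sum(v < count for v in values) // max(len(values) - 1, 1)
        bands[order] = "Blue" if pct < 25 else "Green" if pct < 50 else "Orange" if pct < 75 else "Red"
    return bands

# Constructed sample traffic (not real logs): WAN flows first, then Internet flows.
FLOWS = [{"type": "WAN", "app": a} for a in ("voice", "video", "rdp", "smb", "file_sync")] + \
        [{"type": "Internet", "app": a} for a in ("web", "web", "web", "rdp")]

if __name__ == "__main__":
    counts = hit_counts(FLOWS)
    for order, colour in percentile_bands(counts).items():
        print(f"#{order}: {counts[order]} hits -> {colour}")
```

Note that a WAN RDP flow stops at rule #3 even though rule #7 (WAN Data) would also match it, and that removing rule #8 sends unmatched Internet traffic to the implicit default.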