This article provides background information about the WAN firewall for your account.
For more information about working with the WAN firewall, see Managing the WAN Firewall Policy.
The WAN firewall in the Cato Cloud controls access to objects and entities in your Wide Area Network (WAN). Configure the WAN firewall rulebase to create a secure access control policy and protect the network.
The WAN firewall is part of the Next Gen Firewall (NGFW) that is integrated in the Cato Cloud and lets you create rules to prevent unauthorized access to the network. The WAN firewall uses a whitelist approach, and there is a default ANY-ANY block rule to drop all connections that are not explicitly allowed in the rulebase.
Use the rules to configure the firewall to inspect all connections and only allow the ones that match its configured settings. The firewall uses an ordered rulebase. This means that it starts inspecting the connection and checks to see if it matches the first rule. If not, then it continues to sequentially apply each rule to the connection until a rule matches the connection.
The WAN firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications.
One of the basic functionalities of an NGFW is to protect against spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This anti-spoofing enforcement blocks spoofed connections and prevents violations of the configured logical topology.
The Autonomous WAN Firewall Insights are a list of best practices that evaluate your WAN Firewall policy and show how they comply with Cato’s recommendations. Following these recommendations optimizes your firewall configurations and improves security posture.
There are two types of insights:
- Star icon (powered by AI): Enabled rules in your WAN Firewall policy are automatically analyzed by Artificial Intelligence (AI) to detect issues, for example, rules that can be discarded or modified such as:
  - Temporary Rule: Introduced as a short-term solution to address an immediate need. These rules are mostly created to function temporarily while a proper or permanent solution is being deployed or developed.
  - Testing Rule: Rules explicitly created for validating, debugging, or experimenting with a specific feature or scenario.
  - Expired Rule or Rule with Future Expiration Date: Rules created to address a specific need that have a desirable cutoff date which has already passed, has not yet been reached, or cannot be proven/evaluated.
  - Over Permissive Rules: Rules that may be overly permissive based on the users, hosts, apps, or protocols defined for the rule. This insight indicates that we recommend removing the extra items from the rule. For example: restrict user access only to sampleAdmin, limit the application to only RDP, and restrict the protocol to only TCP.
- Configuration-based: The configurations and settings in your Internet Firewall policy are evaluated to ensure they follow best practices.
The WAN firewall inspects connections sequentially and checks to see if the connection matches a rule. The final rule in the rulebase is a default ANY-ANY block rule - so if a connection does not match a rule, then it is blocked by the final default rule. A strong access control policy contains firewall rules that allow specific connections and traffic in the WAN.
You can review the default rule settings in the Default Rules section at the end of the rulebase. These rule settings can't be edited.
Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches rule #3, the action is applied to the connection, and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection. You can increase the efficiency of the WAN firewall by giving a high priority to rules that match the largest number of connections.
When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that allows the Backup Services application for port 443, then the traffic is allowed when it matches both the application and the port.
For rules that use multiple objects in a single column, such as more than one port, then there is an OR relationship between them. For example, if there is a rule that allows access to the mail server for service SMTP and ports 25, 265, 587, and 2525, then the traffic is allowed when it matches the SMTP service, or any one of the ports.
Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.
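The matching semantics described above (top-down first match, AND across columns, OR within a column, exceptions that skip a rule, and the default ANY-ANY block), modelled as an added illustration that is not Cato's code; the rule names, objects, and the 2 + 25 x 3 = 77 condition count are constructed from the examples in this section.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                     # "allow" or "block"
    match: dict = field(default_factory=dict)       # column -> set of values
    exceptions: list = field(default_factory=list)  # list of column->set dicts

def column_hits(values, conn_attrs):
    """OR within one column: any shared attribute is a match."""
    return bool(values & conn_attrs)

def rule_matches(rule, conn):
    """AND across columns; a column absent from the rule means ANY.
    A connection that matches every column of an exception skips the rule."""
    for column, values in rule.match.items():
        if not column_hits(values, conn.get(column, set())):
            return False
    for exc in rule.exceptions:
        if all(column_hits(v, conn.get(c, set())) for c, v in exc.items()):
            return False
    return True

def first_match(rulebase, conn):
    """Scan top-down; the first matching rule decides, else default ANY-ANY block."""
    for rule in rulebase:
        if rule_matches(rule, conn):
            return rule.name, rule.action
    return "Default ANY-ANY", "block"

def condition_count(rule):
    """AND conditions of the rule plus those of its exceptions (limit is 64)."""
    return len(rule.match) + sum(len(exc) for exc in rule.exceptions)

# Constructed rulebase: object names are illustrative, not real account objects.
RULEBASE = [
    Rule("Block guest Wi-Fi", "block", {"source": {"guest-wifi"}}),
    Rule("Allow backup", "allow",
         {"app": {"Backup Services"}, "service_port": {443}}),
    Rule("Allow mail", "allow",
         {"destination": {"mail-server"},
          "service_port": {"SMTP", 25, 265, 587, 2525}}),
]

# The note's arithmetic: 2 AND conditions + 25 exceptions x 3 conditions = 77.
OVERSIZED = Rule("Too many conditions", "allow",
                 {"source": {"hq"}, "service_port": {"SMB"}},
                 [{"source": {f"host-{i}"}, "app": {"Backup Services"},
                   "service_port": {445}} for i in range(25)])
```

A connection is a dict of column name to the set of attributes it carries, so a mail session can match the rule by its SMTP service or by any one of the listed ports.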
The hit count helps you identify unused rules that can be removed from a policy, and optimize rule configuration to better match the required traffic scope. The hit count for a rule is based on the number of events generated by the rule. If a rule does not generate events, the hit count is zero.
The hit count contains two numbers:
- The approximate number of events generated by each rule in the policy
- How often the rule is hit relative to other rules (ranked by percentile)
These values are updated once every 24 hours and are based on the past 14 days of traffic.
You can quickly identify the rules with the highest and lowest hit count, based on the color of the status bar. This color reflects how often the rule is hit relative to other rules:
- Blue: 0 - 24th percentile
- Green: 25th - 49th percentile
- Orange: 50th - 74th percentile
- Red: 75th - 100th percentile
The WAN Firewall lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.
Configure the Time settings for a WAN Firewall rule to define when the rule is active. For example, you can choose to apply a rule during weekdays only. This means that rules with configured time settings are not active outside of the defined hours.
The options for Time settings are:
- No time constraint: The rule is always active. This is the default behavior of the WAN Firewall rules.
- Limit to working hours: The rule is active only during the working hours configured in the Cato Management Application. For more about working hours, see Defining Default Working Hours for the Account.
- Custom: Select the time of the day and the days of the week when the rule is active. Uncheck the Recurring option and select the date for the rule's time setting.
  - Recurring: The time setting is applied more than once, for example, every Tuesday from 9:00am to 5:00pm.
To configure the Time settings for a new rule:
1. From the navigation menu, select Security and then select Internet Firewall or WAN Firewall.
2. Click New > New Rule. The New Rule panel opens.
3. Expand the Actions section.
4. In Time, select the desired time settings for that rule.
5. Click Apply.

To configure the Time settings for an existing rule:
1. From the navigation menu, select Security and then select Internet Firewall or WAN Firewall.
2. Use the mouse to hover over the rule.
3. In either the Source, App/Category, or Service/Port column, click the edit icon. The Edit panel opens.
4. Expand the Actions section.
5. In Time, select the desired time settings for that rule.
6. Click Apply and then click Save.
This section explains the fields and settings for the rules in the WAN firewall rule base. A thorough understanding of the WAN firewall helps to successfully manage access control for the corporate network.
The following table describes each column in the WAN firewall rulebase. When there are multiple columns configured for a rule, then there is an AND relationship between them.
For more about Source, Destination, App, and Category items for a rule, see Reference for Rule Objects.
| Item | Description |
|---|---|
| # | Shows the priority of the rule in the WAN firewall rule base. |
| Name | Enter a Name for the rule |
| Source | Source of the traffic for this rule |
| Direction | Indicates the direction of the rule. Options include: |
| Destination | Destination of the traffic for this rule |
| App/Category | Only applies to matching objects for the specific applications, categories, and other objects |
| Service/Port | Only applies to traffic that matches the specified services and ports |
| Action | Apply the specified action to traffic that matches the rule. For example, when the traffic is blocked, the connection is dropped and the lower priority rules are not applied to this connection |
| Track | When the rule is matched, an event is generated or an email notification alert is sent to the specified list |
| Hit Count | The hit count for this rule |
| (menu icon) | Opens a drop-down menu with these options: |
Rule order is defined by setting a rule’s position relative to other rules. For example, set a rule to follow a specific rule, or to be first in a section.
These are the options for defining the rule order:
- Before Rule - The rule is positioned immediately before the selected rule
- After Rule - The rule is positioned immediately after the selected rule
- First in Section - The rule is positioned first in the selected section
- Last in Section - The rule is positioned last in the selected section
- First - The rule is positioned at the top of the rulebase
- Last - The rule is positioned at the bottom of the rulebase
When the WAN firewall is disabled, there is no access control and all WAN resources are accessible to anyone.
- For more about the applications and categories, see Working with Categories
- For more about the settings in the WAN firewall, see Managing the WAN Firewall Policy
4 comments
Added IP Range to the Source and Destination Objects section.
Are hosts on the same network subject to WAN firewall rules, or does traffic between the two hosts bypass the WAN FW because they are on the same network?
Ronny Chan Great question! The engine for the WAN firewall is in a PoP in the Cato Cloud, and WAN firewall rules apply to WAN traffic over the Cato Cloud. The WAN firewall rules do not apply to two hosts behind a site in the same network range.
You can use the LAN Firewall to create rules for two hosts that are on the same network and bypass the WAN firewall.
Thanks,
Yaakov
Isn't a TLD just the rightmost segment of the domain name (e.g., .com and .net)? Cato documentation refers to “the TLD sample.com” all over the place, and even in CMA I see this: