This article provides background information about the WAN firewall for your account.
For more information about working with the WAN firewall, see Managing the WAN Firewall Rules.
The WAN firewall in the Cato Cloud controls access to objects and entities in your Wide Area Network (WAN). Configure the WAN firewall rulebase to create a secure access control policy and protect the network.
The WAN firewall is part of the Next Gen Firewall (NGFW) that is integrated in the Cato Cloud and lets you create rules to prevent unauthorized access to the network. The WAN firewall uses a whitelist approach and there is an implicit ANY - ANY block rule to drop all connections which are not explicitly allowed in the rulebase.
Use the rules to configure the firewall to inspect all connections and only allow the ones that match its configured settings. The firewall uses an ordered rulebase. This means that it starts by checking whether the connection matches the first rule. If not, it continues to apply each rule in sequence until one of them matches the connection.
The WAN firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications.
One of the basic functions of an NGFW is anti-spoofing protection. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This blocks IP spoofing attacks and prevents violations of the configured logical topology.
The WAN firewall inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rulebase is an implicit ANY - ANY block rule - so if a connection does not match a rule, then it is blocked by the final implicit rule. A strong access control policy contains firewall rules that allow specific connections and traffic in the WAN.
Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection. You can increase the efficiency of the WAN firewall by giving a high priority to the rules that match the largest number of connections.
When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that allows the Backup Services application for port 443, then the traffic is allowed when it matches both the application and the port.
For rules that use multiple objects in a single column, such as more than one port, then there is an OR relationship between them. For example, if there is a rule that allows access to the mail server for service SMTP and ports 25, 265, 587, and 2525, then the traffic is allowed when it matches the SMTP service, or any one of the ports.
Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.
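The evaluation semantics described above (the implicit anti-spoofing drop, first-match evaluation of an ordered rulebase ending in an implicit ANY - ANY block, AND across columns, OR within a column, and the way exceptions count toward the 64-condition limit) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Cato code; the entity names, ranges, rule names and the `Rule`/`evaluate`/`count_conditions` helpers are all constructed assumptions, and the rulebase reuses the article's own Backup Services and mail server examples.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_CONDITIONS = 64  # per-rule limit stated in the article

# Constructed topology (assumed names, not Cato's data model): the source
# ranges each configured entity legitimately owns.
ENTITY_RANGES = {
    "branch-nyc": ["10.1.0.0/16"],
    "datacenter": ["10.10.0.0/16"],
}

COLUMNS = ("source", "destination", "apps", "services")


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    source: set = field(default_factory=lambda: {"any"})
    destination: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})
    services: set = field(default_factory=lambda: {"any"})
    exceptions: list = field(default_factory=list)  # list of Rule


def source_in_scope(conn):
    """Anti-spoofing check: the source IP must fall inside the ranges of the
    entity the connection claims to come from. Entities with no configured
    ranges pass here and are left to the rulebase."""
    ranges = ENTITY_RANGES.get(conn["source"])
    if ranges is None:
        return True
    ip = ipaddress.ip_address(conn["source_ip"])
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def column_matches(configured, *values):
    """OR inside a column: 'any', or at least one configured object matches."""
    return "any" in configured or any(v in configured for v in values)


def rule_matches(rule, conn):
    """AND across columns: every column of the rule must match."""
    return (column_matches(rule.source, conn["source"])
            and column_matches(rule.destination, conn["destination"])
            and column_matches(rule.apps, conn["app"])
            # The Service/Port column holds service names and ports together,
            # so either the connection's service or its port may satisfy it.
            and column_matches(rule.services, conn["service"], conn["port"]))


def evaluate(rulebase, conn):
    """First-match evaluation; returns (action, reason)."""
    if not source_in_scope(conn):
        return ("block", "anti-spoofing: source IP outside entity scope")
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, conn):
            return (rule.action, f"rule #{number} ({rule.name})")
    return ("block", "implicit ANY-ANY block")


def count_conditions(rule):
    """Conditions = configured (non-'any') columns of the rule plus those of
    each of its exceptions, which is how the article's limit counts them."""
    def configured(r):
        return sum(1 for c in COLUMNS if getattr(r, c) != {"any"})
    return configured(rule) + sum(configured(e) for e in rule.exceptions)


def over_limit(rule):
    return count_conditions(rule) > MAX_CONDITIONS


# Constructed rulebase, ordered by priority (rule #1 first)
RULEBASE = [
    Rule("Backup to DC", "allow", source={"branch-nyc"}, destination={"datacenter"},
         apps={"Backup Services"}, services={"tcp/443"}),
    Rule("Mail server", "allow", destination={"mail-server"},
         services={"SMTP", "tcp/25", "tcp/265", "tcp/587", "tcp/2525"}),
    Rule("Branch to DC", "block", source={"branch-nyc"}, destination={"datacenter"}),
]

# The note's worked example: 2 conditions + 25 exceptions x 3 conditions = 77
NOTE_RULE = Rule("Note example", "allow", source={"site-a"}, services={"tcp/443"},
                 exceptions=[Rule("ex", "allow", source={"x"}, apps={"y"},
                                  services={"z"}) for _ in range(25)])

if __name__ == "__main__":
    conn = {"source": "branch-nyc", "source_ip": "10.1.5.5", "destination": "datacenter",
            "app": "Backup Services", "service": "HTTPS", "port": "tcp/443"}
    print(evaluate(RULEBASE, conn))
    print(count_conditions(NOTE_RULE), over_limit(NOTE_RULE))
```

Two behaviours are worth checking with this model: backup traffic on a port other than 443 fails rule #1 (AND across columns) and falls through to the block in rule #3, while a connection claiming to come from branch-nyc with a datacenter source IP never reaches the rulebase at all.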
Understanding the Settings for WAN Firewall Rules
This section explains the fields and settings for the rules in the WAN firewall rule base. A thorough understanding of the WAN firewall helps to successfully manage access control for the corporate network.
The following table describes each column in the WAN firewall rulebase. When there are multiple columns configured for a rule, then there is an AND relationship between them.
| Item | Description |
|---|---|
| # | Shows the priority of the rule in the WAN firewall rule base. |
| Name | Enter a Name for the rule |
| Source | Source of the traffic for this rule |
| Direction | Indicates the direction of the rule. Options include: |
| Destination | Destination of the traffic for this rule |
| App/Category | Only applies to matching objects for the specific applications, categories, and other objects |
| Service/Port | Only applies to traffic that matches the specified services and ports |
| Action | Apply the specified action to traffic that matches the rule. For example, when the traffic is blocked, the connection is dropped and the lower priority rules are not applied to this connection |
| Track | When the rule is matched, an event is generated or an email notification alert is sent to the specified list |
| Time | Define the time period when the rule is active |
|  | Opens a drop-down menu with these options: |
The following table describes the objects that you can use in the Source and Destination fields.
| Item | Description | Screen Where Defined |
|---|---|---|
| Site | Sites defined for the account | Assets > Sites |
| Host | Hosts and servers defined in the sites | Assets > Sites > Site Settings > Hosts |
| Interface Subnet | Subnets and network ranges defined for the LAN interfaces of a site | Assets > Sites > Site Settings > Networks |
| Global Range | Native range for the LAN interface of a site | Assets > Sites > Site Settings > Networks |
| Network Interface | Networks defined in the sites | Assets > Sites > Site Settings > Networks |
| Floating Subnet | Global IP ranges that are not connected to a specific site, but can be learned from any site with a BGP neighbor | Network > Floating Ranges |
| SDP User | Individual users defined for the account | Access > VPN Users |
| Group | Groups in the account | Assets > Groups |
| System Group | Predefined groups | N/A |
| User | Users that are imported with Directory Services | Access > Directory Services |
| IP | Enter the IP address with the CIDR that is applied to this rule | N/A |
| IP Range | For the Source of a rule, enter the multiple separate IP addresses or IP range that is applied to this rule, in one of the following formats: | N/A |
| Any | Any source or destination | N/A |
The following table describes the objects that you can use in the App/Category field.
| Item | Description | Where Configured |
|---|---|---|
| Application | Default applications defined by Cato | Default values, cannot be configured |
| Custom Application | Custom applications defined for the account | Assets > Custom Apps |
| Application Category | Default categories defined by Cato | Default values, cannot be configured |
| Custom Category | Custom categories defined for the account | Assets > Categories |
| FQDN | FQDN is an exact match of the fully qualified domain (for example, the FQDN example.com only matches example.com) | Setting for this rule |
| Domain (TLD) | TLD matches all subdomains that end in the TLD (for example, the TLD sample.com matches host.sample.com) | Setting for this rule |
| IP Range | Enter the IP addresses with the CIDR that are applied to this rule | Setting for this rule |
| Any | Any web content, application, or category | Default values, cannot be configured |
When the WAN firewall is disabled, there is no access control and all WAN resources are accessible to anyone.
- For more about the applications and categories, see Working with Categories
- For more about the settings in the WAN firewall, see Managing the WAN Firewall Rules
1 comment
Added IP Range to the Source and Destination Objects section.