What is the Cato WAN Firewall?

This article provides background information about the WAN firewall for your account.

For more information about working with the WAN firewall, see Managing the WAN Firewall Rules.

Overview of the Cato WAN Firewall

The WAN firewall in the Cato Cloud controls access to objects and entities in your Wide Area Network (WAN). Configure the WAN firewall rulebase to create a secure access control policy and protect the network.

The WAN firewall is part of the Next Gen Firewall (NGFW) that is integrated in the Cato Cloud and lets you create rules to prevent unauthorized access to the network. The WAN firewall uses a whitelist approach and there is an implicit ANY - ANY block rule to drop all connections which are not explicitly allowed in the rulebase.

Use the rules to configure the firewall to inspect all connections and only allow the ones that match its configured settings. The firewall uses an ordered rulebase. This means that it starts inspecting the connection checks to see if it matches the first rule. If not, then it continues to sequentially apply each rule to the connection until a rule matches the connection.

The WAN firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications.

Anti-Spoofing Protections in the Cato Firewall

One of the basic functionalities of an NGFW is to protect against anti-spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This blocks anti-spoofing attacks and prevents violations of the configured logical topology.

Working with Ordered Rules

The WAN firewall inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rulebase is an implicit ANY - ANY block rule - so if a connection does not match a rule, then it is blocked by the final implicit rule. A strong access control policy contains firewall rules that allow specific connections and traffic in the WAN.

Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection. You can increase the efficiency of the WAN firewall and give a high priority to rules that match the largest number of connections.

Working with Multiple Objects in a Single Rule

When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that allows the Backup Services application for port 443, then the traffic is allowed when it matches both the application and the port.

For rules that use multiple objects in a single column, such as more than one port, then there is an OR relationship between them. For example, if there is a rule that allows access to the mail server for service SMTP and ports 25, 265, 587, and 2525, then the traffic is allowed when it matches the SMTP service, or any one of the ports.

Note

Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.

Understanding the Settings for WAN Firewall Rules

This section explains the fields and settings for the rules in the WAN firewall rule base. A thorough understanding of the WAN firewall helps to successfully manage access control for the corporate network.

Rule Actions

The following table describes the actions that each firewall rule can apply to the network traffic. For actions that generate events, you can show event logs in Monitoring > Events.

Item

Description

allow.svg Allow

Firewall allows matching traffic.

block.svg Block

Firewall blocks matching traffic.

prompt.svg Prompt

Firewall redirects matching traffic to a web page with a message. The user is prompted to decide whether or not to continue. You can customize the prompt web page, see Customizing the Block/Prompt Page.

Rulebase Columns

The following table describes each column in the WAN firewall rulebase. When there are multiple columns configured for a rule, then there is an AND relationship between them.

Item

Description

#

Shows the priority of the rule in the WAN firewall rule base.

  • Use the Rule Order field to change the priority of the rule.

  • Use the Enabled toggle to enable or disable the rule. The toggle is green toggle.png when enabled.

Name

Enter a Name for the rule

Source

Source of the traffic for this rule

Direction

Indicates the direction of the rule. Options include:

  • To - This rule allows the traffic in only one direction, Source to the Destination. For example, site Alpha is allowed to connect to site Bravo, but site Bravo cannot connect with site Alpha.

  • Both - This rule manages traffic in both directions, to and from the Source and Destination.

Destination

Destination of the traffic for this rule

App/Category

Only applies to matching objects for the specific applications, categories, and other objects

Service/Port

Only applies to traffic that matches the specified services and ports

Action

Apply the specified action to traffic that matches the rule

For example, when the traffic is blocked, the connection is dropped and the lower priority rules are not applied to this connection

Track

When the rule is matched, an event is generated or an email notification alert is sent to the specified list

Time

Define the time period when the rule is active

More_icon.png

Opens a drop-down menu with these options:

  • Add Rule Above - Add a new rule above the selected rule

  • Add Rule Below - Add a new rule below the selected rule

  • Add Exception - Create a new exception to the selected rule

  • Enable/Disable - when a rule is disabled, the firewall doesn't inspect connections for the settings in the rule

  • Delete Rule - Delete the selected rule

  • Duplicate Rule - Create a new identical rule directly below the selected rule, and modify the conditions and parameters as needed.

Source and Destination Objects

The following table describes the objects that you can use in the Source and Destination fields.

Item

Description

Screen Where Defined

Site

Sites defined for the account

Assets > Sites

Host

Hosts and servers defined in the sites

Assets > Sites > Site Settings > Hosts

Interface Subnet

Subnets and network ranges defined for the LAN interfaces of a site

Assets > Sites > Site Settings > Networks

Global Range

Native range for the LAN interface of a site

Assets > Sites > Site Settings > Networks

Network Interface

Networks defined in the sites

Assets > Sites > Site Settings > Networks

Floating Subnet

Global IP ranges that are not connected to a specific site, but can be learned from any site with a BGP neighbor

Network > Floating Ranges

SDP User

Individual users defined for the account

Access > VPN Users

Group

Groups in the account

Assets > Groups

System Group

Predefined groups

N/A

User

Users that are imported with Directory Services

Access > Directory Services

IP

Enter the IP address with the CIDR that is applied to this rule

N/A

IP Range

For the Source of a rule, enter the multiple separate IP addresses or IP range that is applied to this rule, in one of the following formats:

  • 192.168.0.26, 192.168.0.58, 192.168.0.200

  • 192.168.0.1-192.168.0.100

  • 192.168.0.0/24

N/A

Any

Any source or destination

N/A

App/Category Objects

The following table describes the objects that you can use in the App/Category field.

Item

Description

Where Configured

Application

Default applications defined by Cato

Default values, cannot be configured

Custom Application

Custom applications defined for the account

Assets > Custom Apps

Application Category

Default categories defined by Cato

Default values, cannot be configured

Custom Category

Custom categories defined for the account

Assets > Categories

FQDN

FQDN is an exact match of the fully qualified domain (for example, the FQDN example.com only matches example.com)

Setting for this rule

Domain (TLD)

TLD matches all subdomains that end in the TLD (for example, the TLD sample.com matches host.sample.com)

Setting for this rule

IP Range

Enter the IP addresses with the CIDR that are applied to this rule

Setting for this rule

Any

Any web content, application, or category

Default values, cannot be configured

Enabling and Disabling the WAN Firewall

When the WAN firewall is disabled, there is no access control and all WAN resources are accessible to anyone.

WAN-FW-enabled.png

To enable or disable the WAN firewall:

  1. From the navigation menu, click Security > WAN Firewall.

  2. At Firewall Enabled above the rulebase, click the slider toggle.png to enable (green) or disable (gray) the WAN firewall for the account.

  3. Click Save.

Related Resources for the WAN Firewall

Was this article helpful?

1 comment

Date Votes
  • Comment author
    Yaakov Simon

    Added IP Range to the Source and Destination Objects section.

Add your comment