What is the Cato WAN Firewall?

This article provides background information about the WAN firewall for your account.

For more information about working with the WAN firewall, see Managing the WAN Firewall Rules.

Overview of the Cato WAN Firewall

The WAN firewall in the Cato Cloud controls access to objects and entities in your Wide Area Network (WAN). Configure the WAN firewall rulebase to create a secure access control policy and protect the network.

The WAN firewall is part of the Next Gen Firewall (NGFW) that is integrated in the Cato Cloud and lets you create rules to prevent unauthorized access to the network. The WAN firewall uses a whitelist approach and there is a default ANY - ANY block rule to drop all connections which are not explicitly allowed in the rulebase.

Use the rules to configure the firewall to inspect all connections and only allow the ones that match its configured settings. The firewall uses an ordered rulebase. This means that it starts inspecting the connection checks to see if it matches the first rule. If not, then it continues to sequentially apply each rule to the connection until a rule matches the connection.

The WAN firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications.

Anti-Spoofing Protections in the Cato Firewall

One of the basic functionalities of an NGFW is to protect against anti-spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This blocks anti-spoofing attacks and prevents violations of the configured logical topology.

Working with Ordered Rules

The WAN firewall inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rulebase is a default ANY - ANY block rule - so if a connection does not match a rule, then it is blocked by the final default rule. A strong access control policy contains firewall rules that allow specific connections and traffic in the WAN.

You can review the default rule settings in the Default Rules section at the end of the rulebase, but these rules can't be edited.

Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection. You can increase the efficiency of the WAN firewall and give a high priority to rules that match the largest number of connections.

Working with Multiple Objects in a Single Rule

When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that allows the Backup Services application for port 443, then the traffic is allowed when it matches both the application and the port.

For rules that use multiple objects in a single column, such as more than one port, then there is an OR relationship between them. For example, if there is a rule that allows access to the mail server for service SMTP and ports 25, 265, 587, and 2525, then the traffic is allowed when it matches the SMTP service, or any one of the ports.


Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.

Understanding the Settings for WAN Firewall Rules

This section explains the fields and settings for the rules in the WAN firewall rule base. A thorough understanding of the WAN firewall helps to successfully manage access control for the corporate network.

Rulebase Columns

The following table describes each column in the WAN firewall rulebase. When there are multiple columns configured for a rule, then there is an AND relationship between them.

For more about Source, Destination, App, and Category items for a rule, see Understanding Source, Destination, App, and Category Objects for Rules.




Shows the priority of the rule in the WAN firewall rule base.

  • Use the Rule Order field to change the priority of the rule.

  • Use the Enabled toggle to enable or disable the rule. The toggle is green toggle.png when enabled.


Enter a Name for the rule


Source of the traffic for this rule


Indicates the direction of the rule. Options include:

  • To - This rule allows the traffic in only one direction, Source to the Destination. For example, site Alpha is allowed to connect to site Bravo, but site Bravo cannot connect with site Alpha.

  • Both - This rule manages traffic in both directions, to and from the Source and Destination.


Destination of the traffic for this rule


Only applies to matching objects for the specific applications, categories, and other objects


Only applies to traffic that matches the specified services and ports


Apply the specified action to traffic that matches the rule

For example, when the traffic is blocked, the connection is dropped and the lower priority rules are not applied to this connection


When the rule is matched, an event is generated or an email notification alert is sent to the specified list


Define the time period when the rule is active


Opens a drop-down menu with these options:

  • Add Rule Above - Add a new rule above the selected rule

  • Add Rule Below - Add a new rule below the selected rule

  • Add Exception - Create a new exception to the selected rule

  • Enable/Disable - when a rule is disabled, the firewall doesn't inspect connections for the settings in the rule

  • Delete Rule - Delete the selected rule

  • Duplicate Rule - Create a new identical rule directly below the selected rule, and modify the conditions and parameters as needed

Enabling and Disabling the WAN Firewall

When the WAN firewall is disabled, there is no access control and all WAN resources are accessible to anyone.


To enable or disable the WAN firewall:

  1. From the navigation menu, click Security > WAN Firewall.

  2. At Firewall Enabled above the rulebase, click the slider toggle.png to enable (green) or disable (gray) the WAN firewall for the account.

  3. Click Save.

Related Resources for the WAN Firewall

Was this article helpful?

0 out of 0 found this helpful


  • Comment author
    Ronny Chan

    Are hosts on the same network subject to WAN firewall rules, or does traffic between the two hosts bypass the WAN FW because they are on the same network?

  • Comment author

    Isn't a TLD just the rightmost segment of the domain name (e.g., .com and .net)? Cato documentation refers to “the TLD sample.com” all over the place, and even in CMA I see this:

  • Comment author
    Yaakov Simon

    Ronny Chan Great question! The engine for the WAN firewall is in a PoP in the Cato Cloud, and WAN firewall rules apply to WAN traffic over the Cato Cloud. The WAN firewall rules do not apply to two hosts behind a site in the same network range.

    You can use the LAN Firewall to create rules for two hosts are on the same network and bypass the WAN firewall.



  • Comment author
    Yaakov Simon

    Added IP Range to the Source and Destination Objects section.

Add your comment