Cato provides full layer 7 application and service awareness that can be used across the Cato Management Application (for example, in analytics, security rules, and networking rules).
Custom applications enable you to define a proprietary or unique application/service used by your organization that isn't predefined in the Cato Management Application. Once defined, you can use the custom application in security or network rules and analytics like any other global object.
Custom applications are descendants of matching predefined applications. The first matching firewall or network rule is applied to the custom or predefined application. If you want to apply the rule action for a specific application, make sure that this rule is placed above any other rule that contains matching predefined applications.
Note: Although Cato Networks continuously updates its predefined application and service list, in some cases you may not find a commonly used application/service that you are searching for. If this occurs, please open a support ticket so that Cato adds the application/service to the predefined list. In the meantime, you can create the application/service as a custom application as a workaround until the predefined application is available in the Cato Management Application.
When the Cato Cloud processes traffic flows, the real-time classification of custom applications matches one application per flow. However, if the applications are not defined according to best practices, they can overlap, which can cause unpredictable behavior regarding which custom application matches a traffic flow.
To help make sure that the applications function correctly in your account, we strongly recommend that you define the custom applications as specifically as possible. This means that you define all the applicable items for the rule for the custom application. For example, configure the custom application with defined Destination IP, Domains, and Ports instead of only defining the Ports.
The following example shows a custom application configured according to Cato's best practices:
When defining a new custom application, you can assign one or more categories as well as create rules.
When you specify multiple categories to define the custom application (for example: Advertisements, Gambling, or News), the categories form an OR relationship. This means that the custom application is recognized if traffic matches any of the selected categories.
When adding a rule to the custom application, the settings for Protocol, Ports, Destination IPs, and Domains form an AND relationship. This means that the custom application is recognized only if traffic matches the criteria defined in all of the sections.
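The AND relationship between rule sections, and the overlap that the best practice above warns about, can be seen in a small model. This is an added example, not Cato's code or API: the AppRule and Flow classes, the app names, and the sample addresses and hostnames are constructed for illustration, and it assumes that several values inside one section are alternatives and that a domain entry also covers its subdomains.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    protocol: str
    port: int
    dst_ip: str
    host: str

@dataclass(frozen=True)
class AppRule:
    """Hypothetical model of one custom application rule (not Cato's code)."""
    name: str
    protocol: str = ""   # empty section = not defined, so it is not checked
    ports: tuple = ()    # inclusive (low, high) pairs
    dst_ips: tuple = ()  # inclusive (first, last) address pairs
    domains: tuple = ()  # domain names; subdomains also match (assumption)

    def matches(self, f: Flow) -> bool:
        checks = []  # one result per defined section
        if self.protocol:
            checks.append(f.protocol == self.protocol)
        if self.ports:
            checks.append(any(lo <= f.port <= hi for lo, hi in self.ports))
        if self.dst_ips:
            ip = ip_address(f.dst_ip)
            checks.append(any(ip_address(a) <= ip <= ip_address(b)
                              for a, b in self.dst_ips))
        if self.domains:
            checks.append(any(f.host == d or f.host.endswith("." + d)
                              for d in self.domains))
        return bool(checks) and all(checks)  # AND across defined sections

def candidates(rules, flow):
    return [r.name for r in rules if r.matches(flow)]

# Constructed sample data: two internal apps that share TCP/8443.
FLOW = Flow("TCP", 8443, "10.1.1.1", "billing.corp.example")
PORTS_ONLY = [AppRule("billing", ports=((8443, 8443),)),
              AppRule("inventory", ports=((8443, 8443),))]
SPECIFIC = [AppRule("billing", "TCP", ((8443, 8443),),
                    (("10.1.1.1", "10.1.1.1"),), ("billing.corp.example",)),
            AppRule("inventory", "TCP", ((8443, 8443),),
                    (("10.2.1.1", "10.2.1.9"),), ("inventory.corp.example",))]

if __name__ == "__main__":
    print("ports only:", candidates(PORTS_ONLY, FLOW))  # both apps overlap
    print("specific:  ", candidates(SPECIFIC, FLOW))    # a single app
```

With ports-only definitions, both applications are candidates for the same flow, which is the overlap that makes the matched application unpredictable; the fully specified definitions leave one candidate.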
To add a custom application:
In the navigation menu, click Assets > Custom Apps.
Click New. The New Custom Application panel opens.
Enter a Name and Description (optional) for the application.
In the Member of categories section, search for an existing application category from the drop-down menu.
You can add multiple categories.
In the Rules section, click New to add a rule for the custom app.
The Add Rule panel opens.
In the Protocol section, select the appropriate protocol for the rule.
In the Ports section, from the drop-down menu select Port or Port Range, and then enter the value.
Click (Add) to add the ports to the application rule.
In the Destination IP section, from the drop-down menu select IP or IP Range and then enter the value.
You can also paste a comma-separated list with multiple IP addresses and ranges, for example: 10.1.1.1, 10.2.1.1-10.1.2.5
Click (Add) to add the destination IPs to the application rule.
In the Domains section, from the drop-down menu, select whether the rule matches traffic based on Domain or FQDN, and then enter the domains or FQDNs.
Click (Add) to add the domains to the application rule.
Click Apply. The rule is added to the custom application.
Click Apply. The custom application is added.
Click Save. The custom application is saved.
Important! You cannot undo a deletion.
If we are trying to block all domains within the TLD of "*.cam", then within the custom application rule - we add "cam" and this will allow us to accomplish that restriction?
Thank you for seeking clarification about the information conveyed in this section of the documentation.
The rule you are defining should work and match up all traffic associated with the Top Level Domain of "cam". However, the best practice to use when defining a Custom Application is to define it as specifically as possible.
I hope that this helps, but if it does not I would recommend that you open a support ticket with Cato. This would be the best channel to use if you are having problems creating the kind of Custom Application you desire.