Working with Custom Applications

Overview of Custom Applications

Cato provides full layer 7 application and service awareness that can be used across the Cato Management Application (such as in analytics, security rules, networking rules).

Custom applications enable you to define a proprietary or unique application/service used by your organization that isn't predefined in the Cato Management Application. Once defined, you can use the custom application in security or network rules and analytics like any other global object.

Custom applications are descendants of matching predefined applications. The first matching firewall or network rule is applied to the custom or predefined application. If you want to apply the rule action for a specific application, make sure that this rule is placed above any other rule that contains matching predefined applications.

Note

Note: Although Cato Networks continuously updates its predefined application and service list, in some cases, you may not find a commonly-used application/service for which you are searching. If this occurs, please open a support ticket so that Cato adds the application/service to the predefined list. While you are waiting for the predefined application, you can create the specific application/service as a custom application as a workaround until it is available in the Cato Management Application.

Best Practices for Creating Custom Applications

When the Cato Cloud processes traffic flows, the real-time classification of custom applications matches one application per flow. However, if the applications are not defined according to best practices, then they can overlap which can cause unpredictable behavior regarding which custom application matches a traffic flow.

To help make sure that the applications function correctly in your account, we strongly recommend that you define the custom applications as specifically as possible. This means that you define all the applicable items for the rule for the custom application. For example, configure the custom application with defined Destination IP, Domains, and Ports instead of only defining the Ports.

The following example shows a custom application configured according to Cato's best practices:

CustomApplication_Items.png

Adding Custom Applications

When defining a new custom application, you can assign one or more categories as well as create rules.

  • When specifying multiple categories (for example: Advertisements, Gambling, or News), to define the custom application, the categories form an OR relationship. This means that the custom application is recognized if traffic matches any of the selected categories.

  • When adding a rule to the custom application, the settings for Protocol, Ports, Destination IPs, and Domains form an AND relationship. This means that the custom application is recognized only if traffic matches the criteria defined in all of the sections.

customapps.png

To add a custom application:

  1. In the navigation menu, click Assets > Custom Apps.

  2. Click New. The New Custom Application panel opens.

  3. Enter a Name and Description (optional) for the application.

  4. In the Member of categories section, search for an existing application category from the drop-down menu.

    You can add multiple categories.

  5. In the Rules section, click New to add a rule for the custom app.

    The Add Rule panel opens.

    1. In the Protocol section, select the appropriate protocol for the rule.

    2. In the Ports section, from the drop-down menu select Port or Port Range, and then enter the value.

      Click add.png (Add) to add the ports to the application rule.

    3. In the Destination IP section, from the drop-down menu select IP or IP Range and then enter the value.

      You can also paste a comma separated list with multiple IP addresses and ranges, for example: 10.1.1.1, 10.2.1.1-10.1.2.5

      Click add.png (Add) to add the destination IPs to the application rule.

    4. In the Domains section, from the drop-down menu select if the rule should include matching traffic based on Domain or FQDN and then enter the domains or FQDNs.

      Click add.png (Add) to add the domains to the application rule.

  6. Click Apply. The rule is added to the custom application.

  7. Click Apply. The custom application is added.

  8. Click Save. The custom application is saved.

Deleting Custom Applications

Note

Important! You cannot undo a deletion.

To delete a custom application:

  1. In the navigation menu, click Assets > Custom Apps.

  2. Click Delete.png (Delete) next to the custom application you wish to delete.

    The custom application is removed.

  3. Click Save. The custom application is deleted.

Was this article helpful?

1 out of 1 found this helpful

4 comments

  • Comment author
    Winston Washington

    Hello,

    If we are trying to block all domains within the TLD of "*.cam", then within the custom application rule - we add "cam" and this will allow us to accomplish that restriction?

    Thanks!

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello JR!

    Thank you for seeking clarification about the information conveyed in this section of the documentation.  

    The rule you are defining should work and match up all traffic associated with the Top Level Domain of "cam".  However, the best practice to use when defining a Custom Application is to define it as specifically as possible. 

    I hope that this helps, but if it does not I would recommend that you open a support ticket with Cato.  This would be the best channel to use if you are having problems creating the kind of Custom Application you desire.

    Kind Regards,

    Dermot Doran

    Cato Networks

  • Comment author
    Amel Dzehverovic

    I was trying to exclude Microsoft  domains and IPs creating custom applications, what I cannot find is managment of IPv6 addresses (as Microsoft requests). How this is managed? Is IPv6 traffic allowed/blocked by default or not handled at all?

    thanks

  • Comment author
    Yaakov Simon

    Amel Dzehverovic  After checking with RnD, it seems that IPv6 traffic is not handled at all. Thanks!

Add your comment