Cato provides full layer 7 application and service awareness that can be used across the Cato Management Application (such as in analytics, security rules, networking rules).
Custom apps enable you to define a proprietary or unique app/service used by your organization that isn't predefined in the Cato Management Application (CMA). Once defined, you can use the custom app in Security or Network Rules and analytics like any other global object.
Custom apps are descendants of the predefined applications they match. The firewall and network rulebases apply the first matching rule, regardless of whether that rule references the custom app or its predefined parent. To apply a rule action to a specific custom app, place that rule above any rule that references the matching predefined application; otherwise the earlier rule for the parent wins and the custom app rule is never reached.
Note: Although Cato Networks continuously updates its predefined application and service list, in some cases you may not find a commonly used application or service that you are searching for. If this occurs, open a support ticket so that Cato adds the application or service to the predefined list. While you are waiting for the predefined application, you can create the application or service as a custom application as a workaround until it is available in the CMA.
When the Cato Cloud processes traffic flows, the real-time classification of custom applications matches exactly one application per flow. If custom applications are not defined according to best practices, their definitions can overlap, and which custom application a flow is attributed to becomes unpredictable.
To make sure that custom applications behave correctly in your account, we strongly recommend that you define each one as specifically as possible. This means populating every applicable criterion in the custom app's rule rather than only one of them. For example, configure the custom application with Destination IP, Domains, and Ports together instead of defining only the Ports, because a port-only definition also claims every other flow to that port.
The following example shows a custom application configured according to Cato's best practices:
When defining a new custom app, you assign one or more categories that the app belongs to and create one or more rules that define the app's traffic.
- When you specify multiple categories (for example: Advertisements, Gambling, and News), the categories have an OR relationship: the custom app is listed under each of the selected categories, so a rule that references any one of them includes the app.
  The Member of categories setting is metadata only; it does not affect which traffic matches the custom app.
- Within a rule added to the custom application, the Protocol, Ports, Destination IPs, and Domains settings have an AND relationship: the custom app is recognized only if the traffic matches all of the criteria defined in that rule.
To add a custom app:
1. In the navigation menu, click Assets > Custom Apps.
2. Click New. The New Custom Application panel opens.
3. Enter a Name and Description (optional) for the application.
4. In the Member of categories section, search for an existing application category from the drop-down menu. You can add multiple categories.
5. In the Rules section, click New to add a rule for the custom app. The Add Rule panel opens.
   a. In the Protocol section, select the appropriate protocol for the rule.
   b. In the Ports section, from the drop-down menu select Port or Port Range, and then enter the value. Click Add to add the ports to the application rule.
   c. In the Destination IP section, enter the IP address or IP range. You can also paste a comma-separated list of multiple IP addresses and ranges, for example: 10.1.1.1, 10.2.1.1-10.2.1.105. Click Add to add the destination IPs to the application rule.
   d. In the Domains section, from the drop-down menu select whether the rule should match traffic based on Domain or FQDN, and then enter the domains or FQDNs. Click Add to add the domains to the application rule.
   e. Click Apply. The rule is added to the custom application.
6. Click Apply. The custom app is added to the page.
7. Click Save. The custom app is saved to your account.
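The matching semantics described above (criteria AND'd within a rule, rules OR'd within an app, one app per flow, first match in order) are easy to get wrong when two custom apps overlap. The following Python model is an added example, not Cato's code and not the CMA's actual classifier: it parses the comma-separated IP list format the procedure accepts, applies the documented AND/OR semantics to constructed flows, and reports flows that more than one custom app would claim. It also shows why a Domain entry such as `erp.example.internal` covers every host under that name while an FQDN entry covers only the exact host. The app names, addresses and hostnames are constructed for illustration, and the model deliberately accepts IPv4 only; that is an assumption, not a statement about what the product does.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the documented custom-app matching rules.
# Not Cato's classifier; IPv4-only by assumption.


def parse_ip_list(text):
    """Parse '10.1.1.1, 10.2.1.1-10.2.1.105' into (start, end) integer pairs."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
        else:
            lo = hi = ipaddress.IPv4Address(item)
        if int(hi) < int(lo):
            raise ValueError(f"range end precedes start: {item}")
        ranges.append((int(lo), int(hi)))
    return ranges


def domain_matches(kind, pattern, host):
    """'fqdn' requires an exact host; 'domain' also covers every label under it,
    so a bare TLD such as 'cam' covers every *.cam host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if kind == "fqdn":
        return host == pattern
    return host == pattern or host.endswith("." + pattern)


@dataclass
class Rule:
    protocol: str   # e.g. "TCP"; empty string = any
    ports: list     # [(lo, hi)]; empty = any
    dst_ips: list   # [(lo, hi)] as ints; empty = any
    domains: list   # [("domain" | "fqdn", name)]; empty = any

    def matches(self, flow):
        # Every populated criterion must hold (AND); an empty one is a wildcard.
        if self.protocol and flow["protocol"] != self.protocol:
            return False
        if self.ports and not any(lo <= flow["port"] <= hi for lo, hi in self.ports):
            return False
        if self.dst_ips:
            ip = int(ipaddress.IPv4Address(flow["dst_ip"]))
            if not any(lo <= ip <= hi for lo, hi in self.dst_ips):
                return False
        if self.domains and not any(
            domain_matches(kind, name, flow.get("host", "")) for kind, name in self.domains
        ):
            return False
        return True


@dataclass
class CustomApp:
    name: str
    rules: list

    def matches(self, flow):
        return any(r.matches(flow) for r in self.rules)  # rules are OR'd


def classify(apps, flow):
    """One app per flow: the first app in order whose rules match wins."""
    for app in apps:
        if app.matches(flow):
            return app.name
    return None


def overlapping_apps(apps, flows):
    """Map host -> list of app names for flows that more than one app claims."""
    problems = {}
    for flow in flows:
        hits = [a.name for a in apps if a.matches(flow)]
        if len(hits) > 1:
            problems[flow["host"]] = hits
    return problems


# Constructed definitions: a port-only app (against best practice) and a
# fully specified one on the same port.
PORT_ONLY = CustomApp("legacy-agent", [Rule("TCP", [(8443, 8443)], [], [])])
SPECIFIC = CustomApp("erp-portal", [Rule(
    "TCP", [(8443, 8443)],
    parse_ip_list("10.20.0.10, 10.20.0.20-10.20.0.29"),
    [("domain", "erp.example.internal")],
)])

# Constructed sample flows.
FLOWS = [
    {"protocol": "TCP", "port": 8443, "dst_ip": "10.20.0.25", "host": "app.erp.example.internal"},
    {"protocol": "TCP", "port": 8443, "dst_ip": "192.0.2.7", "host": "updates.example.net"},
]

if __name__ == "__main__":
    print(classify([PORT_ONLY, SPECIFIC], FLOWS[0]))   # legacy-agent shadows erp-portal
    print(classify([SPECIFIC, PORT_ONLY], FLOWS[0]))   # erp-portal
    print(overlapping_apps([PORT_ONLY, SPECIFIC], FLOWS))
```

Running `overlapping_apps` over representative flows before saving a new custom app is the check this page's best-practice section is really asking for: if a port-only definition and a specific one both claim the same flow, the port-only app either needs the missing Destination IP and Domain criteria or must be ordered so that it cannot shadow the more specific app.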
4 comments
Hello,
If we are trying to block all domains within the TLD of "*.cam", then within the custom application rule - we add "cam" and this will allow us to accomplish that restriction?
Thanks!
Hello JR!
Thank you for seeking clarification about the information conveyed in this section of the documentation.
The rule you are defining should work and match up all traffic associated with the Top Level Domain of "cam". However, the best practice to use when defining a Custom Application is to define it as specifically as possible.
I hope that this helps, but if it does not I would recommend that you open a support ticket with Cato. This would be the best channel to use if you are having problems creating the kind of Custom Application you desire.
Kind Regards,
Dermot Doran
Cato Networks
I was trying to exclude Microsoft domains and IPs by creating custom applications. What I cannot find is management of IPv6 addresses (as Microsoft requests). How is this managed? Is IPv6 traffic allowed/blocked by default, or not handled at all?
thanks
Amel Dzehverovic After checking with RnD, it seems that IPv6 traffic is not handled at all. Thanks!