What is the Cato Internet Firewall?

This article provides background information about the Internet firewall for your account.

For more information about configuring the Internet firewall, see Managing the Internet Firewall Policy.

Overview

The Internet firewall inspects traffic between the WAN and the Internet and lets you create rules to control this traffic. Similar to the WAN firewall, the Internet firewall uses an ordered rulebase: starting from the first rule, connections are inspected against each rule in turn. The Internet firewall uses a blacklist approach, which means that there is an implicit ANY - ANY rule that allows any traffic and connections not explicitly blocked in the rulebase. The Internet firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications. For example, you can use the Internet firewall to:

  • Block specific websites, such as Facebook or LinkedIn

  • Block categories of inappropriate websites, such as Guns, Alcohol, and Gambling

  • Allow only the IT department to use remote administration applications (SaaS and IaaS)

Understanding Autonomous Firewall Insights

The Autonomous Firewall Insights are a list of best practices that evaluate your Internet Firewall policy and show how it complies with Cato’s recommendations. Following these recommendations optimizes your firewall configuration and improves your security posture.

There are two types of insights:

  • Star icon (powered by AI): Enabled rules in your Internet Firewall policy are automatically analyzed by Artificial Intelligence (AI) to detect issues, for example rules that can be discarded or modified, such as:

    • Expired Rule or Rule with Future Expiration Date: Rules created to address a specific need, with an intended cutoff date that has already passed, has not yet been reached, or cannot be proven or evaluated.

    • Temporary Rule: Introduced as a short-term solution to address an immediate need. These rules are mostly created to function temporarily while a proper or permanent solution is being deployed or developed.

    • Testing Rule: Rules explicitly created for validating, debugging, or experimenting with a specific feature or scenario.

    • Unused Rule: Identifies firewall rules with an Allow action that have not generated any events in the past 30 days

    • Contradicting Rules Check: Identifies firewall rules with identical predicates but different actions, which can create conflicts that prevent lower-priority rules from being applied

  • Configuration-based: The configurations and settings in your Internet Firewall policy are reviewed to ensure they follow best practices.

Working with the Internet Firewall Configuration Wizard

The Internet Firewall Configuration Wizard autonomously reviews your policy using these checks and insights. When a check fails, you can review and update your policy directly in the Wizard without editing individual rules. This helps you stay secure while simplifying policy management.

Anti-Spoofing Protections in the Cato Firewall

One of the basic functions of an NGFW is to protect against spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as a site, network range, device, or user). This blocks spoofing attacks and prevents violations of the configured logical topology.
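The implicit anti-spoofing check, modelled as a source-address-in-scope test, as an added example (not Cato's code; the site names and address ranges are constructed):

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed mapping of configured entities (here, sites) to the address
# ranges that belong to them. Not real customer data.
SITE_RANGES: Dict[str, List[str]] = {
    "branch-nyc": ["10.10.0.0/16"],
    "branch-lon": ["10.20.0.0/16", "192.168.50.0/24"],
}

Connection = Tuple[str, str, str]   # (entity the packet arrived from, source IP, destination)


def _networks(site: str) -> List[ipaddress.IPv4Network]:
    # An unknown entity has no configured scope, so nothing can be in scope for it.
    return [ipaddress.ip_network(r) for r in SITE_RANGES.get(site, [])]


def is_spoofed(site: str, src_ip: str) -> bool:
    """True when the source address lies outside every range configured for the site.
    A valid internal address that belongs to a different site still counts as spoofed,
    because it violates the configured logical topology."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in _networks(site))


def filter_connections(conns: List[Connection]) -> Tuple[List[Connection], List[Connection]]:
    """Apply the implicit drop before the rulebase is consulted.
    Returns (connections passed on to the rulebase, connections dropped)."""
    accepted, dropped = [], []
    for conn in conns:
        site, src_ip, _dst = conn
        (dropped if is_spoofed(site, src_ip) else accepted).append(conn)
    return accepted, dropped


if __name__ == "__main__":
    sample = [
        ("branch-nyc", "10.10.4.7", "203.0.113.10"),     # in scope for its site
        ("branch-nyc", "10.20.4.7", "203.0.113.10"),     # belongs to branch-lon: dropped
        ("branch-lon", "192.168.50.9", "203.0.113.10"),  # second range of branch-lon
        ("unknown", "10.10.4.7", "203.0.113.10"),        # no configured scope: dropped
    ]
    accepted, dropped = filter_connections(sample)
    print("accepted:", accepted)
    print("dropped:", dropped)
```

The drop happens before any rulebase lookup, so no rule (including the implicit ANY - ANY allow) can re-admit a connection rejected here.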

Working with Ordered Rules

The Internet firewall inspects connections sequentially and checks whether the connection matches a rule. The final rule in the rulebase is an implicit ANY - ANY allow rule, so if a connection does not match any rule, it is allowed by this final implicit rule.

Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. If a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection.

Working with Multiple Objects in a Single Rule

When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that blocks the Netflix application for port 443, then the traffic is blocked when it matches both the application and the port.

For rules that use multiple objects in a single column, such as more than one application, then there is an OR relationship between them. For example, if there is a rule that blocks access to the Netflix, iTunes, and YouTube applications, then the traffic is blocked when it matches any of the applications.

Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.
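A model of the ordered rulebase semantics described in the last three sections (first match wins, implicit ANY - ANY allow, AND across columns, OR within a column, exceptions counted toward the 64-condition limit) together with the Contradicting Rules check from the insights list, as an added example; this is not Cato's code, and the column names, object names and the sample rulebase are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A predicate maps a rulebase column (constructed names: "source", "app",
# "category", "service") to the set of objects selected in that column.
Predicate = Dict[str, Set[str]]


@dataclass
class Rule:
    name: str
    predicate: Predicate
    action: str                                   # "Allow" or "Block"
    exceptions: List[Predicate] = field(default_factory=list)
    enabled: bool = True


MAX_AND_CONDITIONS = 64                           # per-rule limit stated in the note above


def predicate_matches(pred: Predicate, conn: Dict[str, str]) -> bool:
    """Columns are ANDed; the objects within one column are ORed."""
    return all(conn.get(column) in objects for column, objects in pred.items())


def and_condition_count(rule: Rule) -> int:
    """AND conditions of the rule itself plus those of every exception."""
    return len(rule.predicate) + sum(len(exc) for exc in rule.exceptions)


def exceeds_condition_limit(rule: Rule) -> bool:
    return and_condition_count(rule) > MAX_AND_CONDITIONS


def evaluate(rulebase: List[Rule], conn: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Inspect top to bottom; the first matching rule decides and inspection stops.
    If nothing matches, the implicit final ANY - ANY rule allows the connection."""
    for rule in rulebase:
        if not rule.enabled:
            continue
        if predicate_matches(rule.predicate, conn) and not any(
            predicate_matches(exc, conn) for exc in rule.exceptions
        ):
            return rule.action, rule.name
    return "Allow", None


def _predicate_key(pred: Predicate):
    return frozenset((column, frozenset(objects)) for column, objects in pred.items())


def find_contradictions(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs of enabled rules with identical predicates but different actions;
    the lower rule of each pair can never be applied."""
    found = []
    for i, upper in enumerate(rulebase):
        for lower in rulebase[i + 1:]:
            if (upper.enabled and lower.enabled
                    and _predicate_key(upper.predicate) == _predicate_key(lower.predicate)
                    and upper.action != lower.action):
                found.append((upper.name, lower.name))
    return found


# Constructed sample rulebase, ordered from highest priority (top) to lowest.
RULEBASE = [
    Rule("Block social", {"app": {"Facebook", "LinkedIn"}}, "Block"),
    Rule("Block streaming on 443",
         {"app": {"Netflix", "iTunes", "YouTube"}, "service": {"TCP/443"}}, "Block"),
    Rule("IT remote admin",
         {"source": {"IT department"}, "category": {"Remote Administration"}}, "Allow"),
    Rule("Block remote admin", {"category": {"Remote Administration"}}, "Block"),
    Rule("Block gambling", {"category": {"Gambling"}}, "Block",
         exceptions=[{"source": {"Marketing"}}]),
    Rule("Allow social (stale)", {"app": {"Facebook", "LinkedIn"}}, "Allow"),
]

if __name__ == "__main__":
    for conn in (
        {"source": "Sales", "app": "Netflix", "service": "TCP/443"},   # app AND service: blocked
        {"source": "Sales", "app": "Netflix", "service": "TCP/80"},    # only app matched: implicit allow
        {"source": "IT department", "category": "Remote Administration"},
        {"source": "Sales", "category": "Remote Administration"},
    ):
        print(conn, "->", evaluate(RULEBASE, conn))
    print("contradicting rules:", find_contradictions(RULEBASE))
```

Note how the "IT remote admin" allow rule only works because it sits above the broader "Block remote admin" rule; swapping the two would block the IT department as well, since inspection stops at the first match.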

Understanding the Hit Count

The hit count helps you identify unused rules that can be removed from a policy, and optimize rule configuration to better match the required traffic scope. The hit count for a rule is based on the number of events generated by the rule. If a rule does not generate events, the hit count is zero.

The hit count contains two numbers:

  • The approximate number of events generated by each rule in the policy

  • How often the rule is hit relative to other rules (ranked by percentile)

These values are updated once every 24 hours and are based on the past 14 days of traffic.

You can quickly identify the rules with the highest and lowest hit count, based on the color of the status bar. This color reflects how often the rule is hit relative to other rules:

  • Blue: 0 - 24th percentile

  • Green: 25th - 49th percentile

  • Orange: 50th - 74th percentile

  • Red: 75th -100th percentile
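The hit count, its percentile colour and the Unused Rule insight computed from a constructed event log, as an added example (not Cato's code). The 14-day and 30-day windows and the colour bands are from the article; how the percentile is computed is not stated, so this model assumes it is the percentage of rules in the policy with a strictly lower hit count:

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Rules are (name, action); events are (timestamp, name of the rule that
# generated them). Both are constructed for this example.
NOW = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)
RULES: List[Tuple[str, str]] = [("A", "Block"), ("B", "Block"), ("C", "Allow"),
                                ("D", "Allow"), ("E", "Allow")]


def _constructed_events() -> List[Tuple[datetime, str]]:
    events = []
    for rule, count in (("A", 120), ("B", 40), ("C", 8)):
        for i in range(count):                       # spread over the last few days
            events.append((NOW - timedelta(hours=i), rule))
    # One event older than 14 days but inside 30: counts for "used", not for the hit count.
    events.append((NOW - timedelta(days=20), "E"))
    return events


EVENTS = _constructed_events()


def hit_counts(rules, events, now, window_days: int = 14) -> Dict[str, int]:
    """Events per rule inside the window; rules without events get 0."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter(rule for ts, rule in events if cutoff <= ts <= now)
    return {name: counts.get(name, 0) for name, _ in rules}


def percentile_ranks(counts: Dict[str, int]) -> Dict[str, int]:
    """Assumed definition: share of rules in the policy with a strictly lower hit count."""
    n = len(counts)
    return {name: 100 * sum(1 for other in counts.values() if other < c) // n
            for name, c in counts.items()}


def color_for(percentile: int) -> str:
    """Status bar colour bands from the article."""
    if percentile < 25:
        return "Blue"
    if percentile < 50:
        return "Green"
    if percentile < 75:
        return "Orange"
    return "Red"


def status_colors(rules, events, now) -> Dict[str, str]:
    ranks = percentile_ranks(hit_counts(rules, events, now))
    return {name: color_for(p) for name, p in ranks.items()}


def unused_allow_rules(rules, events, now, window_days: int = 30) -> List[str]:
    """Unused Rule insight: Allow rules with no events in the past 30 days."""
    counts = hit_counts(rules, events, now, window_days)
    return [name for name, action in rules if action == "Allow" and counts[name] == 0]


if __name__ == "__main__":
    print("hit counts (14d):", hit_counts(RULES, EVENTS, NOW))
    print("colours:", status_colors(RULES, EVENTS, NOW))
    print("unused allow rules (30d):", unused_allow_rules(RULES, EVENTS, NOW))
```

Rule E shows why the two windows differ: its hit count is zero (no events in 14 days), yet it is not flagged as unused because it did generate an event within the last 30 days.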

Policy Revisions and Concurrent Editing by Multiple Admins

The Internet Firewall lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.

Configuring the Time Settings for a Rule

You can configure the time settings for a rule so that it is enabled or disabled at a defined date and time. In the Time drop-down, you can configure the Daily Schedule and/or the Active Period.

You can configure both of these options so that, for example, the rule is active on weekdays during the month of May 2025. Alternatively, you can configure each option independently to meet your requirements.

Understanding the Daily Schedule

The Daily Schedule defines when the rule is active. If a schedule is configured for a rule, a clock symbol is displayed in the Action column of the rule table.

The options for the Daily Schedule are:

  • No time constraint: There is no schedule for the rule. This is the default behavior of the rules.

  • Limit to working hours: The rule is active only during the working hours configured in the Cato Management Application. For more about working hours, see Defining Default Working Hours for the Account.

  • Custom: Select the time of day and the days of the week when the rule is active. To apply the time setting on a single date instead, uncheck the Recurring option and select the Date for the rule.

    • Recurring: The time setting will be applied more than once, for example, every Tuesday from 9:00am to 5:00pm.

Understanding the Active Period

The Active Period defines the date and time period during which the rule is active, in UTC. If the Effective From field is not set, the rule is active immediately after it is saved and published.

In the rule table, if an Active Period is defined, an hourglass symbol is displayed in the Action column. The color of the symbol reflects the status:

  • Black: The rule is not active and will become active in the future

  • Green: The rule is active

  • Red: The rule has expired
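How the Daily Schedule and the Active Period combine to decide whether a rule is active at a given moment, including the hourglass status, as an added example (not Cato's code). The Effective From field, the Black/Green/Red statuses and the UTC basis come from the article; the name of the expiry field (expires_at here) and the handling of a non-recurring single Date are assumptions of this model, and the sample schedule is the "weekdays during May 2025" case from the text:

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timezone
from typing import Optional, Set

UTC = timezone.utc


@dataclass
class DailySchedule:
    start: time                                        # time of day the rule becomes active
    end: time                                          # time of day it stops being active
    recurring: bool = True
    weekdays: Set[int] = field(default_factory=set)    # 0 = Monday .. 6 = Sunday (recurring)
    on_date: Optional[date] = None                     # single date when not recurring (assumed)


@dataclass
class ActivePeriod:
    effective_from: Optional[datetime] = None          # None: active as soon as published
    expires_at: Optional[datetime] = None              # assumed name for the end of the period


def period_status(period: Optional[ActivePeriod], now: datetime) -> str:
    """Hourglass colour: Black = not yet active, Green = active, Red = expired."""
    if period is None:
        return "Green"
    if period.effective_from is not None and now < period.effective_from:
        return "Black"
    if period.expires_at is not None and now >= period.expires_at:
        return "Red"
    return "Green"


def schedule_allows(schedule: Optional[DailySchedule], now: datetime) -> bool:
    """None means "No time constraint"; otherwise match the day, then the time window."""
    if schedule is None:
        return True
    if schedule.recurring:
        if now.weekday() not in schedule.weekdays:
            return False
    elif now.date() != schedule.on_date:
        return False
    return schedule.start <= now.time() < schedule.end


def rule_is_active(schedule: Optional[DailySchedule],
                   period: Optional[ActivePeriod], now: datetime) -> bool:
    """Both settings must agree. Evaluation is done in UTC, as the Active Period is."""
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    now = now.astimezone(UTC)
    return period_status(period, now) == "Green" and schedule_allows(schedule, now)


# Constructed example from the text: working hours on weekdays, May 2025 only.
WEEKDAYS_9_TO_5 = DailySchedule(time(9, 0), time(17, 0), weekdays={0, 1, 2, 3, 4})
MAY_2025 = ActivePeriod(datetime(2025, 5, 1, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC))

if __name__ == "__main__":
    for when in (datetime(2025, 5, 13, 10, tzinfo=UTC),   # Tuesday in May: active
                 datetime(2025, 5, 17, 10, tzinfo=UTC),   # Saturday: outside schedule
                 datetime(2025, 6, 2, 10, tzinfo=UTC)):   # Monday after the period: expired
        print(when.isoformat(), period_status(MAY_2025, when),
              rule_is_active(WEEKDAYS_9_TO_5, MAY_2025, when))
```

Because the period is evaluated in UTC, a schedule meant for a local working day needs its hours expressed in UTC (or compared after converting), which is what the astimezone call above does for any aware timestamp it receives.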

Traffic Blocked Related to the MSA

The Cato Networks Master Service Agreement (MSA) defines traffic that is potentially illegal or malicious that is automatically blocked. There is a hidden implicit rule at the top of the Internet firewall rulebase that blocks these connections.

For more about the MSA, see Cato Networks MSA.

Understanding the Settings for Internet Firewall Rules

This section explains the fields and settings for the rules in the Internet firewall rulebase. A thorough understanding of the Internet firewall helps you manage access control for the corporate network successfully.

Rule Actions

The following list describes the actions that each firewall rule can apply to the network traffic. For actions that generate events, you can show event logs in Home > Events.

  • Allow: Firewall allows matching traffic.

  • Block: Firewall blocks matching traffic.

  • Prompt: Firewall redirects matching traffic to a web page with a message. The user is prompted to decide whether or not to continue. You can customize the prompt web page; see Customizing the Warning / Block Page.

    The Cato prompt page is an HTML page that uses JavaScript and session cookies to manage user consent. These cookies are domain-specific, temporary, and typically deleted when the browser is closed. Cato currently uses three cookie name prefixes (tls_cert_err, fw_wan, and fw_inet). Cookie handling and session persistence depend on user settings and behaviour, the browser, and the operating system.

    To review events for when a user chooses to proceed after a prompt page, filter the Events page to show events with the Prompt Action field set to the value Proceed.

  • Remote Browsing (RBI): Matching traffic is delivered by RBI.

  • Captive Portal: Matching traffic is directed to the captive portal.

Internet Firewall Rulebase Columns

For a description of the different rulebase columns and Source, App, and Category items for rules, see What is the Cato WAN Firewall? and Reference for Rule Objects. Unlike the WAN firewall, the Destination for the Internet firewall is always the Internet. When there are multiple columns configured for a rule, then there is an AND relationship between them.

Setting the Rule Order

Rule order is defined by setting a rule’s position relative to other rules. For example, set a rule to follow a specific rule, or to be first in a section.

These are the options for defining the rule order:

  • Before Rule - The rule is positioned immediately before the selected rule

  • After Rule - The rule is positioned immediately after the selected rule

  • First in Section - The rule is positioned first in the selected section

  • Last in Section - The rule is positioned last in the selected section

  • First - The rule is positioned at the top of the rulebase

  • Last - The rule is positioned at the bottom of the rulebase


4 comments

  • Jonathan Rabinowitz

    From June 16, 2024, these features will be gradually enabled on accounts:

    • Unpublished draft revisions for each admin
    • Locked rules to prevent editing by other admins
    • Defining rule order based on position relative to other rules
  • Gordon Sandlin

    Still waiting on the firewall rule Time Setting schedule feature improvement. Is there an ETA on when it will be fully rolled out?

  • Yaakov Simon

    Gordon Sandlin - Features are rolled out over a two-week period. I believe that this feature should now be activated on your account.

    For more information about Cato's gradual rollout, see this article.

  • Gordon Sandlin (edited)

    Sounds like I need to open a support ticket, then. The feature is not yet in my account as of yesterday.

    Thanks