What is the Cato Internet Firewall?

This article provides background information about the Internet firewall for your account.

For more information about configuring the Internet firewall, see Managing the Internet Firewall Policy.

Overview

The Internet firewall inspects traffic between the WAN and the Internet and lets you create rules to control this traffic. Similar to the WAN firewall, the Internet firewall uses an ordered rulebase, starting from the first rule, connections are inspected according to each rule. The Internet firewall uses a blacklist approach. This means that there is an implicit ANY - ANY rule to allow any traffic and connections that are not explicitly blocked in the rulebase. The Internet firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications. For example, you can use the Internet firewall to:

  • Block specific website such as Facebook or LinkedIn

  • Block categories of inappropriate websites, such as Guns, Alcohol, and Gambling

  • Allow only the IT department to use remote administration applications (SaaS and IaaS)

Anti-Spoofing Protections in the Cato Firewall

One of the basic functionalities of an NGFW is to protect against anti-spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This blocks anti-spoofing attacks and prevents violations of the configured logical topology.

Working with Ordered Rules

The Internet firewall inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rulebase is an implicit ANY - ANY allow rule - so if a connection does not match a rule, then it is allowed by the final implicit rule.

Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. If a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection.

Traffic Blocked Related to the MSA

The Cato Networks Master Service Agreement (MSA) defines traffic that is potentially illegal or malicious that is automatically blocked. There is a hidden implicit rule at the top of the Internet firewall rulebase that blocks these connections.

For more about the MSA, see Cato Networks MSA.

Working with Multiple Objects in a Single Rule

When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that blocks the Netflix application for port 443, then the traffic is blocked when it matches both the application and the port.

For rules that use multiple objects in a single column, such as more than one application, then there is an OR relationship between them. For example, if there is a rule that blocks access to the Netflix, iTunes, and YouTube applications, then the traffic is blocked when it matches any of the applications.

Note

Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.

Policy Revisions and Concurrent Editing by Multiple Admins

The Internet Firewall lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). Your unpublished revision is saved even if you log out of the Cato Management Application, and you can continue editing the policy in your next session. No other admin can access your unpublished revision, the published revision is available to all admins. Until your changes are published, they have no impact on the account policy and remain available for editing.

When you save changes to an unpublished revision, the following indicators appear on the page:

  • For the admin editing the revision, the Edit_rule.png icon indicates the rules that are currently being edited, and the changes are part of an unpublished revision

  • The Lock_rule.png icon indicates rules that are locked for editing by a different admin

    • If an edited rule is defined with a rule order relative to a different rule, then both rules are locked. For example, if you assign a rule position to be before a specific rule, that rule is also locked. For more about locked rules, see below Locked Rules.

  • The label Unpublished Revision appears above the rulebase

  • The number of rules with changes appears on the Publish button

After saving changes to rules, you can Discard or Publish your unpublished revision. This is what happens for each of these actions:

  • Discard - All changes are discarded and the unpublished revision is no longer accessible

    Note

    Note: The Discard action can't be undone.

  • Publish - All changes in the unpublished revision are applied to the account policy and appear in the published revision, as well as in the unpublished revisions of other admins

    Note

    Note: The Publish action can't be undone.

Additionally, after you Discard or Publish a revision:

  • Rules are no longer locked for other admins

  • The page shows the published revision of the policy

Locked Rules

When an admin saves changes to rules in an unpublished revision, those rules are locked to prevent editing by other admins. If you are required to edit a locked rule, you can hover over the lock to see which admin locked the rule, and contact them so they can discard or publish their revision and unlock the rule. In cases where the admin can't be contacted, it's possible to override the lock and then edit the rule. When you override the lock, you discard the other admin's entire unpublished revision, including changes for all rules, and those changes can't be retrieved. The other admin sees the published revision the next time they log in. For more about overriding locked rules, see Managing the Internet Firewall Policy.

Note

Note: You can only override a lock on a rule from your unpublished revision, not from the published revision. This means at least one other change has to be saved to your revision before you can override the lock on a rule.

Understanding the Settings for Internet Firewall Rules

This section explains the fields and settings for the rules in the Internet firewall rule base. A thorough understanding of the Internet firewall helps to successfully manage access control for the corporate network.

Internet Firewall Rulebase Columns

For a description of the different rulebase columns and Source, App, and Category items for rules, see What is the Cato WAN Firewall? and Reference for Rule Objects. Unlike the WAN firewall, the Destination for the Internet firewall is always the Internet. When there are multiple columns configured for a rule, then there is an AND relationship between them.

Setting the Rule Order

Rule order is defined by setting a rule’s position relative to other rules. For example, set a rule to follow a specific rule, or to be first in a section.

These are the options for defining the rule order:

  • Before Rule - The rule is positioned immediately before the selected rule

  • After Rule - The rule positioned immediately after the selected rule

  • First in Section - The rule is positioned first in the selected section

  • Last in Section - The rule is positioned last in the selected section

  • First - The rule is positioned at the top of the rulebase

  • Last - The rule is positioned at the bottom of the rulebase

Enabling the Ordered Internet Firewall

The Internet firewall in the Cato Cloud lets you control Internet access for your corporate network. Easily create an Internet security policy that allows users to access business-related web content and blocks inappropriate websites, applications, and so on.

InternetFW.png

To enable or disable the Internet firewall:

  1. From the navigation menu, click Security > Internet Firewall.

  2. At Firewall Enabled above the rulebase, click the slider toggle.png to enable (green) or disable (gray) the Internet firewall for the account.

  3. Click Save.

Was this article helpful?

3 out of 3 found this helpful

1 comment

  • Comment author
    Jonathan Rabinowitz

    From June 16, 2024, these features will be gradually enabled on accounts:

    • Unpublished draft revisions for each admin
    • Locked rules to prevent editing by other admins
    • Defining rule order based on position relative to other rules
Add your comment