This article provides background information about using the Internet firewall to secure Internet traffic for your account.
For more information about configuring the Internet firewall, see Managing Internet Firewall Rules.
The Internet firewall inspects traffic between the WAN and the Internet and lets you create rules to control this traffic. Similar to the WAN firewall, the Internet firewall uses an ordered rulebase, starting from the first rule, connections are inspected according to each rule. The Internet firewall uses a blacklist approach. This means that there is an implicit ANY - ANY rule to allow any traffic and connections that are not explicitly blocked in the rulebase. The Internet firewall also includes full layer 7 functionality with User Awareness, and you can create rules for specific applications. For example you can use the Internet firewall to:
-
Block specific website such as Facebook or LinkedIn
-
Block categories of inappropriate websites, such as Guns, Alcohol, and Gambling
-
Allow only the IT department to use remote administration applications (SaaS and IaaS)
One of the basic functionalities of an NGFW is to protect against anti-spoofing attacks. The security engines in the Cato Cloud implicitly drop any connection where the source IP is outside the scope of the configured entity (such as site, network range, device, or user). This blocks anti-spoofing attacks and prevents violations of the configured logical topology.
The Internet firewall inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rulebase is an implicit ANY - ANY allow rule - so if a connection does not match a rule, then it is allowed by the final implicit rule.
Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. If a connection matches on rule #3, the action is applied to the connection and the firewall stops inspecting it. The firewall does not continue to apply rules #4 and below to the connection.
The Cato Networks Master Service Agreement (MSA) defines traffic which is potentially illegal or malicious that is automatically blocked. There is a hidden implicit rule at the top of the Internet firewall rulebase that blocks these connections. For example, traffic that uses torrents is blocked as part of the MSA.
For more about the MSA, see Cato Networks MSA.
When there is a rule with objects in multiple columns, such as an application and a service, then there is an AND relationship between them. For example, if there is a rule that blocks the Netflix application for port 443, then the traffic is blocked when it matches both the application and the port.
For rules that use multiple objects in a single column, such as more than one application, then there is an OR relationship between them. For example, if there is a rule that blocks access to the Netflix, iTunes, and YouTube applications, then the traffic is blocked when it matches any of the applications.
Note
Note: Each rule can have a maximum of 64 conditions with an AND relationship between them, and a rule's exceptions are included in the rule limit. For example, if there is a rule with two AND conditions (such as a source and a service), and the rule has 25 exceptions with 3 AND conditions each (such as a source, an app, and a service), then the rule has 77 conditions. This exceeds the supported limit of 64 conditions and the rule might not function properly. However, you can assign more than 64 objects within the same column of a rule, since there is an OR relationship between them. For example, you can assign more than 64 apps in one rule.
This section explains the fields and settings for the rules in the Internet firewall rule base. A thorough understanding of the Internet firewall helps to successfully manage access control for the corporate network.
Rule Actions
The following table describes the actions that each firewall rule can apply to the network traffic. For actions that generate events, you can show event logs in Monitoring > Events.
|
Item |
Description |
|---|---|
|
|
Firewall allows matching traffic. |
|
|
Firewall blocks matching traffic. |
|
|
Firewall redirects matching traffic to a web page with a message. The user is prompted to decide whether or not to continue. You can customize the prompt web page, see Customizing the Internet Redirect Page. |
The following table describes each column in the Internet firewall rulebase. Unlike the WAN firewall, the Destination for the Internet firewall is always to the Internet. When there are multiple columns configured for a rule, then there is an AND relationship between them.
For a description of the different rulebase columns and Source items, see What is the Cato WAN Firewall?.
The Internet firewall in the Cato Cloud lets you control Internet access for your corporate network. Easily create an Internet security policy that allows users to access business related web content and blocks inappropriate websites, applications, and so on.
-
For more about the settings in the Internet firewall, see Managing Internet Firewall Rules
-
For more about the applications and categories, see Working with Categories
Comments
0 comments
Please sign in to leave a comment.