Managing the Internet Firewall Policy

This article explains how to manage the Internet firewall policy to control Internet access for your organization.

For more information about the Internet firewall policy in Cato, see What is the Cato Internet Firewall?.

Editing the Internet Firewall Policy

This section describes workflows for editing the Internet Firewall policy in the following use cases:

  • When the policy isn't being edited by any other admin and no rules are locked

  • When another admin is concurrently editing rules and they are locked

For more about concurrent editing of the policy by multiple admins, see What is the Cato Internet Firewall?.

Editing an Internet Firewall Policy with No Locked Rules

When no other admin saved changes to their private revision, you can create and edit rules with no restrictions, save the changes to your private revision, and then publish them to the account policy (the published revision).

Internet_Firewall_Revisions_no_lock.png

To edit the Internet Firewall policy with no locked rules:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Create or edit rules. See below Creating New Internet Firewall Rules .

  3. Click Apply. The new rule is added to the rulebase.

  4. Click Save.

    The changes are saved to your unpublished revision.

  5. Click Publish.

  6. In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.

Editing an Internet Firewall Policy that Includes Locked Rules

Internet_Firewall_Revisions.png

When you are required to edit the Internet Firewall policy including making changes to locked rules, you can override locks to edit the rules, save the changes to your private revision, and then publish them to the account policy.

For more about locked rules, see What is the Cato Internet Firewall?

To edit the Internet Firewall policy including locked rules:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Create or edit rules. See below Creating New Internet Firewall Rules.

    • For a locked rule, override the lock. See below Overriding the Lock for a Rule.

      Note: Overriding the lock for a rule discards the other admin's entire unpublished revision, and can't be undone.

  3. Click Apply. The new rule is added to the rulebase.

  4. Click Save.

    The changes are saved to your unpublished revision.

  5. Click Publish.

  6. In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.

Configuring the Internet Firewall Policy

This section explains the procedures for creating Internet firewall rules, overriding locks to edit rules, and publishing or discarding an unpublished revision.

Creating New Internet Firewall Rules

Create Internet Firewall rules and save the changes to your unpublished revision.

For more about Source, App, and Category items for a rule, see Reference for Rule Objects.

The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.

To create a new rule for the Internet firewall:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Click New.

  3. Enter the Name for the rule.

  4. Enable or disable the rule using the slider (green is enabled, grey is disabled).

  5. Configure the Rule Order for this rule.

    For more about the rule order options, see What is the Cato Internet Firewall?.

  6. Expand Source and select the source type.

    • Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    • When needed, select a specific object from the drop-down list for that type.

  7. Expand the Device section and add the device conditions to the rule. For more information, see Adding Device Conditions to Firewall Rules. The default values are Any.

  8. Expand the App/Category section and select one or more applications for the rule.

    When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.

  9. Expand the Service/Port section and define the type or types (Service, Port/Protocol, Any) that are applied to this rule.

    When there is more than one Service/Ports object in a rule, there is an OR relationship between them. The default value is Any.

  10. Select the Action for this rule. The options are Allow, Block, Prompt.

  11. (Optional) Configure tracking options to generate Events and Send Notification.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  12. (Optional) Configure the Time options that define when this rule is enabled.

  13. Click Apply. The new rule is added to the rulebase.

  14. Click Save.

    The changes are saved to your unpublished revision, and are available for editing until they are published or discarded.

Overriding the Lock for a Rule

Override the lock for a rule and unlock it for editing. For more about locked rules, see What is the Cato Internet Firewall?.

Note

Note: Overriding the lock for a rule discards the other admin's entire unpublished revision, and can't be undone.

Override_Lock_hover2.png

To override the lock for a rule:

  1. Hover the mouse over the Lock_rule.png in the row of the rule you want to edit. A window is shown with information about the rule's edit history.

  2. Click Override Lock.

    Note: Overriding the lock for a rule discards the other admin's entire unpublished revision, and can't be undone.

  3. In the confirmation window, click Override and Discard. The other admin's unpublished revision is discarded and the rule is unlocked for editing.

Publishing an Unpublished Revision to the Account Policy

Publish your unpublished changes to apply them to the account policy.

To publish an unpublished revision:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision.

  2. Click Publish.

  3. In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.

Discarding an Unpublished Revision

Discard your unpublished changes and revert to showing the published account policy.

To discard your unpublished revision:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision.

  2. Click Discard.

  3. In the Discard Revision confirmation window, click Discard. Your revision is discarded and the page shows the published account policy.

Using Exceptions to Allow Internet Connections

You can use exceptions in the Internet firewall rulebase to ignore a specific rule and continue with the lower priority rules. Remember to make sure that a lower priority rule doesn't match and block the traffic. The final implicit ANY ANY Allow rule allows all traffic. For example, if rule #3 blocks access to the Hiring category, you can create an exception that does not block access for the Human Resources (HR) department.

The exception for a rule is a sub-set of the rule, and some settings apply to both the rule and the exception:

  • When you disable the rule, the exception is also disabled

  • When you move the rule and change the priority, the exception is also moved

To add an exception to a firewall rule:

  1. From the navigation menu, select Security > Internet Firewall.

  2. On the right of the rule, click More_icon.png and select Add Exception.

    The Add Exception panel opens.

  3. Expand and configure the settings for the rule exception.

    The Action for the parent rule is not applied to the rule exception.

  4. Click Apply. The exception is added below the rule.

  5. Click Save. The exception is saved to your unpublished revision and is available for editing until it is published or discarded.

To remove an exception from a firewall rule:

  1. From the navigation menu, select Security > Internet Firewall.

  2. From the right-hand column of the rule, click More_icon.png and in the pop-up window select Delete Exception.

    The exception is removed from the rule.

  3. Click Save. The exception is deleted from your unpublished revision, and you can publish the revision to remove the exception from the account policy.

Known Limitations

  • For the Facebook Messenger app, it's not possible to use the Internet Firewall to block the Messenger app and allow the Facebook app because Messenger shares the same domain as Facebook to load resources. You can use the CASB Application Control policy to manage access to these apps.

Was this article helpful?

1 out of 1 found this helpful

3 comments

  • Comment author
    Joe Guarino

    How would you go about blocking a specific URL path?

    For example, I want to block ESPN Plus streaming https://www.espn.com/watch/espnplus/ or https://www.espn.com/watch/player/* but not the core ESPN website itself, https://www.espn.com

    I only see options to create rules for the full domain. 

  • Comment author
    Jonathan Rabinowitz

    From June 16, 2024, these features will be gradually enabled on accounts:

    • Unpublished draft revisions for each admin
    • Locked rules to prevent editing by other admins
    • Defining rule order based on position relative to other rules

     

  • Comment author
    Yaakov Simon

    Joe Guarino  thanks for the question!

    You can't use the Internet Firewall to block a URL path, only the full domain (as you correctly observed). The granularity to control access for a specific URL path is part of Cato's Application Control policy (CASB) service. You can read this article for more information, What is the Cato CASB Solution

Add your comment