Managing the Internet Firewall Policy

This article explains how to manage the Internet firewall policy to control Internet access for your organization.

For more information about the Internet firewall policy in Cato, see What is the Cato Internet Firewall?.

Note: Starting on June 16, 2024, Cato is gradually enabling some of the features described in this article on accounts over a period of several weeks. These features may not yet be available in the Cato Management Application for your account.

Working with Internet Firewall Policy Revisions

(Screenshot: Internet Firewall revisions)

When you create or edit Internet Firewall rules, the changes are first saved to your personal unpublished revision and aren't immediately applied to the account policy, which is the published revision. If you log out of the Cato Management Application, your unpublished revision is saved and is automatically opened for editing the next time you log in and navigate to the page. No other admin can access your unpublished revision; the published revision is available to all admins.

When you save changes to an unpublished revision, the following indicators appear on the page:

  • For the admin editing the revision, the edit icon marks the rules that are currently being edited and whose changes are part of the unpublished revision

  • The lock icon marks rules that are locked for editing because a different admin has unpublished changes to them

    • If an edited rule is defined with a rule order relative to a different rule, then both rules are locked. For example, if you assign a rule position to be before a specific rule, that rule is also locked. For more about locked rules, see Overriding the Lock for a Rule below.

  • The label Unpublished Revision appears above the rulebase

  • The number of rules with changes appears on the Publish button

After saving changes to rules, you can Discard or Publish your unpublished revision. This is what happens for each of these actions:

  • Discard - All changes are discarded and the unpublished revision is no longer accessible

    Note: The Discard action can't be undone.

  • Publish - All changes in the unpublished revision are applied to the account policy and appear in the published revision, as well as in the unpublished revisions of other admins

    Note: The Publish action can't be undone.

Additionally, after you Discard or Publish a revision:

  • Rules are no longer locked for other admins

  • The page shows the published revision of the policy

Creating Rules in an Unpublished Revision

Create Internet Firewall rules and save the changes to your unpublished revision.

For more about Source, App, and Category items for a rule, see Reference for Rule Objects.

The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.

To create rules in an unpublished revision:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision, or to the newest published revision.

  2. Click New.

  3. Enter the Name for the rule.

  4. Enable or disable the rule using the slider (green is enabled, grey is disabled).

  5. Configure the Rule Order for this rule.

    For more about the rule order options, see What is the Cato Internet Firewall?.

  6. Expand Source and select the source type.

    • Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    • When needed, select a specific object from the drop-down list for that type.

  7. Expand the Device section and add the device conditions to the rule. For more information, see Adding Device Conditions to Firewall Rules. The default values are Any.

  8. Expand the App/Category section and select one or more applications for the rule.

    When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.

  9. Expand the Service/Port section and define the type or types (Service, Port/Protocol, Any) that are applied to this rule.

    When there is more than one Service/Port object in a rule, there is an OR relationship between them. The default value is Any.

  10. Select the Action for this rule. The options are Allow, Block, and Prompt.

  11. (Optional) Configure tracking options to generate Events and Send Notification.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  12. (Optional) Configure the Time options that define when this rule is enabled.

  13. Click Apply. The new rule is added to the rulebase.

  14. Click Save.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

Publishing an Unpublished Revision to the Account Policy

Publish your unpublished changes to apply them to the account policy.

To publish an unpublished revision:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision.

  2. Click Publish.

  3. In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.

Discarding an Unpublished Revision

Discard your unpublished changes and revert to showing the published account policy.

To discard your unpublished revision:

  1. From the navigation menu, select Security > Internet Firewall.

    The Internet Firewall page opens to your existing unpublished revision.

  2. Click Discard.

  3. In the Discard Revision confirmation window, click Discard. Your revision is discarded and the page shows the published account policy.

Using Exceptions to Allow Internet Connections

You can use exceptions in the Internet firewall rulebase to make matching traffic skip a specific rule and continue evaluation with the lower priority rules. Remember to check that no lower priority rule matches and blocks the traffic you intended to exempt; if nothing below matches, the final implicit ANY ANY Allow rule allows the traffic. For example, if rule #3 blocks access to the Hiring category, you can create an exception so that the rule does not block access for the Human Resources (HR) department.

The exception for a rule is a sub-set of the rule, and some settings apply to both the rule and the exception:

  • When you disable the rule, the exception is also disabled

  • When you move the rule and change the priority, the exception is also moved

To add an exception to a firewall rule:

  1. From the navigation menu, select Security > Internet Firewall.

  2. On the right of the rule, click the More icon and select Add Exception.

    The Add Exception panel opens.

  3. Expand and configure the settings for the rule exception.

    The Action for the parent rule is not applied to the rule exception.

  4. Click Apply. The exception is added below the rule.

  5. Click Save. The exception is saved to your unpublished revision, and is available for editing until it is published or discarded.

To remove an exception from a firewall rule:

  1. From the navigation menu, select Security > Internet Firewall.

  2. From the right-hand column of the rule, click the More icon and in the pop-up window select Delete Exception.

    The exception is removed from the rule.

  3. Click Save. The exception is deleted from your unpublished revision, and you can publish the revision to remove the exception from the account policy.

Working with Internet Firewall Rules

You can search the Internet Firewall rules to easily find the rules you want to work with. The search function finds and shows rules that include the search terms in any of the following fields:

  • Name

  • Source

  • Device

  • App/Category

  • Service/Port

If a rule is part of a section, the results show the rule within the section.

Editing Internet Firewall Rules

You can edit existing rules and save the changes to your unpublished revision. If you are required to edit a locked rule, see Overriding the Lock for a Rule below.

Note: When you edit a rule in the Edit Rule panel, it is possible for a different admin to save changes in their unpublished revision to the same rule before you save your changes. In that case, the rule is locked by the other admin and you can't save your changes.

To edit a rule:

  1. From the navigation menu, select Security > Internet Firewall.

  2. Click on the rule. The Edit panel opens.

  3. Expand any of the sections in the panel to display and edit the current rule settings.

  4. Click Apply to change the rule settings. The Edit panel closes.

  5. Click Save to save the changes.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

Overriding the Lock for a Rule

When an admin saves changes to rules in an unpublished revision, those rules are locked to prevent editing by other admins. If you are required to edit a locked rule, you can hover over the lock to see which admin locked the rule, and contact them so they can discard or publish their revision and unlock the rule. In cases where the admin can't be contacted, it's possible to override the lock and then edit the rule. When you override the lock, you discard the other admin's entire unpublished revision, including changes for all rules, and those changes can't be retrieved. The other admin sees the published revision next time they log in.

(Screenshot: Override Lock hover window)

To override the lock for a rule:

  1. Hover the mouse over the lock icon in the row of the rule you want to edit. A window is shown with information about the rule's edit history.

  2. Click Override Lock.

    Note: Overriding the lock discards the other admin's entire unpublished revision, and can't be undone.

  3. In the confirmation window, click Override and Discard. The other admin's unpublished revision is discarded and the rule is unlocked for editing.

Known Limitations

  • For the Facebook Messenger app, it's not possible to use the Internet Firewall to block the Messenger app and allow the Facebook app because Messenger shares the same domain as Facebook to load resources. You can use the CASB Application Control policy to manage access to these apps.


3 comments

  • Joe Guarino

    How would you go about blocking a specific URL path?

    For example, I want to block ESPN Plus streaming https://www.espn.com/watch/espnplus/ or https://www.espn.com/watch/player/* but not the core ESPN website itself, https://www.espn.com.

    I only see options to create rules for the full domain.

  • Jonathan Rabinowitz

    From June 16, 2024, these features will be gradually enabled on accounts:

    • Unpublished draft revisions for each admin
    • Locked rules to prevent editing by other admins
    • Defining rule order based on position relative to other rules


  • Yaakov Simon

    Joe Guarino, thanks for the question!

    You can't use the Internet Firewall to block a URL path, only the full domain (as you correctly observed). The granularity to control access for a specific URL path is part of Cato's Application Control policy (CASB) service. You can read this article for more information: What is the Cato CASB Solution.
