This article discusses how to configure and customize the TLS Inspection policy to meet the specific requirements of your network.
Today most network traffic is encrypted (TLS, HTTPS), which often minimizes the benefit of scanning traffic with IPS, Internet firewall, Application Control Policy and Anti-Malware traffic. If the traffic contains malicious content, it is also encrypted and the Cato security engines can't inspect or scan it.
When you enable TLS Inspection for your account, Cato securely decrypts traffic that passes through a PoP and the Cato security engines inspects it for malware and scans downloaded files. If the content of the traffic is confirmed as safe, Cato then re-encrypts the traffic and forwards it to the destination. However, if the content contains actual or suspected malware, then the Cato security engines block the traffic.
You can choose to use the default Cato policy that inspects all traffic. You can also create specific TLS Inspection rules that define which traffic is inspected and which traffic bypasses TLS Inspection.
Note
Note: By default, TLS Inspection is bypassed for these operating systems:
-
Android (due to issues related to certificate pinning)
-
Linux
- Unknown operating systems
Cato includes several applications in an implicit bypass rule that are automatically excluded from TLS Inspection. For a list of these applications, see below Implicitly Bypassed Applications.
Latency for TLS Inspection
Some minimal latency is expected at initial connection due to the TCP and TLS handshakes that occur before data can flow to the appropriate network or security engine in the PoP. This latency is up to 8 milliseconds per packet.
Working with an Ordered TLS Inspection Rule Base
The TLS Inspection engine inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rule base is a default ANY - ANY Inspect rule - so if a connection does NOT match a rule, then it is automatically inspected.
You can review the default rule settings in the Default Rules section at the end of the rulebase, but these rules can't be edited.
Rules that are at the top of the rule base have a higher priority because they are applied to connections before the rules lower down in the rule base. For example, if a connection matches on rule #2, the action for this rule is applied to the connection and the TLS Inspection engine stops applying the policy to this connection. This means that rules #3 and below aren't applied to the connection.
The TLS Inspection rules let you use an inspect or bypass action for the TLS traffic.
Use the Inspect action to define TLS Inspection rules that decrypt connections and let the relevant security engines inspect the traffic for malicious content.
Use the Bypass action to define the traffic that bypasses TLS Inspection rules. Bypassed traffic isn't decrypted for inspection by the Cato security engines. Remember that a bypass rule only excludes a connection that does NOT match an inspect rule higher in the rule base.
You can change the priority of a bypass rule so that it has a higher priority than an inspect rule.
Use the TLS Inspection Policy window to configure the TLS Inspection policy for all traffic in your account. You can choose to use the default policy that inspects all traffic, or add inspection and bypass rules to create a custom policy.
Working with Multiple Items
When there are multiple items in a Source, or a What field, such as two groups or categories, then there is an OR relationship between these items. In the example below, the PoP only inspects TLS traffic that originates from the All Sites or the All VPN Users group.
Installing the Cato Root Certificate on End-user Devices
The Cato root certificate must be installed as a trusted certificate on every device and computer that connects to the Cato Cloud. For more information about installing the Cato certificate, see Testing TLS Inspection in the Cato Cloud.
- The Cato certificate can't be installed on most embedded operating systems, therefore many devices using embedded operating systems lose connectivity when TLS Inspection is enabled. For more about supported operating systems, see Best Practices for TLS Inspection.
The default Cato TLS Inspection policy inspects all traffic (except for the applications that are automatically bypassed). You can use the default policy by enabling TLS Inspection and there is no need to add any rules to the policy.
There is a final implicit rule that matches and all traffic with the Inspect action.
You can customize the TLS Inspection policy to only inspect the specific traffic types according to the needs of your organization. Add rules to the policy with Inspect and Bypass actions to define which traffic is decrypted and inspected.
-
Create rules with the Inspect action to define traffic that the Cato Cloud inspects for suspicious and malicious content.
-
Create rules with the Bypass action to exclude specific traffic from the Cato TLS inspection engines. For example, you can add a bypass rule for the RingCentral application to exclude RingCentral traffic from TLS Inspection.
When creating rules, use Source and What to define the scope of the TLS traffic and Action to configure whether the rule inspects or bypasses traffic. Make sure that the bypass rule has a higher priority (closer to the top of the rulebase) then an inspect rule that matches the same traffic. Traffic that matches a TLS Inspection bypass rule is also excluded from security scans by the Anti-Malware engines.
Note
Note: For applications that use certificate pinning to prevent TLS inspection, add them to a bypass rule so they will function correctly for the end users.
To add rules to the TLS inspection policy:
-
From the navigation menu, click Security > TLS Inspection. The TLS Inspection window opens.
-
Click New. The New panel opens.
-
Enter a Name for the rule.
-
Use the Enabled toggle to enable or disable the rule.
The toggle is green
when enabled.
-
Configure the Rule Order for this rule.
-
In the Source section, enter a string or select one or more object types and then click
to define the source.
-
Define What the rule applies to. For example, a service, an application, a custom or predefined category.
-
Configure the Action by selecting Inspect or Bypass.
-
Click Apply. The rule is added.
-
Click Save. The TLS Inspection rule is saved in the rulebase.
This section explains how to manage the rules in the TLS Inspection policy, including: changing the rule priority, enabling and deleting rules.
Change the priority of a rule to determine when the rule action is applied to a matching connection. Rules are applied sequentially to each connection, once a connection matches a rule, the rules with lower priority aren't applied to it.
Use the slider to enable and disable individual rules in the TLS Inspection policy.
The Actions section lets you define the behavior for server certificates that aren't trusted or are revoked. The default setting is the Prompt action and users are shown a prompt asking them to confirm that they want to continue and go to the site with one of the untrusted certificates.
To configure the settings for traffic with untrusted certificates:
-
From the navigation menu, click Security > TLS Inspection. The TLS Inspection window opens.
-
In the Actions section, from the Untrusted Server Certificates drop-down menu, select the action for traffic with problematic certificates: Allow, Block, or Prompt.
-
Click Save.
The following table lists the applications that are included in an implicit bypass rule for TLS Inspection. This rule is at the top of the rulebase and these applications automatically bypass TLS Inspection (even if you add them to an inspect rule).
For some implicitly bypassed applications, all clients are bypassed except for specific supported browsers for which traffic is inspected, as detailed in the table below.
Application |
Comments |
|
---|---|---|
Adobe |
|
|
Agent GPT Reworkd AI |
|
|
AIM |
|
|
Apple Account |
|
|
Apple App Store |
|
|
Apple iCloud |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Apple software update |
|
|
Asana |
|
|
Avast |
|
|
Bitbucket |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Bitdefender |
|
|
Bluejeans |
|
|
Carbon Black |
|
|
Cato Management Application |
|
|
Centrify IAM |
|
|
ChatGPT |
|
|
Codeload GitHub |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Demandbase |
|
|
DoubleClick |
|
|
Dropbox |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Elicit AI |
|
|
FilesAnywhere |
|
|
HBO |
|
|
Google AdWords |
|
|
Google Apps |
The Google Apps application can impact the following services: Google Search, Google Maps, Google Drive, Google Docs, Google Calendar, Google Hangouts All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac), Safari (Mac) However, browsers are bypassed for Google Search queries as part of complying with GDPR. |
|
Google Bard |
|
|
Google+ |
|
|
Google Search |
Bypassed except for the domain googleusercontent.com |
|
GoToAssist |
|
|
GoToMeeting |
|
|
GoToMyPC |
|
|
Grammarly |
|
|
HBO |
|
|
iTunes Streaming |
|
|
JetBrains |
|
|
KakaoTalk |
|
|
Kaspersky |
|
|
Lifesize |
|
|
LINE |
|
|
MagicPen AI |
|
|
Mcafee Updater |
|
|
MEGA |
|
|
Mega io | All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) | |
Microsoft Azure |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Microsoft General |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Microsoft Live |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Microsoft Login |
|
|
Naver Line |
|
|
Netflix |
|
|
npm |
|
|
OneNote |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
OpenAI |
Bypassed except for the domain auth0.openai.com |
|
Outlook |
The Outlook application is bypassed only on iOS and macOS |
|
PCoIP |
|
|
Poe AI |
|
|
Python PyPi |
|
|
Periscope |
|
|
Signal Messenger LLC |
|
|
Sophos |
|
|
Sugarsync |
|
|
Symantec End-Point Protection |
|
|
TigerText |
|
|
Ubuntu |
|
|
Visual Studio |
|
|
Vudu |
|
|
Webex |
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
|
All clients are bypassed except for the following: Chrome (Windows), Firefox (Windows), Edge, Chrome (Windows 10 Pro), Chrome (MacOS), Firefox (Unix), Firefox (Mac) |
|
Windows Update |
|
|
Wire |
|
|
Wiredrive |
|
|
XMPP |
|
|
Zoom |
|
The applications in this section are bypassed only on iOS:
0 comments
Please sign in to leave a comment.