Configuring TLS Inspection Policy for the Account

This article discusses how to configure and customize the TLS Inspection policy to meet the specific requirements of your network.

Overview of the Cato TLS Inspection Policy

Today most network traffic is encrypted (TLS, HTTPS), which often minimizes the benefit of scanning traffic with IPS, Internet firewall, Application Control Policy, and Anti-Malware traffic. If the traffic contains malicious content, it is also encrypted and the Cato security engines can't inspect or scan it.

When you enable TLS Inspection for your account, Cato securely decrypts traffic that passes through a PoP and the Cato security engines inspect it for malware and scan downloaded files. If the content of the traffic is confirmed as safe, Cato then re-encrypts the traffic and forwards it to the destination. However, if the content contains actual or suspected malware, then the Cato security engines block the traffic.

You can choose to use the default Cato policy that inspects all traffic. You can also create specific TLS Inspection rules that define which traffic is inspected and which traffic bypasses TLS Inspection.

tlsinspection.png

Note

Note: By default, TLS Inspection is bypassed for these operating systems:

  • Android (due to issues related to certificate pinning)

  • Linux

  • Unknown operating systems

Cato Implicit Bypass Rule for Applications

Cato includes several applications in an implicit bypass rule that are automatically excluded from TLS Inspection. For a list of these applications, see below Implicitly Bypassed Applications.

Latency for TLS Inspection

Some minimal latency is expected at initial connection due to the TCP and TLS handshakes that occur before data can flow to the appropriate network or security engine in the PoP. This latency is up to 8 milliseconds per packet.

Working with an Ordered TLS Inspection Rule Base

The TLS Inspection engine inspects connections sequentially, and checks to see if the connection matches a rule. The final rule in the rule base is a default implicit ANY - ANY Inspect rule - so if a connection does NOT match a rule, then it is automatically inspected.

You can review the default rule settings in the Default Rules section at the end of the rulebase. The rule settings can't be edited except for the Untrusted Server Certificate action. For more about the Untrusted Server Certificate action, see below Adding Rules to Customize the TLS Inspection Policy.

Rules that are at the top of the rule base have a higher priority because they are applied to connections before the rules lower down in the rule base. For example, if a connection matches on rule #2, the action for this rule is applied to the connection and the TLS Inspection engine stops applying the policy to this connection. This means that rules #3 and below aren't applied to the connection.

Understanding the Actions for TLS Inspection Rules

The TLS Inspection rules let you use an inspect or bypass action for the TLS traffic.

Using Rules that Inspect TLS Traffic

Use the Inspect action to define TLS Inspection rules that decrypt connections and let the relevant security engines inspect the traffic for malicious content.

Using Rules that Bypass TLS Traffic

Use the Bypass action to define the traffic that bypasses TLS Inspection rules. Bypassed traffic isn't decrypted for inspection by the Cato security engines. Remember that a bypass rule only excludes a connection that does NOT match an inspect rule higher in the rule base.

You can change the priority of a bypass rule so that it has a higher priority than an inspect rule.

Configuring the TLS Inspection Policy

Use the TLS Inspection Policy window to configure the TLS Inspection policy for all traffic in your account. You can choose to use the default policy that inspects all traffic, or add inspection and bypass rules to create a custom policy.

Working with Multiple Items

When there are multiple items in a Source, or a What field, such as two groups or categories, then there is an OR relationship between these items.

multi-tlsrules.png

Installing the Cato Root Certificate on End-user Devices

The Cato root certificate must be installed as a trusted certificate on every device and computer that connects to the Cato Cloud. For more information about installing the Cato certificate, see Installing the Root Certificate for TLS Inspection.

  • The Cato certificate can't be installed on most embedded operating systems (OS), therefore many devices using embedded OS lose connectivity when TLS Inspection is enabled. For more about which OS Cato supports for TLS Inspection, see Best Practices for TLS Inspection.

Blocking QUIC and GQUIC Traffic for TLS Inspection

QUIC and GQUIC are transport protocols developed by Google that don't operate over TCP connections, and traffic using these protocols can't be inspected by the TLS Inspection service. Therefore we recommend that accounts that enable TLS Inspection block QUIC and GQUIC traffic using Internet Firewall rules. The rules that block this traffic force the flow to only connect using protocols that can be inspected by the TLS Inspection service. If you allow traffic using the QUIC and GQUIC protocols, the flows can't be inspected and are unnecessarily blocked.

The first time you enable the TLS Inspection policy, rules to block QUIC and GQUIC traffic are automatically added to the Internet Firewall policy. If the Internet Firewall policy already blocks QUIC traffic so that it can be correctly inspected, then no new rules are added.

For more about QUIC and GQUIC traffic, see Internet and WAN Firewall Policies – Best Practices.

Using the Default TLS Inspection Policy

The default Cato TLS Inspection policy inspects all traffic (except for the applications that are automatically bypassed). You can use the default policy by enabling TLS Inspection and there is no need to add any rules to the policy.

There is a final implicit rule that matches all traffic with the Inspect action.

To use the default Cato TLS Inspection policy:

  1. From the navigation menu, click Security > TLS Inspection.

  2. Click the Enable TLS Inspection slider.

  3. Click Save. TLS inspection is enabled using the default policy.

Adding Rules to Customize the TLS Inspection Policy

You can customize the TLS Inspection policy to only inspect the specific traffic types according to the needs of your organization. Add rules to the policy with Inspect and Bypass actions to define which traffic is decrypted and inspected.

  • Create rules with the Inspect action to define traffic that the Cato Cloud inspects for suspicious and malicious content.

  • Create rules with the Bypass action to exclude specific traffic from the Cato TLS inspection engines. For example, you can add a bypass rule for the RingCentral application to exclude RingCentral traffic from TLS Inspection.

When creating rules, use Source and What to define the scope of the TLS traffic and Action to configure whether the rule inspects or bypasses traffic. Make sure that the bypass rule has a higher priority (closer to the top of the rulebase) than an inspect rule that matches the same traffic. Traffic that matches a TLS Inspection bypass rule is also excluded from security scans by the Anti-Malware engines.

When you configure a rule with the Inspect action, you also must define the behavior for how the rule handles untrusted server certificates.

TLSi_Untrusted_Cert_New.png

These are the options for this setting:

  • Allow - The traffic is allowed to the site with an untrusted certificate, and inspected (this is the default setting).

  • Prompt - The users are shown a prompt asking them to confirm that they want to continue and go to the site with an untrusted certificate. If the user continues to the site, the traffic is inspected

  • Block - Traffic to the site with an untrusted certificate is blocked

Note

Note: For applications that use certificate pinning to prevent TLS inspection, add them to a bypass rule so they will function correctly for the end users.

To add rules to the TLS inspection policy:

  1. From the navigation menu, click Security > TLS Inspection.

  2. Click New.

  3. Enter a Name for the rule.

  4. Use the Enabled toggle to enable or disable the rule.

    The toggle is green toggle.png when enabled.

  5. Configure the Rule Order for this rule.

  6. Expand Source and select the source type.

    • Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    • When needed, select a specific object from the drop-down list for that type.

  7. In the Device section, configure the Platforms, Countries, Device Posture Profiles , and Connection Origin required to match this rule.

    For more about Device Conditions, see Adding Device Conditions for TLS Inspection.

  8. Define What the rule applies to. For example, a service, an application, a custom or predefined category.

  9. Configure the Action by selecting Inspect or Bypass.

    • If you select Inspect, from the Untrusted Server Certificates drop-down menu, select the action for traffic with problematic certificates: Allow, Block, or Prompt. The default value is Allow.

  10. Click Apply.

  11. Click Save. The TLS Inspection rule is saved in the rulebase.

Managing the TLS Inspection Policy

This section explains how to manage the rules in the TLS Inspection policy, including: changing the rule priority, enabling, and deleting rules.

Changing the Rule Priority

Change the priority of a rule to determine when the rule action is applied to a matching connection. Rules are applied sequentially to each connection, once a connection matches a rule, the rules with lower priority aren't applied to it.

Enabling and Disabling TLS Inspection Rules

Use the slider to enable and disable individual rules in the TLS Inspection policy.

Deleting Rules

You can delete one or more rules from the TLS Inspection rule base. After you delete the rules, you cannot undo or restore them.

Implicitly Bypassed Applications

The following table lists the applications that are included in an implicit bypass rule for TLS Inspection. This rule is at the top of the rulebase and these applications automatically bypass TLS Inspection (even if you add them to an inspect rule).

Due to certificate pinning, the native client for some applications is included in the implicit bypass rule. However, it is possible to perform TLS inspection when the application is accessed with a browser.

Application

Comments

AIM

 

Apple Account

 

Apple App Store

 

Apple iCloud

 

Asana

 

Bitbucket

 

Bitdefender

 

Bluejeans

 

Cato Management Application

 

ChatGPT

 

Codeload GitHub

 

Demandbase

 

Dropbox

Native client is bypassed, only browsers are inspected

FilesAnywhere

 

Google Apps

The Google Apps application can impact the following services: Google Search, Google Maps, Google Drive, Google Docs, Google Calendar, Google Hangouts

Native client is bypassed, only browsers are inspected. However, browsers are bypassed for Google Search queries as part of complying with GPDR.

Google+

 

GoToAssist

 

GoToMeeting

 

GoToMyPC

 

Grammarly

 

HBO

 

iTunes Streaming

 

JetBrains

 

KakaoTalk

 

MEGA

 

Microsoft Azure

Native client is bypassed, only browsers are inspected

Microsoft Live

Native client is bypassed, only browsers are inspected

Naver Line

 

Netflix

 

Netsuite

Native client is bypassed, only browsers are inspected

npm

 

OpenAI

 

Outlook

The Outlook application is bypassed only on iOS and macOS

Periscope

 

Sugarsync

 

TigerText

 

Ubuntu

 

Visual Studio

 

Vudu

 

Webex

 

WhatsApp

 

Windows Update

 

Wiredrive

 

Zoom

 

 

 

 

 

BREAK

 

Codeload Github

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

WhatsApp

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Microsoft General

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Microsoft Live

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Microsoft Azure

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Google applications

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google Drive

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Dropbox

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

WebEx

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Bitbucket

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Apple iCloud

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Apple Cloudkit

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Siri

 

Facetime and iMessage

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Kandji

 

OneNote

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Outlook

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

X (formerly Twitter)

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google Maps

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google+

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google Docs

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google Calendar

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Hangouts for desktop

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Google Search

 

Google AdWords

 

DoubleClick

 

Gmail

Only the following operating systems are skipped from inspection: iPhone, iOS, Android, Linux

YouTube

Only the following operating systems are skipped from inspection: iPhone, iOS

GoToAssist

 

GoToMeeting

 

GoToMyPC

 

Elicit AI

 

Poe AI

 

Agent GPT Reworkd AI

 

MagicPen AI

 

Google Gemini (Bard)

 

Apple

 

iTunes streaming

 

Apple App store

 

Apple software update

 

Apple iCloud Private Relay

 

Skype and MS Teams

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Windows Update

 

Microsoft Login

Only the following operating systems are skipped from inspection: iPhone, iOS

Ubuntu

 

Sugersync

 

Periscope

 

Hbo

 

Netflix

 

Demandbase

 

Facebook

Only the following operating systems are skipped from inspection: iPhone, iOS, Android, Linux

Kakaotalk

 

LINE

 

TigerText

 

Zoom

 

Bluejeans

 

Filesanywhere

 

Wiredrive

 

Vudu

 

AIM - deprecated

 

Asana

 

Grammarly

 

Cato Management Application

 

Cato Endpoint Protection

 

Mega io

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Apple Account

 

Visual Studio

 

npm

 

JetBrains

 

Bitdefender

 

Wire

 

Lifesize

 

Centrify IAM

 

Reddit

Only the following operating systems are skipped from inspection: iPhone

PCoIP

 

XMPP

 

Instagram

Only the following operating systems are skipped from inspection: iPhone, iOS, Android

Python PyPi

 

Adobe

 

Kaspersky

 

Avast

 

Carbon Black

 

Symantec End-Point Protection

 

Sophos

 

Mcafee Updater

 

Signal Messenger LLC.

 

Amazon AWS

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Only the following operating systems are skipped from inspection: iPhone, iOS

Amazon Chime

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Remotepc

 

Splashtop

 

Solar Winds N-Central & MSPC

 

Crowdstrike

 

AnyDesk Software GmbH

 

Fortinet

All clients are bypassed except for the following: Firefox (Windows), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Office365

Bypassed except for the tld(root.selected_host_name, false): onmicrosoft.com

Logitech

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Canon

Only the following operating systems are skipped from inspection: OS_EMBEDDED

Zebra Technologies Corporation

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Datadog, Inc.

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

GMO Insight

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Microsoft Intune

 

Windows AutoPilot

 

Zscaler

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

VNC Web

 

mycloud

 

VMware, Inc

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Rapid7, Inc., Rapid7 LLC

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Tenable

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Python urllib (Linux), Chrome (MacOS), Chrome (Windows), Edge

Ui

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Yealink

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Huawei Technologies Co. Ltd

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Spotify

Bypassed except for the root.selected_host_name: dealer.spotify.com

Cisco General

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

Cisco Intersight

All clients are bypassed except for the following: Firefox (Windows), Safari (Mac), Chrome (Windows 10 Pro), Firefox (Mac), Firefox (Unix), Chrome (MacOS), Chrome (Windows), Edge

iOS Bypassed Applications

The applications in this section are bypassed only on iOS:

Application

Comments

Amazon AWS

 

Facebook

 

Gmail

 

microsoft_office_login

 

Skype

 

Teams

 

YouTube

 

Was this article helpful?

4 out of 4 found this helpful

0 comments

Add your comment