For Socket sites, you can configure traffic between local network ranges and/or local hosts to be routed locally by the Socket instead of being sent to the Cato Cloud and back. Traffic routed locally is NOT inspected, and WAN Firewall rules are not applied to it, so keep the Source, Destination, Protocols and Ports of each rule as narrow as the use case allows.
The direction of a rule determines which side may initiate the traffic that the rule covers. For example, a rule in the To direction from Host A to Host B routes locally only communication initiated by Host A. A rule in the Both direction from Host A to Host B routes locally communication initiated by either host.
To define a local routing rule:
1. From the navigation menu, click Network > Sites and select the site.
2. From the navigation menu, click Site Settings > Local Routing.
3. Click New. The Add Rule panel opens.
4. In the General section:
   - Enter a Name for the new rule.
   - By default, the rule is Enabled. You can disable the rule using the slider.
   - Under Direction, select To to route traffic in one direction only, or Both to route traffic in both directions.
5. In the Source and Destination sections, define the traffic source and destination entities for this rule. For more information, see Source and Destination Objects.
6. In the Protocols section, select the protocols that this rule applies to (TCP, UDP, or ICMP).
7. In the Ports section, enter the port or port range for this rule.
8. Click Apply, and then click Save.
Some scenarios require NAT between the LAN networks within a site. This can be between two (or more) directly connected networks, or between routed networks (static routes or BGP routes).
Configure a Local Routing rule with Dynamic NAT overload (Port Address Translation, PAT) so that the Socket translates the source IP address of each packet to the interface IP address of the egress network range, and the source port to a random port number. The egress interface must belong to a network range (native range, routed range, or VLAN range).
Requirements for Local Routing Rules with NAT:
- Supported for sites with Sockets version 13.0 and higher.
- You can only configure the rule in the To direction.
- For SNAT configuration, you must use one of the following predicates as the Destination of the rule: Global Range, Interface Subnet, or a Host.
- After you save the configuration for the rule, the Cato Management Application automatically calculates the Outbound Network and Outbound IP for the rule.
- Known limitation: For local routing rules with NAT for FTP traffic, you must configure the Ports to Any.
These are the fields in the NAT column:
- Outbound Network - name of the network range in this site
- Outbound IP - translated egress IP address for this rule
To configure NAT for a local routing rule:
1. From the navigation menu, click Network > Sites and select the site.
2. From the navigation menu, click Site Settings > Local Routing.
3. Click New. The Add Rule panel opens.
4. Configure the settings for the rule as explained in the section above.
5. Configure the NAT settings for the rule:
   - Expand the NAT section.
   - Click Enable NAT.
   - For NAT Type, select Dynamic NAT (PAT).
6. Click Apply, and then click Save.
The local routing rule shows the Outbound IP (translated IP address) for the rule.
You can disable a rule to temporarily disable local routing for that traffic and resume sending it to the Cato Cloud. Cato recommends that you delete rules that you are no longer planning to use.
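As an added example (not Cato's code, schema or API), the following Python models the decisions this page describes: whether a flow stays on the Socket (and so is never inspected by the Cato Cloud or the WAN Firewall) or is sent to the cloud, how the To and Both directions differ for traffic initiated by the Source side versus the Destination side, why a disabled rule falls through to the cloud, and how a Dynamic NAT (PAT) rule rewrites the source address and port. The Rule and Flow classes, the validate/matches/route functions and the PatTable class are hypothetical stand-ins; the RULES policy and FLOWS list are constructed sample data, not taken from a real site.

```python
"""Hypothetical model of Local Routing rule evaluation (added example, not Cato's
schema or API): which flows bypass the Cato Cloud and WAN Firewall, how the To
and Both directions differ, and how a Dynamic NAT (PAT) rule rewrites the source."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # Ports = Any

@dataclass
class Rule:
    name: str
    source: str               # CIDR, e.g. "10.1.10.0/24" (a /32 is a single host)
    destination: str
    direction: str            # "to" (only Source initiates) or "both"
    protocols: frozenset      # e.g. frozenset({"tcp"}); frozenset({"any"}) = all
    ports: Optional[tuple]    # (low, high) destination port range, or ANY
    enabled: bool = True
    nat: bool = False
    outbound_ip: Optional[str] = None  # egress range interface IP used for PAT

@dataclass
class Flow:  # a connection as initiated: src_* is the initiator
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def validate(rule: Rule) -> list:
    """Check the NAT constraints the page states; returns the problems found."""
    issues = []
    if rule.nat:
        if rule.direction != "to":
            issues.append(f"{rule.name}: NAT rules can only use the To direction")
        if rule.outbound_ip is None:
            issues.append(f"{rule.name}: NAT rule has no Outbound IP")
        # Known limitation on the page: FTP through NAT needs Ports = Any.
        if rule.ports is not ANY and rule.ports[0] <= 21 <= rule.ports[1]:
            issues.append(f"{rule.name}: FTP (port 21) with NAT requires Ports = Any")
    return issues

def _endpoints(rule: Rule, initiator: str, responder: str) -> bool:
    return (ip_address(initiator) in ip_network(rule.source)
            and ip_address(responder) in ip_network(rule.destination))

def matches(rule: Rule, flow: Flow) -> bool:
    """True if this rule keeps the flow on the Socket (never inspected)."""
    if not rule.enabled:
        return False
    if "any" not in rule.protocols and flow.protocol not in rule.protocols:
        return False
    if rule.ports is not ANY and flow.protocol != "icmp":
        low, high = rule.ports
        if flow.dst_port is None or not low <= flow.dst_port <= high:
            return False
    if _endpoints(rule, flow.src_ip, flow.dst_ip):  # Source initiated: To or Both
        return True
    # Destination initiated: only a Both rule matches.
    return rule.direction == "both" and _endpoints(rule, flow.dst_ip, flow.src_ip)

def route(rules: list, flow: Flow) -> Optional[Rule]:
    """First matching enabled rule; None means the flow goes to the Cato Cloud."""
    for rule in rules:
        if matches(rule, flow):
            return rule
    return None

class PatTable:
    """Minimal PAT: one outbound port per (src ip, src port, protocol). A Socket
    picks a random free port; sequential allocation keeps this example checkable."""
    def __init__(self, first_port: int = 1024):
        self.next_port = first_port
        self.bindings = {}

    def translate(self, rule: Rule, flow: Flow) -> Flow:
        key = (flow.src_ip, flow.src_port, flow.protocol)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return Flow(rule.outbound_ip, flow.dst_ip, flow.protocol,
                    self.bindings[key], flow.dst_port)

# Constructed sample policy and flows (not from a real site).
RULES = [
    Rule("voip-to-pbx", "10.1.10.0/24", "10.1.20.5/32", "to", frozenset({"udp"}), (5060, 5061)),
    Rule("file-shares", "10.1.10.0/24", "10.1.30.0/24", "both", frozenset({"tcp"}), (445, 445)),
    Rule("legacy-nat", "10.1.10.0/24", "192.168.99.0/24", "to", frozenset({"any"}), ANY,
         nat=True, outbound_ip="192.168.99.1"),
    Rule("old-rule", "10.1.0.0/16", "10.1.0.0/16", "both", frozenset({"any"}), ANY, enabled=False),
]
FLOWS = [
    Flow("10.1.10.7", "10.1.20.5", "udp", 40000, 5060),    # phone -> PBX: local (To rule)
    Flow("10.1.20.5", "10.1.10.7", "udp", 51000, 5060),    # PBX -> phone: Cato Cloud
    Flow("10.1.30.9", "10.1.10.7", "tcp", 50000, 445),     # server -> client: local (Both rule)
    Flow("10.1.10.7", "192.168.99.20", "tcp", 51234, 80),  # local, then PAT to 192.168.99.1
]
```

Running `route(RULES, f)` over a list of expected flows is a quick way to audit how much of a site's traffic a Local Routing policy takes away from the WAN Firewall: every flow that returns a rule instead of None is traffic the Cato Cloud never sees. `validate` encodes only the constraints stated on this page (To direction, an Outbound IP, and Ports = Any for FTP); the Cato Management Application enforces these itself and computes the Outbound IP, so the function is for reviewing exported rule sets rather than replacing the UI checks.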
2 comments
Has local routing been replaced with LAN firewall?
Brett Howard
Socket sites support the Local Routing or the LAN Firewall policy. It's possible that some sites are upgraded to the LAN Firewall, while some continue to use the Local Routing page.
Starting on October 22, 2024, Cato will gradually replace Local Routing with the LAN Firewall for all accounts. For more information, see this Product Update.