This article explains how to manage the WAN firewall rulebase, including how to create new rules, edit rules, enable and disable a rule, search for a rule, and delete rules.
For more information about the WAN firewall policy in Cato, see What is the Cato WAN Firewall?.
Note: Cato is gradually enabling this feature on accounts over a period of several weeks. It is possible that it may not be available in the Cato Management Application for your account.
The WAN firewall in the Cato Cloud controls access to objects and entities in your WAN and lets you create rules to prevent unauthorized access to the network. It uses an ordered rulebase, inspecting the connection and checking each rule sequentially until a rule matches the connection.
The WAN firewall lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.
Create a new WAN firewall rule and configure the settings for the rule to manage access control for the WAN. Use the Add Rule Below option to easily add a rule to the correct place in the rulebase.
For more about Source, Destination, App, and Category items for a rule, see Reference for Rule Objects.
The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.
To create a new rule for the WAN firewall:
- From the navigation menu, click Security > WAN Firewall.
  The WAN Firewall page opens to your existing unpublished revision, or to the newest published revision.
- Click New. The New panel opens.
- Enter the Name for the rule.
- Enable or disable the rule using the slider (green is enabled, grey is disabled).
- Configure the Rule Order and Direction for the new rule:
  - New rules are added to the bottom of the rulebase. You can change the order in which this rule is applied.
  - By default, the rule is applied in one direction, from the source To the destination. Click the Direction drop-down menu to set the rule to operate in Both directions.
  - For more about the rule order options, see What is the Cato WAN Firewall?.
- Expand the Source section and select one or more objects for the traffic source for this rule (or you can enter an IP address).
  - Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.
  - When needed, select a specific object from the drop-down list for that type.
- Expand the Destination section and enter a string or select one or more destination objects for this rule.
  - Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.
  - When needed, select a specific object from the drop-down list for that type.
- Expand the Device section and add the device conditions to the rule. For more information, see Adding Device Conditions to Firewall Rules. The default values are Any.
- Expand the App/Category section and select one or more applications for the rule.
  When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.
- Expand the Service/Port section and define the type or types (Service, Port/Protocol, Any) that are applied to this rule.
  When there is more than one Service/Port object in a rule, there is an OR relationship between them. The default value is Any.
- Select the Action for this rule. The options are Allow, Block, Prompt.
- (Optional) Configure tracking options to generate Events and Send Notification.
  For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.
- (Optional) Configure the Time options that define when this rule is enabled.
- Click Apply. The new rule is added to the rulebase.
- Click Save.
  The changes are saved to your unpublished revision, and are available for editing until they are published or discarded.
You can use exceptions in the WAN firewall rulebase to skip a specific rule and continue matching against the lower-priority rules. For example, if rule #3 allows VPN access to the RnD subnet, you can create an exception so that a small subset of SDP users is not allowed VPN access by that rule. When creating an exception for a block rule, the traffic must match an allow rule with a lower priority, otherwise the final implicit ANY ANY block rule blocks the traffic.
The exception for a rule is a sub-set of the rule, and some settings apply to both the rule and the exception:
- When you disable the rule, the exception is also disabled.
- When you move the rule and change the priority, the exception is also moved.
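The matching behaviour described above (ordered rulebase with first match wins, an exception that makes the flow skip its parent rule and continue down the rulebase, a disabled rule that takes its exceptions with it, and the implicit ANY ANY block at the end), as an added Python model. This is not Cato's code; the rulebase, user names, subnets and flows are constructed to mirror the rule #3 example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the matching semantics the article describes (not Cato's code):
# ordered rulebase, first match wins, an exception is a subset of its parent rule that
# makes the flow skip the parent and continue downward, and an implicit ANY ANY Block
# ends the rulebase. A condition key left out of a dict means "Any".

def hits(cond, flow):
    """True when the flow satisfies every configured field; values within a field are OR-ed."""
    if "src" in cond and flow["user"] not in cond["src"]:
        return False
    if "dst" in cond and not any(ip_address(flow["dst"]) in ip_network(n) for n in cond["dst"]):
        return False
    if "app" in cond and flow["app"] not in cond["app"]:
        return False
    return True

def evaluate(rulebase, flow):
    """Return (rule name, action) of the first matching rule, or the implicit final block."""
    for rule in rulebase:
        if not rule.get("enabled", True):      # disabling a rule disables its exceptions too
            continue
        if not hits(rule["match"], flow):
            continue
        if any(hits(exc, flow) for exc in rule.get("exceptions", [])):
            continue                            # exception: ignore this rule, keep going down
        return rule["name"], rule["action"]
    return "implicit ANY ANY", "Block"

# Constructed rulebase after the article's scenario: rule 3 allows VPN to the RnD subnet,
# with an exception for two SDP users; only one of them has a lower-priority allow rule.
RULEBASE = [
    {"name": "1 Block guests", "match": {"src": {"guest"}}, "action": "Block"},
    {"name": "3 Allow VPN to RnD", "match": {"dst": ["10.20.0.0/16"], "app": {"VPN"}},
     "action": "Allow", "exceptions": [{"src": {"contractor1", "contractor2"}}]},
    {"name": "5 Allow contractor1 to build net",
     "match": {"src": {"contractor1"}, "dst": ["10.20.5.0/24"]}, "action": "Allow"},
]

if __name__ == "__main__":
    for flow in ({"user": "alice", "dst": "10.20.1.5", "app": "VPN"},
                 {"user": "contractor1", "dst": "10.20.5.9", "app": "VPN"},
                 {"user": "contractor2", "dst": "10.20.1.5", "app": "VPN"}):
        print(flow["user"], "->", evaluate(RULEBASE, flow))
```

contractor2 is skipped by rule 3 and has no later allow rule, so the implicit block applies, which is the case the text warns about.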
To add an exception to a firewall rule:
- From the navigation menu, click Security > WAN Firewall.
- On the right of the rule, click and select Add Exception.
  The Add Exception panel opens.
- Expand and configure the settings for the rule exception.
  The Action for the parent rule is not applied to the rule exception.
- Click Apply. The exception is added below the rule.
- Click Save. The exception is saved to your unpublished revision and is available for editing until it is published or discarded.
To remove an exception from a firewall rule:
- From the navigation menu, click Security > WAN Firewall.
- From the right-hand column of the rule, click and in the pop-up window select Delete Exception.
  The exception is removed from the rule.
- Click Save. The exception is deleted from your unpublished revision, and you can publish the revision to remove the exception from the account policy.
Use the WAN Firewall rule search to find the rules you want to work with. The search function finds and shows rules that include the search terms in any of the following fields:
- Name
- Source
- Device
- Destination
- App/Category
- Service/Port
If a rule is part of a section, the results show the rule within the section.
You can edit rules and change the order of the rules in the firewall rulebase.
To edit a rule:
- From the navigation menu, click Security > WAN Firewall.
- Click on the rule. The Edit panel opens.
- Expand any of the sections in the panel to display and edit the current rule settings.
- Click Apply to change the rule settings. The Edit panel closes.
- Click Save to save the changes.
  The changes are saved to your unpublished revision and are available for editing until they are published or discarded.
You can delete one or more rules from the firewall rulebase. After you delete the rules, you cannot undo or restore them.