Cato Networks Knowledge Base

Allowlisting IPS Signatures


This article discusses how to create an allowlist rule to allow traffic with a specific IPS signature to bypass the IPS inspection engine.

Overview of IPS Allowlisting

The Cato Intrusion Prevention System (IPS) engine inspects WAN and Internet traffic for a variety of network attacks and uses different prevention techniques to protect the network. Some of the IPS protections are based on traffic signatures that define the type of potential network attack. Whenever a traffic pattern matches an IPS signature, the IPS engine applies the IPS policy action to the traffic (block, monitor, or allow).

For the IPS block action, you can use IPS allowlist rules to configure the IPS engine to ignore the matching traffic. For example, you can create an IPS allowlist rule directly from an IPS block event in the Event screen.

Note: For accounts with IPS allowlist settings that were previously configured by Support, these settings are migrated to the IPS allowlist rulebase.

Network Traffic and the IPS Protection Scope

You can create rules to allowlist traffic for the IPS engine according to a specific scope of the network traffic. The traffic from the source (From) and to the destination (To) is only allowlisted according to one of these types of network traffic:

  • WAN - WAN traffic between sites and hosts over the Cato Cloud

  • Inbound - Traffic from the Internet to the internal customer network

  • Outbound - Traffic from the internal customer network to the Internet

  • Any - Any network traffic

[Image: IPS allowlist rulebase (AllowList_Rulebase.png)]

Items in an IPS Allowlist Rule

The following items define the settings for an IPS allowlist rule:

  • Name - Name for the IPS allowlist rule.

  • Scope - Protection scope for the traffic that the IPS allowlist applies to. You can't edit the Scope for a rule.

  • Source - Source of the traffic for this rule.

  • Destination - Destination of the traffic for this rule.

  • Protocol/Port - Only applies to traffic that matches the specified protocol and ports. You can define a single port or a range of ports for each rule. Use separate rules to define multiple ports, for example one rule for TCP port 80 and a second rule for TCP port 200.

  • Signature ID - The IPS signature that is allowlisted; any traffic with this signature that matches this rule is allowed by the IPS engine. You can enter Any to configure the IPS engine to allow all traffic that matches this rule.

  • Track - When the rule is matched, an event is generated or an email notification alert is sent to the specified list.

  • More icon (More_icon.png) - Options to Enable, Disable or Delete the rule.

Working with the IPS Allowlist Rulebase

The IPS allowlist rulebase contains all the rules that allowlist traffic for the IPS engine. All the matching IPS allowlist rules are applied to the traffic. This behavior is different from the ordered firewall rulebase, where only the first matching rule is applied. This means that if a connection matches multiple allowlist rules, then each matching rule generates an event.

For example, a connection with a blocked IPS signature matches IPS allowlist rules 2 and 4. The connection is allowlisted and allowed by the IPS engine. The connection generates two separate events, one for rule 2 and one for rule 4.

Creating an IPS Allowlist Rule from a Block Event

You can use Event Discovery to identify the IPS signature that is blocking traffic and then create an IPS allowlist rule from the block event. You can click the signature ID in an event to open a window that lets you configure the settings for a new IPS allowlist rule. The rule is then added to the IPS allowlist rulebase in the IPS policy (Security > Threat Protection > IPS Policy).

To create an IPS allowlist rule from an event:

  1. From Monitoring > Events, show the IPS event for the blocked traffic. This is a sample procedure to show an IPS event:

    1. From the Select Preset drop-down menu, select IPS.

    2. Locate the event for the IPS signature ID.

    3. Expand the event.

  2. In signature id, click the link for the signature.

    The New Allow List panel opens. The settings for the rule are based on the data for the event.

    [Image: New Allow List panel opened from an event (IPS_allow_from_event.png)]

  3. Review the settings for the IPS allowlist rule. The Scope matches the traffic direction for the event and you can't change it.

  4. In the Track section, you can choose to generate an Event and Email Notification when this signature is allowed.

  5. Click Save. The rule is added to the IPS allowlist rulebase.

  6. To show the IPS allowlist rulebase, from the navigation menu click Security > IPS Policy and select the Allow List tab.

Managing IPS Allowlist Rules

Use the IPS Allowlist section in the IPS Policy screen to manually create, edit, and delete IPS allowlist rules.

Showing the IPS Allowlist Rulebase

The IPS allowlist rulebase is in the IPS Policy screen.

To show the IPS allowlist rulebase:

  1. From the navigation menu, click Security > IPS.

  2. Select the Allow List tab. The IPS allowlist rulebase is displayed.

Manually Creating an IPS Allowlist Rule

You can add a new rule to the IPS allowlist rulebase and define the settings for the rule. You can't edit the scope of a rule.

The IPS Signature ID is a custom signature that Cato uses for the IPS engine. You can only see the Signature IDs in IPS events.

Allowlist rules for the GEO_RESTRICTION Signature ID must define an IP Range in the Destination field. If the rule is defined based on a Domain, the traffic doesn't bypass the IPS inspection engine.

To manually create an IPS allowlist rule:

  1. From the navigation menu, click Security > IPS.

  2. Click New. The New Allow List panel opens.

  3. Enter the Name for the rule.

  4. Select the Scope of the rule.

  5. Define the Signature ID for the rule (see Items in an IPS Allowlist Rule above).

    If you set Signature ID to Any, then the IPS engine allows all matching traffic.

  6. Click Apply. The IPS allowlist rule is added to the rulebase.

  7. Click Save.
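The matching semantics described above (all matching allowlist rules apply and each tracked match produces its own event, unlike the first-match firewall rulebase; Signature ID set to Any; and the GEO_RESTRICTION caveat that only an IP Range destination bypasses inspection) as an added Python model. This is illustration code written for this article, not Cato's implementation or API: the data classes, function names, addresses and the placeholder signature ID EXAMPLE_SIG_1 are constructed for the example.

```python
# Added example: a toy model of IPS allowlist evaluation. The rule fields and
# the "all matching rules apply" semantics follow the article; the classes,
# function names and sample values are constructed and are not Cato's code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    scope: str          # traffic direction: "WAN", "Inbound" or "Outbound"
    src_ip: str
    dst_ip: str
    protocol: str       # "TCP" or "UDP"
    port: int
    signature_id: str   # IPS signature that would block this connection


@dataclass(frozen=True)
class AllowlistRule:
    number: int
    name: str
    scope: str                          # "WAN", "Inbound", "Outbound" or "Any"
    source: str                         # CIDR or "Any"
    destination: str                    # CIDR, domain name or "Any"
    protocol: str                       # "TCP", "UDP" or "Any"
    ports: Optional[Tuple[int, int]]    # inclusive port range; None = any port
    signature_id: str                   # a specific signature or "Any"
    enabled: bool = True
    track_event: bool = True            # Track: generate an event on match


def _ip_field_matches(spec: str, addr: str) -> bool:
    """Match an address against a CIDR/IP spec. A domain name never matches
    here, which models the GEO_RESTRICTION caveat (only an IP range bypasses)."""
    if spec == "Any":
        return True
    try:
        network = ip_network(spec, strict=False)
    except ValueError:          # not an IP range, e.g. a domain name
        return False
    return ip_address(addr) in network


def rule_matches(rule: AllowlistRule, conn: Connection) -> bool:
    """True when every field of the rule matches the connection."""
    if not rule.enabled:
        return False
    if rule.scope not in ("Any", conn.scope):
        return False
    if rule.protocol not in ("Any", conn.protocol):
        return False
    if rule.ports is not None and not (rule.ports[0] <= conn.port <= rule.ports[1]):
        return False
    if rule.signature_id not in ("Any", conn.signature_id):
        return False
    return (_ip_field_matches(rule.source, conn.src_ip)
            and _ip_field_matches(rule.destination, conn.dst_ip))


def evaluate_allowlist(rules: List[AllowlistRule], conn: Connection) -> Tuple[bool, List[int]]:
    """Allowlist semantics: every matching rule applies, and each matching rule
    that tracks events produces its own event. Returns (bypasses_ips, event_rule_numbers)."""
    matched = [r for r in rules if rule_matches(r, conn)]
    events = [r.number for r in matched if r.track_event]
    return bool(matched), events


def first_match(rules: List[AllowlistRule], conn: Connection) -> Optional[int]:
    """Ordered-rulebase semantics (as in the firewall), for comparison:
    only the first matching rule applies."""
    for r in rules:
        if rule_matches(r, conn):
            return r.number
    return None


def validate_rule(rule: AllowlistRule) -> List[str]:
    """Flag a GEO_RESTRICTION rule whose Destination is not an IP range:
    the article states such a rule does not bypass inspection."""
    problems = []
    if rule.signature_id == "GEO_RESTRICTION":
        try:
            ip_network(rule.destination, strict=False)
        except ValueError:
            problems.append(f"rule {rule.number}: GEO_RESTRICTION needs an IP range "
                            f"in Destination, got {rule.destination!r}")
    return problems


# Constructed sample rulebase; EXAMPLE_SIG_1 is a placeholder signature ID.
SAMPLE_RULES = [
    AllowlistRule(1, "web-80-only", "Outbound", "Any", "203.0.113.0/24", "TCP", (80, 80), "EXAMPLE_SIG_1"),
    AllowlistRule(2, "internal-to-saas", "Outbound", "10.0.0.0/8", "Any", "TCP", (443, 443), "EXAMPLE_SIG_1"),
    AllowlistRule(3, "inbound-only", "Inbound", "Any", "10.0.0.0/8", "TCP", (443, 443), "EXAMPLE_SIG_1"),
    AllowlistRule(4, "partner-range-any-sig", "Outbound", "Any", "203.0.113.0/24", "Any", None, "Any"),
    AllowlistRule(5, "geo-by-domain", "Outbound", "10.0.0.0/8", "partner.example", "TCP", (443, 443), "GEO_RESTRICTION"),
]

# Constructed connection: matches rules 2 and 4, so it is allowed and raises two events.
SAMPLE_CONN = Connection("Outbound", "10.1.2.3", "203.0.113.10", "TCP", 443, "EXAMPLE_SIG_1")

if __name__ == "__main__":
    print(evaluate_allowlist(SAMPLE_RULES, SAMPLE_CONN))   # (True, [2, 4])
    print(first_match(SAMPLE_RULES, SAMPLE_CONN))          # 2
    for rule in SAMPLE_RULES:
        for problem in validate_rule(rule):
            print(problem)
```

Running the block prints that the sample connection bypasses the IPS engine with events from rules 2 and 4, whereas first-match evaluation would report rule 2 alone; it also flags rule 5, whose domain Destination means a GEO_RESTRICTION allowlist would never take effect.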

Enabling/Disabling an IPS Allowlist Rule

  1. From the navigation menu, click Security > IPS.

  2. Locate the rule. Click the More icon (More_icon.png) and select Enable to enable a disabled rule or Disable to disable an enabled rule.

  3. Click Save. The rule is enabled or disabled.

Deleting an IPS Allowlist Rule

When you are no longer using an IPS allowlist rule, we recommend that you delete it from the rulebase instead of disabling it. Deleting a rule prevents another admin from enabling it by accident.

To delete an IPS allowlist rule:

  1. From the navigation menu, click Security > IPS.

  2. Click the More icon (More_icon.png) and select Delete.

  3. In the confirmation window, click Delete. The rule is removed.

  4. Click Save. The rule is deleted.
