Cato Networks Knowledge Base

Allowlisting Anti-Malware Traffic

This article discusses how to create Anti-Malware allowlist rules to bypass the Anti-Malware inspection engines (for Anti-Malware and Next Gen Anti-Malware).

Overview of Anti-Malware Allowlisting

The Cato Anti-Malware engines inspect WAN and Internet traffic to protect the network and block the download of malicious files. The Allowlist lets you define the traffic that bypasses Anti-Malware inspection.

Rules in the allowlist are applied to the Anti-Malware engines before the rules in the Anti-Malware Protection Policy. Any traffic that matches a rule in the Allowlist policy always bypasses the scans by the Anti-Malware engines.

Network Traffic and the Anti-Malware Scope

Each Anti-Malware allowlist rule is defined for a specific scope of network traffic. Traffic from the Source is allowlisted only for one of these types of network traffic:

  • WAN - WAN traffic between sites and hosts over the Cato Cloud

  • Internet - Traffic to and from the Internet

  • Any - Any network traffic


Items in an Anti-Malware Allowlist Rule

The following table explains the items that you can use to define the settings for an Anti-Malware allowlist rule:

| Item | Description |
| --- | --- |
| Name | Enter a Name for the rule |
| Enabled | The slider is green when the rule is enabled, and gray when the rule is disabled |
| Rule Order | The order and priority of the rule in the rulebase |
| Scope | Traffic that is bypassing Anti-Malware: WAN, Internet, or All |
| Source | Source of the traffic for this rule |
| What | Only bypasses traffic that matches the traffic type, such as an Application, Category, or Domain |
| Action | Bypass - shows that the traffic is bypassed (no other actions are supported) |

Creating an Anti-Malware Allowlist Rule

You can add a new rule to the Anti-Malware allowlist rulebase and define the settings for the traffic that bypasses Anti-Malware inspection.

To create an Anti-Malware allowlist rule:

  1. From the navigation menu, click Security > Anti-Malware

  2. Select or expand the Allow List section, and click New. The New Allow List panel opens.

  3. Configure the General settings for the rule.

    1. Enter the Name for the rule.

    2. Select the Scope of the rule.

  4. Select one or more items as the Source for the rule.

    The default setting is Any, which matches all traffic.

  5. In the What section, set the type of traffic for the rule (such as applications, categories or services).

    The default setting is Any, which matches all traffic.

  6. Click Apply. The Anti-Malware allowlist rule is added to the rulebase.

  7. Click Save. The rule is saved.

Managing Anti-Malware Allowlist Rules

Use the Allowlist section in the Anti-Malware screen to manually create, edit, and delete Anti-Malware allowlist rules.

Showing the Anti-Malware Allowlist Rulebase

The Anti-Malware allowlist rulebase is in the Anti-Malware screen.

To show the Anti-Malware allowlist rulebase:

  1. From the navigation menu, click Security > Anti-Malware

  2. Select the Allow List tab. The Anti-Malware allowlist rulebase is displayed.

Enabling/Disabling an Anti-Malware Allowlist Rule

  1. From the navigation menu, click Security > Anti-Malware

  2. Locate the rule. Click the More icon and select Enable to enable a disabled rule or Disable to disable an enabled rule.

  3. Click Save. The rule is enabled or disabled.

Deleting an Anti-Malware Allowlist Rule

When you are no longer using an Anti-Malware allowlist rule, we recommend that you delete it from the rulebase instead of disabling it. Deleting a rule prevents another admin from enabling it by accident.

To delete an Anti-Malware allowlist rule:

  1. From the navigation menu, click Security > Anti-Malware

  2. Click the More icon and select Delete.

  3. In the confirmation window, click Delete. The rule is removed.

  4. Click Save. The rule is deleted.
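
Because Source and What both default to Any, and traffic that matches an allowlist rule bypasses the Anti-Malware engines, it is worth reviewing the rulebase for rules that are broader than intended, already covered by another rule, or disabled but not deleted. The following Python check is an added example, not Cato code or a Cato API: the rule dictionaries, rule names and values are constructed stand-ins for the rule items described above (Enabled, Scope, Source, What).

```python
# Added example: audit an allowlist rulebase for over-broad or stale bypass rules.
# The dict layout is a constructed stand-in for the rule items, not a Cato format.
RULES = [  # constructed sample rulebase
    {"name": "Backup vendor", "enabled": True, "scope": "Internet",
     "source": ["Site-HQ"], "what": ["Domain:backup.example.com"]},
    {"name": "Temp troubleshooting", "enabled": True, "scope": "Internet",
     "source": ["Any"], "what": ["Any"]},
    {"name": "Old lab bypass", "enabled": False, "scope": "WAN",
     "source": ["Host-lab-01"], "what": ["Any"]},
    {"name": "Lab updates", "enabled": True, "scope": "WAN",
     "source": ["Host-lab-01"], "what": ["Application:ExampleUpdater"]},
    {"name": "Lab host, all traffic", "enabled": True, "scope": "WAN",
     "source": ["Host-lab-01"], "what": ["Any"]},
]

def is_any(values):
    """True when a Source or What field is left at its default, Any."""
    return not values or "Any" in values

def field_covers(broad, narrow):
    """True when the `broad` field matches everything the `narrow` field matches."""
    if is_any(broad):
        return True
    return not is_any(narrow) and set(narrow) <= set(broad)

def covers(broad, narrow):
    """True when rule `broad` bypasses every flow that rule `narrow` bypasses."""
    return (broad["scope"] in ("Any", narrow["scope"])
            and field_covers(broad["source"], narrow["source"])
            and field_covers(broad["what"], narrow["what"]))

def audit(rules):
    """Return (rule name, finding) pairs for rules that deserve review."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            findings.append((rule["name"], "disabled: delete it from the rulebase"))
            continue
        if is_any(rule["source"]) and is_any(rule["what"]):
            findings.append((rule["name"], f"bypasses all {rule['scope']} traffic"))
        for other in rules:
            if other is not rule and other["enabled"] and covers(other, rule):
                findings.append((rule["name"], f"already covered by '{other['name']}'"))
                break
    return findings
```

Calling audit(RULES) on the sample flags four rules: the Source Any / What Any rule, the disabled rule, and two narrow rules that a broader enabled rule already bypasses.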
