Starting in September 2022, Cato simplified the rule logic for the Client Connectivity Policy and also added the Block action so this policy now uses the same logic as the firewall security policies. This article explains the previous logic (before Sept. 2022), and the new logic.
According to the previous Client Connectivity Policy logic, if a device matched the User/Groups, Platforms, and Countries for a rule, then the engine checked whether the device met the requirements of the rule's Device Posture Profile.
- Devices that meet the requirements are allowed to connect to the network
- Devices that do NOT meet the requirements are blocked and can't connect to the network (even if they meet the requirements for a rule lower in the rulebase)
According to the new Client Connectivity Policy logic, if a device matches the User/Groups, Platforms, Countries, and Device Posture Profile for a rule, then the rule action is applied to the device.
- For rules with the Allow action, devices are allowed to connect to the network
- For rules with the Block action, devices are blocked and can't connect to the network
- Devices that don't match any rule are blocked by the final implicit ANY ANY Block action
If a device matches the User/Groups, Platforms, and Countries, but does NOT match the Device Posture Profile for a rule, the rule action is not applied to the device. The engine continues to evaluate the lower priority rules in the Client Connectivity Policy for the device.
This section shows an example of a Client Connectivity Policy and how the rules are applied according to the new logic (after September 2022).
- The scope of rule 1 is the RnD groups for Africa and Europe with Windows devices.
- The scope of rule 2 is the RnD groups for Africa and Europe with Windows devices that did NOT meet the Device Posture Profile requirements in rule 1.
- When these SDP users try to connect to the Cato Cloud, they match the Device Posture Profile Any and are blocked. They can't connect to the Cato Cloud.
- Rule 2 does not apply to users that are not members of the RnD groups for Africa and Europe, and these users continue with rule 3.
- The scope of rule 3 is any user or group with a Windows device. When these users try to connect to the Cato Cloud, they are only allowed to connect if they meet the requirements of the Sample profile. Otherwise the users are blocked by the final implicit ANY ANY Block rule.
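The following added example (not Cato's code) models both evaluation orders described above and replays the three-rule policy from this section under each. The rule 1 profile name "RnD Profile", the group names "RnD Africa"/"RnD Europe", and the sample devices are assumptions; it also shows why rule 2 is needed under the new logic, since without it an RnD device that fails rule 1 falls through to rule 3.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = None  # a rule field set to ANY matches every device

@dataclass(frozen=True)
class Device:
    groups: FrozenSet[str]
    platform: str
    country: str
    met_profiles: FrozenSet[str]  # posture profiles this device currently satisfies

@dataclass(frozen=True)
class Rule:
    name: str
    groups: Optional[FrozenSet[str]]
    platforms: Optional[FrozenSet[str]]
    countries: Optional[FrozenSet[str]]
    posture: Optional[str]  # a Device Posture Profile name, or ANY
    action: str             # "Allow" or "Block" (Block only exists in the new logic)

    def scope_matches(self, d: Device) -> bool:
        return ((self.groups is ANY or bool(d.groups & self.groups))
                and (self.platforms is ANY or d.platform in self.platforms)
                and (self.countries is ANY or d.country in self.countries))

    def posture_matches(self, d: Device) -> bool:
        return self.posture is ANY or self.posture in d.met_profiles

def evaluate_old(rules: List[Rule], d: Device) -> str:
    """Pre-September-2022 logic: the first rule whose scope matches decides,
    and failing that rule's posture check blocks with no fall-through."""
    for r in rules:
        if r.scope_matches(d):
            return "Allow" if r.posture_matches(d) else "Block"
    return "Block"

def evaluate_new(rules: List[Rule], d: Device) -> str:
    """Post-September-2022 logic: posture is part of the match, so a device
    that fails it is evaluated against the lower priority rules."""
    for r in rules:
        if r.scope_matches(d) and r.posture_matches(d):
            return r.action
    return "Block"  # final implicit ANY ANY Block

RND, WINDOWS = frozenset({"RnD Africa", "RnD Europe"}), frozenset({"Windows"})
RULES = [
    Rule("1", RND, WINDOWS, ANY, "RnD Profile", "Allow"),  # hypothetical profile name
    Rule("2", RND, WINDOWS, ANY, ANY, "Block"),            # catches RnD devices failing rule 1
    Rule("3", ANY, WINDOWS, ANY, "Sample", "Allow"),
]
# Constructed sample: RnD Europe Windows laptop that fails rule 1's profile but meets Sample
RND_LAPTOP = Device(frozenset({"RnD Europe"}), "Windows", "DE", frozenset({"Sample"}))
```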