Cato Networks Knowledge Base

Understanding New Logic for Client Connectivity Policy

Starting in September 2022, Cato simplified the rule logic for the Client Connectivity Policy and also added the Block action so this policy now uses the same logic as the firewall security policies. This article explains the previous logic (before Sept. 2022), and the new logic.

Previous Logic for Client Connectivity Policy

According to the previous Client Connectivity Policy logic, if a device matched the User/Groups, Platforms, and Countries for a rule, the engine then checked whether the device met the requirements of the rule's Device Posture Profile.

  • Devices that meet the requirements are Allowed to connect to the network

  • Devices that do NOT meet the requirements are blocked and can't connect to the network (even if they meet the requirements for a rule lower in the rulebase)

New Logic for Client Connectivity Policy

According to the new Client Connectivity Policy logic, if a device matches the User/Groups, Platforms, Countries, and Device Posture Profile for a rule, the rule action is applied to the device.

  • For rules with the Allow action, devices are allowed to connect to the network

  • For rules with the Block action, devices are blocked and can't connect to the network

    Devices that don't match any rule are blocked by the final implicit ANY ANY Block action

If a device matches the User/Groups, Platforms, and Countries, but does NOT match the Device Posture Profile for a rule, the rule action is not applied to the device. The engine continues to apply the lower priority rules in the Client Connectivity Policy to the device.

Sample Client Connectivity Policy

This section shows an example of a Client Connectivity Policy and how the rules are applied according to the new logic (after September 2022).

[Image: ClientConnectivity Policy.png]
  1. The scope of rule 1 is the RnD groups for Africa and Europe with Windows devices.

    • When these SDP users try to connect to the Cato Cloud, they are only allowed to connect if they meet the requirements of the RnD Africa profile or the RnD Europe profile.

      Otherwise, the engine checks the user and device against rule 2.

  2. The scope of rule 2 is the RnD groups for Africa and Europe with Windows devices that did NOT meet the Device Posture Profile requirements in rule 1.

    • When these SDP users try to connect to the Cato Cloud, they match the Device Posture Profile Any, and are blocked. They can't connect to the Cato Cloud.

    • Rule 2 does not apply to users that are not members of the RnD groups for Africa and Europe, and these users continue with rule 3.

  3. The scope of rule 3 is any user or groups with a Windows device.

    When the users try to connect to the Cato Cloud, they are only allowed to connect if they meet the requirements of the Sample profile.

    Otherwise, the users are blocked by the final implicit ANY ANY Block rule.
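The following is an added model of the two evaluation orders described above (previous logic vs. new logic), run against the three-rule sample policy; it is example code, not Cato's engine. Group and profile names follow the article's description, the Countries column of rules 1 and 2 is assumed to be Any because the article does not list it, and the posture check is stubbed as the set of profile names a device currently meets.

```python
# Added example, not Cato's code: a minimal model of the Client Connectivity Policy
# engine comparing the pre-September-2022 logic with the new logic.
from dataclasses import dataclass

ANY = "Any"            # wildcard for groups, platforms, countries and profiles
ANYSET = frozenset({ANY})
@dataclass(frozen=True)
class Rule:
    groups: frozenset     # User/Groups
    platforms: frozenset  # Platforms
    countries: frozenset  # Countries
    profiles: frozenset   # Device Posture Profiles (device must meet one)
    action: str           # "Allow" or "Block" (Block only exists in the new logic)

@dataclass(frozen=True)
class Device:
    groups: frozenset
    platform: str
    country: str
    met_profiles: frozenset  # posture profiles the device meets (assumed input, stubbed)

def scope_matches(rule, dev):
    """User/Groups, Platforms and Countries all match (ANY matches anything)."""
    return bool((ANY in rule.groups or rule.groups & dev.groups)
                and (ANY in rule.platforms or dev.platform in rule.platforms)
                and (ANY in rule.countries or dev.country in rule.countries))

def posture_matches(rule, dev):
    return ANY in rule.profiles or bool(rule.profiles & dev.met_profiles)

def evaluate_previous(rules, dev):
    """Old logic: the first rule whose scope matches decides; failed posture blocks."""
    for rule in rules:
        if scope_matches(rule, dev):
            return "Allow" if posture_matches(rule, dev) else "Block"
    return "Block"

def evaluate_new(rules, dev):
    """New logic: posture is part of the match; a rule that does not match is skipped."""
    for rule in rules:
        if scope_matches(rule, dev) and posture_matches(rule, dev):
            return rule.action
    return "Block"  # final implicit ANY ANY Block
# Sample rulebase from the article; group and profile names as described there.
RND, WIN = frozenset({"RnD Africa", "RnD Europe"}), frozenset({"Windows"})
SAMPLE_POLICY = [
    Rule(RND, WIN, ANYSET, RND, "Allow"),                      # rule 1
    Rule(RND, WIN, ANYSET, ANYSET, "Block"),                   # rule 2
    Rule(ANYSET, WIN, ANYSET, frozenset({"Sample"}), "Allow"), # rule 3
]
```

Evaluating the policy with rule 2 removed shows why it is there: under the new logic an RnD Windows device that fails its RnD profile but meets the Sample profile falls through to rule 3 and is allowed, whereas the previous logic blocked it at rule 1.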
