Configuring Network Rules

Overview

Network rules let you steer and prioritize traffic across your WAN and Internet connections, giving you fine-grained control over performance, routing, and link usage. By creating rules based on application, source, and destination, you can ensure critical traffic receives the right QoS, optimize for latency or packet loss, and select the best transport paths. Use the Network Rules page to define rule order, apply acceleration settings, and configure advanced routing behaviors that align with your business and technical requirements.

For more about network rules and Cato, see What are Network Rules?.

Working with Multiple Objects in a Single Rule

The Source, App/Category, and Destination columns form an AND relationship: the rule is triggered only if traffic matches the criteria defined in all three columns.

When there are multiple items within one column, there is an OR relationship: the rule is applied if traffic matches the criteria defined for any of the items. For example, a rule whose App/Category column contains both the TCP service and the UDP service matches either TCP or UDP traffic.

Policy Revisions and Concurrent Editing by Multiple Admins

The Network Rules page lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.

Enabling the Network Rule Policy

Control whether the Network Rule policy is enforced by using the Network Rules Enabled toggle in the Network Rules page. When the policy is enabled, the configured rules are applied to route and prioritize traffic in your account. Disabling the policy immediately stops the enforcement of these rules.

To enable the Network Rules policy:

  1. From the navigation menu, click Network > Network Rules.
  2. Click the toggle next to Network Rules Disabled.
  3. Click Continue in the confirmation window. The toggle is green when the policy is enabled.

Creating a Network Rule

To apply custom traffic steering or QoS to specific WAN or Internet traffic flows, create a network rule that defines the traffic and how it should be handled. Network Rules is an ordered policy: rules are evaluated according to their position in the rulebase, so create each new rule in the correct position, for example before or after an existing rule.

When configuring the Source, you define which traffic the rule applies to. You can select from a variety of global objects, such as IP ranges, application categories, or user groups, to match the relevant traffic.

Each rule includes the following configuration options:

NetworkRules.png

To create a WAN or Internet network rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Click New > New Rule. The Add Network Rule panel opens.
  3. From the General section, configure the following settings for the rule:
    1. Enter the Name for the rule.
    2. Enable or disable the rule using the slider (green is enabled, grey is disabled).
    3. Select the Position for the new rule.
    4. In the Rule Type drop-down menu, select whether this rule is for WAN or Internet traffic.
  4. Expand the Source section and select one or more objects for the traffic source for this rule (or you can enter an IP address).
    1. Select the type (for example: Host, Network Interface, IP, IP Range, or Any). The default value is Any.
    2. When needed, select a specific object from the drop-down list for that type.
  5. Expand the Criteria section and add the device conditions to the rule. For more information, see Adding Device Conditions to Firewall Rules. The default values are Any.
  6. For WAN traffic rules, expand the Destination section and select one or more objects for the traffic destination for this rule.
  7. Expand the App/Category section and select one or more applications for the rule.

    When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.

    For a detailed explanation of each of the options in App/Category section, see Reference for Rule Objects.

  8. In the Configuration section, you can configure the following settings for the network rule (see explanations below):

    • Bandwidth Priority
    • Primary Transport and Secondary Transport
  9. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  10. Click Publish. A confirmation window opens, click Publish.

Changing the Bandwidth Priorities (QoS) for a Rule

By default, new rules are assigned the default priority (p255), which you can change according to the QoS needs of your network.

The lower the priority number, the higher the QoS priority for the rule. For example, a rule with priority 10 has a higher QoS priority than a rule with priority 40.

For more about defining the bandwidth policies for your account, see Configuring Bandwidth Management Profiles.

To change the bandwidth priority for a rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Click the network rule. The Edit Network Rule panel opens.
  3. Expand the Configuration section.
  4. In the Bandwidth Management section, from the Bandwidth Priority drop-down menu, select the QoS priority for this rule.
  5. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  6. Click Publish. A confirmation window opens, click Publish.

Configuring the Transport and Routing Options

This section explains how to configure the transport options for a network rule and to egress traffic to a specific location or IP address.

Customizing the Transport Options for a Rule

Network rules are configured globally. If a specific site does not have the specified transport, the Socket treats such a configuration as if it were configured for Automatic.

If you select explicit transports/NICs, the QoS engine monitors packet loss, jitter, and latency; if congestion occurs, packets are dropped. If you select Automatic for the transports, the QoS engine monitors congestion in addition to packet loss, jitter, and latency.

Alt-WAN isn’t supported for Off-Cloud as a secondary transport. You can’t configure a network rule with Alt-WAN as the primary transport that fails over to Off-Cloud.

TransportOptions.png

  • WAN rules have the following default settings:

    • Primary Transport: Cato
    • Secondary Transport: Automatic (accounting for additional transports such as MPLS, if applicable)
    • Primary Interface Role: Automatic
    • Secondary Interface Role: None (disabled as handled by the Automatic setting for Primary NIC)
    • Route/NAT: - (not applicable for WAN rules)
  • Internet rules have the following default settings:

    • Primary Transport: Cato
    • Secondary Transport: None (don't use other transports)
    • Primary Interface Role: Automatic
    • Secondary Interface Role: None (disabled as handled by the Automatic setting for Primary NIC)
    • Route/NAT: None

To customize the transport options for a network rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Click the network rule. The Edit Network Rule panel opens.
  3. Expand the Configuration section.
  4. Configure the transport fields as required: to route traffic via a specific transport, you can configure your primary and secondary transports.

    The primary transport will be used as long as it is up and available, as determined by the Cato QoS engine. If the primary transport is not available, the secondary transport is used.

  5. Configure the Interface Role fields (applicable only for traffic routed via Cato Cloud) as required.

    To route traffic via a specific link, you can configure your primary and secondary NICs. The Primary Interface Role is used as long as it is up and available, as determined by the Cato QoS engine.

    If the Primary Interface Role is not available, the Secondary Interface Role is used. When the Secondary Interface Role is set to None, the behavior is based on the setting for the Primary Interface Role:

    • Automatic - the Socket makes a best effort to send the traffic over the primary transport
    • Any other interface role - the Socket drops the traffic when the primary transport is not available
  6. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  7. Click Publish. A confirmation window opens, click Publish.
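The transport and interface-role failover described in steps 4 and 5, together with the two rules from the start of this section (a transport the site does not have is treated as Automatic; Alt-WAN cannot fail over to Off-Cloud), can be modelled as a small decision function. The following is an added example, not Cato's code: the link names (WAN1, WAN2), the site inventories and the dictionary shapes are assumptions made for the illustration.

```python
# Added example (not Cato's code): a model of the primary / secondary transport
# and interface-role failover described for a network rule. Link names and
# site inventories are constructed for the illustration.
AUTOMATIC = "Automatic"
NONE = "None"


def validate_transports(primary, secondary):
    """Reject the unsupported combination: Alt-WAN primary failing over to Off-Cloud."""
    if primary == "Alt-WAN" and secondary == "Off-Cloud":
        raise ValueError("Alt-WAN as primary cannot fail over to Off-Cloud")
    return True


def effective_transport(configured, site_transports):
    """Rules are global: a transport the site does not have is treated as Automatic."""
    if configured in (AUTOMATIC, NONE) or configured in site_transports:
        return configured
    return AUTOMATIC


def select_transport(primary, secondary, available):
    """Use the primary while it is up; otherwise the secondary. `available` is
    the set of transports the QoS engine currently sees as usable at the site;
    AUTOMATIC stands for 'any of them'. None means nothing to send on."""
    for t in (primary, secondary):
        if t == NONE:
            continue
        if t == AUTOMATIC and available:
            return AUTOMATIC
        if t in available:
            return t
    return None


def choose_transport(rule, site):
    """rule = {"primary": ..., "secondary": ...};
    site = {"transports": set of configured transports, "up": set of usable ones}."""
    validate_transports(rule["primary"], rule["secondary"])
    primary = effective_transport(rule["primary"], site["transports"])
    secondary = effective_transport(rule["secondary"], site["transports"])
    return select_transport(primary, secondary, site["up"])


def select_interface(primary_role, secondary_role, links_up):
    """Interface-role failover for traffic sent via the Cato Cloud.
    links_up maps interface roles (constructed names such as 'WAN1') to up/down.
    Returns the role to send on, or None when the Socket drops the traffic."""
    def usable(role):
        if role == AUTOMATIC:  # best effort: any link that is up
            return next((r for r, up in links_up.items() if up), None)
        return role if links_up.get(role) else None

    chosen = usable(primary_role)
    if chosen is not None:
        return chosen
    if secondary_role != NONE:
        # explicit secondary role: used when the primary is unavailable
        return usable(secondary_role)
    # Secondary is None and the primary is a specific role that is down:
    # the Socket drops the traffic (an Automatic primary was handled above).
    return None


if __name__ == "__main__":
    site = {"transports": {"Cato"}, "up": {"Cato"}}
    print(choose_transport({"primary": "MPLS", "secondary": "None"}, site))
    print(select_interface("WAN1", "None", {"WAN1": False, "WAN2": True}))
```

The `select_interface` case with a specific primary role and Secondary Interface Role set to None is the one to watch: when that link goes down the traffic is dropped rather than rerouted, which is the behaviour the bullets above describe.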

Setting the Routing Method for an Internet Network Rule

You can configure an Internet Network Rule with different options to egress the traffic.

Best Practice: For Internet Network Rules that egress traffic (with the NAT or Route via option), we recommend that you define a specific Source or App/Category for the rule. Selecting Any as the Source or App/Category routes all Internet traffic and can cause unpredictable performance.

  • Route via - Lets you select the egress PoP location from which the traffic is sent to the Internet.

Note: When egressing traffic to Tokyo, selecting one Tokyo PoP location (such as Tokyo_DC2) automatically adds all the Tokyo PoP locations to the Network Rule. The IP ranges are shared across the Tokyo PoP locations, which ensures a seamless experience for accounts.

  • NAT - Lets you egress traffic via a specific Cato allocated IP address and its PoP location. Traffic that matches this rule is translated to that IP and egressed via the relevant PoP. Both NAT and Route via route traffic via a specific PoP, however, NAT lets you specify the IP the traffic is translated to.
  • Backhaul via - Egresses the Internet traffic via one or more backhauling gateway sites.

    For more information, see these articles about Internet Traffic Backhauling.

Note: Sometimes none of the egress IPs in the Network Rule are available, for example during the PoP maintenance window, and the PoP then uses a different IP address for the traffic flow. This scenario can impact user connectivity and experience. We recommend that you define multiple egress IPs for a rule to minimize the impact.

For Route via and NAT, when you configure multiple egress IPs, the traffic uses the egress IP for the PoP location that is closest to the source.

Routing Method NAT - Preserving the Source Port

By default, when the PoP performs NAT on Internet traffic, it rewrites both the source IP address and the source port in the packet headers. Some applications, for example SIP, require the original source port to be preserved. When you select the Preserve source port option, the PoP keeps the original source port in the translated packet.

Routing_Method_Preserve_Source_Port.png

Note: If there is more than one flow with the same source port, this creates a conflict in preserving the source port for both flows during the NAT translation. In such scenarios, the PoP preserves the source port of the first flow and allocates a random port for the later flow.
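The port-conflict behaviour in the note above can be modelled as a small NAT binding table: with Preserve source port set, the first flow keeps its source port and a later flow that arrives with the same source port is given a random port instead. The following is an added example, not Cato's code; the egress IP, the private addresses and the port range are constructed, and the random allocation is seeded so the example is repeatable.

```python
# Added example (not Cato's code): a model of PoP NAT bindings with and without
# the "Preserve source port" option. Addresses and the port range are
# constructed; the RNG is seeded so that runs are repeatable.
import random
from dataclasses import dataclass, field


@dataclass
class NatTable:
    egress_ip: str                          # the Cato allocated IP for the rule
    preserve_source_port: bool = False
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    bindings: dict = field(default_factory=dict)   # flow key -> (ip, port)
    ports_in_use: set = field(default_factory=set)

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="udp"):
        """Return the (egress_ip, port) the flow is translated to, creating a
        binding on the first packet and reusing it for the rest of the flow."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.bindings:
            return self.bindings[key]
        if self.preserve_source_port and src_port not in self.ports_in_use:
            port = src_port          # first flow with this source port keeps it
        else:
            port = self._random_free_port()   # default NAT, or a conflicting later flow
        self.ports_in_use.add(port)
        self.bindings[key] = (self.egress_ip, port)
        return self.bindings[key]

    def _random_free_port(self):
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in self.ports_in_use:
                return port


if __name__ == "__main__":
    table = NatTable("198.51.100.10", preserve_source_port=True)
    print(table.translate("10.0.0.5", 5060, "203.0.113.7", 5060))   # keeps 5060
    print(table.translate("10.0.0.6", 5060, "203.0.113.7", 5060))   # conflict: random port
```

For SIP this is why two phones behind the same rule that both use source port 5060 cannot both be preserved: only the first registration keeps its port, and the second is renumbered, so the rule should be scoped to the sources that actually need the option.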

To set the Routing Method for an Internet Network Rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Click the network rule. The Edit Network Rule panel opens.
  3. Expand the Configuration section.
  4. From the Route/NAT drop-down menu, select the routing option for traffic that matches the rule:

    • Route Via - to route traffic via a specific Cato Cloud PoP location, select the Locations from which the traffic egresses.
    • NAT - to egress traffic for this rule from a specific IP address using NAT, select the Allocated IPs from which the traffic egresses.

      (Optional) To use the original source port for the translated traffic, select Preserve source port.

  5. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  6. Click Publish. A confirmation window opens, click Publish.

Routing with PoPs for 10Gbps Throughput

For sites that are connected to PoP locations that support 10Gbps throughput, we recommend that you configure Route Via or NAT Network Rules to egress traffic via another 10Gbps PoP location. Otherwise, there can be an impact on the site throughput.

Viewing Events for a Rule

You can show the events for a specific Network Rule using View Rule Events. When you select this action, the Events page opens and is pre-filtered for all events that match that rule.

To view events for a rule:

  1. From the navigation menu, click Network > Network Rules.
  2. On the right side of the rule, click the more icon and select View Rule Events.

The Events page is displayed with the events for the relevant rule already filtered.

rule-event.png

Customizing the Acceleration & Optimization for a Rule

  • TCP acceleration does not affect non-TCP traffic (UDP-based traffic) that is part of a network rule.
  • When Route/NAT settings or TLS inspection are in effect, Cato enables a TCP proxy on the traffic.
  • The implicit network default rule for the Cato Cloud is to act as a TCP proxy. As such, if no prior rule matches the traffic, the TCP proxy is applied.
  • TCP Acceleration is disabled (grayed out) for rules that use Alternative WAN as the primary or secondary transport.

For more about accelerating traffic in the Cato Cloud, see Accelerating and Optimizing Traffic.

For more about packet loss mitigation, see Packet Loss Mitigation for Multi-Tunnel Links.

To set the acceleration and optimization for a rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Click the network rule. The Edit Network Rule panel opens.
  3. Expand the Configuration section.
  4. Select Active TCP Acceleration to enable the PoP to act as a TCP proxy server for traffic that matches this rule.
  5. Select Packet Loss Mitigation, to enable packet duplication to help mitigate the impact of packet loss for traffic that matches this rule.
  6. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  7. Click Publish. A confirmation window opens, click Publish.

Adding an Exception

You can define traffic that is an exception to a Network Rule; the rule is not applied to that traffic. Define the traffic exception with objects (entities) for the Source, App/Category, and Destination. Exceptions with multiple objects behave the same way as Network Rules; see Working with Multiple Objects in a Single Rule above.

NetworkRuleExceptions.png

The example above has a network rule for any traffic that matches the VoIP Video category. There is an exception to this rule for traffic that matches BOTH of these conditions:

  • Source is the sample 1500 site
  • Application is Skype and MS Teams
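The matching semantics from Working with Multiple Objects in a Single Rule (AND across the Source, App/Category and Destination columns, OR between items in one column) and the exception shown above can be checked with a small evaluator. The following is an added example, not Cato's code: the site and application names, the flow representation and the catch-all rule are assumptions made for the illustration; only the VoIP Video / Skype / MS Teams / sample 1500 example comes from the article.

```python
# Added example (not Cato's code): a minimal model of how an ordered Network
# Rules policy is evaluated, following the matching semantics the article
# describes. Site, application and category names are constructed.
from dataclasses import dataclass, field

ANY = "Any"  # the default value of every column


def column_hits(items, values):
    """OR inside a column: Any, or any one listed item, matches the flow."""
    return ANY in items or bool(items & values)


@dataclass
class Match:
    source: set = field(default_factory=lambda: {ANY})
    app: set = field(default_factory=lambda: {ANY})
    destination: set = field(default_factory=lambda: {ANY})

    def matches(self, traffic):
        # AND across columns: Source, App/Category and Destination must all hit.
        return (column_hits(self.source, traffic["source"])
                and column_hits(self.app, traffic["app"])
                and column_hits(self.destination, traffic["destination"]))


@dataclass
class Rule:
    name: str
    match: Match
    exceptions: list = field(default_factory=list)  # list of Match objects
    enabled: bool = True


def flow(source, apps, destination="Internet"):
    """A flow carries its source site, its app plus the app's category, and its
    destination, each as a set so that column matching is uniform."""
    return {"source": {source}, "app": set(apps), "destination": {destination}}


def first_matching_rule(rules, traffic):
    """Walk the rulebase in order; return the name of the first enabled rule
    whose columns match and whose exceptions do not, or None."""
    for rule in rules:
        if not rule.enabled or not rule.match.matches(traffic):
            continue
        if any(exc.matches(traffic) for exc in rule.exceptions):
            continue  # an exception is a skip: evaluation continues downward
        return rule.name
    return None


# The article's example: a rule for the VoIP Video category with an exception
# that needs BOTH the "sample 1500" source AND the Skype / MS Teams apps.
POLICY = [
    Rule("VoIP Video", Match(app={"VoIP Video"}),
         exceptions=[Match(source={"sample 1500"}, app={"Skype", "MS Teams"})]),
    Rule("TCP or UDP service", Match(app={"TCP", "UDP"})),  # OR within one column
    Rule("Catch-all", Match()),                                # constructed last rule
]

if __name__ == "__main__":
    print(first_matching_rule(POLICY, flow("sample 1500", {"Skype", "VoIP Video"})))
    print(first_matching_rule(POLICY, flow("branch 2", {"Skype", "VoIP Video"})))
```

Skype from the sample 1500 site falls through the VoIP Video rule to the next rule that matches, while Skype from any other site, or a different VoIP Video application from sample 1500, still hits the VoIP Video rule, because the exception requires both of its conditions.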

To add an exception to a network rule:

  1. From the navigation menu, click Network > Network Rules.
  2. Identify the rule that you're creating an exception to, and from the end of the rule, click the more icon and select Add Exception.
  3. Define the exceptions for the section:
    1. From the drop-down menu, select the traffic type for the exception.

      The example below shows adding an exception for a specific host.

      addException.png
    2. Select a specific object from the drop-down list for that type.
    3. Repeat the previous two steps to define additional objects for the exception.

      Multiple objects in one section have an OR relationship.

  4. If necessary, repeat step 3 to define exceptions for the other sections.

    Objects in multiple sections have an AND relationship.

  5. Click Save. The panel closes, and the settings are updated in the rulebase.

    The changes are saved to your unpublished revision and are available for editing until they are published or discarded.

  6. Click Publish. A confirmation window opens, click Publish.

Exporting Network Rules to a CSV File

You can generate a CSV file that contains all the data for the network rules in your account's rulebase.

Note: Only CMA admins with the Editor role have permissions to export to a CSV file. For more about configuring admin roles, see Managing Administrators.

To export the Network Rule policy:

  1. From the navigation menu, click Network > Network Rules.
  2. Click Export, and in the pop-up window click OK.
  3. Select the location for the CSV file and save the file.

Understanding the Contents of the Exported File

The top row in the exported CSV file lists the field names and options for rules in the relevant rulebase. Then the rules themselves are listed according to priority, starting with the lowest number value.

The CSV file contains the following columns:

  • Priority - Rule priority within the rulebase
  • Rule Status - Rule is enabled or disabled
  • Type - Rule type is WAN or Internet
  • Name - Name of the network rule
  • Source - Traffic source for this rule
  • App/Category - Items that apply to this rule (apps, categories, services, etc.)
  • Destination - Traffic destination for this rule
  • BW Priority - The BW Management profile for this rule
  • Routing - The routing type applied for this rule (NAT, Backhauling, etc.). Relevant only for Internet network rules
  • Transport - The transport type for this rule (WAN interface transport, primary and secondary transport)
  • Acceleration & Optimizations - Optimization settings are enabled or disabled (TCP Acceleration and Packet Loss Mitigation)
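The exported CSV is a convenient input for a periodic policy review, for example to find Internet rules that break the best practice given under Setting the Routing Method (rules that egress traffic with NAT or Route via while matching Any source and Any app/category). The following is an added example, not Cato's code: only the column names come from this article; the sample rows, the cell values (such as "Enabled", "NAT", "Route via") and the ordering of columns are assumptions, so adjust the comparisons to the values in a real export.

```python
# Added example (not Cato's code): parse an exported Network Rules CSV and
# flag egress rules that match Any source and Any app/category. The column
# names are from the article; the rows and cell values are constructed.
import csv
import io

COLUMNS = ["Priority", "Rule Status", "Type", "Name", "Source", "App/Category",
           "Destination", "BW Priority", "Routing", "Transport",
           "Acceleration & Optimizations"]

# Constructed sample export (values are assumptions, not a real Cato export).
SAMPLE_CSV = """Priority,Rule Status,Type,Name,Source,App/Category,Destination,BW Priority,Routing,Transport,Acceleration & Optimizations
20,Enabled,Internet,Egress SaaS via NY,Any,Any,Any,p40,NAT,Cato,TCP Acceleration
10,Enabled,WAN,Voice,Any,VoIP Video,Any,p10,-,Cato,Packet Loss Mitigation
30,Disabled,Internet,Backhaul branch,Branch Sites,Any,Any,p255,Backhauling,Cato,None
40,Enabled,Internet,Route SIP,SIP Servers,SIP,Any,p20,Route via,Cato,None
"""

EGRESS_ROUTING = {"NAT", "Route via"}   # assumed spelling of the export values


def load_rules(text):
    """Parse the export, check that every expected column is present, and
    return the rules ordered by priority (lowest number first)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    rules = list(reader)
    rules.sort(key=lambda r: int(r["Priority"]))
    return rules


def audit_egress_rules(rules):
    """Return the names of enabled Internet rules that egress traffic via NAT or
    Route via while both Source and App/Category are Any, the combination the
    article warns routes all Internet traffic through the selected PoP."""
    findings = []
    for r in rules:
        if r["Type"] != "Internet" or r["Rule Status"] != "Enabled":
            continue
        if r["Routing"] not in EGRESS_ROUTING:
            continue
        if r["Source"] == "Any" and r["App/Category"] == "Any":
            findings.append(r["Name"])
    return findings


if __name__ == "__main__":
    ordered = load_rules(SAMPLE_CSV)
    print([r["Name"] for r in ordered])
    print(audit_egress_rules(ordered))
```

Running this against a fresh export after each publish is a cheap way to catch an over-broad egress rule before it starts steering an entire site's Internet traffic through one PoP.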

Limitation

QoS is not applied to app connector traffic. You can't define a bandwidth profile or Network Rules for this traffic, and it is assigned the lowest network priority.


7 comments

  • Comment author
    Ronny Chan

    Since there is an OR relationship for items within a column, would the best way to ensure that an AND relationship is created be to use custom apps?

    For example, under App/Category, if I add an entry of FQDN of ftp.company.com and an entry of Port 22, if either the FQDN or port 22 matches, the rule would apply (according to this article). If I wanted to make sure the rule only applied if BOTH ftp.company.com AND port 22 are used, should I create a custom application specifying that FQDN and port, then apply that custom application to the rule?

  • Comment author
    Aiman Almesbahi

    Why am I unable to view the events for the exception rules I created in the Network Rules?

  • Comment author
    Ronny Chan
    • Edited

    I had forgotten that I posed my question 9 months ago. A response would be appreciated, Cato.

  • Comment author
    Raz Ashkenazi
    • Edited

    Hi Ronny, sorry for keeping you waiting.

    It would be supported to have it configured as a custom App, if you plan to further use this option in various rules or policies. Using custom apps makes this configuration easier to control and govern.

    Let me know if you have any other questions, happy to help !

    Thanks, 

    Raz - Product Manager

  • Comment author
    Raz Ashkenazi

    Hi, Aiman

    The logic of “exceptions” means that the exception won't match the rule it is attached to. 
    Meaning, it's like a “Skip” option, where the settings will not match the rule, and will match the next relevant network rule as a single match rule.


    Let me know if it makes sense, or if you have further questions, happy to help.

    Thanks, 

    Raz - Product Manager

  • Comment author
    Jeremy DUTTO

    Is it possible to set a time constraint on a network rule? I can't see any options?

    For example, If I have a long S3 backup it would be nice if we could apply QOS on working hours and no qos at night.

    regards,

  • Comment author
    Yaakov Simon

    Jeremy DUTTO Currently, you can't add a time setting to a Network Rule.

    Please submit an RFE or add a post to the Idea Hub