Configuring Network Rules

This article discusses how to use the Network Rules page to manage and prioritize traffic in your account.

For more about Network Rules and Cato, see What is the Cato Network Rulebase.

Working with Multiple Objects in a Single Rule

The Source, App/Category and Destination columns form an AND relationship: the rule is triggered only if traffic matches the criteria defined in all three columns.

When there are multiple items within one column, there is an OR relationship: the rule is applied if traffic matches the criteria defined for any of the items. For example, a rule that defined App/Category as TCP with port 443, this rule matches all TCP traffic OR traffic that uses port 443 both TCP and UDP.

Creating a Network Rule

Network Rules are evaluated according to their order of appearance in the network rules list, the best practice is to scroll through the list to the required position of the new rule and add it above or below an existing rule. Alternately, you can add a new rule to the end of the list and move it to the required position.

When you configure the Source (traffic type) for a network rule you can use global objects, such as application categories or global ranges, to define the type of traffic that matches the rule.

NetworkRules.png

To create a WAN or Internet network rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click New. The Add Network Rule panel opens.

  3. From the General section, configure the following settings for the rule:

    1. Enter the Name for the rule.

    2. In the Rule Type drop-down menu, select if this rule is for WAN or Internet traffic.

    3. Enable or disable the rule using the slider (green is enabled, grey is disabled).

    4. Configure the Rule Order which defines where the rule appears in the network rule base.

      New rules are added to the bottom of the rulebase. You can change the order in which this rule is applied.

  4. Expand the Source section and select one or more objects for the traffic source for this rule (or you can enter an IP address).

    1. Select the type (for example: Host, Network Interface, IP, IP Range, or Any). The default value is Any.

      • Floating Subnet - Global IP ranges that are not connected to a specific site, but can be learned from any site with a BGP neighbor.

      • Global Range - Native range for the LAN interface of a site

      • Group - A group of assets from your inventory as defined in the Groups page

      • Host - Hosts and servers defined in the site

      • Interface Subnet - VLAN, routed, or direct ranges, or a secondary AWS vSocket native range

      • IP - A specific IP address within the network

      • IP Range - A range of IP addresses within the network

      • Network Interface -  Subnets and network ranges defined for the LAN interfaces of a site

      • Site - A specific location or network edge that is connected to a PoP in the Cato Cloud

      • System Group - A pre-defined group of users as defined in the System Groups tab of the User Groups page. For example, All SDP Users.

      • User - A specific user listed in the Users Directory tab of the Users page

      • User Group - A group of users as defined in the User Groups page

      • SDP User - A user with permissions to connect via the Cato Client

      • Any - Any source or destination within the site.

    2. When needed, select a specific object from the drop-down list for that type.

  5. For WAN traffic rules, expand the Destination section and select one or more objects for the traffic destination for this rule.

  6. Expand the App/Category section and select one or more applications for the rule.

    When there is more than one App/Category object in a rule, there is an OR relationship between them. The default value is Any.

  7. In the Configuration section, you can configure the following settings for the network rule (see explanations below):

  8. Click Apply. The panel closes and the settings are updated in the rulebase.

  9. Click Save. The new network rule is saved.

Changing the Bandwidth Priorities (QoS) for a Rule

By default, new rules are assigned the default priority, which you can change according to the QoS needs of your network.

The lower the priority number, the higher the QoS priority for the rule. For example, a rule with priority 10, has a higher QoS priority than a rule with priority 40.

For more about defining the bandwidth policies for your account, see Configuring Bandwidth Management Profiles.

To change the bandwidth priority for a rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click the network rule. The Edit Network Rule panel opens.

  3. Expand the Configuration section.

  4. In the Bandwidth Management section, from the Bandwidth Priority drop-down menu, select the QoS priority for this rule.

  5. Click Apply. The panel closes and the settings are updated in the rulebase.

  6. Click Save. The bandwidth priority for the rule is saved.

Configuring the Transport and Routing Options

This section explains how to configure the transport options for a network rule and to egress traffic to a specific location or IP address.

For more information about routing options, you can also watch this video tutorial.

Customizing the Transport Options for a Rule

Network rules are configured globally. If a specific site does not have the specified transport, Cato Socket treats such a configuration as if was configured for Automatic. For WAN traffic with a destination Socket interface, if the specified interface is not available, then the Cato Cloud automatically selects the best Socket interface.

If you select explicit transports/NICs, the QoS engine monitors packet loss, jitter and latency. if congestion occurs, packets are dropped. If you select automatic transports, the QoS engine monitors congestion in addition to packet loss, jitter and latency.

Alt WAN isn’t supported for Off-Cloud as a secondary transport. You can’t configure a network rule with Alt WAN as the primary transport that fails over to Off-Cloud.

TransportOptions.png
  • WAN rules have the following default settings:

    • Primary Transport: Cato.

    • Secondary Transport: Automatic (accounting for additional transports such as MPLS, if applicable).

    • Primary Interface Role: Automatic.

    • Secondary Interface Role: None (disabled as handled by the Automatic setting for Primary NIC).

    • Route/NAT: - (not applicable for WAN rules).

  • Internet rules have the following default settings:

    • Primary Transport: Cato.

    • Secondary Transport: None (other transports cannot be currently used).

    • Primary Interface Role: Automatic.

    • Secondary Interface Role: None (disabled as handled by the Automatic setting for Primary NIC).

    • Route/NAT: None.

To customize the transport options for a network rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click the network rule. The Edit Network Rule panel opens.

  3. Expand the Configuration section.

  4. Configure the transport fields as required: to route traffic via a specific transport, you can configure your primary and secondary transports.

    The primary transport will be used as long as it is up and available as determined by the Cato QoS engine. If the primary transport is not available, the secondary transport is used.

  5. Configure the Interface Role fields (applicable only for traffic routed via Cato Cloud) as required.

    To route traffic via a specific link, you can configure your primary and secondary NICs. The primary Interface Role will be used as long as it is up and available as determined by the Cato QoS engine. If the primary Interface Role is not available, the secondary Interface Role is used.

  6. Click Apply. The panel closes and the settings are updated in the rulebase.

  7. Click Save. The transport options for the rule are saved to the account.

Setting the Routing Method for an Internet Network Rule

You can configure an Internet network rule with different options to egress the traffic.

Best Practice: For Internet Network Rules that egress traffic (with the NAT or Route via option), we recommend that you define a specific Source or App/Category for the rule. Selecting Any as the Source or App/Category routes all Internet traffic and can cause unpredictable performance.

  • Route via - Lets you select the egress PoP location from which the traffic is sent to the Internet

  • NAT - Lets you egress traffic via a specific Cato allocated IP address and its PoP location. Traffic that matches this rule is translated to that IP and egressed via the relevant PoP. Both NAT and Route via route traffic via a specific PoP, however NAT lets you specify the IP the traffic is translated to.

  • Backhaul via - Egresses the Internet traffic via one or backauling gateway sites

    For more information, see these articles about Internet Traffic Backhauling.

For Route via and NAT, when you configure multiple egress IPs, the traffic uses the egress IP for the PoP location that is closest to the source.

Routing Method NAT - Preserving the Source Port

By default the when the PoP performs NAT on the Internet traffic, it modifies the source port and source IP in the IP header. In some cases, an application requires preserving the original source port in the IP header, for example SIP traffic. When you select the Preserve source port option, the PoP preserves the original source port in the translated packet's IP header.

Routing_Method_Preserve_Source_Port.png

Note

Note: If there is more than one flow with the same source port, this creates a conflict in preserving the source port for both flows during the NAT translation. In such scenarios, the PoP preserves the source port of the first flow and allocates a random port for the later flow.

To set the Routing Method for an Internet network rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click the network rule. The Edit Network Rule panel opens.

  3. Expand the Configuration section.

  4. From the Route/NAT drop-down menu, then select the routing option for traffic that matches the rule:

    • Route Via - to route traffic via a specific Cato Cloud PoP location, enter the click Domain_plus.png and select the locations that you are egressing traffic from.

    • NAT - to egress traffic for this rule via a specific IP, click Domain_plus.png and select the allocated IPs that you are egressing traffic from.

  5. (Optional) To use the original source port for the translated traffic, select Preserve source port.

  6. Click Apply. The panel closes and the settings are updated in the rulebase.

  7. Click Save. The routing options for the rule are saved.

Viewing Events for a Rule

You can show the events for a specific Network Rule using View Rule Events. When you select this action, the Events page opens and is pre-filtered for all events that match that rule.

To view events for a rule:

  1. From the navigation menu, click Network > Network Rules.

  2. On the right side, click more.png and select View Event Rules.

The Events page is displayed with the events for the relevant rule already filtered.

rule-event.png

Customizing the Acceleration & Optimization for a Rule

  • TCP acceleration does not affect non-TCP traffic (UDP-based traffic) that is part of a network rule.

  • When Route/NAT settings or TLS inspection is in effect, it implies that Cato enables TCP proxy on the traffic.

  • The implicit network default rule for the Cato Cloud is to act as a TCP proxy. As such, if no prior rule matched the traffic, the TCP proxy is applied.

  • TCP Acceleration is disabled (grayed out) for rules that use Alternative WAN as the primary or secondary transport.

For more about accelerating traffic in the Cato Cloud, see Accelerating and Optimizing Traffic.

For more about packet loss mitigation, see Packet Loss Mitigation for Multi-Tunnel Links.

To set the acceleration and optimization for a rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click the network rule. The Edit Network Rule panel opens.

  3. Expand the Configuration section.

  4. Select Active TCP Acceleration to enable the PoP to act as a TCP proxy server for traffic that matches this rule.

  5. Select Packet Loss Mitigation, to enable packet duplication to help mitigate the impact of packet loss for traffic that matches this rule.

  6. Click Apply. The panel closes and the settings are updated in the rulebase.

  7. Click Save. The acceleration and optimization settings are saved.

Adding an Exception

You define traffic that is an exception for the network rule and the rule is not applied to the exception. Define the traffic exception with the object (entity) for the Source, App/Category, and Destination. Exceptions with multiple objects have the same behavior as network rules, see above Working with Multiple Objects in a Single Rule.

NetworkRuleExceptions.png

The example above has a network rule for any traffic that matches the VoIP Video category. There is an exception for this rule for traffic that matches BOTH of these conditions:

  • Source is the sample 1500 site

  • Application is Skype and MS Teams

To add an exception to a network rule:

  1. From the navigation menu, click Network > Network Rules.

  2. Click the network rule. The Edit Network Rule panel opens.

  3. Expand the Source, App/Category or Destination section, and click Add Exceptions.

    Network_Source_Exception.png
  4. Define the exceptions for the section:

    1. From the drop-down menu, select the traffic type for the exception.

      The screenshot above, shows adding an exception for a specific host.

    2. Select a specific object from the drop-down list for that type.

    3. Repeat the previous two steps to define additional objects for the exception.

      Multiple objects in one section have an OR relationship.

  5. If necessary, repeat step 4 to define exceptions for the other sections.

    Objects in multiple sections have an AND relationship.

  6. Click Apply. The panel closes and the settings are updated in the rulebase.

  7. Click Save. The exceptions for the rule are saved.

Exporting Network Rules to a CSV File

You can generate a CSV file that contains all the data of the network rules per the rulebase of your account.

Note

Note: Only Cato Management Application admins with Editor role have permissions to export to a CSV file. For more about configuring admin roles, see Managing Administrators.

To export the Network Rule policy:

  1. From the navigation menu, click Network > Network Rules.

  2. Click Export, and in the pop-up window click OK.

  3. Select the location for the CSV file and save the file.

Understanding the Contents of the Exported File

The top row in the exported CSV file lists the field names and options for rules in the relevant rulebase. Then the rules themselves are listed according to priority, starting with the lowest number value.

The CSV file contains the following columns:

Item

Description

Priority

Rule priority within the rulebase

Rule Status

Rule is enabled or disabled

Type

Rule type is WAN or Internet

Name

Name of the network rule

Source

Traffic source for this rule

App/Category

Items that apply to this rule (apps, categories, services, etc.)

Destination

Traffic destination for this rule

BW Priority

The BW Management profile for this rule

Routing

The routing type applied for this rule (NAT, Backhauling, etc.). Relevant only for Internet network rules

Transport

The transport type for this rule (WAN interface transport, primary and secondary transport)

Acceleration & Optimizations

Optimization settings are enabled or disabled (TCP Acceleration and Packet Loss Mitigation)

Was this article helpful?

0 out of 0 found this helpful

1 comment

  • Comment author
    Ronny Chan

    Since there is an OR relationship for items within a column, would the best way to ensure that an AND relationship is created be to use custom apps?

    For example, under App/Category, if I add a entry of FQDN of ftp.company.com and an entry of Port 22, if either the FQDN or port 22 matches, the rule would apply (according to this article). If I wanted to make sure the rule only applied if BOTH ftp.company.com AND port 22 are used, should I create a custom application specifying that FQDN and port, then apply that custom application to the rule?

Add your comment