How to Integrate Third-Party DDoS Services for Internet-Facing RPF Traffic

This article discusses how to integrate third-party DDoS protection solutions with an Internet facing public resource located behind a Cato site.


Cato's Remote Port Forwarding (RPF) is primarily designed to expose corporate resources to known corporate users with the Allow List approach. This means that you can restrict the corporate resource to the specific IP addresses that are allowed to connect, otherwise the traffic is blocked.

Sometimes it's necessary to provide access to unknown users, and expose an internal server via RPF publicly over the Internet. This creates a potential security risk, because you are allowing public access to internal resources. In this situation, we recommend that you secure the RPF traffic with a third-party DDoS cloud service in front of the site. For example, integrating a WAF to protect inbound HTTP traffic.

Diagram of Sample Third-Party Security Solution with RPF


Integrating the Third-Party Solution to Secure RPF Traffic

This section explains how to configure the RPF resource to only allow the security service (such as DDoS) to access it. This adds a significant layer of security to the resource making available over the public Internet.

These are the configurations that you need to make:

  • In the third-party cloud service define:

    • Public IPs that the service uses

    • DNS name for the resource mapped to the public IP address that Cato allocated to your account (Network > IP Allocation)

  • In the Cato Management Application define an RPF rule to forward the traffic to the cloud service

    • The security stack in the Cato Cloud doesn't perform TLS inspection on inbound RPF traffic

To integrate a third-party security service for RPF traffic:

  1. In the third-party security service, define these settings:

    1. Allocate a public IP address for the server.

    2. Configure the IP/CNAME for the IP address for the external RPF rule.

  2. In the DNS provider, configure the domain to forward traffic to the IP/CNAME in the previous step.

  3. Configure the policy for the third-party security service (WAF, inbound TLS inspection, and so on).

  4. In the Cato Management Application define an RPF rule with these settings (Network > Remote Port Forwarding):

    • External IP and External Port Range for Cato public IPs (separate rule for each IP)

    • Internal IP and Internal Port Range for the internal resource

    • Traffic Type is Allow List

    • Traffic Sources are the public IP addresses for the cloud service (publicly advertised by the third-party security service)

Was this article helpful?

0 out of 0 found this helpful


Add your comment