IP Allocation Policy for Remote Users

This article explains how to use the IP Allocation Policy to define the Default, Dynamic, and Static IP ranges that are allocated to remote users in your account. It does not apply to users behind a Socket.

Overview

The IP Allocation Policy defines the IP ranges that Cato allocates to Cato Clients when they connect a device to the network. Remote users are allocated IP addresses or ranges in one of these ways:

  • Default IP Allocation: The default range, allocated to a user that:

    • Does not meet a Dynamic IP Allocation rule
    • Is not allocated a static IP address
    • Matches a rule where the IP range is exhausted

    By default, this range is 10.41.0.0/16. You can update this to a range you choose.

  • Dynamic IP Allocation: IP ranges are allocated to users or groups based on an ordered rulebase

    Note: If you have an Any-Any rule in your rulebase, make sure it is placed correctly. Otherwise, it takes precedence over the rules below it, and all addresses from that point are allocated dynamically and not from the default or static IP addresses.

  • Static IP Allocation: A fixed IP address allocated to a specific user

For the Client to allocate an IP address, users must manually disconnect and reconnect when switching between:

  • Default and dynamic allocation, or
  • Different dynamic rules (e.g. when moving to one with higher priority)

Policy Revisions and Concurrent Editing by Multiple Admins

The IP Allocation Policy lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.

Use Case - Static IP Addresses

XYZ Corporation operates equipment that enforces access using Access Control Lists (ACLs), allowing connections only from predefined source IP addresses. For example, a router may only permit access from the IP address 192.168.0.25.

As the system administrator, you configure a static IP assignment in the Cato Management Application (CMA) and apply it in the IP Allocation Policy. When the user connects using the Cato Client, the platform assigns the same static IP address each time, ensuring compliance with the ACL restrictions defined on the router.

Use Case - Dynamic IP Addresses

ABC Company operates as a call center for multiple companies. Each operative must connect to a client’s environment from a specific source IP range, based on that client’s access control requirements. For example, Company X accepts IP addresses from 192.168.0.0/24, and Company Y accepts IP addresses from 10.0.0.0/16.

As the system administrator, you define the dynamic IP ranges 192.168.0.0/24 and 10.0.0.0/16 in the Cato Management Application (CMA) and apply them in the IP Allocation Policy. When operatives connect using the Cato Client, the platform assigns an IP address from the appropriate range according to the policy rules you configure, ensuring compliance with each client’s IP-based restrictions.

Allocating IPs to Remote Users

Follow these steps to allocate IP addresses to remote users:

  1. Add Global IP ranges to your account
  2. Define the IP Ranges for each IP allocation method
  3. Define users or user groups to be allocated IP addresses dynamically or statically

Step 1: Add IP Ranges to your Account

Remote users can only be assigned IP ranges that are within the Global IP Range entity for your account. For more information about how to add an IP range to the Global IP Range entity, see Using IP Ranges in Policies.

Step 2: Define the IP Ranges for Each IP Allocation Method

Define the IP ranges allocated to remote users with each allocation method. Each range must be a unique network range and can’t overlap with any other network range defined in your account.

Note: Best practice is to configure the largest Client IP range possible to decrease the chances of an IP conflict that causes the Client to disconnect.

To define the IP Ranges for each IP allocation method:

  1. From the navigation menu, click Access > IP Allocation Policy.
  2. Click the Settings tab.
  3. Enter the IP ranges for each IP allocation method.
  4. Click Save.
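
The range requirements from Steps 1 and 2 can be checked offline before you enter the values in the Settings tab. The following Python sketch is an added example, not Cato code and not a Cato API; the function name, range names, and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def validate_client_ranges(global_ranges, client_ranges, account_networks):
    """Return a list of problems in the planned Client ranges (empty = clean)."""
    globals_ = [ipaddress.ip_network(g) for g in global_ranges]
    planned = {n: ipaddress.ip_network(c) for n, c in client_ranges.items()}
    others = {n: ipaddress.ip_network(c) for n, c in account_networks.items()}
    problems = []

    for name, net in planned.items():
        # Step 1: the range must sit inside a Global IP Range of the account.
        if not any(net.version == g.version and net.subnet_of(g) for g in globals_):
            problems.append(f"{name} {net}: outside every Global IP Range")
        # Step 2: no overlap with other networks defined in the account.
        for oname, onet in others.items():
            if net.overlaps(onet):
                problems.append(f"{name} {net}: overlaps {oname} {onet}")

    # Step 2: the allocation ranges must not overlap each other either.
    names = list(planned)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if planned[a].overlaps(planned[b]):
                problems.append(f"{a} {planned[a]}: overlaps {b} {planned[b]}")
    return problems

# Constructed sample plan; every name and address here is illustrative only.
GLOBAL_RANGES = ["10.41.0.0/16", "10.50.0.0/16"]
CLIENT_RANGES = {
    "default": "10.41.0.0/16",        # collides with hq-lan below
    "dynamic-x": "10.50.1.0/24",
    "dynamic-y": "10.50.1.128/25",    # sits inside dynamic-x
    "static": "172.16.9.0/24",        # not part of any Global IP Range
}
ACCOUNT_NETWORKS = {"hq-lan": "10.41.200.0/24"}

if __name__ == "__main__":
    for problem in validate_client_ranges(GLOBAL_RANGES, CLIENT_RANGES, ACCOUNT_NETWORKS):
        print(problem)
```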

Step 3: Define Users or User Groups to be Allocated IP Addresses Dynamically or Statically

You can allocate IPs to specific users or user groups either dynamically or statically. If a user is in a rule for a dynamically allocated IP and is also allocated a static IP, the static IP takes priority. After you allocate IPs, the Client automatically disconnects and reconnects with the new IP if a user switches from:

  • A dynamically allocated IP to a static IP, or vice versa
  • The default range to a static IP, or vice versa

If you are only updating the Default IP range for your account, this step is not required.

Allocating IPs to Users or User Groups Dynamically

You can dynamically allocate IPs using an ordered rulebase that sequentially checks if a user or user group matches a rule. For example, create a rule when accessing customer A that draws an IP address from one IP range, and another rule for customer B that draws an IP address from another IP range. Once a rule is matched, IPs are allocated from the Allocated Range configured in the rule. Rules that are listed in the policy after the matching rule are not applied. If no rule is matched, an IP is allocated from the default range. The lease time for the dynamically allocated IP addresses is 2 minutes after the Client is disconnected. After this time, the IP address is available for other users.
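
The selection order described above (static IP first, then the ordered rulebase with first match, then the default range) can be modeled offline to review a planned rulebase, including rules hidden below an Any rule. This Python sketch is an added example, not Cato code; it simplifies matching to users and groups only (no Platforms, Countries, or Public ISP IP Range), and the `ANY` marker, rule names, and the 10.60.0.0/16 and 10.70.0.25 addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"  # hypothetical marker for a rule that matches every user

@dataclass
class Rule:
    name: str
    members: set        # user or group names, or {ANY}
    cidr: str           # Allocated Range configured in the rule
    leased: int = 0     # addresses currently leased from the range

    def matches(self, user, groups):
        return ANY in self.members or bool(self.members & ({user} | set(groups)))

    def exhausted(self):
        # Simplification: every address in the range counts as allocatable.
        return self.leased >= ipaddress.ip_network(self.cidr).num_addresses

def allocate(user, groups, rules, static_ips, default_cidr, static_in_use=()):
    """Return (method, source) this model picks for one connecting device."""
    ip = static_ips.get(user)
    if ip and ip not in static_in_use:   # static IP takes priority over rules
        return ("static", ip)
    for rule in rules:                   # ordered rulebase, first match wins
        if rule.matches(user, groups):
            if rule.exhausted():         # matched rule has no free address
                return ("default", default_cidr)
            return ("dynamic", rule.cidr)
    return ("default", default_cidr)     # no rule matched

def shadowed_rules(rules):
    """Names of rules that are never applied because an Any rule sits above them."""
    for i, rule in enumerate(rules):
        if ANY in rule.members:
            return [r.name for r in rules[i + 1:]]
    return []

# Constructed sample policy based on the call-center use case ranges.
RULES = [
    Rule("company-x", {"team-x"}, "192.168.0.0/24"),
    Rule("catch-all", {ANY}, "10.60.0.0/16"),      # misplaced Any rule
    Rule("company-y", {"team-y"}, "10.0.0.0/16"),  # never reached
]
STATIC = {"alice": "10.70.0.25"}
DEFAULT = "10.41.0.0/16"
```

In this model a `team-y` operative receives an address from the catch-all range rather than 10.0.0.0/16, which is the misplacement the Any-Any note warns about.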

Different admins can edit the policy in parallel and save the changes in their own private revision before the rule is published. For more information, see Working with Policies.

To allocate IPs to users or user groups dynamically:

  1. From the navigation menu, click Access > IP Allocation Policy.
  2. Click New.

    The New Rule panel opens.

  3. Enter a name for the rule and define the rule's position.
  4. Define the User/Groups, Platforms, Countries, Public ISP IP Range, and the IP Range.
  5. Click Save.
  6. Repeat steps 2-6 for each rule.
  7. Click Publish.
  8. Enable Dynamic IP Allocation.

    The slider is green when the rule is enabled, and gray when the rule is disabled.

Allocating Static IPs to Users

For users, you can define a static IP that is allocated to them when they use the Client to connect to the network. Each static IP can only be allocated to one device at a time. If a user connects to the network with multiple devices, the first device is allocated the static IP address. Other devices are allocated IPs from the Dynamic IP Range or the Default IP Range.

To allocate static IPs to users:

  1. From the navigation menu, click Access > IP Allocation Policy.
  2. Click the Static IP Allocation tab.
  3. Select the User and enter the static IP address.
  4. Repeat the previous step for additional users.
  5. Set the Enable Static IPs toggle to Enabled.

    The toggle is green when enabled.

  6. Click Save.
