Configuring the RBI Service for Secure Web Browsing

This article explains how to configure the Remote Browser Isolation (RBI) service to protect against web-based threats.

For more information about the RBI service, see Securing Browsing Sessions Through Remote Browser Isolation (RBI).

Overview of the RBI Service

RBI protects devices from web-targeted threats and malicious content that can be embedded in Internet sites and services. RBI runs as an isolated Cato service that emulates browsing activity for users and then streams the emulated traffic to the user device. This keeps the device safe from malware threats by making sure that all in-browser code is executed remotely and never on the device.

For situations where the RBI service can't emulate traffic, you can configure a Fallback Action that determines how the traffic is handled. This applies, for example, if you temporarily disable the RBI service or if the service is momentarily unreachable.

Note: RBI functionality is not available for Cato PoPs located in China. These PoPs will always apply the Fallback Action for the relevant traffic.

Customizing RBI Security Controls

You can customize the security settings for RBI sessions by defining, at a granular level, the actions a user can perform on a site. For example, you can block users from typing or pasting text into web forms, and prevent them from leaking credentials and other sensitive data.

These are the actions you can allow or block for RBI sessions:

  • Upload - Uploading any file

  • Download - Downloading any file

  • Printing - Printing web content

  • Copy/Paste - Copying data from the site or pasting data into the site

  • Typing - Typing text in the site

Continuous RBI Sessions

To enhance browsing security and improve end-user experience, you can configure RBI to let users continue browsing to multiple destinations within the same RBI session. This ensures that destinations that you define aren't opened in a non-isolated session or in a different RBI session. These are example use cases for continuous RBI sessions:

  • Prevent non-isolated browsing to risky domains - Create an extensive domain list using wildcards to ensure the user’s entire browsing session takes place in an isolated environment, even if the user navigates away from Uncategorized or Undefined domains

  • Authentication to a site - Configure a list of domains including all subdomains of a file-sharing app to let users sign in when they are redirected to a different domain to authenticate

Using RBI with the Internet Firewall

Use the Internet Firewall policy to define which traffic is emulated by the RBI service. Only rules for application categories Uncategorized or Undefined, or a Custom Category, can be configured for remote browsing. All other traffic is protected by Cato's broad range of additional security services.

Implementing RBI for Your Network

This is a sample workflow for implementing RBI:

  1. Enable the RBI service.

  2. Configure the user actions that are blocked during an RBI session.

  3. Configure continuous RBI sessions for required destinations.

  4. Define a Fallback Action.

  5. Configure an Internet Firewall rule with the Remote Browsing action.

Troubleshooting the RBI Service

You can use the Administrator RBI Simulator to help diagnose issues that end-users experience when trying to browse destinations configured for RBI emulation. The utility can help isolate the cause of the issue, and helps you provide useful information to Support to find a resolution.

Note: After 30 minutes of inactivity, the RBI session automatically ends and the browser tab closes. To continue browsing, the user must re-open the site in their browser.

Prerequisites for the RBI Service

  • Enabling the RBI service requires an RBI license. For more about purchasing the RBI license, please contact your Cato representative.

  • TLS Inspection must be enabled for traffic configured for RBI

  • For the RBI service to function properly, the Internet Firewall must allow access to the URL http://securebrowsing.catonetworks.com/. If your Internet Firewall has an ANY-ANY Block rule at the bottom, add an explicit rule with higher priority allowing traffic to this URL.

Known Limitations

  • The RBI service has limited support for localization

Working with RBI

This section explains how to configure the RBI service to provide secure web browsing for end-users.

Enabling and Disabling the RBI Service

When you enable the RBI service, the Remote Browsing action for the Internet Firewall becomes available, and you can then create rules to direct traffic to the service. By default, RBI is disabled.

To enable or disable RBI for your account:

  1. From the navigation panel, select Security > RBI.

  2. Click the slider to enable (green) or disable (gray) the RBI service for the account.

  3. Click Save.

Defining the Blocked User Actions for RBI Sessions

Define the user actions that are blocked for RBI sessions. These settings apply to all RBI sessions for your account. By default, typing is allowed and all the other actions are blocked.

To define the blocked actions for RBI sessions:

  1. From the navigation panel, select Security > RBI.

  2. Under RBI Account Preferences, select the actions to block.

  3. Click Save.

    The blocked actions are configured.

Defining the Fallback Action for Rules Configured with RBI

The Fallback Action defines what happens when the RBI action can't be carried out for an Internet Firewall rule. You can set the fallback to Block the traffic, or to Prompt the user to decide whether or not to continue.

To define the Fallback Action for the RBI service:

  1. From the navigation panel, select Security > RBI.

  2. From the Fallback Action drop-down menu, select Block or Prompt.

  3. Click Save.

    The Fallback Action is configured.

Configuring Continuous RBI Sessions

Select the option to continue RBI sessions. Then set the destinations that open within the current RBI session by defining Value Sets of domains and URLs and adding them to the Allow List.

For more about Value Sets, see Working with Categories.

To configure continuous RBI sessions:

  1. From the navigation panel, select Security > RBI.

  2. Under RBI Account Preferences, select the Continue RBI Session option.

  3. Click on the Allow List Value Set dropdown and select one or more existing value sets from the list, or configure a new value set as follows:

    1. In the dropdown, click Create New Set. The Create New Set panel opens.

    2. Enter the Name and Description for the Value Set.

    3. Under Type, select Domain List.

      Note: For the RBI Allow List you can only configure value sets of the Domain List type. Other types can't be configured.

    4. Enter one or more domains or URLs separated by commas and click Add. The values must be valid domains or URLs, and you can include one wildcard in a value.

    5. Click Apply. The Value Set is created and can be selected from the RBI Allow List dropdown.

  4. Click Save. The Value Sets for continuing RBI sessions are configured.

Creating an Internet Firewall Rule for Remote Browsing

You can use Internet Firewall rules to define when Cato directs traffic to the RBI service. The rules must be configured with the Application Category set as Uncategorized, Undefined, or Custom Category with no other apps or categories configured. For more about configuring Internet Firewall rules, see Managing the Internet Firewall Policy.

To create an Internet Firewall rule for remote browsing:

  1. From the navigation menu, select Security > Internet Firewall.

  2. Click New.

  3. Enter the Name for the rule.

  4. Enable or disable the rule using the slider (green is enabled, grey is disabled).

  5. Configure the Rule Order for this rule.

    New rules are added to the bottom of the rulebase. You can change the order in which this rule is applied.

  6. Expand Source and select the source type.

    • Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    • When needed, select a specific object from the drop-down list for that type.

  7. Expand the App/Category section and select Application Category.

    Select one or more of Uncategorized, Undefined, or a Custom Category from the Application Category drop-down list. When there is more than one App/Category object in a rule, there is an OR relationship between them.

  8. Set the Action for this rule as Remote Browsing (RBI).

  9. (Optional) Configure tracking options to generate Events and Send Notification.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  10. Click Apply. The new rule is added to the rulebase.

  11. Click Save.

    The rule is saved.

Best Practices for Implementing RBI with the Internet Firewall

We recommend gradually implementing your RBI policy with specific scopes, to avoid potential misconfiguration of policy rules that can result in using RBI for traffic that should have direct access to destinations. These are examples of recommended best practices for implementing RBI.

Best Practices for Implementing RBI for Uncategorized and Undefined Destinations:

  • If there is already an Internet Firewall rule configured for the application categories Uncategorized and Undefined:

    1. Start keeping track of events for the configured rule to identify specific Uncategorized or Undefined destinations that are essential for your users.

    2. Add a higher priority rule with the action Remote Browsing defined for a specific scope of essential Uncategorized and Undefined sites.

  • If there is no rule configured for the categories Uncategorized and Undefined:

    1. Add a rule covering Uncategorized and Undefined destinations with the action Allow or Prompt, and set it to track Events.

    2. Start keeping track of the events to identify specific Uncategorized or Undefined destinations that are essential for your users.

    3. Create a higher priority rule with the Allow or Prompt action, and gradually add the specific essential destinations you identify, until all essential destinations are added.

    4. Set the higher priority rule to the Remote Browsing action.

  • Since RBI is only supported for browsers, if you are concerned about non-browser traffic to Uncategorized and Undefined domains, we recommend creating an Internet Firewall Block rule for Uncategorized and Undefined traffic. Position this rule at a lower priority than the RBI rule for these domains.

    This secures traffic to these suspicious domains that originates from non-browser clients (for example, cURL scripts).
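The rule-scope requirement for Remote Browsing, the prerequisite for the RBI service URL, and the lower-priority Block rule recommended above can be checked together before a policy change is saved. The following Python check is an added example, not Cato code or a Cato export format: the rule dictionaries, their field names, and the sample rule names are hypothetical, and the Block-rule recommendation is treated as a finding.

```python
# Added example. The rule dictionaries are a hypothetical model of an ordered
# rulebase (index 0 = highest priority); they are not a Cato export or API format.
RBI_CATEGORIES = {"Uncategorized", "Undefined"}
RBI_SERVICE_HOST = "securebrowsing.catonetworks.com"  # from the prerequisites

def _blocks(rule, categories):
    """True if a Block rule covers every category in `categories`."""
    if rule["action"] != "Block":
        return False
    scope = set(rule.get("categories", []))
    return "Any" in scope or categories <= scope

def lint_rulebase(rules):
    """Return a list of findings for an ordered rulebase."""
    findings = []
    for pos, rule in enumerate(rules):
        if rule["action"] != "RBI":
            continue
        cats = set(rule.get("categories", []))
        custom = rule.get("custom_categories", [])
        # Remote Browsing accepts only Uncategorized, Undefined or a Custom Category.
        if rule.get("apps") or cats - RBI_CATEGORIES or not (cats or custom):
            findings.append(f"{rule['name']}: scope not valid for Remote Browsing")
        # RBI handles browsers only, so a lower-priority Block rule should
        # catch non-browser clients going to the same categories.
        builtin = cats & RBI_CATEGORIES
        if builtin and not any(_blocks(r, builtin) for r in rules[pos + 1:]):
            findings.append(f"{rule['name']}: no lower-priority Block rule for {sorted(builtin)}")
    # With an ANY-ANY Block rule, the RBI service URL needs an explicit Allow above it.
    for pos, rule in enumerate(rules):
        if rule["action"] == "Block" and "Any" in rule.get("categories", []):
            allowed = any(r["action"] == "Allow"
                          and RBI_SERVICE_HOST in r.get("destinations", [])
                          for r in rules[:pos])
            if not allowed:
                findings.append(f"{rule['name']}: blocks {RBI_SERVICE_HOST}; add an Allow rule above it")
            break
    return findings

# Constructed sample rulebase with two problems.
SAMPLE = [
    {"name": "rbi-unknown", "action": "RBI", "categories": ["Uncategorized", "Undefined"]},
    {"name": "rbi-social", "action": "RBI", "categories": ["Social"]},
    {"name": "block-all", "action": "Block", "categories": ["Any"]},
]

if __name__ == "__main__":
    for finding in lint_rulebase(SAMPLE):
        print(finding)
```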

Reviewing RBI Events

You can review Security events in Home > Events and find the logs related to RBI emulation sessions carried out for a connection that matched a firewall rule with the Remote Browsing action. These events are labeled with the Sub-Type Internet Firewall and the Action RBI.

When the RBI session can't be executed and the Fallback Action is invoked, the relevant events have the Action Block or Prompt depending on your configuration.

This is an example of a filter you can create to view events related to RBI:

[Image: RBI_Event_Filter.png]

This is an example of an event related to an RBI session:

[Image: RBI_Event.png]

Troubleshooting the RBI Service for a URL

If a user experiences an issue browsing a certain URL, you can generate a test RBI emulation session for the URL with the Administrator RBI Simulator. Enter the valid HTTP or HTTPS URL and then follow the resulting link to view the site in an RBI session. The utility sends this traffic directly to the RBI service without passing through the Cato Cloud. This can help determine if a user's issue relates to the RBI service itself, or is caused by other issues such as account configuration or Cato infrastructure connectivity. For example, a user connected to Cato can't browse to an Uncategorized website configured for RBI, but the admin is able to reach the site using the utility. This may indicate that the RBI service is functioning properly and the issue is related to connectivity between a PoP and the service.

The Administrator RBI Simulator applies the RBI security controls defined in the RBI Account Preferences.

After running an RBI session from the utility, you can report the results to Support to help them resolve the issue.

To troubleshoot with the Administrator RBI Simulator:

  1. From the navigation panel, select Security > RBI.

  2. Under Administrator RBI Simulator, enter a valid HTTP or HTTPS URL. For example: https://maps.google.com

  3. Click Generate. A URL is created for the RBI session.

  4. Click the link next to the URL. The RBI session opens in your default browser.
