This article explains how to configure the Remote Browser Isolation (RBI) service to protect against web-based threats in unknown destinations.
For more information about the RBI service, see Securing Browsing Sessions Through Remote Browser Isolation.
RBI protects devices from web-targeted threats and malicious content that can be embedded in unknown Internet sites and services. RBI runs as an isolated Cato service that emulates browsing activity for users and then streams the emulated traffic to the user device. This keeps the device safe from malware threats by making sure that all in-browser code is executed remotely and never on the device.
For situations where the RBI service can't emulate traffic, you can configure a Fallback Action that determines how the traffic is handled. For example, if you temporarily disable the RBI service, or if the service is momentarily unreachable.
Note
Note: RBI functionality is not available for Cato PoPs located in China. These PoPs will always apply the Fallback Action for the relevant traffic.
Use the Internet Firewall policy to implement what traffic is emulated by the RBI service. Only rules for application categories Uncategorized or Undefined can be configured for remote browsing. All other traffic is protected by Cato's broad range of additional security services.
This is a sample workflow for implementing RBI:
-
Enable the RBI service.
-
Define a Fallback Action .
-
Configure an Internet Firewall rule with the Remote Browsing action.
You can use the Admin RBI Utility to help diagnose issues that end-users experience when trying to browse destinations configured for RBI emulation. The utility can help isolate the cause of the issue, and helps you provide useful information to Support to find a resolution.
- Note: After 30 minutes of inactivity, the RBI session automatically ends and the browser tab closes. To continue browsing, the user must re-open the site in their browser.
-
Enabling the RBI service requires an RBI license. For more about purchasing the RBI license, please contact your Cato representative.
-
TLS Inspection must be enabled for traffic configured for RBI
-
For the RBI service to function properly, the Internet Firewall must allow access to the URLĀ http://securebrowsing.catonetworks.com/. If your Internet Firewall has an ANY-ANY Block rule at the bottom, add an explicit rule with higher priority allowing traffic to this URL.
This section explains how to configure the RBI service to provide secure web browsing for end-users.

When you enable the RBI service, the Remote Browsing action for the Internet Firewall is now available, and you can then create rules to direct traffic to the service. By default, RBI is disabled.
The Fallback Action defines what happens when the RBI action can't be carried out for an Internet Firewall rule. You can set the fallback to Block the traffic, or to Prompt the user to decide whether or not to continue.
You can use Internet Firewall rules to define when Cato directs Uncategorized or Undefined , traffic to the RBI service. The rules must be configured with the Application Category set as Uncategorized or Undefined, with no other apps or categories configured. For more about configuring Internet Firewall rules, see Managing Internet Firewall Rules.
To create an Internet Firewall rule for remote browsing:
-
From the navigation menu, select Security > Internet Firewall.
-
Click New.
-
Enter the Name for the rule.
-
Enable or disable the rule using the slider (green is enabled, grey is disabled).
-
Configure the Rule Order for this rule.
New rules are added to the bottom of the rulebase. You can change the order in which this rule is applied.
-
Expand Source and select the source type.
-
Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.
-
When needed, select a specific object from the drop-down list for that type.
-
-
Expand the App/Category section and select Application Category.
Select Uncategorized or Undefined, or both, from the Application Category drop-down list. When there is more than one App/Category object in a rule, there is an OR relationship between them.
-
Set the Action for this rule as Remote Browsing (RBI).
-
(Optional) Configure Track options to generate Event and Email Notifications and set the time when the rule is active. For more information, see: Working with Email Notifications for the Account.
-
Click Apply. The new rule is added to the rulebase.
-
Click Save.
The rule is saved.
We recommend gradually implementing your RBI policy with specific scopes, to avoid potential misconfiguration of policy rules that can result in using RBI for traffic that should have direct access to destinations. These are examples of recommended best practices for implementing RBI, depending on if you already have a rule configured for the categories Uncategorized and Undefined:
-
If there is already an Internet Firewall rule configured for the application categories Uncategorized and Undefined :
-
Start keeping track of events for the configured rule to identify specific Uncategorized or Undefined destinations that are essential for your users.
-
Add a higher priority rule with the action Remote Browsing defined for a specific scope of essential Uncategorized and Undefined sites.
-
-
If there is no rule configured for the categories Uncategorized and Undefined:
-
Add a rule covering Uncategorized and Undefined destinations with the action Allow or Prompt, and set it to track Events.
-
Start keeping track of the events to identify specific Uncategorized or Undefined destinations that are essential for your users.
-
Create a higher priority rule with the Allow or Prompt action, and gradually add the specific essential destinations you identify, until all essential destinations are added.
-
Set the higher priority rule to the Remote Browsing action.
-
You can review Security events in Monitoring > Events and find the logs related to RBI emulation sessions carried out for a connection that matched a firewall rule with the Remote Browsing action. These events are labeled with the Sub-Type Internet Firewall and the Action RBI.
When the RBI session can't be executed and the Fallback Action is invoked, the relevant events have the Action Block or Prompt depending on your configuration.
This is an example of a filter you can create to view events related to RBI:

This is an example of an event related to an RBI session:

If a user experiences an issue browsing a certain URL, you can generate a test RBI emulation session for the URL with the Admin RBI Utility . Enter the valid HTTP or HTTPS URL and then follow the resulting link to view the site in an RBI session. The utility sends this traffic directly to the RBI service without passing through the Cato Cloud. This can help determine if a user's issue relates to the RBI service itself, or is caused by other issues such as account configuration or Cato infrastructure connectivity. For example, a user connected to Cato can't browse to an Uncategorized website configured for RBI, but the admin is able to reach the site using the utility. This may indicate that the RBI service is functioning properly and the issue is related to connectivity between a PoP and the service.
After running an RBI session from the utility, you can report the results to Support to help them resolve the issue.

Comments
0 comments
Article is closed for comments.