Forum Discussion

2 months ago

Allow List

Hello,

I'm new to the community and the CATO environment and had a question regarding allow listing. I can see my public IP is from the Ashburn, VA PoP location.

As we migrate away from traditional premise-based firewalls I'm unclear how broadly I should ask our vendor partners to allow list. Traditionally, I'd simply provide the IP range for the circuit coming into the site (Lumen, Comcast, etc.).

But with CATO, there are numerous PoP locations. I recognize I wouldn't need to provide something that doesn't make sense (e.g., PoPs in Asia). But what is the recommendation otherwise? Should I provide all the IP ranges in Ashburn, VA, since we're in central Virginia? Should I continue providing the IP ranges for the physical circuit coming into the buildings too?

Thank you,

Rob

1 Reply

  • Hey Rob,

    Welcome to the world of Cato!

    Thank you for the post and query.

    A great question for sure. You're correct: what you can do (again, depending on your network configuration) is allow the specific PoP ranges on your services for access. Please see our KB here with regards to the specific PoP ranges:

    https://support.catonetworks.com/hc/en-us/articles/7784334332317-Production-PoP-Guide

    Now, something you need to consider is the configuration of your network rule policies: by default (again, depending on the location of your users and what PoP they are connected to), when the specific source matches the respective network rule policy without a specific PoP configured, the traffic will always attempt to route via the connected PoP of the SDP VPN user or the Socket that the users are behind.

    However, it is important to note that, depending on the location of the service you're attempting to connect to, the traffic may need to be routed over multiple PoPs, meaning that the egress PoP IP that the service/servers will see could be different from the ingress PoP used for the tunnel from the VPN user/Socket.

    Again, an important caveat to the above is that this is not always the case. Sometimes the ingress PoP will egress from its external IP to the internet without needing to send the traffic to a different PoP for egress.

    So, depending on your requirements, you can configure your Network Rules to be very specific in the sense of how you want the traffic to be routed.

    Please see our KBs below, which explain network rules in Cato and how they can be configured:

    https://support.catonetworks.com/hc/en-us/articles/4413265638289-What-is-the-Cato-Network-Rulebase

    https://support.catonetworks.com/hc/en-us/articles/7785698733341-Configuring-Network-Rules

    In particular here: https://support.catonetworks.com/hc/en-us/articles/7785698733341-Configuring-Network-Rules#h_01JKQEDGVCZHYEMEJCHZXKZNR7

    I've added a KB which goes into detail about the packet flow over our PoPs:

    https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture


    I hope the above helps, please do reach out if you have any further questions.

    Thanks!
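The reply above makes the practical point: what a vendor needs to allow is the egress IP it actually sees, which may belong to a different PoP than the one the user or Socket is tunnelled to, and the legacy circuit ranges may still need to stay on the list during migration. The script below is an added example, not code from the original thread or from Cato; it checks the source IPs in a vendor's access log against a table of PoP ranges and circuit ranges, reports which egress locations were observed, and builds the collapsed allow list for the PoPs you decide to permit. The PoP and circuit ranges are constructed placeholders from the RFC 5737 documentation blocks (not real Cato PoP addresses; substitute the ranges from the Production PoP Guide), and the log lines are likewise constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 documentation blocks), NOT real Cato PoP ranges.
# Replace with the current ranges from the Production PoP Guide linked in the reply.
POP_RANGES = {
    "Ashburn, VA": ["198.51.100.0/26", "198.51.100.64/26"],
    "New York, NY": ["203.0.113.0/26"],
    "Singapore": ["192.0.2.0/26"],
}

# Legacy circuit ranges still in use at the site (constructed placeholders).
CIRCUIT_RANGES = {
    "Lumen circuit, HQ": ["203.0.113.128/29"],
}

# Constructed vendor-side log lines: src= is the IP the vendor's service actually saw.
SAMPLE_VENDOR_LOG = """\
2024-05-01T13:02:11Z src=198.51.100.17 user=rob action=allow
2024-05-01T13:05:40Z src=198.51.100.90 user=rob action=allow
2024-05-01T13:07:03Z src=203.0.113.9 user=jane action=deny
2024-05-01T13:09:55Z src=192.0.2.5 user=contractor action=deny
2024-05-01T13:12:30Z src=203.0.113.130 user=printer action=allow
2024-05-01T13:15:02Z src=198.51.100.200 user=rob action=deny
"""


def _index(ranges):
    """Flatten {name: [cidr, ...]} into a list of (name, ip_network) pairs."""
    return [(name, ipaddress.ip_network(c)) for name, cidrs in ranges.items() for c in cidrs]


def parse_src_ips(log_text):
    """Extract every src=<ip> token from the log, in order."""
    ips = []
    for line in log_text.splitlines():
        for tok in line.split():
            if tok.startswith("src="):
                ips.append(ipaddress.ip_address(tok[4:]))
    return ips


def classify(ips, pop_ranges=POP_RANGES, circuit_ranges=CIRCUIT_RANGES):
    """Map each observed source IP to the PoP or circuit range containing it.

    Returns ({location: [ips...]}, [ips in no known range]). An IP in no known
    range usually means the range table is stale and needs refreshing from the
    PoP guide before the allow list is sent to the vendor.
    """
    index = _index(pop_ranges) + _index(circuit_ranges)
    seen = defaultdict(set)
    unknown = set()
    for ip in ips:
        for name, net in index:
            if ip in net:
                seen[name].add(ip)
                break
        else:
            unknown.add(ip)
    return {k: sorted(v) for k, v in seen.items()}, sorted(unknown)


def build_allowlist(seen, allowed_pops, pop_ranges=POP_RANGES, circuit_ranges=CIRCUIT_RANGES):
    """Collapse the ranges of the permitted PoPs plus every circuit range into CIDRs.

    Also returns the egress locations that were observed in the log but are NOT
    covered by the allow list; those are the PoPs the vendor would block, i.e.
    the multi-PoP egress case the reply describes.
    """
    nets = []
    for name in allowed_pops:
        nets += [ipaddress.ip_network(c) for c in pop_ranges[name]]
    for cidrs in circuit_ranges.values():
        nets += [ipaddress.ip_network(c) for c in cidrs]
    allow = [str(n) for n in ipaddress.collapse_addresses(nets)]
    uncovered = sorted(n for n in seen if n not in allowed_pops and n not in circuit_ranges)
    return allow, uncovered


if __name__ == "__main__":
    seen, unknown = classify(parse_src_ips(SAMPLE_VENDOR_LOG))
    for loc, ips in seen.items():
        print(f"{loc}: {', '.join(map(str, ips))}")
    print("not in any known range:", ", ".join(map(str, unknown)))
    allow, uncovered = build_allowlist(seen, ["Ashburn, VA"])
    print("allow list to send:", allow)
    print("observed egress NOT covered:", uncovered)
```

Run it once against a real export from the vendor side before committing to an allow list: the `uncovered` result tells you which additional PoPs your traffic actually egressed from (or that you need a Network Rule pinning egress to a specific PoP), and a non-empty `unknown` list means the range table no longer matches the PoP guide.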