Rneal1973
2 months ago
Comet
Allow List
Hello, I'm new to the community and the CATO environment and had a question regarding allow listing. I can see my public IP is from the Ashburn, VA PoP location. As we migrate away from traditional...
Hey Rob,
Welcome to the world of Cato!
Thank you for the post and query.
A great question for sure. You're correct: what you can do (again, depending on your network configuration) is allow the specific PoP ranges on your services for access. Please see our KB regarding the specific PoP ranges here:
https://support.catonetworks.com/hc/en-us/articles/7784334332317-Production-PoP-Guide
Now, something you need to consider is the configuration of your network rule policies. By default (again, depending on the location of your users and which PoP they are connected to), when the specific source matches the respective network rule policy without a specific PoP configured, the traffic will always attempt to route via the connected PoP of the SDP VPN user or the socket that the users are behind.
However, it is important to note that depending on the location of the service that you're attempting to connect to, the traffic may need to be routed over multiple PoPs, meaning that the egress PoP IP that the service/servers will see could be different to the ingress PoP used for the tunnel between the VPN user/socket.
Again, an important caveat to the above is that this is not always the case. Sometimes the ingress PoP will egress from its external IP to the internet without needing to send the traffic to a different PoP for egress.
So, depending on your requirements, you can configure your Network Rules to be very specific in the sense of how you want the traffic to be routed.
Please see our KBs below, which explain network rules in Cato and how they can be configured:
https://support.catonetworks.com/hc/en-us/articles/4413265638289-What-is-the-Cato-Network-Rulebase
https://support.catonetworks.com/hc/en-us/articles/7785698733341-Configuring-Network-Rules
In particular here: https://support.catonetworks.com/hc/en-us/articles/7785698733341-Configuring-Network-Rules#h_01JKQEDGVCZHYEMEJCHZXKZNR7
I've added a KB which goes into detail about the packet flow over our PoPs:
https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture
I hope the above helps. Please do reach out if you have any further questions.
Thanks!