Forum Discussion

GiuDNica
2 days ago

Does Cato perform application identification based solely on ports?

We'd like to understand how deep Cato's application awareness goes.
For example:

If someone establishes an SSH connection over a non-standard port (e.g., TCP 222), would it still be recognized as SSH?

If we block "SSH" as a service, could a user bypass this by using a custom port?

Does blocking SMTP also cover traffic not using the default ports (25, 465, 587)?

To allow SSH only over port 22, what would be the correct rule setup?

We’re aiming for precise control similar to App-ID behavior.

1 Reply

  • bizzle90
    Cato Employee

    Hi GiuDNica,

    Thanks for the post.

    So Cato PoPs are able to determine most applications using Layer 7 analysis in our engines. Of course, there are many factors to consider, such as TLS inspection, type of application, payload, etc.

    In fact, Cato uses the SPACE mechanism regarding packet flows and inspection when traffic ingresses the PoPs: 

    https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture

    Regarding your concerns, you can leverage the Cato Internet or WAN Firewall configuration. Please see our best practices KB:

    https://support.catonetworks.com/hc/en-us/articles/360004274777-Internet-and-WAN-Firewall-Policies-Best-Practices#UUID-b2dade55-ef58-cdb4-a6b6-e299faa82f58

    You can also look to use the Application Control Policy via our CASB solution:

    https://support.catonetworks.com/hc/en-us/articles/4405498289053-What-is-the-Unified-CASB-Solution#UUID-25e9f60e-ae77-aac1-37b4-bd151762e33d

    https://support.catonetworks.com/hc/en-us/articles/13314302436253-Managing-the-Application-Control-Policy

    I hope this helps.
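A generic illustration of the difference the question is about, added here and not part of the thread: it is not Cato's engine or rule syntax. It compares port-only classification with classification from the first payload bytes, using the questioner's cases (SSH on TCP 222, SMTP off its default ports). The policy, the default action and all sample flows are constructed assumptions.

```python
import re

# Port-only view: the application is whatever the destination port implies.
PORT_MAP = {22: "SSH", 25: "SMTP", 465: "SMTP", 587: "SMTP"}

# Payload view: SSH identification string (RFC 4253), SMTP 220 greeting
# followed by the client's EHLO/HELO (RFC 5321). A bare "220" is not enough,
# because FTP servers greet with 220 as well.
SSH_ID = re.compile(rb"SSH-(?:2\.0|1\.99)-")
SMTP_GREETING = re.compile(rb"220[ -]")
SMTP_HELLO = re.compile(rb"(?:EHLO|HELO) ", re.IGNORECASE)

def classify_by_port(dst_port):
    return PORT_MAP.get(dst_port, "UNKNOWN")

def classify_by_payload(server_first, client_first):
    if SSH_ID.match(server_first) or SSH_ID.match(client_first):
        return "SSH"
    if SMTP_GREETING.match(server_first) and SMTP_HELLO.match(client_first):
        return "SMTP"
    return "UNKNOWN"  # includes TLS-wrapped traffic that was not decrypted

def decide(dst_port, server_first, client_first, use_payload):
    """Hypothetical policy: SSH allowed only on TCP 22, SMTP blocked on any port.
    Unclassified traffic is allowed (an assumption; default-deny would differ)."""
    if use_payload:
        app = classify_by_payload(server_first, client_first)
    else:
        app = classify_by_port(dst_port)
    if app == "SSH":
        return "allow" if dst_port == 22 else "block"
    if app == "SMTP":
        return "block"
    return "allow"

# Constructed sample flows: (label, dst_port, first server bytes, first client bytes)
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
FLOWS = [
    ("ssh on 22", 22, SSH_BANNER, SSH_BANNER),
    ("ssh on 222", 222, SSH_BANNER, SSH_BANNER),
    ("smtp on 2525", 2525, b"220 mail.example.test ESMTP\r\n", b"EHLO host.example.test\r\n"),
    ("ftp on 21", 21, b"220 FTP ready\r\n", b"USER anonymous\r\n"),
    ("tls on 465", 465, b"\x16\x03\x03\x00\x5a", b"\x16\x03\x01\x02\x00"),
]

if __name__ == "__main__":
    for label, port, srv, cli in FLOWS:
        print(f"{label:14} port-only={decide(port, srv, cli, False):6}"
              f" payload={decide(port, srv, cli, True)}")
```

The last flow shows why the reply lists TLS inspection as a factor: without decryption the payload view sees only a TLS record, so classification falls back to whatever else the engine knows about the flow.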