Forum Discussion

GiuDNica
29 days ago

Policy Rule Not Hitting When Destination is Set to 'Any' – Expected Behavior?

Hi all,

I ran into a situation with a security policy in Cato and would like to hear if anyone else has experienced something similar.

Here is the scenario:

I created a policy where the source site is set to "Site A", the destination is set to "Any", and the application is defined as a specific IP address, for example 192.168.1.1.

In this setup, the rule does not match and traffic is not allowed as expected.

However, when I change the destination from "Any" to the specific site where 192.168.1.1 is located, the rule starts working correctly and the traffic is matched.

My questions:

Is this expected behavior in Cato?

Does using "Any" as the destination somehow prevent matching traffic to a specific internal IP?

Is there something else I might be missing?

Appreciate any insights or experiences. Thanks!

2 Replies

  • Mihai (Cato Employee)

    Good morning GiuDNica,

    I would suggest looking at how the Custom app is defined and checking for any duplicates (for example, APP A has 1.1.1.1 and 192.168.1.1 and APP B has 1.1.1.1 - this creates an overlap). Please create the app definition as detailed as possible (so not only IPs but port ranges and domains as well) as per our KB: https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps#heading-2
    In my experience this has been noted to create app mismatches and, as a result, confuse the rule set.

    Let me know if that solved your problem and, if it did, please mark my response as a solution.

    Thanks,

    Mihai 
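The overlap Mihai describes (two custom apps that both contain 1.1.1.1) can be found mechanically before it reaches the rule base. The following is an added example, not part of this thread and not a Cato tool; it assumes the custom app definitions have been exported into a plain name-to-address-list mapping (the `CUSTOM_APPS` sample below is constructed for illustration), compares every pair of entries across apps as address ranges rather than as strings, and separately reports entries repeated inside one app.

```python
import ipaddress
from itertools import combinations

# Constructed sample: APP A and APP B share 1.1.1.1 (the case from the reply above),
# APP C shows that a CIDR is compared as a range, and APP D lists one host twice.
CUSTOM_APPS = {
    "APP A": ["1.1.1.1", "192.168.1.1"],
    "APP B": ["1.1.1.1"],
    "APP C": ["192.168.1.0/24"],
    "APP D": ["10.0.0.5", "10.0.0.5"],
}


def parse_entries(entries):
    """Turn IP / CIDR strings into ip_network objects (a bare host becomes /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_overlaps(apps):
    """Return a sorted list of (app1, app2, entry1, entry2) for every pair of entries
    in *different* apps whose address ranges intersect. Exact duplicates and a host
    contained in another app's CIDR are both reported, since either makes two apps
    claim the same destination."""
    parsed = {name: parse_entries(entries) for name, entries in apps.items()}
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                # overlaps() only makes sense within one IP version
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, b, str(na), str(nb)))
    return sorted(hits)


def find_duplicates_within(apps):
    """Return {app: [entries listed more than once]} for apps that repeat an entry."""
    dups = {}
    for name, entries in apps.items():
        normalized = [str(n) for n in parse_entries(entries)]
        repeated = sorted({e for e in normalized if normalized.count(e) > 1})
        if repeated:
            # report the entry as the author wrote it, stripped of the implied prefix length
            dups[name] = [e.split("/")[0] if e.endswith(("/32", "/128")) else e for e in repeated]
    return dups


def report(apps):
    """Human-readable summary of both checks; returns the number of findings."""
    overlaps = find_overlaps(apps)
    dups = find_duplicates_within(apps)
    for a, b, ea, eb in overlaps:
        print(f"OVERLAP: {a} [{ea}] intersects {b} [{eb}]")
    for name, entries in dups.items():
        print(f"DUPLICATE: {name} lists {', '.join(entries)} more than once")
    if not overlaps and not dups:
        print("No overlapping or duplicated custom app entries found")
    return len(overlaps) + len(dups)


if __name__ == "__main__":
    report(CUSTOM_APPS)
```

Running it on the sample prints the APP A / APP B overlap on 1.1.1.1, the APP A host 192.168.1.1 falling inside APP C's 192.168.1.0/24, and the repeated 10.0.0.5 in APP D. Overlaps are only flagged between different apps; the same host listed twice in one app is a separate finding so that the two kinds of cleanup can be done independently.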


  • Hi Mihai,

    Thanks for your reply.

    Just to clarify:
    My custom app is defined only with a single IP address (e.g. 192.168.1.1) – no ports, no domains, no overlapping entries, and no duplicates. It’s a super basic app definition.

    My main question is specifically about the policy matching behavior when using “Any” as the destination in combination with this app (single IP only):

    Why does the rule not hit when the destination is set to “Any”,
    but works fine when the destination is set to the specific site where the IP belongs?

    I understand your point about custom app overlaps, but that’s not the case here.
    Is this behavior (not matching with “Any” destination + custom app using single internal IP) expected in Cato?
    If yes, is there an explanation from the policy engine perspective why this is required?


    Thanks!

    Best,

    GiuD.Nica