Forum Discussion
- bizzle90 (Cato Employee)
Hi Soon,
Thank you for your comment and query in the Cato Community channel!
So, as you have stated correctly, you cannot use Application Control Policy with a block INET FW rule. This is because the traffic needs to be allowed before we can process the traffic further within the Cato stack.
Also at this time (I have also attempted to lab this myself to confirm), you cannot use a Full Path URL in the INET FW stack, as I was attempting to create an exception rule and add the Full Path URL which was not accepted.
What I would politely suggest in this use case is to create an RFE and raise it with your respective Cato customer service representative.
Or raise a support ticket (if not already done so), and request an RFE for Full Path URL to be added into INET FW stack.
- bizzle90 (Cato Employee)
Hey Soon,
Just to further add, please see this KB, which provides some understanding of the Cato SPACE architecture:
https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture
- yaakov_simon (Cato Employee)
Soon,
The Application Control policy (CASB) is a licensed service that provides the type of granular control that you are looking for; this granular control is not supported by the Int FW policy.
You can create an Application Control rule that allows the Full Path URL for the specific videos, and then a rule after it which blocks the YouTube app.
Thanks!
Yaakov Simon
- Robin_Johns (Cato Employee)
If you're going to leverage the Application Control Policy to do this, you could additionally create a value set of all allowed URL paths and use this in a single rule. It would reduce the administrative headache in the future, and put all 'allowed YouTube videos' in a single place for you to monitor.