Blocking TLD (Top Level Domain) or a Specific Country
Power of UZTNA vs the ZTNA!
- Use Case 1: How do I block traffic to all *.info websites using the TLD?
- Use Case 2: How do I block traffic to and from a country?
Cato has a very powerful IPS feature to block both inbound and outbound traffic to a specific country, which some of our competitors can't do. They usually will only block outbound traffic to a country based on their (obsolete) web proxy feature. Cato can do both directions! True power of UZTNA vs the rudimentary ZTNA solutions out there.
How? - CMA > Security > IPS > Geo
Internet rule > category country > Congo
Internet rule > Category > domain > “cg”.
Use case 1: Cato makes blocking a top-level domain as easy as creating an Internet rule with category domain and specifying e.g. "info" as the domain (yes, even the TLD). Subdomains are blocked automatically, without specifying the wildcard character.
Use case 2: You might ask whether an Internet rule with "cg" as the domain will block all traffic to Congo. Yes, that works too. Some of our competitors today can't block TLDs (top-level domains). This method, though, only prevents outbound traffic to that TLD (destination country).
Going one level further, if your use case is to block all traffic to a country, you don't want to rely only on a SWG (RIP the Secure Web Gateway) rule like the one above. Cato has a very powerful Geo-IP feature that works at the firewall rule level for both inbound and outbound (see the screenshot on the top)!
In summary, here are 3 ways to do this:
- Security > IPS > Geo Restriction > Select the country and the direction. Refer to the top screenshot, we have bi-directional support (Cato Differentiator)
- Internet rule > category country > Congo (SWG / Proxy)
- Internet rule > Category > domain > “cg”. (TLD - Cato Differentiator)
Supporting articles: https://support.catonetworks.com/hc/en-us/articles/360012276478-Configuring-IPS-and-Geo-Restriction
Note:
- Most companies follow their corporate policies or some regulations / embargo in effect to maintain a list of countries to block
- Make sure you have no users / partners / businesses in the destination country before you put a blanket block
- While this is as foolproof as it can get, there is a gotcha: what happens if the site is using an Anycast service or a CDN service hosted outside the country?
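The gotcha in the last note comes from the fact that a domain (TLD) rule and a geo rule look at different things: one at the hostname, the other at the IP address. The following added example is not Cato's code or rule engine; it is a sketch of how the two checks can disagree, assuming label-boundary suffix matching for domain rules and a constructed geo-IP table built from documentation address ranges. All function names and sample flows are hypothetical.

```python
import ipaddress

# Constructed geo-IP table using documentation ranges (RFC 5737), not real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "CG"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
]


def domain_rule_matches(hostname, rule_domain):
    """True if hostname equals rule_domain or is a subdomain of it.

    Comparison is on whole DNS labels (an assumption about rule semantics),
    so a rule of "info" covers "a.b.example.info" but not "myinfo.com".
    """
    host = hostname.rstrip(".").lower().split(".")
    rule = rule_domain.strip(".").lower().split(".")
    return len(host) >= len(rule) and host[-len(rule):] == rule


def country_of(ip):
    """Return the country code for an IP from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def evaluate(hostname, resolved_ip, blocked_domains, blocked_countries):
    """Return which rule types ("domain", "geo") would catch this connection."""
    hits = []
    if any(domain_rule_matches(hostname, d) for d in blocked_domains):
        hits.append("domain")
    if country_of(resolved_ip) in blocked_countries:
        hits.append("geo")
    return hits


# Constructed sample flows: (hostname, resolved IP)
FLOWS = [
    ("shop.example.cg", "192.0.2.10"),       # .cg name hosted in-country
    ("shop.example.cg", "198.51.100.7"),     # .cg name served from a CDN abroad
    ("portal.example.com", "192.0.2.44"),    # .com name hosted in-country
    ("myinfo.example.com", "198.51.100.9"),  # contains "info" but is not under .info
]

if __name__ == "__main__":
    for host, ip in FLOWS:
        print(host, ip, evaluate(host, ip, ["cg", "info"], {"CG"}))
```

The second and third flows are each caught by only one of the two rule types, which is why a TLD rule and a geo restriction complement rather than replace each other.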