Knowledge Base Article

How to Block a TLD (Top Level Domain) or a Specific Country

Power of UZTNA vs the ZTNA! 

  • Use Case 1: How do I block traffic to all *.info websites using the TLD?
  • Use Case 2: How do I block traffic to and from a country?
Security > IPS > Geo
Cato has a very powerful IPS feature that blocks both inbound and outbound traffic for a specific country, which some of our competitors can't do. They usually block only outbound traffic to a country, based on their (obsolete) web proxy feature. Cato can do both directions!

This is the true power of UZTNA vs the rudimentary ZTNA solutions out there!

 

How?

CMA > Security > IPS > Geo

Internet rule > category country > Congo

Internet rule > Category > domain > “cg”.

Use case 1: Cato makes blocking a top-level domain as easy as creating an Internet rule with category domain and specifying e.g. "info" as the domain (yes, even the TLD!). Subdomains are blocked automatically, without specifying a wildcard character.

Use case 2: Now you would think that if I create an Internet rule with "cg" it will block all traffic to Congo? You guessed it right. That works too. Some of our competitors today can't block TLDs (top-level domains). Note, though, that this method only prevents outbound traffic to that TLD (destination country). Augment this with Geo block using IPS.

Going one level further: if your use case is to block all traffic to a country, you don't want to rely only on an SWG (RIP, the Secure Web Gateway!) rule like the one above. Cato has a very powerful Geo-IP feature that works at the firewall rule level for both inbound and outbound traffic (see the screenshot at the top)!

In summary, here are 3 ways to do this:

  1. Security > IPS > Geo Restriction > Select the country and the direction. Refer to the top screenshot; we have bi-directional support (Cato Differentiator)
  2. Internet rule > category country > Congo (SWG / Proxy)
  3. Internet rule > Category > domain > “cg”.  (TLD - Cato Differentiator)
Internet FW Policy

Supporting articles: https://support.catonetworks.com/hc/en-us/articles/360012276478-Configuring-IPS-and-Geo-Restriction

Note / Best Practices: 

  • Most companies follow their corporate policies or some regulations / embargo in effect to maintain a list of countries to block (e.g. ITAR or Arms Control).
  • Make sure you have no users / partners / businesses in the destination country before you put a blanket block.
  • While this is as foolproof as it can get, there is a gotcha: what happens if the site is using an Anycast service or a CDN service hosted outside the country?
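
One way to dry-run a proposed TLD rule and Geo block against recent outbound traffic before enabling a blanket block, as an added example that is not Cato code or part of the original article. The log format, sample records and function names are constructed, and matching on a label boundary is an assumed model of the "subdomains are blocked automatically" behaviour; records that land in `tld_only` or `geo_only` are the CDN / Anycast cases the last bullet asks about.

```python
# Added example: dry-run a TLD block and a Geo block against outbound logs.
# Log format, field names and sample records are constructed for illustration.

SAMPLE_LOG = [  # (user, destination host, destination IP country) - constructed
    ("alice", "portal.example.cg", "CG"),    # .cg site hosted in-country
    ("bob", "shop.example.cg", "US"),        # .cg site served from a CDN abroad
    ("carol", "partner.example.com", "CG"),  # .com site hosted in-country
    ("dave", "news.example.info", "DE"),
    ("erin", "myinfo.example.com", "US"),    # contains "info", not under .info
]

def tld_match(host, blocked_tlds):
    """True if host is the TLD itself or a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in blocked_tlds)

def dry_run(log, blocked_tlds, blocked_countries):
    """Classify each record by which rule type would block it."""
    tlds = {t.lower().lstrip(".") for t in blocked_tlds}
    countries = {c.upper() for c in blocked_countries}
    report = {"both": [], "tld_only": [], "geo_only": [], "allowed": []}
    for user, host, country in log:
        by_tld = tld_match(host, tlds)
        by_geo = country.upper() in countries
        key = ("both" if by_tld and by_geo else
               "tld_only" if by_tld else
               "geo_only" if by_geo else "allowed")
        report[key].append((user, host))
    return report

def blast_radius(log, tld):
    """Share of records one TLD rule would block; a high value flags a typo."""
    hits = sum(tld_match(host, {tld.lower()}) for _, host, _ in log)
    return hits / len(log)

if __name__ == "__main__":
    for kind, rows in dry_run(SAMPLE_LOG, ["cg", "info"], ["CG"]).items():
        print(kind, rows)
    print("share hit by 'com':", blast_radius(SAMPLE_LOG, "com"))
```
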
Updated 3 months ago
Version 20.0

1 Comment

  • Nath

    Very powerful.  I wouldn't like to make a typo and enter com by mistake!

    Our organisation has a standardised geo-blocking policy and Cato is one of the products we use that this applies to.  I like how Cato can have separate country blocking rules for Outbound and Inbound.  We restrict a lot more inbound Remote Port Forwarding traffic compared to Outbound.

    Hong Kong is one country we block Outbound.  We do see some blocked CDN traffic in our logs for Hong Kong, but this doesn't have a negative impact on users.  It does highlight the need to be cautious.  Therefore, it would be more useful to be able to be more granular in the rules as to which traffic this applies to.  Most other Cato policies follow the standard rulebase, where you specify the Source and What etc.   But the IPS policies are a lot simpler.