The power of Smart SASE - Cato Remote Port Forwarding
Use case: Allow inbound traffic using Cato Public IP
Overview
If I interpret the latest comments on the SSE Gartner MQ '25 correctly, SASE is going to devour SSE soon. The use case mentioned here is one such instance that SSE alone can't implement without fancy private access, ZTNA, or steering hooks, let alone the publishers that customers are required to host and maintain for inbound access.
Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet in the following three quick steps.
How? Quick and easy 3 steps:
- Check how many public IPs you are licensed for
Account > License > IP's
(Screenshot: number of IPs licensed)
- Assign an IP from the available Cato public IPs for your preferred location
Network > Network Configuration > IP Allocation
- Create an RPF rule using the IP you allocated in the previous step
Security > Firewall > Remote Port Forwarding
(Screenshot: RPF rule)
Intrigued users may ask: can I use this for my WAN-to-WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature, but it works based on my testing. A question before you consider this option: wouldn't you rather use WAN firewall rules to control the same traffic, instead of having internal users access this resource through a public IP? I would leverage WAN firewall and WAN network rules for internal traffic crossing sites.
Best Practices around RPF
- Tightly control the rule by limiting access to source IPs. If you see an exclamation mark like the one on the first rule in the screenshot, take action!
- Host your critical servers behind DDoS/WAF protection if you must allow 0/0.
- RPF traffic is automatically assigned the lowest priority (P255). For WAN-to-WAN traffic, though, you can use a special network rule on the source site: an Internet-type network rule with a higher priority (P8, for example). This works only for WAN-to-WAN traffic.
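One way to check the first two practices against an inventory of RPF rules you keep outside the console, as an added example that is not Cato's code or part of the original post. The rule format, the field names (`sources`, `ddos_waf`), the /24 and /48 review thresholds, and the treatment of an empty source list as "any" are all assumptions made for this sketch.

```python
import ipaddress

# Constructed rule inventory. Field names are assumptions made for this
# example; this is not Cato's export or API schema.
SAMPLE_RULES = [
    {"name": "web-any", "port": 443, "sources": [], "ddos_waf": False},
    {"name": "web-waf", "port": 443, "sources": ["0.0.0.0/0"], "ddos_waf": True},
    {"name": "ssh-partner", "port": 22,
     "sources": ["203.0.113.10", "198.51.100.0/28"], "ddos_waf": False},
    {"name": "rdp-wide", "port": 3389, "sources": ["198.51.0.0/16"], "ddos_waf": False},
    {"name": "typo", "port": 8443, "sources": ["203.0.113.300"], "ddos_waf": False},
]

MIN_PREFIX = {4: 24, 6: 48}  # assumption: wider ranges than this need review


def audit_rule(rule):
    """Return a list of (severity, message) findings for one rule."""
    findings = []
    sources = rule.get("sources") or []
    any_source = not sources  # assumption: an empty list means "any source"
    for src in sources:
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(("HIGH", f"unparseable source {src!r}"))
            continue
        if net.prefixlen == 0:
            any_source = True
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(("MEDIUM", f"broad source range {net}"))
    if any_source:
        if rule.get("ddos_waf"):
            findings.append(("INFO", "open to 0/0, fronted by DDoS/WAF"))
        else:
            findings.append(("HIGH", "open to 0/0 with no DDoS/WAF in front"))
    return findings


def audit(rules):
    """Map rule name -> findings, omitting rules with nothing to report."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        for severity, message in findings:
            print(f"{severity:6} {name}: {message}")
```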
References
- https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF
- https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic
- https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic