Blocking TLD (Top Level Domain) or a Specific Country
Use Case 1: How do I block traffic to all *.info websites using the TLD?
Use Case 2: How do I block traffic to and from a country?

Screenshot: Security > IPS > Geo

Cato has a very powerful IPS feature to block both inbound and outbound traffic to a specific country, which some of our competitors can't do. They usually will only block outbound traffic to a country based on their (obsolete) web proxy feature. Cato can do both directions! True power of UZTNA vs the rudimentary ZTNA solutions out there.

How?
- CMA > Security > IPS > Geo
- Internet rule > category country > Congo
- Internet rule > Category > domain > "cg"

Use case 1: Cato makes blocking a top level domain as easy as creating an Internet rule with category domain and specifying e.g. "info" as the domain (yes, even the TLD). Subdomains are blocked automatically without specifying the wildcard character.

Use case 2: Now you would think, if I create an Internet rule with "cg" it will block all traffic to Congo? Yes, that works too. Some of our competitors today can't block TLDs (top level domains). This method though only prevents outbound traffic to that TLD (destination country). Going one level further, if your use case is to block all traffic to a country, you don't just want to rely on a SWG (RIP the Secure Web Gateway) rule like the one above. Cato has a very powerful Geo-IP feature that works at the firewall rule level for both inbound and outbound (see the screenshot on the top)!

In summary, here are 3 ways to do this:
1. Security > IPS > Geo Restriction > Select the country and the direction. Refer to the top screenshot; we have bi-directional support (Cato Differentiator).
2. Internet rule > category country > Congo (SWG / Proxy)
3. Internet rule > Category > domain > "cg".
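To make the difference between the three options concrete, here is an added example (not Cato's code or the post author's) that models them as simple match functions and runs a few constructed flows through them: the Geo Restriction sees both directions, the two Internet rules see outbound web traffic only, and the domain rule keys on the name while the other two key on where the IP geolocates. Field names and the flows are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    name: str
    direction: str         # "outbound" (user -> internet) or "inbound"
    domain: Optional[str]  # hostname the SWG sees; None when there is none
    peer_country: str      # geolocation of the remote IP (ISO 3166-1 alpha-2)

def tld_rule(flow: Flow, tld: str = "cg") -> bool:
    """Option 3: Internet rule, category domain, value "cg". Matches the bare TLD
    and every subdomain without a wildcard, but only on outbound web traffic."""
    if flow.direction != "outbound" or not flow.domain:
        return False
    return flow.domain.lower().rstrip(".").rsplit(".", 1)[-1] == tld

def country_rule(flow: Flow, country: str = "CG") -> bool:
    """Option 2: Internet rule, category country. Outbound only, keyed on where
    the destination IP geolocates rather than on the name."""
    return flow.direction == "outbound" and flow.peer_country == country

def geo_restriction(flow: Flow, country: str = "CG") -> bool:
    """Option 1: IPS > Geo Restriction. Firewall level, so inbound as well as
    outbound, still keyed on IP geolocation."""
    return flow.peer_country == country

# Constructed flows, not real traffic. "CG" is Congo, as in the post.
FLOWS = [
    Flow("local .cg site",    "outbound", "www.example.cg",    "CG"),
    Flow("cdn-hosted .cg",    "outbound", "news.example.cg",   "US"),  # the gotcha
    Flow(".com hosted in CG", "outbound", "mail.example.com",  "CG"),
    Flow("inbound from CG",   "inbound",  None,                "CG"),
    Flow("unrelated .info",   "outbound", "docs.example.info", "US"),
]

OPTIONS = {"geo_restriction": geo_restriction,
           "country_rule": country_rule,
           "tld_rule": tld_rule}

def evaluate(flows=FLOWS):
    """Return {flow name: sorted names of the options that would block it}."""
    return {f.name: sorted(n for n, fn in OPTIONS.items() if fn(f)) for f in flows}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:20s} blocked by: {', '.join(hits) or 'nothing'}")
```

The "cdn-hosted .cg" flow is the Anycast/CDN gotcha from the note below: only the domain rule catches it, while the inbound flow is caught by the Geo Restriction alone.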
The TLD option is a Cato differentiator.

Supporting articles:
https://support.catonetworks.com/hc/en-us/articles/360012276478-Configuring-IPS-and-Geo-Restriction

Note:
- Most companies follow their corporate policies or some regulations / embargo in effect to maintain a list of countries to block.
- Make sure you have no users / partners / businesses in the destination country before you put a blanket block.
- While this is as foolproof as it can get, there is a gotcha: what happens if the site is using an Anycast service or a CDN service hosted outside the country?

Enhanced Block / Warning Message - Event Reference ID
Last week a very powerful troubleshooting and event monitoring feature, "Event Reference ID", was introduced. It will make troubleshooting easier for the admins. Now you can customize the block and warning page to display an external event ID that a user will see in the browser. You can use this to further correlate the event in the CMA using the Event Reference ID:
https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page#heading-3

How to enable this feature?
Enable this for the Warning and Block page separately: CMA > Administration > Branding > Warning / Block Page

How to correlate using the Event Reference ID?
From CMA > Event Monitoring you can use this reference ID to pivot directly to the event.

The power of Smart SASE - Cato Remote Port Forwarding
Overview

If I interpret the latest comments on the SSE Gartner MQ '25, SASE is going to devour SSE soon. The use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA or steering hooks, let alone the publishers that are required to be hosted and maintained by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet with the following quick 3 steps.

How? Quick and easy 3 steps:
1. Check how many public IPs you are licensed for: Account > License > IP's
2. Assign an IP from the available Cato Public IPs for your preferred location: Network > Network Configuration > IP Allocation
3. Create an RPF rule using the IP you allocated in the last step: Security > Firewall > Remote Port Forwarding

The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature, but it works based on my testing. Question before you consider this option: wouldn't you rather use WAN firewall rules to control the same, instead of having the internal users access this resource using a public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites.

Best Practices around RPF
- Tightly control the rule by limiting access to source IPs. If you see an exclamation mark like the one in the first rule in the screenshot, take action!
- Host your critical servers behind DDoS/WAF protection if you must allow 0/0.
- RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic, using an Internet Type Network rule with higher priority, P8 for example).

References
- https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account
- https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF
- https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic
- https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic
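The two RPF best practices above (limit the sources, and put anything that must allow 0/0 behind DDoS/WAF) can be checked mechanically. This added example (not Cato's code or the post author's) audits a constructed set of RPF rules; the rule field names are assumptions for the example, not Cato's export format.

```python
import ipaddress

# Constructed RPF rules, not an export from a real account. The field names are
# assumptions for this example; only the practices they test come from the post.
RPF_RULES = [
    {"name": "vpn-gateway",  "public_port": 443,  "sources": ["0.0.0.0/0"],
     "behind_ddos_waf": False},
    {"name": "partner-sftp", "public_port": 22,   "sources": ["203.0.113.0/24"],
     "behind_ddos_waf": False},
    {"name": "webshop",      "public_port": 443,  "sources": ["0.0.0.0/0"],
     "behind_ddos_waf": True},
    {"name": "legacy-rdp",   "public_port": 3389,
     "sources": ["198.51.100.7/32", "::/0"], "behind_ddos_waf": False},
]

def is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the 'allow 0/0' case from the post."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rpf(rules):
    """Return {rule name: severity} for every rule that is open to the internet.
    HIGH: any-source with no DDoS/WAF in front (restrict sources or add protection).
    INFO: any-source, but the server is behind DDoS/WAF as the post recommends.
    Rules whose sources are all restricted meet the first best practice and are
    not reported."""
    findings = {}
    for rule in rules:
        if not any(is_any_source(s) for s in rule["sources"]):
            continue
        findings[rule["name"]] = "INFO" if rule["behind_ddos_waf"] else "HIGH"
    return findings

if __name__ == "__main__":
    for name, severity in audit_rpf(RPF_RULES).items():
        print(f"{severity:4s} {name}: exposed to 0/0")
```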