Platforms, Countries, and Origin of Connection: Advanced Device Criteria in Cato Firewall

As enterprises move toward Zero Trust architectures, enforcing security based only on IP addresses or network locations is no longer sufficient. Modern access decisions must consider who is connecting, from where, using what device, and under which conditions.
 

In Cato Networks SASE, firewall enforcement extends beyond traditional device attributes. The platform allows administrators to apply advanced device criteria - including Platform, Country, and Origin of Connection - to both WAN and Internet firewall policies.
 

These criteria enable organizations to build context-aware access controls that adapt to user mobility, hybrid work, and global operations—without fragmenting policy design.

This blog explains how these advanced criteria work, how they differ from device attributes and posture, and how they strengthen policy enforcement across the Cato SASE fabric.

Why Advanced Device Criteria Matter in Modern Firewall Policies

Enterprise traffic today originates from multiple contexts:

• Users working remotely or behind sites
• Devices moving between corporate and external networks
• Applications accessed from different geographic regions
• Mixed environments of managed and unmanaged endpoints

Firewall policies that rely only on device type or IP range cannot reliably handle this complexity.

Cato addresses this gap by allowing firewall rules to evaluate how and from where a connection originates—adding a critical layer of context to access decisions.

Understanding Platform-Based Enforcement in Cato Firewall

The Platform criterion allows firewall rules to evaluate traffic based on the operating system of the connecting device.

Supported platforms include:

• Windows
• macOS
• Linux
• iOS
• Android

How Platform Criteria Are Used

Platform conditions can be applied to:

• WAN firewall rules (internal traffic)
• Internet firewall rules (outbound access)

Typical use cases include:

• Allowing administrative access only from desktop operating systems
• Restricting sensitive applications from mobile platforms
• Applying different controls to BYOD vs corporate endpoints

Platform-based rules help organizations align access with device capability and risk profile, without relying on static network segmentation.

Country-Based Enforcement for Geographic Control

The Country criterion enables firewall rules to evaluate the geographic location of the device at the time of connection.

This is particularly relevant for:

• Remote users connecting from outside corporate regions
• Organizations with region-specific access requirements
• Reducing exposure from high-risk or unexpected locations

Documented Country Enforcement Behavior

• Country conditions can be combined with other device criteria
• Multiple countries within a rule follow OR logic
• Country criteria apply consistently across WAN and Internet firewall policies

This allows enterprises to:

• Restrict access to internal resources based on user location
• Apply tighter controls for connections originating outside approved regions

Origin of Connection: Remote vs Behind-Site Context

One of the most powerful and often misunderstood criteria in Cato firewall policies is Origin of Connection.

This condition distinguishes how traffic enters the Cato fabric, not just where it comes from.

Supported Origins

• Behind Site – Traffic originating from devices behind a Cato Socket
• Remote User – Traffic originating from a device using the Cato Client

This distinction allows organizations to apply different security policies depending on whether a device is:

• On a corporate network
• Accessing resources remotely
• Moving between office and remote contexts

How These Criteria Differ from Device Attributes and Posture

To design effective policies, it’s important to understand the roles of each control type:

Device Attributes

• Describe what the device is
• Derived from Device Inventory
• Used heavily for segmentation and classification

Device Posture Profiles

• Validate device compliance
• Enforced through the Cato Client
• Focus on security state (encryption, malware, processes)

Platform, Country, Origin

• Describe connection context
• Independent of inventory classification
• Evaluate environment, location, and access path

These controls are complementary not interchangeable and together enable layered Zero Trust enforcement.

Logical Evaluation in Firewall Rules

Cato applies consistent logic when evaluating firewall rules:

• AND logic between different criteria
  • Platform + Country + Origin + Device Attributes
• OR logic within a single criterion
  • Multiple platforms
  • Multiple countries

This ensures predictable, auditable enforcement across complex policies.

Practical Policy Design Examples

Example 1: Remote Access Control

Allow access to internal systems only if:

• Platform = Windows or macOS
• Origin = Remote User
• Country = Approved regions

Example 2: Office-Only Application Access

Allow application access only if:

• Origin = Behind Site
• Platform = Desktop OS

Example 3: Reduced Risk Exposure

Block internet access if:

• Origin = Remote User
• Country = Unapproved regions

Each of these examples relies on documented, supported Cato firewall behavior.
 

Operational Benefits for Security Teams

Using advanced device criteria provides:

• Clear separation between remote and on-site access
• Reduced policy sprawl through reusable conditions
• Improved audit readiness with explicit contextual rules
• Consistent enforcement across WAN and Internet traffic

Because all rules are enforced centrally, teams gain global visibility and control without managing multiple firewall layers.

Strategic Value: Context-Aware Security Without Complexity

By incorporating Platform, Country, and Origin of Connection into firewall policies, Cato SASE enables enterprises to:

• Enforce Zero Trust consistently across all access paths
• Adapt security to user mobility and global operations
• Reduce reliance on brittle network-based controls

This approach allows security teams to focus on policy intent, not infrastructure constraints.

Secure remote and on-site access with smarter firewall criteria → Schedule a free 30-minute Cato Firewall strategy session.
 

FAQs

How does Cato SASE use Platform criteria in firewall rules?

Cato SASE firewall rules can evaluate the operating system of a device (Platform) to apply access controls based on device capability and risk profile.

Can Cato firewall policies restrict access based on country?

Yes. Cato firewall rules support Country conditions, allowing enforcement based on the geographic location of the connecting device.

What does Origin of Connection mean in Cato firewall rules?

Origin of Connection identifies whether traffic originates from behind a Cato site or from a remote user using the Cato Client.

How is Origin of Connection different from Platform in Cato SASE?

Platform describes the device’s operating system, while Origin of Connection describes how the device connects to the Cato fabric (remote vs behind site).

Can Platform, Country, and Origin be combined in Cato firewall rules?

Yes. Cato firewall rules evaluate these criteria together using AND logic across conditions and OR logic within each condition.

Do these criteria apply to both WAN and Internet firewall policies in Cato?

Yes. Platform, Country, and Origin of Connection are supported in both WAN and Internet firewall policies.

How do these advanced criteria support Zero Trust in Cato SASE?

They enable context-aware access decisions that consider device environment, location, and connection path—key pillars of Zero Trust enforcement.