
    Enforcing Firewall and Threat Protection Policies in Cato

    Anas Abdu Rauf
    July 25, 2025
    Visual guide showing Cato CMA interface for configuring Internet and WAN firewall rules, enabling threat protection, and monitoring security events in real time for UAE IT teams.

    Introduction

    Securing users, apps, and devices at scale begins with the right policy enforcement strategy. With Cato’s converged platform, firewall rules, threat prevention, and advanced security layers like IPS and anti-malware are all unified within a single policy engine. This eliminates fragmented security stacks and makes real-time policy enforcement intuitive for IT teams.

    Cato’s cloud-native architecture allows these policies to be managed centrally via the Cato Management Application (CMA), with enforcement executed at the nearest PoP, ensuring minimum latency and optimal performance. Whether managing hybrid networks or protecting remote workers, Cato’s security policies are flexible, identity-aware, and integrated into the broader SASE framework.

    In this blog, we’ll walk through how to configure, test, and monitor security policies using the new CMA UI, along with practical tips for applying Zero Trust principles and responding to real threats faster.

    Key Takeaways

    • Use Internet Firewall to enforce L3/L4 rules for outbound traffic
    • Secure internal apps and traffic using WAN Firewall policies
    • Enable IPS, Anti-Malware, and Next-Gen Threat Prevention in one click
    • Monitor security events with context using Threats and Events dashboards
    • Apply identity-based rules using AD or IdP integration
    • Leverage geo-location and TLS inspection for enhanced control

    Where to Start: Navigating to Security Policies in CMA

    In the updated CMA interface:

    • Go to Security > Internet Firewall to manage outbound access control rules
    • Use Security > WAN Firewall for east-west traffic segmentation between sites, users, and VLANs
    • Configure advanced threat prevention under Security > Threat Protection > Profiles
    • Track and investigate incidents using Security > Threats and Security > Events
    • Configure inspection of encrypted traffic under Threat Protection > TLS Inspection

    Cato Networks Security Dashboard displaying threat types, global traffic analysis, DNS protection metrics, top hosts and users, and real-time threat detection across regions.

    Internet Firewall – Controlling Outbound Access

    Use Cases

    • Prevent access to malicious domains and unsanctioned SaaS apps
    • Apply browsing restrictions based on content categories
    • Enforce geo-blocking for compliance and threat reduction

    Configuration

    • Define policies based on:
      • User identity or groups (via integrated IdP or AD)
      • Network attributes (site, subnet, device type)
      • Destination and service/port
    • Use Category Filtering (e.g., block ‘Gambling’, ‘Streaming Media’, ‘Proxy/Anonymizer’)
    • Schedule time-based rules (e.g., permit YouTube only during lunch hours)


    Cato Networks Firewall Policy Dashboard showing detailed rule configurations, applications, risk levels, actions, and enforcement status across the network.

    Real-World Tip

    Use identity-based access to tailor policies for different roles: allow DevOps teams full Git access while limiting interns to core documentation sites only.

    WAN Firewall – Secure Site-to-Site and Intra-org Traffic

    Use Cases

    • Restrict lateral movement to contain potential breaches
    • Limit cross-departmental access (e.g., Finance to HR)
    • Protect sensitive internal systems (e.g., ERP, SCADA) from generic LAN access

    Configuration

    • Rules can be scoped per:
      • Source/destination site or network object
      • Application or port
      • User or user group
    • Apply rules per VLAN or tag traffic using Cato-defined attributes
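    The Internet Firewall and WAN Firewall sections above both describe the same mechanism: an ordered rule list matched top-down on user group, source site, destination, service and schedule, with the first hit deciding the action. The following Python model is an added example written for this post, not Cato's own engine or rule schema; rule names, group names, sites, categories and the default action are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Illustrative model of an ordered, first-match policy; field names are my own, not Cato's schema.
@dataclass
class Rule:
    name: str
    action: str                                 # "allow" or "block"
    groups: set = field(default_factory=set)    # user groups from AD/IdP; empty = any user
    sites: set = field(default_factory=set)     # source sites; empty = any site
    dst: set = field(default_factory=set)       # destination apps, categories or sites; empty = any
    services: set = field(default_factory=set)  # e.g. "tcp/443"; empty = any service
    schedule: tuple = None                      # (start, end) local time window; None = always

    def matches(self, flow: dict) -> bool:
        def hit(selector, values):              # an empty selector matches everything
            return not selector or bool(selector & values)
        in_window = self.schedule is None or self.schedule[0] <= flow["time"] < self.schedule[1]
        return (hit(self.groups, flow["groups"]) and hit(self.sites, {flow["site"]})
                and hit(self.dst, flow["dst"]) and hit(self.services, {flow["service"]})
                and in_window)

def evaluate(rules, flow, default="block"):
    """Return (action, rule_name) from the first matching rule, else the policy default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"

# Constructed Internet Firewall policy using the page's examples. Order matters: the
# lunch-hour allow must sit above the general streaming block or it would never match.
INTERNET_RULES = [
    Rule("block-risky-categories", "block", dst={"Gambling", "Proxy/Anonymizer"}),
    Rule("youtube-at-lunch", "allow", dst={"YouTube"}, schedule=(time(12, 0), time(13, 0))),
    Rule("block-streaming", "block", dst={"Streaming Media"}),
    Rule("devops-git", "allow", groups={"DevOps"}, dst={"GitHub"}, services={"tcp/443", "tcp/22"}),
    Rule("interns-docs-only", "allow", groups={"Interns"}, dst={"Documentation"}),
    Rule("interns-catch-all", "block", groups={"Interns"}),
    Rule("general-web", "allow", services={"tcp/443", "tcp/80"}),
]
# Constructed WAN Firewall policy: ERP reachable only by Finance, Finance kept out of HR.
WAN_RULES = [
    Rule("finance-to-erp", "allow", groups={"Finance"}, dst={"ERP"}, services={"tcp/443"}),
    Rule("block-erp-from-lan", "block", dst={"ERP"}),
    Rule("finance-to-hr", "block", sites={"Finance-Dubai"}, dst={"HR-Site"}),
]

def flow(user, groups, site, dst, service="tcp/443", at=time(10, 0)):  # constructed session
    return {"user": user, "groups": set(groups), "site": site, "dst": set(dst),
            "service": service, "time": at}
```

    Reordering `block-streaming` above `youtube-at-lunch` silently disables the lunch exception, which is the kind of shadowed rule the Firewall Tester mentioned in the FAQ is meant to catch before it reaches production.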


    Cato Networks Internet Firewall Policy screen displaying traffic rules, source and destination IPs, service types, risk scores, and policy enforcement details across multiple applications.

    Best Practice

    Augment WAN Firewall rules with posture-based ZTNA policies to enforce access only from healthy, compliant devices.

    Threat Protection – One Click, Multi-Layer Defense

    Core Capabilities

    • IPS (Intrusion Prevention System): Detects and blocks known and unknown threats via behavioral signatures and heuristics
    • Next-Gen Anti-Malware: Uses multiple AV engines and Cato’s ML layer to detect evasive malware
    • DNS Security: Stops command-and-control callbacks and domain generation algorithms (DGAs)
    • TLS Inspection: Analyzes encrypted traffic to uncover hidden threats

    Enabling Protection

    • Navigate to Threat Protection > Profiles
    • Select a profile (Strict, Balanced, Custom)
    • Enable/disable protections per site, user group, or traffic type


    Cato Networks Threat Catalog interface showing categorized threat techniques, MITRE ATT&CK references, detection rules, and filtering options for deep threat analysis.

    Field-Proven Strategy

    For finance and legal departments, apply Strict protection with full TLS inspection. For R&D and testing environments, use Custom to avoid false positives and performance concerns.

    Monitoring Threats and Fine-Tuning Rules

    • Threats Dashboard shows:
      • Detection counts by type (Malware, Intrusion, Botnet)
      • Source site/user and action taken
      • Top destinations and categories blocked
    • Events provides:
      • Timestamped logs for every action
      • Drill-down capabilities to full session trace

    Cato Networks MITRE ATT&CK dashboard displaying adversary tactics and techniques, top threat detections, trend graphs, and security events mapped to the MITRE framework.

    Expert Tip

    Export logs to external SIEM platforms using Syslog or REST API for extended analytics. Correlate user behavior with threat detection to identify insider threats early.

    Next Steps

    1. Review and update existing Internet Firewall rules to reflect identity-aware and location-aware policies.
    2. Enable a Balanced Threat Protection profile organization-wide, then gradually adopt Strict mode for sensitive user groups.
    3. Simulate threat scenarios using public test files or Cato’s provided testing suite.
    4. Regularly audit the Security > Events logs for anomalies.
    5. Conduct quarterly reviews of WAN Firewall rules for segmentation compliance.

    FAQ Summary

    Can I create different firewall rules per user group?

    Yes. Use identity-based filtering integrated with AD or SAML IdPs.

    What happens when a threat is blocked?

    The incident is logged in the Threats dashboard and the user is immediately disconnected from the malicious domain or flow.

    Does threat protection slow down performance?

    Minimal. Inspection occurs at the nearest PoP using Cato’s optimized DPI engines.

    Can I import rules from existing firewalls?

    Not directly, but Cato offers templates and migration assistance.

    Is TLS inspection supported and safe for privacy-sensitive environments?

    Yes. You can enable inspection selectively and apply exceptions for banking or health services.

    How do I test if a firewall rule is working?

    Use the Network > Tools > Firewall Tester in CMA to validate rule behavior.


    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
