Using Device Conditions in Cato Internet Firewall Rules for Granular Access Control

Modern internet security is no longer just about who the user is or what application they are accessing. In distributed enterprises, security decisions increasingly depend on the device itself -its type, operating system, manufacturer, and context.
 

The Cato Networks SASE platform addresses this need by allowing administrators to apply device-aware conditions directly inside Internet Firewall rules. By combining Cato’s Device Inventory intelligence with firewall policy enforcement, organizations gain precise, scalable control over internet access-without adding agents, tools, or manual classification workflows.

This blog explains how device conditions work in the Cato Internet Firewall, why they matter, and how they support Zero Trust and enterprise security outcomes.

Why Device-Aware Internet Firewall Policies Matter in Cato SASE

Traditional firewall policies rely on static constructs like IP ranges, users, or application categories. In contrast, Cato SASE enables security teams to enforce policies using real-world device context, including:

• Device operating system
• Manufacturer and model
• Device category and type
• OS version and platform
   

This approach allows organizations to:

• Apply different internet access rules to corporate laptops vs unmanaged devices
• Restrict sensitive SaaS access to approved device types
• Reduce risk exposure without over-blocking productivity tools

All of this is done natively inside the Cato Management Application (CMA).

How Device Conditions Work in the Cato Internet Firewall

Device conditions are configured directly inside Internet Firewall rules under the Device criteria section.

Where Device Conditions Are Applied

Administrators configure these rules in:

• Security → Internet Firewall in the CMA

Once added, device conditions become part of the rule-matching logic, evaluated for every internet session.

Device Attributes Available for Internet Firewall Policies

Cato populates device attributes through its Device Inventory engine, which passively analyzes network traffic and enriches it with metadata.

The following officially supported device attributes can be used in Internet Firewall rules:

• Category (e.g., IT, IoT, OT)
• Type (e.g., Workstation, Mobile, Printer)
• Operating System
• OS Version
• Manufacturer
• Model
   

These attributes are visible in:

• Home → Devices → Inventory
   and can be referenced directly in firewall policies.

Policy Logic: How Device Conditions Are Evaluated

Understanding the evaluation logic is essential to building effective Cato firewall rules.

Logic Between Device Conditions (AND)

When multiple different device conditions are configured in a single rule, they are evaluated using AND logic.

Example:
 A rule matches only if:

• OS = Windows
   AND
• Manufacturer = Dell
   AND
• Device Type = Workstation

Logic Within a Single Condition (OR)

When multiple values are selected within the same condition, they are evaluated using OR logic.

Example:

• OS = Windows OR macOS
• Manufacturer = Dell OR HP

Combining Device Conditions with Other Firewall Criteria

Device conditions can be combined with:

• Application or category
• User or user group
• Country
• Action (Allow / Block)

All conditions together must match for the rule to apply.

Cato documents several practical and enterprise-ready use cases for device-based enforcement.

Restricting Internet Access by Device Type

Organizations can allow access to specific SaaS applications only from approved device types, while blocking the same access from unmanaged or unknown devices.

Enforcing Manufacturer-Based Security Policies

Device manufacturer attributes can be used to ensure only approved hardware vendors are allowed to access specific internet resources.

Applying Consistent Policy Across Locations

Because device attributes are evaluated regardless of user location, the same Internet Firewall policy applies whether users are remote or onsite—supporting hybrid work securely.

Licensing and Prerequisites

Device Inventory License Requirement

Using device attributes in Internet Firewall rules requires a Device Inventory license, which is part of Cato’s IoT/OT Security capabilities.

MAC Address Detection Dependency

Firewall rules using device attributes are enforced only for devices whose MAC address has been detected.
 Cato recommends:

• Using Cato DHCP services
• Enabling traffic visibility for accurate detection
   

Operational Visibility and Monitoring

Administrators can verify device-based enforcement using:

• Device Inventory Page – confirms attribute values and data sources
• Device Dashboard – summarizes device activity and firewall events
• Events Page – shows Internet Firewall policy hits involving devices

This ensures device-aware policies are transparent, auditable, and easy to validate.

Strategic Value: Device-Aware Security in Cato SASE

By enabling device conditions in Internet Firewall rules, Cato SASE delivers:

• Stronger Zero Trust enforcement
• Reduced attack surface
• More accurate access decisions
• Unified policy control across users, devices, and locations

All without deploying additional agents or maintaining parallel security systems.

Enforce Zero Trust where it matters - at the device level → Schedule a free Cato Internet Firewall strategy session Now.

Frequently Asked Questions

How does Cato SASE use device conditions in Internet Firewall rules?

Cato SASE allows administrators to apply device attributes—such as OS, manufacturer, and device type—directly inside Internet Firewall rules, enabling granular, context-aware access control.

Which device attributes can be used in Cato Internet Firewall policies?

Cato Internet Firewall rules support attributes including device category, type, operating system, OS version, manufacturer, and model, sourced from the Cato Device Inventory engine.

Do device conditions in Cato SASE require the Cato Client?

No. Device attributes are derived from passive network detection. However, accurate enforcement depends on MAC address detection and Device Inventory licensing.

How does Cato SASE evaluate multiple device conditions in firewall rules?

Different device conditions use AND logic, while multiple values within the same condition use OR logic, ensuring flexible and precise policy design.

Is a Device Inventory license required for device-based firewall rules in Cato?

Yes. Using device attributes in Cato Internet Firewall rules requires a Device Inventory license as part of the IoT/OT Security service.

Where can administrators monitor device-based Internet Firewall enforcement in Cato SASE?

Admins can monitor enforcement via the Device Inventory page, Device Dashboard, and Events page within the Cato Management Application.

How do device conditions support Zero Trust in the Cato SASE platform?

By enforcing internet access based on verified device context—not just user identity—Cato SASE ensures continuous, device-aware Zero Trust enforcement.

Closing Note

Device conditions transform the Cato Internet Firewall from a traditional policy engine into a context-aware security control point. By combining device intelligence with unified SASE enforcement, Cato enables organizations to protect internet access with precision, simplicity, and scale.