    Segmenting IoT and OT Devices Using Cato WAN and Internet Firewalls

    Anas Abdu Rauf
    March 1, 2026
    Illustration: IoT and OT devices segmented through Cato WAN and Internet Firewalls, with centralized policy enforcement preventing lateral movement and controlling external traffic exposure in a unified SASE architecture.

    Cato Networks designed Cato SASE to solve a problem nearly every enterprise now faces: how do you safely segment and control IoT and OT devices that you cannot install agents on, without adding more infrastructure or point products?

    From building management systems and cameras to industrial controllers and medical equipment, IoT and OT devices now sit directly on corporate networks. They generate value, but they also expand the attack surface, and traditional network segmentation methods were never built for this scale or diversity.


    Cato approaches this challenge differently: by applying device-aware policy enforcement directly inside the WAN and Internet firewalls, using passive discovery and unified policy control.

    This blog explains how Cato enables practical IoT and OT segmentation—what traffic is controlled, where enforcement happens, and why this approach scales better than legacy network designs.

     

    Why IoT and OT Segmentation Is Fundamentally Different

    Unlike laptops or mobile endpoints, most IoT and OT devices:

    • Cannot run agents
    • Cannot authenticate users
    • Use fixed or limited protocols
    • Operate autonomously
    • Remain online continuously
       

    This makes user-identity-based or agent-based enforcement ineffective for them.

    At the same time, these devices typically generate:

    • North–south traffic (device to internet or cloud services)
    • East–west traffic (device to internal systems or other devices)

    Effective segmentation must control both directions, without relying on VLAN sprawl, ACL complexity, or hardware firewalls at every site.

     

    How Cato Discovers IoT and OT Devices (Agentless by Design)

    Cato uses passive device discovery as part of its Device Inventory service.

    Instead of relying on agents, Cato identifies devices by analyzing:

    • DHCP metadata
    • MAC addresses
    • Network traffic behavior
    • Protocol signatures
    • Application patterns
       

    Discovered devices are classified into attributes such as:

    • Device category (IT, IoT, OT)
    • Device type
    • Manufacturer
    • Model (when identifiable)
    • Operating system (when identifiable)

    These attributes are then used directly in firewall policy enforcement.
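    To make the passive-discovery idea concrete, the following is an added example (not Cato's discovery engine or its code) of how a collector can classify a device from the signals listed above: the MAC OUI, the DHCP vendor class identifier (option 60), and the protocols the device is seen speaking. The OUI table, the DHCP strings, the categories and device types implied by each port signature, and the observations themselves are all constructed for the illustration; a real collector would use the IEEE OUI registry and far richer signatures.

```python
"""Added illustration of passive, agentless device classification from the
signals the article lists: MAC OUI, DHCP metadata and protocol behaviour.
This is not Cato's discovery engine; the OUI table, DHCP strings, the
categories implied by port signatures and the observations are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed OUI -> manufacturer table (a real collector would use the IEEE registry).
OUI_TABLE = {
    "00:11:22": "Example Controls",
    "00:33:44": "Example Cameras",
    "00:55:66": "Example Sensors",
}

# Protocol signatures keyed by well-known port; implied category and type are heuristics.
PROTOCOL_SIGNATURES = {
    ("tcp", 502): ("Modbus/TCP", "OT", "PLC"),
    ("tcp", 102): ("S7comm", "OT", "PLC"),
    ("udp", 47808): ("BACnet/IP", "OT", "Building controller"),
    ("tcp", 554): ("RTSP", "IoT", "IP camera"),
    ("tcp", 445): ("SMB", "IT", "Workstation"),
}

# DHCP option 60 (vendor class identifier) fragments and what they hint at.
DHCP_HINTS = {
    "msft": ("IT", "Windows host"),
    "udhcp": ("IoT", "Embedded Linux device"),
}

PROTOCOL_WEIGHT, DHCP_WEIGHT = 2, 1   # observed behaviour outweighs a self-reported DHCP string


@dataclass
class Observation:
    mac: str
    dhcp_vendor_class: str = ""                 # option 60 as seen by a passive collector
    talks: list = field(default_factory=list)   # (proto, dst_port) flows initiated by the device


@dataclass
class Classification:
    mac: str
    category: str
    device_type: str
    manufacturer: str
    evidence: list


def classify(obs):
    """Vote across evidence sources; the heaviest category wins, then its best device type."""
    oui = obs.mac[:8].lower()
    manufacturer = OUI_TABLE.get(oui, "Unknown")
    evidence = [f"oui {oui} -> {manufacturer}"]
    votes = Counter()            # (category, device_type) -> accumulated weight
    for proto, port in obs.talks:
        sig = PROTOCOL_SIGNATURES.get((proto, port))
        if sig is None:
            continue
        name, category, device_type = sig
        votes[(category, device_type)] += PROTOCOL_WEIGHT
        evidence.append(f"{name} {proto}/{port} -> {category}/{device_type}")
    vendor_class = obs.dhcp_vendor_class.lower()
    for fragment, (category, device_type) in DHCP_HINTS.items():
        if fragment in vendor_class:
            votes[(category, device_type)] += DHCP_WEIGHT
            evidence.append(f"dhcp option 60 '{obs.dhcp_vendor_class}' -> {category}/{device_type}")
    if not votes:
        return Classification(obs.mac, "Unknown", "Unknown", manufacturer, evidence)
    by_category = Counter()
    for (category, _), weight in votes.items():
        by_category[category] += weight
    category = by_category.most_common(1)[0][0]
    device_type = max((k for k in votes if k[0] == category), key=votes.__getitem__)[1]
    return Classification(obs.mac, category, device_type, manufacturer, evidence)


def classify_all(observations):
    return {obs.mac: classify(obs) for obs in observations}


SAMPLE_OBSERVATIONS = [  # constructed sample traffic
    Observation("00:11:22:AA:BB:01", "udhcp 1.30.1", [("tcp", 502), ("tcp", 502)]),
    Observation("00:33:44:AA:BB:02", "udhcp 1.30.1", [("tcp", 554)]),
    Observation("00:99:99:AA:BB:03", "MSFT 5.0", [("tcp", 445)]),
    Observation("00:55:66:AA:BB:04"),   # silent so far: manufacturer known, role not yet
]

if __name__ == "__main__":
    for mac, c in classify_all(SAMPLE_OBSERVATIONS).items():
        print(mac, c.category, c.device_type, c.manufacturer, "|", "; ".join(c.evidence))
```

    The point of the evidence list is that every classification is traceable: when a rule later depends on "Device Category = OT", an operator can see which observations produced that label. The silent device shows the limit of passive discovery: until a device talks or requests an address, only its OUI is known, so its category stays Unknown and a default-deny rule is the safe choice.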

     

    Device-Based Segmentation Using Cato WAN Firewall

    The WAN Firewall controls traffic between users, sites, and internal resources across the Cato backbone.

    East–West Segmentation for IoT and OT

    With WAN Firewall rules, organizations can:

    • Allow OT devices to communicate only with required control systems
    • Block IoT devices from accessing corporate servers
    • Prevent lateral movement between device categories
    • Apply identical segmentation policies across all sites

    Result: segmentation that follows the device—not the physical network layout.

     

    Controlling Internet Exposure with Cato Internet Firewall

    The Internet Firewall governs how devices access the public internet.

    For IoT and OT environments, this enables:

    • Blocking internet access entirely for sensitive OT devices
    • Allowing IoT devices to reach only required destinations
    • Preventing unmanaged devices from accessing risky categories
    • Enforcing internet policies based on device identity

    Because the rules reference device attributes rather than addresses, they survive DHCP lease changes and re-addressing, and no static IP rules or per-device firewall configurations are needed. Those attributes are inferred passively, so confirm a device's classification in Device Inventory before relying on a rule that depends on it.

     

    Combining Device Attributes with Firewall Logic

    Cato firewall rules apply clear, predictable logic:

    • AND logic between different criteria
    • OR logic within a single criterion

    This allows highly controlled segmentation without complexity.

    Example logic:

    • Device Category = OT
      AND
    • Destination = Internet
       → Block

    Or:

    • Device Category = IoT
      AND
    • Manufacturer = Approved Vendor
      AND
    • Destination = Internal Application
       → Allow
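    The following is an added example, not Cato's code or its rule syntax, that models the logic described in this section and the two preceding ones: a device inventory with category, type and manufacturer attributes; a WAN (east-west) rule base and an Internet (north-south) rule base; AND between different criteria and OR within one criterion; first-match evaluation with implicit deny; and a per-rule hit count of the kind used for policy hit analysis. The devices, MAC addresses, internal address ranges, application labels, hostnames and rule names are all constructed for the illustration; the WAN/Internet split is made on whether the destination falls inside constructed RFC 1918 ranges.

```python
"""Added illustration of device-aware, first-match firewall policy: AND across
criteria, OR within one criterion, a WAN (east-west) and an Internet
(north-south) rule base, implicit deny, and per-rule hit counts.
This is not Cato's code or rule syntax; every device, address and rule below
is constructed sample data."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    category: str        # "IT", "IoT" or "OT", as a passive inventory would label it
    device_type: str
    manufacturer: str


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    criteria: dict       # attribute -> set of acceptable values (OR within a criterion)
    destinations: set    # application labels, hostnames, or "any-internet"


# Constructed inventory keyed by MAC, standing in for passive Device Inventory output.
INVENTORY = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "OT", "PLC", "Example Controls"),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "IoT", "IP camera", "Example Cameras"),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "IoT", "Sensor", "Example Sensors"),
    "00:11:22:33:44:04": Device("00:11:22:33:44:04", "IT", "Laptop", "Example PCs"),
}
# Constructed internal address space and application labels.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APP_MAP = {"10.10.1.10": "SCADA-Historian", "10.10.2.20": "BMS-App", "10.10.3.30": "CorpFileServer"}

POLICY = {
    "wan": [  # east-west rules, evaluated top to bottom
        Rule("OT-to-historian", "allow", {"category": {"OT"}}, {"SCADA-Historian"}),
        # OR within the manufacturer criterion, AND with the category criterion
        Rule("approved-IoT-to-BMS", "allow",
             {"category": {"IoT"}, "manufacturer": {"Example Sensors", "Example Thermostats"}},
             {"BMS-App"}),
        Rule("IT-to-file-server", "allow", {"category": {"IT"}}, {"CorpFileServer"}),
    ],
    "internet": [  # north-south rules
        Rule("OT-no-internet", "block", {"category": {"OT"}}, {"any-internet"}),
        Rule("IoT-telemetry-only", "allow", {"category": {"IoT"}}, {"telemetry.example-sensors.test"}),
        Rule("IT-general-internet", "allow", {"category": {"IT"}}, {"any-internet"}),
    ],
}


def match_criteria(device, criteria):
    """AND across different criteria; OR within one criterion's value set."""
    return all(getattr(device, attr) in values for attr, values in criteria.items())


def classify_destination(dst_ip, dst_host=None):
    """Choose the rule base: internal address -> WAN firewall, anything else -> Internet firewall."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "wan", APP_MAP.get(dst_ip, "unknown-internal")
    return "internet", dst_host or "unknown-public"


def dest_matches(rule, scope, label):
    return label in rule.destinations or (scope == "internet" and "any-internet" in rule.destinations)


def evaluate(src_mac, dst_ip, dst_host=None, policy=POLICY):
    """First matching rule wins; an undiscovered device or no match falls to implicit deny."""
    device = INVENTORY.get(src_mac)
    if device is None:
        return "block", "unknown-device"
    scope, label = classify_destination(dst_ip, dst_host)
    for rule in policy[scope]:
        if match_criteria(device, rule.criteria) and dest_matches(rule, scope, label):
            return rule.action, rule.name
    return "block", f"{scope}-implicit-deny"


def run(flows, policy=POLICY):
    """Evaluate flows and tally hits per rule, the raw material of policy hit analysis."""
    decisions = [evaluate(*flow, policy=policy) for flow in flows]
    return decisions, Counter(name for _, name in decisions)


SAMPLE_FLOWS = [  # (src MAC, dst IP[, dst hostname]); constructed traffic
    ("00:11:22:33:44:01", "10.10.1.10"),                                      # PLC -> historian
    ("00:11:22:33:44:01", "10.10.3.30"),                                      # PLC -> file server (lateral)
    ("00:11:22:33:44:01", "203.0.113.10", "update.example-controls.test"),    # PLC -> internet
    ("00:11:22:33:44:03", "10.10.2.20"),                                      # approved sensor -> BMS
    ("00:11:22:33:44:02", "10.10.2.20"),                                      # unapproved camera -> BMS
    ("00:11:22:33:44:03", "203.0.113.20", "telemetry.example-sensors.test"),  # sensor -> its cloud
    ("00:11:22:33:44:02", "203.0.113.30", "cdn.example-cameras.test"),        # camera -> other site
    ("00:11:22:33:44:04", "203.0.113.40", "www.example.com"),                 # laptop -> internet
    ("aa:bb:cc:dd:ee:ff", "10.10.1.10"),                                      # never discovered
]

if __name__ == "__main__":
    decisions, hits = run(SAMPLE_FLOWS)
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(f"{flow[0]} -> {flow[1]:<14} {decision[0]:<5} ({decision[1]})")
    print(dict(hits))
```

    Two details are worth checking in any real rule base the same way. First, the implicit deny at the end of each rule base is what actually prevents lateral movement: the PLC reaching the file server is blocked not by a written rule but by the absence of an allow. Second, the hit counter separates "blocked by OT-no-internet" from "blocked by implicit deny", which is the distinction an operator needs when reviewing firewall events to decide whether a block was intended or whether a legitimate flow is missing a rule.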

     

    Why This Model Scales Better Than Traditional Segmentation

    Legacy IoT/OT segmentation depends on:

    • VLAN expansion
    • Zone-based firewalls
    • On-site appliances
    • Manual rule replication

    Cato replaces this with:

    • Centralized policy management
    • Global enforcement across WAN and internet paths
    • Identity- and device-aware rules
    • Reduced operational overhead

    Segmentation becomes policy-driven, not topology-driven.

     

    Operational Visibility and Enforcement Confidence

    Cato provides visibility through:

    • Device Inventory views
    • Firewall event logs
    • Security dashboards
    • Policy hit analysis

    Security teams gain confidence by knowing:

    • Which devices are active
    • Which policies are applied
    • What traffic is blocked and why
    • Where segmentation boundaries exist
       

    Strategic Impact of IoT and OT Segmentation in Cato

    By using WAN and Internet firewalls for IoT and OT segmentation, organizations achieve:

    • Reduced lateral movement risk
    • Controlled internet exposure
    • Consistent global enforcement
    • Simplified operations
    • Stronger audit readiness

    Segmentation becomes a core security control, not an operational burden.



     

    Infographic: "IoT & OT Segmentation with Cato SASE", covering agentless device discovery, classification, dual WAN and Internet firewall enforcement, and centralized policy control for IoT and OT devices.

     

    FAQs – IoT and OT Segmentation in Cato SASE

    How does Cato segment IoT and OT devices without installing agents?

    Cato uses passive device discovery through its Device Inventory service. Devices are identified and classified based on network traffic patterns, protocols, MAC addresses, and DHCP metadata. This allows segmentation policies to be enforced without installing agents or modifying the devices, which is critical for IoT and OT environments.

     

    What is the difference between WAN Firewall and Internet Firewall for IoT/OT segmentation?

    The WAN Firewall controls east–west traffic, such as communication between devices, sites, and internal applications.
    The Internet Firewall controls north–south traffic, governing how devices access the public internet.

    Together, they provide complete segmentation coverage for IoT and OT devices.

     

    Can Cato prevent lateral movement between IoT, OT, and IT environments?

    Yes. Using device-aware WAN Firewall rules, Cato can restrict IoT and OT devices so they communicate only with explicitly allowed systems. This prevents lateral movement into IT environments or between device categories, reducing the blast radius of a compromised device.

     

    Does device-based segmentation in Cato require static IP addresses?

    No. Cato enforces policies based on device identity and attributes, not IP addresses. This eliminates the need for static IP management and makes segmentation resilient to network changes.

     

    How does Cato handle internet access for IoT and OT devices that require cloud connectivity?

    Cato Internet Firewall rules can allow only specific destinations or categories for IoT devices while blocking all other internet access. OT devices that should not reach the internet can be completely restricted, reducing exposure to external threats.

     

    Where can security teams verify that IoT and OT segmentation policies are working?

    Administrators can validate enforcement through:

    • Device Inventory pages
    • Firewall event logs
    • Security dashboards
    • Policy hit counts

    These views provide clear evidence of which policies are applied and which traffic is allowed or blocked.

     

    Why is Cato’s segmentation approach better than VLAN-based designs?

    VLAN-based segmentation depends on physical topology, manual configuration, and ongoing maintenance.
     Cato’s approach is policy-driven and centralized, enabling segmentation that scales across sites, users, and devices without increasing operational complexity.

     

    How does IoT and OT segmentation support Zero Trust principles in Cato?

    Zero Trust requires continuous validation and least-privilege access.
     By enforcing device-aware segmentation at the firewall level—regardless of location—Cato ensures that IoT and OT devices can access only what they are explicitly allowed, aligning directly with Zero Trust architecture principles.


    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas shares his insights and expertise with readers.
