Understanding Threat Prevention Policies in Cato

Introduction

Cyberattacks are growing more sophisticated, and protecting your network requires more than just traditional firewalls. Cato SASE integrates advanced threat prevention policies natively into its global backbone. These policies combine next-generation firewalling, IPS (Intrusion Prevention System), Anti-Malware, DNS Security, and cloud-delivered intelligence to stop threats before they reach your users or applications.
 

This blog explores how to configure and manage Cato’s threat prevention policies, leverage Managed Threat Intelligence, monitor blocked traffic, and align controls with your organization’s security posture.

Key Takeways

• What threat prevention policies in Cato are and how they work
• Key inspection engines (IPS, Anti-Malware, DNS Security, TLS Inspection)
• How Managed Threat Intelligence enhances protection
• Configuring prevention profiles per site, user, or application
• Using policy exceptions for business needs
• Monitoring security events and threat logs
• Real-world example of blocking ransomware traffic

Core Elements of Threat Prevention in Cato

Cato delivers multi-layered security across all traffic (WAN and internet) with the following engines:

• Next-Gen Firewall (NGFW) – App- and identity-aware access controls.
• IPS (Intrusion Prevention System) – Blocks exploits, vulnerabilities, tunneling, stealth protocols, and suspicious activity in real time.
• Anti-Malware – Detects and prevents malware, ransomware, and file-based attacks using cloud signatures and heuristics.
• DNS Security – Stops access to malicious, phishing, and newly registered domains; supports sinkholing.
• TLS/SSL Inspection – Decrypts and inspects encrypted traffic for hidden threats.

These engines operate inline, enforcing policies without adding noticeable latency.
 

Managed Threat Intelligence

Cato’s backbone leverages Managed Threat Intelligence (MTI) to strengthen prevention:

• Ingests data from ~250 global sources.
• Tracks 20 million IOCs (Indicators of Compromise).
• Filters ~10% as false positives, enforcing ~18 million validated IOCs.
• Updates continuously, approximately every 3 hours.

This intelligence directly feeds IPS, DNS Security, Anti-Malware, and XDR for proactive protection.

Configuring Threat Prevention Policies

Threat prevention in Cato is profile-driven. Each site, socket, or user can inherit a prevention profile, which defines:

• Which engines are enabled (IPS, DNS, Malware, TLS)
• Enforcement action (Block, Alert, Allow)
• Logging preferences for blocked/allowed traffic
• Custom exceptions to allow trusted applications or domains

Steps to configure:

1. Navigate to Security > Threat Prevention in the management console.
2. Select or create a Prevention Profile.
3. Toggle engines such as IPS and Anti-Malware.
4. Configure actions: Block, Alert, or Allow + Logging.

5. Apply the profile to sites, users, or groups.

    

Managing Exceptions

Sometimes, legitimate applications may trigger false positives. To handle this:

• Add exceptions for trusted apps, file hashes, or domains.
• Narrow exceptions by user group or site instead of global.
• Review exceptions quarterly to minimize exposure.

DNS Protections Under IPS

Cato’s IPS policy includes DNS protections for advanced control:

• Block or sinkhole queries to malicious domains.
• Enforce restrictions on **newly registered domains **
• Allowlist trusted domains or DNS signatures to reduce false positives.
   

Monitoring Security Events

Cato provides detailed visibility into all blocked or allowed threats via:

• Events > Security Events – Shows IPS hits, malware blocks, DNS queries, TLS anomalies.
• Analytics > Threat Analytics – Trends, top affected sites, and user breakdowns.
• System Events – High-level prevention actions across the backbone.

Real-World Use Case: Blocking Ransomware Traffic

A financial services firm in Dubai deployed Cato SASE with IPS + Anti-Malware + DNS Security enabled. Within days:

• IPS blocked exploit attempts against an outdated VPN service.
• Anti-Malware prevented a ransomware dropper from downloading its payload.
• DNS Security sinkholed traffic to a known C2 domain, allowing quick host identification.

The SOC team used Threat Analytics to review all blocked attempts and reported zero successful breaches.
 

Tips for Effective Threat Prevention

• Enable TLS inspection for full visibility into encrypted traffic.
• Apply different prevention profiles for HQ/datacenters vs. branch sites.
• Use custom exceptions sparingly and review quarterly.
• Correlate threat prevention logs with your SIEM for end-to-end visibility.
• Test policies by running controlled red-team simulations.

Book a free consultation with our experts to explore how Cato’s IPS, DNS Security, and TLS inspection can safeguard your network. Book Now

FAQ 

What is Managed Threat Intelligence and how often is it updated?

Cato ingests ~250 sources, totaling ~20 million IOCs. After filtering false positives, ~18 million validated IOCs are enforced, updated automatically every ~3 hours.
 

Can I run IPS in monitor-only mode?

Yes. IPS can be configured to alert without blocking, useful for testing before enforcement.
 

How does DNS sinkholing help in threat response?

When a domain is sinkholed, the malicious query resolves to an internal IP, enabling administrators to trace the compromised host and respond quickly.
 

How are Anti-Malware exceptions configured?

You can allow trusted domains, file hashes, or applications in the Anti-Malware policy. Exceptions should be reviewed regularly to avoid exposure.
 

Does TLS inspection improve threat prevention?

Yes. TLS inspection enables detection of hidden exploits, malware downloads, and stealth tunneling protocols inside encrypted traffic.