Configuring IPS and Geo Restriction on Cato Cloud

Why IPS and Geo Restriction Are Non-Negotiable?

Cyber threats do not wait for organizations to be ready. Every unprotected network segment, every unvalidated packet, every connection to a known malicious resource is an opportunity for attackers — and the window between vulnerability disclosure and active exploitation is measured in hours, not weeks.

Intrusion Prevention Systems (IPS) exist precisely to close that window. Where firewalls control which traffic is permitted based on rules, IPS analyzes permitted traffic for signs of malicious behavior, known exploit patterns, protocol anomalies, and communication with compromised infrastructure — blocking threats that rule-based firewalls were never designed to catch.

Geo Restriction adds a complementary layer of control. When an organization has no legitimate business reason to communicate with specific countries or regions, blocking all traffic to and from those locations at the network level eliminates an entire category of threat surface — inbound attacks, outbound data exfiltration, and command-and-control communications — before any payload-level analysis is even required.

Cato Cloud delivers both capabilities as integrated cloud-native services, managed through a single interface and applied consistently across all sites, remote users, and network segments. This guide explains how Cato's IPS service works, what protection layers it provides, and walks through the exact configuration steps for IPS Protection Policy and Geo Restriction rules — including a practical example blocking traffic to and from Iran and North Korea.

Get started with Cato SASE

What is Cato IPS? A Multi-Layer Security Architecture

Cato's IPS service is not a single detection mechanism — it is a multi-layer security architecture that combines several distinct protection capabilities, each addressing a different category of threat. Understanding what each layer does clarifies why IPS catches threats that other security controls miss.

Behavioral Signatures

Behavioral signatures protect against deviations from normal, expected behavior at the system or user level. Rather than matching traffic against a static list of known bad patterns, behavioral analysis establishes what normal looks like for a given environment — and flags anything that deviates meaningfully from that baseline.

Cato's behavioral analysis is powered by big data analytics and deep visibility across traffic flows across the entire Cato Cloud — a scale that individual enterprise security deployments cannot replicate. Patterns that look innocuous in isolation become clearly malicious when viewed across millions of concurrent flows, and Cato's global visibility enables detection at that level.

Reputation Analysis

Reputation analysis protects against inbound and outbound communication with compromised or malicious resources. Every connection attempt — whether initiated from inside the network to an external resource, or from an external source to internal resources — is evaluated against reputation feeds that identify known malicious IP addresses, domains, and infrastructure.

This layer catches communications with known command-and-control servers, known malware distribution points, compromised hosting infrastructure, and other resources whose reputation has been established through global threat intelligence. It is particularly effective at blocking the initial stages of an attack before any payload is delivered.

Known Vulnerabilities (CVE Protection)

Known vulnerability protection targets traffic that matches patterns associated with specific CVEs — documented vulnerabilities in operating systems, applications, network services, and infrastructure components. Cato maintains and continuously updates its CVE signature database, rapidly incorporating new vulnerabilities as they are disclosed and as exploit code becomes available in the wild.

This protection layer is critical because the gap between CVE disclosure and active exploitation is shrinking. Organizations that rely on patch cycles alone to address vulnerabilities leave themselves exposed during the window between disclosure and remediation. IPS CVE protection provides a network-level shield during that window, blocking exploit attempts even against unpatched systems.

Anti-Bot Protection

Anti-Bot protection specifically targets outbound traffic to command-and-control (C&C) servers — the infrastructure that malware uses to receive instructions, exfiltrate data, and propagate through the network after an initial compromise. This protection layer is based on a combination of C&C reputation feeds and network behavioral analysis.

Detecting and blocking C&C communications is particularly valuable because it can identify and contain a compromise even after an endpoint has been infected. A device that has been compromised but cannot communicate with its C&C server is significantly limited in what damage it can do — and the C&C communication attempt itself is a high-confidence indicator that triggers investigation and response.

Network Behavioral Analysis

Network behavioral analysis protects against inbound and outbound network scanning — reconnaissance activity that precedes most targeted attacks. Port scans, host discovery sweeps, and service enumeration attempts are detected based on behavioral patterns rather than static signatures, catching scanning activity regardless of the specific tools or techniques used.

Early detection of scanning activity is valuable because it identifies potential attack precursors before any exploitation attempt occurs, providing an opportunity to investigate the source and take preventive action.

Protocol Validation

Protocol validation protects against invalid or malformed packets — traffic that does not conform to the expected specification for its protocol. Many exploits depend on protocol anomalies to trigger vulnerabilities in parsing code, bypass inspection systems, or deliver payloads through channels that security controls do not expect to carry executable content.

By enforcing protocol conformance, Cato IPS reduces the attack surface available to exploit developers who rely on anomalous traffic to evade detection or trigger vulnerable code paths.

Geo Restriction

Geo Restriction enforces a custom country-level traffic policy — blocking inbound traffic, outbound traffic, or both, for specific countries based on IP address geolocation. This is a coarse but highly effective control for organizations that have no legitimate business need to communicate with specific regions and want to eliminate that traffic category entirely rather than analyzing it for threats.

Talk to our Cato SASE Expert

IPS Policy Actions: Block vs Monitor

Before configuring the IPS Protection Policy, it is important to understand the two available actions and when each is appropriate.

Block stops the matched traffic and prevents it from reaching its destination. When applicable, the user is redirected to a dedicated blocking web page. An event is generated in the Events screen for logging and visibility. Block is the appropriate action for any traffic category where the confidence in the IPS detection is high enough that legitimate traffic false-positives are unlikely, or where the risk of allowing a true positive is high enough that occasional false-positives are an acceptable cost.

Monitor allows the matched traffic to continue to its destination but generates an event in the Events screen for visibility and investigation. Monitor is appropriate during initial IPS deployment when false-positive rates are unknown, for traffic categories where the consequences of blocking legitimate traffic are high, or for outbound traffic where the organization wants visibility before committing to a block posture.

A best practice approach — and the one reflected in the configuration example in this guide — is to apply Block to WAN and inbound traffic immediately, while using Monitor for outbound traffic initially. This posture protects against inbound threats from the first day while allowing time to tune outbound detection before moving to a block action.

Step-by-Step: Configuring the IPS Protection Policy

The following configuration creates an IPS Protection Policy that blocks WAN and inbound Internet traffic, monitors outbound Internet traffic, and sends email notifications for all blocked traffic categories.

Step 1: Access the IPS Configuration

From the Cato Management Application navigation menu, click Security, then select IPS. In the IPS page, click the Protection Policy tab.

Step 2: Enable the IPS Policy

Click the slider toggle to enable the IPS policy. The toggle turns green when IPS is active. IPS does not apply to any traffic until the policy is enabled.

Step 3: Configure WAN Traffic — Block with Email Notification

In the Protection Policy section, click WAN Traffic to open the Edit panel.

In the Action drop-down menu, select Block. In the Track field, select Email Notification. Click Apply.

This configuration ensures that any IPS-matched traffic on the WAN — traffic between your sites — is blocked immediately and triggers an email notification. WAN traffic is typically internal enterprise traffic, and IPS matches against WAN traffic are a high-confidence indicator of lateral movement, insider threat activity, or a compromised internal host attempting to spread.

Step 4: Configure Inbound Traffic — Block with Email Notification

Click Inbound Traffic to open the Edit panel.

In the Action drop-down menu, select Block. In the Track field, select Email Notification. Click Apply.

Blocking inbound traffic with email notification provides immediate protection against inbound exploit attempts, scanning, and reputation-matched sources, with full visibility through email alerts for security team review.

Step 5: Configure Outbound Traffic — Monitor without Notification

Click Outbound Traffic to open the Edit panel.

In the Action drop-down menu, select Monitor. In the Track field, ensure Email Notification is cleared. Click Apply.

Monitoring outbound traffic without email notification provides visibility into potential outbound threats — including C&C communications and data exfiltration attempts — without generating alert noise during the initial tuning period. Review Events regularly and adjust to Block once confidence in the detection is established.

Step 6: Save the Policy

Click Save. The IPS Protection Policy settings are saved for the account and take effect immediately across all sites and traffic flows.

Also Read: What is Shadow IT? Why You Need Cato SASE to Defend Your Network

Important Consideration: False Positives and Legitimate Traffic

IPS systems match traffic against signatures, behavioral patterns, and reputation data — all of which carry a small risk of false-positive matches where legitimate traffic is incorrectly identified as malicious.

Before moving any traffic category from Monitor to Block, review the Events screen for IPS-matched traffic in that category and verify that matches represent genuine threats rather than legitimate business traffic. Pay particular attention to custom applications, legacy protocols, and traffic to business partners whose infrastructure may have reputation issues unrelated to your specific relationship with them.

If you need to block traffic from a specific country at the Geo Restriction level while allowing access to a specific FQDN in that country, use the Internet Firewall rather than IPS Geo Restriction. IPS Geo Restriction rules are based on IP address geolocation and do not support FQDN-level exceptions — the Internet Firewall provides the granularity required for that use case.

Step-by-Step: Configuring Geo Restriction Rules

The following configuration creates a Geo Restriction rule that blocks all traffic — inbound and outbound — to and from Iran and North Korea, with maximum visibility through Event and Email Notification tracking.

Step 1: Access the Geo Restriction Configuration

From the navigation menu, click Security, then select IPS. In the IPS page, click the Geo Restriction tab, or expand the Geo Restriction section if it is collapsed.

Step 2: Create a New Rule

Click New. The Add panel opens.

Step 3: Name the Rule and Set Direction

Enter a descriptive name for the rule — for example, "Block Iran and North Korea — Both Directions." In the Direction field, select Both Directions to apply the rule to all traffic regardless of whether it originates inside or outside your network.

Step 4: Select the Target Countries

In the Countries section, add Iran and Korea, Democratic People's Republic of (North Korea). Both countries must be added individually from the country selection list.

Step 5: Set the Action to Block

In the Action field, select Block. This ensures all traffic matching the geolocation criteria — both inbound and outbound — is blocked before it reaches its destination or leaves your network.

Step 6: Configure Maximum Visibility Tracking

In the Track field, select both Event and Email Notification. This configuration provides the maximum available visibility for traffic matching this rule — every match generates a logged event in the Events screen and triggers an email notification for immediate security team awareness.

Step 7: Apply and Save

Click Apply, then click Save. The Geo Restriction rule takes effect immediately across all sites and traffic flows.

Also Read: What is Cato Business Continuity Planning (BCP)?

Critical Notes on Geo Restriction Behavior

IPS Geo Restriction applies to RPF resources. If you configure a Geo Restriction rule for inbound traffic, that rule also applies to Remotely Published Firewall (RPF) resources. Ensure that any RPF resources that require legitimate inbound access from countries targeted by Geo Restriction rules are handled appropriately before enabling the rule.

IPS Geo Restriction does not apply to SDP Clients. Geo Restriction rules configured in the IPS policy are not applied to traffic from Cato SDP Clients — remote users connecting through the Cato Client application. To block SDP Client connections from specific regions, configure rules in the Client Connectivity Policy, which provides separate geographic access controls for remote users.

Geo Restriction is based on IP address geolocation, not domain. The geolocation determination is made based on the IP address of the traffic source or destination, not on domain name or any application-layer attribute. VPN services and anonymization infrastructure can affect geolocation accuracy. For domain-level controls, use the Internet Firewall.

FQDN exceptions require Internet Firewall. If you need to block traffic from a country but allow access to a specific FQDN hosted in that country, IPS Geo Restriction cannot support that exception. Configure the FQDN allowance in the Internet Firewall, which operates at the domain level and can be used alongside Geo Restriction rules.

Why These Specific Countries? Understanding High-Risk Geo Restriction Targets

Iran and North Korea are among the most frequently cited sources of state-sponsored cyber threats in threat intelligence reporting from governments and private security researchers globally. Both countries have well-documented advanced persistent threat (APT) groups with histories of targeting financial institutions, critical infrastructure, healthcare organizations, defense contractors, and government agencies.

For organizations that have no legitimate business operations requiring communication with these countries, applying Geo Restriction is a straightforward risk reduction measure. The rule eliminates inbound attack traffic from these sources, prevents outbound communication with any infrastructure hosted in these regions — including C&C servers that may be using hosting in those countries — and provides a logged, auditable record of any traffic that matches the rule.

Organisations subject to regulatory compliance requirements — including OFAC sanctions compliance for US-based entities — may also have a legal obligation to prevent transactions and communications with these jurisdictions, making Geo Restriction a compliance control as well as a security control.

Conclusion

In a threat landscape where attackers move faster than patch cycles, where compromised infrastructure is reused across multiple campaigns, and where state-sponsored threat actors target organizations of every size and sector, relying on firewall rules alone is no longer sufficient.

Cato IPS addresses the threats that rule-based firewalls cannot: behavioral anomalies, reputation-matched communications, protocol-level exploits, and bot activity. Geo Restriction addresses the threats that payload-level analysis introduces unnecessary complexity to handle: traffic from regions where no legitimate communication should occur.

Together, they represent a defense-in-depth posture that is both technically comprehensive and operationally straightforward to implement. The configuration described in this guide — blocking WAN and inbound traffic, monitoring outbound traffic, and enforcing Geo Restriction for high-risk countries — can be completed in under fifteen minutes and provides immediate, meaningful improvement to an organization's network security posture.

For security teams looking to strengthen their Cato Cloud deployment, IPS and Geo Restriction are not optional add-ons — they are foundational controls that should be among the first security services configured after initial site provisioning is complete.

Book a Call with Our Experts

Frequently Asked Questions

What is Cato IPS and what does it protect against?

Cato IPS is a multi-layer intrusion prevention service that protects against behavioral anomalies, reputation-matched malicious resources, known CVE exploits, bot and C&C communications, network scanning, and protocol anomalies. It applies to WAN, inbound, and outbound Internet traffic and is managed centrally through the Cato Management Application.

What is the difference between Block and Monitor in Cato IPS?

Block stops matched traffic from reaching its destination and generates an event log entry. Monitor allows matched traffic to continue but generates an event for visibility. Monitor is useful during initial deployment to identify false positives before committing to blocking. Block is appropriate once confidence in the detection is established.

What is Geo Restriction in Cato IPS?

Geo Restriction allows administrators to block all traffic — inbound, outbound, or both directions — to and from specific countries, based on IP address geolocation. It is a coarse but highly effective control for eliminating traffic from countries with which the organization has no legitimate business relationship.

Does IPS Geo Restriction apply to SDP remote users?

No. IPS Geo Restriction rules do not apply to traffic from Cato SDP Clients. To restrict SDP Client connections based on geographic location, configure rules in the Client Connectivity Policy.

Can I block a country but allow a specific website in that country?

Not through IPS Geo Restriction alone, as it operates on IP address geolocation and does not support FQDN-level exceptions. To allow a specific FQDN while blocking the country, configure the FQDN exception in the Internet Firewall alongside the Geo Restriction rule.