Device-Aware WAN Firewall Policies in Cato SASE

Enforcing Internal Segmentation and Protecting IT & OT Environments

Modern enterprise risk no longer comes only from the internet edge. Lateral movement, unmanaged internal devices, and uncontrolled site-to-site access now represent some of the most serious security gaps inside corporate networks. Traditional WAN firewalls, built around IPs and static zones, struggle to enforce meaningful segmentation once traffic moves inside the network.
 

This is where device-aware WAN firewall policies in Cato Networks SASE fundamentally change how internal security is enforced. By incorporating device context directly into WAN firewall rules, Cato allows enterprises to apply Zero Trust principles inside the network—without introducing complexity or multiple control planes.

This blog explains how Cato’s WAN firewall uses device awareness to secure east-west traffic, protect OT and IT assets, and deliver scalable internal segmentation across sites.

Why WAN Firewall Policies Need Device Context

In most enterprises, internal WAN traffic includes a mix of:

• Corporate user devices
• Servers and infrastructure workloads
• IoT and OT systems that cannot run agents
• Third-party or vendor-managed devices

Traditional WAN firewalls evaluate this traffic using network-centric identifiers such as IP ranges, VLANs, or site objects. These controls break down when:

• Devices move between networks
• IP addresses are reused or reassigned
• OT and IoT devices lack clear ownership
• Multiple device types share the same subnet

Cato’s WAN firewall addresses this by enforcing policies based on what the device is, not just where it sits on the network.

How Device Awareness Works in the Cato WAN Firewall

Cato applies device context to WAN firewall policies through its Device settings in the WAN firewall rule base.

The WAN firewall evaluates traffic using:

• Device Attributes derived from Device Inventory
• Device Posture Profiles (where applicable)
• Platform, Country, and Origin of Connection context

These conditions are evaluated before WAN traffic is allowed between sites, users, or resources.

This enables segmentation decisions such as:

• Which devices can communicate across sites
• Which internal systems are reachable by which device types
• Which OT systems are isolated from general IT traffic

All enforcement happens centrally in the Cato Cloud.

Applying Device Attributes in WAN Firewall Rules

Device Attributes allow WAN firewall rules to match traffic based on classified device characteristics, including:

• Category (IT, IoT, OT, Server)
• Type (Workstation, IP Camera, PLC, Printer)
• Manufacturer
• Model
• Operating System and OS Version

These attributes are populated by Cato’s Device Inventory engine, which passively analyzes WANbound and outbound traffic without requiring agents.

WAN Firewall Use Case: Internal Segmentation by Device Type

An enterprise can create WAN firewall rules such as:

• Allow IT workstations to access internal application servers
• Allow OT engineering stations to access OT controllers
• Block general IT devices from communicating with OT systems
   

Because enforcement is device-aware, segmentation remains intact even if:

• IP addresses change
• Devices move between sites
• Networks are re-architected

Protecting OT Systems with Device-Aware WAN Policies

OT environments are particularly difficult to secure because:

• OT devices cannot run endpoint agents
• Many rely on legacy protocols
• Flat networks are common

Cato’s WAN firewall enables OT protection using agentless device identification.

Documented OT Protection Pattern

Using Device Attributes in WAN firewall rules, administrators can:

• Identify OT devices by category or type
• Restrict which users or devices can access them
• Prevent unauthorized lateral movement into OT zones

For example:

• Allow access to a business-critical OT device only from specific authorized users or systems
• Block all other internal WAN traffic to that OT device

This aligns directly with Zero Trust segmentation principles for OT security.

Combining Device Context with Other WAN Firewall Criteria

Cato WAN firewall rules can combine device context with additional criteria to create precise internal policies.

Logical Evaluation Model

• AND logic between conditions
  • Device Attributes
  • Device Posture Profiles
  • Platforms
  • Countries
  • Origin of Connection
     
• OR logic within a single condition
  • Multiple platforms
  • Multiple manufacturers
  • Multiple attribute values
     

This allows policies such as:

• Allow traffic only if the device matches a specific type and meets posture requirements
• Allow multiple approved device manufacturers using a single rule
   

Device Posture in WAN Firewall Enforcement

For devices that support the Cato Client, WAN firewall rules can also include Device Posture Profiles.

This enables internal access control based on:

• Anti-malware presence
• Disk encryption status
• Required security processes
   

A common enforcement model is:

• Use posture-based allow rules to define the minimum compliance bar
• Let non-compliant devices fall through to deny

This ensures that internal WAN access is granted only to devices that are both recognized and secure.

Operational Advantages for SecOps Teams

Device-aware WAN firewall policies deliver clear operational benefits:

• Reduced reliance on static network segmentation
• Centralized policy management across all sites
• Consistent enforcement for office and remote devices
• Improved visibility into internal device communication
   

Security teams can validate and investigate enforcement using:

• Device Dashboard
• Device Inventory 
• WAN firewall events 

This tight integration simplifies internal threat detection and response.

Strategic Value: Internal Zero Trust Without Complexity

By embedding device context directly into the WAN firewall, Cato enables enterprises to:

• Apply Zero Trust principles inside the network
• Protect OT and legacy systems without agents 
• Scale segmentation across sites without redesigning networks 

Most importantly, this is achieved without deploying additional tools or maintaining parallel policy engines.

Protect IT and OT environments with agentless, device-aware controls → Schedule a free 30-minute Cato WAN Firewall strategy session.

FAQs

How does the Cato WAN Firewall use device context for internal segmentation?

The Cato WAN Firewall uses Device Attributes and Device Posture Profiles as rule conditions, allowing segmentation decisions based on device identity rather than IP addresses.

Can Cato SASE enforce WAN firewall rules for OT devices without agents?

Yes. Cato SASE uses agentless Device Inventory detection to classify OT devices and enforce WAN firewall policies without requiring endpoint agents.

What types of Device Attributes are supported in Cato WAN Firewall rules?

Cato WAN Firewall rules can use Category, Type, Model, Manufacturer, Operating System, and OS Version attributes sourced from Device Inventory.

Can Device Posture Profiles be applied to WAN traffic in Cato SASE?

Yes. For devices running the Cato Client, Device Posture Profiles can be applied in WAN firewall rules to enforce internal access based on endpoint compliance.

How does Cato SASE prevent lateral movement using WAN firewall policies?

By enforcing device-aware rules, Cato SASE limits which devices can communicate across sites, reducing lateral movement even inside trusted networks.

Are WAN firewall device rules enforced centrally in Cato?

Yes. All WAN firewall enforcement is centralized in the Cato Cloud, providing consistent policy application across all locations.

How does Cato WAN Firewall support Zero Trust internal access?

Cato WAN Firewall applies identity, device, posture, and context checks before allowing internal traffic, aligning internal access with Zero Trust principles.