Firewall-as-a-Service Capabilities
Full Traffic Inspection Without Blind Spots
Cato inspects network traffic from all sources and to all destinations across the internet (north-south) and the WAN (east-west). This includes traffic over all ports and protocols, and is not limited to HTTP/S traffic only.
Cato helps enterprises retire both branch and datacenter firewall appliances and replaces them with Cato FWaaS. Firewall elimination is possible because Cato can deliver all legacy firewall capabilities in a network (and not proxy) architecture, from the cloud, with multi-gig throughput.
Using Cato FWaaS enterprises avoid configuration gaps, blind spots, and reduce the risk of data breaches
Scalable Firewall Ruleset Management
Cato FWaaS processes rules based on their order in the ruleset, stopping at first hit. To avoid flooding the ruleset with numerous rules, each rule can be set with specific exceptions. Cato allows admins to group rules into sections for better readability and efficient review by 3rd party auditors.
Cato offers a rich set of objects (user identity, organization unit, device, host, application, protocol, location, network, VLAN, and many more) that can be used in the rules, and the ability manage them in logical groups that can combine multiple object types.
Full Logging and Monitoring for Detailed Analysis and Reporting
All rules and actions in the Cato FWaaS can be set to record an event and store it on the Cato SASE Cloud Platform for an agreed upon retention period.
Email notifications can be configured to alert on selected event that repeat during a defined period and at a defined urgency.
Event monitoring and analysis is available through dedicated dashboards and through the event monitoring interface which provides easy-to-use searching and filtering.
An audit trail records all admin activities for tracking, monitoring and auditing.
Unlimited Processing and Inspection Capacity for Every Need
Cato FWaaS is a cloud service that benefits from a cloud-native software architecture. Features and capabilities are not limited by the underlying hardware, and autonomous and elastic scaling and self-healing ensures high performance and service resiliency.
Cato allow admins to enable all features, including TLS inspection, and use any type and number of objects, groups and rules without worrying about performance or availability.
Cato’s cloud-native software architecture eliminates concerns of increased latency due to CPU load, packet drops, or device failure. Similarly, risk of mid-term appliance replacement due to insufficient compute power is avoided.
Microsegmentation, Access control and Zero Trust for Risk Reduction
Microsegmentation can be easily configured to restrict access to sensitive resources. Policies can be set based on groups, networks, VLANs and individual objects such as hosts and users to govern granular access that meets business requirements. For zero trust, Cato allows admin to set identity-to-identity, identity-to-app, and app-to-app access policies that factor in not only the identity of a user, but also their geo location, method of connectivity, security posture and more.
DPI-based Application and User Awareness
Cato FWaaS includes built-in awareness to thousands of applications across all ports and protocols and the ability to define custom applications. A DPI engine identifies the application or service as early as the first packet and without having to decrypt the payload.
Cato allows policy configuration and enforcement that factors the identity of the users and the organization units they belong to. By synchronizing with the user directory, and using the identity agent in the Cato Client, a user identity is associated with every network flow.