Firewall-as-a-Service (FWaaS)

Cato inspects network traffic from all sources and to all destinations across the internet (north-south) and the WAN (east-west). This includes traffic over all ports and protocols, and is not limited to HTTP/S traffic only.
Cato helps enterprises retire both branch and datacenter firewall appliances and replaces them with Cato FWaaS. Firewall elimination is possible because Cato can deliver all legacy firewall capabilities in a network (and not proxy) architecture, from the cloud, with multi-gig throughput.
Using Cato FWaaS enterprises avoid configuration gaps, blind spots, and reduce the risk of data breaches

Cato FWaaS processes rules based on their order in the ruleset, stopping at first hit. To avoid flooding the ruleset with numerous rules, each rule can be set with specific exceptions. Cato allows admins to group rules into sections for better readability and efficient review by 3rd party auditors.
Cato offers a rich set of objects (user identity, organization unit, device, host, application, protocol, location, network, VLAN, and many more) that can be used in the rules, and the ability manage them in logical groups that can combine multiple object types.

All rules and actions in the Cato FWaaS can be set to record an event and store it on the Cato SASE Cloud Platform for an agreed upon retention period.
Email notifications can be configured to alert on selected event that repeat during a defined period and at a defined urgency.
Event monitoring and analysis is available through dedicated dashboards and through the event monitoring interface which provides easy-to-use searching and filtering.
An audit trail records all admin activities for tracking, monitoring and auditing.

Microsegmentation can be easily configured to restrict access to sensitive resources. Policies can be set based on groups, networks, VLANs and individual objects such as hosts and users to govern granular access that meets business requirements. For zero trust, Cato allows admin to set identity-to-identity, identity-to-app, and app-to-app access policies that factor in not only the identity of a user, but also their geo location, method of connectivity, security posture and more.

Cato FWaaS includes built-in awareness to thousands of applications across all ports and protocols and the ability to define custom applications. A DPI engine identifies the application or service as early as the first packet and without having to decrypt the payload.
Cato allows policy configuration and enforcement that factors the identity of the users and the organization units they belong to. By synchronizing with the user directory, and using the identity agent in the Cato Client, a user identity is associated with every network flow.