Overview of Cato's IPS Policy
Cato's IPS service is comprised of several layers of security including:
Behavioral Signatures: Protecting against deviation from normal, expected behavior of the system or the user. Normal behavior is identified using Cato Networks' big data analytics and deep visibility across many traffic flows over the Cato Cloud.
Reputation Analysis: Protecting against inbound / outbound communication with compromised or malicious resources.
Known Vulnerabilities: Protecting against known CVEs, rapidly adapting to incorporate new ones.
Anti-Bot: Protecting against outbound traffic to C&C servers based on reputation feeds, and network behavioral analysis.
Network Behavioral Analysis: Protecting against inbound / outbound network scans.
Protocol Validation: Protecting against invalid packet (conformance to the protocol wise), reducing attack surface from exploits using anomalous traffic.
Geo Restriction: Enforce a custom geo-restriction policy to block inbound, outbound, or all traffic to specific countries.
Cato's IPS and Geo Restriction
This section is an example of creating IPS policy to block WAN and Inbound traffic. It also contains a geo-restriction policy to block traffic for Iran and North Korea.
Note: If you want to block traffic from a country, but allow a specific FQDN, use the Internet Firewall. For more information, see Recommendations for Internet and WAN Firewall Policies.
Defining the IPS Protection Policy
For WAN, Inbound, and Outbound traffic, you can define the actions for the IPS engine and the relevant email notifications. It is possible that the matching traffic is a false-positive and is actually legitimate traffic.
These are the available actions:
Block - Blocks the traffic and it doesn't continue to its destination. When applicable, redirects the user to a dedicated blocking web page. An event is generated for the Events screen (Home > Events).
Monitor - The traffic is allowed to continue to the destination and an event is generated for the Events screen (Home > Events).

To configure actions for the IPS policy:
From the navigation menu, click Security > IPS.
In the IPS page, click the Protection Policy tab.
Click the slider
to enable the IPS policy.The toggle is green
when enabled.In the Protection Policy section, configure the following settings for each Protection Scope:
For WAN traffic, IPS blocks matched protections and generates an email notification:
Click WAN Traffic.
The Edit panel opens.
In Action, from the drop-down menu select Block.
In Track, select Email Notification.
Click Apply.
For Inbound Internet traffic, IPS blocks matched protections and generates an email notification:
Click Inbound Traffic.
The Edit panel opens.
In Action, from the drop-down menu select Block.
In Track, select Email Notification.
Click Apply.
For Outbound Internet traffic, IPS monitors matched protections and doesn't generate an email notification:
Click Outbound Traffic.
The Edit panel opens.
In Action, from the drop-down menu select Monitor.
In Track, make sure that Email Notification is cleared.
Click Apply.
Click Save. The IPS policy settings are saved for the account.
Managing Geo Restriction Rules
You can define Geo restriction rules for IPS. Geo restriction rules for IPS are based on the IP address geolocation and not on the domain. You can define the rule to apply to inbound, outbound, or both directions of traffic.
Note:
If you configure a Geo Restriction rule for inbound traffic, this applies also to RPF resources. However, IPS Geo Restriction rules are not applied to traffic from Cato SDP Clients. To block Client connections from specific regions, you can configure rules in the Client Connectivity Policy.

To define a Geo restriction rule:
From the navigation menu, click Security > IPS.
In the IPS page, click the Geo Restriction tab or expand the section.
Click New.
The Add panel opens.
Enter the Name for the rule, and in Direction, select Both Directions to configure the rule to apply to all traffic.
In the Countries section, add Iran and Korea, Democratic People's Republic of (North Korea).
In Action, select Block to block all traffic to and from Iran and North Korea.
In Track select Event and Email Notification, to have the maximum visibility for traffic to and from Iran and North Korea.
Click Apply and then click Save.