Recent Content
Wireless Traffic Identified as DSCP18
This is driving me up the wall and I don't see a lot of good options, aside from pester support. We're an Aruba wireless shop and we have some WMM/QoS configured. This ends up with a bunch of events where the Application/Service detected is dscp18 because Cato is picking up on the QoS value from the access point. It makes my life difficult when we try to create WAN Firewall rules based on a service on a given destination(s). Aside from de-allocating that DSCP value on my production SSID's, what can I do? Has anyone else encountered this before?22Views0likes4CommentsReporting on Max amount of licenses reached
It's rather embarrassing to run out of SDP licenses as it provides for a negative new joiner experience when their Cato connection won't come up as expected. As Cato in their wisdom has decided there is no need to alert admins when the license count is reached (they'd probably rather we waste money purchasing a sufficient surplus of said licenses), is there a way to use the API to query for this status? Yes, I submitted an RMA for this last year that went nowhere. And yes, I know we can probably hack something together on our end that statically compares the number of licenses to the membership count in our provisioning groups. But this feels like it should be a basic feature of a SaaS service, especially as there is a hard stop when the license count is reached.35Views0likes3CommentsEvent Integration - Secureworks Taegis
I opened a support case and was directed to post here instead. We are attempting to setup an event integration from Cato to Secureworks Taegis following this KB: Integrating Cato Events with AWS S3 – Cato Learning Center but when we get to the point of entering the bucket name, we are unable because Secureworks provides an S3 alias and not a bucket name. The Cato portal specifically prevents using an alias. How can we get this integration configured?39Views1like2CommentsCato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com241Views5likes0CommentsCato Windows SDP Client - TCP443 only
I've got a support ticket in - and am working on this. But I figure I'll throw this out here too: I have an instance of needing Cato SDP Client access - and the vendor's security team is allowing tcp443, but not udp443 nor udp1337. I saw the following recently: https://support.catonetworks.com/hc/en-us/articles/360002577917-Client-TCP-Fallback-for-UDP-Tunnel I have tested this with my own laptop that already has a user and was previously connected. Blocking all ports except TCP443 outbound from my infrastructure for my laptop caused the client after about 90 seconds to connect, and only via TCP. Success! Installed a quick VM (win 11, same cato client version fresh) and performed the same thing. Blocking all access except tcp443 (local DNS is still allowed, as well as ICMP outbound) and the client does not ever fail over as described in the article. Any thoughts? I figure there could be a hidden "registry setting" similar to what they have for changing the UDP ports in use by the client, but my searching has resulted in nothing. Additionally the support rep states they can force TCP at an account or site level, but that isn't what I need - I don't have sockets at these affected sites, just workstations on the internet (firewalled).47Views0likes3CommentsLocal VLAN routing
I have configured multiple VLANs at site. Client on VLAN A is unable to ping VLAN B interface on the same socket. Decided to use the Local Firewall rules to allow Any Any between VLAN A and B but still unable to ping. Note: No issue with IP assignment and Clients can ping their gateways. What could I be missing? Another question. From the KB, the default behavior for the Socket is to forward all traffic to the PoP for security inspection. My question is - what is the default policy on the PoP side if a LAN firewall rule is not configured?Solved42Views0likes5CommentsPull network rules via API
Hi community, I am trying to pull network settings for several sites. To be more precise, I would like to create a list of bypass rules per site. I tried the following query with empty results: query entityLookup ($accountID: ID!, $type: EntityType!, $parent: EntityInput!) { entityLookup (accountID: $accountID, type: $type, parent: $parent) { items { entity { id name type } description helperFields } } } { "accountID": "{{accountID}}", "type": "localRouting", "parent": { "id": 0, "type": "site" } } Other "type" like lanFirewall worked. Any suggestions how to proceed and get details about bypass ruleset per site?16Views0likes1CommentCato SDP Client - Always On / Prelogin questions
We are switching from another VPN solution and I have some questions about the always-on / pre-login features. Is there any way to see always-on or pre-login connections in the CMA? Do the pre-login sessions use machine credentials? Can we access the machines remotely during pre-login? Use cases / background if we were working on an issue we could restart the machine and login again after the reboot. If the user had an issue we could remote to the machines, do an admin login and resolve issues. with our previous solution we could see the machine/device connections and IP information in the management console. We may be able to use teamviewer remote access but i don't think you can allow pre-login destinations via FQDN. Basically, we would like to be able to see and manage our on-line devices even if they are not logged in. Do split tunnel exceptions work pre-login for something like Teamviewer?64Views1like3CommentsBlock specific action(e.g upload,download) in whatsapp desktop application
Hi Folks, I want to block specific action(e.g upload,download) in whatsapp desktop application but it seems does not work as expected. However, it is block successfully in whatsapp web. Does anyone has achieve the same goal in whatsapp desktop app? Thanks.23Views1like1Comment