Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Visual Bugs in the UI?
Anyone else struggling with visual bugs in the UI? Created Internet FW rules for our VoIP solution to cover softphones on the LAN and hard phones on designated VoIP VLANs. I also created a VLAN supernet to make rule creation easier. My conundrum is visually the LAN and VLAN20 appear as LAN in the rule. Additionally, I have a rule further downstream that blocks any other traffic on VLAN20 that doesn't match an upstream rule -- same visual bug. Anyone else experiencing this?
Anti-Tampering Query- Auto upgrade of client version
In the EA documentation , it is written that :- As part of the Anti-Tampering protections, when Anti-Tampering is enabled, by design, the Client can't be upgraded. To enable an upgrade either manually or using an MDM, there is a specific bypass code that is not connected to disabling Anti-Tampering for the configured duration. My query is as below:- If my policy in client rollout is set as "Automatic by Cato", will the client version get updated or not. If not, then will this create issue in upgrading the version to get benefit and manual upgrade is time consuming
Azure Virtual Desktop - Always on policy
Hello! What is best practise for implementing the always on policy for Windows 11 VMs (hybrid domain joined). At the moment if a user session expires the Cato tunnel seems to break. The AVD shows as unavailable in Azure and the user is no longer able to login. Only workaround so far is using the serial console to disable the Cato network adapter or uninstall Cato altogether. Is there a way for the session to still expire while making the domain and other prerequisite AVD features still accessible? Thanks!
Identifying the Cause of LDAP Synchronization Failure
Hello, We have been synchronizing accounts with an on-premises LDAP server. The synchronization worked normally until July 2nd, but it stopped working from July 3rd. We want to identify the cause, but it is difficult to investigate because the source IP shown in the web UI is different. Does anyone have any ideas on how to perform something like a traceroute from the source IP used for LDAP synchronization? Thank you for your assistance.Azure Virtual Desktop Session Host Routing
Hi, has anyone ever set up a route table on Azure so that the route to Microsoft Login subnets goes out through Cato? When we tried doing this, to make sure our AVD users are protected by Cato, users stopped being able to connect to session hosts through the AVD FQDN (broker). I suspect that its either TLS Inspection being enabled for Microsoft Login app (has never been an issue for our laptop users), or that AVD brokering system needs Microsoft Login traffic to go through the internet instead of a private route for some reason.Endpoint Device DNS Resolution
When Cato is handling DHCP and DNS for all devices within an account across multiple vlans, across multiple sites, is it possible for a device to resolve the IP of a hostname outside of the local subnet that the device is on, using Cato DNS to resolve the hostname? We historically have had on-prem Windows AD providing DHCP/DNS which reliably provided name resolution from hostname to IP, but also reverse DNS for IP back to hostname. We are moving to Entra ID/Intune+Auto Pilot managed devices with the outlook to retire our on-prem servers entirely. We have various use cases where we need to resolve a hostname to have the IP returned, but also for the IP to resolve back to hostname via reverse DNS. This has become difficult for Entra ID managed devices unless the device is on the same local subnet where the site switch manages the resolution via the local mac table. Is mDNS the right approach and where I should focus my attention or is there an alternative I should consider? As is looks like mDNS is restricted to vlans within the same site, it may not work in our scenario where we need to resolve across sites. Any advice or recommendations are greatly appreciated.The power of Smart SASE - Cato Remote Port Forwarding
Overview If I interpret the latest comments on SSE Gartner MQ '25, SASE is going to devour the SSE soon. Use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA or steering hooks. Let alone the publishers that are required to be hosted and maintained by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet with following quick 3 steps. How? Quick and easy 3 steps: Check how many public IP’s you are licensed for Account > License > IP's Assign an IP from the available Cato Public IP’s for your preferred location Network > Network Configuration > IP Allocation Create RPF rule using the IP you allocated in last step Security> Firewall > Remote Port Forwarding The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature but it works based on my testing. Question before you consider this option: Wouldn't you rather use WAN firewall rules though to control the same though instead of having the internal users to access this resource using public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites. Best Practices around RPF Like what uncle Ben or Voltaire would warn, 'with power comes a great responsibility' Note that there are 10K sessions allowed per RPF. If you have a high volume use case use a load balancer behind RPF to front end the servers Tightly control the rule by limiting access to source IP’s. If you see exclamation mark like the one in the first rule in the screenshot, take an action! Host your critical servers behind DDoS/WAF protection if you must allow 0/0. RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic using an Internet Type Network rule with higher priority, P8 for example) References https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic
