Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Event Integration - Secureworks Taegis
I opened a support case and was directed to post here instead. We are attempting to setup an event integration from Cato to Secureworks Taegis following this KB: Integrating Cato Events with AWS S3 – Cato Learning Center but when we get to the point of entering the bucket name, we are unable because Secureworks provides an S3 alias and not a bucket name. The Cato portal specifically prevents using an alias. How can we get this integration configured?
Bypassing Cato via WAN Bypass and Split Tunnel
We need to add around 200 subnets to bypass Cato. My understanding is that they need to be added to all sites under the Site Configuration/Router/Bypass/Destination and for all SDP users via Access/Client Access Control/Split Tunnel policy. We have nearly 90 sites. Manually adding 200 subnets to 90 sites doesn't seem like a good time. Is this possible via the API? If so, can you point me toward the correct commands.
AWS can't reach Private IP - Cato Client Windows
Hi, on my PC I have the Cato Client to connect to Cato Network. We have a connection with a virtual appliance in AWS in one account. In this account there is a TGW that connect other accounts. I can' reach the private IP of AWS accounts, but all networks are routed in Cato Configuration, TGW and VPC route tables seems ok....The source/destination check is disabled for LAN interface, the client subnet 10.41.0.0/16 is associated to subnet route table, tgw route table and there is also in the other account's route tables..... But the traffic is not going well..... any suggestion ? Many thanks Dario
Device posture basis domain name
One of the issue we raised during Cato Connect program was around device posture policy basis domain and it was clarified that this falls under advanced configuration and can be done by support/CSM team. I raised ticket for the same and the response was that they can apply but from backend and at account level. I want to exclude some of my senior management from this policy but it is not feasible now since done at account level. Also I cant do testing by applying this device posture basis domain for some 2-3 users to see if it works properly and also no option from frontend to disable if there is any issue and totally depend on service ticket and backend team. This makes this good policy not to be deployed as it has potential risk since neither testing can be done nor exclusion can be done unlike any other device posture policy since policy deployed from backend and deployed at account level.
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
Setting up SSO with IdPs other than the default nine?
I would like to ask about the possibilities of setting up SSO integration with Identity Providers (IdPs) that are not among the nine default options provided. What methods are available for establishing SSO connections with IdPs beyond the default nine? Is there a way to configure a generic IdP setting, or can we leverage the existing nine IdP configurations to connect with other IdPs? Additionally, is there a process to request a new IdP to be officially supported or added as a connection option? Any insights or guidance on this would be greatly appreciated. Thank you. Sincerely, hisashiHow to Delete VPN Users via GraphQL API
Greetings, I'm working on automating user cleanup and am attempting to delete inactive VPN users via the Cato API. According to the API conventions, I assumed the following mutation would work to remove users from our account: Sorry for the poor formatting. mutation deleteEntities($accountID: ID!, $entityIDs: [ID!]!) { deleteEntities(accountID: $accountID, entityIDs: $entityIDs) { success failed { userID reason } } } I'm calling it in Python with: delete_variables = { "accountID": account_id, "entityIDs": [uid] } delete_response = requests.post(API_URL, headers=HEADERS, json={ "query": delete_mutation, "variables": delete_variables }) However, I receive the following error in the response: { "errors": [ { "message": "Cannot query field 'deleteEntities' on type 'Mutation'.", "extensions": { "code": "GRAPHQL_VALIDATION_FAILED" } } ], "data": null } What I am trying to figure out is: Is deleteEntities a valid mutation for deleting VPN users? If not, what is the correct GraphQL mutation for deleting users? Thank you guys!
