Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Configure a Private DNS server with Cato DNS
Does anyone configure a private DNS server (Windows DNS server) with the Cato default DNS server? We have a private DNS server to resolve the internal hosts. But I am a bit confused about how I can configure this with Cato DNS? Any leads would be appreciated.
Any method to disable management access to the Web UI from the LAN
I would like to restrict management access to the Socket Web UI from the LAN. However, in a post from about a year ago, no solution was provided. Is there a way to restrict access to the WebUI? | Cato Connect Has there been any update or new feature introduced that enables this? Thank you.
Users behind the socket cannot access IPSec Tunnels
Users working remotely (home network) are able to successfully access Azure Virtual Desktop (AVD). However, when users are connected via the Site Socket, access to AVD fails. As part of our troubleshooting, we manually configured the client-side DNS settings on a test laptop. With this configuration, DNS resolution functioned as expected, and we were able to successfully establish connectivity to AVD. This behavior suggests that the issue is related to DNS resolution within the Cato environment—specifically, DNS forwarding to the client-defined DNS servers does not appear to be functioning as expected. Given this, we would like to inquire if there is a mechanism to prioritize client DNS settings on a per-user or per-group basis within Cato. For reference, when connected via the Site Socket network, client devices are assigned IP addresses within the subnet range 10.254.xxx.x. When users are connected via Home Wi-Fi or Mobile Data, they are able to successfully access the client’s Azure Virtual Desktop (AVD). In this scenario, the assigned IP address falls within the subnet range 10.20.xxx.xx.
Issue creating IPsec tunnel with identification_type FQDN
Hi Cato community, I have encountered an issue where it is not possible to create a IPSec tunnel using the following configurations Site type: IPSecV2 connectionMode: RESPONDER_ONLY identificationType: FQDN Since the IPsec is responder only with FQDN identification, the updateIpsecIkeV2SiteTunnels mutation cannot be used to create such tunnels as it will require a public site ip, but FQDN will give local ID. When I tried to enter a dummy ip to test it out, it shows a "GraphQL error: Required"; leaving it blank will produce Required field 'primary_public_site_ip' is missing or empty. Are there any solutions/workarounds for this? Let me know if more information is required. Cheers, VincentP
Bypassing Cato via WAN Bypass and Split Tunnel
We need to add around 200 subnets to bypass Cato. My understanding is that they need to be added to all sites under the Site Configuration/Router/Bypass/Destination and for all SDP users via Access/Client Access Control/Split Tunnel policy. We have nearly 90 sites. Manually adding 200 subnets to 90 sites doesn't seem like a good time. Is this possible via the API? If so, can you point me toward the correct commands.
Creating NAT Rules
Hi, I’m trying to figure out if it’s possible to create or update NAT Policy Rules for a site using the Cato GraphQL API. I’m using the siteUpdate mutation to modify the natPolicyRules field (adding DNAT rules), but I keep getting a "permission denied" (Code104) error even though my API key should have the right permissions. Just to clarify, the rules I want to create are in: Network → Sites → [Selected Site] → Routing → NAT Before I go any further, can someone confirm : Is it actually possible to create/modify NAT rules via the GraphQL API ? Is siteUpdate the right mutation for this ? I have about 300 DNAT rules to create, so doing it manually in the UI would be pretty painful. Thanks !HTTP/2 and /3
When using CATO and navigating the internet through a browser, does CATO support protocols above HTTP1. (HTTP/2 and HTTP/3)? A website a user is trying to use only supports these new protocols, and so when connected to the network it shows him in a slowdown mode I have included the site for reference with a support page for this issue https://www.sanity.io/docs/help/http1-performance-issues
Meraki Integration?
in the 4/27/2026 product announcements it says: Cisco Meraki Access Point Events in Experience Monitoring: Integrate Wi-Fi access point events from Cisco Meraki and correlate them with user experience data to improve troubleshooting of office connectivity issues. Requires a DEM license and configuration of the Cisco Meraki connector We have the required DEM license, but It references setting up the Meraki connector Cisco Meraki: Creating the Experience Monitoring Connector – Cato Learning Center but when we go to set up the Meraki integration there does not seem to be a Meraki integration to configure. What am I missing?Recording: API/DevOps Live - May 2026
Thank you to everyone who joined our recent API/DevOps Live. If you’re looking to move from manual network/security operations to scalable, automated workflows, this session walks through exactly how to do that using Cato’s DevOps toolkit. What we covered How to apply DevOps principles to your Cato environment Using the CLI for day-to-day operations and bulk changes Leveraging Terraform for infrastructure as code (including brownfield environments) Going deeper with the SDK for custom automation and integrations How these layers connect: SDK → CLI → Terraform → AI-assisted workflows Key highlights Real-world examples of bulk config changes (DHCP, WAN priority, rules) How to export operational data like degraded sites A practical look at a “day in the life” of an operator Demo of AI-assisted workflows with built-in security guardrails (including blocking sensitive data like API keys) Questions we addressed What should I be automating first? How do I handle existing (brownfield) environments with Terraform? When should I use CLI vs Terraform vs SDK? How can I safely use AI tools in a DevOps workflow? Watch the full recording Here are some resources mentioned in the video: Getting started with Cato CLI Terraform Quickstart + Brownfield Onboarding Cato Networks Github Github Cato Networks API Explorer Github MCP Server Wrapping Cato CLI If you have questions or want to share how you're using automation in your environment, drop a comment below, we’d love to hear from you.
