Recent Content
Recording: Ask Me Anything with Professional Services - March 2026
Professional Services AMA – March 2026

Thank you to everyone who joined our March AMA session! Below is a clean, easy‑to‑scan recap of every question asked, along with brief summaries of the answers shared during the call. If you’d like the full context, you can view the recording below.

IPsec & Tunnel Behavior

Are IPsec tunnels active‑active or active‑passive?
Cato uses active‑passive by default. Active‑active is available with EA enablement.

How do we identify the primary vs. secondary tunnel?
Your IPSec configuration labels them directly:
- Primary = active
- Secondary = standby

Can secondary tunnels load‑balance with primary?
No. Secondary tunnels do not participate in load‑sharing.

Can we configure active‑active instead of active‑passive?
Yes, but only via Early Access. This enables multiple tunnels on primary/secondary POPs.

Logging, Packet Capture & Troubleshooting

Can we see packet counts like a firewall (sent/received)?
You can see traffic hitting WAN firewall policies, but tunnel‑level packet breakdown is not available.

Can we capture tunnel traffic?
Not in CMA. Support can perform captures on the backend.

Bandwidth, Utilization & Alerts

Is there an automated way to detect when a site hits max bandwidth?
Yes, via the API or MCP Server integrations.

Are bandwidth‑based alerts planned in CMA?
Not today. Current alerts may trigger on QoS discards. Recommended to submit an Idea Hub request.

Can we mute all alerts during a maintenance window from one place?
Not currently. Alerts must be disabled per area (BGP, XOps, link health). Suggested as an idea via the Idea Hub.

Browser Extension, DNS & Clientless Access

Hostname access fails with the browser extension. Why does IP work?
Hostname resolution should work in normal circumstances. Re‑testing and a support ticket is recommended if it persists.

Direct Connect, IPv6 & Packet Capture

When will packet capture be supported on Direct Connect?
No timeline yet; currently only possible on the backend through Support.

AI Security Monitoring

Does AI Security capture user prompts (e.g., Copilot prompts)?
Robin gave a walkthrough of our AI Security offering during this event. He starts discussing capturing user prompts around the 18th minute and continues discussing how to secure and monitor AI for several minutes.

AWS Architecture & Inspection

Can inbound AWS traffic be inspected by Cato before reaching EC2 (like GWLB + Palo Alto)?
Not with AWS public IPs. Cato can only inspect inbound traffic terminated on Cato public IPs via Remote Port Forwarding.

Why must inbound inspection use Cato’s public IP?
Cato is a SaaS platform and cannot locally inspect traffic inside your AWS VPC.

Automation, Importing & Configuration Management

Is there a bulk import feature for IP ranges/VLANs?
Not natively. Consider:
- Cato API
- CatoCLI
- Terraform provider

Best Practices & Identity

What best practice do customers commonly miss?
Fully adopting identity‑based policies (ZTNA) instead of legacy IP‑based access controls.

Do AD‑synced users need a ZTNA/SDP license for identity policies?
It depends:
- Windows + SCIM + Azure AD Join/Hybrid = no license needed
- macOS = license currently required
- On‑prem AD join = SCIM not supported (use LDAP)

Why does user awareness fail for some SCIM‑synced users?
SCIM does not support on‑prem AD joined devices. These must use LDAP provisioning.

Always‑On VPN Issues

Why does always‑on VPN block all traffic until reinstall?
Common causes include:
- Internet Recovery option not enabled
- Device posture checks failing
If issues persist, Support should investigate.

Event Logs

Can we filter traffic to wildcard domains?
Yes, use the “contains” filter for domain‑based event searching.

Remote Browser Access

What’s the high‑level architecture for Remote Browser Access?
1. User connects to the Cato Portal
2. Portal creates a policy
3. Cato initiates a connection to your internal resource
Without Source NAT, the internal server sees a Cato public IP. Source NAT forces it to appear from a private IP instead.

QoS for Remote Port Forwarding

Can we set QoS rules for Remote Port Forwarding?
Not today, traffic uses the default QoS queue. Idea Hub submissions encouraged.

Local Bypass Enhancements

Will more applications be added to local bypass?
Yes. The list is expanding, and domain/FQDN bypass is available in EA via your account team.

Questions Requiring Follow‑Up

These topics require SME confirmation and will be answered on the community once available:
1. Does AI Security capture user prompts (Copilot, etc.)? Pending SME validation.
2. Is IPv6 DNS fully supported, and how does Cato plan to address IPv6‑only ISP environments? Pending SME validation.

Have more questions? Drop them in the community anytime or join our next AMA.
1 View 0 likes 0 Comments

Socket Active-Active SLA
Just watched a training video that states there is an option for Active/Active SLA settings globally, but when I log into the CMA all I see is Active/Passive. I checked at the site level and it's only Active/Passive. How is this enabled? Or is this still in early availability?
10 Views 0 likes 2 Comments

Getting the DHCP Pools information via API
I need to get the information under DHCP pools to monitor the percentages of each subnet per Site Socket. However, I am having an issue when pulling the "dhcpPools", which returns a permission denied error. Is there a query for GraphQL that can call such information in CATO?

This is my query:

    query dhcpPools($accountID: ID!, $siteId: ID!, $protoId: ID!, $search: String) {
      dhcpPools(
        accountID: $accountID
        siteId: $siteId
        protoId: $protoId
        search: $search
      ) {
        dhcpPools {
          ...DhcpPoolData
          __typename
        }
        __typename
      }
    }

    fragment DhcpPoolData on DhcpPool {
      subnetRange {
        ...EntityData
        __typename
      }
      dhcpRange {
        ...EntityData
        __typename
      }
      allocatedIPs
      availableIPs
      __typename
    }

    fragment EntityData on Entity {
      id
      type
      name
      __typename
    }

This is my variable:

    {
      "accountID": "2015",
      "siteId": "105762",
      "protoId": "1000000070",
      "search": ""
    }

14 Views 0 likes 1 Comment

Disable SCIM User
It takes about 40 minutes once the user is deleted from the IDP. Are there any other options for disabling a SCIM user? My thought was to create a WAN firewall rule to deny the user access until the SCIM update happens. Currently users are set up for split tunneling so I wouldn't need an Internet FW rule, but if split tunneling was not in place then I would create a rule here as well.

Pre-Login and Online Services
We currently have an on-premises Active Directory and have Pre-Login enabled with connect at boot enabled. We defined internal destinations (domain controllers) as allowed destinations, so the devices can reach the domain controllers before the user has logged in. This worked fine so far.

However, now we want to migrate to Entra ID and Intune only, which means that the machines now need to reach Entra and Intune before or directly after the login. Since the pre login mode doesn't allow them to reach all URLs of Entra ID and Intune, we get problems during log in and for the Intune enrollment (which happens after the login of a new user but before the user has authenticated with the CATO client). We also have the same problem with NinjaOne which we use to manage endpoints: We would like to be able to reach endpoints before a user has logged in. In the allowed destinations for the Pre login mode, I can only provide internal targets and IPs, but can't put any Internet hostnames so the devices can reach Entra ID and Intune before the user has authenticated.

So what is the solution here? We want to use Pre login to have the security it provides and prevents the devices from having open Internet access before the user has authenticated with CATO, but really need to resolve these issues that are caused by it when it comes to connect to our management services before the user has authenticated. Thank you in advance.
77 Views 2 likes 4 Comments

Cato Network as Layer 3
Hi Team,

We have a new site coming online, and I’d like to gather your insights regarding our network design. Which approach would you recommend for the deployment?
- Cato Network as the Layer 3, or
- HPE Aruba Switch performing Layer 3

Is anyone here currently using Cato as the Layer 3? If so, what advantages or improvements have you observed in your environment? Appreciate any feedback you can share. Thank you.
54 Views 0 likes 1 Comment

Migration SCIM to SCIM Provisioning
Hello Team,

We currently use Okta for SSO and SCIM provisioning with Cato. We want to keep SSO authentication on Okta, but move provisioning from Okta to Saviynt.

Our Understanding:
- We understand SCIM endpoints are scoped per directory (sourceId) as /scim/v2/{accountId}/{sourceId}.
- We also noted documentation stating multiple IdPs are supported, but not recommended as a migration method.

Could you please advise the following?
- Is there a recommended procedure to migrate existing users from an Okta SCIM directory to a new Saviynt SCIM directory?
- If adding a new SCIM directory is not recommended for migration, please point us to the recommended migration steps or best practices.
- We want users and groups provisioned via Saviynt to authenticate via Okta SSO. Is mapping Saviynt directory to the Okta SSO provider a possible configuration?

Please let us know if you have any recommended plan. Thank you,
21 Views 0 likes 0 Comments

Using Graphql to query statistic of LastMilePacketLoss
I am using the syntax below to query statistic of LastMilePacketLoss, but the response does not include any data for LastMilePacketLoss.

Request URL: https://api.catonetworks.com/api/v1/graphql2

Request Body:

    query accountMetrics($accountID: ID!, $timeFrame: TimeFrame!, $groupInterfaces: Boolean, $groupDevices: Boolean, $siteIDs: [ID!]) {
      accountMetrics(
        accountID: $accountID
        timeFrame: $timeFrame
        groupInterfaces: $groupInterfaces
        groupDevices: $groupDevices
      ) {
        id
        from
        sites(siteIDs: $siteIDs) {
          id
          interfaces {
            name
          }
          info {
            sockets {
              id
              isPrimary
            }
          }
          metrics {
            bytesUpstream
            bytesDownstream
            flowCount
          }
          name
        }
        timeseries(labels: lastMilePacketLoss) {
          sum
          units
          label
        }
        to
      }
    }

Response:

    {
      "data": {
        "accountMetrics": {
          "id": "xxxx",
          "from": "2026-03-01T00:00:00Z",
          "sites": [
            {
              "id": "xxxxx",
              "interfaces": [
                { "name": "Primary-WAN" },
                { "name": "Secondary-WAN" }
              ],
              "info": {
                "sockets": [
                  { "id": "xxxxx", "isPrimary": false },
                  { "id": "xxxxx", "isPrimary": true }
                ]
              },
              "metrics": {
                "bytesUpstream": 234144508140,
                "bytesDownstream": 464289852590,
                "flowCount": 5274
              },
              "name": "xxxxxx"
            }
          ],
          "timeseries": [
            { "sum": 0, "units": "percent", "label": "sitePacketsDiscardedDownstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "bytesTotal" },
            { "sum": 0, "units": "bytes", "label": "bytesDownstream" },
            { "sum": 0, "units": "packets", "label": "packetsDiscardedUpstream" },
            { "sum": 0, "units": "percent", "label": "lostUpstreamPcnt" },
            { "sum": 0, "units": "percent", "label": "lostDownstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "siteDownstreamThroughputMax" },
            { "sum": 0, "units": "bytes", "label": "bytesDownstreamMax" },
            { "sum": 0, "units": "packets", "label": "lostUpstream" },
            { "sum": 0, "units": "count", "label": "hostLimit" },
            { "sum": 0, "units": "ms", "label": "jitterUpstream" },
            { "sum": 0, "units": "bytes", "label": "siteBandwidthLimitDownstream" },
            { "sum": 0, "units": "bytes", "label": "bytesUpstream" },
            { "sum": 0, "units": "packets", "label": "lostDownstream" },
            { "sum": 0, "units": "ms", "label": "rtt" },
            { "sum": 0, "units": "seconds", "label": "tunnelAge" },
            { "sum": 0, "units": "count", "label": "hostCount" },
            { "sum": 0, "units": "packets", "label": "packetsDiscardedDownstream" },
            { "sum": 0, "units": "score", "label": "health" },
            { "sum": 0, "units": "ms", "label": "jitterDownstream" },
            { "sum": 0, "units": "percent", "label": "packetsDiscardedUpstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "siteUpstreamThroughputMax" },
            { "sum": 0, "units": "bytes", "label": "siteBandwidthLimitUpstream" },
            { "sum": 0, "units": "bytes", "label": "siteDailyP95" },
            { "sum": 0, "units": "count", "label": "flowCount" },
            { "sum": 0, "units": "packets", "label": "packetsUpstream" },
            { "sum": 0, "units": "packets", "label": "packetsDownstream" },
            { "sum": 0, "units": "percent", "label": "sitePacketsDiscardedUpstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "bytesUpstreamMax" },
            { "sum": 0, "units": "percent", "label": "packetsDiscardedDownstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "bytesDownstreamMax" },
            { "sum": 0, "units": "packets", "label": "lostUpstream" },
            { "sum": 0, "units": "count", "label": "hostLimit" },
            { "sum": 0, "units": "ms", "label": "jitterUpstream" },
            { "sum": 0, "units": "bytes", "label": "siteBandwidthLimitDownstream" },
            { "sum": 0, "units": "bytes", "label": "bytesUpstream" },
            { "sum": 0, "units": "packets", "label": "lostDownstream" },
            { "sum": 0, "units": "ms", "label": "rtt" },
            { "sum": 0, "units": "seconds", "label": "tunnelAge" },
            { "sum": 0, "units": "count", "label": "hostCount" },
            { "sum": 0, "units": "packets", "label": "packetsDiscardedDownstream" },
            { "sum": 0, "units": "score", "label": "health" },
            { "sum": 0, "units": "ms", "label": "jitterDownstream" },
            { "sum": 0, "units": "percent", "label": "packetsDiscardedUpstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "siteUpstreamThroughputMax" },
            { "sum": 0, "units": "bytes", "label": "siteBandwidthLimitUpstream" },
            { "sum": 0, "units": "bytes", "label": "siteDailyP95" },
            { "sum": 0, "units": "count", "label": "flowCount" },
            { "sum": 0, "units": "packets", "label": "packetsUpstream" },
            { "sum": 0, "units": "packets", "label": "packetsDownstream" },
            { "sum": 0, "units": "percent", "label": "sitePacketsDiscardedUpstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "bytesUpstreamMax" },
            { "sum": 0, "units": "percent", "label": "packetsDiscardedDownstreamPcnt" },
            { "sum": 0, "units": "percent", "label": "sitePacketsDiscardedDownstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "bytesTotal" },
            { "sum": 0, "units": "bytes", "label": "bytesDownstream" },
            { "sum": 0, "units": "packets", "label": "packetsDiscardedUpstream" },
            { "sum": 0, "units": "percent", "label": "lostUpstreamPcnt" },
            { "sum": 0, "units": "percent", "label": "lostDownstreamPcnt" },
            { "sum": 0, "units": "bytes", "label": "siteDownstreamThroughputMax" }
          ],
          "to": "2026-03-12T23:59:59Z"
        }
      }
    }

32 Views 0 likes 1 Comment
