Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Mismatch in User Count: Cato Report vs GraphQL API Output
This is to update that we are encountering an issue with the User GraphQL query. For example, when we generate a manual report from Cato, we receive approximately 1,750 users. However, when fetching data via the API, we are only getting around 768 users. It appears that the API is returning only users with an active Cato connection. We are not receiving data for assets or users that are currently not connected. Could you please confirm if this is an expected limitation of the API, or if there is a way to retrieve all users, including those that are not currently not connected?
HTTP/2 and /3
When using CATO and navigating the internet through a browser, does CATO support protocols above HTTP1. (HTTP/2 and HTTP/3)? A website a user is trying to use only supports these new protocols, and so when connected to the network it shows him in a slowdown mode I have included the site for reference with a support page for this issue https://www.sanity.io/docs/help/http1-performance-issues
I could use some help with a Powershell script for the events feed.
For some work I am doing trying to track DHCP events, I have been looking at the Events Feed API and am having trouble getting code working in Powershell. I know my API key/Account ID are good because I have other scripts/tasks running daily, but I am struggling on the event feed. I would rather avoid Python because I already have other things happening in Powershell and am not very comfortable in Python. I think I have events enabled in my account correctly. I asked ChatGPT to review my efforts and add debugging and this is my current script. It returns 0 events. you can toggle $DEBUG_MODE = $true/$false as needed Can someone let me know if you return results with this code? thanks. # start script ----------------------------------------------------------------------------- # ====== CONFIGURATION ====== $API_URL = "https://api.catonetworks.com/api/v1/graphql2" $API_KEY = "YOUR_CATO_API_KEY" $ACCOUNT_ID = "YOUR_ACCOUNT_ID" $DEBUG_MODE = $true $MAX_LOOPS = 3 # =========================== $query = @" query EventsFeed(`$accountIDs: [ID!], `$marker: String) { eventsFeed(accountIDs: `$accountIDs, marker: `$marker) { marker fetchedCount accounts { id records { time fieldsMap } } } } "@ function Write-DebugLog { param( [string]$Message, $Data = $null ) if (-not $DEBUG_MODE) { return } Write-Output "[DEBUG] $Message" if ($null -ne $Data) { try { if ($Data -is [string]) { Write-Output $Data } else { $json = $Data | ConvertTo-Json -Depth 20 Write-Output $json } } catch { Write-Output "[DEBUG] Could not serialize debug data." Write-Output ($Data | Out-String) } } Write-Output ("=" * 80) } function Print-Event { param($Record) $timeStr = $Record.time try { $dt = [datetime]::Parse($Record.time) $timeStr = $dt.ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss 'UTC'") } catch {} $f = $Record.fieldsMap Write-Output "[$timeStr] $($f.event_type) / $($f.event_sub_type): $($f.message)" Write-Output " User: $($f.user_display_name)" Write-Output " App: $($f.application)" Write-Output " Src: $($f.src_ip)" Write-Output " Dst: $($f.dest_ip)" Write-Output ("-" * 80) } function Fetch-Events { $headers = @{ "x-api-key" = $API_KEY "Content-Type" = "application/json" } $marker = "" $totalEvents = 0 $loopCount = 0 while ($true) { $loopCount++ if ($loopCount -gt $MAX_LOOPS) { Write-Output "[INFO] Reached MAX_LOOPS limit ($MAX_LOOPS)." break } $variables = @{ accountIDs = @($ACCOUNT_ID) marker = $marker } $bodyObject = @{ query = $query variables = $variables } $body = $bodyObject | ConvertTo-Json -Depth 20 try { Write-DebugLog "Request URI" $API_URL Write-DebugLog "Request headers" @{ "x-api-key" = "***REDACTED***" "Content-Type" = "application/json" } Write-DebugLog "Request variables" $variables Write-DebugLog "Request body object" $bodyObject Write-DebugLog "Request body JSON" $body $response = Invoke-RestMethod ` -Uri $API_URL ` -Method Post ` -Headers $headers ` -Body $body ` -TimeoutSec 30 Write-DebugLog "Parsed API response" $response } catch { Write-Error "[ERROR] API request failed: $($_.Exception.Message)" if ($_.ErrorDetails -and $_.ErrorDetails.Message) { Write-Output "[DEBUG] ErrorDetails:" Write-Output $_.ErrorDetails.Message Write-Output ("=" * 80) } break } if ($response.errors) { Write-Error "[ERROR] API returned GraphQL errors." Write-DebugLog "GraphQL errors" $response.errors break } if (-not $response.data) { Write-Output "[DEBUG] Response has no 'data' property." Write-DebugLog "Full parsed response" $response break } $feed = $response.data.eventsFeed if (-not $feed) { Write-Output "[DEBUG] Response has no 'data.eventsFeed'." Write-DebugLog "Full parsed response" $response break } Write-DebugLog "eventsFeed object" $feed $batchCount = 0 if (-not $feed.accounts) { Write-Output "[DEBUG] eventsFeed.accounts is null or empty." } else { Write-Output "[DEBUG] Number of accounts returned: $($feed.accounts.Count)" } foreach ($account in $feed.accounts) { Write-Output "[DEBUG] Inspecting account id: $($account.id)" if (-not $account.records) { Write-Output "[DEBUG] No records returned for this account." continue } Write-Output "[DEBUG] Records returned for account $($account.id): $($account.records.Count)" foreach ($record in $account.records) { if ($DEBUG_MODE -and $batchCount -lt 3) { Write-DebugLog "Sample record" $record if ($record.fieldsMap) { Write-DebugLog "Sample fieldsMap keys" ($record.fieldsMap.PSObject.Properties.Name) } } Print-Event $record $totalEvents++ $batchCount++ } } Write-Output "[INFO] Batch fetched: $($feed.fetchedCount)" Write-Output "[DEBUG] Batch printed: $batchCount" Write-Output "[DEBUG] Next marker: $($feed.marker)" if (($feed.fetchedCount -eq 0) -or [string]::IsNullOrWhiteSpace($feed.marker)) { Write-Output "[INFO] Stopping because fetchedCount is 0 or marker is empty." break } $marker = $feed.marker } Write-Output "[INFO] Total events retrieved: $totalEvents" } Fetch-Events # end script -----------------------------------------------------------------------------
App Analytics Dashboard not having all filters
Currently App Analytics Dashboard covers all the application or traffic going to Cato PoP. I have users who also uses Cato SDP in mobile phone but those are BYOD devices. Now when I see analytics dashboard, it shows various applications which are blocked in windows/MAC OS like whatsApp. But in App Analytics Dashboard, it also shows application like "WhatsApp" with almost traffic in 10-15GB which is unnecessarily flagged by auditors wherein these are allowed from personal mobile device . There is no filter currently in dashboard to filter insights bases device OS type so that I can remove IOS from device type so that it shows correct picture. I asked this in Ask AI feature and it said :- Unfortunately, based on the Cato documentation, there is no built-in feature to completely exclude specific devices or device types from traffic monitoring and analytics. Current Limitations App Analytics shows all traffic: The App Analytics page includes data for all traffic flowing through the Cato Cloud, including blocked apps and traffic from all device types. According to the documentation: "The App Analytics page includes data for blocked apps. This is because the PoP allows the client device trying to access the app to send multiple packets to the PoP, so it can identify the app and apply the block rule." No device-type exclusion from analytics: While you can filter analytics by device type (iOS, Android, etc.), you cannot exclude specific device types from being collected or displayed in analytics altogether. Workaround - Contact Cato Support: This might be a feature request worth submitting to Cato, as BYOD privacy concerns are common in enterprise environments. Can Cato Team looks into this?URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though! Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful. Thanks Nath based on your comment I have added following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic. https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374Introducing the Cato GraphQL API Playground
Explore how the Cato GraphQL API Playground streamlines API exploration, query development, and team collaboration.In this video, you’ll learn how to: Interactively explore the GraphQL schema and available API operations Write and test queries in real time with syntax highlighting Debug and troubleshoot API responses efficiently Save query history and share examples with your team for better collaboration Whether you’re a developer, tester, or network engineer, the Cato GraphQL API Playground helps you accelerate development and improve API reliability.
Is there any way to expose/export DHCP logs from Cato SDP clients?
is there any way (events / API) to see DHCP events for our SDP users? Our security vendors (Rapid7 and Defender for Identity) are doing correlation based on DNS and DHCP events and sometimes see SDP addresses as different machines. I have DNS and PTR records updating but am curious if there is any way to expose the DHCP lease events for SDP users. I see those events for other Cato DHCP but not for SDP users in my tenant. Cato has the concept of "User Awareness" that is correlating IP addresses to User IDs. When we were using Windows DHCP servers we fed the logs to our security vendors for a similar type of correlation between IP addresses and User IDs. As we are moving away from Windows Servers in our offices, we are losing this visibility. We are beginning to allow Cato to provide the DHCP on our LAN segments, as well as for our remote SDP client users. As this happens, we are seeing DHCP events on the LAN segments which can be tied to machine names and matched against login events via active directory or Entra ID to correlate IP addresses to users. However, for our remote SDP client users I cannot seem to find DHCP events. This leads to issues. Microsoft Defender for Endpoint sees a user getting different IP remote SDP client addresses in the 10.41.x.x as "Pass the Hash" attacks. However, when I investigate, it is the same workstation being getting different IP addresses through normal, remote operation. If the user does not reboot/login every day this raises security alerts. Am I missing the point, or not configuring something correctly? Is there a way via API or syslog forwarding to monitor DHCP logs from Cato for both LAN segments and SDP client segments? The ultimate solution would be log forwarding type of solution where I could forward all Cato DHCP lease events to Microsoft Defender for Endpoints/Identity and my security vendor (Rapid7) but I am just wondering how others are handling this. I figured I would ask around before I put something in the Idea hub for a non-issue.Migration SCIM to SCIM Provisioning
Hello Team, We currently use Okta for SSO and SCIM provisioning with Cato. We want to keep SSO authentication on Okta, but move provisioning from Okta to Saviynt. Our Understanding: - We understand SCIM endpoints are scoped per directory (sourceId) as /scim/v2/{accountId}/{sourceId}. - We also noted documentation stating multiple IdPs are supported, but not recommended as a migration method. Could you please advise the following? Is there a recommended procedure to migrate existing users from an Okta SCIM directory to a new Saviynt SCIM directory? If adding a new SCIM directory is not recommended for migration, please point us to the recommended migration steps or best practices. We want users and groups provisioned via Saviynt to authenticate via Okta SSO. Is mapping Saviynt directory to the Okta SSO provider a possible configuration? Please let us know if you have any recommend plan. Thank you,
Featured Content
