Cato Connect is on READ-ONLY mode until June 22nd, 2026 - Read More Here
Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Community Help
Start here with any Cato Connect questions! Community guides and information.Recent Content
Cato Connect is moving!
Community Update As of today, we'll be moving into read-only mode and will remain there until Monday, June 22. We're in the process of migrating to our new community home, and this temporary pause will help us make sure that everything is set up for a smooth transition. We're excited about what's ahead and look forward to creating an even better experience for all of you. Thank you for your patience, flexibility, and support throughout this process. A special shout-out to those of you who are going through a second migration with me, at this point, you've practically earned honorary migration expert status! 😄 Quick FAQ: Will my content migrate? Yes - everything you have created here is coming with you. That's part of the reason for this pause in action, it allows us to take everything and leave nothing behind. What do I do if I need help in the meantime? Our community email (community@catonetworks.com) is always available to you for questions, emotional support, and funny GIFs. The team and I are watching and ready to answer. How will we know the community is back up? I'll post in our new space and you will get a notification - if I don't see you around for a while, I may send you a little reminder. We are excited about the new opportunities this new software is providing and can't wait to share all the cool stuff with you. We truly appreciate everyone's understanding and can't wait to welcome you into our new space next week. See you on June 22!
Configure a Private DNS server with Cato DNS
Does anyone configure a private DNS server (Windows DNS server) with the Cato default DNS server? We have a private DNS server to resolve the internal hosts. But I am a bit confused about how I can configure this with Cato DNS? Any leads would be appreciated.
Any method to disable management access to the Web UI from the LAN
I would like to restrict management access to the Socket Web UI from the LAN. However, in a post from about a year ago, no solution was provided. Is there a way to restrict access to the WebUI? | Cato Connect Has there been any update or new feature introduced that enables this? Thank you.
Users behind the socket cannot access IPSec Tunnels
Users working remotely (home network) are able to successfully access Azure Virtual Desktop (AVD). However, when users are connected via the Site Socket, access to AVD fails. As part of our troubleshooting, we manually configured the client-side DNS settings on a test laptop. With this configuration, DNS resolution functioned as expected, and we were able to successfully establish connectivity to AVD. This behavior suggests that the issue is related to DNS resolution within the Cato environment—specifically, DNS forwarding to the client-defined DNS servers does not appear to be functioning as expected. Given this, we would like to inquire if there is a mechanism to prioritize client DNS settings on a per-user or per-group basis within Cato. For reference, when connected via the Site Socket network, client devices are assigned IP addresses within the subnet range 10.254.xxx.x. When users are connected via Home Wi-Fi or Mobile Data, they are able to successfully access the client’s Azure Virtual Desktop (AVD). In this scenario, the assigned IP address falls within the subnet range 10.20.xxx.xx.
Issue creating IPsec tunnel with identification_type FQDN
Hi Cato community, I have encountered an issue where it is not possible to create a IPSec tunnel using the following configurations Site type: IPSecV2 connectionMode: RESPONDER_ONLY identificationType: FQDN Since the IPsec is responder only with FQDN identification, the updateIpsecIkeV2SiteTunnels mutation cannot be used to create such tunnels as it will require a public site ip, but FQDN will give local ID. When I tried to enter a dummy ip to test it out, it shows a "GraphQL error: Required"; leaving it blank will produce Required field 'primary_public_site_ip' is missing or empty. Are there any solutions/workarounds for this? Let me know if more information is required. Cheers, VincentP
Bypassing Cato via WAN Bypass and Split Tunnel
We need to add around 200 subnets to bypass Cato. My understanding is that they need to be added to all sites under the Site Configuration/Router/Bypass/Destination and for all SDP users via Access/Client Access Control/Split Tunnel policy. We have nearly 90 sites. Manually adding 200 subnets to 90 sites doesn't seem like a good time. Is this possible via the API? If so, can you point me toward the correct commands.
Creating NAT Rules
Hi, I’m trying to figure out if it’s possible to create or update NAT Policy Rules for a site using the Cato GraphQL API. I’m using the siteUpdate mutation to modify the natPolicyRules field (adding DNAT rules), but I keep getting a "permission denied" (Code104) error even though my API key should have the right permissions. Just to clarify, the rules I want to create are in: Network → Sites → [Selected Site] → Routing → NAT Before I go any further, can someone confirm : Is it actually possible to create/modify NAT rules via the GraphQL API ? Is siteUpdate the right mutation for this ? I have about 300 DNAT rules to create, so doing it manually in the UI would be pretty painful. Thanks !HTTP/2 and /3
When using CATO and navigating the internet through a browser, does CATO support protocols above HTTP1. (HTTP/2 and HTTP/3)? A website a user is trying to use only supports these new protocols, and so when connected to the network it shows him in a slowdown mode I have included the site for reference with a support page for this issue https://www.sanity.io/docs/help/http1-performance-issues
Meraki Integration?
in the 4/27/2026 product announcements it says: Cisco Meraki Access Point Events in Experience Monitoring: Integrate Wi-Fi access point events from Cisco Meraki and correlate them with user experience data to improve troubleshooting of office connectivity issues. Requires a DEM license and configuration of the Cisco Meraki connector We have the required DEM license, but It references setting up the Meraki connector Cisco Meraki: Creating the Experience Monitoring Connector – Cato Learning Center but when we go to set up the Meraki integration there does not seem to be a Meraki integration to configure. What am I missing?
