Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
Bypassing Cato via WAN Bypass and Split Tunnel
We need to add around 200 subnets to bypass Cato. My understanding is that they need to be added to all sites under the Site Configuration/Router/Bypass/Destination and for all SDP users via Access/Client Access Control/Split Tunnel policy. We have nearly 90 sites. Manually adding 200 subnets to 90 sites doesn't seem like a good time. Is this possible via the API? If so, can you point me toward the correct commands.Announcement: Introducing Cato Connect's new Idea Hub
We’re excited to introduce the Idea Hub to Cato Connect! This is a space where you can share your ideas, collaborate with fellow members, and vote on suggestions that resonate with you. What is the Idea Hub? The Idea Hub is a forum for brainstorming and discussing ideas that could enhance our products, services, or overall customer experience. Explain your use-case and issue in detail so your fellow Cato Connect members can expound on the idea or even share workaround or solutions. By voting and commenting, we can surface the ideas that are truly important to our community with context and relevant use cases and examples. What happens once an idea is created? The Idea Hub is the beginning of a journey - a starting point for a discussion. Once you have submitted an idea to the Idea Hub, your fellow Cato Connect members will vote and comment on the idea. Perhaps they might even offer a solution or a workaround, or point you to another idea in the Hub about a similar problem to the one you noticed. Each comment and vote creates a more robust story for the Cato Networks Team to discuss, so don't skimp on the details. How Does It Differ from RFEs (Requests for Enhancements)? Idea Hub: A collaborative space for discussion, exploration, and voting on ideas. It’s designed to capture a wide range of feedback and innovation. RFEs: A formal process for submitting specific, detailed enhancement requests - opened by Cato Networks Employees on behalf of customers in certain circumstances. By keeping these two processes separate, we ensure that both can operate effectively to meet your needs. Further FAQs can be found here. Thank you for contributing to this new initiative! We can’t wait to see your creativity and insights in action. Stay SASE - Your Cato Networks Team
X1700 Sockets running 22.0.19219 breaks HA
More of a caution, over the weekend we upgraded our sockets to 22.0.19219. No issues with our X1500's but sites running X1700's in an HA pair caused us some trouble. The HA keepalive no longer works, which was causing traffic to switch between Primary and Secondary sockets. Both sockets are showing as master. Engineering has discovered the root cause and are working on new version of the firmware, but wanted to let you all know in cause you plan to upgrade soon. Sockets can't reach each other via IP, but both sockets are pingable from other devices on the network.
Area for users to submit and vote for RFEs
Currently the only option to submit an RFE is to contact CATO representative by email and answer a set of template questions. With this method, different users are not aware of RFEs already opened, their status etc. and it is likely they submit similar or the same ideas independently. I would recommend to create an area in this community portal to submit RFEs, review the ones already opened by others and maybe vote for the ones you appreciate. Vote results could be a way for CATO Team to understand what are the needs and expectations of the customers, and maybe prioritize some RFEs over another. RFEs submitted by users could go through a review/approval process first, so CATO Team checks if something similar was already created in the past (to avoid duplicates) or if provided description is complete and enough to start the process.What's new at Cato? 25th November 2024
"Hey Robin, what's new at Cato Networks this week?" Great question, have a sub-1 minute video giving you a digest of the latest and greatest. Naturally, you can find a full list on our Knowledge Base here:https://support.catonetworks.com/hc/en-us/articles/23222708288157-Product-Update-November-25-2024 Don't forget - it's Thanksgiving in the US this Thursday, so let's reflect on the things we're thankful for: 1) Cato's rapid product development which helps keep us secure, protected and connected 2) Star Wars 3) Memes Happy Monday ya'll! 🦃
Hey, Robin! I currently use Okta to manage my users. How complicated is this to set up with Cato?
You know those situations where someone asks you a question, and you think to yourself "this is something that's going to be asked multiple times?" Yeah, this is one of them. While I was talking with a future Cato Customer, they asked a simple question about how difficult it would be to provision their users with SCIM into the Cato Management Application. Naturally they were hesitant (as this can be a mammoth task with many vendors), but with us, it's a pretty light-lift. Being the egotistical buffoon I am, I thought to record a video in a dimly lit hotel room. Of course we have fantastic product documentation that explains this procedure in detail, but some people are visual learners who want to see the 'final product' instead of the steps along the way. Remember, 5 hours of troubleshooting can often save you 10 minutes of reading the documentation 😀
Blocking icloud private relay "nicely"
I would like to block "icloud private relay" in such a way that the user would be notified and able to continue without icloud private relay. Apple's recommended way to do this is to block DNS requests to mask.icloud.com and mask-h2.icloud.com so a "no error/no answer" or NXDOMAIN response is returned. This alerts the users that they either need to disable private relay or choose another network. Details are here: Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer Is there a way to configure this using only Cato? I cannot see how to create a custom DNS rule to block specific queries, and I cannot see how to create a custom IPS rule either. Is there a recommended way to do this? What are others doing? I am in a Windows shop. I could redirect DNS queries to a Windows DNS server and use DNS query filtering, but would rather do a Cato only solution if possible. Per Apple: Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com
