Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
December 2025 Winner - @Nath
3 MIN READ Congratulations to Nath for winning the Cato SWIFT award for community excellence and achievement for December 2025! Name and Job Title Nathan, Network Engineer How long have you been in IT/Software/Cybersecurity? I’ve been working in IT for just over seven years, building up experience across networking, security, and infrastructure. Most of that time has been focused on enterprise network operations and secure connectivity. What’s your favorite part of your job right now? The favourite part of my job is implementing new Cato features, especially when they’re ones we’ve been waiting for via the roadmap, or that originated from our own feature requests (there's been a few!). It’s always satisfying to see those improvements come to life and make a real impact in production. How long have you worked with Cato? I’ve worked with Cato for around four and a half years. I was involved in the initial selection of Cato as our SD-WAN/SASE vendor and played a key role in implementing the migration. Since then, I’ve continued to stay hands-on with the platform through operations, feature testing, and early access programs. What is the number one thing Cato has helped you achieve? Cato has given us a true single pane of glass for managing our network and security policies. Users now get a consistent experience wherever they connect from, with the same policies applied globally. It’s brought real consistency and simplification across the environment, and troubleshooting issues is now much quicker and easier. We still get the occasional incident that initially stumps up - but MTTR is significantly less) What do you want to see more of on the Cato Connect Community? I’d love to see more technical deep-dives and interactive sessions around upcoming features — for example, workshops where Cato shares what’s on the roadmap and customers can give input on how those features might impact their environments or influence GUI design. Real-world deployment stories or troubleshooting case studies from other customers would also be great to learn from - especially because there are so many legacy topologies out there that necessitate a different migration approach than which was necessary for us. What do you do for fun when you’re not working? I recently completed a part-time Masters degree in Advanced Networking, which was challenging but really rewarding. Outside of that, I’m a bodybuilder and train in the gym around six times a week — it’s a big part of my lifestyle. I also enjoy playing the piano as a creative outlet away from work and training. Any other comments/stories/anything else you’d like to say? I’ve really enjoyed being on the Cato journey. As a customer, we joined around four and a half years ago, and the progress since then has been incredible. Big shout-out to the Cato Support team — they’re phenomenal. Always responsive, helpful, and quick to get issues escalated to the right team and resolved promptly. Thank you so much for being such a big part of our Cato Connect Community journey! We appreciate you and enjoy watching you learn and grow on Cato Connect and beyond :)Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
Bypassing Cato via WAN Bypass and Split Tunnel
We need to add around 200 subnets to bypass Cato. My understanding is that they need to be added to all sites under the Site Configuration/Router/Bypass/Destination and for all SDP users via Access/Client Access Control/Split Tunnel policy. We have nearly 90 sites. Manually adding 200 subnets to 90 sites doesn't seem like a good time. Is this possible via the API? If so, can you point me toward the correct commands.Announcement: Introducing Cato Connect's new Idea Hub
We’re excited to introduce the Idea Hub to Cato Connect! This is a space where you can share your ideas, collaborate with fellow members, and vote on suggestions that resonate with you. What is the Idea Hub? The Idea Hub is a forum for brainstorming and discussing ideas that could enhance our products, services, or overall customer experience. Explain your use-case and issue in detail so your fellow Cato Connect members can expound on the idea or even share workaround or solutions. By voting and commenting, we can surface the ideas that are truly important to our community with context and relevant use cases and examples. What happens once an idea is created? The Idea Hub is the beginning of a journey - a starting point for a discussion. Once you have submitted an idea to the Idea Hub, your fellow Cato Connect members will vote and comment on the idea. Perhaps they might even offer a solution or a workaround, or point you to another idea in the Hub about a similar problem to the one you noticed. Each comment and vote creates a more robust story for the Cato Networks Team to discuss, so don't skimp on the details. How Does It Differ from RFEs (Requests for Enhancements)? Idea Hub: A collaborative space for discussion, exploration, and voting on ideas. It’s designed to capture a wide range of feedback and innovation. RFEs: A formal process for submitting specific, detailed enhancement requests - opened by a customer's Cato Networks Representative on their behalf in certain circumstances. By keeping these two processes separate, we ensure that both can operate effectively to meet your needs. Further FAQs can be found here. Thank you for contributing to this new initiative! We can’t wait to see your creativity and insights in action. Stay SASE - Your Cato Networks Team
Area for users to submit and vote for RFEs
Currently the only option to submit an RFE is to contact CATO representative by email and answer a set of template questions. With this method, different users are not aware of RFEs already opened, their status etc. and it is likely they submit similar or the same ideas independently. I would recommend to create an area in this community portal to submit RFEs, review the ones already opened by others and maybe vote for the ones you appreciate. Vote results could be a way for CATO Team to understand what are the needs and expectations of the customers, and maybe prioritize some RFEs over another. RFEs submitted by users could go through a review/approval process first, so CATO Team checks if something similar was already created in the past (to avoid duplicates) or if provided description is complete and enough to start the process.
Site Management API Multi-Tool Workshop
Welcome to this hands-on workshop where you'll learn to manage Cato Networks infrastructure (socket sites, network interfaces and network ranges) using three different tools in a real-world workflow. This exercise outlines the API structure for managing site configurations, and demonstrates the flexibility of the Cato API ecosystem, while teaching you when and how to use each tool for maximum efficiency. What You'll Learn By the end of this workshop, you'll be able to: Install, configure and use the Cato API Explorer (containerized web-based GUI) providing code generation including syntax for python, catocli, and CURL Install, configure and use the Cato CLI to both read and update configurations Create new Cato sites, network interfaces and add network ranges to interfaces via API Why Use Multiple Tools? In real-world scenarios, you'll often use different tools for different tasks: Tool Best For Use Case API Explorer Testing new APIs, one-off changes, learning Initial site creation, exploring API capabilities Cato CLI OS agnostic tool for bulk operations, automation scripts Updating multiple sites, generating reports cURL Generic method of calling APIs directly, troubleshooting Integrating with existing automation, minimal dependencies Prerequisites Before starting, ensure you have the following installed on your machine: Install Python Install Cato CLI Install Docker Desktop on Mac, Windows, or Linux NOTE: Manually start the docker application before checking if it is running open -a docker Validate Required Tools # 1. Docker (for API Explorer) docker --version # 2. Python 3.6+ python3 --version # 3. Cato CLI catocli --version # 4. CURL curl --version Cato API Credentials You'll need: API Token: Generated from the Cato Management Application. Refer to Generating API Keys for the Cato API. NOTE: Save the token securely (you won't be able to view it again). Account ID: Your Cato account number found in Account > Account Info or in the CMA URL, example: https://system.cc.catonetworks.com/#/account/{account_id}/ Site Management API Workshop Overview The site workshop workflow consists of four main phases: Phase 1: Create Site using Cato API Explorer (Docker Web UI) Phase 2: Retrieve Site ID using Cato CLI Phase 3: Update Interface using Cato CLI Phase 4: Retrieve Interface ID using Cato CLI Phase 5: Add Network Range using CURL from Cato API Explorer Phase 1: Create a Site Using API Explorer Step 1.1: Launch the API Explorer The Cato API Explorer is a Docker-based web application that provides an interactive GUI for testing GraphQL API calls. mkdir cato-api-explorer cd cato-api-explorer # Create docker-compose.yml cat << 'EOF' > docker-compose.yml services: cato-api-explorer: container_name: cato-api-explorer image: ghcr.io/catonetworks/cato-api-explorer:latest ports: - 8080:8080 - 8443:443 EOF # Pull and start the container docker-compose pull docker-compose up -d Step 1.2: Access the API Explorer # Open in your browser open http://localhost:8080 Step 1.3: Configure API Credentials Click on the Settings tab (gear icon) Enter your API Endpoint, API Token, and Account ID Click Save Settings Step 1.4: Create the Site Follow these steps in the API Explorer: Navigate to the GraphQL API tab and enter addSocketSite in the API Operation field Select mutation.site.addSocketSite() from the dropdown Click Edit on the addSocketSiteInput field and fill out required fields Change connectionType to SOCKET_X1600, and site name to My 1600 Site Configure the siteLocation with your desired city, state, and country Request Variables should reflect: { "accountId": "12345", "addSocketSiteInput": { "connectionType": "SOCKET_X1600", "name": "My 1600 Site", "nativeNetworkRange": "10.111.0.0/24", "siteLocation": { "city": "San Diego", "countryCode": "US", "stateCode": "US-CA", "timezone": "America/Los_Angeles" }, "siteType": "BRANCH" } } Click "Execute" and save the returned siteID. Example mutation.site.addSocketSite() screenshot in API Explorer: Phase 2: Retrieve Site ID Using Cato CLI Now that we've created the site, let's verify it exists and retrieve its ID using the Cato CLI. Step 2.1: Configure Cato CLI # Interactive configuration catocli configure Step 2.2: Search for the Site # Use help menus catocli -h catocli entity -h # Search by site name catocli entity site list -s "My 1600 Site" # Pretty print JSON output catocli entity site -p # Format as CSV catocli entity site -s "My 1600 Site" -f csv Phase 3: Update Interface Using Cato CLI Now we'll update the site's network interface configuration using syntax generated from the API Explorer. Step 3.1: List Existing Interfaces By default when creating a Cato site, the site will have one LAN interface and one WAN interface. The default LAN interface will be configured as the native range used when creating the site. # Use entityLookup to get interface info catocli query entityLookup '{ "entityInput": { "id": "12345", "type": "site" }, "type": "networkInterface" }' Step 3.2: Update the Interface In the API Explorer, configure the interface update: Navigate to GraphQL API tab and enter updateSocketInterface Select INT_7 as the interface to configure Set destType to LAN Configure subnet and localIp Request Variables should reflect: { "accountId": "12345", "siteId": "172807", "socketInterfaceId": "INT_7", "updateSocketInterfaceInput": { "destType": "LAN", "lan": { "localIp": "10.112.0.1", "subnet": "10.112.0.0/24" } } } Example mutation.site.() screenshot in API Explorer: Step 3.3: Execute with Cato CLI Copy the Cato CLI syntax from the API Explorer and execute using your siteID: catocli mutation site updateSocketInterface '{ "siteId": "12345", "socketInterfaceId": "INT_7", "updateSocketInterfaceInput": { "destType": "LAN", "lan": { "localIp": "10.112.0.1", "subnet": "10.112.0.0/24" } } }' Phase 4: Retrieve Interface ID After updating the interface, retrieve the Interface Entity ID for adding network ranges: # Retrieve interface details catocli entity networkInterface list -f csv # Or use entityLookup catocli query entityLookup '{ "entityInput": {"id": "12345", "type": "site"}, "type": "networkInterface" }' Save the Interface Entity ID for the INT_7 interface for use in Phase 5 Phase 5: Add Network Range Using cURL Finally, we'll add a network range to the INT_7 interface using a raw cURL command. Step 5.1: Configure in API Explorer In API Explorer, navigate to addNetworkRange Select the LAN_7 interface Configure network range parameters (name, subnet, VLAN, DHCP) Uncheck Mask secret key checkbox to reveal your API key Example mutation.site.() screenshot in API Explorer: Step 5.2: Execute cURL Command Copy the cURL command from the API Explorer and execute in your terminal: curl -k -X POST \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "x-API-Key: YOUR_API_KEY_HERE" \ 'https://api.catonetworks.com/api/v1/graphql2' \ --data '{ "query": "mutation siteAddNetworkRange ( $lanSocketInterfaceId:ID! $addNetworkRangeInput:AddNetworkRangeInput! $accountId:ID! ) { site ( accountId:$accountId ) { addNetworkRange ( lanSocketInterfaceId:$lanSocketInterfaceId input:$addNetworkRangeInput ) { networkRangeId } } }", "variables": { "accountId": "11362", "addNetworkRangeInput": { "dhcpSettings": { "dhcpType": "ACCOUNT_DEFAULT" }, "localIp": "10.113.0.1", "name": "Custom Network", "rangeType": "VLAN", "subnet": "10.113.0.0/24", "vlan": 123 }, "lanSocketInterfaceId": "207469" }, "operationName": "siteAddNetworkRange" }' Expected Response: Network Range ID returned { "data": { "site": { "addNetworkRange": { "networkRangeId": "UzY1NDI4Mg==" } } } } Key Takeaways When to Use Each Tool API Explorer (Web GUI): Initial testing and exploration Learning the API structure One-off changes during troubleshooting Generating cURL and Python templates Cato CLI (catocli): Bulk operations and reporting Automation scripts Quick queries from command line CSV/JSON export capabilities cURL (Raw API): Troubleshooting and calling APIs directly Minimal dependencies Custom error handling with verbose output (-v flag) Integration examples for any programming language Additional Resources Cato API Essentials - Videos Cato CLI Cato API Documentation Congratulations on Completing the Workshop! You now have hands-on experience with three powerful API tools
Split Tunnel basis FQDN/Domain
I am facing some issue wherein I am not able to browse some government site. There was an article on the same as well. As of now , I have configured split tunnel basis exclude IP and I have excluded IP address of one of the website of Government but this is not going to work as I have multiple websites of government which is not opening. Why there is no option to bypass or split tunnel basis FQDN or domain then I can exclude traffic for Government sites as it becomes a task for doing split tunnel basis individual IP address. Is it on road map as well or not?Cato Connect Event: AMA with Professional Services - November 2025
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners. We're doing things a little differently this time: First of all, we'll be honing in on specifics around CASB and TLSi, we will even have a short demo at the beginning to help you start using, or get the most out of, your investment. (We'll still take general questions from the audience) The other change is that this time, we're offering ~*options*~ Join us on: November 4th, 2025 at 3pm HKT or November 6th, 2025 at 11am EST During this live AMAs with members of our talented Professional Services team we’ll cover topics like: The latest versions of TLSi and CASB Best practices we’ve seen across real-world environments Your questions... seriously, bring them Here’s how to get the most out of it: Register for the November 4th or November 6th meetings and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Steven Wong Professional Services Engineer Kushtrim Kelmendi Principal Consultant Professional Services, EMEA Martin Guerrero Commercial Sales Engineer If you run into any issues, @mention me or email us at community@catonetworks.com
