Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Always on VPN and troubleshooting connectivity issues
Hi, I wanted to check if anyone else have experienced issues with the users enabled for Always On when their SDP client can not connect. Ocasionaly we see clients can not connect showing different errors, like username not recognized, can not connect, etc. The problem is that our Zoho Assist remote management software is not available if the user laptop is not connected to Internet which it is not when using Always On. How do you guys provide support in this scenario? What we usually do is first disable Always on policy for that user and then re-install the CAto client using either local admin or service desk user account. The problem is that we need to change the passwords to those accounts after giving out to the user by phone. Basically we just need Zoho Assist client traffic to bypass Cato tunnel, we will be testing split tunnel feature and adding Zoho IPs to bypass. Curious to hear your thoughts. Thanks!
Need help with prelogin Intune deployment
Hello, I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. We are deploying devices from intune using the enrollment status page. So it gets deployed to them, they turn it on and it autopilots from there. The cato sdp client is being deployed with patchmypc and has a script in place with that for the required registry keys. The certificates are being deployed inside of a win32 intune win file with a script to install the certificate. Script for the certificate: yes it is password protected pfx file. (We do not have a certificate authority. (This did work for prelogin on my device.) Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My All of this was successfully installed, what could I be missing? The certificate is an SSL certificate and I confirmed that it worked prior to the autopilot on my personal work computer without autopiloting it. DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SETUP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL. Thanks,
Cato SDP Client to be auto intelligent to login instead of manual logging
I have recently migrated from Netskope to Cato Networks. One issue we have noticed is that users need to login once to Cato SDP client and then "Always-on policy" gets enabled. But users are smart, they don't login to SDP client itself as many sites gets blocked as per policy which they don't want so they don't login once also to SDP client thus making us non-compliant as absence of SDP client makes them vulnerable as they can browse malicious sites as well as can upload company data on public sites which typically gets blocked when connected over SDP client. In Netskope, we just had to push agents to the laptop and no user intervention was required, it automatically detects logged in user credentials so there was no scope for user to not login or bypass security controls. Can't we make zero touch experience for user so that there is no room for escape or delay as now we are totally dependent on user.Split Tunnel basis FQDN/Domain
I am facing some issue wherein I am not able to browse some government site. There was an article on the same as well. As of now , I have configured split tunnel basis exclude IP and I have excluded IP address of one of the website of Government but this is not going to work as I have multiple websites of government which is not opening. Why there is no option to bypass or split tunnel basis FQDN or domain then I can exclude traffic for Government sites as it becomes a task for doing split tunnel basis individual IP address. Is it on road map as well or not?CATO always on
Hi, I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA. We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client? Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that? Thanks!Get Started on Cato Connect
It’s good to have you here. Cato Connect is your space to connect with peers, share insights, and get the most out of your Cato experience. Whether you're here to ask a question, share best practices, propose ideas, or stay up to date with events, you’re in the right place. Where to first? 🔹 Log in – Click “Sign in” at the top right and use your Cato Networks credentials to access all community features. 🔹 Explore the Spaces – We’ve organized the community into three key areas to help you find what you need: Cato Cloud – Discussions, best practices, and information regarding Cato and SASE API – Questions and Answers and information from API experts Community Help – Cato Connect community-specific questions and information. Customer-Only Access As a Cato customer, you’ll have exclusive access to certain areas of the community. Once logged in, you’ll see customer-only discussions and resources designed just for you. Idea Hub – Come explore ideas that other customers have suggested, or bring up topics of your own to help improve Cato Networks. Customer Event Calendar – Come see what’s happening around Cato and sign up for any webinars or events we have coming up. How to Engage ✅ Jump into a discussion or ask a question in any of the Discussions areas. ✅ Follow any spaces that you would like to receive notifications for. ✅ Change your avatar and personalize your settings to get exactly what you want. Check out our Community Help area for more guides – feel free to request any additional documentations via the discussions area. 💡 Need help? If you have any issues logging in or navigating the community, feel free to reach out to the Community team at community@catonetworks.com. We’re excited to build this community with you – let’s get started! 🚀
about Always-on Issue
On iOS devices, client certificate authentication and “Always-on” VPN configuration" is created with one configuration profile and distributed through MDM. The Cato Client app is also purchased through Volume Purchasing and distributed through MDM. https://support.catonetworks.com/hc/en-us/articles/360016152418-Distributing-Device-Certificates-to-macOS-and-iOS-Devices-with-Jamf Our user's Cato Client authenticates using the Registration code. Although Cato recommends against creating multiple VPN configurations, once the user authenticates with the Registration code, a second configuration profile "Cato Networks VPN" is automatically created by Cato Client. The problem with this is that users can manually turn off the VPN switch. I can manually delete the second profile, but it will be re-created after a while. This issue is fundamental to the Always-on feature and is so serious that organizations are starting to talk about discontinuing their use of Cato. Does anyone know of a good solution to this problem? shiva
