Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Content
Cato SDP Client to be auto intelligent to login instead of manual logging
I have recently migrated from Netskope to Cato Networks. One issue we have noticed is that users need to login once to Cato SDP client and then "Always-on policy" gets enabled. But users are smart, they don't login to SDP client itself as many sites gets blocked as per policy which they don't want so they don't login once also to SDP client thus making us non-compliant as absence of SDP client makes them vulnerable as they can browse malicious sites as well as can upload company data on public sites which typically gets blocked when connected over SDP client. In Netskope, we just had to push agents to the laptop and no user intervention was required, it automatically detects logged in user credentials so there was no scope for user to not login or bypass security controls. Can't we make zero touch experience for user so that there is no room for escape or delay as now we are totally dependent on user.
Always on VPN and troubleshooting connectivity issues
Hi, I wanted to check if anyone else have experienced issues with the users enabled for Always On when their SDP client can not connect. Ocasionaly we see clients can not connect showing different errors, like username not recognized, can not connect, etc. The problem is that our Zoho Assist remote management software is not available if the user laptop is not connected to Internet which it is not when using Always On. How do you guys provide support in this scenario? What we usually do is first disable Always on policy for that user and then re-install the CAto client using either local admin or service desk user account. The problem is that we need to change the passwords to those accounts after giving out to the user by phone. Basically we just need Zoho Assist client traffic to bypass Cato tunnel, we will be testing split tunnel feature and adding Zoho IPs to bypass. Curious to hear your thoughts. Thanks!
Need help with prelogin Intune deployment
Hello, I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. We are deploying devices from intune using the enrollment status page. So it gets deployed to them, they turn it on and it autopilots from there. The cato sdp client is being deployed with patchmypc and has a script in place with that for the required registry keys. The certificates are being deployed inside of a win32 intune win file with a script to install the certificate. Script for the certificate: yes it is password protected pfx file. (We do not have a certificate authority. (This did work for prelogin on my device.) Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My All of this was successfully installed, what could I be missing? The certificate is an SSL certificate and I confirmed that it worked prior to the autopilot on my personal work computer without autopiloting it. DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SETUP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL. Thanks,Split Tunnel basis FQDN/Domain
I am facing some issue wherein I am not able to browse some government site. There was an article on the same as well. As of now , I have configured split tunnel basis exclude IP and I have excluded IP address of one of the website of Government but this is not going to work as I have multiple websites of government which is not opening. Why there is no option to bypass or split tunnel basis FQDN or domain then I can exclude traffic for Government sites as it becomes a task for doing split tunnel basis individual IP address. Is it on road map as well or not?Use Case- Bypass internal application access through CATO when in office
I have been using Netskope where there is feature of split tunneling wherein when it detects that you are in office network then you can disable remote access and the traffic to internal application will be routed using your office MPLS/ILL thus only internet traffic going to CATO but when same users are working from home then both remote access as well as internet traffic goes via Netskope. Now with CATO, there is no option with me to exclude traffic going to CATO POP except IP ranges but I want the same experience that when users is in office, only internet traffic goes through CATO and not private access. I want this spliting done through CATO SDP client as I dont have any site license.
Clarification on Bandwidth Limit with Split Tunnel Policy
Hi CATO Community, I have a question regarding the CATO Bandwidth limit in relation to split tunneling policies. I have purchased a 25 Mbps CATO Bandwidth plan. If an SDP Client connects to the CATO Cloud and I configure a split tunnel policy to route some traffic outside of CATO Cloud (e.g., directly to the internet), will this traffic still be limited to the 25 Mbps bandwidth cap? 2, If the traffic is indeed limited, is there any method to bypass this limit for split tunnel traffic? Specifically, I want the split tunnel traffic to bypass the CATO Cloud entirely, avoid any security checks, and enjoy the full speed of our original internet connection. I would appreciate any insights or advice from those who have experience with this configuration. Thanks in advance for your help!API Request to get all SDP users
Hi everyone, I'm trying to get all users within my Cato platform. Like in Access > Users when you select SDP Users Activity. I cannot find any direct way to do it, maybe i'm missing something ? I tried with AccountSnapshot but here you can only find connected users, it is also stated that if I want users that are offline I need to specify the ID, is it the only way to do it ? Thanks, Billy
about Always-on Issue
On iOS devices, client certificate authentication and “Always-on” VPN configuration" is created with one configuration profile and distributed through MDM. The Cato Client app is also purchased through Volume Purchasing and distributed through MDM. https://support.catonetworks.com/hc/en-us/articles/360016152418-Distributing-Device-Certificates-to-macOS-and-iOS-Devices-with-Jamf Our user's Cato Client authenticates using the Registration code. Although Cato recommends against creating multiple VPN configurations, once the user authenticates with the Registration code, a second configuration profile "Cato Networks VPN" is automatically created by Cato Client. The problem with this is that users can manually turn off the VPN switch. I can manually delete the second profile, but it will be re-created after a while. This issue is fundamental to the Always-on feature and is so serious that organizations are starting to talk about discontinuing their use of Cato. Does anyone know of a good solution to this problem? shiva
IPS Whitelist GEO_RESTRICTION using domain name
Is there going to be an option in the future to whitelist geoblock IPS using a domain name? Currently only IP addresses affect geo_restriction, so, whitelisting all Microsoft servers in India is a bit like playing whack-a-mole. You can add a domain, but it throws an error (see screenshot below).
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Go here to find the registration link and get the calendar invite and join us live (must be logged in to Cato Connect to view the registration link) Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
