Cato Connect is on READ-ONLY mode until June 22nd, 2026

Explore the Community

Cato Cloud: Cato and SASE discussions and best practices.
API: API questions-and-answers, discussions, and best practices.
Community Help: Start here with any Cato Connect questions! Community guides and information.

Recent Discussions

Cato Connect is moving!
Community Update

As of today, we'll be moving into read-only mode and will remain there until Monday, June 22. We're in the process of migrating to our new community home, and this temporary pause will help us make sure that everything is set up for a smooth transition.

We're excited about what's ahead and look forward to creating an even better experience for all of you. Thank you for your patience, flexibility, and support throughout this process. A special shout-out to those of you who are going through a second migration with me, at this point, you've practically earned honorary migration expert status! 😄

Quick FAQ:

Will my content migrate?
Yes - everything you have created here is coming with you. That's part of the reason for this pause in action, it allows us to take everything and leave nothing behind.

What do I do if I need help in the meantime?
Our community email (community@catonetworks.com) is always available to you for questions, emotional support, and funny GIFs. The team and I are watching and ready to answer.

How will we know the community is back up?
I'll post in our new space and you will get a notification - if I don't see you around for a while, I may send you a little reminder.

We are excited about the new opportunities this new software is providing and can't wait to share all the cool stuff with you. We truly appreciate everyone's understanding and can't wait to welcome you into our new space next week. See you on June 22!

41 Views, 0 likes, 0 Comments

Users behind the socket cannot access IPSec Tunnels
Users working remotely (home network) are able to successfully access Azure Virtual Desktop (AVD). However, when users are connected via the Site Socket, access to AVD fails.

As part of our troubleshooting, we manually configured the client-side DNS settings on a test laptop. With this configuration, DNS resolution functioned as expected, and we were able to successfully establish connectivity to AVD. This behavior suggests that the issue is related to DNS resolution within the Cato environment, specifically, DNS forwarding to the client-defined DNS servers does not appear to be functioning as expected.

Given this, we would like to inquire if there is a mechanism to prioritize client DNS settings on a per-user or per-group basis within Cato.

For reference, when connected via the Site Socket network, client devices are assigned IP addresses within the subnet range 10.254.xxx.x. When users are connected via Home Wi-Fi or Mobile Data, they are able to successfully access the client’s Azure Virtual Desktop (AVD). In this scenario, the assigned IP address falls within the subnet range 10.20.xxx.xx.

278 Views, 0 likes, 3 Comments

Any method to disable management access to the Web UI from the LAN
I would like to restrict management access to the Socket Web UI from the LAN. However, in a post from about a year ago, no solution was provided.

Is there a way to restrict access to the WebUI? | Cato Connect

Has there been any update or new feature introduced that enables this? Thank you.

257 Views, 0 likes, 4 Comments

Recording: API/DevOps Live - May 2026
Thank you to everyone who joined our recent API/DevOps Live. If you’re looking to move from manual network/security operations to scalable, automated workflows, this session walks through exactly how to do that using Cato’s DevOps toolkit.

What we covered
- How to apply DevOps principles to your Cato environment
- Using the CLI for day-to-day operations and bulk changes
- Leveraging Terraform for infrastructure as code (including brownfield environments)
- Going deeper with the SDK for custom automation and integrations
- How these layers connect: SDK → CLI → Terraform → AI-assisted workflows

Key highlights
- Real-world examples of bulk config changes (DHCP, WAN priority, rules)
- How to export operational data like degraded sites
- A practical look at a “day in the life” of an operator
- Demo of AI-assisted workflows with built-in security guardrails (including blocking sensitive data like API keys)

Questions we addressed
- What should I be automating first?
- How do I handle existing (brownfield) environments with Terraform?
- When should I use CLI vs Terraform vs SDK?
- How can I safely use AI tools in a DevOps workflow?

Watch the full recording

Here are some resources mentioned in the video:
- Getting started with Cato CLI
- Terraform Quickstart + Brownfield Onboarding
- Cato Networks Github
- Github Cato Networks API Explorer
- Github MCP Server Wrapping Cato CLI

If you have questions or want to share how you're using automation in your environment, drop a comment below, we’d love to hear from you.

111 Views, 2 likes, 0 Comments

Issue creating IPsec tunnel with identification_type FQDN
Hi Cato community,

I have encountered an issue where it is not possible to create an IPSec tunnel using the following configurations:

Site type: IPSecV2
connectionMode: RESPONDER_ONLY
identificationType: FQDN

Since the IPsec is responder only with FQDN identification, the updateIpsecIkeV2SiteTunnels mutation cannot be used to create such tunnels as it will require a public site ip, but FQDN will give local ID. When I tried to enter a dummy ip to test it out, it shows a "GraphQL error: Required"; leaving it blank will produce "Required field 'primary_public_site_ip' is missing or empty".

Are there any solutions/workarounds for this? Let me know if more information is required.

Cheers,
VincentP

407 Views, 0 likes, 5 Comments

Meraki Integration?
In the 4/27/2026 product announcements it says:

"Cisco Meraki Access Point Events in Experience Monitoring: Integrate Wi-Fi access point events from Cisco Meraki and correlate them with user experience data to improve troubleshooting of office connectivity issues. Requires a DEM license and configuration of the Cisco Meraki connector"

We have the required DEM license, but it references setting up the Meraki connector (Cisco Meraki: Creating the Experience Monitoring Connector – Cato Learning Center), but when we go to set up the Meraki integration there does not seem to be a Meraki integration to configure. What am I missing?

282 Views, 0 likes, 2 Comments

Cato Connect Event: DevOps/API Live - May 2026
We’re back with a live session focused on DevOps and API workflows designed for customers and partners who want to build, automate, and scale with Cato.

During this session, we’ll walk through practical, real-world use cases and tooling, including:
- API explorer and code generation
- Terraform bulk rule and site provisioning
- Brownfield deployments
- MCP Server, custom reports, and analysis
- CatoCLI, troubleshooting, and bulk configuration management
- And time for questions

Join us on: May 7, 2026 1:00 PM ET

Register here

Presenters:
- Brian Anderson, Global Field CTO
- Joe Fontes, Major Sales Sales Engineer
- John Farthing, Professional Services Consultant

63 Views, 2 likes, 0 Comments

LDAP Integration – Is Password from AD or Local SDP?
Hi,

In a setup where LDAP (Active Directory) is configured in Cato for user provisioning only, and no SSO is in place:

- Is LDAP also used implicitly for authentication (LDAP bind)?
- Or is authentication handled locally by Cato (separate SDP credentials)?

There doesn’t seem to be a clear setting indicating LDAP auth vs provisioning-only. Would like to confirm the expected login behavior.

Thanks.

140 Views, 0 likes, 3 Comments

IP Containers in Firewall Rule
According to the KB, "The Internet firewall inspects traffic between the WAN and the Internet and lets you create rules to control this traffic."

Dumb question but then is the firewall one directional? WAN to Internet? I ask because other firewalls have rules/policies that are bi-directional. When I tried to create an Internet firewall rule in CATO and tried to select an IP Container (bad source IPs) it did not have an option, which indicates to me that the Internet Firewall rules are WAN to Internet only. In that case how do I apply an IP Container to block for inbound traffic from the Internet?

193 Views, 0 likes, 4 Comments