Explore the Community
Cato Cloud
Cato and SASE discussions and best practices.
API
API questions-and-answers, discussions, and best practices.
Recent Discussions
Has anyone successfully queried the auditFeed endpoint using the Cato API?
I’m trying to automate daily audit/change reporting from our Cato tenant by using the auditFeed GraphQL endpoint. I can successfully authenticate and run other queries (such as accountMetrics), but every valid auditFeed request results in the following error: { "errors": [ { "message": "internal server error", "path": ["auditFeed", "timeFrame"] } ], "data": { "auditFeed": null } } Here is the minimal reproducible query: Query query TestAuditFeed($accountIds: [ID!]!, $timeFrame: TimeFrame!) { auditFeed(accountIDs: $accountIds, timeFrame: $timeFrame) { from to fetchedCount hasMore marker accounts { id } } } Variables: { "accountIds": ["<my-account-id>"], "timeFrame": { "last": "P1D" } } This request passes schema validation but the resolver returns an internal error every time. Attempts with from/to, small windows, and other valid TimeFrame shapes produce the same error. Introspection (__type) is disabled for my tenant, so I cannot check field-level definitions. Question: Has anyone successfully used auditFeed in a production Cato tenant? If so, could you share a working query + variables example, or any insight on required schema structure or known limitations? Appreciate any help in validating that this will work or if there is some issue I am running up against. Thank you.
Cato Rapid7 SIEM API Integration
Followed the configuration steps in the links below, but laid an egg. I mean, the integration still isn’t working https://support.catonetworks.com/hc/en-us/articles/13975273800733-Cato-Data-Third-Party-Supported-Integrations https://docs.rapid7.com/insightidr/cato-networks/ I’ve opened tickets with both Cato and Rapid7 since each points to the other as the root cause. It’s turning into a real whodunit, fun and frustrating at the same time. If anyone has already solved this mystery, please share any insights.2-arm VPN router behind Socket
I have a Cisco router from a 3rd party provider that provides access to that 3rd party providers networks. Thie router uses a 2-arm configuration with WAN and LAN interfaces. The WAN cannot be a public routed IP, it must be a private IP. The router's existing deployment has the WAN interface connected to a DMZ zone off our legacy firewall, which uses a subnet of 192.168.1.0/24 and the router's LAN interface is connected to a trusted LAN subnet of 172.29.1.0/24. The firewall does not have any inbound ports open to the VPN router's WAN interface, as the router is configured to outbound initiate the VPN tunnel. I need to move this router to sit behind the socket so I can remove the legacy firewall from our network. What would be the best way to set this up? Note that VLAN's are terminated to a L3 switch at this location, and I am not looking to move them to the socket at this time. I would also prefer to not have the 192.168.1.0/24 subnet advertised to the entire Cato network (especially ZTNA clients).
Windows Cato Client Throughput Throttled by 3rd-Party Software
Hi everyone, We would like to raise awareness of a recent issue we've seen quite often in Cato support: 3rd-party software, such as the Intel Connectivity Performance Suite and Dell Optimizer, throttles network throughput while the Cato Client for Windows is connected, often by 50% or more compared to when the Cato Client is disconnected. These programs are designed to prioritize different types of traffic, but they aren't optimized for use with the Cato Client. While we work with these vendors to resolve these issues, we recommend uninstalling these software programs to achieve maximum throughput and performance when using the Cato Client. We recently added a step in our Cato SDP Client Performance Troubleshooting KB to check for these programs and provided links to the vendors' uninstall instructions. If you know of any other 3rd-party software that interferes with Cato Client performance, please feel free to comment and share with others here or open a support ticket so we can investigate further. Thank you!
Creating NAT Rules
Hi, I’m trying to figure out if it’s possible to create or update NAT Policy Rules for a site using the Cato GraphQL API. I’m using the siteUpdate mutation to modify the natPolicyRules field (adding DNAT rules), but I keep getting a "permission denied" (Code104) error even though my API key should have the right permissions. Just to clarify, the rules I want to create are in: Network → Sites → [Selected Site] → Routing → NAT Before I go any further, can someone confirm : Is it actually possible to create/modify NAT rules via the GraphQL API ? Is siteUpdate the right mutation for this ? I have about 300 DNAT rules to create, so doing it manually in the UI would be pretty painful. Thanks !Recording: AMA with Professional Services - November 2025 Session 2
In our last AMA with our Professional Services team we dove into two major topics: TLS Inspection and CASB/DLP. These features are critical for improving visibility, securing encrypted traffic, and protecting sensitive data. If you missed the session, don’t worry! We’ve summarized the key points and answered your most pressing questions below. (Slides from the presentation are attached for deeper detail.) Presentation Highlights TLS Inspection Why it matters: Over 90% of internet traffic is encrypted, which is great for privacy but creates blind spots for threats like malware and phishing. Benefits: Organizations enabling TLS inspection block 52% more malicious traffic. Challenges: Complexity, operational burden, and compliance concerns often slow adoption. Cato’s approach: Cloud-native TLS inspection with Safe Mode simplifies rollout, minimizes disruption, and includes automatic bypass lists for problematic apps. Best practices: Block QUIC/GQUIC, manage bypass lists, and roll out gradually in phases. CASB & DLP Purpose: Protect sensitive data, ensure compliance, and gain visibility into SaaS usage. CASB: Focuses on application control—monitoring activities like uploads/downloads and enforcing granular policies. DLP: Adds content inspection to prevent data leaks based on patterns, sensitivity labels, or custom rules. Implementation: Start with monitoring, then enforce policies gradually. TLS inspection is a prerequisite for both. Q&A Highlights Q1: Is TLS Inspection becoming more popular? Yes! Adoption has improved significantly since the introduction of Safe TLS Mode, which uses a wizard to simplify configuration and automatically applies recommended bypasses. This reduces risk of breaking apps and makes rollout less intimidating. Q2: What about mobile apps using QUIC? QUIC-based apps (e.g., WhatsApp, Jira) can pose challenges. Recommendations include: Verify automatic bypass settings for native apps. Block QUIC/GQUIC to force fallback to TCP for inspection. Apply exceptions only when necessary. Q3: Will users get notified when DLP blocks an action? Currently, notifications are basic, but enhancements are planned. Soon, users will see alerts like “Action blocked due to company policy” via the client, with more detailed CMA alerts coming later. Q4: Can we filter CASB activities like upload/download? Yes! The Cloud Activity Dashboard shows top activities and allows filtering by action (e.g., upload). You can also drill down into events for detailed visibility. Q5: Is AWS GovCloud supported for log integration? Not at this time. The current integration works with standard AWS S3 buckets. GovCloud support is a common request and may be addressed in future updates. Q6: Any update on combining SDP and EPP into one app? It’s on the roadmap, but no detailed timeline yet. Q7: How to handle bandwidth spikes during patching? Use Bandwidth Management to map update traffic to a lower-priority queue, ensuring critical apps maintain performance during bursts. Thanks to everyone who joined and asked great questions! If you have ideas for more content that we can create that will be useful to you and your team, feel free to leave us a comment or email our community team at community@catonetworks.com. Stay tuned for our next AMA in February :) bring your questions and your favorite warm beverage!
AWS - OpenVPN routing clash for Cato SDP
Hi, We have been a Cato customer for just over a year now and we have a hybrid network Infra, of some onprem servers and new workloads been hosted in both AWS & GCP. My question is around the use of existing OpenVPN for accessing our AWS trusted VPCs and users having issues with Cato SDP and OpenVPN clashing for DNS/routes etc.. when trying to access the AWS vs. Onprem server environments. We need staff to be on Cato SDP all the time for montioring, audting and best security practices.. however it clashes with some users who need OpenVPN AWS access. What do other companies do to get around this issue (if they have a similar routing issue at all?). Split tunnel vs. AWS marketplace Cato virtual socket (EC2 instance needed per account?). I would be very interested to see if others have seen or have a good work around to this dilemia.
