Recent Discussions
Cato Rapid7 SIEM API Integration
Followed the configuration steps in the links below, but laid an egg. I mean, the integration still isn’t working https://support.catonetworks.com/hc/en-us/articles/13975273800733-Cato-Data-Third-Party-Supported-Integrations https://docs.rapid7.com/insightidr/cato-networks/ I’ve opened tickets with both Cato and Rapid7 since each points to the other as the root cause. It’s turning into a real whodunit, fun and frustrating at the same time. If anyone has already solved this mystery, please share any insights.
Terraform: IPsec site creation with Responder-only and destination type FQDN possible?
Hi, see subject. When trying to setup an ipsec site (IKEv2) in responder only mode and with destination type FQDN for primary and secondary tunnel, terraform (in fact opentofu), gives this error: │ Error: Cato API error in SiteAddIpsecIkeV2SiteTunnels │ │ with cato_ipsec_site.Vienna, │ on main.tf line 73, in resource "cato_ipsec_site" "Vienna": │ 73: resource "cato_ipsec_site" "Vienna" { │ │ {"networkErrors":{"code":422,"message":"Response body {\"errors\":[{\"message\":\"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId\",\"path\":[\"variable\",\"updateIpsecIkeV2SiteTunnelsInput\",\"primary\",\"tunnels\",0,\"tunnelId\"]}],\"data\":null}"},"graphqlErrors":[{"message":"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId","path":["variable","updateIpsecIkeV2SiteTunnelsInput","primary","tunnels",0,"tunnelId"]}]} ╵ That appears when adding the "tunnels" section. Without that section, a deployment if possible. Obviously, the tunnels section is required. --------------------snip-------------------- connection_mode = "RESPONDER_ONLY" identification_type = "IPV4" primary = { destination_type = "FQDN" tunnels = [ { public_site_ip = "10.10.10.10" psk = "abcABC1234567!!" //last_mile_bw = { //downstream = 10 //upstream = 10 } ] } ---------------snap------------------------------------- Is that supported with the terraform provider currently? Thanks, Christian
Events Filtering
Good day, I had been trying to use the catocli to pull events based on destination IP addresses and it only return 1 event, while I can see multiple matching events within the same time frame in CATO portal. I wonder if anyone had come across similar problem and had found a solution to it json query { "eventsDimension": [ { "fieldName": "dest_ip" } ], "eventsFilter": [ { "fieldName": "dest_ip", "operator": "is", "values": "5******8" } ], "eventsMeasure": [ { "aggType": "any", "fieldName": "action" }, { "aggType": "any", "fieldName": "src_ip" }, { "aggType": "any", "fieldName": "src_port" }, { "aggType": "any", "fieldName": "subnet_name" }, { "aggType": "any", "fieldName": "dest_ip" }, { "aggType": "any", "fieldName": "dest_port" } ], "eventsSort": [ { "fieldName": "action", "order": "asc" } ], "timeFrame": "last.P14D" } catocli command catocli query eventsFeed "json input from variable column" Response { "data": { "events": { "from": "2025-12-09T09:00:00Z", "id": "*******", "records": [ { "fieldsMap": { "action": "Monitor", "dest_ip": "************", "dest_port": "****", "src_ip": "*******", "src_port": "*****", "subnet_name": "**********" }, "fieldsUnitTypes": [ "none", "none", "none", "none", "none", "none" ], "flatFields": [ [ "action", "Monitor" ], [ "dest_ip", "****************" ], [ "dest_port", "************" ], [ "src_ip", "**************" ], [ "src_port", "***********" ], [ "subnet_name", "***************" ] ], "prevTimeFrame": null, "trends": null } ], "to": "2025-12-23T10:00:00Z", "total": 1, "totals": { "action": "********", "dest_ip": *****, "dest_port": *****, "src_ip": "********", "src_port": ****, "subnet_name": "***********" } } } } If anyone have any ideas, do kindly share. Thanks vm.Has anyone successfully queried the auditFeed endpoint using the Cato API?
I’m trying to automate daily audit/change reporting from our Cato tenant by using the auditFeed GraphQL endpoint. I can successfully authenticate and run other queries (such as accountMetrics), but every valid auditFeed request results in the following error: { "errors": [ { "message": "internal server error", "path": ["auditFeed", "timeFrame"] } ], "data": { "auditFeed": null } } Here is the minimal reproducible query: Query query TestAuditFeed($accountIds: [ID!]!, $timeFrame: TimeFrame!) { auditFeed(accountIDs: $accountIds, timeFrame: $timeFrame) { from to fetchedCount hasMore marker accounts { id } } } Variables: { "accountIds": ["<my-account-id>"], "timeFrame": { "last": "P1D" } } This request passes schema validation but the resolver returns an internal error every time. Attempts with from/to, small windows, and other valid TimeFrame shapes produce the same error. Introspection (__type) is disabled for my tenant, so I cannot check field-level definitions. Question: Has anyone successfully used auditFeed in a production Cato tenant? If so, could you share a working query + variables example, or any insight on required schema structure or known limitations? Appreciate any help in validating that this will work or if there is some issue I am running up against. Thank you.Creating NAT Rules
Hi, I’m trying to figure out if it’s possible to create or update NAT Policy Rules for a site using the Cato GraphQL API. I’m using the siteUpdate mutation to modify the natPolicyRules field (adding DNAT rules), but I keep getting a "permission denied" (Code104) error even though my API key should have the right permissions. Just to clarify, the rules I want to create are in: Network → Sites → [Selected Site] → Routing → NAT Before I go any further, can someone confirm : Is it actually possible to create/modify NAT rules via the GraphQL API ? Is siteUpdate the right mutation for this ? I have about 300 DNAT rules to create, so doing it manually in the UI would be pretty painful. Thanks !
