Recent Discussions
Permission errors when testing Cato API with Python
HI all, I am currently working on a project to automate workflows in Cato with Python. I've already set and reviewed my API permissions and they should already inherit my account which is able to edit and view most of the resources. However, I still get this error: HTTP 200 { "errors": [ { "message": "permission denied", "path": [ "licensing", "licensingInfo" ], "extensions": { "code": "Code104" } } ], "data": { "licensing": { "licensingInfo": null } } } I've been scouting the documentation on specific troubleshooting steps but I couldn't seem to find the answers i'm looking for. Any chance some folks could give me a quick guide on how to ensure I get the right permissions for my API keys? This is the sample script i'm testing btw, it is to pull available licensing information for monitoring. API_KEY = os.getenv("CATO_API_KEY") API_URL = "https://api.catonetworks.com/api/v1/graphql2" QUERY = """ { licensing(accountId: <ID_HERE>) { licensingInfo { globalLicenseAllocations { ztnaUsers { total allocated available } } } } } """ async def main(): headers = { "x-api-key": API_KEY, "Content-Type": "application/json" } async with aiohttp.ClientSession(headers=headers) as session: async with session.post(API_URL, json={"query": QUERY}) as resp: print("HTTP", resp.status) print(json.dumps(await resp.json(), indent=4)) asyncio.run(main())API for Creating Users in CMA
We don’t have an IdP environment, so we need to manually provision a large number of users in CMA. I couldn’t find any API call in the API Reference that would allow us to do this. Is there an API that can be used to create/register users? I apologize if I have overlooked it in the documentation.
Regarding the execution interval of the Azure Functions template for Cato log integration
I'd like to confirm something about Azure Functions processing. ■Requirements - To forward Cato SASE logs to an Azure Log Analytics workspace, I'm using the following Cato log integration template. https://github.com/catonetworks/cato-sentinel-connect/tree/main -The Azure Functions specs are as follows: OS: Linux Plan: App Service Plan Size: P1v3 Type: Custom Handler Trigger: Timer trigger (30-second interval) The following logs are targeted for integration: -CommonSecurityLog Log size: Approximately 2.5-5MB per 30 seconds (300-600MB per hour) -CatoAuditEngine_CL Log size: Less than 0.01MB per 30 seconds ■Question I'm using a 30-second timer trigger, but the actual execution interval is 2 minutes. (The execution interval can be confirmed by counting the "Functions Execution Count" metric.) Please confirm the following three points. 1. Is the change in execution interval due to a large log volume? 2. What should I do to set the execution interval to 30 seconds? Would scaling up Azure Functions be effective? 3. Even if execution takes a long time, is the log integration being executed without any problems? Are there any logs being missed? Note that in the test environment (log volume per 30 seconds is less than 0.01MB for both tables), execution is performed every 30 seconds.
Terraform: IPsec site creation with Responder-only and destination type FQDN possible?
Hi, see subject. When trying to setup an ipsec site (IKEv2) in responder only mode and with destination type FQDN for primary and secondary tunnel, terraform (in fact opentofu), gives this error: │ Error: Cato API error in SiteAddIpsecIkeV2SiteTunnels │ │ with cato_ipsec_site.Vienna, │ on main.tf line 73, in resource "cato_ipsec_site" "Vienna": │ 73: resource "cato_ipsec_site" "Vienna" { │ │ {"networkErrors":{"code":422,"message":"Response body {\"errors\":[{\"message\":\"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId\",\"path\":[\"variable\",\"updateIpsecIkeV2SiteTunnelsInput\",\"primary\",\"tunnels\",0,\"tunnelId\"]}],\"data\":null}"},"graphqlErrors":[{"message":"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId","path":["variable","updateIpsecIkeV2SiteTunnelsInput","primary","tunnels",0,"tunnelId"]}]} ╵ That appears when adding the "tunnels" section. Without that section, a deployment if possible. Obviously, the tunnels section is required. --------------------snip-------------------- connection_mode = "RESPONDER_ONLY" identification_type = "IPV4" primary = { destination_type = "FQDN" tunnels = [ { public_site_ip = "10.10.10.10" psk = "abcABC1234567!!" //last_mile_bw = { //downstream = 10 //upstream = 10 } ] } ---------------snap------------------------------------- Is that supported with the terraform provider currently? Thanks, Christian
Cato Rapid7 SIEM API Integration
Followed the configuration steps in the links below, but laid an egg. I mean, the integration still isn’t working https://support.catonetworks.com/hc/en-us/articles/13975273800733-Cato-Data-Third-Party-Supported-Integrations https://docs.rapid7.com/insightidr/cato-networks/ I’ve opened tickets with both Cato and Rapid7 since each points to the other as the root cause. It’s turning into a real whodunit, fun and frustrating at the same time. If anyone has already solved this mystery, please share any insights.
Events Filtering
Good day, I had been trying to use the catocli to pull events based on destination IP addresses and it only return 1 event, while I can see multiple matching events within the same time frame in CATO portal. I wonder if anyone had come across similar problem and had found a solution to it json query { "eventsDimension": [ { "fieldName": "dest_ip" } ], "eventsFilter": [ { "fieldName": "dest_ip", "operator": "is", "values": "5******8" } ], "eventsMeasure": [ { "aggType": "any", "fieldName": "action" }, { "aggType": "any", "fieldName": "src_ip" }, { "aggType": "any", "fieldName": "src_port" }, { "aggType": "any", "fieldName": "subnet_name" }, { "aggType": "any", "fieldName": "dest_ip" }, { "aggType": "any", "fieldName": "dest_port" } ], "eventsSort": [ { "fieldName": "action", "order": "asc" } ], "timeFrame": "last.P14D" } catocli command catocli query eventsFeed "json input from variable column" Response { "data": { "events": { "from": "2025-12-09T09:00:00Z", "id": "*******", "records": [ { "fieldsMap": { "action": "Monitor", "dest_ip": "************", "dest_port": "****", "src_ip": "*******", "src_port": "*****", "subnet_name": "**********" }, "fieldsUnitTypes": [ "none", "none", "none", "none", "none", "none" ], "flatFields": [ [ "action", "Monitor" ], [ "dest_ip", "****************" ], [ "dest_port", "************" ], [ "src_ip", "**************" ], [ "src_port", "***********" ], [ "subnet_name", "***************" ] ], "prevTimeFrame": null, "trends": null } ], "to": "2025-12-23T10:00:00Z", "total": 1, "totals": { "action": "********", "dest_ip": *****, "dest_port": *****, "src_ip": "********", "src_port": ****, "subnet_name": "***********" } } } } If anyone have any ideas, do kindly share. Thanks vm.Has anyone successfully queried the auditFeed endpoint using the Cato API?
I’m trying to automate daily audit/change reporting from our Cato tenant by using the auditFeed GraphQL endpoint. I can successfully authenticate and run other queries (such as accountMetrics), but every valid auditFeed request results in the following error: { "errors": [ { "message": "internal server error", "path": ["auditFeed", "timeFrame"] } ], "data": { "auditFeed": null } } Here is the minimal reproducible query: Query query TestAuditFeed($accountIds: [ID!]!, $timeFrame: TimeFrame!) { auditFeed(accountIDs: $accountIds, timeFrame: $timeFrame) { from to fetchedCount hasMore marker accounts { id } } } Variables: { "accountIds": ["<my-account-id>"], "timeFrame": { "last": "P1D" } } This request passes schema validation but the resolver returns an internal error every time. Attempts with from/to, small windows, and other valid TimeFrame shapes produce the same error. Introspection (__type) is disabled for my tenant, so I cannot check field-level definitions. Question: Has anyone successfully used auditFeed in a production Cato tenant? If so, could you share a working query + variables example, or any insight on required schema structure or known limitations? Appreciate any help in validating that this will work or if there is some issue I am running up against. Thank you.
