Recent Discussions
Terraform: IPsec site creation with Responder-only and destination type FQDN possible?
Hi, see subject. When trying to setup an ipsec site (IKEv2) in responder only mode and with destination type FQDN for primary and secondary tunnel, terraform (in fact opentofu), gives this error: │ Error: Cato API error in SiteAddIpsecIkeV2SiteTunnels │ │ with cato_ipsec_site.Vienna, │ on main.tf line 73, in resource "cato_ipsec_site" "Vienna": │ 73: resource "cato_ipsec_site" "Vienna" { │ │ {"networkErrors":{"code":422,"message":"Response body {\"errors\":[{\"message\":\"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId\",\"path\":[\"variable\",\"updateIpsecIkeV2SiteTunnelsInput\",\"primary\",\"tunnels\",0,\"tunnelId\"]}],\"data\":null}"},"graphqlErrors":[{"message":"input: │ variable.updateIpsecIkeV2SiteTunnelsInput.primary.tunnels[0].tunnelId is not a valid │ IPSecV2InterfaceId","path":["variable","updateIpsecIkeV2SiteTunnelsInput","primary","tunnels",0,"tunnelId"]}]} ╵ That appears when adding the "tunnels" section. Without that section, a deployment if possible. Obviously, the tunnels section is required. --------------------snip-------------------- connection_mode = "RESPONDER_ONLY" identification_type = "IPV4" primary = { destination_type = "FQDN" tunnels = [ { public_site_ip = "10.10.10.10" psk = "abcABC1234567!!" //last_mile_bw = { //downstream = 10 //upstream = 10 } ] } ---------------snap------------------------------------- Is that supported with the terraform provider currently? Thanks, Christian
Regarding the execution interval of the Azure Functions template for Cato log integration
I'd like to confirm something about Azure Functions processing. ■Requirements - To forward Cato SASE logs to an Azure Log Analytics workspace, I'm using the following Cato log integration template. https://github.com/catonetworks/cato-sentinel-connect/tree/main -The Azure Functions specs are as follows: OS: Linux Plan: App Service Plan Size: P1v3 Type: Custom Handler Trigger: Timer trigger (30-second interval) The following logs are targeted for integration: -CommonSecurityLog Log size: Approximately 2.5-5MB per 30 seconds (300-600MB per hour) -CatoAuditEngine_CL Log size: Less than 0.01MB per 30 seconds ■Question I'm using a 30-second timer trigger, but the actual execution interval is 2 minutes. (The execution interval can be confirmed by counting the "Functions Execution Count" metric.) Please confirm the following three points. 1. Is the change in execution interval due to a large log volume? 2. What should I do to set the execution interval to 30 seconds? Would scaling up Azure Functions be effective? 3. Even if execution takes a long time, is the log integration being executed without any problems? Are there any logs being missed? Note that in the test environment (log volume per 30 seconds is less than 0.01MB for both tables), execution is performed every 30 seconds.
Cato Rapid7 SIEM API Integration
Followed the configuration steps in the links below, but laid an egg. I mean, the integration still isn’t working https://support.catonetworks.com/hc/en-us/articles/13975273800733-Cato-Data-Third-Party-Supported-Integrations https://docs.rapid7.com/insightidr/cato-networks/ I’ve opened tickets with both Cato and Rapid7 since each points to the other as the root cause. It’s turning into a real whodunit, fun and frustrating at the same time. If anyone has already solved this mystery, please share any insights.
Events Filtering
Good day, I had been trying to use the catocli to pull events based on destination IP addresses and it only return 1 event, while I can see multiple matching events within the same time frame in CATO portal. I wonder if anyone had come across similar problem and had found a solution to it json query { "eventsDimension": [ { "fieldName": "dest_ip" } ], "eventsFilter": [ { "fieldName": "dest_ip", "operator": "is", "values": "5******8" } ], "eventsMeasure": [ { "aggType": "any", "fieldName": "action" }, { "aggType": "any", "fieldName": "src_ip" }, { "aggType": "any", "fieldName": "src_port" }, { "aggType": "any", "fieldName": "subnet_name" }, { "aggType": "any", "fieldName": "dest_ip" }, { "aggType": "any", "fieldName": "dest_port" } ], "eventsSort": [ { "fieldName": "action", "order": "asc" } ], "timeFrame": "last.P14D" } catocli command catocli query eventsFeed "json input from variable column" Response { "data": { "events": { "from": "2025-12-09T09:00:00Z", "id": "*******", "records": [ { "fieldsMap": { "action": "Monitor", "dest_ip": "************", "dest_port": "****", "src_ip": "*******", "src_port": "*****", "subnet_name": "**********" }, "fieldsUnitTypes": [ "none", "none", "none", "none", "none", "none" ], "flatFields": [ [ "action", "Monitor" ], [ "dest_ip", "****************" ], [ "dest_port", "************" ], [ "src_ip", "**************" ], [ "src_port", "***********" ], [ "subnet_name", "***************" ] ], "prevTimeFrame": null, "trends": null } ], "to": "2025-12-23T10:00:00Z", "total": 1, "totals": { "action": "********", "dest_ip": *****, "dest_port": *****, "src_ip": "********", "src_port": ****, "subnet_name": "***********" } } } } If anyone have any ideas, do kindly share. Thanks vm.Has anyone successfully queried the auditFeed endpoint using the Cato API?
I’m trying to automate daily audit/change reporting from our Cato tenant by using the auditFeed GraphQL endpoint. I can successfully authenticate and run other queries (such as accountMetrics), but every valid auditFeed request results in the following error: { "errors": [ { "message": "internal server error", "path": ["auditFeed", "timeFrame"] } ], "data": { "auditFeed": null } } Here is the minimal reproducible query: Query query TestAuditFeed($accountIds: [ID!]!, $timeFrame: TimeFrame!) { auditFeed(accountIDs: $accountIds, timeFrame: $timeFrame) { from to fetchedCount hasMore marker accounts { id } } } Variables: { "accountIds": ["<my-account-id>"], "timeFrame": { "last": "P1D" } } This request passes schema validation but the resolver returns an internal error every time. Attempts with from/to, small windows, and other valid TimeFrame shapes produce the same error. Introspection (__type) is disabled for my tenant, so I cannot check field-level definitions. Question: Has anyone successfully used auditFeed in a production Cato tenant? If so, could you share a working query + variables example, or any insight on required schema structure or known limitations? Appreciate any help in validating that this will work or if there is some issue I am running up against. Thank you.Creating NAT Rules
Hi, I’m trying to figure out if it’s possible to create or update NAT Policy Rules for a site using the Cato GraphQL API. I’m using the siteUpdate mutation to modify the natPolicyRules field (adding DNAT rules), but I keep getting a "permission denied" (Code104) error even though my API key should have the right permissions. Just to clarify, the rules I want to create are in: Network → Sites → [Selected Site] → Routing → NAT Before I go any further, can someone confirm : Is it actually possible to create/modify NAT rules via the GraphQL API ? Is siteUpdate the right mutation for this ? I have about 300 DNAT rules to create, so doing it manually in the UI would be pretty painful. Thanks !
