Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
How to Uninstall Windows Cato SDP Client Remotely?
Use case: Manual uninstall is only required occasionally. You as an IT desktop admin want to uninstall Cato SDP Client remotely. A typical use case is if your company portal has a different version than what is installed on the user device. Cato client would auto upgrade to higher version. In order to downgrade you will need to uninstall the existing installation first. Prerequisite: Admin privilege on the system you are uninstalling the client on How To? Launch command prompt using privileged mode and then issue following command [screenshot example on Windows 11 attached] or simply execute this command remotely to the system: \Windows\System32\wmic product where name=“Cato Client" call uninstallTomorrow: Discover How to Cover GenAI and SaaS Blindspots
Join us tomorrow for an interactive webinar about implementing CASB across verticals like finance, healthcare & manufacturing. In this special session, we’ll introduce the proprietary-developed Safe TLSi, which enables deep inspection without operational friction. Sign up and find out how to use Cato’s CASB to protect from SaaS and GenAI risks and regain control and visibility. Register here
Tenant Restriction for Box
Hi Community, I would like to use the tenant restriction feature in CASB to limit Box access to specific tenants. https://support.catonetworks.com/hc/en-us/articles/24373653275165-Managing-Tenant-Restrictions-for-SaaS-Apps After checking Box's public documentation, I could not find information on the parameters to insert into the HTTP headers. Are there anyone using tenant restrictions for Box?
Post Quantum Cryptography?
The PQC topic is increasingly being raised - what is the current Cato Networks stance on it? My searches only come up with a rather dismissive blog article from last year (https://www.catonetworks.com/blog/is-recent-quantum-hype-by-google-willows-chip-a-threat-to-rsa-algorithm) while competing vendors (that shall be unnamed) are seemingly taking a very aggressive approach - both for preparing to implement these algorithmes into their products as well as being able to detect/block the use of such protocols currently.
Blocking icloud private relay "nicely"
I would like to block "icloud private relay" in such a way that the user would be notified and able to continue without icloud private relay. Apple's recommended way to do this is to block DNS requests to mask.icloud.com and mask-h2.icloud.com so a "no error/no answer" or NXDOMAIN response is returned. This alerts the users that they either need to disable private relay or choose another network. Details are here: Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer Is there a way to configure this using only Cato? I cannot see how to create a custom DNS rule to block specific queries, and I cannot see how to create a custom IPS rule either. Is there a recommended way to do this? What are others doing? I am in a Windows shop. I could redirect DNS queries to a Windows DNS server and use DNS query filtering, but would rather do a Cato only solution if possible. Per Apple: Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com
Endpoint Device DNS Resolution
When Cato is handling DHCP and DNS for all devices within an account across multiple vlans, across multiple sites, is it possible for a device to resolve the IP of a hostname outside of the local subnet that the device is on, using Cato DNS to resolve the hostname? We historically have had on-prem Windows AD providing DHCP/DNS which reliably provided name resolution from hostname to IP, but also reverse DNS for IP back to hostname. We are moving to Entra ID/Intune+Auto Pilot managed devices with the outlook to retire our on-prem servers entirely. We have various use cases where we need to resolve a hostname to have the IP returned, but also for the IP to resolve back to hostname via reverse DNS. This has become difficult for Entra ID managed devices unless the device is on the same local subnet where the site switch manages the resolution via the local mac table. Is mDNS the right approach and where I should focus my attention or is there an alternative I should consider? As is looks like mDNS is restricted to vlans within the same site, it may not work in our scenario where we need to resolve across sites. Any advice or recommendations are greatly appreciated.Need help with prelogin Intune deployment
Hello, I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. We are deploying devices from intune using the enrollment status page. So it gets deployed to them, they turn it on and it autopilots from there. The cato sdp client is being deployed with patchmypc and has a script in place with that for the required registry keys. The certificates are being deployed inside of a win32 intune win file with a script to install the certificate. Script for the certificate: yes it is password protected pfx file. (We do not have a certificate authority. (This did work for prelogin on my device.) Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My All of this was successfully installed, what could I be missing? The certificate is an SSL certificate and I confirmed that it worked prior to the autopilot on my personal work computer without autopiloting it. DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SETUP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL. Thanks,
