Recent Content
Can't Export Dashboards?... Export button grayed out?
Issue: -I have editor permission under Networks and Access rows, yet I can’t export the sites or SDP users into CSV. -Export button is grayed out. Background: Cato CMA (Cato Management Application) has extensive RBAC (role-based access control) permissions. Since we introduced RBAC set of permissions have continued to be more granular in terms of what the admins can limit under various sections of the CMA. Some of the permissions may have evolved. This is one I ran into most recently that I thought would be worth sharing. How to: If you are running into this issue enable the Edit permissions under the Monitoring for the element tied to the dashboard you are trying to export. E.g. SDP User dashboard Where? Administration > Roles & Permissions
Cato SDP Client to be auto intelligent to login instead of manual logging
I have recently migrated from Netskope to Cato Networks. One issue we have noticed is that users need to login once to Cato SDP client and then "Always-on policy" gets enabled. But users are smart, they don't login to SDP client itself as many sites gets blocked as per policy which they don't want so they don't login once also to SDP client thus making us non-compliant as absence of SDP client makes them vulnerable as they can browse malicious sites as well as can upload company data on public sites which typically gets blocked when connected over SDP client. In Netskope, we just had to push agents to the laptop and no user intervention was required, it automatically detects logged in user credentials so there was no scope for user to not login or bypass security controls. Can't we make zero touch experience for user so that there is no room for escape or delay as now we are totally dependent on user.Hey Siri.... Find me these Cato events....... AI Powered Natural Language Search.
Imagine as a SASE admin (already busy hunting critical threats and protecting your org from on-prem and cloud threats) how much you would hate if you have to write complex queries for simple searches? No one more Yet another query language please! But this is how our competitors did it by making you learn their syntax and their version of Regex to find events. For a simple search to find all traffic to 'google' and 'microsoft' or all phishing URLs why does it have to be so difficult? We took a radically innovative approach to finding results. Very close to Apple's 'Hey Siri'! Sure you can use our filters and presets (check out my previous article on custom presets). We have now made it even better with our innovative AI powered Natural Language Search feature. Simply click the magnifying glass on far right and write your queries in your own words. How to: Event Monitoring > Far right magnifying glass (note the far right icon in the screenshot next to #1) NLS ability will is now extended to Audit Logs as well! This feature is currently in beta. [Contact your Cato Networks representative if you would like this feature enabled in your account] Key Features of AI powered NLS: Uses everyday language to find relevant data Translates natural language queries into specific filters Automatically formats table results to show relevant columns Example Queries Show me all RDP blocked traffic Show me all DNS traffic Show me Internet firewall security events from phishing category URLs Show recent security incidents and alerts related to application vulnerabilities Show me security alerts where data was sent from computer 10.0.0.1 to 10.0.0.2 Power of Cato powered networks! Explore more: https://support.catonetworks.com/hc/en-us/articles/21585563225757-Filtering-Events-with-Natural-Language-SearchURL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? In firewall rules by domain you do not need to specify the subdomains. Unlike firewall rules (where subdomains covered if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk), category over-ride from CMA for an FQDNs applies just to the FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful.CASB Tech Hour Q&A
Yesterday, we hosted a live Tech Hour focused on CASB, and it sparked some fantastic discussions. A big thank you to everyone who joined and contributed questions! We've compiled the full Q&A from the session: Will we be getting this recording post this webinar? Yes, the recording will soon be available in this link. You can find all live sessions recordings in Cato Academy > Live Sessions. In application Control do we still get alerts for Sanctioned App if they have risk rating is 6 or higher? Can we setup on such way that sanctioned App will not be notified? Getting alerts in the Cato Management Application is fully customizable so you can decide whether you get alerts or not for specific applications on given risk score and other parameters. In Experience Monitoring we have good data for device and network performance however is there option to export the data ? Today we have a few methods to get the data via reports or API. Export to CSV buttons are on our roadmap and will be added soon. We know CASB requires TLS inspection to be enabled. What if the business bypasses TLS inspection on Microsoft services (apps/networks/IPs), how can we still control the tenant and personal instances of Microsoft services or is this not possible anymore with TLS bypassed? With TLS inspection set to bypass Microsoft services, inline CASB controls will be somewhat limited and tenant control will not be available. Is access to GenAI apps controlled by Sanctioned/Unsanctioned feature or are there other policies that control access specifically to GenAI apps? GenAI apps are controlled by the application and data controls policies in the system. Sanctioned / Unsactioned labeling can be used as an attribute in those policies We don't have the GenAI view. Do we have to set up a rule before hand to get that to show or enable something else? The GenAI dashboard requires CASB license, onces that’s enabled, the default CASB policies automatically start collecting application and activity usage and populates the dashboards with insights I always feel like sanctioned/unsanctioned is counter intuitive to your Zero Trust movement. I don't trust any app, whether it's MS or ServiceNow or ChatGPT. Therefore, I don't sanction any app. I understand the administration advantages but choose not to do it. While this is a valid approach that can be easily configured through CMA, we see many customers labeling SaaS apps and setting up rules according to these principles. To clarify my understanding - the CASB license provides in-line app activity and data protection controls and API SaaS monitoring - and if you want to enforce and data protection policies for SaaS API - that is an additional license? Is that correct? SaaS Data Protection via API requires the “SaaS Security API” license I had a new customer get a popup in Outlook saying "This message includes one or more recipients who aren't authorized to receive sensitive information". They do not have sensitivity labels configured, but they do have the O365 connector setup. Did this come from our CASB engine? If so, how? Follow up with a support ticket as I’m lacking specific information and reproduction steps. Thanks! Can automatic alerts be generated when there is abnormal activity? Abnormal activity is detected using Cato’s XDR engine How is Cato handling HTTP/3 (QUIC) encrypted communications and HTTP/2 SaaS apps that use certificate pinning and thus require TLS decryption exceptions for end users to use them? Cato recommends blocking QUIC to force the session to fallback. Applications that use cert pinning are being analyzed and bypassed by Cato security team. More information can be found here. Under "Applications" in this Cloud Activities dashboard, I can see 2 download activities, but when I click on it, nothing happens. How can I drill in more to see WHO performed those activities? You can hover the application name and either add it as a filter to the dashboard or see them in the events discovery tab As of now, my understanding is that the Data Protection API does not support automatic deletion or blocking of files that violate policies. Are there any plans to expand the range of enforcement actions available in the future? Cato API Data protection support remediation actions like Quarentine and Remove Shares. We are constantly adding additional controls and applications. Currently we are working on adding data protection API for ChatGPT. Data Protection API, requires configuring a connector and defining policy rules. Without getting into app-specific differences, we can automatically remove share or move files to quarantine in case they match configured rules (i.e user action that violates AM/DLP policy) CASB licensing is bandwidth-based? How does this work for SDP users? It is bandwidth based, there is a BW model and an SDP model. We’ll be more than happy to follow up on this to provide more details Many SaaS apps, including popular services from Microsoft, Google, Apple, etc all use certificate pinning and require TLS Decryption Exceptions be put in place for their sites to work. This negates the visibility needed to make informated decisions on end user traffic. Reposting the question a different way to hopefully get some clarification. Palo Alto has not solved this problem either. Native applications who use cert pinning are not inspect-able hence inline inspection will not work (Cato bypasses them). To gain visibility into them, API connectors are the way to go Is there a demo environment for partners to use? Yes, the MSASE_demo account is the Partners demo environment Does Integrated Apps require SaaS API license or does it work with just CASB? Just CASB license The GenAI report available now. Will it have more data with the CASB license? Yes, the CASB license will populate the report with all of the granular activities and data sources Under Security > Cloud Activities > we notice there are files being uploaded to specific Applications. is it possible to view those files being uploaded to each application for DLP purposes? That will require setting up a data control rule for content inspection. This will provide the visibility you are looking for. Can we go setup DLP rule in application control Rule? The app and data control page incorporates the CASB/DLP and File control rules In regards to Data Protection Profiles, how are we to identify false positives? For example, if there is a rule that blocks upload of credit card numbers to SalesForce and there is a hit on the rule, how can we determine if this is a legitimate detection or a false positive? Currently this requires checking the file that triggered the policy. We are working on adding forensics snippets from the matched content into the event for FP analysis. Doesn’t the user just have to login to chatgpt with his corp email address to by pass this rule? No, this level of control is deeper that identifying the login activity and as the tenant is extracted from the HTTP headers and compared to the policy Can the client alert be disabled for given rules? Currently not, it appears for all CASB/DLP hits. This is on our roadmap for later this year He can still use a corp email address for a free account in chatgpt Yes, but you can still configure a rule to block sensitive data and monitor that activity I have a question regarding how DLP behaves. My understanding is that the DLP scan supports files up to 20MB in size. If a file larger than 20MB is sent, does the DLP engine scan up to 20MB of the file before triggering a fail action? Or is the file immediately treated as a failure without any scanning due to exceeding the size limit? The file will be scanned up to 20mb So basically we setup DLP rule in CATO by creating Data Control Rule right? You got it right Question, do you have a best practice to setup CASB and DLP? Yes, you can refer to Cato's Default Recommended CASB/DLP Policy.Does Cato perform application identification based solely on ports?
We'd like to understand how deep Cato's application awareness goes. For example: If someone establishes an SSH connection over a non-standard port (e.g., TCP 222), would it still be recognized as SSH? If we block "SSH" as a service, could a user bypass this by using a custom port? Does blocking SMTP also cover traffic not using the default ports (25, 465, 587)? To allow SSH only over port 22, what would be the correct rule setup? We’re aiming for precise control similar to App-ID behavio.
App catalog categorizations?
"Resources > App catalog" -view lists all the built-in apps, but what are the "rules" that make up an app? For example, what criteria is used to categorize an app as "Amazon AWS"? URLs? IP ranges? In our PoC we used "Atlassian JIRA and Confluence" in a network rule, but found that the rule does not work, when using a custom FQDN, such as customer.atlassian.net.How can I ping or perform health checks on the Cato Socket's WAN interface from the public internet?
We’d like to monitor WAN availability externally (e.g., via public ping or other health check methods). Is there a supported way to reach and test the Socket’s WAN interface from outside the Cato network?How can I route internet-bound traffic from our China-based sites to exit outside of China?
By default, internet traffic from our China locations seems to egress via the local China PoPs. However, we would like to force the egress through a non-China PoP instead. Is there a recommended configuration or best practice within Cato to achieve this? Or is this not possible due the Agreement with China?
