Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Seamless SSO with External vs. Embedded Browser – Conditional Access & Compliance Issues
Hi Community, I'm currently testing Seamless SSO with Cato and ran into an issue that I’d appreciate some input on. When using an external browser for authentication, Conditional Access (CA) policies work as expected, and compliant devices are recognized. However, when trying to authenticate via the embedded browser, the device fails to report compliance, which leads to failed Conditional Access checks. My questions are: Is Seamless SSO currently supported when using the external browser flow with full Conditional Access and device compliance evaluation? Is there any official support or workaround for enabling embedded browser authentication with Conditional Access and device compliance checks? For example, is there any roadmap item or setting that might allow the embedded browser to pass device compliance state? I’ve reviewed the official SSO guide, but it doesn’t address this specific scenario. Thanks in advance for any insights or guidance!
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.comPolicy Rule Not Hitting When Destination is Set to 'Any' – Expected Behavior?
Hi all, I ran into a situation with a security policy in Cato and would like to hear if anyone else has experienced something similar. Here is the scenario: I created a policy where the source site is set to "Site A", the destination is set to "Any", and the application is defined as a specific IP address, for example 192.168.1.1. In this setup, the rule does not match and traffic is not allowed as expected. However, when I change the destination from "Any" to the specific site where 192.168.1.1 is located, the rule starts working correctly and the traffic is matched. My questions: Is this expected behavior in Cato? Does using "Any" as the destination somehow prevent matching traffic to a specific internal IP? Is there something else I might be missing? Appreciate any insights or experiences. Thanks!The power of Smart SASE - Cato Remote Port Forwarding
Overview If I interpret the latest comments on SSE Gartner MQ '25, SASE is going to devour the SSE soon. Use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA hooks let alone the publishers that are required to be hosted and maintanined by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet. How? Quick and easy 3 steps: Check how many public IP’s you are licensed for Account > License > IP's Assign an IP from the available Cato Public IP’s for your preferred location Network > Network Configuration > IP Allocation Create RPF rule using the IP you allocated in last step Security> Firewall > Remote Port Forwarding The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature but it works based on my testing. Question before you consider this option: Wouldn't you rather use WAN firewall rules though to control the same though instead of having the internal users to access this resource using public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites. Best Practices around RPF Tightly control the rule by limiting access to source IP’s. If you see exclamation mark like the one in the first rule in the screenshot, take an action! Host your critical servers behind DDoS/WAF protection if you must allow 0/0. RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic using an Internet Type Network rule with higher priority, P8 for example) References https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic
CATO always on
Hi, I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA. We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client? Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that? Thanks!Hey Siri.... Find me these Cato events....... AI Powered Natural Language Search.
Imagine as a SASE admin (already busy hunting critical threats and protecting your org from on-prem and cloud threats) how much you would hate if you have to write complex queries for simple searches? No one more Yet another query language please! But this is how our competitors did it by making you learn their syntax and their version of Regex to find events. For a simple search to find all traffic to 'google' and 'microsoft' or all phishing URLs why does it have to be so difficult? We took a radically innovative approach to finding results- very close to Apple's 'Hey Siri'! We have now made it even better with our innovative AI powered Natural Language Search feature. Simply click the magnifying glass on far right and write your queries in your own words. Sure you can use our filters and presets (check out my previous article on custom presets) but cool yeh? Where: Event Monitoring > Far right magnifying glass (note the far right magnifying glass icon in the screenshot on the top) NLS ability is now extended to Audit Logs as well! [If it isn't already, contact your Cato Networks representative if you would like this feature enabled in your account] Key Features of AI powered NLS: Uses everyday language to find relevant data Translates natural language queries into specific filters Automatically formats table results to show relevant columns Example Queries Show me all RDP blocked traffic Show me all DNS traffic Show me Internet firewall security events from phishing category URLs Show recent security incidents and alerts related to application vulnerabilities Show me security alerts where data was sent from computer 10.0.0.1 to 10.0.0.2 Power of Cato powered networks! Explore more: https://support.catonetworks.com/hc/en-us/articles/21585563225757-Filtering-Events-with-Natural-Language-Search PS: 'Hey Siri' or other products mentioned here are trademarks of Apple or their respective vendors.
Updating resource group names
I have noticed that if I go to Resources > Groups and change a group's name, that changed group name does not reflect in any firewall rules that reference that group. For instance, I create a group named group_1. I create an Internet Firewall rule with group_1 as the source. If I go back to and change the name of the group to group_one, the group name group_1 is still listed as the source in the Internet Firewall rule (it seems like it should update to group_one when he group's name is changed). If I change a group name that is referenced in a firewall rule, do I need to manually update the group reference in the firewall rule? If not, how long does it usually take for a firewall rule to update it's group name if the group name changes?
