Recent Content
Reporting the wrong category goes nowhere
As per https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page: "The Cato Security team regularly reviews reported wrong categories and validates that the content for the category is correct. When websites or applications belong to the wrong category, the Cato Security team updates the definition of the category." Not so much. I just went through the last two months of such reports (filter for "Sub-Type Is Misclassification" in the Events log) and found 31 such requests from our users - most were for perfectly legit sites that for some reason were categorized as "Porn". And they still are - every single one of them. If the Cato security team is indeed not reviewing these submissions as originally intended, it would be great if that was communicated so that we can remove that misleading reporting link and take care of the Brightcloud submissions ourselves.

Voices Behind the Stack: Nick and Jack of Redner’s
This month, we’re spotlighting two IT leaders who have been keeping a multi-location retail operation at the forefront of cybersecurity for over 20 years and doing it with unmatched clarity, curiosity, and consistency. Meet Nick Hidalgo (aka NickH), VP of IT, and Jack Senesap (aka JackSenesap), Director of Infrastructure and Security at Redner’s, a locally owned and family-oriented retail food company in the US. Their secret? A passion for unifying complexity, a love of visibility, and a belief that the right tools and the right people make all the difference. “We always know where our users are. We can deny access to things by default. That’s huge.” – Jack “It’s the first tool I look at in the morning. Everything’s in one place.” – Nick These two were early adopters of SASE from way back when it still sounded like just another buzzword. What changed their minds? Visibility. Simplicity. And the sense that this shift actually reduced complexity instead of adding more. They chose Cato Networks for its performance and security and stayed because it became a trusted part of how they work. “Now we have the resources to continue to improve.” Why these two stand out: They’re always pushing forward: from expanding their TLSi reporting to exploring orchestration and automation. They’re deeply curious about AI: not just how it can help, but how it might reshape their roles. They’re passionate about their industry and always looking for ways to do more. Off the clock? Nick is out on the lake or at the gym. Jack is tearing up the trails on his mountain bike or shooting hoops with a crew of all ages. And fun fact: Jack once won a car at a software user conference. (Seriously.) “Security never sleeps” Jack says, and hearing about everything he’s accomplishing at work, apparently neither does he. Huge thanks to Nick and Jack for their time, insights, and everything they do to keep their organization secure and forward-looking. 
For more Redner’s fun – check out this nifty customer story here.

TLS Inspection and RBI
Hello, I'm new to Cato Cloud and I don't understand the behavior of the Security feature... I have created a local SDP user and assigned it a license, and I'm able to connect to the tenant through the client. I've enabled the Internet Firewall, TLS inspection and RBI. Split tunneling is not enabled. I just wanted to test RBI, so all other internet traffic is blocked. But when I access https://rbicheck.com, which is an uncategorised website, sometimes the site isn't isolated at all like in the simulator: the automatic download is done and the certificate isn't replaced. And sometimes the website is blocked like any other website. I don't know if I'm missing something. I understood that the changes I make on the CMA take a few minutes to be acknowledged, and the logs aren't helping me... I would be very thankful if someone could help me.

Blocking iCloud Private Relay "nicely"
I would like to block "iCloud Private Relay" in such a way that the user would be notified and able to continue without iCloud Private Relay. Apple's recommended way to do this is to block DNS requests to mask.icloud.com and mask-h2.icloud.com so a "no error/no answer" or NXDOMAIN response is returned. This alerts the users that they either need to disable Private Relay or choose another network. Details are here: Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer. Is there a way to configure this using only Cato? I cannot see how to create a custom DNS rule to block specific queries, and I cannot see how to create a custom IPS rule either. Is there a recommended way to do this? What are others doing? I am in a Windows shop. I could redirect DNS queries to a Windows DNS server and use DNS query filtering, but would rather do a Cato-only solution if possible. Per Apple: "Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a 'no error no answer' response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices." The hostnames are mask.icloud.com and mask-h2.icloud.com.
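Whichever resolver ends up answering for the Private Relay hostnames (a Windows DNS server with query filtering, or anything else in the path), the Apple guidance quoted above can be checked from a client: the reply must be NXDOMAIN or NOERROR with zero answers, and a timeout is the failure mode to avoid. The script below is an added example, not code from this post, from Apple or from Cato. It builds a minimal DNS A query with the standard library, classifies a raw reply by its RCODE and answer count, and ships with constructed sample replies so the classifier can be exercised offline; `check_resolver()` takes the resolver address as a parameter (the `192.0.2.53` value in `__main__` is a documentation placeholder, not a real server).

```python
import socket
import struct

# The two hostnames Apple documents for Private Relay (from the post above).
PRIVATE_RELAY_HOSTS = ["mask.icloud.com", "mask-h2.icloud.com"]


def build_query(name, qid=0x1234, qtype=1):
    """Build a plain recursive-desired DNS query (qtype 1 = A) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_response(data):
    """Classify a raw DNS reply: NXDOMAIN, NO_ANSWER (NOERROR, 0 answers), ANSWERED, or OTHER."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0 and ancount == 0:
        return "NO_ANSWER"
    if rcode == 0:
        return "ANSWERED"
    return "OTHER"  # SERVFAIL, REFUSED, etc.: not what Apple recommends


def is_blocked_per_apple(data):
    """True when the reply matches Apple's recommended 'no error no answer' or NXDOMAIN."""
    return classify_response(data) in ("NXDOMAIN", "NO_ANSWER")


def check_resolver(resolver_ip, hosts=PRIVATE_RELAY_HOSTS, timeout=2.0):
    """Query a live resolver over UDP/53 and return {host: verdict}.

    'TIMEOUT' is the outcome Apple explicitly warns against (client-side delays).
    """
    results = {}
    for host in hosts:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(host), (resolver_ip, 53))
            data, _ = sock.recvfrom(512)
            results[host] = classify_response(data)
        except socket.timeout:
            results[host] = "TIMEOUT"
        finally:
            sock.close()
    return results


def make_reply(query, rcode, answer_ip=None):
    """Constructed sample reply for testing (not captured from any real resolver).

    Echoes the query id and question; optionally appends one A record pointing at
    the question name via the standard 0xC00C compression pointer.
    """
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, then the RCODE in the low nibble
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration on constructed replies.
    q = build_query("mask.icloud.com")
    for label, reply in [("NXDOMAIN", make_reply(q, 3)),
                         ("no answer", make_reply(q, 0)),
                         ("resolved", make_reply(q, 0, "198.51.100.7"))]:
        print(f"{label:10s} -> {classify_response(reply):10s} blocked_per_apple={is_blocked_per_apple(reply)}")
    # To test a real resolver, replace the placeholder address below:
    # print(check_resolver("192.0.2.53"))
```

Run it as-is to see the three constructed cases; to audit a deployed resolver from a client on the network, call `check_resolver()` with that resolver's address and confirm every host comes back as `NXDOMAIN` or `NO_ANSWER`, never `TIMEOUT` or `ANSWERED`.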
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment; Best practices we’ve seen across real-world environments; Your questions — seriously, bring them. Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live. Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session. See a question you like? Give it a “like” to help it rise to the top. Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant, Professional Services, Italy; Principal Consultant, Professional Services, USA. If you run into any issues, @mention me or email us at community@catonetworks.com

Cato Windows SDP Client - TCP443 only
I've got a support ticket in - and am working on this. But I figure I'll throw this out here too: I have an instance of needing Cato SDP Client access - and the vendor's security team is allowing tcp443, but not udp443 nor udp1337. I saw the following recently: https://support.catonetworks.com/hc/en-us/articles/360002577917-Client-TCP-Fallback-for-UDP-Tunnel I have tested this with my own laptop that already has a user and was previously connected. Blocking all ports except TCP443 outbound from my infrastructure for my laptop caused the client after about 90 seconds to connect, and only via TCP. Success! Installed a quick VM (Win 11, same Cato client version, fresh) and performed the same thing. Blocking all access except tcp443 (local DNS is still allowed, as well as ICMP outbound) and the client does not ever fail over as described in the article. Any thoughts? I figure there could be a hidden "registry setting" similar to what they have for changing the UDP ports in use by the client, but my searching has resulted in nothing. Additionally the support rep states they can force TCP at an account or site level, but that isn't what I need - I don't have sockets at these affected sites, just workstations on the internet (firewalled).

Local VLAN routing
I have configured multiple VLANs at a site. A client on VLAN A is unable to ping the VLAN B interface on the same socket. Decided to use the Local Firewall rules to allow Any Any between VLAN A and B but still unable to ping. Note: No issue with IP assignment and clients can ping their gateways. What could I be missing? Another question. From the KB, the default behavior for the Socket is to forward all traffic to the PoP for security inspection. My question is - what is the default policy on the PoP side if a LAN firewall rule is not configured?

Cato SDP Client - Always On / Prelogin questions
We are switching from another VPN solution and I have some questions about the always-on / pre-login features. Is there any way to see always-on or pre-login connections in the CMA? Do the pre-login sessions use machine credentials? Can we access the machines remotely during pre-login? Use cases / background: if we were working on an issue we could restart the machine and login again after the reboot. If the user had an issue we could remote to the machines, do an admin login and resolve issues. With our previous solution we could see the machine/device connections and IP information in the management console. We may be able to use TeamViewer remote access but I don't think you can allow pre-login destinations via FQDN. Basically, we would like to be able to see and manage our online devices even if they are not logged in. Do split tunnel exceptions work pre-login for something like TeamViewer?

The power of Smart SASE - Cato Remote Port Forwarding
Overview

If I interpret the latest comments on the SSE Gartner MQ '25 correctly, SASE is going to devour SSE soon. The use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA or steering hooks, let alone the publishers that are required to be hosted and maintained by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet with the following quick 3 steps.

How? Quick and easy 3 steps:

1. Check how many public IPs you are licensed for: Account > License > IPs
2. Assign an IP from the available Cato Public IPs for your preferred location: Network > Network Configuration > IP Allocation
3. Create an RPF rule using the IP you allocated in the last step: Security > Firewall > Remote Port Forwarding

The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature but it works based on my testing. Question before you consider this option: wouldn't you rather use WAN firewall rules to control the same, instead of having the internal users access this resource using a public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites.

Best Practices around RPF

- Tightly control the rule by limiting access to source IPs.
- If you see an exclamation mark like the one in the first rule in the screenshot, take action!
- Host your critical servers behind DDoS/WAF protection if you must allow 0/0.
- RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic, using an Internet Type Network rule with higher priority, P8 for example).

References

- https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account
- https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF
- https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic
- https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic