Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
How to Uninstall Windows Cato SDP Client Remotely?
Use case: Although manual uninstall may not be required frequently, there may be instance where you have a user with corrupt installation and you must uninstall remotely. Another typical use case I cam across recently - your company self service portal (e.g. Intune or Kandji) has a different version than what is installed on the user device and now you want to downgrade the client. In order to downgrade you will need to uninstall the existing installation first. You can do this using a simple command. Prerequisite: Admin privilege on the system How To? Launch command prompt using privileged mode (run as admin) and then issue following command [screenshot example on Windows 11 attached] or simply execute this command remotely to the system: \Windows\System32\wmic product where name=“Cato Client" call uninstall Corrupt installation that persists after boot? From time to time support may advise doing a clean install. Here is what you would do for a more elaborate clean removal of the SDP client for reinstall- Uninstall CATO Client by following the Article How To Uninstall the Windows Client, when uninstalling the CATO Client, kindly delete the cache contents located at "C:\Users\User\AppData\Local\CatoNetworks\Cache" Go to Control Panel > Network and Internet -> Network Connections Ensure that all CATO Adapters and Local Area Connection adapter ( WinTun Userspace Adater) have been removed, if they still exist, manually delete them (disabling them alone will not help).
Cato Device Posture Profile problems.. What are others using?
We've been working for several weeks to setup our Device Posture Profiles (DPPs) to be used as a way to block/allow access to certain resources. Our goal was to have the Cato client check to see if the following processes were running: Microsoft Intune MDM (for Windows and Macs) Microsoft Defender ATP (for Windows and Macs) We've found all sorts of inconsistencies and problems when applying these DPPs. Many times the Cato client won't realize the process are running (even thought they are). It will detect one of the processes but not the other sometimes. Sometimes it will work after users reboot and connect to Cato other times it won't. We are confused how often the Cato client checks for the postures . We have the "Enable Advance Posture Checks" option set to 5min, but see different behavior when machines come out of Sleep mode, etc. So now we are thinking it's asking too much of the Cato client to verify Defender and Intune are actually running , So we may have to settle for verifying if they are simply "installed" on the machine (via registry entry possibly)? We would like to hear how other companies are using the Device Posture Profiles/Checks to add security to their user's access. I'm guessing most companies are just putting a Cert on the machines and looking for that to allow access to Cato? Any suggestions would be appreciated.URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful.Cato Connect Event: AMA with Professional Services - November 2025
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners. We're doing things a little differently this time: First of all, we'll be honing in on specifics around CASB and TLSi, we will even have a short demo at the beginning to help you start using, or get the most out of, your investment. (We'll still take general questions from the audience) The other change is that this time, we're offering ~*options*~ Join us on: November 4th, 2025 at 3pm HKT or November 6th, 2025 at 11am EST During this live AMAs with members of our talented Professional Services team we’ll cover topics like: The latest versions of TLSi and CASB Best practices we’ve seen across real-world environments Your questions... seriously, bring them Here’s how to get the most out of it: Register for the November 4th or November 6th meetings and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Steven Wong Professional Services Engineer Kushtrim Kelmendi Principal Consultant Professional Services, EMEA Martin Guerrero Commercial Sales Engineer If you run into any issues, @mention me or email us at community@catonetworks.com
Windows CA with Cato for Device Posture Check
I’m looking for guidance on configuring a Windows CA to issue and validate RSA certificates for device posture verification in Cato. Has anyone implemented this integration?What’s the best approach for certificate management? Should we use self-signed certificates or purchase individual device certificates from DigiCert or another vendor? If anyone has implemented this, please share the pros and cons.
Need help with prelogin Intune deployment
Hello, I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. We are deploying devices from intune using the enrollment status page. So it gets deployed to them, they turn it on and it autopilots from there. The cato sdp client is being deployed with patchmypc and has a script in place with that for the required registry keys. The certificates are being deployed inside of a win32 intune win file with a script to install the certificate. Script for the certificate: yes it is password protected pfx file. (We do not have a certificate authority. (This did work for prelogin on my device.) Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My All of this was successfully installed, what could I be missing? The certificate is an SSL certificate and I confirmed that it worked prior to the autopilot on my personal work computer without autopiloting it. DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SETUP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL. Thanks,AI for firewall rules?
I would have expected the Cato AI Assistant to be able to answer relatively simple questions in the account context like "does user x have access to the configured host y over HTTPS" - but that does not appear to be the case. Is the MCP server be able to manage such What-If queries?
Spotify web unable to play music
Hi, We are new to Cato. One issue I just discovered is with the SDP client running and connected to Cato cloud, if I try to play something on Spotify via the web browser, I get error "Spotify can't play this right now". I have tried various browsers, incognito, etc. When I disable the Cato SDP client, refresh the page, then hit the play button, it works. If I enable SDP client, refresh the page, then hit play, it's broken again with the same error above. I can see the Spotify traffic events in Cato CMA. Some events show TCP, TLS and HTTPs. Other events show UDP and QUIC. The action shows 'monitor', so why would this be blocked and prevent music from playing? There may be other apps that are blocked, which we need to make exceptions for, so some advice about troubleshooting this, or making exceptions would be much appreciated. Thanks!Minimize the Windows ZTNA client when it starts
Have you ever wanted to minimize the windows ZTNA client when it start up? Just add a registry key under: Path: HKEY_CURRENT_USER\Software\CatoNetworksVPN Key: start_minimized Value: 1 (DWORD) Restart the service CatoNetworksVPNService and the setting will be applied. That's it! Enjoy!
