Discussions
Discussions and questions regarding Cato Networks and SASE
Best Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect?

When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain (e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though!

Category over-ride from CMA for a domain / FQDN applies just to that domain or FQDN. Each subdomain must be specified with its own FQDN. E.g. over-riding the category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com

Hope you find this helpful.

Thanks Nath, based on your comment I have added the following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic.
https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps

Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374164Views3likes2Comments

IPSEC with Azure Gateway
Issue: Intermittent IPSEC SA disconnects; packet loss; TLSi disabled.

Symptoms: Timeline shows 'unable to decrypt' packets intermittently, resulting in asymmetric traffic. TLS Inspection shows disabled intermittently on CMA events. Intermittently, the session with a server / host behind the IPSec Azure gateway is lost. Correspondingly, the IPSec Timeline shows the following in the logs:
Unable to decrypt packet - ignoring
Error parsing or unsupported parameters in an incoming packet

Environment: IPSec tunnel with Azure Gateway, GCM used as encryption, and Phase 1 timers are such that Azure is the initiator for rekeying.

The larger picture - While using GCM and IKE timers set to default / matching values [3600sec (p1) and 28800sec (p2)]. This issue is observed whenever the Azure gateway is the initiator of the IKE Phase1 tunnel. Cato receives a malformed packet from Azure that Cato is unable to decrypt. A corresponding message is seen in the IPsec Timeline (Timeline message shown above). Refer to the articles below on where to find timelines and pcaps in the CMA.

Whenever you see a similar symptom, the recommendation is to have the P1 lifetime on Cato as the default of 19800sec (5.5 hrs), i.e. lower than the Azure default of 28800 sec (8 hrs). This will ensure that Cato is always the initiator of the tunnel's P1 rekey. Another workaround is to use an encryption algorithm other than GCM.

Our IPSec has been implemented by some of our largest customers with 100+ sites across the globe and proven to be compatible with industry standard SDWAN vendors. The issue is not seen with just Cato as peer. From lab tests it was confirmed that this behavior is the same with Juniper SRX or Fortinet as a peer device with the Azure IPSec gateway. Cato maintains its own IPSEC suite built from scratch, compliant with IKE standards.

Reference articles:
Did you know? - IPSEC Timelines and PCAP | Cato Connect
https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site
https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites
https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2
https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting
https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-Connectivity

33Views0likes0Comments

Did you know? - IPSEC Timelines and PCAP
Unlike most other competitors we have this awesome tool available from CMA - With other vendors you would have to log in to a CLI shell, elevate and run some intrusive tcpdumps. It makes IPsec troubleshooting far easier. PCAPs and Timelines are available in the CMA next to the IPSEC configuration page.

Networks > Sites > IPSec > Primary

19Views0likes0Comments

Uptime for Wan Interface
I need a way to report on over 100 Sites, just the wan uptime. Is there a way to do that? I have to provide management an idea of uptime percentage on just the wan Uptime. Thank you. I was disappointed to find there was not a report that could do this.

157Views1like6Comments

Visit website with error (HTTP Version Not Supported) with Cato
HTTP Version Not Supported
Your client is using HTTP version 1.1, which is not supported. This service requires HTTP/2. Please update your client or contact support

Reply from Cato Support: I have confirmed internally that HTTP/2 is not supported yet.

35Views0likes2Comments

How to Uninstall Windows Cato SDP Client Remotely?
Use case: Although manual uninstall may not be required frequently, there may be instances where you have a user with a corrupt installation and you must uninstall remotely. Another typical use case I came across recently - your company self service portal (e.g. Intune or Kandji) has a different version than what is installed on the user device and now you want to downgrade the client. In order to downgrade you will need to uninstall the existing installation first. You can do this using a simple command.

Prerequisite: Admin privilege on the system

How To? Launch command prompt using privileged mode (run as admin) and then issue the following command [screenshot example on Windows 11 attached] or simply execute this command remotely to the system:

wmic product where name="Cato Client" call uninstall

Corrupt installation that persists after boot? From time to time support may advise doing a clean install. Here is what you would do for a more elaborate clean removal of the SDP client for reinstall:

Uninstall CATO Client by following the Article How To Uninstall the Windows Client. When uninstalling the CATO Client, kindly delete the cache contents located at "C:\Users\User\AppData\Local\CatoNetworks\Cache"
Go to Control Panel > Network and Internet -> Network Connections
Ensure that all CATO Adapters and the Local Area Connection adapter (WinTun Userspace Adapter) have been removed. If they still exist, manually delete them (disabling them alone will not help).

Cato Device Posture Profile problems.. What are others using?
We've been working for several weeks to set up our Device Posture Profiles (DPPs) to be used as a way to block/allow access to certain resources. Our goal was to have the Cato client check to see if the following processes were running:

Microsoft Intune MDM (for Windows and Macs)
Microsoft Defender ATP (for Windows and Macs)

We've found all sorts of inconsistencies and problems when applying these DPPs. Many times the Cato client won't realize the processes are running (even though they are). It will detect one of the processes but not the other sometimes. Sometimes it will work after users reboot and connect to Cato, other times it won't. We are confused about how often the Cato client checks for the postures. We have the "Enable Advance Posture Checks" option set to 5min, but see different behavior when machines come out of Sleep mode, etc.

So now we are thinking it's asking too much of the Cato client to verify Defender and Intune are actually running, so we may have to settle for verifying if they are simply "installed" on the machine (via registry entry possibly)?

We would like to hear how other companies are using the Device Posture Profiles/Checks to add security to their users' access. I'm guessing most companies are just putting a Cert on the machines and looking for that to allow access to Cato? Any suggestions would be appreciated.

88Views0likes2Comments