Discussions
Discussions and questions regarding Cato Networks and SASE
Best Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Recording: Ask Me Anything with Professional Services - February 2026
Professional Services AMA – February 2026

Missed the live session? Here’s the full rundown of every question asked, summarized for quick reading, and the recording for deeper context and chit chat.

Our experts this session: Robin Johns, David Tudor, and Mihai Radoveanu

AI Security Questions

How will Cato help identify MCPs, AI agents, and all the new AI tools popping up daily?
Cato is introducing an AI Security module (GA expected early Q2) that will provide:
- Local AI usage discovery (MCP servers, local agents)
- Cloud AI usage discovery (ChatGPT, Copilot, etc.)
- Model inventories & device discovery for homegrown AI
Early access may be available around mid‑March.

Will users be able to test early versions?
Yes. Cato expects to offer trial availability around general release (early Q2).

Can customers see how each AI app uses data (free vs enterprise)?
Yes. Cato can differentiate free, paid, and enterprise versions of tools like ChatGPT or Copilot by analyzing traffic, authentication headers, or API connections.

Can existing AI-related firewall and CASB rules be removed once AI Security is enabled?
Technically yes, but Cato recommends keeping them during transition. Move them to “monitor” mode first before deleting.

Can Cato block or warn users about risky AI sites?
Yes. Through web firewalling and AI Security policies, admins can:
- Block sites
- Redirect users
- Show user education prompts
- Apply rules per site, category, or group

Can Cato enforce guardrails on AI prompts?
Yes. Prompt policies can:
- Detect PII
- Block sensitive data
- Anonymize inputs
- Detect intent (e.g., self‑harm, illegal activity, jailbreak attempts)
- Trigger “Are you sure?” notifications

Does this work with embedded Copilot inside Microsoft apps (Teams, Word, Excel, etc.)?
Yes. Cato can audit and monitor AI usage across the Microsoft ecosystem, including embedded Copilot prompts.

Can Cato block file uploads or screenshots to AI tools?
Partially.
- Today: Cato can block the upload action.
- Later in 2026: OCR‑based inspection of files/images is on the roadmap.
DLP is still recommended for full file handling.

Can Cato monitor email-based prompt injection attacks?
Yes. AI Security can detect prompt-injection attempts, including those originating from email content.

Can it help discover vulnerable code or libraries in homegrown AI apps?
Yes. Cato can inspect your AI pipelines, models, datasets, knowledge bases, and detect:
- PII in training data
- Vulnerable base models
- Insecure tools/endpoints
- Risky GPTs or agent configurations

Will AI Security support SOAR-like capabilities?
Eventually. Partners already offer SOAR-like services today. Cato may expand here in the future.

Can Cato detect internal MCP servers (e.g., engineers running local Docker containers)?
Yes. Cato can detect MCP traffic using Layer 7 signatures and app analysis.

Will the browser plugin be locked so users can’t remove it?
Yes, deployment via MDM allows admins to make the plugin non-removable.

Does the ZTNA client need to be connected for AI/user identification?
No. As long as the client is installed and running, Cato can identify the user.

Identity & SCIM / LDAP Migration Questions

Can customers migrate from LDAP to SCIM gradually?
Yes, you can run LDAP and SCIM in parallel. SCIM entries override LDAP where both exist.

Do SCIM provisioning and SSO use the same application in Entra?
No.
- SSO app = authentication
- SCIM provisioning app = user & group sync
Both coexist.

Can two SCIM provisioning apps run at the same time?
No. If you rebuild the SCIM app (e.g., because MS Graph v1 was deprecated), you must replace the old app, not run both.

How are users detected when synced through SCIM?
User awareness requires:
- The user synced through SCIM
- The ZTNA client installed (no login needed)
The ZTNA client provides identity signals via the endpoint.

If a user without a ZTNA license has the client, can they connect?
No. They will be identified, but they cannot remotely connect.

API & Logging Questions

Why is Arctic Wolf only receiving IPS/security events and not network events?
Check the API key permissions. Old API keys had limited controls; new RBAC-enabled keys allow specifying full access. Updating the key typically resolves this. Cato recommends using:
- API Explorer
- Cato CLI
to validate what should be visible.

Does Cato offer API discovery and monitoring?
Not fully today, but you can use:
- API Explorer
- MCP server logs
- AI Security (for AI-driven API calls)
More native API discovery is expected in future releases.

Miscellaneous Questions

Can Cato support SOAR workflows for automated response?
Yes, through partners today, and potentially natively in the future.

Links discussed in the video:
https://learn.microsoft.com/en-us/microsoftsearch/semantic-index-for-copilot
https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
https://support.catonetworks.com/hc/en-us/sections/28000327077789-Migrating-from-LDAP-to-SCIM-User-Provisioning
https://support.catonetworks.com/hc/en-us/articles/28000333704861-Preparing-to-Migrate-to-SCIM-Part-1
https://docs.arcticwolf.com/bundle/m_cloud_detection_and_response/page/configure_cato_sse_360_for_arctic_wolf_monitoring.html
Creating API keys: https://support.catonetworks.com/hc/en-us/articles/4413280536081-Generating-API-Keys-for-the-Cato-API
https://github.com/catonetworks/cato-api-explorer
https://github.com/catonetworks/cato-mcp-server
https://github.com/catonetworks/cato-cli
https://connect.catonetworks.com/
24 Views, 2 likes, 1 Comment

Meta Workspace Connector
According to this KB the Meta Workplace connector should be available in the CMA but it's not. Is this something that needs to be requested to be enabled?
https://support.catonetworks.com/hc/en-us/articles/25424780448413-License-and-Apps-for-Cato-Third-Party-Integrations
17 Views, 0 likes, 4 Comments

Relocate of Old Socket to new location
Hi Cato Community

Has anyone previously attempted to relocate an old socket to a new site or location? We are looking for the best method to move the existing socket without impacting its current configuration. In addition to relocating the old socket, we will also be deploying a new socket at the new site—resulting in two sockets operating in the new location.

Any guidance or recommendations based on your experience would be greatly appreciated.
30 Views, 0 likes, 3 Comments

Query Regarding Blocking Emails to Specific External Domain in Cato SASE
Hi Team,

I have a use case where I need to block emails sent from our internal domain (abc.com) to a specific external domain (xyz.com). Could you please confirm whether this is possible in Cato Networks Cato SASE Cloud Platform? If this functionality is supported, kindly share the relevant documentation or configuration guide to help me implement this policy.

Looking forward to your support.

Thanks & Regards,
Rajat Sharma
25 Views, 0 likes, 1 Comment

Uptime for Wan Interface
I need a way to report on over 100 Sites, just the wan uptime. Is there a way to do that? I have to provide management an idea of uptime percentage on just the wan Uptime. Thank you. I was disappointed to find there was not a report that could do this.
217 Views, 1 like, 7 Comments

Application File Name Upload
Hi,

We are monitoring the uploads to external cloud storage which are not compliant with our company policies. We have seen that only in Gmail Upload events, the file name is present. For WhatsApp, Google Drive or other services, a hashed file path is provided. Is there any possibility or roadmap in order to check for the file name in these apps?

Thank you,
David.
61 Views, 1 like, 1 Comment

IPSec with Azure Gateway
Issue: Intermittent IPSec disconnects; Packet loss; TLSi disabled.

Symptoms:
- Timeline shows 'unable to decrypt' packets intermittently
- CMA events show TLS Inspection disabled subsequently
- Session with a server / host behind IPSec Azure gateway lost.

IPSec Timeline shows the following in the logs:
- Unable to decrypt packet - ignoring
- Error parsing or unsupported parameters in an incoming packet

Environment:
- IKEv2 tunnel with Azure Gateway
- GCM algorithm used in the phase1 cipher-suite
- Rekey / Security association timers are configured such that Azure is the initiator for rekeying (i.e. Azure timer <= Cato timer). For IKE Phase1 Cato default is 19800 Sec i.e. 5.5 hrs. Azure default is 8 hrs.

The larger picture - While using GCM and IKE timers set to default / matching values [3600sec (p1) and 28800sec (p2)], this issue is observed whenever the Azure gateway is the initiator of IKE Phase1 tunnel. Cato receives a malformed packet from Azure that Cato is unable to decrypt. A corresponding message mentioned above is seen in the IPsec Timeline (Timeline message shown above). Refer to the articles below on where to find timelines and pcaps in the CMA.

Solution:
- Whenever you see a similar symptom, the recommendation is to set P1 lifetime on Cato to the default value of 19800sec (5.5 hrs). This will make it lower than the Azure default of 28800 sec (8 hrs) and ensure that Cato is always the initiator of tunnel for P1 rekey.
- Another workaround - This issue is specific to GCM based algorithm. Instead of using GCM, use CBC based cipher-suite for IKEv2 Phase I / Init Message Parameters.

Cato maintains its own IPSec suite built from scratch based on RFC standards. Cato has been deployed as a gateway peering with many different SDWAN vendors by some of our largest enterprise customers with 100+ sites across the globe. From lab tests by our experts it is confirmed that this behavior is the same when Azure IPSec gateway is peering with Juniper SRX or Fortinet as a peer device, i.e. the issue is not specific to Cato.

Contributors: Special thanks to ngog for finding this bug and reviewing the article for corrections.

Reference articles:
- Did you know? - IPSEC Timelines and PCAP | Cato Connect
- https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site
- https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites
- https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2
- https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting
- https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-Connectivity

221 Views, 3 likes, 1 Comment
