Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Block/prompt based on risk rating
For Generative AI services, we would like to present the "Prompt" action for services that have a risk rating of 3 and less as per the Cato App catalog, and "Block" those with risks 4+. To our slight surprise there does not appear to be a "Prompt" option in the App & Data Inline Protection module. Is there a way to work around this that does not include having to manually populate the list of "risky" service?
CATO Socket port flapping with certain Spectrum modems
Hi everyone, We would like to raise awareness of a recent issue, where the CATO Socket port may begin flapping when connected to specific Spectrum-provided modems. While the root cause appears to be related to these modems and cannot be addressed on our side, replacing the modem is consistently proven to be an effective solution. If you experience CATO socket port flapping and you are using Spectrum-provided modems. To resolve this issue, add a Switch in between the CATO Socket and the Spectrum modem. If the does not help, you can contact Spectrum support and requested a replacement modem, specifying that you need a different model due to compatibility issues. Ask for either the Hitron ET2251 or EU2251, as both of these seems to have resolve this issue in real customer scenarios.Cato Connect Event: AMA with Professional Services - February/March 2026
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners. During these live AMAs with members of our talented Professional Services team we’ll cover topics like: Implementing Cato and getting as much out of your purchase as possible Best practices we’ve seen across real-world environments AI Security (New, exciting topic!) Your questions... seriously, bring them Choose from the two available sessions, whatever works best for you. February 24th, 2026 at 11am EST or March 12th, 2026 at 3pm JST Here’s how to get the most out of it: Register for the February 24th or March 12th meetings and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Steven Wong Professional Services Engineer Mihai Radoveanu Principal Consultant Professional Services, Italy Rob Pfrogner Principal Consultant Professional Services, US Special guest: Robin Johns Worldwide, AI Security SME If you run into any issues, @mention me or email us at community@catonetworks.com
Application File Name Upload
Hi, We are monitoring the uploads to external cloud storage which are not compliant to our company policies. We have seen that only in gmail Upload events, the file name is presence. For Whatsapp, Google Drive or other services, an file path hashed is provided. ¿Is there any possibility or roadmap in order to check for the file name in this apps? Thank you, David.
LDAP To SCIM Migration
We are planning to migrate from Cato Directory Services LDAP & User Awareness to Cato SCIM user provisioning and looking to get some feedback if anyone has performed this migration and if they encountered any issues during the migrations. We currently have a few domains, over 3500 users and not everyone has an SDP lic, a mixture of Entra joined and non-Entra joined devices. SSO for VPN Users. I'm trying to understand how users are going to be mapped to the workstations they are logging in from and identified since Cato currently taps into DC's Event viewer to map users to computers and LAN IP's. We have Shared computers where an SDP license is not needed as these are fixed computers. We see the user login events, but not the details for the system they are logging in from and LAN IP. Will there be problems if we migrate 1 domain first and wait a week or two to iron out any bugs? Should Always-On Windows RegKey be removed from all systems prior the migration?
Office mode for Mac users
We have AlwaysOn policy enabled for all the users and it is causing some troubles for Mac users. Most of our users are Windows and when they come to the office behind the socket, the client detects Office Mode automatically, users do not need to enter credentials, and they get network connectivity just fine. However our Mac users would need to enter credentials in the cato client for it to detect the office mode. If they do not enter credentials, they do not have a network connection. Our Mac users are not happy with this since it does add some inconvenience when they are in the office. I am wondering if anyone has the same challenge and what are possible workarounds.
2-arm VPN router behind Socket
I have a Cisco router from a 3rd party provider that provides access to that 3rd party providers networks. Thie router uses a 2-arm configuration with WAN and LAN interfaces. The WAN cannot be a public routed IP, it must be a private IP. The router's existing deployment has the WAN interface connected to a DMZ zone off our legacy firewall, which uses a subnet of 192.168.1.0/24 and the router's LAN interface is connected to a trusted LAN subnet of 172.29.1.0/24. The firewall does not have any inbound ports open to the VPN router's WAN interface, as the router is configured to outbound initiate the VPN tunnel. I need to move this router to sit behind the socket so I can remove the legacy firewall from our network. What would be the best way to set this up? Note that VLAN's are terminated to a L3 switch at this location, and I am not looking to move them to the socket at this time. I would also prefer to not have the 192.168.1.0/24 subnet advertised to the entire Cato network (especially ZTNA clients).Certificate File Manipulation using OpenSSL
Use case: I have a TLS bypass rule for a domain that I would like removed. I added this rule because the certificate is not trusted. Now I need to grab certificate details. I have a certificate that appears to be missing from Cato TLS store. I want to report the same to Cato Support. Although I have p7b file which only works on Windows. How do I convert it to a regular certificate and just share with support? Prerequisites: A system with openSSL installed. If you are using a MacBook install HomeBrew and update OpenSSL libraries to the latest version [version as of writing this article - 3.6.0]. xyz@MacBook1 ~ %/ bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" xyz@MacBook1 ~ % brew update xyz@MacBook1 ~ % brew install openssl@3 xyz@MacBook1 ~ % openssl version Solution: If you have a pem file which can be opened in a text editor and it shows BEGIN and END lines with hashes, skip to the final step #3. Procedure: Save p7b file on a folder and run following openssl pkcs7 command from that folder "openssl pkcs7 -inform DER -in input_file.p7b -print_certs -out output_file.pem" Once it is converted open the cdrts.pem file in a text editor. Individually copy text from BEGIN to END values and save them in separate files, save as .pem extension. Further use following openssl command to fetch the SN# and SHA256 fingerprint against each file "openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256" Sample conversion using above method: xyz@Linux-Host1 % openssl pkcs7 -inform DER -in corphqglobal.p7b -print_certs -out cdrts.pem xyz@Linux-Host1 % openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256 -dates -subject Other alternate solutions- Although clumsy and not easy to copy paste just the SN or hash you can use an internet browser such as Google Chrome to view certificate details from "view site info" icon (or a pad lock icon on other browsers) next to the the browser address bar Use Chapt GPT or co-pilot and upload p7b file there. I have tried it but not 100% of the times I got the right SN. I would encourage verifying the results with step 4 above. Be careful not to upload any private keys to online AI Tools.
