Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
App Analytics Dashboard not having all filters
Currently App Analytics Dashboard covers all the application or traffic going to Cato PoP. I have users who also uses Cato SDP in mobile phone but those are BYOD devices. Now when I see analytics dashboard, it shows various applications which are blocked in windows/MAC OS like whatsApp. But in App Analytics Dashboard, it also shows application like "WhatsApp" with almost traffic in 10-15GB which is unnecessarily flagged by auditors wherein these are allowed from personal mobile device . There is no filter currently in dashboard to filter insights bases device OS type so that I can remove IOS from device type so that it shows correct picture. I asked this in Ask AI feature and it said :- Unfortunately, based on the Cato documentation, there is no built-in feature to completely exclude specific devices or device types from traffic monitoring and analytics. Current Limitations App Analytics shows all traffic: The App Analytics page includes data for all traffic flowing through the Cato Cloud, including blocked apps and traffic from all device types. According to the documentation: "The App Analytics page includes data for blocked apps. This is because the PoP allows the client device trying to access the app to send multiple packets to the PoP, so it can identify the app and apply the block rule." No device-type exclusion from analytics: While you can filter analytics by device type (iOS, Android, etc.), you cannot exclude specific device types from being collected or displayed in analytics altogether. Workaround - Contact Cato Support: This might be a feature request worth submitting to Cato, as BYOD privacy concerns are common in enterprise environments. Can Cato Team looks into this?URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though! Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful. Thanks Nath​ based on your comment I have added following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic. https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374
Is there any way to expose/export DHCP logs from Cato SDP clients?
is there any way (events / API) to see DHCP events for our SDP users? Our security vendors (Rapid7 and Defender for Identity) are doing correlation based on DNS and DHCP events and sometimes see SDP addresses as different machines. I have DNS and PTR records updating but am curious if there is any way to expose the DHCP lease events for SDP users. I see those events for other Cato DHCP but not for SDP users in my tenant. Cato has the concept of "User Awareness" that is correlating IP addresses to User IDs. When we were using Windows DHCP servers we fed the logs to our security vendors for a similar type of correlation between IP addresses and User IDs. As we are moving away from Windows Servers in our offices, we are losing this visibility. We are beginning to allow Cato to provide the DHCP on our LAN segments, as well as for our remote SDP client users. As this happens, we are seeing DHCP events on the LAN segments which can be tied to machine names and matched against login events via active directory or Entra ID to correlate IP addresses to users. However, for our remote SDP client users I cannot seem to find DHCP events. This leads to issues. Microsoft Defender for Endpoint sees a user getting different IP remote SDP client addresses in the 10.41.x.x as "Pass the Hash" attacks. However, when I investigate, it is the same workstation being getting different IP addresses through normal, remote operation. If the user does not reboot/login every day this raises security alerts. Am I missing the point, or not configuring something correctly? Is there a way via API or syslog forwarding to monitor DHCP logs from Cato for both LAN segments and SDP client segments? The ultimate solution would be log forwarding type of solution where I could forward all Cato DHCP lease events to Microsoft Defender for Endpoints/Identity and my security vendor (Rapid7) but I am just wondering how others are handling this. I figured I would ask around before I put something in the Idea hub for a non-issue.
Migration SCIM to SCIM Provisioning
Hello Team, We currently use Okta for SSO and SCIM provisioning with Cato. We want to keep SSO authentication on Okta, but move provisioning from Okta to Saviynt. Our Understanding: - We understand SCIM endpoints are scoped per directory (sourceId) as /scim/v2/{accountId}/{sourceId}. - We also noted documentation stating multiple IdPs are supported, but not recommended as a migration method. Could you please advise the following? Is there a recommended procedure to migrate existing users from an Okta SCIM directory to a new Saviynt SCIM directory? If adding a new SCIM directory is not recommended for migration, please point us to the recommended migration steps or best practices. We want users and groups provisioned via Saviynt to authenticate via Okta SSO. Is mapping Saviynt directory to the Okta SSO provider a possible configuration? Please let us know if you have any recommend plan. Thank you,Degraded Sockets in High Availability
I have multiple customers that have a LTE sim card just for the main socket. This will have the sockets identify asymmetric WAN connections causing the DEGRADED alert. What can I do to disable the DEGRADED alarm from the site? could it be possible to disable the interfaces so the asymmetric connections don't show as alarmed?
LAN Firewall rules - missing "IP range" in src/dst
Anyone else missing an ability to use Custom IP Range as a source or destination in LAN Firewall rule? We use CATO LAN Firewall to control traffic between two separate network zones terminated on two different internal firewalls. Since this is a local traffic in the site, we don't want to route it to Cato Cloud so it's not dependent on WAN links. That's why we use CATO LAN Firewall (formerly Local Routing). But the only options to set Source or Destination are: Global range, Host, Interface subnet, Network Interface and Any. Would be very useful if we can use Custom IP ranges and Host Groups there.
Pre-Login and Online Services
We currently have an on-premises Active Directory and have Pre-Login enabled with connect at boot enabled. We defined internal destinations (domain domain controllers) as allowed destinations, so the devices can reach the domain controllers before the user has logged in. This worked fine so far. However, now we want to migrate to Entra ID and Intune only, which means that the machines now need to reach Entra and Intune before or directly after the login. Since the pre login mode doesn't allow them to reach all URLs of Entra ID and Intune, we get problems during log in and for the Intune enrollement (which happens after the login of a new user but before the user has authenticated with the CATO client). We also have the same problem with NinjaOne which we use to manage endpoints: We would like to be able to reach endpoints before a user has logged in. In the allowed destinations for the Pre login mode, I can only provide internal targets and IPs, but can't put any Internet hostnames so the devices can reach Entra ID and Intune before the user has authenticated. So what is the solution here? We want to use Pre login to have the security it provides and prevents the devices from having open Internet access before the user has authenticated with CATO, but really need to resolve these issues that are caused by it when it comes to connect to our management services before the user has authenticated. Thank you in advance.
