Discussions
Discussions and questions regarding Cato Networks and SASE
Best Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Device Posture-Real Time Protection
I noticed a couple of items in the Device Posture>Device Checks>Anti-Malware section today that I was wanting to bring up.

1. Real Time Protection Enablement

Realtime protection is not able to be selected when you have "Any" selected as the Vendor (grayed out in the screenshot shown below):

However, if you end up Defining a Vendor and Product, and then revert your Vendor selection back to "Any," Real Time Protection can be enabled (see screenshot below once reverting Vendor back to "Any"):

Question

Does this mean that Real Time Protection cannot be assessed if you have the "Any" vendor selection, and I just happened to find a bug that allows me to check, OR am I supposed to be able to select Real Time Protection when the Vendor selection is set to "Any"?

2. Real Time Protection Definition

When reviewing CATO documentation on Device Checks using the following URL: Creating Device Posture Profiles and Device Checks – Cato Learning Center

The following is listed:

This reads like it is mentioning the frequency that the Client is checking the device for Anti-Malware criteria checks and not that the installed Anti-Malware solution has Real Time Protection enabled. Can I get confirmation that by enabling Real Time Protection in the Anti-Malware device check, this is actually verifying that the installed solution has Real Time Protection configured?

20 Views 0 likes 2 Comments

CATO always on
Hi,

I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA. We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user.

How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client? Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that?

Thanks!

59 Views 0 likes 3 Comments

Bypass L7 from socket device
Hi community,

Like the “Exclude Applications from Split Tunnel Policy Rules” available from the SDP client, is this functionality available from the socket?

Many customers have a lot of Teams and Outlook traffic and need to bypass it directly from the socket. Many reasons for that (improve performance and save bandwidth to the Cato Cloud). The actual bypass (from/to) IP is not usable for Teams and Outlook traffic.

Thanks

82 Views 0 likes 2 Comments

Hey Siri.... Find me these Cato events
Imagine, as a SASE admin (already busy hunting critical threats and protecting your org from on-prem and cloud threats), how much you would hate it if you had to write complex queries for simple searches. No more "yet another query language", please! But this is how our competitors did it, by making you learn their syntax and their version of Regex to find events. For a simple search to find all traffic to 'google' and 'microsoft' or all phishing URLs, why does it have to be so difficult?

We took a radically innovative approach to finding results. Very close to Apple's 'Hey Siri'! Sure, you can use our filters and presets (check out my previous article on custom presets). We have now made it even better with our innovative AI-powered Natural Language Search feature. Simply click the magnifying glass on the far right and write your queries in your own words.

How to: Event Monitoring > Far right magnifying glass (note the far right icon in the screenshot next to #1)

NLS ability will be extended to Audit Logs as well!

This feature is currently in beta. [Contact your Cato Networks representative if you would like this feature enabled in your account]

Key Features:
- Uses everyday language to find relevant data
- Translates natural language queries into specific filters
- Automatically formats table results to show relevant columns

Example Queries
- Show me all RDP blocked traffic
- Show me all DNS traffic
- Show me Internet firewall security events from phishing category URLs
- Show recent security incidents and alerts related to application vulnerabilities
- Show me security alerts where data was sent from computer 10.0.0.1 to 10.0.0.2

Power of Cato powered networks!

Explore more: https://support.catonetworks.com/hc/en-us/articles/21585563225757-Filtering-Events-with-Natural-Language-Search

87 Views 0 likes 0 Comments

Can't Export Dashboards?... Export button grayed out?
Issue:
- I have editor permission under the Networks and Access tabs, but I still can’t export the sites or SDP users.
- Export button is grayed out

Background: Cato CMA (Cato Management Application) has extensive RBAC (role-based access control) permissions. Since we introduced RBAC, the set of permissions has continued to become more granular in terms of what the admins can limit under various sections of the CMA. Some of the permissions may have evolved. This is one I ran into most recently that I thought would be worth sharing.

How to: If you are running into this issue, enable the Edit permissions under the Monitoring Administration > Roles & Permissions

16 Views 0 likes 0 Comments

Enhanced Block / Warning Message - Event Reference ID
Last week a very powerful troubleshooting and event monitoring feature, "Event Reference ID", was introduced. It will make troubleshooting easier for the admins. Now you can customize the block and warning page to display an external event ID that a user will see in the browser. You can use this to further correlate the event in the CMA using the Event Reference ID.

https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page#heading-3

How to enable this feature?
Enable this for Warning and Block page separately.
CMA > Administration > Branding > Warning / Block Page

How to correlate using Event Reference ID?
- From CMA > Event Monitoring you can use this reference ID to pivot directly to the event

39 Views 0 likes 2 Comments

Allow List
Hello,

I'm new to the community and the CATO environment and had a question regarding allow listing. I can see my public IP is from the Ashburn, VA PoP location. As we migrate away from traditional premise-based firewalls I'm unclear how broadly I should ask our vendor partners to allow list. Traditionally, I'd simply provide the IP range for the circuit coming into the site (Lumen, Comcast, etc.). But with CATO, there are numerous PoP locations. I recognize I wouldn't need to provide something that doesn't make sense (e.g., PoPs in Asia). But what is the recommendation otherwise? Should I provide all the IP ranges in Ashburn, VA since we're in central Virginia? Should I continue providing the IP ranges for the physical circuit coming into the buildings too?

Thank you,
Rob

26 Views 0 likes 1 Comment