Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
2-arm VPN router behind Socket
I have a Cisco router from a 3rd party provider that provides access to that 3rd party providers networks. Thie router uses a 2-arm configuration with WAN and LAN interfaces. The WAN cannot be a public routed IP, it must be a private IP. The router's existing deployment has the WAN interface connected to a DMZ zone off our legacy firewall, which uses a subnet of 192.168.1.0/24 and the router's LAN interface is connected to a trusted LAN subnet of 172.29.1.0/24. The firewall does not have any inbound ports open to the VPN router's WAN interface, as the router is configured to outbound initiate the VPN tunnel. I need to move this router to sit behind the socket so I can remove the legacy firewall from our network. What would be the best way to set this up? Note that VLAN's are terminated to a L3 switch at this location, and I am not looking to move them to the socket at this time. I would also prefer to not have the 192.168.1.0/24 subnet advertised to the entire Cato network (especially ZTNA clients).IPSec with Azure Gateway
Issue:Intermittent IPSec disconnects; Packet loss; TLSi disabled. Symptoms: Timeline shows 'unable to decrypt' packets intermittently CMA events show TLS Inspection disabled subsequently Session with a server / host behind IPSec Azure gateway lost. IPSec Timeline shows following in the logs Unable to decrypt packet - ignoring Error parsing or unsupported parameters in an incoming packet Environment: IKEv2 tunnel with Azure Gateway GCM algorithm used in the phase1 cipher-suite Rekey / Security association timers are configured such that Azure is the initiator for rekeying. (i.e. Azure timer <= Cato timer). For IKE Phase1 Cato default is 19800 Sec i.e. 5.5 hrs. Azure default is 8 hrs/ The larger picture - While using GCM and IKE timers set to default / matching values [3600sec (p1) and 28800sec (p2)]. This issue is observed whenever the Azure gateway is the initiator of IKE Phase1 tunnel. Cato receives malformed packet from Azure that Cato is unable to decrypt. A corresponding message mentioned above is seen in the IPsec Timeline (Timeline message shown above). Refer to articles below on where to find timelines and pcaps in the CMA. Solution: -Whenever you see similar symptom recommendation is to set P1 lifetime on Cato to default vale of 19800sec (5.5 hrs). This will make it lower than Azure default of 28800 sec (8 hrs) and ensure that Cato is always the initiator of tunnel for P1 rekey. -Another workaround - This issue is specific to GCM based algorithm. Instead of using GCM, use CBC based cipher-suite for IKEv2 Phase I / Init Message Parameters. Cato maintains its own IPSec suite built from scratch based on RFE standards. Cato has been deployed as a gateway peering with many different SDWAN vendors by some of our largest enterprise customers with 100+ sites across the globe. From lab tests by our experts it is confirmed that this behavior is same when Azure IPSec gateway is peering with Juniper SRX or Fortinet as a peer device. i.e the issue is not specific to Cato. Contributors: Special thanks to ngog for this finding bug and reviewing the article for corrections. Reference articles- Did you know? - IPSEC Timelines and PCAP | Cato Connect https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2 https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-Connectivity
Windows Cato Client Throughput Throttled by 3rd-Party Software
Hi everyone, We would like to raise awareness of a recent issue we've seen quite often in Cato support: 3rd-party software, such as the Intel Connectivity Performance Suite and Dell Optimizer, throttles network throughput while the Cato Client for Windows is connected, often by 50% or more compared to when the Cato Client is disconnected. These programs are designed to prioritize different types of traffic, but they aren't optimized for use with the Cato Client. While we work with these vendors to resolve these issues, we recommend uninstalling these software programs to achieve maximum throughput and performance when using the Cato Client. We recently added a step in our Cato SDP Client Performance Troubleshooting KB to check for these programs and provided links to the vendors' uninstall instructions. If you know of any other 3rd-party software that interferes with Cato Client performance, please feel free to comment and share with others here or open a support ticket so we can investigate further. Thank you!Recording: AMA with Professional Services - November 2025 Session 2
In our last AMA with our Professional Services team we dove into two major topics: TLS Inspection and CASB/DLP. These features are critical for improving visibility, securing encrypted traffic, and protecting sensitive data. If you missed the session, don’t worry! We’ve summarized the key points and answered your most pressing questions below. (Slides from the presentation are attached for deeper detail.) Presentation Highlights TLS Inspection Why it matters: Over 90% of internet traffic is encrypted, which is great for privacy but creates blind spots for threats like malware and phishing. Benefits: Organizations enabling TLS inspection block 52% more malicious traffic. Challenges: Complexity, operational burden, and compliance concerns often slow adoption. Cato’s approach: Cloud-native TLS inspection with Safe Mode simplifies rollout, minimizes disruption, and includes automatic bypass lists for problematic apps. Best practices: Block QUIC/GQUIC, manage bypass lists, and roll out gradually in phases. CASB & DLP Purpose: Protect sensitive data, ensure compliance, and gain visibility into SaaS usage. CASB: Focuses on application control—monitoring activities like uploads/downloads and enforcing granular policies. DLP: Adds content inspection to prevent data leaks based on patterns, sensitivity labels, or custom rules. Implementation: Start with monitoring, then enforce policies gradually. TLS inspection is a prerequisite for both. Q&A Highlights Q1: Is TLS Inspection becoming more popular? Yes! Adoption has improved significantly since the introduction of Safe TLS Mode, which uses a wizard to simplify configuration and automatically applies recommended bypasses. This reduces risk of breaking apps and makes rollout less intimidating. Q2: What about mobile apps using QUIC? QUIC-based apps (e.g., WhatsApp, Jira) can pose challenges. Recommendations include: Verify automatic bypass settings for native apps. Block QUIC/GQUIC to force fallback to TCP for inspection. Apply exceptions only when necessary. Q3: Will users get notified when DLP blocks an action? Currently, notifications are basic, but enhancements are planned. Soon, users will see alerts like “Action blocked due to company policy” via the client, with more detailed CMA alerts coming later. Q4: Can we filter CASB activities like upload/download? Yes! The Cloud Activity Dashboard shows top activities and allows filtering by action (e.g., upload). You can also drill down into events for detailed visibility. Q5: Is AWS GovCloud supported for log integration? Not at this time. The current integration works with standard AWS S3 buckets. GovCloud support is a common request and may be addressed in future updates. Q6: Any update on combining SDP and EPP into one app? It’s on the roadmap, but no detailed timeline yet. Q7: How to handle bandwidth spikes during patching? Use Bandwidth Management to map update traffic to a lower-priority queue, ensuring critical apps maintain performance during bursts. Thanks to everyone who joined and asked great questions! If you have ideas for more content that we can create that will be useful to you and your team, feel free to leave us a comment or email our community team at community@catonetworks.com. Stay tuned for our next AMA in February :) bring your questions and your favorite warm beverage!
AWS - OpenVPN routing clash for Cato SDP
Hi, We have been a Cato customer for just over a year now and we have a hybrid network Infra, of some onprem servers and new workloads been hosted in both AWS & GCP. My question is around the use of existing OpenVPN for accessing our AWS trusted VPCs and users having issues with Cato SDP and OpenVPN clashing for DNS/routes etc.. when trying to access the AWS vs. Onprem server environments. We need staff to be on Cato SDP all the time for montioring, audting and best security practices.. however it clashes with some users who need OpenVPN AWS access. What do other companies do to get around this issue (if they have a similar routing issue at all?). Split tunnel vs. AWS marketplace Cato virtual socket (EC2 instance needed per account?). I would be very interested to see if others have seen or have a good work around to this dilemia.How to Uninstall Windows Cato SDP Client Remotely?
Use case: Although manual uninstall may not be required frequently, there may be instance where you have a user with corrupt installation and you must uninstall remotely. Another typical use case I cam across recently - your company self service portal (e.g. Intune or Kandji) has a different version than what is installed on the user device and now you want to downgrade the client. In order to downgrade you will need to uninstall the existing installation first. You can do this using a simple command. Prerequisite: Admin privilege on the system How To? Launch command prompt using privileged mode (i.e. run as "admin") and then issue following command [screenshot example on Windows 11 attached] or simply execute this command remotely on the system running SDP client: \Windows\System32\wmic product where name=“Cato Client" call uninstall Corrupt installation that persists after boot? From time to time support may advise doing a clean install. Here is what you would do for a more elaborate clean removal of the SDP client for reinstall- Uninstall CATO Client by following the Article How To Uninstall the Windows Client, when uninstalling the CATO Client, kindly delete the cache contents located at "C:\Users\User\AppData\Local\CatoNetworks\Cache" Go to Control Panel > Network and Internet -> Network Connections Ensure that all CATO Adapters and Local Area Connection adapter ( WinTun Userspace Adater) have been removed, if they still exist, manually delete them (disabling them alone will not help).URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though! Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful. Thanks Nath based on your comment I have added following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic. https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374Did you know? - IPSEC Timelines and PCAP
Unlike most other competitors we have this awesome tool available from CMA - With other vendors you would to login to a CLI shell, elevate and run some intrusive tcpdumps. It makes IPsec troubleshooting far easier. PCAPs and Timelines are available in the CMA next to the IPSEC configuration page. Networks > Sites > IPSec > Primary
