Recent Content
Simplifying TLS Inspection with Cato's ML-driven Wizard
You made the first step; this is THE place to learn more, get your questions answered and share your experiences with other Cato customers.

Our TLS Wizard is designed with a clear purpose: intelligently determine which traffic to bypass and which to inspect, giving you immediate visibility into the most commonly used applications and websites in your network. We leverage real-world customer traffic insights to identify which traffic works well with TLS inspection and which might be problematic.

What Traffic Should Not Be Inspected?

Four types of traffic should typically bypass TLS inspection:

Certificate Pinned Applications - These applications require specific certificates and will fail when inspected. Cato automatically bypasses known problematic OS, applications and URLs using our default bypass rule - without requiring the Wizard!

Embedded OS Devices - IoT devices like printers, cameras, and smart TVs don't support certificate installation and won't work with TLS inspection.

Sensitive Categories - While Cato never stores payload data, bypassing health, medical, and financial categories helps ensure privacy and compliance.

Traffic originating from Guest networks (or other devices that do not have the Cato certificate installed) - typically it's not possible to inspect traffic from guest devices, as they will not have the Cato certificate installed and will therefore generate an error if inspected.

The TLS Wizard adds bypass rules for embedded OS and sensitive categories automatically. The bypass of guest networks will need to be created manually, as this is not a generic rule that applies to all customers.

What Traffic Should Be Inspected?

The Wizard recommends inspecting these five categories:

General, Business Information, Computers and Technology categories
Popular cloud applications
Cato-recommended domains (approximately 6,000 domains verified to work with TLS inspection)
Malicious and suspicious categories
Uncategorized and undefined categories

Remember, these are suggestions that you can customise during setup. You might want to start by testing with specific users or groups.

Best Practice for the Default Inspection rule

To prevent unexpected traffic inspection, we recommend configuring your default TLS inspection rule to bypass. After running the Wizard, you'll be:

Bypassing known problematic sources and destinations
Inspecting known-good, high-value destinations
Bypassing everything else by default

You can customise and expand upon this foundation later; we recommend adding the bypass for the guest networks in the appropriate section of the TLS inspection policy as a starting point.

See the TLS Wizard in Action:
Watch the demonstration - https://www.youtube.com/watch?v=zYVoxHA09NY&t=14s
Visit our Knowledge base article

Have questions? Use the "comment" option at the bottom of this page. We're monitoring closely and ready to assist you on your journey.

LAN NGFW and Segmentation
Hi all,

This is probably a dumb question, but I was looking at the recent news about Cato supporting LAN NGFW and checking EAST-WEST traffic. My question is, does this mean the Cato Sockets act as the Gateway for each VLAN? I'm just wondering how the Sockets would cope with the amount of traffic going through them and getting inspected. But maybe I'm off base entirely.

Is there a way to restrict access to the WebUI?
Hi all,

Some of our customers want to restrict access to the Web UI from the local networks of the Socket. However, even though I write LAN FW rules, the local IPs will respond to HTTPS requests from every network on the LAN port, even if that is a guest network. Is there any way to restrict access to the WebUI? If not, isn't such a configuration necessary?

Thank you,

Client does not connect automatically after sleep or boot up when Always-On is enabled
Hi All,

Is anyone facing an issue where the Windows client does not connect automatically after sleep or boot up when Always-On is enabled? This issue happens randomly. Please refer to the screenshot below:

Thanks.

Split Tunnel based on FQDN/Domain
I am facing an issue wherein I am not able to browse some government sites. There was an article on the same as well. As of now, I have configured split tunnel based on excluded IPs and I have excluded the IP address of one of the Government websites, but this is not going to work as I have multiple Government websites which are not opening. Why is there no option to bypass or split tunnel based on FQDN or domain? Then I could exclude traffic for Government sites, as it becomes a task to do split tunnel by individual IP address. Is it on the road map or not?

Cato Product Rewind
Join us for Product Rewind, a fast-paced monthly webinar where we break down the most compelling product updates from March 2025. See the latest innovations in action with live demos and get practical insights on how these updates can enhance your experience.

Register now in Cato Academy: https://academy.catonetworks.com/product-monthly-rewind-march-2025

Service contents and definitions
Is there a chart or table detailing the exact ports included in the predefined Services? For a simple example, if I create a WAN Firewall Rule or Exception utilizing the Service 'Microsoft Netlogon', what exactly am I (well, actually CATO) Allowing / Blocking?

Device Posture - Real Time Protection
I noticed a couple of items in the Device Posture > Device Checks > Anti-Malware section today that I wanted to bring up.

1. Real Time Protection Enablement

Real Time Protection cannot be selected when you have "Any" selected as the Vendor (grayed out in the screenshot shown below):

However, if you define a Vendor and Product, and then revert your Vendor selection back to "Any", Real Time Protection can be enabled (see screenshot below, taken after reverting Vendor back to "Any"):

Question: Does this mean that Real Time Protection cannot be assessed if you have the "Any" vendor selection, and I just happened to find a bug that allows me to check it... OR... am I supposed to be able to select Real Time Protection when the Vendor selection is set to "Any"?

2. Real Time Protection Definition

When reviewing CATO documentation on Device Checks at the following URL: Creating Device Posture Profiles and Device Checks - Cato Learning Center

The following is listed:

This reads like it is describing the frequency with which the Client checks the device against the Anti-Malware criteria, and not that the installed Anti-Malware solution has Real Time Protection enabled. Can I get confirmation that by enabling Real Time Protection in the Anti-Malware device check, this is actually verifying that the installed solution has Real Time Protection configured?

CATO Always On
Hi,

I am currently deploying Cato across my entire organization, transitioning from Fortinet's VPN platform to Cato's ZTNA. We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client? Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that?

Thanks!