Discussions: discussions and questions regarding Cato Networks and SASE
Best Practices: find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Need help with prelogin Intune deployment
Hello, I need to understand how to get prelogin to work for my environment so users can sign in when off of the network. We are deploying devices from Intune using the Enrollment Status Page. So it gets deployed to them, they turn it on and it Autopilots from there. The Cato SDP client is being deployed with PatchMyPC and has a script in place with that for the required registry keys. The certificates are being deployed inside of a Win32 Intune win file with a script to install the certificate.

Script for the certificate (yes, it is a password-protected PFX file; we do not have a certificate authority; this did work for prelogin on my device):

Import-PfxCertificate -FilePath .\Catoprelogin.pfx -Password (ConvertTo-SecureString -String 'mypassword' -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My

All of this was successfully installed; what could I be missing? The certificate is an SSL certificate and I confirmed that it worked prior to the Autopilot on my personal work computer without Autopiloting it.

DOES ANYONE HAVE ADVICE OR SUGGESTIONS ON HOW TO SET UP THE INTUNE AUTOPILOT PROFILE, ENROLLMENT STATUS PAGE, OR ANY OF THE ABOVE TO MAKE THIS WORK? WHETHER IT IS DEPLOYING THE CERT A DIFFERENT WAY OR DEPLOYING THE CERTIFICATE WITH THE CATO CLIENT APPLICATION INSTALL.

Thanks
(321 views, 0 likes, 3 comments)

Blocking TLD (Top Level Domain) or a Specific Country
Use Case 1: How do I block traffic to all *.info websites using the TLD?
Use Case 2: How do I block traffic to and from a country?
> IPS > Geo

Cato has a very powerful IPS feature to block both inbound and outbound traffic to a specific country, which some of our competitors can't do. They usually will only block outbound traffic to a country based on their (obsolete) web proxy feature. Cato can do both directions! This is the true power of UZTNA vs. the rudimentary ZTNA solutions out there!

How?
- CMA > Security > IPS > Geo
- Internet rule > category country > Congo
- Internet rule > Category > domain > "cg"

Use case 1: Cato makes blocking a top-level domain as easy as creating an Internet rule with category domain and specifying e.g. "info" as the domain (yes, even the TLD!). Subdomains are blocked automatically without specifying the wildcard character.

Use case 2: Now you would think if I create an Internet rule with "cg" it will block all traffic to Congo? You guessed it right. That works too. Some of our competitors today can't block TLDs (top-level domains). Note that this method only prevents outbound traffic to that TLD (destination country). Augment this with Geo block using IPS.

Going one level further, if your use case is to block all traffic to a country, you don't just want to rely on a SWG (RIP, the Secure Web Gateway!) rule like the above. Cato has a very powerful Geo-IP feature that works at the firewall rule level for both inbound and outbound (see the screenshot at the top)!

In summary, here are 3 ways to do this:
1. Security > IPS > Geo Restriction > select the country and the direction. Refer to the top screenshot; we have bi-directional support (Cato Differentiator).
2. Internet rule > category country > Congo (SWG / Proxy)
3. Internet rule > Category > domain > "cg" (TLD - Cato Differentiator)

Supporting articles: https://support.catonetworks.com/hc/en-us/articles/360012276478-Configuring-IPS-and-Geo-Restriction

Note: Most companies follow their corporate policies or some regulations / embargo in effect to maintain a list of countries to block. Make sure you have no users / partners / businesses in the destination country before you put a blanket block in place. While this is as foolproof as it can get, there is a gotcha: what happens if the site is using an Anycast service or a CDN service hosted outside the country?
(272 views, 0 likes, 0 comments)

URL - Category over-ride not taking effect?
Is your URL category override not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a top-level domain, e.g. "uk" would cover all the subdomains such as bbc.co.uk. Category override from CMA for an FQDN applies just to that FQDN; any subdomains must be specified with their own FQDN. E.g. overriding the category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com. Hope you find this helpful.
(42 views, 1 like, 0 comments)

Speaking Opp for Cato CASB Power Users
Hey Cato Connect! We’re gearing up for our next CASB webinar — and we’d love to spotlight one of YOU. Are you using Cato CASB and passionate about how it’s helping your organization? This is a great chance to share your journey, insights, and real-world wins with a broader audience. Interested in speaking? Let us know! We’re looking for a customer to join us on the virtual stage and bring the customer perspective front and center. Not a CASB user (yet)? No problem! We'd still love your input — tell us what CASB-related topics you'd find most valuable to hear about. We'll do our best to cover them during the session. Drop your ideas or interest in the comments below — or email me directly at zoe.averbuch@catonetworks.com. Let’s co-create a session that’s practical, relevant, and community-driven. 🙌
(13 views, 0 likes, 0 comments)

Blocking iCloud Private Relay "nicely"
I would like to block iCloud Private Relay in such a way that the user would be notified and able to continue without iCloud Private Relay. Apple's recommended way to do this is to block DNS requests to mask.icloud.com and mask-h2.icloud.com so a "no error/no answer" or NXDOMAIN response is returned. This alerts the users that they either need to disable Private Relay or choose another network. Details are here: Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer

Is there a way to configure this using only Cato? I cannot see how to create a custom DNS rule to block specific queries, and I cannot see how to create a custom IPS rule either. Is there a recommended way to do this? What are others doing? I am in a Windows shop. I could redirect DNS queries to a Windows DNS server and use DNS query filtering, but would rather do a Cato-only solution if possible.

Per Apple: "Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices."
mask.icloud.com
mask-h2.icloud.com
(96 views, 2 likes, 5 comments)

Seamless SSO with External vs. Embedded Browser – Conditional Access & Compliance Issues
Hi Community, I'm currently testing Seamless SSO with Cato and ran into an issue that I’d appreciate some input on. When using an external browser for authentication, Conditional Access (CA) policies work as expected, and compliant devices are recognized. However, when trying to authenticate via the embedded browser, the device fails to report compliance, which leads to failed Conditional Access checks.

My questions are:
- Is Seamless SSO currently supported when using the external browser flow with full Conditional Access and device compliance evaluation?
- Is there any official support or workaround for enabling embedded browser authentication with Conditional Access and device compliance checks? For example, is there any roadmap item or setting that might allow the embedded browser to pass device compliance state?

I’ve reviewed the official SSO guide, but it doesn’t address this specific scenario. Thanks in advance for any insights or guidance!
(Solved; 70 views, 1 like, 2 comments)

Cato Rapid Recap | June 2025
📣 Cato Rapid Recap | June 2025
Staying current on the latest features, best practices, and platform improvements isn’t always easy. That’s why I’m kicking off a new 2-minute monthly recap — designed to help you:
✅ Quickly catch up on what’s new
✅ Share relevant updates with prospects, POCs, and customers
✅ Stay aligned on Cato’s evolving value
📅 Plan is to release this every month — short, actionable, and easy to share.
▶️ Watch the June Recap
Got feedback or requests for next month’s recap? Drop a comment below 👇
(21 views, 1 like, 0 comments)

DSCP Markers in Microsoft Teams
I have been reading the following article, which shows it was updated 6 months ago and so I think it must still be relevant: https://support.catonetworks.com/hc/en-us/articles/4408901533073-Implementing-QoS-using-Microsoft-Teams-and-Cato

Our app analytics only show the Skype and MS Teams application, rather than being broken down into these:

We use Cisco switches, and for the ports connected to the socket we use the following:
switchport trunk native vlan 99
switchport mode trunk
ip device tracking maximum 0
no access-session monitor
spanning-tree portfast edge trunk
ip dhcp snooping trust

We do have GPO/Intune that sets the DSCP on our laptops. Do we need to configure anything on the Cisco switches for this to work? Or is there another reason I haven't thought of?
(72 views, 0 likes, 3 comments)

Microsoft Defender for Endpoint alerts no longer showing in Stories Workbench
I'm seeking advice regarding the integration between Cato XDR and Microsoft Defender for Endpoint (MDE). Previously, MDE alerts were being displayed correctly in Cato XDR (Home > Stories Workbench), but since yesterday, new incidents detected in MDE are no longer appearing in XDR. Below is the current status of our investigation:
- When an incident occurs on a device, it is properly detected and displayed in MDE.
- The integration with MDE was successfully completed, and the corresponding application in Entra ID has been granted the following application permissions with admin consent:
  SecurityAlert.Read.All
  SecurityIncident.Read.All
  ThreatHunting.Read.All
  User.Read (delegated)
  User.Read.All (application)
- In Microsoft Entra ID, the Sign-in logs show that all sign-ins by the service principal are marked as "successful."
- We tried deleting "Microsoft Defender" once from Security > Endpoint Connector and re-integrating it, but the alerts still do not appear in XDR.

I would greatly appreciate any advice or insights to help resolve this issue. Thank you very much in advance.
(Solved; 104 views, 0 likes, 2 comments)