Recent Discussions
Block/prompt based on risk rating
For Generative AI services, we would like to present the "Prompt" action for services that have a risk rating of 3 and less as per the Cato App catalog, and "Block" those with risks 4+. To our slight surprise there does not appear to be a "Prompt" option in the App & Data Inline Protection module. Is there a way to work around this that does not include having to manually populate the list of "risky" service?
CATO Socket port flapping with certain Spectrum modems
Hi everyone, We would like to raise awareness of a recent issue, where the CATO Socket port may begin flapping when connected to specific Spectrum-provided modems. While the root cause appears to be related to these modems and cannot be addressed on our side, replacing the modem is consistently proven to be an effective solution. If you experience CATO socket port flapping and you are using Spectrum-provided modems. To resolve this issue, add a Switch in between the CATO Socket and the Spectrum modem. If the does not help, you can contact Spectrum support and requested a replacement modem, specifying that you need a different model due to compatibility issues. Ask for either the Hitron ET2251 or EU2251, as both of these seems to have resolve this issue in real customer scenarios.Cato Connect Event: AMA with Professional Services - February/March 2026
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners. During these live AMAs with members of our talented Professional Services team we’ll cover topics like: Implementing Cato and getting as much out of your purchase as possible Best practices we’ve seen across real-world environments AI Security (New, exciting topic!) Your questions... seriously, bring them Choose from the two available sessions, whatever works best for you. February 24th, 2026 at 11am EST or March 12th, 2026 at 3pm JST Here’s how to get the most out of it: Register for the February 24th or March 12th meetings and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Steven Wong Professional Services Engineer Mihai Radoveanu Principal Consultant Professional Services, Italy Rob Pfrogner Principal Consultant Professional Services, US Special guest: Robin Johns Worldwide, AI Security SME If you run into any issues, @mention me or email us at community@catonetworks.com
Application File Name Upload
Hi, We are monitoring the uploads to external cloud storage which are not compliant to our company policies. We have seen that only in gmail Upload events, the file name is presence. For Whatsapp, Google Drive or other services, an file path hashed is provided. ¿Is there any possibility or roadmap in order to check for the file name in this apps? Thank you, David.
LDAP To SCIM Migration
We are planning to migrate from Cato Directory Services LDAP & User Awareness to Cato SCIM user provisioning and looking to get some feedback if anyone has performed this migration and if they encountered any issues during the migrations. We currently have a few domains, over 3500 users and not everyone has an SDP lic, a mixture of Entra joined and non-Entra joined devices. SSO for VPN Users. I'm trying to understand how users are going to be mapped to the workstations they are logging in from and identified since Cato currently taps into DC's Event viewer to map users to computers and LAN IP's. We have Shared computers where an SDP license is not needed as these are fixed computers. We see the user login events, but not the details for the system they are logging in from and LAN IP. Will there be problems if we migrate 1 domain first and wait a week or two to iron out any bugs? Should Always-On Windows RegKey be removed from all systems prior the migration?
Office mode for Mac users
We have AlwaysOn policy enabled for all the users and it is causing some troubles for Mac users. Most of our users are Windows and when they come to the office behind the socket, the client detects Office Mode automatically, users do not need to enter credentials, and they get network connectivity just fine. However our Mac users would need to enter credentials in the cato client for it to detect the office mode. If they do not enter credentials, they do not have a network connection. Our Mac users are not happy with this since it does add some inconvenience when they are in the office. I am wondering if anyone has the same challenge and what are possible workarounds.
2-arm VPN router behind Socket
I have a Cisco router from a 3rd party provider that provides access to that 3rd party providers networks. Thie router uses a 2-arm configuration with WAN and LAN interfaces. The WAN cannot be a public routed IP, it must be a private IP. The router's existing deployment has the WAN interface connected to a DMZ zone off our legacy firewall, which uses a subnet of 192.168.1.0/24 and the router's LAN interface is connected to a trusted LAN subnet of 172.29.1.0/24. The firewall does not have any inbound ports open to the VPN router's WAN interface, as the router is configured to outbound initiate the VPN tunnel. I need to move this router to sit behind the socket so I can remove the legacy firewall from our network. What would be the best way to set this up? Note that VLAN's are terminated to a L3 switch at this location, and I am not looking to move them to the socket at this time. I would also prefer to not have the 192.168.1.0/24 subnet advertised to the entire Cato network (especially ZTNA clients).Windows Cato Client Throughput Throttled by 3rd-Party Software
Hi everyone, We would like to raise awareness of a recent issue we've seen quite often in Cato support: 3rd-party software, such as the Intel Connectivity Performance Suite and Dell Optimizer, throttles network throughput while the Cato Client for Windows is connected, often by 50% or more compared to when the Cato Client is disconnected. These programs are designed to prioritize different types of traffic, but they aren't optimized for use with the Cato Client. While we work with these vendors to resolve these issues, we recommend uninstalling these software programs to achieve maximum throughput and performance when using the Cato Client. We recently added a step in our Cato SDP Client Performance Troubleshooting KB to check for these programs and provided links to the vendors' uninstall instructions. If you know of any other 3rd-party software that interferes with Cato Client performance, please feel free to comment and share with others here or open a support ticket so we can investigate further. Thank you!
