Recent Discussions
Device posture basis domain name
One of the issue we raised during Cato Connect program was around device posture policy basis domain and it was clarified that this falls under advanced configuration and can be done by support/CSM team. I raised ticket for the same and the response was that they can apply but from backend and at account level. I want to exclude some of my senior management from this policy but it is not feasible now since done at account level. Also I cant do testing by applying this device posture basis domain for some 2-3 users to see if it works properly and also no option from frontend to disable if there is any issue and totally depend on service ticket and backend team. This makes this good policy not to be deployed as it has potential risk since neither testing can be done nor exclusion can be done unlike any other device posture policy since policy deployed from backend and deployed at account level.
Setting up SSO with IdPs other than the default nine?
I would like to ask about the possibilities of setting up SSO integration with Identity Providers (IdPs) that are not among the nine default options provided. What methods are available for establishing SSO connections with IdPs beyond the default nine? Is there a way to configure a generic IdP setting, or can we leverage the existing nine IdP configurations to connect with other IdPs? Additionally, is there a process to request a new IdP to be officially supported or added as a connection option? Any insights or guidance on this would be greatly appreciated. Thank you. Sincerely, hisashi
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
Reporting the wrong category goes nowhere
As per https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page: "The Cato Security team regularly reviews reported wrong categories and validates that the content for the category is correct. When websites or applications belong to the wrong category, the Cato Security team updates the definition of the category." Not so much. I just went through the last two months of such reports (filter for "Sub-Type Is Misclassification" in the Events log) and found 31 such requests from our users - most were for perfectly legit sites that for some reason were categorized as "Porn". And they still are - every single one of them. If the Cato security team is indeed not reviewing these submissions as originally intended, it would be great if that was communicated so that we can remove that misleading reporting link and take care of the Brightcloud submissions ourselves.Voices Behind the Stack: Nick and Jack of Redner’s
This month, we’re spotlighting two IT leaders who have been keeping a multi-location retail operation at the forefront of cybersecurity for over 20 years and doing it with unmatched clarity, curiosity, and consistency. Meet Nick Hidalgo (aka NickH), VP of IT, and Jack Senesap (aka JackSenesap), Director of Infrastructure and Security at Redner’s, a locally owned and family-oriented retail food company in the US. Their secret? A passion for unifying complexity, a love of visibility, and a belief that the right tools and the right people make all the difference. “We always know where our users are. We can deny access to things by default. That’s huge.” – Jack “It’s the first tool I look at in the morning. Everything’s in one place.” – Nick These two were early adopters of SASE from way back when it still sounded like just another buzzword. What changed their minds? Visibility. Simplicity. And the sense that this shift actually reduced complexity instead of adding more. They chose Cato Networks for its performance and security and stayed because it became a trusted part of how they work. “Now we have the resources to continue to improve.” Why these two stand out: They’re always pushing forward: from expanding their TLSi reporting to exploring orchestration and automation. They’re deeply curious about AI: not just how it can help, but how it might reshape their roles. They’re passionate about their industry and always looking for ways to do more. Off the clock? Nick is out on the lake or at the gym. Jack is tearing up the trails on his mountain bike or shooting hoops with a crew of all ages. And fun fact: Jack once won a car at a software user conference. (Seriously.) “Security never sleeps” Jack says, and hearing about everything he’s accomplishing at work, apparently neither does he. Huge thanks to Nick and Jack for their time, insights, and everything they do to keep their organization secure and forward-looking. For more Redner’s fun – check out this nifty customer story here.
TLS Inspection and RBI
Hello, I'm new on Cato Cloud and I don't understand the behavior of the Security feature... I have created a local SDP user and assigned it a license, I'm able to connect to the tenant through the client. I've enabled the Internet Firewall, TLS inspection and RBI : Split tunneling is not enabled. I just wanted to test RBI, all other internet traffic is blocked : But when I access https://rbicheck.com which is an uncategorised website, sometimes the site isn't isolated at all like in the simulator, the automatic download is done and the certificate isn't replaced. And sometimes, the website is blocked like any other website : I don't know if I'm missing something, I understood that the changes I make on the CMA takes a few minutes to be acknowledged, the logs aren't helping me... I would be very thankful if someone could help me
