Recent Discussions
Device Posture-Real Time Protection
I noticed a couple of items in the Device Posture>Device Checks>Anti-Malware section today that I was wanting to bring up. 1. Real Time Protection Enablement Realtime protection is not able to be selected when you have "Any" selected as the Vendor (grayed out in the screenshot shown below): However, if you end up Defining a Vendor and Product, and then revert your Vendor selection back to "Any," Real Time Protection can be enabled (see screenshot below once reverting Vendor back to "Any"): Question Does this mean that Real Time Protection cannot be assessed if you have the "Any" vendor selection, and I just happened to find a bug that allows me to check,....OR....am I supposed to be able to select Real Time Protection when the Vendor selection is set to "Any"? 2. Real Time Protection Definition When reviewing CATO documentation on Device Checks using the following URL: Creating Device Posture Profiles and Device Checks – Cato Learning Center The following is listed: This reads like it is mentioning the frequency that the Client is checking the device for Anti-Malware criteria checks and not that the installed Anti-Malware solution has Real Time Protection enabled. Can I get confirmation that by enabling Real Time Protection in the Anti-Malware device check, this is actually verifying that the installed solution has Real Time Protection configured?
CATO always on
Hi, I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA. We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client? Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that? Thanks!Bypass L7 from socket device
Hi community, Like the “Exclude Applications from Split Tunnel Policy Rules” available from the SDP client, is this functionality available from the socket ? Many customers have lot of teams and outlook traffic and need to bypass it directly from the socket. Many reasons for that (improve performance and save bandwitdh to the Cato Cloud) The actual bypass (from/to) IP is not usable for teams and outlook traffic. Thanks
Allow List
Hello, I'm new to the community and the CATO environment and had a question regarding allow listing. I can see my public IP is from the Ashburn, VA PoP location. As we migrate away from traditional premise-based firewalls I'm unclear how broadly I should ask our vendor partners to allow list. Traditionally, I'd simply provide the IP range for the circuit coming into the site (Lumen, Comcast, etc.). But with CATO, there are numerous PoP locations. I recognize I wouldn't need to provide something that doesn't make sense (e.g., PoPs in Asia). But what is the recommendation otherwise? Should I provide all the IP ranges in Ashburn, VA since we're in central Virginia. Should I continue providing the IP ranges for the physical circuit coming into the buildings too? Thank you, Robabout Always-on Issue
On iOS devices, client certificate authentication and “Always-on” VPN configuration" is created with one configuration profile and distributed through MDM. The Cato Client app is also purchased through Volume Purchasing and distributed through MDM. https://support.catonetworks.com/hc/en-us/articles/360016152418-Distributing-Device-Certificates-to-macOS-and-iOS-Devices-with-Jamf Our user's Cato Client authenticates using the Registration code. Although Cato recommends against creating multiple VPN configurations, once the user authenticates with the Registration code, a second configuration profile "Cato Networks VPN" is automatically created by Cato Client. The problem with this is that users can manually turn off the VPN switch. I can manually delete the second profile, but it will be re-created after a while. This issue is fundamental to the Always-on feature and is so serious that organizations are starting to talk about discontinuing their use of Cato. Does anyone know of a good solution to this problem? shiva
"400 Bad Request" Error Occurs with Okta SSO - Unable to Log in to VPN
I configured SSO authentication with Okta as the IdP for the Cato VPN Client, but when attempting to connect to the VPN, I receive a '400 Bad Request' error and cannot log in. Setup: "Single Sign-On" has been configured in CMA "Cato Portal" configured in Okta A VPN connection has been attempted using the Cato Client During authentication, the following error message appears: Error Message: "400 Bad Request" What I have tried: I found the following information in Okta's Knowledge Base, but I was unable to locate the corresponding setting in the Cato Portal Make sure that the redirect_uri, http://localhost:8080/authorization-code/callback is registered as an allowed Sign-in redirect URI in Open ID Client for the application being used [Reference link] (https://support.okta.com/help/s/article/The-redirect-uri-parameter-must-be-an-absolute-URI?language=en_US) Question: If anyone has encountered and resolved this issue, I would appreciate any insights on key configuration points or possible solutions. Additional Information: I am using Okta's free Developer edition (https://developer.okta.com/login/) for testing.
