Recent Discussions
Cato SDP Client to be auto intelligent to login instead of manual logging
I have recently migrated from Netskope to Cato Networks. One issue we have noticed is that users need to login once to Cato SDP client and then "Always-on policy" gets enabled. But users are smart, they don't login to SDP client itself as many sites gets blocked as per policy which they don't want so they don't login once also to SDP client thus making us non-compliant as absence of SDP client makes them vulnerable as they can browse malicious sites as well as can upload company data on public sites which typically gets blocked when connected over SDP client. In Netskope, we just had to push agents to the laptop and no user intervention was required, it automatically detects logged in user credentials so there was no scope for user to not login or bypass security controls. Can't we make zero touch experience for user so that there is no room for escape or delay as now we are totally dependent on user.CASB Tech Hour Q&A
Yesterday, we hosted a live Tech Hour focused on CASB, and it sparked some fantastic discussions. A big thank you to everyone who joined and contributed questions! We've compiled the full Q&A from the session: Will we be getting this recording post this webinar? Yes, the recording will soon be available in this link. You can find all live sessions recordings in Cato Academy > Live Sessions. In application Control do we still get alerts for Sanctioned App if they have risk rating is 6 or higher? Can we setup on such way that sanctioned App will not be notified? Getting alerts in the Cato Management Application is fully customizable so you can decide whether you get alerts or not for specific applications on given risk score and other parameters. In Experience Monitoring we have good data for device and network performance however is there option to export the data ? Today we have a few methods to get the data via reports or API. Export to CSV buttons are on our roadmap and will be added soon. We know CASB requires TLS inspection to be enabled. What if the business bypasses TLS inspection on Microsoft services (apps/networks/IPs), how can we still control the tenant and personal instances of Microsoft services or is this not possible anymore with TLS bypassed? With TLS inspection set to bypass Microsoft services, inline CASB controls will be somewhat limited and tenant control will not be available. Is access to GenAI apps controlled by Sanctioned/Unsanctioned feature or are there other policies that control access specifically to GenAI apps? GenAI apps are controlled by the application and data controls policies in the system. Sanctioned / Unsactioned labeling can be used as an attribute in those policies We don't have the GenAI view. Do we have to set up a rule before hand to get that to show or enable something else? The GenAI dashboard requires CASB license, onces that’s enabled, the default CASB policies automatically start collecting application and activity usage and populates the dashboards with insights I always feel like sanctioned/unsanctioned is counter intuitive to your Zero Trust movement. I don't trust any app, whether it's MS or ServiceNow or ChatGPT. Therefore, I don't sanction any app. I understand the administration advantages but choose not to do it. While this is a valid approach that can be easily configured through CMA, we see many customers labeling SaaS apps and setting up rules according to these principles. To clarify my understanding - the CASB license provides in-line app activity and data protection controls and API SaaS monitoring - and if you want to enforce and data protection policies for SaaS API - that is an additional license? Is that correct? SaaS Data Protection via API requires the “SaaS Security API” license I had a new customer get a popup in Outlook saying "This message includes one or more recipients who aren't authorized to receive sensitive information". They do not have sensitivity labels configured, but they do have the O365 connector setup. Did this come from our CASB engine? If so, how? Follow up with a support ticket as I’m lacking specific information and reproduction steps. Thanks! Can automatic alerts be generated when there is abnormal activity? Abnormal activity is detected using Cato’s XDR engine How is Cato handling HTTP/3 (QUIC) encrypted communications and HTTP/2 SaaS apps that use certificate pinning and thus require TLS decryption exceptions for end users to use them? Cato recommends blocking QUIC to force the session to fallback. Applications that use cert pinning are being analyzed and bypassed by Cato security team. More information can be found here. Under "Applications" in this Cloud Activities dashboard, I can see 2 download activities, but when I click on it, nothing happens. How can I drill in more to see WHO performed those activities? You can hover the application name and either add it as a filter to the dashboard or see them in the events discovery tab As of now, my understanding is that the Data Protection API does not support automatic deletion or blocking of files that violate policies. Are there any plans to expand the range of enforcement actions available in the future? Cato API Data protection support remediation actions like Quarentine and Remove Shares. We are constantly adding additional controls and applications. Currently we are working on adding data protection API for ChatGPT. Data Protection API, requires configuring a connector and defining policy rules. Without getting into app-specific differences, we can automatically remove share or move files to quarantine in case they match configured rules (i.e user action that violates AM/DLP policy) CASB licensing is bandwidth-based? How does this work for SDP users? It is bandwidth based, there is a BW model and an SDP model. We’ll be more than happy to follow up on this to provide more details Many SaaS apps, including popular services from Microsoft, Google, Apple, etc all use certificate pinning and require TLS Decryption Exceptions be put in place for their sites to work. This negates the visibility needed to make informated decisions on end user traffic. Reposting the question a different way to hopefully get some clarification. Palo Alto has not solved this problem either. Native applications who use cert pinning are not inspect-able hence inline inspection will not work (Cato bypasses them). To gain visibility into them, API connectors are the way to go Is there a demo environment for partners to use? Yes, the MSASE_demo account is the Partners demo environment Does Integrated Apps require SaaS API license or does it work with just CASB? Just CASB license The GenAI report available now. Will it have more data with the CASB license? Yes, the CASB license will populate the report with all of the granular activities and data sources Under Security > Cloud Activities > we notice there are files being uploaded to specific Applications. is it possible to view those files being uploaded to each application for DLP purposes? That will require setting up a data control rule for content inspection. This will provide the visibility you are looking for. Can we go setup DLP rule in application control Rule? The app and data control page incorporates the CASB/DLP and File control rules In regards to Data Protection Profiles, how are we to identify false positives? For example, if there is a rule that blocks upload of credit card numbers to SalesForce and there is a hit on the rule, how can we determine if this is a legitimate detection or a false positive? Currently this requires checking the file that triggered the policy. We are working on adding forensics snippets from the matched content into the event for FP analysis. Doesn’t the user just have to login to chatgpt with his corp email address to by pass this rule? No, this level of control is deeper that identifying the login activity and as the tenant is extracted from the HTTP headers and compared to the policy Can the client alert be disabled for given rules? Currently not, it appears for all CASB/DLP hits. This is on our roadmap for later this year He can still use a corp email address for a free account in chatgpt Yes, but you can still configure a rule to block sensitive data and monitor that activity I have a question regarding how DLP behaves. My understanding is that the DLP scan supports files up to 20MB in size. If a file larger than 20MB is sent, does the DLP engine scan up to 20MB of the file before triggering a fail action? Or is the file immediately treated as a failure without any scanning due to exceeding the size limit? The file will be scanned up to 20mb So basically we setup DLP rule in CATO by creating Data Control Rule right? You got it right Question, do you have a best practice to setup CASB and DLP? Yes, you can refer to Cato's Default Recommended CASB/DLP Policy.Does Cato perform application identification based solely on ports?
We'd like to understand how deep Cato's application awareness goes. For example: If someone establishes an SSH connection over a non-standard port (e.g., TCP 222), would it still be recognized as SSH? If we block "SSH" as a service, could a user bypass this by using a custom port? Does blocking SMTP also cover traffic not using the default ports (25, 465, 587)? To allow SSH only over port 22, what would be the correct rule setup? We’re aiming for precise control similar to App-ID behavio.
App catalog categorizations?
"Resources > App catalog" -view lists all the built-in apps, but what are the "rules" that make up an app? For example, what criteria is used to categorize an app as "Amazon AWS"? URLs? IP ranges? In our PoC we used "Atlassian JIRA and Confluence" in a network rule, but found that the rule does not work, when using a custom FQDN, such as customer.atlassian.net.How can I ping or perform health checks on the Cato Socket's WAN interface from the public internet?
We’d like to monitor WAN availability externally (e.g., via public ping or other health check methods). Is there a supported way to reach and test the Socket’s WAN interface from outside the Cato network?How can I route internet-bound traffic from our China-based sites to exit outside of China?
By default, internet traffic from our China locations seems to egress via the local China PoPs. However, we would like to force the egress through a non-China PoP instead. Is there a recommended configuration or best practice within Cato to achieve this? Or is this not possible due the Agreement with China?
What is the difference between App Control Rule "Allow + Tracking: Event Enable" and "Monitor"?
In the *App & Data Inline* -> *Application Control Policy*, we have configured the rule as follows: - **Action: Allow** - **Tracking: Event** (Enabled) However, under this configuration, **no events are shown in the Events screen**. Is this the expected behavior? We are confused because there is also an **Action: Monitor** option, yet "Allow" can also be configured with Tracking enabled or disabled. Could you clarify the functional difference between these two actions and how they affect event logging?Use Case- Bypass internal application access through CATO when in office
I have been using Netskope where there is feature of split tunneling wherein when it detects that you are in office network then you can disable remote access and the traffic to internal application will be routed using your office MPLS/ILL thus only internet traffic going to CATO but when same users are working from home then both remote access as well as internet traffic goes via Netskope. Now with CATO, there is no option with me to exclude traffic going to CATO POP except IP ranges but I want the same experience that when users is in office, only internet traffic goes through CATO and not private access. I want this spliting done through CATO SDP client as I dont have any site license.
