Recent Content
Simplifying TLS Inspection with Cato's ML-driven Wizard
You made the first step, this is THE place to learn more, get your questions answered and share your experiences with other Cato customers.

Our TLS Wizard is designed with a clear purpose: intelligently determine which traffic to bypass and which to inspect, giving you immediate visibility into the most commonly used applications and websites in your network. We leverage real-world customer traffic insights to identify which traffic works well with TLS inspection and which might be problematic.

What Traffic Should Not Be Inspected?

Four types of traffic should typically bypass TLS inspection:

- Certificate Pinned Applications - These applications require specific certificates and will fail when inspected. Cato automatically bypasses known problematic OS, applications and URLs using our default bypass rule, without requiring the Wizard!
- Embedded OS Devices - IoT devices like printers, cameras, and smart TVs don't support certificate installation and won't work with TLS inspection.
- Sensitive Categories - While Cato never stores payload data, bypassing health, medical, and financial categories helps ensure privacy and compliance.
- Traffic originating from Guest networks (or other devices that do not have the Cato certificate installed) - typically it's not possible to inspect traffic from guest devices as they will not have the Cato certificate installed and will therefore generate an error if inspected.

The TLS Wizard adds bypass rules for embedded OS and sensitive categories automatically. The bypass of guest networks will need to be created manually as this is not a generic rule that applies to all customers.

What Traffic Should Be Inspected?

The Wizard recommends inspecting these five categories:

- General, Business Information, Computers and Technology categories
- Popular cloud applications
- Cato-recommended domains (approximately 6,000 domains verified to work with TLS inspection)
- Malicious and suspicious categories
- Uncategorized and undefined categories

Remember, these are suggestions that you can customise during setup. You might want to start by testing with specific users or groups.

Best Practice for the Default Inspection rule

To prevent unexpected traffic inspection, we recommend configuring your default TLS inspection rule to bypass. After running the Wizard, you'll be:

- Bypassing known problematic sources and destinations
- Inspecting known-good, high-value destinations
- Bypassing everything else by default

You can customise and expand upon this foundation later; we recommend adding the bypass for the guest networks in the appropriate section of the TLS inspection policy as a starting point.

See the TLS Wizard in Action:

Watch the demonstration - https://www.youtube.com/watch?v=zYVoxHA09NY&t=14s
Visit our Knowledge base article

Have questions? Use the "comment" option at the bottom of this page. We're monitoring closely and ready to assist you on your journey.

Hey Siri.... Find me these Cato events
Imagine as a SASE admin (already busy hunting critical threats and protecting your org from on-prem and cloud threats) how much you would hate having to write complex queries for simple searches? No, not one more "Yet another query language", please! But this is how our competitors did it, by making you learn their syntax and their version of Regex to find events. For a simple search to find all traffic to 'google' and 'microsoft' or all phishing URLs, why does it have to be so difficult?

We took a radically innovative approach to finding results. Very close to Apple's 'Hey Siri'! Sure you can use our filters and presets (check out my previous article on custom presets). We have now made it even better with our innovative AI powered Natural Language Search feature. Simply click the magnifying glass on the far right and write your queries in your own words.

How to: Event Monitoring > Far right magnifying glass (note the far right icon in the screenshot next to #1)

NLS ability will be extended to Audit Logs as well! This feature is currently in beta. [Contact your Cato Networks representative if you would like this feature enabled in your account]

Key Features:
- Uses everyday language to find relevant data
- Translates natural language queries into specific filters
- Automatically formats table results to show relevant columns

Example Queries:
- Show me all RDP blocked traffic
- Show me all DNS traffic
- Show me Internet firewall security events from phishing category URLs
- Show recent security incidents and alerts related to application vulnerabilities
- Show me security alerts where data was sent from computer 10.0.0.1 to 10.0.0.2

Power of Cato powered networks!

Explore more: https://support.catonetworks.com/hc/en-us/articles/21585563225757-Filtering-Events-with-Natural-Language-Search

Can't Export Dashboards?... Export button grayed out?
Issue:
- I have editor permission under the Networks and Access tabs, still I can't export the sites or SDP users.
- Export button is grayed out

Background: Cato CMA (Cato Management Application) has extensive RBAC (role-based access control) permissions. Since we introduced RBAC, the set of permissions has continued to become more granular in terms of what the admins can limit under various sections of the CMA. Some of the permissions may have evolved. This is one I ran into most recently that I thought would be worth sharing.

How to: If you are running into this issue, enable the Edit permissions under Monitoring Administration > Roles & Permissions.

Enhanced Block / Warning Message - Event Reference ID
Last week a very powerful troubleshooting and event monitoring feature, "Event Reference ID", was introduced. It will make troubleshooting easier for the admins. Now you can customize the block and warning page to display an external event ID that a user will see in the browser. You can use this to further correlate the event in the CMA using the Event Reference ID: https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page#heading-3

How to enable this feature? Enable this for the Warning and Block page separately: CMA > Administration > Branding > Warning / Block Page

How to correlate using the Event Reference ID?
- From CMA > Event Monitoring you can use this reference ID to pivot directly to the event.

Blocking TLD (Top Level Domain) or a Specific Country
Use Case 1 - How do I block traffic to all *.info websites using TLD?
Use Case 2 - How do I block traffic to and from a country?

> IPS > Geo

Cato has a very powerful IPS feature to block both inbound and outbound traffic to a specific country, which some of our competitors can't do. They usually will only block outbound traffic to a country based on their (obsolete) web proxy feature. Cato can do both directions! True power of UZTNA vs the rudimentary ZTNA solutions out there.

How?
- CMA > Security > IPS > Geo
- Internet rule > category country > Congo
- Internet rule > Category > domain > "cg"

Use case 1: Cato makes blocking a top level domain as easy as creating an Internet rule with category domain and specifying e.g. "info" as the domain (yes, even the TLD). Subdomains are blocked automatically without specifying the wildcard character.

Use case 2: Now you would think if I create an Internet rule with "cg" it will block all traffic to Congo? Yes, that works too. Some of our competitors today can't block TLDs (top level domains). This method though only prevents outbound traffic to that TLD (destination country). Going one level further, if your use case is to block all traffic to a country, you don't just want to rely on a SWG (RIP the Secure Web Gateway) rule like the above. Cato has a very powerful Geo-IP feature that works at the firewall rule level for both inbound and outbound (see the screenshot on the top)!

In summary, here are 3 ways to do this:
- Security > IPS > Geo Restriction > Select the country and the direction. Refer to the top screenshot, we have bi-directional support (Cato Differentiator)
- Internet rule > category country > Congo (SWG / Proxy)
- Internet rule > Category > domain > "cg" (TLD - Cato Differentiator)

Supporting articles: https://support.catonetworks.com/hc/en-us/articles/360012276478-Configuring-IPS-and-Geo-Restriction

Note:
- Most companies follow their corporate policies or some regulations / embargo in effect to maintain a list of countries to block
- Make sure you have no users / partners / businesses in the destination country before you put a blanket block
- While this is as foolproof as it can get there is a gotcha: what happens if the site is using an Anycast service or a CDN service hosted outside the country?
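As an added illustration of the two use cases in the TLD / country blocking post above (example code written for this page, not Cato's own matching logic, whose internals the post does not describe): a label-aware domain/TLD matcher plus a toy geo-IP lookup over a constructed table. It shows why a domain rule for "info" or "cg" has to match on whole DNS labels (so "xinfo.com" is not caught by "info"), and why the domain rule and the geo restriction catch different flows in the Anycast/CDN case the note warns about. The geo table (RFC 5737 documentation ranges), the country assignments and the policy lists are constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set

# Constructed sample geo-IP table using RFC 5737 documentation ranges;
# a real deployment would use a geo-IP feed. Values are ISO country codes.
SAMPLE_GEO_TABLE: Dict[str, str] = {
    "203.0.113.0/24": "CG",   # assumption: pretend this range is in Congo
    "198.51.100.0/24": "US",  # assumption: pretend this is a CDN edge abroad
}

# Hypothetical policy mirroring the post: domain rules for "info" and "cg",
# and a geo restriction on Congo.
BLOCKED_DOMAINS = ["info", "cg"]
BLOCKED_COUNTRIES: Set[str] = {"CG"}


def normalize(name: str) -> str:
    """Lower-case a host/rule, drop whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def domain_matches(rule: str, host: str) -> bool:
    """True if host equals rule or is a subdomain of it.

    Matching is done on whole DNS labels, so the rule "info" covers
    "example.info" and "mail.example.info" but never "xinfo.com";
    a plain substring or suffix check would get that wrong.
    """
    r, h = normalize(rule), normalize(host)
    if not r or not h:
        return False
    return h == r or h.endswith("." + r)


def first_matching_rule(rules: Iterable[str], host: str) -> Optional[str]:
    """Return the first domain rule covering host, or None (first match wins)."""
    for rule in rules:
        if domain_matches(rule, host):
            return rule
    return None


def destination_country(ip: str,
                        table: Dict[str, str] = SAMPLE_GEO_TABLE) -> Optional[str]:
    """Look up the country code for an IP in the (constructed) geo table."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in table.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def decide(host: str, ip: str,
           domain_rules: Iterable[str] = BLOCKED_DOMAINS,
           countries: Set[str] = BLOCKED_COUNTRIES,
           table: Dict[str, str] = SAMPLE_GEO_TABLE) -> Dict[str, Optional[str]]:
    """Report which rule kind, if any, would block an outbound flow to host/ip.

    'domain' is the domain rule that matched (or None); 'geo' is the
    destination country if it is on the restricted list (or None).
    """
    cc = destination_country(ip, table)
    return {
        "domain": first_matching_rule(domain_rules, host),
        "geo": cc if cc in countries else None,
    }


if __name__ == "__main__":
    # Constructed flows illustrating the gap between the two rule kinds.
    flows = [
        ("example.info", "198.51.100.7"),     # .info TLD: domain rule fires
        ("xinfo.com", "198.51.100.8"),        # not .info: nothing fires
        ("shop.example.cg", "198.51.100.9"),  # .cg site on a CDN abroad: domain rule only
        ("cdn.example.com", "203.0.113.9"),   # .com site hosted in CG: geo rule only
    ]
    for host, ip in flows:
        print(f"{host:18} {ip:15} -> {decide(host, ip)}")
```

The last two constructed flows are the point: a .cg site fronted by a CDN outside the country is stopped only by the domain rule, while a .com site that happens to be hosted in the restricted country is stopped only by the geo restriction, which is why the post recommends the IPS Geo Restriction on top of the Internet rule rather than instead of it.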
What's New at Cato this week?

“Hey Robin! What’s new at Cato Networks this week?” I hear you ask. Well, you could read the release notes, but here are the key points in under a minute 😀

Let me know if you like this type of video with a reaction, repost or comment. If you think it’s worthwhile, I’ll turn it into a weekly series. Bonus points if you can guess where in the world this was recorded…

Read this week’s full release notes here.