Recent Content
URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though! Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful. Thanks Nath based on your comment I have added following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic. https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374IPSEC with Azure Gateway
Issue:Intermittent IPSEC SA disconnects; Packet loss; TLSi disabled. Symptoms: Timeline shows 'unable to decrypt' packets intermittently; resulting in asymmetric traffic. TLS Inspection shows disabled intermittently on CMA events. Intermittently, session with a server / host behind IPSec Azure gateway lost. Correspondingly IPSec Timeline shows following in the logs Unable to decrypt packet - ignoring Error parsing or unsupported parameters in an incoming packet Environment: IPSec tunnel with Azure Gateway, GCM used as encryption and Phase 1 timers are such that Azure is the initiator for rekeying. The larger picture - While using GCM and IKE timers set to default / matching values [3600sec (p1) and 28800sec (p2)]. This issue is observed whenever the Azure gateway is the initiator of IKE Phase1 tunnel. Cato receives malformed packet from Azure that Cato is unable to decrypt. A corresponding message mentioned above is seen in the IPsec Timeline (Timeline message shown above). Refer to articles below on where to find timelines and pcaps in the CMA. Whenever you see similar symptom recommendation is to have P1 lifetime on Cato as default of 19800sec (5.5 hrs) i.e. lower than Azure default of 28800 sec (8 hrs). This will ensure that Cato is always the initiator of tunnel of P1 rekey. Another workaround is to use encryption algorithm other than GCM. Our IPSec has been implemented by some of our largest customers with 100+ sites across the global and proven to be compatible with industry standard SDWAN vendors. The issue is not seen with just the Cato as peer. From lab tests it was confirmed this behavior is same between with Juniper SRX or Fortinet as a peer device with Azure IPSec gateway. Cato maintains its own IPSEC suite built from scratch compliant with IKE standards. Reference articles- Did you know? - IPSEC Timelines and PCAP | Cato Connect https://support.catonetworks.com/hc/en-us/articles/4413280512785-Advanced-Configurations-for-a-Site https://support.catonetworks.com/hc/en-us/articles/4413273472145-Configuring-IPsec-IKEv1-Sites https://support.catonetworks.com/hc/en-us/articles/360001688857-Cato-IPsec-Guide-IKEv1-vs-IKEv2 https://support.catonetworks.com/hc/en-us/articles/16203875505565-IPsec-Site-Connectivity-Troubleshooting https://support.catonetworks.com/hc/en-us/articles/11013259398301-Troubleshooting-IPsec-ConnectivityDid you know? - IPSEC Timelines and PCAP
Unlike most other competitors we have this awesome tool available from CMA - With other vendors you would to login to a CLI shell, elevate and run some intrusive tcpdumps. It makes IPsec troubleshooting far easier. PCAPs and Timelines are available in the CMA next to the IPSEC configuration page. Networks > Sites > IPSec > PrimaryHow to Uninstall Windows Cato SDP Client Remotely?
Use case: Although manual uninstall may not be required frequently, there may be instance where you have a user with corrupt installation and you must uninstall remotely. Another typical use case I cam across recently - your company self service portal (e.g. Intune or Kandji) has a different version than what is installed on the user device and now you want to downgrade the client. In order to downgrade you will need to uninstall the existing installation first. You can do this using a simple command. Prerequisite: Admin privilege on the system How To? Launch command prompt using privileged mode (run as admin) and then issue following command [screenshot example on Windows 11 attached] or simply execute this command remotely to the system: \Windows\System32\wmic product where name=“Cato Client" call uninstall Corrupt installation that persists after boot? From time to time support may advise doing a clean install. Here is what you would do for a more elaborate clean removal of the SDP client for reinstall- Uninstall CATO Client by following the Article How To Uninstall the Windows Client, when uninstalling the CATO Client, kindly delete the cache contents located at "C:\Users\User\AppData\Local\CatoNetworks\Cache" Go to Control Panel > Network and Internet -> Network Connections Ensure that all CATO Adapters and Local Area Connection adapter ( WinTun Userspace Adater) have been removed, if they still exist, manually delete them (disabling them alone will not help).Minimize the Windows ZTNA client when it starts
Have you ever wanted to minimize the windows ZTNA client when it start up? Just add a registry key under: Path: HKEY_CURRENT_USER\Software\CatoNetworksVPN Key: start_minimized Value: 1 (DWORD) Restart the service CatoNetworksVPNService and the setting will be applied. That's it! Enjoy!The power of Smart SASE - Cato Remote Port Forwarding
Overview If I interpret the latest comments on SSE Gartner MQ '25, SASE is going to devour the SSE soon. Use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA or steering hooks. Let alone the publishers that are required to be hosted and maintained by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet with following quick 3 steps. How? Quick and easy 3 steps: Check how many public IP’s you are licensed for Account > License > IP's Assign an IP from the available Cato Public IP’s for your preferred location Network > Network Configuration > IP Allocation Create RPF rule using the IP you allocated in last step Security> Firewall > Remote Port Forwarding The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature but it works based on my testing. Question before you consider this option: Wouldn't you rather use WAN firewall rules though to control the same though instead of having the internal users to access this resource using public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites. Best Practices around RPF Like what uncle Ben or Voltaire would warn, 'with power comes a great responsibility' Note that there are 10K sessions allowed per RPF. If you have a high volume use case use a load balancer behind RPF to front end the servers Tightly control the rule by limiting access to source IP’s. If you see exclamation mark like the one in the first rule in the screenshot, take an action! Host your critical servers behind DDoS/WAF protection if you must allow 0/0. RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic using an Internet Type Network rule with higher priority, P8 for example) References https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-TrafficHey Siri.... Find me these Cato events....... AI Powered Natural Language Search.
Imagine as a SASE admin (already busy hunting critical threats and protecting your org from on-prem and cloud threats) how much you would hate if you have to write complex queries for simple searches? No one more Yet another query language please! But this is how our competitors did it by making you learn their syntax and their version of Regex to find events. For a simple search to find all traffic to 'google' and 'microsoft' or all phishing URLs why does it have to be so difficult? We took a radically innovative approach to finding results- very close to Apple's 'Hey Siri'! We have now made it even better with our innovative AI powered Natural Language Search feature. Simply click the magnifying glass on far right and write your queries in your own words. Sure you can use our filters and presets (check out my previous article on custom presets) but cool yeh? Where: Event Monitoring > Far right magnifying glass (note the far right magnifying glass icon in the screenshot on the top) NLS ability is now extended to Audit Logs as well! [If it isn't already, contact your Cato Networks representative if you would like this feature enabled in your account] Key Features of AI powered NLS: Uses everyday language to find relevant data Translates natural language queries into specific filters Automatically formats table results to show relevant columns Example Queries Show me all RDP blocked traffic Show me all DNS traffic Show me Internet firewall security events from phishing category URLs Show recent security incidents and alerts related to application vulnerabilities Show me security alerts where data was sent from computer 10.0.0.1 to 10.0.0.2 Power of Cato powered networks! Explore more: https://support.catonetworks.com/hc/en-us/articles/21585563225757-Filtering-Events-with-Natural-Language-Search PS: 'Hey Siri' or other products mentioned here are trademarks of Apple or their respective vendors.Can't Export Dashboards?... Export button grayed out?
Issue: -I have editor permission under Networks and Access rows, yet I can’t export the sites or SDP users into CSV. -Export button is grayed out. Background: Cato CMA (Cato Management Application) has extensive RBAC (role-based access control) permissions. Since we introduced RBAC set of permissions have continued to be more granular in terms of what the admins can limit under various sections of the CMA. Some of the permissions may have evolved. This is one I ran into most recently that I thought would be worth sharing. How to: If you are running into this issue enable the Edit permissions under the Monitoring for the element tied to the dashboard you are trying to export. E.g. SDP User dashboard Where? Administration > Roles & PermissionsSimplifying TLS Inspection with Cato's ML-driven Wizard
You made the first step, this is THE place to learn more, get your questions answered and share your experiences with other Cato customers. Our TLS Wizard is designed with a clear purpose: intelligently determine which traffic to bypass and which to inspect, giving you immediate visibility into the most-commonly used applications and websites in your network. We leverage real-world customer traffic insights to identify which traffic works well with TLS inspection and which might be problematic. What Traffic Should Not Be Inspected? Four types of traffic should typically bypass TLS inspection: Certificate Pinned Applications - These applications require specific certificates and will fail when inspected. Cato automatically bypasses known problematic OS, applications and URLs using our default bypass rule — without requiring the Wizard! Embedded OS Devices - IoT devices like printers, cameras, and smart TVs don't support certificate installation and won't work with TLS inspection. Sensitive Categories - While Cato never stores payload data, bypassing health, medical, and financial categories helps ensure privacy and compliance. Traffic originating from Guest networks (or other devices that do not have the Cato certificate installed) – typically it’s not possible to inspect traffic from guest devices as they will not have the Cato certificate installed and will therefore generate an error if inspected. The TLS Wizard adds bypass rules for embedded OS and sensitive categories automatically. The bypass of guest networks will need to be created manually as this is not a generic rule that applies to all customers. What Traffic Should Be Inspected? The Wizard recommends inspecting these five categories: General, Business Information, Computers and Technology categories Popular cloud applications Cato-recommended domains (approximately 6,000 domains verified to work with TLS inspection) Malicious and suspicious categories Uncategorized and undefined categories Remember, these are suggestions that you can customise during setup. You might want to start by testing with specific users or groups. Best Practice for the Default Inspection rule To prevent unexpected traffic inspection, we recommend configuring your default TLS inspection rule to bypass. After running the Wizard, you'll be: Bypassing known problematic sources and destinations Inspecting known-good, high-value destinations Bypassing everything else by default You can customise and expand upon this foundation later, we recommend adding the bypass for the guest networks in the appropriate section of the TLS inspection policy as a starting point. See the TLS Wizard in Action: Watch the demonstration - https://www.youtube.com/watch?v=zYVoxHA09NY&t=14s Visit our Knowledge base article Have questions? Use the "comment" option at the bottom of this page. We're monitoring closely and ready to assist you on your journey
