Recent Content
Certificate File Manipulation using OpenSSL
Use case: I have a TLS bypass rule for a domain that I would like removed. I added this rule because the certificate is not trusted. Now I need to grab certificate details. I have a certificate that appears to be missing from the Cato TLS store. I want to report the same to Cato Support. However, I have a p7b file, which only works on Windows. How do I convert it to a regular certificate and just share it with support?

Prerequisites: A system with OpenSSL installed. If you are using a MacBook, install Homebrew and update the OpenSSL libraries to the latest version [version as of writing this article - 3.6.0].

    xyz@MacBook1 ~ % /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    xyz@MacBook1 ~ % brew update
    xyz@MacBook1 ~ % brew install openssl@3
    xyz@MacBook1 ~ % openssl version

Solution: If you have a pem file which can be opened in a text editor and it shows BEGIN and END lines with hashes, skip to the final step #3.

Procedure:

- Save the p7b file in a folder and run the following openssl pkcs7 command from that folder:
  "openssl pkcs7 -inform DER -in input_file.p7b -print_certs -out output_file.pem"
- Once it is converted, open the cdrts.pem file in a text editor. Individually copy the text from the BEGIN to END values and save them in separate files with the .pem extension.
- Further, use the following openssl command to fetch the SN# and SHA256 fingerprint against each file:
  "openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256"

Sample conversion using the above method:

    xyz@Linux-Host1 % openssl pkcs7 -inform DER -in corphqglobal.p7b -print_certs -out cdrts.pem
    xyz@Linux-Host1 % openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256 -dates -subject

Other alternate solutions:

- Although clumsy and not easy to copy paste just the SN or hash, you can use an internet browser such as Google Chrome to view certificate details from the "view site info" icon (or a padlock icon on other browsers) next to the browser address bar.
- Use ChatGPT or Copilot and upload the p7b file there. I have tried it, but I did not get the right SN 100% of the time. I would encourage verifying the results with step 4 above. Be careful not to upload any private keys to online AI tools.

68 Views, 1 like, 0 Comments

Multiple events are getting as a single log while pulling the events from the CATO using the API
Hi Team,

We are using the cato-toolbox and using the cloud RIN, we are fetching the events from the CATO SASE.

https://github.com/catonetworks/cato-toolbox/tree/main/eventsfeed

With this help we are pulling the events from the CATO using the API and forwarding the events to the HUB Server over the specific port. But when we are pulling it was giving multiple events as a single log. As per our SIEM vendor, they cannot split the event log. So can you please let us know if this can be fixed from your side?

50 Views, 1 like, 4 Comments

Cato Client - manual PoP addressing
Has anyone tried scripting to change the manual PoP location, so the user can run the script and it will change their client manual PoP address to a specific location? Not sure where this detail is stored on Windows for the client, regkey or config file? Even a Cato CLI client with a switch to set it? I tried using FQDNs as the PoP name and having it resolve to a PoP IP in the hosts file, then using a script to change the hosts file entry to the desired PoP IP.... but the client can't use FQDNs as the PoP to connect to :D

205 Views, 0 likes, 12 Comments

Are Clients connecting to PoPs in China and Vietnam still limited to 20Mbps maximum throughput?
Cato KB "Supported Throughput for Cato SDP Clients" states that remote client users connecting to PoPs in China and Vietnam are limited to 20Mbps maximum throughput. Is this still the case? If so, why? Are there plans for this restriction to be lifted in the roadmap? This is a recurring question for customers with distributed footprint across China and Vietnam.

38 Views, 0 likes, 0 Comments

Always on VPN and troubleshooting connectivity issues
Hi,

I wanted to check if anyone else has experienced issues with the users enabled for Always On when their SDP client cannot connect. Occasionally we see clients cannot connect, showing different errors, like username not recognized, cannot connect, etc. The problem is that our Zoho Assist remote management software is not available if the user laptop is not connected to the Internet, which it is not when using Always On. How do you guys provide support in this scenario?

What we usually do is first disable the Always On policy for that user and then re-install the Cato client using either a local admin or service desk user account. The problem is that we need to change the passwords to those accounts after giving them out to the user by phone. Basically we just need Zoho Assist client traffic to bypass the Cato tunnel; we will be testing the split tunnel feature and adding Zoho IPs to bypass.

Curious to hear your thoughts. Thanks!

681 Views, 1 like, 6 Comments

Cato Deployment Scenario
I am trying to find documentation in the Cato portal regarding different methods of deployment and their drawbacks. For example, if I want to set up X1500 sockets in two separate buildings and achieve HA, what are the pluses and minuses of this setup? In case of loss of connectivity between buildings, how does each socket operate now that they are no longer in a pair? This is the information I want to find in the portal, but I am not having any luck.

39 Views, 0 likes, 1 Comment
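
Added example, not part of any post above: the procedure from "Certificate File Manipulation using OpenSSL" scripted end to end, so every certificate in the p7b gets its own .pem file and its own serial and SHA-256 fingerprint without copying BEGIN/END blocks by hand. The function names, output file names and the constructed two-certificate sample bundle are assumptions for illustration.

```shell
# Added example: per-certificate serial and SHA-256 fingerprint from a p7b.
# Function names, file names and the sample bundle are assumptions.

# p7b_to_pem IN.p7b OUT.pem -- the conversion command used in the post.
p7b_to_pem() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# split_pem BUNDLE.pem OUTDIR -- write each BEGIN..END block to
# OUTDIR/cert-N.pem and print how many certificates were found.
split_pem() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# cert_details FILE.pem -- the x509 query from the post's sample run.
cert_details() {
    openssl x509 -in "$1" -noout -serial -fingerprint -sha256 -dates -subject
}

# report_p7b IN.p7b WORKDIR -- whole procedure, one block of output per cert.
report_p7b() {
    mkdir -p "$2" || return 1
    p7b_to_pem "$1" "$2/bundle.pem" || return 1
    count=$(split_pem "$2/bundle.pem" "$2/certs") || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== cert-$i.pem"
        cert_details "$2/certs/cert-$i.pem" || return 1
        i=$((i + 1))
    done
}

# make_sample_p7b DIR -- constructed input: two throwaway self-signed
# certificates packed into DIR/sample.p7b; their private keys are deleted.
make_sample_p7b() {
    for cn in sample-root sample-leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$1/$cn.key" -out "$1/$cn.pem" 2>/dev/null || return 1
        rm -f "$1/$cn.key"
    done
    cat "$1/sample-root.pem" "$1/sample-leaf.pem" > "$1/all.pem"
    openssl crl2pkcs7 -nocrl -certfile "$1/all.pem" -outform DER -out "$1/sample.p7b"
}
```

Source the file and run `report_p7b corphqglobal.p7b ./work`; identify each certificate by its subject line rather than by its index in the bundle.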