Recent Content
Block access to local/home network for Cato Client – force all traffic through Cato tunnel
Hi everyone, we are using the Cato Client (Windows/macOS) for remote users and would like to fully block access to the local/home network when the client is connected.

Goal:
- No access to local LAN subnets (e.g. 192.168.0.0/16, 10.0.0.0/8, printers, NAS, routers, IoT, etc.)
- No split tunneling or local breakout
- All traffic should be forced through the Cato tunnel

We checked the following areas but could not find a clear way to block local LAN access on the endpoint:
- Client Connectivity Policy
- Network Rules
- Internet / WAN / LAN Firewall

Questions:
- Is it possible to block local/home network access for Cato Clients purely within Cato (endpoint-based), so that local LAN traffic is not reachable at all?
- If yes: which policy / feature is required (e.g. Client Advanced Controls, specific license, feature flag)?
- If no: is the recommended approach to enforce this via endpoint controls (e.g. OS firewall / MDM) in combination with Always-On and no split tunneling?

Any guidance or best practice from real-world deployments would be highly appreciated. Thanks in advance!
7 Views, 0 likes, 2 Comments

DNS Forwarding When Overriding Account-Level DNS Settings
Since I cannot leave comments on the KB, I am writing this down for others who may face the same issue.

https://support.catonetworks.com/hc/en-us/articles/12710391725981-Centralized-Management-of-SDP-User-DNS-Settings-with-the-DNS-Settings-Policy#UUID-13385199-3a2b-70d3-5da2-ea4ebb98e5dd

The article lists the following under Known Limitations: DNS Forwarding is not supported if you override Account Level DNS settings.

This known limitation applies when using an untrusted DNS server. If you use a trusted DNS server (such as 8.8.8.8), DNS Forwarding can still be used even when overriding the account-level settings.
5 Views, 0 likes, 0 Comments

DNS Forwarding off Private Access
I'm trying to find a way to fix an issue we have related to DNS forwarding and Windows Active Directory. We have internal DNS servers on the AD DCs and Cato set up to do DNS forwarding. This works fine when the DCs are contactable, but when they aren't (but DNS still resolves) then we get quite a lot of lag on the Windows clients.

When clients are away from the office and Secure Private access is disconnected, we see some slow behaviour with the Windows client, e.g. when unlocking the screen or entering the wrong password. This seems to be related to the client trying to contact the domain controller and waiting for a timeout (the DC is unreachable because private access is disconnected). I've captured the traffic using Wireshark on the client laptop and it's sending the traffic to the CatoNetworks interface, but I can't see the traffic in the Cato cloud to allow me to manage this traffic.

I can't remove the DNS forwarding because we need it when the private access is connected and for office users, but I need to stop Windows thinking the domain is accessible when it is not! Anyone seen this behaviour before or know a way to resolve it?
Solved, 81 Views, 0 likes, 4 Comments

SDP Users - IPV6
Hi all, we have two users, both located in Germany at the moment for holidays, who can't connect using the Cato SDP client. They get an error about the Device Posture. However, when they switch to a mobile hotspot, it will connect fine, so it's not the device posture checks? The only thing I've noticed is that both clients are getting an IPv6 address from their broadband router. In the Cato Event log I can see their device IP is a 169.254.x.x address when they try to connect and are blocked. I just wanted to check if an IPv6 address could cause an issue like this or if there's some extra config we need to do.
50 Views, 0 likes, 1 Comment

Degraded Sockets in High Availability
I have multiple customers that have an LTE SIM card just for the main socket. This will have the sockets identify asymmetric WAN connections, causing the DEGRADED alert. What can I do to disable the DEGRADED alarm from the site? Could it be possible to disable the interfaces so the asymmetric connections don't show as alarmed?
52 Views, 1 like, 1 Comment

User group specified reports
We need to schedule a daily report for users who log in from a specific user group. The report should capture all users who have logged in on a daily basis from the identified group. Kindly confirm the feasibility and share the steps or requirements to enable this reporting.

Additionally, while exporting the overall users list, the respective user group details should also be included in the report. Kindly confirm the feasibility and share the required steps or prerequisites to enable this.
35 Views, 0 likes, 1 Comment

Multiple events are getting as a single log while pulling the events from the CATO using the API
Hi Team, we are using the cato-toolbox and, using the cloud RIN, we are fetching the events from the CATO SASE. https://github.com/catonetworks/cato-toolbox/tree/main/eventsfeed

With this help we are pulling the events from the CATO using the API and forwarding the events to the HUB Server over the specific port. But when we are pulling, it was giving multiple events as a single log. As per our SIEM vendor, they cannot split the event log. So can you please let us know if this can be fixed from your side?
79 Views, 1 like, 4 Comments

Cato Client - manual PoP addressing
Has anyone tried scripting to change the manual PoP location, so the user can run the script and it will change their client manual PoP address to a specific location? Not sure where this detail is stored on Windows for the client, regkey or config file? Even a Cato CLI client with a switch to set it? I tried using FQDNs as the PoP name and having it resolve to a PoP IP in the hosts file, then using a script to change the hosts file entry to the desired PoP IP.... but the client can't use FQDNs as the PoP to connect to :D
267 Views, 0 likes, 12 Comments

Are Clients connecting to PoPs in China and Vietnam still limited to 20Mbps maximum throughput?
Cato KB "Supported Throughput for Cato SDP Clients" states that remote client users connecting to PoPs in China and Vietnam are limited to 20Mbps maximum throughput. Is this still the case? If so, why? Are there plans for this restriction to be lifted in the roadmap? This is a recurring question for customers with distributed footprint across China and Vietnam.
51 Views, 0 likes, 0 Comments