Recent Discussions
HTTP/2 and /3
When using CATO and navigating the internet through a browser, does CATO support protocols above HTTP1. (HTTP/2 and HTTP/3)? A website a user is trying to use only supports these new protocols, and so when connected to the network it shows him in a slowdown mode I have included the site for reference with a support page for this issue https://www.sanity.io/docs/help/http1-performance-issues
LDAP Integration – Is Password from AD or Local SDP?
Hi, In a setup where LDAP (Active Directory) is configured in Cato for user provisioning only, and no SSO is in place: - Is LDAP also used implicitly for authentication (LDAP bind)? - Or is authentication handled locally by Cato (separate SDP credentials)? There doesn’t seem to be a clear setting indicating LDAP auth vs provisioning-only. Would like to confirm the expected login behavior. Thanks.
IP Containers in Firewall Rule
Acording to the KB, "The Internet firewall inspects traffic between the WAN and the Internet and lets you create rules to control this traffic." Dumb question but then is the firewall one directional? WAN to Internet? I ask because other firewalls have rules/policies that are bi-directional. When I tried to create an Internet firewall rule in CATO and tried to select an IP Container (bad source IP's) it did not have an option, which indicates to me that the Internet Firewall rules are WAN to Internet only. In that case how do I apply an IP Container to block for inbound traffic from the Internet?DNS Forwarding When Overriding Account-Level DNS Settings
Since I cannot leave comments on the KB, I am writing this down for others who may face the same issue. https://support.catonetworks.com/hc/en-us/articles/12710391725981-Centralized-Management-of-SDP-User-DNS-Settings-with-the-DNS-Settings-Policy#UUID-13385199-3a2b-70d3-5da2-ea4ebb98e5dd The article lists the following under Known Limitations: DNS Forwarding is not supported if you override Account Level DNS settings. This known limitation applies when using an untrusted DNS server. If you use a trusted DNS server (such as 8.8.8.8), DNS Forwarding can still be used even when overriding the account‑level settings.Block access to local/home network for Cato Client – force all traffic through Cato tunnel
Hi everyone, we are using the Cato Client (Windows/macOS) for remote users and would like to fully block access to the local/home network when the client is connected. Goal: No access to local LAN subnets (e.g. 192.168.0.0/16, 10.0.0.0/8, printers, NAS, routers, IoT, etc.) No split tunneling or local breakout All traffic should be forced through the Cato tunnel We checked the following areas but could not find a clear way to block local LAN access on the endpoint: Client Connectivity Policy Network Rules Internet / WAN / LAN Firewall Questions: Is it possible to block local/home network access for Cato Clients purely within Cato (endpoint-based), so that local LAN traffic is not reachable at all? If yes: which policy / feature is required (e.g. Client Advanced Controls, specific license, feature flag)? If no: is the recommended approach to enforce this via endpoint controls (e.g. OS firewall / MDM) in combination with Always-On and no split tunneling? Any guidance or best practice from real-world deployments would be highly appreciated. Thanks in advance!
SDP Users - IPV6
Hi all, We have two users, both located in Germany at the moment for holidays, who can't connect using the Cato SDP client. They get an error about the Device Posture. However, when they switch to a mobile hotspot, it will connect fine, so it's not the device posture checks? The only thing I've noticed is that both clients are getting a IPV6 address from their broadband router. In the Cato Event log I can see their device IP is a 169.254.x.x address when they try and connect and are blocked. I just wanted to check if a IPV6 address could cause an issue like this or if there's some extra config we need to do.
User group specified reports
We need to schedule a daily report for users who log in from a specific user group. The report should capture all users who have logged in on a daily basis from the identified group. Kindly confirm the feasibility and share the steps or requirements to enable this reporting. Additionally, while exporting the overall users list, the respective user group details should also be included in the report. Kindly confirm the feasibility and share the required steps or prerequisites to enable this.Multiple events are getting as a single log while pulling the events from the CATO using the API
Hi Team, We are using the cato-toolbox and using the cloud RIN, we are fetching the events from the CATO SASE. https://github.com/catonetworks/cato-toolbox/tree/main/eventsfeed With this help we are pulling the events from the CATO using the API and forwarding the events to the HUB Server over the specific port. But when we are pulling it was giving multiple events as a single log. As per our SIEM vendor, they cannot split the event log. So can you please let us know if this can be fixed from your side?