Recent Discussions
Internet Network Rules - No Option for IP Address
Hi, I’m seeking advice on how to set up a rule in the Network Rules section to allow traffic to egress to a specific destination public IP address on the Internet. When I choose Rule Type as Internet, I don’t see an option to define an IP address in the App/Category field. Do I need to use the Custom Service IP option for this? If so, could you share an example configuration?Azure Virtual Desktop - Always on policy
Hello! What is best practise for implementing the always on policy for Windows 11 VMs (hybrid domain joined). At the moment if a user session expires the Cato tunnel seems to break. The AVD shows as unavailable in Azure and the user is no longer able to login. Only workaround so far is using the serial console to disable the Cato network adapter or uninstall Cato altogether. Is there a way for the session to still expire while making the domain and other prerequisite AVD features still accessible? Thanks!
Anti-Tampering Query- Auto upgrade of client version
In the EA documentation , it is written that :- As part of the Anti-Tampering protections, when Anti-Tampering is enabled, by design, the Client can't be upgraded. To enable an upgrade either manually or using an MDM, there is a specific bypass code that is not connected to disabling Anti-Tampering for the configured duration. My query is as below:- If my policy in client rollout is set as "Automatic by Cato", will the client version get updated or not. If not, then will this create issue in upgrading the version to get benefit and manual upgrade is time consuming
Visual Bugs in the UI?
Anyone else struggling with visual bugs in the UI? Created Internet FW rules for our VoIP solution to cover softphones on the LAN and hard phones on designated VoIP VLANs. I also created a VLAN supernet to make rule creation easier. My conundrum is visually the LAN and VLAN20 appear as LAN in the rule. Additionally, I have a rule further downstream that blocks any other traffic on VLAN20 that doesn't match an upstream rule -- same visual bug. Anyone else experiencing this?Azure Virtual Desktop Session Host Routing
Hi, has anyone ever set up a route table on Azure so that the route to Microsoft Login subnets goes out through Cato? When we tried doing this, to make sure our AVD users are protected by Cato, users stopped being able to connect to session hosts through the AVD FQDN (broker). I suspect that its either TLS Inspection being enabled for Microsoft Login app (has never been an issue for our laptop users), or that AVD brokering system needs Microsoft Login traffic to go through the internet instead of a private route for some reason.Potential for abuse of the password reset link with https://cc2.catonetworks.com/forgotAdminPassword
Hi, This is Cato Lab from South Korea. Our customer raised a question. Is there any way to prevent malicious actors from repeatedly entering an email address to trigger password reset emails, potentially spamming or annoying administrators? Their concern is that someone could misuse the reset link mechanism to repeatedly send reset emails, causing inconvenience to the administrators or account owners. Does Cato have any existing protections or recommended best practices to mitigate this type of abuse? It will be really helpful if you guys know any type of protection behavior for administrators regarding using this webpage. Thanks, Best Regards, Cato Lab.
Defender for Identity - VPN Integration
Hi, We frequently get false positives from Microsoft Defender for Identity because it's unable to map the IP address Cato assigns a remote user with their laptop hostname. I guess our on prem Microsoft sensors are unaware of the Cato client range. I think the only way to fix it is to send RADIUS accounting events from Cato to the Microsoft sensor, but I don't think this can be done? https://learn.microsoft.com/en-us/defender-for-identity/vpn-integrationDisabling Connect On Boot for external user
Hi, we have activated the "Always On" policy for our users and an "on demand" rule for our external service providers. To ensure that always on is applied for our users, we have checked the "connect on boot" option, but unfortunately this option also applies to external service providers. Can our service providers override this option (registry key?) so that the CATO client doesn't launch at startup? (when I asked the CATO AI, it mentioned a key, but it doesn't seem to work). I can't see specfic configuration in user profile to override this nether. Any idea ? Thanks ! Regards
