yumdarling
Community Manager
2 months ago

Recording: AMA with Professional Services - November 2025 Session 2

In our last AMA with our Professional Services team, we dove into two major topics: TLS Inspection and CASB/DLP. These features are critical for improving visibility, securing encrypted traffic, and protecting sensitive data. If you missed the session, don’t worry! We’ve summarized the key points and answered your most pressing questions below. (Slides from the presentation are attached for deeper detail.)

Presentation Highlights 

TLS Inspection 

  • Why it matters: Over 90% of internet traffic is encrypted, which is great for privacy but creates blind spots for threats like malware and phishing. 
  • Benefits: Organizations enabling TLS inspection block 52% more malicious traffic. 
  • Challenges: Complexity, operational burden, and compliance concerns often slow adoption. 
  • Cato’s approach: Cloud-native TLS inspection with Safe Mode simplifies rollout, minimizes disruption, and includes automatic bypass lists for problematic apps. 
  • Best practices: Block QUIC/GQUIC, manage bypass lists, and roll out gradually in phases. 

CASB & DLP 

  • Purpose: Protect sensitive data, ensure compliance, and gain visibility into SaaS usage. 
  • CASB: Focuses on application control—monitoring activities like uploads/downloads and enforcing granular policies. 
  • DLP: Adds content inspection to prevent data leaks based on patterns, sensitivity labels, or custom rules. 
  • Implementation: Start with monitoring, then enforce policies gradually. TLS inspection is a prerequisite for both. 

Q&A Highlights 

Q1: Is TLS Inspection becoming more popular? 

Yes! Adoption has improved significantly since the introduction of Safe TLS Mode, which uses a wizard to simplify configuration and automatically applies recommended bypasses. This reduces the risk of breaking apps and makes rollout less intimidating.

Q2: What about mobile apps using QUIC? 

QUIC-based apps (e.g., WhatsApp, Jira) can pose challenges. Recommendations include: 

  • Verify automatic bypass settings for native apps. 
  • Block QUIC/GQUIC to force fallback to TCP for inspection. 
  • Apply exceptions only when necessary. 

Q3: Will users get notified when DLP blocks an action? 

Currently, notifications are basic, but enhancements are planned. Soon, users will see alerts like “Action blocked due to company policy” via the client, with more detailed CMA alerts coming later. 

Q4: Can we filter CASB activities like upload/download? 

Yes! The Cloud Activity Dashboard shows top activities and allows filtering by action (e.g., upload). You can also drill down into events for detailed visibility. 

Q5: Is AWS GovCloud supported for log integration? 

Not at this time. The current integration works with standard AWS S3 buckets. GovCloud support is a common request and may be addressed in future updates. 

Q6: Any update on combining SDP and EPP into one app? 

It’s on the roadmap, but no detailed timeline yet. 

Q7: How to handle bandwidth spikes during patching? 

Use Bandwidth Management to map update traffic to a lower-priority queue, ensuring critical apps maintain performance during bursts. 

Thanks to everyone who joined and asked great questions! If you have ideas for more content that we can create that will be useful to you and your team, feel free to leave us a comment or email our community team at community@catonetworks.com.

Stay tuned for our next AMA in February :) Bring your questions and your favorite warm beverage!

 
