Recording: Ask Me Anything with Professional Services - March 2026
Professional Services AMA – March 2026
Thank you to everyone who joined our March AMA session! Below is a clean, easy‑to‑scan recap of every question asked, along with brief summaries of the answers shared during the call. If you’d like the full context, you can view the recording below.
IPsec & Tunnel Behavior
Are IPsec tunnels active‑active or active‑passive?
Cato uses active‑passive by default. Active‑active is available as an Early Access (EA) feature once it has been enabled for your account.
How do we identify the primary vs. secondary tunnel?
The IPsec site configuration labels them directly:
- Primary = active
- Secondary = standby
Can secondary tunnels load‑balance with primary?
No. Secondary tunnels do not participate in load‑sharing.
Can we configure active‑active instead of active‑passive?
Yes, but only via Early Access. Once enabled, it allows multiple active tunnels across the primary and secondary PoPs.
Logging, Packet Capture & Troubleshooting
Can we see packet counts like a firewall (sent/received)?
You can see traffic matching WAN firewall rules in the events, but a per‑tunnel sent/received packet breakdown is not available.
Can we capture tunnel traffic?
Not from the Cato Management Application (CMA). Support can perform captures on the backend.
Bandwidth, Utilization & Alerts
Is there an automated way to detect when a site hits max bandwidth?
Yes, by polling site metrics through the Cato API or through the MCP Server integrations, and comparing them against the site's licensed bandwidth yourself.
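As an added example (not Cato's code), the following script shows the detection logic you would run on top of the API: it takes per‑site throughput samples, converts them to utilization against each site's licensed bandwidth, and fires only when a site stays at or above a threshold for several consecutive samples, so a single burst does not page anyone. The API endpoint and `x-api-key` header in `fetch_metrics` are the public Cato GraphQL entry point; the query text, the field names, and the sample data are assumptions constructed for illustration and must be adapted to your account and schema version.

```python
"""Flag sites sustained at or near their licensed bandwidth.

Added example, not Cato's own code. The metric samples below are
constructed; in practice you would build them from the Cato GraphQL API
(or the MCP Server integration) on a schedule.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Iterable

CATO_GRAPHQL = "https://api.catonetworks.com/api/v1/graphql2"


@dataclass(frozen=True)
class Sample:
    site: str
    upstream_bps: float
    downstream_bps: float


@dataclass(frozen=True)
class Alert:
    site: str
    direction: str
    utilization: float


def fetch_metrics(api_key: str, query: str, variables: dict) -> dict:
    """POST a GraphQL query to the Cato API. The query/variables you pass
    (and how you map the response onto Sample) depend on the schema; that
    part is left to the caller and is not exercised offline."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        CATO_GRAPHQL, data=body,
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def utilization(bps: float, licensed_mbps: float) -> float:
    """Fraction of the licensed rate in use (1.0 == 100%)."""
    return bps / (licensed_mbps * 1_000_000)


def find_saturated_sites(samples: Iterable[Sample],
                         licensed_mbps: dict[str, float],
                         threshold: float = 0.9,
                         sustained: int = 3) -> list[Alert]:
    """Return one Alert per (site, direction) whose utilization stayed at
    or above `threshold` for `sustained` consecutive samples. Samples must
    be in time order; sites without a licensed figure are skipped."""
    streak: dict[tuple[str, str], int] = {}
    fired: set[tuple[str, str]] = set()
    alerts: list[Alert] = []
    for s in samples:
        cap = licensed_mbps.get(s.site)
        if cap is None:
            continue
        for direction, bps in (("upstream", s.upstream_bps),
                               ("downstream", s.downstream_bps)):
            key = (s.site, direction)
            util = utilization(bps, cap)
            if util >= threshold:
                streak[key] = streak.get(key, 0) + 1
            else:
                streak[key] = 0
                fired.discard(key)  # re-arm once the site recovers
            if streak[key] >= sustained and key not in fired:
                alerts.append(Alert(s.site, direction, round(util, 3)))
                fired.add(key)
    return alerts


# Constructed samples: branch-a is pinned at ~95-97% upstream for three
# polls; branch-b spikes once and recovers, so it must not alert.
CONSTRUCTED_SAMPLES = [
    Sample("branch-a", 95e6, 40e6),
    Sample("branch-b", 99e6, 10e6),
    Sample("branch-a", 96e6, 40e6),
    Sample("branch-b", 20e6, 10e6),
    Sample("branch-a", 97e6, 40e6),
    Sample("branch-b", 30e6, 10e6),
]
LICENSED_MBPS = {"branch-a": 100, "branch-b": 100}

if __name__ == "__main__":
    for a in find_saturated_sites(CONSTRUCTED_SAMPLES, LICENSED_MBPS):
        print(f"{a.site} {a.direction} at {a.utilization:.0%} of license")
```

Run it on a timer (cron, a Lambda, or whatever already polls your API) and route the `Alert` objects to your paging tool; the `sustained` parameter is what keeps QoS‑style microbursts from turning into noise.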
Are bandwidth‑based alerts planned in CMA?
Not today. Existing alerts can trigger on QoS discards, but not on a bandwidth threshold. Submitting an Idea Hub request is recommended.
Can we mute all alerts during a maintenance window from one place?
Not currently. Alerts must be disabled separately in each area (BGP, XOps, link health). This was suggested as an idea for the Idea Hub.
Browser Extension, DNS & Clientless Access
Hostname access fails with the browser extension. Why does IP work?
Hostname resolution should work under normal circumstances. Re‑test, and open a support ticket if the failure persists.
Direct Connect, IPv6 & Packet Capture
When will packet capture be supported on Direct Connect?
No timeline yet; currently only possible on the backend through Support.
AI Security Monitoring
Does AI Security capture user prompts (e.g., Copilot prompts)?
Robin gave a walkthrough of the AI Security offering during this event. He starts discussing the capture of user prompts at around the 18‑minute mark of the recording and continues for several minutes on how to secure and monitor AI usage.
AWS Architecture & Inspection
Can inbound AWS traffic be inspected by Cato before reaching EC2 (like GWLB + Palo Alto)?
Not for traffic arriving on AWS public IPs. Cato can only inspect inbound traffic that terminates on a Cato public IP and is delivered to the workload via Remote Port Forwarding.
Why must inbound inspection use Cato’s public IP?
Cato is a cloud‑delivered (SaaS) platform: inspection happens in the Cato PoP, not inside your AWS VPC, so inbound traffic must reach a Cato public IP before it can be inspected.
Automation, Importing & Configuration Management
Is there a bulk import feature for IP ranges/VLANs?
Not natively. Consider:
- Cato API
- CatoCLI
- Terraform provider
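Whichever of the three routes you take, the step that actually saves time is validating the ranges before you push them, because a bad row in a bulk job is far harder to unwind than to reject. The script below is an added example (not Cato's code, and it does not call the Cato API): it reads a CSV with the assumed columns `site,name,subnet,vlan`, rejects malformed CIDRs, out‑of‑range VLAN IDs and ranges that overlap another range in the same site, and returns the clean rows ready to feed into your API, CatoCLI or Terraform generator. The CSV content is constructed for illustration.

```python
"""Pre-flight validation for a bulk import of network ranges / VLANs.

Added example, not Cato's own code. Column names are an assumption; the
sample CSV is constructed and deliberately contains three bad rows.
"""
import csv
import io
import ipaddress

CONSTRUCTED_CSV = """site,name,subnet,vlan
branch-a,Users,10.10.10.0/24,10
branch-a,Printers,10.10.20.0/24,20
branch-a,Overlap,10.10.10.128/25,30
branch-b,Guest,192.168.1.0/24,4095
branch-b,Bad,10.0.0.1/24,50
"""


def validate_ranges(csv_text: str) -> tuple[list[dict], list[str]]:
    """Return (valid_rows, errors). Each valid row is a dict with the
    original fields plus a parsed `network`. Errors cite the CSV line
    number (header is line 1) so the spreadsheet can be fixed quickly."""
    rows = csv.DictReader(io.StringIO(csv_text))
    valid: list[dict] = []
    errors: list[str] = []
    seen: dict[str, list[tuple[str, ipaddress.IPv4Network]]] = {}

    for lineno, row in enumerate(rows, start=2):
        site, name = row["site"].strip(), row["name"].strip()
        ok = True

        # strict=True rejects host bits set (10.0.0.1/24), a common typo.
        try:
            net = ipaddress.ip_network(row["subnet"].strip(), strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {site}/{name}: bad subnet "
                          f"{row['subnet']!r} ({exc})")
            continue

        try:
            vlan = int(row["vlan"])
        except ValueError:
            vlan = -1
        if not 1 <= vlan <= 4094:  # 802.1Q usable range
            errors.append(f"line {lineno}: {site}/{name}: VLAN "
                          f"{row['vlan']!r} outside 1-4094")
            ok = False

        for other_name, other in seen.get(site, []):
            if net.overlaps(other):
                errors.append(f"line {lineno}: {site}/{name} {net} overlaps "
                              f"{other_name} {other}")
                ok = False

        seen.setdefault(site, []).append((name, net))
        if ok:
            valid.append({**row, "network": net, "vlan": vlan})

    return valid, errors


if __name__ == "__main__":
    good, bad = validate_ranges(CONSTRUCTED_CSV)
    for e in bad:
        print("REJECT", e)
    print(f"{len(good)} rows ready for import")
```

Only rows that pass should be turned into API calls or Terraform resources; keep the rejected lines with their reasons in the job output so the import is reviewable afterwards.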
Best Practices & Identity
What best practice do customers commonly miss?
Fully adopting identity‑based policies (ZTNA) instead of legacy IP‑based access controls.
Do AD‑synced users need a ZTNA/SDP license for identity policies?
It depends on the device and how the user is provisioned:
- Windows device, SCIM‑provisioned user, Azure AD joined or hybrid‑joined: no license needed
- macOS device: a license is currently required
- Device joined to on‑prem AD: SCIM is not supported, so LDAP provisioning is needed
Why does user awareness fail for some SCIM‑synced users?
SCIM does not cover devices joined to on‑prem AD. Users on those devices must be provisioned via LDAP.
Always‑On VPN Issues
Why does always‑on VPN block all traffic until reinstall?
Common causes include:
- Internet Recovery option not enabled
- Device posture checks failing
If issues persist, Support should investigate.
Event Logs
Can we filter traffic to wildcard domains?
Yes, use the “contains” filter for domain‑based event searching.
Remote Browser Access
What’s the high‑level architecture for Remote Browser Access?
- User connects to the Cato Portal
- Portal creates a policy
- Cato initiates a connection to your internal resource
Without Source NAT, the internal server sees the connection arriving from a Cato public IP. With Source NAT enabled, the connection appears to come from a private IP instead.
QoS for Remote Port Forwarding
Can we set QoS rules for Remote Port Forwarding?
Not today; Remote Port Forwarding traffic uses the default QoS queue. Idea Hub submissions are encouraged.
Local Bypass Enhancements
Will more applications be added to local bypass?
Yes. The list is expanding, and domain/FQDN‑based bypass is available in Early Access through your account team.
Questions Requiring Follow‑Up
These topics require SME confirmation and will be answered on the community once available:
1. Does AI Security capture user prompts (Copilot, etc.)?
Pending SME validation.
2. Is IPv6 DNS fully supported, and how does Cato plan to address IPv6‑only ISP environments?
Pending SME validation.
Have more questions?
Drop them in the community anytime or join our next AMA.