Cato EmployeeMaybe look at Network rules. Set up WAN rule where the source could be a SITE(s) and build the rule to match on your applications (may need to create custom apps if you don't already have them defined) and maybe even another site like a DC if they're hosted there. Then tell that rule to egress over the Alternate WAN - Transport over Alternate WAN.
When we create this network rule, there is no option for Egress over the Alternate WAN as we don't have socket in our organisation, we have only Pooled Bandwidth and SDP license. Also we can't create 230 Sites as we have 230 branches in our organisation and we want traffic from SDP client towards internal application hosted in DC should go via Cato only when user is not in office but as users come to office premises than no WAN traffic should go via CATO but my MPLS or P2P connections that we have.
Cato EmployeeIf you have a pooled bandwidth allocation, this would indicate that you have IPSEC tunnels from your sites to Cato. Is that the case?
Yes, I have pooled bandwidth but I have not created IPSec tunnel from all branches as we have 230 branches and it is cumbersome to manage 230 IpSec tunnel so we are running most of the branch users via SDP client as in Netskope as well, we were 100% on client and no IpSec site.
Cato EmployeeThe closest thing to that is utilizing Trusted Networks. However this is more of an all-or-nothing feature. From what I understand, the ability to do more is on the roadmap. Stay tuned! You can help by submitting a request for enhancement (RFE) with your CSM. The more interest, the more it will be prioritized.
