Auto disabling of "Secured Private Access" when user in office

Question

In Cato, there is "Cato Connectivity Policy" wherein we can either allow "Allow Internet" or "Allow WAN and Internet" or "Block".

We have MPLS in our offices and we wants to have only SWG i.e "Allow Internet" when user is in office so that internal applications go through MPLS and only internet traffic goes through Cato but when same user goes out of office than automatically both Internet and WAN traffic should go through the Cato.

We had similar arrangement when we were with Netskope. In Netskope, there is a feature called “Enabling Dynamic Steering” [Refer https://docs.netskope.com/en/enabling-dynamic-steering/] wherein we could decide if users is “On-Premise” then what all traffic needs to be steered to Netskope and whether Private access needs to be enabled or not or only internet traffic is need to be steered.

Can this be achieved in similar fashion ?

prakashrindia · Answer

Any response from Product Team will be appreciated

ddec-se · Answer

Maybe look at Network rules. Set up WAN rule where the source could be a SITE(s) and build the rule to match on your applications (may need to create custom apps if you don't already have them defined) and maybe even another site like a DC if they're hosted there. Then tell that rule to egress over the Alternate WAN - Transport over Alternate WAN.

prakashrindia · Answer

When we create this network rule, there is no option for Egress over the Alternate WAN as we don't have socket in our organisation, we have only Pooled Bandwidth and SDP license. Also we can't create 230 Sites as we have 230 branches in our organisation and we want traffic from SDP client towards internal application hosted in DC should go via Cato only when user is not in office but as users come to office premises than no WAN traffic should go via CATO but my MPLS or P2P connections that we have.

ddec-se · Answer

If you have a pooled bandwidth allocation, this would indicate that you have IPSEC tunnels from your sites to Cato. Is that the case?

prakashrindia · Answer

Yes, I have pooled bandwidth but I have not created IPSec tunnel from all branches as we have 230 branches and it is cumbersome to manage 230 IpSec tunnel so we are running most of the branch users via SDP client as in Netskope as well, we were 100% on client and no IpSec site.

Forum Discussion

Auto disabling of "Secured Private Access" when user in office

7 Replies

Recent Discussions

Additional South Africa POP

Connectivity Alert Email - Interface Names

CATO Client still connected in a trusted network

Directed Broadcast?

DHCP option to assign Cisco Wireless Controller