Pre-Login and Online Services
We currently have an on-premises Active Directory and have Pre-Login enabled with connect at boot enabled. We defined internal destinations (domain controllers) as allowed destinations, so the devices can reach the domain controllers before the user has logged in. This worked fine so far.

However, now we want to migrate to Entra ID and Intune only, which means that the machines now need to reach Entra and Intune before or directly after the login. Since the Pre-Login mode doesn't allow them to reach all URLs of Entra ID and Intune, we get problems during login and for the Intune enrollment (which happens after the login of a new user but before the user has authenticated with the CATO client). We also have the same problem with NinjaOne, which we use to manage endpoints: we would like to be able to reach endpoints before a user has logged in.

In the allowed destinations for the Pre-Login mode, I can only provide internal targets and IPs, but can't put any Internet hostnames so the devices can reach Entra ID and Intune before the user has authenticated. So what is the solution here? We want to use Pre-Login to have the security it provides and prevent the devices from having open Internet access before the user has authenticated with CATO, but really need to resolve these issues that are caused by it when it comes to connecting to our management services before the user has authenticated.

Thank you in advance.

Recording: Ask Me Anything with Professional Services - March 2026
Professional Services AMA – March 2026

Thank you to everyone who joined our March AMA session! Below is a clean, easy-to-scan recap of every question asked, along with brief summaries of the answers shared during the call. If you’d like the full context, you can view the recording below.

IPsec & Tunnel Behavior

Are IPsec tunnels active-active or active-passive?
Cato uses active-passive by default. Active-active is available with EA enablement.

How do we identify the primary vs. secondary tunnel?
Your IPsec configuration labels them directly:
- Primary = active
- Secondary = standby

Can secondary tunnels load-balance with primary?
No. Secondary tunnels do not participate in load-sharing.

Can we configure active-active instead of active-passive?
Yes, but only via Early Access. This enables multiple tunnels on primary/secondary POPs.

Logging, Packet Capture & Troubleshooting

Can we see packet counts like a firewall (sent/received)?
You can see traffic hitting WAN firewall policies, but tunnel-level packet breakdown is not available.

Can we capture tunnel traffic?
Not in CMA. Support can perform captures on the backend.

Bandwidth, Utilization & Alerts

Is there an automated way to detect when a site hits max bandwidth?
Yes, via the API or MCP Server integrations.

Are bandwidth-based alerts planned in CMA?
Not today. Current alerts may trigger on QoS discards. Submitting an Idea Hub request is recommended.

Can we mute all alerts during a maintenance window from one place?
Not currently. Alerts must be disabled per area (BGP, XOps, link health). Suggested as an idea via the Idea Hub.

Browser Extension, DNS & Clientless Access

Hostname access fails with the browser extension. Why does IP work?
Hostname resolution should work in normal circumstances. Re-testing and a support ticket are recommended if it persists.

Direct Connect, IPv6 & Packet Capture

When will packet capture be supported on Direct Connect?
No timeline yet; currently only possible on the backend through Support.

AI Security Monitoring

Does AI Security capture user prompts (e.g., Copilot prompts)?
Robin gave a walkthrough of our AI Security offering during this event. He starts discussing capturing user prompts around the 18th minute and continues discussing how to secure and monitor AI for several minutes.

AWS Architecture & Inspection

Can inbound AWS traffic be inspected by Cato before reaching EC2 (like GWLB + Palo Alto)?
Not with AWS public IPs. Cato can only inspect inbound traffic terminated on Cato public IPs via Remote Port Forwarding.

Why must inbound inspection use Cato’s public IP?
Cato is a SaaS platform and cannot locally inspect traffic inside your AWS VPC.

Automation, Importing & Configuration Management

Is there a bulk import feature for IP ranges/VLANs?
Not natively. Consider:
- Cato API
- CatoCLI
- Terraform provider

Best Practices & Identity

What best practice do customers commonly miss?
Fully adopting identity-based policies (ZTNA) instead of legacy IP-based access controls.

Do AD-synced users need a ZTNA/SDP license for identity policies?
It depends:
- Windows + SCIM + Azure AD Join/Hybrid = no license needed
- macOS = license currently required
- On-prem AD join = SCIM not supported (use LDAP)

Why does user awareness fail for some SCIM-synced users?
SCIM does not support on-prem AD joined devices. These must use LDAP provisioning.

Always-On VPN Issues

Why does always-on VPN block all traffic until reinstall?
Common causes include:
- Internet Recovery option not enabled
- Device posture checks failing
If issues persist, Support should investigate.

Event Logs

Can we filter traffic to wildcard domains?
Yes, use the “contains” filter for domain-based event searching.

Remote Browser Access

What’s the high-level architecture for Remote Browser Access?
- User connects to the Cato Portal
- Portal creates a policy
- Cato initiates a connection to your internal resource
Without Source NAT, the internal server sees a Cato public IP. Source NAT forces it to appear from a private IP instead.

QoS for Remote Port Forwarding

Can we set QoS rules for Remote Port Forwarding?
Not today; traffic uses the default QoS queue. Idea Hub submissions encouraged.

Local Bypass Enhancements

Will more applications be added to local bypass?
Yes. The list is expanding, and domain/FQDN bypass is available in EA via your account team.

Questions Requiring Follow-Up

These topics require SME confirmation and will be answered on the community once available:
1. Does AI Security capture user prompts (Copilot, etc.)? Pending SME validation.
2. Is IPv6 DNS fully supported, and how does Cato plan to address IPv6-only ISP environments? Pending SME validation.

Have more questions? Drop them in the community anytime or join our next AMA.

Recording: Ask Me Anything with Professional Services - February 2026
Professional Services AMA – February 2026

Missed the live session? Here’s the full rundown of every question asked, summarized for quick reading, and the recording for deeper context and chit chat.

Our experts this session: Robin Johns, David Tudor, and Mihai Radoveanu

AI Security Questions

How will Cato help identify MCPs, AI agents, and all the new AI tools popping up daily?
Cato is introducing an AI Security module (GA expected early Q2) that will provide:
- Local AI usage discovery (MCP servers, local agents)
- Cloud AI usage discovery (ChatGPT, Copilot, etc.)
- Model inventories & device discovery for homegrown AI
Early access may be available around mid-March.

Will users be able to test early versions?
Yes. Cato expects to offer trial availability around general release (early Q2).

Can customers see how each AI app uses data (free vs enterprise)?
Yes. Cato can differentiate free, paid, and enterprise versions of tools like ChatGPT or Copilot by analyzing traffic, authentication headers, or API connections.

Can existing AI-related firewall and CASB rules be removed once AI Security is enabled?
Technically yes, but Cato recommends keeping them during transition. Move them to “monitor” mode first before deleting.

Can Cato block or warn users about risky AI sites?
Yes. Through web firewalling and AI Security policies, admins can:
- Block sites
- Redirect users
- Show user education prompts
- Apply rules per site, category, or group

Can Cato enforce guardrails on AI prompts?
Yes. Prompt policies can:
- Detect PII
- Block sensitive data
- Anonymize inputs
- Detect intent (e.g., self-harm, illegal activity, jailbreak attempts)
- Trigger “Are you sure?” notifications

Does this work with embedded Copilot inside Microsoft apps (Teams, Word, Excel, etc.)?
Yes. Cato can audit and monitor AI usage across the Microsoft ecosystem, including embedded Copilot prompts.

Can Cato block file uploads or screenshots to AI tools?
Partially.
- Today: Cato can block the upload action.
- Later in 2026: OCR-based inspection of files/images is on the roadmap.
DLP is still recommended for full file handling.

Can Cato monitor email-based prompt injection attacks?
Yes. AI Security can detect prompt-injection attempts, including those originating from email content.

Can it help discover vulnerable code or libraries in homegrown AI apps?
Yes. Cato can inspect your AI pipelines, models, datasets, and knowledge bases, and detect:
- PII in training data
- Vulnerable base models
- Insecure tools/endpoints
- Risky GPTs or agent configurations

Will AI Security support SOAR-like capabilities?
Eventually. Partners already offer SOAR-like services today. Cato may expand here in the future.

Can Cato detect internal MCP servers (e.g., engineers running local Docker containers)?
Yes. Cato can detect MCP traffic using Layer 7 signatures and app analysis.

Will the browser plugin be locked so users can’t remove it?
Yes, deployment via MDM allows admins to make the plugin non-removable.

Does the ZTNA client need to be connected for AI/user identification?
No. As long as the client is installed and running, Cato can identify the user.

Identity & SCIM / LDAP Migration Questions

Can customers migrate from LDAP to SCIM gradually?
Yes, you can run LDAP and SCIM in parallel. SCIM entries override LDAP where both exist.

Do SCIM provisioning and SSO use the same application in Entra?
No.
- SSO app = authentication
- SCIM provisioning app = user & group sync
Both coexist.

Can two SCIM provisioning apps run at the same time?
No. If you rebuild the SCIM app (e.g., because MS Graph v1 was deprecated), you must replace the old app, not run both.

How are users detected when synced through SCIM?
User awareness requires:
- The user synced through SCIM
- The ZTNA client installed (no login needed)
The ZTNA client provides identity signals via the endpoint.

If a user without a ZTNA license has the client, can they connect?
No. They will be identified, but they cannot remotely connect.

API & Logging Questions

Why is Arctic Wolf only receiving IPS/security events and not network events?
Check the API key permissions. Old API keys had limited controls; new RBAC-enabled keys allow specifying full access. Updating the key typically resolves this. Cato recommends using:
- API Explorer
- Cato CLI
to validate what should be visible.

Does Cato offer API discovery and monitoring?
Not fully today, but you can use:
- API Explorer
- MCP server logs
- AI Security (for AI-driven API calls)
More native API discovery is expected in future releases.

Miscellaneous Questions

Can Cato support SOAR workflows for automated response?
Yes, through partners today, and potentially natively in the future.

Links discussed in the video:
- https://learn.microsoft.com/en-us/microsoftsearch/semantic-index-for-copilot
- https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
- https://support.catonetworks.com/hc/en-us/sections/28000327077789-Migrating-from-LDAP-to-SCIM-User-Provisioning
- https://support.catonetworks.com/hc/en-us/articles/28000333704861-Preparing-to-Migrate-to-SCIM-Part-1
- https://docs.arcticwolf.com/bundle/m_cloud_detection_and_response/page/configure_cato_sse_360_for_arctic_wolf_monitoring.html
- Creating API keys: https://support.catonetworks.com/hc/en-us/articles/4413280536081-Generating-API-Keys-for-the-Cato-API
- https://github.com/catonetworks/cato-api-explorer
- https://github.com/catonetworks/cato-mcp-server
- https://github.com/catonetworks/cato-cli
- https://connect.catonetworks.com/

Relocate of Old Socket to new location
Hi Cato Community,

Has anyone previously attempted to relocate an old socket to a new site or location? We are looking for the best method to move the existing socket without impacting its current configuration. In addition to relocating the old socket, we will also be deploying a new socket at the new site—resulting in two sockets operating in the new location.

Any guidance or recommendations based on your experience would be greatly appreciated.

Cato Connect Event: AMA with Professional Services - February/March 2026
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners.

During these live AMAs with members of our talented Professional Services team we’ll cover topics like:
- Implementing Cato and getting as much out of your purchase as possible
- Best practices we’ve seen across real-world environments
- AI Security (New, exciting topic!)
- Your questions... seriously, bring them

Choose from the two available sessions, whatever works best for you.
February 24th, 2026 at 11am EST or March 12th, 2026 at 3pm JST

Here’s how to get the most out of it:
- Register for the February 24th or March 12th meetings and get the calendar invite and join us live
- Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session
- See a question you like? Give it a “like” to help it rise to the top

Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments.

That’s it — register, post your questions, and we’ll see you there!

Presenters:
- Steven Wong, Professional Services Engineer
- Mihai Radoveanu, Principal Consultant Professional Services, Italy
- Rob Pfrogner, Principal Consultant Professional Services, US
Special guest:
- Robin Johns, Worldwide, AI Security SME

If you run into any issues, @mention me or email us at community@catonetworks.com

Cato Connect Event: AMA with Professional Services - November 2025
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners.

We're doing things a little differently this time: First of all, we'll be honing in on specifics around CASB and TLSi; we will even have a short demo at the beginning to help you start using, or get the most out of, your investment. (We'll still take general questions from the audience.) The other change is that this time, we're offering ~*options*~

Join us on:
November 4th, 2025 at 3pm HKT or November 6th, 2025 at 11am EST

During these live AMAs with members of our talented Professional Services team we’ll cover topics like:
- The latest versions of TLSi and CASB
- Best practices we’ve seen across real-world environments
- Your questions... seriously, bring them

Here’s how to get the most out of it:
- Register for the November 4th or November 6th meetings and get the calendar invite and join us live
- Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session
- See a question you like? Give it a “like” to help it rise to the top

Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments.

That’s it — register, post your questions, and we’ll see you there!

Presenters:
- Steven Wong, Professional Services Engineer
- Kushtrim Kelmendi, Principal Consultant Professional Services, EMEA
- Martin Guerrero, Commercial Sales Engineer

If you run into any issues, @mention me or email us at community@catonetworks.com

Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team.

We’ll cover topics like:
- Designing and implementing a CMA deployment
- Best practices we’ve seen across real-world environments
- Your questions — seriously, bring them

Here’s how to get the most out of it:
- Click here to register and get the calendar invite and join us live
- Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session
- See a question you like? Give it a “like” to help it rise to the top

Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments.

That’s it — register, post your questions, and we’ll see you there!

Presenters:
- Principal Consultant Professional Services, Italy
- Principal Consultant Professional Services, USA

If you run into any issues, @mention me or email us at community@catonetworks.com