URL - Category over-ride not taking effect?
Is your URL category over-ride not taking effect? When configuring firewall rules by domain you do not need to specify the subdomains. Firewall rules will even cover the subdomains if you specify a Top Level Domain e.g. "uk" would cover all the subdomains such as bbc.co.uk). This is not the case when using domains to override a category though! Category over-ride from CMA for an domain / FQDN applies just to the that domain or FQDN. Any subdomains must be specified with its own FQDN. E.g. over-riding category for http://catonetworks.com to a category of your choice does not change the category for http://www.catonetworks.com Hope you find this helpful. Thanks Nath based on your comment I have added following article that shows how to add a custom app to get around having to override individual domains. Add the custom app in a rule and place it above the rule that blocks the traffic. https://support.catonetworks.com/hc/en-us/articles/4413265662993-Working-with-Custom-Apps Reference Article: https://connect.catonetworks.com/kb/cato-cloud-best-practices/how-to-block-a-tld-top-level-domain-or-a-specific-country/374How to Uninstall Windows Cato SDP Client Remotely?
Use case: Although manual uninstall may not be required frequently, there may be instance where you have a user with corrupt installation and you must uninstall remotely. Another typical use case I cam across recently - your company self service portal (e.g. Intune or Kandji) has a different version than what is installed on the user device and now you want to downgrade the client. In order to downgrade you will need to uninstall the existing installation first. You can do this using a simple command. Prerequisite: Admin privilege on the system How To? Launch command prompt using privileged mode (run as admin) and then issue following command [screenshot example on Windows 11 attached] or simply execute this command remotely to the system: \Windows\System32\wmic product where name=“Cato Client" call uninstall Corrupt installation that persists after boot? From time to time support may advise doing a clean install. Here is what you would do for a more elaborate clean removal of the SDP client for reinstall- Uninstall CATO Client by following the Article How To Uninstall the Windows Client, when uninstalling the CATO Client, kindly delete the cache contents located at "C:\Users\User\AppData\Local\CatoNetworks\Cache" Go to Control Panel > Network and Internet -> Network Connections Ensure that all CATO Adapters and Local Area Connection adapter ( WinTun Userspace Adater) have been removed, if they still exist, manually delete them (disabling them alone will not help).The power of Smart SASE - Cato Remote Port Forwarding
Overview If I interpret the latest comments on SSE Gartner MQ '25, SASE is going to devour the SSE soon. Use case mentioned here is one such instance that SSE alone can't implement without fancy private access or ZTNA or steering hooks. Let alone the publishers that are required to be hosted and maintained by the customers for inbound access. Cato RPF (Remote Port Forwarding) functionality allows you to open up your servers or internal resources to the internet with following quick 3 steps. How? Quick and easy 3 steps: Check how many public IP’s you are licensed for Account > License > IP's Assign an IP from the available Cato Public IP’s for your preferred location Network > Network Configuration > IP Allocation Create RPF rule using the IP you allocated in last step Security> Firewall > Remote Port Forwarding The intrigued users may ask, can I use this for my WAN to WAN traffic? Yes, you can. The documentation does not call it out as an officially supported feature but it works based on my testing. Question before you consider this option: Wouldn't you rather use WAN firewall rules though to control the same though instead of having the internal users to access this resource using public IP? I would leverage WAN firewall and WAN Network rules for the internal traffic crossing sites. Best Practices around RPF Like what uncle Ben or Voltaire would warn, 'with power comes a great responsibility' Note that there are 10K sessions allowed per RPF. If you have a high volume use case use a load balancer behind RPF to front end the servers Tightly control the rule by limiting access to source IP’s. If you see exclamation mark like the one in the first rule in the screenshot, take an action! Host your critical servers behind DDoS/WAF protection if you must allow 0/0. RPF traffic is automatically assigned the lowest priority (P255). For WAN to WAN you can use a special network rule on the source site though (that would work only for WAN to WAN traffic using an Internet Type Network rule with higher priority, P8 for example) References https://support.catonetworks.com/hc/en-us/articles/7784979714333-Configuring-Remote-Port-Forwarding-for-the-Account https://support.catonetworks.com/hc/en-us/articles/360004514358-Security-and-QoS-Recommendations-for-RPF https://support.catonetworks.com/hc/en-us/articles/9299509375517-How-to-Integrate-Third-Party-DDoS-Services-for-Internet-Facing-RPF-Traffic https://support.catonetworks.com/hc/en-us/articles/19516873839005-Integrating-Imperva-Cloud-WAF-DDoS-Services-for-Internet-Facing-RPF-Traffic
