Is there any way to expose/export DHCP logs from Cato SDP clients?
Is there any way (events / API) to see DHCP events for our SDP users? Our security vendors (Rapid7 and Defender for Identity) are doing correlation based on DNS and DHCP events and sometimes see SDP addresses as different machines. I have DNS and PTR records updating but am curious if there is any way to expose the DHCP lease events for SDP users. I see those events for other Cato DHCP but not for SDP users in my tenant.

Cato has the concept of "User Awareness" that correlates IP addresses to User IDs. When we were using Windows DHCP servers we fed the logs to our security vendors for a similar type of correlation between IP addresses and User IDs. As we are moving away from Windows Servers in our offices, we are losing this visibility. We are beginning to allow Cato to provide the DHCP on our LAN segments, as well as for our remote SDP client users. As this happens, we are seeing DHCP events on the LAN segments which can be tied to machine names and matched against login events via Active Directory or Entra ID to correlate IP addresses to users. However, for our remote SDP client users I cannot seem to find DHCP events.

This leads to issues. Microsoft Defender for Endpoint sees a user getting different remote SDP client IP addresses in the 10.41.x.x range as "Pass the Hash" attacks. However, when I investigate, it is the same workstation getting different IP addresses through normal, remote operation. If the user does not reboot/login every day this raises security alerts. Am I missing the point, or not configuring something correctly? Is there a way via API or syslog forwarding to monitor DHCP logs from Cato for both LAN segments and SDP client segments? The ultimate solution would be a log forwarding type of solution where I could forward all Cato DHCP lease events to Microsoft Defender for Endpoint/Identity and my security vendor (Rapid7), but I am just wondering how others are handling this.
I figured I would ask around before I put something in the Idea hub for a non-issue.

LAN Firewall rules - missing "IP range" in src/dst
Anyone else missing the ability to use a Custom IP Range as a source or destination in a LAN Firewall rule? We use the CATO LAN Firewall to control traffic between two separate network zones terminated on two different internal firewalls. Since this is local traffic in the site, we don't want to route it to the Cato Cloud so it's not dependent on WAN links. That's why we use the CATO LAN Firewall (formerly Local Routing). But the only options to set Source or Destination are: Global range, Host, Interface subnet, Network Interface and Any. It would be very useful if we could use Custom IP ranges and Host Groups there.

Recording: Ask Me Anything with Professional Services - February 2026
Professional Services AMA – February 2026

Missed the live session? Here's the full rundown of every question asked, summarized for quick reading, and the recording for deeper context and chit-chat. Our experts this session: Robin Johns, David Tudor, and Mihai Radoveanu.

AI Security Questions

How will Cato help identify MCPs, AI agents, and all the new AI tools popping up daily?
Cato is introducing an AI Security module (GA expected early Q2) that will provide:
- Local AI usage discovery (MCP servers, local agents)
- Cloud AI usage discovery (ChatGPT, Copilot, etc.)
- Model inventories & device discovery for homegrown AI
Early access may be available around mid-March.

Will users be able to test early versions?
Yes. Cato expects to offer trial availability around general release (early Q2).

Can customers see how each AI app uses data (free vs enterprise)?
Yes. Cato can differentiate free, paid, and enterprise versions of tools like ChatGPT or Copilot by analyzing traffic, authentication headers, or API connections.

Can existing AI-related firewall and CASB rules be removed once AI Security is enabled?
Technically yes, but Cato recommends keeping them during the transition. Move them to "monitor" mode first before deleting.

Can Cato block or warn users about risky AI sites?
Yes. Through web firewalling and AI Security policies, admins can:
- Block sites
- Redirect users
- Show user education prompts
- Apply rules per site, category, or group

Can Cato enforce guardrails on AI prompts?
Yes. Prompt policies can:
- Detect PII
- Block sensitive data
- Anonymize inputs
- Detect intent (e.g., self-harm, illegal activity, jailbreak attempts)
- Trigger "Are you sure?" notifications

Does this work with embedded Copilot inside Microsoft apps (Teams, Word, Excel, etc.)?
Yes. Cato can audit and monitor AI usage across the Microsoft ecosystem, including embedded Copilot prompts.

Can Cato block file uploads or screenshots to AI tools?
Partially. Today, Cato can block the upload action. Later in 2026, OCR-based inspection of files/images is on the roadmap. DLP is still recommended for full file handling.

Can Cato monitor email-based prompt injection attacks?
Yes. AI Security can detect prompt-injection attempts, including those originating from email content.

Can it help discover vulnerable code or libraries in homegrown AI apps?
Yes. Cato can inspect your AI pipelines, models, datasets, and knowledge bases, and detect:
- PII in training data
- Vulnerable base models
- Insecure tools/endpoints
- Risky GPTs or agent configurations

Will AI Security support SOAR-like capabilities?
Eventually. Partners already offer SOAR-like services today. Cato may expand here in the future.

Can Cato detect internal MCP servers (e.g., engineers running local Docker containers)?
Yes. Cato can detect MCP traffic using Layer 7 signatures and app analysis.

Will the browser plugin be locked so users can't remove it?
Yes, deployment via MDM allows admins to make the plugin non-removable.

Does the ZTNA client need to be connected for AI/user identification?
No. As long as the client is installed and running, Cato can identify the user.

Identity & SCIM / LDAP Migration Questions

Can customers migrate from LDAP to SCIM gradually?
Yes, you can run LDAP and SCIM in parallel. SCIM entries override LDAP where both exist.

Do SCIM provisioning and SSO use the same application in Entra?
No. The SSO app handles authentication; the SCIM provisioning app handles user & group sync. Both coexist.

Can two SCIM provisioning apps run at the same time?
No. If you rebuild the SCIM app (e.g., because MS Graph v1 was deprecated), you must replace the old app, not run both.

How are users detected when synced through SCIM?
User awareness requires:
- The user synced through SCIM
- The ZTNA client installed (no login needed)
The ZTNA client provides identity signals via the endpoint.

If a user without a ZTNA license has the client, can they connect?
No. They will be identified, but they cannot remotely connect.

API & Logging Questions

Why is Arctic Wolf only receiving IPS/security events and not network events?
Check the API key permissions. Old API keys had limited controls; new RBAC-enabled keys allow specifying full access. Updating the key typically resolves this. Cato recommends using the API Explorer and the Cato CLI to validate what should be visible.

Does Cato offer API discovery and monitoring?
Not fully today, but you can use:
- API Explorer
- MCP server logs
- AI Security (for AI-driven API calls)
More native API discovery is expected in future releases.

Miscellaneous Questions

Can Cato support SOAR workflows for automated response?
Yes, through partners today, and potentially natively in the future.

Links discussed in the video:
https://learn.microsoft.com/en-us/microsoftsearch/semantic-index-for-copilot
https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
https://support.catonetworks.com/hc/en-us/sections/28000327077789-Migrating-from-LDAP-to-SCIM-User-Provisioning
https://support.catonetworks.com/hc/en-us/articles/28000333704861-Preparing-to-Migrate-to-SCIM-Part-1
https://docs.arcticwolf.com/bundle/m_cloud_detection_and_response/page/configure_cato_sse_360_for_arctic_wolf_monitoring.html
Creating API keys: https://support.catonetworks.com/hc/en-us/articles/4413280536081-Generating-API-Keys-for-the-Cato-API
https://github.com/catonetworks/cato-api-explorer
https://github.com/catonetworks/cato-mcp-server
https://github.com/catonetworks/cato-cli
https://connect.catonetworks.com/

Block/prompt based on risk rating
For Generative AI services, we would like to present the "Prompt" action for services that have a risk rating of 3 or less as per the Cato App Catalog, and "Block" those with risk 4+. To our slight surprise there does not appear to be a "Prompt" option in the App & Data Inline Protection module. Is there a way to work around this that does not include having to manually populate the list of "risky" services?

AWS - OpenVPN routing clash for Cato SDP
Hi, we have been a Cato customer for just over a year now and we have a hybrid network infrastructure, with some on-prem servers and new workloads being hosted in both AWS & GCP. My question is around the use of existing OpenVPN for accessing our AWS trusted VPCs, and users having issues with Cato SDP and OpenVPN clashing over DNS/routes etc. when trying to access the AWS vs. on-prem server environments. We need staff to be on Cato SDP all the time for monitoring, auditing and best security practices; however it clashes for some users who need OpenVPN AWS access. What do other companies do to get around this issue (if they have a similar routing issue at all)? Split tunnel vs. AWS Marketplace Cato virtual socket (EC2 instance needed per account)? I would be very interested to see if others have seen this or have a good workaround for this dilemma.

Is there any way to know the actual service signature?
Hi, the "Standard Ports" information in the App Catalog is not the actual service signature. This makes it very difficult to configure firewall rules as I wish. Is there any way to know the actual service signature on demand? Thank you.

Windows CA with Cato for Device Posture Check
I'm looking for guidance on configuring a Windows CA to issue and validate RSA certificates for device posture verification in Cato. Has anyone implemented this integration? What's the best approach for certificate management? Should we use self-signed certificates or purchase individual device certificates from DigiCert or another vendor? If anyone has implemented this, please share the pros and cons.

Cato Rapid Recap | June 2025
📣 Cato Rapid Recap | June 2025

Staying current on the latest features, best practices, and platform improvements isn't always easy. That's why I'm kicking off a new 2-minute monthly recap, designed to help you:
✅ Quickly catch up on what's new
✅ Share relevant updates with prospects, POCs, and customers
✅ Stay aligned on Cato's evolving value

📅 The plan is to release this every month: short, actionable, and easy to share.

▶️ Watch the June Recap

Got feedback or requests for next month's recap? Drop a comment below 👇
