Cato Rapid Recap | June 2025
📣 Cato Rapid Recap | June 2025 Staying current on the latest features, best practices, and platform improvements isn’t always easy. That’s why I’m kicking off a new 2-minute monthly recap — designed to help you: ✅ Quickly catch up on what’s new ✅ Share relevant updates with prospects, POCs, and customers ✅ Stay aligned on Cato’s evolving value 📅 Plan is to release this every month — short, actionable, and easy to share. ▶️ Watch the June Recap Got feedback or requests for next month’s recap? Drop a comment below 👇
Policy Rule Not Hitting When Destination is Set to 'Any' – Expected Behavior?
Hi all, I ran into a situation with a security policy in Cato and would like to hear if anyone else has experienced something similar. Here is the scenario: I created a policy where the source site is set to "Site A", the destination is set to "Any", and the application is defined as a specific IP address, for example 192.168.1.1. In this setup, the rule does not match and traffic is not allowed as expected. However, when I change the destination from "Any" to the specific site where 192.168.1.1 is located, the rule starts working correctly and the traffic is matched. My questions: Is this expected behavior in Cato? Does using "Any" as the destination somehow prevent matching traffic to a specific internal IP? Is there something else I might be missing? Appreciate any insights or experiences. Thanks!
LAN Firewall rules - missing "IP range" in src/dst
Anyone else missing an ability to use Custom IP Range as a source or destination in LAN Firewall rule? We use CATO LAN Firewall to control traffic between two separate network zones terminated on two different internal firewalls. Since this is a local traffic in the site, we don't want to route it to Cato Cloud so it's not dependent on WAN links. That's why we use CATO LAN Firewall (formerly Local Routing). But the only options to set Source or Destination are: Global range, Host, Interface subnet, Network Interface and Any. Would be very useful if we can use Custom IP ranges and Host Groups there.IPS Whitelist GEO_RESTRICTION using domain name
Is there going to be an option in the future to whitelist geoblock IPS using a domain name? Currently only IP addresses affect geo_restriction, so, whitelisting all Microsoft servers in India is a bit like playing whack-a-mole. You can add a domain, but it throws an error (see screenshot below).
