Cato Connect Event: AMA with Professional Services - November 2025
Did you join our last AMA with Professional Services and want more? Did you miss the last one and have been waiting for us to drop more dates? Well your request is our command, and we are back with another event for our customers and partners. We're doing things a little differently this time: First of all, we'll be honing in on specifics around CASB and TLSi, we will even have a short demo at the beginning to help you start using, or get the most out of, your investment. (We'll still take general questions from the audience) The other change is that this time, we're offering ~*options*~ Join us on: November 4th, 2025 at 3pm HKT or November 6th, 2025 at 11am EST During this live AMAs with members of our talented Professional Services team we’ll cover topics like: The latest versions of TLSi and CASB Best practices we’ve seen across real-world environments Your questions... seriously, bring them Here’s how to get the most out of it: Register for the November 4th or November 6th meetings and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Steven Wong Professional Services Engineer Kushtrim Kelmendi Principal Consultant Professional Services, EMEA Martin Guerrero Commercial Sales Engineer If you run into any issues, @mention me or email us at community@catonetworks.comCato Rapid Recap | June 2025
📣 Cato Rapid Recap | June 2025 Staying current on the latest features, best practices, and platform improvements isn’t always easy. That’s why I’m kicking off a new 2-minute monthly recap — designed to help you: ✅ Quickly catch up on what’s new ✅ Share relevant updates with prospects, POCs, and customers ✅ Stay aligned on Cato’s evolving value 📅 Plan is to release this every month — short, actionable, and easy to share. ▶️ Watch the June Recap Got feedback or requests for next month’s recap? Drop a comment below 👇Certificate File Manipulation using OpenSSL
Use case: I have a TLS bypass rule for a domain that I would like removed. I added this rule because the certificate is not trusted. Now I need to grab certificate details. I have a certificate that appears to be missing from Cato TLS store. I want to report the same to Cato Support. Although I have p7b file which only works on Windows. How do I convert it to a regular certificate and just share with support? Prerequisites: A system with openSSL installed. If you are using a MacBook install HomeBrew and update OpenSSL libraries to the latest version [version as of writing this article - 3.6.0]. xyz@MacBook1 ~ %/ bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" xyz@MacBook1 ~ % brew update xyz@MacBook1 ~ % brew install openssl@3 xyz@MacBook1 ~ % openssl version Solution: If you have a pem file which can be opened in a text editor and it shows BEGIN and END lines with hashes, skip to the final step #3. Procedure: Save p7b file on a folder and run following openssl pkcs7 command from that folder "openssl pkcs7 -inform DER -in input_file.p7b -print_certs -out output_file.pem" Once it is converted open the cdrts.pem file in a text editor. Individually copy text from BEGIN to END values and save them in separate files, save as .pem extension. Further use following openssl command to fetch the SN# and SHA256 fingerprint against each file "openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256" Sample conversion using above method: xyz@Linux-Host1 % openssl pkcs7 -inform DER -in corphqglobal.p7b -print_certs -out cdrts.pem xyz@Linux-Host1 % openssl x509 -in cdrts.pem -noout -serial -fingerprint -sha256 -dates -subject Other alternate solutions- Although clumsy and not easy to copy paste just the SN or hash you can use an internet browser such as Google Chrome to view certificate details from "view site info" icon (or a pad lock icon on other browsers) next to the the browser address bar Use Chapt GPT or co-pilot and upload p7b file there. I have tried it but not 100% of the times I got the right SN. I would encourage verifying the results with step 4 above. Be careful not to upload any private keys to online AI Tools.Recording: AMA with Professional Services - November 2025 Session 2
In our last AMA with our Professional Services team we dove into two major topics: TLS Inspection and CASB/DLP. These features are critical for improving visibility, securing encrypted traffic, and protecting sensitive data. If you missed the session, don’t worry! We’ve summarized the key points and answered your most pressing questions below. (Slides from the presentation are attached for deeper detail.) Presentation Highlights TLS Inspection Why it matters: Over 90% of internet traffic is encrypted, which is great for privacy but creates blind spots for threats like malware and phishing. Benefits: Organizations enabling TLS inspection block 52% more malicious traffic. Challenges: Complexity, operational burden, and compliance concerns often slow adoption. Cato’s approach: Cloud-native TLS inspection with Safe Mode simplifies rollout, minimizes disruption, and includes automatic bypass lists for problematic apps. Best practices: Block QUIC/GQUIC, manage bypass lists, and roll out gradually in phases. CASB & DLP Purpose: Protect sensitive data, ensure compliance, and gain visibility into SaaS usage. CASB: Focuses on application control—monitoring activities like uploads/downloads and enforcing granular policies. DLP: Adds content inspection to prevent data leaks based on patterns, sensitivity labels, or custom rules. Implementation: Start with monitoring, then enforce policies gradually. TLS inspection is a prerequisite for both. Q&A Highlights Q1: Is TLS Inspection becoming more popular? Yes! Adoption has improved significantly since the introduction of Safe TLS Mode, which uses a wizard to simplify configuration and automatically applies recommended bypasses. This reduces risk of breaking apps and makes rollout less intimidating. Q2: What about mobile apps using QUIC? QUIC-based apps (e.g., WhatsApp, Jira) can pose challenges. Recommendations include: Verify automatic bypass settings for native apps. Block QUIC/GQUIC to force fallback to TCP for inspection. Apply exceptions only when necessary. Q3: Will users get notified when DLP blocks an action? Currently, notifications are basic, but enhancements are planned. Soon, users will see alerts like “Action blocked due to company policy” via the client, with more detailed CMA alerts coming later. Q4: Can we filter CASB activities like upload/download? Yes! The Cloud Activity Dashboard shows top activities and allows filtering by action (e.g., upload). You can also drill down into events for detailed visibility. Q5: Is AWS GovCloud supported for log integration? Not at this time. The current integration works with standard AWS S3 buckets. GovCloud support is a common request and may be addressed in future updates. Q6: Any update on combining SDP and EPP into one app? It’s on the roadmap, but no detailed timeline yet. Q7: How to handle bandwidth spikes during patching? Use Bandwidth Management to map update traffic to a lower-priority queue, ensuring critical apps maintain performance during bursts. Thanks to everyone who joined and asked great questions! If you have ideas for more content that we can create that will be useful to you and your team, feel free to leave us a comment or email our community team at community@catonetworks.com. Stay tuned for our next AMA in February :) bring your questions and your favorite warm beverage!
