Cato Networks Knowledge Base

Sync Active Directory Users to Cato SDP Users

In this article we will explain and demonstrate how to configure your Cato account to work with Active Directory (LDAP integration). The feature will allow you to fetch the users and add them automatically to the Cato Management Application. It will NOT authenticate to the AD server.

The sAMAaccountName attribute is used for the name of the User Group in the Cato Management Application.

The sync has two main options:

1. Syncing with a local AD server

2. Syncing with an external AD server

Syncing a Local AD Server

How to sync a local AD server (server behind a Cato site):

  1. Add the AD server to the Hosts screen for the site.

    1. From the navigation menu, select Network > Sites, and select the site.

    2. From the navigation menu, select Site Configuration > Hosts.

    3. Click New and enter the settings for the AD server.

    4. Click Apply and then click Save.

  2. Add a new domain to the LDAP services for the account.

    1. From the navigation menu, click Access > Directory Services, and select the LDAP tab or section.

    2. Click New, and configure the settings for the AD domain.

      • Login DN and Base DN - The unique string for the AD (authenticating for fetched users)

      • Password - The password to access the Active Directory DN

      • Encryption - Select Use SSL to secure the connection, not supported by all servers

    3. Click Save.

  3. Add the AD server (from step 1) as a domain controller (DC) to the domain.

    1. In the panel navigation section, click Domain Controllers.

    2. In the top drop-down menu, select Host, and in the next drop-down menu, select the host from step 1.

    3. Click Save.

  4. Select the AD groups for SDP users and for User Awareness that you are syncing to your Cato account.



    • If no groups are selected, then all AD groups are imported for User Awareness
    • Nested groups are synced if you select the parent group
    1. In the panel navigation section, click User Groups.

    2. Select the AD groups that your are syncing for SDP users and User Awareness.


      Note: Capitalization matters when importing organizational units from Active Directory. ExampleGroup will be treated differently from EXAMPLEGROUP.

      If you change the name of the OUs within Active Directory, please ensure that you also change the selected OUs within the Cato Management Application.

    3. Select Daily Sync SDP User Groups to enable automatically syncing the groups and SDP users each day.

    4. Click Save and Close.

  5. In the Directory Services screen, click Sync Now.

Syncing an External AD Server

If you need to sync an external AD server, then you can perform the same procedure as above.

  • If your Domain Controller is behind an IPsec connection or if you are routing only some subnets to the Socket, be sure to include the IP address of the Cato Management Application in your VPN tunnel routing configuration. Traffic from and to this IP should be routed via the Cato tunnel.

    • Please contact Support to receive the IP address of the Cato Management Application
  • When the UPN and/or email address of an LDAP SDP user has been changed in the AD, the status of the affected LDAP SDP user remains unchanged in the Cato Management Application.

  • When syncing the Azure AD, both the Member and Guest user types are synchronized.

  • Make sure that the first and last names are configured for AD users. Otherwise, users missing a first or last name are NOT synced to your Cato account.

Was this article helpful?

7 out of 7 found this helpful



  • Comment author
    Chris Minder

    The SYNC button is no longer there. Guide needs updating with the correct steps. CC2 portal is new.

    New SYNC option is as below:

  • Comment author
    Christopher Bradski

    If you are configuring the LDAP connection string be sure to put double quotes around fields with spaces, i.e. CN="Admin and Service Accounts"

    Also, imported username are not the samAccount, uid, or cn fields. I expected "christopherbradski" to be used as the login field but in fact was "Christopher Bradski"...

  • Comment author
    Tamir Eliyahu

    Christopher, thank you for your comment.

    1. Double quotes are not required for LDAP connection string with spaces.

    2. The login is displayed as [FIRST_NAME LAST_NAME], that is the reason you see the full name.


Please sign in to leave a comment.