Installing and Running the Linux Client (v5.1 and above)

This article explains how to install and run the Cato Linux Client v5.1.

Overview of the Linux v5.1 Client

Starting with version 5.1, the Linux Client supports Device Posture checks that can be included in your Client Connectivity and Security policies. This version also includes support for user awareness, automatic upgrades that are managed by Cato and SSO without a browser.


  • Supported Linux OS versions for 64-bit (X86_64):
    • Ubuntu v18 or higher
    • CentOS v8 and higher
    • Fedora v36 and higher
    • Debian v11 and higher
    • Mint v20.3 and higher
  • For SSO and GUI-based features:

    • All Linux desktop versions are supported (e.g. Gnome and KDE)

    • Define a default browser for the device (generally the default setting is for GNOME)

    • Headless SSO is supported for Azure only. For more information on how to configure Azure SSO, see Configuring Azure SSO for Your Account

  • The installation and execution scripts are run from the CLI, and require you to open a terminal app

Known Limitations

  • Automatic re-authentication is not supported. End-users must re-authenticate to the IdP in the browser.

Installing the Linux Client

Download the Client file and run it on your Linux device.

To install the Client on a Linux device:

  1. From the Client download portal, select the Linux tab and download the Client.

    The following file types are available:

    • .rpm (Red Hat Package Manager)

    • Debian (.deb)

  2. Run the Client file:

    • For the .rpm file, enter the following command in the terminal: sudo rpm -i cato-client-install.rpm

    • For the Debian file, enter the following command in the terminal: sudo dpkg -i cato-client-install.deb

Running the Linux Client

To connect the Client to the Cato Cloud on a browser based device, run the command: cato-sdp start

To connect the Client to the Cato Cloud on a headless (without a browser) based device, run the command: cato-sdp start --account <account name> --user <SDP user's email address>


Note: The account name is the account Subdomain. To find the Subdomain, navigate to Access > Single Sign-On.

Browser Authentication

On device with a browser, after you run the start command a browser opens. You can use the browser to authenticate to Cato using the authentication method configured for your account.

Headless SSO (Authentication Without a Browser)

To authenticate with SSO on devices without a browser, you can use a different device that has a browser to authenticate on behalf of the headless device.

Overview of Headless SSO

You can use headless SSO to authenticate SDP users in non-browser environments, for example a command line tool or a printer, without requiring a browser. With headless SSO you can use a different device, that has a browser, to authenticate on behalf of the non-browser device. After successfully authenticating through the browser, the non-browser device connects to the Cato Cloud.

Silent re-authentication is not possible with headless SSO. After the token expires, SDPs users are required to re-authenticate.

Authenticating with Headless SSO

Headless SSO lets you authenticate on devices without a browser.

To authenticate on a headless device:

  1. On the headless device, run the command: cato-sdp start --account <account name>--headless
    A unique code and URL are returned.


    - The account name is the account Subdomain. To find the Subdomain, navigate to Access > Single Sign-On.
    - For authentication without SSO, add the parameter --no-sso
    - The --headless parameter is not required in version and higher

  2. On a device that has a browser, access the URL and enter the unique code.
  3. Sign in with your SSO credentials.

The headless device is connected to the Cato Cloud.

Actions for the Linux OS Client

These are the actions that you can use in the Linux Client. Preceded each parameter with cato-sdp.




The Client connects to the Cato Cloud


The Client disconnects from the Cato Cloud


Displays the list of available arguments


Displays the connectivity status


Display the Client version


Contact Technical Support


Update the Client to the latest version


Import device certificate

Arguments for the Linux OS Client

These are the optional arguments that you can use for different features and settings when you run the Client. Each arguement should be preceded by cato-sdp start.



--address <PoP IP address>

The Client connects to a specific Cato PoP based on the IP address of the PoP. (For a list of IP address of Cato's PoPs, see Production PoP Guide). The default behavior is that the client automatically connects to the best PoP in the Cato Cloud.

--append {head|tail}

Preserves the existing configuration in /etc/resolv.conf.

When connected, the Client replaces /etc/resolv.conf with the DNS configuration received from Cato. Using this parameter appends the Cato configuration to the existing configuration.

  • head - adds the DNS configuration from Cato before the existing configuration, giving preference to the Cato configuration.

  • tail - adds the DNS configuration from Cato after the existing configuration, giving preference to the existing configuration.In both cases, /etc/resolv.conf is restored to its original contents on disconnection.

If Split Tunnel is enabled in the Cato Management Application, this parameter is ignored and the Client always replaces the contents of /etc/resolv.conf.



Sets the file (floglevel) or global (gloglevel) logging settings for the Client:

  • 0 - verbose

  • 1 - debug

  • 2 - info

  • 3 - warning

  • 4 - error

  • 5 - none



The Client runs in headless mode.

no-sso prompts the SDP user for a password. Use this argument on a headless device in accounts with no SSO authentication configured. 


Shows the help screen.

--metric _metric_

The route created for VPN traffic (see --route).

If not specified, this route has the highest priority on the system (identical to specifying --metric 0).


Changes the DTLS port (443 or 1337), port 443 is the default setting.

--reconn _seconds_

Following a disconnect, the number of seconds the Client waits before attempting to reconnect. The Client attempts to reconnect at this interval until a connection is established or the client is stopped externally.

If this parameter is not specified, the client attempts to reconnect once and if unsuccessful, exits immediately.


Uses a registration code to authenticate to the Client.


A single subnet that is routed to the tunnel instead of the default route. For example: --route creates a specific route so only this subnet is routed through VPN.

If not specified, the Client adds a default route so all traffic is routed through the VPN on the device (identical to specifying --route

--user, --account, --password, --reset-password, --reset-cred

Cato user credentials. These values are optional for users that authenticate with the web browser.

password is optional. When a password is required, the user is prompted to add a new one.

reset-cred resets all the user credentials and removes the authentication token (supported on v5.0 and higher).


Note: We don't recommend using the --password argument.


Uses systemd-resolv (instead of editing /dev/resolv.conf directly). The values for this parameter are:

  • 1 - true

  • 0 - false (default value)

When using the --use-systemd-resolv parameter with the Client, do NOT use the append parameter.


Shows information about the Client version.


Enter a MFA code

Arguments for Client File Parameters

You can save the arguments for the Linux Client to a file, and then load the parameters when you start the Client. These are the arguments for the Client file:




Uses the parameter values stored in the file previously with --save.

You can override any stored setting by specifying it on the command line.

Since the credentials are also stored in this file, make sure you keep it private as anyone can use this file to connect with the saved credentials. The password is saved in hashed form (SHA-256 with salt).

Alternately, you can store an empty or incorrect password in the file and specify the correct one on the command line. For example: --load _file_ --password '******'


Saves all arguments passed on the command line to the given file for use with the --load parameter.


Display the settings stored in the file using --save.

Arguments for Device Authentication with Certificates

This section contains arguments that are used for the Linux Clients that use Device Authentication with a device certificate. For more information, see Installing Device Certificates on Linux Devices.



--cert <certificate path>

Path to the certificate file for Device Authentication. The default path is:


Was this article helpful?

2 out of 5 found this helpful


Add your comment