ChatGPT Blocks Traffic from the Cato Cloud


ChatGPT uses Cloudflare to protect its servers from cyber threats. However, in certain cases, Cloudflare may mistakenly flag Cato traffic as suspicious VPN traffic, resulting in blocks. Additionally, if the user's ChatGPT traffic appears to be originating from a different country than the physical location of their device, it can trigger suspicion and subsequent blocking.

For more information about websites blocking Cato Cloud traffic, see Websites Blacklisting Cato IP


When attempting to log in to ChatGPT while connected to Cato, you may encounter the following error message:


Suggested Workarounds

The solution suggested in this article is based on best effort. Apart from the reasons which are provided above, there could be other external factors that can also contribute to the issue. Our proposed solution consists of two configuration steps:

  1. Configuring the Internet Firewall Rule: In this step, the Internet firewall rule is adjusted to block GQUIC/QUIC apps and services.
  2. Configuring the Network Rule: This step involves setting up a backhauling network rule to redirect the traffic to the user's country of origin.

Internet Firewall Rules

The first step is to ensure proper handling of GQUIC and QUIC traffic. However, if they are not automatically configured (when enabling CASB/DLP/TLSi), it is crucial to manually set them up.

As a best practice, these GQUIC and QUIC rules should be positioned at the top of the Internet Firewall rule. This ensures that all flows related to ChatGPT are accurately redirected. For more information regarding GQUIC and QUIC, please refer to the Internet-and-WAN-Firewall-Policies-Best-Practices article. For configuring the Internet Firewall Rule, refer to Managing-Internet-Firewall-Rules.


Network Rules

In the Network Rules, setup a backhauling network rule. It is important to include both the ChatGPT application and the OpenAI application in the rule to ensure that all ChatGPT related flows are egressed directly from customer's ISP.

There are two options for implementing the backhauling network rule: "Backhaul via" and "Backhaul hairpinning". Regardless of the option chosen, the traffic will still pass through the security stack provided by CATO before it is egressed from the customer's ISP. This ensures that the traffic remains secure and compliant with the configured security rules in the CMA.

Backhaul Via Option

The below screenshot is an example of a rule that uses Backhauling via option to egress ChatGPT and OpenAI application traffic for a SDP user. For more information about configuring backhauling rules, see Backhauling Traffic via a Socket's WAN Interface IP Address .


Backhaul Hairpinning Option

The below screenshot is an example of a rule that uses Backhauling hairpinning option to egress ChatGPT and OpenAI application traffic for a site. For more information about configuring backhauling rules using the Backhauling hairpinning option, see Hairpinning-Traffic-to-the-Same-Site


Was this article helpful?

1 out of 1 found this helpful


Add your comment