Disable Always-On in Designated Trusted Networks

This article explains how to define Trusted Networks as part of the process of onboarding to Cato. Trusted Networks are protected by a third-party service, and let SDP users bypass Always-On requirements (they can disconnect the Client).


When companies onboard to Cato, there may be a period of time when SDP Clients are deployed on the employees' devices, but not all the offices are configured as Cato sites. These offices are protected with a third-party solution. To ensure that business operations can continue as normal during the onboarding process, you can classify these offices as Trusted Networks.

A network can be classified as trusted based on an HTTPS resource request, a DNS query, or a ping to an IP address or URL. After checking if it is connected behind a Cato site, the Client checks if it is connected to a Trusted Network. This check occurs every time the Client connects, after every network change, and every 30 seconds while connected.

When a host device connects to a Trusted Network:

  1. The Client identifies the network as a Trusted Network. Connect on Boot is disabled, Always-On is bypassed, and the Client does not try to connect (or reconnect) to the Cato Cloud.
  2. As long as the host device is connected to the Trusted Network, the Client remains disconnected.
  3. In the Client, users can click Connect to connect to the Cato Cloud.

This results in a better user experience and increases network performance.

In addition to onboarding, Trusted Networks can be used in any scenario where you want to bypass Always-On at a specific location.

Use Case - Cato Onboarding

Company ABC has 70 offices and over 1000 employees. They are a new Cato customer for remote access, networking, and security solutions. In addition, they plan to configure their Clients to use Always-On. During the Cato onboarding process, the deployment of Clients will be quicker than the deployment of Sockets at all the company’s offices. There is a period where employees will have the Client installed on their device but will work from an office where a Socket has not been deployed but is protected with the company’s old solution.

For the easiest onboarding, the company designates offices secured with the previous security solution as Trusted Networks. This lets SDP users located in the office bypass Always-On and choose to disconnect from the network. Once a Socket is deployed at the office, the SDP users will be able to connect to Cato in Office Mode (not connected to the network).


  • Supported from Windows Client v5.8 and higher

  • Supported only on Clients where a single SDP user account is configured

Classifying a Trusted Network

A Client will classify a network as trusted if any of these criteria are met:

  • HTTPS resource request: Define a URL that is only accessible when connected to the trusted network. After accessing the URL, the Client verifies the response is either HTTP 200 or HTTP 300 and then verifies the certificate

  • DNS query: Define a hostname for the Client to send a DNS request to, and the IP address that is the expected response

  • Ping to an IP address or URL: Define an IP address or URL for the Client to ping. The Client verifies if there is a response with the ICMP protocol
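
A pre-check for the three criteria above, as an added example that is not Cato's Client code or part of the original article: it tests planned definitions from a host on the network and applies the "any criterion met" rule. The function names and the probe hostnames and IP addresses are hypothetical placeholders, and the Client's own probe behavior may differ in detail.

```python
# Added example, not Cato Client code: pre-check Trusted Network definitions.
import http.client
import platform
import socket
import ssl
import subprocess
from urllib.parse import urlsplit

def https_ok(url, timeout=5):
    """True if the URL answers HTTP 200 or 300 and its certificate validates."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    ctx = ssl.create_default_context()  # rejects untrusted chains and hostname mismatches
    conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", parts.path or "/")  # redirects are not followed
        return conn.getresponse().status in (200, 300)
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

def dns_ok(hostname, expected_ip):
    """True if the system resolver returns expected_ip for hostname."""
    try:
        return expected_ip in {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return False

def ping_ok(target, timeout=5):
    """True if one ICMP echo request gets a reply (uses the OS ping tool)."""
    cmd = ["ping", "-n" if platform.system() == "Windows" else "-c", "1", target]
    try:
        return subprocess.run(cmd, timeout=timeout, capture_output=True).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

PROBES = {"https": https_ok, "dns": dns_ok, "ping": ping_ok}
def evaluate(definitions, probes=PROBES):
    """Return per-definition results and True if any criterion is met."""
    results = [(m, args, bool(probes[m](*args))) for m, args in definitions]
    return results, any(ok for _, _, ok in results)

if __name__ == "__main__":  # constructed placeholder definitions below
    results, trusted = evaluate([("https", ("https://intranet.example.internal/",)),
                                 ("dns", ("probe.example.internal", "10.0.0.10")),
                                 ("ping", ("10.0.0.1",))])
    print(*results, f"would classify as trusted: {trusted}", sep="\n")
```

Run it once from a host inside the office and once from an outside network: a definition is only useful if it matches inside and does not match outside.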

Configuring Trusted Networks

You can classify a network protected with a third-party solution as a Trusted Network. Once a network is classified as trusted, any SDP user connecting to that network can bypass Always-On by disconnecting the Client.



To configure trusted networks:

  1. From the navigation menu, click Access > Trusted Networks.

  2. Select a method of classifying a Trusted Network and enter the supporting information.

  3. Click Add.

  4. Repeat steps 2-3 for each Trusted Network.

  5. Enable Trusted Networks and click Save.

    The slider is green when Trusted Networks is enabled, and gray when Trusted Networks is disabled.



  • Comment author
    Johnny ambroisej


    Is it possible for the client to be disabled automatically when it is connected to the trusted network?

  • Comment author
    Eliran Zango

    Hi Johnny,

     The client must continue running in order to detect changes in the network state and determine if the network is still considered a trusted network.

    However, once the client detects a trusted network, the user can disconnect the tunnel.

