Working with Managed Networks

This article explains how to define Managed Networks in Cato Networks. Managed Networks can be used as a parameter on which you base your Access policies.

Overview

Cato gives you granular control over how user traffic is routed and when Always-On is enforced, based on the type of network the user is connected to.

This network classification allows you to integrate with existing security architectures while ensuring consistent traffic handling across trusted, managed, and unmanaged environments.

The Cato Client determines its configuration at runtime using specific criteria, such as:

  • Whether it identifies that it is behind a Cato site (Socket, IPsec, vSocket)
  • Whether it can successfully receive a response from a pre-defined probe to a given destination

Based on these conditions, the Client applies one of the following behaviors:

  • Behind a Cato site (Office Mode) - If the Client identifies that it is behind a Cato site, Office Mode is enabled and all traffic is routed through Cato.
  • Behind a Managed Network - If the Client is not behind a site, it checks whether the network is defined as Managed. If so:

    • Managed Network (not trusted) - The tunnel to Cato is maintained, and the Split Tunnel policy is applied. Only certain traffic is routed through Cato (e.g., Internet-bound traffic), while other traffic is routed through the third-party firewall.
    • Trusted Managed Network - If the network is also marked as Trusted, Always-On is suspended, the Client disconnects from the Cato tunnel, and all traffic is routed through the third-party firewall.
  • Unmanaged Network - If the network is neither behind a site nor defined as Managed (e.g., your home WiFi, airport, hotel, coffee shop), it is considered a public network and treated as Unmanaged. All traffic is routed through Cato.

Use Case - Gradual Onboarding to Cato

Company ABC has 70 offices and over 10,000 employees. They are a new Cato customer that will use the Cato Client for networking and security solutions with Always-on to provide Internet security (in line with the company’s UZTNA best practices). During the Cato onboarding process, the company will deploy the Clients over a few weeks, whereas SD-WAN will be gradually deployed in 20 offices over the next several months. The offices are protected by a third-party vendor until that time.

The company designates the network ranges for the physical offices as Managed networks. The admin creates a rule in the Split Tunnel policy to route the traffic based on the network source:

  • Managed network - Users are connected behind a site that has not been onboarded to Cato. Only Internet traffic is routed to the Cato Cloud for added security.
  • Unmanaged network - Remote users; all traffic is routed to the Cato Cloud.

Prerequisites

  • Supported from Windows Client v5.17 and higher
  • Supported from macOS Client v5.11 and higher

How We Detect a Managed Network

You can configure Network Checks to define what counts as a Managed network. The Client uses pre-defined probes to identify whether the network it is connected to is a Managed network. This check runs every time the Client connects, after every network change, and every 30 seconds while connected.

The Client sends out probes to check for connectivity to different types of internal resources:

  • HTTPS resource request: Define a URL that is only accessible when connected to the managed network. After accessing the URL, the Client verifies that the response is either HTTP 200 or HTTP 300, and then verifies that the certificate is trusted according to the local machine's certificate store
  • DNS query: Define a hostname for the Client to send a DNS request to, and the IP address that is the expected response
  • Ping to an IP address or URL: Define an IP address or URL for the Client to ping. The Client verifies that an ICMP reply is received

(Figure: Managed_Network.png)

If any of the checks is satisfied, the source network is considered Managed. If all of the checks fail, the network is considered Unmanaged.

(Figure: Unmanaged_Network2.png)

When behind a Cato site, the Client transitions seamlessly to Office Mode, as described above.

For example, the internal company DNS server uses the hostname companyabc.local, which resolves to 10.10.10.26. So you would define the Managed network with a DNS query check for the hostname companyabc.local and the expected response 10.10.10.26.
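The following is an added model of the decision logic described above (Office Mode first, then any satisfied probe makes the network Managed, otherwise Unmanaged), not Cato's own Client code; the probe outcomes, the HTTPS probe URL and the home-network values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

class Mode(Enum):
    OFFICE = "Office Mode: all traffic via Cato"
    MANAGED = "Managed: tunnel kept, Split Tunnel policy applied"
    TRUSTED = "Trusted: Always-On suspended, tunnel disconnected"
    UNMANAGED = "Unmanaged: all traffic via Cato"

@dataclass
class Probe:
    kind: str                          # "https", "dns" or "ping"
    target: str                        # URL, hostname or IP address
    expected_ip: Optional[str] = None  # DNS probes only

@dataclass
class ProbeResult:
    """Constructed outcome of one probe; a real Client obtains this from the network."""
    http_status: Optional[int] = None  # HTTPS probe
    cert_trusted: bool = False         # HTTPS probe: chain validates against the local store
    resolved_ip: Optional[str] = None  # DNS probe
    icmp_reply: bool = False           # ping probe

def probe_satisfied(probe: Probe, result: Optional[ProbeResult]) -> bool:
    """A probe counts only when its full success condition holds, not on any reply."""
    if result is None:
        return False
    if probe.kind == "https":
        return result.http_status in (200, 300) and result.cert_trusted
    if probe.kind == "dns":
        return result.resolved_ip is not None and result.resolved_ip == probe.expected_ip
    if probe.kind == "ping":
        return result.icmp_reply
    raise ValueError(f"unknown probe type {probe.kind!r}")

def classify(behind_cato_site: bool, probes: List[Probe], results: Dict[str, ProbeResult],
             all_managed_are_trusted: bool) -> Mode:
    """Decision order from the article: site first, then Managed (any probe), else Unmanaged."""
    if behind_cato_site:
        return Mode.OFFICE
    if any(probe_satisfied(p, results.get(p.target)) for p in probes):
        return Mode.TRUSTED if all_managed_are_trusted else Mode.MANAGED
    return Mode.UNMANAGED

# Constructed data: the article's DNS example plus a hypothetical HTTPS probe URL.
PROBES = [Probe("dns", "companyabc.local", expected_ip="10.10.10.26"),
          Probe("https", "https://intranet.companyabc.local/probe")]
OFFICE = {"companyabc.local": ProbeResult(resolved_ip="10.10.10.26")}
# Home network: the name resolves to a different IP and the HTTPS endpoint answers
# with an untrusted certificate, so neither check passes and the network is Unmanaged.
HOME = {"companyabc.local": ProbeResult(resolved_ip="192.168.1.1"),
        "https://intranet.companyabc.local/probe": ProbeResult(http_status=200, cert_trusted=False)}
```

Note that a matching DNS answer alone is enough, so the expected IP must be one that only the internal resolver returns.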

Configuring Managed Networks

To designate a network as managed, first create a Managed Network object in the Cato Management Application (CMA). This object represents a network, such as an office or known corporate location. The customer must also define the probe that the Client uses to identify when it is operating within this network. These probes may include DNS, HTTP, or Ping (ICMP packets). When the Client detects a match based on the defined probes, it classifies the network as managed and applies the relevant policies accordingly.

Note: You can define up to 5 Network Checks of type HTTPS Response.

(Figure: Trusted_Networks.png)

To configure managed networks:

  1. From the navigation menu, click Access > Managed Networks.
  2. Click New and configure the following:

    • Name of the probe
    • (Optional) A description of the probe
    • Type of probe: HTTPS, DNS query, or ping
    • Hostname or IP address of the probe
  3. Click Save.
  4. Repeat step 2 for each Managed Network.
  5. Enable Managed Networks and click Save.

    The slider is green when Managed Networks is enabled, and gray when Managed Networks is disabled.

Configuring Trusted Networks

For scenarios where you are routing all the traffic to the destination, and not to the Cato Cloud, you can define all of your Managed Networks as Trusted. When a host device connects to a Trusted Network:

  • The Client identifies the network as a Trusted Network, Connect on Boot is disabled, Always-On is bypassed, and the Client does not try to connect (or reconnect) to the Cato Cloud
  • As long as the host device is connected to the Trusted Network, the Client remains disconnected, and the Split Tunnel policy is not applied
  • Users still have the option to click Connect in the Client, and the device is connected to the Cato Cloud

    For example, developers who need to access a dev environment that is protected by the Cato Cloud can connect manually.

To configure all managed networks as trusted:

  1. From the navigation menu, click Access > Managed Networks.
  2. Navigate to the Settings tab.
  3. Select the Define all managed networks as Trusted Networks checkbox.
  4. Click Save.


4 comments

  • Johnny ambroisej

    Hi,

    Is it possible for the client to be disabled automatically when it is connected to the trusted network?

  • Eliran Zango

    Hi Johnny,

    The client must continue running in order to detect changes in the network state and determine if the network is still considered a trusted network.

    However, once the client detects a trusted network, the user can disconnect the tunnel.

    Eliran

  • Brett Howard

    I just want to confirm, are socket locations automatically considered trusted locations? We have SDP users that sometimes come into the office, when they come in the office will it see it as a trusted location when it displays “Office Network Detected”?

  • Eliran Zango (edited)

    Hi Brett,

    The client considers socket networks as trusted networks.

    When the socket network is detected, the client will display an "office network" indicator, and network traffic will securely route through the socket.

    Eliran