Connecting Sites to the Cato Cloud

This article discusses options and details for connecting sites to the Cato Cloud, for physical offices and cloud-based data centers.

Cato SASE vs SSE Services

Cato offers two services to connect sites to the Cato Cloud, SASE and SSE. SASE is a comprehensive, cloud-native service that converges networking and security capabilities, while SSE focuses on security. For customers using SASE, they rely on our backbone for SD-WAN features. With SSE, customers can use a third-party network as their SD-WAN, which can integrate with Cato using IPsec solutions and rely on secure Internet connectivity from the Cato Cloud.

Cato Sockets provide significant advantages for holistic SASE services, including last-mile acceleration and optimal synchronization with the Cato PoP due to a shared code base. For more details, see below Sockets vs IPsec Sites.

Overview of Site Types

There are types of connections that you can use to connect a site to the Cato Cloud. Each connection type provides distinctive benefits and is chosen based on specific use cases, performance requirements, and existing infrastructure. These are the connection types for sites:

  1. Cato Socket and vSocket - Easy to set up at physical premises and virtual cloud data centers.

    The Socket is a user-friendly SD-WAN device that connects your office or data center to the Cato Cloud service. There are different Socket models to fit the requirements of the specific physical site and virtual Sockets (vSockets) for cloud data centers. Setting up the Socket is a quick and automated process, taking just a few minutes and no complicated configurations for physical or virtual devices.

  2. IPsec Tunnel - Connect existing appliances and solutions to the Cato Cloud.

    If you have existing third-party appliances like firewalls or routers, you can still connect them to the Cato Cloud using a secure IPsec tunnel. The appliance connects to a PoP in the Cato Cloud over the public Internet.

  3. Cross Connect Connectivity - Direct physical connections to data centers.

    For physical and cloud-based data centers with a high volume of traffic, you can use Cross Connect to directly connect them to the Cato Cloud. This option gives you a direct and fast connection to your data centers without any intermediate devices.

This table summarizes the different connection types:




Cross Connect






Up to 10 Gbps

Up to 5 Gbps

Up to 10 Gbps

High performance and minimal latency


Full monitoring and visibility

Partial (e.g no packet loss visibility)

Partial (e.g no packet loss visibility)


Upstream and downstream



High Availability Details

Full HA – Up to 4 different tunnels, with recovery mechanisms

Active/Passive – 2 different PoP Locations

Active/Passive – 2 different PoP Locations




Only available at specific PoP locations

BW must be 400 Mbps and higher

Sockets vs IPsec Sites

Sockets provide several advantages and features that are not supported by IPsec.

  • Last-Mile Optimization: Sockets include these traffic optimization features:

    • Packet size optimization

    • TCP acceleration

    • MTU optimization

    • Packet duplication

    • Per-packet load balancing

  • Improved Metrics and Visibility: Sockets let you view extensive metrics for network traffic measured every second, including:

  • Centralized Management: The Cato Management Application handles all Sockets through a single interface, reducing complexity and ensuring consistency across all sites.

    IPsec sites may require separate configuration and updates and could potentially have inconsistent settings and performance.

  • Better Performance and Stability: Sockets dynamically connect to the best PoP location for optimal performance. If a PoP experiences performance issues, all Sockets will automatically switch to a different one.

    IPsec connections are statically connected to one PoP location and don't offer this level of performance adaptability and are more likely to suffer from performance and connectivity issues.

  • Internet and WAN Resilience: In the unlikely event that the Cato Cloud PoP is unavailable, Sockets have a backup mechanism, and the Sockets continue to provide Internet and WAN connectivity for the site.

    IPsec doesn't provide the same level of resilience, potentially impacting your site's connectivity if there are PoP issues.

  • Simplified High Availability: Two Sockets can operate in active/passive High Availability (HA) mode, ensuring continuous service in case of a failure related to the physical Socket.

    HA for third-party appliances and solutions often requires an additional complex setup.

  • Improved Security: Sockets automatically use encrypted tunnels for secure connections, reducing vulnerabilities and enhancing overall security.

    While IPsec also offers secure connections, if not configured and managed correctly then it's liable to be more vulnerable.

  • Flexibility for Hybrid Environments: Sockets can communicate through different transports, including MPLS or direct site-to-site tunnels, allowing flexibility in how your sites connect.

  • Bandwidth Management: Sockets and the Cato Cloud apply end-to-end bandwidth management for all traffic types to ensure that critical applications receive the necessary bandwidth. Centrally manage the bandwidth policies and profiles in the Cato Management Application.

    Sophisticated bandwidth management may not be as straightforward to implement with IPsec. Bandwidth management for IPsec sites is only for downstream traffic (from the Cato Cloud to the site).

  • Packet Loss Mitigation: Cato's proprietary technology lets Socket intelligently optimize the Last Mile service and mitigates packet loss to provide a highly optimized network and improved user experience.

    IPsec tunnels do not provide the same level of packet loss mitigation, potentially impacting network performance.

Was this article helpful?

0 out of 0 found this helpful


Add your comment