This article explains how to configure your account to use an alternate UDP port for DTLS tunnel traffic for Socket sites and Clients.
In some locations with restrictive network controls or traffic filtering, DTLS tunnels using UDP port 443 can experience connectivity issues such as packet loss. Cato lets you configure UDP port 1337 as a preferred DTLS port for Socket and Client traffic to improve connectivity.
By default, DTLS tunnels for Socket site and Client traffic use UDP port 443 as the preferred port, and fall back to port 1337 when connectivity issues are experienced. The System Settings page lets you enable an account-level setting that changes the preferred port for DTLS traffic to UDP port 1337, with port 443 as fallback. This setting applies to traffic for Socket sites and Client users located in China. Traffic for other locations is not impacted.
As a best practice, Cato recommends configuring the alternate UDP port for accounts with Socket sites and Client users located in China. For accounts where this is relevant, a posture check is added. For more about posture checks, see Reviewing Posture Checks for Your Account.
Notes:
- When you enable the alternate UDP port setting, the DTLS tunnels for Socket sites reconnect, which may briefly impact connectivity.
- As of May 11, 2026, new accounts have the system setting for alternate DTLS UDP port enabled by default.
- For Socket sites - Socket v26 and higher
- For Client traffic - Windows Client v6.4 and higher
Use the System Settings page to enable the alternate DTLS UDP port setting for the account.
To configure the alternate DTLS UDP Port:
- From the navigation menu, click Resources > System Settings.
- In the Alternative DTLS Port section, use the toggle to enable the setting.
  Note: When you enable this setting, the DTLS tunnels for Socket sites reconnect, which may briefly impact connectivity.
- Click Save. The configuration settings are saved.