Settings That Can be Modified by Cato Support

There are many advanced settings that can be modified on an account or site level by Cato Support. Many of these settings are not visible in the Cato Management Application or the Socket, so please contact us if you would like any of these settings applied.


Setting Description Default Value
Application Finalization Increases the time that Cato waits before finalizing application identification. 2000 milliseconds
Force Fragmentation Forces fragmentation of packets even if the DF bit is set. Each app that requires fragmentation must be defined. Disabled



Setting Description Default Value
Dangling SAs Force Cato to rekey phase 2 following a phase 1 rekey. If phase 2 is not expired, use the existing SAs.
Phase 1 Lifetime Change the Phase 1 lifetime.

AWS/Azure: 28800 seconds

Generic: 86400 seconds

Phase 2 Lifetime Change the Phase 2 lifetime. 3600 seconds



Setting Description Default Value
Cato Service Range Change the subnet reserved by Cato for system traffic.
ICMP Keep Alive Generate an ICMP keep alive through a tunnel. Disabled
Max Flows per Host Changes the maximum number of flows that a single IP can open at once. 20,000
Max Hosts per Tunnel Changes the maximum number of hosts per tunnel 10,000



Setting Description Default Value
Whitelist IP Prevent any client IP address from being blocked by any Cato security policy. Useful for vulnerability scans. Disabled
Whitelist IPS signature Whitelist specific threats from IPS for the whole account Disabled 



Setting Description Default Value
Bypass Flow Timeout Change the flow timeout for bypassed traffic on the Socket. Can also be adjusted in the Socket Web UI under Cato Connection Settings, but it will be reset back to default following a reboot or tunnel disconnect. 60 seconds
GUI Access from Internet Allows access to the Socket GUI from the Internet, such as through Remote Port Forwarding. Access to the Socket GUI from the internet is blocked.
HA Change HA failover behavior depending on whether the Socket has internet access or a tunnel established to a PoP. Also sets the grace time for failover. If a Socket loses internet access, failover will occur in 10 seconds. If the Socket has internet access but no tunnel established to a PoP, failover will not occur.
MTU Change the Socket's WAN interface MTU. MTU is set using PTMUD from the PoP to the Socket.


Preferred IP Change the PoP preferred IP for a Socket. This can also be done in the Socket Web UI under Cato Connection Settings. Dynamic


User Awareness (UA)

Setting Description Default Value
Event IDs Excludes a Windows Event ID generated on a Domain Controller from triggering an IP mapping for a user. Event IDs 4768, 4769, 4770, 4624, 5145, 5140
Windows UA Enables UA for other operating systems other than Windows.

Windows only


SDP Client

Setting Description Default Value
MFA Prompt Grace Time When "Always Prompt" is enabled for MFA authentication, this setting determines how long a Client will not be prompted for an MFA code on future reconnects following a successful connection. 5 minutes
SSO Expiration Period Change the SSO cookie expiration period. This setting determines when a VPN user authenticating with SSO will need to re-enter credentials. 30 days
Blocklist of OS for SDP Client Identify the Client OS type, and if it appears in the account blocklist - fail the connection process Disabled 
Cato Client behind Socket Detects if a Cato Client is behind a socket or not. If a socket was detected, the Socket tunnel will take precedence over the client tunnel Enabled 


Was this article helpful?

1 out of 1 found this helpful


Add your comment