Note
Note: The Cato Cloud only supports IPv4 addresses.
This article describes the prerequisites for Sockets to connect to the Cato Cloud, and known limitations for Sockets.
Socket Connection Prerequisites
To securely connect and access resources on your private network behind the Cato Cloud, please ensure that your networking devices and firewalls meet these requirements:
-
These ports are open on firewalls:
-
UDP port 53
-
UDP port 443
-
TCP port 443
-
-
Devices can resolve these URLs:
-
vpn.catonetworks.net
-
cc2.us1.catonetworks.com
-
cc2.catonetworks.com
Note: If this URL is unreachable, then use the actual IP address (see Using Cato IP Addresses (you must be logged in to the Cato Knowledge Base to view this article).
-
steering.catonetworks.com
-
For Sockets running firmware v11.x and earlier, they must be able to resolve these domains:
-
c-me.catonetworks.net
-
d-me.catonetworks.net
-
-
-
TLS inspection and security checks are disabled for the Socket IP
-
Sockets use ICMP packets for Last Mile Monitoring data
-
NTP is used for time synchronization
-
For Sockets that use multiple WAN links, if there is a NAT device between the Socket and the PoP, then it’s possible that one or more of the WAN links can’t connect to the PoP. This can create connectivity issues, such as the HA status of the site is Not Ready.
The PoP uses the source port of each incoming DTLS connection to connect each WAN link to the same logical tunnel. The NAT device may change the source port, and prevent a WAN link from connecting to the same logical tunnel as the other WAN links.
-
Devices with NIC model Intel® Ethernet Connection I219-LM can't connect directly to the Socket MGMT port using the NIC's default settings. This NIC is common in Dell and HP laptops.
-
Workarounds: There are two ways to connect to the Socket MGMT port with this NIC:
-
Connect directly by changing the NIC settings as follows:
-
Set Speed/Duplex to 100 Full
-
Set Legacy Switch Compatibility to Enabled
Note: After configuring these settings, the NIC can connect directly to the Socket, however the Socket will recognize the connection as 100Mbps half-duplex and not full-duplex.
-
-
Connect through a third-party device, such as a switch. The device and Socket must be in the same subnet.
-
-
7 comments
Need to allow DNS to 8.8.8.8 and 8.8.4.4 until socket 8.0 is the firmware shipped with sockets from Factory as this is how cc2 is resolved for the upgrade process. Also, socket logs are sent to socketlogs.catonet.works So the google DNS is used to resolve those two addresses.
NOTE: resolving those addresses from the socket UI is not enough. Socket UI will use the WAN configured DNS settings. These are ignored for socket upgrades and socket log file offload.
Are these still needed, as they don't resolve anything?
Hello Paul!
Thank you for pointing this out! I'm going to investigate it a bit further and get the documentation updated accordingly.
Kind Regards,
Dermot Doran (Cato Networks)
Any updates on this, please?
Hello Paul!
My apologies for not responding earlier. It is no longer a requirement for these URLs to be resolvable. This has actually been the case since v13 of the socket software, but the documentation was not updated accordingly. I will ensure that it is updated as soon as possible.
Thank you (again) for highlighting this.
Kind Regards,
Dermot Doran (Cato Networks).
Prior to Socket v13 it was also necessary to ensure that the following URLs were resolvable:
This is prerequisite is no longer required.
what is the vpn.catonetworks.net??? (not resolvable)
Please sign in to leave a comment.