Cato Socket Connection Prerequisites

Note

Note: The Cato Cloud only supports IPv4 addresses.

The scope of this document is to discuss the prerequisites for Sockets to connect to the Cato Cloud.

To securely connect and access resources on your private network behind the Cato Cloud, please ensure that the your networking devices and firewalls meet these requirements:

  • These ports are open on firewalls

    • UDP port 53

    • UDP port 443

    • TCP port 443

  • Device can resolve the URLs below

    • vpn.catonetworks.net

    • cc2.catonetworks.com

      Note: If this URL is unreachable, then use the actual IP address (see Source IP Address for the Cato Management Application (you must be logged in to the Cato Knowledge Base to view this article).

    • steering.catonetworks.com

    • For Sockets running firmware v11.x and earlier, they must be able to resolve these domains:

      • c-me.catonetworks.net

      • d-me.catonetworks.net

  • TLS inspection and security checks are disabled for the Socket IP

  • Sockets use ICMP packets for Last Mile Monitoring data

  • NTP is used for time synchronization

Was this article helpful?

5 out of 8 found this helpful

7 comments

  • Comment author
    Jeff Aronow

    Need to allow DNS to 8.8.8.8 and 8.8.4.4 until socket 8.0 is the firmware shipped with sockets from Factory as this is how cc2 is resolved for the upgrade process.  Also, socket logs are sent to socketlogs.catonet.works  So the google DNS is used to resolve those two addresses.

    NOTE: resolving those addresses from the socket UI is not enough.  Socket UI will use the WAN configured DNS settings.  These are ignored for socket upgrades and socket log file offload.

  • Comment author
    Paul Howard

    Are these still needed, as they don't resolve anything?

    • c-me.catonetworks.net
    • d-me.catonetworks.net 
  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello Paul!

    Thank you for pointing this out!  I'm going to investigate it a bit further and get the documentation updated accordingly.

    Kind Regards,

    Dermot Doran (Cato Networks)

  • Comment author
    Paul Howard

    Any updates on this, please?

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello Paul!

    My apologies for not responding earlier.  It is no longer a requirement for these URLs to be resolvable.  This has actually been the case since v13 of the socket software, but the documentation was not updated accordingly.  I will ensure that it is updated as soon as possible.

    Thank you (again) for highlighting this.

    Kind Regards,

    Dermot Doran (Cato Networks).

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Prior to Socket v13 it was also necessary to ensure that the following URLs were resolvable:

    • c-me.catonetworks.net
    • d-me.catonetworks.net 

    This is prerequisite is no longer required.

  • Comment author
    akei hsu

    what is the vpn.catonetworks.net??? (not resolvable)

Add your comment