Cato Networks Knowledge Base

Local & VPN Users: LDAP Import vs. User Awareness

Introduction

Cato can distinguish between internal and remote users. Internal users are located inside the local network of each office, while remote users are VPN users working from home or on the road.
VPN users use the Cato client to connect to local resources. By design, they are easy to identify, since each has a unique profile installed in their client. In the Topology page of the Cato Management Application (the main page), they are also easily distinguishable by a dedicated laptop icon (the icon matches the user's OS).

Note: if there are many users connected, they're all aggregated to a User icon.

Internal users, on the other hand, don't have any client installed (or at least not activated), and require additional Active Directory authentication in order to identify them. The AD integration allows mapping between the workstation IP address of the user and the user currently logged in on that machine.

LDAP Import for VPN Users

The most basic way of creating VPN users is by adding them manually one by one. Naturally, this is not scalable. For large deployments it is highly recommended to use the existing Active Directory and import users from a specific group. The process of importing existing users from AD is called LDAP import, since it uses the LDAP protocol to communicate with the AD.
LDAP import automates importing users from a specified AD group and then sending them an invite to install the Cato client.

User Awareness of Internal Users

When reviewing the traffic Analytics of various sites, you see only the IP addresses of servers and PCs. As mentioned above, internal PCs don't have any client installed on them, so there is no visibility into the actual user using the machine.
The User Awareness feature can correlate the machine's IP with the user logged in on it. Like LDAP import, it is also based on Active Directory integration. In this case, Cato goes over the Domain Controller login logs and maps each user to their workstation IP. User Awareness requires deeper integration, since special services must be enabled on the Domain Controller, and Cato's user needs additional permissions in order to read the logs.
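To make the IP-to-user correlation described above concrete, the following Python is an added example (not Cato's code, and not real Domain Controller output): it reads a few constructed logon records, keeps the most recent user per workstation IP, and uses that mapping to enrich traffic records that otherwise show only IP addresses. The log format, account names and addresses are all made up for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Domain Controller logon records (invented format, not Windows or Cato output):
# "<ISO-8601 timestamp> LOGON user=<account> src=<workstation IP>"
DC_LOGON_LOG = """\
2024-03-01T08:00:12Z LOGON user=CORP\\alice src=10.20.1.15
2024-03-01T08:02:40Z LOGON user=CORP\\bob src=10.20.1.22
2024-03-01T08:05:03Z LOGON user=CORP\\svc-backup src=-
2024-03-01T12:30:00Z LOGON user=CORP\\carol src=10.20.1.15
"""

LOGON_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+)$")


def build_ip_user_map(log_text: str) -> Dict[str, Tuple[str, str]]:
    """Map workstation IP -> (user, timestamp) of the most recent logon seen.

    Records without a source IP (src=-), e.g. service or local logons, carry no
    workstation to correlate and are skipped. ISO-8601 timestamps in UTC sort
    lexicographically, so a plain string comparison picks the newest logon.
    """
    mapping: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # ignore lines that are not logon records
        ts, user, src = m.groups()
        if src == "-":
            continue
        # A later logon on the same IP replaces the earlier user (shared PCs, DHCP reuse).
        if src not in mapping or ts >= mapping[src][1]:
            mapping[src] = (user, ts)
    return mapping


def enrich_flows(flows: List[Tuple[str, str]],
                 ip_user_map: Dict[str, Tuple[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """Attach the mapped user to each (source IP, destination) traffic record.

    Unmapped sources stay None: a server, an unmanaged device, or an IP whose
    logon was never observed should be shown as unknown rather than guessed.
    """
    return [(src, (ip_user_map.get(src) or (None, None))[0], dst) for src, dst in flows]


# Constructed traffic records as seen without User Awareness: only IP addresses.
SAMPLE_FLOWS = [("10.20.1.15", "10.20.5.10:443"), ("10.20.9.99", "10.20.5.10:445")]
```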

Directory Services Configuration

Both LDAP import and User Awareness are configured under the following menu:

Configuration => Global Settings => Directory Services

Pay attention to the following items:

  • Domain configuration is required for both features.
  • LDAP Authentication Connection and Domain Controllers options must be filled in for both features as well.
  • Import VPN Users from Directory Service groups and all its sub-menus are relevant only for VPN users configuration.
  • Import Directory Service Groups and Users and Domain Controllers for Real Time Sync are exclusive for User Awareness.

Comments

  • Dennis Nielsen

    What is the source IP address of these LDAP connections? I expect 10.254.254.?? 

  • Yaakov Simon

    Dennis,

    Are you asking regarding a third-party firewall? You can find that information for User Awareness here.

    Thanks,

    Yaakov
