Cato Networks Knowledge Base

Cato Client Arguments - Linux OS

This article lists the arguments that you can run on the Client for the Linux OS version 2.2.0 and higher.

Running the Client

To run the Client on a Linux device:

  • In the directory where the Client is installed, run the following command with the required arguments: ./ start

Arguments for the Linux OS Client

These are the arguments that you can use for different features and settings when you run the Client.



--address _ip-address_

The Client connects to a specific Cato PoP (contact Support for the specific IP address). By default, the Client automatically connects to the best PoP in the Cato Cloud.

--append {head|tail}

Preserves the existing configuration in /etc/resolv.conf.

When connected, the Client replaces /etc/resolv.conf with the DNS configuration received from Cato. Using this parameter appends the Cato configuration to the existing configuration.

  • head - adds the DNS configuration from Cato before the existing configuration, giving preference to the Cato configuration.

  • tail - adds the DNS configuration from Cato after the existing configuration, giving preference to the existing configuration.

In both cases, /etc/resolv.conf is restored to its original contents on disconnection.

If Split Tunnel is enabled in the Cato Management Application, this parameter is ignored and the Client always replaces the contents of /etc/resolv.conf.


Shows the help screen.

--metric _metric_

The metric of the route created for VPN traffic (see --route).

If not specified, this route has the highest priority on the system (identical to specifying --metric 0).

--reconn _seconds_

Following a disconnect, the number of seconds the Client waits before attempting to reconnect. The Client attempts to reconnect at this interval until a connection is established or the Client is stopped externally.

If this parameter is not specified, the Client attempts to reconnect once and, if unsuccessful, exits immediately.


Uses a registration code to authenticate to the Client.


A single subnet that is routed to the tunnel instead of the default route. For example: --route creates a specific route so only this subnet is routed through VPN.

If not specified, the Client adds a default route so all traffic is routed through the VPN on the device (identical to specifying --route


Displays the status of a running service.

--user, --account, --password, --reset-password

Cato user credentials.

password is optional. When a password is required, the user is prompted to add a new one.

Note: We don't recommend using the --password argument.


Uses systemd-resolv (instead of editing /etc/resolv.conf directly). The values for this parameter are:

  • 1 - true

  • 0 - false (default value)

When using the --use-systemd-resolv parameter with the Client, do NOT use the --append parameter.


Shows information about the Client version.

Arguments for Client File Parameters

You can save the arguments for the Linux Client to a file, and then load the parameters when you start the Client. These are the arguments for the Client file:




Uses the parameter values previously stored in the file with --save.

You can override any stored setting by specifying it on the command line.

Because the credentials are also stored in this file, make sure you keep it private: anyone who has this file can use it to connect with the saved credentials. The password is saved in hashed form (SHA-256 with salt).

Alternately, you can store an empty or incorrect password in the file and specify the correct one on the command line. For example: --load _file_ --password '******'


Saves all arguments passed on the command line to the given file for use with the --load parameter.


Displays the settings stored in the file using --save.
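
The requirement to keep the file written with --save private can be checked before each --load. The script below is an added example, not Cato code; it assumes GNU stat on Linux, and the function name param_file_problems and the PARAM_FILE variable are hypothetical.

```shell
#!/bin/sh
# Added example (not Cato code): audit a parameter file written with --save
# before it is handed to --load. Assumes GNU stat, as shipped on Linux.

# param_file_problems FILE  (hypothetical helper name)
# Prints one line per problem; returns 0 only if FILE is private to this user.
param_file_problems() {
    f=$1
    # A symlink could be re-pointed at a file someone else controls.
    if [ -L "$f" ]; then
        echo "symlink: $f is a symbolic link"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "missing: $f is not a regular file"
        return 1
    fi
    rc=0
    mode=$(stat -c '%a' "$f")    # octal permission bits, e.g. 600
    owner=$(stat -c '%u' "$f")   # numeric uid of the owner
    if [ "$owner" != "$(id -u)" ]; then
        echo "owner: $f belongs to uid $owner, not $(id -u)"
        rc=1
    fi
    # Any group/other bit exposes the saved credentials to other local accounts.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode: $f is $mode, expected 600 or stricter"
        rc=1
    fi
    return $rc
}

# PARAM_FILE is a hypothetical variable naming the file to audit.
if [ -n "${PARAM_FILE:-}" ]; then
    param_file_problems "$PARAM_FILE" && echo "ok: $PARAM_FILE is private"
fi
```

A non-zero return means the file should be fixed (for example with chmod 600) or recreated before it is used to start the Client.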

Arguments for Device Authentication with Certificates

This section contains arguments that are used for the Linux Clients that use Device Authentication with a device certificate. For more information, see Distributing Device Certificates.



--cert <certificate path>

Path to the certificate file for Device Authentication.
