Working with SDP Users

Getting Started with the Users Screen

The Users screen shows the users that have been manually added and synced to your Cato account. For each user, the following information is displayed:

Name: The name of the user
Email address: The email account associated to this user in the Cato Management Application. Depending on the organization's configuration, a user can use this email to log in to the system.
User Status: Options include: Configured, Disabled, Invitation Sent, Locked, MFA Invitation Sent, or New
Creation Date: The date the user account was created.
Origin: The method for how the user was added.
Connectivity Status: current status, for example: connected, disconnected.
Last Modified: The date and time the user account was last modified.
Device: Operating system (OS) of the device the Client is installed on.
Client Version: Version of the Client that is installed on the device.
User Principal Name: UPN for the user in Active Directory.
Authentication Method: Method configured for this user to authenticate to the Client: MFA, SSO, or User & Password.

The Actions drop-down menu lets you manage and control the users.

Manually Adding Users

Define each remote user (users that connect to your organization's network from remote locations) as a user in the Cato Management Application. You can also configure Directory Services to integrate with an Active Directory server and import users to your account.

To manually add a user:

From the navigation menu, click Access > Users.
Click New. The Add User panel opens.
Enter the user's First Name, Last Name and E-mail.
Click Apply.

Resending Invitations to Users

After a new user is added to the Cato Management Application , an activation invitation e-mail is sent to the new user's email address. If the account has not yet been activated or needs to repeat the process for any reason, it is possible to resend the invitation.

To resend an invitation to a User:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Resend Invitation.
In the Resend Invitation window, click OK.

Showing the Origin for Users

The Origin column in the Users screen shows if the user was manually added to the Cato Management Application or imported with Directory Services.

User defined - Users that were added manually
LDAP defined - Users that were imported through integration with the Active Directory.
SCIM defined - Users that added using integration with the Cloud app.

Resetting User Passwords

You can reset the password for a remote user. After you reset the password, the user receives an email with a link to reset the password in the Cato User Portal. The password reset link is valid for one hour after the email is sent.

Before you reset the password for SDP users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.

Note

Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one in the User Portal.

To reset a user's password:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Reset Password.
In the Reset Password window, click OK.

The password is reset for the users and they receive an email with a link to create a new password.

Managing Users

This section explains how to manage users that are disabled or locked.

Disabling/Enabling Users

If required, you can temporarily disable user accounts, or enable accounts that have been disabled.

A disabled user cannot connect to the Cato Cloud and is not counted as using an SDP user license. However, they will still appear in its relevant references and entries in the Cato Management Application, such as security rules.

To disable a user account:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Disable.
In the Disable window, click OK.

To enable a user account:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Enable.
In the Enable window, click OK.

Unlocking SDP Users

Following security best practices, after six consecutive authentication failures, Cato automatically locks SDP users for 30 minutes (unless you unlock the user earlier).

These six consecutive failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six consecutive MFA or six consecutive password failures).

You can view where the failure occurred (when the SDP user accessed the Cato User Portal or when authenticating via the Cato Client, and whether the failure was MFA or password related.

Note

Note: Unlocking an SDP user doesn't reset the user's password.

To unlock a locked SDP user:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Unlock.
In the confirmation window, click OK.

The user account is unlocked.

Enabling All Users after an Active Directory Sync

For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.

To enable all the disabled users after an LDAP sync:

From the navigation menu, click Access > Users.
In the User screen, select one or more users.
From the Actions drop-down menu, select Re-enable LDAP Disabled Users.

A warning window opens.
Click OK. The selected user (or users) that were disabled in the most recent LDAP sync are now enabled.

Showing Devices for a User

The Devices section shows each device that an SDP user connects to the Cato Cloud with the Client and relevant information including Client version and the most recent session.This section can be helpful for security auditing purposes.

To show the devices for a user:

From the navigation menu, click Access > Users.
Select a user from the list.
Click User Settings > General. The General window opens.
From the navigation menu, click User Monitoring >Devices. The Devices window opens displaying all currently defined devices for the user.

Revoking the MFA Token for a Device

The Devices section lets you revoke the Cato MFA authentication token on a specific device for an SDP user. After the MFA token is revoked the user must re-authenticate and enter a new MFA code in the Client.

To revoke the MFA token for a device:

From the navigation menu, click Access > Users.
Select a user from the list.
From the navigation menu, click User Monitoring > Devices.

The devices for that user are displayed.
At the end of the row for the device, click the More button .
Click Revoke Device.
In the pop-up window, click Revoke.

The MFA token for that device is no longer valid.

Viewing Associated Groups for Users

The Member of Groups section shows you the groups that a member belongs to.

To view associated groups of users

From the navigation menu, click Access > Users.
Select a user from the list.
Click User Settings > General. The General window opens.
From the navigation menu, click Member of Groups.

The Member of Groups window opens, showing groups that the user belongs to.

Deleting Users

Note

Important! You cannot undo the delete user action.

To delete a user:

From the navigation menu, click Access > Users.
Select the check box next to one or more users.
From the Actions drop-down menu, select Delete.
In the confirmation window, click Delete.

Cato Networks Knowledge Base

Working with SDP Users

Getting Started with the Users Screen