Cato Networks Knowledge Base

Working with Advanced Configuration for the Account

Overview of Advanced Configuration for the Account

The options in the Advanced Configuration screen give you increased granular control over different settings in your account. The screen also shows the default value for each of the disabled settings.

When you disable an advanced setting, it returns to the default value. The custom value is still saved, and if you enable the setting again later it is restored rather than re-entered.

[Screenshot: Advanced Configuration screen (AdvConfig.png)]

To configure advanced configuration features for an account:

  1. From the navigation menu, click Assets > Advanced Configuration.

  2. In the Status column, use the toggle to enable or disable each setting (green is enabled, grey is disabled).

  3. To configure or edit the value of a setting, click on the name of the setting in the Name column.

    The Edit <Setting Name> panel opens.

  4. In the Edit panel, you can:

    • Enter or select a Value

    • Enter or edit a Comment to explain the reason for this advanced setting (Recommended)

  5. Click Apply. The change for the advanced configuration is added to the screen.

  6. Click Save. The configuration settings are saved.

Precedence for Advanced Configuration with Sites and VPN User Settings

When you configure an advanced feature for a site or an SDP user, that setting overrides the account-level setting in the Advanced Configuration window. The following table shows each advanced feature and whether it can be applied to a site or to an SDP user.

Feature Name                    Applies to
Preferred IP for SIP Traffic    Sites
Recovery via Internet           Sites (only for Sockets)
SIP ALG                         Sites
TCP Congestion Algorithm        Global only
VPN Office Mode                 All SDP users
WAN Keep-alive Frequency        Sites (only for Sockets)
WAN Recovery                    Sites (only for Sockets)

You can configure the following settings only for individual sites (not as a global setting for the account):

  • Socket to PoP Max MTU (only applies to physical Sockets)

For more about Advanced Configuration for sites, see Adding Advanced Features to Sites.

Enabling VPN Users to Configure VPN Office Mode

When an SDP user is working in an office that is behind a Cato Socket, the Cato VPN Client automatically connects through that site. This behavior is called VPN office mode and it is enabled by default for all accounts. Without office mode, when the Cato Client connects to the VPN from behind a Cato Socket, the Client builds a VPN tunnel inside the Socket tunnel (tunnel-in-tunnel), which often has a negative impact on performance.

With office mode, the Cato Client connects to the Cato Cloud over the Socket tunnel and is treated as a regular host of that site. The Client receives the networking and security settings of the site, and the VPN tunnel-in-tunnel is avoided.

Sometimes office mode can prevent someone who is visiting a branch office from connecting to resources in a different office, such as the corporate headquarters. You can choose to enable SDP users to configure the Cato Client behavior for VPN office mode.

For more about how to enable SDP users to configure VPN Office Mode for their clients, see Configuring VPN Office Mode.

Configuring WAN Recovery for the Account

To improve the resiliency of your network, the WAN Recovery feature keeps WAN traffic flowing when there are connectivity problems in the Cato Cloud and the Cato Sockets cannot use it to send WAN traffic to the other sites. The feature automatically uses bypass tunnels to maintain connectivity with the other Socket sites. When the Sockets re-establish connectivity to the Cato Cloud, they automatically resume regular operation.

During network recovery, the WAN traffic bypasses the Cato Cloud and these are the changes to the traffic:

  • The Cato Management Application does not analyze data for connectivity and does not generate alerts for network health or quality

  • The WAN and Internet firewalls are not applied to the traffic

  • The Threat Protection services are not applied to the traffic

To configure the WAN Recovery setting, follow the procedure in Overview of Advanced Configuration for the Account above, using one of these values:

  • Disabled - Default global setting. Sockets establish tunnels with other Socket sites and use keep-alive messages to maintain the tunnels. Recovery IS enabled by default for all Socket sites in the account.

  • Enabled and On - The account is explicitly configured to provide recovery for WAN traffic to other sites. The behavior is the same as Disabled (the default).

  • Enabled and Off - Recovery is NOT enabled for this account, and bypass tunnels are NOT established or maintained.

Note

Note: Events generated by the WAN Recovery feature are described as Off-Cloud Recovery. Because the WAN firewall and Threat Protection are not applied while traffic is in recovery, these events are worth monitoring as a security signal and not only as a network health signal.

For more about configuring the global WAN Recovery setting for specific sites, see Adding Advanced Features to Sites.

Configuring Recovery via Internet for the Account

To improve the resiliency of Internet traffic, the Recovery via Internet feature provides support if there are problems connecting to the Cato Cloud and the Cato Socket cannot use it to send traffic to the Internet. When enabled, this feature automatically recovers Internet connectivity by sending traffic to the Internet directly over the ISP links.

During the temporary Internet recovery, the Internet traffic bypasses the Cato Cloud and these are the changes to the traffic:

  • The Internet firewall and URL Filtering rules are not applied to the traffic

  • The Threat Protection services are not applied to the traffic

  • The Cato Management Application does not analyze data for connectivity and does not generate alerts for Internet traffic

To configure the Recovery via Internet setting, follow the procedure in Overview of Advanced Configuration for the Account above, using one of these values:

  • Disabled - Default global setting. Recovery IS enabled by default for all Socket sites in the account.

  • Enabled and On - The account is explicitly configured to provide recovery for all Internet traffic. The behavior is the same as Disabled (the default). We recommend that you use this setting.

  • Enabled and Off - The Recovery via Internet feature is DISABLED for the account.

Note

IMPORTANT! We recommend that you always enable the Recovery via Internet setting and explicitly select On or Off to manage recovery for Internet traffic. When the setting is left Disabled, there can be issues with settings that are configured using the Socket Web UI.

For more about configuring the global Internet Recovery setting for a specific site, see Adding Advanced Features to Sites.

Using the Same (Preferred) Egress IP Address for VoIP and SIP Traffic

If you work with a UCaaS and have an egress network rule for VoIP or SIP traffic, the UCaaS (such as RingCentral) can sometimes have problems if the egress IP address changes. When the Preferred IP for SIP Traffic feature is enabled, VoIP and SIP traffic always uses the same egress IP address.

When the Preferred IP for SIP Traffic feature is enabled and the PoP is temporarily unavailable (for example, during scheduled maintenance), the site does NOT try to reconnect to the UCaaS from a different PoP or Internet connection. The connection may therefore be temporarily dropped, but the configuration registered with the UCaaS is preserved for future connections.

Note

Note: You must have an egress network rule for VoIP or SIP traffic to use this feature.

Blocking Local Routing when Sites are Disconnected from a PoP

By default, traffic within a site (for example, between VLANs) is routed via the Cato PoP, which inspects the traffic. Traffic flows from the VLAN to the PoP in the Cato Cloud and then to the other VLAN.

If a site is temporarily disconnected from the Cato Cloud, the default behavior is fail-open: traffic flows from the VLAN directly to the other VLAN without being inspected. You can change the default global account-level behavior to fail-closed, so that by default all Socket sites block local routing traffic while they are disconnected from the PoP. Requires Socket v15.0 or higher.

Note

Note: For sites that are configured with Local Routing rules, these rules take precedence over the Block Local Routing when disconnected from PoP setting. Therefore, this setting does NOT apply to traffic that matches the local routing rules.

To configure the Block Local Routing when disconnected from PoP setting, follow the procedure in Overview of Advanced Configuration for the Account above, using one of these values:

  • Disabled - Default global setting. Traffic routing within a supported site is allowed when the site is disconnected from the PoP. This is fail-open behavior.

  • Enabled and On - Traffic routing within a supported site is blocked when the site is disconnected from the PoP. This is fail-closed behavior.

  • Enabled and Off - Traffic routing within a supported site is allowed when the site is disconnected from the PoP. This is fail-open behavior, the same as Disabled.
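The three value lists above (WAN Recovery, Recovery via Internet, Block Local Routing), the Status toggle semantics in the overview, and the site-override precedence table all follow the same few rules. The following added example, which is not part of this article and not Cato's own code or API, encodes those rules in a small resolver so you can check what a site actually gets before relying on fail-open or fail-closed behavior. The Feature and Site classes, the scope constants, and the sample account and sites are constructed for illustration only.

```python
"""Effective-value resolver for Advanced Configuration settings (illustration only).

Rules modelled from the article:
  1. A setting has a Status toggle. Disabled -> default value; the custom
     value is kept and restored when the setting is enabled again.
  2. A site (or SDP user) override takes precedence over the account value,
     but only for features whose "Applies to" scope allows it.
  3. "Global only" features accept no site override.
  4. Local Routing rules take precedence over "Block Local Routing when
     disconnected from PoP".
The classes and sample data below are assumptions, not Cato's data model.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Scopes from the "Applies to" column of the precedence table.
SITES, SOCKETS_ONLY, SDP_USERS, GLOBAL_ONLY = "sites", "sockets", "sdp_users", "global"


@dataclass
class Feature:
    name: str
    default: Any            # value shown for a Disabled setting
    scope: str
    enabled: bool = False   # Status toggle (green = enabled, grey = disabled)
    custom: Any = None      # value from the Edit panel; kept even when Disabled

    def account_value(self) -> Any:
        """Disabled -> default; Enabled -> custom value (default if none entered)."""
        if not self.enabled or self.custom is None:
            return self.default
        return self.custom


@dataclass
class Site:
    name: str
    is_socket: bool = True                               # False for non-Socket sites
    overrides: Dict[str, Any] = field(default_factory=dict)


def effective_value(feature: Feature, site: Optional[Site] = None) -> Any:
    """Site override if allowed, else the account value.

    Returns None when a Socket-only feature is evaluated for a non-Socket site."""
    if site is None:
        return feature.account_value()
    if feature.scope == GLOBAL_ONLY:
        if feature.name in site.overrides:
            raise ValueError(f"{feature.name!r} is Global only; site overrides are not allowed")
        return feature.account_value()
    if feature.scope == SOCKETS_ONLY and not site.is_socket:
        return None
    if feature.scope == SDP_USERS:
        return feature.account_value()          # per-user setting, not per-site
    return site.overrides.get(feature.name, feature.account_value())


def intra_site_traffic_allowed(block_when_disconnected: bool, matches_local_routing_rule: bool) -> bool:
    """Fail-open/fail-closed decision for VLAN-to-VLAN traffic while the site is off the PoP."""
    if matches_local_routing_rule:               # Local Routing rules win (rule 4)
        return True
    return not block_when_disconnected


def disable_then_reenable():
    """Rule 1: Disabled reverts to the default, re-enabling restores the saved custom value."""
    f = Feature("WAN Recovery", default="On", scope=SOCKETS_ONLY, enabled=True, custom="Off")
    f.enabled = False
    after_disable = f.account_value()
    f.enabled = True
    return after_disable, f.custom, f.account_value()


# Constructed account state (hypothetical values, for illustration).
WAN_RECOVERY = Feature("WAN Recovery", default="On", scope=SOCKETS_ONLY)               # left Disabled
INTERNET_RECOVERY = Feature("Recovery via Internet", default="On", scope=SOCKETS_ONLY,
                            enabled=True, custom="On")                                 # recommended state
BLOCK_LOCAL = Feature("Block Local Routing when disconnected from PoP", default=False,
                      scope=SITES, enabled=True, custom=True)                          # account-wide fail-closed
TCP_CONGESTION = Feature("TCP Congestion Algorithm", default="default", scope=GLOBAL_ONLY)

HQ = Site("HQ")
BRANCH = Site("Branch", overrides={"Block Local Routing when disconnected from PoP": False})
IPSEC = Site("Partner-IPsec", is_socket=False)


def resolve_all() -> Dict[str, Any]:
    block_hq = effective_value(BLOCK_LOCAL, HQ)
    return {
        "wan_recovery_hq": effective_value(WAN_RECOVERY, HQ),          # Disabled -> default "On"
        "wan_recovery_ipsec": effective_value(WAN_RECOVERY, IPSEC),    # not a Socket -> None
        "internet_recovery_hq": effective_value(INTERNET_RECOVERY, HQ),
        "block_local_hq": block_hq,                                    # account value True
        "block_local_branch": effective_value(BLOCK_LOCAL, BRANCH),    # site override False
        "hq_vlan_traffic_when_disconnected": intra_site_traffic_allowed(block_hq, False),
        "hq_local_rule_traffic_when_disconnected": intra_site_traffic_allowed(block_hq, True),
    }


if __name__ == "__main__":
    for key, value in resolve_all().items():
        print(f"{key}: {value}")
    print("disable/re-enable:", disable_then_reenable())
```

The point of the resolver is the two places where intuition fails: a Socket-only feature simply does not exist for a non-Socket site (the example returns None rather than the account value), and an account-wide fail-closed setting is silently undone by a per-site override or by a matching Local Routing rule, so a site audit should look at all three inputs, not just the account screen.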

The following diagram shows the local routing behavior:

[Diagram: Block Local Routing behavior when a site is disconnected from the PoP (Block_Local_Routing.png)]
