This article explains how to customize an Advanced Configuration feature for the entire account.
The options in the Advanced Configuration screen give you increased granular control over different settings in your account. The screen also shows the default value for each of the disabled settings.
When you disable an advanced setting, it returns to the default value. However, the custom value is saved and if you enable the setting later, the custom value can be used.

To configure advanced configuration features for an account:
- From the navigation menu, click Assets > Advanced Configuration.
- In the Status column, use the toggle to enable or disable each setting (green is enabled, grey is disabled).
- To configure or edit the value of a setting, click the name of the setting in the Name column. The Edit <Setting Name> panel opens.
- In the Edit panel, you can:
  - Enter or select a Value
  - Enter or edit a Comment to explain the reason for this advanced setting (recommended)
- Click Apply. The change for the advanced configuration is added to the screen.
- Click Save. The configuration settings are saved.
When you configure an advanced feature for a site or an SDP user, it overrides the account-level setting in the Advanced Configuration screen. The following table shows each advanced feature and whether it applies to a site or an SDP user.
Feature Name | Applies to
---|---
Preferred IP for SIP Traffic | Sites
Recovery via Internet | Sites (only for Sockets)
SIP ALG | Sites
TCP Congestion Algorithm | Global only
VPN Office Mode | All SDP users
WAN Keep-alive Frequency | Sites (only for Sockets)
WAN Recovery | Sites (only for Sockets)
IKEv2 Send Single TS per Payload | Sites (only IPsec IKEv2)
Block Local Routing when Disconnected from PoP | 
Verify OID in Device Certificate | All SDP users
Revoke Certificates by Serial Number | All SDP users
You can configure the following setting only for individual sites (not as a global setting for the account):
- Socket to PoP Max MTU (only applies to physical Sockets)
For more about Advanced Configuration for sites, see Adding Advanced Features to Sites.
When an SDP user is working in an office that is behind a Cato Socket, the Cato Client automatically connects to that site. This behavior is called VPN office mode and it is enabled by default for all accounts. Without office mode, when the Cato Client connects to the VPN from behind a Cato Socket, the Client connects with a VPN tunnel-in-tunnel, which often has a negative impact on performance.
With office mode, the Cato Client connects to the Cato Cloud using the Socket tunnel and is treated as a regular host for that site. The Client receives the networking and security settings from the site and prevents using a VPN tunnel-in-tunnel.
Sometimes office mode can prevent someone who is visiting a branch office from connecting to resources in a different office, such as the corporate headquarters. You can choose to enable SDP users to configure the Cato Client behavior for office mode.
For more about how to enable SDP users to configure Office Mode for their clients, see Configuring Office Mode.
To improve resiliency of your network, the WAN Recovery feature provides support if there are connectivity problems in the Cato Cloud, and the Cato Sockets cannot use it to send WAN traffic to the other sites. This feature automatically uses bypass tunnels to maintain connectivity with the other Socket sites. When the Sockets re-establish connectivity to the Cato Cloud, they automatically resume regular operation.
Note: Off-Cloud traffic must be enabled on the Socket WAN links to support WAN Recovery.
During network recovery, the WAN traffic bypasses the Cato Cloud and these are the changes to the traffic:
- The Cato Management Application does not analyze data for connectivity and does not generate alerts for network health or quality
- The WAN and Internet firewalls are not applied to the traffic
- The Threat Protection services are not applied to the traffic
To configure the WAN Recovery setting, see Configuring Advanced Features for the Account above, and use one of these values:
- Disabled - Default global setting. Sockets establish tunnels with other Socket sites and use keep-alive messages to maintain the tunnels. Recovery IS enabled by default for all Socket sites in the account.
- Enabled and On - The account is configured to provide recovery for WAN traffic to other sites. The functionality is the same as Disabled.
- Enabled and Off - Recovery is NOT enabled for this account, and bypass tunnels are NOT supported or maintained.
Note: Events generated by the WAN Recovery feature are described as Off-Cloud Recovery.
For more about configuring the global WAN Recovery setting for specific sites, see Adding Advanced Features to Sites.
To improve the resiliency of Internet traffic, the Recovery via Internet feature provides support if there are problems connecting to the Cato Cloud, and the Cato Socket cannot use it to send traffic to the Internet. When enabled, this feature automatically recovers Internet connectivity by using the ISP links to send traffic to the Internet.
During the temporary Internet recovery, the Internet traffic bypasses the Cato Cloud and these are the changes to the traffic:
- The Internet firewalls and URL Filtering rules are not applied to the traffic
- The Threat Protection services are not applied to the traffic
- The Cato Management Application does not analyze data for connectivity and does not generate alerts for Internet traffic
To configure the Internet Recovery setting, see Configuring Advanced Features for the Account above, and use one of these values:
- Disabled - Default global setting. Recovery IS enabled by default for all Socket sites in the account. We recommend that you use this setting.
- Enabled and On - The account is configured to provide recovery for all traffic to the Internet. The functionality is the same as Disabled.
- Enabled and Off - The Recovery via Internet feature is DISABLED for this account.
IMPORTANT! We recommend that you always enable the Recovery via Internet feature and select the On or Off option to manage recovery for Internet traffic. When this feature is disabled, there can be issues with settings that are configured using the Socket Web UI.
For more about configuring the global Internet Recovery setting for a specific site, see Adding Advanced Features to Sites.
If you work with a UCaaS and have an egress network rule for VoIP or SIP traffic, sometimes the UCaaS (such as RingCentral) has problems if the IP address changes. When the Preferred IP for SIP Traffic feature is enabled, VoIP and SIP traffic always uses the same egress IP address.
Note: You must have an egress network rule for VoIP or SIP traffic to use this feature.
When creating a child SA, Cato sends multiple traffic selectors (TS) in the same TS payload in accordance with RFC 7295. Some third-party solutions, such as Cisco ASAs, only support a single TS in each child SA. A Cisco ASA will send a TS_UNACCEPTABLE message in response to a Cato proposal to create a child SA with multiple TS.
When IKEv2 Send Single TS per Payload is enabled and set to On, only a single TS is sent in each child SA. It is disabled by default.
By default, traffic within a site (for example, between VLANs) is routed via the Cato PoP, which inspects the traffic. Traffic flows from the VLAN to the PoP in the Cato Cloud and then to the other VLAN.
If a site is temporarily disconnected from the Cato Cloud, the default behavior is fail-open. The traffic flows from the VLAN directly to the other VLAN without being inspected. You can change the default global account-level behavior to fail-closed, so that by default all Socket sites block local routing traffic when they disconnect from the PoP. Requires Socket v15.0 or higher.
Note: For sites that are configured with Local Routing rules, these rules take precedence over the Block Local Routing when Disconnected from PoP setting. Therefore, this setting does NOT apply to traffic that matches the local routing rules.
To configure the Block Local Routing when Disconnected from PoP setting, see Overview of Advanced Configuration for the Account above, and use one of these values:
- Disabled - Default global setting. Traffic routing within a supported site is allowed when the site is disconnected from the PoP. This is fail-open behavior.
- Enabled and On - Traffic routing within a supported site is blocked when the site is disconnected from the PoP. This is fail-closed behavior.
- Enabled and Off - Traffic routing within a supported site is allowed when the site is disconnected from the PoP. This is fail-open behavior. The functionality is the same as Disabled.
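The three recovery and local-routing settings above share one resolution rule: a site-level value overrides the account, and a Disabled setting falls back to the feature default while keeping its saved custom value. The following added example (not Cato's code; the account and site data are constructed) models that rule and audits which sites can end up with uninspected traffic: a recovery path that bypasses the firewalls and Threat Protection, or fail-open local routing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Value that applies while a setting is Disabled (recovery is on by default; local routing is fail-open).
DEFAULTS = {
    "WAN Recovery": "On",
    "Recovery via Internet": "On",
    "Block Local Routing when Disconnected from PoP": "Off",
}

@dataclass
class Setting:
    enabled: bool                # the Status toggle (green is enabled, grey is disabled)
    value: Optional[str] = None  # the custom value, retained even while disabled

def effective_value(feature: str, account: Setting, site: Optional[Setting] = None) -> str:
    """Value that actually applies to a site: a site-level setting overrides the
    account-level one, and a Disabled setting falls back to the feature default."""
    for scope in (site, account):
        if scope is not None and scope.enabled and scope.value is not None:
            return scope.value
    return DEFAULTS[feature]

def audit_sites(account: Dict[str, Setting],
                sites: Dict[str, Dict[str, Setting]]) -> Dict[str, List[str]]:
    """Per site, list the conditions under which traffic is not inspected:
    recovery paths that bypass the Cato Cloud, and fail-open local routing."""
    findings: Dict[str, List[str]] = {}
    for name, overrides in sites.items():
        notes = []
        for feature in ("WAN Recovery", "Recovery via Internet"):
            if effective_value(feature, account[feature], overrides.get(feature)) == "On":
                notes.append(f"{feature} on: firewalls and Threat Protection bypassed during recovery")
        blr = "Block Local Routing when Disconnected from PoP"
        if effective_value(blr, account[blr], overrides.get(blr)) == "Off":
            notes.append("Local routing is fail-open while disconnected from the PoP")
        findings[name] = notes
    return findings

# Constructed sample: WAN Recovery is Disabled but keeps a saved Off, so the default On still applies.
ACCOUNT = {
    "WAN Recovery": Setting(enabled=False, value="Off"),
    "Recovery via Internet": Setting(enabled=True, value="On"),
    "Block Local Routing when Disconnected from PoP": Setting(enabled=True, value="On"),
}
SITES = {
    "branch-a": {},
    "branch-b": {"WAN Recovery": Setting(True, "Off"),
                 "Block Local Routing when Disconnected from PoP": Setting(True, "Off")},
}
```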
The following diagram shows the local routing behavior:

Verify OID in Device Certificate enhances Device Certificate checks. When enabled, you can define a list of device certificate OIDs that can connect to your network. Only devices authenticating with a certificate that matches a defined OID are able to connect. Separate multiple OIDs with a semicolon.
This feature is disabled by default. SDP users may not be able to connect to your network if you activate this setting without correctly configuring your device’s certificates.
Revoke Certificates by Serial Number enhances Device Certificate checks. When enabled, you can define a list of blocked certificate serial numbers. Devices authenticating with a certificate that matches a defined Serial Number are blocked. Separate multiple serial numbers with a comma.
This feature is disabled by default. SDP users may not be able to connect to your network if you activate this setting without correctly configuring your device’s certificates.
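Because both device certificate checks can lock SDP users out when the lists are entered incorrectly, it helps to validate the semicolon-separated OID list and the comma-separated serial list and preview their effect before enabling the settings. The following added example (not Cato's code) does that against a constructed set of enrolled devices; it assumes serial numbers are entered in hex as certificate viewers show them, and represents each certificate as a dict with its serial number and the OIDs it carries, since the article does not state which certificate field is matched.

```python
import re
from typing import Dict, List, Tuple
OID_RE = re.compile(r"^\d+(\.\d+)+$")   # dotted-decimal OID, e.g. 1.3.6.1.4.1.99999.1

def parse_oid_list(raw: str) -> List[str]:
    """Parse the semicolon-separated OID list of Verify OID in Device Certificate; a malformed
    entry raises, since an allow list that matches nothing denies every SDP user."""
    oids = [s.strip() for s in raw.split(";") if s.strip()]
    bad = [o for o in oids if not OID_RE.match(o)]
    if bad:
        raise ValueError(f"invalid OID entries: {bad}")
    return oids

def normalize_serial(raw: str) -> str:
    """Canonical hex form: '0A:1B:2C', '0x0a1b2c' and 'a1b2c' compare equal (assumes hex input)."""
    s = raw.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"

def parse_serial_list(raw: str) -> List[str]:
    """Parse the comma-separated list of Revoke Certificates by Serial Number."""
    return [normalize_serial(s) for s in raw.split(",") if s.strip()]

def evaluate_device(cert: Dict, allowed_oids: List[str], revoked: List[str]) -> Tuple[bool, str]:
    """Apply both checks to one device certificate, given as a dict with its serial
    number and the OIDs it carries. Revocation is checked first."""
    if normalize_serial(cert["serial"]) in revoked:
        return False, "certificate serial number is revoked"
    if not set(cert["oids"]) & set(allowed_oids):
        return False, "no certificate OID matches the allow list"
    return True, "allowed"

def dry_run(certs: Dict[str, Dict], raw_oids: str, raw_serials: str) -> Dict[str, str]:
    """Preview which enrolled devices would be denied by the proposed lists."""
    allowed, revoked = parse_oid_list(raw_oids), parse_serial_list(raw_serials)
    denied = {}
    for name, cert in certs.items():
        ok, reason = evaluate_device(cert, allowed, revoked)
        if not ok:
            denied[name] = reason
    return denied

# Constructed sample of enrolled device certificates (placeholder values, not real certificates).
DEVICES = {
    "laptop-01": {"serial": "0A:1B:2C", "oids": ["1.3.6.1.4.1.99999.1"]},
    "laptop-02": {"serial": "0x7f", "oids": ["1.3.6.1.4.1.99999.1"]},
    "laptop-03": {"serial": "7e", "oids": ["1.3.6.1.4.1.99999.2"]},
}
```

Running `dry_run(DEVICES, "1.3.6.1.4.1.99999.1", "0x7f")` reports laptop-02 as revoked and laptop-03 as lacking an allowed OID, while an empty OID string denies every device, which is the lockout the note above warns about.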
Comments
Added section for Blocking Local Routing when Sites are Disconnected from a PoP