Cato Networks Knowledge Base

Adding Advanced Features to Sites

Using Advanced Features for a Site

The Advanced Configuration section for a site lets you configure advanced features and settings for that site. The available features in the section depend on the Connection Type for the site. For more about using advanced features, see .

When an advanced setting is disabled, you are configuring it to use the global setting.

To configure an advanced feature for a site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Advanced Configuration.

  3. In the Status column, use the toggle to enable or disable the status of each setting (green is enabled, grey is disabled).

  4. To configure or edit the value of a setting, click on the name of the setting in the Name column.

    The Edit <Setting Name> panel opens.

  5. In the Edit panel, you can:

    • Enter or select a Value

    • Enter or edit a Comment to explain the reason for this advanced setting (Recommended)

  6. Click Apply. The change for the advanced configuration is added to the screen.

  7. Click Save. The configuration settings are saved.

Working with Account and Site Settings

Some features in the Advanced Configuration section can be configured either for a specific site or for all the sites in your account. When you configure the advanced feature for a site, it overrides the setting for the account (in Assets > Advanced Configuration). Some features are only supported for Socket sites. For example, feature alpha is only supported for Sockets. If you configure feature alpha for the entire account, it is only relevant to Socket sites.

Configuring WAN Recovery for a Site

To improve resiliency of your network, the WAN Recovery feature provides support if there are connectivity problems in the Cato Cloud, and the Sockets cannot use it to send WAN traffic to the other sites. This feature automatically uses bypass tunnels to maintain connectivity with the other Socket sites. When the Sockets re-establish connectivity to the Cato Cloud, they automatically resume regular operation.

During the temporary WAN recovery, the WAN traffic bypasses the Cato Cloud and these are the changes to the traffic:

  • The Cato Management Application does not analyze data for connectivity and does not generate alerts for network health or quality

  • The Cato security stack (firewall and Security services) is not applied to the traffic

To configure the WAN Recovery setting, follow the procedure in Using Advanced Features for a Site (above) and use one of these values:

  • Disabled - This site uses the setting that is configured for the account.

  • Enabled and On - This site is configured to provide recovery for WAN traffic to other sites. The functionality is the same as Disabled.

  • Enabled and Off - Recovery is NOT enabled for this site, and bypass tunnels are NOT supported or maintained.

For more about configuring the global WAN Recovery setting for all sites, see .

Configuring Recovery via Internet for a Site

To improve the resiliency of Internet traffic, the Recovery via Internet feature provides support if there are problems connecting to the Cato Cloud, and the Cato Socket cannot use it to send traffic to the Internet. When enabled, this feature automatically recovers Internet connectivity with the ISP links to send traffic to the Internet.

During the temporary Internet recovery, the Internet traffic bypasses the Cato Cloud and these are the changes to the traffic:

  • The Internet firewalls and URL Filtering rules are not applied to the traffic

  • The Threat Protection services are not applied to the traffic

  • The Cato Management Application does not analyze data for connectivity and does not generate alerts for Internet traffic

To configure the Internet Recovery setting, follow the procedure in Using Advanced Features for a Site (above) and use one of these values:

  • Disabled - This site uses the setting that is configured for the account.

  • Enabled and On - This site is configured to provide recovery for all traffic to Internet. The functionality is the same as Disabled.

  • Enabled and Off - The Recovery via Internet feature is DISABLED for this site.

Note

IMPORTANT! We recommend that you always enable the Recovery via Internet feature and select the On or Off option to manage recovery for Internet traffic. When this feature is disabled, there can be issues with settings that are configured using the Socket Web UI.

Configuring the MTU for DTLS Tunnels to the Cato Cloud

You can configure the maximum MTU for the DTLS tunnels between the Socket and the PoP in the Cato Cloud. For traffic inside these DTLS tunnels, this value overrides the MTU that is configured in the Socket WebUI. This setting is only relevant for physical Sockets, and it doesn't apply to vSockets.

To configure the MTU for the DTLS tunnels, use the Socket to PoP max MTU field, following the procedure in Using Advanced Features for a Site (above).

Blocking Local Routing when a Site is Disconnected from PoP

By default, traffic within the site (for example, between VLANs) is routed via the Cato PoP, which inspects the traffic. Traffic flows from the VLAN to the PoP in the Cato Cloud and then to the other VLAN.

If a site is temporarily disconnected from the Cato Cloud, the default behavior is fail-open. The traffic flows from the VLAN directly to the other VLAN without being inspected. You can customize this behavior for a specific site, so that the behavior is different than the global default setting for the account. Requires Socket v15.0 or higher.

Note

For sites that are configured with Local Routing rules, these rules take precedence over the Block Local Routing when disconnected from PoP setting. Therefore, this setting does NOT apply to traffic that matches the local routing rules.

To configure the Block Local Routing when disconnected from PoP setting, follow the procedure in Using Advanced Features for a Site (above) and use one of these values:

  • Disabled - This site uses the setting that is configured for the account.

  • Enabled and On - The traffic routing within this site is blocked when this site is disconnected from the PoP. This is fail-closed behavior.

  • Enabled and Off - The traffic routing within this site is allowed when this site is disconnected from the PoP. This is fail-open behavior.

The following diagram shows the local routing behavior:

Block_Local_Routing.png
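WAN Recovery, Recovery via Internet and Block Local Routing all resolve the same way: a site value overrides the account value, and a disabled site toggle inherits it. The following is an added example, not Cato code or a Cato API: it resolves the effective value per site and lists where traffic can flow uninspected while a site is disconnected from the PoP. The inventory format, field names and sample values are constructed assumptions.

```python
# Added example. ACCOUNT and SITES are constructed sample data, not a Cato export schema.
# None models the site toggle "Disabled" (inherit the account setting);
# True/False model "Enabled and On" / "Enabled and Off".

# Value of each setting at which traffic is NOT inspected during a PoP outage
BYPASS_WHEN = {
    "wan_recovery": True,           # On: WAN traffic uses bypass tunnels, security stack not applied
    "recovery_via_internet": True,  # On: Internet traffic leaves via ISP links, no firewall/URL filtering
    "block_local_routing": False,   # Off: fail-open, inter-VLAN traffic flows directly
}

ACCOUNT = {"wan_recovery": True, "recovery_via_internet": True, "block_local_routing": False}
SITES = [
    {"name": "branch-a", "overrides": {}},
    {"name": "dc-1", "local_routing_rules": 2,
     "overrides": {"wan_recovery": False, "recovery_via_internet": False,
                   "block_local_routing": True}},
    {"name": "branch-b", "overrides": {"block_local_routing": True}},
]

def effective(account, overrides):
    """Return {setting: (value, source)}; a site override wins, None inherits."""
    resolved = {}
    for name in BYPASS_WHEN:
        value = overrides.get(name)
        resolved[name] = (account[name], "account") if value is None else (value, "site")
    return resolved

def audit(account, sites):
    """List (site, setting, source) wherever traffic can bypass inspection."""
    findings = []
    for site in sites:
        eff = effective(account, site.get("overrides", {}))
        for name, (value, source) in eff.items():
            if value == BYPASS_WHEN[name]:
                findings.append((site["name"], name, source))
        # Local Routing rules take precedence over the fail-closed setting,
        # so matching traffic is still routed locally.
        if eff["block_local_routing"][0] and site.get("local_routing_rules"):
            findings.append((site["name"], "local_routing_rules", "site"))
    return findings

if __name__ == "__main__":
    for site, setting, source in audit(ACCOUNT, SITES):
        print(f"{site}: {setting} allows uninspected traffic (set at {source} level)")
```

The `source` field shows whether a finding must be fixed on the site or in the account-level Advanced Configuration.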
