This article explains how to customize an Advanced Configuration for a specific site.
The Advanced Configuration section for a site lets you configure advanced features and settings for that site. The available features in the section depend on the Connection Type for the site. For more about using advanced features, see Working with Advanced Configuration for the Account.
When an advanced setting is disabled, you are configuring it to use the global setting.
To configure an advanced feature for a Site:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Advanced Configuration.
- In the Status column, use the toggle to enable or disable the status of each setting (green is enabled, grey is disabled).
- To configure or edit the value of a setting, click on the name of the setting in the Name column. The Edit <Setting Name> panel opens.
- In the Edit panel, you can:
  - Enter or select a Value
  - Enter or edit a Comment to explain the reason for this advanced setting (Recommended)
- Click Apply. The change for the advanced configuration is added to the screen.
- Click Save. The configuration settings are saved.
Some features in the Advanced Configuration section can be configured either for a specific site or for all the sites in your account. When you configure an advanced feature for a site, it overrides the setting for the account (in Assets > Advanced Configuration). Some features are only supported for Socket sites. For example, if feature alpha is only supported for Sockets and you configure feature alpha for the entire account, it is only relevant to the Socket sites.
To improve resiliency of your network, the WAN Recovery feature provides support if there are connectivity problems in the Cato Cloud, and the Sockets cannot use it to send WAN traffic to the other sites. This feature automatically uses bypass tunnels to maintain connectivity with the other Socket sites. When the Sockets re-establish connectivity to the Cato Cloud, they automatically resume regular operation.
Note: Off-Cloud traffic must be enabled on the Socket WAN links to support WAN Recovery.
During the temporary WAN recovery, the WAN traffic bypasses the Cato Cloud and these are the changes to the traffic:
- The Cato Management Application does not analyze data for connectivity and does not generate alerts for network health or quality
- The Cato security stack (firewall and Security services) is not applied to the traffic
To configure the WAN Recovery setting, see above Using Advanced Configurations for a Site with these values:
- Disabled - This site uses the setting that is configured for the account.
- Enabled and On - This site is configured to provide recovery for WAN traffic to other sites. The functionality is the same as Disabled.
- Enabled and Off - Recovery is NOT enabled for this site, and bypass tunnels are NOT supported or maintained.
For more about configuring the global WAN Recovery setting for all sites, see Working with Advanced Configuration for the Account.
To improve resiliency of Internet traffic, the Recovery via Internet feature provides support if there are problems connecting to the Cato Cloud and the Cato Socket cannot use it to send traffic to the Internet. When enabled, this feature automatically recovers Internet connectivity by using the ISP links to send traffic directly to the Internet.
During the temporary Internet recovery, the Internet traffic bypasses the Cato Cloud and these are the changes to the traffic:
- The Internet firewall and URL Filtering rules are not applied to the traffic
- The Threat Protection services are not applied to the traffic
- The Cato Management Application does not analyze data for connectivity and does not generate alerts for Internet traffic
To configure the Internet Recovery setting, see above Using Advanced Configurations for a Site with these values:
- Disabled - This site uses the setting that is configured for the account.
- Enabled and On - This site is configured to provide recovery for all traffic to the Internet. The functionality is the same as Disabled.
- Enabled and Off - The Recovery via Internet feature is DISABLED for this site.
IMPORTANT! We recommend that you always enable the Recovery via Internet feature and select the On or Off option to manage recovery for Internet traffic. When this feature is disabled, there can be issues with settings that are configured using the Socket Web UI.
You can configure the maximum MTU for the DTLS tunnels between the Socket and the PoP in the Cato Cloud. For traffic inside these DTLS tunnels, this value overrides the MTU that is configured in the Socket WebUI. This setting is only relevant for physical Sockets, and it doesn't apply to vSockets.
Use the Socket to PoP max MTU field to configure the MTU for the DTLS tunnels, see above Using Advanced Configurations for a Site.
By default, traffic within the site (for example, between VLANs) is routed via the Cato PoP, which inspects the traffic. Traffic flows from the VLAN to the PoP in the Cato Cloud and then to the other VLAN.
If a site is temporarily disconnected from the Cato Cloud, the default behavior is fail-open. The traffic flows from the VLAN directly to the other VLAN without being inspected. You can customize this behavior for a specific site, so that the behavior is different than the global default setting for the account. Requires Socket v15.0 or higher.
You can also choose to set the global account-level behavior to fail-closed, so that by default all Socket sites block local routing traffic when they disconnect from the PoP.
Note: For sites that are configured with LAN Firewall or Local Routing rules, these rules take precedence over the Block Local Routing when disconnected from PoP setting. Therefore, this setting does NOT apply to traffic that matches the rules.
To configure the Block Local Routing when disconnected from PoP setting, see above Using Advanced Configurations for a Site with these values:
- Disabled - This site uses the setting that is configured for the account.
- Enabled and On - The traffic routing within this site is blocked when this site is disconnected from the PoP. This is fail-closed behavior.
- Enabled and Off - The traffic routing within this site is allowed when this site is disconnected from the PoP. This is fail-open behavior.
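As an added example (not Cato's code or API), the following Python models the site-versus-account inheritance that this article describes for its advanced settings (Disabled inherits the account value; Enabled and On/Off override it) and audits a set of sites for two points a defender cares about: sites that still inherit Recovery via Internet instead of an explicit On/Off, and each site's effective fail-open or fail-closed local-routing mode when it loses the PoP. The account values, site names and per-site states are constructed for the example.

```python
from typing import Dict, List

BLOCK_LOCAL = "Block Local Routing when disconnected from PoP"
INTERNET_RECOVERY = "Recovery via Internet"

# Constructed account-level values (Assets > Advanced Configuration).
# False for BLOCK_LOCAL is the fail-open default the article describes.
ACCOUNT_DEFAULTS: Dict[str, bool] = {
    "WAN Recovery": True,
    INTERNET_RECOVERY: True,
    BLOCK_LOCAL: False,
}

def effective_value(setting: str, site_state: str,
                    account: Dict[str, bool] = ACCOUNT_DEFAULTS) -> bool:
    """Resolve what a site actually does for one advanced setting:
    "Disabled" inherits the account value, "Enabled and On"/"Enabled and Off"
    override it for this site only."""
    if site_state == "Disabled":
        return account[setting]
    if site_state == "Enabled and On":
        return True
    if site_state == "Enabled and Off":
        return False
    raise ValueError(f"unknown site state: {site_state!r}")

def local_routing_mode(site_state: str,
                       account: Dict[str, bool] = ACCOUNT_DEFAULTS) -> str:
    """fail-closed when Block Local Routing resolves to On, else fail-open."""
    return "fail-closed" if effective_value(BLOCK_LOCAL, site_state, account) else "fail-open"

def audit_sites(sites: Dict[str, Dict[str, str]],
                account: Dict[str, bool] = ACCOUNT_DEFAULTS) -> Dict[str, List[str]]:
    """Per-site findings; a setting missing from a site's dict is Disabled (inherits)."""
    findings: Dict[str, List[str]] = {}
    for name, states in sites.items():
        notes: List[str] = []
        if states.get(INTERNET_RECOVERY, "Disabled") == "Disabled":
            notes.append("Recovery via Internet inherits account setting; set On or Off")
        mode = local_routing_mode(states.get(BLOCK_LOCAL, "Disabled"), account)
        notes.append(f"local routing when disconnected from PoP: {mode}")
        findings[name] = notes
    return findings

# Constructed sample: three hypothetical sites with different override states.
SAMPLE_SITES = {
    "branch-a": {INTERNET_RECOVERY: "Enabled and On"},
    "branch-b": {INTERNET_RECOVERY: "Enabled and Off", BLOCK_LOCAL: "Enabled and On"},
    "branch-c": {},
}

if __name__ == "__main__":
    for site, notes in audit_sites(SAMPLE_SITES).items():
        print(site, *notes, sep="\n  ")
```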
TCP Proxy lets you change the WAN TCP proxy mode so that the proxy either starts on the first SYN packet of each connection, or is delayed and starts only after the TCP handshake has completed. You can read more about the two TCP proxy modes in Explaining the Cato TCP Acceleration and Best Practices.
To change the WAN TCP Proxy Mode:
- In the Advanced Configuration page, click on the TCP Proxy configuration. The Edit Configuration pane opens.
- Enable the configuration and select the mode value:
  - On - Full WAN TCP Proxy.
  - Off - Preserving the original WAN TCP negotiation and delaying the TCP proxy.
Micro-bursts are characterized by a sudden surge of packets or data frames that occur within a very short time frame.
When micro-bursts exceed a site's rate limit in a short time, packet loss may occur due to excessive packet drops by the Last Mile Provider (ISP).
Burstiness downstream value and Burstiness upstream value allow you to adjust how your sites handle micro-bursts over the network by modifying burstiness level values per the downstream or upstream directions. Modifying the burstiness level values may mitigate packet loss caused by burstiness by applying a more aggressive or more permissive shaping policy for micro-bursts. The default burstiness value depends on the interface bandwidth:
- For interface bandwidth 40 Mbps and above, the default value is 0.2
- For interface bandwidth below 40 Mbps, the default value is 0.1
For more about burstiness and packet loss, see How to Troubleshoot Socket Site Packet Loss.
To configure the Burstiness value setting for upstream or downstream traffic, see above Using Advanced Configurations for a Site.
Notes:
- All Sockets must run on version 12.0 and above to support configuring burstiness.
- The new value is applied only after tunnel reset.
IPsec phases have a lifetime, which is the duration for which the Security Association (SA) is valid.
IPsec P1 Lifetime Seconds and IPsec P2 Lifetime Seconds are two advanced configuration parameters that let you change the lifetime of each phase to match the remote peer's settings, for both IKEv1 and IKEv2. The default lifetime values depend on the phase:
- For Phase 1, the default values are:
  - For IKEv1: 86400
  - For IKEv2: 19800
  Note: By default, these values are not displayed in the Cato Management Application. If you want to set these values, follow the procedure outlined above.
- For Phase 2, the default value is 3600 for both IKEv1 and IKEv2.
The configuration is applied after the tunnel restarts, or after the expiration of the current SA lifetime.
For more information, see the IPsec Sites articles.
Added section for Blocking Local Routing when a Site is Disconnected from PoP