New Device Checks Provide More Security for Windows Devices: In the next few weeks, we are enhancing Device Checks and Profiles for the Windows Clients (Access > Device Posture). The new checks let you define stricter device requirements in the Client Connectivity and Firewall policies. For example, only allow devices with disk encryption and a specific certificate installed. Read more.
Patch Management - For organizations with device management solutions such as Intune or JAMF, this verifies the status of the relevant software installed on the device
Disk Encryption - Verifies that the specified drives are encrypted on the device
Device Certificate - Verifies that there is a certificate installed on a device that matches a certificate defined for your account
For accounts that already use Device Authentication, you can use this Device Check instead and apply it only to specific items, such as User Groups, OS, and geolocation.
Device Posture Includes Support for macOS Clients: In the next few weeks, you can update Device Checks and Policies to include macOS devices in your account. This lets you define stricter device requirements for the Client Connectivity and Firewall policies. For example, only allow devices with disk encryption and a specific certificate installed. Read more.
macOS Clients support these Device Checks: Anti-Malware, Firewall, and Patch Management
Improved Onboarding for SDP Users (with SSO): Over the next few weeks, for accounts that use invitation emails, after installing the Client on a device, users can immediately authenticate with SSO and connect to the Cato Cloud. There is no impact for existing SDP users.
As part of this improvement, the User Portal will no longer support SSO authentication
There is no change for SDP users that don’t use SSO
Export Security Rules to CSV: Starting on Dec. 11th, you can easily export rules from the Security policies to a readable spreadsheet format (CSV file). Read more. The Security policies include:
Internet and WAN firewall
Application Control and Data Control
Enhancements for IPsec IKEv2 Sites (Cato Initiated): Cato introduces the following enhancements that improve interoperability with 3rd party devices, including Cisco ASA, and better protection against DoS attacks. No action is required for the relevant IPsec IKEv2 sites.
Enhanced support for working with multiple Traffic Selectors
If there are too many traffic selectors, and they can’t be sent on a single packet, the PoP will send the traffic selectors in multiple packets
PoPs can now send a single traffic selector per packet
Improved protection against half-open IKE SAs DoS attacks
Cato now supports IKEv2 cookie flows
Cato SDP Client Releases
macOS Client v5.2: macOS Client version 5.2 will soon be available in the User Portal. This version includes:
Enhanced Reauthentication Experience: A notification lets users know that the SSO or MFA session will soon expire, and allows them to seamlessly reauthenticate. Read more.
Status Bar Icon: Users can easily connect, disconnect, quit, and open the Client right from the status bar of macOS devices
Security fixes and enhancements
Improved Classification for Google Translate in Proxy Mode: The Cato Cloud now identifies Google Translate in proxy mode and it is included in the Anonymizer category. This means that for block rules using the Anonymizer category, the relevant traffic for end-users will be blocked.
Enhanced Classification for iOS Devices: The Cato Cloud now more accurately identifies the iOS operating system. For example, iPhone devices that were previously classified as UNKNOWN, are now classified correctly as iOS. This change may impact the TLS Inspection policy, because UNKNOWN OS bypasses inspection, and iOS devices would now be inspected and require the Cato certificate.
Malware - SVCReady
Malware - Azorult Stealer
Added more than 200 new SaaS applications (you can view the SaaS apps in Monitoring > Apps Catalog), including: