IP Allocation Policy

This article explains how to use the IP Allocation Policy screen to define the Dynamic IP range for SDP users in your account. In addition, you can allocate Static IP addresses for specific SDP users.

Overview of the IP Allocation Policy for Remote Access

The IP Allocation Policy defines the IP ranges that Cato assigns to Clients when they connect a device to the Cato Cloud. The default setting is to dynamically allocate the IPs based on the unique network range defined for your account. When the Client disconnects from the network, this dynamic IP address is only reserved for a few minutes.

You can also choose to assign static fixed IP addresses to specific SDP users. The static IP address is reserved for that SDP user, and is allocated to them when they authenticate and connect with the Client. SDP users that aren't assigned static IP addresses are allocated an IP from the Dynamic IP range.

This feature is only for SDP users, and not for users located in an office behind a Socket.

Example IP Allocation Use Case

For accounts with equipment that uses fixed IP addresses, for example routers with an Access Control List (ACL), some users are defined specific IPs for the router. This means that they are only allowed to access the network from that IP address.

Customers can use the IP Allocation Policy to assign a Static IP for an SDP user that matches the IP in the ACL. Then the Client is always assigned the same IP, and the router allows the SDP user to access the network.

Setting the Dynamic IP Range for the Account


Note: Best practice is to configure the largest Client IP range possible to decrease the chances of an IP conflict that causes the Client to disconnect.

The Dynamic IP Range is the range of IP addresses that are allocated to Clients when they connect to the Cato Cloud. The default range is, and if you need to change it, it must be a unique network range and can’t overlap with any other network range defined in your account.

The lease time for the dynamically allocated IP addresses is 2 minutes, and afterwards the IP address is available for other users.

Allocating Static IPs to SDP Users

For specific SDP users, you can define the static IP that is allocated to them when they use the Client to connect to the network. First define the IP range for the static IP addresses, and then define the unique IP address for each SDP user.

For SDP users that are already connected to the network, when you allocate them a static IP address the Client disconnects and then automatically reconnects using the static IP.

Ensure the allocated IP address range is large enough to accommodate all Clients with a license assigned. If the allocated range is smaller than the total number of assigned licenses, it may result in connectivity issues as some users can't obtain an available IP address.


To allocate Static IPs to an SDP user:

  1. From the navigation menu, click Access > IP Allocation Policy​.
  2. In the Static IP section, select Enable Static IPs.

    The toggle is green toggle.pngwhen enabled.

  3. In IP Range, enter the range of IP addresses that are available for the static IPs.

  4. In the Allocate IP per SDP User section, assign the static IP to the SDP user:

    1. In SDP Users, select the user you are assigning the static IP.

    2. Enter the static IP address that is within the IP Range, and click Add.

    3. Repeat the previous two steps for additional SDP users.

  5. Click Save.

Working with Multiple Devices and Static IPs

Each static IP can only be allocated to one device at a time. When an SDP user connects to the network with multiple devices, the first device is allocated the static IP address. Other devices are allocated IPs from the Dynamic IP Range.

Was this article helpful?

2 out of 5 found this helpful


Add your comment