Cato Management Application Notification: New Always-On Policy

Starting on March 19, 2023, Cato will introduce a new ordered policy for Always-On settings for SDP users and remote access. This policy lets you implement granular rules that are easy to maintain and update, and also provides the security of remote access with Always-On. This new policy has no impact on the settings and functionality of your account.

These are the actions for the new policy:

  • Always-On - users & groups in this rule are always connected to the network
  • On-Demand - users & groups in this rule can choose to disconnect from the network

The final implicit rule in the policy is ANY ANY On-Demand. So, any user that doesn’t match a rule in the policy can choose to disconnect from the network.

What Are the Changes to My Account?

The old Always-On settings are migrated to rules in the new policy that keep the same Always-On configuration for your account.

  • For accounts that enabled Always-On for one or more platforms (OS):
    • The OS that require Always-On are migrated to one rule with the Always-On action
  • For accounts that enabled Always-On, and defined exceptions for individual SDP users, for each OS two rules are created. First a rule for the individual SDP users, and then a rule for the default account setting. When there are more than 10 SDP users with exceptions, all these users are added to a new User Group in the rule.

For example, if Always-On is enabled for Windows, and three users are excluded from this setting, these are the rules:

  • Individual users with the action On-Demand
  • Windows OS with the action Always-On

What Is the Impact to My Account?

There is no impact to your account for Always-On configuration. The OS and individual SDP users are migrated to rules with the appropriate action.

For Connect On Boot configuration:

  • Defining Connect On Boot configuration for specific SDP users from the Cato Management Application is no longer supported
  • If Connect on Boot is disabled in the Cato Management Application, SDP users can define their own configuration from the Client. For accounts that configured Connect on Boot for specific SDP users, we recommend using this setting
  • If Connect on Boot is enabled in the Cato Management application, all Clients in your account automatically connect during device boot, SDP users can’t change the behavior in the Client

Following a migration, SDP users keep their account level configuration, without their previous user level configuration. 


Who do I talk to if I have questions?  

Please contact  Support. 

Was this article helpful?


Add your comment