CATO Networks

Cato SASE cloud is a global converged cloud-native service that securely and optimally connects all branches, data centers, people, and clouds. Cato can be gradually deployed to replace or augment legacy network services and security point solutions.

Cato solves the global connectivity problem. The Cato global private backbone is a private network spanning 60+ points of presence (PoPs) worldwide. The backbone is affordable and managed by Cato personnel.


Reliable Global Connectivity at an Affordable Price

Cato dramatically reduces the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. Cato PoPs interconnect across multiple tier-1 providers, backed by SLAs on availability, latency, packet loss, and jitter. Cato’s software monitors the real-time performance of the provider networks and, with our application-aware routing algorithms, selects the optimum path across the Cato backbone, even if that path is indirect, via other PoPs. By controlling the routing and only using SLA-backed network capacity, Cato delivers far better performance than the public Internet and at a far lower cost than global MPLS.

WAN Optimization for Peak Throughput

Cato improves application throughput beyond just minimizing global network latency. Built-in WAN optimization dramatically improves TCP efficiency, increasing data throughput for sites and mobile users by as much as 40x. Cato PoPs proxy TCP connections, allowing TCP clients and servers to send far more data, sooner. Advanced TCP congestion control also enables Cato edges to send and receive more data, as well as better utilize the available bandwidth. Both techniques shorten the time needed to remediate errors, reducing the impact of packet loss on data throughput.

Cloud-Native Software for Faster Innovation and Lower Costs

Cato PoPs run our cloud-native software, a fully multitenant and scalable network stack that performs all core networking and security functions — route calculation, policy-enforcement, and security inspection. The software platform operates on off-the-shelf servers capable of breakthrough performance previously only possible with custom hardware.

Self-Healing By Design for 24x7 Operation

To ensure maximum availability, the Cato architecture is fully self-healing. All aspects of failure detection, failover, and failback are automated, requiring no special planning or pre-orchestration. Each PoP contains multiple compute nodes running identical copies of Cato’s software; any compute node can serve any edge tunnel connected to that PoP. Should a compute node fail, the tunnels automatically move to another node. Should a PoP become unreachable, edges connected to that PoP automatically reconnect to the next closest PoP. And should a tier-1 provider connecting Cato PoPs fail or degrade, PoPs automatically switch to one of the alternate tier-1 providers.

Built-in End-to-End Encryption and Security

Extensive measures are taken to ensure the security of Cato Cloud. All communications — whether between PoPs or with Cato Sockets or Cato Clients — are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and mobile users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Cato service is ISO 27001 certified.

The Cato Socket, Cato’s Edge SD-WAN device, is a zero-touch device ready to work in minutes. Sockets come in two models: X1500 for branch offices and X1700 for datacenters. Both are continuously monitored and updated by Cato’s network operations center (NOC).


Link Aggregation

Cato improves capacity and resiliency by balancing traffic across links. Multiple link aggregation scenarios for MPLS and Internet circuits (fiber, DSL, cable, 4G/LTE, or 5G) are supported. In active-active mode, Cato balances traffic across last-mile circuits. Using active-passive or active-active-passive, customers can designate one or two active connection(s) and a secondary connection for reliability purposes.

Dynamic Path Selection

Applications receive the optimum network experience with Dynamic Path Selection and Policy-based Routing (PBR). Cato Socket monitors link quality metrics (jitter, latency, and packet loss), dynamically selecting the optimum link based on preconfigured network rules. Using Cato’s PBR capabilities, applications can also be pinned to specific transports, such as restricting business-critical applications to high-quality, symmetric fiber links and leisure applications to lower-quality, asymmetric links.

Application Identification

Cato’s advanced Deep Packet Inspection (DPI) engine automatically identifies thousands of applications and millions of domains on the first packet. This robust library is continuously enriched by third-party URL categorization engines and machine learning algorithms that mine a massive data warehouse built from the metadata of all traffic flows traversing Cato Cloud. Customers can also configure policies to identify custom applications or have that done for them by Cato engineers.

Bandwidth Management and QoS

Cato aligns network usage with business intent through Bandwidth Management rules. The rules assure that more critical applications always receive the necessary upstream and downstream capacity, serving other applications on a best-effort basis. Rules contain priority, class of service, and capacity limits, if relevant. Administrators can modify or create rules, network-wide or per site. Detailed analytics for all rules can be easily seen through Cato’s advanced reporting capabilities.

Packet Loss Mitigation

To address last-mile packet loss, Cato employs numerous mitigation techniques. The effects of packet loss are dramatically reduced by detecting lost packets nearly instantly at the nearby PoP rather than at the remote destination. When packet loss does jump, Cato Sockets automatically detect the change and switch traffic to alternate link(s) connecting the site. Cato intelligently resumes the use of primary links to avoid link flapping.

BGP Integration

When organizations consider WAN transformation, they can face the migration challenge of integrating SD-WAN with their existing routing infrastructure. Without routing protocol integration, companies end up having to manually configure multiple static paths to connect their routed and SD-WAN infrastructure.

Access Control Across Your Network

Cato provides enterprises with access control capabilities through our next-generation firewall (NGFW) and Secure Web Gateway (SWG). Our NGFW provides full application awareness with the ability to inspect the payload of packet data and distinguish between different types of web traffic. Cato’s SWG allows customers to monitor, control and block access to websites based on predefined and customizable categories.

Next-Generation Firewall

The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as application or services, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address, or domain.

Secure Web Gateway

Cato provides an SWG to give you granular control over your Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. We provide predefined policies for dozens of different URL categories and support custom rules, enhancing the granularity of web access control. As with the rest of our service, the SWG is easily managed through Cato’s management portal and covered by a full audit trail.

Advanced Threat Prevention

As part of Cato’s Advanced Threat Protection, Cato offers anti-malware protection and Intrusion Prevention System (IPS) capabilities. Both services inspect WAN and Internet traffic. Additionally, Cato PoPs inspect TLS-encrypted traffic in the Cato Cloud, so there are no scaling constraints or additional latency.


Malware Detection and Prevention leverages multi-layered and tightly-integrated anti-malware engines. First, a signature and heuristics-based inspection engine, which is kept up-to-date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware.

IPS Protection Engine

Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes, and maintains context-aware heuristics, both those developed in-house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of our IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.

Managed Threat Detection and Response to Reduce Dwell Time

Cato’s Managed Threat Detection and Response Service (MDR) enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato seamlessly applies a full MDR service to customer networks. We automatically collect and analyze all network flows, verify suspicious activity, and notify customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.

Cloud datacenters offer enterprises tremendous value in cost savings, scalability, accessibility, agility, and management. But connecting your WAN with your cloud datacenters can be fraught with challenges.


Access Control Without the Complexity

Access control, a critical requirement when integrating cloud data centers, is also simplified with Cato. Once the cloud networks are connected, access is managed by our Firewall-as-a-Service, which has AD integration for granular user and application control built-in, and full visibility for troubleshooting and auditing. There’s no need to settle for the insufficient ACL-level access control offered by Cloud providers or to invest in licensing and deploying 3rd party virtual FWs.

Performance Without the Premium Price Tag

Cato’s global private backbone saves you the cost of private connections and the performance problems of backhauling to cloud datacenters by delivering end-to-end route optimization. Cato PoPs and cloud datacenter providers, such as AWS and Azure, share the same physical datacenters, practically eliminating the latency and packet loss between the two. That gives you performance similar to that of dedicated connections without the cost. With Cato, customers can see an increase in throughput of up to 4x-40x.

Security That’s Built In – Not Bolted On

Cato’s Security-as-a-Service is built into the Cato private global backbone and delivered as a service. No additional appliances need to be purchased or deployed. Cato has a single security stack covering all of your cloud datacenters, physical locations, and remote workers. All of your network traffic, regardless of where it’s coming from, is processed through our NGFW, SWG, IPS, NGAM, and MDR. As more load is put on the cloud datacenter, or a new cloud datacenter is added, the service seamlessly scales without any need to buy additional security solutions or upgrade existing ones.

Full Visibility for Full Control

By making the cloud datacenter a native part of the enterprise network, Cato gives you the exact same visibility and control as you have with your physical network, without any additional components. Cato provides a single-pane-of-glass into the complete enterprise network — sites, cloud resources, and mobile users for networking and security — through its cloud-based management application. Through the application, customers can control all parts of the service, including network and security policy configuration, detailed network analytics, and security event reporting.

The users connect to the nearest Cato PoP, and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s Security as a Service stack protects remote users against threats and enforces application access control.


Easy Deployment, Instant Secure Access

Cato integrates with Active Directory as the center of Identity and Access Management. Quickly setting up directory synchronization and selecting the desired user groups, or all groups, automatically enables these users for remote access. Application access control policies are configured via the Cato management application.

Multi-Factor Authentication & Single-Sign-On

Cato is integrated with identity providers to provide strong authentication and a single-sign-on (SSO) experience. Setting up existing authentication services, like Office365 or AzureAD, as the remote access SSO lets your users authenticate securely through interfaces they are already familiar with. And enabling multi-factor authentication at your identity provider automatically enforces it for your remote access users’ authentication, further strengthening your remote access security.

Flexible Client-Based or Clientless Access Options

Cato provides the flexibility to choose how remote and mobile users securely connect to resources and applications. Cato Client is a lightweight application available for Windows, macOS, iOS, Android, and Linux. It is set up in minutes and automatically connects the remote user to the Cato Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an Application Portal, which is globally available from all of Cato’s 60+ PoPs, authenticate with the configured SSO, and are instantly presented with their approved applications.

Continuous Security Inspection for All Remote Access Traffic

Remote access traffic is continuously inspected by Cato’s security stack, ensuring enterprise-grade protection is available down to a single user. Cato’s access controls (NGFW, SWG), threat prevention (IPS, NGAM), and threat detection (MDR) capabilities are enforced globally, ensuring your remote users benefit from the same protection as office users.

Access Performance Optimization to All Applications

Cato extends global network optimization capabilities down to a remote user’s laptop, smartphone, or tablet. Once connected using a Cato Client or clientless browser access, a remote user’s network traffic is optimally routed over Cato’s global private backbone to on-premises or cloud applications. The use of Cato’s backbone eliminates the performance challenges of legacy VPN access that relies on the unpredictable Internet and its packet loss, latency, and jitter. Furthermore, built-in WAN optimization maximizes throughput for bandwidth-intensive applications like collaboration and file sharing.

Cloud-Scale Remote Access for Everyone, Anytime and Anywhere

Cato takes away the capacity constraints of traditional VPN appliances. Cato’s cloud-native architecture, elastic capacity, global footprint, and self-healing capabilities are designed to continuously support any number of remote users connected at any time. Delivered from Cato’s 60+ PoPs worldwide, secure remote access is made available near your remote users wherever they are. There is no need to backhaul remote users to a central VPN concentrator with limited bandwidth and high latency.

Simple Unified Management of Remote Access Policies

Remote user management and analytics are available from the Cato Management Application. Defining access permissions and monitoring the activity of remote users from the same platform increases your visibility and control and improves the overall security posture.

Business Continuity Readiness

When a business continuity plan needs to be activated, your entire workforce can instantly switch to work remotely. Cato is built to continuously secure and optimize all your users’ traffic, regardless of where they are located and how they connect to Cato. This makes your enterprise application access BCP-ready by design.
