Deploying Cato SASE, Step by Step

It’s not uncommon for enterprises to find themselves in a situation where they’ve purchased new technology but are then faced with the hurdle of understanding what they’ve acquired and how to deploy it. This can often lead to confusion, deployment delays, and frustration with the new technology. Deploying the Cato SASE solution can be both simple and quick if you follow this checklist.


As with any new deployment, key stakeholder input and expertise will be required throughout the entire project. Those stakeholders can include members of management, security analysts, network engineers, application owners, and even your external partners (MSPs, VoIP, ISPs, etc.). The collaboration of this team will be crucial for the successful implementation of your Cato SASE platform.

The key deliverable from your planning meetings will be a formal SASE deployment plan, which will become the roadmap for your project. This will include key dates, milestone events, and success criteria for each milestone. The implementation plan should also remain somewhat flexible, as external circumstances sometimes require timelines or plans to change. In addition to the project timeline, the plan should cover the site deployment order, which SASE features will be adopted, and in what order they will be deployed.


Once you have the completed and agreed-upon SASE deployment plan, you are ready to implement that plan. You should have received notification of access to the Cato Management Application (CMA), allowing you to start creating your sites and configuring your basic networking and security settings. It is a best practice to pre-configure your sites in the CMA before connecting the Cato Sockets or deploying IPsec tunnels to those locations. When the Cato Sockets arrive at your locations, you will be ready to connect them to the Internet and the Cato Cloud.

In addition to the locations around the world you are connecting via the Cato Cloud, you will also need to import your remote users to the CMA and deploy the Cato Software-Defined Perimeter (SDP) Client based on the deployment plan. Cato supports SCIM and LDAP sync for importing users and group membership data. Once the users are onboarded as Cato SDP users, like your sites, they will also use their closest point of presence (PoP) to connect to the Cato Backbone and have access to your corporate network worldwide.

Network Settings

After you have started deploying your sites, which often require minimal network configuration, several options are available that will help your organization adjust and scale your networking configuration in Cato. Some of these configuration options include:

  • DHCP
  • DNS
  • Bandwidth Management (QoS)
  • Link health

Configuring these settings in the CMA will push the configuration globally to all of the Cato PoPs to ensure that all your locations and users have the same global performance and experience.

Security Settings

Since Cato is a complete SASE solution, it includes features such as firewall-as-a-service, intrusion protection, anti-malware, and application control, to name a few. Most of these features can be enabled with the flip of a switch in the CMA. They require some policy configuration, but otherwise provide basic protection right out of the box.

Cato’s firewall-as-a-service offers both an Internet and WAN firewall for external and internal traffic and operates in the Cato PoPs, removing most of the requirements for on-premises firewalls. The intrusion protection system uses a multi-layered approach to security, which includes reputation analysis, known vulnerability detection, anti-bot detection and blocking, and validation of network protocols to ensure traffic legitimacy.

Cato implements the SentinelOne Next-Gen Anti-Malware engine to provide a second layer of threat protection. This engine utilizes an AI model that detects anomalies in common file types that match known threats in its malware sample database. Machine learning then uses this information to match different features of both harmless and malicious files.

Since a vast amount of network traffic is encrypted, Cato offers TLS inspection as an option to decrypt, inspect, and re-encrypt traffic to ensure security even with encrypted traffic. Cato recommends using TLS inspection as a best practice to get the most out of the IPS, CASB, and anti-malware security modules.

Visibility and Integrations

Once you have deployed a few sites onto the Cato platform, you can see events and analytics flow into the CMA. These events are further processed into Cato XDR stories and displayed on the Stories dashboard. This data, combined with application and user awareness information, will offer a detailed view of your environment. With a SIEM-like experience in viewing and searching for events, your organization can utilize this rich and actionable data almost immediately after deploying your first site and users.

In Summary

Deploying SASE for enterprise is a clear-cut process with Cato. Download our white paper “SASE Deployment Made Simple with Cato” for more insight.
