Cato Networks

Cato pioneered the convergence of networking and security into the cloud. Aligned with Gartner’s Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks, Cato’s vision is to deliver a next generation secure network architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches based on disjointed point solutions. With Cato, organizations securely and optimally connect any user to any application anywhere on the globe. The cloud-native architecture enables Cato to rapidly deploy new capabilities and maintain optimum security posture, without any effort from the IT teams. With Cato, your IT organization and your business are ready for whatever comes next.


Cato is the first implementation of the Gartner secure access service edge (SASE) framework, which identified a global and cloud-native architecture as the way to deliver secure and optimized access to all users and applications. Cato SASE Cloud connects all enterprise network resources, such as branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, managed SD-WAN service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times.


The Cato private global backbone is comprised of 75+ PoPs (points of presence) worldwide, interconnected by multiple SLA-backed tier-1 providers. All PoPs run Cato’s cloud-native software stack. It’s fully multitenant, scalable, and ubiquitous, performing all network functions — such as global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption — as well as implementing the inspection and enforcement functions needed by Cato security services.


Cato Edge SD-WAN works with multiple Internet circuits, providing reliable, high-performance access to Cato’s global, private backbone. Traffic can also be routed over MPLS, directly between sites (not through the Cato PoP), and across IPsec tunnels to third-party devices.

The Cato Socket, Cato’s Edge SD-WAN device, is a zero-touch device ready to work in minutes once it has power and Internet connectivity. Sockets come in two models: X1500 for branch offices and X1700 for datacenters. Both are continuously monitored and updated by the network operations center (NOC).

Cato Sockets include:

  • Link Aggregation
  • Dynamic Path Selection
  • Application Identification
  • Bandwidth Management Rules
  • Packet Loss Mitigation
  • Routing Protocol Integration
  • High Availability


Cloud Datacenter Integration

Cato tightly couples cloud datacenters into the SD-WAN, effortlessly. All cloud providers — Amazon AWS, Microsoft Azure, Google Cloud, and others — connect into the Cato global backbone by establishing redundant IPsec tunnels, which typically only have to cross the physical datacenter shared with the Cato PoP. In this way, Cato delivers the optimum cloud experience. Cloud datacenter traffic routes over the optimum path across the Cato global private backbone to the Cato PoP.

The integration is agentless, requiring no virtual appliances.

Cloud Application Acceleration

Cato also improves public cloud application performance, such as Office 365, Cloud ERP, UCaaS, and Cloud Storage. Latency is reduced by optimally routing cloud application traffic across Cato’s global, private backbone to the Cato PoP closest to the cloud application provider’s datacenter. Cato’s built-in WAN optimization maximizes end-to-end throughput to improve application performance, especially around bandwidth-intensive operations, such as file transfers. All traffic and files exchanged with the cloud application are subject to full security inspection within the Cato SASE Cloud.

Secure Remote Access

Cato’s Zero-Trust SDP (Software Defined Perimeter) mobile access model allows the most granular user access control down to specific applications.

By contrast, legacy VPN solutions limit access to entire subnets. All user activity is protected by Cato’s built-in network security stack, ensuring enterprise-grade protection to all users everywhere.


Cato provides a single-pane-of-glass into the complete enterprise network — sites, cloud resources, and mobile users for networking and security — through its cloud-based management application. Through the application, customers and providers can control all parts of the service, including network and security policy configuration, detailed network analytics, and security event reporting. The management application is web-based and accessible over the Internet with multi-factor authentication. All access and configuration changes are recorded in a centralized audit log.


The Security Service Edge (SSE) enables enterprises to move away from a rigid and disjointed IT architecture to a converged security platform delivered as a cloud service. With SSE, enterprise IT can rapidly address new business and security requirements such as cloud migration, adoption of public cloud applications, and work from anywhere. SSE’s converged architecture reduces cost and complexity with simple management through a single pane of glass, self-healing infrastructure, and automatically evolving defenses that seamlessly mitigate emerging threats. Customers can opt to manage their infrastructure themselves or co-manage it with their preferred partners.

Cato SSE 360 takes SSE beyond the Gartner defined scope. It has the following components:

Cloud-native security service edge

Cato SSE 360 is built using the Cato Single Pass Cloud Engine (SPACE) architecture that is the foundation of Cato’s global, converged, cloud-native service. Current converged capabilities include not only Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) with Data Loss Prevention (DLP), but also full Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS, Next Generation Anti-malware) as well. Using FWaaS along with the other converged capabilities enables Cato to apply the full set of SSE controls to all traffic.

Cato SDP (Software-Defined Perimeter) Clients

Lightweight clients connect user devices to Cato SSE 360 to optimally and securely access the Internet, internal applications, on premises and in the cloud, and global public cloud applications. Cato provides clients for laptops, smartphones, and tablets, as well as a clientless browser access option.

IPsec-enabled devices and Cato Socket SD-WAN for Locations

Physical and cloud locations connect to Cato SSE 360 using any IPsec enabled third-party device or Cato Socket SD-WAN appliances. The Cato Socket provides last mile resiliency and quality of service (QoS) and overcomes blackouts and brownouts using application-based dynamic path selection and packet loss mitigation.

Comprehensive Management Application for Analytics and Policy Configuration

Cato provides customers with a management application for security and network analytics, as well as full granular policy configuration. Venticento, a Cato partner, offers managed service options including site deployment, intelligent last-mile monitoring, configuration of network and security policy changes, and managed detection and response (MDR).