Getty Images/iStockphoto


A review of Cato Networks' SASE Cloud platform

Cato's SASE Cloud lacks some features and may require customers to replace point products to fully benefit from the platform. But Cato aligns with SASE’s cloud-native vision and is a strong contender in the market.

Editor's note: This article is part three in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.

Cato Networks describes its Secure Access Service Edge platform, Cato SASE Cloud, as "ready for whatever's next."

The company also says Cato SASE Cloud is the world's first SASE platform. Marketers and analysts can debate that assertion, although it does have credence, as Cato briefed me on its platform two years before SASE's introduction. But most network architects and engineers are more concerned about the practical answer to whether Cato SASE Cloud is really ready for whatever's next.

A brief recap of SASE

Gartner developed SASE based on the premise that decades of deploying discrete networking and security point services have led to an infrastructure that's often too inefficient to operate, too sluggish to respond to new business requirements and too complex to protect. According to Gartner, future network innovation should shift its focus away from network performance and instead look at simpler operations, automation, reliability and flexible business models.

SASE calls for converging the functions of network and security point services into a global cloud service. Rather than relying on appliances that run into scaling issues, SASE moves processing into the cloud. As a cloud service, SASE can connect and deliver secure access to users and resources everywhere -- in the office, on the road or in the cloud.

Analysis of Cato's SASE Cloud architecture

Previously, this series looked at existing security vendors, Palo Alto Networks and Fortinet, that have adapted their appliance architectures to SASE.

In contrast, Cato Networks built its SASE platform from the ground up as a cloud service.

Unlike appliance vendors that only own technology creation and rely on service providers and their customers for delivery, cloud providers own technology creation and service delivery. Think of AWS or Microsoft 365. This strategy gives cloud providers greater control over their technology roadmap. It also means they have a deeper skill set to fix problems while avoiding the channel problems that can occur when selling software-defined WAN (SD-WAN) or SASE.


Enterprise networks are represented as virtual instances within the Cato SASE Cloud software that runs in global points of presence (PoPs). Currently, Cato says it has more than 65 PoPs worldwide, interconnected by multiple tier 1 carriers.

Each PoP contains multiple, multicore compute nodes, with each core running the Cato Single Pass Cloud Engine (SPACE), Cato's converged software stack. As customer network flows hit a Cato PoP, they are dynamically assigned to a Cato SPACE. Cato then extracts the flows' context, maps them to the applicable customer policy and applies the right security or networking actions.

Security and networking

All security and networking engines simultaneously process traffic. For security services, Cato delivers next-generation firewall, secure web gateway with URL filtering and advanced threat prevention with next-generation antimalware and an intrusion prevention system (IPS).

Networking services include global route optimization, dynamic carrier selection, WAN optimization and cloud optimization.

While enterprises must ensure sufficient processing and memory for strategies that rely on appliances, Cato's underlying software allocates the necessary memory and processing needed for each Cato SPACE. Cato is responsible for keeping the IPS current against emerging threats. And Cato is responsible for maintaining the underlying software infrastructure and global backbone. High availability planning in the core, not the edge, is already inherent in the cloud service.

Cato Networks SASE Cloud architecture
Cato Networks' SASE Cloud architecture

Edge locations

Cato brings traffic to its cloud by connecting sites, remote users, IaaS applications and SaaS resources using the following SASE edges.

Sites. Sites are equipped with the Cato Socket, Cato's thin SD-WAN device. The Socket provides just enough intelligence to bring the traffic to the Cato PoP. The Cato Socket X1500 supports up to 500 Mbps of encrypted or unencrypted traffic, while the X1700 model supports up to 2 Gbps of encrypted or unencrypted traffic.

Remote users. Remote users can run the Cato mobile client, establishing an encrypted tunnel to the nearest Cato PoP. Alternatively, they can connect using Cato's clientless access portal.

IaaS. Cato SASE natively supports IaaS resources, such as those in AWS, Microsoft Azure and Google Cloud. Cato has located its data centers in the same physical locations as the leading cloud data center providers. With a few clicks on the Cato management console, teams can establish encrypted tunnels across the data center network into the IaaS network.

This integration with the Cato SASE Cloud is agentless, which eliminates the need for premium cloud connectivity services, such as AWS Direct Connect or Microsoft Azure ExpressRoute. Cato also offers Cato vSocket for additional control.

SaaS applications. SaaS applications require no additional components or integration. Teams can configure a simple network rule to automatically detect SaaS traffic from any edge and apply network optimizations and security inspections. The traffic is then sent across the Cato private backbone to the PoP closest to the cloud instance serving the business.


Customers maintain their Cato accounts through the Cato Management Application, a self-service portal for configuration, troubleshooting and analytics. Customers can also outsource part, or all, of their account management through a suite of optional, managed services.

Intelligent Last-Mile Management provides 24/7 monitoring of last-mile ISPs at customer sites.

Hands-free Management uses Cato personnel or partners to perform all changes to networking and security policies.

Managed Threat Detection and Response uses machine learning algorithms to monitor customer networks for compromised, malware-infected endpoints. It also applies human verification to detected anomalies.

Currently, Cato provides the closest implementation of Gartner's SASE vision.

Strengths of Cato SASE Cloud

Currently, Cato provides the closest implementation of Gartner's SASE vision. Incumbent IT vendors have needed to rearchitect existing point services or develop new ones to deliver networking and security from the cloud. As a startup, Cato was able to create a platform from scratch for the cloud.

Simpler management

Enterprises can reduce overall administration costs by connecting and securing the entire infrastructure with Cato. Cato also makes IT simpler and easier to run.

While many SASE platforms require teams to juggle multiple management interfaces, Cato provides a single interface into security and networking infrastructure, which helps eliminate "swivel chair IT troubleshooting." Cato Instant*Insight is a good example of this convergence, as it provides a single interface for seeing all networking and security event data for the past year.

Ease of deployment

As a cloud service, SASE deployment is supposed to be easy, and that's the case with Cato. Site spin-up is quick, taking under an hour with all networking rules and security policies configured -- and without having to fly in an IT professional.

Many enterprises also see cost savings in IT operations, as Cato handles infrastructure planning and maintenance.

Global private backbone

Finally, the benefits of a global private backbone cannot be understated. The global internet is too unpredictable to serve as the backbone for a global enterprise. That's why enterprises might use SD-WAN to reduce dependency on global MPLS but, in my experience, rarely eliminate MPLS.

The Cato private backbone provides a consistent, low-latency, near-zero packet loss and jitter-free path between sites, which is quite different from internet connections. In addition, Cato manipulates TCP windows to improve file transfer performance.

With one of my customers, Cato ran an iPerf test across the internet, which had a latency of 224 milliseconds (ms), versus the Cato backbone. The results showed large increases in average throughput.

Chart showing how the average throughput for a company's various locations improved using Cato Networks SASE compared to internet.
A Cato Networks customer saw significant improvement in average throughput between sites, compared to internet connectivity.

Weaknesses of Cato SASE Cloud

Cato Networks is well funded, brings a strong pedigree and already has more than 900 customers. Its CEO and co-founder, Shlomo Kramer, is an acknowledged network security expert and serial entrepreneur who co-founded Check Point Software and Imperva. So, what are the catches with Cato SASE?

Age and maturity

Cato is a relatively young company competing with much bigger networking and security players. One example of that age difference is in the portfolio offering. Cato currently misses some of the "bells and whistles" of its larger competitors. For example, Cato doesn't currently offer remote browser isolation, data loss prevention or a full cloud access security broker.

That said, no SASE vendor has converged every security area detailed in the SASE specifications. Further, these capabilities are likely to be delivered by the end of 2021.

No network sandboxing

Another capability missing from Cato's portfolio is network sandboxing, which is used for detecting zero-day threats. Cato argues that sandboxing is limited and can introduce delay when inspecting a file. Instead, Cato says, customers can better defend against zero-day threats by using its advanced antimalware.

Changes to legacy infrastructure

Gaining the full benefit of Cato SASE Cloud will also require organizations to replace their current point services. That's quite a challenge and a lot of change for enterprises with large investments in legacy infrastructure.

Cato says enterprises can offset this challenge by aligning the changeover with contract renewals and end-of-life timelines. It also provides a migration that can be as granular as the individual user or office level.

PoPs aren't always the best option

Cato SASE secures access between users, branches and applications on the WAN by routing traffic to its cloud-based PoPs. But this isn't the best strategy when users need to access applications in the same location.

In response, Cato points out that the density of its PoPs currently covers more than 65 locations, and PoPs are always within 25 ms of its users. This enables sites to send local traffic to the PoPs for inspection without noticeable effects on performance.

Is Cato SASE Cloud ready for whatever's next?

Cato is competing with much larger, well-entrenched vendors. That said, no other vendor currently matches the implementation of Gartner's SASE vision as well as Cato. Cato's packaging of networking and security, cloud connectivity and remote access is appealing, particularly in this age where users move fluidly between office and home.

If Cato's missing features aren't limitations in your book and the roadmap makes sense for your business, Cato SASE Cloud appears to get customers ready for whatever's next.

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center