Cato SASE Cloud Review & Features 2023

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Cato Networks focuses on the simplified deployment and delivery of cloud-native security, and their SASE solution extends end-to-end security to all users, assets, offices, and resources regardless of location. With an assortment of service options, Cato SASE Cloud will appeal to organizations interested in full-service or high-speed SASE solutions.

For more details explore the following sections of this review:

To compare Cato SASE against competitors, see our complete list of top secure access service edge (SASE) solutions.

Who is Cato Networks?

Founded in Tel Aviv, Israel, Cato Networks started as a firewall-as-a-service (FWaaS) company and focuses on the convergence of security, networks, and the cloud. Run by Shlomo Kramer, founder of Check Point Software, Cato is a private company backed by investors such as USVP, Aspect Ventures, Lightspeed, SingTel innov8, and Greylock Partners.

Cato SASE Cloud

Cato SASE Cloud provides a cloud-native solution for SASE that is fast to deploy, simple to manage, and capable of improving security and performance. Cato was recognized as a Challenger in the 2023 Gartner Magic Quadrant and their SASE Cloud solution satisfies the six required SASE capabilities through:

  1. Centralized control through a consolidated management application that provides a single interface to manage and investigate all other components and policies
  2. Monitored network status through Cato Socket Edge software defined wide area network (SD-WAN) connectors (physical networks), Cato ZTNA connections (remote users), Cato vSocket (cloud integration), and third party IPsec VPN connections that provide reports, analytics and control over network operations performance and security
  3. Monitored user activity and data loss prevention (DLP) analysis through Cato SSE 360 analysis and event monitoring
  4. Inspected and decrypted traffic that blocks malware and malicious URLs through SSE 360’s packet inspection that consolidates the functions of a secure web gateway (SWG), Firewall-as-a-Service (FWaaS), intrusion prevention systems (IPS), and next generation anti-malware
  5. Controlled access to data and resources based upon user, device, and permissions through Cato SSE 360 that converges the capabilities of zero trust network access (ZTNA), cloud access security broker (CASB), remote browser isolation (RBI), and SD-WAN capabilities
  6. Secured cloud-based assets such as applications, websites, and Software-as-a-Service (SaaS) resources through Cato vSocket or IPsec VPN connections to the Cato SASE Cloud and IPS performed by Cato SSE 360

The Cato SASE Cloud components consist of:

  • Cato Points of Presence (PoPs) connect assets to Cato’s privately-owned, high-speed backbone infrastructure
  • Cato ZTNA Client applications can be downloaded and installed on user’s devices to provide zero-trust VPN access
  • Integrated Cato SSE 360 provides the capabilities for SWG, CASB, RBI, ZTNA, IPS, FWaaS and more
  • Cato Socket Edge SD-WAN appliances provide zero-touch connections for physical networks to the SD-WAN network and Cato SASE Cloud
  • Cato vSocket virtual appliances can be installed within cloud resources to enable quick and easy connections to the SD-WAN

Users can also make clientless connections to access applications protected by Cato SASE Cloud through web browsers and a valid login credential.

Pricing & Delivery

Cato’s SASE offering simplifies purchase, setup, and configuration with simplified options and bundled pricing. Cato includes their SSE 360, clientless connections, the ZTNA Client licenses, and technical support within the Cato SASE Cloud license.

Cato charges customers annually based primarily on the bandwidth volume per site and the number of mobile users. Bandwidth is sold for connections between 10 Mbps and 10 Gbps and Cato does not directly publish prices. Some partners publish that 50 Mbps of bandwidth starts at $200 per location and reaches $500 per location for 400 Mbps.

Cato only offers two versions of the Socket Edge SD-WAN appliance for physical deployment, one rated up to 500 Mbps (X1500) and the other rated up to 2 Gbps (X1700). Cato sells the appliance as Hardware-as-a-Service and the service contract includes updates, upgrades, and replacements.

Partners publish prices between $350 and $500 per socket as well deployment site fees of $500 each. However, these partner prices do not clarify which are annual, monthly, or one-time fees. Cato does not explicitly offer free trials, but they have been known to authorize proof-of-concept tests and they also offer free quotes.

To compliment the Cato SASE Cloud technology, Cato offers customers options for managed services performed by Cato or their partners:

  • Managed Threat Detection and Response (MDR) services will proactively monitor customer networks for potential threats to directly mitigate and resolve attacks
  • Site Deployment will fully manage the setup (QoS, security, failover, etc.) and deployment of Socket Edge appliances and their connection to the Cato SASE Cloud
  • Hands-Free Management turns over day-to-day management and rule setting within the SASE Cloud to Cato, either completely or partially
  • Intelligent Last Mile Management turns over management of ISPs at each location for Cato to monitor for potential brownouts and blackouts and manage communication and troubleshooting

Features

  • Full SASE Features: centralized control, monitored user activity, inspected and decrypted traffic, controlled access, secured cloud-based assets, and monitored network status and operations control
  • Global Private Backbone with world-wide points of presence (PoPs) fully owned and controlled by Cato to provide faster performance and higher security than internet or IPsec VPN transmission
  • Hardware-as-a-Service avoids delays or IT team time because maintenance contracts include patching, updating, upgrading, replacing, and maintaining connection hardware
  • Cloud-scaled security with firewall, anti-malware, and packet inspections performed in the cloud where scalability eliminates performance hits
  • Bandwidth flexibility enables flexible pricing without overcommitment
  • Inspection everywhere IPS and anti-malware applied to all traffic, everywhere – including cloud and remote assets
  • No customer lockout to make emergency changes – even when using Cato managed services
  • Optimized traffic routing through the backbone automatically or by rules to minimize latency and packet loss between users and apps, cloud resources, branch offices, etc.
  • Windows, macOS, iOS, Android, and Linux support through the self-service Cato Client ZTNA agent
  • Automatic smart Socket Edge appliance updates allow customers to select how aggressively and when to perform hardware updates based on rules and with no customer IT involvement required
  • Segregated internet and WAN firewalls for fastest analysis and segregation of traffic
  • Three layers of anti-malware inspection: signature based, advanced malware detection, and IPS performed on all users and traffic within the Cato SASE Cloud
  • Optional Cato Managed Services for internet service provider management, SASE management, managed detection and response (MDR), deployment, and designated support services
  • 1 year of operations data stored for each link: jitter, packet loss, PoP distance, upstream and downstream bandwidth
  • Usage reports by user, categories, and applications to monitor trends, troubleshoot, and refine access and bandwidth rules
  • 365 days of security information and event management (SIEM) data built into Cato SASE Cloud for direct inspection and evaluation or to export via API pull or scheduled push

Pros

  • Rule-based automatic traffic routing can maximize performance and reduce costs
  • No local hardware configuration needed because the Socket Edge SD-WAN configuration is both set-up and stored within Cato SASE Cloud for fast and easy installation, failover, or replacement
  • Automatic failover with pairs of SD-WAN appliances
  • Automatic Point-of-Presence (PoP) location and connection by Socket Edge SD-WAN appliances
  • Lightweight on-device agent with all anti-malware and packet inspection performed on scalable cloud resources
  • SASE Challenger as recognized by Gartner in their 2023 Single Vendor SASE Magic Quadrant
  • Never locked out of management console even when using managed servers; emergency modifications are always possible
  • Granular migration options for users and offices for organizations with existing point-service contracts
  • Replaces premium cloud connectivity services such as AWS Direct Connect or Azure ExpressRoute
  • Greatly reduced labor costs to support local hardware replaced by the SASE solution (SD-WAN, firewalls, etc.) can be realized
  • Simple and intuitive interface with easy to navigate reports

Cons

  • Time consuming to fine-tune connections although initial connections can be quick
  • Slower throughput rates than expected may be caused by poor connections or distance between users or sites and Cato SASE Cloud PoP, although Cato estimates all PoP are within 25 ms of users
  • Lacks some options for network and security controls present in specialist applications which may distress IT and security teams accustomed to those specific options such as sandboxing
  • Out-of-date or incomplete documentation cited by some customers
  • Intrusion detection needs improvement according to some customers

Alternatives to Cato SASE Cloud

Customers attracted to Cato SASE Cloud likely seek simple, easy solutions to install and implement and likely have limited SD-WAN infrastructure investments. Key competitors to Cato SASE Cloud to consider are:

  • Barracuda SecureEdge: Organizations unintimidated by hardware installation requirements and who do not need the speed of a private backbone can opt for the strong Barracuda brand and its integrated email security option
  • Cloudflare One: Smaller organizations or those testing out SASE may opt to pursue Cloudflare One’s simplified SASE and the free tier for under 50 users
  • SASE service provider: Several managed service providers such as Aryaka, Masergy (Comcast), and Open Systems offer SASE as a service for customers that do not want to self-manage their SASE

How We Evaluated Cato SASE Cloud

Cato SASE Cloud is rated and ranked against seven other SASE competition in our top SASE providers article. That article explains the overall ranking and here we provide details specific to Cato SASE Cloud:

  • Overall Rating: 4.12 / 5  (#2)
  • Licensing Information: 2.75 out of 5 possible criteria
  • Monitoring and Managing: 6.3 out of 7 possible criteria
  • Asset Control: 4 out of 4 possible criteria (tied for #1)
  • Implementation and Administration: 4.25 out of 5 possible criteria (#1)
  • Customer Support: 2.92  out of  4 possible criteria

Cato SASE Cloud might lack some of the options present in more established network and security vendor SASE offerings, but makes up for it with truly integrated, simplified and automated implementation, deployment, and management. A high-speed private backbone combines with automated rerouting and security options to provide a fast, simple SASE solution.

Bottom Line: Best for Full-Service SASE

Cato offers a simplified and semi-automated installation for their SASE Cloud solution, that enables a fast deployment for a wide range of customers that value deployment speed over networking and security options. With options for managed operations, installation, and ISPs, the Cato Cloud solution offers an organization the opportunity to fully outsource their SASE needs to their vendor and focus on their business.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis