Cato Networks

The World's leading single vendor SASE platform.

Cato SASE Cloud: The World’s Leading Single Vendor SASE Platform Solution Brief

The Network and Security Challenges of Digital Transformation Your business is going digital. It depends on optimized and secure global access to applications and data, on premises and in the cloud, and on an increasingly hybrid workforce. Rigid network and security architectures built with disjointed point solutions, can’t adapt to emerging business and technical requirements and the evolving threat landscape. The result is lower business agility and increased risk made worse by shortage of resources and scarcity of critical skills as well as the high cost of outsourced support. There must be a better way. Digital business means a cloud-昀椀rst, fast, and agile business, something that is incompatible with legacy telcos and network services. Digital transformation pressures legacy architecture, IT resources because: • MPLS networks are built around a physical datacenter and WAN access. The network must be rearchitected to encompass both WAN and Internet traffic to support the cloud DCs and applications along with big capacity increase. • Centralized (backhauling) security model creates a chokepoint for secure cloud access. Direct secure Internet access at the branch must be enabled while extending full security capabilities to all branches and users. • The legacy WAN doesn’t extend beyond physical locations. Supporting the hybrid workforce to accommodate work from anywhere requires a flexible architecture that is user- and location-centric. • Disjointed solutions increase complexity, IT workload and security risk with fragmented management and expanded attack surface. Increasing agility and improving responsiveness require solution consolidation. And, convergence into the cloud, with self-healing and self-maintaining architecture can help reduce the load on IT. There is no way to escape complexity: either you bear the costs and the business impact, or you pay outsourced service providers. Either way, underlying complexity is the root cause of rigidity and slow responsiveness. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 2

The World’s First SASE Platform The world’s 昀椀rst single-vendor SASE platform, converging SD-WAN and network security into a global cloud-native service. Cato is the first single-vendor implementation of the Gartner secure access service edge (SASE) framework, which identified a global and cloud-native architecture as the way to deliver secure and optimized access to all users and applications. With Cato, enterprises move from legacy networks built with point solutions and expensive MPLS services to modern networks that are global, secure, agile, and affordable. Cato SASE Cloud connects all enterprise network resources, such as branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, managed SD-WAN service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. Real-time Policy Enforcement (SSE 360) FWaaS • SWG • IPS • NGAM ZTNA • CASB • DLP • RBI Multi-gig Packet Processing SPACE Any flow • Context extraction • Route optimization • Selective decryption Protocol acceleration P o o t P a C SaaS Optimization C Cloud DC Integration l s o s u a d P E (Smart egress) n (IPsec • Cross Connect • Cato vSocket) e l g g i n n Si e SPACE e n o kb c a B e t a v i Pr al ob Gl MPLS/Internet Cato Socket Edge SD-WAN Cato ZTNA or 3rd party IPSEC Client & Clientless Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 3

Global Private Backbone The Cato global private backbone is comprised of 80+ PoPs worldwide servicing customers in 150+ countries. All PoPs are interconnected by multiple SLA-backed tier-1 providers, and every PoP runs Cato’s cloud-native software stack. It’s fully multitenant, scalable, and ubiquitous, performing in a single pass all network functions — such as global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption — as well as implementing the inspection and enforcement functions needed by Cato security services. Stockholm, Sweden Brussels, Belgium Amsterdam, Netherlands Manchester, UK Munich, Germany Vancouver, Canada Dublin, Ireland Frankfurt, Germany Calgary, Canada Toronto, Canada London, UK Prague, Czechia Seattle, WA Minneapolis, MN Montreal, Canada Paris, France Bucharest, Romania Portland, OR Detroit, MI Boston, MA Milan, Italy Chicago, IL Zurich, Switzerland Beijing, China San Jose, CA Columbus, OH New York, NY Madrid, Spain Santa Clara, CA Denver, CO Ashburn, VA Seoul, South Korea Tokyo, Japan Los Angeles, CA Cincinnati, OH Charlotte, NC Osaka, Japan Las Vegas, NV Dallas, TX Atlanta, GA Tel Aviv, Israel Shanghai, China Houston, TX Miami, FL Casablanca, Morocco Dubai, UAE Hong Kong Taiwan Mexico City, Mexico Shenzhen , China Mumbai, India Chennai, India Bangkok, Thailand San José, Costa Rica Ho Chi Minh City, Vietnam Kuala Lumpur, Malaysia Quito, Ecuador Singapore Manila, Philippines Lima, Peru Jakarta, Indonesia São Paulo, Brazil Johannesburg, South Africa Perth Sydney Santiago, Chile Melbourne Auckland, New Zealand WAN Optimization Self-healing Architecture WAN optimization is an integral part of the The Cato backbone is continuously monitored network software stack, utilizing TCP proxies and measured. Self-healing capabilities and advanced congestion management guarantee 99.999% service availability. Elastic, algorithms to maximize throughput in key scale-up cloud software design principles operations, such as file transfers. assure seamless service infrastructure growth without service downtime or disruptions. Global Route Optimization Locations connect to the Cato global, private Cato’s proprietary routing algorithms factor in backbone by establishing encrypted tunnels latency, packet loss, and jitter. Unlike Internet from a Cato Socket, Cato’s zero-touch, edge routing, Cato routing always favor performance SD-WAN appliance, or any device that supports over cost, selecting the optimal route for every IPsec tunnels. Cloud datacenters connect network packet. through an agent or agentless configuration; mobile users connect clientless or by running a Cato Client. Encryption End-to-end encryption, using the strongest industry-standard cipher suites, assures data confidentiality, privacy and secure multitenancy. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 4

Edge SD-WAN Edge SD-WAN Cato Edge SD-WAN works with multiple Internet circuits, CATO providing reliable, high-performance access to Cato’s global, private backbone. Traffic can also be routed over t MPLS, directly between sites (not through the Cato PoP), erne t In and across IPsec tunnels to third-party devices. The Cato Socket, Cato’s Edge SD-WAN device, is a zero- touch device ready to work in minutes once it has power and Internet connectivity. Sockets come in two models: X1500 for branch offices and X1700 for datacenters. Both are continuously monitored and updated by Cato’s MPLS network operations center (NOC). Cato Sockets include: • Link Aggregation that balances inbound • Packet Loss Mitigation techniques and outbound traffic across MPLS and dynamically switch traffic to alternate, better multiple Internet circuits (fiber, DSL, cable, performing link(s) and proactively duplicate 4G/LTE or 5G) to maximize bandwidth packets on a per application basis. (active/active) and availability. Cato’s architecture eliminates middle-mile • Dynamic Path Selection that routes traffic packet loss. across the optimum transport based on • Routing Protocol Integration that leverages application, user, and real-time link quality BGP to make informed real-time routing (jitter, latency, and packet loss). decisions, easily integrating a company’s • Application Identification that uses Cato’s existing routing infrastructure with Cato Edge advanced Deep Packet Inspection (DPI) SD-WAN. engine to automatically identify thousands • High Availability (HA) that carries no of applications and millions of domains on additional recurring charge and deployment the first packet. is simple and completed in minutes. Sockets • Bandwidth Management Rules ensure automatically connect to the best available that more critical applications always Cato PoP. Should the connection degrade or receive the necessary upstream and fail, the Cato Socket automatically reconnects downstream capacity, serving other to the best available PoP. applications on a best-effort basis. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 5

Security Service Edge (SSE) Cato SASE Cloud is powered by a cloud-native WWW security service edge (SSE), Cato SSE 360. Cato SSE 360 is built using the Cato Single Pass Cloud Engine (SPACE) architecture and converges the following capabilities: Secure Web Gateway (SWG), FWaaS ZTNA SWG Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access CASB SPACE IPS (ZTNA), and Firewall as a Service (FWaaS) with DLP NGAM Advanced Threat Prevention (IPS, Next Generation RBI Anti-malware), which is managed by the Cato SOC (Security Operations Center). These security capabilities form the basis of a comprehensive Managed Threat Detection and Response (MDR) service that is provided as part of Cato’s managed services offering. All capabilities seamlessly scale to process all customer traffic, encrypted and unencrypted, without the need for sizing, patching, or upgrading appliances and point solutions. Cato protects user privacy and fully complies with GDPR. Inspected data is never stored on Cato servers or shared with third-parties. Customers are able to exclude privacy-sensitive applications, such as banking and healthcare, from inspection. In addition, Cato complies with SOC 1 and 2, and ISO 27001, 27017, 27701, and 27018. Next-generation Firewall The Cato NGFW operates across every Cato PoP, protecting the entire organization with a unified application-aware and user-aware security policy — all without the cost and complexity of upgrading and maintaining individual firewall appliances. Cato’s NGFW uniquely provides: • Complete visibility, inspecting all WAN • Unified security policy, enforcing one and Internet traffic for fixed and mobile granular policy and rule base that extends from users. There are no blind spots, no need one user to the entire business. The rule base to deploy multiple security appliances is common to all security functions and traffic or tools. types. There is no need to associate policies • Unlimited scalability, applying security with distinct appliances or point products. policies and inspecting any traffic mix • Simple lifecycle management, eliminating (encrypted and unencrypted) at line the need to size, upgrade, patch or refresh rate. We ensure processing power firewalls. Customers are relieved of the and network capacity always meet ongoing grunt work of keeping their network committed service levels. security current against emerging threats and evolving business needs — or being forced into paying more so their telco will do it for them. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 6

Secure Web Gateway Secure Web Gateways (SWGs) protect against phishing, malware, and other Internet-borne threats. Cato converges SWG with NGFW, eliminating the need to maintain policies across multiple point solutions and the appliance life cycle. Cato’s integrated SWG provides dynamic site categorization, which includes an always current URL database enriched with information about phishing threats, malware delivery, botnets, and other malicious content. Customers can set and enforce one set of web access policies for mobile and fixed users based on visibility into user activity, reducing organizational risk. Cloud and Data Security Cato’s SASE Cloud enables enterprises to gain better visibility and control over their cloud-hosted applications. Cato’s Cloud Access Security Broker (CASB) provides in depth visibility into SaaS usage and enables IT leaders to better cope with shadow IT. Cato’s Data Loss Prevention (DLP) enables granular control over the extraction of sensitive enterprise information in order to protects form potential data breaches. Cloud Access Security Broker (CASB) Data Loss Prevention (DLP) Cato’s CASB provides IT managers with Cato’s Data Loss Prevention (DLP) enables comprehensive insight into their organisation’s enterprises to protect sensitive information cloud application usage, covering both sanctioned from being uploaded to, or extracted from, and unsanctioned (Shadow IT) applications. cloud or physical datacenters. The solution Cato’s CASB enables assessment of each SaaS inspects traffic to detect sensitive data or application in order to evaluate its potential risk, file types and takes the defined action when and definition of highly granular and flexible access a match is found. DLP helps enterprises rules to ensure least privileges and minimal risk achieve regulatory compliance, for example exposure. with the General Data Protect Regulation (GDPR), by detecting Private Identifiable Remote Browser Isolation (RBI) Information (PII), as well as with industry Cato’s RBI provides secure browsing through specific standards such as Payment a virtualization service that streams web pages Card Industry (PCI) and Health Insurance safely to the user’s device. Page code is executed Portability and Accountability Act (HIPAA). remotely, keeping users safe from ransomware, phishing and other threats. Cato RBI gives Admins a new ‘Isolate’ option that lets users browse unknown sites safely, rather than disrupt productivity by blocking. It adds another layer of protection against new sites and attacks that are not yet documented, and user error. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 7

Advanced Threat Prevention Advanced Threat Prevention is a collection of network security and related defenses deployed to address current and emerging threats. IT organizations face the daunting task of maintaining complex infrastructure to identify and prevent advanced threats from penetrating the network. Cato Advanced Threat Prevention solves that problem, inspecting encrypted and unencrypted traffic at line rate for malware and network-based threats. TLS Inspection Intrusion Prevention With most Internet traffic encrypted, detecting Cato’s IPS leverages multiple layers and and preventing threats delivered within SSL/TLS technologies to block network attacks. traffic is critical. However, inline SSL/TLS traffic Network protocol validation detects inspection consumes significant processing protocol manipulations and malformed resources. Appliance-based security solutions packets. Context-aware signatures and face resource limitations as their hardware is often rules block attacks based on known CVEs, inadequate, forcing hardware upgrades outside unknown attacks based on network traffic of the budgetary cycle. As noted, Cato security behavior, and network scans. Internal services benefit from infinite compute power of and external reputation feeds enrich cloud. Cato inspects all TLS-encrypted traffic flows IPS intelligence. Geographic-based without impact on user experience or application restrictions minimize the threat landscape. performance. Legacy IPS technology requires extensive skills and management effort. IT teams Malware Protection need to evaluate new signatures, determine Cato’s network-based malware protection which ones to activate, validate they won’t leverages multiple, multilayered and tightly- disrupt the business, and consider the integrated anti-malware engines running in all performance impact on the IPS appliance Cato PoPs. The first layer includes a signature and the network. Those concerns simply and heuristics-based inspection engine, which don’t exist with Cato IPS. Like all Cato is kept up-to-date at all times based on global security services, the Cato Security threat intelligence databases, scans files in transit Research Lab and SOC manage the Cato across the Cato backbone to protect against IPS for you and ensure appropriate rules known malware. The second layer applies proven are applied against emerging threats with machine-learning algorithms from SentinalOne the proper validation and capacity analysis. to identify and block unknown malware, such Activation is simple. Cato customers as zero-day attacks or polymorphic variants only need to enable the IPS from their of known threats that are designed to evade management console to benefit from its signature-based inspection engines. With both prevention power. layers, connected endpoints are deeply protected against network-delivered malware. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 8

Cloud Access and Optimization and Remote Access Cloud Datacenter Integration Cato tightly couples cloud datacenters into the SD-WAN, t p i O m i d z u a t o i l o effortlessly. All cloud providers — Amazon AWS, Microsoft C n Azure, Google Cloud, and others — connect into the Cato global private backbone by establishing redundant IPsec tunnels, which typically only have to cross the physical datacenter shared with the Cato PoP. In this way, Cato delivers the optimum cloud experience. Cloud datacenter traffic routes over the optimum path across the Cato global private backbone to the Cato PoP. From there, traffic is typically sent across the datacenter network to the cloud datacenter. This architecture eliminates the need for premium cloud connectivity services, such as AWS DirectConnect or Microsoft Azure Express Route. The integration is agentless, requiring no virtual appliances. For those who prefer a virtual appliance, Cato also offers its vSocket. Agentless configuration leverages the IPsec gateway connectivity available from all cloud providers avoids additional VM costs as well as the risk of modifying production server network configurations. Like all other traffic, cloud datacenter traffic is subject to full security inspection by Cato security services. Cloud Application Acceleration Cato also improves public cloud application performance, such as Office 365, Cloud ERP, UCaaS, and Cloud Storage. Latency is reduced by optimally routing cloud application traffic across Cato’s global, private backbone to the Cato PoP closest to the cloud application provider’s datacenter. Cato’s built-in WAN optimization maximizes end-to-end throughput to improve application performance, especially around bandwidth-intensive operations, such as file transfers. All traffic and files exchanged with the cloud application are subject to full security inspection within the Cato SASE Cloud. Secure Remote Access Cato extends the full range of its network and security capabilities down to remote and mobile users. Using a Cato Client or clientless browser access, users connect to the nearest Cato PoP and their traffic is routed optimally over the Cato global private backbone to applications on on-premises or in the cloud. Cato provides remote and mobile users with Zero Trust Network Access (ZTNA/SDP), allowing the most granular user access control down to specific applications. By contrast, legacy VPN solution limit access to entire subnets. All user activity is protected by Cato’s built-in network security stack, ensuring enterprise-grade protection to all users everywhere. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 9

Cato Management Application Cato provides customers with a self-service management application for events, analytics and policy configuration. As applicable, Cato or its partners offer managed service options including site deployment, intelligent last-mile monitoring, configuration of network and security policy changes, and managed detection and response (MDR). • The Cato management console combines power and simplicity. Administrators define granular network and security policies without a long learning curve or repetitive manual operations now simplified by an intent-driven user interface. • Real-time and historical, analytics and reports provide comprehensive network visibility, solving key challenges of access control, user experience, troubleshooting, and shadow IT. • Collection and delivery of full network and security event logs to external analysis solutions like SIEM is available, with a unique benefit of using a single interface for all events rather than manually aggregating data from multiple appliances and sources. The management application is web-based and accessible over the Internet with multi-factor authentication. All access and con昀椀guration changes are recorded in a centralized audit log. Cato’s management console provides a single-pane-of-glass, showing all connected sites, cloud resources, and users. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 10

Managed Services Cato offers a suite of managed services depending on the management model that best meets customer requirements. In all cases, Cato maintains the underlying platform, freeing customers from the associated costs and complexities of scaling, upgrading, and otherwise managing the networking and security infrastructure. With self-service management, customers control all aspects of their own networks. With co- management, customers can delegate configuration and troubleshooting tasks to the Cato NOC or a regional partner. Fully managed puts responsibility for monitoring and managing the customer’s network on a regional partner. Multiple management models are a unique advantage of Cato over legacy telcos and managed network service providers, which require customers to open tickets for any network change. In addition to site deployment assistance, Cato and its partners o昀昀er the following managed services: Intelligent Last-mile Management Cato provides customers with a premium service to continuously monitor last-mile ISPs. In case of an outage (blackout) or performance degradation (brownout), Cato works with the ISP to resolve the issue by providing pertinent and detailed network information around the incident. This service helps customers that migrated from a fully managed MPLS network to quickly resolve network issues across their multiple, global ISPs without expending precious internal IT resources. Managed Threat Detection and Response As mentioned, Cato provides customers with a premium service to continuously monitor their networks for compromised endpoints. Prevention is no longer sufficient to protect the corporate network. Detection is critical for complete defense against advanced attacks. However, such managed threat detection and response (MDR) services often come at high cost with significant deployment complexity. Cato MDR leverages the deep network visibility of the Cato network to provide a zero-footprint detection of resident threats using a combination of machine learning algorithms that mine network traffic and a human verification of detected anomalies. Cato experts then guide customers on remediating compromised endpoints. Hands-free Management Customers can choose Cato or one of its partners for complete hands-free management of their network. Expert staff will perform all changes to networking and security policies as needed to accommodate changing business and technical requirements. A co-management model between the customer, a partner, and Cato is also available. In all cases, Cato maintains the underlying Cato Cloud platform so customers do not need to upgrade, patch, or otherwise maintain any Cato software. Site Deployment With our Site Deployment service, Cato’s Professional Services (PS) team handles initial site activations and advanced configurations. The PS team then fine tunes network and security policies to match the customer’s unique requirements. Additional training ensures local resources are equipped to follow through on the remaining site activations. And Cato’s PS and Support teams are available to assist during the remainder of the deployment. Designated Support Engineer (DSE) For those customers looking for dedicated support, we offer our DSE service that provides a single-point-of contact for support issues. The DSE is a tier-3 support engineer with a deep understanding of customer’s environment. This eliminates the need to communicate customer-specific information, helping to speed issue resolution. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 11

Use Cases MPLS Migration to SD-WAN/SASE Cato enables customers to move away from expensive, rigid, and capacity constrained MPLS to a high-capacity and resilient modern network. Using Cato Edge SD-WAN and multiple Internet links, customers boost capacity and improve resiliency for lower cost per Mbps. Customers with a global footprint leverage Cato’s affordable global private backbone to replace global MPLS services to reduce cost, meet service levels, improve performance, and deliver security everywhere. Ultimately, most customers can increase capacity, resiliency, and improve overall network performance and security with the same network spend. MPLS Migration to SD-WAN/SASE Secure Direct Internet Access Cato enables customers to move away from expensive, rigid, and capacity constrained MPLS to a high-capacity and resilient modern network. Using Cato Edge SD-WAN and Cato provides a cloud-native security service edge, Cato SSE 360, converged into the multiple Internet links, customers boost capacity and improve resiliency for lower cost Cato SASE Cloud. By connecting all locations and users to Cato SASE Cloud through per Mbps. Customers with a global footprint leverage Cato’s affordable global private Cato edge SD-WAN devices and Cato SDP Clients, all traffic, both Internet and WAN, is backbone to replace global MPLS services to reduce cost, meet service levels, improve fully protected by Cato SSE 360. With Cato, customers can eliminate or avoid the cost performance, and deliver security everywhere. Ultimately, most customers can increase and complexity of multiple firewall appliances and standalone cloud security services. capacity, resiliency, and improve overall network performance and security with the same network spend. Work From Anywhere Cato extends global networking and security capabilities down to a single user’s laptop, Sensitive Data Security smartphone, or tablet. Using a Cato SDP Client or clientless browser access, users Cato SSE 360’s CASB and DLP capabilities enable full visibility and control of sensitive dynamically connect to the closest Cato PoP, and their traffic is optimally routed over data. Cato enforces granular policies on data access from corporate and BYOD devices the Cato global private backbone to on-premises or cloud applications. Cato SSE 360 and data sharing across applications. With Cato, customers can reduce the risk of enforces granular application access policies, protects all users against threats, and sensitive data loss and reputation risk, and better comply with regulatory requirements.prevents data loss. Customers use Cato to eliminate the cost and complexity of point solutions including appliances and cloud-based security services such as VPN, Firewalls, Secure Direct Internet Access CASB, and Secure Web Gateways. Cato provides a cloud-native security service edge, Cato SSE 360, converged into the Sensitive Data Security Cato SASE Cloud. By connecting all locations and users to Cato SASE Cloud through Cato edge SD-WAN devices and Cato SDP Clients, all traffic, both Internet and WAN, is Cato SSE 360’s CASB and DLP capabilities enable full visibility and control of sensitive fully protected by Cato SSE 360. With Cato, customers can eliminate or avoid the cost data. Cato enforces granular policies on data access from corporate and BYOD devices and complexity of multiple firewall appliances and standalone cloud security services. and data sharing across applications. With Cato, customers can reduce the risk of sensitive data loss and reputation risk, and better comply with regulatory requirements. Gradual Cloud Migration Gradual Cloud Migration Cato easily connects physical and cloud datacenters to Cato SASE Cloud and optimizes access to public cloud apps. Traffic is inspected by Cato SSE 360 and optimized using Cato easily connects physical and cloud datacenters to Cato SASE Cloud and optimizes Cato’s global private backbone across the “middle mile”. This is achieved through a “smart access to public cloud apps. Traffic is inspected by Cato SSE 360 and optimized using egress” capability that allows customers to define an application-level rule to exit specific Cato’s global private backbone across the “middle mile”. This is achieved through a “smart application traffic at a designated PoP that is the closest to the target instance serving the egress” capability that allows customers to define an application-level rule to exit specific organization. With Cato, customers can eliminate premium cloud connectivity solutions application traffic at a designated PoP that is the closest to the target instance serving the like AWS DirectConnect and Microsoft ExpressRoute.organization. With Cato, customers can eliminate premium cloud connectivity solutions like AWS DirectConnect and Microsoft ExpressRoute. Global Application Access Global Application Access Cato SASE Cloud leverages Cato’s a global private backbone with built-in WAN and cloud optimization to deliver an SLA-backed, predictable, and high-performance application Cato SASE Cloud leverages Cato’s a global private backbone with built-in WAN and cloud access everywhere. Customers that suffer from poor application access for remote optimization to deliver an SLA-backed, predictable, and high-performance application locations and users, use Cato to deliver a great user experience for both on-premises access everywhere. Customers that suffer from poor application access for remote and cloud application access. locations and users, use Cato to deliver a great user experience for both on-premises and cloud application access. Work From Anywhere Cato extends global networking and security capabilities down to a single user’s laptop, smartphone, or tablet. Using a Cato SDP Client or clientless browser access, users Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 12 dynamically connect to the closest Cato PoP, and their traffic is optimally routed over the Cato global private backbone to on-premises or cloud applications. Cato SSE 360 enforces granular application access policies, protects all users against threats, and prevents data loss. Customers use Cato to eliminate the cost and complexity of point solutions including appliances and cloud-based security services such as VPN, Firewalls, CASB, and Secure Web Gateways.

Cato SASE Cloud: Complete WAN Transformation Cato is the world’s first single-vendor SASE platform, converging SD-WAN and SSE into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership. Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato socket appliance, which connects to the nearest of Cato’s 80+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any mobile device via a simple piece of software that is easy to install and use. With Cato, new locations or users can be up and running in hours or even minutes, rather than days or weeks. At the local PoP, Cato provides an onramp to its high-performance global private backbone and security services. Cato monitors traffic and selects the optimum path for each packet across the backbone for performance that is as good or better than legacy MPLS. Since mobile users run across the same backbone as all other resources, the remote access experience is no different from working at the office. With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero trust architecture. Whether its mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 13

About Cato Networks Cato provides the world’s leading single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud service. Cato SASE Clou`d optimizes and secures application access for all users and locations everywhere. Using Cato, customers easily replace costly and rigid legacy MPLS with modern network architecture based on SD-WAN, secure and optimize a hybrid workforce working from anywhere, and enable seamless cloud migration. Cato enforces granular access policies, protects users against threats, and prevents sensitive data loss, all easily managed from a single pane of glass. With Cato your business is ready for whatever’s next. Cato SASE Cloud with SSE 360 Real-time Policy Enforcement (SSE 360) FWaaS • SWG • IPS • NGAM ZTNA • CASB • DLP • RBI Multi-gig Packet Processing SPACE Any flow • Context extraction • Route optimization • Selective decryption Protocol acceleration P o o t P a C SaaS Optimization C Cloud DC Integration l s o s u a d P E (Smart egress) n (IPsec • Cross Connect • Cato vSocket) e l g g in n Si e SPACE e n o kb c a B e t a v i Pr l a ob Gl MPLS/Internet Cato Socket Edge SD-WAN Cato ZTNA or 3rd party IPSEC Client & Clientless Cato SASE Cloud Use Cases SSE 360 MPLS Migration to SD-WAN Secure Remote Access Secure Remote Access Edge SD-WAN Secure Branch Internet Access Global Private Backbone Optimized Global Connectivity Multi-cloud / Hybrid-cloud Secure Hybrid-cloud and Multi-cloud SaaS Optimization Work From Home Cato Management Application Cato. Ready for Whatever’s Next. SASE, SSE, ZTNA, SD-WAN: Your journey, your way. Contact Us Ready for Whatever’s Next Cato SASE Cloud Solution Brief 14