They (Cato) don’t even have their own in-house security solutions; it’s 3rd party, and how are you gauging whether they’re a leader in the space? Based on the Gartner MQ for single vendor SASE, because in that MQ there is only one leader and it’s not Cato? Not that we should put a lot of stock in Gartner’s analysis.
Cato/Velo/Aryaka are fundamentally different service offerings than what you’d get from a Palo/Cisco/Fortinet offering and yes there are pros/cons, but Cato is a far cry from a leader in the SASE space based on their weak SSE capabilities.
Cato is quite feature limited if they’re coming from Catalyst SDWAN (Viptela). Fortinet or others may be a better compromise. It really comes down to whether or not they want more security functionality in the longer term, think SSE/SASE beyond SDWAN. What is the customer’s security & cloud strategy?
That’s true. I understood the post as asking for the difference or what’s better or something. So I just wanted to explain that it’s two different things and you usually don’t choose one of them over the other.
SDWAN is a pretty common step into SASE, but it doesn’t have to be. Many enterprises start with remote access use cases as an alternative initial step.
Client has a datacenter and about a dozen remote sites. They want DIA from each site and interconnectivity between sites, currently running Viptela SD-WAN which creates a VPN between each TLOC/DIA, which seems cumbersome. Only specifications have been a replacement for Viptela that provides opportunity for PBR, and down the road they intend to implement routing preference for apps. Central management and security at each site’s edge are a must.
We tried to deploy Cato at a large RV company. Spent countless hours on the phone with support trying to get basic things like local bypass and intrasite traffic working without latency spikes. After 4 weeks and five useless deployments, the client switched to Fortinet. This was nearly two years ago, perhaps they have improved since.
1st off, isn’t this a discussion about SDWAN comparisons? No doubt every solution is different in some form or another. Nobody is arguing that they aren’t. Maybe the broader comparisons are appropriate for another post? The only discussion I thought you and I were having was around the value of a solution that can provide reliable and predictable user experience for real time services like voice and video and doing that through the SDWAN service offering of some providers. I indicated that NAT persistence was a big part of that and I don’t think you disagreed.
2nd, please let the community know by elaborating on your expertise about Cato Security if you’re going to make general claims. You mention Cato has no in-house security solutions. I’m assuming you mean they don’t have anything that they have developed directly as it relates to the services they offer. If you know that they don’t develop their own stuff it must mean that you also know what 3rd party solutions they use…so, please elaborate on what those are.
What NGFW/FWaaS 3rd party solution are they using?
What SWG 3rd party solution are they using?
What IPS 3rd party solution are they using?
What CASB/DLP 3rd party solution are they using?
What XDR 3rd party solution are they using?
I can tell you that they OEM Bitdefender and S1 for gateway/inline NGAM, they OEM Bitdefender for EPP and they OEM Authentic8 for RBI. What can you tell us about all the other services above?
Currently null … they are looking to be led towards either product is all I know. They are signed up to PoC Cato … sounding like Fortinet may be the better mix of edge security/functionality.
Sounds like Viptela deployment was bad so more features might not even be important. Maybe a simpler solution to deploy and manage would be? In the end, the only features that are important are the ones that the business needs and uses.
“Baby town frolic?” Not entirely sure what this phrase means.
Does Fortigate though? Not internet bound traffic. Without Fortigate on the other end you can’t control your shaping except for egress. You cannot put a Fortigate in O365. The Cato Cloud sits in between all traffic so that means all last mile optimizations apply WAN and Internet bound.
That’s an interesting argument. I guess you’re anti cloud in general? Don’t use SaaS based anything? The Cato Cloud and its SDWAN edge have been built to be resilient in just about any kind of failure scenario even with a theoretical doomsday situation where their cloud went down completely (the equivalent of AWS, Azure and GCP all going down together, because Cato’s Cloud is more distributed than even theirs). What that means…? Cato’s worst day ever would turn it into the equivalent of…(drum roll) Fortinet SDWAN.
CISA, NSA and FBI all warn about how unmaintained and exploitable Fortinet technologies are. I mean…just google “Fortinet vulnerabilities in the news”. The list is endless, but it’s not like other vendors can’t have vulnerabilities too. That’s not the point. The point is that Fortinet seems to have them somewhat frequently and the burden of effort falls on the enterprises to take care of them. So if I have to choose a DIY maintenance solution (Fortinet) or a solution that is automatically maintained by the supplier (Cato)…seems like it could be an important consideration for an enterprise.
Happy to openly discuss real arguments here if you have any. It does seem like the only thing you know about Cato is that it is a Cloud. Maybe you have more insight for the community?
Lots of choices available for this scope and need. Fortinet could do the job. So could Cato. Fortinet would likely be a more complicated deployment than Cato. Surely you will see this in your PoC with the two of them.
I’ve seen PoCs with Cato take 2 weeks to complete from start to finish. In those same PoCs with Fortinet, it takes 2 to 3 weeks just to get hardware implemented and an overlay established.
Cato’s solution is very sophisticated and comprehensive but I think many feel it not so because it’s also very easy to implement and manage. You’re doing a PoC so why don’t you get the most out of the process and share your feedback with the community here when you’re done.
Sorry it didn’t work out for you. “Intrasite” (inter-VLAN) isn’t a super strong use case for Cato…at least back then, maybe. There have been improvements made to local routing/local firewalling since then, but the default behavior is for all network segmentation to happen in the PoP itself…so traffic can be properly inspected with the full security stack (including ATP). This default setup/configuration isn’t a big issue for most organizations on decent last mile internet because they typically sit sub 20ms RTT from PoP, but if you’re moving lots of big chunky workloads intrasite, even 20ms RTT or less is felt and local routing could/should be the better configuration practice.
If you have a strong local intrasite use case that needs full east/west inspection without going to PoP then Cato might not be the best option and a traditional edge firewall could be. Cato’s local intrasite east/west inspection capabilities are more suited for L3/L4 controls (and I hear that L7 at the local site level is coming soon) and assume that you can scope the traffic finely enough to limit the amount of risk or exposure created. The ingress/egress perimeter is still protected, of course, because anything coming into the site or going out is still having to traverse the full security stack in the PoP. It’s a practical vs. theoretical risk kind of thing.
Still, if your requirements for “local routing” were pretty routine…I would have expected no issue with setup and execution.
I’m a bit surprised they’ve moved up into the leaders quadrant, but maybe they’ve gotten a bit better since I last dealt with their solution. Unsurprisingly Gartner keyed into my own issues with Cato based on past experiences related to security. In the context of this discussion, there’s no question they’re going to cost more than Fortinet SASE.
Cato Networks cautions
Gartner clients report frustration with the vendor’s pricing model, as sales proposals can be high and/or difficult to understand. Costs are related to site bandwidth, which can lead to large increases when site bandwidth upgrades are required.
The vendor’s geographic strategy lags competitors, due to limited localization of documentation and technical support, and its sovereign processing approach.
Some of Cato’s security capabilities are limited, including SaaS control and visibility, and on-premises firewalling.
If they’re looking at the full Fortinet SASE suite, that is very different than what Cato provides (Fortinet offers Endpoint client sec for ZTNA, an Explicit proxy, Digital Experience Monitoring etc. which Cato does not). User traffic must traverse the CATO cloud for any inspection; they’re very different offerings.
Cato doesn’t have roots in the Sec space, they grew out of managed WAN Opt → SDWAN → SASE and many of their features are checkbox in that regard. It’s not to say it won’t work, but given where the market/industry is headed one could easily argue that Cato isn’t well positioned from a security perspective. CATO is 100% reliant on 3rd parties for ATP, URL filtering and most all of their Sec capabilities.
Clearly, I’m a bit biased, but was burned in a past life on the MSP side with Cato not working very well beyond their basic functionality. That said, it still could be a good fit for this customer given their needs. I’d really try and dig into their security requirements in this case, to understand what they have now and what they’re thinking long term.