HomeNext Gen IT-InfraMonitoring & ManagementCyber SecurityBCP / DRAutomationDecoded
Next Gen IT-Infra
Cato’s SASE Supports Cybersecurity Skills Development

How Cato’s SASE Supports Cybersecurity Skills Development

🕓 April 8, 2025

How SASE Supports the Security Needs of SMBs

How SASE Supports the Security Needs of SMBs

🕓 February 9, 2025

Attack Surface Reduction with Cato’s SASE

Attack Surface Reduction with Cato’s SASE

🕓 February 10, 2025

SASE for Digital Transformation in UAE

SASE for Digital Transformation in UAE

🕓 February 8, 2025

Monitoring & Management
Understanding Atera’s SLA Management

Understanding Atera’s SLA Management

🕓 February 7, 2025

Cost-Performance Ratio: Finding the Right Balance in IT Management Networks

Cost-Performance Ratio: Finding the Right Balance in IT Management Networks

🕓 June 16, 2025

Customizing Atera with APIs

Customizing Atera with APIs

🕓 March 3, 2025

Power Up Your IT Team’s Strategy with Atera’s Communication Tools

Power Up Your IT Team’s Strategy with Atera’s Communication Tools

🕓 February 8, 2025

Cyber Security
Illustration of the Cato Cloud architecture showing its role in delivering SASE for secure, optimized global connectivity.

Understanding the Cato Cloud and Its Role in SASE

🕓 January 29, 2025

Isometric illustration of professionals managing network performance, bandwidth analytics, and cloud-based optimization around the Cato Networks platform, symbolizing bandwidth control and QoS visibility.

Mastering Bandwidth Control and QoS in Cato Networks

🕓 July 26, 2025

Global network backbone powering Cato SASE solution for secure, high-performance connectivity across regions.

Global Backbone: The Engine Powering Cato’s SASE Solution

🕓 January 30, 2025

Illustration of team analyzing application traffic and usage insights on a large laptop screen using Cato’s dashboard, surrounded by network and cloud icons.

Cato Networks Application Visibility | Monitoring & Control

🕓 July 27, 2025

BCP / DR
Illustration showing diverse business and IT professionals collaborating with cloud, backup, and security icons, representing Vembu use cases for SMBs, MSPs, and IT teams.

Who Uses Vembu? Real-World Use Cases for SMBs, MSPs & IT Teams

🕓 July 12, 2025

Graphic showcasing Vembu’s all-in-one backup and disaster recovery platform with icons for cloud, data protection, and business continuity for IT teams and SMBs.

What Is Vembu? A Deep Dive Into the All in One Backup & Disaster Recovery Platform

🕓 July 6, 2025

Illustration showing Vembu backup and disaster recovery system with cloud storage, server racks, analytics dashboard, and IT professionals managing data.

The Rising Cost of Data Loss: Why Backup Is No Longer Optional?

🕓 August 14, 2025

3D isometric illustration of cloud backup and data recovery infrastructure with laptop, data center stack, and digital business icons — FSD Tech

RPO & RTO: The Heart of Business Continuity

🕓 August 15, 2025

Automation
Cross-Functional Collaboration with ClickUp

Fostering Cross-Functional Collaboration with ClickUp for Multi-Departmental Projects

🕓 February 11, 2025

ClickUp Project Reporting

Revolutionizing Enterprise Reporting with ClickUp’s Advanced Analytics and Dashboards

🕓 June 16, 2025

ClickUp’s Design Collaboration and Asset Management Tools

Empowering Creative Teams with ClickUp’s Design Collaboration and Asset Management Tools

🕓 February 26, 2025

ClickUp Communication and Collaboration Tools

ClickUp Communication and Collaboration Tools: Empowering Remote Teams

🕓 March 12, 2025

Decoded
Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA): All You Need to Know

🕓 December 7, 2025

L3 Switch

What Is an L3 Switch? L2 vs L3 & Why You Need Layer 3?

🕓 December 8, 2025

IPSec

IPSec Explained: Protocols, Modes, IKE & VPN Security

🕓 December 3, 2025

Datagram Transport Layer Security (DTLS)

What is Datagram Transport Layer Security (DTLS)? How it works?

🕓 December 4, 2025

    Subscribe to our newsletter!

    About Us

    Follow Us

    Copyright © 2024 | Powered by 

    Atera

    (59)

    Cato Networks

    (131)

    ClickUp

    (78)

    FishOS

    (7)

    Miradore

    (21)

    PointGuard AI

    (9)

    Vembu

    (22)

    Xcitium

    (33)

    ZETA HRMS

    (79)

    Table of Contents

    Cato Networks Custom Application Control: Configuration and Policy

    Anas Abdu Rauf
    September 21, 2025
    Comments
    3D illustration of Cato custom application control securing ERP, CRM, and HR apps in hybrid networks. Shows cloud shield blocking threats, enforcing security policies, and providing monitoring dashboards for enterprises across GCC and Africa.

    Why Custom Application Control is a Critical Gap in Most Deployments?

    Every enterprise network carries a category of traffic that falls outside the scope of standard application libraries — proprietary business systems, internally developed portals, legacy industry-specific tools, custom APIs, and vertical applications built for specific operational requirements. These applications do not appear in predefined catalogs. They do not have pre-built policy templates. And without explicit definition in the security platform, they are effectively invisible to policy enforcement.

     

    The consequences of that invisibility are significant and underappreciated. Bandwidth consumed by an unrecognized ERP system cannot be prioritized, meaning it competes equally with video streaming and social media traffic during peak hours. Data moving through an unrecognized internal HR portal cannot be subject to DLP inspection, meaning sensitive employee records can transit the network without any controls. 

     

    Sessions connecting to a custom manufacturing application cannot be inspected by IPS rules, leaving them exposed to exploitation without the protection applied to every other recognized application.

     

    For organizations operating in the GCC region and across Africa — where proprietary enterprise systems, localized business applications, and industry-specific tools are particularly prevalent — this gap between what security platforms recognize by default and what organizations actually run is a practical security and operational challenge that demands a direct solution.

     

    Cato SASE addresses this through custom application control: the ability to define any application not in the default catalog, apply the full Cato security and policy stack to it, and monitor its usage with the same depth available for predefined applications.

     

    What is Cato Custom Application Control?

    Cato's custom application control capability allows IT and security administrators to define applications that are not present in Cato's predefined application library, and then treat those applications as first-class citizens in the policy framework — subject to the same access controls, QoS prioritization, threat prevention inspection, DLP enforcement, and reporting capabilities available for any built-in application.

     

    Once a custom application is defined, it integrates directly into the Cato Management Application's policy engine. It appears in the application catalog alongside predefined applications, can be referenced in firewall rules, QoS policies, and security profiles, and generates analytics data that appears in the same reporting interfaces used for all other application traffic.

     

    The practical effect is that the boundary between "recognized" and "unrecognized" traffic disappears for the applications your organization defines. An internal ERP system running on a proprietary protocol becomes as visible and policy-manageable as Microsoft 365 or Salesforce. A custom API built by your development team becomes subject to DLP inspection and IPS threat detection. A legacy manufacturing application becomes a named entity in your security policy rather than an anonymous traffic flow.

     

    This matters not just for security but for operational clarity. When every significant application your organization runs is named and defined in the policy platform, your security posture becomes auditable, your QoS configuration becomes purposeful, and your incident investigations become faster and more accurate.

     

    Consult with us in just one tap

     

    Key Takeaways

    • What custom application control is and why it’s important
    • Steps to create and define custom applications in Cato
    • How to apply policies such as allow, block, prioritize, or restrict
    • Monitoring and reporting on custom app traffic
    • Practical use cases like controlling internal ERP or HR systems

     

    Why Custom Application Control Matters?

    While Cato provides a comprehensive library of applications (cloud, SaaS, collaboration, productivity), enterprises often have unique needs:

     

    • Proprietary ERP systems running internally
    • Custom APIs or portals developed in-house
    • Legacy applications tied to manufacturing or construction systems
    • Vertical-specific apps (finance, healthcare, engineering)

     

    Without the ability to define these apps, visibility is lost, and policies cannot be enforced. Custom application control solves this gap.

     

    Also Read: How the Cato Client Becomes the Identity Anchor for Zero Trust Access

     

    Creating a Custom Application in Cato

    Custom applications can be defined based on multiple identifiers, including:

    • IP ranges or subnets
    • Fully Qualified Domain Names (FQDNs)
    • Protocols and ports
    • TLS Server Name Indication (SNI)

    Steps to configure:

    1. Navigate to Security > Applications > Custom Applications.
    2. Click Add New Application.
    3. Provide a descriptive name (e.g., Internal ERP System).
    4. Define the identification parameters (FQDN, IP, or port/protocol).
    5. Save the application and verify it appears in the catalog.

     

    Note: Custom applications are descendants of matching predefined applications. The first matching firewall or network rule is applied to the custom or predefined application. If you want to apply the rule action for a specific application, make sure that this rule is placed above any other rule that contains matching predefined applications. 

     

    Applying Policies to Custom Applications

    Once created, custom applications can be managed like any other app in Cato’s platform:

     

    • Access Control – Allow, block, or restrict by user/group/site.
    • Quality of Service (QoS) Prioritization – Assign high/medium/low priority to ensure business-critical apps (like ERP) are not impacted by bandwidth-heavy apps (like streaming).
    • Threat Prevention Integration – Intrusion Prevention System (IPS), Anti-Malware, and DNS Security rules also apply to custom applications.
    • Data Loss Prevention (DLP) Enforcement – DLP policies can monitor and control sensitive data transfer in both standard and custom applications.

     

    Note: Although Cato Networks continuously updates its predefined application and service list, in some cases, you may not find a commonly-used application/service for which you are searching. If this occurs, please open a support ticket so that Cato adds the application/service to the predefined list. While you are waiting for the predefined application, you can create the specific application/service as a custom application as a workaround until it is available in the Cato Management Application. 

     

    Also Read: Platforms, Countries, and Origin of Connection: Advanced Device Criteria in Cato Firewall

     

    Monitoring and Reporting on Custom Apps

    Administrators can track how custom applications are used via:

     

    • Events > Application Events – See sessions, blocked attempts, and user activity.
    • Analytics > Application Analytics – Monitor bandwidth consumption and user trends.
    • QoS Reports – Validate if prioritization rules are working correctly.

     

    Note: The App Analytics page includes data for blocked apps. This is because the Point of Presence (PoP) allows the client device trying to access the app to send multiple packets to the PoP, so it can identify the app and apply the block rule. This request and response traffic between the client device and PoP is included in App Analytics data. 

     

    Real-World Use Case: Controlling an Internal ERP System

    A construction company in the GCC region defined their custom ERP as a recognized app in Cato. With policies:

     

    • ERP traffic was prioritized to guarantee stable performance.
    • Access was restricted only to finance and project management teams.
    • All ERP traffic was inspected under IPS and Anti-Malware for advanced threat prevention.

     

    This provided full visibility, ensured compliance, and protected critical systems without deploying extra appliances.

     

    Tips for Effective Custom Application Control

    • Use FQDN over IPs when possible for better flexibility.
    • Group related applications (ERP, HR, CRM) into application categories.
    • Combine with user/group-based access policies for tighter control.
    • Regularly review unused or outdated custom apps to avoid clutter.

     

    Conclusion

    Custom application control closes one of the most significant practical gaps between what enterprise security platforms recognize by default and what enterprise networks actually carry. For organizations running proprietary ERP systems, internally developed portals, legacy industry tools, or vertical-specific applications, the absence of custom application control means those applications operate outside the security policy framework — invisible to access controls, unprotected by threat prevention, unmonitored by DLP, and unmanaged by QoS.

     

    Cato's custom application control capability brings those applications fully into the security framework without additional appliances, complex network changes, or application modifications. Once defined, a custom application receives the same depth of policy management, threat inspection, DLP coverage, and usage visibility as any predefined application in the Cato catalog.

     

    For GCC and Africa enterprises where proprietary and industry-specific applications are particularly prevalent, this capability is not a niche feature — it is a foundational requirement for achieving the comprehensive visibility and consistent security posture that modern network environments demand.

     

    Book a free consultation with our experts and explore how to configure, monitor, and secure your internal apps with Cato. 

     

    Book Now

    Infographic on Cato’s Custom Application Control showing why it matters, how to define custom apps by IP, FQDN, and TLS, applying policies like access control, QoS, and threat prevention, plus monitoring, reporting, and best practices for GCC and Africa businesses.

    FAQs on Custom Application Control in Cato SASE 

    What types of identifiers can I use to define a custom application?

    You can define by FQDN, IP ranges, protocols, or port numbers. TLS SNI is also supported for encrypted traffic.

     

    Can custom applications be used in QoS rules?

    Yes. Once created, they can be prioritized or deprioritized like built-in apps.
     

    How does custom application control work with threat prevention policies?

    All defined apps are subject to IPS, DNS, and Anti-Malware rules. For example, if a custom app connects to a malicious domain, DNS protection will still block it.
     

    What’s the difference between custom applications and categories?

    Applications are individual definitions, while categories allow grouping multiple apps together for policy enforcement.
     

    Can DLP policies apply to custom applications?

    Yes. Cato’s DLP engine can monitor and control sensitive data transfer in both standard and custom applications.

    Cato Networks Custom Application Control: Configuration and Policy

    About The Author

    Anas Abdu Rauf

    Anas is an Expert in Network and Security Infrastructure, With over seven years of industry experience, holding certifications Including CCIE- Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.

    TRY OUR PRODUCTS

    Like This Story?

    Share it with friends!

    Subscribe to our newsletter!

    FishOSCato SASEVembuXcitiumZeta HRMSAtera
    Isometric illustration of a centralized performance platform connected to analytics dashboards and team members, representing goal alignment, measurable outcomes, risk visibility, and strategic project tracking within ClickUp.

    How ClickUp Enables Outcome-Based Project Management (Not Just Task Tracking)

    🕓 February 15, 2026

    Isometric illustration of a centralized executive dashboard platform connected to analytics panels, performance charts, security indicators, and strategic milestones, representing real-time business visibility and decision control within ClickUp.

    Executive Visibility in ClickUp – How CXOs Gain Real-Time Control Without Micromanaging

    🕓 February 13, 2026

    Cato SASE Architecture

    Inside Cato’s SASE Architecture: A Blueprint for Modern Security

    🕓 January 26, 2025

    Workflow Automation(8)

    Workforce Automation(1)

    AI Project Management(1)

    HR Data Automation(1)

    RMM(2)

    IT Workflow Automation(1)

    GCC compliance(4)

    IT security(2)

    Payroll Integration(2)

    IT support automation(3)

    procurement automation(1)

    lost device management(1)

    IT Management(5)

    IoT Security(3)

    Cato XOps(1)

    IT compliance(5)

    Task Automation(1)

    Workflow Management(1)

    OpenStack automation(1)

    Kubernetes lifecycle management(2)

    AI-powered cloud ops(1)

    SMB Security(8)

    Data Security(1)

    MDR (Managed Detection & Response)(3)

    MSP Automation(3)

    Atera Integrations(2)

    XDR Security(2)

    Threat Detection & Response(1)

    Ransomware Defense(3)

    SMB Cyber Protection(1)

    HR Tech Solutions(1)

    Zero Trust Network Access(3)

    Quantum Threat UAE & GCC(1)

    Post-Quantum Cryptography(1)

    Quantum Security(1)

    Zero Trust Security(2)

    Cloud IDE Security(1)

    Endpoint Management(1)

    SaaS Security(2)

    Payroll Automation(5)

    IT Monitoring(2)

    Xcitium EDR SOC(15)

    Ransomware Protection GCC(1)

    Network Consolidation UAE(1)

    M&A IT Integration(1)

    MSSP for SMBs(1)

    Managed EDR FSD-Tech(1)

    FSD-Tech MSSP(25)

    Ransomware Protection(3)

    Antivirus vs EDR(1)

    SMB Cybersecurity GCC(1)

    Endpoint Security(1)

    Cybersecurity GCC(15)

    Data Breach Costs(1)

    Endpoint Protection(1)

    SMB Cybersecurity(8)

    Managed Security Services(2)

    Xcitium EDR(30)

    Zero Dwell Containment(31)

    Hybrid Backup(1)

    Cloud Backup(1)

    Backup & Recovery(1)

    pointguard ai(4)

    vembu(9)

    SMB data protection(9)

    disaster recovery myths(1)

    backup myths(1)

    Disaster Recovery(4)

    Vembu BDR Suite(19)

    DataProtection(1)

    GCCBusiness(1)

    Secure Access Service Edge(4)

    GCC IT Solutions(1)

    Unified Network Management(1)

    GCC HR software(20)

    open banking(1)

    CC compliance(1)

    financial cybersecurity(2)

    Miradore EMM(15)

    Government Security(1)

    Cato SASE(9)

    Cloud Security(9)

    GCC Education(1)

    Hybrid Learning(1)

    Talent Development(1)

    AI Governance(4)

    AI Compliance(2)

    AI Security(2)

    AI Cybersecurity(13)

    AI Risk Management(1)

    Secure Remote Access(1)

    GCC business security(1)

    GCC network integration(1)

    compliance automation(5)

    education security(1)

    GCC cybersecurity(3)

    BYOD security Dubai(8)

    App management UAE(1)

    Miradore EMM Premium+(5)

    MiddleEast(1)

    share your thoughts

    Isometric diagram showing Cato SASE troubleshooting workflow where device inventory, DHCP mapping, posture validation, and firewall event logs are analyzed to diagnose device-based rule enforcement issues.

    Troubleshooting Device-Based Firewall Rules in Cato SASE

    🕓 March 13, 2026

    Isometric diagram showing Cato SASE device inventory analyzing network traffic, DHCP data, and device attributes to support WAN and Internet firewall enforcement and device-aware security policies.

    Understanding Device Identification Limitations in Cato Device Inventory

    🕓 March 8, 2026

    Isometric diagram showing Cato SASE cloud analyzing network traffic, DHCP data, and MAC address fingerprints to identify devices and enable accurate device-based firewall enforcement.

    Why DHCP Configuration Matters for Device-Based Firewall Enforcement in Cato SASE

    🕓 March 7, 2026

    Decoded(172)

    Cyber Security(128)

    BCP / DR(22)

    Zeta HRMS(78)

    SASE(21)

    Automation(78)

    Next Gen IT-Infra(128)

    Monitoring & Management(80)

    ITSM(22)

    HRMS(21)

    Automation(24)