Configuring Custom Application Control in Cato

Introduction

Organizations often operate applications that aren't included in default application catalogs—such as proprietary business apps, internally hosted services, or industry-specific tools. To address this, Cato SASE supports custom application control, enabling IT and security teams to define, identify, and apply granular policies to applications critical to their business.
 

This blog explains how to configure custom applications in Cato, enforce access policies, monitor their usage, and integrate controls with broader security measures like threat prevention and data loss prevention (DLP).

Key Takeaways

• What custom application control is and why it’s important
• Steps to create and define custom applications in Cato
• How to apply policies such as allow, block, prioritize, or restrict
• Monitoring and reporting on custom app traffic
• Practical use cases like controlling internal ERP or HR systems

Why Custom Application Control Matters

While Cato provides a comprehensive library of applications (cloud, SaaS, collaboration, productivity), enterprises often have unique needs:

• Proprietary ERP systems running internally
• Custom APIs or portals developed in-house
• Legacy applications tied to manufacturing or construction systems
• Vertical-specific apps (finance, healthcare, engineering)

Without the ability to define these apps, visibility is lost, and policies cannot be enforced. Custom application control solves this gap.

Creating a Custom Application in Cato

Custom applications can be defined based on multiple identifiers, including:

• IP ranges or subnets
• Fully Qualified Domain Names (FQDNs)
• Protocols and ports
• TLS Server Name Indication (SNI)

Steps to configure:

1. Navigate to Security > Applications > Custom Applications.
2. Click Add New Application.
3. Provide a descriptive name (e.g., Internal ERP System).
4. Define the identification parameters (FQDN, IP, or port/protocol).
5. Save the application and verify it appears in the catalog.

Note: Custom applications are descendants of matching predefined applications. The first matching firewall or network rule is applied to the custom or predefined application. If you want to apply the rule action for a specific application, make sure that this rule is placed above any other rule that contains matching predefined applications. 

Applying Policies to Custom Applications

Once created, custom applications can be managed like any other app in Cato’s platform:

• Access Control – Allow, block, or restrict by user/group/site.
• Quality of Service (QoS) Prioritization – Assign high/medium/low priority to ensure business-critical apps (like ERP) are not impacted by bandwidth-heavy apps (like streaming).
• Threat Prevention Integration – Intrusion Prevention System (IPS), Anti-Malware, and DNS Security rules also apply to custom applications.
• Data Loss Prevention (DLP) Enforcement – DLP policies can monitor and control sensitive data transfer in both standard and custom applications.

Note: Although Cato Networks continuously updates its predefined application and service list, in some cases, you may not find a commonly-used application/service for which you are searching. If this occurs, please open a support ticket so that Cato adds the application/service to the predefined list. While you are waiting for the predefined application, you can create the specific application/service as a custom application as a workaround until it is available in the Cato Management Application. 

Monitoring and Reporting on Custom Apps

Administrators can track how custom applications are used via:

• Events > Application Events – See sessions, blocked attempts, and user activity.
• Analytics > Application Analytics – Monitor bandwidth consumption and user trends.
• QoS Reports – Validate if prioritization rules are working correctly.

Note: The App Analytics page includes data for blocked apps. This is because the Point of Presence (PoP) allows the client device trying to access the app to send multiple packets to the PoP, so it can identify the app and apply the block rule. This request and response traffic between the client device and PoP is included in App Analytics data. 

Real-World Use Case: Controlling an Internal ERP System

A construction company in the GCC region defined their custom ERP as a recognized app in Cato. With policies:

• ERP traffic was prioritized to guarantee stable performance.
• Access was restricted only to finance and project management teams.
• All ERP traffic was inspected under IPS and Anti-Malware for advanced threat prevention.

This provided full visibility, ensured compliance, and protected critical systems without deploying extra appliances.

Tips for Effective Custom Application Control

• Use FQDN over IPs when possible for better flexibility.
• Group related applications (ERP, HR, CRM) into application categories.
• Combine with user/group-based access policies for tighter control.
• Regularly review unused or outdated custom apps to avoid clutter.

Book a free consultation with our experts and explore how to configure, monitor, and secure your internal apps with Cato. Book Now

FAQ 

What types of identifiers can I use to define a custom application?

You can define by FQDN, IP ranges, protocols, or port numbers. TLS SNI is also supported for encrypted traffic.

Can custom applications be used in QoS rules?

Yes. Once created, they can be prioritized or deprioritized like built-in apps.
 

How does custom application control work with threat prevention policies?

All defined apps are subject to IPS, DNS, and Anti-Malware rules. For example, if a custom app connects to a malicious domain, DNS protection will still block it.
 

What’s the difference between custom applications and categories?

Applications are individual definitions, while categories allow grouping multiple apps together for policy enforcement.
 

Can DLP policies apply to custom applications?

Yes. Cato’s DLP engine can monitor and control sensitive data transfer in both standard and custom applications.