High Availability and Redundancy in Cato SASE

Unplanned outages and network failures can disrupt operations, damage productivity, and hurt business continuity. To be honest, most of us have felt that sinking feeling when the "internet is down" at a major branch. Cato SASE addresses these challenges by offering built-in High Availability (HA) and redundancy features across your sites, edges, and links. You don't need complex setups or third-party failover solutions.

The beauty of Cato lies in its simplicity. This blog explores how Cato supports seamless uptime through active-active tunnels, automatic failover, site-level HA, and cloud backbone resilience. Are you ready to stop worrying about the next fiber cut?

Redundancy in Cato

Cato’s architecture is designed with redundancy at multiple levels:

• PoP-level Redundancy – Each Cato PoP is fully redundant and connected to multiple Tier-1 ISPs
• Tunnel Redundancy – All SD-WAN tunnels are created in active-active mode by default
• Edge Device Redundancy – You can deploy multiple Cato Socket devices per site for hardware-level HA
• Link Redundancy – Sites can be connected via multiple internet connections (e.g., fiber + LTE backup)

Get Started with Cato SASE

Redundant Internet Links

To prevent internet outages at branch or HQ sites:

1. Connect multiple WAN interfaces to the Cato Socket (e.g., WAN1 and WAN2)
2. Navigate to Site Configuration > Sockets > Interfaces
3. Assign primary and secondary priorities to WAN links
4. Enable Smart Link Selection, which uses real-time health data for tunnel routing

When a link degrades, traffic is shifted seamlessly to the healthier path without user disruption.
 

Also Read: Simplifying IT Operations with Cato SASE: Reducing Complexity and Enhancing Performance

Understanding Link Health and Tunnel Probes

Cato uses continuous tunnel health monitoring to assess each link’s quality. Probes are sent every few seconds to measure:

• Packet Loss – How many packets are dropped en route to a PoP
• Jitter – Variation in delay affecting real-time traffic (e.g., VoIP)
• Latency – Round-trip time between the site and Cato PoP
   

These metrics are visible in:

• Monitoring > Site Overview
• Analytics > Network Analytics > Link Metrics
   

Cato automatically routes critical traffic over the healthier path based on this telemetry, ensuring the best user experience at any moment.

Experience Monitoring with Last-Mile Visibility

Cato also offers End-to-End Experience Monitoring, particularly useful for identifying issues in the local ISP (last mile). Using synthetic probes and performance baselines, you can:

• Detect if issues originate from user LAN, internet circuit, or PoP
• Measure user experience consistency during off-hours and peak loads
• Correlate app performance issues to tunnel health metrics
   

This allows IT teams to validate SLA compliance and hold ISPs accountable during performance degradation.
 

Deploying HA with Dual Cato Sockets

For critical sites, Cato supports High Availability using two Sockets in Active/Standby mode:

• Both Sockets are connected to the LAN and WAN
• Only the active device forwards traffic; the standby takes over during hardware or power failure
• Failover is automatic and occurs within seconds
   

Steps:

1. Deploy two Sockets in the same site configuration
2. Under Site > High Availability, pair the Sockets as primary and secondary
3. Connect them to separate power and network sources for full fault isolation

Also Read: Preventing Insider Threats and Unauthorized Access with Cato SASE’s Context-Aware Security

Real-World Use Case: HA at Regional HQ

A regional headquarters in the GCC has two internet links and redundant Sockets:

• Link 1: Dedicated fiber
• Link 2: 5G LTE
• Socket A (Primary) and Socket B (Secondary)

During a power event, Socket A went offline. Socket B seamlessly took over, and Smart Link Selection routed voice traffic over the LTE backup while prioritizing ERP access.

Business operations continued without any downtime or end-user impact.

Monitoring and Verifying Redundancy Events

You can monitor the health and performance of HA setups using:

• Monitoring > Site Overview – See link health and tunnel status
• Events > System Events – Track failovers, device status, and PoP changes
• Analytics > Network Analytics – Compare performance between WAN links over time

Tips for Effective HA Planning

• Always connect Sockets to different power circuits or UPS systems
• Use diverse ISPs (e.g., fiber + wireless) for internet resilience
• Enable logging for all tunnel and interface events
• Regularly test failover by simulating edge/power disconnections
• Review Cato’s HA documentation before rollout
   

FAQ Summary

Can I use HA without dual Sockets?

Yes. You can still achieve link-level redundancy with a single Socket and multiple WAN links.
 

Is HA available at all sites?

Yes, for any site with supported hardware and licensing.
 

How fast is failover between Sockets?

Typically occurs within seconds and does not require manual intervention.
 

Can I prioritize which link to failover to?

Yes. You can set link priorities and policies via Smart Link Selection.
 

Is HA supported in mobile clients?

No. HA is designed for site-level deployments, not individual client devices.
 

High Availability and redundancy aren’t just checkboxes—they’re critical for keeping your business online and your users productive. With Cato, you get these capabilities natively, and setting them up is easier than ever.

Conclusion

High Availability and redundancy aren’t just checkboxes—they’re critical for keeping your business online. With Cato, you get these capabilities natively, making setup easier than ever. We believe in empowering IT teams with tools that just work, so you can focus on growth rather than troubleshooting.

Click Here To Know More