Unified Endpoint & Network Investigation: CrowdStrike and SentinelOne Stories in the Stories Workbench
🕓 September 12, 2025
Setting Up Sites in CMA – Socket vs. vSocket vs. Cloud-Only
Introduction
Site deployment is the backbone of any secure, global network strategy. In Cato’s SASE platform, setting up sites is a foundational task — whether you’re connecting a branch office, a cloud workload, or a virtual location within your data center. With the new CMA UI, site onboarding is not only streamlined but also built around deployment realities like bandwidth constraints, security posture, and failover readiness.
In this guide, we’ll break down how to set up different types of sites, clarify where to find each function in the CMA, and walk you through real-world tips that can save you hours of troubleshooting.
Key Takeaways
- Understand the differences between Socket, vSocket, and Cloud-only sites
- Learn where to configure these sites in the CMA (Network > Sites)
- Review deployment scenarios and tips for each site type
- Explore options for resilience, DNS settings, and PoP assignment
- Get field-ready with testing, monitoring, and go-live validation tips
Where to Start: Navigating to Site Setup
Log into the CMA, then go to:
Network > Sites > Add Site
From there, you can choose between: - Socket Site: For hardware-based site connections using a Cato Socket - vSocket Site: For virtualized environments using supported hypervisors - Cloud-Only Site: For connecting cloud-native environments without any appliance
Socket Sites – Physical, Reliable, and Resilient
When to Use
Use a Socket site when deploying to: - Branch offices with stable WAN access - HQs needing high-throughput connections - Locations requiring dual-WAN redundancy
Configuration Highlights
- Socket Serial Number: Required to pair physical hardware
- PoP Assignment: Manually or automatically select based on geography
- WAN Settings: Configure primary and secondary links
- Local DHCP / DNS: Adjust to integrate with existing LAN settings
Admin Tip
If your location has an existing router/firewall, place the Cato Socket in bridge mode to avoid NAT conflicts.
vSocket Sites – Virtual Flexibility
When to Use
Use a vSocket for: - Data centers - Virtual labs and SDN test environments - Edge locations without space for physical hardware
Configuration Highlights
- Hypervisor Support: KVM, VMware, and others
- License Allocation: vSockets consume site licenses just like physical sockets
- Boot File Generation: Download the config to install in your virtual host
Real-World Tip
Always validate time sync (NTP) in your hypervisor or vSocket may fail to authenticate with Cato.
Cloud-Only Sites – Cloud-Native Simplicity
When to Use
Go Cloud-only if you need to connect: - SaaS environments like Microsoft 365 or Salesforce - Cloud-hosted apps in AWS, Azure, or GCP - Remote infrastructure you don’t control physically
Configuration Highlights
- No hardware or VM required
- Route-based tunneling setup via standard IPsec
- Custom DNS and subnet tagging for app-level visibility
Best Practice
Use Cloud-only sites with Cato’s CASB and FWaaS capabilities for more granular security at the data layer.
Field-Tested Workflow: Deploying a Site in Minutes
Let’s walk through a hybrid deployment:
- Go to Network > Sites > Add Site
- Select Socket, enter the serial number, assign PoPs
- Set primary/secondary WAN settings (e.g. MPLS + LTE failover)
- Configure LAN, DHCP, and DNS
- Verify connectivity in Site Overview
- Test routing in Network > Tools > Ping/Traceroute
- Apply firewall policies in Security > Internet Firewall
Within 30–60 minutes, the site should be production-ready.
Next Steps
After setup, go to Home > Experience Monitoring to confirm app performance and site latency. Schedule a bandwidth test or simulate failover using the Network > Tools suite to validate your deployment under real load conditions.
FAQ Summary
Can I use a vSocket for cloud-only environments?
No. vSocket requires a virtual host. Use Cloud-only sites for SaaS or IPsec-based cloud apps.
Is it possible to change site type after creation?
No. You’ll need to delete and recreate the site with the correct type.
How are PoPs assigned?
Cato auto-assigns based on latency, or you can override manually.
Can I use static IPs instead of DHCP?
Yes. Under WAN settings, select manual configuration.
Does Cato support high-availability (HA) at sites?
Yes. Configure dual Socket deployment for failover scenarios.
About The Author
Anas Abdu Rauf
Anas is an Expert in Network and Security Infrastructure, With over seven years of industry experience, holding certifications Including CCIE- Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
share your thoughts