FSD-Motors

    WAN Recovery Tunnel Status in Cato SASE: Readiness You Can See

    Anas Abdu Rauf
    September 30, 2025

    Introduction

    When a PoP or middle-mile path is unavailable, maintaining site-to-site traffic is critical. Cato’s recent update introduces WAN Recovery Tunnel Status in the Cato Management Application (CMA). This enhancement provides at-a-glance visibility into which sites and interfaces are prepared for off-cloud recovery, helping operators validate readiness proactively—before an outage impacts business.

     

    What the Update Adds

    Cato now displays tunnel readiness states—fully ready, partially ready, or not ready—at both the site and WAN interface levels. This information is visible from multiple CMA views and exposed via API for integration with monitoring or ticketing systems.

    • CMA views: Topology, Sites, and Site Configuration → Socket
    • API: wanRecoveryStatus parameter in the accountsnapshot API

    This update transforms WAN Recovery from a behind-the-scenes capability into an operationally measurable and testable part of the SASE fabric.

     

    Understanding WAN Recovery

    WAN Recovery maintains site-to-site connectivity when a site loses access to the Cato Cloud. Sockets establish direct DTLS tunnels over the Internet, preserving traffic flows during rare events like PoP unavailability.

    • Default behavior: Enabled on all Socket sites (except in China)
    • Topology options: Full mesh by default; hub-and-spoke recommended at scale
    • Recovery caveat: Traffic bypasses the Cato Cloud—PoP-based services (firewall, threat prevention, NAT, QoS, etc.) are not applied until recovery ends

    The new Tunnel Status feature builds on this foundation by giving admins a clear readiness signal for each site and interface.

     

    Where to See Tunnel Status in the CMA

    Topology View

    Displays readiness for all sites in context, making it easy to spot issues at a glance.

    Sites View

    Provides an inventory-style list where readiness can be sorted and filtered, useful for proactive audits.

    Site Configuration → Socket

    Offers the most granular visibility, showing readiness at both the site level and individual WAN interfaces.

    Historically, admins used the Off-Cloud Status indicator in site configuration to check if links were enabled for recovery. The new feature extends that visibility and standardizes it across multiple views.

     

    Operational Benefits

    Proactive Validation

    Instead of waiting for a failure, admins can confirm readiness during normal operations. Gaps can be fixed ahead of maintenance windows or ISP escalations.

    Faster Troubleshooting

    If a site enters recovery, operators already know which interfaces were marked ready. This narrows root cause analysis and avoids false alarms when sites appear “disconnected” in CMA during recovery.

    Automation via API

    The wanRecoveryStatus parameter allows integration with ITSM or NOC dashboards. Non-ready states can trigger tickets or alerts automatically, embedding recovery checks into broader operational workflows.
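    A sketch of such a readiness sweep, added here as an example and not taken from Cato's documentation or code. Only the field name wanRecoveryStatus comes from the article; the JSON nesting, the enum spellings, the site names and the hub_sites parameter are assumptions made for illustration.

```python
import json

# Constructed sample. The nesting and the enum spellings are assumptions;
# only the field name wanRecoveryStatus comes from the article.
SAMPLE_SNAPSHOT = json.loads("""
{"sites": [
 {"name": "HQ-Hub", "wanRecoveryStatus": "PARTIALLY_READY", "interfaces": [
   {"name": "WAN1", "wanRecoveryStatus": "FULLY_READY"},
   {"name": "WAN2", "wanRecoveryStatus": "NOT_READY"}]},
 {"name": "Branch-A", "wanRecoveryStatus": "FULLY_READY", "interfaces": [
   {"name": "WAN1", "wanRecoveryStatus": "FULLY_READY"}]},
 {"name": "Branch-B", "wanRecoveryStatus": "NOT_READY", "interfaces": [
   {"name": "WAN1", "wanRecoveryStatus": "NOT_READY"}]},
 {"name": "Branch-C", "wanRecoveryStatus": "PARTIALLY_READY", "interfaces": [
   {"name": "WAN1", "wanRecoveryStatus": "FULLY_READY"},
   {"name": "LTE", "wanRecoveryStatus": "NOT_READY"}]},
 {"name": "Branch-D", "interfaces": []}
]}
""")

SEVERITY = {"FULLY_READY": None, "PARTIALLY_READY": "warning", "NOT_READY": "critical"}

def readiness_findings(snapshot, hub_sites=frozenset()):
    """Return one ticket-ready finding per site that is not fully ready."""
    findings = []
    for site in snapshot.get("sites", []):
        status = site.get("wanRecoveryStatus", "MISSING")
        # Fail closed: a missing or unrecognised state is treated as critical.
        severity = SEVERITY.get(status, "critical")
        if severity is None:
            continue
        if site["name"] in hub_sites:
            severity = "critical"  # spokes depend on the hub's tunnels
        findings.append({
            "site": site["name"],
            "status": status,
            "severity": severity,
            "interfaces": [i["name"] for i in site.get("interfaces", [])
                           if i.get("wanRecoveryStatus") != "FULLY_READY"],
        })
    # Critical findings first, then alphabetical, so the queue is stable.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["site"]))

if __name__ == "__main__":
    for f in readiness_findings(SAMPLE_SNAPSHOT, hub_sites={"HQ-Hub"}):
        print(f["severity"].upper(), f["site"], f["status"], f["interfaces"])
```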

     

    Practical Scenarios

    Readiness Sweep Before Maintenance

    Filter the Sites view for not ready states, drill down into the interface, and resolve misconfigurations before planned downtime.

    Hub-and-Spoke Deployments

    For large environments, hub-and-spoke topology reduces tunnel scale. Tunnel Status confirms that hub interfaces—the lifelines for spokes—are fully prepared.

    Event-Driven Monitoring

    Combine readiness with WAN Recovery events (Activated/Stopped) to create complete incident timelines, aligning visibility with recovery outcomes.

     

    Advantages at a Glance

    • Clear states: fully ready, partially ready, not ready
    • Multi-view visibility in Topology, Sites, and Socket configuration
    • API integration for monitoring and ticketing workflows
    • Proactive resiliency: readiness can be validated before incidents
    • Topology-aware: aligns with hub-and-spoke design guidance at scale

     

    Operational Notes and Limitations

    • False packet loss reports: In low-throughput conditions, CMA may incorrectly show ~4–5% packet loss; confirm with packet captures before escalating.
    • Hardware caveats: Certain Socket models require attention to add-on card configurations when upgrading.
    • Limited CMA visibility during recovery: Sites in off-cloud mode may appear disconnected, even while passing traffic. Use Socket WebUI for monitoring.
    • No PoP-based services: Security, QoS, NAT, and DHCP relay do not apply during WAN Recovery; plan compensating controls if critical traffic must flow.
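    Because PoP-based security services are not applied while a site is in recovery, the Activated/Stopped events mentioned under Event-Driven Monitoring can be paired into windows during which traffic was not inspected. The following is an added example, not Cato's code; the event tuple layout, timestamps and site names are constructed, and only the event names Activated and Stopped come from the article.

```python
from datetime import datetime

# Constructed events as (ISO timestamp, site, event). Only the event names
# "Activated" and "Stopped" come from the article; the tuple layout is assumed.
SAMPLE_EVENTS = [
    ("2025-09-30T10:00:00", "Branch-B", "Activated"),
    ("2025-09-30T10:05:00", "HQ-Hub", "Activated"),
    ("2025-09-30T10:42:00", "Branch-B", "Stopped"),
    ("2025-09-30T10:50:00", "Branch-B", "Stopped"),    # stray stop, no open window
    ("2025-09-30T11:10:00", "HQ-Hub", "Stopped"),
    ("2025-09-30T11:30:00", "Branch-B", "Activated"),  # still in recovery
]

def _minutes(start, end):
    return int((end - start).total_seconds() // 60)

def recovery_windows(events, now):
    """Pair Activated/Stopped events per site into off-cloud windows."""
    open_since, windows = {}, []
    for ts, site, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "Activated":
            open_since.setdefault(site, when)  # repeated Activated keeps first start
        elif kind == "Stopped" and site in open_since:
            start = open_since.pop(site)
            windows.append({"site": site, "start": start, "end": when,
                            "minutes": _minutes(start, when), "ongoing": False})
    # A site with no Stopped event is still bypassing PoP inspection.
    for site, start in open_since.items():
        windows.append({"site": site, "start": start, "end": None,
                        "minutes": _minutes(start, now), "ongoing": True})
    return sorted(windows, key=lambda w: (w["start"], w["site"]))

def bypass_minutes_by_site(windows):
    """Total minutes per site during which PoP-based services were not applied."""
    totals = {}
    for w in windows:
        totals[w["site"]] = totals.get(w["site"], 0) + w["minutes"]
    return totals

if __name__ == "__main__":
    now = datetime(2025, 9, 30, 12, 0)
    for w in recovery_windows(SAMPLE_EVENTS, now):
        print(w["site"], w["start"], w["end"] or "ongoing", w["minutes"], "min")
```

    The resulting windows mark the time ranges where local logs and any compensating controls are the only record of what crossed the WAN.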

     

    Strategic Impact

    This feature elevates WAN Recovery from a hidden safety net to a governed, testable capability. Readiness becomes part of routine audits, change workflows, and compliance reporting. By exposing recovery posture in the CMA and API, Cato enables SRE-style health checks and operational assurance aligned with zero-trust and resiliency goals.

     

    Ready to put WAN Recovery visibility into action? Schedule a free consultation with our experts today and see how Cato SASE can deliver proactive readiness, zero-trust alignment, and operational assurance for your enterprise.


    FAQs

    Where can I view the WAN Recovery Tunnel Status in the Cato SASE platform?

    In the Cato SASE Management Application (CMA), WAN Recovery Tunnel Status is visible in Topology, Sites, and Site Configuration → Socket. The feature shows readiness at both the site and interface levels.

     

    What do the WAN Recovery Tunnel Status readiness states mean in Cato SASE?

    Cato SASE displays sites and interfaces as fully ready, partially ready, or not ready for WAN Recovery. These states help IT teams identify which Cato Socket links are prepared for off-cloud resiliency.


    How is the new Cato WAN Recovery Tunnel Status different from the older “Off-Cloud Status”?

    In Cato SASE, Off-Cloud Status indicates if links are enabled for recovery. The newer WAN Recovery Tunnel Status provides enhanced visibility across CMA views and adds granular readiness states for each Cato Socket interface.

     

    Can WAN Recovery Tunnel Status in Cato SASE be integrated into external monitoring tools?

    Yes. Cato SASE exposes tunnel readiness through the wanRecoveryStatus field in the accountsnapshot API. This allows IT teams to integrate Cato WAN Recovery data into dashboards, ticketing systems, or compliance workflows.

     

    Why might a Cato site look disconnected in the CMA during WAN Recovery?

    When a site enters WAN Recovery, traffic bypasses the Cato Cloud PoP. As a result, the Cato SASE CMA may show the site as disconnected, even though the Cato Socket is passing traffic through off-cloud tunnels.

     

    What topology does Cato recommend for large-scale WAN Recovery deployments?

    For large Cato SASE environments, Cato recommends a hub-and-spoke WAN Recovery topology to reduce tunnel counts and probe overhead. Tunnel Status can then confirm that hub Cato Sockets are fully ready to support spoke sites.

     

    Are there any known issues with Cato WAN Recovery Tunnel Status?

    Yes. In Cato SASE, the CMA may misreport low-throughput links with ~4–5% packet loss. Also, certain hardware configurations on Cato Sockets may need special handling during upgrades. Always review the official Cato release notes before deployment.

     

    Do Cato SASE PoP-based services still apply when a site is in WAN Recovery?

    No. During WAN Recovery, traffic bypasses the Cato Cloud, and PoP-based services—including Cato Internet Firewall, Threat Prevention, NAT, and QoS—do not apply until normal connectivity is restored.

    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
