Unified Endpoint & Network Investigation: CrowdStrike and SentinelOne Stories in the Stories Workbench
🕓 September 12, 2025
Enabling Threat Prevention in Cato – IPS, Anti-Malware, and TLS Inspection
Introduction
Threats to your network are no longer limited to known malware or signature-based exploits. Modern enterprises need dynamic protection that works in real time, at cloud scale. Cato Networks delivers advanced threat prevention capabilities—Intrusion Prevention System (IPS), Anti-Malware, and TLS Inspection—all managed through a unified cloud-native architecture.
This blog shows how to enable and configure these security services in the latest Cato Management Application (CMA) and what to expect in terms of operational behavior.
What You’ll Learn
- How to activate IPS and Anti-Malware features
- Where to enable TLS inspection for encrypted traffic scanning
- Viewing blocked threats and audit logs
- What traffic is inspected and how it affects performance
- Tips for gradually rolling out inspection features across sites
Enabling Intrusion Prevention System (IPS)
Cato’s IPS engine runs at the network layer and is powered by both signature-based and behavioral detection.
To enable IPS:
- Go to Security > Threat Protection > IPS
- Toggle Enable IPS for the global policy or per-site level
- Optionally, enable Alert Only mode for testing (logs without blocking)
You can also review threat severity and categories detected historically.
Enabling Anti-Malware Protection
Cato’s Anti-Malware engine inspects downloaded files and executables in real time. It uses both known threat signatures and zero-day detection via machine learning models.
Steps to enable:
- Navigate to Security > Threat Protection > Anti-Malware
- Toggle Enable Anti-Malware
- Set action preferences: Block, Alert, or Allow with logging
- Apply globally or per-site
Anti-Malware logs are viewable under Monitoring > Security Events.
TLS Inspection: Deep Packet Visibility for Encrypted Traffic
TLS (SSL) Inspection allows Cato to decrypt and inspect HTTPS traffic to detect threats hidden inside encrypted sessions.
To enable TLS Inspection:
- Go to Security > Threat Protection > TLS Inspection
- Toggle Enable TLS Inspection
- Upload your organization’s internal root certificate for endpoint trust
- Select enforcement per rule or category (e.g., decrypt only specific app types)
⚠️ TLS inspection introduces overhead and may impact latency. It’s recommended to roll out in stages.
Monitoring Blocked Threats and Logs
After enabling threat prevention, you can monitor detections under:
- Monitoring > Security Events: IPS/Anti-Malware logs
- Analytics > Threat Dashboard: Aggregated threat categories, trends, and sources
- Monitoring > Audit Trail: Admin changes to policies
Use filters to sort events by source IP, severity, or blocked signature.
Real-World Use Case
An enterprise with distributed branch offices started seeing spikes in CPU usage at multiple endpoints. After enabling TLS inspection and Anti-Malware selectively on file-sharing categories, they discovered embedded ransomware downloads in seemingly harmless zip files.
Using Cato’s logs, the IT team quickly isolated affected endpoints and blocked the application category globally.
Best Practices for Rollout
- Start with Alert-Only Mode: Evaluate IPS/Anti-Malware impact before enforcement
- Whitelist business apps: Avoid false positives with trusted applications
- Use categories: Apply TLS inspection only to high-risk categories initially
- Test root certificate deployment: Validate browser and app compatibility
- Monitor logs daily: Especially in the first 7 days post-deployment
FAQ Summary
Does TLS inspection affect all sites globally?
No. You can scope TLS policies per site or category.
Can users bypass TLS inspection?
Only if you exclude their subnet or device identity from policies.
What happens if a user’s browser doesn’t trust the inspection certificate?
They’ll receive HTTPS warnings. Ensure your root cert is deployed via GPO or MDM.
Are these threat prevention features licensed separately?
They’re included in most standard Cato SASE subscriptions, but confirm with your sales rep.
Can I integrate logs with SIEM platforms?
Yes. Cato supports log forwarding via Syslog and REST API.
About The Author
Anas Abdu Rauf
Anas is an Expert in Network and Security Infrastructure, With over seven years of industry experience, holding certifications Including CCIE- Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
share your thoughts