This document outlines how to configure your ZScaler environment to work with Cato's forward proxy solution to ensure that traffic from desktop AI applications is routed from ZScaler through Cato Networks.
Deployment
Configuration Overview
Install Cato Networks’ root CA on Zscaler to allow Cato Networks to intercept and decrypt SSL sessions.
Create a proxy object and gateway configured with Cato Networks’ forward proxy as the destination.
Configure SSL Inspection.
Configure forwarding rules to route traffic to Cato Networks’ forward proxy.
This document provides guidance for configuring Zscaler to work with Cato Networks certificates, used to intercept AI interactions.
Step 1: Install the Cato Networks Certificate in Zscaler
In the CMA, navigate to Security > Certificate Management.
Under the Actions column, click the 3 dots and select Download PEM.
In ZScaler, navigate to Infrastructure > Internet & SaaS > Network Policies > Forwarding Control > Root Certificates.
Click Add Root Certificates.
In the Add Root Certificates window, configure the following:
Name: Cato Networks Forward Proxy CA
Type: Select Proxy Chaining from the drop-down menu.
Content: Browse and select the downloaded root certificate,
ca.pem.
Step 2: Configure the Proxy Object and Gateway
Create a Proxy
Navigate to Infrastructure > Internet & SaaS > Network Policies > Forwarding Control > Proxies & Gateways.
Select the Proxies tab.
Click Add Proxy.
In the Add Proxy window, enter the details based on the Forward Proxy page in CMA:
Proxy Name: Cato Networks Forward Proxy
IP/FQDN: Enter the value from CMA
Port: Enter the value from CMA
Root Certificate: Select the Cato Networks certificate added in Step 1.
Insert X-Authenticated-User: Enable
Enable Base64 Encoding for X-Authenticated-User Value: Enable
Click Save and activate the change.
Configure a Proxy Gateway
Navigate to Infrastructure > Internet & SaaS > Network Policies > Forwarding Control > Proxies & Gateways.
Select the Proxy Gateways tab.
Click Add Gateway for Proxies.
Enter the following information:
Gateway Name: Cato Networks Gateway
Fail Close: Configure according to your policy requirements
Primary Proxy: Select the Cato Networks proxy.
Click Save and activate the change.
Step 3: Configure SSL Inspection
Go to Infrastructure > Common Configuration > SSL/TLS Inspection > SSL/TLS Inspection Policy.
Create a new SSL Inspection policy with the following settings:
Rule Name: Cato Networks SSL Inspection
Users / Groups: Optional
Forwarding Gateways: Cato Networks Gateway
Action: Inspect
Override Default Intermediate CA Certificate: No
Enable HTTP/2: Yes
Click Save and activate the change.
Step 4: Configure the Forwarding Rules
Navigate to Infrastructure > Internet & SaaS > Network Policies > Forwarding Control > Forwarding Control Policy.
Click Add Forwarding Rule.
Under the Forwarding Rule section, configure the following attributes:
Rule Order: Depends on your current rules and requirements.
Rule Name: Cato Networks forwarding rule
Rule Status: Enable
Rule Label: Optional
Forwarding Method: Proxy Chaining
Under the Destination tab:
Create a URL category named Cato Networks Security AI Proxy URLs.
If you are unable to create the category, navigate to Infrastructure > Internet & SaaS > URL Categories and create the category there.Add the URLs listed below to the newly created URL category.
Set the destination to the Cato Networks Security AI Proxy URLs category.
AI Proxy URLs
www.perplexity.aichatgpt.comsubstrate.office.comcopilot.microsoft.comwww.copilot.comappsgenaiserver-pa.clients6.google.comgrok.comgrok.x.comgemini.google.comapi.anthropic.comclaude.aichat.mistral.aihome.atlassian.comchat.deepseek.com*.augloop.office.com*.augloop.svc.cloud.microsoft*.atlassian.net
From the Forward to Proxy Gateway drop-down menu, select the Cato Networks proxy gateway.
Click Save and activate the change.