This article explains how you configure the Cato Browser Extension. You can read more about the Cato Browser Extension here.
Prerequisites
The Browser Extension has the following prerequisites:
You must enable TLS Inspection for the Browser Extension to function properly
End users can download the relevant certificate directly from the Browser Extension home page

A ZTNA (SDP) license is assigned to the user
To generate events for the Browser Extension, you must have a Client Connectivity policy enabled
High-Level Overview of Configuring the Browser Extension
This section is a high-level overview of the process to configure the Browser Extension for your account. The first two steps are configured by the CMA admin, and the third step is completed by your users with unmanaged devices.
(Optional) For SSO authentication, enable SSO for the Cato Browser Extension.
Define the rules for the Browser Extension in the Client Connectivity Policy to determine which users are allowed to connect via the extension.
Enable the Browser Extension.
Install the Browser Extension on the unmanaged devices.
Step 1 (Optional): Enable SSO for the Cato Browser Extension
If you want to use SSO to manage authentication for the browser extension, you must first enable the option in the CMA.
.png?sv=2026-02-06&spr=https&st=2026-07-19T13%3A37%3A33Z&se=2026-07-19T13%3A51%3A33Z&sr=c&sp=r&sig=hLV%2BgwbLgMkoiEIzlKg2brDsUlfVGoNmmvOfG8P2zzQ%3D)
To enable SSO for the Cato Browser Extension:
Navigate to Access > Single Sign-On.
Under Browser Extension Users, select Allow login with Single Sign-On.
Select the cookie type and for how long it's valid.
Click Save.
Ensure that the following URI is listed in your SSO vendor for traffic redirecting:
https://sso.proxy.catonetworks.com/auth_resultsFor more information, refer to the SSO documentation for your vendor.
Step 2: Create a Rule in the Client Connectivity Policy
To ensure that only authorized users connect via the Browser Extension, create a rule in the Client Connectivity Policy. For example, create a User Group for all contractors and apply the rule to the contractor User Group.
.png?sv=2026-02-06&spr=https&st=2026-07-19T13%3A37%3A33Z&se=2026-07-19T13%3A51%3A33Z&sr=c&sp=r&sig=hLV%2BgwbLgMkoiEIzlKg2brDsUlfVGoNmmvOfG8P2zzQ%3D)
To create a rule to enable Browser Extension traffic:
Navigate to Access > Client Connectivity Policy.
Click New and follow these instructions.
Under Users/Groups, select only those users you want to enable to use the Browser Extension
Under Connection Origin, select Browser Extension
Under Action, select Allow Internet
Click Apply and then Save.
Below this rule, create an additional rule for all other groups who attempt to connect to the Cato Cloud using the Browser Extension and set the Action to Block.
Step 3: Enable the Browser Extension
You must enable the Browser Extension to let your users connect through it.
Enabling the Browser Extension
Navigate to Access > Browser Access Control.
Click the Browser Extension slider.
Click Save.
Defining the NAT IP Range for the Browser Extension
You can define the range of translated source IP addresses for the users who connect with the Browser Extension. For example, some applications use an Access Control List (ACL) to only allow connections from a specific IP range. We recommend that you define the NAT IP address range, and then enable the source NAT IP range for each of the relevant Browser Access applications.
Note:
If a source NAT IP range is configured for the Browser Applications Portal, the Enterprise Browser cannot use the same IP range
Set WAN based on the User identity, and not based on the SNAT range
.png?sv=2026-02-06&spr=https&st=2026-07-19T13%3A37%3A33Z&se=2026-07-19T13%3A51%3A33Z&sr=c&sp=r&sig=hLV%2BgwbLgMkoiEIzlKg2brDsUlfVGoNmmvOfG8P2zzQ%3D)
To define the NAT IP range for the Browser Extension:
Navigate to Access > Browser Access Control.
In the Enterprise Browser and Browser Extension section, enter the Source NAT IP Range.
Click Save.
Step 4: Install the Browser Extension
The Browser Extension can be installed on any device running a version of Chrome that supports extensions. For more information, see Understanding the User Experience.
Understanding the User Experience
When you enable the Browser Extension and define the Client Connectivity Policy, unmanaged devices will only be able to access the designated resources once they install the extension and connect to the network.
Once connected, they will be able to access the internal resources and the profile used to connect will comply with the policies defined in your organization.
Once the extension is installed, users must connect to pull the initial configuration settings.
To connect using the Browser Extension
Install the extension either via the Google Store or request it from your admin.
Click the Cato icon in Extensions and select Connect.
The first time users connect you will need to authenticate.
Enter your corporate email address
(Optional) Enter the sub-domain you're connecting to. This is only relevant for users who are registered on more than one corporate account.
Provide your username and password
Depending on the organizational policy, you might be required to configure MFA
Browser Extension Statuses
This section shows the different Browser Extension statuses and their descriptions
Status | Description |
|---|---|
| The extension is currently disconnected and you can't access company resources |
| The extension is currently authenticating and you don't yet have access to company resources |
| The extension is authenticated and you can now access company resources |
Known Limitations
Only HTTPS traffic is supported
WAN routing requires SNAT or the default gateway to be configured to enable routing traffic back to Cato
Local MFA is not supported
When the Client Connectivity Policy includes a rule that allows only Internet traffic for the Browser Extension, WAN traffic is also allowed. To block WAN traffic, the rule must also block Internet traffic
DEM network path analysis is not supported for Browser Extension traffic
If you receive the following dialog box, it can safely be ignored, and you should click Cancel in the dialog box
.png?sv=2026-02-06&spr=https&st=2026-07-19T13%3A37%3A33Z&se=2026-07-19T13%3A51%3A33Z&sr=c&sp=r&sig=hLV%2BgwbLgMkoiEIzlKg2brDsUlfVGoNmmvOfG8P2zzQ%3D)