NetNXT Logo

How to Fix Application Failures Caused by Cato TLS Inspection?

January 19, 2026
2 min read
ByNetNXT

The Problem

Cato’s TLS Inspection acts as a "Man-in-the-Middle" to scan encrypted traffic for malware. However, secure applications use Certificate Pinning they hardcode the expected server certificate inside the app. When they see Cato’s inspection certificate instead, they assume an attack is happening and drop the connection immediately.

Symptoms

  • Browsers work (because they trust the Cato Root CA), but installed apps fail.

  • "Unknown Error" or "Network Error" in apps like Postman, IntelliJ, or Spotify.

  • Cato Events log shows TLS Inspection: Decrypt Error or Handshake Failed.

The Solution: Granular TLS Bypass

You must bypass inspection for these specific destinations while keeping inspection active for everything else.

  1. Identify the Traffic:

    • Go to Monitoring > Events > Discovery.

    • Filter by the user IP and look for the specific Destination Domains triggering errors.

  2. Create a TLS Inspection Policy Rule:

    • Navigate to Security > TLS Inspection.

    • Click New Rule.

    • Order: Place this above your "Inspect All" rule.

    • Action: Bypass (Do not decrypt).

    • Destination:

      • Option A (Category): Select Finance, Healthcare, and Software/Technology (if broad bypass is acceptable).

      • Option B (App-Specific): Create a Custom App object for domains like *.whatsapp.net or *.dropbox.com.

  3. Validate:

    • Ask the user to restart the application (flush socket).

    • Verify the app connects.

Pro Tip: For developers using Python/Pip or Docker, you often need to manually add the Cato Root CA to the tool's specific trust store, as they ignore the Windows System Certificate Store.

FAQ

1) Why do applications fail when Cato TLS Inspection is enabled?

Applications using certificate pinning reject Cato’s inspection certificate, assuming a man-in-the-middle attack, which causes the TLS handshake to fail and the connection to drop.

2) Why do browsers work but installed applications fail with Cato TLS Inspection?

Browsers trust the Cato Root CA installed on the system, while many applications use their own certificate stores and enforce certificate pinning.

3) How do you identify traffic that needs TLS inspection bypass in Cato?

Use the Cato Events and Discovery logs to identify destination domains causing decrypt or handshake errors, then target those domains for bypass rules.

4) How do you safely bypass TLS inspection for specific applications?

Create a TLS Inspection rule with action set to Bypass for specific domains or applications, and place it above the global inspection rule to limit scope.

5) When should developers add the Cato Root CA manually?

For tools like Python, Pip, Docker, or Java-based applications that ignore system trust stores, the Cato Root CA must be manually added to their trust configuration.

Was this article helpful?