Cato IP blacklisted or Geo-Blocked

Website blacklisted Cato IP

When attempting to reach a specific website via the Cato Cloud, the page won't load and eventually will time out. However, the same website is accessible outside the Cato Cloud. It is possible that the website is blocking Cato IP ranges due to internal restrictions. Although Cato does not have control over this behavior, there are a few ways to troubleshoot and overcome this issue.

The website may also be restricting access based on the geo-location of the PoP IP address. See Geo-blocked Websites below.

Troubleshooting

  • Run a local packet capture, either on the PC or via the socket, to confirm that there are no replies from the website server. You will either see only SYN packets going out, or a complete 3-way handshake with no application-layer exchange. An RST packet coming from the website server is a clear indication that the Cato IP is being blocked.
  • It's also possible that parts of the website won't fully load, which may indicate a redirection to another server that blocks Cato IP ranges. Collect a HAR file via the browser's developer tools for further analysis.
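The three capture symptoms described above (SYN with no reply, handshake with no application data, RST from the server) can be told apart per flow with a small classifier. The following is an added example, not from the original article or from Cato; it works on constructed tcpdump-style one-line packet summaries, and the client and server addresses are made-up sample values.

```python
import re
from collections import defaultdict

# Constructed sample capture (not real output): client 10.0.0.5 behind the PoP
# talking to a website at 203.0.113.10, one flow per client source port.
# Flags use tcpdump notation: S=SYN, .=ACK, P=PSH, R=RST.
SAMPLE_CAPTURE = """\
10.0.0.5:51001 > 203.0.113.10:443 [S] len=0
10.0.0.5:51001 > 203.0.113.10:443 [S] len=0
10.0.0.5:51001 > 203.0.113.10:443 [S] len=0
10.0.0.5:51002 > 203.0.113.10:443 [S] len=0
203.0.113.10:443 > 10.0.0.5:51002 [S.] len=0
10.0.0.5:51002 > 203.0.113.10:443 [.] len=0
10.0.0.5:51002 > 203.0.113.10:443 [P.] len=517
10.0.0.5:51003 > 203.0.113.10:443 [S] len=0
203.0.113.10:443 > 10.0.0.5:51003 [R.] len=0
10.0.0.5:51004 > 203.0.113.10:443 [S] len=0
203.0.113.10:443 > 10.0.0.5:51004 [S.] len=0
10.0.0.5:51004 > 203.0.113.10:443 [.] len=0
10.0.0.5:51004 > 203.0.113.10:443 [P.] len=517
203.0.113.10:443 > 10.0.0.5:51004 [P.] len=1400
"""

LINE_RE = re.compile(r"^(\S+) > (\S+) \[([A-Z.]+)\] len=(\d+)$")

def classify_flows(capture_text, server_ip):
    """Group packets by client endpoint and label each flow with the symptom it shows."""
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not packet summaries
        src, dst, flags, length = m.groups()
        from_server = src.startswith(server_ip + ":")
        client = dst if from_server else src
        flows[client].append((from_server, flags, int(length)))
    verdicts = {}
    for client, pkts in flows.items():
        server_pkts = [(f, n) for s, f, n in pkts if s]
        if any("R" in f for f, _ in server_pkts):
            verdicts[client] = "RST from server: Cato IP range is likely blocked"
        elif not server_pkts:
            verdicts[client] = "SYN only, no reply: packets dropped before or at the server"
        elif not any(n > 0 for _, n in server_pkts):
            verdicts[client] = "handshake completed but no application data from server"
        else:
            verdicts[client] = "normal exchange"
    return verdicts

if __name__ == "__main__":
    for client, verdict in classify_flows(SAMPLE_CAPTURE, "203.0.113.10").items():
        print(f"{client}: {verdict}")
```

For a real capture, export one line per packet in the same "src > dst [flags] len=N" shape (for example from tcpdump output) and feed it to classify_flows with the website's server IP.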

Solution

  • Contact the website administrator and ask why Cato IP ranges are being blocked. Request that the administrator whitelist the IP ranges listed in this guide for the relevant PoP location.
  • If the affected users are all in a specific location, apply a basic network rule, select the Route via routing method, and pick a different location that has access to the website.

Cato SDP Client

  • You can enable backhaul via a socket in the network rule and select a site that has access to the website. The PoP will still perform security scans and will then route SDP traffic to the selected site, so the traffic egresses via the socket's WAN port.
  • Alternatively, you can create a split tunnel configuration and exempt the IP address(es) of the website. Any traffic to the exempted IP addresses will not be sent to Cato.

Socket

  • Define the website in a network rule as a Domain object or Application and enable backhaul hairpinning. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the defined site so the traffic egresses via the local socket's WAN port. Be sure to follow FW best practices and block the QUIC protocol to accurately identify the Website/Application.
  • As a last resort, you can perform local bypass so the traffic goes out directly via the socket's WAN port to the target website. This is not an ideal solution, as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.

IPsec Site Connected to Cato

  • Define the website in a network rule as a Domain object or Application and enable backhaul via IPsec. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the IPsec site so the traffic egresses via the local firewall's WAN port. Routing configuration on the firewall is necessary for this option to work. Be sure to follow FW best practices and block the QUIC protocol to accurately identify the Website/Application.
  • As a last resort, you can change the routing policy on the local IPsec device so that traffic to the website's IP address(es) does not route through the Cato IPsec tunnel. This is not an ideal solution, as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.


Geo-blocked Websites

Some governments and other organizations may only allow access to their websites from IP addresses registered in their own country or jurisdiction. This is known as geo-blocking.

Cato Networks has PoPs deployed all over the world, but the PoP you connect to won't necessarily be in the same country/state you live in. If that's the case, when you visit a website hosted within your country/state, the site would see the connection coming from an IP address registered outside your jurisdiction, the external IP address of the PoP.

If the website uses geo-blocking to restrict access to in-country/state IP addresses only, the website will fail to load. In some cases you may see a block page from the web server, but most of the time the website will simply time out and the browser will display an error like the ones below.

Browser timeout error pages for Chrome, Firefox and Edge (screenshots not reproduced here).

Solution

Cato SDP Client

  • You should be able to access the geo-blocked website while in your own country/state by disconnecting from the VPN client. This will not be possible if Always-On is enforced on the client.
  • Alternatively, you can create a split tunnel configuration and exempt the website IP address(es). Any traffic to the exempted IP addresses will not be sent to Cato.

Socket

  • Define the website in a network rule as a Domain object or Application and enable backhaul hairpinning. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the defined site so the traffic egresses via the local socket's WAN port. Be sure to follow FW best practices and block the QUIC protocol to accurately identify the Website/Application.
  • As a last resort, you can perform local bypass so the traffic goes out directly via the socket's WAN port to the target website. This is not an ideal solution, as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.

IPsec Site Connected to Cato

  • Define the website in a network rule as a Domain object or Application and enable backhaul via IPsec. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the IPsec site so the traffic egresses via the local firewall's WAN port. Routing configuration on the firewall is necessary for this option to work. Be sure to follow FW best practices and block the QUIC protocol to accurately identify the Website/Application.
  • As a last resort, you can change the routing policy on the local IPsec device so that traffic to the website's IP address(es) does not route through the Cato IPsec tunnel. This is not an ideal solution, as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.
