Issue
When attempting to reach a specific website via the Cato Cloud, the page won't load and eventually will time out. However, the same website is accessible outside the Cato Cloud. It is possible that the website is blocking Cato IP ranges due to internal restrictions. Although Cato does not have control over this behavior, there are a few ways to troubleshoot and overcome this issue.
The website may also be restricting access based on the PoP IP geo-location. See Geo-blocked Websites.
Troubleshooting
- Run a local packet capture either on the PC or via the socket to confirm that there are no replies from the website server. In a blocked case you will see only SYN packets going out, or a complete 3-way handshake with no application-layer exchange. An RST packet from the website server is a clear indication that the Cato IP is being blocked.
- It's also possible that parts of the website won't fully load, which may indicate a redirection to another server that blocks Cato IP ranges. Collect a HAR file via the browser's developer tools for further analysis.
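The two checks above can be scripted so that a capture or a HAR export is triaged consistently. The following is an added example, not part of the Cato article or any Cato tool: it classifies each TCP flow in tcpdump-style text as no-reply, reset, handshake-without-data or ok, and lists HAR entries that got no response or were redirected to a different host. All addresses, hostnames and the sample capture and HAR document are constructed for the example.

```python
"""Added triage helpers for the packet-capture and HAR steps (example code,
not from the Cato article). Inputs are constructed samples."""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed tcpdump -n style lines. Hypothetical addresses: 10.0.0.5 is the
# client; the 203.0.113.x hosts stand in for the website servers.
SAMPLE_TCPDUMP = """\
12:00:00.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.0.0.5.51235 > 203.0.113.11.443: Flags [S], seq 1, win 64240, length 0
12:00:00.050002 IP 203.0.113.11.443 > 10.0.0.5.51235: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.050100 IP 10.0.0.5.51235 > 203.0.113.11.443: Flags [.], ack 3, win 64240, length 0
12:00:00.055000 IP 10.0.0.5.51235 > 203.0.113.11.443: Flags [P.], seq 2:519, ack 3, win 64240, length 517
12:00:00.000003 IP 10.0.0.5.51236 > 203.0.113.12.443: Flags [S], seq 1, win 64240, length 0
12:00:00.040003 IP 203.0.113.12.443 > 10.0.0.5.51236: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000004 IP 10.0.0.5.51237 > 203.0.113.13.443: Flags [S], seq 1, win 64240, length 0
12:00:00.040004 IP 203.0.113.13.443 > 10.0.0.5.51237: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.040100 IP 10.0.0.5.51237 > 203.0.113.13.443: Flags [.], ack 3, win 64240, length 0
12:00:00.045000 IP 10.0.0.5.51237 > 203.0.113.13.443: Flags [P.], seq 2:519, ack 3, win 64240, length 517
12:00:00.090000 IP 203.0.113.13.443 > 10.0.0.5.51237: Flags [P.], seq 3:1403, ack 519, win 65535, length 1400
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


def classify_tcp_flows(capture_text, client_ip):
    """Label each client->server flow: 'no-reply' (only outbound SYNs),
    'reset' (server answered with RST), 'handshake-no-data' (3-way handshake
    completed but the server never sent payload) or 'ok'."""
    flows = defaultdict(lambda: {"synack_in": 0, "rst_in": 0, "data_in": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outbound = m["src"] == client_ip
        # Key on the server side so retransmitted SYNs land in the same flow.
        key = (m["dst"], m["dport"]) if outbound else (m["src"], m["sport"])
        f = flows[key]
        if not outbound:
            if m["flags"] == "S.":
                f["synack_in"] += 1
            if "R" in m["flags"]:
                f["rst_in"] += 1
            if int(m["len"]) > 0:
                f["data_in"] += 1
    verdicts = {}
    for (server, port), f in flows.items():
        if f["rst_in"]:
            verdict = "reset"
        elif f["synack_in"] == 0:
            verdict = "no-reply"
        elif f["data_in"] == 0:
            verdict = "handshake-no-data"
        else:
            verdict = "ok"
        verdicts[f"{server}:{port}"] = verdict
    return verdicts


# Constructed minimal HAR 1.2 document with only the fields the check reads.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://www.example.com/"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://cdn.example-assets.net/app.js"}]}},
    {"request": {"url": "https://cdn.example-assets.net/app.js"},
     "response": {"status": 0, "headers": []}},
    {"request": {"url": "https://www.example.com/logo.png"},
     "response": {"status": 200, "headers": []}},
]}})


def har_findings(har_text):
    """Return (hosts_with_no_response, cross_host_redirects). A status of 0 is
    what browsers record when no response arrived; a 3xx whose Location points
    at another host names the server that may be doing the blocking."""
    no_response, redirects = [], []
    for e in json.loads(har_text)["log"]["entries"]:
        host = urlparse(e["request"]["url"]).hostname
        status = e["response"].get("status", 0)
        if status == 0:
            no_response.append(host)
        elif 300 <= status < 400:
            loc = next((h["value"] for h in e["response"].get("headers", [])
                        if h["name"].lower() == "location"), None)
            if loc and urlparse(loc).hostname != host:
                redirects.append((host, urlparse(loc).hostname))
    return no_response, redirects


if __name__ == "__main__":
    print(classify_tcp_flows(SAMPLE_TCPDUMP, "10.0.0.5"))
    print(har_findings(SAMPLE_HAR))
```

Feed it a real capture by saving `tcpdump -n` output to text (or exporting a HAR from the browser) and passing the file contents in place of the constructed samples; a flow that ends in "reset" or "no-reply" to the website while the same host answers from outside Cato supports the IP-blocking diagnosis, and a cross-host redirect followed by a status-0 entry points at the server to name when contacting the website administrator.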
Solution
- Contact the Website Administrator and inquire about the reason why Cato IP ranges are being blocked. Request the admin to whitelist the IP ranges listed in this guide according to the PoP location.
- If the affected users are all in a specific location, apply a basic network rule, select the Route via routing method, and pick a different location that has access to the website.
Cato SDP Client
- You can enable backhaul via a socket in the network rule and select a site that has access to the website. The PoP will still perform security scans and will then route SDP traffic to the selected site, so that the traffic egresses via the socket's WAN port.
- Alternatively, you can create a split tunnel configuration and exempt the IP address(es) of the website. Any traffic to the exempted IP addresses will not be sent to Cato.
Socket
- Define the website in a network rule as a Domain object or Application and enable backhaul hairpinning. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the defined site, so that it egresses via the local socket's WAN port. Be sure to follow FW best practices and block the QUIC protocol so that the Website/Application is identified accurately.
- As a last resort, you can perform local bypass so the traffic goes out directly via the socket's WAN port to the target website. This is not an ideal solution as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.
IPSec Site Connected to Cato
- Define the website in a network rule as a Domain object or Application and enable backhaul via IPSec. This allows the traffic that matches the network rule to go to the PoP for security scans. The traffic is then routed back to the IPSec site, so that it egresses via the local firewall's WAN port. Routing configuration on the firewall is necessary for this option to work. Be sure to follow FW best practices and block the QUIC protocol so that the Website/Application is identified accurately.
- As a last resort, you can change the routing policy on the local IPsec device so that traffic to the website's IP address(es) will not route through the Cato IPsec tunnel. This is not an ideal solution as it bypasses the Cato PoP infrastructure and no security is applied to this traffic.