Cato Networks Knowledge Base

Cato Client Split Tunnel

Split tunneling enables routing of only specific traffic over the VPN connection, while other traffic accesses the Internet directly. For more about Split Tunnel in the Cato Management Application, see Configuring Split Tunnel for SDP Clients.

The administrator can enable this feature globally for all VPN users, or let VPN users configure their own split tunneling definitions.

In order for a VPN user to configure their own split tunnel settings, please select the Split Tunnel Enabled option.

In MAC:

In Windows:

As a next step, you'll need to upload a CCST text file to configure the addresses and ranges.

Create the text file with a list of the IP addresses and netmasks to include in or exclude from the Client. You can use a slash / or semicolon ; for comments.

/comment
include

<IP>,<netmask>
<IP>,<netmask>

or

;comment
exclude

<IP>,<netmask>
<IP>,<netmask>
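
An added example, not part of the Cato article or the Cato Client: a small Python linter that checks a file in the format described above before it is uploaded. It assumes one mode keyword placed before the entries, a dotted-decimal netmask, and a breadth threshold (min_prefix) chosen for this example; the sample file and the name lint_ccst are constructed.

```python
import ipaddress

# Constructed sample file (not from the article); all values are placeholders.
SAMPLE = """\
;lab networks
exclude

192.168.10.0,255.255.255.0
10.1.2.3,255.255.0.0
# printers
intranet.example.com,255.255.255.255
0.0.0.0,0.0.0.0
"""

def lint_ccst(text, min_prefix=8):
    """Return (mode, networks, findings); findings are (line_no, message).
    Assumptions of this example: one mode keyword, placed before the entries;
    dotted-decimal netmask; min_prefix is an arbitrary "too broad" threshold.
    """
    mode, networks, findings = None, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "/;":      # blank line or documented comment
            continue
        if line.lower() in ("include", "exclude"):
            if mode:
                findings.append((n, "second mode keyword"))
            mode = mode or line.lower()
            continue
        if line.startswith("#"):
            findings.append((n, "'#' line: use / or ; for comments"))
            continue
        ip, sep, mask = (p.strip() for p in line.partition(","))
        try:
            if not sep:
                raise ValueError("missing comma")
            ipaddress.IPv4Address(mask)      # mask must be dotted-decimal
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        except ValueError:
            findings.append((n, "not <IP>,<netmask>; hostnames are not accepted"))
            continue
        if mode is None:
            findings.append((n, "entry appears before include/exclude"))
        if ipaddress.IPv4Address(ip) != net.network_address:
            findings.append((n, f"host bits set; entry covers {net}"))
        if net.prefixlen < min_prefix:
            findings.append((n, f"{net} is very broad for a split-tunnel list"))
        networks.append(net)
    return mode, networks, findings
```

Reviewing the findings matters most for an exclude list, since every excluded range is traffic that leaves the device without going through the tunnel.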

For example:


Comments

11 comments

  • Comment author
    Juki kushiyama

    How does include or exclude work?

    Does Split mean another tunnel, not bypass?

    Is there a way to bypass Cato in VPN Client?

    0
  • Comment author
    Yaakov Simon

    Hi Kushiyama,

    Please take a look at this article about configuring split tunneling in the Cato Management Application: https://support.catonetworks.com/hc/en-us/articles/360001945817

    I think it will answer your questions.

    Thanks!

    0
  • Comment author
    Kumiko Ohara

    Is it possible to configure FQDN?

    0
  • Comment author
    Yaakov Simon

    Kumiko,

    You can't use FQDN for the split tunnel feature, only IP addresses and subnets.

    Thanks!

    0
  • Comment author
    Kumiko Ohara

    Yaakov Simon

    Understood, thank you!

    0
  • Comment author
    Joseph Webb

    Is there a way to prevent local LAN access with the Cato VPN client? The split tunneling feature appears to work, but a connected VPN client can still access devices on the local LAN and that is not desirable in what we are trying to test. Thoughts?

    0
  • Comment author
    Alex Koshlich

    Is there a way to add comments to the configuration file? '#' seems to break the file.

    0
  • Comment author
    Neil Ticktin

    Is there a way to include comment lines in the config? e.g., preceded by a ; or something?

    0
  • Comment author
    Yaakov Simon

    Alex and Neil,

    Thanks for the question about adding comments to the split tunnel file.

    The file is a CCST file, and you can use a slash / or semicolon ; for comments.

    I updated this article with the information about comments.

    0
  • Comment author
    Matthew Tan

    There should be a reference on this page to this article https://support.catonetworks.com/hc/en-us/articles/4413265651217-Configuring-Split-Tunnel-for-SDP-Clients

    Which is a newer feature to manage split tunnel settings in the Cato portal instead of on the user device itself.

    0
  • Comment author
    Yaakov Simon

    Matthew,

    I couldn't agree more! I added the link you referenced to the beginning of the article.

    Thanks!

    0
