Split Tunnel Configuration for Specific SDP Users

Overview of Split Tunnel

Split tunneling enables you to keep sensitive traffic secure without impacting internet speeds by routing specific IP addresses over the encrypted tunnel and allowing other IP addresses to access the Internet directly.

In line with security best practices, split tunneling is disabled by default.

To enable this feature, you can:

  • Globally define (for all SDP users) which IP addresses are routed through or excluded from the encrypted tunnel. For more information, see Configuring Split Tunnel for SDP Clients.

  • Let SDP users define which IP addresses are routed through or excluded from the encrypted tunnel on their device.

Step 1: Enabling Split Tunnel for SDP users

From the Cato Management Application, enable and configure the Split Tunnel feature to allow SDP users to define their own split tunnel settings on their Client.

To enable Split Tunnel for SDP users:

  1. In the Access > Client Access section, from the Split Tunnel section, on the Enforcement drop-down menu, select End-user defined.

  2. Select Enable Split Tunnel.

  3. Click Save.

Step 2: Defining Split Tunnel Settings for Specific SDP Users

In the Client, SDP users can upload files with the IP ranges that are included or excluded from the tunnel.

To define split tunnel definitions:

  1. Create a text file with the IP addresses to route through or exclude from the encrypted tunnel.

    You can configure the following rules within the text file:

    • Include: Traffic to the IP range is routed through the encrypted tunnel. All other traffic is routed directly to the Internet. In the text file, add the list of IP addresses and netmasks to route through the encrypted tunnel as follows:

      /comment
      include
      <IP>,<netmask>
      <IP>,<netmask>

    • Exclude: Traffic to the IP range is routed directly to the Internet. All other traffic is routed through the encrypted tunnel. In the text file, add the list of IP addresses and netmasks to route directly to the Internet as follows:

      ;comment
      exclude
      <IP>,<netmask>
      <IP>,<netmask>

    You can use a slash (/) or semicolon (;) for comments.

  2. On the Windows Client, on the Settings screen, click Upload File and upload the text file.
    On the macOS Client, on the Settings screen, select Split Tunnel Enabled.

  3. On the Windows Client, on the Settings screen, select Enable split tunnel.
    On the macOS Client, click Upload Split Tunnel Configuration and upload the text file.
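As an added example (not Cato's own code and not the Client's actual parser), the following Python script checks a split tunnel text file against the format described above, using constructed sample content, and reports where traffic to a given destination address would be routed under that file's mode. It assumes the dotted-netmask form shown above, that the mode line comes before the IP entries, and that any non-comment line after the mode line is an `<IP>,<netmask>` entry.

```python
import ipaddress

# Constructed sample in the format the article describes (assumption: one
# mode line, then one "<IP>,<netmask>" entry per line; '/' or ';' comments).
SAMPLE_EXCLUDE = """; constructed example: send LAN and printer traffic direct
exclude
192.168.1.0,255.255.255.0
10.20.30.5,255.255.255.255
"""

COMMENT_PREFIXES = ("/", ";")

def parse_split_tunnel_file(text):
    """Return (mode, [IPv4Network, ...]) or raise ValueError on a line the
    Client would not accept per the article ('#' comments, FQDNs, bad masks)."""
    mode = None
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue                      # blank or comment line
        if line.startswith("#"):
            raise ValueError(f"line {lineno}: '#' is not a comment marker; use '/' or ';'")
        if mode is None:
            if line.lower() not in ("include", "exclude"):
                raise ValueError(f"line {lineno}: expected 'include' or 'exclude' first")
            mode = line.lower()
            continue
        if "," not in line:
            raise ValueError(f"line {lineno}: expected '<IP>,<netmask>'")
        ip_str, mask_str = (p.strip() for p in line.split(",", 1))
        try:
            # strict=False tolerates host bits under the mask; ipaddress rejects
            # hostnames, so an FQDN entry fails here (FQDNs are not supported)
            networks.append(ipaddress.IPv4Network(f"{ip_str}/{mask_str}", strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    if mode is None or not networks:
        raise ValueError("file needs a mode line and at least one IP range")
    return mode, networks

def route_for(dest, mode, networks):
    """Where traffic to dest goes under this config: 'tunnel' or 'direct'."""
    listed = any(ipaddress.IPv4Address(dest) in n for n in networks)
    if mode == "include":
        return "tunnel" if listed else "direct"
    return "direct" if listed else "tunnel"
```

Running `route_for` over a few destinations before uploading a file is a quick way to confirm that an exclude list covers only the intended local ranges and nothing broader.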


11 comments

  • Comment author
    Juki kushiyama

    How does include or exclude work?

    Does Split means another tunnel not bypass?

    Is there a way to bypass Cato in VPN Client?

  • Comment author
    Yaakov Simon

    Hi Kushiyama,

    Please take a look at this article about configuring split tunneling in the Cato Management Application: https://support.catonetworks.com/hc/en-us/articles/360001945817

    I think it will answer your questions.

    Thanks!

  • Comment author
    Kumiko Ohara

    Is it possible to configure FQDN?

  • Comment author
    Yaakov Simon

    Kumiko,

    You can't use FQDN for the split tunnel feature, only IP addresses and subnets.

    Thanks!

  • Comment author
    Kumiko Ohara

    Yaakov Simon

    Understood, thank you!

  • Comment author
    Joseph Webb

    Is there a way to prevent local LAN access with the Cato VPN client? The split tunneling feature appears to work, but a connected VPN client can still access devices on the local LAN and that is not desirable in what we are trying to test. Thoughts?

  • Comment author
    Alex Koshlich

    Is there a way to add comments to the configuration file? '#' seems to break the file.

  • Comment author
    Neil Ticktin

    Is there a way to include comment lines in the config? e.g., preceded by a ; or something?

  • Comment author
    Yaakov Simon

    Alex and Neil,

    Thanks for the question about adding comments to the split tunnel file.

    The file is a CCST file, and you can use a slash / or semicolon ; for comments.

    I updated this article with the information about comments.

  • Comment author
    Matthew Tan

    There should be a reference on this page to this article https://support.catonetworks.com/hc/en-us/articles/4413265651217-Configuring-Split-Tunnel-for-SDP-Clients

    Which is a newer feature to manage split tunnel settings in the Cato portal instead of on the user device itself.

  • Comment author
    Yaakov Simon

    Matthew,

    I couldn't agree more! I added the link you referenced to the beginning of the article.

    Thanks!
