Overview of Split Tunnel
Split tunneling enables you to keep sensitive traffic secure without impacting internet speeds by routing specific IP addresses over the encrypted tunnel and allowing other IP addresses to access the Internet directly.
In line with security best practices, split tunneling is disabled by default.
To enable this feature, you can:
- Globally define (for all SDP users) which IP addresses are routed through or excluded from the encrypted tunnel. For more information, see Configuring Split Tunnel for SDP Clients.
- Let SDP users define which IP addresses are routed through or excluded from the encrypted tunnel on their device.
From the Cato Management Application, enable and configure the Split Tunnel feature to allow SDP users to define their own split tunnel settings on their Client.
To enable Split Tunnel for SDP users:
- In the Access > Client Access section, from the Split Tunnel section, on the Enforcement drop-down menu, select End-user defined.
- Select Enable Split Tunnel.
- Click Save.
In the Client, SDP users can upload a file with the IP ranges that are included in or excluded from the tunnel.
To define the split tunnel rules:
- Create a text file with the IP addresses to route through or exclude from the encrypted tunnel. You can configure the following rules within the text file:
  - Include: Traffic to the IP range is routed through the encrypted tunnel. All other traffic is routed directly to the Internet. In the text file, add the list of IP addresses and netmasks to route through the encrypted tunnel as follows:
    /comment include <IP>,<netmask> <IP>,<netmask>
  - Exclude: Traffic to the IP range is routed directly to the Internet. All other traffic is routed through the encrypted tunnel. In the text file, add the list of IP addresses and netmasks to route directly to the Internet as follows:
    ;comment exclude <IP>,<netmask> <IP>,<netmask>
  You can use a slash (/) or semicolon (;) for comments.
- On the Windows Client, on the Settings screen, click Upload File and upload the text file. On the macOS Client, click Upload Split Tunnel Configuration and upload the text file.
- On the Windows Client, on the Settings screen, select Enable split tunnel. On the macOS Client, on the Settings screen, select Split Tunnel Enabled.
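The following validator is an added example and not Cato's code or the Client's parser. It checks a split tunnel text file against the format described above before it is handed to users: comment lines start with a slash or semicolon (the example assumes each comment sits on its own line), rule lines start with include or exclude, and every entry is an IPv4 address and netmask pair. It rejects the two mistakes that come up in the comments below, a '#' comment marker and an FQDN instead of an IP address, flags a file that mixes include and exclude rules (the article presents the two modes as alternatives, so treating a mix as an error is this example's assumption), warns on a 0.0.0.0/0 range that would send all traffic direct, and shows how the include and exclude modes decide whether a destination goes through the tunnel. The sample files are constructed for the example.

```python
"""Validate a Cato SDP split tunnel text file and evaluate its routing decision.

Added example; not Cato's code. Assumed file format, from the article:
  /comment or ;comment           comment line ('#' is not a comment marker)
  include <IP>,<netmask> ...     listed ranges go through the tunnel, rest direct
  exclude <IP>,<netmask> ...     listed ranges go direct, rest through the tunnel
Only IP addresses and netmasks are accepted; FQDNs are not supported.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SplitTunnelConfig:
    mode: Optional[str] = None                  # "include", "exclude" or None (no rules)
    networks: list = field(default_factory=list)  # ipaddress.IPv4Network entries
    errors: list = field(default_factory=list)    # problems that would break the file
    warnings: list = field(default_factory=list)  # valid but risky settings


def parse_split_tunnel(text: str) -> SplitTunnelConfig:
    """Parse the file contents; never raises, all findings land in errors/warnings."""
    cfg = SplitTunnelConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "/;":
            continue  # comment line, as documented in the article
        if line.startswith("#"):
            cfg.errors.append(f"line {lineno}: '#' is not a comment marker; use '/' or ';'")
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword not in ("include", "exclude"):
            cfg.errors.append(f"line {lineno}: expected 'include' or 'exclude', got {parts[0]!r}")
            continue
        # Assumption of this example: a file uses one mode only.
        if cfg.mode is not None and cfg.mode != keyword:
            cfg.errors.append(f"line {lineno}: file mixes include and exclude rules")
        cfg.mode = cfg.mode or keyword
        for entry in parts[1:]:
            if "," not in entry:
                cfg.errors.append(f"line {lineno}: {entry!r} is not <IP>,<netmask>")
                continue
            ip_str, mask_str = entry.split(",", 1)
            try:
                net = ipaddress.IPv4Network((ip_str, mask_str), strict=False)
            except ValueError:
                cfg.errors.append(
                    f"line {lineno}: {entry!r} is not a valid IPv4 address and netmask "
                    "(FQDNs are not supported)")
                continue
            if net.prefixlen == 0:
                cfg.warnings.append(
                    f"line {lineno}: {entry!r} covers every address; an exclude of this "
                    "range sends all traffic outside the tunnel")
            cfg.networks.append(net)
    return cfg


def routes_through_tunnel(cfg: SplitTunnelConfig, destination: str) -> bool:
    """Apply the include/exclude semantics from the article to one destination IP."""
    addr = ipaddress.ip_address(destination)
    matched = any(addr in net for net in cfg.networks)
    if cfg.mode == "include":
        return matched          # listed ranges tunnel, everything else direct
    if cfg.mode == "exclude":
        return not matched      # listed ranges direct, everything else tunnels
    return True                 # no rules: split tunneling off, all traffic tunnels


# Constructed sample files for the example.
GOOD_FILE = """\
/ Constructed sample: office and data-center ranges stay on the tunnel
include 10.10.0.0,255.255.0.0 192.0.2.0,255.255.255.0
; a second comment style
include 198.51.100.10,255.255.255.255
"""

BAD_FILE = """\
# this marker is not a comment and breaks the file
include intranet.example,255.255.255.0
exclude 0.0.0.0,0.0.0.0
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        cfg = parse_split_tunnel(text)
        print(f"{name}: mode={cfg.mode} networks={[str(n) for n in cfg.networks]}")
        for msg in cfg.errors:
            print("  error:", msg)
        for msg in cfg.warnings:
            print("  warning:", msg)
    good = parse_split_tunnel(GOOD_FILE)
    print("10.10.5.5 tunnels:", routes_through_tunnel(good, "10.10.5.5"))
    print("8.8.8.8 tunnels:", routes_through_tunnel(good, "8.8.8.8"))
```

Run the script to see the two reports side by side; an admin can feed a file to parse_split_tunnel before distributing it, and use routes_through_tunnel to confirm that a given internal address really stays on the tunnel under the chosen mode.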
11 comments
How does include or exclude work?
Does Split mean another tunnel, not bypass?
Is there a way to bypass Cato in VPN Client?
Hi Kushiyama,
Please take a look at this article about configuring split tunneling in the Cato Management Application: https://support.catonetworks.com/hc/en-us/articles/360001945817
I think it will answer your questions.
Thanks!
Is it possible to configure FQDN?
Kumiko,
You can't use FQDN for the split tunnel feature, only IP addresses and subnets.
Thanks!
Yaakov Simon
Understood, thank you!
Is there a way to prevent local LAN access with the Cato VPN client? The split tunneling feature appears to work, but a connected VPN client can still access devices on the local LAN and that is not desirable in what we are trying to test. Thoughts?
Is there a way to add comments to the configuration file? '#' seems to break the file.
Is there a way to include comment lines in the config? e.g., preceded by a ; or something?
Alex and Neil,
Thanks for the question about adding comments to the split tunnel file.
The file is a CCST file, and you can use a slash / or semicolon ; for comments.
I updated this article with the information about comments.
There should be a reference on this page to this article https://support.catonetworks.com/hc/en-us/articles/4413265651217-Configuring-Split-Tunnel-for-SDP-Clients
Which is a newer feature to manage split tunnel settings in the Cato portal instead of on the user device itself.
Matthew,
I couldn't agree more! I added the link you referenced to the beginning of the article.
Thanks!