Issue
Some governments and other organizations may only allow access to their websites from IP addresses registered in their own country or jurisdiction. This is known as geo-blocking.
Cato Networks has PoPs deployed all over the world, but the PoP you connect to is not necessarily in the same country or state you are in. When you visit a website hosted in your own country or state through such a PoP, the site sees the connection coming from the PoP's external IP address, which is registered outside your jurisdiction.
If the website uses geo-blocking to allow only in-country/state IP addresses, it will fail to load. In some cases you may see a block page from the web server, but most of the time the connection simply times out and the browser displays an error like the ones below.
The website may also be blacklisting Cato's IP addresses. See <Websites Blacklisting Cato IP>.
[Screenshots: browser error pages in Google Chrome, Mozilla Firefox and Microsoft Edge]
Solution
Cato SDP Client
- While you are physically in your own country/state, you can reach the geo-blocked website by disconnecting the Cato Client, so that your traffic egresses directly with your local ISP's address. This is not possible if Always-On is enforced for the client.
- Alternatively, create a split tunnel configuration that exempts the website's IP address(es). Traffic to the exempted addresses is not sent to Cato, which also means it receives no security inspection from the Cato PoP.
Socket
- Define the website in a network rule as a Domain object or Application and enable backhaul hairpinning. Traffic matching the rule goes to the PoP for security inspection and is then routed back to the defined site, so it egresses from the local Socket's WAN port with the site's own ISP address. Follow firewall best practices and block the QUIC protocol so that browsers fall back to TCP-based HTTPS and the Website/Application can be identified accurately.
- As a last resort, configure a local bypass so the traffic goes out directly via the Socket's WAN port to the target website. This is not ideal: the traffic bypasses the Cato PoP infrastructure entirely and no security is applied to it.
IPsec Site Connected to Cato
- Define the website in a network rule as a Domain object or Application and enable backhaul via IPsec. Traffic matching the rule goes to the PoP for security inspection and is then routed back to the IPsec site, so it egresses from the local firewall's WAN port with the site's own ISP address. The firewall must have routing configured so that traffic returning from the Cato tunnel is forwarded out of its WAN interface; without this the option will not work. Follow firewall best practices and block the QUIC protocol so that browsers fall back to TCP-based HTTPS and the Website/Application can be identified accurately.
- As a last resort, change the routing policy on the local IPsec device so that traffic to the website's IP address(es) is not sent into the Cato IPsec tunnel. This is not ideal: the traffic bypasses the Cato PoP infrastructure entirely and no security is applied to it.
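The "last resort" bypass for an IPsec site (and the local bypass on a Socket) works by longest-prefix match: the tunnel is the default route, and a more specific route for the website's addresses via the ISP gateway wins over it. The following is an added illustration, not Cato's own tooling or a Cato configuration. It assumes a Linux router terminating a route-based IPsec tunnel on a VTI interface (vti0), an ISP-facing port (eth0) with gateway 203.0.113.1, and a website at 198.51.100.10 and 198.51.100.11; all of these interface names and addresses are constructed for the example. It models the routing table, shows which interface a destination would egress on before and after adding the host routes, and flags the common failure mode where one of the site's addresses was not exempted and still goes into the tunnel.

```python
"""Longest-prefix-match model of bypassing an IPsec tunnel for one website.

Added illustration, not Cato's own code. Assumes a Linux router with a
route-based IPsec tunnel on vti0 (constructed); the tunnel is then just a
default route, and a /32 route for each website address via the ISP
gateway pulls that traffic out of the tunnel and onto the WAN port.
"""
import ipaddress

TUNNEL_IF = "vti0"        # hypothetical VTI carrying the Cato IPsec tunnel
WAN_IF = "eth0"           # hypothetical ISP-facing interface
WAN_GW = "203.0.113.1"    # constructed ISP gateway address

# Constructed baseline table: everything that is not local goes into the tunnel.
# Entries are (prefix, next-hop or None for directly connected, interface).
BASE_ROUTES = [
    ("0.0.0.0/0", None, TUNNEL_IF),      # default: send to the Cato PoP
    ("203.0.113.0/24", None, WAN_IF),    # ISP link, directly connected
    ("10.0.0.0/24", None, "eth1"),       # LAN
]


def egress_for(routes, dst):
    """Return the interface a packet to dst would leave on; the longest
    matching prefix wins, exactly as the kernel's FIB lookup does."""
    target = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, _gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    if best_if is None:
        raise LookupError(f"no route to {dst}")
    return best_if


def bypass_routes(site_ips, gw=WAN_GW, iface=WAN_IF):
    """Host (/32) routes that steer each website address out of the WAN port."""
    return [(f"{ipaddress.ip_address(ip)}/32", gw, iface) for ip in site_ips]


def ip_route_commands(site_ips, gw=WAN_GW, iface=WAN_IF):
    """iproute2 commands an admin would review before applying (only generated,
    never executed here)."""
    return [f"ip route add {p} via {g} dev {i}"
            for p, g, i in bypass_routes(site_ips, gw, iface)]


def still_tunneled(routes, site_ips):
    """Website addresses that would still enter the tunnel. Any address left
    here means the site is only partially bypassed and may still be geo-blocked
    (or load intermittently when DNS returns that address)."""
    return [ip for ip in site_ips if egress_for(routes, ip) == TUNNEL_IF]


if __name__ == "__main__":
    site = ["198.51.100.10", "198.51.100.11"]   # constructed website addresses
    print("before:", {ip: egress_for(BASE_ROUTES, ip) for ip in site})
    # Forgetting one address is the usual mistake; the check below catches it.
    partial = BASE_ROUTES + bypass_routes(site[:1])
    print("partial bypass still tunnels:", still_tunneled(partial, site))
    full = BASE_ROUTES + bypass_routes(site)
    print("after:", {ip: egress_for(full, ip) for ip in site})
    print("\n".join(ip_route_commands(site)))
```

Resolve the website's name from the site's own resolver before building the list, since CDN-hosted sites return different addresses per region, and re-check whenever the site stops loading: the model above is only as good as the address list it is given. On a real router, `ip route get <address>` confirms the chosen interface after the routes are applied.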