This article explains how to configure and manage Cato Client traffic routing rules by creating Split Tunnel rules.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to firstname.lastname@example.org.
The highest level of security for remote traffic is to route the traffic through the Cato Cloud. However, there may be situations that require specific routing. The Split Tunnel Policy lets you define whether specific traffic is routed through the Cato Cloud or accesses the Internet directly.
The Split Tunnel Policy provides you with centralized management of your routing rules for Client traffic. You can create traffic routing rules to be applied to specific users, platforms or locations.
The Split Tunnel Policy lets you customize the Client traffic routing rules across your account. It is configured by defining the Split Tunnel and LAN Access settings.
All traffic from remote users is routed through the Cato Cloud by default. You can use the Split Tunnel settings to customize traffic routing for remote users in your account. For example, you can change the default routing so that traffic is routed to the Internet directly.
The options for the default traffic routing are:
Off: All traffic is routed through the Cato Cloud without exception.
Exclude specific IPs: Traffic is routed through the Cato Cloud. You can define exceptions to be routed directly to the Internet.
Note: If you Block outbound LAN access, this option is only supported from Windows Client v5.6 and higher.
Include specific IPs: Traffic directly accesses the Internet and bypasses the Cato Cloud. You can define exceptions to be routed through the Cato Cloud. Blocking outbound LAN access conflicts with this option and cannot be selected.
End-user defined: Users can upload a text file to the Client that configures which traffic is routed through the Cato Cloud and which traffic bypasses it. Blocking outbound LAN access cannot be selected with this option.
You can define exceptions to your default traffic routing using the Global IP Range entity. Selected IP ranges are excluded from the default routing.
Note: Supported for Windows Client v5.3 and higher.
To avoid traffic routing conflicts between subnets that use the same IP address range, you can block outbound LAN access. With this option, all traffic is routed to the Cato Cloud, providing increased security, and the Client is blocked from connecting to a LAN host in the remote network.
Company ABC is based in Chicago and has contractors in New York. The contractors need to access a server in the company's head office, but a local printer at the contractors' office is on a subnet that overlaps with the server's subnet.
To ensure the contractors can connect to the server, the IT team creates a contractors user group and configures a Split Tunnel Policy rule for that group that blocks outbound LAN access.
Company ABC uses Cato to support their networking requirements. The IT team wants to test Cato's security features without impacting the traffic routing of the rest of the company.
The IT team creates a user group for themselves and creates a rule with the Split Tunnel setting Exclude specific IPs. They create a lower-priority rule for the traffic of the rest of the company with the Split Tunnel setting Include specific IPs.
Only traffic from the IT team's devices is routed through the Cato Cloud, enabling them to test Cato's security features.
The Split Tunnel Policy is an ordered rule base that sequentially checks if a rule is met. When a user meets a rule, the traffic routing settings based on that rule are applied. If no rule is met, traffic is routed through the Cato Cloud and LAN access is allowed.
To include IP ranges that are exceptions to the Split Tunnel settings, add the IP ranges to a Global IP Range entity.
To configure the Split Tunnel Policy:
From the navigation menu, click Access > Split Tunnel Policy.
The New Split Tunnel Policy Rule panel opens.
Enter a Name for the rule.
Define the Users & Groups, Platforms, Countries, and Split Tunnel settings.
(Optional) Add IP ranges that are exceptions to the rule.
Note: IP ranges are defined using the Global IP Range entity.
(Optional) Define LAN Access settings.
Repeat steps 2-7 for each rule in the Split Tunnel Policy.
Enable the Split Tunnel Policy and then click Save.
The slider is green when the rule is enabled, and gray when the rule is disabled.
You can allow split tunnel settings to be configured by users. In the Client, users can upload a file with the IP ranges that are included in or excluded from the tunnel.
To define Split Tunnel Settings:
Create a text file with the IP addresses to route through, or exclude from, the encrypted tunnel.
You can configure the following rules within the text file:
Include: Traffic to the IP range is routed through the encrypted tunnel. All other traffic is routed directly to the Internet. In the text file, add the list of IP addresses and netmasks to route through the encrypted tunnel as follows:
/comment include <IP>,<netmask> <IP>,<netmask>
/splittunnel include 198.51.100.0,255.255.255.255
Exclude: Traffic to the IP range is routed directly to the Internet. All other traffic is routed through the encrypted tunnel. In the text file, add the list of IP addresses and netmasks to route directly to the Internet as follows:
;comment exclude <IP>,<netmask> <IP>,<netmask>
/splittunnel exclude 198.51.100.0,255.255.255.255
You can use a slash (/) or semicolon (;) for comments.
On the Windows Client, on the Settings screen, click Upload File and upload the text file.
On the macOS Client, on the Settings screen, select Split Tunnel Enabled.
On the Windows Client, on the Settings screen, select Enable split tunnel.
On the macOS Client, click Upload Split Tunnel Configuration and upload the text file.
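The following is an added example, not Cato's code: a small validator for the split tunnel text file described above, which checks each /splittunnel line (comment lines start with / or ;), rejects invalid IP/netmask pairs before a user uploads the file, and shows which way a destination is routed under Include or Exclude. It assumes that a file mixing include and exclude directives is an error; the article does not say how the Client handles that case.

```python
# Added example, not Cato's own code: parse a Client split tunnel text file in the
# article's format and decide routing. Assumes that mixing include and exclude is an error.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the article's syntax: a comment line, then one include directive
SAMPLE = "/comment include <IP>,<netmask>\n/splittunnel include 198.51.100.0,255.255.255.255\n"

@dataclass
class SplitTunnelConfig:
    mode: Optional[str] = None                 # "include" or "exclude"
    ranges: List[ipaddress.IPv4Network] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

def parse_split_tunnel(text: str) -> SplitTunnelConfig:
    cfg = SplitTunnelConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].lower() != "/splittunnel":
            if tokens[0][0] in "/;":           # '/' or ';' starts a comment line
                continue
            cfg.errors.append(f"line {lineno}: unrecognised line {raw.strip()!r}")
            continue
        if len(tokens) < 3 or tokens[1].lower() not in ("include", "exclude"):
            cfg.errors.append(f"line {lineno}: expected include|exclude and IP,netmask")
            continue
        mode = tokens[1].lower()
        if cfg.mode not in (None, mode):
            cfg.errors.append(f"line {lineno}: {mode} conflicts with earlier {cfg.mode}")
            continue
        cfg.mode = mode
        for pair in tokens[2:]:
            try:
                ip, mask = pair.split(",")    # strict=False: host address + netmask is fine
                cfg.ranges.append(ipaddress.IPv4Network((ip, mask), strict=False))
            except ValueError as exc:           # bad IP, bad netmask, or missing comma
                cfg.errors.append(f"line {lineno}: bad entry {pair!r}: {exc}")
    return cfg

def route_for(cfg: SplitTunnelConfig, dest: str) -> str:
    """'tunnel' = through the Cato Cloud, 'direct' = straight to the Internet."""
    listed = any(ipaddress.IPv4Address(dest) in net for net in cfg.ranges)
    if cfg.mode == "include":
        return "tunnel" if listed else "direct"
    if cfg.mode == "exclude":
        return "direct" if listed else "tunnel"
    return "tunnel"                            # no directives: default routing applies
```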