Centralized Management of Remote Traffic Routing (Split Tunnel Policy)

This article explains how to configure and manage Cato Client traffic routing rules by creating Split Tunnel rules.

Overview

The highest level of security for remote traffic is to route the traffic through the Cato Cloud. However, there may be situations that require specific routing. The Split Tunnel Policy lets you define whether specific traffic is routed through the Cato Cloud or accesses the Internet directly.

The Split Tunnel Policy provides you with centralized management of your routing rules for Client traffic. You can create traffic routing rules to be applied to specific users, platforms or locations.

Configurations for the Split Tunnel Policy

The Split Tunnel Policy lets you customize the Client traffic routing rules across your account. It is configured by defining the Split Tunnel and LAN Access settings.

Understanding the Split Tunnel Settings

All traffic from remote users is routed through the Cato Cloud by default. You can use the Split Tunnel settings to customize traffic routing for remote users in your account. For example, you can change the default routing so that traffic is routed to the Internet directly.

The options for the default traffic routing are:

  • Off: All traffic is routed through the Cato Cloud without exception.

  • Exclude specific IPs: Traffic is routed through the Cato Cloud. You can define exceptions to be routed directly to the Internet.
    Note:

    • If you Block outbound LAN access, this option is only supported from Windows Client v5.6 and higher

    • Do not exclude IP ranges that overlap with the Cato Dynamic IP range for remote Users
  • Include specific IPs: Traffic directly accesses the Internet and bypasses the Cato Cloud. You can define exceptions to be routed through the Cato Cloud. Blocking outbound LAN access conflicts with this option and cannot be selected.
  • End-user defined: Users are able to upload a text file to the Client to configure which traffic is routed through the Cato Cloud and which traffic is excluded from the Cato Cloud. Blocking outbound LAN access cannot be selected with this option.
Managing Exceptions

You can define exceptions to your default traffic routing using the Global IP Range entity. Selected IP ranges are excluded from the default routing.

Understanding LAN Access Settings

Note: Supported for Windows Client v5.3 and higher

To avoid routing conflicts between subnets that use the same IP address range (for example, a remote LAN that overlaps a corporate subnet), you can block outbound LAN access. With this option, all traffic is routed to the Cato Cloud, providing increased security, and the Client is blocked from connecting to any LAN host in the remote network.

Known Limitations

  • The End-user defined Split Tunnel setting is not supported on macOS if a specific location is included in the policy

  • Split Tunnel is not supported with NAT64

Use Cases

Traffic Prioritization - Overlapping Subnets

Company ABC is based in Chicago and has contractors in New York. The contractors need to access a server based in the company's head office, but have an overlapping subnet with a local printer at the contractor's office.

To ensure the contractors can connect to the server, the IT team creates a contractors user group. They configure a Split Tunnel Policy rule for that group that blocks outbound LAN access.

Default Traffic Routing - Testing Cato Security Features

Company ABC uses Cato to support their networking requirements. The IT team want to test Cato's security features without impacting the traffic routing of the rest of the company.

The IT team creates a user group for themselves and creates a rule with the Split Tunnel setting Exclude specific IPs. They create a lower priority rule for the traffic of the rest of the company with the Split Tunnel setting Include specific IPs.

Only traffic from the devices of the IT team is routed through the Cato Cloud, which lets them test Cato's security features without affecting the rest of the company.

Configuring the Split Tunnel Policy

The Split Tunnel Policy is an ordered rule base that sequentially checks if a rule is met. When a user meets a rule, the traffic routing settings based on that rule are applied. If no rule is met, traffic is routed through the Cato Cloud and LAN access is allowed.

To include IP ranges that are exceptions to the Split Tunnel settings, add the IP ranges to a Global IP Range entity.
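The first-match behaviour described above, together with the two use cases earlier in the article, as an added example that is not Cato Networks' code: a small Python model of the ordered rule base. The rule fields (groups, platforms, countries, exceptions), the conflict checks, and the sample policy are assumptions built from the article's descriptions, not from any Cato API. It also encodes the article's constraints that Block outbound LAN access cannot be combined with Include specific IPs or End-user defined.

```python
"""Added example (not Cato Networks' code): a model of the Split Tunnel Policy
rule base. Rules are checked in order, the first match wins, and when nothing
matches the article's default applies: traffic goes through the Cato Cloud
("Off") and LAN access is allowed. Field names are assumptions for illustration."""
from dataclasses import dataclass

OFF, EXCLUDE, INCLUDE, END_USER = (
    "Off", "Exclude specific IPs", "Include specific IPs", "End-user defined")


@dataclass(frozen=True)
class Rule:
    name: str
    split_tunnel: str                     # one of the four settings above
    groups: frozenset = frozenset()       # empty frozenset means "Any"
    platforms: frozenset = frozenset()    # e.g. {"Windows", "macOS"}; empty means "Any"
    countries: frozenset = frozenset()    # empty means "Any"
    block_lan_access: bool = False        # the "Block outbound LAN access" option
    exceptions: tuple = ()                # names of Global IP Range entities (assumed)
    enabled: bool = True


@dataclass(frozen=True)
class Client:
    user: str
    groups: frozenset
    platform: str
    country: str


def validate_rule(rule):
    """Return the constraints from the article that this rule violates."""
    problems = []
    if rule.block_lan_access and rule.split_tunnel in (INCLUDE, END_USER):
        problems.append(f"{rule.name}: Block outbound LAN access cannot be "
                        f"combined with '{rule.split_tunnel}'")
    if rule.split_tunnel == OFF and rule.exceptions:
        problems.append(f"{rule.name}: 'Off' routes everything through the "
                        f"Cato Cloud, so IP range exceptions have no effect")
    if rule.split_tunnel not in (OFF, EXCLUDE, INCLUDE, END_USER):
        problems.append(f"{rule.name}: unknown Split Tunnel setting")
    return problems


def matches(rule, client):
    """A rule matches when every field that is not 'Any' matches the client."""
    return ((not rule.groups or bool(rule.groups & client.groups))
            and (not rule.platforms or client.platform in rule.platforms)
            and (not rule.countries or client.country in rule.countries))


def evaluate(policy, client):
    """Walk the ordered rule base; the first enabled matching rule decides."""
    for rule in policy:
        if rule.enabled and matches(rule, client):
            return {"rule": rule.name, "split_tunnel": rule.split_tunnel,
                    "block_lan_access": rule.block_lan_access,
                    "exceptions": rule.exceptions}
    # No rule met: the article's default for the policy.
    return {"rule": None, "split_tunnel": OFF,
            "block_lan_access": False, "exceptions": ()}


# Constructed policy reproducing the article's two use cases. The contractor
# rule's Split Tunnel setting is not stated in the article; "Off" is assumed.
POLICY = [
    Rule("Contractors - overlapping subnet", OFF,
         groups=frozenset({"Contractors"}), block_lan_access=True),
    Rule("IT team - security testing", EXCLUDE,
         groups=frozenset({"IT"}), exceptions=("Lab bypass ranges",)),
    Rule("Everyone else", INCLUDE, exceptions=("Corporate servers",)),
]

if __name__ == "__main__":
    for rule in POLICY:
        for problem in validate_rule(rule):
            print("policy error:", problem)
    for client in (Client("alice", frozenset({"IT"}), "Windows", "US"),
                   Client("bob", frozenset({"Sales"}), "macOS", "US"),
                   Client("carol", frozenset({"Contractors", "Sales"}), "Windows", "US")):
        print(client.user, "->", evaluate(POLICY, client))
```

Because the contractor rule sits above the catch-all, a contractor who is also in Sales still gets LAN access blocked; swapping the rule order would silently change that outcome, which is why running `validate_rule` and a few representative `evaluate` calls before saving the policy is worthwhile.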


To configure the Split Tunnel Policy:

  1. From the navigation menu, click Access > Split Tunnel Policy.

  2. Click New.

    The New Split Tunnel Policy Rule panel opens.

  3. Enter a Name for the rule

  4. Define the Users & Groups, Platforms, Countries, and Split Tunnel settings.

  5. (Optional) Add IP ranges that are exceptions to the rule

    Note: IP ranges are defined using the Global IP Range entity

  6. (Optional) Define LAN Access settings

  7. Click Apply.

  8. Repeat steps 2-7 for each rule in the Split Tunnel Policy.

  9. Enable the Split Tunnel Policy and then click Save.

    The slider is green when the rule is enabled, and gray when the rule is disabled.

User Defined Split Tunnel Settings

You can allow Split Tunnel settings to be configured by users. In the Client, users can upload a text file with the IP ranges that are included in or excluded from the tunnel.

To define Split Tunnel Settings:

  1. Create a text file with the IP addresses to route through or exclude from the encrypted tunnel.
    Note: The text file must be shorter than 16,384 characters.

    You can configure the following rules within the text file:

    • Include: Traffic to the IP range is routed through the encrypted tunnel. All other traffic is routed directly to the Internet. In the text file, add the list of IP addresses and netmasks to route through the encrypted tunnel as follows:

      /comment
      include
      <IP>,<netmask>
      <IP>,<netmask>

      For example:

      /splittunnel
      include
      198.51.100.0,255.255.255.255
    • Exclude: Traffic to the IP range is routed directly to the Internet. All other traffic is routed through the encrypted tunnel. In the text file, add the list of IP addresses and netmasks to route directly to the Internet as follows:

      ;comment
      exclude
      <IP>,<netmask>
      <IP>,<netmask>

      For example:

      /splittunnel
      exclude
      198.51.100.0,255.255.255.255

    You can use a slash (/) or semicolon (;) for comments.

  2. On the Windows Client, on the Settings screen, click Upload File and upload the text file.

    On the macOS Client, on the Settings screen, select Split Tunnel Enabled.

  3. On the Windows Client, on the Settings screen, select Enable split tunnel.

    On the macOS Client, click Upload Split Tunnel Configuration and upload the text file.
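The text file format from step 1, as an added example that is not Cato Networks' code: a Python parser and linter that checks a user's split tunnel file before it is uploaded to the Client. It enforces the layout the article documents (a comment prefix of `/` or `;`, one `include` or `exclude` line, then `<IP>,<netmask>` entries, under 16,384 characters) and flags excluded ranges that overlap a reserved range, modelling the article's warning not to exclude ranges that overlap the Cato Dynamic IP range for remote users. The `PLACEHOLDER_RESERVED` value and the sample file are constructed for this example; the real Cato range is not on this page and must be supplied by the caller. Treating the directive case-insensitively is an assumption.

```python
"""Added example (not Cato Networks' code): parse and sanity-check an end-user
split tunnel text file in the format described in this article, before it is
uploaded to the Client. The reserved-range value is a placeholder, not a real
Cato range."""
import ipaddress

MAX_CHARS = 16384               # size limit stated in the article
DIRECTIVES = ("include", "exclude")
COMMENT_PREFIXES = ("/", ";")   # the article allows either character


class SplitTunnelFileError(ValueError):
    """Raised when the file does not follow the documented layout."""


def parse_split_tunnel_file(text):
    """Return (directive, [IPv4Network, ...]) or raise SplitTunnelFileError."""
    if len(text) > MAX_CHARS:
        raise SplitTunnelFileError(
            f"file is {len(text)} characters; limit is {MAX_CHARS}")
    directive, networks = None, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue                     # blank line or comment
        if line.lower() in DIRECTIVES:   # case-insensitive match is an assumption
            if directive is not None:
                raise SplitTunnelFileError(
                    f"line {lineno}: a file holds one directive, found a second")
            directive = line.lower()
            continue
        if directive is None:
            raise SplitTunnelFileError(
                f"line {lineno}: IP entry appears before the include/exclude line")
        try:
            ip_str, mask_str = (part.strip() for part in line.split(","))
            # (address, netmask) tuple form; strict=False tolerates host bits set
            networks.append(ipaddress.IPv4Network((ip_str, mask_str), strict=False))
        except ValueError as exc:
            raise SplitTunnelFileError(f"line {lineno}: {exc!r}") from exc
    if directive is None:
        raise SplitTunnelFileError("no include/exclude directive found")
    if not networks:
        raise SplitTunnelFileError("directive present but no <IP>,<netmask> entries")
    return directive, networks


def lint_split_tunnel_file(text, reserved):
    """Return a list of problems; an empty list means the file looks acceptable.

    `reserved` models the Cato Dynamic IP range for remote users, which the
    article says must not be excluded; callers pass the real value."""
    try:
        directive, networks = parse_split_tunnel_file(text)
    except SplitTunnelFileError as exc:
        return [str(exc)]
    problems = []
    if directive == "exclude":
        problems += [f"{net} overlaps reserved range {reserved}"
                     for net in networks if net.overlaps(reserved)]
    seen = set()
    for net in networks:
        if net in seen:
            problems.append(f"duplicate entry {net}")
        seen.add(net)
    return problems


# Constructed sample file (documentation/TEST-NET addresses only).
SAMPLE_FILE = """/splittunnel
exclude
198.51.100.0,255.255.255.255
; second entry covers a whole /24
203.0.113.0,255.255.255.0
"""
# PLACEHOLDER: stands in for the Cato Dynamic IP range; not a real Cato value.
PLACEHOLDER_RESERVED = ipaddress.IPv4Network("203.0.113.0/25")

if __name__ == "__main__":
    print(parse_split_tunnel_file(SAMPLE_FILE))
    print(lint_split_tunnel_file(SAMPLE_FILE, PLACEHOLDER_RESERVED))
```

Run against the sample file, the linter reports that the `203.0.113.0/24` exclusion overlaps the placeholder reserved range, which is exactly the condition the article's note warns against; an `include` file is not checked for that overlap because those ranges stay inside the tunnel.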


3 comments

  • makimoto

    Hello,

    I have a question regarding the transition from Split Tunnel to Split Tunnel Policy.

    If we switch to "Split Tunnel Policy," will all newly added items automatically default to "Any"? Additionally, regarding the order of rules, will they also be automatically assigned as 1, 2, 3, etc., and then we can rearrange them after implementation?

    We would like to confirm what values will be present for items and functionalities that are not currently available in the existing Split Tunnel feature after implementation.

  • Michael Goldberg

    Hi makimoto,

    Thanks for your question. 

    After your account transitions to the Split Tunnel Policy, the new rules will replicate your existing configuration. The new items in the policy (Platform and Country) will default to Any. You can rearrange the order of the rules at any time.

  • makimoto

    Hello, Michael Goldberg. Thank you for your reply.

    Will users and groups be the default as well as platform and country?
