Centralized Management of Remote Traffic Routing (Split Tunnel Policy)

This article explains how to configure and manage Cato Client traffic routing rules by creating Split Tunnel rules.

Overview

Routing all remote-user traffic through the Cato Cloud provides the highest level of security. However, some situations require specific routing. The Split Tunnel Policy lets you define whether specific traffic is routed through the Cato Cloud or goes directly to the Internet.

The Split Tunnel Policy provides you with centralized management of your routing rules for Client traffic. You can create traffic routing rules to be applied to specific users, platforms or locations.

Configurations for the Split Tunnel Policy

The Split Tunnel Policy lets you customize the Client traffic routing rules across your account. It is configured by defining the Split Tunnel and LAN Access settings.

Understanding the Split Tunnel Settings

All traffic from remote users is routed through the Cato Cloud by default. You can use the Split Tunnel settings to customize traffic routing for remote users in your account. For example, you can change the default routing so that traffic is routed to the Internet directly.

The options for the default traffic routing are:

  • Route all traffic to Cato: Traffic is routed through the Cato Cloud. You can define exceptions to be routed directly to the Internet.

    Note: If you also select Block outbound LAN access, this combination is supported only on Windows Client v5.6 and higher.

  • Route all traffic Out-of-Tunnel: Traffic directly accesses the Internet and bypasses the Cato Cloud. You can define exceptions to be routed through the Cato Cloud. Blocking outbound LAN access conflicts with this option and cannot be selected.

  • End-user defined: Users upload a text file to the Client that defines which traffic is routed through the Cato Cloud and which traffic is excluded from the tunnel and goes directly to the Internet. Blocking outbound LAN access cannot be selected with this option.

Defining Routing Exceptions

Within each rule, you can define exceptions to the routing policy.

Defining Routing Exceptions with IP Ranges

You can define exceptions using the Global IP Range entity. Traffic to the selected IP ranges is excluded from the chosen routing policy.

Defining Routing Exceptions for Specific Applications

You can define exceptions for specific applications to exclude them from the chosen routing policy. The supported applications are:

  • Google Applications (for example, Play Store, Google Drive, Google Meet)

  • Outlook

  • SharePoint and OneDrive Business

  • Skype and MS Teams

  • Zoom

Understanding LAN Access Settings

Note: Supported for Windows Client v5.3 and higher

When a remote user's local network uses the same IP subnet as a resource in your network, the Client has a routing conflict between the two. To avoid this conflict, you can block outbound LAN access. With this option, all traffic is routed to the Cato Cloud, which also increases security, and the Client is blocked from connecting to hosts on the LAN of the remote network.

Known Limitations

  • The End-user defined Split Tunnel setting is not supported on macOS if a specific location is included in the policy

  • Split Tunnel is not supported with NAT64

  • Defining routing exceptions for Google Applications also includes traffic directed to GCP resources

Use Cases

Traffic Prioritization - Overlapping Subnets

Company ABC is based in Chicago and has contractors in New York. The contractors need to access a server in the company's head office, but the server's subnet overlaps with the subnet of a local printer at the contractors' office.

To ensure the contractors can connect to the server, the IT team creates a contractors user group and configures a Split Tunnel Policy rule for that group that blocks outbound LAN access. Traffic from the contractors is then routed to the Cato Cloud instead of the local LAN.

Default Traffic Routing - Testing Cato Security Features

Company ABC uses Cato to support their networking requirements. The IT team want to test Cato's security features without impacting the traffic routing of the rest of the company.

The IT team creates a user group for itself and a rule for that group with the Split Tunnel setting Exclude specific IPs (traffic is routed through the Cato Cloud, except for the listed IP ranges). They create a lower priority rule for the rest of the company with the Split Tunnel setting Include specific IPs (traffic goes directly to the Internet, except for the listed IP ranges).

Because the higher priority rule matches only the IT team, only traffic from the IT team's devices is routed through the Cato Cloud, which lets them test Cato's security features without affecting the rest of the company.

Configuring the Split Tunnel Policy

The Split Tunnel Policy is an ordered rule base that sequentially checks if a rule is met. When a user meets a rule, the traffic routing settings based on that rule are applied. If no rule is met, traffic is routed through the Cato Cloud and LAN access is allowed.

To include IP ranges that are exceptions to the Split Tunnel settings, add the IP ranges to a Global IP Range entity.

[Screenshot: Split Tunnel Policy rule base]

To configure the Split Tunnel Policy:

  1. From the navigation menu, click Access > Split Tunnel Policy.

  2. Click New.

    The New Split Tunnel Policy Rule panel opens.

  3. Enter a Name for the rule.

  4. Define the Users & Groups, Platforms, Countries, and Split Tunnel settings.

  5. (Optional) Add exceptions to the rule.

    Note: IP ranges are defined using the Global IP Range entity

  6. (Optional) Define LAN Access settings

  7. Click Apply.

  8. Repeat steps 2-7 for each rule in the Split Tunnel Policy.

  9. Enable the Split Tunnel Policy and then click Save.

    The slider is green when the rule is enabled, and gray when the rule is disabled.
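The first-match evaluation described above, as an added example that is not Cato's own code: a small Python model of the rule base, populated with the two use cases from this article (a contractors group that blocks outbound LAN access, and an IT group routed to Cato placed ahead of a company-wide Out-of-Tunnel rule). The option names and rule fields come from the article; the session record shape, treating an empty field as Any, and the policy_issues checks are assumptions of this example.

```python
"""First-match model of the Split Tunnel Policy rule base.

Added example, not Cato's own implementation. Option names and rule fields
follow the article; the session record, empty-set-means-Any matching and
the issue checks are this example's assumptions.
"""
from dataclasses import dataclass, field

ROUTE_TO_CATO = "Route all traffic to Cato"
ROUTE_OUT_OF_TUNNEL = "Route all traffic Out-of-Tunnel"
END_USER_DEFINED = "End-user defined"
SPLIT_TUNNEL_OPTIONS = (ROUTE_TO_CATO, ROUTE_OUT_OF_TUNNEL, END_USER_DEFINED)


@dataclass
class Rule:
    name: str
    subjects: set = field(default_factory=set)   # user or group names; empty = Any
    platforms: set = field(default_factory=set)  # e.g. {"Windows"}; empty = Any
    countries: set = field(default_factory=set)  # e.g. {"US"}; empty = Any
    split_tunnel: str = ROUTE_TO_CATO
    block_lan_access: bool = False
    enabled: bool = True

    def matches(self, session: dict) -> bool:
        """session = {"user": str, "groups": set, "platform": str, "country": str}"""
        return (self.enabled
                and (not self.subjects
                     or session["user"] in self.subjects
                     or bool(self.subjects & session["groups"]))
                and (not self.platforms or session["platform"] in self.platforms)
                and (not self.countries or session["country"] in self.countries))


@dataclass(frozen=True)
class Decision:
    rule: str
    split_tunnel: str
    lan_access_blocked: bool


# Article: when no rule matches, traffic goes through the Cato Cloud and LAN access is allowed.
DEFAULT = Decision("(no rule matched)", ROUTE_TO_CATO, False)


def resolve(policy: list, session: dict) -> Decision:
    """Walk the ordered rule base; the first enabled rule that matches wins."""
    for rule in policy:
        if rule.matches(session):
            return Decision(rule.name, rule.split_tunnel, rule.block_lan_access)
    return DEFAULT


def policy_issues(policy: list) -> list:
    """Combinations the article says cannot be selected, plus ordering mistakes."""
    issues = []
    catch_all = None          # name of the first enabled Any/Any/Any rule seen so far
    for rule in policy:
        if rule.split_tunnel not in SPLIT_TUNNEL_OPTIONS:
            issues.append(f"{rule.name}: unknown Split Tunnel setting {rule.split_tunnel!r}")
        if rule.block_lan_access and rule.split_tunnel != ROUTE_TO_CATO:
            issues.append(f"{rule.name}: Block outbound LAN access requires {ROUTE_TO_CATO}")
        if catch_all and rule.enabled:
            # Anything placed after an enabled Any/Any/Any rule can never match.
            issues.append(f"{rule.name}: unreachable, shadowed by {catch_all}")
        if rule.enabled and not (rule.subjects or rule.platforms or rule.countries):
            catch_all = catch_all or rule.name
    return issues


def example_policy() -> list:
    """The two use cases from the article, in the order they must be evaluated."""
    return [
        Rule("Contractors", subjects={"Contractors"}, split_tunnel=ROUTE_TO_CATO,
             block_lan_access=True),                                  # overlapping subnets
        Rule("IT team", subjects={"IT"}, split_tunnel=ROUTE_TO_CATO),  # testing Cato features
        Rule("Everyone else", split_tunnel=ROUTE_OUT_OF_TUNNEL),       # Any / Any / Any
    ]


# Constructed sessions for the walkthrough (not real users).
IT_USER = {"user": "alice", "groups": {"IT"}, "platform": "Windows", "country": "US"}
CONTRACTOR = {"user": "bob", "groups": {"Contractors"}, "platform": "macOS", "country": "US"}
STAFF = {"user": "carol", "groups": {"Sales"}, "platform": "Windows", "country": "US"}

if __name__ == "__main__":
    policy = example_policy()
    for s in (IT_USER, CONTRACTOR, STAFF):
        print(s["user"], "->", resolve(policy, s))
    # Put the catch-all first and the IT team silently loses its Cato routing.
    print("reversed:", resolve(list(reversed(policy)), IT_USER))
    print("issues:", policy_issues(list(reversed(policy))))
```

The reversed-policy case is the one to keep in mind when rearranging rules: a rule whose Users & Groups, Platforms and Countries are all Any matches everyone, so every rule below it is dead.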

User Defined Split Tunnel Settings

With the End-user defined Split Tunnel setting, you let users configure the split tunnel settings themselves. In the Client, users upload a text file with the IP ranges that are included in or excluded from the tunnel.

To define Split Tunnel Settings:

  1. Create a text file listing the IP ranges to route through, or to exclude from, the encrypted tunnel.

    You can configure the following rules within the text file:

    • Include: Traffic to the listed IP ranges is routed through the encrypted tunnel. All other traffic is routed directly to the Internet. In the text file, add one IP address and netmask per line to route through the encrypted tunnel, as follows:

      /comment
      include
      <IP>,<netmask>
      <IP>,<netmask>

      For example:

      /splittunnel
      include
      198.51.100.0,255.255.255.255
    • Exclude: Traffic to the listed IP ranges is routed directly to the Internet. All other traffic is routed through the encrypted tunnel. In the text file, add one IP address and netmask per line to route directly to the Internet, as follows:

      ;comment
      exclude
      <IP>,<netmask>
      <IP>,<netmask>

      For example:

      /splittunnel
      exclude
      198.51.100.0,255.255.255.255

    You can use a slash (/) or semicolon (;) for comments.

  2. On the Windows Client, on the Settings screen, click Upload File and upload the text file, and then select Enable split tunnel.

     On the macOS Client, on the Settings screen, select Split Tunnel Enabled, and then click Upload Split Tunnel Configuration and upload the text file.
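A strict parser for the text file format above, as an added example (not the Cato Client's own parser). The grammar it accepts is the one in this article: comment lines starting with / or ;, one include or exclude line, then one <IP>,<netmask> entry per line. Rejecting a second mode line, rejecting hostmasks and prefix lengths, and the broad_exclusions audit are this example's own choices; the Client's exact tolerance for such input is not documented here. Because the End-user defined option hands routing control to the user, a pre-flight check like this on a file before it is distributed is where a practitioner would want the validation.

```python
"""Strict parser and pre-flight check for the end-user defined split tunnel file.

Added example, not Cato Client code. Grammar per the article: '/' or ';'
comment lines, one 'include' or 'exclude' line, then '<IP>,<netmask>' lines.
The extra strictness and the broad-entry audit are this example's choices.
"""
import ipaddress
from dataclasses import dataclass, field

COMMENT_PREFIXES = ("/", ";")
MODES = ("include", "exclude")


@dataclass
class SplitTunnelConfig:
    mode: str                                     # "include" or "exclude"
    networks: list = field(default_factory=list)  # ipaddress.IPv4Network objects

    def is_tunneled(self, dst: str) -> bool:
        """True if traffic to dst is sent through the encrypted tunnel."""
        addr = ipaddress.IPv4Address(dst)
        listed = any(addr in net for net in self.networks)
        # include: only listed ranges use the tunnel; exclude: listed ranges go direct.
        return listed if self.mode == "include" else not listed


def parse_split_tunnel_file(text: str) -> SplitTunnelConfig:
    mode = None
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue                               # blank line or comment
        if line in MODES:
            if mode is not None:                   # assumption: one mode line only
                raise ValueError(f"line {lineno}: second mode line {line!r}")
            mode = line
            continue
        if mode is None:
            raise ValueError(f"line {lineno}: expected 'include' or 'exclude' "
                             f"before the first IP entry, got {line!r}")
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<IP>,<netmask>', got {line!r}")
        ip_str, mask_str = parts
        try:
            # strict=False tolerates host bits in the IP (198.51.100.7,255.255.255.0).
            net = ipaddress.IPv4Network((ip_str, mask_str), strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        # ipaddress also accepts hostmasks (0.0.0.255) and prefix lengths (24);
        # the article shows dotted netmasks only, so insist on that form.
        if str(net.netmask) != mask_str:
            raise ValueError(f"line {lineno}: {mask_str!r} is not a dotted netmask")
        networks.append(net)
    if mode is None:
        raise ValueError("no 'include' or 'exclude' line found")
    if not networks:
        raise ValueError("no IP entries found")
    return SplitTunnelConfig(mode, networks)


def validation_error(text: str) -> str:
    """'' if the file parses, otherwise the error message (for pre-flight checks)."""
    try:
        parse_split_tunnel_file(text)
    except ValueError as exc:
        return str(exc)
    return ""


def broad_exclusions(cfg: SplitTunnelConfig, max_prefixlen: int = 8) -> list:
    """'exclude' entries wide enough to send large parts of the Internet around
    the Cato Cloud, e.g. 0.0.0.0,0.0.0.0. The threshold is this example's choice."""
    if cfg.mode != "exclude":
        return []
    return [str(n) for n in cfg.networks if n.prefixlen <= max_prefixlen]


# Constructed sample files in the format shown in the article.
SAMPLE_INCLUDE = """\
/splittunnel
include
198.51.100.0,255.255.255.0
203.0.113.10,255.255.255.255
"""

SAMPLE_EXCLUDE = """\
;splittunnel
exclude
198.51.100.0,255.255.255.0
0.0.0.0,0.0.0.0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INCLUDE, SAMPLE_EXCLUDE):
        cfg = parse_split_tunnel_file(sample)
        print(cfg.mode, [str(n) for n in cfg.networks],
              "tunnels 192.0.2.1:", cfg.is_tunneled("192.0.2.1"),
              "broad exclusions:", broad_exclusions(cfg))
```

The second sample is the case to watch for: an exclude file containing 0.0.0.0,0.0.0.0 sends all traffic directly to the Internet, which is equivalent to Route all traffic Out-of-Tunnel with no exceptions.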


5 comments

  • makimoto

    Hello,

    I have a question regarding the transition from Split Tunnel to Split Tunnel Policy.

    If we switch to "Split Tunnel Policy," will all newly added items automatically default to "Any"? Additionally, regarding the order of rules, will they also be automatically assigned as 1, 2, 3, etc., and then we can rearrange them after implementation?

    We would like to confirm what values will be present for items and functionalities that are not currently available in the existing Split Tunnel feature after implementation.

  • Michael Goldberg

    Hi makimoto ,

    Thanks for your question.

    After your account transitions to the Split Tunnel Policy, the new rules will replicate your existing configuration. The new items in the policy (Platform and Country) will default to Any. You can rearrange the order of the rules at any time.


  • makimoto

    Hello, Michael Goldberg. Thank you for your reply.

    Will users and groups be the default as well as platform and country?

  • Stephen Bayona

    Is there a way to add domains or FQDNs, not just IPs? Please add this feature.

  • Michael Goldberg (edited)

    Hi Stephen Bayona,

    We will soon add the ability to add specific applications to split tunnel rules. Adding FQDNs is also on our roadmap. You can also create an RFE for this feature. For more information, see Requesting New Features.
